Add SA-15:14 - SA-15:17.
parent 0bacbbe09e
commit a670bd9852
Notes: svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=47125
19 changed files with 1757 additions and 0 deletions

134 share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc Normal file
@ -0,0 +1,134 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:14.bsdpatch Security Advisory
The FreeBSD Project

Topic: shell injection vulnerability in patch(1)

Category: contrib
Module: patch
Announced: 2015-07-28
Credits: Martin Natano
Affects: FreeBSD 10.x.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
CVE Name: CVE-2015-1416

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The patch(1) utility takes a patch file produced by the diff(1) program and
apply the differences to an original file, producing a patched version.

The patch(1) utility supports certain version control systems, namely SCCS
and RCS, and attempts to get or check out the file before applying a patch,
if the original file do not already exist.

II. Problem Description

Due to insufficient sanitization of the input patch stream, it is possible
for a patch file to cause patch(1) to run commands in addition to the desired
SCCS or RCS commands.

III. Impact

This issue could be exploited to execute arbitrary commands as the user
invoking patch(1) against a specically crafted patch file, which could be
leveraged to obtain elevated privileges.

IV. Workaround

No workaround is available, but systems where a privileged user does not
make use of patches without proper validation are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is not required after updating.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r285976
releng/10.1/ r285978
releng/10.2/ r285979
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----
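Review bot: Section VI of this advisory lists releng/10.1 as r285978 and releng/10.2 as r285979, the reverse of what SA-15:15 and SA-15:16 in this same commit record for the same branches (releng/10.2 r285978, releng/10.1 r285979); the Corrected timestamps above (releng/10.2 at 19:59:04, releng/10.1 at 19:59:11) agree with the other two advisories, so the two revision numbers here look swapped and should be checked against the repository before publication. Three grammar fixes in the body: in I, "and apply the differences" should read "and applies the differences" and "if the original file do not already exist" should read "does not already exist"; in III, "specically" should be "specifically".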

187 share/security/advisories/FreeBSD-SA-15:15.tcp.asc Normal file
@ -0,0 +1,187 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:15.tcp Security Advisory
The FreeBSD Project

Topic: Resource exhaustion in TCP reassembly

Category: core
Module: inet
Announced: 2015-07-28
Credits: Patrick Kelsey (Norse Corporation)
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2015-1417

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

The underlying simple and potentially unreliable IP datagram
communication protocol may deliver segments out of order, therefore,
the TCP receiver would need to reassemble the segments into their
original sequence to provide a reliable octet stream. Because the
reassembly requires additional resources to keep the queued segments,
historically resource exhaustion in the TCP reassembly path has been
prevented by limiting the total number of segments that could belong
to reassembly queues to a small fraction (1/16) of the total number of
mbuf clusters in the system.

VNET is a technique to virtualize the network stack, first introduced in
FreeBSD 8.0. It changes global resources in the network stack into per
network stack resources, so that a virtual network stack can be attached
to a jailed prison and the prison can have unrestricted access to the
virtual network stack. VNET is not enabled by default and has to be
enabled by recompiling the kernel.

II. Problem Description

There is a mistake with the introduction of VNET, which converted the
global limit on the number of segments that could belong to reassembly
queues into a per-VNET limit. Because mbufs are allocated from a
global pool, in the presence of a sufficient number of VNETs, the
total number of mbufs attached to reassembly queues can grow to the
total number of mbufs in the system, at which point all network
traffic would cease.

III. Impact

An attacker who can establish concurrent TCP connections across a
sufficient number of VNETs and manipulate the inbound packet streams
such that the maximum number of mbufs are enqueued on each reassembly
queue can cause mbuf cluster exhaustion on the target system, resulting
in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can
belong to reassembly queues is 1/16 of the total number of mbuf
clusters in the system, only systems that have 16 or more VNET
instances are vulnerable.

IV. Workaround

FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
(option VIMAGE) are not affected. The support has to be specifically
compiled into a custom kernel, so its use is not common.

For affected systems, the system administrators may consider reducing
the net.inet.tcp.reass.maxsegments tunable to the value of
kern.ipc.nmbclusters divided by one greater than the total number of
VNETs that are going to be used in the system in order to prevent a
Denial of Service via this vulnerability. For example, if there are
16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
should be set to kern.ipc.nmbclusters / 17.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc

[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
# gpg --verify tcp-9.3-10.1.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
# gpg --verify tcp-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----
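Review bot: The opening sentence of II, "There is a mistake with the introduction of VNET, which converted the global limit ... into a per-VNET limit", reads as if VNET itself were the mistake; "The introduction of VNET mistakenly converted the global limit ... into a per-VNET limit" states what is meant. In IV, the prose formula "kern.ipc.nmbclusters divided by one greater than the total number of VNETs" is easier to apply if written as kern.ipc.nmbclusters / (N + 1), with N the number of VNETs, which the 16-VNET example (nmbclusters / 17) already illustrates. The Corrected list and Section VI are consistent with each other and with SA-15:16 in this commit.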

188 share/security/advisories/FreeBSD-SA-15:16.openssh.asc Normal file
@ -0,0 +1,188 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:16.openssh Security Advisory
The FreeBSD Project

Topic: OpenSSH multiple vulnerabilities

Category: contrib
Module: openssh
Announced: 2015-07-28
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating itself to the
server. SSH servers uses host keys to verify their identity.

RFC 4255 has defined a method of verifying SSH host keys using Domain
Name System Security (DNSSEC), by publishing the key fingerprint using
DNS with "SSHFP" resource record. RFC 6187 has defined methods to use
a signature by a trusted certification authority to bind a given public
key to a given digital identity with X.509v3 certificates.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.

OpenSSH uses PAM for password authentication by default.

II. Problem Description

OpenSSH clients does not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication
using PAM (default) would allow many password attempts.

III. Impact

A malicious server may be able to force a connecting client to skip DNS
SSHFP record check and require the user to perform manual host verification
of the host key fingerprint. This could allow man-in-the-middle attack
if the user does not carefully check the fingerprint. [CVE-2014-2653]

A remote attacker may effectively bypass MaxAuthTries settings, which would
enable them to brute force passwords. [CVE-2015-5600]

IV. Workaround

Systems that do not use OpenSSH are not affected.

There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSsec and SSHFP is properly configured. Users who uses
SSH should always check server host key fingerprints carefully when
prompted.

System administrators can set:

UsePAM no

In their /etc/ssh/sshd_config and restart sshd service to workaround the
problem described as CVE-2015-5600 at expense of losing features provided
by the PAM framework.

We recommend system administrators to disable password based authentication
completely, and use key based authentication exclusively in their SSH server
configuration, when possible. This would eliminate the possibility of being
ever exposed to password brute force attack.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

SSH service has to be restarted after the update. A reboot is recommended
but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

SSH service has to be restarted after the update. A reboot is recommended
but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the SSH service, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----
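Review bot: The second paragraph of II describes the MaxAuthTries issue without the [CVE-2015-5600] tag that the first paragraph carries for CVE-2014-2653 and that III applies to both issues; add it so each problem statement names its CVE. This advisory also lacks the Credits: header field that the other three advisories in this commit carry. Grammar: "OpenSSH clients does not correctly verify" should be "do not"; "SSH servers uses host keys" should be "use"; "Users who uses SSH" should be "use"; "networks where DNSsec and SSHFP is properly configured" should read "DNSSEC and SSHFP are properly configured", matching the spelling used in I; and "could allow man-in-the-middle attack" needs the article "a".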

139 share/security/advisories/FreeBSD-SA-15:17.bind.asc Normal file
@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:17.bind Security Advisory
The FreeBSD Project

Topic: BIND remote denial of service vulnerability

Category: contrib
Module: bind
Announced: 2015-07-28
Credits: ISC
Affects: FreeBSD 8.x and FreeBSD 9.x.
Corrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2015-5477

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

An error in the handling of TKEY queries can be exploited by an attacker
for use as a denial-of-service vector, as a constructed packet can use
the defect to trigger a REQUIRE assertion failure, causing BIND to exit.

III. Impact

A remote attacker can trigger a crash of a name server. Both recursive and
authoritative servers are affected, and the exposure can not be mitigated
by either ACLs or configuration options limiting or denying service because
the exploitable code occurs early in the packet handling, before checks
enforcing those boundaries.

IV. Workaround

No workaround is available, but systems that are not running BIND are not
vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://kb.isc.org/article/AA-01272>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----
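Review bot: The Affects: line limits this advisory to FreeBSD 8.x and 9.x while the other three advisories in this commit say "All supported versions of FreeBSD"; a sentence in I or IV stating why 10.x is out of scope would spare readers the question. In III, "can not be mitigated" should be "cannot be mitigated".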

188 share/security/patches/SA-15:14/bsdpatch.patch Normal file
@ -0,0 +1,188 @@
Index: usr.bin/patch/common.h
===================================================================
--- usr.bin/patch/common.h (revision 285926)
+++ usr.bin/patch/common.h (working copy)
@@ -43,12 +43,10 @@
#define LINENUM_MAX LONG_MAX

#define SCCSPREFIX "s."
-#define GET "get -e %s"
-#define SCCSDIFF "get -p %s | diff - %s >/dev/null"

#define RCSSUFFIX ",v"
-#define CHECKOUT "co -l %s"
-#define RCSDIFF "rcsdiff %s > /dev/null"
+#define CHECKOUT "/usr/bin/co"
+#define RCSDIFF "/usr/bin/rcsdiff"

#define ORIGEXT ".orig"
#define REJEXT ".rej"
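Review bot: This hunk removes GET and SCCSDIFF with no replacement, so SCCS support disappears from patch(1) while SCCSPREFIX stays defined (now unused) and the SA-15:14 advisory text in this same commit still describes SCCS as supported; either drop SCCSPREFIX too and say in the advisory that SCCS handling was removed, or keep SCCS handling. CHECKOUT and RCSDIFF also change meaning, from printf-style command templates ("co -l %s") to bare executable paths ("/usr/bin/co"), so any remaining caller that still hands them to snprintf() as a format would compile and silently drop its argument; the inp.c hunks below convert the RCSDIFF use to execv(), and the reviewer should confirm every remaining use of CHECKOUT was converted the same way.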
Index: usr.bin/patch/inp.c
===================================================================
--- usr.bin/patch/inp.c (revision 285926)
+++ usr.bin/patch/inp.c (working copy)
@@ -31,8 +31,10 @@
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/mman.h>
+#include <sys/wait.h>

#include <ctype.h>
+#include <errno.h>
#include <libgen.h>
#include <stddef.h>
#include <stdint.h>
@@ -133,12 +135,14 @@ reallocate_lines(size_t *lines_allocated)
static bool
plan_a(const char *filename)
{
- int ifd, statfailed;
+ int ifd, statfailed, devnull, pstat;
char *p, *s, lbuf[INITLINELEN];
struct stat filestat;
ptrdiff_t sz;
size_t i;
size_t iline, lines_allocated;
+ pid_t pid;
+ char *argp[4] = {NULL};

#ifdef DEBUGGING
if (debug & 8)
@@ -166,13 +170,14 @@ plan_a(const char *filename)
}
if (statfailed && check_only)
fatal("%s not found, -C mode, can't probe further\n", filename);
- /* For nonexistent or read-only files, look for RCS or SCCS versions. */
+ /* For nonexistent or read-only files, look for RCS versions. */
+
if (statfailed ||
/* No one can write to it. */
(filestat.st_mode & 0222) == 0 ||
/* I can't write to it. */
((filestat.st_mode & 0022) == 0 && filestat.st_uid != getuid())) {
- const char *cs = NULL, *filebase, *filedir;
+ char *filebase, *filedir;
struct stat cstat;
char *tmp_filename1, *tmp_filename2;
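Review bot: The added empty `+` line between the rewritten comment ("look for RCS versions") and the `if (statfailed ||` it describes detaches the comment from its statement; drop it so the comment stays attached to the condition it explains.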

@@ -180,43 +185,26 @@ plan_a(const char *filename)
tmp_filename2 = strdup(filename);
if (tmp_filename1 == NULL || tmp_filename2 == NULL)
fatal("strdupping filename");
+
filebase = basename(tmp_filename1);
filedir = dirname(tmp_filename2);

- /* Leave room in lbuf for the diff command. */
- s = lbuf + 20;
-
#define try(f, a1, a2, a3) \
- (snprintf(s, buf_size - 20, f, a1, a2, a3), stat(s, &cstat) == 0)
+ (snprintf(lbuf, sizeof(lbuf), f, a1, a2, a3), stat(lbuf, &cstat) == 0)

- if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
- try("%s/RCS/%s%s", filedir, filebase, "") ||
- try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
- snprintf(buf, buf_size, CHECKOUT, filename);
- snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
- cs = "RCS";
- } else if (try("%s/SCCS/%s%s", filedir, SCCSPREFIX, filebase) ||
- try("%s/%s%s", filedir, SCCSPREFIX, filebase)) {
- snprintf(buf, buf_size, GET, s);
- snprintf(lbuf, sizeof lbuf, SCCSDIFF, s, filename);
- cs = "SCCS";
- } else if (statfailed)
- fatal("can't find %s\n", filename);
-
- free(tmp_filename1);
- free(tmp_filename2);
-
/*
* else we can't write to it but it's not under a version
* control system, so just proceed.
*/
- if (cs) {
+ if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
+ try("%s/RCS/%s%s", filedir, filebase, "") ||
+ try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
if (!statfailed) {
if ((filestat.st_mode & 0222) != 0)
/* The owner can write to it. */
fatal("file %s seems to be locked "
- "by somebody else under %s\n",
- filename, cs);
+ "by somebody else under RCS\n",
+ filename);
/*
* It might be checked out unlocked. See if
* it's safe to check out the default version
|
||||
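Review bot: SCCS retrieval (the removed SCCSPREFIX/GET/SCCSDIFF branch) is dropped outright rather than converted to the fork/exec form used for RCS, which is a user-visible behaviour change that the advisory and the patch(1) man page should state. The removed `snprintf(buf, buf_size, CHECKOUT, filename)` / RCSDIFF / GET / SCCSDIFF lines are the root cause: they built shell command lines from the patch-supplied filename for system(), so shell metacharacters in a filename were interpreted; the new code passes the filename as a discrete execv() argument instead. Two details worth confirming: the new `try()` bounds its snprintf by `sizeof(lbuf)` rather than the unrelated `buf_size - 20`, which removes the mismatch between the bound and the buffer actually written; and the free(tmp_filename1)/free(tmp_filename2) calls must stay after the `if` block as they now are, because `try()` runs inside the condition and dereferences `filebase`/`filedir`, which point into those buffers.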
@@ -224,21 +212,59 @@ plan_a(const char *filename)
*/
if (verbose)
say("Comparing file %s to default "
- "%s version...\n",
- filename, cs);
- if (system(lbuf))
+ "RCS version...\n", filename);
+
+ switch (pid = fork()) {
+ case -1:
+ fatal("can't fork: %s\n",
+ strerror(errno));
+ case 0:
+ devnull = open("/dev/null", O_RDONLY);
+ if (devnull == -1) {
+ fatal("can't open /dev/null: %s",
+ strerror(errno));
+ }
+ (void)dup2(devnull, STDOUT_FILENO);
+ argp[0] = strdup(RCSDIFF);
+ argp[1] = strdup(filename);
+ execv(RCSDIFF, argp);
+ exit(127);
+ }
+ pid = waitpid(pid, &pstat, 0);
+ if (pid == -1 || WEXITSTATUS(pstat) != 0) {
fatal("can't check out file %s: "
- "differs from default %s version\n",
- filename, cs);
+ "differs from default RCS version\n",
+ filename);
+ }
}
+
if (verbose)
- say("Checking out file %s from %s...\n",
- filename, cs);
- if (system(buf) || stat(filename, &filestat))
- fatal("can't check out file %s from %s\n",
- filename, cs);
+ say("Checking out file %s from RCS...\n",
+ filename);
+
+ switch (pid = fork()) {
+ case -1:
+ fatal("can't fork: %s\n", strerror(errno));
+ case 0:
+ argp[0] = strdup(CHECKOUT);
+ argp[1] = strdup("-l");
+ argp[2] = strdup(filename);
+ execv(CHECKOUT, argp);
+ exit(127);
+ }
+ pid = waitpid(pid, &pstat, 0);
+ if (pid == -1 || WEXITSTATUS(pstat) != 0 ||
+ stat(filename, &filestat)) {
+ fatal("can't check out file %s from RCS\n",
+ filename);
+ }
+ } else if (statfailed) {
+ fatal("can't find %s\n", filename);
}
+ free(tmp_filename1);
+ free(tmp_filename2);
}
+
filemode = filestat.st_mode;
if (!S_ISREG(filemode))
fatal("%s is not a normal file--can't patch\n", filename);
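Review bot: `/dev/null` is opened O_RDONLY and then dup2()'d onto STDOUT_FILENO, so rcsdiff's writes to stdout fail with EBADF instead of being discarded; open it O_WRONLY. Several smaller points in the same two blocks: the status is tested with WEXITSTATUS() but never WIFEXITED(), so a child killed by a signal yields exit status 0 and is treated as "no differences", letting the checkout proceed; waitpid() is not retried on EINTR; the child calls exit(127) and fatal() after fork(), which flushes the parent's buffered stdio a second time and, if fatal() runs the usual cleanup, runs it from the child as well (use _exit() in the child and report the failure in the parent); `devnull` is never closed, so it leaks into the exec'd program; and the "can't open /dev/null: %s" format lacks the trailing newline every other fatal() string here has.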
17
share/security/patches/SA-15:14/bsdpatch.patch.asc
Normal file
@ -0,0 +1,17 @@
203
share/security/patches/SA-15:15/tcp-8.patch
Normal file
@ -0,0 +1,203 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -80,29 +80,25 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
+static int tcp_reass_maxseg = 0;
SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,
CTLTYPE_INT | CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0, &tcp_reass_sysctl_maxseg, "I",
+ &tcp_reass_maxseg, 0, &tcp_reass_sysctl_maxseg, "I",
"Global maximum number of TCP Segments in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_qsize) = 0;
-#define V_tcp_reass_qsize VNET(tcp_reass_qsize)
-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+static int tcp_reass_qsize = 0;
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_qsize), 0, &tcp_reass_sysctl_qsize, "I",
+ &tcp_reass_qsize, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */
static void
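Review bot: `maxsegments` keeps its unchanged `SYSCTL_VNET_PROC(...)` line while the variable it points at becomes a plain global; on a VIMAGE kernel the CTLFLAG_VNET that macro sets makes the sysctl layer treat `arg1` as a vnet-relative offset, so `&tcp_reass_maxseg` would be mis-resolved. Change it to SYSCTL_PROC, exactly as `cursegments` and `overflows` are changed in this hunk. Separately, `SYSCTL_INT(... overflows, CTLTYPE_INT | CTLFLAG_RD, ...)` passes CTLTYPE_INT that the macro already supplies; CTLFLAG_RD alone is enough and matches the head version in tcp.patch.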
@@ -109,34 +105,25 @@ static void
tcp_reass_zone_change(void *tag)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
}

void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
+ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}

-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
@@ -146,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}

@@ -158,7 +145,7 @@ tcp_reass_flush(struct tcpcb *tp)
static int
tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
{
- V_tcp_reass_maxseg = uma_zone_get_max(V_tcp_reass_zone);
+ tcp_reass_maxseg = uma_zone_get_max(tcp_reass_zone);
return (sysctl_handle_int(oidp, arg1, arg2, req));
}

@@ -165,7 +152,7 @@ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
static int
tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
- V_tcp_reass_qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ tcp_reass_qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, arg1, arg2, req));
}

@@ -213,7 +200,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -232,7 +219,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -283,7 +270,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -320,7 +307,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -359,7 +346,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -375,7 +375,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -385,6 +384,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;

+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
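Review bot: `tcp_reass_global_init()` sits after the `if (!IS_DEFAULT_VNET(curvnet)) return;`, so it runs once, for the default vnet, which is what a global zone needs; a one-line comment there saying that non-default vnets rely on the default vnet's tcp_init() having created the zone first would save the next reader a trip to tcp_reass.c. Note also that the removed `tcp_reass_init()` call in the previous hunk ran for every vnet, and that function registers an `nmbclusters_change` event handler, so the old code registered one handler per vnet and never removed it; the single registration here is the correct lifetime for a global zone.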
@@ -424,7 +425,6 @@ void
tcp_destroy(void)
{

- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
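Review bot: with `tcp_reass_destroy()` gone, nothing tears the zone down per vnet, which is right for a global UMA_ZONE_NOFREE zone, but it also means entries still queued on a dying vnet's tcpcbs are only returned to the now-global zone if `tcp_reass_flush()` (see the tcp_reass.c hunks) is reached for every tcpcb during vnet teardown; previously the whole per-vnet zone was destroyed, which hid any such leak. Confirm the per-tcpcb discard path is run for all connections before the vnet's pcbs are released.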
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -653,11 +653,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, int *);
u_long tcp_maxmtu6(struct in_conninfo *, int *);
17
share/security/patches/SA-15:15/tcp-8.patch.asc
Normal file
@ -0,0 +1,17 @@
194
share/security/patches/SA-15:15/tcp-9.3-10.1.patch
Normal file
@ -0,0 +1,194 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0,
+static int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+ &tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");

-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */
static void
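Review bot: `SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,` is followed by the unchanged `CTLTYPE_INT | CTLFLAG_RD,`, but SYSCTL_INT already ORs in CTLTYPE_INT; pass CTLFLAG_RD alone, as tcp.patch does for the same line, so the stable and head patches differ only in hunk offsets.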
@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
{

/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = nmbclusters / 16;
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
}

void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}

-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}

@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
int qsize;

- qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, &qsize, 0, req));
}

@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -353,7 +341,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -375,7 +375,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -385,6 +384,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;

+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
@@ -432,7 +433,6 @@ void
tcp_destroy(void)
{

- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -666,11 +666,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
17
share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc
Normal file
@ -0,0 +1,17 @@
194
share/security/patches/SA-15:15/tcp.patch
Normal file
@ -0,0 +1,194 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0,
+static int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+ &tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");

-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */
static void
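Review bot: the semantics of net.inet.tcp.reass.maxsegments change in this hunk from a per-vnet limit to one system-wide limit (the VNET_DEFINE/VNET_NAME lines become plain globals with a single `nmbclusters / 16` ceiling), so the description string "Global maximum number of TCP Segments in Reassembly Queue" is now accurate, but the change in what the tunable bounds should be stated in the advisory text and in any documentation that lists the tunable, since administrators of multi-vnet hosts will see a lower aggregate queue capacity than before.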
@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
{

/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = nmbclusters / 16;
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
}

void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}

-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}

@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
int qsize;

- qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, &qsize, 0, req));
}

@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -353,7 +341,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -376,7 +376,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -386,6 +385,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;

+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
@@ -433,7 +434,6 @@ void
tcp_destroy(void)
{

- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -679,11 +679,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
17
share/security/patches/SA-15:15/tcp.patch.asc
Normal file
@ -0,0 +1,17 @@
89
share/security/patches/SA-15:16/openssh-8.patch
Normal file
@ -0,0 +1,89 @@
Index: crypto/openssh/auth2-chall.c
===================================================================
--- crypto/openssh/auth2-chall.c (revision 285923)
+++ crypto/openssh/auth2-chall.c (working copy)
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};

#ifdef USE_PAM
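Review bot: `devices_done` is a bitmask indexed by position in `devices[]` and must start at zero; confirm that the KbdintAuthctxt allocation (not part of this hunk) uses xcalloc() or clears the new field explicitly, otherwise stale bits would make the first pass skip devices. As a `u_int` it covers 32 devices, which is ample for the few entries in the table, but a comment stating that limit next to the field would help whoever extends the table later.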
@@ -169,9 +170,14 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
|
||||
|
||||
if (len == 0)
|
||||
break;
|
||||
- for (i = 0; devices[i]; i++)
|
||||
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
|
||||
+ for (i = 0; devices[i]; i++) {
|
||||
+ if ((kbdintctxt->devices_done & (1 << i)) != 0)
|
||||
+ continue;
|
||||
+ if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) {
|
||||
kbdintctxt->device = devices[i];
|
||||
+ kbdintctxt->devices_done |= 1 << i;
|
||||
+ }
|
||||
+ }
|
||||
t = kbdintctxt->devices;
|
||||
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
|
||||
xfree(t);
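Review bot: `1 << i` against a `u_int` silently wraps once `devices[]` has more than 32 entries; the table is small today, but a comment stating the limit (or an assertion on `i`) would document the assumption. Also note the loop has no `break` after a match, so with the `strncmp(..., len)` prefix comparison every device whose name shares the first `len` characters is marked done and `device` ends up as the last match; that is pre-existing behaviour, but worth a comment now that `devices_done` makes the mark persist for later calls.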
Index: crypto/openssh/sshconnect.c
===================================================================
--- crypto/openssh/sshconnect.c (revision 285923)
+++ crypto/openssh/sshconnect.c (working copy)
@@ -1141,29 +1141,39 @@ verify_host_key(char *host, struct sockaddr *hosta
{
int flags = 0;
char *fp;
+ Key *plain = NULL;

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
xfree(fp);

- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}

return check_host_key(host, hostaddr, options.port, host_key, RDRW,
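Review bot: this hunk changes behaviour for certificate host keys, which the removed `!key_is_cert(host_key)` guard previously kept out of DNS verification altogether: with `verify_host_key_dns == 1` and a secure, matching SSHFP record for the key carried inside the certificate, the function now returns 0 before `check_host_key()` runs, so the certificate's CA signature and principals are never examined on that path. That is a user-visible change and should be called out in the commit message and the `VerifyHostKeyDNS` documentation. The `plain` lifetime itself looks right: freed before the early `return 0` and again after the block.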
17
share/security/patches/SA-15:16/openssh-8.patch.asc
Normal file
@ -0,0 +1,17 @@
90
share/security/patches/SA-15:16/openssh.patch
Normal file
@ -0,0 +1,90 @@
Index: crypto/openssh/auth2-chall.c
===================================================================
--- crypto/openssh/auth2-chall.c (revision 285923)
+++ crypto/openssh/auth2-chall.c (working copy)
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};

#ifdef USE_PAM
@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthc
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
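Review bot: one readability point in the merged condition: the `devices_done` test and the `!auth2_method_allowed(...)` call are folded into a single `if ... continue;` spanning three lines, and the `strncmp()` call is wrapped at `len) == 0) {`, which is hard to scan. Keeping the bitmask skip as its own `if ((kbdintctxt->devices_done & (1 << i)) != 0) continue;` ahead of the method-allowed check, as the `openssh-8.patch` variant above does, keeps the two skip reasons separate and the two patches easier to compare.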
Index: crypto/openssh/sshconnect.c
===================================================================
--- crypto/openssh/sshconnect.c (revision 285923)
+++ crypto/openssh/sshconnect.c (working copy)
@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hosta
{
int flags = 0;
char *fp;
+ Key *plain = NULL;

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
free(fp);

- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}

return check_host_key(host, hostaddr, options.port, host_key, RDRW,
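Review bot: `plain` is dereferenced by `key_is_cert(plain)` straight after `key_from_private(host_key)` with no NULL check; that relies on `key_from_private()` calling fatal() rather than returning NULL for an unsupported key type, which it does, and a one-line comment saying so would save the next reader the lookup. Otherwise the hunk matches the `openssh-8.patch` change above line for line apart from `free(fp)` in place of `xfree(fp)`, so the same documentation point applies: certificate host keys can now take the DNS early-accept `return 0` path that the old `!key_is_cert(host_key)` guard excluded.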
17
share/security/patches/SA-15:16/openssh.patch.asc
Normal file
@ -0,0 +1,17 @@
12
share/security/patches/SA-15:17/bind.patch
Normal file
@ -0,0 +1,12 @@
Index: contrib/bind9/lib/dns/tkey.c
===================================================================
--- contrib/bind9/lib/dns/tkey.c (revision 285922)
+++ contrib/bind9/lib/dns/tkey.c (working copy)
@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey
* Try the answer section, since that's where Win2000
* puts it.
*/
+ name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
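Review bot: the one-line fix (`name = NULL;` before the answer-section lookup) deserves a comment explaining why it is there: `dns_message_findname()` requires its `name` out-parameter to be NULL on entry, and the lookup that precedes this "Try the answer section" comment can leave `name` set when it finds the owner name but no TKEY rdataset, which turns this second call into a failed REQUIRE and an abort of the server. Without the comment a later cleanup is likely to drop the line as a redundant store. Also confirm that `tkeyset`, passed the same way, cannot be left set by that earlier failed lookup.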
17
share/security/patches/SA-15:17/bind.patch.asc
Normal file
@ -0,0 +1,17 @@
@ -10,6 +10,26 @@
<month>
<name>7</name>

<day>
<name>28</name>

<advisory>
<name>FreeBSD-SA-15:17.bind</name>
</advisory>

<advisory>
<name>FreeBSD-SA-15:16.openssh</name>
</advisory>

<advisory>
<name>FreeBSD-SA-15:15.tcp</name>
</advisory>

<advisory>
<name>FreeBSD-SA-15:14.bsdpatch</name>
</advisory>
</day>

<day>
<name>21</name>
