Add SA-15:14 - SA-15:17.
parent 0bacbbe09e
commit a670bd9852
Notes (svn2git): 2020-12-08 03:00:23 +00:00, svn path=/head/; revision=47125
19 changed files with 1757 additions and 0 deletions
share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc (new file, 134 lines)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:14.bsdpatch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          shell injection vulnerability in patch(1)

Category:       contrib
Module:         patch
Announced:      2015-07-28
Credits:        Martin Natano
Affects:        FreeBSD 10.x.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
CVE Name:       CVE-2015-1416

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The patch(1) utility takes a patch file produced by the diff(1) program and
applies the differences to an original file, producing a patched version.

The patch(1) utility supports certain version control systems, namely SCCS
and RCS, and attempts to get or check out the file before applying a patch
if the original file does not already exist.

II.  Problem Description

Due to insufficient sanitization of the input patch stream, it is possible
for a patch file to cause patch(1) to run commands in addition to the desired
SCCS or RCS commands.

III. Impact

This issue could be exploited to execute arbitrary commands as the user
invoking patch(1) against a specifically crafted patch file, which could be
leveraged to obtain elevated privileges.
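The defect and the shape of its fix side by side, as an added illustration that is not code from patch(1) or from the FreeBSD fix: the legacy CHECKOUT template "co -l %s" from common.h was expanded with a file name taken from the patch stream and handed to a shell, which re-parsed it, whereas the corrected form runs the absolute path /usr/bin/co through execv with the file name as a single argv element. The file name below is constructed and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Legacy shape: the CHECKOUT template removed by the fix. It was expanded
 * with the file name and handed to a shell, so the shell re-parsed it. */
#define CHECKOUT_FMT "co -l %s"
/* Fixed shape: the absolute path the patch introduces, run via execv. */
#define CHECKOUT_BIN "/usr/bin/co"

/* Expand the legacy template the way the vulnerable path did. Returns the
 * length of the command line that would have reached the shell, or -1 if it
 * does not fit in the buffer. */
static int build_shell_command(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, CHECKOUT_FMT, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* True if a POSIX shell would give any character in s a meaning of its own
 * (command separators, redirections, expansions, quoting, globbing). */
static bool has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`<>()\"'\\ \t\n*?[#~") != NULL;
}

/* Hardened shape: discrete argv entries, as in the patch's char *argp[4].
 * The file name is one element whatever bytes it holds; no shell is
 * involved, so nothing re-parses it. argv needs room for 4 pointers. */
static void build_checkout_argv(const char *filename, char *argv[4])
{
    argv[0] = (char *)CHECKOUT_BIN;
    argv[1] = (char *)"-l";
    argv[2] = (char *)filename;
    argv[3] = NULL;
}

/* Run argv without a shell. Returns the child's exit status, 127 when exec
 * fails (the shell's own convention), or -1 if fork or wait fails. */
static int run_without_shell(char *const argv[])
{
    int pstat;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &pstat, 0) < 0)
        return -1;
    return WIFEXITED(pstat) ? WEXITSTATUS(pstat) : -1;
}

int main(void)
{
    /* Constructed file name of the kind a crafted patch can carry. */
    const char *hostile = "foo.c; echo injected";
    char cmd[256];
    char *argv[4];

    build_shell_command(hostile, cmd, sizeof cmd);
    printf("shell form: \"%s\"   (metacharacters: %s)\n", cmd,
           has_shell_metachar(hostile) ? "yes" : "no");
    build_checkout_argv(hostile, argv);
    printf("execv form: argv[2] = \"%s\" as one argument\n", argv[2]);
    printf("execv rc=%d (127 means %s is not installed here)\n",
           run_without_shell(argv), CHECKOUT_BIN);
    return 0;
}
```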

IV.  Workaround

No workaround is available, but systems on which no privileged user applies
patches without first validating them are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is not required after updating.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r285976
releng/10.1/                                                      r285978
releng/10.2/                                                      r285979
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-15:15.tcp.asc (new file, 187 lines)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:15.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2015-07-28
Credits:        Patrick Kelsey (Norse Corporation)
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2015-1417

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

The underlying simple and potentially unreliable IP datagram
communication protocol may deliver segments out of order; therefore,
the TCP receiver needs to reassemble the segments into their
original sequence to provide a reliable octet stream. Because
reassembly requires additional resources to keep the queued segments,
resource exhaustion in the TCP reassembly path has historically been
prevented by limiting the total number of segments that could belong
to reassembly queues to a small fraction (1/16) of the total number of
mbuf clusters in the system.

VNET is a technique to virtualize the network stack, first introduced in
FreeBSD 8.0. It changes global resources in the network stack into
per-network-stack resources, so that a virtual network stack can be
attached to a jailed prison and the prison can have unrestricted access
to the virtual network stack. VNET is not enabled by default and has to
be enabled by recompiling the kernel.

II.  Problem Description

The introduction of VNET mistakenly converted the global limit on the
number of segments that could belong to reassembly queues into a
per-VNET limit. Because mbufs are allocated from a global pool, in the
presence of a sufficient number of VNETs the total number of mbufs
attached to reassembly queues can grow to the total number of mbufs in
the system, at which point all network traffic would cease.

III. Impact

An attacker who can establish concurrent TCP connections across a
sufficient number of VNETs and manipulate the inbound packet streams
such that the maximum number of mbufs are enqueued on each reassembly
queue can cause mbuf cluster exhaustion on the target system, resulting
in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can
belong to reassembly queues is 1/16 of the total number of mbuf
clusters in the system, only systems that have 16 or more VNET
instances are vulnerable.

IV.  Workaround

FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
(option VIMAGE) are not affected. The support has to be specifically
compiled into a custom kernel, so its use is not common.

For affected systems, system administrators may consider reducing
the net.inet.tcp.reass.maxsegments tunable to the value of
kern.ipc.nmbclusters divided by one greater than the total number of
VNETs that are going to be used in the system, in order to prevent a
Denial of Service via this vulnerability. For example, if there are
16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
should be set to kern.ipc.nmbclusters / 17.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc

[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
# gpg --verify tcp-9.3-10.1.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
# gpg --verify tcp-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
stable/10/                                                        r285976
releng/10.1/                                                      r285979
releng/10.2/                                                      r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-15:16.openssh.asc (new file, 188 lines)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:16.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-07-28
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating itself to the
server. SSH servers use host keys to verify their identity.

RFC 4255 defines a method of verifying SSH host keys using Domain
Name System Security (DNSSEC), by publishing the key fingerprint in
DNS with the "SSHFP" resource record. RFC 6187 defines methods to use
a signature by a trusted certification authority to bind a given public
key to a given digital identity with X.509v3 certificates.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.

OpenSSH uses PAM for password authentication by default.

II.  Problem Description

OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]

OpenSSH servers that are configured to allow password authentication
using PAM (the default) would allow many password attempts.

III. Impact

A malicious server may be able to force a connecting client to skip the DNS
SSHFP record check and require the user to perform manual verification
of the host key fingerprint. This could allow a man-in-the-middle attack
if the user does not carefully check the fingerprint. [CVE-2014-2653]

A remote attacker may effectively bypass the MaxAuthTries setting, which
would enable them to brute force passwords. [CVE-2015-5600]

IV.  Workaround

Systems that do not use OpenSSH are not affected.

There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSSEC and SSHFP are properly configured. Users who use
SSH should always check server host key fingerprints carefully when
prompted.

System administrators can set:

UsePAM no

in their /etc/ssh/sshd_config and restart the sshd service to work around
the problem described as CVE-2015-5600, at the expense of losing features
provided by the PAM framework.

We recommend that system administrators disable password-based
authentication completely and use key-based authentication exclusively in
their SSH server configuration, when possible. This eliminates the
possibility of ever being exposed to a password brute force attack.
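An added example, not code from OpenSSH or FreeBSD, that audits an sshd_config against the UsePAM workaround and the key-only recommendation above. It reads the global section the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, parsing stops at the first Match line) and reports the server as still exposed when PAM is in use and a password can still be offered, either as a plain password or through PAM's keyboard-interactive path; the defaults it assumes are stated in the comments, and the sample configs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* The directives the workaround and recommendation turn on. Defaults are
 * assumptions: UsePAM yes is the FreeBSD default the advisory names; the
 * other two are upstream OpenSSH defaults. */
struct sshd_auth {
    bool use_pam;
    bool password_auth;
    bool challenge_response;
};

/* sshd matches keywords case-insensitively. */
static bool kw_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool parse_yesno(const char *v, bool current)
{
    if (kw_equal(v, "yes")) return true;
    if (kw_equal(v, "no")) return false;
    return current;              /* unknown value: leave the setting alone */
}

/* Read the global section of an sshd_config. sshd honours the first
 * occurrence of each keyword, and everything after the first Match line is
 * conditional, so parsing stops there. Returns the number of directives
 * examined (comments and blank lines excluded). */
static int audit_sshd_config(const char *text, struct sshd_auth *out)
{
    bool seen_pam = false, seen_pw = false, seen_cr = false;
    int directives = 0;
    out->use_pam = true;
    out->password_auth = true;
    out->challenge_response = true;
    while (*text) {
        char line[512];
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len;
        if (*text == '\n') text++;
        /* keyword, then value, separated by whitespace or '=' */
        char *p = line;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#') continue;
        char *key = p;
        while (*p && !isspace((unsigned char)*p) && *p != '=') p++;
        if (*p) *p++ = '\0';
        while (isspace((unsigned char)*p) || *p == '=') p++;
        char *val = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        *p = '\0';
        if (kw_equal(key, "Match")) break;
        directives++;
        if (kw_equal(key, "UsePAM") && !seen_pam) {
            out->use_pam = parse_yesno(val, out->use_pam);
            seen_pam = true;
        } else if (kw_equal(key, "PasswordAuthentication") && !seen_pw) {
            out->password_auth = parse_yesno(val, out->password_auth);
            seen_pw = true;
        } else if (kw_equal(key, "ChallengeResponseAuthentication") && !seen_cr) {
            out->challenge_response = parse_yesno(val, out->challenge_response);
            seen_cr = true;
        }
    }
    return directives;
}

/* Still exposed if PAM is in use and a password can still be offered, as a
 * plain password or through PAM's keyboard-interactive path. */
static bool exposed_to_cve_2015_5600(const struct sshd_auth *a)
{
    return a->use_pam && (a->password_auth || a->challenge_response);
}

/* Constructed samples, not real host configurations. */
static const char CFG_DEFAULT[] = "Subsystem sftp /usr/libexec/sftp-server\n";
static const char CFG_WORKAROUND[] = "UsePAM no\n";
static const char CFG_HARDENED[] =
    "PasswordAuthentication no\n"
    "ChallengeResponseAuthentication = no\n"
    "usepam yes\n"
    "Match User backup\n"
    "    PasswordAuthentication yes\n";   /* conditional: outside the audit */

int main(void)
{
    struct sshd_auth a;
    audit_sshd_config(CFG_HARDENED, &a);
    return exposed_to_cve_2015_5600(&a) ? 1 : 0;   /* non-zero: still exposed */
}
```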

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The SSH service has to be restarted after the update. A reboot is recommended
but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The SSH service has to be restarted after the update. A reboot is recommended
but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the SSH service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
stable/10/                                                        r285976
releng/10.1/                                                      r285979
releng/10.2/                                                      r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-15:17.bind.asc (new file, 139 lines)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:17.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-07-28
Credits:        ISC
Affects:        FreeBSD 8.x and FreeBSD 9.x.
Corrected:      2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2015-5477

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

An error in the handling of TKEY queries can be exploited by an attacker
as a denial-of-service vector: a constructed packet can use the defect to
trigger a REQUIRE assertion failure, causing BIND to exit.

III. Impact

A remote attacker can trigger a crash of a name server. Both recursive and
authoritative servers are affected, and the exposure cannot be mitigated
by either ACLs or configuration options limiting or denying service, because
the exploitable code runs early in packet handling, before the checks
enforcing those boundaries.
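Since ACLs in named cannot filter this traffic, visibility has to come from outside the server. As an added detection example, not code from BIND or from the advisory, the parser below reads the question section of a DNS message and flags queries whose QTYPE is TKEY (249), the record type the advisory names, so such traffic can be logged or counted at a sensor while CVE-2015-5477 is unpatched. The packet bytes are constructed; the parser refuses compression pointers and truncated messages rather than guessing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_TYPE_TKEY 249   /* RFC 2930 */
#define DNS_HDR_LEN   12

struct dns_question {
    char name[256];       /* presentation form, labels joined with '.' */
    uint16_t qtype;
    uint16_t qclass;
};

/* Parse the first question of a DNS message. Returns the number of bytes
 * consumed up to the end of that question, or 0 if the message is truncated
 * or malformed. Compression pointers are refused rather than followed: a
 * detector should fail closed on input it cannot bound. */
static size_t parse_first_question(const uint8_t *msg, size_t len,
                                   struct dns_question *q)
{
    if (len < DNS_HDR_LEN)
        return 0;
    uint16_t qdcount = (uint16_t)(msg[4] << 8 | msg[5]);
    if (qdcount == 0)
        return 0;
    size_t off = DNS_HDR_LEN, nlen = 0;
    for (;;) {
        if (off >= len)
            return 0;
        uint8_t lab = msg[off++];
        if (lab == 0)
            break;
        if (lab & 0xC0)            /* pointer or reserved label type */
            return 0;
        if (off + lab > len || nlen + lab + 1 >= sizeof q->name)
            return 0;
        if (nlen)
            q->name[nlen++] = '.';
        memcpy(q->name + nlen, msg + off, lab);
        nlen += lab;
        off += lab;
    }
    q->name[nlen] = '\0';
    if (nlen == 0)
        strcpy(q->name, ".");      /* the root name */
    if (off + 4 > len)
        return 0;
    q->qtype = (uint16_t)(msg[off] << 8 | msg[off + 1]);
    q->qclass = (uint16_t)(msg[off + 2] << 8 | msg[off + 3]);
    return off + 4;
}

/* What a defender would log while CVE-2015-5477 is unpatched: a query (QR
 * bit clear) whose first question asks for TKEY. */
static bool is_tkey_query(const uint8_t *msg, size_t len)
{
    struct dns_question q;
    if (parse_first_question(msg, len, &q) == 0)
        return false;
    return (msg[2] & 0x80) == 0 && q.qtype == DNS_TYPE_TKEY;
}

/* Constructed sample: ID 0x1234, standard query, QDCOUNT 1, question
 * "example.com" TKEY IN. Not a captured packet. */
static const uint8_t SAMPLE_TKEY_QUERY[] = {
    0x12, 0x34, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0xF9,                    /* QTYPE 249 = TKEY */
    0x00, 0x01                     /* QCLASS IN */
};

int main(void)
{
    struct dns_question q;
    size_t used = parse_first_question(SAMPLE_TKEY_QUERY,
                                       sizeof SAMPLE_TKEY_QUERY, &q);
    printf("parsed %zu bytes: %s type %u class %u -> tkey=%d\n", used, q.name,
           q.qtype, q.qclass,
           is_tkey_query(SAMPLE_TKEY_QUERY, sizeof SAMPLE_TKEY_QUERY));
    return 0;
}
```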

IV.  Workaround

No workaround is available, but systems that are not running BIND are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://kb.isc.org/article/AA-01272>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

-----END PGP SIGNATURE-----

share/security/patches/SA-15:14/bsdpatch.patch (new file, 188 lines)

Index: usr.bin/patch/common.h
|
||||||
|
===================================================================
|
||||||
|
--- usr.bin/patch/common.h (revision 285926)
|
||||||
|
+++ usr.bin/patch/common.h (working copy)
|
||||||
|
@@ -43,12 +43,10 @@
|
||||||
|
#define LINENUM_MAX LONG_MAX
|
||||||
|
|
||||||
|
#define SCCSPREFIX "s."
|
||||||
|
-#define GET "get -e %s"
|
||||||
|
-#define SCCSDIFF "get -p %s | diff - %s >/dev/null"
|
||||||
|
|
||||||
|
#define RCSSUFFIX ",v"
|
||||||
|
-#define CHECKOUT "co -l %s"
|
||||||
|
-#define RCSDIFF "rcsdiff %s > /dev/null"
|
||||||
|
+#define CHECKOUT "/usr/bin/co"
|
||||||
|
+#define RCSDIFF "/usr/bin/rcsdiff"
|
||||||
|
|
||||||
|
#define ORIGEXT ".orig"
|
||||||
|
#define REJEXT ".rej"
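Review bot: `#define SCCSPREFIX "s."` is kept while GET and SCCSDIFF, the only macros that used it, are removed, so SCCSPREFIX is now dead (the inp.c hunks below also drop the two `try("%s/SCCS/%s%s", ...)` probes); either remove it in this hunk or state plainly in the commit message that SCCS checkout support is being dropped rather than re-implemented without a shell. Also, CHECKOUT and RCSDIFF change from printf-style command templates to bare absolute paths, so any remaining `snprintf(buf, buf_size, CHECKOUT, filename)` caller would still compile but build a useless string; the inp.c hunks convert both callers to execv(), and nothing else may keep using these macros as format strings.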
Index: usr.bin/patch/inp.c
===================================================================
--- usr.bin/patch/inp.c (revision 285926)
+++ usr.bin/patch/inp.c (working copy)
@@ -31,8 +31,10 @@
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/mman.h>
+#include <sys/wait.h>

#include <ctype.h>
+#include <errno.h>
#include <libgen.h>
#include <stddef.h>
#include <stdint.h>
@@ -133,12 +135,14 @@ reallocate_lines(size_t *lines_allocated)
static bool
plan_a(const char *filename)
{
- int ifd, statfailed;
+ int ifd, statfailed, devnull, pstat;
char *p, *s, lbuf[INITLINELEN];
struct stat filestat;
ptrdiff_t sz;
size_t i;
size_t iline, lines_allocated;
+ pid_t pid;
+ char *argp[4] = {NULL};

#ifdef DEBUGGING
if (debug & 8)
@@ -166,13 +170,14 @@ plan_a(const char *filename)
}
if (statfailed && check_only)
fatal("%s not found, -C mode, can't probe further\n", filename);
- /* For nonexistent or read-only files, look for RCS or SCCS versions. */
+ /* For nonexistent or read-only files, look for RCS versions. */
+
if (statfailed ||
/* No one can write to it. */
(filestat.st_mode & 0222) == 0 ||
/* I can't write to it. */
((filestat.st_mode & 0022) == 0 && filestat.st_uid != getuid())) {
- const char *cs = NULL, *filebase, *filedir;
+ char *filebase, *filedir;
struct stat cstat;
char *tmp_filename1, *tmp_filename2;

@@ -180,43 +185,26 @@ plan_a(const char *filename)
tmp_filename2 = strdup(filename);
if (tmp_filename1 == NULL || tmp_filename2 == NULL)
fatal("strdupping filename");
+
filebase = basename(tmp_filename1);
filedir = dirname(tmp_filename2);

- /* Leave room in lbuf for the diff command. */
- s = lbuf + 20;
-
#define try(f, a1, a2, a3) \
- (snprintf(s, buf_size - 20, f, a1, a2, a3), stat(s, &cstat) == 0)
+ (snprintf(lbuf, sizeof(lbuf), f, a1, a2, a3), stat(lbuf, &cstat) == 0)

- if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
- try("%s/RCS/%s%s", filedir, filebase, "") ||
- try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
- snprintf(buf, buf_size, CHECKOUT, filename);
- snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
- cs = "RCS";
- } else if (try("%s/SCCS/%s%s", filedir, SCCSPREFIX, filebase) ||
- try("%s/%s%s", filedir, SCCSPREFIX, filebase)) {
- snprintf(buf, buf_size, GET, s);
- snprintf(lbuf, sizeof lbuf, SCCSDIFF, s, filename);
- cs = "SCCS";
- } else if (statfailed)
- fatal("can't find %s\n", filename);
-
- free(tmp_filename1);
- free(tmp_filename2);
-
/*
* else we can't write to it but it's not under a version
* control system, so just proceed.
*/
- if (cs) {
+ if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
+ try("%s/RCS/%s%s", filedir, filebase, "") ||
+ try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
if (!statfailed) {
if ((filestat.st_mode & 0222) != 0)
/* The owner can write to it. */
fatal("file %s seems to be locked "
- "by somebody else under %s\n",
- filename, cs);
+ "by somebody else under RCS\n",
+ filename);
/*
* It might be checked out unlocked. See if
* it's safe to check out the default version
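Review bot: the two `free(tmp_filename1)` / `free(tmp_filename2)` lines deleted here must not be put back at this position: `filebase` and `filedir` are pointers into those buffers (returned by basename()/dirname()), and the `try(...)` probes that used to run before the frees now run inside the `if` that follows, so freeing here would hand stat() freed memory. The frees reappear after the whole RCS block in the next hunk, which is the right place, and the `} else if (statfailed) fatal("can't find %s\n", filename)` branch moves there with them, so a missing file that is not under RCS still fails the same way. The `s = lbuf + 20` reservation can go because lbuf no longer has to hold a command prefix; the removed `snprintf(buf, buf_size, CHECKOUT, filename)` followed by `system(buf)` was the point where the file name handed to plan_a() reached a shell unquoted.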
@@ -224,21 +212,59 @@ plan_a(const char *filename)
*/
if (verbose)
say("Comparing file %s to default "
- "%s version...\n",
- filename, cs);
- if (system(lbuf))
+ "RCS version...\n", filename);
+
+ switch (pid = fork()) {
+ case -1:
+ fatal("can't fork: %s\n",
+ strerror(errno));
+ case 0:
+ devnull = open("/dev/null", O_RDONLY);
+ if (devnull == -1) {
+ fatal("can't open /dev/null: %s",
+ strerror(errno));
+ }
+ (void)dup2(devnull, STDOUT_FILENO);
+ argp[0] = strdup(RCSDIFF);
+ argp[1] = strdup(filename);
+ execv(RCSDIFF, argp);
+ exit(127);
+ }
+ pid = waitpid(pid, &pstat, 0);
+ if (pid == -1 || WEXITSTATUS(pstat) != 0) {
fatal("can't check out file %s: "
- "differs from default %s version\n",
- filename, cs);
+ "differs from default RCS version\n",
+ filename);
+ }
}
+
if (verbose)
- say("Checking out file %s from %s...\n",
- filename, cs);
- if (system(buf) || stat(filename, &filestat))
- fatal("can't check out file %s from %s\n",
- filename, cs);
+ say("Checking out file %s from RCS...\n",
+ filename);
+
+ switch (pid = fork()) {
+ case -1:
+ fatal("can't fork: %s\n", strerror(errno));
+ case 0:
+ argp[0] = strdup(CHECKOUT);
+ argp[1] = strdup("-l");
+ argp[2] = strdup(filename);
+ execv(CHECKOUT, argp);
+ exit(127);
+ }
+ pid = waitpid(pid, &pstat, 0);
+ if (pid == -1 || WEXITSTATUS(pstat) != 0 ||
+ stat(filename, &filestat)) {
+ fatal("can't check out file %s from RCS\n",
+ filename);
+ }
+ } else if (statfailed) {
+ fatal("can't find %s\n", filename);
}
+ free(tmp_filename1);
+ free(tmp_filename2);
}
+
filemode = filestat.st_mode;
if (!S_ISREG(filemode))
fatal("%s is not a normal file--can't patch\n", filename);
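Review bot: `devnull = open("/dev/null", O_RDONLY)` is dup2()'d onto STDOUT_FILENO, so rcsdiff's stdout is a read-only descriptor and every write to it fails with EBADF; open it O_WRONLY, which is what the old `rcsdiff %s > /dev/null` redirection did. Second, both waitpid() checks read `WEXITSTATUS(pstat)` without testing `WIFEXITED(pstat)` first; if co or rcsdiff dies from a signal the exit status is meaningless and can read as 0, so the "can't check out" fatal() is skipped and patching proceeds. Third, the child paths call fatal() and `exit(127)` after a failed execv(); in a forked child `_exit()` is the safe call, since exit() runs the parent's atexit handlers and flushes its stdio buffers a second time. Minor: the strdup() results stored in argp are unchecked, so an allocation failure would exec with a NULL argv[0], and `devnull` is never closed after the dup2(), so the spare descriptor is inherited by rcsdiff. The execv() on the absolute CHECKOUT/RCSDIFF paths is the actual fix: neither PATH nor a shell is consulted any more, and the file name is passed as a single argv entry.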
17
share/security/patches/SA-15:14/bsdpatch.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FwAAoJEO1n7NZdz2rno1wP/1dqyumvREi7i84Ab2ew+X+x
YNbhqkhP/Q0+uwF68nbV1StAyuPZ85fSTy//19W0L3YU31vkZgz2B5N6Vl1Walpx
UGk/6LGm2U8xzRRSOgThSthbUbXI4cAAjxmAuUkgd5br9g8KZo+h9LQNKpv+6Caa
OCsTKZMwA81ImiOODCvJ9FQy7hQVBSQhssCVEZScU7aR+86FRhNy0a6tHX1Y8dkk
LLhOJprZgG6JHR9fr+g0fCSjerYWKml4QlgpbXy/Fp3mIYfsnf8K9MaKa3KBLjOZ
AoggAB/tNA+e9imXy8En/J5aZqMwhjDZNrWHACaDXB9kMrNEE8Nwp3gFMgpURGWf
NFd8x+5SDv6yG+1xM1X/ywP9mVDQqySactLnGoEF77ANNEFVat9KafbPESckiqa7
qw83IaO5/9P/IaZik+19SzOsJ9sZGRaco70HfAZA9r/SD+SLc+4U1PAdY0QxGdB6
n7Ap088KK/GfiIF4ra5AqNDFquEWTPdkVqb+55Lv7eKgg1/S0rm7Ou7Z/lbBQerw
QIJzcem/KDcPJxM3tkxumqMdzggwUCPtrxB6vDEjLMKSN/33I2iYD47UhP+rFjw5
cdnrrqVgw0zt+p5vAubJJegk+aVWfy7QRcHaQb/FA5MYkOVKQP69lboa7PX4M+Pn
EjipG4vadjqdZaYzuBhF
=fzsn
-----END PGP SIGNATURE-----
203
share/security/patches/SA-15:15/tcp-8.patch
Normal file
@ -0,0 +1,203 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -80,29 +80,25 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
+static int tcp_reass_maxseg = 0;
SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,
CTLTYPE_INT | CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0, &tcp_reass_sysctl_maxseg, "I",
+ &tcp_reass_maxseg, 0, &tcp_reass_sysctl_maxseg, "I",
"Global maximum number of TCP Segments in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_qsize) = 0;
-#define V_tcp_reass_qsize VNET(tcp_reass_qsize)
-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+static int tcp_reass_qsize = 0;
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_qsize), 0, &tcp_reass_sysctl_qsize, "I",
+ &tcp_reass_qsize, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */
static void
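Review bot: `SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,` is left untouched while its arg1 becomes the plain global `&tcp_reass_maxseg`; the cursegments node a few lines below is converted to `SYSCTL_PROC` in this same hunk and maxsegments should be too. The VNET variant marks the node vnet-relative, which is only correct for a `VNET_NAME()` pointer; on a kernel built with VIMAGE the sysctl layer rebases such an arg1 by the current vnet's data base before calling `tcp_reass_sysctl_maxseg`, so sysctl_handle_int() would read the value from a bogus address. tcp-9.3-10.1.patch and tcp.patch use `SYSCTL_INT` for this node, so the mismatch is specific to this stable/8 version.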
@@ -109,34 +105,25 @@ static void
tcp_reass_zone_change(void *tag)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
}

void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
- uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
+ uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}

-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
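Review bot: `tcp_reass_zone_change()` sets `tcp_reass_maxseg = nmbclusters / 16` and calls uma_zone_set_max() without reading back the effective limit, unlike the same function in tcp-9.3-10.1.patch and tcp.patch, where both call sites do `tcp_reass_maxseg = uma_zone_set_max(...)`. The stable/8 code gets away with it because `tcp_reass_sysctl_maxseg` refreshes the variable from uma_zone_get_max() on every read, but a one-line comment here would stop someone from "fixing" the asymmetry later. The deletion of the `#ifdef VIMAGE` tcp_reass_destroy() block is correct for a single global zone that lives for the life of the kernel; the surviving `void` line now belongs to `tcp_reass_flush`, which is why the later `-void` is dropped.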
@@ -146,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}

@@ -158,7 +145,7 @@ tcp_reass_flush(struct tcpcb *tp)
static int
tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
{
- V_tcp_reass_maxseg = uma_zone_get_max(V_tcp_reass_zone);
+ tcp_reass_maxseg = uma_zone_get_max(tcp_reass_zone);
return (sysctl_handle_int(oidp, arg1, arg2, req));
}

@@ -165,7 +152,7 @@ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
static int
tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
- V_tcp_reass_qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ tcp_reass_qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, arg1, arg2, req));
}

@@ -213,7 +200,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
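Review bot: `tcp_reass_overflows++` now bumps one kernel-wide counter from every vnet and every CPU with a plain non-atomic increment, so concurrent drops can lose counts. That was already true per vnet before this change and is tolerable for a diagnostic counter, but a comment marking `net.inet.tcp.reass.overflows` as best-effort (or an atomic_add_int) would keep the next reader from treating it as exact. The drop decision itself is untouched: it still compares the per-connection `tp->t_segqlen` against the socket buffer high-water mark, while the new global cap is enforced separately by uma_zone_set_max() on the zone, so out-of-order segments that pass this test can still be refused with `te == NULL` in the next hunk.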
@@ -232,7 +219,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -283,7 +270,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -320,7 +307,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -359,7 +346,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -375,7 +375,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -385,6 +384,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;

+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
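Review bot: `tcp_reass_global_init()` is now called after the `if (!IS_DEFAULT_VNET(curvnet)) return;` guard, so it runs once at boot in the default vnet instead of once per vnet as `tcp_reass_init()` did (the previous hunk removes that call from the per-vnet part of tcp_init), and that is what makes the zone limit global again. Two consequences belong in the commit message: zone creation now happens later in tcp_init, after the syncache, hostcache and sack setup, which is fine as long as no segment can reach tcp_reass() before the default vnet has finished initialising; and `EVENTHANDLER_REGISTER(nmbclusters_change, ...)` is now registered once rather than once per vnet, so the old code's stacked registrations (tcp_reass_destroy never deregistered them) also go away.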
@@ -424,7 +425,6 @@ void
tcp_destroy(void)
{

- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -653,11 +653,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, int *);
u_long tcp_maxmtu6(struct in_conninfo *, int *);
17
share/security/patches/SA-15:15/tcp-8.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FwAAoJEO1n7NZdz2rn4a0QAJNILy1kqMl42ffd2sO4NOmy
hHJ18P1zAEFb2Q5HdbQOVnY8ssJWlbXK8kf0S0m/gw+xQ+SXnz6JtLDIqxhM/4kP
r+s3ae3hVOLoNf0oz9Qdpbv/eZcfqfZSTFxiPXZC8J1pRH7qE7pH6jybfTHpNczg
7NrtgmK2poMgOrIkDUoUK8Xb5Pjg2Pfz07nEYuESA6yVUrlEk8izZq9HFos2eOff
gpfwjVr1zm5s8rIX/YP0oUKBcsdUlgk6zF6JCnOhO5cysy0rzMcz+HBMo0CigDS/
kmeQu59JpHVY4E//LGvNTXAVqOSEnERdSSZqcc7sZaqyEfJXRSYrrnq/57c9YnVm
qc/Q9D0kvEQhwzQgGJUG6OmKG3fkBTT44+rwlzB3TVBNXNoZNeY7uoOi/OyPu4JT
ejZse+Qq7X/f5oZT2CNScHkW/jLYBnFGwHGmyg5AZUf0evN8GvO6Z1yMxmnUzBqE
6J3oO6re/8I7L78PqTjXGh36rK6a2MZF/J5t24JilSvLgyhZx4VNDDHgv87KqCdA
fSMKaoyn6UwvVR/j1XP3ACcukBLjuFjsgH25Q97ESgijnte050DgabOBmsBawwVb
MCAZdSw3iczhCE9nrpNehX5zdnw9XYy70HJN8hVVfGjdyjzJazEkC8a+U+teHrTp
v3p8ijYPt0dRz8siZusT
=ETv1
-----END PGP SIGNATURE-----
194
share/security/patches/SA-15:15/tcp-9.3-10.1.patch
Normal file
@ -0,0 +1,194 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0,
+static int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+ &tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");

-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLTYPE_INT | CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */
static void
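Review bot: `maxsegments` keeps `CTLFLAG_RDTUN`, so after this change the single kernel-wide cap is read-only at runtime and can only be raised through the `net.inet.tcp.reass.maxsegments` loader tunable. Since the default `nmbclusters / 16` budget is now shared by every vnet instead of being granted to each, hosts running many vnet jails can see `overflows` climb where they did not before; the advisory or commit message should tell operators with such setups to revisit the tunable. Unlike tcp-8.patch, this hunk converts maxsegments to `SYSCTL_INT` along with the other nodes, so the sysctl declarations are consistent here.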
@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
{

/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = nmbclusters / 16;
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
}

void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}

-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}

@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
int qsize;

- qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, &qsize, 0, req));
}

@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -353,7 +341,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -375,7 +375,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -385,6 +384,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;

+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
@@ -432,7 +433,6 @@ void
tcp_destroy(void)
{

- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -666,11 +666,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
17
share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FwAAoJEO1n7NZdz2rn4MsP/1RRuWMRR2G2slK+cuaUhzHI
Zmr11d2Wf3MfnV4gyS36bei8RKUSlg1HpPoztjheMerfFuK+vV+thkysakKdAAkC
P5p5rqZSoQZ4rLjFFQwDkM0tm5CZQeVMiosz2KGHzEHUF/RVKeQ3tuOFWrEIyUdq
DzHsrS67CBW7KQzoauN/7p+RDtepajSgRPMcsIZ6SyMqhHCX/3ugSXANnexJw5It
YBbImj3PnIsMsKNvPLFx8zAvJxM4aEIhUfiJfpYlVXEVeSyIoxMRmrjDcrW8zrU9
1c1qx4s0nRRsnv7qKK79W4XES4ebppNUbtFk6wdJKdt1kzMvEAFNm0P5Li86aTTn
hksIS3DW3zcFFgMCHl6levunXKBv/Jot7DP8sfYGbxMRHbAI/Gs+QnxzLEPFeU7I
1BGrrVbE3f+sRgDirblhfVQdUsjTNQN7UzEs1Da4jTnfqKiE9o+cLe9uoXoRNLjJ
tnI/lK/XFh7fAczIaloOzClwid63W8cVe7SRIYFa2edAGzcnR4+AK+ZFFVadxUJ1
kQiO12nfnDFA00/FYrgm8jfwL4luINUrq9iQQCoSH6FJZ8H/W2jgZd/s6VCAd/bN
lwDok1Mn1r3Mkr8MAnh7XhAHWUFdEjXljPkcRTCOj4+NRmfpalLBnMroH12ofzl4
1C+wnnPtqXm2GysW0U/K
=KVcG
-----END PGP SIGNATURE-----
194
share/security/patches/SA-15:15/tcp.patch
Normal file
@ -0,0 +1,194 @@
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c (revision 285923)
+++ sys/netinet/tcp_reass.c (working copy)
@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
- &VNET_NAME(tcp_reass_maxseg), 0,
+static int tcp_reass_maxseg = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+ &tcp_reass_maxseg, 0,
"Global maximum number of TCP Segments in Reassembly Queue");

-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
(CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
"Global number of TCP Segments currently in Reassembly Queue");

-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+static int tcp_reass_overflows = 0;
+SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
CTLFLAG_RD,
- &VNET_NAME(tcp_reass_overflows), 0,
+ &tcp_reass_overflows, 0,
"Global number of TCP Segment Reassembly Queue Overflows");

-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
-#define V_tcp_reass_zone VNET(tcp_reass_zone)
+static uma_zone_t tcp_reass_zone;

/* Initialize TCP reassembly queue */
static void
@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
{

/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = nmbclusters / 16;
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
}

void
-tcp_reass_init(void)
+tcp_reass_global_init(void)
{

- V_tcp_reass_maxseg = nmbclusters / 16;
+ tcp_reass_maxseg = nmbclusters / 16;
TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
- &V_tcp_reass_maxseg);
- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ &tcp_reass_maxseg);
+ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
/* Set the zone limit and read back the effective value. */
- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
- V_tcp_reass_maxseg);
+ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
+ tcp_reass_maxseg);
EVENTHANDLER_REGISTER(nmbclusters_change,
tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
}

-#ifdef VIMAGE
void
-tcp_reass_destroy(void)
-{
-
- uma_zdestroy(V_tcp_reass_zone);
-}
-#endif
-
-void
tcp_reass_flush(struct tcpcb *tp)
{
struct tseg_qent *qe;
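Review bot: `tcp_reass_zone_change()` unconditionally resets `tcp_reass_maxseg = nmbclusters / 16` whenever an nmbclusters_change event fires, so a value supplied through the `net.inet.tcp.reass.maxsegments` tunable in `tcp_reass_global_init()` is silently overwritten the first time kern.ipc.nmbclusters is raised at runtime. The behaviour predates this patch, but with the handler now registered once from the default vnet the effect is system-wide, so either remember whether the tunable was set and skip the reset, or say in the sysctl description that the limit tracks nmbclusters. The read-back `tcp_reass_maxseg = uma_zone_set_max(...)` at both call sites is good: the reported limit stays equal to what UMA actually enforces.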
|
||||||
|
@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
LIST_REMOVE(qe, tqe_q);
m_freem(qe->tqe_m);
- uma_zfree(V_tcp_reass_zone, qe);
+ uma_zfree(tcp_reass_zone, qe);
tp->t_segqlen--;
}

@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
{
int qsize;

- qsize = uma_zone_get_cur(V_tcp_reass_zone);
+ qsize = uma_zone_get_cur(tcp_reass_zone);
return (sysctl_handle_int(oidp, &qsize, 0, req));
}

@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
*/
if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
- V_tcp_reass_overflows++;
+ tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
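Review bot: `tcp_reass_overflows++` in this hunk is a plain read-modify-write on a global that is now shared by every connection on the system, and tcp_reass() runs under the per-connection inpcb lock rather than any global lock, so simultaneous overflows on different CPUs can lose increments. The per-vnet version had the same race with a smaller population; if the counter is meant to be exact, convert it to counter(9), otherwise note in a comment that it is an approximate diagnostic.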
@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
* Use a temporary structure on the stack for the missing segment
* when the zone is exhausted. Otherwise we may get stuck.
*/
- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
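Review bot: with one zone shared by all vnets, the `te == NULL` branch here now fires for every vnet as soon as any single vnet has consumed the whole `tcp_reass_maxseg` budget, so out-of-order data for unrelated jails starts being dropped together; the on-stack fallback described in the comment above only keeps the in-sequence case moving. That is a deliberate trade of per-vnet isolation for one enforceable global limit, but the comment still describes exhaustion as a local condition and should say that the budget is global.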
@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
if (te != &tqs)
- uma_zfree(V_tcp_reass_zone, te);
+ uma_zfree(tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
nq = LIST_NEXT(q, tqe_q);
LIST_REMOVE(q, tqe_q);
m_freem(q->tqe_m);
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
}
@@ -353,7 +341,7 @@ present:
else
sbappendstream_locked(&so->so_rcv, q->tqe_m);
if (q != &tqs)
- uma_zfree(V_tcp_reass_zone, q);
+ uma_zfree(tcp_reass_zone, q);
tp->t_segqlen--;
q = nq;
} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
Index: sys/netinet/tcp_subr.c
===================================================================
--- sys/netinet/tcp_subr.c (revision 285923)
+++ sys/netinet/tcp_subr.c (working copy)
@@ -376,7 +376,6 @@ tcp_init(void)
tcp_tw_init();
syncache_init();
tcp_hc_init();
- tcp_reass_init();

TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
@@ -386,6 +385,8 @@ tcp_init(void)
if (!IS_DEFAULT_VNET(curvnet))
return;

+ tcp_reass_global_init();
+
/* XXX virtualize those bellow? */
tcp_delacktime = TCPTV_DELACK;
tcp_keepinit = TCPTV_KEEP_INIT;
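Review bot: tcp_reass_global_init() is placed after the `IS_DEFAULT_VNET(curvnet)` early return, so it runs once, for the default vnet, and only after that vnet's per-vnet work above it (the sackhole zone in the previous hunk) is done. That is correct only because the default vnet is initialized before any other vnet can feed a segment to tcp_reass(); the dependency is implicit, so a comment at the call site saying the reassembly zone is global and must exist before the first non-default vnet comes up would save the next reader a trip. (Pre-existing: the context comment reads "bellow".)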
@@ -433,7 +434,6 @@ void
tcp_destroy(void)
{

- tcp_reass_destroy();
tcp_hc_destroy();
syncache_destroy();
tcp_tw_destroy();
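Review bot: removing tcp_reass_destroy() from tcp_destroy() is required now that the zone is global, but it also means a vnet's reassembly entries are no longer reclaimed wholesale at teardown; every tcpcb belonging to the dying vnet must go through tcp_reass_flush() (the per-connection path is not in this diff) or its queued `tseg_qent` entries leak from the shared zone for the life of the kernel. Worth confirming on the vnet shutdown path and stating in the commit message.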
Index: sys/netinet/tcp_var.h
===================================================================
--- sys/netinet/tcp_var.h (revision 285923)
+++ sys/netinet/tcp_var.h (working copy)
@@ -679,11 +679,8 @@ char *tcp_log_addrs(struct in_conninfo *, struct t
char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
const void *);
int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
-void tcp_reass_init(void);
+void tcp_reass_global_init(void);
void tcp_reass_flush(struct tcpcb *);
-#ifdef VIMAGE
-void tcp_reass_destroy(void);
-#endif
void tcp_input(struct mbuf *, int);
u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);

17
share/security/patches/SA-15:15/tcp.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FwAAoJEO1n7NZdz2rnao8P/jUT5a0o9qZ9PjyVQCaMYGpz
y7HZylgcfVMxLGipVqS0H9vwoF7EgGwHSPn5U3YT3LxXJ5ptuGrDUfOHy5vtm6eT
AEDGKrR22sd7Thz+U821jlTKo9PLQr51bBwUjRhs4FHuAbCNX8A+Enjdb7Fo1oox
1AJBLbnvcZAwfRdURAtj864Mx81lQ58+AC1tKW4vlagd75tsoew7MEjPrW1ObTSy
Pl7R9SV8EnTianAyuoMZSQaGgA9kkPuG8e21+PhfQG9+enP3D2Sgad4VWfcV8KAd
CwyJDJ7Tu8mY7FvYmd0XZr5GfM634FGV9M/wGnDXslSZgFNSt83IULmnKIuKNnjJ
p3Map3//tZchR4/DT04q5fxcX1rWiGN+RbjYzHtttfr8i/h1rRq7BK2BWn1oM4h0
AzMKR4N1AEaa1huTZoucuaPWZ4P+6pMUm1uSd0SuJkhZuF2Lj/BlD+SlSANEYAjr
ajWh5hjTordmV/HXaNIcwZDIn5EN9pVm4UHcPD4x5z5eQ3r2w2kssfKusNWa5EUL
Hqh+PuNS00e2Opp6cF+tBUF+1zJyOYEWSMlYmYDG/J+MhlRWmOr5FobGCa7dUHYt
KvgkHmef/5Z45mTFIiD5jygNYNuxs3L0xUXFxd+2XlXPu9fKfXHtaV7aS1VozIpR
rSHM3bqswflAY+A0FHK1
=kwzI
-----END PGP SIGNATURE-----

89
share/security/patches/SA-15:16/openssh-8.patch
Normal file
@ -0,0 +1,89 @@
Index: crypto/openssh/auth2-chall.c
===================================================================
--- crypto/openssh/auth2-chall.c (revision 285923)
+++ crypto/openssh/auth2-chall.c (working copy)
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};

#ifdef USE_PAM
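Review bot: `devices_done` is only ever OR-ed into by this patch and is never cleared or explicitly set to zero, so correctness rests on the KbdintAuthctxt being zero-filled where it is allocated, which is not in this diff; check that kbdint_alloc() uses a zeroing allocator. As a `u_int` bitmask indexed by `1 << i`, it also silently caps `devices[]` at 32 entries, which deserves a comment next to the field.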
@@ -169,9 +170,14 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)

if (len == 0)
break;
- for (i = 0; devices[i]; i++)
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ for (i = 0; devices[i]; i++) {
+ if ((kbdintctxt->devices_done & (1 << i)) != 0)
+ continue;
+ if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
+ }
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
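Review bot: the new `devices_done` test means a device index can be selected at most once per context, so a client that repeats the same name in its `devices` list no longer gets that device re-selected on every pass; that is the fix. Two pre-existing behaviours survive unchanged and are worth a comment or a small follow-up: strncmp() is bounded by the client-supplied `len`, so a request token that is a proper prefix of a device name still matches it, and because the loop does not `break` after a match, one token matching two names sets both bits and leaves the later one in `device`. A `break` after `devices_done |= 1 << i` would make the selection unambiguous.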
Index: crypto/openssh/sshconnect.c
===================================================================
--- crypto/openssh/sshconnect.c (revision 285923)
+++ crypto/openssh/sshconnect.c (working copy)
@@ -1141,29 +1141,39 @@ verify_host_key(char *host, struct sockaddr *hosta
{
int flags = 0;
char *fp;
+ Key *plain = NULL;

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
xfree(fp);

- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}

return check_host_key(host, hostaddr, options.port, host_key, RDRW,
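Review bot: the old guard `!key_is_cert(host_key) && options.verify_host_key_dns` meant a server presenting a certificate host key bypassed the SSHFP lookup entirely, leaving `flags` at 0 and `matching_host_key_dns` unset, so a certificate was a way to opt the client out of DNS verification; the rewrite always queries DNS for the plain key (after key_drop_cert() on the copy when needed), which closes that. One consequence worth stating in the comment: on the `verify_host_key_dns == 1` + DNS_VERIFY_MATCH + DNS_VERIFY_SECURE path the function returns 0 before check_host_key() ever sees the certificate, so the host is accepted on the strength of the plain key in DNS alone and the certificate's own validity (signing CA, principals, validity period) is never evaluated on that path. That is the same trust a non-certificate host key gets, but it is a change from the previous behaviour for certificate hosts. `plain` is freed on both the early-return and the fall-through path, so no leak.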
17
share/security/patches/SA-15:16/openssh-8.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FxAAoJEO1n7NZdz2rnH7cP/2bAQDMzE4S6t+gt28nd7aSh
GquAc96zD52sDz+IKyOBqQA9wsrHDnoaVQjQpavhx2qxsf+rsEvEejtvX1zdtH5o
DfNz5kArYTgw5F/MuvgXBAgwEZqPamRZdi96KuL8gGCu0nFlTx7S/jayyickPrsk
S03hXfDSZsFUi6bGHo+lMK0aaunZ26wSRuVU7Pb0JjtUiGgsM/YDy9uW2STTzGMl
E8iyjHUM8gfM7q/xmFXFIxWC3L5IkurjvCGd7RXltyagHRPxzj1N6NYu4jXQgogZ
yr9N2lDSZZaS3yoextvpR9lg+J2qDysgMEbsR0GPG1fsc/po8YuPvpT1cak8Vtk8
fQVs4MJMMwMfUW2QwIBnjNqA0V8unHCtd5ViDOnpHM7g+enHqCXNWxhidKSasZi/
0+RwFnyYi+JZs2aSpmAJdeQXuPKcNkXg8fhiU/SaRo7jFWwfgHhfj600b/To+l2J
0h6U5RmXi0RAJiibm6NqgJ/q7/lJTDNGyauM22AAWd47m75/2aO5uH0k4nZRaLbd
yi69978sXpw15jflP674lFOjVWMDZf2hZcNr2E8TJsriuYSymX0FcA/zSQ/3NhaR
1AqutoKu2zpqk5diXEKdov+rJ+kaEp0S+0tRxSWNh4eRORlt8ORvvtTS4UgaJHZg
yGBXrZcEks5bxpFSI2ys
=NdGQ
-----END PGP SIGNATURE-----

90
share/security/patches/SA-15:16/openssh.patch
Normal file
@ -0,0 +1,90 @@
Index: crypto/openssh/auth2-chall.c
===================================================================
--- crypto/openssh/auth2-chall.c (revision 285923)
+++ crypto/openssh/auth2-chall.c (working copy)
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};

#ifdef USE_PAM
@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthc
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
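Review bot: ordering the `devices_done` test ahead of auth2_method_allowed() in the `||` is right: a device the client has already used is rejected before any AuthenticationMethods policy lookup, and a device the policy forbids is neither selected nor marked done. Two things the rewrite leaves alone are worth a comment: strncmp() bounded by the client's `len` still prefix-matches device names, the loop does not `break` on a match so a token matching two names sets both bits and leaves the later one in `device`, and `1 << i` on a `u_int` caps `devices[]` at 32 entries.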
Index: crypto/openssh/sshconnect.c
===================================================================
--- crypto/openssh/sshconnect.c (revision 285923)
+++ crypto/openssh/sshconnect.c (working copy)
@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hosta
{
int flags = 0;
char *fp;
+ Key *plain = NULL;

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp);
free(fp);

- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}

return check_host_key(host, hostaddr, options.port, host_key, RDRW,
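Review bot: `key_from_private(host_key)` is now called for every host key, certificate or not, and the copy is then freed on two separate paths (before the early `return 0` and at the end of the block); a single exit that frees `plain` once, or making the copy only when key_is_cert() is true, would make the next edit to this block harder to get wrong. The substance matches the openssh-8.patch hunk for the older tree: a certificate host key no longer skips the SSHFP lookup, because the comparison is done against the plain key.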
17
share/security/patches/SA-15:16/openssh.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FxAAoJEO1n7NZdz2rn2NkP/RBSyWex/lwblNKDYQpEu2jZ
Gc+opzaFAVfWHrlKNhcQDb9haoeuLo7+lJwIS/e1CvtV0opT2AKR/RFLtsYGOAmp
ydLPigTkw2kfEH/gyDiRxfFcqZ5UzlKIQGPre1/FE2HNjYHOUSnJp+K+cPJ81cJQ
bYICXuSvnhhpasak/3CwHKGgGKv7YyrE1pGfE79e52M404484VkW1dCqfE+URRr0
fiDIchhHFKjNM/Ycgr5iyZmisBgtupLC/aIHJzBE+h/tCUjApSTJMyroUB6P70lx
zeRPVEgcMJQi2K9MPXvuK78Ko4MjqrhVc05ufaqb0aEbBFMBGDyuFf8s5yHiluhK
YU047m2bbjDny7DJPrqEyg0X7vRCcHXjw0gBju1P3D2lpLdL+t5VX9VEvh0pfnDi
u7uXZGejhm4Nr5GsNZoNAiLL7wScOS6MVB52Fy0HPL1TqUcCddiyw+rc2rmj4VbH
ZwlHs4ecMeNyPYGmXvt7Kg4fZ3T19S8EypjrUdKqZbgI+0keNu77QD7/llEck9nu
ArM/386qrUX+F6V74PpSMNpjN49fMccKqPnImUyrc7EofeTinIfT5Z9Rw+K1xw+D
QkZtKhQXENNG3FeBWg11jvWywGkfj+4arlxDyfx04SwVYMHlTwMVj37NNaRrUjJ9
/1HdVB06GZS5dA5thOzB
=d3dY
-----END PGP SIGNATURE-----

12
share/security/patches/SA-15:17/bind.patch
Normal file
@ -0,0 +1,12 @@
Index: contrib/bind9/lib/dns/tkey.c
===================================================================
--- contrib/bind9/lib/dns/tkey.c (revision 285922)
+++ contrib/bind9/lib/dns/tkey.c (working copy)
@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey
* Try the answer section, since that's where Win2000
* puts it.
*/
+ name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
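Review bot: this one-line reset is the entire fix, and its importance is not obvious from the hunk: dns_message_findname() REQUIREs that `*name` be NULL on entry, and the earlier lookup that this "try the answer section" retry follows (above the hunk, not shown) can return failure while having already stored the matched name in `name`, when the query name exists but carries no TKEY rdataset. Without `name = NULL;` the retry shown here trips that assertion and terminates named on a query any remote client can send. `tkeyset` needs no matching reset because it is only written on success; a comment to that effect would stop the next reader from adding one, or from wondering whether this one is needed.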
17
share/security/patches/SA-15:17/bind.patch.asc
Normal file
@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAABCgAGBQJVt+FxAAoJEO1n7NZdz2rnse8P/2/topHY/AW0sJmsMFGDcCQl
6nYAyoriO354QXif99lFSMVjY6PeI35N8gLb9560Pcv2RBvyv55Bk9wPsCLIAzId
KZKmIlgw14kT5n1usyLoMRPbXcn37sKi3xdLOGIrGBP9d8VaCvRWUxC9Qh3pg4fQ
9dGsbso+5BI15/lqATI5xawu8lljHufwM46BUXpWqK63xyqBAsVNHbOoj+fhneNI
Bw14K6x1qOQNuv4Ri/39TWp5UCfPrhwZ2qpsIEp9oT7Jgvvs16ErqbY7UoxnD4pF
Jo4DCH2lZjesSlz05w9iam/PkQed5ltYvCK0rdyTfhjqB/Px6zd0xUvy40Pg+w5G
VY25+LSSJMtkQe88TbOW+SzcopPYwUZ88CgExoUPyn5Cd7Sv5GsNCAmoXhFA/0Of
BRT9h9KFD9VE1juAnlgB2Hp1MkBlfoqG2/ytomctvUjFLKRUGLmvkFTgshNqYgD1
6NDYri4sqDEHeKMhVvVVqTPciCg8kwAX2h1sLBca8fbXsyanzvEieM5RrxJdyaeH
856lhb2fnRECUdWA9vKModtqI3mUF76tP6/4GI7GdxaCmWWCRpPsJY7eubNEKqVX
jNT20ymBkchl/GAPshedz+xG7yGdO54wE14dwV9lgFLlup41w83DKQH4vm0DS+q/
GCgaLCun78PU/GjzYQh7
=uz3V
-----END PGP SIGNATURE-----

@ -10,6 +10,26 @@
<month>
<name>7</name>

<day>
<name>28</name>

<advisory>
<name>FreeBSD-SA-15:17.bind</name>
</advisory>

<advisory>
<name>FreeBSD-SA-15:16.openssh</name>
</advisory>

<advisory>
<name>FreeBSD-SA-15:15.tcp</name>
</advisory>

<advisory>
<name>FreeBSD-SA-15:14.bsdpatch</name>
</advisory>
</day>

<day>
<name>21</name>
