Add EN-17:01-04, SA-17:02.

This commit is contained in:
Xin LI 2017-02-23 07:28:05 +00:00
parent dee8d95b16
commit af7b670712
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=50004
19 changed files with 25115 additions and 0 deletions

@ -0,0 +1,129 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-17:01.pcie Errata Notice
The FreeBSD Project
Topic: System hang when booting when PCI-express HotPlug is enabled
Category: core
Module: kernel
Announced: 2017-02-23
Credits: Alan Somers, Dave Baukus
Affects: FreeBSD 11.0
Corrected: 2017-02-07 22:40:38 UTC (stable/11, 11.0-STABLE)
2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Native PCI-express HotPlug permits PCI-express devices to be added and
removed at runtime in slots that support HotPlug.
II. Problem Description
Some PCI-express slots indicate partial support for PCI-express HotPlug
in the capability registers associated with an individual slot. The
PCI-express HotPlug driver attempted to configure these slots for HotPlug
operation. However, since these slots do not fully support HotPlug,
enabling HotPlug results in unpredictable behavior.
III. Impact
On at least some systems, booting a kernel with PCI-express HotPlug
support can hang.
IV. Workaround
The hw.pci.enable_pcie_hp loader tunable can be set to 0 to disable
support for PCI-express HotPlug before booting an affected kernel.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-17:01/pcie.patch
# fetch https://security.FreeBSD.org/patches/EN-17:01/pcie.patch.asc
# gpg --verify pcie.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r313408
releng/11.0/ r314125
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211699>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:01.pcie.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.18 (FreeBSD)
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujNEACgkQ7Wfs1l3P
aucj/RAAsB/+cWKAaf5pLiP9Hh9Rjmry8ZMyiG6RVBB22N8UM34ioiPPSjTu1ogQ
ZCP31fUqCWDwwQgVu6/Nl4Ur/NjeOYMjHAzxyjlgrFPx2RliptZCakMSA7NDBm7h
vhFxlvBdLvYOL1sDTPwO1HuaIRl8f6BMa3p99Ubaur2Blw7Zn2gDaIEDdiG8K2LN
m+R+yJvDqJmpQJcTiqkxMrcfemcmpuVkH/PTaQhjcuZfslQW8eL82dfXsmkuv5tz
J1cXJHSZHhX1Bq+cuKpAVp7rV65iud5nElt1NJiG4GC61h289nSoqsUebWcjzx4j
0XVwCxitLVqgybdD+OtJejxBwgwWnB3K2xicu5WYOSo/jUhXGRLXZTSk1COvDwZZ
4ndeGv1RwwknQTNxfHlnOH9uZozvQq1fCyXZ2CBnsfKs5gxW2GAF1+xTGXD2tSAJ
ntyc9JhiV0EmixG/aiDk8D6HaUnvcqvtUHCewbNXKy2xqRbnNDal613vzhgbNWKi
RqFoPDDCaLsD9uoL/DSh8R8sHh8QuNq903JxPODM0MoioWYGj+xzz5RNY1EwlhcO
nRI3CwmQr/Oxow+ajEqT4MRaQtmHSudmvcF6Syyw6Rt0lWF4R6KxYk2fPdaW18N0
LU9fqH2IWGSmzPMdnJKI6I49jtOiUaIfXCAGpX15jpVN/1ZUg1k=
=x/qY
-----END PGP SIGNATURE-----
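Review bot: The Workaround section says the hw.pci.enable_pcie_hp loader tunable "can be set to 0" but does not show how, and an administrator whose machine hangs at boot needs the exact step. Suggest giving both forms: `set hw.pci.enable_pcie_hp=0` at the loader prompt for a one-off boot, and `hw.pci.enable_pcie_hp="0"` in /boot/loader.conf to make it persist. Minor: the Topic line "System hang when booting when PCI-express HotPlug is enabled" reads better as "System hang at boot when PCI-express HotPlug is enabled".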

@ -0,0 +1,128 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-17:02.yp Errata Notice
The FreeBSD Project
Topic: NIS master updates are not pushed to NIS slave
Category: core
Module: yppush, ypxfr
Announced: 2017-02-23
Credits: Mark Johnston
Affects: FreeBSD 11.0-RELEASE
Corrected: 2016-10-19 17:18:48 UTC (stable/11, 11.0-STABLE)
2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
yppush(8) and ypxfr(8) utilities are used to synchronize databases from
a master NIS server.
II. Problem Description
A bug present in FreeBSD 11.0 prevents these utilities from working
properly. In particular, an attempt to synchronize a non-empty map
causes yppush(8) to crash.
III. Impact
The problem prevents updates to a master NIS server from being propagated
to NIS slave servers.
IV. Workaround
No workaround is available, but NIS configurations which do not make
use of NIS slave servers are unaffected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
A reboot is not required. However, the system administrator may need to
manually run yppush(8) after the update have been applied on slave systems.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-17:02/yp.patch
# fetch https://security.FreeBSD.org/patches/EN-17:02/yp.patch.asc
# gpg --verify yp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
A reboot is not required. However, the system administrator may need to
manually run yppush(8) after the update have been applied on slave systems.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r307642
releng/11.0/ r314125
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213506>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:02.yp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.18 (FreeBSD)
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujNcACgkQ7Wfs1l3P
aucX/Q/5AbGPtToi+NC4OB0sNJbCiJD5WOP7tmbNipDm5SGoItN+lXQSv+FN1wbF
9R4vhqBqDROE35PF9QUWdFb1qE4i37lD4DznK7r1urg3n7CWx5zcPYAz3PNA7FFX
IJixTM4fjhoWoKAWMLZhc+7+ez7HB83AZrExXDBFRnj7SvceJw6B//yCRB/he9l3
trE5yvUyAiSPylG5qfA6upsJftXsluajq0uQ/yD4iGfqT8nqjOrsd4z64S6+3wTT
lnZHyjNEfIqVQ81Lp9EIsqaU7pyvPrjRQqxsHI+rZO/2YVA/RDokeIcq6s+8GN76
/H7U8XoEuLFNq39s+fHOLTIPGjSM5PN1jqreoJTXnLFqpDtc2WI3W6cvMUY3lD2y
rW3jDrQOxKF8E9qD/wyi7Sa74cC4PduEe9F+fwNOf+gQUtd/NF+OcnSo0imUnmvU
VJy7FHSUQWZY7ZDW0L7CUT6IDBvIncUKlt1DX4b8M9GkX65FtXmd4risExxBlGDh
ikMD+qzCE8tlqzXKPzEmZNLgsAj0nJiZIcD6kMDORLNyzdI7AeqSazg6Pt70XstR
r+GjK1Hclp/lTqaEJLuBrkd2LJGI2Wcyp/nRZ6OifyduvRwk5vKPhQf792zqx+FK
0sZ1T7po0aop1sDFRDZKCHMRxxpKfd5BTxEyQ24v7GL02Dz/rVk=
=zlKa
-----END PGP SIGNATURE-----
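Review bot: In Solution options 2) and 3), the closing sentence "manually run yppush(8) after the update have been applied on slave systems" has a subject-verb error ("update has") and leaves it unclear whether "on slave systems" says where the update is applied or where yppush(8) is run. Suggest rewording so the host that runs yppush(8) is named explicitly. Option 1) also omits the "A reboot is not required" note that the other two options carry, so a reader who upgrades the branch gets no post-update guidance.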

@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-17:03.hyperv Errata Notice
The FreeBSD Project
Topic: Compatibility with Hyper-V/storage after KB3172614 or
KB3179574
Category: core
Module: hyperv/storvsc
Announced: 2017-02-23
Credits: Microsoft OSTC
Affects: FreeBSD 11.0-RELEASE
Corrected: 2016-10-19 07:43:39 UTC (stable/11, 11.0-STABLE)
2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Hyper-V is a default hypervisor provided on Windows server by Microsoft.
ATA driver is the legacy storage driver for FreeBSD on Hyper-V, now they
are replaced by synthetic driver which has better performance. There are
issues when attaching synthetic storage driver for FreeBSD 11 on some of
Hyper-V hosts.
II. Problem Description
There are some compatibility issues with the FreeBSD Hyper-V driver,
which will cause the OS disk to be detached if August 2016 update rollup
is applied on Windows host (KB3172614 or KB3179574).
III. Impact
FreeBSD 11.0 can not be installed on a guest system on Hyper-V host.
IV. Workaround
On Hyper-V connection, when the installer boot prompt, select
3. Escape to the loader prompt
Then:
set hw.ata.disk_enable=1
boot.
Note: this workaround force FreeBSD to use legacy storage driver
which is much slower than synthetic driver.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-17:03/hyperv.patch
# fetch https://security.FreeBSD.org/patches/EN-17:03/hyperv.patch.asc
# gpg --verify hyperv.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r307617
releng/11.0/ r314125
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212721>
<URL:https://support.microsoft.com/en-au/help/24717/windows-8-1-and-windows-server-2012-r2-update-history>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.18 (FreeBSD)
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujNwACgkQ7Wfs1l3P
auea7BAAtYKNH1OVGWZ2frFoaVAuzLA0Gow599XCM5ycF39HTlavmoR1+KN9g8Gh
r2wEBvIM/Yzla16mmLEzt7QLeSFMP1mgVb1lUtvAp62b/lzb2ImIvL3qhury0nop
eczup/A/nFOOgOa/IEMsxqi5noB5e2ODkWEOayiLNd5fmD/BF+yACEKi0YI0krQY
Oonq4N9ah7z4rT8OYC2LNQPvc00ZAAq9eq/IDdtWDvLgpxOF1W+dJ0MAzLhQwNJn
9cdW13AcrdJHxzyjAGeOd1pedWFs0ueEXLI+J5pVOvpZd3WeAc9Fls8t7GNgYwvf
dpf9uaB765n5tZCa+gc8h2eSzY59aEAQOtHXTqlMGp3ACl7D7Gjmhh42Vp4fgySb
zeeKEqAnNay4NdBEGt/U9CjycNKMKi6/bqLpEq3rxu8QFPzeXuwIB3favj8MpIUI
ZMda4CQ1E9XLgG6YoupSpnVSbvNFZIEQ2RHzZesKlIoQIM4OPSBWPGjSR9UDMNKH
mxb/cWMwO9N4G7xzKSULuIAF33wZYkaKqTfzOKVtOEZ7hlBPlqzfXK2MNqlbc0PO
3bqPvrg8KXL8OyswEy0sZaptQs/jTUZjqI9/JNWY+IdRR1clVrRdpg/YWljwqqvb
hFIarahbNC1fvsMTeAFq8QBGXkoy6ovmjpKrhBfPNpaiL5ccuWU=
=nMwL
-----END PGP SIGNATURE-----
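Review bot: In the Workaround section the second command is written "boot." with a trailing period, which a reader following the text literally at the loader prompt would type as part of the command; put each command on its own line without punctuation (set hw.ata.disk_enable=1, then boot). The same section needs a grammar pass ("when the installer boot prompt", "this workaround force"). The References section also lacks the "The latest revision of this advisory is available at" line that the other notices added in this commit end with.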

@ -0,0 +1,124 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-17:04.mandoc Errata Notice
The FreeBSD Project
Topic: makewhatis output is not reproducible
Category: contrib
Module: mandoc
Announced: 2017-02-23
Credits: Ingo Schwarze, Ed Maste
Affects: FreeBSD 11.0-RELEASE
Corrected: 2016-11-26 03:39:02 UTC (stable/11, 11.0-STABLE)
2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The makewhatis utility extracts keywords from UNIX manuals and indexes
them in a database for fast retrieval by apropos(1), whatis(1), and
man(1)'s -k option.
II. Problem Description
The generation of makewhatis database is not reproducible.
III. Impact
The freebsd-update(8) build procedure may consider mandoc.db as changed when
built multiple times.
IV. Workaround
No workaround is available, but the impact is mostly cosmetic.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Reboot is not necessary.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot is not necessary.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-17:04/mandoc.patch
# fetch https://security.FreeBSD.org/patches/EN-17:04/mandoc.patch.asc
# gpg --verify mandoc.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r309183
releng/11.0/ r314125
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214545>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:04.mandoc.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.18 (FreeBSD)
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujOMACgkQ7Wfs1l3P
aucxsA//fsEp6miJAsXLBOFxI1hiRheHb6HlOaXYrMo59sKLgRGRipe34AxIq3Ca
cYvVRHOEpXlUZNMvModg/P42SkkQLDi+2tIenvQUG5T5r3xSRTAHOU0pSRlpfjaA
8OCIaZaWYDIcTOEfaQocIbjwuKfzw5qVxZY6Ot3NPz0QEpOSzFGkbRrM8JxkrVyg
ROtzY/rqaDbhfdKyTCS8PZCIW4ZwNiBjAV9kZysviN3RUSQvLaxEC+vTDjU9BBm5
CKIU3y0aoSlO4W6A9ahqVb/4hX7A2WBoFpfhMVXsVOzi4SkJhaFKNdjwbq6Nrmxr
hePKGTSYVtcVIaiyf0rJwHDvGK6y4NKCTTqCwlQ7hrMGZHY2D5t5NAdd10uvIrv6
PDQkJBap5hZTnSeJ+rZt1jSUR1qAJ+xb86Fe1dG30fs6AsKpbYJEpTLWgSXmOfp/
GQT0SCxv5mxtxMzIom8MUQipYay1cUIiXAh/wlfxERNWHHt3UXoP4/wS9Df+26w9
zQ/5fk3TbtxAcCpZWBeZr1+pKIomQ4+51wU7zgyjAHvGRDesoA54XS3BOTJPWKnY
G1iNBWECSQC26jwzmSv/MMXf4BqT6ezZXXZ22uMeYQCTD4p0tiC6/H4RUEVSgOSl
TnZ026b3FQRlE6FIOYPK9a4AipnLYu4NW6f9tsJquwRyElLSd/U=
=oyNi
-----END PGP SIGNATURE-----
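Review bot: The Problem Description is a single sentence that restates the Topic ("The generation of makewhatis database is not reproducible.") without saying what differs between two runs over the same manual pages, so a reader cannot tell whether the content of mandoc.db or only its byte layout varies. Suggest adding one sentence naming the source of the difference. The Solution should also state whether the existing database has to be regenerated with makewhatis after updating, since the steps currently stop at freebsd-update install or installworld.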

@ -0,0 +1,164 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:02.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2017-02-23
Affects: All supported versions of FreeBSD.
Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE)
2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE)
2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p16)
CVE Name: CVE-2016-7055, CVE-2017-3731, CVE-2017-3732
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
If an SSL/TLS server or client is running on a 32-bit host, and a specific
cipher is being used, then a truncated packet can cause that server or
client to perform an out-of-bounds read, usually resulting in a crash.
[CVE-2017-3731]
There is a carry propagating bug in the x86_64 Montgomery squaring procedure.
No EC algorithms are affected. Analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although
very difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would additionally
need online access to an unpatched system using the target private key in
a scenario with persistent DH parameters and a private key that is shared
between multiple clients. [CVE-2017-3732]
Montgomery multiplication may produce incorrect results. [CVE-2016-7055]
III. Impact
A remote attacker may trigger a crash on servers or clients that supported
RC4-MD5. [CVE-2017-3731]
A remote attacker may be able to deduce information about a private key,
but that would require enormous amount of resources. [CVE-2017-3732,
CVE-2016-7055]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all daemons that use the library, or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0]
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-11.patch.asc
# gpg --verify openssl-11.patch.asc
[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:02/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r312863
releng/10.3/ r314125
stable/11/ r312826
releng/11.0/ r314126
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>
<URL:https://www.openssl.org/news/secadv/20170126.txt>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.18 (FreeBSD)
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAliujOsACgkQ7Wfs1l3P
aufZHhAAy8U5oOrLGq0XH8Dumpkyc+bFOmsEh+S1hL6jFL13jUVpDqogZ3w/a7If
Hcqiyipx5dbcGbHJayokfimkxPcIYydYQK9NwWaXVlnZifvgWka+KxtcD0u2A8S5
cpTbNl+CALQQqEF3+JmOc4Uq2Dtui0xFG1N5Og4oF5Uo+lvQh4bcJ1UbfhMdq8EG
US3hGlJLJJW75m3jkgHyu0o7A0swnNTUQrW9Z0p/3iTiel7fM57d/N1who+kt59V
UErXTzMDBT1kkWRne0aTA71gdy3SUeRiVi9/LWggjIRJNyMnQjO3UI2UOIHLLQAG
CXcZLPekB87iHZxMAw8oV6b4GIkJhqUFW2ep2AZkUdDZ2Mup9bDrx/0Ik0jHjyQY
KEmZDroHvP8z569q+aWfIIpMXPv6zJTnent45U2/q13wMHJwWsADu9ukeWKTw7wI
P0Rc3vht+AXbXFi9SjxwdldgrVszV7x8Yi6W9KhHsGqCl6NBCW9Md/PWbNQQUVkq
I5tV0WB3pTwOk0yMi3h/okM9VBr1lPDU18W0he5T9wbOh4w0jwFb8AqMu1slst3l
9MlhRfO/4LIDlfRQ/dj4dOfVLZqEd/xleax99yFXZUzibUYrOMlBxNaKvV80plwB
Kg2Hr3DJuJa3599kNgXMCNV1lRIOJbJ9dRmX6B0YzMgvxKPIXY4=
=8Jsr
-----END PGP SIGNATURE-----
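Review bot: The Correction details table lists releng/10.3/ as r314125 and releng/11.0/ as r314126, but the four errata notices added in this same commit all give releng/11.0/ as r314125, and the Corrected field here dates releng/11.0 (07:11:48 UTC) before releng/10.3 (07:12:18 UTC), so the two revision numbers look swapped; please verify them against the repository. Separately, the CVE-2017-3731 preconditions are split across sections: the Problem Description says "32-bit host" and "a specific cipher" while only the Impact names RC4-MD5. Naming the cipher in the Problem Description and repeating the 32-bit condition in the Impact would let a reader judge exposure from either section.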