os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add EN-20:03 through EN-20:06 and SA-20:04 through SA-20:09.

Browse source 
Approved by:	so
This commit is contained in:
Gordon Tetlow 2020-03-19 17:20:56 +00:00
parent ea82915183
commit bc912e3b54
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=53996
40 changed files with 120685 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

119
share/security/advisories/FreeBSD-EN-20:03.sshd.asc Normal file
View file

@ -0,0 +1,119 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:03.sshd Errata Notice
The FreeBSD Project
Topic: Misleading log messages upon successful sshd login
Category: contrib
Module: sshd
Announced: 2020-03-19
Affects: FreeBSD 12.1
Corrected: 2019-11-28 02:18:19 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:34:11 UTC (releng/12.1, 12.1-RELEASE-p3)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The sshd server implements the secure shell protocol, providing remote
access.
II. Problem Description
Due to a programming error, error messages of the form "Failed unknown for
user <user> ..." will be emitted to auth.log for successful logins.
III. Impact
Log files will be confusing, and programs like fail2ban that parse logs will
not function correctly.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and restart the sshd
service.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# nohup service sshd restart
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:03/sshd.patch
# fetch https://security.FreeBSD.org/patches/EN-20:03/sshd.patch.asc
# gpg --verify sshd.patch.asc
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r355160
releng/12.1/ r359134
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234793>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:03.sshd.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJLCA//V8LAaiI3320RkieKpp1W8VJLajd1aWnwmMzCMuyXYsEnDoLRzGdsEdcv
K1HhEz27vEuhusmW6AwLGcuHDJl+/230JJMcs24dtbJ/VcanG4Tw5fKjT6g1zT9m
A8ZQ16N5LU8q8TGcRATie9+88Ri3iepDkur4Gh4HBH/VKfI4szoWZXpBe0UZJTPr
EGXtcvTRlVlex3jWJF2FA/4TioR6PGAyJxwtxLpaSWoMJFrTKh0b7AnyCTzqC6cE
aHF/RDH8i16VbVDTHmfo0FPKeCcF25uFYG1edDpSofdvE9XZTEvqy1fz6Nv+LEbp
EMFOa99zUtzjWVkvPMXWXSYDVivyjoX38pEvbZnNxWNot8His9UWOss9vff9/B/L
Y6uHIpPeW8JhBpyOJ6hlYZ/zkEnKy33tNm+/mzV6TBUpu0h8cTULKkXCeIQIyU61
YUGEhw+TFRS0X9v6lovXif3/Cs6r8nNKSh/NUa43B7oxacEsCimfU1YApNi7nj3L
DD1vQmvR7j7k8tTDw4FGqv3HgkRL4RgkbWsGJB83dUXTEUV/Dtjh6o7duTsYbdw0
eEaqTQBysENCQEsZ3s0NHF0nUdrmxecw/6US+dhnt1nMJH7I4UaHM95wMXY0x3CQ
k5yDoMPMs4NTC7iBRtyw69IQMsOwRsUU5notdlWjklKKSvRAXnA=
=8o6k
-----END PGP SIGNATURE-----

132
share/security/advisories/FreeBSD-EN-20:04.pfctl.asc Normal file
View file

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:04.pfctl Errata Notice
The FreeBSD Project
Topic: Missing pfctl(8) tunable
Category: core
Module: pfctl(8)
Announced: 2020-03-19
Credits: Rubicon Communications, LLC (netgate.com)
Affects: FreeBSD 11.3-RELEASE
Corrected: 2020-02-12 14:50:13 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:35:15 UTC (releng/11.3, 11.3-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Packet filtering takes place in the kernel. A pseudo-device, /dev/pf, allows
userland processes to control the behavior of the packet filter through an
ioctl(2) interface. Commands include enabling and disabling the filter,
loading rulesets, adding and removing individual rules or state table entries,
and retrieving statistics. The most commonly used functions are covered by
the pfctl(8) utility.
II. Problem Description
pf(4) ioctls frequently take a variable number of elements as argument.
This can potentially allow users to request very large allocations.
A failing non-blocking pf(4) allocation can tie up resources resulting in
concurrent blocking allocations entering vm_wait() and inducing reclamation
of caches.
III. Impact
The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users run into this limit with legitimate table
configurations.
IV. Workaround
No workaround is available, however systems that do not employ pf(4) nor
use pf(4) table definitions larger than 65535 entries are unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch
# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch.asc
# gpg --verify pfctl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r357822
releng/11.3/ r359135
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:04.pfctl.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL4Aw/9GhPqyMcVMROjoX2xepwOubsM+C9lMCTQtxOOhYLtt9IIt5KTgSefAcyt
DMcqE78R6wgaxf08XAQyD/iN3udhCFT4YRElB1o5XMEhYUcCIsatKcb8hIVJuRD3
Ap2goT7zHlicFxpKuWblg/qenU0A9PgaCjsRaVePHS2nzOW+d9DJSg3yxz6xwGCZ
Nuv03Y2OBVm/KdW4awk50FdzR2L04U0D0ZATh+5yr25aH99dVpUQMmRc+qjRtXzh
4j34Qj8mWteAkD5690zcE1nGwu7lGDFoRjwhiP5RP9Gn3o2Sv5SJwHNwB5W1WQDr
GAormcXgUwuWwd9ijtKfWNmJm7MhZhCjvq9l0tt54e+j4Nmz39/ZijFfa1Ug7XKJ
4yp1ey2ri3W3bGrv2nRHMzY6d3EaQq/96vupt/dWxlufoIHbUvUQ0l8KWNmQ8kK1
dplsoMS6x/AeFjjF4I62Cp429vBbpRDRCJk4mZ6itJ8CWbNXIv2xCj7aKzRcrwpx
kmcblpkFpm7edVkTGjtv/MMhUPXdlskQStOCjSkHoo/cofcAOUovJ8755AvYNkwl
P0e49iOxvFFMA3jZSuxCrQksHq295VwjImEUSJKYyARGdDiPR4q8AdUy+CPyDoLs
zMrzZz5HiNSNdoh4mX3OFIkjtuk/fXR5LQnMBuzHfmfhLtsmHAQ=
=upRR
-----END PGP SIGNATURE-----

122
share/security/advisories/FreeBSD-EN-20:05.mlx5en.asc Normal file
View file

@ -0,0 +1,122 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:05.mlx5en Errata Notice
The FreeBSD Project
Topic: Fix packet forwarding performance in mlx5en(4) driver
Category: core
Module: mlx5en
Announced: 2020-03-19
Affects: FreeBSD 12.1
Corrected: 2019-11-07 13:12:38 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:41:29 UTC (releng/12.1, 12.1-RELEASE-p3)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Add CSUM_SND_TAG flag and set this flag for outgoing ratelimited mbufs.
This fixes an issue that redirected packets are dropped in the mlx5en
transmit routine.
II. Problem Description
Ratelimiting support in the network stack reuses an mbuf field for a
different purpose to avoid having to grow the mbuf size. This can a cause
packet drop in the forwarding case if the field in question is not cleared
prior to transmit.
III. Impact
All packets going through firewall code are dropped when using mlx5en(4).
IV. Workaround
No workaround is available. Systems not using mlx5en(4) are not affected.
V. Solution
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# reboot
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/EN-20:05/mlx5en.patch
# fetch https://security.FreeBSD.org/patches/EN-20:05/mlx5en.patch.asc
# gpg --verify mlx5en.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r354440
releng/12.1/ r359136
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243871>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:05.mlx5en.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIMCw/7BCNrVg/W7nwnbDdQs1xR0gTz4pUTGB7SnyXs69kJ15dimWt00oVCJurP
oh7uZIPenrS/xRosmbehsNc3IJRN6Npnf86dazuj3qRu24E3CJg9bQJ0sAHrWOXB
i6UgrWIDKIEQ/Yflpcl4bqj/L5HQsTQ/mbkBl1nYiu7VUwjGPhidRYSCQQHDY8ZM
XJ4BFBJCx+gSEcfP6iAqZTGcDAwyFkl9kzxfMIymIRqGlBABBqN6OFrnMjiBoDGL
CiTFt0rFs4/bdX8wQyRhQ6IHjFGiEbXZS4txJxP3XZaIJaPYF5snrrV1rgGjOeVl
2PmGF82ugSwrpVgPuDCMkiJEvYR6matvjRrYQDEBsz0rY6pyid4q9Ck7uKt2KW8u
M3tPtL61SbnuPXTYGpFD++xWYjlQrkcuudwHRT3NYOgNAwU6U+ejLuDzpbWFtPAh
RCQ/tmSOxTQWubxbiwiA07zxVY1a2ffguyzpc+p8PTwIbgrtuh64saoenuvNg0wJ
rhuShGQnhsfWbStOW1T21tsBkB/cZekQYt3e9zB3RREl3WBvJmKPLqO0m8WBaSUx
2iTxnMrhEAnD4R6oVouibCwRdlnxMD3xyYmJJZJ/p8hFXVZlWm60c5nKh82bQVLj
mN4Uf+V7Q/P+fkfoWFm7Dq4kYQp7DmANjh2gK80/88f9/AhX+so=
=EjZa
-----END PGP SIGNATURE-----

136
share/security/advisories/FreeBSD-EN-20:06.ipv6.asc Normal file
View file

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:06.ipv6 Errata Notice
The FreeBSD Project
Topic: Incorrect checksum calculations with IPv6 extension headers
Category: core
Module: netinet6
Announced: 2020-03-19
Credits: Francis Dupont <fdupont@isc.org>
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-02 22:54:32 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:43:37 UTC (releng/12.1, 12.1-RELEASE-p3)
2020-03-03 08:24:09 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:43:37 UTC (releng/11.3, 11.3-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Upper layer transport protocols, e.g., TCP, UDP, or SCTP, include
checksums in their headers. IPv6 is a network protocol, which can
add extension headers between its own header and that of the upper
layer protocol.
II. Problem Description
Pseudo header checksum calculations can be delayed until the IPv6
output routine or offloaded to the NIC. In case IPv6 extension
headers are present, FreeBSD currently never offloads to the NIC.
When passing the data to the functions doing the delayed checksum
calculations, the contents of the extension headers were erroneously
included as part of the checksum.
III. Impact
Upper layer transport protocol checksums may be wrong for IPv6 packets,
such as IPv6 fragments, or IPv6 packets with a Destination Options or
Hop-by-Hop Options extension header.
IV. Workaround
No workaround is available. Packets sent over IPv4 or IPv6 without
any extension headers are unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/EN-20:06/ipv6.patch
# fetch https://security.FreeBSD.org/patches/EN-20:06/ipv6.patch.asc
# gpg --verify ipv6.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r358557
releng/12.1/ r359137
stable/11/ r358566
releng/11.3/ r359137
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243675>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:06.ipv6.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLxaA/+IUDfq39zppv1SsIrwD1a2VZVQvPtNPmM0OUzJK7gt6Jj1lDJjY/WTXl6
I93Xm1q6VL6u+6n95XfaUe3xu05Oujlq+KE0zu3tOigs50tvyn2+PAQU1waTT3O7
zFqqLb0mBoQl1WasiLj0NhIpAK3GDYNV/Zd0jYuQzyyhu1kahMpeiVYn5OG7Q1C0
BUPfObwGfzDYZbDtT4RSok35uVfzLnk5mZ1L+grQaoZbh3OJonlx5GnbRAboncCY
IJRfeyrHvCX2WMKx0CiUTEHZKJErKWcynYHkWYc+jmSqfTFARWBdIHpxQzF52kuW
E34WQDuCf9miSRGrlV1CgwjXUExuPOcUN7XcRRJQkkjc2wnpjMi1qudpyZmNW7Ig
rMQQdRLAmHyuy8ZjNuuBesWqBZYC2pr1p94KGUO7VsRNRVWOe8CEBT5NCRcRzoqw
rhyGlS1ahc6P/6FliYd86MMpdS4S0olRcylW+r5z3O8DStt0VEvwC5cYubqJJDud
Crpuces4hq8xZ2E4ZVN2YclT/gKNNvtNXmPfqpWVLdtCJqg6JTjAShX/YH52Q3/Q
5VOqj1wJmAMV07f68gp6GH+dQIxAnI5uAXwrGBs5Y7PCzRafhUkEy/6m5FHYOpUN
CR+/5Iqp2S79LeAoxSbZmuVh1pmLrs6bVZcfI21V91d5hSniPPE=
=/jJ1
-----END PGP SIGNATURE-----

144
share/security/advisories/FreeBSD-SA-20:04.tcp.asc Normal file
View file

@ -0,0 +1,144 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:04.tcp Security Advisory
The FreeBSD Project
Topic: TCP IPv6 SYN cache kernel information disclosure
Category: core
Module: tcp
Announced: 2020-03-19
Credits: Michael Tuexen (Netflix, contractor)
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-08 14:48:21 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:46:01 UTC (releng/12.1, 12.1-RELEASE-p3)
2020-03-08 14:48:32 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:46:01 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2020-7451
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Internet Protocol version 6 (IPv6) header contains a one byte field
called Traffic Class. Two bits of this field are used for Explicit
Congestion Notification (ECN), the other six bits are used as Differentiated
Services Field Codepoints (DSCP).
The Transmission Control Protocol (TCP) is a connection oriented transport
protocol, which can be used as an upper layer of IPv6. A TCP endpoint is
either acting as a client (sending initially a SYN segment) or as a server
(initially waiting to receive a SYN segment and then responding with a
SYN-ACK segment).
To mitigate the impact of some attacks against TCP servers (like
SYN-flooding), FreeBSD uses specific code to handle the TCP connection setup
for servers. This includes the transmission and retransmission of SYN-ACK
segments or responding with a challenge ACK segment to a received RST
segment.
II. Problem Description
When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6,
the Traffic Class field is not initialized. This also applies to challenge ACK
segments, which are sent in response to received RST segments during the TCP
connection setup phase.
III. Impact
For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte
of kernel memory is transmitted over the network.
IV. Workaround
No workaround is available. Systems not using IPv6 are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch.asc
# gpg --verify tcp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r358739
releng/12.1/ r359138
stable/11/ r358740
releng/11.3/ r359138
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7451>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:04.tcp.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLuzQ/9HvuKX5w2/CDerZPseNDKqumxjoap6MjfExvpVN4Auy31wcE7248JpZ/d
I+Be927dmghiey97opVcR56g5OJ9QAinQRTWX1rLKaQ2xldGFE5924iLyQ/hjMXG
LDkYrBpJ2Wkdq9XFZKAuu2dpV/RUMlGnKANG/QfAAd5V4VC7Sg5X6ty7ISlVMrM7
aQdBP4e5XyssfeqZeZ/A57dF3Yi7F1TEEjXeM+dulTET4nm0+w74n+QaNoH6hcMI
n3Bb/SsF9HfbZtXz235vkzbgvvSX4f+D/d3vrcAA9KMVjKBH6QbiwJKuHSdb0GY8
ENMb7vO7Rx71u8GnCYg659qFrWb/kaTW2BCbgAJyp2747nAw8I7DwZiN2RKWA7qh
JbcZb1rJN9gEccnGyNouuy4DzUlUc4VQnp4ajqV4S1YGbwdfsBqi2c0dYwqEcW96
RKxxTrH9JB8d52wMMshB7hMfwbeLeOJJ4phFL8knXuv19SWCP/tz6XDopoBN6wTW
yn5g+n7oVCOsSwlPLHl/5WWUTvKjyCB6eZIblFhlbiNTuQiUaegDXx66On+vgVKD
oYA9cDQUcvIKLne/KgCqTQ5MAuwE/7hPyUlGmuiZ3/Qx6CW568+v1kTc19eUQb0a
+e5HDRFhtiQyRMpTC9Yt14sv8oFLynhyt/IbQWTeqppZhBugbJ8=
=CFKz
-----END PGP SIGNATURE-----

132
share/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc Normal file
View file

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:05.if_oce_ioctl Security Advisory
The FreeBSD Project
Topic: Insufficient oce(4) ioctl(2) privilege checking
Category: core
Module: oce(4)
Announced: 2020-03-19
Credits: Ilja Van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2019-12-26 16:56:42 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:48:29 UTC (releng/12.1, 12.1-RELEASE-p3)
2019-12-26 16:58:11 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:48:29 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2019-15876
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes. For
instance, a driver may use one of these ioctls to implement an interface for
updating device firmware.
II. Problem Description
The driver-specific ioctl(2) command handlers in oce(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.
III. Impact
The oce(4) handler permits unprivileged users to send passthrough commands to
device firmware.
IV. Workaround
No workaround is available. Systems that do not contain devices driven by
oce(4) are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch.asc
# gpg --verify if_oce_ioctl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r356089
releng/12.1/ r359139
stable/11/ r356090
releng/11.3/ r359139
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15876>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJAuBAAnsnjdm2aTLo14rOiNHTNh0NqJPQTJ5F6MwE1P/nUlP5xM21GzDkyki7H
4AytZiCma6MCPzbc8aO6wGnc5zfSA1G/5TLetIgIQeyDQ8wRd0uhIoeO3NB3EXhz
KJkNqtyosmzKUSmq7V/WqYN7VOVceegvbvLXCMTYFkUmvJxYbB67s0upqydFBAD4
j1ecKkNOIehV6cGColM3Dv7sJtVgdvaKg2ehW+AWR7UBOntIr/X3mVpkUE5Y2oLX
tpjuEbdraOpIw/ohKfvpZNPXnEFmhgxrRV4WRw8yFeMsEtLI2HyyUV4ysZrgMKB+
LKxdhfd7HhIiGdoRZO4P60traRiRD+VfqU9Jt3xd9fO1t0MZYTS0R0Lqt9n3UPhR
26YcyrJgElaHIz8Viiw1U7Pdxila7b7gL+V4QVNSG00OqCKkdepgURRepzaz8Zhd
lrfLf+9vysPIL6RsJwDb77qYbu9kK/afGmadBVot6QGg6ovWVLUGd0pQFJuLihZl
YRocdxDO0lgF+w6llmp6ZidEjaScL7XG3yKG1DuoSa0tS+0eQU2U2hByJDzzzkTn
x7t7WU8o5gSRYDe68yuJHXiHWswA4IK+tkYf+h8fDhENDbt7PCo86Vq0Dixg3hoG
ak/KfomAAsnh6MfWNRlCWDXbe0p/yxYLPRHugDdrZ2IpX+uJWHs=
=pADZ
-----END PGP SIGNATURE-----

128
share/security/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc Normal file
View file

@ -0,0 +1,128 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:06.if_ixl_ioctl Security Advisory
The FreeBSD Project
Topic: Insufficient ixl(4) ioctl(2) privilege checking
Category: core
Module: ixl(4)
Announced: 2020-03-19
Credits: Ilja Van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2020-01-10 18:31:59 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:49:32 UTC (releng/12.1, 12.1-RELEASE-p3)
CVE Name: CVE-2019-15877
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes. For
instance, a driver may use one of these ioctls to implement an interface for
updating device firmware.
II. Problem Description
The driver-specific ioctl(2) command handlers in ixl(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.
III. Impact
The ixl(4) handler permits unprivileged users to trigger updates to the
device's non-volatile memory (NVM).
IV. Workaround
No workaround is available. Systems that do not contain devices driven by
ixl(4) are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch.asc
# gpg --verify if_ixl_ioctl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r356606
releng/12.1/ r359140
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15877>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIyvg/+Myq/m3iP2V8tluOVxVmXOEn9qULYfSEM8thr7N+EZpepK45KMkVeBMp5
gGvd8XEbZyS1RSu+Knr3+yU+jQTFeVg/52QJ8fcTbH5r+5fcO0eJw9I0hwoJBAM+
Fp7mTtON6PUCIlaXcwmFQfQ4l1iPee2qCsn7ia02dBFZXvHq6fT6tplSagtJj8Fd
xOBvnlf8obrvC+TswIKydCREaGAIRKTa0yMzh0Ml435gmCYMrGTe2NtjNKM9sgw8
N0Y5QHuV59kiM3mYc5I7uLux1wUIlO6rdZ2lOsbuWNcW40q9IE1Gve9kjhmha8Ls
h7BW3VPLM8gxwrgJNygxSRtremDYfQZNoeONqRKd0C2H5EVT4vZfPRI4VxziNGU7
US0VJwm7x/bET/zbVS5YIsGwqyn9kVjBRpv+eRN4CNmEoZugB/ZJn7lRhZ9cdsTG
fDM/ULk7UMPrap8ltr0hcYvLYzOmsR1K+oxqmWLzO2+FpnoUrAmWaInptbBuOaSj
tbmRc97wpR7LJcrmAo3rHvHdbwzY9jsQk1X1Y4LAKAr114S36m3HqwX5mhv91/ZR
oXOiDYCvFlf8BBQo5BMFDlSfft1Nd8iwAEumHmo+hFFs/yVwJlwwyt2tVwpT3V3Z
py6szSTnDzjslb/JGYI8ujpHNuJrfdWRmJUrXzqreKbiYA5pWGo=
=MmYl
-----END PGP SIGNATURE-----

136
share/security/advisories/FreeBSD-SA-20:07.epair.asc Normal file
View file

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:07.epair Security Advisory
The FreeBSD Project
Topic: Incorrect user-controlled pointer use in epair
Category: core
Module: kernel
Announced: 2020-03-19
Credits: Ilja van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2020-02-04 04:29:54 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:50:36 UTC (releng/12.1, 12.1-RELEASE-p3)
2020-02-04 04:29:53 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:50:36 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2020-7452
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The epair(4) interface provides a pair of virtual back-to-back connected
Ethernet interfaces.
II. Problem Description
Incorrect use of a potentially user-controlled pointer in the kernel allowed
vnet jailed users to panic the system and potentially execute aribitrary code
in the kernel.
III. Impact
Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic
the system, or potentially escape the jail or execute arbitrary code with
kernel priviliges.
IV. Workaround
No workaround is available. Systems not using epair(4) are not vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch.asc
# gpg --verify epair.12.patch.asc
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch.asc
# gpg --verify epair.11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/12/ r357490
releng/12.1/ r359141
stable/11/ r357489
releng/11.3/ r359141
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7452>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:07.epair.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJIrhAAjdJsKCoBkjLmwIG/yU2W5jUkqahriXx6hAQwOqwAl7pyguAghPBUFRF6
SjU2yr/4yQk0TB3wxRMGJNVlKuBZm8I62BQLdh7al6zO3S55s4FedeM3FOBZ1jT+
GrHU08DPEoDT3pgz4w5/T5PQFxBwqsQDEE204kAOBBOsoZEhgxz+6pADyDpt1ciY
3x+b47PTMk0D4Oi2eXX+ErMApB5xA6sEQfVa6j7HoaQ3HRnvRbuF2vQt2/KTdrWB
pOnad52smH0+5ervZS9Ooidg7L9Sfu+ARdWSFxOIsFPOSgJr7dVIKw6vcliw93Py
GwRVaOxKWUmVxuQUNBSawsIbhLCQYMp74hUL9iZ/vLo398H32u/sd/xLfHYXyZfb
GoyTQ6WxjjqzXlc1ISj3gv8+25X9vnPZ/zQC45cDLqTBYkB7V3rdDAcqrxzR/PF/
hA+skUOnJ9N00MM/WB9+fMlAj4ZqZR2btpQcxPbRkTHbm0NZfGAFU2IlLgQ38sPD
ZN/zXEho+7rCFocEJ8AxFWMsTB0eAsVfvFyN2sdQXMQcGeHb2HfAX7d3MUInb+aH
BQm6tMi+cNTDUdPnMefRy0G/gQGEUPha0Nv5uePMhXum8J1Gaubs5a9SEezCBRby
6k1Oj0PSkR89XW4X9nkTnKo4F7fu/wB+IQy7Ts7rTa36LcgtV+U=
=yXWc
-----END PGP SIGNATURE-----

138
share/security/advisories/FreeBSD-SA-20:08.jail.asc Normal file
View file

@ -0,0 +1,138 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:08.jail Security Advisory
The FreeBSD Project
Topic: Kernel memory disclosure with nested jails
Category: core
Module: kern
Announced: 2020-03-19
Credits: Hans Christian Woithe <chwoithe@yahoo.com>
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-16 21:12:46 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:51:33 UTC (releng/12.1, 12.1-RELEASE-p3)
2020-03-16 21:12:32 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:51:33 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2020-7453
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The jail_set(2) system call allows a system administrator to lock up a
process and all its descendants inside a closed environment with very
limited ability to affect the system outside that environment, even
for processes with superuser privileges.
The jail_get(2) system call allows a system administrator to read the
configuration of running jails.
II. Problem Description
A missing NUL-termination check for the jail_set(2) configration option
"osrelease" may return more bytes when reading the jail configuration
back with jail_get(2) than were originally set.
III. Impact
For jails with a non-default setting of children.max > 0 ("nested jails")
a superuser inside a jail can create a jail and may be able to read and
take advantage of exposed kernel memory.
IV. Workaround
No workaround is available. Systems not altering the default settings of
the jail configuration option children.max=0 are not affected as a root on
the base system has access to kernel memory by other means and a super
user inside a jail cannot create further jails.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch
# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch.asc
# gpg --verify kern_jail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r359021
releng/12.1/ r359142
stable/11/ r359020
releng/11.3/ r359142
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7453>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:08.jail.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKWdw//ZFfaoCenbVtvB6a4JW9HOT0yMoDXup+OdpjbhUTsJSyvDB9eZUSiZJ7u
4rQZpYQZotND2I/U8BSUjcJlDVzhTn6WN1yZFpWI9oFrSJhKxkwGMuetocUw7MgE
++WaaVueodMBjG7+v7mUmr5pXomdpxCO4XZxTW0BCm3Pvydera1kZVHzQ2pAw0On
cnOiSN+v04latfkjjdjPv+oC8GUsI3Q+4jF745MN9dND+4KV/4CW5BJg6sUiJakx
WB6cXayxp+Q/WPoB4OS/w3loe1FGIqESjXMxdHAV0n9eVofv8+h0rQt5kQ9oFpCm
Ql2NUG7xKqoidGlhzff5w0j5+VNXA/exv+sH/lQTZO5xJa/5Ti1wlUxsrp/8jO9Z
vRDd3CwjOIG+dFBSAXWcAaSedJ+Ax97RVbfKmYiy5B7ujJp/X6rJXU2G3zOhObCS
8/E+KHlj9YT4hN73zDeGiw5zKVjbfVQp661mKgP1lO+4Mv9357F8epux+CV3fdb6
BBttCm8l8ubhfr12fmBAfXUXDx7stNTpvcgphGUB0v6Sfxbv0OHoGzfAGrQ3i3LP
Os7OoFRJ+2SJ/G8xpjVjriOsAoLeUX43JIlPTOEvU2mhol/M717Rwn94ndqXfNJh
XCF2AaOVXxBpdx2Vik3FBTGZvAfTCxMQOZwGn7zVzpbxlCbasKM=
=13XM
-----END PGP SIGNATURE-----

168
share/security/advisories/FreeBSD-SA-20:09.ntp.asc Normal file
View file

@ -0,0 +1,168 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:09.ntp Security Advisory
The FreeBSD Project
Topic: Multiple denial of service in ntpd
Category: contrib
Module: ntp
Announced: 2020-03-19
Credits: Philippe Antoine and Miroslav Lichvar
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE)
2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3)
2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE)
2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.
II. Problem Description
Three NTP vulnerabilities are addressed by this security advisory.
NTP Bug 3610: Process_control() should exit earlier on short packets.
On systems that override the default and enable ntpdc (mode 7), fuzz testing
detected a short packet will cause ntpd to read uninitialized data.
NTP Bug 3596: Due to highly predictable transmit timestamps, an
unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim
ntpd configured to receive time from an unauthenticated time source is
vulnerable to an off-path attacker with permission to query the victim. The
attacker must send from a spoofed IPv4 address of an upstream NTP server and
the victim must process a large number of packets with that spoofed IPv4
address. After eight or more successful attacks in a row, the attacker can
either modify the victim's clock by a small amount or cause ntpd to
terminate. The attack is especially effective when unusually short poll
intervals have been configured.
NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such
that an ntpd can be prevented from initiating a time volley to its peer
resulting in a DoS.
III. Impact
All three NTP bugs may result in DoS or terimation of the ntp daemon.
IV. Workaround
Systems not using ntpd(8) are not vulnerable.
Systems running ntpd should make the following changes:
- - Disable mode 7
- - Use many trustworthy sources of time
- - Use NTP packet authentication
- - Monitor ntpd for error messages indicating attack
- - If only unauthenticated time over IPv4 is available, use the restrict
configuration directive
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc
# gpg --verify ntp.12.patch.asc
[FreeBSD 12.1-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc
# gpg --verify ntp.12.1.patch.asc
[FreeBSD 11.3-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc
# gpg --verify ntp.11.patch.asc
[FreeBSD 11.3-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc
# gpg --verify ntp.11.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r358659
releng/12.1/ r359144
stable/11/ r358660
releng/11.3/ r359144
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:09.ntp.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIoaA//V8fG/ugFkS6ASluls3rsww0gxoVH65HM7SDiPC814cl8ck2DUSMO7lzA
jPAmsLPdrhGrJ7lTndUxuZ5hf0YeI/CgccTWYoPgiZjfXoeHS2ydQVVpM9j2ByNo
KgwqEnRxLaIRBg3+zf7sT/IenC+ivHbPDxrmW4y7ehUQO/fZ3AcXjcAw6PPCzGlp
pN8Jml04uUuD/Nb92IzWGKvLPsL27slWAHG6nPPw0onzqaZqNhFf1UUDK9qvZRNB
2pHO+aJPfRq2kUk2DvfcB4kTGB1jbHJBBRNA1ns2xrtdKKIBnwSBatN/SBznhPuF
nxGN/Y0k8EYJdVOHaoyqSlG31jatAd/TaA9+1JauxB7/29c65JHyAfddtZKY64vl
DVnfDus+fcxg9D5FI7/O9qUeMZ/S1Ix683BzUPYhCDksC+VP28mqCHMBYRdKrc1m
ysnnER8Tli+Zbenn88202+lJAaAI3gKygdzKRQg5FgXWqWi84G1WPs+c8dihpovV
ZG5AqS1gJuwlP72x/g8by7BT140PZIEYaR5Qm7uIlfNTQxNBDmDkCF54wrhAFQWY
XZrOLiOsVJdn6mX9WfPh7kxd59nAjGuy5fKwWF22g5vQsGCGoBHsqZTKPiA+WxVu
Ngqq+8zUMkcTXP7NE3aT+4HDTXi/WRwiEKTGd8zGm5J8bEHXi9I=
=Q4Yq
-----END PGP SIGNATURE-----

11
share/security/patches/EN-20:03/sshd.patch Normal file
View file

@ -0,0 +1,11 @@
--- crypto/openssh/monitor.c.orig
+++ crypto/openssh/monitor.c
@@ -193,7 +193,7 @@
#endif
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
#ifdef HAVE_LOGIN_CAP
- {MONITOR_REQ_GETPWCLASS, MON_AUTH, mm_answer_login_getpwclass},
+ {MONITOR_REQ_GETPWCLASS, MON_ISAUTH, mm_answer_login_getpwclass},
#endif
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},

18
share/security/patches/EN-20:03/sshd.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpotfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIsbQ/9HDDvo7coVA4O70bhusaw40fVNZB8ZYvncW6CgP26TsXj4IGdhFNoQRaW
wfBOnADtv+0P0WvPkHe9+bNOXBD1KI1oejBnYFW9xjgPoilWtE5eoQzpbBGkar+/
WUTHpdqunAcnt2gYly+pKByn9yrbZDmtbR9Fu1lGSMxuiOWxc7U6pFRZrJ3b+IRm
eUSiLiwR1l1Xuju5FEe7yZVKEkNOFuZUCd9dN2Iw6NFpFONug4RAmSwzBBdmgbyH
54aPvkwMpPBGqQp0WATGWlWi/FHPLWzK8wEkz+Z2UtLR/khkCd+314MMCkZpGeGp
I2SU6vQA+zL2qy75dWI13tyAPZHkBcj9FsIVQ4z86w8a/kmwbQE5VXZhIyqPQ4XQ
SJ6RkOJ+ltAQt0YsptndbZ149qimNOxT2ly4sAysNCELla+AyQgEWHgD53jfOVN6
p4clsrRiAHXba/+4SZWqdrebck0VvqCpbp1o2TBJ3vPLGNql8ovfWrYL0KWZUndq
oqjwJtP4YTwsymX9AwNuOMwzYBUnTMPPhjwOlrWSMIQUsEva8rDI0yprdikwxUHt
3vddotFj/fcM5xJRMZykNbz7ORFVEYP2KJjTDBp/gu7nV9+UQtK9aquURgZ2bs0X
aKH2Y66XcYbUP3VgQxWapiFesFVjCFl+JtuD2Sm6aC6qibjXxLY=
=r0HP
-----END PGP SIGNATURE-----

155
share/security/patches/EN-20:04/pfctl.patch Normal file
View file

@ -0,0 +1,155 @@
--- sys/netpfil/pf/pf.c.orig
+++ sys/netpfil/pf/pf.c
@@ -363,11 +363,14 @@
u_long pf_srchashmask;
static u_long pf_hashsize;
static u_long pf_srchashsize;
+u_long pf_ioctl_maxcount = 65535;
SYSCTL_ULONG(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN,
&pf_hashsize, 0, "Size of pf(4) states hashtable");
SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
&pf_srchashsize, 0, "Size of pf(4) source nodes hashtable");
+SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RDTUN,
+ &pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a single ioctl() call");
VNET_DEFINE(void *, pf_swi_cookie);
--- sys/netpfil/pf/pf_ioctl.c.orig
+++ sys/netpfil/pf/pf_ioctl.c
@@ -86,8 +86,6 @@
#include <net/altq/altq.h>
#endif
-#define PF_TABLES_MAX_REQUEST 65535 /* Maximum tables per request. */
-
static struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
u_int8_t, u_int8_t, u_int8_t);
@@ -215,6 +213,8 @@
/* pflog */
pflog_packet_t *pflog_packet_ptr = NULL;
+extern u_long pf_ioctl_maxcount;
+
static void
pfattach_vnet(void)
{
@@ -2528,7 +2528,8 @@
break;
}
- if (io->pfrio_size < 0 || io->pfrio_size > PF_TABLES_MAX_REQUEST) {
+ if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
+ WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
error = ENOMEM;
break;
}
@@ -2559,7 +2560,8 @@
break;
}
- if (io->pfrio_size < 0 || io->pfrio_size > PF_TABLES_MAX_REQUEST) {
+ if (io->pfrio_size < 0 || io->pfrio_size > pf_ioctl_maxcount ||
+ WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_table))) {
error = ENOMEM;
break;
}
@@ -2732,6 +2734,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2769,6 +2772,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2810,7 +2814,8 @@
break;
}
count = max(io->pfrio_size, io->pfrio_size2);
- if (WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
+ if (count > pf_ioctl_maxcount ||
+ WOULD_OVERFLOW(count, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
}
@@ -2848,6 +2853,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2879,6 +2885,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_astats))) {
error = EINVAL;
break;
@@ -2910,6 +2917,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2947,6 +2955,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -2984,6 +2993,7 @@
break;
}
if (io->pfrio_size < 0 ||
+ io->pfrio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfrio_size, sizeof(struct pfr_addr))) {
error = EINVAL;
break;
@@ -3036,6 +3046,7 @@
break;
}
if (io->size < 0 ||
+ io->size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
error = EINVAL;
break;
@@ -3112,6 +3123,7 @@
break;
}
if (io->size < 0 ||
+ io->size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
error = EINVAL;
break;
@@ -3189,6 +3201,7 @@
}
if (io->size < 0 ||
+ io->size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->size, sizeof(struct pfioc_trans_e))) {
error = EINVAL;
break;
@@ -3407,6 +3420,7 @@
}
if (io->pfiio_size < 0 ||
+ io->pfiio_size > pf_ioctl_maxcount ||
WOULD_OVERFLOW(io->pfiio_size, sizeof(struct pfi_kif))) {
error = EINVAL;
break;

18
share/security/patches/EN-20:04/pfctl.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpotfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI4mQ//S1DbTRLbm9xnXDA9XUKtC/2icqJ4B74oApa92Yn2y9Vu2Zz9x43HV/Hr
0+qqqZcw5kouz9SuP2JeTFBZqqDaSoR2Ee8TboM/MslIMYRkagJxxQUSZY/5U/3O
TihXbGgnVjyt+kAorH4+nJVbBtKnJhIvBmk+EGBIci5Pdlz8OVp2kuOk8jlN2zs3
WeRpwv+Wwv1BLaa86+4sbUMIm28v3jWrNlJgDnJ2On9Wu9iXCRgPUBm5jIztfkGA
d5XDCTISwM1o5lNmEg8rl2ZdO/3Q3hJRSjYETgMqnDXyWvNmxWUmDvQYmABYkfGq
PRnjVlUyOdK7uVPa6TAI+8MEv1akUKmhWCsjGoJqHTqbg6Q7rItD3z6G2etfPNi8
RL+DGW/ugJhwKjY8DLd3JH1GFyNpUxIcCF5wOaYvliY4Hvy0KC6BBVcNXuGxB9Nd
kVYt2Ki2J2pzLc5jkngfybuYjPnbp8uMOkO2BZtngmzGncuT/UMZyon6ONMB88yn
Yz3F4/IrKJ7guDnYZwOPyaNVHKcADB+tmmDQfSIok+3zuw2QJrCj9/jwI5urzBQu
xYab1xjAutPsWBPmDEMIdSt42aYjDV4tCWeFo0BKas2v391/8YdAu378+Xw/TLfp
mCr5c2g2zUyeKzvEQvv5hCPLRT2ViTcSp8roeBvoXq6FUwmlUso=
=HAnc
-----END PGP SIGNATURE-----

68
share/security/patches/EN-20:05/mlx5en.patch Normal file
View file

@ -0,0 +1,68 @@
--- sys/dev/mlx5/mlx5_en/mlx5_en_tx.c.orig
+++ sys/dev/mlx5/mlx5_en/mlx5_en_tx.c
@@ -609,7 +609,8 @@
struct mlx5e_sq *sq;
int ret;
- if (mb->m_pkthdr.snd_tag != NULL) {
+ if ((mb->m_pkthdr.csum_flags & CSUM_SND_TAG) != 0 &&
+ (mb->m_pkthdr.snd_tag != NULL)) {
sq = mlx5e_select_queue_by_send_tag(ifp, mb);
if (unlikely(sq == NULL)) {
/* Check for route change */
--- sys/netinet/ip_output.c.orig
+++ sys/netinet/ip_output.c
@@ -653,6 +653,7 @@
in_pcboutput_txrtlmt(inp, ifp, m);
/* stamp send tag on mbuf */
m->m_pkthdr.snd_tag = inp->inp_snd_tag;
+ m->m_pkthdr.csum_flags |= CSUM_SND_TAG;
} else {
m->m_pkthdr.snd_tag = NULL;
}
@@ -705,6 +706,7 @@
in_pcboutput_txrtlmt(inp, ifp, m);
/* stamp send tag on mbuf */
m->m_pkthdr.snd_tag = inp->inp_snd_tag;
+ m->m_pkthdr.csum_flags |= CSUM_SND_TAG;
} else {
m->m_pkthdr.snd_tag = NULL;
}
--- sys/netinet6/ip6_output.c.orig
+++ sys/netinet6/ip6_output.c
@@ -966,6 +966,7 @@
in_pcboutput_txrtlmt(inp, ifp, m);
/* stamp send tag on mbuf */
m->m_pkthdr.snd_tag = inp->inp_snd_tag;
+ m->m_pkthdr.csum_flags |= CSUM_SND_TAG;
} else {
m->m_pkthdr.snd_tag = NULL;
}
@@ -1081,6 +1082,7 @@
in_pcboutput_txrtlmt(inp, ifp, m);
/* stamp send tag on mbuf */
m->m_pkthdr.snd_tag = inp->inp_snd_tag;
+ m->m_pkthdr.csum_flags |= CSUM_SND_TAG;
} else {
m->m_pkthdr.snd_tag = NULL;
}
--- sys/sys/mbuf.h.orig
+++ sys/sys/mbuf.h
@@ -519,6 +519,8 @@
#define CSUM_L5_VALID 0x20000000 /* checksum is correct */
#define CSUM_COALESCED 0x40000000 /* contains merged segments */
+#define CSUM_SND_TAG 0x80000000 /* Packet header has send tag */
+
/*
* CSUM flag description for use with printf(9) %b identifier.
*/
@@ -528,7 +530,7 @@
"\12CSUM_IP6_UDP\13CSUM_IP6_TCP\14CSUM_IP6_SCTP\15CSUM_IP6_TSO" \
"\16CSUM_IP6_ISCSI" \
"\31CSUM_L3_CALC\32CSUM_L3_VALID\33CSUM_L4_CALC\34CSUM_L4_VALID" \
- "\35CSUM_L5_CALC\36CSUM_L5_VALID\37CSUM_COALESCED"
+ "\35CSUM_L5_CALC\36CSUM_L5_VALID\37CSUM_COALESCED\40CSUM_SND_TAG"
/* CSUM flags compatibility mappings. */
#define CSUM_IP_CHECKED CSUM_L3_CALC

18
share/security/patches/EN-20:05/mlx5en.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpotfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJdIQ/+L5DjK4Dny1CiFCxHMU52Gli2cYq37RIRciPockVn8aV5BQ4spn8BHgVd
l4LOZu3Scp2Ooo7m34L65+EkTp9cXsG5Ins3Cxv2EHMApwQs8GFWPZGSwiaNUC6V
iAmCMux4unoCd4kpIXVJcFa0KLP4jH9rofFGbVpJSxvdkfLIxdxPDTQauDJUCI80
ZWmb78AZMX7xZXNduwEszSg4JRej46jHZhCxOQdJ3jaAbXgiTwMof61qVkcSbtmP
q4UOGuGbLp53hFjItc9LMAyn6GXzqO5KFrQbQUifqaeKbpYELKcSjARcHN0FFXzc
mba3CwDG/PPInCF49Mb4Q/VkJyPNaKdoUWRhCc05Xl5p0k4BJYy/lmlNqqg97tX1
gbWyGc6xa+8GmlNA7uj1C4wFlXCziTnNth6PNK+teyZh3YFJW7bXvTqNNwbp3qB0
qs113nT+FL7UEBTwVNdTaF9wAoVWb/bHg5hjw7Lg3cNx8WbpMKhOP9jhQcfd2QDO
uGjzLGkwb5Q9RMOogq8OD00FHr7Ok2x2YPrJFIBqV36bMEyjsvkjr2W1kIgodZkv
LSXHYmTKiUEOc1XgBZN+qrlTBjQ+MZLyoAdpb0dlH4gQyS/vikY5FwrJqUTfBf4n
06P8HJ5TW6d0KH6Vm+6V57KLzTAqdc0hK9hOb3L257Bs54EZWUg=
=0lYL
-----END PGP SIGNATURE-----

83
share/security/patches/EN-20:06/ipv6.patch Normal file
View file

@ -0,0 +1,83 @@
--- sys/netinet6/ip6_output.c.orig
+++ sys/netinet6/ip6_output.c
@@ -205,6 +205,36 @@
*(u_short *)mtodo(m, offset) = csum;
}
+static int
+ip6_output_delayed_csum(struct mbuf *m, struct ifnet *ifp, int csum_flags,
+ int plen, int optlen, bool frag __unused)
+{
+
+ KASSERT((plen >= optlen), ("%s:%d: plen %d < optlen %d, m %p, ifp %p "
+ "csum_flags %#x frag %d\n",
+ __func__, __LINE__, plen, optlen, m, ifp, csum_flags, frag));
+
+ if ((csum_flags & CSUM_DELAY_DATA_IPV6) ||
+#ifdef SCTP
+ (csum_flags & CSUM_SCTP_IPV6) ||
+#endif
+ false) {
+ if (csum_flags & CSUM_DELAY_DATA_IPV6) {
+ in6_delayed_cksum(m, plen - optlen,
+ sizeof(struct ip6_hdr) + optlen);
+ m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+ }
+#ifdef SCTP
+ if (csum_flags & CSUM_SCTP_IPV6) {
+ sctp_delayed_cksum(m, sizeof(struct ip6_hdr) + optlen);
+ m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
+ }
+#endif
+ }
+
+ return (0);
+}
+
int
ip6_fragment(struct ifnet *ifp, struct mbuf *m0, int hlen, u_char nextproto,
int fraglen , uint32_t id)
@@ -908,17 +938,10 @@
* XXX-BZ Need a framework to know when the NIC can handle it, even
* with ext. hdrs.
*/
- if (sw_csum & CSUM_DELAY_DATA_IPV6) {
- sw_csum &= ~CSUM_DELAY_DATA_IPV6;
- in6_delayed_cksum(m, plen, sizeof(struct ip6_hdr));
- }
-#ifdef SCTP
- if (sw_csum & CSUM_SCTP_IPV6) {
- sw_csum &= ~CSUM_SCTP_IPV6;
- sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
- }
-#endif
- m->m_pkthdr.csum_flags &= ifp->if_hwassist;
+ error = ip6_output_delayed_csum(m, ifp, sw_csum, plen, optlen, false);
+ if (error != 0)
+ goto bad;
+ /* XXX-BZ m->m_pkthdr.csum_flags &= ~ifp->if_hwassist; */
tlen = m->m_pkthdr.len;
if ((opt && (opt->ip6po_flags & IP6PO_DONTFRAG)) || tso)
@@ -1017,16 +1040,11 @@
* fragmented packets, then do it here.
* XXX-BZ handle the hw offloading case. Need flags.
*/
- if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
- in6_delayed_cksum(m, plen, hlen);
- m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
- }
-#ifdef SCTP
- if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
- sctp_delayed_cksum(m, hlen);
- m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
- }
-#endif
+ error = ip6_output_delayed_csum(m, ifp, m->m_pkthdr.csum_flags,
+ plen, optlen, true);
+ if (error != 0)
+ goto bad;
+
/*
* Change the next header field of the last header in the
* unfragmentable part.

18
share/security/patches/EN-20:06/ipv6.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpotfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIh8Q/9ETsrnu22hJARS6H5kO+HGOd3NhRamWpllytcM1Q2TLMYbHB6UunMao05
YxBp86u9NhWYgyQ+qJeOqXgQpo6/ReUmjfplersuraacGjVoDgxPRqCVibAX8Of7
3PhaVCH8vwC5bkZqMm3JpPS62eEF2WF/Mc2asao6z0pI16PCi01ZOEgLFC9CdqTr
IZpHN1QX3Jj1uinYoACkwTKoY/y5FdoSoXg0Z8cvuoZ94ruSg/bUmuZJD0Hrs20r
HGWmcUJx/qorozp0X006kbErZqQ8WIlk+BDLiGdG/XjDd+OWOmYclAcKvpbJb8IR
2ELeLbP+yhXgpayrbXKA/B4Dd0p4uzPe0KV9GjLb+6et7SFV5Aidxs+7PfNubzpi
JecV47YEvLDS6AhdiYmVD7ZF7PX6LEd3tFKgsH+yygYfPCWjZopeViqo2vAE4aBC
a1fIIPugZDsqQowhdo0IfEc/BBP5X8hRlQt1FwKoepZ++hcQzvSvOtZgQI/VTP4R
B+zPVSJKvb7lbPknSXHMnLEqhf4TtRWAEHQiz14YhVFdeCFxxJ+V6Rsm+6DnijLs
O69YmQ4eI59eY1rfADaDE+ej6OPHhQ46rJKmN7+JyzAM/NcW3ZRuUEItdlSrBt4M
4olOYvnF6OBl3Qnta85O/53fP1dEnclxv838uEtSXYesVZbyVeA=
=xBIY
-----END PGP SIGNATURE-----

12
share/security/patches/SA-20:04/tcp.patch Normal file
View file

@ -0,0 +1,12 @@
--- sys/netinet/tcp_syncache.c.orig
+++ sys/netinet/tcp_syncache.c
@@ -1728,7 +1728,8 @@
ip6->ip6_dst = sc->sc_inc.inc6_faddr;
ip6->ip6_plen = htons(tlen - hlen);
/* ip6_hlim is set after checksum */
- ip6->ip6_flow &= ~IPV6_FLOWLABEL_MASK;
+ /* Zero out traffic class and flow label. */
+ ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK;
ip6->ip6_flow |= sc->sc_flowlabel;
th = (struct tcphdr *)(ip6 + 1);

18
share/security/patches/SA-20:04/tcp.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL73A//ccllY3bR2AqzjlfNp8I+w6dzZx8uS/waSLJL+zUeSI1TVrSu2+mjTbIK
s0JVqZ9XP+CPHE+37acn3YpXMsVRn1E4DBLzeaMLH255x+b5svWFZh+/rdgy0w+S
WSlTB5zu+77WaCr9XdBD5V0EkUBmUIOgkUc+LL9tM9s1x4+DUD+4KybLQHQo7zke
wbQ/mc0mpD7ugb4t5V7xPxvYOOxmCZEnZNIaNz991q/n48Kqi47GDPdnTidjUqdT
i6f2N0/eToGMmx+Dilbuyk2hCtOiSdydUVJAk+KA1RGSGKIGSQ7nUD5wmOLRmPO3
xQCEdG117Fpu1Y54zSLmU6O11S+FjOO9RyDPQkeQq+TD23rweTJG7kFgxIEZw3om
gMFaVW8BNmqR0ozTqryM6wpNqeI52HiWi9OKhp05jV1cV6z6o5kyfGGceI/HcAAa
Du/JAyvqNDSyrGJQZKSTkcr0/8YxtzM/QYXaSQoqrhYnyegGYTfkv2OgGgcypTdl
QxKd1F/wVhIac5FGDBmAst/nHMwlnyadugRe1FjCQLOdwIkuj5Ol/fRq670+eBQh
mLFQM3fGw2nW2ZuVj5ewqIbeLAzJ/cz3USdX+XT473i9u1/3O0OyN3tVY6HsSIP2
7SgjuAxAwsy5Gkg5pq42sYeENKJn0DTIks11llrfGNaivQHWmao=
=m2Ba
-----END PGP SIGNATURE-----

22
share/security/patches/SA-20:05/if_oce_ioctl.patch Normal file
View file

@ -0,0 +1,22 @@
--- sys/dev/oce/oce_if.c.orig
+++ sys/dev/oce/oce_if.c
@@ -616,6 +616,9 @@
break;
case SIOCGPRIVATE_0:
+ rc = priv_check(curthread, PRIV_DRIVER);
+ if (rc != 0)
+ break;
rc = oce_handle_passthrough(ifp, data);
break;
default:
--- sys/dev/oce/oce_if.h.orig
+++ sys/dev/oce/oce_if.h
@@ -46,6 +46,7 @@
#include <sys/kernel.h>
#include <sys/bus.h>
#include <sys/mbuf.h>
+#include <sys/priv.h>
#include <sys/rman.h>
#include <sys/socket.h>
#include <sys/sockio.h>

18
share/security/patches/SA-20:05/if_oce_ioctl.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI3/hAAmEYQUOLoEEcfq7YAM+P+kowlu+atAw+istqcqMqs8KWlELcd5PG78R2v
EXdywpDDDnmbp/zTBTs1aaIShmKkV8e/+ow++n8eABDYp/ERdNFMhosCuNjvGjy8
u38hBUL5L7FC5CARndSp5teixEi9GnITg9CckHrOYfAje2WOJJjhd2VKTKsblEn6
1jrVdncK3HQQFmRS+A2l0Ot+WVF7zO7H5vZgkqDOgt9bNXc47eTX6GumZ0NgKnDG
Mth0PJvCVMBw2cQLmYF2/gkZPFIff9TucHvosESScjQkD1NPNQ+0sc73lEhQolmV
7KvmahlayMrMZp5t48iDSjhMug4uVrIv+hvM3VTE7VQKNV0gWfUAYKaXDiF/1Dq8
cDCPttm/Ohq1wbEWtidP/vfmQd5TowKofikHOS0y+65qCvg5CR3FTU2cC0vUkwxN
yE/XYz9lfNyuLyJOj/plr/1dQXZoOGjg/4iurttGDy+PTqazQQuGJigSDaYirj/J
CJyZPG3Y3QKYM0DACS9KJxoydv9L6prusS0PqW4YaCPRZ9zuV93J7GyIxzi/DCXB
go8pRDAvqgJ5O1eQUYOX3IKl9nCeuXvleHEL/jDBozrsvmvkdVDlcsYCGzOA7LUv
vEjoncew786D9bAc+SRWgsuebU40wgLV1mbjtjBaEX/QVWqsypc=
=en9g
-----END PGP SIGNATURE-----

48
share/security/patches/SA-20:06/if_ixl_ioctl.patch Normal file
View file

@ -0,0 +1,48 @@
--- sys/dev/ixl/if_ixl.c.orig
+++ sys/dev/ixl/if_ixl.c
@@ -1625,12 +1625,30 @@
struct ifdrv *ifd = (struct ifdrv *)data;
int error = 0;
- /* NVM update command */
- if (ifd->ifd_cmd == I40E_NVM_ACCESS)
- error = ixl_handle_nvmupd_cmd(pf, ifd);
- else
- error = EINVAL;
+ /*
+ * The iflib_if_ioctl forwards SIOCxDRVSPEC and SIOGPRIVATE_0 without
+ * performing privilege checks. It is important that this function
+ * perform the necessary checks for commands which should only be
+ * executed by privileged threads.
+ */
+ switch(command) {
+ case SIOCGDRVSPEC:
+ case SIOCSDRVSPEC:
+ /* NVM update command */
+ if (ifd->ifd_cmd == I40E_NVM_ACCESS) {
+ error = priv_check(curthread, PRIV_DRIVER);
+ if (error)
+ break;
+ error = ixl_handle_nvmupd_cmd(pf, ifd);
+ } else {
+ error = EINVAL;
+ }
+ break;
+ default:
+ error = EOPNOTSUPP;
+ }
+
return (error);
}
--- sys/dev/ixl/ixl.h.orig
+++ sys/dev/ixl/ixl.h
@@ -52,6 +52,7 @@
#include <sys/sockio.h>
#include <sys/eventhandler.h>
#include <sys/syslog.h>
+#include <sys/priv.h>
#include <net/if.h>
#include <net/if_var.h>

18
share/security/patches/SA-20:06/if_ixl_ioctl.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJedxAAkRktJwXTYThJXPRmmF0iko2vuF6FBr/dtZO2elSStsXmDL5EeU6Qn8XY
kId640GOm8UmLctWspVL8R/Vo2CGMnZam2+Z5rPZ/UEXS2KyC4FTWMNR8nQtiNci
GVFJgUIyKTjuDAEGMI51cFZ72Hheh4vV3jtw8RmKnPjsHxwTJqEPt0povqvu/gym
3kBk1BXbLSKOw04AH/MiVw8t7mMRZWNrYE61zsG9LE9FprITtZcQZB6yNsZFICpd
ImfivrHm75X5Or1Q0T0+MeGvVe0hCjRa2O81wnGPoAYYKorhHSVhg0zQWOBzCqgi
B+8Az7eGuIRCGzh4ZDJwN6hI6vAb0lk2MSAvAvAkhrwzO5NAcMXg/PTej4Ph79U+
IYlfp+gA4vaBgChx/++n9TM7b/2etq1hB1aF8hcgvJOLdcXiVK9cl4ad97uAezz0
0ux71E/igUC/tub0TUL9Oe8VCoWrzZUF+UeWZadbalIALnFPaZJ+5ZQH/xvr+D7H
aQXwbUJqp0Qq3TS07Yk9wqq5UeyF+H15lgUAHJ3CWolUaiJJyjmNqj5ekijreP0P
7Lk8q4Ouxi5jz2S/ZbeHWnVLY+vDnrn7Ww+qWJh2T8+nHLRgw1vYeWQUO3FHUxH3
/lJy6n1ypS63tYfmN3vpmhKpgRfKbp5ovCAAONgSdqxSzBmhVd4=
=O27d
-----END PGP SIGNATURE-----

114
share/security/patches/SA-20:07/epair.11.patch Normal file
View file

@ -0,0 +1,114 @@
--- sys/net/if_clone.c.orig
+++ sys/net/if_clone.c
@@ -208,6 +208,17 @@
return (if_clone_createif(ifc, name, len, params));
}
+void
+if_clone_addif(struct if_clone *ifc, struct ifnet *ifp)
+{
+
+ if_addgroup(ifp, ifc->ifc_name);
+
+ IF_CLONE_LOCK(ifc);
+ IFC_IFLIST_INSERT(ifc, ifp);
+ IF_CLONE_UNLOCK(ifc);
+}
+
/*
* Create a clone network interface.
*/
@@ -230,11 +241,7 @@
if (ifp == NULL)
panic("%s: lookup failed for %s", __func__, name);
- if_addgroup(ifp, ifc->ifc_name);
-
- IF_CLONE_LOCK(ifc);
- IFC_IFLIST_INSERT(ifc, ifp);
- IF_CLONE_UNLOCK(ifc);
+ if_clone_addif(ifc, ifp);
}
return (err);
--- sys/net/if_clone.h.orig
+++ sys/net/if_clone.h
@@ -72,7 +72,8 @@
struct if_clone *if_clone_findifc(struct ifnet *);
void if_clone_addgroup(struct ifnet *, struct if_clone *);
-/* The below interface used only by epair(4). */
+/* The below interfaces are used only by epair(4). */
+void if_clone_addif(struct if_clone *, struct ifnet *);
int if_clone_destroyif(struct if_clone *, struct ifnet *);
#endif /* _KERNEL */
--- sys/net/if_epair.c.orig
+++ sys/net/if_epair.c
@@ -704,6 +704,23 @@
return (1);
}
+static void
+epair_clone_add(struct if_clone *ifc, struct epair_softc *scb)
+{
+ struct ifnet *ifp;
+ uint8_t eaddr[ETHER_ADDR_LEN]; /* 00:00:00:00:00:00 */
+
+ ifp = scb->ifp;
+ /* Assign a hopefully unique, locally administered etheraddr. */
+ eaddr[0] = 0x02;
+ eaddr[3] = (ifp->if_index >> 8) & 0xff;
+ eaddr[4] = ifp->if_index & 0xff;
+ eaddr[5] = 0x0b;
+ ether_ifattach(ifp, eaddr);
+
+ if_clone_addif(ifc, ifp);
+}
+
static int
epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
{
@@ -713,26 +730,6 @@
int error, unit, wildcard;
uint8_t eaddr[ETHER_ADDR_LEN]; /* 00:00:00:00:00:00 */
- /*
- * We are abusing params to create our second interface.
- * Actually we already created it and called if_clone_create()
- * for it to do the official insertion procedure the moment we knew
- * it cannot fail anymore. So just do attach it here.
- */
- if (params) {
- scb = (struct epair_softc *)params;
- ifp = scb->ifp;
- /* Assign a hopefully unique, locally administered etheraddr. */
- eaddr[0] = 0x02;
- eaddr[3] = (ifp->if_index >> 8) & 0xff;
- eaddr[4] = ifp->if_index & 0xff;
- eaddr[5] = 0x0b;
- ether_ifattach(ifp, eaddr);
- /* Correctly set the name for the cloner list. */
- strlcpy(name, scb->ifp->if_xname, len);
- return (0);
- }
-
/* Try to see if a special unit was requested. */
error = ifc_name2unit(name, &unit);
if (error != 0)
@@ -860,10 +857,11 @@
ifp->if_snd.ifq_maxlen = ifqmaxlen;
/* We need to play some tricks here for the second interface. */
strlcpy(name, epairname, len);
- error = if_clone_create(name, len, (caddr_t)scb);
- if (error)
- panic("%s: if_clone_create() for our 2nd iface failed: %d",
- __func__, error);
+
+ /* Correctly set the name for the cloner list. */
+ strlcpy(name, scb->ifp->if_xname, len);
+ epair_clone_add(ifc, scb);
+
scb->if_qflush = ifp->if_qflush;
ifp->if_qflush = epair_qflush;
ifp->if_transmit = epair_transmit;

18
share/security/patches/SA-20:07/epair.11.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIQtQ//UD8/0BDQYHiWjIfps4h6sPh0UQvXsCbE7uvLWpyA7H96Qi7EZhq17Yjr
IrF0iwkNtp4LInhbLEmAOuYwbkdhk4oqAZ30T7VbZQRuny/fDzMfM2M3mTW+2Ozr
SbIw3TlRd47p1NZQW5nhG7GFTVwlLQS0VxS1uHnNCXD9djW29tgeN9jI7pYe/ozq
VHIx5Dq9EphU5DvBrZNWQDIGS8Wq63DrRzHTJmm6+WpAFnHBETv3pplN9XRpjY24
RFPv94Xtj0fbn6D4b+rDQUCVZ1ukea6EcMCRZDL4RQrCgWXpNTqQr1Nsqf4QGdFS
dz0krA4IRdZnUQvqp8X0KkAb80rCEhXOzI8bmD9VSoTMJtn0NrYU0oh5O9quZVXh
OVisB5o+eBY+Ywgh6q1R6Arm5MOzSAuDgQ3J+M3sRmx4k6SIL5F72hUupIWEvesk
rqpashwDQM4luXMyEmucpbEvB/s7ELUjMp1BDnb2+xRyzAAPDPr/d8PPAP5lWa+k
YjCDRGObtnaX2A0uEXDt0JZ0UCrxDW4NRmdWzI8/PrT4IekW8NwvJX4ON6zAFudW
ENoOK3qmIIZkhIUbIHUrmJ/pl52vwY7ztiQ3cHvolZX4T7bHURScwnVPcwiaDyZ4
z4HeBdJafULZnZifVkWa3gTer804AMy3Ww8vSdkclIg+ADtUZg8=
=Fp6B
-----END PGP SIGNATURE-----

112
share/security/patches/SA-20:07/epair.12.patch Normal file
View file

@ -0,0 +1,112 @@
--- sys/net/if_clone.c.orig
+++ sys/net/if_clone.c
@@ -211,6 +211,18 @@
return (if_clone_createif(ifc, name, len, params));
}
+void
+if_clone_addif(struct if_clone *ifc, struct ifnet *ifp)
+{
+
+ if ((ifc->ifc_flags & IFC_NOGROUP) == 0)
+ if_addgroup(ifp, ifc->ifc_name);
+
+ IF_CLONE_LOCK(ifc);
+ IFC_IFLIST_INSERT(ifc, ifp);
+ IF_CLONE_UNLOCK(ifc);
+}
+
/*
* Create a clone network interface.
*/
@@ -233,12 +245,7 @@
if (ifp == NULL)
panic("%s: lookup failed for %s", __func__, name);
- if ((ifc->ifc_flags & IFC_NOGROUP) == 0)
- if_addgroup(ifp, ifc->ifc_name);
-
- IF_CLONE_LOCK(ifc);
- IFC_IFLIST_INSERT(ifc, ifp);
- IF_CLONE_UNLOCK(ifc);
+ if_clone_addif(ifc, ifp);
}
return (err);
--- sys/net/if_clone.h.orig
+++ sys/net/if_clone.h
@@ -79,7 +79,8 @@
struct if_clone *if_clone_findifc(struct ifnet *);
void if_clone_addgroup(struct ifnet *, struct if_clone *);
-/* The below interface used only by epair(4). */
+/* The below interfaces are used only by epair(4). */
+void if_clone_addif(struct if_clone *, struct ifnet *);
int if_clone_destroyif(struct if_clone *, struct ifnet *);
#endif /* _KERNEL */
--- sys/net/if_epair.c.orig
+++ sys/net/if_epair.c
@@ -711,6 +711,21 @@
return (1);
}
+static void
+epair_clone_add(struct if_clone *ifc, struct epair_softc *scb)
+{
+ struct ifnet *ifp;
+ uint8_t eaddr[ETHER_ADDR_LEN]; /* 00:00:00:00:00:00 */
+
+ ifp = scb->ifp;
+ /* Copy epairNa etheraddr and change the last byte. */
+ memcpy(eaddr, scb->oifp->if_hw_addr, ETHER_ADDR_LEN);
+ eaddr[5] = 0x0b;
+ ether_ifattach(ifp, eaddr);
+
+ if_clone_addif(ifc, ifp);
+}
+
static int
epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
{
@@ -723,24 +738,6 @@
uint32_t hash;
uint8_t eaddr[ETHER_ADDR_LEN]; /* 00:00:00:00:00:00 */
- /*
- * We are abusing params to create our second interface.
- * Actually we already created it and called if_clone_create()
- * for it to do the official insertion procedure the moment we knew
- * it cannot fail anymore. So just do attach it here.
- */
- if (params) {
- scb = (struct epair_softc *)params;
- ifp = scb->ifp;
- /* Copy epairNa etheraddr and change the last byte. */
- memcpy(eaddr, scb->oifp->if_hw_addr, ETHER_ADDR_LEN);
- eaddr[5] = 0x0b;
- ether_ifattach(ifp, eaddr);
- /* Correctly set the name for the cloner list. */
- strlcpy(name, ifp->if_xname, len);
- return (0);
- }
-
/* Try to see if a special unit was requested. */
error = ifc_name2unit(name, &unit);
if (error != 0)
@@ -891,10 +888,11 @@
if_setsendqready(ifp);
/* We need to play some tricks here for the second interface. */
strlcpy(name, epairname, len);
- error = if_clone_create(name, len, (caddr_t)scb);
- if (error)
- panic("%s: if_clone_create() for our 2nd iface failed: %d",
- __func__, error);
+
+ /* Correctly set the name for the cloner list. */
+ strlcpy(name, scb->ifp->if_xname, len);
+ epair_clone_add(ifc, scb);
+
scb->if_qflush = ifp->if_qflush;
ifp->if_qflush = epair_qflush;
ifp->if_transmit = epair_transmit;

18
share/security/patches/SA-20:07/epair.12.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLwgg/9G7rMa/od4rYSAnzkA0nPcsSQnZbpEnxUmDhEx9oaEOXOKvWEd8WCikei
YIZZ2UmHdtLs9nYhVuw7pM1DTzrxwO+9YJe5ywE6ZiuZ0oX8xvEU+OeeTaQbh8Ks
fHPybbZFyi7gxJpOgmka00qeV8O6Q8ixNqqOo/xsfFszbmgp/MQeFW3czmEKy53y
CxsDjpnjr4MdlGSKQ5v97TuCyeJs+jvxNigoEj8xog0xFqHAk9WhZjTOzaaQiiUS
owrUyavN97amH1ZOAKsi2m8uvRlNZxa8eDff12Fcrt3Qe+7JQr8oKhk9377RCw8G
z1O5lBXR2ga1O9q05S/17LF2tCs380UdBgaOGEa0cg2SvHPiPAGOUwvlDNMrQCkL
btGn2JMPRK2qISM1jjwM3Gfk2txCQsMYEwsF9YgGyOiXWu0Pq/uABAeEqgzdmhZp
0u7EqchQ9lyQR102i9446EMSfO4VmgFgszfzCdVVcuSRYekjqko0z0KLC7FtXl1Z
EtUPHOYWyeI/wF1wFj8BKXEEfp8PEccLYNVmSafMRfj/GxX6CMCMHoTHblVSwZ2v
tzaGwxHyqwCwE0Qqk6wMUtRyzQdRbUYSyUy41PrM41RZg+AOwvMZVYghUDfNbXJ1
PfdW/jWle2FukRhUK5upGuXc2atFBwY50wwJrL4zG0UoT6CSIM4=
=SiJG
-----END PGP SIGNATURE-----

30
share/security/patches/SA-20:08/kern_jail.patch Normal file
View file

@ -0,0 +1,30 @@
--- sys/kern/kern_jail.c.orig
+++ sys/kern/kern_jail.c
@@ -865,8 +865,12 @@
"osrelease cannot be changed after creation");
goto done_errmsg;
}
- if (len == 0 || len >= OSRELEASELEN) {
+ if (len == 0 || osrelstr[len - 1] != '\0') {
error = EINVAL;
+ goto done_free;
+ }
+ if (len >= OSRELEASELEN) {
+ error = ENAMETOOLONG;
vfs_opterror(opts,
"osrelease string must be 1-%d bytes long",
OSRELEASELEN - 1);
@@ -1241,9 +1245,11 @@
pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
if (osrelstr == NULL)
- strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+ strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+ sizeof(pr->pr_osrelease));
else
- strcpy(pr->pr_osrelease, osrelstr);
+ strlcpy(pr->pr_osrelease, osrelstr,
+ sizeof(pr->pr_osrelease));
LIST_INIT(&pr->pr_children);
mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);

18
share/security/patches/SA-20:08/kern_jail.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJybQ/+MODmoQrligHy7yuXlpo+mY4Ew3ALca4Q+F1+u1ZtwaPbyyiT2dZO5uhi
mIdUvq3okDeaJhU+JDJ9KmEtxAOTUE90AJTCsUISbHQ+RGtkYvuuJDDLw/7hZItC
yepdHa5Jcp6TIPa/JLC0TZJVWKBYr/JyiUk8svUzMJXB1b0BNxNJ0yOiiprEmiuI
drFgnzHIJRE8W9AxtyK1+ypLTGUuDpdvbVRlYnx5IBC7Jks/0U8jHWW9xsjOdA3/
RNz15yvX9dyc7DQBi6a3xr+TJUDnDRPRmzCUHvqVJp+cErLylfTS5sON3tY85TqU
C/kr27nHRqML05iaWyW5bE9S84I6uilh5/Cj51aHaKRqCO5yLpybNcB35GmgTLXG
Ojj5MCxbCexvlCiiy+I97cikl+kfmmk63zjRwNF5dgYU7CITARf1sLJLp4Ia3iux
MMvLgugvMPneF94u2zas2yNVO0JfndV6BEMEVt32aGc+eUBDKrnv/jSXshB/WGKf
PXO9K6x2lVOZfjIk0x/Ete/70nutn9GZ58ipHnQD968dmTR+6+wQdYkZxH1s+9p9
NRDwlz0K2f5+OvfFRlIqIZhDJP6ZwJ475M9oTZvxIzcmceVMdcOImWB1c4a4qcOV
cdVgf6v02+A+S7taomKPaNNSeyrJn/UOrO+ZNHqMcLRr7Ho8/G0=
=OlVb
-----END PGP SIGNATURE-----

29580
share/security/patches/SA-20:09/ntp.11.3.patch Normal file
View file

File diff suppressed because it is too large Load diff

18
share/security/patches/SA-20:09/ntp.11.3.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpoxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLGmQ/+P9irP0D3tbkbMt5pUlII3N74BhzPRfHTP8Bu13e6qnoXTpRjk54Kh0eV
Eq1JrimJAFbcym4X9UG3ZHFUFf9oD2xPSLJ1VMoulS8pWxXVf9wycm/haBZNpHZz
RKGNiANhpWBZRz6G+I/9duTkYvWkB3drpL3RL9LFIsiq5mkmDSOVNRvcfGHqRn/P
+LLuwpz+q6GMR5EmX5qmh1BJQUz9v7lcL11kLB1iTi/epqfj6aVv3xQDzgwZH6S8
TuN/EBl6P56naH9t+99NIZMJ8iuphbYz6Wlu/6AofZ57z7hZKYk4LBi31HyllkDr
10P3QRSu6Ma32wVLvFvTLW7EsMRRe38vhEi/g+cwG5Xtfwpjr1g167mwOKye2l1q
EEiRgrNOqU1ISrRpQApXOs2r39ybOcOfYUgtKsjkRVRo56eCBmIHSrzdLkkW90Rm
xFB/Oq3K79XF/91iBco1iMfVlEHxLi7JfzuGGfrxtmZ9coDfLn2LBaECEHOE6mSL
uKxQ4EpnF7/6Fa/j2GjHit0l8HR+WkGtbPqtP3whM+BilvYxGV+LaNE8knWQZ0DF
mgt0mHLTcZVZ3wc028Eb56m93ZXv2CHEgZCRpfG98k+uYIzOU+oclue92iBun0ce
2Gl/v90id0HB3hzFA0K+8cMMDppVrbitR83RheFAPVqquw48WxY=
=4Nof
-----END PGP SIGNATURE-----

29580
share/security/patches/SA-20:09/ntp.11.patch Normal file
View file

File diff suppressed because it is too large Load diff

18
share/security/patches/SA-20:09/ntp.11.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpo1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLhBBAAlKJopXbDl7MK38nmJDEmeIFAlaXN+Y8em60/682eJD9sT4qQ8WZOXiPG
pDuRHLfN+EkSrH9Iv7Yc0yaFn7HP7Yb895cLpu4QnelIZzpFZpaP7PKq1oU4XPzJ
A2luZgzxWqZAOWynPKQkpfidjDXx8lYb5lL8/fRTiw8cQyZJVcig8ENUFt7g5tcb
/Eo0QlWwFMTkUM7lz6HlmLoc4AHu+COnIBsPNQo6mafXuMrNMvyv4xnhlNnwlhO1
iu3Z9T868jat2jVQkU3eI/OUsA1ogEZDhgzH+4v5la+pRRZaD7s3tPVjJpXHCIu0
OlEJsk63D3wfIykgxugK4BEfHdHBrIzab/AjPzPf5u8cKmLcJDjC668a0O5fGrRG
mxyq7bvpWnDgxlWK2+YfMdO46Wz2laHF36ZSTpVswBZE8/QA4fuFNLDHAtXF2/2a
4x9RK3oTCC9wQ5wIGXBNMkrhwGLFrEeGbIEPGeOyOkbmiCt/5VOUWJhpft+IcQtA
SLhuU8b0/L4j236hNHaZt7kAEleWhxO939QPROu81j98cRMr8K+makngjHEOly7J
6fIuFvw78rDS1ZGgy69/OjgcJgxEnYzgFPiHwLONythG6yt/tMI123qJsUtdQ5mi
MPPGNqNrRigb5AV2siZd7Ae1i4t9bT+0SX/ZGwB2vvh8i4b5/G8=
=kNfC
-----END PGP SIGNATURE-----

29611
share/security/patches/SA-20:09/ntp.12.1.patch Normal file
View file

File diff suppressed because it is too large Load diff

18
share/security/patches/SA-20:09/ntp.12.1.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpo1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIsxRAAgJGAocqd3QAuL/lnEPbDFzDDUn/XzyUpFYG7gXXih9cjzdzHTA0BxxYM
JaOeqdJnRL1j+clKCx01dUI0H05fRmklRpUxaK0CFyPHFuFaP+SIXLKE6/l6JN1Q
Xw2+VKHFRmZhxOeo12K9yxBJKhY7MgtHtOxT1TR08UwhkWhqofyjPjBZkJK9nSyT
zf0lzazOCeFzrm/J5C1R81wXSsNckdfwVJN4qjVNENb2TqIy9VDTTyMe9/uqNz2k
AoU2Llp3BuHD/xLbMrRU30KX9sDz8PdLo5n/7FyauTiXwrc4A4HXQBMur/MAYfxC
HIe9xMDfLDfhoEHQhiGh+KdgS+U7gSrGhW5EvPMf812lbuTkt+ST4qP0t4Qyz+vi
ZRYY1KX/tCzlH4blQlgdwLeiHK6sEFS+EZBEI57BhzYomT0cJIVYeLUMUlEJCKkY
my15XiOfVP/0CxD8uaSxWfZnf5xADiADTnKn7DiMYf7G16T3vHY0FdC+J9Kh6a3+
9R+lC2w6r8WoF0iWvOJFu0tUVYRVtVSaN2k1vXoOmRnzYu1LJZezfVAwuk/vFQqx
57e2bDIC8Tpp+UejHKoj9lvBbL7K6GFFU2cUVP9vIAlzWXm6k6vD6mkbEHkBPTkN
yTpb+IZdeDq51j0ar16JSztO9mAM7AgxrcmO8ED2dgb6PUwakAg=
=boWC
-----END PGP SIGNATURE-----

29594
share/security/patches/SA-20:09/ntp.12.patch Normal file
View file

File diff suppressed because it is too large Load diff

18
share/security/patches/SA-20:09/ntp.12.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpo1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIeSg//TDEvOMSDPQOblXISBwEKv6yGvkGGuxNVidmtoMFaDf96OIQv4U1L22dE
z1VD4gqXat3FWbP5SwNWk6uWWdYQQOMJPnVjLf54ketJ2UlMjYWsR9c9zvd6OsoU
7ed5KvQLWOYOF6bP7H4ArsDwRFaA50CsrYh0yqwUzZqGdwvJWw9U6kBRepxgyQEV
HA2HDtdgar+4hudn5ITXrpkYbCXOvkK9ePnR0RwLYasG2QwrKXQFlsnbsznd2oiq
ASC3yTdpIcSV2ThlM1tF3EVU3TL+pPrF48CJyZ7ZZ2zQfHG4nuAN01wD7j25+7/I
NfpI0J3/3O5JgSINAcjrb/085bGs6QbZswl97YGKtlRDQSP+z+R5TqmrL34hIslm
uCieT3up2l7XWAXPAWvqYXD0m+zmuLICAYch7PR78i4nP/IDM74eEUeZecbliaJa
DGXcqKUi67YSW0G2+dx1m2pNFCt5WkE07nIPRRsEWtzed04VIEaC3P3RQw73O7sN
YXqg3+Mj+cUtZYqh2m+NmgCUU58qRx/OdesLRj+vq/0GJPwdoSi8X2KE74Bpgk1D
tgGkh4+glyOgvxsMaDxNxRWFpl1/kt7fYzL1C9pzKKYoWOo861FK22mUh3b/MbPN
mBNgysCq4cvUnyNs2fzdaiRr53rL5UMFOcC0pLUZ7jAmztDss4s=
=/hXi
-----END PGP SIGNATURE-----

33
share/xml/advisories.xml
View file

@ -7,6 +7,39 @@
<year> <year>
<name>2020</name> <name>2020</name>
<month>
<name>3</name>
<day>
<name>19</name>
<advisory>
<name>FreeBSD-SA-20:09.ntp</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:08.jail</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:07.epair</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:06.if_ixl_ioctl</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:05.if_oce_ioctl</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:04.tcp</name>
</advisory>
</day>
</month>
<month> <month>
<name>1</name> <name>1</name>

25
share/xml/notices.xml
View file

@ -7,6 +7,31 @@
<year> <year>
<name>2020</name> <name>2020</name>
<month>
<name>3</name>
<day>
<name>19</name>
<notice>
<name>FreeBSD-EN-20:06.ipv6</name>
</notice>
<notice>
<name>FreeBSD-EN-20:05.mlx5en</name>
</notice>
<notice>
<name>FreeBSD-EN-20:04.pfctl</name>
</notice>
<notice>
<name>FreeBSD-EN-20:03.sshd</name>
</notice>
</day>
</month>
<month> <month>
<name>1</name> <name>1</name>