Add SA-17:06, EN-17:07 and EN-17:08.

svn path=/head/; revision=50656
2017-08-10 07:14:48 +00:00 · 2017-08-10 07:14:48 +00:00 · c4b9f70c8f · 2020-12-08 03:00:23 +00:00
commit c4b9f70c8f
parent 9586f72962
11 changed files with 539 additions and 0 deletions
--- a/share/security/patches/EN-17:07/vnet.patch
+++ b/share/security/patches/EN-17:07/vnet.patch
@ -0,0 +1,18 @@
+--- sys/kern/sys_socket.c.orig
+++ sys/kern/sys_socket.c
+@@ -675,6 +675,7 @@
+ {
+ 	struct kaiocb *job;
+ 
+	CURVNET_SET(so->so_vnet);
+ 	SOCKBUF_LOCK(sb);
+ 	while (!TAILQ_EMPTY(&sb->sb_aiojobq) && soaio_ready(so, sb)) {
+ 		job = TAILQ_FIRST(&sb->sb_aiojobq);
+@@ -698,6 +699,7 @@
+ 	ACCEPT_LOCK();
+ 	SOCK_LOCK(so);
+ 	sorele(so);
+	CURVNET_RESTORE();
+ }
+ 
+ void
--- a/share/security/patches/EN-17:07/vnet.patch.asc
+++ b/share/security/patches/EN-17:07/vnet.patch.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.21 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBigACgkQ7Wfs1l3P
+aud1/g//T+r0QjiYhomNf6Nuqc1mQKRG7YT0rJJ7bBHNn+ftOFuscW8gzgfvkL8m
+I8jJVEnWyQy6+tcsg0aZt0WntmAyM+tmmdXZA55WdeZ550jzfKyJRCjya7vTGqWT
+3ewoXm5Vsw08+Cr5CgF1YZWHHDXGXSScoiOsWnjqXHywRg2t4lrJjEWJOh/BZq+q
+ro0pL236Awa7R2OnystMF8Vp7XUPjKcueEDmrjqmq9vMqvXJn1D/XW/p8StTDdRB
+E00IYcuyZEX2s1OrEEqusHsRjNMPIJCb1x0eJl6Zh/lekjejl5hG7VhlJJicl9GN
+kzATbcIcifEAZEwSPx1THgZwJL1PzQJ7peyALCG/hB6buqYonYP7JrWNcQq32vg+
+P1BlLq8XfUa2yV7H8x2fUBcUN7Xjy7/8d/nJd68gX2vdDjOfvh43xAnECUDnWpGW
+AzRLFiMJJ5blv1fjn3xDLBoEPOMY7uwIk0I7ye9FUAIQRdD1jvTimcTI0wx0i0lE
+6HHjNtpC7ZYhk7ADFouzCfzAUYfzPY0xFP/Qp9vmR+DiFQffAAUn4vhHpiROoEHd
+k+PK+0wihcnglHj+v/A0vFYgJ86cWqF7tDA2iwkqVhXJWwWkQ+ZTiYJBaFRqNPWw
+k8lMNOcs0BxLZ4XRKqH/wr/r9ZsDtAVDiz0G8ANo1+FdXbVqAcI=
+=QQJA
+-----END PGP SIGNATURE-----
--- a/share/security/patches/EN-17:08/pf.patch
+++ b/share/security/patches/EN-17:08/pf.patch
@ -0,0 +1,24 @@
+--- sys/netpfil/pf/pf.c.orig
+++ sys/netpfil/pf/pf.c
+@@ -129,6 +129,8 @@
+ #define	V_pf_tcp_secret_init		 VNET(pf_tcp_secret_init)
+ VNET_DEFINE(int,			 pf_tcp_iss_off);
+ #define	V_pf_tcp_iss_off		 VNET(pf_tcp_iss_off)
+VNET_DECLARE(int,			 pf_vnet_active);
+#define	V_pf_vnet_active		 VNET(pf_vnet_active)
+ 
+ /*
+  * Queue for pf_intr() sends.
+@@ -1441,6 +1443,12 @@
+ 			kproc_exit(0);
+ 		}
+ 
+		/* Wait while V_pf_default_rule.timeout is initialized. */
+		if (V_pf_vnet_active == 0) {
+			CURVNET_RESTORE();
+			continue;
+		}
+
+ 		/* Process 1/interval fraction of the state table every run. */
+ 		idx = pf_purge_expired_states(idx, pf_hashmask /
+ 			    (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10));
--- a/share/security/patches/EN-17:08/pf.patch.asc
+++ b/share/security/patches/EN-17:08/pf.patch.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.21 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBigACgkQ7Wfs1l3P
+auf3yhAA3kHXPGMKXhLNNU4x4Nen4lwOPw78L+ZIboLMCT8cOLRDXtHiqLdGljeQ
+jQfNTXxL3wgNYyX8M3uwbvTeuJ1XGqWoDvdqCB/ngfUNQjnaturyKBiu60soiXJp
+RIta99QQ+PUpL6e5Kxnb9jIF0HvFELkxfq6eicS2d7V/QjcZAKpArF14vOAVdt18
+C+aUY5wpNFzvyDJ6a/uWpexACnS2wFMElWOV10fjh4vSMaxCectK6eejT7ansQC2
+OAcpyzd6p2giidw2D+B54PGZAOX2utKEpJ9jBm+ITFYqhasQm3WtEQ0ozl8Rc4Ru
+j4DToZwFwwaKTcpyKE2C3E9EtqiadePkQoFkfhQixdcUm7FFj0k+6Kou3QT4eAMy
+5iuenPh9q2oMrW0ye8EqTVyRan9s4+jBpiibW/AEIPguegGl9L2Pg3Xw39pTXLPj
+D0+la6GnESFWRod9w6IPcL97EQuD2NnBRkMru2xHHk7636Zc9aE12oI0ckrhfi7D
+Pda31jKEC3BucLMIGMnVU8JN7IX3abbY+wgL8ttWeGmjr4TRMnV8fX0b/4bhKOx5
+fQMakqxQXBJr8i9tPmx43+TPO8f9ddqtSDKRAfZTpASN0ugCFyH08veTx8Ahh7bQ
+TwyY8wRFQCxEeod1kJ4rUoWou1/1tMZiM4N3+I2Os7E+HdO+3HY=
+=hezW
+-----END PGP SIGNATURE-----
--- a/share/security/patches/SA-17:06/openssh.patch
+++ b/share/security/patches/SA-17:06/openssh.patch
@ -0,0 +1,21 @@
+--- crypto/openssh/auth-passwd.c.orig
+++ crypto/openssh/auth-passwd.c
+@@ -66,6 +66,8 @@
+ #define DAY		(24L * 60 * 60) /* 1 day in seconds */
+ #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
+ 
+#define MAX_PASSWORD_LEN	1024
+
+ void
+ disable_forwarding(void)
+ {
+@@ -87,6 +89,9 @@
+ 	static int expire_checked = 0;
+ #endif
+ 
+	if (strlen(password) > MAX_PASSWORD_LEN)
+		return 0;
+
+ #ifndef HAVE_CYGWIN
+ 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ 		ok = 0;
--- a/share/security/patches/SA-17:06/openssh.patch.asc
+++ b/share/security/patches/SA-17:06/openssh.patch.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.21 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBicACgkQ7Wfs1l3P
+aueQ2hAAlv9j3RiWL+SaafCb4DUcDEq99zGpHbOAr1wgV/n7UqFpaan5UIE9z92e
+YJXKJrwvxMr4Znc9O0MI6C/fawIgO1g/699Q9CwlmROtqBaF2Qz7PTj7RP5IntOZ
+RgFNycPvq8qy+H1S1yK8UbfQ+3rl2Vz1xBe9SwmXvseHhVIHxr2l8mLTjEPtInOW
+EMXsdX+QPX3+4uPX+mkV4WtPt4YYmM3aHVeqI2YVwe6DlsWL4y2OIBz23B9Lggwp
+28m4sIfonNtZwDf0BSf7sdzPzYGQyjQ9Kwr5SEyqOV0eR9FeHr6cjW4UBu3X1X0I
+eeCTBcrHbzcpEFr75pvEbsTRhzGVtBWtTAhvD+eXN2NaqTQrivvFAZaYiu8tWlpZ
+QYgMwdwotZd96msiI1H1M6IdM1wJjEvXlaipnoAKkX2b88Hd5WDA2q2PZSU5BMDP
+gKK51xc6BQ/6KzwCyfxNX0vzImM7mL6MBo7y9Lqi/7U3CPQmuDX3sCzs6fLp0kli
+fQLpjetc5IcIFhyRnvRUpDVvfnU8KyyveU4ZMJ1dqfAZnBGXtu+ri7hknVLO10HY
+XipKtvPkaMIA7v5ky/pTOyfRc0sqWUvHav0M7eDL331GaWoz9bUP5NcD+YowRAgs
+P4/LyAdTxkT53jzqGSf/RN3I8KRhniUzZVjTv6nq39Qf6MvJG9g=
+=n0X7
+-----END PGP SIGNATURE-----