os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add EN-14:12, SA-14:24, SA-14:25 and SA-14:26.

Browse source
This commit is contained in:
Dag-Erling Smørgrav 2014-11-05 00:28:45 +00:00
parent 35a4e5ba7f
commit d97869806c
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=45928
18 changed files with 1029 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

139
share/security/advisories/FreeBSD-EN-14:12.zfs.asc Normal file
View file

@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:12.zfs Errata Notice
The FreeBSD Project
Topic: NFSv4 and ZFS cache consistency issue
Category: contrib
Module: zfs
Announced: 2011-11-04
Credits: Bart Hsiao, Marcelo Araujo, Kevin Buhr
Affects: All supported versions of FreeBSD.
Corrected: 2014-10-07 06:00:09 UTC (stable/10, 10.0-STABLE)
2014-10-15 06:31:08 UTC (releng/10.1, 10.1-RC2)
2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
2014-10-07 06:00:32 UTC (stable/9, 9.3-STABLE)
2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The Network File System (NFS) allows a host to export some or all of
its file systems that can be any kind of file systems such like UFS, ZFS
etcetera, so that other hosts can access them over the network and mount
them as if they were on local disks.
II. Problem Description
In a configuration where two or more clients mount a ZFS file system over
NFSv4 from a FreeBSD server, if client1 caches a directory listing and a
file in the directory is renamed on client2, then client1 can end up in
a state where the cached but incorrect directory contents persists indefinitely
and is never updated.
III. Impact
When client2 renames a file or directory, client1 does not receive the
changed attributes and never does a READDIR to get the updated contents.
This could result in a client that has incorrect information about the
actual content of the mounted file system.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch
# fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch.asc
# gpg --verify zfs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/zfs.patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r274108
releng/8.4/ r274111
stable/9/ r272677
releng/9.1/ r274112
releng/9.2/ r274113
releng/9.3/ r274114
stable/10/ r272676
releng/10.0/ r274110
releng/10.1/ r273122
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:12.zfs.asc
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJUWWUOAAoJEO1n7NZdz2rn9KsQAIw7xhRYGUQ+SwIl6E8Tzodd
bx/VkTLOgcDrGSNqREzkgNeTtWXOXRwibZpBVXl8sglf+WPtZsnGcCALze9CiS14
boesjajpl7znqJ8zDpIU3qMdFsEOB5Ky3KDTQgCMEygAJrOxASGv6TCOT/3e1hRr
Ez0+32dnqooxNRJjHA0t+t+gBszFFLV1PbstpaCOOAsZpmNMtJGbhsydF/aKcK17
dcNaOKjMPB4SDGMx+dcZqS8bToEXfe0lwOGiEDAavVCyMx5zyie2bGfUWEI2bpu5
1VcOtnMxpKlgJdEOIbFI0RXdj4CujLbfwNBnDGLELcCZsPtoWJQZHDmDXK5pkEof
6aOHqqmZrFsI9V81ymVbQYYSHF67ZeRZB3CotC8trQn+tnxK1l0s6KF0FzSHQigU
y1Q1vErOKuzPEcrD7sp7xTS3VAQ1a7/uGY6KcTSrJu7xwrJe8KRNvufokgnzU3D4
X/O/L7TxvjTmTu1T2882mMIrtpALf/tjGwW32ksUnXo6RiwByvaalO9ObEBPYzGQ
C9xG3ggfqhyHDlw21VhCjZF5hQ7xUnBKHjT60LbGMB5llaN1DUN6HRT9rCbeN4gP
5eJalL2x1NLT1XVCBYlq1IhE6vTcnTdVVcGRBJQbPnfqivrDzBfIFzhy/4tc1J7K
IkJAwk+aThuF3j3xnt+z
=lQAP
-----END PGP SIGNATURE-----

160
share/security/advisories/FreeBSD-SA-14:24.sshd.asc Normal file
View file

@ -0,0 +1,160 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:24.sshd Security Advisory
The FreeBSD Project
Topic: Denial of service attack against sshd(8)
Category: contrib
Module: openssh
Announced: 2014-11-04
Credits:
Affects: FreeBSD 9.1, 9.2 and 10.0.
Corrected: 2014-05-04 07:28:26 UTC (stable/10, 10.0-STABLE)
2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
2014-05-04 07:57:20 UTC (stable/9, 9.2-STABLE)
2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
CVE Name: CVE-2014-8475
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access. The sshd(8) daemon is the server side
of OpenSSH.
Heimdal is an implementation of Kerberos 5, which provides
authentication and single sign-on capability for many network
services, including OpenSSH.
II. Problem Description
Although OpenSSH is not multithreaded, when OpenSSH is compiled with
Kerberos support, the Heimdal libraries bring in the POSIX thread
library as a dependency. Due to incorrect library ordering while
linking sshd(8), symbols in the C library which are shadowed by the
POSIX thread library may not be resolved correctly at run time.
Note that this problem is specific to the FreeBSD build system and
does not affect other operating systems or the version of OpenSSH
available from the FreeBSD ports tree.
III. Impact
An incorrectly linked sshd(8) child process may deadlock while
handling an incoming connection. The connection may then time out or
be interrupted by the client, leaving the deadlocked sshd(8) child
process behind. Eventually, the sshd(8) parent process stops
accepting new connections.
An attacker may take advantage of this by repeatedly connecting and
then dropping the connection after having begun, but not completed,
the authentication process.
IV. Workaround
Possible workarounds include rebuilding sshd with Kerberos support
disabled or installing the security/openssh-portable package from the
FreeBSD ports tree or an official package repository.
Systems that do not run an OpenSSH server are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch.asc
# gpg --verify sshd.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
c) Recompile sshd. Execute the following commands as root:
# cd /usr/src/secure/usr.sbin/sshd
# make && make install
4) Restart the affected service
To restart the affected service after updating the system, either
reboot the system or execute the following command as root:
# service sshd restart
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r265314
releng/9.1/ r274112
releng/9.2/ r274113
stable/10/ r265313
releng/10.0/ r274110
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<other info on vulnerability>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8475>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:24.sshd.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJUWWlZAAoJEO1n7NZdz2rn4UEP/0VdM6uSHWyQSOzO+kuDxRfT
wru9+yjCB4NJtFzvBLe8eeiUDiTqJaTfrAGbbr9l5qkRXvTaUzWyaHyraLN4nK51
/ouxKzxxrqf0YDpYQPIUwCVmkoLn/+0T3U7sB78bx5WH4W1XoKKWIkChCyZpVvBI
vw6A5Ep4+U6mTGXE2D04WQISkKXYqzCuW0rJBnm0xDj9xUprgZJ7tTSx/ewAiA/L
FV37riqb8OII8lThV7g0s0F0JWDUf+AznG/S7amior0jMMSExdafifcvHEUZNs72
4cYh66p/GxeImU2Tm3VDRlfoAv86kUFwIevwD4oj5wXa7aBMdUwPITyQJ0We68gj
3kMBpJaZAJ7DpwYuCu7/RF7K4Irt3mSJJipS3IvI2LteHCakZBIUlbrPJrcfMl4P
VJQU3v4HLH5XZskuR5UEJ755DT+7ZMd7tFl0iWFVsutwjf/bn2u0rtfdcpOerAub
0gYGzPcC9dzBM5OHZdo1wwmZu56jRpddmQ/nc94Wsmm7Nw2ibd9YZpU88LCqR7xa
jsW+F/+napKvsBXqAHTlmJ87oJUSruYS+K/dKbGvCDIjBTjsNu3HqMNS5g4vG+GR
MazlN8Vrg6zVx11ESzFiIJBAgLLNfRgXNFNSPY3NMuMYiS7q0QwGkQlWBb5bmiB8
FlP/B/8bn/171n5RfarG
=mry5
-----END PGP SIGNATURE-----

153
share/security/advisories/FreeBSD-SA-14:25.setlogin.asc Normal file
View file

@ -0,0 +1,153 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:25.setlogin Security Advisory
The FreeBSD Project
Topic: Kernel stack disclosure in setlogin(2) / getlogin(2)
Category: core
Module: kernel
Announced: 2014-11-04
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
CVE Name: CVE-2014-8476
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The setlogin(2) system call sets the login name of the user associated
with the current session. The getlogin(2) routine returns the login name
of the user associated with the current session, as previously set by
setlogin(2).
II. Problem Description
When setlogin(2) is called while setting up a new login session, the
login name is copied into an uninitialized stack buffer, which is then
copied into a buffer of the same size in the session structure. The
getlogin(2) system call returns the entire buffer rather than just the
portion occupied by the login name associated with the session.
III. Impact
An unprivileged user can access this memory by calling getlogin(2) and
reading beyond the terminating NUL character of the resulting string.
Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory
may be leaked in this manner for each invocation of setlogin(2).
This memory may contain sensitive information, such as portions of the
file cache or terminal buffers, which an attacker might leverage to
obtain elevated privileges.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch
# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch.asc
# gpg --verify setlogin-91.patch.asc
[All other versions]
# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch
# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch.asc
# gpg --verify setlogin.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r274108
releng/8.4/ r274111
stable/9/ r274109
releng/9.1/ r274112
releng/9.2/ r274113
releng/9.3/ r274114
stable/10/ r274107
releng/10.0/ r274110
releng/10.1/ r274115
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8476>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:25.setlogin.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnI0IP/RlwFhOJgr9CHdKg5SYsruSQ
LG6z0ufgUETIkeXP1KGm6oYz0X8hpU2Q+MIE5urrPbGYL4Ouo/1oCiwGkBPh4xM/
L2Z/qIBxmfG/NaRK8PnGSXzlCc02XGnqf9Y6CJN1sIkwrptop02y9sgaLsqLy7K6
s/YvQ1fe5FT6TV9Nr9l6OwKkVAYa1Ba+JUnklVBWA2eZkLa6YOUlY25w9alqTMVQ
Z4oaLHCnGradKdaKKk0NOOYv0ZGHjkp/Lwd9ja8wyW0K+R1aef9Z5tWloVWQBeJ8
gzxeA/JpfRtb0lYj2GIpny6znP/lzkEve42No6xDdmUr4Wp0b5hN2qGgwwgEFSIo
2kFVwMkRlK1JsD0U+VK8AxP4neJFECw3t0zWTUr3BMnxoOEG6O1nIU0T6Ru8/K0b
aIc/G8TiOxOaXHuiWJhR1p9cblGlz7HnFSAmM6vN0O4DBcX7xwr/ndDl/6npvkmt
biB+hXZK0Ega8X9LsZ5injDo0FZ4XNIyEOy4/QOeJW4kJQv0Oh14cYSU6cM/yfaU
tJ7M6WYnFS8G+0e03auM1XVeu2oxyR0ry1IC7xS4O9N4m+8nE7DlRU8okhQRXiFB
iCmzO1XmOTK0zygtS34bDaOuey3U0yFG4O5wMKrAkMeQ9jPogyt99ZzIk3L3UPqZ
xcWRhKahyz9umrzsssOL
=xiWR
-----END PGP SIGNATURE-----

151
share/security/advisories/FreeBSD-SA-14:26.ftp.asc Normal file
View file

@ -0,0 +1,151 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:26.ftp Security Advisory
The FreeBSD Project
Topic: Remote command execution in ftp(1)
Category: core
Module: ftp
Announced: 2014-11-04
Credits: Jared McNeill, Alistair Crooks
Affects: All supported versions of FreeBSD.
Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
CVE Name: CVE-2014-8517
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ftp(1) userland utility is an interactive FTP client. It can also
be used non-interactively, by providing a URL on the command line. In
this mode, it supports HTTP in addition to FTP.
II. Problem Description
A malicious HTTP server could cause ftp(1) to execute arbitrary
commands.
III. Impact
When operating on HTTP URIs, the ftp(1) client follows HTTP redirects,
and uses the part of the path after the last '/' from the last
resource it accesses as the output filename if '-o' is not specified.
If the output file name provided by the server begins with a pipe
('|'), the output is passed to popen(3), which might be used to
execute arbitrary commands on the ftp(1) client machine.
IV. Workaround
No workaround is available. Users are encouraged to replace ftp(1) in
non-interactive use by either fetch(1) or a third-party client such as
curl or wget.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8]
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch.asc
# gpg --verify ftp-8.patch.asc
[All other versions]
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch.asc
# gpg --verify ftp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile ftp. Execute the following commands as root:
# cd /usr/src/usr.bin/ftp
# make && make install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r274108
releng/8.4/ r274111
stable/9/ r274109
releng/9.1/ r274112
releng/9.2/ r274113
releng/9.3/ r274114
stable/10/ r274107
releng/10.0/ r274110
releng/10.1/ r274115
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8517>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:26.ftpd.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnhUwP+wQKrgKs6lRk6Yl4UtRyEwyG
BHGkA62oaQbehuccahjQgIcLTk3Vp3AalXtSQpdyWJktHiYrFwBnheW/IrhJ6bMS
dpJv3yqqQtSED9sADf+GAvxV6TG9bknq/RDxXKpsQ/MocYbiVxz/3nDOMz9CB7ep
saDttvGHW7RUmNoKL70pgItGapiVuBzMF01PCZ2SmFiJHYi7BoiJwm72Y1NLU8YE
TkiX2ZAoTVMN5/R3DW38HyVCyeY2tMTHSdQXRSYjwzJ0gEbBPWMPQyB1SAa8dtk5
j54KFNOBoaXMjd3USqFgo0fduU3rGZp5PwITTx5Rx5Ixtz2vHddyOISV0RcjA0cq
TWDwBGlKET7qZ1j7nHTgy4U4wMTWFbkjjqEY+RHYywaAmy8ACDmEUci8d3fWKWVY
d4y8RCvBrlnFVjmNiNcBc5XFXxY0Ra3BQ8C/VE0k0ZFuzmFUCi+DJZDR2Gtl0R9Q
1hAdj+yOJo46ylHPiSyoBZmsRZccV1a81phOPe0mPR84BvzNvBsdI+EFIJWi+5bw
bjuSM8YCOHrlGkqh9h9+BizvLfJFpjUSglwzPmOfRpTv59XJpc6D1Hia+uICTEfd
lSiJgDZ6enozY7QVoiO7G/ycyQCVe7Ehwywx/dpWXVpva85tn4Xl2khBCiPNbBBo
xnPjqxmwGK+4uegsO6CY
=QT3h
-----END PGP SIGNATURE-----

12
share/security/patches/EN-14:12/zfs.patch Normal file
View file

@ -0,0 +1,12 @@
Index: sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
===================================================================
--- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c.orig
+++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
@@ -2827,6 +2827,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, int flags,
#endif
vap->va_seq = zp->z_seq;
vap->va_flags = 0; /* FreeBSD: Reset chflags(2) flags. */
+ vap->va_filerev = zp->z_seq;
/*
* Add in any requested optional attributes and the create time.

16
share/security/patches/EN-14:12/zfs.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJUWU5xAAoJEO1n7NZdz2rnvzEQAOhDEi1MDJ5kuXjUFdMJZKiR
xsslfTMBk3xUXiGldU3pFEYAe0xKvQKk2yHgjy1TYTo30UINqTcCkxVIgW06RMLm
61/3Jt0BCboMz4Jg4TNuBZCS/gRI/bZyHP1abXCtTx3PnZUqKvezYX4+dir+CWLW
km9fN4f9ieH8B7GjBTDv1d19jCK8/Vhjw3GtAlVmqor5wCmvmQLv6DLgfVp16Wrf
lmLS9X/fSwTykVlhCQckaDnPt22klv0vUvg3P7BocTYCv44Be50nGPRhme0W7LNw
r2jQPIzGmNsV3KhbilYvaEwm6iLqcgP6Hqrd7924MAM2fkr2qzSFAZYn12Ty3DSl
K47+7DOBfQ7E/REoRMkXLdppUhcvrf/ooS5o98kTx8EEitmo0+ogndaP3WkPK5iR
pyxyhTwRChlqM4DdYrrZ7TCu8XkxxShhoKtYH1IKn/ZIZw9UTMlOES6DqcNz9jIZ
4yaW9TgffZ7S6c4/lVU5PyIbaZao/fT8HtWd+JubFpEc+J/0QkXA0MJuOxm+WgWY
NUVOukFR4fKAIXfdnnN8bZqAfNidPQUaTwdmwy6Zsg2xJxe9L+IaViE8uCkJENic
2T0Y1isfxPMf1MYBsdwRv8KfGtpudc24eRZEXbgdATjClj/CyQHeCQuHTOJDz649
mEI6MBnMqzSdhf9pR7DX
=S5Fz
-----END PGP SIGNATURE-----

21
share/security/patches/SA-14:24/sshd.patch Normal file
View file

@ -0,0 +1,21 @@
Index: secure/usr.sbin/sshd/Makefile
===================================================================
--- secure/usr.sbin/sshd/Makefile.orig
+++ secure/usr.sbin/sshd/Makefile
@@ -57,6 +57,16 @@
DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
LDADD+= -lcrypt -lcrypto -lz
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
.endif

16
share/security/patches/SA-14:24/sshd.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJUWU5yAAoJEO1n7NZdz2rncK8P/1ErftXKGU76gZEkjXW+xm0A
daRQM+jwRLlplCA32Si++jj0LHGEL1wEFWT/Q3042vV2YjYT5mhi9EOvPVFouC7Z
3f5PyXaC0gBqdu5lq8heahnEiwkU5z0WcyUOHDdYNVY0uSrRd2dT/yQ2RLMYw9S9
B9ubILTmwZi2uASS43fuhRk4Hc4gXhlgV3WUtauXTRYSfDme+exmXMMjVxp/YpuH
6QXH/hEOVN3L4aZ6yaVA/EvEgERpJlXLfSKREOOmVzeJ6VCQ3M7aqk6UMGQpUWDB
bd929pvvgg5EsAGEAQI8QPs/zALL9fqLr7MEvjuDRMn4gBzf2ykngfN3s3+0VvuF
Bd93Mf7/GZxjdB0QkRWPpGu1ngQr4645ZTPsrWafFDm+Q51fS/bZhoZZrfBcxZz/
hgC9SKB7LfXHwf+QZkUQGEp31kjO/pmYnNVbFFM2rhCu7gzh//B2P1+ycF+nCIis
fPZIfUXbdDhQ8fVV6H6WwdLHAgxz0CDSDdtSJBMWdwzzA5RykRamcvDbWCOCGASq
BkrPsUgWJntJa+TNCQxpt0I85m/NxtpSOAua2/KHY9ZHJaQkl/58gaji0hoKauyU
ZRfQP/yVoZ9GZMlUzdiv3xj7xOImYP4naQOLLy7v/aOkQ824QXD6vesPy76hp9lT
xYacjZi9fbvmEFX6llHO
=TFaU
-----END PGP SIGNATURE-----

63
share/security/patches/SA-14:25/setlogin-91.patch Normal file
View file

@ -0,0 +1,63 @@
Index: sys/kern/kern_prot.c
===================================================================
--- sys/kern/kern_prot.c.orig
+++ sys/kern/kern_prot.c
@@ -2073,19 +2073,20 @@
int
sys_getlogin(struct thread *td, struct getlogin_args *uap)
{
- int error;
char login[MAXLOGNAME];
struct proc *p = td->td_proc;
+ size_t len;
if (uap->namelen > MAXLOGNAME)
uap->namelen = MAXLOGNAME;
PROC_LOCK(p);
SESS_LOCK(p->p_session);
- bcopy(p->p_session->s_login, login, uap->namelen);
+ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
SESS_UNLOCK(p->p_session);
PROC_UNLOCK(p);
- error = copyout(login, uap->namebuf, uap->namelen);
- return(error);
+ if (len > uap->namelen)
+ return (ERANGE);
+ return (copyout(login, uap->namebuf, len));
}
/*
@@ -2104,21 +2105,23 @@
int error;
char logintmp[MAXLOGNAME];
+ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
error = priv_check(td, PRIV_PROC_SETLOGIN);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
- if (error == ENAMETOOLONG)
- error = EINVAL;
- else if (!error) {
- PROC_LOCK(p);
- SESS_LOCK(p->p_session);
- (void) memcpy(p->p_session->s_login, logintmp,
- sizeof(logintmp));
- SESS_UNLOCK(p->p_session);
- PROC_UNLOCK(p);
+ if (error != 0) {
+ if (error == ENAMETOOLONG)
+ error = EINVAL;
+ return (error);
}
- return (error);
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+ strcpy(p->p_session->s_login, logintmp);
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+ return (0);
}
void

16
share/security/patches/SA-14:25/setlogin-91.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rnXBIP/jT00G4/lEHn8ZqvXylqkAcd
Cq6X0C1TxNBvB2T2bdss63NwjSu91BxQJoVu+LNoKBOd3SHgfbAFuLHThTRQ5s4G
OF7/woXnP5DyyTdXrPHPMMnc3bi1pLy9j3cTg+QJy5PQEM/lYqZB52E9hsgd62to
tbp6wBe6tSGbrlOZG5E4yT4yEqRLhdz8IAhfzCNraRFxMEFGbTVl5cPK62h1tHZZ
4mAKLXSiq1S2lFtbvNrwsnV/ohJlzOmyT0wy3cWJ4YIoufaImjnPsZzzGKvmDDib
X90WNrM65fGRPZq6OaDSv3BuxSO8rD4+v9g/l2YyfMZrLq+JS+C/rwij79HiRUOT
EnKyywoi0oC0/wHQ43Lx/RDV7dyvB+0VhDjBKH3YXmyDf+lWPbW8iqZQpIkilDD1
2mFhHSr0ub44o37WIRe4p4WjG0WOxOFL4iNmiw6d704Hkgq1N5/LHrv7pNZwAn29
vgHnKJtjq/MyH5QWoNLXopbrAjF+4YXOhUqhlWf95kdFRedOexv5GqHAi9Synnri
MVYdOGXD1bs0b1tyjtXS1+vPq1teDBEA8Fr20IrnvPbcNRmZEhHW7va/TbPQTF5R
p7tBycaki1V9WBBE5jE2oZRmpenegbPuzstYtcpm1pnm2dNL5MoeTefB3WNnmPWZ
cdHvpwCQQURRaUyYnlxw
=o8um
-----END PGP SIGNATURE-----

64
share/security/patches/SA-14:25/setlogin.patch Normal file
View file

@ -0,0 +1,64 @@
Index: sys/kern/kern_prot.c
===================================================================
--- sys/kern/kern_prot.c.orig
+++ sys/kern/kern_prot.c
@@ -2066,21 +2066,20 @@
int
sys_getlogin(struct thread *td, struct getlogin_args *uap)
{
- int error;
char login[MAXLOGNAME];
struct proc *p = td->td_proc;
+ size_t len;
if (uap->namelen > MAXLOGNAME)
uap->namelen = MAXLOGNAME;
PROC_LOCK(p);
SESS_LOCK(p->p_session);
- bcopy(p->p_session->s_login, login, uap->namelen);
+ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
SESS_UNLOCK(p->p_session);
PROC_UNLOCK(p);
- if (strlen(login) + 1 > uap->namelen)
+ if (len > uap->namelen)
return (ERANGE);
- error = copyout(login, uap->namebuf, uap->namelen);
- return (error);
+ return (copyout(login, uap->namebuf, len));
}
/*
@@ -2099,21 +2098,23 @@
int error;
char logintmp[MAXLOGNAME];
+ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
error = priv_check(td, PRIV_PROC_SETLOGIN);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
- if (error == ENAMETOOLONG)
- error = EINVAL;
- else if (!error) {
- PROC_LOCK(p);
- SESS_LOCK(p->p_session);
- (void) memcpy(p->p_session->s_login, logintmp,
- sizeof(logintmp));
- SESS_UNLOCK(p->p_session);
- PROC_UNLOCK(p);
+ if (error != 0) {
+ if (error == ENAMETOOLONG)
+ error = EINVAL;
+ return (error);
}
- return (error);
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+ strcpy(p->p_session->s_login, logintmp);
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+ return (0);
}
void

16
share/security/patches/SA-14:25/setlogin.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rn7IkQAOFzWal/xCl4moNG5SGXkJaR
3I1a6Dhmti0gHEEUJrvGVW7wpqiVAyy2Qz2m3k2mSz0yr54PVCwGSQnUYBNI5GdG
xC6Zv3e1PMDhKc5ZMq2f/3x/1yS+NzK9JsRcth3yTqA+LazcNZm2B4quGkfKfL/L
Zz43Z+d67ZW5CRkfYGQlp6c70sryCltmyQXTlLTWhVEWpSrkN5zDjnKvAdnXo1gK
Eb7sAimL8vbUyiphv7uAg7M4OrJ5LRWyLRSiWHVi1LTcVXS6OuWeIsxS3wFrqsZD
EyhNyq95pyy9lE5csoUbsbNjvkjT/+M4WdSk+38QitYcJhIltLENYTViW3SFZ70T
FThZdYwq1i5NyMeWWe5FF3IeU7obcXrtdNsNYgY1GDTfShwHYs5ViEKaVa9tw5qk
6Me1HcBs1JoyZklNUrFyXyf1fMp5mtDrRrsgOOfu4r5tqJFHqW8GBFWLlJsJVJzq
65jnNToSlKPGN4aO4iCMA2S1EZOOE0hi5b3/u+FlAg/QmZAQCTwXAQzrgumetklX
DPyffhEx0NacaRuRSjE77GkQ8GIR9XxJW+or3a5WaVoHfIwER1SZdJjbOZ8hzog3
I2TIqmvbzGx89Ref84kjio3S786cvPQvFbDeDJbaatn+V0SedG23+TM8txUtwUOt
dll5L1WYjpDnPqSj3R7V
=c72I
-----END PGP SIGNATURE-----

69
share/security/patches/SA-14:26/ftp-8.patch Normal file
View file

@ -0,0 +1,69 @@
Index: contrib/lukemftp/src/fetch.c
===================================================================
--- contrib/lukemftp/src/fetch.c.orig
+++ contrib/lukemftp/src/fetch.c
@@ -540,7 +540,7 @@
url_decode(decodedpath);
if (outfile)
- savefile = xstrdup(outfile);
+ savefile = outfile;
else {
cp = strrchr(decodedpath, '/'); /* find savefile */
if (cp != NULL)
@@ -566,8 +566,7 @@
rangestart = rangeend = entitylen = -1;
mtime = -1;
if (restartautofetch) {
- if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
- stat(savefile, &sb) == 0)
+ if (stat(savefile, &sb) == 0)
restart_point = sb.st_size;
}
if (urltype == FILE_URL_T) { /* file:// URLs */
@@ -1085,17 +1084,25 @@
} /* end of ftp:// or http:// specific setup */
/* Open the output file. */
- if (strcmp(savefile, "-") == 0) {
- fout = stdout;
- } else if (*savefile == '|') {
- oldintp = xsignal(SIGPIPE, SIG_IGN);
- fout = popen(savefile + 1, "w");
- if (fout == NULL) {
- warn("Can't run `%s'", savefile + 1);
- goto cleanup_fetch_url;
+
+ /*
+ * Only trust filenames with special meaning if they came from
+ * the command line
+ */
+ if (outfile == savefile) {
+ if (strcmp(savefile, "-") == 0) {
+ fout = stdout;
+ } else if (*savefile == '|') {
+ oldintp = xsignal(SIGPIPE, SIG_IGN);
+ fout = popen(savefile + 1, "w");
+ if (fout == NULL) {
+ warn("Can't execute `%s'", savefile + 1);
+ goto cleanup_fetch_url;
+ }
+ closefunc = pclose;
}
- closefunc = pclose;
- } else {
+ }
+ if (fout == NULL) {
if ((rangeend != -1 && rangeend <= restart_point) ||
(rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
/* already done */
@@ -1278,7 +1285,8 @@
(*closefunc)(fout);
if (res0)
freeaddrinfo(res0);
- FREEPTR(savefile);
+ if (savefile != outfile)
+ FREEPTR(savefile);
FREEPTR(user);
FREEPTR(pass);
FREEPTR(host);

16
share/security/patches/SA-14:26/ftp-8.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rnL8oP/RHdyCs8fERJMVysB5JvlZNi
ONzdlUforbspVVcftM5eATZFYxzSPxiGnkBV/K3iudglaHHOnhIB3B8vDi4RXQhI
aSTEPJ8WvjhhBdld3he+EsihDEmx0e64EG8RlViv8Uec35FqzmGH36fQIu7pVp0M
0NfPma0h2WjK4mifBunEyg4KEv8pmsWzzPUZUALTXO2Q4INLhSKu6yiAxiab2RXn
cE09UX6MPHT5lkISSBAN1YjJDjg2sL86d01Ar+1G5iH/Rf3IIoV30bPvfYO2c5Co
cZacymlTiakc/JWTxyZAd9jWJTfp6I2Htt8YSygsiRZnJ0WYMaoFb/tzel8U+jXf
UkZTeJtm08xeMS2jVax2j7ceJkWxsFcD0P5LDzIDw3Y+atdONJlknIjEyUq5+9uZ
IywGZGyQFwh3Xz0YVEdKI+81kEW5amRypdRFKijpLkwKwo9FIIQmtBNQZR7xMdgo
JcPvtnzy/3AARVVjv3KLFnj+VTAwnGVOuEb3164ISfhaeU+ny9CKeR/6XRstNaW2
c0oKO+LsX+6xXC3QIUqBo0grNsNk0SBQpBQCApwPWE0SP/fQ4IcCjx6HsSTnnOKJ
Z1ssejQUPex7Dz8I+wdl92qbUGckdqH/dIl+oI+fxMHRpsNPOEBN6i46zVideojt
NhBAdZGUtj80bGfm+2g1
=KPRE
-----END PGP SIGNATURE-----

69
share/security/patches/SA-14:26/ftp.patch Normal file
View file

@ -0,0 +1,69 @@
Index: contrib/tnftp/src/fetch.c
===================================================================
--- contrib/tnftp/src/fetch.c.orig
+++ contrib/tnftp/src/fetch.c
@@ -547,7 +547,7 @@
url_decode(decodedpath);
if (outfile)
- savefile = ftp_strdup(outfile);
+ savefile = outfile;
else {
cp = strrchr(decodedpath, '/'); /* find savefile */
if (cp != NULL)
@@ -571,8 +571,7 @@
rangestart = rangeend = entitylen = -1;
mtime = -1;
if (restartautofetch) {
- if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
- stat(savefile, &sb) == 0)
+ if (stat(savefile, &sb) == 0)
restart_point = sb.st_size;
}
if (urltype == FILE_URL_T) { /* file:// URLs */
@@ -1098,17 +1097,25 @@
} /* end of ftp:// or http:// specific setup */
/* Open the output file. */
- if (strcmp(savefile, "-") == 0) {
- fout = stdout;
- } else if (*savefile == '|') {
- oldintp = xsignal(SIGPIPE, SIG_IGN);
- fout = popen(savefile + 1, "w");
- if (fout == NULL) {
- warn("Can't execute `%s'", savefile + 1);
- goto cleanup_fetch_url;
+
+ /*
+ * Only trust filenames with special meaning if they came from
+ * the command line
+ */
+ if (outfile == savefile) {
+ if (strcmp(savefile, "-") == 0) {
+ fout = stdout;
+ } else if (*savefile == '|') {
+ oldintp = xsignal(SIGPIPE, SIG_IGN);
+ fout = popen(savefile + 1, "w");
+ if (fout == NULL) {
+ warn("Can't execute `%s'", savefile + 1);
+ goto cleanup_fetch_url;
+ }
+ closefunc = pclose;
}
- closefunc = pclose;
- } else {
+ }
+ if (fout == NULL) {
if ((rangeend != -1 && rangeend <= restart_point) ||
(rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
/* already done */
@@ -1318,7 +1325,8 @@
(*closefunc)(fout);
if (res0)
freeaddrinfo(res0);
- FREEPTR(savefile);
+ if (savefile != outfile)
+ FREEPTR(savefile);
FREEPTR(uuser);
if (pass != NULL)
memset(pass, 0, strlen(pass));

16
share/security/patches/SA-14:26/ftp.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJUWU50AAoJEO1n7NZdz2rn+wIP/R3bxE1qRqY/Vn9s4PmJguAZ
PYPrzwJx2S24wwnYTiIDzGyGRSjkOdUAejhjXR3PlA0a0gQgvX3WWPmUSHuMQwH8
BslEQp42oF3yHGnvROrDoPwPJOrHowXksBBhwr/fQaVHDXtnaEaFfsd9+MK6N8Mt
BSjwG5oOaGujePJTKWIraxHUvLsZFMl4io03YV9sNEM4WWZNMKsCntM5Za+pBcuN
mxMWgi7m2EbMumGgER8gj7L0lSPy1I7nuLj+IL5uh7AEYGHVPetMqyoZhA623IUS
xM3UE/7bvh4S8ZqCiVIu+I1+lUxhAaowY6eYghsGc2Cg9hSc78JXfWnPK4HCuCva
qmweOHd7zLf0GHicxfSFrmW7wvHIHCKbrNFfViGpZ8GyHKcsIcUx2TNP/LFabj35
nZZesG5WlUj3dOdZvQFpG8PZRtugZ7WZDkYZKw4MenS8tFyNvsJ2mb4wHsfjZJc+
rZNgVySyPdyX/xmwTjOzLbUIemQL0X5Shl2Eu4DHBP0XDdEZ796HTYzugOyzzfXI
bJcSR1H1X/4EZ/nFMqeOysGsjVecKQ1M4smGC1GIXWAO+9yNorgHAcgT8M/vHZZw
YhL/aEVFk7h4pbLmdL+cGP/o6bmDImQVfPfswCEmisi4Lqjq0RdAs++vlmTSQGl0
y15rJEjfnSDIjv3L57dm
=BGxP
-----END PGP SIGNATURE-----

20
share/xml/advisories.xml
View file

@ -7,6 +7,26 @@
<year>
<name>2014</name>
<month>
<name>11</name>
<day>
<name>04</name>
<notice>
<name>FreeBSD-SA-14:24.sshd</name>
</notice>
<notice>
<name>FreeBSD-SA-14:25.setlogin</name>
</notice>
<notice>
<name>FreeBSD-SA-14:26.ftp</name>
</notice>
</day>
</month>
<month>
<name>10</name>

12
share/xml/notices.xml
View file

@ -7,6 +7,18 @@
<year>
<name>2014</name>
<month>
<name>11</name>
<day>
<name>04</name>
<notice>
<name>FreeBSD-EN-14:12.zfs</name>
</notice>
</day>
</month>
<month>
<name>10</name>