os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add 4 latest advisories and 2 latest errata notices:

Browse source 
Fix bsnmpd remote denial of service vulnerability. [SA-14:01]

Fix ntpd distributed reflection Denial of Service vulnerability.
[SA-14:02]

Fix OpenSSL multiple vulnerabilities. [SA-14:03]

Fix BIND remote denial of service vulnerability. [SA-14:04]

Disable hardware RNGs by default. [EN-14:01]

Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
This commit is contained in:
Xin LI 2014-01-14 19:57:49 +00:00
parent 1d54309d42
commit dcb9c59cc2
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=43519
26 changed files with 1369 additions and 0 deletions

142
share/security/advisories/FreeBSD-EN-14:01.random.asc Normal file
View file

@ -0,0 +1,142 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:01.random Errata Notice
The FreeBSD Project
Topic: /dev/random should not make direct usage of hardware RNG
Category: core
Module: random
Announced: 2014-01-14
Affects: All versions of FreeBSD prior to 10.0-BETA1
Corrected: 2014-01-14 19:27:42 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:27:42 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The random(4) and urandom(4) devices return an endless supply of pseudo-random
bytes when read. Cryptographic algorithms often depend on the secrecy of these
pseudo-random values for security.
Yarrow is a secure pseudo-random number generator that combines entropy from
several entropy sources, mitigating a possible attack when someone could
predict the output when they are able to intercept one or more of the
entropy sources
II. Problem Description
When a hardware RNG exists, the FreeBSD random(4) and urandom(4) devices
would use their output directly.
III. Impact
Someone who has control over these hardware RNGs would be able to
predicate the output from random(4) and urandom(4) devices and may be able
to reveal unique keys that are used to encrypt data.
IV. Workaround
Disable the hardware RNGs by adding the following settings to /boot/loader.conf
and reboot the system:
hw.nehemiah_rng_enable=0
hw.ivy_rng_enable=0
V. Solution
Hardware RNGs would be disabled by default with this errata notice. They
can be re-enabled by setting the corresponding loader tunables to non-zero
value.
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.2 and 8.4]
# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch
# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch.asc
# gpg --verify random-9.2-8.4.patch.asc
[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch
# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch.asc
# gpg --verify random-9.1.patch.asc
[FreeBSD 8.3]
# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch
# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch.asc
# gpg --verify random-8.3.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r260644
releng/8.3/ r260647
releng/8.4/ r260647
stable/9/ r260644
releng/9.1/ r260647
releng/9.2/ r260647
- -------------------------------------------------------------------------
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:01.random.asc
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZSoAAoJEO1n7NZdz2rnZcgP/3ITOg59t4PmOg2vUrlMsf35
jVDZojqeu+XgDepYi37HJVB6pHSWusYoI59YP6O2N1n15W34Bp91Vcthofyr+jgx
7Guz+DXOqZy1yxGMSGkAl0hIrksszqp5kAADy4f1NMkFmvc2+8dXW1xmxYpDHrkG
d/alEeK0LuFgWXYnnrea3x/aWqEVVR+/YhCbk8FTD01Q4zqtfacIDfNL+gLf4Mhx
gNO1HSHmvS4GEF1gawtHzY4i6rGX9e4LgxKSEKSMUXfl1WUfnD5f62z9FB1UN1Js
EfVniP2ZN2ojAzoVWfiX5WDhpMA/KZpdTSLF+zOM1/Tr+7+N7WTYftL6nHy/HSj8
LmsIZnSE4F7F2hFlZu7PPwGzaIj/rYk5tRzw3nTIoIwVoLbvbevzCrl0rIocq2CK
Sm5WV2qvMuWB+ZK2ZuzCIxAj6/fuLbUIBHmHd2VFfxWXcSwoK/cW3pFPMDyHKtJJ
ccocT7kXeHHtnSqzvSN1j1XFZsWdojbYU7HSU8QmiilG3ESvgrzZAKh7V+hC/aF/
TE0Xhaip8X/sOt1NnjHGs8XzA3w7wUukssz2V7gRdarSS7c/+mU23pajLknQ4eiB
l3g8z/iX4jPuL8e0sn9GUCXVtTZIXWGl9hSilWeYk6tEihhlf/gVhY6ldCwSoZjr
U6gPf7bQn/NzE7wSUaQD
=viar
-----END PGP SIGNATURE-----

127
share/security/advisories/FreeBSD-EN-14:02.mmap.asc Normal file
View file

@ -0,0 +1,127 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:02.mmap Errata Notice
The FreeBSD Project
Topic: mmap should not coalesce stack entry
Category: core
Module: kernel
Announced: 2014-01-14
Credits: Konstantin Belousov
Affects: All supported versions of FreeBSD.
Corrected: 2013-12-30 08:57:54 UTC (stable/10, 10.0-PRERELEASE)
2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC4)
2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC3-p1)
2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC2-p1)
2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC1-p1)
2013-12-30 09:04:06 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:33:28 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The FreeBSD virtual memory system allows growing stack by mapping anonymous
memory region on top of a stack via mmap(2) system call with MAP_STACK bit
enabled in flags parameter.
II. Problem Description
The FreeBSD virtual memory system tries to coalesce adjacent memory regions
into one single object when possible. When growing the stack via mmap(2), it
will also try to coalesce the newly allocated memory into the existing object.
This would result in a failed assertion later in vm_map_stack(), which expects
that a new object is returned.
III. Impact
The system will panic when this happens.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch
# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch.asc
# gpg --verify mmap.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r260645
releng/8.3/ r260647
releng/8.4/ r260647
stable/9/ r260082
releng/9.1/ r260647
releng/9.2/ r260647
stable/10/ r260081
releng/10.0/ r260122
- -------------------------------------------------------------------------
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:02.mmap.asc
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZSuAAoJEO1n7NZdz2rnsPoQAIFs/URebviZjkMpYJBTahwe
Lr50uJSZIlW2nMvi+urLJAB15fJm/WHDdHqp6+WHh5jjCozb45CoIxDFnP5UB4q8
oclsQtKrt4R1dBDEa3RZQoJEm6DIk1YhfAfUtJMhDpROlvWCbBMzZWJbVQec5j3E
iyhY1FIl/BD4KWFw/hDhJX5j4HQWA/oZDagx5WZFMsFapq5rOXkC/fq3YHkTJBeW
7YEvAyTuZoj9zBVJ28cEYr7+ULtJMphBdTEzAhFZSEegsM+qyMafTf2c54MdtWR0
pSgoh9i+cSXj444e4eeqLp6LwapW5YGIrKpAmBUwTECBg5F5915i2h8ddCnmJJSM
4Wq7bXJU6PGzFXTDUsAw9HB2HcCMU2EvVNhtM3wp7dSzojLpvrgEoRZKwanu32r1
cuN/awHUGA1fzoUkxMygzT5B44IX+9gyT8lJ4N+PfKGnSO00WY41XkLheDmpgf2b
euDrzTSwbupEp70lT45CW6DUlqPXpw0Fn5vyNYBvoaAXineqyvwMkQ6YZwoNmfiU
xv2zjY40RkOR8EJKi8L1moBQsfh/i6rtVQhDIHmAU/1VaYBE4zVXS5BYAlUaUJgw
3rc5ho+F2BB+YV+HeaWszjW+NVhiIswpccw4Js7O2HQUA9M2KEq2+DXRtNdEa8/j
miG/hWqsuoWjAcrQKjKw
=rOvi
-----END PGP SIGNATURE-----

141
share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc Normal file
View file

@ -0,0 +1,141 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:01.bsnmpd Security Advisory
The FreeBSD Project
Topic: bsnmpd remote denial of service vulnerability
Category: contrib
Module: bsnmp
Announced: 2014-01-14
Credits: Dirk Meyer
Affects: All supported versions of FreeBSD.
Corrected: 2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE)
2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE)
2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1)
2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1)
2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1)
2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1)
2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1)
2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name: CVE-2014-1452
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP
(Simple Network Management Protocol).
II. Problem Description
The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it
has received a specifically crafted GETBULK PDU request.
III. Impact
This issue could be exploited to execute arbitrary code in the context of
the service daemon, or crash the service daemon, causing a denial-of-service.
IV. Workaround
No workaround is available, but systems not running bsnmpd(8) are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc
# gpg --verify bsnmpd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart the bsnmpd(8) daemons, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r260642
releng/8.3/ r260647
releng/8.4/ r260647
stable/9/ r260642
releng/9.1/ r260647
releng/9.2/ r260647
stable/10/ r260638
releng/10.0/ r260640
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<other info on vulnerability>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1452>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:01.bsnmpd.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZS6AAoJEO1n7NZdz2rnDXwP/1iQmuO8VLjZoD3LMpiHyA/i
YgwjX5x9XT2MyVrRmu+nHaCG3ZDC4/IV72/jCzV8udQJ1RF6Aswhuk6mXI7oatol
OYF27JnRVAJQjAvXw3zMsp4hLv631TvgO1Az1vK7f1pX8bDC/eBTaiCH7I6QBYGS
E4Fsi2MwOWIRyglTjlFSL8Wb2yQmzkKCx/EVFF/6mRC7l3a9pkHf5VKQtut1KYFu
5QF5cG5anur4daP4w45yWsl0qkRDO5mJdpD+S3NtzydluWzz/Dk/0laS5wB+LLzV
cXC5/GR/acQhO+MvDIDT4Emra2OXzsheEahOJhLKHsBF8pHBi5IldkVwQmme76/g
aR1gLSFJ5LYcpAgBQgeWKXXCAol5zNRCR8v8IBnV2+rYRSrIdl5lstgVmla++xJD
+bC7PbTqcLlyFGrMEvd/mAvX1PVa9BVYtaxXA5QZq5EHP7nsKotcAk7/kouVfmao
Gdxlt7YjRic6D/WqF8RFiQv9ezpbEnMQ1BwOCSUEJasXlyxJXYA6vva7tyM3OmyD
c2I9JLeV8aCUgIf3s+HoGcZhz01kmu9REQ/OEDtiN8kX94WOzpectf8V5g+JnxRd
HoOfcvrChohL4nla+3RvG1LJo5KD5N09yHnV2y3LjxTdKu9Hw4ATzFwmPmEUqUfG
eF12aO4PVp42wYWNHtGe
=xZTc
-----END PGP SIGNATURE-----

167
share/security/advisories/FreeBSD-SA-14:02.ntpd.asc Normal file
View file

@ -0,0 +1,167 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:02.ntpd Security Advisory
The FreeBSD Project
Topic: ntpd distributed reflection Denial of Service vulnerability
Category: contrib
Module: ntpd
Announced: 2014-01-14
Affects: All supported versions of FreeBSD.
Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1)
2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name: CVE-2013-5211
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
The ntpd(8) daemon supports a query 'monlist' which provides a history of
recent NTP clients without any authentication.
III. Impact
An attacker can send 'monlist' queries and use that as an amplification of
a reflection attack.
IV. Workaround
The administrator can implement one of the following possible workarounds
to mitigate the attack:
1) Restrict access to ntpd(8). This can be done by adding the following
lines to /etc/ntp.conf:
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
And restart the ntpd(8) daemon. Time service is not affected and the
administrator can still perform queries from local host.
2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to
restrict which systems can access ntpd(8).
3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or
newer)
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc
# gpg --verify ntpd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemon, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Note that the patch would disable monitoring features of ntpd(8) daemon
by default. If the feature is desirable, the administrator can choose
to enable it and firewall access to ntpd(8) service.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r260641
releng/8.3/ r260647
releng/8.4/ r260647
stable/9/ r260641
releng/9.1/ r260647
releng/9.2/ r260647
stable/10/ r260639
releng/10.0/ r260641
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks>
<URL:https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks>
<URL:http://bugs.ntp.org/show_bug.cgi?id=1532>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:02.ntpd.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZTLAAoJEO1n7NZdz2rnn7YP/2DcBtR4LAlMLqa9t8WsFVrD
zrfmitYv5xZ6TUGURfQ3mhF4Xv+vSaYt5AWphBjo/Um+dZLTrX3NXJyjLWenCFZ1
vUgoeT4czdh/sWXBO+BdahswttJ6uPO0ZPeW/TpczHMrfG++r6FZtcavYj1gWUPX
rQUEh3IRT5MzzcdiIdQFOpi6OeOP7hem5pNOqYwjyy4L4wrgIUetaMpvqXgi2Wa+
R2vqQNpFAPxKkMkbohLEPRmEK9dXGXejQ7EHFK5jzxInyg32WGFPkJ46bLw3bEsB
sIoh+sxQ3J9mxyaykhX6T7U7PUkzBaNSs62bQE5H8695E30obnZqtfon6qBP5UCT
/kF1+42RIQIPJUFS22NXaUJVOkpd2zyVhwLxgCHg96PHwd1VAC0bnuB4CQt8lN2C
vcOsFcq6CUpMuteURBeiETb0OGWTTT3gyX4T7N4kRKptvmEVUKxZPnmfJCwNHM2I
TzM2HbHaBv9CMIy5X4iDQxLH3w3tSh+IHU6m9cN5rd6JDTa5DQEuRkhaeVbCGHRt
EcSHvUCr+llacITA2rkm1/KPcP97nGgbbM2QbbUVZ/vkdEcImPfrBzrBbaoBzf5p
FTplhJ/4bfF0/Kgt5GTNgQXqtIuEQOs+ljNu2HW+cAfX2Hizlo7jjfMxS0y7/fY2
hBdg8zuXs/rBI2LKUcP6
=7q6W
-----END PGP SIGNATURE-----

135
share/security/advisories/FreeBSD-SA-14:03.openssl.asc Normal file
View file

@ -0,0 +1,135 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:03.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2014-01-14
Affects: FreeBSD 10.0 prior to 10.0-RC5
Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
pointer exception. [CVE-2013-4353]
A flaw in DTLS handling can cause an application using OpenSSL and DTLS to
crash. [CVE-2013-6450]
A flaw in OpenSSL can cause an application using OpenSSL to crash when using
TLS version 1.2. [CVE-2013-6449]
III. Impact
An attacker can send a specifically crafted packet that could cause an OpenSSL
enabled application to crash, resulting in a Denial of Service.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc
# gpg --verify openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r260404
releng/10.0/ r260405
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZTSAAoJEO1n7NZdz2rnHboP/Ryb4a9ENJ7J/S00E8V1YToh
hihrCKssMl6GVltS4oeyAmAW+mDx3DZy+RmAEhgjyAX4gpAxcY/g665j5BMtWAtV
LLJTI9D6ynO7+2y8CeD3W7tk28hNtBPWSV+cGi7USQMKijs6euPocgTU7TnAuF/e
/jcDTn8Sx/Sq0d3ecTWFBOcPHiq5sm/3pW5B1RVxY9DL+zhQ7T/Rb6pgfp6trssM
p8dklzoBReHqs1iPUC4RyhWXOoQoq5VX500b9SHh2X/7eBSq1ab76VF3x+9VOpjj
VRxL9sdkmp+iaVfMHxms3vCLSDlmpgYpq5SftL3jgkequPCpU6NFQGFQKw2crdL0
NY7dDPjMuvDzzdG7BZtt1mjpRMMMGmZ7fK0myP0+a3YbXEEZeAGT6k07er/xkGCr
uTWyPNM4g3Ulwkfnz60TbFrdMdiCJbRVC9xxOkGEALe882v0WWGPhx9IVbT3dGVw
KGFOXM+IqF55JuaHQ0u/B4wrjBfgBSgOt90TDyMJ5rPjiKG9wyUWnn7QziAVJQ0M
0H/82/2cxNX5+efWNi7xhss2fs1zcU3kiyr135mqamgOQyPG8jFOF7RhdpeGfzVk
ollQG+y1uwVTAWhmVb4MSaAuJw8ixVuap73Rbyug+MuKRLgR2jSxHFiBeiHLA1eG
1+DWJPX0+/zoNakLiw+r
=YOCY
-----END PGP SIGNATURE-----

140
share/security/advisories/FreeBSD-SA-14:04.bind.asc Normal file
View file

@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:04.bind Security Advisory
The FreeBSD Project
Topic: BIND remote denial of service vulnerability
Category: contrib
Module: bind
Announced: 2014-01-14
Credits: ISC
Affects: FreeBSD 8.x and FreeBSD 9.x
Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name: CVE-2014-0591
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
Because of a defect in handling queries for NSEC3-signed zones, BIND can
crash with an "INSIST" failure in name.c when processing queries possessing
certain properties. This issue only affects authoritative nameservers with
at least one NSEC3-signed zone. Recursive-only servers are not at risk.
III. Impact
An attacker who can send a specially crafted query could cause named(8)
to crash, resulting in a denial of service.
IV. Workaround
No workaround is available, but systems not running authoritative DNS service
with at least one NSEC3-signed zone using named(8) are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
# gpg --verify bind-release.patch.asc
[FreeBSD 9.2-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
# gpg --verify bind-stable-9.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r260646
releng/8.3/ r260647
releng/8.4/ r260647
stable/9/ r260646
releng/9.1/ r260647
releng/9.2/ r260647
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01078>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
UWWemqWuz3lAZuORQ9KX
=OQzQ
-----END PGP SIGNATURE-----

27
share/security/patches/EN-14:01/random-8.3.patch Normal file
View file

@ -0,0 +1,27 @@
Index: sys/dev/random/probe.c
===================================================================
--- sys/dev/random/probe.c (revision 260523)
+++ sys/dev/random/probe.c (working copy)
@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/random.h>
#include <sys/selinfo.h>
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat
/* Then go looking for hardware */
#if defined(__i386__) && !defined(PC98)
if (via_feature_rng & VIA_HAS_RNG) {
- *systat = random_nehemiah;
+ int enable;
+
+ enable = 0;
+ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+ if (enable)
+ *systat = random_nehemiah;
}
#endif
}

16
share/security/patches/EN-14:01/random-8.3.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnCokP/16qEQ9ziJdRpMQ8YMbr19AC
GcUpad5oEXoUu7qvOykIFj1ATcXE71jE48ypyeVwpme/szQMUvWAjPp9P+lYb78l
ByVukT7Ajs7fcO8uq5f4T0MPN/zG00qNsSpGtlcM68mm4aYLnlfvYjv8Da6GPALy
dd5FE1YxZDnTT5aBpjsGVoj864I6PwehXhbH3FmehOK/vnpUYrgHKTzY9zaUZ5+t
AGw/fzRsOHislwC8rw0AyC6Ky7Du2tQKjur73PaUXz329EZzFoK8J2eHcRExVWvJ
A2zgwI7Y6gZUyJFhX8qcQs4JWxxPBoBQp+aKLkJXhW9U/GsEAVD3KaFAwZfjhOVm
l/fg5XUMPpifGSsQKnoOFGjO0597JBOD5oznwQIg+b780JpsZ4Hmk7XJhXq9+s2G
qBKIogXJG6mKBnx3qt0nlkd3UjS7QSnPMSmplCOoEUORwCMRfLFM0qb+P1d8ycGL
mP7f3ivEg/rUQjhBRbCQyi/+CF6qhVHm1AdA081RSEVlPuDIRAywvcfjKnnOuhbG
yf5AVIpwHwkoLn7qugECH4muTIPiHPFTgWK3qhI3oZfZDOCFZwi9Ognb6eg8qMtP
aEPmTMujVERBc3FXEnjB5VZZSzOwJLm/NI0jW5y3XY/VQhJSaE1hM9qYywqgviXz
g36p0LxezweK/mmxttVA
=jEbX
-----END PGP SIGNATURE-----

27
share/security/patches/EN-14:01/random-9.1.patch Normal file
View file

@ -0,0 +1,27 @@
Index: sys/dev/random/probe.c
===================================================================
--- sys/dev/random/probe.c (revision 260523)
+++ sys/dev/random/probe.c (working copy)
@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/random.h>
#include <sys/selinfo.h>
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat
/* Then go looking for hardware */
#if defined(__amd64__) || (defined(__i386__) && !defined(PC98))
if (via_feature_rng & VIA_HAS_RNG) {
- *systat = random_nehemiah;
+ int enable;
+
+ enable = 0;
+ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+ if (enable)
+ *systat = random_nehemiah;
}
#endif
}

16
share/security/patches/EN-14:01/random-9.1.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnhsAQALF5Gk7QtodIM06xOd0IAcUk
6y8N6s3gHxYhAyv5Af+y2yFTikfYu/yMYxIDbtgszcS+aB2y9b2+aVKwcNUkpiEr
mle+RAVGXPBQ9V7ieFLvMn7HC4PW1uPkFsiqOzu3KXACr2onlq1Jbbw4z6FeAyfa
2PvMTOFZrVNrHmkrjTKBwj+/jYcdHejb7OA0ckbiVgIXBRxftzVjKkVUTw+2ewZy
l73s1/wPRYlqESDOGVNpO/mm1W0zbcllfgxcbBPk3ukSuatNQVIVXEZRfb7Ti2FK
2CXTKbmaqrKPPxzpEkgbPXeOQ7kJ4th93gCbJV1i7uxyHvUo1Kodph0vKBKEiZmt
l+rwmqXD+Zm5JvoBDVXUsYi3DO3+Wi5rLMkzZFFzwsYJbHed+8TD4fLWTti6kLEs
CBQnUceBy4BKUTBj3STEjBBvFdd6Ri6Vdo0kN6Bjr/DuXqzLNyI/aLu6LmNgC3Fp
c3/P4Xp1fTYFVEpjKzc6kG2fUDZVwN+XEDFy6BuD/Hgj2MtmJ4JY4iKWu/P/MlBq
qI9K40rcMx4uMi9ffOC3v6uUHvqmK00FANz8GDIrpqeZEyMThd7yV8gmnBPRp47k
H1IbOqGB1ovaZS92wgiPKxU6SMjP9z7klGaWN+dr7NkGB3/54MwoqyPOKRpaVMcI
dYR/h4NDtwDgJqsuq+rH
=FCsi
-----END PGP SIGNATURE-----

22
share/security/patches/EN-14:01/random-9.2-8.4.patch Normal file
View file

@ -0,0 +1,22 @@
Index: sys/dev/random/probe.c
===================================================================
--- sys/dev/random/probe.c (revision 259661)
+++ sys/dev/random/probe.c (working copy)
@@ -73,7 +73,7 @@
if (via_feature_rng & VIA_HAS_RNG) {
int enable;
- enable = 1;
+ enable = 0;
TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
if (enable)
*systat = random_nehemiah;
@@ -83,7 +83,7 @@
if (cpu_feature2 & CPUID2_RDRAND) {
int enable;
- enable = 1;
+ enable = 0;
TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable);
if (enable)
*systat = random_ivy;

16
share/security/patches/EN-14:01/random-9.2-8.4.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnODkQANga1UgaW4k2SA8SKLmGtRsO
DWo/fqJ12DneoN0cxxgqgUFzB90Cdj1Qrece2Oj6lrD/A8wNfHzB78CE/yCqlEwg
YCK5Ca8ajUS6MgBT9lwRslF6HFp0I11QAe1jb16gC7NpZFG5pCTkLTdj5wWC2qQX
rHgyVDNj6cveRiBhHt8NsPOLqRTIkxTBjZ6Tzn235erM/0ZCj8M57TYCWpTg9PHY
YtM71DDjpN6oaZG49ggAK7Gp+6Ny7jKexG/a81PxR0A+KsqPPqd5v8eRfq1VHhKe
l7MS+R8cTCBeGg195BY65trQdnA1R92tjwJ/ISFrfDMDoOmmm8TazGhP9Wh4JuM4
bp6ZenKEwyZat0qcJy/omnfwcf4yHf9O/kAtyqzMQikLWG/ucMVHaJBdsoU5uSI4
enfVxyOI3ASpZUeMwV97k/hLuJiMcPw175hRtOftsLWYK85mb8Ps9gTnuPEWYn6E
7zEpuFoXathSX4EgcOFgDsDfAvf7EhzSey1Pi6uPe9Lh2uHrptZ+Zzh6OpTOxejS
jcy9KlYRup20nxT3ofunzJsSe4D1rofa9eyTpTp0uxekQcM8RhfGH5DiBeNizPAs
Euqups2pp0vN+ywD3/LGgSiYtRQbqOiavJg/uW+dwQT6kPNqcKsuN+qfu4/qGwu3
zcYx/rLhkJj8s+zip9GU
=kf47
-----END PGP SIGNATURE-----

20
share/security/patches/EN-14:02/mmap.patch Normal file
View file

@ -0,0 +1,20 @@
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 259950)
+++ sys/vm/vm_map.c (revision 259951)
@@ -1207,6 +1207,7 @@ charged:
}
else if ((prev_entry != &map->header) &&
(prev_entry->eflags == protoeflags) &&
+ (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
(prev_entry->end == start) &&
(prev_entry->wired_count == 0) &&
(prev_entry->cred == cred ||
@@ -3339,7 +3340,6 @@ vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm
* NOTE: We explicitly allow bi-directional stacks.
*/
orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
- cow &= ~orient;
KASSERT(orient != 0, ("No stack grow direction"));
if (addrbos < vm_map_min(map) ||

16
share/security/patches/EN-14:02/mmap.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnT+4P/ilcGYfPLHfrBH3DNbBJMS8i
jsYkV0d2PbgWdaxIHJMbAwkAJBkcPIb3aQSL3HiVYehSH9AsMbJgHZPIDpAkJ7gl
oY3f+WapTRx+jun89a+EbM5tUpZhagX8rgGUunVpJ3emkzC81peHi9OyeSDCNs1M
1iPeRWYrL4MaAHnt8rFUqGiBzxEk2AEmvvMsfvhbXmS6AmMp8gL7jiuBXDlDx8+6
eWi86kNcMyWtSb2KRNUQ/2Kf84Wl5H+qgdhhzFx5OkI9jH3XFB2aY2SPiDfUPAC8
bdpAR8pKwyhm+AyQdv/bdqgVy3gWW6J55Q1hP7pqze2HONZFE9VekC8xVOr5sBxG
2pvMRiIUdoOOEIXgqcYa3d8y5fApVkRa/9vT27JY5QZu0ypSsu7LuSkS/IADy0o5
B9Sknl0BZFuGdslm66zOJzEpeCHL9VHPrW96fs3ca8/01/WE7iXDcuKC6cfc8Pjd
5ZyazZrygwkzjmT4tqB9U9a9zmVqCKkfejg2pJLXBL7ONUnONXEKxkr1jheTyU+1
PSY4qkY58bi5P0Ef+mDFjmfMCfT0UVdIePFg3R17ALztNahMOUGW7BxIPgTWNFjk
4+gH9w5RKdscW2UgSC/HPWJHxyBIJfl6nEPmWqnrK+J+behwrdSBZBl2mmgPaDAn
5siNUmFL9GU4xr/b9xeG
=sEcV
-----END PGP SIGNATURE-----

16
share/security/patches/SA-14:01/bsnmpd.patch Normal file
View file

@ -0,0 +1,16 @@
Index: contrib/bsnmp/lib/snmpagent.c
===================================================================
--- contrib/bsnmp/lib/snmpagent.c (revision 259661)
+++ contrib/bsnmp/lib/snmpagent.c (working copy)
@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struct asn_buf
for (cnt = 0; cnt < pdu->error_index; cnt++) {
eomib = 1;
for (i = non_rep; i < pdu->nbindings; i++) {
+
+ if (resp->nbindings == SNMP_MAX_BINDINGS)
+ /* PDU is full */
+ goto done;
+
if (cnt == 0)
result = do_getnext(&context, &pdu->bindings[i],
&resp->bindings[resp->nbindings], pdu);

16
share/security/patches/SA-14:01/bsnmpd.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnc+4P/2gFudDRO3Cv0HPnOS7OTHY6
nzGWpoR98r5POLPPP5/iAISn7ADi/W81Y895/XRzYBxzuaaZNhXbu0nB3a+T0VDh
q5LGtSzO9fZv8t+y87CLIz08zdS7Q+OPZ2Szge/yP184Oqqc7xTmnkm6VyTiRZE1
W2chmOgv96RM4qqHXRQYinaD57Z8Kl1AlcrP+ZBpH3zP998LHhHP2LN+qQz4jnl9
7M57krQ733HPBZMQ2JkHFlzyjVGcK/dMjm8ZFiKvWTeDQk2ommXdHHDcYFar2EfG
T4rFeJmNQJHwcA1k4mqi3rIzvxCoihjoPT9NuZ+gdwtM7WniuEpsbKz+I2iGSBSS
ADUX6vaSkD22Y2L88txzFcdkqKhDgGPYfg/Uq98zQsio0ceCqIpDU1XNtPs6Kts1
1CGPTl0ZOQm2/kjmJKHrHhi4otNEydifassxyQLLQTOZ3tH4ggd/NQCAu7/6msbO
CqpElrmOFPwwffPtAGktL0VsCMyGxRztizzU7+G36zcOeES+mNR2qTDycUYE4/uD
czx+4ZnYQ5kA6qmuRVuM/1m+p2gwbS+CsuRaVmrMJXnowAV1EI5u+n49rdiuxNth
1gaTpDN/7pwnkwEyB/6yjGdvoIMiuTkJPVPvekXHqeLH9S9VT79HQYZfGEqA+w5Y
T/6rSxVCuDXgzmLLbO4W
=ibna
-----END PGP SIGNATURE-----

13
share/security/patches/SA-14:02/ntpd.patch Normal file
View file

@ -0,0 +1,13 @@
Index: contrib/ntp/ntpd/ntp_config.c
===================================================================
--- contrib/ntp/ntpd/ntp_config.c (revision 259828)
+++ contrib/ntp/ntpd/ntp_config.c (working copy)
@@ -597,6 +597,8 @@ getconfig(
#endif /* not SYS_WINNT */
}
+ proto_config(PROTO_MONITOR, 0, 0., NULL);
+
for (;;) {
if (tok == CONFIG_END)
break;

16
share/security/patches/SA-14:02/ntpd.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnJTAP/RBwrD85MJhDpOi5yXWEC44L
h9aFMeUe56fFSk6IRYycNZTqSwnZYnTQg0qcrpGTy4Qt1C0n+oVzGob24XzkN5P0
IZwR5msPNbNF4iJgfi16QFLKK1M8UdWrE2hiyjQbWLcCJQPAFl0A8nSKPHdbDGMz
06ZuLiCuasXs1+AiyIp5D6i8Z3JZthla7Gn5LSBL7MyxRIemIaqKv61CVxHeo/l5
TypTDpkgq/63tBf3n8q6RPxhR7v07m10DI1PPKI9QE156YhvysO6/GpuvF5ZSWtR
AX57yDd9HBSYy6wIX7jZSWv0J3X3dAZj8jZHnIFAn41khxV7DlZ1kYGBNFq+hbM+
JR/zqp6497GpuxKt9Ubbqyn8vHnCop25psH528tPNLN5vXluvOonjM0tBAdWLnpP
kYybztIA4EMJg/8sKRsrMFfxzY58LyHuQRUqAgR63czo2HDbcuXtAIiMqOrwrfLW
nP01z8PFco4UN7VXpw/rVZ5XLtnONjJ1i2xR880Z8LOL6bvlc8NwwS+zTCPP/eDv
QZh3IGTz26oG49cDNsvceS85tbX3BiAJLOg8jEkWOw7jdPBOg7CCQddVO5ccCunM
QDpl5Ontt8bDqRm7z21MC/07EnQeiaIkQ+C37IVr2ISHMHzrWK3u6C2KNPy1Rgx1
qBzc4Pl36Yqk1Dp4cSOA
=wiMs
-----END PGP SIGNATURE-----

91
share/security/patches/SA-14:03/openssl.patch Normal file
View file

@ -0,0 +1,91 @@
Index: crypto/openssl/ssl/d1_both.c
===================================================================
--- crypto/openssl/ssl/d1_both.c (revision 260378)
+++ crypto/openssl/ssl/d1_both.c (working copy)
@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int
static void
dtls1_hm_fragment_free(hm_fragment *frag)
{
+
+ if (frag->msg_header.is_ccs)
+ {
+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
+ }
if (frag->fragment) OPENSSL_free(frag->fragment);
if (frag->reassembly) OPENSSL_free(frag->reassembly);
OPENSSL_free(frag);
Index: crypto/openssl/ssl/s3_both.c
===================================================================
--- crypto/openssl/ssl/s3_both.c (revision 260378)
+++ crypto/openssl/ssl/s3_both.c (working copy)
@@ -208,7 +208,11 @@ static void ssl3_take_mac(SSL *s)
{
const char *sender;
int slen;
-
+ /* If no new cipher setup return immediately: other functions will
+ * set the appropriate error.
+ */
+ if (s->s3->tmp.new_cipher == NULL)
+ return;
if (s->state & SSL_ST_CONNECT)
{
sender=s->method->ssl3_enc->server_finished_label;
Index: crypto/openssl/ssl/s3_lib.c
===================================================================
--- crypto/openssl/ssl/s3_lib.c (revision 260378)
+++ crypto/openssl/ssl/s3_lib.c (working copy)
@@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT.
long ssl_get_algorithm2(SSL *s)
{
long alg2 = s->s3->tmp.new_cipher->algorithm2;
- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
+ if (s->method->version == TLS1_2_VERSION &&
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
return alg2;
Index: crypto/openssl/ssl/ssl_locl.h
===================================================================
--- crypto/openssl/ssl/ssl_locl.h (revision 260378)
+++ crypto/openssl/ssl/ssl_locl.h (working copy)
@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
extern SSL3_ENC_METHOD SSLv3_enc_data;
extern SSL3_ENC_METHOD DTLSv1_enc_data;
+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
+
#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
s_get_meth) \
const SSL_METHOD *func_name(void) \
Index: crypto/openssl/ssl/t1_enc.c
===================================================================
--- crypto/openssl/ssl/t1_enc.c (revision 260378)
+++ crypto/openssl/ssl/t1_enc.c (working copy)
@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
else
s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
- if (s->enc_write_ctx != NULL)
+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
reuse_dd = 1;
- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
goto err;
+ dd= s->enc_write_ctx;
+ if (SSL_IS_DTLS(s))
+ {
+ mac_ctx = EVP_MD_CTX_create();
+ if (!mac_ctx)
+ goto err;
+ s->write_hash = mac_ctx;
+ }
else
- /* make sure it's intialized in case we exit later with an error */
- EVP_CIPHER_CTX_init(s->enc_write_ctx);
- dd= s->enc_write_ctx;
- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
#ifndef OPENSSL_NO_COMP
if (s->compress != NULL)
{

16
share/security/patches/SA-14:03/openssl.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUqAAoJEO1n7NZdz2rnQCMP/2eEn3oK3bvXpEIJ4BQUo5ss
0sDeC4ttld9VvKtGI1Qkqf0wz/lHeEsz3V1ocg6rY44A3qLFQcFrisleh0D6AmyY
yySV1lwyPTJOJgQOlDeMGule7SveTCZclh05zTHM+482cNlnVIgUF+2qZ4HfRd7B
bYWTBLWDmzs86bk8TE8wJrZZItVO6QK8V2jwCAuvEp4clgi/ScEHfVSOuiEjr2iq
3BupUbdX/gi5wamPJphEU9CwE+gDnP86Jj5mlhB4RUhC2UEASKh6sxSYJDBbJ1lA
+zcyAn9sIkCpbczCyxNfROKzBN1QPshpma12wBMxIhF958CMO783PfFKboWAwi/j
JnxzhmZam9qnkds8rY2MgcsiGl2iErXP3HnrtDk+7YTr3VlSWJucudVBX89NzmhA
y01SQbX5NlRNr5vzDgNsgEczBCSUWdfYL+Kf/X9uiu4mkQOhicZhRieAcwsinP83
WxtY59ulMzSQjtmby2MTd/1RdBlu7wbAbJ9eUKZwQzGA/LKuvGK8XaQz8WZ3uHPU
y9zLG77lpDu9yF+ui1wGl1v5uJEI55MGP4WkgcbiPZGy3g73C5y+92mne5Szq/cM
5Kf977/11QZamQkUayL1X0cNLY5ohpcuvY/UYwe3BtapaX+XpwG06tpAKzOUiuJR
Fcpl6iI961auHMtyyNb6
=KeeT
-----END PGP SIGNATURE-----

54
share/security/patches/SA-14:04/bind-release.patch Normal file
View file

@ -0,0 +1,54 @@
Index: contrib/bind9/bin/named/query.c
===================================================================
--- contrib/bind9/bin/named/query.c (revision 260523)
+++ contrib/bind9/bin/named/query.c (working copy)
@@ -3622,8 +3622,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
dns_fixedname_t fixed;
dns_hash_t hash;
dns_name_t name;
- int order;
- unsigned int count;
+ unsigned int skip = 0, labels;
dns_rdata_nsec3_t nsec3;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t optout;
@@ -3636,6 +3635,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
dns_name_init(&name, NULL);
dns_name_clone(qname, &name);
+ labels = dns_name_countlabels(&name);
/*
* Map unknown algorithm to known value.
@@ -3667,13 +3667,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
dns_rdata_reset(&rdata);
optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
if (found != NULL && optout &&
- dns_name_fullcompare(&name, dns_db_origin(db), &order,
- &count) == dns_namereln_subdomain) {
+ dns_name_issubdomain(&name, dns_db_origin(db)))
+ {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
- count = dns_name_countlabels(&name) - 1;
- dns_name_getlabelsequence(&name, 1, count, &name);
+ skip++;
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ &name);
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
"looking for closest provable encloser");
@@ -3691,7 +3692,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
"expected covering NSEC3, got an exact match");
- if (found != NULL)
+ if (found == qname) {
+ if (skip != 0U)
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ found);
+ } else if (found != NULL)
dns_name_copy(&name, found, NULL);
return;
}

16
share/security/patches/SA-14:04/bind-release.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUqAAoJEO1n7NZdz2rnQC8QAM7tQ7OJji9KEwp/+Crv/9Jf
+8PGWOrLa7rz8i4wD7ujUwYGCzOzOUAMuSOO3B0SdCb4YVx9we2+5uLCvxbMAS1/
tdw5WOhi0nWHPD+4uXhQmczCz+nXBG8LAdMM7eIMLgyfYlFdNvARpuRWeNhicKP2
vaP1Pxq0TejNYzxekzWGUUiyfTdhM7SWza95mz27WO/eHhwKKPqjxb+hoitA7s5k
2fS17NvLyYivD2BBVGj61IKpSAVCwtK4Vdo73LKmGe9HDSTCKRUiz52+UIMMprpK
76cbuUFatyOPJsrDn/YuisqH8M1/HpRZp9MyzR+b2rIf+/f3OuAfLrfzzDt0akA+
LvHc0SRDDuBr1cDCjv4eMlJXJvFnlBdc/z+PB/Un252kHB5mLFHev9n2vU0HohqS
Bj5C6svpMoZo3uTnI8dLonByl6n/7144T1uuRTlQ7pS2wrp5LrEd/cySe444Ek+A
Elxy5KI8ydb6+V0UmADFM3gK9ZK+AqoQqFtfCgYyrBhsOSdissJwVKTeLXlHJRZM
k6vo9/BLkAk0eo98/KkdHW2IrGaNVCNOucXRntTjNmLF02Ge5Ev2JFcc4XiMtPkM
HNxfS9t1qmYifjz7++0pFFwYKHCJdaZM+HJl3RxHkYiy0kHpHCIAem4STauDznDj
HL6Dl570twSTB9lvRGOW
=yZ2q
-----END PGP SIGNATURE-----

54
share/security/patches/SA-14:04/bind-stable-9.patch Normal file
View file

@ -0,0 +1,54 @@
Index: contrib/bind9/bin/named/query.c
===================================================================
--- contrib/bind9/bin/named/query.c (revision 260523)
+++ contrib/bind9/bin/named/query.c (working copy)
@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
dns_fixedname_t fixed;
dns_hash_t hash;
dns_name_t name;
- int order;
- unsigned int count;
+ unsigned int skip = 0, labels;
dns_rdata_nsec3_t nsec3;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t optout;
@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
dns_name_init(&name, NULL);
dns_name_clone(qname, &name);
+ labels = dns_name_countlabels(&name);
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client);
@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
dns_rdata_reset(&rdata);
optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
if (found != NULL && optout &&
- dns_name_fullcompare(&name, dns_db_origin(db), &order,
- &count) == dns_namereln_subdomain) {
+ dns_name_issubdomain(&name, dns_db_origin(db)))
+ {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
- count = dns_name_countlabels(&name) - 1;
- dns_name_getlabelsequence(&name, 1, count, &name);
+ skip++;
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ &name);
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
"looking for closest provable encloser");
@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
"expected covering NSEC3, got an exact match");
- if (found != NULL)
+ if (found == qname) {
+ if (skip != 0U)
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ found);
+ } else if (found != NULL)
dns_name_copy(&name, found, NULL);
return;
}

16
share/security/patches/SA-14:04/bind-stable-9.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJS1ZUqAAoJEO1n7NZdz2rntyQP/0Eg/BZkY4oj0uyldYOX1mYR
5H+vBeJ+uuXA122WFXRkEhazJzfKNjitDOiVSOfomaiFqU6EamvAEK72gUCtEHf3
WncovpXKvtTZGO7SpPuR//p6W8OYBCdJaIc1fBZnbOcVWRGNdMEQ7AZXCs0/dT13
RtfXHap0EfS1AEvqNitI9ad4O2N9nWkk05eQAEn4/dDcwHZXaaVkVgJZHzOmAqhz
RjDeGEGGTOQe/298cR0A63uyiQD8W2CHYxtzIytsR3euDnMcUGt+Yp1mkoc85WdS
LnW5se5+Gr+Rl1auyLtoBOy6J8mIJzQa9hPu6Y0sCgpriwxbt+3aEP+Lhsk1bgUf
3Ack9MthT1w5hz5lt1J5C4wHIkQZyQR47NNwPsD+t5p9884Gj6zKcDvJnC8NFp3y
f7R6NoPt7l32oUERV7ulYOoavbxgCMmZRc/as60+lIIrZfHlmjq6/5K8Fsi+6vMC
AyUBtrZ7iNX/RRC5yF5sBUeB5A3bOKJXAWoVIfQFJMURxN894liXAsaNtj1CWD+3
tAdpI8GkZGE1cYicHqNoiP1S08O82pbPE4o28ZgoJj/sq8lYNLMXTXUE/3R+GSN/
sAiv1NSyMNwV4RGv/r6EA1W+hlYOgVVw9dSD+iuawMEWqMxzkp/wwzsdvW/jNAwX
7go20QVo8mY0Qdb3DU7+
=huh6
-----END PGP SIGNATURE-----

29
share/xml/advisories.xml
View file

@ -4,6 +4,35 @@
$FreeBSD$
</cvs:keyword>
<year>
<name>2014</name>
<month>
<name>1</name>
<day>
<name>14</name>
<advisory>
<name>FreeBSD-SA-14:01.bsnmpd</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:02.ntpd</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:03.openssl</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:04.bind</name>
</advisory>
</day>
</month>
</year>
<year>
<name>2013</name>

20
share/xml/notices.xml
View file

@ -4,6 +4,26 @@
$FreeBSD$
</cvs:keyword>
<year>
<name>2014</name>
<month>
<name>1</name>
<day>
<name>14</name>
<notice>
<name>FreeBSD-EN-14:01.random</name>
</notice>
<notice>
<name>FreeBSD-EN-14:02.mmap</name>
</notice>
</day>
</month>
</year>
<year>
<name>2013</name>