Add SA-16:33, SA-16:34 and SA-16:35.

Xin LI 2016-11-02 07:45:10 +00:00
parent 8676a9c6df
commit e89d9b204b
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=49623
12 changed files with 898 additions and 0 deletions

View file

@ -0,0 +1,143 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:33.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH Remote Denial of Service vulnerability
Category: contrib
Module: OpenSSH
Announced: 2016-11-02
Affects: All supported versions of FreeBSD.
Corrected: 2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
CVE Name: CVE-2016-8858
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.
During the SSH handshake procedure, the client and server exchanges the
supported encryption, MAC and compression algorithms along with other
information to negotiate algorithms for initial key exchange, with a
message named SSH_MSG_KEXINIT.
II. Problem Description
When processing the SSH_MSG_KEXINIT message, the server could allocate
up to a few hundreds of megabytes of memory per each connection, before
any authentication take place.
III. Impact
A remote attacker may be able to cause a SSH server to allocate an excessive
amount of memory. Note that the default MaxStartups setting on FreeBSD will
limit the effectiveness of this attack.
IV. Workaround
No workaround is available, but systems where sshd(8) is not used are
not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The sshd(8) service has to be restarted after the update. A reboot
is recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The sshd(8) service has to be restarted after the update. A reboot
is recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch.asc
# gpg --verify openssh.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
The sshd(8) service has to be restarted after the update. A reboot
is recommended but not required.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r308199
releng/10.3/ r308203
stable/11/ r308198
releng/11.0/ r308202
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://seclists.org/oss-sec/2016/q4/195>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:33.openssh.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----
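Review bot: Sections I and II of the SA-16:33 text each have a subject-verb agreement error: "the client and server exchanges" should read "exchange", and "before any authentication take place" should read "takes place". Section III also says the default MaxStartups setting limits the attack while Section IV says no workaround is available; add a sentence to IV naming MaxStartups as a partial mitigation so the two sections agree.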

View file

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:34.bind Security Advisory
The FreeBSD Project
Topic: BIND Remote Denial of Service vulnerability
Category: contrib
Module: bind
Announced: 2016-11-02
Credits: ISC
Affects: FreeBSD 9.x
Corrected: 2016-11-02 05:13:27 UTC (stable/9, 9.3-STABLE)
2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
CVE Name: CVE-2016-8864
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A defect in BIND's handling of responses containing a DNAME answer could
cause a resolver to exit after encountering an assertion failure in
db.c or resolver.c.
During processing of a recursive response that contains a DNAME record
in the answer section, BIND could stop executing after encountering an
assertion error in resolver.c.
III. Impact
A remote attacker who could cause a server to make a query deliberately
chosen to trigger the failed assertions could cause named(8) to stop,
resulting in a Denial of Service condition to its clients.
IV. Workaround
No workaround is available, but hosts not running named(8) recursive
servers are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the named service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r308193
releng/9.3/ r308205
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01434/>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:34.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----
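Review bot: Section II of the SA-16:34 text states the problem twice, first naming db.c or resolver.c as the site of the assertion failure and then repeating the description for resolver.c only. Merge the two paragraphs into one that names both files. Step 3c also ends with "Restart the named service, or reboot the system." while options 1 and 2 say "The named service has to be restarted after the update. A reboot is recommended but not required."; use one wording in all three places.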

View file

@ -0,0 +1,148 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:35.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL Remote DoS vulnerability
Category: contrib
Module: openssl
Announced: 2016-11-02
Affects: FreeBSD 9.x and FreeBSD 10.x.
Corrected: 2016-11-02 07:09:31 UTC (stable/10, 10.3-STABLE)
2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
2016-11-02 07:24:14 UTC (releng/10.2, 10.2-RELEASE-p25)
2016-11-02 07:24:14 UTC (releng/10.1, 10.1-RELEASE-p42)
2016-11-02 07:09:31 UTC (stable/9, 9.3-STABLE)
2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
CVE Name: CVE-2016-8610
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
The SSL alert protocol is a way to communicate problems within a SSL/TLS session.
II. Problem Description
Due to improper handling of alert packets, OpenSSL would consume an excessive
amount of CPU time processing undefined alert messages.
III. Impact
A remote attacker who can initiate handshakes with an OpenSSL based server
can cause the server to consume a lot of computation power with very little
bandwidth usage, and may be able to use this technique in a leveraged Denial
of Service attack.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all daemons that use the library, or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r308200
releng/9.3/ r308205
stable/10/ r308200
releng/10.1/ r308204
releng/10.2/ r308204
releng/10.3/ r308203
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://seclists.org/oss-sec/2016/q4/224>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,10 @@
--- crypto/openssh/kex.c.orig
+++ crypto/openssh/kex.c
@@ -468,6 +468,7 @@
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
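Review bot: The added ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL) line has no comment, and nothing in this hunk shows where the KEXINIT handler is installed again for a later rekey. Add a short comment above the call saying that it unregisters the handler so that further KEXINIT messages are not processed here while this exchange is in progress, and name the place that re-registers it once the exchange completes.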

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,184 @@
--- contrib/bind9/lib/dns/resolver.c.orig
+++ contrib/bind9/lib/dns/resolver.c
@@ -524,7 +524,9 @@
valarg->addrinfo = addrinfo;
if (!ISC_LIST_EMPTY(fctx->validators))
- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+ valoptions |= DNS_VALIDATOR_DEFER;
+ else
+ valoptions &= ~DNS_VALIDATOR_DEFER;
result = dns_validator_create(fctx->res->view, name, type, rdataset,
sigrdataset, fctx->rmessage,
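Review bot: The if/else that replaces the INSIST now decides DNS_VALIDATOR_DEFER purely from ISC_LIST_EMPTY(fctx->validators), yet the only explanation of why deferral exists ("This prevents multiple validators from manipulating fctx->rmessage simultaneously") is deleted in the hunk at -4849 and not carried over. Move that comment above the new if/else, and state there that a DNS_VALIDATOR_DEFER bit passed in by the caller is overwritten in both branches.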
@@ -4849,13 +4851,6 @@
rdataset,
sigrdataset,
valoptions, task);
- /*
- * Defer any further validations.
- * This prevents multiple validators
- * from manipulating fctx->rmessage
- * simultaneously.
- */
- valoptions |= DNS_VALIDATOR_DEFER;
}
} else if (CHAINING(rdataset)) {
if (rdataset->type == dns_rdatatype_cname)
@@ -4961,6 +4956,11 @@
eresult == DNS_R_NCACHENXRRSET);
}
event->result = eresult;
+ if (adbp != NULL && *adbp != NULL) {
+ if (anodep != NULL && *anodep != NULL)
+ dns_db_detachnode(*adbp, anodep);
+ dns_db_detach(adbp);
+ }
dns_db_attach(fctx->cache, adbp);
dns_db_transfernode(fctx->cache, &node, anodep);
clone_results(fctx);
@@ -5208,6 +5208,11 @@
fctx->attributes |= FCTX_ATTR_HAVEANSWER;
if (event != NULL) {
event->result = eresult;
+ if (adbp != NULL && *adbp != NULL) {
+ if (anodep != NULL && *anodep != NULL)
+ dns_db_detachnode(*adbp, anodep);
+ dns_db_detach(adbp);
+ }
dns_db_attach(fctx->cache, adbp);
dns_db_transfernode(fctx->cache, &node, anodep);
clone_results(fctx);
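Review bot: The five-line detach block added before dns_db_attach(fctx->cache, adbp) here is a verbatim copy of the one added in the hunk at -4961, and neither copy says when *adbp or *anodep can already be set on entry. Factor the block into a small static helper with a comment describing that case, so the two call sites cannot drift apart.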
@@ -6016,13 +6021,15 @@
answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+ dns_name_t *cname = NULL;
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t done, external, chaining, aa, found, want_chaining;
- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+ isc_boolean_t have_answer, found_cname, found_dname, found_type;
+ isc_boolean_t wanted_chaining;
unsigned int aflag;
dns_rdatatype_t type;
- dns_fixedname_t fdname, fqname;
+ dns_fixedname_t fdname, fqname, fqdname;
dns_view_t *view;
FCTXTRACE("answer_response");
@@ -6036,6 +6043,7 @@
done = ISC_FALSE;
found_cname = ISC_FALSE;
+ found_dname = ISC_FALSE;
found_type = ISC_FALSE;
chaining = ISC_FALSE;
have_answer = ISC_FALSE;
@@ -6045,12 +6053,13 @@
aa = ISC_TRUE;
else
aa = ISC_FALSE;
- qname = &fctx->name;
+ dqname = qname = &fctx->name;
type = fctx->type;
view = fctx->res->view;
+ dns_fixedname_init(&fqdname);
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
- dns_namereln_t namereln;
+ dns_namereln_t namereln, dnamereln;
int order;
unsigned int nlabels;
@@ -6058,6 +6067,8 @@
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+ dnamereln = dns_name_fullcompare(dqname, name, &order,
+ &nlabels);
if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
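Review bot: The added dns_name_fullcompare(dqname, name, &order, &nlabels) call writes into the same order and nlabels variables that the qname comparison on the line above just filled, so from here on both hold the dqname result. The later dname_target(rdataset, dqname, nlabels, &fdname) call relies on that, but code in the namereln == dns_namereln_equal branch that reads either variable would see values for a different name once dqname has diverged from qname. Use separate variables for the second comparison, or add a comment saying the overwrite is intended.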
@@ -6152,7 +6163,7 @@
}
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
- dns_rdatatype_cname
+ dns_rdatatype_cname
&& !found_type) {
/*
* We're looking for something else,
@@ -6182,11 +6193,18 @@
* a CNAME or DNAME).
*/
INSIST(!external);
- if (aflag ==
- DNS_RDATASETATTR_ANSWER) {
+ if ((rdataset->type !=
+ dns_rdatatype_cname) ||
+ !found_dname ||
+ (aflag ==
+ DNS_RDATASETATTR_ANSWER))
+ {
have_answer = ISC_TRUE;
+ if (rdataset->type ==
+ dns_rdatatype_cname)
+ cname = name;
name->attributes |=
- DNS_NAMEATTR_ANSWER;
+ DNS_NAMEATTR_ANSWER;
}
rdataset->attributes |= aflag;
if (aa)
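Review bot: The rewritten condition guarding have_answer = ISC_TRUE has no comment, and its intent has to be reconstructed from three OR-ed clauses. State the one case it excludes: a CNAME rdataset seen after a DNAME has been found, when aflag is not DNS_RDATASETATTR_ANSWER. Also add a note that the saved cname pointer refers to a name owned by the message and is kept only so the DNAME branch can clear DNS_NAMEATTR_ANSWER on it.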
@@ -6280,11 +6298,11 @@
return (DNS_R_FORMERR);
}
- if (namereln != dns_namereln_subdomain) {
+ if (dnamereln != dns_namereln_subdomain) {
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
- dns_name_format(qname, qbuf,
+ dns_name_format(dqname, qbuf,
sizeof(qbuf));
dns_name_format(name, obuf,
sizeof(obuf));
@@ -6299,7 +6317,7 @@
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset, qname,
+ result = dname_target(rdataset, dqname,
nlabels, &fdname);
if (result == ISC_R_NOSPACE) {
/*
@@ -6316,10 +6334,13 @@
dname = dns_fixedname_name(&fdname);
if (!is_answertarget_allowed(view,
- qname, rdataset->type,
- dname, &fctx->domain)) {
+ dqname, rdataset->type,
+ dname, &fctx->domain))
+ {
return (DNS_R_SERVFAIL);
}
+ dqname = dns_fixedname_name(&fqdname);
+ dns_name_copy(dname, dqname, NULL);
} else {
/*
* We've found a signature that
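Review bot: The return value of the added dns_name_copy(dname, dqname, NULL) is discarded. The preceding hunk shows the result of dname_target being checked, including for ISC_R_NOSPACE, so handle the copy the same way: check the result and fail the response on error, or assert success if a copy into the fixed name cannot fail.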
@@ -6344,6 +6365,10 @@
INSIST(!external);
if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
+ found_dname = ISC_TRUE;
+ if (cname != NULL)
+ cname->attributes &=
+ ~DNS_NAMEATTR_ANSWER;
name->attributes |=
DNS_NAMEATTR_ANSWER;
}

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,94 @@
--- crypto/openssl/ssl/d1_pkt.c.orig
+++ crypto/openssl/ssl/d1_pkt.c
@@ -924,6 +924,13 @@
goto start;
}
+ /*
+ * Reset the count of consecutive warning alerts if we've got a non-empty
+ * record that isn't an alert.
+ */
+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+ s->s3->alert_count = 0;
+
/* we now have a packet which can be read and processed */
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1190,6 +1197,14 @@
if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
+
+ s->s3->alert_count++;
+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+ goto f_err;
+ }
+
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
#ifndef OPENSSL_NO_SCTP
/*
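Review bot: The limit check s->s3->alert_count == MAX_WARN_ALERT_COUNT only fires on the exact value. It holds today because the counter rises by one per warning and the connection is torn down at f_err, but a later change that increments or restores the counter elsewhere would step over the limit silently. Use >= so the check stays correct regardless of how the counter got there.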
--- crypto/openssl/ssl/s3_pkt.c.orig
+++ crypto/openssl/ssl/s3_pkt.c
@@ -1057,6 +1057,13 @@
return (ret);
}
+ /*
+ * Reset the count of consecutive warning alerts if we've got a non-empty
+ * record that isn't an alert.
+ */
+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+ s->s3->alert_count = 0;
+
/* we now have a packet which can be read and processed */
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1271,6 +1278,14 @@
if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
+
+ s->s3->alert_count++;
+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+ goto f_err;
+ }
+
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
--- crypto/openssl/ssl/ssl.h.orig
+++ crypto/openssl/ssl/ssl.h
@@ -2717,6 +2717,7 @@
# define SSL_R_TLS_HEARTBEAT_PENDING 366
# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
+# define SSL_R_TOO_MANY_WARN_ALERTS 409
# define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
# define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
# define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
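Review bot: SSL_R_TOO_MANY_WARN_ALERTS is inserted between two SSL_R_TLS_ entries, which breaks the alphabetical order of the list; it belongs after SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG and before SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER. The patch also touches only d1_pkt.c, s3_pkt.c, ssl.h, ssl3.h and ssl_locl.h, so no reason string is registered for code 409; add the matching entry in ssl/ssl_err.c so the error is reported by name rather than by number.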
--- crypto/openssl/ssl/ssl3.h.orig
+++ crypto/openssl/ssl/ssl3.h
@@ -587,6 +587,8 @@
char is_probably_safari;
# endif /* !OPENSSL_NO_EC */
# endif /* !OPENSSL_NO_TLSEXT */
+ /* Count of the number of consecutive warning alerts received */
+ unsigned int alert_count;
} SSL3_STATE;
# endif
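Review bot: The new alert_count field is appended to SSL3_STATE, but no hunk in this patch initializes it; the only writes are the increment and the reset to 0 on a non-alert record. Confirm in the commit message or a comment that SSL3_STATE is zeroed when it is created and when the connection state is cleared, or add an explicit assignment there.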
--- crypto/openssl/ssl/ssl_locl.h.orig
+++ crypto/openssl/ssl/ssl_locl.h
@@ -389,6 +389,8 @@
*/
# define SSL_MAX_DIGEST 6
+# define MAX_WARN_ALERT_COUNT 5
+
# define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
# define TLS1_PRF_DGST_SHIFT 10
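Review bot: MAX_WARN_ALERT_COUNT is defined as 5 with no comment on what it bounds or why 5 was chosen. Add a one-line comment saying it is the number of consecutive warning alerts tolerated before the connection is failed with SSL_R_TOO_MANY_WARN_ALERTS, so the value can be reviewed against real peers that send warning alerts legitimately.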

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,94 @@
--- crypto/openssl/ssl/d1_pkt.c.orig
+++ crypto/openssl/ssl/d1_pkt.c
@@ -820,6 +820,13 @@
goto start;
}
+ /*
+ * Reset the count of consecutive warning alerts if we've got a non-empty
+ * record that isn't an alert.
+ */
+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+ s->s3->alert_count = 0;
+
/* we now have a packet which can be read and processed */
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1043,6 +1050,14 @@
if (alert_level == 1) { /* warning */
s->s3->warn_alert = alert_descr;
+
+ s->s3->alert_count++;
+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+ goto f_err;
+ }
+
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
--- crypto/openssl/ssl/s3_pkt.c.orig
+++ crypto/openssl/ssl/s3_pkt.c
@@ -922,6 +922,13 @@
return (ret);
}
+ /*
+ * Reset the count of consecutive warning alerts if we've got a non-empty
+ * record that isn't an alert.
+ */
+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+ s->s3->alert_count = 0;
+
/* we now have a packet which can be read and processed */
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1121,6 +1128,14 @@
if (alert_level == 1) { /* warning */
s->s3->warn_alert = alert_descr;
+
+ s->s3->alert_count++;
+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+ goto f_err;
+ }
+
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
--- crypto/openssl/ssl/ssl.h.orig
+++ crypto/openssl/ssl/ssl.h
@@ -2195,6 +2195,7 @@
# define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
# define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227
+# define SSL_R_TOO_MANY_WARN_ALERTS 409
# define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
# define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
# define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
--- crypto/openssl/ssl/ssl3.h.orig
+++ crypto/openssl/ssl/ssl3.h
@@ -491,6 +491,8 @@
char is_probably_safari;
# endif /* !OPENSSL_NO_EC */
# endif /* !OPENSSL_NO_TLSEXT */
+ /* Count of the number of consecutive warning alerts received */
+ unsigned int alert_count;
} SSL3_STATE;
/* SSLv3 */
--- crypto/openssl/ssl/ssl_locl.h.orig
+++ crypto/openssl/ssl/ssl_locl.h
@@ -247,6 +247,8 @@
# define DEC32(a) ((a)=((a)-1)&0xffffffffL)
# define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
+# define MAX_WARN_ALERT_COUNT 5
+
/*
* Define the Bitmasks for SSL_CIPHER.algorithms.
* This bits are used packed as dense as possible. If new methods/ciphers

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.15 (FreeBSD)
-----END PGP SIGNATURE-----

View file

@ -7,6 +7,26 @@
<year>
<name>2016</name>
<month>
<name>11</name>
<day>
<name>2</name>
<advisory>
<name>FreeBSD-SA-16:35.openssl</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:34.bind</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:33.openssh</name>
</advisory>
</day>
</month>
<month>
<name>10</name>