130 lines
4.8 KiB
Text
130 lines
4.8 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-19:17.ipfw Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: ipfw(8) jail keyword broken prior to jail startup
|
|
|
|
Category: core
|
|
Module: ipfw
|
|
Announced: 2019-08-20
|
|
Affects: FreeBSD 11.3
|
|
Corrected: 2019-08-15 17:40:48 UTC (stable/12, 12.0-STABLE)
|
|
2019-08-15 17:40:48 UTC (stable/11, 11.3-STABLE)
|
|
2019-08-20 17:46:40 UTC (releng/11.3, 11.3-RELEASE-p3)
|
|
|
|
Note that this issue was introduced after the FreeBSD 11.2 and 12.0 releases.
|
|
FreeBSD 11.3 is the only affected release.
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The ipfw(8) utility configures rules for the ipfw(4) firewall. The jail
|
|
keyword applies the rule for packets pertaining to the given jail, named by
|
|
the argument.
|
|
|
|
II. Problem Description
|
|
|
|
The jail argument no longer allowed jids to be specified before a jail was
|
|
created. Attempts to use the jail keyword in this scenario would result in
|
|
"jail <jid> not found" errors, when previously these rules would apply to
|
|
any jail with the given jid that was subsequently started.
|
|
|
|
III. Impact
|
|
|
|
The ipfw(4) firewall will reject rules that attempt to use the jail
|
|
keyword prior to jail startup, and these rules will not be applied.
|
|
|
|
IV. Workaround
|
|
|
|
The system administrator can apply jail-based firewall rules after jail
|
|
creation.
|
|
|
|
Systems that do not use ipfw(4) are not affected.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
2) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch.asc
|
|
# gpg --verify ipfw.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
Restart jails to apply firewall rules, if required.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r351094
|
|
stable/11/ r351094
|
|
releng/11.3/ r351258
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:17.ipfw.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPf5fFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cIDTg//ca9BaMVV04yzSaIqgcuxCs5nM6eQMJehRKWP+Ibt6bUUnUYlS8V1HOBD
|
|
eUS0eW9GiO2QkrVmttxrC2IwJSutVzUXMP/zkLEyb91LJ13+YkuLKSaj14pucA+S
|
|
VNy1CH8Sry/PnA+bcFQxgpTAl8EGaTAzT0znRgdvooe26JbHw0y8941t88Mr3giN
|
|
vCPnfAdaT0MjKSdKgykA+xKKgY1+fwA1vUFOYybNzg+eN10gU2qRQfksFc4VpnNd
|
|
7J3j5I2n/1Y1KxsbEagGXK0JOztZa1PhqsAYuj4iAMhM8Nw+vdAtVX8DYyqHEe2m
|
|
hjJyGPu1Lrihrx2PUH5GVv0KXHbLVRnZ/N7Xs3hPsUZWBuSrcU2r3cdqe1nB055D
|
|
PQMr6m+Ydr0DXnySShd5Kow26IBDVJQ+YrGkK88CdMT2YGnarqcg/RaT/eIoJ654
|
|
lKvl5XeOL/P9apU567HzYoAUVlvxMAD2pEd2+NGr9gi3bXfAg2Usjeekwo7BRRMo
|
|
Ddmec7Ql/wBU0RED67l+TYIM2IDNj5ofua6WrSrs8QCIeNXnYi8kBLTBwKBiz5Fw
|
|
scisoACv92zexrIpac1RoAT/+OdWUgwtCx7axyLybbEsAC2FDfSDVqlJfq0m+DFY
|
|
/R3Bezk1Ek+U4KUpQr6I1DSBU+1Uo8DljfwkwH8DVn+aWy3194Q=
|
|
=8VPw
|
|
-----END PGP SIGNATURE-----
|