doc/share/security/advisories/FreeBSD-EN-15:18.pkg.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-15:18.pkg                                            Errata Notice
                                                          The FreeBSD Project

Topic:          Implement pubkey support for pkg(7) bootstrap

Category:       core
Module:         pkg
Announced:      2015-09-16
Credits:        Baptiste Daroussin
Affects:        All supported versions of FreeBSD.
Corrected:      2015-09-15 05:56:16 UTC (stable/10, 10.2-STABLE)
                2015-09-16 20:59:41 UTC (releng/10.2, 10.2-RELEASE-p3)
                2015-09-16 21:00:21 UTC (releng/10.1, 10.1-RELEASE-p20)
                2015-09-15 08:34:32 UTC (stable/9, 9.3-STABLE)
                2015-09-16 21:00:21 UTC (releng/9.3, 9.3-RELEASE-p26)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.

I.   Background

The pkg(8) utility is the package management tool for FreeBSD.  The base
system includes a pkg(7) bootstrap utility used to install the latest
pkg(8) utility.

II.  Problem Description

The pubkey method is not supported by the pkg(7) bootstrap utility.
Previously, before EN-15:15.pkg, if the system administrator requested
this method, it is silently ignored and no check is performed.

In EN-15:15.pkg, pkg(7) have been modified to issue warning and refuse
to proceed any further.

III. Impact

There is no way to use the pubkey method to bootstrap pkg(8) on the
system.

IV.  Workaround

No workaround is available, but the default FreeBSD configuration is not
affected because it uses "fingerprint" method.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-10.patch
# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-10.patch.asc
# gpg --verify pkg-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-9.patch
# fetch https://security.FreeBSD.org/patches/EN-15:18/pkg-9.patch.asc
# gpg --verify pkg-9.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r287814
releng/9.3/                                                       r287873
stable/10/                                                        r287810
releng/10.1/                                                      r287873
releng/10.2/                                                      r287872
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:18.pkg.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)

iQIcBAEBCgAGBQJV+dppAAoJEO1n7NZdz2rn9cUP/0CWVv/p9UJb53HzTjFJTmm3
WS0eDqvGS9DS9G/QWsYUWqDQY+Sf9kIFpSQFjIxNbhGlxxRyYaU7hrn2fqbxdJvk
wOlr+7Enui5d9dFLSYKuMfxY5dlyX+Y9WshdH5WI1I4jYrsEPrLc+YeJ7aaQ2QmP
GbXHl21SenB32GxLh1/THuWPYRaMuOujbpO3DCbbTsxFfdgytUO3cbefvuKn4gfe
Ol8yDUS9emD5mmD55uSuIvbOgywWFqpYGBcnAIwB5oRRKgJitbeZbXjOjyxCTVvT
B3lBdPP6RIWnrMpBiQ9NPVWpYvk5jHnhUOfVDmVFIpG6UzRqqbLQVn4m2QoHmaxe
eHNMuRT/Zpf5QIPZBpdVITz647V1M/gEb5GRnQ1B2JA0KXAxCsnt6qHPoG8JsrRW
6G90QHjHqGLFtssGIILeCTRHJHYzjCxlRVWF8LgUgshQBbxpUmde6VedahdwKFel
JG34M4Qxr9PIQ9u7UN4+bolxXtRSsUiKDtakYQs/NrnF48OZJSY98e4QG4tRsxvy
cWcSsjkFbqzn/Z14KFb8zfygJCGdvOEOjl0Is44w+y9R8dddcwoFW3ufvsJi9KMc
jQ622C+jZHa+fdUED4qJU9HDMEMDcMFH6Ule4JYwegBSq463keFX/gRoDvQK/eTS
9KWvZ0KR3azq26fp7Ni4
=ru1t
-----END PGP SIGNATURE-----