svn commit: r46288 - in head/share: security/advisories security/patches/EN-15:01 security/patches/EN-15:02 security/patches/EN-15:03 security/patches/SA-15:04 security/patches/SA-15:05 xml
Xin LI
delphij at FreeBSD.org
Wed Feb 25 06:26:02 UTC 2015
Author: delphij
Date: Wed Feb 25 06:25:59 2015
New Revision: 46288
URL: https://svnweb.freebsd.org/changeset/doc/46288
Log:
Add latest batch of security advisories and errata notices.
Added:
head/share/security/advisories/FreeBSD-EN-15:01.vt.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-15:02.openssl.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:05.bind.asc (contents, props changed)
head/share/security/patches/EN-15:01/
head/share/security/patches/EN-15:01/vt.patch (contents, props changed)
head/share/security/patches/EN-15:01/vt.patch.asc (contents, props changed)
head/share/security/patches/EN-15:02/
head/share/security/patches/EN-15:02/openssl-10.0.patch (contents, props changed)
head/share/security/patches/EN-15:02/openssl-10.0.patch.asc (contents, props changed)
head/share/security/patches/EN-15:02/openssl-10.1.patch (contents, props changed)
head/share/security/patches/EN-15:02/openssl-10.1.patch.asc (contents, props changed)
head/share/security/patches/EN-15:02/openssl-8.4.patch (contents, props changed)
head/share/security/patches/EN-15:02/openssl-8.4.patch.asc (contents, props changed)
head/share/security/patches/EN-15:02/openssl-9.3.patch (contents, props changed)
head/share/security/patches/EN-15:02/openssl-9.3.patch.asc (contents, props changed)
head/share/security/patches/EN-15:03/
head/share/security/patches/EN-15:03/freebsd-update.patch (contents, props changed)
head/share/security/patches/EN-15:03/freebsd-update.patch.asc (contents, props changed)
head/share/security/patches/SA-15:04/
head/share/security/patches/SA-15:04/igmp.patch (contents, props changed)
head/share/security/patches/SA-15:04/igmp.patch.asc (contents, props changed)
head/share/security/patches/SA-15:05/
head/share/security/patches/SA-15:05/bind.patch (contents, props changed)
head/share/security/patches/SA-15:05/bind.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
head/share/xml/notices.xml
Added: head/share/security/advisories/FreeBSD-EN-15:01.vt.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:01.vt.asc Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:01.vt Errata Notice
+ The FreeBSD Project
+
+Topic: vt(4) crash with improper ioctl parameters
+
+Category: core
+Module: vt
+Announced: 2015-02-25
+Credits: Francisco Falcon from Core Security Technologies
+Affects: FreeBSD 9.3 and FreeBSD 10.1
+Corrected: 2015-02-02 18:48:49 UTC (stable/10, 10.1-STABLE)
+ 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
+ 2015-02-02 18:48:49 UTC (stable/9, 9.3-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I. Background
+
+The vt(4) device provides multiple virtual terminals with an extensive
+feature set.
+
+II. Problem Description
+
+The vt(4) code uses a signed integer as index value and does not test for
+negative values.
+
+III. Impact
+
+A local attacker could trigger a panic by tricking the kernel into
+accessing undefined kernel memory.
+
+IV. Workaround
+
+No workaround is available, but systems that do not use vt(4) are not
+affected.
+
+All affected FreeBSD releases does not ship with vt(4) enabled by
+default, and user have to enable them explicitly.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:01/vt.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:01/vt.patch.asc
+# gpg --verify vt.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r278106
+releng/9.3/ r279265
+stable/10/ r278106
+releng/10.1/ r279264
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0998>
+
+<URL:http://www.coresecurity.com/advisories/freebsd-kernel-multiple-vulnerabilities>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:01.vt.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAEBCgAGBQJU7Wi8AAoJEO1n7NZdz2rnjXUQAIXWVC52AmDrQHvirZ23Jc84
+OnhLpYU3McHxtEpuIRZOcklDwuBQlP/0u1zsHoPvlHP/t6k74SA07MsuYjnUYrom
+lF+P9wlmADXXFijGceE3UvdxD574ByyOVuqwvjDMbnxJOCyUNM4NaflZCacpqt4J
+P7cpZVBLIh/lmFZYuuyYZ+AKC+02hNGQkLfY010EmPjsZMPYgr6UfRP5UG3+JLvy
+LXYXOMkklQst9tSyJoC1QhQ8N6MbvGAjs0f9tO2G3nLkxdSZfAWnIExkACUnhW5G
+2JzBJXTrXbyRelX3RmCV93j/9PHkS5Oj85p3fmc8swsdEgyq3e2rVMUdWEtJEZuE
+c5lR/cGikMpFlsFnJqNi8LyIoXiGuVfLlhsNZsfjOn4WzenYd5gbmzZFLiu5agfq
+TZZOAtpoYv7yvW+t98yZR+wUDQNk0Jsq738FR8qnPG4uN0yFVMjg+EEWMIEA+fnj
+rLPxCO798PkpsVgUY+KC02Q/OLDcavWmf4+dGLGXVOHGrdmW4/9mSywiQQEZXl/9
+5GsY/5Qy6XmL8bf+I7pa1ozUGvJNZo+GZaak5hnaaaWiAt/aTlf9uoeNCizGo7ad
++srCLTEI0lEo883PrgNE8K1WWbg/by9Nv9YkE9AkPaAt8gIj/sOMuRv5/oGUj94D
+v5gabABppiNMM9tNykM9
+=7HYa
+-----END PGP SIGNATURE-----
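Review bot: In section VI, stable/9/ and stable/10/ both list r278106, and the Corrected field gives both branches the identical timestamp 2015-02-02 18:48:49 UTC; confirm that a single revision really covers both branches, or give each branch its own revision number. Section IV also needs a grammar pass ("releases does not ship", "user have to enable them"), for example "No affected FreeBSD release ships with vt(4) enabled by default; users have to enable it explicitly." Because the file is clearsigned, any wording change has to go into a re-signed revision of the notice.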
Added: head/share/security/advisories/FreeBSD-EN-15:02.openssl.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:02.openssl.asc Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:02.openssl Errata Notice
+ The FreeBSD Project
+
+Topic: OpenSSL update
+
+Category: contrib
+Module: openssl
+Announced: 2015-02-25
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-01-23 19:14:36 UTC (stable/10, 10.1-STABLE)
+ 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
+ 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
+ 2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
+ 2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II. Problem Description
+
+The OpenSSL software bundled with the FreeBSD base system has been diverged
+due to various security advisories in the past and some reliability fixes
+were not merged.
+
+III. Impact
+
+Divergence in the cryptographic code makes it harder to review changes, and
+running unique code exposes users who run FreeBSD to possible unique bugs,
+if there is any.
+
+IV. Workaround
+
+No workaround is available, but systems that do not use base system OpenSSL
+for public facing services are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-8.4.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-9.3.patch.asc
+
+[FreeBSD 10.0]
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.0.patch.asc
+
+[FreeBSD 10.1]
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:02/openssl-10.1.patch.asc
+
+# gpg --verify XXXX.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r276865
+releng/8.4/ r279265
+stable/9/ r276865
+releng/9.3/ r279265
+stable/10/ r277597
+releng/10.0/ r279264
+releng/10.1/ r279264
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:02.openssl.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAEBCgAGBQJU7WjCAAoJEO1n7NZdz2rnqScP/0nfy96IWKzt6GdHXIF7rgSl
+yNF9xCfsG0jYgL2B7eLOmLyqT4+P5kEgarTCncjtDh/YEtfx/xXTseCPCAbVGmre
+qhYQ/8J05bmw4vkFUxUtQAt0Kn2e911IfU1BM1J9/7sO39iBZkrbTf+mQ3zbuHP/
+0Iluz0vQY4N5qrStywr34Qy3UVzh06YmrNYGryxn+vw4FmGMp0eMeX7SGHO1saAI
+Rwe8Q2nArl1pIffMtbB84MU8GphIS9td5U3w7+wJ94r7s9bXULIvKwd91H8+A8sW
+njmldZLs4L192Ez7NoL25+uz0AdB0R2Flb9iDwTxDyvuudQeZR0qJAfXU/sbsa6r
+PFt41UCV1ZJA0d+N8GG1X2lHBkaw5LWcV5GNKAFwGj659ycYqRndpPhjviM1WLJs
+s/zlhM/0z3iFC5EZn0z1oNf8W0AhxGMrGG9EdFLGFE1w0U6BqPujqdZMBoey0y+Q
+00O0APcQENNo4jr8xBg/ykzA7cbCao48nbPDOWiY2SLiB+HLdbafapPimndyF0nf
+JxOe973UzZVRg+mdni3I6MriK1uaTAjMzNYD5x0avoResocrJKwZVUswNOJV1ONs
+gvTvmAAYHGvDXeiV8YP1nb2+G8dusljawRkkY2Hg0yBH6PS+qKfMfCq+UEQ5ewdc
+L7YxxXDEwrBgtAkv5A5z
+=xouA
+-----END PGP SIGNATURE-----
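Review bot: In step 3c, "Restart all deamons using the library" should read "daemons", and section II's "has been diverged" reads better as "has diverged". The verify command in step 3a uses the placeholder "XXXX.patch.asc" while the four downloads above it have concrete names; a short "replace XXXX with the patch name for your release" would remove the guesswork.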
Added: head/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,160 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:03.freebsd-update Errata Notice
+ The FreeBSD Project
+
+Topic: freebsd-update updates libraries in suboptimal order
+
+Category: base
+Module: freebsd-update
+Announced: 2015-02-25
+Credits: Brooks Davis
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-02-09 09:22:47 UTC (stable/10, 10.1-STABLE)
+ 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
+ 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
+ 2015-02-09 09:45:58 UTC (stable/9, 9.3-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
+ 2015-02-09 10:09:46 UTC (stable/8, 8.4-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I. Background
+
+The freebsd-update(8) utility is used to apply binary patches to FreeBSD
+systems installed from official release images, as an alternative to
+rebuilding from source. A freebsd-update(8) build server generates the
+signed update packages, consisting of an index of files and directories
+with checksums before the update, a set of binary patches, and an
+index of files and directories with checksums after the update. The
+client downloads the indexes, verifies the signatures and checksums,
+then downloads and applies the required patches.
+
+II. Problem Description
+
+In general, the runtime linker needs to be updated before all other
+libraries, including the standard C library (libc) and the threading
+library (libthr), because these libraries depend on functionality of
+the runtime linker.
+
+Before this update, the freebsd-update(8) utility did not enforce
+this ordering requirement and would replace libthr (and all other
+libraries) before updating the runtime linker.
+
+A recent change to the FreeBSD threading library that would prevent
+a deadlock in a child process requires a NULL pointer test in the
+runtime linker (/libexec/ld-elf.so.1) be in place. Since previous
+versions of the runtime linker do not have this test, processes will
+crash due to a NULL pointer deference.
+
+III. Impact
+
+If a name-service switch module linked to the threading library -- such
+as ldap or winbind -- was configured to provide passwd or group services
+in /etc/nsswitch.conf, then all attempts to look up a user or group by
+name after the threading library was updated would result in a crash.
+Most obviously, all further install(1) invocations by freebsd-update(8)
+will crash, leaving the system partially updated and largely unusable.
+
+IV. Workaround
+
+Disabling any name-service switch modules linked to libthr prior to
+running the freebsd-update(8) 'upgrade' command works around the issue.
+These modules include, but are not limited to, ldap and winbind.
+
+V. Solution
+
+The freebsd-update(8) utility has been updated to install the runtime
+linker before any libraries.
+
+You MUST upgrade systems prior to 10.1 to address this errata notice before
+updating to 10.1 or later using freebsd-update(8).
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/EN-15:03/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:03/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r278446
+releng/8.4/ r279265
+stable/9/ r278444
+releng/9.3/ r279265
+stable/10/ r278443
+releng/10.0/ r279264
+releng/10.1/ r279264
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:03.freebsd-update.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+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+=J5C+
+-----END PGP SIGNATURE-----
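Review bot: Step 3a labels its only patch "[FreeBSD 9.3]", while the Affects field says all supported versions and section VI lists corrections for releng/8.4, releng/10.0 and releng/10.1 as well; either drop the label if freebsd-update.patch applies to every branch, or list the patch that applies to each release. In section II, "NULL pointer deference" should be "NULL pointer dereference".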
Added: head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:04.igmp Security Advisory
+ The FreeBSD Project
+
+Topic: Integer overflow in IGMP protocol
+
+Category: core
+Module: igmp
+Announced: 2015-02-25
+Credits: Mateusz Kocielski, Logicaltrust,
+ Marek Kroemeke, and 22733db72ab3ed94b5f8a1ffcde850251fe6f466
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE)
+ 2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
+ 2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
+ 2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
+ 2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
+CVE Name: CVE-2015-1414
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+IGMP is a control plane protocol used by IPv4 hosts and routers to propagate
+multicast group membership information. IGMP version 3 is implemented on
+FreeBSD.
+
+II. Problem Description
+
+An integer overflow in computing the size of IGMPv3 data buffer can result
+in a buffer which is too small for the requested operation.
+
+III. Impact
+
+An attacker who can send specifically crafted IGMP packets could cause a
+denial of service situation by causing the kernel to crash.
+
+IV. Workaround
+
+Block incoming IGMP packets by protecting your host/networks with a firewall.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
+# gpg --verify igmp.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r279263
+releng/8.4/ r279265
+stable/9/ r279263
+releng/9.3/ r279265
+stable/10/ r279263
+releng/10.0/ r279264
+releng/10.1/ r279264
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1414>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+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+=lkYC
+-----END PGP SIGNATURE-----
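Review bot: The Credits field ends with a bare 40-character hexadecimal string where a name would be expected ("Marek Kroemeke, and 22733db7..."); confirm this is the form the reporter asked for, since readers will take it for a paste error. In section IV, "Block incoming IGMP packets" gives no hint of the cost: section I says IGMP carries multicast group membership, so a sentence noting that hosts relying on multicast should patch rather than filter would help. In section III, "specifically crafted" should be "specially crafted".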
Added: head/share/security/advisories/FreeBSD-SA-15:05.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:05.bind.asc Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:05.bind Security Advisory
+ The FreeBSD Project
+
+Topic: BIND remote denial of service vulnerability
+
+Category: contrib
+Module: bind
+Announced: 2015-02-25
+Credits: ISC
+Affects: FreeBSD 8.x and FreeBSD 9.x.
+Corrected: 2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
+ 2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
+ 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
+CVE Name: CVE-2015-1349
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+BIND servers which are configured to perform DNSSEC validation and which
+are using managed keys (which occurs implicitly when using
+"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
+unpredictable behavior due to the use of an improperly initialized
+variable.
+
+III. Impact
+
+A remote attacker can trigger a crash of a name server that is configured
+to use managed keys under specific and limited circumstances. However,
+the complexity of the attack is very high unless the attacker has a
+specific network relationship to the BIND server which is targeted.
+
+IV. Workaround
+
+Only systems that runs BIND, including recursive resolvers and authoritative
+servers that performs DNSSEC validation and using managed-keys are affected.
+
+This issue can be worked around by not using "auto" for the dnssec-validation
+or dnssec-lookaside options and do not configure a managed-keys statement.
+Note that in order to do DNSSEC validation with this workaround one would
+have to configure an explicit trusted-keys statement with the appropriate
+keys.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r278973
+releng/8.4/ r279265
+stable/9/ r278972
+releng/9.3/ r279265
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01235>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:05.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+
+iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnKkgP/3vUBO8o5ofQFMUYSS1siPxZ
+63OeeRlMabEgiWZaQ+V2O7/CPrHDIgJHQABx9kNoiutWD9TC3c5f7Yh4nfaXmbKe
+Ncu3EjF1Zw/uGbu3cXjboX0CYnBDYrPNJnzIvSG0UlTY5hEIi3FgN4v2Q3gzuU/2
+3aUlFHyZb4GVzK+lA+wD0unOc6+il6LHPpSzwRbLpNxCB2J582HoCuw9i5NfMiOB
+KP8axZeNZLMpE90s3H/VD+7UIoe6eOC0kykH/DpuUIUxxlExK9c8f9QurpoCnOrV
+qwPAeWEYjmjZmMFivVZf5ugir6diaenfPjpXvUGNz2pCp5wlRkku71sMDsgnErX2
+Fnuc6nCXqTb/XX6zQmz/236EEVr2UBuX0cXWT0Dvu8GznMij/s4J+9+/Pkjp/mr7
+PfXj4H9UMv2Q3zOW7+Vb2Ru0zwfL9Dt90SyNbvt6DOA9KSNnUZIkN/pbKuS9fnHX
+Pw7eiNPs4Rq0Ui1DJDWVsJnZV2aVSw+qHxeMVtjCWbx3O7IVGgj5W7i95iAPHRJ4
+PVd1oaI2WsteoLNGpfXUD5sQr9yFRU/mRKtgSjxtKRV/nIkdwfTNcHHXIl0XuIWw
+C7VmAjlZgqj7aacTZWiVXqiFkN6gDjjFv1lVYmuDQOiK52JCbcBavYnxzZxVzuSa
+yIpDuhJS5vIt/B5oepoZ
+=uquT
+-----END PGP SIGNATURE-----
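Review bot: Section IV opens with a statement of which systems are affected rather than a workaround, and its grammar is off ("systems that runs", "servers that performs", "and do not configure"). Suggest moving the scope sentence into section II or III and wording the workaround as: This issue can be worked around by not using "auto" for the dnssec-validation or dnssec-lookaside options and by not configuring a managed-keys statement.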
Added: head/share/security/patches/EN-15:01/vt.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-15:01/vt.patch Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,34 @@
+Index: sys/dev/vt/vt_core.c
+===================================================================
+--- sys/dev/vt/vt_core.c (revision 278106)
++++ sys/dev/vt/vt_core.c (working copy)
+@@ -1719,14 +1719,16 @@ skip_thunk:
+ }
+ VT_UNLOCK(vd);
+ return (EINVAL);
+- case VT_WAITACTIVE:
++ case VT_WAITACTIVE: {
++ unsigned int idx;
++
+ error = 0;
+
+- i = *(unsigned int *)data;
+- if (i > VT_MAXWINDOWS)
++ idx = *(unsigned int *)data;
++ if (idx > VT_MAXWINDOWS)
+ return (EINVAL);
+- if (i != 0)
+- vw = vd->vd_windows[i - 1];
++ if (idx > 0)
++ vw = vd->vd_windows[idx - 1];
+
+ VT_LOCK(vd);
+ while (vd->vd_curwindow != vw && error == 0)
+@@ -1733,6 +1735,7 @@ skip_thunk:
+ error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock);
+ VT_UNLOCK(vd);
+ return (error);
++ }
+ case VT_SETMODE: { /* set screen switcher mode */
+ struct vt_mode *mode;
+ struct proc *p1;
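Review bot: In the VT_WAITACTIVE case the fix depends on idx being unsigned, so that a negative value passed in through data fails the "idx > VT_MAXWINDOWS" test, but nothing in the code says so; a one-line comment above the check would keep a later cleanup from going back to the signed index that EN-15:01 describes. Separately, vd->vd_windows[idx - 1] is still read before VT_LOCK(vd) is taken, which is worth confirming as intended.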
Added: head/share/security/patches/EN-15:01/vt.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-15:01/vt.patch.asc Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.1 (FreeBSD)
+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+=chiR
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-15:02/openssl-10.0.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-15:02/openssl-10.0.patch Wed Feb 25 06:25:59 2015 (r46288)
@@ -0,0 +1,58313 @@
+Index: crypto/openssl/ACKNOWLEDGMENTS
+===================================================================
+--- crypto/openssl/ACKNOWLEDGMENTS (revision 279126)
++++ crypto/openssl/ACKNOWLEDGMENTS (working copy)
+@@ -10,13 +10,18 @@ OpenSSL project.
+ We would like to identify and thank the following such sponsors for their past
+ or current significant support of the OpenSSL project:
+
++Major support:
++
++ Qualys http://www.qualys.com/
++
+ Very significant support:
+
+- OpenGear: www.opengear.com
++ OpenGear: http://www.opengear.com/
+
+ Significant support:
+
+- PSW Group: www.psw.net
++ PSW Group: http://www.psw.net/
++ Acano Ltd. http://acano.com/
+
+ Please note that we ask permission to identify sponsors and that some sponsors
+ we consider eligible for inclusion here have requested to remain anonymous.
+Index: crypto/openssl/CHANGES
+===================================================================
+--- crypto/openssl/CHANGES (revision 279126)
++++ crypto/openssl/CHANGES (working copy)
+@@ -2,9 +2,376 @@
+ OpenSSL CHANGES
+ _______________
+
++ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
++
++ *) Build fixes for the Windows and OpenVMS platforms
++ [Matt Caswell and Richard Levitte]
++
++ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
++
++ *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
++ message can cause a segmentation fault in OpenSSL due to a NULL pointer
++ dereference. This could lead to a Denial Of Service attack. Thanks to
++ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
++ (CVE-2014-3571)
++ [Steve Henson]
++
++ *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
++ dtls1_buffer_record function under certain conditions. In particular this
++ could occur if an attacker sent repeated DTLS records with the same
++ sequence number but for the next epoch. The memory leak could be exploited
++ by an attacker in a Denial of Service attack through memory exhaustion.
++ Thanks to Chris Mueller for reporting this issue.
++ (CVE-2015-0206)
++ [Matt Caswell]
++
++ *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
++ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
++ method would be set to NULL which could later result in a NULL pointer
++ dereference. Thanks to Frank Schmirler for reporting this issue.
++ (CVE-2014-3569)
++ [Kurt Roeckx]
++
++ *) Abort handshake if server key exchange message is omitted for ephemeral
++ ECDH ciphersuites.
++
++ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
++ reporting this issue.
++ (CVE-2014-3572)
++ [Steve Henson]
++
++ *) Remove non-export ephemeral RSA code on client and server. This code
++ violated the TLS standard by allowing the use of temporary RSA keys in
++ non-export ciphersuites and could be used by a server to effectively
++ downgrade the RSA key length used to a value smaller than the server
++ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
++ INRIA or reporting this issue.
++ (CVE-2015-0204)
++ [Steve Henson]
++
++ *) Fixed issue where DH client certificates are accepted without verification.
++ An OpenSSL server will accept a DH certificate for client authentication
++ without the certificate verify message. This effectively allows a client to
++ authenticate without the use of a private key. This only affects servers
++ which trust a client certificate authority which issues certificates
++ containing DH keys: these are extremely rare and hardly ever encountered.
++ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
++ this issue.
++ (CVE-2015-0205)
++ [Steve Henson]
++
++ *) Ensure that the session ID context of an SSL is updated when its
++ SSL_CTX is updated via SSL_set_SSL_CTX.
++
++ The session ID context is typically set from the parent SSL_CTX,
++ and can vary with the CTX.
++ [Adam Langley]
++
++ *) Fix various certificate fingerprint issues.
++
++ By using non-DER or invalid encodings outside the signed portion of a
++ certificate the fingerprint can be changed without breaking the signature.
++ Although no details of the signed portion of the certificate can be changed
++ this can cause problems with some applications: e.g. those using the
++ certificate fingerprint for blacklists.
++
++ 1. Reject signatures with non zero unused bits.
++
++ If the BIT STRING containing the signature has non zero unused bits reject
++ the signature. All current signature algorithms require zero unused bits.
++
++ 2. Check certificate algorithm consistency.
++
++ Check the AlgorithmIdentifier inside TBS matches the one in the
++ certificate signature. NB: this will result in signature failure
++ errors for some broken certificates.
++
++ Thanks to Konrad Kraszewski from Google for reporting this issue.
++
++ 3. Check DSA/ECDSA signatures use DER.
++
++ Reencode DSA/ECDSA signatures and compare with the original received
++ signature. Return an error if there is a mismatch.
++
++ This will reject various cases including garbage after signature
++ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
++ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
++ (negative or with leading zeroes).
++
++ Further analysis was conducted and fixes were developed by Stephen Henson
++ of the OpenSSL core team.
++
++ (CVE-2014-8275)
++ [Steve Henson]
++
++ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
++ results on some platforms, including x86_64. This bug occurs at random
++ with a very low probability, and is not known to be exploitable in any
++ way, though its exact impact is difficult to determine. Thanks to Pieter
++ Wuille (Blockstream) who reported this issue and also suggested an initial
++ fix. Further analysis was conducted by the OpenSSL development team and
++ Adam Langley of Google. The final fix was developed by Andy Polyakov of
++ the OpenSSL core team.
++ (CVE-2014-3570)
++ [Andy Polyakov]
++
++ *) Do not resume sessions on the server if the negotiated protocol
++ version does not match the session's version. Resuming with a different
++ version, while not strictly forbidden by the RFC, is of questionable
++ sanity and breaks all known clients.
++ [David Benjamin, Emilia Käsper]
++
++ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
++ early CCS messages during renegotiation. (Note that because
++ renegotiation is encrypted, this early CCS was not exploitable.)
++ [Emilia Käsper]
++
++ *) Tighten client-side session ticket handling during renegotiation:
++ ensure that the client only accepts a session ticket if the server sends
++ the extension anew in the ServerHello. Previously, a TLS client would
++ reuse the old extension state and thus accept a session ticket if one was
++ announced in the initial ServerHello.
++
++ Similarly, ensure that the client requires a session ticket if one
++ was advertised in the ServerHello. Previously, a TLS client would
++ ignore a missing NewSessionTicket message.
++ [Emilia Käsper]
++
++ Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
++
++ *) SRTP Memory Leak.
++
++ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
++ sends a carefully crafted handshake message, to cause OpenSSL to fail
++ to free up to 64k of memory causing a memory leak. This could be
++ exploited in a Denial Of Service attack. This issue affects OpenSSL
++ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
++ whether SRTP is used or configured. Implementations of OpenSSL that
++ have been compiled with OPENSSL_NO_SRTP defined are not affected.
++
++ The fix was developed by the OpenSSL team.
++ (CVE-2014-3513)
++ [OpenSSL team]
++
++ *) Session Ticket Memory Leak.
++
++ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
++ integrity of that ticket is first verified. In the event of a session
++ ticket integrity check failing, OpenSSL will fail to free memory
++ causing a memory leak. By sending a large number of invalid session
++ tickets an attacker could exploit this issue in a Denial Of Service
++ attack.
++ (CVE-2014-3567)
++ [Steve Henson]
++
++ *) Build option no-ssl3 is incomplete.
++
++ When OpenSSL is configured with "no-ssl3" as a build option, servers
++ could accept and complete a SSL 3.0 handshake, and clients could be
++ configured to send them.
++ (CVE-2014-3568)
++ [Akamai and the OpenSSL team]
++
++ *) Add support for TLS_FALLBACK_SCSV.
++ Client applications doing fallback retries should call
++ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
++ (CVE-2014-3566)
++ [Adam Langley, Bodo Moeller]
++
++ *) Add additional DigestInfo checks.
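Review bot: In the crypto/openssl/CHANGES hunk (@@ -2,9 +2,376 @@), nothing visible says which of the imported fixes are new to the 10.0 branch with this patch. The hunk brings in release notes for three upstream releases at once (1.0.1i to 1.0.1j, 1.0.1j to 1.0.1k, 1.0.1k to 1.0.1l), and many entries carry CVE tags (for example CVE-2014-3571, CVE-2015-0204, CVE-2014-3566), while the patch is filed under EN-15:02 as an errata notice. The accompanying FreeBSD-EN-15:02.openssl.asc text should state which fixes are new, so administrators can judge how urgently to apply the patch. Two of the imported entries also contain upstream typos ("Thanks for Karthikeyan Bhargavan ... INRIA or reporting this issue", under CVE-2015-0204 and CVE-2015-0205). Since this is vendored text, keep it as imported and report the wording upstream rather than editing it locally. The diff output is cut off right after the "Add additional DigestInfo checks" entry, so the rest of the 58313-line patch is not covered by this comment.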
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***