From: Gordon Tetlow
Date: Tue, 15 Mar 2022 19:22:32 GMT
Message-Id: <202203151922.22FJMW0G069857@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject: git: ba3b824455 - main - Add EN-22:09 to EN-22:12 and SA-22:02 to SA-22:03.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Commit: ba3b824455f82aeca72ef6cd34cabf09672a2640

The branch main has been updated by gordon (src committer):

URL:
https://cgit.FreeBSD.org/doc/commit/?id=ba3b824455f82aeca72ef6cd34cabf09672a2640 commit ba3b824455f82aeca72ef6cd34cabf09672a2640 Author: Gordon Tetlow AuthorDate: 2022-03-15 19:18:42 +0000 Commit: Gordon Tetlow CommitDate: 2022-03-15 19:21:16 +0000 Add EN-22:09 to EN-22:12 and SA-22:02 to SA-22:03. Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 16 + .../advisories/FreeBSD-EN-22:09.freebsd-update.asc | 125 +++++++ .../security/advisories/FreeBSD-EN-22:10.zfs.asc | 134 +++++++ .../security/advisories/FreeBSD-EN-22:11.zfs.asc | 133 +++++++ .../security/advisories/FreeBSD-EN-22:12.zfs.asc | 128 +++++++ .../security/advisories/FreeBSD-SA-22:02.wifi.asc | 165 +++++++++ .../advisories/FreeBSD-SA-22:03.openssl.asc | 153 ++++++++ .../security/patches/EN-22:09/freebsd-update.patch | 25 ++ .../patches/EN-22:09/freebsd-update.patch.asc | 16 + website/static/security/patches/EN-22:10/zfs.patch | 45 +++ .../static/security/patches/EN-22:10/zfs.patch.asc | 16 + website/static/security/patches/EN-22:11/zfs.patch | 199 +++++++++++ .../static/security/patches/EN-22:11/zfs.patch.asc | 16 + website/static/security/patches/EN-22:12/zfs.patch | 44 +++ .../static/security/patches/EN-22:12/zfs.patch.asc | 16 + .../static/security/patches/SA-22:02/wifi.12.patch | 389 +++++++++++++++++++++ .../security/patches/SA-22:02/wifi.12.patch.asc | 16 + .../static/security/patches/SA-22:02/wifi.13.patch | 367 +++++++++++++++++++ .../security/patches/SA-22:02/wifi.13.patch.asc | 16 + .../static/security/patches/SA-22:03/openssl.patch | 92 +++++ .../security/patches/SA-22:03/openssl.patch.asc | 16 + 22 files changed, 2135 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index bfacfbf277..6a60b5b67b 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml 
@@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-22:03.openssl" +date = "2022-03-15" + +[[advisories]] +name = "FreeBSD-SA-22:02.wifi" +date = "2022-03-15" + [[advisories]] name = "FreeBSD-SA-22:01.vt" date = "2022-01-11" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 3ab79b1502..b246718740 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,22 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-22:12.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:11.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:10.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:09.freebsd-update" +date = "2022-03-15" + [[notices]] name = "FreeBSD-EN-22:08.i386" date = "2022-02-01" diff --git a/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc new file mode 100644 index 0000000000..a85ee4d0cf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc 
@@ -0,0 +1,125 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:09.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update creating erroneous boot environments + +Category: core +Module: freebsd-update +Announced: 2022-03-15 +Affects: FreeBSD 12.3 +Corrected: 2022-02-15 06:09:41 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:17:55 UTC (releng/12.3, 12.3-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +By default, freebsd-update(8) is configured to create new ZFS boot environments +on systems that are compatible with bectl(8). + +II. Problem Description + +When updating a jail or another root that isn't the system root using -b, +freebsd-update(8) will create a spurious boot environment despite the updated +root not causing a change in the boot environment. + +III. Impact + +Users that have used freebsd-update(8) with the -b or -j flags may have some +extra boot environments present on the system that did not meaningfully impact +the boot environment. + +IV. Workaround + +No workaround is available. Systems with "CreateBootEnv" set to "no" in their +/etc/freebsd-update.conf are not affected. Systems that do not use ZFS are also +not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. No reboot is required. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.3] +# fetch https://security.FreeBSD.org/patches/EN-22:09/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-22:09/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/12/ r371637 +releng/12.3/ r371743 +- ------------------------------------------------------------------------- + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cLudhAAmVnJH5dbgVkjuaiGI2fvdoKCZKlMIwvA+kUqgio6MaoiXIygWXgzbLmV +M3BSzEvyrB/pBen/Af3R+3hljjhiOId/3RCKP596fT53bpmWQh4TyAryDX9SmY/+ +mXfARp4MgkAi7bDjKQQMpDlyA5Lp3i/Hqyq6IjIZnk2O1PxhAAer+yoqnjBsDQUl +1SzM+T802NbclKx0nsM6ODFk8IvKmBjK1d6esApihDRzFX4qCXjuP+QMFSKAYEb4 +shZx6pGeDfqMhn8TkIydVhsjO16f7rUSxYoM1i93QZecVfxpWdQhh2OMG91G6ELu +9aQ+CsYPcQoWgkLqsnTuJXVpKQ+PmzIwfD/DHahFvXvkXhL7cXFNgctp/2kb/lPW +mgwPvguUzSJBu3tOs2RyVQTOTSzB+7Cf6hadhuBlzI4p/ZSViSIhI4hsE0Wln2TK +3k+WCCfhEoGZRt6pR1YEjqvjeSin9Rcjd5nSS0vE137pXpjzheXxGQFVtPDtjq28 +mkr4HM6XUafvCs8oqoitpzFRMRwYODEah+z5PXWSpvguhFfehihFBW82e/3YZhLF +2Ub4WkTFXhGx98lH5ofjnWS3kuqy7stG/5fk5gNHayCzPZjH2O6ecSGbBh4IZ9Xw +5vFR0Tfbzo+N/eTiyTq0pj0QK2JTE4cns+xxfEczfLYiGGyFmPE= +=Uh7O +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc new file mode 100644 index 0000000000..83b00d4553 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc 
@@ -0,0 +1,134 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:10.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS writes fail to update file size + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2022-02-21 14:59:58 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +FreeBSD's virtual filesystem layer includes a deadlock-avoidance +mechanism to handle situations where a read(2) or write(2) system call +is invoked and the user-supplied buffer lies within a mmap(2)-created +mapping of the target file. Individual filesystems, such as ZFS, must +implement a portion of the deadlock avoidance protocol. + +II. Problem Description + +The implementation of the deadlock avoidance protocol in ZFS's +implementation of write(2) was incorrect and could, in certain +circumstances, cause an appending write to a file to fail to update the +file size despite returning success to the caller. + +III. Impact + +The bug may cause application misbehavior; the precise effects depend +on the nature of the application triggering the bug. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:10/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:10/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ b55a7f3422d7 stable/13-n249621 +releng/13.0/ 9dc74c5a4b3d releng/13.0-n244783 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cJP2Q//fDLZ876IGCxtcyCc5eNrOgI7V4P/ajQ2Jz3VYvd3NAag4bbfV8OQKTy8 +dn62/bhjmKEDGjLAs2oHrlT+G0gEEYLnxZGzgcHo0UFo9FIEmCV18zEFXGipFMeH +b9pCexvy1a7EH97voS7Mr6V+Bktj3Vcq3B0yIXRxoGxcRvTFTpc5rpYzs8RZWHiu +tzUij2bmtrtXh7oJgmF83roujwNEJele9IY2+AMJ/URtGmxuJ54KN1hNTkeGknMd +WtEarFz7HDoXuy7WDysgwUSdq6s+o+rWm/+knflCFXvYqetjm3Kwl35wBr0hch6f +rb59AIZ1RVN8LsZZT6UNaxsQINEPb4RF9T132nYlMlQPdulEBjWiKI7Y4VSMUSXr +Xtz54FMouRXi/WdgJL7P7CxY3+t+1zWorBvI25jnkEp5mhEhd7DVTgy2Sw0sNI4F +iAYGBmpFyE6pGmJOaz6WLGV96sK9m0/RmmZXwPah5cwBMy4qUFnuPgoT91h8LRIr +5SKLm010lyPxsThcb1NRrqsd4LIUhYb6bZNgOmCd5OcSC03+aUjxEyrmM90Hjtb4 +yhANSTVExJB9bXNnb1rWtdO1inrjb3YAUpd6CpuK3vct/LWw9b0ehuRdJKFDgLtC +dVPQZYc89dcjZNnDWFJ94D2Inoae7oT0o2+nULURXyLABWSDYs0= +=+FRE +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc new file mode 100644 index 0000000000..60462a6f36 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:11.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS lseek(2) inconsistencies + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2021-12-19 15:25:26 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +File "holes" are used by filesystems to limit the amount of storage +space occupied by a file containing long runs of zero bytes. Rather +than filling disk blocks with zeroes, file metadata can indicate the +extent of such a run and the filesystem hides the distinction from user +applications. + +II. Problem Description + +When a file containing holes is mapped using mmap(2), mapped regions +of the file may be ignored by lseek(2) when SEEK_HOLE or SEEK_DATA are +passed as the "whence" parameter. + +III. Impact + +The bug may cause application misbehavior; the precise effects depend +on the nature of the application triggering the bug. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:11/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:11/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 3aa1cabca37d stable/13-n248633 +releng/13.0/ f5be20afc356 releng/13.0-n244785 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cIYqA/9HFBfFjdHnU6exTxpeSC3Rf2EcNqkPd/nbT3jP1TGUXHMHCO72rNOuUZB +xVWT7+js4zRkJCAKkqkW9Xww5N3nzrIISFzYKHK5rgzIDA/tlKvcau8WLiRDe8JD +HC1vOVn44tdS9UorxG01lNhSuoNkqoTf1I7ReOzt2L305rzlqVX61T5JzOHMhnFh +enPXcrrVUdw99TgYjUBXrD7qOjDEGP2ZdsUUwnRPLJ6slQQDzE2R2mNRd6tIM8In +RgAZUxkHZ+QDhGYJs7d7uRXDkvXAOgOtzZt/EO+3vOmLvth8b9DzN5TSSv6oZ8le +wWLBPbW8SMBzBAJ6pBbg+AZGg1qMlO8rGyGKyeGOF9hk78SunbdPQ116DYDZS2Yj +jzIu9JXyLLonpXLIIzhQ2alo8xm5vvDN4Hqay92xKJvGJdq+M1hTQ7sVYioxBYP/ +l6gGSgKEJuMukW0qryGvcm5a4qpfpcJYnCMegwDGHwLY+jHkA+Rl54kYKFQQ6OlO +P7/PW+JytcLiD6vuQ+9++6ccM3l2/otyGYhEyLvBmeTnxfy8S3L409NEeYQJrsXW +tjnfXP18rHReI01nBpCU88+HalxDH+Ge1iwY+RkoLpbd2g/VQF1py73mJkjTY8He +N+3Gvx77vmuGzPoGFWo6WNsBt2WQIEGowpTm9Z6i4RIUF9c7LOo= +=X7kd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc new file mode 100644 index 0000000000..dcb85ca049 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:12.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS panic upon concurrent 'zfs list' calls + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2021-04-04 13:18:45 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +II. Problem Description + +A race condition due to incorrect locking can cause a panic when multiple +invocations of 'zfs list' occur in rapid succession. + +III. Impact + +An unprivileged user can trigger the race condition, resulting in a +panic and denial of service. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch https://security.FreeBSD.org/patches/EN-22:12/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:12/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ cf2a72643460 stable/13-n245102 +releng/13.0/ 0abaf7f63023 releng/13.0-n244784 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cLz+Q/9FTU5djSE02eqK6IKqWOZDre30OF8KFnBZz9CwnCagyTlxWFvZNscZe30 +a4vm01GyPhKXzWcCgkze5kc8h0E4hGD2zFU0N+oYRGRBQyl3B+DEpKKMZ+SUlYdo +fRAhW4j1btD/zUhK9F5xshtMsbswMyN9wWu8iuK7QDReEgTnQj21Ca4r/Qwn+Y2z +5vMfjeUdBxfMZNomESBTfFtI6FYgpAQmjmdaT0nfJzOjm+uf+Xe5qTzka+XMjj6/ +7mveWg7qv2OsTa9Wj0isbydGooVH65RBdtFacabWfh8MsNVZaFztHsfxGhyDAIwA +A4YhD8fkFdQk7KpB8R1i2TTWJF+zt0tMQwBVMsv41rUDytINmwVF+y18XGLzKggY +rb0YRsIGLjI6V35ESiepUPYqgNLrhQiYG/uGOX5cs+5vwsm1ecbq3gHB7TL3ZiDR +RimxtHfrXM3wMsFacgcKpYZ+lYlF8QS/xcc+p8FrBztPjnRxco7Pxw7ZAm5jJqlk +AbAN0gMCwyeX4kBX99NKYVrYOiTO6XsE/DDuyO/UCTiLnxh1onKUJZiolgpbatz/ +z1hnBvA6BrXtWuRA5+9SM3zNKNjHh6pmsSCrG/3XAQhOXzI7gwhzKIlunccA8yaJ +4ytPNW16OO+mhpewszXvBU/3OG937W3XmFpgNjzkCtVRGBfUUts= +=YnFH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc b/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc new file mode 100644 index 0000000000..f2ae1d0acf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc 
@@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:02.wifi Security Advisory + The FreeBSD Project + +Topic: Multiple WiFi issues + +Category: core +Module: net80211 +Announced: 2022-03-15 +Affects: FreeBSD 12.x and FreeBSD 13.0 +Corrected: 2021-11-19 00:01:25 UTC (stable/13, 13.0-STABLE) + 2022-03-15 17:45:36 UTC (releng/13.0, 13.0-RELEASE-p8) + 2022-02-15 16:05:49 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:18:08 UTC (releng/12.3, 12.3-RELEASE-p3) + 2022-03-15 18:17:30 UTC (releng/12.2, 12.2-RELEASE-p14) +CVE Name: CVE-2020-26147, CVE-2020-24588, CVE-2020-26144 + +Note: This issue is already fixed in FreeBSD 13.1-BETA1. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD's net80211 kernel subsystem provides infrastructure and drivers +for IEEE 802.11 wireless (Wi-Fi) communications. + +II. Problem Description + +The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and +Fragmentation" reported a number of security vulnerabilities in 802.11 +specificaiton related to frame aggregation and fragmentation. + +Additionally, FreeBSD 12.x missed length validation of SSIDs and Information +Elements (IEs). + +III. Impact + +As reported on the FragAttacks website, the "design flaws are hard to abuse +because doing so requires user interaction or is only possible when using +uncommon network settings." Under suitable conditions an attacker may be +able to extract sensitive data or inject data. + +IV. Workaround + +No workaround is available, but the ability to extract or inject data is +mitigated by the use of application (e.g. HTTPS) or transport (e.g. TLS, +IPSEC) layer encryption. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.0] +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch.asc +# gpg --verify wifi.13.patch.asc + +[FreeBSD 12.x] +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch.asc +# gpg --verify wifi.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 6acb9d5f955b stable/13-n248098 +releng/13.0/ 0d1db5c3257e releng/13.0-n244782 +stable/12/ r371640 +releng/12.3/ r371748 +releng/12.2/ r371740 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5aoACgkQ05eS9J6n +5cLuYw/+OtkGeEYFTmwoZrFn105OOhi1MHjopUmW3B3FDeIMP2BnULkCodLKpDqx +WNROwaLBZ/FSHdX+rwcFhZVKksGuXafRY2bywDfJNCRmSIRjSEiSozIkJbihmKYq +SAWxUwbZxkg+MPtgoiUNocXZhFplN4E1VmfZl6XDfcd9jrFTuNiMKPKWzW8haI7R +H3Tovh6GgRLFfP5nnY2X8xZSSrxqkzXj4iRHJDedu6nmBFtsB34kjhW42fpycM/c +irhHBApfgl9XW31sLSFP2lwhq36AVD27SaYKDWxAv4ywp6PiwPTTNr8lwk05Z0jp +z76f3ZIBDhz3M3qzphMQ5wj6CB7SqTrgSD0WDZchdgDk904BdNum3vNRTO4x9iSB +czlXk/utMbupW8AU9rjdKWeMz0DBpDGckjZq1Ot8+fSwbiLkPCjpYTDsxqiLZs6i +xp/qjDW8rUKbgQSztSq3svF58dY74TLZ34rN0cqVPgvfpG1/fbM4W63vR0b4YG/5 +mv4OKXe5whJmh1OVrrVSX/ttyTFm6JpNFRxpXCkRKOgNICevw9yHlvx8uE6rVKde +P7PXAdRT48gcmN9gIscFuRwt2glvChYuH6ncF1jMQmfoAMTlDGRATQUuDy81fIw9 +va3fiGDy2FsenAQYa4UwaA/iCodjaC0cNjNnf2cc9nZEnuq86l8= +=Cjzd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc b/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc new file mode 100644 index 0000000000..79aa990d28 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:03.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL certificate parsing infinite loop + +Category: contrib +Module: openssl +Announced: 2022-03-15 +Credits: Tavis Ormandy from Google +Affects: All supported versions of FreeBSD. +Corrected: 2022-03-15 16:51:46 UTC (stable/13, 13.1-STABLE) + 2022-03-15 17:42:48 UTC (releng/13.1, 13.1-BETA1-p1) + 2022-03-15 17:43:02 UTC (releng/13.0, 13.0-RELEASE-p8) + 2022-03-15 16:56:09 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:17:50 UTC (releng/12.3, 12.3-RELEASE-p3) + 2022-03-15 18:17:16 UTC (releng/12.2, 12.2-RELEASE-p14) +CVE Name: CVE-2022-0778 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +The BN_mod_sqrt() function, which computes a modular square root, contains +a bug that can cause it to loop forever for non-prime moduli. This function +is used when parsing certificates that contain certain forms of elliptic +curves. + +III. Impact + +A specially crafted certificate with invalid explicit curve parameters may +trigger an infinite loop, leading to a denial of service. Since certificate +parsing happens prior to verification of the certificate signature, any +process that parses an externally supplied certificate may be affected. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 5f3d952f6e6b stable/13-n250020 +releng/13.1/ 942b5e156d41 releng/13.1-n249979 +releng/13.0/ 3847c17aa23a releng/13.0-n244777 +stable/12/ r371734 +releng/12.3/ r371742 +releng/12.2/ r371735 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cKZqQ/8D7qHRsnXGENtJqjN9Nt2VRiBeO5GKrhBJFVS8/cgVvlgDPFIrWOA/b7v +p386eSIRPA3BGpEzP6cQddM/pogHFjSuskSznkNvfsUeZ7B9avODNvHykiODMajU +ACv/JZ8IU9rWR2C3DqtlnVqKt3N8Pa8ZpxUCpYDeBEMIaYn/UOUZ9PmZZtaCJ1jz +ZSsel99VvA7RdSd58ahb9Mga6KLDdp4bVVftfpepihTOu7pfmxZqrG7W+1pld/wd +R88yGEDxyDD9/qDToA13i8+gAU5P5ASmzfNNqVwzJ4QLlkk2OrJBFKCLl+1BrR2p +w6r3eZzx9SexCSJ9jLw54rezpXgLyJ/+fURHtKVOu39ELqZmftBgBYS0gxWiQ6jH +Wx3lrPjjskFBp4MO5uBChnF8BIpGZN2guLpQkPtHCiaa469OI/NI5zarvXYvGPJL +j4BMZtQQWGj2WIFWmMu7fvkhYOgVWmyjS4SWEwom7UGLq1EJKb9Rau9e4TOr8bYw +EQV5c71Wn7IV9Oga1rPVRUe2hHAX1VkvhVm49G47V2gyvmPwXwwbVe7byW8Mz46j +znkTSmAzHNbXFcJV+aPXejGRDvg0H+wfDyQFlN32IXdyVrbphRjekOu2Ftn8eWS9 +SkEdbvYP5x192NpBgfpHo5tc2CJHcM4xKg7WAIUk0vrK7aSgPoc= +=TDUh +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:09/freebsd-update.patch b/website/static/security/patches/EN-22:09/freebsd-update.patch new file mode 100644 index 0000000000..abd72d631c --- /dev/null +++ b/website/static/security/patches/EN-22:09/freebsd-update.patch 
@@ -0,0 +1,25 @@ +--- usr.sbin/freebsd-update/freebsd-update.sh.orig ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -890,7 +890,12 @@ + install_create_be () { + # Figure out if we're running in a jail and return if we are + if [ `sysctl -n security.jail.jailed` = 1 ]; then +- return 1 ++ return 1 ++ fi ++ # Operating on roots that aren't located at / will, more often than not, ++ # not touch the boot environment. ++ if [ "$BASEDIR" != "/" ]; then ++ return 1 + fi + # Create a boot environment if enabled + if [ ${BOOTENV} = yes ]; then +@@ -911,7 +916,7 @@ + esac + if [ ${CREATEBE} = yes ]; then + echo -n "Creating snapshot of existing boot environment... " +- VERSION=`freebsd-version -k` ++ VERSION=`freebsd-version -ku | sort -V | tail -n 1` + TIMESTAMP=`date +"%Y-%m-%d_%H%M%S"` *** 1328 LINES SKIPPED ***
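Review bot: in FreeBSD-SA-22:03.openssl.asc, Solution step 2a, the reader is told to run `gpg --verify openssl.patch.asc` but is never told which key the signature must come from or where to obtain that key. With an empty keyring gpg cannot check the signature at all, and with the wrong key imported there is nothing to compare the result against. Suggest adding a line to step 2a that points to where the signing key is published, and saying that step b should only be run once gpg reports a good signature from that key. A smaller point in step b: `patch < /path/to/patch` uses a placeholder path while step a downloads the file as openssl.patch, so naming the same file in both steps would remove a guess.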
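Review bot: in the first hunk of freebsd-update.patch (install_create_be, @@ -890,7 +890,12), the new guard `if [ "$BASEDIR" != "/" ]` is a literal string comparison, so an equivalent spelling of the root such as `//` or `/.` would take the `return 1` path and skip boot environment creation even though the running system is the one being updated. Unless BASEDIR is canonicalised earlier in the script, which these lines do not show, suggest resolving it before the comparison or stating in the comment that only a literal `/` is treated as the live root. The removed and added `return 1` lines in the jail check above it appear to differ only in whitespace; if that is an indentation fix it would be cleaner as its own change.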
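Review bot: in the second hunk of freebsd-update.patch (@@ -911,7 +916,7), the new line `VERSION=`freebsd-version -ku | sort -V | tail -n 1`` has no comment explaining why both the kernel and userland versions are queried and only the highest one kept, which is not obvious from the line itself; a one-line comment above it would help. Also note that the exit status of the pipeline is that of `tail`, so if `freebsd-version` fails or prints nothing, VERSION is silently empty. Suggest checking for an empty VERSION before it is used for the snapshot.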