From: Gordon Tetlow
Date: Tue, 1 Nov 2022 22:09:30 GMT
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject: git: f9f3f4b9a1 - main - Add EN-22:21 through EN-22:27.
Message-Id: <202211012209.2A1M9UIa055251@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f9f3f4b9a13c9e4107f78d997719cfb0c0bdd869

The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=f9f3f4b9a13c9e4107f78d997719cfb0c0bdd869

commit
f9f3f4b9a13c9e4107f78d997719cfb0c0bdd869 Author: Gordon Tetlow AuthorDate: 2022-11-01 22:08:49 +0000 Commit: Gordon Tetlow CommitDate: 2022-11-01 22:08:49 +0000 Add EN-22:21 through EN-22:27. Approved by: so --- website/data/security/errata.toml | 28 + .../security/advisories/FreeBSD-EN-22:21.zfs.asc | 135 + .../advisories/FreeBSD-EN-22:22.tzdata.asc | 180 ++ .../security/advisories/FreeBSD-EN-22:23.vm.asc | 130 + .../security/advisories/FreeBSD-EN-22:24.zfs.asc | 130 + .../security/advisories/FreeBSD-EN-22:25.tcp.asc | 140 + .../security/advisories/FreeBSD-EN-22:26.cam.asc | 128 + .../advisories/FreeBSD-EN-22:27.loader.asc | 127 + website/static/security/patches/EN-22:21/zfs.patch | 23 + .../static/security/patches/EN-22:21/zfs.patch.asc | 16 + .../patches/EN-22:22/tzdata-2022f.12.patch | 3183 ++++++++++++++++++++ .../patches/EN-22:22/tzdata-2022f.12.patch.asc | 16 + .../patches/EN-22:22/tzdata-2022f.13.patch | 3183 ++++++++++++++++++++ .../patches/EN-22:22/tzdata-2022f.13.patch.asc | 16 + website/static/security/patches/EN-22:23/vm.patch | 26 + .../static/security/patches/EN-22:23/vm.patch.asc | 16 + website/static/security/patches/EN-22:24/zfs.patch | 12 + .../static/security/patches/EN-22:24/zfs.patch.asc | 16 + website/static/security/patches/EN-22:25/tcp.patch | 104 + .../static/security/patches/EN-22:25/tcp.patch.asc | 16 + website/static/security/patches/EN-22:26/cam.patch | 18 + .../static/security/patches/EN-22:26/cam.patch.asc | 16 + .../static/security/patches/EN-22:27/loader.patch | 14 + .../security/patches/EN-22:27/loader.patch.asc | 16 + 24 files changed, 7689 insertions(+) diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 657fa4133e..abe9329081 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml 
@@ -1,6 +1,34 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-22:27.loader" +date = "2022-11-01" + +[[notices]] +name = "FreeBSD-EN-22:26.cam" +date = "2022-11-01" + +[[notices]] +name = "FreeBSD-EN-22:25.tcp" +date = "2022-11-01" + +[[notices]] +name = "FreeBSD-EN-22:24.zfs" +date = "2022-11-01" + +[[notices]] +name = "FreeBSD-EN-22:23.vm" +date = "2022-11-01" + +[[notices]] +name = "FreeBSD-EN-22:22.tzdata" +date = "2022-11-01" + +[[notices]] +name = "FreeBSD-EN-22:21.zfs" +date = "2022-11-01" + [[notices]] name = "FreeBSD-EN-22:20.tzdata" date = "2022-08-30" diff --git a/website/static/security/advisories/FreeBSD-EN-22:21.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:21.zfs.asc new file mode 100644 index 0000000000..658e035d7b --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:21.zfs.asc 
@@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:21.zfs Errata Notice + The FreeBSD Project +Topic: ZFS B-Tree use-after-free +Category: contrib +Module: zfs +Announced: 2022-11-01 +Credits: Richard Yao and Coverty Static Analysis +Affects: FreeBSD 13.1 +Corrected: 2022-10-04 15:52:45 UTC (stable/13, 13.1-STABLE) + 2022-11-01 18:03:25 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +II. Problem Description + +The B-Tree implementation in ZFS contains a heap use-after-free bug. When +removing entries, the node memory is freed before it is removed from the tree, +and the remove operation itself requires modifying the memory containing the +node. This creates a race window when one thread is removing data from the +B-Tree and another is performing an allocation. In the case the removing +thread loses the race, it will corrupt the B-Tree. + +III. Impact + +The use-after-free can cause system instability or data corruption. + +Systems with debug kernels may sometimes detect this issue after a kernel +memory corruption has happened. When they do, they will trigger a kernel +panic to protect the system from further damage. The following is printed +to dmesg at the time of the panic: + +panic: VERIFY3(zfs_btree_find(tree, value, &where) != NULL) failed... + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and then reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:21/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:21/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ f193a24ec570 stable/13-n252634 +releng/13.1/ 8838c650cb59 releng/13.1-n250167 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhlpgACgkQ05eS9J6n +5cJtMQ//aZXPrFWqJxVIn87FtHClwKykAaWWcN+iuT4wTVss0OTbaFc1k+UBPf+9 +wdjmt6Io9xUK4FT5TcMIyzF6I7XaxG/up8572NPUQp+eOa4AI8862QLLF7pi26RT +Fyb+Ywjsw1d30NXcTE4+K5UMUgISFVFkor9d07wWd7sQwU/o4bzHBWFSFSI18l70 +zsjyN3wrLQaSHmBb6kZ7OrycBc52Rw00segXCJGxLEpiViPSC5HY6DJYdWyn0bNM +1xvG3DkYQDBWGNQgWB6ldOM5nmOqY6zSPFTK9byqOwz6CHmfRYqmLpx3czuAO3U6 +PpsTYG7PKpFBviP99jg6XsEYigoMHaHIcBzUSP+DYYO9JlyrzRmbQ6MIkRN+YD59 +1CK0n7+WuQpjBXgFmIEKtM2xJ4sh+aQxdV4SwIEmMTAaNs4PFivNzEgwpj4Txh+q +aUbY6l9O2H8ERvFokF94/ea5ahOhVaTgaipN2O92rvldiy3zTqv5DP3hX4tU1oaG +n0s57pn/uF+aYVMtzk1opNpZdqH8AkKX1Q7Opha/IEvnk48Njgbwtf9HVEeo65Ec +njvc63PZel0cbzk6ZA4BS7BX3UtSHURmFOjiRUV1DI9yUsLXuEbM0LtH3Zpgyzr0 +7U+YHLB4z3LxdK9ZuWo2uSCF/5iVyyjGSdOGuu2ISJis+vp9PCg= +=9c/T +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:22.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-22:22.tzdata.asc new file mode 100644 index 0000000000..45991ec800 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:22.tzdata.asc 
@@ -0,0 +1,180 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:22.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2022-11-01 +Affects: All supported versions of FreeBSD. +Corrected: 2022-11-01 01:06:25 UTC (stable/13, 13.1-STABLE) + 2022-11-01 18:03:24 UTC (releng/13.1, 13.1-RELEASE-p3) + 2022-11-01 01:07:17 UTC (stable/12, 12.4-STABLE) + 2022-11-01 20:35:42 UTC (releng/12.3, 12.3-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The IANA Time Zone Database (often called tz or zoneinfo) contains code and +data that represent the history of local time for many representative +locations around the globe. It is updated periodically to reflect changes +made by political bodies to time zone boundaries, UTC offsets, and +daylight-saving rules. + +FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. +The tzsetup(8) utility allows the user to specify the default local time +zone. Based on the selected time zone, tzsetup(8) copies one of the files +from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected +for an individual process by setting its TZ environment variable to a desired +time zone name. + +II. Problem Description + +Several changes to future and past timestamps have been recorded in the IANA +Time Zone Database after previous FreeBSD releases were released. This +affects many users in different parts of the world. Because of these +changes, the data in the zoneinfo files need to be updated. If the local +timezone on the running system is affected, tzsetup(8) needs to be run to +update /etc/localtime. + +III. 
Impact + +An incorrect time will be displayed on a system configured to use one of the +affected time zones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated version of the IANA Time Zone +Database from the misc/zoneinfo port and run tzsetup(8). + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Please note that some third party software, for instance PHP, Ruby, Java, +Perl and Python, may be using different zoneinfo data sources, in such cases +this software must be updated separately. Software packages that are +installed via binary packages can be upgraded by executing 'pkg upgrade'. + +Following the instructions in this Errata Notice will only update the IANA +Time Zone Database installed in /usr/share/zoneinfo. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 13.1] +# fetch https://security.FreeBSD.org/patches/EN-22:22/tzdata-2022f.13.patch +# fetch https://security.FreeBSD.org/patches/EN-22:22/tzdata-2022f.13.patch.asc +# gpg --verify tzdata-2022f.13.patch.asc + +[FreeBSD 12.3] +# fetch https://security.FreeBSD.org/patches/EN-22:22/tzdata-2022f.12.patch +# fetch https://security.FreeBSD.org/patches/EN-22:22/tzdata-2022f.12.patch.asc +# gpg --verify tzdata-2022f.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch -E < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 46d324ec6502 stable/13-n252892 +releng/13.1/ 0bcdf24a7cf3 releng/13.1-n250165 +stable/12/ r372688 +releng/12.3/ r372694 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhl5cACgkQ05eS9J6n +5cLCHg/5AX0d3XNjxGdEhrn8d9xFEtnV75WJKJ+o+jHUCfYNnTD1EJY3Q9EbIoWT ++52Qgcr8HVTZKxKaMoEaR8iDMNwzYbQ1PZrRlXbE8Iant4ULw4cgctIaxtNtUMSM +wRJatQ1LjXp9VjdLv8BCn1jXoVFstUjonLskQ8tNOUrvF1APGgXZRC/B+kt/gs1L +9b2Qs5vZ4e1ycfFiQyw1+ACpQjFB/s4XaN1BQx5JdFBpK8uhg4/LaxMIKA5Fmixh +xNb+VJ6kCxi0swTzsqKnU67OM5k4Dl+loz82d5X3imB4EZmJ6Pv7e9XX2EfGpQXz +5ABxbEzAqN7GCRmCV86dZYThLJiw+vCJnAyX5hXsFup09UpInN7xzrlJ7BiRZ254 +CBtPmj0d6tedkUahG0/GxgU8zl8L3MU/Mwbvg8wHcejciTrjcj94TZBRUxq88E+8 +DHEMsumzSAmD73CWrpUG6KsdtmA55opKodqeCwSG7zmzibaMKYabPJ/4Yq7kZNnq +58uiMLwk2CYwZfbqEHdbUP96G7BxINY1rMHq72kbZ02PzYkFA2vDFM84EqZq1F9B ++ET3Nkucx0FIVhd/zU5cYKuvC7+REXpIxy0SagVumBMgNiREeRwgVC7mghCuM3Vy +DC40UWQBY4SHzU+LpKiagArRJZVPMMA2zbSyp7BkS546oAaHn1Y= +=TNmt +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:23.vm.asc b/website/static/security/advisories/FreeBSD-EN-22:23.vm.asc new file mode 100644 index 0000000000..dfdb6cd733 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:23.vm.asc 
@@ -0,0 +1,130 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:23.vm Errata Notice + The FreeBSD Project + +Topic: Memory pages become unreclaimable + +Category: core +Module: vm +Announced: 2022-11-01 +Affects: FreeBSD 13.1 +Corrected: 2022-10-12 13:49:25 UTC (stable/13, 13.1-STABLE) + 2022-11-01 13:28:11 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The FreeBSD kernel's VM subsystem manages system memory. Among other +responsibilities, it provides a page allocator and maintains a pool of +free pages. When this pool is depleted, the VM reclaims allocated pages +from a set of page queues. + +II. Problem Description + +In certain workloads, allocated pages are not enqueued as they should +be, causing them to become unreclaimable when free memory is scarce. In +some situations the memory may become available again following restarts +of services (e.g., database servers) which are triggering the bug. + +III. Impact + +System memory could become inaccessible to the page daemon, resulting +in less memory available for caching. In some cases this can result in +out-of-memory process kills. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +5min "Installing errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:23/vm.patch +# fetch https://security.FreeBSD.org/patches/EN-22:23/vm.patch.asc +# gpg --verify vm.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 6094749a1a5d stable/13-n252707 +releng/13.1/ 4867d7d34dfd releng/13.1-n250160 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhlqQACgkQ05eS9J6n +5cKKfg//f+YhLk47E5Bk/KZ07ONQ7xN0W9YZyz1P4iLc85LIaszC8+L8auwM+uR4 +ufvo4ToDzbDq0v+2mHUdgQ7CVylOzAb114z8ZFADHhlBJeft5pdzm+/R3wfqADbm +VL2I6uqjsQiH41umNgZQtyQh15LBWUlvrDd7r5dGVMzU0+VXNTngP58Jn7kqiUPg +jwUQk6l/PPRLRGqX5RJHoz8traCLsd7i+58/FPyaofrtrwl97uxtcbBEcPvcXsrL +yTnTcyPHnR8lqgmNXExcOPxfMBFz0sXgfDIXebnEP+inMx4gF2U3CBJuTCww8NWV +M4R7bj1HjWw8WZV1dZUFB73qx4r51iKanYQsqFVEWl7KnhQL6zG8nCt4iPR0wiKJ +x7qIRGtXCgzZieg0fQnsNjSdjjiIQmLCOq6BTmG1X5tcLF7hAM8D42RFGSbvLhNU +cGP/1Gd1iK72VqBRCSHKhZi79//YA8lI+f3b7ORMB9Q5cmy9l0A0nMO2EpBdc7x/ +0VGSXMaVaegaKGb3vXteVvmqtHAWg2NiBMgUHb3oMEXdbjsymmgkCsTciuiYDLxQ +Y/XdbtMHZi7VpZNS3Qt6wIpAEhSDxYsgf2+7/22Ni09Awn5H2/F3DCeo0dU8hWR1 +gksYdLbwRI+By8hguqALkpC1lP/M8Hc/HBrEiG6OqY+OvZr43OA= +=n7Mz +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:24.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:24.zfs.asc new file mode 100644 index 0000000000..b8a30a101f --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:24.zfs.asc 
@@ -0,0 +1,130 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:24.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS snapshot directories not accessible over NFS + +Category: core +Module: zfs +Announced: 2022-11-01 +Affects: FreeBSD 13.1 +Corrected: 2022-10-27 12:00:01 UTC (stable/13, 13.1-STABLE) + 2022-11-01 13:28:11 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +Snapshots of a ZFS dataset can be accessed through a hidden directory, +.zfs/snapshots, located in the root of the mounted dataset. + +II. Problem Description + +A kernel regression caused all dataset snapshot directories to become +inaccessible over NFS. Any attempt to access individual snapshots would +return an error message mentioning a stale file handle. + +III. Impact + +Workflows which rely on ZFS snapshots being accessible over NFS are +broken. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +5min "Installing errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:24/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:24/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 562c9ac58c76 stable/13-n252848 +releng/13.1/ 7ab877cb3f9d releng/13.1-n250159 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhlqQACgkQ05eS9J6n +5cJZcg/+MejjhAq/rpPema1jiqGkD8eTRTw+zmufvqBKwnLdZycwndza2su7xpD+ +30dbVVcY5Suhr5mElt5C6mdU+YCrqLG9o1zAI9QX7hx3PsnqIMBzudgK9TkjtK2n +WiG36PvA+rSIdjE8jw2quv9LMLycRiSevQGWDiD4rGm7JLdet2XH4ioHy1v3rPWe +kB4365zSmPGi4fLalpEFYD6pid2kbS0gUZvhxrEAoy11WFwT+upjdlfD0aJDsoTo +8wvZ1hvoHGYjsmYXLSKmJXO+6J0pTnI5QuohySi0RYUEFtws1IlD+JIxWUdP8ejh +ODPX2mDpP3ySl26HbTzCViJkd3z87F9hV8jaxo57azrD9kYpsWLq/UtsB2Fr2hcA +tYFCvqQ7fftx6Pf5xLOQvQTqwlFpx6M+EoWUV8RKa11jdMv6ndbMuZoY0j99iuYD +qEqi4T08b10SeI7aueOJZGuEYAab5ZcULgA1OOmmetIyAZccGcbvDqUajNabS+QC +QKgHNi94ZVJbEyFTQ9cnZBFn1/Bet9pC9Yj/5qtVsN9a5cKD0t1TEeXWZtZ+Qkm8 +V73qmq3qty2QfPqw7spVykIUzHlOyongMGNQx0sPHDDy5UucFtv6Itj6o/nlhuo1 +veecgamjvnPzROzCTe/UVbp7tliv6fpTHDc/T+ewQwF03xJoA1Q= +=8q+F +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc b/website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc new file mode 100644 index 0000000000..34870f06c0 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:25.tcp.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:25.tcp Errata Notice + The FreeBSD Project + +Topic: Possible data corruption with TCP SACK retransmissions + +Category: core +Module: tcp +Announced: 2022-08-28 +Credits: Richard Scheffenegger +Affects: FreeBSD 13.1 +Corrected: 2022-09-14 01:28:03 UTC (stable/13, 13.1-STABLE) + 2022-11-01 13:28:11 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +TCP supports an enhancement that allows faster recovery and retransmission of +data when loss is discovered called Selected Acknowledgements (SACK). + +SACK allows a TCP sender to communicate more information about which segments +are lost. During a SACK episode a TCP sender will reduce its rate to avoid +causing congestion on the network. + +II. Problem Description + +A change made to make TCP more resilient and effective when handling loss +recovery by SACK, could lead to connection interruption when incoming ACKs +suddenly no longer contain SACK blocks. + +III. Impact + +This can lead to correct data being placed at the wrong offset in the +stream in a non-deterministic manner. This can result in termination of +the TCP connection by the application or in the worst case silent data +corruption. + +IV. Workaround + +Disable SACK globally by setting the net.inet.tcp.sack.enable sysctl to 0: + + # sysctl net.inet.tcp.sack.enable=0 + +Note that this will only affect new connections. Thus, either persist the +setting in /etc/sysctl.conf and reboot, or ensure that any critical connections +are restarted after modifying the sysctl setting. + +V. 
Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is required for these changes to be applied. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is required for these changes to be applied. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:25/tcp.patch +# fetch https://security.FreeBSD.org/patches/EN-22:25/tcp.patch.asc +# gpg --verify tcp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 2b8ee332b938 stable/13-n252399 +releng/13.1/ dd35207e2025 releng/13.1-n250162 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhmIQACgkQ05eS9J6n +5cLiKA/+NSB8VRq7tjXC0+MFQAPEL9YUtQYyRfn8u3YywHli/6RTeTQPKfd6BnvK +T1clrnVFgp97QG948WAQ7ehct1GRAlrOagVHP0DnQqqQnTmoIVO0vyMVlQ1ONcAY +GO3VxZfEUJhbtcSLIdT03RG3Y+lK7R4Bs6mplkBUpVGOtrhtdmNBULgC8N1HiwHg +wJJpr/9/EMPqGXVtm1MzvgeKH4SIfNsDoiS4W90g1CepsPWylY+vsVjPhXR74gxz +peNHKFQM7SpTm1hc9YqwjyU5qFExq/O+je273sykyld6ZcJCpKe50+dE8D+gHpu6 +6CwiLb+uDQcF3RN9ofunRDvpYdtl1muT2/zQQ6yJ6DWJzvWpav+PTA4gEeDj8b+b +eu8wR7IoSPAHxqnGrvmB1EVn1tvFLF/mtcsrE1fdGviNf5LI/P5OYgZ6pkHaEJoN +NNnhPWZlteFsXYvD+Rz6rlhM86wE2/5Zj88oR36K6xUtbUimmES4NOU82q9MFMPU +nzOqflNf194o71ZbjdJK1gIemijRP90helrhGNHMBVdRM6UD/MywL349jIDzwp7Y +V3Jlpd+yU6K5Yuw5+nG7Z6oEJTwQI7vKNkEg6xnjpaaH47NaijGZDFb3SXvvCW4e +f/x3Y7sMPIRJIaKxKIbcRodeGChkkMZDEQ69OyuxBeP6Xo6OKOg= +=GANq +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:26.cam.asc b/website/static/security/advisories/FreeBSD-EN-22:26.cam.asc new file mode 100644 index 0000000000..00c02d7e79 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:26.cam.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:26.cam Errata Notice + The FreeBSD Project + +Topic: CAM ioctl(2) compatibility breakage + +Category: core +Module: cam +Announced: 2022-11-01 +Affects: FreeBSD 13.1 +Corrected: 2022-10-13 00:44:16 UTC (stable/13, 13.1-STABLE) + 2022-11-01 13:28:11 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +CAM (Common Access Method) is a FreeBSD kernel subsystem which handles +various aspects of storage management. Various CAM components expose +an ioctl(2) interface to userspace. + +II. Problem Description + +A backwards-incompatible change to the CAM ioctl interface was made. +Partial compatibility support for the old version of the interface was +provided, but it was incomplete. In particular, CAM periph drivers +did not handle the old version of the CAMGETPASSTHRU ioctl. + +III. Impact + +Software applications which make use of the CAM ioctl(2) interface +may fail to work following an upgrade to FreeBSD 13.1. + +IV. Workaround + +Affected applications can be recompiled on FreeBSD 13.1. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +5min "Installing errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:26/cam.patch +# fetch https://security.FreeBSD.org/patches/EN-22:26/cam.patch.asc +# gpg --verify cam.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 16d4c1de7b40 stable/13-n252721 +releng/13.1/ fff5c5fe911e releng/13.1-n250161 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhmLEACgkQ05eS9J6n +5cJRzQ//XtqKLesa2RAQiFgGcWeBjbmSqz+0zriFkfZxHyp4VgORXVwOrqUJrO6M +SX4TnZ5a+ElbZd1yulSB7JgHSV7ZWh/ltSTUIIGAg+514YtfwhrzJ8ID3Kt01lA2 +KGJMaKZOlyLihbaeIyJm1IvgjFi24QxDRLA479PhtZjjMlrVhm49PLum2TDR7qwr +j44pisNGqhxgA6C6YZW4XaNDJ4kISOFjYPmlKLC6qi7i8vsPXJNzgrZq6zJscomh +fvk7Th3/1p65+KNSK26aJbmxqvgJDRJHyCXseAYylxyISvuoVmvWrgDFYmwCgfy0 +/VNsnxDRPvx+tpGvLyWBGcb5slUg/+j8JxK1pgV5xRUQ30CGP42jQWGMmIna3Lud +pv6Q1jhvcZWKC7kuZIdyzj/UgeQPwGw8qLax4DSSvysMU7YDkBwE3l4909eZElkG +okitdWuWeHnz//CC6dtJE2mGmgoIFUr/uKro2TMV5a6/97A/1CFULydc8dd4objV +YHaXEda1scMzq8GevfDFhji2gqg7tZ4eB7M0VVSgMBjcHkbIldpgtm1wKRNDBXPP +rbvi0aKr1GcrBp19Jeuaz6rxGEzvsxEhBC5lW8hIBiYQEaMK6OJrzkJEiUGQCHPl +JrynKvzC6dHnFKFhVfZaG1SZ2wS7hXnV0Y1LnNjPwK9zrJJJcgc= +=KqXj +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:27.loader.asc b/website/static/security/advisories/FreeBSD-EN-22:27.loader.asc new file mode 100644 index 0000000000..bfbb585e38 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:27.loader.asc @@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:27.loader Errata Notice + The FreeBSD Project + +Topic: UEFI loader failing to boot older amd64 kernels + +Category: core +Module: loader +Announced: 2022-11-01 +Affects: FreeBSD 13.1 +Corrected: 2022-10-14 03:06:13 UTC (stable/13, 13.1-STABLE) + 2022-11-01 18:03:25 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + *** 6891 LINES SKIPPED ***
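Review bot: the Solution section of FreeBSD-EN-22:25 (the tcp notice, first file in this part of the diff) says "A reboot is required for these changes to be applied." twice, once after the opening paragraph and again after the freebsd-update commands. FreeBSD-EN-22:26 in the same commit states the reboot once in the opening sentence and adds an explicit `shutdown -r +5min "Installing errata update"` step. Suggest dropping the repeated sentence from EN-22:25 and using the same reboot wording and command in both notices, so the binary-update procedure reads the same across errata published together.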
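Review bot: step 2a of FreeBSD-EN-22:26 (and the matching step in EN-22:25) runs `gpg --verify cam.patch.asc` with only the detached signature named, so gpg has to infer the signed file by stripping the `.asc` suffix. Suggest naming both files, `gpg --verify cam.patch.asc cam.patch`, so it is explicit which download is being checked. The visible steps also do not say where the signing key or its fingerprint comes from, and a signature check against an unverified key proves little; a one-line pointer would close that gap. In step 2b, `patch < /path/to/patch` follows `cd /usr/src` while the fetch wrote the file to the previous working directory, so it is worth saying that the path is the download location from step 2a.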