git: 516370df65 - main - Add EN-21:06 to EN-21:08 and SA-21:03 to SA-21:06.
Gordon Tetlow
gordon at FreeBSD.org
Wed Feb 24 05:53:50 UTC 2021
The branch main has been updated by gordon (src committer):
URL: https://cgit.FreeBSD.org/doc/commit/?id=516370df6584390f8886526c148cc83437d07cad
commit 516370df6584390f8886526c148cc83437d07cad
Author: Gordon Tetlow <gordon at FreeBSD.org>
AuthorDate: 2021-02-24 05:53:31 +0000
Commit: Gordon Tetlow <gordon at FreeBSD.org>
CommitDate: 2021-02-24 05:53:31 +0000
Add EN-21:06 to EN-21:08 and SA-21:03 to SA-21:06.
Approved by: so
---
website/data/security/advisories.toml | 16 +
website/data/security/errata.toml | 12 +
.../advisories/FreeBSD-EN-21:06.microcode.asc | 128 ++
.../advisories/FreeBSD-EN-21:07.caroot.asc | 121 ++
.../advisories/FreeBSD-EN-21:08.freebsd-update.asc | 126 ++
.../FreeBSD-SA-21:03.pam_login_access.asc | 144 ++
.../advisories/FreeBSD-SA-21:04.jail_remove.asc | 161 ++
.../advisories/FreeBSD-SA-21:05.jail_chdir.asc | 162 ++
.../security/advisories/FreeBSD-SA-21:06.xen.asc | 154 ++
.../security/patches/EN-21:06/microcode.patch | 11 +
.../security/patches/EN-21:06/microcode.patch.asc | 16 +
.../static/security/patches/EN-21:07/caroot.patch | 2145 ++++++++++++++++++++
.../security/patches/EN-21:07/caroot.patch.asc | 16 +
.../security/patches/EN-21:08/freebsd-update.patch | 23 +
.../patches/EN-21:08/freebsd-update.patch.asc | 16 +
.../patches/SA-21:03/pam_login_access.patch | 16 +
.../patches/SA-21:03/pam_login_access.patch.asc | 16 +
.../security/patches/SA-21:04/jail_remove.13.patch | 95 +
.../patches/SA-21:04/jail_remove.13.patch.asc | 16 +
.../security/patches/SA-21:04/jail_remove.patch | 66 +
.../patches/SA-21:04/jail_remove.patch.asc | 16 +
.../security/patches/SA-21:05/jail_chdir.13.patch | 103 +
.../patches/SA-21:05/jail_chdir.13.patch.asc | 16 +
.../security/patches/SA-21:05/jail_chdir.patch | 98 +
.../security/patches/SA-21:05/jail_chdir.patch.asc | 16 +
website/static/security/patches/SA-21:06/xen.patch | 34 +
.../static/security/patches/SA-21:06/xen.patch.asc | 16 +
27 files changed, 3759 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 95683bed85..10229d9ce6 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,22 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-21:06.xen"
+date = "2021-02-24"
+
+[[advisories]]
+name = "FreeBSD-SA-21:05.jail_chdir"
+date = "2021-02-24"
+
+[[advisories]]
+name = "FreeBSD-SA-21:04.jail_remove"
+date = "2021-02-24"
+
+[[advisories]]
+name = "FreeBSD-SA-21:03.pam_login_access"
+date = "2021-02-24"
+
[[advisories]]
name = "FreeBSD-SA-21:02.xenoom"
date = "2021-01-29"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index eb4071d077..d6a17c8a9b 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,18 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-21:08.freebsd-update"
+date = "2021-02-24"
+
+[[notices]]
+name = "FreeBSD-EN-21:07.caroot"
+date = "2021-02-24"
+
+[[notices]]
+name = "FreeBSD-EN-21:06.microcode"
+date = "2021-02-24"
+
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"
diff --git a/website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc b/website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc
new file mode 100644
index 0000000000..ae590c2ec7
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc
@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:06.microcode Errata Notice
+ The FreeBSD Project
+
+Topic: Boot-time microcode loading causes a boot hang
+
+Category: core
+Module: x86
+Announced: 2021-02-24
+Affects: FreeBSD 12.2
+Corrected: 2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE)
+ 2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+CPU microcode updates may include security fixes or mitigations. The
+boot-time microcode loader applies CPU microcode as early in the boot process
+as possible, minimizing the amount of code executed without updated
+microcode.
+
+Microcode updates for many different CPU types are concatenated into one file
+and loaded by the boot loader. After the kernel has determined the correct
+update to apply, it frees the memory containing unused microcode updates,
+keeping only the update for the CPU on which the kernel is running.
+
+II. Problem Description
+
+An interaction between the code which frees the unused portions of the
+microcode file and the rest of the system can cause boot hangs.
+
+III. Impact
+
+The kernel may hang during boot if boot-time microcode updates are configured.
+
+IV. Workaround
+
+Systems not configured to load microcode at boot-time are unaffected.
+Boot-time microcode loading is currently only supported with Intel CPUs.
+
+On systems that are configured to load microcode at boot-time, setting the
+"debug.ucode.release" loader tunable to 0 will prevent the microcode update
+file from being freed, working around the problem.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch.asc
+# gpg --verify microcode.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r369310
+releng/12.2/ r369355
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:06.microcode.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n
+5cLgbg//cottS8aQLl6YmSFs6JIyZwE4RutM2tSrkwkdQmuYLfba3tEyYs3R2iAK
+x9y5bf9jFG5m7mUVr9QhEPRGrFlKTdTtW682T5ClLrZO1TIWwTUZlEC9omIpAPV3
+/A2tFFK253Zhufh2bKol8y8LwEle9MrO2xURj8KOo5dFa0HxSrMeCb+YlINV/iCy
+hEJPuGvVWr+1rTP0hbKT+lHwtsgV2yB73FuG85p3FtJ4nr7OBlrzDnVgAKANvGTG
+VTE/g/mqKfQlYqrNccw8Si/K5vh9PNiFjXiercSyMWV1eaYT6WU/a3x94RlISvR7
+6t56uWyJ9YTs3+E1bwplIZ/0qrCOvcgYqsv6ANu5/2gysFCNaNACDcAtidcly2UB
+AL0hDjEQ7sAmsGmjAXfg7bbgUD/1h3saTmI3UmuWayZodMt1w6A0d/3A4bb/yZid
+rF3gVvgmLBSjsgSXSqYtnS3N+af/rr01/tLaZh/yvO8d0EwFteyGar/dduSCoXbU
+EK636ZNy+df7k6eCfqeh2/WixqSE7pKw2anQXmn11vHMBWDyuF919jMxrm64OdzT
+sLlVrGOH8FHbUwnTsNUAfggqO7VUowvfRnYk+CzDElpXqn0Pteq8UCGABLmRKW9u
+kISBhJwAjnnybyZ5/nvFaAN5UtvG5he0qhpbvArposyvqLdsgZ0=
+=j/+s
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc b/website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc
new file mode 100644
index 0000000000..8919ef0524
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc
@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:07.caroot Errata Notice
+ The FreeBSD Project
+
+Topic: Root certificate bundle update
+
+Category: core
+Module: caroot
+Announced: 2021-02-24
+Affects: FreeBSD 12.2
+Corrected: 2020-12-15 21:50:05 UTC (stable/12, 12.2-STABLE)
+ 2021-02-24 01:43:56 UTC (releng/12.2, 12.2-RELEASE-p4)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The root certificate bundle is the trust store that is used by OpenSSL
+programs and libraries to aide in determining whether it should trust
+a given SSL certificate.
+
+II. Problem Description
+
+Several certificates were removed from the bundle after the latest release
+of FreeBSD 12.2.
+
+III. Impact
+
+Certificates are often removed from the root bundle due to a failure to
+meet the standards established by Mozilla for being considered a trusted
+Certificate Authority.
+
+IV. Workaround
+
+No workaround is available. Software that uses an internal trust store
+is not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch.asc
+# gpg --verify caroot.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all applications that may be using OpenSSL, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368678
+releng/12.2/ r369357
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:07.caroot.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15ccACgkQ05eS9J6n
+5cJUlRAAnoqim9czLfJS8ooYVSmB2Q3Td+vg+/QrS1ftwGBI3hXAwzFtlsCn4P35
+7k5tJQL3sVv3/nFfJ6/S5T832tVAfBgxFyzbu1C8zP2fYDLJ7uKKCtluoaHchB1y
+KMOE11SPfdPtG0WeWUI1QEqCAhy91mZo1+B4zTMNazZ2AdLs7YSaovrBeYMcAR+K
+xSGxvRndtX+4BvtGpehO3F+JMYsjpA06W3HP1gCsg9JnKo1whzrth83ar4V0aONS
+Gcl90oyOy4IGHYPDm3vYahtKXmsO8FI3IpuuNDdkeL1KPbrUaCOvmnnTZWS9pAoT
+S0DxUtHqfNz+iRuTLRO0/RIaopLADqx0fmDaRqGPy3MFUp1hevRCpPn8o5rtsjEK
+hpsaWhhxrD3edGdu459JvM5cMT9Xr9/QxCneeJF96lgDP17IrB57RmNGu048ARbQ
+Myb4G5+ypjnQJ4Y4ctGGlIJQcjfI7dVpSRXdj+qTLBdh2BCeL3d4UC267AgGA3mz
+uspX/AxIcdHAvsiHGicbhV+tSw0LY1zPLCP9fgWcfDw8jyzY+Jrtj+B4TBsmTStu
+qUpbq6WU7SJ4b7inV0RDmugyDAPFwROuc0u8+VSwI7Kt4VuzAPeSgvcythS88/47
+huwCdkRE5Gh6RFy+gTg0tSyv5znQarif6E6pmETSnB8Cr4IbaBk=
+=LVRY
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc
new file mode 100644
index 0000000000..181200d684
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:08.freebsd-update Errata Notice
+ The FreeBSD Project
+
+Topic: freebsd-update passwd regeneration
+
+Category: core
+Module: freebsd-update
+Announced: 2021-02-24
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-12-27 20:50:53 UTC (stable/12, 12.2-STABLE)
+ 2021-02-24 01:43:52 UTC (releng/12.2, 12.2-RELEASE-p4)
+ 2020-12-27 20:52:37 UTC (stable/11, 11.4-STABLE)
+ 2021-02-24 01:41:49 UTC (releng/11.4, 11.4-RELEASE-p8)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+freebsd-update provides binary updates for supported releases of FreeBSD on
+amd64 and i386.
+
+II. Problem Description
+
+The existing logic to try and avoid regenerating passwd/login.conf files
+relies on timestamp comparisons between old and new files, with the caveat
+that it's comparing the installed with a timestamp that has been clobbered to
+do the comparison.
+
+III. Impact
+
+User and login.conf changes coming in from a binary update may not properly
+regenerate the databases for the changes to take effect.
+
+IV. Workaround
+
+To workaround this issue, one may regenerate databases manually with
+pwd_mkdb(8) and cap_mkdb(1), e.g.,
+
+pwd_mkdb -p /etc/master.passwd
+cap_mkdb /etc/login.conf
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. No reboot is required.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368873
+releng/12.2/ r369356
+stable/11/ r368824
+releng/11.4/ r369349
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:08.freebsd-update.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15cgACgkQ05eS9J6n
+5cJRqA/+NMSpCafAMdn0T3ZFbZ+AwN3nHS5t/2UBBRnpUks0CWXR1XnZ7CqeTZUc
+vCy3+QR93bQYDVCW7tNCOVs0bL7dVyyT9qLrmaJC1LFBtMAaM091A3gXdlhaL5I9
+mATPs/Qy3/HFDjeWWZDNeg0RsXhzEnM3I/FPhhWYkA/iO++5Og1VuBWFpuPGUZbG
+VuRRVuazHzqVKjlQL7XUKHJk2PGJIXTBAZHQkBn4cwux9iDxjhowtvN3hMJSPTPI
+GAu3YD1YrM7UIyguh3WieVOVuHtwUdj+mccw3iifn02crq93H2Wyj4nDDYaUQXz5
+Ab9HjuVGE/VjPMgfqRtouQieGTJIMCo8Y/4ytPe+Dhvtxrd4LYBHuYhZFfMFTITC
+lAXUhtdF5l/PJWNG24BE3BWjPEgU3vwTtuL56PHcpO08lKgwzidvOtPV2hM2mbw/
+RRJWZ0AYe8q624NwpC96WUvW5DoBA2thBXxmUaQ4KBK06tiSg/jXzmG9em4WfaQH
+z2aAeg+MURBaecTfl1gWZFdkOOwNcn089T/XhLh2FuzX4NGIQChvo1gEj7thsXQp
+jWF+HUpxfZ9ZZIRuNCdAjCCAY2R3pkAZSGAUvi7TTqZfbPQtAb0SgT6QXj6OslCG
+w4puBrBQl+R3g3dN1Q9NSDqmob1g8MrN7mUv8Nl7LFNpnWDh4Bs=
+=C5YV
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc b/website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc
new file mode 100644
index 0000000000..2e7f0fac32
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:03.pam_login_access Security Advisory
+ The FreeBSD Project
+
+Topic: login.access fails to apply rules
+
+Category: core
+Module: pam_login_access
+Announced: 2021-02-24
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-02-24 01:20:53 UTC (stable/13, 13.0-STABLE)
+ 2021-02-24 01:42:42 UTC (releng/13.0, 13.0-BETA3-p1)
+ 2021-02-24 01:40:36 UTC (stable/12, 12.2-STABLE)
+ 2021-02-24 01:44:01 UTC (releng/12.2, 12.2-RELEASE-p4)
+ 2021-02-24 01:39:53 UTC (stable/11, 11.4-STABLE)
+ 2021-02-24 01:41:53 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name: CVE-2020-25580
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+login.access(5) is a system configuration file allowing administrators to
+define policy around system login access by specific users and groups. It
+is implemented by a pam(3) module, pam_login_access(8), and is configured
+by default for accesses via sshd(8), telnetd(8) and the system console.
+
+II. Problem Description
+
+A regression in the login.access(5) rule processor has the effect of causing
+rules to fail to match even when they should not. This means that rules
+denying access may be ignored.
+
+III. Impact
+
+The configuration in login.access(5) may not be applied, permitting login
+access to users even when the system is configured to deny it.
+
+IV. Workaround
+
+No workaround is available. Systems not relying on login.access(5) to
+enforce custom login policies are not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch.asc
+# gpg --verify pam_login_access.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/13/ 8cf559d6b9b4782bf67eb868ea480f47fc8c64a4
+releng/13.0/ f82cffcf2f44c909bec00d18549826f5d1d62205
+stable/12/ r369346
+releng/12.2/ r369359
+stable/11/ r369345
+releng/11.4/ r369351
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25580>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:03.pam_login_access.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cKg1A/+MKN4Gf9ndHqjEUKiquiUGAE63RJC3wZRpN/GsxP2qLArX4QDOXLJxFZ3
++T+u3lb0vxhhowvp23vFegmQbmWA6ZHI4M+NBsgMnPLTEWkwy4tRTfZDma1Q9j3k
+RNPJFnzJ5HTKBXtZom/yKcxuXw1JGlqmxuJYfveBEBIN6PmH5nz3qwcRVV8j+gAM
+1CtmnWpUVHm8aOqEGhOPr/eNRbAX14S/rdrtETmyyKm7WlYtiFD8GN5Px+eTTZcM
+khZhyhlpvEPU0tLNahnDGiPBmlr8VpysT0+0ZdGsT6qMME8WQne3pvJeM2HaZs8a
+ob35quA5tH241NjNBvoYmMj50/UOFS8RZKb6VILX7+PVsYOiuoGKR8ikr6n09SZs
+LYThBcnWx5Bwcn08DXbd2bPn48aSFnbe0UMTzwrTC0L/5lp2FLv9j+bhwb3gF6W1
+9hmRHOb+Cvdxxqw/djFCQsxODC9qZzneRW012PTsEZcwB8UjvG+OEVahz5iOfiGC
+tXNQ6rdbdTEr7QY+JCx0ngyHkQyDrOEJGd8UTIavr0CiuSdSWzi2zrppqZzvjBIp
+MENgB7uWf0MvzkYbxqwlRFr+25MLPGPYNfcLR/NnoWZcEuXR9VUL9Nb+ozH1HGs2
+oziYLqXp3yvDGrHXdItOz5sVsgsZCZLLVD4SVI7Y31Ctxd6MlcM=
+=WQ8j
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc b/website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc
new file mode 100644
index 0000000000..4420ba75c1
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:04.jail_remove Security Advisory
+ The FreeBSD Project
+
+Topic: jail_remove(2) fails to kill all jailed processes
+
+Category: core
+Module: jail
+Announced: 2021-02-24
+Credits: Mateusz Guzik
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-02-19 01:22:08 UTC (stable/13, 13.0-STABLE)
+ 2021-02-19 21:53:07 UTC (releng/13.0, 13.0-BETA3-p1)
+ 2021-02-19 21:46:31 UTC (stable/12, 12.2-STABLE)
+ 2021-02-24 01:43:39 UTC (releng/12.2, 12.2-RELEASE-p4)
+ 2021-02-19 21:50:26 UTC (stable/11, 11.4-STABLE)
+ 2021-02-24 01:41:41 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name: CVE-2020-25581
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges. It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+The jail_remove(2) system call, which was introduced in FreeBSD 8.0,
+allows a non-jailed process to remove a jail, which includes terminating
+all the processes running in that jail.
+
+II. Problem Description
+
+Due to a race condition in the jail_remove(2) implementation, it may fail
+to kill some of the processes.
+
+III. Impact
+
+A process running inside a jail can avoid being killed during jail termination.
+If a jail is subsequently started with the same root path, a lingering jailed
+process may be able to exploit the window during which a devfs filesystem is
+mounted but the jail's devfs ruleset has not been applied, to access device
+nodes which are ordinarily inaccessible. If the process is privileged, it may
+be able to escape the jail and gain full access to the system.
+
+IV. Workaround
+
+The problem is limited to scenarios where a jail containing an untrusted,
+privileged process is stopped, and a jail is subsequently started with the same
+root path. Users not running jails are not affected, and the problem can be
+avoided by not starting a jail with the same path as a previously stopped jail.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch.asc
+# gpg --verify jail_remove.13.patch.asc
+
+[FreeBSD 11.x, FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch.asc
+# gpg --verify jail_remove.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/13/ 894360bacd42f021551f76518edd445f6d299f2e
+releng/13.0/ 9f00cb5fa8a438e7b9efb2158f2e2edc730badd1
+stable/12/ r369312
+releng/12.2/ r369353
+stable/11/ r369313
+releng/11.4/ r369347
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25581>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:04.jail_remove.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cK69Q//UI2SeHrGXytm6ScQzCIbFPlUXlhkCX51WSOJmr/LUXpF9bcUhW73qqov
+/c70VGF876woMXHkbfYnCVdB4ETLIqTbGOl2aw/c8fuwrmFdtyeDEQ4SRRfWgdC4
+L6jEgMvB/fMO9e662k19f6RFXrdMspK4rOz3/aowTFbOEvD3Q0HpBUnFbWWg3Iiy
+I190M0jbytFuZ2EJQ563bbRFFjEafZ51SKYz1FcR3cJAbVo/q75G3uDrjeNhnHxZ
+0VqcTGHmF4Lh+RocUeW0v/1wHL8lBpoAKXmo4IL+FhFIR8fjVpKbGSm/IHSueatT
+Tr6xOg93Ef+sETWVn9Jv26BAU06LEM/ZuXz+HS7T7DwnJJeKa3d74KTJnnGauE24
+67OO0i4Fok9Yyy2ArBH8V8mnzdW96dJyHrwdG0UUBddYlEyzArxkUQZyoIdj1Gb1
+fns8ndY8t5tky2fxHZG2UMBWwQKBtbMZY027JRylAJWExsG6wH7DcUJ51FpcnbNe
+r3QvCB+ifOBGzFd2S4PduttxHW+xldWknah8513u9mRNCwnSFbY9ZXTpSeDmJaPo
+hYAZ2WlDodkaJxbTTMbJ+4fr6wMkmWf32g5pRh+wDfMAd0Wvbzmu/+fUQVf54FNU
+Qb91AAtVBuIE0J8jKqZxw+dtno+e6etmO1pXoZXvPHUr2N2BJmI=
+=yxgm
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc b/website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc
new file mode 100644
index 0000000000..5112914c16
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc
@@ -0,0 +1,162 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:05.jail_chdir Security Advisory
+ The FreeBSD Project
+
+Topic: jail_attach(2) relies on the caller to change the cwd
+
+Category: core
+Module: jail
+Announced: 2021-02-24
+Credits: Mateusz Guzik
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE)
+ 2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1)
+ 2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE)
+ 2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4)
+ 2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE)
+ 2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name: CVE-2020-25582
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges. It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+The jail_attach(2) system call, which was introduced in FreeBSD 5
+before 5.1-RELEASE, allows a non-jailed process to permanently move
+into an existing jail.
+
+The ptrace(2) system call provides tracing and debugging facilities by
+allowing one process (the tracing process) to watch and control
+another (the traced process).
+
+II. Problem Description
+
+When a process, such as jexec(8) or killall(1), calls jail_attach(2)
+to enter a jail, the jailed root can attach to it using ptrace(2) before
+the current working directory is changed.
+
+III. Impact
+
+A process with superuser privileges running inside a jail could change
+the root directory outside of the jail, thereby gaining full read and
+writing access to all files and directories in the system.
+
+IV. Workaround
+
+No workaround is available, but systems that are not running jails with
+untrusted root users are not vulnerable.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc
+# gpg --verify jail_chdir.13.patch.asc
+
+[FreeBSD 11.x, FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc
+# gpg --verify jail_chdir.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/13/ 5dbb407145c8128753fa30b695bc266dc671e433
+releng/13.0/ f3f042d850baaeda1bed19e00c2b3b578644b7e9
+stable/12/ r369334
+releng/12.2/ r369354
+stable/11/ r369335
+releng/11.4/ r369348
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25582>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:05.jail_chdir.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cKj/xAAjbGc0bV3Ua8PuIFoDk7ADnwNotFV9PlXknWpeM4fXVVrt5EDncMfgHdw
+XeKHOjzKNocOCtDioDhOcev9hhLeiYJjGHKrOQeKv34hJoufd6Wr0nvLgv/IVlMr
+iZRVndvG1eBlnkwzlbx0xh1OY9zhffqjEiVkQNxXZV0iz/P2ndG0wP7N/bTG2QW3
+1mZmp4Fh9AsbjLPVGyutoLZXiypuroGPLQZrth3n7Cz8HklwyPzoAgPOYx7mMW3D
+x1Th6kYIEx1aCe+ZBsgOuPsKeZ4SSB5o1w2F5y+mor/rslgQJAppNakBMmyDkSEI
+UhEqLGNA469P0qonCHhGY83wfkuUedFTuWLrdnh97J7yr+WIn1ik1/jBXxv3+1kS
+bKivBd/oj6hEFULE7r6T/UVomJjU+dPPBm+ewljJFVib+3zIQsbxauLdqUuqWlob
+QUkQc4mu7fjVSAMyVbYVrjBAgwQJit0KfX+JSbEcLndmPv1RCK8wnxIf0zbmV2m/
+DMg9QGqwfcJkba6Y/JCAFZcl+HUCfEGUqZ7pEqGuwsp3wnMwO7Qg9IAEmDt8i2lf
+6kaqAatJ5Reo/D+j6KJFvGCajnEfD0n+jDx8cdJFNY2Zzbo3/lRGd8dque5OEbTA
+O0UZu2hRv5YMIagMf57WWzGrF+ACtgYbath710IKfVUfP/OiCIM=
+=/d5L
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:06.xen.asc b/website/static/security/advisories/FreeBSD-SA-21:06.xen.asc
new file mode 100644
index 0000000000..46ec778a4b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:06.xen.asc
@@ -0,0 +1,154 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:06.xen Security Advisory
+ The FreeBSD Project
+
+Topic: Xen grant mapping error handling issues
+
+Category: contrib
*** 2987 LINES SKIPPED ***
More information about the dev-commits-doc-all
mailing list