svn commit: r43519 - in head/share: security/advisories security/patches/EN-14:01 security/patches/EN-14:02 security/patches/SA-14:01 security/patches/SA-14:02 security/patches/SA-14:03 security/pa...

Xin LI delphij at FreeBSD.org
Tue Jan 14 19:57:52 UTC 2014


Author: delphij
Date: Tue Jan 14 19:57:49 2014
New Revision: 43519
URL: http://svnweb.freebsd.org/changeset/doc/43519

Log:
  Add 4 latest advisories and 2 latest errata notices:
  
  Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
  
  Fix ntpd distributed reflection Denial of Service vulnerability.
  [SA-14:02]
  
  Fix OpenSSL multiple vulnerabilities. [SA-14:03]
  
  Fix BIND remote denial of service vulnerability. [SA-14:04]
  
  Disable hardware RNGs by default. [EN-14:01]
  
  Fix incorrect coalescing of stack entry with mmap. [EN-14:02]

Added:
  head/share/security/advisories/FreeBSD-EN-14:01.random.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-14:02.mmap.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:03.openssl.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:04.bind.asc   (contents, props changed)
  head/share/security/patches/EN-14:01/
  head/share/security/patches/EN-14:01/random-8.3.patch   (contents, props changed)
  head/share/security/patches/EN-14:01/random-8.3.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.1.patch   (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.1.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.2-8.4.patch   (contents, props changed)
  head/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:02/
  head/share/security/patches/EN-14:02/mmap.patch   (contents, props changed)
  head/share/security/patches/EN-14:02/mmap.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:01/
  head/share/security/patches/SA-14:01/bsnmpd.patch   (contents, props changed)
  head/share/security/patches/SA-14:01/bsnmpd.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:02/
  head/share/security/patches/SA-14:02/ntpd.patch   (contents, props changed)
  head/share/security/patches/SA-14:02/ntpd.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:03/
  head/share/security/patches/SA-14:03/openssl.patch   (contents, props changed)
  head/share/security/patches/SA-14:03/openssl.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:04/
  head/share/security/patches/SA-14:04/bind-release.patch   (contents, props changed)
  head/share/security/patches/SA-14:04/bind-release.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:04/bind-stable-9.patch   (contents, props changed)
  head/share/security/patches/SA-14:04/bind-stable-9.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:01.random.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:01.random.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:01.random                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          /dev/random should not make direct usage of hardware RNG
+
+Category:       core
+Module:         random
+Announced:      2014-01-14
+Affects:        All versions of FreeBSD prior to 10.0-BETA1
+Corrected:      2014-01-14 19:27:42 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:27:42 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The random(4) and urandom(4) devices return an endless supply of pseudo-random
+bytes when read.  Cryptographic algorithms often depend on the secrecy of these
+pseudo-random values for security.
+
+Yarrow is a secure pseudo-random number generator that combines entropy from
+several entropy sources, mitigating a possible attack when someone could
+predict the output when they are able to intercept one or more of the
+entropy sources
+
+II.  Problem Description
+
+When a hardware RNG exists, the FreeBSD random(4) and urandom(4) devices
+would use their output directly.
+
+III. Impact
+
+Someone who has control over these hardware RNGs would be able to
+predicate the output from random(4) and urandom(4) devices and may be able
+to reveal unique keys that are used to encrypt data.
+
+IV.  Workaround
+
+Disable the hardware RNGs by adding the following settings to /boot/loader.conf
+and reboot the system:
+
+hw.nehemiah_rng_enable=0
+hw.ivy_rng_enable=0
+
+V.   Solution
+
+Hardware RNGs would be disabled by default with this errata notice.  They
+can be re-enabled by setting the corresponding loader tunables to non-zero
+value.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.2 and 8.4]
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch.asc
+# gpg --verify random-9.2-8.4.patch.asc
+
+[FreeBSD 9.1]
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch.asc
+# gpg --verify random-9.1.patch.asc
+
+[FreeBSD 8.3]
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch.asc
+# gpg --verify random-8.3.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260644
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260644
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+- -------------------------------------------------------------------------
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:01.random.asc
+
+-----BEGIN PGP SIGNATURE-----
+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+=viar
+-----END PGP SIGNATURE-----
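
Review bot: In section III (Impact), "predicate the output" should read "predict the output"; as written the sentence does not say what an attacker gains. In section I the second paragraph stops at "entropy sources" with no closing period. Section V says hardware RNGs "would be disabled by default" and can be re-enabled through "the corresponding loader tunables", but the tunables are named only in the Workaround (hw.nehemiah_rng_enable, hw.ivy_rng_enable); say "are disabled by default" and repeat the two names in the Solution. Because the text sits inside the clearsigned body, these fixes need to land before the notice is signed.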

Added: head/share/security/advisories/FreeBSD-EN-14:02.mmap.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:02.mmap.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:02.mmap                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          mmap should not coalesce stack entry
+
+Category:       core
+Module:         kernel
+Announced:      2014-01-14
+Credits:        Konstantin Belousov
+Affects:        All supported versions of FreeBSD.
+Corrected:      2013-12-30 08:57:54 UTC (stable/10, 10.0-PRERELEASE)
+                2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC4)
+                2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC3-p1)
+                2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC2-p1)
+                2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC1-p1)
+                2013-12-30 09:04:06 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:33:28 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The FreeBSD virtual memory system allows growing stack by mapping anonymous
+memory region on top of a stack via mmap(2) system call with MAP_STACK bit
+enabled in flags parameter.
+
+II.  Problem Description
+
+The FreeBSD virtual memory system tries to coalesce adjacent memory regions
+into one single object when possible.  When growing the stack via mmap(2), it
+will also try to coalesce the newly allocated memory into the existing object.
+This would result in a failed assertion later in vm_map_stack(), which expects
+that a new object is returned.
+
+III. Impact
+
+The system will panic when this happens.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch.asc
+# gpg --verify mmap.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260645
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260082
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+stable/10/                                                        r260081
+releng/10.0/                                                      r260122
+- -------------------------------------------------------------------------
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:02.mmap.asc
+
+-----BEGIN PGP SIGNATURE-----
+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+=rOvi
+-----END PGP SIGNATURE-----
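
Review bot: Section III (Impact) says only "The system will panic when this happens" and does not state who can trigger the condition. Section I describes the trigger as an mmap(2) call with MAP_STACK, so the Impact should say whether an unprivileged local process can cause the panic, which is what an administrator needs to judge urgency. Section VI is introduced as "the revision numbers of each file that was corrected" while the table lists one revision per branch; the wording used in the SA files of this commit ("correction revision numbers for each affected branch") matches the table.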

Added: head/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:01.bsnmpd                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bsnmpd remote denial of service vulnerability
+
+Category:       contrib
+Module:         bsnmp
+Announced:      2014-01-14
+Credits:        Dirk Meyer
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE)
+                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE)
+                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1)
+                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1)
+                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1)
+                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1)
+                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1)
+                2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name:       CVE-2014-1452
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP
+(Simple Network Management Protocol).
+
+II.  Problem Description
+
+The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it
+has received a specifically crafted GETBULK PDU request.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary code in the context of
+the service daemon, or crash the service daemon, causing a denial-of-service.
+
+IV.  Workaround
+
+No workaround is available, but systems not running bsnmpd(8) are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc
+# gpg --verify bsnmpd.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the bsnmpd(8) daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260642
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260642
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+stable/10/                                                        r260638
+releng/10.0/                                                      r260640
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1452>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:01.bsnmpd.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=xZTc
+-----END PGP SIGNATURE-----
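
Review bot: Section VII (References) still contains the template placeholder "<other info on vulnerability>"; remove it or replace it with a real reference before signing. The Topic line calls this a "remote denial of service vulnerability", yet section III says the overflow "could be exploited to execute arbitrary code in the context of the service daemon", so the Topic understates the impact and should mention code execution. In section I, "SNMP daemon serves" needs a relative pronoun ("daemon that serves").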

Added: head/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,167 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:02.ntpd                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ntpd distributed reflection Denial of Service vulnerability
+
+Category:       contrib
+Module:         ntpd
+Announced:      2014-01-14
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE)
+                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE)
+                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1)
+                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1)
+                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1)
+                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1)
+                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1)
+                2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name:       CVE-2013-5211
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
+used to synchronize the time of a computer system to a reference time
+source.
+
+II.  Problem Description
+
+The ntpd(8) daemon supports a query 'monlist' which provides a history of
+recent NTP clients without any authentication.
+
+III. Impact
+
+An attacker can send 'monlist' queries and use that as an amplification of
+a reflection attack.
+
+IV.  Workaround
+
+The administrator can implement one of the following possible workarounds
+to mitigate the attack:
+
+1) Restrict access to ntpd(8).  This can be done by adding the following
+lines to /etc/ntp.conf:
+
+restrict -4 default nomodify nopeer noquery notrap
+restrict -6 default nomodify nopeer noquery notrap
+restrict 127.0.0.1
+restrict -6 ::1
+restrict 127.127.1.0
+
+And restart the ntpd(8) daemon.  Time service is not affected and the
+administrator can still perform queries from local host.
+
+2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to
+restrict which systems can access ntpd(8).
+
+3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or
+newer)
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc
+# gpg --verify ntpd.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the ntpd(8) daemon, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Note that the patch would disable monitoring features of ntpd(8) daemon
+by default.  If the feature is desirable, the administrator can choose
+to enable it and firewall access to ntpd(8) service.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260641
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260641
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+stable/10/                                                        r260639
+releng/10.0/                                                      r260641
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks>
+
+<URL:https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks>
+
+<URL:http://bugs.ntp.org/show_bug.cgi?id=1532>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:02.ntpd.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7q6W
+-----END PGP SIGNATURE-----
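
Review bot: In section VI the table gives r260641 for releng/10.0 and also for stable/8 and stable/9, but the Corrected field dates releng/10.0 at 19:12:40 UTC and stable/8 and stable/9 at 19:20:41 UTC. One revision cannot carry two commit times, so one of these entries looks mistyped and should be checked against the repository before publication. The paragraph beginning "Note that the patch would disable monitoring features" sits under option 3 (binary patch) although it describes the fix in general; move it above "Perform one of the following" so readers who take option 1 or 2 also see it. Workaround item 3 is missing its closing period.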

Added: head/share/security/advisories/FreeBSD-SA-14:03.openssl.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:03.openssl.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:03.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSL multiple vulnerabilities
+
+Category:       contrib
+Module:         openssl
+Announced:      2014-01-14
+Affects:        FreeBSD 10.0 prior to 10.0-RC5
+Corrected:      2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
+                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
+                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
+                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
+                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
+                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
+CVE Name:       CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+II.  Problem Description
+
+A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
+pointer exception. [CVE-2013-4353]
+
+A flaw in DTLS handling can cause an application using OpenSSL and DTLS to
+crash. [CVE-2013-6450]
+
+A flaw in OpenSSL can cause an application using OpenSSL to crash when using
+TLS version 1.2. [CVE-2013-6449]
+
+III. Impact
+
+An attacker can send a specifically crafted packet that could cause an OpenSSL
+enabled application to crash, resulting in a Denial of Service.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r260404
+releng/10.0/                                                      r260405
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353>
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449>
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=YOCY
+-----END PGP SIGNATURE-----
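
Review bot: Option 3 in section V says "Systems running a RELEASE version of FreeBSD" can use freebsd-update(8), but Affects lists only "FreeBSD 10.0 prior to 10.0-RC5" and every Corrected entry is a PRERELEASE or RC build, so the boilerplate does not describe any affected system; reword it for the pre-release builds actually listed or drop the option. In step 2b, "deamons" should be "daemons". Section II lists the CVEs in the order 4353, 6450, 6449 while the CVE Name field and the References use 4353, 6449, 6450; using one order throughout makes cross-checking easier.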

Added: head/share/security/advisories/FreeBSD-SA-14:04.bind.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:04.bind.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:04.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service vulnerability
+
+Category:       contrib
+Module:         bind
+Announced:      2014-01-14
+Credits:        ISC
+Affects:        FreeBSD 8.x and FreeBSD 9.x
+Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name:       CVE-2014-0591
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties.  This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone.  Recursive-only servers are not at risk.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
+# gpg --verify bind-release.patch.asc
+
+[FreeBSD 9.2-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
+# gpg --verify bind-stable-9.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260646
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260646
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01078>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=OQzQ
+-----END PGP SIGNATURE-----
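
Review bot: Solution step 3 (binary patch) ends at "# freebsd-update install" with no restart instruction, while step 2 closes with "Restart the applicable daemons, or reboot the system." A named(8) process that is already running keeps executing the old code until it is restarted, so the same sentence should follow the freebsd-update commands, preferably naming named(8) explicitly. Without it, an administrator who takes the binary route can finish the listed steps and still be serving NSEC3-signed zones from the unpatched process.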

Added: head/share/security/patches/EN-14:01/random-8.3.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:01/random-8.3.patch	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,27 @@
+Index: sys/dev/random/probe.c
+===================================================================
+--- sys/dev/random/probe.c	(revision 260523)
++++ sys/dev/random/probe.c	(working copy)
+@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
+ 
+ #include <sys/types.h>
+ #include <sys/param.h>
++#include <sys/systm.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/random.h>
+ #include <sys/selinfo.h>
+@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat
+ 	/* Then go looking for hardware */
+ #if defined(__i386__) && !defined(PC98)
+ 	if (via_feature_rng & VIA_HAS_RNG) {
+-		*systat = random_nehemiah;
++		int enable;
++
++		enable = 0;
++		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
++		if (enable)
++			*systat = random_nehemiah;
+ 	}
+ #endif
+ }
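
Review bot: The second probe.c hunk introduces the tunable "hw.nehemiah_rng_enable" with "enable = 0;" but has no comment saying why the VIA hardware RNG is now opt-in or how to turn it back on. A short comment above the initializer, naming the tunable and stating that it is read once at boot from the kernel environment (so it has to be set from the loader, for example in loader.conf), would save the next reader from having to find the errata notice. The two added includes in the first hunk are presumably there for TUNABLE_INT_FETCH; saying so in the patch description would make that dependency clear.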

Added: head/share/security/patches/EN-14:01/random-8.3.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:01/random-8.3.patch.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=jEbX
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-14:01/random-9.1.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:01/random-9.1.patch	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,27 @@
+Index: sys/dev/random/probe.c
+===================================================================
+--- sys/dev/random/probe.c	(revision 260523)
++++ sys/dev/random/probe.c	(working copy)
+@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
+ 
+ #include <sys/types.h>
+ #include <sys/param.h>
++#include <sys/systm.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/random.h>
+ #include <sys/selinfo.h>
+@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat
+ 	/* Then go looking for hardware */
+ #if defined(__amd64__) || (defined(__i386__) && !defined(PC98))
+ 	if (via_feature_rng & VIA_HAS_RNG) {
+-		*systat = random_nehemiah;
++		int enable;
++
++		enable = 0;
++		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
++		if (enable)
++			*systat = random_nehemiah;
+ 	}
+ #endif
+ }
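
Review bot: In the second hunk, when "via_feature_rng & VIA_HAS_RNG" is true but the tunable is left at 0, the new code leaves "*systat" untouched and adds no message, so this hunk gives an administrator no way to tell "hardware RNG present but disabled" apart from "hardware RNG absent". Consider an else branch that prints a one-line notice under bootverbose, naming "hw.nehemiah_rng_enable" as the knob. This also relies on the caller having already set "*systat" to the software generator before the "Then go looking for hardware" block; that is not visible in the context lines and is worth confirming.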

Added: head/share/security/patches/EN-14:01/random-9.1.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:01/random-9.1.patch.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=FCsi
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-14:01/random-9.2-8.4.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:01/random-9.2-8.4.patch	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,22 @@
+Index: sys/dev/random/probe.c
+===================================================================
+--- sys/dev/random/probe.c	(revision 259661)
++++ sys/dev/random/probe.c	(working copy)
+@@ -73,7 +73,7 @@
+ 	if (via_feature_rng & VIA_HAS_RNG) {
+ 		int enable;
+ 
+-		enable = 1;
++		enable = 0;
+ 		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+ 		if (enable)
+ 			*systat = random_nehemiah;
+@@ -83,7 +83,7 @@
+ 	if (cpu_feature2 & CPUID2_RDRAND) {
+ 		int enable;
+ 
+-		enable = 1;
++		enable = 0;
+ 		TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable);
+ 		if (enable)
+ 			*systat = random_ivy;
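
Review bot: Both hunks change only the initializer, from "enable = 1;" to "enable = 0;", which silently changes behavior on upgrade for any system that was using the VIA or RDRAND source by default, and nothing in the patched code records that. A comment at each site stating that "hw.nehemiah_rng_enable" or "hw.ivy_rng_enable" must be set to 1 to restore the previous behavior would document the new default where it is enforced. The two blocks are also identical apart from the tunable name and the systat assigned, so a small shared helper would keep the defaults from drifting apart in later edits.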

Added: head/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc	Tue Jan 14 19:57:49 2014	(r43519)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnODkQANga1UgaW4k2SA8SKLmGtRsO
+DWo/fqJ12DneoN0cxxgqgUFzB90Cdj1Qrece2Oj6lrD/A8wNfHzB78CE/yCqlEwg

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

