svn commit: r44822 - in head/share: security/advisories security/patches/EN-14:03 security/patches/EN-14:04 security/patches/EN-14:05 security/patches/SA-14:10 xml

Xin LI delphij at FreeBSD.org
Tue May 13 23:55:54 UTC 2014


Author: delphij
Date: Tue May 13 23:55:52 2014
New Revision: 44822
URL: http://svnweb.freebsd.org/changeset/doc/44822

Log:
  Add the latest advisory and 3 new errata notices:
  
    Fix OpenSSL NULL pointer dereference vulnerability. [SA-14:09]
  
    Add pkg bootstrapping, configuration and public keys. [EN-14:03]
    Improve build repeatability for kldxref(8). [EN-14:04]
    Fix data corruption with ciss(4). [EN-14:05]

Added:
  head/share/security/advisories/FreeBSD-EN-14:03.pkg.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-14:05.ciss.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:10.openssl.asc   (contents, props changed)
  head/share/security/patches/EN-14:03/
  head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch   (contents, props changed)
  head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch   (contents, props changed)
  head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch   (contents, props changed)
  head/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:04/
  head/share/security/patches/EN-14:04/kldxref.patch   (contents, props changed)
  head/share/security/patches/EN-14:04/kldxref.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:05/
  head/share/security/patches/EN-14:05/ciss.patch   (contents, props changed)
  head/share/security/patches/EN-14:05/ciss.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:10/
  head/share/security/patches/SA-14:10/openssl.patch   (contents, props changed)
  head/share/security/patches/SA-14:10/openssl.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:03.pkg.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:03.pkg.asc	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,180 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:03.pkg                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          pkg bootstrapping, configuration and public keys
+
+Category:       core, packages
+Module:         pkg
+Announced:      2014-05-13
+Credits:        Baptiste Daroussin, Bryan Drewery
+Affects:        All versions of FreeBSD prior to 10.0-RELEASE
+Corrected:      2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE)
+                2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
+                2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE)
+                2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
+                2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The pkg(7) utility is the new package management tool for FreeBSD.  The
+FreeBSD project has provided official pkg(7) packages since October 2013
+and signed packages since the pkg-1.2 release in November 2013.  The
+signature checking requires known public keys to be installed locally.
+The repository configuration must be installed as well.
+
+The base system also includes a pkg(7) bootstrap tool that installs the
+latest real pkg(7) package.  The bootstrap tool knows where to find the
+official pkg(7) package but once that is installed the real pkg(7) will
+not know where to find official packages, nor have the known public key
+for signature checking.
+
+The bootstrap tool was also improved in 10.0-RELEASE to check the
+signature on the pkg(7) package it is installing.
+
+II.  Problem Description
+
+Only FreeBSD 10.0 has been released with the official repository
+configuration, known public keys, and a bootstrap tool that checks the
+signature of the pkg(7) package it is installing.
+
+To allow packages to be used on a system, the configuration must be
+manually setup and keys securely fetched and installed to the proper
+location.
+
+III. Impact
+
+Releases before 10.0 require manual configuration.  Manually configuring the
+pkg(7) signatures could result in insecurely installing the keys or leaving
+the signature checking disabled.
+
+The bootstrap tool is not secure on releases prior to 10.0 due to not checking
+the signature and could result in having an unofficial pkg(7) installed due to
+MITM attacks.
+
+IV.  Workaround
+
+To securely install pkg(7) on releases prior to 10.0, install it from ports
+obtained from a secure portsnap checkout:
+
+# portsnap fetch extract
+# echo "WITH_PKGNG=yes" >> /etc/make.conf
+# make -C /usr/ports/ports-mgmt/pkg install clean
+
+If this is an existing system it may be converted to pkg(7) as well by running:
+
+# pkg2ng
+
+After this is done /usr/ports may be removed if no longer required.
+
+To workaround the configuration and keys being missed, apply the solution in
+this Errata.
+
+V.   Solution
+
+No solution is provided for pkg(7) bootstrap signature checking on releases prior
+to 10.0.  Upgrading to 10.0 or stable/9 after r263038 will suffice.
+
+To install the configuration and public key in a secure means, perform one of
+the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.2]
+# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc
+# gpg --verify pkg-en-releng-9.2.patch.asc
+
+[FreeBSD 9.1]
+# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc
+# gpg --verify pkg-en-releng-9.1.patch.asc
+
+[FreeBSD 8.4]
+# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc
+# gpg --verify pkg-en-releng-8.4.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+# cd /usr/src/etc/pkg
+# mkdir -p /etc/pkg /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
+# make install
+# cd /usr/src/share/keys/pkg
+# make install
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r264519
+releng/8.4/                                                       r265989
+stable/9/                                                         r263937 (*)
+releng/9.1/                                                       r265988
+releng/9.2/                                                       r265988
+- -------------------------------------------------------------------------
+
+(*) The actual required changeset consists a series of changes, including
+r263023,r258550,r263050,r263053 and r263937.
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+
+iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnPgsP/i1EV9g4qXg9v6HvakiFFKrv
+51810uJe/Eo9iujDT1TpwuYJuFQPzkW+h4JRvapaSLAMxeLsYqxj8WDuKz0eU6sW
+WjaPv6LZWUG91jHbFr3uEAgLLvkc86kMI/hfSmzq5FY7gsisEKoyfdraR2E63jtp
+BFARxAq9hnddck5zZiX7wCOMtvCVrvrSsozft1p885AUra+Tg9F1RuUloS0CYddD
+FtUb1dPMshkHlqHqC1wGzRfBVFgX7NnXfnxIi2St1ft0tEDKIL+HQgnjU2CwKbK7
+S9ioLYbbUhyo6edpS/4+y5gJ1kVLvlelY4myBHUkSOMJrsxoIBCTuXjdnO9PL5gr
+qpS9R6TQEMF5auEG5aIOwfu5t8wqczAfC4zVzbm4UPakRYPFS0NfvkDGW2Gno7Yh
+iOur/JFLUOqbV9i8UwssS8OzG0cr8EzbZ3iLkVPqt1Cxuxxpx8+NYiYV3F0PMxB8
+iImoOD1BY0lS3x0gqgeZb5ssBk988aVq1cmbrUuriHuKLK/uvSaFHlGXprQyQmTn
+4FEFmMNTCSMbYy3J2daEajUroiZVcBEjORPFR8QYtncRgbzB6u/AjVIo+3Uk/0hj
+paC8dvBikmT7ity3b7YoOvJIJn62XVqrq9srkYowkDuLJ1E8zQqmR2eZUOmf5vG1
+u3zAXa3xup1ginA9Wi6O
+=UI84
+-----END PGP SIGNATURE-----
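
Review bot: the signature download URLs under [FreeBSD 9.2] and [FreeBSD 9.1] in section V point at `EN-14:10/` while the patch URLs and the 8.4 entry use `EN-14:03/`, so `fetch` retrieves the wrong (or no) `.asc` file and the `gpg --verify` step the notice itself requires cannot succeed; they should read `# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch.asc` and `# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch.asc`. Wording: in IV, "To workaround the configuration and keys being missed" reads better as "To work around the missing configuration and keys"; in VI, "consists a series of changes" should be "consists of a series of changes".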

Added: head/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:04.kldxref                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Build repeatability for kldxref(8)
+
+Category:       core
+Module:         kldxref
+Announced:      2014-05-13
+Credits:        Jilles Tjoelker
+Affects:        All versions of FreeBSD prior to 10.0-RELEASE.
+Corrected:      2014-05-13 23:35:29 UTC (stable/8, 8.4-STABLE)
+                2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10)
+                2013-12-23 22:38:41 UTC (stable/9, 9.2-STABLE)
+                2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
+                2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The kldxref utility is used to generate hint files which list modules, their
+version numbers, and the files that contain them.  These hints are used by
+the kernel loader to determine where to find a particular KLD module.
+
+II.  Problem Description
+
+Previous versions of kldxref(8) do not use an ordered list of files when
+generating the hints file.  The result of kldxref(8) is equivalent but not
+the same if file system layout have been changed.
+
+III. Impact
+
+The generated hint files can be different across different builds, making
+unnecessary downloads for binary patch files.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch.asc
+# gpg --verify kldxref.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r265990
+releng/8.4/                                                       r265989
+stable/9/                                                         r259799
+releng/9.1/                                                       r265988
+releng/9.2/                                                       r265988
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:04.kldxref.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+=W4to
+-----END PGP SIGNATURE-----
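
Review bot: in II, "The result of kldxref(8) is equivalent but not the same if file system layout have been changed" has a number-agreement error ("has been changed") and is vague about what differs; since III depends on it, state the property directly, e.g. "the generated hints file is functionally equivalent but not byte-identical when the file system layout differs", and in III "making unnecessary downloads for binary patch files" should be "causing unnecessary downloads of binary patch files".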

Added: head/share/security/advisories/FreeBSD-EN-14:05.ciss.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:05.ciss.asc	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:05.ciss                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          data corruption with ciss(4)
+
+Category:       core
+Module:         ciss
+Announced:      2014-05-13
+Credits:        Sean Bruno
+Affects:        FreeBSD 10.x and FreeBSD 9.x
+Corrected:      2014-04-15 17:52:22 UTC (stable/9, 9.2-STABLE)
+                2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6)
+                2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13)
+                2014-04-15 17:49:47 UTC (stable/10, 10.0-STABLE)
+                2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The ciss driver supports HP Smart Array line of hardware RAID controllers.
+
+II.  Problem Description
+
+There is a programming error discovered in the ciss(4) driver, where a missing
+lock can trigger a failed assertion when the volume state changes, such as
+disk failure or a disk rebuild.
+
+III. Impact
+
+Systems using the ciss(4) driver may experience system crashes or data
+corruption when the volume state change.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not use ciss(4) devices are
+not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc
+# gpg --verify ciss-10.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r264511
+releng/9.1/                                                       r265988
+releng/9.2/                                                       r265988
+stable/10/                                                        r264510
+releng/10.0/                                                      r265987
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:05.ciss.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+=orSF
+-----END PGP SIGNATURE-----
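
Review bot: step a) in section V fetches `ciss.patch.asc` but then runs `# gpg --verify ciss-10.patch.asc`, a file that was never downloaded, so the verification step fails as written; it should be `# gpg --verify ciss.patch.asc`. Grammar in I-III: "supports HP Smart Array line" needs "the HP Smart Array line"; "There is a programming error discovered in the ciss(4) driver" reads better as "A programming error was discovered in the ciss(4) driver"; and "when the volume state change" should be "when the volume state changes".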

Added: head/share/security/advisories/FreeBSD-SA-14:10.openssl.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:10.openssl.asc	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:10.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSL NULL pointer deference vulnerability
+
+Category:       contrib
+Module:         openssl
+Announced:      2014-05-13
+Affects:        FreeBSD 10.x.
+Corrected:      2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE)
+                2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
+CVE Name:       CVE-2014-0198
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+The TLS protocol supports an alert protocol which can be used to signal the
+other party with certain failures in the protocol context that may require
+immediate termination of the connection.
+
+II.  Problem Description
+
+An attacker can trigger generation of an SSL alert which could cause a null
+pointer deference.
+
+III. Impact
+
+An attacker may be able to cause a service process that uses OpenSSL to crash,
+which can be used in a denial-of-service attack.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not use OpenSSL to implement
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process
+to handle multiple SSL connections, are not vulnerable.
+
+The FreeBSD base system service daemons and utilities do not use the
+SSL_MODE_RELEASE_BUFFERS mode.  However, many third party software uses this
+mode to reduce their memory footprint and may therefore be affected by this
+issue.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r265986
+releng/10.0/                                                      r265987
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig>
+
+<URL:https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:10.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+=4EYM
+-----END PGP SIGNATURE-----
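
Review bot: "deference" in the Topic line and in section II should be "dereference" (NULL pointer dereference), and "deamons" in section V should be "daemons". The exemption sentence in IV is ambiguous as written: "or not using SSL_MODE_RELEASE_BUFFERS and use the same process to handle multiple SSL connections, are not vulnerable" does not make clear whether not enabling SSL_MODE_RELEASE_BUFFERS alone is sufficient or whether the multiple-connections condition also matters; restate it with parallel structure ("systems that do not use OpenSSL for SSL/TLS, or whose applications do not enable SSL_MODE_RELEASE_BUFFERS, ...") so the next paragraph's statement about base-system daemons follows from it. Separately, the commit log announces this advisory as [SA-14:09] while the file and its References URL name it FreeBSD-SA-14:10.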

Added: head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,232 @@
+Index: etc/Makefile
+===================================================================
+--- etc/Makefile	(revision 265457)
++++ etc/Makefile	(working copy)
+@@ -172,6 +172,7 @@ distribution:
+ 	${_+_}cd ${.CURDIR}/devd; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/gss; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
++	${_+_}cd ${.CURDIR}/pkg; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall
+ 	${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
+Index: etc/mtree/BSD.root.dist
+===================================================================
+--- etc/mtree/BSD.root.dist	(revision 265457)
++++ etc/mtree/BSD.root.dist	(working copy)
+@@ -52,6 +52,8 @@
+             weekly
+             ..
+         ..
++        pkg
++        ..
+         ppp
+         ..
+         rc.d
+Index: etc/mtree/BSD.usr.dist
+===================================================================
+--- etc/mtree/BSD.usr.dist	(revision 265457)
++++ etc/mtree/BSD.usr.dist	(working copy)
+@@ -340,6 +340,14 @@
+         ..
+         info
+         ..
++        keys
++            pkg
++                revoked
++                ..
++                trusted
++                ..
++            ..
++        ..
+         locale
+             UTF-8
+             ..
+Index: etc/pkg/FreeBSD.conf
+===================================================================
+--- etc/pkg/FreeBSD.conf	(revision 0)
++++ etc/pkg/FreeBSD.conf	(working copy)
+@@ -0,0 +1,16 @@
++# $FreeBSD$
++#
++# To disable this repository, instead of modifying or removing this file,
++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
++#
++#   mkdir -p /usr/local/etc/pkg/repos
++#   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
++#
++
++FreeBSD: {
++  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
++  mirror_type: "srv",
++  signature_type: "fingerprints",
++  fingerprints: "/usr/share/keys/pkg",
++  enabled: yes
++}
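
Review bot: this repository is reached over plain `pkg+http://` with `mirror_type: "srv"`, so authenticity of the catalogue and packages rests entirely on `signature_type: "fingerprints"` resolving against `/usr/share/keys/pkg`; the header comment explains how to disable the repository but says nothing about that dependency. A one-line comment noting that the trusted fingerprint installed by share/keys/pkg/trusted must be present, and that `signature_type` and `fingerprints` should not be removed when this file is copied to /usr/local/etc/pkg/repos as an override, would keep operators from silently turning the check off, which is exactly the failure mode section III of the notice describes.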
+Index: etc/pkg/Makefile
+===================================================================
+--- etc/pkg/Makefile	(revision 0)
++++ etc/pkg/Makefile	(working copy)
+@@ -0,0 +1,10 @@
++# $FreeBSD$
++
++NO_OBJ=
++
++FILES=	FreeBSD.conf
++
++FILESDIR=	/etc/pkg
++FILESMODE=	644
++
++.include <bsd.prog.mk>
+Index: share/Makefile
+===================================================================
+--- share/Makefile	(revision 265457)
++++ share/Makefile	(working copy)
+@@ -9,6 +9,7 @@ SUBDIR=	${_colldef} \
+ 	${_dict} \
+ 	${_doc} \
+ 	${_examples} \
++	keys \
+ 	${_man} \
+ 	${_me} \
+ 	misc \
+Index: share/keys/Makefile
+===================================================================
+--- share/keys/Makefile	(revision 0)
++++ share/keys/Makefile	(working copy)
+@@ -0,0 +1,5 @@
++# $FreeBSD$
++
++SUBDIR= pkg
++
++.include <bsd.subdir.mk>
+Index: share/keys/pkg/Makefile
+===================================================================
+--- share/keys/pkg/Makefile	(revision 0)
++++ share/keys/pkg/Makefile	(working copy)
+@@ -0,0 +1,5 @@
++# $FreeBSD$
++
++SUBDIR=	trusted
++
++.include <bsd.subdir.mk>
+Index: share/keys/pkg/trusted/Makefile
+===================================================================
+--- share/keys/pkg/trusted/Makefile	(revision 0)
++++ share/keys/pkg/trusted/Makefile	(working copy)
+@@ -0,0 +1,10 @@
++# $FreeBSD$
++
++NO_OBJ=
++
++FILES=	pkg.freebsd.org.2013102301
++
++FILESDIR=	/usr/share/keys/pkg/trusted
++FILESMODE=	644
++
++.include <bsd.prog.mk>
+Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301
+===================================================================
+--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301	(revision 0)
++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301	(working copy)
+@@ -0,0 +1,4 @@
++# $FreeBSD$
++
++function: "sha256"
++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
+Index: share/man/man7/hier.7
+===================================================================
+--- share/man/man7/hier.7	(revision 265457)
++++ share/man/man7/hier.7	(working copy)
+@@ -32,7 +32,7 @@
+ .\"	@(#)hier.7	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd May 25, 2008
++.Dd October 29, 2013
+ .Dt HIER 7
+ .Os
+ .Sh NAME
+@@ -546,6 +546,16 @@ ASCII text files used by various games
+ device description file for device name
+ .It Pa info/
+ GNU Info hypertext system
++.It Pa keys/
++known trusted and revoked keys.
++.Bl -tag -width ".Pa keys/pkg/" -compact
++.It Pa keys/pkg/
++fingerprints for
++.Xr pkg 7
++and
++.Xr pkg 8
++.El
++.Pp
+ .It Pa locale/
+ localization files;
+ see
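
Review bot: style: the new `keys/` entry "known trusted and revoked keys." starts lowercase and ends with a period, while the neighbouring entries in this hunk ("GNU Info hypertext system", "device description file for device name") carry no trailing period; drop it for consistency. The sub-list also documents only `keys/pkg/`, while the BSD.usr.dist hunk in this same patch creates both `keys/pkg/trusted` and `keys/pkg/revoked`; listing the two subdirectories would tell readers where a trusted versus a revoked fingerprint belongs.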
+Index: usr.sbin/pkg/pkg.c
+===================================================================
+--- usr.sbin/pkg/pkg.c	(revision 265457)
++++ usr.sbin/pkg/pkg.c	(working copy)
+@@ -284,13 +284,10 @@ bootstrap_pkg(void)
+ {
+ 	struct url *u;
+ 	FILE *remote;
+-	FILE *config;
+-	char *site;
+ 	struct dns_srvinfo *mirrors, *current;
+ 	/* To store _https._tcp. + hostname + \0 */
+ 	char zone[MAXHOSTNAMELEN + 13];
+ 	char url[MAXPATHLEN];
+-	char conf[MAXPATHLEN];
+ 	char abi[BUFSIZ];
+ 	char tmppkg[MAXPATHLEN];
+ 	char buf[10240];
+@@ -306,7 +303,6 @@ bootstrap_pkg(void)
+ 	max_retry = 3;
+ 	ret = -1;
+ 	remote = NULL;
+-	config = NULL;
+ 	current = mirrors = NULL;
+ 
+ 	printf("Bootstrapping pkg please wait\n");
+@@ -387,26 +383,6 @@ bootstrap_pkg(void)
+ 	if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0)
+ 		ret = install_pkg_static(pkgstatic, tmppkg);
+ 
+-	snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf",
+-	    getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE);
+-
+-	if (access(conf, R_OK) == -1) {
+-		site = strrchr(url, '/');
+-		if (site == NULL)
+-			goto cleanup;
+-		site[0] = '\0';
+-		site = strrchr(url, '/');
+-		if (site == NULL)
+-			goto cleanup;
+-		site[0] = '\0';
+-
+-		config = fopen(conf, "w+");
+-		if (config == NULL)
+-			goto cleanup;
+-		fprintf(config, "packagesite: %s\n", url);
+-		fclose(config);
+-	}
+-
+ 	goto cleanup;
+ 
+ fetchfail:
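
Review bot: removing the block that wrote `packagesite: <url>` into `${LOCALBASE}/etc/pkg.conf` is the right fix: that URL was derived by stripping path components from wherever the unsigned bootstrap package was fetched (the SRV-selected mirror from `dns_srvinfo *mirrors` above), which promoted an unauthenticated download location into the permanent package source, whereas the repository is now defined by /etc/pkg/FreeBSD.conf with fingerprint checking. One follow-up for the notice rather than the code: systems bootstrapped by the old code already have such a `packagesite:` line in `${LOCALBASE}/etc/pkg.conf`, and neither this patch nor step 2b of EN-14:03 removes or mentions it; the notice should tell administrators to check for and remove that stale entry so that the fingerprint-checked repository is the one actually used.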
+@@ -423,7 +399,11 @@ cleanup:
+ 
+ static const char confirmation_message[] =
+ "The package management tool is not yet installed on your system.\n"
+-"Do you want to fetch and install it now? [y/N]: ";
++"The mechanism for doing this is not secure on FreeBSD 8. To securely install\n"
++"pkg(8), use ports from a portsnap checkout:\n"
++"  # portsnap fetch extract\n"
++"  # make -C /usr/ports/ports-mgmt/pkg install clean\n"
++"Do you still want to fetch and install it now? [y/N]: ";
+ 
+ static int
+ pkg_query_yes_no(void)
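
Review bot: the new prompt text gives `portsnap fetch extract` and `make -C /usr/ports/ports-mgmt/pkg install clean` but omits the `echo "WITH_PKGNG=yes" >> /etc/make.conf` step that section IV of EN-14:03 lists for the same procedure, and it calls the tool pkg(8) where the notice consistently says pkg(7); align the two so a user following the prompt ends up with the same configuration as one following the notice. Keeping the default answer at [y/N] is right, since the insecure bootstrap path now requires an explicit opt-in after the warning.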

Added: head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,17 @@

Added: head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch	Tue May 13 23:55:52 2014	(r44822)
@@ -0,0 +1,229 @@
+Index: etc/Makefile
+===================================================================
+--- etc/Makefile	(revision 265457)
++++ etc/Makefile	(working copy)
+@@ -205,6 +205,7 @@ distribution:
+ 	${_+_}cd ${.CURDIR}/devd; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/gss; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
++	${_+_}cd ${.CURDIR}/pkg; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install
+ 	${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall
+ 	${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
+Index: etc/mtree/BSD.root.dist
+===================================================================
+--- etc/mtree/BSD.root.dist	(revision 265457)
++++ etc/mtree/BSD.root.dist	(working copy)
+@@ -52,6 +52,8 @@
+             weekly
+             ..
+         ..
++        pkg
++        ..
+         ppp
+         ..
+         rc.d
+Index: etc/mtree/BSD.usr.dist
+===================================================================
+--- etc/mtree/BSD.usr.dist	(revision 265457)
++++ etc/mtree/BSD.usr.dist	(working copy)
+@@ -398,6 +398,14 @@
+ 		..
+ 	    ..
+         ..
++        keys
++            pkg
++                revoked
++                ..
++                trusted
++                ..
++            ..
++        ..
+         locale
+             UTF-8
+             ..
+Index: etc/pkg/FreeBSD.conf
+===================================================================
+--- etc/pkg/FreeBSD.conf	(revision 0)
++++ etc/pkg/FreeBSD.conf	(working copy)
+@@ -0,0 +1,16 @@
++# $FreeBSD$
++#
++# To disable this repository, instead of modifying or removing this file,
++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
++#
++#   mkdir -p /usr/local/etc/pkg/repos
++#   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
++#
++
++FreeBSD: {
++  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
++  mirror_type: "srv",
++  signature_type: "fingerprints",
++  fingerprints: "/usr/share/keys/pkg",
++  enabled: yes
++}
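Review bot: `url` uses `pkg+http` with `mirror_type: "srv"`, so the repository is located via DNS SRV records and fetched over plain HTTP, and integrity rests entirely on `signature_type: "fingerprints"` together with the directory named in `fingerprints`; the header comment, which already explains how to disable the repository via `/usr/local/etc/pkg/repos/FreeBSD.conf`, should also say that overriding `signature_type` there removes the only authentication step, and that `fingerprints` must name the parent directory holding `trusted/` and `revoked/` (the two subdirectories added in etc/mtree/BSD.usr.dist), not `trusted/` itself.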
+Index: etc/pkg/Makefile
+===================================================================
+--- etc/pkg/Makefile	(revision 0)
++++ etc/pkg/Makefile	(working copy)
+@@ -0,0 +1,10 @@
++# $FreeBSD$
++
++NO_OBJ=
++
++FILES=	FreeBSD.conf
++
++FILESDIR=	/etc/pkg
++FILESMODE=	644
++
++.include <bsd.prog.mk>
+Index: share/Makefile
+===================================================================
+--- share/Makefile	(revision 265457)
++++ share/Makefile	(working copy)
+@@ -10,6 +10,7 @@ SUBDIR=	${_colldef} \
+ 	${_doc} \
+ 	${_examples} \
+ 	${_i18n} \
++	keys \
+ 	${_man} \
+ 	${_me} \
+ 	misc \
+Index: share/keys/Makefile
+===================================================================
+--- share/keys/Makefile	(revision 0)
++++ share/keys/Makefile	(working copy)
+@@ -0,0 +1,5 @@
++# $FreeBSD$
++
++SUBDIR= pkg
++
++.include <bsd.subdir.mk>
+Index: share/keys/pkg/Makefile
+===================================================================
+--- share/keys/pkg/Makefile	(revision 0)
++++ share/keys/pkg/Makefile	(working copy)
+@@ -0,0 +1,5 @@
++# $FreeBSD$
++
++SUBDIR=	trusted
++
++.include <bsd.subdir.mk>
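Review bot: `SUBDIR= trusted` means nothing is ever installed under `revoked`, although etc/mtree/BSD.usr.dist creates that directory; an empty directory is fine, but a one-line comment here stating that revoked fingerprints are expected to be placed in `/usr/share/keys/pkg/revoked` would make the intended use of the empty directory explicit to the next person touching this Makefile.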
+Index: share/keys/pkg/trusted/Makefile
+===================================================================
+--- share/keys/pkg/trusted/Makefile	(revision 0)
++++ share/keys/pkg/trusted/Makefile	(working copy)
+@@ -0,0 +1,10 @@
++# $FreeBSD$
++
++NO_OBJ=
++
++FILES=	pkg.freebsd.org.2013102301
++
++FILESDIR=	/usr/share/keys/pkg/trusted
++FILESMODE=	644
++
++.include <bsd.prog.mk>
+Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301
+===================================================================
+--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301	(revision 0)
++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301	(working copy)
+@@ -0,0 +1,4 @@
++# $FreeBSD$
++
++function: "sha256"
++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
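Review bot: this `fingerprint` value is the sole trust anchor for the `pkg+http` repository declared in etc/pkg/FreeBSD.conf, where the transport itself provides no authentication, so the reviewer should verify the SHA-256 out of band against the key published for pkg.FreeBSD.org rather than approve it by eye; the file name carries a date (2013102301) but neither this file nor the Makefile records how a replacement key is introduced or the old one moved to `revoked`, which the hier.7 text being added should cover.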
+Index: share/man/man7/hier.7
+===================================================================
+--- share/man/man7/hier.7	(revision 265457)
++++ share/man/man7/hier.7	(working copy)
+@@ -32,7 +32,7 @@
+ .\"	@(#)hier.7	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd May 25, 2008
++.Dd October 29, 2013
+ .Dt HIER 7
+ .Os
+ .Sh NAME
+@@ -546,6 +546,16 @@ ASCII text files used by various games
+ device description file for device name
+ .It Pa info/
+ GNU Info hypertext system
++.It Pa keys/
++known trusted and revoked keys.
++.Bl -tag -width ".Pa keys/pkg/" -compact

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
