svn commit: r46499 - in head/share: security/advisories security/patches/SA-15:04 security/patches/SA-15:07 security/patches/SA-15:08 security/patches/SA-15:09 xml

Xin LI delphij at FreeBSD.org
Tue Apr 7 20:36:39 UTC 2015


Author: delphij
Date: Tue Apr  7 20:36:34 2015
New Revision: 46499
URL: https://svnweb.freebsd.org/changeset/doc/46499

Log:
  Add 3 new advisories and patches.

Added:
  head/share/security/advisories/FreeBSD-SA-15:07.ntp.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:09.ipv6.asc   (contents, props changed)
  head/share/security/patches/SA-15:04/igmp-errata.patch   (contents, props changed)
  head/share/security/patches/SA-15:04/igmp-errata.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:07/
  head/share/security/patches/SA-15:07/ntp.patch   (contents, props changed)
  head/share/security/patches/SA-15:07/ntp.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:08/
  head/share/security/patches/SA-15:08/bsdinstall.patch   (contents, props changed)
  head/share/security/patches/SA-15:08/bsdinstall.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:09/
  head/share/security/patches/SA-15:09/ipv6.patch   (contents, props changed)
  head/share/security/patches/SA-15:09/ipv6.patch.asc   (contents, props changed)
Modified:
  head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc
  head/share/xml/advisories.xml

Modified: head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc
==============================================================================
--- head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc	Tue Apr  7 17:18:50 2015	(r46498)
+++ head/share/security/advisories/FreeBSD-SA-15:04.igmp.asc	Tue Apr  7 20:36:34 2015	(r46499)
@@ -9,23 +9,27 @@ Topic:          Integer overflow in IGMP
 
 Category:       core
 Module:         igmp
-Announced:      2015-02-25
+Announced:      2015-02-25; Last revised on 2015-04-07
 Credits:        Mateusz Kocielski, Logicaltrust,
                 Marek Kroemeke, and 22733db72ab3ed94b5f8a1ffcde850251fe6f466
 Affects:        All supported versions of FreeBSD.
-Corrected:      2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE)
-                2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
-                2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
-                2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE)
-                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
-                2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE)
-                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
+Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
+                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
+                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
+                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
+                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
+                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
 CVE Name:       CVE-2015-1414
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:https://security.FreeBSD.org/>.
 
+0.   Revision history
+
+v1.0  2015-02-25 Initial release.
+v1.1  2015-04-07 Revised patch to address a potential overflow issue.
+
 I.   Background
 
 IGMP is a control plane protocol used by IPv4 hosts and routers to propagate
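Review bot: In the header block, the rewritten Corrected: list drops the releng/10.0 (10.0-RELEASE-p18) entry and overwrites the 2015-02-25 timestamps, while the new v1.1 revision history entry only says "Revised patch to address a potential overflow issue." A reader can no longer tell from this file when the first fix landed or what happened to 10.0. Suggest keeping the original correction dates alongside the new ones, or extending the v1.1 entry to say that the dates now refer to the revised patch and why releng/10.0 is no longer listed.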
@@ -73,6 +77,10 @@ detached PGP signature using your PGP ut
 # fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
 # gpg --verify igmp.patch.asc
 
+# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch.asc
+# gpg --verify igmp-errata.patch.asc
+
 b) Apply the patch.  Execute the following commands as root:
 
 # cd /usr/src
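Review bot: The three lines added to step a) fetch and verify igmp-errata.patch, but nothing says how it relates to igmp.patch, and step b) is not touched by this commit (the next hunk starts at old line 89). The errata patch added in this same commit is a diff against code that already contains the srclen check, so it appears to apply on top of igmp.patch. Suggest stating that explicitly, covering both the case where the original patch is already applied and the case where it is not, and giving the order in which the two are applied.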
@@ -89,13 +97,12 @@ affected branch.
 
 Branch/path                                                      Revision
 - -------------------------------------------------------------------------
-stable/8/                                                         r279263
-releng/8.4/                                                       r279265
-stable/9/                                                         r279263
-releng/9.3/                                                       r279265
-stable/10/                                                        r279263
-releng/10.0/                                                      r279264
-releng/10.1/                                                      r279264
+stable/8/                                                         r281231
+releng/8.4/                                                       r281233
+stable/9/                                                         r281231
+releng/9.3/                                                       r281233
+stable/10/                                                        r281230
+releng/10.1/                                                      r281232
 - -------------------------------------------------------------------------
 
 To see which files were modified by a particular revision, run the
@@ -115,19 +122,19 @@ VII. References
 The latest revision of this advisory is available at
 <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc>
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.1.1 (FreeBSD)
+Version: GnuPG v2.1.2 (FreeBSD)
 
-iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnjr8QAL0J0+4lRtPXRyDRX2xFSnzw
-sc3OpfmlTiD3pCFkebTYy3/+EK86iAL1ZELqlJe5mm2+pzhCQB13C4/exc0l1U6b
-tyiGXxhVi2/4SBrs6n9lmB/YhXkgtqaOQAcNaOD6sVbS1e5cBtjnG86oOq8tQ2qG
-c7Dvh3HTp9M5fDJtsI40SIpqy3FcKORBfpjYd8jONfSqMnLM2kM8xzwHSv4/X23e
-GlDKHtIi+1ylD/Qu7Z3S7hqXDTSYjZb1QHc7axDFB6X6nj2Rz3aWS2hPPTypFd3T
-zTj5DZjgiP7U2LhR40sWW68RYi21yzNUwbe0w5LeDah6Ymc5CDO2ujdm3HDQbQGH
-pA9QIOjzpgR64nWLIJfZ7jMxL3rCCaCW3NCB/iRXni2Ib/wt3ZDkJyEk/SF4K82H
-72U2u2qVjAsnhmwWK8gksBi9bEXk3TnX778bkrwm4rt1xOjACq8k66LAernoE4tB
-DkE0pO4QR+6XwFb5sJMG/3L9CmrhTp2pkPDBQDbSD+ngBs5V5mJOqVf7gB+UptnN
-Fh8OACO/5KtDkqBDsCljHxHZNaboVF4Q613+iF5CUc6SYOTkLnBDUE4Pq38vlzVB
-GdZMEo/hvsCbR4c2TmdKuvEkEqayxCxcv0DXiyTlVCecxSkaYvMXPwCKK43QtS7S
-het83QCUxaVuxLiznuwR
-=lkYC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+=y2yR
 -----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-15:07.ntp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:07.ntp.asc	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:07.ntp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities of ntp
+
+Category:       contrib
+Module:         ntp
+Announced:      2015-04-07
+Credits:        Network Time Foundation
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
+                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
+                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
+                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
+                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
+                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
+CVE Name:       CVE-2014-9297, CVE-2015-1798, CVE-2015-1799
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
+used to synchronize the time of a computer system to a reference time
+source.
+
+II.  Problem Description
+
+The vallen packet value is not validated in several code paths in
+ntp_crypto.c. [CVE-2014-9297]
+
+When ntpd(8) is configured to use a symmetric key to authenticate a remote
+NTP server/peer, it checks if the NTP message authentication code (MAC)
+in received packets is valid, but not that there actually is any MAC
+included, and packets without a MAC are accepted as if they had a valid
+MAC. [CVE-2015-1798]
+
+NTP state variables are updated prior to validating the received packets.
+[CVE-2015-1799]
+
+III. Impact
+
+A remote attacker who can send specifically crafted packets may be able
+to reveal memory contents of ntpd(8) or cause it to crash, when ntpd(8)
+is configured to use autokey. [CVE-2014-9297]
+
+A man-in-the-middle (MITM) attacker can send specially forged packets
+that would be accepted by the client/peer without having to know the
+symmetric key. [CVE-2015-1798]
+
+An attacker knowing that NTP hosts A and B are peering with each other
+(symmetric association) can periodically send a specially crafted or
+replayed packet which will break the synchronization between the two
+peers due to transmit timestamp mismatch, preventing the two nodes from
+synchronizing with each other, even when authentication is enabled.
+[CVE-2015-1799]
+
+IV.  Workaround
+
+No workaround is available, but systems not running ntpd(8) are not
+affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
+# gpg --verify ntp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r281231
+releng/8.4/                                                       r281233
+stable/9/                                                         r281231
+releng/9.3/                                                       r281233
+stable/10/                                                        r281230
+releng/10.1/                                                      r281232
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:07.ntp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=1fHm
+-----END PGP SIGNATURE-----
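Review bot: Section IV says no workaround is available, yet section III limits CVE-2014-9297 to ntpd(8) configured to use autokey and section II ties CVE-2015-1798 to symmetric key authentication. Suggest stating in IV which configurations are exposed to which CVE so administrators can judge urgency. Smaller points: step 3c ends with "Restart the applicable daemons" without naming ntpd(8), and III uses "specifically crafted" in one paragraph and "specially forged" / "specially crafted" in the next two; pick one wording.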

Added: head/share/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:08.bsdinstall                                 Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Insecure default GELI keyfile permissions
+
+Category:       core
+Module:         bsdinstall
+Announced:      2015-04-07
+Credits:        Pierre Kim
+Affects:        FreeBSD 10.1.
+Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
+                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
+CVE Name:       CVE-2015-1415
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The GEOM ELI class, or geli(8) implements encryption on GEOM providers which
+supports various cryptographic encryption and authentication methods as
+well as hardware acceleration.  Each geli(8) provider has two key slots,
+and each slot holds a copy of its master key encrypted by a keyfile and/or
+a passphrase chosen by the system administrator.
+
+The bsdinstall(8) installer is the default system installer of FreeBSD since
+FreeBSD 10.0-RELEASE.
+
+II.  Problem Description
+
+The default permission set by bsdinstall(8) installer when configuring full
+disk encrypted ZFS is too open.
+
+III. Impact
+
+A local attacker may be able to get a copy of the geli(8) provider's
+keyfile which is located at a fixed location.
+
+IV.  Solution
+
+Note well: due to the nature of this issue, there is no way to fix this
+issue for already installed systems without human intervention.  System
+administrators are advised to assume that the keyfile have already been
+leaked and a new keyfile is necessary.
+
+The system administrator can create a new keyfile with the correct
+permissions, and change the key slot that holds the master key encrypted
+with the old keyfile.
+
+For example, if the GELI provider is /dev/ada0, the system administrator
+can do the following:
+
+# umask 077
+# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
+# umask 022
+# geli setkey -K /boot/encryption.key.new /dev/ada0p3
+Enter new passphrase:
+Reenter new passphrase:
+
+(Repeat the geli setkey command if multiple providers are used)
+
+# mv /boot/encryption.key.new /boot/encryption.key
+# ls -l /boot/encryption.key
+
+Make sure that the new /boot/encryption.key can only be read by root.
+
+The FreeBSD stable and security branch (releng) and the changes are mainly
+intended for system integrators who build their own installation image for
+new installations.
+
+V.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r281230
+releng/10.1/                                                      r281232
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VI. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=wg1b
+-----END PGP SIGNATURE-----
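Review bot: In section IV the example is introduced with "if the GELI provider is /dev/ada0" but the geli setkey command operates on /dev/ada0p3; make the two agree. The text also says to "change the key slot that holds the master key encrypted with the old keyfile", while the command line does not say which of the two slots described in section I is rewritten, so a sentence on how to confirm that the old keyfile no longer unlocks the provider would help. Minor: "the keyfile have" should be "has", and the last paragraph of IV ("The FreeBSD stable and security branch (releng) and the changes are mainly intended...") does not parse as written.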

Added: head/share/security/advisories/FreeBSD-SA-15:09.ipv6.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:09.ipv6.asc	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:09.ipv6                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Denial of Service with IPv6 Router Advertisements
+
+Category:       core
+Module:         ipv6
+Announced:      2015-04-07
+Credits:        Dennis Ljungmark
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
+                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
+                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
+                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
+                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
+                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
+CVE Name:       CVE-2015-2923
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
+address of other nodes, find routers, and maintain reachability information.
+Routers advertise their presence together with various link and Internet
+parameters either periodically, or in response to a Router Solicitation
+message, using Router Advertisement (ICMPv6 type 134).
+
+II.  Problem Description
+
+The Neighbor Discover Protocol allows a local router to advertise a
+suggested Current Hop Limit value of a link, which will replace
+Current Hop Limit on an interface connected to the link on the FreeBSD
+system.
+
+III. Impact
+
+When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets
+may get dropped before they reached their destinations.
+
+By sending specifically crafted Router Advertisement packets, an attacker
+on the local network can cause the FreeBSD system to lose the ability to
+communicate with another IPv6 node on a different network.
+
+IV.  Workaround
+
+Only systems that are manually configured to use "accept_rtadv"
+ifconfig(8) flag on an interface are affected.
+
+The system administrator may decide to disable acceptance of Router
+Advertisements from untrusted network in a per-interface basis, by
+removing accept_rtadv flag at run time using ifconfig(8):
+
+	ifconfig em0 inet6 -accept_rtadv
+
+Note that an interface does not accept Router Advertisement messages
+by default even if an IPv6 address is configured.  One can know
+whether an interface is accepting Router Advertisement message or not
+from existence of ACCEPT_RTADV in "nd6 options" line in an output of
+ifconfig(8):
+
+	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r281231
+releng/8.4/                                                       r281233
+stable/9/                                                         r281231
+releng/9.3/                                                       r281233
+stable/10/                                                        r281230
+releng/10.1/                                                      r281232
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2923>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:09.ipv6.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+
+iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn13cQANJCk2LXSX8GDHGzWnD+D5gN
+rNC4Q8n9CnN80ZO/0Pk0Xx2VAtr3CKxflBTXBKISKuY+dWOzNvuUuUUkrB9SlyTj
+MYpqAljnBT0JkosGGBKJwt39DjW34HWlaj9wEPr1SdIq5vQO0cXS2glVPI/CQuy3
+NwnpaAmftAG4eMSYojOeodXniha/ZasFap5Zj+1dgofFHEP87zxefP2IamG1Cq72
+d8YJSCD8yy51mZ7dVFM29R3FAFdMpponci31dXGb5p8pj0yzVfvI/HF1MRK+x8Nz
+R0/jFOHY4TR26BfKsc4Nc6Ze7jdZHUP1qWoL2O6HiLVqws0nQp3jma7FkMrUMuui
+H9kAQaIc27tJOkSK4Gdc/dwzHgb3xr2fNfOjvbUv3VNjzijTzbzKfRlVH77EAxAi
+sQfUcql/toGdC/QaOlhC8+v5jHdwkLdpfRc4QdsV1rKDAA8mj068sJQS/yAig8E8
+QUNmB3UK1QsX3tmy0JuDJk7tr/jjnhl2Jt9Skvm70xUiA7G05Z1qouErkIAjwikY
+zQSPpSQebi3am9TtK/GViOjEVpWLYzLFYo6laR8wMw9eJsj0xlF8Qqz+0HudqfSt
+lMOfpVfUmBSIxlFdiIzMBfbpLdD1gSo4oBLIYA/xw7UtDMiWi2Iji/mBY1Jg/i5V
+ZCTwZmnmaVuPcsGOzv5W
+=A2Am
+-----END PGP SIGNATURE-----
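Review bot: Section II describes how a Router Advertisement replaces the Current Hop Limit on an interface but never states what the defect is or what the corrected code does differently, so the reader has to infer the problem from III. Suggest adding a sentence on what the fix changes. "Neighbor Discover Protocol" in II should match "Neighbor Discovery protocol" in I, and the header's "Affects: All supported versions of FreeBSD." would be clearer with the accept_rtadv condition from IV stated next to it. The ifconfig workaround is described as a run-time change only; say whether it has to be made persistent.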

Added: head/share/security/patches/SA-15:04/igmp-errata.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:04/igmp-errata.patch	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,32 @@
+Index: sys/netinet/igmp.c
+===================================================================
+--- sys/netinet/igmp.c	(revision 280920)
++++ sys/netinet/igmp.c	(working copy)
+@@ -1534,7 +1534,6 @@ igmp_input(struct mbuf *m, int off)
+ 				struct igmpv3 *igmpv3;
+ 				uint16_t igmpv3len;
+ 				uint16_t nsrc;
+-				int srclen;
+ 
+ 				IGMPSTAT_INC(igps_rcv_v3_queries);
+ 				igmpv3 = (struct igmpv3 *)igmp;
+@@ -1542,8 +1541,8 @@ igmp_input(struct mbuf *m, int off)
+ 				 * Validate length based on source count.
+ 				 */
+ 				nsrc = ntohs(igmpv3->igmp_numsrc);
+-				srclen = sizeof(struct in_addr) * nsrc;
+-				if (nsrc * sizeof(in_addr_t) > srclen) {
++				if (nsrc * sizeof(in_addr_t) >
++				    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
+ 					IGMPSTAT_INC(igps_rcv_tooshort);
+ 					return;
+ 				}
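Review bot: The comment and the statistics counter around the new bound at igmp.c 1541 no longer describe what it tests. The replaced test compared nsrc * sizeof(in_addr_t) against srclen, which was computed from the same count, so the new comparison against UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN is the one that matters, yet the comment still reads "Validate length based on source count." Suggest a comment saying that the bound keeps the uint16_t igmpv3len sum from wrapping, and consider whether igps_rcv_tooshort is the right counter for a query rejected for declaring too many sources.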
+@@ -1552,7 +1551,7 @@ igmp_input(struct mbuf *m, int off)
+ 				 * this scope.
+ 				 */
+ 				igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
+-				    srclen;
++				    sizeof(struct in_addr) * nsrc;
+ 				if ((m->m_flags & M_EXT ||
+ 				     m->m_len < igmpv3len) &&
+ 				    (m = m_pullup(m, igmpv3len)) == NULL) {
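Review bot: The length sum now uses sizeof(struct in_addr) * nsrc, while the bound check in the previous hunk uses nsrc * sizeof(in_addr_t). The two agree only as long as both types have the same size. Suggest using one expression, or a local computed once, in both places so the check and the sum cannot drift apart.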

Added: head/share/security/patches/SA-15:04/igmp-errata.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:04/igmp-errata.patch.asc	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=WOIN
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:07/ntp.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:07/ntp.patch	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,377 @@
+Index: contrib/ntp/ntpd/ntp_crypto.c
+===================================================================
+--- contrib/ntp/ntpd/ntp_crypto.c	(revision 280717)
++++ contrib/ntp/ntpd/ntp_crypto.c	(working copy)
+@@ -93,6 +93,7 @@
+ #define TAI_1972	10	/* initial TAI offset (s) */
+ #define MAX_LEAP	100	/* max UTC leapseconds (s) */
+ #define VALUE_LEN	(6 * 4) /* min response field length */
++#define MAX_VALLEN	(65535 - VALUE_LEN)
+ #define YEAR		(60 * 60 * 24 * 365) /* seconds in year */
+ 
+ /*
+@@ -137,8 +138,8 @@ static u_int ident_scheme = 0;	/* server identity
+  */
+ static	int	crypto_verify	P((struct exten *, struct value *,
+ 				    struct peer *));
+-static	int	crypto_encrypt	P((struct exten *, struct value *,
+-				    keyid_t *));
++static	int	crypto_encrypt	P((const u_char *, u_int, keyid_t *,
++				    struct value *));
+ static	int	crypto_alice	P((struct peer *, struct value *));
+ static	int	crypto_alice2	P((struct peer *, struct value *));
+ static	int	crypto_alice3	P((struct peer *, struct value *));
+@@ -446,6 +447,12 @@ crypto_recv(
+ 			tstamp = ntohl(ep->tstamp);
+ 			fstamp = ntohl(ep->fstamp);
+ 			vallen = ntohl(ep->vallen);
++			/*
++			 * Bug 2761: I hope this isn't too early...
++			 */
++			if (   vallen == 0
++			    || len - VALUE_LEN < vallen)
++				return XEVNT_LEN;
+ 		}
+ 		switch (code) {
+ 
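Review bot: The added test len - VALUE_LEN < vallen in crypto_recv() is only safe if len is already known to be at least VALUE_LEN, and nothing in this hunk shows that. If len is unsigned, a smaller value makes the subtraction wrap and the comparison passes. The crypto_bob() hunk later in this patch spells out len < VALUE_LEN first; suggest doing the same here and in the two hunks that follow (old lines 488 and 1250). The comment "Bug 2761: I hope this isn't too early..." should say what the check guards rather than express doubt about its placement.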
+@@ -488,7 +495,7 @@ crypto_recv(
+ 				break;
+ 
+ 			if (vallen == 0 || vallen > MAXHOSTNAME ||
+-			    len < VALUE_LEN + vallen) {
++			    len - VALUE_LEN < vallen) {
+ 				rval = XEVNT_LEN;
+ 				break;
+ 			}
+@@ -1250,7 +1257,8 @@ crypto_xmit(
+ 		vallen = ntohl(ep->vallen);
+ 		if (vallen == 8) {
+ 			strcpy(certname, sys_hostname);
+-		} else if (vallen == 0 || vallen > MAXHOSTNAME) {
++		} else if (vallen == 0 || vallen > MAXHOSTNAME ||
++		    len - VALUE_LEN < vallen) {
+ 			rval = XEVNT_LEN;
+ 			break;
+ 
+@@ -1407,7 +1415,10 @@ crypto_xmit(
+ 	 * anything goes wrong.
+ 	 */
+ 	case CRYPTO_COOK | CRYPTO_RESP:
+-		if ((opcode & 0xffff) < VALUE_LEN) {
++		vallen = ntohl(ep->vallen);	/* Must be <64k */
++		if (   vallen == 0
++		    || (vallen >= MAX_VALLEN)
++		    || (opcode & 0x0000ffff)  < VALUE_LEN + vallen) {
+ 			rval = XEVNT_LEN;
+ 			break;
+ 		}
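Review bot: The upper bound in this CRYPTO_COOK | CRYPTO_RESP case is vallen >= MAX_VALLEN, while the crypto_verify() hunk below rejects only vallen > MAX_VALLEN. Pick one boundary and use it in both places. The MAX_VALLEN define added at the top of the patch would also benefit from a comment saying where 65535 comes from, since the only hint is the 16-bit length masked out of opcode here.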
+@@ -1420,10 +1431,11 @@ crypto_xmit(
+ 			}
+ 			tcookie = peer->pcookie;
+ 		}
+-		if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
+-		    XEVNT_OK)
++		if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
++		    == XEVNT_OK) {
+ 			len += crypto_send(fp, &vtemp);
+-		value_free(&vtemp);
++			value_free(&vtemp);
++		}
+ 		break;
+ 
+ 	/*
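Review bot: value_free(&vtemp) now runs only when crypto_encrypt() returns XEVNT_OK. crypto_encrypt() allocates vp->ptr with emalloc() before the RSA_public_encrypt() call that can fail, so unless every error return inside it releases what it allocated, the failure path leaks. Please confirm that it does, or document why the free is skipped on error. The new crypto_encrypt(...) call line also runs well past 80 columns.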
+@@ -1558,10 +1570,15 @@ crypto_verify(
+ 	 * are rounded up to the next word.
+ 	 */
+ 	vallen = ntohl(ep->vallen);
++	if (   vallen == 0
++	    || vallen > MAX_VALLEN)
++		return (XEVNT_LEN);
+ 	i = (vallen + 3) / 4;
+ 	siglen = ntohl(ep->pkt[i++]);
+-	if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
+-	    4) * 4)
++	if (   siglen > MAX_VALLEN
++	    || len - VALUE_LEN < ((vallen + 3) / 4) * 4
++	    || len - VALUE_LEN - ((vallen + 3) / 4) * 4
++	      < ((siglen + 3) / 4) * 4)
+ 		return (XEVNT_LEN);
+ 
+ 	/*
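Review bot: In crypto_verify(), siglen is still read from ep->pkt[i] before anything checks that vallen fits inside the received field. The new vallen test only bounds it by MAX_VALLEN, and the comparison against len comes after the read. Suggest moving the len - VALUE_LEN < ((vallen + 3) / 4) * 4 test, with room for the siglen word itself, ahead of the ntohl(ep->pkt[i++]) line. The subtractions also assume len >= VALUE_LEN, which this hunk does not show being checked.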
+@@ -1627,6 +1644,7 @@ crypto_verify(
+ 	 * avoid doing the sign exchange.
+ 	 */
+ 	EVP_VerifyInit(&ctx, peer->digest);
++	/* XXX: the "+ 12" needs to be at least documented... */
+ 	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
+ 	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
+ 		return (XEVNT_SIG);
+@@ -1641,10 +1659,10 @@ crypto_verify(
+ 
+ 
+ /*
+- * crypto_encrypt - construct encrypted cookie and signature from
+- * extension field and cookie
++ * crypto_encrypt - construct vp (encrypted cookie and signature) from
++ * the public key and cookie.
+  *
+- * Returns
++ * Returns:
+  * XEVNT_OK	success
+  * XEVNT_PUB	bad or missing public key
+  * XEVNT_CKY	bad or missing cookie
+@@ -1652,9 +1670,10 @@ crypto_verify(
+  */
+ static int
+ crypto_encrypt(
+-	struct exten *ep,	/* extension pointer */
+-	struct value *vp,	/* value pointer */
+-	keyid_t	*cookie		/* server cookie */
++	const u_char *ptr,	/* Public Key */
++	u_int	vallen,		/* Length of Public Key */
++	keyid_t	*cookie,	/* server cookie */
++	struct value *vp	/* value pointer */
+ 	)
+ {
+ 	EVP_PKEY *pkey;		/* public key */
+@@ -1661,15 +1680,11 @@ crypto_encrypt(
+ 	EVP_MD_CTX ctx;		/* signature context */
+ 	tstamp_t tstamp;	/* NTP timestamp */
+ 	u_int32	temp32;
+-	u_int	len;
+-	u_char	*ptr;
+ 
+ 	/*
+ 	 * Extract the public key from the request.
+ 	 */
+-	len = ntohl(ep->vallen);
+-	ptr = (u_char *)ep->pkt;
+-	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
++	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen);
+ 	if (pkey == NULL) {
+ 		msyslog(LOG_ERR, "crypto_encrypt %s\n",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+@@ -1683,9 +1698,9 @@ crypto_encrypt(
+ 	memset(vp, 0, sizeof(struct value));
+ 	vp->tstamp = htonl(tstamp);
+ 	vp->fstamp = hostval.tstamp;
+-	len = EVP_PKEY_size(pkey);
+-	vp->vallen = htonl(len);
+-	vp->ptr = emalloc(len);
++	vallen = EVP_PKEY_size(pkey);
++	vp->vallen = htonl(vallen);
++	vp->ptr = emalloc(vallen);
+ 	temp32 = htonl(*cookie);
+ 	if (!RSA_public_encrypt(4, (u_char *)&temp32, vp->ptr,
+ 	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING)) {
+@@ -1705,9 +1720,9 @@ crypto_encrypt(
+ 	vp->sig = emalloc(sign_siglen);
+ 	EVP_SignInit(&ctx, sign_digest);
+ 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
+-	EVP_SignUpdate(&ctx, vp->ptr, len);
+-	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
+-		vp->siglen = htonl(len);
++	EVP_SignUpdate(&ctx, vp->ptr, vallen);
++	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
++		vp->siglen = htonl(sign_siglen);
+ 	return (XEVNT_OK);
+ }
+ 
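Review bot: At the end of crypto_encrypt(), the length that EVP_SignFinal() writes into vallen is discarded and vp->siglen is set from sign_siglen, the size used for the emalloc() of vp->sig. Before this change the value returned by EVP_SignFinal() was the one stored. If the two can differ, the advertised signature length is now wrong; if they cannot, a comment saying so would help. Reusing the vallen parameter as key length, then as the EVP_PKEY_size() result, then as a scratch output makes this hard to follow; a separate local would be clearer. The function also still returns XEVNT_OK when EVP_SignFinal() fails.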
+@@ -1794,6 +1809,9 @@ crypto_ident(
+  * call in the protocol module.
+  *
+  * Returns extension field pointer (no errors).
++ *
++ * XXX: opcode and len should really be 32-bit quantities and
++ * we should make sure that str is not too big.
+  */
+ struct exten *
+ crypto_args(
+@@ -1805,11 +1823,14 @@ crypto_args(
+ 	tstamp_t tstamp;	/* NTP timestamp */
+ 	struct exten *ep;	/* extension field pointer */
+ 	u_int	len;		/* extension field length */
++	size_t	slen;
+ 
+ 	tstamp = crypto_time();
+ 	len = sizeof(struct exten);
+-	if (str != NULL)
+-		len += strlen(str);
++	if (str != NULL) {
++		slen = strlen(str);
++		len += slen;
++	}
+ 	ep = emalloc(len);
+ 	memset(ep, 0, len);
+ 	if (opcode == 0)
+@@ -1829,8 +1850,8 @@ crypto_args(
+ 	ep->fstamp = hostval.tstamp;
+ 	ep->vallen = 0;
+ 	if (str != NULL) {
+-		ep->vallen = htonl(strlen(str));
+-		memcpy((char *)ep->pkt, str, strlen(str));
++		ep->vallen = htonl(slen);
++		memcpy((char *)ep->pkt, str, slen);
+ 	} else {
+ 		ep->pkt[0] = peer->associd;
+ 	}
+@@ -1844,6 +1865,8 @@ crypto_args(
+  * Returns extension field length. Note: it is not polite to send a
+  * nonempty signature with zero timestamp or a nonzero timestamp with
+  * empty signature, but these rules are not enforced here.
++ *
++ * XXX This code won't work on a box with 16-bit ints.
+  */
+ u_int
+ crypto_send(
+@@ -2212,7 +2235,8 @@ crypto_bob(
+ 	tstamp_t tstamp;	/* NTP timestamp */
+ 	BIGNUM	*bn, *bk, *r;
+ 	u_char	*ptr;
+-	u_int	len;
++	u_int	len;		/* extension field length */
++	u_int	vallen = 0;	/* value length */
+ 
+ 	/*
+ 	 * If the IFF parameters are not valid, something awful
+@@ -2227,8 +2251,11 @@ crypto_bob(
+ 	/*
+ 	 * Extract r from the challenge.
+ 	 */
+-	len = ntohl(ep->vallen);
+-	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
++	vallen = ntohl(ep->vallen);
++	len = ntohl(ep->opcode) & 0x0000ffff;
++	if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
++		return XEVNT_LEN;
++	if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
+ 		msyslog(LOG_ERR, "crypto_bob %s\n",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+ 		return (XEVNT_ERR);
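Review bot: the new length check depends on evaluation order: len < VALUE_LEN has to be tested before len - VALUE_LEN, or the unsigned subtraction wraps. A one-line comment saying so would keep a later edit from reordering the terms. The 0x0000ffff mask on ep->opcode is also unexplained here and would read better as a named constant or with a short comment. Style: this hunk uses "return XEVNT_LEN;" while the rest of the function writes "return (XEVNT_ERR);".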
+@@ -2240,7 +2267,7 @@ crypto_bob(
+ 	 */
+ 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
+ 	sdsa = DSA_SIG_new();
+-	BN_rand(bk, len * 8, -1, 1);		/* k */
++	BN_rand(bk, vallen * 8, -1, 1);		/* k */
+ 	BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
+ 	BN_add(bn, bn, bk);
+ 	BN_mod(bn, bn, dsa->q, bctx);		/* k + b r mod q */
+@@ -2254,19 +2281,25 @@ crypto_bob(
+ 	/*
+ 	 * Encode the values in ASN.1 and sign.
+ 	 */
+-	tstamp = crypto_time();
+-	memset(vp, 0, sizeof(struct value));
+-	vp->tstamp = htonl(tstamp);
+-	vp->fstamp = htonl(if_fstamp);
+-	len = i2d_DSA_SIG(sdsa, NULL);
+-	if (len <= 0) {
++	vallen = i2d_DSA_SIG(sdsa, NULL);
++	if (vallen == 0) {
+ 		msyslog(LOG_ERR, "crypto_bob %s\n",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+ 		DSA_SIG_free(sdsa);
+ 		return (XEVNT_ERR);
+ 	}
+-	vp->vallen = htonl(len);
+-	ptr = emalloc(len);
++	if (vallen > MAX_VALLEN) {
++		msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
++		    vallen);
++		DSA_SIG_free(sdsa);
++		return (XEVNT_LEN);
++	}
++	memset(vp, 0, sizeof(struct value));
++	tstamp = crypto_time();
++	vp->tstamp = htonl(tstamp);
++	vp->fstamp = htonl(if_fstamp);
++	vp->vallen = htonl(vallen);
++	ptr = emalloc(vallen);
+ 	vp->ptr = ptr;
+ 	i2d_DSA_SIG(sdsa, &ptr);
+ 	DSA_SIG_free(sdsa);
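Review bot: vallen is a u_int, so the "vallen == 0" test after i2d_DSA_SIG(sdsa, NULL) cannot see a negative error return. A negative value converts to a large unsigned number and falls through to the vallen > MAX_VALLEN branch, which then logs "signature is too big" and returns XEVNT_LEN without the ERR_error_string() text. Suggest capturing the return in an int, testing it against <= 0, and only then assigning it to vallen. The new msyslog also formats the unsigned vallen with %d; %u matches the type.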
+@@ -2277,11 +2310,12 @@ crypto_bob(
+ 	if (tstamp < cinfo->first || tstamp > cinfo->last)
+ 		return (XEVNT_PER);
+ 
++	/* XXX: more validation to make sure the sign fits... */
+ 	vp->sig = emalloc(sign_siglen);
+ 	EVP_SignInit(&ctx, sign_digest);
+ 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
+-	EVP_SignUpdate(&ctx, vp->ptr, len);
+-	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
++	EVP_SignUpdate(&ctx, vp->ptr, vallen);
++	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+ 		vp->siglen = htonl(len);
+ 	return (XEVNT_OK);
+ }
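Review bot: after this change EVP_SignFinal writes the signature length into vallen, but the unchanged next line still sets vp->siglen = htonl(len). In this function len now holds the extension field length taken from ep->opcode, so siglen no longer reflects the signature at all. Suggest using the length returned by EVP_SignFinal, checked against sign_siglen, which would also resolve the "more validation to make sure the sign fits" XXX added at the top of this hunk. crypto_encrypt's tail was changed to htonl(sign_siglen) instead; the two should be made consistent.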
+Index: contrib/ntp/ntpd/ntp_proto.c
+===================================================================
+--- contrib/ntp/ntpd/ntp_proto.c	(revision 280717)
++++ contrib/ntp/ntpd/ntp_proto.c	(working copy)
+@@ -459,7 +459,7 @@ receive(
+ 	while (has_mac > 0) {
+ 		int temp;
+ 
+-		if (has_mac % 4 != 0 || has_mac < 0) {
++		if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
+ 			sys_badlength++;
+ 			return;			/* bad MAC length */
+ 		}
+@@ -483,6 +483,13 @@ receive(
+ 			return;			/* bad MAC length */
+ 		}
+ 	}
++	/*
++	 * If has_mac is < 0 we had a malformed packet.
++	 */
++	if (has_mac < 0) {
++		sys_badlength++;
++		return;		/* bad length */
++	}
+ #ifdef OPENSSL
+ 	pkeyid = tkeyid = 0;
+ #endif /* OPENSSL */
+@@ -942,12 +949,9 @@ receive(
+ 	}
+ 
+ 	/*
+-	 * Update the origin and destination timestamps. If
+-	 * unsynchronized or bogus abandon ship. If the crypto machine
++	 * If unsynchronized or bogus abandon ship. If the crypto machine
+ 	 * breaks, light the crypto bit and plaint the log.
+ 	 */
+-	peer->org = p_xmt;
+-	peer->rec = rbufp->recv_time;
+ 	if (peer->flash & PKT_TEST_MASK) {
+ #ifdef OPENSSL
+ 		if (crypto_flags && (peer->flags & FLAG_SKEY)) {
+@@ -978,10 +982,11 @@ receive(
+ 	 * versions. If symmetric modes, return a crypto-NAK. The peer
+ 	 * should restart the protocol.
+ 	 */
+-	} else if (!AUTH(peer->keyid || (restrict_mask & RES_DONTTRUST),
+-	    is_authentic)) {
++	} else if (!AUTH(peer->keyid || has_mac ||
++	    (restrict_mask & RES_DONTTRUST), is_authentic)) {
+ 		peer->flash |= TEST5;
+-		if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
++		if (has_mac &&
++		    (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
+ 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
+ 		return;				/* bad auth */
+ 	}
+@@ -989,7 +994,12 @@ receive(
+ 	/*
+ 	 * That was hard and I am sweaty, but the packet is squeaky
+ 	 * clean. Get on with real work.
++	 *
++	 * Update the origin and destination timestamps.
+ 	 */
++	peer->org = p_xmt;
++	peer->rec = rbufp->recv_time;
++
+ 	peer->received++;
+ 	peer->timereceived = current_time;
+ 	if (is_authentic == AUTH_OK)

Added: head/share/security/patches/SA-15:07/ntp.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:07/ntp.patch.asc	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=1bd7
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:08/bsdinstall.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:08/bsdinstall.patch	Tue Apr  7 20:36:34 2015	(r46499)
@@ -0,0 +1,14 @@
+Index: usr.sbin/bsdinstall/scripts/zfsboot

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

