svn commit: r49623 - in head/share: security/advisories security/patches/SA-16:33 security/patches/SA-16:34 security/patches/SA-16:35 xml
Xin LI
delphij at FreeBSD.org
Wed Nov 2 07:45:13 UTC 2016
Author: delphij
Date: Wed Nov 2 07:45:10 2016
New Revision: 49623
URL: https://svnweb.freebsd.org/changeset/doc/49623
Log:
Add SA-16:33, SA-16:34 and SA-16:35.
Added:
head/share/security/advisories/FreeBSD-SA-16:33.openssh.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-16:34.bind.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-16:35.openssl.asc (contents, props changed)
head/share/security/patches/SA-16:33/
head/share/security/patches/SA-16:33/openssh.patch (contents, props changed)
head/share/security/patches/SA-16:33/openssh.patch.asc (contents, props changed)
head/share/security/patches/SA-16:34/
head/share/security/patches/SA-16:34/bind.patch (contents, props changed)
head/share/security/patches/SA-16:34/bind.patch.asc (contents, props changed)
head/share/security/patches/SA-16:35/
head/share/security/patches/SA-16:35/openssl-10.patch (contents, props changed)
head/share/security/patches/SA-16:35/openssl-10.patch.asc (contents, props changed)
head/share/security/patches/SA-16:35/openssl-9.patch (contents, props changed)
head/share/security/patches/SA-16:35/openssl-9.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-16:33.openssh.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:33.openssh.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:33.openssh Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSH Remote Denial of Service vulnerability
+
+Category: contrib
+Module: OpenSSH
+Announced: 2016-11-02
+Affects: All supported versions of FreeBSD.
+Corrected: 2016-11-02 06:56:35 UTC (stable/11, 11.0-STABLE)
+ 2016-11-02 07:23:19 UTC (releng/11.0, 11.0-RELEASE-p3)
+ 2016-11-02 06:58:47 UTC (stable/10, 10.3-STABLE)
+ 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
+CVE Name: CVE-2016-8858
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+During the SSH handshake procedure, the client and server exchanges the
+supported encryption, MAC and compression algorithms along with other
+information to negotiate algorithms for initial key exchange, with a
+message named SSH_MSG_KEXINIT.
+
+II. Problem Description
+
+When processing the SSH_MSG_KEXINIT message, the server could allocate
+up to a few hundreds of megabytes of memory per each connection, before
+any authentication take place.
+
+III. Impact
+
+A remote attacker may be able to cause a SSH server to allocate an excessive
+amount of memory. Note that the default MaxStartups setting on FreeBSD will
+limit the effectiveness of this attack.
+
+IV. Workaround
+
+No workaround is available, but systems where sshd(8) is not used are
+not vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The sshd(8) service has to be restarted after the update. A reboot
+is recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The sshd(8) service has to be restarted after the update. A reboot
+is recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:33/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+The sshd(8) service has to be restarted after the update. A reboot
+is recommended but not required.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r308199
+releng/10.3/ r308203
+stable/11/ r308198
+releng/11.0/ r308202
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://seclists.org/oss-sec/2016/q4/195>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:33.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rnws4P/0i2V2lw3snDi4oVsX2AVkl+
+bQ9iRUvgO0SSB4b8JZ8dK6wws8InDR8oihm8jBsaOYPOxu7Wz9Zua2ZAjBAY/GLB
+o2+2UMGKVNlP59D/pwBD3qWEjG2KYpE5hItX7iykjwDvd8c7UOLZt7oofVfq8R7D
+84BkMQb9DM/1PwFI+ztMYN3uAlzsNxi0GqoHe7PBYmA5rq3QF9LoUlRyOW9KQq8Q
+TsBg8briGhy44XifhxU7eUsPUrxJLb5c/w3xsuzSw1AFpgSAc8IKAcrknnTdy+0c
+k5GfJz/84xcN1/HO6FDVtYgIoOK2C/ljCHiRAPRsVK3TvXl6agErVBf3CTvWKjg9
+NY6QD0KTJw5QF0LT6GbLRAdwnAexQI0U7Hw3Xylv2CFnaxsdYeB9YTVqqMricUqQ
+7GZ/ktiXJwBpDLkaieeI6WhbAVdsNQc5A1UWQwjv6mFr5TKhOFWvmHRo/KZprWqd
+vFqYNHc3NngcKs537WOXchNnW46hWMsiis/1mJfiRZd89rzq5Dtz7tCcX1c7RgRW
+4h0vhtqRMQraby0fI0ND3kC7EnXchMqWAoQ3Tric+2yWQMW/OGDvWXWbM0HqUKq7
+7fOGMmXmLhQnkykf4uwjrP4cyMSzSbGdrLQxpwWPwZoH47es/qYKHukBRcnmEkA+
+VpT6Vpm0Lqi80W5bh783
+=xyal
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-16:34.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:34.bind.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:34.bind Security Advisory
+ The FreeBSD Project
+
+Topic: BIND Remote Denial of Service vulnerability
+
+Category: contrib
+Module: bind
+Announced: 2016-11-02
+Credits: ISC
+Affects: FreeBSD 9.x
+Corrected: 2016-11-02 05:13:27 UTC (stable/9, 9.3-STABLE)
+ 2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
+CVE Name: CVE-2016-8864
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+A defect in BIND's handling of responses containing a DNAME answer could
+cause a resolver to exit after encountering an assertion failure in
+db.c or resolver.c.
+
+During processing of a recursive response that contains a DNAME record
+in the answer section, BIND could stop executing after encountering an
+assertion error in resolver.c.
+
+III. Impact
+
+A remote attacker who could cause a server to make a query deliberately
+chosen to trigger the failed assertions could cause named(8) to stop,
+resulting in a Denial of Service condition to its clients.
+
+IV. Workaround
+
+No workaround is available, but hosts not running named(8) recursive
+servers are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The named service has to be restarted after the update. A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The named service has to be restarted after the update. A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:34/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the named service, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r308193
+releng/9.3/ r308205
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01434/>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:34.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rn14UQAOI+3haO5nI3D4wPP9EavF9j
+SU1yuv2ZrWaldbdv9lSHWsK5gjOjZAwK4TmZSnhe3yC3nNOJimiD5KAjHhCiQEMN
+xZ4L0Xtyhp6Bef7pEPdn1KgJCdufRaXt8QYx+YWz2Zk2lV78J9IRUuWNYzTleetM
+yNkPIfkGbIEyzMG11nZKzIQ+rjxNS+/KXJTBD4z4xpyjCwnulHuCTGNNPIGSPbbO
+1rwY6NifZXRP6yCWmrQWZPV3I7eAjwtWpmU18kLf6dRbRAWa/M9f+ZCW4vR1bBoR
+CAX07D0VDPaUM56XCUaspKSvJ3dpJC9GjuEZVXfBoJzbfixeMqYkjgwaPGT+BxLo
+AxJv8PVXZiigq+0pXMGjaHdrwWW8UxkthyifGJFSffZMs4eECrIUhFe/SlMQ/5Zm
+WZhA28S4QqlcTpObnWVet3C9QdpBtjlodfZqmovHHWZGGcIVPbW+sVaJ3WF2ni6H
+OQuJucIVfKQVuv88aSRVlrtGY/KN9wjyUf4zIpyUgPL+qy3vxz2NB41mjM12ZyAi
+35KIv3tR5lZIq4C062qR0zlHKldQgxaQPX4rWq7lhQkk2X8B3SjypSMBRfrAosoW
+p/xQGqVwX05M7F8ykcdf8vfu3iipz/JDQgSdy3aeziwO5+2xGUt5cdXWpR0gxK4M
+2ajEFjl+rHAfYpDkfoGP
+=F1Vx
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-16:35.openssl.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-16:35.openssl.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:35.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSL Remote DoS vulnerability
+
+Category: contrib
+Module: openssl
+Announced: 2016-11-02
+Affects: FreeBSD 9.x and FreeBSD 10.x.
+Corrected: 2016-11-02 07:09:31 UTC (stable/10, 10.3-STABLE)
+ 2016-11-02 07:23:36 UTC (releng/10.3, 10.3-RELEASE-p12)
+ 2016-11-02 07:24:14 UTC (releng/10.2, 10.2-RELEASE-p25)
+ 2016-11-02 07:24:14 UTC (releng/10.1, 10.1-RELEASE-p42)
+ 2016-11-02 07:09:31 UTC (stable/9, 9.3-STABLE)
+ 2016-11-02 07:24:34 UTC (releng/9.3, 9.3-RELEASE-p50)
+CVE Name: CVE-2016-8610
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+
+The SSL alert protocol is a way to communicate problems within a SSL/TLS session.
+
+II. Problem Description
+
+Due to improper handling of alert packets, OpenSSL would consume an excessive
+amount of CPU time processing undefined alert messages.
+
+III. Impact
+
+A remote attacker who can initiate handshakes with an OpenSSL based server
+can cause the server to consume a lot of computation power with very little
+bandwidth usage, and may be able to use this technique in a leveraged Denial
+of Service attack.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart all daemons that use the library, or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all daemons that use the library, or reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-10.patch.asc
+# gpg --verify openssl-10.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:35/openssl-9.patch.asc
+# gpg --verify openssl-9.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r308200
+releng/9.3/ r308205
+stable/10/ r308200
+releng/10.1/ r308204
+releng/10.2/ r308204
+releng/10.3/ r308203
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://seclists.org/oss-sec/2016/q4/224>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAEBCgAGBQJYGZhkAAoJEO1n7NZdz2rnwbMQAOiGWegkYQodqBzNboK9U+6M
+8Jt6HNrYDWAyzp+mZmWxgPWZMkGaNAsBEFXwZlHgs65RCbRczxr/kUWZx2/XHbM3
+kGx5eNIq46BFIrTDPvUgNciorl/ncJGeO4SYEFBYImceDNwIQVtpfz1IUAve+LNW
+RYYICakWn8HPuqzmIFjQydMkoyEaHMwsmkv3nVNVX46sVIQ1umZ3RZsKtlPOQqNs
+sAa0HuOOQbeU2eJhhtcYcDEPNF7Do9WvSMnYrJQ/lE2SuatXq2tdbvZLV8ieiPoj
+3AMf9p2yPpeqqO9yy19CayTSPmDiKMVQq8jikVomX5XkVqNKLrQoQfrvpwR0DWOW
+fwIDjZ1H9IXoqjVVZwp5GLfHhAURNjbsszF4B1lXQHI1D/p4bXyOOrcuM1JxHXRK
+UGvagbs30DWH+4Baph/UVOsFUhPU0sguPtpPa0XFxSIxB6qZJJGjdOh7el6aBYJu
+VxQuw1wWQvJPm9CsIIZrX4WYBcwS8ro82wsfNWO+ZC0j5UbMwh2joFgrbEdWNM3f
+MWVYuH5czzoJO85Nu7uGB+qa9GYqKkdwGRDnFshnvPhHHnpmGL/tLHM+Kqg7uDeu
+8RsNaZ4PYChZh8YHVooOraDl0Nz0Ln/kok8GdsZUpNfuiXm3U9fLUCAFAdNUOlr6
+PJuvkUEQRMlhG8tX3+11
+=1gO7
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:33/openssh.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:33/openssh.patch Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,10 @@
+--- crypto/openssh/kex.c.orig
++++ crypto/openssh/kex.c
+@@ -468,6 +468,7 @@
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
Added: head/share/security/patches/SA-16:33/openssh.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:33/openssh.patch.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rn+gwP/iKpzCRr46PX5c9XHHy5NGlY
+unel+99VsL2KH5mfAfFVRU67FS2AtTWOpSi5CuWMimc0a97mszkbeqzbtO5dcppA
+0i71XkzB9nmRLgXKYMt7H7KVmUd4DIXuztvX/sQxbwX5yonRzeqqo1R7Pq55wz6/
+OO//BKLxKUiwDOKHUhhAZkaXEBt39c1EB0bRBpNeqsfsdD9IWm82Wh69jWrkOWeO
+6q+lRAtGoAl5vCO85XHYor4Pd7V2uSvLK4DRJyGFps8oc5vr6ZRmRvDTlF6VGBV4
+P/3xPDe1euVDBUZMAnlJVLvkiI2FeEc4lbXAtgirYfKE97XpEkXoEwSc2ExGKte9
+6e3xdmGei4HVb7FQPfrFb4wD/wGXbqp9XKLE/ECYKZM76Hltz1ac7ziihYYJSLyS
+/kzS4TBidIHiAiZDYGrREx28LPYtm5w84jBmngdg8BGAPzZNPtXM9phmXaBWeU/c
+PcLsjGQUi436R/NYzZ0Z8qM/SDbeghSIvSO+FmaoUHs7T8Bkk1xVU8TQhiv4uYW9
+j94qfOZ8oDbwbq16F2xsfvXLj2b+nnMgcICEiDeoA7aifrmHQCmx3y4VdGPH0/oD
+lw9wjSA3vfLgCh9UFb1BkxMcJpYkdTSDOb8cvR+ukIq4jIdJgnucQMd1KItZeaSQ
+q09FlZaUT20jY+bZZ2r0
+=qiKR
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:34/bind.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:34/bind.patch Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,184 @@
+--- contrib/bind9/lib/dns/resolver.c.orig
++++ contrib/bind9/lib/dns/resolver.c
+@@ -524,7 +524,9 @@
+ valarg->addrinfo = addrinfo;
+
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -4849,13 +4851,6 @@
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -4961,6 +4956,11 @@
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5208,6 +5208,11 @@
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6016,13 +6021,15 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6036,6 +6043,7 @@
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6045,12 +6053,13 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+
+@@ -6058,6 +6067,8 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6152,7 +6163,7 @@
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6182,11 +6193,18 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6280,11 +6298,11 @@
+ return (DNS_R_FORMERR);
+ }
+
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -6299,7 +6317,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -6316,10 +6334,13 @@
+
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -6344,6 +6365,10 @@
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
Added: head/share/security/patches/SA-16:34/bind.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:34/bind.patch.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rnuoAP/2ghYzKyVElGqCJqNSvj9tLV
+CAC6SdIdw9SaLyvPc33O6Sx0hpUlUkJxs9DDAA34OcdkiT0MiB2G2QvIFqUaF2p/
+CTPtKCYQ3dmPXdedm/JX5mkz1BJUWl5vHha2Kzmrv2H5VYAti58RGcQASlIIlbl+
+OKIkME+kD1wABPuY3HD4BofT7yt6vezwhvxdSaZDnqEMp2owed8PKNZBRxl4tYX/
+ABioDFCxqs2OwDLU8HYoFcIlXkCin5WgIqGnXtBLIYE/W6E2hFCO4K94QQjRrfoJ
+qxYzsIBEVkDsTu1TLvPsINp2PY3Hz93yVSNWAz39z+3R5MzQFhsREfrX6/EJPOi6
+Z8o3oLGZKMsgZ9SPw1gElcvo6Rq9ZfGLsw0GsMWrLOhXtIAfNoL9gVeFPh2rw7lr
+qtlOPgnnpXEfOanAQhUfQtp5BuNvcIrfvtMkxqL4BPDT6aeoI+NS1VstZQjnBZR4
+Flgd1ykQbV1ZoCOeJVJaeFiLmMZ0BKz4T0KVrRmBijrVoDzJid11SgDW4N40qSGp
+VwQit82ooPzj/YnOp/hDZ19fKY8wA1CUFafjvauqtZwcuc8bDX+AQNZST/we1iki
+bEZfH0fDUimKCxkzK1JfnJNG412/m2eZc43aPcXDvH9LjGFbTZw2axTXXgicf2Lo
+6A0HJlZU8SV/Y0M/mtlB
+=BP8h
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:35/openssl-10.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:35/openssl-10.patch Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
Added: head/share/security/patches/SA-16:35/openssl-10.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:35/openssl-10.patch.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rnVlMP/iC0pDsRby5HftZwmlfd0oIA
+GsyDBXQf3H2lFrkb5rFKuiDEwMIV1s2uti64TFg5ipYejXXGjkl6r4ogsWFfa2gy
+KU6+R4psMOC4C5aVS7QvclIJiyaBNFuAKaoGgv6p/SXYcw9Rbta6BYIy4s0Mr2WB
+UiVzTsJg7Ye6ooKREFouZrW98o5VwcRHy22TONnvkTym2Qr1kDU3PuF/TRe6KK/n
+IrRs/VI0Hs+VNBRRxIo74zXJm6GLHcadjU8RejVH3iJfQvK6yfyD+S/zhZxLAc9c
+zfcNs9RTBxJhKhrfC/mYU+8pF/4t7viRjb/YrHMvnYZXiOygeRTCeIpcbNun/bqy
+hBYOZfzdfF0OgAzBviJSU3dx7HHCmzuKNgtxNFh9nsP41E28hy3/jXOkW6476JvK
+bfa3RNAIespSqMBR/8DOj16uuDiAp8nZdV5XcOlgcv/Cl992pf+V8+IpZiApJJpR
+yrbdS5oBTuiS5nWJRllH1XSEDPA5zpsfcIpbe+2ip81Uxn5cV2+nXI7nRhzGKcSm
+/KSqC5ois3EMyfBocTtexy4bDAZZRTSusauLxLh6qR7y92vbckukZLEUeo5XRtOk
+BZt63O16ALxUQbYhVoL6Wm/j4xWiL6+s9q/Y8CAgZniviih3UEcFzpKKxglnApZG
+XtVDN3i4EaZ2+8mriBp6
+=0PWO
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-16:35/openssl-9.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:35/openssl-9.patch Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -820,6 +820,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1043,6 +1050,14 @@
+
+ if (alert_level == 1) { /* warning */
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -922,6 +922,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1121,6 +1128,14 @@
+
+ if (alert_level == 1) { /* warning */
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2195,6 +2195,7 @@
+ # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+ # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -491,6 +491,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ /* SSLv3 */
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -247,6 +247,8 @@
+ # define DEC32(a) ((a)=((a)-1)&0xffffffffL)
+ # define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ /*
+ * Define the Bitmasks for SSL_CIPHER.algorithms.
+ * This bits are used packed as dense as possible. If new methods/ciphers
Added: head/share/security/patches/SA-16:35/openssl-9.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-16:35/openssl-9.patch.asc Wed Nov 2 07:45:10 2016 (r49623)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.15 (FreeBSD)
+
+iQIcBAABCgAGBQJYGZiEAAoJEO1n7NZdz2rnnpgP/RDo7UkBM/p/JjDZam+hTaYN
+zhGZdsBG2tG9Q28SBoJ7MVzry287DkG+/LSfupeqbgsyhuYv4/c+148yK01q8Yw1
+d76zQR+3me2scQ6+kfm+lqYTbqSj6zEZXPU4ND29jEIDhz8BTZTlcyv1rZWrlA6d
+FjbFNJQcb74ZbF6JRs1uSIrim3LKQf+Dt6ZUSF0+5zY3SLawXtmPVlvCJ1pYlYRk
+4hhCzdojtA8PhQmMpW0RiN9NJX5dJ9sBIHAYQ2Y4zET+2cMA10nvCpixRMnjFriT
+Dzpnj+PmF0X6bRh1z6tdM0GmcJxHlzgBCFQcxuWilsezlpdboijOCd4uOha+nr6b
+qUJG2ahfZtlvofjUrMVhOK/wyyzztU9+qyQzI6bd4H56gjshR05Ey1BxsyA0+tnW
+rLyvYfMIvA5aB52WKeZjOZtXQ8NcKDOmpewAO75hAHEfPD3VknN8FahmbAKcv5Y5
+0PjwiZ//dlp4lvoCYCXEMcLjmmOAOSp+rxFgb/ik4M/K62KhAEBw1QTYTQ4oUpgC
+cwWA8vfFtqOYJj/XXn+9NY20YOfobmCmcQ8Hlni8D+X1UD8W/mjkKu9pjkbHDJKo
+G2jLJmI0s6hsOPxXWwmWfuC0H/dMry/p790NA8RL2E2JV5bv7TWOCwWNYLTw7UK6
+WNX4+gnV9EucX+/fjxXL
+=bOQ8
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Wed Nov 2 07:38:59 2016 (r49622)
+++ head/share/xml/advisories.xml Wed Nov 2 07:45:10 2016 (r49623)
@@ -8,6 +8,26 @@
<name>2016</name>
<month>
+ <name>11</name>
+
+ <day>
+ <name>2</name>
+
+ <advisory>
+ <name>FreeBSD-SA-16:35.openssl</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-16:34.bind</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-16:33.openssh</name>
+ </advisory>
+ </day>
+ </month>
+
+ <month>
<name>10</name>
<day>
More information about the svn-doc-head
mailing list