svn commit: r54319 - in head/share: security/advisories security/patches/EN-20:13 security/patches/EN-20:14 security/patches/EN-20:15 security/patches/SA-20:18 security/patches/SA-20:19 security/pa...
Gordon Tetlow
gordon at FreeBSD.org
Wed Jul 8 20:50:29 UTC 2020
Author: gordon (src committer)
Date: Wed Jul 8 20:50:27 2020
New Revision: 54319
URL: https://svnweb.freebsd.org/changeset/doc/54319
Log:
Add EN-20:13 through EN-20:15, and SA-20:18 through SA-20:20.
Approved by: so
Added:
head/share/security/advisories/FreeBSD-EN-20:13.bhyve.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-20:15.mps.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-20:19.unbound.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-20:20.ipv6.asc (contents, props changed)
head/share/security/patches/EN-20:13/
head/share/security/patches/EN-20:13/bhyve.patch (contents, props changed)
head/share/security/patches/EN-20:13/bhyve.patch.asc (contents, props changed)
head/share/security/patches/EN-20:14/
head/share/security/patches/EN-20:14/linuxkpi.patch (contents, props changed)
head/share/security/patches/EN-20:14/linuxkpi.patch.asc (contents, props changed)
head/share/security/patches/EN-20:15/
head/share/security/patches/EN-20:15/mps.patch (contents, props changed)
head/share/security/patches/EN-20:15/mps.patch.asc (contents, props changed)
head/share/security/patches/SA-20:18/
head/share/security/patches/SA-20:18/posix_spawnp.patch (contents, props changed)
head/share/security/patches/SA-20:18/posix_spawnp.patch.asc (contents, props changed)
head/share/security/patches/SA-20:19/
head/share/security/patches/SA-20:19/unbound.11.3.patch (contents, props changed)
head/share/security/patches/SA-20:19/unbound.11.3.patch.asc (contents, props changed)
head/share/security/patches/SA-20:19/unbound.11.4.patch (contents, props changed)
head/share/security/patches/SA-20:19/unbound.11.4.patch.asc (contents, props changed)
head/share/security/patches/SA-20:19/unbound.12.1.patch (contents, props changed)
head/share/security/patches/SA-20:19/unbound.12.1.patch.asc (contents, props changed)
head/share/security/patches/SA-20:20/
head/share/security/patches/SA-20:20/ipv6.patch (contents, props changed)
head/share/security/patches/SA-20:20/ipv6.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
head/share/xml/notices.xml
Added: head/share/security/advisories/FreeBSD-EN-20:13.bhyve.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-20:13.bhyve.asc Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:13.bhyve Errata Notice
+ The FreeBSD Project
+
+Topic: Host crash in bhyve with PCI device passthrough
+
+Category: core
+Module: bhyve
+Announced: 2020-07-08
+Credits: Peter Grehan
+Affects: FreeBSD 12.1
+Corrected: 2020-06-01 05:14:01 UTC (stable/12, 12.1-STABLE)
+ 2020-07-08 19:56:34 UTC (releng/12.1, 12.1-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines. bhyve(8) includes support for PCI devices
+passthrough (a technique to pass host PCI devices to a virtual machine for its
+exclusive control and use).
+
+II. Problem Description
+
+When an attempt is made to pass through a PCI device to a bhyve(8) VM (causing
+initialization of IOMMU) on certain Intel chipsets using VT-d the PCI bus
+stops working entirely resulting in a host crash. This issue occurs at least
+on the Intel Skylake series processors and those released later.
+
+A device passed through to a guest VM running OpenBSD at least since version
+6.4 on both AMD and Intel processors may not fully work in the guest. OpenBSD
+issues 4-byte PCI configuration-space register reads and writes to consecutive
+2-byte fields, which were not handled correctly by bhyve(8).
+
+III. Impact
+
+These issues prevent using bhyve in production with some combinations of host
+hardware and/or guest operating system.
+
+IV. Workaround
+
+No workaround is available. Systems not using bhyve(8) for virtualization
+with PCI passthrough are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+The first problem requires a reboot as the affected part is the kernel.
+
+The second problem does not require a reboot as the affected part is the
+bhyve userland executable.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:13/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:13/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+d) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r361686
+releng/12.1/ r363022
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229852>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245392>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:13.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLjVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKMwQ/9HxrcUNvL8myn512t+drnCnDg/lNL2cqlc53VyDsvwesgXbGA3k1pQsyV
+VLB2jn56+EWcq0b1eieLavK77YtdrbEfa72YOlTd576586VRroUC3d4o6eaAHKHS
+Hzm/Qh5cQM46065Eoshz8T+N1/RNmU0ANS19ogBmogqhbJwwQUSr402a/BGrTES+
++rx4ywmTOrmXxVQwAlRHp1/7pQ5PL3cK2ByYzuFjKjzNX3scHoMxOul2TC1bYwj6
+IhBT7NNxQuY/g7gxGM/ndifOiJtAlsxJdccWxZAMdYv3mzhnM2vqCmdz8KjB7UKH
+2XOKB1RwSq0b1FBsur8Z0Pg6AlIRcNW952mAn2UJxx9mh/oCSj0sqtdmAKu0EO1e
+Vn6+psOffB28ITvdBsf7D/3ixM8+jdAogFzW00iGPppF02QwM6FVxa3+mogOVtsv
+R+Fu381qwQmqvMtAEXOxQ6NiAk3fTan+VuEDB8FnYPEs5JkWef/fn4SPRUrr04hY
+yTkX8F3XID2XdSMTgJllQzhf1uCK3QT77Y0BcPJH+NPZIZiyKkROxqnpS7LGFlEs
+v8dLXTOFnaHfdrjefB/QCwLMTcX1AfN1n0OxQigtwKC1rvKHweaqZBEujtDmyMOm
+uFXhQjoT3o29i1O139Q/3yINEbVYn6U5INrW5ZUGt1nm/wL9PuA=
+=mH7Y
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:14.linuxkpi Errata Notice
+ The FreeBSD Project
+
+Topic: Kernel panic in LinuxKPI subsystem
+
+Category: core
+Module: linuxkpi
+Announced: 2020-07-08
+Affects: FreeBSD 12.1 and 11.3
+Corrected: 2020-01-22 00:30:27 UTC (stable/12, 12.1-STABLE)
+ 2020-07-08 19:57:24 UTC (releng/12.1, 12.1-RELEASE-p7)
+ 2020-01-22 15:51:24 UTC (stable/11, 11.3-STABLE)
+ 2020-07-08 19:57:24 UTC (releng/11.3, 11.3-RELEASE-p11)
+
+Note: FreeBSD 11.4 was branched after the original commit to the stable/11
+branch and already includes this erratum.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The LinuxKPI subsystem allows kernel code ported from Linux to run in the
+FreeBSD kernel without extensive modification. Some graphics drivers make
+use of this subsystem.
+
+II. Problem Description
+
+A bug in one of the LinuxKPI subroutines could cause a kernel panic.
+
+III. Impact
+
+Certain graphical applications may trigger a kernel panic. This is most
+often observed when using X11 forwarding to run an application remotely.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:14/linuxpki.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:14/linuxpki.patch.asc
+# gpg --verify linuxkpi.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r356953
+releng/12.1/ r363023
+stable/11/ r356987
+releng/11.3/ r363023
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on the problem>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242913>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:14.linuxkpi.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLkpfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJG7A//RWsupxbp1AMqYFz7KsC6zezh8pYU8rONJvWGgaH5MNTdzKVa+SDAg9il
+HI2IOAsDDRFRQvweyf1yOPMdPFUv15ZPgYpUcx2MoAbLFNa5TsqcodE6t1hEjBrQ
+20x0yjg/Fy6T17BaX3cziBFjxd3YW79jf/+FpzCTOoNasxIteiR5Vt4NbJ7Esqoa
+u7U3uXtIvDmfVASfMYq2NmKWTP8cz+f2FCB3687G4jGmBhrfMK8DNVQ3RI6IjGEm
+RUzmnYLX0Xbs83PTCYEkEqmEdj+o9zRokCPxdhFjd9XxnKaWh5vM0N6FNxBOcYER
+OqGMy0X88wsqvs5l+FnXYdI/BzELrzXmB4lMEh9wXDfrCZt4wVkb0C0NBLGgrafV
+95/YQobMsghe44ysVTmpfTi1++NnEDPgV/klVwBo6u9VluMH3PRxrTtW92SB0DOt
+QABVpgV96LKibsO26PRLS5yqMEgUPJ57W6mQvL9RdsTL/4VBamHQmUinXM1VlMml
+d2WVLguLw2vc86Mv2V4FZiC6A1eG91mUDTUYCeGxqBknl7DxBl+iGyM4Bu3Kw1+p
+eRi1Y6hAR/Vb/VyE4mNTBd0UzZhRymaXkiVm7nAKZjTAvSbpbEe26QCPzZGUgVsT
+UemEPi2lAAn2J3O46sEv8RjFjOOdrbOnyaZkJNBaKSPK7qq6etc=
+=1UKD
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-EN-20:15.mps.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-20:15.mps.asc Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:15.mps Errata Notice
+ The FreeBSD Project
+
+Topic: Kernel panic in mps(4) driver
+
+Category: core
+Module: mps
+Announced: 2020-07-08
+Affects: All supported version of FreeBSD.
+Corrected: 2020-06-11 14:48:20 UTC (stable/12, 12.1-STABLE)
+ 2020-07-08 19:58:00 UTC (releng/12.1, 12.1-RELEASE-p7)
+ 2020-06-11 14:49:38 UTC (stable/11, 11.4-STABLE)
+ 2020-07-08 19:58:00 UTC (releng/11.4, 11.4-RELEASE-p1)
+ 2020-07-08 19:58:00 UTC (releng/11.3, 11.3-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+mps(4) is a disk controller driver. It exports an ioctl(2) interface used by
+several command-line utilities to query for or set properties of the device.
+
+II. Problem Description
+
+mps(4) implements a pass-through interface which allows privileged user
+processes to submit commands directly to disks behind the controller. A bug
+in the code which copies command results out to the requesting process could
+cause a kernel panic.
+
+III. Impact
+
+Administrative commands issued by, e.g., sas2ircu, could cause a kernel panic.
+
+IV. Workaround
+
+No workaround is available. Systems that do not use mps(4) are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:15/mps.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:15/mps.patch.asc
+# gpg --verify mps.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r362057
+releng/12.1/ r363024
+stable/11/ r362058
+releng/11.4/ r363024
+releng/11.3/ r363024
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223813>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:15.mps.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLk5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLlPxAAgUVjwHuRGD4sTiymH2QgkdjneeE99obAzXDTDDNAOWaJQqmZV2L+ooYq
+2nnNdax0CpNvSaNF7KyEFYy30kcoBkSl8MBfOwtuUbO4fWUTDLIm3nUBn6YLvlkr
+ZdrDEzLN3EXOoHnVez4+dcCostVDWAVMPiGzNitU4htPy3pPvwyEcko9lA4eOF5Q
+ZanF1YjsAJOUvtmmCOr1XGRjzsW05Fbiyv6dAmaK7z508gAUj9t7x1a6XnIdLbJY
+tx4+UcBT3yvdSkXNlqGa8EGtPXz9ue4Aq53PSy+C9pbUiEBPgvnLQB0IJNU5Kynv
+fGlHMhee/Ih9+ZfSXoInvDJ+gVYdhufqQQ3GSUcdm7suUuQ+Gc8xn+KUUUZ8xtub
+3EfDeQ2h2eKlaGs0RrVNHtE9ETn+aimagVp5wcws6JLw3Nm5cEAzJFz8fK8lIbXe
+xONslLH1a6985k8CmHVDh6YULCZV9G3G+DGG3mvBnj+/wtysSaa3nOyQEPFuUXHI
+rf6d9JWzV6Is3nx0+34StQu/lyyixwb1LssSjop08+J2G66/ZBVYoorQ1qVzU1lH
+OkUg00JeHvFI4uKEEsv0/P31vM4aeW5iJsiWvjY6MAZ7VMmJMOrJEdiX+vycNkQ1
+cS7Qi6DCEpnFZCP61cEbYonBK1rgvNexTRTwIHIrATLLKEOtq+U=
+=6tC9
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:18.posix_spawnp Security Advisory
+ The FreeBSD Project
+
+Topic: posix_spawnp(3) buffer overflow
+
+Category: core
+Module: libc
+Announced: 2020-07-08
+Credits: Andrew Gierth
+Affects: FreeBSD 11.4
+Corrected: 2020-06-17 16:22:08 UTC (stable/12, 12.1-STABLE)
+ 2020-06-17 16:22:08 UTC (stable/11, 11.4-STABLE)
+ 2020-07-08 20:08:05 UTC (releng/11.4, 11.4-RELEASE-p1)
+CVE Name: CVE-2020-7458
+
+Note: This vulnerability was introduced after the release of FreeBSD 11.3 and
+FreeBSD 12.1; FreeBSD 11.4 is the only affected release.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+posix_spawnp(3) is a lightweight process creation mechanism provided by libc
+for general application usage.
+
+II. Problem Description
+
+posix_spawnp spawns a new thread with a limited stack allocated on the heap
+before delegating to execvp for the final execution within that thread.
+
+execvp would previously make unbounded allocations on the stack, directly
+proportional to the length of the user-controlled PATH environment variable.
+
+III. Impact
+
+Long values in the user-controlled PATH environment variable cause
+posix_spawnp to write beyond the end of stack that was allocated, ultimately
+overflowing the heap-allocated stack with a direct copy of the value stored
+in PATH.
+
+IV. Workaround
+
+No workaround is available. Few applications in the base system use
+posix_spawnp(3) and none of them are particularly viable candidates for an
+exploit. Use by third-party applications has not been investigated.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch.asc
+# gpg --verify posix_spawnp.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r362281
+stable/11/ r362281
+releng/11.4/ r363025
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7458>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:18.posix_spawnp.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLlNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLdthAAgchE9dOcTvmFerK/SEAI7G/+3l1GRQ/hKJfvGbvNuZKKudpMdCmLHzil
+MepCvRO7ft6OTBF66PaAscbdadD54CluQGjD96eLNnQ6dMgU5yZdWTUvvjdJze1R
+200oAlAu2eoZvuRghSNFqh4s8iffYN/T4Tc1ubRCAyZUXYbq5rg3r21P9FugXX+Y
+RZhYzUNRMCi4ZSGkUmcqLltZZtSrI9GOU2H4cKpedYaHJ+b76tALt1fCsSVZwMJK
+7WKiqKkw4ilRH5gbUuTqngVjt7Uy9JGyS2WrAwhnxLIr6+4qxAkiOltwZdFNUhSJ
+HGvTzl2As/gxxjqpqmvzegKfrGOd4pz2i7ZdAhhPWEK0sHNp1NttPQ7wWnU1Ikt3
+bkoiy+eJTF43GL7IpxurOOMDdH9MWL/RAZBZNpTof4XCjhEHvvMaSoeO/GLpcSja
++dYFoip65b1tlBtGt/tlgHVqlzCD86o6pBiRdZ7mYYLTxurDc/dcTpebypQPogcB
+agD3IO0hMXnt1Q/UQVl1pC3LDnSvabeHVI7xuB1T9UP/CsAxTt1nhEM4b9/YnJv5
+Bt1cZFlBvZgrVFVvegYAf7lVz3TsF3xz2pKZD6wxezAk+QbH4ho6aTHWJkRotE4z
+C5bcIEbIz6OX+J7VjOxcgkTu+bFykWb9xcTjtKpRexxICMOef+E=
+=2OBY
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-20:19.unbound.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:19.unbound.asc Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:19.unbound Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in unbound
+
+Category: contrib
+Module: unbound
+Announced: 2020-07-08
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-05-24 16:47:27 UTC (stable/12, 12.1-STABLE)
+ 2020-07-08 20:25:06 UTC (releng/12.1, 12.1-RELEASE-p7)
+ 2020-05-24 11:47:27 UTC (stable/11, 11.4-STABLE)
+ 2020-07-08 20:22:38 UTC (releng/11.4, 11.4-RELEASE-p1)
+ 2020-07-08 20:20:59 UTC (releng/11.3, 11.3-RELEASE-p11)
+CVE Name: CVE-2020-12662, CVE-2020-12663
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Unbound is a validating, recursive, and caching DNS resolver.
+
+II. Problem Description
+
+Malformed answers from upstream name servers can send Unbound into an infinite
+loop, resulting in denial of service. A malicious query can cause a traffic
+amplification attack against third party authoritative nameservers.
+
+III. Impact
+
+Denial of service of the affected host, or of third parties via traffic
+amplification.
+
+IV. Workaround
+
+No workaround is available. Systems not running Unbound are not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.12.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.12.1.patch.asc
+# gpg --verify unbound.12.1.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.4.patch.asc
+# gpg --verify unbound.11.4.patch.asc
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.3.patch.asc
+# gpg --verify unbound.11.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch -p0 < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r361435
+releng/12.1/ r363029
+stable/11/ r361435
+releng/11.4/ r363028
+releng/11.3/ r363027
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12662>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12663>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLldfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLg3g/+KxaCk6wFvqDCYlT2Rx8ZfxuU4cG8anJvdanwI8pV7SWsVIilWvpIuW5Y
+1P/TVmZiXpICToiUXdwaOMj8r/8QhmALXd3icb+QBUBdLlkm6Cuh/lSbEAyA63aF
+YYDF9FsXITVMcUCiUCxpVWSzDUW3LD5jMC/0jjvb7N0VhQyn4vHgEUa74jstnu4r
+36QV1s+ucsJafwAyzfobP+fCGKnVM8rmJ/3jE/eifN9RajFJdlkTtV0j6ReK9XQR
+jWunCgYZs8Ur0RFu98hspeRsXPuygV83sDiVWPQUd+iKXC8fW52f+IpAVO4BB763
+ZOjXaeudVfqorBXpKsldggEaCrxbJlEdwR9oZOrNww4QDqgPnU4Fkdb2TXyl5Gtx
+t0fbvEl2sxfx5M+3rF9ae++DPpmIiu8DiodF8XKfXicFZ2WpJmnwEY0SeEGYGyrO
+MJZW3i45qfe4CneFtt1r1v1feX3XQZKuyjtb++S2/PDiSQ1ZrkdE3Y3VYS3X+pLt
+C1ZFkw6nLDDSVzPiD+1i8VzRoKwS7zZKfAWMBJRiO3Jjh2vXsNRYO6wAMPq4HAvA
+DkB0Ykm0ioDqtUwEKhqAcJEmu6P44BM9SJ0ApFeKQ8L+isNoiaEMEVFG1HW9avl6
+E+I33y5yBtvgrRiyqUvANh/ZYSb7FQDTf5rlUOwG+Pk/kUlMrUA=
+=tonD
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-20:20.ipv6.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:20.ipv6.asc Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:20.ipv6 Security Advisory
+ The FreeBSD Project
+
+Topic: IPv6 socket option race condition and use after free
+
+Category: core
+Module: network
+Announced: 2020-07-08
+Credits: syzkaller, Andy Nguyen
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-04-02 15:30:51 UTC (stable/12, 12.1-STABLE)
+ 2020-07-08 20:11:40 UTC (releng/12.1, 12.1-RELEASE-p7)
+ 2020-07-06 20:23:14 UTC (stable/11, 11.4-STABLE)
+ 2020-07-08 20:11:40 UTC (releng/11.4, 11.4-RELEASE-p1)
+ 2020-07-08 20:11:40 UTC (releng/11.3, 11.3-RELEASE-p11)
+CVE Name: CVE-2020-7457
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The IPV6_2292PKTOPTIONS socket option allows user code to set IPv6
+header options on a socket.
+
+II. Problem Description
+
+The IPV6_2292PKTOPTIONS set handler was missing synchronization,
+so racing accesses could modify freed memory.
+
+III. Impact
+
+A malicious user application could trigger memory corruption, leading
+to privilege escalation.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or release /
+security branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r359565
+releng/12.1/ r363026
+stable/11/ r362975
+releng/11.4/ r363026
+releng/11.3/ r363026
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://hackerone.com/reports/826026>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7457>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:20.ipv6.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLvVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJqxA/9H58yyRUSUy6BTRw0XkCQFO3r0NpTYPWK4RJFPWO2Jh5zL2QjxuSj3k9t
+zgJXM6a1RRgOxevxSzJJXD74BZz3XLJnC9T0tXsp3nikMrd+NSVN0g2jfAbx0l7R
+RFRUJOI2EfcGkIe0tZy4/nGr+H9eZiJt9a9vJ8DCoJuU9Ph/7w3GrVG+gbJfH4sV
+KhvhrRzla4ePadnHyQZALL5ov554BUa3dB9STz8zbdjt5yFREpvCJ9mIOHKNPBCR
+X5v7OMwhw++2Q0JtoMsmBHMi8zOkDpbjPk5eQNLHg3Iw9ZQrxW8KtM9Ru3KFtPw9
+gisI9e53NkCUGLm9iq3oQG6CnCMulTMAlgN5f0HflEwy3vd7R/ibNLvx2yObmVOU
+cX1Nf0ydFfhoS/YQwArdGTUg12BlYL9lqiXTqojUBG+yikwA3XAIUJccpcYyZDLQ
+jR5N8Ct7fV9Ec5pdu4xkSQhKsto9pQVfS0Kabv7hlwumynVL+S7qsmS7FT3IC/4n
+FiXisrJr5TTNO8p/bIs8qooHYUkd06A5O8xy+gRDDPbgvYfevGWrd/vaHmiXpUsv
+dvv9ZnU8xlaSi66AEPs9kYw/WhF55deqaU1M0p6Ob3+TGyJIR3j3IPTAIIXSgTrq
+YiyvzqXM+ob3aysILYRv48LK7+5N/3hDU48FLUN6q1V99G7TV8o=
+=JUip
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-20:13/bhyve.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-20:13/bhyve.patch Wed Jul 8 20:50:27 2020 (r54319)
@@ -0,0 +1,342 @@
+--- sys/amd64/vmm/intel/vtd.c.orig
++++ sys/amd64/vmm/intel/vtd.c
+@@ -51,6 +51,8 @@
+ * Architecture Spec, September 2008.
+ */
+
++#define VTD_DRHD_INCLUDE_PCI_ALL(Flags) (((Flags) >> 0) & 0x1)
++
+ /* Section 10.4 "Register Descriptions" */
+ struct vtdmap {
+ volatile uint32_t version;
+@@ -116,10 +118,11 @@
+ static SLIST_HEAD(, domain) domhead;
+
+ #define DRHD_MAX_UNITS 8
+-static int drhd_num;
+-static struct vtdmap *vtdmaps[DRHD_MAX_UNITS];
+-static int max_domains;
+-typedef int (*drhd_ident_func_t)(void);
++static ACPI_DMAR_HARDWARE_UNIT *drhds[DRHD_MAX_UNITS];
++static int drhd_num;
++static struct vtdmap *vtdmaps[DRHD_MAX_UNITS];
++static int max_domains;
++typedef int (*drhd_ident_func_t)(void);
+
+ static uint64_t root_table[PAGE_SIZE / sizeof(uint64_t)] __aligned(4096);
+ static uint64_t ctx_tables[256][PAGE_SIZE / sizeof(uint64_t)] __aligned(4096);
+@@ -175,6 +178,69 @@
+ return (id);
+ }
+
++static struct vtdmap *
++vtd_device_scope(uint16_t rid)
++{
++ int i, remaining, pathremaining;
++ char *end, *pathend;
++ struct vtdmap *vtdmap;
++ ACPI_DMAR_HARDWARE_UNIT *drhd;
++ ACPI_DMAR_DEVICE_SCOPE *device_scope;
++ ACPI_DMAR_PCI_PATH *path;
++
++ for (i = 0; i < drhd_num; i++) {
++ drhd = drhds[i];
++
++ if (VTD_DRHD_INCLUDE_PCI_ALL(drhd->Flags)) {
++ /*
++ * From Intel VT-d arch spec, version 3.0:
++ * If a DRHD structure with INCLUDE_PCI_ALL flag Set is reported
++ * for a Segment, it must be enumerated by BIOS after all other
++ * DRHD structures for the same Segment.
++ */
++ vtdmap = vtdmaps[i];
++ return(vtdmap);
++ }
++
++ end = (char *)drhd + drhd->Header.Length;
++ remaining = drhd->Header.Length - sizeof(ACPI_DMAR_HARDWARE_UNIT);
++ while (remaining > sizeof(ACPI_DMAR_DEVICE_SCOPE)) {
++ device_scope = (ACPI_DMAR_DEVICE_SCOPE *)(end - remaining);
++ remaining -= device_scope->Length;
++
++ switch (device_scope->EntryType){
++ /* 0x01 and 0x02 are PCI device entries */
++ case 0x01:
++ case 0x02:
++ break;
++ default:
++ continue;
++ }
++
++ if (PCI_RID2BUS(rid) != device_scope->Bus)
++ continue;
++
++ pathend = (char *)device_scope + device_scope->Length;
++ pathremaining = device_scope->Length - sizeof(ACPI_DMAR_DEVICE_SCOPE);
++ while (pathremaining >= sizeof(ACPI_DMAR_PCI_PATH)) {
++ path = (ACPI_DMAR_PCI_PATH *)(pathend - pathremaining);
++ pathremaining -= sizeof(ACPI_DMAR_PCI_PATH);
++
++ if (PCI_RID2SLOT(rid) != path->Device)
++ continue;
++ if (PCI_RID2FUNC(rid) != path->Function)
++ continue;
++
++ vtdmap = vtdmaps[i];
++ return (vtdmap);
++ }
++ }
++ }
++
++ /* No matching scope */
++ return (NULL);
++}
++
+ static void
+ vtd_wbflush(struct vtdmap *vtdmap)
+ {
+@@ -240,7 +306,7 @@
+ static int
+ vtd_init(void)
+ {
+- int i, units, remaining;
++ int i, units, remaining, tmp;
+ struct vtdmap *vtdmap;
+ vm_paddr_t ctx_paddr;
+ char *end, envname[32];
+@@ -291,8 +357,9 @@
+ break;
+
+ drhd = (ACPI_DMAR_HARDWARE_UNIT *)hdr;
+- vtdmaps[units++] = (struct vtdmap *)PHYS_TO_DMAP(drhd->Address);
+- if (units >= DRHD_MAX_UNITS)
++ drhds[units] = drhd;
++ vtdmaps[units] = (struct vtdmap *)PHYS_TO_DMAP(drhd->Address);
++ if (++units >= DRHD_MAX_UNITS)
+ break;
+ remaining -= hdr->Length;
+ }
+@@ -302,12 +369,18 @@
+
+ skip_dmar:
+ drhd_num = units;
+- vtdmap = vtdmaps[0];
+
+- if (VTD_CAP_CM(vtdmap->cap) != 0)
+- panic("vtd_init: invalid caching mode");
++ max_domains = 64 * 1024; /* maximum valid value */
++ for (i = 0; i < drhd_num; i++){
++ vtdmap = vtdmaps[i];
++
++ if (VTD_CAP_CM(vtdmap->cap) != 0)
++ panic("vtd_init: invalid caching mode");
+
+- max_domains = vtd_max_domains(vtdmap);
++ /* take most compatible (minimum) value */
++ if ((tmp = vtd_max_domains(vtdmap)) < max_domains)
++ max_domains = tmp;
++ }
+
+ /*
+ * Set up the root-table to point to the context-entry tables
+@@ -373,7 +446,6 @@
+ struct vtdmap *vtdmap;
+ uint8_t bus;
+
+- vtdmap = vtdmaps[0];
+ bus = PCI_RID2BUS(rid);
+ ctxp = ctx_tables[bus];
+ pt_paddr = vtophys(dom->ptp);
+@@ -385,6 +457,10 @@
+ (uint16_t)(ctxp[idx + 1] >> 8));
+ }
+
++ if ((vtdmap = vtd_device_scope(rid)) == NULL)
++ panic("vtd_add_device: device %x is not in scope for "
++ "any DMA remapping unit", rid);
++
+ /*
+ * Order is important. The 'present' bit is set only after all fields
+ * of the context pointer are initialized.
+@@ -568,8 +644,6 @@
+ if (drhd_num <= 0)
+ panic("vtd_create_domain: no dma remapping hardware available");
+
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-doc-head
mailing list