From owner-freebsd-announce@freebsd.org Thu Jan 14 10:03:19 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 046B6A80973 for ; Thu, 14 Jan 2016 10:03:19 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id DE1C61F0B; Thu, 14 Jan 2016 10:03:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id DCDEC1221; Thu, 14 Jan 2016 10:03:18 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20160114100318.DCDEC1221@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:03:18 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:01.filemon X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:03:19 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-16:01.filemon Errata Notice The FreeBSD Project Topic: filemon and bmake meta-mode stability issues Category: core Module: filemon Announced: 2016-01-14 Credits: Bryan Drewery Affects: FreeBSD 10.2-RELEASE Corrected: 2015-09-09 17:15:13 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background In FreeBSD 10.2, /usr/bin/make is the NetBSD bmake utility. bmake has a feature called meta-mode [1], which can make use of the filemon(4) kernel module to perform reliable update builds and provide better build dependencies. [1] http://www.crufty.net/sjg/blog/freebsd-meta-mode.htm II. Problem Description Multiple stability and locking problems have been fixed in the filemon(4) kernel module. Without these fixes, using meta-mode and filemon(4) on a FreeBSD 10.2 system may result in kernel panics. III. Impact For the jails and virtual machines used by the FreeBSD Jenkins Continuous Integration builders, it is desirable to use released versions FreeBSD. This will allow us to set up builders to test building FreeBSD-CURRENT with meta-mode, using a FreeBSD 10.2-RELEASE-p9 build host. IV. Workaround No workaround is available for the filemon stability problems. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-16:01/filemon.patch # fetch https://security.FreeBSD.org/patches/EN-16:01/filemon.patch.asc # gpg --verify filemon.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10 r287598 releng/10.2 r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this Errata Notice is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2jlAAoJEO1n7NZdz2rnF6kQAJEgtPKwowupOd3QV2UvMJ4T PP/UK9tvF+Tbmow+5z9vV8ghh/oHc/AUWxhbIcnOFO7YldwrYJDXAHWF5VoTgatb Ycg+R10Kyg8loZZuAAaGsY+zS78BIXunKVduWealz6TV978sZ5mr7qVJjX03Bvdh 9s3dX6PLfA0ZtqxXuhJ3oMj1Nt7UoGyNNNg23TWhQDMzpueB1EihhjzcLEk8UCjR OlZElMXsnI/c9zG0eaSDPqfUuQrZDasQ+kM4eWaEXxcZVHSEQtU7vJ6SjxAkeCHT fzRcAilzQBQJzObzpdXCxrd3OmKL52Ml44Kll2k31QQM3YDHw5g+mMJ+G6BoD5HZ hQktb7Y064s/SQ0S91aTCgdSBzlTOny7IjsE1W+T6WD4Dohc1aY5y5u2UDBIRIS9 BvovQF9k0PXIqpA3DjV1cGp3oYLpmJc5NYqHuJ9hkQWSp8FntfuQ1gKpieznyg25 mb7fsOU693Dglcodtz1uQcwwgh/0s7bEcP6o7ejzsd4bzhe9CTLgD5qp0MD8htiH Li+i9O5hUS8nheJt03btw/mq7CPbr66JWnpVHmPe8kL8SU7qmwBwq6d3buk5Hyr1 tOmpuTyW+dq4iWweG411/j9M8Q03fD/DI4Ez2KS5OTizNAWb2wq8e+OZIk6TDE37 Aam3KrksQZjG+sqL7NVp =INcx -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:03:24 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BC370A80984 for ; Thu, 14 Jan 2016 10:03:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id B45191F0C; Thu, 14 Jan 2016 10:03:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id B30E51224; Thu, 14 Jan 2016 10:03:24 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20160114100324.B30E51224@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:03:24 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:02.pf X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:03:24 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-16:02.pf Errata Notice The FreeBSD Project Topic: Invalid TCP checksums with pf(4) Category: core Module: pf Announced: 2016-01-14 Credits: Kristof Provost Affects: All supported versions of FreeBSD. Corrected: 2015-11-11 12:36:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2015-12-25 15:12:54 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The pf(4) is one of several packet filters available in FreeBSD, originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description When running with certain network interfaces, capable for hardware transmit checksum offloading, or TCP segmentation offload, pf(4) produces packets with invalid TCP checksums. III. Impact The TCP packets with invalid checksums are rejected by the remote host, leading to large performance impacts or inability to successfully run a TCP connection. IV. Workaround Disable transmit checksum offloading and TSO support on the affected network interface: # ifconfig ue0 -txcsum -tso V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Reboot the system or unload and reload the pf.ko kernel module. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Reboot the system or unload and reload the pf.ko kernel module. 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.2] # fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch # fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch.asc # gpg --verify pf-10.2.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch # fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch.asc # gpg --verify pf-10.1.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.3.patch # fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.3.patch.asc # gpg --verify pf-9.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system or unload and reload the pf.ko kernel module. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r292732 releng/9.3/ r293896 stable/10/ r290669 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2rlAAoJEO1n7NZdz2rnv0QP/RXPzKbSRsyyX3914BJv/W4V coLFodRd62WxPvFIOXaLbNsVSi1yqRqNS3BPNTXnldEvjZWS5HsRlY5inq7hCjOn NzZFIBVD3aL3eIXBUghNHTcCp3Ml5zIzcGUwJ0wW4F8j3D8Ty0YbJs+E7Ku63DIb 3rR2Mj1Jcoxi4JNVaQ962JlRrqauQUIiFbS0bSmP/cQCUlvhm+uk8Yj1KgSYesSu n+lQAipH2zZWGjVj1xxvqi4cUcr6J6LEF0eTmg+UoM24vhq+QNql5aactYMOORiW f+80HOWm6R8F/6TI2xs7HpNfnQNuNBRTfmfViQB8GgzgV2juElcTXW4NKXALrkWy HxAfv6wdhDxclOXzumUXDOXC90o62Jv5gWiToJWLyETHI1vTe4UuE0egejFHSDJB bmFpbYeuvXJ5/3dAYHHtnjtIPE9PXG+c16eJr3XDkY4plreL/hpyDHFRd3scqWew EvPnkYcXZmzpCC/wZbDM5sI76YAfX7vayVqsUI0X4WRueYyIljRQGwygwfmHWiac HIrgLgJvXZCGXiiuSpZq5874er0/UN9czGuMVOFZoXZ45yuj99pO1rJNZryO926A UAOsC76m78myPrM+a4dJDrnWKgZjputCEBHXXNS8Yxt1cimrrbAb2wy0gt1CIMFm cuAfikAwdNj3JAvjS4oA =Aw1R -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:03:29 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CFA03A8098F for ; Thu, 14 Jan 2016 10:03:29 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id C81D41F76; Thu, 14 Jan 2016 10:03:29 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id C744C1268; Thu, 14 Jan 2016 10:03:29 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20160114100329.C744C1268@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:03:29 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:03.yplib X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:03:29 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-16:03.ypclnt Errata Notice The FreeBSD Project Topic: YP/NIS client library critical bug Category: core Module: ypclnt Announced: 2016-01-14 Credits: Ravi Pokala, Lakshmi Narasimhan Sundararajan, Fred Lewis, Pushkar Kothavade Affects: All supported versions of FreeBSD. Corrected: 2015-12-21 14:32:29 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-13 05:32:24 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The YP/NIS subsystem allows network management of passwd, group, netgroup, hosts, services, rpc, bootparams and ethers file entries. The ypclnt suite provides an interface to the YP subsystem. The standard NIS protocol limits its database entries to YPMAXRECORD (1024 characters). II. Problem Description There is a bug with the NIS client library, which can lead to an infinite loop. III. Impact A server that is deliberately configured to violate the NIS/YP protocol can cause a FreeBSD NIS client to be stuck forever. IV. Workaround No workaround is available, but systems that are not configured to use NIS/YP are not affected. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is recommended. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install A reboot is recommended. 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-16:03/yplib.patch # fetch https://security.FreeBSD.org/patches/EN-16:03/yplib.patch.asc # gpg --verify yplib.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . A reboot is recommended. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293804 releng/9.3/ r293896 stable/10/ r292547 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j1AAoJEO1n7NZdz2rnRZQP/iZq/xlDFZrxwpW4S0GimmmK CdB9yE8rITW2XRWIaTW+fj4aqQ8cvD3IpqtgPe1wCXe69XgmICPwwBh/zNB4w0qu xmyihP6/2qTLatIq886StqXRkS+05U5y4VoEwFaRkBCy3IWDVXgM41DsRhOuYq3y Y72VNeJFSuD+qb0i0B56PpPhaVd7hyEgvuXLXxi3l/BiUMD9t4Z36W8a2IPrF1wa wviTB6cr614dzH+Jou+d9ffKoD6TWeZtbcf1jrw12YVBJhPx3vCqPVJGerGRUwVF TeD4cUyHmY1nRa4zssKJcbAbgbYGtumRZTysa50eXBVsd7MTloZk0o8Angr6uGeR rRo8Sop8PbwWm81Zykb4lIBOVUB4TsEfMjusKhgcJ5kmd+gK8z1ZzE/ZlOes2UJ8 eH+LOEKjux3c9UKkz6RDWinM277J5fhZ5Zi6jO6n/LrJRKiqKud6VeHQLOElXye7 /8KFqCaym8JpZ0P3Cywid+2EyqjlNwvsZleDs8EE/d1+60yX+Qm2j+BKAfqhSyLD a9TimJTsEMA47Rf3af2lx1q4bnrKJVSBGhNaNzDHe5UIge0FAt8uUwgL/yIDpBlS /5TtnD3F30B34482sAf4u/WW/1ipppIFEe8i6d9uwIGjG9Z5eVVom2FJbAHHdVA6 w8xVZil5irkB2fdI1DOi =A4Qy -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:04:32 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EAC38A80AF3 for ; Thu, 14 Jan 2016 10:04:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id E2DAE1767; Thu, 14 Jan 2016 10:04:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id E1EA91462; Thu, 14 Jan 2016 10:04:32 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160114100432.E1EA91462@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:04:32 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:01.sctp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:04:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:01.sctp Security Advisory The FreeBSD Project Topic: SCTP ICMPv6 error message vulnerability Category: core Module: SCTP Announced: 2016-01-14 Credits: Jonathan T. Looney Affects: All supported versions of FreeBSD Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2016-1879 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Stream Control Transmission Protocol (SCTP) protocol provides reliable, flow-controlled, two-way transmission of data. The Internet Control Message Protocol for IPv6 (ICMPv6) provides a way for hosts on the Internet to exchange control information. Among other uses, a host or router can use ICMPv6 to inform a host when there is an error delivering a packet sent by that host. II. Problem Description A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow. III. Impact A remote, unauthenticated attacker can reliably trigger a kernel panic in a vulnerable system running IPv6. Any kernel compiled with both IPv6 and SCTP support is vulnerable. There is no requirement to have an SCTP socket open. IPv4 ICMP processing is not impacted by this vulnerability. IV. Workaround No workaround is available, but systems using a kernel compiled without SCTP support or IPv6 support are not vulnerable. In addition, some stateful firewalls may block ICMPv6 messages that are not responding to a legitimate connection. (However, this may not completely block the problem, as an ICMPv6 message could still be sent in response to a legitimate SCTP connection.) V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Rebooting to the new kernel is required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Rebooting to the new kernel is required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:01/sctp.patch # fetch https://security.FreeBSD.org/patches/SA-16:01/sctp.patch.asc # gpg --verify sctp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j1AAoJEO1n7NZdz2rnIfoQAOZTLX3VovQPGj9wr7PspLQi Tazu6vRnjzdOdjpeWwSgYlq6DJGjT71c/BRyCWCoijr2uyBWRlANqzMO64thuTzx gc6juRlChLDF4sNVWbNDMRwuHTfCpgDH2/4hQeR/9CmiQxHJyqL0gXc889D206i9 KzgmYrSALEVK0E2kDBeRMsadtqPIEzCw4LygWd4qrtYNPjAfBR/a9U4rg7ZN0ICZ RCPnkAF6qI09B931QfHaI4C9wdBF8DJ6nKN/2aU9ATdOJJb7oUkpaHht8kmbdZS+ Tn12nEXkQvNxuAKT7Fb87M14s7LUR12V5wgDeMd2UtOfkeSpGEDFACdhYW3IpKan gD+2IlzLRhoQTJ7lQWMRTKh3OiDDR2kLwvbEU7BGecDSG6fVkgumn6NlHYybdH7L axpDOxPz8ITfcdRipIXLOQEC308ckdmaEwqi4ikgBGwEkSgIwj1flGStswvcMrim vT0xof2dv1y6RW5xYnJF7Mtn/rEcqrql/BeBp/kxJZ2Qt3hkppQnjWD6kvrEj00s CajzxdBTM7J3buDzu++RL2GL9p5Cwo1kDmUJdWimIbSecL62J9+PwFCDYp/dOy25 GAPGnf7gk8YhwM8pHwLtcX0b9UundkXLWnLBN7R12fL7Ch2CmPbgPcoFc5CSbcIx TBRU+4TGcNGxigXyzIHT =G0DD -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:04:37 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E69D3A80B6E for ; Thu, 14 Jan 2016 10:04:36 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id DEB2E17A7; Thu, 14 Jan 2016 10:04:36 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id DDA4D146D; Thu, 14 Jan 2016 10:04:36 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160114100436.DDA4D146D@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:04:36 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:02.ntp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:04:37 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:02.ntp Security Advisory The FreeBSD Project Topic: ntp panic threshold bypass vulnerability Category: contrib Module: ntp Announced: 2016-01-14 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2016-01-11 01:09:50 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-11 01:48:16 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2015-5300 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description The ntpd(8) daemon has a safety feature to prevent excessive stepping of the clock called the "panic threshold". If ever ntpd(8) determines the system clock is incorrect by more than this threshold, the daemon exits. There is an implementation error within the ntpd(8) implementation of this feature, which allows the system time be adjusted in certain circumstances. III. Impact When ntpd(8) is started with the '-g' option specified, the system time will be corrected regardless of if the time offset exceeds the panic threshold (by default, 1000 seconds). The FreeBSD rc(8) subsystem allows specifying the '-g' option by either including '-g' in the ntpd_flags list or by enabling ntpd_sync_on_start in the system rc.conf(5) file. If at the moment ntpd(8) is restarted, an attacker can immediately respond to enough requests from enough sources trusted by the target, which is difficult and not common, there is a window of opportunity where the attacker can cause ntpd(8) to set the time to an arbitrary value. IV. Workaround No workaround is available, but systems not running ntpd(8), or running ntpd(8) but do not use ntpd_sync_on_start="YES" or specify the '-g' option in ntpd_flags are not affected. Neither of these are set by default. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.1 and 10.2] # fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-10.patch # fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-10.patch.asc # gpg --verify ntp-10.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-9.patch # fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-9.patch.asc # gpg --verify ntp-9.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293652 releng/9.3/ r293896 stable/10/ r293650 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j2AAoJEO1n7NZdz2rnyg4QAJ/x3xs+pNGXxTT63hbBqLcB NTSljW5+hFpL94Nr+rHrelvcT3HkvdWUC+7BvMksoUYCZv0vClp5W7tsfuojDPr0 GechK1BpLwxeLnRexulWEuvDQpbr6BN9ABdfSl4h3AaUwGYbBVLMY8aT5JpTiE3I UZg/5iPXVGFPcfdFhzaPgCpZxQtGI3QV7m5jx+Pf8r0ifuTNi8bAbwHCRzmOV8rA 1LM4fvlCPd6TiP3UANWM7PFGbX8UArgzXlb8jSwkxEVC02oZitol4UhcLgacwVrO 0/0q71pyn8W3NBQ1QPUaUg1M81sE501NCTCP3rEg+o6g7oxiq+GpgB0FKwCJxrTk n3EL7tyhbvVcsglPLRkIXkGz3o5XdelFJ66+qS+mZAiPozkzEFUIdxd8rHKsA1e4 ZIFARDvDgi8iTArbJnPsQH0CgK8+/2RV2ILFW00Zcu7batvSWJtAUNNFqTSN34tk JJzHWYwKfGwRIMyEABsy9wLez9K2tRIG0fX75p82dVbRcRZwwSfPmFdfDPuMRRmc dsNF3133TA92uxwZ177cZk537g+Q0/0I6bts8us3GlCdY2HBuIc+HvRJQyEEqGEv v1GfEdnwGLp4rmPI8uY+JQ87now7KYhAK1SVil9AXm3tLrIqJsHYayA9nI8mjxfY Mh1utEeP+TMuievDMQNo =il8c -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:04:42 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 885C2A80BFC for ; Thu, 14 Jan 2016 10:04:42 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 6ED0218B4; Thu, 14 Jan 2016 10:04:42 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 6E39414C5; Thu, 14 Jan 2016 10:04:42 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160114100442.6E39414C5@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:04:42 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:03.linux X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:04:42 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:03.linux Security Advisory The FreeBSD Project Topic: Linux compatibility layer incorrect futex handling Category: core Module: kernel Announced: 2016-01-14 Credits: Mateusz Guzik Affects: All supported versions of FreeBSD. Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2016-1880 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component. The support is provided on amd64 and i386 machines. II. Problem Description A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed. III. Impact It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation. IV. Workaround No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable. The following command can be used to test if the Linux binary compatibility layer is loaded: # kldstat -m linuxelf V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Reboot the system or unload and reload the linux.ko kernel module. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Reboot the system or unload and reload the linux.ko kernel module. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch # fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch # cd /usr/src/amd64/linux32 # make sysent # cd /usr/src/i386/linux # make sysent c) Recompile your kernel and modules as described in . Reboot the system or unload and reload the linux.ko kernel module. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Subversion: Branch/path Revision - --------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - --------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j2AAoJEO1n7NZdz2rngkcQAJ8yxlxYd+qZPf+pbP+0Kj6w +Sy8BrSUrYLMFynrs4vRPTJobLnVGpwkp6I6ZCDL/yoI/7Xkl3ld7HWfH7MAJ6WP x0j5/bC+AlWGpKfL6wqeddxjHgmaAlDznN1MyO+3byVfP1Y8VVppbzqPNw9AW17Q kNqNAMsVuk3OMpoE7CYEsaH6rzHzbMGAPuR+KN5J55Mth6dNkIYSIFJ0sCae5cnv P6SoMKjn7ffcHymmX/Yj7K0FTOrJOePR0eLbTITivJT1uZ3bYbbYyK1bYslE6bwF EQ3Ij+LhZdM5D7GBOpILBZ9ojvVMq8PiW9yY3zo7DRrwWajBy8pe/3ow0u7igoOK /0XUFmRT0Q0iCxlGhXPxEGcc40g6oE6oVz1m3Ewgqc2+iZm+w6N/w88dRqiBHNgL AiCqleI10eRNgP1uq7XT/5PEslmQLxSCrDPFDOgmSZc3uY7H5LBb6O9fb7YTpn6J bfL7yyJFei/lAlY1s2b+4/DW9PE1OwxNw/R85mSUpbP5my5wwZR+s3mGTLI2JAlk 74Nw/OR9HLLHoEO5JlagfEclKp7O+JzhHYkAcBm7yRMRr1LV+7JZQEaTCeWTkm6L YvL8Ca1PAL6qNLZbxQ26Gjka7KCrFhhNfR22c3Lz4pLtkg9YmDRb4sy6i+q3ellG 0mLi0OqTu2gn+25xhidf =OQft -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:04:45 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C139A80C1E for ; Thu, 14 Jan 2016 10:04:45 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 245A61985; Thu, 14 Jan 2016 10:04:45 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 239A31526; Thu, 14 Jan 2016 10:04:45 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160114100445.239A31526@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:04:45 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:04.linux X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:04:45 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:04.linux Security Advisory The FreeBSD Project Topic: Linux compatibility layer setgroups(2) system call vulnerability Category: core Module: kernel Announced: 2016-01-14 Credits: Dmitry Chagin Affects: All supported versions of FreeBSD Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2016-1881 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component. The support is provided on amd64 and i386 machines. II. Problem Description A programming error in the Linux compatibility layer setgroups(2) system call can lead to an unexpected results, such as overwriting random kernel memory contents. III. Impact It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privilege escalation or cause a system panic. IV. Workaround No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable. The following command can be used to test if the Linux binary compatibility layer is loaded: # kldstat -m linuxelf V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Reboot the system or unload and reload the linux.ko kernel module. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Reboot the system or unload and reload the linux.ko kernel module. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch # fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch.asc # gpg --verify linux.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/amd64/linux32 # make sysent # cd /usr/src/i386/linux # make sysent c) Recompile your kernel as described in . Reboot the system or unload and reload the linux.ko kernel module. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnstMP/jddSJehSXe9rlL2qhYfRrQY XZSuoOtolvcl2xSQCZYprXN95/i890VOdJ9x4+iYJA2IQO55a8MjS1DcJjjonV7J zJa7Apnu1jaK1jDx+RL6C3eVDff0ss1B7NvZTXmjHn+nIsIRxd6vzxDp2NujTnWS XHNinNAPcVK9Hy/AJh1W+mClvgLg+lyMICuraMjTDc5ML3+fxUmXfDUWq1mm2Chq uYXMXcIBXBJx1mnnm9n2izExr7j7AHaVJywe/UYk+KCNbSeags76pt1vuPfoOjdE BaSlX9KNMouYU0JNfv/wC7/UnuQ/BY1XzxheVpIqmXwlFstAmSiKYIQkpIuypVF1 yUmf8CjN6AOx9P5CjxX88eeY3F6J1yohch1AI4IMqT3F3fd5LbJ5WqOjritt0J96 hDjnsiVhw4ozQE6SWTY8TKlokOOEfJC+yhNIJ0cNaHnkLSCUuDDErtGzp1CYoYmt Q8D1VJ1UEaVPaKcaNAo4+sjiE1uK6svPiWa1+W9VbKGvc3Y7PbcuVIzU0aI4ySgj VecEFM1O5wr3WXIYnDQNwkWVxbCQdxOIPyW0rqMGQVpu1h7MKk0oMboY1bLcQYFy Aa9okOl+D7ItpEpRUgnIT06B6krC5sUQuzkUxnVIBPKtcl1OZ4B8KidLjEqu4BSx 3qOQSGqZzr8TFcwPIJv4 =JKVW -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:04:51 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B98AA80CD7 for ; Thu, 14 Jan 2016 10:04:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 483161AB5; Thu, 14 Jan 2016 10:04:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 358FF15B7; Thu, 14 Jan 2016 10:04:51 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160114100451.358FF15B7@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:04:51 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:05.tcp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:04:51 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:05.tcp Security Advisory The FreeBSD Project Topic: TCP MD5 signature denial of service Category: core Module: kernel Announced: 2016-01-14 Credits: Ryan Stone, Jonathan T. Looney Affects: All supported versions of FreeBSD. Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2016-1882 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. An optional extension to TCP described in RFC 2385 allows protecting data streams against spoofed packets with MD5 signature. Support for TCP MD5 signatures is not enabled in default kernel. II. Problem Description A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to kernel crash. III. Impact A local attacker can crash the kernel, resulting in a denial-of-service. A remote attack is theoretically possible, if server has a listening socket with TCP_NOOPT set, and server is either out of SYN cache entries, or SYN cache is disabled by configuration. IV. Workaround No workaround is available, but installations running a default kernel, or a custom kernel without TCP_SIGNATURE option are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. System reboot is required. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch # fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch.asc # gpg --verify tcp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnrWcQAN+QX6wEvC7FkTXyX2LHFWas CVOI/KkxkHSVwYMMScmorG27OxDsHTkvrGfqyVbYDczmC5NY+AorMiZMoo7CHn5J gYmS8NZvBPeMKmFt45lBTBDnKT6mOvHBz6UPhyyHruvR6VZ2h3fyLqYzbMKcy12i Onmk/nm3vgrqOCmnqYQN8Xo2v2x4KcKU3/jegK+pdfOwd9Q1bmxzBWwFx8yc7pZ0 3YItalkiMsuRppSuNS9fGoRSoB/Ybf/8pu6SDnhvJnw4CIRGAl3IDKpBanB7F/9E sofcI499s+uyOHPY8TrQ62L4UjteEukwaV8EJh6vPaLm3pns0cSURzKczgytTH3G Nz9GcI3hYdfbXRBgJvwtZv9JY5s3ZtPiqqTwHta7AdplXwiOJJ1Ylso5lZ4beiJh q7Sv+YMJr9cNfnYmSGv33rKN4hdae7XfJm+Ipde4bpgCLFpKkb/aQaGxGlowjDaW 0C77qCg+se3TzwGl0A7ClEq4dLaadTsiShQCpZGQOgc6Wgz9QUBGxU811e3KQHLo 3XQgxGSB9+3d7YiK/ZNkzi8d89VXMgUOx4HoOZ7+SkVBg1+qpbiYnk8VJjLmXyOz dPtDbzWG68wluWcSc7TD5yIYx2Lw4E9ZMWzh2boOxEWrcd9mxCUPiU9nsF+PIAPG kTcLnX0+iXijpKMnQpgP =UjjC -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Jan 14 10:04:55 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 57A8EA80D0E for ; Thu, 14 Jan 2016 10:04:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 4FE6A1BA5; Thu, 14 Jan 2016 10:04:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 4F26E1621; Thu, 14 Jan 2016 10:04:55 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160114100455.4F26E1621@freefall.freebsd.org> Date: Thu, 14 Jan 2016 10:04:55 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:06.bsnmpd X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:04:55 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:06.bsnmpd Security Advisory The FreeBSD Project Topic: Insecure default bsnmpd.conf permissions Category: contrib Module: bsnmpd Announced: 2016-01-14 Credits: Pierre Kim Affects: All supported versions of FreeBSD. Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2015-5677 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The bsnmpd daemon serves the Internet SNMP (Simple Network Management Protocol). It is intended to serve only the absolute basic MIBs and implements all other MIBs through loadable modules. II. Problem Description The SNMP protocol supports an authentication model called USM, which relies on a shared secret. The default permission of the bsnmpd configuration file, /etc/bsnmpd.conf, is weak and does not provide adequate protection against local unprivileged users. III. Impact A local user may be able to read the shared secret, if configured and used by the system administrator. IV. Workaround No workaround is available, but systems that do not use bsnmpd with its USM authentication model are not vulnerable. V. Solution This vulnerability can be fixed by modifying the permission on /etc/bsnmpd.conf to owner root:wheel and permission 0600. The patch is provided mainly for third party vendors who deploy FreeBSD and provide a safe default. The patch itself DOES NOT fix the permissions for existing installations. The patch can be applied by performing one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The system administrator should change the permission on /etc/bsnmpd.conf to root:wheel and 0600. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The system administrator should change the permission on /etc/bsnmpd.conf to root:wheel and 0600. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:06/bsnmpd.patch # fetch https://security.FreeBSD.org/patches/SA-16:06/bsnmpd.patch.asc # gpg --verify bsnmpd.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j4AAoJEO1n7NZdz2rnkaQP/3K9kqYY1YoHQ++uzFPnfuZQ mkGPJ0frGG46pTL806QJidky6D0LP0zNCzhtU45ZlFMguJ3B3QYp/62Cw61dBG22 x0uEkvI2F2F39IPA/clspyUHg3Y1RYgTpJrxey0JLrK0yxelyI8vMwB4tCB2eEDW ZGVU6rvFQcWJOWHABXVYcc+4Yy5ucudp0QbJsVHAKLtF7MLuntVlUj+x4Nncog5k kmGt6W7tzFn2gNsWcmntmG/LWyPkPURWhYfIj3fgcRrpMTVIDFX5PTgQyJR7DwOM /beIoQxxKBUwTW1ZRgvcCqFBu7DKSCMABoHgpqLj1gdeiJ1LaO4dErtWXvdBEAAP +XLi5OkRG3OKzIAIRnkz/SrkAUoRkzHEK1dI0coyw7AdXXjDBWtX+n9lzRXs7hqT LC3riK/Km9OYVn3+T7tCWnvKN45f+FnD8zxZDE+33Jv9wI8X+CCs9GjJdoJ0HDSd b6rg8E4gGPzfwFxSNXZQKfDSSuVBECIp3av1gp6hN3qZNOX/sadMsxro8VVGFLPg 81rC+JfKNTeVtxF8oJi9eg3FQ/eupxQv4RvC2c37R7LcErAU1KKxZyNrwv6xDEMx QVnx74o+luxXSirLxq276pfBQJdMjxYzWCj6E8ztcAZenz3M4WNiRFlt7hdq/3YO bDBdQPe4eYSHHSGyGcz/ =LDPU -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Fri Jan 15 05:44:55 2016 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9F7C7A83A7F for ; Fri, 15 Jan 2016 05:44:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 95A521AC5; Fri, 15 Jan 2016 05:44:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 947A21D0E; Fri, 15 Jan 2016 05:44:55 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160115054455.947A21D0E@freefall.freebsd.org> Date: Fri, 15 Jan 2016 05:44:55 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:07.openssh X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Jan 2016 05:44:55 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:07.openssh Security Advisory The FreeBSD Project Topic: OpenSSH client information leak Category: contrib Module: openssh Announced: 2016-01-14 Credits: Qualys Security Advisory Team Affects: All supported versions of FreeBSD. Corrected: 2016-01-14 22:42:43 UTC (stable/10, 10.2-STABLE) 2016-01-14 22:45:33 UTC (releng/10.2, 10.2-RELEASE-p10) 2016-01-14 22:47:54 UTC (releng/10.1, 10.1-RELEASE-p27) 2016-01-14 22:50:35 UTC (stable/9, 9.3-STABLE) 2016-01-14 22:53:07 UTC (releng/9.3, 9.3-RELEASE-p34) CVE Name: CVE-2016-0777 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The ssh(1) is client side utility used to login to remote servers. II. Problem Description The OpenSSH client code contains experimental support for resuming SSH connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. III. Impact A user that authenticates to a malicious or compromised server may reveal private data, including the private SSH key of the user. IV. Workaround The vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. All current remote ssh(1) sessions need to be restared after changing the configuration file. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:07/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-16:07/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r294053 releng/9.3/ r294054 stable/10/ r294049 releng/10.1/ r294051 releng/10.2/ r294052 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWmH8uAAoJEO1n7NZdz2rnZ3MQAMPm2/+gM/83HbibOzRXfo7v 4D3j93BOEGltCQx8y+Stu3Y/CNA6eRYVPvD0u65DeO2bevQcYPQbfHSa5fxYgjWQ yqmLAvB+KZyGxAWZZhXsOWS6oUsK6y75jaWho3Oq19VLps8CWqHauvIyk0b1z/KA IlYYcXOdAvDgLoZHVcLbKU0jdOvMmc/iwxhx0aPVu4D2LXIr59xQcA/AsbKobk5V oqWt5CaaiZCXmVaw9eQhqNuXYC3zoY2/eh8FKG6IkIH9eyL6qQUIxumluxcui1MZ 25tZjp+OsmpVLgWxUyKKyQOVj3rRjaiRBwyUMUk+87GwmW+5b71UYjtVfQw9KHf1 KjGfylhu1oFcw5vCiul9xMm5jtBweqly1U1GEigybkDzaRNM3wheaOjWJVplU9Ku pNYZJo7cBi19KztUUyF9AUroAdVGVO4fzRtHxWUPIBxXFpgvlXijw/AMckTGcqWy TcEh45zSs2TScP1F8GeLPvmWUFbcChTCYWUIzFVUakEVeM5iRmx6B9qMFcN7YUS7 aFiraTIJFhaYrBbKK95CMfFvDAXwe+tBoGfLjXIfZdHcrmB6jkDyUue8ItopsAS0 hozJQUgcnZzzG+KcWODEB2xMdZSqldUoztDXJII3aisCf39ZXN5IFNJHti13tc8l Lw/p7lOx/U4SIq+QNqqy =EApM -----END PGP SIGNATURE-----