From owner-freebsd-announce@freebsd.org Wed Nov 4 13:14:49 2015 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5453DA245B9 for ; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 3753A1E77; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 368A81AD1; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20151104131449.368A81AD1@freefall.freebsd.org> Date: Wed, 4 Nov 2015 13:14:49 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:19.kqueue X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Nov 2015 13:14:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-15:19.kqueue Errata Notice The FreeBSD Project Topic: kqueue write events for files greater 2GB would never fire Category: core Module: kern Announced: 2015-11-04 Credits: Steven Hartland Affects: All supported versions of FreeBSD. Corrected: 2015-09-24 08:42:08 UTC (stable/10, 10.2-STABLE) 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) 2015-09-24 09:35:35 UTC (stable/9, 9.3-STABLE) 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The kqueue(2) system call provides a generic method of notifying the user when an event happens or a condition holds, based on the results of small pieces of kernel code termed filters. II. Problem Description Due to int usage for file offsets in the VOP_WRITE_(PRE|POST) macros, kqueue(2) write events for files greater 2GB where never fired. III. Impact Any kqueue(2) consumer monitoring for file changes will fail to receive an event if the monitored file is greater than 2GB. This causes commands such as 'tail -f' to never see updates. IV. Workaround For the specific case of tail(1), using '-F' instead of '-f' avoids the issue, however other consumers of kqueue(2) events to monitor files do not have a workaround. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. 2) To update your present system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install And reboot the system. 3) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-15:19/kqueue.patch # fetch https://security.FreeBSD.org/patches/EN-15:19/kqueue.patch.asc # gpg --verify kqueue.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r288168 releng/9.3/ r290363 stable/10/ r288167 releng/10.1/ r290362 releng/10.2/ r290361 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this Errata Notice is available at https://security.FreeBSD.org/advisories/FreeBSD-EN-15:19.kqueue.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWOe7vAAoJEO1n7NZdz2rneAkP/0FCRnyH6vkJFZBbfdIQY5u7 XPSbSD+2847aJRWw/xU+FWHsFjjcfKrvKqgRtdZXkTBe3FjTgiNbf6jQRCSy0f6u odcPXt4ZprXmhn6BOsyF92NgDHE5VXIiO1h0Jz1Y/+PTi/52BjNbevGUox6VpbMc t9XwxuARKG5bSNU+QdWdilP4H//+SAxuhK4Y96i6pccbT51DoO3ACCa8EpuOJYW9 elXTQbB4XC1n0EATr5gtTwKE+5/yPDEgl9pPNjsN8UTWCqzPwxPTwfplf3idN5Vq Oe5YIiI5aaAE16fSYUkIZR0kZ/ScR6gbmc2ALKRtHPa4+9g9TpNINpfmreV2htfH CrUW4qGZaoABpX1X2sFJ6su2NCgW3DliOuSAJUyK8Re2XEJZVfcVauyWaZxocJhu NRoH8yBoLJKrPB0Z3Dr9eygmDNGEvaFUB/ZpbeCbyebwyFTmTMUshwfZwcfPftaB bNd+R4J9UkY5wJWYUve7VpGDY2L6+j2MoPnlZJDfZZpYmFByD/GmdV5Pxxl4yEj3 2DBevZIGOGlH9E26JrPTcCYjkX15OS0KUkWQy7xv1jdxXCZ4AVbRq8CRiFdQ2JPU uSsrwgrGPdYkku0k6xXbb5YDw4475lQPAy9gMSeEDCqcl4GjKf1AVbrN9Jq73C8o c65YAK83vX3x9HDWCrss =OODP -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Nov 4 13:14:49 2015 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 550D2A245BA for ; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 3EA3A1E79; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 3E28A1AD3; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20151104131449.3E28A1AD3@freefall.freebsd.org> Date: Wed, 4 Nov 2015 13:14:49 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:20.vm X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Nov 2015 13:14:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-15:20.vm Errata Notice The FreeBSD Project Topic: Applications exiting due to segmentation violation on a correct memory address Category: core Module: kernel Announced: 2015-11-04 Credits: Konstantin Belousov Affects: All supported versions of FreeBSD. Corrected: 2015-09-15 04:20:39 UTC (stable/10, 10.2-STABLE) 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) 2015-10-30 13:05:39 UTC (stable/9, 9.3-STABLE) 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The FreeBSD virtual memory system provides processes with virtual address space. Features of virtual address space include copy-on-write pages and page wiring. II. Problem Description A race condition exists in the virtual memory implementation. When an application writes to a valid address in its address space, and the corresponding map entry is marked as copy-on-write, and right now undergoes wiring process, and the corresponding page does not yet have a page table entry installed, the application receives a segmentation violation signal. A usual case for this scenario to happen is a write into a never written map entry in a child process right after fork(2) system call. III. Impact Under certain conditions, a correctly behaving application could be terminated. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # reboot 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-15:20/vm.patch # fetch https://security.FreeBSD.org/patches/EN-15:20/vm.patch.asc # gpg --verify vm.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r290194 releng/9.3/ r290363 stable/10/ r287846 releng/10.1/ r290362 releng/10.2/ r290361 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWOe8FAAoJEO1n7NZdz2rnqBcP/2XPJ87Fr1b7I1i0R8ClJj5G Kk+pGD+OkZF9h7ix0b1NrSBjB2quCFUy+u8ImPXMkSZM0Id7hAIX0VourkqcoHSL CrsYTUXyqq4KU3E7xvoU4Q54cnDAd3hHIm9Gsduv1UNY02YBI/mRYqiMVnXKHGk/ SLlmMtFCmLkXHJP5/Ynx1xILWC9c2xYLqfvlLbkTTbmtZn8gAQqgh1kfuEkzEvt4 sgXx8kewUnv9Z2Oo+Xcqqrh5UfeppDEc7x8Y7a4tiSkW034xMETzC0xjrbq+4lE1 2MU/j65ZN5Sq5EjrmHdnr5q0R7/V4CHjRcLAvw2UaVpNlfMNmVpe5uye/slUDRw0 gCcztomi1heU78octR71kD0irhRVa+bcftsuanDRF8hs0czJL5BhPYyIaEb7e4s5 tGQyyflncD4EONbI/rmfsQhLEaTTg240NtkZbQFY1f5FqoyFiKXX99Hwm1jHZsRR OYGOAo3YZPx6biRdaIOPg0OTjqNw/mZgY3uQ/vCjWGAcgSzynDMkMJEOmyf+RBgZ F4qWOxmmFMr9+X1+1c7/ApwjampmfCV/Z7UvJTaFkVuKPiFA4ubrJ3TmDLsQMzza k9zumzxZAo+tsYD8ArbpPYlERe6JoF3axm/97JcFrn5iUcnaMM8vmawQo8xsrunx GyLfwUPpXSI25C1iNJDx =HTKc -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Nov 4 13:14:49 2015 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2E67CA245B6 for ; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 23DD71E74; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1025) id 231401AC9; Wed, 4 Nov 2015 13:14:49 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20151104131449.231401AC9@freefall.freebsd.org> Date: Wed, 4 Nov 2015 13:14:49 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Nov 2015 13:14:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:25.ntp Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities of ntp [REVISED] Category: contrib Module: ntp Announced: 2015-10-26, revised on 2015-11-04 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) 2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE) 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/. 0. Revision history. v1.0 2015-10-26 Initial release. v1.1 2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8) utilities and lack of RAWDCF reference clock support in ntpd(8). I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and 10.1 are not affected. If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition. [CVE-2015-7855] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to crash, with the hypothetical possibility of a small code injection. [CVE-2015-7854] A negative value for the datalen parameter will overflow a data buffer. The NTF ntpd(8) driver implementation always sets this value to 0 and are therefore not vulnerable to this weakness. If the system runs a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this), then ntpd(8) would overflow the data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd(8), the attacker could effect a code injection attack. [CVE-2015-7853] If an attacker can figure out the precise moment that ntpq(8) is listening for data and the port number on which it is listening, or if the attacker can provide a malicious instance ntpd(8) that victims will connect to, then an attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop. [CVE-2015-7850] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected through the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848] The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets. If ntpd(8) is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory. [CVE-2015-7701] The default configuration of ntpd(8) within FreeBSD does not use autokey. If ntpd(8) is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it is possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files. [CVE-2015-5196] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration An ntpd(8) client that honors Kiss-of-Death responses will honor Kiss-of-Death messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements Kiss-of-Death rate limiting will send the target machine a Kiss-of-Death response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the time source of a target by sending the target a time query. [CVE-2015-7704] The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. [CVE-2015-7702]. The default configuration of ntpd(8) within FreeBSD does not use autokey. III. Impact An attacker which can send NTP packets to ntpd(8) which uses cryptographic authentication of NTP data, may be able to inject malicious time data causing the system clock to be set incorrectly. [CVE-2015-7871] An attacker which can send NTP packets to ntpd(8) can block the communication of the daemon with time servers, causing the system clock not being synchronized. [CVE-2015-7704] An attacker which can send NTP packets to ntpd(8) can remotely crash the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] An attacker which can send NTP packets to ntpd(8) can remotely trigger the daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce risk associated with the attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [*** v1.1 NOTE ***] If your sources are not yet patched using initial advisory patches, then you need to apply full patches named ntp-NNN.patch, where NNN stands for the release version. If your sources are already updated, or patched with patches from initial advisory, then you need to apply incremental patches, named ntp-NNN-inc.patch, where NNN stands for the release version. [FreeBSD 10.2-RELEASE-p5, not patched with initial SA-15:25 patch] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.xz # unxz ntp-102.patch.xz # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc # gpg --verify ntp-102.patch.asc [FreeBSD 10.1-RELEASE-p22, not patched with initial SA-15:25 patch] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.xz # unxz ntp-101.patch.xz # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc # gpg --verify ntp-101.patch.asc [FreeBSD 9.3-RELEASE-p28, not patched with initial SA-15:25 patch] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.xz # unxz ntp-93.patch.xz # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc # gpg --verify ntp-93.patch.asc [FreeBSD 10.2-RELEASE-p6, initial SA-15:25 patch applied] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch.asc # gpg --verify ntp-102-inc.patch.asc [FreeBSD 10.1-RELEASE-p23, initial SA-15:25 patch applied] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch.asc # gpg --verify ntp-101-inc.patch.asc [FreeBSD 9.3-RELEASE-p29, initial SA-15:25 patch applied] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch.asc # gpg --verify ntp-93-inc.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -p0 < /path/to/patch # find contrib/ntp -type f -empty -delete c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html. d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and with help of the etcupdate(8) tool on 10.1-RELEASE. Restart the ntpd(8) daemon, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r290269 releng/9.3/ r290363 stable/10/ r289997 releng/10.1/ r290362 releng/10.2/ r290361 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN VII. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871 The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWOe7GAAoJEO1n7NZdz2rnzLUQAOugJiyGHZFYllUnCF/EBFoo UIKc3RjWAqreJ5Mg0upKqI7i2oHw4/VjxVjdvwdp7E5t6b+/LYA5jDCfO/RcuMMS SZDyC2BWGq8kkSuwNZmo1js1WRUsdpTQPr3TLvoTh/o1w5D0ncLgqJz7IeuqlHer 2VG5yJP30OUyF1cdk4E9LJcDXx24u8iP0DN5e/0XJGST5/trp/+VYpMy7Vm8dv1l IQks3wtU4tI574rQKjmAiQyRnvLq0TJ4v/eHHKP4PkMC6FNFUyJx0OhVqZdqWJXz ynT28JY5d1SsiPlhUDfSRKGjdpi4kC4szv7ceCuAwmWiDlsNqinKadu9bz4Rwudt qlgJZRmtoFcyeReHckZmEwcmW9hPT3i98kjWs83vZqGD9bw7Zt05HfZ/TPyTk3tg ec1Dmvhx4s9jprypuThPgs3W7KlgnvdpYdc2aagiU/dqvTArzVuWeLP0ryo269CD ZWbgVrfFZjhvi+/nUJD+eMoVLsJYBhNZoJEv7NvUSWizVE4bfD4oFkAxEHBpXxVo VKt5V6edVR0rdmI3xFkiP8372UPbYN8KUfa1R5y4GWPbORv/Z5Wb/XAVmGlvkHNj U0bmAWv5XOw3CtwFJnRaATl/H5+WqQOVthxvT9EHvt8fHczAq8HvDHS7bIrFDEdN gVRXzv6oTlBVGq6sP17H =Jtlu -----END PGP SIGNATURE-----