From owner-freebsd-announce@freebsd.org Wed Mar 7 07:09:39 2018 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2DFA8F3215D for ; Wed, 7 Mar 2018 07:09:39 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D969B82067; Wed, 7 Mar 2018 07:09:38 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id D1CC04467; Wed, 7 Mar 2018 07:09:38 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20180307070938.D1CC04467@freefall.freebsd.org> Date: Wed, 7 Mar 2018 07:09:38 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 07:09:39 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-18:01.ipsec Security Advisory The FreeBSD Project Topic: ipsec validation and use-after-free Category: core Module: ipsec Announced: 2018-03-07 Credits: Maxime Villard Affects: All supported versions of FreeBSD. Corrected: 2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE) 2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7) 2018-03-07 05:47:48 UTC (stable/10, 10.4-STABLE) 2018-03-07 05:53:35 UTC (releng/10.4, 10.4-RELEASE-p6) 2018-03-07 05:53:35 UTC (releng/10.3, 10.3-RELEASE-p27) CVE Name: CVE-2018-6916 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The IPsec suite of protocols provide network level security for IPv4 and IPv6 packets. FreeBSD includes software originally developed by the KAME project which implements the various protocols that make up IPsec. In IPsec, the IP Authentication Header (AH) is used to provide protection against replay attacks and connectionless integrity and data origin authentication for IP datagrams. II. Problem Description Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash. Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results. III. Impact Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results. IV. Workaround No workaround is available, but systems not using IPsec are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. And reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install And reboot the system 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.x] # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc # gpg --verify ipsec-10.patch.asc [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc # gpg --verify ipsec-11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r330565 releng/10.3/ r330566 releng/10.4/ r330566 stable/11/ r329907 releng/11.1/ r330566 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhClfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cISCQ//f9bjAzuou4wlbaoVBp+csfE8qwJl0PJAs/guwO9dO/TMLrVzJ+oNtAIR VO6T7j2uC/eLD80PFsGoTpDAm4O1gqcGGX4OZm/6rE/OdqC3/UhhqpMYke0ZdNuh ugUyztXZkHuvsLgoR/peW9QqAxRRABTUWL0NPQU4YvtEpa5iOOkzNYuPQ9+dltQC SXkbGDrHgHwMHSyoZ14eRffrlwOU+bYH7tdMvDzPyr3z4NhJSTJvKBy4dohCal9F bQRjZSqsGGZ4D0T0BW88RpD3wRBj9s23bSgbcrR8tQvtwEN897S/oL0wtbFYVOQ+ p/ZgiVgV2JvB17m6Dnmt8+CQLEri+21l1NCF2rVMvMBUcZioiO3L43Z3dZNZfRb5 pknuSB6q0HEF5qE1sRIlT2WwH/6rd6VASQOb0NQRTBKNVM7ZU6+Q1PN56KjPhZmw uVREGJ6fHz/MB58fOLkyhbhvcmL7Hz1CGQwQz1Qi05Gp5T2OYP9POJyK8e/EW+Gs hiiErWezEWpVtHHfUpbudVlqlLp/Mc8LHlVOCIhnrEWH1zhgBX2Bx/WmELUerJz/ RjOKUdPTQwn8IVkXJfpj42IbxdCG8xvQN/NKWf01maa+Y2xLCtlg8H0I9/9zT80Q bLdFKjj+M5ysz+bcSR4jl3pd2WMqpidXPvOjph5JcfNWDA5131I= =Uzqo -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Mar 7 07:10:09 2018 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0F228F3222C for ; Wed, 7 Mar 2018 07:10:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B8642820A3; Wed, 7 Mar 2018 07:10:08 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id B1366447B; Wed, 7 Mar 2018 07:10:08 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20180307071008.B1366447B@freefall.freebsd.org> Date: Wed, 7 Mar 2018 07:10:08 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:02.ntp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 07:10:09 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-18:02.ntp Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities of ntp Category: contrib Module: ntp Announced: 2018-03-07 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6" packets. A malicious "mode 6" packet can be sent to an ntpd instance, and if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will read past the end of its buffer. [CVE-2018-7182] The ntpd(8) service can be vulnerable to Sybil attacks. If a system is configured to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer, i.e., one where the attacker knows the private symmetric key, can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. [CVE-2018-7170] The fix for NtpBug2952 was incomplete, and while it fixed one problem it created another. Specifically, it drops bad packets before updating the "received" timestamp. This means a third-party can inject a packet with a zero-origin timestamp, meaning the sender wants to reset the association, and the transmit timestamp in this bogus packet will be saved as the most recent "received" timestamp. The real remote peer does not know this value and this will disrupt the association until the association resets. [CVE-2018-7184] The NTP Protocol allows for both non-authenticated and authenticated associations, in client/server, symmetric (peer), and several broadcast modes. In addition to the basic NTP operational modes, symmetric mode and broadcast servers can support an interleaved mode of operation. In ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine that allows a non-authenticated zero-origin (reset) packet to reset an authenticated interleaved peer association. If an attacker can send a packet with a zero-origin timestamp and the source IP address of the "other side" of an interleaved association, the 'victim' ntpd will reset its association. The attacker must continue sending these packets in order to maintain the disruption of the association. [CVE-2018-7185] The ntpq(8) utility is a monitoring and control program for ntpd. The internal decodearr() function of ntpq(8) that is used to decode an array in a response string when formatted data is being displayed. This is a problem in affected versions of ntpq if a maliciously-altered ntpd returns an array result that will trip this bug, or if a bad actor is able to read an ntpq(8) request on its way to a remote ntpd server and forge and send a response before the remote ntpd sends its response. It is potentially possible that the malicious data could become injectable/executable code. [CVE-2017-7183] III. Impact Malicious remote attackers may be able to break time synchornization, or cause the ntpq(8) utility to crash. IV. Workaround No workaround is available, but systems not running ntpd(8) or ntpq(8) are not affected. Network administrators are advised to implement BCP-38 which helps to reduce risk associated with the attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc # gpg --verify ntp-11.1.patch.asc [FreeBSD 10.4] # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc # gpg --verify ntp-10.4.patch.asc [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc # gpg --verify ntp-10.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r330141 releng/10.3/ r330567 releng/10.4/ r330567 stable/11/ r330106 releng/11.1/ r330567 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o= =D2ov -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Mar 7 07:10:39 2018 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 12BFCF32306 for ; Wed, 7 Mar 2018 07:10:39 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BB33082123; Wed, 7 Mar 2018 07:10:38 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id B3E3544BF; Wed, 7 Mar 2018 07:10:38 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20180307071038.B3E3544BF@freefall.freebsd.org> Date: Wed, 7 Mar 2018 07:10:38 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:01.tzdata X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 07:10:39 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-18:01.tzdata Errata Notice The FreeBSD Project Topic: Timezone database information update Category: contrib Module: zoneinfo Announced: 2018-03-07 Credits: Philip Paeps Affects: All supported versions of FreeBSD Corrected: 2018-01-27 13:29:55 UTC (stable/11, 11.1-STABLE) 2018-03-07 06:01:44 UTC (releng/11.1, 11.1-RELEASE-p7) 2018-01-27 13:34:14 UTC (stable/10, 10.4-STABLE) 2018-03-07 06:01:44 UTC (releng/10.4, 10.4-RELEASE-p6) 2018-03-07 06:01:44 UTC (releng/10.3, 10.3-RELEASE-p27) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The tzsetup(8) program allows the user to specify the default local timezone. Based on the selected timezone, tzsetup(8) copies one of the files from /usr/share/zoneinfo to /etc/localtime. This file actually controls the conversion. II. Problem Description Several changes in Daylight Savings Time happened after previous FreeBSD releases were released that would affect many people who live in different countries. Because of these changes, the data in the zoneinfo files need to be updated, and if the local timezone on the running system is affected, tzsetup(8) needs to be run so the /etc/localtime is updated. III. Impact An incorrect time will be displayed on a system configured to use one of the affected timezones if the /usr/share/zoneinfo and /etc/localtime files are not updated, and all applications on the system that rely on the system time, such as cron(8) and syslog(8), will be affected. IV. Workaround The system administrator can install an updated timezone database from the misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected. Applications that store and display times in Coordinated Universal Time (UTC) are not affected. V. Solution Please note that some third party software, for instance PHP, Ruby, Java and Perl, may be using different zoneinfo data source, in such cases this software must be updated separately. For software packages that is installed via binary packages, they can be upgraded by executing `pkg upgrade'. Following the instructions in this Errata Notice will update all of the zoneinfo files to be the same as what was released with FreeBSD release. Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart all the affected applications and daemons, or reboot the system. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all the affected applications and daemons, or reboot the system. 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-18:01/tzdata-2018c.patch # fetch https://security.FreeBSD.org/patches/EN-18:01/tzdata-2018c.patch.asc # gpg --verify tzdata-2018c.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all the affected applications and daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r328476 releng/10.3/ r330568 releng/10.4/ r330568 stable/11/ r328475 releng/11.1/ r330568 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhfZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJp7Q//fHWkVYNLtrjtWwhWdklnNdJq16V4Jnvd4bniw9O9tlWBZlQPwFB4Ez/l GNLqamLhgakaFXFE9oISjqn1LvNZOoaIDKHVs9KRkTEWpGZaIVRVPyHkZsGImG4A ale+8grJBcyepZPxXGbmEcPsrGPlOs5M3LsQabwEvuPW8yf9CLAh5IOkmD7r7qMJ zbhLKW/rKQOq9Weka3XZSuVXXi1h536tmGPkQoj0S+k73d0X67E5jlFCOFo8Q/yh qqsIXRNrvvfieVujUtTRwYrbCi6Omngj6lNZWCOO7QUNKd0YoEgsdj/tAxZ+cwwn Z7J55ARBD+/dkRAFbZaqryPFuznDA3+bPS/oKJfyVdIDWC4gT38L8WUFMSRpeFbr BdZMUdoxvj2NRjRejgO/kii7JDzg2+nztGmt8hw0z4lNt5ZXIc2W4+ou7oEaAr5i YoM95ZxwnNe5JEgYXWOJ8f4krB1GICLk0KQZ38P1kP2jQRs52OtQKNBRw3UVZLEV SnFSACTNYSQzE3CajEgVQ/cfg3+KMA0fYbYdmA5ZXekQqjSMPeqrui/z+9C57Bjm 6+4qTpzST8oJbNBOGlU2uncIcYllaWSrMQ2kRWmq73O/PUMhoPhukahPeYEMj8PR STD8RLoN9Rp+6GdZfLndLBl6ZJHOFKY0yd6NYsGlj7AsjJwsgKw= =mVpJ -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Mar 7 07:10:58 2018 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A6463F323BE for ; Wed, 7 Mar 2018 07:10:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5B6478219C; Wed, 7 Mar 2018 07:10:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 53E0744D9; Wed, 7 Mar 2018 07:10:58 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20180307071058.53E0744D9@freefall.freebsd.org> Date: Wed, 7 Mar 2018 07:10:58 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:02.file X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 07:10:59 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-18:02.file Errata Notice The FreeBSD Project Topic: Version and security update of file(1) and libmagic(3) Category: contrib Module: file Announced: 2018-03-07 Affects: All supported versions of FreeBSD. Corrected: 2018-02-05 08:20:11 UTC (stable/11, 11.1-STABLE) 2018-03-07 06:04:25 UTC (releng/11.1, 11.1-RELEASE-p7) 2018-02-05 08:50:34 UTC (stable/10, 10.4-STABLE) 2018-03-07 06:04:25 UTC (releng/10.4, 10.4-RELEASE-p6) 2018-03-07 06:04:25 UTC (releng/10.3, 10.3-RELEASE-p27) CVE Name: CVE-2017-1000249 For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The file(1) utility attempts to classify file system objects based on filesystem, magic number and language tests. The libmagic(3) library provides most of the functionality of file(1) and may be used by other applications. II. Problem Description The file(1) utility contains a stack based buffer overflow when parsing a specially crafted input file. III. Impact The issue lets an attacker overwrite a fixed 20 bytes stack buffer with with a specially crafted .notes section in an ELF binary file. IV. Workaround No workaround is available, but systems where file(1) and other applications using libmagic(3) are never run on untrusted input are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.3.patch # fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.3.patch.asc # gpg --verify file-10.3.patch.asc [FreeBSD 10.4] # fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.4.patch # fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.4.patch.asc # gpg --verify file-10.4.patch.asc [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/EN-18:02/file-11.patch # fetch https://security.FreeBSD.org/patches/EN-18:02/file-11.patch.asc # gpg --verify file-11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r328875 releng/10.3/ r330569 releng/10.4/ r330569 stable/11/ r328874 releng/11.1/ r330569 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhmJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLAmg/+Ls59X/iLsmZiRvMiqfxI78P7FYuvTZ/6It0oaElmbswoaIDs3NF1c+II lcKYwFyXPs4ge/9P4k4pz9bWN7IZcMlGuzDalWSpywF2y3I/6zCNOU2Xyzz4LLVx wrLuWbTYqXFq6bgYsT8BBOANIadH5tjCfvO7DXOtRHyfUK5DJqsT+xMyv6R4Kncv VnwjyBNkutT/kAkWYYdqJYLR7uhW2NmVk/57Un6lnGxsLUMgfL8jxzsTlGOa90q9 0fmGVTwkHxqfxqVSd9+lymISuuw4pg2Ar8bY0AKzMjhQTVMhEtLEsn0N+VbLg6Ns 6HCuPsYwDtGLJ8hd44JPCfbzxzOAW08flUwgu1U5E4e+sUIlKMTOhKxt/HrH+JFk OyzLDytuv2364lMepThzO4++vWZkErxfa5uJFjjrax5w+WECyEddrUJG3HovOxMd YXD/dBSulgxaAgVQLXhn1AI+BUR5rD59wsmi6rEYFDXhAfTxNtrHXp1vIoHiW4CO a8jVPHfFcSuNzLfi+hE/QV8q2RWVOseYlOey0vme4h0upzi3HKQ8WPvUQUrHmDLw D0Hmr6m9PpyoKFnh2UlM4RiEMf3RO4o4nkRHzPp40LPawzmOmilSmPwv/HasBe2z X49GD/ortXLxn7UmGqjkIEApOo9me8lHxCYtODQC73BwZdFNrP4= =PpWQ -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Thu Mar 8 06:29:30 2018 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8BCDDF3756A for ; Thu, 8 Mar 2018 06:29:30 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 406DC681EB; Thu, 8 Mar 2018 06:29:30 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 38C3B33F5; Thu, 8 Mar 2018 06:29:30 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20180308062930.38C3B33F5@freefall.freebsd.org> Date: Thu, 8 Mar 2018 06:29:30 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Mar 2018 06:29:30 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-18:01.ipsec [REVISED] Security Advisory The FreeBSD Project Topic: ipsec validation and use-after-free Category: core Module: ipsec Announced: 2018-03-07 Credits: Maxime Villard Affects: All supported versions of FreeBSD. Corrected: 2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE) 2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7) 2018-03-07 16:55:15 UTC (stable/10, 10.4-STABLE) 2018-03-07 17:16:41 UTC (releng/10.4, 10.4-RELEASE-p7) 2018-03-07 17:16:41 UTC (releng/10.3, 10.3-RELEASE-p28) CVE Name: CVE-2018-6916 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2018-03-07 Initial release. v1.1 2018-03-08 Correct patch for 10.x releases. I. Background The IPsec suite of protocols provide network level security for IPv4 and IPv6 packets. FreeBSD includes software originally developed by the KAME project which implements the various protocols that make up IPsec. In IPsec, the IP Authentication Header (AH) is used to provide protection against replay attacks and connectionless integrity and data origin authentication for IP datagrams. II. Problem Description Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash. Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results. III. Impact Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results. IV. Workaround No workaround is available, but systems not using IPsec are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. And reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install And reboot the system 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. [*** v1.1 NOTE ***] If your 10.x sources were already patched using the initially published advisory patches, you need to apply the ipsec-10.rev1.patch. If you had not yet patched your 10.x sources, you need only apply the ipsec-10.patch file. 11.1 sources were correct in the initial release and do not need to be updated. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.x system not patched with the original SA-18:01 patch] # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc # gpg --verify ipsec-10.patch.asc [FreeBSD 10.x that had been patched with the original SA-18:01 patch] # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch.asc # gpg --verify ipsec-10.rev1.patch.asc [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch # fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc # gpg --verify ipsec-11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r330609 releng/10.3/ r330611 releng/10.4/ r330611 stable/11/ r329907 releng/11.1/ r330566 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqg1K9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJCDQ/+OpTS1PrKiwuRsJ5i0RWnS8C9d/dIn9C83JJtuxhGb+CEY5bYSVKufsW/ ilkUK3fiOWWwDHYecZW15qvt1E2E6Hm608b+K37bqL+FKobNj78B+KQr4erb0183 /Kqo0TKDtsUzr20sNFWgeQWgHP/EqyWyJuB2zfOSb1vGUViiuxJfMxajzfE2tKqh IDG/QpMvRolJFKSWdQnF08NIYLXfffZ4Sz9+VDCdfeLEQKi+LT6DJnlGDz/rR5iB TwyMg3AbobpGuuV0puOZTul2GiHaPwh/fJR8JoG13+kK5VznvrOXopLAl2CVAjtj mNuHeQHwaSQanSXgKtYxZG4/w1JDMSr60FKgG7FizhJ+9WAbjPySbb+wV5qJD4oY a8F2urt3Tj1c1l4juOctVW+NVSS96idpf9NsmsmticTujgBu+2k63+cSIchiNj1B ZcPw5PLgiC/r0P6FITrwXa7zJLNHdFrPvNihKTlEHJAgGno7FJJpdagxmcfGnpb2 74VlbQF7Tq+9NQJU23y9Vj3YL0XERB/b45oRHkBEoVJKgK9/4U4mzFufn4PfANUt 0hcgMlxTOVKt0S405dh4I6ok51iq6XDol18QoYbXJHqMuEq7Lo80fKuq8gpKmCJ0 h3NBYJKPUsngfJUisXS7VrQx3zTB8Yyp1BykpCDKET8LVJGmV7c= =RMG/ -----END PGP SIGNATURE-----