Date:      Tue, 28 Jul 2015 20:17:11 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r47125 - in head/share: security/advisories security/patches/SA-15:14 security/patches/SA-15:15 security/patches/SA-15:16 security/patches/SA-15:17 xml
Message-ID:  <201507282017.t6SKHBrv011153@repo.freebsd.org>

Author: delphij
Date: Tue Jul 28 20:17:10 2015
New Revision: 47125
URL: https://svnweb.freebsd.org/changeset/doc/47125

Log:
  Add SA-15:14 - SA-15:17.

Added:
  head/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:15.tcp.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:16.openssh.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:17.bind.asc   (contents, props changed)
  head/share/security/patches/SA-15:14/
  head/share/security/patches/SA-15:14/bsdpatch.patch   (contents, props changed)
  head/share/security/patches/SA-15:14/bsdpatch.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:15/
  head/share/security/patches/SA-15:15/tcp-8.patch   (contents, props changed)
  head/share/security/patches/SA-15:15/tcp-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:15/tcp-9.3-10.1.patch   (contents, props changed)
  head/share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:15/tcp.patch   (contents, props changed)
  head/share/security/patches/SA-15:15/tcp.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:16/
  head/share/security/patches/SA-15:16/openssh-8.patch   (contents, props changed)
  head/share/security/patches/SA-15:16/openssh-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:16/openssh.patch   (contents, props changed)
  head/share/security/patches/SA-15:16/openssh.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:17/
  head/share/security/patches/SA-15:17/bind.patch   (contents, props changed)
  head/share/security/patches/SA-15:17/bind.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:14.bsdpatch                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          shell injection vulnerability in patch(1)
+
+Category:       contrib
+Module:         patch
+Announced:      2015-07-28
+Credits:        Martin Natano
+Affects:        FreeBSD 10.x.
+Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+CVE Name:       CVE-2015-1416
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The patch(1) utility takes a patch file produced by the diff(1) program and
+apply the differences to an original file, producing a patched version.
+
+The patch(1) utility supports certain version control systems, namely SCCS
+and RCS, and attempts to get or check out the file before applying a patch,
+if the original file do not already exist.
+
+II.  Problem Description
+
+Due to insufficient sanitization of the input patch stream, it is possible
+for a patch file to cause patch(1) to run commands in addition to the desired
+SCCS or RCS commands.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary commands as the user
+invoking patch(1) against a specically crafted patch file, which could be
+leveraged to obtain elevated privileges.
+
+IV.  Workaround
+
+No workaround is available, but systems where a privileged user does not
+make use of patches without proper validation are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+A reboot is not required after updating.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is not required after updating.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
+# gpg --verify bsdpatch.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r285976
+releng/10.1/                                                      r285978
+releng/10.2/                                                      r285979
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>;
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=JTtx
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-15:15.tcp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:15.tcp.asc	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,187 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:15.tcp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Resource exhaustion in TCP reassembly 
+
+Category:       core
+Module:         inet
+Announced:      2015-07-28
+Credits:        Patrick Kelsey (Norse Corporation)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name:       CVE-2015-1417
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.
+
+The underlying simple and potentially unreliable IP datagram
+communication protocol may deliver segments out of order, therefore,
+the TCP receiver would need to reassemble the segments into their
+original sequence to provide a reliable octet stream.  Because the
+reassembly requires additional resources to keep the queued segments,
+historically resource exhaustion in the TCP reassembly path has been
+prevented by limiting the total number of segments that could belong
+to reassembly queues to a small fraction (1/16) of the total number of
+mbuf clusters in the system.
+
+VNET is a technique to virtualize the network stack, first introduced in
+FreeBSD 8.0.  It changes global resources in the network stack into per
+network stack resources, so that a virtual network stack can be attached
+to a jailed prison and the prison can have unrestricted access to the
+virtual network stack.  VNET is not enabled by default and has to be
+enabled by recompiling the kernel.
+
+II.  Problem Description
+
+There is a mistake with the introduction of VNET, which converted the
+global limit on the number of segments that could belong to reassembly
+queues into a per-VNET limit.  Because mbufs are allocated from a
+global pool, in the presence of a sufficient number of VNETs, the
+total number of mbufs attached to reassembly queues can grow to the
+total number of mbufs in the system, at which point all network
+traffic would cease.
+
+III. Impact
+
+An attacker who can establish concurrent TCP connections across a
+sufficient number of VNETs and manipulate the inbound packet streams
+such that the maximum number of mbufs are enqueued on each reassembly
+queue can cause mbuf cluster exhaustion on the target system, resulting
+in a Denial of Service condition.
+
+As the default per-VNET limit on the number of segments that can
+belong to reassembly queues is 1/16 of the total number of mbuf
+clusters in the system, only systems that have 16 or more VNET
+instances are vulnerable.
+
+IV.  Workaround
+
+FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
+(option VIMAGE) are not affected.  The support has to be specifically
+compiled into a custom kernel, so its use is not common.
+
+For affected systems, the system administrators may consider reducing
+the net.inet.tcp.reass.maxsegments tunable to the value of
+kern.ipc.nmbclusters divided by one greater than the total number of
+VNETs that are going to be used in the system in order to prevent a
+Denial of Service via this vulnerability.  For example, if there are
+16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
+should be set to kern.ipc.nmbclusters / 17.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+And reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+[FreeBSD 9.3 and 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
+# gpg --verify tcp-9.3-10.1.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
+# gpg --verify tcp-8.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285977
+releng/8.4/                                                       r285980
+stable/9/                                                         r285977
+releng/9.3/                                                       r285980
+stable/10/                                                        r285976
+releng/10.1/                                                      r285979
+releng/10.2/                                                      r285978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>;
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=PC1V
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-15:16.openssh.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:16.openssh.asc	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,188 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:16.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH multiple vulnerabilities
+
+Category:       contrib
+Module:         openssh
+Announced:      2015-07-28
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name:       CVE-2014-2653, CVE-2015-5600
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+The security of the SSH connection relies on the server authenticating
+itself to the client as well as the user authenticating itself to the
+server.  SSH servers uses host keys to verify their identity.
+
+RFC 4255 has defined a method of verifying SSH host keys using Domain
+Name System Security (DNSSEC), by publishing the key fingerprint using
+DNS with "SSHFP" resource record.  RFC 6187 has defined methods to use
+a signature by a trusted certification authority to bind a given public
+key to a given digital identity with X.509v3 certificates.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+OpenSSH uses PAM for password authentication by default.
+
+II.  Problem Description
+
+OpenSSH clients does not correctly verify DNS SSHFP records when a server
+offers a certificate. [CVE-2014-2653]
+
+OpenSSH servers which are configured to allow password authentication
+using PAM (default) would allow many password attempts.
+
+III. Impact
+
+A malicious server may be able to force a connecting client to skip DNS
+SSHFP record check and require the user to perform manual host verification
+of the host key fingerprint.  This could allow man-in-the-middle attack
+if the user does not carefully check the fingerprint.  [CVE-2014-2653]
+
+A remote attacker may effectively bypass MaxAuthTries settings, which would
+enable them to brute force passwords. [CVE-2015-5600]
+
+IV.  Workaround
+
+Systems that do not use OpenSSH are not affected.
+
+There is no workaround for CVE-2014-2653, but the problem only affects
+networks where DNSsec and SSHFP is properly configured.  Users who uses
+SSH should always check server host key fingerprints carefully when
+prompted.
+
+System administrators can set:
+
+	UsePAM no
+
+In their /etc/ssh/sshd_config and restart sshd service to workaround the
+problem described as CVE-2015-5600 at expense of losing features provided
+by the PAM framework.
+
+We recommend system administrators to disable password based authentication
+completely, and use key based authentication exclusively in their SSH server
+configuration, when possible.  This would eliminate the possibility of being
+ever exposed to password brute force attack.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+SSH service has to be restarted after the update.  A reboot is recommended
+but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+SSH service has to be restarted after the update.  A reboot is recommended
+but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3, 10.1, 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
+# gpg --verify openssh-8.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the SSH service, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285977
+releng/8.4/                                                       r285980
+stable/9/                                                         r285977
+releng/9.3/                                                       r285980
+stable/10/                                                        r285976
+releng/10.1/                                                      r285979
+releng/10.2/                                                      r285978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>;
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=6PBw
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-15:17.bind.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:17.bind.asc	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:17.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service vulnerability
+
+Category:       contrib
+Module:         bind
+Announced:      2015-07-28
+Credits:        ISC
+Affects:        FreeBSD 8.x and FreeBSD 9.x.
+Corrected:      2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name:       CVE-2015-5477
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+An error in the handling of TKEY queries can be exploited by an attacker
+for use as a denial-of-service vector, as a constructed packet can use
+the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
+
+III. Impact
+
+A remote attacker can trigger a crash of a name server.  Both recursive and
+authoritative servers are affected, and the exposure can not be mitigated
+by either ACLs or configuration options limiting or denying service because
+the exploitable code occurs early in the packet handling, before checks
+enforcing those boundaries.
+
+IV.  Workaround
+
+No workaround is available, but systems that are not running BIND are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The named service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The named service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285977
+releng/8.4/                                                       r285980
+stable/9/                                                         r285977
+releng/9.3/                                                       r285980
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01272>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>;
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=40iD
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:14/bsdpatch.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:14/bsdpatch.patch	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,188 @@
+Index: usr.bin/patch/common.h
+===================================================================
+--- usr.bin/patch/common.h	(revision 285926)
++++ usr.bin/patch/common.h	(working copy)
+@@ -43,12 +43,10 @@
+ #define	LINENUM_MAX LONG_MAX
+ 
+ #define	SCCSPREFIX "s."
+-#define	GET "get -e %s"
+-#define	SCCSDIFF "get -p %s | diff - %s >/dev/null"
+ 
+ #define	RCSSUFFIX ",v"
+-#define	CHECKOUT "co -l %s"
+-#define	RCSDIFF "rcsdiff %s > /dev/null"
++#define	CHECKOUT "/usr/bin/co"
++#define	RCSDIFF "/usr/bin/rcsdiff"
+ 
+ #define	ORIGEXT ".orig"
+ #define	REJEXT ".rej"
+Index: usr.bin/patch/inp.c
+===================================================================
+--- usr.bin/patch/inp.c	(revision 285926)
++++ usr.bin/patch/inp.c	(working copy)
+@@ -31,8 +31,10 @@
+ #include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/mman.h>
++#include <sys/wait.h>
+ 
+ #include <ctype.h>
++#include <errno.h>
+ #include <libgen.h>
+ #include <stddef.h>
+ #include <stdint.h>
+@@ -133,12 +135,14 @@ reallocate_lines(size_t *lines_allocated)
+ static bool
+ plan_a(const char *filename)
+ {
+-	int		ifd, statfailed;
++	int		ifd, statfailed, devnull, pstat;
+ 	char		*p, *s, lbuf[INITLINELEN];
+ 	struct stat	filestat;
+ 	ptrdiff_t	sz;
+ 	size_t		i;
+ 	size_t		iline, lines_allocated;
++	pid_t		pid;
++	char		*argp[4] = {NULL};
+ 
+ #ifdef DEBUGGING
+ 	if (debug & 8)
+@@ -166,13 +170,14 @@ plan_a(const char *filename)
+ 	}
+ 	if (statfailed && check_only)
+ 		fatal("%s not found, -C mode, can't probe further\n", filename);
+-	/* For nonexistent or read-only files, look for RCS or SCCS versions.  */
++	/* For nonexistent or read-only files, look for RCS versions.  */
++
+ 	if (statfailed ||
+ 	    /* No one can write to it.  */
+ 	    (filestat.st_mode & 0222) == 0 ||
+ 	    /* I can't write to it.  */
+ 	    ((filestat.st_mode & 0022) == 0 && filestat.st_uid != getuid())) {
+-		const char	*cs = NULL, *filebase, *filedir;
++		char	*filebase, *filedir;
+ 		struct stat	cstat;
+ 		char *tmp_filename1, *tmp_filename2;
+ 
+@@ -180,43 +185,26 @@ plan_a(const char *filename)
+ 		tmp_filename2 = strdup(filename);
+ 		if (tmp_filename1 == NULL || tmp_filename2 == NULL)
+ 			fatal("strdupping filename");
++
+ 		filebase = basename(tmp_filename1);
+ 		filedir = dirname(tmp_filename2);
+ 
+-		/* Leave room in lbuf for the diff command.  */
+-		s = lbuf + 20;
+-
+ #define try(f, a1, a2, a3) \
+-	(snprintf(s, buf_size - 20, f, a1, a2, a3), stat(s, &cstat) == 0)
++	(snprintf(lbuf, sizeof(lbuf), f, a1, a2, a3), stat(lbuf, &cstat) == 0)
+ 
+-		if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
+-		    try("%s/RCS/%s%s", filedir, filebase, "") ||
+-		    try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
+-			snprintf(buf, buf_size, CHECKOUT, filename);
+-			snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
+-			cs = "RCS";
+-		} else if (try("%s/SCCS/%s%s", filedir, SCCSPREFIX, filebase) ||
+-		    try("%s/%s%s", filedir, SCCSPREFIX, filebase)) {
+-			snprintf(buf, buf_size, GET, s);
+-			snprintf(lbuf, sizeof lbuf, SCCSDIFF, s, filename);
+-			cs = "SCCS";
+-		} else if (statfailed)
+-			fatal("can't find %s\n", filename);
+-
+-		free(tmp_filename1);
+-		free(tmp_filename2);
+-
+ 		/*
+ 		 * else we can't write to it but it's not under a version
+ 		 * control system, so just proceed.
+ 		 */
+-		if (cs) {
++		if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
++		    try("%s/RCS/%s%s", filedir, filebase, "") ||
++		    try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
+ 			if (!statfailed) {
+ 				if ((filestat.st_mode & 0222) != 0)
+ 					/* The owner can write to it.  */
+ 					fatal("file %s seems to be locked "
+-					    "by somebody else under %s\n",
+-					    filename, cs);
++					    "by somebody else under RCS\n",
++					    filename);
+ 				/*
+ 				 * It might be checked out unlocked.  See if
+ 				 * it's safe to check out the default version
+@@ -224,21 +212,59 @@ plan_a(const char *filename)
+ 				 */
+ 				if (verbose)
+ 					say("Comparing file %s to default "
+-					    "%s version...\n",
+-					    filename, cs);
+-				if (system(lbuf))
++					    "RCS version...\n", filename);
++
++				switch (pid = fork()) {
++				case -1:
++					fatal("can't fork: %s\n",
++					    strerror(errno));
++				case 0:
++					devnull = open("/dev/null", O_RDONLY);
++					if (devnull == -1) {
++						fatal("can't open /dev/null: %s",
++						    strerror(errno));
++					}
++					(void)dup2(devnull, STDOUT_FILENO);
++					argp[0] = strdup(RCSDIFF);
++					argp[1] = strdup(filename);
++					execv(RCSDIFF, argp);
++					exit(127);
++				}
++				pid = waitpid(pid, &pstat, 0);
++				if (pid == -1 || WEXITSTATUS(pstat) != 0) {
+ 					fatal("can't check out file %s: "
+-					    "differs from default %s version\n",
+-					    filename, cs);
++					    "differs from default RCS version\n",
++					    filename);
++				}
+ 			}
++
+ 			if (verbose)
+-				say("Checking out file %s from %s...\n",
+-				    filename, cs);
+-			if (system(buf) || stat(filename, &filestat))
+-				fatal("can't check out file %s from %s\n",
+-				    filename, cs);
++				say("Checking out file %s from RCS...\n",
++				    filename);
++
++			switch (pid = fork()) {
++			case -1:
++				fatal("can't fork: %s\n", strerror(errno));
++			case 0:
++				argp[0] = strdup(CHECKOUT);
++				argp[1] = strdup("-l");
++				argp[2] = strdup(filename);
++				execv(CHECKOUT, argp);
++				exit(127);
++			}
++			pid = waitpid(pid, &pstat, 0);
++			if (pid == -1 || WEXITSTATUS(pstat) != 0 ||
++			    stat(filename, &filestat)) {
++				fatal("can't check out file %s from RCS\n",
++				    filename);
++			}
++		} else if (statfailed) {
++			fatal("can't find %s\n", filename);
+ 		}
++		free(tmp_filename1);
++		free(tmp_filename2);
+ 	}
++
+ 	filemode = filestat.st_mode;
+ 	if (!S_ISREG(filemode))
+ 		fatal("%s is not a normal file--can't patch\n", filename);
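Review bot: The parent's success test after both waitpid() calls, `if (pid == -1 || WEXITSTATUS(pstat) != 0)`, reads the exit code without first checking WIFEXITED(); if rcsdiff or co is terminated by a signal the status is not an exit code and WEXITSTATUS() typically evaluates to 0, so patch proceeds as though the comparison or checkout succeeded — both sites should read `if (pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0) {`. Two smaller points in the same child paths: /dev/null is opened O_RDONLY but installed as STDOUT_FILENO, so any write rcsdiff makes to stdout fails with EBADF instead of being discarded as the old `> /dev/null` redirection did, and `open("/dev/null", O_WRONLY)` is the equivalent; and the child should leave with `_exit(127)` rather than `exit(127)` so that a failed execv does not run the parent's atexit handlers or flush inherited stdio buffers a second time. Replacing system() with execv() on fixed absolute paths is the substantive fix and looks right: the file name now reaches co/rcsdiff as a single argv entry and is never interpreted by a shell. plan_a() continues past the end of the hunk.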

Added: head/share/security/patches/SA-15:14/bsdpatch.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:14/bsdpatch.patch.asc	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAABCgAGBQJVt+FwAAoJEO1n7NZdz2rno1wP/1dqyumvREi7i84Ab2ew+X+x
+YNbhqkhP/Q0+uwF68nbV1StAyuPZ85fSTy//19W0L3YU31vkZgz2B5N6Vl1Walpx
+UGk/6LGm2U8xzRRSOgThSthbUbXI4cAAjxmAuUkgd5br9g8KZo+h9LQNKpv+6Caa
+OCsTKZMwA81ImiOODCvJ9FQy7hQVBSQhssCVEZScU7aR+86FRhNy0a6tHX1Y8dkk
+LLhOJprZgG6JHR9fr+g0fCSjerYWKml4QlgpbXy/Fp3mIYfsnf8K9MaKa3KBLjOZ
+AoggAB/tNA+e9imXy8En/J5aZqMwhjDZNrWHACaDXB9kMrNEE8Nwp3gFMgpURGWf
+NFd8x+5SDv6yG+1xM1X/ywP9mVDQqySactLnGoEF77ANNEFVat9KafbPESckiqa7
+qw83IaO5/9P/IaZik+19SzOsJ9sZGRaco70HfAZA9r/SD+SLc+4U1PAdY0QxGdB6
+n7Ap088KK/GfiIF4ra5AqNDFquEWTPdkVqb+55Lv7eKgg1/S0rm7Ou7Z/lbBQerw
+QIJzcem/KDcPJxM3tkxumqMdzggwUCPtrxB6vDEjLMKSN/33I2iYD47UhP+rFjw5
+cdnrrqVgw0zt+p5vAubJJegk+aVWfy7QRcHaQb/FA5MYkOVKQP69lboa7PX4M+Pn
+EjipG4vadjqdZaYzuBhF
+=fzsn
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:15/tcp-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:15/tcp-8.patch	Tue Jul 28 20:17:10 2015	(r47125)
@@ -0,0 +1,203 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c	(revision 285923)
++++ sys/netinet/tcp_reass.c	(working copy)
+@@ -80,29 +80,25 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
+ SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+     "TCP Segment Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define	V_tcp_reass_maxseg		VNET(tcp_reass_maxseg)
++static int tcp_reass_maxseg = 0;
+ SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,
+     CTLTYPE_INT | CTLFLAG_RDTUN,
+-    &VNET_NAME(tcp_reass_maxseg), 0, &tcp_reass_sysctl_maxseg, "I",
++    &tcp_reass_maxseg, 0, &tcp_reass_sysctl_maxseg, "I",
+     "Global maximum number of TCP Segments in Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_qsize) = 0;
+-#define	V_tcp_reass_qsize		VNET(tcp_reass_qsize)
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++static int tcp_reass_qsize = 0;
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+     CTLTYPE_INT | CTLFLAG_RD,
+-    &VNET_NAME(tcp_reass_qsize), 0, &tcp_reass_sysctl_qsize, "I",
++    &tcp_reass_qsize, 0, &tcp_reass_sysctl_qsize, "I",
+     "Global number of TCP Segments currently in Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define	V_tcp_reass_overflows		VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+     CTLTYPE_INT | CTLFLAG_RD,
+-    &VNET_NAME(tcp_reass_overflows), 0,
++    &tcp_reass_overflows, 0,
+     "Global number of TCP Segment Reassembly Queue Overflows");
+ 
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define	V_tcp_reass_zone		VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+ 
+ /* Initialize TCP reassembly queue */
+ static void
+@@ -109,34 +105,25 @@ static void
+ tcp_reass_zone_change(void *tag)
+ {
+ 
+-	V_tcp_reass_maxseg = nmbclusters / 16;
+-	uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
++	tcp_reass_maxseg = nmbclusters / 16;
++	uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
+ }
+ 
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+ 
+-	V_tcp_reass_maxseg = nmbclusters / 16;
++	tcp_reass_maxseg = nmbclusters / 16;
+ 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+-	    &V_tcp_reass_maxseg);
+-	V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++	    &tcp_reass_maxseg);
++	tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+-	uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
++	uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
+ 	EVENTHANDLER_REGISTER(nmbclusters_change,
+ 	    tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+ 
+-#ifdef VIMAGE
+ void
+-tcp_reass_destroy(void)
+-{
+-
+-	uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+-void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+ 	struct tseg_qent *qe;
+@@ -146,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ 	while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ 		LIST_REMOVE(qe, tqe_q);
+ 		m_freem(qe->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, qe);
++		uma_zfree(tcp_reass_zone, qe);
+ 		tp->t_segqlen--;
+ 	}
+ 
+@@ -158,7 +145,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ static int
+ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
+ {
+-	V_tcp_reass_maxseg = uma_zone_get_max(V_tcp_reass_zone);
++	tcp_reass_maxseg = uma_zone_get_max(tcp_reass_zone);
+ 	return (sysctl_handle_int(oidp, arg1, arg2, req));
+ }
+ 
+@@ -165,7 +152,7 @@ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
+ static int
+ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
+ {
+-	V_tcp_reass_qsize = uma_zone_get_cur(V_tcp_reass_zone);
++	tcp_reass_qsize = uma_zone_get_cur(tcp_reass_zone);
+ 	return (sysctl_handle_int(oidp, arg1, arg2, req));
+ }
+ 
+@@ -213,7 +200,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 */
+ 	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+-		V_tcp_reass_overflows++;
++		tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+ 		m_freem(m);
+ 		*tlenp = 0;
+@@ -232,7 +219,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 * Use a temporary structure on the stack for the missing segment
+ 	 * when the zone is exhausted. Otherwise we may get stuck.
+ 	 */
+-	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


