aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2015-08-25 21:09:45 +0000
committerXin LI <delphij@FreeBSD.org>2015-08-25 21:09:45 +0000
commit9c7cd2396bbbb2a0081f3f36737af63ecbc292fc (patch)
tree6a9103723da5676cb5b68eaee599b8daf447c4d1
parenta34f8cc55cc1705897038a5c92b3f687c3e1d72c (diff)
downloaddoc-9c7cd2396bbbb2a0081f3f36737af63ecbc292fc.tar.gz
doc-9c7cd2396bbbb2a0081f3f36737af63ecbc292fc.zip
Add SA-15:21.amd64, SA-15:22.openssh, EN-15:14.ixgbe and EN-15:15.pkg.
Notes
Notes: svn path=/head/; revision=47309
-rw-r--r--share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc121
-rw-r--r--share/security/advisories/FreeBSD-EN-15:15.pkg.asc132
-rw-r--r--share/security/advisories/FreeBSD-SA-15:21.amd64.asc139
-rw-r--r--share/security/advisories/FreeBSD-SA-15:22.openssh.asc161
-rw-r--r--share/security/patches/EN-15:14/ixgbe.patch26
-rw-r--r--share/security/patches/EN-15:14/ixgbe.patch.asc17
-rw-r--r--share/security/patches/EN-15:15/pkg.patch34
-rw-r--r--share/security/patches/EN-15:15/pkg.patch.asc17
-rw-r--r--share/security/patches/SA-15:21/amd64.patch53
-rw-r--r--share/security/patches/SA-15:21/amd64.patch.asc17
-rw-r--r--share/security/patches/SA-15:22/openssh.patch68
-rw-r--r--share/security/patches/SA-15:22/openssh.patch.asc17
-rw-r--r--share/xml/advisories.xml12
-rw-r--r--share/xml/notices.xml12
14 files changed, 826 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc b/share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc
new file mode 100644
index 0000000000..5b2f3b4ce8
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-15:14.ixgbe.asc
@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:14.ixgbe Errata Notice
+ The FreeBSD Project
+
+Topic: Disable ixgbe(4) flow-director support
+
+Category: core
+Module: ixgbe
+Announced: 2015-08-25
+Credits: Marc De La Gueronniere (Verisign, Inc.)
+Affects: FreeBSD 10.1
+Corrected: 2014-10-11 22:10:39 UTC (stable/10, 10.1-STABLE)
+ 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I. Background
+
+Flow director is an Intel technology to steer incoming packets in application
+aware fashion.
+
+II. Problem Description
+
+Flow director support is not completely/correctly implemented in FreeBSD at
+this time.
+
+III. Impact
+
+Enabling flow director support may cause traffic to land on a wrong RX queue
+of the NIC, resulting in bad or sub-optimal performance on the receive side.
+
+IV. Workaround
+
+No workaround is available, but systems that do not have Intel(R) 82559
+series 10Gb Ethernet Controllers are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:14/ixgbe.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:14/ixgbe.patch.asc
+# gpg --verify ixgbe.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r272967
+releng/10.1/ r287146
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:14.ixgbe.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3NfOAAoJEO1n7NZdz2rnImEP/j4kfmZ2XqZ/zbQINCPfybyU
+oSIgqyD6u4G/hy3gS4k7eLk6tQdUpnYzcoLLfeq0F2uY3DmWXJDBAKG0Bg7QaSzJ
+3wWyZsN6XHkgNNCFGFsmep//8kAAXoAgJ2IoIPLe6eRHimESLtW2xlnow5PFL4Aw
+JMj5B/RoxtQZ/phE1zJym7eSpjVUbBrqhj/KkJUZ0W6WOkaT0GPVctvHlc2buZh7
+6u17LKgZaMMmmCvBNggkYGfiE51aJ9I0n5FdAHvlcaLCw+K58/Q6M2CRpMIorgh6
+uaUHLZdT8VcZ8KVmDdBul0sZ9pkprHZ4J/htEL2mCOpmsRn/lduHAvf921mtX/64
+Msg8bdXM48Q5WCv9sfcmMVgMA+6m+MekKc9wKYWw6Ldy0wcQ874jE+nuh3KBq+6X
+Te4VbxrwuAnspqrnt4Q4NXnqxyElO0BGo6lCSEUGCRje+hlOWG2WhftEV894cRG+
+JCS6YRvX5C7i8+XD+MhvTeAi7pbaZkq6ODxQAOZgbz4JMQFq8ldOgvLdhUndKGlH
+xJ9/pK4u5kxXyVx4HPGm0MYlijjHDi/sSAJADutikpNOzlhyZqubA8LgLoBXtyfF
+/Kk3GYOJvOMSK8QB7YxFRS+zPi1YxAFPEJb7ZV2ygf6RMZpIFoRLFt1kDszo+TeZ
+iKXcFJvlwI49poLiz7Qs
+=i/HZ
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-15:15.pkg.asc b/share/security/advisories/FreeBSD-EN-15:15.pkg.asc
new file mode 100644
index 0000000000..d72ebfef93
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-15:15.pkg.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:15.pkg Errata Notice
+ The FreeBSD Project
+
+Topic: Insufficient check of unsupported pkg(7) signature methods
+
+Category: core
+Module: pkg
+Announced: 2015-08-25
+Credits: Fabian Keil
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-08-19 18:32:36 UTC (stable/10, 10.2-STABLE)
+ 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2)
+ 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2)
+ 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+ 2015-08-19 18:33:25 UTC (stable/9, 9.3-STABLE)
+ 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
+CVE Name: CVE-2015-5676
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I. Background
+
+The pkg(8) utility is the package management tool for FreeBSD. The base
+system includes a pkg(7) bootstrap utility used to install the latest pkg(8)
+utility.
+
+II. Problem Description
+
+When signature_type specified in pkg.conf(5) is set to an unsupported method,
+the pkg(7) bootstrap utility would behave as if signature_type is set to
+"none".
+
+III. Impact
+
+MITM attackers may be able to use this vulnerability and bypass validation,
+installing their own version of pkg(8).
+
+IV. Workaround
+
+No workaround is available, but the default FreeBSD configuration is not
+affected because it uses "fingerprint" method.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:15/pkg.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:15/pkg.patch.asc
+# gpg --verify pkg.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r286936
+releng/9.3/ r287147
+stable/10/ r286935
+releng/10.1/ r287146
+releng/10.2/ r287145
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5676>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:15.pkg.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3NfOAAoJEO1n7NZdz2rnzHwP/30xvOZqHSRYMykrkQKcIVH7
+Vhp0lp1z7KaDBq7xD0m08i2WSr0/pSaBU+At141iSKwvCPS0Szx307kZBO9a8gxw
+j7s6Z15qychKKGukJ5tJtKX4Q3mqAtjBoCC8wmwmJ/YNmr4HrZRL2vFp7nqAiyhl
+ntTcSuwEElBoalufeMHWd46eguRO/r9D8uWw+O7a+lLeJO9ThjnNZXOPyMfUE3Yh
+QoFpVcVdf+j6gIGUuPwNsfy4e6hBNvD0T47+PTBECTykiC1eoX+VXqf8PxKKWSOJ
+50sKgXOtRy55dMtWbXhu5zjq4jzWFWtBPIRHM5SH/7V898S7zMerh81bsczBUqEA
+aBu1XJS1fZHlXKlav6/m/G1Wo4QgscBUsV6PhsFNpFmvAdEW2qjnH887FBm7I/Fv
+a3wvxMmQX1ABPbavFCUZmfS4khLFITYD77XLo8ciu/fyAz/X9n9p1F2EsbL8djis
+TcTuyUVv3YXeq+gJ9OcOH4CFsYSNlKEYiAd86/9DBnsiVrQJqNzqx+roHjL7ZXg6
+AA/pqHmOEBq01idYh7PadOf+B5cU5A1CFMhjfpF1qe1yeuFFM30U7ugxjgV4w85O
+UFotAbyDlftUzeYYTQv2bK6oXzqtVagkhB/xXfQzPK9E3AnysfHA/bLysop7AMyZ
+CHeFaGA84VB1k9Ky5nSv
+=a+Ek
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-15:21.amd64.asc b/share/security/advisories/FreeBSD-SA-15:21.amd64.asc
new file mode 100644
index 0000000000..70d6443ddb
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:21.amd64.asc
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:21.amd64 Security Advisory
+ The FreeBSD Project
+
+Topic: Local privilege escalation in IRET handler
+
+Category: core
+Module: sys_amd64
+Announced: 2015-08-25
+Credits: Konstantin Belousov, Andrew Lutomirski
+Affects: FreeBSD 9.3 and FreeBSD 10.1
+Corrected: 2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE)
+ 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+ 2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE)
+ 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
+CVE Name: CVE-2015-5675
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
+CPU's.
+
+The GS segment CPU register is used by both user processes and the
+kernel to conveniently access state data: 32-bit user processes use the
+register to manage per-thread data, while the kernel uses it to access
+per-processor data.
+
+The return from interrupt (IRET) instruction returns program control
+from an interrupt handler to the interrupted context.
+
+II. Problem Description
+
+If the kernel-mode IRET instruction generates an #SS or #NP exception,
+but the exception handler does not properly ensure that the right GS
+register base for kernel is reloaded, the userland GS segment may be
+used in the context of the kernel exception handler.
+
+III. Impact
+
+By causing an IRET with #SS or #NP exceptions, a local attacker can
+cause the kernel to use an arbitrary GS base, which may allow escalated
+privileges or panic the system.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+And reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc
+# gpg --verify amd64.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r280877
+releng/9.3/ r287147
+stable/10/ r280875
+releng/10.1/ r287146
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5675>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:21.amd64.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rn5ncQANs2pS8xCowX+BM9LmKTUb2Y
+eqGCvDetXV51/ljAOS10ubc4U0Zn2D5ACyz/DfiLIXVK8vkvlnJXFh3jSK6KIqPH
+ionXa8zMedBoytZL8xIEFSpk9+cYGkGupIYEGu6CCHVZGJ5fVgTlnnazuXd4evbt
+U1/7KNWt2H1R1j0YiYZ0MvhrIF35KqFmLOGf2JmZulqruwq91tYeMlv+7IY6vtPD
+L8n5kTM7pudB3qznXd1PBMj1Y6YVG1O3WL4Stfyj93qDuMbJ+wfnao1ZKMBG0az8
+IJITHrnTI+Xd4i/bbEoSmSN9V80S8uo/6J6JaXjtbrJfEqAMKhLrrcoMA7MHpKJQ
+L4dv2HGL1n7xfOIfj5Qo2io/LUSye5lO54LtEKZfjhzqsTtNQl57BDAYZgbQp2/A
+RsngIq3VrNcIJQK8F1Ba7SNL2+NVd091Wb+Z52837R5/D47jD2BhDia5eH6R5Opv
+6kfzTJujbLi6b9RSn0OT+wAQbQ80qSmD+IwMXwAAg0mukthjTiJpqabpMWvMmfGO
+mhfZBGqmf1Hx4lTczSRMLlRCmjOBc+BKioHT2ciE8QMX0WrHhkRuSBqY3euVTCMB
+9+iU7eJ23tARTbG5wMmBNRsWJzhOKieM0UEsXxso+z8tMMX1Vh/e9ls2qm+ks876
+WYT9/yPSsyU1z/AkHJU7
+=nHGY
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-15:22.openssh.asc b/share/security/advisories/FreeBSD-SA-15:22.openssh.asc
new file mode 100644
index 0000000000..4dc3a9dffa
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:22.openssh.asc
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:22.openssh Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSH multiple vulnerabilities
+
+Category: contrib
+Module: openssh
+Announced: 2015-08-25
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-08-25 20:48:44 UTC (stable/10, 10.2-STABLE)
+ 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2)
+ 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2)
+ 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
+ 2015-08-25 20:48:44 UTC (stable/9, 9.3-STABLE)
+ 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+The default FreeBSD OpenSSH configuration has PAM interactive
+authentication enabled.
+
+Privilege separation is a technique in which a program is divided into
+multiple cooperating processes, each with a different task, where each
+process is limited to the specific privileges required to perform that
+specific task, while the privileged parent process acts as an arbiter.
+
+II. Problem Description
+
+A programming error in the privileged monitor process of the sshd(8)
+service may allow the username of an already-authenticated user to be
+overwritten by the unprivileged child process.
+
+A use-after-free error in the privileged monitor process of he sshd(8)
+service may be deterministically triggered by the actions of a
+compromised unprivileged child process.
+
+A use-after-free error in the session multiplexing code in the sshd(8)
+service may result in unintended termination of the connection.
+
+III. Impact
+
+The first bug may allow a remote attacker who a) has already succeeded
+by other means in compromising the unprivileged pre-authentication
+child process and b) has valid credentials to one user on the target
+system to impersonate a different user.
+
+The second bug may allow a remote attacker who has already succeeded
+by other means in compromising the unprivileged pre-authentication
+child process to bypass PAM authentication entirely.
+
+The third bug is not exploitable, but can cause premature termination
+of a multiplexed ssh connection.
+
+IV. Workaround
+
+No workaround is available, but systems where ssh(1) and sshd(8) are
+not used are not vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The sshd(8) service has to be restarted after the update. A reboot
+is recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The sshd(8) service has to be restarted after the update. A reboot
+is recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the sshd(8) daemon, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r287144
+releng/9.3/ r287147
+stable/10/ r287144
+releng/10.1/ r287146
+releng/10.2/ r287145
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:22.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rnxq8P/jW05a6zT9n78wxBuHwRJ9gx
+7+CN9AsezavW4HmZF4GmWt6SjnJqpLDMwnhceo7po6ZMIxjyWwxBWWfvUwVqezwa
+kT+DS7oHKmeZAwCSFMj9K25NN+x7KAwXXiiANcj4U4iU+q0YrcEGVIBKVqCAn3ly
+pJAkMxdTbwlWR7MaPaTMbMenVOs87b6Xx/4gfSBWolFWz9bKfdTYCxK/AnULVIZq
+Q7lShezEvgyCb8b6QLvnrY4AwHtVduiYxnvNKv8ysbaatZCarkRS8nh68zGcdTBg
+IyzG5OEtUFokVkroJaLWFXL1mUp7tgn9+UNd0/53wFN2DTZKw9oTAkKn8xrbbOSa
+xQqYFhsmqsnKlBJMEMaoK9JgGZZ6xOGo3JZ6yrFfYxiZ9xFaR843rOUe0UVrxh+L
++2DmALTyLWSkeqlcg66oKqYKMQuvUyd6VpPL0yHpB0AqBTjKjUmG9RgG8AT5MpqW
+P3weyD0n7rOCBfagofx8MIy15REwjcQSUptarWrMwhJPua95RJ/IAVIIThGrMzZ5
+PxyWDFU7B/56FRlmX5+6mfi/NC60yIyR6lg0trBtuiiEfNV+HWz6QXOIUMYQvvo9
+w8fXSy6MJ12jTFqm0+CXbx2wWEVxAZS/wtLDsa3nf2oGkO3upzFl0/fvsR1dZ/hl
+plo/3SMPpFFbfvIhy2V/
+=2w70
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-15:14/ixgbe.patch b/share/security/patches/EN-15:14/ixgbe.patch
new file mode 100644
index 0000000000..dd65299aa1
--- /dev/null
+++ b/share/security/patches/EN-15:14/ixgbe.patch
@@ -0,0 +1,26 @@
+Index: sys/conf/files
+===================================================================
+--- sys/conf/files (revision 286787)
++++ sys/conf/files (working copy)
+@@ -1704,7 +1704,7 @@ dev/ixgb/if_ixgb.c optional ixgb
+ dev/ixgb/ixgb_ee.c optional ixgb
+ dev/ixgb/ixgb_hw.c optional ixgb
+ dev/ixgbe/ixgbe.c optional ixgbe inet \
+- compile-with "${NORMAL_C} -I$S/dev/ixgbe -DSMP -DIXGBE_FDIR"
++ compile-with "${NORMAL_C} -I$S/dev/ixgbe -DSMP"
+ dev/ixgbe/ixv.c optional ixgbe inet \
+ compile-with "${NORMAL_C} -I$S/dev/ixgbe"
+ dev/ixgbe/ixgbe_phy.c optional ixgbe inet \
+Index: sys/modules/ixgbe/Makefile
+===================================================================
+--- sys/modules/ixgbe/Makefile (revision 286787)
++++ sys/modules/ixgbe/Makefile (working copy)
+@@ -12,7 +12,7 @@ SRCS += ixgbe.c ixv.c
+ SRCS += ixgbe_common.c ixgbe_api.c ixgbe_phy.c ixgbe_mbx.c ixgbe_vf.c
+ SRCS += ixgbe_dcb.c ixgbe_dcb_82598.c ixgbe_dcb_82599.c
+ SRCS += ixgbe_82599.c ixgbe_82598.c ixgbe_x540.c
+-CFLAGS+= -I${.CURDIR}/../../dev/ixgbe -DSMP -DIXGBE_FDIR
++CFLAGS+= -I${.CURDIR}/../../dev/ixgbe -DSMP
+
+ .if !defined(KERNBUILDDIR)
+ .if ${MK_INET_SUPPORT} != "no"
diff --git a/share/security/patches/EN-15:14/ixgbe.patch.asc b/share/security/patches/EN-15:14/ixgbe.patch.asc
new file mode 100644
index 0000000000..fc6891ef17
--- /dev/null
+++ b/share/security/patches/EN-15:14/ixgbe.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAABCgAGBQJV3NfSAAoJEO1n7NZdz2rnwaoP/2b/ter6TOaSERlf0QxN8e9X
+c+aSr9LLLVQG4MtzuYS6mFHp1uDgA4dwFVlSZjXp9ZJBtSt5HWZDzDKO1eaFz9YR
+cY2zCC8Mo3H+KlXrDSBYaT9JCA7fEPTFQKvfDGushRDF6h6AoVoOl7W4IWOhZ+Nk
+SbbvMOBAyVHrevyT8gLBv2+nPeEtv4vvYg5Rq/HqCUW0IkxCFuhvMj30kQBrQYM1
+lOyXOGOC+SqPgeqN6+j9HPI3Fx7xDzPF/I1zThPI+Nvgn9BZRhTT1+Ev+g5MxGNy
+Z3mv4aW2tSJQksDsYa2X0wDl8/yvFhliQwLVmkDp27sf5dVsRqrJZwMwY4r6I8Ej
+JHFoJxyiCqQzfq5dWuBgVuyk1NYPF5GdZLEp7gP1i6Swbn+1kjYBh0HPkJK9VMcZ
+uYlHzEoUoQAbTfxs5N/Am82lT6ljvNvdbU9960Hilb8ObkJNop7vxWc9oNFhud20
+ECJF68Hw6CjjDFywEeY2c479Xs0Shf7sDXBId+RGNvjFXWWRGBV1YXk0w+gsUuUd
+r1P8D7ixy/ZQOPauw61+SC2DS3icMuwmSQamD1pOxmSvK0x+lLNRDK52X93TTA24
+4yvOvh7ePktvZLWWO0y375ZsEWfVnZRpf39rjaEpz/0jwREULkmz1HjipozDRhJn
+4No3c9hi9rwcH/oU0/xd
+=txUl
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-15:15/pkg.patch b/share/security/patches/EN-15:15/pkg.patch
new file mode 100644
index 0000000000..0a8f7f8d2d
--- /dev/null
+++ b/share/security/patches/EN-15:15/pkg.patch
@@ -0,0 +1,34 @@
+Index: usr.sbin/pkg/pkg.c
+===================================================================
+--- usr.sbin/pkg/pkg.c (revision 286787)
++++ usr.sbin/pkg/pkg.c (working copy)
+@@ -749,7 +749,13 @@ bootstrap_pkg(bool force)
+ goto fetchfail;
+
+ if (signature_type != NULL &&
+- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
++ strcasecmp(signature_type, "NONE") != 0) {
++ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
++ warnx("Signature type %s is not supported for "
++ "bootstrapping.", signature_type);
++ goto cleanup;
++ }
++
+ snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
+ getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
+ snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
+@@ -834,7 +840,13 @@ bootstrap_pkg_local(const char *pkgpath, bool forc
+ return (-1);
+ }
+ if (signature_type != NULL &&
+- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
++ strcasecmp(signature_type, "NONE") != 0) {
++ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
++ warnx("Signature type %s is not supported for "
++ "bootstrapping.", signature_type);
++ goto cleanup;
++ }
++
+ snprintf(path, sizeof(path), "%s.sig", pkgpath);
+
+ if ((fd_sig = open(path, O_RDONLY)) == -1) {
diff --git a/share/security/patches/EN-15:15/pkg.patch.asc b/share/security/patches/EN-15:15/pkg.patch.asc
new file mode 100644
index 0000000000..3c5c1ab5b2
--- /dev/null
+++ b/share/security/patches/EN-15:15/pkg.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAABCgAGBQJV3NfSAAoJEO1n7NZdz2rnghsP/3LVlVtT+vCVLMrVcy2gZ2q8
+y9BICtPx2M2PRR9JOPBjD+DrcOZV9QrCX5FLvPmBDvFSMgGp+1EvZP9r/DFOngJ4
+B1+enlcBl48FoK6UmWhvScvDywH7wRoBFIh9HeSP+z6HXhYhDXpyS9XGiBXcTYFA
+QEAJOa+gdiA1trhgYZZpI3EQ/SzB/D2MiBZPGqtCgmL50lWRJS6Q79EYi11sPSoF
+Lovjipxp3FYrlFODsB1iBFReXC8E1k8s+peXJFZfFAM+HUh2YAXFhYnJ1Bleq8Jb
+zNox48EF7d4dXgFZVBAqgxpmuvVVpCsVWrZikLLcCzspIoKF1+F8+ZNyCDvfhSOm
+tWFH1NjE14U4NvF1ratwfSFSOogVyUrYSr0s2n3EWhmp2V5I4Q8Zz43GPVk6z/Qm
+LXInkYPVE6mI1l08MhW2EMJTNmp2euXgzorb/JVO01Zj5XGobB9C4XA5+3/AWu0P
+xKRfYp52z4rwX8w3RnzTM5L7l1uLm9LPlSis3rsZJvgpE2UHLpgahAgNMlGzYzQT
+M0cj0h/E2xfvrUYkrW9l35NOsZZ5Q0Ox4ft59ua3QZm8RxUKcWdaAf2fy0t1F53u
+YdA1bMVWFInVYYGwS/qrNj9yjoJcAa8E2v06McWyCZ8J2Tx3Gj50oWcebmiJtLxO
+RA9lcL+X6yPGHCROPmng
+=6SMS
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:21/amd64.patch b/share/security/patches/SA-15:21/amd64.patch
new file mode 100644
index 0000000000..13e62f68a6
--- /dev/null
+++ b/share/security/patches/SA-15:21/amd64.patch
@@ -0,0 +1,53 @@
+Index: sys/amd64/amd64/exception.S
+===================================================================
+--- sys/amd64/amd64/exception.S (revision 286969)
++++ sys/amd64/amd64/exception.S (working copy)
+@@ -154,9 +154,13 @@ IDTVEC(xmm)
+ IDTVEC(tss)
+ TRAP_ERR(T_TSSFLT)
+ IDTVEC(missing)
+- TRAP_ERR(T_SEGNPFLT)
++ subq $TF_ERR,%rsp
++ movl $T_SEGNPFLT,TF_TRAPNO(%rsp)
++ jmp prot_addrf
+ IDTVEC(stk)
+- TRAP_ERR(T_STKFLT)
++ subq $TF_ERR,%rsp
++ movl $T_STKFLT,TF_TRAPNO(%rsp)
++ jmp prot_addrf
+ IDTVEC(align)
+ TRAP_ERR(T_ALIGNFLT)
+
+@@ -319,6 +323,7 @@ IDTVEC(page)
+ IDTVEC(prot)
+ subq $TF_ERR,%rsp
+ movl $T_PROTFLT,TF_TRAPNO(%rsp)
++prot_addrf:
+ movq $0,TF_ADDR(%rsp)
+ movq %rdi,TF_RDI(%rsp) /* free up a GP register */
+ leaq doreti_iret(%rip),%rdi
+Index: sys/amd64/amd64/machdep.c
+===================================================================
+--- sys/amd64/amd64/machdep.c (revision 286969)
++++ sys/amd64/amd64/machdep.c (working copy)
+@@ -428,6 +428,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *
+ regs->tf_rflags &= ~(PSL_T | PSL_D);
+ regs->tf_cs = _ucodesel;
+ regs->tf_ds = _udatasel;
++ regs->tf_ss = _udatasel;
+ regs->tf_es = _udatasel;
+ regs->tf_fs = _ufssel;
+ regs->tf_gs = _ugssel;
+Index: sys/amd64/amd64/trap.c
+===================================================================
+--- sys/amd64/amd64/trap.c (revision 286969)
++++ sys/amd64/amd64/trap.c (working copy)
+@@ -473,8 +473,6 @@ trap(struct trapframe *frame)
+ goto out;
+
+ case T_STKFLT: /* stack fault */
+- break;
+-
+ case T_PROTFLT: /* general protection fault */
+ case T_SEGNPFLT: /* segment not present fault */
+ if (td->td_intr_nesting_level != 0)
diff --git a/share/security/patches/SA-15:21/amd64.patch.asc b/share/security/patches/SA-15:21/amd64.patch.asc
new file mode 100644
index 0000000000..2aea37e4f7
--- /dev/null
+++ b/share/security/patches/SA-15:21/amd64.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAABCgAGBQJV3Ne1AAoJEO1n7NZdz2rnwuYP/i6fWwcpTVRtC9Fi9IDv6crB
+gTpiDC5oNLxBBk3INWkt03oBL5WenM48/fiIZ4/qICWZEaEGMWALsLhIjC1uE6z1
+6cZHUA4zUr9Fnx7YhwGMXeLugTPbjHDTKheKdiebjZ3xU8LNp7h4TcanPBSB4rM1
+6qhJLki9EIfHqLTJa0MXR7T0xOBUvd9337NgN99kYpE9R22h+Fl4UXLpJfkS5/zn
+i9RsqFCTK4iD5f0BCGvPVK+m2mDAIuedgoYNQxAdeiZ8SjeObDeXX27Po0pcK2V7
+mK7gaYrwFiHlVjgxenR+TKYoWGKl3OV6x9lmy2V11xuCIIXHU8umlNG2zBlEK8Da
+b7Dk+9Wmsoz5LspQORYWMHjLs6H0Q18udhztzlzlJHE1XZ9O3idV5dBxh3WrYzU4
+Yh3iWRTJiCp34dR98xSePhOq6FHw/jJcRH8M6MXus47Ssf32CvToLBFbfio6T2U5
+lQ6yLWIBrnl5WyGBtwNSGEzEWMgfvjU7PL2LEt5xnLR8F7+nQvysAXlt9MfTAexT
++Jrn44Sc5dy/mK5d7Tmxpo1VQ9rqI1Msn+5TW0p4/aG7/XnQruwzN8QVwAOajgQt
+cxZ0RmvV+8iLCAmvRuJszYqbo+VkRC2PtTWHmNjCwddYAawC+Rg9m2an/pJQaH/d
+0YB0zGqhLzGJV9L2+uem
+=7Eoy
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:22/openssh.patch b/share/security/patches/SA-15:22/openssh.patch
new file mode 100644
index 0000000000..0171f47102
--- /dev/null
+++ b/share/security/patches/SA-15:22/openssh.patch
@@ -0,0 +1,68 @@
+Index: crypto/openssh/monitor.c
+===================================================================
+--- crypto/openssh/monitor.c (revision 286787)
++++ crypto/openssh/monitor.c (working copy)
+@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
+Index: crypto/openssh/monitor_wrap.c
+===================================================================
+--- crypto/openssh/monitor_wrap.c (revision 286787)
++++ crypto/openssh/monitor_wrap.c (working copy)
+@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+Index: crypto/openssh/mux.c
+===================================================================
+--- crypto/openssh/mux.c (revision 286787)
++++ crypto/openssh/mux.c (working copy)
+@@ -635,7 +635,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer
+ u_int lport, cport;
+ int i, ret = 0, freefwd = 1;
+
+- fwd.listen_host = fwd.connect_host = NULL;
++ memset(&fwd, 0, sizeof(fwd));
++
+ if (buffer_get_int_ret(&ftype, m) != 0 ||
+ (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
+ buffer_get_int_ret(&lport, m) != 0 ||
+@@ -785,7 +786,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffe
+ int i, listen_port, ret = 0;
+ u_int lport, cport;
+
+- fwd.listen_host = fwd.connect_host = NULL;
++ memset(&fwd, 0, sizeof(fwd));
++
+ if (buffer_get_int_ret(&ftype, m) != 0 ||
+ (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
+ buffer_get_int_ret(&lport, m) != 0 ||
diff --git a/share/security/patches/SA-15:22/openssh.patch.asc b/share/security/patches/SA-15:22/openssh.patch.asc
new file mode 100644
index 0000000000..8cceaac74d
--- /dev/null
+++ b/share/security/patches/SA-15:22/openssh.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.7 (FreeBSD)
+
+iQIcBAABCgAGBQJV3Ne1AAoJEO1n7NZdz2rnaD4P/27Y0Bd6TwsCXR33YG8bmmpO
+ASZxD1GyWFqZyTIrPw+gBN2SkfxROnjMSq5/RfbAgbTthQYEQ+vu7aX4rbpuGQ3E
+5nK1IJlCS9abr84QWOxFXuDtBrLuYhb4WRmMNpGANfmA+ZtKap7fNkdLsU5XYnGf
+wftLAWPtUF1GxPPFcc9NZdXyOePg4UcfTFqfPkHmdeEPSLlOhkCHv4ZtuWPg4VMB
+++uEZCAS+U1Ky4NIKaGmE9lO5x9LWzQnXzluLXHPAAnMxi4uTLs4DFocGgLR9Xvv
+NftlvAzJuQWzIAr5Tp/5YB24nqJB+qAMNwwmSMvsL2MFDI4Zepqq3o0Ss4xAPOjU
+taBDNow1+S/tLPH2jtF3hu/DP2H8HkSm5UqNWrHP8vS4UXqlXIofjaA5mTddtGLK
+FXc6C+NQ2G7bqgw+g5kiO+XH3gYBMxJtuRyBCIekeBAtIISoevz/V+ejFdTE0EFP
+MuvC4HWhSttdTJkdC74+WdcNWqpQ14iHwdrlY8Gazv9wQz/iwonZO7pzE+lea+j3
+f+e/2dyQLXxEIxrfGRRZljuekbvLnEn+DUSV9mExpNP60ZvRBKyVOBDcnteP3VhY
+4LAMaSFzE7kgPuhaLBfzecEFDd06Eiz7LEd4HesXVqpKBP1fBOevfAxW8Izidg/1
+/t/RV1/NkgKrKgNBkO97
+=ZQpd
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index b53285109b..b80f62305c 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -11,6 +11,18 @@
<name>8</name>
<day>
+ <name>25</name>
+
+ <advisory>
+ <name>FreeBSD-SA-15:22.openssh</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-15:21.amd64</name>
+ </advisory>
+ </day>
+
+ <day>
<name>18</name>
<advisory>
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index b638c913ee..9e292abd6b 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -11,6 +11,18 @@
<name>8</name>
<day>
+ <name>25</name>
+
+ <notice>
+ <name>FreeBSD-EN-15:15.pkg</name>
+ </notice>
+
+ <notice>
+ <name>FreeBSD-EN-15:14.ixgbe</name>
+ </notice>
+ </day>
+
+ <day>
<name>18</name>
<notice>