author | Xin LI <delphij@FreeBSD.org> | 2014-01-14 19:57:49 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2014-01-14 19:57:49 +0000 |
commit | dcb9c59cc230c67c4b8743c52c86d74b7320deb4 (patch) | |
tree | 2bee7a6bddc866019c4c10f02058b7ab21021102 | |
parent | 1d54309d429a40f9944f9fcc7f85153db094f18a (diff) | |
Add 4 latest advisories and 2 latest errata notices:
Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
Fix ntpd distributed reflection Denial of Service vulnerability.
[SA-14:02]
Fix OpenSSL multiple vulnerabilities. [SA-14:03]
Fix BIND remote denial of service vulnerability. [SA-14:04]
Disable hardware RNGs by default. [EN-14:01]
Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
Notes:
svn path=/head/; revision=43519
26 files changed, 1369 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-14:01.random.asc b/share/security/advisories/FreeBSD-EN-14:01.random.asc new file mode 100644 index 0000000000..dca12523ee --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:01.random.asc 
@@ -0,0 +1,142 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:01.random Errata Notice + The FreeBSD Project + +Topic: /dev/random should not make direct usage of hardware RNG + +Category: core +Module: random +Announced: 2014-01-14 +Affects: All versions of FreeBSD prior to 10.0-BETA1 +Corrected: 2014-01-14 19:27:42 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:27:42 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The random(4) and urandom(4) devices return an endless supply of pseudo-random +bytes when read. Cryptographic algorithms often depend on the secrecy of these +pseudo-random values for security. + +Yarrow is a secure pseudo-random number generator that combines entropy from +several entropy sources, mitigating a possible attack when someone could +predict the output when they are able to intercept one or more of the +entropy sources + +II. Problem Description + +When a hardware RNG exists, the FreeBSD random(4) and urandom(4) devices +would use their output directly. + +III. Impact + +Someone who has control over these hardware RNGs would be able to +predicate the output from random(4) and urandom(4) devices and may be able +to reveal unique keys that are used to encrypt data. + +IV. Workaround + +Disable the hardware RNGs by adding the following settings to /boot/loader.conf +and reboot the system: + +hw.nehemiah_rng_enable=0 +hw.ivy_rng_enable=0 + +V. 
Solution + +Hardware RNGs would be disabled by default with this errata notice. They +can be re-enabled by setting the corresponding loader tunables to non-zero +value. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.2 and 8.4] +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch.asc +# gpg --verify random-9.2-8.4.patch.asc + +[FreeBSD 9.1] +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch.asc +# gpg --verify random-9.1.patch.asc + +[FreeBSD 8.3] +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch +# fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch.asc +# gpg --verify random-8.3.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260644 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260644 +releng/9.1/ r260647 +releng/9.2/ r260647 +- ------------------------------------------------------------------------- + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:01.random.asc + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZSoAAoJEO1n7NZdz2rnZcgP/3ITOg59t4PmOg2vUrlMsf35 +jVDZojqeu+XgDepYi37HJVB6pHSWusYoI59YP6O2N1n15W34Bp91Vcthofyr+jgx +7Guz+DXOqZy1yxGMSGkAl0hIrksszqp5kAADy4f1NMkFmvc2+8dXW1xmxYpDHrkG +d/alEeK0LuFgWXYnnrea3x/aWqEVVR+/YhCbk8FTD01Q4zqtfacIDfNL+gLf4Mhx +gNO1HSHmvS4GEF1gawtHzY4i6rGX9e4LgxKSEKSMUXfl1WUfnD5f62z9FB1UN1Js +EfVniP2ZN2ojAzoVWfiX5WDhpMA/KZpdTSLF+zOM1/Tr+7+N7WTYftL6nHy/HSj8 +LmsIZnSE4F7F2hFlZu7PPwGzaIj/rYk5tRzw3nTIoIwVoLbvbevzCrl0rIocq2CK +Sm5WV2qvMuWB+ZK2ZuzCIxAj6/fuLbUIBHmHd2VFfxWXcSwoK/cW3pFPMDyHKtJJ +ccocT7kXeHHtnSqzvSN1j1XFZsWdojbYU7HSU8QmiilG3ESvgrzZAKh7V+hC/aF/ +TE0Xhaip8X/sOt1NnjHGs8XzA3w7wUukssz2V7gRdarSS7c/+mU23pajLknQ4eiB +l3g8z/iX4jPuL8e0sn9GUCXVtTZIXWGl9hSilWeYk6tEihhlf/gVhY6ldCwSoZjr +U6gPf7bQn/NzE7wSUaQD +=viar +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-14:02.mmap.asc b/share/security/advisories/FreeBSD-EN-14:02.mmap.asc new file mode 100644 index 0000000000..fa61742172 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:02.mmap.asc 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:02.mmap Errata Notice + The FreeBSD Project + +Topic: mmap should not coalesce stack entry + +Category: core +Module: kernel +Announced: 2014-01-14 +Credits: Konstantin Belousov +Affects: All supported versions of FreeBSD. +Corrected: 2013-12-30 08:57:54 UTC (stable/10, 10.0-PRERELEASE) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC4) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC3-p1) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC2-p1) + 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC1-p1) + 2013-12-30 09:04:06 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:33:28 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The FreeBSD virtual memory system allows growing stack by mapping anonymous +memory region on top of a stack via mmap(2) system call with MAP_STACK bit +enabled in flags parameter. + +II. Problem Description + +The FreeBSD virtual memory system tries to coalesce adjacent memory regions +into one single object when possible. When growing the stack via mmap(2), it +will also try to coalesce the newly allocated memory into the existing object. +This would result in a failed assertion later in vm_map_stack(), which expects +that a new object is returned. + +III. Impact + +The system will panic when this happens. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch +# fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch.asc +# gpg --verify mmap.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260645 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260082 +releng/9.1/ r260647 +releng/9.2/ r260647 +stable/10/ r260081 +releng/10.0/ r260122 +- ------------------------------------------------------------------------- + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:02.mmap.asc + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZSuAAoJEO1n7NZdz2rnsPoQAIFs/URebviZjkMpYJBTahwe +Lr50uJSZIlW2nMvi+urLJAB15fJm/WHDdHqp6+WHh5jjCozb45CoIxDFnP5UB4q8 +oclsQtKrt4R1dBDEa3RZQoJEm6DIk1YhfAfUtJMhDpROlvWCbBMzZWJbVQec5j3E +iyhY1FIl/BD4KWFw/hDhJX5j4HQWA/oZDagx5WZFMsFapq5rOXkC/fq3YHkTJBeW +7YEvAyTuZoj9zBVJ28cEYr7+ULtJMphBdTEzAhFZSEegsM+qyMafTf2c54MdtWR0 +pSgoh9i+cSXj444e4eeqLp6LwapW5YGIrKpAmBUwTECBg5F5915i2h8ddCnmJJSM +4Wq7bXJU6PGzFXTDUsAw9HB2HcCMU2EvVNhtM3wp7dSzojLpvrgEoRZKwanu32r1 +cuN/awHUGA1fzoUkxMygzT5B44IX+9gyT8lJ4N+PfKGnSO00WY41XkLheDmpgf2b +euDrzTSwbupEp70lT45CW6DUlqPXpw0Fn5vyNYBvoaAXineqyvwMkQ6YZwoNmfiU +xv2zjY40RkOR8EJKi8L1moBQsfh/i6rtVQhDIHmAU/1VaYBE4zVXS5BYAlUaUJgw +3rc5ho+F2BB+YV+HeaWszjW+NVhiIswpccw4Js7O2HQUA9M2KEq2+DXRtNdEa8/j +miG/hWqsuoWjAcrQKjKw +=rOvi +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc b/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc new file mode 100644 index 0000000000..b7ec76cf6f --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-14:01.bsnmpd.asc 
@@ -0,0 +1,141 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:01.bsnmpd Security Advisory + The FreeBSD Project + +Topic: bsnmpd remote denial of service vulnerability + +Category: contrib +Module: bsnmp +Announced: 2014-01-14 +Credits: Dirk Meyer +Affects: All supported versions of FreeBSD. +Corrected: 2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1) + 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1) + 2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2014-1452 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP +(Simple Network Management Protocol). + +II. Problem Description + +The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it +has received a specifically crafted GETBULK PDU request. + +III. Impact + +This issue could be exploited to execute arbitrary code in the context of +the service daemon, or crash the service daemon, causing a denial-of-service. + +IV. Workaround + +No workaround is available, but systems not running bsnmpd(8) are not +vulnerable. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch +# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc +# gpg --verify bsnmpd.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the bsnmpd(8) daemons, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260642 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260642 +releng/9.1/ r260647 +releng/9.2/ r260647 +stable/10/ r260638 +releng/10.0/ r260640 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<other info on vulnerability> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1452> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:01.bsnmpd.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZS6AAoJEO1n7NZdz2rnDXwP/1iQmuO8VLjZoD3LMpiHyA/i +YgwjX5x9XT2MyVrRmu+nHaCG3ZDC4/IV72/jCzV8udQJ1RF6Aswhuk6mXI7oatol +OYF27JnRVAJQjAvXw3zMsp4hLv631TvgO1Az1vK7f1pX8bDC/eBTaiCH7I6QBYGS +E4Fsi2MwOWIRyglTjlFSL8Wb2yQmzkKCx/EVFF/6mRC7l3a9pkHf5VKQtut1KYFu +5QF5cG5anur4daP4w45yWsl0qkRDO5mJdpD+S3NtzydluWzz/Dk/0laS5wB+LLzV +cXC5/GR/acQhO+MvDIDT4Emra2OXzsheEahOJhLKHsBF8pHBi5IldkVwQmme76/g +aR1gLSFJ5LYcpAgBQgeWKXXCAol5zNRCR8v8IBnV2+rYRSrIdl5lstgVmla++xJD ++bC7PbTqcLlyFGrMEvd/mAvX1PVa9BVYtaxXA5QZq5EHP7nsKotcAk7/kouVfmao +Gdxlt7YjRic6D/WqF8RFiQv9ezpbEnMQ1BwOCSUEJasXlyxJXYA6vva7tyM3OmyD +c2I9JLeV8aCUgIf3s+HoGcZhz01kmu9REQ/OEDtiN8kX94WOzpectf8V5g+JnxRd +HoOfcvrChohL4nla+3RvG1LJo5KD5N09yHnV2y3LjxTdKu9Hw4ATzFwmPmEUqUfG +eF12aO4PVp42wYWNHtGe +=xZTc +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc b/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc new file mode 100644 index 0000000000..30b6038cf0 --- /dev/null 
+++ b/share/security/advisories/FreeBSD-SA-14:02.ntpd.asc 
@@ -0,0 +1,167 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:02.ntpd Security Advisory + The FreeBSD Project + +Topic: ntpd distributed reflection Denial of Service vulnerability + +Category: contrib +Module: ntpd +Announced: 2014-01-14 +Affects: All supported versions of FreeBSD. +Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1) + 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1) + 2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2013-5211 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) +used to synchronize the time of a computer system to a reference time +source. + +II. Problem Description + +The ntpd(8) daemon supports a query 'monlist' which provides a history of +recent NTP clients without any authentication. + +III. Impact + +An attacker can send 'monlist' queries and use that as an amplification of +a reflection attack. + +IV. Workaround + +The administrator can implement one of the following possible workarounds +to mitigate the attack: + +1) Restrict access to ntpd(8). 
This can be done by adding the following +lines to /etc/ntp.conf: + +restrict -4 default nomodify nopeer noquery notrap +restrict -6 default nomodify nopeer noquery notrap +restrict 127.0.0.1 +restrict -6 ::1 +restrict 127.127.1.0 + +And restart the ntpd(8) daemon. Time service is not affected and the +administrator can still perform queries from local host. + +2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to +restrict which systems can access ntpd(8). + +3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or +newer) + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch +# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc +# gpg --verify ntpd.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the ntpd(8) daemon, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Note that the patch would disable monitoring features of ntpd(8) daemon +by default. If the feature is desirable, the administrator can choose +to enable it and firewall access to ntpd(8) service. + +VI. 
Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260641 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260641 +releng/9.1/ r260647 +releng/9.2/ r260647 +stable/10/ r260639 +releng/10.0/ r260641 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks> + +<URL:https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks> + +<URL:http://bugs.ntp.org/show_bug.cgi?id=1532> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:02.ntpd.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTLAAoJEO1n7NZdz2rnn7YP/2DcBtR4LAlMLqa9t8WsFVrD +zrfmitYv5xZ6TUGURfQ3mhF4Xv+vSaYt5AWphBjo/Um+dZLTrX3NXJyjLWenCFZ1 +vUgoeT4czdh/sWXBO+BdahswttJ6uPO0ZPeW/TpczHMrfG++r6FZtcavYj1gWUPX +rQUEh3IRT5MzzcdiIdQFOpi6OeOP7hem5pNOqYwjyy4L4wrgIUetaMpvqXgi2Wa+ +R2vqQNpFAPxKkMkbohLEPRmEK9dXGXejQ7EHFK5jzxInyg32WGFPkJ46bLw3bEsB +sIoh+sxQ3J9mxyaykhX6T7U7PUkzBaNSs62bQE5H8695E30obnZqtfon6qBP5UCT +/kF1+42RIQIPJUFS22NXaUJVOkpd2zyVhwLxgCHg96PHwd1VAC0bnuB4CQt8lN2C +vcOsFcq6CUpMuteURBeiETb0OGWTTT3gyX4T7N4kRKptvmEVUKxZPnmfJCwNHM2I +TzM2HbHaBv9CMIy5X4iDQxLH3w3tSh+IHU6m9cN5rd6JDTa5DQEuRkhaeVbCGHRt +EcSHvUCr+llacITA2rkm1/KPcP97nGgbbM2QbbUVZ/vkdEcImPfrBzrBbaoBzf5p 
+FTplhJ/4bfF0/Kgt5GTNgQXqtIuEQOs+ljNu2HW+cAfX2Hizlo7jjfMxS0y7/fY2 +hBdg8zuXs/rBI2LKUcP6 +=7q6W +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:03.openssl.asc b/share/security/advisories/FreeBSD-SA-14:03.openssl.asc new file mode 100644 index 0000000000..6c61df8754 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-14:03.openssl.asc 
@@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:03.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL multiple vulnerabilities + +Category: contrib +Module: openssl +Announced: 2014-01-14 +Affects: FreeBSD 10.0 prior to 10.0-RC5 +Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1) + 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1) +CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL +pointer exception. [CVE-2013-4353] + +A flaw in DTLS handling can cause an application using OpenSSL and DTLS to +crash. [CVE-2013-6450] + +A flaw in OpenSSL can cause an application using OpenSSL to crash when using +TLS version 1.2. [CVE-2013-6449] + +III. Impact + +An attacker can send a specifically crafted packet that could cause an OpenSSL +enabled application to crash, resulting in a Denial of Service. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch +# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r260404 +releng/10.0/ r260405 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353> +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449> +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTSAAoJEO1n7NZdz2rnHboP/Ryb4a9ENJ7J/S00E8V1YToh +hihrCKssMl6GVltS4oeyAmAW+mDx3DZy+RmAEhgjyAX4gpAxcY/g665j5BMtWAtV +LLJTI9D6ynO7+2y8CeD3W7tk28hNtBPWSV+cGi7USQMKijs6euPocgTU7TnAuF/e +/jcDTn8Sx/Sq0d3ecTWFBOcPHiq5sm/3pW5B1RVxY9DL+zhQ7T/Rb6pgfp6trssM +p8dklzoBReHqs1iPUC4RyhWXOoQoq5VX500b9SHh2X/7eBSq1ab76VF3x+9VOpjj +VRxL9sdkmp+iaVfMHxms3vCLSDlmpgYpq5SftL3jgkequPCpU6NFQGFQKw2crdL0 +NY7dDPjMuvDzzdG7BZtt1mjpRMMMGmZ7fK0myP0+a3YbXEEZeAGT6k07er/xkGCr +uTWyPNM4g3Ulwkfnz60TbFrdMdiCJbRVC9xxOkGEALe882v0WWGPhx9IVbT3dGVw +KGFOXM+IqF55JuaHQ0u/B4wrjBfgBSgOt90TDyMJ5rPjiKG9wyUWnn7QziAVJQ0M +0H/82/2cxNX5+efWNi7xhss2fs1zcU3kiyr135mqamgOQyPG8jFOF7RhdpeGfzVk +ollQG+y1uwVTAWhmVb4MSaAuJw8ixVuap73Rbyug+MuKRLgR2jSxHFiBeiHLA1eG +1+DWJPX0+/zoNakLiw+r +=YOCY +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:04.bind.asc b/share/security/advisories/FreeBSD-SA-14:04.bind.asc new file mode 100644 index 0000000000..a0071db1e8 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-14:04.bind.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:04.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote denial of service vulnerability + +Category: contrib +Module: bind +Announced: 2014-01-14 +Credits: ISC +Affects: FreeBSD 8.x and FreeBSD 9.x +Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2014-0591 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +Because of a defect in handling queries for NSEC3-signed zones, BIND can +crash with an "INSIST" failure in name.c when processing queries possessing +certain properties. This issue only affects authoritative nameservers with +at least one NSEC3-signed zone. Recursive-only servers are not at risk. + +III. Impact + +An attacker who can send a specially crafted query could cause named(8) +to crash, resulting in a denial of service. + +IV. Workaround + +No workaround is available, but systems not running authoritative DNS service +with at least one NSEC3-signed zone using named(8) are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc +# gpg --verify bind-release.patch.asc + +[FreeBSD 9.2-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc +# gpg --verify bind-stable-9.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260646 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260646 +releng/9.1/ r260647 +releng/9.2/ r260647 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://kb.isc.org/article/AA-01078> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG +ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO +XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg +ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG +9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5 +fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua +OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb +zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag +Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm +067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq +7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO +UWWemqWuz3lAZuORQ9KX +=OQzQ +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:01/random-8.3.patch b/share/security/patches/EN-14:01/random-8.3.patch new file mode 100644 index 0000000000..af1cd1c60d --- /dev/null +++ b/share/security/patches/EN-14:01/random-8.3.patch 
@@ -0,0 +1,27 @@ +Index: sys/dev/random/probe.c +=================================================================== +--- sys/dev/random/probe.c (revision 260523) ++++ sys/dev/random/probe.c (working copy) +@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); + + #include <sys/types.h> + #include <sys/param.h> ++#include <sys/systm.h> ++#include <sys/kernel.h> + #include <sys/malloc.h> + #include <sys/random.h> + #include <sys/selinfo.h> +@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat + /* Then go looking for hardware */ + #if defined(__i386__) && !defined(PC98) + if (via_feature_rng & VIA_HAS_RNG) { +- *systat = random_nehemiah; ++ int enable; ++ ++ enable = 0; ++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); ++ if (enable) ++ *systat = random_nehemiah; + } + #endif + } diff --git a/share/security/patches/EN-14:01/random-8.3.patch.asc b/share/security/patches/EN-14:01/random-8.3.patch.asc new file mode 100644 index 0000000000..da72b4fc15 --- /dev/null +++ b/share/security/patches/EN-14:01/random-8.3.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnCokP/16qEQ9ziJdRpMQ8YMbr19AC +GcUpad5oEXoUu7qvOykIFj1ATcXE71jE48ypyeVwpme/szQMUvWAjPp9P+lYb78l +ByVukT7Ajs7fcO8uq5f4T0MPN/zG00qNsSpGtlcM68mm4aYLnlfvYjv8Da6GPALy +dd5FE1YxZDnTT5aBpjsGVoj864I6PwehXhbH3FmehOK/vnpUYrgHKTzY9zaUZ5+t +AGw/fzRsOHislwC8rw0AyC6Ky7Du2tQKjur73PaUXz329EZzFoK8J2eHcRExVWvJ +A2zgwI7Y6gZUyJFhX8qcQs4JWxxPBoBQp+aKLkJXhW9U/GsEAVD3KaFAwZfjhOVm +l/fg5XUMPpifGSsQKnoOFGjO0597JBOD5oznwQIg+b780JpsZ4Hmk7XJhXq9+s2G +qBKIogXJG6mKBnx3qt0nlkd3UjS7QSnPMSmplCOoEUORwCMRfLFM0qb+P1d8ycGL +mP7f3ivEg/rUQjhBRbCQyi/+CF6qhVHm1AdA081RSEVlPuDIRAywvcfjKnnOuhbG +yf5AVIpwHwkoLn7qugECH4muTIPiHPFTgWK3qhI3oZfZDOCFZwi9Ognb6eg8qMtP +aEPmTMujVERBc3FXEnjB5VZZSzOwJLm/NI0jW5y3XY/VQhJSaE1hM9qYywqgviXz +g36p0LxezweK/mmxttVA +=jEbX +-----END PGP SIGNATURE----- 
diff --git a/share/security/patches/EN-14:01/random-9.1.patch b/share/security/patches/EN-14:01/random-9.1.patch new file mode 100644 index 0000000000..bb3caba001 --- /dev/null +++ b/share/security/patches/EN-14:01/random-9.1.patch @@ -0,0 +1,27 @@ +Index: sys/dev/random/probe.c +=================================================================== +--- sys/dev/random/probe.c (revision 260523) ++++ sys/dev/random/probe.c (working copy) +@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); + + #include <sys/types.h> + #include <sys/param.h> ++#include <sys/systm.h> ++#include <sys/kernel.h> + #include <sys/malloc.h> + #include <sys/random.h> + #include <sys/selinfo.h> +@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat + /* Then go looking for hardware */ + #if defined(__amd64__) || (defined(__i386__) && !defined(PC98)) + if (via_feature_rng & VIA_HAS_RNG) { +- *systat = random_nehemiah; ++ int enable; ++ ++ enable = 0; ++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); ++ if (enable) ++ *systat = random_nehemiah; + } + #endif + } diff --git a/share/security/patches/EN-14:01/random-9.1.patch.asc b/share/security/patches/EN-14:01/random-9.1.patch.asc new file mode 100644 index 0000000000..fc7999b93f --- /dev/null +++ b/share/security/patches/EN-14:01/random-9.1.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnhsAQALF5Gk7QtodIM06xOd0IAcUk +6y8N6s3gHxYhAyv5Af+y2yFTikfYu/yMYxIDbtgszcS+aB2y9b2+aVKwcNUkpiEr +mle+RAVGXPBQ9V7ieFLvMn7HC4PW1uPkFsiqOzu3KXACr2onlq1Jbbw4z6FeAyfa +2PvMTOFZrVNrHmkrjTKBwj+/jYcdHejb7OA0ckbiVgIXBRxftzVjKkVUTw+2ewZy +l73s1/wPRYlqESDOGVNpO/mm1W0zbcllfgxcbBPk3ukSuatNQVIVXEZRfb7Ti2FK +2CXTKbmaqrKPPxzpEkgbPXeOQ7kJ4th93gCbJV1i7uxyHvUo1Kodph0vKBKEiZmt +l+rwmqXD+Zm5JvoBDVXUsYi3DO3+Wi5rLMkzZFFzwsYJbHed+8TD4fLWTti6kLEs +CBQnUceBy4BKUTBj3STEjBBvFdd6Ri6Vdo0kN6Bjr/DuXqzLNyI/aLu6LmNgC3Fp +c3/P4Xp1fTYFVEpjKzc6kG2fUDZVwN+XEDFy6BuD/Hgj2MtmJ4JY4iKWu/P/MlBq +qI9K40rcMx4uMi9ffOC3v6uUHvqmK00FANz8GDIrpqeZEyMThd7yV8gmnBPRp47k +H1IbOqGB1ovaZS92wgiPKxU6SMjP9z7klGaWN+dr7NkGB3/54MwoqyPOKRpaVMcI +dYR/h4NDtwDgJqsuq+rH +=FCsi +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:01/random-9.2-8.4.patch b/share/security/patches/EN-14:01/random-9.2-8.4.patch new file mode 100644 index 0000000000..995ee7aff7 --- /dev/null +++ b/share/security/patches/EN-14:01/random-9.2-8.4.patch @@ -0,0 +1,22 @@ +Index: sys/dev/random/probe.c +=================================================================== +--- sys/dev/random/probe.c (revision 259661) ++++ sys/dev/random/probe.c (working copy) +@@ -73,7 +73,7 @@ + if (via_feature_rng & VIA_HAS_RNG) { + int enable; + +- enable = 1; ++ enable = 0; + TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); + if (enable) + *systat = random_nehemiah; +@@ -83,7 +83,7 @@ + if (cpu_feature2 & CPUID2_RDRAND) { + int enable; + +- enable = 1; ++ enable = 0; + TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable); + if (enable) + *systat = random_ivy; diff --git a/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc b/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc new file mode 100644 index 0000000000..7ee07e42fa --- /dev/null +++ b/share/security/patches/EN-14:01/random-9.2-8.4.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnODkQANga1UgaW4k2SA8SKLmGtRsO +DWo/fqJ12DneoN0cxxgqgUFzB90Cdj1Qrece2Oj6lrD/A8wNfHzB78CE/yCqlEwg +YCK5Ca8ajUS6MgBT9lwRslF6HFp0I11QAe1jb16gC7NpZFG5pCTkLTdj5wWC2qQX +rHgyVDNj6cveRiBhHt8NsPOLqRTIkxTBjZ6Tzn235erM/0ZCj8M57TYCWpTg9PHY +YtM71DDjpN6oaZG49ggAK7Gp+6Ny7jKexG/a81PxR0A+KsqPPqd5v8eRfq1VHhKe +l7MS+R8cTCBeGg195BY65trQdnA1R92tjwJ/ISFrfDMDoOmmm8TazGhP9Wh4JuM4 +bp6ZenKEwyZat0qcJy/omnfwcf4yHf9O/kAtyqzMQikLWG/ucMVHaJBdsoU5uSI4 +enfVxyOI3ASpZUeMwV97k/hLuJiMcPw175hRtOftsLWYK85mb8Ps9gTnuPEWYn6E +7zEpuFoXathSX4EgcOFgDsDfAvf7EhzSey1Pi6uPe9Lh2uHrptZ+Zzh6OpTOxejS +jcy9KlYRup20nxT3ofunzJsSe4D1rofa9eyTpTp0uxekQcM8RhfGH5DiBeNizPAs +Euqups2pp0vN+ywD3/LGgSiYtRQbqOiavJg/uW+dwQT6kPNqcKsuN+qfu4/qGwu3 +zcYx/rLhkJj8s+zip9GU +=kf47 +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:02/mmap.patch b/share/security/patches/EN-14:02/mmap.patch new file mode 100644 index 0000000000..fd4040a881 --- /dev/null +++ b/share/security/patches/EN-14:02/mmap.patch @@ -0,0 +1,20 @@ +Index: sys/vm/vm_map.c +=================================================================== +--- sys/vm/vm_map.c (revision 259950) ++++ sys/vm/vm_map.c (revision 259951) +@@ -1207,6 +1207,7 @@ charged: + } + else if ((prev_entry != &map->header) && + (prev_entry->eflags == protoeflags) && ++ (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && + (prev_entry->end == start) && + (prev_entry->wired_count == 0) && + (prev_entry->cred == cred || +@@ -3339,7 +3340,6 @@ vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm + * NOTE: We explicitly allow bi-directional stacks. + */ + orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); +- cow &= ~orient; + KASSERT(orient != 0, ("No stack grow direction")); + + if (addrbos < vm_map_min(map) || diff --git a/share/security/patches/EN-14:02/mmap.patch.asc b/share/security/patches/EN-14:02/mmap.patch.asc new file mode 100644 index 0000000000..92d66bd6cc --- /dev/null 
+++ b/share/security/patches/EN-14:02/mmap.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnT+4P/ilcGYfPLHfrBH3DNbBJMS8i +jsYkV0d2PbgWdaxIHJMbAwkAJBkcPIb3aQSL3HiVYehSH9AsMbJgHZPIDpAkJ7gl +oY3f+WapTRx+jun89a+EbM5tUpZhagX8rgGUunVpJ3emkzC81peHi9OyeSDCNs1M +1iPeRWYrL4MaAHnt8rFUqGiBzxEk2AEmvvMsfvhbXmS6AmMp8gL7jiuBXDlDx8+6 +eWi86kNcMyWtSb2KRNUQ/2Kf84Wl5H+qgdhhzFx5OkI9jH3XFB2aY2SPiDfUPAC8 +bdpAR8pKwyhm+AyQdv/bdqgVy3gWW6J55Q1hP7pqze2HONZFE9VekC8xVOr5sBxG +2pvMRiIUdoOOEIXgqcYa3d8y5fApVkRa/9vT27JY5QZu0ypSsu7LuSkS/IADy0o5 +B9Sknl0BZFuGdslm66zOJzEpeCHL9VHPrW96fs3ca8/01/WE7iXDcuKC6cfc8Pjd +5ZyazZrygwkzjmT4tqB9U9a9zmVqCKkfejg2pJLXBL7ONUnONXEKxkr1jheTyU+1 +PSY4qkY58bi5P0Ef+mDFjmfMCfT0UVdIePFg3R17ALztNahMOUGW7BxIPgTWNFjk +4+gH9w5RKdscW2UgSC/HPWJHxyBIJfl6nEPmWqnrK+J+behwrdSBZBl2mmgPaDAn +5siNUmFL9GU4xr/b9xeG +=sEcV +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:01/bsnmpd.patch b/share/security/patches/SA-14:01/bsnmpd.patch new file mode 100644 index 0000000000..c86b45fe49 --- /dev/null +++ b/share/security/patches/SA-14:01/bsnmpd.patch @@ -0,0 +1,16 @@ +Index: contrib/bsnmp/lib/snmpagent.c +=================================================================== +--- contrib/bsnmp/lib/snmpagent.c (revision 259661) ++++ contrib/bsnmp/lib/snmpagent.c (working copy) +@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struct asn_buf + for (cnt = 0; cnt < pdu->error_index; cnt++) { + eomib = 1; + for (i = non_rep; i < pdu->nbindings; i++) { ++ ++ if (resp->nbindings == SNMP_MAX_BINDINGS) ++ /* PDU is full */ ++ goto done; ++ + if (cnt == 0) + result = do_getnext(&context, &pdu->bindings[i], + &resp->bindings[resp->nbindings], pdu); diff --git a/share/security/patches/SA-14:01/bsnmpd.patch.asc b/share/security/patches/SA-14:01/bsnmpd.patch.asc new file mode 100644 index 0000000000..3d12ccc27c --- /dev/null +++ b/share/security/patches/SA-14:01/bsnmpd.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnc+4P/2gFudDRO3Cv0HPnOS7OTHY6 +nzGWpoR98r5POLPPP5/iAISn7ADi/W81Y895/XRzYBxzuaaZNhXbu0nB3a+T0VDh +q5LGtSzO9fZv8t+y87CLIz08zdS7Q+OPZ2Szge/yP184Oqqc7xTmnkm6VyTiRZE1 +W2chmOgv96RM4qqHXRQYinaD57Z8Kl1AlcrP+ZBpH3zP998LHhHP2LN+qQz4jnl9 +7M57krQ733HPBZMQ2JkHFlzyjVGcK/dMjm8ZFiKvWTeDQk2ommXdHHDcYFar2EfG +T4rFeJmNQJHwcA1k4mqi3rIzvxCoihjoPT9NuZ+gdwtM7WniuEpsbKz+I2iGSBSS +ADUX6vaSkD22Y2L88txzFcdkqKhDgGPYfg/Uq98zQsio0ceCqIpDU1XNtPs6Kts1 +1CGPTl0ZOQm2/kjmJKHrHhi4otNEydifassxyQLLQTOZ3tH4ggd/NQCAu7/6msbO +CqpElrmOFPwwffPtAGktL0VsCMyGxRztizzU7+G36zcOeES+mNR2qTDycUYE4/uD +czx+4ZnYQ5kA6qmuRVuM/1m+p2gwbS+CsuRaVmrMJXnowAV1EI5u+n49rdiuxNth +1gaTpDN/7pwnkwEyB/6yjGdvoIMiuTkJPVPvekXHqeLH9S9VT79HQYZfGEqA+w5Y +T/6rSxVCuDXgzmLLbO4W +=ibna +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:02/ntpd.patch b/share/security/patches/SA-14:02/ntpd.patch new file mode 100644 index 0000000000..9838361106 --- /dev/null +++ b/share/security/patches/SA-14:02/ntpd.patch @@ -0,0 +1,13 @@ +Index: contrib/ntp/ntpd/ntp_config.c +=================================================================== +--- contrib/ntp/ntpd/ntp_config.c (revision 259828) ++++ contrib/ntp/ntpd/ntp_config.c (working copy) +@@ -597,6 +597,8 @@ getconfig( + #endif /* not SYS_WINNT */ + } + ++ proto_config(PROTO_MONITOR, 0, 0., NULL); ++ + for (;;) { + if (tok == CONFIG_END) + break; diff --git a/share/security/patches/SA-14:02/ntpd.patch.asc b/share/security/patches/SA-14:02/ntpd.patch.asc new file mode 100644 index 0000000000..0f4f8fd8bb --- /dev/null +++ b/share/security/patches/SA-14:02/ntpd.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUpAAoJEO1n7NZdz2rnJTAP/RBwrD85MJhDpOi5yXWEC44L +h9aFMeUe56fFSk6IRYycNZTqSwnZYnTQg0qcrpGTy4Qt1C0n+oVzGob24XzkN5P0 +IZwR5msPNbNF4iJgfi16QFLKK1M8UdWrE2hiyjQbWLcCJQPAFl0A8nSKPHdbDGMz +06ZuLiCuasXs1+AiyIp5D6i8Z3JZthla7Gn5LSBL7MyxRIemIaqKv61CVxHeo/l5 +TypTDpkgq/63tBf3n8q6RPxhR7v07m10DI1PPKI9QE156YhvysO6/GpuvF5ZSWtR +AX57yDd9HBSYy6wIX7jZSWv0J3X3dAZj8jZHnIFAn41khxV7DlZ1kYGBNFq+hbM+ +JR/zqp6497GpuxKt9Ubbqyn8vHnCop25psH528tPNLN5vXluvOonjM0tBAdWLnpP +kYybztIA4EMJg/8sKRsrMFfxzY58LyHuQRUqAgR63czo2HDbcuXtAIiMqOrwrfLW +nP01z8PFco4UN7VXpw/rVZ5XLtnONjJ1i2xR880Z8LOL6bvlc8NwwS+zTCPP/eDv +QZh3IGTz26oG49cDNsvceS85tbX3BiAJLOg8jEkWOw7jdPBOg7CCQddVO5ccCunM +QDpl5Ontt8bDqRm7z21MC/07EnQeiaIkQ+C37IVr2ISHMHzrWK3u6C2KNPy1Rgx1 +qBzc4Pl36Yqk1Dp4cSOA +=wiMs +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:03/openssl.patch b/share/security/patches/SA-14:03/openssl.patch new file mode 100644 index 0000000000..2a681158fa --- /dev/null +++ b/share/security/patches/SA-14:03/openssl.patch 
@@ -0,0 +1,91 @@ +Index: crypto/openssl/ssl/d1_both.c +=================================================================== +--- crypto/openssl/ssl/d1_both.c (revision 260378) ++++ crypto/openssl/ssl/d1_both.c (working copy) +@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int + static void + dtls1_hm_fragment_free(hm_fragment *frag) + { ++ ++ if (frag->msg_header.is_ccs) ++ { ++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); ++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); ++ } + if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); + OPENSSL_free(frag); +Index: crypto/openssl/ssl/s3_both.c +=================================================================== +--- crypto/openssl/ssl/s3_both.c (revision 260378) ++++ crypto/openssl/ssl/s3_both.c (working copy) +@@ -208,7 +208,11 @@ static void ssl3_take_mac(SSL *s) + { + const char *sender; + int slen; +- ++ /* If no new cipher setup return immediately: other functions will ++ * set the appropriate error. ++ */ ++ if (s->s3->tmp.new_cipher == NULL) ++ return; + if (s->state & SSL_ST_CONNECT) + { + sender=s->method->ssl3_enc->server_finished_label; +Index: crypto/openssl/ssl/s3_lib.c +=================================================================== +--- crypto/openssl/ssl/s3_lib.c (revision 260378) ++++ crypto/openssl/ssl/s3_lib.c (working copy) +@@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT. 
+ long ssl_get_algorithm2(SSL *s) + { + long alg2 = s->s3->tmp.new_cipher->algorithm2; +- if (TLS1_get_version(s) >= TLS1_2_VERSION && ++ if (s->method->version == TLS1_2_VERSION && + alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + return alg2; +Index: crypto/openssl/ssl/ssl_locl.h +=================================================================== +--- crypto/openssl/ssl/ssl_locl.h (revision 260378) ++++ crypto/openssl/ssl/ssl_locl.h (working copy) +@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; + extern SSL3_ENC_METHOD SSLv3_enc_data; + extern SSL3_ENC_METHOD DTLSv1_enc_data; + ++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) ++ + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ + s_get_meth) \ + const SSL_METHOD *func_name(void) \ +Index: crypto/openssl/ssl/t1_enc.c +=================================================================== +--- crypto/openssl/ssl/t1_enc.c (revision 260378) ++++ crypto/openssl/ssl/t1_enc.c (working copy) +@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; + else + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; +- if (s->enc_write_ctx != NULL) ++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + reuse_dd = 1; +- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) ++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + goto err; ++ dd= s->enc_write_ctx; ++ if (SSL_IS_DTLS(s)) ++ { ++ mac_ctx = EVP_MD_CTX_create(); ++ if (!mac_ctx) ++ goto err; ++ s->write_hash = mac_ctx; ++ } + else +- /* make sure it's intialized in case we exit later with an error */ +- EVP_CIPHER_CTX_init(s->enc_write_ctx); +- dd= s->enc_write_ctx; +- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); ++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + #ifndef OPENSSL_NO_COMP + if (s->compress != NULL) + { 
diff --git a/share/security/patches/SA-14:03/openssl.patch.asc b/share/security/patches/SA-14:03/openssl.patch.asc new file mode 100644 index 0000000000..171a0ff8dc --- /dev/null +++ b/share/security/patches/SA-14:03/openssl.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUqAAoJEO1n7NZdz2rnQCMP/2eEn3oK3bvXpEIJ4BQUo5ss +0sDeC4ttld9VvKtGI1Qkqf0wz/lHeEsz3V1ocg6rY44A3qLFQcFrisleh0D6AmyY +yySV1lwyPTJOJgQOlDeMGule7SveTCZclh05zTHM+482cNlnVIgUF+2qZ4HfRd7B +bYWTBLWDmzs86bk8TE8wJrZZItVO6QK8V2jwCAuvEp4clgi/ScEHfVSOuiEjr2iq +3BupUbdX/gi5wamPJphEU9CwE+gDnP86Jj5mlhB4RUhC2UEASKh6sxSYJDBbJ1lA ++zcyAn9sIkCpbczCyxNfROKzBN1QPshpma12wBMxIhF958CMO783PfFKboWAwi/j +JnxzhmZam9qnkds8rY2MgcsiGl2iErXP3HnrtDk+7YTr3VlSWJucudVBX89NzmhA +y01SQbX5NlRNr5vzDgNsgEczBCSUWdfYL+Kf/X9uiu4mkQOhicZhRieAcwsinP83 +WxtY59ulMzSQjtmby2MTd/1RdBlu7wbAbJ9eUKZwQzGA/LKuvGK8XaQz8WZ3uHPU +y9zLG77lpDu9yF+ui1wGl1v5uJEI55MGP4WkgcbiPZGy3g73C5y+92mne5Szq/cM +5Kf977/11QZamQkUayL1X0cNLY5ohpcuvY/UYwe3BtapaX+XpwG06tpAKzOUiuJR +Fcpl6iI961auHMtyyNb6 +=KeeT +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:04/bind-release.patch b/share/security/patches/SA-14:04/bind-release.patch new file mode 100644 index 0000000000..0400e47f2b --- /dev/null +++ b/share/security/patches/SA-14:04/bind-release.patch 
@@ -0,0 +1,54 @@ +Index: contrib/bind9/bin/named/query.c +=================================================================== +--- contrib/bind9/bin/named/query.c (revision 260523) ++++ contrib/bind9/bin/named/query.c (working copy) +@@ -3622,8 +3622,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + dns_fixedname_t fixed; + dns_hash_t hash; + dns_name_t name; +- int order; +- unsigned int count; ++ unsigned int skip = 0, labels; + dns_rdata_nsec3_t nsec3; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_boolean_t optout; +@@ -3636,6 +3635,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + + dns_name_init(&name, NULL); + dns_name_clone(qname, &name); ++ labels = dns_name_countlabels(&name); + + /* + * Map unknown algorithm to known value. +@@ -3667,13 +3667,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + dns_rdata_reset(&rdata); + optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); + if (found != NULL && optout && +- dns_name_fullcompare(&name, dns_db_origin(db), &order, +- &count) == dns_namereln_subdomain) { ++ dns_name_issubdomain(&name, dns_db_origin(db))) ++ { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); +- count = dns_name_countlabels(&name) - 1; +- dns_name_getlabelsequence(&name, 1, count, &name); ++ skip++; ++ dns_name_getlabelsequence(qname, skip, labels - skip, ++ &name); + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), + "looking for closest provable encloser"); +@@ -3691,7 +3692,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "expected covering NSEC3, got an exact match"); +- if (found != NULL) ++ if (found == qname) { ++ if (skip != 0U) ++ dns_name_getlabelsequence(qname, skip, labels - skip, ++ found); ++ } else if (found != NULL) + dns_name_copy(&name, found, NULL); + return; + } 
diff --git a/share/security/patches/SA-14:04/bind-release.patch.asc b/share/security/patches/SA-14:04/bind-release.patch.asc new file mode 100644 index 0000000000..17313a753e --- /dev/null +++ b/share/security/patches/SA-14:04/bind-release.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUqAAoJEO1n7NZdz2rnQC8QAM7tQ7OJji9KEwp/+Crv/9Jf ++8PGWOrLa7rz8i4wD7ujUwYGCzOzOUAMuSOO3B0SdCb4YVx9we2+5uLCvxbMAS1/ +tdw5WOhi0nWHPD+4uXhQmczCz+nXBG8LAdMM7eIMLgyfYlFdNvARpuRWeNhicKP2 +vaP1Pxq0TejNYzxekzWGUUiyfTdhM7SWza95mz27WO/eHhwKKPqjxb+hoitA7s5k +2fS17NvLyYivD2BBVGj61IKpSAVCwtK4Vdo73LKmGe9HDSTCKRUiz52+UIMMprpK +76cbuUFatyOPJsrDn/YuisqH8M1/HpRZp9MyzR+b2rIf+/f3OuAfLrfzzDt0akA+ +LvHc0SRDDuBr1cDCjv4eMlJXJvFnlBdc/z+PB/Un252kHB5mLFHev9n2vU0HohqS +Bj5C6svpMoZo3uTnI8dLonByl6n/7144T1uuRTlQ7pS2wrp5LrEd/cySe444Ek+A +Elxy5KI8ydb6+V0UmADFM3gK9ZK+AqoQqFtfCgYyrBhsOSdissJwVKTeLXlHJRZM +k6vo9/BLkAk0eo98/KkdHW2IrGaNVCNOucXRntTjNmLF02Ge5Ev2JFcc4XiMtPkM +HNxfS9t1qmYifjz7++0pFFwYKHCJdaZM+HJl3RxHkYiy0kHpHCIAem4STauDznDj +HL6Dl570twSTB9lvRGOW +=yZ2q +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:04/bind-stable-9.patch b/share/security/patches/SA-14:04/bind-stable-9.patch new file mode 100644 index 0000000000..f35fc4c61c --- /dev/null +++ b/share/security/patches/SA-14:04/bind-stable-9.patch 
@@ -0,0 +1,54 @@ +Index: contrib/bind9/bin/named/query.c +=================================================================== +--- contrib/bind9/bin/named/query.c (revision 260523) ++++ contrib/bind9/bin/named/query.c (working copy) +@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + dns_fixedname_t fixed; + dns_hash_t hash; + dns_name_t name; +- int order; +- unsigned int count; ++ unsigned int skip = 0, labels; + dns_rdata_nsec3_t nsec3; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_boolean_t optout; +@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + + dns_name_init(&name, NULL); + dns_name_clone(qname, &name); ++ labels = dns_name_countlabels(&name); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); + +@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + dns_rdata_reset(&rdata); + optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); + if (found != NULL && optout && +- dns_name_fullcompare(&name, dns_db_origin(db), &order, +- &count) == dns_namereln_subdomain) { ++ dns_name_issubdomain(&name, dns_db_origin(db))) ++ { + dns_rdataset_disassociate(rdataset); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); +- count = dns_name_countlabels(&name) - 1; +- dns_name_getlabelsequence(&name, 1, count, &name); ++ skip++; ++ dns_name_getlabelsequence(qname, skip, labels - skip, ++ &name); + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), + "looking for closest provable encloser"); +@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t + ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, + NS_LOGMODULE_QUERY, ISC_LOG_WARNING, + "expected covering NSEC3, got an exact match"); +- if (found != NULL) ++ if (found == qname) { ++ if (skip != 0U) ++ dns_name_getlabelsequence(qname, skip, labels - skip, ++ found); ++ } else if (found != NULL) + dns_name_copy(&name, found, 
NULL); + return; + } diff --git a/share/security/patches/SA-14:04/bind-stable-9.patch.asc b/share/security/patches/SA-14:04/bind-stable-9.patch.asc new file mode 100644 index 0000000000..74e22f9fc4 --- /dev/null +++ b/share/security/patches/SA-14:04/bind-stable-9.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJS1ZUqAAoJEO1n7NZdz2rntyQP/0Eg/BZkY4oj0uyldYOX1mYR +5H+vBeJ+uuXA122WFXRkEhazJzfKNjitDOiVSOfomaiFqU6EamvAEK72gUCtEHf3 +WncovpXKvtTZGO7SpPuR//p6W8OYBCdJaIc1fBZnbOcVWRGNdMEQ7AZXCs0/dT13 +RtfXHap0EfS1AEvqNitI9ad4O2N9nWkk05eQAEn4/dDcwHZXaaVkVgJZHzOmAqhz +RjDeGEGGTOQe/298cR0A63uyiQD8W2CHYxtzIytsR3euDnMcUGt+Yp1mkoc85WdS +LnW5se5+Gr+Rl1auyLtoBOy6J8mIJzQa9hPu6Y0sCgpriwxbt+3aEP+Lhsk1bgUf +3Ack9MthT1w5hz5lt1J5C4wHIkQZyQR47NNwPsD+t5p9884Gj6zKcDvJnC8NFp3y +f7R6NoPt7l32oUERV7ulYOoavbxgCMmZRc/as60+lIIrZfHlmjq6/5K8Fsi+6vMC +AyUBtrZ7iNX/RRC5yF5sBUeB5A3bOKJXAWoVIfQFJMURxN894liXAsaNtj1CWD+3 +tAdpI8GkZGE1cYicHqNoiP1S08O82pbPE4o28ZgoJj/sq8lYNLMXTXUE/3R+GSN/ +sAiv1NSyMNwV4RGv/r6EA1W+hlYOgVVw9dSD+iuawMEWqMxzkp/wwzsdvW/jNAwX +7go20QVo8mY0Qdb3DU7+ +=huh6 +-----END PGP SIGNATURE----- diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml index c448377132..6ce926d40c 100644 --- a/share/xml/advisories.xml +++ b/share/xml/advisories.xml @@ -5,6 +5,35 @@ </cvs:keyword> <year> + <name>2014</name> + + <month> + <name>1</name> + + <day> + <name>14</name> + + <advisory> + <name>FreeBSD-SA-14:01.bsnmpd</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-14:02.ntpd</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-14:03.openssl</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-14:04.bind</name> + </advisory> + </day> + </month> + + </year> + + <year> <name>2013</name> <month> diff --git a/share/xml/notices.xml b/share/xml/notices.xml index b99fe30ace..8f4ddf9c32 100644 --- a/share/xml/notices.xml +++ b/share/xml/notices.xml 
@@ -5,6 +5,26 @@ </cvs:keyword> <year> + <name>2014</name> + + <month> + <name>1</name> + + <day> + <name>14</name> + + <notice> + <name>FreeBSD-EN-14:01.random</name> + </notice> + + <notice> + <name>FreeBSD-EN-14:02.mmap</name> + </notice> + </day> + </month> + </year> + + <year> <name>2013</name> <month> |
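Review bot: in the EN-14:01 patches (random-8.3.patch, random-9.1.patch, random-9.2-8.4.patch), the sys/dev/random/probe.c hunks leave `enable = 0;` without a comment, and nothing is reported when `via_feature_rng & VIA_HAS_RNG` or `cpu_feature2 & CPUID2_RDRAND` is true but the tunable keeps the device unselected. A short comment above each `enable = 0;` referring to EN-14:01, plus a boot message in the "present but disabled" case, would let an administrator tell that case apart from "no hardware RNG found". The 8.3 and 9.1 patches gate only `hw.nehemiah_rng_enable`, while the notice's workaround lists `hw.ivy_rng_enable` too, so the notice should say which tunable exists on which branch.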
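Review bot: in EN-14:02/mmap.patch, the condition added at `@@ -1207,6 +1207,7 @@` tests `cow` against `MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP`, but the second hunk shows vm_map_stack() taking the orientation from the same variable with `MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP`. Now that `cow &= ~orient;` is removed, the stack bits reach the coalescing check under the MAP_STACK_* names, so the new test should either use those names or carry a comment (or compile-time assertion) stating that the MAP_ENTRY_* and MAP_STACK_* values are identical. As written, the reader cannot tell from the patch that the check matches the flags it is meant to catch.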
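Review bot: in SA-14:01/bsnmpd.patch, the bound check in snmp_getbulk() uses `resp->nbindings == SNMP_MAX_BINDINGS`; since it guards the write to `&resp->bindings[resp->nbindings]` a few lines below, `>=` is the safer comparison in case the counter is ever advanced by more than one elsewhere. The `if` also has a comment between the condition and an unbraced `goto done;`, which is easy to misread; bracing the body would help. The hunk does not show what the `done` path reports to the requester when the response is cut short, which deserves a sentence in the comment.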
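Review bot: in SA-14:02/ntpd.patch, the added `proto_config(PROTO_MONITOR, 0, 0., NULL);` in getconfig() has no comment, so the reason for setting PROTO_MONITOR to 0 here is not recoverable from the source. Because the call sits before the `for (;;)` loop that consumes the configuration tokens, it acts as a default that later configuration can override; a comment saying so, with a reference to SA-14:02, would keep a future cleanup from moving or dropping the line.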
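Review bot: in SA-14:03/openssl.patch, the s3_lib.c hunk leaves `long alg2 = s->s3->tmp.new_cipher->algorithm2;` dereferencing `new_cipher` unconditionally, while the s3_both.c hunk in the same patch adds `if (s->s3->tmp.new_cipher == NULL) return;` to ssl3_take_mac() for that very field. If ssl_get_algorithm2() can be reached in the same state, it needs the same guard, or a comment explaining why it cannot. The switch from `TLS1_get_version(s) >= TLS1_2_VERSION` to `s->method->version == TLS1_2_VERSION` also turns a range test into an exact match without a comment saying that this is intended.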
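Review bot: in SA-14:03/openssl.patch, the macro added to ssl_locl.h, `#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)`, does not parenthesise its argument; write `((s)->method->version == DTLS1_VERSION)` so that it stays correct for any expression passed in. In the t1_enc.c hunk, a DTLS connection with a non-NULL `s->enc_write_ctx` now falls through to `s->enc_write_ctx=EVP_CIPHER_CTX_new()` and overwrites the old pointer without freeing it at that point. The d1_both.c hunk suggests the old context is released later through `saved_retransmit_state` in dtls1_hm_fragment_free(); a comment in tls1_change_cipher_state() stating that ownership explicitly would keep this from reading as a leak.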
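Review bot: in SA-14:04/bind-release.patch and bind-stable-9.patch, query_findclosestnsec3() now computes `labels - skip` on two `unsigned int` values after `skip++`, and the only guard visible in the hunk is `dns_name_issubdomain(&name, dns_db_origin(db))`. An explicit check or assertion that `skip < labels` before `dns_name_getlabelsequence(qname, skip, labels - skip, &name)` would make the bound local instead of depending on the subdomain test to stop the loop before the subtraction wraps. The new `if (found == qname)` branch does nothing when `skip` is 0; a one-line comment saying that `found` already holds the right name in that case would help.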