diff options
| author | Gordon Tetlow <gordon@FreeBSD.org> | 2020-03-19 17:20:56 +0000 |
|---|---|---|
| committer | Gordon Tetlow <gordon@FreeBSD.org> | 2020-03-19 17:20:56 +0000 |
| commit | bc912e3b54784b5e39db8309b5db0ac8adb823a8 (patch) | |
| tree | 13af7f60f7fe5bc1fa91b069a1603c6884e64c3d /share/security/advisories | |
| parent | ea8291518345ab723c033caa615c460e66efab3f (diff) | |
| download | doc-bc912e3b54784b5e39db8309b5db0ac8adb823a8.tar.gz doc-bc912e3b54784b5e39db8309b5db0ac8adb823a8.zip | |
Add EN-20:03 through EN-20:06 and SA-20:04 through SA-20:09.
Approved by: so
Notes
Notes:
svn path=/head/; revision=53996
Diffstat (limited to 'share/security/advisories')
| -rw-r--r-- | share/security/advisories/FreeBSD-EN-20:03.sshd.asc | 119 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-EN-20:04.pfctl.asc | 132 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-EN-20:05.mlx5en.asc | 122 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-EN-20:06.ipv6.asc | 136 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:04.tcp.asc | 144 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc | 132 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc | 128 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:07.epair.asc | 136 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:08.jail.asc | 138 | ||||
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:09.ntp.asc | 168 |
10 files changed, 1355 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-20:03.sshd.asc b/share/security/advisories/FreeBSD-EN-20:03.sshd.asc new file mode 100644 index 0000000000..944aaacefa --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-20:03.sshd.asc @@ -0,0 +1,119 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:03.sshd Errata Notice + The FreeBSD Project + +Topic: Misleading log messages upon successful sshd login + +Category: contrib +Module: sshd +Announced: 2020-03-19 +Affects: FreeBSD 12.1 +Corrected: 2019-11-28 02:18:19 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:34:11 UTC (releng/12.1, 12.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The sshd server implements the secure shell protocol, providing remote +access. + +II. Problem Description + +Due to a programming error, error messages of the form "Failed unknown for +user <user> ..." will be emitted to auth.log for successful logins. + +III. Impact + +Log files will be confusing, and programs like fail2ban that parse logs will +not function correctly. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and restart the sshd +service. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# nohup service sshd restart + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:03/sshd.patch +# fetch https://security.FreeBSD.org/patches/EN-20:03/sshd.patch.asc +# gpg --verify sshd.patch.asc + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r355160 +releng/12.1/ r359134 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234793> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:03.sshd.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplJfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJLCA//V8LAaiI3320RkieKpp1W8VJLajd1aWnwmMzCMuyXYsEnDoLRzGdsEdcv +K1HhEz27vEuhusmW6AwLGcuHDJl+/230JJMcs24dtbJ/VcanG4Tw5fKjT6g1zT9m +A8ZQ16N5LU8q8TGcRATie9+88Ri3iepDkur4Gh4HBH/VKfI4szoWZXpBe0UZJTPr +EGXtcvTRlVlex3jWJF2FA/4TioR6PGAyJxwtxLpaSWoMJFrTKh0b7AnyCTzqC6cE +aHF/RDH8i16VbVDTHmfo0FPKeCcF25uFYG1edDpSofdvE9XZTEvqy1fz6Nv+LEbp +EMFOa99zUtzjWVkvPMXWXSYDVivyjoX38pEvbZnNxWNot8His9UWOss9vff9/B/L +Y6uHIpPeW8JhBpyOJ6hlYZ/zkEnKy33tNm+/mzV6TBUpu0h8cTULKkXCeIQIyU61 +YUGEhw+TFRS0X9v6lovXif3/Cs6r8nNKSh/NUa43B7oxacEsCimfU1YApNi7nj3L +DD1vQmvR7j7k8tTDw4FGqv3HgkRL4RgkbWsGJB83dUXTEUV/Dtjh6o7duTsYbdw0 +eEaqTQBysENCQEsZ3s0NHF0nUdrmxecw/6US+dhnt1nMJH7I4UaHM95wMXY0x3CQ +k5yDoMPMs4NTC7iBRtyw69IQMsOwRsUU5notdlWjklKKSvRAXnA= +=8o6k +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-20:04.pfctl.asc b/share/security/advisories/FreeBSD-EN-20:04.pfctl.asc new file mode 100644 index 0000000000..e6cca7a5f4 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-20:04.pfctl.asc @@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:04.pfctl Errata Notice + The FreeBSD Project + +Topic: Missing pfctl(8) tunable + +Category: core +Module: pfctl(8) +Announced: 2020-03-19 +Credits: Rubicon Communications, LLC (netgate.com) +Affects: FreeBSD 11.3-RELEASE +Corrected: 2020-02-12 14:50:13 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:35:15 UTC (releng/11.3, 11.3-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Packet filtering takes place in the kernel. A pseudo-device, /dev/pf, allows +userland processes to control the behavior of the packet filter through an +ioctl(2) interface. Commands include enabling and disabling the filter, +loading rulesets, adding and removing individual rules or state table entries, +and retrieving statistics. The most commonly used functions are covered by +the pfctl(8) utility. + +II. Problem Description + +pf(4) ioctls frequently take a variable number of elements as argument. +This can potentially allow users to request very large allocations. + +A failing non-blocking pf(4) allocation can tie up resources resulting in +concurrent blocking allocations entering vm_wait() and inducing reclamation +of caches. + +III. Impact + +The kernel will reject very large tables to avoid resource exhaustion +attacks. Some users run into this limit with legitimate table +configurations. + +IV. Workaround + +No workaround is available, however systems that do not employ pf(4) nor +use pf(4) table definitions larger than 65535 entries are unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch +# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch.asc +# gpg --verify pfctl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r357822 +releng/11.3/ r359135 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:04.pfctl.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cL4Aw/9GhPqyMcVMROjoX2xepwOubsM+C9lMCTQtxOOhYLtt9IIt5KTgSefAcyt +DMcqE78R6wgaxf08XAQyD/iN3udhCFT4YRElB1o5XMEhYUcCIsatKcb8hIVJuRD3 +Ap2goT7zHlicFxpKuWblg/qenU0A9PgaCjsRaVePHS2nzOW+d9DJSg3yxz6xwGCZ +Nuv03Y2OBVm/KdW4awk50FdzR2L04U0D0ZATh+5yr25aH99dVpUQMmRc+qjRtXzh +4j34Qj8mWteAkD5690zcE1nGwu7lGDFoRjwhiP5RP9Gn3o2Sv5SJwHNwB5W1WQDr +GAormcXgUwuWwd9ijtKfWNmJm7MhZhCjvq9l0tt54e+j4Nmz39/ZijFfa1Ug7XKJ +4yp1ey2ri3W3bGrv2nRHMzY6d3EaQq/96vupt/dWxlufoIHbUvUQ0l8KWNmQ8kK1 +dplsoMS6x/AeFjjF4I62Cp429vBbpRDRCJk4mZ6itJ8CWbNXIv2xCj7aKzRcrwpx +kmcblpkFpm7edVkTGjtv/MMhUPXdlskQStOCjSkHoo/cofcAOUovJ8755AvYNkwl +P0e49iOxvFFMA3jZSuxCrQksHq295VwjImEUSJKYyARGdDiPR4q8AdUy+CPyDoLs +zMrzZz5HiNSNdoh4mX3OFIkjtuk/fXR5LQnMBuzHfmfhLtsmHAQ= +=upRR +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-20:05.mlx5en.asc b/share/security/advisories/FreeBSD-EN-20:05.mlx5en.asc new file mode 100644 index 0000000000..be8a5d80ab --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-20:05.mlx5en.asc @@ -0,0 +1,122 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:05.mlx5en Errata Notice + The FreeBSD Project + +Topic: Fix packet forwarding performance in mlx5en(4) driver + +Category: core +Module: mlx5en +Announced: 2020-03-19 +Affects: FreeBSD 12.1 +Corrected: 2019-11-07 13:12:38 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:41:29 UTC (releng/12.1, 12.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Add CSUM_SND_TAG flag and set this flag for outgoing ratelimited mbufs. +This fixes an issue that redirected packets are dropped in the mlx5en +transmit routine. + +II. Problem Description + +Ratelimiting support in the network stack reuses an mbuf field for a +different purpose to avoid having to grow the mbuf size. This can a cause +packet drop in the forwarding case if the field in question is not cleared +prior to transmit. + +III. Impact + +All packets going through firewall code are dropped when using mlx5en(4). + +IV. Workaround + +No workaround is available. Systems not using mlx5en(4) are not affected. + +V. Solution + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# reboot + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/EN-20:05/mlx5en.patch +# fetch https://security.FreeBSD.org/patches/EN-20:05/mlx5en.patch.asc +# gpg --verify mlx5en.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r354440 +releng/12.1/ r359136 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243871> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:05.mlx5en.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIMCw/7BCNrVg/W7nwnbDdQs1xR0gTz4pUTGB7SnyXs69kJ15dimWt00oVCJurP +oh7uZIPenrS/xRosmbehsNc3IJRN6Npnf86dazuj3qRu24E3CJg9bQJ0sAHrWOXB +i6UgrWIDKIEQ/Yflpcl4bqj/L5HQsTQ/mbkBl1nYiu7VUwjGPhidRYSCQQHDY8ZM +XJ4BFBJCx+gSEcfP6iAqZTGcDAwyFkl9kzxfMIymIRqGlBABBqN6OFrnMjiBoDGL +CiTFt0rFs4/bdX8wQyRhQ6IHjFGiEbXZS4txJxP3XZaIJaPYF5snrrV1rgGjOeVl +2PmGF82ugSwrpVgPuDCMkiJEvYR6matvjRrYQDEBsz0rY6pyid4q9Ck7uKt2KW8u +M3tPtL61SbnuPXTYGpFD++xWYjlQrkcuudwHRT3NYOgNAwU6U+ejLuDzpbWFtPAh +RCQ/tmSOxTQWubxbiwiA07zxVY1a2ffguyzpc+p8PTwIbgrtuh64saoenuvNg0wJ +rhuShGQnhsfWbStOW1T21tsBkB/cZekQYt3e9zB3RREl3WBvJmKPLqO0m8WBaSUx +2iTxnMrhEAnD4R6oVouibCwRdlnxMD3xyYmJJZJ/p8hFXVZlWm60c5nKh82bQVLj +mN4Uf+V7Q/P+fkfoWFm7Dq4kYQp7DmANjh2gK80/88f9/AhX+so= +=EjZa +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-20:06.ipv6.asc b/share/security/advisories/FreeBSD-EN-20:06.ipv6.asc new file mode 100644 index 0000000000..e0a11f1d71 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-20:06.ipv6.asc @@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:06.ipv6 Errata Notice + The FreeBSD Project + +Topic: Incorrect checksum calculations with IPv6 extension headers + +Category: core +Module: netinet6 +Announced: 2020-03-19 +Credits: Francis Dupont <fdupont@isc.org> +Affects: All supported versions of FreeBSD. +Corrected: 2020-03-02 22:54:32 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:43:37 UTC (releng/12.1, 12.1-RELEASE-p3) + 2020-03-03 08:24:09 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:43:37 UTC (releng/11.3, 11.3-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Upper layer transport protocols, e.g., TCP, UDP, or SCTP, include +checksums in their headers. IPv6 is a network protocol, which can +add extension headers between its own header and that of the upper +layer protocol. + +II. Problem Description + +Pseudo header checksum calculations can be delayed until the IPv6 +output routine or offloaded to the NIC. In case IPv6 extension +headers are present, FreeBSD currently never offloads to the NIC. +When passing the data to the functions doing the delayed checksum +calculations, the contents of the extension headers were erroneously +included as part of the checksum. + +III. Impact + +Upper layer transport protocol checksums may be wrong for IPv6 packets, +such as IPv6 fragments, or IPv6 packets with a Destination Options or +Hop-by-Hop Options extension header. + +IV. Workaround + +No workaround is available. Packets sent over IPv4 or IPv6 without +any extension headers are unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/EN-20:06/ipv6.patch +# fetch https://security.FreeBSD.org/patches/EN-20:06/ipv6.patch.asc +# gpg --verify ipv6.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r358557 +releng/12.1/ r359137 +stable/11/ r358566 +releng/11.3/ r359137 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243675> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:06.ipv6.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLxaA/+IUDfq39zppv1SsIrwD1a2VZVQvPtNPmM0OUzJK7gt6Jj1lDJjY/WTXl6 +I93Xm1q6VL6u+6n95XfaUe3xu05Oujlq+KE0zu3tOigs50tvyn2+PAQU1waTT3O7 +zFqqLb0mBoQl1WasiLj0NhIpAK3GDYNV/Zd0jYuQzyyhu1kahMpeiVYn5OG7Q1C0 +BUPfObwGfzDYZbDtT4RSok35uVfzLnk5mZ1L+grQaoZbh3OJonlx5GnbRAboncCY +IJRfeyrHvCX2WMKx0CiUTEHZKJErKWcynYHkWYc+jmSqfTFARWBdIHpxQzF52kuW +E34WQDuCf9miSRGrlV1CgwjXUExuPOcUN7XcRRJQkkjc2wnpjMi1qudpyZmNW7Ig +rMQQdRLAmHyuy8ZjNuuBesWqBZYC2pr1p94KGUO7VsRNRVWOe8CEBT5NCRcRzoqw +rhyGlS1ahc6P/6FliYd86MMpdS4S0olRcylW+r5z3O8DStt0VEvwC5cYubqJJDud +Crpuces4hq8xZ2E4ZVN2YclT/gKNNvtNXmPfqpWVLdtCJqg6JTjAShX/YH52Q3/Q +5VOqj1wJmAMV07f68gp6GH+dQIxAnI5uAXwrGBs5Y7PCzRafhUkEy/6m5FHYOpUN +CR+/5Iqp2S79LeAoxSbZmuVh1pmLrs6bVZcfI21V91d5hSniPPE= +=/jJ1 +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:04.tcp.asc b/share/security/advisories/FreeBSD-SA-20:04.tcp.asc new file mode 100644 index 0000000000..cbad273c2e --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:04.tcp.asc @@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:04.tcp Security Advisory + The FreeBSD Project + +Topic: TCP IPv6 SYN cache kernel information disclosure + +Category: core +Module: tcp +Announced: 2020-03-19 +Credits: Michael Tuexen (Netflix, contractor) +Affects: All supported versions of FreeBSD. +Corrected: 2020-03-08 14:48:21 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:46:01 UTC (releng/12.1, 12.1-RELEASE-p3) + 2020-03-08 14:48:32 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:46:01 UTC (releng/11.3, 11.3-RELEASE-p7) +CVE Name: CVE-2020-7451 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Internet Protocol version 6 (IPv6) header contains a one byte field +called Traffic Class. Two bits of this field are used for Explicit +Congestion Notification (ECN), the other six bits are used as Differentiated +Services Field Codepoints (DSCP). + +The Transmission Control Protocol (TCP) is a connection oriented transport +protocol, which can be used as an upper layer of IPv6. A TCP endpoint is +either acting as a client (sending initially a SYN segment) or as a server +(initially waiting to receive a SYN segment and then responding with a +SYN-ACK segment). + +To mitigate the impact of some attacks against TCP servers (like +SYN-flooding), FreeBSD uses specific code to handle the TCP connection setup +for servers. This includes the transmission and retransmission of SYN-ACK +segments or responding with a challenge ACK segment to a received RST +segment. + +II. Problem Description + +When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6, +the Traffic Class field is not initialized. This also applies to challenge ACK +segments, which are sent in response to received RST segments during the TCP +connection setup phase. + +III. Impact + +For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte +of kernel memory is transmitted over the network. + +IV. Workaround + +No workaround is available. Systems not using IPv6 are unaffected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch +# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch.asc +# gpg --verify tcp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r358739 +releng/12.1/ r359138 +stable/11/ r358740 +releng/11.3/ r359138 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7451> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:04.tcp.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLuzQ/9HvuKX5w2/CDerZPseNDKqumxjoap6MjfExvpVN4Auy31wcE7248JpZ/d +I+Be927dmghiey97opVcR56g5OJ9QAinQRTWX1rLKaQ2xldGFE5924iLyQ/hjMXG +LDkYrBpJ2Wkdq9XFZKAuu2dpV/RUMlGnKANG/QfAAd5V4VC7Sg5X6ty7ISlVMrM7 +aQdBP4e5XyssfeqZeZ/A57dF3Yi7F1TEEjXeM+dulTET4nm0+w74n+QaNoH6hcMI +n3Bb/SsF9HfbZtXz235vkzbgvvSX4f+D/d3vrcAA9KMVjKBH6QbiwJKuHSdb0GY8 +ENMb7vO7Rx71u8GnCYg659qFrWb/kaTW2BCbgAJyp2747nAw8I7DwZiN2RKWA7qh +JbcZb1rJN9gEccnGyNouuy4DzUlUc4VQnp4ajqV4S1YGbwdfsBqi2c0dYwqEcW96 +RKxxTrH9JB8d52wMMshB7hMfwbeLeOJJ4phFL8knXuv19SWCP/tz6XDopoBN6wTW +yn5g+n7oVCOsSwlPLHl/5WWUTvKjyCB6eZIblFhlbiNTuQiUaegDXx66On+vgVKD +oYA9cDQUcvIKLne/KgCqTQ5MAuwE/7hPyUlGmuiZ3/Qx6CW568+v1kTc19eUQb0a ++e5HDRFhtiQyRMpTC9Yt14sv8oFLynhyt/IbQWTeqppZhBugbJ8= +=CFKz +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc b/share/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc new file mode 100644 index 0000000000..24a12489dc --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc @@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:05.if_oce_ioctl Security Advisory + The FreeBSD Project + +Topic: Insufficient oce(4) ioctl(2) privilege checking + +Category: core +Module: oce(4) +Announced: 2020-03-19 +Credits: Ilja Van Sprundel +Affects: All supported versions of FreeBSD. +Corrected: 2019-12-26 16:56:42 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:48:29 UTC (releng/12.1, 12.1-RELEASE-p3) + 2019-12-26 16:58:11 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:48:29 UTC (releng/11.3, 11.3-RELEASE-p7) +CVE Name: CVE-2019-15876 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The primary interface used for network driver configuration is ioctl(2). +Several ioctl(2) commands are reserved for driver-specific purposes. For +instance, a driver may use one of these ioctls to implement an interface for +updating device firmware. + +II. Problem Description + +The driver-specific ioctl(2) command handlers in oce(4) failed to check +whether the caller has sufficient privileges to perform the corresponding +operation. + +III. Impact + +The oce(4) handler permits unprivileged users to send passthrough commands to +device firmware. + +IV. Workaround + +No workaround is available. Systems that do not contain devices driven by +oce(4) are unaffected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch +# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch.asc +# gpg --verify if_oce_ioctl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r356089 +releng/12.1/ r359139 +stable/11/ r356090 +releng/11.3/ r359139 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15876> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJAuBAAnsnjdm2aTLo14rOiNHTNh0NqJPQTJ5F6MwE1P/nUlP5xM21GzDkyki7H +4AytZiCma6MCPzbc8aO6wGnc5zfSA1G/5TLetIgIQeyDQ8wRd0uhIoeO3NB3EXhz +KJkNqtyosmzKUSmq7V/WqYN7VOVceegvbvLXCMTYFkUmvJxYbB67s0upqydFBAD4 +j1ecKkNOIehV6cGColM3Dv7sJtVgdvaKg2ehW+AWR7UBOntIr/X3mVpkUE5Y2oLX +tpjuEbdraOpIw/ohKfvpZNPXnEFmhgxrRV4WRw8yFeMsEtLI2HyyUV4ysZrgMKB+ +LKxdhfd7HhIiGdoRZO4P60traRiRD+VfqU9Jt3xd9fO1t0MZYTS0R0Lqt9n3UPhR +26YcyrJgElaHIz8Viiw1U7Pdxila7b7gL+V4QVNSG00OqCKkdepgURRepzaz8Zhd +lrfLf+9vysPIL6RsJwDb77qYbu9kK/afGmadBVot6QGg6ovWVLUGd0pQFJuLihZl +YRocdxDO0lgF+w6llmp6ZidEjaScL7XG3yKG1DuoSa0tS+0eQU2U2hByJDzzzkTn +x7t7WU8o5gSRYDe68yuJHXiHWswA4IK+tkYf+h8fDhENDbt7PCo86Vq0Dixg3hoG +ak/KfomAAsnh6MfWNRlCWDXbe0p/yxYLPRHugDdrZ2IpX+uJWHs= +=pADZ +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc b/share/security/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc new file mode 100644 index 0000000000..83a32fd9bf --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:06.if_ixl_ioctl Security Advisory + The FreeBSD Project + +Topic: Insufficient ixl(4) ioctl(2) privilege checking + +Category: core +Module: ixl(4) +Announced: 2020-03-19 +Credits: Ilja Van Sprundel +Affects: All supported versions of FreeBSD. +Corrected: 2020-01-10 18:31:59 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:49:32 UTC (releng/12.1, 12.1-RELEASE-p3) +CVE Name: CVE-2019-15877 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The primary interface used for network driver configuration is ioctl(2). +Several ioctl(2) commands are reserved for driver-specific purposes. For +instance, a driver may use one of these ioctls to implement an interface for +updating device firmware. + +II. Problem Description + +The driver-specific ioctl(2) command handlers in ixl(4) failed to check +whether the caller has sufficient privileges to perform the corresponding +operation. + +III. Impact + +The ixl(4) handler permits unprivileged users to trigger updates to the +device's non-volatile memory (NVM). + +IV. Workaround + +No workaround is available. Systems that do not contain devices driven by +ixl(4) are unaffected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch +# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch.asc +# gpg --verify if_ixl_ioctl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r356606 +releng/12.1/ r359140 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15877> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIyvg/+Myq/m3iP2V8tluOVxVmXOEn9qULYfSEM8thr7N+EZpepK45KMkVeBMp5 +gGvd8XEbZyS1RSu+Knr3+yU+jQTFeVg/52QJ8fcTbH5r+5fcO0eJw9I0hwoJBAM+ +Fp7mTtON6PUCIlaXcwmFQfQ4l1iPee2qCsn7ia02dBFZXvHq6fT6tplSagtJj8Fd +xOBvnlf8obrvC+TswIKydCREaGAIRKTa0yMzh0Ml435gmCYMrGTe2NtjNKM9sgw8 +N0Y5QHuV59kiM3mYc5I7uLux1wUIlO6rdZ2lOsbuWNcW40q9IE1Gve9kjhmha8Ls +h7BW3VPLM8gxwrgJNygxSRtremDYfQZNoeONqRKd0C2H5EVT4vZfPRI4VxziNGU7 +US0VJwm7x/bET/zbVS5YIsGwqyn9kVjBRpv+eRN4CNmEoZugB/ZJn7lRhZ9cdsTG +fDM/ULk7UMPrap8ltr0hcYvLYzOmsR1K+oxqmWLzO2+FpnoUrAmWaInptbBuOaSj +tbmRc97wpR7LJcrmAo3rHvHdbwzY9jsQk1X1Y4LAKAr114S36m3HqwX5mhv91/ZR +oXOiDYCvFlf8BBQo5BMFDlSfft1Nd8iwAEumHmo+hFFs/yVwJlwwyt2tVwpT3V3Z +py6szSTnDzjslb/JGYI8ujpHNuJrfdWRmJUrXzqreKbiYA5pWGo= +=MmYl +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:07.epair.asc b/share/security/advisories/FreeBSD-SA-20:07.epair.asc new file mode 100644 index 0000000000..62e1642809 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:07.epair.asc @@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:07.epair Security Advisory + The FreeBSD Project + +Topic: Incorrect user-controlled pointer use in epair + +Category: core +Module: kernel +Announced: 2020-03-19 +Credits: Ilja van Sprundel +Affects: All supported versions of FreeBSD. +Corrected: 2020-02-04 04:29:54 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:50:36 UTC (releng/12.1, 12.1-RELEASE-p3) + 2020-02-04 04:29:53 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:50:36 UTC (releng/11.3, 11.3-RELEASE-p7) +CVE Name: CVE-2020-7452 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The epair(4) interface provides a pair of virtual back-to-back connected +Ethernet interfaces. + +II. Problem Description + +Incorrect use of a potentially user-controlled pointer in the kernel allowed +vnet jailed users to panic the system and potentially execute aribitrary code +in the kernel. + +III. Impact + +Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic +the system, or potentially escape the jail or execute arbitrary code with +kernel priviliges. + +IV. Workaround + +No workaround is available. Systems not using epair(4) are not vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch +# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch.asc +# gpg --verify epair.12.patch.asc + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch +# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch.asc +# gpg --verify epair.11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- - ------------------------------------------------------------------------- +stable/12/ r357490 +releng/12.1/ r359141 +stable/11/ r357489 +releng/11.3/ r359141 +- - ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7452> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:07.epair.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJIrhAAjdJsKCoBkjLmwIG/yU2W5jUkqahriXx6hAQwOqwAl7pyguAghPBUFRF6 +SjU2yr/4yQk0TB3wxRMGJNVlKuBZm8I62BQLdh7al6zO3S55s4FedeM3FOBZ1jT+ +GrHU08DPEoDT3pgz4w5/T5PQFxBwqsQDEE204kAOBBOsoZEhgxz+6pADyDpt1ciY +3x+b47PTMk0D4Oi2eXX+ErMApB5xA6sEQfVa6j7HoaQ3HRnvRbuF2vQt2/KTdrWB +pOnad52smH0+5ervZS9Ooidg7L9Sfu+ARdWSFxOIsFPOSgJr7dVIKw6vcliw93Py +GwRVaOxKWUmVxuQUNBSawsIbhLCQYMp74hUL9iZ/vLo398H32u/sd/xLfHYXyZfb +GoyTQ6WxjjqzXlc1ISj3gv8+25X9vnPZ/zQC45cDLqTBYkB7V3rdDAcqrxzR/PF/ +hA+skUOnJ9N00MM/WB9+fMlAj4ZqZR2btpQcxPbRkTHbm0NZfGAFU2IlLgQ38sPD +ZN/zXEho+7rCFocEJ8AxFWMsTB0eAsVfvFyN2sdQXMQcGeHb2HfAX7d3MUInb+aH +BQm6tMi+cNTDUdPnMefRy0G/gQGEUPha0Nv5uePMhXum8J1Gaubs5a9SEezCBRby +6k1Oj0PSkR89XW4X9nkTnKo4F7fu/wB+IQy7Ts7rTa36LcgtV+U= +=yXWc +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:08.jail.asc b/share/security/advisories/FreeBSD-SA-20:08.jail.asc new file mode 100644 index 0000000000..03891c36cd --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:08.jail.asc @@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:08.jail Security Advisory + The FreeBSD Project + +Topic: Kernel memory disclosure with nested jails + +Category: core +Module: kern +Announced: 2020-03-19 +Credits: Hans Christian Woithe <chwoithe@yahoo.com> +Affects: All supported versions of FreeBSD. +Corrected: 2020-03-16 21:12:46 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:51:33 UTC (releng/12.1, 12.1-RELEASE-p3) + 2020-03-16 21:12:32 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:51:33 UTC (releng/11.3, 11.3-RELEASE-p7) +CVE Name: CVE-2020-7453 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The jail_set(2) system call allows a system administrator to lock up a +process and all its descendants inside a closed environment with very +limited ability to affect the system outside that environment, even +for processes with superuser privileges. + +The jail_get(2) system call allows a system administrator to read the +configuration of running jails. + +II. Problem Description + +A missing NUL-termination check for the jail_set(2) configration option +"osrelease" may return more bytes when reading the jail configuration +back with jail_get(2) than were originally set. + +III. Impact + +For jails with a non-default setting of children.max > 0 ("nested jails") +a superuser inside a jail can create a jail and may be able to read and +take advantage of exposed kernel memory. + +IV. Workaround + +No workaround is available. Systems not altering the default settings of +the jail configuration option children.max=0 are not affected as a root on +the base system has access to kernel memory by other means and a super +user inside a jail cannot create further jails. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch +# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch.asc +# gpg --verify kern_jail.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r359021 +releng/12.1/ r359142 +stable/11/ r359020 +releng/11.3/ r359142 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7453> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:08.jail.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKWdw//ZFfaoCenbVtvB6a4JW9HOT0yMoDXup+OdpjbhUTsJSyvDB9eZUSiZJ7u +4rQZpYQZotND2I/U8BSUjcJlDVzhTn6WN1yZFpWI9oFrSJhKxkwGMuetocUw7MgE +++WaaVueodMBjG7+v7mUmr5pXomdpxCO4XZxTW0BCm3Pvydera1kZVHzQ2pAw0On +cnOiSN+v04latfkjjdjPv+oC8GUsI3Q+4jF745MN9dND+4KV/4CW5BJg6sUiJakx +WB6cXayxp+Q/WPoB4OS/w3loe1FGIqESjXMxdHAV0n9eVofv8+h0rQt5kQ9oFpCm +Ql2NUG7xKqoidGlhzff5w0j5+VNXA/exv+sH/lQTZO5xJa/5Ti1wlUxsrp/8jO9Z +vRDd3CwjOIG+dFBSAXWcAaSedJ+Ax97RVbfKmYiy5B7ujJp/X6rJXU2G3zOhObCS +8/E+KHlj9YT4hN73zDeGiw5zKVjbfVQp661mKgP1lO+4Mv9357F8epux+CV3fdb6 +BBttCm8l8ubhfr12fmBAfXUXDx7stNTpvcgphGUB0v6Sfxbv0OHoGzfAGrQ3i3LP +Os7OoFRJ+2SJ/G8xpjVjriOsAoLeUX43JIlPTOEvU2mhol/M717Rwn94ndqXfNJh +XCF2AaOVXxBpdx2Vik3FBTGZvAfTCxMQOZwGn7zVzpbxlCbasKM= +=13XM +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:09.ntp.asc b/share/security/advisories/FreeBSD-SA-20:09.ntp.asc new file mode 100644 index 0000000000..8e6d3b2f8d --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:09.ntp.asc @@ -0,0 +1,168 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:09.ntp Security Advisory + The FreeBSD Project + +Topic: Multiple denial of service in ntpd + +Category: contrib +Module: ntp +Announced: 2020-03-19 +Credits: Philippe Antoine and Miroslav Lichvar +Affects: All supported versions of FreeBSD. +Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE) + 2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3) + 2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE) + 2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7) + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The ntpd(8) daemon is an implementation of the Network Time Protocol +(NTP) used to synchronize the time of a computer system to a reference +time source. + +II. Problem Description + +Three NTP vulnerabilities are addressed by this security advisory. + +NTP Bug 3610: Process_control() should exit earlier on short packets. +On systems that override the default and enable ntpdc (mode 7), fuzz testing +detected a short packet will cause ntpd to read uninitialized data. + +NTP Bug 3596: Due to highly predictable transmit timestamps, an +unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim +ntpd configured to receive time from an unauthenticated time source is +vulnerable to an off-path attacker with permission to query the victim. The +attacker must send from a spoofed IPv4 address of an upstream NTP server and +the victim must process a large number of packets with that spoofed IPv4 +address. After eight or more successful attacks in a row, the attacker can +either modify the victim's clock by a small amount or cause ntpd to +terminate. The attack is especially effective when unusually short poll +intervals have been configured. + +NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such +that an ntpd can be prevented from initiating a time volley to its peer +resulting in a DoS. + +III. Impact + +All three NTP bugs may result in DoS or terimation of the ntp daemon. + +IV. Workaround + +Systems not using ntpd(8) are not vulnerable. + +Systems running ntpd should make the following changes: +- - Disable mode 7 +- - Use many trustworthy sources of time +- - Use NTP packet authentication +- - Monitor ntpd for error messages indicating attack +- - If only unauthenticated time over IPv4 is available, use the restrict + configuration directive + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1-STABLE] +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc +# gpg --verify ntp.12.patch.asc + +[FreeBSD 12.1-RELEASE] +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc +# gpg --verify ntp.12.1.patch.asc + +[FreeBSD 11.3-STABLE] +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc +# gpg --verify ntp.11.patch.asc + +[FreeBSD 11.3-RELEASE] +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch +# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc +# gpg --verify ntp.11.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r358659 +releng/12.1/ r359144 +stable/11/ r358660 +releng/11.3/ r359144 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:09.ntp.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIoaA//V8fG/ugFkS6ASluls3rsww0gxoVH65HM7SDiPC814cl8ck2DUSMO7lzA +jPAmsLPdrhGrJ7lTndUxuZ5hf0YeI/CgccTWYoPgiZjfXoeHS2ydQVVpM9j2ByNo +KgwqEnRxLaIRBg3+zf7sT/IenC+ivHbPDxrmW4y7ehUQO/fZ3AcXjcAw6PPCzGlp +pN8Jml04uUuD/Nb92IzWGKvLPsL27slWAHG6nPPw0onzqaZqNhFf1UUDK9qvZRNB +2pHO+aJPfRq2kUk2DvfcB4kTGB1jbHJBBRNA1ns2xrtdKKIBnwSBatN/SBznhPuF +nxGN/Y0k8EYJdVOHaoyqSlG31jatAd/TaA9+1JauxB7/29c65JHyAfddtZKY64vl +DVnfDus+fcxg9D5FI7/O9qUeMZ/S1Ix683BzUPYhCDksC+VP28mqCHMBYRdKrc1m +ysnnER8Tli+Zbenn88202+lJAaAI3gKygdzKRQg5FgXWqWi84G1WPs+c8dihpovV +ZG5AqS1gJuwlP72x/g8by7BT140PZIEYaR5Qm7uIlfNTQxNBDmDkCF54wrhAFQWY +XZrOLiOsVJdn6mX9WfPh7kxd59nAjGuy5fKwWF22g5vQsGCGoBHsqZTKPiA+WxVu +Ngqq+8zUMkcTXP7NE3aT+4HDTXi/WRwiEKTGd8zGm5J8bEHXi9I= +=Q4Yq +-----END PGP SIGNATURE----- |