| author | Xin LI <delphij@FreeBSD.org> | 2014-05-13 23:55:52 +0000 |
|---|---|---|
| committer | Xin LI <delphij@FreeBSD.org> | 2014-05-13 23:55:52 +0000 |
| commit | 6705d6148284301d1298018d8721551911279cd5 | |
| tree | 027ccc05bbd9fd4a3408bb1862ba8eec4f401983 (/share) | |
| parent | 1acb4e93476570ee8602c2f0d0a9fea70af5a1cb | |
Add the latest advisory and 3 new errata notices:
Fix OpenSSL NULL pointer dereference vulnerability. [SA-14:09]
Add pkg bootstrapping, configuration and public keys. [EN-14:03]
Improve build repeatability for kldxref(8). [EN-14:04]
Fix data corruption with ciss(4). [EN-14:05]
Notes:
svn path=/head/; revision=44822
Diffstat (limited to 'share')
18 files changed, 1511 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-14:03.pkg.asc b/share/security/advisories/FreeBSD-EN-14:03.pkg.asc new file mode 100644 index 0000000000..ba203beafb --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:03.pkg.asc 
@@ -0,0 +1,180 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:03.pkg Errata Notice + The FreeBSD Project + +Topic: pkg bootstrapping, configuration and public keys + +Category: core, packages +Module: pkg +Announced: 2014-05-13 +Credits: Baptiste Daroussin, Bryan Drewery +Affects: All versions of FreeBSD prior to 10.0-RELEASE +Corrected: 2014-04-15 23:40:47 UTC (stable/8, 8.4-STABLE) + 2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10) + 2014-03-11 14:48:44 UTC (stable/9, 9.2-STABLE) + 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) + 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The pkg(7) utility is the new package management tool for FreeBSD. The +FreeBSD project has provided official pkg(7) packages since October 2013 +and signed packages since the pkg-1.2 release in November 2013. The +signature checking requires known public keys to be installed locally. +The repository configuration must be installed as well. + +The base system also includes a pkg(7) bootstrap tool that installs the +latest real pkg(7) package. The bootstrap tool knows where to find the +official pkg(7) package but once that is installed the real pkg(7) will +not know where to find official packages, nor have the known public key +for signature checking. + +The bootstrap tool was also improved in 10.0-RELEASE to check the +signature on the pkg(7) package it is installing. + +II. Problem Description + +Only FreeBSD 10.0 has been released with the official repository +configuration, known public keys, and a bootstrap tool that checks the +signature of the pkg(7) package it is installing. 
+ +To allow packages to be used on a system, the configuration must be +manually setup and keys securely fetched and installed to the proper +location. + +III. Impact + +Releases before 10.0 require manual configuration. Manually configuring the +pkg(7) signatures could result in insecurely installing the keys or leaving +the signature checking disabled. + +The bootstrap tool is not secure on releases prior to 10.0 due to not checking +the signature and could result in having an unofficial pkg(7) installed due to +MITM attacks. + +IV. Workaround + +To securely install pkg(7) on releases prior to 10.0, install it from ports +obtained from a secure portsnap checkout: + +# portsnap fetch extract +# echo "WITH_PKGNG=yes" >> /etc/make.conf +# make -C /usr/ports/ports-mgmt/pkg install clean + +If this is an existing system it may be converted to pkg(7) as well by running: + +# pkg2ng + +After this is done /usr/ports may be removed if no longer required. + +To workaround the configuration and keys being missed, apply the solution in +this Errata. + +V. Solution + +No solution is provided for pkg(7) bootstrap signature checking on releases prior +to 10.0. Upgrading to 10.0 or stable/9 after r263038 will suffice. + +To install the configuration and public key in a secure means, perform one of +the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 9.2] +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.2.patch +# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc +# gpg --verify pkg-en-releng-9.2.patch.asc + +[FreeBSD 9.1] +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-9.1.patch +# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc +# gpg --verify pkg-en-releng-9.1.patch.asc + +[FreeBSD 8.4] +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch +# fetch http://security.FreeBSD.org/patches/EN-14:03/pkg-en-releng-8.4.patch.asc +# gpg --verify pkg-en-releng-8.4.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch +# cd /usr/src/etc/pkg +# mkdir -p /etc/pkg /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked +# make install +# cd /usr/src/share/keys/pkg +# make install + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r264519 +releng/8.4/ r265989 +stable/9/ r263937 (*) +releng/9.1/ r265988 +releng/9.2/ r265988 +- ------------------------------------------------------------------------- + +(*) The actual required changeset consists a series of changes, including +r263023,r258550,r263050,r263053 and r263937. 
+ +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:03.pkg.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnPgsP/i1EV9g4qXg9v6HvakiFFKrv +51810uJe/Eo9iujDT1TpwuYJuFQPzkW+h4JRvapaSLAMxeLsYqxj8WDuKz0eU6sW +WjaPv6LZWUG91jHbFr3uEAgLLvkc86kMI/hfSmzq5FY7gsisEKoyfdraR2E63jtp +BFARxAq9hnddck5zZiX7wCOMtvCVrvrSsozft1p885AUra+Tg9F1RuUloS0CYddD +FtUb1dPMshkHlqHqC1wGzRfBVFgX7NnXfnxIi2St1ft0tEDKIL+HQgnjU2CwKbK7 +S9ioLYbbUhyo6edpS/4+y5gJ1kVLvlelY4myBHUkSOMJrsxoIBCTuXjdnO9PL5gr +qpS9R6TQEMF5auEG5aIOwfu5t8wqczAfC4zVzbm4UPakRYPFS0NfvkDGW2Gno7Yh +iOur/JFLUOqbV9i8UwssS8OzG0cr8EzbZ3iLkVPqt1Cxuxxpx8+NYiYV3F0PMxB8 +iImoOD1BY0lS3x0gqgeZb5ssBk988aVq1cmbrUuriHuKLK/uvSaFHlGXprQyQmTn +4FEFmMNTCSMbYy3J2daEajUroiZVcBEjORPFR8QYtncRgbzB6u/AjVIo+3Uk/0hj +paC8dvBikmT7ity3b7YoOvJIJn62XVqrq9srkYowkDuLJ1E8zQqmR2eZUOmf5vG1 +u3zAXa3xup1ginA9Wi6O +=UI84 +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc b/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc new file mode 100644 index 0000000000..1edc9b6edb --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:04.kldxref.asc 
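Review bot: in section V.2.a of FreeBSD-EN-14:03.pkg.asc the detached-signature URLs for the 9.2 and 9.1 patches point at the wrong directory: `# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.2.patch.asc` and `# fetch http://security.FreeBSD.org/patches/EN-14:10/pkg-en-releng-9.1.patch.asc`, while the patches themselves and the 8.4 signature live under `EN-14:03/`. A reader following the text as written either gets a missing file or skips verification and applies an unverified patch whose whole purpose is to install the trust anchor for pkg signature checking; both should read `.../patches/EN-14:03/pkg-en-releng-9.x.patch.asc`. Two smaller points in the same file: the footnote in section VI reads `consists a series of changes` and should be `consists of a series of changes`, and section V.2.b mixes the `patch` step with a `make install` under `/usr/src/etc/pkg` and `/usr/src/share/keys/pkg` but never says the `mkdir -p` is there because mtree(8) is not re-run; a half-sentence saying so would stop people from skipping it.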
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:04.kldxref Errata Notice + The FreeBSD Project + +Topic: Build repeatability for kldxref(8) + +Category: core +Module: kldxref +Announced: 2014-05-13 +Credits: Jilles Tjoelker +Affects: All versions of FreeBSD prior to 10.0-RELEASE. +Corrected: 2014-05-13 23:35:29 UTC (stable/8, 8.4-STABLE) + 2014-05-13 23:24:32 UTC (releng/8.4, 8.4-RELEASE-p10) + 2013-12-23 22:38:41 UTC (stable/9, 9.2-STABLE) + 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) + 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The kldxref utility is used to generate hint files which list modules, their +version numbers, and the files that contain them. These hints are used by +the kernel loader to determine where to find a particular KLD module. + +II. Problem Description + +Previous versions of kldxref(8) do not use an ordered list of files when +generating the hints file. The result of kldxref(8) is equivalent but not +the same if file system layout have been changed. + +III. Impact + +The generated hint files can be different across different builds, making +unnecessary downloads for binary patch files. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch +# fetch http://security.FreeBSD.org/patches/EN-14:04/kldxref.patch.asc +# gpg --verify kldxref.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r265990 +releng/8.4/ r265989 +stable/9/ r259799 +releng/9.1/ r265988 +releng/9.2/ r265988 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:04.kldxref.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnmPgP/iPAKX2lIGwRXkrYFbNPEBSz ++Tehkgw/ReNG0iaAJql/p0LrxyGUoCwE2rpTJxxC8KB9X8Eq74DhjSNpdYaE12E2 +YFMyIyAb1b6wqU34Q7DsR9oPhqIcb9yET2dEg+s5NVSWfC7AMWdvvaJjjxtLgG4L +M9yksDAKs3AJOHEVEtluy7Do8A5W/6b5SHXENbG+AUUBtwnDBKcs9riXic/TQ1WB +vJzHwAJVznQ03bnxqjuG+gZoej6xUHusX+ih87ioKiJrcZ/5szq2C6LIUnRnAA66 +6b/szBJ3gRBweOKeopESIcZfwaLCd53EX9/r9vqAfXK6+3uqoIXzkZCyzo+cgSwa ++88SmZ3/4dao24JPoLbVupIyU0CJjmoLsV9jVCrC/fbkUFTxq7Cgbxeai3rmrpXC +p11FXPJd4cOgwuQYUw3rowtoq8z8Wn3PI073SzwT2OZg4SgXRUn+FzGpMWwqbWoa +1idQ9KSM/pFkoa7bdK5S7mYtp7jU9HQeiTXZYYF1S3URr2XpE1vyUFVOuDJpGkkW +KIT/hdy02wGzPPGjQoFkSR2KpUmJr2zHhVSUdt7a8vvYhbZBR21sBIUNKSoWkYtC +2CQXF4pFBHO/i79RiEU+2E1CKWpsqoHnvnKNRq3Bp54aaU9xa4YcRwRJ7lj9RALm ++igNrZJMo3yw3gs89uGp +=W4to +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-14:05.ciss.asc b/share/security/advisories/FreeBSD-EN-14:05.ciss.asc new file mode 100644 index 0000000000..adffc814a5 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:05.ciss.asc 
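Review bot: in section II of FreeBSD-EN-14:04.kldxref.asc the sentence `The result of kldxref(8) is equivalent but not the same if file system layout have been changed.` does not parse and buries the point. It should say that the generated hints file is functionally equivalent but not byte-identical when the directory listing order differs, because kldxref(8) walks the module directory in whatever order the file system returns entries. Section III should then state the consequence plainly: two builds of identical sources produce different linker.hints, so freebsd-update(8) ships that file on every binary update even though nothing changed. Minor: the `Affects:` line ends with a period, unlike the other notices in this commit.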
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:05.ciss Errata Notice + The FreeBSD Project + +Topic: data corruption with ciss(4) + +Category: core +Module: ciss +Announced: 2014-05-13 +Credits: Sean Bruno +Affects: FreeBSD 10.x and FreeBSD 9.x +Corrected: 2014-04-15 17:52:22 UTC (stable/9, 9.2-STABLE) + 2014-05-13 23:24:14 UTC (releng/9.2, 9.2-RELEASE-p6) + 2014-05-13 23:24:14 UTC (releng/9.1, 9.1-RELEASE-p13) + 2014-04-15 17:49:47 UTC (stable/10, 10.0-STABLE) + 2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The ciss driver supports HP Smart Array line of hardware RAID controllers. + +II. Problem Description + +There is a programming error discovered in the ciss(4) driver, where a missing +lock can trigger a failed assertion when the volume state changes, such as +disk failure or a disk rebuild. + +III. Impact + +Systems using the ciss(4) driver may experience system crashes or data +corruption when the volume state change. + +IV. Workaround + +No workaround is available, but systems that do not use ciss(4) devices are +not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch +# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc +# gpg --verify ciss-10.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r264511 +releng/9.1/ r265988 +releng/9.2/ r265988 +stable/10/ r264510 +releng/10.0/ r265987 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:05.ciss.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNqAQAJCfdCBubWSDRO/dsSaqK6yT +bnPY4Xly523ABRCQySe0vajSIK1qqfE0bAmhYa/7BTMqyJKz0BRhx819D8SiWNS9 +Hdy4yU/hOjBkbT6KAtpBaSUNXX4ODWaNbd78c+uDSvj9UeQgrunAQC7OJR6iYWuq +25fBUXgovSr4g9puNyBs8sH+c7IzbG4HvhoPrjRDwdasEyCBzx6RggpnxusfVsd9 +91Eg/WPG3hIJW6kaHOWWeVwz4vCRZjv0u7myeJBcAa7gcwDX/J2DHeDrG60O3BNY +/fZT2UcfDxE0rEVuVnV3Vc0XkIQjuNk7G9SkGjH4Zdx+I34UT05cxU5ZrdpKNiGL +fjbo4H/KBML4agRGAPzeo3KU3rxOUmss+mh7Mu+CVoZP5uQUr1sEUkfQ+FkJjjbv +es47Ij6ZmfGyUPuVKVCW34bXm6Ieyc0QZ10kRv8paOmPsWBA+WYWGibEhvwp5v0p +AHdlGGO/FpOac4h/YEqOh6ryN8QldjCI+SCqkfs38DjeTX5IWecgax586oH7BpJm +RGc/fgx3YSO8tmMaTwKZm5VVlujsld6t95XrA2dGWOhiWcRsoWGs+SaUTNf5Y0Te +k2vD7tMsk37PG4jbp7pk4FH2Mfb9KRHe82ebdOnkOj4C5kWIB8FwYJyMIjDl3C4r +OdXZDrbyKh/swjJZJIuP +=orSF +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:10.openssl.asc b/share/security/advisories/FreeBSD-SA-14:10.openssl.asc new file mode 100644 index 0000000000..2c293bdba3 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-14:10.openssl.asc 
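Review bot: in section V.2.a of FreeBSD-EN-14:05.ciss.asc the verify step names a file that was never fetched: `# gpg --verify ciss-10.patch.asc` follows `# fetch http://security.FreeBSD.org/patches/EN-14:05/ciss.patch.asc`, so the command fails as written and invites applying the patch unverified; change it to `# gpg --verify ciss.patch.asc`. Grammar in the same file: section I `supports HP Smart Array line` should be `supports the HP Smart Array line`, section II `There is a programming error discovered` should be `A programming error was discovered`, and section III `when the volume state change` should be `changes`.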
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:10.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL NULL pointer deference vulnerability + +Category: contrib +Module: openssl +Announced: 2014-05-13 +Affects: FreeBSD 10.x. +Corrected: 2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE) + 2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3) +CVE Name: CVE-2014-0198 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +The TLS protocol supports an alert protocol which can be used to signal the +other party with certain failures in the protocol context that may require +immediate termination of the connection. + +II. Problem Description + +An attacker can trigger generation of an SSL alert which could cause a null +pointer deference. + +III. Impact + +An attacker may be able to cause a service process that uses OpenSSL to crash, +which can be used in a denial-of-service attack. + +IV. Workaround + +No workaround is available, but systems that do not use OpenSSL to implement +the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) +protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process +to handle multiple SSL connections, are not vulnerable. + +The FreeBSD base system service daemons and utilities do not use the +SSL_MODE_RELEASE_BUFFERS mode. 
However, many third party software uses this +mode to reduce their memory footprint and may therefore be affected by this +issue. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch +# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r265986 +releng/10.0/ r265987 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig> + +<URL:https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:10.openssl.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAEBCgAGBQJTcq5IAAoJEO1n7NZdz2rnNb4QAODp1Pxk3GlTwlptWQkC+DJb +bwd2RRtkvkz677JIbdtyM7b5POgUih/NtAF9Yyy/pg8IJcSRiv0f7F5L+maV9nee +KGb27zizWOgIqor6HhRAv2OniVN271OfoyCkt0xRmigBR6dQ80iBVuCk6McvxvjL +5Yfw8wtfF8zAo5p1d4V3EEPOIVPwgJ31YnB/sVv+SyV6Ldl5DS0Gp1Cm9KjvaJUI +CUIljIaH6AFuzs671V4DpuFPtFPIsvGUhEdpf6+ypVJN1J/D+BNRvoIX1zxou4Kf +34qB6cs/LlyBKCPctK/qLU7UScNsuUItpWrw5ESHFHdgsTr8XA9POxU72wlCRCoQ +T2A6zIqPQRgCWfrPnmJNwLN9riMQGc2oFBXd19iITyc8/7OcXAFnzIy+zu++jZp6 +rMwGIUCg5UKkSGVWnoYyS/1SQRYqi4MzUqC/AwpQHKoE5CqUzVCJ7zGTFcsie0o4 +wfWoFlkgbNl0Attn4HLuXncjvGVCMeWqUERKBU7xIxC1D5PKXF5QmCUqlZrddBaw +ATIFsPEopu2bX/+sbgcGKSF5WAWwdT92vIgarjW3UkKDYihRNKusrOwp3sue7Iw+ +QIweOaJLqpSnfQ3me62I3fWYjRwceeASeTx7dYdxrK1Dx5DnlN8gGwwhl/7cvoWe +Xm6DqYXeQRsIxZ7Ng/PO +=4EYM +-----END PGP SIGNATURE----- 
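Review bot: the Topic and section II of FreeBSD-SA-14:10.openssl.asc say `NULL pointer deference`; the term is `dereference`. The same misspelling is carried into the commit message, which also labels this advisory `[SA-14:09]` while the file added here is `FreeBSD-SA-14:10.openssl.asc`, so the page is internally inconsistent about the advisory number. The Workaround paragraph is also hard to apply as written: `or not using SSL_MODE_RELEASE_BUFFERS and use the same process to handle multiple SSL connections, are not vulnerable` can be read as saying that one process handling many connections is the safe case. Restate it as the condition under which a system is exposed (OpenSSL used for SSL/TLS and the application sets SSL_MODE_RELEASE_BUFFERS, plus whatever the multi-connection clause is meant to add), which is the condition the next paragraph relies on when it says the base system daemons do not set that mode. Finally, in section V `Restart all deamons` should be `daemons`.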
diff --git a/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch b/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch new file mode 100644 index 0000000000..ae3ebe1828 --- /dev/null +++ b/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch 
@@ -0,0 +1,232 @@ +Index: etc/Makefile +=================================================================== +--- etc/Makefile (revision 265457) ++++ etc/Makefile (working copy) +@@ -172,6 +172,7 @@ distribution: + ${_+_}cd ${.CURDIR}/devd; ${MAKE} install + ${_+_}cd ${.CURDIR}/gss; ${MAKE} install + ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install ++ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install + ${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install + ${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall + ${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap +Index: etc/mtree/BSD.root.dist +=================================================================== +--- etc/mtree/BSD.root.dist (revision 265457) ++++ etc/mtree/BSD.root.dist (working copy) +@@ -52,6 +52,8 @@ + weekly + .. + .. ++ pkg ++ .. + ppp + .. + rc.d +Index: etc/mtree/BSD.usr.dist +=================================================================== +--- etc/mtree/BSD.usr.dist (revision 265457) ++++ etc/mtree/BSD.usr.dist (working copy) +@@ -340,6 +340,14 @@ + .. + info + .. ++ keys ++ pkg ++ revoked ++ .. ++ trusted ++ .. ++ .. ++ .. + locale + UTF-8 + .. 
+Index: etc/pkg/FreeBSD.conf +=================================================================== +--- etc/pkg/FreeBSD.conf (revision 0) ++++ etc/pkg/FreeBSD.conf (working copy) +@@ -0,0 +1,16 @@ ++# $FreeBSD$ ++# ++# To disable this repository, instead of modifying or removing this file, ++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file: ++# ++# mkdir -p /usr/local/etc/pkg/repos ++# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf ++# ++ ++FreeBSD: { ++ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", ++ mirror_type: "srv", ++ signature_type: "fingerprints", ++ fingerprints: "/usr/share/keys/pkg", ++ enabled: yes ++} +Index: etc/pkg/Makefile +=================================================================== +--- etc/pkg/Makefile (revision 0) ++++ etc/pkg/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= FreeBSD.conf ++ ++FILESDIR= /etc/pkg ++FILESMODE= 644 ++ ++.include <bsd.prog.mk> +Index: share/Makefile +=================================================================== +--- share/Makefile (revision 265457) ++++ share/Makefile (working copy) +@@ -9,6 +9,7 @@ SUBDIR= ${_colldef} \ + ${_dict} \ + ${_doc} \ + ${_examples} \ ++ keys \ + ${_man} \ + ${_me} \ + misc \ +Index: share/keys/Makefile +=================================================================== +--- share/keys/Makefile (revision 0) ++++ share/keys/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= pkg ++ ++.include <bsd.subdir.mk> +Index: share/keys/pkg/Makefile +=================================================================== +--- share/keys/pkg/Makefile (revision 0) ++++ share/keys/pkg/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= trusted ++ ++.include <bsd.subdir.mk> +Index: share/keys/pkg/trusted/Makefile +=================================================================== +--- share/keys/pkg/trusted/Makefile (revision 0) ++++ share/keys/pkg/trusted/Makefile (working copy) +@@ -0,0 +1,10 @@ 
++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= pkg.freebsd.org.2013102301 ++ ++FILESDIR= /usr/share/keys/pkg/trusted ++FILESMODE= 644 ++ ++.include <bsd.prog.mk> +Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301 +=================================================================== +--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0) ++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy) +@@ -0,0 +1,4 @@ ++# $FreeBSD$ ++ ++function: "sha256" ++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" +Index: share/man/man7/hier.7 +=================================================================== +--- share/man/man7/hier.7 (revision 265457) ++++ share/man/man7/hier.7 (working copy) +@@ -32,7 +32,7 @@ + .\" @(#)hier.7 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd May 25, 2008 ++.Dd October 29, 2013 + .Dt HIER 7 + .Os + .Sh NAME +@@ -546,6 +546,16 @@ ASCII text files used by various games + device description file for device name + .It Pa info/ + GNU Info hypertext system ++.It Pa keys/ ++known trusted and revoked keys. ++.Bl -tag -width ".Pa keys/pkg/" -compact ++.It Pa keys/pkg/ ++fingerprints for ++.Xr pkg 7 ++and ++.Xr pkg 8 ++.El ++.Pp + .It Pa locale/ + localization files; + see +Index: usr.sbin/pkg/pkg.c +=================================================================== +--- usr.sbin/pkg/pkg.c (revision 265457) ++++ usr.sbin/pkg/pkg.c (working copy) +@@ -284,13 +284,10 @@ bootstrap_pkg(void) + { + struct url *u; + FILE *remote; +- FILE *config; +- char *site; + struct dns_srvinfo *mirrors, *current; + /* To store _https._tcp. 
+ hostname + \0 */ + char zone[MAXHOSTNAMELEN + 13]; + char url[MAXPATHLEN]; +- char conf[MAXPATHLEN]; + char abi[BUFSIZ]; + char tmppkg[MAXPATHLEN]; + char buf[10240]; +@@ -306,7 +303,6 @@ bootstrap_pkg(void) + max_retry = 3; + ret = -1; + remote = NULL; +- config = NULL; + current = mirrors = NULL; + + printf("Bootstrapping pkg please wait\n"); +@@ -387,26 +383,6 @@ bootstrap_pkg(void) + if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0) + ret = install_pkg_static(pkgstatic, tmppkg); + +- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf", +- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE); +- +- if (access(conf, R_OK) == -1) { +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- +- config = fopen(conf, "w+"); +- if (config == NULL) +- goto cleanup; +- fprintf(config, "packagesite: %s\n", url); +- fclose(config); +- } +- + goto cleanup; + + fetchfail: +@@ -423,7 +399,11 @@ cleanup: + + static const char confirmation_message[] = + "The package management tool is not yet installed on your system.\n" +-"Do you want to fetch and install it now? [y/N]: "; ++"The mechanism for doing this is not secure on FreeBSD 8. To securely install\n" ++"pkg(8), use ports from a portsnap checkout:\n" ++" # portsnap fetch extract\n" ++" # make -C /usr/ports/ports-mgmt/pkg install clean\n" ++"Do you still want to fetch and install it now? [y/N]: "; + + static int + pkg_query_yes_no(void) diff --git a/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc b/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc new file mode 100644 index 0000000000..fea3b68c8b --- /dev/null +++ b/share/security/patches/EN-14:03/pkg-en-releng-8.4.patch.asc 
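Review bot: in the usr.sbin/pkg/pkg.c hunk of pkg-en-releng-8.4.patch the new confirmation_message tells users to run `# portsnap fetch extract` and `# make -C /usr/ports/ports-mgmt/pkg install clean`, but leaves out the `echo "WITH_PKGNG=yes" >> /etc/make.conf` step that section IV of the errata puts between those two commands, and calls the tool pkg(8) where the notice says pkg(7); without WITH_PKGNG the ports framework on 8.x keeps registering into the old pkg_* database, so the in-tool instructions should match the notice exactly. Dropping the pkg.conf-writing block (the `config`, `site` and `conf` variables and the `packagesite:` line) is right now that etc/pkg/FreeBSD.conf carries the repository, but nothing in this patch removes a `packagesite:` entry already written into `${LOCALBASE}/etc/pkg.conf` by an earlier bootstrap, so the notice should tell those users to check for and delete it. Also, the new etc/pkg/FreeBSD.conf fetches over `pkg+http://`, which is acceptable only because `signature_type: "fingerprints"` against `/usr/share/keys/pkg` provides integrity; the file's header comment explains how to disable the repository but not that the fingerprint directory is what users must not tamper with, and that is worth one line.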
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rn7uAP/Aj/qkmd/B1E5OcnVndzFdVV +wk7qiDIfo3SckWu0Mz3j45qKgZLYvPgnY4ensL8IuOT2RzLVj9PP9Bqy3aEZquPf +6kYCOGDI8B2wZm8o6aRYPlRAY97OvrEucGFWk6kQCCpak4HmntqvIBmaTqeZ7tKV +lohRBdVNBvYdO89IK3K4hbVReVP2D2qg6U6lZuj0RNLKjVTD8NtUqJMkwQQJTYK9 +3BAsiqZM7QFo/E85aP11/Ox14SYov4VQ5zONl2OhshbL4dANrVUGZxh2/ecaN2pv +k+TGCHzd/o6fdopTawZTUqBLRt+Pbj5VCCVWqxszoA5xfIsLmFt9hNTGtzNnevVZ +WjKDba4nyzQoEwig58jbMIKV0eKjvOOmvOAK80EBd9gAOftcsNiFMIuDBkAy0z6j +1mHlQZJXcg4PjOgmzGgZjQrTOiwfGpsisbBnmOhMuBPhrglv7n5QCg5k91i8EBqQ +AWpTY+UcxuFKn2CkEjubppwxf9kqBvK7ClO8gpsJxERjCVPkop8hJfiw9EG+Jzkp +fp4pIeajT+Dj6pAS+Y64tjkClPVTDKEK0H2Ut3d44DO8RUrAgXSWwgqRWNeQQvcM +U4HIuY8+Qt4Ue8NECGYlpJ/RvsoKROiM0hcQH7auGOqsUkdr9k9kA4ICABy43SK6 +KO7yxSd7x7hFFuUVMpV3 +=pIs3 +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch b/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch new file mode 100644 index 0000000000..493fe9db51 --- /dev/null +++ b/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch 
@@ -0,0 +1,229 @@ +Index: etc/Makefile +=================================================================== +--- etc/Makefile (revision 265457) ++++ etc/Makefile (working copy) +@@ -205,6 +205,7 @@ distribution: + ${_+_}cd ${.CURDIR}/devd; ${MAKE} install + ${_+_}cd ${.CURDIR}/gss; ${MAKE} install + ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install ++ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install + ${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install + ${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall + ${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap +Index: etc/mtree/BSD.root.dist +=================================================================== +--- etc/mtree/BSD.root.dist (revision 265457) ++++ etc/mtree/BSD.root.dist (working copy) +@@ -52,6 +52,8 @@ + weekly + .. + .. ++ pkg ++ .. + ppp + .. + rc.d +Index: etc/mtree/BSD.usr.dist +=================================================================== +--- etc/mtree/BSD.usr.dist (revision 265457) ++++ etc/mtree/BSD.usr.dist (working copy) +@@ -398,6 +398,14 @@ + .. + .. + .. ++ keys ++ pkg ++ revoked ++ .. ++ trusted ++ .. ++ .. ++ .. + locale + UTF-8 + .. 
+Index: etc/pkg/FreeBSD.conf +=================================================================== +--- etc/pkg/FreeBSD.conf (revision 0) ++++ etc/pkg/FreeBSD.conf (working copy) +@@ -0,0 +1,16 @@ ++# $FreeBSD$ ++# ++# To disable this repository, instead of modifying or removing this file, ++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file: ++# ++# mkdir -p /usr/local/etc/pkg/repos ++# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf ++# ++ ++FreeBSD: { ++ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", ++ mirror_type: "srv", ++ signature_type: "fingerprints", ++ fingerprints: "/usr/share/keys/pkg", ++ enabled: yes ++} +Index: etc/pkg/Makefile +=================================================================== +--- etc/pkg/Makefile (revision 0) ++++ etc/pkg/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= FreeBSD.conf ++ ++FILESDIR= /etc/pkg ++FILESMODE= 644 ++ ++.include <bsd.prog.mk> +Index: share/Makefile +=================================================================== +--- share/Makefile (revision 265457) ++++ share/Makefile (working copy) +@@ -10,6 +10,7 @@ SUBDIR= ${_colldef} \ + ${_doc} \ + ${_examples} \ + ${_i18n} \ ++ keys \ + ${_man} \ + ${_me} \ + misc \ +Index: share/keys/Makefile +=================================================================== +--- share/keys/Makefile (revision 0) ++++ share/keys/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= pkg ++ ++.include <bsd.subdir.mk> +Index: share/keys/pkg/Makefile +=================================================================== +--- share/keys/pkg/Makefile (revision 0) ++++ share/keys/pkg/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= trusted ++ ++.include <bsd.subdir.mk> +Index: share/keys/pkg/trusted/Makefile +=================================================================== +--- share/keys/pkg/trusted/Makefile (revision 0) ++++ share/keys/pkg/trusted/Makefile (working copy) +@@ -0,0 +1,10 
@@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= pkg.freebsd.org.2013102301 ++ ++FILESDIR= /usr/share/keys/pkg/trusted ++FILESMODE= 644 ++ ++.include <bsd.prog.mk> +Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301 +=================================================================== +--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0) ++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy) +@@ -0,0 +1,4 @@ ++# $FreeBSD$ ++ ++function: "sha256" ++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" +Index: share/man/man7/hier.7 +=================================================================== +--- share/man/man7/hier.7 (revision 265457) ++++ share/man/man7/hier.7 (working copy) +@@ -32,7 +32,7 @@ + .\" @(#)hier.7 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd May 25, 2008 ++.Dd October 29, 2013 + .Dt HIER 7 + .Os + .Sh NAME +@@ -546,6 +546,16 @@ ASCII text files used by various games + device description file for device name + .It Pa info/ + GNU Info hypertext system ++.It Pa keys/ ++known trusted and revoked keys. 
++.Bl -tag -width ".Pa keys/pkg/" -compact ++.It Pa keys/pkg/ ++fingerprints for ++.Xr pkg 7 ++and ++.Xr pkg 8 ++.El ++.Pp + .It Pa locale/ + localization files; + see +Index: usr.sbin/pkg/pkg.c +=================================================================== +--- usr.sbin/pkg/pkg.c (revision 265457) ++++ usr.sbin/pkg/pkg.c (working copy) +@@ -282,10 +282,7 @@ static int + bootstrap_pkg(void) + { + FILE *remote; +- FILE *config; +- char *site; + char url[MAXPATHLEN]; +- char conf[MAXPATHLEN]; + char abi[BUFSIZ]; + char tmppkg[MAXPATHLEN]; + char buf[10240]; +@@ -300,7 +297,6 @@ bootstrap_pkg(void) + last = 0; + ret = -1; + remote = NULL; +- config = NULL; + + printf("Bootstrapping pkg please wait\n"); + +@@ -355,26 +351,6 @@ bootstrap_pkg(void) + if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0) + ret = install_pkg_static(pkgstatic, tmppkg); + +- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf", +- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE); +- +- if (access(conf, R_OK) == -1) { +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- +- config = fopen(conf, "w+"); +- if (config == NULL) +- goto cleanup; +- fprintf(config, "packagesite: %s\n", url); +- fclose(config); +- } +- + goto cleanup; + + fetchfail: +@@ -391,7 +367,11 @@ cleanup: + + static const char confirmation_message[] = + "The package management tool is not yet installed on your system.\n" +-"Do you want to fetch and install it now? [y/N]: "; ++"The mechanism for doing this is not secure on FreeBSD 9.1. To securely install\n" ++"pkg(8), use ports from a portsnap checkout:\n" ++" # portsnap fetch extract\n" ++" # make -C /usr/ports/ports-mgmt/pkg install clean\n" ++"Do you still want to fetch and install it now? [y/N]: "; + + static int + pkg_query_yes_no(void) 
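Review bot: In the share/man/man7/hier.7 hunk, the new entry text "known trusted and revoked keys." ends with a period while the neighbouring entries ("GNU Info hypertext system", "localization files;") do not; drop the trailing period so the list stays uniform. The nested keys/pkg/ item says only "fingerprints for pkg(7) and pkg(8)", yet BSD.usr.dist in the same patch creates both a trusted/ and a revoked/ subdirectory under it; naming those two subdirectories here would tell an administrator where a trusted or revoked fingerprint file belongs without reading the mtree file.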
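Review bot: In the usr.sbin/pkg/pkg.c hunk that deletes the block starting with `snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf", ...)`, nothing removes or migrates the `packagesite:` line the old bootstrap wrote into ${LOCALBASE}/etc/pkg.conf on hosts bootstrapped before this change; the fingerprint-checked repository introduced here comes only from the new /etc/pkg/FreeBSD.conf. The notice text should tell administrators of already-bootstrapped 9.1 systems to review that pkg.conf and drop the stale bootstrap-written `packagesite:` entry, since this patch only stops creating it.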
diff --git a/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch.asc b/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch.asc new file mode 100644 index 0000000000..ef90b8abf0 --- /dev/null +++ b/share/security/patches/EN-14:03/pkg-en-releng-9.1.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rnpMoP/0YInCSO2ibhMFgcpDF1fcWU +35grsxS6e/r5f1R51rWbYpATp3ha5IcFUkqw8BE0J5SG5AeVGBNQKLaTZojn1UII +PF/+oFJ+l8dwBHB1W+3BKyxKXABTB5/kuMsXdFCcTu0gY4nCqBuwRSC34WhA+5k6 +wsED+2U/Nwye/nudJ/jIkC8r9pInCiNcc0JGTI4s6mbEeJUOoAutAFCSpXbOiwN7 +CgdtlmKW8flLmjaB+rzg5FervM4y0zXUXPeuILHoWrC6Blq/EygVMxnFg29V4G/+ +wo2tqKuYOQFpHI5sZOe4Ozo/sWEELwxZYC8SxWkvFT/3JGF64ZtjL0ETRq8yQcYX +HnlbMtD/oFmQdOHMzfvRNSH6ZrbmdJioTRZt1l35ifr56ivGqpoegAwKeZJu238g +KufmU6C3qsFY6lEnTewu3pv6+x9jUdNXCVzPq/LN7FrraPxkc++nV+0pXayAMMdl +EHgIbi2U4YCOueKvcAO8CiH7sJFqe1w5EUD2/SU7Pnl0uINxyyhlmEN10DJ7b3gJ +OJHfp40fJAntxPR847fwslRUxpSFPIURksgro4Izhycd8UDRcjBi4ETVyYlGSMCO +rXbSB9cnVtcClCCA5HFsLRHoqgNlvEozpSODm+9DS1t2ePNyJ8CCTobdiiwWcrVA +/itoWkjBq7mezniYtCMh +=fE9a +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch b/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch new file mode 100644 index 0000000000..4d53d799ee --- /dev/null +++ b/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch 
@@ -0,0 +1,232 @@ +Index: etc/Makefile +=================================================================== +--- etc/Makefile (revision 265457) ++++ etc/Makefile (working copy) +@@ -224,6 +224,7 @@ distribution: + ${_+_}cd ${.CURDIR}/devd; ${MAKE} install + ${_+_}cd ${.CURDIR}/gss; ${MAKE} install + ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install ++ ${_+_}cd ${.CURDIR}/pkg; ${MAKE} install + ${_+_}cd ${.CURDIR}/rc.d; ${MAKE} install + ${_+_}cd ${.CURDIR}/../gnu/usr.bin/send-pr; ${MAKE} etc-gnats-freefall + ${_+_}cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap +Index: etc/mtree/BSD.root.dist +=================================================================== +--- etc/mtree/BSD.root.dist (revision 265457) ++++ etc/mtree/BSD.root.dist (working copy) +@@ -52,6 +52,8 @@ + weekly + .. + .. ++ pkg ++ .. + ppp + .. + rc.d +Index: etc/mtree/BSD.usr.dist +=================================================================== +--- etc/mtree/BSD.usr.dist (revision 265457) ++++ etc/mtree/BSD.usr.dist (working copy) +@@ -402,6 +402,14 @@ + .. + .. + .. ++ keys ++ pkg ++ revoked ++ .. ++ trusted ++ .. ++ .. ++ .. + locale + UTF-8 + .. 
+Index: etc/pkg/FreeBSD.conf +=================================================================== +--- etc/pkg/FreeBSD.conf (revision 0) ++++ etc/pkg/FreeBSD.conf (working copy) +@@ -0,0 +1,16 @@ ++# $FreeBSD$ ++# ++# To disable this repository, instead of modifying or removing this file, ++# create a /usr/local/etc/pkg/repos/FreeBSD.conf file: ++# ++# mkdir -p /usr/local/etc/pkg/repos ++# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf ++# ++ ++FreeBSD: { ++ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", ++ mirror_type: "srv", ++ signature_type: "fingerprints", ++ fingerprints: "/usr/share/keys/pkg", ++ enabled: yes ++} +Index: etc/pkg/Makefile +=================================================================== +--- etc/pkg/Makefile (revision 0) ++++ etc/pkg/Makefile (working copy) +@@ -0,0 +1,10 @@ ++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= FreeBSD.conf ++ ++FILESDIR= /etc/pkg ++FILESMODE= 644 ++ ++.include <bsd.prog.mk> +Index: share/Makefile +=================================================================== +--- share/Makefile (revision 265457) ++++ share/Makefile (working copy) +@@ -11,6 +11,7 @@ SUBDIR= ${_colldef} \ + dtrace \ + ${_examples} \ + ${_i18n} \ ++ keys \ + ${_man} \ + ${_me} \ + misc \ +Index: share/keys/Makefile +=================================================================== +--- share/keys/Makefile (revision 0) ++++ share/keys/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= pkg ++ ++.include <bsd.subdir.mk> +Index: share/keys/pkg/Makefile +=================================================================== +--- share/keys/pkg/Makefile (revision 0) ++++ share/keys/pkg/Makefile (working copy) +@@ -0,0 +1,5 @@ ++# $FreeBSD$ ++ ++SUBDIR= trusted ++ ++.include <bsd.subdir.mk> +Index: share/keys/pkg/trusted/Makefile +=================================================================== +--- share/keys/pkg/trusted/Makefile (revision 0) ++++ share/keys/pkg/trusted/Makefile (working copy) +@@ -0,0 +1,10 @@ 
++# $FreeBSD$ ++ ++NO_OBJ= ++ ++FILES= pkg.freebsd.org.2013102301 ++ ++FILESDIR= /usr/share/keys/pkg/trusted ++FILESMODE= 644 ++ ++.include <bsd.prog.mk> +Index: share/keys/pkg/trusted/pkg.freebsd.org.2013102301 +=================================================================== +--- share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (revision 0) ++++ share/keys/pkg/trusted/pkg.freebsd.org.2013102301 (working copy) +@@ -0,0 +1,4 @@ ++# $FreeBSD$ ++ ++function: "sha256" ++fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438" +Index: share/man/man7/hier.7 +=================================================================== +--- share/man/man7/hier.7 (revision 265457) ++++ share/man/man7/hier.7 (working copy) +@@ -32,7 +32,7 @@ + .\" @(#)hier.7 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd January 21, 2010 ++.Dd October 29, 2013 + .Dt HIER 7 + .Os + .Sh NAME +@@ -546,6 +546,16 @@ ASCII text files used by various games + device description file for device name + .It Pa info/ + GNU Info hypertext system ++.It Pa keys/ ++known trusted and revoked keys. ++.Bl -tag -width ".Pa keys/pkg/" -compact ++.It Pa keys/pkg/ ++fingerprints for ++.Xr pkg 7 ++and ++.Xr pkg 8 ++.El ++.Pp + .It Pa locale/ + localization files; + see +Index: usr.sbin/pkg/pkg.c +=================================================================== +--- usr.sbin/pkg/pkg.c (revision 265457) ++++ usr.sbin/pkg/pkg.c (working copy) +@@ -284,13 +284,10 @@ bootstrap_pkg(void) + { + struct url *u; + FILE *remote; +- FILE *config; +- char *site; + struct dns_srvinfo *mirrors, *current; + /* To store _https._tcp. 
+ hostname + \0 */ + char zone[MAXHOSTNAMELEN + 13]; + char url[MAXPATHLEN]; +- char conf[MAXPATHLEN]; + char abi[BUFSIZ]; + char tmppkg[MAXPATHLEN]; + char buf[10240]; +@@ -306,7 +303,6 @@ bootstrap_pkg(void) + max_retry = 3; + ret = -1; + remote = NULL; +- config = NULL; + current = mirrors = NULL; + + printf("Bootstrapping pkg please wait\n"); +@@ -387,26 +383,6 @@ bootstrap_pkg(void) + if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0) + ret = install_pkg_static(pkgstatic, tmppkg); + +- snprintf(conf, MAXPATHLEN, "%s/etc/pkg.conf", +- getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE); +- +- if (access(conf, R_OK) == -1) { +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- site = strrchr(url, '/'); +- if (site == NULL) +- goto cleanup; +- site[0] = '\0'; +- +- config = fopen(conf, "w+"); +- if (config == NULL) +- goto cleanup; +- fprintf(config, "packagesite: %s\n", url); +- fclose(config); +- } +- + goto cleanup; + + fetchfail: +@@ -423,7 +399,11 @@ cleanup: + + static const char confirmation_message[] = + "The package management tool is not yet installed on your system.\n" +-"Do you want to fetch and install it now? [y/N]: "; ++"The mechanism for doing this is not secure on FreeBSD 9.2. To securely install\n" ++"pkg(8), use ports from a portsnap checkout:\n" ++" # portsnap fetch extract\n" ++" # make -C /usr/ports/ports-mgmt/pkg install clean\n" ++"Do you still want to fetch and install it now? [y/N]: "; + + static int + pkg_query_yes_no(void) diff --git a/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch.asc b/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch.asc new file mode 100644 index 0000000000..90aaa79bcc --- /dev/null +++ b/share/security/patches/EN-14:03/pkg-en-releng-9.2.patch.asc 
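Review bot: In the share/keys/pkg/Makefile hunk, `SUBDIR= trusted` is the only subdirectory, so /usr/share/keys/pkg/revoked exists purely because BSD.usr.dist lists it; nothing in this patch installs into it or says what belongs there. Add a short comment in that Makefile (or an empty revoked/Makefile) stating that revocation files are dropped into revoked/, presumably in the same `function:`/`fingerprint:` format as trusted/pkg.freebsd.org.2013102301, so a future key revocation does not have to rediscover the layout. The same applies to the releng/9.1 copy of this patch above, which carries identical FreeBSD.conf, Makefile and key-file hunks.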
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rnr5YP/37fG1wkIUyrDvn3fZTMtx6W +G7Qroe8EqW+0eUgaOm2eIyBhdw9xpn7rT0I53gp7LRPn1hnBIjuP8FPhadyIrbUd +C3e4cwOZ0EOU0A91b2UuIeWrwN2qcwtkLEhlzbmn+v23+N9SgSWD9jNCnfRQhkhT +neJY7Yk2+C/+yQpcauKe1rwBUKAV/EPiIvbDZEW45zLsZ6lm9H4V6Hu2z0XkaT3w +EwYklJsaJjE0JI/PN8BVW4ChSHnGsiJJLdLqavHhMXau7sOlOQhkwJmsXpmv0HPL +GBKG9S05v0y+hH0RHrQnzt6iRXYa9EreW4SBp8OK+x0yC0GpKZYLLs9Gt/xOyjMi +a+Luul/LWshfnUfN0k74POcFddhZz1sKWx6nRv9+AOFn/I9dBaYJ2Ux4WExQs1JN +E17aRkQadbo/Z2Y//rt+URW9x9jvVx86karDk/CnwNPjgKvkGPFz64EQNciFvbUL +BkV6PLTBjigtP4DdaP00eF4qzC4QVrzUQs9d4+aJHpZZ24ZwtC5h/Y1pkPvJRBdx +CCxhR/JjFtjpF2owvIuYB9delHcfWaBlkKLGbLncBg0VkAhYK4Qjwmj2iEpCikcG +uglbHXs8yyqQAzPnYZF/2IoR2PqO2G1e32OFH18UyGPdD+JQlGNOBym63xKZcv3W +x0WIT9Ox4/plEyu+LU/H +=aYZ5 +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:04/kldxref.patch b/share/security/patches/EN-14:04/kldxref.patch new file mode 100644 index 0000000000..95bd665ded --- /dev/null +++ b/share/security/patches/EN-14:04/kldxref.patch @@ -0,0 +1,30 @@ +Index: usr.sbin/kldxref/kldxref.c +=================================================================== +--- usr.sbin/kldxref/kldxref.c (revision 265111) ++++ usr.sbin/kldxref/kldxref.c (working copy) +@@ -274,6 +274,16 @@ usage(void) + exit(1); + } + ++static int ++compare(const FTSENT *const *a, const FTSENT *const *b) ++{ ++ if ((*a)->fts_info == FTS_D && (*b)->fts_info != FTS_D) ++ return 1; ++ if ((*a)->fts_info != FTS_D && (*b)->fts_info == FTS_D) ++ return -1; ++ return strcmp((*a)->fts_name, (*b)->fts_name); ++} ++ + int + main(int argc, char *argv[]) + { +@@ -315,7 +325,7 @@ main(int argc, char *argv[]) + err(1, "%s", argv[0]); + } + +- ftsp = fts_open(argv, fts_options, 0); ++ ftsp = fts_open(argv, fts_options, compare); + if (ftsp == NULL) + exit(1); + 
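Review bot: The new `compare()` in the usr.sbin/kldxref/kldxref.c hunk carries no comment explaining its purpose; since the point of EN-14:04 is build repeatability (per the commit message), add one line above it saying that entries are sorted so the output no longer depends on the order readdir(3) happens to return, with plain files before directories and byte-wise strcmp() order within each group. The `const FTSENT *const *` parameter types match the comparison function fts_open(3) takes, so the only change needed is that documentation.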
diff --git a/share/security/patches/EN-14:04/kldxref.patch.asc b/share/security/patches/EN-14:04/kldxref.patch.asc new file mode 100644 index 0000000000..3b64dfe15c --- /dev/null +++ b/share/security/patches/EN-14:04/kldxref.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq56AAoJEO1n7NZdz2rnpNEP/0xBdG0G1LxUZFG+pZ7z95RG +Fgr2hg7m5iRoHd9x3LJ9PLfP6nZjRHUeLIxbPF5cUO1lQWHiHsInm6qZ+A7ufMPa +meGgkFtwH5rKTmvrHmmiajJObYq1cJzxwNZOZh2UHTH+mL+npj30F5JyUAUTVNpp +jTfAFGDjpI1nrl7SUZ0JAUE7SBNgSRHlWwx3BTrPbD0mYdKaob5RnVYxNoCZneEX +IePhmq+59yYlQfTvsuEUKPsfJH/IrPGrVpwH1jRSYQCQnoGj4voFsQJkZSPPqKyN ++/EeAPuAFEQgsNbQBVQA3wY7Jb0cY/07mqYiBODC/AT8c5jTyNv1U8mRyAllVUrQ +sofakJSA/G5a6NYY0OB6w2simRRwRdy/Z4lGrwchFYlOeVAMf5+9983cDT3Nl7HE +DVNJM8MVrMcb2yZ3lQA3DoLPw+NL5U7I1uQjll1VMeGd7I1JoeVRV5/sdmda/HXt +o5gUmvxg5WyO7+Da5ZMkbsWOkBtVhYQVUPL/3BOkHjRj3OHPns7tZcluOjluJpJA +ItKEqQ46955zVjb5k/BrNV4Vn1IABtEDzHYmf5VWbCaRbnmHLRbicIJkVcOqk8Ox +KGq3EbuK5z4+ngGm2XK5iMqel9Fxq5MTlGEBfxWDCZyblPwjr5I2Zmqy59c05cd8 +eQI6u8f1Dda+tO/jQ9qT +=XTgH +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:05/ciss.patch b/share/security/patches/EN-14:05/ciss.patch new file mode 100644 index 0000000000..697984b92e --- /dev/null +++ b/share/security/patches/EN-14:05/ciss.patch 
@@ -0,0 +1,65 @@ +Index: sys/dev/ciss/ciss.c +=================================================================== +--- sys/dev/ciss/ciss.c (revision 264510) ++++ sys/dev/ciss/ciss.c (revision 264511) +@@ -180,8 +180,6 @@ + static void ciss_cam_poll(struct cam_sim *sim); + static void ciss_cam_complete(struct ciss_request *cr); + static void ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio); +-static struct cam_periph *ciss_find_periph(struct ciss_softc *sc, +- int bus, int target); + static int ciss_name_device(struct ciss_softc *sc, int bus, int target); + + /* periodic status monitoring */ +@@ -3398,27 +3396,6 @@ + + + /******************************************************************************** +- * Find a peripheral attached at (target) +- */ +-static struct cam_periph * +-ciss_find_periph(struct ciss_softc *sc, int bus, int target) +-{ +- struct cam_periph *periph; +- struct cam_path *path; +- int status; +- +- status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]), +- target, 0); +- if (status == CAM_REQ_CMP) { +- periph = cam_periph_find(path, NULL); +- xpt_free_path(path); +- } else { +- periph = NULL; +- } +- return(periph); +-} +- +-/******************************************************************************** + * Name the device at (target) + * + * XXX is this strictly correct? 
+@@ -3427,12 +3404,22 @@ + ciss_name_device(struct ciss_softc *sc, int bus, int target) + { + struct cam_periph *periph; ++ struct cam_path *path; ++ int status; + + if (CISS_IS_PHYSICAL(bus)) + return (0); +- if ((periph = ciss_find_periph(sc, bus, target)) != NULL) { ++ ++ status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]), ++ target, 0); ++ ++ if (status == CAM_REQ_CMP) { ++ mtx_lock(&sc->ciss_mtx); ++ periph = cam_periph_find(path, NULL); + sprintf(sc->ciss_logical[bus][target].cl_name, "%s%d", + periph->periph_name, periph->unit_number); ++ mtx_unlock(&sc->ciss_mtx); ++ xpt_free_path(path); + return(0); + } + sc->ciss_logical[bus][target].cl_name[0] = 0; diff --git a/share/security/patches/EN-14:05/ciss.patch.asc b/share/security/patches/EN-14:05/ciss.patch.asc new file mode 100644 index 0000000000..02ba0f98f8 --- /dev/null +++ b/share/security/patches/EN-14:05/ciss.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq57AAoJEO1n7NZdz2rn6DgP/itRaA98D+sfQCMYuK3u5XiT +uDw1iKT3bio1f8/OrfwljpO0afDoJwEFpL89quG0BhIU89GcArqMk6cGa63N2/DI +PiTPss4g0MG4pVdEJEkO1JsqvK07ePTYH/7MaVFdJSQc6Q3N1EtmABFP0+xk3QPS +Gg9wRK0Bfl0ewawMsC0Bj2RQ6ltQaURFKogcCmDVDYRkn3j11b3CUcNrHlAlaM/3 +5LMCExizLlKHzFYpQhahHxWHjEXEn0eDDbAFD9xU+d+GUCFiw+G09Lp56if0HgMy +RmVMVd7uP5slxpAbbRiTqhoa/qwAWx9rj8By6PudBxqxACVc81di6ADuqRhUrpTt +xZY/vVdDT8r8zX2kKDx8e/uWDo9nUQIZznYDvDSBzLjbIn0DLXajmiXKMz9pPzBx ++rl2LIwwmcdi75r03qugd+PQKWtdnOI7u3B5qKtS3Rxf3dAyIRwT35KHg4SwImjg +3GmRByHEOtdgV6huYoTAIvurYlzDLK/leZgnw7f1neIhLRhz3rpKE2kzMUEj6jom +/LzUqJVIOHOkrLztc314f4PdTn7L1rVIQuwIErybwOO6c1Xu3aSRuAF9K2tfD4VE +PAoLmD6PpqT1dc/7kmwY5wE4nrNU4ubqW8opFLPBCLH1Xk5pvniSUglxWJBDxK84 +tDIyHPvRjdQ0mROo0cSZ +=lTSe +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:10/openssl.patch b/share/security/patches/SA-14:10/openssl.patch new file mode 100644 index 0000000000..47f27c0267 --- /dev/null 
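Review bot: In the ciss_name_device() hunk a NULL check is lost: the old code only used `periph` inside `if ((periph = ciss_find_periph(sc, bus, target)) != NULL)`, and the deleted ciss_find_periph() explicitly returned NULL when cam_periph_find() found nothing, but the inlined version dereferences `periph->periph_name` directly after `periph = cam_periph_find(path, NULL);` with no test. Keep the mutex and the path handling, but guard the sprintf() with `if (periph != NULL)` and fall through to the existing `cl_name[0] = 0` case otherwise, releasing the mutex and freeing the path on that branch as well. While here, the sprintf() into cl_name is unbounded; if cl_name is a fixed-size array, snprintf() with sizeof() would be the safer form.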
+++ b/share/security/patches/SA-14:10/openssl.patch @@ -0,0 +1,15 @@ +Index: crypto/openssl/ssl/s3_pkt.c +=================================================================== +--- crypto/openssl/ssl/s3_pkt.c (revision 265111) ++++ crypto/openssl/ssl/s3_pkt.c (working copy) +@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int type, const u + if (i <= 0) + return(i); + /* if it went, fall through and send more stuff */ ++ /* we may have released our buffer, so get it again */ ++ if (wb->buf == NULL) ++ if (!ssl3_setup_write_buffer(s)) ++ return -1; + } + + if (len == 0 && !create_empty_fragment) diff --git a/share/security/patches/SA-14:10/openssl.patch.asc b/share/security/patches/SA-14:10/openssl.patch.asc new file mode 100644 index 0000000000..bf3790f647 --- /dev/null +++ b/share/security/patches/SA-14:10/openssl.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (FreeBSD) + +iQIcBAABCgAGBQJTcq6MAAoJEO1n7NZdz2rnDAYP/3jlC66FjgMihCUB3tVByZjO +7aa2ChUYO0V5fiwOWdUxwz15iFH+PbIiRBCBsHADtIV63z6KMF56irEqGdKQJNRb +YCr/5ErcHH1xd/SXEqJLGVWl6ydYaUC++20PjhqTZvy3/T6y8/CVjCHa1+u37cQB +B8pPjs+umq/XXqdG3WSJabCGRrEdJVTgydhOpUHvg38mtz29y3odALdwJp4CK5Ml +JEocIIfpPwUTrsGITbF9ql4XcF/hFTqVZOcLJTt3VWfsYMR8Rd+EuQO1Cmzrfo6R +U50FXYibYtXUqM3N2ByH2JbTBXjI4uyPE5//Y4dnFYTQD1Vy+rKH6h9pXV2wKSlk +sMx0ibHrpBXJvrebVBB3lDJgmmUCxxUX87bpGafTFsk3BphhpV/Vq7Pgvtfz6hFa +ifzc7Iy2oNR05DRekG+fMa0UwBaZand4IVY6jqpBikW4OMaSOEjrV+uqV+MkfXLw +IRJEvVUbSfvwsSkBEhMvjTp/DUx6wNUGyXJ1931u7fTZlpQRp3sn2Zi+76U3B31l +6oEPmoYWbwytScwcrIL82rdBRziF0kuuf9f5dG11zTuMqlT+7HuF4iYkENfMwiuu +W69OfochdyqIPA2Nw5iIvg73Ozs/fyJOAIh5pIC5oL83O/Ea3FVFJeFAzkPWd2fA +SiGNEd12hER2Xx4Hkvi7 +=qOXh +-----END PGP SIGNATURE----- diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml index 9ed359f0a2..4a6d685754 100644 --- a/share/xml/advisories.xml +++ b/share/xml/advisories.xml 
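Review bot: In the do_ssl3_write() hunk, the two nested brace-less `if` statements (`if (wb->buf == NULL)` followed by `if (!ssl3_setup_write_buffer(s))`) invite a dangling-else mistake on the next edit; fold them into `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return -1;` or brace the outer one. The re-check is placed right after the early `return(i)` branch, so it does cover the fall-through path the added comment describes, where the buffer may already have been released before the loop continues.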
@@ -8,6 +8,18 @@ <name>2014</name> <month> + <name>5</name> + + <day> + <name>13</name> + + <advisory> + <name>FreeBSD-SA-14:09.openssl</name> + </advisory> + </day> + </month> + + <month> <name>4</name> <day> diff --git a/share/xml/notices.xml b/share/xml/notices.xml index aa553c25b4..2cba9d8129 100644 --- a/share/xml/notices.xml +++ b/share/xml/notices.xml @@ -8,6 +8,26 @@ <name>2014</name> <month> + <name>5</name> + + <day> + <name>13</name> + + <notice> + <name>FreeBSD-EN-14:03.pkg</name> + </notice> + + <notice> + <name>FreeBSD-EN-14:04.kldxref</name> + </notice> + + <notice> + <name>FreeBSD-EN-14:05.ciss</name> + </notice> + </day> + </month> + + <month> <name>1</name> <day> |
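Review bot: The advisories.xml hunk registers `FreeBSD-SA-14:09.openssl`, and the commit message says `[SA-14:09]`, but the OpenSSL patch and its signature were added under share/security/patches/SA-14:10/ in this same commit; the directory name and the advisory name disagree, so either those two files should move to SA-14:09/ or the advisory entry here is wrong.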