diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-20:31.icmp6.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-20:31.icmp6.asc | 152 |
1 files changed, 0 insertions, 152 deletions
diff --git a/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc b/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc deleted file mode 100644 index 113dbca831..0000000000 --- a/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc +++ /dev/null @@ -1,152 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 - -============================================================================= -FreeBSD-SA-20:31.icmp6 Security Advisory - The FreeBSD Project - -Topic: ICMPv6 use-after-free in error message handling - -Category: core -Module: icmp6 -Announced: 2020-12-01 -Credits: Maxime Villard -Affects: All supported versions of FreeBSD. -Corrected: 2020-11-05 22:41:54 UTC (stable/12, 12.2-STABLE) - 2020-12-01 19:38:52 UTC (releng/12.2, 12.2-RELEASE-p1) - 2020-12-01 19:38:52 UTC (releng/12.1, 12.1-RELEASE-p11) - 2020-12-01 03:07:26 UTC (stable/11, 11.4-STABLE) - 2020-12-01 19:38:52 UTC (releng/11.4, 11.4-RELEASE-p5) -CVE Name: CVE-2020-7469 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit <URL:https://security.FreeBSD.org/>. - -I. Background - -ICMPv6 is the ICMP protocol for IPv6. It is used to transmit informational -and error messages between IPv6 hosts. - -II. Problem Description - -When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may -extract information from the message to hand to upper-layer protocols. As a -part of this operation, it may parse IPv6 header options from a packet -embedded in the ICMPv6 message. - -The handler for a routing option caches a pointer into the packet buffer -holding the ICMPv6 message. However, when processing subsequent options the -packet buffer may be freed, rendering the cached pointer invalid. The -network stack may later dereference the pointer, potentially triggering a -use-after-free. - -III. Impact - -A remote host may be able to trigger a read of freed kernel memory. This may -trigger a kernel panic if the address had been unmapped. - -IV. Workaround - -Systems with IPv6 disabled are not affected. No workaround is available -except to disable IPv6 on the system's network interfaces. - -V. Solution - -Upgrade your vulnerable system to a supported FreeBSD stable or -release / security branch (releng) dated after the correction date and -reboot. - -Perform one of the following: - -1) To update your vulnerable system via a binary patch: - -Systems running a RELEASE version of FreeBSD on the i386 or amd64 -platforms can be updated via the freebsd-update(8) utility: - -# freebsd-update fetch -# freebsd-update install -# shutdown -r +10min "Rebooting for a security update" - -2) To update your vulnerable system via a source code patch: - -The following patches have been verified to apply to the applicable -FreeBSD release branches. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -[FreeBSD 12.2] -# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch -# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch.asc -# gpg --verify icmp6.12.2.patch.asc - -[FreeBSD 12.1] -# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch -# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch.asc -# gpg --verify icmp6.12.1.patch.asc - -[FreeBSD 11.4] -# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch -# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch.asc -# gpg --verify icmp6.11.4.patch.asc - -b) Apply the patch. Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile your kernel as described in -<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the -system. - -VI. Correction details - -The following list contains the correction revision numbers for each -affected branch. - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/12/ r367402 -releng/12.2/ r368255 -releng/12.1/ r368255 -stable/11/ r368202 -releng/11.4/ r368255 -- ------------------------------------------------------------------------- - -To see which files were modified by a particular revision, run the -following command, replacing NNNNNN with the revision number, on a -machine with Subversion installed: - -# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base - -Or visit the following URL, replacing NNNNNN with the revision number: - -<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> - -VII. References - -<other info on vulnerability> - -<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7469> - -The latest revision of this advisory is available at -<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:31.icmp6.asc> ------BEGIN PGP SIGNATURE----- - -iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD -MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n -5cIE8g//d4TXo4cXH4H0k6Et5lCoKz7R+x/wE6EuTymvKOiYyvwGwk3TZnLwhSSr -+FmwYMa0nQfHl3JdbUFYcQdA8Q/mvh0OZf55icRRHwchA+V9ENzuN8DqP1FPbL09 -Ar3Q7osE2LyblTX9vOF0KYNWT+OmUZE5BDHEJ+OD5TKV2xWMkrksVOylXdKKgNyK -Umc3uccud3nvBlrIeP5SiNewCP06/SEZkSovFI1QKCVJGs4hCO97Es0RWiY9MkPG -JcUOdCsYVrvfcWNeRkcAqnH/vgWQYBumSW15ldNGIrMaUAi0DiDTisFIifPI1z8T -j+WmxN2IGvjYQzLBLhpJqq9Ox1OUD2R6Q0YSsndMHgf2bo1HheVUtQlBPMOq/V/8 -I74Ppu2NPxdh2ocUzk60XaNZ2PuZhqkDMOLqZLcKNEe7m94ImzfNxtDGyRkEwpbw -/Vu4ysFrHQR4derU3c9TV+LJwCYaoNw//0WKpcycnqfvb/y5dWgOc3sBf5zwiuRL -NNwRnnRK/gaGoigJxm/Ev2SNsJDLs0g7IuscwYPRtadi1eUTeKeJFg3yvSVTYRov -tGPIhWYmWvOmKSg8ZGIAnTcXeNleyymw+vi6l0gHtwcLJ0AjdbVEWZ3FCy7XvD3c -yRbkJ4ORllto95caGGtzHDj0CMShYaOMNhrf+QrEYDRMB8jfXh0= -=a0pv ------END PGP SIGNATURE----- |