Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc')
-rw-r--r-- website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc | 171
1 files changed, 171 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc
new file mode 100644
index 0000000000..77b3701de3
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc
@@ -0,0 +1,171 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:06.ipv6 Security Advisory
+ The FreeBSD Project
+
+Topic: Remote denial of service in IPv6 fragment reassembly
+
+Category: core
+Module: ipv6
+Announced: 2023-08-01
+Credits: Zweig of Kunlun Lab
+Affects: All supported versions of FreeBSD
+Corrected: 2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
+ 2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
+ 2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
+ 2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name: CVE-2023-3107
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+IPv6 packets may be fragmented in order to accommodate the maximum
+transmission unit (MTU) of the network path between the source and
+destination hosts. The FreeBSD kernel keeps track of received packet
+fragments and will reassemble the original packet once all fragments
+have been received, at which point the packet is processed normally.
+
+II. Problem Description
+
+Each fragment of an IPv6 packet contains a fragment header which
+specifies the offset of the fragment relative to the original packet,
+and each fragment specifies its length in the IPv6 header. When
+reassembling the packet, the kernel calculates the complete IPv6 payload
+length. The payload length must fit into a 16-bit field in the IPv6
+header.
+
+Due to a bug in the kernel, a set of carefully crafted packets can
+trigger an integer overflow in the calculation of the reassembled
+packet's payload length field.
+
+III. Impact
+
+Once an IPv6 packet has been reassembled, the kernel continues
+processing its contents. It does so assuming that the fragmentation
+layer has validated all fields of the constructed IPv6 header. This bug
+violates such assumptions and can be exploited to trigger a remote
+kernel panic, resulting in a denial of service.
+
+IV. Workaround
+
+Users with IPv6 disabled on untrusted network interfaces are not
+affected. Such interfaces will have the IFDISABLED nd6 flag set in
+ifconfig(8).
+
+The kernel may be configured to drop all IPv6 fragments by setting the
+net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from
+being triggered, with the caveat that legitimate IPv6 fragments will
+be dropped.
+
+If the pf(4) firewall is enabled, and scrubbing and fragment reassembly
+is enabled on untrusted interfaces, the bug cannot be triggered. This
+is the default if pf(4) is enabled.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and
+reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 9515f04fe3b1 stable/13-n255919
+releng/13.2/ da38eaca4a22 releng/13.2-n254626
+releng/13.1/ 4e548c72914a releng/13.1-n250191
+stable/12/ r373149
+releng/12.4/ r373152
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3107>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=V/jE
+-----END PGP SIGNATURE-----
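Review bot: Section IV (Workaround) names the net.inet6.ip6.maxfrags sysctl and the IFDISABLED nd6 flag but, unlike Section V, shows no command for setting or checking either one, so the reader has to work out the invocation while mitigating. Consider adding a line such as `# sysctl net.inet6.ip6.maxfrags=0` and stating whether the setting must be reapplied after a reboot until the patched kernel is running. In the same section, "scrubbing and fragment reassembly is enabled" should read "are enabled", and "This is the default if pf(4) is enabled" would be clearer if it named what "This" refers to (scrubbing, reassembly, or both).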