Diffstat (limited to 'website/static/security')
28 files changed, 2070 insertions, 2 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc b/website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc new file mode 100644 index 0000000000..e2da868709 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:15.arm64 Errata Notice + The FreeBSD Project + +Topic: arm64 syscall(2) allows unprivileged user to panic kernel + +Category: core +Module: arm64 +Announced: 2025-09-16 +Credits: Juniper Networks, Inc. +Affects: All supported versions of FreeBSD. +Corrected: 2025-08-25 15:23:01 UTC (stable/14, 14.3-STABLE) + 2025-09-16 16:31:06 UTC (releng/14.3, 14.3-RELEASE-p3) + 2025-09-16 16:31:17 UTC (releng/14.2, 14.2-RELEASE-p6) + 2025-08-25 15:23:22 UTC (stable/13, 13.5-STABLE) + 2025-09-16 16:31:26 UTC (releng/13.5, 13.5-RELEASE-p4) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The FreeBSD arm64 kernel implements a 32-bit compatibility layer, enabling +execution of unmodified 32-bit arm binaries on a 64-bit system. + +FreeBSD implements a pseudo system call, syscall(2), which lets the caller +invoke a system call selected using the first system call argument. + +II. Problem Description + +The 32-bit compatibility layer implements syscall(2). It performs some +validation of the system call parameters and explicitly calls panic() to +panic the system if an unexpected state is reached. + +It is possible to construct a program which can reach this unexpected state, +resulting in a panic. In particular, no particular privileges are required +to do so. + +III. Impact + +An unprivileged user may be able to trigger a panic. + +IV. Workaround + +No workaround is available. Non-arm64 platforms are unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:15/arm64.patch +# fetch https://security.FreeBSD.org/patches/EN-25:15/arm64.patch.asc +# gpg --verify arm64.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 17d87881a363 stable/14-n272249 +releng/14.3/ 99012995b4c6 releng/14.3-n271440 +releng/14.2/ 722746b39e6e releng/14.2-n269534 +stable/13/ 98ac13c4baf5 stable/13-n259404 +releng/13.5/ 751971e55454 releng/13.5-n259175 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:15.arm64.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBEACgkQbljekB8A +Gu+13w//fHfH1hAOg+FGwV3ZoMh2oEVd+VmkLg/CdghL9T+dGwqzIMOliXMKhaZq +Nzk++lmKlzdpuDEqaw1ikj+bJ+knhrZyAziTlxpB2uly6K119hchAU5TQK2M6D4W +8aQWxeJMPxobsfxi9JciVMWcQK9XsurwUzlCDuLvGgUMPPaMVdy89U86NnKo66eE +fjK2l1Mc730wtisTuTLkY1SHPBchvm20ehu8BVpx4eBEHnecqRaUxQHy2yxTi+/0 +IKrwnpvz8S7/QLcED6TSCKsuLDY/uOx8x6N9PlHHvcLay/ImyvhTPavREld/b3nM +YC8fFb7bjguPZCC222nr/J+/YkD+2+EqVHPOAq7HxVT0uqss7BL9qwIywg0CIhvT +G3fw121L7cwXI/f/Hw6coVTFHnNXUB48FyIFkEXPdMxrNBUSE/KejYjkkJ2YaRir +kXZboMMOoxIf0NPNmv78v+PBj3jpbPP2epjhIk0I5D6uNzdjXEqRlRNgBhqc01Qn +veu+1tEox5Y0Zp4Mum0EipuTaZMjeT4hwmt9zwogsYEZFnyIvilzIOc3zEFRB4Y2 +IB1EUkw49V/zzHn5KnVujaUiVOdVUxe6G8txFcPIT66mPdJZmKO1fbD3pR/0NDj6 +Smj07jNL8PskCLuoe0MmMFiNJI3CHTh+6Ly39j5UpnSsPCPRTyM= +=58zg +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc b/website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc new file mode 100644 index 0000000000..648944e6a9 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:16.vfs Errata Notice + The FreeBSD Project + +Topic: copy_file_range(2) fails to set output parameters + +Category: core +Module: vfs +Announced: 2025-09-16 +Affects: FreeBSD 14.3 +Corrected: 2025-08-23 21:25:20 UTC (stable/14, 14.3-STABLE) + 2025-09-16 16:31:07 UTC (releng/14.3, 14.3-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +copy_file_range(2) is a system call which takes two file descriptors as input +and copies data from one file to the other. + +II. Problem Description + +The copy_file_range(2) system call accepts two optional pointer arguments, +inoffp and outoffp. When non-NULL, the kernel is to use their values to +determine the starting offsets for the input and output files, respectively. +In this case, the seek offset corresponding to the file descriptor is not +used or updated. + +When finishing the copy, the kernel is supposed to write updated offsets to +the pointed-to values. However, it does not do so. + +III. Impact + +Applications which rely on this behaviour may behave incorrectly. No such +applications exist in the base system. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:16/vfs.patch +# fetch https://security.FreeBSD.org/patches/EN-25:16/vfs.patch.asc +# gpg --verify vfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 2fd0083fcc23 stable/14-n272229 +releng/14.3/ d1e981cbf3bd releng/14.3-n271441 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288985> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:16.vfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBMACgkQbljekB8A +Gu8ZLxAAql8vK7+rcHUDI0gKQu9TC2jlNC7EZcDwMupCnbjXFv8mSbC48XWeXUYk +j6DLDK8BWGOs4+1xftFlHCgu4yPLm7YhcgiUIhqlViAhNBfwIH9YDP/3heYEkvBn +Ns6sh/jtRkB3t+j1fbrcMFZZT2G1plCr4GTZS1fEE+YXQ6NNwo90liSi5dDh2m2Y +1OvLjdRwVj/BzVNqygiVJGXkof2SS3KsoVMv8CsoBZnSgvXyIPjgBhqJIjzh6my7 +BqRmylf+8tZXAKCR0Ylp6qFdI1gEcxWNXyadfUuigAoQFiAFSOX/T1NYYtpK7koH +IROnhKxU6TKj1EhvPrV40I+vdwBYczTZlXIFRrQw0CI7sDIus53T94rmUaqwfY+L +0yiW7gnqwujzaFkv6u9biAoVvm0FHuqq+tsOeB5k344nQ5BrbzMKVatPw2J3HG53 +alalSlMQzgKZYfCkQPemzusVJIlkazJ5r2kMeHzKukfMtjCLyOP+K/evo+Y0HCHh +eOwNoRLNdLra92GGlk643bKBx8pbC4J+FYXq7/+/MHQkAFX8GWZ5XoMjqIaq/e1r +poa72xNwSFrPLbbWkBXf/kknifVv98/VPRE4guzgwNjBo5wVUNzRhhVUsSmzEHPe +3ris0e+OD+te5gqfp5+cKaQS7RUXItXtGO/FzJHl+mmkEfrkD9I= +=q5E4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc b/website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc new file mode 100644 index 0000000000..df6b461cfc --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:17.bnxt Errata Notice + The FreeBSD Project + +Topic: bnxt(4) fails to set media type in some cases + +Category: core +Module: bnxt +Announced: 2025-09-16 +Affects: FreeBSD 14.3 +Corrected: 2025-06-22 07:18:55 UTC (stable/14, 14.3-STABLE) + 2025-09-16 16:31:08 UTC (releng/14.3, 14.3-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The bnxt(4) driver provides support for Broadcom NetXtreme-C/NetXtreme-E Family +of Ethernet controllers. A key function of the driver is to report the various +supported physical media types and operational modes (e.g., 1000base-T, +40GBASE-AOC, full-duplex, autoselect) to the operating system's ifmedia +interface. This allows network administrators to view and configure the +interface link settings. + +II. Problem Description + +A logic error was introduced into the bnxt(4) driver which prevented the proper +population of the supported media list for several physical connection types. +Inside the function responsible for building this list, a switch statement +incorrectly used return statements instead of break statements. This caused +the function to exit prematurely after identifying certain media types, +including common BASE-T (copper), 40G Active Optical Cable (AOC), and 1G-CX +connections, before the corresponding speed and duplex options could be +registered with the network subsystem. + +III. Impact + +For network controllers using the affected media types, the driver fails to +advertise any supported link modes. An administrator running ifconfig(8) on +the interface would see incorrect media (unknown). 
Because of this, the +network interface may be unable to establish a link, as the operating system +cannot properly configure it or initiate auto-negotiation. The network port +will be unusable. + +IV. Workaround + +No workaround is available. Only systems that uses bnxt(4) device with the +affected media types are affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:17/bnxt.patch +# fetch https://security.FreeBSD.org/patches/EN-25:17/bnxt.patch.asc +# gpg --verify bnxt.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 33f65f12eba1 stable/14-n271757 +releng/14.3/ c07b1838f9c9 releng/14.3-n271442 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=33f65f12eba1> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287395> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:17.bnxt.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBUACgkQbljekB8A +Gu//GBAAu3k3rFlqFKbSgq38xldf8fFngj/IuLa4BjB2lcTa7Rpy+6vxlFxXyqVk +9VVXf+tkXNhQ5ngY52SqMDdlG0OQdr+rwPcB8bI2nw+1DW1FRMVvBN7PlJrGgs2N +OtE6I4Wy+IK7vyzEgs8P3Kq3U7oXQVz/jJ3n1DmmjxlKfNqlo3eOGDlNZgTdFF2h +NbZUW4CGZTQxV4Ihq7Zg99bJw38o6WkOjkBkd7/djQfLm9aufVoWPN7SDaVnDun0 +vtWTTXrxsmPfVZB0sxdhYLjKPX+4GdVype0k3A26K50dTNVh5GAhWzH1LqFS6BR4 +DveE4/02bjaTAqK1XW+08JoGqibzmOTt8mUOlKL1aomACgmFc2Lzj33Qd6z1JdJB +6XYTcAoi2Kz94VHBMYjgWOBjiw66YryEyNpHJkFCfWnA3jgZB9TKZn2FZPxGBbvM +6an5ZcjaKHv1X+en2Fh8Ri1Hq4CKN/SmI/Sp0B28hXv8MQCNOnTqxqgdKgg2xQnD +0BasLt7y8y4rAHed+znWW1gRHWLP9q4FLqdvargtdMO81N2n/fm8jKe+SD2YNfTQ +Nvs29hRzs/thxI1gJMhDmmHkprGOyy6fzdZLtUjqhPh2l/YvHq32i/iNKpVfCy5v +hHpd38wxOpTs5nk4qbVZlS2DgRuTSO/VU0IMphaIwBhwHkZaoWY= +=jvzm +-----END PGP SIGNATURE----- 
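Review bot: in section VI of the FreeBSD-EN-25:17.bnxt hunk the cgit link reads `<URL:https://cgit.freebsd.org/src/commit/?id=33f65f12eba1>` while the sentence before it says "replacing NNNNNN with the hash"; either keep the NNNNNN placeholder as the other five notices in this commit do, or reword the sentence, since as written the link points only at the stable/14 commit and not the releng/14.3 one (c07b1838f9c9). Also, in section IV "Only systems that uses bnxt(4) device with the affected media types are affected" should read "Only systems that use a bnxt(4) device with the affected media types are affected."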
diff --git a/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc new file mode 100644 index 0000000000..879a139248 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:18.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update(8) installs libraries in incorrect order + +Category: core +Module: freebsd-update +Announced: 2025-09-30 +Credits: Graham Perrin +Affects: All supported versions of FreeBSD. +Corrected: 2025-09-25 19:26:37 UTC (stable/15, 15.0-ALPHA4) + 2025-09-25 19:27:06 UTC (stable/14, 14.3-STABLE) + 2025-09-30 15:37:15 UTC (releng/14.3, 14.3-RELEASE-p4) + 2025-09-30 15:37:24 UTC (releng/14.2, 14.2-RELEASE-p7) + 2025-09-25 19:27:34 UTC (stable/13, 13.5-STABLE) + 2025-09-30 15:37:34 UTC (releng/13.5, 13.5-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The freebsd-update(8) utility is used to fetch, install, and rollback +binary updates to the FreeBSD base system. In addition to security and +errata updates within a release (its original purpose), freebsd-update(8) +can be used to upgrade to a newer FreeBSD release. + +II. Problem Description + +When installing updates, freebsd-update(8) did not enforce ordering between +the C standard library ("libc") and the system library ("libsys") which was +introduced in FreeBSD 15.0. + +III. Impact + +When using freebsd-update(8) to upgrade a system from FreeBSD 13.x or 14.x to +FreeBSD 15.0, freebsd-update(8) would install a new libc which depends on +libsys before the libsys library existed. This resulted in the rest of the +update failing to install and a mostly-unusable system, with only statically +linked binaries (e.g. in /rescue) functioning. + +IV. 
Workaround + +No workaround is available, but this misbehaviour only applies to using +freebsd-update(8) to upgrade to FreeBSD 15.0; applying security and errata +updates (including this one) within a release branch is unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 8134e7f4b406 stable/15-n280326 +stable/14/ e26928669f39 stable/14-n272484 +releng/14.3/ 978e04ff5bcf releng/14.3-n271445 +releng/14.2/ 3447fea3523b releng/14.2-n269536 +stable/13/ 87eb52f1b061 stable/13-n259445 +releng/13.5/ ab91dd76ff72 releng/13.5-n259177 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289769> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:18.freebsd-update.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+x0ACgkQbljekB8A +Gu8DQhAAt4nGFTHJcC4dVceeanMY4+p8zUqtrjGP1wO+dgnBbPJuHteMlaK8bi0N +A1f+XRCcbHN7OUZz0k+WgNsFOC583Zg29l+Oe6DvgRzyjUhp7q70/vgEUYbTn2eM +CeXL0GNP9h/UYcqmpot4bO0VvXf9g6qG6qBqYN31eSuDBWcRLLAOzQwbWTLxZYgB +vYDPTqMSOTygGJEiSwGDkywE45N0JvT/GA9kNiu9uh5xL0dQLgwi07BB3+bQ3rNx +hB5sK5EJSa0FcRmpSxXvtQJK5l9eIYkAcFUo0K4/UaSknIFqSOr7j4zS3MOE1PPa +7u+ZJY3SMYg9/YRlRpLs7FGe8t+Oz/1IFgjJ1bJVHZCA55kGaB9toh+wunGsSUHc ++DzPGC0PYmcVLtk75WgjjkofCRCco8Dx3QlLfEUKxzNJFL+LwfE+zi5Pk//GJcr2 +V6RipeMNJGc60N/Zz2X95ut/43/tOBFh157oSXnVFdTbDJ7zc16EvjH99IIwlkEy +pasLr0i0XklormpAyUkddA3z57qy3580/sZf07QUHrQJQfy738qPf1QY6ejk560D +INBXdJk5FNJAYiogMrHyK0N1xX5WHk6qbbiAOmSefFCKcB7uL5CPcu6l8D0sAtyP 
+CbzuTLGqCWiDBT0aLK1xn1MNQMPT4PL7JhWqrSJnQpicgibqAsg= +=8oNH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc b/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc new file mode 100644 index 0000000000..339a9ce084 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc 
@@ -0,0 +1,207 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-25:08.openssl Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in OpenSSL + +Category: contrib +Module: openssl +Announced: 2025-09-30 +Credits: Stanislav Fort (Aisle Research) +Affects: All supported versions of FreeBSD. +Corrected: 2025-09-30 15:26:14 UTC (stable/15, 15.0-ALPHA4) + 2025-09-30 15:28:38 UTC (stable/14, 14.3-STABLE) + 2025-09-30 15:37:16 UTC (releng/14.3, 14.3-RELEASE-p4) + 2025-09-30 15:37:25 UTC (releng/14.2, 14.2-RELEASE-p7) + 2025-09-30 15:30:02 UTC (stable/13, 13.5-STABLE) + 2025-09-30 15:37:35 UTC (releng/13.5, 13.5-RELEASE-p5) +CVE Name: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) +Affects: FreeBSD 15.x, 14.x, and 13.x + +An application trying to decrypt cryptographic message syntax (CMS) messages +encrypted using password based encryption can trigger an out-of-bounds read +and write. + +* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231) +Affects: FreeBSD 15.x only + +A timing side-channel which could potentially allow remote recovery of the +private key exists in the SM2 algorithm implementation on 64-bit ARM +platforms. 
+ +* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232) +Affects: FreeBSD 15.x and 14.x only + +An application using the OpenSSL HTTP client API functions may trigger an +out-of-bounds read if the "no_proxy" environment variable is set and the host +portion of the authority component of the HTTP URL is an IPv6 address. + +III. Impact + +* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) +Affects: FreeBSD 15.x, 14.x, and 13.x + +The out-of-bounds read may trigger a crash which leads to denial of service +for an application. The out-of-bounds write can cause a memory corruption +which can have various consequences including a denial of service or +execution of attacker-supplied code. + +Although the consequences of a successful exploit of this vulnerability +could be severe, the probability that an attacker would be able to +perform it is low. Password based (PWRI) encryption support in CMS +messages is very rarely used. + +* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231) +Affects: FreeBSD 15.x only + +A timing side-channel in SM2 signature computations on 64 bit ARM platforms +could allow recovering the private key by an attacker. + +OpenSSL does not directly support certificates with SM2 keys in TLS, and so +this CVE is not relevant in most TLS contexts. However, it is possible to +add support for such certificates via a custom provider. + +* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232) +Affects: FreeBSD 15.x and 14.x only + +An out-of-bounds read can trigger a crash which leads to denial of service +for an application. + +The OpenSSL HTTP client API functions can be used directly by applications +but they are also used by the OCSP client functions and CMP (Certificate +Management Protocol) client implementation in OpenSSL. However the URLs used +by these implementations are unlikely to be controlled by an attacker. 
+ +In this vulnerable code the out of bounds read can only trigger a crash. +Furthermore the vulnerability requires an attacker-controlled URL to be +passed from an application to the OpenSSL function and the user has to have +a "no_proxy" environment variable set. + +IV. Workaround + +No workaround is available. Several of the issues have mitigating factors. +Please see the Impact section for more details. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch.asc +# gpg --verify openssl-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch.asc +# gpg --verify openssl-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch.asc +# gpg --verify openssl-13.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 4d6fd774b5b3 stable/15-n280387 +stable/14/ 270158508d7c stable/14-n272541 +releng/14.3/ 75d258af9fe9 releng/14.3-n271446 +releng/14.2/ 6a0d914d9c3e releng/14.2-n269537 +stable/13/ c0dbaf2b5dbd stable/13-n259448 +releng/13.5/ ae7c74cfa531 releng/13.5-n259178 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://openssl-library.org/news/secadv/20250930.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9231> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9232> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:08.openssl.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+z4ACgkQbljekB8A +Gu8kgA//TsqChpypUuth9KRbWpU0noUkxkbIS1CI1YYRmZn6GF52YNhe9enKN4Gc +PeUSZOsfbABv0UGfUPbaD4VifGni/ss/bhSK5nzmfbOLDbnOX1oodLVNhspDjv9K +kJPz7C3zzUrNchCZzDRvrulMXeoYOKmqY/Mc0VViXqeg2k6IqXlCPm62jFc4Glpw +g0pvTyXNhbebuP/XGGYq4nQW2ZUX+Z6yvKqCn8d/7YHRRb48KP7c5LCryUU3UdQa +pjcHX0U8dYsJlQIqWH7HPn9RrWX87EN5v7csZN+fV030lgtnsTsFRK3TxrdTTvxt +JgyNQVXy/RTmd1tQLo1dVZRjdav5MBYVBxgmweL54VcPYngTZWjEY7HjUr0WWU32 +1Fhf7Bs4q+vWalDkyA8nxyXPG4Lq018yRRxwKebsRy2fm5SqlJSK5g7TNRvo0QfM +LnfZItuya9flw6r3I9ypjKaY1WAz5Kzt83yr2be7GzLEDCuCd882JeYwmqyRnUKQ ++/IPbE7VM3oK7lzJfVuKyRxWPXWLxAaEDKNTafSNWfsz/TolyBxsF6obYaZOkw1C +mstsaaMnHdV9+GktwavCRVV6M0WK4o7xvn1nUSHPwKWpq4dfjH7syujeO483+pz3 +tZoLEkWhaNn3KmIQKbl+t+CjzDRoshzZg6Xl1UVoZvrtOyX/IUY= +=nUv2 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc b/website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc new file mode 100644 index 0000000000..49fe1c653f --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc 
@@ -0,0 +1,162 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-25:09.netinet Security Advisory + The FreeBSD Project + +Topic: SO_REUSEPORT_LB breaks connect(2) for UDP sockets + +Category: core +Module: netinet +Announced: 2025-10-22 +Credits: MSc. student Omer Ben Simhon and Prof. Amit Klein, + both from the Hebrew University School of Computer + Science and Engineering +Affects: All supported versions of FreeBSD. +Corrected: 2025-10-22 15:48:25 UTC (stable/15, 15.0-STABLE) + 2025-10-22 15:50:30 UTC (releng/15.0, 15.0-BETA2-p1) + 2025-10-22 15:48:51 UTC (stable/14, 14.3-STABLE) + 2025-10-22 15:51:57 UTC (releng/14.3, 14.3-RELEASE-p5) + 2025-10-22 15:49:32 UTC (stable/13, 13.4-STABLE) + 2025-10-22 15:53:35 UTC (releng/13.5, 13.5-RELEASE-p6) +CVE Name: CVE-2025-24934 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +SO_REUSEPORT_LB is a socket option, set by setsockopt(2), which allows multiple +TCP or UDP sockets to bind to the same socket address, creating a +load-balancing group. Incoming packets and connections are distributed evenly +among sockets in a group. This helps network services avoid scalability +bottlenecks caused by having a single TCP listening socket. In particular, it +is expected that sockets belonging to a load-balancing group will accept +packets from any source address. + +II. Problem Description + +Connected sockets are not intended to belong to load-balancing groups. +However, the kernel failed to check the connection state of sockets when adding +them to load-balancing groups. Furthermore, when looking up the destination +socket for an incoming packet, the kernel will match a socket belonging to a +load-balancing group even if it is connected. 
+ +Connected sockets are only supposed to receive packets originating from the +connected host. The above behavior violates this contract. + +III. Impact + +Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host +will not observe any problems. However, due to its membership in a +load-balancing group, that socket will receive packets originating from any +host. This breaks the contract of the connect(2) and implied connect via +sendto(2), and may leave the application vulnerable to spoofing attacks. + +IV. Workaround + +No workaround is available. Software which does not use SO_REUSEPORT_LB is +not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-15.patch +# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-15.patch.asc +# gpg --verify netinet-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-14.patch +# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-14.patch.asc +# gpg --verify netinet-14.patch.asc + +[FreeBSD 13.x] +# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-13.patch +# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-13.patch.asc +# gpg --verify netinet-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ ef159100ec2b stable/15-n280782 +releng/15.0/ 98c539667881 releng/15.0-n280723 +stable/14/ e276759b3687 stable/14-n272700 +releng/14.3/ 058bcb57cd4b releng/14.3-n271448 +stable/13/ df888c8f41f6 stable/13-n259508 +releng/13.5/ 90e14aa082d3 releng/13.5-n259180 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24934> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:09.netinet.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmj5CrEACgkQbljekB8A +Gu98YQ//dMMpEdKapK6bBM++8HoSWeydnoUifFqu3LiDXcDTgQ6jVsmwQ/QOUPll +bOB7etdtu+FQEI4yl8d9w98TrXC8Mvl6p+dZ3SkIglLNeVmouiot+VDBpoOr/EPq +xXf6dGlkDneYTsAFXwDKe48vmisdWd1trtYhVuE6qWq54AH4Y3dv0+DOMIdlKbPc +GHFLRoJ/eEJH+3QAhL8Ozdp2WySUWHPMsScBRldcrhariXzEQ9KcM6TJx8mYGKta +DYeezna1DQ87wU8Zs5fKfhUS6q/YJcXr9Te5P1xirmcmgr2frJW1DjfWKI8oQ9ru +2mn6oedSu6nRFjpYzO9tS/7svC8Hkyyr1rsZujRkC5cMRwY2DovU653GoaOwadMc +gig8CvOeb1srD1kMnFyGfa54VTbGZCZ261bnGdUc9BCL8ARtv6q4KNTRofkYrCLP +YwGTxEsCVdNbtDGv5nLJ/V7RfAUMnp9YuYpHc0Auttt6cUW6DI3nGQg+LlfoCJ0n +JESXa3Fry0GcFWiPB6oigyFSH6c3Ml+E7TiUYAZOtQ4cqJG1v9x1Lv5BQ1dz5vah +J24oGW2uI6Xp0TbvIFBd6KCFZSa/dS9sq486norj17X7ktZ7EeVVpm4vRBtDEo4N +k2WdkjcWfSM5uLnYLZR+rp+1rhtSIxw3gZaoJLl18p+9NMOFBH4= +=RgID +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisory-template.txt b/website/static/security/advisory-template.txt index 87a8e6cd18..0d244e517b 100644 --- a/website/static/security/advisory-template.txt +++ b/website/static/security/advisory-template.txt @@ -11,7 +11,8 @@ Credits: Affects: <affected versions> <e.g., "All supported versions of FreeBSD.", "FreeBSD 13.4 and later.", "FreeBSD 13.x", or "FreeBSD 14.2"> -Corrected: 2025-XX-XX XX:XX:XX UTC (stable/14, 14.3-STABLE) +Corrected: 2025-XX-XX XX:XX:XX UTC (stable/15, 15.0-STABLE) + 2025-XX-XX XX:XX:XX UTC (stable/14, 14.3-STABLE) 2025-XX-XX XX:XX:XX UTC (releng/14.3, 14.3-RELEASE-pXX) 2025-XX-XX XX:XX:XX UTC (releng/14.2, 14.2-RELEASE-pXX) 2025-XX-XX XX:XX:XX UTC (stable/13, 13.5-STABLE) 
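Review bot: the stable/13 entry in the Corrected field of FreeBSD-SA-25:09.netinet.asc reads "13.4-STABLE", but the same field lists releng/13.5 at 13.5-RELEASE-p6 and the advisory-template hunk in this same change writes "(stable/13, 13.5-STABLE)"; the advisory line should say 13.5-STABLE. Two smaller points in the body: in III. Impact, "the contract of the connect(2) and implied connect via sendto(2)" would read better as "the contract of connect(2), including the implied connect performed by sendto(2)", and IV. Workaround could note that an application avoids the problem by not setting SO_REUSEPORT_LB on a socket it intends to connect, which follows directly from II. Problem Description stating that connected sockets are not meant to belong to load-balancing groups.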
@@ -117,6 +118,7 @@ following stable and release branches: Branch/path Hash Revision ------------------------------------------------------------------------- +stable/15/ XXXXXXXXXXXX stable/15-nXXXXXX stable/14/ XXXXXXXXXXXX stable/14-nXXXXXX releng/14.3/ XXXXXXXXXXXX releng/14.3-nXXXXXX releng/14.2/ XXXXXXXXXXXX releng/14.2-nXXXXXX diff --git a/website/static/security/errata-template.txt b/website/static/security/errata-template.txt index 0c55033296..61adffe11b 100644 --- a/website/static/security/errata-template.txt +++ b/website/static/security/errata-template.txt @@ -11,7 +11,8 @@ Credits: Affects: <affected versions> <e.g., "All supported versions of FreeBSD.", "FreeBSD 13.5 and later.", "FreeBSD 13.x", or "FreeBSD 14.2"> -Corrected: 2025-XX-XX XX:XX:XX UTC (stable/14, 14.3-STABLE) +Corrected: 2025-XX-XX XX:XX:XX UTC (stable/15, 15.0-STABLE) + 2025-XX-XX XX:XX:XX UTC (stable/14, 14.3-STABLE) 2025-XX-XX XX:XX:XX UTC (releng/14.3, 14.3-RELEASE-pXX) 2025-XX-XX XX:XX:XX UTC (releng/14.2, 14.2-RELEASE-pXX) 2025-XX-XX XX:XX:XX UTC (stable/13, 13.5-STABLE) @@ -117,6 +118,7 @@ following stable and release branches: Branch/path Hash Revision ------------------------------------------------------------------------- +stable/15/ XXXXXXXXXXXX stable/15-nXXXXXX stable/14/ XXXXXXXXXXXX stable/14-nXXXXXX releng/14.3/ XXXXXXXXXXXX releng/14.3-nXXXXXX releng/14.2/ XXXXXXXXXXXX releng/14.2-nXXXXXX diff --git a/website/static/security/patches/EN-25:15/arm64.patch b/website/static/security/patches/EN-25:15/arm64.patch new file mode 100644 index 0000000000..c5c5ea4b31 --- /dev/null +++ b/website/static/security/patches/EN-25:15/arm64.patch @@ -0,0 +1,11 @@ +--- sys/arm64/arm64/elf32_machdep.c.orig ++++ sys/arm64/arm64/elf32_machdep.c +@@ -195,7 +195,7 @@ + register_t *ap; + struct syscall_args *sa; + int error, i, nap, narg; +- unsigned int args[4]; ++ unsigned int args[6]; + + nap = 4; + p = td->td_proc; 
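Review bot: in the EN-25:15 elf32_machdep.c hunk, `args[]` grows from 4 to 6 entries while `nap = 4` in the trailing context stays a bare literal, so the relationship between the register-passed argument count and the array bound is no longer visible at the declaration; a comment stating why six slots are needed, or sizing the copy loop with `nitems(args)` instead of a separate constant, would record the invariant. The hunk shows only the declaration, so also confirm that the loop further down that fills `args[]` bounds `narg` against the array size and not against a second hard-coded value.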
diff --git a/website/static/security/patches/EN-25:15/arm64.patch.asc b/website/static/security/patches/EN-25:15/arm64.patch.asc new file mode 100644 index 0000000000..5b8cae892e --- /dev/null +++ b/website/static/security/patches/EN-25:15/arm64.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBIACgkQbljekB8A +Gu/RohAA4pWcgChN+oBJGkiwMVH8mj+pdLE0aIbC3EVPEMfcF3twv2ZHrI+L38p6 +sRL1tMohZQFkA1NmTNnxf/qZmwnMei1nqeTTkfCHZPMBUeeoFh7TK9gl+qpGTcJr +WibRnC2breqD63sQXvaSihPo2ayc0AWDrDE8XRLEHgYE4EV940nFyb0elr8cV+4P +EaXOGn3vN9k7xYnPXwlX9Nt8MoYpY0LJFONCcBhpZNyun+VR3GaUBuGe9fyfMZYP +znNBdH4Kx5wwd3rEa2uo/ErLA1HU2E5BXrjE99VGHt+GNn8TgIxC4oS1+jKV56oM +/4VeeBlouIAM266opHtzk6OsQC5H9FyilM6XjSr1G80HfKYz3h1zPwIMRYKuI7sr +lQd7/XotZKkBIGy5bNeouwPhqt5iXerbDBNq+i80AoxQcLup+GEKmNRmkiahyetm +nj6dJRwtn1f8Fy8w3sMeH9UswFBi8j/oUcQ48GQ8s4BxcYKFkm4+aViYYa85AlSp +awFDp2un/oZIR8KNalAQI5cPTSyG6E/G2Ssg08ThhDrXANF9hPuzKodmc69+okVX +5EoC8wAVYG1mdR2V/7nQO478w8yRu+ne9bvQvAup7umdwGR7psNMB+Zua6zl1WsJ +8I2N8jC5w32scN7pzVNfdwYD5S8eLZB8iFQ6WlxKE/LhTJ7lXEw= +=pygX +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:16/vfs.patch b/website/static/security/patches/EN-25:16/vfs.patch new file mode 100644 index 0000000000..226ae9f81a --- /dev/null +++ b/website/static/security/patches/EN-25:16/vfs.patch 
@@ -0,0 +1,52 @@ +--- sys/kern/vfs_syscalls.c.orig ++++ sys/kern/vfs_syscalls.c +@@ -5050,11 +5050,12 @@ + size_t retlen; + void *rl_rcookie, *rl_wcookie; + off_t inoff, outoff, savinoff, savoutoff; +- bool foffsets_locked; ++ bool foffsets_locked, foffsets_set; + + infp = outfp = NULL; + rl_rcookie = rl_wcookie = NULL; + foffsets_locked = false; ++ foffsets_set = false; + error = 0; + retlen = 0; + +@@ -5122,6 +5123,8 @@ + } + foffset_lock_pair(infp1, &inoff, outfp1, &outoff, 0); + foffsets_locked = true; ++ } else { ++ foffsets_set = true; + } + savinoff = inoff; + savoutoff = outoff; +@@ -5180,11 +5183,12 @@ + vn_rangelock_unlock(invp, rl_rcookie); + if (rl_wcookie != NULL) + vn_rangelock_unlock(outvp, rl_wcookie); ++ if ((foffsets_locked || foffsets_set) && ++ (error == EINTR || error == ERESTART)) { ++ inoff = savinoff; ++ outoff = savoutoff; ++ } + if (foffsets_locked) { +- if (error == EINTR || error == ERESTART) { +- inoff = savinoff; +- outoff = savoutoff; +- } + if (inoffp == NULL) + foffset_unlock(infp, inoff, 0); + else +@@ -5193,6 +5197,9 @@ + foffset_unlock(outfp, outoff, 0); + else + *outoffp = outoff; ++ } else if (foffsets_set) { ++ *inoffp = inoff; ++ *outoffp = outoff; + } + if (outfp != NULL) + fdrop(outfp, td); diff --git a/website/static/security/patches/EN-25:16/vfs.patch.asc b/website/static/security/patches/EN-25:16/vfs.patch.asc new file mode 100644 index 0000000000..5d302e77f4 --- /dev/null +++ b/website/static/security/patches/EN-25:16/vfs.patch.asc 
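Review bot: in the last hunk of EN-25:16 vfs.patch, the new `} else if (foffsets_set) {` branch dereferences both `inoffp` and `outoffp` unconditionally, whereas the `foffsets_locked` path right above it tests each pointer for NULL separately; the condition under which `foffsets_set = true` is assigned (the `else` of the block that calls `foffset_lock_pair()`) is outside the visible context, so confirm that it implies both pointers are non-NULL, otherwise the assignments need the same NULL checks. A one-line comment at the `foffsets_set` declaration saying that it means "caller supplied both offsets, nothing was locked" would also make the restore-on-EINTR/ERESTART block easier to follow.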
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBQACgkQbljekB8A +Gu9MZBAAghcIHmJAoGyWlG9gEsbEMRWmg9KDcNZuJ6oJM3EzRw/d7nzfvFHQUkk4 +5Seao9EexaN6XO/sq4v+6dVYh3c1lrlBTK7dHA0Mt9XSCip202Fh4rzZA5QhhjhD +8WwaF1J/y1FZv0ag5Z8XJxCIQCz49V/VctObzhq5PpB1XF+Axbddz2H80Jxb27Kh +GEcbKW66+CfVtL3AAhpvCUfgLyEciS1qhfC2tnNrIEl2gSlEqj7AaZ/fx4v/F1QK +ixo0nFQyox13HrlOMWgJBQJM1bCjwueERVmZSnT88SG9cro+LiEdzrbY+ITAMtqT +lA2oQ8AbOYYVPvwc0fnlDlxhwmjFzMSCm+mQQ/haYVrLrIcMeJ8SzV/gxEuamkpi +C0lgf5Y4mzv102CKUygghuOfNnOi0zFjCTqSf5q/7TwaNuelYn/kndMOj9qFFCjn +Wtvvn1BPVnnsLj2xgr1w4V6BnZDjo+xLujLQKOYt5x1RrlPQ/pEt3WNg/ekldLEy +Po4Hzmih/DLfqUo3ttKI4ZXeTisv7KmHE4woy/ok+FZ4U+SxaWKalEoNab7MgTRm +nV7jfMA4AiiK5jkK/3TCPvc82TktgufH19IVuCrMe1RocVxfjIGtXoJ0osLG1YIL +pGlJ5/MXZQLGE4oPi4wb2lErHwpogfS6Jq0prnXE6IbLAi6EHFk= +=Yxtv +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:17/bnxt.patch b/website/static/security/patches/EN-25:17/bnxt.patch new file mode 100644 index 0000000000..796f2332bf --- /dev/null +++ b/website/static/security/patches/EN-25:17/bnxt.patch 
@@ -0,0 +1,44 @@ +--- sys/dev/bnxt/bnxt_en/if_bnxt.c.orig ++++ sys/dev/bnxt/bnxt_en/if_bnxt.c +@@ -4609,34 +4609,34 @@ + + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_40G_ACTIVE_CABLE: + media_type = BNXT_MEDIA_AC; +- return; ++ break; + + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_1G_BASECX: + media_type = BNXT_MEDIA_BASECX; +- return; ++ break; + + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_1G_BASET: + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_BASET: + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_BASETE: + media_type = BNXT_MEDIA_BASET; +- return; ++ break; + + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_BASEKX: + media_type = BNXT_MEDIA_BASEKX; +- return; ++ break; + + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_SGMIIEXTPHY: + media_type = BNXT_MEDIA_BASESGMII; +- return; ++ break; + + case HWRM_PORT_PHY_QCFG_OUTPUT_PHY_TYPE_UNKNOWN: + /* Only Autoneg is supported for TYPE_UNKNOWN */ +- return; ++ break; + + default: + /* Only Autoneg is supported for new phy type values */ + device_printf(softc->dev, "phy type %d not supported by driver\n", phy_type); +- return; ++ break; + } + + switch (link_info->sig_mode) { diff --git a/website/static/security/patches/EN-25:17/bnxt.patch.asc b/website/static/security/patches/EN-25:17/bnxt.patch.asc new file mode 100644 index 0000000000..6e25f45b25 --- /dev/null +++ b/website/static/security/patches/EN-25:17/bnxt.patch.asc 
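Review bot: changing every `return` to `break` in the phy_type switch of EN-25:17 bnxt.patch means the `switch (link_info->sig_mode)` shown as trailing context now also runs for the TYPE_UNKNOWN and `default` cases, neither of which assigns `media_type` in this hunk; confirm that `media_type` is initialised before the first switch so the sig_mode handling does not consume an indeterminate value. The comments on those two cases ("Only Autoneg is supported ...") could also say that continuing into the sig_mode switch is intended, since the previous code deliberately returned there.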
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBYACgkQbljekB8A +Gu/wNRAAsT7ZDT8E6cuOTcv2lZMKjYdW4gVdM8FQPbHrWm1GgURK7Gm9X6HPmSEC +kZRO4aYr3CDuPPLkUQk6PvQybIrZWq2/MkNu3OqnN4ByUCb1qzIIBMWAgzwyKZjT +rkh0VXgIHB0AMbecUsvX6y0J99eesxi0FG1zuGu9YrtKPwdM2ZejEaK+Ix5owpbP +czcvxcr6iLU7HJQgl7vWM0lnmKCUzTu/X+UH/UEyX8NRIfBdnsW39QheDR8/2ony +aL3z9V8I0rczQSxsRBFn4cDl4vYQ87zrtu8eai1hj9NQ1yCUuP5tqICBR0Ljwn+Q +oDlkZaVp/KgTVX1b5JxxU2EAHYAdVFBz9c1wJ7hz4ciuC4+luVFSZljz9tnrniuK +GmS/xPt9HirPFqH2GeYrdD8a58eKmr0ew9kL3upf49cITRvfIiwn8KSUzbakNok2 +SmKeAO7ScgCfS2I9xWj/VYiePwKsd2tPQ8/TgZfeHxKrFdwzpm1GZsacqX9kymvX +7r7Kl6VjNhuv2sLeEgd25GtG9i6G0bFXJJhC4ZUCkW5LCULIOywUdGEQ1HAvIvlb +ppHCIXZavoHYyXWRaPTAfxj6v9UdxHFzChK4AG21I4Chh28EutvDTG675HQ7FScd +ICnCu+g4bDgVJcWkwp+Ou5ViYFQM0e7WgJoBQ23krj6VFj0D0T4= +=66Ry +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:18/freebsd-update.patch b/website/static/security/patches/EN-25:18/freebsd-update.patch new file mode 100644 index 0000000000..df93f7bb03 --- /dev/null +++ b/website/static/security/patches/EN-25:18/freebsd-update.patch 
@@ -0,0 +1,32 @@ +--- usr.sbin/freebsd-update/freebsd-update.sh.orig ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -3111,10 +3111,28 @@ + grep -E '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + +- # Install new shared libraries next ++ # Next, in order, libsys, libc, and libthr. + grep -vE '^/boot/' $1/INDEX-NEW | + grep -vE '^[^|]+\|d\|' | + grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | ++ grep -E '^[^|]*/lib/libsys\.so\.[0-9]+\|' > INDEX-NEW ++ install_from_index INDEX-NEW || return 1 ++ grep -vE '^/boot/' $1/INDEX-NEW | ++ grep -vE '^[^|]+\|d\|' | ++ grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | ++ grep -E '^[^|]*/lib/libc\.so\.[0-9]+\|' > INDEX-NEW ++ install_from_index INDEX-NEW || return 1 ++ grep -vE '^/boot/' $1/INDEX-NEW | ++ grep -vE '^[^|]+\|d\|' | ++ grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | ++ grep -E '^[^|]*/lib/libthr\.so\.[0-9]+\|' > INDEX-NEW ++ install_from_index INDEX-NEW || return 1 ++ ++ # Install the rest of the shared libraries next ++ grep -vE '^/boot/' $1/INDEX-NEW | ++ grep -vE '^[^|]+\|d\|' | ++ grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' | ++ grep -vE '^[^|]*/lib/(libsys|libc|libthr)\.so\.[0-9]+\|' | + grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + diff --git a/website/static/security/patches/EN-25:18/freebsd-update.patch.asc b/website/static/security/patches/EN-25:18/freebsd-update.patch.asc new file mode 100644 index 0000000000..f44b92f70d --- /dev/null +++ b/website/static/security/patches/EN-25:18/freebsd-update.patch.asc 
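Review bot: the three new pipelines for libsys, libc and libthr in EN-25:18 freebsd-update.patch repeat the same three exclusion greps and differ only in the library name; a `for lib in libsys libc libthr; do ... done` loop (or a small helper) would keep the install order explicit without the duplication, and would make it harder for these filters to drift from the final "rest of the shared libraries" pipeline, whose `(libsys|libc|libthr)` exclusion must stay in sync with them. Separately, when INDEX-NEW has no entry for one of these libraries the `grep -E ... > INDEX-NEW` produces an empty file; confirm that `install_from_index` treats an empty index as success, because the `|| return 1` would otherwise abort the whole install.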
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+yMACgkQbljekB8A +Gu85Mw/9HtHqy0ZseVpE6OhJy4+6pG00tCnQq/ERCbycGkyZziJakwCQFviEx0MO +MUSta9g8MhysdMLNTRl9wwaiEGoXxXZvRaEEFB0Crf4Fvt4V4QLzU7WUxgbfa4kp +wQOad+xzfe/7KLiUk70OHh1ODfYydC8NVPCoIT+pbkHzdGvaqEKXR8vtjs7Myf7V +M7Y6GhRs9tDvA63TEBWEVLP1wVTJ3sYGopeyzKU7xNBEngih5LaP17BOXMlA74rR +zrNxIkRTJe+gPAbMUyZ7OdmbdtzeYtcbwZN+7uf4Vd2xSP0VjqNlC8goKdPNw2kN +71mrGpejtDSqvT23RCPA3ek5dqDFsl+2h2MfUstNLofnKSO4H6pq0I61PZbYDDkY +VVgNdybqzs/lFsL4VNFS5dbaoa6OiBpX2yo2b7AUwaqtP4n6qKSaO2yTBsZfxoAs +nTZkCzbVCzlqP4JXCDdmjvnAhaf0DxEx7QsSj5YCp5RihIqXaE+XZ4LlQFt0HgDr +2iLLX2V9g3g966CKcXI0vVt/vzOqpakrcBpnslW0b6+rhthe1MTIhgdDLvpmJ5DX +a35bUeKqqxCq9yiPDKE0RpABnxSKEWGB+asVErLNRga97wf5fUojTmtLURALMIY8 +OSCW9nsI8iCX/4+eB3OfuWPpW9Z9IGB19CDMgdnVUnozBgjv0cM= +=saMY +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:08/openssl-13.patch b/website/static/security/patches/SA-25:08/openssl-13.patch new file mode 100644 index 0000000000..ff46f32c81 --- /dev/null +++ b/website/static/security/patches/SA-25:08/openssl-13.patch @@ -0,0 +1,11 @@ +--- crypto/openssl/crypto/cms/cms_pwri.c.orig ++++ crypto/openssl/crypto/cms/cms_pwri.c +@@ -215,7 +215,7 @@ + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } diff --git a/website/static/security/patches/SA-25:08/openssl-13.patch.asc b/website/static/security/patches/SA-25:08/openssl-13.patch.asc new file mode 100644 index 0000000000..b8cb1f7718 --- /dev/null +++ b/website/static/security/patches/SA-25:08/openssl-13.patch.asc 
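Review bot: the corrected condition `inlen < 4 + (size_t)tmp[0]` in SA-25:08 openssl-13.patch now requires the input to cover the 4-byte header plus `tmp[0]` bytes of wrapped key, which the old `(size_t)(tmp[0] - 4)` did not: it accepted inputs up to 8 bytes shorter than needed, and for `tmp[0] < 4` the int subtraction went negative before the cast. The unchanged comment `/* Invalid length value */` should state the invariant being enforced, for example "need 4 header bytes plus tmp[0] key bytes", so the subtraction is not reintroduced by a later reader.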
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+0IACgkQbljekB8A +Gu+lIg/+Lolkw+WssmbgxxZdypCud/7HTk/+M4YdBPMtoZYFec/Mzpw9ok+MUs2O +7Ev1mc0rQ9Rcfw5PEe6tKvC3MMFtWOcHNr3QqkkvkAA2nsxCeEPIBHyQiEm347PU +ntraIANMy+MbmaegU5+vyzpZQxBl6erAc+9p7eyMFBJtFzRCZV2SIPV4lUrgYsKq +WyjM7o7jRfOcn7aZ6X+pPnUjQY6jkJQIiHqytdG8XTIkzDvcpy88g9Yg1qxBwi// +ESgZWIHdU4kbChQJPFfYGYUFZ2tn15iMRjmjQA6SKCWpJNq56r3PLNCQ7Z99KCe8 +dAs0Uw0ZPQZuZVMNb3XV4W/MEDWc+2I9HUXwJfA6RFDbm71sj9XTwBYskEDPcD+q +w3OMkG184EUgqrZazaO2MLas+X7aaMwn7Dvr+zCjREfKp8s6Qar5nKgjP7XoBmTg +ewez2FEUmjdt7SIq5K81Xjmnd7Qu069Yztw/YavCHcQOpwf7Iea1etH9ynMQ0jEb +zAgO++HJJiN6+Noahcauet8L5TsjJIoZd8DTB2g0fONt1S5HCtklnBptyDfispBO +pWf059PG079wiTmL/qT1x4UnYnyZs32HghR9+R4tOkSFs3RiVMaGk8ZnIL+Nmp3v +sRx3so9zFU0TBVww9eRe9/ve4MKd+AqJJe8X1iioDvk7l8JyUTw= +=NXRd +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:08/openssl-14.patch b/website/static/security/patches/SA-25:08/openssl-14.patch new file mode 100644 index 0000000000..10c55dd60a --- /dev/null +++ b/website/static/security/patches/SA-25:08/openssl-14.patch @@ -0,0 +1,21 @@ +--- crypto/openssl/crypto/cms/cms_pwri.c.orig ++++ crypto/openssl/crypto/cms/cms_pwri.c +@@ -228,7 +228,7 @@ + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +--- crypto/openssl/crypto/http/http_lib.c.orig ++++ crypto/openssl/crypto/http/http_lib.c +@@ -267,6 +267,7 @@ + /* strip leading '[' and trailing ']' from escaped IPv6 address */ + sl -= 2; + strncpy(host, server + 1, sl); ++ host[sl] = '\0'; + server = host; + } + diff --git a/website/static/security/patches/SA-25:08/openssl-14.patch.asc b/website/static/security/patches/SA-25:08/openssl-14.patch.asc new file mode 100644 index 0000000000..43ac390451 --- /dev/null +++ b/website/static/security/patches/SA-25:08/openssl-14.patch.asc 
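Review bot: in the http_lib.c hunk of SA-25:08 openssl-14.patch, `strncpy(host, server + 1, sl)` copies exactly `sl` bytes and never terminates, so the added `host[sl] = '\0';` is the right fix, but the allocation of `host` is outside the visible context; confirm it was sized for at least `sl + 1` bytes after the `sl -= 2` adjustment. The cms_pwri.c hunk is the same correction as in openssl-13.patch at a different offset and needs no separate comment.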
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+0MACgkQbljekB8A +Gu8Mrg//Wx7TovEbu7hCYrBcs3+LwhVEQh2S6V7APXHtoXIY6Tp56b0ii60F5nBY +a8LSKYqb+sZlTgRt2IHU/gFAzHJAPB5zb2Vc+//T6l192mS8sI+Z3lgJQ8IvWaW5 +g3RI/iukDMo2He7xrXgtGukJjKOen/Y0gphb5kXApBgdw5I/yPXFhbF1WmfB13aN +M8gfhr7fuRBd+BXQ6S/q0WSNg0cwQkiA1fy0iE6xaIfeX6I44sxGBU7yKWnxfGfS +crExJdfVFTv+9duMRIjQovDAEheQBAd5ZJLnTUHmJX0pCP9Qv1Mg0rGchvVzKlSg +Q0GXLABmuyq81XwMHz9enW0xzTWmp1/9gCyL9+O/x5EeQnYqOSarWDxFg3G9qYyF +1TGAX7oj3PJ3s7HkHoBKKN3tR7pHjIi+EHkXFnbpA8Pik8rLY54kwMPHXSL153o7 +DNKyn41sx76+yBckiWKvNq6yIzRiFCcuQ8IwOVMNZ+bkw4M14HjSRs0+aDlmkvgG +Hs5tqWH0qdo5wMMp09aVizlXgTfTSZhdRxW/cUdS+XPBKJ7ogvTI/M9TDn33BzuP +oex1SeoBIRInKKMW6EipisAE9B6jnvfH5gsh2f0XpUDqX5vWBjOpxiF4hZLmPvti +nt18T+/ScdIwHebnKUob70hf3mTGxLpnPNH5eM8SdkMsJORGook= +=DhAy +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:08/openssl-15.patch b/website/static/security/patches/SA-25:08/openssl-15.patch new file mode 100644 index 0000000000..f4678a9583 --- /dev/null +++ b/website/static/security/patches/SA-25:08/openssl-15.patch 
@@ -0,0 +1,173 @@ +--- crypto/openssl/crypto/cms/cms_pwri.c.orig ++++ crypto/openssl/crypto/cms/cms_pwri.c +@@ -242,7 +242,7 @@ + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +--- crypto/openssl/crypto/ec/ecp_sm2p256.c.orig ++++ crypto/openssl/crypto/ec/ecp_sm2p256.c +@@ -56,10 +56,6 @@ + 0xffffffffffffffff, 0xffffffff00000000, + 0xffffffffffffffff, 0xfffffffeffffffff + }; +-ALIGN32 static const BN_ULONG def_ord[P256_LIMBS] = { +- 0x53bbf40939d54123, 0x7203df6b21c6052b, +- 0xffffffffffffffff, 0xfffffffeffffffff +-}; + + ALIGN32 static const BN_ULONG ONE[P256_LIMBS] = {1, 0, 0, 0}; + +@@ -177,13 +173,6 @@ + BN_MOD_INV(out, in, ecp_sm2p256_div_by_2, ecp_sm2p256_sub, def_p); + } + +-/* Modular inverse mod order |out| = |in|^(-1) % |ord|. */ +-static ossl_inline void ecp_sm2p256_mod_ord_inverse(BN_ULONG* out, +- const BN_ULONG* in) { +- BN_MOD_INV(out, in, ecp_sm2p256_div_by_2_mod_ord, ecp_sm2p256_sub_mod_ord, +- def_ord); +-} +- + /* Point double: R <- P + P */ + static void ecp_sm2p256_point_double(P256_POINT *R, const P256_POINT *P) + { +@@ -454,52 +443,6 @@ + } + #endif + +-/* +- * Convert Jacobian coordinate point into affine coordinate (x,y) +- */ +-static int ecp_sm2p256_get_affine(const EC_GROUP *group, +- const EC_POINT *point, +- BIGNUM *x, BIGNUM *y, BN_CTX *ctx) +-{ +- ALIGN32 BN_ULONG z_inv2[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG z_inv3[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG x_aff[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG y_aff[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG point_x[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG point_y[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG point_z[P256_LIMBS] = {0}; +- +- if (EC_POINT_is_at_infinity(group, point)) { +- ECerr(ERR_LIB_EC, EC_R_POINT_AT_INFINITY); +- return 0; +- } +- +- if (ecp_sm2p256_bignum_field_elem(point_x, point->X) <= 0 +- || ecp_sm2p256_bignum_field_elem(point_y, point->Y) <= 0 +- || 
ecp_sm2p256_bignum_field_elem(point_z, point->Z) <= 0) { +- ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); +- return 0; +- } +- +- ecp_sm2p256_mod_inverse(z_inv3, point_z); +- ecp_sm2p256_sqr(z_inv2, z_inv3); +- +- if (x != NULL) { +- ecp_sm2p256_mul(x_aff, point_x, z_inv2); +- if (!bn_set_words(x, x_aff, P256_LIMBS)) +- return 0; +- } +- +- if (y != NULL) { +- ecp_sm2p256_mul(z_inv3, z_inv3, z_inv2); +- ecp_sm2p256_mul(y_aff, point_y, z_inv3); +- if (!bn_set_words(y, y_aff, P256_LIMBS)) +- return 0; +- } +- +- return 1; +-} +- + /* r = sum(scalar[i]*point[i]) */ + static int ecp_sm2p256_windowed_mul(const EC_GROUP *group, + P256_POINT *r, +@@ -689,44 +632,6 @@ + return 1; + } + +-static int ecp_sm2p256_inv_mod_ord(const EC_GROUP *group, BIGNUM *r, +- const BIGNUM *x, BN_CTX *ctx) +-{ +- int ret = 0; +- ALIGN32 BN_ULONG t[P256_LIMBS] = {0}; +- ALIGN32 BN_ULONG out[P256_LIMBS] = {0}; +- +- if (bn_wexpand(r, P256_LIMBS) == NULL) { +- ECerr(ERR_LIB_EC, ERR_R_BN_LIB); +- goto err; +- } +- +- if ((BN_num_bits(x) > 256) || BN_is_negative(x)) { +- BIGNUM *tmp; +- +- if ((tmp = BN_CTX_get(ctx)) == NULL +- || !BN_nnmod(tmp, x, group->order, ctx)) { +- ECerr(ERR_LIB_EC, ERR_R_BN_LIB); +- goto err; +- } +- x = tmp; +- } +- +- if (!ecp_sm2p256_bignum_field_elem(t, x)) { +- ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); +- goto err; +- } +- +- ecp_sm2p256_mod_ord_inverse(out, t); +- +- if (!bn_set_words(r, out, P256_LIMBS)) +- goto err; +- +- ret = 1; +-err: +- return ret; +-} +- + const EC_METHOD *EC_GFp_sm2p256_method(void) + { + static const EC_METHOD ret = { +@@ -747,7 +652,7 @@ + ossl_ec_GFp_simple_point_copy, + ossl_ec_GFp_simple_point_set_to_infinity, + ossl_ec_GFp_simple_point_set_affine_coordinates, +- ecp_sm2p256_get_affine, ++ ossl_ec_GFp_simple_point_get_affine_coordinates, + 0, 0, 0, + ossl_ec_GFp_simple_add, + ossl_ec_GFp_simple_dbl, +@@ -763,7 +668,7 @@ + ecp_sm2p256_field_mul, + ecp_sm2p256_field_sqr, + 0 /* field_div */, +- 0 /* field_inv */, ++ 
ossl_ec_GFp_simple_field_inv, + 0 /* field_encode */, + 0 /* field_decode */, + 0 /* field_set_to_one */, +@@ -779,7 +684,7 @@ + ossl_ecdsa_simple_sign_setup, + ossl_ecdsa_simple_sign_sig, + ossl_ecdsa_simple_verify_sig, +- ecp_sm2p256_inv_mod_ord, ++ 0, /* use constant‑time fallback for inverse mod order */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ + 0, /* ladder_step */ +--- crypto/openssl/crypto/http/http_lib.c.orig ++++ crypto/openssl/crypto/http/http_lib.c +@@ -263,6 +263,7 @@ + /* strip leading '[' and trailing ']' from escaped IPv6 address */ + sl -= 2; + strncpy(host, server + 1, sl); ++ host[sl] = '\0'; + server = host; + } + diff --git a/website/static/security/patches/SA-25:08/openssl-15.patch.asc b/website/static/security/patches/SA-25:08/openssl-15.patch.asc new file mode 100644 index 0000000000..452a1fbaaa --- /dev/null +++ b/website/static/security/patches/SA-25:08/openssl-15.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+0QACgkQbljekB8A +Gu+tUg//daQG6OHScuUNTvwR9d3kOqeiEcA2hiaMg7BuPlaimq6+o4/Nsrxuu5z1 +l2l1seZXGP1iTXAWAjxL1d8ceVBJ4mqO3yhIg5qDF3rlhCNpHf8Fphl0yu7SQohx +wBVx2RcZ8ldq+TmvgNywWeEeuuJ5D4CukPHPAjIv1+/NB/P+NsrkC37YZ88bfckF +0oAqF6b2KONV3hBVVSAjMhoR3esDOoqp7yGwpzBsiDb7EANj+wMd1aYuUtp3bOHH +dZa0uGLEBITzd2s/rGEfsF7os0UdJFv0GJ2SZXxHUV80coIyKSxccFAwnxI1/CVY +8ji20zfYtdVmwn2ZhnVCO3n95HqAsiglX35LrrXSoohC3nx9XcCQr3BlYc6G6icC +9RnCeI6sFjAQ7x46fnYy51BrfgTmmRrTmGDbbGrrwphNP8QrrrXBRD7TIaHKmQgj +nTS7VsQya/X9pnQHTIxjmOPQ6gVLrZ0w6nBRyNC8HkjcCv+jOLXcyf+8flNTI84/ +dmuh9c/xDqzhXgUaEe4SHW9NtL9ohV7/l/Qt1FgXOV/VzHuK+kLtCXz9KskIsUYc +kKg0UPFuP0t0UgDimkXx3eLctEyfmJtbL/j1iLUqV442REkK+QttyJILV0GmMpQy +KvIHb9/sQnC65TpP3oyxbVcrasosNRhvaILmtzXvIInlqHC0OhQ= +=lGPI +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:09/netinet-13.patch b/website/static/security/patches/SA-25:09/netinet-13.patch new file mode 100644 index 0000000000..49031737eb --- /dev/null 
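Review bot: in SA-25:08 openssl-15.patch, switching the method table from `ecp_sm2p256_get_affine` to `ossl_ec_GFp_simple_point_get_affine_coordinates` only works because the same patch also fills the `field_inv` slot with `ossl_ec_GFp_simple_field_inv`; those two hunks are one logical change and a comment at the `field_inv` line saying the generic affine conversion depends on it would prevent one being reverted without the other. Removing `def_ord` and `ecp_sm2p256_mod_ord_inverse` also leaves `ecp_sm2p256_div_by_2_mod_ord` and `ecp_sm2p256_sub_mod_ord` (referenced only from the deleted function within this hunk) possibly without callers; if they are static, expect unused-function warnings unless they are removed too. Finally, the new comment `/* use constant‑time fallback for inverse mod order */` appears to contain a non-ASCII hyphen; a plain `-` is safer in C source.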
+++ b/website/static/security/patches/SA-25:09/netinet-13.patch 
@@ -0,0 +1,244 @@ +--- sys/netinet/in_pcb.c.orig ++++ sys/netinet/in_pcb.c +@@ -2668,6 +2668,7 @@ + struct inpcbinfo *pcbinfo = inp->inp_pcbinfo; + struct inpcbport *phd; + u_int32_t hashkey_faddr; ++ bool connected; + + INP_WLOCK_ASSERT(inp); + INP_HASH_WLOCK_ASSERT(pcbinfo); +@@ -2676,11 +2677,15 @@ + ("in_pcbinshash: INP_INHASHLIST")); + + #ifdef INET6 +- if (inp->inp_vflag & INP_IPV6) ++ if (inp->inp_vflag & INP_IPV6) { + hashkey_faddr = INP6_PCBHASHKEY(&inp->in6p_faddr); +- else ++ connected = !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr); ++ } else + #endif +- hashkey_faddr = inp->inp_faddr.s_addr; ++ { ++ hashkey_faddr = inp->inp_faddr.s_addr; ++ connected = inp->inp_faddr.s_addr != INADDR_ANY; ++ } + + pcbhash = &pcbinfo->ipi_hashbase[INP_PCBHASH(hashkey_faddr, + inp->inp_lport, inp->inp_fport, pcbinfo->ipi_hashmask)]; +@@ -2689,10 +2694,12 @@ + INP_PCBPORTHASH(inp->inp_lport, pcbinfo->ipi_porthashmask)]; + + /* +- * Add entry to load balance group. +- * Only do this if SO_REUSEPORT_LB is set. ++ * Ignore SO_REUSEPORT_LB if the socket is connected. Really this case ++ * should be an error, but for UDP sockets it is not, and some ++ * applications erroneously set it on connected UDP sockets, so we can't ++ * change this without breaking compatibility. 
+ */ +- if ((inp->inp_flags2 & INP_REUSEPORT_LB) != 0) { ++ if (!connected && (inp->inp_flags2 & INP_REUSEPORT_LB) != 0) { + int error = in_pcbinslbgrouphash(inp, M_NODOM); + if (error != 0) + return (error); +@@ -2761,6 +2768,7 @@ + struct inpcbinfo *pcbinfo = inp->inp_pcbinfo; + struct inpcbhead *head; + u_int32_t hashkey_faddr; ++ bool connected; + + INP_WLOCK_ASSERT(inp); + INP_HASH_WLOCK_ASSERT(pcbinfo); +@@ -2769,11 +2777,19 @@ + ("in_pcbrehash: !INP_INHASHLIST")); + + #ifdef INET6 +- if (inp->inp_vflag & INP_IPV6) ++ if (inp->inp_vflag & INP_IPV6) { + hashkey_faddr = INP6_PCBHASHKEY(&inp->in6p_faddr); +- else ++ connected = !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr); ++ } else + #endif +- hashkey_faddr = inp->inp_faddr.s_addr; ++ { ++ hashkey_faddr = inp->inp_faddr.s_addr; ++ connected = inp->inp_faddr.s_addr != INADDR_ANY; ++ } ++ ++ /* See the comment in in_pcbinshash(). */ ++ if (connected && (inp->inp_flags2 & INP_REUSEPORT_LB) != 0) ++ in_pcbremlbgrouphash(inp); + + head = &pcbinfo->ipi_hashbase[INP_PCBHASH(hashkey_faddr, + inp->inp_lport, inp->inp_fport, pcbinfo->ipi_hashmask)]; +--- tests/sys/netinet/so_reuseport_lb_test.c.orig ++++ tests/sys/netinet/so_reuseport_lb_test.c +@@ -29,6 +29,8 @@ + + #include <sys/cdefs.h> + #include <sys/param.h> ++#include <sys/filio.h> ++#include <sys/ioccom.h> + #include <sys/socket.h> + + #include <netinet/in.h> +@@ -236,10 +238,156 @@ + } + } + ++/* ++ * The kernel erroneously permits calling connect() on a UDP socket with ++ * SO_REUSEPORT_LB set. Verify that packets sent to the bound address are ++ * dropped unless they come from the connected address. 
++ */ ++ATF_TC_WITHOUT_HEAD(connect_udp); ++ATF_TC_BODY(connect_udp, tc) ++{ ++ struct sockaddr_in sin = { ++ .sin_family = AF_INET, ++ .sin_len = sizeof(sin), ++ .sin_addr = { htonl(INADDR_LOOPBACK) }, ++ }; ++ ssize_t n; ++ int error, len, s1, s2, s3; ++ char ch; ++ ++ s1 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s1 >= 0); ++ s2 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s2 >= 0); ++ s3 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s3 >= 0); ++ ++ error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1}, ++ sizeof(int)); ++ ATF_REQUIRE_MSG(error == 0, ++ "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno)); ++ error = bind(s1, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s2, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s3, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ /* Connect to an address not owned by s2. */ ++ error = getsockname(s3, (struct sockaddr *)&sin, ++ (socklen_t[]){sizeof(sin)}); ++ ATF_REQUIRE(error == 0); ++ error = connect(s1, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno)); ++ ++ /* Try to send a packet to s1 from s2. */ ++ error = getsockname(s1, (struct sockaddr *)&sin, ++ (socklen_t[]){sizeof(sin)}); ++ ATF_REQUIRE(error == 0); ++ ++ ch = 42; ++ n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin, ++ sizeof(sin)); ++ ATF_REQUIRE(n == 1); ++ ++ /* Give the packet some time to arrive. */ ++ usleep(100000); ++ ++ /* s1 is connected to s3 and shouldn't receive from s2. */ ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 0, "unexpected data available"); ++ ++ /* ... but s3 can of course send to s1. 
*/ ++ n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin, ++ sizeof(sin)); ++ ATF_REQUIRE(n == 1); ++ usleep(100000); ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len >= 1, "expected data available"); ++} ++ ++/* ++ * The kernel erroneously permits calling connect() on a UDP socket with ++ * SO_REUSEPORT_LB set. Verify that packets sent to the bound address are ++ * dropped unless they come from the connected address. ++ */ ++ATF_TC_WITHOUT_HEAD(connect_udp6); ++ATF_TC_BODY(connect_udp6, tc) ++{ ++ struct sockaddr_in6 sin6 = { ++ .sin6_family = AF_INET6, ++ .sin6_len = sizeof(sin6), ++ .sin6_addr = IN6ADDR_LOOPBACK_INIT, ++ }; ++ ssize_t n; ++ int error, len, s1, s2, s3; ++ char ch; ++ ++ s1 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s1 >= 0); ++ s2 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s2 >= 0); ++ s3 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s3 >= 0); ++ ++ error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1}, ++ sizeof(int)); ++ ATF_REQUIRE_MSG(error == 0, ++ "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno)); ++ error = bind(s1, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s2, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s3, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ /* Connect to an address not owned by s2. */ ++ error = getsockname(s3, (struct sockaddr *)&sin6, ++ (socklen_t[]){sizeof(sin6)}); ++ ATF_REQUIRE(error == 0); ++ error = connect(s1, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno)); ++ ++ /* Try to send a packet to s1 from s2. 
*/ ++ error = getsockname(s1, (struct sockaddr *)&sin6, ++ (socklen_t[]){sizeof(sin6)}); ++ ATF_REQUIRE(error == 0); ++ ++ ch = 42; ++ n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6, ++ sizeof(sin6)); ++ ATF_REQUIRE(n == 1); ++ ++ /* Give the packet some time to arrive. */ ++ usleep(100000); ++ ++ /* s1 is connected to s3 and shouldn't receive from s2. */ ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len >= 0, "unexpected data available"); ++ ++ /* ... but s3 can of course send to s1. */ ++ n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6, ++ sizeof(sin6)); ++ ATF_REQUIRE(n == 1); ++ usleep(100000); ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len >= 1, "expected data available"); ++} ++ + ATF_TP_ADD_TCS(tp) + { + ATF_TP_ADD_TC(tp, basic_ipv4); + ATF_TP_ADD_TC(tp, basic_ipv6); ++ ATF_TP_ADD_TC(tp, connect_udp); ++ ATF_TP_ADD_TC(tp, connect_udp6); + + return (atf_no_error()); + } diff --git a/website/static/security/patches/SA-25:09/netinet-13.patch.asc b/website/static/security/patches/SA-25:09/netinet-13.patch.asc new file mode 100644 index 0000000000..4767da0d8d --- /dev/null +++ b/website/static/security/patches/SA-25:09/netinet-13.patch.asc 
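Review bot: in the in_pcbrehash() hunk of SA-25:09 netinet-13.patch, removal from the load-balancing group is gated on `inp->inp_flags2 & INP_REUSEPORT_LB` rather than on actual membership; since in_pcbinshash() now skips group insertion for connected sockets, a socket can carry the flag without ever having been added, and `in_pcbremlbgrouphash(inp)` would then run for a non-member. Confirm it tolerates that case, or track membership explicitly the way the netinet-14.patch hunk below does with `INP_INLBGROUP`.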
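Review bot: in the connect_udp6 test added by netinet-13.patch, the first FIONREAD check is `ATF_REQUIRE_MSG(len >= 0, "unexpected data available")`, which can never fail (FIONREAD reports a non-negative count) and therefore does not verify that s1 dropped the datagram from s2; its IPv4 twin connect_udp uses `len == 0`, and this one should too. The two test bodies are otherwise identical apart from the address family, including the duplicated leading comment, so a shared helper taking the family and a prepared sockaddr would remove the duplication and make this kind of divergence harder to introduce.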
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmj5CrcACgkQbljekB8A +Gu+Aqg/8CJPC1rYA+WwpTlAFbQ4HbNrWWptKQvnvvc9qZ6I74p4B4g5tXTsarJaw +Y5fEX4o+SU1aM2x3jLEEKXvjm+BHjeI8OFWDIXsSwg6SH9CkXiiqVeFsgYl7ld0R +W1YU+1QN8/4co/QLOgbRAPFcTm8z6FX6yzWcWRnwrHksT6lSu6q0FTTm//2T+upN +QdW8L19dV0zvL36aA47P7WR5aiaRuyDj9K8gpQnD/rlCPjMpwmuVXdlvQDs7m0uE +4fbrNULAk+2QXUMqWG8qUbpLgAK5oNrI5dGVXzWwJ98pOm5gO7rozWlAE4bn46nk +9/4cMWVZoYHp4Ui0iHqb9nvdJQq21jFS1408Bxsi4sT+nztRsbO8plD3ihSiG+XL +VVcauVUxxf8ezbJmTSji5HTnSIs16kHPiVGCgEuX0bBeItyqrT9p6v379Jw2pSgH +FQHNGoFYJQ0KDlEFxpxChpZyyH7DMKYF0ckwd9apsD8HCUvw1w6y89UjahPpb7Gj +2p3O8NvEFpy0ODL0/h5G7Wc6hzs++i/gaiXiRZXhMtXY0rlpcH6N5SrTso2jY2SA +yEOM1AZV9v9hzS6st4R+Tot/e3j4OlxMjhSKJu9F3VyGyNbIhXFW8pMvjTD06CWM +YSLX4qyBoHhkrMpsj53acGif0hlikN59tuAuVRjGeXRgrbQudkU= +=4UW4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:09/netinet-14.patch b/website/static/security/patches/SA-25:09/netinet-14.patch new file mode 100644 index 0000000000..0c022135e8 --- /dev/null +++ b/website/static/security/patches/SA-25:09/netinet-14.patch 
@@ -0,0 +1,198 @@ +--- sys/netinet/in_pcb.c.orig ++++ sys/netinet/in_pcb.c +@@ -2702,10 +2702,13 @@ + INP_PCBPORTHASH(inp->inp_lport, pcbinfo->ipi_porthashmask)]; + + /* +- * Add entry to load balance group. +- * Only do this if SO_REUSEPORT_LB is set. ++ * Ignore SO_REUSEPORT_LB if the socket is connected. Really this case ++ * should be an error, but for UDP sockets it is not, and some ++ * applications erroneously set it on connected UDP sockets, so we can't ++ * change this without breaking compatibility. + */ +- if ((inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) { ++ if (!connected && ++ (inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) { + int error = in_pcbinslbgrouphash(inp, M_NODOM); + if (error != 0) + return (error); +@@ -2836,6 +2839,10 @@ + connected = !in_nullhost(inp->inp_faddr); + } + ++ /* See the comment in in_pcbinshash(). */ ++ if (connected && (inp->inp_flags & INP_INLBGROUP) != 0) ++ in_pcbremlbgrouphash(inp); ++ + /* + * When rehashing, the caller must ensure that either the new or the old + * foreign address was unspecified. +--- tests/sys/netinet/so_reuseport_lb_test.c.orig ++++ tests/sys/netinet/so_reuseport_lb_test.c +@@ -29,6 +29,8 @@ + + #include <sys/cdefs.h> + #include <sys/param.h> ++#include <sys/filio.h> ++#include <sys/ioccom.h> + #include <sys/socket.h> + + #include <netinet/in.h> +@@ -236,10 +238,156 @@ + } + } + ++/* ++ * The kernel erroneously permits calling connect() on a UDP socket with ++ * SO_REUSEPORT_LB set. Verify that packets sent to the bound address are ++ * dropped unless they come from the connected address. 
++ */ ++ATF_TC_WITHOUT_HEAD(connect_udp); ++ATF_TC_BODY(connect_udp, tc) ++{ ++ struct sockaddr_in sin = { ++ .sin_family = AF_INET, ++ .sin_len = sizeof(sin), ++ .sin_addr = { htonl(INADDR_LOOPBACK) }, ++ }; ++ ssize_t n; ++ int error, len, s1, s2, s3; ++ char ch; ++ ++ s1 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s1 >= 0); ++ s2 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s2 >= 0); ++ s3 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s3 >= 0); ++ ++ error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1}, ++ sizeof(int)); ++ ATF_REQUIRE_MSG(error == 0, ++ "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno)); ++ error = bind(s1, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s2, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s3, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ /* Connect to an address not owned by s2. */ ++ error = getsockname(s3, (struct sockaddr *)&sin, ++ (socklen_t[]){sizeof(sin)}); ++ ATF_REQUIRE(error == 0); ++ error = connect(s1, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno)); ++ ++ /* Try to send a packet to s1 from s2. */ ++ error = getsockname(s1, (struct sockaddr *)&sin, ++ (socklen_t[]){sizeof(sin)}); ++ ATF_REQUIRE(error == 0); ++ ++ ch = 42; ++ n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin, ++ sizeof(sin)); ++ ATF_REQUIRE(n == 1); ++ ++ /* Give the packet some time to arrive. */ ++ usleep(100000); ++ ++ /* s1 is connected to s3 and shouldn't receive from s2. */ ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 0, "unexpected data available"); ++ ++ /* ... but s3 can of course send to s1. 
*/ ++ n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin, ++ sizeof(sin)); ++ ATF_REQUIRE(n == 1); ++ usleep(100000); ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 1, "unexpected data available"); ++} ++ ++/* ++ * The kernel erroneously permits calling connect() on a UDP socket with ++ * SO_REUSEPORT_LB set. Verify that packets sent to the bound address are ++ * dropped unless they come from the connected address. ++ */ ++ATF_TC_WITHOUT_HEAD(connect_udp6); ++ATF_TC_BODY(connect_udp6, tc) ++{ ++ struct sockaddr_in6 sin6 = { ++ .sin6_family = AF_INET6, ++ .sin6_len = sizeof(sin6), ++ .sin6_addr = IN6ADDR_LOOPBACK_INIT, ++ }; ++ ssize_t n; ++ int error, len, s1, s2, s3; ++ char ch; ++ ++ s1 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s1 >= 0); ++ s2 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s2 >= 0); ++ s3 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s3 >= 0); ++ ++ error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1}, ++ sizeof(int)); ++ ATF_REQUIRE_MSG(error == 0, ++ "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno)); ++ error = bind(s1, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s2, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s3, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ /* Connect to an address not owned by s2. */ ++ error = getsockname(s3, (struct sockaddr *)&sin6, ++ (socklen_t[]){sizeof(sin6)}); ++ ATF_REQUIRE(error == 0); ++ error = connect(s1, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno)); ++ ++ /* Try to send a packet to s1 from s2. 
*/ ++ error = getsockname(s1, (struct sockaddr *)&sin6, ++ (socklen_t[]){sizeof(sin6)}); ++ ATF_REQUIRE(error == 0); ++ ++ ch = 42; ++ n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6, ++ sizeof(sin6)); ++ ATF_REQUIRE(n == 1); ++ ++ /* Give the packet some time to arrive. */ ++ usleep(100000); ++ ++ /* s1 is connected to s3 and shouldn't receive from s2. */ ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 0, "unexpected data available"); ++ ++ /* ... but s3 can of course send to s1. */ ++ n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6, ++ sizeof(sin6)); ++ ATF_REQUIRE(n == 1); ++ usleep(100000); ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 1, "unexpected data available"); ++} ++ + ATF_TP_ADD_TCS(tp) + { + ATF_TP_ADD_TC(tp, basic_ipv4); + ATF_TP_ADD_TC(tp, basic_ipv6); ++ ATF_TP_ADD_TC(tp, connect_udp); ++ ATF_TP_ADD_TC(tp, connect_udp6); + + return (atf_no_error()); + } diff --git a/website/static/security/patches/SA-25:09/netinet-14.patch.asc b/website/static/security/patches/SA-25:09/netinet-14.patch.asc new file mode 100644 index 0000000000..b0c2e2429c --- /dev/null +++ b/website/static/security/patches/SA-25:09/netinet-14.patch.asc 
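Review bot: the failure message on the last assertion of both connect_udp and connect_udp6, `ATF_REQUIRE_MSG(len == 1, "unexpected data available")`, reports the opposite of what happened: this check fires when the byte sent from s3 has not arrived, so it should read "expected data available" (the earlier `len == 0` check is the one for which "unexpected data available" is correct). Two further points. First, the tests rely on fixed `usleep(100000)` delays to let a loopback datagram land; on a loaded test host that is a source of flaky failures, and a bounded wait with poll(2) or kevent(2) on s1 before the FIONREAD ioctl would be more robust without slowing the test. Second, on the kernel side: the in_pcbrehash hunk removes the inpcb from the load-balance group when it becomes connected, and in_pcbinshash now skips insertion for a connected socket, but neither hunk shows the reverse transition. If a UDP socket with SO_REUSEPORT_LB set is later disconnected (connect(2) with AF_UNSPEC) and rehashed, is it re-inserted into the group, or does it silently stay out for the rest of its life? Either answer is defensible, but the comment in in_pcbinshash should say which one is intended.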
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmj5CrgACgkQbljekB8A +Gu+IoRAAlJrsOBxL+/qrj25ehBLzbEmgD3t6xdbz3GboR1Nfwx1ragW11xHR0sCN +Mx73rW8Gvf9vOAThvSPs4ajMq4gEmu5tTz8LR5wZnsiGQJrxgz8OZLIvQPIfiF0X +deaXmWE/QK+7T3zqGM5uQIv2I8XIhx6cyvnm5sXFL/cpjiWwWwo3eMiB4k5ecW0w +HZqF/VclSAnB7VhkyvoVOU45+9DdgG6wVdGTBZbGOm6Y7JKkrrlIH84yb4onNanx +XjPOwD+TNXFGlz1rS3R5KuVsEUx1TR3NCYkrjBZcTVFul3YhnH+Cvn2LxUKv+Brf +1EVywW11lF2FMa+cukIaei6Dnka79UnHdarKaCyBseSFmzmcV+XSb0dsvDoEF4mx +XvaIn7BBoEfcBcH2HB46huUWeVWAVvjC4qpkoKGYbiYnS+iamA+uTrazeP5zkgnz +f1KRpgVvAzFNQqGhUI6AO9m+/DugShjtHN6oT8HmKTNfEo2/nbEWGh1+KNCTWMfr +CtVWBwSCV0UECH5DcKDcbjtgoqnJ2qNkooye2ruSjbLkOr6wyWMcNnhm/y9XlXJc +1meQGpMWTHhPYyi+VK4Z+/E5oj3fNv9ZFKDrEnAq5lzNEhkW+O0tYVTkfj/D2bNy +CR50qzAogqsn73XJJ++y2mGa18hs0BNhwAOV8jy4clR4HCRP65c= +=lJlP +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:09/netinet-15.patch b/website/static/security/patches/SA-25:09/netinet-15.patch new file mode 100644 index 0000000000..7083189c9a --- /dev/null +++ b/website/static/security/patches/SA-25:09/netinet-15.patch 
@@ -0,0 +1,201 @@ +--- sys/netinet/in_pcb.c.orig ++++ sys/netinet/in_pcb.c +@@ -2665,10 +2665,13 @@ + INP_PCBPORTHASH(inp->inp_lport, pcbinfo->ipi_porthashmask)]; + + /* +- * Add entry to load balance group. +- * Only do this if SO_REUSEPORT_LB is set. ++ * Ignore SO_REUSEPORT_LB if the socket is connected. Really this case ++ * should be an error, but for UDP sockets it is not, and some ++ * applications erroneously set it on connected UDP sockets, so we can't ++ * change this without breaking compatibility. + */ +- if ((inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) { ++ if (!connected && ++ (inp->inp_socket->so_options & SO_REUSEPORT_LB) != 0) { + int error = in_pcbinslbgrouphash(inp, M_NODOM); + if (error != 0) + return (error); +@@ -2770,6 +2773,10 @@ + connected = !in_nullhost(inp->inp_faddr); + } + ++ /* See the comment in in_pcbinshash(). */ ++ if (connected && (inp->inp_flags & INP_INLBGROUP) != 0) ++ in_pcbremlbgrouphash(inp); ++ + /* + * When rehashing, the caller must ensure that either the new or the old + * foreign address was unspecified. +--- tests/sys/netinet/so_reuseport_lb_test.c.orig ++++ tests/sys/netinet/so_reuseport_lb_test.c +@@ -29,6 +29,8 @@ + + #include <sys/param.h> + #include <sys/event.h> ++#include <sys/filio.h> ++#include <sys/ioccom.h> + #include <sys/socket.h> + + #include <netinet/in.h> +@@ -551,6 +553,150 @@ + close(s); + } + ++/* ++ * The kernel erroneously permits calling connect() on a UDP socket with ++ * SO_REUSEPORT_LB set. Verify that packets sent to the bound address are ++ * dropped unless they come from the connected address. 
++ */ ++ATF_TC_WITHOUT_HEAD(connect_udp); ++ATF_TC_BODY(connect_udp, tc) ++{ ++ struct sockaddr_in sin = { ++ .sin_family = AF_INET, ++ .sin_len = sizeof(sin), ++ .sin_addr = { htonl(INADDR_LOOPBACK) }, ++ }; ++ ssize_t n; ++ int error, len, s1, s2, s3; ++ char ch; ++ ++ s1 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s1 >= 0); ++ s2 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s2 >= 0); ++ s3 = socket(PF_INET, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s3 >= 0); ++ ++ error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1}, ++ sizeof(int)); ++ ATF_REQUIRE_MSG(error == 0, ++ "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno)); ++ error = bind(s1, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s2, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s3, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ /* Connect to an address not owned by s2. */ ++ error = getsockname(s3, (struct sockaddr *)&sin, ++ (socklen_t[]){sizeof(sin)}); ++ ATF_REQUIRE(error == 0); ++ error = connect(s1, (struct sockaddr *)&sin, sizeof(sin)); ++ ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno)); ++ ++ /* Try to send a packet to s1 from s2. */ ++ error = getsockname(s1, (struct sockaddr *)&sin, ++ (socklen_t[]){sizeof(sin)}); ++ ATF_REQUIRE(error == 0); ++ ++ ch = 42; ++ n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin, ++ sizeof(sin)); ++ ATF_REQUIRE(n == 1); ++ ++ /* Give the packet some time to arrive. */ ++ usleep(100000); ++ ++ /* s1 is connected to s3 and shouldn't receive from s2. */ ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 0, "unexpected data available"); ++ ++ /* ... but s3 can of course send to s1. 
*/ ++ n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin, ++ sizeof(sin)); ++ ATF_REQUIRE(n == 1); ++ usleep(100000); ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 1, "unexpected data available"); ++} ++ ++/* ++ * The kernel erroneously permits calling connect() on a UDP socket with ++ * SO_REUSEPORT_LB set. Verify that packets sent to the bound address are ++ * dropped unless they come from the connected address. ++ */ ++ATF_TC_WITHOUT_HEAD(connect_udp6); ++ATF_TC_BODY(connect_udp6, tc) ++{ ++ struct sockaddr_in6 sin6 = { ++ .sin6_family = AF_INET6, ++ .sin6_len = sizeof(sin6), ++ .sin6_addr = IN6ADDR_LOOPBACK_INIT, ++ }; ++ ssize_t n; ++ int error, len, s1, s2, s3; ++ char ch; ++ ++ s1 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s1 >= 0); ++ s2 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s2 >= 0); ++ s3 = socket(PF_INET6, SOCK_DGRAM, 0); ++ ATF_REQUIRE(s3 >= 0); ++ ++ error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1}, ++ sizeof(int)); ++ ATF_REQUIRE_MSG(error == 0, ++ "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno)); ++ error = bind(s1, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s2, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ error = bind(s3, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno)); ++ ++ /* Connect to an address not owned by s2. */ ++ error = getsockname(s3, (struct sockaddr *)&sin6, ++ (socklen_t[]){sizeof(sin6)}); ++ ATF_REQUIRE(error == 0); ++ error = connect(s1, (struct sockaddr *)&sin6, sizeof(sin6)); ++ ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno)); ++ ++ /* Try to send a packet to s1 from s2. 
*/ ++ error = getsockname(s1, (struct sockaddr *)&sin6, ++ (socklen_t[]){sizeof(sin6)}); ++ ATF_REQUIRE(error == 0); ++ ++ ch = 42; ++ n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6, ++ sizeof(sin6)); ++ ATF_REQUIRE(n == 1); ++ ++ /* Give the packet some time to arrive. */ ++ usleep(100000); ++ ++ /* s1 is connected to s3 and shouldn't receive from s2. */ ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 0, "unexpected data available"); ++ ++ /* ... but s3 can of course send to s1. */ ++ n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6, ++ sizeof(sin6)); ++ ATF_REQUIRE(n == 1); ++ usleep(100000); ++ error = ioctl(s1, FIONREAD, &len); ++ ATF_REQUIRE(error == 0); ++ ATF_REQUIRE_MSG(len == 1, "unexpected data available"); ++} ++ + ATF_TP_ADD_TCS(tp) + { + ATF_TP_ADD_TC(tp, basic_ipv4); +@@ -561,6 +707,8 @@ + ATF_TP_ADD_TC(tp, bind_without_listen); + ATF_TP_ADD_TC(tp, connect_not_bound); + ATF_TP_ADD_TC(tp, connect_bound); ++ ATF_TP_ADD_TC(tp, connect_udp); ++ ATF_TP_ADD_TC(tp, connect_udp6); + + return (atf_no_error()); + } diff --git a/website/static/security/patches/SA-25:09/netinet-15.patch.asc b/website/static/security/patches/SA-25:09/netinet-15.patch.asc new file mode 100644 index 0000000000..380b5aba55 --- /dev/null +++ b/website/static/security/patches/SA-25:09/netinet-15.patch.asc 
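Review bot: the comment above connect_udp6 is a verbatim copy of the one above connect_udp and never mentions that this is the IPv6 variant; a one-line "IPv6 version of connect_udp" would make the test list easier to read, and the two bodies differ only in the sockaddr type and protocol family, so a helper parameterized on the address family would remove the duplication and keep the assertions from drifting apart (the `len == 1` assertion here carries the same misleading "unexpected data available" message as in netinet-14.patch and should say "expected data available"). Also, the surrounding tests in this file close their sockets on exit (see the `close(s);` context at the top of the test hunk), while connect_udp and connect_udp6 leave s1, s2 and s3 open; ATF runs each body in its own process so nothing leaks, but closing them keeps the new cases consistent with the rest of the file.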
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmj5CrkACgkQbljekB8A +Gu9urA//d3+X7bwSN9niBanoXBIRFsxr7+im0rHelA5UtPJ9OQ160IAbDdu2H9Cn +76HavCQ+bpytDZxVTWplm9lK9NskFq71ChMosgH7rqDPVcgqyNPqDuGWNbH28dBq +sBydMzY7ZkiDurLlUaesQCKopBES8I4s9DXmO9lWLXm0VI2CkiCYkf3HPZeyxJp5 +7NLXNZQWz+/Osnd1HYb/HlxEiX/DjDgnvbtD11ho2kzlO9wDy4jKwOwAgM49+UP9 +HapQh+1nrRPiX/dqZ5bAVLnztTjSVXq58V/kejpHHlbht8OxAqkGfSoeHB6emSyl +gH5fPSnBd9/IwpBUR79f0+BuHkkibhoVOrSqNl95C3VyuUNPhy/fhrChEQbET1vs +NfbsGO7pNaaTjg5zjEGXJK8x8q+S9R9Q31M1Lts5FMiKdjGIHNzWPu+ZLPMSXBdy +3iJ0OAaLLo5GJ6mefJWCTyUGbegaaxjBrJD+No12sjgXkcogvMm0VvmA7wNxnBXW +Fevs5++9hR8NU4eIhCx3mZQaQDwFOgoV6zKcPtir52jZd+txKnkw3fC01RKE86FW +opINfUTA/W4sZCG2DaSuU7USo2vMKG3m//HBvbO5eSBq+qnavFOWTvQUc16hfMxa +7+pd8VXtdEiZkwqR2Dj58Gt9D3xqoh4fbHQ+AbqvoN3lPJmnNsA= +=/zfq +-----END PGP SIGNATURE----- |
