FreeBSD Security Advisory FreeBSD-SA-18:07.lazyfpu
=============================================================================
FreeBSD-SA-18:07.lazyfpu                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Lazy FPU State Restore Information Disclosure

Category:       core
Module:         kernel
Announced:      2018-06-21
Credits:        Julian Stecklina from Amazon Germany
                Thomas Prescher from Cyberus Technology GmbH
                Zdenek Sojka from SYSGO AG
                Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
                2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
                2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
CVE Name:       CVE-2018-3665

Special Note:   This advisory only addresses this issue for FreeBSD 11.x on
                i386 and amd64.  We expect to update this advisory to include
                10.x in the near future.

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Modern CPUs have a floating point unit (FPU) which needs to maintain state
per thread.  One technique is to only save and to only restore the FPU state
for a thread when a thread attempts to utilize the FPU.  This technique is
called Lazy FPU state restore.

II.  Problem Description

A subset of Intel processors can allow a local thread to infer data from
another thread through a speculative execution side channel when Lazy FPU
state restore is used.

III. Impact

Any local thread can potentially read FPU state information from other
threads running on the host.  This could include cryptographic keys when the
AES-NI CPU feature is present.

IV.  Workaround

No workaround is available, but non-Intel branded CPUs are not believed to
be vulnerable.

V.   Solution

The patch changes from Lazy FPU state restore to Eager FPU state restore.
This new technique is the recommended practice from Intel and in some cases
can actually increase performance, depending on workload.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
# gpg --verify lazyfpu-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r335169
releng/11.2/                                                      r335196
releng/11.1/                                                      r335465
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>
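As an added illustration of the difference between lazy and eager FPU state restore that sections I and V describe, here is a toy Python model. It is not FreeBSD kernel code: the names Cpu, Thread, after_switch and after_first_use are mine, the four-entry list stands in for the FPU register file, and the values loaded by the first thread are constructed stand-ins for key material. The model only tracks whose state physically sits in the registers after a context switch; the speculative side channel itself is outside the model.

```python
"""Toy model of lazy vs. eager FPU state restore across a context switch.

Added illustration, not FreeBSD kernel code.  The "register file" is a
four-entry list; a real CPU has x87/SSE/AVX state that the kernel saves
into and restores from each thread's PCB.
"""


class Thread:
    def __init__(self, name, saved_fpu):
        self.name = name
        # This thread's own FPU state as the kernel keeps it in the PCB.
        self.saved_fpu = list(saved_fpu)


class Cpu:
    def __init__(self, eager):
        self.eager = eager            # True: eager restore, False: lazy restore
        self.fpu_regs = [0, 0, 0, 0]  # physical FPU register file (constructed)
        self.fpu_owner = None         # thread whose state is physically in regs
        self.fpu_trap_armed = False   # lazy mode: first FPU use traps to kernel
        self.current = None

    def switch_to(self, thread):
        # Save the outgoing thread's state if it is what the registers hold.
        if self.current is not None and self.fpu_owner is self.current:
            self.current.saved_fpu = list(self.fpu_regs)
        self.current = thread
        if self.eager:
            # Eager restore: the registers always hold the running thread's
            # state, so the previous thread's values are overwritten now.
            self.fpu_regs = list(thread.saved_fpu)
            self.fpu_owner = thread
            self.fpu_trap_armed = False
        else:
            # Lazy restore: leave the previous owner's values in the registers
            # and arm the "device not available" trap; the state is restored
            # only if and when the new thread executes an FPU instruction.
            self.fpu_trap_armed = True

    def use_fpu(self, values):
        """The current thread executes an FPU instruction that writes values."""
        if not self.eager and self.fpu_trap_armed:
            # Trap handler: restore the current thread's own state first.
            self.fpu_regs = list(self.current.saved_fpu)
            self.fpu_owner = self.current
            self.fpu_trap_armed = False
        self.fpu_regs = list(values)

    def owner_name(self):
        return self.fpu_owner.name if self.fpu_owner is not None else None


KEY_MATERIAL = [0xC0, 0xFF, 0xEE, 0x42]  # constructed stand-in for key bytes


def after_switch(eager):
    """Return (owner of the physical FPU registers, their contents) right
    after switching from a thread that used the FPU to one that has not."""
    cpu = Cpu(eager)
    crypto = Thread("crypto", [0, 0, 0, 0])
    other = Thread("other", [0, 0, 0, 0])
    cpu.switch_to(crypto)
    cpu.use_fpu(KEY_MATERIAL)   # e.g. AES-NI round keys living in XMM registers
    cpu.switch_to(other)        # 'other' has not touched the FPU yet
    return cpu.owner_name(), list(cpu.fpu_regs)


def after_first_use(eager):
    """Same scenario, but 'other' then executes one FPU instruction."""
    cpu = Cpu(eager)
    crypto = Thread("crypto", [0, 0, 0, 0])
    other = Thread("other", [1, 1, 1, 1])
    cpu.switch_to(crypto)
    cpu.use_fpu(KEY_MATERIAL)
    cpu.switch_to(other)
    cpu.use_fpu([2, 2, 2, 2])
    return cpu.owner_name(), list(cpu.fpu_regs), list(crypto.saved_fpu)


if __name__ == "__main__":
    print("lazy :", after_switch(eager=False))  # crypto's values still in regs
    print("eager:", after_switch(eager=True))   # other's values, crypto's gone
```

Under lazy restore the previous thread's register contents stay in the physical register file until the new thread's first FPU instruction takes the trap; that window is what section II refers to. Under eager restore the window does not exist, because the switch itself overwrites the registers, which is why the patch in section V changes the mode rather than adding a filter.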
[SECURITY] [DSA 4232-1] xen security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4232-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 20, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3665

This update provides mitigations for the "lazy FPU" vulnerability affecting
a range of Intel CPUs, which could result in leaking CPU register states
belonging to another vCPU previously scheduled on the same CPU. For
additional information please refer to
https://xenbits.xen.org/xsa/advisory-267.html

For the stable distribution (stretch), this problem has been fixed in
version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[slackware-security] gnupg (SSA:2018-170-01)
New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/gnupg-1.4.23-i586-1_slack14.2.txz:  Upgraded.
  Sanitize the diagnostic output of the original file name in verbose mode.
  By using a made up file name in the message it was possible to fake status
  messages.  Using this technique it was for example possible to fake the
  verification status of a signed mail.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnupg-1.4.23-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnupg-1.4.23-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnupg-1.4.23-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnupg-1.4.23-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnupg-1.4.23-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnupg-1.4.23-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnupg-1.4.23-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnupg-1.4.23-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/gnupg-1.4.23-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/gnupg-1.4.23-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/gnupg-1.4.23-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/gnupg-1.4.23-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg-1.4.23-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg-1.4.23-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 13.0 package:
e3fd748746eebd7c73a37ee7b9a6fc8d  gnupg-1.4.23-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
86b54ca9798d4165e8ebeb896111b6d4  gnupg-1.4.23-x86_64-1_slack13.0.txz

Slackware 13.1 package:
c0e29f1d4533c0ca87af087d6499bf06  gnupg-1.4.23-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
d82a4e0e70df7505ee5a1ae43310a02f  gnupg-1.4.23-x86_64-1_slack13.1.txz

Slackware 13.37 package:
d8ab207d74fefc379e4b1f0a100031c9  gnupg-1.4.23-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
0b118525aa8221af24a016dca610131e  gnupg-1.4.23-x86_64-1_slack13.37.txz

Slackware 14.0 package:
e3adf42872a9802e493e5b64308a63f8  gnupg-1.4.23-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
e529dd67cf4b3f3d07d182a006a3a4d0  gnupg-1.4.23-x86_64-1_slack14.0.txz

Slackware 14.1 package:
9c357070da7b83d54ec78bcd6153634d  gnupg-1.4.23-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
1bb034ddc21cabd485ea11b0a52ddc45  gnupg-1.4.23-x86_64-1_slack14.1.txz

Slackware 14.2 package:
e1f3ce5a7792f1d5114016a4422e89d6  gnupg-1.4.23-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
03b9ee586771e16030060a0f19be78e1  gnupg-1.4.23-x86_64-1_slack14.2.txz

Slackware -current package:
5fbae3f3c437309df772713b4d3f6550  n/gnupg-1.4.23-i586-1.txz

Slackware x86_64 -current package:
f0d9b825caf815938f60caf3a7839886  n/gnupg-1.4.23-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg gnupg-1.4.23-i586-1_slack14.2.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
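The ChangeLog entry above describes a verbose diagnostic whose text came from a file name embedded in the message. The following Python is an added illustration of that mechanism and of the sanitizing fix; it is not GnuPG code. It models a verbose diagnostic and a status stream sharing one descriptor, shows how a file name containing a newline contributes a line that a status-fd consumer would accept as its own, and applies a percent-escaping sanitizer (my implementation; the exact escaping GnuPG adopted is not stated on the page, so this is an assumption). The status keywords are real GnuPG ones; the diagnostic wording, the key ID and the user ID are constructed placeholders.

```python
"""Added illustration of the CVE-2018-12020 mechanism and its mitigation.
Not GnuPG code: the diagnostic wording, the sanitizer and the sample file
names below are constructed for this example."""

STATUS_PREFIX = "[GNUPG:] "


def sanitize_filename(name):
    """Percent-escape '%' and control characters so the name cannot
    contribute a line break (or another control sequence) to the output.
    Assumption: this mirrors the idea of the fix, not its exact code."""
    out = []
    for ch in name:
        code = ord(ch)
        if ch == "%" or code < 0x20 or code == 0x7F:
            out.append("%%%02X" % code)
        else:
            out.append(ch)
    return "".join(out)


def verbose_diagnostic(original_name, sanitize):
    """The verbose-mode line about the literal packet's embedded file name.
    Wording modelled on gpg's diagnostic; constructed here."""
    shown = sanitize_filename(original_name) if sanitize else original_name
    return "gpg: original file name='%s'\n" % shown


def status_messages(stream):
    """What a --status-fd consumer (for example a mail client) extracts
    from a stream in which diagnostics and status lines share a descriptor.
    Returns only the status keywords."""
    return [line[len(STATUS_PREFIX):].split(" ")[0]
            for line in stream.splitlines()
            if line.startswith(STATUS_PREFIX)]


# Constructed inputs.  The genuine status stream here reports successful
# decryption of a message that carries no signature at all.
REAL_STATUS = STATUS_PREFIX + "DECRYPTION_OKAY\n"
HONEST_NAME = "report.txt"
# A file name built to smuggle a status line: a newline, then the status
# prefix and a keyword.  Key ID and user ID are obvious placeholders.
FORGED_NAME = "report.txt\n" + STATUS_PREFIX + \
    "GOODSIG 0000000000000000 Placeholder Name <nobody@example.invalid>"


def observed_status(original_name, sanitize):
    """Status keywords a consumer sees for a message with this file name."""
    stream = verbose_diagnostic(original_name, sanitize) + REAL_STATUS
    return status_messages(stream)


if __name__ == "__main__":
    print("unsanitized:", observed_status(FORGED_NAME, sanitize=False))
    print("sanitized:  ", observed_status(FORGED_NAME, sanitize=True))
```

Without sanitizing, the consumer sees a GOODSIG for a message that was never signed; with the control characters escaped, the diagnostic stays on its own "gpg:" line and only the genuine status remains. The same principle applies to any program that multiplexes untrusted strings into a machine-parsed channel: escape at the boundary, and, on the consuming side, prefer a dedicated status descriptor over parsing stderr.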
XSS in Canopy login page
[Title]
XSS in Canopy login page

--

[Description]
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users. This instance of stored cross-site scripting (XSS) vulnerability could allow any user with administrator rights to inject malicious scripts to compromise any user that visits the login page.

--

[Authors]
Wen Bin Kong (@kongwenbin) & @ryantzj

--

[CVSSv3 Score]
3.8

--

[CVSS Vector]
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

--

[Vulnerability Type]
Cross Site Scripting (XSS)

--

[Vendor of Product]
CheckSec Ltd

--

[Affected Product Code Base]
Canopy - 3.0.0-3.0.6

--

[Affected Component]
Login Page Disclaimer

--

[Attack Type]
Context-dependent

--

[CVE ID]
CVE-2018-9036

--

[Attack Vectors]
If a low-privileged user were to enter a Cross-Site Scripting payload into the Login Page Disclaimer, then when a user with higher privileges browses the login page, the malicious content would be executed within the latter's user context. The malicious payload could also be configured to perform any application action available to the authenticated user.

--

[Reference]
https://twitter.com/checksec
https://support.checksec.com/hc/en-us/articles/36145163
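The fix for the class of bug reported above is output encoding at the point where the stored disclaimer is written into the login page. The following Python is an added illustration, not CheckSec code (Canopy's implementation is not on the page): LOGIN_TEMPLATE, the two render functions, contains_live_tag and the stored text are all constructed. It renders the same stored disclaimer both verbatim, which is the vulnerable pattern, and HTML-escaped, into an element body and a quoted attribute, and checks which rendering still contains a live tag.

```python
import html

# Constructed stand-in for a login page; the disclaimer is rendered in two
# contexts, element text and a double-quoted attribute value.
LOGIN_TEMPLATE = """<form action="/login" method="post">
  <p class="disclaimer" title="{title}">{body}</p>
  <input name="user"><input name="pass" type="password">
</form>"""


def render_login_page_unsafe(disclaimer):
    """The pattern the report describes: stored text inserted verbatim."""
    return LOGIN_TEMPLATE.format(title=disclaimer, body=disclaimer)


def render_login_page(disclaimer):
    """Encode for HTML at output time.  quote=True also escapes " and ',
    which is what keeps the attribute context closed."""
    safe = html.escape(disclaimer, quote=True)
    return LOGIN_TEMPLATE.format(title=safe, body=safe)


def contains_live_tag(page, tag="script"):
    """Crude check used only to make the difference visible: does the
    rendered page contain an unescaped opening tag of this name?"""
    return ("<" + tag) in page.lower()


# Constructed stored value: closes the attribute, then opens a script tag.
STORED_DISCLAIMER = '"><script>alert(1)</script>'


if __name__ == "__main__":
    print(render_login_page_unsafe(STORED_DISCLAIMER))
    print(render_login_page(STORED_DISCLAIMER))
```

Encoding belongs at output, once per context: storing an escaped copy instead leads to double-escaping and does nothing for other sinks (JavaScript strings, URLs) that the same value may reach later. The fix also does not depend on who is allowed to edit the disclaimer; the report's privilege discussion changes the CVSS vector, not the remediation.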