Author: delphij
Date: Wed Apr 30 04:04:42 2014
New Revision: 265124
URL: http://svnweb.freebsd.org/changeset/base/265124
Log:
Fix devfs rules not applied by default for jails.
Fix OpenSSL use-after-free vulnerability.
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
Approved by: so
Modified:
releng/10.0/UPDATING
releng/10.0/crypto/openssl/ssl/s3_pkt.c
releng/10.0/etc/defaults/rc.conf
releng/10.0/sys/conf/newvers.sh
releng/10.0/sys/netinet/tcp_reass.c
Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING Wed Apr 30 04:04:20 2014 (r265123)
+++ releng/10.0/UPDATING Wed Apr 30 04:04:42 2014 (r265124)
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20140430: p2 FreeBSD-SA-14:07.devfs
+ FreeBSD-SA-14:08.tcp
+ FreeBSD-SA-14:09.openssl
+
+ Fix devfs rules not applied by default for jails. [SA-14:07]
+
+ Fix TCP reassembly vulnerability. [SA-14:08]
+
+ Fix OpenSSL use-after-free vulnerability. [SA-14:09]
+
20140408: p1 FreeBSD-SA-14:05.nfsserver
FreeBSD-SA-14:06.openssl
Fix deadlock in the NFS server. [SA-14:05]
Modified: releng/10.0/crypto/openssl/ssl/s3_pkt.c
==============================================================================
--- releng/10.0/crypto/openssl/ssl/s3_pkt.c Wed Apr 30 04:04:20 2014
(r265123)
+++ releng/10.0/crypto/openssl/ssl/s3_pkt.c Wed Apr 30 04:04:42 2014
(r265124)
@@ -1055,7 +1055,7 @@ start:
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
s->s3->rbuf.left == 0)
ssl3_release_read_buffer(s);
}
}
Modified: releng/10.0/etc/defaults/rc.conf
==============================================================================
--- releng/10.0/etc/defaults/rc.conf Wed Apr 30 04:04:20 2014
(r265123)
+++ releng/10.0/etc/defaults/rc.conf Wed Apr 30 04:04:42 2014
(r265124)
@@ -649,7 +649,7 @@ devfs_rulesets="/etc/defaults/devfs.rule
devfs_system_ruleset="" # The name (NOT number) of a ruleset to apply
to /dev
devfs_set_rulesets="" # A list of /mount/dev=ruleset_name settings to
# apply (must be mounted already, i.e. fstab(5))
-devfs_load_rulesets="NO" # Enable to always load the default rulesets
+devfs_load_rulesets="YES" # Enable to always load the default rulesets
performance_cx_lowest="HIGH" # Online CPU idle state
performance_cpu_freq="NONE" # Online CPU frequency
economy_cx_lowest="HIGH" # Offline CPU idle state
Modified: releng/10.0/sys/conf/newvers.sh
==============================================================================
--- releng/10.0/sys/conf/newvers.sh Wed Apr 30 04:04:20 2014
(r265123)
+++ releng/10.0/sys/conf/newvers.sh Wed Apr 30 04:04:42 2014
(r265124)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.0"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/10.0/sys/netinet/tcp_reass.c
==============================================================================
--- releng/10.0/sys/netinet/tcp_reass.c Wed Apr 30 04:04:20 2014
(r265123)
+++ releng/10.0/sys/netinet/tcp_reass.c Wed Apr 30 04:04:42 2014
(r265124)
@@ -205,7 +205,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
* Investigate why and re-evaluate the below limit after the behaviour
* is understood.
*/
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
V_tcp_reass_overflows++;
TCPSTAT_INC(tcps_rcvmemdrop);
@@ -228,7 +228,7 @@ tcp_reass(struct tcpcb *tp, struct tcphd
*/
te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt ||
!TCPS_HAVEESTABLISHED(tp->t_state)) {
TCPSTAT_INC(tcps_rcvmemdrop);
m_freem(m);
*tlenp = 0;
@@ -276,7 +276,8 @@ tcp_reass(struct tcpcb *tp, struct tcphd
TCPSTAT_INC(tcps_rcvduppack);
TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
tp->t_segqlen--;
/*
* Try to present any queued data
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
