Security Advisories
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:02.pf
From: FreeBSD Errata Notices <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Thu, 14 Jan 2016 10:03:24 +0000 (UTC)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:02.pf Errata Notice
The FreeBSD Project
Topic: Invalid TCP checksums with pf(4)
Category: core
Module: pf
Announced: 2016-01-14
Credits: Kristof Provost <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Affects: All supported versions of FreeBSD.
Corrected: 2015-11-11 12:36:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2015-12-25 15:12:54 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The pf(4) is one of several packet filters available in FreeBSD, originally
written for OpenBSD. In addition to filtering packets, it also has packet
normalization capabilities.
II. Problem Description
When running with certain network interfaces, capable for hardware transmit
checksum offloading, or TCP segmentation offload, pf(4) produces packets with
invalid TCP checksums.
III. Impact
The TCP packets with invalid checksums are rejected by the remote host,
leading to large performance impacts or inability to successfully run
a TCP connection.
IV. Workaround
Disable transmit checksum offloading and TSO support on the affected
network interface:
# ifconfig ue0 -txcsum -tso
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Reboot the system or unload and reload the pf.ko kernel module.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system or unload and reload the pf.ko kernel module.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch.asc
# gpg --verify pf-10.2.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch.asc
# gpg --verify pf-10.1.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.3.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.3.patch.asc
# gpg --verify pf-9.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or unload and reload the pf.ko kernel module.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r292732
releng/9.3/ r293896
stable/10/ r290669
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193579>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:02.pf.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2rlAAoJEO1n7NZdz2rnv0QP/RXPzKbSRsyyX3914BJv/W4V
coLFodRd62WxPvFIOXaLbNsVSi1yqRqNS3BPNTXnldEvjZWS5HsRlY5inq7hCjOn
NzZFIBVD3aL3eIXBUghNHTcCp3Ml5zIzcGUwJ0wW4F8j3D8Ty0YbJs+E7Ku63DIb
3rR2Mj1Jcoxi4JNVaQ962JlRrqauQUIiFbS0bSmP/cQCUlvhm+uk8Yj1KgSYesSu
n+lQAipH2zZWGjVj1xxvqi4cUcr6J6LEF0eTmg+UoM24vhq+QNql5aactYMOORiW
f+80HOWm6R8F/6TI2xs7HpNfnQNuNBRTfmfViQB8GgzgV2juElcTXW4NKXALrkWy
HxAfv6wdhDxclOXzumUXDOXC90o62Jv5gWiToJWLyETHI1vTe4UuE0egejFHSDJB
bmFpbYeuvXJ5/3dAYHHtnjtIPE9PXG+c16eJr3XDkY4plreL/hpyDHFRd3scqWew
EvPnkYcXZmzpCC/wZbDM5sI76YAfX7vayVqsUI0X4WRueYyIljRQGwygwfmHWiac
HIrgLgJvXZCGXiiuSpZq5874er0/UN9czGuMVOFZoXZ45yuj99pO1rJNZryO926A
UAOsC76m78myPrM+a4dJDrnWKgZjputCEBHXXNS8Yxt1cimrrbAb2wy0gt1CIMFm
cuAfikAwdNj3JAvjS4oA
=Aw1R
-----END PGP SIGNATURE-----
_______________________________________________
This email address is being protected from spambots. You need JavaScript enabled to view it. mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "This email address is being protected from spambots. You need JavaScript enabled to view it."
| Powered by: | MHonArc  |
