Michael Tuexen

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** A flaw exists where the `tcp respond()` function can leak an mbuf when a challenge ACK is not sent. An attacker on the network path, or able to establish a TCP connection, can craft packets to trigger this leak, exceeding the configured rate limit. Off-path attackers may also exploit this by spoofing packets, though this is more difficult. The issue involves leaking an mbuf for each crafted packet sent in excess of the rate limit settings. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD versions 12.1-STABLE before r358739 FreeBSD versions 12.1-RELEASE before 12.1-RELEASE-p3 FreeBSD versions 11.3-STABLE before r358740 FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p7 **Description** A TCP SYN-ACK or challenge TCP-ACK segment over IPv6 that is transmitted or retransmitted does not properly initialize the Traffic Class field, disclosing one byte of kernel memory over the network. **Recommendations** For FreeBSD versions 12.1-STABLE before r358739, update to a version after r358739. For FreeBSD versions 12.1-RELEASE before 12.1-RELEASE-p3, update to 12.1-RELEASE-p3 or later. For FreeBSD versions 11.3-STABLE before r358740, update to a version after r358740. For FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p7, update to 11.3-RELEASE-p7 or later.