Date: Tue, 1 Aug 2023 21:26:02 GMT
Message-Id: <202308012126.371LQ2hZ046641@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: bf75c163e2 - main - Add EN-23:08 and SA-23:06 through SA-23:09.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: bf75c163e29a921f5ade9d5046a8f637789de307
Auto-Submitted: auto-generated

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=bf75c163e29a921f5ade9d5046a8f637789de307

commit bf75c163e29a921f5ade9d5046a8f637789de307
Author:     Gordon Tetlow
AuthorDate: 2023-08-01 21:25:02 +0000
Commit:     Gordon Tetlow
CommitDate: 2023-08-01 21:25:02 +0000

    Add EN-23:08 and SA-23:06 through SA-23:09.

    Approved by:    so
---
 website/data/security/advisories.toml | 16 +
 website/data/security/errata.toml | 4 +
 .../security/advisories/FreeBSD-EN-23:08.vnet.asc | 147 ++
 .../security/advisories/FreeBSD-SA-23:06.ipv6.asc | 171 ++
 .../security/advisories/FreeBSD-SA-23:07.bhyve.asc | 148 ++
 .../security/advisories/FreeBSD-SA-23:08.ssh.asc | 167 ++
 .../advisories/FreeBSD-SA-23:09.pam_krb5.asc | 166 ++
 .../static/security/patches/EN-23:08/vnet.patch | 16 +
 .../security/patches/EN-23:08/vnet.patch.asc | 16 +
 .../static/security/patches/SA-23:06/ipv6.patch | 14 +
 .../security/patches/SA-23:06/ipv6.patch.asc | 16 +
 .../security/patches/SA-23:07/bhyve.13.1.patch | 87 +
 .../security/patches/SA-23:07/bhyve.13.1.patch.asc | 16 +
 .../security/patches/SA-23:07/bhyve.13.2.patch | 84 +
 .../security/patches/SA-23:07/bhyve.13.2.patch.asc | 16 +
 .../security/patches/SA-23:08/ssh.12.4.patch | 189 ++
 .../security/patches/SA-23:08/ssh.12.4.patch.asc | 16 +
 .../security/patches/SA-23:08/ssh.13.1.patch | 48 +
.../security/patches/SA-23:08/ssh.13.1.patch.asc | 16 + .../security/patches/SA-23:08/ssh.13.2.patch | 2036 ++++++++++++++++++++ .../security/patches/SA-23:08/ssh.13.2.patch.asc | 16 + .../security/patches/SA-23:09/pam_krb5.patch | 21 + .../security/patches/SA-23:09/pam_krb5.patch.asc | 16 + 23 files changed, 3442 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 72324804c6..2d5b3077f7 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,22 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-23:09.pam_krb5" +date = "2023-08-01" + +[[advisories]] +name = "FreeBSD-SA-23:08.ssh" +date = "2023-08-01" + +[[advisories]] +name = "FreeBSD-SA-23:07.bhyve" +date = "2023-08-01" + +[[advisories]] +name = "FreeBSD-SA-23:06.ipv6" +date = "2023-08-01" + [[advisories]] name = "FreeBSD-SA-23:05.openssh" date = "2023-06-21" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 15ae740438..0fccd5baf3 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,10 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-23:08.vnet" +date = "2023-08-01" + [[notices]] name = "FreeBSD-EN-23:07.mpr" date = "2023-06-21" diff --git a/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc b/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc new file mode 100644 index 0000000000..fc722d9cff --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc 
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-23:08.vnet Errata Notice + The FreeBSD Project + +Topic: VNET and DPCPU module panic on arm64 + +Category: core +Module: kernel +Announced: 2023-08-01 +Affects: FreeBSD 13.2 +Corrected: 2023-07-26 18:03:46 UTC (stable/13, 13.2-STABLE) + 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +VNET is the name of a technique to virtualize the network stack. It changes +global resources, most notably variables, into per network stack resources +and handles them in the context of the correct instance. VNET is enabled by +default in GENERIC kernels on all architectures except 32-bit ARM. + +DPCPU is a dynamic per-CPU memory allocator which can instantiate one +instance of a global variable with each CPU in the system. Dynamically +allocated per-CPU variables can be defined with custom names and types. +DPCPU is always enabled. + +II. Problem Description + +After FreeBSD 13.1 was released, the contributed LLVM components (LLVM, +clang, compiler-rt, libc++, libunwind, lld, lldb and openmp) were +upgraded to upstream version 14.0.5. The new version of lld, the llvm +linker, got additional optimizations for arm64 in the form of so-called +relocation relaxations. + +These relaxations are fine for regular userland applications, as the +dynamic linker can handle the optimized relocations. However, due to the +way the VNET and DPCPU features are implemented, the optimized +relocations can cause panics if they are used in kernel modules. + +III. Impact + +On arm64 systems, loading kernel modules that use VNET or DPCPU features can +cause panics. A known example is the WireGuard kernel module, if_wg(4). + +IV. 
Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is required, because the kernel and several kernel modules are +updated. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is required, because the kernel and several kernel modules are updated. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-23:08/vnet.patch +# fetch https://security.FreeBSD.org/patches/EN-23:08/vnet.patch.asc +# gpg --verify vnet.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 98e7f836e65e stable/13-n255888 +releng/13.2/ e3e6fc371322 releng/13.2-n254623 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJd+EACgkQbljekB8A +Gu+2XRAAnIRnEfyWHe8XQa3ElzCx3gwyldIkZJqjqEX1hWm1uhASJGV3Zk/xj6gv +6yyr8P5nij6rbblpo/YpUzwFeRVUX3foMU+R4blTB0nriJuW6P1vMiHpD1w52oS5 +OWpsyAouJ4/IsDh73jCqrJk3M7ZKOkfQ5tHn/E+bLl20ASQy/5S/t3G9QU8o8TeH +Ak+zakq8Gf13BA6vMyq0beA34A0zT0niznKhbTqAc3czdsd18Rkeg/9txXU2iOkV +8VBqnN2kJQ/gBfM79PtUOfz8uK/7tIWMpNoept4Kp0XlDPpJUhqBwjjmTBsuxB8w +fpYpfNF5ADX50L1nzm24oxBjFsbA+YUNXzO1VHCQZeWNxI2cubZWFtzu7WoxT7QQ +trdhUWlSI28jtRJSg5eBwfSI/iT/iESIH9f5wFdVo3iORPXe28CrW6EtEHXhVk37 +JQaQdIPr48n2IfsEzuogQyEMAWuD6hSUDksfZsArkPcS9QJFBzv1xkiTXmInn1CL +JQK4XaVXSELKh0JWgnGTA3/Xsi/DRXcPbN+1saKi8Dp5LzwaMN26UmvWzMFYpQuY +hrfFDpk3IP9iacvnnObuMretppd1LdwFx3O2Pq4Fs0nRYIKSU3OVpIVzu75otiwE +GtArfSeRWgwy9moWd8W4wSWNFosTkFMFbZONS0n9SfEYzabpCzM= +=0mU9 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc new file mode 100644 index 0000000000..77b3701de3 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc 
@@ -0,0 +1,171 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:06.ipv6 Security Advisory + The FreeBSD Project + +Topic: Remote denial of service in IPv6 fragment reassembly + +Category: core +Module: ipv6 +Announced: 2023-08-01 +Credits: Zweig of Kunlun Lab +Affects: All supported versions of FreeBSD +Corrected: 2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE) + 2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2) + 2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9) + 2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE) + 2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4) +CVE Name: CVE-2023-3107 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +IPv6 packets may be fragmented in order to accommodate the maximum +transmission unit (MTU) of the network path between the source and +destination hosts. The FreeBSD kernel keeps track of received packet +fragments and will reassemble the original packet once all fragments +have been received, at which point the packet is processed normally. + +II. Problem Description + +Each fragment of an IPv6 packet contains a fragment header which +specifies the offset of the fragment relative to the original packet, +and each fragment specifies its length in the IPv6 header. When +reassembling the packet, the kernel calculates the complete IPv6 payload +length. The payload length must fit into a 16-bit field in the IPv6 +header. + +Due to a bug in the kernel, a set of carefully crafted packets can +trigger an integer overflow in the calculation of the reassembled +packet's payload length field. + +III. Impact + +Once an IPv6 packet has been reassembled, the kernel continues +processing its contents. 
It does so assuming that the fragmentation +layer has validated all fields of the constructed IPv6 header. This bug +violates such assumptions and can be exploited to trigger a remote +kernel panic, resulting in a denial of service. + +IV. Workaround + +Users with IPv6 disabled on untrusted network interfaces are not +affected. Such interfaces will have the IFDISABLED nd6 flag set in +ifconfig(8). + +The kernel may be configured to drop all IPv6 fragments by setting the +net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from +being triggered, with the caveat that legitimate IPv6 fragments will +be dropped. + +If the pf(4) firewall is enabled, and scrubbing and fragment reassembly +is enabled on untrusted interfaces, the bug cannot be triggered. This +is the default if pf(4) is enabled. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date and +reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch +# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc +# gpg --verify ipv6.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 9515f04fe3b1 stable/13-n255919 +releng/13.2/ da38eaca4a22 releng/13.2-n254626 +releng/13.1/ 4e548c72914a releng/13.1-n250191 +stable/12/ r373149 +releng/12.4/ r373152 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsAACgkQbljekB8A +Gu8rERAA2iGzA4ydDrYsKnNGXMtQEXRIkGOPOkCSB1fC6CGIWLD//XuPw7sISPNu +vvt0DVlkOC/ZKjgUQVWDLHd/DWcEv6prhhCUEPEQ57nwvgfa9/oZNqF0ZvVgdyst +OUc7wO3Pt9lAp6fPkay0LGmsHLlgRJR1VqUQ6fnWvJ7jRllsvIdjxr8krIwYyyVn +E7U8+lBYoBmQLMql0jgiQ3S4FZ5kYX6MN9r2I1/nSQdE6IUOiqL0oux9H2PDTz3r +mx9nYSrsd0WPNVO7n7GRnk48STwJryJNdY7tCZOUGsmOOtQAnXvF/ZYDQOMK1L66 +4d5XFVXTwYdHDwDbXMPCCqa+MsZyjrgz8NmNzcto1l0mClz1SGNW9MKmxTKU7op/ +dNTjziffvwxZefpFPv+r9ZEyJpPe1rcNgOskJFW4DVq0uNSaujPkHE77hkE93ozF +ScDErtexPV+OEQyqGTgO4MxTjlk2l9DZGFVrLl+8Js1sFfLXlReGHLA2xtDtxJL0 +mLo1WtKq8Oq3XPBdU0UoAw3Wlp+BOZ7cY5AVk7IY5zU0T2jQP636QgzX33ZTynkD +oLtFufJBOWMSPNx9bTFautEoNsivtKcOl3XWEKKgEqt4b+9h6VGU0tFjfRuozjxJ +QAaYf0qXk9kfHp4EdHj4CeSoeZKgHCExJxpfX54qBGH/TY3Dd4c= +=V/jE +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc new file mode 100644 index 0000000000..770be95081 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc 
@@ -0,0 +1,148 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:07.bhyve Security Advisory + The FreeBSD Project + +Topic: bhyve privileged guest escape via fwctl + +Category: core +Module: bhyve +Announced: 2023-08-01 +Credits: Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft +Affects: FreeBSD 13.1 and 13.2 +Corrected: 2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE) + 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2) + 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9) +CVE Name: CVE-2023-3494 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyve(8)'s fwctl interface provides a mechanism through which guest +firmware can query the hypervisor for information about the virtual +machine. The fwctl interface is available to guests when bhyve is run +with the "-l bootrom" option, used for example when booting guests in +UEFI mode. + +bhyve is currently only supported on the amd64 platform. + +II. Problem Description + +The fwctl driver implements a state machine which is executed when the +guest accesses certain x86 I/O ports. The interface lets the guest copy +a string into a buffer resident in the bhyve process' memory. A bug in +the state machine implementation can result in a buffer overflowing when +copying this string. + +III. Impact + +A malicious, privileged software running in a guest VM can exploit the +buffer overflow to achieve code execution on the host in the bhyve +userspace process, which typically runs as root. Note that bhyve runs +in a Capsicum sandbox, so malicious code is constrained by the +capabilities available to the bhyve process. + +IV. Workaround + +No workaround is available. bhyve guests that are executed without the +"-l bootrom" option are unaffected. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all affected virtual machines. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch +# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc +# gpg --verify bhyve.13.2.patch.asc + +[FreeBSD 13.1] +# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch +# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc +# gpg --verify bhyve.13.1.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all affected virtual machines. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 9fe302d78109 stable/13-n255918 +releng/13.2/ 2bae613e0da3 releng/13.2-n254625 +releng/13.1/ 87702e38a4b4 releng/13.1-n250190 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A +Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K +qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM +cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K +KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV +fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb +hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF +NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip +hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0 +drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0 +JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4 +LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI= +=MlAY +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc b/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc new file mode 100644 index 0000000000..37d9c0df7f --- /dev/null 
+++ b/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc 
@@ -0,0 +1,167 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:08.ssh Security Advisory + The FreeBSD Project + +Topic: Potential remote code execution via ssh-agent forwarding + +Category: contrib +Module: OpenSSH +Announced: 2023-08-01 +Credits: Qualys +Affects: All supported versions of FreeBSD. +Corrected: 2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE) + 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2) + 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9) + 2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE) + 2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4) +CVE Name: CVE-2023-38408 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +ssh-agent is a program to hold private keys used for OpenSSH public key +authentication. Connections to ssh-agent may be forwarded from further +remote hosts using the -A option to ssh. The server to which the ssh-agent +connection is forwarded may cause the ssh-agent process to load (and unload) +operating system-provided shared libraries to support the addition and +deletion of PKCS#11 keys. + +II. Problem Description + +The server may cause ssh-agent to load shared libraries other than those +required for PKCS#11 support. These shared libraries may have side effects +that occur on load and unload (dlopen and dlclose). + +III. Impact + +An attacker with access to a server that accepts a forwarded ssh-agent +connection may be able to execute code on the machine running ssh-agent. +Note that the attack relies on properties of operating system-provided +libraries. This has been demonstrated on other operating systems; it is +unknown whether this attack is possible using the libraries provided by +a FreeBSD installation. + +IV. 
Workaround + +Avoid using ssh-agent forwarding, or start ssh-agent with an empty +PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that +contains only specific provider libraries. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date and +restart any ssh sessions using ssh-agent forwarding. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch +# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc +# gpg --verify ssh.13.2.patch.asc + +[FreeBSD 13.1] +# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch +# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc +# gpg --verify ssh.13.1.patch.asc + +[FreeBSD 12.4] +# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch +# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc +# gpg --verify ssh.12.4.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . +Restart all ssh sessions that use ssh-agent forwarding, or reboot. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ d578a19e2cd3 stable/13-n255848 +releng/13.2/ 20bcfc33d3f2 releng/13.2-n254624 +releng/13.1/ 3d3a1cbfd7a2 releng/13.1-n250189 +stable/12/ r373142 +releng/12.4/ r373151 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsUACgkQbljekB8A +Gu9M3A//ftE38dmRBx//0dm0sY6Pb++OprS7SKkm/dPlv2ywFMrUOZJl47pcfEuJ +h+jeHOMWzQJYwSQBxPii/PbJRbxd4w4c0pjLDKXO3fc74anmuLQh7b8DLip6jQ/S +C4LM11e0lGfxwJmrQl49r8eKkm4ta+TOn+IoSzGzsYUYkpqX3jpBuP/yhFvueXO7 +9ZaXCIsg99/tZvXU34b4ZA5t3vVjkAhtbV9HSAza0RnM4ZFJnXJoZbheVMgp63qp +yg2pieDnA5U/c1exC8joRQoiyXtSZjmq2+8e4HYXc9+LZvWr+/fyfBXO6BXn4hmU +KSB6t2aldvB0ywWEbge+mM9I+h0jPKHNo/HsAwwF4gKfLqzZ1XNLnHC+LVTTe0cD +lNHw6kBgH9qx4oLBXg8fZwxtPGv5qvSjC4qisDWi/BMDeVsTfr8wa+LoKHIp0KOH +AnhuNKs1/TYpyHZfa2l7OfvSc70jSGYyG6Flcr5lYrhfDnXEFR6En4qbRLjIS6GA ++8otM6AyuLLiwfaLdha2G9scuA/RUfyixB7AAhrFrxJPBQypC/kIi+lF0TKmEx69 +Q2TlWktN/zzHzPJLafor5g9W9dft2Kt4T8hHsmQVwwwN58l3Q49FSrKAib5Agv66 +1QuQDP5hhsq7VISG81ZzMZbgvhNgCM5EPjggZ65Qrk9/NCyWhOw= +=scNH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc b/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc new file mode 100644 index 0000000000..9d40ed76db --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc 
@@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:09.pam_krb5 Security Advisory + The FreeBSD Project + +Topic: Network authentication attack via pam_krb5 + +Category: core +Module: pam_krb5 +Announced: 2023-08-01 +Affects: All supported versions of FreeBSD +Corrected: 2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE) + 2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2) + 2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9) + 2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE) + 2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4) +CVE Name: CVE-2023-3326 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +Kerberos 5 (krb5) is a computer-network authentication protocol that works on +the basis of tickets to allow nodes communicating over a non-secure network +to prove their identity to one another in a secure manner. + +The PAM (Pluggable Authentication Modules) library provides a flexible +framework for user authentication and session setup / teardown. + +pam_krb5 is a PAM module that allows using a Kerberos password to +authenticate the user. pam_krb5 is disabled in the default FreeBSD +installation. + +pam_krb5 uses passwords for authentication, which is distinct from +Kerberos native protocols like GSSAPI, which allows for login without the +exchange of passwords. GSSAPI is not affected by this issue. + +II. Problem Description + +The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following +the patch for that advisory. + +III. Impact + +The impact described in FreeBSD-SA-23:04.pam_krb5 persists. + +IV. Workaround + +If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from +your system. 
Additionally, ensure pam_krb5 is commented out of your PAM +configuration located as documented in pam.conf(5), generally /etc/pam.d. +Note, the default FreeBSD PAM configuration has pam_krb5 commented out. + +If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is +commented out of your PAM configuration located as documented in pam.conf(5), +generally /etc/pam.d. Note, the default FreeBSD PAM configuration has +pam_krb5 commented out. + +If you are using pam_krb5, ensure you have a keytab on your system as +provided by your Kerberos administrator. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch +# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch.asc +# gpg --verify pam_krb5.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the PAM module, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ d295e418ae7e stable/13-n255792 +releng/13.2/ 9b45d8eddfac releng/13.2-n254622 +releng/13.1/ 140f65a20533 releng/13.1-n250188 +stable/12/ r373127 +releng/12.4/ r373150 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdskACgkQbljekB8A +Gu9QjQ/7BlRQJGHtf/tljjCbzVKAOTcknk/d2VncZ4dDidsHWgO4umaYIrQzYxX0 +1mBtLEPZ7vHt2t4IC4NZ1FP7wrdLNDWCfHcKlP9p9tCzhh2zQXgv6NHbruUTMtJX +/LN+fxdOcRo++23ae0ohaBUwFVo69/nel0KnSq3QOeSwzJdvaW9cggimOK96pvB1 +QXsqJvb9uBZGdv0yufZ4xJ174xDVnchBY/wvLx2qSdAsXGPO6ihvoeJHFJ7JAYLP +JYtEAKkgHnkDtG9cw9DQigskwr8VC0x8J+9JG5H4zTXtzofng4pFD7+LBDhozoPy +FRGi5IfWA4VkeQYDaMB9mE37R333PpKFfJZWF8cwOyeLXNTTUvtPEu2k0DRvljqs +6lmKcqNLJMbbHa7jIDwdYs5wrSqXJuKOD0Fsj/QScfqWphK86oz6VBdft71A+g55 +D9QFVoXZ2kYTdJ3mMvcKPCdsnixVdtIaaTQ+Embeu2dnMUemc9xsRiPNp18a5y1a +EgLJ5WHIVJoCjte7HROnPKN6IeB7G/laPeewpoO8AJqL46Z+Ch0PMJacYLhNp5fn +9rDnJkurJBa4hqii05MztQvhvaoJyy1WFQbObrzfNQI7Hl+EtMb8dlP09qsiWeGq +27gca8AB1KaMbG+Wwc92n1cn8ZSiF6WT0cV/+Cx3lYuIbmMgnBU= +=eKnj +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-23:08/vnet.patch b/website/static/security/patches/EN-23:08/vnet.patch new file mode 100644 index 0000000000..e3ae10b6a5 --- /dev/null +++ b/website/static/security/patches/EN-23:08/vnet.patch @@ -0,0 +1,16 @@ +--- sys/conf/kmod.mk.orig ++++ sys/conf/kmod.mk +@@ -168,6 +168,13 @@ + CFLAGS+= -fPIC + .endif + ++.if ${MACHINE_CPUARCH} == "aarch64" ++# https://bugs.freebsd.org/264094 ++# lld >= 14 and recent GNU ld can relax adrp+add and adrp+ldr instructions, ++# which breaks VNET. ++LDFLAGS+= --no-relax ++.endif ++ + # Temporary workaround for PR 196407, which contains the fascinating details. + # Don't allow clang to use fpu instructions or registers in kernel modules. + .if ${MACHINE_CPUARCH} == arm diff --git a/website/static/security/patches/EN-23:08/vnet.patch.asc b/website/static/security/patches/EN-23:08/vnet.patch.asc new file mode 100644 index 0000000000..deba5b5d36 --- /dev/null +++ b/website/static/security/patches/EN-23:08/vnet.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdr8ACgkQbljekB8A +Gu+HgBAApQv1OSL3BdPCm44GOO4JE8cyWetpTxlM/wblnQS2WHv+cvWiDitgthgX +Enek4lTFjz3SlgyeSGEwgDz0NucHSOGixS4SIqLKGHXEEqwcZFdICOhb56tcT5Mg +GLndgCKaNjCM4vLQ7U/TRHZl03m0NyxXt9c9ga6cad4fZkFDAWpiIWAmzVF766vY +7KIXlZ97y1IpqmHtuv3nTwcfBlw1ThiWj23JdoJyj9CEA8Qd5I3vAdHkX8JDirkJ +qzS1hMExQAWQfY7cNH7fa56Z418ZdDRPoZeub7VYBaC4YG79D3s/FBcu9tADyb07 +aW6k6CnAGDOGPCxzKCCWgGB+GeYyd+zT0pEstwin43m9yNCgiXtI4UBIEZCJrbo4 +wKR5QF22R3uSBfU5T6JrLvl1muyGvcEsCWja0+O3CR6vrFKZEqm0nkzmTrNsB7e+ +9V5ZtgSEH3NmBejwLUjjDAoLz9EFf6Asji3obkdSbzEaZV5OSF20w4XDnvc8hXze +psDcgspUjdiFoS3ci8LO/xl0jf6rguj56JA4FG9nB8fHe3lxuxwbJuJsm4dsHtNr +Hxh7RQRGvTdvZ1bHwbIVc6Y9+Nnwozl7+q1+7a2yws2ZuxtLYE86+dvA/l2dl8iH +IkZSKycsArwnnmkxfcqUGbbzKOF+x3nBruC0z8cYlSo0KWr193Q= +=mU3Y +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-23:06/ipv6.patch b/website/static/security/patches/SA-23:06/ipv6.patch new file mode 100644 index 0000000000..9735c134d9 --- /dev/null +++ b/website/static/security/patches/SA-23:06/ipv6.patch @@ -0,0 +1,14 @@ +--- sys/netinet6/frag6.c.orig ++++ sys/netinet6/frag6.c +@@ -807,6 +807,11 @@ + /* Adjust offset to point where the original next header starts. */ + offset = ip6af->ip6af_offset - sizeof(struct ip6_frag); + free(ip6af, M_FRAG6); ++ if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) > ++ IPV6_MAXPACKET) { ++ frag6_freef(q6, bucket); ++ goto dropfrag; ++ } + ip6 = mtod(m, struct ip6_hdr *); + ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr)); + if (q6->ip6q_ecn == IPTOS_ECN_CE) diff --git a/website/static/security/patches/SA-23:06/ipv6.patch.asc b/website/static/security/patches/SA-23:06/ipv6.patch.asc new file mode 100644 index 0000000000..1bbe4f57cc --- /dev/null +++ b/website/static/security/patches/SA-23:06/ipv6.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsEACgkQbljekB8A +Gu8RkA/+Kt5g7V4+D2GAttjm73kuDZpYpiD0evC7i1SMEJqm9SuLrUhAY0glKHLC +wvXGOLQxKLupPv4XVtimtAPY9sSaTqnWtvit/upLLw5N+fIhEXWSX7JXnsmsALEv +ky+mTt4RL8kB6XnzVJGA6kEpn6DF0tuR8kooxWvoxTAdSGQsS5P2PIcDP026JWWk ++4VgHe1iB4sAtIUlCp55HYWw+GaUMhXf74pJjGNG0GihW1m4XCrEYMas/f4PqMID *** 2642 LINES SKIPPED ***
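Review bot: in the new FreeBSD-SA-23:09.pam_krb5.asc file, sections II (Problem Description) and III (Impact) say only that the problem and impact of FreeBSD-SA-23:04.pam_krb5 persist, so the advisory cannot be assessed without opening the earlier one. Suggest restating the problem and impact in a sentence or two each, and saying what the earlier patch left uncorrected. In section IV the first two workaround cases repeat the same "commented out of your PAM configuration" paragraph almost verbatim and could share it. The third case, "ensure you have a keytab on your system", gives the reader no way to check that the keytab is present and is the one pam_krb5 will use.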
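Review bot: in the sys/conf/kmod.mk hunk of EN-23:08/vnet.patch, LDFLAGS+= --no-relax is added for every aarch64 module build, while the comment attributes the breakage only to lld >= 14 and recent GNU ld. The comment should say whether older linkers accept the flag harmlessly, or the flag should be gated on the linker version. The new conditional quotes "aarch64" while the existing `.if ${MACHINE_CPUARCH} == arm` a few lines below is unquoted, so pick one style for the file. Unlike the neighbouring PR 196407 block, which is marked as a temporary workaround, this block does not say whether it is permanent or under what condition it can be removed.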
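Review bot: in the sys/netinet6/frag6.c hunk of SA-23:06/ipv6.patch, the new bound check has no comment explaining why IPV6_MAXPACKET is the limit, and it should have one: the next statement stores the same expression into ip6->ip6_plen through htons(), so the check is what keeps a reassembled length from being truncated to 16 bits. The expression `(u_int)plen + (u_int)offset - sizeof(struct ip6_hdr)` is evaluated unsigned, so a sum smaller than sizeof(struct ip6_hdr) would wrap to a large value and also take the drop path. That fails closed, but it is implicit and worth stating in the comment or making explicit with a separate comparison. The check also runs directly after free(ip6af, M_FRAG6) and then calls frag6_freef(q6, bucket), so please confirm that ip6af is already unlinked from q6 at this point; the hunk does not show it.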