git: 062b6a21b6 - main - Add EN-23:05 to EN-23:07, SA-23:04, and SA-23:05.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 21 Jun 2023 06:06:38 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=062b6a21b63e70bd29199145e72fcd648700b90e

commit 062b6a21b63e70bd29199145e72fcd648700b90e
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-06-21 06:05:44 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-06-21 06:05:44 +0000

    Add EN-23:05 to EN-23:07, SA-23:04, and SA-23:05.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |    8 +
 website/data/security/errata.toml                  |   12 +
 .../advisories/FreeBSD-EN-23:05.tzdata.asc         |  174 ++
 .../advisories/FreeBSD-EN-23:06.loader.asc         |  129 ++
 .../security/advisories/FreeBSD-EN-23:07.mpr.asc   |  136 ++
 .../advisories/FreeBSD-SA-23:04.pam_krb5.asc       |  180 ++
 .../advisories/FreeBSD-SA-23:05.openssh.asc        |  124 ++
 .../security/patches/EN-23:05/tzdata-2023c.patch   | 1896 ++++++++++++++++++++
 .../patches/EN-23:05/tzdata-2023c.patch.asc        |   16 +
 .../static/security/patches/EN-23:06/loader.patch  |   17 +
 .../security/patches/EN-23:06/loader.patch.asc     |   16 +
 website/static/security/patches/EN-23:07/mpr.patch |   24 +
 .../static/security/patches/EN-23:07/mpr.patch.asc |   16 +
 .../security/patches/SA-23:04/pam_krb5.patch       |  216 +++
 .../security/patches/SA-23:04/pam_krb5.patch.asc   |   16 +
 .../static/security/patches/SA-23:05/openssh.patch |   11 +
 .../security/patches/SA-23:05/openssh.patch.asc    |   16 +
 17 files changed, 3007 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 8694a6a8ae..72324804c6 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,14 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-23:05.openssh"
+date = "2023-06-21"
+
+[[advisories]]
+name = "FreeBSD-SA-23:04.pam_krb5"
+date = "2023-06-21"
+
 [[advisories]]
 name = "FreeBSD-SA-23:03.openssl"
 date = "2023-02-16"
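Review bot: The header comment in advisories.toml says entries are sorted by year, month and day, but the two entries added at the top of this hunk share the date 2023-06-21, so the date alone does not fix their order. The hunk places SA-23:05 above SA-23:04, that is, descending advisory number; extend the comment to state that tie-break so the next same-day batch is inserted consistently.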
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index b1b74bf67c..15ae740438 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,18 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-23:07.mpr"
+date = "2023-06-21"
+
+[[notices]]
+name = "FreeBSD-EN-23:06.loader"
+date = "2023-06-21"
+
+[[notices]]
+name = "FreeBSD-EN-23:05.tzdata"
+date = "2023-06-21"
+
 [[notices]]
 name = "FreeBSD-EN-23:04.ixgbe"
 date = "2023-02-08"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:05.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-23:05.tzdata.asc
new file mode 100644
index 0000000000..663ca66ebf
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:05.tzdata.asc
@@ -0,0 +1,174 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:05.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2023-06-21
+Affects:        FreeBSD 13.1, 12.4
+Corrected:      2023-03-29 01:19:25 UTC (stable/13, 13.2-STABLE)
+                2023-06-21 05:03:18 UTC (releng/13.1, 13.1-RELEASE-p8)
+                2023-03-29 01:20:06 UTC (stable/12, 12.4-STABLE)
+                2023-06-21 05:43:27 UTC (releng/12.4, 12.4-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IANA Time Zone Database (often called tz or zoneinfo) contains code and
+data that represent the history of local time for many representative
+locations around the globe.  It is updated periodically to reflect changes
+made by political bodies to time zone boundaries, UTC offsets, and
+daylight-saving rules.
+
+FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
+The tzsetup(8) utility allows the user to specify the default local time
+zone.  Based on the selected time zone, tzsetup(8) copies one of the files
+from /usr/share/zoneinfo to /etc/localtime.  A time zone may also be selected
+for an individual process by setting its TZ environment variable to a desired
+time zone name.
+
+II.  Problem Description
+
+Several changes to future and past timestamps have been recorded in the IANA
+Time Zone Database after previous FreeBSD releases were released.  This
+affects many users in different parts of the world.  Because of these
+changes, the data in the zoneinfo files need to be updated.  If the local
+timezone on the running system is affected, tzsetup(8) needs to be run to
+update /etc/localtime.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV.  Workaround
+
+The system administrator can install an updated version of the IANA Time Zone
+Database from the misc/zoneinfo port and run tzsetup(8).
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Please note that some third party software, for instance PHP, Ruby, Java,
+Perl and Python, may be using different zoneinfo data sources, in such cases
+this software must be updated separately.  Software packages that are
+installed via binary packages can be upgraded by executing 'pkg upgrade'.
+
+Following the instructions in this Errata Notice will only update the IANA
+Time Zone Database installed in /usr/share/zoneinfo.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:05/tzdata-2023c.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:05/tzdata-2023c.patch.asc
+# gpg --verify tzdata-2023c.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              bb7b15831531    stable/13-n254928
+releng/13.1/                            0e577c42f61c  releng/13.1-n250183
+stable/12/                                                        r373009
+releng/12.4/                                                      r373101
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://github.com/eggert/tz/blob/2023c/NEWS>
+<URL:https://github.com/eggert/tz/blob/2023b/NEWS>
+<URL:https://github.com/eggert/tz/blob/2023a/NEWS>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:05.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=fStA
+-----END PGP SIGNATURE-----
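Review bot: Section V never tells the administrator to run tzsetup(8), although Section II says "tzsetup(8) needs to be run to update /etc/localtime" and Section V itself notes that its instructions only update /usr/share/zoneinfo. Add an explicit step after both the freebsd-update and the source-patch procedures to re-run tzsetup(8) when the configured zone is affected; as written, a host that follows Section V to the letter can still show the incorrect local time that Section III describes.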
diff --git a/website/static/security/advisories/FreeBSD-EN-23:06.loader.asc b/website/static/security/advisories/FreeBSD-EN-23:06.loader.asc
new file mode 100644
index 0000000000..cfe389dc89
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:06.loader.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:06.loader                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          x86 kernel console configuration
+
+Category:       core
+Module:         loader
+Announced:      2023-06-21
+Affects:        FreeBSD 13.x
+Corrected:      2023-04-26 17:30:19 UTC (stable/13, 13.2-STABLE)
+                2023-06-21 05:05:15 UTC (releng/13.2, 13.2-RELEASE-p1)
+                2023-06-21 05:05:51 UTC (releng/13.1, 13.1-RELEASE-p8)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The x86 loader's "comconsole" driver drives an ns16550-like uart for the loader
+output, and it also generates a console specification for the kernel to use.
+
+II.  Problem Description
+
+comconsole will unconditionally clear the hw.uart.console environment variable,
+whether the system is configured to use comconsole or not.
+
+III. Impact
+
+Systems with uart hardware that the kernel supports but loader doesn't cannot be
+configured to use this uart for console output if comconsole clears the
+hw.uart.console variable even when it's not in use.
+
+IV.  Workaround
+
+No workaround is available, but non-x86 machines and x86 machines using UEFI to
+boot are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  A reboot will be required to
+get console output.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:06/loader.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:06/loader.patch.asc
+# gpg --verify loader.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Reboot the system to use the new /boot/loader.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              362677cae8e9    stable/13-n255172
+releng/13.2/                            525ac1948af8  releng/13.2-n254618
+releng/13.1/                            5d2bbb9db2d2  releng/13.1-n250184
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:06.loader.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSkjkACgkQbljekB8A
+Gu/4HQ//WJFI/SehPJhbpyGKsePYJSecIA6FYS3/pEYmffxEHCxAlWIovYfZwEsl
+7UrqQfCOFIEtF2Au4GAhI2srH7+ecEFYyHzMfrWANLRMnHlqqLUqCdgmY6FKSM+v
+L0kIOh2ygMCU4s1nNjXDT5rwjLhS8rl+oaVbDvSHBIcwyNL0FdouuMnQR2GcHW1q
+nu+iYXCG0OAS7DAJ1hmPG5f85iXvt8dRfC9i/EH7sQSLJ8wZQIgQXOGbwwpMbPDW
+dsPP3mvxZ2h2i3WAMd2bidby+ImbDynpiabT8BuTg7vOo6P6pf+bREKKnHOQrN4C
+sZGzpPDGPKo0rAJ94R5qAS2QgzGX5gS/p0vporpwnvKZWL18AoioHp/Bh9TXFWfW
+8aQn2LcIEjd/vhU1B1Erg1ctavD71W6A5ZTxU5BocNot3ZIts2VTuF2LajUJ8bSp
+y2DBP3FmpFZi3CHvDV3NmJvUyasHb12EipYhamzAWpvUxRC0YP1zLaYbFRusSlFA
+D6rjrRh0sd9AGip6gZ0ZSLd0v7kuebpqCh8nTEd1Betyg1pa00SGLTp++RsPcgow
+D6ty5KWjItqbS1UGibFAexXRTc0PPW+/Jd+UmgoAWA6HYuw4HwznxIdfBGy4qMsN
+V30TjUxl7ulInD3Ts92TOU5FpHiS2yGNFLBkeT/RClbnaXHIC0Y=
+=gAQK
+-----END PGP SIGNATURE-----
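Review bot: The Impact paragraph in Section III restates the bug inside its own condition ("... if comconsole clears the hw.uart.console variable even when it's not in use"), which makes it hard to tell which systems lose their console. Suggest stating the consequence directly, for example that a uart supported by the kernel but not by the loader cannot be selected as the kernel console because hw.uart.console is always cleared. The sentence in Section IV saying that non-x86 machines and x86 machines booting via UEFI are not affected describes scope rather than a workaround and would be easier to find in Section III or next to the Affects field.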
diff --git a/website/static/security/advisories/FreeBSD-EN-23:07.mpr.asc b/website/static/security/advisories/FreeBSD-EN-23:07.mpr.asc
new file mode 100644
index 0000000000..10df65cee6
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:07.mpr.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:07.mpr                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          mpr(4) may fail to initialize devices
+
+Category:       core
+Module:         mpr
+Announced:      2023-06-21
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-05-02 12:21:35 UTC (stable/13, 13.2-STABLE)
+                2023-06-21 05:06:39 UTC (releng/13.2, 13.2-RELEASE-p1)
+                2023-06-21 05:07:50 UTC (releng/13.1, 13.1-RELEASE-p8)
+                2023-05-02 12:21:26 UTC (stable/12, 12.4-STABLE)
+                2023-06-21 05:43:37 UTC (releng/12.4, 12.4-RELEASE-p3)
+
+I.   Background
+
+mpr(4) is a driver for Broadcom SAS controllers.
+
+II.  Problem Description
+
+The mpr(4) driver did not correctly initialize command data sent to the
+controller when attaching.
+
+III. Impact
+
+mpr(4) would fail to initialize the controller in some cases, making the
+attached storage devices inaccessible.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:07/mpr.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:07/mpr.patch.asc
+# gpg --verify mpr.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              e7a3a08febd0    stable/13-n255252
+releng/13.2/                            e63d8b8fa6d9  releng/13.2-n254619
+releng/13.1/                            bc61a15ededc  releng/13.1-n250185
+stable/12/                                                        r373058
+releng/12.4/                                                      r373102
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:07.mpr.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=/a3j
+-----END PGP SIGNATURE-----
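Review bot: This notice goes straight from the Corrected field to "I.   Background" and omits the "For general information regarding FreeBSD Errata Notices and Security Advisories ..." paragraph with the security.FreeBSD.org link that the EN-23:05 and EN-23:06 notices in this commit carry at that position. Add it for consistency. Section III also says the controller fails to initialize "in some cases" without saying which; if the affected conditions are known, naming them would let operators judge how urgent the reboot is.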
diff --git a/website/static/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc b/website/static/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc
new file mode 100644
index 0000000000..bba8573771
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc
@@ -0,0 +1,180 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:04.pam_krb5                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Network authentication attack via pam_krb5
+
+Category:       core
+Module:         pam_krb5
+Announced:      2023-06-21
+Credits:        Taylor R Campbell <riastradh@NetBSD.org>
+Affects:        All supported versions of FreeBSD
+Corrected:      2023-06-21 05:25:18 UTC (stable/13, 13.2-STABLE)
+                2023-06-21 05:27:12 UTC (releng/13.2, 13.2-RELEASE-p1)
+                2023-06-21 05:27:22 UTC (releng/13.1, 13.1-RELEASE-p8)
+                2023-06-21 05:27:27 UTC (stable/12, 12.4-STABLE)
+                2023-06-21 05:43:39 UTC (releng/12.4, 12.4-RELEASE-p3)
+CVE Name:       CVE-2023-3326
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Kerberos 5 (krb5) is a computer-network authentication protocol that works on
+the basis of tickets to allow nodes communicating over a non-secure network
+to prove their identity to one another in a secure manner.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+pam_krb5 is a PAM module that allows using a Kerberos password to
+authenticate the user. pam_krb5 is disabled in the default FreeBSD
+installation.
+
+pam_krb5 uses passwords for authentication, which is distinct from
+Kerberos native protocols like GSSAPI, which allows for login without the
+exchange of passwords. GSSAPI is not affected by this issue.
+
+II.  Problem Description
+
+pam_krb5 authenticates the user by essentially running kinit(1) with the
+password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key
+Distribution Center) over the network, as a way to verify the password.
+
+Normally, the system running the pam_krb5 module will also have a keytab, a
+key provisioned by the KDC. The pam_krb5 module will use the tgt to get a
+service ticket and validate it against the keytab, ensuring the tgt is valid
+and therefore, the password is valid.
+
+However, if a keytab is not provisioned on the system, pam_krb5 has no way to
+validate the response from the KDC, and essentially trusts the tgt provided
+over the network as being valid.
+
+III. Impact
+
+In a non-default FreeBSD installation that leverages pam_krb5 for
+authentication and does not have a keytab provisioned, an attacker that is
+able to control both the password and the KDC responses can return a valid
+tgt, allowing authentication to occur for any user on the system.
+
+IV.  Workaround
+
+If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from
+your system. Additionally, ensure pam_krb5 is commented out of your PAM
+configuration located as documented in pam.conf(5), generally /etc/pam.d.
+Note, the default FreeBSD PAM configuration has pam_krb5 commented out.
+
+If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is
+commented out of your PAM configuration located as documented in pam.conf(5),
+generally /etc/pam.d. Note, the default FreeBSD PAM configuration has
+pam_krb5 commented out.
+
+If you are using pam_krb5, ensure you have a keytab on your system as
+provided by your Kerberos administrator.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:04/pam_krb5.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:04/pam_krb5.patch.asc
+# gpg --verify pam_krb5.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the PAM module, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              6322a6c9daaa    stable/13-n255613
+releng/13.2/                            58d21e3e8e56  releng/13.2-n254620
+releng/13.1/                            07e3f54f2ea1  releng/13.1-n250186
+stable/12/                                                        r373100
+releng/12.4/                                                      r373103
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3326>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=YOWz
+-----END PGP SIGNATURE-----
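Review bot: Section V does not say how a patched pam_krb5 behaves on a host that still has no keytab, which is the configuration Section II identifies as the problem. Operators who run pam_krb5 without a keytab need to know whether logins are refused after the update or whether provisioning a keytab, as Section IV advises, remains mandatory; one sentence in Section V stating this would remove the guesswork. Separately, the first two workaround paragraphs in Section IV repeat the same instruction and the same note about the default PAM configuration and could be merged.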
diff --git a/website/static/security/advisories/FreeBSD-SA-23:05.openssh.asc b/website/static/security/advisories/FreeBSD-SA-23:05.openssh.asc
new file mode 100644
index 0000000000..a989e564f4
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:05.openssh.asc
@@ -0,0 +1,124 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:05.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ssh-add does not honor per-hop destination constraints
+
+Category:       contrib
+Module:         openssh
+Announced:      2023-06-21
+Credits:        Luci Stanescu
+Affects:        FreeBSD 12.4
+Corrected:      2023-06-05 16:04:15 UTC (stable/12, 12.4-STABLE)
+                2023-06-21 05:43:42 UTC (releng/12.4, 12.4-RELEASE-p3)
+CVE Name:       CVE-2023-28531
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services, including
+remote shell access.
+
+II.  Problem Description
+
+When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop
+destination constraints, a logic error prevented the constraints from being
+sent to the agent resulting in keys being added to the agent without
+constraints.
+
+III. Impact
+
+A malicious server could leverage the keys provided by a forwarded agent that
+would normally not be allowed due to the logic error.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r373093
+releng/12.4/                                                      r373104
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271839>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28531>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:05.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=8fxE
+-----END PGP SIGNATURE-----
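Review bot: Section V has no post-update step for keys that are already loaded, although Section II says the affected keys were "added to the agent without constraints". Updating ssh-add does not change what a running ssh-agent already holds, so the advisory should tell users to remove and re-add smartcard keys that were loaded with per-hop destination constraints once the update is installed. In Section III the trailing "due to the logic error" reads as if the error is what disallows the use; moving that phrase to the front of the sentence would fix the ambiguity.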
diff --git a/website/static/security/patches/EN-23:05/tzdata-2023c.patch b/website/static/security/patches/EN-23:05/tzdata-2023c.patch
new file mode 100644
index 0000000000..eec11f4f0e
--- /dev/null
+++ b/website/static/security/patches/EN-23:05/tzdata-2023c.patch
@@ -0,0 +1,1896 @@
+--- contrib/tzdata/CONTRIBUTING.orig
++++ contrib/tzdata/CONTRIBUTING
+@@ -18,7 +18,7 @@
+ 'diff -u old/europe new/europe >myfix.patch', and attach
+ 'myfix.patch' to the email.
+ 
+-For more-elaborate or possibly-controversial changes,
++For more-elaborate or possibly controversial changes,
+ such as renaming, adding or removing zones, please read
+ "Theory and pragmatics of the tz code and data"
+ <https://www.iana.org/time-zones/repository/theory.html>.
+--- contrib/tzdata/Makefile.orig
++++ contrib/tzdata/Makefile
+@@ -35,22 +35,14 @@
+ 
+ LOCALTIME=	Factory
+ 
+-# The POSIXRULES macro controls interpretation of nonstandard and obsolete
+-# POSIX-like TZ settings like TZ='EET-2EEST' that lack DST transition rules.
+-# Such a setting uses the rules in a template file to determine
+-# "spring forward" and "fall back" days and times; the environment
+-# variable itself specifies UT offsets of standard and daylight saving time.
+-#
++# The POSIXRULES macro controls interpretation of POSIX-like TZ
++# settings like TZ='EET-2EEST' that lack DST transition rules.
+ # If POSIXRULES is '-', no template is installed; this is the default.
+-#
+ # Any other value for POSIXRULES is obsolete and should not be relied on, as:
+ # * It does not work correctly in popular implementations such as GNU/Linux.
+ # * It does not work even in tzcode, except for historical timestamps
+ #   that precede the last explicit transition in the POSIXRULES file.
+ #   Hence it typically does not work for current and future timestamps.
+-# In short, software should avoid ruleless settings like TZ='EET-2EEST'
+-# and so should not depend on the value of POSIXRULES.
+-#
+ # If, despite the above, you want a template for handling these settings,
+ # you can change the line below (after finding the timezone you want in the
+ # one of the $(TDATA) source files, or adding it to a source file).
+@@ -63,7 +55,7 @@
+ POSIXRULES=	-
+ 
+ # Also see TZDEFRULESTRING below, which takes effect only
+-# if the time zone files cannot be accessed.
++# if POSIXRULES is '-' or if the template file cannot be accessed.
+ 
+ 
+ # Installation locations.
+@@ -211,7 +203,7 @@
+ #  -DHAVE_DECL_ENVIRON if <unistd.h> declares 'environ'
+ #  -DHAVE_DECL_TIMEGM=0 if <time.h> does not declare timegm
+ #  -DHAVE_DIRECT_H if mkdir needs <direct.h> (MS-Windows)
+-#  -DHAVE_GENERIC=0 if _Generic does not work*
++#  -DHAVE__GENERIC=0 if _Generic does not work*
+ #  -DHAVE_GETRANDOM if getrandom works (e.g., GNU/Linux),
+ #	-DHAVE_GETRANDOM=0 to avoid using getrandom
+ #  -DHAVE_GETTEXT if gettext works (e.g., GNU/Linux, FreeBSD, Solaris),
+@@ -220,7 +212,7 @@
+ #  -DHAVE_INCOMPATIBLE_CTIME_R if your system's time.h declares
+ #	ctime_r and asctime_r incompatibly with the POSIX standard
+ #	(Solaris when _POSIX_PTHREAD_SEMANTICS is not defined).
+-#  -DHAVE_INTTYPES_H=0 if <inttypes.h> does not work*
++#  -DHAVE_INTTYPES_H=0 if <inttypes.h> does not work*+
+ #  -DHAVE_LINK=0 if your system lacks a link function
+ #  -DHAVE_LOCALTIME_R=0 if your system lacks a localtime_r function
+ #  -DHAVE_LOCALTIME_RZ=0 if you do not want zdump to use localtime_rz
+@@ -229,22 +221,24 @@
+ #  -DHAVE_POSIX_DECLS=0 if your system's include files do not declare
+ #	functions like 'link' or variables like 'tzname' required by POSIX
+ #  -DHAVE_SETENV=0 if your system lacks the setenv function
+-#  -DHAVE_SNPRINTF=0 if your system lacks the snprintf function
++#  -DHAVE_SNPRINTF=0 if your system lacks the snprintf function+
+ #  -DHAVE_STDCKDINT_H=0 if neither <stdckdint.h> nor substitutes like
+ #	__builtin_add_overflow work*
+-#  -DHAVE_STDINT_H=0 if <stdint.h> does not work*
++#  -DHAVE_STDINT_H=0 if <stdint.h> does not work*+
+ #  -DHAVE_STRFTIME_L if <time.h> declares locale_t and strftime_l
+ #  -DHAVE_STRDUP=0 if your system lacks the strdup function
+-#  -DHAVE_STRTOLL=0 if your system lacks the strtoll function
++#  -DHAVE_STRTOLL=0 if your system lacks the strtoll function+
+ #  -DHAVE_SYMLINK=0 if your system lacks the symlink function
+ #  -DHAVE_SYS_STAT_H=0 if <sys/stat.h> does not work*
+ #  -DHAVE_TZSET=0 if your system lacks a tzset function
+ #  -DHAVE_UNISTD_H=0 if <unistd.h> does not work*
+ #  -DHAVE_UTMPX_H=0 if <utmpx.h> does not work*
+ #  -Dlocale_t=XXX if your system uses XXX instead of locale_t
++#  -DPORT_TO_C89 if tzcode should also run on C89 platforms+
+ #  -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers
+ #	with external linkage, e.g., applications cannot define 'localtime'.
+ #  -Dssize_t=long on hosts like MS-Windows that lack ssize_t
++#  -DSUPPORT_C89 if the tzcode library should support C89 callers+
+ #  -DSUPPRESS_TZDIR to not prepend TZDIR to file names; this has
+ #	security implications and is not recommended for general use
+ #  -DTHREAD_SAFE to make localtime.c thread-safe, as POSIX requires;
+@@ -256,7 +250,13 @@
+ #  -DTZ_DOMAINDIR=\"/path\" to use "/path" for gettext directory;
+ #	the default is system-supplied, typically "/usr/lib/locale"
+ #  -DTZDEFRULESTRING=\",date/time,date/time\" to default to the specified
+-#	DST transitions if the time zone files cannot be accessed
++#	DST transitions for POSIX-style TZ strings lacking them,
++#	in the usual case where POSIXRULES is '-'.  If not specified,
++#	TZDEFRULESTRING defaults to US rules for future DST transitions.
++#	This mishandles some past timestamps, as US DST rules have changed.
++#	It also mishandles settings like TZ='EET-2EEST' for eastern Europe,
++#	as Europe and US DST rules differ.
++#  -DTZNAME_MAXIMUM=N to limit time zone abbreviations to N bytes (default 255)
+ #  -DUNINIT_TRAP if reading uninitialized storage can cause problems
+ #	other than simply getting garbage data
+ #  -DUSE_LTZ=0 to build zdump with the system time zone library
+@@ -273,6 +273,8 @@
+ #  $(GCC_DEBUG_FLAGS) if you are using recent GCC and want lots of checking
+ #
+ # * Options marked "*" can be omitted if your compiler is C23 compatible.
++# * Options marked "+" are obsolescent and are planned to be removed
++#   once the code assumes C99 or later.
+ #
+ # Select instrumentation via "make GCC_INSTRUMENT='whatever'".
+ GCC_INSTRUMENT = \
+@@ -363,7 +365,7 @@
+ #	-DNETBSD_INSPIRED=0
+ # to the end of the "CFLAGS=" line.  Otherwise, the functions
+ # "localtime_rz", "mktime_z", "tzalloc", and "tzfree" are added to the
+-# time library, and if STD_INSPIRED is also defined the functions
++# time library, and if STD_INSPIRED is also defined to nonzero the functions
+ # "posix2time_z" and "time2posix_z" are added as well.
+ # The functions ending in "_z" (or "_rz") are like their unsuffixed
+ # (or suffixed-by-"_r") counterparts, except with an extra first
+@@ -455,16 +457,13 @@
+ SAFE_CHARSET=	$(SAFE_CHARSET1)$(SAFE_CHARSET2)$(SAFE_CHARSET3)
+ SAFE_CHAR=	'[]'$(SAFE_CHARSET)'-]'
+ 
+-# These characters are Latin-1, and so are likely to be displayable
+-# even in editors with limited character sets.
+-UNUSUAL_OK_LATIN_1 = «°±»½¾×
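Review bot: the removed line `-UNUSUAL_OK_LATIN_1 = «°±»½¾×` in the embedded Makefile hunk at `@@ -455,16 +457,13 @@` puts non-ASCII bytes into tzdata-2023c.patch, so the file must be stored and served byte for byte. Otherwise it will neither apply nor verify against the detached tzdata-2023c.patch.asc added in this commit. Please confirm that the committed file keeps the encoding of the original Makefile and that the web server does not transcode it. A quick check is to fetch the published patch, verify the signature, and dry-run it against a clean tree. Separately, the comment hunks visible here document compile-time options such as `-DTZNAME_MAXIMUM=N`, `-DPORT_TO_C89` and `-DSUPPORT_C89`, and every path shown is under contrib/tzdata. If the erratum changes no code that honours those options, the advisory text could state that only data and documentation are updated.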
*** 2165 LINES SKIPPED ***