Date: Wed, 21 Jun 2023 06:06:38 GMT
Message-Id: <202306210606.35L66cHo099220@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: 062b6a21b6 - main - Add EN-23:05 to EN-23:07, SA-23:04, and SA-23:05.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 062b6a21b63e70bd29199145e72fcd648700b90e
Auto-Submitted: auto-generated

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=062b6a21b63e70bd29199145e72fcd648700b90e

commit 062b6a21b63e70bd29199145e72fcd648700b90e
Author:     Gordon Tetlow
AuthorDate: 2023-06-21 06:05:44 +0000
Commit:     Gordon Tetlow
CommitDate: 2023-06-21 06:05:44 +0000

    Add EN-23:05 to EN-23:07, SA-23:04, and SA-23:05.
Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 12 + .../advisories/FreeBSD-EN-23:05.tzdata.asc | 174 ++ .../advisories/FreeBSD-EN-23:06.loader.asc | 129 ++ .../security/advisories/FreeBSD-EN-23:07.mpr.asc | 136 ++ .../advisories/FreeBSD-SA-23:04.pam_krb5.asc | 180 ++ .../advisories/FreeBSD-SA-23:05.openssh.asc | 124 ++ .../security/patches/EN-23:05/tzdata-2023c.patch | 1896 ++++++++++++++++++++ .../patches/EN-23:05/tzdata-2023c.patch.asc | 16 + .../static/security/patches/EN-23:06/loader.patch | 17 + .../security/patches/EN-23:06/loader.patch.asc | 16 + website/static/security/patches/EN-23:07/mpr.patch | 24 + .../static/security/patches/EN-23:07/mpr.patch.asc | 16 + .../security/patches/SA-23:04/pam_krb5.patch | 216 +++ .../security/patches/SA-23:04/pam_krb5.patch.asc | 16 + .../static/security/patches/SA-23:05/openssh.patch | 11 + .../security/patches/SA-23:05/openssh.patch.asc | 16 + 17 files changed, 3007 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 8694a6a8ae..72324804c6 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-23:05.openssh" +date = "2023-06-21" + +[[advisories]] +name = "FreeBSD-SA-23:04.pam_krb5" +date = "2023-06-21" + [[advisories]] name = "FreeBSD-SA-23:03.openssl" date = "2023-02-16" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index b1b74bf67c..15ae740438 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml 
@@ -1,6 +1,18 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-23:07.mpr" +date = "2023-06-21" + +[[notices]] +name = "FreeBSD-EN-23:06.loader" +date = "2023-06-21" + +[[notices]] +name = "FreeBSD-EN-23:05.tzdata" +date = "2023-06-21" + [[notices]] name = "FreeBSD-EN-23:04.ixgbe" date = "2023-02-08" diff --git a/website/static/security/advisories/FreeBSD-EN-23:05.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-23:05.tzdata.asc new file mode 100644 index 0000000000..663ca66ebf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-23:05.tzdata.asc 
@@ -0,0 +1,174 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-23:05.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2023-06-21 +Affects: FreeBSD 13.1, 12.4 +Corrected: 2023-03-29 01:19:25 UTC (stable/13, 13.2-STABLE) + 2023-06-21 05:03:18 UTC (releng/13.1, 13.1-RELEASE-p8) + 2023-03-29 01:20:06 UTC (stable/12, 12.4-STABLE) + 2023-06-21 05:43:27 UTC (releng/12.4, 12.4-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The IANA Time Zone Database (often called tz or zoneinfo) contains code and +data that represent the history of local time for many representative +locations around the globe. It is updated periodically to reflect changes +made by political bodies to time zone boundaries, UTC offsets, and +daylight-saving rules. + +FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. +The tzsetup(8) utility allows the user to specify the default local time +zone. Based on the selected time zone, tzsetup(8) copies one of the files +from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected +for an individual process by setting its TZ environment variable to a desired +time zone name. + +II. Problem Description + +Several changes to future and past timestamps have been recorded in the IANA +Time Zone Database after previous FreeBSD releases were released. This +affects many users in different parts of the world. Because of these +changes, the data in the zoneinfo files need to be updated. If the local +timezone on the running system is affected, tzsetup(8) needs to be run to +update /etc/localtime. + +III. 
Impact + +An incorrect time will be displayed on a system configured to use one of the +affected time zones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated version of the IANA Time Zone +Database from the misc/zoneinfo port and run tzsetup(8). + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Please note that some third party software, for instance PHP, Ruby, Java, +Perl and Python, may be using different zoneinfo data sources, in such cases +this software must be updated separately. Software packages that are +installed via binary packages can be upgraded by executing 'pkg upgrade'. + +Following the instructions in this Errata Notice will only update the IANA +Time Zone Database installed in /usr/share/zoneinfo. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-23:05/tzdata-2023c.patch +# fetch https://security.FreeBSD.org/patches/EN-23:05/tzdata-2023c.patch.asc +# gpg --verify tzdata-2023c.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ bb7b15831531 stable/13-n254928 +releng/13.1/ 0e577c42f61c releng/13.1-n250183 +stable/12/ r373009 +releng/12.4/ r373101 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSki0ACgkQbljekB8A +Gu8TvxAAtPUGUHuME21ttewmNzBuW6CHhD3MFYheFFs3CiuLsUbla7BRKgXPMOmT +WzXHOe/PDKefrrrW09lPLG63DChu9WgmAfEQyvDK+uV8gazfTTkDN3wD+XS1k5Uh +PNk9ZE2jAGOY7vbzmJyXAXVYx1MJcT9jGpT0S1s5AhOWL3GgsjlUb/IXMHaDIpRy +r0L6snLzLypZzHmTf9HJ3dvkXAqiMv6Km1SwMeWibnm0ChCwhHzktOihbVcPQBoY +vlUbAb0zKSZmNblbQS89vZtdtwgzFW8t+/F6esMEvrxwlW3hU1f8dZTBsRoIsKCR +VqE2SSTu9O5wG0Huj4UR64EQ116Co8xU2JlVmdp0jFqu8SYa4kq5O3f0sVbRSVzi +agwzaS0U7h8FzxBIyaSOQX1k+tWVIbXViKI/BD17NXqR/LXCLT1e7Eu4uxJn3mqE +zmeyXEQ1TvP9VkGrLmuKrv2h+cqFrWVqFWlzRG3jq8x21r1fL7sTC2cnw54cqItN +lAci5GUpc02LBo+74sz0J5WSpLFj/0sA+5W4EkUZ4EyoTpmR/d5L22eU1h91ZJx6 +mg/5xxTCvvEL0woMOIHeUf5essP4JiWWwGLv1dblVUiq5UuP9R9UdZef3xt/s+gD +Ew8Tyqv80ZJiamfWGOYQbbY6Bi7cUgzBvQkOXDVAXXeUXcCfWF4= +=fStA +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-23:06.loader.asc b/website/static/security/advisories/FreeBSD-EN-23:06.loader.asc new file mode 100644 index 0000000000..cfe389dc89 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-23:06.loader.asc 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-23:06.loader Errata Notice + The FreeBSD Project + +Topic: x86 kernel console configuration + +Category: core +Module: loader +Announced: 2023-06-21 +Affects: FreeBSD 13.x +Corrected: 2023-04-26 17:30:19 UTC (stable/13, 13.2-STABLE) + 2023-06-21 05:05:15 UTC (releng/13.2, 13.2-RELEASE-p1) + 2023-06-21 05:05:51 UTC (releng/13.1, 13.1-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The x86 loader's "comconsole" driver drives an ns16550-like uart for the loader +output, and it also generates a console specification for the kernel to use. + +II. Problem Description + +comconsole will unconditionally clear the hw.uart.console environment variable, +whether the system is configured to use comconsole or not. + +III. Impact + +Systems with uart hardware that the kernel supports but loader doesn't cannot be +configured to use this uart for console output if comconsole clears the +hw.uart.console variable even when it's not in use. + +IV. Workaround + +No workaround is available, but non-x86 machines and x86 machines using UEFI to +boot are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. A reboot will be required to +get console output. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# reboot + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-23:06/loader.patch +# fetch https://security.FreeBSD.org/patches/EN-23:06/loader.patch.asc +# gpg --verify loader.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Reboot the system to use the new /boot/loader. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 362677cae8e9 stable/13-n255172 +releng/13.2/ 525ac1948af8 releng/13.2-n254618 +releng/13.1/ 5d2bbb9db2d2 releng/13.1-n250184 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSkjkACgkQbljekB8A +Gu/4HQ//WJFI/SehPJhbpyGKsePYJSecIA6FYS3/pEYmffxEHCxAlWIovYfZwEsl +7UrqQfCOFIEtF2Au4GAhI2srH7+ecEFYyHzMfrWANLRMnHlqqLUqCdgmY6FKSM+v +L0kIOh2ygMCU4s1nNjXDT5rwjLhS8rl+oaVbDvSHBIcwyNL0FdouuMnQR2GcHW1q +nu+iYXCG0OAS7DAJ1hmPG5f85iXvt8dRfC9i/EH7sQSLJ8wZQIgQXOGbwwpMbPDW +dsPP3mvxZ2h2i3WAMd2bidby+ImbDynpiabT8BuTg7vOo6P6pf+bREKKnHOQrN4C +sZGzpPDGPKo0rAJ94R5qAS2QgzGX5gS/p0vporpwnvKZWL18AoioHp/Bh9TXFWfW +8aQn2LcIEjd/vhU1B1Erg1ctavD71W6A5ZTxU5BocNot3ZIts2VTuF2LajUJ8bSp +y2DBP3FmpFZi3CHvDV3NmJvUyasHb12EipYhamzAWpvUxRC0YP1zLaYbFRusSlFA +D6rjrRh0sd9AGip6gZ0ZSLd0v7kuebpqCh8nTEd1Betyg1pa00SGLTp++RsPcgow +D6ty5KWjItqbS1UGibFAexXRTc0PPW+/Jd+UmgoAWA6HYuw4HwznxIdfBGy4qMsN +V30TjUxl7ulInD3Ts92TOU5FpHiS2yGNFLBkeT/RClbnaXHIC0Y= +=gAQK +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-23:07.mpr.asc b/website/static/security/advisories/FreeBSD-EN-23:07.mpr.asc new file mode 100644 index 0000000000..10df65cee6 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-23:07.mpr.asc 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-23:07.mpr Errata Notice + The FreeBSD Project + +Topic: mpr(4) may fail to initialize devices + +Category: core +Module: mpr +Announced: 2023-06-21 +Affects: All supported versions of FreeBSD. +Corrected: 2023-05-02 12:21:35 UTC (stable/13, 13.2-STABLE) + 2023-06-21 05:06:39 UTC (releng/13.2, 13.2-RELEASE-p1) + 2023-06-21 05:07:50 UTC (releng/13.1, 13.1-RELEASE-p8) + 2023-05-02 12:21:26 UTC (stable/12, 12.4-STABLE) + 2023-06-21 05:43:37 UTC (releng/12.4, 12.4-RELEASE-p3) + +I. Background + +mpr(4) is a driver for Broadcom SAS controllers. + +II. Problem Description + +The mpr(4) driver did not correctly initialize command data sent to the +controller when attaching. + +III. Impact + +mpr(4) would fail to initialize the controller in some cases, making the +attached storage devices inaccessible. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an erratum update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-23:07/mpr.patch +# fetch https://security.FreeBSD.org/patches/EN-23:07/mpr.patch.asc +# gpg --verify mpr.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ e7a3a08febd0 stable/13-n255252 +releng/13.2/ e63d8b8fa6d9 releng/13.2-n254619 +releng/13.1/ bc61a15ededc releng/13.1-n250185 +stable/12/ r373058 +releng/12.4/ r373102 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSkjsACgkQbljekB8A +Gu/jiw/9HCji9U0ygORSvETbwBg9eBNJNtQTqqnAEKPv7kjBUYhYkKwqyyzzaoCF +7rj0dw3heObLTdsDhDynnLinmTN1htXAoVE4F4RpS7li44eUnVp2hDSr//ft/bxR +Zrd0NbxDt9OCuPVPxWclVyAnG+fi446pwpX5zBMz1U8STQHDe7N8DRUlzOmCxY1z +N3pEJdFoYt8zUUixymBdpAmXyvBL5FAi9yvm0dt20Dl1e8EKVkdT+38x6RhYgjkO +Cr//HnldHyoVXnIzqOIIv+VpEwAV4nYcKei9EvI8bJ/LSWUIk+7PHzzpmygk7fPM +HFyIIlNQbkL0/KsEi/I07LUIBVoFEeB2pRHuOfF5jYhc6J4zcZ2pGX8BY3Ai8gdn +hRAVvUHbiKKIFjezwl4S+8N+jipP8xIovEW5LG4MTp8BSpq0aNy1VtXYLyTvZhEb +XhrepXUnPjh85sD2gLTfM4JDqCyuaNFTKqi0w+vCunvXjCfDhAFC+ttzJvDeijKG +cuW2nF2Iniug3Y7BjGIe4xWYFEBiDTp+vOYOg/J4Me4cd1+BJzD4Enmu60dmtCd3 +6u4HceA/CjVEV1iuZZXty9RkSqA5S6xCinZihho1fLrYLUOBA7MvSkIgZl1VH+RD +XkgQtO3LyurJ2Hi7O7LIcG9IOI5XmpNH0i2S3i7BOcQvMdTjamY= +=/a3j +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc b/website/static/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc new file mode 100644 index 0000000000..bba8573771 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc 
@@ -0,0 +1,180 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:04.pam_krb5 Security Advisory + The FreeBSD Project + +Topic: Network authentication attack via pam_krb5 + +Category: core +Module: pam_krb5 +Announced: 2023-06-21 +Credits: Taylor R Campbell +Affects: All supported versions of FreeBSD +Corrected: 2023-06-21 05:25:18 UTC (stable/13, 13.2-STABLE) + 2023-06-21 05:27:12 UTC (releng/13.2, 13.2-RELEASE-p1) + 2023-06-21 05:27:22 UTC (releng/13.1, 13.1-RELEASE-p8) + 2023-06-21 05:27:27 UTC (stable/12, 12.4-STABLE) + 2023-06-21 05:43:39 UTC (releng/12.4, 12.4-RELEASE-p3) +CVE Name: CVE-2023-3326 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +Kerberos 5 (krb5) is a computer-network authentication protocol that works on +the basis of tickets to allow nodes communicating over a non-secure network +to prove their identity to one another in a secure manner. + +The PAM (Pluggable Authentication Modules) library provides a flexible +framework for user authentication and session setup / teardown. + +pam_krb5 is a PAM module that allows using a Kerberos password to +authenticate the user. pam_krb5 is disabled in the default FreeBSD +installation. + +pam_krb5 uses passwords for authentication, which is distinct from +Kerberos native protocols like GSSAPI, which allows for login without the +exchange of passwords. GSSAPI is not affected by this issue. + +II. Problem Description + +pam_krb5 authenticates the user by essentially running kinit(1) with the +password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key +Distribution Center) over the network, as a way to verify the password. + +Normally, the system running the pam_krb5 module will also have a keytab, a +key provisioned by the KDC. 
The pam_krb5 module will use the tgt to get a +service ticket and validate it against the keytab, ensuring the tgt is valid +and therefore, the password is valid. + +However, if a keytab is not provisioned on the system, pam_krb5 has no way to +validate the response from the KDC, and essentially trusts the tgt provided +over the network as being valid. + +III. Impact + +In a non-default FreeBSD installation that leverages pam_krb5 for +authentication and does not have a keytab provisioned, an attacker that is +able to control both the password and the KDC responses can return a valid +tgt, allowing authentication to occur for any user on the system. + +IV. Workaround + +If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from +your system. Additionally, ensure pam_krb5 is commented out of your PAM +configuration located as documented in pam.conf(5), generally /etc/pam.d. +Note, the default FreeBSD PAM configuration has pam_krb5 commented out. + +If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is +commented out of your PAM configuration located as documented in pam.conf(5), +generally /etc/pam.d. Note, the default FreeBSD PAM configuration has +pam_krb5 commented out. + +If you are using pam_krb5, ensure you have a keytab on your system as +provided by your Kerberos administrator. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:04/pam_krb5.patch +# fetch https://security.FreeBSD.org/patches/SA-23:04/pam_krb5.patch.asc +# gpg --verify pam_krb5.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the PAM module, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 6322a6c9daaa stable/13-n255613 +releng/13.2/ 58d21e3e8e56 releng/13.2-n254620 +releng/13.1/ 07e3f54f2ea1 releng/13.1-n250186 +stable/12/ r373100 +releng/12.4/ r373103 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSkl0ACgkQbljekB8A +Gu/7pxAA5piBa4nYH+o+h2zGENXpWnKfGXpbWvxA1y9GCEhVAyq0xNK1voVbeLxO +j0JriahVImk+JjYgbuFSqQ44viRVUssIn2+tCT/rzWxjCYOAN7E5tHHuomzBtM6O +JSyeTT5Hk58iOjseTxCOy+FkLZ1daHyUiEGxURAJGf/KLg532xnYAgoXli48JBdA +3QwQ/q6hUEYS2KJpV3s8EI2oss2SI8+SW+5YjtPCHrs5JhVvRo4803Gwgxexu8Hv +ZO8oBb+R0+C9Q30ediAmHTrWdb1/ir5T/4kE/dOYNo3yeHBkpb5hqXEiAareFMhP +LvgFOFg8tNR6BEO3brRkgITvcLQOq48JSQlB1/ROE2+abSS0W1wEFlm/vyWen6as +0lMJYcO3+eTlKRkJ8fJyUZFntKk8s+ys8wNYYMoUr2AK89JvxtvIrL4kfZJ2SyHw +OwRCXpDx+rT4EXrspDsU3ya9mlT/+GVvMDD0J7eRpY8T+TKhp9P5VtofYAidw+tP +GafiRcuj8YLuHGTKlRQtmy3tE9jXsZ2p/R9bBt94ARPG0K/iJA7uR5gFs8PLXfpA +GxIGJwif6jFEFUXg5pufwTDmW0g4BNL7rWzO2l7ZDxE7tdgSH0qr4D376VyI385d +mzjiGNJZ07ng8R5MAXUDeqsZA1RvG5BV3toJawMzessvf55R1EI= +=YOWz +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:05.openssh.asc b/website/static/security/advisories/FreeBSD-SA-23:05.openssh.asc new file mode 100644 index 0000000000..a989e564f4 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:05.openssh.asc 
@@ -0,0 +1,124 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:05.openssh Security Advisory + The FreeBSD Project + +Topic: ssh-add does not honor per-hop destination constraints + +Category: contrib +Module: openssh +Announced: 2023-06-21 +Credits: Luci Stanescu +Affects: FreeBSD 12.4 +Corrected: 2023-06-05 16:04:15 UTC (stable/12, 12.4-STABLE) + 2023-06-21 05:43:42 UTC (releng/12.4, 12.4-RELEASE-p3) +CVE Name: CVE-2023-28531 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, including +remote shell access. + +II. Problem Description + +When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop +destination constraints, a logic error prevented the constraints from being +sent to the agent resulting in keys being added to the agent without +constraints. + +III. Impact + +A malicious server could leverage the keys provided by a forwarded agent that +would normally not be allowed due to the logic error. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/12/ r373093 +releng/12.4/ r373104 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmSSkl8ACgkQbljekB8A +Gu+p6Q//YJCvfTB82/cs++ok7D/bKGdwq5rvf9CaNMPrvEp7eVvzlTTDtxO6fU1P +eT9IZNSBxQHQEnbDyhN0kiTSp+cumGUl44azMwXrHmatN8SZ0FJ/SwEF/VIkxLq5 +suHmWh+E2JYdEKfBahjYiO6WJRL/WnKUGPkoDwcqszMyVEVcWh1Jr7nd8VmAJL54 +Q5IADSZYpZHJTgdKM/jwkI0yUdsm3qRdMpfnHrNRHUoo84JIpr69bKAISwRF/w5m +AgSFrV/0fW4EEqN0roXip6fyM3BlpOI8BjBE0V6mlPOkwxqzGvM7GwuEMGbxRWEj +pBv00Kqr0wdDmwge2EFaPLnd1wlB9dvy3+Z4GN2bmdwtM+tW5PXUgZ4iiKaD9/yK +Xf4dvSX8vs0IS4Rbk6e/MdZQHDXSzEFxPYz/a1PK/mMPVVeyyzCrQ8/66qUF5Uht +grItkiiD+20c/7SEoy7Tj/sDfYpohHYcUbFRxtFp4RlMBZtUgpUwSrvipixb/iKd +JkwUHrN5y6ct/oep7FiiGkHmQ3krXn6o5X4JiDf4JjoqbhPQLWMWdmLI+EeHOTcs +EtN2JUHK+uVnMoKIOY12D9EzbMH/haBAmHSldXyk/pkxxz0OrSKytjXuYQMo9ooG +wlwKMhEOMU6Jhb0YX4nR4jnKEtUx73/i08GBAV7tUuu5he0q6/I= +=8fxE +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-23:05/tzdata-2023c.patch b/website/static/security/patches/EN-23:05/tzdata-2023c.patch new file mode 100644 index 0000000000..eec11f4f0e --- /dev/null +++ b/website/static/security/patches/EN-23:05/tzdata-2023c.patch 
@@ -0,0 +1,1896 @@ +--- contrib/tzdata/CONTRIBUTING.orig ++++ contrib/tzdata/CONTRIBUTING +@@ -18,7 +18,7 @@ + 'diff -u old/europe new/europe >myfix.patch', and attach + 'myfix.patch' to the email. + +-For more-elaborate or possibly-controversial changes, ++For more-elaborate or possibly controversial changes, + such as renaming, adding or removing zones, please read + "Theory and pragmatics of the tz code and data" + . +--- contrib/tzdata/Makefile.orig ++++ contrib/tzdata/Makefile +@@ -35,22 +35,14 @@ + + LOCALTIME= Factory + +-# The POSIXRULES macro controls interpretation of nonstandard and obsolete +-# POSIX-like TZ settings like TZ='EET-2EEST' that lack DST transition rules. +-# Such a setting uses the rules in a template file to determine +-# "spring forward" and "fall back" days and times; the environment +-# variable itself specifies UT offsets of standard and daylight saving time. +-# ++# The POSIXRULES macro controls interpretation of POSIX-like TZ ++# settings like TZ='EET-2EEST' that lack DST transition rules. + # If POSIXRULES is '-', no template is installed; this is the default. +-# + # Any other value for POSIXRULES is obsolete and should not be relied on, as: + # * It does not work correctly in popular implementations such as GNU/Linux. + # * It does not work even in tzcode, except for historical timestamps + # that precede the last explicit transition in the POSIXRULES file. + # Hence it typically does not work for current and future timestamps. +-# In short, software should avoid ruleless settings like TZ='EET-2EEST' +-# and so should not depend on the value of POSIXRULES. +-# + # If, despite the above, you want a template for handling these settings, + # you can change the line below (after finding the timezone you want in the + # one of the $(TDATA) source files, or adding it to a source file). +@@ -63,7 +55,7 @@ + POSIXRULES= - + + # Also see TZDEFRULESTRING below, which takes effect only +-# if the time zone files cannot be accessed. 
++# if POSIXRULES is '-' or if the template file cannot be accessed. + + + # Installation locations. +@@ -211,7 +203,7 @@ + # -DHAVE_DECL_ENVIRON if declares 'environ' + # -DHAVE_DECL_TIMEGM=0 if does not declare timegm + # -DHAVE_DIRECT_H if mkdir needs (MS-Windows) +-# -DHAVE_GENERIC=0 if _Generic does not work* ++# -DHAVE__GENERIC=0 if _Generic does not work* + # -DHAVE_GETRANDOM if getrandom works (e.g., GNU/Linux), + # -DHAVE_GETRANDOM=0 to avoid using getrandom + # -DHAVE_GETTEXT if gettext works (e.g., GNU/Linux, FreeBSD, Solaris), +@@ -220,7 +212,7 @@ + # -DHAVE_INCOMPATIBLE_CTIME_R if your system's time.h declares + # ctime_r and asctime_r incompatibly with the POSIX standard + # (Solaris when _POSIX_PTHREAD_SEMANTICS is not defined). +-# -DHAVE_INTTYPES_H=0 if does not work* ++# -DHAVE_INTTYPES_H=0 if does not work*+ + # -DHAVE_LINK=0 if your system lacks a link function + # -DHAVE_LOCALTIME_R=0 if your system lacks a localtime_r function + # -DHAVE_LOCALTIME_RZ=0 if you do not want zdump to use localtime_rz +@@ -229,22 +221,24 @@ + # -DHAVE_POSIX_DECLS=0 if your system's include files do not declare + # functions like 'link' or variables like 'tzname' required by POSIX + # -DHAVE_SETENV=0 if your system lacks the setenv function +-# -DHAVE_SNPRINTF=0 if your system lacks the snprintf function ++# -DHAVE_SNPRINTF=0 if your system lacks the snprintf function+ + # -DHAVE_STDCKDINT_H=0 if neither nor substitutes like + # __builtin_add_overflow work* +-# -DHAVE_STDINT_H=0 if does not work* ++# -DHAVE_STDINT_H=0 if does not work*+ + # -DHAVE_STRFTIME_L if declares locale_t and strftime_l + # -DHAVE_STRDUP=0 if your system lacks the strdup function +-# -DHAVE_STRTOLL=0 if your system lacks the strtoll function ++# -DHAVE_STRTOLL=0 if your system lacks the strtoll function+ + # -DHAVE_SYMLINK=0 if your system lacks the symlink function + # -DHAVE_SYS_STAT_H=0 if does not work* + # -DHAVE_TZSET=0 if your system lacks a tzset function + # -DHAVE_UNISTD_H=0 if does 
not work* + # -DHAVE_UTMPX_H=0 if does not work* + # -Dlocale_t=XXX if your system uses XXX instead of locale_t ++# -DPORT_TO_C89 if tzcode should also run on C89 platforms+ + # -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers + # with external linkage, e.g., applications cannot define 'localtime'. + # -Dssize_t=long on hosts like MS-Windows that lack ssize_t ++# -DSUPPORT_C89 if the tzcode library should support C89 callers+ + # -DSUPPRESS_TZDIR to not prepend TZDIR to file names; this has + # security implications and is not recommended for general use + # -DTHREAD_SAFE to make localtime.c thread-safe, as POSIX requires; +@@ -256,7 +250,13 @@ + # -DTZ_DOMAINDIR=\"/path\" to use "/path" for gettext directory; + # the default is system-supplied, typically "/usr/lib/locale" + # -DTZDEFRULESTRING=\",date/time,date/time\" to default to the specified +-# DST transitions if the time zone files cannot be accessed ++# DST transitions for POSIX-style TZ strings lacking them, ++# in the usual case where POSIXRULES is '-'. If not specified, ++# TZDEFRULESTRING defaults to US rules for future DST transitions. ++# This mishandles some past timestamps, as US DST rules have changed. ++# It also mishandles settings like TZ='EET-2EEST' for eastern Europe, ++# as Europe and US DST rules differ. ++# -DTZNAME_MAXIMUM=N to limit time zone abbreviations to N bytes (default 255) + # -DUNINIT_TRAP if reading uninitialized storage can cause problems + # other than simply getting garbage data + # -DUSE_LTZ=0 to build zdump with the system time zone library +@@ -273,6 +273,8 @@ + # $(GCC_DEBUG_FLAGS) if you are using recent GCC and want lots of checking + # + # * Options marked "*" can be omitted if your compiler is C23 compatible. ++# * Options marked "+" are obsolescent and are planned to be removed ++# once the code assumes C99 or later. + # + # Select instrumentation via "make GCC_INSTRUMENT='whatever'". 
+ GCC_INSTRUMENT = \ +@@ -363,7 +365,7 @@ + # -DNETBSD_INSPIRED=0 + # to the end of the "CFLAGS=" line. Otherwise, the functions + # "localtime_rz", "mktime_z", "tzalloc", and "tzfree" are added to the +-# time library, and if STD_INSPIRED is also defined the functions ++# time library, and if STD_INSPIRED is also defined to nonzero the functions + # "posix2time_z" and "time2posix_z" are added as well. + # The functions ending in "_z" (or "_rz") are like their unsuffixed + # (or suffixed-by-"_r") counterparts, except with an extra first +@@ -455,16 +457,13 @@ + SAFE_CHARSET= $(SAFE_CHARSET1)$(SAFE_CHARSET2)$(SAFE_CHARSET3) + SAFE_CHAR= '[]'$(SAFE_CHARSET)'-]' + +-# These characters are Latin-1, and so are likely to be displayable +-# even in editors with limited character sets. +-UNUSUAL_OK_LATIN_1 = «°±»½¾× *** 2165 LINES SKIPPED ***
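Review bot: in the SA-23:05.openssh hunk (@@ -0,0 +1,124 @@), section IV says "No workaround is available" even though the Impact text only applies when the agent is forwarded to a malicious server, so declining to forward the agent to hosts you do not trust (ForwardAgent no) is a workaround worth stating; and because the bug is that keys were added "without constraints", keys already sitting in a running agent stay unconstrained after the upgrade until they are removed (ssh-add -D) and re-added, which section V should say. Section V also keeps the generic "on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms" wording although Affects lists only FreeBSD 12.4 and Corrected lists only stable/12 and releng/12.4; trim the arm64 clause so readers do not expect a 13.x update. The Impact sentence "A malicious server could leverage the keys provided by a forwarded agent that would normally not be allowed due to the logic error" attaches "not allowed" to the agent rather than to the keys; suggest "A malicious server that receives a forwarded agent could use keys that the per-hop destination constraints should have prevented it from using." As shown here the References section carries no entries and the sentences "please visit ." and "described in ." have no target; confirm the URLs, including the CVE-2023-28531 entry, are present in the committed file.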
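Review bot: the tzdata-2023c.patch hunk (@@ -0,0 +1,1896 @@) is the file that will be served to users, so it must stay byte-identical to what the detached signature covers: the advisory text above instructs users to fetch the .patch.asc and run gpg --verify, but no EN-23:05/tzdata-2023c.patch.asc is among the files visible in this commit and the mail is cut off at "*** 2165 LINES SKIPPED ***", so confirm the signature is committed alongside it. Note also that this patch's blank context lines are a lone space (the "+ " lines between "+LOCALTIME= Factory" and "+# The POSIXRULES macro", for example); any trailing-whitespace normalization on commit or checkout would strip them and make the patch fail to apply, so verify the committed file against the signed copy rather than only eyeballing the hunks.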