Date: Wed, 14 Feb 2024 06:57:45 GMT
Message-Id: <202402140657.41E6vj4p069348@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: d1a54e045f - main - Actually add the SA/EN texts.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d1a54e045f3f9fcab5b4effede7b76ad17800cb3
Auto-Submitted: auto-generated

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=d1a54e045f3f9fcab5b4effede7b76ad17800cb3

commit d1a54e045f3f9fcab5b4effede7b76ad17800cb3
Author:     Gordon Tetlow
AuthorDate: 2024-02-14 06:56:56 +0000
Commit:     Gordon Tetlow
CommitDate: 2024-02-14 06:56:56 +0000

    Actually add the SA/EN texts.

    Approved by: so
---
 .../advisories/FreeBSD-EN-24:01.tzdata.asc | 191 ++
 .../advisories/FreeBSD-EN-24:02.libutil.asc | 169 ++
 .../advisories/FreeBSD-EN-24:03.kqueue.asc | 131 +
 .../security/advisories/FreeBSD-EN-24:04.ip.asc | 130 +
 .../advisories/FreeBSD-SA-24:01.bhyveload.asc | 140 +
 .../security/advisories/FreeBSD-SA-24:02.tty.asc | 137 +
 .../security/patches/EN-24:01/tzdata-2024a.patch | 2927 ++++++++++++++++++++
 .../patches/EN-24:01/tzdata-2024a.patch.asc | 16 +
 .../static/security/patches/EN-24:02/libutil.patch | 11 +
 .../security/patches/EN-24:02/libutil.patch.asc | 16 +
 .../static/security/patches/EN-24:03/kqueue.patch | 13 +
 .../security/patches/EN-24:03/kqueue.patch.asc | 16 +
 website/static/security/patches/EN-24:04/ip.patch | 150 +
 .../static/security/patches/EN-24:04/ip.patch.asc | 16 +
 .../security/patches/SA-24:01/bhyveload-13.2.patch | 137 +
 .../patches/SA-24:01/bhyveload-13.2.patch.asc | 16 +
 .../security/patches/SA-24:01/bhyveload-14.0.patch | 129 +
 .../patches/SA-24:01/bhyveload-14.0.patch.asc | 16 +
 website/static/security/patches/SA-24:02/tty.patch | 55 +
 .../static/security/patches/SA-24:02/tty.patch.asc | 16 +
 20 files changed, 4432 insertions(+)

diff --git a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc new file mode 100644 index 0000000000..91d9cb0447 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc 
@@ -0,0 +1,191 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:01.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2024-02-14 +Affects: All supported versions of FreeBSD +Corrected: 2024-02-05 00:30:01 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:21:06 UTC (releng/14.0, 14.0-RELEASE-p5) + 2024-02-05 00:30:42 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:27:47 UTC (releng/13.2, 13.2-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The IANA Time Zone Database (often called tz or zoneinfo) contains code and +data that represent the history of local time for many representative +locations around the globe. It is updated periodically to reflect changes +made by political bodies to time zone boundaries, UTC offsets, and +daylight-saving rules. + +Leap seconds are occasional adjustments added to -- or potentially subtracted +from -- Coordinated Universal Time (UTC). An authoritative list of leap +second adjustments is maintained by the International Earth Rotation and +Reference Systems Service (IERS). + +FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. +The tzsetup(8) utility allows the user to specify the default local time +zone. Based on the selected time zone, tzsetup(8) copies one of the files +from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected +for an individual process by setting its TZ environment variable to a desired +time zone name. + +The latest list of leap seconds at the time of release is installed on FreeBSD +in /var/db/ntpd.leap-seconds.list. 
The startup rc(8) scripts of the ntpd(8) +Network Time Protocol implementation included in the FreeBSD base system can +periodically download an updated leap-seconds.list file from configurable +internet sites. + +II. Problem Description + +Several changes to future and past timestamps have been recorded in the IANA +Time Zone Database after previous FreeBSD releases were released. This +affects many users in different parts of the world. Because of these +changes, the data in the zoneinfo files need to be updated. If the local +timezone on the running system is affected, tzsetup(8) needs to be run to +update /etc/localtime. + +In the default configuration, the ntpd(8) startup script included with FreeBSD +checks for an updated leap-seconds.list on the IETF's web server. As of 2023, +the IETF no longer distributes a copy of this file. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected time zones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +With the default configuration, FreeBSD systems cannot file updates to the +installed leap-seconds.list file. Since no leap second was introduced at the +end of 2023, the leap-seconds.list file included with all supported FreeBSD +releases is still accurate. Moreover, ntpd(8) is able to receive updated leap +second information from its peers. However, a diagnostic warning about an +expired leap-seconds.list is printed at startup. + +IV. Workaround + +The system administrator can install an updated version of the IANA Time Zone +Database from the misc/zoneinfo port and run tzsetup(8). + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. 
+ +The ntpd(8) startup script can be configured to download an updated +leap-seconds.list file from IERS with the following rc.conf(5) setting: + +ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list" + +Larger sites, or sites without reliable connectivity to the internet, may wish +to point to their locally maintained copy of this file. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Please note that some third party software, for instance PHP, Ruby, Java, +Perl and Python, may be using different zoneinfo data sources, in such cases +this software must be updated separately. Software packages that are +installed via binary packages can be upgraded by executing 'pkg upgrade'. + +Following the instructions in this Errata Notice will only update the IANA +Time Zone Database installed in /usr/share/zoneinfo. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch +# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch.asc +# gpg --verify tzdata-2024a.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . 
+ +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 26fe22019cb2 stable/14-n266642 +releng/14.0/ a3b7bafd2acc releng/14.0-n265409 +stable/13/ f4256acec1c9 stable/13-n257384 +releng/13.2/ 66bb668fe5f2 releng/13.2-n254660 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYP4ACgkQbljekB8A +Gu8lBxAA6XgVr3mwvCPgeu8UFa8OeIJzIBgCDv5QFD9BL5NjK5TQuUtc/EqFeuIp +wSR+KC5Lc/NCsi3fX85M4ZI6HnsTBwOVQ5t7xhYxmQvBmzeZWz02UfGIVLuU6/JG +mYjpRRCx1yEyUntzfuXEYNsCLkGWYLuydBfFsL+6tN587dk7A/rRMyzdEDsKApGE +GcP5N7/cKaxNCoDSJonLpX0AbsoQRQJeyhVFgtKWnbPKW9yTeEAZEIG2jqlqOX5O +JQ4Ih3nj4Y4IVVSwPyO5eZYtTc1N1MMixJct63yM4C8IHjCFnxfPASz6+9s8DcAx +BwezcAogXJ0ERuohJe2SXPayEUPqrcPAUXQfwO8kPvAX7VrF97cwfyPY6sf9j7gw +qtHX2e9OPt+oMbXOzgvnIt/p6OZ4SHpfDpiSIIJqk0f+w+qVPeRDKa2SUjWEGphc +GS1wQc+lXqwvlm2DknpESRDOF6nLQfgSm1IFOWin/10kf6mFQR4RnK0lxP2rwZgQ +s1VKhA8zPLrXhB4z/OJod7F2R5nXXfqQwlCmWC8RQjL7T7Bz7NEAIU9zwqIPAQb5 +DTtCBe4dYBt6eeYPFQ8EjD3BfYzqJyT2rXQtnwl9Je/foHqZ6pJrFbQool81aRkq +aCo/OKuzUKNnOLsLwyTTsO/kTqL1ryW/CiFHz7XhD2Y8+YqwOHE= +=7Xjc +-----END PGP SIGNATURE----- 
diff --git a/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc b/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc new file mode 100644 index 0000000000..c5c33a7863 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc 
@@ -0,0 +1,169 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:02.libutil Errata Notice + The FreeBSD Project + +Topic: Login class resource limits and CPU mask bypass + +Category: core +Module: libutil +Announced: 2024-02-14 +Credits: Olivier Certner +Affects: All supported versions of FreeBSD. +Corrected: 2023-10-24 00:57:11 UTC (stable/14, 14.0-STABLE) + 2023-02-14 06:05:41 UTC (releng/14.0, 14.0-RELEASE-p5) + 2023-12-21 13:39:03 UTC (stable/13, 13.2-STABLE) + 2023-02-14 06:05:57 UTC (releng/13.2, 13.2-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +setusercontext() is a high-level API generally used by login-like programs to +set the general environment of new processes launched on behalf of other +users, including the credentials (users, groups, MAC security label), resource +limits, CPU mask and process priority. + +This function only applies the settings of the types requested by the caller +via flags (e.g., LOGIN_SETALL for all types, LOGIN_SETUSER to set the real, +effective and saved user IDs, etc.), and for some of them requires privileges +to do so. Among these, the resource limits (flag LOGIN_SETRESOURCES) and CPU +mask (flag LOGIN_SETCPUMASK) types are set not only based on the target user's +login class, which is controlled by the system administrator, but also on his +personal configuration file '~/.login_conf' (see login.conf(5)). + +In order to prevent unprivileged users from overriding the administrator +settings, setusercontext() applies a personal configuration file only if the +real user ID of the process that runs it matches that of the target user, with +the goal to avoid applying the user-controlled settings with privileges. + +II. 
Problem Description + +When deciding to apply a target user's personal configuration file, +setusetcontext() checks the real user ID of the process whereas it should +instead check the effective user ID, which is the one affecting the process' +privileges and consequently which settings it can change and to which values. + +III. Impact + +An unprivileged user may bypass the administrator's resource limits and/or CPU +mask settings stemming from his login class provided he can run a (setuid) +login-like program that: +- - Calls setusercontext() with the LOGIN_SETRESOURCES and/or LOGIN_SETCPUMASK + flags but without LOGIN_SETUSER (which excludes the use of LOGIN_SETALL), + and with a non-NULL 'pwd' argument. +- - Does so before changing the effective user ID to the target user. + +No programs in FreeBSD's base system, including login(1) and su(1), meet these +requirements, but third-party programs may. In particular, sudo(8) does when +using the default sudoers(5) plugin configured with the 'use_loginclass' flag +enabled. doas(8) does not. + +IV. Workaround + +There are at least two possible workarounds. + +The first one is for an administrator is to prepare for all users a +'~/.login_conf' they can't write or replace, e.g., using filesystem flags +'schg' or 'sunlnk' (see chflags(1)), defeating user's own customizations. + +The second one is to review setuid login programs accessible to users, +determine if they meet the requirements above, and deactivate those that do or +reconfigure them when possible, as mentioned above for sudo(8). + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +It should be followed by a restart of all third-party daemons that use the +'libutil' library, or a reboot of the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch +# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch.asc +# gpg --verify libutil.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart of all third-party daemons that use the 'libutil' library, or reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ ede6fd06726c stable/14-n265587 +releng/14.0/ c2a9cfc55046 releng/14.0-n265403 +stable/13/ 9fcf54d3750e stable/13-n256941 +releng/13.2/ 9deb5ca77beb releng/13.2-n254655 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQoACgkQbljekB8A +Gu8m9Q//cmgbS/PZPMBjARTQa2kkEpIy7zYgDq9/oriREfUBgbN+hFdxlwN5q59r +t+lJGJYSynMQDFglQcsD61nECP6fnjco1RxLPpzf+aBmP/VebOh7irsI7QElisY+ +SoiCHhZrpXcZGU5OBTA0Nd7NbKVmCflF6aJN0bOCZHvONSUH+ijsXPd98Pjx6TgF +0yQV3ryMYtEBbIaXdR751HLe011hcQYBnlU+/0B9bzL5JCr67NaYM3MDkMkwvXSs +zJaefj9xxMlJdB4EvkJGtcau4Kw/qdM0iFllUMmOPl3QK+s4LKguaVtuWWI0bSvL +VlFbGVCoRmaVzV+ZaCrDZrsl3NOC92Trhg5QdLV5HJUP3sSRAo5PGNostdWB6VsT +mfgJp0owv7LSSt/irDgtY2OGFb3Y/RZmqTBXR7ScFAguuA5dJva44eDkUX8YXBU/ +7ZlXMuF94dmaTmcDqOqWBmfeIWlIKdVsol6fzoKQhLjtZuUg5vdl2rUlj6GSNSL9 +6GLU2/LiobuBhfc0qL/mmtyovqHO2HDLsNX54zusBEzy7lI2URvTcCjcHX0Tbwwi +cuj6b/XzvAnQ2qFyA4l8bhCSpECkGybLgar+ig199K077HrwRUjLt666JQtMBkKQ +LZafucjfGCSpDJFcVjfGfliYnYQFyAd4NAfDsnR15xz9Pxw7MOg= +=mDl9 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc b/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc new file mode 100644 index 0000000000..6ddfa84ef7 --- /dev/null 
+++ b/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:03.kqueue Errata Notice + The FreeBSD Project + +Topic: kqueue_close(2) page fault on exit using rfork(2) + +Category: core +Module: kqueue +Announced: 2024-02-14 +Affects: All supported versions of FreeBSD. +Corrected: 2023-12-05 00:43:27 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:42 UTC (releng/14.0, 14.0-RELEASE-p5) + 2023-12-05 00:44:13 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:05:58 UTC (releng/13.2, 13.2-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The kqueue(2) system call provides a generic method of notifying the user +when an event happens or a condition holds. + +II. Problem Description + +Normally, when a process exits, all its kqueue fds will be destroyed at the +moment p_klist is detached. However, if the process was created with rfork(2) +with shared file descriptors, its signal knotes can survive. This can +eventually result in a page fault when the process exits. + +III. Impact + +Using kqueue(2) with a process using rfork(2) can panic the system. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot the system. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot the system. 
+ +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch +# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch.asc +# gpg --verify kqueue.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 24346a2f7775 stable/14-n265907 +releng/14.0/ bb06104dce0b releng/14.0-n265404 +stable/13/ 55e91944998c stable/13-n256837 +releng/13.2/ 154dedade465 releng/13.2-n254656 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQwACgkQbljekB8A +Gu+GSxAA5voCfr4a2LrMmBjQvgD7XwpCNH9yvYN3chKG07TTqNWkHbCxNvc4Brzm +IXKGxvolrY3PZhXgN2KZhe/wAOf0I1ZazeW9wdk13O9G2SF5aaUYBkCvoMmPME42 +f7lVXnkxhTQAovVFQRZAK6sYCVspIPQEpavoa7rq5dDDtO9g2AqB53aAbgdBpQ0j +ClIcMzM2HdiYQBi4WuL36XVbeX6N++N5ouE8Hdz+pDcQSHuOm3VHUKlpRsEXLmYI +3uDJ8py+PGbtcLnSVALEcnreirJcCJ5em7Gaec2KXHDRis/dLW+DPlPyZp1mpIBZ +l073AME8hEOxnJOUALvxTVHQS3L35JjFmxnSGwnLzXH16v/fGUKlnAZkOftNcRan +JW1fLXB2EH+H+hdnOWiQeTCk8duIIvXuWEYf8dfP6SBMm9FfzBAoTv/K1mHxGFKZ +s3iR4WyC7Y6r56meVdNfs/F4XtVh3edhVfOdjf/5I8+Ut9HGRNuHOCepLG9DASOd +eQbhHAnHnUB21qq4Tme0eKoA130gVcBMr2NsE0lifNArLzEvvGB0Bw+9ZP9IfFeS +/fPs4Yq1XIjpgk+TDdOPGexLWCIBl0ursjZMSuGyhXkDaD1oYzF3SKWrJRkahpUq ++tN6jVPkG7Iy36myKSHofuPh641hSmk88IJPJHVrdNjo88hUti0= +=xsIs +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc b/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc new file mode 100644 index 0000000000..a5fbf4e1a1 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc 
@@ -0,0 +1,130 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:04.ip Errata Notice + The FreeBSD Project + +Topic: Kernel panic triggered by bind(2) + +Category: core +Module: ip +Announced: 2024-02-14 +Affects: FreeBSD 14.0 +Corrected: 2024-01-09 00:30:05 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:43 UTC (releng/14.0, 14.0-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The inpcb subsystem of the kernel is responsible for implementing +portions of socket-related system calls (e.g., bind(2)) on behalf of +IP-based network protocol implementations. This layer provides lookup +tables which can be used within the kernel to translate between sockets +and the internet addresses to which they are bound or connected. + +II. Problem Description + +The inpcb layer maintains several hash tables which are synchronized by +a combination of mutexes and the use of lock-free data structures. The +implementation of the latter was flawed such that a locked lookup could +return a socket that was in the process of being removed from the table. + +III. Impact + +The race condition can trigger a NULL pointer dereference in the kernel, +resulting in a kernel panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch +# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch.asc +# gpg --verify ip.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 2bfe735277b8 stable/14-n266255 +releng/14.0/ 9db5ae3ec45f releng/14.0-n265405 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQ4ACgkQbljekB8A +Gu8ffg/7BY7BfPU1emJ7YfFNKszPKJooefFS8dejskN6ic55hCt8fh0RuV9g/Lwg +25QehLwGl821HaoTBijM9EBt4RTT9qdzU0m+9MKKATxy5wfnfANtU3fa+nwvuWhB +fM6kLJcnViobhGHDoFN29Nz2BjfGodh4XXf1uE4zOLytw9WrM69H/UbHPMn7xSzM +mPqGppk/TdxEdWXywaHLhSKf8Y21jtcidQBQ3aILnLbNObt2uii+hqVQw5+CDRYw +NnHi1QBWMTP3blwmwGV3rtpytDMhhXUptA0ILpzVm6YAtGTsTLL4VrssGtcuW+Sh +o7wkwmNzQLayoKNwdUkx8S/X+ilCBeHVXBH3A2GHjisMstP8cU3fRAuPVI5QvIyh +rWsCLyoL+QwtZ58KJLpe6WQtLfG/xpq20+7lUJtyLaInZ7YStkNLXMZHJUbjx7yO +xZsraeCI3Y6qtdHYxk4wH3HBqR2w6WmU30iXMA5UWXjL9LaB0Az/8cHlXoTA6apB +XoHCzfC/LbV972c28P7Nky97oFkYTPvB0+iHPqMB77pciMO6gKWitf4FFA9fsp7H +QfWjUHMJSIbtzCgskKurO93UmlogQbfbgahmzSA7SDTryObbXdre2SuSrfDwbW/O +scgug9GgFuTjAp9GB7SYFA+eYUQsakyVHK1gnxt3Su7lcw/GMG0= +=2K5v +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc b/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc new file mode 100644 index 0000000000..c61b036f16 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:01.bhyveload Security Advisory + The FreeBSD Project + +Topic: bhyveload(8) host file access + +Category: core +Module: bhyeload +Announced: 2024-02-14 +Credits: The water cooler. (Note, this is the requested credit) +Affects: All supported versions of FreeBSD. +Corrected: 2024-01-15 22:27:59 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:44 UTC (releng/14.0, 14.0-RELEASE-p5) + 2024-01-15 23:11:38 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:06:00 UTC (releng/13.2, 13.2-RELEASE-p10) +CVE Name: CVE-2024-25940 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyveload(8) is used to load a FreeBSD guest into a bhyve virtual machine. + +II. Problem Description + +`bhyveload -h ` may be used to grant loader access to the +directory tree on the host. Affected versions of bhyveload(8) do not make any +attempt to restrict loader's access to , allowing the loader to read +any file the host user has access to. + +III. Impact + +In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the +loader scripts generally come from the guest image. A maliciously crafted +script could be used to exfiltrate sensitive data from the host accessible to +the user running bhyhveload(8), which is often the system root. + +IV. Workaround + +No workaround is available, but guests that do not use `bhyveload -h` are not +impacted. Common VM solutions that use bhyveload(8) do not usually use the +- -h option. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.0] +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch.asc +# gpg --verify bhyveload-14.0.patch.asc + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch.asc +# gpg --verify bhyveload-13.2.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . Virtual +machines that have been booted with bhyveload(8) do not need to be rebooted. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 426b28fdf700 stable/14-n266333 +releng/14.0/ f5bb597829e1 releng/14.0-n265406 +stable/13/ 78345dbd7a00 stable/13-n257186 +releng/13.2/ 48598b1670ce releng/13.2-n254657 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRAACgkQbljekB8A +Gu8KwRAAxCnMsCQbp/CZ1O2GYxDTCOt1M5CZaFBD8r3b4xSN1gFB79z3aHAmSX0a +kTGpp5QSbxx1UtA9eZoZTa/wpmMAo1AZ7ry0OK1VuRFtF2D+IM64l07m91HW5ncU +YCsbeQ6wuXHeVlZ/t7eu/X03YltYIuMu/wIzpsPYtMvTB+ZI50nm0pUGaQnH9ZA2 +jMGhLcWQSaHi46pMJ1o2iXWbaFZh4S6fHhNXSEFxaWuQf/o//whSgeqtFnhozfZ4 +vbx0pyF3HrkjPRLwc9QDRNcFnG0F9DCOmiGlAAZD4/XRNOd5PgSvmHxDPrc1UkJO +K8CcU7vIgloKdETS43HhlDhT34/adV1dMpwCLpr9JZ3FmfTtIor1q8w9l0nLohln +VeLUbhaMZAXYqQp5wcDso26n9moD8l/izJZZ0gWu8xsooKmE2DY0t7ASXdcvnSq8 +VKlpZP0DHcdZdeePiCF6XovAvv3fAq5hvIdCccBIJHbFIWEL2Psq9hYqFISb+mFb +gAoX5gyo4S+lWgn33aUCzjYuR0MhelJPRFIndjr5+Dn0AgQniNre7uRt4k97jvT1 +Q9h+f4uyNFafuD5YMqfRhsk8EN93bEc3Bkq47KCYDSTJujd99pYFPE1SzvNAPmNY +CYxqYjkfjklarfellifxvqdKrOWoeOkK4a3Ckd5+4Y8BaaTzWCY= +=LOMD +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc new file mode 100644 index 0000000000..6b40af77f9 --- /dev/null 
+++ b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:02.tty Security Advisory + The FreeBSD Project + +Topic: jail(2) information leak + +Category: core +Module: jail +Announced: 2024-02-14 +Credits: Pawel Jakub Dawidek +Affects: All supported versions of FreeBSD. +Corrected: 2024-02-12 16:25:54 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:46 UTC (releng/14.0, 14.0-RELEASE-p5) + 2024-02-12 16:27:37 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:06:01 UTC (releng/13.2, 13.2-RELEASE-p10) +CVE Name: CVE-2024-25941 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The jail(2) system call allows a system administrator to lock a process +and all of its descendants inside an environment with a very limited +ability to affect the system outside that environment, even for +processes with superuser privileges. It is an extension of, but +far more powerful than, the traditional UNIX chroot(2) system call. + +tty(4) is a general terminal device. + +II. Problem Description + +The jail(2) system call has not limited a visiblity of allocated TTYs +(the kern.ttys sysctl). This gives rise to an information leak about +processes outside the current jail. + +III. Impact + +Attacker can get information about TTYs allocated on the host or in other +jails. Effectively, the information printed by "pstat -t" may be leaked. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch +# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch.asc +# gpg --verify tty.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 215bb03edc54 stable/14-n266676 +releng/14.0/ 4d354159d150 releng/14.0-n265407 +stable/13/ 9bff7ec98354 stable/13-n257418 +releng/13.2/ 17257e6e9a23 releng/13.2-n254658 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRMACgkQbljekB8A +Gu8C7hAAxXasfu+Xn3+voOk5pJvFJd6jWA1ZCvR83YnIqAGibiWvNaMdsdfe4k6x +eEoaQ6maYYu/wjXMZ0HbapTuJPRxwrcG7i2mZ52vSm9glSZO87Lw3oWVIV7eRPpN +pFJtR5bUXns1/dWQgcgFMc/4nNk7NO6gamuK/uwfrDF0aQsYif5pX5DmhkOD/CnQ +CjPWhv6FT94qzUiQrZLSWjCIe/rhNbmbLkhyck4MZP+1aILxsb+BHSaEeBzej2+S +8WisLPKlTwNgpA+DN+sLn28gR1+0Vd5rAv7gvcbWHE3VNvq0ABTwRoZFA4SzHEhL +BNkwMJnMJyR7qj1jWCmfrHptIPpSXtNIvh70yts5/+9nPBDkAYV9U+nJYQTZ40+U +Mn1OfN4ioRfB7bOjVA4J6Ncws4M2ttcOEyk+d8Egd5/7njOGC1sqX0F4FXAtioZF +JATTBd09J9TTZvX5xz6JdK8ZHKc+xtxYiBYg4WQTyVcPg38ONpYarSIQ6XYnNSyP +0Cv1ih5DpxzdEBA+Pu4+dJmZSlyNOJXpmlPKgyiUX0Z085ZqHTMvAXQQS/M7MXai +06d2YnZx4XfGoAhCXZKyvE6J6btiy+t8QNx14tEdtD/ktzAmB3EYHOuuPEFoS44Y +8tafKE9ps5AgWtqXvK7H5NKMwtb9Ry60WSAFfgn0LoFmw8UyBjg= +=HQVb +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:01/tzdata-2024a.patch b/website/static/security/patches/EN-24:01/tzdata-2024a.patch new file mode 100644 index 0000000000..a6ce7c687d --- /dev/null +++ b/website/static/security/patches/EN-24:01/tzdata-2024a.patch @@ -0,0 +1,2927 @@ +--- contrib/tzdata/Makefile.orig ++++ contrib/tzdata/Makefile +@@ -1,7 +1,25 @@ + # Make and install tzdb code and data. +- + # This file is in the public domain, so clarified as of + # 2009-05-17 by Arthur David Olson. ++# Request POSIX conformance; this must be the first non-comment line. ++.POSIX: ++# On older platforms you may need to scrounge for a POSIX-conforming 'make'. ++# For example, on Solaris 10 (2005), use /usr/sfw/bin/gmake or *** 3601 LINES SKIPPED ***
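Review bot: In the FreeBSD-SA-24:01.bhyveload advisory text, the utility name is misspelled twice: the header has "Module: bhyeload" and section III says "the user running bhyhveload(8)". Both should read "bhyveload", matching the Topic line and the rest of the advisory. Because the file is a PGP clearsigned message, the spelling has to be corrected in the source text and the advisory re-signed; editing the .asc in place would invalidate the signature. Also worth confirming that the parenthetical in "Credits: The water cooler. (Note, this is the requested credit)" is meant to appear in the published advisory, since it reads like an internal remark.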
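Review bot: In the FreeBSD-SA-24:02.tty advisory, section II has a typo and awkward wording in "The jail(2) system call has not limited a visiblity of allocated TTYs", and section III drops the article in "Attacker can get information". Suggest "did not limit the visibility of allocated TTYs (the kern.ttys sysctl)" and "An attacker can get information ...". Section II also describes the leak as being "about processes outside the current jail", while section III describes it as information about TTYs as printed by "pstat -t"; one sentence tying the two together would make the scope clearer to readers. As this is a clearsigned file, the wording needs to be fixed before signing rather than patched into the .asc afterwards.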