Date: Thu, 28 Mar 2024 07:20:26 GMT
Message-Id: <202403280720.42S7KQZ3028387@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: 08fecaeaba - main - Add EN-24:05 through EN-24:08, SA-24:03.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 08fecaeabaa47379154afa3f8fd71c46b2371e80
Auto-Submitted: auto-generated

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=08fecaeabaa47379154afa3f8fd71c46b2371e80

commit 08fecaeabaa47379154afa3f8fd71c46b2371e80
Author:     Gordon Tetlow
AuthorDate: 2024-03-28 07:20:00 +0000
Commit:     Gordon Tetlow
CommitDate: 2024-03-28 07:20:00 +0000

    Add EN-24:05 through EN-24:08, SA-24:03.

    Approved by: so
---
 website/data/security/advisories.toml | 4 +
 website/data/security/errata.toml | 16 +
 .../security/advisories/FreeBSD-EN-24:05.tty.asc | 132 +
 .../advisories/FreeBSD-EN-24:06.wireguard.asc | 138 +
 .../security/advisories/FreeBSD-EN-24:07.clang.asc | 127 +
 .../advisories/FreeBSD-EN-24:08.kerberos.asc | 127 +
 .../advisories/FreeBSD-SA-24:03.unbound.asc | 147 +
 website/static/security/patches/EN-24:05/tty.patch | 23 +
 .../static/security/patches/EN-24:05/tty.patch.asc | 16 +
 .../security/patches/EN-24:06/wireguard.patch | 40 +
 .../security/patches/EN-24:06/wireguard.patch.asc | 16 +
 .../static/security/patches/EN-24:07/clang.patch | 25 +
 .../security/patches/EN-24:07/clang.patch.asc | 16 +
 .../security/patches/EN-24:08/kerberos.patch | 203 +
 .../security/patches/EN-24:08/kerberos.patch.asc | 16 +
 .../security/patches/SA-24:03/unbound-13.patch | 24911 +++++++++++++++++++
 .../security/patches/SA-24:03/unbound-13.patch.asc | 16 +
 .../security/patches/SA-24:03/unbound-14.patch |
24911 +++++++++++++++++++ .../security/patches/SA-24:03/unbound-14.patch.asc | 16 + 19 files changed, 50900 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 15f9a96938..d2a4603d5f 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,10 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-24:03.unbound" +date = "2024-03-28" + [[advisories]] name = "FreeBSD-SA-24:02.tty" date = "2024-02-14" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index c292820014..50d0a89e3a 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,22 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-24:08.kerberos" +date = "2024-03-28" + +[[notices]] +name = "FreeBSD-EN-24:07.clang" +date = "2024-03-28" + +[[notices]] +name = "FreeBSD-EN-24:06.wireguard" +date = "2024-03-28" + +[[notices]] +name = "FreeBSD-EN-24:05.tty" +date = "2024-03-28" + [[notices]] name = "FreeBSD-EN-24:04.ip" date = "2024-02-14" diff --git a/website/static/security/advisories/FreeBSD-EN-24:05.tty.asc b/website/static/security/advisories/FreeBSD-EN-24:05.tty.asc new file mode 100644 index 0000000000..979d0c2c5f --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:05.tty.asc 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:05.tty Erratum Notice + The FreeBSD Project + +Topic: TTY Kernel Panic + +Category: core +Module: kernel +Announced: 2024-03-28 +Affects: FreeBSD 13.2 and FreeBSD 14.0 +Corrected: 2024-02-29 00:29:13 UTC (stable/14, 14.0-STABLE) + 2024-03-28 05:06:21 UTC (releng/14.0, 14.0-RELEASE-p6) + 2024-02-29 00:30:12 UTC (stable/13, 13.2-STABLE) + 2024-03-28 05:07:53 UTC (releng/13.2, 13.2-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +tty(4) is the general terminal device. The kern.ttys sysctl provides tty +information for tools such as `pstat -t`. + +FreeBSD-SA-24:02.tty addressed an information leak about outside processes +from within a jail. + +II. Problem Description + +A missing check resulted in a null pointer dereference if a tty had a session +associated, but no session leader. + +III. Impact + +Under certain conditions an unprivileged user could provoke a kernel panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an erratum update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:05/tty.patch +# fetch https://security.FreeBSD.org/patches/EN-24:05/tty.patch.asc +# gpg --verify tty.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 8d22744f5be1 stable/14-n266915 +releng/14.0/ a3ec3054762f releng/14.0-n265411 +stable/13/ a60220bbb551 stable/13-n257543 +releng/13.2/ f3195cc08ccc releng/13.2-n254662 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGaEACgkQbljekB8A +Gu8NTw//Rqyq8heDUZZyz0TKMs/ObZY9h7VbL3Pces9mpnE6mgZx9g1kalo1xml3 +x0kRIJ0L606oBxhrJYqam3DrcJsPWs/8LOmmUa9u4/M2sAPuw03pyPEYNnokhf05 +NvC6mjNCpuJY4jzoa1hYdjvUHJe6u66reEoWuARPxoT6ZGPLiVhYPmoYIJFtoEAy +tLEIH4GRjfRuOEgSDY7sIy5MoxjObBqPQl4VtbCSZDN/PN4z6WuxC/f2N0vpN1uq +IyDGWCvEOa6g+7kDEiBJo4LRp30mQtMJalfQUlLm653Do2Jh6L5tUuQ+T0qIOlqc +gTlKnnaa0m/hMUD9t4lJHQbLfGFaYpXbyJpblO8hPoM7Trk2vsoGubksMYZSRHIy +/9IiZafdnNoHxa5+ZTRSqxYw9e38gwTlWsNjQpCezhtaZo0FWkhcgC7zUG+yMUXz +zYhYXCQkZXpEvIg+BJs3ZdigGK7wRjC9qsC8jfnhOU+q452qqnKjg8bxJdGxBbZ0 +HKFfAVgtqAEgU3PzPN7Nmu4QJ+VOu9L/e1mOhrqcmHtYDYLfdelCT8DjHj85oggn +C5iDPG6AxnLczTlTxVsHTiQcmTy6awfeTf1N1JCbfZPovrO/CTaOLnMy/PNeZIml +UnarxLtQNeK6BDKd0E/rEym9wL0YJ1Xj/3XE1qPAjz52YufRHHM= +=w167 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:06.wireguard.asc b/website/static/security/advisories/FreeBSD-EN-24:06.wireguard.asc new file mode 100644 index 0000000000..a7c7fb1c09 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:06.wireguard.asc 
@@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:06.wireguard Errata Notice + The FreeBSD Project + +Topic: Insufficient barriers in WireGuard if_wg(4) + +Category: core +Module: if_wg +Announced: 2024-03-28 +Affects: All supported versions of FreeBSD. +Corrected: 2024-03-22 15:21:39 UTC (stable/14, 14.0-STABLE) + 2024-03-28 05:06:22 UTC (releng/14.0, 14.0-RELEASE-p6) + 2024-03-22 15:21:42 UTC (stable/13, 13.3-STABLE) + 2024-03-28 07:14:19 UTC (releng/13.3, 13.3-RELEASE-p1) + 2024-03-28 05:07:54 UTC (releng/13.2, 13.2-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +if_wg is the kernel module that implements WireGuard tunnels between two +endpoints. When packets arrive from the tunnel or are sent over the tunnel, +they are decrypted or encrypted in a separate thread from the one that delivers +the packet to its final destination. + +II. Problem Description + +Insufficient barriers between the encrypt/decrypt threads and the delivery +threads may result in the wrong part of an mbuf chain being read and sent along +through the network stack on architectures with a weaker memory model, e.g., +aarch64, under certain workloads. + +III. Impact + +The part of the mbuf chain being sent along may contain some invalid state that +causes a later fault and panic. + +IV. Workaround + +No workaround is available, but X86 platforms (that is, i386 and amd64) are +not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot or reload the +if_wg kernel module. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD arm64 platform can be updated +via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +After the updates have installed, you will need to reboot the system or reload +the if_wg kernel module. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch +# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch.asc +# gpg --verify wireguard.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system or reload the if_wg kernel module. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 590e02d3c088 stable/14-2576116 +releng/14.0/ 56be7cd84447 releng/14.0-n265412 +stable/13/ 806e51f81dba stable/13-n257611 +releng/13.3/ f07351f90aa3 releng/13.3-n257429 +releng/13.2/ 8f1f4e60ceb9 releng/13.2-n254663 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGagACgkQbljekB8A +Gu/p2g//cupzJnkQB/sXm0EWroHjy/I6X6gbZlDpHZFbetGx8niyCH/xK3FMySuq +q1XGKpXqQKBR3R+VmTNs+Tfd0DbFK8nwStPHXnewKZJ+Qddah27Y3zEuj9+vmmmq +rzgJNDNv53eZj0c2ExIWVSfjn1faiE4ctVUOROtvxvxr9RtFpatGTzT5i/wgoNnj +gyO/VoFIn3C4ya8F/7EMicnEdQuXW55Ds+3ub9MO4DcXDds3QLWnYIVYfnvnBNV4 +YX7N+yynBxGOwD1Isbee6dCFTslsOgqV8WGkN4hMXvikPGvD+lXwCpDftfJCEFbR +xDUzf+M/6eBDgTztMmg7bTQO53Dp1iv5nd6Sw71rqS6tCwJ4BoxHV8Cx31yBbPRq +S2JsUjT0UsH5Cdvq8Ky5vMPSuSa/n8Ma/CeNtAQ0wvMw9WXkDGOZQSfBuEvJIItB +WQyfpBgrWjUZ3fMX7URPc5hca04y/bLyBV+gRfRqVy2nc4T4AwplWYOvBb5f8EXs +2+Jq1Bh3PQTBM4ZdXJtGmBct7ciZn3tZSrAt8c2sNLV5tUfVhWgNTYmcj5ffpPGh +r6D9m++Oq4ZORrFpydDfgv/0qXJQrp/9nFVxv8TdhwHBOkdYWP9mJpIUJxVxwfYp +jlFBr6yZWp4bWsGGgdtQqQ5+gKo8B25aQ52IE22weZsFxxaYn24= +=oKHT +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:07.clang.asc b/website/static/security/advisories/FreeBSD-EN-24:07.clang.asc new file mode 100644 index 0000000000..eeaceee0b4 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:07.clang.asc 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:07.clang Errata Notice + The FreeBSD Project + +Topic: Clang crash when certain optimization is enabled + +Category: contrib +Module: clang +Announced: 2024-03-28 +Affects: FreeBSD 14.0 and FreeBSD 13.3 +Corrected: 2024-03-08 08:19:28 UTC (stable/14, 14.0-STABLE) + 2024-03-28 05:06:23 UTC (releng/14.0, 14.0-RELEASE-p6) + 2024-03-08 08:19:49 UTC (stable/13, 13.3-STABLE) + 2024-03-28 07:14:20 UTC (releng/13.3, 13.3-RELEASE-p1) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +FreeBSD includes the Clang C/C++ compiler in the base system. FreeBSD 14.0 +and FreeBSD 13.3 include Clang version 17. + +II. Problem Description + +Clang 17 has a bug that results in a crash under certain circumstances. + +III. Impact + +The compiler crashes instead of generating an object file. + +IV. Workaround + +Avoid use of -fzero-call-used-regs, or install a version of Clang other than +17 from ports or packages. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch https://security.FreeBSD.org/patches/EN-24:07/clang.patch +# fetch https://security.FreeBSD.org/patches/EN-24:07/clang.patch.asc +# gpg --verify clang.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ fc31d474c40a stable/14-n266942 +releng/14.0/ 711422d54795 releng/14.0-n265413 +stable/13/ 961271f952fc stable/13-n257558 +releng/13.3/ 26059a4f2c14 releng/13.3-n257430 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGaoACgkQbljekB8A +Gu/y4RAAqXAE1WeZIk1tYMnlgqcw1SM5ojKvzK2iZegpPND0Yov7gzkwmNYNqCGY +GLEKVJcVqS5hagCowAZkptq0dh8JtHusBVWq53IZdI5RB81xQOa2yYp+87GkVacn +j8UnnbmAbb0rfMQyzVbMc5Kv3fkeAkZYZxiKmm+2iKt1cFHXv8yU4DIsTkxLAOUM +AlextCl+SO6NLyZ6+64XkArc9ekcrrTs4QpKhZwHcBWNOogDzvFxCokObVGM98cb +AN9pS09BTquuN5Yq5kXgFVzp8KLM0uruFKuEy+yNTCFJMMix1/9hj84yA2STm1iu +AGd0lp8N7JXfnGKdktBZ4YeOL7GRTTgrInixJ3KbzjFbwmwrgQSzBC1neZqjPbAf +iomKNIo23wsaMpjDh+RBBIOpDZnfPOO+imWh6A4ErdObMWyNw3+2MqUSHgMI9STO +qqWIAHvQQwlB0lZAYvh6/iHntfLfIa3vdUH+g7kl8d5xzZlV18HkqsF6LtzbXbE5 +tJ6QxtqlZjLa7eq/7qyg5bQFk7eJ0bhN7al+P5FOjezJo/tCFOIStWaFgTWntNep +FkysAdgJUnkMreaccWT3YrIKKKyjBUVYvh1UWf6GudSdPs9ZPzsAR3X1RmixGO6H +Y5EjL5hvuaNdqM3RiCF2/Vm/sVwF8KkEJs1rDbFFhM1HKCt9000= +=lTOH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:08.kerberos.asc b/website/static/security/advisories/FreeBSD-EN-24:08.kerberos.asc new file mode 100644 index 0000000000..32ac450b39 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:08.kerberos.asc 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:08.kerberos Errata Notice + The FreeBSD Project + +Topic: Kerberos segfaults when using weak crypto + +Category: contrib +Module: heimdal +Announced: 2024-03-28 +Affects: FreeBSD 14.0 +Corrected: 2024-01-22 15:49:24 UTC (stable/14, 14.0-STABLE) + 2024-03-28 05:06:25 UTC (releng/14.0, 14.0-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +FreeBSD includes Heimdal, an implementation of ASN.1/DER, PKIX, and Kerberos. +It uses OpenSSL to provide a number of cryptographic routines. + +II. Problem Description + +Weak crypto is provided by the openssl "legacy" provider which is not loaded +by default. + +III. Impact + +Attempting to use weak crypto routines when the legacy provider is not loaded +results in the application crashing. + +IV. Workaround + +Edit /etc/ssl/openssl.cnf to load the legacy provider unconditionally. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch +# fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch.asc +# gpg --verify kerberos.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ c7db2e15e404 stable/14-n266467 +releng/14.0/ c48fe39ad139 releng/14.0-n265415 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGawACgkQbljekB8A +Gu9Euw/+LX8qcrGUvA11MNOVemD+SEH/Ol97L4gLHhzGlWSf3VMq5F1KtY0VRwGK +ykM3VsSAk3PoYHLn+jbHPuAMjJVym+MLg27ZZWlqnx2Z7/wk2KuAb9RVCUl4FnPy +eTXzBNt3tCSYa2ZCRWEH+uN6dZh4o8VP0DWfrNdaazH7R7ezRmTzirvcQ39MXTcE +8wI+zQedVZG4OSuqOSFY21d70nlzqgs6ThY3K6KrtcaQGfenYBSQgFmjMJlBqtrb +Mr1Yvgc+wE66Ara/Hz+/2L11bwjyFwT1dpO57DKrcyTaGTnSYiDQiDscUIAW0gCh +bUMCgWCHq+kk7pAyUIMlRbdrA/6N/wmvwP/iO6GGxYmN0lNX8udxeZWz3OPPnbif +anM5OGnvKFkkTzCqnpHumljolvJL0/VeD7XCNBBgWa1I46gFmmNZ7R2esm7UEdU8 +IR4Hk9EqGhfl+EwU7OW04/Hq3br667kXbVsq1TTVM4ht39K+WhVoxzirp7QzOGTJ +WjRq6DK+44PyhQgnnAJgM/4gOGr5O/Y3ezRx4uj1S9L9faXTC5xlT8Vw78xU2wXq +BjG7vXi5r9d4POjtRcNiaMVKXQPF/saGjHcPGrGnuBLC8AFG54bFycmvM5QzWqng +AeRFOg+O8lkxLoQMDqJsNt8OMIk7vZHguwL7pt0tRtouuoaszU0= +=UnED +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:03.unbound.asc b/website/static/security/advisories/FreeBSD-SA-24:03.unbound.asc new file mode 100644 index 0000000000..6873ea8d0d --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:03.unbound.asc 
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:03.unbound Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in unbound + +Category: contrib +Module: unbound +Announced: 2024-03-28 +Affects: FreeBSD 13.2 and FreeBSD 14.0 +Corrected: 2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE) + 2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6) + 2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE) + 2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11) +CVE Name: CVE-2023-50387, CVE-2023-50868 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +Unbound is a validating, recursive, and caching DNS resolver. + +II. Problem Description + +The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of Keys +(also colliding Keys), Signatures and number of RRSETs on a malicious zone. +Answers from that zone can force a DNSSEC validator down a very CPU intensive +and time costly validation path. + +The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on a +malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a +very CPU intensive and time costly NSEC3 hash calculation path. + + +III. Impact + +Both issues can force Unbound to spend an enormous time (comparative to regular +traffic) validating a single specially crafted DNSSEC response while everything +else is on hold for that thread. A trivially orchestrated attack could render +all threads busy with such responses leading to denial of service. + +IV. Workaround + +No workaround is available. Systems not running Unbound are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.0] +# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch +# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc +# gpg --verify unbound-14.patch.asc + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch +# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc +# gpg --verify unbound-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch -p0 < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ e2b44c401cc2 stable/14-n266696 +releng/14.0/ c189b94f8a22 releng/14.0-n265416 +stable/13/ abe4ced2b9de stable/13-n257436 +releng/13.2/ d9d90e5e42f6 releng/13.2-n254664 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGa4ACgkQbljekB8A +Gu8Oxw/9HrzGZVx0FsUb8dhvf6Hlcfy3B0RNjxcnvvBm+P/V0+WSEaFTod9YaonO +GN331SXI1blvqfCpOz2TLiOvHjWDPCcb8bb9YqQXRId4axnpxCCzIY0HkxgXFNDu +XgXwM4JYapmWis/pOxifRXnB087lwbkfVx/0iOTeA0XUFoRRIbooiL/6H76hOmq7 +XR5moI8xYyAX5Xh+5/6yZgd+A+0n/KfQnOEpA7Ex9MWC17co+RGOP1JUZYIFHhAc +W/vNuL23UWqR1TjMgVWTHEvVBTrUPEiDfp2Z1LiQexH9IaQ4cePu7qrWlzAo7rr6 +6Cf3DybH9IxALQQSSKq1JWNqQFOWvpXCy5JKBua+Z7kcFHR5tmAgolqGLGJ629Ko +GNwsSUTZ8SzwupJ93boMaD4jF2t+zOXvBvceYywZEEvd2gq2zkfMV6WJwtUUOvdm +z7Z7AejUFONrQyYps4rcKCthnQOLHtzcPUQom68KpUACsdOr1hkA0VOCf5HRrEe6 +DpwM9PX1T3eiHSq1eZj2MMkz+Cw/DJK+wegkULRxg2ZOmWKA2U8df+Qj1RYpX4QT +JrPSHh4EqovfrB5H0uUgfLWBgAzGBLEeFKAMA+omlEaELyNzvG/4xv8eJVtjTG+D +EEQCXVTJmws/ZFDC2vJhVR6vdAwMuPz8YkBtcQkqnNcF+zzbcEk= +=PELN +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:05/tty.patch b/website/static/security/patches/EN-24:05/tty.patch new file mode 100644 index 0000000000..8499da5c00 --- /dev/null 
+++ b/website/static/security/patches/EN-24:05/tty.patch @@ -0,0 +1,23 @@ +--- sys/kern/tty.c.orig ++++ sys/kern/tty.c +@@ -1312,7 +1312,8 @@ + struct xtty *xtlist, *xt; + struct tty *tp; + struct proc *p; +- int cansee, error; ++ int error; ++ bool cansee; + + sx_slock(&tty_list_sx); + lsize = tty_list_count * sizeof(struct xtty); +@@ -1325,8 +1326,8 @@ + + TAILQ_FOREACH(tp, &tty_list, t_list) { + tty_lock(tp); +- if (tp->t_session != NULL) { +- p = tp->t_session->s_leader; ++ if (tp->t_session != NULL && ++ (p = atomic_load_ptr(&tp->t_session->s_leader)) != NULL) { + PROC_LOCK(p); + cansee = (p_cansee(td, p) == 0); + PROC_UNLOCK(p); diff --git a/website/static/security/patches/EN-24:05/tty.patch.asc b/website/static/security/patches/EN-24:05/tty.patch.asc new file mode 100644 index 0000000000..02b14fbbcb --- /dev/null +++ b/website/static/security/patches/EN-24:05/tty.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGacACgkQbljekB8A +Gu/pQxAA4CSM2nWX56Ajxbg37GqmL3I72ePFiC5qZa5/JbjqowQP82PfWOd4chRC +0qy3RFy9WN2+fS8md7blvLqqj1OiM9S6FrfQLJEaBlovZ4w4VH763Za3mr1zrrvc +LF4Jz6KAwOhv6Zm8ROaywjHhOsNHci81pzcdTEQoKJnML85IiGdelaMwdbgN02fo +f7muMsHsLV+BMQXAx//2UZqWZ/d11LmqlSjYWy3JYdasy+mA4Arwy3Qoyq1WyQzo +qeBQO1V78VyG5+5trbe7YvjhsOqQUbf3ctACvVtQ4XIufXnPskPNFb/0bmDOYwkG +e+7GMKNvnzIwa7bpFCM6B/8iqN6Mye7Nn0jiCjThH481NsbjdSnab6YbnmSYtgo9 +2Fn2u7hWDCagZgwCkEzLPUWzDR8yoiibFhsMrsnxrZZMzNT+AWP1HMo5JlArWeQf +TveQwUfpMYdHGHPcrKCACv3w1RVEVzAKfOjDy/NgtYKSpOt4Wi7FGTzWvCkHPA2M +CXYLi/0hWWbEJ7ZhybZilOvb+wy/8iK7mcoqYBmLGYM9Ne8quGtHfLS7FbuRaiXL +ZXD1if338wxZj+iekZQxdqG+MB0TrNbGn50jekiv+laQ1mQBhjYcpgd3E6/uYVvZ +TXsWzDPBjKXxKtIuw0UYtimQYg4oBwzNPVtKIZSRcSClDuv138Q= +=ZBRs +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:06/wireguard.patch b/website/static/security/patches/EN-24:06/wireguard.patch new file mode 100644 index 0000000000..c736ef8ee0 --- /dev/null 
+++ b/website/static/security/patches/EN-24:06/wireguard.patch @@ -0,0 +1,40 @@ +--- sys/dev/wg/if_wg.c.orig ++++ sys/dev/wg/if_wg.c +@@ -1515,8 +1515,7 @@ + state = WG_PACKET_CRYPTED; + out: + pkt->p_mbuf = m; +- wmb(); +- pkt->p_state = state; ++ atomic_store_rel_int(&pkt->p_state, state); + GROUPTASK_ENQUEUE(&peer->p_send); + noise_remote_put(remote); + } +@@ -1588,8 +1587,7 @@ + state = WG_PACKET_CRYPTED; + out: + pkt->p_mbuf = m; +- wmb(); +- pkt->p_state = state; ++ atomic_store_rel_int(&pkt->p_state, state); + GROUPTASK_ENQUEUE(&peer->p_recv); + noise_remote_put(remote); + } +@@ -1645,7 +1643,7 @@ + wg_peer_get_endpoint(peer, &endpoint); + + while ((pkt = wg_queue_dequeue_serial(&peer->p_encrypt_serial)) != NULL) { +- if (pkt->p_state != WG_PACKET_CRYPTED) ++ if (atomic_load_acq_int(&pkt->p_state) != WG_PACKET_CRYPTED) + goto error; + + m = pkt->p_mbuf; +@@ -1687,7 +1685,7 @@ + struct epoch_tracker et; + + while ((pkt = wg_queue_dequeue_serial(&peer->p_decrypt_serial)) != NULL) { +- if (pkt->p_state != WG_PACKET_CRYPTED) ++ if (atomic_load_acq_int(&pkt->p_state) != WG_PACKET_CRYPTED) + goto error; + + m = pkt->p_mbuf; diff --git a/website/static/security/patches/EN-24:06/wireguard.patch.asc b/website/static/security/patches/EN-24:06/wireguard.patch.asc new file mode 100644 index 0000000000..8d89aa382d --- /dev/null +++ b/website/static/security/patches/EN-24:06/wireguard.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGakACgkQbljekB8A +Gu8yxQ//RsSn/2skiogUdzdv2r/2Ax4jYBMCDOI5QyBorhXEr188pU5iqG070NU3 +WnjD5YjjgIlfmZfHhN+ONwaoG7RuDou6lmCKydzXg1NJawUsUoa3Wwjn5JBwg9LB +5VzSGa3zoQkcKT/mbyTuqUgtsFjRJc130UtnUtOt9HNRTiMMExnTE3XFgrutFv4t +Rlhmw4puKPvNucsjjQWU94ra2eOEQVKqyBEOLO5hABIfz0G4LpLplkeEnW1O43RF +uNCOoFU2vSOovGQX1DpdhNDrQPYX+0BjKZD4SGb+RnXSH3GekxhtKVZu2B7Vx82F +w0kNtxK+6cD91R3JdIRl9Fl/uDI6NoYD4WKzO5dLS2Xon0VpIsQl6R1YNVnYF2nT +wfvBNaLyB4mmu02/9LXQx4NtKf6Fln7bdB1Aie00/nJx/2X2pTJMA+Juc+stMarQ +MNJikdx3ilbVW4Jd5iLGA1yH1VrK4lLdgLUs4XoaS8jp7pFefsElbVBH9SzSJIJn +7EExx16JMynUltN88pe/b79JNjFH33HQBD8ncFh8JXh8wKQCYX+A5fM23QUxwMPO +o3VL//YLuwyU/v+b9xDurkNAgi0tlq+TOgviNFDJbrxQADgdvZmYCZI8H2XViA+M +SAwx5zLRJJAao/78A+n0Q8ixjJ89h5bExdozkXZwqUNsOLUe29o= +=fsNv +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:07/clang.patch b/website/static/security/patches/EN-24:07/clang.patch new file mode 100644 index 0000000000..5ac7e17e7a --- /dev/null +++ b/website/static/security/patches/EN-24:07/clang.patch @@ -0,0 +1,25 @@ +--- contrib/llvm-project/llvm/lib/CodeGen/PrologEpilogInserter.cpp.orig ++++ contrib/llvm-project/llvm/lib/CodeGen/PrologEpilogInserter.cpp +@@ -1285,6 +1285,8 @@ + continue; + + MCRegister Reg = MO.getReg(); ++ if (!Reg) ++ continue; + + // This picks up sibling registers (e.q. %al -> %ah). + for (MCRegUnit Unit : TRI.regunits(Reg)) +@@ -1308,8 +1310,11 @@ + if (!MO.isReg()) + continue; + +- for (const MCPhysReg &Reg : +- TRI.sub_and_superregs_inclusive(MO.getReg())) ++ MCRegister Reg = MO.getReg(); ++ if (!Reg) ++ continue; ++ ++ for (const MCPhysReg Reg : TRI.sub_and_superregs_inclusive(Reg)) + RegsToZero.reset(Reg); + } + } diff --git a/website/static/security/patches/EN-24:07/clang.patch.asc b/website/static/security/patches/EN-24:07/clang.patch.asc new file mode 100644 index 0000000000..957b801ada --- /dev/null 
+++ b/website/static/security/patches/EN-24:07/clang.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGasACgkQbljekB8A +Gu9AWw/+LI09U9VZahOf/j6NPfrneFaDy0SWK5GEQeUausZ8bdotxzwIlu0OC8S0 +1hmpPlaXtINY0xNru5sSsENCFnj0JXyB/CFVXL/gLnCYnYx99ae77jBcDzX86VAV +XcX89hwcqIk9u/a8MHxvIyoRBunqO1617lRxP0ZGZ6CxGLwCk/ys8HFkPavYvfQT +y/h8sbbKp7VDlKEjVwr8uPy1XnO+e5dRLHsinWXp2DM/JPRLi5slcbO9SmPiGyVB +F1Pca5ryAsWJYsnqA6O7aDviBDodrR8EigzkEbYGOlh3QLLHKCmfQRI9i6zMTzKK +G9LvIcodR1w/DQ9S4TwozpXG5zfuvU8vz/BGNtySL5DzZ2zyHHhwC3wWqZZRFVAY +2KggMsXnCo7pVSQWVofQ9zL+w3lUEiJSCiYvbHW9gFqMnv0891zTIbHTfu5ktYeV ++p5vQv6qxhkp9PC/LYGOxHTYRAeZT4BBWG92dqrEivZTPd4LNzLmOn0WlZBOjlfl +Ztdes1BhxmY4+wBgxivvVWoNb15jQjUU9+HBGgF6GhiZRuXw84KzzAjP12FkN0lH +5IH4qbhsMHzD2256rMKGPpvS35DzKoMkWBYgVup/ZnScw0luTEOybHiTswzg3T/c +6Rgj545wxkyRYYw2zIHTmr2pMPQnTUXWETn51WTqk3UsVREFhiY= +=GKxn +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:08/kerberos.patch b/website/static/security/patches/EN-24:08/kerberos.patch new file mode 100644 index 0000000000..adf73729d8 --- /dev/null +++ b/website/static/security/patches/EN-24:08/kerberos.patch @@ -0,0 +1,203 @@ +--- crypto/heimdal/lib/kadm5/create_s.c.orig ++++ crypto/heimdal/lib/kadm5/create_s.c +@@ -169,6 +169,10 @@ + ent.entry.keys.len = 0; + ent.entry.keys.val = NULL; + ++ ret = fbsd_ossl_provider_load(); ++ if (ret) ++ goto out; ++ + ret = _kadm5_set_keys(context, &ent.entry, password); + if (ret) + goto out; +--- crypto/heimdal/lib/kadm5/kadm5_locl.h.orig ++++ crypto/heimdal/lib/kadm5/kadm5_locl.h +@@ -79,5 +79,6 @@ + #include + #include + #include "private.h" ++#include "fbsd_ossl_provider.h" + + #endif /* __KADM5_LOCL_H__ */ +--- crypto/heimdal/lib/krb5/context.c.orig ++++ crypto/heimdal/lib/krb5/context.c +@@ -392,6 +392,10 @@ + } + HEIMDAL_MUTEX_init(p->mutex); + ++ ret = fbsd_ossl_provider_load(); ++ if(ret) *** 50073 LINES SKIPPED ***
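Review bot: in tty.patch (sys/kern/tty.c, hunk at @@ -1325), the new condition reads s_leader with atomic_load_ptr() and tests it for NULL, but nothing visible in the hunk states what keeps p valid between that load and PROC_LOCK(p); the only lock visibly held at that point is tty_lock(tp). A short comment naming the lock or lifetime rule that covers this window, and explaining why s_leader can be NULL while t_session is not, would make the fix maintainable. The assignment buried inside the if condition is also easy to misread; loading into p on its own line before the test would read more clearly.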
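Review bot: in wireguard.patch (sys/dev/wg/if_wg.c), the release stores added at @@ -1515 and @@ -1588 and the acquire loads added at @@ -1645 and @@ -1687 are two halves of one ordering contract, yet no comment records it. A line at the store saying that atomic_store_rel_int() publishes pkt->p_mbuf, and one at the load saying that the acquire is what makes the following m = pkt->p_mbuf safe to read, would stop a later cleanup from turning either side back into a plain access. The declaration of p_state is not part of the patch; since atomic_store_rel_int() and atomic_load_acq_int() operate on u_int, confirm the field's type matches, or change it in the same patch.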
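Review bot: in clang.patch (PrologEpilogInserter.cpp, hunk at @@ -1308), the loop variable in "for (const MCPhysReg Reg : TRI.sub_and_superregs_inclusive(Reg))" shadows the MCRegister Reg declared three lines above it. The range expression is evaluated before the loop variable comes into scope, so it does use the outer Reg, but the body's RegsToZero.reset(Reg) then refers to the inner one, and that is easy to get wrong on a later edit. Renaming the loop variable (for example SReg) removes the ambiguity and avoids a shadowing warning. The hunk at @@ -1285 adds the same "if (!Reg) continue;" guard without a comment; one line saying when an operand has no register would help in both places.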
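Review bot: in kerberos.patch (crypto/heimdal/lib/kadm5/create_s.c, hunk at @@ -169), the result of fbsd_ossl_provider_load() is assigned to ret and passed through "goto out" unchanged, so the caller receives whatever that function returns as if it were a kadm5 error code. The hunk does not show the function's return convention; if it is not already a kadm5 or krb5 error, map it to one before jumping to out, so that a failed provider load is reported as a meaningful error. A one-line comment on why the provider must be loaded before _kadm5_set_keys() would also help, since the dependency is not obvious from this call site.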