From nobody Tue Oct 29 21:33:02 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XdNlf4lQbz5bwws for ; Tue, 29 Oct 2024 21:33:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XdNlf121dz4ZCF; Tue, 29 Oct 2024 21:33:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1730237582; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=HwrI+bpPUfZi/JvpO9jJzY6vhB16ZWf7/y44tVhvFeg=; b=N18qK+M4O/spwP7Vte52wrY2htV9n9OV3Jw9c20h8HDn3kWKHUGOkQ0V+4twUcjCsHRFhg tCELeBFvqfRTWM+ajTVcmaGdyXpuoqlh1OqjY36n8+xeZlnNrRXL4kk8o91ayM26cbJw72 LLlp1xkh68h8q9VhGY+CVdBvjJdYmkZl06mEWS0TvJR8IvWYDD6ujHkBoF+/vtTgjTTq8o inp7hQdHwP46ST22pmB0G4kTMwWSedcSpHddOTivf9K0VghrhkV+96mgPPnM6WCYYzO09F BDL725kUNNZm/dx6WHkn9uUz5eCsUa03B4UI2VpDSgyfk86OWS0E4b/mNsI4ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1730237582; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=HwrI+bpPUfZi/JvpO9jJzY6vhB16ZWf7/y44tVhvFeg=; b=H5mfz1AvHRCp2cKsYkVKx3QxlwhVsZUXoEB3jiLDXgKvRifBCfuODi2rRv1JDVpJesDDDu Ly3WYZeQa4jVZN+f+cQK9MwEnvEqfizZnckaZ1WRTGNVFz/I0gdNmetrxy9NCy5zRbI6We xU9mhFiDOOuo0fa9swA0q+dNvfXWKFufxBXlHuMJKihoMr4v2mz7Ukk/x9nr6XirBn9gHE jfrWuDeS2sr7lysmE9f3qCPndtjXJwokZNrbVWamNBMBLGqGZ4feYIwj/OsGoxx7gthyS9 gYAOCvpqfqeV3WRuLP0OrOqmIZbbk4hTZ+AhKA+KfHwO/f2CWgpL4c5T5IntCA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1730237582; a=rsa-sha256; cv=none; b=tBHJvuyHvmA/P/l9GdKXgcYQGJMunpdKyZw2IE2qxZxs3riQnJ8Vv//WJ3fu3FkLO4/byp v3u85uY3aw7vWXxWp+0WS8YgTb9atnrCJsTD0KTCeMkNN1kQhIcHfkkcJNMGNZg8g3nHzi 6FnJIOWIW3aYBJcMNtweKTdpNuzfFyyuas9rbHDFM8mfn67dl9677A40JmeEPehAU5i2fN Rp7ykX6YNqZS7WSxy9idX6M3kQsw4EANjk+/Vfm6KykhPUGw4o7zYknMp9+fo9X4UxoR/u mCgjJqB1VVTMrZzIAs1pcgLbTszBW8pdP/wmsM/SX7mEWWGkgfcPUm4MQRj4DQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 17AA09298; Tue, 29 Oct 2024 21:33:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:19.fetch Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20241029213302.17AA09298@freefall.freebsd.org> Date: Tue, 29 Oct 2024 21:33:02 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:19.fetch Security Advisory The FreeBSD Project Topic: Certificate revocation list fetch(1) option fails Category: core Module: fetch Announced: 2024-10-29 Credits: Franco Fichtner Affects: All supported versions of FreeBSD. Corrected: 2024-10-09 11:49:32 UTC (stable/14, 14.1-STABLE) 2024-10-29 18:57:00 UTC (releng/14.1, 14.1-RELEASE-p6) 2024-10-09 11:50:06 UTC (stable/13, 13.4-STABLE) 2024-10-29 18:57:13 UTC (releng/13.4, 13.4-RELEASE-p2) 2024-10-29 18:57:30 UTC (releng/13.3, 13.3-RELEASE-p8) CVE Name: CVE-2024-45289 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Fetch is utility used to retrieve file(s) from URL(s) specified on the command line. It supports a --crl option to specify a certificate revocation list which contains peer certificates which have been revoked. II. Problem Description The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option. III. Impact Fetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option. IV. Workaround The certificate revocation list file can be specified by the SSL_CRL_FILE fetch(3) environment variable rather than using the --crl option to fetch(1). V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch # fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch.asc # gpg --verify fetch.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 51676e0a3bd3 stable/14-n269041 releng/14.1/ 0e8bf366e6c5 releng/14.1-n267725 stable/13/ 484724578422 stable/13-n258502 releng/13.4/ 51f6c450d991 releng/13.4-n258267 releng/13.3/ 9f1314a30b4a releng/13.3-n257477 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCkACgkQbljekB8A Gu/0RQ//fm2B2XPZPiGADBhuNeC8NsVwFqzNh/Nrxj2bUCel44kU4yGRZ0jADOD+ URW+0LDs+rOhIV2cw6fZDUwN+/dblFjZiKpQHJF42A1M90hNRfPArbCh6X2h8EAq C4Kr6M6tUByfMX2Hf0aj/QNVrar/hirNhM8ZwDXVMxDj+aBSHSUqZCzfgeTy4/nn 9DJKOaxJ6WKE9OmAEUhSNoPF6AP+ZzU0aOQCs9tUn+OqKDTxLwn0vXSTPaPw4FcR YYYIeiIKpqLhZxPhDnLh/Z/J4AleXPLZeL8VFKemopYk5Fi6HOG/f8UjC/GYoFp/ eHlEY7H1/aRUYJ6FWm4p/cGfxdJOWmkcJax6VQwBNKX23bEzQh9+4RlnE5cPbAio w4XeQybgitic/NeKhI8Jt/aFnVQah2i+O/PQRFCsDDVJGqRnjVw7+6Zvl4zEDoTP Xx96PXGCW3UZyNgqDo2jgZman1P5GLKtZg6FmGKlc/IrqijVnWfh06fI5nZ7Bo1z b8DiCGSQ/W2cL+d2ILj0illAU9g7JO3MDJOl/lchSUTg4XLUI+G201HaR9wRxSo0 SXYq23CG4Nll6b8tdC6EEnOoc4RgyQIJv+N/oML8enJ15x7teXG+JlWIf0rM2qkf Bxn8hBawdfshzuIkLf2X0J6rm8MBj/s9O3j87oD1C37dqp+E4Uo= =CEwj -----END PGP SIGNATURE-----