From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:12.msdosfs
Reply-To: freebsd-security@freebsd.org
Message-Id: <20231003230359.9F450133C0@freefall.freebsd.org>
Date: Tue, 3 Oct 2023 23:03:59 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-23:12.msdosfs                                    Security Advisory
                                                          The FreeBSD Project

Topic:          msdosfs data disclosure

Category:       core
Module:         msdosfs (FAT) file system driver
Announced:      2023-10-03
Credits:        Maxim Suhanov
Affects:        All supported versions of FreeBSD.
Corrected:      2023-07-18 05:46:13 UTC (stable/13, 13.2-STABLE)
                2023-10-03 21:23:40 UTC (releng/13.2, 13.2-RELEASE-p4)
                2023-09-11 18:51:21 UTC (stable/12, 12.4-STABLE)
                2023-10-03 22:15:40 UTC (releng/12.4, 12.4-RELEASE-p6)
CVE Name:       CVE-2023-5368

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The msdosfs driver provides read and write access to MS-DOS (FAT) file
systems.  Systems may be configured to allow unprivileged users to have
read and write access to mounted msdosfs file systems.

II.  Problem Description

In certain cases using the truncate or ftruncate system call to extend a
file size populates the additional space in the file with unallocated
data from the underlying disk device, rather than zero bytes.

III. Impact

A user with write access to files on an msdosfs file system may be able
to read unintended data (for example, from a previously deleted file).

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.13.2.patch.asc
# gpg --verify msdosfs.13.2.patch.asc

[FreeBSD 12.4]
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.12.4.patch
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.12.4.patch.asc
# gpg --verify msdosfs.12.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              868f3eadc5e0    stable/13-n255824
releng/13.2/                            7d08a7e6908b  releng/13.2-n254635
stable/12/                                                        r373207
releng/12.4/                                                      r373233
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
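The following is an added regression check written for the msdosfs issue above; it is not part of the advisory or of FreeBSD. It writes a marker pattern, extends the file with ftruncate(2) as the problem description says, and counts non-zero bytes in the newly added region, which a correctly behaving file system must zero-fill. The scratch path and sizes are assumptions; point it at a test msdosfs mount after applying the fix.

```c
/* Added example, not FreeBSD code: verify that extending a file with
 * ftruncate(2) yields zero bytes rather than stale device data.
 * The default path and the sizes are assumptions for this check. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path`, write `initial` bytes of a 0xA5 marker, extend the file
 * to `extended` bytes with ftruncate(2) and read the extension back.
 * Returns 0 when every byte past the old end is zero, the number of
 * non-zero bytes found otherwise, and -1 if a system call fails. */
long check_zero_fill(const char *path, size_t initial, size_t extended)
{
    if (extended <= initial)
        return -1;

    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;

    /* A recognisable pattern: leaked data cannot be mistaken for our own. */
    unsigned char *pattern = malloc(initial);
    if (pattern == NULL) { close(fd); return -1; }
    memset(pattern, 0xA5, initial);
    ssize_t w = write(fd, pattern, initial);
    free(pattern);
    if (w != (ssize_t)initial) { close(fd); return -1; }

    /* Extend past the current end; the file system must zero-fill. */
    if (ftruncate(fd, (off_t)extended) != 0) { close(fd); return -1; }

    size_t tail = extended - initial;
    unsigned char *buf = malloc(tail);
    if (buf == NULL) { close(fd); return -1; }
    ssize_t r = pread(fd, buf, tail, (off_t)initial);
    if (r != (ssize_t)tail) { free(buf); close(fd); return -1; }

    long nonzero = 0;
    for (size_t i = 0; i < tail; i++)
        if (buf[i] != 0)
            nonzero++;

    free(buf);
    close(fd);
    unlink(path);
    return nonzero;
}

int main(int argc, char **argv)
{
    /* Assumed default scratch path; pass a path on an msdosfs mount. */
    const char *path = argc > 1 ? argv[1] : "/tmp/zerofill-check.bin";
    /* 4 KiB of marker, then grow by 64 KiB so the extension spans
     * several FAT clusters rather than just the tail of one. */
    long result = check_zero_fill(path, 4096, 4096 + 64 * 1024);
    if (result < 0) {
        perror("check_zero_fill");
        return 2;
    }
    printf("%ld non-zero bytes in the extended region\n", result);
    return result == 0 ? 0 : 1;
}
```

A non-zero count on an unpatched kernel is the disclosure the advisory describes; on a corrected kernel the count is 0.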
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:13.capsicum
Reply-To: freebsd-security@freebsd.org
Message-Id: <20231003230405.254E513336@freefall.freebsd.org>
Date: Tue, 3 Oct 2023 23:04:05 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-23:13.capsicum                                   Security Advisory
                                                          The FreeBSD Project

Topic:          copy_file_range insufficient capability rights check

Category:       core
Module:         capsicum
Announced:      2023-10-03
Credits:        David Chisnall
Affects:        FreeBSD 13.2
Corrected:      2023-10-02 16:00:27 UTC (stable/13, 13.2-STABLE)
                2023-10-03 21:24:41 UTC (releng/13.2, 13.2-RELEASE-p4)
CVE Name:       CVE-2023-5369

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Capsicum is a lightweight OS capability and sandbox framework.  It
provides two kernel primitives, capability mode and capabilities.
Capabilities limit operations that can be performed on file descriptors.

copy_file_range is a system call that performs a kernel copy of a byte
range from one file to another or within one file.  copy_file_range
accepts optional pointers to offsets for the input and output file
descriptors.

II.  Problem Description

The syscall checked only for the CAP_READ and CAP_WRITE capabilities on
the input and output file descriptors, respectively.  Using an offset is
logically equivalent to seeking, and the syscall must additionally
require the CAP_SEEK capability.

III. Impact

A sandboxed process with only read or write but no seek capability on a
file descriptor may be able to read data from or write data to an
arbitrary location within the file corresponding to that file
descriptor.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:13/capsicum.patch
# fetch https://security.FreeBSD.org/patches/SA-23:13/capsicum.patch.asc
# gpg --verify capsicum.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              3f0ce63828dc    stable/13-n256458
releng/13.2/                            2d23f6c33431  releng/13.2-n254636
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
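The following added example, which is not FreeBSD code and not part of the advisory above, models the rights decision for copy_file_range as the advisory describes it: the pre-fix check that only looks at CAP_READ and CAP_WRITE, beside the corrected check that also demands CAP_SEEK on whichever side is given an explicit offset pointer. The rights_t type, the CAP_* bit values and the two check functions are constructed for illustration; the kernel's own cap_rights_t machinery is not reproduced.

```c
/* Added example, not FreeBSD code: user-space model of the capability
 * rights check for copy_file_range(2), before and after the fix for
 * CVE-2023-5369.  Types and bit values below are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

typedef uint32_t rights_t;       /* constructed stand-in for cap_rights_t */
#define CAP_READ  (1u << 0)      /* constructed bit values, not the kernel's */
#define CAP_WRITE (1u << 1)
#define CAP_SEEK  (1u << 2)

/* A descriptor as a sandboxed process holds it: the rights it carries. */
struct sandbox_fd {
    rights_t rights;
};

static bool has_rights(const struct sandbox_fd *fd, rights_t need)
{
    return (fd->rights & need) == need;
}

/* Pre-fix rule: CAP_READ on the input and CAP_WRITE on the output,
 * whether or not offset pointers are supplied.  With a read-only,
 * non-seekable descriptor this still lets the caller name any offset. */
bool copy_file_range_rights_before(const struct sandbox_fd *in, const off_t *inoffp,
                                   const struct sandbox_fd *out, const off_t *outoffp)
{
    (void)inoffp;
    (void)outoffp;
    return has_rights(in, CAP_READ) && has_rights(out, CAP_WRITE);
}

/* Corrected rule: an explicit offset positions the copy, which is
 * equivalent to seeking, so CAP_SEEK is required on that descriptor too. */
bool copy_file_range_rights_fixed(const struct sandbox_fd *in, const off_t *inoffp,
                                  const struct sandbox_fd *out, const off_t *outoffp)
{
    rights_t need_in = CAP_READ;
    rights_t need_out = CAP_WRITE;
    if (inoffp != NULL)
        need_in |= CAP_SEEK;
    if (outoffp != NULL)
        need_out |= CAP_SEEK;
    return has_rights(in, need_in) && has_rights(out, need_out);
}

int main(void)
{
    /* Constructed scenario: input limited to CAP_READ only (no seek),
     * output with full read/write/seek rights, explicit input offset. */
    struct sandbox_fd in_ro = { CAP_READ };
    struct sandbox_fd out_full = { CAP_READ | CAP_WRITE | CAP_SEEK };
    off_t in_off = 4096;

    printf("explicit input offset, input lacks CAP_SEEK:\n");
    printf("  before fix: %s\n",
           copy_file_range_rights_before(&in_ro, &in_off, &out_full, NULL) ? "allowed" : "denied");
    printf("  after fix:  %s\n",
           copy_file_range_rights_fixed(&in_ro, &in_off, &out_full, NULL) ? "allowed" : "denied");
    printf("no offsets, same descriptors:\n");
    printf("  after fix:  %s\n",
           copy_file_range_rights_fixed(&in_ro, NULL, &out_full, NULL) ? "allowed" : "denied");
    return 0;
}
```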
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:14.smccc
Reply-To: freebsd-security@freebsd.org
Message-Id: <20231003230410.4C15F13493@freefall.freebsd.org>
Date: Tue, 3 Oct 2023 23:04:10 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-23:14.smccc                                      Security Advisory
                                                          The FreeBSD Project

Topic:          arm64 boot CPUs may lack speculative execution protections

Category:       core
Module:         arm64
Announced:      2023-10-03
Affects:        FreeBSD 13.2
Corrected:      2023-09-25 12:13:47 UTC (stable/13, 13.2-STABLE)
                2023-10-03 21:29:11 UTC (releng/13.2, 13.2-RELEASE-p4)
CVE Name:       CVE-2023-5370

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

To mitigate speculative execution side channel attacks on some AArch64
hardware the kernel can call into the boot firmware using the Secure
Monitor Call Calling Convention (SMCCC) mechanism.  To decide if the
kernel needs to use the SMCCC mitigation on a given CPU it can query the
firmware if the SMCCC workaround is present.

II.  Problem Description

On CPU 0 the check for the SMCCC workaround is called before SMCCC
support has been initialized.

III. Impact

No speculative execution workarounds are installed on CPU 0.

IV.  Workaround

No workaround is available.

Not all AArch64 CPUs are affected.  Systems where CPU 0 has the CSV2 and
PSTATE.SSBS processor features are unaffected by the speculative
execution attacks.  The kernel will print the following under CPU 0 on
unaffected CPUs:

 Processor Features 0 = <...CSV2...>
 Processor Features 1 = <...PSTATE.SSBS...>

The Arm Cortex-A35, Cortex-A53, and Cortex-A55 CPUs are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:14/smccc.patch
# fetch https://security.FreeBSD.org/patches/SA-23:14/smccc.patch.asc
# gpg --verify smccc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              4df1447f2c76    stable/13-n256420
releng/13.2/                            485912e051bb  releng/13.2-n254637
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
From: Michael Grimm
To: freebsd-ports@freebad.org, freebsd-security@freebsd.org
Subject: net/openntpd with constraint stops working after recent security/ca_root_nss upgrade
Message-Id: <123E9280-CBF1-4E00-B803-86AE4438C9D7@ellael.org>
Date: Sat, 7 Oct 2023 16:59:31 +0200
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi

I am running net/openntpd with a constraint:

…
constraint from "9.9.9.9"

After the recent upgrade of security/ca_root_nss to 3.93_1 I noticed a lot of warning messages (see end of mail).

Now, net/openntpd 6.8p1_7,2 stopped working:

Oct 7 09:39:53 kaan-bock ntpd[932]: constraints configured but none available
Oct 7 09:39:53 kaan-bock ntpd[934]: constraint: failed to load constraint ca

I had to remove that constraint from ntpd.conf in order to get ntpd working again.

Is this a bug or feature with recent security/ca_root_nss?

Thanks and regards,
Michael

[13/58] Extracting ca_root_nss-3.93_1: 100%
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/untrusted/157753a5.0)
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/untrusted/861a399d.0)
Skipping untrusted certificate /usr/share/certs/trusted/Camerfirma_Chambers_of_Commerce_Root.pem (/etc/ssl/untrusted/f90208f7.0)
Skipping untrusted certificate /usr/share/certs/trusted/Camerfirma_Global_Chambersign_Root.pem (/etc/ssl/untrusted/cb59f961.0)
Skipping untrusted certificate /usr/share/certs/trusted/Certum_Root_CA.pem (/etc/ssl/untrusted/442adcac.0)
Skipping untrusted certificate /usr/share/certs/trusted/Chambers_of_Commerce_Root_-_2008.pem (/etc/ssl/untrusted/c47d9980.0)
Skipping untrusted certificate /usr/share/certs/trusted/D-TRUST_Root_CA_3_2013.pem (/etc/ssl/untrusted/0b7c536a.0)
Skipping untrusted certificate /usr/share/certs/trusted/EC-ACC.pem (/etc/ssl/untrusted/349f2832.0)
Skipping untrusted certificate /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem (/etc/ssl/untrusted/128805a3.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/untrusted/2c543cd1.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem (/etc/ssl/untrusted/116bf586.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/e2799e36.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem (/etc/ssl/untrusted/480720ec.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem (/etc/ssl/untrusted/8867006a.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA.pem (/etc/ssl/untrusted/ad088e1d.0)
Skipping untrusted certificate /usr/share/certs/trusted/Global_Chambersign_Root_-_2008.pem (/etc/ssl/untrusted/0c4c9b6c.0)
Skipping untrusted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/untrusted/def36a68.0)
Skipping untrusted certificate /usr/share/certs/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem (/etc/ssl/untrusted/b1b8a7f3.0)
Skipping untrusted certificate /usr/share/certs/trusted/QuoVadis_Root_CA.pem (/etc/ssl/untrusted/080911ac.0)
Skipping untrusted certificate /usr/share/certs/trusted/Sonera_Class_2_Root_CA.pem (/etc/ssl/untrusted/9c2e7d30.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/untrusted/5c44d531.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem (/etc/ssl/untrusted/5a4d6896.0)
Skipping untrusted certificate /usr/share/certs/trusted/SwissSign_Platinum_CA_-_G2.pem (/etc/ssl/untrusted/a8dee976.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/62744ee1.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem (/etc/ssl/untrusted/26312675.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/4d4ba017.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem (/etc/ssl/untrusted/1320b215.0)
Skipping untrusted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem (/etc/ssl/untrusted/6410666e.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem (/etc/ssl/untrusted/c089bbbd.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem (/etc/ssl/untrusted/ba89ed3b.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA.pem (/etc/ssl/untrusted/2e4eed3c.0)
Skipping untrusted certificate /usr/share/certs/trusted/Trustis_FPS_Root_CA.pem (/etc/ssl/untrusted/d853d49e.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/ee1365c0.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/dc45b0bd.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/c0ff1f52.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/7d0b38bd.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (/etc/ssl/untrusted/b204d74a.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Universal_Root_Certification_Authority.pem (/etc/ssl/untrusted/c01cdfa2.0)
Scanning /usr/local/share/certs for certificates...
From nobody Sat Oct 7 15:03:09 2023
From: "Herbert J. Skuhra"
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Re: net/openntpd with constraint stops working after recent security/ca_root_nss upgrade
Date: Sat, 7 Oct 2023 17:03:09 +0200
References: <123E9280-CBF1-4E00-B803-86AE4438C9D7@ellael.org>
In-Reply-To: <123E9280-CBF1-4E00-B803-86AE4438C9D7@ellael.org>

On Sat, Oct 07, 2023 at 04:59:31PM +0200, Michael Grimm wrote:
> Hi
>
> I am running net/openntpd with a constraint:
>
> …
> constraint from "9.9.9.9"
>
> After the recent upgrade of security/ca_root_nss to 3.93_1 I noticed a lot of warning messages (see end of mail).
>
> Now, net/openntpd 6.8p1_7,2 stopped working:
>
> Oct 7 09:39:53 kaan-bock ntpd[932]: constraints configured but none available
> Oct 7 09:39:53 kaan-bock ntpd[934]: constraint: failed to load constraint ca
>
> I had to remove that constraint from ntpd.conf in order to get ntpd working again.
>
> Is this a bug or feature with recent security/ca_root_nss?
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274322

--
Herbert

From nobody Sat Oct 7 15:22:19 2023
From: Michael Grimm
Subject: Re: net/openntpd with constraint stops working after recent security/ca_root_nss upgrade
Date: Sat, 7 Oct 2023 17:22:19 +0200
Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
References: <123E9280-CBF1-4E00-B803-86AE4438C9D7@ellael.org>
Message-Id: <154B43A7-D35C-4C67-A46D-1B95CBB6E5CF@ellael.org>

Herbert J. Skuhra wrote:
>
>
> On Sat, Oct 07, 2023 at 04:59:31PM +0200, Michael Grimm wrote:
>> Hi
>>
>> I am running net/openntpd with a constraint:
>>
>> …
>> constraint from "9.9.9.9"
>>
>> After the recent upgrade of security/ca_root_nss to 3.93_1 I noticed a lot of warning messages (see end of mail).
>>
>> Now, net/openntpd 6.8p1_7,2 stopped working:
>>
>> Oct 7 09:39:53 kaan-bock ntpd[932]: constraints configured but none available
>> Oct 7 09:39:53 kaan-bock ntpd[934]: constraint: failed to load constraint ca
>>
>> I had to remove that constraint from ntpd.conf in order to get ntpd working again.
>>
>> Is this a bug or feature with recent security/ca_root_nss?
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274322

Ah!

Thanks,
Michael