From nobody Mon Feb 12 17:12:17 2024
From: John Baldwin
To: announce@FreeBSD.org
Subject: Future of 32-bit platform support in FreeBSD
Date: Mon, 12 Feb 2024 09:12:17 -0800
List-Id: Project Announcements [moderated]
List-Archive: https://lists.freebsd.org/archives/freebsd-announce

FreeBSD is deprecating 32-bit platforms over the next couple of major
releases. We anticipate FreeBSD 15.0 will not include the armv6, i386,
and powerpc platforms, and FreeBSD 16.0 will not include armv7. Support
for executing 32-bit binaries on 64-bit kernels will be retained through
at least the lifetime of the stable/16 branch if not longer.
(There is currently no plan to remove support for 32-bit binaries on
64-bit kernels.)

More background:

Since its inception, FreeBSD has aimed to provide a stable and
performant general-purpose BSD-based operating system for modern and
widely-available systems. Initially this took the form of focusing on
the i386 architecture. Over time FreeBSD has added and removed support
for various architectures based on changes in the marketplace (in some
cases, anticipated changes in the marketplace).

The decision to remove support for an architecture in particular depends
on a couple of factors including both the future viability and
availability of systems using that architecture as well as the developer
resources available in the project to continue maintaining support. In
addition, some changes and features may require explicit support on each
architecture. Architectures that are less well-maintained can degrade
into a tax on such changes delaying their implementation on
architectures with stronger support.

Looking forward, general purpose 32-bit platforms are in a state of
decline in the marketplace (some more quickly than others), and we have
a shrinking pool of developers dedicated to supporting them. Of our
existing 32-bit platforms today (i386, armv[67], powerpc), only armv7
continues to be used in recent system designs.

We feel that FreeBSD will be better served by narrowing the focus of our
developer resources on 64-bit systems moving forward. This includes both
deprecating existing 32-bit platforms and not adding new 32-bit
platforms (e.g., FreeBSD does not plan to add a 32-bit RISC-V
architecture).

Support for individual 32-bit platforms may be extended if there is both
demand and commitment to increased developer resources.

More details on the current plans for the future of 32-bit platforms can
be found in the "General Notes Regarding Future FreeBSD Releases"
section of the 14.0 release notes at
https://www.freebsd.org/releases/14.0R/relnotes/

On behalf of the FreeBSD Core Team,

-- 
John Baldwin

From nobody Wed Feb 14 07:07:06 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:01.bhyveload
Reply-To: freebsd-security@freebsd.org
Date: Wed, 14 Feb 2024 07:07:06 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:01.bhyveload                                  Security Advisory
                                                          The FreeBSD Project

Topic:          bhyveload(8) host file access

Category:       core
Module:         bhyveload
Announced:      2024-02-14
Credits:        The water cooler. (Note, this is the requested credit)
Affects:        All supported versions of FreeBSD.
Corrected:      2024-01-15 22:27:59 UTC (stable/14, 14.0-STABLE)
                2024-02-14 06:05:44 UTC (releng/14.0, 14.0-RELEASE-p5)
                2024-01-15 23:11:38 UTC (stable/13, 13.2-STABLE)
                2024-02-14 06:06:00 UTC (releng/13.2, 13.2-RELEASE-p10)
CVE Name:       CVE-2024-25940

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyveload(8) is used to load a FreeBSD guest into a bhyve virtual machine.

II.  Problem Description

`bhyveload -h ` may be used to grant loader access to the directory tree
on the host. Affected versions of bhyveload(8) do not make any attempt to
restrict loader's access to , allowing the loader to read any file the host
user has access to.

III. Impact

In the bhyveload(8) model, the host supplies a userboot.so to boot with,
but the loader scripts generally come from the guest image. A maliciously
crafted script could be used to exfiltrate sensitive data from the host
accessible to the user running bhyveload(8), which is often the system root.

IV.  Workaround

No workaround is available, but guests that do not use `bhyveload -h` are
not impacted. Common VM solutions that use bhyveload(8) do not usually use
the -h option.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.0]
# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch
# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch.asc
# gpg --verify bhyveload-14.0.patch.asc

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch.asc
# gpg --verify bhyveload-13.2.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Virtual machines that have been booted with bhyveload(8) do not need to be
rebooted.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              426b28fdf700    stable/14-n266333
releng/14.0/                            f5bb597829e1  releng/14.0-n265406
stable/13/                              78345dbd7a00    stable/13-n257186
releng/13.2/                            48598b1670ce  releng/13.2-n254657
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From nobody Wed Feb 14 07:07:11 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:02.tty
Reply-To: freebsd-security@freebsd.org
Date: Wed, 14 Feb 2024 07:07:11 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:02.tty                                        Security Advisory
                                                          The FreeBSD Project

Topic:          jail(2) information leak

Category:       core
Module:         jail
Announced:      2024-02-14
Credits:        Pawel Jakub Dawidek
Affects:        All supported versions of FreeBSD.
Corrected:      2024-02-12 16:25:54 UTC (stable/14, 14.0-STABLE)
                2024-02-14 06:05:46 UTC (releng/14.0, 14.0-RELEASE-p5)
                2024-02-12 16:27:37 UTC (stable/13, 13.2-STABLE)
                2024-02-14 06:06:01 UTC (releng/13.2, 13.2-RELEASE-p10)
CVE Name:       CVE-2024-25941

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

tty(4) is a general terminal device.

II.  Problem Description

The jail(2) system call has not limited a visibility of allocated TTYs
(the kern.ttys sysctl). This gives rise to an information leak about
processes outside the current jail.

III. Impact

Attacker can get information about TTYs allocated on the host or in other
jails. Effectively, the information printed by "pstat -t" may be leaked.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch
# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch.asc
# gpg --verify tty.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              215bb03edc54    stable/14-n266676
releng/14.0/                            4d354159d150  releng/14.0-n265407
stable/13/                              9bff7ec98354    stable/13-n257418
releng/13.2/                            17257e6e9a23  releng/13.2-n254658
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From nobody Wed Feb 14 07:07:20 2024
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:01.tzdata
Reply-To: freebsd-stable@freebsd.org
Date: Wed, 14 Feb 2024 07:07:20 +0000 (UTC)

=============================================================================
FreeBSD-EN-24:01.tzdata                                         Errata Notice
                                                          The FreeBSD Project

Topic:          Timezone database information update

Category:       contrib
Module:         zoneinfo
Announced:      2024-02-14
Affects:        All supported versions of FreeBSD
Corrected:      2024-02-05 00:30:01 UTC (stable/14, 14.0-STABLE)
                2024-02-14 06:21:06 UTC (releng/14.0, 14.0-RELEASE-p5)
                2024-02-05 00:30:42 UTC (stable/13, 13.2-STABLE)
                2024-02-14 06:27:47 UTC (releng/13.2, 13.2-RELEASE-p10)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

The IANA Time Zone Database (often called tz or zoneinfo) contains code and
data that represent the history of local time for many representative
locations around the globe. It is updated periodically to reflect changes
made by political bodies to time zone boundaries, UTC offsets, and
daylight-saving rules.

Leap seconds are occasional adjustments added to -- or potentially
subtracted from -- Coordinated Universal Time (UTC). An authoritative list
of leap second adjustments is maintained by the International Earth Rotation
and Reference Systems Service (IERS).

FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
The tzsetup(8) utility allows the user to specify the default local time
zone. Based on the selected time zone, tzsetup(8) copies one of the files
from /usr/share/zoneinfo to /etc/localtime. A time zone may also be
selected for an individual process by setting its TZ environment variable to
a desired time zone name.

The latest list of leap seconds at the time of release is installed on
FreeBSD in /var/db/ntpd.leap-seconds.list.
The startup rc(8) scripts of the ntpd(8) Network Time Protocol
implementation included in the FreeBSD base system can periodically
download an updated leap-seconds.list file from configurable internet sites.

II.  Problem Description

Several changes to future and past timestamps have been recorded in the IANA
Time Zone Database after previous FreeBSD releases were released. This
affects many users in different parts of the world. Because of these
changes, the data in the zoneinfo files need to be updated. If the local
timezone on the running system is affected, tzsetup(8) needs to be run to
update /etc/localtime.

In the default configuration, the ntpd(8) startup script included with
FreeBSD checks for an updated leap-seconds.list on the IETF's web server.
As of 2023, the IETF no longer distributes a copy of this file.

III. Impact

An incorrect time will be displayed on a system configured to use one of the
affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system
time, such as cron(8) and syslog(8), will be affected.

With the default configuration, FreeBSD systems cannot file updates to the
installed leap-seconds.list file. Since no leap second was introduced at
the end of 2023, the leap-seconds.list file included with all supported
FreeBSD releases is still accurate. Moreover, ntpd(8) is able to receive
updated leap second information from its peers. However, a diagnostic
warning about an expired leap-seconds.list is printed at startup.

IV.  Workaround

The system administrator can install an updated version of the IANA Time
Zone Database from the misc/zoneinfo port and run tzsetup(8).

Applications that store and display times in Coordinated Universal Time
(UTC) are not affected.

The ntpd(8) startup script can be configured to download an updated leap-seconds.list file from IERS with the following rc.conf(5) setting: ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list" Larger sites, or sites without reliable connectivity to the internet, may wish to point to their locally maintained copy of this file. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Please note that some third party software, for instance PHP, Ruby, Java, Perl and Python, may be using different zoneinfo data sources, in such cases this software must be updated separately. Software packages that are installed via binary packages can be upgraded by executing 'pkg upgrade'. Following the instructions in this Errata Notice will only update the IANA Time Zone Database installed in /usr/share/zoneinfo. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all the affected applications and daemons, or reboot the system. 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch # fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch.asc # gpg --verify tzdata-2024a.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all the affected applications and daemons, or reboot the system. VI. 
Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 26fe22019cb2 stable/14-n266642 releng/14.0/ a3b7bafd2acc releng/14.0-n265409 stable/13/ f4256acec1c9 stable/13-n257384 releng/13.2/ 66bb668fe5f2 releng/13.2-n254660 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYP4ACgkQbljekB8A Gu8lBxAA6XgVr3mwvCPgeu8UFa8OeIJzIBgCDv5QFD9BL5NjK5TQuUtc/EqFeuIp wSR+KC5Lc/NCsi3fX85M4ZI6HnsTBwOVQ5t7xhYxmQvBmzeZWz02UfGIVLuU6/JG mYjpRRCx1yEyUntzfuXEYNsCLkGWYLuydBfFsL+6tN587dk7A/rRMyzdEDsKApGE GcP5N7/cKaxNCoDSJonLpX0AbsoQRQJeyhVFgtKWnbPKW9yTeEAZEIG2jqlqOX5O JQ4Ih3nj4Y4IVVSwPyO5eZYtTc1N1MMixJct63yM4C8IHjCFnxfPASz6+9s8DcAx BwezcAogXJ0ERuohJe2SXPayEUPqrcPAUXQfwO8kPvAX7VrF97cwfyPY6sf9j7gw qtHX2e9OPt+oMbXOzgvnIt/p6OZ4SHpfDpiSIIJqk0f+w+qVPeRDKa2SUjWEGphc GS1wQc+lXqwvlm2DknpESRDOF6nLQfgSm1IFOWin/10kf6mFQR4RnK0lxP2rwZgQ s1VKhA8zPLrXhB4z/OJod7F2R5nXXfqQwlCmWC8RQjL7T7Bz7NEAIU9zwqIPAQb5 DTtCBe4dYBt6eeYPFQ8EjD3BfYzqJyT2rXQtnwl9Je/foHqZ6pJrFbQool81aRkq aCo/OKuzUKNnOLsLwyTTsO/kTqL1ryW/CiFHz7XhD2Y8+YqwOHE= =7Xjc -----END PGP SIGNATURE----- From nobody Wed Feb 14 07:07:33 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TZTm528Vjz5BC2D for ; Wed, 14 Feb 2024 07:07:33 +0000 (UTC) (envelope-from 
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:02.libutil
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20240214070733.0EE4E266E7@freefall.freebsd.org>
Date: Wed, 14 Feb 2024 07:07:33 +0000 (UTC)

=============================================================================
FreeBSD-EN-24:02.libutil                                        Errata Notice
                                                          The FreeBSD Project

Topic:          Login class resource limits and CPU mask bypass

Category:       core
Module:         libutil
Announced:      2024-02-14
Credits:        Olivier Certner
Affects:        All supported versions of FreeBSD.
Corrected:      2023-10-24 00:57:11 UTC (stable/14, 14.0-STABLE)
                2023-02-14 06:05:41 UTC (releng/14.0, 14.0-RELEASE-p5)
                2023-12-21 13:39:03 UTC (stable/13, 13.2-STABLE)
                2023-02-14 06:05:57 UTC (releng/13.2, 13.2-RELEASE-p10)

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

setusercontext() is a high-level API generally used by login-like programs to set the general environment of new processes launched on behalf of other users, including the credentials (users, groups, MAC security label), resource limits, CPU mask and process priority.

This function only applies the settings of the types requested by the caller via flags (e.g., LOGIN_SETALL for all types, LOGIN_SETUSER to set the real, effective and saved user IDs, etc.), and for some of them requires privileges to do so.

Among these, the resource limits (flag LOGIN_SETRESOURCES) and CPU mask (flag LOGIN_SETCPUMASK) types are set not only based on the target user's login class, which is controlled by the system administrator, but also on his personal configuration file '~/.login_conf' (see login.conf(5)).

In order to prevent unprivileged users from overriding the administrator settings, setusercontext() applies a personal configuration file only if the real user ID of the process that runs it matches that of the target user, with the goal to avoid applying the user-controlled settings with privileges.

II.  Problem Description

When deciding to apply a target user's personal configuration file, setusercontext() checks the real user ID of the process whereas it should instead check the effective user ID, which is the one affecting the process' privileges and consequently which settings it can change and to which values.

III. Impact

An unprivileged user may bypass the administrator's resource limits and/or CPU mask settings stemming from his login class provided he can run a (setuid) login-like program that:

- Calls setusercontext() with the LOGIN_SETRESOURCES and/or LOGIN_SETCPUMASK flags but without LOGIN_SETUSER (which excludes the use of LOGIN_SETALL), and with a non-NULL 'pwd' argument.
- Does so before changing the effective user ID to the target user.

No programs in FreeBSD's base system, including login(1) and su(1), meet these requirements, but third-party programs may. In particular, sudo(8) does when using the default sudoers(5) plugin configured with the 'use_loginclass' flag enabled. doas(8) does not.

IV.  Workaround

There are at least two possible workarounds.

The first one is for an administrator to prepare for all users a '~/.login_conf' they can't write or replace, e.g., using filesystem flags 'schg' or 'sunlnk' (see chflags(1)), defeating user's own customizations.

The second one is to review setuid login programs accessible to users, determine if they meet the requirements above, and deactivate those that do or reconfigure them when possible, as mentioned above for sudo(8).

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

It should be followed by a restart of all third-party daemons that use the 'libutil' library, or a reboot of the system.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch
# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch.asc
# gpg --verify libutil.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart all third-party daemons that use the 'libutil' library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              ede6fd06726c    stable/14-n265587
releng/14.0/                            c2a9cfc55046  releng/14.0-n265403
stable/13/                              9fcf54d3750e    stable/13-n256941
releng/13.2/                            9deb5ca77beb  releng/13.2-n254655
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
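The real-versus-effective UID decision described in FreeBSD-EN-24:02.libutil, as an added example that is not part of the advisory and is not libutil code. It is a self-contained model: the struct and function names, the flag bits, UID 1001 and the limit values are all constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Model flag bits, constructed for this example (not the <login_cap.h> values). */
enum { M_SETRESOURCES = 1 << 0, M_SETUSER = 1 << 1 };

/* Which UID the "may ~/.login_conf be applied?" test looks at. */
enum uid_check { CHECK_REAL_UID, CHECK_EFFECTIVE_UID };

struct cred  { unsigned ruid, euid; };
struct limit { long cur, max; };        /* soft and hard value of one resource */

/* Same rule as setrlimit(2): only euid 0 may raise a hard limit. */
static int model_setrlimit(const struct cred *c, struct limit *l, long cur, long max)
{
    if (cur > max)
        return -1;
    if (max > l->max && c->euid != 0)
        return -1;
    l->cur = cur;
    l->max = max;
    return 0;
}

/*
 * Model of the sequence the advisory describes. class_max is the value from
 * the administrator's login class, user_max the value the target user put in
 * ~/.login_conf. Returns the hard limit the new process ends up with, or -1
 * if the caller may not switch to the target user.
 */
static long model_setusercontext(struct cred c, unsigned target, int flags,
    long class_max, long user_max, enum uid_check mode)
{
    struct limit l = { LONG_MAX, LONG_MAX };    /* inherited: unlimited */
    unsigned checked;

    /* 1. Administrator-controlled login class settings. */
    if (flags & M_SETRESOURCES)
        (void)model_setrlimit(&c, &l, class_max, class_max);

    /* 2. Switch to the target user, only if the caller asked for it. */
    if (flags & M_SETUSER) {
        if (c.euid != 0 && c.euid != target)
            return -1;
        c.ruid = c.euid = target;
    }

    /* 3. User-controlled overrides; a refused setrlimit is simply ignored. */
    checked = (mode == CHECK_REAL_UID) ? c.ruid : c.euid;
    if ((flags & M_SETRESOURCES) && checked == target)
        (void)model_setrlimit(&c, &l, user_max, user_max);

    return l.max;
}

int main(void)
{
    /* Constructed scenario: user 1001, class limit 100, ~/.login_conf asks for 100000. */
    struct cred setuid_helper = { 1001, 0 };    /* setuid-root program run by the user */
    struct cred login_like    = { 0, 0 };       /* root process that will drop privileges */

    printf("setuid helper, no SETUSER, real-UID check:      %ld\n",
        model_setusercontext(setuid_helper, 1001, M_SETRESOURCES,
            100, 100000, CHECK_REAL_UID));
    printf("setuid helper, no SETUSER, effective-UID check: %ld\n",
        model_setusercontext(setuid_helper, 1001, M_SETRESOURCES,
            100, 100000, CHECK_EFFECTIVE_UID));
    printf("login-like with SETUSER, effective-UID check:   %ld\n",
        model_setusercontext(login_like, 1001, M_SETRESOURCES | M_SETUSER,
            100, 100000, CHECK_EFFECTIVE_UID));
    return 0;
}
```

Only the first case ends above the class limit: the real UID matches the target while the effective UID is still 0, so the user-controlled value is applied with privilege. When auditing a setuid program against the advisory's Impact section, that is the call pattern to look for.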
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:03.kqueue
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20240214070742.727F026987@freefall.freebsd.org>
Date: Wed, 14 Feb 2024 07:07:42 +0000 (UTC)

=============================================================================
FreeBSD-EN-24:03.kqueue                                         Errata Notice
                                                          The FreeBSD Project

Topic:          kqueue_close(2) page fault on exit using rfork(2)

Category:       core
Module:         kqueue
Announced:      2024-02-14
Affects:        All supported versions of FreeBSD.
Corrected:      2023-12-05 00:43:27 UTC (stable/14, 14.0-STABLE)
                2024-02-14 06:05:42 UTC (releng/14.0, 14.0-RELEASE-p5)
                2023-12-05 00:44:13 UTC (stable/13, 13.2-STABLE)
                2024-02-14 06:05:58 UTC (releng/13.2, 13.2-RELEASE-p10)

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The kqueue(2) system call provides a generic method of notifying the user when an event happens or a condition holds.

II.  Problem Description

Normally, when a process exits, all its kqueue fds will be destroyed at the moment p_klist is detached. However, if the process was created with rfork(2) with shared file descriptors, its signal knotes can survive. This can eventually result in a page fault when the process exits.

III. Impact

Using kqueue(2) with a process using rfork(2) can panic the system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch
# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch.asc
# gpg --verify kqueue.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              24346a2f7775    stable/14-n265907
releng/14.0/                            bb06104dce0b  releng/14.0-n265404
stable/13/                              55e91944998c    stable/13-n256837
releng/13.2/                            154dedade465  releng/13.2-n254656
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:04.ip
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20240214070745.BB51326747@freefall.freebsd.org>
Date: Wed, 14 Feb 2024 07:07:45 +0000 (UTC)

=============================================================================
FreeBSD-EN-24:04.ip                                             Errata Notice
                                                          The FreeBSD Project

Topic:          Kernel panic triggered by bind(2)

Category:       core
Module:         ip
Announced:      2024-02-14
Affects:        FreeBSD 14.0
Corrected:      2024-01-09 00:30:05 UTC (stable/14, 14.0-STABLE)
                2024-02-14 06:05:43 UTC (releng/14.0, 14.0-RELEASE-p5)

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The inpcb subsystem of the kernel is responsible for implementing portions of socket-related system calls (e.g., bind(2)) on behalf of IP-based network protocol implementations. This layer provides lookup tables which can be used within the kernel to translate between sockets and the internet addresses to which they are bound or connected.

II.  Problem Description

The inpcb layer maintains several hash tables which are synchronized by a combination of mutexes and the use of lock-free data structures. The implementation of the latter was flawed such that a locked lookup could return a socket that was in the process of being removed from the table.

III. Impact

The race condition can trigger a NULL pointer dereference in the kernel, resulting in a kernel panic.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch
# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              2bfe735277b8    stable/14-n266255
releng/14.0/                            9db5ae3ec45f  releng/14.0-n265405
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
Date: Fri, 16 Feb 2024 17:31:18 +0000
From: Lorenzo Salvadore
To: freebsd-announce@freebsd.org
Subject: FreeBSD Status Report - Fourth Quater 2023

FreeBSD Status Report Fourth Quarter 2023

Here is the fourth 2023 status report, with 18 entries.

This is the last 2023 quarter. As you have probably noticed, this status report comes later than usual and with fewer reports than the preceding quarter. Indeed, please keep in mind that the last quarter of every year is for many members of our community the quarter of the celebrations for Christmas and for the New Year, which implies that those members will spend more time with their families and will have less time for their favorite voluntary software projects. Thus there is less to report and reports tend to arrive later.

But finally, here they are. Have a nice read.

Lorenzo Salvadore, on behalf of the Status Team.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

A rendered version of this report is available here:
https://www.freebsd.org/status/report-2023-10-2023-12/

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Table of Contents

  • FreeBSD Team Reports
      □ FreeBSD Core Team
      □ FreeBSD Foundation
      □ FreeBSD Release Engineering Team
      □ Cluster Administration Team
      □ Continuous Integration
      □ Ports Collection
      □ Bugmeister Team and Bugzilla
  • Userland
      □ Service jails — Automatic jailing of rc.d services
  • Kernel
      □ Packrat - NFS client caching on non-volatile storage
  • Architectures
      □ armv7 Ports Quality Assurance
      □ SIMD enhancements for amd64
  • Cloud
      □ OpenStack on FreeBSD
      □ FreeBSD on Microsoft HyperV and Azure
      □ FreeBSD on EC2
  • Documentation
      □ Documentation Engineering Team
      □ FreeBSD Online Editor and Man Page Editor
      □ FreeBSD Wiki
  • Ports
      □ KDE on FreeBSD
      □ State of GNOME 44
      □ GCC on FreeBSD
  • Third Party Projects
      □ Containers and FreeBSD: Pot, Potluck and Potman

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD Team Reports

Entries from the various official and semi-official teams, as found in the Administration Page.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD Core Team

Contact: FreeBSD Core Team

The FreeBSD Core Team is the governing body of FreeBSD.

Along with the release engineering team, the project dedicates the 14.0-RELEASE to the memory of Hans Petter Selasky.

14.0-RELEASE

FreeBSD 14.0 was released at the end of 2023Q4. The release notes can be found at https://www.freebsd.org/releases/14.0R/relnotes/

New Release Engineering Team

After years of serving as the release engineer, gjb@ stepped down. cperciva@ took over as the new release engineer. karels@ is serving as the new deputy release engineer. Core would like to thank gjb@ for his long tenure and the many timely releases he created.

FreeBSD 2024 Community Survey

At the end of 2023, the Core Team worked with the Foundation on the 2024 community survey.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD Foundation

Links:
FreeBSD Foundation URL: https://freebsdfoundation.org/
Technology Roadmap URL: https://freebsdfoundation.org/blog/technology-roadmap/
Donate URL: https://freebsdfoundation.org/donate/
Foundation Partnership Program URL: https://freebsdfoundation.org/our-donors/freebsd-foundation-partnership-program/
FreeBSD Journal URL: https://freebsdfoundation.org/journal/
Foundation Events URL: https://freebsdfoundation.org/our-work/events/

Contact: Deb Goodkin

The FreeBSD Foundation is a 501(c)(3) non-profit organization dedicated to supporting and promoting the FreeBSD Project and worldwide community, and helping to advance the state of FreeBSD. We do this in both technical and non-technical ways. We are 100% supported by donations from individuals and corporations and those investments help us fund the:

  • Software development projects to implement features and functionality in FreeBSD
  • Sponsor and organize conferences and developer summits to provide collaborative opportunities and promote FreeBSD
  • Purchase and support of hardware to improve and maintain FreeBSD infrastructure,
  • Resources to improve security, quality assurance, and continuous integration efforts.
  • Materials and staff needed to promote, educate, and advocate for FreeBSD,
  • Collaboration between commercial vendors and FreeBSD developers,
  • Representation of the FreeBSD Project in executing contracts, license agreements, and other legal arrangements that require a recognized legal entity.

We supported FreeBSD in the following ways during the last quarter of 2023:

OS Improvements

During the fourth quarter of 2023, 236 src, 47 ports, and 33 doc tree commits identified The FreeBSD Foundation as a sponsor.
Some of this Foundation-sponsored work is described in separate report entries:

  • OpenStack on FreeBSD
  • SIMD enhancements for amd64.

Three new contractors started. Cheng Cui began working full-time on wireless networking. A main goal for Cheng’s project is to assist Bjoern Zeeb with 802.11ac support in iwlwifi. Tom Jones began work to port the Vector Packet Processor (VPP) to FreeBSD. VPP is an open-source, high-performance user space networking stack that provides fast packet processing suitable for software-defined networking and network function virtualization applications.

Olivier Certner joined the FreeBSD Foundation as a general FreeBSD developer. Some of Olivier’s contributions so far include:

  • reviewing, fixing, and hardening several security policies aimed at limiting process visibility, policies that are based on user identity, group membership, or sub-jail membership
  • committing fixes in the login class code, including one that allowed unprivileged users to bypass resource limits
  • implementing a secure hardware fix for the Zenbleed issue affecting AMD Zen2 processors.

Here is a sampling of other Foundation-sponsored work completed over the last quarter of 2023:

  • arm64: Add Armv8 rndr random number provider
  • net80211, LinuxKPI, and iwlwifi fixes and improvements
  • OpenSSL: updates to 3.0.11 and 3.0.12
  • Various freebsd-update fixes in preparation for 14.0
  • ssh: Update to OpenSSH 9.5p1
  • Various iommu fixes
  • Various makefs/zfs fixes

Learn more about our software development work for all of 2023 at https://freebsdfoundation.org/blog/2023-in-review-software-development/.

FreeBSD Infrastructure

We approved over $100,000 for a cluster refresh that began in late 2023 and will carry over into the new year by purchasing and shipping 15 new servers to 4 racks generously donated by NYI in their new Chicago facility.
The systems specifications were determined by the Cluster Administration team and consist of:

  • 5 package builders
  • 3 web servers
  • 2 package mirrors
  • 2 CI servers
  • 2 firewall/router
  • 1 admin bastion

More on our 2023 infrastructure support can be found at: https://freebsdfoundation.org/blog/2023-in-review-infrastructure/.

Continuous Integration and Workflow Improvement

As part of our continued support of the FreeBSD Project, the Foundation supports a full-time staff member dedicated to improving the Project’s continuous integration system and the test infrastructure. The full update can be found within the quarterly status report.

Partnerships and Research

In Q4 I connected with the following people, companies, and organizations: Phil Shafer, who works at Juniper Networks, and I met at All Things Open. He told me about the libxo library and his continuing work on related issues, like rewriting and filtering output to allow richer options that regular expressions provide. Sticking with Juniper, I also met Simon Gerraty at the Vendor Summit and heard his talk on SecureBoot. In alphabetical order, I also met with AMD, Ampere, Center for Internet Security (CIS), Innovate UK, Michael Dexter, Metify, Microsoft, several people at NetApp when I attended their annual conference (Thank you for the invitation!!), NetScaler, NIST, Nozomi Networks, NVIDIA, members of the Open Container Initiative community, OpenSSF, RG Nets, Doug Rabson.

I greatly appreciated the opportunity to attend NetApp’s annual conference in October. I heard from and connected with experts at NetApp and their partners and customers on topics such as AI and seamless AI data pipelines, hybrid cloud, and green computing. I took the opportunity to hand out some FreeBSD lapel pins 🙂 and I connected with a FreeBSD user and member of the Enterprise WG whose company is a NetApp Customer.
In Q4 we announced the new FreeBSD SSDF Attestation program to help commercial users of FreeBSD comply with new US Government procurement regulations. This program was informed by valuable feedback from NetApp, Metify, and NIST, and the genesis of the idea came thanks to my involvement with open source policy experts, in particular via the OSI’s Open Policy Alliance.

The Open Container Initiative Technical Oversight Board voted in December to approve Doug Rabson’s proposal to create a Working Group to extend the OCI runtime specification to support FreeBSD. Huge thanks to all involved! An OCI runtime extension for FreeBSD is one of the most frequently requested capabilities and I was happy to play a small role in helping to coordinate this effort so far.

The Vendor Summit in November was a great event. Huge props to John Baldwin and Anne Dickison for all the work to organize and orchestrate. I got a lot out of the event. Personal highlights were conversations with a diversity of users, the CHERI talk, the end user panel, and Allan’s talk on being an upstream first company.

For a full recap on our efforts to strengthen partnerships and increase funding in 2023, check out: https://freebsdfoundation.org/blog/2023-in-review-partnerships-and-research/.

Advocacy

From organizing and attending events, to creating technical content that educates, and expanding the coverage of FreeBSD in the media, here is a sample of what we did last quarter to support FreeBSD.

  • Helped organize and sponsor the November 2023 Vendor Summit held at NetApp in San Jose. Many consider this one of the best summits to date. Be sure to check out the videos.
  • Introduced FreeBSD to new and returning folks at All Things Open in North Carolina.
  • Provided an overview of FreeBSD 14: Security, Performance, and Interoperability; Introducing FreeBSD 14
  • In collaboration with the Core team, released the 2024 FreeBSD Community Survey
  • Participated in an interview about FreeBSD: What the Dev Podcast: The Evolution of the FreeBSD Project
  • Released the September/October 2023 issue of the FreeBSD Journal, now with HTML versions of the articles.

For a full recap of what we did to advocate for FreeBSD in 2023, please check out the Advocacy Year in Review: https://freebsdfoundation.org/blog/2023-in-review-advocacy/ or the monthly newsletters: https://freebsdfoundation.org/our-work/latest-updates/?filter=newsletter.

Fundraising

Thank you to everyone who gave us a financial contribution last quarter to help fund our work to support the Project. You brought us even closer to our goal and we are grateful for your investment in FreeBSD! We are still receiving donations in the mail and will post the final number in mid-February.

Please consider supporting our efforts in 2024 by making a donation here: https://freebsdfoundation.org/donate/.

Or, check out our Partnership opportunities here: https://freebsdfoundation.org/our-donors/freebsd-foundation-partnership-program/.

Legal/FreeBSD IP

The Foundation owns the FreeBSD trademarks, and it is our responsibility to protect them. We also provide legal support for the core team to investigate questions that arise.

Go to https://freebsdfoundation.org to find more about how we support FreeBSD and how we can help you!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD Release Engineering Team

Links:
FreeBSD 13.3-RELEASE schedule URL: https://www.freebsd.org/releases/13.3R/schedule/
FreeBSD releases URL: https://download.freebsd.org/releases/ISO-IMAGES/
FreeBSD development snapshots URL: https://download.freebsd.org/snapshots/ISO-IMAGES/

Contact: FreeBSD Release Engineering Team

The FreeBSD Release Engineering Team is responsible for setting and publishing release schedules for official project releases of FreeBSD, announcing code freezes and maintaining the respective branches, among other things.

During the fourth quarter of the year, the Team continued work on 14.0-RELEASE, leading to the final RELEASE build and announcement in November. Planning has started for the upcoming 13.3-RELEASE and 14.1-RELEASE cycles.

The Release Engineering Team continued providing weekly development snapshot builds for the main and stable/13 branches, and (after 14.0-RELEASE) started weekly builds for stable/14.

After over a decade as Release Engineering Lead, Glen Barber has retired from the role; his Deputy, Colin Percival, has moved into the Lead role, while Mike Karels has assumed the position of Deputy Release Engineer.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Cluster Administration Team

Links:
Cluster Administration Team members URL: https://www.freebsd.org/administration/#t-clusteradm

Contact: Cluster Administration Team

FreeBSD Cluster Administration Team members are responsible for managing the machines the Project relies on to synchronize its distributed work and communications.

In this quarter, the team has worked on the following:

  • Regular support for FreeBSD.org user accounts.
  • Regular disk and parts support (and replacement) for all physical hosts and mirrors.
  • Enable mirroring of https://www.FreeBSD.org and https://docs.FreeBSD.org in the FreeBSD project-managed mirrors.
  • Cluster refresh, upgrading all hosts and jails to the most recent versions of 15-CURRENT, 14-STABLE, 13-STABLE, and 12-STABLE.
  • Begin sunsetting 12-STABLE infrastructure as the branch approaches its end of life.

In addition to these projects, with Modirum generously sponsoring Philip’s time for most of October, we were able to bring pkgbase into "preview" production in time for 14.0-RELEASE in November.

We also installed a new European mirror site in Sjöbo, Sweden, sponsored by Teleservice Skåne AB. Traffic in Europe is now directed roughly equally between our existing mirror in Frankfurt (sponsored by Equinix) and the new mirror in Sweden.

After well over ten years in service, we plan to decommission our mirror site in the UK during the first quarter of 2024. We would like to thank Bytemark Hosting for supporting this mirror for all this time.

Next quarter, supported by the FreeBSD Foundation, we plan to bring up a new primary cluster site in Chicago.

FreeBSD Official Mirrors Overview

Current locations are Australia, Brazil, Germany, Japan (two full mirror sites), Malaysia, South Africa, Sweden, Taiwan, United Kingdom (full mirror site), United States of America — California, New Jersey (primary site), and Washington.
The hardware and network connection have been generously provided by:

  • Bytemark Hosting (decommissioned during 2024Q1)
  • Cloud and SDN Laboratory at BroadBand Tower, Inc
  • Department of Computer Science, National Yang Ming Chiao Tung University
  • Equinix
  • Internet Association of Australia
  • Internet Systems Consortium
  • INX-ZA
  • KDDI Web Communications Inc
  • Malaysian Research & Education Network
  • Metapeer
  • NIC.br
  • Your.Org
  • 365 Data Centers
  • Teleservice Skåne AB (new since 2023Q4)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Continuous Integration

Links:
FreeBSD Jenkins Instance URL: https://ci.FreeBSD.org
FreeBSD CI Tinderbox view URL: https://tinderbox.freebsd.org
FreeBSD CI artifact archive URL: https://artifact.ci.FreeBSD.org
Hosted CI wiki URL: https://wiki.FreeBSD.org/HostedCI
3rd Party Software CI URL: https://wiki.FreeBSD.org/3rdPartySoftwareCI
Tickets related to freebsd-testing@ URL: https://bugs.freebsd.org/bugzilla/buglist.cgi?bug_status=open&email1=testing%40FreeBSD.org&emailassigned_to1=1&emailcc1=1&emailtype1=equals
FreeBSD CI Repository URL: https://github.com/freebsd/freebsd-ci
dev-ci Mailing List URL: https://lists.FreeBSD.org/subscription/dev-ci

Contact: Jenkins Admin
Contact: Li-Wen Hsu
Contact: freebsd-testing Mailing List
Contact: IRC #freebsd-ci channel on EFNet

In the fourth quarter of 2023, we worked with the project contributors and developers to address their testing requirements. Concurrently, we collaborated with external projects and companies to enhance their products by testing more on FreeBSD.

Important completed tasks:

  • Adding job to build amd64 architecture with GCC 13.
    (Thanks jhb@)
  • Adding powerpc64le jobs config for stable-14 (Thanks alfredo@)
  • Updating the build env of jobs of main and stable/14 branches to 14.0-RELEASE

Work in progress tasks:

  • Designing and implementing pre-commit CI building and testing and pull/merged-request based system (to support the workflow working group)
  • Proof of concept system is in progress.
  • Designing and implementing use of CI cluster to build release artifacts as release engineering does, starting with snapshot builds
  • Simplifying CI/test environment setting up for contributors and developers
  • Setting up the CI stage environment and putting the experimental jobs on it
  • Redesigning the hardware test lab and adding more hardware for testing
  • Merge https://reviews.freebsd.org/D38815
  • Merge https://reviews.freebsd.org/D36257

Open or queued tasks:

  • Collecting and sorting CI tasks and ideas
  • Setting up public network access for the VM guest running tests
  • Implementing use of bare-metal hardware to run test suites
  • Adding drm ports building tests against -CURRENT
  • Planning to run ztest tests
  • Helping more software get FreeBSD support in its CI pipeline (Wiki pages: 3rdPartySoftwareCI, HostedCI)
  • Working with hosted CI providers to have better FreeBSD support

Please see freebsd-testing@ related tickets for more WIP information, and do not hesitate to join the effort!

Sponsor: The FreeBSD Foundation

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Ports Collection

Links:
About FreeBSD Ports URL: https://www.FreeBSD.org/ports/
Contributing to Ports URL: https://docs.freebsd.org/en/articles/contributing/#ports-contributing
Ports Management Team URL: https://www.freebsd.org/portmgr/
Ports Tarball URL: http://ftp.freebsd.org/pub/FreeBSD/ports/ports/

Contact: Tobias C. Berner
Contact: FreeBSD Ports Management Team

The Ports Management Team is responsible for overseeing the overall direction of the Ports Tree, building packages, and personnel matters.
Below is what happened in the last quarter.

  • According to INDEX, there are currently 31,942 ports in the Ports Collection. There are currently ~3,100 open ports PRs. The last quarter saw 9,424 commits by 157 committers on the main branch and 781 commits by 71 committers on the 2023Q4 branch. Compared to last quarter, this means a hefty decrease in the number of commits on the main branch (down from 11,454) and slightly fewer backports to the quarterly branch (down from 828). The number of ports also fell a bit (down from 34,600).

In Q4 there were around 9424 commits to main. The most active committers were:

  sunpoet   2946
  yuri       861
  bofh       793
  jbeich     419
  fuz        324
  eduardo    168
  fernape    160
  jhale      153
  thierry    146
  diizzy     123

During Q4 we welcomed Michael Osipov (michaelo) and Timothy Beyer (beyert) as new committers, but sadly also had to say goodbye to bland, sbruno, hselasky and gjb.

We invited arrowd, flo and riggs to be part of portmgr-lurkers for the next months.

Support for FreeBSD 12.x was removed at the end of the quarter.

The end of Q4 also saw the introduction of subpackages to the ports tree. Similar to when flavors were introduced, new subpackages will require an approval by portmgr before being pushed to the tree. With subpackages it is possible to create multiple packages from a single build of a port.

The following happened on the infrastructure side:

  • Packages for 14.0-RELEASE were built
  • Poudriere was updated to release-3.4
  • Support for FreeBSD 12.x was removed.
  • The no-longer maintained www/qt5-webkit was removed.
  • postgresql11, php80, mysql57, percona57, ghostscript9 were removed.
  • The following default versions changed:
      • perl to 5.36
      • ghostscript to 10
      • corosync to 3
  • Updates to major ports that happened were:
      • ports-mgmt/pkg to 1.20.9
      • ports-mgmt/poudriere to 3.4.0 (subpackage support)
      • KDE-bits to plasma-5.27.10, frameworks-5.112, gear-23.08.4, and beta-2
      • www/chromium to 120.0.6099.129
      • www/firefox to 121.0 (rc1)
      • lang/rust to 1.74.1
      • … and many more …

During the last quarter, pkgmgr@ ran 26 exp-runs to test various ports upgrades, updates to default versions of ports, subpackage support and base system changes.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Bugmeister Team and Bugzilla

Links:
Bugmeister team URL: https://www.freebsd.org/administration/#t-bugmeister
FreeBSD Bugzilla URL: https://bugs.freebsd.org/bugzilla/

Contact: Bugmeister

Some recent maintenance has been done on our Bugzilla instance:

  • the weekly reminder emails now include the correct values for mfc-* Flags queries;
  • the Dashboard page has had an obsolete query removed. (We no longer use the 'patch-ready' Keyword; it was too much paperwork. Thus, the query on that field was useless.);
  • the limit that capped the maximum number of reported PRs at 10000 has been raised to 12500.

In addition, the Wiki documentation on our Bugzilla has been updated:

  • the page https://wiki.freebsd.org/Bugzilla/SearchQueries has been substantially reworked:
      □ In particular, documentation about how to search on Flag values has been added. (This may not have been done before.) Example: search for PRs with Flag 'mfc-stable14' set;
      □ This page may be of interest to all committers and contributors;
  • the page https://wiki.freebsd.org/Bugmeister/BugmeisterQA has also been updated; While similar to the above, it is of more specific interest to bugmeister and triagers.

As well, PRs that are specific to FreeBSD 12 are being culled, as 12 has gone out of support as of 20231231.
A further effort is being made to document our setup of Bugzilla itself, especially with respect to our customizations. This is needed to bring our own repository up to date with what is running on production.

The number of PRs over the past quarter (and year) has remained consistent. However, we do seem to be closing incoming PRs more quickly these days. For reference: https://bugs.freebsd.org/bugzilla/page.cgi?id=dashboard.html&days=90 . The overall number of PRs remains around 11,400.

Bugmeister is also working towards restarting the Bugathons. See the updated page https://wiki.freebsd.org/Bugathons.

Bugmeister would like to thank a number of people who have assisted with bugbusting, including Mina Galić, Graham Perrin, Lorenzo Salvadore, and Fernando Apesteguìa, among others.

In addition, bugmeister would like to thank all the FreeBSD committers who help process the PRs as they come in. Over the last few months we seem to be much closer to steady-state.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Userland

Changes affecting the base system and programs in it.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Service jails — Automatic jailing of rc.d services

Links:
D40370: Infrastructure for automatic jailing of rc.d-services URL: https://reviews.freebsd.org/D40370
D40371: automatic service jails: some setup for full functionality of the services in automatic service jails URL: https://reviews.freebsd.org/D40371
D42779: Handbook / rc-article update for Service Jails URL: https://reviews.freebsd.org/D42779

Contact: Alexander Leidinger

Service jails extend the rc(8) system to allow automatic jailing of rc.d services. A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, …) by default.
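Service jails are switched on per service with rc.conf(5) variables of the form name_svcj and name_svcj_options. As an added example (not code from this report or from the patches under review), the script below reads rc.conf-style text and lists which enabled services run in a service jail; the function names and the sample input are constructed, and it assumes plain name=value lines.

```shell
#!/bin/sh
# Added example: audit rc.conf(5)-style text for service-jail coverage.
# The variable forms <name>_svcj and <name>_svcj_options come from the report;
# function names and the sample input are constructed for illustration.

# svcj_audit: stdin = rc.conf text, stdout = "name<TAB>state<TAB>options"
# for every service whose <name>_enable evaluates to yes.
svcj_audit() {
    awk '
    # Same truthy values rc.subr checkyesno accepts: YES, TRUE, ON, 1.
    function yes(v) {
        v = toupper(v)
        return (v == "YES" || v == "TRUE" || v == "ON" || v == "1")
    }
    {
        sub(/#.*/, "")                    # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "")       # trim whitespace
        eq = index($0, "=")
        if (eq < 2) next                  # not a name=value line
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/"/, "", val)                # values are usually double-quoted
        # A later assignment overrides an earlier one, as when sh sources the file.
        if (key ~ /_svcj_options$/)
            opts[substr(key, 1, length(key) - 13)] = val
        else if (key ~ /_svcj$/)
            jail[substr(key, 1, length(key) - 5)] = yes(val)
        else if (key ~ /_enable$/)
            on[substr(key, 1, length(key) - 7)] = yes(val)
    }
    END {
        for (n in on) {
            if (!on[n]) continue
            if ((n in jail) && jail[n])
                printf "%s\tjailed\t%s\n", n, ((n in opts) && opts[n] != "" ? opts[n] : "-")
            else
                printf "%s\tunjailed\t-\n", n
        }
    }' | LC_ALL=C sort
}

# svcj_unjailed: names of enabled services that do not run in a service jail.
svcj_unjailed() {
    svcj_audit | awk -F '\t' '$2 == "unjailed" { print $1 }'
}

# Constructed sample input, not taken from a real host.
sample_rc_conf() {
    cat <<'EOF'
sshd_enable="YES"
local_unbound_enable="YES"
local_unbound_svcj_options=net_basic
local_unbound_svcj=YES
ntpd_enable="YES"
ntpd_svcj="NO"       # explicitly left outside a service jail
sendmail_enable="NONE"
EOF
}

sample_rc_conf | svcj_audit
```

A "-" in the options column only means rc.conf sets none; the script cannot see defaults shipped with a service or services for which the patches hard-code service jails off.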
Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (vmm(4)).

If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change rc.conf(5) to have:

    local_unbound_svcj_options=net_basic
    local_unbound_svcj=YES

Note: all base system services are covered in the patches with either name_svcj_options or a hard-coded disabling of the service jails feature where it does not make sense (e.g. pure services which change the runtime configuration but do not start daemons, or where things are run which can not be run in a sensible way inside a jail). As such the local_unbound_svcj_options line above is superfluous and serves just as an example about the amount of configuration needed in total.

While this does not have the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while providing some of the security benefits of a jail like hiding other processes of the same user.

Since the previous service jails status report, the following were added:

  • support for NFS inside jails in the service jails framework (untested),
  • the possibility of jailing other service commands than start and stop,
  • service jails options / config for all base system services in the patch in D40371,
  • a first step at documenting the service jails in the Handbook.

Not all services are tested, but all services are covered with a config. Any testing and feedback (even as simple as "service X works in a service jail") is welcome.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Kernel

Updates to kernel subsystems/features, driver support, filesystems, and more.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Packrat - NFS client caching on non-volatile storage

Contact: Rick Macklem

NFSv4.1/4.2 provides support for a feature called delegations.
When a NFSv4.1/4.2 client holds a delegation, the client has certain rights to a file, including a guarantee that no other client will make changes to the file unless the delegation is recalled. As such, when a client holds a delegation for a file, it can aggressively cache the file’s data, knowing that it will not be modified by other clients until it returns the delegation.

This project is intended to allow the NFSv4.1/4.2 client to aggressively cache file data on client local non-volatile storage, when the client holds a delegation for the file. I created a patch long ago to try and do this for NFSv4.0, but it was never at a stage where it was worth using. This project is a complete rewrite of the patch, done in part because NFSv4.1/4.2 plus other recent NFSv4-related changes make doing this more feasible.

I now have code running fairly well and hope to have a patch ready for others to test this winter. Early testing shows promise. For a test run of "make buildkernel", the test with and without packrat enabled performed as follows:

Table 1. NFS operation counts

  NFS operation counts   Getattr   Lookup    Read   Write   Total RPCs
  with packrats           433506    99254       0       0       371736
  without packrats       2359913    97954   10748       0      2318810

Table 2. Elapsed Run Time

  Elapsed Run Time (sec)
  with packrat   without packrat
  5561           6203

As you can see, the packrat case ran a little faster and with fewer RPCs. Although this test was run on my little LAN, it is hoped that a NFSv4.1/4.2 mount over a WAN would show a larger difference in performance. I will note that the packrat cache was primed by unrolling a tarball of FreeBSD’s /usr/src into the NFSv4.1/4.2 mount.

This will be very much an experimental feature, but it is hoped it will allow NFS mounts to be used more effectively, particularly in WAN situations, such as a mobile laptop.

There is still work to be done, particularly with respect to recovery of delegations after a NFSv4.1/4.2 client restart.
Hopefully, the next status report will include a URL that allows downloading of a patch for user testing.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Architectures

Updating platform-specific features and bringing in support for new hardware platforms.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

armv7 Ports Quality Assurance

Contact: Robert Clausecker

As part of a long term project to improve the quality of the FreeBSD ports collection for the armv7 architecture, a number of issues in the base system and in various ports have been fixed. Through this action, the number of binary packages that could be successfully built from the 2023Q4 branch of the ports collection was increased from 30018 (as of 2023-10-04) to 31118 (as of 2023-11-24). Two kernel bugs affecting package builds (PR 267788 and PR 274705) were identified and addressed, with these two alone being responsible for around 900 failed packages.

The most common other causes for build failures include

  • lack of FreeBSD-specific armv7 support code
  • data alignment issues (armv7 being one of the few architectures for which we do not support unaligned memory accesses)
  • address space exhaustion during the build processes (usually LTO related; PR 274705 addressed many cases)
  • lack of OpenMP support on armv7 FreeBSD

If you are a user of the FreeBSD ports collection on armv7, do not hesitate to file a bug report on our bug tracker should there be any issues.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SIMD enhancements for amd64

Links:
FreeBSD Foundation blog post URL: https://freebsdfoundation.org/blog/a-sneak-peek-simd-enhanced-string-functions-for-amd64/
simd(7) URL: https://man.freebsd.org/cgi/man.cgi?query=simd&sektion=7&manpath=FreeBSD+15.0-CURRENT
Work currently under acceptance testing URL: https://github.com/clausecker/freebsd-src/commits/acceptance-testing

Contact: Robert Clausecker

The project to enhance the libc with SIMD implementations of string functions for amd64 has now concluded. In total, SIMD implementations for 17 libc functions have been written, complemented by scalar implementations where needed. Through this rewrite, performance of these functions on strings with an average length of 64 characters was improved by an average factor of 5.54. In addition, 9 other library functions were rewritten to call into the SIMD-enhanced routines, conveying benefits without requiring additional assembly implementations. Please see the FreeBSD Foundation blog post linked above for more details.

Parts of the SIMD work are already found in the CURRENT branch. The rest is currently undergoing acceptance testing and will be merged if no problems emerge. It is planned to back port all improvements to 14-STABLE for inclusion into FreeBSD 14.1.

Sponsor: The FreeBSD Foundation

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Cloud

Updating cloud-specific features and bringing in support for new cloud platforms.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

OpenStack on FreeBSD

Links:
OpenStack URL: https://www.openstack.org/
OpenStack on FreeBSD URL: https://github.com/openstack-on-freebsd

Contact: Chih-Hsin Chang
Contact: Li-Wen Hsu

In the fourth quarter, we successfully migrated the originally virtualized OpenStack platform to physical machines running FreeBSD 14.0-STABLE.
The ported OpenStack components include Keystone, Glance, Placement, Neutron, and Nova. As part of this process, we took the opportunity to update the installation documentation and the list of dependencies.

Moving forward, we encourage users and developers interested in this project to effortlessly recreate the OpenStack platform in their FreeBSD environments following this documentation. Any issues or difficulties encountered are welcome to be reported on the GitHub project page. Your contributions will contribute to the refinement of our installation documentation and the overall porting efforts.

In the upcoming quarter, our focus will shift towards incorporating various patches and workarounds generated during the migration process into the project in a more structured code form. Additionally, we plan to develop FreeBSD ports for each OpenStack component, further streamlining the installation process.

Sponsor: The FreeBSD Foundation

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD on Microsoft HyperV and Azure

Links:
Microsoft Azure article on FreeBSD wiki URL: https://wiki.freebsd.org/MicrosoftAzure
Microsoft HyperV article on FreeBSD wiki URL: https://wiki.freebsd.org/HyperV

Contact: Microsoft FreeBSD Integration Services Team
Contact: freebsd-cloud Mailing List
Contact: The FreeBSD Azure Release Engineering Team
Contact: Wei Hu
Contact: Souradeep Chakrabarti
Contact: Li-Wen Hsu

In this quarter, we have solved all the blocking issues and published the 14.0-RELEASE on Azure Marketplace, with complete architecture (amd64, arm64) and VM generation (gen1, gen2) support, available in both UFS and ZFS as the root file system.

Work in progress tasks:

  • Automating the image building and publishing process and merging to src/release/.
  • Building and publishing snapshot builds to Azure community gallery.

The above tasks are sponsored by The FreeBSD Foundation, with resources provided by Microsoft.
Open tasks:

  • Update FreeBSD related doc at Microsoft Learn
  • Support FreeBSD in Azure Pipelines
  • Update Azure agent port to the latest version
  • Upstream local modifications of Azure agent
  • Port Linux Virtual Machine Extensions for Azure

Sponsor: Microsoft for people in Microsoft, and for resources for the rest
Sponsor: The FreeBSD Foundation for everything else

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD on EC2

Links:
FreeBSD/EC2 Patreon URL: https://www.patreon.com/cperciva

Contact: Colin Percival

FreeBSD is available on both amd64 (Intel and AMD) and arm64 (Graviton) EC2 instances. Work continues to ensure that upcoming instance types will be supported; most recently, changes were needed to support "7th generation" Intel and AMD instances.

FreeBSD 14.0-RELEASE shipped with experimental ZFS-root AMIs and "cloud-init" AMIs. Additional "flavored" FreeBSD AMIs are planned, including "AMI Builder" and "minimal" (no debug symbols).

A bug in the release-building process which resulted in 14.0-RELEASE AMIs shipping with duplicate lines in /etc/rc.conf has been corrected and future releases should not be affected.

A bug in the ec2-aws-imdsv2-get utility which resulted in 14.0-RELEASE AMIs not supporting binary user-data files has been corrected and future releases should not be affected.

This work is supported by Colin’s FreeBSD/EC2 Patreon.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Documentation

Noteworthy changes in the documentation tree, manual pages, or new external books/documents.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Documentation Engineering Team

Link: FreeBSD Documentation Project URL: https://www.freebsd.org/docproj/
Link: FreeBSD Documentation Project Primer for New Contributors URL: https://docs.freebsd.org/en/books/fdp-primer/
Link: Documentation Engineering Team URL: https://www.freebsd.org/administration/#t-doceng

Contact: FreeBSD Doceng Team

The doceng@ team is a body to handle some of the meta-project issues associated with the FreeBSD Documentation Project; for more information, see FreeBSD Doceng Team Charter.

During the last quarter:

Glen Barber stepped down from doceng. doceng would like to thank gjb@ for his service.

Ceri Davies' commit bit was taken for safekeeping as per his request. doceng would like to thank ceri@ for his contributions.

mhorne@ to be mentored by carlavilla@ to obtain a documentation commit bit.

FreeBSD Handbook: The Handbook was updated to show that FreeBSD 14.0 is the latest release.

FreeBSD Translations on Weblate

Link: Translate FreeBSD on Weblate URL: https://wiki.freebsd.org/Doc/Translation/Weblate
Link: FreeBSD Weblate Instance URL: https://translate-dev.freebsd.org/

Q4 2023 Status

  • 17 team languages
  • 203 registered users

Languages

  • Chinese (Simplified) (zh-cn) (progress: 7%)
  • Chinese (Traditional) (zh-tw) (progress: 3%)
  • Dutch (nl) (progress: 1%)
  • French (fr) (progress: 1%)
  • German (de) (progress: 1%)
  • Indonesian (id) (progress: 1%)
  • Italian (it) (progress: 5%)
  • Korean (ko) (progress: 33%)
  • Norwegian (nb-no) (progress: 1%)
  • Persian (fa-ir) (progress: 2%)
  • Polish (progress: 1%)
  • Portuguese (progress: 0%)
  • Portuguese (pt-br) (progress: 22%)
  • Spanish (es) (progress: 35%)
  • Turkish (tr) (progress: 2%)

We want to thank everyone that contributed, translating or reviewing documents.

And please, help promote this effort on your local user group, we always need more volunteers.
FreeBSD Handbook working group

Contact: Sergio Carlavilla

  • The Network chapter has been rewritten
  • The Jails chapter has been rewritten
  • The next section to work on will be the file systems part: UFS, ZFS, Other File Systems

FAQ Working Group

Contact: Sergio Carlavilla

A new FAQ was released alongside FreeBSD 14.0.

FreeBSD Website Revamp - WebApps working group

Contact: Sergio Carlavilla

Working group in charge of creating the new FreeBSD Documentation Portal and redesigning the FreeBSD main website and its components. FreeBSD developers can follow and join the working group on the FreeBSD Slack channel #wg-www21. The work will be divided into three phases:

 1. Redesign of the Manual Pages on web

    Scripts to generate the HTML pages using mandoc. (Complete, Approved by Doceng, Deploy Date Not Decided Yet) Public instance on https://man-dev.FreeBSD.org

 2. Redesign of the FreeBSD main website

    New design, responsive and dark theme. (Almost Complete, Presented at EuroBSDCon)

 3. Redesign of the Ports page on web

    Ports scripts to create an applications portal. (Work in progress)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

FreeBSD Online Editor and Man Page Editor

Links:
FreeBSD Online Document Editor URL: https://github.com/Wang-Yan-Hao/FreeBSD-Online-Document-Editor
FreeBSD Online Man Page Editor URL: https://github.com/Wang-Yan-Hao/man_page_editor

Contact: Yan-Hao Wang
Contact: Li-Wen Hsu

This report provides a continued overview of the FreeBSD online editor and man page editor project, outlining recent efforts to enhance the documentation and manual page editing processes.

In order to optimize the project’s structural integrity, we enlisted the expertise of a professional front-end programmer.

We plan to release the editor soon and currently have some tasks that require additional support.

1. We are actively seeking a qualified individual to conduct a comprehensive front-end security review of the project.

2.
A meticulous inspection of the JavaScript code is imperative to ensure its robustness and efficiency. We are looking for someone with expertise to thoroughly examine the codebase, identify any issues, and propose enhancements for optimal performance. 3. Since there is currently no existing JavaScript library for rendering mandoc, I had to create my own. However, there are still some hidden errors that emerge during the editing process. We are seeking assistance to fix these rendering issues. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ FreeBSD Wiki Links: Wiki URL: https://wiki.freebsd.org Contact: Wiki administration Plans are underway to familiarize our audience on Discord with the wiki (there are too many "silos" in our FreeBSD community). Contact Setesh on the FreeBSD Discord for more information. Preliminary work is being done on updating the wiki software itself. Continuing to run MoinMoin requires a jail with a downrev version of Python. The MoinMoin project itself seems to have stalled in the middle of a redesign; at a minimum, a complete upgrade of the backend database would be needed. Alternatives that are under consideration include MediaWiki and DocuWiki; see https://wiki.freebsd.org/Wiki/NextGeneration. Most of the discussion is occurring on Matrix; please contact wiki-admin@FreeBSD.org if you would like to participate. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Ports Changes affecting the Ports Collection, whether sweeping changes that touch most of the tree, or individual ports themselves. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ KDE on FreeBSD Links: KDE/FreeBSD initiative URL: https://freebsd.kde.org/ FreeBSD — KDE Community Wiki URL: https://community.kde.org/FreeBSD Contact: Adriaan de Groot The KDE on FreeBSD project packages CMake, Qt, and software from the KDE Community, for the FreeBSD ports tree. 
The software includes a full desktop environment called KDE Plasma (for both X11 and Wayland) and hundreds of applications that can be used on any FreeBSD machine.

The KDE team is part of desktop@ and x11@, building the software stack to make FreeBSD beautiful and usable as a daily-driver graphical desktop workstation. The notes below describe mostly ports for KDE, but also include items that are important for the entire desktop stack.

Infrastructure

CMake was updated several times and is now version 3.28.1, the latest upstream release. FreeBSD ports are once again fully up-to-date.

Qt5 is now on long-term support and updates only rarely. The KDE patch collection is a community-supported branch of Qt which pulls in upstream patches and fixes from the KDE community, and was updated to 5.15.12. There were several deprecations (see below) in the Qt5 ports.

Qt6 and KDE’s upcoming megarelease of KDE Plasma 6 (scheduled for 2024q1) are the next major milestone for the KDE team. Qt6 was updated to version 6.6.1 along with the Python bindings for Qt, PySide. An alpha-release of KDE Frameworks 6 was added to the ports tree.

KDE Stack

KDE Gear releases happen every quarter, KDE Plasma updates once a month, and KDE Frameworks have a new release every month as well. These (large) updates land shortly after their upstream release and are not listed separately.

• KDE Frameworks reached version 5.112. The KDE Frameworks 5 series is winding down, although it will be a few months still until it enters long-term support upstream.
• KDE Plasma Desktop was updated to version KDE Plasma 5.27.10.
• KDE Gear updated to 23.08.4.
• KDE Frameworks 6 (alpha) 5.247 was updated in the ports tree.
• KDE Plasma Desktop 6 (beta 2) 5.91.0 was updated in the ports tree.

Related Ports

The KDE ecosystem includes a wide range of ports — most maintained by kde@, all building on a shared base of Qt and KDE Frameworks. The KDE team updates them all as needed.
This quarter the KDE team would like to thank Tobias C. Berner, Gleb Popov and Jason E. Hale again for keeping things up-to-date.

Many ports have been "flavorized" to support a Qt5 and a Qt6 flavor in the ports tree. Special mention to:

• New port x11/xwaylandvideobridge. By design, X11 applications can’t access window or screen contents for Wayland clients. The video bridge improves Wayland support for screen sharing tools like Discord, MS Teams, Skype, and more. Screen sharing is fully under the control of the Wayland user.
• Update for multimedia/mlt7 which was updated to 7.20.0.
• Update for sysutils/bsdisks which was updated to 0.33.
• Bugfix for devel/llvm15 to make devel/kdevelop work again.
• Security fixes for www/qt5-webengine and www/qt6-webengine.

Deprecations

Web browsers are huge, and have a considerable security surface. The venerable www/qt5-webkit WebKit port was removed on the last day of 2023.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

State of GNOME 44

Links:
GNOME URL: https://www.gnome.org/
Development repository URL: https://codeberg.org/olivierd/freebsd-ports-gnome

Contact: FreeBSD GNOME Team
Contact: Olivier Duchateau <duchateau.olivier@gmail.com>

GNOME is a full desktop environment which is mainly based on GLib, GTK3/GTK4, and libadwaita. It provides two window managers or compositors: x11-wm/mutter and x11-wm/metacity.

Currently in the ports collection, x11/gnome-shell is not supported by upstream anymore.

As it is a lot of work, in order to have GNOME 44 available for users, I decided to split this update, because it impacts several ports. As a maintainer of x11/budgie and Pantheon desktop (a window manager based on x11-wm/mutter, developed for elementary OS) I need more recent versions of some GNOME libraries.

Firstly I worked on WebKitGTK. The 4.0 "legacy" API is almost not used by GNOME’s libraries. The bare minimum is the 4.1 API.
I created webkit.mk for the Mk/Uses framework, in order to flavorize www/webkit2-gtk3.

There is an ongoing effort, but currently it is too unstable. Often applications such as Epiphany, mail clients (Geary, Evolution), or the online accounts panel in sysutils/gnome-control-center dump core. Nonetheless, the remainder of the desktop is usable and the latest release (44.7) of GNOME Shell is functional.

I have begun sending my first patches for review (as well as those in Bugzilla).

• D43183
• D43230
• D43244
• D40489

I have also ported the GNOME Flashback session module. It depends on x11-wm/metacity and x11-toolkits/libwnck3.

I also maintain documentation, and we can see various desktops available.

GNOME 45 is almost finished, except for GNOME Shell extensions. For this release I will focus on Wayland support (bug #258042 and bug #271836).

Tests and patches are welcomed, especially for WebKitGTK.

In the coming months I plan to work on:

• Allowing selecting a session in the display manager (gdm); it is a regression with our patches.
• Fixing the sharing network (VNC, SSH) panel in gnome-control-center and backport for bug #275900.
• Continuing to update applications and libraries for GNOME 45.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

GCC on FreeBSD

Links:
GCC Project URL: https://gcc.gnu.org/
GCC 10 release series URL: https://gcc.gnu.org/gcc-10/
GCC 11 release series URL: https://gcc.gnu.org/gcc-11/
GCC 12 release series URL: https://gcc.gnu.org/gcc-12/
GCC 13 release series URL: https://gcc.gnu.org/gcc-13/

Contact: Lorenzo Salvadore

Updating GCC default version to 13 is moving ahead. Thanks to Antoine Brodin who ran the exp-runs and to all other developers and ports maintainers involved.

As you might remember from last quarter, additional patches were tested together with the default version updates.
Some of them have already been merged:

• lang/gcc11 has switched back to STANDARD_BOOTSTRAP and has been updated to 11.4.0;
• lang/gcc13 has been updated to version 13.2.0.

About half of the open bugs have been fixed, but another half remains. If you maintain any of the affected ports, please try to fix your port(s) and/or get your port buildable with the compiler in base.

This quarter many bug reports have also been opened about GCC. As soon as the default GCC version update is finished, all of those bugs will be addressed.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Third Party Projects

Many projects build upon FreeBSD or incorporate components of FreeBSD into their project. As these projects may be of interest to the broader FreeBSD community, we sometimes include brief updates submitted by these projects in our quarterly report. The FreeBSD project makes no representation as to the accuracy or veracity of any claims in these submissions.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Containers and FreeBSD: Pot, Potluck and Potman

Links:
Pot organization on GitHub URL: https://github.com/bsdpot

Contact: Luca Pizzamiglio (Pot)
Contact: Bretton Vine (Potluck)
Contact: Michael Gmelin (Potman)

Pot is a jail management tool that also supports orchestration through Nomad.

During this quarter, Pot 0.16.0 was released containing a number of features and fixes, including a new setting to prevent direct traffic between VNET pots and new attributes to configure pot stop behavior. There were also maintenance/stability releases to potnet (0.5.0) and a nomad-pot-driver (0.10.0).

Potluck aims to be to FreeBSD and Pot what Dockerhub is to Linux and Docker: a repository of Pot flavours and complete container images for usage with Pot and in many cases Nomad.
One of the new container images that have been added during the last quarter is Zincsearch, a more light-weight alternative to Elasticsearch written in Go. The Mastodon container is meanwhile powering the public mastodon.africa instance.

Also, we got some more publicity: BSD Now Episode 536 is titled "Pot-flavored Jails".

As always, feedback and patches are welcome.

Sponsors: Nikulipe UAB, Honeyguide Group