From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:14.ifconfig
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20240807145947.12F2059DC@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 14:59:47 +0000 (UTC)
List-Id: Project Announcements [moderated]
List-Archive: https://lists.freebsd.org/archives/freebsd-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-24:14.ifconfig                                       Errata Notice
                                                          The FreeBSD Project

Topic:          Incorrect ifconfig netmask assignment

Category:       core
Module:         ifconfig
Announced:      2024-08-07
Affects:        FreeBSD 14.0 and later
Corrected:      2024-06-15 15:24:59 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:28 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:41 UTC (releng/14.0, 14.0-RELEASE-p9)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

Prior to the advent of classless inter-domain routing (CIDR), the IPv4
address space was divided into classes based on how many of an address's
most-significant bits were set.
Since the class dictated the network mask, it was not necessary to specify
the mask when configuring an interface. Even after CIDR was introduced,
FreeBSD continued to allow the network mask to be omitted, for backward
compatibility reasons.

II.  Problem Description

When FreeBSD switched from using ioctl(2) to using Netlink sockets to
configure network interfaces, the logic for determining the default mask
in cases where one was not explicitly provided was inadvertently inverted,
resulting in class A addresses getting a prefix size of 24 instead of 8,
and vice versa for class C addresses. Class B addresses were not affected.

III. Impact

FreeBSD hosts which still rely on default network mask assignment and have
addresses in the old class A (0.0.0.0-127.255.255.255) or class C
(192.0.0.0-223.255.255.255) ranges will have an incorrect network mask.

The exact consequences will vary depending on the direction of the error
and the relative positions of the affected host and its default router
within the local address space. Affected hosts should still be able to
communicate with at least a subset of their local network, and may also be
able to communicate with a subset of the wider network, but will typically
lose the ability to communicate with any address which is not within both
the actual local address space and the misconfigured local address space.
This may include their default router.

IV.  Workaround

Make sure to always specify either a network mask or a prefix size when
adding IPv4 addresses to network interfaces. For instance, in a VM with a
paravirtualized network interface and an IPv4 address of 192.0.2.5
(historically class C), use either of the following in /etc/rc.conf or
/etc/rc.conf.d/network:

ifconfig_vtnet0="inet 192.0.2.5/24"

or

ifconfig_vtnet0="inet 192.0.2.5 netmask 255.255.255.0"

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch
# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch.asc
# gpg --verify ifconfig.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              048ad7a9ef9f    stable/14-n267957
releng/14.1/                            b9115dba07e8  releng/14.1-n267692
releng/14.0/                            01792dd7f27b  releng/14.0-n265424
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
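
Added example, not part of the notice and not FreeBSD source code: a C model
of the default-mask outcome described in FreeBSD-EN-24:14.ifconfig, with a
helper that flags rc.conf ifconfig values relying on the default. The
reachability model is an assumption (plain on-link test plus one default
router, no proxy ARP or ICMP redirects), and all function names and sample
addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { DIRECT_OK, VIA_ROUTER, UNREACHABLE };

/* Pack four octets into a host-order IPv4 address. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Historical classful default prefix length; 0 means no default (class D/E). */
int classful_prefix(uint32_t addr)
{
    if ((addr & 0x80000000u) == 0)
        return 8;                       /* class A: leading bit 0 */
    if ((addr & 0xC0000000u) == 0x80000000u)
        return 16;                      /* class B: leading bits 10 */
    if ((addr & 0xE0000000u) == 0xC0000000u)
        return 24;                      /* class C: leading bits 110 */
    return 0;
}

/* Outcome the notice describes: A and C defaults swapped, B unchanged. */
int inverted_prefix(uint32_t addr)
{
    int p = classful_prefix(addr);
    return p == 8 ? 24 : p == 24 ? 8 : p;
}

/* Would a host using this prefix treat peer as directly attached? */
static int on_link(uint32_t host, int prefix, uint32_t peer)
{
    uint32_t mask = prefix ? 0xFFFFFFFFu << (32 - prefix) : 0;
    return (host & mask) == (peer & mask);
}

/*
 * Simplified model (assumption): a peer is reachable directly only if it is
 * on-link under both the real and the configured prefix; anything the host
 * believes is off-link needs a router that is on-link under both.
 */
enum verdict reach(uint32_t host, int actual, int configured,
                   uint32_t router, uint32_t peer)
{
    if (on_link(host, configured, peer))
        return on_link(host, actual, peer) ? DIRECT_OK : UNREACHABLE;
    if (on_link(host, configured, router) && on_link(host, actual, router))
        return VIA_ROUTER;
    return UNREACHABLE;
}

/*
 * Audit helper for the workaround. Takes the value of an rc.conf
 * ifconfig_<interface> variable and returns the wrong prefix an affected
 * system would assign, or 0 if the entry gives a mask explicitly or the
 * address is not class A or C. Only values using the "inet" keyword are
 * examined (assumption).
 */
int misassigned_prefix(const char *value)
{
    const char *p = strstr(value, "inet ");
    unsigned a, b, c, d;
    size_t len;

    if (p == NULL)
        return 0;
    p += 5;
    while (*p == ' ' || *p == '\t')
        p++;
    if (sscanf(p, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    len = strcspn(p, " \t");            /* length of the address token */
    if (memchr(p, '/', len) != NULL || strstr(p + len, "netmask") != NULL)
        return 0;                       /* mask given explicitly */
    if (classful_prefix(ip4(a, b, c, d)) == inverted_prefix(ip4(a, b, c, d)))
        return 0;                       /* class B, D or E: not affected */
    return inverted_prefix(ip4(a, b, c, d));
}

int main(void)
{
    /* Constructed rc.conf values. */
    const char *values[] = {
        "inet 192.0.2.5", "inet 192.0.2.5/24",
        "inet 10.0.0.5", "inet 172.16.0.9", "DHCP",
    };
    size_t i;

    for (i = 0; i < sizeof values / sizeof values[0]; i++) {
        int wrong = misassigned_prefix(values[i]);
        if (wrong)
            printf("%-20s relies on default mask, would get /%d\n", values[i], wrong);
        else
            printf("%-20s not affected\n", values[i]);
    }
    /* Class A host with its router elsewhere in the real /8. */
    printf("10.0.0.5 -> 198.51.100.7 via 10.0.1.1: verdict %d\n",
           reach(ip4(10, 0, 0, 5), 8, 24, ip4(10, 0, 1, 1), ip4(198, 51, 100, 7)));
    return 0;
}
```
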

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:05.pf
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150000.5C69E5A4D@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:00 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          pf incorrectly matches different ICMPv6 states in the state
                table

Category:       core
Module:         pf
Announced:      2024-08-07
Credits:        Enrico Bassetti e.bassetti@tudelft.nl
                (Cybersecurity @ TU Delft, SPRITZ Group @ UniPD)
Affects:        All supported versions of FreeBSD.
Corrected:      2024-07-31 07:41:11 UTC (stable/14, 14.0-STABLE)
                2024-08-07 13:44:25 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:46 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-07-31 07:41:12 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:57 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6640

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

pf is an Internet Protocol packet filter originally written for OpenBSD.
pf uses a state table to determine whether to allow a packet that is from
a known/already open transmission. It identifies ICMPv6 states based on
the address family, protocol, addresses, and the ID.

Normally, states are created by outgoing packets, or by incoming packets
matching 'pass' rules. A packet that does not match any rule will be
blocked or allowed depending on the default rule.

ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to
work properly in broadcast networks, such as Ethernet.

II.  Problem Description

In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is
configured to allow ND and block incoming Echo Requests, a crafted Echo
Request packet after a Neighbor Solicitation (NS) can trigger an Echo
Reply. The packet has to come from the same host as the NS and have a
zero as identifier to match the state created by the Neighbor Discovery
and allow replies to be generated.

III. Impact

ICMPv6 packets with identifier value of zero bypass firewall rules written
on the assumption that the incoming packets are going to create a state in
the state table.

IV.  Workaround

No workaround is available, but systems not using the pf firewall are not
affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch.asc
# gpg --verify pf-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch.asc
# gpg --verify pf-14.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              3382c691dc6a    stable/14-n268277
releng/14.1/                            a66d33fcf334  releng/14.1-n267690
releng/14.0/                            ca9580967e74  releng/14.0-n265428
stable/13/                              05f91f8dd5ce    stable/13-n258160
releng/13.3/                            5eb30c313cb0  releng/13.3-n257443
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:06.ktrace
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150005.D39815D01@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:05 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:06.ktrace                                     Security Advisory
                                                          The FreeBSD Project

Topic:          ktrace(2) fails to detach when executing a setuid binary

Category:       core
Module:         ktrace
Announced:      2024-08-07
Affects:        All supported versions of FreeBSD
Corrected:      2024-08-07 13:41:53 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:29 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:47 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-08-07 13:42:10 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:59 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6760

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ktrace utility enables kernel trace logging for the specified
processes, commonly used for diagnostic or debugging purposes. The kernel
operations that are traced include system calls, namei translations,
signal processing, and I/O as well as data associated with these
operations.

II.  Problem Description

A logic bug in the code which disables kernel tracing for setuid programs
meant that tracing was not disabled when it should have been, allowing
unprivileged users to trace and inspect the behavior of setuid programs.

III. Impact

The bug may be used by an unprivileged user to read the contents of files
to which they would not otherwise have access, such as the local password
database.

IV.  Workaround

No workaround is available. I/O tracing can be disabled by setting the
kern.ktrace.genio_size sysctl to 0, but other information recorded by
ktrace, such as system call arguments, can still be leaked.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch
# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch.asc
# gpg --verify ktrace.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              8b400c8488f0    stable/14-n268423
releng/14.1/                            22d04990cee5  releng/14.1-n267693
releng/14.0/                            c39fb98e4740  releng/14.0-n265429
stable/13/                              f702110bc4bc    stable/13-n258224
releng/13.3/                            769536bcb5c3  releng/13.3-n257445
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:07.nfsclient
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150012.88B735D02@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:12 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:07.nfsclient                                  Security Advisory
                                                          The FreeBSD Project

Topic:          NFS client accepts file names containing path separators

Category:       core
Module:         NFS client
Announced:      2024-08-07
Credits:        Apple Security Engineering and Architecture (SEAR)
Affects:        All supported versions of FreeBSD
Corrected:      2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6759

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Network File System (NFS) is a distributed file system that allows
remote systems to access files and directories over a network as if they
were local. FreeBSD includes both server and client implementations of
NFS.

II.  Problem Description

When mounting a remote filesystem using NFS, the kernel did not sanitize
remotely provided filenames for the path separator character, "/". This
allows readdir(3) and related functions to return filesystem entries with
names containing additional path components.

III. Impact

The lack of validation described above gives rise to a confused deputy
problem. For example, a program copying files from an NFS mount could be
tricked into copying from outside the intended source directory, and/or to
a location outside the intended destination directory.

IV.  Workaround

No workaround is available. Note that for the problem to occur, the NFS
server would have to deliberately inject altered paths into RPC replies,
or a MITM would have to be altering NFS traffic.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc
# gpg --verify nfsclient-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc
# gpg --verify nfsclient-14.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              9328ded386d5    stable/14-n268239
releng/14.1/                            8533e927afc1  releng/14.1-n267686
releng/14.0/                            4e7bf17e9db8  releng/14.0-n265422
stable/13/                              0172b5145ad9    stable/13-n258140
releng/13.3/                            3d5cb2b9a97c  releng/13.3-n257439
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
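
Added example, not part of the advisory and not the kernel fix: a userland
check, in C, that a file-copying program can apply to each name returned by
readdir(3) before joining it to a directory path, as defence in depth against
the confused deputy problem described in FreeBSD-SA-24:07.nfsclient. The
function names and the sample directory listing are constructed for
illustration.

```c
#include <stdio.h>
#include <string.h>

enum entry_kind { ENTRY_OK, ENTRY_SKIP, ENTRY_SUSPECT };

struct copy_plan {
    int accepted;   /* names safe to join to the destination directory */
    int skipped;    /* "." and "..", which a copier never descends into */
    int suspect;    /* names no well-behaved filesystem should return */
};

/* Constructed listing, as a misbehaving server or a MITM might present it. */
static const char *const SAMPLE_ENTRIES[] = {
    ".", "..", "report.txt", "../../etc/passwd", "sub/file", "notes.md",
};

/* A directory entry name must be exactly one path component. */
enum entry_kind classify_entry(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return ENTRY_SUSPECT;
    if (strchr(name, '/') != NULL)
        return ENTRY_SUSPECT;           /* the case the advisory describes */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return ENTRY_SKIP;
    return ENTRY_OK;
}

/*
 * Build "<dir>/<name>" in out. Returns 0 on success and -1 if the name is
 * not a single component or the result would not fit; a truncated path
 * could name a different file, so truncation is treated as failure.
 */
int safe_join(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;

    if (classify_entry(name) != ENTRY_OK)
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Walk a listing and decide, per entry, whether a copy may proceed. */
struct copy_plan plan_copy(const char *const *names, size_t count,
                           const char *dstdir)
{
    struct copy_plan plan = { 0, 0, 0 };
    char dst[256];
    size_t i;

    for (i = 0; i < count; i++) {
        switch (classify_entry(names[i])) {
        case ENTRY_SKIP:
            plan.skipped++;
            break;
        case ENTRY_SUSPECT:
            plan.suspect++;
            fprintf(stderr, "refusing entry \"%s\": not a single component\n",
                    names[i] != NULL ? names[i] : "(null)");
            break;
        case ENTRY_OK:
            if (safe_join(dst, sizeof dst, dstdir, names[i]) == 0) {
                plan.accepted++;
                printf("would copy to %s\n", dst);
            } else {
                plan.suspect++;         /* destination path too long */
            }
            break;
        }
    }
    return plan;
}

int main(void)
{
    struct copy_plan plan = plan_copy(SAMPLE_ENTRIES,
        sizeof SAMPLE_ENTRIES / sizeof SAMPLE_ENTRIES[0], "/backup");

    printf("accepted=%d skipped=%d suspect=%d\n",
           plan.accepted, plan.skipped, plan.suspect);
    return plan.suspect != 0;           /* non-zero exit flags the listing */
}
```

On FreeBSD, opening files with openat(2) and O_RESOLVE_BENEATH relative to the intended directory gives a kernel-enforced form of the same constraint.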

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:08.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150017.352775BAB@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:17 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:08.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH pre-authentication async signal safety issue

Category:       contrib
Module:         openssh
Announced:      2024-08-07
Affects:        All supported versions of FreeBSD.
Corrected:      2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-7589

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

II. Problem Description

A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges.

This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD.

III. Impact

As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.

IV. Workaround

If sshd(8) cannot be updated, this signal handler race condition can be mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). This makes sshd(8) vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but makes it safe from the remote code execution presented in this advisory.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart sshd.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the applicable daemons, or reboot the system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              73466449a9bf    stable/14-n268414
releng/14.1/                            450425089212  releng/14.1-n267691
releng/14.0/                            c4ade13d5498  releng/14.0-n265423
stable/13/                              d5f16ef6463d    stable/13-n258221
releng/13.3/                            f41c11d7f209  releng/13.3-n257444
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:07.nfsclient [REVISED]
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240809233845.D90F5AFBF@freefall.freebsd.org>
Date: Fri, 09 Aug 2024 23:38:45 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:07.nfsclient                                  Security Advisory
                                                          The FreeBSD Project

Topic:          NFS client accepts file names containing path separators

Category:       core
Module:         NFS client
Announced:      2024-08-07
Credits:        Apple Security Engineering and Architecture (SEAR)
Affects:        All supported versions of FreeBSD
Corrected:      2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6759

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

0. Revision History

v1.0  2024-08-07 -- Initial release
v1.1  2024-08-09 -- Corrected patch path typo

I. Background

The Network File System (NFS) is a distributed file system that allows remote systems to access files and directories over a network as if they were local. FreeBSD includes both server and client implementations of NFS.

II. Problem Description

When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components.

III. Impact

The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory.

IV. Workaround

No workaround is available.

Note that for the problem to occur, the NFS server would have to deliberately inject altered paths into RPC replies, or a MITM would have to be altering NFS traffic.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch.asc
# gpg --verify nfsclient-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch.asc
# gpg --verify nfsclient-14.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              9328ded386d5    stable/14-n268239
releng/14.1/                            8533e927afc1  releng/14.1-n267686
releng/14.0/                            4e7bf17e9db8  releng/14.0-n265422
stable/13/                              0172b5145ad9    stable/13-n258140
releng/13.3/                            3d5cb2b9a97c  releng/13.3-n257439
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
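
Added example, not part of the advisory and not FreeBSD's fix: one way a user-space copy tool can guard against the confused deputy case in FreeBSD-SA-24:07.nfsclient is to treat every name from readdir(3) as untrusted and accept it only if it is a single path component. The function names, ENTRY_NAME_MAX, the directory paths and the sample listing are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ENTRY_NAME_MAX 255 /* assumed per-component limit (FreeBSD NAME_MAX) */

enum name_verdict { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_HAS_SEPARATOR, NAME_DOT };

/* Classify a name as handed back by readdir(3). A directory entry is exactly
 * one path component, so a "/" anywhere in it marks an altered reply. */
enum name_verdict check_entry_name(const char *name)
{
    size_t len = (name != NULL) ? strlen(name) : 0;
    if (len == 0)
        return NAME_EMPTY;
    if (len > ENTRY_NAME_MAX)
        return NAME_TOO_LONG;
    if (memchr(name, '/', len) != NULL)
        return NAME_HAS_SEPARATOR;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return NAME_DOT;
    return NAME_OK;
}

/* Write "<dir>/<name>" into out. Returns 0 on success, -1 if the name is
 * rejected or the result would be truncated. */
int join_entry(char *out, size_t outsz, const char *dir, const char *name)
{
    int n;
    if (check_entry_name(name) != NAME_OK)
        return -1;
    n = snprintf(out, outsz, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Plan a copy of each listed entry; returns how many entries were refused. */
size_t plan_copy(const char *src, const char *dst,
                 const char *const names[], size_t count)
{
    char from[1024], to[1024];
    size_t refused = 0;
    for (size_t i = 0; i < count; i++) {
        if (join_entry(from, sizeof(from), src, names[i]) != 0 ||
            join_entry(to, sizeof(to), dst, names[i]) != 0) {
            refused++;
            continue;
        }
        printf("copy %s -> %s\n", from, to);
    }
    return refused;
}

int main(void)
{
    /* Constructed listing standing in for altered readdir(3) results. */
    static const char *const listing[] = {
        "report.txt", "../../etc/rc.conf", "logs/../../outside", "..", "notes.md" };
    return plan_copy("/mnt/nfs/export", "/backup/export", listing, 5) == 3 ? 0 : 1;
}
```

The same name is checked for both the source and the destination path, because the advisory notes that either side of the copy can be redirected.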
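
Added example for FreeBSD-SA-24:08.openssh above, not sshd's or FreeBSD's code: a SIGALRM handler that calls a logger directly, beside one that only sets a sig_atomic_t flag and leaves the logging to normal context. log_event() is a hypothetical stand-in for a syslog(3)-style logger, the handler names are assumptions, and raise(SIGALRM) stands in for the LoginGraceTime alarm firing.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* sigaction(2) */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t grace_expired;    /* set by the safe handler */
static volatile sig_atomic_t in_handler;       /* 1 while a handler runs */
static volatile sig_atomic_t unsafe_log_calls; /* logger calls from a handler */

/* Hypothetical stand-in for a syslog(3)-style logger, which formats, locks
 * and may allocate; it counts calls that arrive from signal context. */
static void log_event(const char *msg)
{
    if (in_handler)
        unsafe_log_calls++;
    else
        fprintf(stderr, "log: %s\n", msg);
}

/* Pattern described in the advisory: the handler calls the logger itself. */
static void unsafe_grace_handler(int sig)
{
    (void)sig;
    in_handler = 1;
    log_event("timeout before authentication");
    in_handler = 0;
}

/* Safe pattern: only store to a sig_atomic_t; the main flow logs later. */
static void safe_grace_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Deliver one SIGALRM to handler; return logger calls made in signal context. */
int logger_calls_in_signal_context(void (*handler)(int))
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    grace_expired = 0;
    unsafe_log_calls = 0;
    if (sigaction(SIGALRM, &sa, &old) != 0)
        return -1;
    raise(SIGALRM);    /* stands in for the LoginGraceTime alarm firing */
    if (grace_expired) /* normal context: non-reentrant calls are fine here */
        log_event("timeout before authentication");
    sigaction(SIGALRM, &old, NULL);
    return (int)unsafe_log_calls;
}

int main(void)
{
    int unsafe = logger_calls_in_signal_context(unsafe_grace_handler);
    int safe = logger_calls_in_signal_context(safe_grace_handler);
    printf("logger calls in signal context: unsafe=%d safe=%d\n", unsafe, safe);
    return 0;
}
```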