From nobody Wed Aug 7 15:00:00 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WfCyS6b3Tz5SH7Y for ; Wed, 07 Aug 2024 15:00:00 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WfCyS5Xfdz434p; Wed, 7 Aug 2024 15:00:00 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042800; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=dvYtraIFLutLb4ehyo95HP3wM0hBxxNwydNqXOqMcDA=; b=yFPYTjH97ivQ2OAlA5inSPoDZAuQi+6zgai1tOH/lG4QizHWbSLZlQiMIAKOn6/BYyvI1X zs55Ow/5htPazKF1H6SFgEBILs5mVrXA8dtWJRfiGETr64PpqgxJSg/KOvNdGWUQ5QoOjq dBe74J9kXf9/yBjrCdHWGaCoskYR4CGcdspZ5YmHpuMmKnYHEEynFFM7M1WiWrTumZurdK LXrM+EGLaDrd5HswDEXPGKqOdxBhNtNMctljbMQ2gadX2QqiuCpWqjy0YL5HKwLS+OI0uG xYh8+P3uQn43zW5T3MTDlxpDlNe1qP4vShXwYbTnlF+jqx2dwn5HJ+GGWPIuxw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1723042800; a=rsa-sha256; cv=none; b=e0k9g9vm8mZbdNnbd0YYYRljNh4ulUILntSf9r+Vsl9jkbIFEa1g1WrOCk2/tK0SdXqXf+ c/2dLbkQHLAOZKXumzoRTH8d8efCuAQZWT4rUJ7Eshp3urME6WH5bQw9ONv09PiWWxS/37 Je8Ei+LKc74MHztGBCxn6NSOg4ACUswGIFZ34XJp+iCTQH898thHu6lY/PlL5L/bSp5xvC Uo2XhlrtKu/QSkb7A93p3toYbG/BMnC1DWm9XBjhXD1C6FdDrR7YZgmNMt95fRw880bdb6 mOGw95SKmmVanoGyiGnuZq0bA5Z4wKlAmNPWbFHSwgelz6tS81aP7NPxqZMA0Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042800; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=dvYtraIFLutLb4ehyo95HP3wM0hBxxNwydNqXOqMcDA=; b=sbU/JjcHbvomevjg+HtxuCBDM+Lg10QFphIf+0Q+APVRoGTAIN9dBBIfyPPQq8UX/4sS6Q f1JJCE91WFZd0l/GU3S5dSR2pXX5voGFo7Zh1R0QmcnzUEBtgyvyal2PN7NBOhGsxm3x0M DHeFDXil4rEDpqpJX0Mk/WD/FnWh4sTr0hUk3YzdhOO24yn3nNfyAaaf4rWXnJqVw4cuYm vB2j9GUvFk26Xdb2bEE4kzU7pLAME6z/6X5kxVB00JowhjRnpa1BgBoIqOIW06kbbuEJSJ PNidgCmLzJxXBrtAqDvfjrP3CW8thRCZY3fzZTm8VW49C4OuN93NAwBB1U4efQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 79028597F; Wed, 07 Aug 2024 15:00:00 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:05.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240807150000.79028597F@freefall.freebsd.org> Date: Wed, 07 Aug 2024 15:00:00 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:05.pf Security Advisory The FreeBSD Project Topic: pf incorrectly matches different ICMPv6 states in the state table Category: core Module: pf Announced: 2024-08-07 Credits: Enrico Bassetti e.bassetti@tudelft.nl (Cybersecurity @ TU Delft, SPRITZ Group @ UniPD) Affects: All supported versions of FreeBSD. Corrected: 2024-07-31 07:41:11 UTC (stable/14, 14.0-STABLE) 2024-08-07 13:44:25 UTC (releng/14.1, 14.1-RELEASE-p3) 2024-08-07 13:44:46 UTC (releng/14.0, 14.0-RELEASE-p9) 2024-07-31 07:41:12 UTC (stable/13, 13.3-STABLE) 2024-08-07 13:44:57 UTC (releng/13.3, 13.3-RELEASE-p5) CVE Name: CVE-2024-6640 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. pf uses a state table to determine whether to allow a packet that is from a known/already open transmission. It identifies ICMPv6 states based on the address family, protocol, addresses, and the ID. Normally, states are created by outgoing packets, or by incoming packets matching 'pass' rules. A packet that do not match any rule will be blocked or allowed depending on the default rule. ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work properly in broadcast networks, such as Ethernet. II. Problem Description In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply. The packet has to come from the same host as the NS and have a zero as identifier to match the state created by the Neighbor Discovery and allow replies to be generated. III. Impact ICMPv6 packets with identifier value of zero bypass firewall rules written on the assumption that the incoming packets are going to create a state in the state table. IV. Workaround No workaround is available but systems not using the pf firewall are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.3] # fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch # fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch.asc # gpg --verify pf.patch.asc [FreeBSD 14.0 & FreeBSD 14.1] # fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch # fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch.asc # gpg --verify pf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 3382c691dc6a stable/14-n268277 releng/14.1/ a66d33fcf334 releng/14.1-n267690 releng/14.0/ ca9580967e74 releng/14.0-n265428 stable/13/ 05f91f8dd5ce stable/13-n258160 releng/13.3/ 5eb30c313cb0 releng/13.3-n257443 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhasACgkQbljekB8A Gu9/0Q//S/qcyIxnQ1V8Gz8ghAQuJu8OlTdYV9OexFSKExcbc9FYK6LwhSUfPtHf Bx9KowhQCH2D1X33qHRUCWVhDMhgpvHmg/+ajnm0IP/+nc+ZnNFCC0Ew5b/mk7Uw jQAxW54/RSe1Cnl11T4RTcPI7YhGTej8T5T8dm2TlCdTI3m7xS/zfR3e4x89yrmW gVUBG54udbSSzxMDJk2rbr9anoinzaI0eiXY/rnb729OTU6y4SmJ9ZZZwXs+bRpP AUE7Zgj7pNrWC1CxTMy6XLdPE/L/8Yxz9mOFpyJcHahoEHcMH+5DKQePGa4mQgnS N8Srtrxx3Ipz5/zzOPr+O0BbOh8m7KMXU/J8Y3aHpUzbnr+IfGEUHBukN93M3qbV Qkw9iW+5HZ45P16Fyaj2cq7He7F39/7B/DhfjLldbUOnWGPmn3JrWkvONL++iAyI +vOrfGubyTtwgSdZGDcv+FUrL6af6nQzFBBgv4z4TpHN+BTcwA5c6JwuOlvMc5ZY ISh8WItjxmK5Gh27H7JBGKwWDnKYjqkRcgJ7QZd7dmjo2bzOlnKV0eYk51eBvoIh FV4YGAgMPxCJGBrl54/0F5+C8zl0cjNlEhnyyl2IEBbPbnfmvpNw3tMbJdPfEUhF DK+j5IkDU/4sNrV/dmeD+K+u/3xgDxtUv6IjH2odmADtlCbOV80= =/mRR -----END PGP SIGNATURE----- From nobody Wed Aug 7 15:00:05 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WfCyZ3Fd3z5SHDC for ; Wed, 07 Aug 2024 15:00:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WfCyZ1DlMz43KF; Wed, 7 Aug 2024 15:00:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042806; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=x/2mtK09wPqXbNceDvWIm4xKOlZ97hxXXtZUL676sVo=; b=IA4L8C3b9u9MXpIF2YKydNok6ACYMeYXvVaK3ffoL5mSgi9zrgBMrMgP4paHtV+lOOYA7D 474ucOjCmlH/72PO58rRAjMJFKmeA7nf+XA2zF6XsTTs80KVORrHTiyNBX7G39kcYe5PG1 ui7U+A0lA9em8pnuV8guDtWwb5AeAVzp9yEOQQHC3D1Fg22dO8WuDh6lj1yxvHpYPUt0ff NvVSKuxexI9ZmeT6FjcsiDoWYECSwmPihSQRR+PWvb5kR75HTseLo9LqYG984a1J/xz3Po 29h8EfreknnKgdFrpgXpiEJ8hf6t5QF4IHqQZAVeoT/K8kQWWcOIP0YoCWUlmA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1723042806; a=rsa-sha256; cv=none; b=ak5cB66L1iBCy1NUx+NOh5IlUwnBvgVyVuAbTcDE9zXfoGen58C+rVIo7SFxemme+nB12G z65DMeAm9JOie7Q3X/W//ISgPweuoJ8eMgRSXY8Od1/nbtvpv7UCVdjWyQ7YOtSgSj4DOx oiF/BErevOYZQk3O1IfAlTp+PM/Mcr6fw5IHO4+tHNdY/sYw9vk6O8hIr7Blc++D2ASQVe 7pDcaNxJK566fJS2fS0Ps99Cr8QTgtIfZnregRKQDHyaya7NejKs1ZRS+VAuCHyAKsmpkh 8cKaOnjjUDmgeHNECVi2R53VG8TfASBcnoC1/bTEKs/tgcjvfC4psu62xVlrSQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042806; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=x/2mtK09wPqXbNceDvWIm4xKOlZ97hxXXtZUL676sVo=; b=U6mn1k7Tk+DCXkmHrgM34hMxVxO3T+/+/XqWGlP2F1zRm9X/TNBotjujLxS6TrUp1BZ10U m8ujZ80dOTF/IvtatOcaspesgWo911A9SOQy1t5qVPD8+VGrG2TYr1HZQHPiQC1Fycp7yE plsny1hbYJ7VqwRMIBGXTuq4EZNdXvTbaUd+KoOi1Br/+bfuP76WnKKveZEezqMpI8mAR9 h6/3yiwn8w3Wnr3FiF8WPDC7Y2avZEOxglSqH630C6hHzRI8q3a/M5NI+k0wojUI57F+lB hR/84jKULPdW8DZ6vdXWJvGXX1rbPf5yfY/VWQ5x+n2zQOgUa75GlZeY0y8Ogw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 010025B2B; Wed, 07 Aug 2024 15:00:05 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:06.ktrace Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240807150006.010025B2B@freefall.freebsd.org> Date: Wed, 07 Aug 2024 15:00:05 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:06.ktrace Security Advisory The FreeBSD Project Topic: ktrace(2) fails to detach when executing a setuid binary Category: core Module: ktrace Announced: 2024-08-07 Affects: All supported versions of FreeBSD Corrected: 2024-08-07 13:41:53 UTC (stable/14, 14.1-STABLE) 2024-08-07 13:44:29 UTC (releng/14.1, 14.1-RELEASE-p3) 2024-08-07 13:44:47 UTC (releng/14.0, 14.0-RELEASE-p9) 2024-08-07 13:42:10 UTC (stable/13, 13.3-STABLE) 2024-08-07 13:44:59 UTC (releng/13.3, 13.3-RELEASE-p5) CVE Name: CVE-2024-6760 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ktrace utility enables kernel trace logging for the specified processes, commonly used for diagnostic or debugging purposes. The kernel operations that are traced include system calls, namei translations, signal processing, and I/O as well as data associated with these operations. II. Problem Description A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. III. Impact The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database. IV. Workaround No workaround is available. I/O tracing can be disabled by setting the kern.ktrace.genio_size sysctl to 0, but other information recorded by ktrace, such as system call arguments, can still be leaked. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch # fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch.asc # gpg --verify ktrace.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 8b400c8488f0 stable/14-n268423 releng/14.1/ 22d04990cee5 releng/14.1-n267693 releng/14.0/ c39fb98e4740 releng/14.0-n265429 stable/13/ f702110bc4bc stable/13-n258224 releng/13.3/ 769536bcb5c3 releng/13.3-n257445 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha0ACgkQbljekB8A Gu/6ThAAvKUJFwdRV/rSRyGEOTWJE+dv1Qig000xhD6g42yKpfGShaNFUTSvMPG+ kLtpN41SRN/LXyNyQfk3GL2SmphB2V9nlJ+FM2PEmi4hMrWoiNi6uX9MmSheFbp3 QbDAh5+2sRo66AUXjUX118cK1ruqQjRRMVSW6D8hOeDv64Wvg01L0R3ls1ZsdXYL 5wYuTRNh2ciyMEHQ0QUz8X38qebdPSV/8aVNSZYinwtYE+wGWbpmUCQoqgtLlnT9 3UqIy68KVj4+TNYoZuQkK5/Ur9YG884YlNpzsJ6peX8U0gjQhG1BfqEPAylTZn/6 vPp0LtJ0fRRZs0a6XJQ+rBxhuh22vLLFLXI9jSthCcNdJhRFFnnY9nFoB0/EOpIH I6i94dEExCeGkWcpPB2wyrQGPcRTik9h57vsTaHcnEAPWu1fO2OckUILZVsMs7Yp WXePdrVfTke1hIzk5DAc5PYJ1IKcN49m/+GhXjLz8aCcy9RadJPpJDe2HSltgfTn xvxAudY+58f6518getIfvU4tAA1DVw2Y9zRoRhdlXLiVDayBkCOFRMMBY1cWOk9o aUnbQ9PYO2h7iyzSvqgWDLIy7fIdLZnyuflSVtJ4KUnetk2hU5kxb0VZFx10+z7l dsTyXGdb04olDMvURtgn5eQotbJzn+KLqi3vOmQ92uAGSsLeH70= =3iOc -----END PGP SIGNATURE----- From nobody Wed Aug 7 15:00:12 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WfCyj0qFHz5SHPk for ; Wed, 07 Aug 2024 15:00:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WfCyh5jRLz43Lb; Wed, 7 Aug 2024 15:00:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042812; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=rXuzDHRX4VhOFI0Qsqd2eyK144II+JwZflhUmi7wpFI=; b=ldASlh54m9JjGy504NGrVjHWVIG5I8dTtVlc6xnPoSZTr6oFGYdxm9B4hOoegrRet90plw FwiFeH0bWPpy3nz4OgA1PqWbVX1rXhcZwiDXD52WG6HxBQLwAsL4V1fYYiARErJAQADjPQ zPeBVaMUm0cSb2dGSxUCAzJZ0hiqoSf3EC/rXRDkZpIOkPmpJ9+eYKib2E+qWZ4rqCT9ca 1C4gFuIqYXm7olWbVNUrrY5IynFq1RThlmGoR2D+CIQGmzS9Lnpte+KSkCJ5rI5LUYG7yF rD2qxZXft9CtD7VdHz9P3B3YIeIRFrMPO7G36yrsS57Gdrknnj/RZGtdVlnbKg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1723042812; a=rsa-sha256; cv=none; b=NmCp5O+T3fUMS5TRCzvbUt2FoGv3buDjHufzNj+AA3k57/n5yTyu5Z40ez6jpkKu/jH/5i GP4/zVcost6B4eRoAdCRg6xBrfMSdJRxkSTVHVc6ht0ra8hxHc6W0gBL3wYlxcyYBHLCSt K1QVJYXpO6AmPA370zjnhVHzhrVKxsj7+Ks4OlRHgAdyy1Wa73rXtH8e5IIA2+JbObhRCc n+SsPkPVPhJTFvt+0s+/i7UGWcFF+jJP8NkQapIssb4HZHqosDUHegg+6pIdQ4p3i1YGvO kgD05wRu2K3uxZiBRJCm6a56tr/ywBqexKzC5kayfxCSiIQSRh7biVL8We5tPw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042812; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=rXuzDHRX4VhOFI0Qsqd2eyK144II+JwZflhUmi7wpFI=; b=vXVVB8+fKPX1atuLP6Y5Sbgd/h9lqIigqUtlB3atXEHWAklX+RasLA7ZCln++bUPAUMUQn hMhv1PQ6kMZz7FRNdxA7Poe5vlXKKE1JBnpuQOHGJYDucTjDm6rbKVDz8RpYjbSPTb1Ebf sAlFQ1XlwH3Wyot0SWLMIiddzkUi0pZXwCiQmTbKeW0VynGe3jS5hI7yjGpcovaWVeB9uv ep/Kab922a7tYOF6osyx51yEBUPsGdXEpDABcQyVA6UQuSYlfgP/mDLmocg4ktwVwEmsrM Cue05p1cq/1L7AuhcqRoihKYlGp6VT5WWEkp8yUq4fsqO+iwIqN77iI8NuIVAA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 94E075BA9; Wed, 07 Aug 2024 15:00:12 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:07.nfsclient Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240807150012.94E075BA9@freefall.freebsd.org> Date: Wed, 07 Aug 2024 15:00:12 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:07.nfsclient Security Advisory The FreeBSD Project Topic: NFS client accepts file names containing path separators Category: core Module: NFS client Announced: 2024-08-07 Credits: Apple Security Engineering and Architecture (SEAR) Affects: All supported versions of FreeBSD Corrected: 2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE) 2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3) 2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9) 2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE) 2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5) CVE Name: CVE-2024-6759 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Network File System (NFS) is a distributed file system that allows remote systems to access files and directories over a network as if they were local. FreeBSD includes both server and client implementations of NFS. II. Problem Description When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. III. Impact The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory. IV. Workaround No workaround is available. Note that for the problem to occur, the NFS server would have to deliberately inject altered paths into RPC replies, or a MITM would have to be altering NFS traffic. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.3] # fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch # fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc # gpg --verify nfsclient-13.patch.asc [FreeBSD 14.0 & FreeBSD 14.1] # fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch # fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc # gpg --verify nfsclient-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 9328ded386d5 stable/14-n268239 releng/14.1/ 8533e927afc1 releng/14.1-n267686 releng/14.0/ 4e7bf17e9db8 releng/14.0-n265422 stable/13/ 0172b5145ad9 stable/13-n258140 releng/13.3/ 3d5cb2b9a97c releng/13.3-n257439 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha8ACgkQbljekB8A Gu80VxAAsDhdNW5FHcXEBZXbfR6fsShdWGQo8rCY1R1Buq8uhPI4bdzXCFrgUKM7 Rm5P+zfZNcTYtM0epU1Fiz2BhjsKVfKIOMIBmuMik9xMBfeHnTihKGFBZ+TFj7i8 1Kv/NE+oCn99jKZS7sZVNBvdbDMNBq4Em0vixXGRnKlEpa3r8b7niLuB0rHa97// gzIP5GvhUTsMaw3TwCAkVnZDrx+AoAU0dbLVIFf07P4mEt7StGd76C1dq4a6+3ZV s3Gqm16H8nYan5NJzpH2SIhcav4YyDuSD1eS8isyLn5bybpROdYQT7tCAfplpR2X pX0oQ8FRlslodV/wWaGNnCTNTYoSTj0jf77CM4fd8ERdKKmhC6x9zHsDyJBzH5Ku E6JlY9IvM0fL2N4KPDpNjF/U8RmNWDcxxaaou/6uohWdg977CX8uP1wfSL/4Sw6u SvqfDwwqd5BRE4KiqMFE024zgeogeJU7i21747HKs4nxWlNuPhVrWRjrarRhYlc2 M4l2te7OQMjVPtbYhO4DXnDMqNgN37Qf2srgBiAnlOpmRX5Trgj4pw6DGQlSVoWO xY8fO02xAZuRUKgNA/TEvmRVuZx0LaLkl49xQjB8DxSvggYVFbJaY2HpfjnktmN0 ZuMlcw0h/cv9UEFn3FWy0147xN/cjXjozvACmDUWhG0LdiUcnzc= =tJAo -----END PGP SIGNATURE----- From nobody Wed Aug 7 15:00:17 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WfCyn6Glcz5SHF9 for ; Wed, 07 Aug 2024 15:00:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WfCyn2tFTz43X1; Wed, 7 Aug 2024 15:00:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042817; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=uwYR0hTEaSWwsW8rAf96JUmNQXCsIF43ZOYWs1H5Bzg=; b=SjKkf3SqV7FFEDxgBfF/7CEBdH6eC/JMgy23y7rm9SEP9XQerm4em/jzILw+G7xG8Eyjyv J0J7eW09JIlPSKU19nC0wTYBsgnYQh5rVvFRzJT03eQFpDraHNVlFQT/YLX2tzD2h4+W/j OB52xTA5Eecu1rFV14teRnU2WOAmE0hlmYoAr1kUpB7FcXe6yAwNnEGuYCO0xLSyYPR7fU hmqR3V9LpJ9tXlG28srybcbs80FhB/N8l11b3m17hWFQTASbiX8PkX0DWI4We6hjAGb3aa G+AN1WgoQtdaRRnllx2zfRioexCcN5S2PhrqpwJhU+nB2CI9TJe/Cx0W2kq0EQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1723042817; a=rsa-sha256; cv=none; b=spAYnE+4Gc2rZ7CIotARpSfFs3wnJorkn0EssmK/nY0RiIzGbyAlKXB/noMYi0hB9DomV9 YtEttcnYNwdCa7let1L+x360oed5BEIqXyDCBw0JReInmcPDfEielo68Kdb7qCJNrNHRcV 0iZfPNIeHhD0tCFDRV02WR/cM9sX7rj3A35QIGimJvR4q8rsnO8hfmh/pjZxYUd4xqLMMt 8Q6dqdWyu9PhR9RU4N0tU2ZOe9QBs3dl7W+rTn1akDfBDEEDLFwEYUHBZCWnETfSrp3FqM FMbWQ+lEGdirzyMLngv4jXIgTKBDRPzvC1qtfNk8nOdpr1VwsFgLkZRp5vzYGQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723042817; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=uwYR0hTEaSWwsW8rAf96JUmNQXCsIF43ZOYWs1H5Bzg=; b=scNOB6HDPM+/dy41/cyhu/Dy7lpq+aQCOwEdK+RKBov+srDdm70RjuYhZdXeuV6mNM6R38 gHC0n73U7nkhe4MMqJHA774TnRHva7Bnb4MEhuyoGzK8unPmJp/iT2wztri2zVUbEy0E5C y0u9JZ7HOXZcOLjHKMk13EBdJgIPDaOxyFXMFRdEqPk2et9tVGOkjJdepVeW3/mZlmFSut swoLPuks8yNwRkTg9LPnBpjFe2BpvB3siNLCPUOBYRcVnXMjpPuxSI13VlYRKaUdZR+3JQ OfXSfybJQuloM03+ybnSLtIJLgVStRbqJ/fnMS08vdLMthYCSETamnomWbIoxA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 530DA5A54; Wed, 07 Aug 2024 15:00:17 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:08.openssh Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240807150017.530DA5A54@freefall.freebsd.org> Date: Wed, 07 Aug 2024 15:00:17 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:08.openssh Security Advisory The FreeBSD Project Topic: OpenSSH pre-authentication async signal safety issue Category: contrib Module: openssh Announced: 2024-08-07 Affects: All supported versions of FreeBSD. Corrected: 2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE) 2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3) 2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9) 2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE) 2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5) CVE Name: CVE-2024-7589 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. II. Problem Description A signal handler in sshd(8) may call a logging function that is not async- signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. III. Impact As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root. IV. Workaround If sshd(8) cannot be updated, this signal handler race condition can be mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). This makes sshd(8) vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but makes it safe from the remote code execution presented in this advisory. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart sshd. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 73466449a9bf stable/14-n268414 releng/14.1/ 450425089212 releng/14.1-n267691 releng/14.0/ c4ade13d5498 releng/14.0-n265423 stable/13/ d5f16ef6463d stable/13-n258221 releng/13.3/ f41c11d7f209 releng/13.3-n257444 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhbIACgkQbljekB8A Gu8uDBAA6gj9o4DXfVMHeZCFKr3WT/g3wPbilTk2xmvzkYoCkAMFC2PZ48wbxK7U /tXvVC5Hs7OO0jkZXgCNiLsUe4kzgEPeutsyi3x5i6uWlLA+I03UZyPdwFgkBM75 w4IYeut6nMfiozJmiy7ekmxdjO1f+IGMy/yoa46gUr0524TyNjqF//p1wAePTF75 WgvZrGEildEuZk6lHp3/sm1fmv4HxG5EmNmzlzWcj/jjMnOAe5Cbf8qpcKe42V5Y vBj8Cm6lVtOaviuT4XXnmkQro3uejeUq6z+LYwM7Pcs26OIeRgz9kzLNB2EXEwR7 GNJDwzUbKvaOfvTnZao8KWqdw3fbS9Un39SJAAs32Y+5sqAcUnmRbdHa1pEFZ2rx F9moYxZ3/xuQhxzNmMqXMyAfWrlJcoX1Tc5hVSh2Rn0TWpH17BMTs3FVdtoaP2iG owhwdPLXBvePkNa/FSARVfhunrFDIBEwBQd3pN5TJRCmKdzvNqmxJsL6Z2y7Ib48 EkFaw90t9kRg1+87YUjMQlhwNVww/yLzDzdZ137bRAeJtP3i7ZdbEVqUZGQvubCE 2eDDaYuEj4RM3UElIlHRj2Z8YlXgfmgr2BcbLpqgP3cXw6McS0POG4Pw4z4Wyshn prFtFlMFqJbAqlNQkXfdVquu/V8BSay0iLaEy69t4KBVp4DFsf4= =TDgI -----END PGP SIGNATURE----- From nobody Fri Aug 9 14:28:25 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WgR9P0kvVz5S789 for ; Fri, 09 Aug 2024 14:28:41 +0000 (UTC) (envelope-from achyuth.amar@gmail.com) Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WgR9N32LNz4bw9 for ; Fri, 9 Aug 2024 14:28:40 +0000 (UTC) (envelope-from achyuth.amar@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=l8rqUlxv; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of achyuth.amar@gmail.com designates 2a00:1450:4864:20::62c as permitted sender) smtp.mailfrom=achyuth.amar@gmail.com Received: by mail-ej1-x62c.google.com with SMTP id a640c23a62f3a-a7aa086b077so217260166b.0 for ; Fri, 09 Aug 2024 07:28:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723213718; x=1723818518; darn=freebsd.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=knC4MefdGfzUGx0wNOpGJ6LnGlyqb7bjki8nD0dXDTk=; b=l8rqUlxvHjarG2P3/6FoiU0c8MaZRQBb2hpWwhf+W9ruEDpMeGtKi4zW1snNZ+tIug psmC6KTIW+UqgaWTnayEzWOIfvDuc996AaBuaHcBHBKz5cCKB5p7VJ7vjeXOQHn+2wR1 nq48ftazJk5GIfgGX1bQwEI1dIRTHrFe5+kyNsTiddxWekyS+15P/A5QqAlSA3R3kls4 o2zLnU7lWhrvbFEcEgS48ShGH0VvR4nBKHbV/UKp7fnWJfxTTOvZPGyGa+7eXMUJK44C FqKJlTcklHqgH0DNTmxF02b08gddyOKb9xw2l/6Y/L/4531P42RIuJlGZZXIt6D/nsy0 8qYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723213718; x=1723818518; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=knC4MefdGfzUGx0wNOpGJ6LnGlyqb7bjki8nD0dXDTk=; b=dsOE28IF7XX0PwuA+smK8NHf+tQADVVud3HPdU+gDkvQIXB9dkT99H84nWiqsvZEj4 nm9yl2Ds2ZoHRYD/CWBakGxsUn7MbrYyD9pX9N9PJSRIbLbB8xKBLgMRQ2WTcusM5usB k09T3RtGatAv0aARMyhR55mNRtdnIyZak+MrKaWRg6BKpGcRN+vlMKFUXKNb7KhQEiMT AS1t8ehLSy0Sl/JrsrO7VWEGpze/ypRWsdWXUQgC+8FXfgL/DL+5uF9f6uznyTGltaex 7cKlzYxgYz+iScEhsxufzCmiGg4aqGVF2OAVAH6AcBBbih6A4LncFUqyAIn0nF7vE94i MY3Q== X-Gm-Message-State: AOJu0YzdBhY4h/MouVHB5kirfPiKfFfiqyW862SNoyJCmGi1/HU/P1Vw kcoYzPdsndeRnBXpsj/R4CrI1gamjkyU18xTB/WKniAnDJsewkhA38JOHDRFl7FoQYrxGh9xTSM qcU0rPGItZE9XKMyDYKIp6LfbGugTHw== X-Google-Smtp-Source: AGHT+IE98Vz72HHsKTOOxPH94S4Jv7njtndCPIJ274MdKFfTq5vuHWZgjRuJX1TutU0T/TXZKXo891BfdK4HFrdWQVM= X-Received: by 2002:a17:907:e649:b0:a72:5f9a:159a with SMTP id a640c23a62f3a-a80aa56c325mr137237066b.2.1723213717967; Fri, 09 Aug 2024 07:28:37 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 From: Achyuth Nandikotkur Date: Fri, 9 Aug 2024 10:28:25 -0400 Message-ID: Subject: Patch URLs for SA-24:07.nfsclient.asc are not accessible To: freebsd-security@freebsd.org Content-Type: multipart/alternative; boundary="00000000000088205b061f40f549" X-Spamd-Bar: - X-Spamd-Result: default: False [-1.80 / 15.00]; HFILTER_URL_ONLY(2.20)[1]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36:c]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20230601]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_FROM(0.00)[gmail.com]; RCPT_COUNT_ONE(0.00)[1]; FREEMAIL_ENVFROM(0.00)[gmail.com]; TAGGED_FROM(0.00)[]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; MISSING_XM_UA(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; RCVD_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::62c:from] X-Rspamd-Queue-Id: 4WgR9N32LNz4bw9 --00000000000088205b061f40f549 Content-Type: text/plain; charset="UTF-8" Hello, This is to let you know that URLs pertaining to patches in the following security advisory are not accessible. https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc [FreeBSD 13.3] https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc [FreeBSD 14.0 & FreeBSD 14.1] https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc Regards Achyuth --00000000000088205b061f40f549 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable --00000000000088205b061f40f549-- From nobody Fri Aug 9 14:45:53 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WgRYS2XR6z5S8y5 for ; Fri, 09 Aug 2024 14:46:04 +0000 (UTC) (envelope-from pjlists@netzkommune.com) Received: from smtp1.nkhosting.net (smtp1.nkhosting.net [84.200.40.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4WgRYR122hz4f3j for ; Fri, 9 Aug 2024 14:46:03 +0000 (UTC) (envelope-from pjlists@netzkommune.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of pjlists@netzkommune.com has no SPF policy when checking 84.200.40.83) smtp.mailfrom=pjlists@netzkommune.com Received: from [IPV6:2a01:170:1170:54:aaa1:59ff:fe9a:3960] (unknown [IPv6:2a01:170:1170:54:aaa1:59ff:fe9a:3960]) by smtp1.nkhosting.net (Postfix) with ESMTPSA id DB0E7294D2 for ; Fri, 9 Aug 2024 16:45:53 +0200 (CEST) Message-ID: <322ec7d2-a77f-4961-89a9-07ac40b0f389@netzkommune.com> Date: Fri, 9 Aug 2024 16:45:53 +0200 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Patch URLs for SA-24:07.nfsclient.asc are not accessible To: freebsd-security@freebsd.org References: Content-Language: en-US From: Philip Jocks In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Bar: - X-Spamd-Result: default: False [-1.78 / 15.00]; AUTH_NA(1.00)[]; NEURAL_HAM_LONG(-1.00)[-0.998]; NEURAL_HAM_MEDIUM(-0.98)[-0.984]; NEURAL_HAM_SHORT(-0.81)[-0.806]; ONCE_RECEIVED(0.10)[]; MIME_GOOD(-0.10)[text/plain]; XM_UA_NO_VERSION(0.01)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:44066, ipnet:84.200.0.0/16, country:DE]; MIME_TRACE(0.00)[0:+]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; ARC_NA(0.00)[]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; R_DKIM_NA(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_NA(0.00)[netzkommune.com]; RCVD_TLS_ALL(0.00)[] X-Rspamd-Queue-Id: 4WgRYR122hz4f3j Hej, On 8/9/24 16:28, Achyuth Nandikotkur wrote: > Hello, > > This is to let you know that URLs pertaining to patches in the following > security advisory are not accessible. > > https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc > > [FreeBSD 13.3] > > https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch > https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc > > [FreeBSD 14.0 & FreeBSD 14.1] > > https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch > https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc > it seems to be a typo, the links begin with nfclient.., while nfsclient... works: [FreeBSD 13.3] https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch.asc [FreeBSD 14.0 & FreeBSD 14.1] https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch.asc Cheers, Philip From nobody Fri Aug 9 16:27:23 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WgTpf2wSMz5SMWM for ; Fri, 09 Aug 2024 16:27:38 +0000 (UTC) (envelope-from achyuth.amar@gmail.com) Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WgTpf02lMz4tPV for ; Fri, 9 Aug 2024 16:27:38 +0000 (UTC) (envelope-from achyuth.amar@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-a7a9a7af0d0so265738966b.3 for ; Fri, 09 Aug 2024 09:27:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723220857; x=1723825657; darn=freebsd.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=yExvx7Da0g1FYL9JsLg5RlHSAsMKmNmNMMsNiSvVvC8=; b=muGNQxGzkJqg92NqKb8/UgInsMNiXTl6Q5tfhXmkDvyA8KdvLL78ekXgg4eQlnHGGP xMf/FljVV6xxDiJ1+AoTJ3f3qUTNOgzXsC1cLZXEacjVmcRj22pbQnl+izOHjN0cgAup hkH4UNGrgijmHUb7IgGEljq9nIttegNAyPXG/grGXb9TS+9Qtid4asG/8jCvAo2MAhkH mhpXBAUo2bFOf2Rq7MQ9mvAKFcztvUaNahBfWpsSw4/yNa9RAa0QHHRiGWxAuZZPjwSz mJY5YAcwXES8t7K097VUyjtWTRg6iv4cTjA0dYsbvnZeXtWxcZ2IfGWxU+Xt0TsklIBd +vXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723220857; x=1723825657; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=yExvx7Da0g1FYL9JsLg5RlHSAsMKmNmNMMsNiSvVvC8=; b=UjPC0f1QOayNcZHY1abWhMGgnPkNadT6fgI8IPcoEPSb+ghF3FipbEypwopGj83eli Vj8vlWZdqkMJG/QZo00d4p43AcJ80mlhz1++INT016pN/vOGPNXkotWrxTezIdzjSr6H w4RYl8EneuNbbQYu7P44RNmwvkXfk87KqBUInxI5amDbjRHBvhAN5AXkCm3t0SfudeE2 djiT877OTkUanQF1j1sw0qFSowWOaSWeeHpe3UXt316eEu5Vjy6bjO8N1OGjdlyDsFUn KA7TF3/OZaEAQATVpBK0gS5aYmqh9C32Wvrb9cjKdrWsnx22Ssgt+vFbTOscIWBfSZCG 06Eg== X-Gm-Message-State: AOJu0YzJaLpRTA/CbmhOvm+UIgBV7VuLegbzYm9nlhM0Cq+WspNTRkTS I9x8E5X/c68Ff5cxjE0X49ZCQGIR9tYHs39Izr5kTrbPoURAc8xFoBCgIAajvUj5AIieXDWy4lU 89ojP2ppUajL2a4s4CW4qmC+WuwwReQ== X-Google-Smtp-Source: AGHT+IGALFBP/WO3w/ty2/T65d87AmLVxC3HEiiHsZ8yLf2JXnEkvtThmnsXVGBnaB69kx2rX7fFqK/4NBGoW6u6uLo= X-Received: by 2002:a17:907:efde:b0:a7a:8378:625e with SMTP id a640c23a62f3a-a80aa5a2279mr164862966b.26.1723220855964; Fri, 09 Aug 2024 09:27:35 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 References: <322ec7d2-a77f-4961-89a9-07ac40b0f389@netzkommune.com> In-Reply-To: <322ec7d2-a77f-4961-89a9-07ac40b0f389@netzkommune.com> From: Achyuth Nandikotkur Date: Fri, 9 Aug 2024 12:27:23 -0400 Message-ID: Subject: Re: Patch URLs for SA-24:07.nfsclient.asc are not accessible To: Philip Jocks Cc: freebsd-security@freebsd.org Content-Type: multipart/alternative; boundary="000000000000fd4a16061f429e9c" X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; TAGGED_FROM(0.00)[] X-Rspamd-Queue-Id: 4WgTpf02lMz4tPV --000000000000fd4a16061f429e9c Content-Type: text/plain; charset="UTF-8" Yes it was a typo. Thanks for your response. Achyuth On Fri, 9 Aug, 2024, 10:46 am Philip Jocks, wrote: > Hej, > > On 8/9/24 16:28, Achyuth Nandikotkur wrote: > > > Hello, > > > > This is to let you know that URLs pertaining to patches in the following > > security advisory are not accessible. > > > > > https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc > < > https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc > > > > > > [FreeBSD 13.3] > > > > https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch > > > https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc > > > > > [FreeBSD 14.0 & FreeBSD 14.1] > > > > https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch > > > https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc > > > > > it seems to be a typo, the links begin with nfclient.., while > nfsclient... works: > > [FreeBSD 13.3] > > https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch > https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch.asc > > [FreeBSD 14.0 & FreeBSD 14.1] > > https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch > https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch.asc > > Cheers, > > Philip > > > > --000000000000fd4a16061f429e9c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Yes it was a typo. Thanks for your response.

Achyuth


On Fri= , 9 Aug, 2024, 10:46 am Philip Jocks, <pjlists@netzkommune.com> wrote:
Hej,

On 8/9/24 16:28, Achyuth Nandikotkur wrote:

=C2=A0> Hello,
=C2=A0>
=C2=A0> This is to let you know that URLs pertaining to patches in the f= ollowing
=C2=A0> security advisory are not accessible.
=C2=A0>
=C2=A0>
https://www.fre= ebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc
<https://www= .freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc>
=C2=A0>
=C2=A0> [FreeBSD 13.3]
=C2=A0>
=C2=A0> https://securit= y.FreeBSD.org/patches/SA-24:07/nfclient-13.patch
<https://security.freeb= sd.org/patches/SA-24:07/nfclient-13.patch>
=C2=A0> https://sec= urity.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc
<https://security.f= reebsd.org/patches/SA-24:07/nfclient-13.patch.asc>
=C2=A0>
=C2=A0> [FreeBSD 14.0 & FreeBSD 14.1]
=C2=A0>
=C2=A0> https://securit= y.FreeBSD.org/patches/SA-24:07/nfclient-14.patch
<https://security.freeb= sd.org/patches/SA-24:07/nfclient-14.patch>
=C2=A0> https://sec= urity.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc
<https://security.f= reebsd.org/patches/SA-24:07/nfclient-14.patch.asc>
=C2=A0>

it seems to be a typo, the links begin with nfclient.., while
nfsclient... works:

[FreeBSD 13.3]

https://security.FreeBSD.= org/patches/SA-24:07/nfsclient-13.patch
https://security.Free= BSD.org/patches/SA-24:07/nfsclient-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]

https://security.FreeBSD.= org/patches/SA-24:07/nfsclient-14.patch
https://security.Free= BSD.org/patches/SA-24:07/nfsclient-14.patch.asc

Cheers,

Philip



--000000000000fd4a16061f429e9c-- From nobody Fri Aug 9 23:38:45 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WggN63cxgz5Slhr for ; Fri, 09 Aug 2024 23:38:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WggN60Bb5z4sQn; Fri, 9 Aug 2024 23:38:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723246726; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=pqpskrFUdVhUKofs6f+lfUjZ55J2P4P2GczFfPuXd8c=; b=NrfxcVtjosdS435K02B4ABtWGby+plQKolAkAJSthW3ALvigcr95q7EpEicwN5df5HC0jw drSIBOFJBu+g3bL5ECg/Zi1I15FnDpyQo00Iid0llkrvSRG7g+01JSHf0iCOKCpHcQsqpS tBKptnKFsdS5aCCUDYcuUa470SNpL30+Q6XBMy/IxeGCr0T3HT0QLZfkk2w5gyV8beFttL PQt1id9vdJSgBMHR9YfSpvwrcm6kQD9U+CgTfzmcB5UW71SsbpSWxyvE8IoAt0S1YQObhh A9PJ1xPy7ygyVcb4db4lABRq3A6DY3kpS99KeWDJ1NtksEIlaEFODEpoW6A6XQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1723246726; a=rsa-sha256; cv=none; b=d2RirderTndfuaDJii7TNNi/Gcz8UmF75hj2+M7+u0gIgE2pQTom4jmjbpkyFGfvmp4im6 /m0SGP2U3OrrNcXNTogNbpnN6Ru4/4ZP1B5eU0dfT1MSk1zo36bWT79CAnCMcHKsxgs405 zrJOuHkcc7OCkYb0Tv7ii0rfV4ZmwBN2D4vsRliTHL6byMKBZju3UbEdyVBktmgE9gV38S WgpdY7psuJ8qiOTVpqDGC2L/k7gI9DqD4CZtu7N8RDm2LFb8dLsvCBSUYBZ0N/SfuaXwbN 1dULtc/PnnhFhz9K45JiDJnBL6H93Tg8kUWejYtjP5yrD3LEd/vrXfV3NKyb1w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723246726; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=pqpskrFUdVhUKofs6f+lfUjZ55J2P4P2GczFfPuXd8c=; b=pXc9V6lo9XsY+gffqsmkxkk2rRh9mPsF5N5hpjcYJMTXJsdjsiHldGLcSABcW1rEzIHPmI 2OjuufcPhaWTYp/yOTqSRPhNXvKTnR36Bv6OtSF2ggr4JvQpgzhRfHRcKPBpTHql2KwIKE dWBXWTFYnaTjwhjtWUW85H9tejN3cd8AA8s9ABkLMLQ1F3T88QwEyFpnSvxWV3i7PXRpya rKd/NJdiut2RTEi2tDVNbTSdo923BdlddLKBAyBlM2tegWWT3RLGAEWF07a0T+C40Zbt56 DsVyGuG8zT9d7mffWTN7zrN3LTufP94GAv0yDLQUZG78/gz6CEh4GRz0iO60ig== Received: by freefall.freebsd.org (Postfix, from userid 945) id DD118B187; Fri, 09 Aug 2024 23:38:45 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:07.nfsclient [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240809233845.DD118B187@freefall.freebsd.org> Date: Fri, 09 Aug 2024 23:38:45 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:07.nfsclient Security Advisory The FreeBSD Project Topic: NFS client accepts file names containing path separators Category: core Module: NFS client Announced: 2024-08-07 Credits: Apple Security Engineering and Architecture (SEAR) Affects: All supported versions of FreeBSD Corrected: 2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE) 2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3) 2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9) 2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE) 2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5) CVE Name: CVE-2024-6759 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2024-08-07 -- Initial release v1.1 2024-08-09 -- Corrected patch path typo I. Background The Network File System (NFS) is a distributed file system that allows remote systems to access files and directories over a network as if they were local. FreeBSD includes both server and client implementations of NFS. II. Problem Description When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. III. Impact The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory. IV. Workaround No workaround is available. Note that for the problem to occur, the NFS server would have to deliberately inject altered paths into RPC replies, or a MITM would have to be altering NFS traffic. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.3] # fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch # fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch.asc # gpg --verify nfsclient-13.patch.asc [FreeBSD 14.0 & FreeBSD 14.1] # fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch # fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch.asc # gpg --verify nfsclient-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 9328ded386d5 stable/14-n268239 releng/14.1/ 8533e927afc1 releng/14.1-n267686 releng/14.0/ 4e7bf17e9db8 releng/14.0-n265422 stable/13/ 0172b5145ad9 stable/13-n258140 releng/13.3/ 3d5cb2b9a97c releng/13.3-n257439 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAma2pYUACgkQbljekB8A Gu+eAQ/+K8Bh4GvdoSsAW14+/ee/uVjQoXpUKsjDTEsU0kRMCgD9aYN5+D/o/nPU lAuKwjkLm+5xpzZjXtm1z24v7fDKy674YL0O7snAEtzcFNKcNob4sCVESs5USSB7 6rG/3/XCCZhsHM5g52caIdqzC/rflOnipKU6ldySMmJHFlHfgag5VQfklq0F6J8V 0NAyodMYO3IcpBNz9mR4sWnwpd31JLPnbD7LYo460YReu9u29qxUdPljLZaKW8ti 2RhzbiTO8JDu6962Qh0QQf9bnalMKCbmh/Vc6qnRIHsn60vxrRR9BArQ9QBuskYN 4H32OCO+GlL4y0smJSQoolTY4Kq4B1qHIJz9DUbFVayFL0EoJAhuEQsYqRIhTD5r h5PJz07/xIvVO41rUqCJiCflcy+KEmBjom065wGspAsfoYraIcILVe9jUmaiuur/ qZjZ3jvpujulqaOCQcy2zOg6qoI2CrVcPuTKWnEDUWAOZoq0SYcef2DfoRNPCgeb P1Y8TeoD3pzb5AYeGavWYP969Lbk4jE+Pfz/7isIegpvru6gilsTtZgX89s5BZuL bf42dkeRmQnzx/3P89LIEV1/ud5/wnE388UYa00VVkH1xbmMcI+Cp1dKqUWzELiZ fnKRJycdR0bW02ufWkjPfHlfOVHAPK1Y7prkOTj4tD52rbmVgi8= =Pgiz -----END PGP SIGNATURE-----