From nobody Wed Jan 29 15:57:15 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Yjmxn0Cllz5lSsf for ; Wed, 29 Jan 2025 15:57:17 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Yjmxl6mTmz3Zf2 for ; Wed, 29 Jan 2025 15:57:15 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:1::12 as permitted sender) smtp.mailfrom=mike@sentex.net; dmarc=none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.18.1/8.18.1) with ESMTPS id 50TFvF0N026262 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL) for ; Wed, 29 Jan 2025 10:57:15 -0500 (EST) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4::29] ([IPv6:2607:f3e0:0:4:0:0:0:29]) by pyroxene2a.sentex.ca (8.18.1/8.15.2) with ESMTPS id 50TFvEGs021543 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Wed, 29 Jan 2025 10:57:14 -0500 (EST) (envelope-from mike@sentex.net) Message-ID: Date: Wed, 29 Jan 2025 10:57:15 -0500 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: "freebsd-security@freebsd.org" From: mike tancsa Subject: OpenSSL Jan 20th vuln Autocrypt: addr=mike@sentex.net; keydata= xsBNBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB AAHNHW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+wsCOBBMBCAA4FiEEmuvCXT0aY6hs 4SbWeVOEFl5WrMgFAl+pQfkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeVOEFl5W rMiN6ggAk3H5vk8QnbvGbb4sinxZt/wDetgk0AOR9NRmtTnPaW+sIJEfGBOz47Xih+f7uWJS j+uvc9Ewn2Z7n8z3ZHJlLAByLVLtcNXGoRIGJ27tevfOaNqgJHBPbFOcXCBBFTx4MYMM4iAZ cDT5vsBTSaM36JZFtHZBKkuFEItbA/N8ZQSHKdTYMIA7A3OCLGbJBqloQ8SlW4MkTzKX4u7R yefAYQ0h20x9IqC5Ju8IsYRFacVZconT16KS81IBceO42vXTN0VexbVF2rZIx3v/NT75r6Vw 0FlXVB1lXOHKydRA2NeleS4NEG2vWqy/9Boj0itMfNDlOhkrA/0DcCurMpnpbM7ATQRcsMzk AQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4axtKRSG1 t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1qzAJweEt RdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6cLm0EiHPO l5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5o9KKu4O7 gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQABwsB2BBgB CAAgFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAl+pQfkCGwwACgkQeVOEFl5WrMiVqwf9GwU8 c6cylknZX8QwlsVudTC8xr/L17JA84wf03k3d4wxP7bqy5AYy7jboZMbgWXngAE/HPQU95NM aukysSnknzoIpC96XZJ0okLBXVS6Y0ylZQ+HrbIhMpuQPoDweoF5F9wKrsHRoDaUK1VR706X rwm4HUzh7Jk+auuMYfuCh0FVlFBEuiJWMLhg/5WCmcRfiuB6F59ZcUQrwLEZeNhF2XJV4KwB Tlg7HCWO/sy1foE5noaMyACjAtAQE9p5kGYaj+DuRhPdWUTsHNuqrhikzIZd2rrcMid+ktb0 NvtvswzMO059z1YGMtGSqQ4srCArju+XHIdTFdiIYbd7+jeehg== Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.86 X-Spamd-Result: default: False [-3.50 / 15.00]; NEURAL_HAM_SHORT(-1.00)[-0.999]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_MEDIUM(-1.00)[-0.998]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; RCVD_IN_DNSWL_LOW(-0.20)[2607:f3e0:0:1::12:from,199.212.134.19:received]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; FREEFALL_USER(0.00)[mike]; MID_RHS_MATCH_FROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[sentex.net]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_EQ_ADDR_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCVD_TLS_ALL(0.00)[] X-Spamd-Bar: --- X-Rspamd-Queue-Id: 4Yjmxl6mTmz3Zf2 It is marked low https://openssl-library.org/news/vulnerabilities/#CVE-2024-13176 Any plans to bring in the new version ?     ---Mike From nobody Wed Jan 29 19:33:57 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Yjsm02tYJz5lrK8 for ; Wed, 29 Jan 2025 19:34:08 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Yjsly698Dz3RhL for ; Wed, 29 Jan 2025 19:34:06 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:1::12 as permitted sender) smtp.mailfrom=mike@sentex.net; dmarc=none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.18.1/8.18.1) with ESMTPS id 50TJY21d022500 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL) for ; Wed, 29 Jan 2025 14:34:02 -0500 (EST) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4::29] ([IPv6:2607:f3e0:0:4:0:0:0:29]) by pyroxene2a.sentex.ca (8.18.1/8.15.2) with ESMTPS id 50TJXuU0090400 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Wed, 29 Jan 2025 14:34:01 -0500 (EST) (envelope-from mike@sentex.net) Message-ID: <86ba2900-aa1c-4834-8e06-fa3ed0aaf134@sentex.net> Date: Wed, 29 Jan 2025 14:33:57 -0500 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: OpenSSL Jan 20th vuln From: mike tancsa To: "freebsd-security@freebsd.org" References: Content-Language: en-US Autocrypt: addr=mike@sentex.net; keydata= xsBNBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB AAHNHW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+wsCOBBMBCAA4FiEEmuvCXT0aY6hs 4SbWeVOEFl5WrMgFAl+pQfkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeVOEFl5W rMiN6ggAk3H5vk8QnbvGbb4sinxZt/wDetgk0AOR9NRmtTnPaW+sIJEfGBOz47Xih+f7uWJS j+uvc9Ewn2Z7n8z3ZHJlLAByLVLtcNXGoRIGJ27tevfOaNqgJHBPbFOcXCBBFTx4MYMM4iAZ cDT5vsBTSaM36JZFtHZBKkuFEItbA/N8ZQSHKdTYMIA7A3OCLGbJBqloQ8SlW4MkTzKX4u7R yefAYQ0h20x9IqC5Ju8IsYRFacVZconT16KS81IBceO42vXTN0VexbVF2rZIx3v/NT75r6Vw 0FlXVB1lXOHKydRA2NeleS4NEG2vWqy/9Boj0itMfNDlOhkrA/0DcCurMpnpbM7ATQRcsMzk AQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4axtKRSG1 t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1qzAJweEt RdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6cLm0EiHPO l5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5o9KKu4O7 gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQABwsB2BBgB CAAgFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAl+pQfkCGwwACgkQeVOEFl5WrMiVqwf9GwU8 c6cylknZX8QwlsVudTC8xr/L17JA84wf03k3d4wxP7bqy5AYy7jboZMbgWXngAE/HPQU95NM aukysSnknzoIpC96XZJ0okLBXVS6Y0ylZQ+HrbIhMpuQPoDweoF5F9wKrsHRoDaUK1VR706X rwm4HUzh7Jk+auuMYfuCh0FVlFBEuiJWMLhg/5WCmcRfiuB6F59ZcUQrwLEZeNhF2XJV4KwB Tlg7HCWO/sy1foE5noaMyACjAtAQE9p5kGYaj+DuRhPdWUTsHNuqrhikzIZd2rrcMid+ktb0 NvtvswzMO059z1YGMtGSqQ4srCArju+XHIdTFdiIYbd7+jeehg== In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.86 X-Spamd-Result: default: False [-3.48 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-0.997]; NEURAL_HAM_SHORT(-0.98)[-0.979]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; RCVD_IN_DNSWL_LOW(-0.20)[2607:f3e0:0:1::12:from,199.212.134.19:received]; MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; FREEFALL_USER(0.00)[mike]; MID_RHS_MATCH_FROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[sentex.net]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_EQ_ADDR_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCVD_TLS_ALL(0.00)[] X-Spamd-Bar: --- X-Rspamd-Queue-Id: 4Yjsly698Dz3RhL On 1/29/2025 10:57 AM, mike tancsa wrote: > It is marked low > > https://openssl-library.org/news/vulnerabilities/#CVE-2024-13176 > > Any plans to bring in the new version ? > I guess no new version, just patches for now https://groups.google.com/a/openssl.org/g/openssl-announce/c/kV3rF1Zd9RU     ---Mike From nobody Wed Jan 29 21:31:02 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwLv1Brmz5m2yt for ; Wed, 29 Jan 2025 21:31:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwLt6thgz3s3r; Wed, 29 Jan 2025 21:31:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186263; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=w60hGinYKxkxbdyD4AmVxtttCcJEgXqMsTM/GBvSIFM=; b=Ne3IgG9VZkh4v2g/jUhRtapsD0m9D4TLIVzY4/jPHR7FETpI4TvVwRR5ABdisBCd5dsEqD JOuKyHQ3FqB0tswTQ4QB2iqIOHzg/dDvrDyXB+T2DwAMav8TjctLnDH1Ow1yTlWoR2qpzl LkqQl6h+MGHLrkZ8Sv8II6gXVNL2Vh/NPqsLAxRqI4wdO8M2I7PcWUpQDF5htdR66ecFu8 HetMS4QW+1yrFSOpdXLJG730JFsmgV6r2s01n+OmTIBJTFbW6Fug3OqlOxMaxaf1vyw0O4 VX3kBF5rxAY06h3PLiC46Rxs6wVMkwuHQ+HeJsXuCzJ9bZbIqO1RBY1YQWiXRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186263; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=w60hGinYKxkxbdyD4AmVxtttCcJEgXqMsTM/GBvSIFM=; b=Fc71n/5viEHcQiILinIBhfrZbob2NsmUPrtinC8anSFx1sed49+EB0ImH0f0gYs2XSCKtz gKAW/4InLGXqxts5ULYLWJs7qkS0w+JRpQIcgP9hjE8Z11PEImq3GNbTgWiUBV8m2/mN7K Sa+ir9DICEulHUZYRJO9Xza9HJeV2hrzcsBI76v0nFSA1nyRUEtJk+PKvwt5fHNLsB75in dV/FFUnWgsiG9IjsXc72q3wRj4cOzQzxBz2I4bX37ah5EFIFThDP6164tWJQpYvufZ0BlB eXw7Rf8GpyKw3KsKgF4suOYmS4jmC3sYqlGCg6cyjeRS88ZVn5LR5loixv73cg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186263; a=rsa-sha256; cv=none; b=s0DV6pyyR4UcULcvxIcxdvF52zWd9CUkdNoqYJm05VXFPQsPGO1sknR4SJHQgMIE30AUFR oPEYk43VS457wS8xSgtuqCeEZA2Tdz8wAAoYxrE1r2KwIXR24fTcMLb7eK7WAQA32BnGo1 QALVH1VF1DSV1KueJQFlu1hCTWPuxLnMwVQaM+cdOcobHgUkBLuGnGV6sYV9lhWFhBzFIN BToYKkyCVDKXLE61L2f5LuFS37oEixZLQKApRIlVnNpREAxp+TzdGYm6tbXOGninS6ZyVO mk9PT1XJ58WFofZJopJARZinVT4xBqDgXvZ/Mnf4OBiatKKLHkGheZxBr3s+HA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id E4CFA27A5; Wed, 29 Jan 2025 21:31:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:01.openssh Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129213102.E4CFA27A5@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:31:02 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:01.openssh Security Advisory The FreeBSD Project Topic: OpenSSH Keystroke Obfuscation Bypass Category: contrib Module: openssh Announced: 2025-01-29 Credits: Philippos Giavridis Credits: Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford (University of Cambridge) Affects: FreeBSD 14.1 Corrected: 2024-07-15 18:45:16 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:55:25 UTC (releng/14.1, 14.1-RELEASE-p7) 2024-08-01 15:03:50 UTC (stable/13, 13.4-STABLE) CVE Name: CVE-2024-39894 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. OpenSSH version 9.5 introduced a mechanism to mitigate keystroke timing attacks by "sending interactive traffic at fixed intervals when there is only a small amount of data being sent." II. Problem Description A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective. III. Impact A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing. IV. Workaround No workaround is available. This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.1] # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ bf9a275b24f6 stable/14-n268158 releng/14.1/ 88d5d8108711 releng/14.1-n267735 stable/13/ 79853e40abd8 stable/13-n258171 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKgACgkQbljekB8A Gu8WORAAl3zgLVz40e7nhduuV4eZlnvWAc6sruSap5f80ikGLRDfuzgKugWdOvTA i+bSZuZkGPx444uyC0JcN016+oUpd/1Xzr4/KQ7BL0ZYmgxQn/O8jfPbEiSloXpG Vgn8ZXYh1EKilhIw6n79yZN6WSY/gAfMZzeY/R7v1n7WaBnUYaUB8fl94CoTxf1j qQfmngBi6GU52OqirqBI4OYozJ2dkhRK/epvFUxMPGFVKa7wj4GChrQFW+PCyvHE TPg4H37kbSC37LbCn2Y/vjs8WcAr/xI68AGkalANgqVvtIpA0+tO7hn5gqgevbc8 xO1xDvy38mlgX1CIdRD/Ur857z3P23mVfPhHkXX+85mbH/8QRbMJuB88zrhS9pcY V+dq23r0ALRCo8t8Sab5xukZhuK2rxFfXvfF2YT920Vd7LgCsA9MjTCdU/IfNpH0 Ax5Lq1bm4cv9DT47XBRn+0QDZU0TSq0uJ8YLrusfS67ikzdbSBqL3tOAXtz6DeCL UDqSg3Ohw4HFn+DNMOdmESWO/t5LesEY/nB/vGSQYNYQMqlednwAPVhp6D8jvcgE Wi26qTLo4SgcvfDUk4EfDeLp90pgCXkBn5Zo9eTdOlyY/aMzvFcI7EKbsSAkX1Cg zus5DrcA9BTu2Wp9xWTUHLBC65ecHy6/xXSubjL4GCbYcPcjxQI= =oskq -----END PGP SIGNATURE----- From nobody Wed Jan 29 21:31:05 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwLy4Xmwz5m2pV for ; Wed, 29 Jan 2025 21:31:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwLy07zFz3sC1; Wed, 29 Jan 2025 21:31:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186266; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=BHYAQ1lB/AO2LCnpMzxZrnBbcJ5KRqCymEB6teZRBeo=; b=N5vo1xdSFJYTbJKHSYq7e1NvpZUFDlRcSCPiEZ9UDmO8x2TJW7sSiQIDo2x6UTuPL5A971 lWlwKmV6lkgljmK3Zt/Mn0P/GGwGWXXKptYar1e9BaKE7nLaj9AV7MMoTBml73YH+IaQ+N VDc5z/KSkqn/5t32sObu/dFYhhHfgyNlWQTP1e2Vm1HAjeXAAtiLiAmzr6jl/bT/YYYih6 DaYltJpSGW4heFN31ON79EChUChLtM3TYDETzl+5P1b1NIwlyi2zip436xbydj3U3OEGug IEgJzv9wwbymjRSrK1bRdCmNO6+RY93iE8yJb2OfqreTcQAEVU+LhjiTh7dPFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186266; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=BHYAQ1lB/AO2LCnpMzxZrnBbcJ5KRqCymEB6teZRBeo=; b=XdD6aIJ4fHRlDLSKmhCA6Mawzgzkm6ItsWQpLnFdlHL5aW3507ooJoHugvwBec4UgY+pR8 B1OMcN35Pbk4SlP5djgbsf98Mz5U4sYMnB60ESbty442TgjY8Ra6PgvH/f1/MvpJRe72xw eZ/cR0DWrI8EapBQmkSESnuvrslK09OuLoXxx6m3NwGAIJRchry3zJMyWCal/rKeYCrwnX iThtvheXn0IkQX18y/GFRneetyWk4/bjRkVvMayhaiqxcB6mUrM3yXEWsrgYJO6hudalih zdU+Hv0BkXkw6rwku/NTxUB8yqOvaCF4AIrrxKvYh4rlOt9cC2WwWJuZHtbz9w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186266; a=rsa-sha256; cv=none; b=MJX3WBcuurV5sP/pQJ8ndXq2UhtF4gy+7EbDgqzrzjPHStfWb9wkj4ksK7ft4LjTwYygJD UvA0xweU1dWhMoPHOVqIlAefEqGTcjoCg/trIhR6uKF+OKGDKPtBPL4gDRQ+rifqevTL+0 /JN0u+kPSInyGkvmmFPUBx044x74ymYff+8PVXYmYCyp/H25OWzDFEdyhEkyHZdftAt2qO cTKqc+CgcUm7J4C+U0kA0JKODZrXTUb2qOuxI5iF1OyxFzYXzLLdn5533CFVwnFar7KCSJ IYgyBaKL6vrkgKg1IR2xpnGAVhFZDAOky6H9bnshkhtNqgr71297Hbkoov9uQw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id E0D7E2736; Wed, 29 Jan 2025 21:31:05 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:02.fs Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129213105.E0D7E2736@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:31:05 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:02.fs Security Advisory The FreeBSD Project Topic: Buffer overflow in some filesystems via NFS Category: core Module: fs Announced: 2025-01-29 Credits: Kevin Miller Affects: All supported versions of FreeBSD. Corrected: 2025-01-17 13:53:10 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:56 UTC (releng/14.2, 14.2-RELEASE-p1) 2025-01-29 18:55:22 UTC (releng/14.1, 14.1-RELEASE-p7) 2025-01-17 14:00:40 UTC (stable/13, 13.4-STABLE) 2025-01-29 18:55:29 UTC (releng/13.4, 13.4-RELEASE-p3) CVE Name: CVE-2025-0373 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides a number of filesystem implementations for different purposes. cd9660 is used to mount ISO 9660 images; tarfs is used to mount POSIX tar archives; ext2fs is used to mount ext2, ext3, and ext4 filesystems. II. Problem Description In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9). On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow. III. Impact A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic. IV. Workaround No workaround is available, however, only systems which export a cd9660, tarfs, or ext2fs filesystem via NFS are affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch.asc # gpg --verify fs-14.patch.asc [FreeBSD 13.x] # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch.asc # gpg --verify fs-13.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 7a3a0402aeb6 stable/14-n270143 releng/14.2/ faa47d299a0e releng/14.2-n269512 releng/14.1/ c90866090517 releng/14.1-n267732 stable/13/ ee931cf4a49c stable/13-n259016 releng/13.4/ 0365b776f1b1 releng/13.4-n258273 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKoACgkQbljekB8A Gu8JFw/7Bq7C56cUeMwxb6I7BU3U2/DNjKLAR3bymrYqqJberyyyfUtgCcaTyz2q uCOAlK8xSbOVwX4WYb4pygR/uxRCPBaooTLpIZBPTCT5TxyTeLqQWfedeVMgYHgd zkuS4cG97IACiS9Zey6xFO5Rati0QoSuhEf36rvJXO/E7HQHARe954G7FDWvTi3W Snn5MvWYFwCvcL7gtthaoXtxS/FFRv+ht+cv6u/k6BNQXU7QFhF5qfFxM5rFczhO +TTFMoizAxLyirZNPy2n2jg9u+vrh2LKmfwiuMxX3zUeNI8/7yNZJ7ea+VGoRAxh OEXXPLbNPVtJdi6qvZ+3D0HUw/3aRjg/i0/Qe+5KXFC7OLBxksM5vyOC+eAjoyQW Y489eI7B5tV1td52wotZ1bIyt3GHmKtFxOt2kajPaR0vjuaYtdUb85PtT2QGjnRJ XbzmwrCM1YsBKANUHdh7sP5Bx1UI6dlQS2dgRQdbz43378lM1XND3RidioAdbYe6 SyDyFnZPypHaQfZVdlepnYxActqvhKeeq0aWkgqymaeL78sqmF4AARFVSqep8MXL boUkn3tMp1rojKH87Hk8saqRepZfX3DuwONsz++mgKEmqgnb8zKYI0Q4Gq6nYgcr d8UxaWQz1mkiPfaqDvUOmAYWoWIiA+KsfIZIKj7+vrMEH32QzaA= =vbcl -----END PGP SIGNATURE----- From nobody Wed Jan 29 21:33:19 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwPX4wJnz5m3gd for ; Wed, 29 Jan 2025 21:33:20 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwPW5Tjlz3whq; Wed, 29 Jan 2025 21:33:19 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186399; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=M0jn+qA0JUOJvgAJj0BPy1SU7alJqC+NIlGtN6PB8Yo=; b=HxjCkvAu+M78cqLNUhYgUFzEnP0sm2dmwKMNPEEaPX5zylIKfdlszjqPEfZVzDGtCyNB0l sbj5l91ThNgiogf+oPP0MMY7ZIZ8qBz7Aqvm1l8VLJc081qyldVFHRFwSZPW35lgJffExo eiKwx9+NC2KiygRaIzLXxztpnHmeAet+ksVESPo2hcJKL7JQ4q7ace+VtI+gCB+tFJPmHl xMnN7lDoZI7yk0EBBrnKUgelLr1s71KC2Epxo9X8/K7c337GgmgqxUDTQel0Wj+2GClw4s UFopISq0frHGqKkFRWQPj+k06I2nWQJE5qj3xhTdi+JSbLTiaq7CZShiAhZYBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186399; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=M0jn+qA0JUOJvgAJj0BPy1SU7alJqC+NIlGtN6PB8Yo=; b=G3dO8bvRZWaD8dzXD/Chd8Ktu2OVOhvi8a21Bmjo+3x7WoxYQUGuLUQZk9+0eGAfl5u3zO 0TsheUvb23TqyJGWbNXupHT3QZJCFe0TROVMi0lb2tLyYBOII+9dAGYCT9yT5pnFels8oC oXOceUzMwMyLaBvg2D8OuzIsVjVWh/BVhieIpAydAa7I3yp5ValsHpWkyY4ZTpV/+zCp6d pKRro9RzmV5lWmU63NLQUJiPKRNGn0Nrl1tpn+Y05mfA7PbQ8a3AWQBEP6Hc9q5r5/EfY0 IE5WGEOOGkBpoy6O83jfUwFSRL99jKmGgrZxkOJabbom6NifdWdILK9Embj9kQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186399; a=rsa-sha256; cv=none; b=XycXM/q5SsAJ9rj/I4de6ZObeSDmV44YJLkLlnzFVz6oOMQVihBMp8yEvOtwW4wXHGoO4o Izd+KtjeIFnys+RPnQuOEhiNfFA21frFihRtfzgxkxd9/inBWzqLvva2EixfVoz6XFIzZg 4kACIBmIS78efFNNV6YehSUJ4+WD0PnFC7d8h7MN07+iQ/o/AaTWPui4Yw55o2DedOpfAl Gx7g0g5f+PfV1+y+mfui7Ib8gAk5imNaFxgZR82pzf3UZ161BwHV96+2be9Gr9eFCpoKSk r8J52Rzk40mQseh1G5S4rFpk594K2qeLa4fm893kxE0Zudq2fagZdvypuNp4fw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id A632028C8; Wed, 29 Jan 2025 21:33:19 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:04.ktrace Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129213319.A632028C8@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:33:19 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:04.ktrace Security Advisory The FreeBSD Project Topic: Uninitialized kernel memory disclosure via ktrace(2) Category: core Module: ktrace Announced: 2025-01-29 Credits: Yichen Chai and Zhuo Ying Jiang Li Affects: FreeBSD 14.2 Corrected: 2025-01-20 22:09:53 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:50 UTC (releng/14.2, 14.2-RELEASE-p1) CVE Name: CVE-2025-0662 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ktrace utility enables kernel trace logging for the specified processes, commonly used for diagnostic or debugging purposes. The kernel operations that are traced include system calls, namei translations, signal processing, and I/O as well as data associated with these operations. II. Problem Description In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace. III. Impact It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-25:04/ktrace.patch # fetch https://security.FreeBSD.org/patches/SA-25:04/ktrace.patch.asc # gpg --verify ktrace.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 99d5ee8738a3 stable/14-n270190 releng/14.2/ 10f8a9df522f releng/14.2-n269507 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajK4ACgkQbljekB8A Gu84pQ//WXxC3kW+JP6R73oQ3s5hhokCE7FjwlRj6QhkblmgBdRrwwFzkR0nLfSK TUirfyYikaCtw3K/FpAYfm4VSJR3MlFhjUXhU+4KWBnJHf0t6NYEJP6MixsDFMvn IZWZsrLs8Ryl03kKiH3EWfA9KVqx0OI0Cj9LOLo5nBzZjR0auUxYRdNrYuEq4i9n OxMRbB3i5C3oy+I8ZW6fAAyYRb008oLDZmMBluIybCH01B35NQP/iAjpO6HQT5rt fvHlo/kEOGSqBrwcnJXzLiJE4uKtiS4CDBltEN1WpP3N1MBqbLj6GO5uEWQGA73F MhOzeCd3kM+41KQjdtxvIJ9yc0i/m0VLOnBTaKCqAS4bGTOl5FIIZEaY3J3+7dOP wkcdFTOxl9K+RZ5CERAUxoGqgS9r+HOvWBIQcQoD9j4UCBocwyZn8fvp6niK0CWl TR4T7UE8nAiK/QqBQ7DTqKlAkrMC3+FS5XVfw6GXJ7NFMP/HFh/AIE7oEYN+h/rQ JXPmuU9Ml0ZHuy4PLcX16YSX+T+fdNWMxL1eomHE/FUwZoNP2RC0Wi9nGxEKtLun JLGFkfQzuwfIItGYICvvOKw6Ry9Q1WYJFTdrNLCn7upUW0BnXVDVzRz7X68FJgtO uXQGChtW/PfG/KoMY544eX5lL27Kxi5oBNS/VzDtCPG0bHAAgMw= =ErDS -----END PGP SIGNATURE----- From nobody Wed Jan 29 21:45:18 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwgL5nRHz5m5xQ for ; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwgL1fYXz3Hgk; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738187118; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=lXq7DNRYGIfsLJ0Azg1kNELsdync4vCFhzW6BFKRQIk=; b=kqbJvcIRX5oCgVl83+Rs1R4MA5OVqu7LIU/rO9cxoMySmPe3ZVhPxZm1QeDNotfW3zzgBZ wsDUduWXQGZUgfK4sAr6hqad+DUdrDFYEYhB3r1qLEnhniTfz0j7yVcQnxwpL2rwTJYGwN jQBzAeRehYd7CT4Lk+LNtiFdhiyL6qDRlNBMm/slkd/HVW3Sp9RgwvstBYF0dm4oqJAG3h d2BCrROJ+VINXvD15m0FIywuiT0rnMuvIubHAzxWxacHNRw6gOgKqBhplQWJlLiayshEgc tsvVmijT1WpKUmZt5iCQ7Bk2MPpcH3noA8Q8hJqfhu2px8fP4/0TbF3jrZGjzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738187118; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=lXq7DNRYGIfsLJ0Azg1kNELsdync4vCFhzW6BFKRQIk=; b=ZZ52jI+dRpNvaTjRiyWOuAB2mehJPoL9z5iOiMWK3c1R3wxXLKZMXwpERZdUyySE1ejLJs 2gxqSAd9Ek/3OlFugG4esoQlMffekAoxx5oewaXfr/ROXS2oPp3R5TohAIH34ANVdwHoW2 Y7s598zEDhbxDCEY6X6X6XDwNfOIBi2PZ1S4T7WbFh12nkIGzjNi1txkpjg+c7aXKZu3ng VYnu1JR8hJujmWgDIBE13Jrqp9ciooQ5B3VH4gL1fh8Yl2hd0w7RY5yGcUjlSSJmztglKb V1L/7WoZ8Hu7vcVFVNAF7Nr4e4/48zdf4uLcwE2P48XrGJQsuyT3Lr93k7sCGg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738187118; a=rsa-sha256; cv=none; b=q+zemOTIhfqJfokNZv6YBUDWtawlmOylDHitk2TdhqjyZbtCDiaDeP4KOPKVtLIeOVkNNv 2LUEpqmXpY8M8+PEJNUqaCmxpAtYGdBemGK1UbKcNqtqYkj7CmazuLZDVTyV2ZF5UCDN1Q JNaZGjJbZQjnssdrAig6f8TdQrZLBGG6nnjXkzAGOBaiaQlw2nu+lCf0PcT6zqvdFGgJdC DDgzlOkaQ2SHLVe8B81UzrMolg6Wsg79Q2Q2bwgjrjZjMZhW4irNIjTZfJ03qLoMNmyF2V iOBFnv8P66dzfmzDbwxHSj4m811p6JYSf6/BjQK6FRmBLuX1ML5IzEqHkNndQg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id 204513097; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:03.etcupdate Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129214518.204513097@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:45:18 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:03.etcupdate Security Advisory The FreeBSD Project Topic: Unprivileged access to system files Category: core Module: etcupdate Announced: 2025-01-29 Credits: Christos Chatzaras Affects: All supported versions of FreeBSD. Corrected: 2025-01-28 16:07:18 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:57 UTC (releng/14.2, 14.2-RELEASE-p1) 2025-01-29 18:55:26 UTC (releng/14.1, 14.1-RELEASE-p7) 2025-01-28 16:07:34 UTC (stable/13, 13.4-STABLE) 2025-01-29 18:55:30 UTC (releng/13.4, 13.4-RELEASE-p3) CVE Name: CVE-2025-0374 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The etcupdate(8) utility is a tool for managing updates to files that are not updated as part of ‘make installworld’ such as files in /etc. It manages updates by doing a three-way merge of changes made to these files against the local versions. It is also designed to minimize the amount of user intervention with the goal of simplifying upgrades for clusters of machines. II. Problem Description When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd. III. Impact An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved. IV. Workaround No workaround is available. Systems whose files are updated using a mechanism other than etcupdate, such as freebsd-update(8), are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch # fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch.asc # gpg --verify etcupdate.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 93836ff92be8 stable/14-n270244 releng/14.2/ c55000e7c233 releng/14.2-n269513 releng/14.1/ b8945a926a2f releng/14.1-n267736 stable/13/ 17e935f1f327 stable/13-n259074 releng/13.4/ c1c180910d46 releng/13.4-n258274 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKwACgkQbljekB8A Gu+/Zg//S1n7l9ABmKTrFKWstkDgyNplTyb8VRQ6HQtdAQSa1M5C8MUXt57wjCV0 uOilT3GwT29IzBW2EDe3m8uOGdd3n0Ti6pCn0a11HV/VXqTt7zbbLNSPs7soTWVs oIsig0wmw/oZ2+ZkOvZG19ae99NdLzrV6YSK8NpdnOqwnTiZtN0cxCEdzhAQVznL omYwXjw7todZ1mskECDuaFrw+1R6K2Aw0lpauveNcsGewjV85IML6G3sPKYMJJCq E51LZ/1AfkQ+DDae+BVrGpvocf8YtR1p9Af8nSq16/WKKn4bwsVqFDf+fDpLpHW6 W7P+Ng4KDKMPX7D/ObzTECKJLuhP3f0yZkkOrypIXFC5M34lbmyqJvR4tB7uJeNU uqlD9RNbKY652isbIRZKz5L8gnZpFK0IUTHhcGOpTw8dfF19CsfE2jHoI/7fs8rC RqMRCHo2dlPMP1xHTWfsgS3BYNJgC99CF1VCgpj2PuwQ3tP+CnQ5Ed2tvdTRrPjA /IL3DzH/5hUIhHUPPPnw7m4PHUduXJyG1gvv998oIVw4Q7AXTcTGYU4fLZrEvBY7 r4Zgpy8WkdRYMJHfdlrmSJNf3r2isrVXosw5PLbwBRw1k+V2KlxBRo6YjglbakU/ LEmgLL7D4BrMHUBjqe1m1wff3Urz41tRTQr/IaBjeXxI6jlwDDM= =60Xo -----END PGP SIGNATURE----- From nobody Thu Jan 30 04:52:12 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Yk6851VX2z5mRWK for ; Thu, 30 Jan 2025 04:52:21 +0000 (UTC) (envelope-from shuriku@shurik.kiev.ua) Received: from mail.flex-it.com.ua (mail.flex-it.com.ua [193.239.74.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Yk6845lg9z43Ch for ; Thu, 30 Jan 2025 04:52:20 +0000 (UTC) (envelope-from shuriku@shurik.kiev.ua) Authentication-Results: mx1.freebsd.org; none Received: from [188.231.181.61] (helo=[10.2.1.129]) by mail.flex-it.com.ua with esmtpsa (TLS1.3) tls TLS_AES_128_GCM_SHA256 (Exim 4.98 (FreeBSD)) (envelope-from ) id 1tdMXJ-000000002Hb-2aBR for freebsd-security@freebsd.org; Thu, 30 Jan 2025 06:52:17 +0200 Message-ID: Date: Thu, 30 Jan 2025 06:52:12 +0200 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: FreeBSD Security Advisory FreeBSD-SA-25:01.openssh To: freebsd-security@freebsd.org References: <20250129213102.E4CFA27A5@freefall.freebsd.org> Content-Language: en-US From: Oleksandr Kryvulia In-Reply-To: <20250129213102.E4CFA27A5@freefall.freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-ACL-Warn: SPF failed. 188.231.181.61 is not allowed to send mail from shurik.kiev.ua. X-Rspamd-Queue-Id: 4Yk6845lg9z43Ch X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:35297, ipnet:193.239.72.0/22, country:UA] 29.01.25 23:31, FreeBSD Security Advisories: > ============================================================================= > FreeBSD-SA-25:01.openssh Security Advisory >                                                           The FreeBSD > Project > > Topic:          OpenSSH Keystroke Obfuscation Bypass > > Category:       contrib > Module:         openssh > Announced:      2025-01-29 > Credits:        Philippos Giavridis > Credits:        Jacky Wei En Kung, Daniel Hugenroth and >                 Alastair Beresford (University of Cambridge) > Affects:        FreeBSD 14.1 > Corrected:      2024-07-15 18:45:16 UTC (stable/14, 14.2-STABLE) >                 2025-01-29 18:55:25 UTC (releng/14.1, 14.1-RELEASE-p7) >                 2024-08-01 15:03:50 UTC (stable/13, 13.4-STABLE) > CVE Name:       CVE-2024-39894 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I.   Background > > OpenSSH is an implementation of the SSH protocol suite, providing an > encrypted and authenticated transport for a variety of services, including > remote shell access. > > OpenSSH version 9.5 introduced a mechanism to mitigate keystroke timing > attacks by "sending interactive traffic at fixed intervals when there is > only a small amount of data being sent." > > II.  Problem Description > > A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) > rendered this feature ineffective. > > III. Impact > > A passive observer could detect which network packets contain real > keystrokes, > and infer the specific characters being transmitted from packet timing. > > IV.  Workaround > > No workaround is available.  This bug does not affect connections when > ObscureKeystrokeTiming was disabled or sessions where no TTY was > requested. > > V.   Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > Perform one of the following: > > 1) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 > platforms, > or the i386 platform on FreeBSD 13, can be updated via the > freebsd-update(8) > utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 14.1] > # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch > # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch.asc > # gpg --verify openssh.patch.asc > > b) Apply the patch.  Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > VI.  Correction details > > This issue is corrected as of the corresponding Git commit hash in the > following stable and release branches: > > Branch/path                             Hash Revision > ------------------------------------------------------------------------- > stable/14/                              bf9a275b24f6 stable/14-n268158 > releng/14.1/                            88d5d8108711 releng/14.1-n267735 > stable/13/                              79853e40abd8 stable/13-n258171 > ------------------------------------------------------------------------- > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat > > Or visit the following URL, replacing NNNNNN with the hash: > > > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > VII. References > > > > The latest revision of this advisory is available at > Do we really need to reboot or restart sshd is enough? From nobody Thu Jan 30 14:18:27 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YkLjX0M7Kz5mY50 for ; Thu, 30 Jan 2025 14:18:40 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-io1-f42.google.com (mail-io1-f42.google.com [209.85.166.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YkLjW3wBvz3Hrl for ; Thu, 30 Jan 2025 14:18:39 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-io1-f42.google.com with SMTP id ca18e2360f4ac-84ceaf2667aso57971539f.3 for ; Thu, 30 Jan 2025 06:18:39 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738246718; x=1738851518; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OUoCah7ggXtRYWocUYV8kmT260Ij8gKgNScwdjdlPpk=; b=BfDGSxy2BHzTi6KWTEsxW23Fna9l7Y/0eSuck2xqFp6v93F91N8sFkfqjoTJgDhBUY a8XYAmcHwCeIYIhSa1Rj1/S8qGK5iLdctw0JMKf3ANzZ+KpNyceVSEOCBrCRCNF5Y2V/ 5lQo+wPC3I1+TOdv9OC3vWXoxadaRzNBMEbM7O6YaWHglrkrCDMYoE32P0iAtX6zc1th rRtjJuEaKtFc5OYo1yxLuWPRXqpKRyILgXpdBzS4G/fTrQnghr11BJWy4XAmQlZWkOM+ 2zduREc85jy2U91+8G6psET1xyPoK6qSgecAiJTtQNAhRFXMbWBdMNXw7fBoZuOHqD4U PycA== X-Gm-Message-State: AOJu0YzKWJjmBbhuNIxj93Gnb3oq+5MglGhhbQeeLtdFcrzWBM3lgmgz pkBx2ukmbTFV6HJW6BQO0A8YdWhxf7MNeTeUvjSY92Q6GggN8Y3c7+rmNr78EiQniuAeMw6Qs3J eSLUqJtyG9BY0ZXz8+3vk5WBS4t216g== X-Gm-Gg: ASbGncvW1EMlyrnrVSAjjRkHJ0f0rNLxDC18XJ7g3RQ+/io5DlHsPe/gsln2voAnGOo 9oV3iJc0Hii/C+E2c2eACrn2xpAwwY22iXMN/yTAkA5qsv13Tk4Q+rciMbLLuASkuE17Ywv9n92 3kYgPzaDk4Of86K/iCZwsJUOdyPdBnDmw= X-Google-Smtp-Source: AGHT+IGj7r4TFytZrvW1tgCOaZBI2mf2WsYIpt5GcbVm07v/CqOUY9CpOf6C7PDdavndZ9BWSdJ7cZDOU1J7ulbkubA= X-Received: by 2002:a05:6e02:1d02:b0:3cf:b365:dcf8 with SMTP id e9e14a558f8ab-3cffe45bdddmr63380265ab.21.1738246718245; Thu, 30 Jan 2025 06:18:38 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 References: <20250129213102.E4CFA27A5@freefall.freebsd.org> In-Reply-To: From: Ed Maste Date: Thu, 30 Jan 2025 09:18:27 -0500 X-Gm-Features: AWEUYZm55p575cyKIYOnTyX1PEUd-OTPMsZhfzxHP94DBUrEqAq9LbA0AefAGMg Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-25:01.openssh To: Oleksandr Kryvulia Cc: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4YkLjW3wBvz3Hrl X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US] On Wed, 29 Jan 2025 at 23:53, Oleksandr Kryvulia wrote: > > Do we really need to reboot or restart sshd is enough? Just restart sshd. If you're applying a binary patch via freebsd-update this is done automatically for you.