From nobody Wed May 20 21:54:53 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLQLn0cMQz6fTV1; Wed, 20 May 2026 21:54:57 +0000 (UTC) (envelope-from freebsdlists@montesse.ca) Received: from foxtrot.brtsvcs.net (foxtrot.brtsvcs.net [192.73.240.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLQLm1HDSz4D62; Wed, 20 May 2026 21:54:56 +0000 (UTC) (envelope-from freebsdlists@montesse.ca) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of freebsdlists@montesse.ca designates 192.73.240.122 as permitted sender) smtp.mailfrom=freebsdlists@montesse.ca Received: from chombo.houseloki.net (chombo [65.100.43.2]) by foxtrot.brtsvcs.net (Postfix) with ESMTPS id 5F3A711C100; Wed, 20 May 2026 21:54:54 +0000 (UTC) Received: from [10.26.25.201] (unknown [10.26.25.201]) by chombo.houseloki.net (Postfix) with ESMTPSA id 188913300; Wed, 20 May 2026 14:54:54 -0700 (PDT) Message-ID: Date: Wed, 20 May 2026 14:54:53 -0700 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 Content-Language: en-US To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org From: Jordan Montesse Subject: 15.0p9 pkgs in repo, but no corresponding security/errata notice? Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-0.49 / 15.00]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_SPAM_MEDIUM(1.00)[0.997]; NEURAL_HAM_SHORT(-0.98)[-0.983]; RCVD_IN_DNSWL_MED(-0.20)[192.73.240.122:from]; R_SPF_ALLOW(-0.20)[+ip4:192.73.240.122]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:36236, ipnet:192.73.240.0/24, country:US]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org,freebsd-security@freebsd.org]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; R_DKIM_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[montesse.ca]; RCVD_TLS_ALL(0.00)[] X-Spamd-Bar: / X-Rspamd-Queue-Id: 4gLQLm1HDSz4D62 Today: # pkg upgrade -nr FreeBSD-base Updating FreeBSD-base repository catalogue... FreeBSD-base repository is up to date. FreeBSD-base is up to date. Checking for upgrades (9 candidates): 100% Processing candidates (9 candidates): 100% The following 8 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: FreeBSD-bsdconfig: 15.0 -> 15.0p9 [FreeBSD-base] FreeBSD-bsdinstall: 15.0 -> 15.0p9 [FreeBSD-base] FreeBSD-kernel-generic: 15.0p8 -> 15.0p9 [FreeBSD-base] FreeBSD-libcasper: 15.0 -> 15.0p9 [FreeBSD-base] FreeBSD-rcmds: 15.0 -> 15.0p9 [FreeBSD-base] FreeBSD-runtime: 15.0p8 -> 15.0p9 [FreeBSD-base] FreeBSD-syslogd: 15.0 -> 15.0p9 [FreeBSD-base] FreeBSD-utilities: 15.0p1 -> 15.0p9 [FreeBSD-base] Number of packages to be upgraded: 8 56 MiB to be downloaded. But the latest notices available on the website and -announce are only for 15.0p8? From nobody Wed May 20 22:04:09 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLQYW2zyqz6fVSZ; Wed, 20 May 2026 22:04:15 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLQYW2D2rz4Gk1; Wed, 20 May 2026 22:04:15 +0000 (UTC) (envelope-from cperciva@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779314655; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=fhVZhAdsFIvxBb8uKoXYtUN5S1/C2gQTtyNaAUO2kdk=; b=AXQ7mVqmDUSPlJHmgmm+Wv6eTcyUy3MS0g8spgBHo5/qPPdVvVikYpwcZsrp37BZXyyzOs TYUoJd11xB7jQzLCZcaLArGtbdcK7qdFlW6ohVpG9ZXJaxqr8aNKMagMaXrpG5ga5gzOBe ZVOg072cYzF/hkdcpydV6DYT/nMLvHefB9ttzuZpirXgnqoGYq5x/+QhKGMq8AbYo89pus jwJy5eKbIERpneJ+tfhE0nlYalHLcHvmC6UTsP+2uVpF/o62fGNZymO4TAgjf7SFC35biW n1D5h+JdnOo/odRRnsF7mZ2/V6GRUu8ZWGbyB3bxzTOT6l3/5HaT8FKjS4t+3g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779314655; a=rsa-sha256; cv=none; b=UG09Cvb3MMpW4EKslSIbpHiKcS1YE4p3L8cLFVG/HGn3EWyuhwHMtqVJR7FvCXlCBxyoza EtirPsDY4NcRPoDC7dVZ48bjPAEGtTY/IdG7vLtkaIKwxJQI3D+CGVgjohbFHr8D26DWG7 Jwfbp0rmZk0YitHRCecC0heAWJ92n3O/IB8dV4S9R8NQQ1RIpjHM93lgn/i4VtWFGEnK3/ 2K2DTxxzVc+XwJpK45PDEhrZ7B6AuBzQXGxjxwldZBIvFGP0vot7Jc48kngX3VVlF2x9KP KZsZYuRnd2nYQLeoFHCo/bmlUhA6Wqg3DLMXqWf0gUgi34yMscYpiKKPfBq+bw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779314655; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=fhVZhAdsFIvxBb8uKoXYtUN5S1/C2gQTtyNaAUO2kdk=; b=kpOH8QU48T1Dvfp0mHeDJ8g3JL7yG/+N+Ihv3OwRLN3AItekimDajnvb3e5GT8nx23dAkG 9dCuUf2Q8cPCVQ/7DRtidCPn3B4JXP94NvIXt1ZWWGnJNUJsc/SmVMmVT9VM5KItOZ2JrA /rCAulLWetR/YoNrVzsGAc1yrkU9blJEX1EnU1h40ngC91xSrksZsFH9fnlrWfM0HysywS sjUsscg0IDlkgqWq+S06E6Grz90iR1egwlCnQsSwkZ90HKZQG7T1oeJlUx5W4O10znfkMf Jd7Hi3I9TiFQ+3znjHJOunT0V08lT6S+oNfchBR8rQezgbyFQP9htdSGTum8vg== Received: from [192.168.4.34] (S0106684a76304d01.vf.shawcable.net [70.69.240.84]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: cperciva/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4gLQYV6cLSz1BMn; Wed, 20 May 2026 22:04:14 +0000 (UTC) (envelope-from cperciva@freebsd.org) Message-ID: <8899531a-bc50-4a1d-bee8-5d09357796cf@freebsd.org> Date: Wed, 20 May 2026 15:04:09 -0700 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: 15.0p9 pkgs in repo, but no corresponding security/errata notice? To: Jordan Montesse , freebsd-questions@freebsd.org, freebsd-security@freebsd.org References: Content-Language: en-US From: Colin Percival Autocrypt: addr=cperciva@freebsd.org; keydata= xsFNBGWMSrYBEACdWRqDn3B3SKO7IG0/fGHYtfs26f3Q5QeAcasy1fQLniwGQWn5rlILhbCD K/jdNoDm5Zxq20eqyffoDNObCjnHgg4tGANdi+RmDy+7CDpE789H8dss9y7Pt5DlGGAXQQnt hxush3EYS/Ctprd9UUL/lzOOLOU1aNtzB84tNrJBtcJmL7OYHfyTSNFxvedqJrrasejIQOLI t/DQ89BPzz+vsKHz7FJPXh3fsVkzLA00DJYcfkgxyABfJNA7U6yMwd4DVSdx/SsvfIDMVXnu UXCXswo106WPZbYGlZPpq0wW6iibtTerJix+8AeuwXvl9O1p8yESK4ErkIxCnmghTSz+pdzj z/6xBRkdDM9VdZ0r+CzsaNXMpDOzFuKyjaiYBdgCLljbDnXIHFcqXenrZ7Xwkm09g/M4uVSh pIUG2RYa6tsHSQoGCp3f2RZv1znfViKQFbbL83QjtPA20AhseZSYbHp1FPhXyy9J0wkGL16L e99g6gdGeIRE82BZjBjKGDkoyDPq+oDRSFl8NtzmIKy+cfz00nViqcTF4bREXEawFGhlpO0X O9q8mijI9iFB6zaPBiSdJGBL5ML5qLTNCl8Zlf4m1TBvmRTqF/lzMHVXHidDoUhpSh/y3AFZ 1KrYc27ztJQywDJPJPWPbtY8YhFLFs377gfP8WldsZjzp8nvoQARAQABzSVDb2xpbiBQZXJj aXZhbCA8Y3BlcmNpdmFARnJlZUJTRC5vcmc+wsGRBBMBCAA7FiEEglY7hNBiDtwN+4ZBOJfy 4i5lrT8FAmWMSrYCGwMICwkNCAwHCwMFFQoJCAsFFgMCAQACHgUCF4AACgkQOJfy4i5lrT++ ig/9GZKdN2fHSyrANKZX38ivd7IX2wAYouqH9DrQM94W8IciaDLmarN4Pl9mY+aucMwQUSyp uNtKOJwKqhVVaalF9Zw0sRMH4CJuvT7vKCtZ3q1Okb7soRvFte4d+vXhvPxCvBFDA5JzU7Lg DR5eqqcvF1dN1OuCq16pl0zCOSH/Jr5ToE3LM3Av1KBGcZD7ZSzHRWsFjV5AOUJKySuA3GwJ e/jASQcQ0YfCnru8ntLmYg/2SKvZFlfthZiCBnAppMt4n4BUAw3TDvf10HIDtdneejawcbLS gofLCvGqumwbZYAMKWrFzT4+7KQvr0pOw8QD7EbxnB4f9hQ7UiVF8qWsyKU3iv6b5JLhbS59 ooKRccyOvdMLcVJ0ZdpqoxrNv061ZUqLL5RiWjBlc1qjBnDxeg5oyM0rT8WLftdgvyH6RQt0 KWngumBAT5AT2DUYL8Uz1490cqfO9K4yEGZAJB9XRVX1g2IWTOjae+0g9ZII+h91UngFz+Rz aKDeseKBbCGDOFXx1TqKiHl2g255ZnUxKYTlucFtguv4gDGBgEk4G9JaEWBw1IWblcKhxH7L 2vWsUhvwghjIxHdO/RkeIeHvSp4YZxCJ7a3TaJLYAlwYopfTKVzNhcDY5h5syEuoHjyJCxXK SyoJYAVu8Yl2KUhvOtOmL1VZ6xyHnpdMRWKJZ5jOwU0EZYxKtgEQANYfgbtUMVnhjxDHhWLp g5kLHK3YW0TfJKzpXqDB7NiqxHofn4OcbZnVC3MKggcbs9o1/UtsjnlsG8550PfiYkDXvPiO RJwgbGs6MGIDK797C6cnBLQ8xwBa9SL4cl5iQFnhWmt6vwnJ+an/cm5JpYves3wL7jV09qU9 57hkHXEUcl38r4FssZzVcLKPUVTa3Un+QGRTGDGe/f4ctjMaqv0ZCM+l2ixPhf/vqESrfSLv V/+T3dmtUfXjazO3SABvsHwxgGuTTYOlKoPCaebr+BRdqm0xeIShoIlhvTI8y4clchqx/Uxg UG5X2kvU13k3DS3Q8uLE4Et9x1CcZT6WGgBZSR6R0WfD0SDnzufNnRWJ0dEPA2MtJHE7+85R Vi9j/IgZV+y5Ur+bnPkjDG1s2SVciX5v9HQ0oilcBhvx0j5lGE9hhurD9F+fCvkr4KdbCknE 6Y8ce8pCNBUoB/DqibJivOzTk9K9MGB5x0De5TerIrFiaw3/mQC9nGeO9dtE7wvDJetWeoTq 4BEaCzpufNqbkpOaTQILr4V6Gp7M6v97g83TVAwZntz/q8ptwuKQPZ2JaSFLZn7oWUpYXA5s +SIODFHLn6iMoYpBQskHQjnj4lEPJadl4qj+ZKA89iDAKsniyoFXsbJe2CPbMS1yzBxKZq6K D/jpt7BOnuHr/JrXABEBAAHCwXYEGAEIACAWIQSCVjuE0GIO3A37hkE4l/LiLmWtPwUCZYxK tgIbDAAKCRA4l/LiLmWtP3jmEACQrh9gWe8F1Tkw3m6VoHKwLc5he4tX3WpQa//soPO6iGG3 S3WPruQ46NrAaAojoOcKI9UONDO5rxG0ZTX53S+lu2EO47jbcLwOCjaEpjKpDRt9ZXBQE8Xl mtBE9Bp3W9gpjB1nE3KNM1mJYgsK0QdRpwwfh4pVgGpOj8j23I6MCK+v99zEBnpgCn2GX8W/ kctRXHqWwndHysOJtRP/zrl7dDaABF1f9efUl0LL3TD3GJ9VDz+DNOin/uK2a1hiJo8QzTRk PpfUQ2ebzDsrd1i/pOWkMSkdH+rEu4AGrXWtaBwrMyrGkL6Icb6yO+P9/z0W2wlgBf3P1YRt JPgQt/Dj3yvA/UnaV/QmuVQPjl13o24UnJGsZM8XGnNdfWBKkC1Q6VXC4QT+dyBHYH9MuE9d 6oGl8pFM1+cTfEfbM62/rRoPkF1yHMsI/903VxEvuUIKfhEZAVLFyHldooNxuchntHQP9y8J 8Ou9bWYQP7MnEn+kwSwrZkjurfPkan+xQvp6dDYnj3V0GwA5pprBMaB928VIDVOv+1PNQI3t Cvk5VPv/skq+TJRMHW7bFSt8PRa91cUf1FOLIz9APDiJOzXkwxUEHGV3zPSaUhs1JYjyBeGT wDAvtLUdjOnRhEUOwlnIrztmvyciutjJoVzKEEjj5WXnHk9L9kQ1bpAjkjTONw== In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 5/20/26 14:54, Jordan Montesse wrote: > # pkg upgrade -nr FreeBSD-base > Updating FreeBSD-base repository catalogue... > FreeBSD-base repository is up to date. > FreeBSD-base is up to date. > Checking for upgrades (9 candidates): 100% > Processing candidates (9 candidates): 100% > The following 8 package(s) will be affected (of 0 checked): > > Installed packages to be UPGRADED: >         FreeBSD-bsdconfig: 15.0 -> 15.0p9 [FreeBSD-base] >         FreeBSD-bsdinstall: 15.0 -> 15.0p9 [FreeBSD-base] >         FreeBSD-kernel-generic: 15.0p8 -> 15.0p9 [FreeBSD-base] >         FreeBSD-libcasper: 15.0 -> 15.0p9 [FreeBSD-base] >         FreeBSD-rcmds: 15.0 -> 15.0p9 [FreeBSD-base] >         FreeBSD-runtime: 15.0p8 -> 15.0p9 [FreeBSD-base] >         FreeBSD-syslogd: 15.0 -> 15.0p9 [FreeBSD-base] >         FreeBSD-utilities: 15.0p1 -> 15.0p9 [FreeBSD-base] > > Number of packages to be upgraded: 8 > > 56 MiB to be downloaded. > > But the latest notices available on the website and -announce are only for > 15.0p8? They're coming soon. :-) In the mean time you can see the patches in the src repository; those commit messages provide some context for the issues which were fixed. -- Colin Percival FreeBSD Release Engineering Lead & EC2 platform maintainer Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid From nobody Wed May 20 22:23:36 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLQzs0cl7z6fXD6 for ; Wed, 20 May 2026 22:23:37 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLQzr5nRLz4M4y; Wed, 20 May 2026 22:23:36 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315816; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4cXwYz3lvUZa9gUk3NYjNr5SDcXuUNm6hsF/MSDb1b4=; b=eFGdoSf4p4UiuMUPCSu4w58o9xCdqy1fLJBIxQ1x97HV2l3jI6CTtwf5/OAQMFAPPp2mt8 DhEdk6/B6+563GeB/V0dp9l3sRiRzcRcDTw6I/Zu577cxn0jCPd9aNXpoopcIzBVEFxIdV tOsGxXLLO02MuoS4VbRk9RuRL3uCEFKmHj+5CgAR38Je41FNsc4quJt63R6kSLZxwVsWki 6so1PyDjfQW4f81OwiAM4aL58yrPUl1K+8KjTTVp+GV8gxgA4bOYtyJPNAMW5qEaNtTOKa IRkgMg8lA/QJ9frU/bbh/e/o5FizDy07LxkrYSrhMmB1+33HKx1PuWzkoVqO3Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315816; a=rsa-sha256; cv=none; b=o7QjLhQM8AFDN4wKd3DsRSkA+Mld0ZYNkNnx25I2A5HkOU3evycdY8pHPs5ntHNPg3oXYQ +3A5DCR3RnZzZfvmdrYoPgrQ40QtrWAO+JS173+du3WrtMpo5juCZlaf6URN+XDZot9D96 dYkTPT0QZrm4beceTQr9+51Rbpe5HYNiBizU2PR2BkINdKssOG5DdI72JyW4vmGECskVB+ RWDgv7ntlgdeXpCemh7N4br3wa0mkACwZSqcxXTFj+mYUyZCNBQtc2QWMacfPP2mbg6pKZ dl2AiWbIzqNYIFEHtqqgh7OBNl45suc6iuZYhZmRTylNBUfs06RigxKxNPZfuw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315816; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4cXwYz3lvUZa9gUk3NYjNr5SDcXuUNm6hsF/MSDb1b4=; b=tYkGEGJbxesImqZqWudsst9M28h0X41bdZJNwUD4Szkq8DdVZUbIv0sOASngcQO7amaitn 1zAmKfuGHhjlQyD0sTPIQbvJ5LjgD6C0zhN5Szj4CL3GJmvWs9TxFi2oNIC+m2HsFilCXk QDlnVvREM9QR9eQqqu+Zm6i00+55+iX6CvYpCj31b9mxYBTbXwbQbN3maRuvlEYrvjBpRs E0AA4ZAJyzEXS9cHfYwczxdoNDPkju0qGYGttkZRk9CiVINN8CJ6pSVuugcIVeK/r/qr8n 0S2yzNKbdlvAFRAouEhJDvnEYlDaYCNRUsDCyJGGbdTpGgcWLq5yLBnA+ZHkuQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id B3A779C43; Wed, 20 May 2026 22:23:36 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222336.B3A779C43@freefall.freebsd.org> Date: Wed, 20 May 2026 22:23:36 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:18.setcred Security Advisory The FreeBSD Project Topic: Stack buffer overflow via setcred(2) Category: core Module: setcred Announced: 2026-05-20 Credits: Ryan of Calif.io Credits: Przemyslaw Frasunek Affects: All supported versions of FreeBSD. Corrected: 2026-01-06 13:34:30 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:28 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:54 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:54 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:32 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45250 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background System calls are the programmatic interface through which user-space processes request services from the operating system kernel, providing a controlled boundary between unprivileged application code and privileged kernel operations. setcred(2) is a system call which enables a privileged process to atomically set its full credential set, including the real, effective, and saved user and group identifiers, as well as the list of supplementary groups. It is intended for use by programs such as login(1) and PAM(3)-aware authentication frameworks that must transition a process into a target user context in a single, race-free operation, replacing the need for multiple discrete calls to setuid(2), setgid(2), and setgroups(2). II. Problem Description The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. III. Impact Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch.asc # gpg --verify setcred-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch.asc # gpg --verify setcred-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ b6cba9028457 stable/15-n281743 releng/15.0/ d98c0a494a42 releng/15.0-n281038 stable/14/ 8eb0bbbd2e46 stable/14-n274162 releng/14.4/ 34da5845b8d4 releng/14.4-n273702 releng/14.3/ bfff5c180193 releng/14.3-n271502 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvSpsP/38o7yHdNEMNMPPOBtKZ 2dn/vmcOo1srkhUx0kl2EVBzirSDsTVkWfUq1Txg5JA7/pG3On/YiaAmUMi9jHqy q0tgkyO/scKGWNDYmFIA9QAXAwwSUZnT+eEwt3IawOzquezD/qr++CCimntSUzsu IP3oMFYaw9JvMF6Z6tTfcYYA02CF7nRrtIJtrxfWkgyDoMoikHsNW4o2LXJTz4bV 2uk7BuQKbDc3gxoEBYd0bulXBa9DHsrfS59eEnbb8txrBjt21aQGjBY8SJSoFyYh yZixmadpZ9J4oTBc03hOO2Z2BN5f/QficGIU4t0wj0A8EcsrspFMDRj2xd/5zi86 VLqiQf6WJbgVyytUe5aYbBPC6eH2TRnMWaOERbocNS6xQKcYpZYqwnVZ77n6tPb4 wKQd+qKYM74lf0BPCBc60h7yo9e6Qd8puGolyL05qdZVB+c3m0qB000gsyNFytFs kQSovaXFf4r0DCEuBixE/Ic5ADwl7A4pCIxqwWwJlnrj77XCobNEQJtajkrapXsU MSLQ20RuRiVNesgyjP9dZCk8enuOl96TwrvdkyqvSJgb0Gw3XEeyCWT4dAE+Fh3A n8RhQeY6YWWk+DOiuw5Q5v2PyoBNoV8jV2AjeXzhIOQsyWGeSYQ2GeFu6PW3UyzQ olNjUPjprNwteRkUuGHmE3zQ =6aG+ -----END PGP SIGNATURE----- From nobody Wed May 20 22:23:44 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR006tLHz6fX0X for ; Wed, 20 May 2026 22:23:44 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0054Wdz4MCB; Wed, 20 May 2026 22:23:44 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315824; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZpMjib41uHiT77B/j4Fl3NTGZ/T/iGPik6i5BqYMPDk=; b=oBdqHJJWWmZ7QvW3JI1n3w61Hl/pjxTTyAjzj+kLSwnLN9Rr19nE3vM5rqYab4PMUnmr00 //+zINOD/uJ8ROdGYycT2M9Qj5ku+iXBBLkKDOmuaYPIMz1SDdT90I7/ndKFSxthC/gj2M TzQsN1qTutsD+gz72yUjNrgQfKKTS8lsLcgmvgwda/aagtmtZWgKf59ZJHPoTf0oy9R9Vr AFpR9w+JGYx2FUKq0qGJGz6+KRowqGuGPP0wA5ZyDl40c0s1/Qpjy1OJQoVyx5FnfLVzD1 0P03x5TOdYV97ghn5B6Z9eigDcLhMuDT7uOwiGD5Sb7NGacSBqRNOr8kcU4hOg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315824; a=rsa-sha256; cv=none; b=lllcgfjl6hb3M8KBlgxzf6HgnOcHg96dq2NuvBp/+WGS0T7hWjvdvK4cVN3Xi0lDO/CNVl bSKCVgLSyYXe12j94qmcy43i+WJ9xmuO2UO15RUzIygqm3cCOQMkS/BasBlwrAccEiP8dn jS1b3cH0IE2XFXZu2b+0c/XBwNmEy9Pwx+3hAu8yYrKECxIkBmIfp/IoczjbWx8OYuf2zV hYzUrCArA6peJMiDq7lRTfMSET4Ucl5zmKdCpwBfIFTVz08FPDvT+9T9fg0KrYOlUaJiFZ QTavdKfZ3KIArGTmOXTy55TkTyMH9zp5yUTSufeySLoK48dFWGy57AN7KoDDKA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315824; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZpMjib41uHiT77B/j4Fl3NTGZ/T/iGPik6i5BqYMPDk=; b=fNk0MntvzcblzETucTIBl//dKAaCkQ0oKtQLIY0YR4FB73mmtOmjsSUw9cjOlN4oNbioA8 51hN1KXlVMsGPX4WPkkuy0NRMjw3SWb+21SI/Tv/M9aRITJr5aRIzsTGfQo1DRs79q2D2K XvIsApp1vYcIEHoRk8RfGqqJya/RlM3rkrndt85V87G3rCen7r14u1H0Tsih/z9ILC03K6 OhEhumY0rn+wl8lLd/199zzNxSk4U6Jzd/svpQbh9e65oQOjt2C+8/78YemEL/XBn0Snmj xpsudUlF+CWXCSjzoPzlozjTQMUVmTM8w1wRYKL6d2mXfGKiUGC3pvxBE7OaZQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 954B29E1C; Wed, 20 May 2026 22:23:44 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:19.file Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222344.954B29E1C@freefall.freebsd.org> Date: Wed, 20 May 2026 22:23:44 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:19.file Security Advisory The FreeBSD Project Topic: Kernel use-after-free via file descriptor syscalls Category: core Module: file Announced: 2026-05-20 Credits: 75Acol, Lexpl0it, fcgboy, and robinzeng2015 Credits: Ryan at Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:37 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:31 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:57 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:57 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:34 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45251 This vulnerability was independently reported by multiple parties prior to publication. The reporters' findings prompted a broader review by the FreeBSD Security Team, which identified additional occurrences of the same issue in related code. All known exploitable instances are corrected by this update. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD implements a number of file descriptor types. Traditionally file descriptors are used to perform file or network I/O, but other variants exist such as process descriptors, which enable operations on a particular process. The select(2) and poll(2) system calls allow applications to wait for events related to the object to which a file descriptor refers. These system calls are implemented for many different file descriptor types. For instance, a process descriptor may be used with either system call to wait for the target process to exit. II. Problem Description A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. III. Impact The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch.asc # gpg --verify file-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch.asc # gpg --verify file-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 53a78e582a6f stable/15-n283641 releng/15.0/ af79f4148450 releng/15.0-n281041 stable/14/ b90b25c3779e stable/14-n274164 releng/14.4/ 8d8694c224e2 releng/14.4-n273704 releng/14.3/ 659818009d15 releng/14.3-n271504 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKG4bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvA78P/iRlQXxVUpth5tRn2FiC lseIWOmh3DVI1OjwFQ30VydwnA5rlOqPPTpF2hsT0ee3ExS6pUKITi3735BmkPvT KvnOKkY9A2DdzXJQ9eZvrVJRN1/VlKx8Us1VmWWRxPHghmcqqTY0wN2lFcsyqcpN 6Wdi51z+X5sLWZZsLsvqAskWiCNqUzBSSWqCTLEW0tBD9AoW2BPQcpAeEmx4MDch Hk2/pecoUL2T/hu3bjo60CTp3R7E4gPt9wM5Ejf32vwsW0sTNkTmy7HbZCNmYHZw R764O4i4poDzccTiXxuhXdrIDXmRQwTyB9d6S12OmP8ec8dAQzm9p5xl4HoHhOho 9zTMCiLoU+ApN1H+bXqN9JvmZ9hfxGqdPaJgZRkQ11xRHg8tz48SigON/vxlbYff ln9EJ+NGEcskrbUAG8cUCJ3/a8A7xLQo07TpvyddeUc6ufk+nFEBzNS3rpaFNy5y GqFIOzqISRSsE1tf6rrItULQEKWtOMUYvAbrcLRwPAQ1cav+sOv9YlfpW36s1+mc CyuXDh3pbN5biajjImGO1CYN92mq/Jfz/cRnvQub+78T+4w6yAxj53fBNg97tIOI b7EISAnbgGj5akQRGJXJ84iuYij9xTPEOCSbfgAqsWXKz6l/bgSoVUhq/e0/dXKA sr+3pjhi5P7N66SvO+7iEpYI =iM1b -----END PGP SIGNATURE----- From nobody Wed May 20 22:23:51 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0755jvz6fX6J for ; Wed, 20 May 2026 22:23:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0732Nvz4MNl; Wed, 20 May 2026 22:23:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315831; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=IoqJktqJhJIQrIp/woa1yvEhumXRT7b1faW4sP4dqf0=; b=vKZNLszUL/2eXfWdNh/M0SecGmY+gYvslvp+pGtqmSSzfKB5fR8OOiFa6KB7SNDeJ3upsm fXARHsFXwGS+t7wpJyVRXFDeFP7PNZaiZW+YXAJ6GPWKe3yOYPxdn+w1/pQlnX4YlcodXO qN0OCgTzq9ZDY0Mljsn2ktY5m28AoNeK3IMCZgzdLfNXMIi2CSAO9laBvZIMXZ8R2D9e9u k8NOMmpvLo/QtIU0ngzAUyCr23mXCGXsmNIN9fkZuYy1hTz5DCpHqPq8pml2Qt5+J0l2oe kBPNuzi432jVwvcIQq5c/nV41Wdopbw3bJk2swuQ3/YPUTX+PWo8RSq+EM2Cuw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315831; a=rsa-sha256; cv=none; b=F8WsKblvCyKiStfSJw41CIfQPrYu12fIc64o09k5CgXeMlsl6rZ/bCJ08TnfF+i6cKkLcx ie2WY4Esm5znSMMjo5Iv+EgpEA1+AsgUTwy4ufYuFnOCNkV6dsmuJ87KsM9nrj/gB8OYUl JquLcD9bwg8d5sgzPcctoBS7/VS1bZx1eAzDkYieuMt9ds99VWjdBa8EeT455GxXYwysVR DTUXHpxRguTUlQj+UH6OsczBkrlBLkaVYdF843ie+U/YjczqmzMqxhDLteXM5wUfcLBnT1 Vx75xb/XAF8n3Xa0BD4Su0rpDDpX0HMzk0RNZwNlEGxAZ95OzkpcjSUoA6ULwQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315831; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=IoqJktqJhJIQrIp/woa1yvEhumXRT7b1faW4sP4dqf0=; b=N1lM26eaY1kmb65aEJXEAeq1+w3cwYzzf842lngyDZ51RQnwF06maXhu1wPdsro+Gfapas lRVgmr9dfsF0LzoCrVXTdNnwN1QjhXiTr6z77oNzaRpHWx4ID1YpOuJCO2k8We/qRSxZP8 7Zey/WlEIbueUpjXOovJLA1T+d7bXSlkp6pCS6q7B1RFqDjMmASHXbE3jeO51d6AlewBWj HyOZgWBUFdEZKM7GoSLf+Uowg63qXq8wRoJLLoSShxD2RC8aoh3Lpw/ALHRNEj801WCtba p2oOAIP0f/iE3GSGSY5DXSPI7OKoRAhTt7GWN1anHXoLCtz6JjQn96QlfN+8cA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 5F9809CCB; Wed, 20 May 2026 22:23:51 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222351.5F9809CCB@freefall.freebsd.org> Date: Wed, 20 May 2026 22:23:51 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:20.fusefs Security Advisory The FreeBSD Project Topic: Heap overflow in FUSE_LISTXATTR Category: core Module: fusefs Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45252 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The fusefs file system delegates file system operations to a userspace daemon. This daemon ordinarily requires root privileges to operate. When the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users are permitted to run such daemons and mount fusefs file systems. II. Problem Description When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. III. Impact If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space. IV. Workaround No workaround is available, but systems that do not load the fusefs kernel module or set vfs.usermount=1 are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc # gpg --verify fusefs-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc # gpg --verify fusefs-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc # gpg --verify fusefs-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ df3f3fa82775 stable/15-n283642 releng/15.0/ 0dd8b983db3c releng/15.0-n281042 stable/14/ 25148c51c8c6 stable/14-n274165 releng/14.4/ 6a299460f159 releng/14.4-n273705 releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96 AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot 42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR 9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V qAWdXCXwrbOr+eA50IIPxkal =HzW3 -----END PGP SIGNATURE----- From nobody Wed May 20 22:23:57 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0G0SgCz6fXHM for ; Wed, 20 May 2026 22:23:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0F1pYYz4Md9; Wed, 20 May 2026 22:23:57 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315837; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=6OsagTGPlqTBwd8HsfIz7pUOU3GBimSeg8LnbCRY1A8=; b=ebWhg8LX/NyKYoi88ML9C5PPEYbCCBExROBcNLMKyISxVUVa78HGbXjmmh6F2ah70FAEmH wLS+jadaFDHgczUmOFScEjewL0zt+SQmFN5gEA51pmIWECKek7OvD9JgDPoMYXx8nJ7yvy 1BBjAMy0HSQenmp4vSVtM6APGsC6+c/oSB/FL67TrJC7/WGMjXqkc9dm503r92yhZMiLl1 3xQv7pSjvOf40Um78YAfRZ+jyrIowVGcyp6b8mPEPxIZ+Nf6Mg52wjsgLQAkViC9jJ21aA c9n7MicmRQ3jbQC6B08XSGvROvgBvCjq8X1oNtS7n2eoubjmSVKxDCM3KUp4Jw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315837; a=rsa-sha256; cv=none; b=jxSEe2jU3Yvg0q/OVH+0OyCWSXh9Ts/XQt257p0r53oEuCVtjkmL72HdleX0CKoTETEmop c3qPrVmx5mtBT2j8sPdSLcyu6tTgsQkr57aC+VGwj3Q/SbGdXpPJW3syrhM99pDIY+wuX0 eVrv0dKJ66lXd7eESqOb84ZeSs6NhUX4TU+TQQp9/AOALu2lMz7W4QUtaYR7ggvAoPqjMh BZpCfBBs6TgRG2Nmer/g/c/c5I7EWtqf7W+bf+pBog47ywjL1iQoOdDjyZ85oJF9ixOGV1 XlrAxtP88NS3jMoEhvPV0j40+ZzzTYvrBbga3ZzLtttWLGf9yoiIukhRq0BbpA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315837; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=6OsagTGPlqTBwd8HsfIz7pUOU3GBimSeg8LnbCRY1A8=; b=udCT+WpUIx90wMXPM0ssky7foShFlunKHAwa6MYMHi7rNby8F0D7Ruob8FIiNHdvj/VTJ4 wvGkUG6y3zVPM4fFsiVUPRiayLH42G10mCat0pyqZ2FBtQ0NiCf+FYji+TbJKt6qUGXbf6 XCcr3bPyI8zTo1Drq6XTOXV++NlhCRcrZ/e0hDS5ACLmAJJRLpKm7i6YeBz98Hof+h6lKD q5qifTTiuRHmqmM+ByXcXOeXWgCXEA8OC0Llz/7Oomc0Hv6zjc0Di8KXrBQcKECr1UWOMt aq1JWC2Bq4kvQYz0kQIAJF48os/EhIegTtuc8RvJ1i/PcvkoDhQZu7e67jFtBg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 2565C9CD0; Wed, 20 May 2026 22:23:57 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:21.ptrace Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222357.2565C9CD0@freefall.freebsd.org> Date: Wed, 20 May 2026 22:23:57 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:21.ptrace Security Advisory The FreeBSD Project Topic: Missing validation in ptrace(PT_SC_REMOTE) Category: core Module: ptrace Announced: 2026-05-20 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Credits: Ryan at Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:40 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:34 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:59 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:59 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:37 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45253 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ptrace(2) system call provides facilities for a debugger to control the execution of a target process and to obtain status information about it. Among other capabilities, it permits a debugger to execute arbitrary system calls in the target process via the PT_SC_REMOTE operation. II. Problem Description ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. III. Impact The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch.asc # gpg --verify ptrace-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch.asc # gpg --verify ptrace-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch.asc # gpg --verify ptrace-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 3b4afab9add2 stable/15-n283643 releng/15.0/ fd24dd0b38a8 releng/15.0-n281043 stable/14/ fac902a3e039 stable/14-n274166 releng/14.4/ c21d23f0f8be releng/14.4-n273706 releng/14.3/ 45bd421661c4 releng/14.3-n271506 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvLd0QAOQGyaTmlTQJTS+EIPMU +poVU59Fe4L+/+H8LSibnCPBbycH1bv6m9e906s/za0IBLGVq7PhY0U1YtPO5++J A86nLzgqk4hEU5RWmA3+dnLYrIxOf3fVvSev/XAZe/1eWwcljYRCtqLV+IBmyxeZ amfYoXliUTuZHO+r+88HVAgDy6efZ3IlnHF9iMlpsF0IFezpgFh4E6tiJk9/pMlz wuXpHCm34rEjy6bvQaDP9G1zXGszrEatT25d9rKZnHscZCQuRgtpLaOVCuH8oDca +1PFTfTNJnepH9Ir1nSaYLViZdHfuDK40CafZm54q4669AramrySoxNJlnNHOiMK DN4aqxMfW5xCEEK+fIJYqTyW2L3WzRJ8tm3bF/zzsMYTsNmclcklzmuMNqsGQls1 TGIhb+J+e0vkdZOpuJaT65pmGaF2dJeBvwNsIMJgtY3yotUPbDFD1ALNVUwIkKYh m68XK0Ykw93ySLjbORUVFLP5nv5PvYtubAy37q5tskN6hXLlyX5a0QxIL5T5u0jx hwDnyl4UAHGmkBM8U0CnaQbixP/yV0p5q+3NtpBurHB74tov593/U1eroydDywRl Mw2R3k7AFIC5CszwMA6J0l3W2tLq/j7tcTQ/8CNgPpP/TPVntQxQShxB93F+/MdX n9D4phEb7cKk4Y9QIBKkdbYZ =egz5 -----END PGP SIGNATURE----- From nobody Wed May 20 22:24:06 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0R2dgtz6fXSd for ; Wed, 20 May 2026 22:24:07 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0Q73sgz4Mvf; Wed, 20 May 2026 22:24:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315847; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=L8ZpLp5LiN70Ck2C2ufmL30jxXPr4dh3RvQfJMtoMgc=; b=Pu5wfA0rw8RQ+IreYOpy6RedRiR1I8xXMf9bdY7hYzY7FwbpTkn/dgNXI8D/0dmD0x1lvR +qv3/WpItqxRyVA0VpfIqaWIdepM4WaVvAc/DXmXGLr8VKgoYlnthKEhnGlhKn6hzpDL8p W4HEHWlKYMYsrcoaNCyoEh+G5Zv4RiHBvKZ21TXaanFAXrN4zkU5XXKEmqMCLTU1oeVPdz FQP1RRgiIncyZpMHehfUVUeYqOXbrc3qUVQRmeYj/nc1PgStoKlINtgKZspSEDG1I/ym8e rX/zVFCjgLr/0rBFenGvJnJz/rxBlNeVp9NA2QBBkryYu1ymkbhYjstrFlWF3g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315847; a=rsa-sha256; cv=none; b=nmPyIWiPNvA1ZDW8crz3mO1VwI8HWrvHB87uiK2lz1TTvK4faTTCckzb6/MZJRY2qYXL2l yRA1bps3fqU3fek1Zv0vvTwFZZbIWIY09NcCchuOCrjlJKj1q/bEObGhecaR/GvEjF69sV 9KEKdIkmWC4W3ATGrl7aRyv5dmbqbpvW6jggjN0eYiUszLe9rLrtlK/YoJ586Ol0rLzl2Q AYn0bDOufMBqCeG90i0Br0VHWqEFzuauvrJDCr/Bg1AkU6LTdbyBI0wPmkCw0tAmTzPgCT UmubVfvMAvzIORMVjx20qgOZVw7M+QSPV9jTyE+9WUmuFFiaBw/gP5VblEeyWg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315847; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=L8ZpLp5LiN70Ck2C2ufmL30jxXPr4dh3RvQfJMtoMgc=; b=vbXKbf2BiGikHqEDJID989HCSjDJg9EJ9y9D9Id9as3T6RlThxMW2NdWbq6LsW//BIKwef 0WTSbh/MCv2jHMnqFOONNRvV+lcOEPG+Gpe+0ZPv5BoOkGALB9fjYKx7srwv+re+b4keP5 pmueVuVw3WADIxIlFYH3EGaInnrC93y2zZtwQpw4XJTLgdYOr/qYIn8HK2ksX/SUX4a2VP 0nF4G6gk4Y+/fqvQgh7iObgt5Vm/YjZGzQscvfLKBbxpfroQPJgosS9yp8yNk3P1K7JTYi AxUAwykmT4dBNMBKvUlD63eKqHqCQP9c9lTwzOkNe+qlGvuglNug3ULDT88Lpw== Received: by freefall.freebsd.org (Postfix, from userid 945) id E8A7C9B7F; Wed, 20 May 2026 22:24:06 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:22.libcasper Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222406.E8A7C9B7F@freefall.freebsd.org> Date: Wed, 20 May 2026 22:24:06 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:22.libcasper Security Advisory The FreeBSD Project Topic: select(2) file descriptor set overflow causes stack overflow Category: core Module: libcasper Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:41 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:35 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:38:00 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:40:00 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:38 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-39461 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libcasper(3) allows Capsicum-sandboxed applications to access system interfaces that are otherwise unavailable within the sandbox. It is used by numerous programs in the base system. II. Problem Description libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). III. Impact An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch.asc # gpg --verify libcasper-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch.asc # gpg --verify libcasper-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 23929d729d1a stable/15-n283644 releng/15.0/ e22f3f55c360 releng/15.0-n281044 stable/14/ 9e74d5e2e5e4 stable/14-n274167 releng/14.4/ ae34dd1a391f releng/14.4-n273707 releng/14.3/ cbec31838173 releng/14.3-n271507 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHsbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrveQAP/iyv1O1XI6tSrRictadU 9tBJFE5WlWGPrB8ID/12nLsKaTM5hzbA1G+v8c3So3FaSEl+m7D8BTri4X0XPibQ 5Pp4v67MO+yqsNxOjwyqAizOnD5bk/sEUuBV5JijZuqsAiEWFw5l0dKDU83zt3vu hyk8/eeKuIxEwDiWQoeE32RM3BupY1ClWp46kiSjvOVzUK04miHQjgFFnVqkBuI7 DeanTjzCw3g+RQNTRKVGE2LYRLFHka6m4Z5RYT7beFOLdlD58T7lvQLl3l3f2QSR hXcq5RxAhf4omPkm432fIdd4nev4gti3rxJC76NM2rIHGeSlRd4O7MHreNwNkU2O 8Rv8IWMCM20zZCtbov7q8XbTqKp8JXSJ/8g15iZuZ4wk+THnpRy7dsRe5eYQvVbB J/zBKB9xMXGp69+88uZHDsSSoS841pkZ61+MlxeK4xC3MO6tlTO0Hannhmy8WCb4 U5GimvX3EcvhGeBWRvPTdPJY9EcrDPDU2djaiFzPZZ7rrUjR8YJ685fyj161nnb+ ibubcwiz7ygQu8b9T0rc1AV5ZTAC/QAlRarDpRNx2Ynh/FlZ89n+N5LnSHwGXc/v /P+ob/5AqdLfyofw5pcx/FVuAiK4bjqDGGYuZw1tplg/L7AV3k87zIMYdCgr3e95 PyQCsFAG014gMVETPGHKm6/7 =ypPx -----END PGP SIGNATURE----- From nobody Wed May 20 22:24:12 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0Y0bfNz6fXJN for ; Wed, 20 May 2026 22:24:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0X5MRNz4N3q; Wed, 20 May 2026 22:24:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315852; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PhP+Z4H89uK4q1vJShVTYwkuFsB+BX+yUcZ1trMS1SM=; b=Uorb6Z/8MnndqaudENfG+8Dcd2ETJtXi1GQzefD6B1tRgvbgDTj/lFbGnjzq41/guQy/aT rC5CJs5n+UABz6RQh8Etlev+N1ulr3UrSJPngab/RggvtFGAOGDp7BuiSn0jZIuSXk+4ld lhjriwKSkw3b2TR1CzYK10fzsYKo/uF3eiaq1byd+NAaWm8eTcB7XFI0OWkijUFscwmAsd bzbiqAHrOoZvB0kl2A9NF5pR8AeburPFX+g4sR2K4/rUlK95HjYo0aaQkgKgl/PS1knR+t 9ILXanT8FrNqi+ISB7Vv1ZrbfqDyvDPXjbyfr+X6zzqdE/0UEzhRsUTMz/117Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315852; a=rsa-sha256; cv=none; b=IxmlW06lqOwxGD1nC00MVAO3CEbQW3h4tYwVR4myCP+meFrpXJqn90ULebfwHLVn2nOXUc BlLDJYc8a8JwPB1fDXiV0gpOydNZr0cFxiFia4+fFfUsVHNXF7C2BiPsl3aFUnlw0oUPyY aV50dEBxnHq0/FIkX3rGE/F1SE4+aaHmlt9g9kTHAasDeKPeGlZRxH6PZXrLpsmJsH/VgW sMvSyzEXYrbZ1e2lAxWJp2ju6T8SOKroWG0Eav1+HXos2/Saw5UcvWeyu5nMjCuo0ATPvf WXwd2zwedJsSdoaPUfrpbEF559so9Fza0/Puzp0VxeGiQ5dLLoNPs1lwAsS8Hg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315852; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=PhP+Z4H89uK4q1vJShVTYwkuFsB+BX+yUcZ1trMS1SM=; b=QgrjDlEsZTEFmLTEnQWumzMcTCHvkB0PshXIOvjmM+KxS8uoNHWOt8rex9O2UkpJHplXtX IDIs76XlO1U1n/GsBdKrKuoWZVuE4abZCM/6OlphyjllStpIjIfg/xZi4G0TaW88DsyeNs ZKPQkxVMvyTTrdXM1H8ZP98i2bs4BKcgpUgxew4rwCIzNyeVv8CjgiahkmoJ6iyiGOr6fn PM16AP62B0Dijy6Rp53e/0ayP8bz6DZqwD9knKlOYZKL/PbovagQ2TaSI83oTXJrLQALxd Gpk6PxNE53ZypwD5TDw41RjGA8ia0k+itKE6ikI9m9Gtr4E3zb4BUlHrkCocUw== Received: by freefall.freebsd.org (Postfix, from userid 945) id B0B9A9BF2; Wed, 20 May 2026 22:24:12 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:23.bsdinstall Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222412.B0B9A9BF2@freefall.freebsd.org> Date: Wed, 20 May 2026 22:24:12 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:23.bsdinstall Security Advisory The FreeBSD Project Topic: Remote code execution via installer Wi-Fi access point scans Category: core Module: bsdinstall Announced: 2026-05-20 Credits: Austin Ralls Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:43 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:37 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:38:03 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:40:02 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:40 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45255 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background bsdinstall and bsdconfig are utilities that provide an interactive configuration mechanism for FreeBSD. Among other functionality, they can be used to configure FreeBSD to automatically join a Wi-Fi network. II. Problem Description When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. III. Impact The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network. IV. Workaround Avoid using bsdinstall or bsdconfig to scan for Wi-Fi networks, and instead configure Wi-Fi manually. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch.asc # gpg --verify bsdinstall-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch.asc # gpg --verify bsdinstall-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 6f5674b97fd6 stable/15-n283646 releng/15.0/ b89f48ade920 releng/15.0-n281046 stable/14/ f15df0adbcd2 stable/14-n274170 releng/14.4/ dd50cc216e4d releng/14.4-n273709 releng/14.3/ 9cb0be8381f7 releng/14.3-n271509 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKH8bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvTloP/0369bPHpZf0yt9C2VEk NyOeFq+58zQGrz+RRrXA6Vg2xNdaD3fcjpVzAoqzscuE2T7VqZkpi6cS+cbzEE40 NXX+d7qPgd5udqJR4gL8+90KWj7yQ9Wl0tnbV8wTLE6km/Dma+MXuDJrIqUl8Tsb q9hXGPfeymptS2vkR1Nj3VxEhDg0CCQz3bGD1sln7Oj63amX8HkHO9MwW8zHTyGj pcMqEF2sN3Zz0WyyaBf5XS9G0EP0BpicDIcF1NiwYbPi0rlA/nU/zjACfao7lEJk /XCq/iBKQsOiicvNGhoms/ku4YLNQv/L40FSJFNm8wmUsJD4fh6ll2+5Rm88666e gJUcBiLEzlKFogiel4JLqXMBaAZseV6Py8B+puAYh2eFCa/3aF6w2QppMj4jIHCL xEC/XUoBXN+34riiOCkPuSPqmgktvw7oZOBuk5DpV6qt7kdkInZ9i4HQnR13dhlF vLW88oyuO+2dUn+LiLaHi6f7gxkHcgyOOa/N60D95E9+d6Aop9otyMxNRFbSiQ7I x13B4j9ONtdAwL0uYJ+HPNHIfGTBHtpFzt62JfKdWqbSa5oVQrU5aq6wfMjMVupI sYCq+XNTN0MVr4iHowDPqwuEi0+RBoPOQPIXFZRfJr4uTdeim5dzX6fjfe95KIps 3nJWEVEXVF/FiFWL3C+Lk3Cv =Y3q0 -----END PGP SIGNATURE----- From nobody Wed May 20 22:24:17 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0f3g5mz6fXcQ for ; Wed, 20 May 2026 22:24:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0f0Wghz4N2b; Wed, 20 May 2026 22:24:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315858; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Gp0CJwCAZmWwGY02xpa4GKUuVJ/1WAyq11ytkeNaCx8=; b=LxkpAtwZ3M/DyyX+GhS7HNxqUe2lpi0GMyn6fK2H1Z8Yn3pKEs7Nfy2tzekaO3cwQZRxfI pNARtOqcGgXQOn9EVnXFD29Ymb7ufewKqBTsMMVcoxyjcxuLSS1FBMMlCw9i22UhGUqJJ8 yFo9/c4cBW8E6+YfGMvuLe1NPu8BfiDe/COkjZuq2dVfPfND2y1OzG91id0lsXnYquORCH nP4ee0FIxHmiYtYqw+6xz1wmFjA0lO6do5BvLo8r60oroMknXvIKzbcC2VzL5GxZhvuNpZ cpMgxKsX/6yYu3wiADDxZPFVNShKo+i/2nSDqA5P1BkZyd7850Y/+10xAT9yDg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315858; a=rsa-sha256; cv=none; b=c2RyzeCt5MyMQAB1O1jjxhoFcX2foRYkG6oC43RP1mKsowk4x87gaAIPIJkkUlMHfNATeg 5Ta2JVMFEJhN2VMeEc11gngsi8fwqACl9RVHqAJ1Ge4J4C9Crw6DAlRMA9hpjepQUsMH9A gZ7BkHVEOfY7Vupq8+8r3sJaHhij7JJn82Fugktb6Ij2rUE/XCN6bZTd/eBxB4Lm++U8gu 5AF9YT0Z/5AJUMhuB0r9xH7G3SDtkFJtjaJWUUvfGPjwxjrZf0apv4w4jI5fMPWHPDKvaM ErwLJUeiXL3J7jH0J/+PBWPtZkaC/xUkFF24lEta1mq3Co8mknpPgVNrSiqOvA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315858; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Gp0CJwCAZmWwGY02xpa4GKUuVJ/1WAyq11ytkeNaCx8=; b=vvg/lKqqtMTZhTs2ctKiOtGB/JawSHlDGZrXzNRlkwnCeKSpk2orx2HAtj042O5P0Y7ohb IiR9lfW6vWQq6mcgimhCQuXNTuy0e8klnv/Gw/Ai4B3ZYg+GK4rtlGNYSV432N3q0e5b3u ER44cO3b4oWpuKE3z1e0fLJ7j5GIuHu9zgIstwPVIXrbj/2aEpy4AE8xP4QHjIP4isOzhb ZweIMgFzNAsk2iYXVOz/swNMRn8ymsqYabEkeZvFD7uo2OkdtFQKtbiZMotbdQqfCFKunY fnozWChirE/kRhToscwOpWIuwC9sSFeV4hwl+TwUvk85zHQXqod3tbVhC9mW8Q== Received: by freefall.freebsd.org (Postfix, from userid 945) id E4D519BF4; Wed, 20 May 2026 22:24:17 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:24.cap_net Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222417.E4D519BF4@freefall.freebsd.org> Date: Wed, 20 May 2026 22:24:17 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:24.cap_net Security Advisory The FreeBSD Project Topic: Incorrect libcap_net limitation list manipulation Category: core Module: libcap_net Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-19 23:03:59 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:38 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-19 23:04:13 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:40:03 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:41 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45254 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libcasper(3) allows Capsicum-sandboxed applications to define and use system interfaces which are otherwise not available in a capability sandbox, through implementing special services. One of these services, libcap_net, enables networking capabilities within the restricted environment. Casper services allow the application to define fine-grained limits on each operation handled by the service. Each service maintains a specific list of permitted operations. Certain operations can be further restricted by specifying an explicit list of allowed names. For example, libcap_net allows the application to limit the addresses to which the application may bind or connect. If it attempts to use libcap_net to bind or connect to addresses outside the allowed list, the operation will fail. In keeping with Capsicum's capability model, once a set of limits is applied, subsequent adjustments may only narrow the set of permitted operations to a subset of the current one. II. Problem Description In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. III. Impact In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process. IV. Workaround No workaround is available. Note that no FreeBSD base system software is affected by this issue. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:24/cap_net.patch # fetch https://security.FreeBSD.org/patches/SA-26:24/cap_net.patch.asc # gpg --verify cap_net.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 7eb3fd691d64 stable/15-n283630 releng/15.0/ f69df16fcc20 releng/15.0-n281047 stable/14/ b79faca1c596 stable/14-n274156 releng/14.4/ f977328c7277 releng/14.4-n273710 releng/14.3/ b3baecf08405 releng/14.3-n271510 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKIMbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvCBgQANie9vi7Gg5seuAZqAjF JozB+Gs6qaHzHu1CcsDSjbm3Sx5l7p5vbdTR/qsdj9WJbORSI7l5CgB175s8Dbcn PrBYNHCa/+lQEMjRkxGrQF9+qr0W48jrARBgauqqzrYTXHAtLGG1e4S6s83w0IJP wZ/3zoEOb7dzcfvxOXSSa+BGcIirmzctg886IH1+EvQKluARzAMxFhNTMwbMMRe7 k0duMSU7KIlh2C23aMLUPlj1Su52gbiSMz3fDgl4i1cbo3xnQPQNWZnnlu8u+ZCB 2pXQoNag7AHTzaOMvOtIyYKXfR9OLdPa4Ii6D38s6WTUb5q0GmS6G7ISYOAnTM+3 TEvH2uhOpq8bySWb6TEx1ppedyIwZ+awocQ9XUeDvarJGCCTlBQ3kV08TMKKZxPA /DOWHJ9KSgKku9sKaLpbTNacpDmkipIEgKZdicifA9KpvH7frBlvwVsTzERVm/qy SVySVCqSE5fpYo6FN3Mo0GfN3EnBU2aYpPRx3RHvzKHTbQSU7iaNOu+Iki6GJuiH HTQ6oaWHmNAkotNN5tAdmDXrm9wnMncCbMT1JHrtEDanJWgKWEovhK1mw6LhHlg1 K+bvyTB6LyZYnOZXhb9540tXfyrmjdTzM/jNMZL1Z5AYjy1FfDdTxH460gIsy6PU f4TRsebl2L+EThYrx6pjoj5D =K5/f -----END PGP SIGNATURE----- From nobody Wed May 20 22:28:08 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR591b6hz6fYCn for ; Wed, 20 May 2026 22:28:13 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward502d.mail.yandex.net (forward502d.mail.yandex.net [178.154.239.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR584T7Vz3GYM for ; Wed, 20 May 2026 22:28:12 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-28.klg.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-28.klg.yp-c.yandex.net [IPv6:2a02:6b8:c43:a28:0:640:6018:0]) by forward502d.mail.yandex.net (Yandex) with ESMTPS id 6AB7CC1526 for ; Thu, 21 May 2026 01:28:09 +0300 (MSK) Received: from 2a02:6b8:c42:4726:0:640:a892:0 (2a02:6b8:c42:4726:0:640:a892:0 [2a02:6b8:c42:4726:0:640:a892:0]) by mail-nwsmtp-mxback-production-main-28.klg.yp-c.yandex.net (mxback) with HTTPS id NRbHgn0x0Os0-MT60RNIQ; Thu, 21 May 2026 01:28:09 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779316089; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=Q4b9QDL8g8LfsdHTOgWnFAhX4imgjNZIRSeINMcrAtnwEQVtFequ2FTd3HGh5im20 y+5J0dKwBVQ2wIGEUWFanlx/sYsWYtxOedfgjviJBKJ97uHVuM28oVKKDDyC2KnIWN 086YHYYjOBNYLw7eQETVTOkWQjQVbiNSQIZuOpQ4= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoxOC5zZXRjcmVk?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 01:28:08 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <8851779316088@4c7d04a3-6230-42a9-9c00-61ae23108dda> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222336.BA0F59B7A@freefall.freebsd.org> References: <20260520222336.BA0F59B7A@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:200350, ipnet:178.154.224.0/19, country:RU] X-Rspamd-Queue-Id: 4gLR584T7Vz3GYM X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Wed May 20 22:32:35 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLRBG5yf5z6fYj8 for ; Wed, 20 May 2026 22:32:38 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward501d.mail.yandex.net (forward501d.mail.yandex.net [178.154.239.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLRBF73Rgz3PVY for ; Wed, 20 May 2026 22:32:37 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-89.klg.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-89.klg.yp-c.yandex.net [IPv6:2a02:6b8:c43:f358:0:640:cd97:0]) by forward501d.mail.yandex.net (Yandex) with ESMTPS id 6AF4481C6F for ; Thu, 21 May 2026 01:32:35 +0300 (MSK) Received: from 2a02:6b8:c42:5da4:0:640:9073:0 (2a02:6b8:c42:5da4:0:640:9073:0 [2a02:6b8:c42:5da4:0:640:9073:0]) by mail-nwsmtp-mxback-production-main-89.klg.yp-c.yandex.net (mxback) with HTTPS id DWbURj0vqGk0-OjkTxrJl; Thu, 21 May 2026 01:32:35 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779316355; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=fCz48QV4HsSqSbE5xSyRTvDIDhBkbbRKU2wvaNHayKX+lrRdcr8ZW9aQ5hujHptsN nTLTG/HL2Ts66YBtXoG5l7yT8BcTjrn9avz1hx4IH5wbJnSbwDMYjV04R+hXplrVJb 72fa0BEuIx747fgLAyIVujcgq+aWTRyOPYKmA+Mk= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoxOS5maWxl?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 01:32:35 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <9641779316355@acb5ab56-9219-435b-b865-aa6040762cc1> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222344.9D8689E87@freefall.freebsd.org> References: <20260520222344.9D8689E87@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:200350, ipnet:178.154.224.0/19, country:RU] X-Rspamd-Queue-Id: 4gLRBF73Rgz3PVY X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Wed May 20 22:39:08 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLRKx6q1dz6fZRp for ; Wed, 20 May 2026 22:39:17 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward500d.mail.yandex.net (forward500d.mail.yandex.net [IPv6:2a02:6b8:c41:1300:1:45:d181:d500]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLRKx33sSz3b4d for ; Wed, 20 May 2026 22:39:17 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-15.iva.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-15.iva.yp-c.yandex.net [IPv6:2a02:6b8:c0c:2a09:0:640:8eee:0]) by forward500d.mail.yandex.net (Yandex) with ESMTPS id C6EC8824FA for ; Thu, 21 May 2026 01:39:08 +0300 (MSK) Received: from 2a02:6b8:c0c:b59f:0:640:6fa2:0 (2a02:6b8:c0c:b59f:0:640:6fa2:0 [2a02:6b8:c0c:b59f:0:640:6fa2:0]) by mail-nwsmtp-mxback-production-main-15.iva.yp-c.yandex.net (mxback) with HTTPS id gYbQmR1vp8c0-1prcszoJ; Thu, 21 May 2026 01:39:08 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779316748; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=F5w1KLgfOwwfBwSDd7hr0sUrixl/CNdn6Lu7//G3BdVTWg43x84s4b08Exatclcqm 7S4k9zIxOelAsAI63PBS3dymttaR8s9tf0vbIoxnPxqPEIYhGFxkgUSufA7p0VtCCR 6D/WU86+FSgUgPrZIRvxXqvffsYi6XyH1J/7GtL8= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoyMC5mdXNlZnM=?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 01:39:08 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <9211779316748@7713c2ea-51e9-4c3f-a20d-082a3afebe4c> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222351.65B2D9D96@freefall.freebsd.org> References: <20260520222351.65B2D9D96@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:208398, ipnet:2a02:6b8::/32, country:RS] X-Rspamd-Queue-Id: 4gLRKx33sSz3b4d X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Wed May 20 22:43:10 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLRQT1ypBz6fb3X for ; Wed, 20 May 2026 22:43:13 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward502d.mail.yandex.net (forward502d.mail.yandex.net [178.154.239.210]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLRQS5ylKz3jst for ; Wed, 20 May 2026 22:43:12 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-93.klg.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-93.klg.yp-c.yandex.net [IPv6:2a02:6b8:c42:21a3:0:640:4e9a:0]) by forward502d.mail.yandex.net (Yandex) with ESMTPS id 10DC6C1545 for ; Thu, 21 May 2026 01:43:11 +0300 (MSK) Received: from 2a02:6b8:c42:24ca:0:640:51eb:0 (2a02:6b8:c42:24ca:0:640:51eb:0 [2a02:6b8:c42:24ca:0:640:51eb:0]) by mail-nwsmtp-mxback-production-main-93.klg.yp-c.yandex.net (mxback) with HTTPS id 9hbRxi0vpCg0-rP5plkYw; Thu, 21 May 2026 01:43:10 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779316990; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=aFI4dgG+Ja+74jSugMMaC0kZxCG4D04Nm3tO3O4WEKf/Yj/roIJqyXO/AvZPc90le J6wwYY6GQMNbWCKQTXbATaUKjON/tEuDUE0b1GzoYuDxEePNH4/fX7urr8NJTUAeef 76p0a0A9rp86DySdypaVT+XTgEX30NAIWpbCJa0U= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoyMS5wdHJhY2U=?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 01:43:10 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <9221779316990@8d140f31-ff7c-4fcd-a9eb-9211c587caf6> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222357.2A7EE9CD1@freefall.freebsd.org> References: <20260520222357.2A7EE9CD1@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:200350, ipnet:178.154.224.0/19, country:RU] X-Rspamd-Queue-Id: 4gLRQS5ylKz3jst X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Wed May 20 22:48:58 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLRYJ01Rkz6fbm9 for ; Wed, 20 May 2026 22:49:07 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward502b.mail.yandex.net (forward502b.mail.yandex.net [IPv6:2a02:6b8:c02:900:1:45:d181:d502]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLRYH1YbDz3sQH for ; Wed, 20 May 2026 22:49:07 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-54.sas.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-54.sas.yp-c.yandex.net [IPv6:2a02:6b8:c23:13c5:0:640:a208:0]) by forward502b.mail.yandex.net (Yandex) with ESMTPS id AF5BA81629 for ; Thu, 21 May 2026 01:48:58 +0300 (MSK) Received: from 2a02:6b8:c11:17:0:640:ce06:0 (2a02:6b8:c11:17:0:640:ce06:0 [2a02:6b8:c11:17:0:640:ce06:0]) by mail-nwsmtp-mxback-production-main-54.sas.yp-c.yandex.net (mxback) with HTTPS id vmbZMT1vnOs0-0ICWo5YT; Thu, 21 May 2026 01:48:58 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779317338; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=BtEO15kXlpQVBA8hqhXtZkxkOhbjUkotNoK5o0Xd678KGJITRUeDAybfYOVkvbcSR T6o2EDLjjpi+i+ctlJFy7dxgtmerTtAnHrYotbqZHRii7URAcwSuVq3GyHx6n+CGhS 19efq0l0PYH9pMUwTPuXJrBID+62XpXbyUDNrWaY= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoyMi5saWJjYXNwZXI=?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 01:48:58 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <9301779317338@a2eb86f9-d166-4d0c-8708-66303a8e819f> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222406.EEBC79D29@freefall.freebsd.org> References: <20260520222406.EEBC79D29@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:208398, ipnet:2a02:6b8::/32, country:RS] X-Rspamd-Queue-Id: 4gLRYH1YbDz3sQH X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Wed May 20 22:54:53 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLRh256hTz6fcN5 for ; Wed, 20 May 2026 22:54:58 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward502a.mail.yandex.net (forward502a.mail.yandex.net [178.154.239.82]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLRh05WdJz42pY for ; Wed, 20 May 2026 22:54:56 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-53.vla.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-53.vla.yp-c.yandex.net [IPv6:2a02:6b8:c2d:7302:0:640:a4ac:0]) by forward502a.mail.yandex.net (Yandex) with ESMTPS id 3275D82F91 for ; Thu, 21 May 2026 01:54:54 +0300 (MSK) Received: from 2a02:6b8:c15:19a2:0:640:4412:0 (2a02:6b8:c15:19a2:0:640:4412:0 [2a02:6b8:c15:19a2:0:640:4412:0]) by mail-nwsmtp-mxback-production-main-53.vla.yp-c.yandex.net (mxback) with HTTPS id JsbaMX1vqa60-5I1l2gBa; Thu, 21 May 2026 01:54:53 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779317693; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=D0ZIF3rSI+wVv0sNEk7Ndm6SAEacsmV7YBp/y3UApOqrloeLKU2fg2KxaAdgkYbQc ZWC1BAPF8kMYbiLoCW8Cd9AZNIkAqzkl39knZwQj/gtXiC1dlbG/uIc2QNkwpkhf1I KT5b6uk/Ayny8msJTgzeUiZuEs387vhaltxRFsrs= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoyMy5ic2RpbnN0YWxs?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 01:54:53 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <15321779317693@df550cb7-21ac-490d-80ca-1d184eca4ca3> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222412.B71CF9D2A@freefall.freebsd.org> References: <20260520222412.B71CF9D2A@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:200350, ipnet:178.154.224.0/19, country:RU] X-Rspamd-Queue-Id: 4gLRh05WdJz42pY X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Wed May 20 23:00:21 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLRpJ3H3Fz6ddl5 for ; Wed, 20 May 2026 23:00:24 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Received: from forward501d.mail.yandex.net (forward501d.mail.yandex.net [178.154.239.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLRpJ0WP4z3D2Z for ; Wed, 20 May 2026 23:00:24 +0000 (UTC) (envelope-from lost.emails@omgtu.ru) Authentication-Results: mx1.freebsd.org; none Received: from mail-nwsmtp-mxback-production-main-45.iva.yp-c.yandex.net (mail-nwsmtp-mxback-production-main-45.iva.yp-c.yandex.net [IPv6:2a02:6b8:c0c:92a0:0:640:b337:0]) by forward501d.mail.yandex.net (Yandex) with ESMTPS id 4851981D53 for ; Thu, 21 May 2026 02:00:22 +0300 (MSK) Received: from 2a02:6b8:c0c:1c23:0:640:812:0 (2a02:6b8:c0c:1c23:0:640:812:0 [2a02:6b8:c0c:1c23:0:640:812:0]) by mail-nwsmtp-mxback-production-main-45.iva.yp-c.yandex.net (mxback) with HTTPS id E0citQ1wtSw0-KkuR6xZ2; Thu, 21 May 2026 02:00:22 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omgtu.ru; s=mail; t=1779318022; bh=W9ypETTPqkQyLCeYVBO/+mjFMhbJ2YO5e1esCPNIlXA=; h=In-Reply-To:Message-Id:References:Date:From:To:Subject; b=BZCcUQwRvp3GCr6dqAZY34XkPfZ13WvVlSNOiOmm6Ot1Q9lKbNzEV4NcBg+UgDZnt bMneyd7g0A0egTahsGZpwpMZ+DAsn+RassK4vdsNl6cVwPKv6eZIs2f9Y9cAQu2Kag VWLpm0G0XhhwLqL09l19wBOB1QfiEhga1rOhV8l0= Subject: =?utf-8?B?UmU6IEZyZWVCU0QgU2VjdXJpdHkgQWR2aXNvcnkgRnJlZUJTRC1TQS0yNjoyNC5jYXBfbmV0?= To: freebsd-security@freebsd.org Date: Thu, 21 May 2026 02:00:21 +0300 From: =?utf-8?B?0J/QuNGB0YzQvNCwINCfLg==?= Message-Id: <7531779318021@cc2cd6dd-410a-4c7c-9804-0191b7c7dcbd> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 X-Mailer: Yamail [ http://yandex.ru ] 5.0 X-Yandex-Forward: 6138d21a4c945e99f76847c2af99576c X-AutoReply: YES Auto-Submitted: auto-replied In-Reply-To: <20260520222417.EE4109CD7@freefall.freebsd.org> References: <20260520222417.EE4109CD7@freefall.freebsd.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:200350, ipnet:178.154.224.0/19, country:RU] X-Rspamd-Queue-Id: 4gLRpJ0WP4z3D2Z X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated 0JTQvtCx0YDRi9C5INC00LXQvdGMIQrQo9C60LDQt9Cw0L3QvdC+0LPQviDQsNC00YDQtdGB0LAg 0LIg0LTQvtC80LXQvdC1IG9tZ3R1LnJ1IChvbWd0dS50ZWNoKSDQvdC1INGB0YPRidC10YHRgtCy 0YPQtdGCLiDQn9GA0L7QstC10YDRjNGC0LUg0LDQtNGA0LXRgSDQuCDQv9C+0LLRgtC+0YDQuNGC 0LUg0L7RgtC/0YDQsNCy0LrRgy4KCi0tCtCU0LDQvdC90L7QtSDQv9C40YHRjNC80L4g0YHRhNC+ 0YDQvNC40YDQvtCy0LDQvdC+INCw0LLRgtC+0LzQsNGC0LjRh9C10YHQutC4INC4INC90LUg0YLR gNC10LHRg9C10YIg0L7RgtCy0LXRgtCw From nobody Thu May 21 06:07:25 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLdH465Mfz6fSPX; Thu, 21 May 2026 06:07:28 +0000 (UTC) (envelope-from gerrit.kuehn@aei.mpg.de) Received: from umail2.aei.mpg.de (umail2.aei.mpg.de [194.94.224.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLdH43nlCz47TW; Thu, 21 May 2026 06:07:28 +0000 (UTC) (envelope-from gerrit.kuehn@aei.mpg.de) Authentication-Results: mx1.freebsd.org; none Received: from arc.aei.uni-hannover.de (theq.aei.uni-hannover.de [130.75.117.4]) by umail2.aei.mpg.de (Postfix) with ESMTPS id 15B582C44C7B; Thu, 21 May 2026 08:07:26 +0200 (CEST) Date: Thu, 21 May 2026 08:07:25 +0200 From: Gerrit =?UTF-8?B?S8O8aG4=?= To: freebsd-questions@freebsd.org Cc: Colin Percival , Jordan Montesse , freebsd-security@freebsd.org Subject: Re: 15.0p9 pkgs in repo, but no corresponding security/errata notice? Message-ID: <20260521080725.17485152@arc.aei.uni-hannover.de> In-Reply-To: <8899531a-bc50-4a1d-bee8-5d09357796cf@freebsd.org> References: <8899531a-bc50-4a1d-bee8-5d09357796cf@freebsd.org> Organization: MPG X-Mailer: Claws Mail 4.4.0 (GTK 3.24.52; amd64-portbld-freebsd14.3) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_//ZZDE1dLPSnktN99ohYJmH="; protocol="application/pkcs7-signature"; micalg=SHA384 X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:680, ipnet:194.94.0.0/15, country:DE] X-Rspamd-Queue-Id: 4gLdH43nlCz47TW X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated --Sig_//ZZDE1dLPSnktN99ohYJmH= Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Am Wed, 20 May 2026 15:04:09 -0700 schrieb Colin Percival : > > Installed packages to be UPGRADED: > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-bsdconfig: 15.0 -> = 15.0p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-bsdinstall: 15.0 ->= 15.0p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-kernel-generic: 15.= 0p8 -> 15.0p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-libcasper: 15.0 -> = 15.0p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-rcmds: 15.0 -> 15.0= p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-runtime: 15.0p8 -> = 15.0p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-syslogd: 15.0 -> 15= .0p9 [FreeBSD-base] > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FreeBSD-utilities: 15.0p1 -= > 15.0p9 [FreeBSD-base] > >=20 > > Number of packages to be upgraded: 8 > >=20 > > 56 MiB to be downloaded. > >=20 > > But the latest notices available on the website and -announce are only > > for 15.0p8? =20 > They're coming soon. :-) >=20 > In the mean time you can see the patches in the src repository; those > commit messages provide some context for the issues which were fixed. Just wondering: Is it correct that pkg audit does not reflect on CVEs in pkgbase? cu Gerrit --Sig_//ZZDE1dLPSnktN99ohYJmH= Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgIFADCABgkqhkiG9w0B BwEAAKCCF/QwggQyMIIDGqADAgECAgEBMA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV BAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1Nh bGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEg Q2VydGlmaWNhdGUgU2VydmljZXMwHhcNMDQwMTAxMDAwMDAwWhcNMjgxMjMxMjM1 OTU5WjB7MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVy MRAwDgYDVQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEh MB8GA1UEAwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAvkCd9G7h6naHHE1FRI6+RsiDBp3BKv4YH47kAvrz q11QihYxC5oG0MVwIs1JLVRjzLZuaEYLU+rLTCTAvHJO6vEVrvRUmhIKw3qyM2Di 2olV8yJY897cz++DhqKMlE+faPKYkEaEJ8d2v+PMNSyLXgdkZYLASLCokflhn3Yg UKiRx2a163hiA1bwihoT6jGjHqCZ/Tj29icyWG8H9Wu4+xQrr7eqzNZjX3OM2gWZ qDioyxd4NlGs6Z70eDqNzw/ZQuKYDKsvnw4B3u+fmUnxLd+sdE0bmLVHxeUp0fmQ GMdinL6DxyZ7Poolx8DdneY1aBAgnY/Y3tLDhJwNXugvyQIDAQABo4HAMIG9MB0G A1UdDgQWBBSgEQojPpbxB+zirynvgqV/0DCktDAOBgNVHQ8BAf8EBAMCAQYwDwYD VR0TAQH/BAUwAwEB/zB7BgNVHR8EdDByMDigNqA0hjJodHRwOi8vY3JsLmNvbW9k b2NhLmNvbS9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDA2oDSgMoYwaHR0cDov L2NybC5jb21vZG8ubmV0L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMA0GCSqG SIb3DQEBBQUAA4IBAQAIVvwC8Jvo/6T61nvGRIDOT8TF9gBYzKa2vBRJaAR26Obu XewCD2DWjVAYTyZOAePmsKXuv7x0VEG//fwSuMdPWvSJYAV/YLcFSvP28cK/xLl0 hrYtfWvM0vNG3S/G4GrDwzQDLH2W3VrCDqcKmcEFi6sML/NcOs9sN1UJh95TQGxY 7/y2q2VuBPYb3DzgWhXGntnxWUgwIWUDbOzpIXPsmwOh4DetoBUYj/q6As6nLKkQ EyzU5QgmqyKXYPiQXnTUoppTvfKpaOCibsLXbLGjD56/62jnVvKu8uMrODoJgbVr hde+Le0/GreyY+L1YiyC1GoAQVDxOYOflek2lphuMIIFgTCCBGmgAwIBAgIQOXJE Ovkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7MQswCQYDVQQGEwJHQjEbMBkG A1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRowGAYD VQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmljYXRl IFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4MTIzMTIzNTk1OVowgYgxCzAJ BgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJzZXkg Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQDEyVV U0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG 9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00ytUINh4qog TQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NCtnbyqTsr kfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQfjtTkUcYR Z0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM8Ny8nkz+ rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hmAUTnAU5G U5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiVZ4vuPVb+ DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9N6frXTps NVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sFqV4Wg8y4 Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9HE0XvMns QybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ+gQek9Qm RkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyXHAc/DVL1 7e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSgEQojPpbxB+zirynvgqV/0DCk tDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgGG MA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEMGA1UdHwQ8MDow OKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0FBQUNlcnRpZmljYXRlU2Vy dmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29j c3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUAA4IBAQAYh1HcdCE9nIrgJ7cz 0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+rvSNb3I8QzvAP+u431yqqcau 8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+/czSAaF9ffgZGclCKxO/WIu6 pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gACiIDEOUMsfnNkjcZ7Tvx5Dq2 +UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1FzZOFli9d31kWTz9RvdVFGD/t So7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyAvGp4z7h/jnZymQyd/teRCBah o1+VMIIG5jCCBM6gAwIBAgIQMQJw1DW+mySa+FbQ4eKFSTANBgkqhkiG9w0BAQwF ADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcT C0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAs BgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcN MjAwMjE4MDAwMDAwWhcNMzMwNTAxMjM1OTU5WjBGMQswCQYDVQQGEwJOTDEZMBcG A1UEChMQR0VBTlQgVmVyZW5pZ2luZzEcMBoGA1UEAxMTR0VBTlQgUGVyc29uYWwg Q0EgNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALNK4iJeJ1vpBFsU BDUyIBSutNIxQMbNUMAeoUTKr55KYX8tkN5imzNqLaRCypYBPP9wED2AaO6e8njk bjzJwLgPqDBkW9sG3kmi3GW6cF4Hwr5ysZqve/5EJDhV+9OhfTu/4dMnoR4Q41Hc jMk9MzLOADAQ0awBZ/29r0d49AUmIKELNeqEqmnTN6fndL7x/2K0TLToZLxqS7sy /Jvi0wEFr0CfdjcAsioh7KaD+Jizyb1aRKQzJ6Q20VEHX7UqWc1SkzTkbz6xj0S5 ydBBFQh0fNiy+qM/deVpK4HgmPSJrrpQZ+LlbHfWabmwoDPxF71QZVYiqrrAoUrG RJ+47iLBiIg8miIYS7Hd2ppvAUt24CugMXUjETjQ+oYh09fNi5n/AvoER8UBvTHL xt+blL0bvL+2z2YiUWk+2Qtn+dD+JU5Z2y71qV7+cr+4YXjvGzF5bYsi8HiwflTb 4Php3y+k1twKtchdcq2QGc0eDG6Y01nRHUiyr8/PtMAsLHEPNZ2wzsA7fb8mftHi V20ZFmYqknJ8AIOfwdTVA+E62JayOJ+sxadqcmFDorsz/mrPwGZ8+txr4xSuvVjg 0dlv0yuA+1YpBDIYNfL4bkX+IcZ1mTstL4Xw0f4N2iW3bBmnPnYmoYxMM8gflCiT gss73nBvG2f7v1PD7BDGYNO4iD4vAgMBAAGjggGLMIIBhzAfBgNVHSMEGDAWgBRT eb9aqitKz1SA4dibwJ3ysgNmyzAdBgNVHQ4EFgQUaQChxyFY+ODFGyCwCt2nUb8T 2eQwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYw FAYIKwYBBQUHAwIGCCsGAQUFBwMEMDgGA1UdIAQxMC8wLQYEVR0gADAlMCMGCCsG AQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzBQBgNVHR8ESTBHMEWgQ6BB hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI hvcNAQEMBQADggIBAAoFTnsNjx8TOQD9b+xixsPt7Req4wHMeNw/R5dddEPgQAQA YJZKz5BEv1cjGbH7nbPH3AxrxhN6OVH40p6OLIo9MXSrrfMzGs7/P+FTCjwgNxFE tLQ1KC9NboA3asJcl7mIs3l8h9iAgEH1zLUvq2s+5n++NQmbzudDsTFDMapY3kX1 TwyUCTRzmItqcbsYIyg2MeIXWfRtqPqC5R4bufmpzA5BPINLX340Sp/CNQ9QZqw3 VkfyHWwTo+vO9Gm2L6srNamJT6Lb+TeXZvl8UPL5a72O/pH0GgGHjt6z9QzPARna RKshVWviNK6ST4WmZHllu3CJg0BXqx1vWyswawgvNeWt1qxITacYe9mSWTbNR2Cf tvTUwerruDSY2jMaZPoNqbjUpuG/blYwWzzvVerBUhviAahPXJF/9V48ybWPBq6q KOEokW+s3B4ad5sY96KlovEijaIQDip1HO0SD+rLNYaiBcr9MV2aK+DfbZ8w9BaN CQyFEYwzxIKOVk3bYvzHRk5ihUDascmbk/bkiNl74c/KfuKQmJImaqWoWZR6jBcX cPV0WUIKz/nILTpFhGojZEQW77by3aezAi9jrEIUBHRG1LwzPbJc2V3SOzYyaJFQ atzuKZbN1Q9s9y/2x1QXtKwREY8jNgvx0iIfOK35gKgYJJcyDql4XfuEc2nVMIIH SzCCBTOgAwIBAgIRAMCEqCZW/bEp9AgcdlGEWuEwDQYJKoZIhvcNAQEMBQAwRjEL MAkGA1UEBhMCTkwxGTAXBgNVBAoTEEdFQU5UIFZlcmVuaWdpbmcxHDAaBgNVBAMT E0dFQU5UIFBlcnNvbmFsIENBIDQwHhcNMjMwODE1MDAwMDAwWhcNMjYwODE0MjM1 OTU5WjCB0zEOMAwGA1UEERMFODA1MzkxRzBFBgNVBAoMPk1heC1QbGFuY2stR2Vz ZWxsc2NoYWZ0IHp1ciBGw7ZyZGVydW5nIGRlciBXaXNzZW5zY2hhZnRlbiBlLlYu MRswGQYDVQQJDBJIb2ZnYXJ0ZW5zdHJhw59lIDgxDzANBgNVBAgTBkJheWVybjEL MAkGA1UEBhMCREUxFTATBgNVBAMTDEdlcnJpdCBLdWVobjEmMCQGCSqGSIb3DQEJ ARYXZ2Vycml0Lmt1ZWhuQGFlaS5tcGcuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4IC DwAwggIKAoICAQCg7n7fRC0hIeomyBYF0RZ0L/jKjURwqPL3vBN+HvDxzp+Wcn0a Voeia3LPeXvf18d7BeIQ2SVFXWnWzVpVKzv7VUg4OD424GmcQrFXkChSvOc/rLaA FmNIaKWgYwUOAqmDh3t9JzQTVj6FrAeJwzXmnv42msNUfnhA2dRllOCmilLUqm/5 nOgrImuiA3R1S0CcljAmEr5PnUmKJaanbaq74Jb54gf622cRyWwylMJijMGboDYw uaGynrLgfo+rWbXc2TASO6pjSQDKAAfXO/NzLgp+BmneN1II9alVUAJRUpFDkgx9 peM+qUJryLtO+veOKElsOe2S4qvk0PaE/MVAcIJiThdY7qde8Q9FyOJsDN5kiX4g fsKmtF7EdB71Uc8N78L62r7/7Y5WL8gRxXCN8BsmLXSiCylvtIYsbJMDhK6C+37w 9Cg1A8AWeksg1TmCcvolEJy3+bfPx7NlmEfRdkdzuVb1KxfB0z4SbhSwOAR1WYVg mEAQuj1l9k7suUtdUY4ZeMnRLVPtmQh+bxcJPaRllpHSTYbYVQlSNXkP0al2/J8d jJHhulOsCX8oYfyQ9a33jHsKUf632Lpg8446ym19UrNPh9pntXRXVhhkw+/tPE8G BxH81BCvvSUhVu0Nckx8zOWiI1+6Z5t71udnXOEv9lJFvqDlY71lkiu+jQIDAQAB o4IBpDCCAaAwHwYDVR0jBBgwFoAUaQChxyFY+ODFGyCwCt2nUb8T2eQwHQYDVR0O BBYEFOsacOXMtCWA1hWcY7A/tb8e/tTSMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMB Af8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjA/BgNVHSAEODA2 MDQGCysGAQQBsjEBAgJPMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5j b20vQ1BTMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9HRUFOVC5jcmwuc2VjdGln by5jb20vR0VBTlRQZXJzb25hbENBNC5jcmwweAYIKwYBBQUHAQEEbDBqMD0GCCsG AQUFBzAChjFodHRwOi8vR0VBTlQuY3J0LnNlY3RpZ28uY29tL0dFQU5UUGVyc29u YWxDQTQuY3J0MCkGCCsGAQUFBzABhh1odHRwOi8vR0VBTlQub2NzcC5zZWN0aWdv LmNvbTAiBgNVHREEGzAZgRdnZXJyaXQua3VlaG5AYWVpLm1wZy5kZTANBgkqhkiG 9w0BAQwFAAOCAgEAbUB7zWvNZ98vh3u7hzpnbA1K4U9bga1YkpVbOgv7/UY5RiZP Rk06O18f5TnRSWiiF3XImBG1uVjbcwVKIemliCQRQzVVt2JXOJVT1EafDDe9DK5o QaXGHY7NAT1lPLEwtgv8hxBBvthMaMa6lpibT/IUi83jHPZUgsGajCgPXd05Bh/L jCzWDOmHuwFdjRAMQs1VsPYx+OVcRvS1jmw0bT6o5/nruRwF5brxUK39Mftj3sIN b+UvVkXdAGw5iQWFwllGpwBgo3iESa1R72qkBMWph8D6Jbg795WBgjMULCPTiZkq eOif9sW1/37AoutSh7VMh7WMrEW9QURVWYR1hYjS0/TMo8aXfPOLtLYoSg/R6i+j eXqREsJQxMAl0e/JJej1TAFCsWg0r6Dg4mYq636plAr6pu7pJATNVPT0HrsBMYWu PV2WRH8Obs+n1xe4ftGxE4yDWiL56lnp6tnfVR8qinEqpGBfj7BAwEcO/Na9b+oK tDEmWHzupKkdmoOWktURY+Q/5RVWoiozNujYljc9iaK3agqBbJ5ZzRyrCKOPLnw4 9b8koO03WkXPqlm59nxAOdJE6ZQ2aQ8ev6ji+UlGnlIvgk70MsRukY2shpAiowb6 bKjKyK3QGNnT4zmL6ixSRmnYhC95U923Yf+hy+6jqS1Ec6kgpREYG53Qv5IxggM5 MIIDNQIBATBbMEYxCzAJBgNVBAYTAk5MMRkwFwYDVQQKExBHRUFOVCBWZXJlbmln aW5nMRwwGgYDVQQDExNHRUFOVCBQZXJzb25hbCBDQSA0AhEAwISoJlb9sSn0CBx2 UYRa4TANBglghkgBZQMEAgIFAKCBsDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB MBwGCSqGSIb3DQEJBTEPFw0yNjA1MjEwNjA3MjVaMDUGCSqGSIb3DQEJDzEoMCYw CwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzA/BgkqhkiG9w0B CQQxMgQwKaVsGTDjX8gdaUWInhkgwhNHNJsw7JcjodQco1S1GeUh5bHqJV6W0i3v B/J48CofMA0GCSqGSIb3DQEBAQUABIICAAvbD8g4MMpxfI5yDQnG4TOLqap97ABl q/yGFd9nhkABNnsZa/mczwjcOecjHLdnrHdpI8BBUpsSVjEDdXwR01E1jPTCDxPZ jhkV8szAqrnGjtHWD6Gr3dd6w5F2+llC6T/f9diQSlNMR2eBLSWVVa7e6bl12pYX wCGOdsjRkEjKEHL4MSix9dLbBHrn0nZyuiBN3BPjvG4tbYSB/W4UW7tQ4LlA7Skf 29wmiJ90z2HxA4yyCEbIvJyJmMaZr/rHUOd7F1GPKFeqN8Rf/uIA6wwzfh2Ckq18 G5l36XKFn8TWjCySIuu6P+dTv4wH4xwVcI6b57pDj+K7uHlZhmNP7/fbqE2AqR8z 617c1Fh+fsGPmLkR60zaANfEO6RVvf7MiWiBsRdgE/oF8MB6BkOl9vhgIWEGcirj WL/zrzWhEEd/Gt2Jlo7t6axytxcbb994nSBzXPeGXEam7NonuNEfInzTeQysdS2a 5Jb7v+h7OzmUlKdPyueeI3vf2Z+QHMaOdf7yItYoHZHDSM92nnw6CcX9RsZ4dcPJ bLT39ohj9uqXOKm7GPQq15jld9Tez2gurSwEjXw4TTrNDSY/pfvI7QEsaEOgXs2q f/2dCClPNi5sxNTSOinCbbqv8Cx2FyPGrbszETW18tVtNZwtvFg4XSOvu7LWOKbD kOcl41k5OMwVAAAAAAAA --Sig_//ZZDE1dLPSnktN99ohYJmH=-- From nobody Thu May 21 08:39:32 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLhfn5XTKz6fjxP; Thu, 21 May 2026 08:39:45 +0000 (UTC) (envelope-from olce@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLhfn1wCFz3T3k; Thu, 21 May 2026 08:39:45 +0000 (UTC) (envelope-from olce@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779352785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=+EeI8sIWbucUQjfdPzL8aATrMsNobPaWPtRRecBeDkQ=; b=LEcYCALrQireCkOYll7HJjmJkZxnDHR3Ira6z4wZI3/ve2oYLyCJSN4IaNTkQwKd7mPoJA r7dtoMQwdajnphR1WX1FyCGx/8E3kUg+vSI2R+NzAbClpmBWSYIbQr+DGZYXZ1IZAtGAhA TbEEJHNoJjZ8EQDxc2yHKpvwyv11yQRYlSm1vOrOSScPrH6XQdeGmjwPseiBOWU63EtJII QPAVOmx9jwA2LVDrctUA6WcGVjCiRTSlANHRcX0LtBJ//Yuf6RMJOB0gUuVLkxXZpA6FDQ NocobSmTAo5CU0ss1IAXTYdndxXW/+QvHbodihVTVz2/P5ynYFWXTg7NPl0ixQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779352785; a=rsa-sha256; cv=none; b=AB5ceyMisg4W2/KiMgkZ22osgQsjskI3+ehHoeUS8HBMW9V9RGr/66Pz6dfjopVFYJyPhN XWvvzcF3g02RDSHUyQVXgPYsXBHqsFHl4ISwrSrZj7WavD1vT5kPetgYRf6/KRxdbq/c9e k2O0rfVtORvTTrfeItqRbEQLGZTYpkOAOtDfRBzsi3tKbvzW2TeXeUEVAuGzZmYk9rEQOF 3tOD0B2CuBB7vLxW1zvku5ZYeYa4MQ9SVrSBCcq9SdeCBMIjNIOs2D82yM88wUCUY+0VIB +uGk2xTKX1oRnU6gYo1vl7KhoM4XiZEHBtx3Dl15luhAXQv9Ul89oWMPGysdvA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779352785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=+EeI8sIWbucUQjfdPzL8aATrMsNobPaWPtRRecBeDkQ=; b=EmyeNS486o8kAaYsNOXoV+S27S5ndlGqNMe+pvSeDuiC+H5Qx/Z+ePIz/FoK9RMl5zaGXy lLM+k8oseYZqUh7t8LKaXav8TST+I0MURgi4L1XPbmRJUbcbt+xv34p19xydiZHhJ7KE2R NxYwABl9Sixj9+3jHrAMmFxedAgtus630g9STB743nClsJqM8kiqwPmGN1T8tw7+2jle7r oNUHMiqfvFv1GHzXURrhVkuVN0UwnCxKFAFwzhBca7YcFcQPezLY0uJUupTSTEnzDTx3LH zrK2N9tbHLj11uDTvhXssz6I2mMvWfi8P/V3CQHmEazYvCT93pmE2rKM7NFmyw== Received: from ravel.localnet (lfbn-nic-1-328-19.w90-116.abo.wanadoo.fr [90.116.162.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: olce/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4gLhfm4F2KzBKk; Thu, 21 May 2026 08:39:44 +0000 (UTC) (envelope-from olce@freebsd.org) From: Olivier Certner To: FreeBSD Security Advisories , security-notifications@freebsd.org Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred Date: Thu, 21 May 2026 10:39:32 +0200 Message-ID: <13306571.xkLNZX5ndW@ravel> In-Reply-To: <20260520222336.BA0F59B7A@freefall.freebsd.org> References: <20260520222336.BA0F59B7A@freefall.freebsd.org> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3100967.fspEBoepoX"; micalg="pgp-sha384"; protocol="application/pgp-signature" --nextPart3100967.fspEBoepoX Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8"; protected-headers="v1" From: Olivier Certner Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred Date: Thu, 21 May 2026 10:39:32 +0200 Message-ID: <13306571.xkLNZX5ndW@ravel> In-Reply-To: <20260520222336.BA0F59B7A@freefall.freebsd.org> References: <20260520222336.BA0F59B7A@freefall.freebsd.org> MIME-Version: 1.0 Hi, Let me add some more information and correct some inaccuracy: > I. Background > (snip) > setcred(2) is a system call which enables a privileged process to atomically > set its full credential set, including the real, effective, and saved user > and group identifiers, as well as the list of supplementary groups. It is > intended for use by programs such as login(1) and PAM(3)-aware authentication > frameworks that must transition a process into a target user context in a > single, race-free operation, replacing the need for multiple discrete calls > to setuid(2), setgid(2), and setgroups(2). The only base system's program currently leveraging setcred(2) is mdo(1), so only those using it could stumble on the bug inadvertently (unless they have their own programs calling setcred(2)). Of course, this does not preclude malicious people from trying to actively exploit that, either through mdo(1) or by calling setcred(2) directly. > II. Problem Description > > The setcred(2) system call is only available to privileged users. However, > before the privilege level of the caller is checked, the user-supplied list > of supplementary groups is copied into a fixed-size kernel stack buffer > without first validating its length. If the supplied list exceeds the > capacity of that buffer, a stack buffer overflow occurs. The fixed-size kernel stack buffer is in fact a C array of group IDs, whose length was (of course) validated in an indirect manner, by deciding to copy to it only if the number of groups was low enough to fit. The actual problem is that the *byte size* calculation driving the copy used a wrong sizeof() (twice too big), and we do allocate a buffer of this computed size only if there are more than CRED_SMALLGROUPS_NB (16) supplementary groups, else we use the fixed-size buffer. Bottom line, the mentioned buffer overflow only occurs when the passed number of supplementary groups is exactly between 9 and 16 included, not in any other cases, which is why it was not caught earlier. Even before discovery of this flaw, that code had been simplified (allowed by the change in how we handle the effective GID and supplementary groups starting from FreeBSD 15), so the bug has not been present anymore both in main and stable/15 for months (so, not in releng/15.1 either), which is why no commit to them was necessary. Unfortunately, the MFC of this simplification to stable/15 occurred too late for inclusion in 15.0, hence requiring a direct commit to releng/15.0 Thanks to those who reported and those who fixed the bug for the supported releases. Sorry that this stupid mistake slipped through the cracks. Regards. -- Olivier Certner --nextPart3100967.fspEBoepoX Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- iQIzBAABCQAdFiEEmNCxHjkosai0LYIujKEwQJceJicFAmoOxMQACgkQjKEwQJce JieErg//ZVK3Q4rIYuNDKDwCl4jgdjCijf9Sn+RRfXdL7Qpp4dM+OxVDxMkccVVq hXSdZ7KGJixpzDKa3Y5UAo1FAvYe+SKnwmFuX7B9FsK6y0wNL0ie0JdBl0kENI6f Dck5iyH7LKA1n/0N9osFg5hO0Iz/Hxr2/rI5Z9FjKfX0wkkgmShYqQMboWiA+e1Y fsTwGTMDbB6DgAdRyoAEi198NRZnssEJk+s0TFxEiFQ27Hi10tBFc4556EOz8k+l BCWsBAlG2YkF80/8n5GOhCRVRmqmx0Q54aFYZMpWBwNbbWZzl1TuPOoWE4Br328k 5cqZ7Iruz33OwfSqoag9BUQSL+L7S+B09i7FhVzNyjtXYfuMckeVW6e4F7FOCWl8 Ze7nFIycfzOJE5ezthE8gWekpAY6pewyb9S3nxWzVSjPooix0Z21kt76FFYefUM8 BNMnIS1GKidQUpPkrj7ufat5cLd43yVFKAFz6Baj8Aj/lL5F1sbiGTZpqnO3Ogti /DQZSy9NiVuX9zeDjIHeajPgap3IJB7mxGojzF4jAxCNJtY4iR5XBwzmzIBiBp5P g9rQmxMQIm8t5QNQXgOtT7DJzToXqmtHOP4oRM40i5M9mAjqGMBGFS2I8zI3IZTn WheHjcuh5y9ZzmCUsdwRmH3JcJlThfMQHd1g38dAaCjYLEL9vFQ= =a+BH -----END PGP SIGNATURE----- --nextPart3100967.fspEBoepoX-- From nobody Thu May 21 08:45:20 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLhnQ73Dgz6fkv3 for ; Thu, 21 May 2026 08:45:30 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [IPv6:2001:67c:ea8::13]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256) (Client CN "lagoon.freebsd.lublin.pl", Issuer "E8" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLhnP6B6fz3Vvj for ; Thu, 21 May 2026 08:45:29 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=frasunek.com header.s=netium header.b=Ek0nDCkr; dmarc=pass (policy=quarantine) header.from=frasunek.com; spf=pass (mx1.freebsd.org: domain of przemyslaw@frasunek.com designates 2001:67c:ea8::13 as permitted sender) smtp.mailfrom=przemyslaw@frasunek.com Received: from [IPV6:2a00:8dc0:b000:400:d41a:c1a2:33da:e437] (unknown [IPv6:2a00:8dc0:b000:400:d41a:c1a2:33da:e437]) by lagoon.freebsd.lublin.pl (Postfix) with ESMTPSA id 6446A173FDC for ; Thu, 21 May 2026 10:45:21 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=frasunek.com; s=netium; t=1779353121; bh=l05MzaJN8B27fu4vdDila1Hfzudja7VzvoyVQjnv2DM=; h=Date:Subject:To:References:From:In-Reply-To; b=Ek0nDCkrBKwJCUpbQ5xoQ8dajp9HN4zGlTw4Rlllxv3AgutOWw1mmJlXnOEivRfwJ GtxtgY2bNrkSk6ukSjyg/JEEStbVEXnpGXPZwlan+Yi2Sr7MwAv+Fxb1VCyXOIb7EJ lj7EnTMXefDhlIIY0imXpaMkQNx8rHN/jWEkLN5Q= Message-ID: <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com> Date: Thu, 21 May 2026 10:45:20 +0200 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred To: freebsd-security@freebsd.org References: <20260520222336.BA0F59B7A@freefall.freebsd.org> <13306571.xkLNZX5ndW@ravel> Content-Language: pl From: Przemyslaw Frasunek In-Reply-To: <13306571.xkLNZX5ndW@ravel> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-3.24 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-0.87)[-0.866]; NEURAL_HAM_SHORT(-0.57)[-0.570]; DMARC_POLICY_ALLOW(-0.50)[frasunek.com,quarantine]; R_DKIM_ALLOW(-0.20)[frasunek.com:s=netium]; ONCE_RECEIVED(0.20)[]; R_SPF_ALLOW(-0.20)[+ip6:2001:67c:ea8::/48]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_ONE(0.00)[1]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:57811, ipnet:2001:67c:ea8::/48, country:PL]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[frasunek.com:+] X-Spamd-Bar: --- X-Rspamd-Queue-Id: 4gLhnP6B6fz3Vvj > The only base system's program currently leveraging setcred(2) is mdo(1), so only those using it could stumble on the bug inadvertently (unless they have their own programs calling setcred(2)). > > Of course, this does not preclude malicious people from trying to actively exploit that, either through mdo(1) or by calling setcred(2) directly. As the reporter of this vulnerability, I am sharing a full write-up demonstrating LPE with SMAP/SMEP enabled: https://fatgid.io/ From nobody Thu May 21 20:45:50 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gM0mk2nB5z6dvb1 for ; Thu, 21 May 2026 20:45:58 +0000 (UTC) (envelope-from olce@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gM0mk28kMz458J; Thu, 21 May 2026 20:45:58 +0000 (UTC) (envelope-from olce@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779396358; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/HxCVP2khpNtFGCSdMrHmoPYWS9YVZXnC8anqorpG28=; b=dN3915sFDwsmEy2bAu06Zi32YpuZ03fNZ8NZsDl6zQpvyBU+bABet3eL2r5oiGkC1WY4ut CaZ4P4FfAK7hdRBu3lZDvz8CVvMbfahntnMYNHHCwuWZpxpNcCzaSaJoooczPufBu1BpqQ CN7Zkday+g006RlUFKwZ/wBOp6JTkOsbVx/GQfbnadUsX3KUVDZsNrEBvFsVJuu3uB+7A5 ItoajNt14UBUJ4B2/helEQkFKlOzyHrdvZlWJ7N5sMoyEruKshSTAQFirOh3S6Mb9OrpKN X84rUvPjqzCWqsyEgPfPRMHIijdcV0aXHACqG6aFJOEyXBCERqJ+QYZ2ThWgZw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779396358; a=rsa-sha256; cv=none; b=l5XWju2OQDsN2dK7DUrObzoY4aE7fOnfI4EdBQ7MdBiysnl+sqg7Ev5HwzWTndxPD28Ekq 2tdq63Whp5Jy2rEOEkbgk3qFf3cPWfGixuiCZxegLcJh90gun7jgYhiLVlKmJyLFUVKLR+ RsXsfQiaROwNbh1Z2b8o9mCbwNAsrZd+PWDazI/qIOVVkT5cFDizTQ6Dvrk6LwelSKfLkX Si3HPYu0XLB3awkBbtbX0mNtzpmBRvuRYjz/xMppNy/ZUk//Tnsk7DnO7GLKWF+UIsllEI M7D+u2NvbTl7kMynuzKE3Y4R36Lv0yijPc5gkBV/oNyuLiJvDkSsHBTyMaYpMw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779396358; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/HxCVP2khpNtFGCSdMrHmoPYWS9YVZXnC8anqorpG28=; b=Ec0ttX6y1lsU/z9Vg4YedO7FxnO5cfKQXXMPuplJ+u+sHARjihAn6YU3Dc5IIosKhzymW3 McWqkK4dkEWBCVnMN1CW/4hBaFaFnJulPWY1n7v2duJtXRVEaLOBYLJud8l//Snci7RsXy PufDLf4jDEDUQE8lJncAENVNHuoz/PFtohL9Eesi1XUtdEHEdgp14g/JekFIHOXy+gTcKL bLBqHYYktUcC4h/VhA2Li3+5u1JN+iXzK0dDA3FsktT+ziVBnK3veY6uIPf2WeVUstjZ3Z cEAof0SFzD+8tsx4uadlHU/jLYeFPEUBHQ72EghWzewcl1ASMuUR38cXqnEerA== Received: from ravel.localnet (lfbn-nic-1-328-19.w90-116.abo.wanadoo.fr [90.116.162.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: olce/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4gM0mj67mTzkDv; Thu, 21 May 2026 20:45:57 +0000 (UTC) (envelope-from olce@freebsd.org) From: Olivier Certner To: Przemyslaw Frasunek Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred Date: Thu, 21 May 2026 22:45:50 +0200 Message-ID: <2786573.XrqEPMHAR6@ravel> In-Reply-To: <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com> References: <20260520222336.BA0F59B7A@freefall.freebsd.org> <13306571.xkLNZX5ndW@ravel> <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2070753.ruP0FAUDoQ"; micalg="pgp-sha384"; protocol="application/pgp-signature" --nextPart2070753.ruP0FAUDoQ Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8"; protected-headers="v1" From: Olivier Certner To: Przemyslaw Frasunek Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred Date: Thu, 21 May 2026 22:45:50 +0200 Message-ID: <2786573.XrqEPMHAR6@ravel> In-Reply-To: <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com> MIME-Version: 1.0 > As the reporter of this vulnerability, I am sharing a full write-up > demonstrating LPE with SMAP/SMEP enabled: https://fatgid.io/ This write-up is good for the vulnerability description. Thanks! (I just skimmed through the exploitation part.) I'd just correct/complete this part: > The underlying fix is the main-branch commit 000d5b52c19ff3858a6f0cbb405d47713c4267a4 from 2025-11-27 ("setcred(2): Fix a panic on too many groups from latest commit"), which refactored kern_setcred_copyin_supp_groups() into user_setcred_copyin_supp_groups(), changing the groups argument from gid_t ** to a local gid_t *, and replacing both sizeof(*groups) occurrences with sizeof(gid_t). The underlying fix is not the commit you mention, which is a followup of the simplification commit evoked in my previous answer, which is the right one: https://cgit.freebsd.org/src/commit/?id=4cd93df95e69. It's where the sizeof(*groups) were replaced with sizeof(gid_t). > The original commit message does not mention the stack overflow; the fix appears to be an unintentional side effect of the refactoring. It's slightly more complex than that actually. It's true I did not see the stack overflow back then, but was very close to. I don't really recall how the sizeof(*groups) first appeared in commit https://cgit.freebsd.org/src/commit/?id=ddb3eb4efe55 (perhaps it came from an earlier development version where 'groups' was of type 'gid_t *'; or maybe it was a plain mistake from the start). But, when I did the simplification commit, I clearly remember noticing the logical mistake (the missing '*'). Unfortunately, this is where I made a second mistake, that is, to assess that this logical mistake had no practical significance because I had somehow convinced myself that uid_t/gid_t had the natural size of the platform (which is not the case: they are 32-bit wide everywhere). And that's why I did not bother fixing it in other branches and releases back then. Thanks and regards. -- Olivier Certner --nextPart2070753.ruP0FAUDoQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- iQIzBAABCQAdFiEEmNCxHjkosai0LYIujKEwQJceJicFAmoPbv4ACgkQjKEwQJce JifiXQ//Y3OOpWTGL5k3skyzgzo2ApUscbP6FdRBt9rUp1HPina9tcDevj7ulxXs 40GSSmW2l/Ie5DvlImtzdb4dcy3CFiE9NxUEINBDX2VjTNdqp6iChUXofb/iv+29 nC1KxqvR3RzDmcFP3lk+RTFF96nhEWyV9A5NKNpwh+1BT0DGEhkmgOtijDigveGL U2yaf4yKQKyf6mdn6/5LaZmnpL3/a+M5d7qtJslM8wGCR8SiM89gj4G/JRTuK6wy S6bq00N4q58wdNQX3WVW+4hq34JvzykKaML+TmWMlIJdVzLnyCLvvbH37ZMDBHzU FEisOp+16rVghtVqcSrR6ed0zDP0/LoYA3TN/wIG08P8nHNzK1X2jJznZVw7tKMw DhQZ6f/EnpfXZob3Kh8klyqFUG41Vv3i7/k86p2WdeaYQRodG3br1b4qaDcNGELJ +nmSdvOCPdEs3EIgsz8TwQL5aVnQsj1nZTo7w0tC1VBBVyvVlf6TeAzENE6G/XXC K1EP0GGSRly/elqhAcppm778bIO29UVDAnoSQwsHcCCs0QuaAFuNC/zThxiF0iIA 8mCnIc6gCKmPrtczCwSLqw5+JAVcTzrNn9fMVOAgn2j63pY7LE24FRwldu0Umd0b hI/fCxK+5TO6zKXFJOptAK0jvwMEb8gdCbrAs6DGT8vtUyOdR5o= =118g -----END PGP SIGNATURE----- --nextPart2070753.ruP0FAUDoQ-- From nobody Fri May 22 05:24:25 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gMDH01gWnz6dmW9 for ; Fri, 22 May 2026 05:24:28 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [185.73.211.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256) (Client CN "lagoon.freebsd.lublin.pl", Issuer "E8" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gMDGz4F3fz4HjP; Fri, 22 May 2026 05:24:27 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Authentication-Results: mx1.freebsd.org; none Received: from [IPV6:2001:67c:ea8:1::3] (unknown [IPv6:2001:67c:ea8:1::3]) by lagoon.freebsd.lublin.pl (Postfix) with ESMTPSA id 72733173B2F; Fri, 22 May 2026 07:24:25 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=frasunek.com; s=netium; t=1779427465; bh=SAOi53cjwCG2V9nLkZ8tOzNX+BOUpNceOQ/63LG6dSo=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=mHssU3h40yj0eE2c1D2KgcJA5LLj12Ft/BwUFEgc9lImaDZs1YVX1I2YWtH301k0n jTtbz5EugE2Wdt+X2ZhixjeqO8cr4Nt06hGedCDsh7iFvHSmAyigrSYQ8GY+9Lg0dt XfZ1p/rfsKYSl34zFFy77qEVP83RHGfOxpORnTTw= Message-ID: Date: Fri, 22 May 2026 07:24:25 +0200 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred To: Olivier Certner Cc: freebsd-security@freebsd.org References: <20260520222336.BA0F59B7A@freefall.freebsd.org> <13306571.xkLNZX5ndW@ravel> <832f02ee-9fdb-4eda-a06a-d3330ba9aa30@frasunek.com> <2786573.XrqEPMHAR6@ravel> Content-Language: pl From: Przemyslaw Frasunek In-Reply-To: <2786573.XrqEPMHAR6@ravel> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:57811, ipnet:185.73.211.0/24, country:PL] X-Rspamd-Queue-Id: 4gMDGz4F3fz4HjP X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated > I'd just correct/complete this part: [...] Thank you, Olivier. I updated the write-up accordingly.