Date:      Wed, 29 Apr 2026 18:11:26 +0000
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject:   git: 51a06c2348 - main - Add EN-26:08 through EN-26:10 and SA-26:12 through SA-26:17.
Message-ID:  <69f249ce.312df.21c6eb51@gitrepo.freebsd.org>


The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=51a06c23483710cfe93554cfd4f3b109be17fbc1

commit 51a06c23483710cfe93554cfd4f3b109be17fbc1
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2026-04-29 18:10:38 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2026-04-29 18:10:38 +0000

    Add EN-26:08 through EN-26:10 and SA-26:12 through SA-26:17.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |   24 +
 website/data/security/errata.toml                  |   12 +
 .../security/advisories/FreeBSD-EN-26:08.pf.asc    |  139 +
 .../advisories/FreeBSD-EN-26:09.tzdata.asc         |  179 ++
 .../security/advisories/FreeBSD-EN-26:10.amd64.asc |  155 +
 .../advisories/FreeBSD-SA-26:12.dhclient.asc       |  155 +
 .../security/advisories/FreeBSD-SA-26:13.exec.asc  |  150 +
 .../security/advisories/FreeBSD-SA-26:14.pf.asc    |  168 ++
 .../advisories/FreeBSD-SA-26:15.dhclient.asc       |  159 ++
 .../security/advisories/FreeBSD-SA-26:16.libnv.asc |  152 +
 .../security/advisories/FreeBSD-SA-26:17.libnv.asc |  156 +
 website/static/security/patches/EN-26:08/pf.patch  |   69 +
 .../static/security/patches/EN-26:08/pf.patch.asc  |   17 +
 .../patches/EN-26:09/tzdata-2026b-144.patch        |  681 +++++
 .../patches/EN-26:09/tzdata-2026b-144.patch.asc    |   17 +
 .../security/patches/EN-26:09/tzdata-2026b.patch   | 3015 ++++++++++++++++++++
 .../patches/EN-26:09/tzdata-2026b.patch.asc        |   17 +
 .../static/security/patches/EN-26:10/amd64.patch   |   34 +
 .../security/patches/EN-26:10/amd64.patch.asc      |   17 +
 .../security/patches/SA-26:12/dhclient.patch       |   28 +
 .../security/patches/SA-26:12/dhclient.patch.asc   |   17 +
 .../static/security/patches/SA-26:13/exec.patch    |   11 +
 .../security/patches/SA-26:13/exec.patch.asc       |   17 +
 .../static/security/patches/SA-26:14/pf-135.patch  |  165 ++
 .../security/patches/SA-26:14/pf-135.patch.asc     |   17 +
 .../static/security/patches/SA-26:14/pf-143.patch  |  165 ++
 .../security/patches/SA-26:14/pf-143.patch.asc     |   17 +
 .../static/security/patches/SA-26:14/pf-144.patch  |   98 +
 .../security/patches/SA-26:14/pf-144.patch.asc     |   17 +
 .../static/security/patches/SA-26:14/pf-150.patch  |  163 ++
 .../security/patches/SA-26:14/pf-150.patch.asc     |   17 +
 .../security/patches/SA-26:15/dhclient.patch       |   13 +
 .../security/patches/SA-26:15/dhclient.patch.asc   |   17 +
 .../static/security/patches/SA-26:16/libnv.patch   |   34 +
 .../security/patches/SA-26:16/libnv.patch.asc      |   17 +
 .../static/security/patches/SA-26:17/libnv.patch   |   25 +
 .../security/patches/SA-26:17/libnv.patch.asc      |   17 +
 37 files changed, 6171 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 611ec14b67..3c30ea9bd5 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,30 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-26:17.libnv"
+date = "2026-04-29"
+
+[[advisories]]
+name = "FreeBSD-SA-26:16.libnv"
+date = "2026-04-29"
+
+[[advisories]]
+name = "FreeBSD-SA-26:15.dhclient"
+date = "2026-04-29"
+
+[[advisories]]
+name = "FreeBSD-SA-26:14.pf"
+date = "2026-04-29"
+
+[[advisories]]
+name = "FreeBSD-SA-26:13.exec"
+date = "2026-04-29"
+
+[[advisories]]
+name = "FreeBSD-SA-26:12.dhclient"
+date = "2026-04-29"
+
 [[advisories]]
 name = "FreeBSD-SA-26:11.amd64"
 date = "2026-04-21"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index f14683655b..1614ad90a8 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,18 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-26:10.amd64"
+date = "2026-04-29"
+
+[[notices]]
+name = "FreeBSD-EN-26:09.tzdata"
+date = "2026-04-29"
+
+[[notices]]
+name = "FreeBSD-EN-26:08.pf"
+date = "2026-04-29"
+
 [[notices]]
 name = "FreeBSD-EN-26:07.pkgbase"
 date = "2026-04-21"
diff --git a/website/static/security/advisories/FreeBSD-EN-26:08.pf.asc b/website/static/security/advisories/FreeBSD-EN-26:08.pf.asc
new file mode 100644
index 0000000000..c5a4f42406
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:08.pf.asc
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:08.pf                                             Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Incorrect duplicate rule detection for automatic tables
+
+Category:       core
+Module:         pf
+Announced:      2026-04-29
+Credits:        Michael Sinatra
+Affects:        FreeBSD 15.0
+Corrected:      2026-04-26 10:12:28 UTC (stable/15, 15.0-STABLE)
+                2026-04-29 14:48:24 UTC (releng/15.0, 15.0-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD.
+While loading its configuration, pf hashes rules and silently drops
+duplicates as an optimisation.  Only the first rule with the same hash is
+considered.
+
+II.  Problem Description
+
+While checking for duplicate rules pf did not distinguish automatically
+created tables from each other.  As a result some of those rules may have
+unexpectedly not been loaded.
+
+III. Impact
+
+The ruleset loaded in the kernel might not match the configured ruleset.
+
+IV.  Workaround
+
+This problem only affects rules with tables created by the pfctl rules
+optimiser.  Either disable ruleset optimisation ('set ruleset-optimization
+none'), or avoid constructs which would be optimisised into a table (e.g. by
+manually creating such tables).
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot the system.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r now
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r now
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-26:08/pf.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:08/pf.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              fdcc60f52841    stable/15-n283345
+releng/15.0/                            d91d13c12484  releng/15.0-n281025
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:08.pf.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=7VtI
+-----END PGP SIGNATURE-----
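Review bot: In section IV (Workaround), "optimisised" in "avoid constructs which would be optimisised into a table" is a typo for "optimised"; because the notice is clearsigned, it has to be corrected before the text is signed. Sections V.1 and V.2 use "shutdown -r now", while EN-26:10 and SA-26:13 in this same commit use 'shutdown -r +10min "Rebooting for a security update"'; one form should be used throughout. The freebsd-update paragraph also mentions "the i386 platform on FreeBSD 13" although the Affects field lists only FreeBSD 15.0.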
diff --git a/website/static/security/advisories/FreeBSD-EN-26:09.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-26:09.tzdata.asc
new file mode 100644
index 0000000000..09b3d387db
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:09.tzdata.asc
@@ -0,0 +1,179 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:09.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2026-04-29
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-03-05 01:36:15 UTC (stable/15, 15.0-STABLE)
+                2026-04-29 14:48:25 UTC (releng/15.0, 15.0-RELEASE-p7)
+                2026-03-05 01:33:16 UTC (stable/14, 14.4-STABLE)
+                2026-04-29 14:49:38 UTC (releng/14.4, 14.4-RELEASE-p3)
+                2026-04-29 14:49:18 UTC (releng/14.3, 14.3-RELEASE-p12)
+                2026-03-05 01:33:52 UTC (stable/13, 13.5-STABLE)
+                2026-04-29 14:50:16 UTC (releng/13.5, 13.5-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IANA Time Zone Database (often called tz or zoneinfo) contains code and
+data that represent the history of local time for many representative
+locations around the globe.  It is updated periodically to reflect changes
+made by political bodies to time zone boundaries, UTC offsets, and
+daylight-saving rules.
+
+FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
+The tzsetup(8) utility allows the user to specify the default local time
+zone.  Based on the selected time zone, tzsetup(8) copies one of the files
+from /usr/share/zoneinfo to /etc/localtime.  A time zone may also be selected
+for an individual process by setting its TZ environment variable to a desired
+time zone name.
+
+II.  Problem Description
+
+Several changes to future and past timestamps have been recorded in the IANA
+Time Zone Database after previous FreeBSD releases were released.  This
+affects many users in different parts of the world.  Because of these
+changes, the data in the zoneinfo files need to be updated.  If the local
+timezone on the running system is affected, tzsetup(8) needs to be run to
+update /etc/localtime.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV.  Workaround
+
+The system administrator can install an updated version of the IANA Time Zone
+Database from the misc/zoneinfo port and run tzsetup(8).
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Please note that some third party software, for instance PHP, Ruby, Java,
+Perl and Python, may be using different zoneinfo data sources, in such cases
+this software must be updated separately.  Software packages that are
+installed via binary packages can be upgraded by executing 'pkg upgrade'.
+
+Following the instructions in this Errata Notice will only update the IANA
+Time Zone Database installed in /usr/share/zoneinfo.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.5, FreeBSD 14.3, and FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b.patch.asc
+# gpg --verify tzdata-2026b.patch.asc
+
+[FreeBSD 14.4]
+# fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b-144.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b-144.patch.asc
+# gpg --verify tzdata-2026b-144.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              564480f108e7    stable/15-n282573
+releng/15.0/                            183f96697f82  releng/15.0-n281026
+stable/14/                              4830cb713ed8    stable/14-n273807
+releng/14.4/                            677aeab69b13  releng/14.4-n273688
+releng/14.3/                            1d3ca32f88f2  releng/14.3-n271488
+stable/13/                              c0b2aff48ff3    stable/13-n259815
+releng/13.5/                            f7e6b9f128e3  releng/13.5-n259213
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/eggert/tz/blob/2026b/NEWS>;
+<URL:https://github.com/eggert/tz/blob/2026a/NEWS>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:09.tzdata.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=Mc5t
+-----END PGP SIGNATURE-----
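Review bot: Section V (Solution) never tells the reader to run tzsetup(8), although section II states that tzsetup(8) needs to be run to update /etc/localtime when the local timezone is affected. None of the three update paths includes that step, so a reader following only section V refreshes /usr/share/zoneinfo and leaves /etc/localtime as it was. Suggest adding the tzsetup(8) step next to "Restart all the affected applications and daemons, or reboot the system." A smaller point in the same section: "may be using different zoneinfo data sources, in such cases this software must be updated separately" is a comma splice and reads better as two sentences.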
diff --git a/website/static/security/advisories/FreeBSD-EN-26:10.amd64.asc b/website/static/security/advisories/FreeBSD-EN-26:10.amd64.asc
new file mode 100644
index 0000000000..30eff34440
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:10.amd64.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:10.amd64                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          TLB invalidation bug on AMD systems with INVLPGB
+
+Category:       core
+Module:         vm
+Announced:      2026-04-29
+Affects:        FreeBSD 14.3 and later
+Corrected:      2026-04-23 13:48:45 UTC (stable/15, 15.0-STABLE)
+                2026-04-29 14:48:26 UTC (releng/15.0, 15.0-RELEASE-p7)
+                2026-04-23 13:49:23 UTC (stable/14, 14.4-STABLE)
+                2026-04-29 14:49:39 UTC (releng/14.4, 14.4-RELEASE-p3)
+                2026-04-29 14:49:19 UTC (releng/14.3, 14.3-RELEASE-p12)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+On multi-core systems, TLB invalidation operations must notify other cores,
+as each core maintains a local TLB.  On amd64 systems this has historically
+been implemented using interprocessor interrupts.  Recent AMD CPUs provide
+a new instruction, invlpgb, which allows a core to broadcast TLB invalidations
+to other cores without need to explicitly raise interrupts.  The FreeBSD kernel
+makes use of this instruction when available.
+
+II.  Problem Description
+
+The FreeBSD implementation of ranged TLB invalidation took advantage of a bit
+in an invlpgb operand to invalidate consecutive 2M entries, instead of
+invalidating purely in increments of 4K pages.  The hardware invlpgb
+implementation uses the underlying page size to invalidate regardless of the
+status of this bit, which may leave a series of 4K mappings intact that should
+have been invalidated.
+
+III. Impact
+
+Failing to invalidate pages when it required may result in apparent kernel
+memory corruption, typically resulting in a kernel panic.  Workloads involving
+heavy use of kqueue(2) and/or large file descriptor tables seem to trigger
+the problem somewhat readily.
+
+IV.  Workaround
+
+Intel and non-x86 systems are not affected.
+
+AMD systems that support INVLPGB (reported during the kernel boot process in
+"AMD Extended Feature Extensions ID EBX") may set vm.pmap.invlpgb_works=0 in
+/boot/loader.conf to work around this issue by disabling the use of invlpgb.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot the system.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-26:10/amd64.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:10/amd64.patch.asc
+# gpg --verify amd64.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              280cfe2264d7    stable/15-n283199
+releng/15.0/                            182c59658218  releng/15.0-n281027
+stable/14/                              ff11ae166cd9    stable/14-n274021
+releng/14.4/                            b00785205990  releng/14.4-n273689
+releng/14.3/                            3b1365cb816e  releng/14.3-n271489
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:10.amd64.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=pWDj
+-----END PGP SIGNATURE-----
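Review bot: In section III (Impact), "Failing to invalidate pages when it required" is missing a word; "when required" or "when it is required" reads correctly. Sections V.1 and V.2 use the reboot message "Rebooting for a security update" although this is an Errata Notice, and the update paragraphs list arm64 while section IV states that non-x86 systems are not affected; trimming the boilerplate to the affected platform would avoid sending unaffected users through a reboot.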
diff --git a/website/static/security/advisories/FreeBSD-SA-26:12.dhclient.asc b/website/static/security/advisories/FreeBSD-SA-26:12.dhclient.asc
new file mode 100644
index 0000000000..531af13cae
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:12.dhclient.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:12.dhclient                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Remote code execution via malicious DHCP options 
+
+Category:       core
+Module:         dhclient
+Announced:      2026-04-29
+Credits:        Joshua Rogers of AISLE Research Team
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-04-29 14:47:47 UTC (stable/15, 15.0-STABLE)
+                2026-04-29 14:48:28 UTC (releng/15.0, 15.0-RELEASE-p7)
+                2026-04-29 14:48:50 UTC (stable/14, 14.4-STABLE)
+                2026-04-29 14:49:41 UTC (releng/14.4, 14.4-RELEASE-p3)
+                2026-04-29 14:49:22 UTC (releng/14.3, 14.3-RELEASE-p12)
+                2026-04-29 14:50:06 UTC (stable/13, 13.5-STABLE)
+                2026-04-29 14:50:18 UTC (releng/13.5, 13.5-RELEASE-p13)
+CVE Name:       CVE-2026-42511
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+dhclient(8) is the default IPv4 DHCP client used on FreeBSD.  It is
+responsible for contacting DHCP servers on a network segment and for
+initialising and configuring network interfaces based on received
+information.
+
+II.  Problem Description
+
+The BOOTP file field is written to the lease file without escaping embedded
+double-quotes, allowing injection of arbitrary dhclient.conf directives.
+When the lease file is subsequently re-parsed by dhclient, e.g., after a
+system restart, an attacker-controlled field from the lease is passed to
+dhclient-script(8), which evaluates it.
+
+III. Impact
+
+A rogue DHCP server may be able to execute arbirary code as root on a system
+running dhclient.
+
+IV.  Workaround
+
+No workaround is available.  Systems not running dhclient(8) are not
+affected.
+
+The attacker needs to be on the same broadcast domain and respond to DHCP
+requests.  A well-managed network will configure DHCP snooping on switches to
+prevent rogue DHCP servers from operating.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch.asc
+# gpg --verify dhclient.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              2621f6c5d4ae    stable/15-n283377
+releng/15.0/                            e7b4fb41aafa  releng/15.0-n281029
+stable/14/                              b3087e05e848    stable/14-n274076
+releng/14.4/                            73b801e3b5b3  releng/14.4-n273691
+releng/14.3/                            dda71167a101  releng/14.3-n271492
+stable/13/                              46c01e4dd102    stable/13-n259859
+releng/13.5/                            a2d45189b9ee  releng/13.5-n259215
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-42511>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:12.dhclient.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=h/Vp
+-----END PGP SIGNATURE-----
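Review bot: The Topic line says "malicious DHCP options" while section II attributes the flaw to the BOOTP file field being written to the lease file without escaping embedded double-quotes; the topic should match the description, or section II should say how options are involved. The Topic line also ends in a trailing space, and section III has "arbirary" for "arbitrary". Section IV opens with "No workaround is available" and then describes DHCP snooping on switches; labelling that paragraph as a mitigation would remove the apparent contradiction.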
diff --git a/website/static/security/advisories/FreeBSD-SA-26:13.exec.asc b/website/static/security/advisories/FreeBSD-SA-26:13.exec.asc
new file mode 100644
index 0000000000..3d9a0ea526
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:13.exec.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:13.exec                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Local privilege escalation via execve()
+
+Category:       core
+Module:         execve(2)
+Announced:      2026-04-29
+Credits:        Ryan Austin of Calif.io
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-04-29 14:47:46 UTC (stable/15, 15.0-STABLE)
+                2026-04-29 14:48:27 UTC (releng/15.0, 15.0-RELEASE-p7)
+                2026-04-29 14:48:49 UTC (stable/14, 14.4-STABLE)
+                2026-04-29 14:49:40 UTC (releng/14.4, 14.4-RELEASE-p3)
+                2026-04-29 14:49:21 UTC (releng/14.3, 14.3-RELEASE-p12)
+                2026-04-29 14:50:05 UTC (stable/13, 13.5-STABLE)
+                2026-04-29 14:50:17 UTC (releng/13.5, 13.5-RELEASE-p13)
+CVE Name:       CVE-2026-7270
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+execve(2) is a system call is used to launch an executable image, including
+scripts prefixed with a path to the interpreter.  The system call takes a
+path to the image as a parameter, followed by extra arguments and environment
+variables to be passed to the new image.
+
+II.  Problem Description
+
+An operator precedence bug in the kernel results in a scenario where a buffer
+overflow causes attacker-controlled data to overwrite adjacent execve(2)
+argument buffers.
+
+III. Impact
+
+The bug may be exploitable by an unprivileged user to obtain superuser
+privileges.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc
+# gpg --verify exec.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              c3e943e78e06    stable/15-n283376
+releng/15.0/                            934b48683c4f  releng/15.0-n281028
+stable/14/                              ae00a52921ca    stable/14-n274075
+releng/14.4/                            943aa64ba91a  releng/14.4-n273690
+releng/14.3/                            f04c40607b8f  releng/14.3-n271491
+stable/13/                              d619e3a3c0ec    stable/13-n259858
+releng/13.5/                            7c5c37ac8f8f  releng/13.5-n259214
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-7270>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:13.exec.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySSobFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvjo8QANkZEWuyL/5O51TNbvUj
+SSwE2BN/mjpiLVM7bfvsb7/Ow0vnKiQ3o9ABLbk/YHVOPEzWTzzPJ1XY6Jfnje4h
+embXMN9hA/DT0QnnoB8HYzckZ4WpV1Ok+yfR25C/Gjbfje9Qb+dbhoS9aXEDrVA9
+5o8OmrsC+cngG053KeCMG5Ja+IEN6ZKleO327J+j7DON84K8QDl8KKT/hEcy5Mx2
+M6aho8YDo/wroc4nSJ6dZYpG7hfKEQRNTRbYrj21VAg2zXz8gOB2bQgiIr9Bb0ha
+Kzj/iRapiZDOVu76jpi0clstqDiKEmI3/kf0HNF8B4xWSJ9XL6zfV5EkWCAOzhg6
+Y12Z2RyoWp6Vc35utL7zEuSDvMitEQx4QlhTQRqXoKLgRCnz9OZ8eGhYGiKLrc+Z
+FZ3j/l2RM5SXwh70xN1b455t2HBNm/ZDkpjTYhQPgYDq2A8z1K0d63rh6tAhNGjK
+NHZ7hFaf1kKAmO/p8AyoQJ0bl36u31JXOVgJ7U2UEm3bdvHF0SQ8Xe61oiHSMifO
+dP6Sv//VPEWLqq/oGIplkxJMZ9VAWdiap7/+1lWI72DvFkpb+GdXIPs4fAbIYVwI
+MbdcJygSDwjB8fJh4+sdylWAVQJQFkjUeAvn3huCuoEzlAtaE9Urdh0JnibLAYKN
+v/drFvMv5zppIn1Ry/knM4vG
+=YAct
+-----END PGP SIGNATURE-----
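Review bot: In step 3a of the Solution section, "gpg --verify exec.patch.asc" names only the detached signature and leaves gpg to infer the signed file from the file name; naming both, as in "gpg --verify exec.patch.asc exec.patch", makes it unambiguous which file was checked. The same step does not say which key the signature is expected to come from, so a reader cannot tell a good signature by the intended key from a good signature by some other key in their keyring; a pointer to where the signing key is published would close that gap. Because the advisory is clearsigned, the wording would have to change in the text before signing rather than in this file.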
diff --git a/website/static/security/advisories/FreeBSD-SA-26:14.pf.asc b/website/static/security/advisories/FreeBSD-SA-26:14.pf.asc
new file mode 100644
index 0000000000..c5d889135b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:14.pf.asc
@@ -0,0 +1,168 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:14.pf                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          pf can overflow the stack parsing crafted SCTP packets
+
+Category:       core
+Module:         pf
+Announced:      2026-04-29
+Credits:        Igor Gabriel Sousa e Souza
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-04-29 14:47:50 UTC (stable/15, 15.0-STABLE)
+                2026-04-29 14:48:30 UTC (releng/15.0, 15.0-RELEASE-p7)
+                2026-04-29 14:48:52 UTC (stable/14, 14.4-STABLE)
+                2026-04-29 14:49:44 UTC (releng/14.4, 14.4-RELEASE-p3)
+                2026-04-29 14:49:20 UTC (releng/14.3, 14.3-RELEASE-p12)
+                2026-04-29 14:50:08 UTC (stable/13, 13.5-STABLE)
+                2026-04-29 14:50:20 UTC (releng/13.5, 13.5-RELEASE-p13)
+CVE Name:       CVE-2026-7164
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD.
+SCTP is a transport protocol with multihome support.
+
+pf parses SCTP packets to discover additional addresses for SCTP endpoints,
+allowing it to create states allowing connections between these additional
+addresses.
+
+II.  Problem Description
+
+Incorrect packet validation allowed unbounded recursion parsing SCTP chunk
+parameters.  This can eventually result in a stack overflow and panic.
+
+III. Impact
+
+Remote attackers can craft packets which cause affected systems to panic.
+This affects any system where pf is configured to process traffic,
+independent of the configured ruleset.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using pf are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
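Review bot: Section IV says "No workaround is available" while section III says the issue applies "independent of the configured ruleset", which leaves the reader to infer that a pf rule dropping SCTP does not help. If that is the case, saying so in the Workaround text would answer the first question an operator will ask. Two smaller wording points: the Background sentence uses "allowing" twice ("allowing it to create states allowing connections"), and "allowed unbounded recursion parsing SCTP chunk parameters" in section II reads more clearly as "while parsing".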
*** 5469 LINES SKIPPED ***

