Date: Tue, 27 Jan 2026 22:01:45 +0000 From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 6b1bdbc6f2 - main - Add EN-26:01 through EN-26:03, SA-26:01, and SA-26:02. Message-ID: <697935c9.3c192.ba5b936@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=6b1bdbc6f2b401b1bc0f1b937596714b781c9aa1 commit 6b1bdbc6f2b401b1bc0f1b937596714b781c9aa1 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2026-01-27 22:01:10 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2026-01-27 22:01:10 +0000 Add EN-26:01 through EN-26:03, SA-26:01, and SA-26:02. Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 12 + .../advisories/FreeBSD-EN-26:01.devinfo.asc | 127 +++++ .../security/advisories/FreeBSD-EN-26:02.arm64.asc | 137 +++++ .../security/advisories/FreeBSD-EN-26:03.vm.asc | 144 ++++++ .../advisories/FreeBSD-SA-26:01.openssl.asc | 203 ++++++++ .../security/advisories/FreeBSD-SA-26:02.jail.asc | 150 ++++++ .../static/security/patches/EN-26:01/devinfo.patch | 477 ++++++++++++++++++ .../security/patches/EN-26:01/devinfo.patch.asc | 16 + .../security/patches/EN-26:02/arm64-14.patch | 66 +++ .../security/patches/EN-26:02/arm64-14.patch.asc | 16 + .../security/patches/EN-26:02/arm64-15.patch | 66 +++ .../security/patches/EN-26:02/arm64-15.patch.asc | 16 + .../static/security/patches/EN-26:03/vm-13.patch | 62 +++ .../security/patches/EN-26:03/vm-13.patch.asc | 16 + .../static/security/patches/EN-26:03/vm-14.patch | 62 +++ .../security/patches/EN-26:03/vm-14.patch.asc | 16 + .../static/security/patches/EN-26:03/vm-15.patch | 62 +++ .../security/patches/EN-26:03/vm-15.patch.asc | 16 + .../security/patches/SA-26:01/openssl-13.patch | 194 ++++++++ .../security/patches/SA-26:01/openssl-13.patch.asc | 16 + .../security/patches/SA-26:01/openssl-14.patch | 251 ++++++++++ .../security/patches/SA-26:01/openssl-14.patch.asc | 16 + .../security/patches/SA-26:01/openssl-15.patch | 550 +++++++++++++++++++++ .../security/patches/SA-26:01/openssl-15.patch.asc | 16 + .../static/security/patches/SA-26:02/jail-13.patch | 550 +++++++++++++++++++++ .../security/patches/SA-26:02/jail-13.patch.asc | 16 + .../static/security/patches/SA-26:02/jail-14.patch | 498 +++++++++++++++++++ .../security/patches/SA-26:02/jail-14.patch.asc | 16 + 29 files changed, 3795 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 2a35d25d09..6623b3623e 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-26:02.jail" +date = "2026-01-27" + +[[advisories]] +name = "FreeBSD-SA-26:01.openssl" +date = "2026-01-27" + [[advisories]] name = "FreeBSD-SA-25:12.rtsold" date = "2025-12-16" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index d726df571c..24f08a7faf 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,18 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-26:03.vm" +date = "2026-01-27" + +[[notices]] +name = "FreeBSD-EN-26:02.arm64" +date = "2026-01-27" + +[[notices]] +name = "FreeBSD-EN-26:01.devinfo" +date = "2026-01-27" + [[notices]] name = "FreeBSD-EN-25:20.vmm" date = "2025-12-16" diff --git a/website/static/security/advisories/FreeBSD-EN-26:01.devinfo.asc b/website/static/security/advisories/FreeBSD-EN-26:01.devinfo.asc new file mode 100644 index 0000000000..fffa00bdf3 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:01.devinfo.asc @@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:01.devinfo Errata Notice + The FreeBSD Project + +Topic: devinfo output formatting regression + +Category: core +Module: devinfo +Announced: 2026-01-27 +Affects: FreeBSD 15.0 +Corrected: 2025-12-19 18:16:12 UTC (stable/15, 15.0-STABLE) + 2026-01-27 19:15:45 UTC (releng/15.0, 15.0-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +devinfo(8) is a tool to report information about devices present in a system +including resources used by devices such as MMIO regions and interrupts. + +libxo is a library that provides both "human-readable" and structured text +output (e.g. JSON and XML). + +II. Problem Description + +Changes made during the development cycle of 15.0 to adapt devinfo(8) to use +libxo unintentionally altered the human-readable output breaking existing tools +that parsed the output. + +III. Impact + +This bug broke the Intel nvmupdate tool available in the +sysutils/intel-nvmupdate port. There may be other utilities that are also +broken. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-26:01/devinfo.patch +# fetch https://security.FreeBSD.org/patches/EN-26:01/devinfo.patch.asc +# gpg --verify devinfo.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ ed6612dea24f stable/15-n281586 +releng/15.0/ 6a192c14d244 releng/15.0-n281000 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291510>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:01.devinfo.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAml5NCkACgkQbljekB8A +Gu+8tA//fEWpN3LE3MMstQzJM9EaQqO0Yt2PBGWhg+pR99i/Bx1Xcsmm+8zMhbx9 +2HB99/x91xVmkhaLISgLsK+tAB2vPCln1dpAt8K/nQxo/+AgF5oNdRI5sytzjhsZ +MxfAECJ81MtT83isA2sJpRbp6pYA3yPj9ab2C7V2I9GQLRK6/Fy8MhvuwHlc3Y0S +LgMSn8wOH4vRZ+dXn8JgPA38hbSnEpoWPMWaREQJYwTO5zKJw/TW4/tWaeyZOZd7 +fMxv22xuB6Bta3mTL9sWwYnGN4Ig0miBQstBto6UQnXkm7qZ1Av7MLM2UvZG44Ol +cGDtLyngyxhlEdVGu0AcO3AP2F4s1ot2g9DjC39/dIfRqlSrqjg0elm9N4pXeT0Z +5u9pBkea8z9aAkkxMyCBqROLpnWzdSKAW7MEAmRuZBrdczkfAGulvWJBEsPEu9ZW +wldCugRHxVO+5r9Mq11InRVcM1Jfkv7ZqH/5p1GHdDbUUlqdMC/H1P0oXDfowx9h +m/LJTP1FQyCDJr2rtR4JHRo7ifQJwpMVaKWDfbBKtIHlsq27woEy8dZIad9WyAAN +pvC4wq7PPg4WZ1HB54CUmAD5y49HuHeaS3KLA8ir4BwmdFmSC0KWQGpHQDgmh+Gt +xU7Sl+e4gJpu+zlD6I5pn7JTaz0DqIFdyzckBxEUBlmPkIETM+s= +=mQty +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-26:02.arm64.asc b/website/static/security/advisories/FreeBSD-EN-26:02.arm64.asc new file mode 100644 index 0000000000..ceb386017f --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:02.arm64.asc @@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:02.arm64 Errata Notice + The FreeBSD Project + +Topic: arm64 SVE signal context misalignment + +Category: core +Module: arm64 +Announced: 2026-01-27 +Affects: FreeBSD 15.0 and 14.3 +Corrected: 2026-01-13 16:27:47 UTC (stable/15, 15.0-STABLE) + 2026-01-27 19:15:46 UTC (releng/15.0, 15.0-RELEASE-p2) + 2026-01-26 14:47:24 UTC (stable/14, 14.3-STABLE) + 2026-01-27 19:16:11 UTC (releng/14.3, 14.3-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Scalable Vector Extension (SVE) is an extension of the arm64 instruction set +providing SIMD functionality. + +II. Problem Description + +When a signal is delivered to a thread, the kernel saves the thread's usermode +register values and stores them on the interrupted thread's stack prior to +invoking the signal handler. + +When SVE is present, SVE registers must be saved as well. This register context +was not properly aligned when written out to userspace, and a subsequent request +to restore that context could fail as a result. + +III. Impact + +Processes could crash unexpectedly after handling a signal. + +IV. Workaround + +No workaround is available. Non-arm64 systems are not affected, and arm64 +systems without SVE are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/EN-26:02/arm64-15.patch +# fetch https://security.FreeBSD.org/patches/EN-26:02/arm64-15.patch.asc +# gpg --verify arm64-15.patch.asc + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/EN-26:02/arm64-14.patch +# fetch https://security.FreeBSD.org/patches/EN-26:02/arm64-14.patch.asc +# gpg --verify arm64-14.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 683decf362ce stable/15-n281851 +releng/15.0/ 679b1a810e0e releng/15.0-n281001 +stable/14/ bcd6bb8067d1 stable/14-n273416 +releng/14.3/ 3ba856f715ca releng/14.3-n271456 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:02.arm64.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAml5NCwACgkQbljekB8A +Gu/mSxAAwNJzUNx/bCFoGEoV1vkM5aUOd4lBnFyH/aeRUP/R8bKWQ4ydxiZTfd8m +m+ltioN//WUsP88h6OaAw4JeZBt4HCNi3Pj0fGyu0z4zCjFuKL/1k78Vl51Zt3pJ +bWJBr6WJ5JVmTzf3edbTpa6KA8uKH9JYdpwBsW6ACklBExFyjlYBBblxjWxNP4zo +WPzaYBqGQ/ZQqcQMF06n1M//ufvkHI++R3sOhGzuXz/PJlaUWhn5hblfw0iFt1Py +G3il68l+ONnPiXIkKRzEUCFoYO8feYsj4xK52hAik904JVqJLqUpkPeWgT7bRhzi +YUruypFE5Nt6RCPQ74dKZrshfdGcKeA1pVMAt8QC2e3DzWPYWjVCJiDlYD/kIvls +d/YiGieYs4cbVlX3FS1xWAs3MgN4osyfj/a5fTeSjuTcqjACW0g6xQRLW4LwMZ4V +rH6vm/gRf5/gheFOKokZh/ES3CKQFEXunGdn1ObWd1VKZU77LvVQLsI4J2pXhVYf +CqdU1qs80Qk13K7QmGMt6oRVp0IkM7NRIRivznOLUD0/SAtEdTb3G7gwJAR+AE0U +y61Bsmo4ujOTAGHH5gNAPX9xSWUlItYNTm5shKy6Xv5bQCY04Zi3S2ztXi0NkmX3 +4xWdz9v7/d1CPLCndgWHHDgnZuG3rUH6ueJCDQhtITcnD81w/5U= +=utLQ +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-26:03.vm.asc b/website/static/security/advisories/FreeBSD-EN-26:03.vm.asc new file mode 100644 index 0000000000..dd79584d27 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:03.vm.asc @@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:03.vm Errata Notice + The FreeBSD Project + +Topic: The page fault handler fails to zero memory + +Category: core +Module: vm +Announced: 2026-01-27 +Affects: All supported versions of FreeBSD. +Corrected: 2025-12-15 10:37:54 UTC (stable/15, 15.0-STABLE) + 2026-01-27 19:15:47 UTC (releng/15.0, 15.0-RELEASE-p2) + 2025-12-15 10:42:28 UTC (stable/14, 14.3-STABLE) + 2026-01-27 19:16:12 UTC (releng/14.3, 14.3-RELEASE-p8) + 2026-01-26 15:18:32 UTC (stable/13, 13.4-STABLE) + 2026-01-27 19:16:34 UTC (releng/13.5, 13.5-RELEASE-p9) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The mmap(2) system call allows applications and system libraries to allocate +heap memory using the MAP_ANON flag. The system call allocates virtual memory +in the calling thread's address space and physical memory is allocated on +demand as page faults occur. Memory allocated this way is guaranteed to be +zero-filled. + +II. Problem Description + +Under some conditions, the physical pages allocated and mapped by the kernel +may not be zero-filled. + +III. Impact + +This bug has been observed to cause process crashes. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-15.patch +# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-15.patch.asc +# gpg --verify vm-15.patch.asc + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-14.patch +# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-14.patch.asc +# gpg --verify vm-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-13.patch +# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-13.patch.asc +# gpg --verify vm-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 3c0942f99209 stable/15-n281508 +releng/15.0/ 6e279feb40be releng/15.0-n281002 +stable/14/ 99f641267d44 stable/14-n272998 +releng/14.3/ de311ee39b3f releng/14.3-n271457 +stable/13/ babac9d7bc05 stable/13-n259725 +releng/13.5/ 4967e14ba25b releng/13.5-n259188 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:03.vm.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAml5NC8ACgkQbljekB8A +Gu/4KhAAgF/05mLRDs9wlSC1BrN5xZf6zoFdrsj0BC72miZD1qQXe9VtxzJINMLu +b/jbKYT1ILPEXGhHX7epjc4GEM1Eq/kUJnTb35jnkFN63stMn1MX1nqtSNxLzj5f +tJcsb2Atp/3EkNMhcFwFmolQ2qSdQG+s7xDZhHI/hNi5CS/8B7W59LZI3tWXJujM +AbTiHZZSS68RA/co0lmbDYtLMkFEuQBLdcDAdfOHL5+rV2/QIAVYBdqiynVx+cia +iJBbwBuOjiMWSdqP9JiSRnd1HhW3dMUMJTlZFmyGiQNmS+lYE1AgLgPdMPwSReO8 ++79yUfIrFUqWpG6lM33a9T/t3jN8ejZsYRO8OFghvtaePJvUm/P6D0n0werR8PaE +lI9u7BlBqpX9PJ4FUJmUCHAojqXH6msT2RXLg5GcLhjlApMUi2hAcNuT9tp7/+4A +ekc0/sZqJdrcWTmu00w6Tpk9zohW/MX/DHxNEj4SPn5dpjvz9QttaCpNJNyNARuU +GdzZc8poPk3mpTcawABAD0LItpW6d2XLUehtgaWRc5mDoKZj5GIfLjDmqIqqxe9k +C9e6bhL+1QSZQ2HTTNl8e/xoUX+D2pAiE4GkpRSc6u6ZZ3BOQ+fRwbZlnFSz6diT +IIkUddz63TCmxPiiZiJs7XZFZMpx2wJTvuu51hjLs5t6Eswdk20= +=ecKh +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:01.openssl.asc b/website/static/security/advisories/FreeBSD-SA-26:01.openssl.asc new file mode 100644 index 0000000000..135e849c56 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:01.openssl.asc @@ -0,0 +1,203 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:01.openssl Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in OpenSSL + +Category: contrib +Module: openssl +Announced: 2026-01-27 +Credits: Aisle Research +Affects: All supported versions of FreeBSD. +Corrected: 2026-01-27 19:14:58 UTC (stable/15, 15.0-STABLE) + 2026-01-27 19:15:49 UTC (releng/15.0, 15.0-RELEASE-p2) + 2026-01-27 19:15:10 UTC (stable/14, 14.3-STABLE) + 2026-01-27 19:16:22 UTC (releng/14.3, 14.3-RELEASE-p8) + 2026-01-27 19:15:19 UTC (stable/13, 13.4-STABLE) + 2026-01-27 19:16:45 UTC (releng/13.5, 13.5-RELEASE-p9) +CVE Name: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, + CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, + CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, + CVE-2025-69421, CVE-2026-22795, CVE-2026-22796 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +Multiple issues have been reported as part of this advisory with different +issues affecting different OpenSSL versions and therefore different FreeBSD +versions. Instead of exhaustively listing detailed writeups for each issue, +please see the referenced advisory from OpenSSL. + +Issues affecting FreeBSD 15.0 (OpenSSL 3.5): + CVE-2025-11187 - Improper validation of PBMAC1 parameters in PKCS#12 MAC verification + CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing + CVE-2025-15468 - NULL dereference in SSL_CIPHER_find() function on unknown cipher ID + CVE-2025-15469 - "openssl dgst" one-shot codepath silently truncates inputs >16MB + CVE-2025-66199 - TLS 1.3 CompressedCertificate excessive memory allocation + CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes + CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls + CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion + CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function + CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function + CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing + CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function + +Issues affecting FreeBSD 14.3 (OpenSSL 3.0): + CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing + CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes + CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls + CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion + CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function + CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function + CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing + CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function + +Issues affecting FreeBSD 13.5 (OpenSSL 1.1.1): + CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes + CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls + CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion + CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function + CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function + CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing + CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function + +III. Impact + +The issues include improper/missing validation, NULL pointer dereferences, +out-of-bounds writes, incorrect data exposure, input truncation, excessive +memory allocation, and a stack buffer overflow. + +Security impact can be a minimal information disclosure to a potential remote +code execution. See the OpenSSL advisory for specific details. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/SA-26:01/openssl-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:01/openssl-15.patch.asc +# gpg --verify openssl-15.patch.asc + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/SA-26:01/openssl-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:01/openssl-14.patch.asc +# gpg --verify openssl-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-26:01/openssl-13.patch +# fetch https://security.FreeBSD.org/patches/SA-26:01/openssl-13.patch.asc +# gpg --verify openssl-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 5626e81f1a43 stable/15-n282001 +releng/15.0/ 02f448fe5cc2 releng/15.0-n281004 +stable/14/ ee8d50bfd59e stable/14-n273467 +releng/14.3/ 65c1295c6bb0 releng/14.3-n271466 +stable/13/ 1741502f8d93 stable/13-n259728 +releng/13.5/ 9afc16c4e8a2 releng/13.5-n259198 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://openssl-library.org/news/secadv/20260127.txt>; + +<URL:https://www.cve.org/CVERecord?id=CVE-2025-11187>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-15467>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-15468>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-15469>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-66199>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-68160>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-69418>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-69419>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-69420>; +<URL:https://www.cve.org/CVERecord?id=CVE-2025-69421>; +<URL:https://www.cve.org/CVERecord?id=CVE-2026-22795>; +<URL:https://www.cve.org/CVERecord?id=CVE-2026-22796>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:01.openssl.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAml5NDQACgkQbljekB8A +Gu/F1g/+LJ7/7CqPRxwRZ3/PCX6aDCnCOtau49/5EsYYRzplz9YdFIOrfXKd9krg +OQy4gRufTAImG+vbVXjNfWD10r7pLVgbrqYjT9uGMPWEHlaMBlZz/d2sM86B8nLa +KfEuiQYYLFCvU8N8JsdF2krZ8RI1wCs+cMSddOgCmDTsPykDIW37wRYYkxwZakG4 +yQ8tJ1yTn07ayuNXvPdYUeyH67HCDXHOedZUBAQXvjYTpYna1XEOIOEptm73TEMp +/+UN4YPSmpAEBqo4sStEcZ4hTesMiP90hUXFH97QN5Hj4rYZQqHuPNgPJL3XLnZD +n/exm89riGa+Pag8Ok4y5uknAN0FtiKN5pIsTiFhmDzyl8maTD+nraQe3yyDai0Y +F8kR/z+ceQv7HtNl9ACSW57a0YSngURzdNH6jK1LyroXg15U55D4M/5oGKZPC0B1 +yg3qjvyHL/RTd1mx+UHNP6FXpZzTGwav1Y859jnD7UVHDJPKvGC1bol0QklgQ2jf +zR4reh7kITU59CB1iMp1qB5N9oIBi1XVEIRYP59p/fqSb4H4WfGMDdpv4GwI4KGB +KsNylKJ+lBIqRy5NyIUaTEScog4RCPbghUdg9hpX9eitB5XIaLDg9qtBhPeYj2/v +mSk9hEDZT/BvxXWrYskBs6vyoT+gNtbHByLBRTdJp/GsDxfntPo= +=G/dg +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:02.jail.asc b/website/static/security/advisories/FreeBSD-SA-26:02.jail.asc new file mode 100644 index 0000000000..1f36df3553 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:02.jail.asc @@ -0,0 +1,150 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:02.jail Security Advisory + The FreeBSD Project + +Topic: Jail escape by a privileged user via nullfs + +Category: core +Module: jail +Announced: 2026-01-27 +Affects: FreeBSD 14.3 and 13.5 +Corrected: 2025-06-30 14:21:28 UTC (stable/14, 14.3-STABLE) + 2026-01-27 19:16:15 UTC (releng/14.3, 14.3-RELEASE-p8) + 2026-01-26 15:51:19 UTC (stable/13, 13.4-STABLE) + 2026-01-27 19:16:37 UTC (releng/13.5, 13.5-RELEASE-p9) +CVE Name: CVE-2025-15547 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +Jails are an operating system virtualization technology which allow +administrators to confine processes within an environment with limited ability +to affect the system outside of that environment. In particular, jailed +processes typically have their filesystem access confined by a chroot-like +mechanism. + +nullfs(4) is a pseudo-filesystem which allows a directory to be mounted at +another point in the filesystem hierarchy. + +II. Problem Description + +By default, jailed processes cannot mount filesystems, including nullfs(4). +However, the allow.mount.nullfs option enables mounting nullfs filesystems, +subject to privilege checks. + +If a privileged user within a jail is able to nullfs-mount directories, a +limitation of the kernel's path lookup logic allows that user to escape the +jail's chroot, yielding access to the full filesystem of the host or parent +jail. + +III. Impact + +In a jail configured to allow nullfs(4) mounts from within the jail, the jailed +root user can escape the jail's filesystem root. + +IV. Workaround + +No workaround is available. Jails not created with the allow.mount.nullfs option +are unaffected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/SA-26:02/jail-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:02/jail-14.patch.asc +# gpg --verify jail-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-26:02/jail-13.patch +# fetch https://security.FreeBSD.org/patches/SA-26:02/jail-13.patch.asc +# gpg --verify jail-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 53963866f708 stable/14-n271804 +releng/14.3/ 193ae464aa36 releng/14.3-n271460 +stable/13/ f0fbaa71a5a2 stable/13-n259726 +releng/13.5/ e87a5dd8054a releng/13.5-n259191 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180>; + +<URL:https://www.cve.org/CVERecord?id=CVE-2025-15547>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:02.jail.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAml5NVcACgkQbljekB8A +Gu/70A//VWtonOhQP9CeZPUOL41yHUYKOOm9Wf6DkbWqq7aqxcpM5FiGn3Wq84ql +Qy0qpLIXg4KpHD8qjARqQDg2A3J60O1yW2X7WWLRCCDVMsPRe5sNCuwPH88Mzu+x +1VsE9qne25CKJrLcvFsMoO6XfCx6yQ4Qw6uZjyk1DPPIjZfaZYaM9ysAswAo8tsi +7/s+NsFImjN9S6S7q7Z3E+222pOmEkhUKPNaCXoCXTeutiMd+18oxL290xzXs/49 +0NpdOQcX9R+AiA3hJYkrg6YwoxJASc4aXUv7/SKNRdyL9eRiRkt0ta5jsCup3CXw +SIovbhzauXTbv+AliUoAVSXnEK7S0MyUoMM6RG6OPH7JoKf83Sx61P+D8Y1fMYs1 +Gd+g5Nw00Xk3/8hQUSo91K3+A0Lb88QLt+Wc8pzaj7QYfaaYb9DSfyx3U/cjbYiv +sovFZ7D3r0EH5P3n1jkWHQWrV1/u4I7nd/URC0Lz4WUhEfM3X0abaq5q939fpvJU +y37vBlbfw5d139S3C2frPR2sPX6e6K+jXZzjnpLtYF6CsIjfcfWRCRu3pBvWJ24X +/KCJ2AlhGRDcTbYjafzUQMcni4lw5uZ/gpl5SGfbcOTaM1yC0HWmG8W9NaYR79Gn +QtZ+RgQm5wJJAzHX9wQbVTaMoWW5/AbQy2dhDZBjx2rbZmOGBNc= +=SqAm +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-26:01/devinfo.patch b/website/static/security/patches/EN-26:01/devinfo.patch new file mode 100644 index 0000000000..282c8124de --- /dev/null +++ b/website/static/security/patches/EN-26:01/devinfo.patch @@ -0,0 +1,477 @@ +--- usr.sbin/devinfo/Makefile.orig ++++ usr.sbin/devinfo/Makefile +@@ -2,6 +2,6 @@ + PROG= devinfo + MAN= devinfo.8 + +-LIBADD= xo devinfo ++LIBADD= devinfo + + .include <bsd.prog.mk> +--- usr.sbin/devinfo/devinfo.8.orig ++++ usr.sbin/devinfo/devinfo.8 +@@ -34,13 +34,10 @@ + .Nd print information about system device configuration + .Sh SYNOPSIS + .Nm +-.Op Fl -libxo + .Op Fl rv + .Nm +-.Op Fl -libxo + .Fl p Ar dev Op Fl v + .Nm +-.Op Fl -libxo + .Fl u Op Fl v + .Sh DESCRIPTION + The +@@ -51,14 +48,7 @@ + device. + .Pp + The following options are accepted: +-.Bl -tag -width "--libxo" +-.It Fl -libxo +-Generate output via +-.Xr libxo 3 +-in a selection of different human and machine readable formats. +-See +-.Xr xo_options 7 +-for details on command line arguments. ++.Bl -tag -width indent + .It Fl p Ar dev + Display the path of + .Ar dev +@@ -83,8 +73,6 @@ + .Sh SEE ALSO + .Xr systat 1 , + .Xr devinfo 3 , +-.Xr libxo 3 , +-.Xr xo_options 7 , + .Xr devctl 8 , + .Xr iostat 8 , + .Xr pciconf 8 , +--- usr.sbin/devinfo/devinfo.c.orig ++++ usr.sbin/devinfo/devinfo.c +@@ -4,7 +4,6 @@ + * Copyright (c) 2000, 2001 Michael Smith + * Copyright (c) 2000 BSDi + * All rights reserved. +- * Copyright (c) 2024 KT Ullavik + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -41,18 +40,12 @@ + #include <stdlib.h> + #include <string.h> + #include <unistd.h> +- +-#include <libxo/xo.h> + #include "devinfo.h" + + static bool rflag; + static bool vflag; +-static int open_tag_count; +-static char *last_res; + + static void print_indent(int); +-static void print_kvlist(char *); +-static char* xml_safe_string(char *); + static void print_resource(struct devinfo_res *); + static int print_device_matching_resource(struct devinfo_res *, void *); + static int print_device_rman_resources(struct devinfo_rman *, void *); +@@ -81,46 +74,7 @@ + n = MIN((size_t)n, sizeof(buffer) - 1); + memset(buffer, ' ', n); + buffer[n] = '\0'; +- xo_emit("{Pa:%s}", buffer); +-} +- +-/* +- * Takes a list of key-value pairs in the form +- * "key1=val1 key2=val2 ..." and prints them according +- * to xo formatting. +- */ +-static void +-print_kvlist(char *s) +-{ +- char *kv; +- char *copy; +- +- if ((copy = strdup(s)) == NULL) +- xo_err(1, "No memory!"); +- +- while ((kv = strsep(©, " ")) != NULL) { +- char* k = strsep(&kv, "="); *** 3037 LINES SKIPPED ***home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?697935c9.3c192.ba5b936>