Date: Tue, 09 Jun 2026 21:50:07 +0000 From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 2a530dd472 - main - Add EN-26:14, EN-26:15, and SA-26:25 through SA-26:36. Message-ID: <6a288a8f.27f28.363c0b74@gitrepo.freebsd.org>
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=2a530dd472df2a76ffe89ddd3b68d0b8381a5adf commit 2a530dd472df2a76ffe89ddd3b68d0b8381a5adf Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2026-06-09 21:49:15 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2026-06-09 21:49:15 +0000 Add EN-26:14, EN-26:15, and SA-26:25 through SA-26:36. Approved by: so --- website/data/security/advisories.toml | 48 + website/data/security/errata.toml | 8 + .../advisories/FreeBSD-EN-26:14.syslogd.asc | 151 + .../advisories/FreeBSD-EN-26:15.openssl.asc | 188 + .../security/advisories/FreeBSD-SA-26:25.thr.asc | 163 + .../security/advisories/FreeBSD-SA-26:26.ktls.asc | 161 + .../security/advisories/FreeBSD-SA-26:27.sound.asc | 186 + .../advisories/FreeBSD-SA-26:28.capsicum.asc | 193 + .../advisories/FreeBSD-SA-26:29.ip6_multicast.asc | 166 + .../security/advisories/FreeBSD-SA-26:30.linux.asc | 161 + .../security/advisories/FreeBSD-SA-26:31.arm64.asc | 186 + .../security/advisories/FreeBSD-SA-26:32.elf.asc | 169 + .../advisories/FreeBSD-SA-26:33.unbound.asc | 180 + .../security/advisories/FreeBSD-SA-26:34.vt.asc | 150 + .../advisories/FreeBSD-SA-26:35.openssl.asc | 208 + .../security/advisories/FreeBSD-SA-26:36.ldns.asc | 152 + .../static/security/patches/EN-26:14/syslogd.patch | 54 + .../security/patches/EN-26:14/syslogd.patch.asc | 17 + .../security/patches/EN-26:15/openssl-14.3.patch | 680999 ++++++++++++++++++ .../patches/EN-26:15/openssl-14.3.patch.asc | 17 + .../security/patches/EN-26:15/openssl-14.4.patch | 489826 +++++++++++++ .../patches/EN-26:15/openssl-14.4.patch.asc | 17 + .../security/patches/EN-26:15/openssl-15.0.patch | 679696 +++++++++++++++++ .../patches/EN-26:15/openssl-15.0.patch.asc | 17 + website/static/security/patches/SA-26:25/thr.patch | 11 + .../static/security/patches/SA-26:25/thr.patch.asc | 17 + .../static/security/patches/SA-26:26/ktls.patch | 168 + .../security/patches/SA-26:26/ktls.patch.asc | 17 + 
.../security/patches/SA-26:27/sound-14.3.patch | 358 + .../security/patches/SA-26:27/sound-14.3.patch.asc | 17 + .../security/patches/SA-26:27/sound-14.4.patch | 360 + .../security/patches/SA-26:27/sound-14.4.patch.asc | 17 + .../security/patches/SA-26:27/sound-15.0.patch | 369 + .../security/patches/SA-26:27/sound-15.0.patch.asc | 17 + .../security/patches/SA-26:27/sound-15.1.patch | 369 + .../security/patches/SA-26:27/sound-15.1.patch.asc | 17 + .../security/patches/SA-26:28/capsicum-14.patch | 47 + .../patches/SA-26:28/capsicum-14.patch.asc | 17 + .../security/patches/SA-26:28/capsicum-15.0.patch | 47 + .../patches/SA-26:28/capsicum-15.0.patch.asc | 17 + .../security/patches/SA-26:28/capsicum-15.1.patch | 47 + .../patches/SA-26:28/capsicum-15.1.patch.asc | 17 + .../patches/SA-26:29/ip6_multicast-14.patch | 188 + .../patches/SA-26:29/ip6_multicast-14.patch.asc | 17 + .../patches/SA-26:29/ip6_multicast-15.0.patch | 188 + .../patches/SA-26:29/ip6_multicast-15.0.patch.asc | 17 + .../patches/SA-26:29/ip6_multicast-15.1.patch | 189 + .../patches/SA-26:29/ip6_multicast-15.1.patch.asc | 17 + .../static/security/patches/SA-26:30/linux.patch | 15 + .../security/patches/SA-26:30/linux.patch.asc | 17 + .../security/patches/SA-26:31/arm64-14.3.patch | 179 + .../security/patches/SA-26:31/arm64-14.3.patch.asc | 17 + .../security/patches/SA-26:31/arm64-14.4.patch | 74 + .../security/patches/SA-26:31/arm64-14.4.patch.asc | 17 + .../security/patches/SA-26:31/arm64-15.patch | 74 + .../security/patches/SA-26:31/arm64-15.patch.asc | 17 + .../security/patches/SA-26:32/elf-14.3.patch | 254 + .../security/patches/SA-26:32/elf-14.3.patch.asc | 17 + .../security/patches/SA-26:32/elf-14.4.patch | 254 + .../security/patches/SA-26:32/elf-14.4.patch.asc | 17 + .../static/security/patches/SA-26:32/elf-15.patch | 254 + .../security/patches/SA-26:32/elf-15.patch.asc | 17 + .../static/security/patches/SA-26:33/unbound.patch | 642 + .../security/patches/SA-26:33/unbound.patch.asc | 17 + 
website/static/security/patches/SA-26:34/vt.patch | 47 + .../static/security/patches/SA-26:34/vt.patch.asc | 17 + .../security/patches/SA-26:35/openssl-14.patch | 626 + .../security/patches/SA-26:35/openssl-14.patch.asc | 17 + .../security/patches/SA-26:35/openssl-15.patch | 1065 + .../security/patches/SA-26:35/openssl-15.patch.asc | 17 + .../static/security/patches/SA-26:36/ldns.patch | 188 + .../security/patches/SA-26:36/ldns.patch.asc | 17 + 72 files changed, 1859534 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 1a44fe400f..6558eefda7 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,54 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-26:36.ldns"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:35.openssl"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:34.vt"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:33.unbound"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:32.elf"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:31.arm64"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:30.linux"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:29.ip6_multicast"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:28.capsicum"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:27.sound"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:26.ktls"
+date = "2026-06-09"
+
+[[advisories]]
+name = "FreeBSD-SA-26:25.thr"
+date = "2026-06-09"
+
 [[advisories]]
 name = "FreeBSD-SA-26:24.cap_net"
 date = "2026-05-20"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 6cb37b7b15..3ecb2721f7 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,14 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-26:15.openssl"
+date = "2026-06-09"
+
+[[notices]]
+name = "FreeBSD-EN-26:14.syslogd"
+date = "2026-06-09"
+
 [[notices]]
 name = "FreeBSD-EN-26:13.freebsd-update"
 date = "2026-05-20"
diff --git a/website/static/security/advisories/FreeBSD-EN-26:14.syslogd.asc b/website/static/security/advisories/FreeBSD-EN-26:14.syslogd.asc
new file mode 100644
index 0000000000..ac172fdfde
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:14.syslogd.asc
@@ -0,0 +1,151 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:14.syslogd Errata Notice
+ The FreeBSD Project
+
+Topic: syslogd(8) memory leak in casper_ttymsg()
+
+Category: core
+Module: syslogd
+Announced: 2026-06-09
+Affects: FreeBSD 15.0 and later
+Corrected: 2026-05-26 20:41:22 UTC (stable/15, 15.1-STABLE)
+ 2026-05-28 22:16:09 UTC (releng/15.1, 15.1-RC2)
+ 2026-06-09 19:19:32 UTC (releng/15.0, 15.0-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+syslogd(8) is the system log daemon, responsible for receiving log messages
+from the kernel and from userland programs and dispatching them according to
+syslog.conf(5). It can be configured to log messages to a system console or
+to logged-in users' TTYs.
+
+As of FreeBSD 15.0, syslogd runs in a Capsicum sandbox, and delegates the
+actual writing of console messages to a libcasper(3) service.
+
+II. Problem Description
+
+When delivering a message to the console or to a terminal, the libcasper
+service retrieved the message text with nvlist_take_string_array(9), which
+transfers ownership of the array and its strings to the caller. The
+casper_ttymsg() and casper_wallmsg() functions never freed them, leaking
+memory on every message routed to the console or a terminal.
+
+III. Impact
+
+On long-running systems that emit a steady stream of log messages routed to
+/dev/console or to user terminals, the resident size of syslogd.casper
+helper process grows without bound. This may eventually lead to memory
+pressure, including swap usage, or process termination by the out-of-memory
+killer. syslogd itself continues to function.
+
+IV. Workaround
+
+Periodically restarting syslogd will reclaim leaked memory. Systems that do
+not direct syslog output to /dev/console, terminals, or wall destinations
+are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# service syslogd restart
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# service syslogd restart
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-26:14/syslogd.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:14/syslogd.patch.asc
+# gpg --verify syslogd.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart syslogd(8), or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ be03b0fb2241 stable/15-n283693
+releng/15.1/ d51d91b07f5b releng/15.1-n283540
+releng/15.0/ 998de2d14e25 releng/15.0-n281049
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295488>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:14.syslogd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiS0bFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvi2gQAMf5aER4RND+DWh7qbbQ
+ZuQwejCwW1MeX/oex0TAD8tvGgaBXOztAMMPQ4KRyrzjIYeo5+NpWAYlhqiAOOKE
+DCctvWY2hMylj5NNV2etV4QpK0h2R4ZTRj2gnWhYIr/PkzRmaJu9tc3dOH5DQSQZ
+WZTwo+Wu/vcAnevgIe4cOPI07YdZjl6bGlOo8q0qBaJ1xKk5NbY3Se9IJX3pCf31
+KODaPY1Py9EuYyW1HoDfrZV7V0iV3X51lgLNmHa2l8Z2cFD/U7Xsk08wU/vtcY0o
+la+hvXwMjzHrtie6a2FNV2twyH534B/2ye5Olsf/QnI+g6mEKr3Xif9tt5fYQHXW
+Lku+Auc3Hy1d1vK5MUOUpf53SEtvLFkISBAAFIT5x/4kC9W+Kjvl7vspSw+2whuM
+S4iLfBbx3DN9aHCNvL1rnkTvn9H7/nOtiaJ5SHBXmtWyYDS/ZptBuzq8L0NaLRfp
+lHoSCwND6HXQNZZi3QGVctthFg24ZJoxZOZrx7cDHIphtf/AHMlYkpIPZMaCuiBa
+Pw0B/m03VBFYgHCyXlKjQ1EKbAHpS3/pNv5EtCnAAWPNGNoiAjQDa5CnUg0nlz3d
+wI+qXBAAM7dUndhvs10/ta/n15Dn6hf89Eojx4SDvPWWAmvtmhd0dDn7kIRDVzVf
+2nqvCHY/6icyLLm3vbwjwgv5
+=nmHp
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc b/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc
new file mode 100644
index 0000000000..f3bb91d1b7
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc
@@ -0,0 +1,188 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:15.openssl Errata Notice
+ The FreeBSD Project
+
+Topic: Update OpenSSL to 3.0.20 and 3.5.6
+
+Category: contrib
+Module: openssl
+Announced: 2026-06-09
+Affects: All supported versions of FreeBSD.
+Corrected: 2026-04-12 02:15:10 UTC (stable/15, 15.0-STABLE)
+ 2026-06-09 19:19:33 UTC (releng/15.0, 15.0-RELEASE-p10)
+ 2026-04-13 00:12:11 UTC (stable/14, 14.4-STABLE)
+ 2026-06-09 19:18:58 UTC (releng/14.4, 14.4-RELEASE-p6)
+ 2026-06-09 19:18:25 UTC (releng/14.3, 14.3-RELEASE-p15)
+CVE Name: CVE-2026-2673, CVE-2026-28387, CVE-2026-28388,
+ CVE-2026-28389, CVE-2026-31789, CVE-2026-31790
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
+also a general-purpose cryptography library.
+
+II. Problem Description
+
+The OpenSSL releases included with the affected FreeBSD versions predate
+OpenSSL 3.0.20 (FreeBSD 14) and 3.5.6 (FreeBSD 15). This update imports the
+current upstream point release on each branch. The import resolves several
+issues affecting different OpenSSL versions, and therefore different FreeBSD
+versions. Instead of listing detailed writeups for each issue, please see
+the referenced advisory from OpenSSL.
+
+Issues affecting FreeBSD 15 (OpenSSL 3.5):
+ CVE-2026-2673 - DEFAULT keyword corrupts the key-agreement group list
+ CVE-2026-28387 - Possible use-after-free in DANE client code
+ CVE-2026-28388 - NULL dereference when processing a delta CRL
+ CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo
+ CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion
+ CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo
+
+Issues affecting FreeBSD 14 (OpenSSL 3.0):
+ CVE-2026-28387 - Possible use-after-free in DANE client code
+ CVE-2026-28388 - NULL dereference when processing a delta CRL
+ CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo
+ CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion
+ CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo
+
+III. Impact
+
+The issues include missing input validation, NULL pointer dereferences, a
+use-after-free, and a heap buffer overflow. Impact is generally limited
+to a crash and a Denial of Service. See the OpenSSL advisory for specific
+details.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. A reboot is required
+following the upgrade to ensure that all applications and kernel code are
+rebuilt with the updated OpenSSL-provided code.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for an erratum fix"
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum fix"
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch.asc
+# gpg --verify openssl-15.0.patch.asc
+
+[FreeBSD 14.4]
+# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch.asc
+# gpg --verify openssl-14.4.patch.asc
+
+[FreeBSD 14.3]
+# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch.asc
+# gpg --verify openssl-14.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ 51a80be04fe6 stable/15-n282933
+releng/15.0/ 0f6e90c4cc4f releng/15.0-n281050
+stable/14/ 27ac9d336f71 stable/14-n273945
+releng/14.4/ 1bfe60bae8b8 releng/14.4-n273712
+releng/14.3/ d95a8c20f3bc releng/14.3-n271512
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<XX confirm the OpenSSL advisory URL/date before release>
+<URL:https://openssl-library.org/news/secadv/20260407.txt>
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-2673>
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-28387>
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-28388>
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-28389>
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-31789>
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-31790>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:15.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiTUbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7GgP/Rlmd7bwJWjqt05Rdw+u
+QEJnicVJ4PaoXKlDOxyZ5e8N24tV2MImhgxb1lIS0EluYSVYw8dN0jMymgAK0qxJ
+W0UfgE05tOvEncUmAM62Rm+aQCljP9xu65CNcYkP4JJ3Rx+ebPugi6hbXwH4jlgG
+PIL1E0WJrOQhC/ZhJ79kU4yRTy5Lo1CRNQ54z+84nV81xWiKDrHoGlFzcr491xZv
+E+MysddGPq8o/YhuAR0aG/dokUbNsdBpak0zzXTAPQxCHO/MmnTRg3I+iWIhyTkp
+y+vq10xqZaZVOmumlsn6hbyDTcCyWP6uFwvk2KS0xLW1JU+PjYPmo9yJF64HD0ic
+IWEW2GQ1wCk0N/JKoUZIkW+Xnz2dOZtpYm05hgJyqaNcyUqZ1rHUpE2nTkgUlGMk
+NX+kroBqwqEy/+UZUa6b2B5sWDw/sOe7q08moso8ayXgM3/cvVpxh7x0o2SUC0jq
+IZd7y5HvvNqVnhAapSFFiQQ2LZNohcR5z8QSLf+ksr20nh+4841dSEry6s9iZxMD
+EMtx2JmFfLhsEOAyG4EoKHJnSIIcpDScqhT1xBpZLzceiOhKRWR34/TBcnkku+aR
+/zehcFDZjHFkmh1ZSrzzFSLB6Ph1VUjT32jhetfcjCeYgY8J0AmCJb6HZVVNLTRl
+Av4Oox3d6umxDz3LWggvJqNU
+=jdTF
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:25.thr.asc b/website/static/security/advisories/FreeBSD-SA-26:25.thr.asc
new file mode 100644
index 0000000000..95dd443d22
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:25.thr.asc
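Review bot: The References section of FreeBSD-EN-26:15.openssl.asc still carries the editorial placeholder `<XX confirm the OpenSSL advisory URL/date before release>` directly above the OpenSSL advisory URL, so an unresolved pre-release check is published inside the cleartext-signed body. Because that line is covered by the PGP signature, it cannot simply be deleted in place: the URL and date need to be confirmed, the placeholder line dropped, and the notice re-signed and re-issued as a revision. Separately, the notice lists a use-after-free and a heap buffer overflow while describing impact as "generally limited to a crash"; a one-line pointer saying how this erratum relates to FreeBSD-SA-26:35.openssl (added in the same commit, text not visible here) would help operators triaging both.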
@@ -0,0 +1,163 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:25.thr Security Advisory
+ The FreeBSD Project
+
+Topic: Missing permission check in thr_kill2(2)
+
+Category: core
+Module: thr
+Announced: 2026-06-09
+Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
+ and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
+Credits: Igor Gabriel Sousa e Souza
+Affects: All supported versions of FreeBSD
+Corrected: 2026-06-09 19:17:27 UTC (stable/15, 15.1-STABLE)
+ 2026-06-09 19:20:05 UTC (releng/15.1, 15.1-RC3-p1)
+ 2026-06-09 19:19:42 UTC (releng/15.0, 15.0-RELEASE-p10)
+ 2026-06-09 19:17:45 UTC (stable/14, 14.4-STABLE)
+ 2026-06-09 19:19:04 UTC (releng/14.4, 14.4-RELEASE-p6)
+ 2026-06-09 19:18:34 UTC (releng/14.3, 14.3-RELEASE-p15)
+CVE Name: CVE-2026-45256
+
+This vulnerability was independently reported by multiple parties prior to
+publication.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The thr_kill2(2) system call delivers a signal to a specific thread of a
+process identified by its process and thread IDs. As with kill(2), the
+kernel verifies that the calling process is permitted to signal the target
+before the signal is delivered.
+
+II. Problem Description
+
+When used to deliver a signal to a specific thread, thr_kill2(2) called
+p_cansignal() to determine whether the operation was permitted but did not
+check the result before delivering the signal. The signal was sent even
+when the permission check failed. The system call returned the resulting
+error to the caller, but by then the signal had already been delivered.
+
+III. Impact
+
+The missing check allows an unprivileged local user who knows or can guess a
+target's process and thread IDs to send any signal to a process they would
+not normally be permitted to signal, including processes owned by other
+users or by root. The same check enforces jail boundaries, so a jailed
+process can signal processes on the host or in other jails. Thread IDs are
+allocated globally and sequentially, and so can be discovered by brute force
+with no visibility into the target.
+
+An attacker can stop or terminate arbitrary processes, including critical
+system daemons, resulting in a Denial of Service (DoS).
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:25/thr.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:25/thr.patch.asc
+# gpg --verify thr.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ afa0c67a1ba3 stable/15-n283881
+releng/15.1/ 068168fefd4b releng/15.1-n283549
+releng/15.0/ 6f6c7b996719 releng/15.0-n281051
+stable/14/ 72ad7baa99c7 stable/14-n274310
+releng/14.4/ 31f6086db8fe releng/14.4-n273713
+releng/14.3/ fa5581c379fe releng/14.3-n271513
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-45256>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:25.thr.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiUobFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvHNUQAMEmYLwDsVIj73SAnWE4
+PN3KAVFvybeK4R4xYPiwPDtOrdV6HEb4G9O9VgZAomMzE9U7OIZVbXSjKdnEc4Ud
+/54Kg0VlURUCUxncndeBVnT56IzXf9uuT1HuAcSoyN2dDZedAGFbtIrg2YJvPyWL
+oOe1TyRrj03sP8VnznCZZsPYIqUb7UopdFHaVv2qONdlC0OSnODWiqeRJ8Z38tCd
+918AbxTarEKwv5Qx8kV2mvvXIAaK1f6K7l2KqFGdp8HCf5C/plBd7vv6SEVvQhDj
+8D6c1Syc/rUTkn6bmeLFinaPxK7OB1oS/Z+7DwJrjlusAhSKbBFcesE2hHYzxEhP
+8rmevDJPMNZbouvuC4aJeDSKvGd5eUL+5Rt/EIijBsrlzZv1g/glllbTc/7+g3um
+aGP9c4BCDUJVjWxui5ACqR9pe2LWQwDtA7YbukXZqkH0M2OroxLRWWCyOLrAlela
+Eilf64XI6KliSMR+rAL6dmPLxFXVMpJXRKxJmUK3FXDi+Vm0bGaeRwCz49Ts+6XV
+oU7MRQG/F1w+lZRkS2XQ6YJTv4DBiDAofl7i0Rcjlq1JbWxBjpF8ArZX5VqSSi1y
+bOkum8QekuU/sbBIij7JyiEPx2r0ICm/pGXDYnxYuwd0+48orpu9uB6M0gKYEe6D
+mYgtjqeBtUCJwPKOzr36faXQ
+=rFeT
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:26.ktls.asc b/website/static/security/advisories/FreeBSD-SA-26:26.ktls.asc
new file mode 100644
index 0000000000..65c2adcd14
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:26.ktls.asc
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:26.ktls Security Advisory
+ The FreeBSD Project
+
+Topic: Arbitrary file overwrite via the KTLS receive path
+
+Category: core
+Module: ktls
+Announced: 2026-06-09
+Credits: Bumsrakete
+Affects: All supported versions of FreeBSD
+Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
+ 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
+ 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
+ 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
+ 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
+ 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
+CVE Name: CVE-2026-45257
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
+into the kernel, allowing applications to encrypt and decrypt socket data
+without copying it to and from userspace and to serve TLS data with
+sendfile(2). When a connection uses software KTLS on the receive path,
+the kernel decrypts each incoming TLS record in place within the socket
+buffer.
+
+II. Problem Description
+
+The KTLS receive path decrypted each record in place, assuming that the
+mbufs holding received data were anonymous and safe to modify. This
+assumption does not hold for data placed on a socket by sendfile(2),
+which can reference file-backed memory directly through non-anonymous
+M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data
+over a loopback connection without enabling KTLS on the transmit side,
+the file-backed mbufs reach the receiver's decryption path unchanged.
+Decrypting a record in place then overwrites the backing file's page
+cache instead of a private copy of the data.
+
+III. Impact
+
+An unprivileged local user who can read a file can overwrite its
+contents with data of their choosing by sending the file over a loopback
+connection on which they have enabled KTLS receive. The write modifies
+the page cache directly, so it bypasses file flags such as schg and is
+written back to disk. By overwriting a setuid binary or other trusted
+file, a local user can escalate privileges, potentially gaining full
+control of the affected system.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
+# gpg --verify ktls.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ a51345704403 stable/15-n283882
+releng/15.1/ 48c1c5e3c348 releng/15.1-n283550
+releng/15.0/ 540a315cdb46 releng/15.0-n281052
+stable/14/ 333bdd7e9427 stable/14-n274311
+releng/14.4/ d43259dd66b3 releng/14.4-n273714
+releng/14.3/ af3398862ac0 releng/14.3-n271514
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiUwbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv6hQP/3x8lGHZpLeT8PjB5NMF
+xCfwzKQlu5vlkOqSv+9uEGsh3FQa9gHE/68SwZYa01waeFbTSKpBvrf1X4kRKGnE
+r3z8DSAPnVqSRzp4k0PNTxPLtF09FfWiMEBA+PIedL91WkG24gQ63k3fORVjkSvs
+a/uY1DQnmypV2mdV/S/hWmrtVCmi5itZKsVedZFoZHZ04GKwIObMoqXgtbUxdfhJ
+XvjSCqGgvpsUPVpE72nKYAbbL81w344tNOGtjoC07utitkLoHtMlYqMTfXCv0dY7
+Oo3RZ408afAl1CalUdZ64KXJWqjCZt3FWxtn4ugZkewLc3cDyO5Y2ZUDMAb71P/V
+Sdq6+GRIC5wMOmd2C2Wb4C72FODhh4o4+n/E7qeIojT5jozWNFAFN0ugzNcqzuM9
+b8ekwLWK9MbtjZWF1A0OhsLqQoYuBcwX4RymVJCfpEnlPEDwaf0fv/Sx/OyU9MBx
+zbT/Thqa9cB++4U6Obodcj55mXM9p23b9OpEnSD5FKlhxXPxCYW5gc2mK4k+yoKd
+5ZCzzcdzbMoNgqyHnvrBgFGMsPggXJxaidsRFtVSb9E1GWQUweyN9hR10Gr8wX5j
+QL18EHe3Lcgg2Z+mi8NQ8lrqPoGpTIjZ8enEYHLrILe/p8JMjNU5fe+YqQTE0tyD
+pWQqqx8AYbHJsnCDELTeqt96
+=lD4w
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:27.sound.asc b/website/static/security/advisories/FreeBSD-SA-26:27.sound.asc
new file mode 100644
index 0000000000..14595411b0
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:27.sound.asc
@@ -0,0 +1,186 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:27.sound Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in the sound(4) mmap path
+
+Category: core
+Module: sound
+Announced: 2026-06-09
+Credits: Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258)
+Credits: Emmanuel Genier from Quarkslab (CVE-2026-45258)
+Credits: Hazley Samsudin of GovTech CSG (CVE-2026-45258)
+Credits: Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417)
+Affects: All supported versions of FreeBSD.
+Corrected: 2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE)
+ 2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1)
+ 2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10)
+ 2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE)
+ 2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6)
+ 2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15)
+CVE Name: CVE-2026-45258, CVE-2026-49417
+
+CVE-2026-45258 was independently reported by multiple parties prior to
+publication.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD provides audio support through the sound(4) driver, which presents
+each audio device as a set of character device nodes such as /dev/dsp.
+Applications can use mmap(2) on these devices to map a channel's audio
+buffer directly into their address space.
+
+II. Problem Description
+
+The sound(4) driver contained two memory-safety errors in its mmap(2)
+support.
+
+First, dsp_mmap_single() validated the requested mapping by checking the
+sum of the user-supplied offset and length against the buffer size. This
+addition could overflow, so that a large offset and length wrapped around
+and passed the check.
The offset was then narrowed from 64 to 32 bits when
+converted to a buffer address, yielding a mapping that extended past the
+audio buffer into unrelated kernel memory. (CVE-2026-45258)
+
+Second, the audio buffer backing a mapping could be freed when the device
+was closed even though the mapping remained valid. The freed memory could
+then be reused elsewhere while still accessible through the stale mapping.
+(CVE-2026-49417)
+
+III. Impact
+
+The /dev/dsp device nodes are world-accessible by default. On a system
+with an audio device, either issue allows an unprivileged local user to
+read and write kernel memory, which can be used to escalate privileges,
+potentially gaining full control of the affected system. At a minimum, an
+attacker can crash the kernel, resulting in a Denial of Service (DoS).
+
+IV. Workaround
+
+No workaround is available. Systems with no sound devices are unaffected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.1]
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc
+# gpg --verify sound-15.1.patch.asc
+
+[FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc
+# gpg --verify sound-15.0.patch.asc
+
+[FreeBSD 14.4]
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc
+# gpg --verify sound-14.4.patch.asc
+
+[FreeBSD 14.3]
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc
+# gpg --verify sound-14.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
*** 1859077 LINES SKIPPED ***home | help
