From nobody Tue Oct 29 21:33:02 2024
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:19.fetch
Reply-To: freebsd-security@freebsd.org
Message-Id: <20241029213302.21C869406@freefall.freebsd.org>
Date: Tue, 29 Oct 2024 21:33:02 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:19.fetch                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Certificate revocation list fetch(1) option fails

Category:       core
Module:         fetch
Announced:      2024-10-29
Credits:        Franco Fichtner
Affects:        All supported versions of FreeBSD.
Corrected:      2024-10-09 11:49:32 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:57:00 UTC (releng/14.1, 14.1-RELEASE-p6)
                2024-10-09 11:50:06 UTC (stable/13, 13.4-STABLE)
                2024-10-29 18:57:13 UTC (releng/13.4, 13.4-RELEASE-p2)
                2024-10-29 18:57:30 UTC (releng/13.3, 13.3-RELEASE-p8)
CVE Name:       CVE-2024-45289

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

fetch(1) is a utility used to retrieve files from URLs specified on the
command line. It supports a --crl option naming a certificate revocation
list (CRL) file, in PEM format, that lists peer certificates which have
been revoked.

II.  Problem Description

The fetch(3) library (libfetch) takes certain settings, including the
pathname of the revocation file, from environment variables. fetch(1) set
the wrong environment variable name when passing the --crl filename to the
library, so the library never saw the CRL and the option was silently
ignored.

III. Impact

fetch(1) invoked with --crl would still connect to, and retrieve data from,
a host presenting a certificate listed in the revocation file, exactly as if
no CRL had been supplied.

IV.  Workaround

Specify the certificate revocation list through the SSL_CRL_FILE environment
variable, which fetch(3) reads directly, rather than through the --crl option
of fetch(1).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch
# fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch.asc
# gpg --verify fetch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              51676e0a3bd3    stable/14-n269041
releng/14.1/                            0e8bf366e6c5  releng/14.1-n267725
stable/13/                              484724578422    stable/13-n258502
releng/13.4/                            51f6c450d991  releng/13.4-n258267
releng/13.3/                            9f1314a30b4a  releng/13.3-n257477
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII.
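The impact in section III and the workaround in section IV, as an added shell example that is not part of the advisory or of FreeBSD's fetch(1) code: a wrapper that hands the CRL to libfetch through SSL_CRL_FILE (the variable the workaround names) while still passing --crl, and a probe that reports whether the installed fetch(1) honours --crl. The probe relies on an assumption the advisory does not state: that a fetch which really passes the CRL to libfetch aborts the connection when the --crl file cannot be loaded, so a download that still succeeds with an unloadable CRL means the option was ignored. FETCH_BIN, is_pem_crl, crl_fetch and probe_crl_option are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of FreeBSD's fetch(1):
# apply the SSL_CRL_FILE workaround from section IV and probe whether the
# installed fetch(1) honours --crl. FETCH_BIN may be overridden; it defaults
# to the base-system fetch.
: "${FETCH_BIN:=/usr/bin/fetch}"

# is_pem_crl FILE: 0 if FILE is readable and looks like a PEM CRL, else 1.
is_pem_crl() {
    [ -r "$1" ] && grep -q '^-----BEGIN X509 CRL-----' "$1"
}

# crl_fetch CRLFILE URL [fetch options...]
# Hands the revocation list to libfetch directly through SSL_CRL_FILE (the
# variable the advisory's workaround names) and also passes --crl, so the
# CRL is enforced on both unfixed and fixed systems.
crl_fetch() {
    crl=$1; shift
    if ! is_pem_crl "$crl"; then
        echo "crl_fetch: $crl is not a readable PEM CRL" >&2
        return 2
    fi
    SSL_CRL_FILE=$crl "$FETCH_BIN" --crl="$crl" "$@"
}

# probe_crl_option URL
# First confirms URL is reachable at all, then repeats the fetch with --crl
# pointing at a path that does not exist. Assumption (not stated in the
# advisory): a fetch that really passes the CRL to libfetch fails when the
# file cannot be loaded, so a download that still succeeds means --crl was
# ignored. Returns 0 if --crl is honoured, 1 if ignored, 2 if inconclusive.
probe_crl_option() {
    url=$1
    bogus=/nonexistent/sa-24-19-probe.crl
    if ! "$FETCH_BIN" -q -o /dev/null "$url" 2>/dev/null; then
        echo "INCONCLUSIVE: could not fetch $url even without --crl"
        return 2
    fi
    if "$FETCH_BIN" -q --crl="$bogus" -o /dev/null "$url" 2>/dev/null; then
        echo "VULNERABLE: fetch connected despite an unloadable --crl file"
        return 1
    fi
    echo "OK: fetch rejected the unloadable --crl file"
    return 0
}
```

Run probe_crl_option against any HTTPS URL the host can normally reach: an unpatched fetch prints VULNERABLE, a patched one prints OK. crl_fetch is safe to keep using after the update, since SSL_CRL_FILE and --crl then refer to the same thing.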
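To check whether a system is already past the correction points given in the Corrected field and in section VI, here is an added shell example that is not part of the advisory: it compares freebsd-version -u output against the corrected patch levels for binary-updated systems, and the value of git rev-list --count --first-parent HEAD against the nNNNNNN commit counts for source-built systems. The function names, the check_system wrapper and its assumption that the local branch in /usr/src is named like the upstream branch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: tell whether a system already
# carries the SA-24:19 fix, using the patch levels from "Corrected" and the
# commit counts from "Correction details". Function and variable names are
# this example's own.

# fixed_release VERSION
# VERSION is what "freebsd-version -u" prints, e.g. 14.1-RELEASE-p5.
# Returns 0 if at or past the corrected patch level, 1 if older, 2 if the
# string is not a -RELEASE the advisory lists (STABLE systems use git).
fixed_release() {
    case $1 in *-RELEASE*) ;; *) return 2 ;; esac
    rel=${1%%-*}                 # "14.1"
    pl=${1##*-p}                 # "5"; a bare -RELEASE is patch level 0
    case $1 in *-p[0-9]*) ;; *) pl=0 ;; esac
    case $rel in
        14.1) need=6 ;;   # 14.1-RELEASE-p6
        13.4) need=2 ;;   # 13.4-RELEASE-p2
        13.3) need=8 ;;   # 13.3-RELEASE-p8
        *)    return 2 ;;
    esac
    [ "$pl" -ge "$need" ]
}

# fixed_source BRANCH COUNT
# BRANCH is the checked-out src branch and COUNT the output of
# "git rev-list --count --first-parent HEAD" in that tree. Returns 0 if COUNT
# reaches the corrected n-number, 1 if not, 2 for an unlisted branch or a
# non-numeric count.
fixed_source() {
    case $2 in ''|*[!0-9]*) return 2 ;; esac
    case $1 in
        stable/14)   need=269041 ;;   # stable/14-n269041
        releng/14.1) need=267725 ;;   # releng/14.1-n267725
        stable/13)   need=258502 ;;   # stable/13-n258502
        releng/13.4) need=258267 ;;   # releng/13.4-n258267
        releng/13.3) need=257477 ;;   # releng/13.3-n257477
        *)           return 2 ;;
    esac
    [ "$2" -ge "$need" ]
}

# check_system: on a live host, prefer the source tree when it is a git
# checkout (assumes the local branch is named like the upstream one),
# otherwise fall back to the installed userland version.
check_system() {
    if [ -d /usr/src/.git ]; then
        fixed_source "$(git -C /usr/src rev-parse --abbrev-ref HEAD)" \
                     "$(git -C /usr/src rev-list --count --first-parent HEAD)"
    else
        fixed_release "$(freebsd-version -u)"
    fi
}
```

A commit count at or above the table's n-number only shows that the tree contains the fix; the running system is fixed once that tree has been built and installed, which is why freebsd-version -u (the installed userland) is the better signal on binary-updated hosts.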
References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCkACgkQbljekB8A
Gu/0RQ//fm2B2XPZPiGADBhuNeC8NsVwFqzNh/Nrxj2bUCel44kU4yGRZ0jADOD+
URW+0LDs+rOhIV2cw6fZDUwN+/dblFjZiKpQHJF42A1M90hNRfPArbCh6X2h8EAq
C4Kr6M6tUByfMX2Hf0aj/QNVrar/hirNhM8ZwDXVMxDj+aBSHSUqZCzfgeTy4/nn
9DJKOaxJ6WKE9OmAEUhSNoPF6AP+ZzU0aOQCs9tUn+OqKDTxLwn0vXSTPaPw4FcR
YYYIeiIKpqLhZxPhDnLh/Z/J4AleXPLZeL8VFKemopYk5Fi6HOG/f8UjC/GYoFp/
eHlEY7H1/aRUYJ6FWm4p/cGfxdJOWmkcJax6VQwBNKX23bEzQh9+4RlnE5cPbAio
w4XeQybgitic/NeKhI8Jt/aFnVQah2i+O/PQRFCsDDVJGqRnjVw7+6Zvl4zEDoTP
Xx96PXGCW3UZyNgqDo2jgZman1P5GLKtZg6FmGKlc/IrqijVnWfh06fI5nZ7Bo1z
b8DiCGSQ/W2cL+d2ILj0illAU9g7JO3MDJOl/lchSUTg4XLUI+G201HaR9wRxSo0
SXYq23CG4Nll6b8tdC6EEnOoc4RgyQIJv+N/oML8enJ15x7teXG+JlWIf0rM2qkf
Bxn8hBawdfshzuIkLf2X0J6rm8MBj/s9O3j87oD1C37dqp+E4Uo=
=CEwj
-----END PGP SIGNATURE-----