Date: Wed, 17 Dec 2025 00:34:28 +0000 From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 3285cfd2ac - main - Add EN-25:19, EN-25:20, SA-25:11, and SA-25:12. Message-ID: <6941fa94.2687a.6d355598@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=3285cfd2ac60b7a0c77b956a716d622fde23d341 commit 3285cfd2ac60b7a0c77b956a716d622fde23d341 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2025-12-17 00:33:36 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2025-12-17 00:33:36 +0000 Add EN-25:19, EN-25:20, SA-25:11, and SA-25:12. Approved by: so --- website/data/security/advisories.toml | 8 ++ website/data/security/errata.toml | 8 ++ .../security/advisories/FreeBSD-EN-25:19.zfs.asc | 124 ++++++++++++++++++ .../security/advisories/FreeBSD-EN-25:20.vmm.asc | 129 ++++++++++++++++++ .../security/advisories/FreeBSD-SA-25:11.ipfw.asc | 143 ++++++++++++++++++++ .../advisories/FreeBSD-SA-25:12.rtsold.asc | 145 +++++++++++++++++++++ website/static/security/patches/EN-25:19/zfs.patch | 11 ++ .../static/security/patches/EN-25:19/zfs.patch.asc | 16 +++ website/static/security/patches/EN-25:20/vmm.patch | 28 ++++ .../static/security/patches/EN-25:20/vmm.patch.asc | 16 +++ .../static/security/patches/SA-25:11/ipfw-13.patch | 85 ++++++++++++ .../security/patches/SA-25:11/ipfw-13.patch.asc | 16 +++ .../static/security/patches/SA-25:11/ipfw-14.patch | 85 ++++++++++++ .../security/patches/SA-25:11/ipfw-14.patch.asc | 16 +++ .../static/security/patches/SA-25:12/rtsold.patch | 62 +++++++++ .../security/patches/SA-25:12/rtsold.patch.asc | 16 +++ 16 files changed, 908 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index f792f093d3..2a35d25d09 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-25:12.rtsold" +date = "2025-12-16" + +[[advisories]] +name = "FreeBSD-SA-25:11.ipfw" +date = "2025-12-16" + [[advisories]] name = "FreeBSD-SA-25:10.unbound" date = "2025-11-26" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 8240585f03..d726df571c 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,14 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-25:20.vmm" +date = "2025-12-16" + +[[notices]] +name = "FreeBSD-EN-25:19.zfs" +date = "2025-12-16" + [[notices]] name = "FreeBSD-EN-25:18.freebsd-update" date = "2025-09-30" diff --git a/website/static/security/advisories/FreeBSD-EN-25:19.zfs.asc b/website/static/security/advisories/FreeBSD-EN-25:19.zfs.asc new file mode 100644 index 0000000000..1685af0160 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:19.zfs.asc @@ -0,0 +1,124 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:19.zfs Errata Notice + The FreeBSD Project + +Topic: Unprivileged kernel NULL pointer dereference + +Category: contrib +Module: openzfs +Announced: 2025-12-16 +Credits: Collin Funk +Affects: FreeBSD 15.0 +Corrected: 2025-12-15 14:16:12 UTC (stable/15, 15.0-STABLE) + 2025-12-16 23:42:59 UTC (releng/15.0, 15.0-RELEASE-p1) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is an advanced and scalable file system that is commonly used on FreeBSD. + +II. Problem Description + +Invoking the fsync(2) system call on a named pipe will trigger a NULL pointer +dereference in the kernel, causing a system panic. + +III. Impact + +A malicious, unprivileged user may be able to panic the system. + +Software which attempts to fsync a named pipe may inadvertently panic the +system. + +IV. Workaround + +No workaround is available. Systems not using ZFS are unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:19/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-25:19/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ d988a0c1fc4c stable/15-n281511 +releng/15.0/ ff6b9c7c1c34 releng/15.0-n280996 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:19.zfs.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+bIACgkQbljekB8A +Gu8e+hAA1P5avUtCSkV+8EtFRP06yMwe/Lq79Q/pKZPPznhweJYx2tiEey7qfUEA +7QT8aE8EgOCaaVs159Jn5c3RmQUeV9k+CKWxGbMuThfQJTX/ytmVdQX9tbTyfet1 +o6zZmvRViWR+GpArtCDrjapV5luvvW4DqFN0wBhqAN4PK4GUG/77kbWeeRGGNcNF +2hzjrqUsi7vQ4CrhYYJH01PKIOW7V4HySzodPKSD24/LxILRY/XAA5y3n1gLeZ/i +G8JWIjX3bhKrmyHlL+bOCPcUpJEC3CD//CtisGQX0UsOrRbR6nZrDVpIXGnrW9kM +qUZvwjd731sTmab/ZyKcqoJ5cOwe1fBHgB/uK7H8DLzUCijiUS2+m+X5U6ncggFW +qsFpdW2rEUWDoc1n1qkFpIbkQqXZKiEaX5C1MFcQvRv/5nkXszHMVSKuhuamC6xc +Or7GXnxSVsTLS0H5ASg5aY65KsiJdDJI/4I6VSv7BIzJrZGXA/eH0G5+lAyU7rfd +vZ67vtT+Gvz2Hof8oFwUL/6ID2v/RLKG9+wIx5m2HB6DsdxqB/UCpAVV5yh2FIt9 +OUODbFKIGQMtBL1pUhqxAIOzbJfAxcZfR11+2MuQWIkEXVMHWu86mRjxrQd33c10 +HET/1kMnGTZBbi77QM9eQvLqxfXRhRslquITHWz6XE+QN4hu44o= +=o0ys +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:20.vmm.asc b/website/static/security/advisories/FreeBSD-EN-25:20.vmm.asc new file mode 100644 index 0000000000..b7a8736f14 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:20.vmm.asc @@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:20.vmm Errata Notice + The FreeBSD Project + +Topic: bhyve(8) PCI passthru regression + +Category: core +Module: vmm +Announced: 2025-12-16 +Affects: FreeBSD 15.0 +Corrected: 2025-12-15 15:47:23 UTC (stable/15, 15.0-STABLE) + 2025-12-16 23:43:00 UTC (releng/15.0, 15.0-RELEASE-p1) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +vmm(4) is a kernel module which provides an interface to hardware +virtualization capabilities. It is the kernel-side counterpart to bhyve(8). + +PCI passthru is a feature of bhyve(8) on amd64 which allows a PCIe device, such +as a network interface or GPU, to be effectively detached from the host system +and passed directly into a guest virtual machine, allowing the guest to control +the physical hardware. + +II. Problem Description + +Some refactoring of the vmm(4) code introduced a regression in the portion +of the module which creates IOMMU mappings of guest memory. + +III. Impact + +The bug could cause PCI passthrough to not work as expected. + +IV. Workaround + +No workaround is available. Users not using bhyve(8) with PCI passthrough are +unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:20/vmm.patch +# fetch https://security.FreeBSD.org/patches/EN-25:20/vmm.patch.asc +# gpg --verify vmm.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 4f7436bf297b stable/15-n281529 +releng/15.0/ 04e9f1aab83a releng/15.0-n280997 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290920>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:20.vmm.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+b0ACgkQbljekB8A +Gu94Og//V+/8PQJEF9OxtyaDRsgoC2NmHDDdYW4RnwG6uxSCHhSLO8LUH1XjmWWb +c54Miuk6Xqh1D54D3Ppmr62nFKEhhqihDIZ28JTp67pvrJIFFUC5DXGTVcAUKzOG +O/6jNJST82SFmfUHu6ntHWwRkaOW7LjUdBnH8pj3JetlseRtYghiWX6Y2Ql5XDfB +AQF18mnxicXAg/PkI00iLqqkXaolAM29G2Io/KsdwMZZtL9RrFHKOlekX5iIyIBz +TOm+7hpLznKbNEpybdknphc3VpjG9aaJyoDMqjkuZ/wJSUusFDMNpO3vpggnTS5D +Yiu9yOGZb1nFEorfRco25Lh06FURaMb6t2lQFdmBg2ade1tiqR8E0CNdEBJIgjU+ +v6qZw7ayLTnfExvHyeHYxgVWpHp9eUpxMITiO7wt03BiEQvmmsnAMFSx2f5+Cvcy +Q3eddVsJ0S4pS9mhUBAfrUxvDikXj2sQ2fKs3niB5xzk3z6XzC1Ukf6XlGtOyH0J +PnMwZXRBChgaFwCzMwTdZpw2pZiVcWdsuLy24ecUWp9OUDGlfUG3heIbZBfSrdjz +VeUo8Mv+gmwVAeOcYZxJLbNftNwjtKIVvjbs/Dx30g8hiGck7QpdBLTOmLQouUx+ +1GcguiXe6fhsf15aywvEM/Okt+g2X4jDArhYM3xF4dZGSoX7RpY= +=8iiC +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-25:11.ipfw.asc b/website/static/security/advisories/FreeBSD-SA-25:11.ipfw.asc new file mode 100644 index 0000000000..c67d77839c --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-25:11.ipfw.asc @@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-25:11.ipfw Security Advisory + The FreeBSD Project + +Topic: ipfw denial of service + +Category: core +Module: ipfw +Announced: 2025-12-16 +Affects: FreeBSD 13 and 14 +Corrected: 2025-11-04 00:52:54 UTC (stable/14, 14.3-STABLE) + 2025-12-16 23:43:24 UTC (releng/14.3, 14.3-RELEASE-p7) + 2025-11-04 00:52:12 UTC (stable/13, 13.5-STABLE) + 2025-12-16 23:43:32 UTC (releng/13.5, 13.5-RELEASE-p8) +CVE Name: CVE-2025-14769 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +ipfw(4) is one of the firewalls provided in the FreeBSD base system. Its +`tcp-setmss` configuration directive allows the system administrator to lower +the Maximum Segment Size of a packet. + +II. Problem Description + +In some cases, the `tcp-setmss` handler may free the packet data and throw an +error without halting the rule processing engine. A subsequent rule can then +allow the traffic after the packet data is gone, resulting in a NULL pointer +dereference. + +III. Impact + +Maliciously crafted packets sent from a remote host may result in a Denial of +Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would +allow the traffic to pass. + +IV. Workaround + +No workaround is available, but systems that do not use ipfw(4) with the +`tcp-setmss` directive are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, and +reboot the system. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-14.patch +# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-14.patch.asc +# gpg --verify ipfw-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-13.patch +# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-13.patch.asc +# gpg --verify ipfw-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ deb684f9d1d6 stable/14-n272799 +releng/14.3/ c0cb68169beb releng/14.3-n271453 +stable/13/ 94360584542a stable/13-n259534 +releng/13.5/ 60026b06366f releng/13.5-n259185 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284606>; + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14769>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:11.ipfw.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+cAACgkQbljekB8A +Gu9XFA//V2aCX1XCn6tCRPR51ixMJ/9rKfpWmYpGruZoB1GaKC0UvkQqDNIkXw8K +r6OY1G2rK36y+AGCrxtXHnUKfDj/hzZkL4lEBr9AjcB6N4czk6q/fSuzcL0FCi9T +CbWjxSEjV2M2IO4nObu8CKB/7cVY6UlIhe2d4iBH+otkzfyBsYHwCSvhDOWxeWFj +f+I9ddOvCFv7lRh74RZk0CdSPe4HyptCSkwERwIn5Cm+fk7PJIFWDM4hF9atP+G8 +VT3PUirG1na33vtfRw46c/Qj+L8gybq0pztkTnqsm52WME0n1go3aI7mbPmSWTwe +xSC5totcYxbjQ/lMcXv00kgDzraFuPSzSzej6Z4BYXTHOgNTgHHexa3rqxs8y3i/ +IoOWSDZdyd2d3B9r5xAFSzp+HVv+C9UBB/AQ0kQt0gPTX6j9d0WiMninNiedVSWf +BOYCmgvI7+0ybeV54QFrVnEsImEoYu32NlLVVmswSnDOBuBcU2XtHtO7/x5BUcyU +CdOiAZ78TS+007QllROCuidXiQc0FNFqgm+rRFv37Wmmm0LZVkVJ7OVB0vXuk4ps +iNBFmXxHCiKL6zJGvx+OQmAXLE+xf71n9xt0jJIk/NfI1BkHYRrlYnH7JXhfBvAO +SYtM+FXK1Kehj+ltLUO+9WYhkgfAUtlI/+7GKLMDzy76Q+ZMzhk= +=0OhG +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-25:12.rtsold.asc b/website/static/security/advisories/FreeBSD-SA-25:12.rtsold.asc new file mode 100644 index 0000000000..03844597f1 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-25:12.rtsold.asc @@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-25:12.rtsold Security Advisory + The FreeBSD Project + +Topic: Remote code execution via ND6 Router Advertisements + +Category: core +Module: rtsold +Announced: 2025-12-16 +Credits: Kevin Day +Affects: All supported versions of FreeBSD. +Corrected: 2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE) + 2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1) + 2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE) + 2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7) + 2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE) + 2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8) +CVE Name: CVE-2025-14558 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +rtsold(8) and rtsol(8) are programs which process router advertisement +packets as part of the IPv6 stateless address autoconfiguration (SLAAC) +mechanism. + +II. Problem Description + +The rtsol(8) and rtsold(8) programs do not validate the domain search list +options provided in router advertisement messages; the option body is passed +to resolvconf(8) unmodified. + +resolvconf(8) is a shell script which does not validate its input. A lack of +quoting meant that shell commands pass as input to resolvconf(8) may be +executed. + +III. Impact + +Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution +from systems on the same network segment. In particular, router advertisement +messages are not routable and should be dropped by routers, so the attack does +not cross network boundaries. + +IV. Workaround + +No workaround is available. Users not using IPv6, and IPv6 users that do not +configure the system to accept router advertisement messages, are not affected. +A network interface listed by ifconfig(8) accepts router advertisement messages +if the string "ACCEPT_RTADV" is present in the nd6 option list. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch +# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch.asc +# gpg --verify rtsold.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 6759fbb1a553 stable/15-n281548 +releng/15.0/ 408f5c61821f releng/15.0-n280998 +stable/14/ 26702912e857 stable/14-n273051 +releng/14.3/ 3c54b204bf86 releng/14.3-n271454 +stable/13/ 4fef5819cca9 stable/13-n259643 +releng/13.5/ 35cee6a90119 releng/13.5-n259186 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>; + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14558>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc>; +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+cMACgkQbljekB8A +Gu9YXA//UpSYz4dseSTcDElpN6jp/2W0+OKDYVqRkH0PaLwZX8iGugm8QwqCxLoL +m1xK2BJir15wuUYmD++EYbjHajXrKIPaD+sW9KjqxgxDVsQWwfl9ZND743JM5TFE +Y3fx8halkChIwtNGCNDHTu5N2DmEPoTO03jOqKqjH6PZwJ6ycYTw4zJvPdP5eDiT ++zWpTNNm0VCkBQQB7ukJGku3zWAh4swZWylP2GvyzifcYKR3Z4OGhDdwQCBa99cn +jC67D7vURTqlk4pcTFJ6JrIVRIQJdNWQGRou3hAedE59bpAZZc8B/fd//Ganmrit +CBG1kMLYVxtV3/12+maEt/DLEMM7isGJPQiSWYe+qseBcdakmuJ8hdR8HKTqrK40 +57ZO59CnzEFr49DrrTD4B97cJwtrXLWtUp4LiXxuYy0CkCl8CiXvcgovCBusQpx+ +r68dgbfcH0UY/ryQp0ZWTI1y3NKmOSuPVpkW4Ss0BeGESlA4DJHuEwIs1D4TnOJL +90C5D7v7jeOtdXhZ6BHVLtXB+nn8zMpAO209H/pRQWJdAEpABheKCgisP9C80g6h +kM300GZjH4joYDyFbMYrW6uWfylwDFC1g8MdFi8yjZzEEOfrKNcY63b+Kx+c3xNL +hIa8yUcjLYHvMRnjTQU1bgUVU+SmW6n05HcqtWV7VKh39ATJcX4= +=TK7t +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:19/zfs.patch b/website/static/security/patches/EN-25:19/zfs.patch new file mode 100644 index 0000000000..83ceaef2be --- /dev/null +++ b/website/static/security/patches/EN-25:19/zfs.patch @@ -0,0 +1,11 @@ +--- sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c.orig ++++ sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c +@@ -5275,7 +5275,7 @@ + * Push any dirty mmap()'d data out to the DMU and ZIL, ready for + * zil_commit() to be called in zfs_fsync(). + */ +- if (vm_object_mightbedirty(vp->v_object)) { ++ if (vp->v_object != NULL && vm_object_mightbedirty(vp->v_object)) { + zfs_vmobject_wlock(vp->v_object); + if (!vm_object_page_clean(vp->v_object, 0, 0, 0)) + err = SET_ERROR(EIO); diff --git a/website/static/security/patches/EN-25:19/zfs.patch.asc b/website/static/security/patches/EN-25:19/zfs.patch.asc new file mode 100644 index 0000000000..0425b9df66 --- /dev/null +++ b/website/static/security/patches/EN-25:19/zfs.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+bwACgkQbljekB8A +Gu9SoRAAm4keitzrLj9mO+gAZdzrfK/JO3QhWbwhIRnzRlGId4Y2tXQg0kQspeQZ +Wm81e0tDPLHsFJs5xeDg0IC4s0EJAx+6xleDhDCHJQL76C75O9WdcYAq6KKOTxyW +I1hsNNlFD/b3fG64yB7EXQCmb3zLBFArP4gvBi0m5Juy0C6Eu8jxdu8+fbxNcRXs +OUJRJ0OBFnQ1xBxeKsxjXA2TJendAj2TmLGlWwnoAiEuHrAjT0xaH5+m53xfuNgH +7HIGs+4xXh31EFWA9893e64dMQZ1JPUL1M5tG9BlWlMAx3QfDMrjh//UiN4eoLXe +tRQitwKinIP2vBMNptOS1Jz9EBKpkaqkGn5J0Os4vYxOdKG/dbNOuHmlzAhm7SvE +VmrCo2EhxwACgR2GptWJ6/3EszIHNrhqLKkXdg52LziuIgxRYoT/Rpyui1aCEx+j +stPEn+dWjTyiZ6jStgcr3KkaroQST56LifSZDds619XCZl6VFYcD1c5CTa9tBKNP +aOuNLBU75cREmhsAzAN8NNJ4z5OwV/b72LwUSnPEfls1MjRktbWdTs9KaFlXmkog +eToz8wkMsWu/w4QB+XdjHT5T9T3RDhDXzGtvDK4FGPJChdhQMflUdqk1qto9BIoK +E6nmw6FW3GeDCWKi/4ffsbyBmpJdePjXdlH/PFylhRfuCBmIA3E= +=198O +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:20/vmm.patch b/website/static/security/patches/EN-25:20/vmm.patch new file mode 100644 index 0000000000..fa68754d4b --- /dev/null +++ b/website/static/security/patches/EN-25:20/vmm.patch @@ -0,0 +1,28 @@ +--- sys/amd64/vmm/vmm.c.orig ++++ sys/amd64/vmm/vmm.c +@@ -755,10 +755,10 @@ + sx_assert(&vm->mem.mem_segs_lock, SX_LOCKED); + + for (i = 0; i < VM_MAX_MEMMAPS; i++) { +- if (!vm_memseg_sysmem(vm, i)) ++ mm = &vm->mem.mem_maps[i]; ++ if (!vm_memseg_sysmem(vm, mm->segid)) + continue; + +- mm = &vm->mem.mem_maps[i]; + KASSERT((mm->flags & VM_MEMMAP_F_IOMMU) == 0, + ("iommu map found invalid memmap %#lx/%#lx/%#x", + mm->gpa, mm->len, mm->flags)); +@@ -803,10 +803,10 @@ + sx_assert(&vm->mem.mem_segs_lock, SX_LOCKED); + + for (i = 0; i < VM_MAX_MEMMAPS; i++) { +- if (!vm_memseg_sysmem(vm, i)) ++ mm = &vm->mem.mem_maps[i]; ++ if (!vm_memseg_sysmem(vm, mm->segid)) + continue; + +- mm = &vm->mem.mem_maps[i]; + if ((mm->flags & VM_MEMMAP_F_IOMMU) == 0) + continue; + mm->flags &= ~VM_MEMMAP_F_IOMMU; diff --git a/website/static/security/patches/EN-25:20/vmm.patch.asc b/website/static/security/patches/EN-25:20/vmm.patch.asc new file mode 100644 index 0000000000..3a82c526bf --- /dev/null +++ b/website/static/security/patches/EN-25:20/vmm.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+b8ACgkQbljekB8A +Gu8rmg//fxgg8RHsX+2subMm7G4VlBKHDk0vULQgGV4PXMAmSn30b+TLuNsJsaTp +fvPVKq2Q2Xuu5icWV2cdSmjd+egDOZfVRMdEbhr3ZdoUfPWtx1Om7xbwRtrTYtku +GloBN/KzUPvyk7d33K8qAIW7xyKOjCdepaG3EheMzgwWaWXrGUWJacGGqsYI7yrJ +HNvy6Zn0bxyVJUMVKMjgElt57K/D/CwzCOx3uTngbMTz09AGxuA4gHL1wMcJUqEI +SZ63RK4B2GfNj9+nNYCThwZAdmXLSCLdcc18Etq06spiJFJHG/xD/UZmJZV5N3ze +LriUeaOiCZgtVweVH+3JrFhvbQ/8Du0+8U7vPUV6bStE1czb1jAuWVKtZvT+6n4j +IwnLbST9Iymw/kXdiD238Js7tPUQKTR+kgpLyGNGRAIeadqFvfZ/T+iNgBXVPRRm +B4Lt+DI+Cxs6mP5+8zwc6rYKEwOsMTdLPWCe9rFX6BUy0SYpB/oTNPFI9c+lMvw7 +huGZQJcGlDSDuTr4FXTxjvs5wZdRL9aq/l9fFB9xgB4UJozOwa/SFt2p4Ff60CzG +5lCYWqgsOsm802f2NNwtMQZ1of3MutogBPh0HxYOOJHUxtqJ7o2D1EYtJx3kCc/7 +pAxgVSbZwMM6bvzuMJ3ZY9QJQfarj34BJQPlZRveSzSzoIxeeY8= +=uBhK +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:11/ipfw-13.patch b/website/static/security/patches/SA-25:11/ipfw-13.patch new file mode 100644 index 0000000000..fb05925f47 --- /dev/null +++ b/website/static/security/patches/SA-25:11/ipfw-13.patch @@ -0,0 +1,85 @@ +--- sys/netpfil/ipfw/pmod/tcpmod.c.orig ++++ sys/netpfil/ipfw/pmod/tcpmod.c +@@ -58,7 +58,8 @@ + #define V_tcpmod_setmss_eid VNET(tcpmod_setmss_eid) + + static int +-tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss) ++tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss, ++ int *done) + { + struct mbuf *m; + u_char *cp; +@@ -73,8 +74,10 @@ + * TCP header with options. + */ + *mp = m = m_pullup(m, m->m_pkthdr.len); +- if (m == NULL) ++ if (m == NULL) { ++ *done = 1; + return (ret); ++ } + } + /* Parse TCP options. */ + for (tlen -= sizeof(struct tcphdr), cp = (u_char *)(tcp + 1); +@@ -115,7 +118,7 @@ + + #ifdef INET6 + static int +-tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss) ++tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss, int *done) + { + struct ip6_hdr *ip6; + struct ip6_hbh *hbh; +@@ -143,13 +146,13 @@ + /* We must have TCP options and enough data in a packet. */ + if (hlen <= sizeof(struct tcphdr) || hlen > plen) + return (IP_FW_DENY); +- return (tcpmod_setmss(mp, tcp, hlen, mss)); ++ return (tcpmod_setmss(mp, tcp, hlen, mss, done)); + } + #endif /* INET6 */ + + #ifdef INET + static int +-tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss) ++tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss, int *done) + { + struct tcphdr *tcp; + struct ip *ip; +@@ -163,7 +166,7 @@ + /* We must have TCP options and enough data in a packet. */ + if (hlen <= sizeof(struct tcphdr) || hlen > plen) + return (IP_FW_DENY); +- return (tcpmod_setmss(mp, tcp, hlen, mss)); ++ return (tcpmod_setmss(mp, tcp, hlen, mss, done)); + } + #endif /* INET */ + +@@ -207,19 +210,23 @@ + switch (args->f_id.addr_type) { + #ifdef INET + case 4: +- ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1)); ++ ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1), ++ done); + break; + #endif + #ifdef INET6 + case 6: +- ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1)); ++ ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1), ++ done); + break; + #endif + } + /* + * We return zero in both @ret and @done on success, and ipfw_chk() + * will update rule counters. Otherwise a packet will not be matched +- * by rule. ++ * by rule. We passed @done around above in case we hit a fatal error ++ * somewhere, we'll return non-zero but signal that rule processing ++ * cannot succeed. + */ + return (ret); + } diff --git a/website/static/security/patches/SA-25:11/ipfw-13.patch.asc b/website/static/security/patches/SA-25:11/ipfw-13.patch.asc new file mode 100644 index 0000000000..67aea97cdc --- /dev/null +++ b/website/static/security/patches/SA-25:11/ipfw-13.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+cEACgkQbljekB8A +Gu+asw//WJUmaNnjyTsdXVY8r6CxzKjDngJFx0wiQ0KG2PB27ZckN/8HTB+ufDpt +XppOzfoplV0NPS3MY+Zbsl3UB+H51tpe72r4s8DJO0CY0YN1870JwQ7STCGOSY6r +iC8ZUe59tfBS96BKkEJmCVzMQtw6Sl2uBdUUvH3SdkOWN8qmzgsvnX9sJxPKS90f +vrYvEuOvSXzpj6k5RwoW0bHyVKd8bYxHby2yyyySyShUYSOZZYN8HLPKqFTrKA7x +80bJWK//OssKLKdBGQjS0jbXnqwy+jvz1hfTbijvZnbTfkY5JbnxZ/nLHjgdGB3i +T8VoT5IixsDxN0XN+GzphlGkE++LzhVsm8SB3361Twxr/J2PPWAMbY+Ic18qgbhV +OlNolgIpTeatQ2zCrX6A15z+gWaLMv6XFdhR/kgNU715MoFAc+o+Zzf/3FMgE0wN +R+J5vuUc5Wbv4IT3eQvmgEUzaTst4vGX7NHY51IHlSLa/AZqJl0dvutKQCBb8o8R +qWlubHA4nIMLM8avN555NFgVAN3wSKlgyPaWCMQxbwTQjN4IQdIRFwiSWfs5E2aM +WJPMbeV9w/bnFK2oM8ieei24UwhKGB/QJ8Z97VdI5fbj+C4OrD/Pq6MFPeNLeEH8 +LZ8aXmx7MaD1vuDr/LiDm88BTE47dIsP4NQwqX+mnwXlAa3I2S8= +=HOuk +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:11/ipfw-14.patch b/website/static/security/patches/SA-25:11/ipfw-14.patch new file mode 100644 index 0000000000..fb05925f47 --- /dev/null +++ b/website/static/security/patches/SA-25:11/ipfw-14.patch @@ -0,0 +1,85 @@ +--- sys/netpfil/ipfw/pmod/tcpmod.c.orig ++++ sys/netpfil/ipfw/pmod/tcpmod.c +@@ -58,7 +58,8 @@ + #define V_tcpmod_setmss_eid VNET(tcpmod_setmss_eid) + + static int +-tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss) ++tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss, ++ int *done) + { + struct mbuf *m; + u_char *cp; +@@ -73,8 +74,10 @@ + * TCP header with options. + */ + *mp = m = m_pullup(m, m->m_pkthdr.len); +- if (m == NULL) ++ if (m == NULL) { ++ *done = 1; + return (ret); ++ } + } + /* Parse TCP options. */ + for (tlen -= sizeof(struct tcphdr), cp = (u_char *)(tcp + 1); +@@ -115,7 +118,7 @@ + + #ifdef INET6 + static int +-tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss) ++tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss, int *done) + { + struct ip6_hdr *ip6; + struct ip6_hbh *hbh; +@@ -143,13 +146,13 @@ + /* We must have TCP options and enough data in a packet. */ + if (hlen <= sizeof(struct tcphdr) || hlen > plen) + return (IP_FW_DENY); +- return (tcpmod_setmss(mp, tcp, hlen, mss)); ++ return (tcpmod_setmss(mp, tcp, hlen, mss, done)); + } + #endif /* INET6 */ + + #ifdef INET + static int +-tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss) ++tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss, int *done) + { + struct tcphdr *tcp; + struct ip *ip; +@@ -163,7 +166,7 @@ + /* We must have TCP options and enough data in a packet. */ + if (hlen <= sizeof(struct tcphdr) || hlen > plen) + return (IP_FW_DENY); +- return (tcpmod_setmss(mp, tcp, hlen, mss)); ++ return (tcpmod_setmss(mp, tcp, hlen, mss, done)); + } + #endif /* INET */ + +@@ -207,19 +210,23 @@ + switch (args->f_id.addr_type) { + #ifdef INET + case 4: +- ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1)); ++ ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1), ++ done); + break; + #endif + #ifdef INET6 + case 6: +- ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1)); ++ ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1), ++ done); + break; + #endif + } + /* + * We return zero in both @ret and @done on success, and ipfw_chk() + * will update rule counters. Otherwise a packet will not be matched +- * by rule. ++ * by rule. We passed @done around above in case we hit a fatal error ++ * somewhere, we'll return non-zero but signal that rule processing ++ * cannot succeed. + */ + return (ret); + } diff --git a/website/static/security/patches/SA-25:11/ipfw-14.patch.asc b/website/static/security/patches/SA-25:11/ipfw-14.patch.asc new file mode 100644 index 0000000000..2be67b87f8 --- /dev/null +++ b/website/static/security/patches/SA-25:11/ipfw-14.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+cIACgkQbljekB8A +Gu/0YhAA1u4RvqedV9mVTbrHhsUUl0+O9WhSyiuqTWKOFihFYnJbL+z1C/bsnY5w +/u4EpyaRKion9FykXek3UFyteK6+ugqW8++H/5cN+95AuOVBZcz6gAhziy+beHA8 +YeO5G5o9p/pCQNWp5XP70uG8i4qm4fJ2GfHD2xY4Ji2A0IGEz0+NFK0+bfMUiHNx +HgJVEjFBZbgjltajatNbtf080/Gc5hJbvwejri9WRI0CxntJvHd9n6SJj9y9eBa8 +vr6bQcSY+IM8noEwmU2vtFF/AuCl8kRY6wHO78usEO7whnIzSQHqX2z0lKi1nImd +6gY2a69ZT11iKA0R7Qa2gtSZvJvA6Hb1D6i6t7EKKHcrVrGBEUYovCSyMR9g+cCV +7XPcweh/b/SIH+++oc856aw/hIeQTHcngFF6G+wJA0c7VyatMvARdit4u7q6Qfha +CwmeZTEWH+p1wBBMm8S5fPkUFDR87rW2NX3SnGpw4xKvsF3A8SW9cC1ktIvZY1km +VzXAAFWotWaRpju/LBSlzfYGl/uG86byY0/F1E3IvANympuzsL+ja0iE7lvDntca +Rwf8rVnA7ofK6Q3pF2Rm3ZqwH0RB9X8PiAWMHyR6RVhn+rScqOZx3skOI5n071/I +kX+ZkAX5Ca/tpGSmimI4ZgBpyBR6rHksUUbudq1i2JhG+OtrJrY= +=QOXB +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-25:12/rtsold.patch b/website/static/security/patches/SA-25:12/rtsold.patch new file mode 100644 index 0000000000..a448720b35 --- /dev/null +++ b/website/static/security/patches/SA-25:12/rtsold.patch @@ -0,0 +1,62 @@ +--- usr.sbin/rtsold/rtsol.c.orig ++++ usr.sbin/rtsold/rtsol.c +@@ -776,6 +776,41 @@ + argv[0], status); + } + ++#define PERIOD 0x2e ++#define hyphenchar(c) ((c) == 0x2d) ++#define periodchar(c) ((c) == PERIOD) ++#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) || \ ++ ((c) >= 0x61 && (c) <= 0x7a)) ++#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39) ++ ++#define borderchar(c) (alphachar(c) || digitchar(c)) ++#define middlechar(c) (borderchar(c) || hyphenchar(c)) ++ ++static int ++res_hnok(const char *dn) ++{ ++ int pch = PERIOD, ch = *dn++; ++ ++ while (ch != '\0') { ++ int nch = *dn++; ++ ++ if (periodchar(ch)) { *** 59 LINES SKIPPED ***home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6941fa94.2687a.6d355598>