Date: Wed, 4 Sep 2024 23:18:38 GMT
Message-Id: <202409042318.484NIcYO075213@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: 82c36e5403 - main - Add EN-24:15 and SA-24:09 through SA-24:14.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-BeenThere: dev-commits-doc-all@freebsd.org
Sender: owner-dev-commits-doc-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 82c36e540374ebb3c0822626f0b7f43086d249fe
Auto-Submitted: auto-generated

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=82c36e540374ebb3c0822626f0b7f43086d249fe

commit 82c36e540374ebb3c0822626f0b7f43086d249fe
Author: Gordon Tetlow
AuthorDate: 2024-09-04 23:18:00 +0000
Commit: Gordon Tetlow
CommitDate: 2024-09-04 23:18:00 +0000

Add EN-24:15 and SA-24:09 through SA-24:14.

Approved by: so

--- .../advisories/FreeBSD-EN-24:15.calendar.asc | 137 ++++++++++++ .../security/advisories/FreeBSD-SA-24:09.libnv.asc | 158 ++++++++++++++ .../security/advisories/FreeBSD-SA-24:10.bhyve.asc | 146 +++++++++++++ .../security/advisories/FreeBSD-SA-24:11.ctl.asc | 178 ++++++++++++++++ .../security/advisories/FreeBSD-SA-24:12.bhyve.asc | 148 +++++++++++++ .../advisories/FreeBSD-SA-24:13.openssl.asc | 136 ++++++++++++ .../security/advisories/FreeBSD-SA-24:14.umtx.asc | 143 +++++++++++++ .../security/patches/EN-24:15/calendar.patch | 11 + .../security/patches/EN-24:15/calendar.patch.asc | 16 ++ .../static/security/patches/SA-24:09/libnv.patch | 115 ++++++++++ .../security/patches/SA-24:09/libnv.patch.asc | 16 ++ .../static/security/patches/SA-24:10/bhyve.patch | 20 ++ .../security/patches/SA-24:10/bhyve.patch.asc | 16 ++ .../security/patches/SA-24:11/ctl-13.4.patch | 90 ++++++++ .../security/patches/SA-24:11/ctl-13.4.patch.asc | 16 ++ 
website/static/security/patches/SA-24:11/ctl.patch | 107 ++++++++++ .../static/security/patches/SA-24:11/ctl.patch.asc | 16 ++ .../static/security/patches/SA-24:12/bhyve.patch | 20 ++ .../security/patches/SA-24:12/bhyve.patch.asc | 16 ++ .../static/security/patches/SA-24:13/openssl.patch | 92 ++++++++ .../security/patches/SA-24:13/openssl.patch.asc | 16 ++ .../static/security/patches/SA-24:14/umtx.patch | 232 +++++++++++++++++++++ .../security/patches/SA-24:14/umtx.patch.asc | 16 ++ 23 files changed, 1861 insertions(+) diff --git a/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc b/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc new file mode 100644 index 0000000000..2b4ff86788 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:15.calendar Errata Notice + The FreeBSD Project + +Topic: cron(8) / periodic(8) session login + +Category: core +Module: periodic +Announced: 2024-09-04 +Affects: All supported versions of FreeBSD. +Corrected: 2024-08-08 20:07:04 UTC (stable/14, 14.1-STABLE) + 2024-09-04 21:34:23 UTC (releng/14.1, 14.1-RELEASE-p4) + 2024-09-04 20:54:10 UTC (releng/14.0, 14.0-RELEASE-p10) + 2024-08-08 20:07:07 UTC (stable/13, 13.4-STABLE) + 2024-08-14 03:37:16 UTC (releng/13.4, 13.4-BETA3) + 2024-09-04 20:29:38 UTC (releng/13.3, 13.3-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +periodic(8) is run via cron(8) as root to perform periodic system functions to +be executed on a daily, weekly, or monthly basis. + +II. Problem Description + +periodic(8) jobs are typically run in a context as the `root` user, but an +erratum in calendar(1) may clobber the login session of both cron(8) and +periodic(8) to a non-`root` user if the daily calendar job is enabled with +`daily_calendar_enable=YES`. + +III. Impact + +Mail sent after calendar(1) has run in the daily periodic run will have a +non-root sender on the envelope. This includes security jobs as well as other +cron jobs that may be run after the daily job has concluded. + +IV. Workaround + +No workaround is available. Systems that have not explicitly enabled the daily +calendar job are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch +# fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch.asc +# gpg --verify calendar.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 33708452aaab stable/14-n268432 +releng/14.1/ 86d01789bf41 releng/14.1-n267709 +releng/14.0/ d94dbaa516e0 releng/14.0-n265431 +stable/13/ 3a9010c98b3d stable/13-n258228 +releng/13.4/ 7088bf662d46 releng/13.4-n258220 +releng/13.3/ eab94c0fbb78 releng/13.3-n257447 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY53AACgkQbljekB8A +Gu+FxA/+JUfcaaoOhPcS8VabJS4UKYKH3S703qTSqaR1KsHj+nKXj5eSWCyGA4KI +C4p+9C4H7shzgO4SF18+HR679i+y0QNayEpEv9MkUsuYfevx3t8+E7joOH10usi1 +g92EPpAUYM5Cb0NpsjFS8gQk18qRlY76asdQlA+b8RDB0gU7lJkDTxrT4TUtJqKP +ysAa2ZruGuJbZpZlVPY/JLA9/liwBZcq6fij1g4dyQke6PbvTkoWxFD/3+/ufKXu +mWW+VsYxldNQRIJF9+8SuIcGTkDUr4HAP7EPYYKU8prX39lsAN0fA7oQO0ohvQ1b +20Oglq4PYQTEzv16KbAGZdByEzH2Tnzoz8jkaUeIfgnQrHEZbiaqckixi3bUOzPV +SJ037qikttpxVXrs6qxehl1f9tMLXFlbRSOrVrxg+YSb8Xy0nxRvdNwuJ+1OS2bD +DoPDXs3BVtecKrArDrZcbFcvzNbNiESZGRlFBI7hiy8DQFNFT755n1NnIDxjDerW +Qo9MELlWerWyP2djzS+C5YeTe3HPMw8dRbPORRKBD65+dXDn+W53TeJdVY/uwN/O +B9l/RRehDTB4pj79J6689h3mPSBgMC0tS33Nv1Xm42+58JPb9hP+RzHQkNVJcrxk +RDpKKxgJjTm5hQ+U8TMN+YOfWJnrEGk+mSWK8Vk96C0JQJSd0lI= +=Z1hr +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc new file mode 100644 index 0000000000..8fa9aa9e43 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc 
@@ -0,0 +1,158 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:09.libnv Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in libnv + +Category: core +Module: libnv +Announced: 2024-09-04 +Credits: Taylor R Campbell (NetBSD, CVE-2024-45287) + Synacktiv (CVE-2024-45287, CVE-2024-45288) +Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project +Affects: All supported versions of FreeBSD. +Corrected: 2024-09-04 12:24:56 UTC (stable/14, 14.1-STABLE) + 2024-09-04 21:07:27 UTC (releng/14.1, 14.1-RELEASE-p4) + 2024-09-04 20:54:12 UTC (releng/14.0, 14.0-RELEASE-p10) + 2024-09-04 12:24:12 UTC (stable/13, 13.4-STABLE) + 2024-09-04 19:13:10 UTC (releng/13.4, 13.4-RC2-p1) + 2024-09-04 20:29:40 UTC (releng/13.3, 13.3-RELEASE-p6) +CVE Name: CVE-2024-45287, CVE-2024-45288 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +libnv (also called nvlist) is a general-purpose library designed for storing +name-value pairs. This library can serve as an Inter-Process Communication +(IPC) framework, enabling processes to exchange data. For example, it is +used in libcasper to communicate between privileged and unprivileged +processes. Additionally, libnv can function as an interface for communication +between userland and kernel. + +Originally, libnv was inspired by OpenZFS nvlist. However, the +implementations are separate. This advisory is only about base system +implementation of libnv, not a OpenZFS one. + +II. Problem Description + +CVE-2024-45287 is a vulnerability that affects both the kernel and userland. +A malicious value of size in a structure of packed libnv can cause an integer +overflow, leading to the allocation of a smaller buffer than required for the +parsed data. 
+ +CVE-2024-45288 is a vulnerability that affects both the kernel and userland. +A missing null-termination character in the last element of an nvlist array +string can lead to writing outside the allocated buffer. + +III. Impact + +It is possible for an attacker to overwrite portions of memory (in userland +or the kernel) as the allocated buffer might be smaller than the data +received from a malicious process. This vulnerability could result in +privilege escalation or cause a system panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch +# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch.asc +# gpg --verify libnv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +d) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 9c2ef102166e stable/14-n268655 +releng/14.1/ d87f821959fb releng/14.1-n267696 +releng/14.0/ b219ce1c5a93 releng/14.0-n265433 +stable/13/ 03bef9971d73 stable/13-n258309 +releng/13.4/ 3aa9be7e3334 releng/13.4-n258240 +releng/13.3/ 33b4e2361c82 releng/13.3-n257449 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54cACgkQbljekB8A +Gu8YLRAAmpVVVib8RgEj0bKS5qNLwujEssMIO96LS73txcFGm/Iy+QJA/N/SRtDL +lnKRi0ya90pBmXXhX03Uei+O/nBAFxkCxCukuQ36bauJrA74RFgn/8ZK63RbvdDE +K+xAyK71FXLTr+wGqyzv0xOxNA60dl14WiyaLCUX++0DU3EesmVD508wIL7Ls/bS +5g5vllxmELV2zXYXY/DbEVHS/i2YRCs8ftasa92uXVgOibODVpL/GSXy1QHyykNQ +ODAmGjs+p0xf2JDJa2qvokMh4WS4HkGe4W/TcJueTiSbsdOrDDhOV/n0QTgwt1rQ +zq2QQU3tk2unYjhQrR6ZvHTbFCKc7G3BVFCPAZ6fSthq834EoCr2LUGyYhU+bLZ6 +SweQfCP48ExjIqvDzQqMOlvp9rMiLbxpjkdDcsml4zhD2GE+byuT6RSRBqq3tBvT +893YoIiW1m069DnAQxh1Zlewsk/BZFeeXBHZdk4Ik5KYFCwCabV3HLFa9hA1/iKx +5ITULL0gZgZKBQ9IbpkL45q9mcDHXrVuMPfA0a3bb38rpoK5uof25+oKSGGvWyDA +plGXuEh5Sltmx0lOdY2O70j8pLh7bVJCyo5rYDhObzQlWiajUx1pH3M9DePbI+Rk +Z+Gby0zKpXzgSfHSiSyfVPgDMa83yDpiozRMszjpvApB7h/hekQ= +=yX5r +-----END PGP SIGNATURE----- 
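Review bot: In section III (Impact) of FreeBSD-SA-24:09.libnv.asc, "This vulnerability could result in privilege escalation" is singular although section II describes two issues, CVE-2024-45287 and CVE-2024-45288. The preceding sentence ("the allocated buffer might be smaller than the data received") matches only the integer-overflow case, so consider "These vulnerabilities" and a clause that covers the missing null terminator as well. In section I, "not a OpenZFS one" should read "not the OpenZFS one", and "about base system implementation" is missing an article.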
diff --git a/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc new file mode 100644 index 0000000000..3c14fec494 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc 
@@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:10.bhyve Security Advisory + The FreeBSD Project + +Topic: bhyve(8) privileged guest escape via TPM device passthrough + +Category: core +Module: bhyve +Announced: 2024-09-04 +Credits: Synacktiv +Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project +Affects: FreeBSD 14.x +Corrected: 2024-09-04 15:42:29 UTC (stable/14, 14.1-STABLE) + 2024-09-04 21:07:28 UTC (releng/14.1, 14.1-RELEASE-p4) + 2024-09-04 20:54:13 UTC (releng/14.0, 14.0-RELEASE-p10) +CVE Name: CVE-2024-41928 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyve(8) is a hypervisor that runs guest operating systems inside a virtual +machine. + +II. Problem Description + +bhyve can be configured to provide access to the host's TPM device, where it +passes the communication through an emulated device provided to the guest. This +may be performed on the command-line by starting bhyve with the +`-l tpm,passthru,/dev/tpmX` parameters. + +The MMIO handler for the emulated device did not validate the offset and size +of the memory access correctly, allowing guests to read and write memory +contents outside of the memory area effectively allocated. + +III. Impact + +Malicious software running in a guest VM can exploit the buffer overflow to +achieve code execution on the host in the bhyve userspace process, which +typically runs as root. Note that bhyve runs in a Capsicum sandbox, so +malicious code is constrained by the capabilities available to the bhyve +process. + +IV. Workaround + +No workaround is available, but guests that do not use TPM passthrough are +not impacted. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Guest operating systems exposing the TPM device need to be restarted for the +correction to be applied. (i.e., their corresponding bhyve process needs to be +terminated and started again) + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the corresponding bhyve processes, or reboot the system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 6ce4821f0859 stable/14-n268656 +releng/14.1/ eab723be7542 releng/14.1-n267697 +releng/14.0/ 429f200688ca releng/14.0-n265434 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The corresponding part of the security audit report as provided by Synacktiv +will be published in due course. + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54kACgkQbljekB8A +Gu9vGg//YkEx8/3PWE8GUfdwfGrzMD+bpXoJViBIW+CX4tYYDU05CzF9i/FbB93B +629nWU4HMmTrQfARtpC/VCRASz+v6kSJvsOwt2120GVx5SUuFkP2nw3fCWdH5tqu +c/M4GRT2Brl4ZJFZGdfXCKYvGKnw68qhuX6CWFhXgAPAlj2VHNCluElriGMsuPs9 +mmu6/YX5vwVps8dj1XJqx8TFv81PXyatBbzmDi4VMpeBkcM6RBjzDl3C9XVh2k9S +ahPVp9yW/bXLS2U5GA+rTK4PNIJukZ5tRb2DXH3g5Ku9l6s2l3b8oof6kNifhwf7 +1L8QeTYabkeeGgCfpKmQb7ouZoAHw2fe6M64X/IAkWM46XejiV0mzRokjrG9VIPf +Ushi7hnEbI7Kzxw/H280R/lgsQh/o8+fF+3iFDij/GPKoWlLVy4WnLluihXkE2Xd +wlFxD80CKVxGi18JBjCIo7sFrLPuec1rGPn9sULCf2Yi5TnRnBYp9OzD7wSx5zIR +ohm6zKfajdyVlis9HLm1Xee4B7dEEbZWn6seo3DclCTIO22esN3Kjs8ovSyv1KFn +B0m0bR8YbJ0qVT/jDYdWkZmJW/EmmZpMMAN91G0q+M9m8Od4e81iQZknvujPsw+I +QjM5FlKvEuYXjt2tMxP35Dq8PXdl3jvY0fqTNrkCpuzKK0q76sM= +=VI0d +-----END PGP SIGNATURE----- 
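Review bot: Section V, option 1 of FreeBSD-SA-24:10.bhyve.asc keeps the stock clause "or the i386 platform on FreeBSD 13" although the header says "Affects: FreeBSD 14.x"; drop the FreeBSD 13 clause so that readers on 13.x do not infer this update applies to them. Section III also calls the issue "the buffer overflow", while section II describes an MMIO handler that did not validate offset and size, allowing guests to "read and write memory contents outside of the memory area"; using the same wording in both sections would make it clear that out-of-bounds reads are in scope too.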
diff --git a/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc b/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc new file mode 100644 index 0000000000..019935a17e --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc 
@@ -0,0 +1,178 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:11.ctl Security Advisory + The FreeBSD Project + +Topic: Multiple issues in ctl(4) CAM Target Layer + +Category: core +Module: ctl +Announced: 2024-09-04 +Credits: Synacktiv +Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project +Affects: All supported versions of FreeBSD. +Corrected: 2024-09-04 15:51:07 UTC (stable/14, 14.1-STABLE) + 2024-09-04 21:07:33 UTC (releng/14.1, 14.1-RELEASE-p4) + 2024-09-04 20:54:18 UTC (releng/14.0, 14.0-RELEASE-p10) + 2024-09-04 15:53:53 UTC (stable/13, 13.4-STABLE) + 2024-09-04 19:58:25 UTC (releng/13.4, 13.4-RC2-p1) + 2024-09-04 20:29:45 UTC (releng/13.3, 13.3-RELEASE-p6) +CVE Name: CVE-2024-8178, CVE-2024-42416, CVE-2024-43110, + CVE-2024-45063 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The ctl subsystem provides SCSI target devices emulation. The bhyve(8) +hypervisor and ctld(8) iSCSI target daemon make use of ctl. + +II. Problem Description + +Several vulnerabilities were found in the ctl subsystem. + +The function ctl_write_buffer incorrectly set a flag which resulted in a +kernel Use-After-Free when a command finished processing (CVE-2024-45063). +The ctl_write_buffer and ctl_read_buffer functions allocated memory to be +returned to userspace, without initializing it (CVE-2024-8178). +The ctl_report_supported_opcodes function did not sufficiently validate a +field provided by userspace, allowing an arbitrary write to a limited amount +of kernel help memory (CVE-2024-42416). +The ctl_request_sense function could expose up to three bytes of the kernel +heap to userspace (CVE-2024-43110). 
+ +Guest virtual machines in the bhyve hypervisor can send SCSI commands to the +corresponding kernel driver via the virtio_scsi interface. This provides +guests with direct access to the vulnerabilities covered by this advisory. + +The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI +connections, performs authentication and passes connections to the kernel +ctl(4) target layer. + +III. Impact + +Malicious software running in a guest VM that exposes virtio_scsi can exploit +the vulnerabilities to achieve code execution on the host in the bhyve +userspace process, which typically runs as root. Note that bhyve runs in a +Capsicum sandbox, so malicious code is constrained by the capabilities +available to the bhyve process. + +A malicious iSCSI initiator could achieve remote code execution on the iSCSI +target host. + +IV. Workaround + +No workaround is available. + +bhyve VMs that do not make use of virtio_scsi (for instance, via +`bhyve -s NN,virtio-scsi,...`), and hosts that do not export iSCSI targets, +are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The system should be rebooted in order to effectively mitigate the issue with +certainty. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 13.3, 14.0, 14.1] +# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch +# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch.asc +# gpg --verify ctl.patch.asc + +[FreeBSD 13.4] +# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch +# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch.asc +# gpg --verify ctl-13.4.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 803e0c2ab29b stable/14-n268660 +releng/14.1/ d30ffde0806e releng/14.1-n267701 +releng/14.0/ 4c60b8289d0e releng/14.0-n265438 +stable/13/ c8afc072690f stable/13-n258314 +releng/13.4/ 004298792002 releng/13.4-n258243 +releng/13.3/ 639494a3c1e6 releng/13.3-n257453 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The corresponding part of the security audit report as provided by Synacktiv +will be published in due course. 
+ + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54sACgkQbljekB8A +Gu9gEBAArLEF2hSMAo63riezMWcREkF+3r7GfgOmKNq1CWFgfA/ikjZKxIxAojEj +il6LBgEPQl7jhcC/eG2/U80gze5AtSsQpdCN5DgaQa4rrq4C8dIu8Q8DI/ZGkkAD +1oFQ5iz9IW0fszjCgwvdnEZt0wEvcMi8d3GzJddouVVxPgcTatw0VbMZWH9ZrpFA +pwgybyntTE3IG1DqOmFWqjZmjV55BESlphp3LoheWYR21iGwuMsZWBWZ7+c9IK2j +6RP7ZBN6F/IEr0Np0G22iqUcgQOyA20zL1EJPq93Hp7OdxTMLSgggg1zq3GMEZi6 +A8rjLHmiC6SIIjv7cFohU6vHHrUQkvkx1U0xmtI32StHowKf/Mn5wL8e+i+5g/JE +vPG6vmFRDUvMqWjB/GK0atyZ7pFHMX9s75NcI7q846Rg0IW9birlgFfqZEQOndH+ +O4AM2oQWOENg9FavMkZ9ScaR2/m2wQR8c4H3BLmAz6Q4R2+QQAjlDu2DtsLWFEeW +3DNna0/Lw67yDXv2+hJcj+WwQxxWBW3yEz6OVVdszdOofLy8eyUXHo2XGUFJZQKG +ZpplFPuvq1ZEci544hRDmjGhdKH9h6UoUAOiZQz9vJbx0GyCnhiunyIcM9gN+Rmk +KGP0t+jEDaMjkAWsu5w0qju68cFMRwEP1E+fT5atsmvnzQR+Zqo= +=eocJ +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc new file mode 100644 index 0000000000..8306450694 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc 
@@ -0,0 +1,148 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:12.bhyve Security Advisory + The FreeBSD Project + +Topic: bhyve(8) privileged guest escape via USB controller + +Category: core +Module: bhyve +Announced: 2024-09-04 +Credits: Synacktiv +Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project +Affects: All supported versions of FreeBSD. +Corrected: 2024-09-04 15:42:30 UTC (stable/14, 14.1-STABLE) + 2024-09-04 21:07:34 UTC (releng/14.1, 14.1-RELEASE-p4) + 2024-09-04 20:54:19 UTC (releng/14.0, 14.0-RELEASE-p10) + 2024-09-04 15:45:38 UTC (stable/13, 13.4-STABLE) + 2024-09-04 19:58:26 UTC (releng/13.4, 13.4-RC2-p1) + 2024-09-04 20:29:46 UTC (releng/13.3, 13.3-RELEASE-p6) +CVE Name: CVE-2024-32668 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyve(8) is a hypervisor that runs guest operating systems inside a virtual +machine. + +II. Problem Description + +bhyve can be configured to emulate devices on a virtual USB controller (XHCI), +such as USB tablet devices. An insufficient boundary validation in the USB code +could lead to an out-of-bounds write on the heap, with data controlled by the +caller. + +III. Impact + +A malicious, privileged software running in a guest VM can exploit the +vulnerability to achieve code execution on the host in the bhyve userspace +process, which typically runs as root. Note that bhyve runs in a Capsicum +sandbox, so malicious code is constrained by the capabilities available to the +bhyve process. + +IV. Workaround + +No workaround is available, but VMs that do not make the XHCI device +available to the guest (via `bhyve -s xhci,...`) are not impacted. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Guest operating systems emulating USB devices with XHCI need to be restarted for +the correction to be applied. (i.e., their corresponding bhyve process needs to +be terminated and started again) + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the corresponding bhyve processes, or reboot the system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 90af1336ed5e stable/14-n268657 +releng/14.1/ bb245c142075 releng/14.1-n267702 +releng/14.0/ 1d01a6c11210 releng/14.0-n265439 +stable/13/ 5920b7e6eea1 stable/13-n258311 +releng/13.4/ b3f0e555781c releng/13.4-n258244 +releng/13.3/ 5d6576f4f000 releng/13.3-n257454 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The corresponding part of the security audit report as provided by Synacktiv +will be published in due course. + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY544ACgkQbljekB8A +Gu+rCw/9FKPcF1L1kRh6J9Y6TLEmMIQx95YwodI4O11KMjgEL3wnz36p/Mrkrj8Z +g8h2+OBmqdr8NegyKHIuOHo8j9M892dnZpGWjyCgtbpnc57rXZhm83DDzRQ2r9OP +7yOWftWjgje1cyTphlFAr2p6IWg6z+6UicGwmeV17FSaG5rPjWuYoOOt63kzk3NA +0viDPIgLpoyGRCaiXa/sdoM2YQH9FxzKEC2yeURF/mLSPEFhaMO6SS8nrxmRC9Wc +f8DP5G00I3RPjAQ5ehXc5n0z88SHGKJc/dstI4jSzguyBNO8HQtCD6HC6uEo0ACV +EEJ80FJ+TOfZ9fhHkyEpGfMxwsAjpzud0zZWKV8+4jeY3kIp94g8MCKrHkLr6hXL +0+DMBsdqNS3T7lPzIimhJ7cwk/fXVQvUWu3rGBO33l3IUK0BWz/o3cTARTPEl/Zi +MMBETwn+ga6JioRBTmmOMazufAyA3Nlf/eRzIc9RGTUBjoqnY0jHzdwfPI8hDKXR +1bi1Rii8IcAmaHvMkGww6PJOkRTV8uyuW6JZ2te8V8PC5ojdUniYq5JN6mbrkpOR +RIYt3f16o6ANZ9qgMqmq2gdBBnJ80LDkQa71FV1bDf9g/LEd5aDynloaZb5D3EMp +0J0ZIPKKy/qprhVzEjxROzhLzNH0bJy6yaQhoxPY3QLzU78qrE4= +=nYwM +-----END PGP SIGNATURE----- 
diff --git a/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc b/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc new file mode 100644 index 0000000000..7b3a152879 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:13.openssl Security Advisory + The FreeBSD Project + +Topic: Possible DoS in X.509 name checks in OpenSSL + +Category: contrib +Module: openssl +Announced: 2024-09-03 +Credits: David Benjamin (Google) +Affects: FreeBSD 14.x +Corrected: 2024-09-03 17:09:21 UTC (stable/14, 14.1-STABLE) + 2024-09-04 21:07:35 UTC (releng/14.1, 14.1-RELEASE-p4) + 2024-09-04 20:54:20 UTC (releng/14.0, 14.0-RELEASE-p10) +CVE Name: CVE-2024-6119 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +Applications performing certificate name checks (e.g., TLS clients checking +server certificates) may attempt to read an invalid memory address when +comparing the expected name with an otherName subject alternative name of an +X.509 certificate. + +Basic certificate chain validation is not affected. The issue only occurs +when an application also specifies an expected DNS name, Email address or IP +address. + +III. Impact + +Applications affected by the problem may result in a termination, leading to +a denial of service. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 5946b0c6cbc7 stable/14-n268645 +releng/14.1/ 9a5a7c90d5e5 releng/14.1-n267703 +releng/14.0/ abd3a7939117 releng/14.0-n265440 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY55AACgkQbljekB8A +Gu/qxQ/9H4Iaao+a5X4aXiV1iU+fT2KSli8fMZKeRw/OOIAztSOHZp7go0noAX65 +SVwsb0fShwqAfDpeZhSjzMjpMmfkwQUkRbMK1SD+zLznSmC1McKF/EIAWrMwr78z +zDLv497wh26tY+3CUZJQPwkodTvkHnwU0jeUSTjHqC+lOQeOcQ9HwL0T4FsHw4HF +BJEX/k6uabpXsQe4H9U8C3MbUlOxiKfwFZAxDBhei2zZN/kfAY63iQhVH6/Ls5BG +ei7TcEF2e6ylhdaLcCxpArRrdql1VQ4SanAGVW4MQ/2s3YpxQYweKGMg4VSZvqXt +07mBlNHcLepsHK1/qXhDqO/UMO5QsSsH1trwiohmZRQZJp4wXFsGhc102dezDbun +TEJutKpNsojvWQ01IFcykCkvH2AAGXHJTB8H3jVXhBIU6DuqcmjVc8WXbrdN0vX8 +KcZgI7S5PyQ0WF+ESqR5MHGXx7Qr9uZPKSMvPq0/g2d+6G52/Yw4oZ3rZtqU34iO +uLq+FApa0Ema3jzxhq89c9oybfADpBDmYsAfqfMqexS+nIuPjeUpcv9gCukr2Of3 +rJDxx2hF/1c/hd83Pp7MKBT/x/4E3vombPjeNeP/sBLhXFSKiVxUDYGYgm6yw3GA +E7rv33ZJ09RaDGp9jbYaV5rOuEWAZpy42X/LsHjI9W3v0sGCJvU= +=JDHd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc b/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc new file mode 100644 index 0000000000..7f5c4ee555 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc @@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 *** 1052 LINES SKIPPED ***
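Review bot: In FreeBSD-SA-24:12.bhyve.asc, section V, the restart requirement is easy to miss and is punctuated oddly: "need to be restarted for the correction to be applied. (i.e., their corresponding bhyve process needs to be terminated and started again)" leaves the parenthetical dangling after the full stop, with no terminator of its own. Fold it into the sentence. The closing "Restart the corresponding bhyve processes, or reboot the system." follows step c) of the source-patch path, so a reader who takes the freebsd-update path in 1) may not see it as applying to them; consider moving it out so it visibly covers both options. In section III, "A malicious, privileged software" should read "Malicious, privileged software".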
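Review bot: In FreeBSD-SA-24:13.openssl.asc, the header says "Affects: FreeBSD 14.x", but section V 1) keeps the template wording "or the i386 platform on FreeBSD 13", which does not apply to an advisory that only covers 14.x; drop that clause here. "Announced: 2024-09-03" is earlier than both releng "Corrected" timestamps (2024-09-04) and than the 2024-09-04 announcement date of SA-24:12 added in the same commit, so please confirm the date is intended. In section III, "Applications affected by the problem may result in a termination" is awkward; wording such as "Affected applications may terminate abnormally" states the denial-of-service impact more directly.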