Date: Thu, 10 Apr 2025 16:27:50 GMT
Message-Id: <202504101627.53AGRoWt026097@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: 1e9a766add - main - Add EN-25:04 through EN-25:08.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-BeenThere: dev-commits-doc-all@freebsd.org
Sender: owner-dev-commits-doc-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1e9a766addb348bcc62307b9cdcded48f705296a
Auto-Submitted: auto-generated

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=1e9a766addb348bcc62307b9cdcded48f705296a

commit 1e9a766addb348bcc62307b9cdcded48f705296a
Author:     Gordon Tetlow
AuthorDate: 2025-04-10 16:27:06 +0000
Commit:     Gordon Tetlow
CommitDate: 2025-04-10 16:27:06 +0000

    Add EN-25:04 through EN-25:08.

    Approved by:    so
---
 website/data/security/errata.toml                  |   20 +
 .../advisories/FreeBSD-EN-25:04.tzdata.asc         |  161 +
 .../security/advisories/FreeBSD-EN-25:05.expat.asc |  159 +
 .../advisories/FreeBSD-EN-25:06.daemon.asc         |  135 +
 .../advisories/FreeBSD-EN-25:07.openssl.asc        |  178 +
 .../advisories/FreeBSD-EN-25:08.caroot.asc         |  148 +
 .../security/patches/EN-25:04/tzdata-2025b.patch   |  274 +
 .../patches/EN-25:04/tzdata-2025b.patch.asc        |   16 +
 .../patches/EN-25:05/expat-13.4-14.2.patch         | 5223 ++++++++++++++++
 .../patches/EN-25:05/expat-13.4-14.2.patch.asc     |   16 +
 .../security/patches/EN-25:05/expat-13.5.patch     | 3179 ++++++++++
 .../security/patches/EN-25:05/expat-13.5.patch.asc |   16 +
 .../static/security/patches/EN-25:06/daemon.patch  |  199 +
 .../security/patches/EN-25:06/daemon.patch.asc     |   16 +
 .../static/security/patches/EN-25:07/openssl.patch | 6544 ++++++++++++++++++++
 .../security/patches/EN-25:07/openssl.patch.asc    |   16 +
 .../security/patches/EN-25:08/caroot-13.4.patch    | 3374 ++++++++++
.../patches/EN-25:08/caroot-13.4.patch.asc | 16 + .../security/patches/EN-25:08/caroot-13.5.patch | 3374 ++++++++++ .../patches/EN-25:08/caroot-13.5.patch.asc | 16 + .../security/patches/EN-25:08/caroot-14.2.patch | 3374 ++++++++++ .../patches/EN-25:08/caroot-14.2.patch.asc | 16 + 22 files changed, 26470 insertions(+) diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index d26f0bf3f2..bd86e232cc 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,26 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-25:08.caroot" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:07.openssl" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:06.daemon" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:05.expat" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:04.tzdata" +date = "2025-04-10" + [[notices]] name = "FreeBSD-EN-25:03.tzdata" date = "2025-01-29" diff --git a/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc new file mode 100644 index 0000000000..acf18a34a7 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc 
@@ -0,0 +1,161 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:04.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2025-04-10 +Affects: All supported versions of FreeBSD. +Corrected: 2025-03-26 01:04:32 UTC (stable/14, 14.2-STABLE) + 2025-04-10 14:57:39 UTC (releng/14.2, 14.2-RELEASE-p3) + 2025-03-26 01:04:59 UTC (stable/13, 13.5-STABLE) + 2025-04-10 14:59:01 UTC (releng/13.5, 13.5-RELEASE-p1) + 2025-04-10 14:59:35 UTC (releng/13.4, 13.4-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The IANA Time Zone Database (often called tz or zoneinfo) contains code and +data that represent the history of local time for many representative +locations around the globe. It is updated periodically to reflect changes +made by political bodies to time zone boundaries, UTC offsets, and +daylight-saving rules. + +FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. +The tzsetup(8) utility allows the user to specify the default local time +zone. Based on the selected time zone, tzsetup(8) copies one of the files +from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected +for an individual process by setting its TZ environment variable to a desired +time zone name. + +II. Problem Description + +Several changes to future and past timestamps have been recorded in the IANA +Time Zone Database after previous FreeBSD releases were released. This +affects many users in different parts of the world. Because of these +changes, the data in the zoneinfo files need to be updated. If the local +timezone on the running system is affected, tzsetup(8) needs to be run to +update /etc/localtime. 
+ +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected time zones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated version of the IANA Time Zone +Database from the misc/zoneinfo port and run tzsetup(8). + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Please note that some third party software, for instance PHP, Ruby, Java, +Perl and Python, may be using different zoneinfo data sources, in such cases +this software must be updated separately. Software packages that are +installed via binary packages can be upgraded by executing 'pkg upgrade'. + +Following the instructions in this Errata Notice will only update the IANA +Time Zone Database installed in /usr/share/zoneinfo. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:04/tzdata-2025b.patch +# fetch https://security.FreeBSD.org/patches/EN-25:04/tzdata-2025b.patch.asc +# gpg --verify tzdata-2025b.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 475082194ac8 stable/14-n270829 +releng/14.2/ 2c5831b3047d releng/14.2-n269519 +stable/13/ 7b17666c32f7 stable/13-n259218 +releng/13.5/ 74aa5e2a7b10 releng/13.5-n259163 +releng/13.4/ f8c2bedb03a2 releng/13.4-n258280 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38CwACgkQbljekB8A +Gu8ZtxAAgvGZHyMBOTxDHJimqZQWwFMTyUrqUDAt19N1ETuFTeDXYi7OGWLUV9sn +lSEVO+n5xEesF20vauQnv9vrXCK2gmvv97bT4SUEGjhdmPm78L14uD6UP8Ws/2+v +lrps0cu0qYfmNLZUsKYH05ZcNCHBi7kSG14CMLXqFHPBM/9pKefnU7wp89oWvWpe +0gsTvEEixmQELsmKDieIPiqlavRCzLLjtbUGr2/Apqe9WK2eyDwpZlSjqAUba7JR +N4zod+EHwVrXsQdzXM1nSHAUR2I7AC2dn7CJX+o1wN1qHpLov5mnkxvFxO2otalY +fLgOQCNzPpYlrMozCEDKTAVu+fL4qDB9NouE6uPo0AgPul9DVmJ/WsSdDEzbicss +giG1S47ulsb/MTi0pGWz7emdstqtoxu/bGsTcjzB1IaMYZufz67rQjayfjVkX8Iy +AOiRXJQMQnXCEOz30OskewXdrShbpV1siBBFUdvBOd/QUc4LrnrtdWUriDgdDi5w +13ahxer5jGh+QC8tueNkZ2HOBAbid7W7wy1pbThCguCbIjUlpTh4F9my8NzVIGtF +twmPrbwLXcX2G41NH3YWZ6U9pcB2r8JjAgbZrLjN/SytZu5Zc2hhO+JgjxAVxCdY +SrOpg0NrCqftfNPehxqNP7BiAHCRFFrOfdEiX2Wd7mUmb7CLK0g= +=aI5z +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc b/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc new file mode 100644 index 0000000000..552401a580 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc 
@@ -0,0 +1,159 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:05.expat Errata Notice + The FreeBSD Project + +Topic: Update expat to 2.7.1 + +Category: contrib +Module: libbsdxml +Announced: 2025-04-10 +Affects: All supported versions of FreeBSD. +Corrected: 2025-04-07 03:39:34 UTC (stable/14, 14.2-STABLE) + 2025-04-10 14:57:40 UTC (releng/14.2, 14.2-RELEASE-p3) + 2025-04-07 03:41:14 UTC (stable/13, 13.5-STABLE) + 2025-04-10 14:59:02 UTC (releng/13.5, 13.5-RELEASE-p1) + 2025-04-10 14:59:36 UTC (releng/13.4, 13.4-RELEASE-p5) +CVE Name: CVE-2024-8176 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +Expat is an XML parser library written in C. It is a stream-oriented +parser in which an application registers handlers for things the parser +might find in the XML document (like start tags). + +The FreeBSD base system ships libexpat as libbsdxml for components that +need to parse XML data. Some of these applications use the XML parser +on trusted data from the kernel, for instance the geom(8) configuration +utilities, while other applications, like tar(1), cpio(1) and +unbound-anchor(8), may use the XML parser on input from network or the +user. + +II. Problem Description + +A stack overflow bug exists in the libexpat library due to the way it +handles recursive entity expansion in XML documents. When parsing an +XML document with deeply nested entity references, libexpat can be +forced to recurse indefinitely, exhausting the stack space and causing a +crash. + +III. Impact + +This stack overflow could cause e.g. tar(1) to crash. Owing to the +limited number of ways libbsdxml is used in FreeBSD, the base system is +not likely to be vulnerable to denial of service (DoS) or exploitable memory +corruption. 
+ +IV. Workaround + +No workaround is available, but the problem only manifests when the +affected system needs to process data from an untrusted source. + +Because the library is used by many third party applications, we advise +system administrators to check and make sure that they have the latest +expat version as well, and restart all third party services, or reboot +the system. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.4, 14.2] +# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch +# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch.asc +# gpg --verify expat-13.4-14.2.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch +# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch.asc +# gpg --verify expat-13.5.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch -E < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +The FreeBSD base system does not install daemons that use the library. +A reboot is not required after updating the base system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ fd4592006b13 stable/14-n271000 +releng/14.2/ 700e7384dfbf releng/14.2-n269520 +stable/13/ 5630672e6f6d stable/13-n259244 +releng/13.5/ dec0bf8096b3 releng/13.5-n259164 +releng/13.4/ e3fd2734314d releng/13.4-n258281 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DUACgkQbljekB8A +Gu8jQA/6AtsNwonBza6fjbkQaDeGbyEn2agOvkZ8R0tF+QKnYLVt63O52r9VmTeG +s5/yLjcXKqo4Bnk9x3+BiDzA6x2LQrma8QRuvz+eLrRyGK2Ux0L5py0lNb9CqTsc +/jS+5dU18nOA4v9P+UMj6NWXAxlgJ3LVVGgSLZxjXLkyZHzzUnQHiQnY4DeWzAh6 +tTY/EeNjVd3LPIDmpomHSsrt+ayD13+SNdADNWY3mColCS4ew8duiOIoACpj8J99 +LI6hfUjninjmkPbgUmRnX5akh35uxcOhANFuyHlr5GMsh/h76BJ1FT64oZtBwWTQ +Zy/hF6fBOb42NJMUuIu7yNEgYg2Yb8fgb0+zfFtBih5U/KBGD/yD3mst3lAAVPZS +Q25e3U9zbyVyykZg5RdKVWy1PSI2FG7uNb+f1Jz8xPPgcCF9edjJLHD2lcTZVprR +bJPeFXf5MJjgzSafLxon4jA/6rnoqUaML1Cbi6DIVhC4hgsBCzMzcTedo7gjP6Ab +6c6msxXLha0Q7eBUH10uoh+I91AMERBJZpEEaX8PN9GtRZi+lvn04GW2UbjRnBpY +eKL/9RGeW8WRMwwututtzSbFLk8iSzcOto2iVClkkybOQAau78kTpnMhGyRav/UQ +zezIRE2X/Ob34wZK3WxQRGuIVx40Ci0ZNly2w6wRTmak9twgP6U= +=9pZP +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc b/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc new file mode 100644 index 0000000000..f137953431 
--- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc 
@@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:06.daemon Errata Notice + The FreeBSD Project + +Topic: daemon(8) missing signals + +Category: core +Module: daemon +Announced: 2025-04-10 +Affects: FreeBSD 14.2 and FreeBSD 13.4 +Corrected: 2024-12-10 23:05:46 UTC (stable/14, 14.2-STABLE) + 2025-04-10 14:57:41 UTC (releng/14.2, 14.2-RELEASE-p3) + 2024-12-10 23:06:11 UTC (stable/13, 13.4-STABLE) + 2025-04-10 14:59:37 UTC (releng/13.4, 13.4-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +daemon(8) can be sent some signals to control its behavior: SIGHUP to re-open +its output file, or SIGTERM to cleanly terminate the child and shutdown. + +II. Problem Description + +Following a change to use kqueue(2) to manage signals, daemon(8) would lose +signal events that occur while it waits to restart the supervised process. + +III. Impact + +The most notable impact is that daemon(8) may hang if a SIGTERM is sent to it +after the child has gone away, and before it is restarted. + +Note that FreeBSD 13.5 is not affected. FreeBSD 13.5-PRERELEASE and later +builds of stable/13 include the fix. + +IV. Workaround + +No workaround is available. daemon(8) invocations that do not use -r are not +affected, with a larger -R argument being specified making it more likely to +hit the problematic window. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and restart any daemon(8) +processes that may be affected or reboot the system. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:06/daemonpatch +# fetch https://security.FreeBSD.org/patches/EN-25:06/daemonpatch.asc +# gpg --verify daemon.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 7ea2874eadf9 stable/14-n269895 +releng/14.2/ 4651d400f100 releng/14.2-n269521 +stable/13/ 4bb1a558a281 stable/13-n258848 +releng/13.4/ a1f4a530dea3 releng/13.4-n258282 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DgACgkQbljekB8A +Gu97DRAAgNI+V5TOsP2a9hiQgQ5B1Za6gc28a0mFlhbl6CQn2CdaOrTGFMGXEHVv ++vXXwewBS8N1+fUloDiC6oLi7N9mwt8sI4U3jSnNc1LZhXBDohM0Pv67AOr7GfDp +i+rkYJeGV4uVPKaHbnxWo1LTO+/oJH8N4b4kvIlyzv+C3TRNi3aFarcA+dnw7woK +xL1qTk7uCcgvUn9zh6xlvGKHK605WqwQ3HcBv6sfghGzBdfhkArkMg45ww0z7Xoy +1viVwrdZOIFWMKngPaRypPonp1UZmEOCIT5UzkZv8u2vctJufZEF3mWwQHLYxZg4 +1wSTF0YgwrLBsdkLveU9YLG1YWDFIs3XhfMT3ES6PXvNLfDSKH6xrnjcdeki4wtN +wapUu+cKAmB9Itpa7jbyY3pgvqOhmCEprxZ8fAxB55iGIsuWx2jY70j0n6Dko5Z+ +AAxdIz6WmCakzpUC5q+cX0A3v33qtPZvzR3iH3ZTYsTYp7B/oKRZ6kW4snTaM/Id +5yI+4vZdVxfWEKWo3b+JWQEi/qRdZpnaRuBK9g7bCEPPv69dVpXfI1hXnczdZrQn +etdF21cnVyWt5brcpDBTk+0s1a2OA7kDqp1sQ/cTgoBEdVW317UDu+esgVzXkQmu +LpPBTXqnBUNhlwiL//APijkcd1iV53RUR3ylL/tC6j04nrURFxE= +=64Co +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc b/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc new file mode 100644 index 0000000000..d32ced3c9d --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc 
@@ -0,0 +1,178 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:07.openssl Errata Notice + The FreeBSD Project + +Topic: Update OpenSSL to 3.0.16 + +Category: contrib +Module: openssl +Announced: 2025-04-10 +Affects: FreeBSD 14.2 +Corrected: 2025-03-25 21:07:59 UTC (stable/14, 14.2-STABLE) + 2025-04-10 14:57:42 UTC (releng/14.2, 14.2-RELEASE-p3) +CVE Name: CVE-2024-13176, CVE-2024-9143 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured Open +Source toolkit for the Transport Layer Security (TLS) protocol. It is also a +general-purpose cryptography library. + +II. Problem Description + +Automated security vulnerability scanners report that OpenSSL 3.0.15, included +with FreeBSD 14.2, is affected by CVE-2024-13176 and CVE-2024-9143. + +1) CVE-2024-13176 + +A timing side-channel which could potentially allow recovering the private key +exists in the ECDSA signature computation. + +2) CVE-2024-9143 + +Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit +values for the field polynomial can lead to out-of-bounds memory reads or +writes. + +III. Impact + +1) CVE-2024-13176 + +There is a timing signal of around 300 nanoseconds when the top word of the +inverted ECDSA nonce value is zero. This can happen with significant +probability only for some of the supported elliptic curves. In particular the +NIST P-521 curve is affected. + +To be able to measure this leak, the attacker process must either be located +in the same physical computer or must have a very fast network connection with +low latency. 
+ +2) CVE-2024-9143 + +Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, +that make it possible to represent invalid field polynomials with a zero +constant term, via the EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), +and various supporting BN_GF2m_*() or similar APIs, may terminate abruptly as +a result of reading or writing outside of array bounds. Remote code execution +cannot easily be ruled out. + +In all the protocols involving Elliptic Curve Cryptography known to the +OpenSSL developers either only "named curves" are supported, or, if explicit +curve parameters are supported, they specify an X9.62 encoding of binary +(GF(2^m)) curves that can't represent problematic input values. Thus the +likelihood of existence of a vulnerable application is low. + +In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, +so problematic inputs cannot occur in the context of processing X.509 +certificates. Any problematic use-cases would have to be using an "exotic" +curve encoding. + +IV. Workaround + +No workaround is available. + +Systems not using base versions of OpenSSL are not affected. + +Systems not exposed to low-latency adversaries and systems not using "exotic" +elliptic curve parameters are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. A reboot is required following +the upgrade to ensure that all applications and kernel code has been rebuilt with +OpenSSL 3.0.16-provided code. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +The system should be rebooted after installing the update to ensure that all +applications are using OpenSSL 3.0.16. 
+ +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch +# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ cb29db243bd0 stable/14-n270826 +releng/14.2/ 862cd6b8fa9d releng/14.2-n269522 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DoACgkQbljekB8A +Gu/03hAAhIoD5XT/ynR4g20mOs4e03spEnJSJARO6ZGSCdI7zis5dWjnWADu1gPi +GND4THVdOI50WDyg2kyvKivt06ykfxcfAzSV3mqn+mECsOjGknfs0UAmjc6ilW28 +PPA8QnJjYYKI+EGSFnG510MZWUTZKlldJ86ECnn7xh4xrOsMBKSK53Fjy8y96Tc2 +AUBzfu8uc0t9YdSCQlYp+T5ZEM8mXYiGbQBj+ZnLyVIhWjSWiR89wjUA7hjp0UQV +rzKEqx9kvPNLPLRT0belbzohSIwKiCYjL3ryqsMiCliGRn1Gyii7oLIOkVPIZNyt +QRCyifi/q5SdkYb3nkSzNlE7cYCDN2Qpnkdn6fVwxEjFgtsbG+Ljni/IXvFqf7A1 +6LNZsBLiYFGrEha9yxiI1av0jO81Ktbu2U1QUosT1T856FGR6/1KKQzUfmL1JJY7 +G0LTIrrzTJuuVeYe2f3AtwNpk+zjHH4plCORd7psdj5MwWtAAt5AifC7J0sdLcjj +V552p2qV18RBhY38zEpY8JmWxXukLp0IuKJjYLtP81I2g3JrSUkVvycyMmACKVm1 +wzOgeAwA4qlfOaYaOffeouaMFrOqR9UGBdtiwxCiuerU3ZWhG1eXwHYTwfhBC9U4 +eB7YiAdGz/xI1GK6OsfbCxWISXYiN+QXDIkSkdK4p3VPvjkVQeA= +=HLnD +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc b/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc new file mode 100644 index 0000000000..cfbbd2968c --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc 
@@ -0,0 +1,148 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:08.caroot Errata Notice + The FreeBSD Project + +Topic: Root certificate bundle update + +Category: core +Module: caroot +Announced: 2025-04-10 +Credits: michaelo@FreeBSD.org +Affects: All supported versions of FreeBSD. +Corrected: 2025-03-20 10:18:27 UTC (stable/14, 14.2-STABLE) + 2025-04-10 14:57:44 UTC (releng/14.2, 14.2-RELEASE-p3) + 2025-03-20 11:32:44 UTC (stable/13, 13.5-STABLE) + 2025-04-10 14:59:03 UTC (releng/13.5, 13.5-RELEASE-p1) + 2025-04-10 14:59:38 UTC (releng/13.4, 13.4-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The root certificate bundle is the trust store that is used by OpenSSL +programs and libraries to aid in determining whether it should trust a given +TLS certificate. + +II. Problem Description + +Several certificates were added to the bundle after the latest release of +FreeBSD 13.4, 13.5, and 14.2. + +III. Impact + +TLS connections using the missing root certificates as a trust anchor would +not be trusted causing an error. + +IV. Workaround + +No workaround is available. Software that uses an internal trust store is not +affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +Users of FreeBSD Update should ensure that freebsd-update(8) is allowed to +create and delete files. This is allowed by default. 
+ +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.2] +# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-14.2.patch +# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-14.2.patch.asc +# gpg --verify caroot-14.2.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.5.patch +# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.5.patch.asc +# gpg --verify caroot-13.5.patch.asc + +[FreeBSD 13.4] +# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.4.patch +# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.4.patch.asc +# gpg --verify caroot-13.4.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch -E < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use OpenSSL, or reboot the system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 7577dae4d672 stable/14-n270816 +releng/14.2/ 23d06bb83d0a releng/14.2-n269523 +stable/13/ f89c056e1184 stable/13-n259216 +releng/13.5/ 74176002ff9f releng/13.5-n259165 +releng/13.4/ e8e9cb97d094 releng/13.4-n258283 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DwACgkQbljekB8A +Gu+y3BAAqgGHlCNdHu/XmCADpI+yNT30mBCN+eOQ7B5R5Ao9E65b2MdveoOScARA +wmleXASx7clmCJwUITlEC0H57omcEYk5y0o7//NalbaFNI5c3SA6TWSca3BaHoo+ +TkgRvu0vrAdT2nrqmpBPEQR1uVUyEa2bLuTSe+PwN00kIs70RSzHapAhUtfDA3ZV +PDimqQZSnAEvC6hWyrpZfWPXiKnFoUr+reS+zcBpslFy8CN0ybj2g5PmC38hxj16 +GTk5HFYrK8hi1iCw+nvu+s4A7BU58CxIu1Z4ieOUC8GpJj7TAA92Q+Jn8642gvkm +n9mZJiAcjq+OYfTE199xuV5XhF+dOv6maRm4dX8m1+B5SCYhpoM47fY55xnWJcOY +j/sK6JKpJypiMd5cyuzXTs1RiI6zujkwCTNRfh7FvR0WeywdBzMRYB8TFZs7pg+/ +ZCNoyookgMHEEVBoei+FGmAE0nSErqQTvIHhvIAL57xQ1sh5ArrrPnus5Se3xGhU +xwSMVFyVtnww79zI26czK6Fup3DaxStozw2D2As3f2PYAoXstjfL/JIWIZSJflno +oYj9noXzWNo7s6hG3NAUKllvq3Mb5m4eIZHQrLRWHY39Wij+6hyKj9kshLwQ6Lg9 +eDE8LLSbSNqgTuy9BfoS4OXIpYQl4aYLovqultTEjTe0iu2XKdc= +=JUPU +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:04/tzdata-2025b.patch b/website/static/security/patches/EN-25:04/tzdata-2025b.patch new file mode 100644 index 0000000000..fc854ac613 
--- /dev/null +++ b/website/static/security/patches/EN-25:04/tzdata-2025b.patch 
@@ -0,0 +1,274 @@ +--- contrib/tzdata/NEWS.orig ++++ contrib/tzdata/NEWS +@@ -1,15 +1,40 @@ + News for the tz database + ++Release 2025b - 2025-03-22 13:40:46 -0700 ++ ++ Briefly: ++ New zone for Aysén Region in Chile which moves from -04/-03 to -03. ++ ++ Changes to future timestamps ++ ++ Chile's Aysén Region moves from -04/-03 to -03 year-round, joining ++ Magallanes Region. The region will not change its clocks on ++ 2025-04-05 at 24:00, diverging from America/Santiago and creating a ++ new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model ++ this as a change to standard offset effective 2025-03-20. ++ ++ Changes to past timestamps ++ ++ Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at ++ year end. (Thanks to Roozbeh Pournader.) ++ ++ Changes to code ++ ++ 'zic -l TIMEZONE -d . -l /some/other/file/system' no longer ++ attempts to create an incorrect symlink, and no longer has a ++ read buffer underflow. (Problem reported by Evgeniy Gorbanev.) ++ ++ + Release 2025a - 2025-01-15 10:47:24 -0800 + + Briefly: +- Paraguay adopts permanent -03 starting spring 2024. ++ Paraguay adopted permanent -03 starting spring 2024. + Improve pre-1991 data for the Philippines. + Etc/Unknown is now reserved. + + Changes to future timestamps + +- Paraguay will stop changing its clocks after the spring-forward ++ Paraguay stopped changing its clocks after the spring-forward + transition on 2024-10-06, so it is now permanently at -03. + (Thanks to Heitor David Pinto and Even Scharning.) + This affects timestamps starting 2025-03-22, as well as the +--- contrib/tzdata/asia.orig ++++ contrib/tzdata/asia +@@ -1500,6 +1500,16 @@ + # (UIT No. 143 17.XI.1977) and not 23 September (UIT No. 141 13.IX.1977). + # UIT is the Operational Bulletin of International Telecommunication Union. + ++# From Roozbeh Pournader (2025-03-18): ++# ... the exact time of Iran's transition from +0400 to +0330 ... was Friday ++# 1357/8/19 AP=1978-11-10. 
Here's a newspaper clip from the Ettela'at ++# newspaper, dated 1357/8/14 AP=1978-11-05, translated from Persian ++# (at https://w.wiki/DUEY): ++# Following the government's decision about returning the official time ++# to the previous status, the spokesperson for the Ministry of Energy ++# announced today: At the hour 24 of Friday 19th of Aban (=1978-11-10), ++# the country's time will be pulled back half an hour. ++# + # From Roozbeh Pournader (2003-03-15): + # This is an English translation of what I just found (originally in Persian). + # The Gregorian dates in brackets are mine: +@@ -1627,7 +1637,7 @@ + Zone Asia/Tehran 3:25:44 - LMT 1916 + 3:25:44 - TMT 1935 Jun 13 # Tehran Mean Time + 3:30 Iran %z 1977 Oct 20 24:00 +- 4:00 Iran %z 1979 ++ 4:00 Iran %z 1978 Nov 10 24:00 + 3:30 Iran %z + + +--- contrib/tzdata/northamerica.orig ++++ contrib/tzdata/northamerica +@@ -1611,6 +1611,15 @@ + # For more on Orillia, see: Daubs K. Bold attempt at daylight saving + # time became a comic failure in Orillia. Toronto Star 2017-07-08. + # https://www.thestar.com/news/insight/2017/07/08/bold-attempt-at-daylight-saving-time-became-a-comic-failure-in-orillia.html ++# From Paul Eggert (2025-03-20): ++# Also see the 1912-06-17 front page of The Evening Sunbeam, ++# reproduced in: Richardson M. "Daylight saving was a confusing ++# time in Orillia" in the 2025-03-15 Orillia Matters. Richardson writes, ++# "The first Sunday after the switch was made, [DST proponent and ++# Orillia mayor William Sword] Frost walked into church an hour late. ++# This became a symbol of the downfall of daylight saving in Orillia." ++# The mayor became known as "Daylight Bill". ++# https://www.orilliamatters.com/local-news/column-daylight-saving-was-a-confusing-time-in-orillia-10377529 + + # From Mark Brader (2010-03-06): + # +--- contrib/tzdata/southamerica.orig ++++ contrib/tzdata/southamerica +@@ -1246,35 +1246,45 @@ + # dates to 2014. 
+ # DST End: last Saturday of April 2014 (Sun 27 Apr 2014 03:00 UTC) + # DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC) +-# http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf ++# From Tim Parenti (2025-03-22): ++# Decreto 307 of 2014 of the Ministry of the Interior and Public Security, ++# promulgated 2014-01-30 and published 2014-02-19: *** 25658 LINES SKIPPED ***
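Review bot: Section II of FreeBSD-EN-25:08.caroot says only that several certificates were added to the bundle; if the refresh also dropped or distrusted any roots, Sections II and III should say so, because a system that keeps trusting a root the bundle has removed is a different, and more security-relevant, impact than the connection error Section III describes. Two wording points in the same hunk: Section I reads better as "to aid in determining whether a given TLS certificate should be trusted" (the current "whether it should trust" has no clear subject), and Section III needs a comma before "causing an error".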
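Review bot: the 2025b entry added at the top of contrib/tzdata/NEWS records a fix to the zic program ("'zic -l TIMEZONE -d . -l /some/other/file/system' no longer attempts to create an incorrect symlink, and no longer has a read buffer underflow"), but every file touched in the visible part of tzdata-2025b.patch (NEWS, asia, northamerica, southamerica) is tz data, and the hunk is cut off before the remaining 25658 lines. Please confirm the patch also carries the matching zic change, or state in EN-25:04 that only the 2025b data was imported, so readers do not take the NEWS text as a statement that the zic read-buffer-underflow fix is part of this errata.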