Diffstat (limited to 'website/static/security/advisories')
-rw-r--r-- website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc 137
-rw-r--r-- website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc 131
-rw-r--r-- website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc 140
-rw-r--r-- website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc 140
-rw-r--r-- website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc 207
-rw-r--r-- website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc 162
6 files changed, 917 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc b/website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc
new file mode 100644
index 0000000000..e2da868709
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:15.arm64.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:15.arm64 Errata Notice
+ The FreeBSD Project
+
+Topic: arm64 syscall(2) allows unprivileged user to panic kernel
+
+Category: core
+Module: arm64
+Announced: 2025-09-16
+Credits: Juniper Networks, Inc.
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-08-25 15:23:01 UTC (stable/14, 14.3-STABLE)
+ 2025-09-16 16:31:06 UTC (releng/14.3, 14.3-RELEASE-p3)
+ 2025-09-16 16:31:17 UTC (releng/14.2, 14.2-RELEASE-p6)
+ 2025-08-25 15:23:22 UTC (stable/13, 13.5-STABLE)
+ 2025-09-16 16:31:26 UTC (releng/13.5, 13.5-RELEASE-p4)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The FreeBSD arm64 kernel implements a 32-bit compatibility layer, enabling
+execution of unmodified 32-bit arm binaries on a 64-bit system.
+
+FreeBSD implements a pseudo system call, syscall(2), which lets the caller
+invoke a system call selected using the first system call argument.
+
+II. Problem Description
+
+The 32-bit compatibility layer implements syscall(2). It performs some
+validation of the system call parameters and explicitly calls panic() to
+panic the system if an unexpected state is reached.
+
+It is possible to construct a program which can reach this unexpected state,
+resulting in a panic. In particular, no particular privileges are required
+to do so.
+
+III. Impact
+
+An unprivileged user may be able to trigger a panic.
+
+IV. Workaround
+
+No workaround is available. Non-arm64 platforms are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:15/arm64.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:15/arm64.patch.asc
+# gpg --verify arm64.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 17d87881a363 stable/14-n272249
+releng/14.3/ 99012995b4c6 releng/14.3-n271440
+releng/14.2/ 722746b39e6e releng/14.2-n269534
+stable/13/ 98ac13c4baf5 stable/13-n259404
+releng/13.5/ 751971e55454 releng/13.5-n259175
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:15.arm64.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=58zg
+-----END PGP SIGNATURE-----
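Review bot: In the binary-patch step of section V, the reboot message reads "Rebooting for a security update", but this file is an Errata Notice, and the EN-25:16 and EN-25:17 notices added in the same commit use "shutdown -r now"; consider matching them or rewording the message. In section II, "In particular, no particular privileges are required to do so" repeats itself; "No special privileges are required to do so" reads more cleanly. Section IV only says non-arm64 platforms are unaffected, while sections I and II tie the panic to the 32-bit compatibility layer, so a sentence on whether arm64 kernels without that layer are exposed would help readers scope the notice.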
diff --git a/website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc b/website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc
new file mode 100644
index 0000000000..648944e6a9
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:16.vfs.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:16.vfs Errata Notice
+ The FreeBSD Project
+
+Topic: copy_file_range(2) fails to set output parameters
+
+Category: core
+Module: vfs
+Announced: 2025-09-16
+Affects: FreeBSD 14.3
+Corrected: 2025-08-23 21:25:20 UTC (stable/14, 14.3-STABLE)
+ 2025-09-16 16:31:07 UTC (releng/14.3, 14.3-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+copy_file_range(2) is a system call which takes two file descriptors as input
+and copies data from one file to the other.
+
+II. Problem Description
+
+The copy_file_range(2) system call accepts two optional pointer arguments,
+inoffp and outoffp. When non-NULL, the kernel is to use their values to
+determine the starting offsets for the input and output files, respectively.
+In this case, the seek offset corresponding to the file descriptor is not
+used or updated.
+
+When finishing the copy, the kernel is supposed to write updated offsets to
+the pointed-to values. However, it does not do so.
+
+III. Impact
+
+Applications which rely on this behaviour may behave incorrectly. No such
+applications exist in the base system.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r now
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:16/vfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:16/vfs.patch.asc
+# gpg --verify vfs.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 2fd0083fcc23 stable/14-n272229
+releng/14.3/ d1e981cbf3bd releng/14.3-n271441
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288985>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:16.vfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBMACgkQbljekB8A
+Gu8ZLxAAql8vK7+rcHUDI0gKQu9TC2jlNC7EZcDwMupCnbjXFv8mSbC48XWeXUYk
+j6DLDK8BWGOs4+1xftFlHCgu4yPLm7YhcgiUIhqlViAhNBfwIH9YDP/3heYEkvBn
+Ns6sh/jtRkB3t+j1fbrcMFZZT2G1plCr4GTZS1fEE+YXQ6NNwo90liSi5dDh2m2Y
+1OvLjdRwVj/BzVNqygiVJGXkof2SS3KsoVMv8CsoBZnSgvXyIPjgBhqJIjzh6my7
+BqRmylf+8tZXAKCR0Ylp6qFdI1gEcxWNXyadfUuigAoQFiAFSOX/T1NYYtpK7koH
+IROnhKxU6TKj1EhvPrV40I+vdwBYczTZlXIFRrQw0CI7sDIus53T94rmUaqwfY+L
+0yiW7gnqwujzaFkv6u9biAoVvm0FHuqq+tsOeB5k344nQ5BrbzMKVatPw2J3HG53
+alalSlMQzgKZYfCkQPemzusVJIlkazJ5r2kMeHzKukfMtjCLyOP+K/evo+Y0HCHh
+eOwNoRLNdLra92GGlk643bKBx8pbC4J+FYXq7/+/MHQkAFX8GWZ5XoMjqIaq/e1r
+poa72xNwSFrPLbbWkBXf/kknifVv98/VPRE4guzgwNjBo5wVUNzRhhVUsSmzEHPe
+3ris0e+OD+te5gqfp5+cKaQS7RUXItXtGO/FzJHl+mmkEfrkD9I=
+=q5E4
+-----END PGP SIGNATURE-----
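Review bot: In section III, "Applications which rely on this behaviour" has no clear referent, because the sentence just before it in section II describes the broken behaviour ("However, it does not do so"). Suggest spelling it out, for example "Applications which pass non-NULL inoffp or outoffp and rely on the kernel writing back the updated offsets may behave incorrectly." Since Affects lists only FreeBSD 14.3, section II would also benefit from one line saying that earlier releases write the offsets back correctly, if that is the case.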
diff --git a/website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc b/website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc
new file mode 100644
index 0000000000..df6b461cfc
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:17.bnxt.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:17.bnxt Errata Notice
+ The FreeBSD Project
+
+Topic: bnxt(4) fails to set media type in some cases
+
+Category: core
+Module: bnxt
+Announced: 2025-09-16
+Affects: FreeBSD 14.3
+Corrected: 2025-06-22 07:18:55 UTC (stable/14, 14.3-STABLE)
+ 2025-09-16 16:31:08 UTC (releng/14.3, 14.3-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The bnxt(4) driver provides support for Broadcom NetXtreme-C/NetXtreme-E Family
+of Ethernet controllers. A key function of the driver is to report the various
+supported physical media types and operational modes (e.g., 1000base-T,
+40GBASE-AOC, full-duplex, autoselect) to the operating system's ifmedia
+interface. This allows network administrators to view and configure the
+interface link settings.
+
+II. Problem Description
+
+A logic error was introduced into the bnxt(4) driver which prevented the proper
+population of the supported media list for several physical connection types.
+Inside the function responsible for building this list, a switch statement
+incorrectly used return statements instead of break statements. This caused
+the function to exit prematurely after identifying certain media types,
+including common BASE-T (copper), 40G Active Optical Cable (AOC), and 1G-CX
+connections, before the corresponding speed and duplex options could be
+registered with the network subsystem.
+
+III. Impact
+
+For network controllers using the affected media types, the driver fails to
+advertise any supported link modes. An administrator running ifconfig(8) on
+the interface would see incorrect media (unknown). Because of this, the
+network interface may be unable to establish a link, as the operating system
+cannot properly configure it or initiate auto-negotiation. The network port
+will be unusable.
+
+IV. Workaround
+
+No workaround is available. Only systems that uses bnxt(4) device with the
+affected media types are affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r now
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:17/bnxt.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:17/bnxt.patch.asc
+# gpg --verify bnxt.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 33f65f12eba1 stable/14-n271757
+releng/14.3/ c07b1838f9c9 releng/14.3-n271442
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=33f65f12eba1>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287395>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:17.bnxt.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjJlBUACgkQbljekB8A
+Gu//GBAAu3k3rFlqFKbSgq38xldf8fFngj/IuLa4BjB2lcTa7Rpy+6vxlFxXyqVk
+9VVXf+tkXNhQ5ngY52SqMDdlG0OQdr+rwPcB8bI2nw+1DW1FRMVvBN7PlJrGgs2N
+OtE6I4Wy+IK7vyzEgs8P3Kq3U7oXQVz/jJ3n1DmmjxlKfNqlo3eOGDlNZgTdFF2h
+NbZUW4CGZTQxV4Ihq7Zg99bJw38o6WkOjkBkd7/djQfLm9aufVoWPN7SDaVnDun0
+vtWTTXrxsmPfVZB0sxdhYLjKPX+4GdVype0k3A26K50dTNVh5GAhWzH1LqFS6BR4
+DveE4/02bjaTAqK1XW+08JoGqibzmOTt8mUOlKL1aomACgmFc2Lzj33Qd6z1JdJB
+6XYTcAoi2Kz94VHBMYjgWOBjiw66YryEyNpHJkFCfWnA3jgZB9TKZn2FZPxGBbvM
+6an5ZcjaKHv1X+en2Fh8Ri1Hq4CKN/SmI/Sp0B28hXv8MQCNOnTqxqgdKgg2xQnD
+0BasLt7y8y4rAHed+znWW1gRHWLP9q4FLqdvargtdMO81N2n/fm8jKe+SD2YNfTQ
+Nvs29hRzs/thxI1gJMhDmmHkprGOyy6fzdZLtUjqhPh2l/YvHq32i/iNKpVfCy5v
+hHpd38wxOpTs5nk4qbVZlS2DgRuTSO/VU0IMphaIwBhwHkZaoWY=
+=jvzm
+-----END PGP SIGNATURE-----
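Review bot: In section VI, the line "Or visit the following URL, replacing NNNNNN with the hash:" is followed by a URL that ends in "?id=33f65f12eba1" instead of the "?id=NNNNNN" placeholder, so the instruction no longer matches the URL and a reader on releng/14.3 is pointed at the stable/14 commit. Suggest restoring the placeholder as in the other notices. In section IV, "Only systems that uses bnxt(4) device" should read "Only systems that use a bnxt(4) device", and in section III "would see incorrect media (unknown)" would be clearer as "would see the media reported as unknown".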
diff --git a/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc
new file mode 100644
index 0000000000..879a139248
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:18.freebsd-update Errata Notice
+ The FreeBSD Project
+
+Topic: freebsd-update(8) installs libraries in incorrect order
+
+Category: core
+Module: freebsd-update
+Announced: 2025-09-30
+Credits: Graham Perrin
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-09-25 19:26:37 UTC (stable/15, 15.0-ALPHA4)
+ 2025-09-25 19:27:06 UTC (stable/14, 14.3-STABLE)
+ 2025-09-30 15:37:15 UTC (releng/14.3, 14.3-RELEASE-p4)
+ 2025-09-30 15:37:24 UTC (releng/14.2, 14.2-RELEASE-p7)
+ 2025-09-25 19:27:34 UTC (stable/13, 13.5-STABLE)
+ 2025-09-30 15:37:34 UTC (releng/13.5, 13.5-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The freebsd-update(8) utility is used to fetch, install, and rollback
+binary updates to the FreeBSD base system. In addition to security and
+errata updates within a release (its original purpose), freebsd-update(8)
+can be used to upgrade to a newer FreeBSD release.
+
+II. Problem Description
+
+When installing updates, freebsd-update(8) did not enforce ordering between
+the C standard library ("libc") and the system library ("libsys") which was
+introduced in FreeBSD 15.0.
+
+III. Impact
+
+When using freebsd-update(8) to upgrade a system from FreeBSD 13.x or 14.x to
+FreeBSD 15.0, freebsd-update(8) would install a new libc which depends on
+libsys before the libsys library existed. This resulted in the rest of the
+update failing to install and a mostly-unusable system, with only statically
+linked binaries (e.g. in /rescue) functioning.
+
+IV. Workaround
+
+No workaround is available, but this misbehaviour only applies to using
+freebsd-update(8) to upgrade to FreeBSD 15.0; applying security and errata
+updates (including this one) within a release branch is unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ 8134e7f4b406 stable/15-n280326
+stable/14/ e26928669f39 stable/14-n272484
+releng/14.3/ 978e04ff5bcf releng/14.3-n271445
+releng/14.2/ 3447fea3523b releng/14.2-n269536
+stable/13/ 87eb52f1b061 stable/13-n259445
+releng/13.5/ ab91dd76ff72 releng/13.5-n259177
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289769>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:18.freebsd-update.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=8oNH
+-----END PGP SIGNATURE-----
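Review bot: Section V gives only the generic "freebsd-update fetch" and "freebsd-update install" steps and never states that this update has to be installed on the running 13.x or 14.x system before an upgrade to FreeBSD 15.0 is started, which is the only scenario section III describes. The ordering is implied by the parenthetical in section IV ("including this one"), but a reader skimming the Solution could miss it; suggest an explicit sentence there. Section III also describes a system left with only statically linked binaries working, so a pointer to recovery steps for systems already in that state, or a statement that none is provided, would be useful.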
diff --git a/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc b/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc
new file mode 100644
index 0000000000..339a9ce084
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc
@@ -0,0 +1,207 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-25:08.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in OpenSSL
+
+Category: contrib
+Module: openssl
+Announced: 2025-09-30
+Credits: Stanislav Fort (Aisle Research)
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-09-30 15:26:14 UTC (stable/15, 15.0-ALPHA4)
+ 2025-09-30 15:28:38 UTC (stable/14, 14.3-STABLE)
+ 2025-09-30 15:37:16 UTC (releng/14.3, 14.3-RELEASE-p4)
+ 2025-09-30 15:37:25 UTC (releng/14.2, 14.2-RELEASE-p7)
+ 2025-09-30 15:30:02 UTC (stable/13, 13.5-STABLE)
+ 2025-09-30 15:37:35 UTC (releng/13.5, 13.5-RELEASE-p5)
+CVE Name: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
+also a general-purpose cryptography library.
+
+II. Problem Description
+
+* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
+Affects: FreeBSD 15.x, 14.x, and 13.x
+
+An application trying to decrypt cryptographic message syntax (CMS) messages
+encrypted using password based encryption can trigger an out-of-bounds read
+and write.
+
+* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231)
+Affects: FreeBSD 15.x only
+
+A timing side-channel which could potentially allow remote recovery of the
+private key exists in the SM2 algorithm implementation on 64-bit ARM
+platforms.
+
+* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
+Affects: FreeBSD 15.x and 14.x only
+
+An application using the OpenSSL HTTP client API functions may trigger an
+out-of-bounds read if the "no_proxy" environment variable is set and the host
+portion of the authority component of the HTTP URL is an IPv6 address.
+
+III. Impact
+
+* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230)
+Affects: FreeBSD 15.x, 14.x, and 13.x
+
+The out-of-bounds read may trigger a crash which leads to denial of service
+for an application. The out-of-bounds write can cause a memory corruption
+which can have various consequences including a denial of service or
+execution of attacker-supplied code.
+
+Although the consequences of a successful exploit of this vulnerability
+could be severe, the probability that an attacker would be able to
+perform it is low. Password based (PWRI) encryption support in CMS
+messages is very rarely used.
+
+* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231)
+Affects: FreeBSD 15.x only
+
+A timing side-channel in SM2 signature computations on 64 bit ARM platforms
+could allow recovering the private key by an attacker.
+
+OpenSSL does not directly support certificates with SM2 keys in TLS, and so
+this CVE is not relevant in most TLS contexts. However, it is possible to
+add support for such certificates via a custom provider.
+
+* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232)
+Affects: FreeBSD 15.x and 14.x only
+
+An out-of-bounds read can trigger a crash which leads to denial of service
+for an application.
+
+The OpenSSL HTTP client API functions can be used directly by applications
+but they are also used by the OCSP client functions and CMP (Certificate
+Management Protocol) client implementation in OpenSSL. However the URLs used
+by these implementations are unlikely to be controlled by an attacker.
+
+In this vulnerable code the out of bounds read can only trigger a crash.
+Furthermore the vulnerability requires an attacker-controlled URL to be
+passed from an application to the OpenSSL function and the user has to have
+a "no_proxy" environment variable set.
+
+IV. Workaround
+
+No workaround is available. Several of the issues have mitigating factors.
+Please see the Impact section for more details.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.x]
+# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch.asc
+# gpg --verify openssl-15.patch.asc
+
+[FreeBSD 14.x]
+# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch.asc
+# gpg --verify openssl-14.patch.asc
+
+[FreeBSD 13.5]
+# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch.asc
+# gpg --verify openssl-13.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ 4d6fd774b5b3 stable/15-n280387
+stable/14/ 270158508d7c stable/14-n272541
+releng/14.3/ 75d258af9fe9 releng/14.3-n271446
+releng/14.2/ 6a0d914d9c3e releng/14.2-n269537
+stable/13/ c0dbaf2b5dbd stable/13-n259448
+releng/13.5/ ae7c74cfa531 releng/13.5-n259178
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://openssl-library.org/news/secadv/20250930.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9231>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9232>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:08.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=nUv2
+-----END PGP SIGNATURE-----
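Review bot: In step 2a of section V the patch labels are "[FreeBSD 15.x]", "[FreeBSD 14.x]" and "[FreeBSD 13.5]"; the third breaks the pattern, while sections II and III say "13.x" for CVE-2025-9230. Suggest "[FreeBSD 13.x]" unless the patch really applies to 13.5 only, in which case say so. Section VI opens with "This issue is corrected" although the advisory covers three CVEs; "These issues are corrected" would match the Topic. The headings also alternate between "64 bit ARM" and "64-bit ARM" within the same item.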
diff --git a/website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc b/website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc
new file mode 100644
index 0000000000..49fe1c653f
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-25:09.netinet.asc
@@ -0,0 +1,162 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-25:09.netinet Security Advisory
+ The FreeBSD Project
+
+Topic: SO_REUSEPORT_LB breaks connect(2) for UDP sockets
+
+Category: core
+Module: netinet
+Announced: 2025-10-22
+Credits: MSc. student Omer Ben Simhon and Prof. Amit Klein,
+ both from the Hebrew University School of Computer
+ Science and Engineering
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-10-22 15:48:25 UTC (stable/15, 15.0-STABLE)
+ 2025-10-22 15:50:30 UTC (releng/15.0, 15.0-BETA2-p1)
+ 2025-10-22 15:48:51 UTC (stable/14, 14.3-STABLE)
+ 2025-10-22 15:51:57 UTC (releng/14.3, 14.3-RELEASE-p5)
+ 2025-10-22 15:49:32 UTC (stable/13, 13.4-STABLE)
+ 2025-10-22 15:53:35 UTC (releng/13.5, 13.5-RELEASE-p6)
+CVE Name: CVE-2025-24934
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+SO_REUSEPORT_LB is a socket option, set by setsockopt(2), which allows multiple
+TCP or UDP sockets to bind to the same socket address, creating a
+load-balancing group. Incoming packets and connections are distributed evenly
+among sockets in a group. This helps network services avoid scalability
+bottlenecks caused by having a single TCP listening socket. In particular, it
+is expected that sockets belonging to a load-balancing group will accept
+packets from any source address.
+
+II. Problem Description
+
+Connected sockets are not intended to belong to load-balancing groups.
+However, the kernel failed to check the connection state of sockets when adding
+them to load-balancing groups. Furthermore, when looking up the destination
+socket for an incoming packet, the kernel will match a socket belonging to a
+load-balancing group even if it is connected.
+
+Connected sockets are only supposed to receive packets originating from the
+connected host. The above behavior violates this contract.
+
+III. Impact
+
+Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host
+will not observe any problems. However, due to its membership in a
+load-balancing group, that socket will receive packets originating from any
+host. This breaks the contract of the connect(2) and implied connect via
+sendto(2), and may leave the application vulnerable to spoofing attacks.
+
+IV. Workaround
+
+No workaround is available. Software which does not use SO_REUSEPORT_LB is
+not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.x]
+# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-15.patch.asc
+# gpg --verify netinet-15.patch.asc
+
+[FreeBSD 14.x]
+# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-14.patch.asc
+# gpg --verify netinet-14.patch.asc
+
+[FreeBSD 13.x]
+# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:09/netinet-13.patch.asc
+# gpg --verify netinet-13.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/15/ ef159100ec2b stable/15-n280782
+releng/15.0/ 98c539667881 releng/15.0-n280723
+stable/14/ e276759b3687 stable/14-n272700
+releng/14.3/ 058bcb57cd4b releng/14.3-n271448
+stable/13/ df888c8f41f6 stable/13-n259508
+releng/13.5/ 90e14aa082d3 releng/13.5-n259180
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24934>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:09.netinet.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=RgID
+-----END PGP SIGNATURE-----
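Review bot: In the Corrected field, the stable/13 entry reads "13.4-STABLE", while the releng/13.5 entry below it is "13.5-RELEASE-p6" and the other advisories in this commit list stable/13 as "13.5-STABLE"; this looks like a typo and should be checked before publication. The Topic limits the issue to "connect(2) for UDP sockets", but sections I to III speak of "TCP or UDP sockets" and of connected sockets generally, so the Problem Description should state whether only UDP is affected. In section III, "will not observe any problems" followed by "However" is easy to misread; something like "will appear to work normally, but" conveys the point more directly.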