1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
|
<!DOCTYPE HTML PUBLIC "-//FreeBSD//DTD HTML 4.01 Transitional-Based Extension//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.223 2012/01/10 18:07:15 cperciva Exp $">
<!ENTITY title "FreeBSD Security Information">
<!ENTITY % navinclude.support "INCLUDE">
<!ENTITY % developers PUBLIC "-//FreeBSD//ENTITIES FreeBSD Developers Entities//EN"> %developers;
]>
<!-- $FreeBSD: www/en/security/security.sgml,v 1.223 2012/01/10 18:07:15 cperciva Exp $ -->
<html>
&header;
<h2>Introduction</h2>
<p>This web page is designed to assist both new and experienced
users in the area of FreeBSD security. FreeBSD takes security
very seriously and is constantly working on making the operating
system as secure as possible.</p>
<h2>Table of Contents</h2>
<ul>
<li><a href="#how">How and where to report a FreeBSD security issue</a></li>
<li><a href="#sec">Information about the FreeBSD Security Officer</a></li>
<li><a href="#pol">Information handling policies</a></li>
<li><a href="#sup">Supported FreeBSD Releases</a></li>
<li><a href="#unsup">Unsupported FreeBSD Releases</a></li>
</ul>
<h2>Other Security Links</h2>
<ul>
<li><a href="charter.html">Charter for the Security Officer and Team</a></li>
<li><a href="advisories.html">List of FreeBSD Security Advisories</a></li>
<li><a href="notices.html">List of FreeBSD Errata Notices</a></li>
<li><a href="&base;/doc/en_US.ISO8859-1/books/handbook/security-advisories.html">
Reading FreeBSD Security Advisories</a></li>
</ul>
<a name="how"></a>
<h2>How and where to report a FreeBSD security issue</h2>
<p>All FreeBSD security issues should be reported to the <a
href="mailto:secteam@FreeBSD.org">FreeBSD Security Team</a>
or, if a higher level of confidentiality is required, PGP encrypted to the <a
href="mailto:security-officer@FreeBSD.org">Security Officer Team</a>
using the <a href="so_public_key.asc">Security Officer PGP key</a>.
All reports should at least contain:</p>
<ul>
<li>A description of the vulnerability.</li>
<li>What versions of FreeBSD seem to be affected if possible.</li>
<li>Any plausible workaround.</li>
<li>Example code if possible.</li>
</ul>
<p>After this information has been reported the Security Officer or
a Security Team delegate will get back with you.</p>
<h3>Spam filters</h3>
<p>Due to high volume of spam the main security contact mail
addresses are subject to spam filtering. If you cannot contact
the FreeBSD Security Officers or Security Team due to spam filters
(or suspect your mail has been filtered), please send mail to
<tt>security-officer-<em>XXXX</em>@FreeBSD.org</tt> with
<em>XXXX</em> replaced with <tt>3432</tt> instead of the normal
addresses. Note that this address will be changed periodically so
check back here for the latest address. Mails to this address
will go to the FreeBSD Security Officer Team.</p>
<a name=sec></a>
<h2>The FreeBSD Security Officer Team and the FreeBSD Security Team</h2>
<p>In order that the FreeBSD Project may respond to vulnerability
reports in a timely manner, there are three members of the Security
Officer mail alias: the Security Officer,
Deputy Security Officer, and one Core Team member.
Therefore, messages sent to the <a
href="mailto:security-officer@FreeBSD.org"><security-officer@FreeBSD.org></a>
mail alias are currently delivered to:</p>
<table>
<tr valign="top">
<td>&a.cperciva; <a
href="mailto:cperciva@FreeBSD.org"><cperciva@FreeBSD.org></a></td>
<td>Security Officer</td>
</tr>
<tr valign="top">
<td>&a.simon; <a
href="mailto:simon@FreeBSD.org"><simon@FreeBSD.org></a></td>
<td>Deputy Security Officer</td>
</tr>
<tr valign="top">
<td>&a.rwatson; <a
href="mailto:rwatson@FreeBSD.org"><rwatson@FreeBSD.org></a></td>
<td>FreeBSD Core Team liaison, Release Engineering liaison,<br>
TrustedBSD Project liaison, system security architecture expert</td>
</tr>
</table>
<p>The Security Officer is supported by the <a
href="&base;/administration.html#t-secteam" >FreeBSD Security
Team</a> <a
href="mailto:secteam@FreeBSD.org"><secteam@FreeBSD.org></a>,
a small group of committers vetted by the Security Officer.</p>
<a name="pol"></a>
<h2>Information handling policies</h2>
<p>As a general policy, the FreeBSD Security Officer favors full
disclosure of vulnerability information after a reasonable delay
to permit safe analysis and correction of a vulnerability, as well
as appropriate testing of the correction, and appropriate
coordination with other affected parties.</p>
<p>The Security Officer <em>will</em> notify one or more of the
FreeBSD Cluster Admins of
vulnerabilities that put the FreeBSD Project's resources under
immediate danger.</p>
<p>The Security Officer may bring additional FreeBSD developers or
outside developers into discussion of a submitted security
vulnerability if their expertise is required to fully understand
or correct the problem. Appropriate discretion will be exercised
to minimize unnecessary distribution of information about the
submitted vulnerability, and any experts brought in will act in
accordance of Security Officer policies. In the past, experts
have been brought in based on extensive experience with highly
complex components of the operating system, including FFS, the VM
system, and the network stack.</p>
<p>If a FreeBSD release process is underway, the FreeBSD Release
Engineer may also be notified that a vulnerability exists, and its
severity, so that informed decisions may be made regarding the
release cycle and any serious security bugs present in software
associated with an up-coming release. If requested, the Security
Officer will not share information regarding the nature of the
vulnerability with the Release Engineer, limiting information flow
to existence and severity.</p>
<p>The FreeBSD Security Officer has close working relationships with
a number of other organizations, including third-party vendors
that share code with FreeBSD (the OpenBSD, NetBSD and DragonFlyBSD
projects, Apple, and other vendors deriving software from FreeBSD,
as well as the Linux vendor security list), as well as
organizations that track vulnerabilities and security incidents,
such as CERT. Frequently vulnerabilities may extend beyond the
scope of the FreeBSD implementation, and (perhaps less frequently)
may have broad implications for the global networking community.
Under such circumstances, the Security Officer may wish to
disclose vulnerability information to these other organizations:
if you do not wish the Security Officer to do this, please
indicate so explicitly in any submissions.</p>
<p>Submitters should be careful to explicitly document any special
information handling requirements.</p>
<p>If the submitter of a vulnerability is interested in a
coordinated disclosure process with the submitter and/or other
vendors, this should be indicated explicitly in any submissions.
In the absence of explicit requests, the FreeBSD Security Officer
will select a disclosure schedule that reflects both a desire for
timely disclosure and appropriate testing of any solutions.
Submitters should be aware that if the vulnerability is being
actively discussed in public forums (such as bugtraq), and
actively exploited, the Security Officer may choose not to follow
a proposed disclosure timeline in order to provide maximum
protection for the user community.</p>
<p>Submissions may be protected using PGP. If desired, responses
will also be protected using PGP.</p>
<a name="sup"></a>
<h2>Supported FreeBSD Releases</h2>
<p>The FreeBSD Security Officer provides security advisories for
several branches of FreeBSD development. These are the
<em>-STABLE Branches</em> and the <em>Security Branches</em>.
(Advisories are not issued for the <em>-CURRENT Branch</em>.)</p>
<ul>
<li><p>The -STABLE branch tags have
names like <tt>RELENG_7</tt>. The corresponding builds have
names like <tt>FreeBSD 7.0-STABLE</tt>.</p></li>
<li><p>Each FreeBSD Release has an associated Security Branch.
The Security Branch tags have names like <tt>RELENG_7_0</tt>.
The corresponding builds have names like <tt>FreeBSD
7.0-RELEASE-p1</tt>.</p></li>
</ul>
<p>Issues affecting the FreeBSD Ports Collection are covered in <a
href="http://vuxml.FreeBSD.org/">the FreeBSD VuXML
document</a>.</p>
<p>Each branch is supported by the Security Officer for a limited
time only, and is designated as one of `<em>Early adopter</em>',
`<em>Normal</em>', or `<em>Extended</em>'. The designation is
used as a guideline for determining the lifetime of the branch as
follows.</p>
<dl>
<dt>Early adopter</dt>
<dd>Releases which are published from the -CURRENT branch will be
supported by the Security Officer for a minimum of 6 months after
the release.</dd>
<dt>Normal</dt>
<dd>Releases which are published from a -STABLE branch will be
supported by the Security Officer for a minimum of 12 months after the
release, and for sufficient additional time (if needed) to ensure
that there is a newer release for at least 3 months before the
older Normal release expires.
</dd>
<dt>Extended</dt>
<dd>Selected releases (normally every second release plus the last
release from each -STABLE branch) will be supported by the
Security Officer for a minimum of 24 months after the release,
and for sufficient additional time (if needed) to ensure that
there is a newer Extended release for at least 3 months before the
older Extended release expires.
</dd>
</dl>
<a name="supported-branches"></a>
<p>The current designation and estimated lifetimes of the currently
supported branches are given below. The <em>Estimated EoL
(end-of-life)</em> column gives the earliest date on which that
branch is likely to be dropped. Please note that these dates may
be extended into the future, but only extenuating circumstances
would lead to a branch's support being dropped earlier than the
date listed.</p>
<!--
Please also update www/en/releng/index.sgml when updating this
list of supported branches.
-->
<table class="tblbasic">
<tr>
<th>Branch</th>
<th>Release</th>
<th>Type</th>
<th>Release Date</th>
<th>Estimated EoL</th>
</tr>
<tr>
<td>RELENG_7</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>February 28, 2013</td>
</tr>
<tr>
<td>RELENG_7_4</td>
<td>7.4-RELEASE</td>
<td>Extended</td>
<td>February 24, 2011</td>
<td>February 28, 2013</td>
</tr>
<tr>
<td>RELENG_8</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>last release + 2 years</td>
</tr>
<tr>
<td>RELENG_8_1</td>
<td>8.1-RELEASE</td>
<td>Extended</td>
<td>July 23, 2010</td>
<td>July 31, 2012</td>
</tr>
<tr>
<td>RELENG_8_2</td>
<td>8.2-RELEASE</td>
<td>Normal</td>
<td>February 24, 2011</td>
<td>July 31, 2012</td>
</tr>
<tr>
<td>RELENG_8_3</td>
<td>8.3-RELEASE</td>
<td>Extended</td>
<td>April 18, 2012</td>
<td>April 30, 2014</td>
</tr>
<tr>
<td>RELENG_9</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>last release + 2 years</td>
</tr>
<tr>
<td>RELENG_9_0</td>
<td>9.0-RELEASE</td>
<td>Normal</td>
<td>January 10, 2012</td>
<td>January 31, 2013</td>
</tr>
</table>
<p>Older releases are not maintained and users are strongly
encouraged to upgrade to one of the supported releases mentioned
above.</p>
<p>Advisories are sent to the following FreeBSD mailing lists:</p>
<ul>
<li>FreeBSD-security-notifications@FreeBSD.org</li>
<li>FreeBSD-security@FreeBSD.org</li>
<li>FreeBSD-announce@FreeBSD.org</li>
</ul>
<p>The list of released advisories can be found on the <a
href="advisories.html">FreeBSD Security Advisories</a> page.</p>
<p>Advisories are always signed using the FreeBSD Security Officer
<a href="so_public_key.asc">PGP
key</a> and are archived, along with their associated patches, at
the <a href="http://security.FreeBSD.org/">http://security.FreeBSD.org/</a>
web server in the <a
href="http://security.FreeBSD.org/advisories/">advisories</a> and <a
href="http://security.FreeBSD.org/patches/">patches</a>
subdirectories.</p>
<a name="unsup"></a>
<h2>Unsupported FreeBSD Releases</h2>
<p>The following releases are no longer supported but are listed
here for reference purposes.</p>
<table class="tblbasic">
<tr>
<th>Branch</th>
<th>Release</th>
<th>Type</th>
<th>Release Date</th>
<th>EoL</th>
</tr>
<tr>
<td>RELENG_4</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>January 31, 2007</td>
</tr>
<tr>
<td>RELENG_4_11</td>
<td>4.11-RELEASE</td>
<td>Extended</td>
<td>January 25, 2005</td>
<td>January 31, 2007</td>
</tr>
<tr>
<td>RELENG_5</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>May 31, 2008</td>
</tr>
<tr>
<td>RELENG_5_3</td>
<td>5.3-RELEASE</td>
<td>Extended</td>
<td>November 6, 2004</td>
<td>October 31, 2006</td>
</tr>
<tr>
<td>RELENG_5_4</td>
<td>5.4-RELEASE</td>
<td>Normal</td>
<td>May 9, 2005</td>
<td>October 31, 2006</td>
</tr>
<tr>
<td>RELENG_5_5</td>
<td>5.5-RELEASE</td>
<td>Extended</td>
<td>May 25, 2006</td>
<td>May 31, 2008</td>
</tr>
<tr>
<td>RELENG_6</td>
<td>n/a</td>
<td>n/a</td>
<td>n/a</td>
<td>November 30, 2010</td>
</tr>
<tr>
<td>RELENG_6_0</td>
<td>6.0-RELEASE</td>
<td>Normal</td>
<td>November 4, 2005</td>
<td>January 31, 2007</td>
</tr>
<tr>
<td>RELENG_6_1</td>
<td>6.1-RELEASE</td>
<td>Extended</td>
<td>May 9, 2006</td>
<td>May 31, 2008</td>
</tr>
<tr>
<td>RELENG_6_2</td>
<td>6.2-RELEASE</td>
<td>Normal</td>
<td>January 15, 2007</td>
<td>May 31, 2008</td>
</tr>
<tr>
<td>RELENG_6_3</td>
<td>6.3-RELEASE</td>
<td>Extended</td>
<td>January 18, 2008</td>
<td>January 31, 2010</td>
</tr>
<tr>
<td>RELENG_6_4</td>
<td>6.4-RELEASE</td>
<td>Extended</td>
<td>November 28, 2008</td>
<td>November 30, 2010</td>
</tr>
<tr>
<td>RELENG_7_0</td>
<td>7.0-RELEASE</td>
<td>Normal</td>
<td>February 27, 2008</td>
<td>April 30, 2009</td>
</tr>
<tr>
<td>RELENG_7_1</td>
<td>7.1-RELEASE</td>
<td>Extended</td>
<td>January 4, 2009</td>
<td>February 28, 2011</td>
</tr>
<tr>
<td>RELENG_7_2</td>
<td>7.2-RELEASE</td>
<td>Normal</td>
<td>May 4, 2009</td>
<td>June 30, 2010</td>
</tr>
<tr>
<td>RELENG_7_3</td>
<td>7.3-RELEASE</td>
<td>Extended</td>
<td>March 23, 2010</td>
<td>March 31, 2012</td>
</tr>
<tr>
<td>RELENG_8_0</td>
<td>8.0-RELEASE</td>
<td>Normal</td>
<td>November 25, 2009</td>
<td>November 30, 2010</td>
</tr>
</table>
&footer;
</body>
</html>
|
