aboutsummaryrefslogtreecommitdiff
path: root/en_US.ISO8859-1/htdocs/security/security.xml
blob: bc386c96c662f857bc8d1bd0cbfce1d4bddae084 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//FreeBSD//DTD XHTML 1.0 Transitional-Based Extension//EN"
"http://www.FreeBSD.org/XML/share/xml/xhtml10-freebsd.dtd" [
<!ENTITY title "FreeBSD Security Information">
]>
<!-- $FreeBSD$ -->

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>&title;</title>

    <cvs:keyword xmlns:cvs="http://www.FreeBSD.org/XML/CVS">$FreeBSD$</cvs:keyword>
  </head>

  <body class="navinclude.support">

  <h2>Introduction</h2>

  <p>FreeBSD takes security very seriously and its developers are
    constantly working on making the operating system as secure as
    possible.  This page will provide information about what to do in
    the event of a security vulnerability affecting your system</p>

  <h2>Table of Contents</h2>

  <ul>
    <li><a href="#reporting">Reporting FreeBSD security
	incidents</a></li>
    <li><a href="#recent">Recent FreeBSD security
	vulnerabilities</a></li>
    <li><a href="#advisories">Understanding FreeBSD security
	advisories</a></li>
    <li><a href="#how">How to update your
	system</a></li>
    <li><a href="#sup">Supported FreeBSD releases</a></li>
    <li><a href="#model">The FreeBSD support model</a></li>
  </ul>

  <a name="reporting"></a>
  <h2>Reporting FreeBSD security incidents</h2>

  <p>FreeBSD security issues specific to the base system
    should be reported via email to the <a
      href="mailto:secteam@FreeBSD.org">FreeBSD Security Team</a>
    or, if a higher level of confidentiality is required, via PGP
    encrypted email to the <a
      href="mailto:security-officer@FreeBSD.org">Security Officer
      Team</a>
    using the <a href="so_public_key.asc">Security Officer PGP
      key</a>.
    Additional information can be found at the <a
      href="reporting.html">reporting FreeBSD security incidents</a>
    page.</p>

  <a name="when-reporting"></a>
  <h2>When is a Security Advisory considered?</h2>

  <p>For every issue that gets reported, an internal tracking number is
    created, unless something is very obviously not a security issue.
    To determine whether or not a Security Advisory is warranted we use
    the following scheme:</p>

  <ul>
    <li>Is it a privilege escalation vulnerability?</li>
    <li>Is it a code injection vulnerability?</li>
    <li>Is it a memory disclosure or dataleak vulnerability?
      <ul>
	<li>From either the kernel</li>
	<li>From a privileged process</li>
	<li>From a process owned by another user?</li>
      </ul>
    </li>
    <li>Is it a Denial of Service vulnerability?
      <ul>
	<li>Only when remotely exploitable, where remotely means that it
	  comes from a different broadcast domain, so ARP and/or NDP based
	  attacks do not qualify.</li>
      </ul>
    </li>
    <li>Is it an unassisted jailbreak vulnerability?</li>
    <li>Is it a malfunction that could lead to generating insecure crypto keys,
      such as a PRNG bug?</li>
  </ul>

  <p>For items that fall under these categories, a Security Advisory is very likely.
    Items that are not on this list are looked into individually and it will be determined
    then whether or not it will receive a Security Advisory or an Errata Notice.</p>

  <p>Once it had been determined that a Security Advisory is warranted, either the
    submitter delivers a CVE number if he/she already requested one, or we use one
    from the FreeBSD pool available.</p>

  <a name="recent"></a>
  <h2>Recent FreeBSD security vulnerabilities</h2>

  <p>A full list of all security vulnerabilities affecting the base
    system can be found <a href="advisories.html">on this
      page</a>.</p>

  <a name="advisories"></a>
  <h2>Understanding FreeBSD security advisories</h2>

  <p>Advisories affecting the base system are sent to the following
    mailing lists:</p>

  <ul>
    <li>FreeBSD-security-notifications@FreeBSD.org</li>
    <li>FreeBSD-security@FreeBSD.org</li>
    <li>FreeBSD-announce@FreeBSD.org</li>
  </ul>

  <p>The list of released advisories can be found on the <a
      href="advisories.html">FreeBSD Security Advisories</a> page.</p>

  <p>Advisories are always signed using the FreeBSD Security Officer
    <a href="so_public_key.asc">PGP key</a> and are archived, along
    with their associated patches, at the <a
      href="http://security.FreeBSD.org/">http://security.FreeBSD.org/</a>
    web server in the <a
      href="http://security.FreeBSD.org/advisories/">advisories</a>
    and <a href="http://security.FreeBSD.org/patches/">patches</a>
    subdirectories.</p>

  <p>The FreeBSD Security Officer provides security advisories for
    <em>-STABLE Branches</em> and the <em>Security Branches</em>.
    (Advisories are not issued for the <em>-CURRENT Branch</em>,
    which is primarily oriented towards &os; developers.)</p>

  <ul>
    <li><p>The -STABLE branch tags have names like <tt>stable/10</tt>.
      The corresponding builds have names like <tt>FreeBSD
      10.1-STABLE</tt>.</p></li>

    <li><p>Each FreeBSD Release has an associated Security Branch.
      The Security Branch tags have names like <tt>releng/10.1</tt>.
      The corresponding builds have names like <tt>FreeBSD
      10.1-RELEASE-p4</tt>.</p></li>
  </ul>

  <p>Issues affecting the FreeBSD Ports Collection are covered
    separately in <a href="http://vuxml.FreeBSD.org/">the FreeBSD
      VuXML document</a>.</p>

  <a name="how"></a>
  <h2>How to update your system</h2>

  <p>For users that have previously installed a binary version of &os;
    (e.g., &rel.current; or &rel2.current;),
    commands:</p>

  <tt># freebsd-update fetch<br />
    # freebsd-update install</tt>

  <p>If that fails, follow the other instructions in the security
    advisory you care about.</p>

  <p>Note that the above procedure is only for users who have
    previously installed a binary distribution.  Those who have
    built from source will need to update their source tree to
    upgrade.</p>

  <a name="sup"></a>
  <h2>Supported FreeBSD releases</h2>

  <p>Each release is supported by the Security Officer for a limited
    time only.</p>

  <p>The designation and expected lifetime of all currently supported
    branches
    and their respective releases
    are given below.  The <em>Expected EoL (end-of-life)</em>
    column indicates the earliest date on which support for that
    branch or release will end.  Please note that these dates may be
    pushed back if circumstances warrant it.</p>

  <p><a href="unsupported.html">Older releases</a>
    are not supported and users are strongly
    encouraged to upgrade to one of these supported releases:</p>

  <!--
      Please also update head/en_US.ISO8859-1/htdocs/releng/index.xml
      when updating this list of supported branches.
  -->
  <table class="tblbasic">
    <tr>
      <th>Branch</th>
      <th>Release</th>
      <th>Type</th>
      <th>Release Date</th>
      <th>Expected EoL</th>
    </tr>
    <tr>
      <td>stable/12</td>
      <td>n/a</td>
      <td>n/a</td>
      <td>n/a</td>
      <td>June 30, 2024</td>
    </tr>
    <tr>
      <td>releng/12.0</td>
      <td>12.0-RELEASE</td>
      <td>n/a</td>
      <td>December 11, 2018</td>
      <td>12.1-RELEASE + 3 months</td>
    </tr>
    <tr>
      <td>stable/11</td>
      <td>n/a</td>
      <td>n/a</td>
      <td>n/a</td>
      <td>September 30, 2021</td>
    </tr>
    <tr>
      <td>releng/11.2</td>
      <td>11.2-RELEASE</td>
      <td>n/a</td>
      <td>June 28, 2018</td>
      <td>11.3-RELEASE + 3 months</td>
    </tr>
    <tr>
      <td>releng/11.3</td>
      <td>11.3-RELEASE</td>
      <td>n/a</td>
      <td>July 9, 2019</td>
      <td>11.4-RELEASE + 3 months (or September 30, 2021)</td>
    </tr>
  </table>

  <p>In the run-up to a release, a number of -BETA and -RC releases
    may be published for testing purposes.  These releases are only
    supported for a few weeks, as resources permit, and will not be
    listed as supported on this page.  Users are strongly discouraged
    from running these releases on production systems.</p>

  <a name="model"></a>
  <h2>The FreeBSD support model</h2>

  <p>Under the current support model, each major version's stable branch
    is explicitly supported for 5 years, while each individual point
    release is only supported for three months after the next point
    release.</p>

  <p>The details and rationale behind this model can be found in the
    <a
      href="https://lists.freebsd.org/pipermail/freebsd-announce/2015-February/001624.html">official
      announcement</a> sent in February 2015.</p>

</body>
</html>