git: a7ac9239fb - main - website: Add EN-24:14 and SA-24:05 through SA-24:08.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 07 Aug 2024 14:41:20 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=a7ac9239fbae263d9bdd9d50486b3150f8c579d8
commit a7ac9239fbae263d9bdd9d50486b3150f8c579d8
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-08-07 14:38:10 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-08-07 14:38:10 +0000
website: Add EN-24:14 and SA-24:05 through SA-24:08.
Approved by: so
---
website/data/security/advisories.toml | 16 +
website/data/security/errata.toml | 4 +
.../advisories/FreeBSD-EN-24:14.ifconfig.asc | 150 +++++
.../security/advisories/FreeBSD-SA-24:05.pf.asc | 155 ++++++
.../advisories/FreeBSD-SA-24:06.ktrace.asc | 139 +++++
.../advisories/FreeBSD-SA-24:07.nfsclient.asc | 145 +++++
.../advisories/FreeBSD-SA-24:08.openssh.asc | 150 +++++
.../security/patches/EN-24:14/ifconfig.patch | 26 +
.../security/patches/EN-24:14/ifconfig.patch.asc | 16 +
.../static/security/patches/SA-24:05/pf-13.patch | 615 ++++++++++++++++++++
.../security/patches/SA-24:05/pf-13.patch.asc | 16 +
.../static/security/patches/SA-24:05/pf-14.patch | 616 +++++++++++++++++++++
.../security/patches/SA-24:05/pf-14.patch.asc | 16 +
.../static/security/patches/SA-24:06/ktrace.patch | 11 +
.../security/patches/SA-24:06/ktrace.patch.asc | 16 +
.../security/patches/SA-24:07/nfsclient-13.patch | 201 +++++++
.../patches/SA-24:07/nfsclient-13.patch.asc | 16 +
.../security/patches/SA-24:07/nfsclient-14.patch | 201 +++++++
.../patches/SA-24:07/nfsclient-14.patch.asc | 16 +
.../static/security/patches/SA-24:08/openssh.patch | 19 +
.../security/patches/SA-24:08/openssh.patch.asc | 16 +
21 files changed, 2560 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index d0945c9078..cd751f68a5 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,22 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-24:08.openssh"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:07.nfsclient"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:06.ktrace"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:05.pf"
+date = "2024-08-07"
+
[[advisories]]
name = "FreeBSD-SA-24:04.openssh"
date = "2024-07-01"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 885339ab1d..47a42d0b59 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-24:14.ifconfig"
+date = "2024-08-07"
+
[[notices]]
name = "FreeBSD-EN-24:13.libc++"
date = "2024-06-19"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc b/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc
new file mode 100644
index 0000000000..b71e288bf5
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:14.ifconfig Errata Notice
+ The FreeBSD Project
+
+Topic: Incorrect ifconfig netmask assignment
+
+Category: core
+Module: ifconfig
+Announced: 2024-08-07
+Affects: FreeBSD 14.0 and later
+Corrected: 2024-06-15 15:24:59 UTC (stable/14, 14.1-STABLE)
+ 2024-08-07 13:44:28 UTC (releng/14.1, 14.1-RELEASE-p3)
+ 2024-08-07 13:44:41 UTC (releng/14.0, 14.0-RELEASE-p9)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Prior to the advent of classless inter-domain routing (CIDR), the IPv4
+address space was divided into classes based on how many of an address's
+most-significant bits were set. Since the class dictated the network
+mask, it was not necessary to specify the mask when configuring an
+interface. Even after CIDR was introduced, FreeBSD continued to allow
+the network mask to be omitted, for backward compatibility reasons.
+
+II. Problem Description
+
+When FreeBSD switched from using ioctl(2) to using Netlink sockets to
+configure network interfaces, the logic for determining the default mask
+in cases where one was not explicitly provided was inadvertantly
+inverted, resulting in class A addresses getting a prefix size of 24
+instead of 8, and vice versa for class C addresses. Class B addresses
+were not affected.
+
+III. Impact
+
+FreeBSD hosts which still rely on default network mask assignment and
+have addresses in the old class A (0.0.0.0-127.255.255.255) or class C
+(192.0.0.0-223.255.255.255) ranges will have an incorrect network mask.
+The exact consequences will vary depending on the direction of the error
+and the relative positions of the affected host and its default router
+within the local address space. Affected hosts should still be able to
+communicate with at least a subset of their local network, and may also
+be able to communicate with a subset of the wider network, but will
+typically lose the ability to communicate with any address which is not
+within both the actual local address space and the misconfigured local
+address space. This may include their default router.
+
+IV. Workaround
+
+Make sure to always specify either a network mask or a prefix size when
+adding IPv4 addresses to network interfaces. For instance, in a VM with
+a paravirtualized network interface and an IPv4 address of 192.0.2.5
+(historically class C), use either of the following in /etc/rc.conf or
+/etc/rc.conf.d/network:
+
+ ifconfig_vtnet0="inet 192.0.2.5/24"
+
+or
+
+ ifconfig_vtnet0="inet 192.0.2.5 netmask 255.255.255.0"
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch.asc
+# gpg --verify ifconfig.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 048ad7a9ef9f stable/14-n267957
+releng/14.1/ b9115dba07e8 releng/14.1-n267692
+releng/14.0/ 01792dd7f27b releng/14.0-n265424
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:14.ifconfig.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhZwACgkQbljekB8A
+Gu/6HBAA1PB3WA8wuqi2iebMvqZ1iM0Oh0sb9JotX8VFpO7zWpIHImITbLvWjYEm
+0YMb62mJNiKBVxRf0p1SWhOqRJcJAVNxU8U8wb6p7UJ2LXnLgU7t3kLNVdKN+Yq5
+jIMBOHpIJz/na/LsOEtxtneCvnNL+lOQ4NkHLKfFOUtf0PkAn2nUVnYyA+PGH/3l
+VQFxSCQCB3CxNMeiI5R2x9ZdaESfNdn/qh6vZcca2fl6seWMQaoqwzxrtBS1VXsR
+1LofhqJsOvIDOkKS5SFLIGMfPdETl2jmd+YrG9ujXWYcyvaQxfRE66RRT1AROCXb
++vD8MXc7q3gtjAV398iYdMwf7eqbPngX6xZCLPs6PR96eaa1tGTK0+cdan7CfHFB
+WahFo1md9kORCq2DLkLhekdJjy1+4J9KsMjGWLYRILZNPHU/IvAGFS1czFMPmTbm
+V1IHWeszDUPgjKlp0m59CsGjwcyJnIeZBnTMiMQ5EM29zEOUdgCayz2/v6JaEgwb
+7xCb5x0HzyR0hM4GDG8ccNe8VQFSm6McRSWb77zXnB5Lp2aCug9VwuUN1mJNdQVp
+3O5tm+Wd5HeA15YubO4aQ3aUTdsk92BZ9cxorn2dOTlE8vyxmqLk7KYs0644Dzmv
+IxRNYmBfb/trIWDLW7QZTVXtoSpTjdNvQG0+yEAFDTfTuAe0qVM=
+=+Q9R
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
new file mode 100644
index 0000000000..0c6d2b859d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:05.pf Security Advisory
+ The FreeBSD Project
+
+Topic: pf incorrectly matches different ICMPv6 states in the state table
+
+Category: core
+Module: pf
+Announced: 2024-08-07
+Credits: Enrico Bassetti e.bassetti@tudelft.nl
+ (Cybersecurity @ TU Delft, SPRITZ Group @ UniPD)
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-07-31 07:41:11 UTC (stable/14, 14.0-STABLE)
+ 2024-08-07 13:44:25 UTC (releng/14.1, 14.1-RELEASE-p3)
+ 2024-08-07 13:44:46 UTC (releng/14.0, 14.0-RELEASE-p9)
+ 2024-07-31 07:41:12 UTC (stable/13, 13.3-STABLE)
+ 2024-08-07 13:44:57 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name: CVE-2024-6640
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD. pf
+uses a state table to determine whether to allow a packet that is from a
+known/already open transmission. It identifies ICMPv6 states based on the
+address family, protocol, addresses, and the ID.
+
+Normally, states are created by outgoing packets, or by incoming packets
+matching 'pass' rules. A packet that do not match any rule will be blocked
+or allowed depending on the default rule.
+
+ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work
+properly in broadcast networks, such as Ethernet.
+
+II. Problem Description
+
+In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is configured
+to allow ND and block incoming Echo Requests, a crafted Echo Request packet
+after a Neighbor Solicitation (NS) can trigger an Echo Reply. The packet has
+to come from the same host as the NS and have a zero as identifier to match
+the state created by the Neighbor Discovery and allow replies to be
+generated.
+
+III. Impact
+
+ICMPv6 packets with identifier value of zero bypass firewall rules written on
+the assumption that the incoming packets are going to create a state in the
+state table.
+
+IV. Workaround
+
+No workaround is available but systems not using the pf firewall are not
+affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.3]
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch.asc
+# gpg --verify pf.patch.asc
+
+[FreeBSD 14.0 & FreeBSD 14.1]
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 3382c691dc6a stable/14-n268277
+releng/14.1/ a66d33fcf334 releng/14.1-n267690
+releng/14.0/ ca9580967e74 releng/14.0-n265428
+stable/13/ 05f91f8dd5ce stable/13-n258160
+releng/13.3/ 5eb30c313cb0 releng/13.3-n257443
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6640>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:05.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhasACgkQbljekB8A
+Gu9/0Q//S/qcyIxnQ1V8Gz8ghAQuJu8OlTdYV9OexFSKExcbc9FYK6LwhSUfPtHf
+Bx9KowhQCH2D1X33qHRUCWVhDMhgpvHmg/+ajnm0IP/+nc+ZnNFCC0Ew5b/mk7Uw
+jQAxW54/RSe1Cnl11T4RTcPI7YhGTej8T5T8dm2TlCdTI3m7xS/zfR3e4x89yrmW
+gVUBG54udbSSzxMDJk2rbr9anoinzaI0eiXY/rnb729OTU6y4SmJ9ZZZwXs+bRpP
+AUE7Zgj7pNrWC1CxTMy6XLdPE/L/8Yxz9mOFpyJcHahoEHcMH+5DKQePGa4mQgnS
+N8Srtrxx3Ipz5/zzOPr+O0BbOh8m7KMXU/J8Y3aHpUzbnr+IfGEUHBukN93M3qbV
+Qkw9iW+5HZ45P16Fyaj2cq7He7F39/7B/DhfjLldbUOnWGPmn3JrWkvONL++iAyI
++vOrfGubyTtwgSdZGDcv+FUrL6af6nQzFBBgv4z4TpHN+BTcwA5c6JwuOlvMc5ZY
+ISh8WItjxmK5Gh27H7JBGKwWDnKYjqkRcgJ7QZd7dmjo2bzOlnKV0eYk51eBvoIh
+FV4YGAgMPxCJGBrl54/0F5+C8zl0cjNlEhnyyl2IEBbPbnfmvpNw3tMbJdPfEUhF
+DK+j5IkDU/4sNrV/dmeD+K+u/3xgDxtUv6IjH2odmADtlCbOV80=
+=/mRR
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc b/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc
new file mode 100644
index 0000000000..1c157f0203
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:06.ktrace Security Advisory
+ The FreeBSD Project
+
+Topic: ktrace(2) fails to detach when executing a setuid binary
+
+Category: core
+Module: ktrace
+Announced: 2024-08-07
+Affects: All supported versions of FreeBSD
+Corrected: 2024-08-07 13:41:53 UTC (stable/14, 14.1-STABLE)
+ 2024-08-07 13:44:29 UTC (releng/14.1, 14.1-RELEASE-p3)
+ 2024-08-07 13:44:47 UTC (releng/14.0, 14.0-RELEASE-p9)
+ 2024-08-07 13:42:10 UTC (stable/13, 13.3-STABLE)
+ 2024-08-07 13:44:59 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name: CVE-2024-6760
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The ktrace utility enables kernel trace logging for the specified processes,
+commonly used for diagnostic or debugging purposes. The kernel operations
+that are traced include system calls, namei translations, signal processing,
+and I/O as well as data associated with these operations.
+
+II. Problem Description
+
+A logic bug in the code which disables kernel tracing for setuid programs
+meant that tracing was not disabled when it should have, allowing
+unprivileged users to trace and inspect the behavior of setuid programs.
+
+III. Impact
+
+The bug may be used by an unprivileged user to read the contents of files to
+which they would not otherwise have access, such as the local password
+database.
+
+IV. Workaround
+
+No workaround is available.
+
+I/O tracing can be disabled by setting the kern.ktrace.genio_size sysctl to
+0, but other information recorded by ktrace, such as system call arguments,
+can still be leaked.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch.asc
+# gpg --verify ktrace.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 8b400c8488f0 stable/14-n268423
+releng/14.1/ 22d04990cee5 releng/14.1-n267693
+releng/14.0/ c39fb98e4740 releng/14.0-n265429
+stable/13/ f702110bc4bc stable/13-n258224
+releng/13.3/ 769536bcb5c3 releng/13.3-n257445
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6760>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:06.ktrace.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha0ACgkQbljekB8A
+Gu/6ThAAvKUJFwdRV/rSRyGEOTWJE+dv1Qig000xhD6g42yKpfGShaNFUTSvMPG+
+kLtpN41SRN/LXyNyQfk3GL2SmphB2V9nlJ+FM2PEmi4hMrWoiNi6uX9MmSheFbp3
+QbDAh5+2sRo66AUXjUX118cK1ruqQjRRMVSW6D8hOeDv64Wvg01L0R3ls1ZsdXYL
+5wYuTRNh2ciyMEHQ0QUz8X38qebdPSV/8aVNSZYinwtYE+wGWbpmUCQoqgtLlnT9
+3UqIy68KVj4+TNYoZuQkK5/Ur9YG884YlNpzsJ6peX8U0gjQhG1BfqEPAylTZn/6
+vPp0LtJ0fRRZs0a6XJQ+rBxhuh22vLLFLXI9jSthCcNdJhRFFnnY9nFoB0/EOpIH
+I6i94dEExCeGkWcpPB2wyrQGPcRTik9h57vsTaHcnEAPWu1fO2OckUILZVsMs7Yp
+WXePdrVfTke1hIzk5DAc5PYJ1IKcN49m/+GhXjLz8aCcy9RadJPpJDe2HSltgfTn
+xvxAudY+58f6518getIfvU4tAA1DVw2Y9zRoRhdlXLiVDayBkCOFRMMBY1cWOk9o
+aUnbQ9PYO2h7iyzSvqgWDLIy7fIdLZnyuflSVtJ4KUnetk2hU5kxb0VZFx10+z7l
+dsTyXGdb04olDMvURtgn5eQotbJzn+KLqi3vOmQ92uAGSsLeH70=
+=3iOc
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc
new file mode 100644
index 0000000000..ee3f20bf8b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:07.nfsclient Security Advisory
+ The FreeBSD Project
+
+Topic: NFS client accepts file names containing path separators
+
+Category: core
+Module: NFS client
+Announced: 2024-08-07
+Credits: Apple Security Engineering and Architecture (SEAR)
+Affects: All supported versions of FreeBSD
+Corrected: 2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE)
+ 2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3)
+ 2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9)
+ 2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE)
+ 2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name: CVE-2024-6759
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The Network File System (NFS) is a distributed file system that allows remote
+systems to access files and directories over a network as if they were local.
+FreeBSD includes both server and client implementations of NFS.
+
+II. Problem Description
+
+When mounting a remote filesystem using NFS, the kernel did not sanitize
+remotely provided filenames for the path separator character, "/". This
+allows readdir(3) and related functions to return filesystem entries with
+names containing additional path components.
+
+III. Impact
+
+The lack of validation described above gives rise to a confused deputy
+problem. For example, a program copying files from an NFS mount could be
+tricked into copying from outside the intended source directory, and/or to a
+location outside the intended destination directory.
+
+IV. Workaround
+
+No workaround is available. Note that for the problem to occur, the NFS
+server would have to deliberately inject altered paths into RPC replies, or
+a MITM would have to be altering NFS traffic.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.3]
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc
+# gpg --verify nfsclient-13.patch.asc
+
+[FreeBSD 14.0 & FreeBSD 14.1]
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc
+# gpg --verify nfsclient-14.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 9328ded386d5 stable/14-n268239
+releng/14.1/ 8533e927afc1 releng/14.1-n267686
+releng/14.0/ 4e7bf17e9db8 releng/14.0-n265422
+stable/13/ 0172b5145ad9 stable/13-n258140
+releng/13.3/ 3d5cb2b9a97c releng/13.3-n257439
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6759>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:07.nfsclient.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha8ACgkQbljekB8A
+Gu80VxAAsDhdNW5FHcXEBZXbfR6fsShdWGQo8rCY1R1Buq8uhPI4bdzXCFrgUKM7
+Rm5P+zfZNcTYtM0epU1Fiz2BhjsKVfKIOMIBmuMik9xMBfeHnTihKGFBZ+TFj7i8
+1Kv/NE+oCn99jKZS7sZVNBvdbDMNBq4Em0vixXGRnKlEpa3r8b7niLuB0rHa97//
+gzIP5GvhUTsMaw3TwCAkVnZDrx+AoAU0dbLVIFf07P4mEt7StGd76C1dq4a6+3ZV
+s3Gqm16H8nYan5NJzpH2SIhcav4YyDuSD1eS8isyLn5bybpROdYQT7tCAfplpR2X
+pX0oQ8FRlslodV/wWaGNnCTNTYoSTj0jf77CM4fd8ERdKKmhC6x9zHsDyJBzH5Ku
+E6JlY9IvM0fL2N4KPDpNjF/U8RmNWDcxxaaou/6uohWdg977CX8uP1wfSL/4Sw6u
+SvqfDwwqd5BRE4KiqMFE024zgeogeJU7i21747HKs4nxWlNuPhVrWRjrarRhYlc2
+M4l2te7OQMjVPtbYhO4DXnDMqNgN37Qf2srgBiAnlOpmRX5Trgj4pw6DGQlSVoWO
+xY8fO02xAZuRUKgNA/TEvmRVuZx0LaLkl49xQjB8DxSvggYVFbJaY2HpfjnktmN0
+ZuMlcw0h/cv9UEFn3FWy0147xN/cjXjozvACmDUWhG0LdiUcnzc=
+=tJAo
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc b/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc
new file mode 100644
index 0000000000..c9aefa9e68
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:08.openssh Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSH pre-authentication async signal safety issue
+
+Category: contrib
+Module: openssh
+Announced: 2024-08-07
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
+ 2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
+ 2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
+ 2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
+ 2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name: CVE-2024-7589
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services, including
+remote shell access.
+
+II. Problem Description
+
+A signal handler in sshd(8) may call a logging function that is not async-
+signal-safe. The signal handler is invoked when a client does not
+authenticate within the LoginGraceTime seconds (120 by default). This signal
+handler executes in the context of the sshd(8)'s privileged code, which is
+not sandboxed and runs with full root privileges.
+
+This issue is another instance of the problem in CVE-2024-6387 addressed by
+FreeBSD-SA-24:04.openssh. The faulty code in this case is from the
+integration of blacklistd in OpenSSH in FreeBSD.
+
+III. Impact
+
+As a result of calling functions that are not async-signal-safe in the
+privileged sshd(8) context, a race condition exists that a determined
+attacker may be able to exploit to allow an unauthenticated remote code
+execution as root.
+
+IV. Workaround
+
+If sshd(8) cannot be updated, this signal handler race condition can be
+mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
+restarting sshd(8). This makes sshd(8) vulnerable to a denial of service
+(the exhaustion of all MaxStartups connections), but makes it safe from the
+remote code execution presented in this advisory.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+restart sshd.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 73466449a9bf stable/14-n268414
+releng/14.1/ 450425089212 releng/14.1-n267691
+releng/14.0/ c4ade13d5498 releng/14.0-n265423
+stable/13/ d5f16ef6463d stable/13-n258221
+releng/13.3/ f41c11d7f209 releng/13.3-n257444
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2006-5051>
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6387>
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-7589>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:08.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhbIACgkQbljekB8A
+Gu8uDBAA6gj9o4DXfVMHeZCFKr3WT/g3wPbilTk2xmvzkYoCkAMFC2PZ48wbxK7U
+/tXvVC5Hs7OO0jkZXgCNiLsUe4kzgEPeutsyi3x5i6uWlLA+I03UZyPdwFgkBM75
+w4IYeut6nMfiozJmiy7ekmxdjO1f+IGMy/yoa46gUr0524TyNjqF//p1wAePTF75
+WgvZrGEildEuZk6lHp3/sm1fmv4HxG5EmNmzlzWcj/jjMnOAe5Cbf8qpcKe42V5Y
+vBj8Cm6lVtOaviuT4XXnmkQro3uejeUq6z+LYwM7Pcs26OIeRgz9kzLNB2EXEwR7
+GNJDwzUbKvaOfvTnZao8KWqdw3fbS9Un39SJAAs32Y+5sqAcUnmRbdHa1pEFZ2rx
+F9moYxZ3/xuQhxzNmMqXMyAfWrlJcoX1Tc5hVSh2Rn0TWpH17BMTs3FVdtoaP2iG
+owhwdPLXBvePkNa/FSARVfhunrFDIBEwBQd3pN5TJRCmKdzvNqmxJsL6Z2y7Ib48
+EkFaw90t9kRg1+87YUjMQlhwNVww/yLzDzdZ137bRAeJtP3i7ZdbEVqUZGQvubCE
+2eDDaYuEj4RM3UElIlHRj2Z8YlXgfmgr2BcbLpqgP3cXw6McS0POG4Pw4z4Wyshn
+prFtFlMFqJbAqlNQkXfdVquu/V8BSay0iLaEy69t4KBVp4DFsf4=
+=TDgI
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:14/ifconfig.patch b/website/static/security/patches/EN-24:14/ifconfig.patch
new file mode 100644
index 0000000000..80bc33028f
--- /dev/null
+++ b/website/static/security/patches/EN-24:14/ifconfig.patch
@@ -0,0 +1,26 @@
+--- sbin/ifconfig/af_inet.c.orig
++++ sbin/ifconfig/af_inet.c
+@@ -440,7 +440,7 @@
+ static void
+ in_setdefaultmask_nl(void)
+ {
+- struct in_px *px = sintab_nl[ADDR];
++ struct in_px *px = sintab_nl[ADDR];
+
+ in_addr_t i = ntohl(px->addr.s_addr);
+
+@@ -451,11 +451,11 @@
+ * we should return an error rather than warning.
+ */
+ if (IN_CLASSA(i))
+- px->plen = IN_CLASSA_NSHIFT;
++ px->plen = 32 - IN_CLASSA_NSHIFT;
+ else if (IN_CLASSB(i))
+- px->plen = IN_CLASSB_NSHIFT;
++ px->plen = 32 - IN_CLASSB_NSHIFT;
+ else
+- px->plen = IN_CLASSC_NSHIFT;
++ px->plen = 32 - IN_CLASSC_NSHIFT;
+ px->maskset = true;
+ }
+ #endif
diff --git a/website/static/security/patches/EN-24:14/ifconfig.patch.asc b/website/static/security/patches/EN-24:14/ifconfig.patch.asc
new file mode 100644
index 0000000000..0019542641
--- /dev/null
+++ b/website/static/security/patches/EN-24:14/ifconfig.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhaMACgkQbljekB8A
+Gu/swxAAzAKd+3rr/cfRw0A2eh264D+y29FyjsMONJ7MUeGil8yHLAW1mF35uVAl
+7VVeGM2z3KMkuI57yrmV2qqFmY5kmHMaJQ806JfC8a7QmwSpFb34P7Ti3JgnQBPw
+8+iaa0PkbBKkj4SM3D5RRCic+oz5XxFg8gjsFzJwil6t48rsZuqGby6U/MUtswbz
+NI4Qs/koxjuyWwougPqEcqL3feCO3leV4dXV6V211nT+zRlrFf0p4/bzbN4hRz81
+xn+w7xrwB85LxOyuz8XLb/Akqih+g/AXZf4hOBxDlPdVWdYmMBG8Ze1QIuO1Drzj
+1cxGAuzxzJEKWNjIuXvDxebLA9PbF+S/BYl+a8bFETBBnfazylA0ONYsU+CjOnYB
+RhJT7Z+65hFVNK3DqfQ7B0PYXwkZgZC60I4Kfl3FOu9RnM5R+aYxRhfhjKZBdIA5
+rTftpcUWt9ZDs0ZuHLTcNcwcmUrJ6Kb/qy8Q7yZ8XJHm8GD63fOLYZ5ayBCZsG3u
+EoEJ0/lz4u4A6mRkfGG08MT0Rv0ek6B0lVURlgS7lSmiLRTRCzJ8n0IzXJq3w8xl
+53Q0GDH+UNBJlM2H8QKNTb5+Dl0AlOm/C6MbGci+8xdTRp7bPeU5rfsh9vHUQ1vn
+fUatggjLfsgWJHRnQD4t8ll0yz7muppsDj02ejGn6DcDUZ5Xots=
+=iSB0
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:05/pf-13.patch b/website/static/security/patches/SA-24:05/pf-13.patch
new file mode 100644
index 0000000000..e41ace722d
--- /dev/null
+++ b/website/static/security/patches/SA-24:05/pf-13.patch
@@ -0,0 +1,615 @@
+--- sys/netpfil/pf/pf.c.orig
++++ sys/netpfil/pf/pf.c
+@@ -276,6 +276,8 @@
+ u_int16_t, u_int8_t, sa_family_t);
+ static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
+ struct tcphdr *, struct pf_state_peer *);
++int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *,
++ int *, u_int16_t *, u_int16_t *);
+ static void pf_change_icmp(struct pf_addr *, u_int16_t *,
+ struct pf_addr *, struct pf_addr *, u_int16_t,
+ u_int16_t *, u_int16_t *, u_int16_t *,
+@@ -316,6 +318,10 @@
+ static int pf_test_state_udp(struct pf_kstate **, int,
+ struct pfi_kkif *, struct mbuf *, int,
+ void *, struct pf_pdesc *);
++int pf_icmp_state_lookup(struct pf_state_key_cmp *,
++ struct pf_pdesc *, struct pf_kstate **, struct mbuf *,
++ int, struct pfi_kkif *, u_int16_t, u_int16_t,
++ int, int *, int);
+ static int pf_test_state_icmp(struct pf_kstate **, int,
+ struct pfi_kkif *, struct mbuf *, int,
+ void *, struct pf_pdesc *, u_short *);
+@@ -369,6 +375,7 @@
+ extern struct proc *pf_purge_proc;
+
+ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
++enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK };
+
+ #define PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir) \
+ do { \
+@@ -1689,6 +1696,172 @@
+ return (false);
+ }
+
++int
++pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
++ int *icmp_dir, int *multi, u_int16_t *virtual_id, u_int16_t *virtual_type)
++{
++ /*
++ * ICMP types marked with PF_OUT are typically responses to
++ * PF_IN, and will match states in the opposite direction.
++ * PF_IN ICMP types need to match a state with that type.
++ */
++ *icmp_dir = PF_OUT;
++ *multi = PF_ICMP_MULTI_LINK;
++ /* Queries (and responses) */
++ switch (pd->af) {
++#ifdef INET
++ case AF_INET:
++ switch (type) {
++ case ICMP_ECHO:
++ *icmp_dir = PF_IN;
++ case ICMP_ECHOREPLY:
++ *virtual_type = ICMP_ECHO;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
++ case ICMP_TSTAMP:
++ *icmp_dir = PF_IN;
++ case ICMP_TSTAMPREPLY:
++ *virtual_type = ICMP_TSTAMP;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
++ case ICMP_IREQ:
++ *icmp_dir = PF_IN;
++ case ICMP_IREQREPLY:
++ *virtual_type = ICMP_IREQ;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
++ case ICMP_MASKREQ:
++ *icmp_dir = PF_IN;
++ case ICMP_MASKREPLY:
++ *virtual_type = ICMP_MASKREQ;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
*** 1747 LINES SKIPPED ***