git: a7ac9239fb - main - website: Add EN-24:14 and SA-24:05 through SA-24:08.
Date: Wed, 07 Aug 2024 14:41:20 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=a7ac9239fbae263d9bdd9d50486b3150f8c579d8
commit a7ac9239fbae263d9bdd9d50486b3150f8c579d8
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-08-07 14:38:10 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-08-07 14:38:10 +0000
website: Add EN-24:14 and SA-24:05 through SA-24:08.
Approved by: so
---
website/data/security/advisories.toml | 16 +
website/data/security/errata.toml | 4 +
.../advisories/FreeBSD-EN-24:14.ifconfig.asc | 150 +++++
.../security/advisories/FreeBSD-SA-24:05.pf.asc | 155 ++++++
.../advisories/FreeBSD-SA-24:06.ktrace.asc | 139 +++++
.../advisories/FreeBSD-SA-24:07.nfsclient.asc | 145 +++++
.../advisories/FreeBSD-SA-24:08.openssh.asc | 150 +++++
.../security/patches/EN-24:14/ifconfig.patch | 26 +
.../security/patches/EN-24:14/ifconfig.patch.asc | 16 +
.../static/security/patches/SA-24:05/pf-13.patch | 615 ++++++++++++++++++++
.../security/patches/SA-24:05/pf-13.patch.asc | 16 +
.../static/security/patches/SA-24:05/pf-14.patch | 616 +++++++++++++++++++++
.../security/patches/SA-24:05/pf-14.patch.asc | 16 +
.../static/security/patches/SA-24:06/ktrace.patch | 11 +
.../security/patches/SA-24:06/ktrace.patch.asc | 16 +
.../security/patches/SA-24:07/nfsclient-13.patch | 201 +++++++
.../patches/SA-24:07/nfsclient-13.patch.asc | 16 +
.../security/patches/SA-24:07/nfsclient-14.patch | 201 +++++++
.../patches/SA-24:07/nfsclient-14.patch.asc | 16 +
.../static/security/patches/SA-24:08/openssh.patch | 19 +
.../security/patches/SA-24:08/openssh.patch.asc | 16 +
21 files changed, 2560 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index d0945c9078..cd751f68a5 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,22 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-24:08.openssh"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:07.nfsclient"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:06.ktrace"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:05.pf"
+date = "2024-08-07"
+
 [[advisories]]
 name = "FreeBSD-SA-24:04.openssh"
 date = "2024-07-01"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 885339ab1d..47a42d0b59 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-24:14.ifconfig"
+date = "2024-08-07"
+
 [[notices]]
 name = "FreeBSD-EN-24:13.libc++"
 date = "2024-06-19"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc b/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc
new file mode 100644
index 0000000000..b71e288bf5
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc
@@ -0,0 +1,150 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:14.ifconfig Errata Notice + The FreeBSD Project + +Topic: Incorrect ifconfig netmask assignment + +Category: core +Module: ifconfig +Announced: 2024-08-07 +Affects: FreeBSD 14.0 and later +Corrected: 2024-06-15 15:24:59 UTC (stable/14, 14.1-STABLE) + 2024-08-07 13:44:28 UTC (releng/14.1, 14.1-RELEASE-p3) + 2024-08-07 13:44:41 UTC (releng/14.0, 14.0-RELEASE-p9) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Prior to the advent of classless inter-domain routing (CIDR), the IPv4 +address space was divided into classes based on how many of an address's +most-significant bits were set. Since the class dictated the network +mask, it was not necessary to specify the mask when configuring an +interface. Even after CIDR was introduced, FreeBSD continued to allow +the network mask to be omitted, for backward compatibility reasons. + +II. Problem Description + +When FreeBSD switched from using ioctl(2) to using Netlink sockets to +configure network interfaces, the logic for determining the default mask +in cases where one was not explicitly provided was inadvertantly +inverted, resulting in class A addresses getting a prefix size of 24 +instead of 8, and vice versa for class C addresses. Class B addresses +were not affected. + +III. Impact + +FreeBSD hosts which still rely on default network mask assignment and +have addresses in the old class A (0.0.0.0-127.255.255.255) or class C +(192.0.0.0-223.255.255.255) ranges will have an incorrect network mask. 
+The exact consequences will vary depending on the direction of the error +and the relative positions of the affected host and its default router +within the local address space. Affected hosts should still be able to +communicate with at least a subset of their local network, and may also +be able to communicate with a subset of the wider network, but will +typically lose the ability to communicate with any address which is not +within both the actual local address space and the misconfigured local +address space. This may include their default router. + +IV. Workaround + +Make sure to always specify either a network mask or a prefix size when +adding IPv4 addresses to network interfaces. For instance, in a VM with +a paravirtualized network interface and an IPv4 address of 192.0.2.5 +(historically class C), use either of the following in /etc/rc.conf or +/etc/rc.conf.d/network: + + ifconfig_vtnet0="inet 192.0.2.5/24" + +or + + ifconfig_vtnet0="inet 192.0.2.5 netmask 255.255.255.0" + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch +# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch.asc +# gpg --verify ifconfig.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 048ad7a9ef9f stable/14-n267957 +releng/14.1/ b9115dba07e8 releng/14.1-n267692 +releng/14.0/ 01792dd7f27b releng/14.0-n265424 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:14.ifconfig.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhZwACgkQbljekB8A +Gu/6HBAA1PB3WA8wuqi2iebMvqZ1iM0Oh0sb9JotX8VFpO7zWpIHImITbLvWjYEm +0YMb62mJNiKBVxRf0p1SWhOqRJcJAVNxU8U8wb6p7UJ2LXnLgU7t3kLNVdKN+Yq5 +jIMBOHpIJz/na/LsOEtxtneCvnNL+lOQ4NkHLKfFOUtf0PkAn2nUVnYyA+PGH/3l +VQFxSCQCB3CxNMeiI5R2x9ZdaESfNdn/qh6vZcca2fl6seWMQaoqwzxrtBS1VXsR +1LofhqJsOvIDOkKS5SFLIGMfPdETl2jmd+YrG9ujXWYcyvaQxfRE66RRT1AROCXb ++vD8MXc7q3gtjAV398iYdMwf7eqbPngX6xZCLPs6PR96eaa1tGTK0+cdan7CfHFB +WahFo1md9kORCq2DLkLhekdJjy1+4J9KsMjGWLYRILZNPHU/IvAGFS1czFMPmTbm +V1IHWeszDUPgjKlp0m59CsGjwcyJnIeZBnTMiMQ5EM29zEOUdgCayz2/v6JaEgwb +7xCb5x0HzyR0hM4GDG8ccNe8VQFSm6McRSWb77zXnB5Lp2aCug9VwuUN1mJNdQVp +3O5tm+Wd5HeA15YubO4aQ3aUTdsk92BZ9cxorn2dOTlE8vyxmqLk7KYs0644Dzmv +IxRNYmBfb/trIWDLW7QZTVXtoSpTjdNvQG0+yEAFDTfTuAe0qVM= +=+Q9R +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc new file mode 100644 index 0000000000..0c6d2b859d --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc 
@@ -0,0 +1,155 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:05.pf Security Advisory + The FreeBSD Project + +Topic: pf incorrectly matches different ICMPv6 states in the state table + +Category: core +Module: pf +Announced: 2024-08-07 +Credits: Enrico Bassetti e.bassetti@tudelft.nl + (Cybersecurity @ TU Delft, SPRITZ Group @ UniPD) +Affects: All supported versions of FreeBSD. +Corrected: 2024-07-31 07:41:11 UTC (stable/14, 14.0-STABLE) + 2024-08-07 13:44:25 UTC (releng/14.1, 14.1-RELEASE-p3) + 2024-08-07 13:44:46 UTC (releng/14.0, 14.0-RELEASE-p9) + 2024-07-31 07:41:12 UTC (stable/13, 13.3-STABLE) + 2024-08-07 13:44:57 UTC (releng/13.3, 13.3-RELEASE-p5) +CVE Name: CVE-2024-6640 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +pf is an Internet Protocol packet filter originally written for OpenBSD. pf +uses a state table to determine whether to allow a packet that is from a +known/already open transmission. It identifies ICMPv6 states based on the +address family, protocol, addresses, and the ID. + +Normally, states are created by outgoing packets, or by incoming packets +matching 'pass' rules. A packet that do not match any rule will be blocked +or allowed depending on the default rule. + +ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work +properly in broadcast networks, such as Ethernet. + +II. Problem Description + +In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is configured +to allow ND and block incoming Echo Requests, a crafted Echo Request packet +after a Neighbor Solicitation (NS) can trigger an Echo Reply. 
The packet has +to come from the same host as the NS and have a zero as identifier to match +the state created by the Neighbor Discovery and allow replies to be +generated. + +III. Impact + +ICMPv6 packets with identifier value of zero bypass firewall rules written on +the assumption that the incoming packets are going to create a state in the +state table. + +IV. Workaround + +No workaround is available but systems not using the pf firewall are not +affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.3] +# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch +# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch.asc +# gpg --verify pf.patch.asc + +[FreeBSD 14.0 & FreeBSD 14.1] +# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch +# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch.asc +# gpg --verify pf.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 3382c691dc6a stable/14-n268277 +releng/14.1/ a66d33fcf334 releng/14.1-n267690 +releng/14.0/ ca9580967e74 releng/14.0-n265428 +stable/13/ 05f91f8dd5ce stable/13-n258160 +releng/13.3/ 5eb30c313cb0 releng/13.3-n257443 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6640> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:05.pf.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhasACgkQbljekB8A +Gu9/0Q//S/qcyIxnQ1V8Gz8ghAQuJu8OlTdYV9OexFSKExcbc9FYK6LwhSUfPtHf +Bx9KowhQCH2D1X33qHRUCWVhDMhgpvHmg/+ajnm0IP/+nc+ZnNFCC0Ew5b/mk7Uw +jQAxW54/RSe1Cnl11T4RTcPI7YhGTej8T5T8dm2TlCdTI3m7xS/zfR3e4x89yrmW +gVUBG54udbSSzxMDJk2rbr9anoinzaI0eiXY/rnb729OTU6y4SmJ9ZZZwXs+bRpP +AUE7Zgj7pNrWC1CxTMy6XLdPE/L/8Yxz9mOFpyJcHahoEHcMH+5DKQePGa4mQgnS +N8Srtrxx3Ipz5/zzOPr+O0BbOh8m7KMXU/J8Y3aHpUzbnr+IfGEUHBukN93M3qbV +Qkw9iW+5HZ45P16Fyaj2cq7He7F39/7B/DhfjLldbUOnWGPmn3JrWkvONL++iAyI ++vOrfGubyTtwgSdZGDcv+FUrL6af6nQzFBBgv4z4TpHN+BTcwA5c6JwuOlvMc5ZY +ISh8WItjxmK5Gh27H7JBGKwWDnKYjqkRcgJ7QZd7dmjo2bzOlnKV0eYk51eBvoIh +FV4YGAgMPxCJGBrl54/0F5+C8zl0cjNlEhnyyl2IEBbPbnfmvpNw3tMbJdPfEUhF +DK+j5IkDU/4sNrV/dmeD+K+u/3xgDxtUv6IjH2odmADtlCbOV80= +=/mRR +-----END PGP 
SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc b/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc new file mode 100644 index 0000000000..1c157f0203 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc 
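Review bot: The signature-verification step in section V.2.a of the SA-24:05.pf advisory names a file that the preceding commands never download: both the [FreeBSD 13.3] and the [FreeBSD 14.0 & FreeBSD 14.1] blocks fetch `pf-13.patch.asc` / `pf-14.patch.asc` and then run `gpg --verify pf.patch.asc`. As written the check stops on a missing file, which makes it easy for a reader to apply the patch without verifying its detached signature; the lines should read `# gpg --verify pf-13.patch.asc` and `# gpg --verify pf-14.patch.asc`. The Corrected field also gives `(stable/14, 14.0-STABLE)` where the other four advisories in this commit give `14.1-STABLE` for the same branch, which looks like a typo. The advisory is clearsigned, so any correction has to ship as a re-signed revision.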
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:06.ktrace Security Advisory + The FreeBSD Project + +Topic: ktrace(2) fails to detach when executing a setuid binary + +Category: core +Module: ktrace +Announced: 2024-08-07 +Affects: All supported versions of FreeBSD +Corrected: 2024-08-07 13:41:53 UTC (stable/14, 14.1-STABLE) + 2024-08-07 13:44:29 UTC (releng/14.1, 14.1-RELEASE-p3) + 2024-08-07 13:44:47 UTC (releng/14.0, 14.0-RELEASE-p9) + 2024-08-07 13:42:10 UTC (stable/13, 13.3-STABLE) + 2024-08-07 13:44:59 UTC (releng/13.3, 13.3-RELEASE-p5) +CVE Name: CVE-2024-6760 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The ktrace utility enables kernel trace logging for the specified processes, +commonly used for diagnostic or debugging purposes. The kernel operations +that are traced include system calls, namei translations, signal processing, +and I/O as well as data associated with these operations. + +II. Problem Description + +A logic bug in the code which disables kernel tracing for setuid programs +meant that tracing was not disabled when it should have, allowing +unprivileged users to trace and inspect the behavior of setuid programs. + +III. Impact + +The bug may be used by an unprivileged user to read the contents of files to +which they would not otherwise have access, such as the local password +database. + +IV. Workaround + +No workaround is available. + +I/O tracing can be disabled by setting the kern.ktrace.genio_size sysctl to +0, but other information recorded by ktrace, such as system call arguments, +can still be leaked. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch +# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch.asc +# gpg --verify ktrace.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 8b400c8488f0 stable/14-n268423 +releng/14.1/ 22d04990cee5 releng/14.1-n267693 +releng/14.0/ c39fb98e4740 releng/14.0-n265429 +stable/13/ f702110bc4bc stable/13-n258224 +releng/13.3/ 769536bcb5c3 releng/13.3-n257445 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://www.cve.org/CVERecord?id=CVE-2024-6760> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:06.ktrace.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha0ACgkQbljekB8A +Gu/6ThAAvKUJFwdRV/rSRyGEOTWJE+dv1Qig000xhD6g42yKpfGShaNFUTSvMPG+ +kLtpN41SRN/LXyNyQfk3GL2SmphB2V9nlJ+FM2PEmi4hMrWoiNi6uX9MmSheFbp3 +QbDAh5+2sRo66AUXjUX118cK1ruqQjRRMVSW6D8hOeDv64Wvg01L0R3ls1ZsdXYL +5wYuTRNh2ciyMEHQ0QUz8X38qebdPSV/8aVNSZYinwtYE+wGWbpmUCQoqgtLlnT9 +3UqIy68KVj4+TNYoZuQkK5/Ur9YG884YlNpzsJ6peX8U0gjQhG1BfqEPAylTZn/6 +vPp0LtJ0fRRZs0a6XJQ+rBxhuh22vLLFLXI9jSthCcNdJhRFFnnY9nFoB0/EOpIH +I6i94dEExCeGkWcpPB2wyrQGPcRTik9h57vsTaHcnEAPWu1fO2OckUILZVsMs7Yp +WXePdrVfTke1hIzk5DAc5PYJ1IKcN49m/+GhXjLz8aCcy9RadJPpJDe2HSltgfTn +xvxAudY+58f6518getIfvU4tAA1DVw2Y9zRoRhdlXLiVDayBkCOFRMMBY1cWOk9o +aUnbQ9PYO2h7iyzSvqgWDLIy7fIdLZnyuflSVtJ4KUnetk2hU5kxb0VZFx10+z7l +dsTyXGdb04olDMvURtgn5eQotbJzn+KLqi3vOmQ92uAGSsLeH70= +=3iOc +-----END PGP SIGNATURE----- 
diff --git a/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc new file mode 100644 index 0000000000..ee3f20bf8b --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc 
@@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:07.nfsclient Security Advisory + The FreeBSD Project + +Topic: NFS client accepts file names containing path separators + +Category: core +Module: NFS client +Announced: 2024-08-07 +Credits: Apple Security Engineering and Architecture (SEAR) +Affects: All supported versions of FreeBSD +Corrected: 2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE) + 2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3) + 2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9) + 2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE) + 2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5) +CVE Name: CVE-2024-6759 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Network File System (NFS) is a distributed file system that allows remote +systems to access files and directories over a network as if they were local. +FreeBSD includes both server and client implementations of NFS. + +II. Problem Description + +When mounting a remote filesystem using NFS, the kernel did not sanitize +remotely provided filenames for the path separator character, "/". This +allows readdir(3) and related functions to return filesystem entries with +names containing additional path components. + +III. Impact + +The lack of validation described above gives rise to a confused deputy +problem. For example, a program copying files from an NFS mount could be +tricked into copying from outside the intended source directory, and/or to a +location outside the intended destination directory. + +IV. Workaround + +No workaround is available. 
Note that for the problem to occur, the NFS +server would have to deliberately inject altered paths into RPC replies, or +a MITM would have to be altering NFS traffic. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.3] +# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch +# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc +# gpg --verify nfsclient-13.patch.asc + +[FreeBSD 14.0 & FreeBSD 14.1] +# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch +# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc +# gpg --verify nfsclient-14.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 9328ded386d5 stable/14-n268239 +releng/14.1/ 8533e927afc1 releng/14.1-n267686 +releng/14.0/ 4e7bf17e9db8 releng/14.0-n265422 +stable/13/ 0172b5145ad9 stable/13-n258140 +releng/13.3/ 3d5cb2b9a97c releng/13.3-n257439 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://www.cve.org/CVERecord?id=CVE-2024-6759> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:07.nfsclient.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha8ACgkQbljekB8A +Gu80VxAAsDhdNW5FHcXEBZXbfR6fsShdWGQo8rCY1R1Buq8uhPI4bdzXCFrgUKM7 +Rm5P+zfZNcTYtM0epU1Fiz2BhjsKVfKIOMIBmuMik9xMBfeHnTihKGFBZ+TFj7i8 +1Kv/NE+oCn99jKZS7sZVNBvdbDMNBq4Em0vixXGRnKlEpa3r8b7niLuB0rHa97// +gzIP5GvhUTsMaw3TwCAkVnZDrx+AoAU0dbLVIFf07P4mEt7StGd76C1dq4a6+3ZV +s3Gqm16H8nYan5NJzpH2SIhcav4YyDuSD1eS8isyLn5bybpROdYQT7tCAfplpR2X +pX0oQ8FRlslodV/wWaGNnCTNTYoSTj0jf77CM4fd8ERdKKmhC6x9zHsDyJBzH5Ku +E6JlY9IvM0fL2N4KPDpNjF/U8RmNWDcxxaaou/6uohWdg977CX8uP1wfSL/4Sw6u +SvqfDwwqd5BRE4KiqMFE024zgeogeJU7i21747HKs4nxWlNuPhVrWRjrarRhYlc2 +M4l2te7OQMjVPtbYhO4DXnDMqNgN37Qf2srgBiAnlOpmRX5Trgj4pw6DGQlSVoWO +xY8fO02xAZuRUKgNA/TEvmRVuZx0LaLkl49xQjB8DxSvggYVFbJaY2HpfjnktmN0 +ZuMlcw0h/cv9UEFn3FWy0147xN/cjXjozvACmDUWhG0LdiUcnzc= +=tJAo +-----END PGP SIGNATURE----- 
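Review bot: The fetch URLs in section V.2.a of the SA-24:07.nfsclient advisory use the spelling `nfclient-13.patch` / `nfclient-14.patch` (and the matching `.asc` names), while the files this commit adds under `patches/SA-24:07/` are `nfsclient-13.patch` and `nfsclient-14.patch`, and the `gpg --verify` lines directly below also use `nfsclient-`. If the published paths follow the committed file names, all four downloads fail and the verify step has nothing to check; the lines should read `# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch`, and likewise for the `.asc` and `-14` variants. The advisory is clearsigned, so the fix has to ship as a re-signed revision.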
diff --git a/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc b/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc new file mode 100644 index 0000000000..c9aefa9e68 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc 
@@ -0,0 +1,150 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:08.openssh Security Advisory + The FreeBSD Project + +Topic: OpenSSH pre-authentication async signal safety issue + +Category: contrib +Module: openssh +Announced: 2024-08-07 +Affects: All supported versions of FreeBSD. +Corrected: 2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE) + 2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3) + 2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9) + 2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE) + 2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5) +CVE Name: CVE-2024-7589 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, including +remote shell access. + +II. Problem Description + +A signal handler in sshd(8) may call a logging function that is not async- +signal-safe. The signal handler is invoked when a client does not +authenticate within the LoginGraceTime seconds (120 by default). This signal +handler executes in the context of the sshd(8)'s privileged code, which is +not sandboxed and runs with full root privileges. + +This issue is another instance of the problem in CVE-2024-6387 addressed by +FreeBSD-SA-24:04.openssh. The faulty code in this case is from the +integration of blacklistd in OpenSSH in FreeBSD. + +III. Impact + +As a result of calling functions that are not async-signal-safe in the +privileged sshd(8) context, a race condition exists that a determined +attacker may be able to exploit to allow an unauthenticated remote code +execution as root. + +IV. 
Workaround + +If sshd(8) cannot be updated, this signal handler race condition can be +mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and +restarting sshd(8). This makes sshd(8) vulnerable to a denial of service +(the exhaustion of all MaxStartups connections), but makes it safe from the +remote code execution presented in this advisory. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, and +restart sshd. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch +# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc +# gpg --verify openssh.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 73466449a9bf stable/14-n268414 +releng/14.1/ 450425089212 releng/14.1-n267691 +releng/14.0/ c4ade13d5498 releng/14.0-n265423 +stable/13/ d5f16ef6463d stable/13-n258221 +releng/13.3/ f41c11d7f209 releng/13.3-n257444 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://www.cve.org/CVERecord?id=CVE-2006-5051> + +<URL:https://www.cve.org/CVERecord?id=CVE-2024-6387> + +<URL:https://www.cve.org/CVERecord?id=CVE-2024-7589> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:08.openssh.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhbIACgkQbljekB8A +Gu8uDBAA6gj9o4DXfVMHeZCFKr3WT/g3wPbilTk2xmvzkYoCkAMFC2PZ48wbxK7U +/tXvVC5Hs7OO0jkZXgCNiLsUe4kzgEPeutsyi3x5i6uWlLA+I03UZyPdwFgkBM75 +w4IYeut6nMfiozJmiy7ekmxdjO1f+IGMy/yoa46gUr0524TyNjqF//p1wAePTF75 +WgvZrGEildEuZk6lHp3/sm1fmv4HxG5EmNmzlzWcj/jjMnOAe5Cbf8qpcKe42V5Y +vBj8Cm6lVtOaviuT4XXnmkQro3uejeUq6z+LYwM7Pcs26OIeRgz9kzLNB2EXEwR7 +GNJDwzUbKvaOfvTnZao8KWqdw3fbS9Un39SJAAs32Y+5sqAcUnmRbdHa1pEFZ2rx +F9moYxZ3/xuQhxzNmMqXMyAfWrlJcoX1Tc5hVSh2Rn0TWpH17BMTs3FVdtoaP2iG +owhwdPLXBvePkNa/FSARVfhunrFDIBEwBQd3pN5TJRCmKdzvNqmxJsL6Z2y7Ib48 +EkFaw90t9kRg1+87YUjMQlhwNVww/yLzDzdZ137bRAeJtP3i7ZdbEVqUZGQvubCE 
+2eDDaYuEj4RM3UElIlHRj2Z8YlXgfmgr2BcbLpqgP3cXw6McS0POG4Pw4z4Wyshn +prFtFlMFqJbAqlNQkXfdVquu/V8BSay0iLaEy69t4KBVp4DFsf4= +=TDgI +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:14/ifconfig.patch b/website/static/security/patches/EN-24:14/ifconfig.patch new file mode 100644 index 0000000000..80bc33028f --- /dev/null +++ b/website/static/security/patches/EN-24:14/ifconfig.patch @@ -0,0 +1,26 @@ +--- sbin/ifconfig/af_inet.c.orig ++++ sbin/ifconfig/af_inet.c +@@ -440,7 +440,7 @@ + static void + in_setdefaultmask_nl(void) + { +- struct in_px *px = sintab_nl[ADDR]; ++ struct in_px *px = sintab_nl[ADDR]; + + in_addr_t i = ntohl(px->addr.s_addr); + +@@ -451,11 +451,11 @@ + * we should return an error rather than warning. + */ + if (IN_CLASSA(i)) +- px->plen = IN_CLASSA_NSHIFT; ++ px->plen = 32 - IN_CLASSA_NSHIFT; + else if (IN_CLASSB(i)) +- px->plen = IN_CLASSB_NSHIFT; ++ px->plen = 32 - IN_CLASSB_NSHIFT; + else +- px->plen = IN_CLASSC_NSHIFT; ++ px->plen = 32 - IN_CLASSC_NSHIFT; + px->maskset = true; + } + #endif diff --git a/website/static/security/patches/EN-24:14/ifconfig.patch.asc b/website/static/security/patches/EN-24:14/ifconfig.patch.asc new file mode 100644 index 0000000000..0019542641 --- /dev/null +++ b/website/static/security/patches/EN-24:14/ifconfig.patch.asc 
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhaMACgkQbljekB8A
+Gu/swxAAzAKd+3rr/cfRw0A2eh264D+y29FyjsMONJ7MUeGil8yHLAW1mF35uVAl
+7VVeGM2z3KMkuI57yrmV2qqFmY5kmHMaJQ806JfC8a7QmwSpFb34P7Ti3JgnQBPw
+8+iaa0PkbBKkj4SM3D5RRCic+oz5XxFg8gjsFzJwil6t48rsZuqGby6U/MUtswbz
+NI4Qs/koxjuyWwougPqEcqL3feCO3leV4dXV6V211nT+zRlrFf0p4/bzbN4hRz81
+xn+w7xrwB85LxOyuz8XLb/Akqih+g/AXZf4hOBxDlPdVWdYmMBG8Ze1QIuO1Drzj
+1cxGAuzxzJEKWNjIuXvDxebLA9PbF+S/BYl+a8bFETBBnfazylA0ONYsU+CjOnYB
+RhJT7Z+65hFVNK3DqfQ7B0PYXwkZgZC60I4Kfl3FOu9RnM5R+aYxRhfhjKZBdIA5
+rTftpcUWt9ZDs0ZuHLTcNcwcmUrJ6Kb/qy8Q7yZ8XJHm8GD63fOLYZ5ayBCZsG3u
+EoEJ0/lz4u4A6mRkfGG08MT0Rv0ek6B0lVURlgS7lSmiLRTRCzJ8n0IzXJq3w8xl
+53Q0GDH+UNBJlM2H8QKNTb5+Dl0AlOm/C6MbGci+8xdTRp7bPeU5rfsh9vHUQ1vn
+fUatggjLfsgWJHRnQD4t8ll0yz7muppsDj02ejGn6DcDUZ5Xots=
+=iSB0
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:05/pf-13.patch b/website/static/security/patches/SA-24:05/pf-13.patch
new file mode 100644
index 0000000000..e41ace722d
--- /dev/null
+++ b/website/static/security/patches/SA-24:05/pf-13.patch
@@ -0,0 +1,615 @@
+--- sys/netpfil/pf/pf.c.orig
++++ sys/netpfil/pf/pf.c
+@@ -276,6 +276,8 @@
+ u_int16_t, u_int8_t, sa_family_t);
+ static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
+ struct tcphdr *, struct pf_state_peer *);
++int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *,
++ int *, u_int16_t *, u_int16_t *);
+ static void pf_change_icmp(struct pf_addr *, u_int16_t *,
+ struct pf_addr *, struct pf_addr *, u_int16_t,
+ u_int16_t *, u_int16_t *, u_int16_t *,
+@@ -316,6 +318,10 @@
+ static int pf_test_state_udp(struct pf_kstate **, int,
+ struct pfi_kkif *, struct mbuf *, int,
+ void *, struct pf_pdesc *);
++int pf_icmp_state_lookup(struct pf_state_key_cmp *,
++ struct pf_pdesc *, struct pf_kstate **, struct mbuf *,
++ int, struct pfi_kkif *, u_int16_t, u_int16_t,
++ int, int *, int);
+ static int pf_test_state_icmp(struct pf_kstate **, int,
+ struct pfi_kkif *, struct mbuf *, int,
+ void *, struct pf_pdesc *, u_short *);
+@@ -369,6 +375,7 @@
+ extern struct proc *pf_purge_proc;
+
+ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
++enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK };
+
+ #define PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir) \
+ do { \
+@@ -1689,6 +1696,172 @@
+ return (false);
+ }
+
++int
++pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
++ int *icmp_dir, int *multi, u_int16_t *virtual_id, u_int16_t *virtual_type)
++{
++ /*
++ * ICMP types marked with PF_OUT are typically responses to
++ * PF_IN, and will match states in the opposite direction.
++ * PF_IN ICMP types need to match a state with that type.
++ */
++ *icmp_dir = PF_OUT;
++ *multi = PF_ICMP_MULTI_LINK;
++ /* Queries (and responses) */
++ switch (pd->af) {
++#ifdef INET
++ case AF_INET:
++ switch (type) {
++ case ICMP_ECHO:
++ *icmp_dir = PF_IN;
++ case ICMP_ECHOREPLY:
++ *virtual_type = ICMP_ECHO;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
++ case ICMP_TSTAMP:
++ *icmp_dir = PF_IN;
++ case ICMP_TSTAMPREPLY:
++ *virtual_type = ICMP_TSTAMP;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
++ case ICMP_IREQ:
++ *icmp_dir = PF_IN;
++ case ICMP_IREQREPLY:
++ *virtual_type = ICMP_IREQ;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
++ case ICMP_MASKREQ:
++ *icmp_dir = PF_IN;
++ case ICMP_MASKREPLY:
++ *virtual_type = ICMP_MASKREQ;
++ *virtual_id = pd->hdr.icmp.icmp_id;
++ break;
++
*** 1747 LINES SKIPPED ***