git: ef4925468d - main - Status/2024Q3/code-audit: add Alpha-Omega report
Date: Mon, 14 Oct 2024 20:22:24 UTC
The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/doc/commit/?id=ef4925468dc28270506e80725db86008599d541d commit ef4925468dc28270506e80725db86008599d541d Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2024-10-11 13:34:18 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-10-14 20:21:24 +0000 Status/2024Q3/code-audit: add Alpha-Omega report Reviewed by: status (Pau Amma <pauamma@gundo.com>) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47057 --- .../status/report-2024-07-2024-09/code-audit.adoc | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/website/content/en/status/report-2024-07-2024-09/code-audit.adoc b/website/content/en/status/report-2024-07-2024-09/code-audit.adoc new file mode 100644 index 0000000000..917a8e591d --- /dev/null +++ b/website/content/en/status/report-2024-07-2024-09/code-audit.adoc 
@@ -0,0 +1,26 @@ +=== Capsicum and Bhyve Code Audit + +Contact: Ed Maste <emaste@FreeBSD.org> +Contact: Pierre Pronchery <pierre@freebsdfoundation.org> + +With the support of the link:https://alpha-omega.dev/[Alpha-Omega project], the FreeBSD Foundation undertook code audits of two important subsystems - the bhyve hypervisor, and the Capsicum sandboxing framework. +In addition to uncovering vulnerabilities in these systems to correct, the audits look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look to address across the project. + +The Foundation interviewed several firms, and selected Synacktiv to perform the audit. +A number of issues with critical and high severity were identified, which have been fixed as documented in security advisories: + +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc[FreeBSD-SA-24:09.libnv] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc[FreeBSD-SA-24:10.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc[FreeBSD-SA-24:11.ctl] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc[FreeBSD-SA-24:12.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc[FreeBSD-SA-24:14.umtx] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc[FreeBSD-SA-24:15.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc[FreeBSD-SA-24:16.libnv] + +Fixes are in progress for a number of lower-severity issues. +The code audit report will be shared in the near future, after issues above a severity threshold have been addressed. +The FreeBSD Foundation will also publish a report including commentary on the impact of the Synacktiv code audit report, classes of vulnerabilities identified, and lessons learned. 
+ +More information is available in the link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD[Alpha-Omega repository]. + +Sponsor: The FreeBSD Foundation
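Review bot: the advisory list in this hunk mixes subsystems without stating the audit scope that covers them: the opening paragraph says the audit covered the bhyve hypervisor and the Capsicum sandboxing framework, yet FreeBSD-SA-24:11.ctl and FreeBSD-SA-24:14.umtx are listed alongside the bhyve and libnv advisories with no explanation. A short sentence saying that these were also found in the course of the audit (or how they fall under the bhyve/Capsicum scope) would keep readers from wondering whether the list is over-inclusive. Minor wording in the second paragraph: "the audits look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look to address across the project" repeats "look to"; suggest "the audits also aim to identify classes of vulnerabilities and suboptimal coding practices that can be addressed across the project".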