Date: Mon, 14 Oct 2024 20:22:24 GMT
Message-Id: <202410142022.49EKMOXZ086224@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Ed Maste
Subject: git: ef4925468d - main - Status/2024Q3/code-audit: add Alpha-Omega report
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: emaste
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ef4925468dc28270506e80725db86008599d541d
Auto-Submitted: auto-generated

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/doc/commit/?id=ef4925468dc28270506e80725db86008599d541d

commit ef4925468dc28270506e80725db86008599d541d
Author:     Ed Maste
AuthorDate: 2024-10-11 13:34:18 +0000
Commit:     Ed Maste
CommitDate: 2024-10-14 20:21:24 +0000

    Status/2024Q3/code-audit: add Alpha-Omega report

    Reviewed by:    status (Pau Amma)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D47057
---
 .../status/report-2024-07-2024-09/code-audit.adoc | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/website/content/en/status/report-2024-07-2024-09/code-audit.adoc b/website/content/en/status/report-2024-07-2024-09/code-audit.adoc
new file mode 100644
index 0000000000..917a8e591d
--- /dev/null
+++ b/website/content/en/status/report-2024-07-2024-09/code-audit.adoc
@@ -0,0 +1,26 @@ +=== Capsicum and Bhyve Code Audit + +Contact: Ed Maste +Contact: Pierre Pronchery + +With the support of the link:https://alpha-omega.dev/[Alpha-Omega project], the FreeBSD Foundation undertook code audits of two important subsystems - the bhyve hypervisor, and the Capsicum sandboxing framework. +In addition to uncovering vulnerabilities in these systems to correct, the audits look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look to address across the project. + +The Foundation interviewed several firms, and selected Synacktiv to perform the audit. +A number of issues with critical and high severity were identified, which have been fixed as documented in security advisories: + +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc[FreeBSD-SA-24:09.libnv] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc[FreeBSD-SA-24:10.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc[FreeBSD-SA-24:11.ctl] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc[FreeBSD-SA-24:12.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc[FreeBSD-SA-24:14.umtx] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc[FreeBSD-SA-24:15.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc[FreeBSD-SA-24:16.libnv] + +Fixes are in progress for a number of lower-severity issues. +The code audit report will be shared in the near future, after issues above a severity threshold have been addressed. +The FreeBSD Foundation will also publish a report including commentary on the impact of the Synacktiv code audit report, classes of vulnerabilities identified, and lessons learned. + +More information is available in the link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD[Alpha-Omega repository]. 
+ +Sponsor: The FreeBSD Foundation
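Review bot: the advisory list in this hunk includes FreeBSD-SA-24:11.ctl and FreeBSD-SA-24:14.umtx, while the opening paragraph names only the bhyve hypervisor and the Capsicum framework as the audited subsystems, so a reader cannot tell how the ctl and umtx findings relate to the audit; add a clause stating the connection (for instance, that they were reached while auditing code those subsystems depend on) or say plainly that the audit also turned up issues outside its nominal scope. Related: the list jumps from SA-24:12 to SA-24:14, which invites the question of whether SA-24:13 was omitted by mistake; if it is unrelated to the audit, no change is needed, but please confirm. Two wording points in the same file: "the audits look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look to address" repeats "look to", suggest "the audits also aim to identify classes of vulnerabilities and suboptimal coding practices that we can address across the project"; and "A number of issues with critical and high severity were identified, which have been fixed as documented in security advisories:" reads more cleanly as "Several critical- and high-severity issues were identified and have been fixed, as documented in the following security advisories:".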