git: f33f4dbfb9 - main - Add EN-24:17 and SA-24:17 through SA-24:19.
Date: Tue, 29 Oct 2024 21:18:12 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=f33f4dbfb9ab5291537681c7cef3b8de90519ad2
commit f33f4dbfb9ab5291537681c7cef3b8de90519ad2
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-10-29 21:17:35 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-10-29 21:17:35 +0000
Add EN-24:17 and SA-24:17 through SA-24:19.
Approved by: so
---
website/data/security/advisories.toml | 12 +
website/data/security/errata.toml | 4 +
.../advisories/FreeBSD-EN-24:17.pam_xdg.asc | 152 +++++++++++++
.../security/advisories/FreeBSD-SA-24:17.bhyve.asc | 155 +++++++++++++
.../security/advisories/FreeBSD-SA-24:18.ctl.asc | 134 +++++++++++
.../security/advisories/FreeBSD-SA-24:19.fetch.asc | 134 +++++++++++
.../static/security/patches/EN-24:17/pam_xdg.patch | 10 +
.../security/patches/EN-24:17/pam_xdg.patch.asc | 16 ++
.../static/security/patches/SA-24:17/bhyve.patch | 253 +++++++++++++++++++++
.../security/patches/SA-24:17/bhyve.patch.asc | 16 ++
website/static/security/patches/SA-24:18/ctl.patch | 21 ++
.../static/security/patches/SA-24:18/ctl.patch.asc | 16 ++
.../static/security/patches/SA-24:19/fetch.patch | 11 +
.../security/patches/SA-24:19/fetch.patch.asc | 16 ++
14 files changed, 950 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index b88121ea3b..f7562432bd 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,18 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-24:19.fetch"
+date = "2024-10-29"
+
+[[advisories]]
+name = "FreeBSD-SA-24:18.ctl"
+date = "2024-10-29"
+
+[[advisories]]
+name = "FreeBSD-SA-24:17.bhyve"
+date = "2024-10-29"
+
[[advisories]]
name = "FreeBSD-SA-24:16.libnv"
date = "2024-09-19"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 83dfdc6468..fc4760d668 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-24:17.pam_xdg"
+date = "2024-10-29"
+
[[notices]]
name = "FreeBSD-EN-24:16.pf"
date = "2024-09-19"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc b/website/static/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc
new file mode 100644
index 0000000000..048a02467a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc
@@ -0,0 +1,152 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:17.pam_xdg Errata Notice
+ The FreeBSD Project
+
+Topic: XDG runtime directory's file descriptor leak at login
+
+Category: core
+Module: pam_xdg
+Announced: 2024-10-29
+Credits: Olivier Certner
+Affects: FreeBSD 14.1
+Corrected: 2024-09-03 13:28:58 UTC (stable/14, 14.1-STABLE)
+ 2024-10-29 18:57:01 UTC (releng/14.1, 14.1-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+pam_xdg(8) is a PAM module which sets up directories and environment
+variables per the XDG Base Directory Specification[1]. In particular, it
+creates a per-user directory to contain non-essential runtime files and sets
+the environment variable XDG_RUNTIME_DIR to point to it.
+
+II. Problem Description
+
+As a user logs in, if the per user XDG_RUNTIME_DIR directory already exists,
+a file descriptor to that directory is leaked in the calling process.
+
+III. Impact
+
+This leaked directory file descriptor is inherited by all descendant processes
+that do not explicitly close it. In particular, it prevents an administrator
+from using jexec(8) or launching a new jail via jail(8), as both commands use
+the jail_attach(2) system call which fails with EPERM if the calling process has
+an open directory in its file descriptor table, as a security measure to prevent
+jail escape.
+
+This file descriptor leak is normally harmless from a security standpoint as the
+XDG_RUNTIME_DIR directory's content is usually readable and modifiable only by
+its owner and its group.
+
+IV. Workaround
+
+Shell primitives can close the leaking file descriptor before running
+jexec(8) or jail(8). For sh-like shells, use 'exec X>&-', where X is the
+number of the leaked file descriptor obtained with 'fstat -p $$'
+
+Alternatively, use a login program or shell that closes all inherited file
+descriptors for root such as sudo(8) or csh(1).
+
+Lastly, on machines not running a Freedesktop-based GUI desktop or some
+that can set XDG_RUNTIME_DIR by itself (e.g., KDE), disable pam_xdg(8)
+completely by commenting the corresponding lines in '/etc/pam.d/system' and
+'/etc/pam.d/xdm'.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security branch
+(releng) dated after the correction date. A reboot is advised following the
+upgrade, or a logout/re-login of your jail working sessions if practical.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is advised following the upgrade, or a logout/re-login of your jail
+working sessions if practical.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch.asc
+# gpg --verify pam_xdg.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+A reboot is advised following the upgrade, or a logout/re-login of your jail
+working sessions if practical.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 9e8d504bb5a1 stable/14-n268630
+releng/14.1/ accf8cee6dd0 releng/14.1-n267726
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+[1] <URL:https://specifications.freedesktop.org/basedir-spec/latest/>
+[2] <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281751>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:17.pam_xdg.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=yn4N
+-----END PGP SIGNATURE-----
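Review bot: Reference [2] in section VII (the Bugzilla entry) is never cited in the body, while [1] is cited from Background; cite [2] from the Problem Description or drop the marker. In section IV the sentence ending in 'fstat -p $$' is missing its closing period, and "per user XDG_RUNTIME_DIR" in section II should be hyphenated to match "per-user" in section I.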
diff --git a/website/static/security/advisories/FreeBSD-SA-24:17.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:17.bhyve.asc
new file mode 100644
index 0000000000..1906b0cc8a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:17.bhyve.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:17.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple issues in the bhyve hypervisor
+
+Category: core
+Module: bhyve
+Announced: 2024-10-29
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-10-19 15:42:15 UTC (stable/14, 14.1-STABLE)
+ 2024-10-29 18:45:36 UTC (releng/14.1, 14.1-RELEASE-p6)
+ 2024-10-19 15:43:46 UTC (stable/13, 13.4-STABLE)
+ 2024-10-29 18:49:55 UTC (releng/13.4, 13.4-RELEASE-p2)
+ 2024-10-29 18:53:41 UTC (releng/13.3, 13.3-RELEASE-p8)
+CVE Name: CVE-2024-51562, CVE-2024-51563, CVE-2024-51564,
+ CVE-2024-51565, CVE-2024-51565
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
+machine.
+
+II. Problem Description
+
+Several vulnerabilities were found in the bhyve hypervisor's device models.
+
+The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-
+read from a guest-controlled value. (CVE-2024-51562)
+
+The virtio_vq_recordon function is subject to a time-of-check to time-of-use
+(TOCTOU) race condition. (CVE-2024-51563)
+
+A guest can trigger an infinite loop in the hda audio driver.
+(CVE-2024-51564)
+
+The hda driver is vulnerable to a buffer over-read from a guest-controlled
+value. (CVE-2024-51565)
+
+The NVMe driver queue processing is vulernable to guest-induced infinite
+loops. (CVE-2024-51565)
+
+III. Impact
+
+Malicious guest virtual machines may be able to perform a denial of service
+(DoS) of the bhyve host, and may read memory within the bhyve process that
+they should not be able to access.
+
+IV. Workaround
+
+No workaround is available. Virtual machines that provide none of the NVMe,
+virtio, and hda devices to the guest are not vulnerable.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Restart bhyve processes, or reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:17/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:17/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable bhyve processes, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 86ba5941b132 stable/14-n269162
+releng/14.1/ fcd9a2d8a5bd releng/14.1-n267723
+stable/13/ df1a36fdfae6 stable/13-n258536
+releng/13.4/ 5d07a7e902fa releng/13.4-n258265
+releng/13.3/ adb7b541aea1 releng/13.3-n257475
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51562>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51563>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51564>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51565>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51565>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:17.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCUACgkQbljekB8A
+Gu/RJhAA5oWfn9F1Tdmwwl5CFbvIjSmHcWdDsTbQ66DrL8HcinrNoBSdhr2xuAQK
+mxsWuUI1V4Wb9Yp0EXjpNB2ZIpjDbEionVK7BEZJ2D09TCi1CFS84CiTdqBlkJ/A
+2K+eQD6BAG+wKu0yRlqu2wA8RgUWob8ORZ9PFyT4XH23OT4F60WUhPJ+917cqCru
+Ye7hKcSy/xaL0J95ZOG+qeuTf9RbBeQ4f+Sq2ERbtPXVRcBs3x2PEjg1ptuKNmst
+Hbvg+fIsfGWf99r50EhBP2yPJ/jNZBhYJ5gX+zdJsyuXRnJwnv2P6WNxFKoh2I2n
+RI4L3rJ7hJVPURhXZ3fkmiQ8qW/VxrR+2H4YxjuD2U7KQg22ZxCCFNFfN7gYI63U
+8/shw6Ez5OQqVyXl/+uD0/P6pnscKsQz9zNix7kI+G9meBZLnyA1/eGB0iFQVjYg
+NxepUWheMsraLX1ytURtI2lY8pr26Fd4xtY0mKpV13ohL59nQZ79fIeot50m8WMP
+++zqqErJa/9mk6MSZ/xXHWUbPLmQmuNyHere4kqvd4dTLLMOe17WB7NrPJch2S23
+BCcnfZNGwP9iPY27CHRStAYI2OIj2iL7oe2Z7jnh+afpcX3r5isxqZf3R6pw7C2a
+fDPHVTfKJ951yBloejhXJcPXdwgYMZ+8nd2MVafrIYD7dTZfCrU=
+=BYuX
+-----END PGP SIGNATURE-----
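Review bot: CVE-2024-51565 is listed twice in the CVE Name field, is attached to two different issues in section II (the hda buffer over-read and the NVMe queue-processing infinite loops), and is linked twice in section VII, so five issues are described with only four distinct identifiers. Confirm which identifier belongs to the NVMe queue issue and correct all three places, since any later fix means re-signing the advisory. Section II also contains the typo "vulernable", and it names virtio_vq_recordon while the accompanying bhyve.patch changes _vq_record; check that the function name is the intended one.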
diff --git a/website/static/security/advisories/FreeBSD-SA-24:18.ctl.asc b/website/static/security/advisories/FreeBSD-SA-24:18.ctl.asc
new file mode 100644
index 0000000000..d44ada0679
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:18.ctl.asc
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:18.ctl Security Advisory
+ The FreeBSD Project
+
+Topic: Unbounded allocation in ctl(4) CAM Target Layer
+
+Category: core
+Module: ctl
+Announced: 2024-10-29
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-10-11 15:53:17 UTC (stable/14, 14.1-STABLE)
+ 2024-10-29 18:45:37 UTC (releng/14.1, 14.1-RELEASE-p6)
+ 2024-10-11 15:53:53 UTC (stable/13, 13.4-STABLE)
+ 2024-10-29 18:49:56 UTC (releng/13.4, 13.4-RELEASE-p2)
+ 2024-10-29 18:53:42 UTC (releng/13.3, 13.3-RELEASE-p8)
+CVE Name: CVE-2024-39281
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The ctl subsystem provides SCSI target devices emulation. The bhyve(8)
+hypervisor and ctld(8) iSCSI target daemon make use of ctl.
+
+II. Problem Description
+
+The command ctl_persistent_reserve_out allows the caller to specify an
+arbitrary size which will be passed to the kernel's memory allocator.
+
+III. Impact
+
+A malicious guest could cause a Denial of Service (DoS) on the host.
+
+IV. Workaround
+
+No workaround is available. Systems not using virtio_scsi(4) or ctld(8)
+are not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and reboot
+the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch.asc
+# gpg --verify ctl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 2e7f4728fa73 stable/14-n269070
+releng/14.1/ a8df23541444 releng/14.1-n267724
+stable/13/ 367d8c86a182 stable/13-n258514
+releng/13.4/ e389eb99fb63 releng/13.4-n258266
+releng/13.3/ 9867aebc1d04 releng/13.3-n257476
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39281>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:18.ctl.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCcACgkQbljekB8A
+Gu86VhAArJMRQcCCLdF1dflUMBKXROmUUZRHZg/fDS6QvGgZXQ0vKaGsHYjdNS2Z
+oM+RgfsE98CU5FoiqBNdJNlAMX9+/JSN1h2wPD3UJfk/j6TLbj78RMcNnfG9OGSb
+/J626CnpcIz/9ORSVb5FRSe3Ac+aS19Gh7g4wY9RY/sRA2tR9+8A96JdD3nQCkAQ
++oEiB3sNfo9rTxVNtPV7J47HwLcHecfqmUNp1fJ4eWs2utebyG0IoLWI6SlFrx81
+peBImJvVZviZVesEeibTT/nBcbuugq9pGUp5EqVcoZM5VHqN/DIm3uI1jpNzAyvR
+NBoFBBI6+DxUfw3D1MFP6s341Ixmz1UBhqlGewhAryKTGT1Pm0ong69vH96hAEDT
+Q8OnigHESE94O76u61NsaQydjcqnC1gRw0NkRl7FNja4tLDKxKQ72P0tPSYyFSNp
+h7V2F+1g6EbMxWpb19KEjYIF6AAv4ijUc1DseW0NITteofufcm+yytvksOQGKbDm
+Vx8m+6ONqVSs09Bi7bIG0n5yF1qjFyLkWfKs/FiJF5tfu9bdXpm6VG32KSBsaF/2
+O/0h6OKIyHHqOaKr9NgBt78gAknwPdi083ir7HIihzkaGfoMLhkyyss3G+cOa45I
+G3bfpjyQSpqwVgypP9KEogFU0Cb51GkKK3Hed4GyZ88c6C+QcAA=
+=ew5T
+-----END PGP SIGNATURE-----
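Review bot: Section III names only a malicious guest, but section I says ctld(8) also uses ctl and section IV lists systems using ctld(8) as affected. State in the Impact section whether an iSCSI initiator talking to ctld(8) can trigger the same unbounded allocation, or say why it cannot. In section I, "SCSI target devices emulation" reads better as "SCSI target device emulation".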
diff --git a/website/static/security/advisories/FreeBSD-SA-24:19.fetch.asc b/website/static/security/advisories/FreeBSD-SA-24:19.fetch.asc
new file mode 100644
index 0000000000..aaf3371881
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:19.fetch.asc
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:19.fetch Security Advisory
+ The FreeBSD Project
+
+Topic: Certificate revocation list fetch(1) option fails
+
+Category: core
+Module: fetch
+Announced: 2024-10-29
+Credits: Franco Fichtner
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-10-09 11:49:32 UTC (stable/14, 14.1-STABLE)
+ 2024-10-29 18:57:00 UTC (releng/14.1, 14.1-RELEASE-p6)
+ 2024-10-09 11:50:06 UTC (stable/13, 13.4-STABLE)
+ 2024-10-29 18:57:13 UTC (releng/13.4, 13.4-RELEASE-p2)
+ 2024-10-29 18:57:30 UTC (releng/13.3, 13.3-RELEASE-p8)
+CVE Name: CVE-2024-45289
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Fetch is utility used to retrieve file(s) from URL(s) specified on the command
+line. It supports a --crl option to specify a certificate revocation list
+which contains peer certificates which have been revoked.
+
+II. Problem Description
+
+The fetch(3) library uses environment variables for passing certain
+information, including the revocation file pathname. The environment variable
+name used by fetch(1) to pass the filename to the library was incorrect, in
+effect ignoring the option.
+
+III. Impact
+
+Fetch would still connect to a host presenting a certificate included in the
+revocation file passed to the --crl option.
+
+IV. Workaround
+
+The certificate revocation list file can be specified by the SSL_CRL_FILE
+fetch(3) environment variable rather than using the --crl option to fetch(1).
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch.asc
+# gpg --verify fetch.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 51676e0a3bd3 stable/14-n269041
+releng/14.1/ 0e8bf366e6c5 releng/14.1-n267725
+stable/13/ 484724578422 stable/13-n258502
+releng/13.4/ 51f6c450d991 releng/13.4-n258267
+releng/13.3/ 9f1314a30b4a releng/13.3-n257477
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45289>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:19.fetch.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=CEwj
+-----END PGP SIGNATURE-----
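Review bot: Section II says the environment variable name used by fetch(1) was incorrect but names neither the wrong variable nor the expected one; only section IV mentions SSL_CRL_FILE, and only as a workaround. Naming both in the Problem Description would let readers check their own scripts and wrappers against it. In section I, "Fetch is utility" is missing the article "a".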
diff --git a/website/static/security/patches/EN-24:17/pam_xdg.patch b/website/static/security/patches/EN-24:17/pam_xdg.patch
new file mode 100644
index 0000000000..146c21b8dd
--- /dev/null
+++ b/website/static/security/patches/EN-24:17/pam_xdg.patch
@@ -0,0 +1,10 @@
+--- lib/libpam/modules/pam_xdg/pam_xdg.c.orig
++++ lib/libpam/modules/pam_xdg/pam_xdg.c
+@@ -108,6 +108,7 @@
+ goto out;
+ }
+ } else {
++ close(rt_dir);
+ /* Check that the already create dir is correctly owned */
+ rv = fstatat(rt_dir_prefix, user, &sb, 0);
+ if (rv == -1) {
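Review bot: After the added close(rt_dir) at the top of the else branch, rt_dir still holds the closed descriptor number, and the context shows an error path that does "goto out"; if the code at out (not visible in this hunk) or anything later in this branch closes or uses rt_dir, that becomes a double close or a use of a stale descriptor. Consider setting rt_dir = -1 right after the close. The call would also sit better below the "Check that the already create dir is correctly owned" comment, so that the comment stays attached to the fstatat() it describes.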
diff --git a/website/static/security/patches/EN-24:17/pam_xdg.patch.asc b/website/static/security/patches/EN-24:17/pam_xdg.patch.asc
new file mode 100644
index 0000000000..2ae9eff9fc
--- /dev/null
+++ b/website/static/security/patches/EN-24:17/pam_xdg.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=xH4l
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:17/bhyve.patch b/website/static/security/patches/SA-24:17/bhyve.patch
new file mode 100644
index 0000000000..d9fd30775d
--- /dev/null
+++ b/website/static/security/patches/SA-24:17/bhyve.patch
@@ -0,0 +1,253 @@
+--- sys/dev/beri/virtio/virtio.c.orig
++++ sys/dev/beri/virtio/virtio.c
+@@ -107,12 +107,17 @@
+ static inline void
+ _vq_record(uint32_t offs, int i, volatile struct vring_desc *vd,
+ struct iovec *iov, int n_iov, uint16_t *flags) {
++ uint32_t len;
++ uint64_t addr;
++
+ if (i >= n_iov)
+ return;
+
+- iov[i].iov_base = paddr_map(offs, be64toh(vd->addr),
+- be32toh(vd->len));
+- iov[i].iov_len = be32toh(vd->len);
++ len = atomic_load_32(&vd->len);
++ addr = atomic_load_64(&vd->addr);
++ iov[i].iov_base = paddr_map(offs, be64toh(addr),
++ be32toh(len));
++ iov[i].iov_len = be32toh(len);
+ if (flags != NULL)
+ flags[i] = be16toh(vd->flags);
+ }
+--- usr.sbin/bhyve/hda_codec.c.orig
++++ usr.sbin/bhyve/hda_codec.c
+@@ -521,7 +521,6 @@
+ payload = cmd_data & 0xffff;
+ }
+
+- assert(cad == hci->cad);
+ assert(hci);
+
+ hops = hci->hops;
+@@ -530,7 +529,10 @@
+ sc = (struct hda_codec_softc *)hci->priv;
+ assert(sc);
+
+- assert(nid < sc->no_nodes);
++ if (cad != hci->cad || nid >= sc->no_nodes) {
++ DPRINTF("Invalid command data");
++ return (-1);
++ }
+
+ if (!hops->response) {
+ DPRINTF("The controller ops does not implement \
+@@ -540,7 +542,8 @@
+
+ switch (verb) {
+ case HDA_CMD_VERB_GET_PARAMETER:
+- res = sc->get_parameters[nid][payload];
++ if (payload < HDA_CODEC_PARAMS_COUNT)
++ res = sc->get_parameters[nid][payload];
+ break;
+ case HDA_CMD_VERB_GET_CONN_LIST_ENTRY:
+ res = sc->conn_list[nid][0];
+--- usr.sbin/bhyve/pci_hda.c.orig
++++ usr.sbin/bhyve/pci_hda.c
+@@ -789,6 +789,11 @@
+ int err;
+
+ corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);
++ if (corb->wp >= corb->size) {
++ DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp,
++ corb->size);
++ return (-1);
++ }
+
+ while (corb->rp != corb->wp && corb->run) {
+ corb->rp++;
+--- usr.sbin/bhyve/pci_nvme.c.orig
++++ usr.sbin/bhyve/pci_nvme.c
+@@ -265,6 +265,17 @@
+ uint16_t cid; /* Command ID of the submitted AER */
+ };
+
++/** Asynchronous Event Information - Error */
++typedef enum {
++ PCI_NVME_AEI_ERROR_INVALID_DB,
++ PCI_NVME_AEI_ERROR_INVALID_DB_VALUE,
++ PCI_NVME_AEI_ERROR_DIAG_FAILURE,
++ PCI_NVME_AEI_ERROR_PERSISTANT_ERR,
++ PCI_NVME_AEI_ERROR_TRANSIENT_ERR,
++ PCI_NVME_AEI_ERROR_FIRMWARE_LOAD_ERR,
++ PCI_NVME_AEI_ERROR_MAX,
++} pci_nvme_async_event_info_error;
++
+ /** Asynchronous Event Information - Notice */
+ typedef enum {
+ PCI_NVME_AEI_NOTICE_NS_ATTR_CHANGED = 0,
+@@ -1402,7 +1413,7 @@
+ logsize *= sizeof(uint32_t);
+ logoff = ((uint64_t)(command->cdw13) << 32) | command->cdw12;
+
+- DPRINTF("%s log page %u len %u", __func__, logpage, logsize);
++ DPRINTF("%s log page %u offset %lu len %u", __func__, logpage, logoff, logsize);
+
+ switch (logpage) {
+ case NVME_LOG_ERROR:
+@@ -1414,7 +1425,7 @@
+
+ nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, command->prp1,
+ command->prp2, (uint8_t *)&sc->err_log + logoff,
+- MIN(logsize - logoff, sizeof(sc->err_log)),
++ MIN(logsize, sizeof(sc->err_log) - logoff),
+ NVME_COPY_TO_PRP);
+ break;
+ case NVME_LOG_HEALTH_INFORMATION:
+@@ -1437,7 +1448,7 @@
+
+ nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, command->prp1,
+ command->prp2, (uint8_t *)&sc->health_log + logoff,
+- MIN(logsize - logoff, sizeof(sc->health_log)),
++ MIN(logsize, sizeof(sc->health_log) - logoff),
+ NVME_COPY_TO_PRP);
+ break;
+ case NVME_LOG_FIRMWARE_SLOT:
+@@ -1449,7 +1460,7 @@
+
+ nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, command->prp1,
+ command->prp2, (uint8_t *)&sc->fw_log + logoff,
+- MIN(logsize - logoff, sizeof(sc->fw_log)),
++ MIN(logsize, sizeof(sc->fw_log) - logoff),
+ NVME_COPY_TO_PRP);
+ break;
+ case NVME_LOG_CHANGED_NAMESPACE:
+@@ -1461,7 +1472,7 @@
+
+ nvme_prp_memcpy(sc->nsc_pi->pi_vmctx, command->prp1,
+ command->prp2, (uint8_t *)&sc->ns_log + logoff,
+- MIN(logsize - logoff, sizeof(sc->ns_log)),
++ MIN(logsize, sizeof(sc->ns_log) - logoff),
+ NVME_COPY_TO_PRP);
+ memset(&sc->ns_log, 0, sizeof(sc->ns_log));
+ break;
+@@ -2789,6 +2800,38 @@
+ pthread_mutex_unlock(&sq->mtx);
+ }
+
++/*
++ * Check for invalid doorbell write values
++ * See NVM Express Base Specification, revision 2.0
++ * "Asynchronous Event Information - Error Status" for details
++ */
++static bool
++pci_nvme_sq_doorbell_valid(struct nvme_submission_queue *sq, uint64_t value)
++{
++ uint64_t capacity;
++
++ /*
++ * Queue empty : head == tail
++ * Queue full : head is one more than tail accounting for wrap
++ * Therefore, can never have more than (size - 1) entries
++ */
++ if (sq->head == sq->tail)
++ capacity = sq->size - 1;
++ else if (sq->head > sq->tail)
++ capacity = sq->size - (sq->head - sq->tail) - 1;
++ else
++ capacity = sq->tail - sq->head - 1;
++
++ if ((value == sq->tail) || /* same as previous */
++ (value > capacity)) { /* exceeds queue capacity */
++ EPRINTLN("%s: SQ size=%u head=%u tail=%u capacity=%lu value=%lu",
++ __func__, sq->size, sq->head, sq->tail, capacity, value);
++ return false;
++ }
++
++ return true;
++}
++
+ static void
+ pci_nvme_handle_doorbell(struct pci_nvme_softc* sc,
+ uint64_t idx, int is_sq, uint64_t value)
+@@ -2801,22 +2844,34 @@
+ WPRINTF("%s queue index %lu overflow from "
+ "guest (max %u)",
+ __func__, idx, sc->num_squeues);
++ pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
++ PCI_NVME_AEI_ERROR_INVALID_DB);
++ return;
++ }
++
++ if (sc->submit_queues[idx].qbase == NULL) {
++ WPRINTF("%s write to SQ %lu before created", __func__,
++ idx);
++ pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
++ PCI_NVME_AEI_ERROR_INVALID_DB);
++ return;
++ }
++
++ if (!pci_nvme_sq_doorbell_valid(&sc->submit_queues[idx], value)) {
++ EPRINTLN("%s write to SQ %lu of %lu invalid", __func__,
++ idx, value);
++ pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
++ PCI_NVME_AEI_ERROR_INVALID_DB_VALUE);
+ return;
+ }
+
+ atomic_store_short(&sc->submit_queues[idx].tail,
+ (uint16_t)value);
+
+- if (idx == 0) {
++ if (idx == 0)
+ pci_nvme_handle_admin_cmd(sc, value);
+- } else {
++ else {
+ /* submission queue; handle new entries in SQ */
+- if (idx > sc->num_squeues) {
+- WPRINTF("%s SQ index %lu overflow from "
+- "guest (max %u)",
+- __func__, idx, sc->num_squeues);
+- return;
+- }
+ pci_nvme_handle_io_cmd(sc, (uint16_t)idx);
+ }
+ } else {
+@@ -2824,6 +2879,16 @@
+ WPRINTF("%s queue index %lu overflow from "
+ "guest (max %u)",
+ __func__, idx, sc->num_cqueues);
++ pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
++ PCI_NVME_AEI_ERROR_INVALID_DB);
++ return;
++ }
++
++ if (sc->compl_queues[idx].qbase == NULL) {
++ WPRINTF("%s write to CQ %lu before created", __func__,
++ idx);
++ pci_nvme_aen_post(sc, PCI_NVME_AE_TYPE_ERROR,
++ PCI_NVME_AEI_ERROR_INVALID_DB);
+ return;
+ }
+
+--- usr.sbin/bhyve/virtio.c.orig
++++ usr.sbin/bhyve/virtio.c
+@@ -217,10 +217,15 @@
+ _vq_record(int i, struct vring_desc *vd, struct vmctx *ctx, struct iovec *iov,
+ int n_iov, struct vi_req *reqp)
+ {
++ uint32_t len;
++ uint64_t addr;
++
+ if (i >= n_iov)
+ return;
+- iov[i].iov_base = paddr_guest2host(ctx, vd->addr, vd->len);
+- iov[i].iov_len = vd->len;
++ len = atomic_load_32(&vd->len);
++ addr = atomic_load_64(&vd->addr);
++ iov[i].iov_len = len;
++ iov[i].iov_base = paddr_guest2host(ctx, addr, len);
+ if ((vd->flags & VRING_DESC_F_WRITE) == 0)
+ reqp->readable++;
+ else
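Review bot: In pci_nvme_sq_doorbell_valid() (pci_nvme.c), the test (value > capacity) compares the new tail index written by the guest against a count of slots, and the two non-empty branches appear to compute the number of queued entries minus one rather than the free slots: with head > tail the free space is head - tail - 1, and with tail > head it is size - (tail - head) - 1, which is the reverse of what the patch assigns. As written, a doorbell write that arrives while earlier entries are still queued (for example size 64, head 10, tail 12, new value 13) gets capacity 1 and is rejected with PCI_NVME_AEI_ERROR_INVALID_DB_VALUE. Please recheck the arithmetic, and consider bounding value against sq->size and checking its distance from the old tail instead. Separately, in the four log page hunks, sizeof(sc->err_log) - logoff (and the health_log, fw_log and ns_log equivalents) wraps to a large unsigned value if logoff exceeds the structure size, so the fix depends on a logoff bound check that is not visible in the hunk context; confirm that such a check precedes each nvme_prp_memcpy call.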
diff --git a/website/static/security/patches/SA-24:17/bhyve.patch.asc b/website/static/security/patches/SA-24:17/bhyve.patch.asc
new file mode 100644
index 0000000000..b0e77ab5b8
--- /dev/null
+++ b/website/static/security/patches/SA-24:17/bhyve.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=hyaX
+-----END PGP SIGNATURE-----
*** 88 LINES SKIPPED ***