diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 3c30ea9bd5..1a44fe400f 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,2887 +1,2915 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-26:24.cap_net" +date = "2026-05-20" + +[[advisories]] +name = "FreeBSD-SA-26:23.bsdinstall" +date = "2026-05-20" + +[[advisories]] +name = "FreeBSD-SA-26:22.libcasper" +date = "2026-05-20" + +[[advisories]] +name = "FreeBSD-SA-26:21.ptrace" +date = "2026-05-20" + +[[advisories]] +name = "FreeBSD-SA-26:20.fusefs" +date = "2026-05-20" + +[[advisories]] +name = "FreeBSD-SA-26:19.file" +date = "2026-05-20" + +[[advisories]] +name = "FreeBSD-SA-26:18.setcred" +date = "2026-05-20" + [[advisories]] name = "FreeBSD-SA-26:17.libnv" date = "2026-04-29" [[advisories]] name = "FreeBSD-SA-26:16.libnv" date = "2026-04-29" [[advisories]] name = "FreeBSD-SA-26:15.dhclient" date = "2026-04-29" [[advisories]] name = "FreeBSD-SA-26:14.pf" date = "2026-04-29" [[advisories]] name = "FreeBSD-SA-26:13.exec" date = "2026-04-29" [[advisories]] name = "FreeBSD-SA-26:12.dhclient" date = "2026-04-29" [[advisories]] name = "FreeBSD-SA-26:11.amd64" date = "2026-04-21" [[advisories]] name = "FreeBSD-SA-26:10.tty" date = "2026-04-21" [[advisories]] name = "FreeBSD-SA-26:09.pf" date = "2026-03-26" [[advisories]] name = "FreeBSD-SA-26:08.rpcsec_gss" date = "2026-03-26" [[advisories]] name = "FreeBSD-SA-26:07.nvmf" date = "2026-03-26" [[advisories]] name = "FreeBSD-SA-26:06.tcp" date = "2026-03-26" [[advisories]] name = "FreeBSD-SA-26:05.route" date = "2026-02-24" [[advisories]] name = "FreeBSD-SA-26:04.jail" date = "2026-02-24" [[advisories]] name = "FreeBSD-SA-26:03.blocklistd" date = "2026-02-10" [[advisories]] name = "FreeBSD-SA-26:02.jail" date = "2026-01-27" [[advisories]] name = "FreeBSD-SA-26:01.openssl" date = "2026-01-27" [[advisories]] name = "FreeBSD-SA-25:12.rtsold" date = "2025-12-16" [[advisories]] name = "FreeBSD-SA-25:11.ipfw" date = "2025-12-16" [[advisories]] name = "FreeBSD-SA-25:10.unbound" date = "2025-11-26" [[advisories]] name = "FreeBSD-SA-25:09.netinet" date = "2025-10-22" [[advisories]] name = "FreeBSD-SA-25:08.openssl" date = "2025-09-30" [[advisories]] name = "FreeBSD-SA-25:07.libarchive" date = "2025-08-08" [[advisories]] name = "FreeBSD-SA-25:06.xz" date = "2025-07-02" [[advisories]] name = "FreeBSD-SA-25:05.openssh" date = "2025-02-21" [[advisories]] name = "FreeBSD-SA-25:04.ktrace" date = "2025-01-29" [[advisories]] name = "FreeBSD-SA-25:03.etcupdate" date = "2025-01-29" [[advisories]] name = "FreeBSD-SA-25:02.fs" date = "2025-01-29" [[advisories]] name = "FreeBSD-SA-25:01.openssh" date = "2025-01-29" [[advisories]] name = "FreeBSD-SA-24:19.fetch" date = "2024-10-29" [[advisories]] name = "FreeBSD-SA-24:18.ctl" date = "2024-10-29" [[advisories]] name = "FreeBSD-SA-24:17.bhyve" date = "2024-10-29" [[advisories]] name = "FreeBSD-SA-24:16.libnv" date = "2024-09-19" [[advisories]] name = "FreeBSD-SA-24:15.bhyve" date = "2024-09-19" [[advisories]] name = "FreeBSD-SA-24:14.umtx" date = "2024-09-04" [[advisories]] name = "FreeBSD-SA-24:13.openssl" date = "2024-09-04" [[advisories]] name = "FreeBSD-SA-24:12.bhyve" date = "2024-09-04" [[advisories]] name = "FreeBSD-SA-24:11.ctl" date = "2024-09-04" [[advisories]] name = "FreeBSD-SA-24:10.bhyve" date = "2024-09-04" [[advisories]] name = "FreeBSD-SA-24:09.libnv" date = "2024-09-04" [[advisories]] name = "FreeBSD-SA-24:08.openssh" date = "2024-08-07" [[advisories]] name = "FreeBSD-SA-24:07.nfsclient" date = "2024-08-07" [[advisories]] name = "FreeBSD-SA-24:06.ktrace" date = "2024-08-07" [[advisories]] name = "FreeBSD-SA-24:05.pf" date = "2024-08-07" [[advisories]] name = "FreeBSD-SA-24:04.openssh" date = "2024-07-01" [[advisories]] name = "FreeBSD-SA-24:03.unbound" date = "2024-03-28" [[advisories]] name = "FreeBSD-SA-24:02.tty" date = "2024-02-14" [[advisories]] name = "FreeBSD-SA-24:01.bhyveload" date = "2024-02-14" [[advisories]] name = "FreeBSD-SA-23:19.openssh" date = "2023-12-19" [[advisories]] name = "FreeBSD-SA-23:18.nfsclient" date = "2023-12-12" [[advisories]] name = "FreeBSD-SA-23:17.pf" date = "2023-12-05" [[advisories]] name = "FreeBSD-SA-23:16.cap_net" date = "2023-11-08" [[advisories]] name = "FreeBSD-SA-23:15.stdio" date = "2023-11-08" [[advisories]] name = "FreeBSD-SA-23:14.smccc" date = "2023-10-03" [[advisories]] name = "FreeBSD-SA-23:13.capsicum" date = "2023-10-03" [[advisories]] name = "FreeBSD-SA-23:12.msdosfs" date = "2023-10-03" [[advisories]] name = "FreeBSD-SA-23:11.wifi" date = "2023-09-06" [[advisories]] name = "FreeBSD-SA-23:10.pf" date = "2023-09-06" [[advisories]] name = "FreeBSD-SA-23:09.pam_krb5" date = "2023-08-01" [[advisories]] name = "FreeBSD-SA-23:08.ssh" date = "2023-08-01" [[advisories]] name = "FreeBSD-SA-23:07.bhyve" date = "2023-08-01" [[advisories]] name = "FreeBSD-SA-23:06.ipv6" date = "2023-08-01" [[advisories]] name = "FreeBSD-SA-23:05.openssh" date = "2023-06-21" [[advisories]] name = "FreeBSD-SA-23:04.pam_krb5" date = "2023-06-21" [[advisories]] name = "FreeBSD-SA-23:03.openssl" date = "2023-02-16" [[advisories]] name = "FreeBSD-SA-23:02.openssh" date = "2023-02-16" [[advisories]] name = "FreeBSD-SA-23:01.geli" date = "2023-02-08" [[advisories]] name = "FreeBSD-SA-22:15.ping" date = "2022-11-29" [[advisories]] name = "FreeBSD-SA-22:14.heimdal" date = "2022-11-15" [[advisories]] name = "FreeBSD-SA-22:13.zlib" date = "2022-08-30" [[advisories]] name = "FreeBSD-SA-22:12.lib9p" date = "2022-08-09" [[advisories]] name = "FreeBSD-SA-22:11.vm" date = "2022-08-09" [[advisories]] name = "FreeBSD-SA-22:10.aio" date = "2022-08-09" [[advisories]] name = "FreeBSD-SA-22:09.elf" date = "2022-08-09" [[advisories]] name = "FreeBSD-SA-22:08.zlib" date = "2022-04-06" [[advisories]] name = "FreeBSD-SA-22:07.wifi_meshid" date = "2022-04-06" [[advisories]] name = "FreeBSD-SA-22:06.ioctl" date = "2022-04-06" [[advisories]] name = "FreeBSD-SA-22:05.bhyve" date = "2022-04-06" [[advisories]] name = "FreeBSD-SA-22:04.netmap" date = "2022-04-06" [[advisories]] name = "FreeBSD-SA-22:03.openssl" date = "2022-03-15" [[advisories]] name = "FreeBSD-SA-22:02.wifi" date = "2022-03-15" [[advisories]] name = "FreeBSD-SA-22:01.vt" date = "2022-01-11" [[advisories]] name = "FreeBSD-SA-21:17.openssl" date = "2021-08-24" [[advisories]] name = "FreeBSD-SA-21:16.openssl" date = "2021-08-24" [[advisories]] name = "FreeBSD-SA-21:15.libfetch" date = "2021-08-24" [[advisories]] name = "FreeBSD-SA-21:14.ggatec" date = "2021-08-24" [[advisories]] name = "FreeBSD-SA-21:13.bhyve" date = "2021-08-24" [[advisories]] name = "FreeBSD-SA-21:12.libradius" date = "2021-05-26" [[advisories]] name = "FreeBSD-SA-21:11.smap" date = "2021-05-26" [[advisories]] name = "FreeBSD-SA-21:10.jail_mount" date = "2021-04-06" [[advisories]] name = "FreeBSD-SA-21:09.accept_filter" date = "2021-04-06" [[advisories]] name = "FreeBSD-SA-21:08.vm" date = "2021-04-06" [[advisories]] name = "FreeBSD-SA-21:07.openssl" date = "2021-03-25" [[advisories]] name = "FreeBSD-SA-21:06.xen" date = "2021-02-24" [[advisories]] name = "FreeBSD-SA-21:05.jail_chdir" date = "2021-02-24" [[advisories]] name = "FreeBSD-SA-21:04.jail_remove" date = "2021-02-24" [[advisories]] name = "FreeBSD-SA-21:03.pam_login_access" date = "2021-02-24" [[advisories]] name = "FreeBSD-SA-21:02.xenoom" date = "2021-01-29" [[advisories]] name = "FreeBSD-SA-21:01.fsdisclosure" date = "2021-01-29" [[advisories]] name = "FreeBSD-SA-20:33.openssl" date = "2020-12-08" [[advisories]] name = "FreeBSD-SA-20:32.rtsold" date = "2020-12-01" [[advisories]] name = "FreeBSD-SA-20:31.icmp6" date = "2020-12-01" [[advisories]] name = "FreeBSD-SA-20:30.ftpd" date = "2020-09-15" [[advisories]] name = "FreeBSD-SA-20:29.bhyve_svm" date = "2020-09-15" [[advisories]] name = "FreeBSD-SA-20:28.bhyve_vmcs" date = "2020-09-15" [[advisories]] name = "FreeBSD-SA-20:27.ure" date = "2020-09-15" [[advisories]] name = "FreeBSD-SA-20:26.dhclient" date = "2020-09-02" [[advisories]] name = "FreeBSD-SA-20:25.sctp" date = "2020-09-02" [[advisories]] name = "FreeBSD-SA-20:24.ipv6" date = "2020-09-02" [[advisories]] name = "FreeBSD-SA-20:23.sendmsg" date = "2020-08-05" [[advisories]] name = "FreeBSD-SA-20:22.sqlite" date = "2020-08-05" [[advisories]] name = "FreeBSD-SA-20:21.usb_net" date = "2020-08-05" [[advisories]] name = "FreeBSD-SA-20:20.ipv6" date = "2020-07-08" [[advisories]] name = "FreeBSD-SA-20:19.unbound" date = "2020-07-08" [[advisories]] name = "FreeBSD-SA-20:18.posix_spawnp" date = "2020-07-08" [[advisories]] name = "FreeBSD-SA-20:17.usb" date = "2020-06-09" [[advisories]] name = "FreeBSD-SA-20:16.cryptodev" date = "2020-05-12" [[advisories]] name = "FreeBSD-SA-20:15.cryptodev" date = "2020-05-12" [[advisories]] name = "FreeBSD-SA-20:14.sctp" date = "2020-05-12" [[advisories]] name = "FreeBSD-SA-20:13.libalias" date = "2020-05-12" [[advisories]] name = "FreeBSD-SA-20:12.libalias" date = "2020-05-12" [[advisories]] name = "FreeBSD-SA-20:11.openssl" date = "2020-04-21" [[advisories]] name = "FreeBSD-SA-20:10.ipfw" date = "2020-04-21" [[advisories]] name = "FreeBSD-SA-20:09.ntp" date = "2020-03-19" [[advisories]] name = "FreeBSD-SA-20:08.jail" date = "2020-03-19" [[advisories]] name = "FreeBSD-SA-20:07.epair" date = "2020-03-19" [[advisories]] name = "FreeBSD-SA-20:06.if_ixl_ioctl" date = "2020-03-19" [[advisories]] name = "FreeBSD-SA-20:05.if_oce_ioctl" date = "2020-03-19" [[advisories]] name = "FreeBSD-SA-20:04.tcp" date = "2020-03-19" [[advisories]] name = "FreeBSD-SA-20:03.thrmisc" date = "2020-01-28" [[advisories]] name = "FreeBSD-SA-20:02.ipsec" date = "2020-01-28" [[advisories]] name = "FreeBSD-SA-20:01.libfetch" date = "2020-01-28" [[advisories]] name = "FreeBSD-SA-19:26.mcu" date = "2019-11-12" [[advisories]] name = "FreeBSD-SA-19:25.mcepsc" date = "2019-11-12" [[advisories]] name = "FreeBSD-SA-19:24.mqueuefs" date = "2019-08-20" [[advisories]] name = "FreeBSD-SA-19:23.midi" date = "2019-08-20" [[advisories]] name = "FreeBSD-SA-19:22.mbuf" date = "2019-08-20" [[advisories]] name = "FreeBSD-SA-19:21.bhyve" date = "2019-08-06" [[advisories]] name = "FreeBSD-SA-19:20.bsnmp" date = "2019-08-06" [[advisories]] name = "FreeBSD-SA-19:19.mldv2" date = "2019-08-06" [[advisories]] name = "FreeBSD-SA-19:18.bzip2" date = "2019-08-06" [[advisories]] name = "FreeBSD-SA-19:17.fd" date = "2019-07-24" [[advisories]] name = "FreeBSD-SA-19:16.bhyve" date = "2019-07-24" [[advisories]] name = "FreeBSD-SA-19:15.mqueuefs" date = "2019-07-24" [[advisories]] name = "FreeBSD-SA-19:14.freebsd32" date = "2019-07-24" [[advisories]] name = "FreeBSD-SA-19:13.pts" date = "2019-07-24" [[advisories]] name = "FreeBSD-SA-19:12.telnet" date = "2019-07-24" [[advisories]] name = "FreeBSD-SA-19:11.cd_ioctl" date = "2019-07-02" [[advisories]] name = "FreeBSD-SA-19:10.ufs" date = "2019-07-02" [[advisories]] name = "FreeBSD-SA-19:09.iconv" date = "2019-07-02" [[advisories]] name = "FreeBSD-SA-19:08.rack" date = "2019-06-19" [[advisories]] name = "FreeBSD-SA-19:07.mds" date = "2019-05-14" [[advisories]] name = "FreeBSD-SA-19:06.pf" date = "2019-05-14" [[advisories]] name = "FreeBSD-SA-19:05.pf" date = "2019-05-14" [[advisories]] name = "FreeBSD-SA-19:04.ntp" date = "2019-05-14" [[advisories]] name = "FreeBSD-SA-19:03.wpa" date = "2019-05-14" [[advisories]] name = "FreeBSD-SA-19:02.fd" date = "2019-02-05" [[advisories]] name = "FreeBSD-SA-19:01.syscall" date = "2019-02-05" [[advisories]] name = "FreeBSD-SA-18:15.bootpd" date = "2018-12-19" [[advisories]] name = "FreeBSD-SA-18:14.bhyve" date = "2018-12-04" [[advisories]] name = "FreeBSD-SA-18:13.nfs" date = "2018-11-27" [[advisories]] name = "FreeBSD-SA-18:12.elf" date = "2018-09-12" [[advisories]] name = "FreeBSD-SA-18:11.hostapd" date = "2018-08-14" [[advisories]] name = "FreeBSD-SA-18:10.ip" date = "2018-08-14" [[advisories]] name = "FreeBSD-SA-18:09.l1tf" date = "2018-08-14" [[advisories]] name = "FreeBSD-SA-18:08.tcp" date = "2018-08-06" [[advisories]] name = "FreeBSD-SA-18:07.lazyfpu" date = "2018-06-21" [[advisories]] name = "FreeBSD-SA-18:06.debugreg" date = "2018-05-08" [[advisories]] name = "FreeBSD-SA-18:05.ipsec" date = "2018-04-04" [[advisories]] name = "FreeBSD-SA-18:04.vt" date = "2018-04-04" [[advisories]] name = "FreeBSD-SA-18:03.speculative_execution" date = "2018-03-14" [[advisories]] name = "FreeBSD-SA-18:02.ntp" date = "2018-03-07" [[advisories]] name = "FreeBSD-SA-18:01.ipsec" date = "2018-03-07" [[advisories]] name = "FreeBSD-SA-17:12.openssl" date = "2017-12-09" [[advisories]] name = "FreeBSD-SA-17:11.openssl" date = "2017-11-29" [[advisories]] name = "FreeBSD-SA-17:10.kldstat" date = "2017-11-15" [[advisories]] name = "FreeBSD-SA-17:09.shm" date = "2017-11-15" [[advisories]] name = "FreeBSD-SA-17:08.ptrace" date = "2017-11-15" [[advisories]] name = "FreeBSD-SA-17:07.wpa" date = "2017-10-17" [[advisories]] name = "FreeBSD-SA-17:06.openssh" date = "2017-08-10" [[advisories]] name = "FreeBSD-SA-17:05.heimdal" date = "2017-07-12" [[advisories]] name = "FreeBSD-SA-17:04.ipfilter" date = "2017-04-27" [[advisories]] name = "FreeBSD-SA-17:03.ntp" date = "2017-04-12" [[advisories]] name = "FreeBSD-SA-17:02.openssl" date = "2017-02-23" [[advisories]] name = "FreeBSD-SA-17:01.openssh" date = "2017-01-11" [[advisories]] name = "FreeBSD-SA-16:39.ntp" date = "2016-12-22" [[advisories]] name = "FreeBSD-SA-16:38.bhyve" date = "2016-12-06" [[advisories]] name = "FreeBSD-SA-16:37.libc" date = "2016-12-06" [[advisories]] name = "FreeBSD-SA-16:36.telnetd" date = "2016-12-06" [[advisories]] name = "FreeBSD-SA-16:35.openssl" date = "2016-11-02" [[advisories]] name = "FreeBSD-SA-16:34.bind" date = "2016-11-02" [[advisories]] name = "FreeBSD-SA-16:33.openssh" date = "2016-11-02" [[advisories]] name = "FreeBSD-SA-16:32.bhyve" date = "2016-10-25" [[advisories]] name = "FreeBSD-SA-16:31.libarchive" date = "2016-10-10" [[advisories]] name = "FreeBSD-SA-16:30.portsnap" date = "2016-10-10" [[advisories]] name = "FreeBSD-SA-16:29.bspatch" date = "2016-10-10" [[advisories]] name = "FreeBSD-SA-16:28.bind" date = "2016-10-10" [[advisories]] name = "FreeBSD-SA-16:27.openssl" date = "2016-10-10" [[advisories]] name = "FreeBSD-SA-16:26.openssl" date = "2016-09-23" [[advisories]] name = "FreeBSD-SA-16:25.bspatch" date = "2016-07-25" [[advisories]] name = "FreeBSD-SA-16:24.ntp" date = "2016-06-04" [[advisories]] name = "FreeBSD-SA-16:23.libarchive" date = "2016-05-31" [[advisories]] name = "FreeBSD-SA-16:22.libarchive" date = "2016-05-31" [[advisories]] name = "FreeBSD-SA-16:21.43bsd" date = "2016-05-31" [[advisories]] name = "FreeBSD-SA-16:20.linux" date = "2016-05-31" [[advisories]] name = "FreeBSD-SA-16:19.sendmsg" date = "2016-05-17" [[advisories]] name = "FreeBSD-SA-16:18.atkbd" date = "2016-05-17" [[advisories]] name = "FreeBSD-SA-16:17.openssl" date = "2016-05-04" [[advisories]] name = "FreeBSD-SA-16:16.ntp" date = "2016-04-29" [[advisories]] name = "FreeBSD-SA-16:15.sysarch" date = "2016-03-16" [[advisories]] name = "FreeBSD-SA-16:14.openssh" date = "2016-03-16" [[advisories]] name = "FreeBSD-SA-16:13.bind" date = "2016-03-10" [[advisories]] name = "FreeBSD-SA-16:12.openssl" date = "2016-03-10" [[advisories]] name = "FreeBSD-SA-16:11.openssl" date = "2016-01-30" [[advisories]] name = "FreeBSD-SA-16:10.linux" date = "2016-01-27" [[advisories]] name = "FreeBSD-SA-16:09.ntp" date = "2016-01-27" [[advisories]] name = "FreeBSD-SA-16:08.bind" date = "2016-01-27" [[advisories]] name = "FreeBSD-SA-16:07.openssh" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-16:06.bsnmpd" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-16:05.tcp" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-16:04.linux" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-16:03.linux" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-16:02.ntp" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-16:01.sctp" date = "2016-01-14" [[advisories]] name = "FreeBSD-SA-15:27.bind" date = "2015-12-16" [[advisories]] name = "FreeBSD-SA-15:26.openssl" date = "2015-12-06" [[advisories]] name = "FreeBSD-SA-15:25.ntp" date = "2015-10-26" [[advisories]] name = "FreeBSD-SA-15:24.rpcbind" date = "2015-09-29" [[advisories]] name = "FreeBSD-SA-15:23.bind" date = "2015-09-02" [[advisories]] name = "FreeBSD-SA-15:22.openssh" date = "2015-08-25" [[advisories]] name = "FreeBSD-SA-15:21.amd64" date = "2015-08-25" [[advisories]] name = "FreeBSD-SA-15:20.expat" date = "2015-08-18" [[advisories]] name = "FreeBSD-SA-15:19.routed" date = "2015-08-05" [[advisories]] name = "FreeBSD-SA-15:18.bsdpatch" date = "2015-08-05" [[advisories]] name = "FreeBSD-SA-15:17.bind" date = "2015-07-28" [[advisories]] name = "FreeBSD-SA-15:16.openssh" date = "2015-07-28" [[advisories]] name = "FreeBSD-SA-15:15.tcp" date = "2015-07-28" [[advisories]] name = "FreeBSD-SA-15:14.bsdpatch" date = "2015-07-28" [[advisories]] name = "FreeBSD-SA-15:13.tcp" date = "2015-07-21" [[advisories]] name = "FreeBSD-SA-15:12.openssl" date = "2015-07-09" [[advisories]] name = "FreeBSD-SA-15:11.bind" date = "2015-07-07" [[advisories]] name = "FreeBSD-SA-15:10.openssl" date = "2015-06-12" [[advisories]] name = "FreeBSD-SA-15:09.ipv6" date = "2015-04-07" [[advisories]] name = "FreeBSD-SA-15:08.bsdinstall" date = "2015-04-07" [[advisories]] name = "FreeBSD-SA-15:07.ntp" date = "2015-04-07" [[advisories]] name = "FreeBSD-SA-15:06.openssl" date = "2015-03-19" [[advisories]] name = "FreeBSD-SA-15:05.bind" date = "2015-02-25" [[advisories]] name = "FreeBSD-SA-15:04.igmp" date = "2015-02-25" [[advisories]] name = "FreeBSD-SA-15:03.sctp" date = "2015-01-27" [[advisories]] name = "FreeBSD-SA-15:02.kmem" date = "2015-01-27" [[advisories]] name = "FreeBSD-SA-15:01.openssl" date = "2015-01-14" [[advisories]] name = "FreeBSD-SA-14:31.ntp" date = "2014-12-23" [[advisories]] name = "FreeBSD-SA-14:30.unbound" date = "2014-12-17" [[advisories]] name = "FreeBSD-SA-14:29.bind" date = "2014-12-10" [[advisories]] name = "FreeBSD-SA-14:28.file" date = "2014-12-10" [[advisories]] name = "FreeBSD-SA-14:27.stdio" date = "2014-12-10" [[advisories]] name = "FreeBSD-SA-14:26.ftp" date = "2014-11-04" [[advisories]] name = "FreeBSD-SA-14:25.setlogin" date = "2014-11-04" [[advisories]] name = "FreeBSD-SA-14:24.sshd" date = "2014-11-04" [[advisories]] name = "FreeBSD-SA-14:23.openssl" date = "2014-10-21" [[advisories]] name = "FreeBSD-SA-14:22.namei" date = "2014-10-21" [[advisories]] name = "FreeBSD-SA-14:21.routed" date = "2014-10-21" [[advisories]] name = "FreeBSD-SA-14:20.rtsold" date = "2014-10-21" [[advisories]] name = "FreeBSD-SA-14:19.tcp" date = "2014-09-16" [[advisories]] name = "FreeBSD-SA-14:18.openssl" date = "2014-09-09" [[advisories]] name = "FreeBSD-SA-14:17.kmem" date = "2014-07-08" [[advisories]] name = "FreeBSD-SA-14:16.file" date = "2014-06-24" [[advisories]] name = "FreeBSD-SA-14:15.iconv" date = "2014-06-24" [[advisories]] name = "FreeBSD-SA-14:14.openssl" date = "2014-06-05" [[advisories]] name = "FreeBSD-SA-14:13.pam" date = "2014-06-03" [[advisories]] name = "FreeBSD-SA-14:12.ktrace" date = "2014-06-03" [[advisories]] name = "FreeBSD-SA-14:11.sendmail" date = "2014-06-03" [[advisories]] name = "FreeBSD-SA-14:10.openssl" date = "2014-05-13" [[advisories]] name = "FreeBSD-SA-14:09.openssl" date = "2014-04-30" [[advisories]] name = "FreeBSD-SA-14:08.tcp" date = "2014-04-30" [[advisories]] name = "FreeBSD-SA-14:07.devfs" date = "2014-04-30" [[advisories]] name = "FreeBSD-SA-14:06.openssl" date = "2014-04-08" [[advisories]] name = "FreeBSD-SA-14:05.nfsserver" date = "2014-04-08" [[advisories]] name = "FreeBSD-SA-14:04.bind" date = "2014-01-14" [[advisories]] name = "FreeBSD-SA-14:03.openssl" date = "2014-01-14" [[advisories]] name = "FreeBSD-SA-14:02.ntpd" date = "2014-01-14" [[advisories]] name = "FreeBSD-SA-14:01.bsnmpd" date = "2014-01-14" [[advisories]] name = "FreeBSD-SA-13:14.openssh" date = "2013-11-19" [[advisories]] name = "FreeBSD-SA-13:13.nullfs" date = "2013-09-10" [[advisories]] name = "FreeBSD-SA-13:12.ifioctl" date = "2013-09-10" [[advisories]] name = "FreeBSD-SA-13:11.sendfile" date = "2013-09-10" [[advisories]] name = "FreeBSD-SA-13:10.sctp" date = "2013-08-22" [[advisories]] name = "FreeBSD-SA-13:09.ip_multicast" date = "2013-08-22" [[advisories]] name = "FreeBSD-SA-13:08.nfsserver" date = "2013-07-26" [[advisories]] name = "FreeBSD-SA-13:07.bind" date = "2013-07-26" [[advisories]] name = "FreeBSD-SA-13:06.mmap" date = "2013-06-18" [[advisories]] name = "FreeBSD-SA-13:05.nfsserver" date = "2013-04-29" [[advisories]] name = "FreeBSD-SA-13:04.bind" date = "2013-04-02" [[advisories]] name = "FreeBSD-SA-13:03.openssl" date = "2013-04-02" [[advisories]] name = "FreeBSD-SA-13:02.libc" date = "2013-02-19" [[advisories]] name = "FreeBSD-SA-13:01.bind" date = "2013-02-19" [[advisories]] name = "FreeBSD-SA-12:08.linux" date = "2012-11-22" [[advisories]] name = "FreeBSD-SA-12:07.hostapd" date = "2012-11-22" [[advisories]] name = "FreeBSD-SA-12:06.bind" date = "2012-11-22" [[advisories]] name = "FreeBSD-SA-12:05.bind" date = "2012-08-06" [[advisories]] name = "FreeBSD-SA-12:04.sysret" date = "2012-06-12" [[advisories]] name = "FreeBSD-SA-12:03.bind" date = "2012-06-12" [[advisories]] name = "FreeBSD-SA-12:02.crypt" date = "2012-05-30" [[advisories]] name = "FreeBSD-SA-12:01.openssl" date = "2012-05-30" [[advisories]] name = "FreeBSD-SA-11:10.pam" date = "2011-12-23" [[advisories]] name = "FreeBSD-SA-11:09.pam_ssh" date = "2011-12-23" [[advisories]] name = "FreeBSD-SA-11:08.telnetd" date = "2011-12-23" [[advisories]] name = "FreeBSD-SA-11:07.chroot" date = "2011-12-23" [[advisories]] name = "FreeBSD-SA-11:06.bind" date = "2011-12-23" [[advisories]] name = "FreeBSD-SA-11:05.unix" date = "2011-09-28" [[advisories]] name = "FreeBSD-SA-11:04.compress" date = "2011-09-28" [[advisories]] name = "FreeBSD-SA-11:03.bind" date = "2011-09-28" [[advisories]] name = "FreeBSD-SA-11:02.bind" date = "2011-05-28" [[advisories]] name = "FreeBSD-SA-11:01.mountd" date = "2011-04-20" [[advisories]] name = "FreeBSD-SA-10:10.openssl" date = "2010-11-29" [[advisories]] name = "FreeBSD-SA-10:09.pseudofs" date = "2010-11-10" [[advisories]] name = "FreeBSD-SA-10:08.bzip2" date = "2010-09-20" [[advisories]] name = "FreeBSD-SA-10:07.mbuf" date = "2010-07-13" [[advisories]] name = "FreeBSD-SA-10:06.nfsclient" date = "2010-05-27" [[advisories]] name = "FreeBSD-SA-10:05.opie" date = "2010-05-27" [[advisories]] name = "FreeBSD-SA-10:04.jail" date = "2010-05-27" [[advisories]] name = "FreeBSD-SA-10:03.zfs" date = "2010-01-06" [[advisories]] name = "FreeBSD-SA-10:02.ntpd" date = "2010-01-06" [[advisories]] name = "FreeBSD-SA-10:01.bind" date = "2010-01-06" [[advisories]] name = "FreeBSD-SA-09:17.freebsd-update" date = "2009-12-03" [[advisories]] name = "FreeBSD-SA-09:16.rtld" date = "2009-12-03" [[advisories]] name = "FreeBSD-SA-09:15.ssl" date = "2009-12-03" [[advisories]] name = "FreeBSD-SA-09:14.devfs" date = "2009-10-02" [[advisories]] name = "FreeBSD-SA-09:13.pipe" date = "2009-10-02" [[advisories]] name = "FreeBSD-SA-09:12.bind" date = "2009-07-29" [[advisories]] name = "FreeBSD-SA-09:11.ntpd" date = "2009-06-10" [[advisories]] name = "FreeBSD-SA-09:10.ipv6" date = "2009-06-10" [[advisories]] name = "FreeBSD-SA-09:09.pipe" date = "2009-06-10" [[advisories]] name = "FreeBSD-SA-09:08.openssl" date = "2009-04-22" [[advisories]] name = "FreeBSD-SA-09:07.libc" date = "2009-04-22" [[advisories]] name = "FreeBSD-SA-09:06.ktimer" date = "2009-03-23" [[advisories]] name = "FreeBSD-SA-09:05.telnetd" date = "2009-02-16" [[advisories]] name = "FreeBSD-SA-09:04.bind" date = "2009-01-13" [[advisories]] name = "FreeBSD-SA-09:03.ntpd" date = "2009-01-13" [[advisories]] name = "FreeBSD-SA-09:02.openssl" date = "2009-01-07" [[advisories]] name = "FreeBSD-SA-09:01.lukemftpd" date = "2009-01-07" [[advisories]] name = "FreeBSD-SA-08:13.protosw" date = "2008-12-23" [[advisories]] name = "FreeBSD-SA-08:12.ftpd" date = "2008-12-23" [[advisories]] name = "FreeBSD-SA-08:11.arc4random" date = "2008-11-24" [[advisories]] name = "FreeBSD-SA-08:10.nd6" date = "2008-10-02" [[advisories]] name = "FreeBSD-SA-08:09.icmp6" date = "2008-09-03" [[advisories]] name = "FreeBSD-SA-08:08.nmount" date = "2008-09-03" [[advisories]] name = "FreeBSD-SA-08:07.amd64" date = "2008-09-03" [[advisories]] name = "FreeBSD-SA-08:06.bind" date = "2008-07-13" [[advisories]] name = "FreeBSD-SA-08:05.openssh" date = "2008-04-17" [[advisories]] name = "FreeBSD-SA-08:04.ipsec" date = "2008-02-14" [[advisories]] name = "FreeBSD-SA-08:03.sendfile" date = "2008-02-14" [[advisories]] name = "FreeBSD-SA-08:02.libc" date = "2008-01-14" [[advisories]] name = "FreeBSD-SA-08:01.pty" date = "2008-01-14" [[advisories]] name = "FreeBSD-SA-07:10.gtar" date = "2007-11-29" [[advisories]] name = "FreeBSD-SA-07:09.random" date = "2007-11-29" [[advisories]] name = "FreeBSD-SA-07:08.openssl" date = "2007-10-03" [[advisories]] name = "FreeBSD-SA-07:07.bind" date = "2007-08-01" [[advisories]] name = "FreeBSD-SA-07:06.tcpdump" date = "2007-08-01" [[advisories]] name = "FreeBSD-SA-07:05.libarchive" date = "2007-07-12" [[advisories]] name = "FreeBSD-SA-07:04.file" date = "2007-05-23" [[advisories]] name = "FreeBSD-SA-07:03.ipv6" date = "2007-04-26" [[advisories]] name = "FreeBSD-SA-07:02.bind" date = "2007-02-09" [[advisories]] name = "FreeBSD-SA-07:01.jail" date = "2007-01-11" [[advisories]] name = "FreeBSD-SA-06:26.gtar" date = "2006-12-06" [[advisories]] name = "FreeBSD-SA-06:25.kmem" date = "2006-12-06" [[advisories]] name = "FreeBSD-SA-06:24.libarchive" date = "2006-11-08" [[advisories]] name = "FreeBSD-SA-06:22.openssh" date = "2006-09-30" [[advisories]] name = "FreeBSD-SA-06:23.openssl" date = "2006-09-28" [[advisories]] name = "FreeBSD-SA-06:21.gzip" date = "2006-09-19" [[advisories]] name = "FreeBSD-SA-06:20.bind" date = "2006-09-06" [[advisories]] name = "FreeBSD-SA-06:19.openssl" date = "2006-09-06" [[advisories]] name = "FreeBSD-SA-06:18.ppp" date = "2006-08-23" [[advisories]] name = "FreeBSD-SA-06:17.sendmail" date = "2006-06-14" [[advisories]] name = "FreeBSD-SA-06:16.smbfs" date = "2006-05-31" [[advisories]] name = "FreeBSD-SA-06:15.ypserv" date = "2006-05-31" [[advisories]] name = "FreeBSD-SA-06:14.fpu" date = "2006-04-19" [[advisories]] name = "FreeBSD-SA-06:13.sendmail" date = "2006-03-22" [[advisories]] name = "FreeBSD-SA-06:12.opie" date = "2006-03-22" [[advisories]] name = "FreeBSD-SA-06:11.ipsec" date = "2006-03-22" [[advisories]] name = "FreeBSD-SA-06:10.nfs" date = "2006-03-01" [[advisories]] name = "FreeBSD-SA-06:09.openssh" date = "2006-03-01" [[advisories]] name = "FreeBSD-SA-06:08.sack" date = "2006-02-01" [[advisories]] name = "FreeBSD-SA-06:07.pf" date = "2006-01-25" [[advisories]] name = "FreeBSD-SA-06:06.kmem" date = "2006-01-25" [[advisories]] name = "FreeBSD-SA-06:05.80211" date = "2006-01-18" [[advisories]] name = "FreeBSD-SA-06:04.ipfw" date = "2006-01-11" [[advisories]] name = "FreeBSD-SA-06:03.cpio" date = "2006-01-11" [[advisories]] name = "FreeBSD-SA-06:02.ee" date = "2006-01-11" [[advisories]] name = "FreeBSD-SA-06:01.texindex" date = "2006-01-11" [[advisories]] name = "FreeBSD-SA-05:21.openssl" date = "2005-10-11" [[advisories]] name = "FreeBSD-SA-05:20.cvsbug" date = "2005-09-07" [[advisories]] name = "FreeBSD-SA-05:19.ipsec" date = "2005-07-27" [[advisories]] name = "FreeBSD-SA-05:18.zlib" date = "2005-07-27" [[advisories]] name = "FreeBSD-SA-05:17.devfs" date = "2005-07-20" [[advisories]] name = "FreeBSD-SA-05:16.zlib" date = "2005-07-06" [[advisories]] name = "FreeBSD-SA-05:15.tcp" date = "2005-06-29" [[advisories]] name = "FreeBSD-SA-05:14.bzip2" date = "2005-06-29" [[advisories]] name = "FreeBSD-SA-05:13.ipfw" date = "2005-06-29" [[advisories]] name = "FreeBSD-SA-05:12.bind9" date = "2005-06-09" [[advisories]] name = "FreeBSD-SA-05:11.gzip" date = "2005-06-09" [[advisories]] name = "FreeBSD-SA-05:10.tcpdump" date = "2005-06-09" [[advisories]] name = "FreeBSD-SA-05:09.htt" date = "2005-05-13" [[advisories]] name = "FreeBSD-SA-05:08.kmem" date = "2005-05-06" [[advisories]] name = "FreeBSD-SA-05:07.ldt" date = "2005-05-06" [[advisories]] name = "FreeBSD-SA-05:06.iir" date = "2005-05-06" [[advisories]] name = "FreeBSD-SA-05:05.cvs" date = "2005-04-22" [[advisories]] name = "FreeBSD-SA-05:04.ifconf" date = "2005-04-15" [[advisories]] name = "FreeBSD-SA-05:03.amd64" date = "2005-04-06" [[advisories]] name = "FreeBSD-SA-05:02.sendfile" date = "2005-04-04" [[advisories]] name = "FreeBSD-SA-05:01.telnet" date = "2005-03-28" [[advisories]] name = "FreeBSD-SA-04:17.procfs" date = "2004-12-01" [[advisories]] name = "FreeBSD-SA-04:16.fetch" date = "2004-11-18" [[advisories]] name = "FreeBSD-SA-04:15.syscons" date = "2004-10-04" [[advisories]] name = "FreeBSD-SA-04:14.cvs" date = "2004-09-19" [[advisories]] name = "FreeBSD-SA-04:13.linux" date = "2004-06-30" [[advisories]] name = "FreeBSD-SA-04:12.jailroute" date = "2004-06-07" [[advisories]] name = "FreeBSD-SA-04:11.msync" date = "2004-05-19" [[advisories]] name = "FreeBSD-SA-04:10.cvs" date = "2004-05-19" [[advisories]] name = "FreeBSD-SA-04:09.kadmind" date = "2004-05-05" [[advisories]] name = "FreeBSD-SA-04:08.heimdal" date = "2004-05-05" [[advisories]] name = "FreeBSD-SA-04:07.cvs" date = "2004-04-15" [[advisories]] name = "FreeBSD-SA-04:06.ipv6" date = "2004-03-29" [[advisories]] name = "FreeBSD-SA-04:05.openssl" date = "2004-03-17" [[advisories]] name = "FreeBSD-SA-04:04.tcp" date = "2004-03-02" [[advisories]] name = "FreeBSD-SA-04:03.jail" date = "2004-02-25" [[advisories]] name = "FreeBSD-SA-04:02.shmat" date = "2004-02-05" [[advisories]] name = "FreeBSD-SA-04:01.mksnap_ffs" date = "2004-01-30" [[advisories]] name = "FreeBSD-SA-03:19.bind" date = "2003-11-28" [[advisories]] name = "FreeBSD-SA-03:15.openssh" date = "2003-10-05" [[advisories]] name = "FreeBSD-SA-03:18.openssl" date = "2003-10-03" [[advisories]] name = "FreeBSD-SA-03:17.procfs" date = "2003-10-03" [[advisories]] name = "FreeBSD-SA-03:16.filedesc" date = "2003-10-02" [[advisories]] name = "FreeBSD-SA-03:14.arp" date = "2003-09-23" [[advisories]] name = "FreeBSD-SA-03:13.sendmail" date = "2003-09-17" [[advisories]] name = "FreeBSD-SA-03:12.openssh" date = "2003-09-16" [[advisories]] name = "FreeBSD-SA-03:11.sendmail" date = "2003-08-26" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1170" [[advisories]] name = "FreeBSD-SA-03:10.ibcs2" date = "2003-08-10" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1164" [[advisories]] name = "FreeBSD-SA-03:09.signal" date = "2003-08-10" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1163" [[advisories]] name = "FreeBSD-SA-03:08.realpath" date = "2003-08-03" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1158" [[advisories]] name = "FreeBSD-SN-03:02" date = "2003-04-08" [[advisories]] name = "FreeBSD-SN-03:01" date = "2003-04-07" [[advisories]] name = "FreeBSD-SA-03:07.sendmail" date = "2003-03-30" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1122" [[advisories]] name = "FreeBSD-SA-03:06.openssl" date = "2003-03-21" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1118" [[advisories]] name = "FreeBSD-SA-03:05.xdr" date = "2003-03-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1117" [[advisories]] name = "FreeBSD-SA-03:04.sendmail" date = "2003-03-03" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1112" [[advisories]] name = "FreeBSD-SA-03:03.syncookies" date = "2003-02-24" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1106" [[advisories]] name = "FreeBSD-SA-03:02.openssl" date = "2003-02-24" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1105" [[advisories]] name = "FreeBSD-SA-03:01.cvs" date = "2003-02-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1100" [[advisories]] name = "FreeBSD-SA-02:44.filedesc" date = "2003-01-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1090" [[advisories]] name = "FreeBSD-SA-02:43.bind" date = "2002-11-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1084" [[advisories]] name = "FreeBSD-SA-02:41.smrsh" date = "2002-11-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1082" [[advisories]] name = "FreeBSD-SA-02:42.resolv" date = "2002-11-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1083" [[advisories]] name = "FreeBSD-SA-02:40.kadmind" date = "2002-11-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1081" [[advisories]] name = "FreeBSD-SN-02:06" date = "2002-10-10" [[advisories]] name = "FreeBSD-SA-02:39.libkvm" date = "2002-09-16" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1051" [[advisories]] name = "FreeBSD-SN-02:05" date = "2002-08-28" [[advisories]] name = "FreeBSD-SA-02:38.signed-error" date = "2002-08-19" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1041" [[advisories]] name = "FreeBSD-SA-02:37.kqueue" date = "2002-08-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1033" [[advisories]] name = "FreeBSD-SA-02:36.nfs" date = "2002-08-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1032" [[advisories]] name = "FreeBSD-SA-02:35.ffs" date = "2002-08-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1031" [[advisories]] name = "FreeBSD-SA-02:33.openssl" date = "2002-08-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1023" [[advisories]] name = "FreeBSD-SA-02:34.rpc" date = "2002-08-01" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1024" [[advisories]] name = "FreeBSD-SA-02:32.pppd" date = "2002-07-31" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1022" [[advisories]] name = "FreeBSD-SA-02:31.openssh" date = "2002-07-15" [[advisories]] name = "FreeBSD-SA-02:30.ktrace" date = "2002-07-12" [[advisories]] name = "FreeBSD-SA-02:29.tcpdump" date = "2002-07-12" [[advisories]] name = "FreeBSD-SA-02:28.resolv" date = "2002-06-26" [[advisories]] name = "FreeBSD-SN-02:04" date = "2002-06-19" [[advisories]] name = "FreeBSD-SA-02:27.rc" date = "2002-05-29" [[advisories]] name = "FreeBSD-SA-02:26.accept" date = "2002-05-29" [[advisories]] name = "FreeBSD-SN-02:03" date = "2002-05-28" [[advisories]] name = "FreeBSD-SA-02:25.bzip2" date = "2002-05-20" [[advisories]] name = "FreeBSD-SA-02:24.k5su" date = "2002-05-20" [[advisories]] name = "FreeBSD-SN-02:02" date = "2002-05-13" [[advisories]] name = "FreeBSD-SA-02:23.stdio" date = "2002-04-22" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1021" [[advisories]] name = "FreeBSD-SA-02:22.mmap" date = "2002-04-18" [[advisories]] name = "FreeBSD-SA-02:21.tcpip" date = "2002-04-17" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/980" [[advisories]] name = "FreeBSD-SA-02:20.syncache" date = "2002-04-16" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/979" [[advisories]] name = "FreeBSD-SN-02:01" date = "2002-03-30" [[advisories]] name = "FreeBSD-SA-02:19.squid" date = "2002-03-26" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/960" [[advisories]] name = "FreeBSD-SA-02:18.zlib" date = "2002-03-18" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/978" [[advisories]] name = "FreeBSD-SA-02:17.mod_frontpage" date = "2002-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/954" [[advisories]] name = "FreeBSD-SA-02:16.netscape" date = "2002-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/953" [[advisories]] name = "FreeBSD-SA-02:15.cyrus-sasl" date = "2002-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/952" [[advisories]] name = "FreeBSD-SA-02:14.pam-pgsql" date = "2002-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/951" [[advisories]] name = "FreeBSD-SA-02:13.openssh" date = "2002-03-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/945" [[advisories]] name = "FreeBSD-SA-02:12.squid" date = "2002-02-21" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/938" [[advisories]] name = "FreeBSD-SA-02:11.snmp" date = "2002-02-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/936" [[advisories]] name = "FreeBSD-SA-02:10.rsync" date = "2002-02-06" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/928" [[advisories]] name = "FreeBSD-SA-02:09.fstatfs" date = "2002-02-06" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/927" [[advisories]] name = "FreeBSD-SA-02:08.exec" date = "2002-01-24" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/923" [[advisories]] name = "FreeBSD-SA-02:07.k5su" date = "2002-01-18" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/912" [[advisories]] name = "FreeBSD-SA-02:06.sudo" date = "2002-01-16" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/909" [[advisories]] name = "FreeBSD-SA-02:05.pine" date = "2002-01-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/894" [[advisories]] name = "FreeBSD-SA-02:04.mutt" date = "2002-01-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/893" [[advisories]] name = "FreeBSD-SA-02:03.mod_auth_pgsql" date = "2002-01-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/892" [[advisories]] name = "FreeBSD-SA-02:02.pw" date = "2002-01-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/891" [[advisories]] name = "FreeBSD-SA-02:01.pkg_add" date = "2002-01-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/898" [[advisories]] name = "FreeBSD-SA-01:64.wu-ftpd" date = "2001-12-04" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/870" [[advisories]] name = "FreeBSD-SA-01:63.openssh" date = "2001-12-02" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/871" [[advisories]] name = "FreeBSD-SA-01:62.uucp" date = "2001-10-08" [[advisories]] name = "FreeBSD-SA-01:61.squid" date = "2001-10-08" [[advisories]] name = "FreeBSD-SA-01:60.procmail" date = "2001-09-24" [[advisories]] name = "FreeBSD-SA-01:59.rmuser" date = "2001-09-04" [[advisories]] name = "FreeBSD-SA-01:58.lpd" date = "2001-08-30" [[advisories]] name = "FreeBSD-SA-01:57.sendmail" date = "2001-08-27" [[advisories]] name = "FreeBSD-SA-01:56.tcp_wrappers" date = "2001-08-23" [[advisories]] name = "FreeBSD-SA-01:55.procfs" date = "2001-08-21" [[advisories]] name = "FreeBSD-SA-01:54.ports-telnetd" date = "2001-08-20" [[advisories]] name = "FreeBSD-SA-01:53.ipfw" date = "2001-08-17" [[advisories]] name = "FreeBSD-SA-01:52.fragment" date = "2001-08-06" [[advisories]] name = "FreeBSD-SA-01:51.openssl" date = "2001-07-30" [[advisories]] name = "FreeBSD-SA-01:50.windowmaker" date = "2001-07-27" [[advisories]] name = "FreeBSD-SA-01:49.telnetd" date = "2001-07-23" [[advisories]] name = "FreeBSD-SA-01:48.tcpdump" date = "2001-07-17" [[advisories]] name = "FreeBSD-SA-01:47.xinetd" date = "2001-07-10" [[advisories]] name = "FreeBSD-SA-01:46.w3m" date = "2001-07-10" [[advisories]] name = "FreeBSD-SA-01:45.samba" date = "2001-07-10" [[advisories]] name = "FreeBSD-SA-01:44.gnupg" date = "2001-07-10" [[advisories]] name = "FreeBSD-SA-01:43.fetchmail" date = "2001-07-10" [[advisories]] name = "FreeBSD-SA-01:42.signal" date = "2001-07-10" [[advisories]] name = "FreeBSD-SA-01:41.hanterm" date = "2001-07-09" [[advisories]] name = "FreeBSD-SA-01:40.fts" date = "2001-06-04" [[advisories]] name = "FreeBSD-SA-01:39.tcp-isn" date = "2001-05-02" [[advisories]] name = "FreeBSD-SA-01:38.sudo" date = "2001-04-23" [[advisories]] name = "FreeBSD-SA-01:37.slrn" date = "2001-04-23" [[advisories]] name = "FreeBSD-SA-01:36.samba" date = "2001-04-23" [[advisories]] name = "FreeBSD-SA-01:35.licq" date = "2001-04-23" [[advisories]] name = "FreeBSD-SA-01:34.hylafax" date = "2001-04-23" [[advisories]] name = "FreeBSD-SA-01:33.ftpd-glob" date = "2001-04-17" [[advisories]] name = "FreeBSD-SA-01:32.ipfilter" date = "2001-04-16" [[advisories]] name = "FreeBSD-SA-01:31.ntpd" date = "2001-04-06" [[advisories]] name = "FreeBSD-SA-01:30.ufs-ext2fs" date = "2001-03-22" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/738" [[advisories]] name = "FreeBSD-SA-01:29.rwhod" date = "2001-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/732" [[advisories]] name = "FreeBSD-SA-01:28.timed" date = "2001-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/731" [[advisories]] name = "FreeBSD-SA-01:27.cfengine" date = "2001-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/730" [[advisories]] name = "FreeBSD-SA-01:26.interbase" date = "2001-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/729" [[advisories]] name = "FreeBSD-SA-01:23.icecast" date = "2001-03-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/728" [[advisories]] name = "FreeBSD-SA-01:25.kerberosIV" date = "2001-02-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/716" [[advisories]] name = "FreeBSD-SA-01:24.ssh" date = "2001-02-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/715" [[advisories]] name = "FreeBSD-SA-01:22.dc20ctrl" date = "2001-02-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/714" [[advisories]] name = "FreeBSD-SA-01:21.ja-elvis" date = "2001-02-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/713" [[advisories]] name = "FreeBSD-SA-01:20.mars_nwe" date = "2001-02-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/712" [[advisories]] name = "FreeBSD-SA-01:19.ja-klock" date = "2001-02-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/707" [[advisories]] name = "FreeBSD-SA-01:18.bind" date = "2001-01-31" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/706" [[advisories]] name = "FreeBSD-SA-01:17.exmh" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/705" [[advisories]] name = "FreeBSD-SA-01:16.mysql" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/704" [[advisories]] name = "FreeBSD-SA-01:15.tinyproxy" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/703" [[advisories]] name = "FreeBSD-SA-01:14.micq" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/702" [[advisories]] name = "FreeBSD-SA-01:13.sort" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/701" [[advisories]] name = "FreeBSD-SA-01:12.periodic" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/700" [[advisories]] name = "FreeBSD-SA-01:11.inetd" date = "2001-01-29" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/699" [[advisories]] name = "FreeBSD-SA-01:10.bind" date = "2001-01-23" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/698" [[advisories]] name = "FreeBSD-SA-01:09.crontab" date = "2001-01-23" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/697" [[advisories]] name = "FreeBSD-SA-01:08.ipfw" date = "2001-01-23" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/696" [[advisories]] name = "FreeBSD-SA-01:07.xfree86" date = "2001-01-23" [[advisories]] name = "FreeBSD-SA-01:06.zope" date = "2001-01-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/669" [[advisories]] name = "FreeBSD-SA-01:05.stunnel" date = "2001-01-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/668" [[advisories]] name = "FreeBSD-SA-01:04.joe" date = "2001-01-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/667" [[advisories]] name = "FreeBSD-SA-01:03.bash1" date = "2001-01-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/666" [[advisories]] name = "FreeBSD-SA-01:02.syslog-ng" date = "2001-01-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/665" [[advisories]] name = "FreeBSD-SA-01:01.openssh" date = "2001-01-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/664" [[advisories]] name = "FreeBSD-SA-00:81.ethereal" date = "2000-12-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/651" [[advisories]] name = "FreeBSD-SA-00:80.halflifeserver" date = "2000-12-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/650" [[advisories]] name = "FreeBSD-SA-00:79.oops" date = "2000-12-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/649" [[advisories]] name = "FreeBSD-SA-00:78.bitchx" date = "2000-12-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/648" [[advisories]] name = "FreeBSD-SA-00:77.procfs" date = "2000-12-18" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/647" [[advisories]] name = "FreeBSD-SA-00:76.tcsh-csh" date = "2000-11-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/628" [[advisories]] name = "FreeBSD-SA-00:75.php" date = "2000-11-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/627" [[advisories]] name = "FreeBSD-SA-00:74.gaim" date = "2000-11-20" [[advisories]] name = "FreeBSD-SA-00:73.thttpd" date = "2000-11-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/626" [[advisories]] name = "FreeBSD-SA-00:72.curl" date = "2000-11-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/625" [[advisories]] name = "FreeBSD-SA-00:71.mgetty" date = "2000-11-20" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/624" [[advisories]] name = "FreeBSD-SA-00:70.ppp-nat" date = "2000-11-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/623" [[advisories]] name = "FreeBSD-SA-00:69.telnetd" date = "2000-11-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/622" [[advisories]] name = "FreeBSD-SA-00:68.ncurses" date = "2000-11-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/621" [[advisories]] name = "FreeBSD-SA-00:67.gnupg" date = "2000-11-10" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/620" [[advisories]] name = "FreeBSD-SA-00:66.netscape" date = "2000-11-06" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/619" [[advisories]] name = "FreeBSD-SA-00:65.xfce" date = "2000-11-06" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/618" [[advisories]] name = "FreeBSD-SA-00:64.global" date = "2000-11-06" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/617" [[advisories]] name = "FreeBSD-SA-00:63.getnameinfo" date = "2000-11-01" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/589" [[advisories]] name = "FreeBSD-SA-00:62.top" date = "2000-11-01" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/616" [[advisories]] name = "FreeBSD-SA-00:61.tcpdump" date = "2000-10-31" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/615" [[advisories]] name = "FreeBSD-SA-00:60.boa" date = "2000-10-30" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/586" [[advisories]] name = "FreeBSD-SA-00:59.pine" date = "2000-10-30" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/585" [[advisories]] name = "FreeBSD-SA-00:58.chpass" date = "2000-10-30" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/584" [[advisories]] name = "FreeBSD-SA-00:57.muh" date = "2000-10-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/570" [[advisories]] name = "FreeBSD-SA-00:56.lprng" date = "2000-10-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/569" [[advisories]] name = "FreeBSD-SA-00:55.xpdf" date = "2000-10-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/568" [[advisories]] name = "FreeBSD-SA-00:54.fingerd" date = "2000-10-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/567" [[advisories]] name = "FreeBSD-SA-00:52.tcp-iss" date = "2000-10-06" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/561" [[advisories]] name = "FreeBSD-SA-00:53.catopen" date = "2000-09-27" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/562" [[advisories]] name = "FreeBSD-SA-00:51.mailman" date = "2000-09-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/550" [[advisories]] name = "FreeBSD-SA-00:50.listmanager" date = "2000-09-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/549" [[advisories]] name = "FreeBSD-SA-00:49.eject" date = "2000-09-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/548" [[advisories]] name = "FreeBSD-SA-00:48.xchat" date = "2000-09-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/547" [[advisories]] name = "FreeBSD-SA-00:47.pine" date = "2000-09-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/546" [[advisories]] name = "FreeBSD-SA-00:46.screen" date = "2000-09-13" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/545" [[advisories]] name = "FreeBSD-SA-00:45.esound" date = "2000-08-31" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/526" [[advisories]] name = "FreeBSD-SA-00:44.xlock" date = "2000-08-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/523" [[advisories]] name = "FreeBSD-SA-00:43.brouted" date = "2000-08-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/520" [[advisories]] name = "FreeBSD-SA-00:42.linux" date = "2000-08-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/530" [[advisories]] name = "FreeBSD-SA-00:41.elf" date = "2000-08-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/527" [[advisories]] name = "FreeBSD-SA-00:40.mopd" date = "2000-08-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/521" [[advisories]] name = "FreeBSD-SA-00:39.netscape" date = "2000-08-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/528" [[advisories]] name = "FreeBSD-SA-00:38.zope" date = "2000-08-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/525" [[advisories]] name = "FreeBSD-SA-00:37.cvsweb" date = "2000-08-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/524" [[advisories]] name = "FreeBSD-SA-00:36.ntop" date = "2000-08-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/531" [[advisories]] name = "FreeBSD-SA-00:35.proftpd" date = "2000-08-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/522" [[advisories]] name = "FreeBSD-SA-00:34.dhclient" date = "2000-08-14" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/529" [[advisories]] name = "FreeBSD-SA-00:33.kerberosIV" date = "2000-07-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/488" [[advisories]] name = "FreeBSD-SA-00:32.bitchx" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/487" [[advisories]] name = "FreeBSD-SA-00:31.canna" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/486" [[advisories]] name = "FreeBSD-SA-00:30.openssh" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/485" [[advisories]] name = "FreeBSD-SA-00:29.wu-ftpd" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/489" [[advisories]] name = "FreeBSD-SA-00:28.majordomo" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/484" [[advisories]] name = "FreeBSD-SA-00:27.XFree86-4" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/483" [[advisories]] name = "FreeBSD-SA-00:26.popper" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/482" [[advisories]] name = "FreeBSD-SA-00:24.libedit" date = "2000-07-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/481" [[advisories]] name = "FreeBSD-SA-00:23.ip-options" date = "2000-06-19" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/480" [[advisories]] name = "FreeBSD-SA-00:25.alpha-random" date = "2000-06-12" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/473" [[advisories]] name = "FreeBSD-SA-00:22.apsfilter" date = "2000-06-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/461" [[advisories]] name = "FreeBSD-SA-00:21.ssh" date = "2000-06-07" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/459" [[advisories]] name = "FreeBSD-SA-00:20.krb5" date = "2000-05-26" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/452" [[advisories]] name = "FreeBSD-SA-00:19.semconfig" date = "2000-05-23" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/451" [[advisories]] name = "FreeBSD-SA-00:18.gnapster.knapster" date = "2000-05-09" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/429" [[advisories]] name = "FreeBSD-SA-00:17.libmytinfo" date = "2000-05-09" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/442" [[advisories]] name = "FreeBSD-SA-00:16.golddig" date = "2000-05-09" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/439" [[advisories]] name = "FreeBSD-SA-00:15.imap-uw" date = "2000-04-24" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/438" [[advisories]] name = "FreeBSD-SA-00:14.imap-uw" date = "2000-04-24" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/441" [[advisories]] name = "FreeBSD-SA-00:13.generic-nqs" date = "2000-04-19" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/437" [[advisories]] name = "FreeBSD-SA-00:12.healthd" date = "2000-04-10" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/436" [[advisories]] name = "FreeBSD-SA-00:11.ircii" date = "2000-04-10" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/440" [[advisories]] name = "FreeBSD-SA-00:10.orville-write" date = "2000-03-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/408" [[advisories]] name = "FreeBSD-SA-00:09.mtr" date = "2000-03-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/408" [[advisories]] name = "FreeBSD-SA-00:08.lynx" date = "2000-03-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/407" [[advisories]] name = "FreeBSD-SA-00:07.mh" date = "2000-03-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/411" [[advisories]] name = "FreeBSD-SA-00:06.htdig" date = "2000-03-01" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/403" [[advisories]] name = "FreeBSD-SA-00:05.mysql" date = "2000-02-28" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/402" [[advisories]] name = "FreeBSD-SA-00:04.delegate" date = "2000-02-19" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/392" [[advisories]] name = "FreeBSD-SA-00:03.asmon" date = "2000-02-19" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/391" [[advisories]] name = "FreeBSD-SA-00:02.procfs" date = "2000-01-24" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/380" [[advisories]] name = "FreeBSD-SA-00:01.make" date = "2000-01-19" [[advisories]] name = "FreeBSD-SA-99:06.amd" date = "1999-09-16" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/318" [[advisories]] name = "FreeBSD-SA-99:05.fts" date = "1999-09-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/313" [[advisories]] name = "FreeBSD-SA-99:04.core" date = "1999-09-15" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/312" [[advisories]] name = "FreeBSD-SA-99:03.ftpd" date = "1999-09-05" link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/311" [[advisories]] name = "FreeBSD-SA-99:02.profil" date = "1999-09-04" [[advisories]] name = "FreeBSD-SA-99:01.chflags" date = "1999-09-04" [[advisories]] name = "FreeBSD-SA-98:08.fragment" date = "1998-11-04" [[advisories]] name = "FreeBSD-SA-98:07.rst" date = "1998-10-13" [[advisories]] name = "FreeBSD-SA-98:06.icmp" date = "1998-06-10" [[advisories]] name = "FreeBSD-SA-98:05.nfs" date = "1998-06-04" [[advisories]] name = "FreeBSD-SA-98:04.mmap" date = "1998-06-02" [[advisories]] name = "FreeBSD-SA-98:03.ttcp" date = "1998-05-14" [[advisories]] name = "FreeBSD-SA-98:02.mmap" date = "1998-03-12" [[advisories]] name = "FreeBSD-SA-97:06.f00f" date = "1997-12-09" [[advisories]] name = "FreeBSD-SA-98:01.land" date = "1997-12-01" [[advisories]] name = "FreeBSD-SA-97:05.open" date = "1997-10-29" [[advisories]] name = "FreeBSD-SA-97:04.procfs" date = "1997-08-19" [[advisories]] name = "FreeBSD-SA-97:03.sysinstall" date = "1997-04-07" [[advisories]] name = "FreeBSD-SA-97:02.lpd" date = "1997-03-26" [[advisories]] name = "FreeBSD-SA-97:01.setlocale" date = "1997-02-05" [[advisories]] name = "FreeBSD-SA-96:21.talkd" date = "1997-01-18" [[advisories]] name = "FreeBSD-SA-96:20.stack-overflow" date = "1996-12-16" [[advisories]] name = "FreeBSD-SA-96:19.modstat" date = "1996-12-10" [[advisories]] name = "FreeBSD-SA-96:18.lpr" date = "1996-11-25" [[advisories]] name = "FreeBSD-SA-96:17.rzsz" date = "1996-07-16" [[advisories]] name = "FreeBSD-SA-96:16.rdist" date = "1996-07-12" [[advisories]] name = "FreeBSD-SA-96:15.ppp" date = "1996-07-04" [[advisories]] name = "FreeBSD-SA-96:12.perl" date = "1996-06-28" [[advisories]] name = "FreeBSD-SA-96:14.ipfw" date = "1996-06-24" [[advisories]] name = "FreeBSD-SA-96:13.comsat" date = "1996-06-05" [[advisories]] name = "FreeBSD-SA-96:11.man" date = "1996-05-21" [[advisories]] name = "FreeBSD-SA-96:10.mount_union" date = "1996-05-17" [[advisories]] name = "FreeBSD-SA-96:09.vfsload" date = "1996-05-17" [[advisories]] name = "FreeBSD-SA-96:02.apache" date = "1996-04-22" [[advisories]] name = "FreeBSD-SA-96:08.syslog" date = "1996-04-21" [[advisories]] name = "FreeBSD-SA-96:01.sliplogin" date = "1996-04-21" [[advisories]] name = "FreeBSD-SA-96:03.sendmail-suggestion" date = "1996-04-20" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 494f54d35d..6cb37b7b15 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,1115 +1,1119 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-26:13.freebsd-update" +date = "2026-05-20" + [[notices]] name = "FreeBSD-EN-26:12.freebsd-update" date = "2026-05-01" [[notices]] name = "FreeBSD-EN-26:11.dhclient" date = "2026-05-01" [[notices]] name = "FreeBSD-EN-26:10.amd64" date = "2026-04-29" [[notices]] name = "FreeBSD-EN-26:09.tzdata" date = "2026-04-29" [[notices]] name = "FreeBSD-EN-26:08.pf" date = "2026-04-29" [[notices]] name = "FreeBSD-EN-26:07.pkgbase" date = "2026-04-21" [[notices]] name = "FreeBSD-EN-26:06.timerfd" date = "2026-04-21" [[notices]] name = "FreeBSD-EN-26:05.vm" date = "2026-04-21" [[notices]] name = "FreeBSD-EN-26:04.arm64" date = "2026-02-10" [[notices]] name = "FreeBSD-EN-26:03.vm" date = "2026-01-27" [[notices]] name = "FreeBSD-EN-26:02.arm64" date = "2026-01-27" [[notices]] name = "FreeBSD-EN-26:01.devinfo" date = "2026-01-27" [[notices]] name = "FreeBSD-EN-25:20.vmm" date = "2025-12-16" [[notices]] name = "FreeBSD-EN-25:19.zfs" date = "2025-12-16" [[notices]] name = "FreeBSD-EN-25:18.freebsd-update" date = "2025-09-30" [[notices]] name = "FreeBSD-EN-25:17.bnxt" date = "2025-09-16" [[notices]] name = "FreeBSD-EN-25:16.vfs" date = "2025-09-16" [[notices]] name = "FreeBSD-EN-25:15.arm64" date = "2025-09-16" [[notices]] name = "FreeBSD-EN-25:14.route" date = "2025-08-08" [[notices]] name = "FreeBSD-EN-25:13.wlan_tkip" date = "2025-08-08" [[notices]] name = "FreeBSD-EN-25:12.efi" date = "2025-08-08" [[notices]] name = "FreeBSD-EN-25:11.ena" date = "2025-07-02" [[notices]] name = "FreeBSD-EN-25:10.zfs" date = "2025-07-02" [[notices]] name = "FreeBSD-EN-25:09.libc" date = "2025-07-02" [[notices]] name = "FreeBSD-EN-25:08.caroot" date = "2025-04-10" [[notices]] name = "FreeBSD-EN-25:07.openssl" date = "2025-04-10" [[notices]] name = "FreeBSD-EN-25:06.daemon" date = "2025-04-10" [[notices]] name = "FreeBSD-EN-25:05.expat" date = "2025-04-10" [[notices]] name = "FreeBSD-EN-25:04.tzdata" date = "2025-04-10" [[notices]] name = "FreeBSD-EN-25:03.tzdata" date = "2025-01-29" [[notices]] name = "FreeBSD-EN-25:02.audit" date = "2025-01-29" [[notices]] name = "FreeBSD-EN-25:01.rpc" date = "2025-01-29" [[notices]] name = "FreeBSD-EN-24:17.pam_xdg" date = "2024-10-29" [[notices]] name = "FreeBSD-EN-24:16.pf" date = "2024-09-19" [[notices]] name = "FreeBSD-EN-24:15.calendar" date = "2024-09-04" [[notices]] name = "FreeBSD-EN-24:14.ifconfig" date = "2024-08-07" [[notices]] name = "FreeBSD-EN-24:13.libc++" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:12.killpg" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:11.ldns" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:10.zfs" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:09.zfs" date = "2024-04-24" [[notices]] name = "FreeBSD-EN-24:08.kerberos" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:07.clang" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:06.wireguard" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:05.tty" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:04.ip" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-24:03.kqueue" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-24:02.libutil" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-24:01.tzdata" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-23:22.vfs" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:21.tty" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:20.vm" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:19.pkgbase" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:18.openzfs" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:17.ossl" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:16.openzfs" date = "2023-12-01" [[notices]] name = "FreeBSD-EN-23:15.sanitizer" date = "2023-12-01" [[notices]] name = "FreeBSD-EN-23:14.regcomp" date = "2023-11-08" [[notices]] name = "FreeBSD-EN-23:13.freebsd-update" date = "2023-11-08" [[notices]] name = "FreeBSD-EN-23:12.freebsd-update" date = "2023-10-03" [[notices]] name = "FreeBSD-EN-23:11.caroot" date = "2023-09-06" [[notices]] name = "FreeBSD-EN-23:10.pci" date = "2023-09-06" [[notices]] name = "FreeBSD-EN-23:09.freebsd-update" date = "2023-09-06" [[notices]] name = "FreeBSD-EN-23:08.vnet" date = "2023-08-01" [[notices]] name = "FreeBSD-EN-23:07.mpr" date = "2023-06-21" [[notices]] name = "FreeBSD-EN-23:06.loader" date = "2023-06-21" [[notices]] name = "FreeBSD-EN-23:05.tzdata" date = "2023-06-21" [[notices]] name = "FreeBSD-EN-23:04.ixgbe" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-23:03.ena" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-23:02.sdhci" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-23:01.tzdata" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-22:28.heimdal" date = "2022-11-29" [[notices]] name = "FreeBSD-EN-22:27.loader" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:26.cam" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:25.tcp" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:24.zfs" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:23.vm" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:22.tzdata" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:21.zfs" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:20.tzdata" date = "2022-08-30" [[notices]] name = "FreeBSD-EN-22:19.pam_exec" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:18.wifi" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:17.cam" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:16.kqueue" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:15.pf" date = "2022-04-06" [[notices]] name = "FreeBSD-EN-22:14.tzdata" date = "2022-03-22" [[notices]] name = "FreeBSD-EN-22:13.zfs" date = "2022-03-21" [[notices]] name = "FreeBSD-EN-22:12.zfs" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:11.zfs" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:10.zfs" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:09.freebsd-update" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:08.i386" date = "2022-02-01" [[notices]] name = "FreeBSD-EN-22:07.la57" date = "2022-02-01" [[notices]] name = "FreeBSD-EN-22:06.libalias" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:05.tail" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:04.pcid" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:03.hyperv" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:02.xsave" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:01.fsck_ffs" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-21:29.tzdata" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:28.vmci" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:27.caroot" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:26.libevent" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:25.bhyve" date = "2021-08-24" [[notices]] name = "FreeBSD-EN-21:24.libcrypto" date = "2021-08-24" [[notices]] name = "FreeBSD-EN-21:23.virtio_blk" date = "2021-08-24" [[notices]] name = "FreeBSD-EN-21:22.linux_futex" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:21.ipfw" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:20.vlan" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:19.libcasper" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:18.libc++" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:17.libradius" date = "2021-06-01" [[notices]] name = "FreeBSD-EN-21:16.bc" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:15.virtio" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:14.pms" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:13.mpt" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:12.divert" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:11.aesni" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:10.lldb" date = "2021-04-06" [[notices]] name = "FreeBSD-EN-21:09.pf" date = "2021-04-06" [[notices]] name = "FreeBSD-EN-21:08.freebsd-update" date = "2021-02-24" [[notices]] name = "FreeBSD-EN-21:07.caroot" date = "2021-02-24" [[notices]] name = "FreeBSD-EN-21:06.microcode" date = "2021-02-24" [[notices]] name = "FreeBSD-EN-21:05.libatomic" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:04.zfs" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:03.vnet" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:02.extattr" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:01.tzdata" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-20:22.callout" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:21.ipfw" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:20.tzdata" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:19.audit" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:18.getfsstat" date = "2020-09-02" [[notices]] name = "FreeBSD-EN-20:17.linuxthread" date = "2020-09-02" [[notices]] name = "FreeBSD-EN-20:16.vmx" date = "2020-08-05" [[notices]] name = "FreeBSD-EN-20:15.mps" date = "2020-07-08" [[notices]] name = "FreeBSD-EN-20:14.linuxkpi" date = "2020-07-08" [[notices]] name = "FreeBSD-EN-20:13.bhyve" date = "2020-07-08" [[notices]] name = "FreeBSD-EN-20:12.iflib" date = "2020-06-09" [[notices]] name = "FreeBSD-EN-20:11.ena" date = "2020-06-09" [[notices]] name = "FreeBSD-EN-20:10.build" date = "2020-05-12" [[notices]] name = "FreeBSD-EN-20:09.igb" date = "2020-05-12" [[notices]] name = "FreeBSD-EN-20:08.tzdata" date = "2020-05-12" [[notices]] name = "FreeBSD-EN-20:07.quotad" date = "2020-04-21" [[notices]] name = "FreeBSD-EN-20:06.ipv6" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:05.mlx5en" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:04.pfctl" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:03.sshd" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:02.nmount" date = "2020-01-28" [[notices]] name = "FreeBSD-EN-20:01.ssp" date = "2020-01-28" [[notices]] name = "FreeBSD-EN-19:19.loader" date = "2019-11-12" [[notices]] name = "FreeBSD-EN-19:18.tzdata" date = "2019-10-23" [[notices]] name = "FreeBSD-EN-19:17.ipfw" date = "2019-08-20" [[notices]] name = "FreeBSD-EN-19:16.bhyve" date = "2019-08-20" [[notices]] name = "FreeBSD-EN-19:15.libunwind" date = "2019-08-06" [[notices]] name = "FreeBSD-EN-19:14.epoch" date = "2019-08-06" [[notices]] name = "FreeBSD-EN-19:13.mds" date = "2019-07-24" [[notices]] name = "FreeBSD-EN-19:12.tzdata" date = "2019-07-02" [[notices]] name = "FreeBSD-EN-19:11.net" date = "2019-06-19" [[notices]] name = "FreeBSD-EN-19:10.scp" date = "2019-05-14" [[notices]] name = "FreeBSD-EN-19:09.xinstall" date = "2019-05-14" [[notices]] name = "FreeBSD-EN-19:08.tzdata" date = "2019-05-14" [[notices]] name = "FreeBSD-EN-19:07.lle" date = "2019-02-05" [[notices]] name = "FreeBSD-EN-19:06.dtrace" date = "2019-02-05" [[notices]] name = "FreeBSD-EN-19:05.kqueue" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:04.tzdata" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:03.sqlite" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:02.tcp" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:01.cc_cubic" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-18:18.zfs" date = "2018-12-19" [[notices]] name = "FreeBSD-EN-18:17.vm" date = "2018-12-19" [[notices]] name = "FreeBSD-EN-18:16.ptrace" date = "2018-12-19" [[notices]] name = "FreeBSD-EN-18:15.loader" date = "2018-11-27" [[notices]] name = "FreeBSD-EN-18:14.tzdata" date = "2018-11-27" [[notices]] name = "FreeBSD-EN-18:13.icmp" date = "2018-11-27" [[notices]] name = "FreeBSD-EN-18:12.mem" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:11.listen" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:10.syscall" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:09.ip" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:08.lazyfpu" date = "2018-09-12" [[notices]] name = "FreeBSD-EN-18:07.pmap" date = "2018-06-21" [[notices]] name = "FreeBSD-EN-18:06.tzdata" date = "2018-05-08" [[notices]] name = "FreeBSD-EN-18:05.mem" date = "2018-05-08" [[notices]] name = "FreeBSD-EN-18:04.mem" date = "2018-04-04" [[notices]] name = "FreeBSD-EN-18:03.tzdata" date = "2018-04-04" [[notices]] name = "FreeBSD-EN-18:02.file" date = "2018-03-07" [[notices]] name = "FreeBSD-EN-18:01.tzdata" date = "2018-03-07" [[notices]] name = "FreeBSD-EN-17:09.tzdata" date = "2017-11-02" [[notices]] name = "FreeBSD-EN-17:08.pf" date = "2017-08-10" [[notices]] name = "FreeBSD-EN-17:07.vnet" date = "2017-08-10" [[notices]] name = "FreeBSD-EN-17:06.hyperv" date = "2017-07-12" [[notices]] name = "FreeBSD-EN-17:05.xen" date = "2017-04-12" [[notices]] name = "FreeBSD-EN-17:04.mandoc" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-17:03.hyperv" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-17:02.yp" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-17:01.pcie" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-16:21.localedef" date = "2016-12-06" [[notices]] name = "FreeBSD-EN-16:20.tzdata" date = "2016-12-06" [[notices]] name = "FreeBSD-EN-16:19.tzcode" date = "2016-12-06" [[notices]] name = "FreeBSD-EN-16:18.loader" date = "2016-10-25" [[notices]] name = "FreeBSD-EN-16:17.vm" date = "2016-10-25" [[notices]] name = "FreeBSD-EN-16:16.hv_storvsc" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:15.vmbus" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:14.hv_storvsc" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:13.vmbus" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:12.hv_storvsc" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:11.vmbus" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:10.dhclient" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:09.freebsd-update" date = "2016-07-25" [[notices]] name = "FreeBSD-EN-16:08.zfs" date = "2016-05-04" [[notices]] name = "FreeBSD-EN-16:07.ipi" date = "2016-05-04" [[notices]] name = "FreeBSD-EN-16:06.libc" date = "2016-05-04" [[notices]] name = "FreeBSD-EN-16:05.hv_netvsc" date = "2016-03-16" [[notices]] name = "FreeBSD-EN-16:04.hyperv" date = "2016-03-16" [[notices]] name = "FreeBSD-EN-16:03.yplib" date = "2016-01-14" [[notices]] name = "FreeBSD-EN-16:02.pf" date = "2016-01-14" [[notices]] name = "FreeBSD-EN-16:01.filemon" date = "2016-01-14" [[notices]] name = "FreeBSD-EN-15:20.vm" date = "2015-11-04" [[notices]] name = "FreeBSD-EN-15:19.kqueue" date = "2015-11-04" [[notices]] name = "FreeBSD-EN-15:18.pkg" date = "2015-09-16" [[notices]] name = "FreeBSD-EN-15:17.libc" date = "2015-09-16" [[notices]] name = "FreeBSD-EN-15:16.pw" date = "2015-09-16" [[notices]] name = "FreeBSD-EN-15:15.pkg" date = "2015-08-25" [[notices]] name = "FreeBSD-EN-15:14.ixgbe" date = "2015-08-25" [[notices]] name = "FreeBSD-EN-15:13.vidcontrol" date = "2015-08-18" [[notices]] name = "FreeBSD-EN-15:12.netstat" date = "2015-08-18" [[notices]] name = "FreeBSD-EN-15:11.toolchain" date = "2015-08-18" [[notices]] name = "FreeBSD-EN-15:10.iconv" date = "2015-06-30" [[notices]] name = "FreeBSD-EN-15:09.xlocale" date = "2015-06-30" [[notices]] name = "FreeBSD-EN-15:08.sendmail" date = "2015-06-18" [[notices]] name = "FreeBSD-EN-15:07.zfs" date = "2015-06-09" [[notices]] name = "FreeBSD-EN-15:06.file" date = "2015-06-09" [[notices]] name = "FreeBSD-EN-15:05.ufs" date = "2015-05-13" [[notices]] name = "FreeBSD-EN-15:04.freebsd-update" date = "2015-05-13" [[notices]] name = "FreeBSD-EN-15:03.freebsd-update" date = "2015-02-25" [[notices]] name = "FreeBSD-EN-15:02.openssl" date = "2015-02-25" [[notices]] name = "FreeBSD-EN-15:01.vt" date = "2015-02-25" [[notices]] name = "FreeBSD-EN-14:13.freebsd-update" date = "2014-12-23" [[notices]] name = "FreeBSD-EN-14:12.zfs" date = "2014-11-04" [[notices]] name = "FreeBSD-EN-14:11.crypt" date = "2014-10-22" [[notices]] name = "FreeBSD-EN-14:10.tzdata" date = "2014-10-22" [[notices]] name = "FreeBSD-EN-14:09.jail" date = "2014-07-08" [[notices]] name = "FreeBSD-EN-14:08.heimdal" date = "2014-06-24" [[notices]] name = "FreeBSD-EN-14:07.pmap" date = "2014-06-24" [[notices]] name = "FreeBSD-EN-14:06.exec" date = "2014-06-03" [[notices]] name = "FreeBSD-EN-14:05.ciss" date = "2014-05-13" [[notices]] name = "FreeBSD-EN-14:04.kldxref" date = "2014-05-13" [[notices]] name = "FreeBSD-EN-14:03.pkg" date = "2014-05-13" [[notices]] name = "FreeBSD-EN-14:02.mmap" date = "2014-01-14" [[notices]] name = "FreeBSD-EN-14:01.random" date = "2014-01-14" [[notices]] name = "FreeBSD-EN-13:05.freebsd-update" date = "2013-11-28" [[notices]] name = "FreeBSD-EN-13:04.freebsd-update" date = "2013-10-26" [[notices]] name = "FreeBSD-EN-13:03.mfi" date = "2013-08-22" [[notices]] name = "FreeBSD-EN-13:01.fxp" date = "2013-06-28" [[notices]] name = "FreeBSD-EN-13:02.vtnet" date = "2013-06-28" [[notices]] name = "FreeBSD-EN-12:02.ipv6refcount" date = "2012-06-12" [[notices]] name = "FreeBSD-EN-12:01.freebsd-update" date = "2012-01-04" [[notices]] name = "FreeBSD-EN-10:02.sched_ule" date = "2010-02-27" [[notices]] name = "FreeBSD-EN-10:01.freebsd" date = "2010-01-06" [[notices]] name = "FreeBSD-EN-09:05.null" date = "2009-10-02" [[notices]] name = "FreeBSD-EN-09:04.fork" date = "2009-06-24" [[notices]] name = "FreeBSD-EN-09:03.fxp" date = "2009-06-24" [[notices]] name = "FreeBSD-EN-09:02.bce" date = "2009-06-24" [[notices]] name = "FreeBSD-EN-09:01.kenv" date = "2009-03-23" [[notices]] name = "FreeBSD-EN-08:02.tcp" date = "2008-06-19" [[notices]] name = "FreeBSD-EN-08:01.libpthread" date = "2008-04-17" [[notices]] name = "FreeBSD-EN-07:05.freebsd-update" date = "2007-03-15" [[notices]] name = "FreeBSD-EN-07:04.zoneinfo" date = "2007-02-28" [[notices]] name = "FreeBSD-EN-07:03.rc.d_jail" date = "2007-02-28" [[notices]] name = "FreeBSD-EN-07:02.net" date = "2007-02-28" [[notices]] name = "FreeBSD-EN-07:01.nfs" date = "2007-02-14" [[notices]] name = "FreeBSD-EN-06:02.net" date = "2006-08-28" [[notices]] name = "FreeBSD-EN-06:01.jail" date = "2006-07-07" [[notices]] name = "FreeBSD-EN-05:04.nfs" date = "2005-12-19" [[notices]] name = "FreeBSD-EN-05:03.ipi" date = "2005-01-16" [[notices]] name = "FreeBSD-EN-05:02.sk" date = "2005-01-06" [[notices]] name = "FreeBSD-EN-05:01.nfs" date = "2005-01-05" [[notices]] name = "FreeBSD-EN-04:01.twe" date = "2004-06-28" diff --git a/website/static/security/advisories/FreeBSD-EN-26:13.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-26:13.freebsd-update.asc new file mode 100644 index 0000000000..6369b75b23 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:13.freebsd-update.asc @@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:13.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update attempts to merge a generated file + +Category: core +Module: freebsd-update +Announced: 2026-05-20 +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-19 13:59:37 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:27 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-19 13:59:57 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:39:53 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:31 UTC (releng/14.3, 14.3-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The freebsd-update utility is used both to apply binary updates for security +advisories and errata notices, and to upgrade from one FreeBSD release to +another. + +In the latter scenario, when it detects local changes to a configuration file +which is affected by the upgrade, freebsd-update will perform a three-way +merge and prompt the user to manually resolve any conflicts between local and +incoming changes. + +The certctl utility has been used since FreeBSD 12.0 to manage a hashed +directory of root certificates for use when validating TLS server +certificates. Since FreeBSD 15.0, certctl also maintains a bundle for the +benefit of applications which either do not support the hashed directory +format or need to preload the trust store prior to entering capability mode, +a chroot, or similar. + +II. Problem Description + +When upgrading from FreeBSD 15.0 to FreeBSD 15.1, freebsd-update incorrectly +treats the certificate bundle /etc/ssl/cert.pem as a configuration file. In +most cases, the three-way merge results in conflicts which the user is then +asked to resolve. The bundle is not human-readable, and merging it serves no +purpose since freebsd-update regenerates the entire certificate store at the +end of the upgrade. + +When upgrading from an older FreeBSD release to FreeBSD 15.0 or 15.1, if +/etc/ssl/cert.pem is present (e.g. as provided by the ETCSYMLINK option of +the security/ca_root_nss port, or manually created by an administrator), +freebsd-update will emit a non-fatal error message and pause until the user +acknowledges the message. + +III. Impact + +Users upgrading from 15.0 to 15.1 may be presented with one or more merge +conflicts in thousands of lines of Base64-encoded ASN.1 data. + +Users upgrading from older releases to 15.0 or 15.1 may encounter a non-fatal +error message with no clear resolution, reducing user confidence in the +upgrade process. + +IV. Workaround + +If prompted to resolve conflicts, exit the editor and force freebsd-update +to accept the unmerged file by typing "ACCEPT" (all upper-case, without the +quotes). The bundle will be regenerated at the end of the upgrade process +and the system will be fully functional. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base + +2) To update your system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ b97f143b6ca9 stable/15-n283610 +releng/15.0/ 2709755d39f5 releng/15.0-n281037 +stable/14/ 7d9c1d3895b3 stable/14-n274144 +releng/14.4/ 081a9e933033 releng/14.4-n273701 +releng/14.3/ a1b3818746e3 releng/14.3-n271501 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGEbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvgJQP/RY20Qr2cM3gsEsVSt5+ +xXS/yCXu+IZq/ALOzw4RvqzdqvVzlA3U2VgSXpucnkrV0rABc7yxLbmvTVj6GOG7 +yvKXSmV58akQoUbnOtwHZF4x+4A9+Y3BzGIWUrzh014ll4MyhGw/4ekFiu36J0Mg +QBDPkAy+3jrCTE3i2aAF1w1gLYdyIfDwGYQHqpPCsMmGhHuleogGqmhc5pH2J30g +fPRLe8a4njizX5aT15TZvo6U5sQC6tll4DBUqTWh6k49XxSELKQwYgXhqhespI++ +yZ327VPwkVgaYI0C96LCV5SVB811BvFAKXKzjItKOWpJyg6HpB8hiSEubqlWW7zX +vltqLyf8qe15wZPvrs1kgX2kH9ZJXYwJ9W5z5kY8sk/DCYos+bxtEQ47CU5u6/nF +h01i3mAwOdh0/br7Y7hRS4eekNg9XUpu9dakJdhpJjbRylS6I6wK/C/f89L+qmgP +4jq20TCFHQ2riVHxhOG3nSGkP+5CsIUnjg94x/EKK9xA9DZb0D5/Vy+hQYhJ5qza +q5TKkv72vb32LKFKvzXXJbCrRlJr6bmCOMXYRGZwDzKzfd5jrVwzlIfooiaQ28bj +g2egNBCe69H0SboydGi6J4yciBn3TeBHilfPuDLxs2eRZmYFd4wVD4wnigsysL2J +JETeDqmCxDDqbzhIYf3XL7Pt +=zyAg +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:18.setcred.asc b/website/static/security/advisories/FreeBSD-SA-26:18.setcred.asc new file mode 100644 index 0000000000..2b0e4d6640 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:18.setcred.asc @@ -0,0 +1,170 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:18.setcred Security Advisory + The FreeBSD Project + +Topic: Stack buffer overflow via setcred(2) + +Category: core +Module: setcred +Announced: 2026-05-20 +Credits: Ryan of Calif.io +Credits: Przemyslaw Frasunek +Affects: All supported versions of FreeBSD. +Corrected: 2026-01-06 13:34:30 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:28 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-20 19:37:54 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:39:54 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:32 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-45250 + +This vulnerability was independently reported by multiple parties prior to +publication. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +System calls are the programmatic interface through which user-space +processes request services from the operating system kernel, providing a +controlled boundary between unprivileged application code and privileged +kernel operations. + +setcred(2) is a system call which enables a privileged process to atomically +set its full credential set, including the real, effective, and saved user +and group identifiers, as well as the list of supplementary groups. It is +intended for use by programs such as login(1) and PAM(3)-aware authentication +frameworks that must transition a process into a target user context in a +single, race-free operation, replacing the need for multiple discrete calls +to setuid(2), setgid(2), and setgroups(2). + +II. Problem Description + +The setcred(2) system call is only available to privileged users. However, +before the privilege level of the caller is checked, the user-supplied list +of supplementary groups is copied into a fixed-size kernel stack buffer +without first validating its length. If the supplied list exceeds the +capacity of that buffer, a stack buffer overflow occurs. + +III. Impact + +Because the bounds check on the supplementary groups list occurs after the +kernel stack buffer has already been written, an unprivileged local user may +trigger the overflow without holding any special privilege. Successful +exploitation may allow an attacker to execute arbitrary code in the context +of the kernel, allowing an unprivileged local user to gain elevated +privileges on the affected system. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot the system. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch.asc +# gpg --verify setcred-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch.asc +# gpg --verify setcred-14.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ b6cba9028457 stable/15-n281743 +releng/15.0/ d98c0a494a42 releng/15.0-n281038 +stable/14/ 8eb0bbbd2e46 stable/14-n274162 +releng/14.4/ 34da5845b8d4 releng/14.4-n273702 +releng/14.3/ bfff5c180193 releng/14.3-n271502 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGobFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvSpsP/38o7yHdNEMNMPPOBtKZ +2dn/vmcOo1srkhUx0kl2EVBzirSDsTVkWfUq1Txg5JA7/pG3On/YiaAmUMi9jHqy +q0tgkyO/scKGWNDYmFIA9QAXAwwSUZnT+eEwt3IawOzquezD/qr++CCimntSUzsu +IP3oMFYaw9JvMF6Z6tTfcYYA02CF7nRrtIJtrxfWkgyDoMoikHsNW4o2LXJTz4bV +2uk7BuQKbDc3gxoEBYd0bulXBa9DHsrfS59eEnbb8txrBjt21aQGjBY8SJSoFyYh +yZixmadpZ9J4oTBc03hOO2Z2BN5f/QficGIU4t0wj0A8EcsrspFMDRj2xd/5zi86 +VLqiQf6WJbgVyytUe5aYbBPC6eH2TRnMWaOERbocNS6xQKcYpZYqwnVZ77n6tPb4 +wKQd+qKYM74lf0BPCBc60h7yo9e6Qd8puGolyL05qdZVB+c3m0qB000gsyNFytFs +kQSovaXFf4r0DCEuBixE/Ic5ADwl7A4pCIxqwWwJlnrj77XCobNEQJtajkrapXsU +MSLQ20RuRiVNesgyjP9dZCk8enuOl96TwrvdkyqvSJgb0Gw3XEeyCWT4dAE+Fh3A +n8RhQeY6YWWk+DOiuw5Q5v2PyoBNoV8jV2AjeXzhIOQsyWGeSYQ2GeFu6PW3UyzQ +olNjUPjprNwteRkUuGHmE3zQ +=6aG+ +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:19.file.asc b/website/static/security/advisories/FreeBSD-SA-26:19.file.asc new file mode 100644 index 0000000000..ccac947f7d --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:19.file.asc @@ -0,0 +1,173 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:19.file Security Advisory + The FreeBSD Project + +Topic: Kernel use-after-free via file descriptor syscalls + +Category: core +Module: file +Announced: 2026-05-20 +Credits: 75Acol, Lexpl0it, fcgboy, and robinzeng2015 +Credits: Ryan at Calif.io +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-20 19:36:37 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:31 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-20 19:37:57 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:39:57 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:34 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-45251 + +This vulnerability was independently reported by multiple parties prior to +publication. The reporters' findings prompted a broader review by the +FreeBSD Security Team, which identified additional occurrences of the same +issue in related code. All known exploitable instances are corrected by this +update. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD implements a number of file descriptor types. Traditionally file +descriptors are used to perform file or network I/O, but other variants +exist such as process descriptors, which enable operations on a particular +process. + +The select(2) and poll(2) system calls allow applications to wait for events +related to the object to which a file descriptor refers. These system calls +are implemented for many different file descriptor types. For instance, a +process descriptor may be used with either system call to wait for the target +process to exit. + +II. Problem Description + +A file descriptor can be closed while a thread is blocked in a poll(2) or +select(2) call waiting for that descriptor. Because the blocked thread does +not hold a reference to the underlying object, this closure may result in the +object being freed while the thread remains blocked. In this situation, the +kernel must remove the blocked thread from the per-object wait queue prior to +freeing the object. + +In the case of some file descriptor types, the kernel failed to unlink +blocked threads from the object before freeing it. When the blocked thread +is subsequently woken, it accesses memory that has already been freed +resulting in a use-after-free vulnerability. + +III. Impact + +The use-after-free vulnerability may be triggered by an unprivileged local +user and can be exploited to obtain superuser privileges. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, and +reboot the system. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch.asc +# gpg --verify file-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch.asc +# gpg --verify file-14.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 53a78e582a6f stable/15-n283641 +releng/15.0/ af79f4148450 releng/15.0-n281041 +stable/14/ b90b25c3779e stable/14-n274164 +releng/14.4/ 8d8694c224e2 releng/14.4-n273704 +releng/14.3/ 659818009d15 releng/14.3-n271504 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKG4bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvA78P/iRlQXxVUpth5tRn2FiC +lseIWOmh3DVI1OjwFQ30VydwnA5rlOqPPTpF2hsT0ee3ExS6pUKITi3735BmkPvT +KvnOKkY9A2DdzXJQ9eZvrVJRN1/VlKx8Us1VmWWRxPHghmcqqTY0wN2lFcsyqcpN +6Wdi51z+X5sLWZZsLsvqAskWiCNqUzBSSWqCTLEW0tBD9AoW2BPQcpAeEmx4MDch +Hk2/pecoUL2T/hu3bjo60CTp3R7E4gPt9wM5Ejf32vwsW0sTNkTmy7HbZCNmYHZw +R764O4i4poDzccTiXxuhXdrIDXmRQwTyB9d6S12OmP8ec8dAQzm9p5xl4HoHhOho +9zTMCiLoU+ApN1H+bXqN9JvmZ9hfxGqdPaJgZRkQ11xRHg8tz48SigON/vxlbYff +ln9EJ+NGEcskrbUAG8cUCJ3/a8A7xLQo07TpvyddeUc6ufk+nFEBzNS3rpaFNy5y +GqFIOzqISRSsE1tf6rrItULQEKWtOMUYvAbrcLRwPAQ1cav+sOv9YlfpW36s1+mc +CyuXDh3pbN5biajjImGO1CYN92mq/Jfz/cRnvQub+78T+4w6yAxj53fBNg97tIOI +b7EISAnbgGj5akQRGJXJ84iuYij9xTPEOCSbfgAqsWXKz6l/bgSoVUhq/e0/dXKA +sr+3pjhi5P7N66SvO+7iEpYI +=iM1b +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:20.fusefs.asc b/website/static/security/advisories/FreeBSD-SA-26:20.fusefs.asc new file mode 100644 index 0000000000..d6516c54e6 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:20.fusefs.asc @@ -0,0 +1,164 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:20.fusefs Security Advisory + The FreeBSD Project + +Topic: Heap overflow in FUSE_LISTXATTR + +Category: core +Module: fusefs +Announced: 2026-05-20 +Credits: Joshua Rogers of AISLE Research Team +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-45252 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The fusefs file system delegates file system operations to a userspace +daemon. This daemon ordinarily requires root privileges to operate. When +the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users +are permitted to run such daemons and mount fusefs file systems. + +II. Problem Description + +When a fusefs file system implements extended attributes, the kernel may send +a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended +attributes for a given file. The FUSE protocol requires the daemon to return +a packed list of NUL-terminated strings. The fusefs kernel module calls +strlen() on this daemon-supplied buffer without first verifying that the +entire list is NUL-terminated. + +III. Impact + +If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel +module may read beyond the end of one heap-allocated buffer and potentially +write beyond the end of a second buffer. A malicious daemon could disclose +up to 253 bytes of kernel heap memory, or it could inject up to 250 +attacker-controlled bytes into unallocated kernel heap space. + +IV. Workaround + +No workaround is available, but systems that do not load the fusefs kernel +module or set vfs.usermount=1 are unaffected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, and +reboot the system. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc +# gpg --verify fusefs-15.patch.asc + +[FreeBSD 14.4] +# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch +# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc +# gpg --verify fusefs-14.4.patch.asc + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch +# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc +# gpg --verify fusefs-14.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ df3f3fa82775 stable/15-n283642 +releng/15.0/ 0dd8b983db3c releng/15.0-n281042 +stable/14/ 25148c51c8c6 stable/14-n274165 +releng/14.4/ 6a299460f159 releng/14.4-n273705 +releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh +UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96 +AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb +BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw +oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV +TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW +aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI +o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot +42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH +NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR +9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V +qAWdXCXwrbOr+eA50IIPxkal +=HzW3 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:21.ptrace.asc b/website/static/security/advisories/FreeBSD-SA-26:21.ptrace.asc new file mode 100644 index 0000000000..187aabe5cb --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:21.ptrace.asc @@ -0,0 +1,163 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:21.ptrace Security Advisory + The FreeBSD Project + +Topic: Missing validation in ptrace(PT_SC_REMOTE) + +Category: core +Module: ptrace +Announced: 2026-05-20 +Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, + and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai +Credits: Ryan at Calif.io +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-20 19:36:40 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:34 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-20 19:37:59 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:39:59 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:37 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-45253 + +This vulnerability was independently reported by multiple parties prior to +publication. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The ptrace(2) system call provides facilities for a debugger to control the +execution of a target process and to obtain status information about it. +Among other capabilities, it permits a debugger to execute arbitrary system +calls in the target process via the PT_SC_REMOTE operation. + +II. Problem Description + +ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) +and __syscall(2) meta-system calls. As a result, a user with the ability to +debug a process may trigger arbitrary code execution in the kernel, even if +the target process has no special privileges. + +III. Impact + +The missing validation allows an unprivileged local user to escalate +privileges, potentially gaining full control of the affected system. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, and +reboot the system. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch.asc +# gpg --verify ptrace-15.patch.asc + +[FreeBSD 14.4] +# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch +# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch.asc +# gpg --verify ptrace-14.4.patch.asc + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch +# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch.asc +# gpg --verify ptrace-14.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 3b4afab9add2 stable/15-n283643 +releng/15.0/ fd24dd0b38a8 releng/15.0-n281043 +stable/14/ fac902a3e039 stable/14-n274166 +releng/14.4/ c21d23f0f8be releng/14.4-n273706 +releng/14.3/ 45bd421661c4 releng/14.3-n271506 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHcbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvLd0QAOQGyaTmlTQJTS+EIPMU ++poVU59Fe4L+/+H8LSibnCPBbycH1bv6m9e906s/za0IBLGVq7PhY0U1YtPO5++J +A86nLzgqk4hEU5RWmA3+dnLYrIxOf3fVvSev/XAZe/1eWwcljYRCtqLV+IBmyxeZ +amfYoXliUTuZHO+r+88HVAgDy6efZ3IlnHF9iMlpsF0IFezpgFh4E6tiJk9/pMlz +wuXpHCm34rEjy6bvQaDP9G1zXGszrEatT25d9rKZnHscZCQuRgtpLaOVCuH8oDca ++1PFTfTNJnepH9Ir1nSaYLViZdHfuDK40CafZm54q4669AramrySoxNJlnNHOiMK +DN4aqxMfW5xCEEK+fIJYqTyW2L3WzRJ8tm3bF/zzsMYTsNmclcklzmuMNqsGQls1 +TGIhb+J+e0vkdZOpuJaT65pmGaF2dJeBvwNsIMJgtY3yotUPbDFD1ALNVUwIkKYh +m68XK0Ykw93ySLjbORUVFLP5nv5PvYtubAy37q5tskN6hXLlyX5a0QxIL5T5u0jx +hwDnyl4UAHGmkBM8U0CnaQbixP/yV0p5q+3NtpBurHB74tov593/U1eroydDywRl +Mw2R3k7AFIC5CszwMA6J0l3W2tLq/j7tcTQ/8CNgPpP/TPVntQxQShxB93F+/MdX +n9D4phEb7cKk4Y9QIBKkdbYZ +=egz5 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:22.libcasper.asc b/website/static/security/advisories/FreeBSD-SA-26:22.libcasper.asc new file mode 100644 index 0000000000..996f09c663 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:22.libcasper.asc @@ -0,0 +1,155 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:22.libcasper Security Advisory + The FreeBSD Project + +Topic: select(2) file descriptor set overflow causes stack overflow + +Category: core +Module: libcasper +Announced: 2026-05-20 +Credits: Joshua Rogers of AISLE Research Team +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-20 19:36:41 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:35 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-20 19:38:00 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:40:00 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:38 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-39461 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +libcasper(3) allows Capsicum-sandboxed applications to access system +interfaces that are otherwise unavailable within the sandbox. It is +used by numerous programs in the base system. + +II. Problem Description + +libcasper(3) communicates with helper processes via UNIX domain sockets, and +uses the select(2) system call to wait for data to become available. +However, it does not verify that its socket descriptor fits within +select(2)'s descriptor set size limit of FD_SETSIZE (1024). + +III. Impact + +An attacker able to cause an application using libcasper(3) to allocate large +file descriptors, e.g., by opening many descriptors and executing a program +which is not careful to close them upon startup, may trigger stack +corruption. If the target application runs with setuid root privileges, this +could be used to escalate local privileges. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, which were not installed using base +system packages, can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch.asc +# gpg --verify libcasper-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch.asc +# gpg --verify libcasper-14.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 23929d729d1a stable/15-n283644 +releng/15.0/ e22f3f55c360 releng/15.0-n281044 +stable/14/ 9e74d5e2e5e4 stable/14-n274167 +releng/14.4/ ae34dd1a391f releng/14.4-n273707 +releng/14.3/ cbec31838173 releng/14.3-n271507 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHsbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrveQAP/iyv1O1XI6tSrRictadU +9tBJFE5WlWGPrB8ID/12nLsKaTM5hzbA1G+v8c3So3FaSEl+m7D8BTri4X0XPibQ +5Pp4v67MO+yqsNxOjwyqAizOnD5bk/sEUuBV5JijZuqsAiEWFw5l0dKDU83zt3vu +hyk8/eeKuIxEwDiWQoeE32RM3BupY1ClWp46kiSjvOVzUK04miHQjgFFnVqkBuI7 +DeanTjzCw3g+RQNTRKVGE2LYRLFHka6m4Z5RYT7beFOLdlD58T7lvQLl3l3f2QSR +hXcq5RxAhf4omPkm432fIdd4nev4gti3rxJC76NM2rIHGeSlRd4O7MHreNwNkU2O +8Rv8IWMCM20zZCtbov7q8XbTqKp8JXSJ/8g15iZuZ4wk+THnpRy7dsRe5eYQvVbB +J/zBKB9xMXGp69+88uZHDsSSoS841pkZ61+MlxeK4xC3MO6tlTO0Hannhmy8WCb4 +U5GimvX3EcvhGeBWRvPTdPJY9EcrDPDU2djaiFzPZZ7rrUjR8YJ685fyj161nnb+ +ibubcwiz7ygQu8b9T0rc1AV5ZTAC/QAlRarDpRNx2Ynh/FlZ89n+N5LnSHwGXc/v +/P+ob/5AqdLfyofw5pcx/FVuAiK4bjqDGGYuZw1tplg/L7AV3k87zIMYdCgr3e95 +PyQCsFAG014gMVETPGHKm6/7 +=ypPx +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:23.bsdinstall.asc b/website/static/security/advisories/FreeBSD-SA-26:23.bsdinstall.asc new file mode 100644 index 0000000000..4da2ce8d17 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:23.bsdinstall.asc @@ -0,0 +1,155 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:23.bsdinstall Security Advisory + The FreeBSD Project + +Topic: Remote code execution via installer Wi-Fi access point scans + +Category: core +Module: bsdinstall +Announced: 2026-05-20 +Credits: Austin Ralls +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-20 19:36:43 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:37 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-20 19:38:03 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:40:02 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:40 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-45255 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bsdinstall and bsdconfig are utilities that provide an interactive +configuration mechanism for FreeBSD. Among other functionality, they can be +used to configure FreeBSD to automatically join a Wi-Fi network. + +II. Problem Description + +When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, +they build up a list of network names and use bsddialog(1) to prompt the user +to select a network. This is implemented using a shell script, and the code +which handled network names was not careful to prevent expansion by the +shell. As a result, a suitably crafted network name can be used to execute +commands via a subshell. + +III. Impact + +The problem can be exploited to execute code as root on the system running +bsdinstall or bsdconfig. The attacker would need to create an access point +with a specially crafted name and be within range of a Wi-Fi scan. Note that +bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to +scan for nearby networks; they do not need to actually select the malicious +network. + +IV. Workaround + +Avoid using bsdinstall or bsdconfig to scan for Wi-Fi networks, and instead +configure Wi-Fi manually. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-15.patch.asc +# gpg --verify bsdinstall-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:23/bsdinstall-14.patch.asc +# gpg --verify bsdinstall-14.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 6f5674b97fd6 stable/15-n283646 +releng/15.0/ b89f48ade920 releng/15.0-n281046 +stable/14/ f15df0adbcd2 stable/14-n274170 +releng/14.4/ dd50cc216e4d releng/14.4-n273709 +releng/14.3/ 9cb0be8381f7 releng/14.3-n271509 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKH8bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvTloP/0369bPHpZf0yt9C2VEk +NyOeFq+58zQGrz+RRrXA6Vg2xNdaD3fcjpVzAoqzscuE2T7VqZkpi6cS+cbzEE40 +NXX+d7qPgd5udqJR4gL8+90KWj7yQ9Wl0tnbV8wTLE6km/Dma+MXuDJrIqUl8Tsb +q9hXGPfeymptS2vkR1Nj3VxEhDg0CCQz3bGD1sln7Oj63amX8HkHO9MwW8zHTyGj +pcMqEF2sN3Zz0WyyaBf5XS9G0EP0BpicDIcF1NiwYbPi0rlA/nU/zjACfao7lEJk +/XCq/iBKQsOiicvNGhoms/ku4YLNQv/L40FSJFNm8wmUsJD4fh6ll2+5Rm88666e +gJUcBiLEzlKFogiel4JLqXMBaAZseV6Py8B+puAYh2eFCa/3aF6w2QppMj4jIHCL +xEC/XUoBXN+34riiOCkPuSPqmgktvw7oZOBuk5DpV6qt7kdkInZ9i4HQnR13dhlF +vLW88oyuO+2dUn+LiLaHi6f7gxkHcgyOOa/N60D95E9+d6Aop9otyMxNRFbSiQ7I +x13B4j9ONtdAwL0uYJ+HPNHIfGTBHtpFzt62JfKdWqbSa5oVQrU5aq6wfMjMVupI +sYCq+XNTN0MVr4iHowDPqwuEi0+RBoPOQPIXFZRfJr4uTdeim5dzX6fjfe95KIps +3nJWEVEXVF/FiFWL3C+Lk3Cv +=Y3q0 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:24.cap_net.asc b/website/static/security/advisories/FreeBSD-SA-26:24.cap_net.asc new file mode 100644 index 0000000000..8d7866d034 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:24.cap_net.asc @@ -0,0 +1,160 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:24.cap_net Security Advisory + The FreeBSD Project + +Topic: Incorrect libcap_net limitation list manipulation + +Category: core +Module: libcap_net +Announced: 2026-05-20 +Credits: Joshua Rogers of AISLE Research Team +Affects: All supported versions of FreeBSD. +Corrected: 2026-05-19 23:03:59 UTC (stable/15, 15.0-STABLE) + 2026-05-20 19:39:38 UTC (releng/15.0, 15.0-RELEASE-p9) + 2026-05-19 23:04:13 UTC (stable/14, 14.4-STABLE) + 2026-05-20 19:40:03 UTC (releng/14.4, 14.4-RELEASE-p5) + 2026-05-20 19:40:41 UTC (releng/14.3, 14.3-RELEASE-p14) +CVE Name: CVE-2026-45254 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +libcasper(3) allows Capsicum-sandboxed applications to define and use system +interfaces which are otherwise not available in a capability sandbox, through +implementing special services. One of these services, libcap_net, enables +networking capabilities within the restricted environment. + +Casper services allow the application to define fine-grained limits on each +operation handled by the service. Each service maintains a specific list of +permitted operations. Certain operations can be further restricted by +specifying an explicit list of allowed names. For example, libcap_net allows +the application to limit the addresses to which the application may bind or +connect. If it attempts to use libcap_net to bind or connect to addresses +outside the allowed list, the operation will fail. + +In keeping with Capsicum's capability model, once a set of limits is applied, +subsequent adjustments may only narrow the set of permitted operations to a +subset of the current one. + +II. Problem Description + +In the case of the cap_net service, when a key present in the old limit was +omitted from the new limit, the missing key was treated as "allow any" +instead of being rejected. + +III. Impact + +In certain scenarios, an application that had previously restricted a subset +of network operations could ask for a new limit that extended the permissions +of the process. + +IV. Workaround + +No workaround is available. Note that no FreeBSD base system software is +affected by this issue. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms +which were not installed using base system packages can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-26:24/cap_net.patch +# fetch https://security.FreeBSD.org/patches/SA-26:24/cap_net.patch.asc +# gpg --verify cap_net.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 7eb3fd691d64 stable/15-n283630 +releng/15.0/ f69df16fcc20 releng/15.0-n281047 +stable/14/ b79faca1c596 stable/14-n274156 +releng/14.4/ f977328c7277 releng/14.4-n273710 +releng/14.3/ b3baecf08405 releng/14.3-n271510 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKIMbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvCBgQANie9vi7Gg5seuAZqAjF +JozB+Gs6qaHzHu1CcsDSjbm3Sx5l7p5vbdTR/qsdj9WJbORSI7l5CgB175s8Dbcn +PrBYNHCa/+lQEMjRkxGrQF9+qr0W48jrARBgauqqzrYTXHAtLGG1e4S6s83w0IJP +wZ/3zoEOb7dzcfvxOXSSa+BGcIirmzctg886IH1+EvQKluARzAMxFhNTMwbMMRe7 +k0duMSU7KIlh2C23aMLUPlj1Su52gbiSMz3fDgl4i1cbo3xnQPQNWZnnlu8u+ZCB +2pXQoNag7AHTzaOMvOtIyYKXfR9OLdPa4Ii6D38s6WTUb5q0GmS6G7ISYOAnTM+3 +TEvH2uhOpq8bySWb6TEx1ppedyIwZ+awocQ9XUeDvarJGCCTlBQ3kV08TMKKZxPA +/DOWHJ9KSgKku9sKaLpbTNacpDmkipIEgKZdicifA9KpvH7frBlvwVsTzERVm/qy +SVySVCqSE5fpYo6FN3Mo0GfN3EnBU2aYpPRx3RHvzKHTbQSU7iaNOu+Iki6GJuiH +HTQ6oaWHmNAkotNN5tAdmDXrm9wnMncCbMT1JHrtEDanJWgKWEovhK1mw6LhHlg1 +K+bvyTB6LyZYnOZXhb9540tXfyrmjdTzM/jNMZL1Z5AYjy1FfDdTxH460gIsy6PU +f4TRsebl2L+EThYrx6pjoj5D +=K5/f +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-26:13/freebsd-update.patch b/website/static/security/patches/EN-26:13/freebsd-update.patch new file mode 100644 index 0000000000..317583071a --- /dev/null +++ b/website/static/security/patches/EN-26:13/freebsd-update.patch @@ -0,0 +1,11 @@ +--- usr.sbin/freebsd-update/freebsd-update.sh.orig ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -2576,7 +2576,7 @@ + + # Some files need special treatment. + case ${F} in +- /etc/spwd.db | /etc/pwd.db | /etc/login.conf.db) ++ /etc/spwd.db | /etc/pwd.db | /etc/login.conf.db | /etc/ssl/cert.pem) + # Don't merge these -- we're rebuild them + # after updates are installed. + cp merge/old/${F} merge/new/${F} diff --git a/website/static/security/patches/EN-26:13/freebsd-update.patch.asc b/website/static/security/patches/EN-26:13/freebsd-update.patch.asc new file mode 100644 index 0000000000..af91392b93 --- /dev/null +++ b/website/static/security/patches/EN-26:13/freebsd-update.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGkbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvFPUP/RdMliKc4ZoFZcXJtLCH +fUAAsi+ypPYpy+/8dJs8QGmkUD/ypzcZCHp6drAV6dnjkJL9J3HexUnFPnMAErOV +yQYqyL8bZfxhbbvlYEPT8eFmpARdMMT648lUmtiR8Eoh/YcX1hjsVRDmMNMdq9hn +XCwffFhvgtjxvaVePJn8K6WnN+Yze4JxO5qSFxcAPP9MlKID0Y+BMlXnXfaJn+c/ +F/GCjJLObn0N58BKwB5gyOAGZVP8HyUvOB+LSL/Sw6c+OcOCPnMT6BQeN2dzlPlo +Pw3ccZu81ZNOmYIR+f3TTSCngTGgmKQafvO7TQUdKbpaDMtwL6VeZqarlAgascNb +UccstnGYZ4RnlCsjdh7+vv4CgGVQzDrvVPiQFxYHZpzyc1sXht8Ecl4iImepsBmN +O7k0SlDGoBJ+0GLJDIDa5FMTPUuroyLYTrBDu0MRvLrhrfYrOlnakFkNb/8V0uYC +7PmBtc78u/KDtvzvBwYy8ycufkweRsMuNqCDSXI7LvS304iOCLfv/U0F+HWDJ/e2 +bFtiK8pcmXE44YP0xmU0YBPadQSOO4yrJV5WDuH8dTzZNE752oeGtlSjKpR1zwsC +ahT6tGsCdCy2+v6Oy/5ekGD7EofIZ9/z33rr9xGwtWuuYPtX3nnY4Q1Z3p5DOWJ9 +4IetBflMI9TI84oAcIB5WCTe +=Zmj1 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:18/setcred-14.patch b/website/static/security/patches/SA-26:18/setcred-14.patch new file mode 100644 index 0000000000..82444a9083 --- /dev/null +++ b/website/static/security/patches/SA-26:18/setcred-14.patch @@ -0,0 +1,15 @@ +--- sys/kern/kern_prot.c.orig ++++ sys/kern/kern_prot.c +@@ -527,10 +527,10 @@ + */ + *groups = wcred->sc_supp_groups_nb < CRED_SMALLGROUPS_NB ? + smallgroups : malloc((wcred->sc_supp_groups_nb + 1) * +- sizeof(*groups), M_TEMP, M_WAITOK); ++ sizeof(gid_t), M_TEMP, M_WAITOK); + + error = copyin(wcred->sc_supp_groups, *groups + 1, +- wcred->sc_supp_groups_nb * sizeof(*groups)); ++ wcred->sc_supp_groups_nb * sizeof(gid_t)); + if (error != 0) + return (error); + wcred->sc_supp_groups = *groups + 1; diff --git a/website/static/security/patches/SA-26:18/setcred-14.patch.asc b/website/static/security/patches/SA-26:18/setcred-14.patch.asc new file mode 100644 index 0000000000..fb4b8b1fd6 --- /dev/null +++ b/website/static/security/patches/SA-26:18/setcred-14.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGwbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvyUAQAOW9vodMeIny/sYwja/h +i5tiMAYzjX6fT81v8VRRMBu32VRwCp9Y93nhuDlCmrEOr0BUw1makjSX1LKTXU1U +9Qe22KInT51Ri79z2Q4R8IynYSXACqvBcFXOtrtybbC2Vi41wJKUz7DUXZrVS4+N +5uBqJ/jYI3/Yxf04vragPa8Zv6ZdXlmkwcMia5HvFgITKT7FfItHxJC9df3UHj5a +Hi1BA+vQgmJKd8a19rwSJtquMLh1tKDL8M1FQ4fkXi0uKvnSuEy5B4JBm9TbyNnl +yP/22eVLVNmEuTiS5uhsuOchtKv/hBHYLarcciBlta6Foiw7YyqiXUgX2NwhNSUa +lSJR8b87Zrt79JhbyC2tfJ1KUHHVWEalOKgjgg40Zrbqs1AfAD8iNzfGo4hWSM3X +6o7CuVYsu4KmMVWP4qCYrjkdyHt++Cs3c9a+s2gLdP3egZAjnuuOtD9Pg6P8ZzZw +PeOI4MyGjKN2EDTa5/X6jKCl79ygU2vkhhbcvhBu53T8UUyLp7RmCw173y/bjm9K +nbN7pVtcLj8nUKKqzxZv5ZiRdZcoj7J/EWhvUb9Uz7EYqc9Qx1VEAl2bWUBGttBS +ReQkMQiC2ilfNowLKvSlnporTH30UW5JlaBzkMG1go2CBVQNEV3umX4nXTQiYlSp +qKQvsqfNgxBdCTDq6FsNCu65 +=BocE +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:18/setcred-15.patch b/website/static/security/patches/SA-26:18/setcred-15.patch new file mode 100644 index 0000000000..9cb65a3574 --- /dev/null +++ b/website/static/security/patches/SA-26:18/setcred-15.patch @@ -0,0 +1,15 @@ +--- sys/kern/kern_prot.c.orig ++++ sys/kern/kern_prot.c +@@ -554,10 +554,10 @@ + */ + *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? + smallgroups : malloc(wcred->sc_supp_groups_nb * +- sizeof(*groups), M_TEMP, M_WAITOK); ++ sizeof(gid_t), M_TEMP, M_WAITOK); + + error = copyin(wcred->sc_supp_groups, *groups, +- wcred->sc_supp_groups_nb * sizeof(*groups)); ++ wcred->sc_supp_groups_nb * sizeof(gid_t)); + if (error != 0) + return (error); + wcred->sc_supp_groups = *groups; diff --git a/website/static/security/patches/SA-26:18/setcred-15.patch.asc b/website/static/security/patches/SA-26:18/setcred-15.patch.asc new file mode 100644 index 0000000000..7dad72c15d --- /dev/null +++ b/website/static/security/patches/SA-26:18/setcred-15.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKG0bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIiQQAOUHGIICFi6oBcTzbnl3 +yFA/Gm3j9S2zjHcfN3TSOTbuuBNxx2sy7JLdDsG45VRGVdK1sS3gtQv65mey4rXD +U5tTbkIJaGnPYFfwoYBppFGcQtjhzgqt2YWatkOr28GPv5EKRY0NfPwqObaiMJy/ +L2StoZFwlFGe104dNmqLyDZ5/lDEWAXZgCaZRElk7odOT7wjnZJEcJKqIw1FDrXP +FrrZPZBbt4hha0KdyFY2A/ddM6Mnve14LoLW10nCFOpQH1+DMORSMoGdXuoFDWDX +K4nL5scWSbJnkQY5PBmJo6kN2mGMkMLCwpYbAyr6WXeS8WDF9bE8/I6C4EFa4JsG +D4aynWbE6VpJ35thyKd4p4+YI7VXuLtYVKdlJE0GGNV92qBb2pwCAtjVqfAogDMj +B1DuG+fcUPEtNS/aBn1A1BdM7UPTNDrp5X6L35e5MqVBU8ScWCgi0zQiscY3LvmR +BigmHWVeUcStLM+cCSAedhwKhXvJkpsoRVqzvLkIba+mL77YJh10s8zTzPWrlFV0 +k3G3U5yw/vhRIvkhoe6V5k4aw0lcNY4DDWai8xTjgd4T8hM+k7syjw8Q3uHBESyv +dag0q/OHLrSA/DLUhOjnHtfDaKjNAsfkW1QJINbGaZbbWrL8WB4jUZ1Lu7SPNHxj +It9S1CwDOvNRusx0xDnkUQUU +=i9RG +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:19/file-14.patch b/website/static/security/patches/SA-26:19/file-14.patch new file mode 100644 index 0000000000..327f123923 --- /dev/null +++ b/website/static/security/patches/SA-26:19/file-14.patch @@ -0,0 +1,203 @@ +--- sys/dev/netmap/netmap_freebsd.c.orig ++++ sys/dev/netmap/netmap_freebsd.c +@@ -119,6 +119,7 @@ + taskqueue_drain(si->ntfytq, &si->ntfytask); + taskqueue_free(si->ntfytq); + si->ntfytq = NULL; ++ seldrain(&si->si); + knlist_delete(&si->si.si_note, curthread, /*islocked=*/0); + knlist_destroy(&si->si.si_note); + /* now we don't need the mutex anymore */ +--- sys/kern/sys_procdesc.c.orig ++++ sys/kern/sys_procdesc.c +@@ -273,6 +273,7 @@ + KASSERT((pd->pd_flags & PDF_CLOSED), + ("procdesc_free: !PDF_CLOSED")); + ++ seldrain(&pd->pd_selinfo); + knlist_destroy(&pd->pd_selinfo.si_note); + PROCDESC_LOCK_DESTROY(pd); + free(pd, M_PROCDESC); +@@ -315,10 +316,7 @@ + procdesc_free(pd); + return (1); + } +- if (pd->pd_flags & PDF_SELECTED) { +- pd->pd_flags &= ~PDF_SELECTED; +- selwakeup(&pd->pd_selinfo); +- } ++ selwakeup(&pd->pd_selinfo); + KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT); + PROCDESC_UNLOCK(pd); + return (0); +@@ -433,10 +431,8 @@ + PROCDESC_LOCK(pd); + if (pd->pd_flags & PDF_EXITED) + revents |= POLLHUP; +- if (revents == 0) { ++ else + selrecord(td, &pd->pd_selinfo); +- pd->pd_flags |= PDF_SELECTED; +- } + PROCDESC_UNLOCK(pd); + return (revents); + } +--- sys/sys/procdesc.h.orig ++++ sys/sys/procdesc.h +@@ -86,7 +86,6 @@ + * Flags for the pd_flags field. + */ + #define PDF_CLOSED 0x00000001 /* Descriptor has closed. */ +-#define PDF_SELECTED 0x00000002 /* Issue selwakeup(). */ + #define PDF_EXITED 0x00000004 /* Process exited. */ + #define PDF_DAEMON 0x00000008 /* Don't exit when procdesc closes. */ + +--- tests/sys/kern/Makefile.orig ++++ tests/sys/kern/Makefile +@@ -27,6 +27,7 @@ + .endif + ATF_TESTS_C+= ktrace_test + ATF_TESTS_C+= module_test ++ATF_TESTS_C+= procdesc + ATF_TESTS_C+= ptrace_test + TEST_METADATA.ptrace_test+= timeout="15" + ATF_TESTS_C+= reaper +@@ -85,6 +86,7 @@ + LIBADD.kcov+= pthread + CFLAGS.ktls_test+= -DOPENSSL_API_COMPAT=0x10100000L + LIBADD.ktls_test+= crypto util ++LIBADD.procdesc+= pthread + LIBADD.socket_msg_waitall+= pthread + LIBADD.socket_splice+= pthread + LIBADD.sendfile_helper+= pthread +--- /dev/null ++++ tests/sys/kern/procdesc.c +@@ -0,0 +1,128 @@ ++/*- ++ * SPDX-License-Identifier: BSD-2-Clause ++ * ++ * Copyright (c) 2026 ConnectWise ++ * Copyright (c) 2026 Mark Johnston ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++/* Tests for procdesc(4) that aren't specific to any one syscall */ ++ ++static void * ++poll_procdesc(void *arg) ++{ ++ struct pollfd pfd; ++ ++ pfd.fd = *(int *)arg; ++ pfd.events = POLLHUP; ++ (void)poll(&pfd, 1, 5000); ++ return ((void *)(uintptr_t)pfd.revents); ++} ++ ++/* ++ * Regression test to exercise the case where a procdesc is closed while a ++ * thread is poll()ing it. ++ */ ++ATF_TC_WITHOUT_HEAD(poll_close_race); ++ATF_TC_BODY(poll_close_race, tc) ++{ ++ pthread_t thr; ++ pid_t pid; ++ uintptr_t revents; ++ int error, pd; ++ ++ pid = pdfork(&pd, PD_DAEMON); ++ ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno)); ++ if (pid == 0) { ++ pause(); ++ _exit(0); ++ } ++ ++ error = pthread_create(&thr, NULL, poll_procdesc, &pd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLNVAL); ++} ++ ++/* ++ * Verify that poll(2) of a procdesc returns POLLHUP when the process exits. ++ */ ++ATF_TC_WITHOUT_HEAD(poll_exit_wakeup); ++ATF_TC_BODY(poll_exit_wakeup, tc) ++{ ++ pthread_t thr; ++ uintptr_t revents; ++ pid_t pid; ++ int error, pd; ++ ++ pid = pdfork(&pd, PD_DAEMON); ++ ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno)); ++ if (pid == 0) { ++ pause(); ++ _exit(0); ++ } ++ ++ error = pthread_create(&thr, NULL, poll_procdesc, &pd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(pdkill(pd, SIGKILL) == 0, ++ "pdkill: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLHUP); ++ ++ ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno)); ++} ++ ++ATF_TP_ADD_TCS(tp) ++{ ++ ATF_TP_ADD_TC(tp, poll_close_race); ++ ATF_TP_ADD_TC(tp, poll_exit_wakeup); ++ ++ return (atf_no_error()); ++} diff --git a/website/static/security/patches/SA-26:19/file-14.patch.asc b/website/static/security/patches/SA-26:19/file-14.patch.asc new file mode 100644 index 0000000000..3ed9fafc3a --- /dev/null +++ b/website/static/security/patches/SA-26:19/file-14.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKG8bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvNpoP/jb1grG0Pi0UGPNjwt/V +nrNT+blyuF/QgBj59Qs8ukTjZ9pkPCYtRFGPRvE046gLGgZxtRflqSchT7MHFi11 +EOe1QX74PFqHYNuTlBndaidapx3J6TOe+KbrriG7yWsaYbjpI7iiu+ebsU4arU8L +60N/EAiES6Eu8T7uQysOWXNbI0Tp0zehwK/W7Z9H2iiGtggU25MFMgcdFj+onwH+ +qKznW5/2xHiv3/P4k83RMkbSKb0oLAvUvTIGuMSTaLtr1sGkkajrKmxJiiGYZuGK +Zfw3wEWBZdTs5QM51CAnkqQaDEwxmUsOn70onXeeiTjcpzr7aTwVqSzd6NgJ+xkv +rr1gbfBDRgJW3Uk3/wOwAUGk4a6E3kDW3u2lc6hPD3TfTjrrBlE/XaT0Lkc//Trz +up2ebnjRaai9fsMjhA62k2H+hNXsioAzOe/t3aAEjTcCHKqLtyJ0cGEhAmfJvxE6 +c7h6q17hxNnT6fhfqqdfZ4c+JUBA3jiio/RQVL1/x+NzJiZxjRnzct28tuN9Y8am +BepYRa6pWSet8s7J8L5KNREmBHEgwLwqybKXCEJpjoQn9cQXTTb5M8eJkIa+V86q +nMDZ6TONl1OHeqiH7uhB47W38+jXGWeFMSromI5+spoKLax3m5zlJwkULMJJi8Vk +UAdh/UQz3TX+Bw129dVDQES+ +=J8vU +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:19/file-15.patch b/website/static/security/patches/SA-26:19/file-15.patch new file mode 100644 index 0000000000..53ebcbf036 --- /dev/null +++ b/website/static/security/patches/SA-26:19/file-15.patch @@ -0,0 +1,467 @@ +--- sys/dev/netmap/netmap_freebsd.c.orig ++++ sys/dev/netmap/netmap_freebsd.c +@@ -119,6 +119,7 @@ + taskqueue_drain(si->ntfytq, &si->ntfytask); + taskqueue_free(si->ntfytq); + si->ntfytq = NULL; ++ seldrain(&si->si); + knlist_delete(&si->si.si_note, curthread, /*islocked=*/0); + knlist_destroy(&si->si.si_note); + /* now we don't need the mutex anymore */ +--- sys/kern/kern_jaildesc.c.orig ++++ sys/kern/kern_jaildesc.c +@@ -197,10 +197,7 @@ + JAILDESC_LOCK(jd); + if (hint == NOTE_JAIL_REMOVE) { + jd->jd_flags |= JDF_REMOVED; +- if (jd->jd_flags & JDF_SELECTED) { +- jd->jd_flags &= ~JDF_SELECTED; +- selwakeup(&jd->jd_selinfo); +- } ++ selwakeup(&jd->jd_selinfo); + } + KNOTE_LOCKED(&jd->jd_selinfo.si_note, hint); + JAILDESC_UNLOCK(jd); +@@ -257,6 +254,7 @@ + } + prison_free(pr); + } ++ seldrain(&jd->jd_selinfo); + knlist_destroy(&jd->jd_selinfo.si_note); + JAILDESC_LOCK_DESTROY(jd); + free(jd, M_JAILDESC); +@@ -276,10 +274,8 @@ + JAILDESC_LOCK(jd); + if (jd->jd_flags & JDF_REMOVED) + revents |= POLLHUP; +- if (revents == 0) { ++ else + selrecord(td, &jd->jd_selinfo); +- jd->jd_flags |= JDF_SELECTED; +- } + JAILDESC_UNLOCK(jd); + return (revents); + } +--- sys/kern/sys_procdesc.c.orig ++++ sys/kern/sys_procdesc.c +@@ -270,6 +270,7 @@ + KASSERT((pd->pd_flags & PDF_CLOSED), + ("procdesc_free: !PDF_CLOSED")); + ++ seldrain(&pd->pd_selinfo); + knlist_destroy(&pd->pd_selinfo.si_note); + PROCDESC_LOCK_DESTROY(pd); + free(pd, M_PROCDESC); +@@ -312,10 +313,7 @@ + procdesc_free(pd); + return (1); + } +- if (pd->pd_flags & PDF_SELECTED) { +- pd->pd_flags &= ~PDF_SELECTED; +- selwakeup(&pd->pd_selinfo); +- } ++ selwakeup(&pd->pd_selinfo); + KNOTE_LOCKED(&pd->pd_selinfo.si_note, NOTE_EXIT); + PROCDESC_UNLOCK(pd); + return (0); +@@ -430,10 +428,8 @@ + PROCDESC_LOCK(pd); + if (pd->pd_flags & PDF_EXITED) + revents |= POLLHUP; +- if (revents == 0) { ++ else + selrecord(td, &pd->pd_selinfo); +- pd->pd_flags |= PDF_SELECTED; +- } + PROCDESC_UNLOCK(pd); + return (revents); + } +--- sys/sys/jaildesc.h.orig ++++ sys/sys/jaildesc.h +@@ -71,7 +71,6 @@ + /* + * Flags for the jd_flags field + */ +-#define JDF_SELECTED 0x00000001 /* issue selwakeup() */ + #define JDF_REMOVED 0x00000002 /* jail was removed */ + #define JDF_OWNING 0x00000004 /* closing descriptor removes jail */ + +--- sys/sys/procdesc.h.orig ++++ sys/sys/procdesc.h +@@ -86,7 +86,6 @@ + * Flags for the pd_flags field. + */ + #define PDF_CLOSED 0x00000001 /* Descriptor has closed. */ +-#define PDF_SELECTED 0x00000002 /* Issue selwakeup(). */ + #define PDF_EXITED 0x00000004 /* Process exited. */ + #define PDF_DAEMON 0x00000008 /* Don't exit when procdesc closes. */ + +--- tests/sys/kern/Makefile.orig ++++ tests/sys/kern/Makefile +@@ -22,6 +22,7 @@ + ATF_TESTS_C+= fdgrowtable_test + ATF_TESTS_C+= getdirentries_test + ATF_TESTS_C+= jail_lookup_root ++ATF_TESTS_C+= jaildesc + ATF_TESTS_C+= inotify_test + ATF_TESTS_C+= kill_zombie + .if ${MK_OPENSSL} != "no" +@@ -31,6 +32,7 @@ + ATF_TESTS_C+= listener_wakeup + ATF_TESTS_C+= module_test + ATF_TESTS_C+= prace ++ATF_TESTS_C+= procdesc + ATF_TESTS_C+= ptrace_test + TEST_METADATA.ptrace_test+= timeout="15" + ATF_TESTS_C+= reaper +@@ -84,6 +86,7 @@ + + LIBADD.copy_file_range+= md + LIBADD.jail_lookup_root+= jail util ++LIBADD.jaildesc+= pthread + CFLAGS.sys_getrandom+= -I${SRCTOP}/sys/contrib/zstd/lib + LIBADD.sys_getrandom+= zstd + LIBADD.sys_getrandom+= c +@@ -95,6 +98,7 @@ + CFLAGS.ktls_test+= -DOPENSSL_API_COMPAT=0x10100000L + LIBADD.ktls_test+= crypto util + LIBADD.listener_wakeup+= pthread ++LIBADD.procdesc+= pthread + LIBADD.shutdown_dgram+= pthread + LIBADD.socket_msg_waitall+= pthread + LIBADD.socket_splice+= pthread +--- /dev/null ++++ tests/sys/kern/jaildesc.c +@@ -0,0 +1,201 @@ ++/* ++ * Copyright (c) 2026 Mark Johnston ++ * ++ * SPDX-License-Identifier: BSD-2-Clause ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* ++ * Create a persistent jail and return an owning descriptor for it. ++ * The jail is removed when the returned descriptor is closed. ++ */ ++static int ++create_jail(const char *name) ++{ ++ struct iovec iov[8]; ++ int desc, jid, n; ++ ++ desc = -1; ++ n = 0; ++ iov[n].iov_base = __DECONST(void *, "name"); ++ iov[n++].iov_len = strlen("name") + 1; ++ iov[n].iov_base = __DECONST(void *, name); ++ iov[n++].iov_len = strlen(name) + 1; ++ iov[n].iov_base = __DECONST(void *, "path"); ++ iov[n++].iov_len = strlen("path") + 1; ++ iov[n].iov_base = __DECONST(void *, "/"); ++ iov[n++].iov_len = strlen("/") + 1; ++ iov[n].iov_base = __DECONST(void *, "persist"); ++ iov[n++].iov_len = strlen("persist") + 1; ++ iov[n].iov_base = NULL; ++ iov[n++].iov_len = 0; ++ iov[n].iov_base = __DECONST(void *, "desc"); ++ iov[n++].iov_len = strlen("desc") + 1; ++ iov[n].iov_base = &desc; ++ iov[n++].iov_len = sizeof(desc); ++ jid = jail_set(iov, n, JAIL_CREATE | JAIL_OWN_DESC); ++ ATF_REQUIRE_MSG(jid >= 0, "jail_set: %s", strerror(errno)); ++ return (desc); ++} ++ ++static void * ++poll_jaildesc(void *arg) ++{ ++ struct pollfd pfd; ++ ++ pfd.fd = *(int *)arg; ++ pfd.events = POLLHUP; ++ (void)poll(&pfd, 1, 5000); ++ return ((void *)(uintptr_t)pfd.revents); ++} ++ ++/* ++ * Regression test for the case where a jail descriptor is closed while a ++ * thread is blocking in poll(2) on it. ++ */ ++ATF_TC(poll_close_race); ++ATF_TC_HEAD(poll_close_race, tc) ++{ ++ atf_tc_set_md_var(tc, "require.user", "root"); ++} ++ATF_TC_BODY(poll_close_race, tc) ++{ ++ pthread_t thr; ++ uintptr_t revents; ++ int error, jd; ++ ++ jd = create_jail("jaildesc_poll_close_race"); ++ ++ error = pthread_create(&thr, NULL, poll_jaildesc, &jd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(close(jd) == 0, "close: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLNVAL); ++} ++ ++/* ++ * Verify that poll(2) of a jail descriptor returns POLLHUP when the jail ++ * is removed. ++ */ ++ATF_TC(poll_remove_wakeup); ++ATF_TC_HEAD(poll_remove_wakeup, tc) ++{ ++ atf_tc_set_md_var(tc, "require.user", "root"); ++} ++ATF_TC_BODY(poll_remove_wakeup, tc) ++{ ++ pthread_t thr; ++ uintptr_t revents; ++ int error, jd; ++ ++ jd = create_jail("jaildesc_poll_remove_wakeup"); ++ ++ error = pthread_create(&thr, NULL, poll_jaildesc, &jd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(jail_remove_jd(jd) == 0, ++ "jail_remove_jd: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLHUP); ++ ++ ATF_REQUIRE_MSG(close(jd) == 0, "close: %s", strerror(errno)); ++} ++ ++static int ++get_jaildesc(const char *name) ++{ ++ struct iovec iov[4]; ++ char namebuf[MAXHOSTNAMELEN]; ++ int desc, jid, n; ++ ++ strlcpy(namebuf, name, sizeof(namebuf)); ++ desc = -1; ++ n = 0; ++ iov[n].iov_base = __DECONST(void *, "name"); ++ iov[n++].iov_len = strlen("name") + 1; ++ iov[n].iov_base = namebuf; ++ iov[n++].iov_len = sizeof(namebuf); ++ iov[n].iov_base = __DECONST(void *, "desc"); ++ iov[n++].iov_len = strlen("desc") + 1; ++ iov[n].iov_base = &desc; ++ iov[n++].iov_len = sizeof(desc); ++ jid = jail_get(iov, n, JAIL_GET_DESC); ++ ATF_REQUIRE_MSG(jid >= 0, "jail_get: %s", strerror(errno)); ++ return (desc); ++} ++ ++/* ++ * Regression test for the same use-after-free as poll_close_race, but with a ++ * non-owning JAIL_GET_DESC descriptor obtained without root privileges. ++ */ ++ATF_TC(poll_close_race_get_desc); ++ATF_TC_HEAD(poll_close_race_get_desc, tc) ++{ ++ atf_tc_set_md_var(tc, "require.user", "root"); ++} ++ATF_TC_BODY(poll_close_race_get_desc, tc) ++{ ++ struct passwd *pw; ++ pthread_t thr; ++ uintptr_t revents; ++ int error, jd, owning_jd; ++ ++ /* Create the jail as root; keep the owning descriptor for cleanup. */ ++ owning_jd = create_jail("jaildesc_poll_close_get_desc"); ++ ++ /* ++ * Drop root privileges. jail_get(2) with JAIL_GET_DESC does not ++ * require PRIV_JAIL_REMOVE, so a non-root process in the host prison ++ * can obtain a read-only descriptor for any visible jail. ++ */ ++ pw = getpwnam("nobody"); ++ ATF_REQUIRE_MSG(pw != NULL, "getpwnam: %s", strerror(errno)); ++ ATF_REQUIRE_MSG(setuid(pw->pw_uid) == 0, "setuid: %s", strerror(errno)); ++ ++ jd = get_jaildesc("jaildesc_poll_close_get_desc"); ++ ++ error = pthread_create(&thr, NULL, poll_jaildesc, &jd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(close(jd) == 0, "close: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLNVAL); ++ ++ ATF_REQUIRE_MSG(close(owning_jd) == 0, "close: %s", strerror(errno)); ++} ++ ++ATF_TP_ADD_TCS(tp) ++{ ++ ATF_TP_ADD_TC(tp, poll_close_race); ++ ATF_TP_ADD_TC(tp, poll_remove_wakeup); ++ ATF_TP_ADD_TC(tp, poll_close_race_get_desc); ++ ++ return (atf_no_error()); ++} +--- /dev/null ++++ tests/sys/kern/procdesc.c +@@ -0,0 +1,128 @@ ++/*- ++ * SPDX-License-Identifier: BSD-2-Clause ++ * ++ * Copyright (c) 2026 ConnectWise ++ * Copyright (c) 2026 Mark Johnston ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++/* Tests for procdesc(4) that aren't specific to any one syscall */ ++ ++static void * ++poll_procdesc(void *arg) ++{ ++ struct pollfd pfd; ++ ++ pfd.fd = *(int *)arg; ++ pfd.events = POLLHUP; ++ (void)poll(&pfd, 1, 5000); ++ return ((void *)(uintptr_t)pfd.revents); ++} ++ ++/* ++ * Regression test to exercise the case where a procdesc is closed while a ++ * thread is poll()ing it. ++ */ ++ATF_TC_WITHOUT_HEAD(poll_close_race); ++ATF_TC_BODY(poll_close_race, tc) ++{ ++ pthread_t thr; ++ pid_t pid; ++ uintptr_t revents; ++ int error, pd; ++ ++ pid = pdfork(&pd, PD_DAEMON); ++ ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno)); ++ if (pid == 0) { ++ pause(); ++ _exit(0); ++ } ++ ++ error = pthread_create(&thr, NULL, poll_procdesc, &pd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLNVAL); ++} ++ ++/* ++ * Verify that poll(2) of a procdesc returns POLLHUP when the process exits. ++ */ ++ATF_TC_WITHOUT_HEAD(poll_exit_wakeup); ++ATF_TC_BODY(poll_exit_wakeup, tc) ++{ ++ pthread_t thr; ++ uintptr_t revents; ++ pid_t pid; ++ int error, pd; ++ ++ pid = pdfork(&pd, PD_DAEMON); ++ ATF_REQUIRE_MSG(pid >= 0, "pdfork: %s", strerror(errno)); ++ if (pid == 0) { ++ pause(); ++ _exit(0); ++ } ++ ++ error = pthread_create(&thr, NULL, poll_procdesc, &pd); ++ ATF_REQUIRE_MSG(error == 0, "pthread_create: %s", strerror(error)); ++ ++ /* Wait for the thread to block in poll(2). */ ++ usleep(250000); ++ ++ ATF_REQUIRE_MSG(pdkill(pd, SIGKILL) == 0, ++ "pdkill: %s", strerror(errno)); ++ ++ error = pthread_join(thr, (void *)&revents); ++ ATF_REQUIRE_MSG(error == 0, "pthread_join: %s", strerror(error)); ++ ATF_REQUIRE_EQ(revents, POLLHUP); ++ ++ ATF_REQUIRE_MSG(close(pd) == 0, "close: %s", strerror(errno)); ++} ++ ++ATF_TP_ADD_TCS(tp) ++{ ++ ATF_TP_ADD_TC(tp, poll_close_race); ++ ATF_TP_ADD_TC(tp, poll_exit_wakeup); ++ ++ return (atf_no_error()); ++} diff --git a/website/static/security/patches/SA-26:19/file-15.patch.asc b/website/static/security/patches/SA-26:19/file-15.patch.asc new file mode 100644 index 0000000000..d15ac5c435 --- /dev/null +++ b/website/static/security/patches/SA-26:19/file-15.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHAbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvUPwQAL4Td5qsO6YRMxxoyd9Y +h59xkv7KCPmLOXRLgAf+Aqxof0lqVGbxOx2e9ULzyL2InRvKEsbFCMthdYyWcR0f +CRTLqPFWq6sAAd2s1ensgTMMn89Ei7ZJoqjPFF7Cl9EBdPRvROf+8aDLD7BXhxO4 +jwoQY0b0FR/IhhP7sfMUEy3Lg2D6E68rrFV6EvKj0CQPentHY3GFSKYh6RcOmBYP +V1xRl27vTQOfrjIoPPSKTKyVulfjPb7k2ZNsrNozEwdG541ZGddafk+V59siyBxZ +zt7WBNPPdqSZUOrdWEfy0WS7ejzVk+EtZejNDT5IyJciZfc+2/EGHJDHD4/13UDJ +lUC4a5cuvSm6bf8qk1lnz1ISfPxayYK3T53lU/axasIlqOdj3jFwWl+EyMDQLmfq +lxMskYbDobbuxmRstpET9uTQB+uAu2yg2+eej/FGzdT5p+R/54dS6kdeuU2JNFXD +KJrlll92vMCm1U9gzW5rzzUb78xXWLl4k07PHvauaqActWXZyDPOUGH7a/Ik57BG +2kO/EzPJZvhpYbhM7Zidfot+b9X+gO4v9YsFy02XdZhRgblIlzyvtDkl2l7drlC7 +j8fzQiEEHJxnMwhj5bxpE028cRg8XszVXgAYGHeEJMqc2mbkMh5yAVgUZX10GZtc +lJGd4WA1yrr618fLIvXGz+re +=3h0D +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:20/fusefs-14.3.patch b/website/static/security/patches/SA-26:20/fusefs-14.3.patch new file mode 100644 index 0000000000..35b68cec8f --- /dev/null +++ b/website/static/security/patches/SA-26:20/fusefs-14.3.patch @@ -0,0 +1,146 @@ +--- sys/fs/fuse/fuse_ipc.h.orig ++++ sys/fs/fuse/fuse_ipc.h +@@ -238,6 +238,7 @@ + #define FSESS_WARN_WB_CACHE_INCOHERENT 0x400000 /* WB cache incoherent */ + #define FSESS_WARN_ILLEGAL_INODE 0x800000 /* Illegal inode for new file */ + #define FSESS_WARN_READLINK_EMBEDDED_NUL 0x1000000 /* corrupt READLINK output */ ++#define FSESS_WARN_LSEXTATTR_NUL 0x20000000 /* Non nul-terminated xattr list */ + #define FSESS_MNTOPTS_MASK ( \ + FSESS_DAEMON_CAN_SPY | FSESS_PUSH_SYMLINKS_IN | \ + FSESS_DEFAULT_PERMISSIONS | FSESS_INTR) +--- sys/fs/fuse/fuse_vnops.c.orig ++++ sys/fs/fuse/fuse_vnops.c +@@ -2806,8 +2806,8 @@ + * bsd_list, bsd_list_len - output list compatible with bsd vfs + */ + static int +-fuse_xattrlist_convert(char *prefix, const char *list, int list_len, +- char *bsd_list, int *bsd_list_len) ++fuse_xattrlist_convert(struct fuse_data *data, char *prefix, const char *list, ++ int list_len, char *bsd_list, int *bsd_list_len) + { + int len, pos, dist_to_next, prefix_len; + +@@ -2816,7 +2816,13 @@ + prefix_len = strlen(prefix); + + while (pos < list_len && list[pos] != '\0') { +- dist_to_next = strlen(&list[pos]) + 1; ++ dist_to_next = strnlen(&list[pos], list_len - pos - 1) + 1; ++ if (list[pos + dist_to_next - 1] != '\0') { ++ fuse_warn(data, FSESS_WARN_LSEXTATTR_NUL, ++ "The FUSE server returned a non nul-terminated " ++ "LISTXATTR response."); ++ return (EIO); ++ } + if (bcmp(&list[pos], prefix, prefix_len) == 0 && + list[pos + prefix_len] == extattr_namespace_separator) { + len = dist_to_next - +@@ -2872,6 +2878,7 @@ + struct fuse_listxattr_in *list_xattr_in; + struct fuse_listxattr_out *list_xattr_out; + struct mount *mp = vnode_mount(vp); ++ struct fuse_data *data = fuse_get_mpdata(mp); + struct thread *td = ap->a_td; + struct ucred *cred = ap->a_cred; + char *prefix; +@@ -2949,8 +2956,6 @@ + linux_list = fdi.answ; + /* FUSE doesn't allow the server to return more data than requested */ + if (fdi.iosize > linux_list_len) { +- struct fuse_data *data = fuse_get_mpdata(mp); +- + fuse_warn(data, FSESS_WARN_LSEXTATTR_LONG, + "server returned " + "more extended attribute data than requested; " +@@ -2967,7 +2972,7 @@ + * FreeBSD's format before giving it to the user. + */ + bsd_list = malloc(linux_list_len, M_TEMP, M_WAITOK); +- err = fuse_xattrlist_convert(prefix, linux_list, linux_list_len, ++ err = fuse_xattrlist_convert(data, prefix, linux_list, linux_list_len, + bsd_list, &bsd_list_len); + if (err != 0) + goto out; +--- tests/sys/fs/fusefs/xattr.cc.orig ++++ tests/sys/fs/fusefs/xattr.cc +@@ -448,6 +448,79 @@ + ASSERT_TRUE(WIFSIGNALED(status)); + } + ++/* ++ * A buggy or malicious server returns a list that isn't nul-terminated. The ++ * kernel should handle it gracefully. ++ */ ++TEST_F(Listxattr, not_nul_terminated) ++{ ++ uint64_t ino = 42; ++ int ns = EXTATTR_NAMESPACE_USER; ++ char *data; ++ const char expected[4] = {3, 'f', 'o', 'o'}; ++ const char first[255] = "user.foo\0system.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ++ const uint8_t badlist[9] = {'u', 's', 'e', 'r', '.', 'f', 'o', 'o', 'd'}; ++ Sequence seq; ++ ++ EXPECT_LOOKUP(FUSE_ROOT_ID, RELPATH) ++ .WillRepeatedly(Invoke( ++ ReturnImmediate([=](auto in __unused, auto& out) { ++ SET_OUT_HEADER_LEN(out, entry); ++ out.body.entry.attr.mode = S_IFREG | 0644; ++ out.body.entry.nodeid = ino; ++ out.body.entry.attr.nlink = 1; ++ out.body.entry.attr_valid = UINT64_MAX; ++ out.body.entry.entry_valid = UINT64_MAX; ++ }))); ++ ++ /* ++ * On the first LISTXATTRS call, return a big attribute just to fill ++ * the heap with non-NUL data. ++ */ ++ expect_listxattr(ino, 0, ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ out.body.listxattr.size = sizeof(first); ++ SET_OUT_HEADER_LEN(out, listxattr); ++ }), &seq ++ ); ++ expect_listxattr(ino, sizeof(first), ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ memcpy((void*)out.body.bytes, first, sizeof(first)); ++ out.header.len = sizeof(fuse_out_header) + sizeof(first); ++ }), &seq ++ ); ++ /* ++ * On the second LISTXATTRS call, return a malformed list with no NUL ++ * termination. The heap might still be full of the data from the ++ * first call. ++ */ ++ expect_listxattr(ino, 0, ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ out.body.listxattr.size = sizeof(badlist); ++ SET_OUT_HEADER_LEN(out, listxattr); ++ }), &seq ++ ); ++ expect_listxattr(ino, sizeof(badlist), ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ memset((void*)out.body.bytes, 'x', sizeof(first)); ++ memcpy((void*)out.body.bytes, badlist, sizeof(badlist)); ++ out.header.len = sizeof(fuse_out_header) + sizeof(badlist); ++ }), &seq ++ ); ++ ++ data = new char[1024]; ++ ++ ASSERT_EQ(static_cast(sizeof(expected)), ++ extattr_list_file(FULLPATH, ns, data, sizeof(data))) ++ << strerror(errno); ++ /* ++ * Receiving this malformed list, the kernel should log it to dmesg and ++ * report an IO error to the caller. ++ */ ++ ASSERT_EQ(-1, extattr_list_file(FULLPATH, ns, data, sizeof(data))); ++ EXPECT_EQ(EIO, errno); ++} ++ + /* + * Get the size of the list that it would take to list no extended attributes + */ diff --git a/website/static/security/patches/SA-26:20/fusefs-14.3.patch.asc b/website/static/security/patches/SA-26:20/fusefs-14.3.patch.asc new file mode 100644 index 0000000000..0f3c9741eb --- /dev/null +++ b/website/static/security/patches/SA-26:20/fusefs-14.3.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHMbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvlI0QALm6fFHg0EXsCNa/fEx6 +oSYsueeAZgVd4T+gXdQ2Qj/Ne6LImFJiRiG2m9yhIEVCZA2l54r5UP5IpGag+g0S +h1H8JEs2VYrc/Z7+E2xD2e3bKhwyJ5DDcoHbGALkFFaVvGDibC79yqzmBHmkBdZr +W5DBi6YuMlDqoZVMZps00qNRnUjbLWNZXafEiuNBf1suUv14hhyI/DD+SPEXWvDG +IXXeEO5zA7IxecZSUHZak9DQL234c/gR/+tkgVKwgY+42e9AqcTIOFTDgyZFJ56V +OgJ5BFsFWO0lFxYPmKRvUPs2DnsvEkN+L9meT5G8BxCC3QybeBRuFoi4/5mLTNAf +gEU6Fg/XIs/cHnRxq2nfqKigdvULAEeqqUZCIZLnPLxx5DKr42PCv5ExalV+UbTW +826x6NQ5CNM/MncBpQJwfdwVLc3gOo+jx96I1t9Fe1RMzdho0wj2/rd9gjElkAv7 +ffDtKraDy/m2559Bmu9dLYBokeeFMtLvvGgoHMAyum3QgottdLOkqquvGETM1voP +2dWNuynDmzf+hFIVN5LgL21TaJbYFvS0MZNmYKGyu6Lqx+9KvYyDdy/T0UGWflU0 +mSbDcCflqUfxdqo50lNzaFhn9KLAA5KhO3DcggeCEVS1ylxN+d85j4qPkROF4I6E +DEYgzjfPApOkOUqpNXFCvtye +=Bk3h +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:20/fusefs-14.4.patch b/website/static/security/patches/SA-26:20/fusefs-14.4.patch new file mode 100644 index 0000000000..a598821095 --- /dev/null +++ b/website/static/security/patches/SA-26:20/fusefs-14.4.patch @@ -0,0 +1,146 @@ +--- sys/fs/fuse/fuse_ipc.h.orig ++++ sys/fs/fuse/fuse_ipc.h +@@ -240,6 +240,7 @@ + #define FSESS_WARN_READLINK_EMBEDDED_NUL 0x1000000 /* corrupt READLINK output */ + #define FSESS_WARN_DOT_LOOKUP 0x2000000 /* Inconsistent . LOOKUP response */ + #define FSESS_WARN_INODE_MISMATCH 0x4000000 /* ino != nodeid */ ++#define FSESS_WARN_LSEXTATTR_NUL 0x20000000 /* Non nul-terminated xattr list */ + #define FSESS_MNTOPTS_MASK ( \ + FSESS_DAEMON_CAN_SPY | FSESS_PUSH_SYMLINKS_IN | \ + FSESS_DEFAULT_PERMISSIONS | FSESS_INTR) +--- sys/fs/fuse/fuse_vnops.c.orig ++++ sys/fs/fuse/fuse_vnops.c +@@ -2794,8 +2794,8 @@ + * bsd_list, bsd_list_len - output list compatible with bsd vfs + */ + static int +-fuse_xattrlist_convert(char *prefix, const char *list, int list_len, +- char *bsd_list, int *bsd_list_len) ++fuse_xattrlist_convert(struct fuse_data *data, char *prefix, const char *list, ++ int list_len, char *bsd_list, int *bsd_list_len) + { + int len, pos, dist_to_next, prefix_len; + +@@ -2804,7 +2804,13 @@ + prefix_len = strlen(prefix); + + while (pos < list_len && list[pos] != '\0') { +- dist_to_next = strlen(&list[pos]) + 1; ++ dist_to_next = strnlen(&list[pos], list_len - pos - 1) + 1; ++ if (list[pos + dist_to_next - 1] != '\0') { ++ fuse_warn(data, FSESS_WARN_LSEXTATTR_NUL, ++ "The FUSE server returned a non nul-terminated " ++ "LISTXATTR response."); ++ return (EIO); ++ } + if (bcmp(&list[pos], prefix, prefix_len) == 0 && + list[pos + prefix_len] == extattr_namespace_separator) { + len = dist_to_next - +@@ -2860,6 +2866,7 @@ + struct fuse_listxattr_in *list_xattr_in; + struct fuse_listxattr_out *list_xattr_out; + struct mount *mp = vnode_mount(vp); ++ struct fuse_data *data = fuse_get_mpdata(mp); + struct thread *td = ap->a_td; + struct ucred *cred = ap->a_cred; + char *prefix; +@@ -2937,8 +2944,6 @@ + linux_list = fdi.answ; + /* FUSE doesn't allow the server to return more data than requested */ + if (fdi.iosize > linux_list_len) { +- struct fuse_data *data = fuse_get_mpdata(mp); +- + fuse_warn(data, FSESS_WARN_LSEXTATTR_LONG, + "server returned " + "more extended attribute data than requested; " +@@ -2955,7 +2960,7 @@ + * FreeBSD's format before giving it to the user. + */ + bsd_list = malloc(linux_list_len, M_TEMP, M_WAITOK); +- err = fuse_xattrlist_convert(prefix, linux_list, linux_list_len, ++ err = fuse_xattrlist_convert(data, prefix, linux_list, linux_list_len, + bsd_list, &bsd_list_len); + if (err != 0) + goto out; +--- tests/sys/fs/fusefs/xattr.cc.orig ++++ tests/sys/fs/fusefs/xattr.cc +@@ -448,6 +448,79 @@ + ASSERT_TRUE(WIFSIGNALED(status)); + } + ++/* ++ * A buggy or malicious server returns a list that isn't nul-terminated. The ++ * kernel should handle it gracefully. ++ */ ++TEST_F(Listxattr, not_nul_terminated) ++{ ++ uint64_t ino = 42; ++ int ns = EXTATTR_NAMESPACE_USER; ++ char *data; ++ const char expected[4] = {3, 'f', 'o', 'o'}; ++ const char first[255] = "user.foo\0system.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ++ const uint8_t badlist[9] = {'u', 's', 'e', 'r', '.', 'f', 'o', 'o', 'd'}; ++ Sequence seq; ++ ++ EXPECT_LOOKUP(FUSE_ROOT_ID, RELPATH) ++ .WillRepeatedly(Invoke( ++ ReturnImmediate([=](auto in __unused, auto& out) { ++ SET_OUT_HEADER_LEN(out, entry); ++ out.body.entry.attr.mode = S_IFREG | 0644; ++ out.body.entry.nodeid = ino; ++ out.body.entry.attr.nlink = 1; ++ out.body.entry.attr_valid = UINT64_MAX; ++ out.body.entry.entry_valid = UINT64_MAX; ++ }))); ++ ++ /* ++ * On the first LISTXATTRS call, return a big attribute just to fill ++ * the heap with non-NUL data. ++ */ ++ expect_listxattr(ino, 0, ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ out.body.listxattr.size = sizeof(first); ++ SET_OUT_HEADER_LEN(out, listxattr); ++ }), &seq ++ ); ++ expect_listxattr(ino, sizeof(first), ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ memcpy((void*)out.body.bytes, first, sizeof(first)); ++ out.header.len = sizeof(fuse_out_header) + sizeof(first); ++ }), &seq ++ ); ++ /* ++ * On the second LISTXATTRS call, return a malformed list with no NUL ++ * termination. The heap might still be full of the data from the ++ * first call. ++ */ ++ expect_listxattr(ino, 0, ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ out.body.listxattr.size = sizeof(badlist); ++ SET_OUT_HEADER_LEN(out, listxattr); ++ }), &seq ++ ); ++ expect_listxattr(ino, sizeof(badlist), ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ memset((void*)out.body.bytes, 'x', sizeof(first)); ++ memcpy((void*)out.body.bytes, badlist, sizeof(badlist)); ++ out.header.len = sizeof(fuse_out_header) + sizeof(badlist); ++ }), &seq ++ ); ++ ++ data = new char[1024]; ++ ++ ASSERT_EQ(static_cast(sizeof(expected)), ++ extattr_list_file(FULLPATH, ns, data, sizeof(data))) ++ << strerror(errno); ++ /* ++ * Receiving this malformed list, the kernel should log it to dmesg and ++ * report an IO error to the caller. ++ */ ++ ASSERT_EQ(-1, extattr_list_file(FULLPATH, ns, data, sizeof(data))); ++ EXPECT_EQ(EIO, errno); ++} ++ + /* + * Get the size of the list that it would take to list no extended attributes + */ diff --git a/website/static/security/patches/SA-26:20/fusefs-14.4.patch.asc b/website/static/security/patches/SA-26:20/fusefs-14.4.patch.asc new file mode 100644 index 0000000000..2c328bce9d --- /dev/null +++ b/website/static/security/patches/SA-26:20/fusefs-14.4.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHQbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvTEYP/ji9A2XSR2utdOfiMp7d +I3Bhy66qAxYmC3xcVDwQLMe5z/7BK6lgJFfLp6Lq6cFAvKYy+cwY9iR85fAcGK60 +cInncCgFpgl3apNzBQrSg28kD2v1bIM80oaeM/uBJc2WIjKPeu5Z7DdniHiiUxae +jknvhojwpCkd3KCktqrpW6IBHI1TtXuHJWpDPBWr9KbxEcTWUku4gfnXkLvq8yoi +9YrMnWIK0zP322BbpEgujQengsoT2dYOQgj2YqXegLgrEiXWn/OdcmqSLSTKTl4W +5Zdmf90hZbvUMD4jnumXAEoCG++oopec0uFkTPuFLuXTqZhSFeTAT+9P6vepyc6i +EpoGEaSJjDlAdbpf/usp69ReROr6DHje67bMUcTpDWQXlv3fho8UirCMhOU8qAdI +ZQS6ogJgTxz29sEfgD+raaiQYte7p3pFIA41RwXpN9g87hyMGk41GRxZMpyRtN44 +W8OUOUf1bwGpNcyu9J/z8WZ7eNT4iwuRw13IeQ7jUcz1bIt7GlnV8TiyFCc+ZsvW +PzWx15zuWO751AzwnuUJkOR7H+xCZT48aOj5WvegdAIBpqMSz3R2veecyGsEjfRE +pe9z06/2dNR9ZPCxW+1yA9iBZr46D+wWXAD4TCNajHDXIRUBu18blhITQmTbHqeO +Ok5rj3IHx1CRL4kNgWDjtzHe +=ZCVv +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:20/fusefs-15.patch b/website/static/security/patches/SA-26:20/fusefs-15.patch new file mode 100644 index 0000000000..ff6e838f45 --- /dev/null +++ b/website/static/security/patches/SA-26:20/fusefs-15.patch @@ -0,0 +1,147 @@ +--- sys/fs/fuse/fuse_ipc.h.orig ++++ sys/fs/fuse/fuse_ipc.h +@@ -240,6 +240,7 @@ + #define FSESS_WARN_READLINK_EMBEDDED_NUL 0x1000000 /* corrupt READLINK output */ + #define FSESS_WARN_DOT_LOOKUP 0x2000000 /* Inconsistent . LOOKUP response */ + #define FSESS_WARN_INODE_MISMATCH 0x4000000 /* ino != nodeid */ ++#define FSESS_WARN_LSEXTATTR_NUL 0x20000000 /* Non nul-terminated xattr list */ + #define FSESS_MNTOPTS_MASK ( \ + FSESS_DAEMON_CAN_SPY | FSESS_PUSH_SYMLINKS_IN | \ + FSESS_DEFAULT_PERMISSIONS | FSESS_INTR) +--- sys/fs/fuse/fuse_vnops.c.orig ++++ sys/fs/fuse/fuse_vnops.c +@@ -2841,8 +2841,8 @@ + * bsd_list, bsd_list_len - output list compatible with bsd vfs + */ + static int +-fuse_xattrlist_convert(char *prefix, const char *list, int list_len, +- char *bsd_list, int *bsd_list_len) ++fuse_xattrlist_convert(struct fuse_data *data, char *prefix, const char *list, ++ int list_len, char *bsd_list, int *bsd_list_len) + { + int len, pos, dist_to_next, prefix_len; + +@@ -2851,7 +2851,14 @@ + prefix_len = strlen(prefix); + + while (pos < list_len && list[pos] != '\0') { +- dist_to_next = strlen(&list[pos]) + 1; ++ dist_to_next = strnlen(&list[pos], list_len - pos - 1) + 1; ++ if (list[pos + dist_to_next - 1] != '\0') { ++ fuse_warn(data, FSESS_WARN_LSEXTATTR_NUL, ++ "The FUSE server returned a non nul-terminated " ++ "LISTXATTR response."); ++ return (EXTERROR(EIO, ++ "The FUSE server returned a malformed list")); ++ } + if (bcmp(&list[pos], prefix, prefix_len) == 0 && + list[pos + prefix_len] == extattr_namespace_separator) { + len = dist_to_next - +@@ -2907,6 +2914,7 @@ + struct fuse_listxattr_in *list_xattr_in; + struct fuse_listxattr_out *list_xattr_out; + struct mount *mp = vnode_mount(vp); ++ struct fuse_data *data = fuse_get_mpdata(mp); + struct thread *td = ap->a_td; + struct ucred *cred = ap->a_cred; + char *prefix; +@@ -2987,8 +2995,6 @@ + linux_list = fdi.answ; + /* FUSE doesn't allow the server to return more data than requested */ + if (fdi.iosize > linux_list_len) { +- struct fuse_data *data = fuse_get_mpdata(mp); +- + fuse_warn(data, FSESS_WARN_LSEXTATTR_LONG, + "server returned " + "more extended attribute data than requested; " +@@ -3005,7 +3011,7 @@ + * FreeBSD's format before giving it to the user. + */ + bsd_list = malloc(linux_list_len, M_TEMP, M_WAITOK); +- err = fuse_xattrlist_convert(prefix, linux_list, linux_list_len, ++ err = fuse_xattrlist_convert(data, prefix, linux_list, linux_list_len, + bsd_list, &bsd_list_len); + if (err != 0) + goto out; +--- tests/sys/fs/fusefs/xattr.cc.orig ++++ tests/sys/fs/fusefs/xattr.cc +@@ -492,6 +492,79 @@ + ASSERT_TRUE(WIFSIGNALED(status)); + } + ++/* ++ * A buggy or malicious server returns a list that isn't nul-terminated. The ++ * kernel should handle it gracefully. ++ */ ++TEST_F(Listxattr, not_nul_terminated) ++{ ++ uint64_t ino = 42; ++ int ns = EXTATTR_NAMESPACE_USER; ++ char *data; ++ const char expected[4] = {3, 'f', 'o', 'o'}; ++ const char first[255] = "user.foo\0system.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ++ const uint8_t badlist[9] = {'u', 's', 'e', 'r', '.', 'f', 'o', 'o', 'd'}; ++ Sequence seq; ++ ++ EXPECT_LOOKUP(FUSE_ROOT_ID, RELPATH) ++ .WillRepeatedly(Invoke( ++ ReturnImmediate([=](auto in __unused, auto& out) { ++ SET_OUT_HEADER_LEN(out, entry); ++ out.body.entry.attr.mode = S_IFREG | 0644; ++ out.body.entry.nodeid = ino; ++ out.body.entry.attr.nlink = 1; ++ out.body.entry.attr_valid = UINT64_MAX; ++ out.body.entry.entry_valid = UINT64_MAX; ++ }))); ++ ++ /* ++ * On the first LISTXATTRS call, return a big attribute just to fill ++ * the heap with non-NUL data. ++ */ ++ expect_listxattr(ino, 0, ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ out.body.listxattr.size = sizeof(first); ++ SET_OUT_HEADER_LEN(out, listxattr); ++ }), &seq ++ ); ++ expect_listxattr(ino, sizeof(first), ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ memcpy((void*)out.body.bytes, first, sizeof(first)); ++ out.header.len = sizeof(fuse_out_header) + sizeof(first); ++ }), &seq ++ ); ++ /* ++ * On the second LISTXATTRS call, return a malformed list with no NUL ++ * termination. The heap might still be full of the data from the ++ * first call. ++ */ ++ expect_listxattr(ino, 0, ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ out.body.listxattr.size = sizeof(badlist); ++ SET_OUT_HEADER_LEN(out, listxattr); ++ }), &seq ++ ); ++ expect_listxattr(ino, sizeof(badlist), ++ ReturnImmediate([&](auto in __unused, auto& out) { ++ memset((void*)out.body.bytes, 'x', sizeof(first)); ++ memcpy((void*)out.body.bytes, badlist, sizeof(badlist)); ++ out.header.len = sizeof(fuse_out_header) + sizeof(badlist); ++ }), &seq ++ ); ++ ++ data = new char[1024]; ++ ++ ASSERT_EQ(static_cast(sizeof(expected)), ++ extattr_list_file(FULLPATH, ns, data, sizeof(data))) ++ << strerror(errno); ++ /* ++ * Receiving this malformed list, the kernel should log it to dmesg and ++ * report an IO error to the caller. ++ */ ++ ASSERT_EQ(-1, extattr_list_file(FULLPATH, ns, data, sizeof(data))); ++ EXPECT_EQ(EIO, errno); ++} ++ + /* + * Get the size of the list that it would take to list no extended attributes + */ diff --git a/website/static/security/patches/SA-26:20/fusefs-15.patch.asc b/website/static/security/patches/SA-26:20/fusefs-15.patch.asc new file mode 100644 index 0000000000..9a7b7393e8 --- /dev/null +++ b/website/static/security/patches/SA-26:20/fusefs-15.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHUbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0+cP/0P7o4+JOhW/CAe6DdQI +90ZMElw9Q/ceD4P63RTby9oFCIG1l+hEMfCeH9CoaRXuTelIrX8g+O5o+9ED3oPc +FpPj/baTFXoq8ZnxoT18ZtGqsF/pjpZlEZx4vFLILjXMnmun9WC7Bw2X51gUxh46 +XoilE/ofXmTebRRn/cslae3DTOBezMPO59QVg+qvdQEzoPxTF6YWtGW+775ZiSEo +i0jxBvTqNe17QKZnjMO5Mr7ZlCAmG10z8ygmWOXbtIyaSSq8I1UKzUBhnq4UUC1E +BW7YtbYBu/ZIG9Wyg4apcN7Rb4krg2J/5wWaZnJYxLNEWM1wTjR1Mg/AFsV/1mav +ueJBEkGRfGcTH/UbCi4nMBTizN18dATdkbQSuffU+BeTLYjylS15nramtI5BJcVa +M2XHMVFHNvQB0bVyRwTXvwXggwSXDnIPeB/k3w+3usyY/xQ66cf5KfaNFZ/MJcRv +hukTFXwRFt5q6Q0Emnt4whti+gn4HQNnfFHJONdXXPU2X05CGGHtg5/qTdm8wLKm +iO8ggc3i/15gAdaPKwkWMwQyifwQ4kNYPttwqkrTz+kyCuhzftHuWNJ+ZRnh+99a +pPNuTMZd9ZOTkjX0DebEbPZD9CZ4qiwquOMnUJ07b6xTa02BHk63D0SDIVl4vV9R +9u08BlmYuNc2zTAFit1MychY +=gqpB +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:21/ptrace-14.3.patch b/website/static/security/patches/SA-26:21/ptrace-14.3.patch new file mode 100644 index 0000000000..1c357dd9e0 --- /dev/null +++ b/website/static/security/patches/SA-26:21/ptrace-14.3.patch @@ -0,0 +1,164 @@ +--- sys/kern/kern_sig.c.orig ++++ sys/kern/kern_sig.c +@@ -2677,23 +2677,26 @@ + struct sysentvec *sv; + struct sysent *se; + register_t rv_saved[2]; ++ unsigned int sc; + int error, nerror; +- int sc; + bool audited, sy_thr_static; + +- sv = p->p_sysent; +- if (sv->sv_table == NULL || sv->sv_size < tsr->ts_sa.code) { +- tsr->ts_ret.sr_error = ENOSYS; +- return; +- } +- + sc = tsr->ts_sa.code; + if (sc == SYS_syscall || sc == SYS___syscall) { ++ if (tsr->ts_nargs == 0) { ++ tsr->ts_ret.sr_error = EINVAL; ++ return; ++ } + sc = tsr->ts_sa.args[0]; + memmove(&tsr->ts_sa.args[0], &tsr->ts_sa.args[1], + sizeof(register_t) * (tsr->ts_nargs - 1)); + } + ++ sv = p->p_sysent; ++ if (sv->sv_table == NULL || sc >= sv->sv_size) { ++ tsr->ts_ret.sr_error = ENOSYS; ++ return; ++ } + tsr->ts_sa.callp = se = &sv->sv_table[sc]; + + VM_CNT_INC(v_syscall); +--- tests/sys/kern/ptrace_test.c.orig ++++ tests/sys/kern/ptrace_test.c +@@ -4363,6 +4363,25 @@ + REQUIRE_EQ(close(pd), 0); + } + ++static void ++pt_sc_remote(pid_t pid, struct ptrace_sc_remote *pscr, int error, ++ syscallarg_t ret) ++{ ++ pid_t wpid; ++ int status; ++ ++ ATF_REQUIRE(ptrace(PT_SC_REMOTE, pid, (caddr_t)pscr, sizeof(*pscr)) != ++ -1); ++ ATF_REQUIRE_EQ(pscr->pscr_ret.sr_error, error); ++ if (error == 0) ++ ATF_REQUIRE_EQ(pscr->pscr_ret.sr_retval[0], ret); ++ ++ wpid = waitpid(pid, &status, 0); ++ REQUIRE_EQ(wpid, pid); ++ ATF_REQUIRE(WIFSTOPPED(status)); ++ REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); ++} ++ + /* + * Try using PT_SC_REMOTE to get the PID of a traced child process. + */ +@@ -4370,8 +4389,7 @@ + ATF_TC_BODY(ptrace__PT_SC_REMOTE_getpid, tc) + { + struct ptrace_sc_remote pscr; +- pid_t fpid, wpid; +- int status; ++ pid_t fpid; + + ATF_REQUIRE((fpid = fork()) != -1); + if (fpid == 0) { +@@ -4384,35 +4402,62 @@ + pscr.pscr_syscall = SYS_getpid; + pscr.pscr_nargs = 0; + pscr.pscr_args = NULL; +- ATF_REQUIRE(ptrace(PT_SC_REMOTE, fpid, (caddr_t)&pscr, sizeof(pscr)) != +- -1); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_error == 0, +- "remote getpid failed with error %d", pscr.pscr_ret.sr_error); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_retval[0] == fpid, +- "unexpected return value %jd instead of %d", +- (intmax_t)pscr.pscr_ret.sr_retval[0], fpid); +- +- wpid = waitpid(fpid, &status, 0); +- REQUIRE_EQ(wpid, fpid); +- ATF_REQUIRE(WIFSTOPPED(status)); +- REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); ++ pt_sc_remote(fpid, &pscr, 0, fpid); + + pscr.pscr_syscall = SYS_getppid; + pscr.pscr_nargs = 0; + pscr.pscr_args = NULL; +- ATF_REQUIRE(ptrace(PT_SC_REMOTE, fpid, (caddr_t)&pscr, sizeof(pscr)) != +- -1); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_error == 0, +- "remote getppid failed with error %d", pscr.pscr_ret.sr_error); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_retval[0] == getpid(), +- "unexpected return value %jd instead of %d", +- (intmax_t)pscr.pscr_ret.sr_retval[0], fpid); ++ pt_sc_remote(fpid, &pscr, 0, getpid()); ++ ++ ATF_REQUIRE(ptrace(PT_DETACH, fpid, (caddr_t)1, 0) != -1); ++} ++ ++ATF_TC_WITHOUT_HEAD(ptrace__PT_SC_REMOTE_syscall_validation); ++ATF_TC_BODY(ptrace__PT_SC_REMOTE_syscall_validation, tc) ++{ ++ struct ptrace_sc_remote pscr; ++ quad_t code; ++ int status; ++ pid_t fpid, wpid; ++ ++ code = SYS_MAXSYSCALL; ++ ++ ATF_REQUIRE((fpid = fork()) != -1); ++ if (fpid == 0) { ++ trace_me(); ++ exit(0); ++ } + + wpid = waitpid(fpid, &status, 0); + REQUIRE_EQ(wpid, fpid); + ATF_REQUIRE(WIFSTOPPED(status)); + REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); + ++ pscr.pscr_syscall = SYS_MAXSYSCALL; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ ++ pscr.pscr_syscall = SYS_syscall; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, EINVAL, 0); ++ ++ pscr.pscr_syscall = SYS_syscall; ++ pscr.pscr_nargs = 1; ++ pscr.pscr_args = (syscallarg_t *)&code; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ ++ pscr.pscr_syscall = SYS___syscall; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, EINVAL, 0); ++ ++ pscr.pscr_syscall = SYS___syscall; ++ pscr.pscr_nargs = 1; ++ pscr.pscr_args = (syscallarg_t *)&code; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ + ATF_REQUIRE(ptrace(PT_DETACH, fpid, (caddr_t)1, 0) != -1); + } + +@@ -4529,6 +4574,7 @@ + ATF_TP_ADD_TC(tp, ptrace__procdesc_wait_child); + ATF_TP_ADD_TC(tp, ptrace__procdesc_reparent_wait_child); + ATF_TP_ADD_TC(tp, ptrace__PT_SC_REMOTE_getpid); ++ ATF_TP_ADD_TC(tp, ptrace__PT_SC_REMOTE_syscall_validation); + ATF_TP_ADD_TC(tp, ptrace__reap_kill_stopped); + + return (atf_no_error()); diff --git a/website/static/security/patches/SA-26:21/ptrace-14.3.patch.asc b/website/static/security/patches/SA-26:21/ptrace-14.3.patch.asc new file mode 100644 index 0000000000..9f47bb999a --- /dev/null +++ b/website/static/security/patches/SA-26:21/ptrace-14.3.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHgbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvlAMP/10MF70q2uwHdVYqJ8R8 +LNy+2BJDPiPerGbCnbjqtD8ciDAvMRMD6413kMyOrfpMQePSUwyz2y7ByxJPOeca +xkzoCebhuwpf6iXZJQa86OyTR64hDBbGLl4SF9r8Kmd9icSm79AQXmYxRoXeqsJX +x/DHY2q08M2nclIAggF6c10zLvtPdOmJNVTvMcFeEt+gsV6RwRIbvk+5nYLMIBlU ++SQ9M/Q0mYuAlEUZAqtJOPC2iOoetyO6arBr76RhBOB6nxced60QrKZLY/sRdBaE +TTpdkWV5O/E8lj8IbSwzZx8saHo/BS5mT9yJivbDrFSQ6oLds0SZEtGOkXWFLfCR +/aLnp6vypCIWcJ/BkS5hfqP3sAw4nTuGBD9EtG4tdcqV+ys2NFT6vIOo2oJTKuys +JcYmGs1lP0a9iT2DM3SOW1C6CIU/mDmpeZ1uJv11a9ZUo4KSQA7WJhm4NpSke5AP +7+omM3heH+RWzgbysrPywHGIygzWFzhWi6lrE/ys8OC7mHizR+B3DAAhAmdAKa7k +AQMeIIghg5NphPYO8/tBml1QJ3q6oHp4ohkPIppmiI3M3nUxJH3yb/S9klnM3CM4 +pwCYTQn/ph8519OFr4Hjn/RylZvjmdoIthwImZlX2xfyMhZoWFlFRAg+MzR784Yy +FDCL4ifSXzPjx9xqeryZ61fk +=vTiT +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:21/ptrace-14.4.patch b/website/static/security/patches/SA-26:21/ptrace-14.4.patch new file mode 100644 index 0000000000..0dd7cdc3a3 --- /dev/null +++ b/website/static/security/patches/SA-26:21/ptrace-14.4.patch @@ -0,0 +1,154 @@ +--- sys/kern/kern_sig.c.orig ++++ sys/kern/kern_sig.c +@@ -2692,23 +2692,26 @@ + struct sysentvec *sv; + struct sysent *se; + register_t rv_saved[2]; ++ unsigned int sc; + int error, nerror; +- int sc; + bool audited, sy_thr_static; + +- sv = p->p_sysent; +- if (sv->sv_table == NULL || sv->sv_size < tsr->ts_sa.code) { +- tsr->ts_ret.sr_error = ENOSYS; +- return; +- } +- + sc = tsr->ts_sa.code; + if (sc == SYS_syscall || sc == SYS___syscall) { ++ if (tsr->ts_nargs == 0) { ++ tsr->ts_ret.sr_error = EINVAL; ++ return; ++ } + sc = tsr->ts_sa.args[0]; + memmove(&tsr->ts_sa.args[0], &tsr->ts_sa.args[1], + sizeof(register_t) * (tsr->ts_nargs - 1)); + } + ++ sv = p->p_sysent; ++ if (sv->sv_table == NULL || sc >= sv->sv_size) { ++ tsr->ts_ret.sr_error = ENOSYS; ++ return; ++ } + tsr->ts_sa.callp = se = &sv->sv_table[sc]; + + VM_CNT_INC(v_syscall); +--- tests/sys/kern/ptrace_test.c.orig ++++ tests/sys/kern/ptrace_test.c +@@ -4363,6 +4363,25 @@ + REQUIRE_EQ(close(pd), 0); + } + ++static void ++pt_sc_remote(pid_t pid, struct ptrace_sc_remote *pscr, int error, ++ syscallarg_t ret) ++{ ++ pid_t wpid; ++ int status; ++ ++ ATF_REQUIRE(ptrace(PT_SC_REMOTE, pid, (caddr_t)pscr, sizeof(*pscr)) != ++ -1); ++ ATF_REQUIRE_EQ(pscr->pscr_ret.sr_error, error); ++ if (error == 0) ++ ATF_REQUIRE_EQ(pscr->pscr_ret.sr_retval[0], ret); ++ ++ wpid = waitpid(pid, &status, 0); ++ REQUIRE_EQ(wpid, pid); ++ ATF_REQUIRE(WIFSTOPPED(status)); ++ REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); ++} ++ + /* + * Try using PT_SC_REMOTE to get the PID of a traced child process. + */ +@@ -4387,35 +4406,62 @@ + pscr.pscr_syscall = SYS_getpid; + pscr.pscr_nargs = 0; + pscr.pscr_args = NULL; +- ATF_REQUIRE(ptrace(PT_SC_REMOTE, fpid, (caddr_t)&pscr, sizeof(pscr)) != +- -1); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_error == 0, +- "remote getpid failed with error %d", pscr.pscr_ret.sr_error); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_retval[0] == fpid, +- "unexpected return value %jd instead of %d", +- (intmax_t)pscr.pscr_ret.sr_retval[0], fpid); +- +- wpid = waitpid(fpid, &status, 0); +- REQUIRE_EQ(wpid, fpid); +- ATF_REQUIRE(WIFSTOPPED(status)); +- REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); ++ pt_sc_remote(fpid, &pscr, 0, fpid); + + pscr.pscr_syscall = SYS_getppid; + pscr.pscr_nargs = 0; + pscr.pscr_args = NULL; +- ATF_REQUIRE(ptrace(PT_SC_REMOTE, fpid, (caddr_t)&pscr, sizeof(pscr)) != +- -1); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_error == 0, +- "remote getppid failed with error %d", pscr.pscr_ret.sr_error); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_retval[0] == getpid(), +- "unexpected return value %jd instead of %d", +- (intmax_t)pscr.pscr_ret.sr_retval[0], fpid); ++ pt_sc_remote(fpid, &pscr, 0, getpid()); ++ ++ ATF_REQUIRE(ptrace(PT_DETACH, fpid, (caddr_t)1, 0) != -1); ++} ++ ++ATF_TC_WITHOUT_HEAD(ptrace__PT_SC_REMOTE_syscall_validation); ++ATF_TC_BODY(ptrace__PT_SC_REMOTE_syscall_validation, tc) ++{ ++ struct ptrace_sc_remote pscr; ++ quad_t code; ++ int status; ++ pid_t fpid, wpid; ++ ++ code = SYS_MAXSYSCALL; ++ ++ ATF_REQUIRE((fpid = fork()) != -1); ++ if (fpid == 0) { ++ trace_me(); ++ exit(0); ++ } + + wpid = waitpid(fpid, &status, 0); + REQUIRE_EQ(wpid, fpid); + ATF_REQUIRE(WIFSTOPPED(status)); + REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); + ++ pscr.pscr_syscall = SYS_MAXSYSCALL; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ ++ pscr.pscr_syscall = SYS_syscall; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, EINVAL, 0); ++ ++ pscr.pscr_syscall = SYS_syscall; ++ pscr.pscr_nargs = 1; ++ pscr.pscr_args = (syscallarg_t *)&code; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ ++ pscr.pscr_syscall = SYS___syscall; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, EINVAL, 0); ++ ++ pscr.pscr_syscall = SYS___syscall; ++ pscr.pscr_nargs = 1; ++ pscr.pscr_args = (syscallarg_t *)&code; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ + ATF_REQUIRE(ptrace(PT_DETACH, fpid, (caddr_t)1, 0) != -1); + } + +@@ -4658,6 +4704,7 @@ + ATF_TP_ADD_TC(tp, ptrace__procdesc_wait_child); + ATF_TP_ADD_TC(tp, ptrace__procdesc_reparent_wait_child); + ATF_TP_ADD_TC(tp, ptrace__PT_SC_REMOTE_getpid); ++ ATF_TP_ADD_TC(tp, ptrace__PT_SC_REMOTE_syscall_validation); + ATF_TP_ADD_TC(tp, ptrace__reap_kill_stopped); + ATF_TP_ADD_TC(tp, ptrace__PT_ATTACH_no_EINTR); + ATF_TP_ADD_TC(tp, ptrace__PT_DETACH_continued); diff --git a/website/static/security/patches/SA-26:21/ptrace-14.4.patch.asc b/website/static/security/patches/SA-26:21/ptrace-14.4.patch.asc new file mode 100644 index 0000000000..7b82a1c802 --- /dev/null +++ b/website/static/security/patches/SA-26:21/ptrace-14.4.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHkbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrviIQP/0J+7WsDP2sa3qN/bPca +m6rVHn83Jo8wnPSaUwUHqiWWCsXZBKSWpMcUneQoknmqArC7l2SNPAhXv3EH01fi +ot63ojivc6/Fi0LPhnLC0XSvOePelm9EAkIuYny106q4mWDO0AQIKLks8AMWyJF7 +nEqUzVkXegoasWYmcS+9s0ddS+mVZdNm9Ajd+7gohX2T1/SK3FgIdJMZaDLx4cUV +3B+44iS557PZLTpEjBSESxVM9132HFY16Fz3HUI6i+Cohrnip9KmSAFbutqmKARa +08xfFDGeuLgkxZJFoiBmF9o3QxiutRlTeGl3l2A2WIKkMuIf4UtEMMaD+9KrMIpP +idi0Sa9utRVc1TKRg2hjb2121b7ZAM3SaCvBbunBmV8Kv051sVRcoElG4QsmZgxf +4rwpSBLQdtIBTjvSwhzTwnPJLcb6Lehb2ntZ55NDelSru/3DODEX7oKqKfst3Bgv +QM+L/UYmedbb9qCe58tCgXOE9GEXn8pL7URUT7zv0zf6nX+Tc4viS9TO8lG65wU6 +c8/QnDt9kxts6/Nzfe5JAnSMxPLExuc7Cka6n625nB0L/q81rCvWISwUpJFa49in +mbeuih5Jggpn/kZ+ifFQIpK59rpHShzumTdIWMZubJOSALjpAXFynvC1si/k/W6/ +xxi7tyKq1Tb/SRsXWk4ChxNZ +=c4Yi +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:21/ptrace-15.patch b/website/static/security/patches/SA-26:21/ptrace-15.patch new file mode 100644 index 0000000000..97f0d5f84c --- /dev/null +++ b/website/static/security/patches/SA-26:21/ptrace-15.patch @@ -0,0 +1,154 @@ +--- sys/kern/kern_sig.c.orig ++++ sys/kern/kern_sig.c +@@ -2678,23 +2678,26 @@ + struct sysentvec *sv; + struct sysent *se; + register_t rv_saved[2]; ++ unsigned int sc; + int error, nerror; +- int sc; + bool audited, sy_thr_static; + +- sv = p->p_sysent; +- if (sv->sv_table == NULL || sv->sv_size < tsr->ts_sa.code) { +- tsr->ts_ret.sr_error = ENOSYS; +- return; +- } +- + sc = tsr->ts_sa.code; + if (sc == SYS_syscall || sc == SYS___syscall) { ++ if (tsr->ts_nargs == 0) { ++ tsr->ts_ret.sr_error = EINVAL; ++ return; ++ } + sc = tsr->ts_sa.args[0]; + memmove(&tsr->ts_sa.args[0], &tsr->ts_sa.args[1], + sizeof(register_t) * (tsr->ts_nargs - 1)); + } + ++ sv = p->p_sysent; ++ if (sv->sv_table == NULL || sc >= sv->sv_size) { ++ tsr->ts_ret.sr_error = ENOSYS; ++ return; ++ } + tsr->ts_sa.callp = se = &sv->sv_table[sc]; + + VM_CNT_INC(v_syscall); +--- tests/sys/kern/ptrace_test.c.orig ++++ tests/sys/kern/ptrace_test.c +@@ -4362,6 +4362,25 @@ + REQUIRE_EQ(close(pd), 0); + } + ++static void ++pt_sc_remote(pid_t pid, struct ptrace_sc_remote *pscr, int error, ++ syscallarg_t ret) ++{ ++ pid_t wpid; ++ int status; ++ ++ ATF_REQUIRE(ptrace(PT_SC_REMOTE, pid, (caddr_t)pscr, sizeof(*pscr)) != ++ -1); ++ ATF_REQUIRE_EQ(pscr->pscr_ret.sr_error, error); ++ if (error == 0) ++ ATF_REQUIRE_EQ(pscr->pscr_ret.sr_retval[0], ret); ++ ++ wpid = waitpid(pid, &status, 0); ++ REQUIRE_EQ(wpid, pid); ++ ATF_REQUIRE(WIFSTOPPED(status)); ++ REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); ++} ++ + /* + * Try using PT_SC_REMOTE to get the PID of a traced child process. + */ +@@ -4386,35 +4405,62 @@ + pscr.pscr_syscall = SYS_getpid; + pscr.pscr_nargs = 0; + pscr.pscr_args = NULL; +- ATF_REQUIRE(ptrace(PT_SC_REMOTE, fpid, (caddr_t)&pscr, sizeof(pscr)) != +- -1); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_error == 0, +- "remote getpid failed with error %d", pscr.pscr_ret.sr_error); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_retval[0] == fpid, +- "unexpected return value %jd instead of %d", +- (intmax_t)pscr.pscr_ret.sr_retval[0], fpid); +- +- wpid = waitpid(fpid, &status, 0); +- REQUIRE_EQ(wpid, fpid); +- ATF_REQUIRE(WIFSTOPPED(status)); +- REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); ++ pt_sc_remote(fpid, &pscr, 0, fpid); + + pscr.pscr_syscall = SYS_getppid; + pscr.pscr_nargs = 0; + pscr.pscr_args = NULL; +- ATF_REQUIRE(ptrace(PT_SC_REMOTE, fpid, (caddr_t)&pscr, sizeof(pscr)) != +- -1); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_error == 0, +- "remote getppid failed with error %d", pscr.pscr_ret.sr_error); +- ATF_REQUIRE_MSG(pscr.pscr_ret.sr_retval[0] == getpid(), +- "unexpected return value %jd instead of %d", +- (intmax_t)pscr.pscr_ret.sr_retval[0], fpid); ++ pt_sc_remote(fpid, &pscr, 0, getpid()); ++ ++ ATF_REQUIRE(ptrace(PT_DETACH, fpid, (caddr_t)1, 0) != -1); ++} ++ ++ATF_TC_WITHOUT_HEAD(ptrace__PT_SC_REMOTE_syscall_validation); ++ATF_TC_BODY(ptrace__PT_SC_REMOTE_syscall_validation, tc) ++{ ++ struct ptrace_sc_remote pscr; ++ quad_t code; ++ int status; ++ pid_t fpid, wpid; ++ ++ code = SYS_MAXSYSCALL; ++ ++ ATF_REQUIRE((fpid = fork()) != -1); ++ if (fpid == 0) { ++ trace_me(); ++ exit(0); ++ } + + wpid = waitpid(fpid, &status, 0); + REQUIRE_EQ(wpid, fpid); + ATF_REQUIRE(WIFSTOPPED(status)); + REQUIRE_EQ(WSTOPSIG(status), SIGSTOP); + ++ pscr.pscr_syscall = SYS_MAXSYSCALL; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ ++ pscr.pscr_syscall = SYS_syscall; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, EINVAL, 0); ++ ++ pscr.pscr_syscall = SYS_syscall; ++ pscr.pscr_nargs = 1; ++ pscr.pscr_args = (syscallarg_t *)&code; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ ++ pscr.pscr_syscall = SYS___syscall; ++ pscr.pscr_nargs = 0; ++ pscr.pscr_args = NULL; ++ pt_sc_remote(fpid, &pscr, EINVAL, 0); ++ ++ pscr.pscr_syscall = SYS___syscall; ++ pscr.pscr_nargs = 1; ++ pscr.pscr_args = (syscallarg_t *)&code; ++ pt_sc_remote(fpid, &pscr, ENOSYS, 0); ++ + ATF_REQUIRE(ptrace(PT_DETACH, fpid, (caddr_t)1, 0) != -1); + } + +@@ -4657,6 +4703,7 @@ + ATF_TP_ADD_TC(tp, ptrace__procdesc_wait_child); + ATF_TP_ADD_TC(tp, ptrace__procdesc_reparent_wait_child); + ATF_TP_ADD_TC(tp, ptrace__PT_SC_REMOTE_getpid); ++ ATF_TP_ADD_TC(tp, ptrace__PT_SC_REMOTE_syscall_validation); + ATF_TP_ADD_TC(tp, ptrace__reap_kill_stopped); + ATF_TP_ADD_TC(tp, ptrace__PT_ATTACH_no_EINTR); + ATF_TP_ADD_TC(tp, ptrace__PT_DETACH_continued); diff --git a/website/static/security/patches/SA-26:21/ptrace-15.patch.asc b/website/static/security/patches/SA-26:21/ptrace-15.patch.asc new file mode 100644 index 0000000000..609bfc84b7 --- /dev/null +++ b/website/static/security/patches/SA-26:21/ptrace-15.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHobFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv+mIP/jrd2IsNHPhHsbnSjg16 +fbLtDSzIBAA5NT8ELxD21EvUVrQlIIakjdxmBs9GyssUDQMWdhXJvVUg+Buk0WPo +U6sLJU8KfA1r8R3BVvwQVUilIOZd3rbf2p8v+SnilKxLtHThm0N8N05og4k9J4wj +sbN5cXapiaLeQlrGD9e7qDQRTrxO9XG4qxvipUtjgGqgOPxhfAvPxylieWrQwr80 +V+wpX/gbGLr8psmwYk/4XNkd4tHI4OguNzyOaCgMfcb16AueQBxzgkexlZ1GIxgY +VF8LMr8w/Qfh2ukjTtgvpKJ8G7TDqoZTxqs+c3mxuW66AxX20x8i+WRlo4X0VTjm +lTd77Fejoyff6DI8yIDmTaCblX2OLyZFsoi8cY3TRkK6BVDvW08bSE3ztZZwJO4e +oFVZsONII8GBTRf2yjhOxLaJpheRsff75AqSwTpy8w9XkqQ70n7K8OUsWmHTN2VK +ZpCMGIu6tX7ShxnigVrA3o0O30fg3VuvVqnsbyA7jDyjzUjpywwd12zcQ+0eZz8U +1i2XH/hmZ+0dxArVB19QQ/I2vBSQvqYdRxwmitVOWpxZLWWr6FDLMS8BumHXn2IN +oNbDdiClPyW7+CpJzfrxA5kcnZsBF/aBi/xRZtV/xof4M5LhYDYzbdDWJYgEmW4p +JSVYiYuiRnJmeWi01UJYGWr6 +=I125 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:22/libcasper-14.patch b/website/static/security/patches/SA-26:22/libcasper-14.patch new file mode 100644 index 0000000000..7cddb28b48 --- /dev/null +++ b/website/static/security/patches/SA-26:22/libcasper-14.patch @@ -0,0 +1,539 @@ +--- lib/libcasper/libcasper/libcasper_impl.h.orig ++++ lib/libcasper/libcasper/libcasper_impl.h +@@ -54,6 +54,8 @@ + void service_start(struct service *service, int sock, int procfd); + const char *service_name(struct service *service); + int service_get_channel_flags(struct service *service); ++bool service_have_connections(void); ++bool service_poll_dispatch(void); + + /* Private service connection functions. */ + struct service_connection *service_connection_add(struct service *service, +@@ -64,10 +66,6 @@ + int service_connection_clone( + struct service *service, + struct service_connection *sconn); +-struct service_connection *service_connection_first( +- struct service *service); +-struct service_connection *service_connection_next( +- struct service_connection *sconn); + cap_channel_t *service_connection_get_chan( + const struct service_connection *sconn); + int service_connection_get_sock( +--- lib/libcasper/libcasper/libcasper_service.c.orig ++++ lib/libcasper/libcasper/libcasper_service.c +@@ -223,10 +223,6 @@ + void + casper_main_loop(int fd) + { +- fd_set fds; +- struct casper_service *casserv; +- struct service_connection *sconn, *sconntmp; +- int sock, maxfd, ret; + + if (zygote_init() < 0) + _exit(1); +@@ -236,55 +232,10 @@ + */ + service_register_core(fd); + +- for (;;) { +- FD_ZERO(&fds); +- FD_SET(fd, &fds); +- maxfd = -1; +- TAILQ_FOREACH(casserv, &casper_services, cs_next) { +- /* We handle only core services. */ +- if (!CSERVICE_IS_CORE(casserv)) +- continue; +- for (sconn = service_connection_first(casserv->cs_service); +- sconn != NULL; +- sconn = service_connection_next(sconn)) { +- sock = service_connection_get_sock(sconn); +- FD_SET(sock, &fds); +- maxfd = sock > maxfd ? sock : maxfd; +- } +- } +- if (maxfd == -1) { +- /* Nothing to do. */ +- _exit(0); +- } +- maxfd++; +- +- +- assert(maxfd <= (int)FD_SETSIZE); +- ret = select(maxfd, &fds, NULL, NULL, NULL); +- assert(ret == -1 || ret > 0); /* select() cannot timeout */ +- if (ret == -1) { +- if (errno == EINTR) +- continue; ++ while (service_have_connections()) { ++ if (!service_poll_dispatch()) + _exit(1); +- } +- +- TAILQ_FOREACH(casserv, &casper_services, cs_next) { +- /* We handle only core services. */ +- if (!CSERVICE_IS_CORE(casserv)) +- continue; +- for (sconn = service_connection_first(casserv->cs_service); +- sconn != NULL; sconn = sconntmp) { +- /* +- * Prepare for connection to be removed from +- * the list on failure. +- */ +- sconntmp = service_connection_next(sconn); +- sock = service_connection_get_sock(sconn); +- if (FD_ISSET(sock, &fds)) { +- service_message(casserv->cs_service, +- sconn); +- } +- } +- } + } ++ ++ _exit(0); + } +--- lib/libcasper/libcasper/service.c.orig ++++ lib/libcasper/libcasper/service.c +@@ -30,8 +30,7 @@ + * SUCH DAMAGE. + */ + +-#include +-#include ++#include + #include + #include + #include +@@ -42,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -72,7 +72,8 @@ + int sc_magic; + cap_channel_t *sc_chan; + nvlist_t *sc_limits; +- TAILQ_ENTRY(service_connection) sc_next; ++ struct service *sc_service; ++ size_t sc_pollidx; + }; + + #define SERVICE_MAGIC 0x5e91ce +@@ -82,9 +83,90 @@ + uint64_t s_flags; + service_limit_func_t *s_limit; + service_command_func_t *s_command; +- TAILQ_HEAD(, service_connection) s_connections; + }; + ++#define POLLSET_CHUNK 8 ++static struct pollfd *pollset_pfds; ++static struct service_connection **pollset_conns; ++static size_t pollset_cap; ++static size_t pollset_size; ++ ++static int ++pollset_add(struct service_connection *sconn, int sock) ++{ ++ size_t i, newcap; ++ void *p; ++ ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_pfds[i].fd < 0) ++ break; ++ } ++ if (i == pollset_size) { ++ newcap = roundup2(pollset_size + 1, POLLSET_CHUNK); ++ if (newcap > pollset_cap) { ++ p = reallocarray(pollset_pfds, newcap, ++ sizeof(*pollset_pfds)); ++ if (p == NULL) ++ return (-1); ++ pollset_pfds = p; ++ p = reallocarray(pollset_conns, newcap, ++ sizeof(*pollset_conns)); ++ if (p == NULL) ++ return (-1); ++ pollset_conns = p; ++ pollset_cap = newcap; ++ } ++ pollset_size++; ++ } ++ pollset_pfds[i].fd = sock; ++ pollset_pfds[i].events = POLLIN; ++ pollset_pfds[i].revents = 0; ++ pollset_conns[i] = sconn; ++ sconn->sc_pollidx = i; ++ return (0); ++} ++ ++static void ++pollset_remove(struct service_connection *sconn) ++{ ++ ++ pollset_pfds[sconn->sc_pollidx].fd = -1; ++ pollset_conns[sconn->sc_pollidx] = NULL; ++} ++ ++bool ++service_have_connections(void) ++{ ++ size_t i; ++ ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_pfds[i].fd >= 0) ++ return (true); ++ } ++ return (false); ++} ++ ++bool ++service_poll_dispatch(void) ++{ ++ size_t i; ++ int ret; ++ ++ do { ++ ret = poll(pollset_pfds, pollset_size, -1); ++ } while (ret == -1 && errno == EINTR); ++ if (ret == -1) ++ return (false); ++ ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_pfds[i].revents == 0) ++ continue; ++ service_message(pollset_conns[i]->sc_service, ++ pollset_conns[i]); ++ } ++ return (true); ++} ++ + struct service * + service_alloc(const char *name, service_limit_func_t *limitfunc, + service_command_func_t *commandfunc, uint64_t flags) +@@ -102,7 +184,6 @@ + service->s_limit = limitfunc; + service->s_command = commandfunc; + service->s_flags = flags; +- TAILQ_INIT(&service->s_connections); + service->s_magic = SERVICE_MAGIC; + + return (service); +@@ -111,13 +192,16 @@ + void + service_free(struct service *service) + { +- struct service_connection *sconn; ++ size_t i; + + assert(service->s_magic == SERVICE_MAGIC); + + service->s_magic = 0; +- while ((sconn = service_connection_first(service)) != NULL) +- service_connection_remove(service, sconn); ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_conns[i] != NULL && ++ pollset_conns[i]->sc_service == service) ++ service_connection_remove(service, pollset_conns[i]); ++ } + free(service->s_name); + free(service); + } +@@ -154,8 +238,16 @@ + return (NULL); + } + } ++ sconn->sc_service = service; ++ if (pollset_add(sconn, sock) == -1) { ++ serrno = errno; ++ nvlist_destroy(sconn->sc_limits); ++ (void)cap_unwrap(sconn->sc_chan, NULL); ++ free(sconn); ++ errno = serrno; ++ return (NULL); ++ } + sconn->sc_magic = SERVICE_CONNECTION_MAGIC; +- TAILQ_INSERT_TAIL(&service->s_connections, sconn, sc_next); + return (sconn); + } + +@@ -167,7 +259,7 @@ + assert(service->s_magic == SERVICE_MAGIC); + assert(sconn->sc_magic == SERVICE_CONNECTION_MAGIC); + +- TAILQ_REMOVE(&service->s_connections, sconn, sc_next); ++ pollset_remove(sconn); + sconn->sc_magic = 0; + nvlist_destroy(sconn->sc_limits); + cap_close(sconn->sc_chan); +@@ -197,31 +289,6 @@ + return (sock[1]); + } + +-struct service_connection * +-service_connection_first(struct service *service) +-{ +- struct service_connection *sconn; +- +- assert(service->s_magic == SERVICE_MAGIC); +- +- sconn = TAILQ_FIRST(&service->s_connections); +- assert(sconn == NULL || +- sconn->sc_magic == SERVICE_CONNECTION_MAGIC); +- return (sconn); +-} +- +-struct service_connection * +-service_connection_next(struct service_connection *sconn) +-{ +- +- assert(sconn->sc_magic == SERVICE_CONNECTION_MAGIC); +- +- sconn = TAILQ_NEXT(sconn, sc_next); +- assert(sconn == NULL || +- sconn->sc_magic == SERVICE_CONNECTION_MAGIC); +- return (sconn); +-} +- + cap_channel_t * + service_connection_get_chan(const struct service_connection *sconn) + { +@@ -330,14 +397,6 @@ + nvlist_destroy(nvlout); + } + +-static int +-fd_add(fd_set *fdsp, int maxfd, int fd) +-{ +- +- FD_SET(fd, fdsp); +- return (fd > maxfd ? fd : maxfd); +-} +- + const char * + service_name(struct service *service) + { +@@ -418,9 +477,6 @@ + void + service_start(struct service *service, int sock, int procfd) + { +- struct service_connection *sconn, *sconntmp; +- fd_set fds; +- int maxfd, nfds; + + assert(service != NULL); + assert(service->s_magic == SERVICE_MAGIC); +@@ -430,43 +486,9 @@ + if (service_connection_add(service, sock, NULL) == NULL) + _exit(1); + +- for (;;) { +- FD_ZERO(&fds); +- maxfd = -1; +- for (sconn = service_connection_first(service); sconn != NULL; +- sconn = service_connection_next(sconn)) { +- maxfd = fd_add(&fds, maxfd, +- service_connection_get_sock(sconn)); +- } +- +- assert(maxfd >= 0); +- assert(maxfd + 1 <= (int)FD_SETSIZE); +- nfds = select(maxfd + 1, &fds, NULL, NULL, NULL); +- if (nfds < 0) { +- if (errno != EINTR) +- _exit(1); +- continue; +- } else if (nfds == 0) { +- /* Timeout. */ +- abort(); +- } +- +- for (sconn = service_connection_first(service); sconn != NULL; +- sconn = sconntmp) { +- /* +- * Prepare for connection to be removed from the list +- * on failure. +- */ +- sconntmp = service_connection_next(sconn); +- if (FD_ISSET(service_connection_get_sock(sconn), &fds)) +- service_message(service, sconn); +- } +- if (service_connection_first(service) == NULL) { +- /* +- * No connections left, exiting. +- */ +- break; +- } ++ while (service_have_connections()) { ++ if (!service_poll_dispatch()) ++ _exit(1); + } + + _exit(0); +--- lib/libcasper/tests/Makefile.orig ++++ lib/libcasper/tests/Makefile +@@ -1,5 +1,13 @@ ++.include + +-.PATH: ${SRCTOP}/tests +-KYUAFILE= yes ++PACKAGE= tests ++ ++ATF_TESTS_C= cap_main_test ++ ++.if ${MK_CASPER} != "no" ++LIBADD+= casper ++CFLAGS+= -DWITH_CASPER ++.endif ++LIBADD+= nv + + .include +--- /dev/null ++++ lib/libcasper/tests/cap_main_test.c +@@ -0,0 +1,142 @@ ++/*- ++ * SPDX-License-Identifier: BSD-2-Clause ++ * ++ * Copyright (c) 2026 Mariusz Zaborski ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++#define NCONNECTIONS (FD_SETSIZE + 64) ++#define FD_HEADROOM 64 ++ ++/* Test that file descriptors past FD_SETSIZE (1024) work. */ ++ATF_TC_WITHOUT_HEAD(many_connections); ++ATF_TC_BODY(many_connections, tc) ++{ ++ struct rlimit rl; ++ cap_channel_t *chan; ++ cap_channel_t **clones; ++ size_t i; ++ ++ if (getrlimit(RLIMIT_NOFILE, &rl) != 0) ++ atf_tc_skip("getrlimit: %s", strerror(errno)); ++ if (rl.rlim_max < NCONNECTIONS + FD_HEADROOM) ++ atf_tc_skip("RLIMIT_NOFILE hard cap %ju below required %d", ++ (uintmax_t)rl.rlim_max, NCONNECTIONS + FD_HEADROOM); ++ rl.rlim_cur = rl.rlim_max; ++ ATF_REQUIRE_MSG(setrlimit(RLIMIT_NOFILE, &rl) == 0, ++ "setrlimit: %s", strerror(errno)); ++ ++ chan = cap_init(); ++ ATF_REQUIRE_MSG(chan != NULL, "cap_init failed: %s", strerror(errno)); ++ ++ clones = calloc(NCONNECTIONS, sizeof(*clones)); ++ ATF_REQUIRE(clones != NULL); ++ ++ /* ++ * Every cap_clone(3) adds one more connection to the helper. ++ * After this loop the helper is watching more fds than an ++ * fd_set can hold. ++ */ ++ for (i = 0; i < NCONNECTIONS; i++) { ++ clones[i] = cap_clone(chan); ++ ATF_REQUIRE_MSG(clones[i] != NULL, ++ "cap_clone failed at %zu/%d: %s", ++ i, NCONNECTIONS, strerror(errno)); ++ } ++ ++ for (i = 0; i < NCONNECTIONS; i++) ++ cap_close(clones[i]); ++ free(clones); ++ cap_close(chan); ++} ++ ++#define CHURN_CONNECTIONS 50 ++#define CHURN_CLOSE_STEP 5 ++ ++/* Test that gaps in the file descriptor list do not break casper. */ ++ATF_TC_WITHOUT_HEAD(connection_churn); ++ATF_TC_BODY(connection_churn, tc) ++{ ++ cap_channel_t *chan, *survivor, *extra; ++ cap_channel_t *clones[CHURN_CONNECTIONS]; ++ size_t i, survivor_idx; ++ ++ chan = cap_init(); ++ ATF_REQUIRE_MSG(chan != NULL, "cap_init failed: %s", strerror(errno)); ++ ++ for (i = 0; i < CHURN_CONNECTIONS; i++) { ++ clones[i] = cap_clone(chan); ++ ATF_REQUIRE_MSG(clones[i] != NULL, ++ "cap_clone failed at %zu: %s", i, strerror(errno)); ++ } ++ ++ /* ++ * Close every Nth clone. ++ */ ++ for (i = 0; i < CHURN_CONNECTIONS; i += CHURN_CLOSE_STEP) { ++ cap_close(clones[i]); ++ clones[i] = NULL; ++ } ++ ++ /* ++ * Force a poll() cycle: the helper handles POLLIN on chan and ++ * POLLHUP on the closed clones in the same walk. ++ */ ++ extra = cap_clone(chan); ++ ATF_REQUIRE_MSG(extra != NULL, "cap_clone after churn failed: %s", ++ strerror(errno)); ++ ++ /* A surviving clone must still round-trip. */ ++ survivor_idx = 1; ++ survivor = cap_clone(clones[survivor_idx]); ++ ATF_REQUIRE_MSG(survivor != NULL, ++ "cap_clone on survivor failed: %s", strerror(errno)); ++ ++ cap_close(survivor); ++ cap_close(extra); ++ for (i = 0; i < CHURN_CONNECTIONS; i++) { ++ if (clones[i] != NULL) ++ cap_close(clones[i]); ++ } ++ cap_close(chan); ++} ++ ++ATF_TP_ADD_TCS(tp) ++{ ++ ++ ATF_TP_ADD_TC(tp, many_connections); ++ ATF_TP_ADD_TC(tp, connection_churn); ++ return (atf_no_error()); ++} diff --git a/website/static/security/patches/SA-26:22/libcasper-14.patch.asc b/website/static/security/patches/SA-26:22/libcasper-14.patch.asc new file mode 100644 index 0000000000..1754ed5247 --- /dev/null +++ b/website/static/security/patches/SA-26:22/libcasper-14.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKH0bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvE1wQAIFN2hAU+76Vf5P6J1w9 +ERxUl9XWB+9e+KCvpJzVprwpM6sLm3/04snX5J3dk3/GJ7ngYEmwO0K8fqF8pqTI +N040UkRk0pIdNPmfzrGZO7vbPhdJeLgiCozzS4x8NLVY297S7pD7chLqw42noJlu +qZ+RLbaBz+5jeyLnO5y4x40GYuUrQPkD3ksRMr9MXDrN/VJZp48mEBc5fpTe+dTG +Ina5PB33C70V/Hu7KtPYCvEMhT139ZY/X6zBXJWkFac+yy5Iw5XpQGgtxmiU53ti +Rfjg1h3lC/mQD1lIvdDBXxhwASqbiqKLBjtl2j+HJbXTw6F1STHr3fl2stPcRu5O +e4cTEfULoraVKhvUa2/rVc3O9UiWT6ttJeqiLSFLMPje+EzsRRPv7BURIgjCX4ZO +XbaAS0lPr49tqhDssSN8V4EUaRe4cJm1/bB+1xydpEKmm/5lbvQyA3GMyKau4jEH +85/E6d6oi0LOK4o5V89tSo0kNiozWHe/uHcZqLCS0FNHtjAhrky+EynKlBD8aQED +IA+O1RJnFENxG8R6aC290KCDupYG3LBxXavYxm8RA5fIStvQX2srpRoUuCAEh9Dr +Nwv+nHZZK4yRssf04uwurf/3SUvuOt06fCkzkQxdFByxgjEVFw2LukYaIExtVYH8 +czK6p++bNvfTzQNAx+Mx/4zS +=hxFw +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:22/libcasper-15.patch b/website/static/security/patches/SA-26:22/libcasper-15.patch new file mode 100644 index 0000000000..fa89b524a3 --- /dev/null +++ b/website/static/security/patches/SA-26:22/libcasper-15.patch @@ -0,0 +1,538 @@ +--- lib/libcasper/libcasper/libcasper_impl.h.orig ++++ lib/libcasper/libcasper/libcasper_impl.h +@@ -54,6 +54,8 @@ + void service_start(struct service *service, int sock, int procfd); + const char *service_name(struct service *service); + int service_get_channel_flags(struct service *service); ++bool service_have_connections(void); ++bool service_poll_dispatch(void); + + /* Private service connection functions. */ + struct service_connection *service_connection_add(struct service *service, +@@ -64,10 +66,6 @@ + int service_connection_clone( + struct service *service, + struct service_connection *sconn); +-struct service_connection *service_connection_first( +- struct service *service); +-struct service_connection *service_connection_next( +- struct service_connection *sconn); + cap_channel_t *service_connection_get_chan( + const struct service_connection *sconn); + int service_connection_get_sock( +--- lib/libcasper/libcasper/libcasper_service.c.orig ++++ lib/libcasper/libcasper/libcasper_service.c +@@ -222,10 +222,6 @@ + void + casper_main_loop(int fd) + { +- fd_set fds; +- struct casper_service *casserv; +- struct service_connection *sconn, *sconntmp; +- int sock, maxfd, ret; + + if (zygote_init() < 0) + _exit(1); +@@ -235,55 +231,10 @@ + */ + service_register_core(fd); + +- for (;;) { +- FD_ZERO(&fds); +- FD_SET(fd, &fds); +- maxfd = -1; +- TAILQ_FOREACH(casserv, &casper_services, cs_next) { +- /* We handle only core services. */ +- if (!CSERVICE_IS_CORE(casserv)) +- continue; +- for (sconn = service_connection_first(casserv->cs_service); +- sconn != NULL; +- sconn = service_connection_next(sconn)) { +- sock = service_connection_get_sock(sconn); +- FD_SET(sock, &fds); +- maxfd = sock > maxfd ? sock : maxfd; +- } +- } +- if (maxfd == -1) { +- /* Nothing to do. */ +- _exit(0); +- } +- maxfd++; +- +- +- assert(maxfd <= (int)FD_SETSIZE); +- ret = select(maxfd, &fds, NULL, NULL, NULL); +- assert(ret == -1 || ret > 0); /* select() cannot timeout */ +- if (ret == -1) { +- if (errno == EINTR) +- continue; ++ while (service_have_connections()) { ++ if (!service_poll_dispatch()) + _exit(1); +- } +- +- TAILQ_FOREACH(casserv, &casper_services, cs_next) { +- /* We handle only core services. */ +- if (!CSERVICE_IS_CORE(casserv)) +- continue; +- for (sconn = service_connection_first(casserv->cs_service); +- sconn != NULL; sconn = sconntmp) { +- /* +- * Prepare for connection to be removed from +- * the list on failure. +- */ +- sconntmp = service_connection_next(sconn); +- sock = service_connection_get_sock(sconn); +- if (FD_ISSET(sock, &fds)) { +- service_message(casserv->cs_service, +- sconn); +- } +- } +- } + } ++ ++ _exit(0); + } +--- lib/libcasper/libcasper/service.c.orig ++++ lib/libcasper/libcasper/service.c +@@ -30,7 +30,7 @@ + * SUCH DAMAGE. + */ + +-#include ++#include + #include + #include + #include +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -71,7 +72,8 @@ + int sc_magic; + cap_channel_t *sc_chan; + nvlist_t *sc_limits; +- TAILQ_ENTRY(service_connection) sc_next; ++ struct service *sc_service; ++ size_t sc_pollidx; + }; + + #define SERVICE_MAGIC 0x5e91ce +@@ -81,9 +83,90 @@ + uint64_t s_flags; + service_limit_func_t *s_limit; + service_command_func_t *s_command; +- TAILQ_HEAD(, service_connection) s_connections; + }; + ++#define POLLSET_CHUNK 8 ++static struct pollfd *pollset_pfds; ++static struct service_connection **pollset_conns; ++static size_t pollset_cap; ++static size_t pollset_size; ++ ++static int ++pollset_add(struct service_connection *sconn, int sock) ++{ ++ size_t i, newcap; ++ void *p; ++ ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_pfds[i].fd < 0) ++ break; ++ } ++ if (i == pollset_size) { ++ newcap = roundup2(pollset_size + 1, POLLSET_CHUNK); ++ if (newcap > pollset_cap) { ++ p = reallocarray(pollset_pfds, newcap, ++ sizeof(*pollset_pfds)); ++ if (p == NULL) ++ return (-1); ++ pollset_pfds = p; ++ p = reallocarray(pollset_conns, newcap, ++ sizeof(*pollset_conns)); ++ if (p == NULL) ++ return (-1); ++ pollset_conns = p; ++ pollset_cap = newcap; ++ } ++ pollset_size++; ++ } ++ pollset_pfds[i].fd = sock; ++ pollset_pfds[i].events = POLLIN; ++ pollset_pfds[i].revents = 0; ++ pollset_conns[i] = sconn; ++ sconn->sc_pollidx = i; ++ return (0); ++} ++ ++static void ++pollset_remove(struct service_connection *sconn) ++{ ++ ++ pollset_pfds[sconn->sc_pollidx].fd = -1; ++ pollset_conns[sconn->sc_pollidx] = NULL; ++} ++ ++bool ++service_have_connections(void) ++{ ++ size_t i; ++ ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_pfds[i].fd >= 0) ++ return (true); ++ } ++ return (false); ++} ++ ++bool ++service_poll_dispatch(void) ++{ ++ size_t i; ++ int ret; ++ ++ do { ++ ret = poll(pollset_pfds, pollset_size, -1); ++ } while (ret == -1 && errno == EINTR); ++ if (ret == -1) ++ return (false); ++ ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_pfds[i].revents == 0) ++ continue; ++ service_message(pollset_conns[i]->sc_service, ++ pollset_conns[i]); ++ } ++ return (true); ++} ++ + struct service * + service_alloc(const char *name, service_limit_func_t *limitfunc, + service_command_func_t *commandfunc, uint64_t flags) +@@ -101,7 +184,6 @@ + service->s_limit = limitfunc; + service->s_command = commandfunc; + service->s_flags = flags; +- TAILQ_INIT(&service->s_connections); + service->s_magic = SERVICE_MAGIC; + + return (service); +@@ -110,13 +192,16 @@ + void + service_free(struct service *service) + { +- struct service_connection *sconn; ++ size_t i; + + assert(service->s_magic == SERVICE_MAGIC); + + service->s_magic = 0; +- while ((sconn = service_connection_first(service)) != NULL) +- service_connection_remove(service, sconn); ++ for (i = 0; i < pollset_size; i++) { ++ if (pollset_conns[i] != NULL && ++ pollset_conns[i]->sc_service == service) ++ service_connection_remove(service, pollset_conns[i]); ++ } + free(service->s_name); + free(service); + } +@@ -153,8 +238,16 @@ + return (NULL); + } + } ++ sconn->sc_service = service; ++ if (pollset_add(sconn, sock) == -1) { ++ serrno = errno; ++ nvlist_destroy(sconn->sc_limits); ++ (void)cap_unwrap(sconn->sc_chan, NULL); ++ free(sconn); ++ errno = serrno; ++ return (NULL); ++ } + sconn->sc_magic = SERVICE_CONNECTION_MAGIC; +- TAILQ_INSERT_TAIL(&service->s_connections, sconn, sc_next); + return (sconn); + } + +@@ -166,7 +259,7 @@ + assert(service->s_magic == SERVICE_MAGIC); + assert(sconn->sc_magic == SERVICE_CONNECTION_MAGIC); + +- TAILQ_REMOVE(&service->s_connections, sconn, sc_next); ++ pollset_remove(sconn); + sconn->sc_magic = 0; + nvlist_destroy(sconn->sc_limits); + cap_close(sconn->sc_chan); +@@ -196,31 +289,6 @@ + return (sock[1]); + } + +-struct service_connection * +-service_connection_first(struct service *service) +-{ +- struct service_connection *sconn; +- +- assert(service->s_magic == SERVICE_MAGIC); +- +- sconn = TAILQ_FIRST(&service->s_connections); +- assert(sconn == NULL || +- sconn->sc_magic == SERVICE_CONNECTION_MAGIC); +- return (sconn); +-} +- +-struct service_connection * +-service_connection_next(struct service_connection *sconn) +-{ +- +- assert(sconn->sc_magic == SERVICE_CONNECTION_MAGIC); +- +- sconn = TAILQ_NEXT(sconn, sc_next); +- assert(sconn == NULL || +- sconn->sc_magic == SERVICE_CONNECTION_MAGIC); +- return (sconn); +-} +- + cap_channel_t * + service_connection_get_chan(const struct service_connection *sconn) + { +@@ -329,14 +397,6 @@ + nvlist_destroy(nvlout); + } + +-static int +-fd_add(fd_set *fdsp, int maxfd, int fd) +-{ +- +- FD_SET(fd, fdsp); +- return (fd > maxfd ? fd : maxfd); +-} +- + const char * + service_name(struct service *service) + { +@@ -417,9 +477,6 @@ + void + service_start(struct service *service, int sock, int procfd) + { +- struct service_connection *sconn, *sconntmp; +- fd_set fds; +- int maxfd, nfds; + + assert(service != NULL); + assert(service->s_magic == SERVICE_MAGIC); +@@ -429,43 +486,9 @@ + if (service_connection_add(service, sock, NULL) == NULL) + _exit(1); + +- for (;;) { +- FD_ZERO(&fds); +- maxfd = -1; +- for (sconn = service_connection_first(service); sconn != NULL; +- sconn = service_connection_next(sconn)) { +- maxfd = fd_add(&fds, maxfd, +- service_connection_get_sock(sconn)); +- } +- +- assert(maxfd >= 0); +- assert(maxfd + 1 <= (int)FD_SETSIZE); +- nfds = select(maxfd + 1, &fds, NULL, NULL, NULL); +- if (nfds < 0) { +- if (errno != EINTR) +- _exit(1); +- continue; +- } else if (nfds == 0) { +- /* Timeout. */ +- abort(); +- } +- +- for (sconn = service_connection_first(service); sconn != NULL; +- sconn = sconntmp) { +- /* +- * Prepare for connection to be removed from the list +- * on failure. +- */ +- sconntmp = service_connection_next(sconn); +- if (FD_ISSET(service_connection_get_sock(sconn), &fds)) +- service_message(service, sconn); +- } +- if (service_connection_first(service) == NULL) { +- /* +- * No connections left, exiting. +- */ +- break; +- } ++ while (service_have_connections()) { ++ if (!service_poll_dispatch()) ++ _exit(1); + } + + _exit(0); +--- lib/libcasper/tests/Makefile.orig ++++ lib/libcasper/tests/Makefile +@@ -1,6 +1,13 @@ +-.PATH: ${SRCTOP}/tests ++.include + + PACKAGE= tests +-KYUAFILE= yes ++ ++ATF_TESTS_C= cap_main_test ++ ++.if ${MK_CASPER} != "no" ++LIBADD+= casper ++CFLAGS+= -DWITH_CASPER ++.endif ++LIBADD+= nv + + .include +--- /dev/null ++++ lib/libcasper/tests/cap_main_test.c +@@ -0,0 +1,142 @@ ++/*- ++ * SPDX-License-Identifier: BSD-2-Clause ++ * ++ * Copyright (c) 2026 Mariusz Zaborski ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ */ ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++#define NCONNECTIONS (FD_SETSIZE + 64) ++#define FD_HEADROOM 64 ++ ++/* Test that file descriptors past FD_SETSIZE (1024) work. */ ++ATF_TC_WITHOUT_HEAD(many_connections); ++ATF_TC_BODY(many_connections, tc) ++{ ++ struct rlimit rl; ++ cap_channel_t *chan; ++ cap_channel_t **clones; ++ size_t i; ++ ++ if (getrlimit(RLIMIT_NOFILE, &rl) != 0) ++ atf_tc_skip("getrlimit: %s", strerror(errno)); ++ if (rl.rlim_max < NCONNECTIONS + FD_HEADROOM) ++ atf_tc_skip("RLIMIT_NOFILE hard cap %ju below required %d", ++ (uintmax_t)rl.rlim_max, NCONNECTIONS + FD_HEADROOM); ++ rl.rlim_cur = rl.rlim_max; ++ ATF_REQUIRE_MSG(setrlimit(RLIMIT_NOFILE, &rl) == 0, ++ "setrlimit: %s", strerror(errno)); ++ ++ chan = cap_init(); ++ ATF_REQUIRE_MSG(chan != NULL, "cap_init failed: %s", strerror(errno)); ++ ++ clones = calloc(NCONNECTIONS, sizeof(*clones)); ++ ATF_REQUIRE(clones != NULL); ++ ++ /* ++ * Every cap_clone(3) adds one more connection to the helper. ++ * After this loop the helper is watching more fds than an ++ * fd_set can hold. ++ */ ++ for (i = 0; i < NCONNECTIONS; i++) { ++ clones[i] = cap_clone(chan); ++ ATF_REQUIRE_MSG(clones[i] != NULL, ++ "cap_clone failed at %zu/%d: %s", ++ i, NCONNECTIONS, strerror(errno)); ++ } ++ ++ for (i = 0; i < NCONNECTIONS; i++) ++ cap_close(clones[i]); ++ free(clones); ++ cap_close(chan); ++} ++ ++#define CHURN_CONNECTIONS 50 ++#define CHURN_CLOSE_STEP 5 ++ ++/* Test that gaps in the file descriptor list do not break casper. */ ++ATF_TC_WITHOUT_HEAD(connection_churn); ++ATF_TC_BODY(connection_churn, tc) ++{ ++ cap_channel_t *chan, *survivor, *extra; ++ cap_channel_t *clones[CHURN_CONNECTIONS]; ++ size_t i, survivor_idx; ++ ++ chan = cap_init(); ++ ATF_REQUIRE_MSG(chan != NULL, "cap_init failed: %s", strerror(errno)); ++ ++ for (i = 0; i < CHURN_CONNECTIONS; i++) { ++ clones[i] = cap_clone(chan); ++ ATF_REQUIRE_MSG(clones[i] != NULL, ++ "cap_clone failed at %zu: %s", i, strerror(errno)); ++ } ++ ++ /* ++ * Close every Nth clone. ++ */ ++ for (i = 0; i < CHURN_CONNECTIONS; i += CHURN_CLOSE_STEP) { ++ cap_close(clones[i]); ++ clones[i] = NULL; ++ } ++ ++ /* ++ * Force a poll() cycle: the helper handles POLLIN on chan and ++ * POLLHUP on the closed clones in the same walk. ++ */ ++ extra = cap_clone(chan); ++ ATF_REQUIRE_MSG(extra != NULL, "cap_clone after churn failed: %s", ++ strerror(errno)); ++ ++ /* A surviving clone must still round-trip. */ ++ survivor_idx = 1; ++ survivor = cap_clone(clones[survivor_idx]); ++ ATF_REQUIRE_MSG(survivor != NULL, ++ "cap_clone on survivor failed: %s", strerror(errno)); ++ ++ cap_close(survivor); ++ cap_close(extra); ++ for (i = 0; i < CHURN_CONNECTIONS; i++) { ++ if (clones[i] != NULL) ++ cap_close(clones[i]); ++ } ++ cap_close(chan); ++} ++ ++ATF_TP_ADD_TCS(tp) ++{ ++ ++ ATF_TP_ADD_TC(tp, many_connections); ++ ATF_TP_ADD_TC(tp, connection_churn); ++ return (atf_no_error()); ++} diff --git a/website/static/security/patches/SA-26:22/libcasper-15.patch.asc b/website/static/security/patches/SA-26:22/libcasper-15.patch.asc new file mode 100644 index 0000000000..ba65d33054 --- /dev/null +++ b/website/static/security/patches/SA-26:22/libcasper-15.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKH4bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv3kEQAMJU7f++QUOGUqTiANS4 +69poIhn4KaawwwzRRblcMRVYVhBZoT92YJUOauXILbNsqQZjQ5K4kdW/mgBk3ivw +v7P8y3Bc9t/ZWX4Z9tBB5KmmDhMKdShWTHaHZiCYliJGW+Yzaki/zPBJ+R3vPETd +Cm/X8rvxjMh4tM9HTqaNCrT+DfjAYxS/CCi+mUaNKiP6tLSPAUWYfc2WtBY85OvS +sRVxFBpFPtVwxuVM0XhAIBrPq9fIxILdT3bLi7Q85epLjstoXirCzEjpqhnYE/6m +huyAZCe54qWt+ZhdiRwsLUV/Asom3cLlkuBv0c4QK4tfpZaQqyysAB8+QrNLZ7L8 +V+SnBu8RwEWlsviIf0aWkVnM/YKyoTPs3Wqm7yuWgMz0DuiVuNUs99wLWwDmeAwX +2XA86LsLpi5MPgd7oX2Py4XUKtkiVS7zuKRYW/i5DqSCarUm+wV3v/5EoYwNHVmD +P+Idbe9XkwwYYT+MIHmxYAi2E/jmCvp2RA724K/Iy10Nv0vKz4bbf69P9RPfSnrM +d+H1A6o4LEo5tGS+gcln9rTyg3PME1fXGri1vLT8JJauTQfn1OV0KX2LsZKHAq1i +O4P6M6iUuqupwEAOiqZ39olo241exOzsyP7mXPIwYtS1xi/npWEHrwz2rHEPvD2X +XoXsfguRWHH1Gu7LatZ+XlFm +=B6VF +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:23/bsdinstall-14.patch b/website/static/security/patches/SA-26:23/bsdinstall-14.patch new file mode 100644 index 0000000000..ed81ef5e70 --- /dev/null +++ b/website/static/security/patches/SA-26:23/bsdinstall-14.patch @@ -0,0 +1,102 @@ +--- usr.sbin/bsdconfig/share/media/wlan.subr.orig ++++ usr.sbin/bsdconfig/share/media/wlan.subr +@@ -813,6 +813,7 @@ + [ $nmatches -le ${#DIALOG_MENU_TAGS} ] || break + f_substr -v tag "$DIALOG_MENU_TAGS" $nmatches 1 + ++ f_shell_escape "$wssid" wssid + f_wireless_describe WIRELESS_$n help + menu_list1="$menu_list1 + '$tag $wssid' '$wbssid' '$help' +@@ -1076,6 +1077,7 @@ + while [ $n -lt $nunique ]; do + n=$(( $n + 1 )) + menuitem_$n get ssid ssid ++ f_shell_escape "$ssid" ssid + + menuitem_$n get nconfigs nconfigs + desc="$nconfigs $msg_configured_lc" +@@ -1184,6 +1186,7 @@ + while [ $n -lt $nunique ]; do + n=$(( $n + 1 )) + menuitem_$n get ssid ssid ++ f_shell_escape "$ssid" ssid + + desc= + if [ "$DIALOG_MENU_WLAN_SHOW_ALL" ]; then +--- usr.sbin/bsdinstall/scripts/wlanconfig.orig ++++ usr.sbin/bsdinstall/scripts/wlanconfig +@@ -147,6 +147,34 @@ + country_set "$regdomain" "$country" + } + ++dialog_network_select() ++{ ++ local ssid flags height width rows prompt ++ ++ # Avoid using eval on untrusted data. ++ set -- ++ while IFS=$'\t' read -r ssid flags; do ++ [ -n "$ssid" ] || continue ++ set -- "$@" "$ssid" "$flags" ++ done <&1 >&$DIALOG_TERMINAL_PASSTHRU_FD ++} ++ + ############################################################ MAIN + + : > "$BSDINSTALL_TMPETC/wpa_supplicant.conf" +@@ -213,27 +241,14 @@ + + f_eval_catch -dk SCAN_RESULTS wlanconfig wpa_cli "wpa_cli scan_results" + NETWORKS=$( echo "$SCAN_RESULTS" | awk -F '\t' ' +- /..:..:..:..:..:../ && $5 { printf "\"%s\"\t\"%s\"\n", $5, $4 } ++ /..:..:..:..:..:../ && $5 { print $5 "\t" $4 } + ' | sort | uniq ) + + if [ ! "$NETWORKS" ]; then + f_dialog_title "$msg_error" + f_yesno "No wireless networks were found. Rescan?" && continue + else +- f_dialog_title "Network Selection" +- prompt="Select a wireless network to connect to." +- f_dialog_menu_size height width rows "$DIALOG_TITLE" \ +- "$DIALOG_BACKTITLE" "$prompt" "" $menu_list +- NETWORK=$( eval $DIALOG \ +- --title \"\$DIALOG_TITLE\" \ +- --backtitle \"\$DIALOG_BACKTITLE\" \ +- --extra-button \ +- --extra-label \"Rescan\" \ +- --menu \"\$prompt\" \ +- $height $width $rows \ +- $NETWORKS \ +- 2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD +- ) ++ NETWORK=$( dialog_network_select ) + fi + retval=$? + f_dialog_data_sanitize NETWORK +@@ -270,7 +285,7 @@ + done + + [ "$ENCRYPTION" ] || ENCRYPTION=$( echo "$NETWORKS" | +- awk -F '\t' "/^\"$NETWORK\"\t/ { print \$2 }" ) ++ awk -F '\t' "/^$NETWORK\t/ { print \$2 }" ) + + if echo "$ENCRYPTION" | grep -q PSK; then + PASS=$( $DIALOG \ diff --git a/website/static/security/patches/SA-26:23/bsdinstall-14.patch.asc b/website/static/security/patches/SA-26:23/bsdinstall-14.patch.asc new file mode 100644 index 0000000000..1a58120aa4 --- /dev/null +++ b/website/static/security/patches/SA-26:23/bsdinstall-14.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKIAbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvVmgP/ikDqOYGMuEuPfDArmAt +px7cSmVbijPdRRJLcYvboUfRsT/5PtYIJiVTRdr6kG/BH9xz28XNwzm6IfyUbsEO +XwlgRkincO4zXJq6F6ZKJSiHJaM1Px6IkccIRLcZYILzVfULagoQ+OVxkMSntiCR +KRSiqeoG5qBswUbU3jxtlfpKv3Ayk+H4+u7ELPi/zxLXLOuZWgjm8/oF/KJx4CmQ +eqnBaWxd5zswLG+jZ7PZ3wc2s5qw0b2xbOHPdjxyikvkaqgc38cbjJQBKHzfCrpi +4KBkqs9tZY9QotNzZDznfgnJS3skymRJs9uDrhQwO/StC+iu4WuscU/73OWt/x2Z +QKJ3WKyJVfVvSeoQqF0h98ynWeUvA/7cqpBnaJCZXlQaRrMrlz8bV83HiE3968hP +AUKdLGEdUWiaZI2sFsVvE/s7794UCQrpd4piODqhcr5VOX9Gp06h1ShCZREIpd0v +lfgen3d8PNcH7sXFFAMerlvqZbL/YZuaWPk/izOHP0dNC04OCM4+3SMO3IFYBc3l +VcTKTu5GcwmURn687E/YoL/2x6Edikz7xmm33lRqTAs5Qn8ohsTs0b4igpZuRQSo +VTjOiwO78akyfYM8AiASwu0qLlgh6nO1n/wBHRIAmFztChWBGyBQTsRvYb1uTA8J +67ktHpJ1y1tnRuCV0ar7RoJL +=hjx8 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:23/bsdinstall-15.patch b/website/static/security/patches/SA-26:23/bsdinstall-15.patch new file mode 100644 index 0000000000..69d23b373b --- /dev/null +++ b/website/static/security/patches/SA-26:23/bsdinstall-15.patch @@ -0,0 +1,102 @@ +--- usr.sbin/bsdconfig/share/media/wlan.subr.orig ++++ usr.sbin/bsdconfig/share/media/wlan.subr +@@ -813,6 +813,7 @@ + [ $nmatches -le ${#DIALOG_MENU_TAGS} ] || break + f_substr -v tag "$DIALOG_MENU_TAGS" $nmatches 1 + ++ f_shell_escape "$wssid" wssid + f_wireless_describe WIRELESS_$n help + menu_list1="$menu_list1 + '$tag $wssid' '$wbssid' '$help' +@@ -1076,6 +1077,7 @@ + while [ $n -lt $nunique ]; do + n=$(( $n + 1 )) + menuitem_$n get ssid ssid ++ f_shell_escape "$ssid" ssid + + menuitem_$n get nconfigs nconfigs + desc="$nconfigs $msg_configured_lc" +@@ -1184,6 +1186,7 @@ + while [ $n -lt $nunique ]; do + n=$(( $n + 1 )) + menuitem_$n get ssid ssid ++ f_shell_escape "$ssid" ssid + + desc= + if [ "$DIALOG_MENU_WLAN_SHOW_ALL" ]; then +--- usr.sbin/bsdinstall/scripts/wlanconfig.orig ++++ usr.sbin/bsdinstall/scripts/wlanconfig +@@ -147,6 +147,34 @@ + country_set "$regdomain" "$country" + } + ++dialog_network_select() ++{ ++ local ssid flags height width rows prompt ++ ++ # Avoid using eval on untrusted data. ++ set -- ++ while IFS=$'\t' read -r ssid flags; do ++ [ -n "$ssid" ] || continue ++ set -- "$@" "$ssid" "$flags" ++ done <&1 >&$DIALOG_TERMINAL_PASSTHRU_FD ++} ++ + ############################################################ MAIN + + : > "$BSDINSTALL_TMPETC/wpa_supplicant.conf" +@@ -213,27 +241,14 @@ + + f_eval_catch -dk SCAN_RESULTS wlanconfig wpa_cli "wpa_cli scan_results" + NETWORKS=$( echo "$SCAN_RESULTS" | awk -F '\t' ' +- /..:..:..:..:..:../ && $5 { printf "\"%s\"\t\"%s\"\n", $5, $4 } ++ /..:..:..:..:..:../ && $5 { print $5 "\t" $4 } + ' | sort | uniq ) + + if [ ! "$NETWORKS" ]; then + f_dialog_title "$msg_error" + f_yesno "No wireless networks were found. Rescan?" && continue + else +- f_dialog_title "Network Selection" +- prompt="Select a wireless network to connect to." +- f_dialog_menu_size height width rows "$DIALOG_TITLE" \ +- "$DIALOG_BACKTITLE" "$prompt" "" $NETWORKS +- NETWORK=$( eval $DIALOG \ +- --title \"\$DIALOG_TITLE\" \ +- --backtitle \"\$DIALOG_BACKTITLE\" \ +- --extra-button \ +- --extra-label \"Rescan\" \ +- --menu \"\$prompt\" \ +- $height $width $rows \ +- $NETWORKS \ +- 2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD +- ) ++ NETWORK=$( dialog_network_select ) + fi + retval=$? + f_dialog_data_sanitize NETWORK +@@ -270,7 +285,7 @@ + done + + [ "$ENCRYPTION" ] || ENCRYPTION=$( echo "$NETWORKS" | +- awk -F '\t' "/^\"$NETWORK\"\t/ { print \$2 }" ) ++ awk -F '\t' "/^$NETWORK\t/ { print \$2 }" ) + + if echo "$ENCRYPTION" | grep -q PSK; then + PASS=$( $DIALOG \ diff --git a/website/static/security/patches/SA-26:23/bsdinstall-15.patch.asc b/website/static/security/patches/SA-26:23/bsdinstall-15.patch.asc new file mode 100644 index 0000000000..d015b06731 --- /dev/null +++ b/website/static/security/patches/SA-26:23/bsdinstall-15.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKIEbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv1e0P/RqYWzbb1NdABp3BvIay +D0WebRVJuItsRDdalt0cXumP76UGTa1KVKawVE6OSkzM3cQ0hktBHFd16uDlLH0n +M3uO61BCz0hPJcalO4PAxT1QO1SOA5bVY1FWB0wvSL1mj9OS35YCbbaxFqlwcTrJ +CDjBXyC4CAD4drbOMmfLKLHCkB7gb1TKgN4gpXsMEyhkeOrBBwKg94p6xdqYfxdI +yn6kX54BKcDy0fgVnWgtVufpNLqz5wNlShw6TsNM07Mu91yFX5n9jv1jaQet1+Jd +QGi1n0r9evuun5BbBzeX2GU6Hq7xwRUYueTEyzPJGn8TBzzjLacEUDGuDA4hDRhI +Y9F/wQJdVJN2Pa5e3CtNXc8VQ1V/W92vAkPAzqPEJDsXWa/qp14bS4GpdXWlwFHj +ucvI00hC/6kmlhTpa4RjtMUG22qkOeIABoy6ah23qTICVQr29E9nMgLS8wQWDR52 +rgM6iX6sQ3mOAleFIqT12kaiT8nE7IJnMTRTjoKBkG6iaePuIdFNkrrQAML04TzO +TMdHsE4qjgFhI7in2LxVuJIlGLqGDt7uj6M36px2vYvVPu6s8758SpYeiIXGfHnR +L7Ihv4P8M48tBIp4yGp10HwYwEBY+CON7NsRCk/gANTBAnPfiHWsjZaH4ZR6f8mg +nQqftY90HhsoCa1C/SRm/HKa +=mgO8 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-26:24/cap_net.patch b/website/static/security/patches/SA-26:24/cap_net.patch new file mode 100644 index 0000000000..d2fdd5c208 --- /dev/null +++ b/website/static/security/patches/SA-26:24/cap_net.patch @@ -0,0 +1,60 @@ +--- lib/libcasper/services/cap_net/cap_net.c.orig ++++ lib/libcasper/services/cap_net/cap_net.c +@@ -1122,12 +1122,37 @@ + return (0); + } + ++/* ++ * If the old sublimit restricted a subkey, the new one must too; ++ * a missing subkey means "allow any" at request time. ++ */ ++static bool ++verify_subkeys_present(const nvlist_t *oldfunclimits, ++ const nvlist_t *newfunclimit) ++{ ++ void *cookie; ++ const char *name; ++ ++ if (oldfunclimits == NULL) ++ return (true); ++ ++ cookie = NULL; ++ while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) { ++ if (!nvlist_exists(newfunclimit, name)) ++ return (false); ++ } ++ return (true); ++} ++ + static bool + verify_only_sa_newlimts(const nvlist_t *oldfunclimits, + const nvlist_t *newfunclimit) + { + void *cookie; + ++ if (!verify_subkeys_present(oldfunclimits, newfunclimit)) ++ return (false); ++ + cookie = NULL; + while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) { + void *sacookie; +@@ -1200,6 +1225,9 @@ + LIMIT_NV_ADDR2NAME, NULL); + } + ++ if (!verify_subkeys_present(oldfunclimits, newfunclimit)) ++ return (false); ++ + cookie = NULL; + while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) { + if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) { +@@ -1258,6 +1286,9 @@ + LIMIT_NV_NAME2ADDR, NULL); + } + ++ if (!verify_subkeys_present(oldfunclimits, newfunclimit)) ++ return (false); ++ + cookie = NULL; + while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) { + if (strcmp(cnvlist_name(cookie), "hosts") == 0) { diff --git a/website/static/security/patches/SA-26:24/cap_net.patch.asc b/website/static/security/patches/SA-26:24/cap_net.patch.asc new file mode 100644 index 0000000000..ad87a51dd7 --- /dev/null +++ b/website/static/security/patches/SA-26:24/cap_net.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJPBAABCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKIQbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvlq4P/272F0oQ3tEr9MPfrErE +L74yVBNk7EDAJqniPUlFL7sRqpnFem0K2TBSj55j/nGbONYDkBTppM0cN8zsrbyq +iZkF1c6qPPZtq1brDxY5ZQQokUS3+XcOyW13d7ImT8cdh0o+WpfAtEPFYQa/yrM1 +IkQMmkiWMp+/XX6C3wYjYAFlbztx0aRrh7f54FUk6uQL58cdbWH2ZuH74cMkv6AW +0fIBRkwpfqpjTN90BRZq/2ePIVw7e2rw6aqNqAyOURIQAIYY8sucEK5r2YosieMU +SJIpB1ejW6S6egAvuHXx4OD6Xqw4TouCo9GnaPf+PQvER8eQvvUJAfHfJeAjj5+I +5QmGDXz47Zn9fSLiSKrzk4rkGuHHcNGyCbwuYtRXoBlLoRrWousP59KYO1kR63gv +1p7fPitzqHXCfdohN8xkv2RtSWTU9jUXb6h5rEyI5SdBB6kX0w4BbwW5qXwmGWtM +282ey6jNVCIi+xeJ1xwSeHcSuHHj6AhtOANxM2I1xNMhmCMcAX65cGCg0EVYhO6X +9BQXyVJXdojVUNOP3NV1OjbXvSFHHaIJ0iBJOJ38GUl377AXW+KW0cp5yggbZMhD +J3dRdAqTZO9FObwJF86Zd1xyuqySIqVnnycBTboNwoKkRDvRib8vwwQCBCoWSMwj +ge/Ki9+fl13Q/5uoW/dWyf4J +=ci2w +-----END PGP SIGNATURE-----