diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc')
| -rw-r--r-- | website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc new file mode 100644 index 0000000000..61bd74761c --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc @@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:10.zfs Errata Notice + The FreeBSD Project + +Topic: Corruption in ZFS replication streams from encrypted datasets + +Category: contrib +Module: zfs +Announced: 2025-07-02 +Credits: Klara, Inc. +Affects: All supported versions of FreeBSD. +Corrected: 2025-06-21 22:05:40 UTC (stable/14, 14.3-STABLE) + 2025-07-02 18:27:44 UTC (releng/14.3, 14.3-RELEASE-p1) + 2025-07-02 18:28:09 UTC (releng/14.2, 14.2-RELEASE-p4) + 2025-06-27 20:07:48 UTC (stable/13, 13.5-STABLE) + 2025-07-02 18:28:29 UTC (releng/13.5, 13.5-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is an advanced and scalable file system originally developed by Sun +Microsystems for its Solaris operating system. ZFS was integrated as part of +the FreeBSD starting with FreeBSD 7.0, and it has since become a prominent +and preferred choice for storage management. + +II. Problem Description + +ZFS has built-in replication and backup functionality, which serializes a +filesystem for transport to another system, known as "ZFS send". ZFS send +also supports incremental updates between a pair of snapshots. When sending +an encrypted dataset, the dataset can either be left encrypted for +transit/receipt (raw mode), or decrypted. During a decrypting (normal) send, +a bug in the code caused some metadata (key mappings) in the snapshots to be +decrypted in memory, but not properly released. As a result, the key mappings +used for decryption were not freed from the in-memory table. + +III. Impact + +The leaked mappings can cause two problems. The first is that they can result +in spurious checksum errors when they are incorrectly used to access data +later. In the second case, in order to export a pool, ZFS requires that all +the mappings be freed. These leaked mappings were never cleaned up, resulting +in any attempt to export the pool causing the command to hang. + +IV. Workaround + +No workaround is available. Systems not using ZFS, or not using ZFS native +encryption are unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. A reboot is required following the +upgrade. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# reboot + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:10/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-25:10/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 6abe6a8a0d54 stable/14-n271756 +releng/14.3/ cb24a62cd75b releng/14.3-n271433 +releng/14.2/ c5feebf38389 releng/14.2-n269526 +stable/13/ eae830109571 stable/13-n259318 +releng/13.5/ 4d9c4ecf6a48 releng/13.5-n259168 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://github.com/openzfs/zfs/pull/17340> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:10.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmhlfSMACgkQbljekB8A +Gu8z2hAAzcl0BfP5P3suB3ywY8dbh8LZ/MbKrN+VOgdrP00plRFhVMpL8W+v7MjX +t3fDU3wEg+1PNEJ3j20vTCH4qdwuRQiuWo/MRz/7/kF21PufMx34pLGQd7ghG6q/ +1PGqxgs4C4snSJsgixzgxyedTZsO5D4ZKL3o8s5DPfvHR7bnSI7MdHFg7DynvpU6 +pcYZ7bZL1WhzTG4lL32oDFZqmLGac5iwiJPekVzJwlkSmoYlc8ScMV43FpDdGCfD +5jbalhD0T/r4+Uzc+dTPulHjR8Q4YQ5XTZJvo5am9JV4HoQztASDsGw2Av9SpMKz +TAehn5A48J+E3hcKncKivoRlSAA3EF/LTfCH/9ZLLEaEl3qbmp/iSPwuC9KWH8u/ +4E44tlTWDXfnr1UTnqqYwrq+SoY/UDQ0DWOXPEanS2BTSxzu3I/MI9OWzR0eZaow +KDw7P4NFTnGLZ1ZWeGj2vrqrDDjb5SHqj8y0T1oyCqASph/t5e5AAsRzNp2Zr+YL +nKAJAr5TEFIpYEjAsTj8WY+fu+KUOgh4sQpXe9xrD++aIRR64VbIJE6XSNo1TOtu +TzXS7ysRZmZygoJOqCldsti7jUdlX5Pn31x4IRCaJAcQzfngZYyIQDLwkxg4b6LQ +VLgtP7hmulByj7XBkCpekGb6kYoudIDqPP+vR+LSWgbzEyZ1LIo= +=rdcw +-----END PGP SIGNATURE----- |