Diffstat (limited to 'website/static/security/advisories')
-rw-r--r--  website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc | 140
-rw-r--r--  website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc        | 207
2 files changed, 347 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc new file mode 100644 index 0000000000..879a139248 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-25:18.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update(8) installs libraries in incorrect order + +Category: core +Module: freebsd-update +Announced: 2025-09-30 +Credits: Graham Perrin +Affects: All supported versions of FreeBSD. +Corrected: 2025-09-25 19:26:37 UTC (stable/15, 15.0-ALPHA4) + 2025-09-25 19:27:06 UTC (stable/14, 14.3-STABLE) + 2025-09-30 15:37:15 UTC (releng/14.3, 14.3-RELEASE-p4) + 2025-09-30 15:37:24 UTC (releng/14.2, 14.2-RELEASE-p7) + 2025-09-25 19:27:34 UTC (stable/13, 13.5-STABLE) + 2025-09-30 15:37:34 UTC (releng/13.5, 13.5-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The freebsd-update(8) utility is used to fetch, install, and rollback +binary updates to the FreeBSD base system. In addition to security and +errata updates within a release (its original purpose), freebsd-update(8) +can be used to upgrade to a newer FreeBSD release. + +II. Problem Description + +When installing updates, freebsd-update(8) did not enforce ordering between +the C standard library ("libc") and the system library ("libsys") which was +introduced in FreeBSD 15.0. + +III. Impact + +When using freebsd-update(8) to upgrade a system from FreeBSD 13.x or 14.x to +FreeBSD 15.0, freebsd-update(8) would install a new libc which depends on +libsys before the libsys library existed. This resulted in the rest of the +update failing to install and a mostly-unusable system, with only statically +linked binaries (e.g. in /rescue) functioning. + +IV. 
Workaround + +No workaround is available, but this misbehaviour only applies to using +freebsd-update(8) to upgrade to FreeBSD 15.0; applying security and errata +updates (including this one) within a release branch is unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-25:18/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 8134e7f4b406 stable/15-n280326 +stable/14/ e26928669f39 stable/14-n272484 +releng/14.3/ 978e04ff5bcf releng/14.3-n271445 +releng/14.2/ 3447fea3523b releng/14.2-n269536 +stable/13/ 87eb52f1b061 stable/13-n259445 +releng/13.5/ ab91dd76ff72 releng/13.5-n259177 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289769> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:18.freebsd-update.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+x0ACgkQbljekB8A +Gu8DQhAAt4nGFTHJcC4dVceeanMY4+p8zUqtrjGP1wO+dgnBbPJuHteMlaK8bi0N +A1f+XRCcbHN7OUZz0k+WgNsFOC583Zg29l+Oe6DvgRzyjUhp7q70/vgEUYbTn2eM +CeXL0GNP9h/UYcqmpot4bO0VvXf9g6qG6qBqYN31eSuDBWcRLLAOzQwbWTLxZYgB +vYDPTqMSOTygGJEiSwGDkywE45N0JvT/GA9kNiu9uh5xL0dQLgwi07BB3+bQ3rNx +hB5sK5EJSa0FcRmpSxXvtQJK5l9eIYkAcFUo0K4/UaSknIFqSOr7j4zS3MOE1PPa +7u+ZJY3SMYg9/YRlRpLs7FGe8t+Oz/1IFgjJ1bJVHZCA55kGaB9toh+wunGsSUHc ++DzPGC0PYmcVLtk75WgjjkofCRCco8Dx3QlLfEUKxzNJFL+LwfE+zi5Pk//GJcr2 +V6RipeMNJGc60N/Zz2X95ut/43/tOBFh157oSXnVFdTbDJ7zc16EvjH99IIwlkEy +pasLr0i0XklormpAyUkddA3z57qy3580/sZf07QUHrQJQfy738qPf1QY6ejk560D +INBXdJk5FNJAYiogMrHyK0N1xX5WHk6qbbiAOmSefFCKcB7uL5CPcu6l8D0sAtyP 
+CbzuTLGqCWiDBT0aLK1xn1MNQMPT4PL7JhWqrSJnQpicgibqAsg= +=8oNH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc b/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc new file mode 100644 index 0000000000..339a9ce084 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-25:08.openssl.asc 
@@ -0,0 +1,207 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-25:08.openssl Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in OpenSSL + +Category: contrib +Module: openssl +Announced: 2025-09-30 +Credits: Stanislav Fort (Aisle Research) +Affects: All supported versions of FreeBSD. +Corrected: 2025-09-30 15:26:14 UTC (stable/15, 15.0-ALPHA4) + 2025-09-30 15:28:38 UTC (stable/14, 14.3-STABLE) + 2025-09-30 15:37:16 UTC (releng/14.3, 14.3-RELEASE-p4) + 2025-09-30 15:37:25 UTC (releng/14.2, 14.2-RELEASE-p7) + 2025-09-30 15:30:02 UTC (stable/13, 13.5-STABLE) + 2025-09-30 15:37:35 UTC (releng/13.5, 13.5-RELEASE-p5) +CVE Name: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) +Affects: FreeBSD 15.x, 14.x, and 13.x + +An application trying to decrypt cryptographic message syntax (CMS) messages +encrypted using password based encryption can trigger an out-of-bounds read +and write. + +* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231) +Affects: FreeBSD 15.x only + +A timing side-channel which could potentially allow remote recovery of the +private key exists in the SM2 algorithm implementation on 64-bit ARM +platforms. 
+ +* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232) +Affects: FreeBSD 15.x and 14.x only + +An application using the OpenSSL HTTP client API functions may trigger an +out-of-bounds read if the "no_proxy" environment variable is set and the host +portion of the authority component of the HTTP URL is an IPv6 address. + +III. Impact + +* Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) +Affects: FreeBSD 15.x, 14.x, and 13.x + +The out-of-bounds read may trigger a crash which leads to denial of service +for an application. The out-of-bounds write can cause a memory corruption +which can have various consequences including a denial of service or +execution of attacker-supplied code. + +Although the consequences of a successful exploit of this vulnerability +could be severe, the probability that an attacker would be able to +perform it is low. Password based (PWRI) encryption support in CMS +messages is very rarely used. + +* Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231) +Affects: FreeBSD 15.x only + +A timing side-channel in SM2 signature computations on 64 bit ARM platforms +could allow recovering the private key by an attacker. + +OpenSSL does not directly support certificates with SM2 keys in TLS, and so +this CVE is not relevant in most TLS contexts. However, it is possible to +add support for such certificates via a custom provider. + +* Out-of-bounds read in HTTP client no_proxy handling (CVE-2025-9232) +Affects: FreeBSD 15.x and 14.x only + +An out-of-bounds read can trigger a crash which leads to denial of service +for an application. + +The OpenSSL HTTP client API functions can be used directly by applications +but they are also used by the OCSP client functions and CMP (Certificate +Management Protocol) client implementation in OpenSSL. However the URLs used +by these implementations are unlikely to be controlled by an attacker. 
+ +In this vulnerable code the out of bounds read can only trigger a crash. +Furthermore the vulnerability requires an attacker-controlled URL to be +passed from an application to the OpenSSL function and the user has to have +a "no_proxy" environment variable set. + +IV. Workaround + +No workaround is available. Several of the issues have mitigating factors. +Please see the Impact section for more details. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.x] +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-15.patch.asc +# gpg --verify openssl-15.patch.asc + +[FreeBSD 14.x] +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-14.patch.asc +# gpg --verify openssl-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch +# fetch https://security.FreeBSD.org/patches/SA-25:08/openssl-13.patch.asc +# gpg --verify openssl-13.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 4d6fd774b5b3 stable/15-n280387 +stable/14/ 270158508d7c stable/14-n272541 +releng/14.3/ 75d258af9fe9 releng/14.3-n271446 +releng/14.2/ 6a0d914d9c3e releng/14.2-n269537 +stable/13/ c0dbaf2b5dbd stable/13-n259448 +releng/13.5/ ae7c74cfa531 releng/13.5-n259178 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://openssl-library.org/news/secadv/20250930.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9230> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9231> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9232> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:08.openssl.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmjb+z4ACgkQbljekB8A +Gu8kgA//TsqChpypUuth9KRbWpU0noUkxkbIS1CI1YYRmZn6GF52YNhe9enKN4Gc +PeUSZOsfbABv0UGfUPbaD4VifGni/ss/bhSK5nzmfbOLDbnOX1oodLVNhspDjv9K +kJPz7C3zzUrNchCZzDRvrulMXeoYOKmqY/Mc0VViXqeg2k6IqXlCPm62jFc4Glpw +g0pvTyXNhbebuP/XGGYq4nQW2ZUX+Z6yvKqCn8d/7YHRRb48KP7c5LCryUU3UdQa +pjcHX0U8dYsJlQIqWH7HPn9RrWX87EN5v7csZN+fV030lgtnsTsFRK3TxrdTTvxt +JgyNQVXy/RTmd1tQLo1dVZRjdav5MBYVBxgmweL54VcPYngTZWjEY7HjUr0WWU32 +1Fhf7Bs4q+vWalDkyA8nxyXPG4Lq018yRRxwKebsRy2fm5SqlJSK5g7TNRvo0QfM +LnfZItuya9flw6r3I9ypjKaY1WAz5Kzt83yr2be7GzLEDCuCd882JeYwmqyRnUKQ ++/IPbE7VM3oK7lzJfVuKyRxWPXWLxAaEDKNTafSNWfsz/TolyBxsF6obYaZOkw1C +mstsaaMnHdV9+GktwavCRVV6M0WK4o7xvn1nUSHPwKWpq4dfjH7syujeO483+pz3 +tZoLEkWhaNn3KmIQKbl+t+CjzDRoshzZg6Xl1UVoZvrtOyX/IUY= +=nUv2 +-----END PGP SIGNATURE----- |
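Review bot: In FreeBSD-EN-25:18 (first hunk), section V "Solution" step 1) should say explicitly on which system, and at which point, the fix has to be applied. Sections II and III establish that the bug is in freebsd-update(8) itself and only bites when that tool is used to upgrade a 13.x or 14.x host to 15.0, and section IV notes that in-branch errata installs (including this one) are unaffected; a reader following "# freebsd-update fetch / # freebsd-update install" is not told that these commands must be run on the 13.x/14.x system, and the corrected freebsd-update(8) be in place, before the release upgrade to 15.0 is attempted. One sentence after the two commands, along the lines of "Apply this erratum on the 13.x or 14.x system before using freebsd-update(8) to upgrade it to 15.0", would close that gap.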
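Review bot: In FreeBSD-SA-25:08 (second hunk), section IV "Workaround" states "No workaround is available", yet the Impact text for CVE-2025-9232 lists "the user has to have a 'no_proxy' environment variable set" as a precondition, which reads as an environment-level mitigation for that one issue. Either section IV should spell out why unsetting "no_proxy" for affected applications is not considered a workaround, or it should name it as a partial mitigation for CVE-2025-9232 only, so that "Several of the issues have mitigating factors. Please see the Impact section" does not leave the reader to infer it. Separately, the patch labels in step 2a) read "[FreeBSD 15.x]", "[FreeBSD 14.x]" and "[FreeBSD 13.5]"; since the Affects lines and the correction table refer to 13.x/releng/13.5, consider labelling the last one consistently with the others or noting that 13.5 is the only supported 13.x release.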