<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch releng/13.2</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.2</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.2'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2024-07-01T08:54:52Z</updated>
<entry>
<title>Add UPDATING entries and bump the branch version.</title>
<updated>2024-07-01T08:54:52Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2024-07-01T08:54:52Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f0cf0b8266eef39b13917f7bed808daf6d6a2d3e'/>
<id>urn:sha1:f0cf0b8266eef39b13917f7bed808daf6d6a2d3e</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>openssh: Fix pre-authentication remote code execution in sshd.</title>
<updated>2024-07-01T08:27:37Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2024-07-01T08:20:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=99ad94894edf0585bc8c5a2b2a6eb7162db29a34'/>
<id>urn:sha1:99ad94894edf0585bc8c5a2b2a6eb7162db29a34</id>
<content type='text'>
Reported by:	Qualys Threat Research Unit (TRU)
Approved by:	so
Security:	FreeBSD-SA-24:04.openssh
Security:	CVE-2024-6387

(cherry picked from commit 2abea9df01655633aabbb9bf3204c90722001202)
(cherry picked from commit 25cf430cd551158135ef6f0c1aadf273ff3430c9)
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump the branch version.</title>
<updated>2024-03-28T05:01:26Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2024-03-28T03:08:55Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f5ac4e174fdd3497749e351c27aafb34171c5730'/>
<id>urn:sha1:f5ac4e174fdd3497749e351c27aafb34171c5730</id>
<content type='text'>
Approved by:    so
</content>
</entry>
<entry>
<title>unbound: Vendor import 1.19.1</title>
<updated>2024-03-28T05:01:16Z</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2023-09-19T04:17:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d9d90e5e42f6a1385d8f1b06297058a37647b1bc'/>
<id>urn:sha1:d9d90e5e42f6a1385d8f1b06297058a37647b1bc</id>
<content type='text'>
Release notes at
    https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/

Security:	CVE-2023-50387, CVE-2023-50868
Security:	FreeBSD-SA-24:03.unbound
Approved by:    so

(cherry picked from commit 8f76bb7dad48538c6832c2fb466a433d2a3f8cd5)
(cherry picked from commit 4f4adb0576dfbcd0d956db0146c9de7e1bb71563)
(cherry picked from commit 948e11aaf420cd7d493cc2e118cacc06d18653fe)
(cherry picked from commit f5a091c1f6a068cdc5c3bd23536830de9dfe7b84)
(cherry picked from commit 6e71235e558ef579605e7f35b02f983b9a246a4a)
(cherry picked from commit 64ac3bca3a6ec8510ae7175cbdd73aa594756e2a)
(cherry picked from commit 103ba509e72e3949d22485666949e9705d4af8cd)
(cherry picked from commit 2bdab519a5c9822571d005c62adec484cf65c2e7)
(cherry picked from commit 5aab39b24ce7437265b94461ffdd9b12c0723658)
(cherry picked from commit a077e95570d9cef9882be688dc28303b6257cfd0)
(cherry picked from commit 67267734315c6a48db31697f0a0669fa1f985969)
(cherry picked from commit 17b51a12dca08f5126600e11181cee9454884e02)
(cherry picked from commit b76ef9a7cb8a7c62d10ae8101f41014f34819174)
(cherry picked from commit abe4ced2b9de0a3dd44d7e2068cfd7fa2b428c16)
</content>
</entry>
<entry>
<title>if_wg: use proper barriers around pkt-&gt;p_state</title>
<updated>2024-03-28T03:05:58Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2024-03-15T01:19:18Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8f1f4e60ceb9b8e5eddd54cf1fde62944f56eaa4'/>
<id>urn:sha1:8f1f4e60ceb9b8e5eddd54cf1fde62944f56eaa4</id>
<content type='text'>
Without appropriate load-synchronization to pair with store barriers in
wg_encrypt() and wg_decrypt(), the compiler and hardware are often
allowed to reorder these loads in wg_deliver_out() and wg_deliver_in()
such that we end up with a garbage or intermediate mbuf that we try to
pass on.  The issue is particularly prevalent with the weaker
memory models of !x86 platforms.

Switch from the big-hammer wmb() to more explicit acq/rel atomics to
both make it obvious what we're syncing up with, and to avoid somewhat
hefty fences on platforms that don't necessarily need this.

With this patch, my dual-iperf3 reproducer is dramatically more stable
than it is without on aarch64.

PR:		264115
Reviewed by:	andrew, zlei
Approved by:	so
Security:	FreeBSD-EN-24:06.wireguard

(cherry picked from commit 3705d679a6344c957cae7a1b6372a8bfb8c44f0e)
(cherry picked from commit 806e51f81dbae21feb6e7ddd95d2ed2a28b04f8f)
</content>
</entry>
<entry>
<title>kern: fix panic with disabled ttys</title>
<updated>2024-03-28T03:05:12Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2024-02-26T15:38:45Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f3195cc08ccc99365ec00900a3c1abc59ceefc9c'/>
<id>urn:sha1:f3195cc08ccc99365ec00900a3c1abc59ceefc9c</id>
<content type='text'>
PR: 277240, 277329
Reviewed by: kib (earlier version)
Fixes: f1d0a0cbecf2 ("jail: Fix information leak.")
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44086
Approved by:	so
Security:	FreeBSD-EN-24:05.tty

(cherry picked from commit 975d7730828a8bde28c2a0092b6e95c4c4e22f34)
(cherry picked from commit 8d22744f5be165a2a82a2a204789e44bbdc5a2ee)
(cherry picked from commit a60220bbb5511469fe53fd4290713ba891f8f48a)
</content>
</entry>
<entry>
<title>rc.conf: correct $ntp_leapfile_sources</title>
<updated>2024-02-14T06:25:56Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2023-12-07T05:48:13Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a839681443b6662571d6b90732baae364c97e9d9'/>
<id>urn:sha1:a839681443b6662571d6b90732baae364c97e9d9</id>
<content type='text'>
IETF is no longer serving leap-seconds.list.  Update to the canonical place.

This fixes "service ntpd fetch".

IERS is the source of truth for leap seconds. Their leapsecond file is
updated most quickly and is always right (unlike the IANA one which
often lags). IERS operates this public service for the express purpose
of random people downloading it. Their terms of service are compatible
with open source (we could include this in our release). Rather than
fighting with questions around this because the IANA one changed
locations or the auto update script broke, just use this.

This is in preference to the NIST ftp copy. NIST is in the process of
retiring their FTP services.

Sponsored by:		Netflix
Reviewed by:		philip, delphij, cy
Differential Revision:	https://reviews.freebsd.org/D43752

(cherry picked from commit b1c95af45488bef649e9a84890e2414ff80b3a00)
(cherry picked from commit 74a8c6da4f28e691c169aa502713a5aaebc00584)
(cherry picked from commit 11da791920ba285f0832f09cb504ac81e35ff8d1)
(cherry picked from commit 0eea8292ae8c8e9119520ce54aa82cae491d83b9)

Security:       FreeBSD-EN-24:01.tzdata
Approved by:    so (gordon)
</content>
</entry>
<entry>
<title>periodic/daily/480.leapfile-ntpd: only attempt to refresh leap-seconds.list</title>
<updated>2024-02-14T06:25:34Z</updated>
<author>
<name>Xin LI</name>
<email>delphij@FreeBSD.org</email>
</author>
<published>2023-12-03T07:00:32Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=66bb668fe5f2561844f5b79251ea42e1bfce9aee'/>
<id>urn:sha1:66bb668fe5f2561844f5b79251ea42e1bfce9aee</id>
<content type='text'>
when ntpd is enabled.

The leap-seconds.list is used exclusively by ntpd, therefore, do not bother
to perform the fetch when ntpd is not enabled.

PR:		conf/275419
Reviewed by:	cy, michaelo, imp
Differential Revision: https://reviews.freebsd.org/D42875

(cherry picked from commit 3b3195f6767b39eb33b3523134ef988931c9c86d)
(cherry picked from commit 3ef596c6e80562710da09c16558d7351749ea143)

Security:       FreeBSD-EN-24:01.tzdata
Approved by:    so (gordon)
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump the branch version.</title>
<updated>2024-02-14T06:03:19Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2024-02-14T06:03:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=326f58eade217010f78f1f70ff76e0565bfae2b8'/>
<id>urn:sha1:326f58eade217010f78f1f70ff76e0565bfae2b8</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>jail: Fix information leak.</title>
<updated>2024-02-14T05:48:47Z</updated>
<author>
<name>Pawel Jakub Dawidek</name>
<email>pjd@FreeBSD.org</email>
</author>
<published>2024-01-17T17:43:55Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=17257e6e9a233df4b18116b8cec98537f8bb0e20'/>
<id>urn:sha1:17257e6e9a233df4b18116b8cec98537f8bb0e20</id>
<content type='text'>
There is a lack of proper visibility checking in the kern.ttys sysctl handler
which leads to an information leak about processes outside the current jail.

This can be demonstrated with pstat -t: when called from within a jail,
it will output all terminal devices including process groups and
session leader process IDs:

	jail# pstat -t | grep pts/ | head
	      LINE   INQ  CAN  LIN  LOW  OUTQ  USE  LOW   COL  SESS  PGID STATE
	     pts/2  1920    0    0  192  1984    0  199     0  4132 27245 Oi
	     pts/3  1920    0    0  192  1984    0  199    16 24890 33627 Oi
	     pts/5     0    0    0    0     0    0    0    25 17758     0 G
	    pts/16     0    0    0    0     0    0    0     0 52495     0 G
	    pts/15     0    0    0    0     0    0    0    25 53446     0 G
	    pts/17     0    0    0    0     0    0    0  6702 33230     0 G
	    pts/19     0    0    0    0     0    0    0    14  1116     0 G
	     pts/0     0    0    0    0     0    0    0     0  2241     0 G
	    pts/23     0    0    0    0     0    0    0    20 15639     0 G
	     pts/6     0    0    0    0     0    0    0     0 44062 93792 G
	jail# pstat -t | grep pts/ | wc -l
	      85

Devfs does the filtering correctly and we get only one entry:

	jail# ls /dev/pts/
	2

Approved by:	mzaborski, secteam
MFC after:	1 week
Sponsored by:	Fudo Security
Approved by:	so
Security:	FreeBSD-SA-24:02.tty
Security:	CVE-2024-25941

(cherry picked from commit f1d0a0cbecf2c688061f35adea85bfb29c9ec893)
(cherry picked from commit a376108029a20f4ce51476d98f2483a7008ce7b5)

(cherry picked from commit 41ac0b4ce00bae061164384f23356a4df6e0e695)
(cherry picked from commit 9bff7ec98354a76c171905ce9530f85685725ee7)
</content>
</entry>
</feed>
