<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/secure, branch releng/14.2</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.2</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.2'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2025-04-10T14:38:58Z</updated>
<entry>
<title>caroot: update the root bundle</title>
<updated>2025-04-10T14:38:58Z</updated>
<author>
<name>Michael Osipov</name>
<email>michaelo@FreeBSD.org</email>
</author>
<published>2025-03-07T18:58:55Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=23d06bb83d0a189e8903526257dd6b556da89d69'/>
<id>urn:sha1:23d06bb83d0a189e8903526257dd6b556da89d69</id>
<content type='text'>
Summary:
- Seven (7) new roots
- Four (4) distrusted roots
- Fifteen (15) removed (expired) roots

Approved by:	so
Security:	FreeBSD-EN-25:08.caroot
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D49294

(cherry picked from commit 0100da4deb96e15acf72d7655127c6faafa4148f)
(cherry picked from commit 7577dae4d67216c602dc11e2388d190a2c9dc9ff)
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.16</title>
<updated>2025-04-10T14:38:58Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-03-14T06:40:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=862cd6b8fa9df7057bad47d01ccaf36a959e9166'/>
<id>urn:sha1:862cd6b8fa9df7057bad47d01ccaf36a959e9166</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Approved by:	so
Security:	FreeBSD-EN-25:07.openssl
Differential Revision:  https://reviews.freebsd.org/D49296
Differential Revision:	https://reviews.freebsd.org/D49297

(cherry picked from commit 0d0c8621fd181e507f0fb50ffcca606faf66a8c2)
(cherry picked from commit cb29db243bd09d16604435639ae43ef7af0ea254)
(cherry picked from commit d2a55e6a9348bb55038dbc6b727ab041085f22db)
(cherry picked from commit 0d61082e3c64a43f52ec5f1bf3d85671d97d9514)
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.15.</title>
<updated>2024-09-28T03:50:47Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2024-09-08T04:30:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=cc43f991ab3e46ec16f3f1395160805f01bf932e'/>
<id>urn:sha1:cc43f991ab3e46ec16f3f1395160805f01bf932e</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by:	gordon
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'

(cherry picked from commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09)

Update config/build info for OpenSSL 3.0.15

This is a companion commit to the OpenSSL 3.0.15 update.

`opensslv.h` was regenerated via the following process:

```
cd crypto/openssl
./config
git reset --hard
gmake include/openssl/opensslv.h
```

`Makefile.inc` has been updated to match.

MFC after:	1 week
MFC with:	a7148ab39c03abd4d1a84997c70bf96f15dd2a09
Differential Revision:	https://reviews.freebsd.org/D46603

(cherry picked from commit cc717b574d7faa2e0b2de1a985076286cef74187)

sys/crypto/openssl: update powerpc* ASM

This change updates the crypto powerpc* ASM via the prescribed process
documented in `crypto/openssl/FREEBSD-upgrade`.

This change syncs the ASM with 3.0.15's generated ASM.

MFC after:	1 week
MFC with:	a7148ab39c03abd4d1a84997c70bf96f15dd2a09
MFC with:	cc717b574d7faa2e0b2de1a985076286cef74187
Differential Revision:	https://reviews.freebsd.org/D46604

(cherry picked from commit 77864b545b0aaa91bc78b1156c477825007a6233)
</content>
</entry>
<entry>
<title>openssl: Remove fips module from base system.</title>
<updated>2024-09-07T04:17:19Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2024-08-04T21:10:46Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3d8501d90e246602a6343a760f6ac8d9e2730306'/>
<id>urn:sha1:3d8501d90e246602a6343a760f6ac8d9e2730306</id>
<content type='text'>
To comply with FIPS 140 guidance, you must be using a specifically
validated and approved version of the fips module. Currently, only
OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140
validation. As such, we need to stop shipping later versions of the
module in the base system.

Differential Revision: https://reviews.freebsd.org/D46223

(cherry picked from commit 86dd740dd73aa88477ff450b2359abda1ad68534)
</content>
</entry>
<entry>
<title>Update config/build info for OpenSSL</title>
<updated>2024-06-29T20:29:19Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2024-06-26T23:41:47Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=dd43e907c7c0caec8867e42fa1fcfea4ac4c87f6'/>
<id>urn:sha1:dd43e907c7c0caec8867e42fa1fcfea4ac4c87f6</id>
<content type='text'>
This is a companion commit to the OpenSSL 3.0.14 update.

MFC after:      3 days
MFC with:       44096ebd22ddd0081a357011714eff8963614b65

(cherry picked from commit 303596eac3f5a7fed63f1084028d811919d37eaf)
</content>
</entry>
<entry>
<title>ossl: Move arm_arch.h to a common subdirectory</title>
<updated>2024-03-29T13:53:05Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2023-12-04T17:29:11Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0b9dffed30bad28cf9b9d356480f38065db3051f'/>
<id>urn:sha1:0b9dffed30bad28cf9b9d356480f38065db3051f</id>
<content type='text'>
OpenSSL itself keeps only a single copy of this header.  Do the same in
sys/crypto/openssl to avoid the extra maintenance burden.  This requires
adjusting the include paths for generated asm files.

No functional change intended.

Reported by:	jrtc27
Reviewed by:	jhb
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D42866

(cherry picked from commit e655cc70dfcda5cfedb5a1d9bef1e87d55519f64)
</content>
</entry>
<entry>
<title>caroot: routine update</title>
<updated>2024-02-13T19:14:51Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2024-02-11T06:33:12Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9fc1d78e39d5a56e3041e11898b14cfb9a3e8a47'/>
<id>urn:sha1:9fc1d78e39d5a56e3041e11898b14cfb9a3e8a47</id>
<content type='text'>
Changes:
- One (1) modified
- Eight (8) added
- One (1) expired, now untrusted

MFC after:	3 days

(cherry picked from commit 0d3b2bdbf719ac6b5719a47387558ca9c34a4b2c)
</content>
</entry>
<entry>
<title>OpenSSL: Update version strings</title>
<updated>2024-02-05T16:06:08Z</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2024-02-03T00:34:36Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e72329a4e8a57c49334377670151ce77776abf74'/>
<id>urn:sha1:e72329a4e8a57c49334377670151ce77776abf74</id>
<content type='text'>
Reported by:	"Herbert J. Skuhra" &lt;herbert@gojira.at&gt;
Fixes:		9eb4e0b42d7c

(cherry picked from commit 74fe298c8299fdb8c8f761728ddd245b0c3fe04a)
</content>
</entry>
<entry>
<title>ssh: Update to OpenSSH 9.6p1</title>
<updated>2024-01-07T19:31:11Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2024-01-05T03:16:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a25789646d7130f5be166cac63d5c8b2b07c4706'/>
<id>urn:sha1:a25789646d7130f5be166cac63d5c8b2b07c4706</id>
<content type='text'>
From the release notes,

&gt; This release contains a number of security fixes, some small features
&gt; and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol.  The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
</content>
</entry>
<entry>
<title>Track upstream project rename in contrib/blocklistd</title>
<updated>2024-01-07T19:31:11Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-10-11T19:27:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=53a984a36f3c27f3e272ea6a8f5efa49ad0c2685'/>
<id>urn:sha1:53a984a36f3c27f3e272ea6a8f5efa49ad0c2685</id>
<content type='text'>
Upstream is now https://github.com/zoulasc/blocklist/.  Rename the
contrib directory and update Makefiles to match, in advance of the next
vendor branch update.

Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 5f4c09dd85bff675e0ca63c55ea3c517e0fddfcc)
</content>
</entry>
</feed>
