diff --git a/website/content/en/status/report-2024-07-2024-09/code-audit.adoc b/website/content/en/status/report-2024-07-2024-09/code-audit.adoc new file mode 100644 --- /dev/null +++ b/website/content/en/status/report-2024-07-2024-09/code-audit.adoc @@ -0,0 +1,26 @@ +=== Capsicum and Bhyve Code Audit + +Contact: Ed Maste +Contact: Pierre Pronchery + +With the support of the link:https://alpha-omega.dev/[Alpha-Omega project], the FreeBSD Foundation undertook code audits of two important subsystems - the bhyve hypervisor, and the Capsicum sandboxing framework. +In addition to uncovering vulnerabilities in these systems to correct, the audits look to identify classes of vulnerabilities and/or suboptimal coding practices that we can look to address across the project. + +The Foundation interviewed several firms, and selected Synacktiv to perform the audit. +A number of issues with critical and high severity were identified, which have been fixed as documented in security advisories: + +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc[FreeBSD-SA-24:09.libnv] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc[FreeBSD-SA-24:10.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc[FreeBSD-SA-24:11.ctl] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc[FreeBSD-SA-24:12.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc[FreeBSD-SA-24:14.umtx] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc[FreeBSD-SA-24:15.bhyve] +* link:https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc[FreeBSD-SA-24:16.libnv] + +Fixes are in progress for a number of lower-severity issues. +The code audit report will be shared in the near future, after issues above a severity threshold have been addressed. +The FreeBSD Foundation will also publish a report including commentary on the impact of the Synacktiv code audit report, classes of vulnerabilities identified, and lessons learned. + +More information is available in the link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD[Alpha-Omega repository]. + +Sponsor: The FreeBSD Foundation