diff --git a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc
index 91d9cb0447..a724f566d8 100644
--- a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc
+++ b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc
@@ -1,191 +1,191 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-24:01.tzdata Errata Notice
The FreeBSD Project
Topic: Timezone database information update
Category: contrib
Module: zoneinfo
Announced: 2024-02-14
Affects: All supported versions of FreeBSD
Corrected: 2024-02-05 00:30:01 UTC (stable/14, 14.0-STABLE)
2024-02-14 06:21:06 UTC (releng/14.0, 14.0-RELEASE-p5)
- 2024-02-05 00:30:42 UTC (stable/13, 13.2-STABLE)
+ 2024-02-05 00:30:42 UTC (stable/13, 13.3-STABLE)
2024-02-14 06:27:47 UTC (releng/13.2, 13.2-RELEASE-p10)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
I. Background
The IANA Time Zone Database (often called tz or zoneinfo) contains code and
data that represent the history of local time for many representative
locations around the globe. It is updated periodically to reflect changes
made by political bodies to time zone boundaries, UTC offsets, and
daylight-saving rules.
Leap seconds are occasional adjustments added to -- or potentially subtracted
from -- Coordinated Universal Time (UTC). An authoritative list of leap
second adjustments is maintained by the International Earth Rotation and
Reference Systems Service (IERS).
FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
The tzsetup(8) utility allows the user to specify the default local time
zone. Based on the selected time zone, tzsetup(8) copies one of the files
from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected
for an individual process by setting its TZ environment variable to a desired
time zone name.
The latest list of leap seconds at the time of release is installed on FreeBSD
in /var/db/ntpd.leap-seconds.list. The startup rc(8) scripts of the ntpd(8)
Network Time Protocol implementation included in the FreeBSD base system can
periodically download an updated leap-seconds.list file from configurable
internet sites.
II. Problem Description
Several changes to future and past timestamps have been recorded in the IANA
Time Zone Database after previous FreeBSD releases were released. This
affects many users in different parts of the world. Because of these
changes, the data in the zoneinfo files need to be updated. If the local
timezone on the running system is affected, tzsetup(8) needs to be run to
update /etc/localtime.
In the default configuration, the ntpd(8) startup script included with FreeBSD
checks for an updated leap-seconds.list on the IETF's web server. As of 2023,
the IETF no longer distributes a copy of this file.
III. Impact
An incorrect time will be displayed on a system configured to use one of the
affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system time,
such as cron(8) and syslog(8), will be affected.
With the default configuration, FreeBSD systems cannot file updates to the
installed leap-seconds.list file. Since no leap second was introduced at the
end of 2023, the leap-seconds.list file included with all supported FreeBSD
releases is still accurate. Moreover, ntpd(8) is able to receive updated leap
second information from its peers. However, a diagnostic warning about an
expired leap-seconds.list is printed at startup.
IV. Workaround
The system administrator can install an updated version of the IANA Time Zone
Database from the misc/zoneinfo port and run tzsetup(8).
Applications that store and display times in Coordinated Universal Time (UTC)
are not affected.
The ntpd(8) startup script can be configured to download an updated
leap-seconds.list file from IERS with the following rc.conf(5) setting:
ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list"
Larger sites, or sites without reliable connectivity to the internet, may wish
to point to their locally maintained copy of this file.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Please note that some third party software, for instance PHP, Ruby, Java,
Perl and Python, may be using different zoneinfo data sources, in such cases
this software must be updated separately. Software packages that are
installed via binary packages can be upgraded by executing 'pkg upgrade'.
Following the instructions in this Errata Notice will only update the IANA
Time Zone Database installed in /usr/share/zoneinfo.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
Restart all the affected applications and daemons, or reboot the system.
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch
# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch.asc
# gpg --verify tzdata-2024a.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart all the affected applications and daemons, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 26fe22019cb2 stable/14-n266642
releng/14.0/ a3b7bafd2acc releng/14.0-n265409
stable/13/ f4256acec1c9 stable/13-n257384
releng/13.2/ 66bb668fe5f2 releng/13.2-n254660
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYP4ACgkQbljekB8A
-Gu8lBxAA6XgVr3mwvCPgeu8UFa8OeIJzIBgCDv5QFD9BL5NjK5TQuUtc/EqFeuIp
-wSR+KC5Lc/NCsi3fX85M4ZI6HnsTBwOVQ5t7xhYxmQvBmzeZWz02UfGIVLuU6/JG
-mYjpRRCx1yEyUntzfuXEYNsCLkGWYLuydBfFsL+6tN587dk7A/rRMyzdEDsKApGE
-GcP5N7/cKaxNCoDSJonLpX0AbsoQRQJeyhVFgtKWnbPKW9yTeEAZEIG2jqlqOX5O
-JQ4Ih3nj4Y4IVVSwPyO5eZYtTc1N1MMixJct63yM4C8IHjCFnxfPASz6+9s8DcAx
-BwezcAogXJ0ERuohJe2SXPayEUPqrcPAUXQfwO8kPvAX7VrF97cwfyPY6sf9j7gw
-qtHX2e9OPt+oMbXOzgvnIt/p6OZ4SHpfDpiSIIJqk0f+w+qVPeRDKa2SUjWEGphc
-GS1wQc+lXqwvlm2DknpESRDOF6nLQfgSm1IFOWin/10kf6mFQR4RnK0lxP2rwZgQ
-s1VKhA8zPLrXhB4z/OJod7F2R5nXXfqQwlCmWC8RQjL7T7Bz7NEAIU9zwqIPAQb5
-DTtCBe4dYBt6eeYPFQ8EjD3BfYzqJyT2rXQtnwl9Je/foHqZ6pJrFbQool81aRkq
-aCo/OKuzUKNnOLsLwyTTsO/kTqL1ryW/CiFHz7XhD2Y8+YqwOHE=
-=7Xjc
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMY7QACgkQbljekB8A
+Gu+fHhAAmDag450+55aZqz9vmY6yEr9gLH0h6Y+yJpvNegzIXaBT+bltNiuO60Dt
+r5N/Q9W5Ovwk2cER+jkZ7jvsY6YCtj1lWlv7w9jW2yRNkhDYwY3NBANgEueUsVww
+fsZq9lkhQjrtsWnygCSdd+6qj7FZ0ufs53rs35bYxt0/aYx510wBQ6+i6eV0kS2C
+2fSWX26/feCHsjd1wyWSvrw7xA1eq8YxVc1Psx8hCYnqOSxuVhL/PpmP1EXl+gF0
+VBHdnmVMibDGRYpiBKxZD+LGCt/KD2oyBEtCXHohkXmIGhouojeSolL7f8IG25ZM
+HW0HjKQSTozcjADl4HQpEE7DIYcxc9O2hW2l6WoEf7KAOitsq7nMQHMVp5qd1BsJ
+24NihZJ4LNDCpzC4C0jpX9FpKwzrWjldVCBSMCVTZCo2MW+7WXNNDX4TbN66CPqN
+cl8bnBCs9Znn6/JrkBR1Bf5TFrGpowEBw9sMVzp4S/QnZkT14mLgV6wlBq8WYmDz
+aspdBTq8GWLekl4wIiCKFBV+C3KluPSDlnFF2utcXNZuBVyXyke2Bxsuul7vXnE8
+nTWwegaWWRg3ki9Lnk3dtxN3/5EQ4KfJZdfouT9DwRt3/Ja0aWqkc4GU9L4K8GkL
+ag2CzVlnUiqjsOplONpoKqYrg5vqLfdojOshCs42cNZco5r3USw=
+=OaBj
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc
index 6b40af77f9..efcec789e0 100644
--- a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc
+++ b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc
@@ -1,137 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-24:02.tty Security Advisory
The FreeBSD Project
Topic: jail(2) information leak
Category: core
Module: jail
Announced: 2024-02-14
Credits: Pawel Jakub Dawidek
Affects: All supported versions of FreeBSD.
Corrected: 2024-02-12 16:25:54 UTC (stable/14, 14.0-STABLE)
2024-02-14 06:05:46 UTC (releng/14.0, 14.0-RELEASE-p5)
- 2024-02-12 16:27:37 UTC (stable/13, 13.2-STABLE)
+ 2024-02-12 16:27:37 UTC (stable/13, 13.3-STABLE)
2024-02-14 06:06:01 UTC (releng/13.2, 13.2-RELEASE-p10)
CVE Name: CVE-2024-25941
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
tty(4) is a general terminal device.
II. Problem Description
The jail(2) system call has not limited a visiblity of allocated TTYs
(the kern.ttys sysctl). This gives rise to an information leak about
processes outside the current jail.
III. Impact
Attacker can get information about TTYs allocated on the host or in other
jails. Effectively, the information printed by "pstat -t" may be leaked.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch
# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch.asc
# gpg --verify tty.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 215bb03edc54 stable/14-n266676
releng/14.0/ 4d354159d150 releng/14.0-n265407
stable/13/ 9bff7ec98354 stable/13-n257418
releng/13.2/ 17257e6e9a23 releng/13.2-n254658
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRMACgkQbljekB8A
-Gu8C7hAAxXasfu+Xn3+voOk5pJvFJd6jWA1ZCvR83YnIqAGibiWvNaMdsdfe4k6x
-eEoaQ6maYYu/wjXMZ0HbapTuJPRxwrcG7i2mZ52vSm9glSZO87Lw3oWVIV7eRPpN
-pFJtR5bUXns1/dWQgcgFMc/4nNk7NO6gamuK/uwfrDF0aQsYif5pX5DmhkOD/CnQ
-CjPWhv6FT94qzUiQrZLSWjCIe/rhNbmbLkhyck4MZP+1aILxsb+BHSaEeBzej2+S
-8WisLPKlTwNgpA+DN+sLn28gR1+0Vd5rAv7gvcbWHE3VNvq0ABTwRoZFA4SzHEhL
-BNkwMJnMJyR7qj1jWCmfrHptIPpSXtNIvh70yts5/+9nPBDkAYV9U+nJYQTZ40+U
-Mn1OfN4ioRfB7bOjVA4J6Ncws4M2ttcOEyk+d8Egd5/7njOGC1sqX0F4FXAtioZF
-JATTBd09J9TTZvX5xz6JdK8ZHKc+xtxYiBYg4WQTyVcPg38ONpYarSIQ6XYnNSyP
-0Cv1ih5DpxzdEBA+Pu4+dJmZSlyNOJXpmlPKgyiUX0Z085ZqHTMvAXQQS/M7MXai
-06d2YnZx4XfGoAhCXZKyvE6J6btiy+t8QNx14tEdtD/ktzAmB3EYHOuuPEFoS44Y
-8tafKE9ps5AgWtqXvK7H5NKMwtb9Ry60WSAFfgn0LoFmw8UyBjg=
-=HQVb
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMY8YACgkQbljekB8A
+Gu8vuQ//VNUQjTgpzQhgctLldORwlkshwsHjGgGYdnQqidPk7gznBEHsngKUgZdx
+ocXJ/IkDrzUJ3djm+5qa/3c1sCFrKXV77vtOsVU53SSgbCJdtGi40uE4TXFtPzjQ
+otdGqQtgzxspx9Z2oJkBqugmfdcMXiE4+FQBTuvkCS0xAoMBcP1iVoXBQCPyWe8b
+xGZ/ZDznso+75//Eaj1Szgsh4lZi5M11vDeFKpH4pO3f2O0f/ge1Wtju8EaE0zJQ
+cLPCcJTRPXMUnpYt97dCeHgeNoXfjtDSf2XJGl86z1QZ4OBx2VNcpalF6YZtUxAx
+LJh5hwXXbLgknSHVctqCecaMz+D7xSX2/pxkjbFflBeZznIJJkmQjStUSUE5Ldad
+O8lfcDe5ZmhVWD9o05ccqr8pa2EBkeSL5hDLyatVA3T7UxRlZpfaPnnvvglen1kI
+WJo3ciUMp/iSuFp6Dpy/zg5S7DYc5MM3ifWDW5Sd5X2jvuTDAhz98U0gTtKD8BuB
+RyGkL46bHculeQO7c4Q/Cd//4h/VOmGpj54ag8sJS6AZ515j1OVmxeFwmNClR2VK
+SHbEP8B/vRI8ek1Ja1CY8RghFJ/v9qkntapfpmP7NLDqgKe1htqDz4KHR12NUQjE
+hUHAkOJ8bFS+lJG0lrci2gfmmAUQTh5csw0GA4QEUH0nHLRqW/Y=
+=dMqk
-----END PGP SIGNATURE-----