diff --git a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc index 91d9cb0447..a724f566d8 100644 --- a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc +++ b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc @@ -1,191 +1,191 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-24:01.tzdata Errata Notice The FreeBSD Project Topic: Timezone database information update Category: contrib Module: zoneinfo Announced: 2024-02-14 Affects: All supported versions of FreeBSD Corrected: 2024-02-05 00:30:01 UTC (stable/14, 14.0-STABLE) 2024-02-14 06:21:06 UTC (releng/14.0, 14.0-RELEASE-p5) - 2024-02-05 00:30:42 UTC (stable/13, 13.2-STABLE) + 2024-02-05 00:30:42 UTC (stable/13, 13.3-STABLE) 2024-02-14 06:27:47 UTC (releng/13.2, 13.2-RELEASE-p10) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The IANA Time Zone Database (often called tz or zoneinfo) contains code and data that represent the history of local time for many representative locations around the globe. It is updated periodically to reflect changes made by political bodies to time zone boundaries, UTC offsets, and daylight-saving rules. Leap seconds are occasional adjustments added to -- or potentially subtracted from -- Coordinated Universal Time (UTC). An authoritative list of leap second adjustments is maintained by the International Earth Rotation and Reference Systems Service (IERS). FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. The tzsetup(8) utility allows the user to specify the default local time zone. Based on the selected time zone, tzsetup(8) copies one of the files from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected for an individual process by setting its TZ environment variable to a desired time zone name. The latest list of leap seconds at the time of release is installed on FreeBSD in /var/db/ntpd.leap-seconds.list. The startup rc(8) scripts of the ntpd(8) Network Time Protocol implementation included in the FreeBSD base system can periodically download an updated leap-seconds.list file from configurable internet sites. II. Problem Description Several changes to future and past timestamps have been recorded in the IANA Time Zone Database after previous FreeBSD releases were released. This affects many users in different parts of the world. Because of these changes, the data in the zoneinfo files need to be updated. If the local timezone on the running system is affected, tzsetup(8) needs to be run to update /etc/localtime. In the default configuration, the ntpd(8) startup script included with FreeBSD checks for an updated leap-seconds.list on the IETF's web server. As of 2023, the IETF no longer distributes a copy of this file. III. Impact An incorrect time will be displayed on a system configured to use one of the affected time zones if the /usr/share/zoneinfo and /etc/localtime files are not updated, and all applications on the system that rely on the system time, such as cron(8) and syslog(8), will be affected. With the default configuration, FreeBSD systems cannot file updates to the installed leap-seconds.list file. Since no leap second was introduced at the end of 2023, the leap-seconds.list file included with all supported FreeBSD releases is still accurate. Moreover, ntpd(8) is able to receive updated leap second information from its peers. However, a diagnostic warning about an expired leap-seconds.list is printed at startup. IV. Workaround The system administrator can install an updated version of the IANA Time Zone Database from the misc/zoneinfo port and run tzsetup(8). Applications that store and display times in Coordinated Universal Time (UTC) are not affected. The ntpd(8) startup script can be configured to download an updated leap-seconds.list file from IERS with the following rc.conf(5) setting: ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list" Larger sites, or sites without reliable connectivity to the internet, may wish to point to their locally maintained copy of this file. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Please note that some third party software, for instance PHP, Ruby, Java, Perl and Python, may be using different zoneinfo data sources, in such cases this software must be updated separately. Software packages that are installed via binary packages can be upgraded by executing 'pkg upgrade'. Following the instructions in this Errata Notice will only update the IANA Time Zone Database installed in /usr/share/zoneinfo. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all the affected applications and daemons, or reboot the system. 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch # fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch.asc # gpg --verify tzdata-2024a.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all the affected applications and daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 26fe22019cb2 stable/14-n266642 releng/14.0/ a3b7bafd2acc releng/14.0-n265409 stable/13/ f4256acec1c9 stable/13-n257384 releng/13.2/ 66bb668fe5f2 releng/13.2-n254660 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYP4ACgkQbljekB8A -Gu8lBxAA6XgVr3mwvCPgeu8UFa8OeIJzIBgCDv5QFD9BL5NjK5TQuUtc/EqFeuIp -wSR+KC5Lc/NCsi3fX85M4ZI6HnsTBwOVQ5t7xhYxmQvBmzeZWz02UfGIVLuU6/JG -mYjpRRCx1yEyUntzfuXEYNsCLkGWYLuydBfFsL+6tN587dk7A/rRMyzdEDsKApGE -GcP5N7/cKaxNCoDSJonLpX0AbsoQRQJeyhVFgtKWnbPKW9yTeEAZEIG2jqlqOX5O -JQ4Ih3nj4Y4IVVSwPyO5eZYtTc1N1MMixJct63yM4C8IHjCFnxfPASz6+9s8DcAx -BwezcAogXJ0ERuohJe2SXPayEUPqrcPAUXQfwO8kPvAX7VrF97cwfyPY6sf9j7gw -qtHX2e9OPt+oMbXOzgvnIt/p6OZ4SHpfDpiSIIJqk0f+w+qVPeRDKa2SUjWEGphc -GS1wQc+lXqwvlm2DknpESRDOF6nLQfgSm1IFOWin/10kf6mFQR4RnK0lxP2rwZgQ -s1VKhA8zPLrXhB4z/OJod7F2R5nXXfqQwlCmWC8RQjL7T7Bz7NEAIU9zwqIPAQb5 -DTtCBe4dYBt6eeYPFQ8EjD3BfYzqJyT2rXQtnwl9Je/foHqZ6pJrFbQool81aRkq -aCo/OKuzUKNnOLsLwyTTsO/kTqL1ryW/CiFHz7XhD2Y8+YqwOHE= -=7Xjc +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMY7QACgkQbljekB8A +Gu+fHhAAmDag450+55aZqz9vmY6yEr9gLH0h6Y+yJpvNegzIXaBT+bltNiuO60Dt +r5N/Q9W5Ovwk2cER+jkZ7jvsY6YCtj1lWlv7w9jW2yRNkhDYwY3NBANgEueUsVww +fsZq9lkhQjrtsWnygCSdd+6qj7FZ0ufs53rs35bYxt0/aYx510wBQ6+i6eV0kS2C +2fSWX26/feCHsjd1wyWSvrw7xA1eq8YxVc1Psx8hCYnqOSxuVhL/PpmP1EXl+gF0 +VBHdnmVMibDGRYpiBKxZD+LGCt/KD2oyBEtCXHohkXmIGhouojeSolL7f8IG25ZM +HW0HjKQSTozcjADl4HQpEE7DIYcxc9O2hW2l6WoEf7KAOitsq7nMQHMVp5qd1BsJ +24NihZJ4LNDCpzC4C0jpX9FpKwzrWjldVCBSMCVTZCo2MW+7WXNNDX4TbN66CPqN +cl8bnBCs9Znn6/JrkBR1Bf5TFrGpowEBw9sMVzp4S/QnZkT14mLgV6wlBq8WYmDz +aspdBTq8GWLekl4wIiCKFBV+C3KluPSDlnFF2utcXNZuBVyXyke2Bxsuul7vXnE8 +nTWwegaWWRg3ki9Lnk3dtxN3/5EQ4KfJZdfouT9DwRt3/Ja0aWqkc4GU9L4K8GkL +ag2CzVlnUiqjsOplONpoKqYrg5vqLfdojOshCs42cNZco5r3USw= +=OaBj -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc index 6b40af77f9..efcec789e0 100644 --- a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc +++ b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc @@ -1,137 +1,137 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:02.tty Security Advisory The FreeBSD Project Topic: jail(2) information leak Category: core Module: jail Announced: 2024-02-14 Credits: Pawel Jakub Dawidek Affects: All supported versions of FreeBSD. Corrected: 2024-02-12 16:25:54 UTC (stable/14, 14.0-STABLE) 2024-02-14 06:05:46 UTC (releng/14.0, 14.0-RELEASE-p5) - 2024-02-12 16:27:37 UTC (stable/13, 13.2-STABLE) + 2024-02-12 16:27:37 UTC (stable/13, 13.3-STABLE) 2024-02-14 06:06:01 UTC (releng/13.2, 13.2-RELEASE-p10) CVE Name: CVE-2024-25941 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The jail(2) system call allows a system administrator to lock a process and all of its descendants inside an environment with a very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more powerful than, the traditional UNIX chroot(2) system call. tty(4) is a general terminal device. II. Problem Description The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail. III. Impact Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch # fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch.asc # gpg --verify tty.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 215bb03edc54 stable/14-n266676 releng/14.0/ 4d354159d150 releng/14.0-n265407 stable/13/ 9bff7ec98354 stable/13-n257418 releng/13.2/ 17257e6e9a23 releng/13.2-n254658 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRMACgkQbljekB8A -Gu8C7hAAxXasfu+Xn3+voOk5pJvFJd6jWA1ZCvR83YnIqAGibiWvNaMdsdfe4k6x -eEoaQ6maYYu/wjXMZ0HbapTuJPRxwrcG7i2mZ52vSm9glSZO87Lw3oWVIV7eRPpN -pFJtR5bUXns1/dWQgcgFMc/4nNk7NO6gamuK/uwfrDF0aQsYif5pX5DmhkOD/CnQ -CjPWhv6FT94qzUiQrZLSWjCIe/rhNbmbLkhyck4MZP+1aILxsb+BHSaEeBzej2+S -8WisLPKlTwNgpA+DN+sLn28gR1+0Vd5rAv7gvcbWHE3VNvq0ABTwRoZFA4SzHEhL -BNkwMJnMJyR7qj1jWCmfrHptIPpSXtNIvh70yts5/+9nPBDkAYV9U+nJYQTZ40+U -Mn1OfN4ioRfB7bOjVA4J6Ncws4M2ttcOEyk+d8Egd5/7njOGC1sqX0F4FXAtioZF -JATTBd09J9TTZvX5xz6JdK8ZHKc+xtxYiBYg4WQTyVcPg38ONpYarSIQ6XYnNSyP -0Cv1ih5DpxzdEBA+Pu4+dJmZSlyNOJXpmlPKgyiUX0Z085ZqHTMvAXQQS/M7MXai -06d2YnZx4XfGoAhCXZKyvE6J6btiy+t8QNx14tEdtD/ktzAmB3EYHOuuPEFoS44Y -8tafKE9ps5AgWtqXvK7H5NKMwtb9Ry60WSAFfgn0LoFmw8UyBjg= -=HQVb +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMY8YACgkQbljekB8A +Gu8vuQ//VNUQjTgpzQhgctLldORwlkshwsHjGgGYdnQqidPk7gznBEHsngKUgZdx +ocXJ/IkDrzUJ3djm+5qa/3c1sCFrKXV77vtOsVU53SSgbCJdtGi40uE4TXFtPzjQ +otdGqQtgzxspx9Z2oJkBqugmfdcMXiE4+FQBTuvkCS0xAoMBcP1iVoXBQCPyWe8b +xGZ/ZDznso+75//Eaj1Szgsh4lZi5M11vDeFKpH4pO3f2O0f/ge1Wtju8EaE0zJQ +cLPCcJTRPXMUnpYt97dCeHgeNoXfjtDSf2XJGl86z1QZ4OBx2VNcpalF6YZtUxAx +LJh5hwXXbLgknSHVctqCecaMz+D7xSX2/pxkjbFflBeZznIJJkmQjStUSUE5Ldad +O8lfcDe5ZmhVWD9o05ccqr8pa2EBkeSL5hDLyatVA3T7UxRlZpfaPnnvvglen1kI +WJo3ciUMp/iSuFp6Dpy/zg5S7DYc5MM3ifWDW5Sd5X2jvuTDAhz98U0gTtKD8BuB +RyGkL46bHculeQO7c4Q/Cd//4h/VOmGpj54ag8sJS6AZ515j1OVmxeFwmNClR2VK +SHbEP8B/vRI8ek1Ja1CY8RghFJ/v9qkntapfpmP7NLDqgKe1htqDz4KHR12NUQjE +hUHAkOJ8bFS+lJG0lrci2gfmmAUQTh5csw0GA4QEUH0nHLRqW/Y= +=dMqk -----END PGP SIGNATURE-----