generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #411 from emaste/freebsd
2024-08 FreeBSD update
- Loading branch information
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| # FreeBSD Update - August 2024 | ||
|
|
||
| ## Program Overview | ||
| FreeBSD is undertaking one main project and two minor ones: | ||
|
|
||
| **Major:** A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework). | ||
|
|
||
| **Minor:** An initial Process Audit and an MFA pilot. | ||
|
|
||
| ## Update summary | ||
| We have had some reduced bandwidth this month due to summer vacations and incoming new projects. We have, however, made some meaningful progress thanks to the ongoing engagement and support of our volunteer project maintainers. | ||
|
|
||
| We are working our way through the vulnerabilities uncovered by Synacktiv in their code audit. Once those with the highest severity have been resolved we will be able to release Synacktiv's report. | ||
|
|
||
| The Process Audit and the MFA pilot are still in planning phase as their start dates are in October and September 2024 respectively. There is some risk around the MFA pilot start date slipping due to program resource constraints. We are working to address these. | ||
|
|
||
| ## Code Audit | ||
|
|
||
| ### About the code audit | ||
| The code audit was intended to discover vulnerabilities in these systems to | ||
| redress, but also looked to identify classes of vulnerabilities and/or | ||
| suboptimal coding practices that we can look for across the project and | ||
| incorporate learnings from into our Committer training and onboarding. | ||
|
|
||
| The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf. | ||
|
|
||
| ### August update | ||
| Work this month has been in collaboration with FreeBSD project volunteers, focused on resolving vulnerabilities from the Synacktiv code audit that have `Critical` and `High` severity. Security Advisories will be released if needed according to the FreeBSD Project's existing [Security Processes](https://www.freebsd.org/security/) and [vulnerability reporting procedure](https://www.freebsd.org/security/reporting/). | ||
|
|
||
| The Synacktiv report will be released once these processes have been completed. Tentative date for this is September 30, 2024. | ||
|
|
||
| Lower severity vulnerabilities that have now been fixed include: | ||
|
|
||
| * [HYP-16: Kernel heap info leak in ctl_request_sense](https://cgit.FreeBSD.org/src/commit/?id=db87c98168b1605f067d283fa36a710369c3849d) | ||
| * [HYP-21: fbaddr updated when vm_mmap_memseg fails](https://cgit.FreeBSD.org/src/commit/?id=85707cfdaddc179af8bd2623091eb1b8c58fed4a) | ||
| * [CAP-04: Kernel uninitialized heap memory read due to missing error check in acl_copyin](https://cgit.FreeBSD.org/src/commit/?id=6ee6c7b146643170602091e8c330314e4ef47b42) | ||
| * [CAP-05: Kernel iov counter is not decremented in pipe write buffer](https://cgit.FreeBSD.org/src/commit/?id=d8ff42e816848a0d4a427755b46b8560cb86ebc8) | ||
|
|
||
| As a followup to CAP-04 we [added the `__result_use_check` function attribute](https://cgit.FreeBSD.org/src/commit/?id=ef9fc9609a1ff53047577aa7cf51246fc04c954b) to turn any similar future misuse into a compile-time error. | ||
|
|
||
| For more information about the code audit, please see earlier updates (June and July 2024) held in this repo. | ||
|
|
||
| The Foundation is also working with the bhyve and Capsicum subsystem maintainer teams to identify classes of vulnerabilities indicated by the code audit findings. Tentative date for completion is September 30, 2024. | ||
|
|
||
| The final Alpha-Omega code audit report where we provide commentary, findings, and additional recommendations is targeted for October 15, 2024. | ||
|
|
||
| ## Process Audit | ||
| ### August update | ||
|
|
||
| The Foundation is preparing for the process audit to start in October as planned. Preparation work includes creating the process audit report proforma, and socialising the audit with volunteer project maintainers. | ||
|
|
||
| For more information about the objectives and deliverables of the process audit, please see the previous updates (June and July). | ||
|
|
||
| ## MFA Pilot | ||
| ### August update | ||
|
|
||
| We have had some reduced bandwidth this month due to summer vacations and incoming new projects. We are currently creating a project and person spec to see whether we can appoint a contractor or vendor to assist with the project. | ||
|
|
||
| ## Notes on the FreeBSD Security team and policies | ||
|
|
||
| The [FreeBSD Security Team](https://www.freebsd.org/administration/#t-secteam) oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments. | ||
|
|
||
| The [FreeBSD vulnerability reporting and disclosure policy](https://www.freebsd.org/security/reporting/) provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community. | ||
|
|