From 86e964081b503ce4e65ad8a9363c7883bbff2402 Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Mon, 28 Oct 2024 15:02:04 +0000 Subject: [PATCH 1/4] Create update-2024-10.md October update --- .../2024/FreeBSD/update-2024-10.md | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 alpha/engagements/2024/FreeBSD/update-2024-10.md diff --git a/alpha/engagements/2024/FreeBSD/update-2024-10.md b/alpha/engagements/2024/FreeBSD/update-2024-10.md new file mode 100644 index 00000000..28b79e80 --- /dev/null +++ b/alpha/engagements/2024/FreeBSD/update-2024-10.md 
@@ -0,0 +1,78 @@ +# FreeBSD Update - October 2024 + +## Program Overview + +FreeBSD is undertaking one main project and two minor ones: + +**Major:** A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework). + +**Minor:** An initial Process Audit and an MFA pilot. + +## Update summary + +The Code Audit has been completed with the release of both the FreeBSD Foundation's Code Audit Report. All Critical and High severity vulnerabilities identified have been addressed through Security Advisories. + +The Process Audit has commenced as scheduled in mid-October. The initial documentation review is underway with stakeholder interviews to follow. + +The MFA pilot remains paused until 2025 as previously announced, allowing the community to focus on existing projects. + +## Code Audit + +### About the code audit + +The code audit was intended to discover and address vulnerabilities in critical subsystems. It also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we could look for and improve across the project, incorporating learnings into our Committer training and onboarding. + +The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf. + +### October update + +The Code Audit project has reached its major milestones with the successful release of the FreeBSD Foundation code audit report, including the original Synacktiv Code Audit Report in its appendix. + +The FreeBSD Foundation Code Audit Report was published in October, and included: + - Commentary on the impact of the Synacktiv code report + - Analysis of vulnerability classes identified + - Recommended approach for inspecting remaining codebase + - Comprehensive lessons learned + - Key metrics and findings + +All `Critical` and `High` severity vulnerabilities previously identified have been addressed through the Security Advisories released in September. 
The security team continues to monitor and address any lower-severity issues identified during the process audit phase. + +Security Advisories have been released as follows: + +| Date | Advisory name | +|------------|--------------------------| +| 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) | +| 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) | +| 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) | +| 2024-09-04 | [FreeBSD-SA-24:13.openssl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc) | +| 2024-09-04 | [FreeBSD-SA-24:12.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc) | +| 2024-09-04 | [FreeBSD-SA-24:11.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc) | +| 2024-09-04 | [FreeBSD-SA-24:10.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc) | +| 2024-09-04 | [FreeBSD-SA-24:09.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc) | + +Note: For the full list of FreeBSD advisories, see the [FreeBSD Security Advisories page](https://www.freebsd.org/security/advisories/). + +## Process Audit + +### October update + +The Process Audit has commenced as planned in mid-October. Current activities include: + +- Initial stakeholder interviews with key project maintainers +- Review of existing documentation and processes +- Mapping of current workflow and decision-making processes +- Identification of initial areas for improvement + +The audit team is following the previously established proforma and working closely with volunteer project maintainers. + +## MFA Pilot + +### October update + +As announced in September, the Multi-Factor Authentication project remains paused until 2025. 
This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work. Planning for the 2025 implementation will begin in Q4 2024. + +## Notes on the FreeBSD Security team and policies + +The [FreeBSD Security Team](https://www.freebsd.org/administration/#t-secteam) oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments. + +The [FreeBSD vulnerability reporting and disclosure policy](https://www.freebsd.org/security/reporting/) provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community. From 006d01043394eddf8ebf9c8f5bdab6881128a984 Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Mon, 28 Oct 2024 15:04:33 +0000 Subject: [PATCH 2/4] Update update-2024-10.md Some small edits on Process Audit. --- alpha/engagements/2024/FreeBSD/update-2024-10.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/alpha/engagements/2024/FreeBSD/update-2024-10.md b/alpha/engagements/2024/FreeBSD/update-2024-10.md index 28b79e80..2ccabb27 100644 --- a/alpha/engagements/2024/FreeBSD/update-2024-10.md +++ b/alpha/engagements/2024/FreeBSD/update-2024-10.md 
@@ -58,12 +58,10 @@ Note: For the full list of FreeBSD advisories, see the [FreeBSD Security Advisor The Process Audit has commenced as planned in mid-October. Current activities include: -- Initial stakeholder interviews with key project maintainers - Review of existing documentation and processes -- Mapping of current workflow and decision-making processes - Identification of initial areas for improvement -The audit team is following the previously established proforma and working closely with volunteer project maintainers. +The audit team is following the previously established proforma and will soon be starting stakeholder interviews with key project maintainers. ## MFA Pilot From 594f1da53dc5c2cdcc783c9709654d58f6716215 Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Mon, 4 Nov 2024 15:36:00 +0000 Subject: [PATCH 3/4] Update update-2024-10.md Amend to show future date of report release and to add SA details. --- .../2024/FreeBSD/update-2024-10.md | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/alpha/engagements/2024/FreeBSD/update-2024-10.md b/alpha/engagements/2024/FreeBSD/update-2024-10.md index 2ccabb27..04f2df95 100644 --- a/alpha/engagements/2024/FreeBSD/update-2024-10.md +++ b/alpha/engagements/2024/FreeBSD/update-2024-10.md 
@@ -10,9 +10,9 @@ FreeBSD is undertaking one main project and two minor ones: ## Update summary -The Code Audit has been completed with the release of both the FreeBSD Foundation's Code Audit Report. All Critical and High severity vulnerabilities identified have been addressed through Security Advisories. +The Code Audit has been completed and the release of the FreeBSD Foundation's Code Audit Report is planned for November 18th, 2024. All Critical and High severity vulnerabilities identified have been addressed through Security Advisories. -The Process Audit has commenced as scheduled in mid-October. The initial documentation review is underway with stakeholder interviews to follow. +The Process Audit has begun as planned in mid-October. The initial documentation review is underway with stakeholder interviews to follow. The MFA pilot remains paused until 2025 as previously announced, allowing the community to focus on existing projects. 
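Review bot: the summary line in this hunk (patch 3/4, `@@ -10,9 +10,9 @@`) now gives a concrete release date, "planned for November 18th, 2024", while the Code Audit section in the same patch says only "will be published in mid-November"; use the same wording in both places so a reader skimming one section does not get a vaguer commitment than the other. The rewording of "has commenced as scheduled" to "has begun as planned" is fine and matches the Process Audit section's "has commenced as planned in mid-October".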
@@ -26,21 +26,28 @@ The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the ### October update -The Code Audit project has reached its major milestones with the successful release of the FreeBSD Foundation code audit report, including the original Synacktiv Code Audit Report in its appendix. +The Code Audit project has reached its conclusion and will be followed up with the release of the FreeBSD Foundation code audit report, including the original Synacktiv Code Audit Report in its appendix. -The FreeBSD Foundation Code Audit Report was published in October, and included: +The FreeBSD Foundation Code Audit Report will be published in mid-November, and includes: - Commentary on the impact of the Synacktiv code report - Analysis of vulnerability classes identified - Recommended approach for inspecting remaining codebase - Comprehensive lessons learned - Key metrics and findings -All `Critical` and `High` severity vulnerabilities previously identified have been addressed through the Security Advisories released in September. The security team continues to monitor and address any lower-severity issues identified during the process audit phase. - +All `Critical` and `High` severity vulnerabilities previously identified have been addressed through the Security Advisories released in September. + +An additional three `Medium` and three `Low` severity issues were disclosed on 29 October 2024 (FreeBSD-SA-24:17.bhyve and FreeBSD-SA-24:18.ctl). + +At the time of writing, there are a small number of issues identified during the code audit of “Low” or “Remark” severity which relate to code cleanliness or robustness. These will be addressed in due course. 
+ + Security Advisories have been released as follows: | Date | Advisory name | |------------|--------------------------| +| 2024-10-29 | [FreeBSD-SA-24:18.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc) | +| 2024-10-29 | [FreeBSD-SA-24:17.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc) | | 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) | | 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) | | 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) | @@ -67,7 +74,7 @@ The audit team is following the previously established proforma and will soon be ### October update -As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work. Planning for the 2025 implementation will begin in Q4 2024. +As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work. ## Notes on the FreeBSD Security team and policies From 2e07da005a5b8162cf1fae080bcf60b5938a50b8 Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Thu, 7 Nov 2024 06:35:10 -0800 Subject: [PATCH 4/4] Update update-2024-10.md clarification on which issues are resolved (summary) Signed-off-by: Alice Sowerby --- alpha/engagements/2024/FreeBSD/update-2024-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alpha/engagements/2024/FreeBSD/update-2024-10.md b/alpha/engagements/2024/FreeBSD/update-2024-10.md index 04f2df95..867b234c 100644 --- a/alpha/engagements/2024/FreeBSD/update-2024-10.md +++ b/alpha/engagements/2024/FreeBSD/update-2024-10.md 
@@ -10,7 +10,7 @@ FreeBSD is undertaking one main project and two minor ones: ## Update summary -The Code Audit has been completed and the release of the FreeBSD Foundation's Code Audit Report is planned for November 18th, 2024. All Critical and High severity vulnerabilities identified have been addressed through Security Advisories. +The Code Audit has been completed and the release of the FreeBSD Foundation's Code Audit Report is planned for November 18th, 2024. All exploitable vulnerabilities identified have been addressed through Security Advisories. The Process Audit has begun as planned in mid-October. The initial documentation review is underway with stakeholder interviews to follow.
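Review bot: in patch 1/4 (`@@ -0,0 +1,78 @@`) the sentence "The security team continues to monitor and address any lower-severity issues identified during the process audit phase" attributes the lower-severity findings to the Process Audit, but the surrounding paragraph is about the Code Audit, which is the activity that produced vulnerabilities; "process audit phase" should read "code audit". Two smaller points in the same hunk: "with the release of both the FreeBSD Foundation's Code Audit Report" names only one report after "both", so drop "both" or name the second document; and the Security Advisories table is introduced right after the sentence on audit findings but includes every September advisory (for example `FreeBSD-SA-24:13.openssl` and `FreeBSD-SA-24:14.umtx`), so say explicitly whether the table lists advisories arising from the audit or simply all advisories in the period.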
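Review bot: style point on patch 2/4 (`@@ -58,12 +58,10 @@`): "proforma" in the retained and rewritten line "The audit team is following the previously established proforma" is normally written as two words, "pro forma", when it is not a product or template name; if it refers to a specific document from an earlier update, link or name it. The substantive change (moving stakeholder interviews from current activities to "will soon be starting") is consistent with the summary's "stakeholder interviews to follow".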
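Review bot: patch 3/4 hunk `@@ -26,21 +26,28 @@` removes the single blank line after the old "All `Critical` and `High` ... process audit phase." paragraph and adds two blank lines after "These will be addressed in due course.", leaving a double blank line before "Security Advisories have been released as follows:"; drop one of the two added blank lines. In the same hunk the severity labels are marked inconsistently: "three `Medium` and three `Low` severity issues" uses backticks while the next paragraph uses typographic quotes in "“Low” or “Remark” severity"; pick one convention. The advisory identifiers in prose, "(FreeBSD-SA-24:17.bhyve and FreeBSD-SA-24:18.ctl)", could also be linked the way the new table rows are, so a reader does not have to scroll to the table to find them.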
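Review bot: patch 3/4 hunk `@@ -67,7 +74,7 @@` deletes the commitment "Planning for the 2025 implementation will begin in Q4 2024." from the MFA Pilot section, but the commit message ("Amend to show future date of report release and to add SA details") does not mention this change; either record the reason in the commit message or, if the planning timeline is still intended, keep the sentence. Readers of the monthly update will otherwise see a milestone disappear without explanation.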
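Review bot: patch 4/4 (`@@ -10,7 +10,7 @@`) changes the summary to "All exploitable vulnerabilities identified have been addressed through Security Advisories", but the Code Audit section still states "All `Critical` and `High` severity vulnerabilities previously identified have been addressed" and separately notes that some "Low" or "Remark" items "will be addressed in due course"; the two sections now use different criteria (exploitability versus severity rating). Either make the same change in the Code Audit section or add a clause there stating that the remaining Low/Remark items are code-cleanliness or robustness issues rather than exploitable vulnerabilities, as the later paragraph already implies.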