From 0d2d1e6597a171c7df99da2f741a76369fbb83de Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Mon, 25 Nov 2024 14:12:20 +0000 Subject: [PATCH 1/3] Create update-2024-11.md Adding November report --- .../2024/FreeBSD/update-2024-11.md | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 alpha/engagements/2024/FreeBSD/update-2024-11.md diff --git a/alpha/engagements/2024/FreeBSD/update-2024-11.md b/alpha/engagements/2024/FreeBSD/update-2024-11.md new file mode 100644 index 00000000..9caa2549 --- /dev/null +++ b/alpha/engagements/2024/FreeBSD/update-2024-11.md 
@@ -0,0 +1,78 @@ +# FreeBSD Update - November 2024 + +## Program Overview + +FreeBSD is undertaking one main project and two minor ones: + +**Major:** A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework). + +**Minor:** An initial Process Audit and an MFA pilot. + +## Update summary + +The Code Audit has been completed and the FreeBSD Foundation's Code Audit Report was released on November 18th, 2024. All exploitable vulnerabilities identified have been addressed through Security Advisories. + +The Process Audit began as planned in mid-October. The initial documentation review is complete and stakeholder feedback has been gathered. The report is now being prepared for a projected release date of mid-December 2024. + +The MFA pilot remains paused until 2025 as previously announced, allowing the community to focus on existing projects. + +## Code Audit + +### About the code audit + +The code audit was intended to discover and address vulnerabilities in critical subsystems. It also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we could look for and improve across the project, incorporating learnings into our Committer training and onboarding. + +The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf. + +### October update + +The Code Audit project has reached its conclusion. The [FreeBSD Foundation code audit report](https://freebsdfoundation.org/wp-content/uploads/2024/11/2024_Code_Audit_Capsicum_Bhyve_FreeBSD_Foundation.pdf) is now available, and includes the original Synacktiv Code Audit Report in its appendix. A [press release](https://freebsdfoundation.org/news-and-events/latest-news/freebsd-foundation-releases-bhyve-and-capsicum-security-audit-funded-by-alpha-omega-project/) was also issued by the Foundation. 
+ +The FreeBSD Foundation Code Audit Report includes: + - Commentary on the impact of the Synacktiv code report + - Analysis of vulnerability classes identified + - Recommended approach for inspecting remaining codebase + - Comprehensive lessons learned + - Key metrics and findings + +All `Critical`, `High`, `Medium` and `Low` severity vulnerabilities previously identified have been addressed through the Security Advisories released in September and October. + +Security Advisories have been released as follows: + +| Date | Advisory name | +|------------|--------------------------| +| 2024-10-29 | [FreeBSD-SA-24:18.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc) | +| 2024-10-29 | [FreeBSD-SA-24:17.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc) | +| 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) | +| 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) | +| 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) | +| 2024-09-04 | [FreeBSD-SA-24:13.openssl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc) | +| 2024-09-04 | [FreeBSD-SA-24:12.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc) | +| 2024-09-04 | [FreeBSD-SA-24:11.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc) | +| 2024-09-04 | [FreeBSD-SA-24:10.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc) | +| 2024-09-04 | [FreeBSD-SA-24:09.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc) | + +Note: For the full list of FreeBSD advisories, see the [FreeBSD Security Advisories page](https://www.freebsd.org/security/advisories/). + +## Process Audit + +### November update + +The Process Audit has commenced as planned in mid-October. 
Current activities include: + +- Outreach for stakeholder feedback, canvassing the FreeBSD Project's management teams for input on how the current development processes could be improved. +- Drafting the Process Audit report to include this feedback and to identify any areas for improvement. To include recommendations for next steps and potential projects that could benefit from external funding. + +The audit team is following a previously established proforma to ensure that the key areas of development process are addressed. + +## MFA Pilot + +### November update + +As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work. + +## Notes on the FreeBSD Security team and policies + +The [FreeBSD Security Team](https://www.freebsd.org/administration/#t-secteam) oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments. + +The [FreeBSD vulnerability reporting and disclosure policy](https://www.freebsd.org/security/reporting/) provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community. \ No newline at end of file From 84e516d74910c6431bbc3a31e6d3c56f25a4f9e5 Mon Sep 17 00:00:00 2001 
From: Alice Sowerby Date: Wed, 27 Nov 2024 15:11:16 +0000 Subject: [PATCH 2/3] Update update-2024-09.md remove openssl Signed-off-by: Alice Sowerby --- alpha/engagements/2024/FreeBSD/update-2024-09.md | 1 - 1 file changed, 1 deletion(-) diff --git a/alpha/engagements/2024/FreeBSD/update-2024-09.md b/alpha/engagements/2024/FreeBSD/update-2024-09.md index fdf24446..cfe1fb4e 100644 --- a/alpha/engagements/2024/FreeBSD/update-2024-09.md +++ b/alpha/engagements/2024/FreeBSD/update-2024-09.md @@ -34,7 +34,6 @@ All `Critical` and `High` severity vulnerabilities have now been fixed and Secur | 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) | | 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) | | 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) | -| 2024-09-04 | [FreeBSD-SA-24:13.openssl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc) | | 2024-09-04 | [FreeBSD-SA-24:12.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc) | | 2024-09-04 | [FreeBSD-SA-24:11.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc) | | 2024-09-04 | [FreeBSD-SA-24:10.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc) | From cf36f240b21ccc0072f736e8a425964e5336263a Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Wed, 27 Nov 2024 15:11:50 +0000 Subject: [PATCH 3/3] Update update-2024-11.md remove Openssl Signed-off-by: Alice Sowerby --- alpha/engagements/2024/FreeBSD/update-2024-11.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/alpha/engagements/2024/FreeBSD/update-2024-11.md b/alpha/engagements/2024/FreeBSD/update-2024-11.md index 9caa2549..b376ec36 100644 --- a/alpha/engagements/2024/FreeBSD/update-2024-11.md +++ b/alpha/engagements/2024/FreeBSD/update-2024-11.md 
@@ -46,7 +46,6 @@ Security Advisories have been released as follows: | 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) | | 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) | | 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) | -| 2024-09-04 | [FreeBSD-SA-24:13.openssl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc) | | 2024-09-04 | [FreeBSD-SA-24:12.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc) | | 2024-09-04 | [FreeBSD-SA-24:11.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc) | | 2024-09-04 | [FreeBSD-SA-24:10.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc) | 
@@ -75,4 +74,4 @@ As announced in September, the Multi-Factor Authentication project remains pause The [FreeBSD Security Team](https://www.freebsd.org/administration/#t-secteam) oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments. -The [FreeBSD vulnerability reporting and disclosure policy](https://www.freebsd.org/security/reporting/) provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community. \ No newline at end of file +The [FreeBSD vulnerability reporting and disclosure policy](https://www.freebsd.org/security/reporting/) provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.
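Review bot: In PATCH 1/3 (the new alpha/engagements/2024/FreeBSD/update-2024-11.md), the sub-heading under "## Code Audit" reads "### October update" while the Process Audit and MFA Pilot sections of the same file use "### November update"; in a November report this looks like a copy-over from the previous month and should read "### November update". Two smaller things in the same hunk are already corrected by later patches in this series and would be cleaner squashed into this one: the advisory table includes the row `| 2024-09-04 | [FreeBSD-SA-24:13.openssl](...) |` that PATCH 3/3 deletes again, and the file is created without a trailing newline (`\ No newline at end of file`), which PATCH 3/3 also fixes. Finally, the Process Audit bullet "Drafting the Process Audit report to include this feedback and to identify any areas for improvement. To include recommendations for next steps ..." has a sentence fragment; joining it as "..., including recommendations for next steps and potential projects that could benefit from external funding." reads better.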
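Review bot: In PATCH 2/3 (the `@@ -34,7 +34,6 @@` hunk of update-2024-09.md), the commit message "remove openssl" gives no reason for dropping the FreeBSD-SA-24:13.openssl row, and the hunk's context line states that the table lists advisories addressing audit findings ("All `Critical` and `High` severity vulnerabilities have now been fixed and Secur..."); please say in the commit body why this advisory is being excluded so a reader of the history can tell whether the table's scope changed or the row was a mistake. Also worth checking, since it is outside the visible context, whether any sentence or count elsewhere in the September report still refers to that advisory. This deletion and the identical one in PATCH 3/3 are one logical change across two files and would be clearer as a single commit.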
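Review bot: In PATCH 3/3, the `@@ -46,7 +46,6 @@` hunk of update-2024-11.md removes a table row that PATCH 1/3 of this same series added a few minutes earlier; rather than add-then-delete within one series, fold the removal into PATCH 1/3 so the November report never carries the openssl row, and keep this commit (together with PATCH 2/3) as the single change that drops the advisory from the September report. As with PATCH 2/3, the message "remove Openssl" should state the reason for the exclusion.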
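Review bot: In PATCH 3/3, the `@@ -75,4 +74,4 @@` hunk of update-2024-11.md is a whitespace-only change: the removed and added versions of the "FreeBSD vulnerability reporting and disclosure policy" line are byte-identical apart from the `\ No newline at end of file` marker on the old one, so this hunk just adds the missing trailing newline. That is fine to have, but it is unrelated to the "remove Openssl" subject of this commit; either mention it in the commit message or, better, fix it in PATCH 1/3 where the file is created so the file is well-formed from the start.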