Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

November FreeBSD update #439

Merged
merged 3 commits into from
Dec 3, 2024
Merged

November FreeBSD update #439

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0d2d1e6
Create update-2024-11.md
alice-sowerby Nov 25, 2024
84e516d
Update update-2024-09.md
alice-sowerby Nov 27, 2024
cf36f24
Update update-2024-11.md
alice-sowerby Nov 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion alpha/engagements/2024/FreeBSD/update-2024-09.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,6 @@ All `Critical` and `High` severity vulnerabilities have now been fixed and Secur
| 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) |
| 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) |
| 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) |
| 2024-09-04 | [FreeBSD-SA-24:13.openssl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc) |
| 2024-09-04 | [FreeBSD-SA-24:12.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc) |
| 2024-09-04 | [FreeBSD-SA-24:11.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc) |
| 2024-09-04 | [FreeBSD-SA-24:10.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc) |
Expand Down
77 changes: 77 additions & 0 deletions alpha/engagements/2024/FreeBSD/update-2024-11.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# FreeBSD Update - November 2024

## Program Overview

FreeBSD is undertaking one main project and two minor ones:

**Major:** A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).

**Minor:** An initial Process Audit and an MFA pilot.

## Update summary

The Code Audit has been completed and the FreeBSD Foundation's Code Audit Report was released on November 18th, 2024. All exploitable vulnerabilities identified have been addressed through Security Advisories.

The Process Audit began as planned in mid-October. The initial documentation review is complete and stakeholder feedback has been gathered. The report is now being prepared for a projected release date of mid-December 2024.

The MFA pilot remains paused until 2025 as previously announced, allowing the community to focus on existing projects.

## Code Audit

### About the code audit

The code audit was intended to discover and address vulnerabilities in critical subsystems. It also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we could look for and improve across the project, incorporating learnings into our Committer training and onboarding.

The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf.

### October update

The Code Audit project has reached its conclusion. The [FreeBSD Foundation code audit report](https://freebsdfoundation.org/wp-content/uploads/2024/11/2024_Code_Audit_Capsicum_Bhyve_FreeBSD_Foundation.pdf) is now available, and includes the original Synacktiv Code Audit Report in its appendix. A [press release](https://freebsdfoundation.org/news-and-events/latest-news/freebsd-foundation-releases-bhyve-and-capsicum-security-audit-funded-by-alpha-omega-project/) was also issued by the Foundation.

The FreeBSD Foundation Code Audit Report includes:
- Commentary on the impact of the Synacktiv code report
- Analysis of vulnerability classes identified
- Recommended approach for inspecting remaining codebase
- Comprehensive lessons learned
- Key metrics and findings

All `Critical`, `High`, `Medium` and `Low` severity vulnerabilities previously identified have been addressed through the Security Advisories released in September and October.

Security Advisories have been released as follows:

| Date | Advisory name |
|------------|--------------------------|
| 2024-10-29 | [FreeBSD-SA-24:18.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc) |
| 2024-10-29 | [FreeBSD-SA-24:17.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc) |
| 2024-09-19 | [FreeBSD-SA-24:16.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc) |
| 2024-09-19 | [FreeBSD-SA-24:15.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc) |
| 2024-09-04 | [FreeBSD-SA-24:14.umtx](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc) |
| 2024-09-04 | [FreeBSD-SA-24:12.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc) |
| 2024-09-04 | [FreeBSD-SA-24:11.ctl](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc) |
| 2024-09-04 | [FreeBSD-SA-24:10.bhyve](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc) |
| 2024-09-04 | [FreeBSD-SA-24:09.libnv](https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc) |

Note: For the full list of FreeBSD advisories, see the [FreeBSD Security Advisories page](https://www.freebsd.org/security/advisories/).

## Process Audit

### November update

The Process Audit has commenced as planned in mid-October. Current activities include:

- Outreach for stakeholder feedback, canvassing the FreeBSD Project's management teams for input on how the current development processes could be improved.
- Drafting the Process Audit report to include this feedback and to identify any areas for improvement. To include recommendations for next steps and potential projects that could benefit from external funding.

The audit team is following a previously established proforma to ensure that the key areas of development process are addressed.

## MFA Pilot

### November update

As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work.

## Notes on the FreeBSD Security team and policies

The [FreeBSD Security Team](https://www.freebsd.org/administration/#t-secteam) oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.

The [FreeBSD vulnerability reporting and disclosure policy](https://www.freebsd.org/security/reporting/) provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.
Loading