FreeBSD is undertaking one main project and two minor ones:
Major: A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).
Minor: An initial Process Audit and an MFA pilot.
The Code Audit is on track. All All Critical and High severity vulnerabilities are patched and Security Advisories have been released. The Synacktiv Code Audit Report will be released by the end of September, with a FreeBSD-authored Code Audit Report due in October.
The Process Audit is on track to begin mid-Oct. Preparations are complete and once the FreeBSD-authored Code Audit Report is published we will start on the process audit.
The MFA pilot has been put on pause by the Foundation until 2025 to allow for a sustainable pace for the community on existing projects.
The code audit was intended to discover vulnerabilities in these systems to redress, but also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we can look for across the project and incorporate learnings from into our Committer training and onboarding.
The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf.
The Code Audit project is on track to hit its next milestone of releasing the Synacktiv Code Audit Report at the end of September. The Foundation and the Project have been working to resolve the higher severity vulnerabilities identified by Synacktiv during the code review. The release of the report was embargoed prior to fixing these.
All Critical and High severity vulnerabilities have now been fixed and Security Advisories have been released as follows:
| Date | Advisory name |
|---|---|
| 2024-09-19 | FreeBSD-SA-24:16.libnv |
| 2024-09-19 | FreeBSD-SA-24:15.bhyve |
| 2024-09-04 | FreeBSD-SA-24:14.umtx |
| 2024-09-04 | FreeBSD-SA-24:12.bhyve |
| 2024-09-04 | FreeBSD-SA-24:11.ctl |
| 2024-09-04 | FreeBSD-SA-24:10.bhyve |
| 2024-09-04 | FreeBSD-SA-24:09.libnv |
Note: For the full list of FreeBSD advisories, see the FreeBSD Security Advisories page.
The next milestone is to release a FreeBSD-authored Code Audit Report including commentary on the impact of the Synacktiv code report, classes of vulnerabilities identified, suggested approach to inspecting the rest of the code, lessons learned, and metrics. This FreeBSD-authored Code Audit Report is targeted for release during October 2024.
For more information about the code audit, please see earlier updates (June and July 2024) held in this repo.
The Foundation is preparing for the process audit to start in October as planned. Preparation work includes creating the process audit report proforma, and socialising the audit with volunteer project maintainers.
For more information about the objectives and deliverables of the process audit, please see the previous updates (June and July).
The Foundation has made the decision to pause on Multi-Factor Authentication work until next year. This is to allow the community to work at a sustainable pace on existing projects that are in flight.
The FreeBSD Security Team oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.
The FreeBSD vulnerability reporting and disclosure policy provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.