FreeBSD is undertaking one main project and two minor ones:
Major: A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).
Minor: An initial Process Audit and an MFA pilot.
The Code Audit has been completed and the release of the FreeBSD Foundation's Code Audit Report is planned for November 18th, 2024. All exploitable vulnerabilities identified have been addressed through Security Advisories.
The Process Audit has begun as planned in mid-October. The initial documentation review is underway with stakeholder interviews to follow.
The MFA pilot remains paused until 2025 as previously announced, allowing the community to focus on existing projects.
The code audit was intended to discover and address vulnerabilities in critical subsystems. It also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we could look for and improve across the project, incorporating learnings into our Committer training and onboarding.
The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf.
The Code Audit project has reached its conclusion and will be followed up with the release of the FreeBSD Foundation code audit report, including the original Synacktiv Code Audit Report in its appendix.
The FreeBSD Foundation Code Audit Report will be published in mid-November, and includes:
- Commentary on the impact of the Synacktiv code report
- Analysis of vulnerability classes identified
- Recommended approach for inspecting remaining codebase
- Comprehensive lessons learned
- Key metrics and findings
All Critical and High severity vulnerabilities previously identified have been addressed through the Security Advisories released in September.
An additional three Medium and three Low severity issues were disclosed on 29 October 2024 (FreeBSD-SA-24:17.bhyve and FreeBSD-SA-24:18.ctl).
At the time of writing, there are a small number of issues identified during the code audit of “Low” or “Remark” severity which relate to code cleanliness or robustness. These will be addressed in due course.
Security Advisories have been released as follows:
| Date | Advisory name |
|---|---|
| 2024-10-29 | FreeBSD-SA-24:18.ctl |
| 2024-10-29 | FreeBSD-SA-24:17.bhyve |
| 2024-09-19 | FreeBSD-SA-24:16.libnv |
| 2024-09-19 | FreeBSD-SA-24:15.bhyve |
| 2024-09-04 | FreeBSD-SA-24:14.umtx |
| 2024-09-04 | FreeBSD-SA-24:13.openssl |
| 2024-09-04 | FreeBSD-SA-24:12.bhyve |
| 2024-09-04 | FreeBSD-SA-24:11.ctl |
| 2024-09-04 | FreeBSD-SA-24:10.bhyve |
| 2024-09-04 | FreeBSD-SA-24:09.libnv |
Note: For the full list of FreeBSD advisories, see the FreeBSD Security Advisories page.
The Process Audit has commenced as planned in mid-October. Current activities include:
- Review of existing documentation and processes
- Identification of initial areas for improvement
The audit team is following the previously established proforma and will soon be starting stakeholder interviews with key project maintainers.
As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work.
The FreeBSD Security Team oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.
The FreeBSD vulnerability reporting and disclosure policy provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.