FreeBSD is undertaking one main project and two minor ones:
Major: A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).
Minor: An initial Process Audit and an MFA pilot.
The Code Audit has been completed and the FreeBSD Foundation's Code Audit Report was released on November 18th, 2024. All exploitable vulnerabilities identified have been addressed through Security Advisories.
The Process Audit began as planned in mid-October. The initial documentation review is complete and stakeholder feedback has been gathered. The report is now being prepared for a projected release date of mid-December 2024.
The MFA pilot remains paused until 2025 as previously announced, allowing the community to focus on existing projects.
The code audit was intended to discover and address vulnerabilities in critical subsystems. It also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we could look for and improve across the project, incorporating learnings into our Committer training and onboarding.
The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf.
The Code Audit project has reached its conclusion. The FreeBSD Foundation code audit report is now available, and includes the original Synacktiv Code Audit Report in its appendix. A press release was also issued by the Foundation.
The FreeBSD Foundation Code Audit Report includes:
- Commentary on the impact of the Synacktiv code report
- Analysis of vulnerability classes identified
- Recommended approach for inspecting remaining codebase
- Comprehensive lessons learned
- Key metrics and findings
All Critical, High, Medium and Low severity vulnerabilities previously identified have been addressed through the Security Advisories released in September and October.
Security Advisories have been released as follows:
| Date | Advisory name |
|---|---|
| 2024-10-29 | FreeBSD-SA-24:18.ctl |
| 2024-10-29 | FreeBSD-SA-24:17.bhyve |
| 2024-09-19 | FreeBSD-SA-24:16.libnv |
| 2024-09-19 | FreeBSD-SA-24:15.bhyve |
| 2024-09-04 | FreeBSD-SA-24:14.umtx |
| 2024-09-04 | FreeBSD-SA-24:12.bhyve |
| 2024-09-04 | FreeBSD-SA-24:11.ctl |
| 2024-09-04 | FreeBSD-SA-24:10.bhyve |
| 2024-09-04 | FreeBSD-SA-24:09.libnv |
Note: For the full list of FreeBSD advisories, see the FreeBSD Security Advisories page.
The Process Audit has commenced as planned in mid-October. Current activities include:
- Outreach for stakeholder feedback, canvassing the FreeBSD Project's management teams for input on how the current development processes could be improved.
- Drafting the Process Audit report to include this feedback and to identify any areas for improvement. To include recommendations for next steps and potential projects that could benefit from external funding.
The audit team is following a previously established proforma to ensure that the key areas of development process are addressed.
As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work.
The FreeBSD Security Team oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.
The FreeBSD vulnerability reporting and disclosure policy provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.