FreeBSD Security Information
Introduction
This web page is designed to assist both new and experienced users in the area of FreeBSD security. FreeBSD takes security very seriously and is constantly working on making the operating system as secure as possible.
Table of Contents
- How and where to report a FreeBSD security issue
- Information about the FreeBSD Security Officer
- Information handling policies
- Supported FreeBSD Releases
- Unsupported FreeBSD Releases
Other Security Links
- Charter for the Security Officer and Team
- List of FreeBSD Security Advisories
- List of FreeBSD Errata Notices
- Reading FreeBSD Security Advisories
How and where to report a FreeBSD security issue
All FreeBSD security issues should be reported to the FreeBSD Security Team or, if a higher level of confidentiality is required, PGP encrypted to the Security Officer Team using the Security Officer PGP key. All reports should at least contain:
- A description of the vulnerability.
- What versions of FreeBSD seem to be affected if possible.
- Any plausible workaround.
- Example code if possible.
After this information has been reported the Security Officer or a Security Team delegate will get back with you.
Spam filters
Due to high volume of spam the main security contact mail addresses are subject to spam filtering. If you cannot contact the FreeBSD Security Officers or Security Team due to spam filters (or suspect your mail has been filtered), please send mail to security-officer-XXXX@FreeBSD.org with XXXX replaced with 3432 instead of the normal addresses. Note that this address will be changed periodically so check back here for the latest address. Mails to this address will go to the FreeBSD Security Officer Team.
The FreeBSD Security Officer Team and the FreeBSD Security Team
In order that the FreeBSD Project may respond to vulnerability reports in a timely manner, there are three members of the Security Officer mail alias: the Security Officer, Deputy Security Officer, and one Core Team member. Therefore, messages sent to the <[email protected]> mail alias are currently delivered to:
Simon L. B. Nielsen <[email protected]> | Security Officer |
Colin Percival <[email protected]> | Security Officer Emeritus |
Robert Watson <[email protected]> | Release Engineering liaison, TrustedBSD Project liaison, system security architecture expert |
The Security Officer is supported by the FreeBSD Security Team <[email protected]>, a small group of committers vetted by the Security Officer.
Information handling policies
As a general policy, the FreeBSD Security Officer favors full disclosure of vulnerability information after a reasonable delay to permit safe analysis and correction of a vulnerability, as well as appropriate testing of the correction, and appropriate coordination with other affected parties.
The Security Officer will notify one or more of the FreeBSD Cluster Admins of vulnerabilities that put the FreeBSD Project's resources under immediate danger.
The Security Officer may bring additional FreeBSD developers or outside developers into discussion of a submitted security vulnerability if their expertise is required to fully understand or correct the problem. Appropriate discretion will be exercised to minimize unnecessary distribution of information about the submitted vulnerability, and any experts brought in will act in accordance of Security Officer policies. In the past, experts have been brought in based on extensive experience with highly complex components of the operating system, including FFS, the VM system, and the network stack.
If a FreeBSD release process is underway, the FreeBSD Release Engineer may also be notified that a vulnerability exists, and its severity, so that informed decisions may be made regarding the release cycle and any serious security bugs present in software associated with an up-coming release. If requested, the Security Officer will not share information regarding the nature of the vulnerability with the Release Engineer, limiting information flow to existence and severity.
The FreeBSD Security Officer has close working relationships with a number of other organizations, including third-party vendors that share code with FreeBSD (the OpenBSD, NetBSD and DragonFlyBSD projects, Apple, and other vendors deriving software from FreeBSD, as well as the Linux vendor security list), as well as organizations that track vulnerabilities and security incidents, such as CERT. Frequently vulnerabilities may extend beyond the scope of the FreeBSD implementation, and (perhaps less frequently) may have broad implications for the global networking community. Under such circumstances, the Security Officer may wish to disclose vulnerability information to these other organizations: if you do not wish the Security Officer to do this, please indicate so explicitly in any submissions.
Submitters should be careful to explicitly document any special information handling requirements.
If the submitter of a vulnerability is interested in a coordinated disclosure process with the submitter and/or other vendors, this should be indicated explicitly in any submissions. In the absence of explicit requests, the FreeBSD Security Officer will select a disclosure schedule that reflects both a desire for timely disclosure and appropriate testing of any solutions. Submitters should be aware that if the vulnerability is being actively discussed in public forums (such as bugtraq), and actively exploited, the Security Officer may choose not to follow a proposed disclosure timeline in order to provide maximum protection for the user community.
Submissions may be protected using PGP. If desired, responses will also be protected using PGP.
Supported FreeBSD Releases
The FreeBSD Security Officer provides security advisories for several branches of FreeBSD development. These are the -STABLE Branches and the Security Branches. (Advisories are not issued for the -CURRENT Branch.)
The -STABLE branch tags have names like RELENG_7. The corresponding builds have names like FreeBSD 7.0-STABLE.
Each FreeBSD Release has an associated Security Branch. The Security Branch tags have names like RELENG_7_0. The corresponding builds have names like FreeBSD 7.0-RELEASE-p1.
Issues affecting the FreeBSD Ports Collection are covered in the FreeBSD VuXML document.
Each branch is supported by the Security Officer for a limited time only, and is designated as one of `Early adopter', `Normal', or `Extended'. The designation is used as a guideline for determining the lifetime of the branch as follows.
- Early adopter
- Releases which are published from the -CURRENT branch will be supported by the Security Officer for a minimum of 6 months after the release.
- Normal
- Releases which are published from a -STABLE branch will be supported by the Security Officer for a minimum of 12 months after the release, and for sufficient additional time (if needed) to ensure that there is a newer release for at least 3 months before the older Normal release expires.
- Extended
- Selected releases (normally every second release plus the last release from each -STABLE branch) will be supported by the Security Officer for a minimum of 24 months after the release, and for sufficient additional time (if needed) to ensure that there is a newer Extended release for at least 3 months before the older Extended release expires.
The current designation and estimated lifetimes of the currently supported branches are given below. The Estimated EoL (end-of-life) column gives the earliest date on which that branch is likely to be dropped. Please note that these dates may be extended into the future, but only extenuating circumstances would lead to a branch's support being dropped earlier than the date listed.
Branch | Release | Type | Release Date | Estimated EoL |
---|---|---|---|---|
RELENG_7 | n/a | n/a | n/a | February 28, 2013 |
RELENG_7_4 | 7.4-RELEASE | Extended | February 24, 2011 | February 28, 2013 |
RELENG_8 | n/a | n/a | n/a | last release + 2 years |
RELENG_8_3 | 8.3-RELEASE | Extended | April 18, 2012 | April 30, 2014 |
RELENG_9 | n/a | n/a | n/a | last release + 2 years |
RELENG_9_0 | 9.0-RELEASE | Normal | January 10, 2012 | March 31, 2013 |
RELENG_9_1 | 9.1-RELEASE | Extended | December 30, 2012 | December 31, 2014 |
Older releases are not maintained and users are strongly encouraged to upgrade to one of the supported releases mentioned above.
Advisories are sent to the following FreeBSD mailing lists:
The list of released advisories can be found on the FreeBSD Security Advisories page.
Advisories are always signed using the FreeBSD Security Officer PGP key and are archived, along with their associated patches, at the http://security.FreeBSD.org/ web server in the advisories and patches subdirectories.
Unsupported FreeBSD Releases
The following releases are no longer supported but are listed here for reference purposes.
Branch | Release | Type | Release Date | EoL |
---|---|---|---|---|
RELENG_4 | n/a | n/a | n/a | January 31, 2007 |
RELENG_4_11 | 4.11-RELEASE | Extended | January 25, 2005 | January 31, 2007 |
RELENG_5 | n/a | n/a | n/a | May 31, 2008 |
RELENG_5_3 | 5.3-RELEASE | Extended | November 6, 2004 | October 31, 2006 |
RELENG_5_4 | 5.4-RELEASE | Normal | May 9, 2005 | October 31, 2006 |
RELENG_5_5 | 5.5-RELEASE | Extended | May 25, 2006 | May 31, 2008 |
RELENG_6 | n/a | n/a | n/a | November 30, 2010 |
RELENG_6_0 | 6.0-RELEASE | Normal | November 4, 2005 | January 31, 2007 |
RELENG_6_1 | 6.1-RELEASE | Extended | May 9, 2006 | May 31, 2008 |
RELENG_6_2 | 6.2-RELEASE | Normal | January 15, 2007 | May 31, 2008 |
RELENG_6_3 | 6.3-RELEASE | Extended | January 18, 2008 | January 31, 2010 |
RELENG_6_4 | 6.4-RELEASE | Extended | November 28, 2008 | November 30, 2010 |
RELENG_7_0 | 7.0-RELEASE | Normal | February 27, 2008 | April 30, 2009 |
RELENG_7_1 | 7.1-RELEASE | Extended | January 4, 2009 | February 28, 2011 |
RELENG_7_2 | 7.2-RELEASE | Normal | May 4, 2009 | June 30, 2010 |
RELENG_7_3 | 7.3-RELEASE | Extended | March 23, 2010 | March 31, 2012 |
RELENG_8_0 | 8.0-RELEASE | Normal | November 25, 2009 | November 30, 2010 |
RELENG_8_1 | 8.1-RELEASE | Extended | July 23, 2010 | July 31, 2012 |
RELENG_8_2 | 8.2-RELEASE | Normal | February 24, 2011 | July 31, 2012 |