FreeBSD bhyve, OpenSSL, GEOM & libfetch security fixes released - nixCraft

All supported versions of FreeBSD are affected by various security bugs that need to be patched ASAP. For example, a memory corruption bug exists in the bhyve hypervisor. Another bug can overwrite the stack of ggatec and potentially execute arbitrary code. There are two issues fixed for OpenSSL in this security advisory too. Let us see what these security vulnerabilities are and how to fix them on FreeBSD.

The excellent news is that fixes have been released for FreeBSD versions 11, 12 and 13 for bhyve, openssl, GEOM and libfetch.

Finding FreeBSD version and patch level number

Open the terminal application and then execute the following commands at the FreeBSD shell, or over an ssh session for a remote server hosted in the AWS cloud:
$ uname -mrs
FreeBSD 13.0-RELEASE-p3 amd64
$ freebsd-version
13.0-RELEASE-p3

I am going to use the freebsd-update command as follows to fetch updates and install them:
$ sudo freebsd-update fetch

Password:
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 32 patches.....10....20....30. done.
Applying patches... done.
The following files will be updated as part of updating to
13.0-RELEASE-p4:
/bin/freebsd-version
/boot/kernel/kernel
/boot/kernel/virtio_blk.ko
/lib/libcrypto.so.111
/rescue/[
/rescue/bectl
/rescue/bsdlabel
....
..
......
/usr/lib32/libfetch_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so.111
/usr/lib32/libssl_p.a
/usr/sbin/bhyve
/usr/sbin/hostapd
/usr/sbin/ntp-keygen
/usr/sbin/wpa_cli
/usr/sbin/wpa_supplicant

To install those updates, execute:
$ sudo freebsd-update install
Make sure you restart all daemons that use the library, or reboot the system. I decided to reboot the FreeBSD server using the reboot command:
$ sudo reboot

Verification

After reboot, let us verify the FreeBSD version:
$ freebsd-version

FreeBSD 13.0-RELEASE-p4 amd64 running after patching and rebooting my system
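
The verification step can also be scripted. The following is an added example, not part of the original article: it compares the userland patch level against the required one (13.0-RELEASE-p4, the level shown above) and checks whether the installed kernel is the one actually running. The function names and status strings are hypothetical.

```sh
#!/bin/sh
# Added example: post-patch check built on freebsd-version(1).
# Function names and status strings are hypothetical, not part of FreeBSD.

# Patch number of a version string: "13.0-RELEASE-p4" -> 4, "13.0-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Release without the patch suffix: "13.0-RELEASE-p4" -> "13.0-RELEASE"
base_release() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# check_patch_state REQUIRED USERLAND INSTALLED_KERNEL RUNNING_KERNEL
# Prints one of: ok | reboot-needed | update-needed | wrong-branch
# Only userland is compared with REQUIRED, because the kernel patch level
# is bumped only when an update actually touches the kernel.
check_patch_state() {
    required=$1; userland=$2; kinstalled=$3; krunning=$4
    if [ "$(base_release "$userland")" != "$(base_release "$required")" ]; then
        echo wrong-branch
    elif [ "$(patch_level "$userland")" -lt "$(patch_level "$required")" ]; then
        echo update-needed
    elif [ "$kinstalled" != "$krunning" ]; then
        # The patched kernel is on disk, but the old one is still executing.
        echo reboot-needed
    else
        echo ok
    fi
}

# On a FreeBSD host, feed in the live values:
# -u = userland, -k = installed kernel, -r = running kernel.
if command -v freebsd-version >/dev/null 2>&1; then
    check_patch_state "13.0-RELEASE-p4" \
        "$(freebsd-version -u)" "$(freebsd-version -k)" "$(freebsd-version -r)"
fi
```

An `ok` result covers the kernel only: it does not show that long-running daemons have reloaded the patched libraries, so restart them or reboot as described above.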

Optionally, use the pkg command to apply package upgrades to the FreeBSD system too, if any are available:
$ sudo pkg update
$ sudo pkg upgrade

Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

See how to apply security updates using pkg/freebsd-update on FreeBSD for more information.

Summing up

Fixing security issues under FreeBSD is essential to avoid data loss or the system getting owned through these bugs. For example, I patched all my FreeBSD 13.x boxes. Please visit the FreeBSD website for general information regarding FreeBSD Security Advisories, including descriptions of the fields above and security branches.

Posted by Contributor