17.9 第三方漏洞与安全公告
FreeBSD 以 pkg audit 查询漏洞数据库(VuXML),为已安装第三方软件包提供 CVE 预警。本节介绍审计命令用法,并解读安全公告(Security Advisory)标准格式。
17.9.1 监控第三方安全问题
pkg 轮询由 FreeBSD 安全团队和 ports 开发者维护的安全问题数据库。可通过 periodic 配置文件自动保持该数据库更新。
具体而言,该数据库默认引用 https://www.vuxml.org/freebsd/index.html 中的数据。
大量使用第三方工具会增加系统入侵风险。如需审计 Ports 中的第三方工具,管理员可更新数据库并查看已安装软件包的已知漏洞:
sh
$ pkg audit -F输出应类似于以下内容:
text
vulnxml file up-to-date
chromium-116.0.5845.96_1 is vulnerable:
chromium -- multiple vulnerabilities
CVE: CVE-2023-4431
CVE: CVE-2023-4427
CVE: CVE-2023-4428
CVE: CVE-2023-4429
CVE: CVE-2023-4430
WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html
samba413-4.13.17_5 is vulnerable:
samba -- multiple vulnerabilities
CVE: CVE-2023-3347
CVE: CVE-2023-34966
CVE: CVE-2023-34968
CVE: CVE-2022-2127
CVE: CVE-2023-34967
WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html
2 problem(s) in 2 installed package(s) found.当不存在任何漏洞,或未安装任何第三方软件时,输出内容类似如下:
sh
Fetching vuln.xml.xz: 100% 1199 KiB 1.2 MB/s 00:01
vulnxml file up-to-date
0 problem(s) in 0 package(s) found.在浏览器中打开所显示的 URL,管理员可获取更多漏洞信息。
该信息包含受影响版本(按 FreeBSD port 版本),以及可能涉及安全公告的其他网站。
17.9.2 安全公告
FreeBSD 项目设有安全团队,负责确定各 FreeBSD 版本的终止生命周期(EoL)日期,并为尚未达到 EoL 的受支持版本提供安全更新。更多信息见 FreeBSD 安全页面。
安全团队的职责之一是响应 FreeBSD 操作系统中已报告的安全漏洞。漏洞确认后,安全团队验证修复所需步骤并将修复提交至源代码,随后将详情以“安全公告”形式发布。安全公告发布于 FreeBSD 网站,并邮寄至 FreeBSD 安全通知邮件列表、FreeBSD 安全邮件列表和 FreeBSD 公告邮件列表。
17.9.3 安全公告的格式
以下是一份 FreeBSD 安全公告的示例,来自 https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc,报告的内容是 CVE-2026-4747 Remote code execution via RPCSEC_GSS packet validation:
text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:08.rpcsec_gss Security Advisory
The FreeBSD Project
Topic: Remote code execution via RPCSEC_GSS packet validation
Category: core
Module: rpcsec_gss
Announced: 2026-03-26
Credits: Nicholas Carlini using Claude, Anthropic
Affects: All supported versions of FreeBSD.
Corrected: 2026-03-26 01:25:23 UTC (stable/15, 15.0-STABLE)
2026-03-26 01:11:20 UTC (releng/15.0, 15.0-RELEASE-p5)
2026-03-26 01:28:47 UTC (stable/14, 14.4-STABLE)
2026-03-26 01:14:55 UTC (releng/14.4, 14.4-RELEASE-p1)
2026-03-26 01:16:01 UTC (releng/14.3, 14.3-RELEASE-p10)
2026-03-26 01:30:12 UTC (stable/13, 13.5-STABLE)
2026-03-26 01:34:10 UTC (releng/13.5, 13.5-RELEASE-p11)
CVE Name: CVE-2026-4747
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
Generic Security Services (GSS) is an API which lets applications establish a
private, authenticated communication channel with a server, such as an NFC
server.
RPCSEC_GSS is a module which enables the use of GSS with Sun RPC (rpc(3))
servers. It is implemented in the kernel by the kgssapi.ko kernel module, and
used by the NFS server to enable Kerberos-based authentication and encryption
of traffic between the server and clients. In userspace it is implemented by
the librpcsec_gss library.
II. Problem Description
Each RPCSEC_GSS data packet is validated by a routine which checks a signature
in the packet. This routine copies a portion of the packet into a stack buffer,
but fails to ensure that the buffer is sufficiently large, and a malicious
client can trigger a stack overflow. Notably, this does not require the client
to authenticate itself first.
III. Impact
As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution
in the kernel is possible by an authenticated user that is able to send packets
to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
In userspace, applications which have librpcgss_sec loaded and run an RPC server
are vulnerable to remote code execution from any client able to send it packets.
We are not aware of any such applications in the FreeBSD base system.
IV. Workaround
No workaround is available. Kernels that do not have kgssapi.ko loaded are not
vulnerable. In userspace, any daemon linked with librpcgss_sec and running an
RPC server is vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch
# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch.asc
# gpg --verify rpcsec_gss.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel and the operating system as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and
<URL:https://www.FreeBSD.org/handbook/makeworld.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 1b00fdc1f3cd stable/15-n282700
releng/15.0/ 4ec1b6213463 releng/15.0-n281013
stable/14/ e5ed09ffd592 stable/14-n273840
releng/14.4/ 7ea03a4238e8 releng/14.4-n273677
releng/14.3/ b6ce88ab9a5f releng/14.3-n271477
stable/13/ 99ec7f9b9e48 stable/13-n259823
releng/13.5/ c4f53a1adbd4 releng/13.5-n259207
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-4747>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnEkWEACgkQbljekB8A
Gu/LsA/9EC3I0xFSAJpbHLVpV4dmCpzhMUn5CU3iJhXOsV4hWip6fJvjHmiRcVDC
luJ/udrLS6izmx4dmZBcEQMSOt2hXK/P/5JgVQCM0f3hXfkLFWGPnA1/wG4hSqjd
nsbHfExgqs4ToWhgfQDaEwgc5d9FQfnQUTk3noXal1FA6o10+9PAA5nmj74ZGtYC
6umspzzJNR8+6EaTftY8nb40DMAAyNMTBu3S2KikiuiqLSuMETyGEHS0ceMZzX0C
D8rWRlaXpNOyVrRPhEuVurF9SB9EghEB1K587Xm0cqpCLT8GsW5FeSkp4VD2Ir0v
7Ghu693vLbmVwm5pQUNr8cf7uO/kLg6Gce3FWlqYteRN+PeuOkx2DRAChm4QMEK2
8Xjix/bS3HT6GkRmHCtwS7IU8L1vw/kAt4uvSV5uyEzRbpGKEbrdZOXFUSjPrY3R
xHAKGosZaZKYJ4rveQOhsS1OoevN7ghhEJJ6PJf1wdYOSwNl41zq8R9LVqos4A+w
fJmIQwoSMPhT7E+XCjrsOrt5TuBHrv5O7871IFxk00rsgJN3W2vTw4epEwRiWpJm
mqv40zoarV4L4Gq3P4PAT8VaiWXTo44qyvu9LV+fnEArtlyfYPNLglC7NJKaeI1D
Ou89dG/+L1GeJlkIVbRj4DUfcpLO0yV1LG/KYvQqr4TCILaddzk=
=K+Bc
-----END PGP SIGNATURE-----每份安全公告均采用以下格式:
- 每份安全公告均由安全官(Security Officer)的 PGP 密钥签名。可在 OpenPGP Keys 中验证安全官公钥。
- 安全公告名称始终以
FreeBSD-SA-开头(意为 FreeBSD 安全公告),后接两位数字年份(如26表示 2026 年,后接冒号)、当年公告序号(08.为第 8 份),再后为受影响应用程序或子系统名称(rpcsec_gss)。 Topic字段概括该漏洞。Category表示系统中受影响的部分,可为core、contrib或ports。core表示漏洞影响 FreeBSD 操作系统核心组件;contrib表示影响随 FreeBSD 附带的软件(如 BIND);ports表示影响通过 Ports Collection 提供的软件。Module字段指组件位置。本例中rpcsec_gss模块受影响,故漏洞影响随操作系统安装的应用程序。Announced字段为安全公告发布日期,表明安全团队已验证问题存在且补丁已提交至 FreeBSD 源代码仓库。Credits字段向发现并报告漏洞的个人或组织致谢。Affects字段说明受此漏洞影响的 FreeBSD 版本。Corrected字段指出版本已更正的日期、时间、时区及版本。括号中为已合并修复的各分支及其版本号。版本标识符含版本号,适用时含补丁级别——字母p后接数字表示补丁序号,便于用户跟踪已应用补丁。CVE Name字段列出公开 CVE 数据库中的公告编号(如果存在)。Background字段提供受影响模块的描述。Problem Description字段解释漏洞,可能含代码缺陷及恶意利用方式等信息。Impact字段说明该问题对系统的潜在影响。Workaround字段指出无法立即修补的系统是否有变通方案。Solution字段给出修补受影响系统的操作说明,该方法经分步测试验证,可使系统修补后安全运行。Correction Details字段列出受影响 Git 分支及包含更正代码的修订号。References字段提供漏洞的其他信息来源。
17.9.4 课后习题
运行
pkg audit -F获取当前系统中所有存在已知漏洞的软件包列表,从中选取一个高危漏洞,在 CVE 数据库查找其详细信息。查阅 FreeBSD 官方网站上发布的所有安全公告(FreeBSD-SA),绘制直方图,展示年代和公告数量。
在测试环境中回退一款软件包到存在已知漏洞的旧版本,运行
pkg audit验证漏洞检测结果,然后修复漏洞后再次运行检测,记录完整的流程。