
# 30.3 Third-Party Vulnerabilities and Security Advisories

FreeBSD uses `pkg audit` to query the vulnerability database (VuXML), providing CVE alerts for installed third-party software packages. This section introduces the audit command usage and explains the standard format of Security Advisories.

## Monitoring Third-Party Security Issues

pkg consults a vulnerability database (VuXML) maintained by the FreeBSD Security Team and the ports committers. The daily periodic(8) security run refreshes this database and reports vulnerable packages when `daily_status_security_pkgaudit_enable="YES"` is set in `/etc/periodic.conf` (this is the default shipped in `/etc/defaults/periodic.conf`).

By default pkg fetches the database from `https://vuxml.freebsd.org/freebsd/vuln.xml.xz`; the location is controlled by the `VULNXML_SITE` option in pkg.conf(5). A browsable index of the same entries is available at <https://www.vuxml.org/freebsd/index.html>.

Every third-party package adds code, and therefore potential vulnerabilities, to the system. To audit the packages installed from Ports, refresh the database (`-F`) and check the installed packages against it. Fetching writes the database into the package database directory, so run the command as root:

```sh
# pkg audit -F
```

The output should resemble the following:

```
vulnxml file up-to-date
chromium-116.0.5845.96_1 is vulnerable:
  chromium -- multiple vulnerabilities
  CVE: CVE-2023-4431
  CVE: CVE-2023-4427
  CVE: CVE-2023-4428
  CVE: CVE-2023-4429
  CVE: CVE-2023-4430
  WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html

samba413-4.13.17_5 is vulnerable:
  samba -- multiple vulnerabilities
  CVE: CVE-2023-3347
  CVE: CVE-2023-34966
  CVE: CVE-2023-34968
  CVE: CVE-2022-2127
  CVE: CVE-2023-34967
  WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html

2 problem(s) in 2 installed package(s) found.
```

When there are no vulnerabilities, or no third-party software is installed, the output resembles the following:

```
Fetching vuln.xml.xz: 100%  1199 KiB   1.2 MB/s    00:01
vulnxml file up-to-date
0 problem(s) in 0 package(s) found.
```

Opening the `WWW:` URL in a browser shows the VuXML entry for the vulnerability: the affected range of port versions, and usually links to the upstream or vendor advisories that describe the issue in more detail.
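
The audit output above is meant for a human reading a terminal. When the same check runs from periodic(8) on many hosts, it is more useful as one record per vulnerability that can be diffed, ticketed or shipped to a log collector. The following is an added example, not part of pkg(8) or the FreeBSD documentation: a small parser for the exact text format shown above. It assumes that format (a `name-version is vulnerable:` header, indented title, `CVE:` and `WWW:` lines), handles packages that have several VuXML entries (each entry ends with its own `WWW:` line), and marks entries without a CVE with `-`. The sample input is constructed from the output shown earlier on this page.

```sh
#!/bin/sh
# Added example: turn `pkg audit` output into machine-readable records.
# Not part of pkg(8); it only parses the text format shown on this page.
# Usage on a FreeBSD host:
#   pkg audit -F | parse_pkg_audit
#   pkg audit -F | vulnerable_packages | xargs pkg upgrade -n

# One tab-separated record per vulnerability entry:
#   package-version <TAB> title <TAB> CVE,CVE,... <TAB> VuXML URL
# A package with several VuXML entries yields several records.
parse_pkg_audit() {
    awk '
        # "name-1.2.3 is vulnerable:" opens a package block
        /^[^ ].* is vulnerable:$/ {
            pkg = $1; title = ""; cves = ""
            next
        }
        # CVE lines accumulate until the WWW line closes the entry
        /^  CVE: / {
            cves = (cves == "" ? $2 : cves "," $2)
            next
        }
        # WWW line closes one entry: emit it, reset for a possible next entry
        /^  WWW: / {
            printf "%s\t%s\t%s\t%s\n", pkg, title, (cves == "" ? "-" : cves), $2
            title = ""; cves = ""
            next
        }
        # Any other indented line under a package is the entry title
        /^  / && pkg != "" {
            sub(/^  /, ""); title = $0
            next
        }
    '
}

# Distinct package names (version suffix stripped), e.g. for pkg upgrade
vulnerable_packages() {
    parse_pkg_audit | cut -f1 | sed 's/-[^-]*$//' | sort -u
}

# Constructed sample, trimmed from the audit output shown on this page
SAMPLE_AUDIT='vulnxml file up-to-date
chromium-116.0.5845.96_1 is vulnerable:
  chromium -- multiple vulnerabilities
  CVE: CVE-2023-4431
  CVE: CVE-2023-4427
  WWW: https://vuxml.FreeBSD.org/freebsd/5fa332b9-4269-11ee-8290-a8a1599412c6.html

samba413-4.13.17_5 is vulnerable:
  samba -- multiple vulnerabilities
  CVE: CVE-2023-3347
  WWW: https://vuxml.FreeBSD.org/freebsd/441e1e1a-27a5-11ee-a156-080027f5fec9.html

2 problem(s) in 2 installed package(s) found.'

printf '%s\n' "$SAMPLE_AUDIT" | parse_pkg_audit
```

The package list produced by `vulnerable_packages` is a starting point, not a remediation: a port may be flagged before a fixed version has reached the package repository, in which case `pkg upgrade` changes nothing and the entry has to be tracked until the fix lands or the package is removed.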

## Security Advisories

The FreeBSD Project has a security team responsible for determining the end-of-life (EoL) dates for each FreeBSD version and providing security updates for supported versions that have not yet reached EoL. For more information, see the [FreeBSD security page](https://www.freebsd.org/security).

One of the responsibilities of the security team is to respond to reported security vulnerabilities in the FreeBSD operating system. Once a vulnerability is confirmed, the security team verifies the steps required for the fix and commits the fix to the source code, then publishes the details as a "Security Advisory." Security advisories are published on the [FreeBSD website](https://www.freebsd.org/security/advisories/) and mailed to the [FreeBSD security notifications mailing list](https://lists.freebsd.org/subscription/freebsd-security-notifications), the [FreeBSD security mailing list](https://lists.freebsd.org/subscription/freebsd-security), and the [FreeBSD announcements mailing list](https://lists.freebsd.org/subscription/freebsd-announce).

## Format of Security Advisories

The following is an example of a FreeBSD security advisory from <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>, reporting [CVE-2026-4747 Remote code execution via RPCSEC\_GSS packet validation](https://www.cve.org/CVERecord?id=CVE-2026-4747):

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:08.rpcsec_gss                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Remote code execution via RPCSEC_GSS packet validation

Category:       core
Module:         rpcsec_gss
Announced:      2026-03-26
Credits:        Nicholas Carlini using Claude, Anthropic
Affects:        All supported versions of FreeBSD.
Corrected:      2026-03-26 01:25:23 UTC (stable/15, 15.0-STABLE)
                2026-03-26 01:11:20 UTC (releng/15.0, 15.0-RELEASE-p5)
                2026-03-26 01:28:47 UTC (stable/14, 14.4-STABLE)
                2026-03-26 01:14:55 UTC (releng/14.4, 14.4-RELEASE-p1)
                2026-03-26 01:16:01 UTC (releng/14.3, 14.3-RELEASE-p10)
                2026-03-26 01:30:12 UTC (stable/13, 13.5-STABLE)
                2026-03-26 01:34:10 UTC (releng/13.5, 13.5-RELEASE-p11)
CVE Name:       CVE-2026-4747

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Generic Security Services (GSS) is an API which lets applications establish a
private, authenticated communication channel with a server, such as an NFS server.

RPCSEC_GSS is a module which enables the use of GSS with Sun RPC (rpc(3))
servers.  It is implemented in the kernel by the kgssapi.ko kernel module, and
used by the NFS server to enable Kerberos-based authentication and encryption
of traffic between the server and clients.  In userspace it is implemented by
the librpcsec_gss library.

II.  Problem Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature
in the packet.  This routine copies a portion of the packet into a stack buffer,
but fails to ensure that the buffer is sufficiently large, and a malicious
client can trigger a stack overflow.  Notably, this does not require the client
to authenticate itself first.

III. Impact

As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution
in the kernel is possible by an authenticated user that is able to send packets
to the kernel's NFS server while kgssapi.ko is loaded into the kernel.

In userspace, applications which have librpcgss_sec loaded and run an RPC server
are vulnerable to remote code execution from any client able to send it packets.
We are not aware of any such applications in the FreeBSD base system.

IV.  Workaround

No workaround is available.  Kernels that do not have kgssapi.ko loaded are not
vulnerable.  In userspace, any daemon linked with librpcgss_sec and running an
RPC server is vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch
# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch.asc
# gpg --verify rpcsec_gss.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel and the operating system as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and
<URL:https://www.FreeBSD.org/handbook/makeworld.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              1b00fdc1f3cd    stable/15-n282700
releng/15.0/                            4ec1b6213463  releng/15.0-n281013
stable/14/                              e5ed09ffd592    stable/14-n273840
releng/14.4/                            7ea03a4238e8  releng/14.4-n273677
releng/14.3/                            b6ce88ab9a5f  releng/14.3-n271477
stable/13/                              99ec7f9b9e48    stable/13-n259823
releng/13.5/                            c4f53a1adbd4  releng/13.5-n259207
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-4747>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>
-----BEGIN PGP SIGNATURE-----
(PGP signature block omitted)
-----END PGP SIGNATURE-----
```

Each security advisory follows this format:

* Each security advisory is signed with the Security Officer's PGP key; verify the signature before acting on an advisory received by mail. The Security Officer's public key is published at [OpenPGP Keys](https://docs.freebsd.org/en/books/handbook/pgpkeys/#pgpkeys).
* The advisory name always begins with `FreeBSD-SA-` (FreeBSD Security Advisory), followed by the two-digit year (`26` for 2026), a colon, the advisory's sequence number within that year (`08`, the eighth of 2026), a period, and the name of the affected application or subsystem (`rpcsec_gss`).

| Field                 | Description                                                                                                                                                                                                                                                                                                                                                                          |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `Topic`               | Summarizes the vulnerability                                                                                                                                                                                                                                                                                                                                                         |
| `Category`            | Indicates the affected part of the system, which can be `core`, `contrib`, or `ports`. `core` indicates the vulnerability affects a core component of the FreeBSD operating system; `contrib` indicates it affects software shipped with FreeBSD (such as BIND); `ports` indicates it affects software available through the Ports Collection                                        |
| `Module`              | Indicates the affected component. In this example `rpcsec_gss` covers both the `kgssapi.ko` kernel module and the `librpcsec_gss` library, so the vulnerability lies in a component shipped with the operating system itself rather than in a port |
| `Announced`           | The date the security advisory was published, indicating that the security team has verified the issue exists and the fix has been committed to the FreeBSD source repository                                                                                                                                                                                                        |
| `Credits`             | Acknowledges the individuals or organizations who discovered and reported the vulnerability                                                                                                                                                                                                                                                                                          |
| `Affects`             | Indicates which FreeBSD versions are affected by this vulnerability                                                                                                                                                                                                                                                                                                                  |
| `Corrected`           | Indicates the date, time, timezone, and version when the correction was made. The branches and their version numbers that have the fix merged are shown in parentheses. The version identifier includes the version number and, where applicable, the patch level — the letter `p` followed by a number indicates the patch sequence number, allowing users to track applied patches |
| `CVE Name`            | The identifier of the vulnerability in the public [CVE database](https://www.cve.org/), if one has been assigned |
| `Background`          | Provides a description of the affected module                                                                                                                                                                                                                                                                                                                                        |
| `Problem Description` | Explains the vulnerability, potentially including information about the code defect and how it could be maliciously exploited                                                                                                                                                                                                                                                        |
| `Impact`              | Describes the potential impact of the issue on the system                                                                                                                                                                                                                                                                                                                            |
| `Workaround`          | Indicates whether a workaround exists for systems that cannot be immediately patched                                                                                                                                                                                                                                                                                                 |
| `Solution`            | Gives the tested, step-by-step instructions for patching the affected system: upgrading base system packages with pkg(8), running freebsd-update(8), or applying the source patch and rebuilding |
| `Correction Details`  | Lists, for each stable and releng branch, the Git commit hash containing the fix and the branch's commit count (the `nNNNNNN` revision), which can be compared against `git rev-list --count --first-parent HEAD` in a source checkout |
| `References`          | Provides additional sources of information about the vulnerability                                                                                                                                                                                                                                                                                                                   |
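
The `Corrected` field and the Solution section together answer the question an administrator actually has: is this host already at or above the patch level that contains the fix? The following is an added example, not FreeBSD tooling and not taken from the advisory: it extracts the corrected version for a release branch from the `Corrected:` block and compares it with a version string in the form printed by freebsd-version(1), such as `14.3-RELEASE-p9`. It assumes the field layout shown in the advisory above (one `(releng/X.Y, X.Y-RELEASE-pN)` entry per line, block ended by the next column-0 header). Hosts on `-STABLE` or `-CURRENT` have no patch level and are deliberately reported as not comparable, because for them the commit count in Correction details is the right test. The sample advisory header is constructed from the advisory quoted above.

```sh
#!/bin/sh
# Added example: decide from an advisory's "Corrected:" block whether a
# release host already carries the fix. Not FreeBSD tooling; it assumes the
# field layout shown in the advisory above and a version string in the form
# printed by freebsd-version(1), e.g. "14.3-RELEASE-p9".

# Print the corrected version for release branch $1 (e.g. "14.3"), reading
# the advisory text on stdin. Prints nothing if there is no releng entry.
advisory_fixed_version() {
    awk -v want="$1" '
        /^Corrected:/ { inblock = 1 }
        inblock && match($0, /\(releng\/[0-9]+\.[0-9]+, [^)]*\)/) {
            s = substr($0, RSTART + 1, RLENGTH - 2)   # releng/14.3, 14.3-RELEASE-p10
            split(s, parts, ", ")
            if (substr(parts[1], 8) == want) { print parts[2]; exit }
        }
        # The next header at column 0 (here "CVE Name:") ends the block
        inblock && /^[A-Za-z]/ && !/^Corrected:/ { inblock = 0 }
    '
}

# 0: installed ($1) is at or above fixed ($2) on the same release branch
# 1: installed is older than fixed
# 2: not comparable (different release, or a -STABLE/-CURRENT host whose
#    state is judged by commit count, see "Correction details")
patchlevel_ok() {
    ibase=${1%%-p[0-9]*}; fbase=${2%%-p[0-9]*}
    [ "$ibase" = "$fbase" ] || return 2
    ip=${1#*-p}; [ "$ip" = "$1" ] && ip=0     # no -pN suffix means patch level 0
    fp=${2#*-p}; [ "$fp" = "$2" ] && fp=0
    [ "$ip" -ge "$fp" ]
}

# Report for one host: $1 is its freebsd-version string, advisory on stdin
check_host() {
    fixed=$(advisory_fixed_version "${1%%-*}")
    if [ -z "$fixed" ]; then
        echo "$1: no releng entry for this release in the advisory"
        return 2
    fi
    rc=0; patchlevel_ok "$1" "$fixed" || rc=$?
    case $rc in
        0) echo "$1: patched (fix is in $fixed)" ;;
        1) echo "$1: VULNERABLE, needs $fixed" ;;
        *) echo "$1: not a release branch, compare commit counts instead" ;;
    esac
    return $rc
}

# Constructed sample header, taken from the advisory quoted on this page
SAMPLE_ADVISORY='FreeBSD-SA-26:08.rpcsec_gss                                 Security Advisory
Topic:          Remote code execution via RPCSEC_GSS packet validation
Affects:        All supported versions of FreeBSD.
Corrected:      2026-03-26 01:25:23 UTC (stable/15, 15.0-STABLE)
                2026-03-26 01:11:20 UTC (releng/15.0, 15.0-RELEASE-p5)
                2026-03-26 01:14:55 UTC (releng/14.4, 14.4-RELEASE-p1)
                2026-03-26 01:16:01 UTC (releng/14.3, 14.3-RELEASE-p10)
                2026-03-26 01:34:10 UTC (releng/13.5, 13.5-RELEASE-p11)
CVE Name:       CVE-2026-4747'

for v in 14.3-RELEASE-p9 14.3-RELEASE-p10 15.0-STABLE; do
    printf '%s\n' "$SAMPLE_ADVISORY" | check_host "$v" || :
done
```

On a real host, feed `freebsd-version -ku` (kernel and userland can differ after an update without a reboot) and the downloaded `.asc` file to `check_host`, and verify the advisory's PGP signature first; the script trusts whatever text it is given.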

## Exercises

1. Run `pkg audit -F` to obtain a list of all installed packages with known vulnerabilities, select a high-severity vulnerability from the list, and look up its detailed information in the CVE database.
2. Review all security advisories (FreeBSD-SA) published on the official FreeBSD website and create a histogram showing the year and the number of advisories.
3. In a test environment, downgrade a software package to an older version with a known vulnerability, run `pkg audit` to verify the vulnerability detection result, then fix the vulnerability and run the detection again, documenting the complete process.
