FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Certificate revocation list fetch(1) option fails

Affected packages
14.1 <= FreeBSD < 14.1_6
13.4 <= FreeBSD < 13.4_2
13.3 <= FreeBSD < 13.3_8

Details

VuXML ID ce0f52e1-a174-11ef-9a62-002590c1f29c
Discovery 2024-10-29
Entry 2024-11-13

Problem Description:

The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.

Impact:

Fetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option.

References

CVE Name CVE-2024-45289
FreeBSD Advisory SA-24:19.fetch