Last week in BSD
Releases: HardenedBSD, OPNsense, pfSense
Other news: BSDnow, BSDSec, FreeBSD, HardenedBSD, LibreSSL, OPNsense, DragonFly BSD, pfSense
Releases
HardenedBSD-stable 10-STABLE and 11-CURRENT amd64 installers
OPNsense 15.7.18 Released
This update brings quite a few fixes, especially with regard to VMware and Xen virtualisation plugins. If you are in need of such plugins for seamless guest support the installation is quite painless:
# pkg install os-vmware
# pkg install os-xen
In case of VMware, the masterplan is that vmx network devices will be persistent after reboot so that such devices can be embedded into the config.xml. Let us know how that works for you guys. Needless to say, we’ll keep working on making plugins accessible through the GUI with our next major version that is 16.1.
We’ve also been working on ironing out further IPsec hiccups and adding more features to the captive portal in the development version. Oh, and this: fresh images based on 15.7.18 will be available a couple of days after this release.
Here are the full patch notes:
- plugins: updated the VMware plugin to support early boot for persistent vmx(4) device access
- plugins: added the Xen plugin for automatic guest support
- openvpn: fix server not saving interface without IP
- crash reporter: remember email for continuous feedback
- crash reporter: Suhosin PHP module no longer triggers crash reports
- crash reporter: fixed 10 assorted crash reports
- languages: fix all apply button prompts for non-English translations
- languages: updated German and French via https://translate.opnsense.org
- backend: added simple plugin hooks for boot up, early boot up and shutdown
- GUI: hooked up the authentication backend rewrite
- dhcp: remove illegal ifconfig tag in custom dhclient script
- virtual ips: make subnet selectable on ipalias
- ipsec: flip ipv4/ipv6 subnet options in phase2
- ipsec: fix issue when using both tunnels and roadwarrior
- ipsec: listen to disabled ipsec nat entries
- ipsec: do not overwrite settings for rekey/reauth
- proxy: fix error on saving special URL characters
- aliases: fix missing url table items
- aliases: hide minus when not applicable
- ntp: don’t trigger set_gps_default on page load
- captive portal (development): clean rewrite of RADIUS authentication/accounting
- captive portal (development): added a session overview feature to the new
- captive portal (development): fixed template download file name in Google Chrome
- src: Implement pubkey support for pkg(7) bootstrap [1]
- src: rpcbind remote denial of service [2]
- src: Applications exiting due to segmentation violation on a correct memory address [3]
- src: tzdata updated to 2015g [4]
- ports: ntp 4.2.8p4 [5]
- ports: pkg 1.6.1 [6] [7]
- ports: sqlite 3.9.1 [8]
- ports: suricata 2.0.9 [9]
- ports: php 5.6.15 [10]
2.2.5-RELEASE Now Available!
pfSense® software version 2.2.5 is now available. This release includes a number of bug fixes and some security updates.
Today is also the 11 year birthday of the project. While work started
in late summer 2004, the domains were registered and the project made
public on November 5, 2004. Thanks to everyone that has helped make the
project a great success for 11 years. Things just keep getting
better, and the best is yet to come.
Security Fixes and Errata
- pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
- The complete list of affected pages and fields is listed in the linked SA.
- Updated to FreeBSD 10.1-RELEASE-p24
- FreeBSD-SA-15:25.ntp Multiple vulnerabilities in NTP [REVISED]
- FreeBSD-SA-15:14.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.
- FreeBSD-SA-15:16.openssh: OpenSSH client does not correctly verify DNS SSHFP records when a server offers a certificate (CVE-2014-2653). OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.
- FreeBSD-SA-15:18.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
- FreeBSD-SA-15:20.expat: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
- FreeBSD-SA-15:21.amd64: If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.
- FreeBSD-SA-15:22.openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.
News
OpenBGPd and route filters
Many moons ago, OpenBGPd was extensively used throughout the
networking world as a Route Server. However, over the years, many have
stopped using it and have migrated away to other implementations.
Recently, I have been getting more involved with the networking
community, so I decided to ask "why?"
Call For Donations Update
On 11 July 2015, we announced a Call For Donations.
The community has been very gracious towards us. As of today, we have
now exceeded our goal. We are grateful to each and every one of our
donors, no matter the amount they contributed or in what form.
HardenedBSD is growing and we need all the help we can get. We would
especially like to thank Xinuos and ISC for their sizable contributions.
Here's what we've managed to do so far with the donations provided:
- Replace two failing hard drives in the package building server along with ordering two extra for hot spares.
- Purchase multiple ARM and ARM64 development boards for porting and testing efforts.
- Stickers!
- Minor expenses for conferences.
- Hosting expenses.
- Other hardware replacement and acquisition.
We couldn't have done all of this had it not been for all the generous contributions, large and small. Even though we've reached our goal, we're still accepting donations. The more that comes in, the more that we can accomplish. We look forward to the coming year and the advancements we'll make.
BSD-Schooling | BSD Now 114
Allan is out of town this week at another Developer Summit but
we have a great episode coming up with Brian Callahan where we discuss
BSD in education. Also, news & a lot of user feedback to get to, so
sit back & relax, more BSD is coming your way right now!