BSD News 15/01/2018

Last week in BSD

Releases: OPNsense
News: OpenBSD, OPNsense, Meltdown, Spectre, DragonFly, FreeBSD, Bhyve


BSDSec

OpenBSD Errata: January 14th, 2018 (libssl)

Releases


OPNsense® 18.1 Release Candidate 1

For more than 3 years now, OPNsense has been driving innovation by modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing. Over the second half of 2017 well over 500 changes have made it into this first release candidate. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API work on the core firewall functionality. Meltdown and Spectre patches are currently being worked on in FreeBSD, but there is no reliable timeline.


News

An update on Meltdown and Spectre

We have previously issued a short statement with preliminary analysis of Meltdown and Spectre vulnerabilities. This post is an update now that we have an official statement from the FreeBSD project.

Dragonfly More Meltdown fixes

If you’re on the bleeding edge of DragonFly and already updated for the Meltdown fixes, there are a few more commits you’ll want to get. Matthew Dillon wrote a summary of the current status, noting there’s not much you can do for Spectre beyond new hardware. There is an update to the “defensive browser setup” plan for DragonFly (using --site-per-process) that can help at least with JavaScript versions of Spectre.

Dragonfly Even more Meltdown

Are you tired of hearing about Meltdown/Spectre yet?  Doesn’t matter!  The two sysctls for controlling mitigation in DragonFly have been renamed:

machdep.meltdown_mitigation
machdep.spectre_mitigation

They default to hopefully sensible values, but Matthew Dillon has done some testing to show the effects of each in various combinations. (Update: more changes and tests.) Note that this is not the final mitigation work; compilers (i.e. gcc) are being updated to include workarounds for this, so new gcc -> new compiler in DragonFly -> new defenses. No silver bullet there, though.

OpenBSD-current now has 'smtpctl spf walk'

If you run a mail service, you probably like to have greylisting in place, via spamd(8) or similar means. However, there are some sites that simply do not play well with greylisting, and for those it's useful to extract SPF information to identify their valid outgoing SMTP hosts.
Now OpenBSD offers a straightforward mechanism to do that and fill your nospamd table, right from the smtpctl utility via the subcommand spf walk. Gilles Chehade (gilles@) describes how in a recent blog post titled spfwalk.
This feature is still in need of testing, so please grab a snapshot and test!
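To show what an SPF walk actually does before its output lands in a nospamd table, here is an added example in Python; it is not OpenBSD's smtpctl code, and the domains and TXT records are constructed in-memory stand-ins for DNS so it runs offline. It follows include: and redirect= recursively, guards against cyclic includes, honours the RFC 7208 lookup limit, and emits one network per line in the shape a pf table file expects.

```python
import ipaddress

# Constructed TXT records standing in for DNS (hypothetical domains, offline).
FAKE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.test -all",
    "_spf.mail.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 include:loop.test ~all",
    "loop.test": "v=spf1 include:_spf.mail.test a -all",  # deliberate cycle
    "no-spf.test": "some unrelated TXT record",
}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-causing terms per evaluation

def lookup_txt(name):
    """Stand-in for a DNS TXT query; a real walker would ask the resolver."""
    return FAKE_TXT.get(name)

def spf_walk(domain, resolver=lookup_txt, seen=None, budget=None):
    """Collect the ip4:/ip6: networks reachable from a domain's SPF policy.
    Follows include: and redirect= recursively, guards against cycles and
    honours the lookup limit. a/mx/exists terms would need more DNS queries;
    they are charged to the budget but not expanded in this offline example.
    """
    seen = set() if seen is None else seen
    budget = [MAX_LOOKUPS] if budget is None else budget
    nets = set()
    if domain in seen or budget[0] <= 0:
        return nets
    seen.add(domain)
    budget[0] -= 1
    record = resolver(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return nets
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # qualifier is irrelevant when walking
        if mech.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            nets |= spf_walk(mech[8:], resolver, seen, budget)
        elif mech.startswith("redirect="):
            nets |= spf_walk(mech[9:], resolver, seen, budget)
        elif mech in ("a", "mx") or mech.startswith(("a:", "mx:", "exists:")):
            budget[0] -= 1
    return nets

def nospamd_lines(domain):
    """One network per line, the shape a pf table file such as nospamd expects."""
    return [str(n) for n in sorted(spf_walk(domain), key=lambda n: (n.version, n))]

if __name__ == "__main__":
    print("\n".join(nospamd_lines("example.test")))
```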

The Spectre of Meltdown | BSD Now 228

We review the information about Spectre & Meltdown thus far, we look at NetBSD memory sanitizer progress, Postgres on ZFS & show you a bit about NomadBSD.




Code stuff

In Other BSDs for 2018/01/13
Microcode updates on DragonFly
IBRS and IBPB support in DragonFly
CPU microcode update code for amd64 for OpenBSD
HAMMER1, mounted and unmounted cleanup

Interesting articles

Handling of CPU bugs disclosure 'incredibly bad': OpenBSD's de Raadt
Running CentOS with Bhyve
July-September 2017 FreeBSD Status Report


Jan Hovancik

software developer - guitar player - poetry lover