
BSD News 13/11/2017

Last week in BSD

News: BSDSec, p2k17, LibreSSL, DragonFly BSD, BSDnow, Minix, OpenBSD
Releases: DragonFly BSD

BSDSec

LibreSSL 2.6.3 Released

Releases

DragonFly 5.0.1 released

This is a bugfix release, adding HAMMER2 support in initrd, among other cleanup commits.

News

We love the ARC | BSD Now 219

Papers we love: ARC by Bryan Cantrill, SSD caching adventures with ZFS, OpenBSD full disk encryption setup & a Perl5 Slack Syslog BSD daemon.

DragonFlyBSD: kernel ppp gone; ppp still there

The ppp kernel module has been removed. It’s still possible to run ppp(8) in userland, with tun(4), so it’s only a change in strategy, not result.

Dragonfly BSD: sys_pipe reoptimized

sys_pipe has been modified to avoid contention on DragonFly, which means better performance as tasks get handed between processors.

Interesting articles

MINIX — The most popular OS in the world, thanks to Intel

In Other BSDs for 2017/11/11


p2k17 Hackathon

OpenBSD is holding hackathons as an attempt to get new changes into the source tree quickly. Here are some reports from the latest: 
Jeremy Evans on ruby progress, postgresql and webdriver work

BSDNews 11/07/2016

Last 2 weeks in BSD

Releases: OPNsense
Other news: BSDSec, FreeBSD, EuroBSDCon, Lumina Desktop, DragonFly BSD, BSDnow, HardenedBSD, LibreSSL, Hammer2, NetBSD

BSDSec


Releases

OPNsense 16.1.18 released

  • system: properly run fsck on boot if needed
  • system: new Cron page and API now available for general use
  • system: QR codes are now generated locally in the browser (contributed by Fabian Franz)
  • system: harden serial config write against power failures
  • system: allow serial config to attach to all available ttys
  • system: added missing ACL entry for LDAP user import page
  • system: reworked log page layout and dependencies
  • firmware: detach / reattach support for upgrade page
  • firmware: mirror and flavour selection moved to respective page
  • interfaces: improvements for 4G devices (sponsored by OSNet.eu[1])
  • interfaces: debug mode and logging for rtsold in DHCPv6 mode
  • dhcp: separate pages for router advertisements and service control
  • dhcp: IPv6 server as a stand-alone process for service control
  • dhcp: fixed and improved writing of dynamic DNS configuration
  • ports: python 2.7.11_3[2], unbound 1.5.9[3], curl 7.49.1[4], openssl 1.0.2_14[5], sudo 1.8.17p1[6], php 5.6.23[7], pcre 8.39[8], haproxy 1.6.6[9]
  • src: tzdata updated to 2016e[10]
  • src: fix pf fragment timeout[11]


News

Lumina 1.0.0 sources frozen

The source tree for the Lumina desktop has just been soft-frozen in preparation for the upcoming release of version 1.0.0 in mid-August (tentatively targeting August 8th for final reviews/checks).
This means that all interface elements (GUIs, widgets, etc.) as well as any text which requires translation may no longer be changed without approval from both Ken Moore and the documentation team (basically only things like bug fixes or spelling errors).
This is now the time to go through and perform any translations of the Lumina desktop in preparation for the release. You can see the current translation progress and help perform translations on the PC-BSD translations website.
We have also created a new tarball of the Lumina source tree on github (v1.0.0-Beta2) so that package distributors have time to audit their current build systems and ensure that the Lumina files/binaries are being packaged properly (please report any packaging issues ASAP so that we can adjust things as necessary). This is very important as a few binary names and install locations for files have changed, and some optional dependencies have changed as well (“compton” may be used instead of “xcompmgr” for example).

Kisumu digital library and DragonFly

There’s a new digital library in Kisumu, Kenya – and it’s running DragonFly for file storage.

The place to B... A Robot! | BSD Now 148

This week on the show, Allan & I are going to be showing you a very interesting interview we did talking about using FreeBSD to drive a Robot! You won’t want to miss this one. That plus all the latest news, heading your way right now!

A Wild Dexter Appears! | BSD Now 149

Today on the show, we are going to be chatting with Michael Dexter about a variety of topics, but of course including bhyve! That plus the latest news is heading your way right now on BSDNow, the place to B….SD!

A single function for creating a new port

In my two previous posts I talked about creating a new port and copying a port from head to a branch. The goal of this post is the creation of a new function: CreatePortOnBranch($category_name, $port_name, $CommitBranch)
The failed start
I started out with this stored procedure: Running it gave this message: # select CreatePort('sysutils', 'bacula-server', [...]

LibreSSL Package Repo

We are pleased to announce the availability of the LibreSSL package repo for 11-CURRENT/amd64. This repo is based off of the LibreSSL-in-base branch (hardened/current/master-libressl) that Bernard Spil has been working on. Going forward, along with providing binary updates for that branch via hbsd-update(8), we will also provide binary packages. We will also provide binary packages soon for the LibreSSL 10-STABLE branch (hardened/10-stable/master-libressl). Having both the feature branches along with package repos will allow us to investigate making LibreSSL the standard in HardenedBSD.
We would like to thank Bernard Spil for his continuous hard work. We're glad to have him on the team. Thanks to him, HardenedBSD is the first downstream FreeBSD project to have both LibreSSL in base along with a package repo that matches.

Code stuff


Interesting articles


BSD News 16/05/2016

Last week in BSD

Releases: HardenedBSD, SoloBSD
Other news: BSDnow, OpenBSD, p2k16, LibreSSL, DragonFlyBSD, FreeBSD

BSDSec

There seem to be no SA warnings.

Releases

New stable version: HardenedBSD-stable HardenedBSD-10-STABLE-v44.6

HardenedBSD-10-STABLE-v44.6 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

SoloBSD 10.3-STABLE-v44.6

Aventuras BSDeras by Guillermo García Rojas C.
There is a new build of SoloBSD 10.3-STABLE based on the latest HardenedBSD stable branch version 44.6
Changelog v44.6
- Switched to Python3.5 interpreter.
- Now with PIE on base!
You can grab it from Here. (60.6 Mb)
root password: solobsd

News

BSD Likes Ike! | BSD Now 141

This week on the show, we have all the latest news & stories! Plus we’ll be hearing more about OpnSense from the man himself, Ike! Sit tight, the show starts now on your place to B…SD!

Code stuff

libressl - more vague promises

Interesting articles


Wallpaper of the week

BSD News 09/05/2016

Last week in BSD

Releases: SoloBSD, HardenedBSD
Other news: BSDSec, FreeBSD, OpenBSD, pkgsrc, SoloBSD, HardenedBSD, BSDnow, DragonFly BSD, LibreSSL, MirOS


BSDSec

Releases

SoloBSD 10.3-STABLE-v44.5

There is a new build of SoloBSD 10.3-STABLE based on the latest HardenedBSD stable branch version 44.5
- Changelog v44.5
- Python3.5 interpreter has been added.
You can grab it from Here. (58.7 Mb)
root password: solobsd

New stable version: HardenedBSD-stable 11-CURRENT v46.1

HardenedBSD-11-CURRENT-v46.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

News

Tracing it back to BSD | BSD Now 140

This week on BSDNow, Allan is back in town from Europe! We’ll get to hear some of his wrap-up and get caught up on the latest BSD news. That plus our interview about Backtrace.io! Keep it tuned to BSDNow, the place to B….SD!

modules.local now possible

If you happen to be testing kernel modules, DragonFly can now load them from a modules.local directory.  This keeps modules that aren’t part of the base system, separate.  This is probably of most use to developers.  Set local_modules=”YES” in rc.conf to enable.

LibreSSL in HardenedBSD Base

A few months ago, we added Bernard Spil to the HardenedBSD team with a goal to bring in and maintain LibreSSL in base. Given the effort involved in maintaining such a complex piece of software, we at HardenedBSD have made the decision to keep it as a feature branch in the playground repo for now. Those who wish to check out Bernard's awesome, hard work can check out the repo here. We will soon start auto-syncing that feature branch on our normal six-hour cycle and we will produce periodic binary updates. As of today, the first binary update has been published. You can use this hbsd-update.conf file to tell hbsd-update to switch to the LibreSSL branch. If you wish to compile your own version of HardenedBSD with LibreSSL base, you will need to add WITH_LIBRESSL=yes to src.conf.
We would like to thank Bernard for volunteering. He has been a tremendous help. Here is a teaser screenshot.

New SSH hostkey for fish, taking over AnonCVS/AnonRSYNC service

As announced in the earlier wlog entry about server reorg I’ve now switched over most services from the soon-to-be-defunct eurynome to fish, with gecko2’s www.ig42.org providing the redirection HTTP vhost for hostname-less mirbsd.org requests (i.e. people who don’t know how this works) and, soon, fallback HTTP services should they be needed. (He’s trusted with the SSL key and certificate.)
This also involves switching SSH hostkeys for AnonCVS, unfortunately; I’ve taken the chance to generate a fresh key for fish. Look in /MirOS/ for the files (gzsig(1) signed) hostkeys.gz or (PGP signed) hostkeys.asc for a less-dependent source for the new keys.


Code stuff

Interesting articles


BSDNews 28/03/2016

Last week in BSD

Releases: HardenedBSD, FreeNAS, OPNsense
Other news: BSDSec, HardenedBSD, LibreSSL, MidnightBSD, BSDnow, BSDTalk, DragonFly BSD


BSDSec


Releases

New stable release: HardenedBSD-stable 10-STABLE v44

HardenedBSD-10-STABLE-v44 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

FreeNAS 9.10

Jordan Hubbard has announced the release of a new version of FreeNAS, a network attached storage project that is based on FreeBSD. The new version, FreeNAS 9.10, features the same user interface as the earlier 9.3 series, but with an updated FreeBSD core. "This is an interim release between the 9.3 series and 10 (which is still a few months away), using the same UI and middleware that everyone is used to from 9.3 but with new OS underpinnings, specifically FreeBSD 10.3-RC3. Coincident with this release of 9.10, we are also placing 9.3 into maintenance mode and will only be pushing further updates to the 9.3-STABLE train in response to the most critical security advisories or product flaws. We therefore strongly suggest that all current users of 9.3 upgrade to 9.10 in order to continue to benefit from the ongoing maintenance and bug fix work we will be doing on the 9.10-STABLE train. Most, if not all, bug fixes will be made exclusively to the 9.10-STABLE train in reaction to tickets filed on http://bugs.freenas.org. Again: Users who choose to stay on the 9.3-STABLE train will see only the most critical bug fixes and no new features or non-essential enhancements." This release also supports USB 3.0 devices and USB network adapters. Further information is available in the release announcement and release notes. Download: FreeNAS-9.10-RELEASE.iso (405MB, SHA256).

OPNsense 16.1.8 released

This quick 16.1.8 release is not a big update, but it means a lot. We have finished our full sweep of the GUI to update the look and feel of all pages and made the code ready for what is to come now: new features that are on our roadmap for 16.7. The first one will be the HTTPS proxy, but there is also NetFlow and improved statistics / reporting on the shortlist.
A day after 16.1.7 was out last week, FreeBSD 10.2-RELEASE-p14 was announced. Of the four patches enclosed, the two Hyper-V patches we have already brought to OPNsense over a month ago, the OpenSSH patch does not apply since we only use the port and already had it up-to-date. That leaves us with only one patch that we are shipping now to complete the experience.
Attention to everyone using OpenVPN + cryptodev acceleration: the cryptodev module along with older crypto drivers has been removed from the kernel itself, which means that if you need to keep using it, go to System: Settings: Misc and reconfigure your crypto hardware including an enable of cryptodev usage.
New images based on 16.1.8 will be out early next week.
Here are the full patch notes:
  • src: updated tzdata to version 2016b[1]
  • src: fix incorrect argument validation in sysarch[2]
  • src: fix pfi_table_update: cannot set new addresses
  • src: added APU2 temperature sensor support
  • ports: unbound 1.5.8[3], sudo 1.8.16[4], pcre 8.38[5]
  • proxy: better matching for overlapping URLs
  • universal plug and play: refactored pages for improved look and feel
  • vpn: refactored L2TP and PPTP pages for improved look and feel
  • openvpn: fix missed configure stage for Peer to Peer (TLS/SSL) mode
  • system: reworked the behaviour of thermal and crypto modules
  • firewall: tweaked a few rule indicator icons to improve clarity
  • firewall: improved alias validation on edit
  • interfaces: also add previous DHCP override fixes for IPv6
  • language: updated French and German

[1] http://mm.icann.org/pipermail/tz-announce/2016-March/000036.html
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:15.sysarch.asc
[3] http://www.unbound.net/download.html
[4] https://www.sudo.ws/stable.html#1.8.16
[5] http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
The post OPNsense 16.1.8 released appeared first on OPNsense.


News

MidnightBSD with Lucas Holt

MidnightBSD has been around for more than 10 years, but still most BSD users are not familiar with it. That's why we decided to have a quick chat with Lucas Holt, MidnightBSD's founder and lead developer. We will talk about how he got started and what he is working on right now.

Lucas Holt is currently a Senior Application/Programmer Analyst - Team Lead at the University of Michigan. In his own words, MidnightBSD is a heavily modified version of FreeBSD 9.1 with a custom package manager, the sensors framework, ZFS, utilities from NetBSD, OpenBSD, DragonFly and MirBSD, and a good start on a desktop system.


Marking up the Ports tree | BSD Now 134

This week on the show, Allan & Kris have gotten a bit more sleep since AsiaBSDCon, which is excellent since there is a LOT of news to cover. That plus our interview with Ports SecTeam member Mark Felder. So keep it tuned to BSDNow, the place to B...SD!


bsdtalk263 - joshua stein and Brandon Mercer

This episode is brought to you by ftp, the Internet file transfer program, which first appeared in 4.2BSD.
An interview with the hosts of the Garbage Podcast, joshua stein and Brandon Mercer. You can find their podcast at http://garbage.fm/
File Info: 17Min, 8MB.
Ogg Link: https://archive.org/download/bsdtalk263/bsdtalk263.ogg

clang in DragonFly, soon

John Marino has added the starting framework to use clang as the alternate base compiler in DragonFly.  Note that it’s not hooked into the build yet.  This is the first non-GCC compiler added into DragonFly, so there’s some work yet before you can have an all-clang system.  This should replace GCC 4.7, which is the current alternate compiler.  GCC 5.0 is the default, if you didn’t know.
Note that clang is present in dports, so it’s already been available for general use, for some time.  This framework is for building DragonFly itself.

Code stuff 

BSD News 07/03/2016

Last week in BSD

Releases: SoloBSD, OPNsense, HardenedBSD
Other news: FreeBSD, LibreSSL, OpenBSD, pkgsrc, NetBSD, BSDnow, MirOS, Wallpaper


BSDSec

No warnings.


Releases

RELEASE: SoloBSD 10.3-BETA3-v41

RELEASE: SoloBSD 10.3-BETA3-v41.1

There is a new build of SoloBSD 10.3-BETA3 based on the latest HardenedBSD stable branch version 41.1
You can grab it from Here. (42.2 Mb)
root password: solobsd


OPNsense 16.1.5 released

full patch notes:
  • ports: squid 3.5.15[1], unbound 1.5.7 hotfix[2], pkg 1.6.4 hotfix[3], openssl 1.0.2g[4]
  • services: infrastructure rework for plugin additions
  • openvpn: added copy/move to client-specific overrides
  • openvpn: allow binding client-specific overrides to specific server(s)
  • openvpn: service on/off toggle via overview pages
  • openvpn: fix problem with service status display
  • openvpn: when services are disabled, make sure a reconfigure will always stop the associated process
  • vpn: transform PPTP, L2TP and PPPoE servers to plugin addition to be removed from base install for 16.7
  • vpn: add proper service probing for PPTP, L2TP and PPPoE servers
  • interfaces: added RFC 4638 support (MTU > 1492 in PPPoE)
  • ntp: disable when no servers are set
  • language: updates for Chinese, French and German

[1] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.15-RELEASENOTES.html
[2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=729
[3] https://github.com/freebsd/pkg/issues/1394
[4] https://www.openssl.org/news/secadv/20160301.txt

News

FreeBSD Project to participate in Google Summer of Code 2016

The FreeBSD Project is pleased to announce its participation in Google's 2016 Summer of Code program, which funds summer students to participate in open source projects. This will be the FreeBSD Project's twelfth year in the program, having mentored over 180 successful students through summer-long coding projects between 2005 and 2015.

Past successful projects have included improvements to Linux ABI emulation, NFSv4 ACLs, TCP regression testing, FUSE file system support, and countless other projects. Many students go on to become FreeBSD developers, as well as participating in FreeBSD developer events around the world through continuing support from the FreeBSD Foundation.

Prospective participants are invited to apply; more information is available, including proposal and deadline information, on the FreeBSD Summer Projects page.


LibreSSL not affected by DROWN attack

As noted by Bernard Spil, the OpenSSL bugs disclosed on 2016-03-01 have very little impact on LibreSSL, especially on OpenBSD. However, we will briefly mention the two high-profile issues:



  • LibreSSL (on any platform) is not affected by DROWN. Support for SSLv2 was flensed out quite a while ago.
  • Cachebleed is local-only, and requires a lot of effort to exploit. This is thought to be very difficult to exploit on OpenBSD due to many of the normal mitigations on an OpenBSD system. Other systems without such mitigations may not be so lucky. Edit: Update from Bob Beck (beck@):

    OpenBSD 5.9 network improvements

    There are no doubt many eyes on OpenBSD's continuing network SMP renovation. Hrvoje Popovski writes in to tell us about some performance testing he's been doing:
    My name is Hrvoje Popovski, I'm a husband, a father of 3 little kids and network engineer at University of Zagreb University Computing Centre – SRCE. Somewhere around the beginning of 2015, I got one server to play with that luckily had four em(4) (Intel I350) and two ix(4) (Intel 82599) onboard NICs. Around that time, developers started to throw out some interesting MP diffs, and I couldn't resist trying them. So I started to beg my boss and people around me to buy or lend me some PCs or servers to generate traffic with the MP diffs. I don't know how, but two Dell servers came to my lab...
    Read more...

    Stable pkgsrc-2015Q4 branch released

    The pkgsrc developers are proud to announce the pkgsrc-2015Q3 branch. There are 16846 possible packages in pkgsrc-2015Q4, up from 16764 last quarter. Notable new packages this quarter include kodi (home media center software previously known as xbmc), php-baikal (a CardDAV/CalDAV server), freecol (a Colonization clone), unicorn (a CPU emulator framework), and clang-static-analyzer.

    BSD Behind The Chalkboard | BSD Now 131

    This week on the show, we have an interview with Jamie McParland of the Newburg public school district in Oregon. We are going to get an inside look at how they use BSD in various aspects of operations across their network, as well as bringing you the latest news and questions. Keep it tuned to BSDNow, the place to B...SD!

    Pre-orders for 5.9 are up!

    OpenBSD 5.9 is shaping up to be quite a big release, and pre-orders for the CD sets have just been activated. Read more...




    Interesting articles

    LibreSSL in HardenedBSD base Part I
    LibreSSL in HardenedBSD base Part II

    Wallpaper of the week 


    https://hdwallpapers.press/openbsd_technology_unix_hd-wallpaper-8277/

    BSD News 01/02/2016

    Last week in BSD

    Releases: OPNsense, HardenedBSD
    Other news: Talks, HardenedBSD, NetBSD, Minix, FreeBSD, DragonFly BSD, ZFS, HardenedBSD, PC-BSD, OPNsense, LibreSSL, BSDSec, BSDTalk

    BSDSec


    Releases 

    OPNsense 16.1 Released

    It has been more than a year since OPNsense first came out. Back then it was FreeBSD 10.0. Not even two months after, 10.1 was introduced along with the opnsense-update utility. Today is the day for FreeBSD 10.2, the latest and greatest release currently available for broader driver support and stability improvements. 16.1 is nick-named “Crafty Coyote” in honour of our beloved childhood TV sessions. It is the accumulation of 6 months of work, having had our focus on reengineering the captive portal, native intrusion prevention, plugin support, and transforming the reporting frontend into something more modern and flexible just to name a few[1]. Apart from the recently published security advisories (see patch notes below), we have included a quick navigation feature which can be activated by pressing (TAB) followed by search keywords and hitting (ENTER) to go to the desired page. Last but not least, a larger batch of improvements and fixes went into assorted sections of the GUI that certainly help to get your work done without ending up dazed and confused.

    HardenedBSD New development versions.

    New stable versions: HardenedBSD-stable 10-STABLE and 11-CURRENT v40

    New stable versions: HardenedBSD-stable 10-STABLE and 11-CURRENT v40.1

    HardenedBSD-10-STABLE-v40.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
    ---------------------------------------
    [hardenedbsd] HBSD: Don't check for ZFS KLD when non-root.
    [hardenedbsd] HBSD: Harden KLD-related syscalls
    [hardenedbsd] HBSD: Add /proc to the hbsd-update's skipped files list.
    [hardenedbsd/freebsd] HBSD: ktrace: tidy up ktrstruct
    [freebsd] Merge OpenSSL 1.0.1r.
    [freebsd] Add EFI ZFS boot support
    [freebsd] e1000 driver update
    HardenedBSD-11-CURRENT-v40.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
    ------------------------------------------
    [hardenedbsd] HBSD: Don't check for ZFS KLD when non-root.
    [freebsd] Merge OpenSSL 1.0.2f. (SA candidate)
    [hardenedbsd] HBSD: Add /proc to the installer's skipped files list.

    News

    A Reimplementation of NetBSD Using a Microkernel

    This talk covers some of the history of Minix 3, what it is and why Andrew started the project, and how, after years of fighting it, he realized that Minix 3 should be more like BSD than being its own thing.
    Join the discussion on site.

    New Member - CTurt

    We've added a new member to the HardenedBSD team! CTurt will be working with us to research, exploit, and produce patches for kernel-level vulnerabilities. We'll be working on getting these kernel security enhancements upstreamed to FreeBSD after the fixes have been deemed stable in HardenedBSD first.

    License corrections for DragonFly

    This has no effect on the actual operation of DragonFly, but it makes me feel better that it’s done: Rimvydas Jasinskas has gone through DragonFly source and removed the unnecessary 3rd BSD license clause, which is no longer needed.

    illuminating the future on PC-BSD | BSD Now 126

    This week on BSDNow, we are going to be talking to Ken Moore about the Lumina desktop environment, where it stands now and looking ahead. Then Allan turns the tables and interviews both myself and Ken about new ongoings in PC-BSD land. Stay tuned, lots of exciting show is coming your way right now on BSDNow, the place to B...SD!

    bsdtalk261 - Jails and System Management with Kris Moore

    An interview with Kris Moore about the Warden jail management system, iocage, and progress on a new system management API.

    File Info: 30Min, 14MB.

    Ogg Link: https://archive.org/download/BSDTalk261/BSDTalk261.ogg 

    Code stuff 


    Interesting articles

    Wallpaper of the week 

     from http://hdw.eweb4.com/out/637260.html

    BSD News 09/11/2015

    Last week in BSD

    Releases: HardenedBSD, OPNsense, pfSense
    Other news: BSDnow, BSDSec, FreeBSD, HardenedBSD, LibreSSL, OPNsense, DragonFly BSD, pfSense


    BSDSec


    Releases 


    HardenedBSD-stable 10-STABLE and 11-CURRENT amd64 installers

    10-STABLE
    git: git clone --single-branch --branch hardened/10-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-10-stable
    installers: http://installer.hardenedbsd.org/releases/hardened_10_stable_master-LAST/
    11-CURRENT
    git: git clone --single-branch --branch hardened/current/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-current
    installers: http://installer.hardenedbsd.org/releases/hardened_current_master-LAST/


    OPNsense 15.7.18 Released


    It took a while to track down an NTP regression with FreeBSD that turned out to be a flaw in the kernel itself. That’s now fixed for all FreeBSD versions. Thanks everyone for helping out here again. :)
    This update brings quite a few fixes, especially with regard to VMware and Xen virtualisation plugins. If you are in need of such plugins for seamless guest support the installation is quite painless:
    # pkg install os-vmware
    # pkg install os-xen
    In case of VMware, the masterplan is that vmx network devices will be persistent after reboot so that such devices can be embedded into the config.xml. Let us know how that works for you guys. Needless to say, we’ll keep working on making plugins accessible through the GUI with our next major version that is 16.1.
    We’ve also been working on ironing out further IPsec hiccups and adding more features to the captive portal in the development version. Oh, and this: fresh images based on 15.7.18 will be available a couple of days after this release.
    Here are the full patch notes:
    • plugins: updated the VMware plugin to support early boot for persistent vmx(4) device access
    • plugins: added the Xen plugin for automatic guest support
    • openvpn: fix server not saving interface without IP
    • crash reporter: remember email for continuous feedback
    • crash reporter: Suhosin PHP module no longer triggers crash reports
    • crash reporter: fixed 10 assorted crash reports
    • languages: fix all apply button prompts for non-English translations
    • languages: updated German and French via https://translate.opnsense.org
    • backend: added simple plugin hooks for boot up, early boot up and shutdown
    • GUI: hooked up the authentication backend rewrite
    • dhcp: remove illegal ifconfig tag in custom dhclient script
    • virtual ips: make subnet selectable on ipalias
    • ipsec: flip ipv4/ipv6 subnet options in phase2
    • ipsec: fix issue when using both tunnels and roadwarrior
    • ipsec: listen to disabled ipsec nat entries
    • ipsec: do not overwrite settings for rekey/reauth
    • proxy: fix error on saving special URL characters
    • aliases: fix missing url table items
    • aliases: hide minus when not applicable
    • ntp: don’t trigger set_gps_default on page load
    • captive portal (development): clean rewrite of RADIUS authentication/accounting
    • captive portal (development): added a session overview feature to the new
    • captive portal (development): fixed template download file name in Google Chrome
    • src: Implement pubkey support for pkg(7) bootstrap [1]
    • src: rpcbind remote denial of service [2]
    • src: Applications exiting due to segmentation violation on a correct memory address [3]
    • src: tzdata updated to 2015g [4]
    • ports: ntp 4.2.8p4 [5]
    • ports: pkg 1.6.1 [6] [7]
    • ports: sqlite 3.9.1 [8]
    • ports: suricata 2.0.9 [9]
    • ports: php 5.6.15 [10]


    2.2.5-RELEASE Now Available!

    pfSense® software version 2.2.5 is now available. This release includes a number of bug fixes and some security updates.
    Today is also the 11 year birthday of the project. While work started in late summer 2004, the domains were registered and the project made public on November 5, 2004. Thanks to everyone that has helped make the project a great success for 11 years. Things just keep getting better, and the best is yet to come.
    Security Fixes and Errata
    • pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
      • The complete list of affected pages and fields is listed in the linked SA.
    • Updated to FreeBSD 10.1-RELEASE-p24
      • FreeBSD-SA-15:25.ntp Multiple vulnerabilities in NTP [REVISED]
      • FreeBSD-SA-15:14.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.
      • FreeBSD-SA-15:16.openssh: OpenSSH client does not correctly verify DNS SSHFP records when a server offers a certificate. CVE-2014-2653 OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.
      • FreeBSD-SA-15:18.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
      • FreeBSD-SA-15:20.expat: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
      • FreeBSD-SA-15:21.amd64: If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.
      • FreeBSD-SA-15:22.openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.
    The bug fixes and changes in this release are detailed here.

    News 

    OpenBGPd and route filters

    Many moons ago, OpenBGPd was extensively used throughout the networking world as a Route Server. However, over the years, many have stopped using it and have migrated away to other implementations. Recently, I have been getting more involved with the networking community, so I decided to ask "why?" Read more...

    Call For Donations Update

    On 11 July 2015, we announced a Call For Donations. The community has been very gracious towards us. As of today, we have now exceeded our goal. We are grateful to each and every one of our donors, no matter the amount they contributed or in what form. HardenedBSD is growing and we need all the help we can get. We would especially like to thank Xinuos and ISC for their sizable contributions.
    Here's what we've managed to do so far with the donations provided:
    • Replace two failing hard drives in the package building server along with ordering two extra for hot spares.
    • Purchase multiple ARM and ARM64 development boards for porting and testing efforts.
    • Stickers!
    • Minor expenses for conferences.
    • Hosting expenses.
    • Other hardware replacement and acquisition.
    In January of 2016, work will start for becoming a 501(C)(3) not-for-profit organization in the United States. This will mean that US-based donations will be tax-deductible, giving a tangible incentive for donations.
    We couldn't have done all of this had it not been for all the generous contributions, large and small. Even though we've reached our goal, we're still accepting donations. The more that comes in, the more that we can accomplish. We look forward to the coming year and the advancements we'll make.


    BSD-Schooling | BSD Now 114

    Allan is out of town this week at another Developer Summit but we have a great episode coming up with Brian Callahan where we discuss BSD in education. Also, news & a lot of user feedback to get to, so sit back & relax, more BSD is coming your way right now!

    Code stuff


    BSD News 28/09/2015

    Last week in BSD

    Releases: OPNsense
    Other news: DragonFly BSD, l2k15, BSDSec, LibreSSL, OpenBSD, OPNsense, BSDTalk, BSDnow

    BSDSec


    Releases

    From the third-party and/or security side not much has happened recently. We’re shipping the latest Bind and Squid, for details see the provided links. Here are the full patch notes:
    • config: don’t set login auto-complete on factory reset
    • config: fix faulty timezone on factory reset
    • config: improve config migration path for legacy config imports
    • config: new home in system section for the config history and backups
    • config: improved the config history differential view
    • notable port upgrades: bind 9.10.3 [1], squid 3.5.9 [2]
    • firmware: added Supranet Communications mirror (Middleton, US)
    • firewall: reworked rules, schedules, virtual ip, nat and aliases pages
    • users: removed special handling of the 'all' group
    • crash reporter: fixed 9 minor problem reports
    • wireless: only advertise supported modes of operation
    • system: fix theme selection for user-added themes
    • menu: fix expand on all interface edit pages
    • ntp: improve service status probing
    • diagnostics: fix authentication tester to work in conjunction with translations
    • languages: added French translation (33% complete)
    • languages: updated German translation (57% complete)

    News 

    bsdtalk257 - NetBSD Developer Christos Zoulas

    An interview with NetBSD developer Christos Zoulas at vBSDCon 2015.
    File Info: 15Min, 7MB.
    Ogg Link: https://archive.org/download/bsdtalk257/bsdtalk257.ogg

    OpenBSD 5.8 CD sets and swag shipping soon

    The OpenBSD 5.8 pre-orders are about to ship. The OpenBSD Store twitter account tweeted with a picture of soon-to-be-shipped CD sets on Saturday, September 26th:
    OpenBSD 5.8 stock has arrived. Shipping isn't too far off. Get your orders in! :-) pic.twitter.com/S4wUAO7yrE
    — OpenBSD Store (@openbsdeurope) September 26, 2015
    Get your orders in! There are T-shirts and various other swag to be had, too.

    DragonFly 4.0 users should upgrade

    If you happen to still be running DragonFly 4.0 – that’s two releases ago and not supported – you may be noticing that fewer ports are building. There have been enough significant changes in DragonFly since that release that it’s reducing the number of buildable ports.
    DragonFly 4.0 to 4.2 is not a difficult jump, so jump when you can. The converse of this, of course, is that there’s even more building on 4.2 and DragonFly-current.

    ServeUp BSD | BSD Now 108

    This week on the show, Allan is heading to Sweden, but we have a great interview with Andrew Pantyukhin to bring you. We will be discussing everything from contributions to FreeBSD, which technologies worked best in the datacenter, config management & more!

    XDC2015: DragonFly and graphics

    There’s been a lot of improvements to DragonFly and graphics support recently, and Francois Tigeot gave a talk at the 2015 X.Org Developer’s Conference outlining just how much has changed.  He’s posted the slides.

    Code stuff



    Wallpaper of the week 

    from https://hdwallpapers.cat/bsd_freebsd_technology_unix_hd-wallpaper-8281/

    BSD News 31/08/2015

    Last week in BSD

    Releases: OPNsense
    Other news: OPNsense, LibreSSL, pfSense, OpenBSD, BSDnow, NextBSD, Wallpaper, NetBSD, DragonFly BSD


    BSDSec


    Releases

    OPNsense 15.7.10 Released

    Here are the full patch notes:
    • src: Multiple integer overflows in expat (libbsdxml) XML parser [1]
    • src: bumped tzdata to 2015f [2]
    • ports: curl 7.44.0 [3], ca_root_nss 3.20, openssh-portable 7.1p1_1 [4], sqlite3 3.8.11.1 [5], phalcon 2.0.7 [6], pcre 8.37_4 [7]
    • crash reporter: create custom reports on demand
    • certificates: ca generation issues with recent LibreSSL
    • dns resolver: switched to ports-based Unbound (1.5.4) as per FreeBSD handbook
    • menu: moved the crash reporter to system category for visibility
    • menu: added hot-plugging support for upcoming plugins
    • acl: added hot-plugging support for upcoming plugins
    • ipsec: fix faulty behaviour on configuration changes
    • console: switched halt and reboot numbering
    • languages: bring German to 51% completed
    • graphs: remove obsolete CPU graph pages 

    OPNsense 15.7.11 Released

    Here are the full patch notes:
    • dns resolver: switch unbound to use libevent to address “too many fds” log message
    • firmware: os-update package was renamed to opnsense-update so “os-” can be our plugin prefix
    • firewall: fix alias page not being available due to a dirty config.xml sample entry
    • ipsec: fix pages throwing warnings due to a dirty config.xml sample entry
    • ipsec: fix hash algorithm and protocol settings behaviour
    • openvpn: honour TLS authentication disable
    • themes: fix theme selection fallback not working in new components
    • diagnostics: unhide routing table header

    News

    pfsense-tools is gone again, this time forever

    As some have noticed, we’ve changed the build system for pfSense such that the very need for the pfsense-tools repo has been removed.
    While the pfsense-tools repo still exists, it’s not used for pfSense version 2.3 and later.
    The former structure, where a set of discrete patches were kept against a given version of the FreeBSD source and ports trees, has now been replaced by a system where those patches are kept on a vendor branch of these trees.  This improves both the process of bringing new versions of FreeBSD and ports to pfSense and the process of upstreaming changes we make to these.  By upstreaming, we make both FreeBSD and pfSense better.
    These changes have been a long time coming. There has been sustained effort toward this type of setup since September 2012.
    There are still many parts of the build scripts that need to change, and we will continue to improve these, along with the rest of pfSense software.  As one example of where we’re headed, after base-as-pkg is done in FreeBSD 11, with only a few more changes on our tree, we should be able to build pfSense using only the build tools from FreeBSD.

    OpenBSD 5.8, Another Song

    The second of an anticipated four songs for the OpenBSD 5.8 release has been published, this one written and performed by Alexandre Ratchov (ratchov@). In the announcement he says:
    For the 20th anniversary release of OpenBSD, I have contributed this
    short sound track:

    http://www.openbsd.org/lyrics.html#58b
    Read more...

    Beverly Hills 25519 | BSD Now 104

    Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. We will be discussing some of the changes in their latest 7.0 release, including phasing out older crypto and changing one of the defaults that might surprise you.
     

    Call for Testing: Using tame() in userland

    Theo de Raadt (deraadt@) has just released a call for testing of initial conversions of programs in OpenBSD base to use the tame(2) API:
    This is for those of you interested in tame, and skilled enough to
    play along.
    
    Read more... 
     

    Clarifying NextBSD's Near Term Expectations

    A dissatisfied discussion of the NextBSD talk being "just marketing" was brought to my attention recently. The gist of it is that the premature publicity resulting from Jordan's recent BAFUG talk has inadvertently created expectations that we're not delivering on.
    What works (and does not) now:
    • The basic ecosystem of launchd, notifyd, asld, and libdispatch work.
    • These can be installed by cloning the NextBSD repo from github, building GENERIC or MACHTEST kernels, installing a new world on an existing 10.x or CURRENT system, and then following the instructions in the README.
    • Launchd will start the initial jobs that are part of the repo now.
    • At this moment the release ISO installer does not work due to an interaction between launchd and the environment created by make release for the installer.
    What will work in the very near future:
    • Somewhere between this weekend and mid-September we will have the installer working. This means that an existing FreeBSD install won't be necessary to try out NextBSD. This is obviously pretty rudimentary and even before the unanticipated wave of interest a source of displeasure for me. Under 'Milestones' I refer to this as Milestone 0.
    • The remaining issues currently fall into Milestone 1 and I expect to have them addressed by the end of September. At that time the system should, in some sense, be complete with future work being to convert rc and to tie notifyd in to potential consumers.

    Code stuff



    Wallpaper of the week

    from http://wallpapers.mi9.com/wallpaper/openbsd-picture_36248/

    BSD News 16/06/2015

    Last week in BSD

    Releases: SmallWall, OPNsense, DragonFly BSD
    Other news: BSDSec, DragonFly BSD, HardenedBSD, LibreSSL, NetBSD, OPNsense, SmallWall, Wallpaper, BSDnow

    Check out DiscoverBSD stats - or some stats for DiscoverBSD, BSD-Links and BSDsec.

    BSDSec

     

    Releases

    SmallWall 1.8.2 released and 1.8.3 bugfix release

    A bug was found in syslog in the 1.8.2 build, so there is now a 1.8.3 released to patch that build bug.

    DragonFly 4.2 and 4.0.6 branched

    The more eagle-eyed may have noticed a branching for DragonFly 4.2, and for DragonFly 4.0.6.  The 4.2 branch is currently only a release candidate, so don’t necessarily change over yet – it’s for testing, not release.
    Note that packages for 4.2 are not yet built, so you’ll have to manually specify a package path to install with pkg on 4.2 – for now. That won’t be the case for the actual release, of course. DragonFly 4.3 users will have to specify PKG_PATH manually to use 4.2 images until new ones are built. 4.2 release candidate users will be fine. (See comments for correction.)
    The 4.0.6 release is mostly to get the recent OpenSSL update into a 4.0.x build.
    I am working on image building for both.

    DragonFly 4.0.6 image up

     I’ve uploaded DragonFly 4.0.6 ISO and .img files.  (Does that capitalization make sense?)  They should be available at your nearest mirror, or will be shortly. I am still working on the 4.2 release candidate images.

    OPNsense version 15.1.11.4 Released

     Here is the full list of changes:
    • notable ports updates: pcre 8.37_1 [1], phalcon 2.0.2 [2], strongswan 5.3.2 [3], sqlite 3.8.10.2 [4]
    • more notable ports: openvpn 2.3.7 [5], openssl 1.0.2b [6], libressl 2.1.7 [7], pkg 1.5.4 [8]
    • opnsense-update: has gained the ability to do package updates as well
    • core: removed unused ssh_tunnel_shell and 3gstats utilities, added sudo to the default utilities
    • captiveportal/traffic shaper: better fix for localhost skip
    • traffic shaper: added ICMP, IGMP, ESP, AH and GRE protocols to selectable protocols
    • core: fixed a bug that prevented our API from working properly with Phalcon 2.0.1 and above
    • backend: added configctl command utility launcher and improved its logging capabilities
    • backend: worked around a performance degradation bug in Python 2.7 on FreeBSD
    • gateways: monitoring via 'apinger' is now turned off by default for all new gateways created (opt-out flipped to opt-in for privacy reasons)
    • firmware: refactored firmware code to use opnsense-update’s new capabilities
    • firmware: fix parsing of packages to be upgraded in fringe cases
    • firmware: fix overzealous caching of available package upgrades
    • users: users in the admins group now have the 'wheel' group associated with them, allowing them to use 'su' or 'sudo' (if configured)
    • users: do not copy root’s hidden files while creating a new user home directory

    Other news

     

    First Experimental OPNSense Images With HardenedBSD

    One month ago, we announced we were teaming up with OPNSense to provide HardenedBSD-flavored versions of their project. Work started with backporting our work from 11-CURRENT to 10-STABLE. We worked with Franco Fichtner, one of three people currently on the OPNSense core team, to enhance their build scripts. We received hardware donations from Netgate and Deciso. We fixed a number of bugs in secadm and backported Integriforce to 10-STABLE. This month sure has been a busy one.
    We're excited to announce today the availability of the first experimental build of OPNSense based on top of HardenedBSD. It features every one of our great exploitation mitigation features and is built with Integriforce baked right in. Most of the network-aware applications are compiled as Position-Independent Executables (PIEs). Please note that since this is our first ever experimental build, we have not worked out binary upgrade paths just yet. You will likely need to do reinstalls for future builds. You can backup your configuration prior to reinstallation and restore the configuration post-installation.
    There are two flavors for download: a generic build and a build for the Netgate RCC-VE 4860. The generic build will work on most standard appliances. The Netgate RCC-VE 4860 has a special build due to needing custom serial console settings. If you're not using the Netgate RCC-VE 4860, the generic build is for you.
    You can find the builds here. Please note that these builds are experimental. They are not meant for production use. But that still hasn't stopped us from using it in production, since we like to eat our own dogfood. ;)
    UPDATE 11 Jun 2015 05:39 EDT: OPNSense has mirrored the generic builds here.
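The announcement above says most network-aware applications in the HardenedBSD-flavored build are compiled as Position-Independent Executables. "PIE" is a property you can verify on the installed binaries rather than take on trust, so here is an added example (mine, not HardenedBSD's or OPNsense's tooling) that reads the ELF header in Python and classifies a file. ET_EXEC means a fixed-address, non-PIE executable; ET_DYN covers both PIEs and shared libraries, and the PT_INTERP program header (which names the dynamic loader) is what distinguishes an executable from a library. The sample images built by make_elf64 are constructed headers, not loadable programs.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3


def classify_elf(data):
    """Return 'PIE', 'non-PIE executable', 'shared object' or 'not ELF' for an ELF image.
    Caveat: a statically linked PIE has no PT_INTERP and would be reported here as a
    shared object; readelf -d and the DF_1_PIE flag cover that case."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not ELF"
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    if e_type == ET_EXEC:
        return "non-PIE executable"
    if e_type != ET_DYN:
        return "other ELF type %d" % e_type
    # p_type is the first 32-bit field of every program header in both ELF classes.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "PIE"
    return "shared object"


def make_elf64(e_type, with_interp):
    """Constructed little-endian x86-64 ELF header plus one program header,
    used only to exercise classify_elf; it is not a runnable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    p_type = PT_INTERP if with_interp else PT_LOAD
    phdr = struct.pack("<IIQQQQQQ", p_type, 4, 0, 0, 0, 0, 0, 0)
    return header + phdr


if __name__ == "__main__":
    # Usage: python3 pie_check.py /usr/local/sbin/* /usr/local/bin/*
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%-20s %s" % (classify_elf(fh.read()), path))
```

Run it over the service binaries on an appliance and every network-facing daemon should come back as PIE; anything reported as "non-PIE executable" is a fixed-address program that ASLR cannot relocate, which is exactly the gap the build described above is meant to close.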

    Stacked in Our Favor | BSD Now 93

    We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.  

    NetBSD CI20 status update

    I didn't really have much time to work on more hardware support on CI20 but it's been a while since the last post so here's what I've got:

    • drivers for on-chip ehci and ohci have been added. Ohci works fine, ehci for some reason detects all high speed devices as full speed and hands them over to ohci. No idea why.
    • I2C ports work now, including the onboard RTC. You have to hook up your own battery though.
    • we're no longer limited to 256MB, all RAM is usable now.
    • onboard ethernet is supported by the dme driver.
    There's also an unfinished driver for the SD/MMC ports.
    The RTC is a bit funny - according to the manual there's a Pericom RTC on iic4 addr 0x68 - not on my preproduction board. I've got something that looks like a PCF8563 at addr 0x51, and so do the production boards that I know of. Some pins on one of the expansion connectors seem to be for a battery but I haven't been able to confirm that yet. Either way, since the main connector is supposed to be Raspberry Pi compatible any RTC module for the RPi should Just Work(tm), with the appropriate line added to the kernel config.
    Some more work has been done under the hood, like some preparations for SMP support.

    pfsense-tools is back on github

    Some people prefer a web-ui for git.  Rather than expose our gitlab instance to the world via a web-ui, we’ve re-enabled access via github.
    The process remains the same. You will need to agree to two click-through agreements, first the Contributor License Agreement (either individual or corporate), then the actual license agreement, wherein you basically agree that our marks are valid, that you’ll give credit to the project, and that you won’t call the result pfSense, or anything else that is sufficiently similar to our trademarks to cause confusion.
    If you’ve already been through that process, you’ve already been granted access to the team that can view the pfsense-tools repo on github.
    If you haven’t put your github username in your pfSense portal profile, then we don’t know who you are on github, and the process won’t work.
    Long-term, the goal is to eliminate the need for this repo.  We don’t want to carry a set of discrete patches, and there are well-known examples of better build systems in the world.  More on that in a future post.


    Code stuff



    Interesting Articles


    Wallpaper of the week

    from https://www.br0tkasten.de/?page=18