BSD News 23/03/15

Last week in BSD

Releases: pfSense, GhostBSD, DragonFly, BSDrp
Other news: BSDSec, FreeNAS, DragonFly, LibreSSL, NetBSD, AsiaBSDCon, BSDnow, OpenBSD, OpenSSH, HardenedBSD,


LibreSSL 2.1.5 released 
LibreSSL 2.1.6 released 
libxfont errata 
libre/openssl patches available 
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:06.openssl  
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]  
NetBSD Security Advisory 2015-003: NTPd multiple vulnerabilities (CVE-2014-929[3-6]) 
NetBSD Security Advisory 2015-004: Two vulnerabilities in the compatibility layers  
NetBSD Security Advisory 2015-005: buffer overflow in libevent (CVE-2014-6272)  
NetBSD Security Advisory 2015-006: OpenSSL and SSLv3 vulnerabilities 



BSD Router Project

BSDRP 1.55 is out: It includes latest FreeBSD security fixes and pmacct.

2.2.1 RELEASE Now Available 

pfSense® software 2.2.1 release is now available, bringing a number of bug fixes and some security fixes.

DragonFly 4.0.5 out 

I’ve tagged version 4.0.5 of DragonFly, and it’s available at your nearest mirror.  This revision is mostly to incorporate the newest OpenSSL security bump.

GhostBSD 10.1 Alpha 2 now available   

Changes and fix between 10.1-ALPHA1 and 10.1-ALPHA2 include:
  • The PCDM theme file as been fixed which was creating blinking black screen.
  • Macro windows decoration has been fixed.
  • The installer GPT partition problem has been found and fixed in pc-sysintall.
  • Some installer text error has been fix.
  • The user shell selection has been fix from the last change to have csh by default since fish have a bug from the ports.

Other news


 NetBSD ported to Hardkernel ODROID-C1

The Hardkernel ODROID-C1 is a quad-core ARMv7 development board that features an Amlogic S805 SoC (quad-core Cortex-A5 @ 1.5GHz), 1GB RAM and gigabit ethernet for $35 USD.
The ODROID-C1 is the first Cortex-A5 board supported by NetBSD. Matt Thomas (matt@) added initial Cortex-A5 support to the tree, and based on his work I added support for the Amlogic S805 SoC.
NetBSD -current (and soon 7.0) includes support for this board with the ODROID-C1 kernel.

Puffy in a Box | BSD Now 81

We're back from AsiaBSDCon! This week on the show, we'll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They're getting BSD in the hands of Windows admins who don't even realize it.  

Introducing NoExec 

Over the past few months, Oliver has been busy writing a new exploit mitigation feature for HardenedBSD: NoExec. The first part of this project was merged into master tree, and there are still ongoing issues to solve. Our implementation is inspired by PaX's. NoExec prevents pages that are marked as writable from being marked executable as well. It also prevents using mprotect(2) to change a non-executable page to an executable one. This, of course, can cause issues with applications that expect to be able to mark existing pages as executable. Firefox is a good example. You will need to either jail the application in a jail with NoExec turned off or use secadm to turn off NoExec for that application.
This feature bumps the HardenedBSD version number up to 17. We're doing a new package build as well. You'll also get some applications built as Position-Independent Executables (PIEs) with this package build.

Donation request for network SMP development 

 Martin Pieuchot (mpi@) writes in about what's needed for further SMP improvements in the network stack:
If you've been following my contributions to OpenBSD's kernel, you already know that in the past years I've been working on the Network Stack to make it more SMP friendly. All the network hackers present at s2k15 agreed to volunteer me to work on the next step: properly integrate the pseudo-drivers (carp(4), vlan(4), trunk(4)...) in order to take ether_input() out of the kernel lock.
Read more... 

bsdtalk252 - with Brian Callahan  

An interview with admin Brian Callahan. is a free shell provider that runs on OpenBSD.
File Info: 18Min, 8MB.
Ogg Link:

Code stuff

DRM 3.8 update committed 
New sshlockout option 
OpenSSH 6.8 Released
In Other BSDs for 2015/03/21 

Interesting articles

The FreeNAS Hardware Guide You’ve Asked For | Does ZIL Size Matter? Issue #18 
Unifying Mesa ports’ configure 
AsiaBSDCon 2015 Recap

Wallpaper of the week


as found at

BSD News 16/03/15

BSD News 16/03/15

Last week in BSD

Releases: OPNsense, DragonflyBSD, GhostBSD
Other news: NetBSD, DragonFly BSD, pfSense, OpenBSD, BSDNow, TrueNAS, FreeBSD Foundation,


freetype patches available 
libssl patch available 


OPNsense version Released

  • bsdinstaller: work towards embedded installations, e.g. Quick/Easy disk selection
  • opnsense-update: added command line switches and a manual page for usability’s sake
  • opnsense-update: will now remember that the base system is up to date
  • ports: updated to LibreSSL 2.1.4 (for our experimental LibreSSL flavour only)
  • directory layout: collapsed the /conf -> /cf/conf magic into a simple /conf directory (needs a reboot to take effect)
  • certificates: consistently lowered the default lifetime to 1 year
  • captive portal: fixed an issue that prevented traffic forwarding in some cases
  • NAT: do not resolve aliases on display to stay consistent with rules page
  • console menu: rebuilt the firmware upgrade option 12 to work on top of our new pkgng/opnsense-update system
  • crash reporter: can now be found under Diagnostics and was extended to show all parsing errors. The send button is currently disabled but feel free to copy+paste the messages to push them through the usual channels.
  • rc: fixed numerous parse errors in files previously missed by the regression test
  • rc: DHCP lease and RRD graph persistency after reboot, halt and config import (reinstall)
  • UPnP: the shortcuts menu has been reintroduced
  • login: redirect after login now brings up the previously selected page
  • dynamic DNS: fixed validation for custom entries that do not require a hostname
  • dynamic DNS: added support for Duck DNS
  • firewall log widget: fixed multiple bugs and updated style
  • pptp: brought back missing PHP includes
  • core: removed thousands of lines of unused code, style consolidation and path unwinding
  • core: multiple image to glyphicon conversions
  • development: moved pkgng config files out of the src/ directory to avoid tainting the system on core.git live mount
  • development: steady progress on the first MVC framework implementation of the upcoming proxy support

OPNsense version Released   

  • bsdinstaller: fixed the package database wipe on custom install
  • bsdinstaller: install progress bar is now more responsive with regard to individual directories in /usr
  • firmware: removed obsoleted upgrade code and tools following our pkgng/opnsense-update approach
  • miniupnpd: now properly links to the OpenSSL/LibreSSL port
  • ipmitool: now properly links to the OpenSSL/LibreSSL port
  • core: extensive cleanups for PHP shebang usage, wiped numerous unused scripts and unreachable web pages, removed PBI remnants, removed ‘tmp_path’ softcoding to improve readability and git-grep(1) experience, removed stale debug statement that were only marginally useful while bumping the statements to default that indicate real errors
  • console: fixed halt script permissions and switched to synchronous mode
  • sysctl: added net.inet6.ip6.rfc6204w3 to improve the DHCPv6 experience
  • nat: remove target IP hardcoding in automatic rules (props to pfSense for pointing that out to us)
  • rc: fixed missing package database when using the MFS option for /var
  • configd: added a standard rc.d script for easy daemon control
  • mvc: a lot of new code to support general infrastructure for upcoming porting of features, e.g. proxy feature
  • help: adjusted links in the help menu to use HTTPS and improved targeting

DragonFly 4.0.4 out 

DragonFly 4.0 has had a minor point release, to 4.0.4.  There was a bug in the initial install where the rescue image installed on disk would be incorrect.  This was fixed after the first time a build/installworld was done, but might as well have it start out right.  There’s some other small fixes, and the release commit will show you the summary.  Download from your nearest mirror or update normally.

GhostBSD 10.1 Alpha 1 now available  

I am pleased to announce the availability the fist ALPHA build of the 10.1-RELEASE Release cycle which is available on SourceForge for the amd64 and i386 architectures.
Changes and fix between 4.0-RELEASE and 10.1-ALPHA1 include:
  • GDM as been replaced by PCDM
  • Wifimgr is now fully replaced by Networkmgr
  • A beta version of Update Station is now in GhostBSD whish update FreeBSD base system and software
  • The installer partition editor got a lot of improment
  • The installer use the latest pc-sysinstall from PCBSD GitHup
  • GhostBSD is now following the same release number then FreeBSD and PCBSD
The image checksums, ISO images and USB images are available here:

Other news

The PC-BSD Tour II | BSD Now 80 

We're away at AsiaBSDCon this week, but we've still got a packed episode for you. First up is a sequel to the "PC-BSD tour" segment from a while back, highlighting how ZFS boot environments work. After that, Justin Gibbs joins us to talk about the FreeBSD foundation's 15th anniversary. We'll return next week with a normal episode of BSD Now - which is of course, the place to B.. SD.

OpenBSD 5.7 Preorders Started

Yes, you read that right!

Preorders of the upcoming OpenBSD 5.7 release have been enabled at the OpenBSD Store (based in the UK, ships worldwide).

The OpenBSD 5.7 release page is filling out nicely as we speak, and you can look up further details of what you have in store come May 1st by taking a peek at the detailed changelog page.

Now don't just stand there! Go ahead, order a CD set (or a few), or if you'll be downloading anyway, donate!

Update: The first copy has already been sold, just a few moments after the initial commit and before the actual announcement to misc@ (both by deraadt@) went out.

15th Anniversary and Spring Fundraising Kickoff 

Why donate to the Foundation? Your donations will help us continue and increase our support in the following areas:
  • Funding improvement and development projects, including: Native ISCSI kernel Stack, Updated video console (Newcons), UEFI system boot support, Capsicum component framework, IPv6 support in FreeBSD, Auditdistd improvements for FreeBSD cluster, and adding modern AES modes to OpenCrypto (to support IP/SEC).
  • Helping to provide consistent and on-time releases.
  • Educating the public and promoting FreeBSD with tools like our high-quality FreeBSD 10X Brochure and company visits to help
  • facilitate collaboration efforts with the Project.
  • Sponsoring BSD conferences and summits in Europe, Japan, Canada, and the US.
  • Protecting FreeBSD IP and providing legal support to the Project.
  • Purchasing hardware to build and improve FreeBSD project infrastructure.

Code stuff

Raspberry PI 2 support added
Sendmail removed, DMA added 
USB update  
Extra world messages
In Other BSDs for 2015/03/14 

Interesting Articles

5 Fun Things to Do with FreeNAS
Recent developments in pfSense 
TrueNAS 9.3 State of the Union
FreeBSD From the Trenches: Using autofs(5) to Mount Removable Media  
OpenBSD @ AsiaBSDCon: httpd, PIE, and more  

Wallpaper of the week

BSD News 09/03/2015

Last week in BSD

GhostBSD, OpenBSD, BSDSec, FreeBSD, Google Summer of Code, DragonFly BSD, PC-BSD, m0n0wall, s2k15, BSDnow, NetBSD,


FreeBSD 10.0-RELEASE End of Life
errata for X server infoleak
LibreSSL 2.1.4 released


seems to be none

Other news

Ted Unangst: Improving Browser Security

In a recent post to misc@, Ted Unangst (tedu@), outlined some of his upcoming work on improving browser security. Ted writes,
A few words about a project I've started working on today with support from the OpenBSD Foundation.

Summer of Code 2015 Project Ideas Announced 

The OpenBSD foundation has published its Project Ideas List for this year's Google-sponsored Summer of Code. If you're a student with an appropriate background, this could be your chance to take a stab at contributing to the OpenBSD code base, with OpenBSD developers as your mentors.
The Foundation and the OpenBSD project do not guarantee that SOC projects are accepted into the OpenBSD code base, but it's worth trying, isn't it?
Check out the list and see if there's something there you want to spend most of the summer hacking on.

Just Add QEMU | BSD Now 79 

Watch here:

Coming up this time on the show, we'll be talking to Sean Bruno. He's been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We've also got answers to viewer-submitted questions and all this week's news, on BSD Now - the place to B.. SD. 

Tarsnap Mastery book out 

Michael W. Lucas’s Tarsnap Mastery book is out, in electronic form.  While not a strictly BSD news items, it’s a service built on BSD, so worth looking at if you care about that – or about encryption.

Code Stuff

GhostBSD Development News - 03/01/2014
A look at the upcoming features for PC-BSD 10.1.2
s2k15 Hackathon Report: Jonathan Gray on X Graphic Acceleration Improvements, afl fuzzer 
s2k15 Hackathon Report: tedu@ on UVM SMP 
In Other BSDs for 2015/03/07 
CI20 reaches userland 

Interesting Articles

End of the m0n0wall project and alternatives
cache line aliasing effects, or "why is freebsd slower than linux?" 

Wallpaper of the week 

as found at

End of the m0n0wall project and alternatives

So what's m0n0wall?

m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software).

m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent.

m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
Unfortunately,  on 2/15/2015 - End of the m0n0wall project was announced with official reason "there are now better solutions available and under active development".
So where to move now?

As m0n0wall maintainer suggested, people have 2 options, depending on what they need:
  • the same light firewall
  • don't mind more robust solution  
Let's start with people who don't mind migrating to more robust solution "like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense ... and I encourage all current m0n0wall users to check out OPNsense and contribute...".

"If you are happy with the current feature set of m0n0wall and just need a security patch, bug fix, hardware compatibility update or minor improvement now and then, there are two nascent projects started by former m0n0wall developers/users that may have something for you: SmallWall and t1n1wall."

So what are those projects and what they wanna do?


According to forum, at the moment, the only list of plans is to:
  1. Fix the ipsec bug when l2tp is enabled
  2. Fix an outstanding RA announce problem that fills logs
  3. Add support for ippools
  4. Possibly update DDNS to support NAT and Cloudflare

As author says: "I don't have any plans to change from what m0n0wall was, stay using a RAM based disk system, and keep it small.  I hope to keep it up to date, squash bugs and apply security fixes, and hopefully get the 10.1 version completed , so it supports more hardware."

You can get snapshots at:


Project philosophy according to website
  • Small, lean and elegant code - There is no need for bloat
  • Do one thing, and do it well - This is a security device, not a print server
  • Simple is good - Doing things the right way should be easy
  • Form Follows Function - I like pretty, but not at the expense of performance

"But this is not going to be m0n0wall unchanged. There are some things that I would like to see changed.
  • Re-basing to support newer hardware
  • Adding newer VPN support
  • More attractive UI
  • Easier integration with IDS/SEM systems"
 You may download it

So, what is your escape plan?

Small BSDSec and DiscoverBSD changes

Small BSDSec and DiscoverBSD changes
As I mentioned a bit earlier, there is a need to change hosting for

I am migrating app to heroku and as of now, everything seems to works just fine. You can see it live here:

I am now using domain for email (took some time, right?) and there was no data loss so after everything is finished we will have old SA as well. Not sure when I will finish the migration (I only need to change where domain is), but if you have some troubles with accessing it, that's probably me doing stuff. 


Lately, I have noticed that (without www and so) was redirecting to my domain registrar. You might have noticed as well.

So current status is that all forms of address will now redirect to

Please let me know if there is some problem with it.


I added Google ads. Well, I do not expect to make a lot of money, but when one day I run of free hosts for BSDSec, I plan to use that money.

Two days of adds and someone from France clicked on it and I make €0.04. Not bad ;] 

Feel free to run AdBlock of any kind. I am doing it as well.