BSD News 15/01/2018

Last week in BSD

Releases: OPNsense
News: OpenBSD, OPNsense, Meltdown, Spectre, DragonFly, FreeBSD, bhyve


OpenBSD Errata: January 14th, 2018 (libssl)


OPNsense® 18.1 Release Candidate 1

For more than 3 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing. Over the second half of 2017 well over 500 changes have made it into this first release candidate. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API work on the core firewall functionality. Meltdown and Spectre patches are currently being worked on in FreeBSD, but there is no reliable timeline.


An update on Meltdown and Spectre

We have previously issued a short statement with preliminary analysis of Meltdown and Spectre vulnerabilities. This post is an update now that we have an official statement from the FreeBSD project.

Dragonfly More Meltdown fixes

If you’re on the bleeding edge of DragonFly and already updated for Meltdown fixes, there’s a few more commits you’ll want to get. Matthew Dillon wrote a summary of the current status, noting there’s not much you can do for Spectre beyond new hardware.  There is an update to the “defensive browser setup” plan for DragonFly (using --site-per-process) that can help at least with JavaScript versions of Spectre.

Dragonfly Even more Meltdown

Are you tired of hearing about Meltdown/Spectre yet?  Doesn’t matter!  The two sysctls for controlling mitigation in DragonFly have been renamed:


They go to hopefully sensible defaults, but Matthew Dillon has done some testing to show the effects of each in various combinations.  (Update: more changes and tests.)  Note that this is not the final mitigation work; compilers (e.g. gcc) are being updated to include workarounds for this, so new gcc -> new compiler in DragonFly -> new defenses.  No silver bullet there, though.

OpenBSD-current now has 'smtpctl spf walk'

If you run a mail service, you probably like to have greylisting in place, via spamd(8) or similar means. However, there are some sites that simply do not play well with greylisting, and for those it's useful to extract SPF information to identify their valid outgoing SMTP hosts.
Now OpenBSD offers a straightforward mechanism to do that and fill your nospamd table, right from the smtpctl utility via the subcommand spf walk. Gilles Chehade ([email protected]) describes how in a recent blog post titled spfwalk.
This feature is still in need of testing, so please grab a snapshot and test!
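What an "SPF walk" actually does is worth seeing end to end: start from a domain's SPF TXT record, follow every include: and redirect= target, resolve a and mx mechanisms, and collect the resulting networks into a table. The following is an added illustration written for this digest, not OpenBSD's smtpctl code. It runs offline against a constructed stand-in for DNS (the FakeResolver class and the records in it are invented; the addresses are documentation ranges), and it deliberately follows redirect= unconditionally and drops "-" terms, because for a greylisting bypass list you want every host that might legitimately send, not a per-message pass/fail evaluation.

```python
"""Offline illustration of an SPF walk: expand a domain's SPF policy into the
set of networks it authorises to send mail, following include: and redirect=.
Added example, not OpenBSD's smtpctl code; the DNS data below is constructed."""
import ipaddress


class FakeResolver:
    """Stand-in for DNS lookups so the example runs offline (constructed data)."""

    def __init__(self, txt, a, mx):
        self._txt, self._a, self._mx = txt, a, mx

    def txt(self, name):
        return self._txt.get(name.lower(), [])

    def a(self, name):
        return self._a.get(name.lower(), [])

    def mx(self, name):
        return self._mx.get(name.lower(), [])


# Constructed records; 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and
# 2001:db8::/32 are reserved documentation ranges, not real senders.
RESOLVER = FakeResolver(
    txt={
        "example.com": ["v=spf1 ip4:192.0.2.0/24 a mx include:_spf.relay.example ~all"],
        "_spf.relay.example": ["v=spf1 ip6:2001:db8::/32 redirect=_spf2.relay.example"],
        # points back at _spf.relay.example: a loop the walker must terminate
        "_spf2.relay.example": [
            "v=spf1 ip4:198.51.100.10 -ip4:198.51.100.99 include:_spf.relay.example -all"
        ],
        "nospf.example": ["some unrelated TXT record"],
    },
    a={"example.com": ["203.0.113.5"], "mx1.example.com": ["203.0.113.25"]},
    mx={"example.com": ["mx1.example.com"]},
)

MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10; also bounds recursion


def _split_term(term):
    """'mx:relay.example/24' -> ('mx', 'relay.example', '/24')."""
    cidr = ""
    if "/" in term:
        term, _, cidr = term.partition("/")
        cidr = "/" + cidr
    name, _, arg = term.partition(":")
    return name.lower(), arg, cidr


def spf_walk(domain, resolver, depth=0, seen=None):
    """Return the set of ip_network objects the SPF policy of `domain` allows.

    A bypass list wants every host that *might* send, so redirect= is always
    followed (rather than only when no mechanism matched) and "-" terms add
    nothing.  `seen` stops include/redirect loops; `depth` bounds recursion.
    """
    seen = set() if seen is None else seen
    domain = domain.lower()
    if domain in seen or depth > MAX_DEPTH:
        return set()
    seen.add(domain)
    nets = set()
    for record in resolver.txt(domain):
        if not record.lower().startswith("v=spf1"):
            continue
        for raw in record.split()[1:]:
            qual = "+"
            if raw[0] in "+-~?":
                qual, raw = raw[0], raw[1:]
            if qual == "-":  # a "fail" term authorises nothing
                continue
            if "=" in raw:  # modifier such as redirect= or exp=
                mod, _, target = raw.partition("=")
                if mod.lower() == "redirect":
                    nets |= spf_walk(target, resolver, depth + 1, seen)
                continue
            name, arg, cidr = _split_term(raw)
            if name in ("ip4", "ip6"):
                nets.add(ipaddress.ip_network(arg + cidr, strict=False))
            elif name == "include":
                nets |= spf_walk(arg, resolver, depth + 1, seen)
            elif name == "a":
                for addr in resolver.a(arg or domain):
                    nets.add(ipaddress.ip_network(addr + cidr, strict=False))
            elif name == "mx":
                for host in resolver.mx(arg or domain):
                    for addr in resolver.a(host):
                        nets.add(ipaddress.ip_network(addr + cidr, strict=False))
            # all, exists and ptr yield no enumerable networks and are skipped
    return nets


def nospamd_table(domains, resolver):
    """One CIDR per line, IPv4 before IPv6, in address order: a pf table file."""
    nets = set()
    for d in domains:
        nets |= spf_walk(d, resolver)
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(nets, key=key)]


if __name__ == "__main__":
    print("\n".join(nospamd_table(["example.com"], RESOLVER)))
```

Written to a file, the output is in the form pf expects for a table, so it can replace the bypass table with `pfctl -t nospamd -T replace -f <file>`. Note the trade-off the walk makes: an SPF record with a broad include (a large mail provider, say) will bypass greylisting for every network that provider lists, so review the expanded table before loading it rather than trusting the domain list alone.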

The Spectre of Meltdown | BSD Now 228

We review the information about Spectre & Meltdown thus far, we look at NetBSD memory sanitizer progress, Postgres on ZFS & show you a bit about NomadBSD.

Code stuff

In Other BSDs for 2018/01/13
Microcode updates on DragonFly
IBRS and IBPB support in DragonFly
CPU microcode update code for amd64 for OpenBSD
HAMMER1, mounted and unmounted cleanup

Interesting articles

Handling of CPU bugs disclosure 'incredibly bad': OpenBSD's de Raadt
Running CentOS with Bhyve
July-September 2017 FreeBSD Status Report

BSD News 08/01/2018

Last week in BSD

News: DragonFly BSD, NetBSD, BSDSec, HardenedBSD, Meltdown, Spectre, MirOS, OpenBSD, FreeBSD, BSDnow
Releases: HardenedBSD


NetBSD Security Advisory 2018-002: Local DoS in virecover
NetBSD Security Advisory 2018-001: Several vulnerabilities in context handling 


HardenedBSD-stable 10-STABLE v1000050.1

Downloads here, release notes here.


OpenBSD Response to the "Meltdown" Vulnerability

A message to [email protected] from Philip Guenther ([email protected]) provides the first public information from developers regarding the OpenBSD response to the recently announced CPU vulnerabilities:

 So, yes, we the OpenBSD developers are not totally asleep and a handful of
us are working out how to deal with Intel's fuck-up aka the Meltdown
attack.  While we have the advantage of less complexity in this area (e.g.,
no 32bit-on-64bit compat), there's still a pile of details to work through
about what has to be *always* in the page tables vs what can/should/must be

Read it.

Meltdown and Spectre and DragonFly

By now you’ve probably heard of the Meltdown/Spectre attacks.  (background rumors, technical note)  Matthew Dillon’s put together a Meltdown mitigation in DragonFly, done in four commits.
It’s turned off and on by the sysctl machdep.isolated_user_pmap, and defaults to on for Intel CPUs.  Buildworld tests show about a 4-5% performance hit, but that’s only one form of activity measured, so there will surely be other effects.
Note that Spectre is not mitigated by this commit series, and as I understand it, cannot be realistically fixed in software.
Update: Matthew Dillon posted a summary to [email protected].

MirOS - The Intelpocalypse

The unveiling of the three new CPU bug classes, collected in the two brandbugs “Meltdown” and “Spectre”, has mostly shocked the BSDs; I’ve got it on some authority that even FreeBSD was not informed ahead of time, let alone the others. Thanks to laffer1 from MidnightBSD for a couple of heads-up warnings in our direction!
Here’s what I could gather until now (please do correct me if I’m wrong):
Meltdown is specific to Intel® CPUs with out-of-order execution, that is, all P6-class (Pentium Pro/MMX, Pentium Ⅱ, but not Pentium Ⅰ/MMX) or newer (except old Atom) CPUs. It appears to allow user processes to read kernel memory, but not across VMs, nor to attack a hypervisor. A variant for ARM exists but AMD’s x86 CPUs are supposedly safe. The KAISER/FUCKWIT/UASS/KPTI patches for Linux fix this, at huge performance cost on x86, not so much on ARM, and no cost for unaffected CPU models (runtime detected).
Spectre affects x86, ARM, POWER CPUs and possibly others. I’ve not yet found information on whether it is also limited to CPUs with out-of-order execution, but it seems likely. SPARC CPUs might be safe; Solaris/SPARC64 is safe due to the way its memory addressing works. If the OOO execution assumption is true, 80486 and P5 class x86 CPUs are also safe. This one does allow cross-VM and hypervisor attacks, so if the bare metal CPU is vulnerable, SOL. There does not yet seem to be a generic fix; some hint at having to patch the compiler and recompile everything with a workaround that has a performance cost, even if the CPU is not affected, or was fixed with a microcode update. AMD’s x86 CPUs are partially hit, one of the variants does not work on them.
“CERT recommends throwing away your CPU and buying a non-vulnerable one” (thanks to El Reg), but nobody states which CPUs are not vulnerable.
At the present time, we suggest any MirBSD/i386 instances that run on any CPU other than an 80486 or P5-class (Pentium Ⅰ or a non-PPro MMX) to be restricted to single user or trusted user access only, and no untrusted software including ECMAscript to be run on them.
Watch this space for updates. Oh, and, if you know what you’re (and I’m) talking about, please, again, do provide me with information necessary to provide those updates, both to MirBSD and to this space.

FreeBSD About the Meltdown and Spectre attacks

FreeBSD was made aware of the problems in late December 2017. We're working with CPU vendors and the published papers on these attacks to mitigate them on FreeBSD. Due to the fundamental nature of the attacks, no estimate is yet available for the publication date of patches.

HardenedBSD announcing the 2018 donation run

We've just published our goals for 2018. We've got a number of new goals planned, some that require new infrastructure. In 2018, we plan to migrate at least 90% of our infrastructure to a single data center in addition to expanding our existing infrastructure.

Hello, HelBUG

More user group news: Helsinki, Finland, has a new BSD User Group: HelBUG.  First meeting is February 7th.  There’s no mailing list/site that I know of, yet.

The long core dump | BSD Now 227

We walk through dumping a PS4 kernel in only 6 days, tell you the news that NetBSD 7.1.1 has been released, details on how to run FreeBSD on a Thinkpad T470 & there’s progress in OpenBSD’s pledge.

Code stuff

NetBSD: the LLVM Memory Sanitizer support work in progress
In Other BSDs for 2018/01/06

BSDNews 11/12/2017

Last week in BSD

News: BSDSec, DragonFly, BSDNow, pfSense, OpenBSD, s2k17
Releases: DragonFly BSD, OPNsense


[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:12.openssl
[FreeBSD-Announce] FreeBSD 11.0 end-of-life
OpenBSD Errata: December 10th, 2017 (mpls)


DragonFly 5.0.2 released

DragonFly 5.0.2 is released.  As you may guess from the version number, this is a bugfix release.  The release tag has the full details.  Update through the normal process of a buildworld/buildkernel, at your leisure.

OPNsense 17.7.9 released

An XSS vulnerability in the certificate manager, triggered by importing a crafted certificate into the system, has been fixed. PHP was finally updated from 7.0 to 7.1, which should make things a bit faster. Last but not least, the HAProxy plugin by Frank Wall receives a major update for improved usability, several new features and two bug fixes.


Compile once, debug twice | BSD Now 223

Picking a compiler for debuggability, how to port Rust apps to FreeBSD, what the point of Docker is on FreeBSD/Solaris, another EuroBSDcon recap & network manager control in OpenBSD.

Application Detection on pfSense® Software

Thanks to the Snort package and OpenAppID, pfSense is now application-aware.

arm64 platform now officially supported [and has syspatch(8)]

arm64 is now an officially supported platform for OpenBSD. As some readers will have noticed, there's now syspatch(8) support, too.

Code stuff

Boggle, banner, tetris added to DragonFly
In Other BSDs for 2017/12/09
Network driver changes: ix, faith
pledge() work in progress

s2k17 Hackathon

OpenBSD is holding hackathons as an attempt to get new changes into the source tree quickly. Here are some reports from the latest:
s2k17 Hackathon Report: Stefan Sperling ([email protected]) on wireless (iwm(4), athn(4) and more) progress

Pic of the week


BSD News 03/12/2017

Last week in BSD

Releases: HardenedBSD
News: BSDSec, FreeBSD, OpenBSD, DragonFly BSD, BSDnow, NetBSD, Vagrant


[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:11.openssl
OpenBSD Errata: December 1st, 2017 (fktrace)


Stable release: HardenedBSD-stable 11-STABLE v1100054.1

- fixed syslogd - restore host name handling in UDP case
- fixed ARM64 control flow problem
- fixed MAP_GUARD issues
- upgrade to Unicode 10.0.0
- ZFS fixes
(side note: the recent OpenSSL security issues (FreeBSD-SA-17:11.openssl) are already fixed in previous releases)


scfb support in DragonFly

If you’re booting DragonFly in UEFI mode, and you have unsupported video (e.g. NVIDIA), there’s the scfb driver for xorg.  It doesn’t support NVIDIA chipsets either, but it gives more options than the generic vesa driver.  It appears to be present in all the BSDs to some extent.

How Netflix works | BSD Now 222

We take a look at two-faced Oracle, cover a FAMP installation, how Netflix works the complex stuff & show you who the patron of yak shaving is.

Code stuff

In Other BSDs for 2017/12/02
World without sharing
The LLVM Thread Sanitizer has been ported to NetBSD

Interesting articles

DragonFly on Vagrant with shared folders

Pic of the week

Fixed the apple root bug.


BSD News 27/11/2017

Last week in BSD

Releases: OPNsense, pfSense
News: BSDSec, DragonFly BSD, BSDnow, OpenBSD, Lumina Desktop, BSD Router, p2k17, Wallpaper


FreeBSD Security Advisory FreeBSD-SA-17:08.ptrace [REVISED]
FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat [REVISED]
[Security-announce] pfSense-SA-17_09.webgui
[Security-announce] pfSense-SA-17_08.webgui
[Security-announce] [UPDATED] pfSense-SA-17_07.packages


OPNsense 17.7.8 released

A shiny new update is available, addressing the recent security advisories from FreeBSD, OpenSSL, Sudo and a number of minor bugs.
To all our 18.1-BETA testers we say this: thank you! The results have been thoroughly positive. If you would like to participate as well, please take a closer look:

pfSense 2.4.2-RELEASE now available

pfSense software version 2.4.2 is a maintenance release bringing security patches and stability fixes for issues present in previous pfSense 2.4.x branch releases.


Remember: don’t kldload i915 too soon

I just wasted an hour trying to figure out why xorg had strange output but no errors on this laptop, and it’s because I had i915_load="YES" in /boot/loader.conf instead of i915_load="YES" in /etc/rc.conf.  I’m almost nearly sure I’ve mentioned that before, but if not: here you go.
(though if you never plan to run X, you can put it in loader.conf and everything will just work.)

BSD in Taiwan | BSD Now 221

Allan reports on his trip to BSD Taiwan, new versions of Lumina and GhostBSD are here, a bunch of OpenBSD p2k17 hackathon reports & more!

Pre-DragonFly 4.4 users, take note

If you happen to be running an old version of DragonFly, you may need to do an intermediate upgrade to move to releases after 5.0.  This is in part because of commits to support C++14.  This only applies to versions of DragonFly before 4.4.

Code stuff

The strongest KASLR, ever? (latest developments in the Kernel ASLR district)
Lumina Version 1.4.0 Released
Areca update: arcmsr(4)
In Other BSDs for 2017/11/25

Interesting articles

DragonFly: Locking microtests
How to build a BSDRP router lab - [Virtualbox]
Digging into /usr/share/examples

p2k17 Hackathon

OpenBSD is holding hackathons as an attempt to get new changes into the source tree quickly. Here are some reports from the latest:
Reflections on Hackathons
p2k17 Hackathon report: Antoine Jacoutot on ports+packages progress

Wallpaper of the week