BSD News 29/06/2015

Last week in BSD

Releases: pfSense
Other news: DragonFly BSD, pfSense, BSDnow, PC-BSD, FreeBSD, freeNAS, OpenBSD, MidnightBSD

Releases

pfSense 2.2.3-RELEASE Now Available

pfSense® software version 2.2.3 release is now available, bringing a number of bug fixes and some security updates.
Security Fixes
  • pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI
    • The complete list of affected pages and fields is large and all are listed in the linked SA.
  • FreeBSD-SA-15:10.openssl: Multiple OpenSSL vulnerabilities (Including Logjam): CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-4000
The bug fixes and changes in this release are detailed here.


News

PC-BSD Documentation can now be Translated Using Pootle

Kris has finished integrating the source files for the PC-BSD Handbook documentation into Pootle, meaning that translators can now use their web browser to translate the Handbook into their native language. As translations are completed, we’ll make sure that the build server generates HTML copies and includes them in /usr/local/share/pcbsd/doc/html (right away for EDGE users and with the next release for PRODUCTION users).
To translate the documentation, go to http://translate.pcbsd.org/translate/, click the “All Projects” drop-down menu, and select “PC-BSD Handbook”. You can then click the link for the language to translate. Currently, German and French are available. If you want to translate to a different language, send an email to the translations mailing list and request that it be added.


Bitrot Group Therapy | BSD Now 95

This time on the show, we'll be talking some ZFS with Sean Chittenden. He's been using it on FreeBSD at Groupon, and has some interesting stories about how it's saved his data. Answers to your emails and all of this week's headlines, on BSD Now - the place to B.. SD.

Seeking Package Mirrors

HardenedBSD is gaining a lot of traction. We maintain our own packages to ensure proper ABI/API compatibility with HardenedBSD. We are looking for those who would be interested in mirroring our package repositories. You'd be looking at 2x50GB per repository. Right now, we only have one repo for 11-CURRENT/amd64. But we will soon be expanding to also building 10-STABLE/amd64 packages as well. We are currently restructuring the way our repo works. Of course, if you decide to become an official mirror, your name will be listed on our donors page. We appreciate the help and support the community has given us already and we look forward to working further with the community as we grow. Please contact us at [email protected] to discuss further details.

Leap Seconds and FreeBSD Article

A new article, FreeBSD Support for Leap Seconds, gives a quick overview of leap second handling. The next leap second will occur at 2015-Jun-30 23:59:60 UTC.

Handling Leap Seconds the OpenBSD Way

Christian Weisgerber (naddy@) let us all know what we need to do to prepare for the impending leap second:
As you may have heard, a leap second will be upon us at 23:59:60
UTC on June 30.

The sky will fall, civilization will end, and dinosaurs will roam
the earth again.  Well, maybe not.

Neither the OpenBSD kernel nor OpenNTPD handle leap seconds in any
way.  So what will happen?
Read more...


Wallpaper of the week 


from http://gnome-look.org/content/preview.php?preview=1&id=39793&file1=39793-1.jpg&file2=&file3=&name=Unix+Wallpaper

BSD News 22/06/2015

Last week in BSD

Releases: MidnightBSD, OPNsense, NetBSD
Other news: SmallWall, DragonFly BSD, pfSense, FreeBSD, MidnightBSD, BSDnow, NetBSD, OPNsense, BSDSec

Releases

MidnightBSD 0.6.1 RELEASE

MidnightBSD 0.6.1 RELEASE fixes several security issues with OpenSSL.
It updates the system to OpenSSL 0.9.8zg.
Users of 0.6 or 0.7-CURRENT should update their systems via SVN.
You can read more about the issues via the OpenSSL website:
https://www.openssl.org/news/secadv_20150611.txt

OPNsense version 15.1.12 Released

  • src: fix OpenSSL multiple vulnerabilities (SA-15:10.openssl)
  • src: update base system file(1) to 5.22 (EN-15:06)
  • src: improve reliability of ZFS (EN-15:07) [3]
  • src: updated to tzdata2015e [4]
  • ports: openssl 1.0.2c [5], libressl 2.2.0 [6], php 5.6.10 [7], dnsmasq 2.73 [8], smartmontools 6.4 [9]
  • syslogd: disable unmaintained and unused ZMQ patches
  • opnsense-update: gained independent awareness of kernel and base system version
  • opnsense-update: improved the manual page to include all recent changes
  • firmware: bring back /etc/shells support to avoid the unknown shell warning on bootup
  • firmware: always schedule next poll while upgrade is running to accommodate for web server restart delay
  • logs: fix DHCP reverse ordering and update layout
  • wizard: remove false statement about using “dhcp” for LAN setup
  • menu: order interfaces by name
  • captive portal: fix database creation query by avoiding SQL injection syntax that broke due to a recent upstream hardening of the database adapter underneath

 

NetBSD 7.0_RC1

Many changes have been made since 6.0. Here are a few highlights:
  • Greatly improved support for modern Intel and Radeon graphics hardware through a port of the Linux DRM/KMS code. Most X.Org components have been updated as well.
  • ARM multiprocessor support
  • Support for new ARM boards, some of which are listed below:
    • Raspberry Pi 2
    • ODROID-C1
    • BeagleBoard-xM
    • BeagleBone
    • BeagleBone Black
    • Banana Pi
    • Cubieboard 2
    • Cubietruck
    • Merii Hummingbird
    • Marvell ARMADA XP
    • GlobalScale MiraBox
    • Kobo
    • Sharp Netwalker PC-Z1
  • GPT support in sysinst
  • Lua kernel scripting
  • Multiprocessor USB stack
  • Many improvements to NPF, the NetBSD packet filter
  • GCC 4.8.4 (and optionally, LLVM/Clang 3.6.1)
Binaries of NetBSD 7.0_RC1 are available for download at:
http://ftp.netbsd.org/pub/NetBSD/NetBSD-7.0_RC1/
Those who prefer to build from source can either use the netbsd-7-0-RC1 tag or follow the netbsd-7 branch.

Other news

SmallWall documentation

We now have documentation on the website! And some minor fixes to the website... 

BSDNow: Episode 094: Builder's Insurance

This week on the show, we'll be chatting with Marc Espie. He's recently added some additional security measures to dpb, OpenBSD's package building tool, and we'll find out why they're so important. We've also got all this week's news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now - the place to B.. SD.


Wallpaper of the week

from http://hdw.eweb4.com/out/842558.html

BSD News 16/06/2015

Last week in BSD

Releases: SmallWall, OPNsense, DragonFly BSD
Other news: BSDSec, DragonFly BSD, HardenedBSD, LibreSSL, NetBSD, OPNsense, SmallWall, Wallpaper, SmallWall, NetBSD, BSDnow

Check out DiscoverBSD stats - or some stats for DiscoverBSD, BSD-Links and BSDsec.

Releases

SmallWall 1.8.2 released and 1.8.3 bugfix release

A bug was found in syslog in the 1.8.2 build, so there is now a 1.8.3 released to patch that build bug.

DragonFly 4.2 and 4.0.6 branched

The more eagle-eyed may have noticed a branching for DragonFly 4.2, and for DragonFly 4.0.6.  The 4.2 branch is currently only a release candidate, so don’t necessarily change over yet – it’s for testing, not release.
Note that packages for 4.2 are not yet built, so you’ll have to manually specify a package path to install with pkg on 4.2 – for now. That won’t be the case for the actual release, of course. DragonFly 4.3 users will have to specify PKG_PATH manually to use 4.2 images until new ones are built.  4.2 release candidate users will be fine.  (see comments for correction.)
The 4.0.6 release is mostly to get the recent OpenSSL update into a 4.0.x build.
I am working on image building for both.

DragonFly 4.0.6 image up

 I’ve uploaded DragonFly 4.0.6 ISO and .img files.  (Does that capitalization make sense?)  They should be available at your nearest mirror, or will be shortly. I am still working on the 4.2 release candidate images.

OPNsense version 15.1.11.4 Released

 Here is the full list of changes:
  • notable ports updates: pcre 8.37_1 [1], phalcon 2.0.2 [2], strongswan 5.3.2 [3], sqlite 3.8.10.2 [4]
  • more notable ports: openvpn 2.3.7 [5], openssl 1.0.2b [6], libressl 2.1.7 [7], pkg 1.5.4 [8]
  • opnsense-update: has gained the ability to do package updates as well
  • core: removed unused ssh_tunnel_shell and 3gstats utilities, added sudo to the default utilities
  • captiveportal/traffic shaper: better fix for localhost skip
  • traffic shaper: added ICMP, IGMP, ESP, AH and GRE protocols to selectable protocols
  • core: fixed a bug that prevented our API from working properly with Phalcon 2.0.1 and above
  • backend: added configctl command utility launcher and improved its logging capabilities
  • backend: worked around a performance degradation bug in Python 2.7 on FreeBSD
  • gateways: monitoring via `apinger’ is now turned off by default for all new gateways created (opt-out flipped to opt-in for privacy reasons)
  • firmware: refactored firmware code to use opnsense-update’s new capabilities
  • firmware: fix parsing of packages to be upgraded in fringe cases
  • firmware: fix overzealous caching of available package upgrades
  • users: users with group admins now have `wheel’ group associated with them, allowing them to use `su’ or `sudo’ (if configured)
  • users: do not copy root’s hidden files while creating a new user home directory

Other news

 

First Experimental OPNSense Images With HardenedBSD

One month ago, we announced we were teaming up with OPNSense to provide HardenedBSD-flavored versions of their project. Work started with backporting our work from 11-CURRENT to 10-STABLE. We worked with Franco Fichtner, one of three people currently on the OPNSense core team, to enhance their build scripts. We received hardware donations from Netgate and Deciso. We fixed a number of bugs in secadm and backported Integriforce to 10-STABLE. This month sure has been a busy one.
We're excited to announce today the availability of the first experimental build of OPNSense based on top of HardenedBSD. It features every one of our great exploitation mitigation features and is built with Integriforce baked right in. Most of the network-aware applications are compiled as Position-Independent Executables (PIEs). Please note that since this is our first ever experimental build, we have not worked out binary upgrade paths just yet. You will likely need to do reinstalls for future builds. You can backup your configuration prior to reinstallation and restore the configuration post-installation.
There are two flavors for download: a generic build and a build for the Netgate RCC-VE 4860. The generic build will work on most standard appliances. The Netgate RCC-VE 4860 has a special build due to needing custom serial console settings. If you're not using the Netgate RCC-VE 4860, the generic build is for you.
You can find the builds here. Please note that these builds are experimental. They are not meant for production use. But that still hasn't stopped us from using it in production, since we like to eat our own dogfood. ;)
UPDATE 11 Jun 2015 05:39 EDT: OPNSense has mirrored the generic builds here.

Stacked in Our Favor | BSD Now 93

We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.  

NetBSD CI20 status update

I didn't really have much time to work on more hardware support on CI20 but it's been a while since the last post so here's what I've got:

  • drivers for on-chip ehci and ohci have been added. Ohci works fine, ehci for some reason detects all high speed devices as full speed and hands them over to ohci. No idea why.
  • I2C ports work now, including the onboard RTC. You have to hook up your own battery though.
  • we're no longer limited to 256MB, all RAM is usable now.
  • onboard ethernet is supported by the dme driver.
There's also an unfinished driver for the SD/MMC ports.
The RTC is a bit funny - according to the manual there's a Pericom RTC on iic4 addr 0x68 - not on my preproduction board. I've got something that looks like a PCF8563 at addr 0x51, and so do the production boards that I know of. Some pins on one of the expansion connectors seem to be for a battery but I haven't been able to confirm that yet. Either way, since the main connector is supposed to be Raspberry Pi compatible any RTC module for the RPi should Just Work(tm), with the appropriate line added to the kernel config.
Some more work has been done under the hood, like some preparations for SMP support.

pfsense-tools is back on github

Some people prefer a web-ui for git.  Rather than expose our gitlab instance to the world via a web-ui, we’ve re-enabled access via github.
The process remains the same. You will need to agree to two click-through agreements, first the Contributor License Agreement (either individual or corporate), then the actual license agreement, wherein you basically agree that our marks are valid, that you’ll give credit to the project, and that you won’t call the result pfSense, or anything else that is sufficiently similar to our trademarks to cause confusion.
If you’ve already been through that process, you’ve already been granted access to the team that can view the pfsense-tools repo on github.
If you haven’t put your github username in your pfSense portal profile, then we don’t know who you are on github, and the process won’t work.
Long-term, the goal is to eliminate the need for this repo.  We don’t want to carry a set of discrete patches, and there are well-known examples of better build systems in the world.  More on that in a future post.



Wallpaper of the week

from https://www.br0tkasten.de/?page=18

BSD News 08/06/2015

Last week in BSD

Releases: OPNsense
Other news: DragonFly BSD, nginx, FreeBSD, HardenedBSD, freeNAS, DragonFly BSD, OpenSSH

BSDSec

[FreeBSD-Announce] HEADS UP: FreeBSD 8.4 EoL coming soon

Releases

OPNsense version 15.1.11.2 Released  


  • notable ports upgrades: pcre 8.37, pkg 1.5.3, ca_root_nss 3.19.1
  • aliases: fix javascript error that prevented aliases from working
  • traffic shaper: rewrote the feature using standard components on top of the new MVC framework/API (see Firewall: Traffic Shaper)
  • system: enabled first few hundred translations of Simplified Chinese to help the community to progress and review said translation (see System: Settings: General)
  • vpn: all GUI files underwent a thorough coding style refresh
  • firmware: prevent spurious “Module already loaded” errors while upgrading PHP packages

OPNsense version 15.1.11.3 Released 


  • config: improved the deletion of backups
  • wifi: do not launch FreeBSD’s rc scripts on 802.11 attach/detach
  • ipfw: always forward traffic coming from localhost
  • system: apply PSR2 coding style to GUI pages
  • captive portal: apply PSR2 coding style to GUI page

Other news

Nginx and DragonFly 

If you’re using nginx on DragonFly, version 1.9.1 has specific DragonFly speedup options built in.

Microsoft Announces Support for SSH 


Windows admins rejoice! Microsoft's PowerShell Team announced future support for SSH, specifically OpenSSH:
[T]he PowerShell team realized the best option will be for our team to adopt an industry proven solution while providing tight integration with Windows; a solution that Microsoft will deliver in Windows while working closely with subject matter experts across the planet to build it. Based on these goals, I’m pleased to announce that the PowerShell team will support and contribute to the OpenSSH community - Very excited to work with the OpenSSH community to deliver the PowerShell and Windows SSH solution!
A follow up question the reader might have is When and How will the SSH support be available? The team is in the early planning phase, and there’re not exact days yet. However the PowerShell team will provide details in the near future on availability dates.
Emphasis in the original. Wider adoption of secure technologies can only benefit the community. Hopefully that future is actually near, both for deployment and 'support and contribution'. 

BSD After Midnight | BSD Now 92   


Coming up this week, we'll be chatting with Lucas Holt, founder of MidnightBSD. It's a slightly lesser-known fork of FreeBSD, with a focus on easy desktop use. We'll find out what's different about it and why it was created. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD. 

KMS/console in master for DragonFly 

Those changes I mentioned yesterday for text console support?  They’re in DragonFly-master now, along with a loader tunable to turn it on and off.

Code stuff

DragonFly Radeon updates 
HardenedBSD secadm 0.2.3 Released 
USB ethernet adapters and DragonFly 
In Other BSDs for 2015/06/06 

Interesting articles

libvirt/libxl on FreeBSD 
FreeNAS 10 Hackathon 
OpenStack on FreeBSD/Xen Proof of Concept

Wallpaper of the week

via +RandyBelk (album)

BSD News 01/06/15

Last week in BSD

Releases: OPNsense
Other news: Lumina Desktop, pkgsrcCon, BSDnow, Hammer, PC-BSD, DragonFly BSD, Wallpaper

Releases

OPNsense version 15.1.11 Released


Here is the full list of changes for 15.1.11:
  • core: removed unused package dependencies b42-fwcutter, bwi-firmware-kmod, dmidecode, ifstated, pecl-ssh2
  • core: switched back from bind-tools to the latest full bind 9.10 package due to various requests
  • src: fix panic in pf(4) in conjunction with ALTQ[3]
  • src: updated to FreeBSD 10.0-RELEASE-p10[4][5]
  • src: reverted two more custom patches to align with FreeBSD
  • ports: updated to ca_root_nss 3.19, sqlite3 3.8.10.1, php56 5.6.9[6], openssh-portable 6.8p1_7[7]
  • opnsense-update: exclude /etc/tty from the upgrade
  • bsdinstaller: reworked the internals to align to modern port standards
  • captive portal: switched rules generation to new template engine
  • firmware: reimplement the GUI firmware update using MVC code
  • menu: remove collapse/expand inconsistencies
  • dashboard: fix disabled widgets dialog
  • nat: fixed delete of multiple items
  • nat: fix display of disabled rules
  • queues: the legacy ALTQ traffic shaper is now found under “Firewall: Queues” to make room for the upcoming traffic shaper reimplementation based on IPFW/dummynet
  • core: fix faulty read of /var/log/dmesg.boot

OPNsense version 15.1.11.1 Released 


  • crypto: regenerate DH parameters for 1024, 2048 and 4096 bit
  • crypto: tweak the web server config to harden against Logjam


Other news

Announcing pkgsrcCon 2015 in Berlin 


The 10th pkgsrcCon is happening on the weekend of July 4th and 5th 2015 in Berlin. Developers, contributors, and users are all welcome to attend.
More details can be found on the pkgsrcCon 2015 website.
Everyone is welcome to make a presentation. So please do! If you already have title or topic please send an email to [email protected].


HardenedBSD Poll: linuxulator Removal 



The linuxulator (the Linux emulation/translation layer in FreeBSD) has recently undergone a major overhaul. Many of FreeBSD's userbase relies on the linuxulator to provide things like the Adobe Flash Player browser plugin, linux browsers, and certain linux-centric tasks. The linuxulator provides a set of security challenges. It is yet another attack vector. The core HardenedBSD team would like to completely remove the linuxulator from HardenedBSD's codebase.
What would be removed:
  1. linuxulator and its dependents
  2. linprocfs (pending investigation, this might not be removed)
  3. packages that require the linuxulator
Should the linuxulator be removed?

Recent dragonfly-master users: update 



If you were running a version of DragonFly 4.1 (i.e. the master version, not release) built between the 20th and 25th, rebuild.  There’s a UFS bug introduced in that short timeframe.
If you are running 4.0.x release or built your version of DragonFly-master outside of that date range – you are unaffected.

Vox Populi | BSD Now 91   

This week on the show, we've got something pretty different. We went to a Linux convention and asked various people if they've ever tried BSD and what they know about it. Stay tuned for that, all this week's news and, of course, answers to your emails, on BSD Now - the place to B.. SD.


Code stuff

Recent Hammer2 work
More Hammer 2 improvements 
In Other BSDs for 2015/05/30 

Interesting articles

Lumina Desktop Status Update/FAQ 
PC-BSD 10.1.2: an Interview with Kris Moore
[05/29/2015] zfscron - A great idea from the BSDNow podcast to backup your home directory.

Wallpaper of the week

from https://www.freebsd.org/logo.html