BSD News 06/07/2015

Last week in BSD

Releases: DragonFly BSD, OPNsense
News:  OctoPkg, FreeBSD, Raspberry Pi, BSDTalk, HardenedBSD, DragonFly BSD, OpenBSD, OPNsense, BSDnow


BSDSec


Releases

DragonFly 4.2.0 released

DragonFly 4.2 is officially released!  You can go to the 4.2 release page for details, go to the mirrors page to download, or read my [email protected] post for upgrade steps.
Update: news stories and commentary seen on lobste.rs, Hacker News, and linux.fr.
There’s a minor update for DragonFly 4.2 – this covers a problem with i915 support, so it’s worth upgrading if you have an Intel video chipset. 

OPNsense version 15.7 Released

While the summer is hot, we push forward to what now is 15.7 — nicknamed ‘Brave Badger’ — right in front of you. A lot of effort went into this project during the past 6 months, and we dare say it has been worth all of it. We would like to thank our followers and friends and feedback givers and forum lurkers and contributors and doubters and supporters that helped to make 15.7 what it is. We wouldn’t be here without any of you. Thank you.
In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to everyone. What changes is that development will move to a different branch so that from now on regressions are less likely and therefore stability will increase further. The provided images may also be the only ones for the next 6 months as we are confident in their longevity and the online upgrade path. We have also bumped the LibreSSL flavour to a production-ready state and encourage everyone to try it out. The installer’s import configuration tool coupled with a quick and easy installation can help you move from OpenSSL to LibreSSL and back seamlessly.
The biggest addition is the intrusion detection integration (suricata) as well as new local and remote blacklists options for the proxy server (squid).
Security-wise, it has been rather quiet with only a few CVEs in third-party tools. Please see the full patch notes for details and references:
  • kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric traffic shaping when NAT is involved
  • kernel: fix recurse lock panic for tmpfs in conjunction with unionfs
  • kernel: applied two stable patches that prevent squid from crashing [1]
  • kernel: retired ALTQ support
  • base: sendmail TLS/DH Interoperability Improvement [2]
  • base: improved iconv(3) UTF-7 support [3]
  • base: inconsistency between locale and rune locale states [4]
  • notable ports updates: phalcon 2.0.3 [5], curl 7.43.0_2 [6], openssh 6.8p1_8, python 2.7.10 [7], perl 5.20.2_5 [8], ntp 4.2.8p3 [9], libxml2 [10] 2.9.2_3, openldap24-server 2.4.41 [11]
  • opnsense-update: will no longer try to reinstall the installed version after a fresh installation
  • bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)
  • traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality
  • traffic shaper: allow direct enable/disable toggle
  • proxy: fix the initial daemon start on bootup
  • proxy: added LAN as the default interface configuration
  • proxy: local and remote blacklists with regex support
  • intrusion detection: initial release of our IDS GUI based on suricata
  • gateways: monitoring mode gained IPv6 support
  • captive portal: fix idle timeout bug
  • captive portal: do not delete the wrong zone when having multiple configurations
  • captive portal: removed include files from exposed web directory
  • backend: always regenerate users and groups to avoid corruption after an unclean shutdown
  • backend: wait for configd socket to come up to address a startup race issue
  • backend: clean up configd socket on exit
  • backend: fixed regression that prevented user scripts from being started via /etc/rc.conf
  • gateways: only show apinger in services when monitoring is enabled for a gateway
  • languages: brought Simplified Chinese to 49% completed, German to 30% completed
  • universal plug and play: make page invoke static to remove exploitability of the legacy packages framework
  • crash reporter: finally enabled the send button and provides human-readable feedback whether the submission was complete
  • console: added non-interactive interface assignment for headless deployments
  • ssh: disable password authentication on factory reset to align with the standard configuration
  • diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view
  • users: prompt for old password on password change to prevent account hijacking
  • users: stripped the impossible scponly user privileges since said utility has never been part of our ecosystem
Images can be found on any of our mirrors, but they may take a few hours to sync.
https://opnsense.org/download/

Other news

Lost Technology | BSD Now 96

 Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD. 

bsdtalk254 - PFsense and FreeNAS with Ken Worster

An interview with Ken Worster who is presenting on topics which include PFSense and FreeNAS in schools at the Technology Teacher ME conference in Bethel Maine.
Ogg Link: https://archive.org/download/bsdtalk254/bsdtalk254.ogg

PC-BSD 10.2-PRE-RELEASE and 11.0-CURRENT Images Available for Testing

The PC-BSD project is pleased to announce the availability of two new testing images: 10.2-PRERELEASE and 11.0-CURRENTJULY2015.
WARNING: These images are considered “bleeding-edge” and should be treated as such.
The DVD/USB ISO files can now be downloaded from the following URLs:
http://download.pcbsd.org/iso/10.2-RELEASE/edge/amd64/
http://download.pcbsd.org/iso/11.0-CURRENTJULY2015/amd64/
This is a great way to test features and report bugs well before the release cycle begins for the next major releases.
To report bugs in PC-BSD, use https://bugs.pcbsd.org.
To report FreeBSD / Port / Kernel / World bugs, use https://bugs.freebsd.org/bugzilla/enter_bug.cgi.
To update from 10.1-RELEASE:
# pc-updatemanager chbranch 10.2-RELEASE
or
# pc-updatemanager chbranch 11.0-CURRENTJULY2015
This process will take a while, downloading new packages / world / kernel for the system. When done you can reboot, and the updater will finish up the update process.

Intel® System Studio 2016 for FreeBSD* Beta

Intel has released the beta version of their C++ compiler for FreeBSD. Thanks to Kittur Ganesh (Intel) for informing us about this software. Intel® System Studio (ISS) 2016 for FreeBSD* Beta provides a comprehensive embedded tool suite solution for developing, optimizing, tuning and deploying 64-bit system and application C, C++ code running natively on FreeBSD*

HardenedBSD Introducing True Stack Randomization

When we first implemented ASLR for FreeBSD, we implemented the stack randomization portion as a random gap. This means that the base address for the stack remained constant, but where applications started utilizing the stack would change randomly. We have now implemented true stack randomization. The base address for the stack is now randomized. We still utilize a random stack gap on top of true stack randomization to provide further entropy and security. This means that we can effectively achieve 42 bits of entropy for the stack. This change breaks KBI and we have bumped the HardenedBSD version up to 26 with this change. We will be doing a new package build to ensure packages are up-to-date with this change.
You can find the git commit here. For more details about how the PaX Team recommends doing stack randomization, take a look here.
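To make the difference between the two layers concrete, here is a small C model added for this post (it is not HardenedBSD code). It models the old scheme (fixed base, random gap) next to the new one (random page-aligned base plus the gap) and estimates entropy the way you would measure it on a real system: sample the address many times, XOR each sample against the first, OR the differences together and count the bits that ever changed. The top-of-stack address, page size and the 34/8 split of base and gap bits are assumptions chosen so the model adds up to the 42 bits quoted above; the announcement gives only the total. The PRNG is a deterministic xorshift so runs are reproducible, not a CSPRNG. real_stack_sample() returns the address of a local in the running process, so running the binary repeatedly and feeding the printed values to varying_bits() measures what your kernel actually randomizes.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the two stack-randomization layers: a random page-aligned
 * base, plus a random gap below it. The constants are assumptions for the
 * demonstration, not HardenedBSD's real parameters; only the 42-bit total
 * comes from the announcement.
 */
#define STACK_TOP   0x7ffffffffff0ULL  /* assumed fixed top of user stack, 16-byte aligned */
#define PAGE_SHIFT  12                 /* 4 KiB pages */
#define BASE_BITS   34                 /* random pages below STACK_TOP for the base: assumption */
#define GAP_BITS    8                  /* random 16-byte-granular gap within one page: assumption */

typedef struct { uint64_t s; } rng_t;

/* xorshift64, seeded deterministically so the demo is reproducible; not a CSPRNG. */
static uint64_t rng_next(rng_t *r)
{
    uint64_t x = r->s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return r->s = x;
}

/* Old scheme: the base never moves, only a random gap is inserted below it. */
uint64_t sp_gap_only(rng_t *r)
{
    uint64_t gap = (rng_next(r) & ((1ULL << GAP_BITS) - 1)) << 4;
    return STACK_TOP - gap;
}

/* New scheme: random page-aligned base, then the random gap on top of it. */
uint64_t sp_base_plus_gap(rng_t *r)
{
    uint64_t pages = rng_next(r) & ((1ULL << BASE_BITS) - 1);
    uint64_t base  = STACK_TOP - (pages << PAGE_SHIFT);
    uint64_t gap   = (rng_next(r) & ((1ULL << GAP_BITS) - 1)) << 4;
    return base - gap;
}

/*
 * Empirical entropy estimate, usable on real samples too: OR together the
 * XOR of every sample against the first one and count the bits that ever
 * differed. A bit that never changes across runs is not randomized.
 */
int varying_bits(const uint64_t *samples, int n)
{
    uint64_t diff = 0;
    int bits = 0;
    for (int i = 1; i < n; i++)
        diff |= samples[i] ^ samples[0];
    for (; diff; diff >>= 1)
        bits += (int)(diff & 1);
    return bits;
}

/* Draw n addresses from one scheme with a fixed seed and count the bits that varied. */
int model_entropy_bits(uint64_t (*scheme)(rng_t *), int n, uint64_t seed)
{
    enum { MAX = 4096 };
    uint64_t samples[MAX];
    rng_t r = { seed ? seed : 1 };
    if (n > MAX)
        n = MAX;
    for (int i = 0; i < n; i++)
        samples[i] = scheme(&r);
    return varying_bits(samples, n);
}

/* Address of a local in this process: one real sample of your kernel's stack placement. */
uint64_t real_stack_sample(void)
{
    volatile char probe = 0;
    return (uint64_t)(uintptr_t)&probe;
}

int main(void)
{
    printf("this process: stack sample %#llx\n", (unsigned long long)real_stack_sample());
    printf("model, gap only:      %d bits\n", model_entropy_bits(sp_gap_only, 2000, 42));
    printf("model, base plus gap: %d bits\n", model_entropy_bits(sp_base_plus_gap, 2000, 42));
    return 0;
}
```

In the model the gap-only scheme leaves every bit above the page offset constant, which is exactly what an attacker with one leaked stack address exploits; randomizing the base moves those bits as well, and the gap still contributes its sub-page entropy on top. When you run the binary on a real system, collect the printed sample over a few hundred executions and apply the same XOR/OR count; a kernel that only inserts a gap will show the high bits never changing.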

Code stuff


Interesting Articles


Wallpaper of the week

from http://www.wallpaperdisk.com/download-free%20bsd%20devil-1463-wallpaper.html

Jan Hovancik

software developer - guitar player - poetry lover