BSD News 09/11/2015

Last week in BSD

Releases: HardenedBSD, OPNsense, pfSense
Other news: BSDnow, BSDSec, FreeBSD, HardenedBSD, LibreSSL, OPNsense, DragonFly BSD, pfSense
HardenedBSD-stable 10-STABLE and 11-CURRENT amd64 installers

git clone --single-branch --branch hardened/10-stable/master <repository URL> hardenedbsd-10-stable
git clone --single-branch --branch hardened/current/master <repository URL> hardenedbsd-current


OPNsense 15.7.18 Released

It took a while to track down an NTP regression with FreeBSD that turned out to be a flaw in the kernel itself. That’s now fixed for all FreeBSD versions. Thanks everyone for helping out here again. :)
This update brings quite a few fixes, especially with regard to VMware and Xen virtualisation plugins. If you are in need of such plugins for seamless guest support the installation is quite painless:
# pkg install os-vmware
# pkg install os-xen
In case of VMware, the masterplan is that vmx network devices will be persistent after reboot so that such devices can be embedded into the config.xml. Let us know how that works for you guys. Needless to say, we’ll keep working on making plugins accessible through the GUI with our next major version that is 16.1.
We’ve also been working on ironing out further IPsec hiccups and adding more features to the captive portal in the development version. Oh, and this: fresh images based on 15.7.18 will be available a couple of days after this release.
Here are the full patch notes:
  • plugins: updated the VMware plugin to support early boot for persistent vmx(4) device access
  • plugins: added the Xen plugin for automatic guest support
  • openvpn: fix server not saving interface without IP
  • crash reporter: remember email for continuous feedback
  • crash reporter: Suhosin PHP module no longer triggers crash reports
  • crash reporter: fixed 10 assorted crash reports
  • languages: fix all apply button prompts for non-English translations
  • languages: updated German and French via
  • backend: added simple plugin hooks for boot up, early boot up and shutdown
  • GUI: hooked up the authentication backend rewrite
  • dhcp: remove illegal ifconfig tag in custom dhclient script
  • virtual ips: make subnet selectable on ipalias
  • ipsec: flip ipv4/ipv6 subnet options in phase2
  • ipsec: fix issue when using both tunnels and roadwarrior
  • ipsec: listen to disabled ipsec nat entries
  • ipsec: do not overwrite settings for rekey/reauth
  • proxy: fix error on saving special URL characters
  • aliases: fix missing url table items
  • aliases: hide minus when not applicable
  • ntp: don’t trigger set_gps_default on page load
  • captive portal (development): clean rewrite of RADIUS authentication/accounting
  • captive portal (development): added a session overview feature to the new
  • captive portal (development): fixed template download file name in Google Chrome
  • src: Implement pubkey support for pkg(7) bootstrap [1]
  • src: rpcbind remote denial of service [2]
  • src: Applications exiting due to segmentation violation on a correct memory address [3]
  • src: tzdata updated to 2015g [4]
  • ports: ntp 4.2.8p4 [5]
  • ports: pkg 1.6.1 [6] [7]
  • ports: sqlite 3.9.1 [8]
  • ports: suricata 2.0.9 [9]
  • ports: php 5.6.15 [10]


2.2.5-RELEASE Now Available!

pfSense® software version 2.2.5 is now available. This release includes a number of bug fixes and some security updates.
Today is also the project's 11th birthday. While work started in late summer 2004, the domains were registered and the project made public on November 5, 2004. Thanks to everyone that has helped make the project a great success for 11 years. Things just keep getting better, and the best is yet to come.
Security Fixes and Errata
  • pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
    • The complete list of affected pages and fields is listed in the linked SA.
  • Updated to FreeBSD 10.1-RELEASE-p24
    • FreeBSD-SA-15:25.ntp Multiple vulnerabilities in NTP [REVISED]
    • FreeBSD-SA-15:14.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.
    • FreeBSD-SA-15:16.openssh: OpenSSH client does not correctly verify DNS SSHFP records when a server offers a certificate. CVE-2014-2653 OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.
    • FreeBSD-SA-15:18.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
    • FreeBSD-SA-15:20.expat: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
    • FreeBSD-SA-15:21.amd64: If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.
    • FreeBSD-SA-15:22.openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.
The bug fixes and changes in this release are detailed here.


OpenBGPd and route filters

Many moons ago, OpenBGPd was extensively used throughout the networking world as a Route Server. However, over the years, many have stopped using it and have migrated away to other implementations. Recently, I have been getting more involved with the networking community, so I decided to ask "why?"

Call For Donations Update

On 11 July 2015, we announced a Call For Donations. The community has been very gracious towards us. As of today, we have now exceeded our goal. We are grateful to each and every one of our donors, no matter the amount they contributed or in what form. HardenedBSD is growing and we need all the help we can get. We would especially like to thank Xinuos and ISC for their sizable contributions.
Here's what we've managed to do so far with the donations provided:
  • Replace two failing hard drives in the package building server along with ordering two extra for hot spares.
  • Purchase multiple ARM and ARM64 development boards for porting and testing efforts.
  • Stickers!
  • Minor expenses for conferences.
  • Hosting expenses.
  • Other hardware replacement and acquisition.
In January of 2016, work will start for becoming a 501(c)(3) not-for-profit organization in the United States. This will mean that US-based donations will be tax-deductible, giving a tangible incentive for donations.
We couldn't have done all of this had it not been for all the generous contributions, large and small. Even though we've reached our goal, we're still accepting donations. The more that comes in, the more that we can accomplish. We look forward to the coming year and the advancements we'll make.

BSD-Schooling | BSD Now 114

Allan is out of town this week at another Developer Summit but we have a great episode coming up with Brian Callahan where we discuss BSD in education. Also, news & a lot of user feedback to get to, so sit back & relax, more BSD is coming your way right now!

Jan Hovancik

software developer - guitar player - poetry lover