HardenedBSD-stable 10-STABLE and 11-STABLE amd64 installers

10-STABLE
  git:        git clone --single-branch --branch hardened/10-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-10-stable
  installers: http://installer.hardenedbsd.org/hardened_10_stable_master-LAST/

11-STABLE
  git:        git clone --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-11-stable
  installers: http://installer.hardenedbsd.org/hardened_11_stable_master-LAST/

PORTS
  git:        git clone --single-branch --branch master https://github.com/hardenedbsd/hardenedbsd-ports/ /usr/ports/
  tar.gz:     fetch -o hardenedbsd-ports.tar.gz 'https://github.com/HardenedBSD/hardenedbsd-ports/archive/master.tar.gz'
  zip:        fetch --no-verify-peer -o hardenedbsd-ports.zip 'https://github.com/HardenedBSD/hardenedbsd-ports/archive/master.zip'

Stable release: HardenedBSD-stable 11-STABLE v1100054.1

HardenedBSD-11-STABLE-v1100054.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • fixed syslogd - restore host name handling in UDP case (1bbaa032d75dc1aab167b8a6cc5c9116c5e393bc)
  • fixed ARM64 control flow problem (1ea13dc104ea903a34741e363d910a1fb16f31f7) [FreeBSD-SA-Candidate]
  • fixed MAP_GUARD issues (96cbc3d921794d684acf6e4fe465374bee33ed6c)
  • upgrade to Unicode 10.0.0 (909e9adcdcdc361054c0947ee969961afe431676)
  • ZFS fixes
  • (side note: the recent OpenSSL security issues (FreeBSD-SA-17:11.openssl) are already fixed in previous releases)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100054.1-amd64-bootonly.iso) = 83725667faf1aadb34f154934f8da4790b3fe8993e98dc852d149fee4529625bf5dec04ee04a59dd577cdaaa1b6b6a2378abad39933c9d9c87dd8354757210a2
SHA512 (HardenedBSD-11-STABLE-v1100054.1-amd64-disc1.iso) = 9b0e2243f7b46a395e6c62c7daf279683ad961985e9129ccc30654672d368ea54b8bc718f6a94d74b47dd6aca049146d5dda36a0a1530d7a62d11812cf75f8de
SHA512 (HardenedBSD-11-STABLE-v1100054.1-amd64-memstick.img) = cfe23f59d9969f3bbe958916a02ae830b7b65b506c4000edcf17ab513df0214c71c95700f1e27afa1f5290323bd5b9844bab1b817107ab6828b36b7a4d49cd8d
SHA512 (HardenedBSD-11-STABLE-v1100054.1-amd64-mini-memstick.img) = ddf2e9e6a9fe32d7b104184e14c0abb6261770e00ae1cad37f58a3c8a18dc5cd021fa9e160740387812171dd9ede6fdc6322035ddc70885e7eac15086bfade12

CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054

HardenedBSD-11-STABLE-v1100054 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!
Warning2: reinstallation of pkgs/ports is required due to the LibreSSL upgrade!

Highlights:

  • Changed AT_PAXFLAG auxvector position (4c04e4a613679510cd16bb13d7974c18e3f54460)
  • Properly bzero kldstat structure to prevent kernel information leak. (3ff3ec467d4eb11cdbf706cf386935d5e58c2e91) [FreeBSD-SA-17:10.kldstat, CVE-2017-1088]
  • CloudABI 0.17 (cf6ac9b4efa43a9c64c5ab311666080a0e8632b1)
  • MFH (r325010): don't bother verifying a password that we know is too long. (b242fe393914310e50673eb62d480ce03706d745) [CVE-2016-6210]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100054-amd64-bootonly.iso) = 20f6333bcbeceb57788ca945ce9816359d9844c2476956a2d4ffd8cdb7b725b4ce12aca4a9adac67c43fdd0a5fd5b9c87888298a6044a31e3f0a4dcb564fefd3
SHA512 (HardenedBSD-11-STABLE-v1100054-amd64-disc1.iso) = 09af01b113072333cf72f2c933f2335d5e4c9e46d51c82d2a74ebd3f3217c9ba454dc77f30de75c2f805adb56608d147dd6dc520f8cfaa90fa049888f193497d
SHA512 (HardenedBSD-11-STABLE-v1100054-amd64-memstick.img) = 8951648e199157e840f1dc2637ba6516631bda75c28768086ccc5daba7822e874790cf5b1c2a86d428c70858cb1de5a0318c64ee27e8ce51596387d0b74c082b
SHA512 (HardenedBSD-11-STABLE-v1100054-amd64-mini-memstick.img) = 5d6cfc1f89374409efa226da5e6ef793e5e9472a217241e1a21e3c93ebadc9fd967a586dfbe66d454655618cef63721e42402c0a5e3282e1a5db465c208daa26

CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100053

HardenedBSD-11-STABLE-v1100053 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • LibreSSL 2.6.3 (c49b64fc67249a34f0899fdaf83ff409877c0832)
  • Fix infoleak in ptrace_lwpinfo (a9480512504618c725807232b538d3d03adb13c0) [FreeBSD-SA-Candidate, CVE-2017-1086]
  • ZFS channel programs (b6de21de0e6db7018f1a79f4e09e03275f27996f)
  • OpenSSL 1.0.2m (a88f0513c4cf81f98bab740e4f112f1a6d7f4d42) [FreeBSD-SA-Candidate, CVE-2017-3736, CVE-2017-3735]
  • Add extended attributes support to fuse kernel module (4d1ec3df908e0b5948287618d437add1454b15f0)
  • tzdata 2017c (bb786ee507dfb1537c2a2d4bbbc9cb06cfa2cd9f)
  • Linux emulation changes to support newer Linux libdrm (8b3e384829098404bdf42f48c6e808aed906aeb0)
  • Fixes and improvements for x86 LDT handling (5f0b9b87892629c113c13c5a0c5933c1de48bdb9) [FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-bootonly.iso) = bd091a8d0787229e47ea8207728db7ed5244787d17665d11a2e69779073d2a12a3bf4a1938f4c1ee001d84c3a0bf5d14ff0750fed149ffac7d3a6e266afb9bf8
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-disc1.iso) = ee546baf2e6cc55a8237cf0b96f3b10b8a8a7015bde3662b3bb28a4536c0b7d2179015477c3d3d44cbe252d6e53e348c2bd2a1c0b5e17e84405ef7a6277607ec
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-memstick.img) = e2213d1f0d4c25f2518148fc9d3a42994fda5b4e3e84ef41ea963e24b1b985cf1defc8dd65cc0bb5349b437527fffde98eee5c50002cc4908c4c0dd642e17bbe
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-mini-memstick.img) = 524764b81c8a2c8d72719589eb110e7bf44160a250b11d660039930c5678c64b22b8187a4f1e987a2235216f8e0f0a6d4b31f65552f31d633d48ae0a8e004087

CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 10-STABLE v1000050

HardenedBSD-10-STABLE-v1000050 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update! Recompilation or updating of secadm is required.

Highlights:

  • Update wpa_supplicant/hostapd for 2017-01 vulnerability release. (7aec04ba0072726d6bfd78bd999ad560d9780f9e) [FreeBSD-SA-17:07]
  • Libarchive update (a8e62bf6379d818c85773fb747b79c05929632b5) [FreeBSD-SA-Candidate]
  • hyperv updates
  • ZFS updates
  • hbsd-update improvements
  • HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1)
  • HBSD MFC: netsmb: Fix buggy/racy smb_strdupin()
  • HBSD: add kernel side of hbsdcontrol (ddf19424710e7ff34a9e82794c65b35543248941) [see UPDATING-HardenedBSD in src repo]
  • HBSD: fix a possible "time of check to time of use" attack (bfdb3e6118e66e95bb1e823201898dedc3b38701)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-bootonly.iso) = 966d3a6957976544c04e9e2200bc5717bc9771d1e4f76dd9005c8ac8936c07bf4245afc0118947d47010d16c7f7c244c8bec23e181839056c1549f1c7f2656ec
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-disc1.iso) = c25eda9ec2eb046f41003d8146aefc734efb2987286c7ee53cc81c8e9de03e63809f8b626c7ea8cb451ad1fac7ed2d006a2266b99e10c59cfc7f55678eb45871
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-memstick.img) = e9414353ad4d08f68aa8c7f85711772ccfc79b00c4dffad2d6c291d3f94ff3748058bd40c9d6a1d1b97fb16369fc855b776486bfee51eaff77e96005813a9b0d
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-mini-memstick.img) = c05aba86caa6e2f071aacc9fe602f5a5e20d6cf0ba4542ace41e3b9c79d69c1afc87b65d3cc09f1787042eb4cf8023e1295dc8bae475e6074331d7299e2acce6
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-bootonly.iso) = 5a305a274714fd140c4501769b48c46518b59b745bf24814e91028a192f23a086a9777776a82f10e8ab94a450720009fc46b7f89be62fce46ddec729d1c4722e
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-disc1.iso) = 2c4a384385e74a578cb3c4b78caebb32979628c6c40ae23b43ce4931efd764f72c46184d7815837a1516e71d45614250caea6d3d58c3fd782c31926fc004bab2
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-memstick.img) = de41b6916229ff61eb367b0dd771ca0a27451633706edcdedeab56b17483f146b36c60436e4775436e2ef054a73db0e9bd8f2a5810f9510277c9dfc60e9f7f68
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-mini-memstick.img) = f992a82ff485e4e0604f0240ed6a9e9f57d27399eacebc665cc4348dc6a8b7fb21e5bfbe5b66bf59267ab967e72cbb4793452fca9d944cc853a649b1d3e05c55

CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100052

HardenedBSD-11-STABLE-v1100052 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning, this is a security update!

Highlights:

  • MFC r324696: Update wpa_supplicant/hostapd for 2017-01 vulnerability release. (2d112e2354053559738d08a42672a59fee3c57c5) [FreeBSD-SA-17:07, fix for the KRACK WPA issue]
  • Changed AUX vector layout
  • HBSD MFC r324394: random(4): Gather entropy from Pure sources
  • HBSD MFC r324372: random(4): Discard low entropy inputs
  • HBSD MFC r316767: Map DMAP as nx.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100052-amd64-bootonly.iso) = 2c608383dad93cafbf823c44aad048e464274bd47d093695851926b10ee7f33a8ebe1ff7246943879aabe1b1c782e73fed03f17f2418b6671c0c16c1672e6684
SHA512 (HardenedBSD-11-STABLE-v1100052-amd64-disc1.iso) = 3970ebbf4aec1422ed45b788d5129980e4740bfcb555d0f8dc91542244694408050c48bbc99b6e9d14534a1802a0a73dee7bef4280cc791d06246937209b3464
SHA512 (HardenedBSD-11-STABLE-v1100052-amd64-memstick.img) = df6dc54c41f228e84f3e706e8e6e01a56c763e60bdd0422f57e5949d9bf566d79bc7b0c7cfe129e0c551978a9238590d66ad5e70b64d0c37051a6e76c974f97d
SHA512 (HardenedBSD-11-STABLE-v1100052-amd64-mini-memstick.img) = 8689c252e1211a6e8363a3c083eb0aca073bb08a378120324028a466180cbc062d48c14b2ab054a443d4b9a8d4e21ff27b21f18def975c55dc2029fcdf4c10a5

CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100051

HardenedBSD-11-STABLE-v1100051 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update

Highlights:

  • HyperV fixes
  • ZFS updates
  • libarchive update (CVE-2017-14166, CVE-2017-14502) (aea515eb9597ea4c4963aa471d4325e351653a2f) [FreeBSD-SA-Candidate]
  • a lot of hbsd-update improvements
  • Zero segment registers which contained invalid usermode selectors, when returning to kernel. (6a720c60ec8e6bc3caa3141033b0f54c14c0718d, 2c707ee9d55df4bd64c5928a092aea228426ac99) [FreeBSD-SA-Candidate]
  • make fsck_y_enable more aggressive (8430527c119726c7b1fa826dcf935f4681a126a2)
  • HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1) (954bfe0ad4ee110a69ab41f78f0494a3e2d4d9d3) [FreeBSD-SA-Candidate]
  • HBSD MFC: netsmb: Fix buggy/racy smb_strdupin() (145ca72398904245c097b37f843a2d7885a16c50) [FreeBSD-SA-Candidate]
  • hbsdcontrol's kernel-side implementation; for more information, please consult https://github.com/HardenedBSD-stable/hardenedBSD/blob/hardened/11-stabl...
  • LLVM, clang, lldb, lld, compiler-rt and libc++ update to 5.0.0 (12cd91cf4c6b96a24427c0de5374916f2808d263)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-bootonly.iso) = 2a7a0644c4f6539a0763fee344f3ac7a51df62a358a394fc884d51147ca2479cfb6aea600d900dbcf551e5e4331685d8380038849636005f51fd1ff4a391d710
SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-disc1.iso) = 840b8f12b33e4e9328187719af152c14f383e0a5b2749953f84e634bead200ff8794559b63faa6a9ed9b0675ef44be9d6d055f457f514c0107e8b480f2a46159
SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-memstick.img) = 11ce832ec9256846e3eff4d5d661a9ef38d05b7c4857d1975cfec438e38de5d3e804f8401a943753672e469c0bcde6184f3b99bb22e3174b8a1c5e59da5ae9cd
SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-mini-memstick.img) = 5189aeccb1823edde5681c6e5d7276cf2c1777981bb818ed3a3c838a5fe6f5035248da5094161b76ac9f7b574d957d833a19a3641a08f03b6fd74c468ba5140a

CHECKSUM.SHA512.asc:


Entropy Gathering Enhancements

At vBSDCon 2017, W. Dean Freeman and John-Mark Gurney gave a presentation entitled "A Deep Dive into FreeBSD's Kernel RNG." In the course of preparing for the presentation, a number of bugs and non-optimizations were discovered. These included:

  • After the code refactoring to make room for Fortuna, the code path for mixing entropy gathered from so-called "PURE" sources, such as the RDRAND instruction on Intel chips, was broken: a new check tested a bit value in the harvest mask, and that bit could not actually be set.
  • In the random_harvest_queue code path, followed by the majority of entropy sources, entire "harvest_event" structures were being hashed, causing very low min-entropy measurement values when following the non-IID track for entropy source evaluation described in NIST SP800-90B Draft 2.
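
The effect described in the second item can be reproduced with a small measurement. The following is an added example, not FreeBSD or HardenedBSD code: it applies a most-common-value min-entropy estimate (one of the estimators used on the SP 800-90B non-IID track) first to the noise bytes alone and then to whole event records. The record layout, field values and sample counts are constructed assumptions for illustration.

```python
import math
import random
import struct
from collections import Counter

# Constructed, simplified stand-in for a kernel harvest event (NOT the real
# FreeBSD layout): counter, 8-byte entropy buffer, size, bits, dest, source.
EVENT_FMT = "<I8sBBBB"  # 16 bytes per record


def mcv_min_entropy(samples: bytes) -> float:
    """Most-common-value estimate: min-entropy in bits per 8-bit sample."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    # Upper bound of the 99% confidence interval on the top probability.
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def make_events(count: int, seed: int = 1):
    """Return (payload_only, whole_records) byte strings for `count` events."""
    rng = random.Random(seed)  # deterministic so the numbers are repeatable
    counter = 0x5A000000
    payloads, records = bytearray(), bytearray()
    for _ in range(count):
        counter += 4096 + rng.randrange(64)  # mostly predictable tick
        noise = bytes(rng.randrange(256) for _ in range(4))
        payloads += noise
        # Only 4 of the 8 buffer bytes are used; struct pads the rest with 0.
        records += struct.pack(EVENT_FMT, counter, noise, 4, 0, 0, 7)
    return bytes(payloads), bytes(records)


def compare(count: int = 20000):
    """Estimate bits/byte for the noise alone and for the whole records."""
    payloads, records = make_events(count)
    return mcv_min_entropy(payloads), mcv_min_entropy(records)


if __name__ == "__main__":
    h_payload, h_record = compare()
    print(f"payload only : {h_payload:.2f} bits/byte")
    print(f"whole record : {h_record:.2f} bits/byte")
```

The constant and zero-padded fields dominate the byte histogram of the whole records, so the per-byte estimate drops sharply even though the noise inside each record is unchanged.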

Working with the HardenedBSD team, W. Dean Freeman has addressed these issues in 12-CURRENT, with review by John-Mark Gurney. Patches will be made available upstream so that FreeBSD can benefit from both the bug fixes related to pure entropy sources and the boost in min-entropy. Additionally, a BSD-licensed userland daemon similar to that found in the GPLv2-licensed rng-tools package has been developed, which allows crypto officers to easily use USB-attached TRNGs to increase the entropy fed into the kernel PRNG.

Future work related to this will include importing the NIST_CTR_DRBG module from NetBSD into HardenedBSD and performing a FIPS 140-2 gap analysis against available kernel cryptographic modules to see what additional work needs to be done in order to provide a BSD-based alternative to Linux in the government sphere.

Stable release: HardenedBSD-stable 11-STABLE v1100050

HardenedBSD-11-STABLE-v1100050 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: pull in upstream fix for pwait hang when watching its own pid (09401513dde5740de4b088e39333d8011f210786)
  • Removed HARDEN_RANDOMPID kernel knob
  • HBSD: rework MAP_GUARD footshooting prevention (c694b8039615f1e4e59ef299ea36d6aa93a13269)
  • HBSD: Enable EARLY_AP_STARTUP kernel config option - fixes Xen boot issues (b179d012d10d53a6331ff74e8485bc280c254f40)
  • MFV r320195: bhyveload: correctly query size of disks (2239cf6be006a2c35505c12569689f845fa3da2b)
  • HBSD: merged back LibreSSL 2.5.5 and enabled by default in 11-STABLE (37565403fa31bc816a59893dc50598e242801371) (with a lot of commits from Bernard)
  • Add sysctls for ZFS ARC shrinking and growing values (d991ae815445d3666cddf457fe576ecdbb07a013)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-bootonly.iso) = 8d11dcb3b300bfb7c05a52893564a8eca7727624833634c8c0f0b3a9fc8fa3fe80de277fbc563f77252e3266591e77b26300be214919fef6902d9576a58bc846
SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-disc1.iso) = fb64fd300ea10972db2081d800ec08532fef8a899d6b463b0d321d98cbe2e995150fb27a707ece45e0219c6cc44b99120555d6339a23035b087b00a07d698889
SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-memstick.img) = ec8efddf21fbb1064b796d1f7db3845fa0e54437c364837eefb7f11974929c41598b13fa6b8bd16abee6997939ea629c8a4abc794f353dfeca04c183ffdde032
SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-mini-memstick.img) = 2a0cc547d94438d52a51e587cdd49f7b37af7e1398299e96973b892b7778b44a63ce9a34df6b5827e6ab33e889825f6a292e6ca5981bd5116e79ed64f2414ebd

CHECKSUM.SHA512.asc:


HardenedBSD 11-STABLE Now Ships With LibreSSL

HardenedBSD 11-STABLE has now migrated to LibreSSL as the default cryptography library in base. We've already published a binary update for you hbsd-update users.

The 11-STABLE package repo was taken offline until it could be freshly rebuilt. The rebuild process has been completed and the repo is back online. You will, of course, need to update base before updating packages.

Because of the severity of this type of change, you will need to reinstall all the packages on your system.

Instructions for reinstalling packages:

1. If you use secadm: secadm flush
2. pkg-static clean -y
3. pkg-static upgrade -f
4. If you use secadm: service secadm start
