Introducing OpenNTPd in Base

Over the past few months, Bernard Spil has been hard at work importing OpenNTPd 6.0p1 in HardenedBSD base. Starting with 12-CURRENT, HardenedBSD will ship with OpenNTPd by default. Just like with LibreSSL in base, HardenedBSD users have a choice when building world of which NTP daemon to use. Users who want to use the legacy NTPd can set WITHOUT_OPENNTPD and WITH_NTP in src.conf(5). Bernard will continue maintaining LibreSSL and OpenNTPd in HardenedBSD base.

Users who are upgrading from an existing 12-CURRENT system from source and who use the legacy NTP daemon in base will need to perform the following actions:

  1. Install new world
  2. Run mergemaster or etcupdate
  3. sysrc ntpd_enable="NO"
  4. sysrc local_openntpd_enable="YES"

A binary update will be published within the next 24 hours that contains OpenNTPd in base. Those who use hbsd-update will only need to perform steps 3 and 4 above.

Stack Clash Mitigations

The Stack Clash advisory by Qualys provided detailed insight as to what happens when the heap and the stack meet. The stack grows down and the heap grows up. The stack grows on an as-needed basis. When the stack pointer is decremented beyond an existing page boundary, a page fault happens and the kernel will allocate more space for the stack (assuming the application hasn't hit the stack limit.) If there is an existing memory mapping with PROT_READ and PROT_WRITE set right below the stack, then no page fault occurs and the application will use the mapping as if it were for the stack. Ideally, this should never happen. In order to prevent this from happening, most operating systems (FreeBSD included) implement a "stack guard," which is a guard of one or more pages reserved below the stack, preventing other mappings. A properly implemented stack guard will effectively prevent the heap or other memory mappings from reaching the stack.

FreeBSD provides a stack guard implementation, but has it disabled by default. As discussed in the Qualys report, when enabled, FreeBSD's stack guard implementation had a logic flaw that prevented it from being effective. A proof-of-concept exploit written by HardenedBSD's own Shawn Webb demonstrated Qualys' claims. HardenedBSD had the stack guard enabled by default.

To mitigate Stack Clash, we in HardenedBSD performed the following in 12-CURRENT over the week of 19 Jun 2017 to 24 Jun 2017:

  1. Fixed the flaw in the stack guard implementation that prevented it from being effective.
  2. Increased the size of the stack guard from one 4KB page to 2MB.
  3. Prevented mappings from occurring between the bottom-most limit of the stack and the top of the stack.
  4. (Soon) Modified the per-thread stack guard in libthr to be of random size, minimum 1MB, maximum 5MB.
    • This also randomizes the top-most address of each per-thread stack.

The commits for these changes have been backported to HardenedBSD 11-STABLE. Item #1 has been backported to HardenedBSD 10-STABLE.

On 24 Jun 2017, FreeBSD committed their Stack Clash mitigation. It introduces the concept of MAP_GUARD, which is a special PROT_NONE mapping. It's placed immediately below the bottom-most limit of the stack. It's a really innovative implementation that allows general use of guard pages. Indeed, in a follow-up commit, the RTLD now uses MAP_GUARD for guard pages between shared objects. FreeBSD's stack guard is still a single 4KB page in size, even with Qualys' recommendation to use a minimum of 1MB. On 25 Jun 2017, FreeBSD followed up with a commit to fix a regression that effectively disabled the stack guard in certain edge cases with the new implementation. Overall, FreeBSD's solution to the Stack Clash problem is innovative and even useful outside the context of Stack Clash.

We in HardenedBSD now use a hybrid of both approaches. We've hardened the security.bsd.stack_guard_page sysctl node to a 2MB stack guard. We've made that sysctl node a read-only tunable, configurable only at boot-time. The changes to libthr still stand and the per-thread stack guard size is a random size between 1MB and 5MB. We may look to integrate MAP_GUARD with libthr instead of its reliance on mprotect(PROT_NONE).

Update 25 Jun 2017: The randomization of the per-thread stack guard has been found to be too aggressive. We are investigating this feature and will revisit it soon.

Stable release: HardenedBSD-stable 10-STABLE v1000047

HardenedBSD-10-STABLE-v1000047 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: partially backport 13971cb990b78e as fix for CVE-2017-1084
  • Changed __HardenedBSD_version scheme
  • opBSD: plug the last memory protection test in paxtest (cf883c4d3277ebdb2f7011cb64dfcfde8205352c)
  • HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (12c307c4634ee07f297d1d821a77af8eedc72c1a)
  • HBSD: add our third mirror: de-01.installer.hardenedbsd.org @Germany
  • HBSD: add our second mirror: allbsd.org @Japan
  • Implement INHERIT_ZERO for minherit(2)
  • Fix several buffer overflows in realpath(3), and other minor issues [FreeBSD-SA-Candidate]
  • Libarchive update (bd8807fedd6c5daf0cea50b0b09af795fdaa686c)
  • hyperv/kvp: Fix pool direcrory and file permission

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-bootonly.iso) = 2fa9ff9ba85e25956fbc31bd8c25508ca5328f969fee99bd92e6be1f2e61851ad532e723876c964ad379808eb05f26193252d82145915c5a23d3d698a6efd088
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-disc1.iso) = b81647c374938520abb0e63eeebe23e715660d078dbbec9d2e828feb4fc14286664527ce4d35a0f569317b098385c5e4d77665ac27a6286a3bb3679864ef522b
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-memstick.img) = e3179eea6383454559c948f172398ff56b80c29e3c68b888cd7bacb542b760b295b7f3dc73ee2a1fd69e2005a0d6cdfe54fc016bdc78e043d4955906347b2584
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-mini-memstick.img) = 483e770295e08979207013fda30b3b652d7f4969845fc77959ef71f5c1fa1182931572a5c8a3dbe59e5c81c42b369f9c87559a17cc913d95101af0f3f0448765
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-bootonly.iso) = 8bdecf399e6c42d88d8ec02daf95b265d1c781af7c8e8ec7d5ed7c6e242955c261b9d23f811d21d044ce00694fcc9c6dd0018acda101df24657646c90ed8c2f0
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-disc1.iso) = d24c1d981b48342fa9eca9545ff8db08b1e0805a176d2eea7b880c145293e2db1c18f01d5a9f019bc5f70d9d8b9ad669dd5da6db287f9e13b0971a3f63e9b363
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-memstick.img) = 0c6148d245ec920e8a45666d481c66d81c9aefbeb9ec2887b395d843d216c0a10717b106c562928d4e1439b0b837666629637f9a4ee8f79a0bf8ab71d3d5b915
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-mini-memstick.img) = c0645cc7cb4ef946d6565d859736c6cc64a7d78a207533c054a330b911132ef50fe62516d0cb967fd4c5dc8342c0db5f29174d8490e4e020603f3fac9e6cf3ba

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllPwg4ACgkQgZsRom/9
GI13hA//chLhjM+rMKRSRhcvOnUotoeb5Wf5NZ+WXod6TMHK5jQUrhBivvqpNeEn
6yEolaDkjep2/eYGG5flVL/PxX13JWgVShWTS7Hu3JlOxFANtzt9ckIayaaDJJRS
fhXZgn6LsZw2G8G1PmY3PnynHgB05OrVbz9vf3AFZ6gp5Ju35JNyk9ikYlMZ49Yb
lao/3evASKS6amPCZamrCjtGD0DtoZQegNCa2EjboCshEPnfPKTkTJQzS/W8RSUp
nVIHHWExdCOLW/9byGh28YqnhpKdz+UH/b14cxrM9p2pRYhhigcOcUK2uN6+qQxw
99HsO0ST5Brj3MRVRu1DyFjf5ycKrF0EiUucfD5gtju2zhmN/bNxVo2JTQaiyVcF
rLGmpe2w7Hu9q2JwFRYZQCK0pGgSCarPIfJYhpueHCll7zd1uVMdHuFo2YatvSka
CeiBvxVyXXZ2M4SlImOPLhDNVxutxrQIumzNLaTkZy3XQ5/Ts/tzidosOj1fhyos
yTwXCVRXNfgjeLCZrISA9qTwjVyMgolLCNPMeBfKwR9A0HVq35JHByu3vcCWAz9W
O//b8VCbZIMLcxSu3WtxyIOqMTgJDsov24oFRg1Lezbp/Dol1KTi7LB1qxKYik21
FJ7yt4djaUoaO2WP5IQjjhlflP3M+thz9TpUoeIQYXTw2fzR+58=
=3ZsF
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.18

HardenedBSD-11-STABLE-v46.18 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Based on FreeBSD 11.1-BETA1
  • Security fixes in nandsim (b585a6c019be3fb79ec968c327ea67190565342b) [FreeBSD-SA-Candidate]
  • Update to libpcap 1.8.1
  • Implement INHERIT_ZERO for minherit
  • Support Execute-Never bit in the arm64 pmap (edb010ea9cd5ce05e055474ade71fb8687a74eb6)
  • Enable Privileged Access Never on arm64 (44c9bb43d0bd6f6d94443c9efa27cbaf86a38825)
  • Enable EARLY_AP_STARTUP on amd64 and i386 kernels by default.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-bootonly.iso) = 5aad79d864b01c02871cf152bb1ed30d16f4f68775472034de255fbb2fcb26f7caaacb7e9ed77364201af72582b5b69fc0af55a06cc7066e061b21b9a2341b7d
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-disc1.iso) = fedf9ffae1f3be5807dd44bc2621acb574cb1cb33a5ca30459b014a3ff2a6238dadc518476ba1ed57fc8eff63bae1c28f91d78b4b6d4dab4bd19d9c276504bee
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-memstick.img) = 0ccdfa51a25b0f947743a4c1ac0b1aad1a208b69ac9a39f2063ac035fe5236b975a4f485e1f3b29965b3dc51e04168066f0e18e0e5d37c4770248e9bf7abb6ed
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-mini-memstick.img) = f5d266af8f6a275bb75ce778335342ca010cd91b2420871f96d882d2d333a51a4877c91faefa9e14f86977bcafb7aedb44629955eb871bf82eed370189e9a259

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllAly0ACgkQgZsRom/9
GI02zBAAogqk6ZrHg5I/mtBk+KX8sWlOLj0ddqyK2emQRSoVolpAhaBcZbAVxQyg
i6Crmgz1sWo5Ztt5UqrGF9+pfcfy6TwyD2qUSSbE1OyawScJaFWzqCDyCVi19Ltz
5EHP9bWJIH9m2kPs5uAHftvhywBJv9SH2wCCZXdy1W/8rLs7IAZjnK18Q1WqFJ/+
KSg80p7sZ4A++jR91cs0+Bt8U153GKspYUNB9SVZyHZUbdy8tKitic//rDXqA3ls
UcpTaBYL53WNIKIiIaVjfuNQDzXB8jDX8jXip7wNgQT+R6Nbr3PORKKuQpaTiu+p
fteIzx1CvRAsGM3N96LQmoAgjTTPBVcHR/pQV/37spP+nfQQHdJ4TkCM/x6rQCsB
VGaOSwlxGgQ+HrBfGXmKF8HcCFQH1oNKo6nQFUmaDkquAIVPLuZ14mJmN2Ke++y7
yEUml01+xeIme+o7uKMQZtyFrYQ86vjQWHPvWIIJ1MzFT8SDuLINZxWoC2LB8kWC
MY/+YCcM4cFx3KMrp3Uutp1xLv5lWs7W9cdf+P61qN8mdnPnbbqEYVDtXZ1+wUki
bxcXPZDBSiv+DxT2YbJf0x5dz9x9jPRQEzYzFHO5b1iCTsjGwJCxGiZXcSXLdJIL
rtL0bqtgbXpeKvs84fk+A1Z3ED4HN1DjjUXguFt9WWOBp2+S3f4=
=M0Ah
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.17

HardenedBSD-11-STABLE-v46.17 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Increased maximum text segment size from 64MB to 256MB
  • Added efivar and related EFI libs
  • Libarchive update
  • Add sets support for ipfw table info/list/flush commands.
  • NFS v4.1 updates
  • pf: Fix possible incorrect IPv6 fragmentation
  • pf: Fix leak of pf_state_keys
  • Fix a use after free panic in ipfilter's fragment processing.
  • HyperV updates
  • Update tcsh to 6.20.00
  • HBSD: Enable SafeStack by default
  • Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
  • HBSD: Add installation hook scripting to hbsd-update
  • Update clang, llvm, lld, lldb, compiler-rt and libc++ to 4.0.0 release
  • Merge ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-bootonly.iso) = c33cefeab424e346087fabd6d4c29dc53b41f9e93e5be285ee16430a502a57d18bcd555d119f111fbb1f68b442c3755acf2822881551113f2d0a4c9dbd1163f2
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-disc1.iso) = 929298f27adffaa672e985f695f219b4f87f4851f10fdf44e327565f3830737fdd27bb63f6441bf5cd40d7896a76e259341a3f954fadf1363eadf86d68077bb9
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-memstick.img) = f094f7c131a54b25e680e502298532ca6127c0a4da8788c088ce451494856f2cc76900aa9d0d9196d284c6e3a31de52541d8fe2e844b569a95e5517d7d521d56
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-mini-memstick.img) = e34fe6bc79bf2a019a624dbffbf52c20ee600a96baf4d85476888f8afeacc47deec1f02339430d004817ec79c049eba59b8b167ed4b81be7f2f80e6ca57bc217

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlkkROEACgkQgZsRom/9
GI2cJw/9FT32rDtODQ+JbDPczIhGmtCG7P3XB1V4i+d/5wWIDw8X0goHRfNT9vKQ
Ilg4LNEGPgkFCtL7AVyZuPUHjtO8Ut8iFOmTRQCwaoM7jtdn0DXvAy6Gc2sk5okh
9S4+050bFQCeVLYGKIcpaeIHwvFw7pW48UhTPguVJWIjx0X5LHiGDsTTq1zC5jFR
fEgvre5zRVea8AFXkFKHJVST+JBHpgfGP+00dTdAHJRezbeZs8OB5a5pCG7JkUJQ
JjZseTdYm9aWRwSmICSNFrMdcMlHemdXBn1LcvdWxi/Ix6dJ1QKoxbrsNCsoZjhL
xLnqUtfU9PpI8tHILhsU1Z7uXgWK4WjC2tc9j4AbVU+7ygfhVpjM9vPnVJB7e7FE
C0gfMz8cmTcPR7mN3YokJ6jscyoTvjkFBuHcOPSzpvNMIhlZo/EM+s2+NuqOW8zI
fq9C6Y7F592cRk/bMzpsXzPfpo+7lmHd4oDZ3JFY1hvsDmE41odcgZzcopgv2QEW
vBDAldKfHyX8sX79ZTH3KYlZZjsrhlx1zKYX4BXvW08iKoenxDdP8Eaty82qaKQN
GqeUT1i8i5mdWP4bRb4ezVz6VIjBUPfXE+PVwHDMmSBcJTpjzQQXDSp6fs+yoTTt
Py4xq9Vw5kcZm5qqpxCltUrkIvGbzHxHSZ25lywU+TZHpGbNDjo=
=YwAD
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v46.27

HardenedBSD-10-STABLE-v46.27 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fixed use after free in ipfilter (f997910e54b19e3bf30bd9f0d17885b0a90b15c5) [FreeBSD-SA-17:04.ipfilter]
  • Update to tcsh 6.20.00
  • Fixed infoleak in VFS (b0da260ac2e82e2e506ddbe6d2a04de7b0c20ef8)
  • Update to ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-bootonly.iso) = e8a2d420bb034e016418b90c874a132b3c00251386c9f433d36c4b83ef3dcd6b01fa24e931cc3936d1bd3ad04e81b6805d1738f5e00f8aec1522f435b2268ff4
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-disc1.iso) = 42a973105852dd421a1d6801559d9be0eb85fba6ca1d81f61dd6bfd956b6723c54595256ec0c9bab77270a10770290e60c6bd626dcc29c3c7645b81d08808268
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-memstick.img) = 5688f39ab6a03d869156d7c524d3addbb45986b0af50f32bf5f5920a103f1df2b7be91bfeaa4ff68be8bea13a87ef418609071d1e4ddb180b1a55386086558f9
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-mini-memstick.img) = ddfc5e345d53d3061901076845f8773acefba11b0c369a2d8282f01af88ea17d8dcd5d8126390f09c353fac92cff8c810d9a49edda13bcd53746e969b7068834
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-bootonly.iso) = 893face3761569d0e3c10f15a8bb015d400f9911eae82dcb7c39362e1a22701035e9f9b73b811fec47177e1cd300ee3002f19e671ba0a1ebf6ebc703be28b4aa
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-disc1.iso) = f440988ab3df85e1f55a04c2075916adc7ad88a370c275ec49bf512fcfbf73b9070d1f1295d3cc37208fa7ec0a906465fa41766c88ca072d5ff3110d870a1116
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-memstick.img) = 2fc89775504a814df9aadf263f91b7a34dcce9d03af753e5b68cdfbc2a33775be1aee31b2ed5783428424e4b8c07524136e896fa31ff5762996336a8923f8fb4
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-mini-memstick.img) = 834653d3631707ef36a35c499504672d931c3786645b89f69601e7f68bb7228588d7dc6caabdafd464ec350ec9a39c23165aee34aa2cbd6fbeb0448d1bab8540

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlkClXoACgkQgZsRom/9
GI0sEw/+JXEp4SgpOjUbebVvCx04HtZ2sdE4Eq81VH6+46qrGFyOdLB0N3aFFneC
ANBAl6cUTWeB2Mn/+AzBg059eJxNasXx8VzftH917d7dGj1JJ89VBgu5GjoiiM29
6io17i5PrAG7tOBeRUYyGqTCTqq7pkYEdBt/S11ccVGpjZWsZl+yr46y7MZy38OV
u/5g0lt3MBCDObgIBNHjIOw2GrAnN9mBWOfgjODK5jzl1gZ30WHmuwfiaA8n4wEP
GtXsq3umtIvUIooz6i1k2AZ84LMBfd6Jht6Z4V8j661TIk+5dWvILHEeUjarkC7l
MrJRNqrvITfrgn3sbn7oFbbclFgzuKJyFXrViOj3AIsLJhugfwy+GOyaCsN4+Qw5
sxzNYNtNCJcCumU306/OhPJaPu+a44koZdLue3eAwo9P4MwdcUagN3arj2KsfYps
CDbgzjF5jkiWjfar5Tbp2zTCMQrexDvUsI7kyjF+N1g4Tq7uA6/GBh2NY2g8tgU1
DI9Y2uFv/reQe/mwWFWRFqaEP/q+ndBNIHYn0I7K2ayPXugJnAr/rvopvmh7+X10
FrlNVHsR2F2imT/uc7wBjSc/awN64atIy65K1LgeGzPwAN/3XD6ocz15xFB6CQ8s
iFvcznlsvp3glSLWxwznivNF0yiUITML9V7YqnPW78OPIYXyfX4=
=6n84
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v46.26

HardenedBSD-10-STABLE-v46.26 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...



Warning: this is a security update!


Highlights:

  • libarchive update (f0e80d829a6d0ff8bb7a46bd3a18dd6159b14284) [FreeBSD-SA-Candidate]
  • ntpd update to 4.2.8p10 (77b785069d6eae320236013da6d95b7f5b1bed39) [FreeBSD-SA-Candidate]
  • fix signal handling (ee4124b33f70470844978d1c8e4cd6ae062ebb0a)
  • ZFS updates - for more details see /usr/src/UPDATING file
  • fix kernel memory disclosure in sys_nanosleep (bce7b617018c250761c47f5c3f108e921967f532) [FreeBSD-SA-Candidate]
  • fix NULL pointer dereference and panic with shm file pread/pwrite (b99ef16b54afe13145b759e50409e47854084552)
  • discard first 3072 bytes of RC4 keystream (c2d58806b9c8f951eb62c390161af34447d7edd3)
  • apply noexec mount option for mmap(PROT_EXEC) (662245c4d63c9acf32783194220c75fc766710ea)
  • reject userland CCBs that have CAM_UNLOCKED set (18602a4e400bd8760263fa0ca89773f59b70b3ac)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...


CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-bootonly.iso) = f4f9cd86dddd0571054bb0c4f773ff851c634e065e85226efb58c346467053bb9dc9a0ba5edb0cc30771578c1cf230f4a657793e93a5bdcba27cc4feac7825d4
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-disc1.iso) = c127f0c6f606a0d96e7a17899e3bd909db72188c1465667fe728d3f07976e5180861859b6e8eb98860d0ebaf01f60dc24a325e1b326256618bfe63c8d139a8b0
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-memstick.img) = 61b81f5efab30da279684caeea8e812fa81f8b4f58fa7b3d72340bd41bd12397ecaaaed19b087e32ab229233b0da39e9abdd0fa3fc4e5ddf055340106ba72e60
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-mini-memstick.img) = bf907e8297bd35717159361f65c6ccd5fc0f69351cf51c9fb96ce2a908a8e354ec8fecff76ce09f4e7449a8dc503a3501b8d535e99e3ad9e6d0a279530029b1e
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-bootonly.iso) = db15863f3363b82703823c9ce3b3143a3558d777f7cbb5ab6daedd855f64a005a1c966fa4aa191cfeac464f32fa8a156451fcfba367442b3dd12ab3fa7909e2d
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-disc1.iso) = 0648774e3534d2f474a7c192b69fbfaec6612438756f2a3c6f7c6a97e01c775050344b3f970ac372e5c2806b790b8da03c3ce1edc8aab5503d60f508792da5db
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-memstick.img) = a458373dc989ab1918818d64c275c6fb86be08732168560fc4451782647844bde2721f8a80640adeb09a0769878e46f2481af6bb0ca768c783d2d6d012a68215
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-mini-memstick.img) = da00f398ec94bf4da84ba362bf21a7de229fa0afc1a87ace1f6093d9c1514a6bcbaad8f8e238a736be4fe7ae19ca43dc92a387e6882f274e5181de40e5ea131e



CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAljfrQ0ACgkQgZsRom/9
GI3Rng/9EwffqI+dS55+3JfAD7GMEeIL8LJ4QKg/a2wQ+u3ZA8eb9SbHjyeGQUDF
mTK0HQq6Z2RYyNZ4j/mHb0HhOaxjJx1s+p6+V3tsLjiVbrIIyi6IYGSi9fmJAjkn
PEow75inuB4QcMC3tQhUrynUYBnKc5lS7drpJ0odLQuOFHED9H4Wqx77l5wFIqIs
Ga9wTJLjuKm3XRJJ2mECSEB17jbKroFWEEQN/qlfkFMpufFkJdC9wpAO3aRuRd4h
19dg+FJI2ljPS6PWMp2pHjIEPEIQkstFb/d0Hr8AJu/43g8Cno0eq9ClhORsIGLG
WGwXe9GhQgzjAw6zIXHoyNxTdN7QSzja+hJHN+1h+qWo3HcJqQk8USsKC3z2Gg6/
0TaCEPHV31Pn9vNqTrAHepV63GACRNvP3aCiiKXcsys1HPj0WrMDaBc2gpDlEo4k
bKTHT3s4I8fUsYjgIdm+5xzXUodvMoz1hb8dISBZAI4bV7kae7aJw97B9hv3kZyM
tf0TgEQ+o+Oi5OiDY9wFjmPafLsgHdYAKypcbrE9g5yJx6kmqU37j/g5fXovacew
ZsPNxTCDxuL0pcgRQwQbIJNPAEsJsb9lHEzGpet4rlSHBJguutrddXpNr3cIVPYP
xSSO7QT0c+NEc28EpvlQiZL3GBfN4WIgO1IqmPbV6NNZxH6AlCY=
=hAYR
-----END PGP SIGNATURE-----


Stable release: HardenedBSD-stable 11-STABLE v46.16

HardenedBSD-11-STABLE-v46.16 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update!

Highlights:

  • update to ntp 4.2.8p10 (9e55018b05bf06a66cff34b38d0513f3e6ce1693) [FreeBSD-SA-Candidate]
  • possible kernel memory discolsure in sys_nanosleep (5e396452e4053c6aecb09fcbd6219d90c350c095) [FreeBSD-SA-Candidate]
  • updated IPSEC subsystem (e6fbe68844bdd64b17c07bde1f7367c92c0ec9d9)
  • fix NULL pointer dereference and panic with shm file pread/pwrite (7169011bf02f04f1750bf7163e144b30eae0c21c) [FreeBSD-SA-Candidate]
  • update to libarchive 3.3.1 [FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-bootonly.iso) = c07a2ce93b810f69e6ca9d2c6ad3f6ce1618317c5e4719ac8b3b0fc99f3eba988537b92dee9ea42224c7c011d9ee6897ada8d3c86ff752db2dec5285e7034f35
SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-disc1.iso) = f300998e24f7d1404a74f1d8583c7b2442f484ef87747024cdb41bb6f35443f7e7d4b219372e4b3cdc473e8b579aa4c6d7fe94978e71c56783b3266147de0695
SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-memstick.img) = e80ab66255bb2afd921587b025dc82cfd8970db05fe29ad56e634ce5bacf1106f6f94c1efd8c3251ba3f1fe7442e01f9b45da541d9b2f08b2c8807c9d1a60098
SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-mini-memstick.img) = a15e4056a1c7abaf8533760eb81c19b8c557d1e2b07fdcfcf71ad108f574e1001595aac30693be774af1696d17dd1737e1be739eb05bdb084472d4db9cf87628

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAljdDzoACgkQgZsRom/9
GI1DMQ//TmuA+ThkCqRzOY71AqcKlxYtppaF/SBfadM5M2gTYjhvtBQDQFUDA195
IF+iJy1qqKXHWLShDvZk+szcmrluqwjssCL/CYiCTj0Eym/N3yFttZ9OLTT3sf9s
WlaX+JqJhGG18jwhXS3CEovUTOzd6Q1nFCEaQiEJiuToj3CKFowIb0pr8fDideD/
MwX37eG2gRnGcYJCSWdf+rUpKUTzJk00aY8qr4QhW4Muy5zh8xMQghb50LtmDK6p
V7w2GqFDIeoIOQjp20AHSo5GHPUO2kaHF7DZP4a/GAxl2iPgAnkm+vn16mVtaCQQ
EcL2L3BayDlsOL5YC15wxIMiXm3uDyvAXYG/eV+qENPBC1bSBWgE3VIJz074cSSE
hYnglK7kwGxjZieOW6j8nJIO1IZ7lxTP1guoeB+vKm+jdb+ROPYjkYZVcOj/A4zW
pP2XoYmysrbKBIHcfJ0wZieTToQQEOXkFV9ZHfCwLaElYhEkXzgDC4v7XrdV5eAK
drp8ax0FwHUrXuEYx4wU4OnEFG/RbgAR3Y4ax+2s9wxph+sIRf+eyZ4Sgb5GbYNt
CqMoCneYtAUP9+zO3H4vVouOxSWZpbMqDrVGgpO5h2HM0SB520EXBwjDF7xRr/Pr
rSTyLqnLx4E2U8eUgBYsZmVqp5ehY+CBSbRwWZRubRrF3k6cYIw=
=T6HA
-----END PGP SIGNATURE-----

HardenedBSD Through Tor Hidden Service

HardenedBSD is pleased to announce the availability of its site, package repositories, and binary updates through a Tor hidden service. Please note that at the moment, this is considered experimental and the onion hostname may change. We'll keep this page updated if it does.

For pkg, replace /etc/pkg/HardenedBSD.conf with this configuration file:

HardenedBSD: {
  url: "http://t3a73imee26zfb3d.onion/HardenedBSD/pkg/${ABI}",
  mirror_type: "http",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

And for hbsd-update, replace /etc/hbsd-update.conf with this configuration file:

dnsrec=""
capath="/usr/share/keys/hbsd-update/trusted"
# NOTE: Replace the branch variable with whatever branch you normally use. Check your existing hbsd-update.conf file.
branch="hardened/current/master"
baseurl="http://t3a73imee26zfb3d.onion/HardenedBSD/updates/pub/HardenedBSD/updates/${branch}/$(uname -m)"

Stable release: HardenedBSD-stable 10-STABLE v46.25

HardenedBSD-10-STABLE-v46.25 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fix null pointer dereference in zfs_freebsd_setacl() (8f4efc7cdfd6b31d9fd7d4cf5e1b73a6b9da7491) [FreeBSD-SA-Candidate]
  • Libarchive update
  • HBSD: add our first mirror: fr-01.installer.hardenedbsd.org Roubaix@France
  • zlib update to 1.2.11

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-bootonly.iso) = 244df54c943c52dc9d97ee0d253a06d99b78a3c6916c3361526446a1d3846cb5059e54b9b1393e0184bcfd714ffbf60ece495cbfd9277e4aa99c39b8a52f1c9f
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-disc1.iso) = 888af8fa7f2e000d474459b08b2f281260252a2aab28d0ca5bad33a8d67e931dd266098c0d6f01504b195ad8252dec8a138abf098b989037167e69948e7bfd4d
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-memstick.img) = 3bf56a556d7692f77fc68d5c6b707351111aadf8334a3fb9d14506b4b8d73cfc96289260deae9367f23482490147a27450ff99762bd4fe45333e51e33bad45db
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-mini-memstick.img) = 098bb76dd195837a409b2c86cab00f6fd22e41c457d471521a0dcfd97f1e68966dcea981dea839827d0890ab7ceded9057bcbf99108c85b8f996e4ad424975da
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-uefi-bootonly.iso) = f12dd735eba76b64aac9e101a62c32768b5d53c48b924860aa46cec43be8e62776659c245b884b94f9c3a175da9ffa82b1c349c5cb2118d7f96e4abce3f26fb4
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-uefi-disc1.iso) = 124675b8abf436e050d5a569a977a23e9df170089cd50bd3b50f9c5bca66310b031203e8cae85f1a940815a4d076252104414cd49b697cc9b91a39681864fe8a
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-uefi-memstick.img) = ee67fcf91a503d508e4344319b788f7d08687b9d9672da929586a473baa1e9cac97004993ffd3f124d51ff5707d6193e3886299fa652de7ef8db7d6523cecbe2
SHA512 (HardenedBSD-10-STABLE-v46.25-amd64-uefi-mini-memstick.img) = 13853f2e931490bfbf84b1cc92e2465504e090b40584c57e233ea875c2b6ba15c209ced66ad9cc9c6898d419389964bbc9b8ad10e0251e243514d39fb397bc14

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAli+FWAACgkQgZsRom/9
GI1n+w//bLHitlrVuG42B9sZE4fCElNHVZxlljrMMaw98/QaMlAOhzsO3WTm4hhW
KR5HJ+zXTRQan5qp1e+MclJ+acAb52x7hmrHDwd1RK5dcX7sao577vLxK7fCtahU
xhiw08074+0iZ8cH8L4YPUJJFLiiJbsZPTjWlfIR2f/o2WW4awCFiswEq6Hw6kqf
A2kR/D7vPgAERsBnZO+sfSiYxwOl9PdbFreXrfpqczWLFS/5cI+EO5l5NzkMuIMQ
djMOLVz8WpJSflvI7SRzd5580AwxdV1umvHJ55eoT8oLKSOdCFMl74IKFVaNOh1h
ZgOAlPXaVvIdDNLQ6i/+Gd09VRnWk9li2IiMvjd+b15xbQfSFLoO4RwnNO8ODlIR
0ZYIG39LOl6AJGS7s9GfWX5Gn33yITk+t40Zk2Jhv+ysVbjs1whcpOBZuVpGLwbP
Zq2YlyQVGodRewo2ft0/wpGmOkqWTqBcDTHxnRqYBVyNuW56BVyOQyJbX2h2HdV3
qifOUJp1QBnQqex3DwZ9p2XbZdeG6LWwRVVEtq0WV6ft5VHMOrKPGbGU1Q1QEYNK
VBUMG3IB7IM6XKNKPcHK6MdPjiIhsp7T0dcypXfHXyBsEaQKjcF9Xmwq/zKNQjzF
YCGr2SNoGzbOgtGsws07p9uTLySyMRbY5el+ijT3u4rJhstowpw=
=CSFS
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS