Stable release: HardenedBSD-stable 11-STABLE v46.18

HardenedBSD-11-STABLE-v46.18 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Based on FreeBSD 11.1-BETA1
  • Security fixes in nandsim (b585a6c019be3fb79ec968c327ea67190565342b) [FreeBSD-SA-Candidate]
  • Update to libpcap 1.8.1
  • Implement INHERIT_ZERO for minherit
  • Support Execute-Never bit in the arm64 pmap (edb010ea9cd5ce05e055474ade71fb8687a74eb6)
  • Enable Privileged Access Never on arm64 (44c9bb43d0bd6f6d94443c9efa27cbaf86a38825)
  • Enable EARLY_AP_STARTUP on amd64 and i386 kernels by default.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v46.17

HardenedBSD-11-STABLE-v46.17 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Increased maximum text segment size from 64MB to 256MB
  • Added efivar and related EFI libs
  • Libarchive update
  • Add sets support for ipfw table info/list/flush commands.
  • NFS v4.1 updates
  • pf: Fix possible incorrect IPv6 fragmentation
  • pf: Fix leak of pf_state_keys
  • Fix a use after free panic in ipfilter's fragment processing.
  • HyperV updates
  • Update tcsh to 6.20.00
  • HBSD: Enable SafeStack by default
  • Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
  • HBSD: Add installation hook scripting to hbsd-update
  • Update clang, llvm, lld, lldb, compiler-rt and libc++ to 4.0.0 release
  • Merge ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 10-STABLE v46.27

HardenedBSD-10-STABLE-v46.27 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fixed use after free in ipfilter (f997910e54b19e3bf30bd9f0d17885b0a90b15c5) [FreeBSD-SA-17:04.ipfilter]
  • Update to tcsh 6.20.00
  • Fixed infoleak in VFS (b0da260ac2e82e2e506ddbe6d2a04de7b0c20ef8)
  • Update to ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 10-STABLE v46.26

HardenedBSD-10-STABLE-v46.26 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • libarchive update (f0e80d829a6d0ff8bb7a46bd3a18dd6159b14284) [FreeBSD-SA-Candidate]
  • ntpd update to 4.2.8p10 (77b785069d6eae320236013da6d95b7f5b1bed39) [FreeBSD-SA-Candidate]
  • fix signal handling (ee4124b33f70470844978d1c8e4cd6ae062ebb0a)
  • ZFS updates - for more details see /usr/src/UPDATING file
  • fix kernel memory disclosure in sys_nanosleep (bce7b617018c250761c47f5c3f108e921967f532) [FreeBSD-SA-Candidate]
  • fix NULL pointer dereference and panic with shm file pread/pwrite (b99ef16b54afe13145b759e50409e47854084552)
  • discard first 3072 bytes of RC4 keystream (c2d58806b9c8f951eb62c390161af34447d7edd3)
  • apply noexec mount option for mmap(PROT_EXEC) (662245c4d63c9acf32783194220c75fc766710ea)
  • reject userland CCBs that have CAM_UNLOCKED set (18602a4e400bd8760263fa0ca89773f59b70b3ac)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v46.16

HardenedBSD-11-STABLE-v46.16 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update!

Highlights:

  • update to ntp 4.2.8p10 (9e55018b05bf06a66cff34b38d0513f3e6ce1693) [FreeBSD-SA-Candidate]
  • possible kernel memory disclosure in sys_nanosleep (5e396452e4053c6aecb09fcbd6219d90c350c095) [FreeBSD-SA-Candidate]
  • updated IPSEC subsystem (e6fbe68844bdd64b17c07bde1f7367c92c0ec9d9)
  • fix NULL pointer dereference and panic with shm file pread/pwrite (7169011bf02f04f1750bf7163e144b30eae0c21c) [FreeBSD-SA-Candidate]
  • update to libarchive 3.3.1 [FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

HardenedBSD Through Tor Hidden Service

HardenedBSD is pleased to announce the availability of its site, package repositories, and binary updates through a Tor hidden service. Please note that at the moment, this is considered experimental and the onion hostname may change. We'll keep this page updated if it does.

For pkg, replace /etc/pkg/HardenedBSD.conf with this configuration file:

HardenedBSD: {
  url: "http://dxsj6ifxytlgq33k.onion/HardenedBSD/pkg/${ABI}",
  mirror_type: "http",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

And for hbsd-update, replace /etc/hbsd-update.conf with this configuration file:

dnsrec=""
capath="/usr/share/keys/hbsd-update/trusted"
# NOTE: Replace the branch variable with whatever branch you normally use. Check your existing hbsd-update.conf file.
branch="hardened/current/master"
baseurl="http://dxsj6ifxytlgq33k.onion/HardenedBSD/updates/pub/HardenedBSD/updates/${branch}/$(uname -m)"

Stable release: HardenedBSD-stable 10-STABLE v46.25

HardenedBSD-10-STABLE-v46.25 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fix null pointer dereference in zfs_freebsd_setacl() (8f4efc7cdfd6b31d9fd7d4cf5e1b73a6b9da7491) [FreeBSD-SA-Candidate]
  • Libarchive update
  • HBSD: add our first mirror: fr-01.installer.hardenedbsd.org Roubaix@France
  • zlib update to 1.2.11

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Introducing CFI

Control Flow Integrity, or CFI, is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation. Clang's CFI is stronger than Microsoft's CFG and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patent-pending.

HardenedBSD is excited to announce the integration of Clang's CFI into base. CFI is enabled by default in HardenedBSD 12-CURRENT on amd64 and can be disabled by setting WITHOUT_CFI in src.conf. CFI is not applicable to architectures other than amd64, though Shawn is working on porting SafeStack to arm64.

Clang's CFI requires a linker that supports Link-Time Optimization (LTO). On 02 March 2017, version 4.0.0 of the lld linker from the llvm project was imported into both FreeBSD and HardenedBSD. lld 4.0.0 is the first version of lld that is usable in base and provides HardenedBSD with a linker that supports LTO. We have been working hard over the past few months in developing and testing the integration of Clang's CFI in HardenedBSD's base. All CFI schemes have been enabled for all of base in HardenedBSD 12-CURRENT/amd64, with the exception of the cfi-icall scheme for a handful of applications. It is possible that we may need to disable the cfi-icall scheme for more applications and we'll need to rely on our user base to identify edge cases. Any application that calls function pointers resolved via dlopen+dlsym will require the cfi-icall scheme to be disabled.
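The dlopen+dlsym limitation described above, shown as an added C example (not HardenedBSD's or Clang's own code). The names local_abs, call_checked, call_unchecked and resolve_abs are illustrative; the no_sanitize attribute is Clang's per-function opt-out, shown here as a narrower alternative to disabling cfi-icall for a whole program.

```c
/* cfi_icall_demo.c - added example; all function names are illustrative.
 * Build with the scheme enabled (needs an LTO-capable linker such as lld):
 *   clang -flto -fvisibility=hidden -fsanitize=cfi-icall cfi_icall_demo.c
 */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef int (*abs_fn)(int);

/* Defined in this binary with the exact prototype of abs_fn, so under
 * cfi-icall it is a valid target for any abs_fn call site. */
int local_abs(int v) { return v < 0 ? -v : v; }

/* Instrumented call site: cfi-icall verifies fn before the call. */
int call_checked(abs_fn fn, int v) { return fn(v); }

/* Clang's per-function opt-out; for other compilers the macro is empty. */
#if defined(__clang__)
#define NO_CFI_ICALL __attribute__((no_sanitize("cfi-icall")))
#else
#define NO_CFI_ICALL
#endif

/* Uninstrumented call site, reserved for pointers that come from dlsym(). */
NO_CFI_ICALL int call_unchecked(abs_fn fn, int v) { return fn(v); }

/* Resolve libc's abs() at run time instead of linking against it. */
abs_fn resolve_abs(void)
{
    abs_fn fn = NULL;
    void *sym;
    void *handle = dlopen(NULL, RTLD_NOW); /* main program + startup libs */

    if (handle == NULL)
        return NULL;
    sym = dlsym(handle, "abs");
    /* Copy the object pointer into the function pointer without a cast. */
    memcpy(&fn, &sym, sizeof fn);
    return fn;
}

int main(int argc, char **argv)
{
    abs_fn ext = resolve_abs();

    (void)argv;
    if (ext == NULL) {
        fprintf(stderr, "could not resolve abs via dlsym\n");
        return 1;
    }
    printf("local target, checked call:   %d\n", call_checked(local_abs, -7));
    printf("dlsym target, unchecked call: %d\n", call_unchecked(ext, -7));
    if (argc > 1) {
        /* Any argument takes the path that cfi-icall rejects: the target
         * lives in libc, outside this binary's set of known abs_fn targets,
         * so a CFI build traps here; a non-CFI build prints 7. */
        printf("dlsym target, checked call:   %d\n", call_checked(ext, -7));
    }
    return 0;
}
```
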

At this time, we have not applied CFI to shared libraries (aka, cross-DSO CFI). We are working on cross-DSO CFI support in base, though a few core modifications will need to be made. Upon initial investigation, we need to make llvm-ar and llvm-nm the default ar and nm and we need to build the libclang_rt.cfi static library. Once we gain that support, we should be able to enable cfi-icall across the board. Just as with SafeStack, cross-DSO CFI requires both ASLR and W^X in order to be effective. If an attacker knows the memory layout of an application, the attacker might be able to craft a data-only attack, modifying the CFI control data.

As of this writing, the following applications have cfi-icall disabled:

  1. /sbin/md5
  2. /usr/bin/less
  3. /usr/bin/mail
  4. /usr/bin/top
  5. /usr/bin/tsort
  6. /usr/bin/vi
  7. /usr/sbin/bhyveload
  8. /usr/sbin/pwd_mkdb
  9. /usr/sbin/sendmail
  10. /usr/sbin/services

Stable release: HardenedBSD-stable 10-STABLE v46.24

HardenedBSD-10-STABLE-v46.24 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • kyua updates
  • libarchive update (d7477941dbaca1a8f2916a367c2926e5fd74c7e6) [FreeBSD-SA-candidate]
  • hbsd-update improvements (a999c2ec59793a37e6735fa71854287e5921be25)
  • uipc related backports in kernel
  • tmpfs improvements
  • force disable Intel SDBG on HardenedBSD (28e49bc844977cee7afdb388482216378595eb2f)
  • xz update to 5.2.3 (76a56147f47a4e614999c919abd680746d455bfb)
  • openssl security fix (a12ba8665d8c2f94852d5f819104a9a69bc4c8b7)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v46.14

HardenedBSD-11-STABLE-v46.14 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • update to OpenSSL 1.0.2k (4aed7e4ccd53660aa6e7f0b024a4ce55a3227abc) [FreeBSD-SA-candidate]
  • disable Intel's Silicon Debug capability at boot time (0ea6d983779e624ab8949a1f6dce9c8f5d69f620)
  • update to xz 5.2.3 (30cbb6108bcfbff283ed03041ab29062a73117aa)
  • Force -fPIC when building PIEs (c64a53fe268b34bc0dac7fccdb7e150e74afa524)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:
