I've been working today on deploying Tor Onion Service v3 nodes across our build infrastructure. I'm happy to announce that the public portion of this is now completed. Below you will find various onion service hostnames and their match to our infrastructure.

hardenedbsd.org: lkiw4tmbudbr43hbyhm636sarn73vuow77czzohdbqdpjuq3vdzvenyd.onion
ci-01.nyi.hardenedbsd.org: qspcqclhifj3tcpojsbwoxgwanlo2wakti2ia4wozxjcldkxmw2yj3yd.onion
ci-03.md.hardenedbsd.org: eqvnohly4tjrkpwatdhgptftabpesofirnhz5kq7jzn4zd6ernpvnpqd.onion
ci-04.md.hardenedbsd.org: rfqabq2w65nhdkukeqwf27r7h5xfh53h3uns6n74feeyl7s5fbjxczqd.onion
git-01.md.hardenedbsd.org: dacxzjk3kq5mmepbdd3ai2ifynlzxsnpl2cnkfhridqfywihrfftapid.onion

A GPG-signed version of this post is here: https://groups.google.com/a/hardenedbsd.org/d/msg/users/hmEL0qAE3J8/mLjs...

We at HardenedBSD would like to wish the community a happy end to 2019 and a joyful beginning to 2020.

Just today, we finished putting all the pieces in places to migrate away from GitHub. HardenedBSD's build infrastructure is now fully self-hosted. We plan to make the repos on GitHub read-only by the end of January.

We will still maintain a presence on GitHub. The repos will still live on at GitHub. However, they will be a read-only mirror of our self-hosted source-of-truth repository at git-01.md.hardenedbsd.org.

Going forward, please file bug reports and pull requests at our Gitea server: https://git-01.md.hardenedbsd.org/

We will likely make a more appealing subdomain (perhaps git.hardenedbsd.org) later. We'll keep everyone updated if/when we do.

We will update our site accordingly soon. Happy holidays and we hope the community enjoys this little end-of-year gift. :-)

We at HardenedBSD have a lot of news to share. On 05 Nov 2019, Oliver Pinter resigned amicably from the project. All of us at HardenedBSD owe Oliver our gratitude and appreciation. This humble project, named by Oliver, was born out of his thesis work and the collaboration with Shawn Webb. Oliver created the HardenedBSD repo on GitHub in April 2013. The HardenedBSD Foundation was formed five years later to carry on this great work.

As I rebuild the HardenedBSD build infrastructure, I will be performing the following user-facing changes:

1. The hardenedBSD-STABLE.git repo will be archived off. HardenedBSD will still utilize the hardenedBSD-Playground.git repo for collaboration with third parties and extremely experimental code.
2. We are slowly transitioning to being fully self-hosted. It is my goal to complete the transition on or before 31 Dec 2019. This means we will stop using GitHub altogether.
3. Downgrading 11-STABLE to community support. Given all that's on my plate, I can only maintain 13-CURRENT and 12-STABLE right now. Therefore, if the community wants 11-STABLE support, the community will need to provide it.
4. git commits performed by our infrastructure will be signed by our dev key. Think: our auto-sync scripts that run every six hours.

Now for random bits of other news:

I am currently working on getting the sync scripts running on the new infrastructure. I'm not too far off, but it will likely take around another week to re-enable the auto-sync.

Our amd64 package builder is experiencing stability issues. Due to some upstream network changes, some packages are failing to sync. Our package repos for 13-CURRENT and 12-STABLE are woefully out-of-date. I'm actively working on this as time permits. I have no ETA for updated repos.

Ben La Monica from The HardenedBSD Foundation is looking into LDAP/Kerberos integration for our infrastructure. We're looking to unify everything in order to enable finer-grained control of our infrastructure along with easier centralized management.

The new build scripts are coming along very nicely. One last change I need to make is to skip the build if no commit happened between the last build and the freshly started one. With commit https://github.com/HardenedBSD/build/commit/7aa3f2f3617db85727ac679ddc62..., the build scripts now track the revision of the source tree. This can be used to check whether there have been any updates since the last successful build.

By the end of November, I hope to turn the build scripts into a port/package. It is my goal to be able to `pkg install` our entire infrastructure.

Given the complete rebuild of our infrastructure, we will no longer use the domain installer.hardenedbsd.org. Our primary mirror is now ci-01.nyi.hardenedbsd.org. I will update our website to reflect the changes.

To our mirror operators: due to the complete rebuild of our infrastructure, I have not yet re-enabled rsync on our primary mirror. I will be taking a different approach to authentication than before. I will provide example steps to convert your existing configuration to the new one.

I'm excruciatingly behind with the administrative side of HardenedBSD. If you have donated and I have not reached out to you, please forgive my tardiness. Know that you're not forgotten and I will get to you soon. HardenedBSD, and especially me, appreciate every contribution, no matter the form it comes in (code, money, advocacy, etc.)

Lastly, I'd like to thank everyone for their patience. I know this downtime has been extensive. I'm grateful to have the opportunity to serve the community in my spare time. Thank you for providing me the opportunity to serve you.

HardenedBSD-12-STABLE-v1200059.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

• MFC r349800,r349801: Fix misc fs fuzzing issues. (abeb80bc5ee82a9a96da492c241fcbe91ad3e22b) [FreeBSD-SA-Candidate]
• MFC r349802 (from fsu@): Add additional check for 'blocks per group' and 'fragments per group' superblock fields. (fcbcaebd25f0e43b12eb6b7b8302730153258350) [FreeBSD-SA-Candidate]
• MFC r347695, r347696, r347697, r347957, r349326: Lockless delayed invalidation for amd64 pmap. (388f0c181108947d84d1233cc47b24024bd410e7)
• MFC r349880: Let linuxulator mprotect mask unsupported bits before calling kern_mprotect. (bc326df65733684bc27deb22858a39981dd6b854)
• MFC r350260: mqueuefs: fix struct file leak (bcc86242833757585d3c8b9663d8e9c55f8ed3ff) [FreeBSD-SA-19:15.mqueuefs CVE-2019-5603]
• MFC r350244: bhyve: correct out-of-bounds read in XHCI device emulation (04ce7e77c7a5db5aed779d54632b9b19ed0ba9b0) [FreeBSD-SA-19:16.bhyve CVE-2019-5604]
• MFC r350156: Fix leak of memory and file refs with sendmsg(2) over unix domain sockets. (19e53c56013af9f42f2e6177da6c6451c44156a4) [FreeBSD-SA-19:17.fd CVE-2019-5607]
• nand: create device with 0640 permission (88f580f1ce2c81ab9c16df41fc9edf987cf5e792)
• MFC r349890: telnet: fix a couple of snprintf() buffer overflows (7e735c9feedada921a291c023836b26b6547d032) [FreeBSD-SA-19:12.telnet CVE-2019-0053]
• MFC r349733: Defer funsetown() calls for a TTY to tty_rel_free(). (4c06d4c0cc403122e743fc35e2f5fdefedb562b1) [FreeBSD-SA-19:13.pts CVE-2019-5606]
• MFC r349834 Ignore kern.vt.splash_cpu without graphics (b9fd7203ae04df3457cd5c4aca370de6b4ba3646)
• MFC r349581 netmap: fix two panics with emulated adapter (2672ab35fd1ea58da0a7dcad23925d977425ac1e)
• MFC r349913: Ensure that mds_handler always points to a valid method. (c411b3266a9f97903667e7ab70fcb1a4a26f977a) [FreeBSD-EN-19:13.mds]
• MFC r349876: Apply a workaround to be able to build clang 8.0.0 headers with clang 3.4.1, which is still in the stable/10 branch. (4453d146f0d636f8108822c3ef898c73adfdea46)
• MFC 347238: vmm(4): Pass through RDSEED feature bit to guests (e64222ca6e6aac4bbba4e56ccfb6b136c71ec5d6)
• MFC 339911,339936,343075,343166,348592: Various AMD CPU-specific fixes. (2c0a81ad596517f49c5069ce32d1ec6754dc0e4a)
• MFC r349753 netmap: Remove pointer leakage in netmap_mem2.c (b158d710d859111d1370c945ac79f250750cffeb)
• MFC r349527,349538: Sync libarchive with vendor. (2767b0a23c9249e482b7c9681cac0cce5d832bf0) [FreeBSD-SA-Candidate]
• cxgbe updates
• libbe updates
• bhyve updates
• LLVM and Clang updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-bootonly.iso) = 825d5f5ac4aae2e7146984d4f267dbb235b72ec4d87037227a44474172d1665976c8cd21a58c2fd5b661a799aee861f3c7e99e25c5a13851fbff76ff9925e1ec
SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-disc1.iso) = 517554a50ae942a5689b063188fd2b15fcadd3cf6cd890953072d1e949936a5134fcaee57fbcdac3a2b7f095f90957e9bc62e6962f1e5087218231758c54000f
SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-memstick.img) = 6dc3d2b2ffb7d74798b24c5d56cdeea0bad48630a26c5c69ed94f95d9a0e622486d81a44d6fd6823e4944c9b957da2c122f4c741229ded2120200e765213adf9
SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-mini-memstick.img) = 1e7c2e6c64d0fcb6687e15fb8f6efe313891a69532f806f8bb1dee333a1b07b8de0d217532c2be41d9459c7b7148efaec469ccf3993385396721c7b4756ee947

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAl0+XtoACgkQgZsRom/9
GI1fSg//eyKb4hpWHplMFgge6EsKzbpnwDUSmTTQ8jnT2oShRoOPJsveRsG3rmln
XUb2mOYm+xDptKzk+EounQbbz99i/BsPJ6TgPoWImhVfGKgFvzfb39BCLyzIaYC2
EiunpoyqpjVnfAYlE9lxea4gPaCZDQTk66uDQHpw0ccXZBV7rh3iM9AWxoftNGke
t3+KOjtLcuDIBtJY7PrE1LCvaQQF6WHmA9s723fjonzVslKZybJckfa3+ABFBDpk
YNZcpK8dUfM0+GniyjHuXppFzHu11I5hoxEapMsgysg4sqUOyzc11N42L5eN86SO
STqAuwJWJm7SYKI5kJPRKYLQNO0b1xKpv4VuJ1NvjRd936HrCETCRZ82WJIgCx6E
lZPasAdNZjqWBxm6LpJFmujqeVjFfdIqTxg1tlYPWXyqNJFJIlgJMHLj3shfnqbq
d2oodVCwJ4cj++V5Vi9erTWJMI7Q2jXqBIYW0lyTRyXatbs1as9XoXLxC1nI3WML
YB3kxbOIyJUAm67wtp4yrS8dkGRIWbNKitWE0mjl3zrmb7oPM0o3MY6Ej1yvk+bV
XHAafX/QW2xv+HNTrcSnkWZdbqVXFdZ9SqXeo0p6piTtpWyInDuQosj0RZgSxTYZ
YCzQNykEC7adikHafAJc6YfQXfM4Pyv617tS9dpVvR8mxRGgHig=
=Yfhd
-----END PGP SIGNATURE-----

HardenedBSD-12-STABLE-v1200059 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

• MFC r348167, r348168, r348359, r348361: Add posixshmcontrol(1) utility. (a6d485ce245aa9798f9e402c446010f26ab974ba)
• MFC 347033: Increase the VirtIO segment count to support modern Windows guests. (8fb552d38dcee4f17df31d13ac823568a76c5988)
• MFC r348052: NDFREE(): Fix unlocking for LOCKPARENT|LOCKLEAF and ndp->ni_dvp == ndp->ni_vp. (7b981e827b29bdf244f703e789cb02e6a37729b9)
• MFC: r348340 Merge OpenSSL 1.1.1c. (c7f23c34d5a527b166b59c18affdf950c00f454e) [CVE-2019-1543]
• MFC r346630: Add GRE-in-UDP encapsulation support as defined in RFC8086. (fdaf572e031362aef90f3c22f9b9047d11e9d545)
• MFC 346649: Don't panic for empty CCM requests. (71cf38a72587fcb47855679e4d7cb03d0bae610c) [FreeBSD-SA-candidate]
• MFC: r347960: bhyve virtio needs barriers (7532fd50c7e8c7f5ccd2f115a4dc4c4cf5ea0f62)
• MFC r347698: amd64 pmap: sysctl vm.pmap.pcid_save_cnt should be read-only. (330c65332bc1b5aabee212304b2a35ba45542650)
• MFC r347216: amd64: fix BUS_SPACE_MAXSIZE to 64bit max value. (489fe9b7411487422c33302cdbe2eb48b8bd6b90)
• MFC r347570: Specify -z notext when building with -z ifunc-noplt. (3d54d872091ac7fec0390e283884a4a685a4a301)
• MFC r343985, r344133, r345273 (by bde): Prevent overflow for usertime/systime in caclru1(). (6fc6ab1b7187c5fb8fa31d10c8822f4603768ba5)
• MFC r346647: [acpi_ibm] Add support for newer Thinkpad models (28e53eb78bba63e7cd921faf4898378824a8d8d4)
• MFC r347368: x86: Put other CPUs into tight loop when updating Intel microcode from loaded OS. (743eb89b18e3724d8e168b6f6eda45a5c018c78a)
• MFC r347566: Mitigations for Microarchitectural Data Sampling. (912787467fb48024d8780b3531318feeff1bbbdd) [FreeBSD-SA-19:07.mds CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091]
• MFC r347133: arm64: Properly restore PAN when done with userspace access in casueword. (e939702ff316aafb6dc3a5e37ffed3a7ef29d536)
• MFC of 347064, 347066, and 347130 Avoid leaking kernel stack when creating directory names. (0775f68d9024850d97a2384d89aff0916617996b) [FreeBSD-SA-candidate]
• MFC r346594: Add ATA power mode support to camcontrol (fb397ee57c8c08365ddea8b35e1ae619d1674dab)
• MFC r346602, r346670-r346671, r347183: tun/tap race fixes (e42a63a0bac36aaf468f1ab6042f3f3b208087c5)
• HBSD: Add userland plumbing for SpectreV1 mitigation (0eda8358d017fdfa6cf841e0a5918e8674712042)
• MFC r347139: MFV r347136: Update sqlite3-3.27.2 (3270200) --> sqlite3-3.28.0 (3280000) (937edc9caae05881949f1d5adec523a8943c49ae) [CVE-2019-9937 CVE-2019-9936]
• MFC r346990: Fix another race between vm_map_protect() and vm_map_wire(). (b306eea91bcace5bd60b1c25f1a5b625a2226d1b)
• MFC r345576: Merge r345574 from vendor-crypto: upstream: when checking that filenames sent by the server side - ssh (4594eb5f8ed47dff8bdb1e555bdc26ec8448f454)
• Zero out the file directory entry metadata to reduce disk scavenging disclosure. (f9cd4e1d3edf4a05a109839fc4338b9e7a6b5a8e) [FreeBSD-SA-candidate]
• HBSD MFC: This update eliminates a kernel stack disclosure bug in UFS/FFS directory entries (81b3a31ed35e05be964abad7374080e8b010a780)
• MFC r345525: Fix a double free of an SCTP association in an error path. (4350926df0301958d0879d93b510e0c8eeb08799) [FreeBSD-SA-candidate]
• MFC r345461: Limit the size of messages sent on 1-to-many style SCTP sockets with the SCTP_SENDALL flag. (b1fb067d0a1dcab555fb5859f174e218c9ccab0b)
• MFC r345797: Add IPv6 transport for bsnmp. (ceaff709e86a05afb78e8ef0e13ca3dd93c89918)
• MFC r341759, r341796, r341839, r341989, r346591: The following five MFCs update wpa 2.6 --> 2.8. (7494a812d27d369b1105029fceca079471d684f6) [FreeBSD-SA-candidate CVE-2019-9494 VU#871675 CVE-2019-9495 CVE-2019-9496 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499]
• MFC r345830: Create kernel module to parse Veriexec manifest based on envs (d4e7b8af8c3f2f5c222ab5fa49a6fccebec367b0)
• MFC r345438,r345842,r346259,r346261: TPM as possible entropy source (12443d58f92f94d7e28f728696d4d189059e99e0)
• MFC r342084,r342251,r342271,r342285: Introduce TPM2.0 driver (f036b474dc4bec6645039497beabcd97fe2b83c0)
• MFC r344840: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation (d0a2db0d1fb36f25c570e27238a6e0d76fb42d4b)
• MFC r345966, r345968: Implement devctl(8) command 'reset', using DEV_RESET /dev/devctl2 ioctl. (3992f8af9955f7de08d08dfe02da8d4ac5cebf3d)
• After r346168, also merge build infrastructure for LLVM libomp. (3f18402bc61b71a85aac995ef1a77454ea453939)
• MFC r345425, r345514, r345799, r345800, r345803, r346157: Enable tmpfs rw->ro remounts. (98f1fb40da548d1278689d4c7bfc1e304da2510f)
• MFC r345293: Update NAT64LSN implementation (cab22fce3d77d127c205601140c959bd8ab2e8af)
• Revert r344898 (by kib), now that clang 8 has been merged (61688088d29805ea68449a8c443b4be2e8adaa4d)
• Merge llvm, clang, compiler-rt, libc++, libunwind, lld, lldb and openmp 8.0.0 final release r356365. (37e0a32cb919afa1ddf726ad5244dc0bd8524583)
• Add support for loader veriexec (69d2666cee810da18c8bad94615027fa8e28e612)
• MFC r343065, r343373-r343390, r343477 if_iwm driver update (f370d6a9bd8a354e9a3d03992cf3c843e108a24f)
• MFC r344569, r344618, r344621 r344569: Implement parallel mounting for ZFS filesystem (b0578f749217f485405d4aecaf7587caf9a2e89c)
• MFC r344502: sh: Add set -o pipefail (038c4614d0217200688309779c9fb408b4e4b015)
• NFS updates
• ZFS updates
• bhyve updates
• big LinuxKPI updates to catch up Linux v5.0 KPI
• cxgbe updates
• elftoolchain updates
• iflib updates
• libarchive updates
• libbe updates
• llvm updates
• loader updates
• lot of SCTP related bugfixes found by syzkaller
• mlx5 driver updates
• nvme updates
• secureboot related updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-bootonly.iso) = afe98861bf4313eb7dd248feb064cde5bda02ad5a4cfdf2d7dae5fe8f33a69b7782c0462113de940b2a81c6aa2fbf4ad9d7f44b27fc62414a6a79e533bea3204
SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-disc1.iso) = e4601a89d7d6633a7ee7c6642fc073e7660dd4d86c73f6901c6dfb6cc8315c2b907838ebb4506a78c9f12b34d3b77215ba8846e79fcb4be1acbf0af13a3ce79a
SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-memstick.img) = a998f3eef40d3c508624e7c824aaa5741a058670646895987e056d2754e43466e24e3b4d05f499c6dace965a75e96a981db23d1f0a18125b6683e2749a603cf1
SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-mini-memstick.img) = 38885d8a5b1ced86863ac0891a1e93901f5dd0f0ee35ffccd28b4764e20fc899950279a7a623f901fb1627f87dccf00108f4a4b4c3e9b208dcbd1a7e2e2a592c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlzx6vUACgkQgZsRom/9
GI3G8A//WVETImttEd4i+WkM4tC7E6NKVO+oXKIehKZqQu5G9gmUqwLbvMTY0eP/
K3ea/aioh1DlLlkmvpALTA24Hxuz+OVkEIa+Vml2/eOUS1Bd0FNhN5ihb5JCogsb
Uo4Bjd0p50Bxe55MTnaAuPWbJTLpBKGuboPgOd7GIzSIl0d+omEFNcTJb+24IYyF
icW0dS5E7wQ3VpbGAp9xPvXRUUACrIb0J6yuV237dVQhCYgSOtGcv+/9fh93fbpw
h+IhnyEtDjapUJ/zNwoCGmMtKjN753s5ocLYEzq/LUkBM0LLs17W4bioTNIzhzxr
4YD3qVEhVusbNiYKvwiwKgl6S4LqKQsPLjOixV0EUHfzNpm7ZpfS7oLFE9HNz1td
sBWWWOzizcnvuiL4em3CLkZk4PiuRByUpM0b1X02apZzpfm8ntWM3fxNWRgH/GaX
oJRPMBcoizLleT5qert7w9bhHA5lmaOCbre1rv6A8eCgl0EGH60/0p8VY/2/ikHi
OCXAEdYu2WRTldA6XuR2KYDRGJm7o7Lp8mYm6SnCwQfyqYmKtl7Gb6UdJqKNOWMQ
sThTnl8NMX04bXLvrmWiJGmzyGY1NW4G0pacPNa36m75Ybtq56pg1OZjwGvn0sW6
q+rJj5tDEVCDLdyE8gbE4q4fYgegz+CDJvin/MCvYEQ9xqsWoro=
=By/u
-----END PGP SIGNATURE-----