HardenedBSD-stable amd64 installers

12-STABLE
git git clone --single-branch --branch hardened/12-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-12-stable
installers http://installer.hardenedbsd.org/hardened_12_stable_master-LAST/
11-STABLE
git git clone --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-11-stable
installers http://installer.hardenedbsd.org/hardened_11_stable_master-LAST/
PORTS
git git clone --single-branch --branch master https://github.com/hardenedbsd/hardenedbsd-ports/ /usr/ports/
tar.gz fetch -o hardenedbsd-ports.tar.gz 'https://github.com/HardenedBSD/hardenedbsd-ports/archive/master.tar.gz'
zip fetch --no-verify-peer -o hardenedbsd-ports.zip 'https://github.com/HardenedBSD/hardenedbsd-ports/archive/master.zip'

Stable release: HardenedBSD-stable 12-STABLE v1200058.1

HardenedBSD-12-STABLE-v1200058.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r342227: bootpd: validate hardware type (cc913fb4818ab0f1ffdb93ddc0145798964b98ba) [FreeBSD-SA-18:15.bootpd]
  • MFC r339909: Allow changing lagg(4) MTU. (8b8bd1f610ade0928bf728a849b344f74b33dcb3)
  • MFC: r340090, r342056 Merge ACPICA 20181031 and 20181213. (2f4ca9c8f0a8780b44ccba39043972baa0c01a92)
  • MFC r342125: Fix bugs in plugable CC algorithm and siftr sysctls. (92b6550b7f9b8b4b1bb75882de619dadd72851a7) [CVE-candidate]
  • MFC r342127 Revert r331567 CC Cubic: fix underflow for cubic_cwnd() (38ba9644182faa835efb437e0bec504161ba3c69)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-bootonly.iso) = 8f99acab3e53955cf6863b401fda4f45c2424150d6d8390ac891b7529050c4a46389b9ebe2eb440f0fd4f494d105d3e0998cdb509b571e949666291a868495e9
SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-disc1.iso) = 0260437d461b57fcaabb3a695684ee6fbba219b3506695a52630a676baa35173e00e59e524b6156f825831b392a4e60bcd4526d8d1813dd91d9e74fa31d89437
SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-memstick.img) = c0d3b3d8664d1104187f4f907da7b03aaff6b0cb484774565d0ff1c15515d539ac7c86574c139f715acefb88125de18123e7a4ef1ef951ef30fe1eff565517de
SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-mini-memstick.img) = 48972f624b03fb13f92cfcd6f83d7d9e938cb284d9159a0f2e63afbd97c75057bc45a2da1d98884a16a6f71e86eba84b817b40796d7b753b1fb920328691fe41

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwa9LwACgkQgZsRom/9
GI2SuRAAjzS+OSy5WHPhcTJXHA/KIZzywI3++KY1bhvnR7hVDKHkaOeT/q1Q3z3f
i2w7jSnf76mrmWAQx3h/tshjQ+l51kUdj8Fn7FHsQ2ub7DwVkN05U1V5TJdw84ma
gbmDlnodV257rQUVoUb+OcDXClhrPzvJshKZQgOcq512P3mWvsRfCyTUcbiCyhDk
4IDG68/7Xud3/ZAvP0NQsZ//XbCyHIukl8LoY5ZeOcPW/vePK159PyeKbS5iYRmM
+q58JT71Nc2mz96wgb1QCj3f1w7F4Jpc7VdQ0qAb4Km48g4QrDtBPksx/4bIwU7E
tBbBsvESoRP2b7DTO8FVWvNzclFIg4iL92NcxMv53zPTzXOm3zQ6t3SZk6wM70Xz
NZ551Aqnkip3Y/VxxcUIUmgFIqmM/XaD5zPBgOeaKyNmj96VraPhbCArblHKHZlK
B/KVgFb+5QMHGD/Nk2T05Zn2VG7Qldp37AR4+GeYQGN5yeu9a9NgREPXuJmawB/N
58yQiUZKTVzSsyy9kEFAIgBRaEs8sM+GxmQyqZH4AgikBX22X8oYLsL4L+SE8bYM
7dQHSnjx727tguGvQfst/rIR4ARSmCeoziOHTmrCZbWSGQ4foRW96AshJ3fWAGAT
9OFr6vPLlMzpY4tuNC2+kpNd5jeG9rA3llAkoo3AT6ed0dfQppg=
=nv3j
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.11

HardenedBSD-11-STABLE-v1100056.11 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r342030: Plug memory leak for AES_*_NIST_GMAC algorithms. (1ab95dc20c0f79f2d5b347e572904ef355aec886)
  • MFC r342227: bootpd: validate hardware type (dc1918c7f951e0c048665e5428f341e1cccad25a) [FreeBSD-SA-18:15.bootpd]
  • MFC r339909: Allow changing lagg(4) MTU (d055422cc148b2fffbe4ba2a2fcf0fc887bcddc5)
  • Partial MFC of r342125: Fix bugs in plugable CC algorithm and siftr sysctls. (f445d2ac303ef82d01bdb265c7b73f4eed5d8c99) [CVE-candidate]
  • MFC r341990: Fix a possible mbuf double free in bwn_dma_tx_start(). (84fc627d53884d2d1a08864a55536699ee3a2f52) [CVE-candidate]
  • MFC r341441: Some fixes for LD_BIND_NOW + ifuncs. (65520f2661bfb6e75d862ed693ab66f633a5bc9e)
  • MFC r340046, r340050 Add support ps/2 scancodes for NumLock, ScrollLock and numerical keypad keys (c321d531cfeb7c0408fb4160df20b9c1a2b91d40)
  • MFC r341375: Allow to create swap zone larger than v_page_count / 2. (61710bbfdf016232e290b03ef4e247bc1cb0b8b8)
  • MFC r341008: Fix possible panic during ifnet detach in rtsock. (7a2718d69b304f4e6b9db7b38932cdddcdf12a6f)
  • netmap updates
  • mlx5* security and feature updates
  • infiniband security and feature updates
  • linuxkpi updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-bootonly.iso) = ae8bf3897c9a3c76da066cde1781abda0a9ea3b413702d96ba60004d8f264edf1151e84b6cd42e4098d933b344cb54f3fc5bde48b55c1839582d965223bdf41d
SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-disc1.iso) = 0b5e100a039300927127ec53e4c28947718435e37056ac23128394e71f67d9c00bd5d4a65110a25d9feadecc074ac85b4b303569ad3c6bca9352e96505fee35d
SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-memstick.img) = a33a946d9671104baa39054321bb4a8f81ed2c3a526c7415253ea35c8cd4aec982ced35c9bd482b1761e87bbaf01eaa819d31d05d5b64abf78f303020ccceed8
SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-mini-memstick.img) = 5c9151bad95f9bbc14dd3107332c388275696b01238dfac4a21b724f3f0652aac0ee85fae334b1f9c3e16cf2bb53a0e067220fdd980e829005d53c83d3c9b624

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwcA48ACgkQgZsRom/9
GI3OtA/+Jt9GA3OSNiX2ZhmKnDEwQLjpqK4R9Gv9O5PmelPoTh6HExywnVvWQSYS
3M98Oz393HaoZnw0v9uq6ycKJ1+dwrveSJuOV4Nd+TnMxixEGMjIq4rNsvHxbVNl
tQuJY5MFAgl9s8IaGm7uaDwyxdVDJyA31XocQ38vvaca97s+BxEgGJusEzMvVakV
Hd6xBW0G6CqNzlVoKJhj0rGrLm8vGsMsWBcvNLjh8WUJiy02y9KhuJ6iHYI3Y5Pi
D9Ri6vX+rss0L6pF43K78ihoEsYa55LyTKwCd3kUox0g1zwJSM06PZhNJf36h5uH
oyJNkfqqk7aUsy7bIyEZ5z5UPZtSD9vmpEL6BEFSMd/6f6epfYWE5ghjcMqJ3Vlw
iV8O3oUh5JY7nZnTD25sRZjIBsjrCR5iyHB9niL0T0ZwQmK7aR6Sy61gyidrRCrz
hs0E2Wr07hJlz9UwM+FCPQ7v2/iZGsSLTkcGkX5d1q/480DsbMV3Jo4pABw75ozT
VLFxSdBkiNiAXKJxjeRDXI5scsn2VoUSBRgfycUNQy1iz202tSaiZBwifCgtRW/k
LERX7o5YJC0Qf5J+Y8BHP5gxra8U5PhpjiziNrUdMNG6Mxkj2qlM6UqQzQfGXBKB
+JxBxLyz4Vf8w/RnnhlZ5PAW+mXTCyJvRwK5K0G7Th2dKgM0jFQ=
=h1hi
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200058

Introducing HardenedBSD 12-STABLE

The first public release of hardened/12-stable/master branch, which contains lots of security improvements over 11-STABLE.

Among those improvements are:

  • Non-Cross-DSO Control-Flow Integrity (CFI) for applications on amd64 and arm64. At this time, CFI is not applied to the kernel. More info on CFI is below.
  • Jailed bhyve.
  • Per-jail toggles for unprivileged process debugging (the security.bsd.unprivileged_process_debug sysctl node).
  • Spectre v2 mitigation with retpoline applied to the entirety of base and ports.
  • Symmetric Multi-Threading (SMT) disabled by default (re-enable by setting machdep.hyperthreading_allowed to 1 in loader.conf(5)).
  • Migration of more compiler toolchain components to llvm's implementations (llvm-ar, llvm-nm, and llvm-objdump).
  • Compilation of applications with Link-Time Optimization (LTO).

Non-Cross-DSO CFI

Non-Cross-DSO CFI is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation. Clang's CFI is stronger than Microsoft's CFG and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patented.

Clang's CFI requires a linker that supports Link-Time Optimization (LTO). HardenedBSD 12-STABLE ships with lld as the default linker. All CFI schemes have been enabled for nearly all applications in base. Please note that any application that calls function pointers resolved via dlopen + dlsym will require the cfi-icall scheme to be disabled.

Installer images

http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/ISO-IMAGES/HardenedBSD-12-STABLE-v1200058/

CHECKSUM.SHA512

SHA512 (FreeBSD-12.0-STABLE-amd64-bootonly.iso) = ead39af6bc301c96c5a222884b79ec6f3b4d4ea3dedbec9f12526c2ac59360ed4fe681e49eb2982312c9d7d0d0b567751e338318a4f717cb7bed0aaa0ed3a211
SHA512 (FreeBSD-12.0-STABLE-amd64-disc1.iso) = 9b0d77db60c557e6011cc2388b70576834e4305bdb6e05d7f1e9fce95bc6cc119874120c88189753ca2ce117ab167b706a2aa35cf0563f6152407629996e10fc
SHA512 (FreeBSD-12.0-STABLE-amd64-memstick.img) = 97a70f614785df0de323c634b1e6f2b8a5f2d8b53e4584192f95f8f15fc346d31e52183fa19d1513e2e69dd2b002b42004f17e7fe85d8a00fab05a4d49bf999d
SHA512 (FreeBSD-12.0-STABLE-amd64-mini-memstick.img) = 11aff5393fbdbce0840332b70794265b141c083ecc7b2f49a3cbca0618aca55bebbeb7472a984d6d853b4b40751e239daca58b75e40a6334ae5ba128cda4552e

CHECKSUM.SHA512.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwXGq0ACgkQgZsRom/9
GI2M1w//btTs6Ek9HEcyRgv5kxpXwlf//E7YZNwpgF88CSdRhvfTDmyySjGmotaQ
ZSuL1x+nYVDqPc7vTeSU0wFdYjBWOLJpqecLmHSY+0fbZCRgRFd2pgQgxS6fhybb
M41V57GTQn5ogoeKQsCko2J7L8OzKhJh9c4FWD5L4H7YZTvv5aBWEIVqZvCEGEiY
XJZt2wpMICXwALyeVXSBN2S+DoMj2cD2W40pdbg3DdfVi6cAPZ/YQvPqG7h15+DP
ajFYsdU9UeNSHupp/qB3WkcQDgcnohx8ZbIjmTthHpocQXqKvwTvMHn3pByzoBoI
QYIYs6DEF1XynMDudzb2OtkvoskShpTE0h462VTn6Hm2BDcRlHZU+yNZSP4N8ut6
XNztkYe0b2JyKShUpG1pwkPIBgvM6eNDl5D+XKz2Cru2DEgpC40VVSGz5W7L9eYQ
O5xPKruIUWF6aS5g3/ooBpOAz25hqYHBsd0hPcqczgsfRhcjOSHUCSeiFJwAq7Av
gVN7rrzvHQPY/D1s7k20K+vjku5gOTyICuY5rdmZIOuMmAKbOijgY+Lp595XLneE
wEdvb1vXHbm6P1XhJNP+WPnENu18KHt4xWQ8lnCS0SUlL0qiN2gLvgRDhv22muzh
VSa82LishLniWf9TdMyN7Enxj2jofsMnDXn2vTmCwP9P+U09ipw=
=KDI2
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.10

HardenedBSD-11-STABLE-v1100056.10 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r341470: ggated: do not expose stack data in sendfail() 370912d064f22772cd539ea28587ca7a1bca6c9c [FreeBSD-SA-candidate]
  • MFC r341442, r341443: Plug memory disclosures via ptrace(2). (600baf4f2d9e7039632b5bf5503097edb31c3da3) [FreeBSD-SA-candidate]
  • MFC r341484 Always treat firmware request and response sizes as unsigned. (5b0911ed9405a15d0fddd237377ecaf0684142a0) [FreeBSD-SA-18:14.bhyve CVE-2018-17160]
  • MFC r337812,r337814,r337820,r341068: Fix several memory leaks (r337812 & r337814). (4a6ee6982ea1014b8d06511c23c76b849fa694f1) [FreeBSD-SA-candidate]
  • MFC r340968: Plug routing sysctl leaks. (fe7eaf6c881cc3948b430c5241b34e2c1189dc03)
  • MFC r340995 Prevent kernel stack disclosure in signal delivery (ee1166b9e2f474622f098aad4dd78869880379c8) [FreeBSD-SA-candidate]
  • MFC r340994 Prevent kernel stack disclosure in getcontext/swapcontext (88ba4e0711d85c593ac41f9c9a054cf4e66d050a) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • netmap updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-bootonly.iso) = 6ca4a5de222683ff4716090d55ffd1b19f50e98b7bef0012e94acf6ef73d61e2aaabe87026e2e58f1df4f797e5dd31130a4bac4d5cee82299bb75d215c5d1462
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-disc1.iso) = 40e2a44bd010fb2b1e14b4b8b90ee86ac86cf0bb9f629c9a121cb24ed2e25fc6b5a3e821b770c483e922fd2a5de535b4ecfde9b759888775f51478e2fb183713
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-memstick.img) = 2e57b96f5d9f75b277792052690947a849ca85a0e0860474b37cce06a623a5f566f60738b762ee6966081847be129a821ca199f17b3f286dafdbdbe6e1c70e0e
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-mini-memstick.img) = a216932ecf6c218b7f8984ca55524c18ab85e5bcce163d11effdf889883e28ba6feb4546ff3e28c9e2a29440f147363ae4444e75f56bd18b6a02176db5f8810c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwHBLoACgkQgZsRom/9
GI3zlg//dLtnJmc52UuttbSD1NV2h2hv4mNW/UteFjxGtJgdOCkjRGpx3sI4Vm1j
ks5NPMzi4Wy8r9l/bWv+k/bCvkxvjvt8gQKIBbDt8IauB1Bk+uxeWr3IcLn9eiPV
eC0diLLpUzTkbhN9NbnXbbugrrq4AeWFbOl06HIAw9HJolIYtLInOlH9XZToUItR
kbVD+AXjVmfntDWXPtkgCZdEEPe6zYAUgA39iyrcb5X3y+AVc9hDIoOGfPVoMIRR
rhEu1jwJPuT8C6r2hcareVpmfOESJTljh+yNw9iq/brkNXPW2UcPFwwkt7ajubaP
KW22bl9jGTTqA3JhpPHRwqFjyZzItD9TR4qPr/Fu2WTzYACyjNvWyCK/KJOvS6MX
ewepZ06yUhsLEjEiGpllJ4XipUn8c2hbTXLoKE/JOBvwhxIognoQ8yiEE645Vrb8
VCPLab5CK4y+CSZLEA2DWpiuWO7D/Z8pRIbV0tWKh1HrN5QPOjXeDDi+59t/016v
vb/i8YR0GhHgg3mPYCCUUgMey1e7vIjnmcj0OkZRyyx7bi2fP+37C/XBV9L7bFC7
kLO1pAX7hwWOp/H0dbrJCuLyWFLHjkgNODrxmmYk1OeWQoUT9KX1SFfYCKsNlpAn
Pq+17qjcl/Amswrpmw7a/WfXXLiNA46OyOU/aG9r1Z+8/Emd4YA=
=fwqX
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.9

HardenedBSD-11-STABLE-v1100056.9 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r340899: Plug some kernel memory disclosures via kevent(2). (57fd4999023fbedc45061430d5dbcdb98547b407) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340856: Ensure that directory entry padding bytes are zeroed. (3dc6e9a2e5b3a446ecb0c2c198bca46619f8590d) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r339818: rcorder(8): Add support for /etc/rc.resume (9837413dd9835df60a41e4cf3e30338bee65f358)
  • MFC r339808: Prevent ip_input() from panicing due to unprotected access to INADDR_HASH. [CVE candidate]
  • MFC r340783: Plug some networking sysctl leaks. (e1128261727c1eedda33c25158753d4f09545d5b) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340772: Clear unused bytes in ia32_osendsig(). (782079682d680e076598653d244323b8a5b90a8a) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340771: proto: change device permissions to 0600 (91dc34763d7783d5cc2e3d268e4c8ed85ff3b166) [CVE candidate]
  • MFC r340663 (rmacklem): Improve sanity checking for the dircount hint argument to NFSv3's ReaddirPlus and NFSv4's Readdir operations. (3bb4648083f3148398021abd35df925aa5c003f2) [FreeBSD-SA-18:13.nfs CVE-2018-17157 CVE-2018-17158 CVE-2018-17159]
  • MFC r340699: Clear pad bytes in the struct exported by kern.ntp_pll.gettime. 6c88f7d90bde0d335bc0687a41bc141ffb55e2bf [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340674: Fix another user address dereference in linux_sendmsg syscall (1162e5190b51c01b6386baec10dbcd0ddcaf4b38)
  • MFC r340631: Do proper copyin of control message data in the Linux sendmsg syscall. (a7710016b5015643786ff0ceb070cae982e80ddb)
  • Merge OpenSSL 1.0.2q (9424b8c43e2d3d7b45201e34799fd5c5193f7f68) [CVE-2018-5407 CVE-2018-0734]
  • MFC r340205: Avoid specifying VM_PROT_EXECUTE in mappings from pipe_map and exec_map. (a1e236f6c4f29f04befe42250d20312424c12deb)
  • MFC r339465: rc.initdiskless: add support for auxiliary NVRAM. (889791af8eb9cb4b19cd96d2891836e4205473f0)
  • MFC 339312,339364: Restore more descriptors during VM exits. (5093c36b3316b62e306dc18ff9e2bf7eac33dbe1) [CVE candidate]
  • MFC 338511: bhyve: Use MAP_GUARD when mapping guest memory ranges. (6dc9464d89d89a37d4d114ba519d004ee25649b5)
  • MFC r340260 (emaste): Avoid buffer underwrite in icmp_error (6033b7ab1ac6064008c8d99b64d95ebb815e1e74) [CVE-2018-17156]
  • HBSD MFC r340205: Avoid specifying VM_PROT_EXECUTE in mappings from pipe_map and exec_map. (a408354173f2c5724a9a603831936ab42c11fe82)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-bootonly.iso) = 6ba911b277a345fe7985e68695f2c83d5ff16d13e947084638652d1f5613f76e126d7976e08eab78dff36062e1e3e6958a2e625958cc3086c902a3a753db5945
SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-disc1.iso) = 5a395012cbb2d75e478c9d110d0495488721f3814c13053d43c0a0fc833ea84229b46e09632dbdf86248724ef7f9e1cf76326dd95438405dd96cd3237d3614c5
SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-memstick.img) = 803dd1d2a0f8560f075406cf3a98a2fb354b75aacb5c2580332111e8a99fbd3a2acc32efa0ae3361d9e5b00d087c23bd916b763002915d739e91ca6503f6f2bd
SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-mini-memstick.img) = 9034ebe006ce99ba9dac8550285d9ca3d83b2df8c1146b37209a4822cc3937b7631ecd910805e34581dbec19969b2691aaa53db64bdbd279409a51017a6a70bd

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlv+BkQACgkQgZsRom/9
GI2sug/+NYCxrjbWNpq5BTAmzJ+Ld5BEGDZ0Vh4crVqZAVlPaj+UIiHeAh7wHD3M
hDtNvRPk905YLt7RDdb0ieSf9oeIlqHF/Y1oY0EbQBsxcG3soiltd1QdivjraBDA
rew6WRy1RdxStChJa/ZEbmS9XFMhvfMY89MSta0FTAVYxJq8cltSbnJqHh2H34an
0QF3iIi8G6g5C7cUr6tnZRRk4e+gDhwdzrkUwQc3eA0H5y9galYI/K46GWhKIz5p
qBopHts3zHTnYJjT9k+F1DTp60SPCtDK3WKyiCsCDqoOUODO+9gTcLjQQDgcuG6A
HRmcM/+DCtmmqZPFFTRCQcglfVB1Vu1SuCEhJm/8/43UN2HgtUr7IkGzE8dTmNCs
glDGWJUPEgUPirgwlZhl0XdOgd6XjT+ybempDQaNGFnd1fPuwTcljK5imLZ6txEC
Tj/OGVyNvQla7cPRGqYHL7bMAjd4huRYezj1LLu3uvjnLHPZliv9z/Ijo6U9ssvq
RKrd5cu4wtRUvyPerP0Y7HIkv5To2Zm66ofzN3P04DnMJ+niCOebu+gE7mhiYpbo
6SgS84eWuiKZ+55NVDGrjUta0fKKvqaIjMxSxQnd3iWegEEeLDGgbZLP+IubsyPJ
P2JQahY82EaRCMWPS/BRfxvs28JZYec6Lz1JCrRKmzNQCDrwNJo=
=H8Ge
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.8

HardenedBSD-11-STABLE-v1100056.8 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r340077: m_pulldown() may reallocate n. Update the oip pointer after the m_pulldown() call. (fec14b22fcff136c352237afb47036d1614ee692) [FreeBSD-SA-Candidate, CVE-2018-4407]
  • MFC 338360,338415,338624,338630,338631,338725: Dynamic x86 IRQ layout. (160aee5ecc8a289fb54eb7b431cdab3017e9d9c3)
  • MFC r339681: Allow the bhyve VNC server to listen on IPv6 for incoming connections. (5e060e63804e1ecc636b29714d32113e483d6c60)
  • MFC 338408: Don't directly dereference a user pointer in the VPD ioctl. (b035f90113747066819a750566d008f6fae812be)
  • hwpmc: Enable hwpmc support for AMD Family 17H devices (1235e4abcc9d407b7f094039bca7531f4444ccc5)
  • MFC r339582: Drop sequencer mutex around uiomove() and make sure we don't move more bytes than is available, else a panic might happen. (4b875542b959aa18eb4a9a3594f6d548298fb59e) [FreeBSD-EN-Candidate, DoS]
  • MFC r339581: Fix off-by-one which can lead to panics. [FreeBSD-SA-Candidate]
  • elfcopy: avoid stripping relocations from static binaries (8e4b64478895d6b9ae0ea05d5962af093d757cfd)
  • MFC r339509: Fix loader.conf(5) "password" feature (9a6d83553b2b9b32be437e7d0a79aeda1162384a)
  • MFC r339547: vlan: Fix panic with lagg and vlan (1fda50699ae90ff2d1eb680f3e24c2f3d5324da6)
  • MFC r339331: bhyve: emulate CLFLUSH and CLFLUSHOPT. (9e85f7a5bf64f3f8ba9db7ef8a9413e94e208652)
  • LLD updates
  • ZFS updates
  • LinuxKPI updates
  • VNET fixes
  • libsysdecode fixes

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-bootonly.iso) = e9b4dc37c3914f14573222c3bec8303ba2516783a7daadbba42d9c42cfd1b68c6ed55a9f50c8ff394038ed5885880adaa230e3f89ea335be2e728d09331eac70
SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-disc1.iso) = 3a9d91a4b9ffb0c69cde6639bd39896c31e3d140f024b0f66fe113799daa8cf19622b7b06564dbe455481327cb4bf44e8763903f57e01ea2bd460a040b4e3b24
SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-memstick.img) = aa7101825ff05262dc1eac97ac8fd34614f82263dc2825a2087c1faf1094cc708f7703e39503ba4469d78db385bb642a6899ee30d6c832c80dc8b267ace88a9a
SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-mini-memstick.img) = 633bb097e6bacfe0c1fb6d6de8e8175fb3be91af1632e240aa6a96c237bd7aabae9157cf0d3ec41d1aebbdb40da53a0c2b5fa497e0f564f2670ee6b60a227a42

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlvfps8ACgkQgZsRom/9
GI2AJQ//Z30QApEHelaPy7fcej9N5cJv1rFKxzfqVmt8pvEAA+tGRFoUNMz+7xG6
92u5sGHkfyGV761XqVK7gJXk6eMj2Sl5ITy4c1L3zjGRXutfB/F77eKzsQtA+1cA
Moxz9pwJrFvyL3HouT5CaOysXwlYmJVIqF/P8sHulHImshWnlBg8khHvPesCD7wi
0tb9xdyE3+xAmkqwJMgW1U92TaPOzfwTK5BLbXelw5eWT/qiB2OR9HcFmdfAh/MG
LlvFAeBZh6k298KYjYE0aR7qo35Cu3kD0PfUDmVaZNZpORbFBz1ZcLSMt8sZBHOx
HVPSWTnRbJpuh0SJphvSvnbY++nsT0PbhxVnPiSG/naXKTTYOw1hyPYrJaBXL8n2
gClDR7DRxhUi0F4MqMzqLg05kwwaSu3lwuBwjdS9YjcHV+IyVgA9YK11BbdOecpE
vEpPTjtQpjYFydwQFqUy8FbYhEnBpiJCBB9StM04w4gOOWS/RzMO+GQ+ysjoatlg
C0CxgQ/yuwmlvw8VpKKWYwS5UxTN+XbBX8GCz/8IpBgSajfbrKIGf8wMdptYKdjY
bSy9HgR4XQNBiXeHzXTCra8Z5kive7VlhQsLqfjah8pLcKsHTGzpS7LSlobxTqyh
n+At7jjhYiwgXKKrkcxY4IxqwvY5rtLpb9fcByoGlSpWDgHhoV8=
=lzsa
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.7

HardenedBSD-11-STABLE-v1100056.7 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r333569: cpucontrol: improve Intel microcode revision check (cf3b425994272a0d0b1602846bbe51028fd67442)
  • MFC r339019: clang: allow ifunc resolvers to accept arguments (d10325d074c2f9aeff283511c3acb06b3c1fcb5a)
  • MFC 338976: Don't clear DR6 for debug exceptions from userland. (4de0836180159ccb2485c64e4639544254abd941)
  • MFC r339025: Update x86/ifunc.h. (59e3462397fe61451f33846b1d0c56142b6a816d)
  • MFC r338947: Add "src-ip" or "dst-ip" keyword to the output, when we are printing the rest of rule options. (cfea277e33577e9ec8653cfa010f60a39dde358a)
  • MFC r338216: tftpd: Fix data corruption bug with netascii (6068c2761de987bc97d4c472acdc1076d91fc7e8)
  • MFC r336310: Let geli deal with lost devices without crashing. (35d45fa28dc67d17e535455e202de0584763f70e)
  • ZFS updates
  • cxgbe updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-bootonly.iso) = 76e6957dd5124525e62f59baac626eeb4c60b622d64b458aa838e4a374f6bc521647376bf41882a19b0ed5767c445dd4420883ab7b1e095a02e15b5874f18347
SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-disc1.iso) = 1e2668998564e26911499875d2d163d9bb120746969dc96d6771f5c7c5213ba9dab434a16ba7c49d891fe8f496df6f08026701231abafa7cb1238a5b4f5fcbff
SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-memstick.img) = 6e635997ab76acf56b8b0fc44591049b061a4a7e47ef19e1b6603be245430a0d45566d35e19ae04cb693714c9e871bf8d5dcdc71af0a4625fa537486dc439c91
SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-mini-memstick.img) = ef95a77087998ea680d3c463c619ee749aa2b5794abed284cd5976b137c651aa3648c512c1af281f073f763df4d2e9a91f3cb79a5205234d321f950e0537b9f9

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlvH8GcACgkQgZsRom/9
GI1stw/+IM/kl6O9HIeCRZidthUtVA/Rk0ZGrvTilOpRwS+ahZks+D7d0ap8IC4d
WiQtuAOcG+RO0USYmv1Gmn0wh1bm0HhEFh6p/S4hnAgNTnRN1u4u/fBhqy7+jahc
IzBfvyRJ2+ym08trSBJthUtOmEcRvPwFOU7Vqj7cb9OpeAlQF7o5x6p3F5/W4VUf
G029GDJ8wyUQYSgQ+T6GgA96YUeEGNHcDZgUnEhyisyHCh60apYsrgRFKvmTqVff
91W6gRY/FhKgCmOJA1vIeXv5eiWGAlAAYTCWfbcsJ6SQAUzghxZTxUkhJEdy1XSg
XohwIoPU7TUKA7KDi9yP0SDdfCrDOeYlFwsYoOrDjxHLLDFGKNDT0BM3J9M8rh+N
gerwQQxZQ5ZYV8lohg5YSGfcvwgUoq3Th7EyqmtQbODAprvAlQYp8Ly1JuLkblHy
qR2DyoqVZfyEEmpTrt6AB+n5ck8QxZz9iYGSdwcdOKocqIcdZ96Znfo1oJDUMLe0
aYSimT/MTaeTCnjuo7jSz0Bvewi0zWfi5yqeOeE2X0tYlIvuuRh4/g6aovvaZuAJ
ZWOH4klex79aNvVRwqKToeq3OPjOT9D4KVTUnUu0oTRdxy7KAl0+YreGMdZQi7XA
wAheaZb3zZ8u/56EEMwWJwpn0ZvXSQ+BsOX0/USBQi/6+/Ir2Hk=
=S0Uc
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.6

HardenedBSD-11-STABLE-v1100056.6 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning:
since this version, the SMT (Hyper Threads, virtual CPUs) is disabled by default, if you want to enable the SMT back, please consult with the specific commit or ask around on IRC (#hardenedbsd on FreeNode)

Highlights:

  • Check to ensure the buffer returned is not NULL. (9359dbab020da232fa5104036f1014d0fa879561) [FreeBSD-EN-18:10.syscall CVE-2018-17154]
  • Restore the inp_vflag and inp_inc.inc_flags fields when the underlying operation fails and the inp could be in an inconsistent state. (854244afa3ccf0baa19ea60569bedd26267cf534) [FreeBSD-EN-18:11.listen CVE-2018-6925]
  • MFC r338982. Clear stack allocated data structure to prevent kernel memory leak. (7d66fd1e932a68e0bd893f0a19724069d5c80ace) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r338724: Fix an nvpair leak in vdev_geom_read_config(). (81ef86df2cf70de6e205ddfed8ae1d736239cd22)
  • HBSD: Disable SMT by default (70e728df724ed9cfe0e79f79d6446d00234f2ff7)
  • MFC r338600: Update libarchive to 3.3.3 (85012f82112d6062b2c4179c5ae9734275f4c480)
  • MFC 332454,334009,334122: Various fixes for x86 debug exceptions. (4484bf717c82ee46f15a522b7fc088a3e85f3d5b)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-bootonly.iso) = 582ac18f93337df8219bbc2aa707ec85a71c1ef1910b491230fa338d258fc5efd9326775e60a5961a6118196ae04ba7b0c18fb023b30341273c07e37766f4a16
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-disc1.iso) = ba064494fc320654922e17e1ba1e86e231ebe42196b0c2d35e9e3eff63f5b8ae4303a3255b3f8b560a6bbb6f5efad304baffabcd629b8c5e4f92ed1e56f87640
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-memstick.img) = ef229d8d5dff57375859b671e81ef67a0ee4676c9664f0acea4129c1ba0aec3806361479d3363b2f889e1dfcd83343fc2f8aec0b38f27146badf38179d3cfc51
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-mini-memstick.img) = d95c8ed96dbcf3b394a68d9771f12bec1a8ca94cf2a8250d70eccdb23f95c27bdf4239ec81f499b2fd84c38822aa82360f96ad408f743ff369488fec7ef1f14c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlutXwcACgkQgZsRom/9
GI2tpw//SSzwtC2vbWtbbOTv88TocVuempe9XkX14hKbJSOeUWE9qvXXbpulWvHU
OFqm5B6Y70egSubStfbM3ZKnhUDZYnrNU7SbPZYS7/kUQ9apB6g1njSS4u4Bd4av
a2T+1osOVP46ZNaRHCaFNr3Q+yZhdUg1LgbrC5NhMX7SzX7egts4owD6dsK5vIVH
ig6R5oDWe9fnY8UgMDUuNeEh51hdstW5tPDY70oMDdA0HIj3MWgbGYPTJtS4csH+
t0l5daxdqSuoVapES5mriOl4fYdeGEK37E1Er+Gntzl6a4/6WmTXETnQnsyuQ8cv
9kdg/ewjsvyHDJGdPXkfz+9Lpdoi9qIy19dc8o4oEA4PhDQ261j4uPsoY1nrYKrd
/O6+GqRuvjI9EPx3+RbTT8wSlKRn3UFif63Tidf2bEy/cFhoDVwlv46jnFpyDiwf
PoWR97tcc0lgSCzk2bNPpmWh+1KtL2NvbnkaKoZFn0QHgWnEmUl3c38YqQANHzcc
Gc+Rw1vuJ/3csLxdLhfAq+qkBuqB6QYhKUT0hkpkulBbSh9Z7DcR7IxIQc23Dd0Z
JKlMSnMvd4oZWo+yMqw7G+lXB+8uD6/ct+XgpN0BhYEgK/8v4nJa3K8KPv2RDEbe
uFxc3rFc8b/qfrOjJtK2Ajy1/cOfbKNOWTAYpmzuwn8R1i1csDI=
=0oYP
-----END PGP SIGNATURE-----

Announcing The HardenedBSD Foundation

In June of 2018, we announced our intent to become a not-for-profit, tax-exempt 501(c)(3) organization in the United States. It took a dedicated team months of work behind-the-scenes to make that happen. On 06 September 2018, HardenedBSD Foundation Corp was granted 501(c)(3) status, from which point all US-based persons making donations can deduct the donation from their taxes.

We are grateful for those who contribute to HardenedBSD in whatever way they can. Thank you for making HardenedBSD possible. We look forward to a bright future, driven by a helpful and positive community.

Pages

Subscribe to HardenedBSD RSS