HardenedBSD October 2024 Status Report

September was rather busy for me, so I didn't get the monthly status report out. So this status report covers both September and October 2024.

We received a donation of four devices from Protectli. These devices will help us research and develop a censorship- and surveillance-resistant mesh network. More information can be found here.

In the source tree:

  1. Passing a NULL environment pointer (envp) to execve is now prohibited. This helps address ROP payloads that simply pass NULL as the envp rather than constructing an environment array.
  2. The hardening.kmalloc_zero regression is fixed.
  3. The base system now uses clang's C++ hardening integration. For more information, watch this presentation.
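The execve restriction in item 1 can be checked on a running system with the following probe, an added example and not HardenedBSD's own code: a userland check that mirrors the rule, then a child process that calls execve() with envp == NULL after a control run with an empty environment. The errno returned by the check (EINVAL) and the use of /bin/sh as the target are assumptions of this example; the report does not name the errno the kernel returns.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Userland mirror of the rule in item 1: execve() must get a real environment array,
 * even an empty one. Returns 0 if acceptable, else an errno value (EINVAL is this
 * example's choice; the report does not name the errno the kernel returns). */
int check_execve_args(char *const argv[], char *const envp[])
{
    return (argv == NULL || envp == NULL) ? EINVAL : 0;
}
/* Fork and execve() /bin/sh with the given envp. Returns 1 if the kernel accepted
 * the exec (sh ran and exited 0), 0 if execve() failed in the child, -1 otherwise. */
static int try_exec(char *const envp[])
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };
    int status, code;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);
        _exit(128 + (errno & 0x7f));  /* only reached if execve() itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    code = WEXITSTATUS(status);
    if (code == 0)
        return 1;
    if (code < 128)   /* sh ran but did not exit 0: not an exec failure, probe unusable */
        return -1;
    fprintf(stderr, "execve(envp=%s) failed: %s\n", envp ? "{NULL}" : "NULL", strerror(code - 128));
    return 0;
}
/* Probe the running kernel. A control exec with an empty but valid environment must
 * succeed first, so a missing /bin/sh is not mistaken for the hardening policy.
 * Returns 1 if envp == NULL was accepted, 0 if refused, -1 if the probe is unusable. */
int probe_null_envp(void)
{
    char *const empty_env[] = { NULL };
    if (try_exec(empty_env) != 1)
        return -1;
    return try_exec(NULL);
}
int main(void)
{
    int r = probe_null_envp();
    printf("execve() with envp == NULL: %s\n", r == 1 ? "accepted" : r == 0 ? "refused" : "probe unusable");
}
```

On a kernel without this restriction the probe reports "accepted"; on a HardenedBSD kernel with the change from item 1 it reports "refused" and prints the errno the kernel returned.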

In ports:

  1. FORTIFY_SOURCE has been disabled for the following ports:
    • net/samba416
    • devel/libgtop
    • sysutils/grub2-bhyve
    • devel/kronosnet
  2. PIE was disabled for editors/libreoffice.
  3. The devel/bsddialog build was fixed.
  4. PaX MPROTECT was disabled for www/node22.
  5. The devel/boost and related ports were fixed.
  6. Base ranlib version detection was fixed.
  7. The default ports llvm version was bumped to 18.
  8. hardenedbsd/sourcezap was bumped to 1.2.1.
  9. hardenedbsd/portzap was bumped to 1.2.1.

In other news, HardenedBSD 13-STABLE is in the process of being archived. Folks who want continued support for 13-STABLE are encouraged to create a free account on our self-hosted GitLab and submit patches. Otherwise, we encourage everyone to enjoy HardenedBSD 14-STABLE and 15-CURRENT.

We are grateful for those who contribute to the project--no matter the form in which the contribution comes. Continued advocacy, patch submissions, financial support, and other contributions are appreciated and needed.