Stable release: HardenedBSD-stable 11-STABLE v1100051

HardenedBSD-11-STABLE-v1100051 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update

Highlights:

  • HyperV fixes
  • ZFS updates
  • libarchive update (CVE-2017-14166, CVE-2017-14502) (aea515eb9597ea4c4963aa471d4325e351653a2f) [FreeBSD-SA-Candidate]
  • lot of hbsd-update improvements
  • Zero segment registers which contained invalid usermode selectors, when returning to kernel. (6a720c60ec8e6bc3caa3141033b0f54c14c0718d, 2c707ee9d55df4bd64c5928a092aea228426ac99) [FreeBSD-SA-Candidate]
  • make fsck_y_enable more agressive (8430527c119726c7b1fa826dcf935f4681a126a2)
  • HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1) (954bfe0ad4ee110a69ab41f78f0494a3e2d4d9d3) [FreeBSD-SA-Candidate]
  • HBSD MFC: netsmb: Fix buggy/racy smb_strdupin() (145ca72398904245c097b37f843a2d7885a16c50) [FreeBSD-SA-Candidate]
  • hbsdcontrol's kernel side implementation for more information please consult with https://github.com/HardenedBSD-stable/hardenedBSD/blob/hardened/11-stabl...
  • LLVM, clang, lldb, lld, compiler-rt and libc++ update to 5.0.0 (12cd91cf4c6b96a24427c0de5374916f2808d263)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-bootonly.iso) = 2a7a0644c4f6539a0763fee344f3ac7a51df62a358a394fc884d51147ca2479cfb6aea600d900dbcf551e5e4331685d8380038849636005f51fd1ff4a391d710
SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-disc1.iso) = 840b8f12b33e4e9328187719af152c14f383e0a5b2749953f84e634bead200ff8794559b63faa6a9ed9b0675ef44be9d6d055f457f514c0107e8b480f2a46159
SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-memstick.img) = 11ce832ec9256846e3eff4d5d661a9ef38d05b7c4857d1975cfec438e38de5d3e804f8401a943753672e469c0bcde6184f3b99bb22e3174b8a1c5e59da5ae9cd
SHA512 (HardenedBSD-11-STABLE-v1100051-amd64-mini-memstick.img) = 5189aeccb1823edde5681c6e5d7276cf2c1777981bb818ed3a3c838a5fe6f5035248da5094161b76ac9f7b574d957d833a19a3641a08f03b6fd74c468ba5140a

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlnhbH0ACgkQgZsRom/9
GI1bfg/+JvEFmHPiEM6m8696no95d3LDv+hInSTMXzDmrKYh47eejtJI0vQcq06Y
GqFkVJr8sMfApKF5dMQJ6f4JsbTnFx4hQONwDIdM3lPhTnxUNfvtT5Vb2TrmOpU6
8hPQ2RRNYkTJVgbP84XhHlQwi3xNnpNKnjJasZiNUBcbooWpprjtkQPx7hGIVXEe
ubTX+na5Ry6i/NPcOYFr7YKPiqWNu/zSKFFeERjW4YnB6RyXsMUIr9nsEs7kjcRi
mIIVu/VMlXhkjGg1IwUPy9V8gA+YHutQ5/V80vVCUUUaFXoUS8t+isofywoCgD92
VX/icmEoK6T1PyVz47pzH+62fwVOn1Ypbz/1329LfNMY1CyNesLPore7bhNEpaBh
wovZH5Y9aJAlIrd53oiSHUGwlF0RROvpoWLC51loMp5IPdJR+6aoU6TinnAyMARd
0QRlLLtal7TO7cXfQE5OYDyVNHiVZgLIDQbNJG8G+pGmYyWQR8LZV/zsk56ti5tK
Lg8ABYEOvoTzG9WaJX27pFnMbzpiHyf5MzPHvA+KoEQibtFZWu8jyz4iHKLq7jB9
OfkSaWV9s87gSKzA0BP7m+Uh1bY1Ka9kTIPXd0n8ym75hGeovr0r52s48i4CpJPo
APTtWgrbgvD6P/uSnSV9hFAw4C9/LBJceEMPpjioctdKNA52wvY=
=pl3g
-----END PGP SIGNATURE-----

Entropy Gathering Enhancements

At vBSDCon 2017, W. Dean Freeman and John-Mark Gurney gave a presentation entitled "A Deep Dive into FreeBSD's Kernel RNG." In the course of preparing for the presentation, a number of bugs and non-optimizations were discovered. These included:

  • The fact that after the code refactoring to make room for Fortuna, the code path for mixing entropy gathered from so-called "PURE" sources, such as the RDRND instruction on Intel chips, was broken due to a new check on the bit value in the harvest mask and the fact that the bit could not actually be set.
  • In the random_harvest_queue code path, followed by the majority of entropy sources, entire "harvest_event" structures were being hashed, causing very low min-entropy measurement values when following the non-IID track for entropy source evaluation described in NIST SP800-90B Draft 2.

Working with the HardenedBSD team, these issues have been addressed by W. Dean Freeman and reviewed by John-Mark Gurney in 12-CURRENT. Patches will be made available upstream so that FreeBSD can benefit from both the bug fixes related to pure entropy sources as well as a boost in min-entropy. Additionally, a BSD-licensed userland daemon similar to that found the in GPLv2 licensed rng-tools package has been developed, which allows crypto officers to easily use USB-attached TRNGs to increase entropy fed into the kernel PRNG.

Future work related to this will include importing the NIST_CTR_DRBG module from NetBSD into HardenedBSD and performing a FIPS 140-2 gap analysis against available kernel cryptographic modules to see what additional work needs to be done in order to provide a BSD-based alternative to Linux in the government sphere.

Stable release: HardenedBSD-stable 11-STABLE v1100050

HardenedBSD-11-STABLE-v1100050 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: pull in upstream fix for pwait hang when watching its own pid (09401513dde5740de4b088e39333d8011f210786)
  • Removed HARDEN_RANDOMPID kernel knob
  • HBSD: rework MAP_GUARD footshooting prevention (c694b8039615f1e4e59ef299ea36d6aa93a13269)
  • HBSD: Enable EARLY_AP_STARTUP kernel config option - fixes Xen boot issues (b179d012d10d53a6331ff74e8485bc280c254f40)
  • MFV r320195: bhyveload: correctly query size of disks (2239cf6be006a2c35505c12569689f845fa3da2b)
  • HBSD: merged back LibreSSL 2.5.5 and enabled by default in 11-STABLE (37565403fa31bc816a59893dc50598e242801371) (with lot of commits from Bernard)
  • Add sysctls for ZFS ARC shrinking and growing values (d991ae815445d3666cddf457fe576ecdbb07a013)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-bootonly.iso) = 8d11dcb3b300bfb7c05a52893564a8eca7727624833634c8c0f0b3a9fc8fa3fe80de277fbc563f77252e3266591e77b26300be214919fef6902d9576a58bc846
SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-disc1.iso) = fb64fd300ea10972db2081d800ec08532fef8a899d6b463b0d321d98cbe2e995150fb27a707ece45e0219c6cc44b99120555d6339a23035b087b00a07d698889
SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-memstick.img) = ec8efddf21fbb1064b796d1f7db3845fa0e54437c364837eefb7f11974929c41598b13fa6b8bd16abee6997939ea629c8a4abc794f353dfeca04c183ffdde032
SHA512 (HardenedBSD-11-STABLE-v1100050-amd64-mini-memstick.img) = 2a0cc547d94438d52a51e587cdd49f7b37af7e1398299e96973b892b7778b44a63ce9a34df6b5827e6ab33e889825f6a292e6ca5981bd5116e79ed64f2414ebd

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlnIXq4ACgkQgZsRom/9
GI0euRAAnE9UJ3DR3HGD5yXNhCuY6oyWk1hjZYbv0kxrNgr/CWI6Qq9tzHY6cmvL
lERxtAv6iusuwhOGEX5Mg1HmtcapI229wQV4mHbtat5EuWtB+u8R09f0DQbwLwWt
ArOYFVeg7RQT/n04sIzZuh+Knx+q5cfkgOi3FR/4RUDDTJOXACC0qkwXyt/FuVto
os8JNESHZ1fJR5T7qWpFlyJFpRJyZNS/I4huZufqSXQdtPWHswDyNpa8tTTwDV53
sQ/RjV9BcwqOrg0PVYgnqdAGOXAl9y2feEWHOrmwCLqyt2tY1MWyD+FGvzqWKJQk
4wXQDfkcp3DLQrjOzjwUv0luPghq1v8tsKr0PW5mZYzOW1k24vz6JAXsQ7DjoQIg
nYjvNPxZ8lBn/vkmJs2/ZODPVft2jAwZLEFR7Bhp7gyE/b8Dpsanpcl876nc0Hhf
ajWOyg3Zl7DaACnDAPasbOZ1p3xe6AzcC5X7BYigZ+utkusntbJ2mRdlFV5TbPZo
im4at4Ylo+nY8w4alpwAFc4Fwh5dDkcd1TV3Oi6VxRaDEOoHZ32o87yLgUxo1XTi
R2ysFt8zHLrhDM28KtZcrTTC8hPUVehxKUt1g1KZcfSWnIH90NfC0p1LwqOTTLiN
1HadK6g+Za3tInTeRL5DGB5UcpbuY26jPhm4i16fEHhwuNbt4hA=
=Z4iz
-----END PGP SIGNATURE-----

HardenedBSD 11-STABLE Now Ships With LibreSSL

HardenedBSD 11-STABLE has now migrated to LibreSSL as the default cryptography library in base. We've already published a binary update for you hbsd-update users.

The 11-STABLE package repo was taken offline until it could be freshly rebuilt. The rebuild process has been completed and the repo is back online. You will, of course, need to update base before updating packages.

Because of the severity of this type of change, you will need to reinstall all the packages on your system.

Instructions for reinstalling packages:

1. If you use secadm: secadm flush
2. pkg-static clean -y
3. pkg-static upgrade -f
4. If you use secadm: service secadm start

Stable release: HardenedBSD-stable 10-STABLE v1000049

HardenedBSD-10-STABLE-v1000049 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: Update DNSSEC root key 257 (d51b7839b2dcab876f28f411885396344f1dc360)
  • MFC r322677: pw usermod: handle empty secondary group lists (-G '') (9cbb330f2197dd7d1108f4ce49def97e3b3b22e0) [FreeBSD-SA-Candidate]
  • MFC r322678: pw useradd: Validate the user name before creating the entry (73846ec2976bad87e4e8059d5b0264b3b6827e02) [FreeBSD-SA-Candidate]
  • MFC: r321293 date: avoid crash on invalid time (d014d3453df98ac0a22f7a78147ae516fd5847f8) [FreeBSD-SA-Candidate]
  • MFC r323278: Fix an incorrectly used conditional causing buffer overflow. (cec050ba26dc8cd492c6c67a1ee9cc237129c281) [CVE-2017-1000249]
  • HBSD: constify pax_elf()'s mode parameter (a660c9522a293e4801c3c0ca0a6e2c714cf24350)
  • HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL (d4a5dab0a48488c2e2a4f2aeb8c6ff7bb517c989)
  • HBSD: API change, swap the first and second argument of pax_elf (2135308c19bae799fd30b8918c4f1911bd78e75d)
  • HBSD: update mirror list in bsdinstall
  • HBSD: print out the __{Hardened,Free}BSD_version and version at panic time (0a7d696ae6ef71ea624ac6879e2943945b81669b)
  • HBSD: improve logging - hide early hardenedbsd related boot messages under bootverbose
  • Upgrade OpenSSH to 7.3p1. (b3ef7b369b144d0f58083c3965742583f3ab7190) [FreeBSD-SA-Candidate]
  • HBSD MFC: r319365, r321670 Merge ACPICA 20170728.
  • HBSD: disable coredump helper for devctl (389bdb5b707bd9702d6086be918b4df59a9a4372)
  • HBSD MFC: Stop masking FSGSBASE and SMEP features under monitors.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-bootonly.iso) = 5c3c682db8a57124c2852ecbc3ccbeded6fac7534b04aac1b434035ffa64a6048b520f4d3ae4a76d06f1d2f994b74d40392a1b70e89d6abdcd9c1299a179dffe
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-disc1.iso) = 1434b67f2192f96ce01e5a3ff1880b0166fa9d75963d114d68eea03cd6e6985497419e7c4afd604d461c072b3bc119d0693b7b39b658e376a830c395ee00a35b
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-memstick.img) = 3c727b04ea288bf985c85aef8f81de9d22bce99884f79f61496142a8de70d73ada0aaa9d0a5e987149caee5c7ec9c7b3b5368af5155cd96068528bd124a6bd4b
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-mini-memstick.img) = b69249bacb713b976f3799f95b7737ddc48b62e96e92e1fc166fbb23f536a7401935060d506fd39c87c1a675e03d061472b6956be1a45c161602109fdd4be6ca
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-uefi-bootonly.iso) = 400d1967dbcfc01071bd9cd744bc6a49ef1b5f7553491311bcb39f7685605f37495ff6f9f31565203d7103cbfeea79e4f5ccd2d9e9e801a62e7b752d72ce2acf
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-uefi-disc1.iso) = b2cd9572970eda037ee149c09d172f6431bd236aec992cae895e8898e3ca007003265f2b98b93322a19331b0a4f1b5a481adfa6250e5f1165daf3e24098d53e6
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-uefi-memstick.img) = e053d87807fcfe574f6f41fbb22f01f2395a7273e5f0397136569753532d366b06bc30b3a020bec54ac59a62d1ec708ee10c10a1fb13de352b72cb10e2a2ff8b
SHA512 (HardenedBSD-10-STABLE-v1000049-amd64-uefi-mini-memstick.img) = 0409c88284cc9d14f2c64978e713845c5a581ea5bbe77b424383becf39a9a05c0c3c92d29bd2bc7235035bbd35a16db9a677d8a9a01251eab097002f01c81b6f

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlm8eTcACgkQgZsRom/9
GI3qTA/+NrQJL2m4aelDXcOJbERPyXmTt/r6Lew2ZVKWo1BGG3ukkksIO4ixmfXH
tbbkQj+RDFfK8QmRHFUSz7kur7A/D79ia5CKXDUMoNAw2mMA8oiO5SgcPv3hShyV
a7miKcszaRL8brrFEzZ5ZU7YhJ/d50oEcbhU06fe07V4I1p0mSGfX0Xq144tE3vA
bFjFwZIu1EYQSpVPERtsl+7nB/F1FIHvbnpKakS04N2utuFzUmjfdMaS1/Is5kr0
VRGlboa7wx0SlWuWwHMRiFIzRYojaN6Vl+X+4clVE23q0vGfhHVmvxyGncench3P
5/jNjdkNXS5GSfdkbzFeDyZ54V7UIlf87AzxOS4d1yYgA/o7HUZjeFhD4EWLQOf1
0QX5hhMw7sa8zIO9IWLLulaerpI+AP1zFg/AFF+g2BF/szl7Bcf+LMwzfIVYSjaj
TszokJIrUahDDe3odhEVoQAqpn3nDHhzbDzo2FjWWmNUz3Mh1i9RyPTzCBcrf2M5
P23/ZFc41StAGSRUm1Cmla97OLWPR4MkwqtivM8VEug2nMYcsl+ZXMKMVlBd/5Bc
gfLNzpWCvEvQw8s9jCZAYMD4uAHSbYevOxEykOj+JJHNdGxqOadwWRQV/YJlPMC3
2/hHXFQ+nGeytsKDHRalGX35amvqymARtf9ZcynL757cThz1TPo=
=TWDw
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100049

HardenedBSD-11-STABLE-v1100049 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • fsgs base changes in kernel and in libc (43f99b9f1cc2c625779e087ba4866d7c496d5b7b, b1a7a7418e73251aad628dc4f9418e550a9fd3d7)
  • reworked vlan locking (a62278e0d2b2f8b2d860fb689490dc1b6d11eb33)
  • HBSD: Update DNSSEC root key 257 (548eb60819e04c5d06671a95f5a7082e194fb7d4)
  • HBSD MFC: Fix information leak in geli(8) integrity mode (9344d69cc4c04c6555d9684976f57e8387354cf5) [FreeBSD-SA-Candidate]
  • MFC r323278: Fix an incorrectly used conditional causing buffer overflow in readelf [CVE-2017-1000249]
  • Fix possible double releasing for SA reference in IPSec. (3bf892e2d5f50a11384e8bf9fb7c14db1bfc0d26) [FreeBSD-SA-Candidate]
  • HBSD: constify pax_elf()'s mode parameter
  • HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL
  • HBSD: Bump __HardenedBSD_version after API change
  • HBSD: API change, swap the first and second argument of pax_elf
  • HBSD: update mirror list in bsdinstall
  • HBSD: print out the __{Hardened,Free}BSD_version and version at panic time
  • HBSD: improve logging - hide early hbsd related boot messages under bootverbose
  • MFH (r322052): Upgrade OpenSSH to 7.5p1 (7e3dcea1a1c17915cbd33fd8fcec2b5530f8d3d1)
  • MFC r322590: bpf: Fix incorrect cleanup
  • MFC r322750: Fix the regression in ipsec introduced in r275710. (4e0ff7d0a944d10581e904bc3057524ce7071e30)
  • MFC r322677: pw usermod: Properly deal with empty secondary group lists (-G '') (75c367731c924e73c5bd87ab4b974c42917990d8) [FreeBSD-EN-Candidate]
  • Merge ACPICA 20170728. (1c5a17e1a7dd5063e58cee0a717989c5ce609bdc)
  • Plug uninitialized stack variable leak in sendfile(2). (d51b637e3144fab948a4d9a7bb312a2930e3d157)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-bootonly.iso) = 3ff186518876ef188b8a5fc275001613fb91032443a4d122b2d581e09fb5af43d50c388025258c07ca493d241f35c7b5377e0487b28361490b575c5e0ed37a11
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-disc1.iso) = 6bcfce3349e89e04baa4f4c32e51edd873edb07edb43007ec10bb3b6ebd7e153160051c9e64cb95db4ce2673b832ed6db22f772887c852a5b749bccf867ee6a8
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-memstick.img) = 194193396409b28e8c8727b868b96dc7abd75a36d43901323b0f3c3827d615f59b9eb89467a820148de71f0b5ab7f7f80997acbaa8befb04faf92261fe6a9df9
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-mini-memstick.img) = b9145ed2bde8e473be177db9d643101d30f7d5c086828152ddea17335eb3d7025a6888ae097d8006077de92349a81c33595d2f0422d1de88c62a9abd9d3a7a71

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlm7OZAACgkQgZsRom/9
GI3iRQ/+PxEz2r0jsddF9KNWtRx2fqita2VRfKmIqtdaXDiS//089T0rzLdJIfXL
Uc52RY28HQuD820t4oaW+gsox0/Dmbb9EzSR27YT09ez7pCNbufaHYH+3SGU2zk4
GFJHNrjHdMPfK++Y7Cqg+kFtDssT/OQmfLYc8eAKnzd3V0GlQnb4fZqJKaqt6Zhz
9+E8N1wWVIwB816IXr2UCvkyR9RQspFg/VP/JOQaQfQad/iVrhJWBzluQCmQzMf1
YankE0TvK2+IVmiLOxa0WCYoaD5Asqrizo28U199SM5YOPWe4hHKS/H8zz7BfieG
2R69zBejVSbCfDBN4S94ASimDo4HOq05ApNXlC0JwzcAUNajBXiv9ANzpyeVVkBv
WPBvDIieaKF2OQlbhVdazaO4EiMYTu5Kqqy3oz9YNXfEP/o9/n/OcB2XNLvfszlu
8/jD7f6SPeXijWzSEE3hOmJZWfQc8DzWBqp9PRyk+GtmkhAG1ldXwrjHvBWBSy+x
telrI/Tf0jvM0mNpNnvifz3CbZz1yK6Rvl/r1tZTue3bJf9ddONR+tnYw5CN0wZ/
fkayr52iDvbFhNO25fwI1W1QiyJFuJPZAewZOe9z240HXnV0mOqqxHbIsLgehlpV
hQiztHlpkUyoijTjmb05knqt8pdE8ptGyErKud2IES6mL7NSIUs=
=DnyR
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v1000048.2

HardenedBSD-10-STABLE-v1000048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • hyperv/hn: Implemented transparent mode network VF (ca9be1048e1114e0e543779418164a706bcbc1ca)
  • pluged memory leak in arge_encap (d79c06e0f7634d387815823261c842b0cc7f3cc5)
  • based on freebsd/stable/10 from 10.4-BETA1 state
  • fixed sshd DoS (74fc8942a90af0a3150be3420f9ad6815b98e6c2) [FreeBSD-SA-17:06.openssh]
  • updated bmake to 20170720
  • fixed UFS snapshot handlings

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-bootonly.iso) = f050424321507f9ed24f9cf41c0ba841f4aa53356867ef21a9c4ccb2d72acfc41f914cd83ac6f49449277bd42e29cd6cef19c6f35b25c49fcf6d508ef6edaa2e
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-disc1.iso) = 81a44cbd6135a596971b0a2135c9ab9e1920231f14e152075ecce1f402042f2d5ceacde93dbfc1bf2c8d0129c3ce4597374f7a1b1a84372b57ba49fd75effa7c
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-memstick.img) = e7d69c3787aa83231f2462bea1321208a45bb498593040719069ced55c86c6b09faa8d6a31052f1f00977d74276573661f3aa34277cbd6d58cb2286dcc505e66
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-mini-memstick.img) = 0b133fb18cf85c71d692ab3b508aead98eb2e77a3ccb45ef9abe315de0fa818e767d9b6f09c99f43b0566cb9e77bdc78b4f30c69d406fb6e15159387c7da8243
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-uefi-bootonly.iso) = 8451d20d95a34675aaea71779a69458e1bf6dcab83f32eeb7073e81bfd6dbae7dce8edf5297944829a92045b7a880d0069070c19eab95cc6594746ce3d3d8b16
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-uefi-disc1.iso) = ac6d9a38dcce63da5a507ab9bf8a275949e0695d49b0ed7a00a3c5cca1ef01e2a61d2e0f1b06f5092a39121259fdcae121d14fa6ea972e585d04afc3e1f410b1
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-uefi-memstick.img) = 7d6c3e3ba92cdc7349cfd38c2eb2dacdb004ad304a66677e719d683d7e2bf6e5255b5288fca4640d049c7fa5228082b8c0474a2ea01cb28388b74c687fef1ca8
SHA512 (HardenedBSD-10-STABLE-v1000048.2-amd64-uefi-mini-memstick.img) = 03b21c0d1ad28f6fe59d5c9d4a54462107356b5113e327eeee70f3e0e1e1f72c524dd524227d8bc19d5c5ad1b174431261955be08d0e877bd86fbf802b8d1bfe

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmbg4IACgkQgZsRom/9
GI0nOQ/8CpFZJyG5lXLyR856BWUrdUZJpFFT7sgzdcVVb7IADPvLxH+DL4oJamNm
ndfbMJad+geek5XvMtyySGeDTTal98n7ugzdbA8ff07MnTa5cAYqJmPuF3J4ysW7
0RPseTP8oPQB+Qpe9H6Lvp8otc7iPYd0cfPg7AVFf09VQBR73Hyy5iwKH2c5gSF0
2ZLL4YaKwog3ri8604DVQ1hmH8hRSWMIvC4czbTXftuaw+8j+H18nsR202kU7Nwr
EdVskD8I22lW4TKkqtEDUIeiAeRnKp5rzQ7VjzYsGvtL9br3C6I0mKUWc8SVf0Xf
gXTJA8u9mjM1ktUoSsoqww8aDi640AERiCEAA9TTwEz5yQ0OWEZwtCqg6yjDAHvZ
s9ieoutb7H5buzrqjFALZAQrazrTv+TrqEm1ivrUGLp5+Cos/qHd9U1/KyuR6VlO
Sz39Ur/wkv5FpaEr/SuspwLK6HyEyQ6VVXroTF8iDmPALmSlEApQVXRtJ9dLdr6W
juVV5nDXBjNO/uq1BOmq2bRhaVkX6j27ZoM1b154rDTOeBFVWOSOp3u9qQ6GRcpr
t4tfe/DlTbYf/O/5I1B8ArtRtScitgfLLZFAA5lkHQiuaBhYXNNmrck5cO+ftejs
yRO91wxLrRSN2UHKY0oMSgARhOeiHTwYshLtR8lE/YlrToFHN1k=
=gTss
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1000048.2

HardenedBSD-11-STABLE-v1100048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • updated bsdgrep to 2.6.0 (2cf785f328f3ef2deff0a7d2626b8e1a81e725e7)
  • fixed possible pf DoS (f9ac1ee50cbb2e0b00a3254c9aaf012183e8aaa8)
  • fixed boundary checks in ipsec (d3f829dcedd1db79b00b6840265a0c34bc0b75a3)
  • workaround for AMD Ryzen chips (4571a19dd885caa3f20979daa951df05cb5664a2)
  • enhanced top(1) to filter on multiple usernames (964bec79a958438ada90533f5e21c31b1021cd9a)
  • updated private sqlite3-3.14.1 to sqlite3-3.20.0 (01424a180687a2ef7ed93cd10136c1648d332016)
  • updated subversion 1.9.5 -> 1.9.7 (73778e3432c90e9513caf636fb73b522690d6543)
  • fixed DoS in sshd (4268d8e71d9c42494826885f83f685b02b9353cc) [FreeBSD-SA-17:06.openssh]
  • updated libxo to 0.8.4 (24dec0b179f6eba6d055b33faf478d202bfb11ba)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-bootonly.iso) = 08d4e91cb0ec65f9cb9e42a51bc2edb91e7ef5289d84414b313a233d2664b0a03680781a0416e208f528e46fd090aa4c785ea1bf0b6018673861bbd6e890e86a
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-disc1.iso) = e28804ade774cafd0e7ef0322442df6bc062cfa5cb94161b5d148c2e94407ee393b1db8d682daf12162b8c03c428b48da4e78d59326b698c61de11de058a2068
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-memstick.img) = 2bd595b05d5ff18cb71dfd1e4c296aebbd44e43e310cf4d173a324044b74cec73bb74b43c73024c211b776efe53950563d1c54c3a28723c82f3763a1af4191fd
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-mini-memstick.img) = 02494988f613efd82f38bc0853af938b580d30e5f6b3f9a84bdd8022bfcb66d05de4e085af8373dca5d9e082084ca913efa641986a86bebbad819c1ec71b2577

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmaOrsACgkQgZsRom/9
GI0kaw/+O1+EBRg1I4mdBMzj1ypeBt0G5/6+Q9RuS+653ylJZ1TLs3Z1aMB947So
9JdiTRl3tXTc18cjvu3HlZQa65eMM6Wumk+rVt0f9zct6iVzdpv2Mn+WmAsjKw4n
pMCsKYvtusqZv0DDrX4/A1rh/LMUjdtfoBoiiijPDqNGRQTzYJXLil0E7u0LkGNm
jURWG6SgLJpl2vcowf3mS9o5HcTYusZAOYOFZ0ny6YRvZuWQa+sa4GKfvpHY+dR8
8q46fQLcRpaMpZxFjHqoJAVB0d8cPDT1Czo2dE8g7JKn5fryjhbBNJ6Rz6EP4WqY
wuWQq3NqeTC/SClx0L0XrwBSO1pWeQ7DwvTbYsidAKAaQcMWehW80DsZzPcZj2Pg
O3CDeZTDOLN/2marNcEpFmAdUDxXhoTLhns5cg+7bwjAqhR0s3TBBdAfbUhceNnY
kTKBwsznoQT1873zEvu8sJlReEjU/VT+UNP/kAuQ4s342Tr4wLuneXCURnpaCThr
9kgpNeKNFNn1k2JDbUooLZ8VWOz7r0SpqN8CBKAvCezth2SsW0YH82whOSNb3Z14
nhQlI56kN+XeKjAl730D4DtW2RFA6+T10z+oKzDbGykkDtMj6JY7oDk3TRz+eTP2
YRgyeg9uM31r0xsi0a4WDF4IOdecsQalcozVHs1gZdDIXueX0r4=
=eCVi
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v1000048.1

HardenedBSD-10-STABLE-v1000048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Changed version from 10.3 to 10.4 - as preparation to 10.4-RELEASE per upstream (054e15f186105f319d8373002c677ecce2d95883)
  • bmake update to 20170720
  • HBSD MFC: Restrict permissions on /dev/ksyms to 0400 (5cdd8540724c092c703e9473578ea21cb1473d0a) [FreeBSD-SA-Candidate]
  • Merge MAP_GUARD. (3753ee3ec3e123ae4b62be3b19aaf09bf2e2ef59) [FreeBSD-SA-Candidate, CVE-2017-1084)
  • NFS fixes
  • libarchive update to 3.3.2
  • Add newsyslog capability to write RFC5424 compliant rotation message. (26c6cd37ceae365b6aa9f3203b932d29ad2be3fb)
  • MFC r302145: bsdinstall: increase EFI partition size to 200MB (48ce3b4e3aea30b479095da20d7f04ed723e8451)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-bootonly.iso) = d4f1f2b4f9007b4cf0e50641cb86fc3799855066ecafe5bf896f5411a7450d266f1a811528ce6262dda4a63024a3d6c81e5e4482f120ba0840881e07feb8a8ab
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-disc1.iso) = ab1b008129a3c165e1ae79a964d6361cd4aea9dc6ab912d2e3626817f300830cb0faa828a4931aafcffa751d8413b523050f5ac12d6f5ffb0a057242fd070422
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-memstick.img) = b85691c6bf31cc211801575f9ad4936fc7f4600d1a193267b1a4b4878c163b661c5ec32c9e036c752e00f712903a6a0c97b43c34debb1b8fe484d6f01b52a0ff
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-mini-memstick.img) = e178cece948740c23c5894622e2a995179875011aa607447073d645989c2382adcc61d12fc2e8d5f506e36839660babde027aa7f4ed660bed671fc856caefcc9
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-bootonly.iso) = f78a4c2ddb262458f40a83d5735b6bbb5a85c0ece5906ec9185bdcce32d41632f5e158c2529c3d62748fe59a57097d66d1f58de90a65cd0aec69120a077c1c59
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-disc1.iso) = 44f4da7c72bc51f9599cf7cbc158ddcb395df83ad59a610c50663222019b00f8cf7ea0c1fa76e4802d99b13917e4e4bca2533543cd3f26821a4b85f99fd8ad82
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-memstick.img) = 48f6143b9feb2be99642a04318b3ad2109f3443d39e40469cc71e997562b20373d907fcf179da741b39afc41f0f49eb6cd6192d381c98420fc8a4c9404303158
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-mini-memstick.img) = c27696bb133ab801e5308665c83db85c56d7ed9ed02e14beae26b795b0f519ec9dbc435d3b6486eb487456f4eb5ffc06b2a349451ed3a2a0745ac3dff3383b32

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmDyJkACgkQgZsRom/9
GI3WoQ//WC6e0VabjAoPu0im2AuICUnoa+vMAE3NcqZisact/TfCiTHNhQ//KYMU
+ZeTrQ+dJ1ktpj8/Z8kHeF6Y8qIAlvs4Z55lPUxgfLfntvW7+E8KW5Vr4Hx6EH9f
RhmYmcCBioghIWRprQ64dlqPEz4oE/xCt5wEC9IiPc+iejI1IpMwCbjGx89kdHqV
fL9CmV4sVDttWei2kvwlHhlyrJWcpIq5MYWnuQEVt3R9iyrpMEWdSSpubTVUnBjJ
1RxYQq9jVntPmrAdHsvUnrr1DqlOVWgAQr1G5uqYzADNjBlZ1wPlfJzbOgwAAvlK
z6oJ07NFcSYeXabNTLkrNb8qDPLQLfFsPE9/lhZn9tcmQ+OUYLOXRTtBJHNndvhX
O0tEdYn9XkTEdIOKkgbl4UF/sjgJJ8iq/kjrTWzAfejdeaM/ovcVR0xTNXP2Zbyk
xXDVRhgrQDGiLmIClgvzd7ptXXFuR/i2qhY5xe3e/iOVbwIPzlqdzlgehtrWEzz1
jRRajL0hxO7Vghw4jImfKD0vNaPZMXEnQGkx5mZgbJ/CpbZJoh0To2qiEgPwkUDa
aTjw5aVrzEaCp6BVl5eQG8cnxIzdiOgvArH7vYHxjIAsoxoyJ0BjijvM4by/DafP
jOrYAkGJ4I6K6bUQPXlnMAeBrlGIAtBTHJVMwcq8KgaHeOAcMe0=
=K2/O
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1000048.1

HardenedBSD-11-STABLE-v1100048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Restrict permissions on /dev/ksyms to 0400. (0781c590d2a5138c4c4ba5c214a6f4dbffa25f85) [FreeBSD-SA-Candidate]
  • ZFS updates
  • Add virtio-console support to bhyve (eaaa8cd970f11a0785780896a3e106958bd87fe7)
  • Update to libarchive 3.3.2

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-bootonly.iso) = c487f5693e2fac4d722a6cf72084e7fca243ef1864bfa9966c3a3e1fe621c0a92e6496bdf06845b3a6ab66e087df061701f9bc4f00921481ae45e328b026ef17
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-disc1.iso) = 12dc23a7b121b83c5fdcde13eb75456b7d0ab1c47d7591346771ca37533415cebae81c0245a51afe467a9fcb1a342781823a3cf6e971d13fb050b511a835da4a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-memstick.img) = 28f7d76b8e3ed76a46bd3d1378074171173d0504f8a20cea87d22380a6c4d0e2713f7d20cbe58d5a97632eaabe395b393d4b85dd9d5f29835d85f5fba3e5eb9a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-mini-memstick.img) = b4c48c49ff4ce4b1ff40f92ce977699ed03e59eff633d20e9fd81712d2980d91edd65665b190d990f109937a0676a3489aa9c3de9044405781b6af5ff5acee76

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmBLeoACgkQgZsRom/9
GI1HRg/9FRZb0k5hO63oKoVpUL1Qq0lCx7A9tLRwklDAR7uyIPlJNgZFuLMCThOo
AvJYRQ/gmpIVagTTjAZJL4lr786eBX3SxAy/dqxa3DtTgxqoVNHiIZD82WVhkVAr
Ih4U3W4b8RzTRneEjJaSxNlXgwcY8Nitxl6LQMojPOmo+/pBE5FqvkaHC3vMQOZB
RjoubIA6S/fYBxf0Hsdx/ZKpR3FJdsYB345ANSavmQx+y2rcZ3/cUYEPn3dJKy3I
oQVmYS1IzRJFtdcLXUMOqV6y1BGvQoyRvdggr7N3akmxGBFOYTseLzED8F6CipgT
Jwk0sLKuwNtMbHQ0Dpnrk79rJowcoOuj9l6AeTMDyLxrY1NKuqBPL19y5zxZsLhK
u7P9uufgbKG8oty2g/2DOrIODxBETtiPvvvnGLmvb3hL/67VSBEa3wNJ1OnDR8+Q
XD2026MAFPpdJn9olMQFxNp4YT5PvU2TKT6kGdOe8D9vznGjwevrKsi2IL/tojnf
lHoKyC+N3FzGae59q3B8HzNF97sIV0Yx9cPDoSE0QQRMDFAcrsgv1YnGgBeOqP12
RvmOH8PgnGX41JaD5iAZoUUhpGhjehk6/7l33l04k9y+gTaQ9tQRq9gGJ4thNXjn
PJJ7uoMGRZG6W18K+MlNnyLdtYQnao7UPoZuG5asb75op3ha1mY=
=O8kk
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS