New stable version: HardenedBSD-stable 11-STABLE v46.3

HardenedBSD-11-STABLE-v46.3 -

Installer images:

Image checksums:
SHA512 (HardenedBSD-11-STABLE-v46.3-amd64-bootonly.iso) = 68e96fa070b51bfa6446640a24cf9d9fc154496de9d4348c844e94dc5e411cd7f96cf22d7030bd00baf8665875117ff61f73b9d571025cf98b7d348dfc475994
SHA512 (HardenedBSD-11-STABLE-v46.3-amd64-disc1.iso) = 9871f10d88fa3c488a18c764e97940ed663fc4ac308443a1e18f2098093f5ff5a5099d78f948897316ffe9fbe599d011aa6afc8558c61f217b4c3b571beace3d
SHA512 (HardenedBSD-11-STABLE-v46.3-amd64-memstick.img) = cdb9736bf8a33a8b2ca26c8b70b8cfbd22d050d091b54470764c6c2e41f679ab65f1d14cebc78e7b0646346c36c5e2882ad40b4230ce7b77980d7cf9f6a6559a
SHA512 (HardenedBSD-11-STABLE-v46.3-amd64-mini-memstick.img) = d3aa281947e1a692676fd0afaff0b673edd9f65625e37dbb7bcbaaddd842648410806911e19b0ea1ddd2a871bdfe65f3f46d05b8f911fe306c37e392075f4c43

New stable release: HardenedBSD-stable 10-STABLE v46.11

HardenedBSD-10-STABLE-v46.11 -

* cron username handling fix (6da7f85) [FreeBSD SA candidate]

Installer images:

Image checksums:
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-bootonly.iso) = 1655afce770b77b924440a39ee3472546bebdea87ea0288816ce5d057e65575691d77d059d82c4cd2121f699462726f20bc6781ffe92e42316aad8b86fb67bc0
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-disc1.iso) = 0f3cc560cf7bec853ea5515a6799997aa68a0ed53d1653602be56eaafe7056a7a583a92fb4a75c95fe5ef60eb5a7d6204c36aa2526b11606cc420cec520a31ff
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-memstick.img) = 61febc5845f56864851cccaf179d6087d4c88c5ceb5a3ed0d77668fbe6f8533c6f2341522e14dc62a38d959eeec15f1c85411b437f020faa3a7fdca5f4c4b7fc
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-mini-memstick.img) = a54cb81dba74a97f11f0faa24bde416101c4e9d267fc36f08e80a265a1282cc8dda37374706d645943fe71f6710f60a280bf62db21815949599d5d97e68ca03a
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-uefi-bootonly.iso) = 95905c1d8fcbefec57c24f7d7c3181b4e3958c57e281ffcfd26fb38f7b952e21e4c93e28c7d42ce0fd6548c978479674de8af7efd8a7d29aa48c6e3e7c128c89
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-uefi-disc1.iso) = dad2a2e9ebbd2f7271a03edc788867cf32c584d53f8ec5df9ec116b3bf109300e8bcea137363b8095599517f8dc044275842aa8a4ea07e20693e70db6b157d8d
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-uefi-memstick.img) = 1253829cefa880b7e80f6213781ac1d20f820666c912b926779dae33d10d40ebb2429b0eeeafab69ac254689788d5ebf11ba40aeb5ee4b57999487e46eebe1f0
SHA512 (HardenedBSD-10-STABLE-v46.11-amd64-uefi-mini-memstick.img) = 4814bf61bf60acfe248f0f23ce7787b4d187ecfa0bf66dc5b55deaa2f06baeb43067a018f2fb7436bce667b92679dab655f1a8c280478b7eeff885ef2fc96e9b

New stable release: HardenedBSD-stable 10-STABLE v46.10

HardenedBSD-10-STABLE-v46.10 -

* libarchive update (2e9dcc4) [FreeBSD SA candidate]
* sqlite update (06b3d2e) [FreeBSD SA candidate]


SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-bootonly.iso) = 837af90b200d18ac1638e35f3f2af6fdd6736af0d8c810b55eeaee34f9a395d9245776e15eb898a8a75d82ba4f8d884d4ba83d5b6ace4d12089b60d1e595374d
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-disc1.iso) = ff5c5880a00531ed280b94c194e63bdd7eaea3477a43ee2532e0967efe9c87c5f3c237311cc86c5733d399e5ff8fbfaa0092edd3ed06eb166f13784c75987d4b
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-memstick.img) = 72e601ab0a24e3bf53940183aeccc96ae3115d9e5cec9291afdd700937a5c66478b02eb30a3d88f2ff66425f68e9b6edadbd6c9fbe1cfb327da1f9a65d43cd0e
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-mini-memstick.img) = fdaab7cf0b9c929c6b8c0f5dcbb3a6dcab0ae4616b2d087dc51a2aec7794ab1b48f7ca634141dcbc657c9fe86828a2472abd572418c5ddfd2a7bdcaeccdb97c5
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-uefi-bootonly.iso) = 2893c8ec4f2a6fc3cd038ca8da5dc064f55cb85c23ed138a8f325e1c5f48637bf44ad38708de6c81035cf65a770e36c109c9744bf601e966e56a971bfce55606
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-uefi-disc1.iso) = 355ba1abe8bcb9020543d2359a19cb6c2873aabb9e103c48c2c5005d2786da20ae0e0d228ae1624cf1195c07fae7be601863d0b3f91f4509aa2ec28375ca8ab7
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-uefi-memstick.img) = e936a1146bfaeb2d5eb4ce7280beaba91713867b72966fe06b6a6e4ce6d0a724f116c66d1880a915c5247afa99847863c5d96aecbbbeb16315febdc314987c58
SHA512 (HardenedBSD-10-STABLE-v46.10-amd64-uefi-mini-memstick.img) = 028bc08f064ff9d0651d52ca6bf80b5c4ce801f13ff634fae4a696388d0e7f7bd510f25f2d488a0cf919a76682efe2a9433ef562b20761eec030e938104be722

New stable version: HardenedBSD-stable 11-STABLE v46.2

HardenedBSD-11-STABLE-v46.2 -

Git repo:

libarchive update (CVE fixes, FreeBSD SA candidate)
sqlite update (CVE fixes, FreeBSD SA candidate)

LibreSSL Enabled By Default

Bernard Spil has done a wonderful job in importing and maintaining LibreSSL for HardenedBSD. LibreSSL in base has undergone thorough testing over a period of multiple months. We use LibreSSL in our infrastructure. When we publish our first official release, HardenedBSD 11.0-RELEASE, LibreSSL will be the default.

We have now enabled LibreSSL by default in the hardened/current/master branch. We have started a new package build with LibreSSL enabled for that branch. We are also building binary updates that will get pushed out within the next six to eight hours.

New stable version: HardenedBSD-stable 10-STABLE v46.8

HardenedBSD-10-STABLE-v46.8 -

* bhyve updates
* kaby lake support for e1000
* zfs fixes
* uipc related kernel panic fixes (d36bc76, e19f452)
* rlimits related kernel panic fix (7894a6b)
* enabled kyua test builds by default
* libarchive fixes (97563c8, fad0147)
* hbsd-update updates

PIE, RELRO, and BIND_NOW for ports

We have now enabled PIE, RELRO, and BIND_NOW for the whole ports tree. This is a huge leap forwards for HardenedBSD. We now have all of base compiled with PIE + RELRO + BIND_NOW, and now a good portion of ports as well. A good portion of ports should work with PIE, RELRO, and BIND_NOW. In those cases where ports won't compile or run with PIE, check for NOPIE. In those cases where ports won't compile or run with RELRO + BIND_NOW, check for NORELRO. Please note that some ports ignore custom CFLAGS/CXXFLAGS/LDFLAGS and as such will not compile with PIE + RELRO + BIND_NOW enabled.

PIE and RELRO + BIND_NOW are disabled by default for ports that have either kmod or fortran USES flags. Kernel modules cannot be compiled with PIE, RELRO, and BIND_NOW. More research is needed for the fortran ports.

If PIE is disabled by default for a port, but the port maintainer wants to force PIE to be enabled by default, the port maintainer can set EXPLICIT_PIE. The same logic applies for RELRO + BIND_NOW, but with EXPLICIT_RELRO.

A follow-up commit has been made to explicitly disable PIE or RELRO + BIND_NOW for a number of ports. Out of roughly 26,000 ports, only around 400 failed to compile due to PIE or RELRO + BIND_NOW.

Given that there's over 26,100 ports in the tree, HardenedBSD will need to rely on its ever-growing community for runtime testing. Simply compiling an application does not mean that the application will run successfully. As an example, xorg will compile fine with RELRO + BIND_NOW, but due to how it integrates with modules during runtime, it will break. xorg still runs fine with PIE, however.

If you experience issues with a port or package, please file a bug report here.

Vulnerability Update: libarchive

Around three months ago, a post was published (mirror) on GitHub's Gist service. In the report, multiple vulnerabilities against portsnap, freebsd-update, bspatch, and libarchive were detailed. To this date, FreeBSD has been silent on official mailing lists. However, Allan Jude talked very briefly about it on BSDNow. FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, and libarchive vulnerabilities.

Shortly after HardenedBSD was made aware of the vulnerabilities, Shawn Webb researched how HardenedBSD was affected. Since HardenedBSD has disabled portsnap and freebsd-update by default, HardenedBSD is not vulnerable to the portsnap and freebsd-update vulnerabilities. HardenedBSD does not have supporting infrastructure for portsnap or freebsd-update. The report detailed four vulnerabilities in libarchive, two of which were fixed with FreeBSD's import of libarchive 3.2.1. The other two were fixed by HardenedBSD commits acc5eaecbe4970cfb96d9549fe7dc8ceb4676557 and 6a6ac73ae630927b2dd996df3cd85c8c612c459c. The second commit has potential for fall-out, so additional testing is being performed.

For binary updates to base, HardenedBSD relies on a tool called hbsd-update, which is enabled by default in base. hbsd-update was affected. hbsd-update updates come in a single tarball that contains multiple file within it. Prior to the series of commits fixing hbsd-update, the outer tarball was not validated prior to extraction. Only the inner files were validated by enforcing digital signatures. The libarchive vulnerabilities could allow a malicious third-party to distribute update archives that could place arbitrary files on the filesystem. To address this issue, the hash of the current hbsd-update is published as part of the DNS TXT record. HardenedBSD's DNS entries are signed with DNSSEC, which hbsd-update now verifies. By utilizing DNSSEC, hbsd-update can ensure that not only the version information is valid, but also the hash of the update archive--effectively turning the DNS TXT record into a digital signature for the outer file. Those who publish their own binary updates using hbsd-update-build are advised to do the same.

Due to the new DNSSEC validation feature in hbsd-update, the unbound-host application has been wired into the base build. FreeBSD includes the code for unbound-host; however, it is not wired into the build. Additionally, we now install the DNSSEC root key 257 as part of the hbsd-update trust store. Since DNSSEC key material is routinely rotated, we will maintain the DNSSEC root key pinning in the trust store long-term.

Once FreeBSD has fixed the issues surrounding libarchive, we at HardenedBSD will evaluate using their fixes. We hope FreeBSD will communicate with their community soon regarding the already-public vulnerabilities.


Subscribe to HardenedBSD RSS