Entropy Gathering Enhancements

At vBSDCon 2017, W. Dean Freeman and John-Mark Gurney gave a presentation entitled "A Deep Dive into FreeBSD's Kernel RNG." In the course of preparing for the presentation, a number of bugs and non-optimizations were discovered. These included:

  • After the code was refactored to make room for Fortuna, the code path for mixing entropy gathered from so-called "PURE" sources, such as the RDRAND instruction on Intel chips, was broken: a new check tested a bit in the harvest mask, but that bit could not actually be set.
  • In the random_harvest_queue code path, followed by the majority of entropy sources, entire "harvest_event" structures were being hashed, causing very low min-entropy measurement values when following the non-IID track for entropy source evaluation described in NIST SP800-90B Draft 2.
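
To illustrate the second item, here is an added example (not code from the presentation, HardenedBSD or FreeBSD) that applies a most-common-value min-entropy estimate, one of the estimators on the SP 800-90B non-IID track, to constructed event records. The record layout, the field names and the SHA-256-derived stand-in for a noise source are assumptions made for the illustration.

```python
import hashlib
import math
import struct
from collections import Counter

Z_99 = 2.576  # z-score for the upper 99% confidence bound


def mcv_min_entropy(samples: bytes) -> float:
    """Most-common-value estimate: bits of min-entropy per 8-bit sample."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = max(Counter(samples).values()) / n
    p_upper = min(1.0, p_hat + Z_99 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return max(0.0, -math.log2(p_upper))


def constructed_noise(count: int, width: int = 2) -> list:
    """Constructed stand-in for a noise source: SHA-256 in counter mode.

    Deterministic, so it is NOT real entropy; it only provides a flat byte
    histogram so the effect of the surrounding record fields is visible.
    """
    return [
        hashlib.sha256(b"constructed-sample" + struct.pack("<I", i)).digest()[:width]
        for i in range(count)
    ]


# Hypothetical event record (an assumption, not the kernel's definition):
# counter, fixed 8-byte payload buffer (zero padded), payload size,
# destination pool, source id.
EVENT_FORMAT = "<I8sBBB"
SOURCE_ID = 7   # hypothetical constant source identifier
POOLS = 32      # hypothetical number of destination pools


def pack_event(counter: int, payload: bytes) -> bytes:
    """Serialise one record; struct pads the short payload with NUL bytes."""
    return struct.pack(EVENT_FORMAT, counter, payload, len(payload),
                       counter % POOLS, SOURCE_ID)


def compare(events: int = 2000) -> dict:
    """Estimate per-byte min-entropy of whole records versus payload bytes only."""
    payloads = constructed_noise(events)
    whole = b"".join(pack_event(i, p) for i, p in enumerate(payloads))
    payload_only = b"".join(payloads)
    return {
        "record_size": struct.calcsize(EVENT_FORMAT),
        "whole_record_bits_per_byte": mcv_min_entropy(whole),
        "payload_only_bits_per_byte": mcv_min_entropy(payload_only),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3f}")
```

Padding, length and identifier fields make the zero byte the most common sample in the whole-record stream, so the estimate collapses to under one bit per byte even though the payload bytes themselves score well.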

Working with the HardenedBSD team, these issues have been addressed by W. Dean Freeman and reviewed by John-Mark Gurney in 12-CURRENT. Patches will be made available upstream so that FreeBSD can benefit from both the bug fixes related to pure entropy sources and the boost in min-entropy. Additionally, a BSD-licensed userland daemon similar to that found in the GPLv2-licensed rng-tools package has been developed, which allows crypto officers to easily use USB-attached TRNGs to increase the entropy fed into the kernel PRNG.

Future work related to this will include importing the NIST_CTR_DRBG module from NetBSD into HardenedBSD and performing a FIPS 140-2 gap analysis against available kernel cryptographic modules to see what additional work needs to be done in order to provide a BSD-based alternative to Linux in the government sphere.

Stable release: HardenedBSD-stable 11-STABLE v1100050

HardenedBSD-11-STABLE-v1100050 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: pull in upstream fix for pwait hang when watching its own pid (09401513dde5740de4b088e39333d8011f210786)
  • Removed HARDEN_RANDOMPID kernel knob
  • HBSD: rework MAP_GUARD footshooting prevention (c694b8039615f1e4e59ef299ea36d6aa93a13269)
  • HBSD: Enable EARLY_AP_STARTUP kernel config option - fixes Xen boot issues (b179d012d10d53a6331ff74e8485bc280c254f40)
  • MFV r320195: bhyveload: correctly query size of disks (2239cf6be006a2c35505c12569689f845fa3da2b)
  • HBSD: merged back LibreSSL 2.5.5 and enabled by default in 11-STABLE (37565403fa31bc816a59893dc50598e242801371) (with a lot of commits from Bernard)
  • Add sysctls for ZFS ARC shrinking and growing values (d991ae815445d3666cddf457fe576ecdbb07a013)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

HardenedBSD 11-STABLE Now Ships With LibreSSL

HardenedBSD 11-STABLE has now migrated to LibreSSL as the default cryptography library in base. We've already published a binary update for you hbsd-update users.

The 11-STABLE package repo was taken offline until it could be freshly rebuilt. The rebuild process has been completed and the repo is back online. You will, of course, need to update base before updating packages.

Because of the severity of this type of change, you will need to reinstall all the packages on your system.

Instructions for reinstalling packages:

1. If you use secadm: secadm flush
2. pkg-static clean -y
3. pkg-static upgrade -f
4. If you use secadm: service secadm start

Stable release: HardenedBSD-stable 10-STABLE v1000049

HardenedBSD-10-STABLE-v1000049 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: Update DNSSEC root key 257 (d51b7839b2dcab876f28f411885396344f1dc360)
  • MFC r322677: pw usermod: handle empty secondary group lists (-G '') (9cbb330f2197dd7d1108f4ce49def97e3b3b22e0) [FreeBSD-SA-Candidate]
  • MFC r322678: pw useradd: Validate the user name before creating the entry (73846ec2976bad87e4e8059d5b0264b3b6827e02) [FreeBSD-SA-Candidate]
  • MFC: r321293 date: avoid crash on invalid time (d014d3453df98ac0a22f7a78147ae516fd5847f8) [FreeBSD-SA-Candidate]
  • MFC r323278: Fix an incorrectly used conditional causing buffer overflow. (cec050ba26dc8cd492c6c67a1ee9cc237129c281) [CVE-2017-1000249]
  • HBSD: constify pax_elf()'s mode parameter (a660c9522a293e4801c3c0ca0a6e2c714cf24350)
  • HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL (d4a5dab0a48488c2e2a4f2aeb8c6ff7bb517c989)
  • HBSD: API change, swap the first and second argument of pax_elf (2135308c19bae799fd30b8918c4f1911bd78e75d)
  • HBSD: update mirror list in bsdinstall
  • HBSD: print out the __{Hardened,Free}BSD_version and version at panic time (0a7d696ae6ef71ea624ac6879e2943945b81669b)
  • HBSD: improve logging - hide early hardenedbsd related boot messages under bootverbose
  • Upgrade OpenSSH to 7.3p1. (b3ef7b369b144d0f58083c3965742583f3ab7190) [FreeBSD-SA-Candidate]
  • HBSD MFC: r319365, r321670 Merge ACPICA 20170728.
  • HBSD: disable coredump helper for devctl (389bdb5b707bd9702d6086be918b4df59a9a4372)
  • HBSD MFC: Stop masking FSGSBASE and SMEP features under monitors.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v1100049

HardenedBSD-11-STABLE-v1100049 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • fsgs base changes in kernel and in libc (43f99b9f1cc2c625779e087ba4866d7c496d5b7b, b1a7a7418e73251aad628dc4f9418e550a9fd3d7)
  • reworked vlan locking (a62278e0d2b2f8b2d860fb689490dc1b6d11eb33)
  • HBSD: Update DNSSEC root key 257 (548eb60819e04c5d06671a95f5a7082e194fb7d4)
  • HBSD MFC: Fix information leak in geli(8) integrity mode (9344d69cc4c04c6555d9684976f57e8387354cf5) [FreeBSD-SA-Candidate]
  • MFC r323278: Fix an incorrectly used conditional causing buffer overflow in readelf [CVE-2017-1000249]
  • Fix possible double releasing for SA reference in IPSec. (3bf892e2d5f50a11384e8bf9fb7c14db1bfc0d26) [FreeBSD-SA-Candidate]
  • HBSD: constify pax_elf()'s mode parameter
  • HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL
  • HBSD: Bump __HardenedBSD_version after API change
  • HBSD: API change, swap the first and second argument of pax_elf
  • HBSD: update mirror list in bsdinstall
  • HBSD: print out the __{Hardened,Free}BSD_version and version at panic time
  • HBSD: improve logging - hide early hbsd related boot messages under bootverbose
  • MFH (r322052): Upgrade OpenSSH to 7.5p1 (7e3dcea1a1c17915cbd33fd8fcec2b5530f8d3d1)
  • MFC r322590: bpf: Fix incorrect cleanup
  • MFC r322750: Fix the regression in ipsec introduced in r275710. (4e0ff7d0a944d10581e904bc3057524ce7071e30)
  • MFC r322677: pw usermod: Properly deal with empty secondary group lists (-G '') (75c367731c924e73c5bd87ab4b974c42917990d8) [FreeBSD-EN-Candidate]
  • Merge ACPICA 20170728. (1c5a17e1a7dd5063e58cee0a717989c5ce609bdc)
  • Plug uninitialized stack variable leak in sendfile(2). (d51b637e3144fab948a4d9a7bb312a2930e3d157)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 10-STABLE v1000048.2

HardenedBSD-10-STABLE-v1000048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • hyperv/hn: Implemented transparent mode network VF (ca9be1048e1114e0e543779418164a706bcbc1ca)
  • plugged memory leak in arge_encap (d79c06e0f7634d387815823261c842b0cc7f3cc5)
  • based on freebsd/stable/10 from 10.4-BETA1 state
  • fixed sshd DoS (74fc8942a90af0a3150be3420f9ad6815b98e6c2) [FreeBSD-SA-17:06.openssh]
  • updated bmake to 20170720
  • fixed UFS snapshot handling

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v1000048.2

HardenedBSD-11-STABLE-v1100048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • updated bsdgrep to 2.6.0 (2cf785f328f3ef2deff0a7d2626b8e1a81e725e7)
  • fixed possible pf DoS (f9ac1ee50cbb2e0b00a3254c9aaf012183e8aaa8)
  • fixed boundary checks in ipsec (d3f829dcedd1db79b00b6840265a0c34bc0b75a3)
  • workaround for AMD Ryzen chips (4571a19dd885caa3f20979daa951df05cb5664a2)
  • enhanced top(1) to filter on multiple usernames (964bec79a958438ada90533f5e21c31b1021cd9a)
  • updated private sqlite3-3.14.1 to sqlite3-3.20.0 (01424a180687a2ef7ed93cd10136c1648d332016)
  • updated subversion 1.9.5 -> 1.9.7 (73778e3432c90e9513caf636fb73b522690d6543)
  • fixed DoS in sshd (4268d8e71d9c42494826885f83f685b02b9353cc) [FreeBSD-SA-17:06.openssh]
  • updated libxo to 0.8.4 (24dec0b179f6eba6d055b33faf478d202bfb11ba)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 10-STABLE v1000048.1

HardenedBSD-10-STABLE-v1000048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Changed version from 10.3 to 10.4 - as preparation to 10.4-RELEASE per upstream (054e15f186105f319d8373002c677ecce2d95883)
  • bmake update to 20170720
  • HBSD MFC: Restrict permissions on /dev/ksyms to 0400 (5cdd8540724c092c703e9473578ea21cb1473d0a) [FreeBSD-SA-Candidate]
  • Merge MAP_GUARD. (3753ee3ec3e123ae4b62be3b19aaf09bf2e2ef59) [FreeBSD-SA-Candidate, CVE-2017-1084]
  • NFS fixes
  • libarchive update to 3.3.2
  • Add newsyslog capability to write RFC5424 compliant rotation message. (26c6cd37ceae365b6aa9f3203b932d29ad2be3fb)
  • MFC r302145: bsdinstall: increase EFI partition size to 200MB (48ce3b4e3aea30b479095da20d7f04ed723e8451)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v1000048.1

HardenedBSD-11-STABLE-v1100048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Restrict permissions on /dev/ksyms to 0400. (0781c590d2a5138c4c4ba5c214a6f4dbffa25f85) [FreeBSD-SA-Candidate]
  • ZFS updates
  • Add virtio-console support to bhyve (eaaa8cd970f11a0785780896a3e106958bd87fe7)
  • Update to libarchive 3.3.2

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v1100048

HardenedBSD-11-STABLE-v1100048 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: enforce FreeBSD and HardenedBSD KPI version for external modules (19eb04fc68f294072f1535a6e1145062e85ae946)
  • MFC r320906: MFV r320905: Import Heimdal upstream fix for CVE-2017-11103. (b47deba89752334874e76436e1b7ec2f448ad78e) [FreeBSD-SA-17:05.heimdal]
  • Improved hbsd-update and hbsd-update-build
  • Improved NFSv4
  • Added Elastic Network Adapter (ENA) HAL
  • Added MAP_GUARD as solution against StackClash (c3699e91289a5a02b0c16eec22ee4d6ad7d9602e) [CVE-2017-1084]
  • *** [CVE-2017-1083]
  • Add VNC Authentication support for bhyve based on RFC6143 section 7.2.2. (3ea3addc7b1d8a1fd59b52570db518b77505c78d)
  • HBSD: fix broken pax_mprotect transitions (1904c844a0957f44efc638721cfc8b37a8311b42)
  • opBSD: plug the last memory protection test in paxtest (8341b1d91a6f3b470a008e17493973f0ed4d4d6a)
  • HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (b2d080f97546b2fea0a214de8187e8b08f11d7f2)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:
