Stable release: HardenedBSD-stable 11-STABLE v1000048.2

Submitted by op on

HardenedBSD-11-STABLE-v1100048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • updated bsdgrep to 2.6.0 (2cf785f328f3ef2deff0a7d2626b8e1a81e725e7)
  • fixed possible pf DoS (f9ac1ee50cbb2e0b00a3254c9aaf012183e8aaa8)
  • fixed boundary checks in ipsec (d3f829dcedd1db79b00b6840265a0c34bc0b75a3)
  • workaround for AMD Ryzen chips (4571a19dd885caa3f20979daa951df05cb5664a2)
  • enhanced top(1) to filter on multiple usernames (964bec79a958438ada90533f5e21c31b1021cd9a)
  • updated private sqlite3-3.14.1 to sqlite3-3.20.0 (01424a180687a2ef7ed93cd10136c1648d332016)
  • updated subversion 1.9.5 -> 1.9.7 (73778e3432c90e9513caf636fb73b522690d6543)
  • fixed DoS in sshd (4268d8e71d9c42494826885f83f685b02b9353cc) [FreeBSD-SA-17:06.openssh]
  • updated libxo to 0.8.4 (24dec0b179f6eba6d055b33faf478d202bfb11ba)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-bootonly.iso) = 08d4e91cb0ec65f9cb9e42a51bc2edb91e7ef5289d84414b313a233d2664b0a03680781a0416e208f528e46fd090aa4c785ea1bf0b6018673861bbd6e890e86a
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-disc1.iso) = e28804ade774cafd0e7ef0322442df6bc062cfa5cb94161b5d148c2e94407ee393b1db8d682daf12162b8c03c428b48da4e78d59326b698c61de11de058a2068
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-memstick.img) = 2bd595b05d5ff18cb71dfd1e4c296aebbd44e43e310cf4d173a324044b74cec73bb74b43c73024c211b776efe53950563d1c54c3a28723c82f3763a1af4191fd
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-mini-memstick.img) = 02494988f613efd82f38bc0853af938b580d30e5f6b3f9a84bdd8022bfcb66d05de4e085af8373dca5d9e082084ca913efa641986a86bebbad819c1ec71b2577

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmaOrsACgkQgZsRom/9
GI0kaw/+O1+EBRg1I4mdBMzj1ypeBt0G5/6+Q9RuS+653ylJZ1TLs3Z1aMB947So
9JdiTRl3tXTc18cjvu3HlZQa65eMM6Wumk+rVt0f9zct6iVzdpv2Mn+WmAsjKw4n
pMCsKYvtusqZv0DDrX4/A1rh/LMUjdtfoBoiiijPDqNGRQTzYJXLil0E7u0LkGNm
jURWG6SgLJpl2vcowf3mS9o5HcTYusZAOYOFZ0ny6YRvZuWQa+sa4GKfvpHY+dR8
8q46fQLcRpaMpZxFjHqoJAVB0d8cPDT1Czo2dE8g7JKn5fryjhbBNJ6Rz6EP4WqY
wuWQq3NqeTC/SClx0L0XrwBSO1pWeQ7DwvTbYsidAKAaQcMWehW80DsZzPcZj2Pg
O3CDeZTDOLN/2marNcEpFmAdUDxXhoTLhns5cg+7bwjAqhR0s3TBBdAfbUhceNnY
kTKBwsznoQT1873zEvu8sJlReEjU/VT+UNP/kAuQ4s342Tr4wLuneXCURnpaCThr
9kgpNeKNFNn1k2JDbUooLZ8VWOz7r0SpqN8CBKAvCezth2SsW0YH82whOSNb3Z14
nhQlI56kN+XeKjAl730D4DtW2RFA6+T10z+oKzDbGykkDtMj6JY7oDk3TRz+eTP2
YRgyeg9uM31r0xsi0a4WDF4IOdecsQalcozVHs1gZdDIXueX0r4=
=eCVi
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v1000048.1

Submitted by op on

HardenedBSD-10-STABLE-v1000048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Changed version from 10.3 to 10.4 - as preparation to 10.4-RELEASE per upstream (054e15f186105f319d8373002c677ecce2d95883)
  • bmake update to 20170720
  • HBSD MFC: Restrict permissions on /dev/ksyms to 0400 (5cdd8540724c092c703e9473578ea21cb1473d0a) [FreeBSD-SA-Candidate]
  • Merge MAP_GUARD. (3753ee3ec3e123ae4b62be3b19aaf09bf2e2ef59) [FreeBSD-SA-Candidate, CVE-2017-1084)
  • NFS fixes
  • libarchive update to 3.3.2
  • Add newsyslog capability to write RFC5424 compliant rotation message. (26c6cd37ceae365b6aa9f3203b932d29ad2be3fb)
  • MFC r302145: bsdinstall: increase EFI partition size to 200MB (48ce3b4e3aea30b479095da20d7f04ed723e8451)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-bootonly.iso) = d4f1f2b4f9007b4cf0e50641cb86fc3799855066ecafe5bf896f5411a7450d266f1a811528ce6262dda4a63024a3d6c81e5e4482f120ba0840881e07feb8a8ab
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-disc1.iso) = ab1b008129a3c165e1ae79a964d6361cd4aea9dc6ab912d2e3626817f300830cb0faa828a4931aafcffa751d8413b523050f5ac12d6f5ffb0a057242fd070422
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-memstick.img) = b85691c6bf31cc211801575f9ad4936fc7f4600d1a193267b1a4b4878c163b661c5ec32c9e036c752e00f712903a6a0c97b43c34debb1b8fe484d6f01b52a0ff
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-mini-memstick.img) = e178cece948740c23c5894622e2a995179875011aa607447073d645989c2382adcc61d12fc2e8d5f506e36839660babde027aa7f4ed660bed671fc856caefcc9
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-bootonly.iso) = f78a4c2ddb262458f40a83d5735b6bbb5a85c0ece5906ec9185bdcce32d41632f5e158c2529c3d62748fe59a57097d66d1f58de90a65cd0aec69120a077c1c59
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-disc1.iso) = 44f4da7c72bc51f9599cf7cbc158ddcb395df83ad59a610c50663222019b00f8cf7ea0c1fa76e4802d99b13917e4e4bca2533543cd3f26821a4b85f99fd8ad82
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-memstick.img) = 48f6143b9feb2be99642a04318b3ad2109f3443d39e40469cc71e997562b20373d907fcf179da741b39afc41f0f49eb6cd6192d381c98420fc8a4c9404303158
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-mini-memstick.img) = c27696bb133ab801e5308665c83db85c56d7ed9ed02e14beae26b795b0f519ec9dbc435d3b6486eb487456f4eb5ffc06b2a349451ed3a2a0745ac3dff3383b32

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmDyJkACgkQgZsRom/9
GI3WoQ//WC6e0VabjAoPu0im2AuICUnoa+vMAE3NcqZisact/TfCiTHNhQ//KYMU
+ZeTrQ+dJ1ktpj8/Z8kHeF6Y8qIAlvs4Z55lPUxgfLfntvW7+E8KW5Vr4Hx6EH9f
RhmYmcCBioghIWRprQ64dlqPEz4oE/xCt5wEC9IiPc+iejI1IpMwCbjGx89kdHqV
fL9CmV4sVDttWei2kvwlHhlyrJWcpIq5MYWnuQEVt3R9iyrpMEWdSSpubTVUnBjJ
1RxYQq9jVntPmrAdHsvUnrr1DqlOVWgAQr1G5uqYzADNjBlZ1wPlfJzbOgwAAvlK
z6oJ07NFcSYeXabNTLkrNb8qDPLQLfFsPE9/lhZn9tcmQ+OUYLOXRTtBJHNndvhX
O0tEdYn9XkTEdIOKkgbl4UF/sjgJJ8iq/kjrTWzAfejdeaM/ovcVR0xTNXP2Zbyk
xXDVRhgrQDGiLmIClgvzd7ptXXFuR/i2qhY5xe3e/iOVbwIPzlqdzlgehtrWEzz1
jRRajL0hxO7Vghw4jImfKD0vNaPZMXEnQGkx5mZgbJ/CpbZJoh0To2qiEgPwkUDa
aTjw5aVrzEaCp6BVl5eQG8cnxIzdiOgvArH7vYHxjIAsoxoyJ0BjijvM4by/DafP
jOrYAkGJ4I6K6bUQPXlnMAeBrlGIAtBTHJVMwcq8KgaHeOAcMe0=
=K2/O
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1000048.1

Submitted by op on

HardenedBSD-11-STABLE-v1100048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Restrict permissions on /dev/ksyms to 0400. (0781c590d2a5138c4c4ba5c214a6f4dbffa25f85) [FreeBSD-SA-Candidate]
  • ZFS updates
  • Add virtio-console support to bhyve (eaaa8cd970f11a0785780896a3e106958bd87fe7)
  • Update to libarchive 3.3.2

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-bootonly.iso) = c487f5693e2fac4d722a6cf72084e7fca243ef1864bfa9966c3a3e1fe621c0a92e6496bdf06845b3a6ab66e087df061701f9bc4f00921481ae45e328b026ef17
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-disc1.iso) = 12dc23a7b121b83c5fdcde13eb75456b7d0ab1c47d7591346771ca37533415cebae81c0245a51afe467a9fcb1a342781823a3cf6e971d13fb050b511a835da4a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-memstick.img) = 28f7d76b8e3ed76a46bd3d1378074171173d0504f8a20cea87d22380a6c4d0e2713f7d20cbe58d5a97632eaabe395b393d4b85dd9d5f29835d85f5fba3e5eb9a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-mini-memstick.img) = b4c48c49ff4ce4b1ff40f92ce977699ed03e59eff633d20e9fd81712d2980d91edd65665b190d990f109937a0676a3489aa9c3de9044405781b6af5ff5acee76

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmBLeoACgkQgZsRom/9
GI1HRg/9FRZb0k5hO63oKoVpUL1Qq0lCx7A9tLRwklDAR7uyIPlJNgZFuLMCThOo
AvJYRQ/gmpIVagTTjAZJL4lr786eBX3SxAy/dqxa3DtTgxqoVNHiIZD82WVhkVAr
Ih4U3W4b8RzTRneEjJaSxNlXgwcY8Nitxl6LQMojPOmo+/pBE5FqvkaHC3vMQOZB
RjoubIA6S/fYBxf0Hsdx/ZKpR3FJdsYB345ANSavmQx+y2rcZ3/cUYEPn3dJKy3I
oQVmYS1IzRJFtdcLXUMOqV6y1BGvQoyRvdggr7N3akmxGBFOYTseLzED8F6CipgT
Jwk0sLKuwNtMbHQ0Dpnrk79rJowcoOuj9l6AeTMDyLxrY1NKuqBPL19y5zxZsLhK
u7P9uufgbKG8oty2g/2DOrIODxBETtiPvvvnGLmvb3hL/67VSBEa3wNJ1OnDR8+Q
XD2026MAFPpdJn9olMQFxNp4YT5PvU2TKT6kGdOe8D9vznGjwevrKsi2IL/tojnf
lHoKyC+N3FzGae59q3B8HzNF97sIV0Yx9cPDoSE0QQRMDFAcrsgv1YnGgBeOqP12
RvmOH8PgnGX41JaD5iAZoUUhpGhjehk6/7l33l04k9y+gTaQ9tQRq9gGJ4thNXjn
PJJ7uoMGRZG6W18K+MlNnyLdtYQnao7UPoZuG5asb75op3ha1mY=
=O8kk
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100048

Submitted by op on

HardenedBSD-11-STABLE-v1100048 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: enforce FreeBSD and HardenedBSD KPI version for external modules (19eb04fc68f294072f1535a6e1145062e85ae946)
  • MFC r320906: MFV r320905: Import Heimdal upstream fix for CVE-2017-11103. (b47deba89752334874e76436e1b7ec2f448ad78e) [FreeBSD-SA-17:05.heimdal]
  • Improved hbsd-update and hbsd-update-build
  • Improved NFSv4
  • Added Elastic Network Adapter (ENA) HAL
  • Added MAP_GUARD as solution against StackClash (c3699e91289a5a02b0c16eec22ee4d6ad7d9602e) [CVE-2017-1084]
  • *** [CVE-2017-1083]
  • Add VNC Authentication support for bhyve based on RFC6143 section 7.2.2. (3ea3addc7b1d8a1fd59b52570db518b77505c78d)
  • HBSD: fix broken pax_mprotect transitions (1904c844a0957f44efc638721cfc8b37a8311b42)
  • opBSD: plug the last memory protection test in paxtest (8341b1d91a6f3b470a008e17493973f0ed4d4d6a)
  • HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (b2d080f97546b2fea0a214de8187e8b08f11d7f2)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-bootonly.iso) = e1bd387e938eab7fbd091e15b7c9b32d6794482b508a97077e7869c294b350540d6b4e7d40387272100951a7b658fd822905b584b9d587af7d66fecc969bb996
SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-disc1.iso) = 4610823277ec4cfb083381772a722912e57611fdea740725e06158144ef6298a14b225fb3ebc86b0904487a060ebc9d4dcfb610c85c9590a38c7c2a9112608cc
SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-memstick.img) = d1821a696dd941a7942beeeeb16a85fe3ef123854b69ff2b7b3cd8aa2527abe5e3e6ca89dd7f8613dc8bb00614bd1777f05c03d27febd637c714c6e36b06cd8b
SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-mini-memstick.img) = 8c83720aec219bce62566a6907e8739564eb3043020f641e029d16016330531ad5389441122e8c7a35375846062006714640e9d82728b3d96a88bc2a553e7154

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllsGL4ACgkQgZsRom/9
GI1b9RAAsVd7XPZdXlVU28lYB6zb6ItBeZsrWRLJUmH/DuTOa9Pc8eFJSLIRFM7e
jzBzOLKJ8xqtKIkNDTh0Rw8Pd02oU7sbT9Gf2teTLRZ251MWuW/xOpC7m8redpuM
sltO+R/6kA2fmh9fJlIlxUTiCCc2Zjnzzezb/qRYugusTjY2tZ/1Ywka8YIhQOF8
AGlkzs8uYP3WRja+9slrQQxN4sVUxvBBo7u4DdNMi6vT45K0RzFtEVOxtSeOtsn0
yDReeKKAqS/QcPJMabBuVX+DNAlhNX3QwKEalecLKx6TugpssZRe/w40hMfaBp/d
AwUBr/t26eShOtbaPMTWTNsvKWsnlxK2i3m9SIXJAqtXK1Tg9uYpPt4hql7/SdT0
9NkXOafZEW94qAE5xV4yHrJlTSvlY4P9+/wVXQEnvwJ/HqrYxri4tDADd3Cx/CSd
IgKbF5qjHbAQAEWF/r8vgsohgaCdr6df2iCcKjD1Qbz5BjAS9bzCKEJW74DgSZIZ
iFdYRTzppEXk1Xy1JqgycrBk6ktDP7hmOxSB/OxybP2MB11WnG4+GilKLwz71cKS
aaRBvGfIlxAJXpqMcTx6pNt+6XYo39IU97XsSItWg5uuwMaM7FX1egwEcdbikwCF
wwXoaBMSPnhur4OFpFfPFqGtcdvUPcwn3rnjxPDqgzEHMIiDzhY=
=4Zsv
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v1000048

Submitted by op on

HardenedBSD-10-STABLE-v1000048 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • MFC r320906: MFV r320905: Import upstream heimdal fix for CVE-2017-11103. (3955ce48cb5593628cb375c519160dc0ecb4f210) [FreeBSD-SA-17:05.heimdal](https://security.freebsd.org/advisories/FreeBSD-SA-17:05.heimdal.asc)
  • hbsd-update{,-build} updates
  • enforce FreeBSD and HardenedBSD KPI version for external modules
  • HBSD: fix broken pax_mprotect transitions (9161ed81803212f1aa484144ea3c670f603d601c)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-bootonly.iso) = c22e3d4ca378240c253349059dc5c8a0e3d3c47dd7a952a25378a45ff1469db5c4ab898b5d243ba093416cbbc88085e59d139d01364e2e4b9637cd4dcf07483c
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-disc1.iso) = 65dd0cfcb8a8a55a121737fc00ff4eb24c30f33be8e6a7a49720419d28a41d468e7d1a659bd53ab7d6c3f3f182348dc492aba247c7a4bc4eb265f9b70a838b57
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-memstick.img) = 82761a7742c00ea9ae3d3caea2a7c4eb54a1b19d977050fbb96fa6e9b14aad0839124a1eb30e7bdae01fd32aeeb1c76a2c30c98e04ee17dce2397e38ac7db64f
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-mini-memstick.img) = 10e9fc97e4cc0eb0a4f5a61641596bd52a5b563a08950dfd079f871ae8703b8bec3e6b0be712bf220493a74411385a6ca638353a4ba4f42ff875161e4e3da123
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-bootonly.iso) = e7c6818cb51afd7381f453f41f7f9c16b8c23ad44b7b6b335d08d2b7e23aaa5d85627978a2515f4f0e6bbd7bbc71e235a7f25f981612d11530df50889c0849b9
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-disc1.iso) = 22d28027097287f77a238050d6ed698dbfbbbbd8cc9f9778da048343c2ec7bb3d48bf5b83756c024e7b6657f29a6eec45bbc9eed9d7ed9fed86be7a1c030ff07
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-memstick.img) = 2b370c6aa8d284ec3495f3c83d747ab818fb6a79f3b97986f89135c36ee9202a76b7300652dad3359dc13b109afb887d2005dc7c858ec9663ac1d103c18430ed
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-mini-memstick.img) = 7226ea5068c8f2dedeed6d6bce2ba66864915c9faf775b5540966a2bb4aea1b87d6042c219901cc652fa917b86b35900d4101229b49e561102f41827720168f5

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllmx7QACgkQgZsRom/9
GI0aMw//SDSlCuSinsB35/5xcfPDpmfbSEp52uOWdlMW2ZwUtN+gqoEiGla32SmS
TT2Guy/PbgxfEKzHY2UyeRVAnKdZVcdJPqvYmLdh/hQoB3/41sx4nVkN+LSTgItz
khVXHtuJEeh+WWtM31ivS3dW+ENbd8qWo2DnKNPdRJjDzM6JE+LlGdX5gEOP7ldH
HhghBzciLHBq17fLEgEzQwLuzQeDjxXywUDZkfJqc7geNRihLj9S/6ogk8guuxDn
jRq6lJvm4KoPlqymKJP50vbYV+FkGH++QwKWLDNcgnvWlZtstqr7GVWmDh5KvPmf
zBvDH4RBhThQUBR6tuIhDePpAqKhGVoW26cd09nYLFKOEyLDWYYbpTPDhPijH5rb
BNd47aObPgayn3pDrYCedrwKhlLVwmR+yuAIaPivVoI3BUIgTDNR+rC8mSeBaqLY
n0hRRCOF8Yz7g6yx4AUfPTrtXbeqkZsZiAtFQLwLXB/M2z1t/roZf+9p2J/zPSs7
V4cjQWYb9zVQOx/LSV2/SvJvaGOoI2vBjciEgSova3T+oR/8QbrrDD9MytiT7kgl
sfRIywkhVnr9NuqUqleyTqPap2xCLNVC9jL5fPjfWmdKcgCaZ5hZQykuxEZKJBOh
fWfvgM3PjBKxwlKw1QbOsNGULIPZ+SeEOwDRiEIZlbRPqpenE48=
=XZJ8
-----END PGP SIGNATURE-----

Introducing OpenNTPd in Base

Submitted by Shawn Webb on

Over the past few months, Bernard Spil has been hard at work importing OpenNTPd 6.0p1 in HardenedBSD base. Starting with 12-CURRENT, HardenedBSD will ship with OpenNTPd by default. Just like with LibreSSL in base, HardenedBSD users have a choice when building world of which NTP daemon to use. Users who want to use the legacy NTPd can set WITHOUT_OPENNTPD and WITH_NTP in src.conf(5). Bernard will continue maintaining LibreSSL and OpenNTPd in HardenedBSD base.

Users who are upgrading from an existing 12-CURRENT system from source and who use the legacy NTP daemon in base will need to perform the following actions:

  1. Install new world
  2. Run mergemaster or etcupdate
  3. sysrc ntpd_enable="NO"
  4. sysrc local_openntpd_enable="YES"

A binary update will be published within the next 24 hours that contains OpenNTPd in base. Those who use hbsd-update will only need to perform steps 3 and 4 above.

Stack Clash Mitigations

Submitted by Shawn Webb on

The Stack Clash advisory by Qualys provided detailed insight as to what happens when the heap and the stack meet. The stack grows down and the heap grows up. The stack grows on an as-needed basis. When the stack pointer is decremented beyond an existing page boundary, a page fault happens and the kernel will allocate more space for the stack (assuming the application hasn't hit the stack limit.) If there is an existing memory mapping with PROT_READ and PROT_WRITE set right below the stack, then no page fault occurs and the application will use the mapping as if it were for the stack. Ideally, this should never happen. In order to prevent this from happening, most operating systems (FreeBSD included) implement a "stack guard," which is a guard of one or more pages reserved below the stack, preventing other mappings. A properly implemented stack guard will effectively prevent the heap or other memory mappings from reaching the stack.

FreeBSD provides a stack guard implementation, but has it disabled by default. As discussed in the Qualys report, when enabled, FreeBSD's stack guard implementation had a logic flaw that prevented it from being effective. A proof-of-concept exploit written by HardenedBSD's own Shawn Webb demonstrated Qualys' claims. HardenedBSD had the stack guard enabled by default.

To mitigate Stack Clash, we in HardenedBSD performed the following in 12-CURRENT over the week of 19 Jun 2017 to 24 Jun 2017:

  1. Fixed the flaw in the stack guard implementation that prevented it from being effective.
  2. Increased the size of the stack guard from one 4KB page to 2MB.
  3. Prevented mappings from occurring between the bottom-most limit of the stack and the top of the stack.
  4. (Soon) Modified the per-thread stack guard in libthr to be of random size, minimum 1MB, maximum 5MB.
    • This also randomizes the top-most address of each per-thread stack.

The commits for these changes have been backported to HardenedBSD 11-STABLE. Item #1 has been backported to HardenedBSD 10-STABLE.

On 24 Jun 2017, FreeBSD committed their Stack Clash mitigation. It introduces the concept of MAP_GUARD, which is a special PROT_NONE mapping. It's placed immediately below the bottom-most limit of the stack. It's a really innovative implementation that allows general use of guard pages. Indeed, in a follow-up commit, the RTLD now uses MAP_GUARD for guard pages between shared objects. FreeBSD's stack guard is still a single 4KB page in size, even with Qualys' recommendation to use a minimum of 1MB. On 25 Jun 2017, FreeBSD followed up with a commit to fix a regression that effectively disabled the stack guard in certain edge cases with the new implementation. Overall, FreeBSD's solution to the Stack Clash problem is innovative and even useful outside the context of Stack Clash.

We in HardenedBSD now use a hybrid of both approaches. We've hardened the security.bsd.stack_guard_page sysctl node to a 2MB stack guard. We've made that sysctl node a read-only tunable, configurable only at boot-time. The changes to libthr still stand and the per-thread stack guard size is a random size between 1MB and 5MB. We may look to integrate MAP_GUARD with libthr instead of its reliance on mprotect(PROT_NONE).

Update 25 Jun 2017: The randomization of the per-thread stack guard has been found to be too aggressive. We are investigating this feature and will revisit it soon.

Stable release: HardenedBSD-stable 10-STABLE v1000047

Submitted by op on

HardenedBSD-10-STABLE-v1000047 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: partially backport 13971cb990b78e as fix for CVE-2017-1084
  • Changed __HardenedBSD_version scheme
  • opBSD: plug the last memory protection test in paxtest (cf883c4d3277ebdb2f7011cb64dfcfde8205352c)
  • HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (12c307c4634ee07f297d1d821a77af8eedc72c1a)
  • HBSD: add our third mirror: de-01.installer.hardenedbsd.org @Germany
  • HBSD: add our second mirror: allbsd.org @Japan
  • Implement INHERIT_ZERO for minherit(2)
  • Fix several buffer overflows in realpath(3), and other minor issues [FreeBSD-SA-Candidate]
  • Libarchive update (bd8807fedd6c5daf0cea50b0b09af795fdaa686c)
  • hyperv/kvp: Fix pool direcrory and file permission

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-bootonly.iso) = 2fa9ff9ba85e25956fbc31bd8c25508ca5328f969fee99bd92e6be1f2e61851ad532e723876c964ad379808eb05f26193252d82145915c5a23d3d698a6efd088
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-disc1.iso) = b81647c374938520abb0e63eeebe23e715660d078dbbec9d2e828feb4fc14286664527ce4d35a0f569317b098385c5e4d77665ac27a6286a3bb3679864ef522b
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-memstick.img) = e3179eea6383454559c948f172398ff56b80c29e3c68b888cd7bacb542b760b295b7f3dc73ee2a1fd69e2005a0d6cdfe54fc016bdc78e043d4955906347b2584
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-mini-memstick.img) = 483e770295e08979207013fda30b3b652d7f4969845fc77959ef71f5c1fa1182931572a5c8a3dbe59e5c81c42b369f9c87559a17cc913d95101af0f3f0448765
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-bootonly.iso) = 8bdecf399e6c42d88d8ec02daf95b265d1c781af7c8e8ec7d5ed7c6e242955c261b9d23f811d21d044ce00694fcc9c6dd0018acda101df24657646c90ed8c2f0
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-disc1.iso) = d24c1d981b48342fa9eca9545ff8db08b1e0805a176d2eea7b880c145293e2db1c18f01d5a9f019bc5f70d9d8b9ad669dd5da6db287f9e13b0971a3f63e9b363
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-memstick.img) = 0c6148d245ec920e8a45666d481c66d81c9aefbeb9ec2887b395d843d216c0a10717b106c562928d4e1439b0b837666629637f9a4ee8f79a0bf8ab71d3d5b915
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-mini-memstick.img) = c0645cc7cb4ef946d6565d859736c6cc64a7d78a207533c054a330b911132ef50fe62516d0cb967fd4c5dc8342c0db5f29174d8490e4e020603f3fac9e6cf3ba

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllPwg4ACgkQgZsRom/9
GI13hA//chLhjM+rMKRSRhcvOnUotoeb5Wf5NZ+WXod6TMHK5jQUrhBivvqpNeEn
6yEolaDkjep2/eYGG5flVL/PxX13JWgVShWTS7Hu3JlOxFANtzt9ckIayaaDJJRS
fhXZgn6LsZw2G8G1PmY3PnynHgB05OrVbz9vf3AFZ6gp5Ju35JNyk9ikYlMZ49Yb
lao/3evASKS6amPCZamrCjtGD0DtoZQegNCa2EjboCshEPnfPKTkTJQzS/W8RSUp
nVIHHWExdCOLW/9byGh28YqnhpKdz+UH/b14cxrM9p2pRYhhigcOcUK2uN6+qQxw
99HsO0ST5Brj3MRVRu1DyFjf5ycKrF0EiUucfD5gtju2zhmN/bNxVo2JTQaiyVcF
rLGmpe2w7Hu9q2JwFRYZQCK0pGgSCarPIfJYhpueHCll7zd1uVMdHuFo2YatvSka
CeiBvxVyXXZ2M4SlImOPLhDNVxutxrQIumzNLaTkZy3XQ5/Ts/tzidosOj1fhyos
yTwXCVRXNfgjeLCZrISA9qTwjVyMgolLCNPMeBfKwR9A0HVq35JHByu3vcCWAz9W
O//b8VCbZIMLcxSu3WtxyIOqMTgJDsov24oFRg1Lezbp/Dol1KTi7LB1qxKYik21
FJ7yt4djaUoaO2WP5IQjjhlflP3M+thz9TpUoeIQYXTw2fzR+58=
=3ZsF
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.18

Submitted by op on

HardenedBSD-11-STABLE-v46.18 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Based on FreeBSD 11.1-BETA1
  • Security fixes in nandsim (b585a6c019be3fb79ec968c327ea67190565342b) [FreeBSD-SA-Candidate]
  • Update to libpcap 1.8.1
  • Implement INHERIT_ZERO for minherit
  • Support Execute-Never bit in the arm64 pmap (edb010ea9cd5ce05e055474ade71fb8687a74eb6)
  • Enable Privileged Access Never on arm64 (44c9bb43d0bd6f6d94443c9efa27cbaf86a38825)
  • Enable EARLY_AP_STARTUP on amd64 and i386 kernels by default.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-bootonly.iso) = 5aad79d864b01c02871cf152bb1ed30d16f4f68775472034de255fbb2fcb26f7caaacb7e9ed77364201af72582b5b69fc0af55a06cc7066e061b21b9a2341b7d
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-disc1.iso) = fedf9ffae1f3be5807dd44bc2621acb574cb1cb33a5ca30459b014a3ff2a6238dadc518476ba1ed57fc8eff63bae1c28f91d78b4b6d4dab4bd19d9c276504bee
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-memstick.img) = 0ccdfa51a25b0f947743a4c1ac0b1aad1a208b69ac9a39f2063ac035fe5236b975a4f485e1f3b29965b3dc51e04168066f0e18e0e5d37c4770248e9bf7abb6ed
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-mini-memstick.img) = f5d266af8f6a275bb75ce778335342ca010cd91b2420871f96d882d2d333a51a4877c91faefa9e14f86977bcafb7aedb44629955eb871bf82eed370189e9a259

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllAly0ACgkQgZsRom/9
GI02zBAAogqk6ZrHg5I/mtBk+KX8sWlOLj0ddqyK2emQRSoVolpAhaBcZbAVxQyg
i6Crmgz1sWo5Ztt5UqrGF9+pfcfy6TwyD2qUSSbE1OyawScJaFWzqCDyCVi19Ltz
5EHP9bWJIH9m2kPs5uAHftvhywBJv9SH2wCCZXdy1W/8rLs7IAZjnK18Q1WqFJ/+
KSg80p7sZ4A++jR91cs0+Bt8U153GKspYUNB9SVZyHZUbdy8tKitic//rDXqA3ls
UcpTaBYL53WNIKIiIaVjfuNQDzXB8jDX8jXip7wNgQT+R6Nbr3PORKKuQpaTiu+p
fteIzx1CvRAsGM3N96LQmoAgjTTPBVcHR/pQV/37spP+nfQQHdJ4TkCM/x6rQCsB
VGaOSwlxGgQ+HrBfGXmKF8HcCFQH1oNKo6nQFUmaDkquAIVPLuZ14mJmN2Ke++y7
yEUml01+xeIme+o7uKMQZtyFrYQ86vjQWHPvWIIJ1MzFT8SDuLINZxWoC2LB8kWC
MY/+YCcM4cFx3KMrp3Uutp1xLv5lWs7W9cdf+P61qN8mdnPnbbqEYVDtXZ1+wUki
bxcXPZDBSiv+DxT2YbJf0x5dz9x9jPRQEzYzFHO5b1iCTsjGwJCxGiZXcSXLdJIL
rtL0bqtgbXpeKvs84fk+A1Z3ED4HN1DjjUXguFt9WWOBp2+S3f4=
=M0Ah
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.17

Submitted by op on

HardenedBSD-11-STABLE-v46.17 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Increased maximum text segment size from 64MB to 256MB
  • Added efivar and related EFI libs
  • Libarchive update
  • Add sets support for ipfw table info/list/flush commands.
  • NFS v4.1 updates
  • pf: Fix possible incorrect IPv6 fragmentation
  • pf: Fix leak of pf_state_keys
  • Fix a use after free panic in ipfilter's fragment processing.
  • HyperV updates
  • Update tcsh to 6.20.00
  • HBSD: Enable SafeStack by default
  • Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
  • HBSD: Add installation hook scripting to hbsd-update
  • Update clang, llvm, lld, lldb, compiler-rt and libc++ to 4.0.0 release
  • Merge ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-bootonly.iso) = c33cefeab424e346087fabd6d4c29dc53b41f9e93e5be285ee16430a502a57d18bcd555d119f111fbb1f68b442c3755acf2822881551113f2d0a4c9dbd1163f2
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-disc1.iso) = 929298f27adffaa672e985f695f219b4f87f4851f10fdf44e327565f3830737fdd27bb63f6441bf5cd40d7896a76e259341a3f954fadf1363eadf86d68077bb9
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-memstick.img) = f094f7c131a54b25e680e502298532ca6127c0a4da8788c088ce451494856f2cc76900aa9d0d9196d284c6e3a31de52541d8fe2e844b569a95e5517d7d521d56
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-mini-memstick.img) = e34fe6bc79bf2a019a624dbffbf52c20ee600a96baf4d85476888f8afeacc47deec1f02339430d004817ec79c049eba59b8b167ed4b81be7f2f80e6ca57bc217

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlkkROEACgkQgZsRom/9
GI2cJw/9FT32rDtODQ+JbDPczIhGmtCG7P3XB1V4i+d/5wWIDw8X0goHRfNT9vKQ
Ilg4LNEGPgkFCtL7AVyZuPUHjtO8Ut8iFOmTRQCwaoM7jtdn0DXvAy6Gc2sk5okh
9S4+050bFQCeVLYGKIcpaeIHwvFw7pW48UhTPguVJWIjx0X5LHiGDsTTq1zC5jFR
fEgvre5zRVea8AFXkFKHJVST+JBHpgfGP+00dTdAHJRezbeZs8OB5a5pCG7JkUJQ
JjZseTdYm9aWRwSmICSNFrMdcMlHemdXBn1LcvdWxi/Ix6dJ1QKoxbrsNCsoZjhL
xLnqUtfU9PpI8tHILhsU1Z7uXgWK4WjC2tc9j4AbVU+7ygfhVpjM9vPnVJB7e7FE
C0gfMz8cmTcPR7mN3YokJ6jscyoTvjkFBuHcOPSzpvNMIhlZo/EM+s2+NuqOW8zI
fq9C6Y7F592cRk/bMzpsXzPfpo+7lmHd4oDZ3JFY1hvsDmE41odcgZzcopgv2QEW
vBDAldKfHyX8sX79ZTH3KYlZZjsrhlx1zKYX4BXvW08iKoenxDdP8Eaty82qaKQN
GqeUT1i8i5mdWP4bRb4ezVz6VIjBUPfXE+PVwHDMmSBcJTpjzQQXDSp6fs+yoTTt
Py4xq9Vw5kcZm5qqpxCltUrkIvGbzHxHSZ25lywU+TZHpGbNDjo=
=YwAD
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS