Stable release: HardenedBSD-stable 10-STABLE v1000048

HardenedBSD-10-STABLE-v1000048 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

MFC r320906: MFV r320905: Import upstream heimdal fix for CVE-2017-11103. (3955ce48cb5593628cb375c519160dc0ecb4f210) [FreeBSD-SA-17:05.heimdal](https://security.freebsd.org/advisories/FreeBSD-SA-17:05.heimdal.asc)
hbsd-update{,-build} updates
enforce FreeBSD and HardenedBSD KPI version for external modules
HBSD: fix broken pax_mprotect transitions (9161ed81803212f1aa484144ea3c670f603d601c)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-bootonly.iso) = c22e3d4ca378240c253349059dc5c8a0e3d3c47dd7a952a25378a45ff1469db5c4ab898b5d243ba093416cbbc88085e59d139d01364e2e4b9637cd4dcf07483c SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-disc1.iso) = 65dd0cfcb8a8a55a121737fc00ff4eb24c30f33be8e6a7a49720419d28a41d468e7d1a659bd53ab7d6c3f3f182348dc492aba247c7a4bc4eb265f9b70a838b57 SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-memstick.img) = 82761a7742c00ea9ae3d3caea2a7c4eb54a1b19d977050fbb96fa6e9b14aad0839124a1eb30e7bdae01fd32aeeb1c76a2c30c98e04ee17dce2397e38ac7db64f SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-mini-memstick.img) = 10e9fc97e4cc0eb0a4f5a61641596bd52a5b563a08950dfd079f871ae8703b8bec3e6b0be712bf220493a74411385a6ca638353a4ba4f42ff875161e4e3da123 SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-bootonly.iso) = e7c6818cb51afd7381f453f41f7f9c16b8c23ad44b7b6b335d08d2b7e23aaa5d85627978a2515f4f0e6bbd7bbc71e235a7f25f981612d11530df50889c0849b9 SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-disc1.iso) = 22d28027097287f77a238050d6ed698dbfbbbbd8cc9f9778da048343c2ec7bb3d48bf5b83756c024e7b6657f29a6eec45bbc9eed9d7ed9fed86be7a1c030ff07 SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-memstick.img) = 2b370c6aa8d284ec3495f3c83d747ab818fb6a79f3b97986f89135c36ee9202a76b7300652dad3359dc13b109afb887d2005dc7c858ec9663ac1d103c18430ed SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-mini-memstick.img) = 7226ea5068c8f2dedeed6d6bce2ba66864915c9faf775b5540966a2bb4aea1b87d6042c219901cc652fa917b86b35900d4101229b49e561102f41827720168f5

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllmx7QACgkQgZsRom/9
GI0aMw//SDSlCuSinsB35/5xcfPDpmfbSEp52uOWdlMW2ZwUtN+gqoEiGla32SmS
TT2Guy/PbgxfEKzHY2UyeRVAnKdZVcdJPqvYmLdh/hQoB3/41sx4nVkN+LSTgItz
khVXHtuJEeh+WWtM31ivS3dW+ENbd8qWo2DnKNPdRJjDzM6JE+LlGdX5gEOP7ldH
HhghBzciLHBq17fLEgEzQwLuzQeDjxXywUDZkfJqc7geNRihLj9S/6ogk8guuxDn
jRq6lJvm4KoPlqymKJP50vbYV+FkGH++QwKWLDNcgnvWlZtstqr7GVWmDh5KvPmf
zBvDH4RBhThQUBR6tuIhDePpAqKhGVoW26cd09nYLFKOEyLDWYYbpTPDhPijH5rb
BNd47aObPgayn3pDrYCedrwKhlLVwmR+yuAIaPivVoI3BUIgTDNR+rC8mSeBaqLY
n0hRRCOF8Yz7g6yx4AUfPTrtXbeqkZsZiAtFQLwLXB/M2z1t/roZf+9p2J/zPSs7
V4cjQWYb9zVQOx/LSV2/SvJvaGOoI2vBjciEgSova3T+oR/8QbrrDD9MytiT7kgl
sfRIywkhVnr9NuqUqleyTqPap2xCLNVC9jL5fPjfWmdKcgCaZ5hZQykuxEZKJBOh
fWfvgM3PjBKxwlKw1QbOsNGULIPZ+SeEOwDRiEIZlbRPqpenE48=
=XZJ8
-----END PGP SIGNATURE-----

Introducing OpenNTPd in Base

Over the past few months, Bernard Spil has been hard at work importing OpenNTPd 6.0p1 in HardenedBSD base. Starting with 12-CURRENT, HardenedBSD will ship with OpenNTPd by default. Just like with LibreSSL in base, HardenedBSD users have a choice when building world of which NTP daemon to use. Users who want to use the legacy NTPd can set WITHOUT_OPENNTPD and WITH_NTP in src.conf(5). Bernard will continue maintaining LibreSSL and OpenNTPd in HardenedBSD base.

Users who are upgrading from an existing 12-CURRENT system from source and who use the legacy NTP daemon in base will need to perform the following actions:

Install new world
Run mergemaster or etcupdate
sysrc ntpd_enable="NO"
sysrc local_openntpd_enable="YES"

A binary update will be published within the next 24 hours that contains OpenNTPd in base. Those who use hbsd-update will only need to perform steps 3 and 4 above.

Stack Clash Mitigations

The Stack Clash advisory by Qualys provided detailed insight as to what happens when the heap and the stack meet. The stack grows down and the heap grows up. The stack grows on an as-needed basis. When the stack pointer is decremented beyond an existing page boundary, a page fault happens and the kernel will allocate more space for the stack (assuming the application hasn't hit the stack limit.) If there is an existing memory mapping with PROT_READ and PROT_WRITE set right below the stack, then no page fault occurs and the application will use the mapping as if it were for the stack. Ideally, this should never happen. In order to prevent this from happening, most operating systems (FreeBSD included) implement a "stack guard," which is a guard of one or more pages reserved below the stack, preventing other mappings. A properly implemented stack guard will effectively prevent the heap or other memory mappings from reaching the stack.

FreeBSD provides a stack guard implementation, but has it disabled by default. As discussed in the Qualys report, when enabled, FreeBSD's stack guard implementation had a logic flaw that prevented it from being effective. A proof-of-concept exploit written by HardenedBSD's own Shawn Webb demonstrated Qualys' claims. HardenedBSD had the stack guard enabled by default.

To mitigate Stack Clash, we in HardenedBSD performed the following in 12-CURRENT over the week of 19 Jun 2017 to 24 Jun 2017:

Fixed the flaw in the stack guard implementation that prevented it from being effective.
Increased the size of the stack guard from one 4KB page to 2MB.
Prevented mappings from occurring between the bottom-most limit of the stack and the top of the stack.
(Soon) Modified the per-thread stack guard in libthr to be of random size, minimum 1MB, maximum 5MB.
- This also randomizes the top-most address of each per-thread stack.

The commits for these changes have been backported to HardenedBSD 11-STABLE. Item #1 has been backported to HardenedBSD 10-STABLE.

On 24 Jun 2017, FreeBSD committed their Stack Clash mitigation. It introduces the concept of MAP_GUARD, which is a special PROT_NONE mapping. It's placed immediately below the bottom-most limit of the stack. It's a really innovative implementation that allows general use of guard pages. Indeed, in a follow-up commit, the RTLD now uses MAP_GUARD for guard pages between shared objects. FreeBSD's stack guard is still a single 4KB page in size, even with Qualys' recommendation to use a minimum of 1MB. On 25 Jun 2017, FreeBSD followed up with a commit to fix a regression that effectively disabled the stack guard in certain edge cases with the new implementation. Overall, FreeBSD's solution to the Stack Clash problem is innovative and even useful outside the context of Stack Clash.

We in HardenedBSD now use a hybrid of both approaches. We've hardened the security.bsd.stack_guard_page sysctl node to a 2MB stack guard. We've made that sysctl node a read-only tunable, configurable only at boot-time. The changes to libthr still stand and the per-thread stack guard size is a random size between 1MB and 5MB. We may look to integrate MAP_GUARD with libthr instead of its reliance on mprotect(PROT_NONE).

Update 25 Jun 2017: The randomization of the per-thread stack guard has been found to be too aggressive. We are investigating this feature and will revisit it soon.

Stable release: HardenedBSD-stable 10-STABLE v1000047

HardenedBSD-10-STABLE-v1000047 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

HBSD: partially backport 13971cb990b78e as fix for CVE-2017-1084
Changed __HardenedBSD_version scheme
opBSD: plug the last memory protection test in paxtest (cf883c4d3277ebdb2f7011cb64dfcfde8205352c)
HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (12c307c4634ee07f297d1d821a77af8eedc72c1a)
HBSD: add our third mirror: de-01.installer.hardenedbsd.org @Germany
HBSD: add our second mirror: allbsd.org @Japan
Implement INHERIT_ZERO for minherit(2)
Fix several buffer overflows in realpath(3), and other minor issues [FreeBSD-SA-Candidate]
Libarchive update (bd8807fedd6c5daf0cea50b0b09af795fdaa686c)
hyperv/kvp: Fix pool direcrory and file permission

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-bootonly.iso) = 2fa9ff9ba85e25956fbc31bd8c25508ca5328f969fee99bd92e6be1f2e61851ad532e723876c964ad379808eb05f26193252d82145915c5a23d3d698a6efd088 SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-disc1.iso) = b81647c374938520abb0e63eeebe23e715660d078dbbec9d2e828feb4fc14286664527ce4d35a0f569317b098385c5e4d77665ac27a6286a3bb3679864ef522b SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-memstick.img) = e3179eea6383454559c948f172398ff56b80c29e3c68b888cd7bacb542b760b295b7f3dc73ee2a1fd69e2005a0d6cdfe54fc016bdc78e043d4955906347b2584 SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-mini-memstick.img) = 483e770295e08979207013fda30b3b652d7f4969845fc77959ef71f5c1fa1182931572a5c8a3dbe59e5c81c42b369f9c87559a17cc913d95101af0f3f0448765 SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-bootonly.iso) = 8bdecf399e6c42d88d8ec02daf95b265d1c781af7c8e8ec7d5ed7c6e242955c261b9d23f811d21d044ce00694fcc9c6dd0018acda101df24657646c90ed8c2f0 SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-disc1.iso) = d24c1d981b48342fa9eca9545ff8db08b1e0805a176d2eea7b880c145293e2db1c18f01d5a9f019bc5f70d9d8b9ad669dd5da6db287f9e13b0971a3f63e9b363 SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-memstick.img) = 0c6148d245ec920e8a45666d481c66d81c9aefbeb9ec2887b395d843d216c0a10717b106c562928d4e1439b0b837666629637f9a4ee8f79a0bf8ab71d3d5b915 SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-mini-memstick.img) = c0645cc7cb4ef946d6565d859736c6cc64a7d78a207533c054a330b911132ef50fe62516d0cb967fd4c5dc8342c0db5f29174d8490e4e020603f3fac9e6cf3ba

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllPwg4ACgkQgZsRom/9
GI13hA//chLhjM+rMKRSRhcvOnUotoeb5Wf5NZ+WXod6TMHK5jQUrhBivvqpNeEn
6yEolaDkjep2/eYGG5flVL/PxX13JWgVShWTS7Hu3JlOxFANtzt9ckIayaaDJJRS
fhXZgn6LsZw2G8G1PmY3PnynHgB05OrVbz9vf3AFZ6gp5Ju35JNyk9ikYlMZ49Yb
lao/3evASKS6amPCZamrCjtGD0DtoZQegNCa2EjboCshEPnfPKTkTJQzS/W8RSUp
nVIHHWExdCOLW/9byGh28YqnhpKdz+UH/b14cxrM9p2pRYhhigcOcUK2uN6+qQxw
99HsO0ST5Brj3MRVRu1DyFjf5ycKrF0EiUucfD5gtju2zhmN/bNxVo2JTQaiyVcF
rLGmpe2w7Hu9q2JwFRYZQCK0pGgSCarPIfJYhpueHCll7zd1uVMdHuFo2YatvSka
CeiBvxVyXXZ2M4SlImOPLhDNVxutxrQIumzNLaTkZy3XQ5/Ts/tzidosOj1fhyos
yTwXCVRXNfgjeLCZrISA9qTwjVyMgolLCNPMeBfKwR9A0HVq35JHByu3vcCWAz9W
O//b8VCbZIMLcxSu3WtxyIOqMTgJDsov24oFRg1Lezbp/Dol1KTi7LB1qxKYik21
FJ7yt4djaUoaO2WP5IQjjhlflP3M+thz9TpUoeIQYXTw2fzR+58=
=3ZsF
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.18

HardenedBSD-11-STABLE-v46.18 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

Based on FreeBSD 11.1-BETA1
Security fixes in nandsim (b585a6c019be3fb79ec968c327ea67190565342b) [FreeBSD-SA-Candidate]
Update to libpcap 1.8.1
Implement INHERIT_ZERO for minherit
Support Execute-Never bit in the arm64 pmap (edb010ea9cd5ce05e055474ade71fb8687a74eb6)
Enable Privileged Access Never on arm64 (44c9bb43d0bd6f6d94443c9efa27cbaf86a38825)
Enable EARLY_AP_STARTUP on amd64 and i386 kernels by default.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-bootonly.iso) = 5aad79d864b01c02871cf152bb1ed30d16f4f68775472034de255fbb2fcb26f7caaacb7e9ed77364201af72582b5b69fc0af55a06cc7066e061b21b9a2341b7d SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-disc1.iso) = fedf9ffae1f3be5807dd44bc2621acb574cb1cb33a5ca30459b014a3ff2a6238dadc518476ba1ed57fc8eff63bae1c28f91d78b4b6d4dab4bd19d9c276504bee SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-memstick.img) = 0ccdfa51a25b0f947743a4c1ac0b1aad1a208b69ac9a39f2063ac035fe5236b975a4f485e1f3b29965b3dc51e04168066f0e18e0e5d37c4770248e9bf7abb6ed SHA512 (HardenedBSD-11-STABLE-v46.18-amd64-mini-memstick.img) = f5d266af8f6a275bb75ce778335342ca010cd91b2420871f96d882d2d333a51a4877c91faefa9e14f86977bcafb7aedb44629955eb871bf82eed370189e9a259

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllAly0ACgkQgZsRom/9
GI02zBAAogqk6ZrHg5I/mtBk+KX8sWlOLj0ddqyK2emQRSoVolpAhaBcZbAVxQyg
i6Crmgz1sWo5Ztt5UqrGF9+pfcfy6TwyD2qUSSbE1OyawScJaFWzqCDyCVi19Ltz
5EHP9bWJIH9m2kPs5uAHftvhywBJv9SH2wCCZXdy1W/8rLs7IAZjnK18Q1WqFJ/+
KSg80p7sZ4A++jR91cs0+Bt8U153GKspYUNB9SVZyHZUbdy8tKitic//rDXqA3ls
UcpTaBYL53WNIKIiIaVjfuNQDzXB8jDX8jXip7wNgQT+R6Nbr3PORKKuQpaTiu+p
fteIzx1CvRAsGM3N96LQmoAgjTTPBVcHR/pQV/37spP+nfQQHdJ4TkCM/x6rQCsB
VGaOSwlxGgQ+HrBfGXmKF8HcCFQH1oNKo6nQFUmaDkquAIVPLuZ14mJmN2Ke++y7
yEUml01+xeIme+o7uKMQZtyFrYQ86vjQWHPvWIIJ1MzFT8SDuLINZxWoC2LB8kWC
MY/+YCcM4cFx3KMrp3Uutp1xLv5lWs7W9cdf+P61qN8mdnPnbbqEYVDtXZ1+wUki
bxcXPZDBSiv+DxT2YbJf0x5dz9x9jPRQEzYzFHO5b1iCTsjGwJCxGiZXcSXLdJIL
rtL0bqtgbXpeKvs84fk+A1Z3ED4HN1DjjUXguFt9WWOBp2+S3f4=
=M0Ah
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.17

HardenedBSD-11-STABLE-v46.17 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

Increased maximum text segment size from 64MB to 256MB
Added efivar and related EFI libs
Libarchive update
Add sets support for ipfw table info/list/flush commands.
NFS v4.1 updates
pf: Fix possible incorrect IPv6 fragmentation
pf: Fix leak of pf_state_keys
Fix a use after free panic in ipfilter's fragment processing.
HyperV updates
Update tcsh to 6.20.00
HBSD: Enable SafeStack by default
Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
HBSD: Add installation hook scripting to hbsd-update
Update clang, llvm, lld, lldb, compiler-rt and libc++ to 4.0.0 release
Merge ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-bootonly.iso) = c33cefeab424e346087fabd6d4c29dc53b41f9e93e5be285ee16430a502a57d18bcd555d119f111fbb1f68b442c3755acf2822881551113f2d0a4c9dbd1163f2 SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-disc1.iso) = 929298f27adffaa672e985f695f219b4f87f4851f10fdf44e327565f3830737fdd27bb63f6441bf5cd40d7896a76e259341a3f954fadf1363eadf86d68077bb9 SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-memstick.img) = f094f7c131a54b25e680e502298532ca6127c0a4da8788c088ce451494856f2cc76900aa9d0d9196d284c6e3a31de52541d8fe2e844b569a95e5517d7d521d56 SHA512 (HardenedBSD-11-STABLE-v46.17-amd64-mini-memstick.img) = e34fe6bc79bf2a019a624dbffbf52c20ee600a96baf4d85476888f8afeacc47deec1f02339430d004817ec79c049eba59b8b167ed4b81be7f2f80e6ca57bc217

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlkkROEACgkQgZsRom/9
GI2cJw/9FT32rDtODQ+JbDPczIhGmtCG7P3XB1V4i+d/5wWIDw8X0goHRfNT9vKQ
Ilg4LNEGPgkFCtL7AVyZuPUHjtO8Ut8iFOmTRQCwaoM7jtdn0DXvAy6Gc2sk5okh
9S4+050bFQCeVLYGKIcpaeIHwvFw7pW48UhTPguVJWIjx0X5LHiGDsTTq1zC5jFR
fEgvre5zRVea8AFXkFKHJVST+JBHpgfGP+00dTdAHJRezbeZs8OB5a5pCG7JkUJQ
JjZseTdYm9aWRwSmICSNFrMdcMlHemdXBn1LcvdWxi/Ix6dJ1QKoxbrsNCsoZjhL
xLnqUtfU9PpI8tHILhsU1Z7uXgWK4WjC2tc9j4AbVU+7ygfhVpjM9vPnVJB7e7FE
C0gfMz8cmTcPR7mN3YokJ6jscyoTvjkFBuHcOPSzpvNMIhlZo/EM+s2+NuqOW8zI
fq9C6Y7F592cRk/bMzpsXzPfpo+7lmHd4oDZ3JFY1hvsDmE41odcgZzcopgv2QEW
vBDAldKfHyX8sX79ZTH3KYlZZjsrhlx1zKYX4BXvW08iKoenxDdP8Eaty82qaKQN
GqeUT1i8i5mdWP4bRb4ezVz6VIjBUPfXE+PVwHDMmSBcJTpjzQQXDSp6fs+yoTTt
Py4xq9Vw5kcZm5qqpxCltUrkIvGbzHxHSZ25lywU+TZHpGbNDjo=
=YwAD
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v46.27

HardenedBSD-10-STABLE-v46.27 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

Fixed use after free in ipfilter (f997910e54b19e3bf30bd9f0d17885b0a90b15c5) [FreeBSD-SA-17:04.ipfilter]
Update to tcsh 6.20.00
Fixed infoleak in VFS (b0da260ac2e82e2e506ddbe6d2a04de7b0c20ef8)
Update to ACPICA 20170303

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-bootonly.iso) = e8a2d420bb034e016418b90c874a132b3c00251386c9f433d36c4b83ef3dcd6b01fa24e931cc3936d1bd3ad04e81b6805d1738f5e00f8aec1522f435b2268ff4 SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-disc1.iso) = 42a973105852dd421a1d6801559d9be0eb85fba6ca1d81f61dd6bfd956b6723c54595256ec0c9bab77270a10770290e60c6bd626dcc29c3c7645b81d08808268 SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-memstick.img) = 5688f39ab6a03d869156d7c524d3addbb45986b0af50f32bf5f5920a103f1df2b7be91bfeaa4ff68be8bea13a87ef418609071d1e4ddb180b1a55386086558f9 SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-mini-memstick.img) = ddfc5e345d53d3061901076845f8773acefba11b0c369a2d8282f01af88ea17d8dcd5d8126390f09c353fac92cff8c810d9a49edda13bcd53746e969b7068834 SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-bootonly.iso) = 893face3761569d0e3c10f15a8bb015d400f9911eae82dcb7c39362e1a22701035e9f9b73b811fec47177e1cd300ee3002f19e671ba0a1ebf6ebc703be28b4aa SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-disc1.iso) = f440988ab3df85e1f55a04c2075916adc7ad88a370c275ec49bf512fcfbf73b9070d1f1295d3cc37208fa7ec0a906465fa41766c88ca072d5ff3110d870a1116 SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-memstick.img) = 2fc89775504a814df9aadf263f91b7a34dcce9d03af753e5b68cdfbc2a33775be1aee31b2ed5783428424e4b8c07524136e896fa31ff5762996336a8923f8fb4 SHA512 (HardenedBSD-10-STABLE-v46.27-amd64-uefi-mini-memstick.img) = 834653d3631707ef36a35c499504672d931c3786645b89f69601e7f68bb7228588d7dc6caabdafd464ec350ec9a39c23165aee34aa2cbd6fbeb0448d1bab8540

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlkClXoACgkQgZsRom/9
GI0sEw/+JXEp4SgpOjUbebVvCx04HtZ2sdE4Eq81VH6+46qrGFyOdLB0N3aFFneC
ANBAl6cUTWeB2Mn/+AzBg059eJxNasXx8VzftH917d7dGj1JJ89VBgu5GjoiiM29
6io17i5PrAG7tOBeRUYyGqTCTqq7pkYEdBt/S11ccVGpjZWsZl+yr46y7MZy38OV
u/5g0lt3MBCDObgIBNHjIOw2GrAnN9mBWOfgjODK5jzl1gZ30WHmuwfiaA8n4wEP
GtXsq3umtIvUIooz6i1k2AZ84LMBfd6Jht6Z4V8j661TIk+5dWvILHEeUjarkC7l
MrJRNqrvITfrgn3sbn7oFbbclFgzuKJyFXrViOj3AIsLJhugfwy+GOyaCsN4+Qw5
sxzNYNtNCJcCumU306/OhPJaPu+a44koZdLue3eAwo9P4MwdcUagN3arj2KsfYps
CDbgzjF5jkiWjfar5Tbp2zTCMQrexDvUsI7kyjF+N1g4Tq7uA6/GBh2NY2g8tgU1
DI9Y2uFv/reQe/mwWFWRFqaEP/q+ndBNIHYn0I7K2ayPXugJnAr/rvopvmh7+X10
FrlNVHsR2F2imT/uc7wBjSc/awN64atIy65K1LgeGzPwAN/3XD6ocz15xFB6CQ8s
iFvcznlsvp3glSLWxwznivNF0yiUITML9V7YqnPW78OPIYXyfX4=
=6n84
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v46.26

HardenedBSD-10-STABLE-v46.26 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

libarchive update (f0e80d829a6d0ff8bb7a46bd3a18dd6159b14284) [FreeBSD-SA-Candidate]
ntpd update to 4.2.8p10 (77b785069d6eae320236013da6d95b7f5b1bed39) [FreeBSD-SA-Candidate]
fix signal handling (ee4124b33f70470844978d1c8e4cd6ae062ebb0a)
ZFS updates - for more details see /usr/src/UPDATING file
fix kernel memory disclosure in sys_nanosleep (bce7b617018c250761c47f5c3f108e921967f532) [FreeBSD-SA-Candidate]
fix NULL pointer dereference and panic with shm file pread/pwrite (b99ef16b54afe13145b759e50409e47854084552)
discard first 3072 bytes of RC4 keystream (c2d58806b9c8f951eb62c390161af34447d7edd3)
apply noexec mount option for mmap(PROT_EXEC) (662245c4d63c9acf32783194220c75fc766710ea)
reject userland CCBs that have CAM_UNLOCKED set (18602a4e400bd8760263fa0ca89773f59b70b3ac)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-bootonly.iso) = f4f9cd86dddd0571054bb0c4f773ff851c634e065e85226efb58c346467053bb9dc9a0ba5edb0cc30771578c1cf230f4a657793e93a5bdcba27cc4feac7825d4 SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-disc1.iso) = c127f0c6f606a0d96e7a17899e3bd909db72188c1465667fe728d3f07976e5180861859b6e8eb98860d0ebaf01f60dc24a325e1b326256618bfe63c8d139a8b0 SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-memstick.img) = 61b81f5efab30da279684caeea8e812fa81f8b4f58fa7b3d72340bd41bd12397ecaaaed19b087e32ab229233b0da39e9abdd0fa3fc4e5ddf055340106ba72e60 SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-mini-memstick.img) = bf907e8297bd35717159361f65c6ccd5fc0f69351cf51c9fb96ce2a908a8e354ec8fecff76ce09f4e7449a8dc503a3501b8d535e99e3ad9e6d0a279530029b1e SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-bootonly.iso) = db15863f3363b82703823c9ce3b3143a3558d777f7cbb5ab6daedd855f64a005a1c966fa4aa191cfeac464f32fa8a156451fcfba367442b3dd12ab3fa7909e2d SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-disc1.iso) = 0648774e3534d2f474a7c192b69fbfaec6612438756f2a3c6f7c6a97e01c775050344b3f970ac372e5c2806b790b8da03c3ce1edc8aab5503d60f508792da5db SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-memstick.img) = a458373dc989ab1918818d64c275c6fb86be08732168560fc4451782647844bde2721f8a80640adeb09a0769878e46f2481af6bb0ca768c783d2d6d012a68215 SHA512 (HardenedBSD-10-STABLE-v46.26-amd64-uefi-mini-memstick.img) = da00f398ec94bf4da84ba362bf21a7de229fa0afc1a87ace1f6093d9c1514a6bcbaad8f8e238a736be4fe7ae19ca43dc92a387e6882f274e5181de40e5ea131e

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAljfrQ0ACgkQgZsRom/9
GI3Rng/9EwffqI+dS55+3JfAD7GMEeIL8LJ4QKg/a2wQ+u3ZA8eb9SbHjyeGQUDF
mTK0HQq6Z2RYyNZ4j/mHb0HhOaxjJx1s+p6+V3tsLjiVbrIIyi6IYGSi9fmJAjkn
PEow75inuB4QcMC3tQhUrynUYBnKc5lS7drpJ0odLQuOFHED9H4Wqx77l5wFIqIs
Ga9wTJLjuKm3XRJJ2mECSEB17jbKroFWEEQN/qlfkFMpufFkJdC9wpAO3aRuRd4h
19dg+FJI2ljPS6PWMp2pHjIEPEIQkstFb/d0Hr8AJu/43g8Cno0eq9ClhORsIGLG
WGwXe9GhQgzjAw6zIXHoyNxTdN7QSzja+hJHN+1h+qWo3HcJqQk8USsKC3z2Gg6/
0TaCEPHV31Pn9vNqTrAHepV63GACRNvP3aCiiKXcsys1HPj0WrMDaBc2gpDlEo4k
bKTHT3s4I8fUsYjgIdm+5xzXUodvMoz1hb8dISBZAI4bV7kae7aJw97B9hv3kZyM
tf0TgEQ+o+Oi5OiDY9wFjmPafLsgHdYAKypcbrE9g5yJx6kmqU37j/g5fXovacew
ZsPNxTCDxuL0pcgRQwQbIJNPAEsJsb9lHEzGpet4rlSHBJguutrddXpNr3cIVPYP
xSSO7QT0c+NEc28EpvlQiZL3GBfN4WIgO1IqmPbV6NNZxH6AlCY=
=hAYR
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v46.16

HardenedBSD-11-STABLE-v46.16 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update!

Highlights:

update to ntp 4.2.8p10 (9e55018b05bf06a66cff34b38d0513f3e6ce1693) [FreeBSD-SA-Candidate]
possible kernel memory discolsure in sys_nanosleep (5e396452e4053c6aecb09fcbd6219d90c350c095) [FreeBSD-SA-Candidate]
updated IPSEC subsystem (e6fbe68844bdd64b17c07bde1f7367c92c0ec9d9)
fix NULL pointer dereference and panic with shm file pread/pwrite (7169011bf02f04f1750bf7163e144b30eae0c21c) [FreeBSD-SA-Candidate]
update to libarchive 3.3.1 [FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-bootonly.iso) = c07a2ce93b810f69e6ca9d2c6ad3f6ce1618317c5e4719ac8b3b0fc99f3eba988537b92dee9ea42224c7c011d9ee6897ada8d3c86ff752db2dec5285e7034f35 SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-disc1.iso) = f300998e24f7d1404a74f1d8583c7b2442f484ef87747024cdb41bb6f35443f7e7d4b219372e4b3cdc473e8b579aa4c6d7fe94978e71c56783b3266147de0695 SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-memstick.img) = e80ab66255bb2afd921587b025dc82cfd8970db05fe29ad56e634ce5bacf1106f6f94c1efd8c3251ba3f1fe7442e01f9b45da541d9b2f08b2c8807c9d1a60098 SHA512 (HardenedBSD-11-STABLE-v46.16-amd64-mini-memstick.img) = a15e4056a1c7abaf8533760eb81c19b8c557d1e2b07fdcfcf71ad108f574e1001595aac30693be774af1696d17dd1737e1be739eb05bdb084472d4db9cf87628

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAljdDzoACgkQgZsRom/9
GI1DMQ//TmuA+ThkCqRzOY71AqcKlxYtppaF/SBfadM5M2gTYjhvtBQDQFUDA195
IF+iJy1qqKXHWLShDvZk+szcmrluqwjssCL/CYiCTj0Eym/N3yFttZ9OLTT3sf9s
WlaX+JqJhGG18jwhXS3CEovUTOzd6Q1nFCEaQiEJiuToj3CKFowIb0pr8fDideD/
MwX37eG2gRnGcYJCSWdf+rUpKUTzJk00aY8qr4QhW4Muy5zh8xMQghb50LtmDK6p
V7w2GqFDIeoIOQjp20AHSo5GHPUO2kaHF7DZP4a/GAxl2iPgAnkm+vn16mVtaCQQ
EcL2L3BayDlsOL5YC15wxIMiXm3uDyvAXYG/eV+qENPBC1bSBWgE3VIJz074cSSE
hYnglK7kwGxjZieOW6j8nJIO1IZ7lxTP1guoeB+vKm+jdb+ROPYjkYZVcOj/A4zW
pP2XoYmysrbKBIHcfJ0wZieTToQQEOXkFV9ZHfCwLaElYhEkXzgDC4v7XrdV5eAK
drp8ax0FwHUrXuEYx4wU4OnEFG/RbgAR3Y4ax+2s9wxph+sIRf+eyZ4Sgb5GbYNt
CqMoCneYtAUP9+zO3H4vVouOxSWZpbMqDrVGgpO5h2HM0SB520EXBwjDF7xRr/Pr
rSTyLqnLx4E2U8eUgBYsZmVqp5ehY+CBSbRwWZRubRrF3k6cYIw=
=T6HA
-----END PGP SIGNATURE-----

HardenedBSD Through Tor Hidden Service

HardenedBSD is pleased to announce the availability of its site, package repositories, and binary updates through a Tor hidden service. Please note that at the moment, this is considered experimental and the onion hostname may change. We'll keep this page updated if it does.

For pkg, replace /etc/pkg/HardenedBSD.conf with this configuration file:

HardenedBSD: {
  url: "http://lkiw4tmbudbr43hbyhm636sarn73vuow77czzohdbqdpjuq3vdzvenyd.onion/HardenedBSD/pkg/${ABI}",
  mirror_type: "http",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

And for hbsd-update, replace /etc/hbsd-update.conf with this configuration file:

dnsrec=""
capath="/usr/share/keys/hbsd-update/trusted"
# NOTE: Replace the branch variable with whatever branch you normally use. Check your existing hbsd-update.conf file.
branch="hardened/current/master"
baseurl="lkiw4tmbudbr43hbyhm636sarn73vuow77czzohdbqdpjuq3vdzvenyd.onion/HardenedBSD/updates/pub/HardenedBSD/updates/${branch}/$(uname -m)"

HardenedBSD

Stable release: HardenedBSD-stable 10-STABLE v1000048

Introducing OpenNTPd in Base

Stack Clash Mitigations

Stable release: HardenedBSD-stable 10-STABLE v1000047

Stable release: HardenedBSD-stable 11-STABLE v46.18

Stable release: HardenedBSD-stable 11-STABLE v46.17

Stable release: HardenedBSD-stable 10-STABLE v46.27

Stable release: HardenedBSD-stable 10-STABLE v46.26

HardenedBSD-10-STABLE-v46.26 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Stable release: HardenedBSD-stable 11-STABLE v46.16

HardenedBSD Through Tor Hidden Service

Pages

Donate to HardenedBSD

2021 Donation Status

Links

HardenedBSD-10-STABLE-v46.26 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Pages

Donate to HardenedBSD

2021 Donation Status

Search form

Links