Stable release: HardenedBSD-stable 11-STABLE v46.13

Submitted by op on

HardenedBSD-11-STABLE-v46.13 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fix multiple OpenSSH vulnerabilities. (6fd1410cc2d705293edb0ae5770cc28507893106) [https://security.freebsd.org/advisories/FreeBSD-SA-17:01.openssh.asc]
  • Changed settings for newsyslog (30d7a97741a4aa2e5059ce55bebac16fab)
  • Added /var/log/pkg.log log to store the packages lifecycle
  • Added support for SafeStack - disabled by default
  • Hypver-V updates
  • Clang 3.9.0
  • am-utils 6.2
  • hbsd-update-build cross-build support (b856ea99242c90b8c61879914f79fc6a19ec9fd4)
  • file 5.29
  • regression fix for SA-16:37.libc (6a7e18ff00902471666a295326db834bf51d175a)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.13-amd64-bootonly.iso) = 5ab50a1b2b6f5ababcc7ba31979b1054e867da4f171062630c2ddfac5e1886637a427fe4a00d2dafa3170864983f001aef6dc0296eee01fa348fef07034dae1f
SHA512 (HardenedBSD-11-STABLE-v46.13-amd64-disc1.iso) = 53e08090a71199d2328b080a79053554ac27855c38dbff9cc7b4428a652f7841909ace3f7be70753e998f4db679b166bd8f073e619ad55172db8fab5472f209b
SHA512 (HardenedBSD-11-STABLE-v46.13-amd64-memstick.img) = 33fe65a6b0bd537a5cf772448765b8fac148743008b8be478076a83783889c3beecb334075aad5bbba0ae8724df287f800c8fb5ce1cf6133010ad911a55d0743
SHA512 (HardenedBSD-11-STABLE-v46.13-amd64-mini-memstick.img) = 71b458cdd3913e3328791354e7ec6179a765d420b33cbaa5e34a06a112c82dc6741562f2d508c3f614ff0d1ba295546859eed72692acdcf460d4bd515356008c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlh28NAACgkQgZsRom/9
GI188BAAnzE0yfMjnG/bpCfCCE9j4HeB7X5F8jnEDmRjiE3X1V+smau9+ILHaZgi
rCafXmM82gUkqTqmHitBVAJUJbNH0PhnmP0O0ohRf2/jbjAVGaly0R50Gj1LH89P
2fttYC97WifiJQffAKZBGnMYZw2zSUa8iio6IZHZh+v7QQwckjiSdhqvxu9tQnyu
W5E8H9hSZg1vwx4I0it41Kc2uxiUUwHvUadfW7gOBXQfSFwUcBn+AHlw62ifU0H1
v3GM10Ej8+4hIh9dkwO2QihjqKk36wd2LScrj6G1KcBVDf13l2+GxUnPrSZIKody
/rW7MHl4N++WFFIxqe2XusrP8I3P+sUoCnuwZNeILu4224UhqX0rR42MUs2ufo7Y
c/fCNdccLDMp4BblzF1/5AYTfUrX/FgmnH/n+44RiTT+IeA6QYGrjs+LEsrd1bvN
6RcERt4SiDOg923TolHO5dSuhQaNCMcWQhZB4B2Govc7QBLufEX9cjJVXV/RNVBP
24bqbTdXhCz6XSY0Fccb727ZcU8LeX0HN8iDc1qVjhCVmC28Tk1MRe+KDHyNAJrl
eqdeQNLV8NBy4yjtU9cMY2QrpTGxojBXpakQBtFK/sbyu5cde2hqP5A2uv9Yw+kX
soxImzgbLieOifOiA/uZfZASJNZb9K2qmigtRirrKiRK8wLOgbY=
=SZ2C
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v46.23

Submitted by op on

HardenedBSD-10-STABLE-v46.23 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Fix multiple OpenSSH vulnerabilities. (01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d) [https://security.freebsd.org/advisories/FreeBSD-SA-17:01.openssh.asc]
  • Skylake support for hwpmc
  • Changed settings for newsyslog (7043b7898cf46d234e9b718d477802ed7805377d)
  • Added /var/log/pkg.log log to store the packages lifecycle
  • Update to ACPICA 2016122 to fix Skylake issues
  • Hyper-V updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-bootonly.iso) = beaeb17d9e57d1cbb99ffc42720ce02c47da022774d15c1e7572f7b740218934687fb881e952eaaf0876a14b15458f592fcdd1c9681873be0f53f57894167f5d
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-disc1.iso) = 97e534f74b9b05c75eb883190517509204ad5d45793822b7d70d82bbdab4a6bca81d06122c144fdc0f17d26e08f12a9dd50e3ce0ad855689320e0d4ea63cdd5c
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-memstick.img) = e55c0cbb1494854b84ebd0a32d60c259f2341e100c81c6eaa60faeb95e94aaee6dd855583b1575e2b0dc971f392236c19f8e5759b94df83bdbd70beeaa0eaa5f
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-mini-memstick.img) = f3df1e031cc56c1abba6cf1577c079b6f9234bac04b6c4ee290c6982cbece49cdc0d0980a3bfe14e28a27c5c796387c4c5a3131e2afe439e6cf0966bad5c7eb3
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-uefi-bootonly.iso) = 2201d710301b936a7726b82ba5ebd00210d4fef2bb555ee685e9425c29bf4433c95af4cbdb85a26981f00edff4397ff321c39f40b830812abf24c99d0b373ee7
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-uefi-disc1.iso) = b98006e8905200449cbf50c0e9dcb99a6705eccf9ee21be5d80bade5dd2762da4a16a51d8722cc4db557a7d35b0cf07d7b33e378a9ccac88c46f76f701e57b93
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-uefi-memstick.img) = a48329729e328b12b90930b1231b3720af41fdf44e7e6c2f2c1cd8307811da4089ab13fa17e66c5098d9320120f1a1eaf34d6a3b29e67520b9aa2371daa36b76
SHA512 (HardenedBSD-10-STABLE-v46.23-amd64-uefi-mini-memstick.img) = 0c71b037d5569da32b87fd749477c51e7d8756f08613b99660a294ae1d502d3d235d5d4323ab82ada3f0922a40a439dafdc309fdb92a435224aa591b32e9cf00

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlh21KwACgkQgZsRom/9
GI1qrA/8CizObUwE2nzZG7PXq0c4si1W/cVeMKFGvrp5MkSLG7hZfxtnNJmck1rF
dS/nNRQ2P1Rur4MI+m1GR33D3uF2bTV03YNXtclJ8D/R3eeYRd0Ee8V8cOh/ZcVa
BukZPhvlWiwJmhMacZh2cv+b85GUbaE9VzWhAYNffKtUeFJMHLhmJmILoHigdwRN
RCUKMl/oQZqcegxFnAoxmStJgkEui8HcrsoKprsWmWon4pmerMw5hkbPq8PBntea
nC79eVWy00QSWeloRHncLnFLQxWpcO2FU5HH3cpXGNV0JXE4G7ihxPaz3KMc318G
Ptvme6nMfKULZMDBVXd7XpXJP56x9fCUlGmJrhumMBfDyv8mAkTud7aJx0yS9PAc
Orl82U3Jbk2BAX/FJjeQhGUoNYKyrBQp19T5/hJO00MqEc+/xkxdQNjc7Cd3f8jL
P/BDdUwqZFEmVjZTONamBaKA5HazD+LXuJv107qTLxO257xwoSJbwlccFh/rcHrE
vgBpULno486o84fEzyOUe4gME04U2VjwlsGF+FCtAIwgciQc1gLXZRfXXLv1KfU1
kzww4hKMy/ubfdoLRawXYCM6AB+AjMg0eoVIYBQaWyV/I/AA2rYHzycanxCaU1yy
O4Mwbl50UW2pnHq5Ebq+I++g2QZTQ07KzPiPPq2UCh7Dz5jkJ9g=
=RvOg
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v46.22

Submitted by op on

HardenedBSD-10-STABLE-v46.22 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Updated amd from am-utils 6.1.5 to 6.2. (78047153f3f320f60a8264a8a33abb8636dbfc7c)
  • Updated hbsd-update-build to cross-build (99496b88337ff9bc63e69f8128011d3bf5ccfb31)
  • Updated segvguard
  • Updated libarchive [FreeBSD-SA-Candidate]
  • Updated file to 5.29 (884efc61f7391700d81bb717ea62d897524b2184)
  • Fixed integer truncation in uipc_accf (0be920e8edf4ba492677df6ab6f14d3b9b2b6245) [FreeBSD-SA-Candidate]
  • Lot of various MFCs, see the git log for them

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-bootonly.iso) = 15af65eaa70174c06a8f22ff455b76bc1007ed6548d8b399ba6195b5df000797a3cbeca76adfc85a28befe4257c7ec3b012a35bd5b756d6170b9d53079aa9cae
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-disc1.iso) = e4f5b8ebc9633aaf0d5ea8d57a9f7834271abd457515c595fab40b2dc8dcb80438e9d30f6ef8f1dee658164e7ebfa20d63546157a2502985a06d24be8b6ccabc
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-memstick.img) = d61deb3e9aeac9a719acbef190701621414b1bbffeae398e5775fb4e9368547b543a2fa13a6003b598b10034a6255871c59ebdaab92acb9a987bed51008ca284
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-mini-memstick.img) = 13ce2d0bd82f2112e658deb363fa08587f4016c37bac91ea8668d308924129545733a8b7b68bef5b5f0a675287934059665e94686fe47e844b3992a652daf68b
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-uefi-bootonly.iso) = be43f99c0ad6edea347e011c2c8e72b9a2d70caaff7d48a8416dd2e53877fa6f3558047edb8df930d9beed76a354002bd3cbc3a2b5cb90f26b9b4fb6e45a902b
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-uefi-disc1.iso) = f9dbc1180c07661578141844d0151c82e5912121a0457959d1a28d2874a06b897d19390f03bcb43be6f57e8dd6b2a3bf8b4f6b756efa54e15fc925cba9e0b618
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-uefi-memstick.img) = f65e83999aaa7f3c347b53a83f34b49d5e413a1a9c7d4a7c87e5086b600051ed668e94c759fcf4e8ca113ac138f782236cf275c256ebabb5c29b264e2b08fc1a
SHA512 (HardenedBSD-10-STABLE-v46.22-amd64-uefi-mini-memstick.img) = 1464759ebdaa767f5a9d44d6cf04975e30bb6ae92a8e32f1e8e4545892a2983cbdf3ac05a7a944e0a49440d1fdb720903376055f84c01787356aa9cbb1c50f5e

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlhegzEACgkQgZsRom/9
GI1H/g/8CGGXdeW2PEA3OUd6uhiHOLJraPMma0ABbQ2PwJ7xjRF3+i1AdwXqr8kE
GRHFXFF0elZIPq2bQ6AxwrYEehkP8PpMwSd4xe06CV87ZG0MNYTq401REyyPAKU1
/sJdn8Ms1XcGiaaT2R7tdE+ETpymYy8NCHpnSHw0ploWBgDYLoIWHoyyGMalqSrM
3ZQ2GDH/gMRFc0rlcFOGHRxNk+CQSp4bCyic24pqhZw/Rrjo4d0KnOSAOla+5thZ
/s48MGopkLwcRdxFq0GGfo4ls6QZezkp7JCHZfCXPsIzbOdrnBdO/zFYD6En/JOy
Abaw7PYG1mOWp5COWbYdImS5R7yCblRBPgQBnrNAWnyRNRqBq4kIOJA2HX8xrIIE
EzqH/L+kVgCtHFaeZwy7Oz+TiDw+mY39tOKRDDVIuaMAbutMWJodXuAM3bL5V1Zu
d+awV9eojp2PrDFb/2dhfnFLwG++OOS5mp/jqaqkTwzgyjNeY4dTSfWfRP5aZ2DH
hF9Wu6Fa/+S71wY6r/Ai+P2kvrmo+FWkYA3i8Pqf+lVSGxlOesOSkcYiDViSWgGD
lb0uFSbx0vzSQnBl8yjLfkblvuxFlTPOTgmE0LcE130RqsFumU4LVXeaKYv9zw6v
2Jyl9GJLjuUwb6xNWP1jvMBHzqrUgYQSa0oeL4Kxw8RbGSZuD80=
=mECJ
-----END PGP SIGNATURE-----

Binary Updates for aarch64

Submitted by Shawn Webb on

Our tool for building binary updates for base, hbsd-update-build, has now been taught how to cross-build. As of today, those who are experimenting with aarch64 devices like the Raspberry Pi 3 (RPI3) and Pine64 will be able to receive binary updates from HardenedBSD.

Since hbsd-update stages the binary update in /tmp, which is rather limited in size on most aarch64 dev boards, users will need to tell hbsd-update to use a different temporary directory:

# mkdir /root/tmp
# env TMPDIR=/root/tmp hbsd-update

Please note that aarch64 support is still a major work-in-progress both on FreeBSD's and HardenedBSD's side. Shawn Webb is working with both Ed Schouten and Ed Maste to resolve a few issues with lld 3.9.1. Once those issues are resolved, using aarch64 will become much easier for the average person.

Though this work is primarily targeted for aarch64 cross-building, it can be used with other architectures, like arm and i386 (i386 would need a follow-up commit). HardenedBSD plans only to provide binary updates for amd64 and aarch64 at this time.

New stable release: HardenedBSD-stable 10-STABLE v46.21

Submitted by op on

HardenedBSD-10-STABLE-v46.21 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: fix for FreeBSD-SA-16:37.libc (CVE-2016-6559) improper boundary checking - b66bee517d74e7395ba293bc2f41cc8273f0acdf 54ef6264f7f041d711a6f2a6afeedd2f3646bdd9

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-bootonly.iso) = 75580ab43e32dd5fecf439d4880b5820d96eb96975c5977c0a9ea7cc6dcc39584b1489cb45747833db706ea806775342bcd99ad85359f666dd09323361a220ad
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-disc1.iso) = c656ac66693d68bfddd8909ea58dceff64f6b28607909615ce331359e70fcc4e3fe9427a27f410ff810d68849de907bb82d340afb5f784e43b7777b87fec036d
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-memstick.img) = fbb5f60f5a708cf8d44e3434eb4226329d7c6fbd49781755f8be355931323cf75c506a4ba8e3a82ec68643cc254b6cf434705a25b0ea52357f857c69b2ad87f8
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-mini-memstick.img) = 7b2cfe0075d1d58e21c64359b2d143389be8932c93c12242b17eb463bc0ebd9df0efd564402608ccccc9fc81912896dea859f978c88b998576954bd61604efb6
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-uefi-bootonly.iso) = dcfd6952056243a5989954bafad5396845520b011e6bd5da536b0ffbf3951c04caa5bc1bbee2e0b1cf8c4616819b859a0c51f2ae73a7538d06248b97d59511e7
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-uefi-disc1.iso) = 58a1ff92b43ed12933cbaf3436ec78cab6e1863f09eea9db15e16756975e31a1f9bccebd8d13a6af84d6931ec5f5ed9bf7c71b85c03d72a73ef7ab33dcd548ef
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-uefi-memstick.img) = 77224a1e23d460ec48e5df1c51c6876840817c79590818440e16a92eabb64119e87063763236a75f4a48781165af7e628ca403551fde03f070c16b674ce62db8
SHA512 (HardenedBSD-10-STABLE-v46.21-amd64-uefi-mini-memstick.img) = 52d2d2c46ab0797d87a3903deef608d5918a31ff2e1f9ff5c2e470cc9ea34c1388a3bcb942acb2a40b701789be511b38e6a709e187a1bb303a824c8c339b69bd

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlhIXH0ACgkQgZsRom/9
GI0ACg/+KhecsVMDb/vDD6ttn7NZJmQXia2nsoi0aw0FbqEeksK2cAlbKTr13yBU
OCyFg8zbDM/y1WEcS0Rs2StvqhRWoOU0G8L1H5sWFbQCxdYUZ1ndsbTZaaTSBlky
SQnzAdChWXVQsFXFAjEFA6i8xaHTvHIwxt0Fhw4oEO1FsaBDIY73Db8E3u4C9Cnz
tJuMyZKff6HffhHeBbzNT6eBM84J0r1yodIj7w1/Ep1PJLpEMNrn9IK55AIfxf+X
q7gSV8TKAMt3w0nnthJHN25vHQa7KcgbJYbiqoFVc54Hrm0sBZROwc17nx1+qClh
Qp+MbgK4flWMviL686OAnh7H5lwLLTX9tsMpqb4qC0C0YlvbxaNsenkv5z7cU2vi
E8vPLyiTs+k7Bes1jPpcZmVTE2v8Biu+H7HtPxWbY46GeqGZQ6VWjhIyDrbYCO3n
koDqlcfT7TDkIIqIAVJnidh9MXc5xZdFc9hZI0og507Wog0/ruCigHEjBNAmm6N9
wB04WjM1PrAh7JSGUXpmaDuUliu+m8MF4Jzk0cbk9N8gU4lqMgm3IOb6QR9oHi4i
CK098e1P6rHpdOG1wDsxy0YCDSbS7dOx26onE+2PXbaKx6t72M6sXr4ASZjQ+/e4
StlOllTbOP1KDtr8gZxctTXyjzPcMaEkHEeilzJrvysGAJ1o/H0=
=SVW7
-----END PGP SIGNATURE-----

New stable release: HardenedBSD-stable 11-STABLE v46.12

Submitted by op on

HardenedBSD-11-STABLE-v46.12 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: fix for FreeBSD-SA-16:37.libc (CVE-2016-6559) improper boundary checking - b66bee517d74e7395ba293bc2f41cc8273f0acdf 54ef6264f7f041d711a6f2a6afeedd2f3646bdd9

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.12-amd64-bootonly.iso) = d1e8f7ab85cb80f155ffedff3bbd57847064bed3f3b2ea2f3ead2abddac041e007ff3ba6670373c2288620c00ffb11c3416c973840e5ccb08e03ae42b6fe4266
SHA512 (HardenedBSD-11-STABLE-v46.12-amd64-disc1.iso) = ba868e62c3e907e6e7c8751bddabffc4cca70f4ad7d447e88f68c1dd7c6d7974f8144110ffbdcdca704d7ea4f1e1a2de72562166ee12daa8db1c0632b5befa61
SHA512 (HardenedBSD-11-STABLE-v46.12-amd64-memstick.img) = 0a9f13ef94820deeac880f29e136f2fe904f30990800caddbedff12265cb5faa23252daa1273214c08a79211066d444d585644bbf7027384be938068f9a59886
SHA512 (HardenedBSD-11-STABLE-v46.12-amd64-mini-memstick.img) = c8e636881c0f651cc44d95f97539a7e6b0ebbbea046b66aed63ae1284ae336746c61c7961c241febd386f4f48ec57b0dac3311a9093357f4c606210c9f2a0847

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlhIfBQACgkQgZsRom/9
GI1SihAA4IQh1ptiQ4e52xcv16qoyqK5aZ5XRMFNLyudd/gRuxf7VEtjn5iHTvSH
KEBjHd2lEid0ELiGxKp5OjTLoRNNI3qe0Bzga3fBAbqKkAu2pnI5gpjM3ELt3OLd
/Eojw77mVILWeGdF9ZpYWQIPK6uDUvX/h6IOSkD7Y11ZXts5fjJBGLAhIKg2h0lS
3vyK2dYzDlCWhC6hm2tfxWeB0HeLad/FodS6wijOnlBoaXxrY2k8erIkGJjikb9h
G51hrWOTCoWPxAZ5FQreumyFckNRj9znKvzPrAVC3wjzlqJRuUZCqW0u5EY7ydXG
V5BO91cqc1eJb7gDsGQtzXWxUh3t6Lba9aHNdDpppdW5Sjt0flGWyt0pUptzHpB7
20iojO9UTJ/ba0VoqjNTzmq/Xh51BmNzlh1fvE13hKZAwAq2H3XVYccb9CRcitk9
Jh3A0incGx/qwmr/BmakYiBpvD/2+l5lBepeI4OumINbg8yPLHydk1jZUju3O+y1
cEKD9OjfCZpYbYgeFgmSq+Pzc2QFAKC8RsiMu9+5hHke9UBo0uUxxxTH43/KMF/f
77TveeYhu6XSRQ1xyNZOUPiPZGfBWZ7I33drDRoBXoMLX8ACEteawQjX/mVJbSJB
IZv5V4X8ejusH3StDtPwb7YiFEl2cP+ODIQXsjxtqaM5SA/y9i8=
=jspS
-----END PGP SIGNATURE-----

New stable release: HardenedBSD-stable 10-STABLE v46.20

Submitted by op on

HardenedBSD-10-STABLE-v46.20 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update!

Highlights:

  • FreeBSD-SA-16:38.bhyve - integer overflow in bhyve - 02a6052b3f42f24b9015e26ef196c33cdaf56719
  • FreeBSD-SA-16:37.libc - buffer overflow in libc - 6eec5c0ac4990b2cf298afce48e0ea2529fa645c
  • FreeBSD-SA-16:36.telnetd - insufficient error checking in telnetd - d50c6c5b00e248bc0ebd39164e5b7d56af49d701
  • ACPICA update to fix issues with recent Skylake CPU based systems
  • SVN update to 1.9.5
  • bhyve: stability and performance improvement for dbgport

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-bootonly.iso) = bc9012bd9af9b9a9e1458a5b73f509250a82b90fa0d54126b3ea13630b0f6dea8a42457c049d396b073c52a5199d477ffe892e64bf3fd129c310392cfd440197
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-disc1.iso) = bf585c79fd8cc0bf481e84a369eb76fb30b1bf1dd5c328d43b51e8b88f2033485b94b2be8025758774b95e5fbf67fe620a62ba62fec93d70ed156b41721fc99e
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-memstick.img) = 298f39484d6403403a9213c399d309706ad4c3eaa7181136180af019bea66ff2862d52d9e15c095de58207eccea1791a6fafe13e3e7e4677070fc0cb8c6399c8
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-mini-memstick.img) = 1725c96a19c9cdb9429c951d1b21eca5c1804a9c5d8cbbdd376eb783759b046f8105e2d94d5091b4d00725584d89dade2df2e6128803ee55b98e24af99f93a58
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-uefi-bootonly.iso) = 1a55a48c7ea229c7b994262619db606b40424682a480978d6a95cb1ef29bfef2c8589b89ff27af31a1d4f63a63c4cc96b63dd084b8dcb6fe61cb461677243aa5
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-uefi-disc1.iso) = 00ea40e7afe74072feeb9cddd990eb482aed3259e20a754c0f38ddb1e7d7c63da9886be4740662d48f69334fe0b4dc3fac5195a62f9ca4e4b08c3ee81f6df834
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-uefi-memstick.img) = 46ccc6a8e8684d34867c811efbc3f87c4225fdc5b789235952630052b100a508b2012a6c3b30b703952835bc772d9b99a2687283c9330a6cb8f543eba31ba59b
SHA512 (HardenedBSD-10-STABLE-v46.20-amd64-uefi-mini-memstick.img) = 00815ec0284ccdfc56a5c877555306b444af525a64b78af7a72e1c5efb2ace936345ccba787df4737628cd728aa449e4d0a802e9040811a82a576eed08d13de1

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlhHJzEACgkQgZsRom/9
GI1VbxAAveup7QZKBQSZn3fWgUcdW5C91iqD78UqdGuO07fh8GU7akbh69emf1h7
OLgXSgjxw2PGi2Lt+PxlhMgxTs9KHe20/dX14nOGQnJbRZphH2ZhsyIo1a2Ir94V
qx1d1ha1xSqYMm3xMaj27/Q6aks23lEF5DL+qwNJ6dnpgaU4/K297K+vt5ixtD6H
bxSy3kqSTg2MSx0EiITguoR0c40zocKiqs6QnqIPddgGo5nIeFgktviDH2StthjA
SkqqB7O/Hi8M1ePDOJlFWGuWjZXoc+s+6Y/JdV6FnJv905clrjiVG6wPoV7naPGJ
PVZBjjdjn9i/roF327C3kFagGc7tDLb18xHFJWr6jiOvg5vRNsAoepjwIPSRcUh9
iJPptUgcqBPrpvaBZyZaQsfh5sor7BCYmt7nfS3FU5aaGqTrKawtwqMeF3ID3Q5k
Q+aOxUz/cXQnLSURXG8RyrIfk0I1a4aQoE47lPnlWZ3HHBBYV7/h1sE8sTkuP6pO
OjpadzPF5M4+LMA5qzGKCC+Oo7sISJ55HQjdQa1x3WV1ok7Ph/BfMcj6/v08OTh+
Fauingu+ZoZbj/rQcPN6t/dS4n2JEeeD/KX2JWII4ogP2znIIrZmprOhrKAtG8OF
AHZxVq5/AjXgaBrLPBe5BhDEEA2jKn0e3ifLh+iI8Mfs+5uT8vY=
=7uYD
-----END PGP SIGNATURE-----

New stable release: HardenedBSD-stable 11-STABLE v46.11

Submitted by op on

HardenedBSD-11-STABLE-v46.11 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this a security update!

Highlights:

  • FreeBSD-SA-16:38.bhyve - integer overflow in bhyve - f836007bd73e9e537d2aa37f997452952dc86d84
  • FreeBSD-SA-16:37.libc - buffer overflow in libc - 8ce24fbbdcb70e8a23953f5da6f4687b334c3f84
  • FreeBSD-SA-16:36.telnetd - insufficient error checking in telnetd - b3dac027c0c7df4a5b85edb1c34742a467493508
  • SVN update to 1.9.5
  • bhyve: stability and performance improvement for dbgport
  • updated default HARDENEDBSD kernel config
  • Hyper-V updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.11-amd64-bootonly.iso) = bf0cb0253e6c3b037782d46f7d518934d707e679b876cd8d095255f7132e0c4a0010223b0372e6a14816d224a16cc803ed4fb1f1b236c474d92cb0f09d9a645d
SHA512 (HardenedBSD-11-STABLE-v46.11-amd64-disc1.iso) = b67f247bb254b123bdc82080ebf02c4acef5112a4cedc0adade853c1905838102f58abb8c2a83902beffd6f1265b58a1e26be6c22777f88fc550f3989982cbb2
SHA512 (HardenedBSD-11-STABLE-v46.11-amd64-memstick.img) = 492d0ca285db1db830501ec3078e36236a99cd20f61c6bc0973a0da88f8a9cb7f11051d18cf0a1019421aa94617782c78787fec36af207f67574541d17bc74f1
SHA512 (HardenedBSD-11-STABLE-v46.11-amd64-mini-memstick.img) = 23a494a96584f84951a02f053c4d1e4388a7e4f39535a62021ccb3c106faf4e3f78282ba8df4c8b2b61d5627de40051ecf6efb86c708ba55ed87fc56f1d8182c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlhHXZsACgkQgZsRom/9
GI0UaxAA4i8gmc2xFdsEvfdV69eiObuH+lt7Oa9Ig8yzoHb4hNDZAAz7oPQC6Ila
/eP7+ZLNdCV/OwkkfQzfpGz/yRo0LOxxS2H6bWaIxAMgAVb7O79g0PLcAOUtBDQ/
zZPJ8KQbNtfNDAxqPkDd1h4bBRfLdeg0uYp2eORdv5ff+ElqN7J6pX+WP2oTmKiX
5GdiEUWLxyLg0fJAgZpNGsSkbU1AA9wFsJDJFcxh7zQC8cC2sor+/2a8TKy3YGLB
qRYANiDdwZmXdeIOHxV70k+gN0ra/yxZCP+3813bnOmBzZjX3DsJ2TpmSJK6EYMd
zRKvTl3Lhgz4oDF9Tr00ob4jExDapAKTgg3ZxuzYW1QG8vpd8RqJbnsRTRE3vVxD
gW6y8U5xviQdO38d8xkeaMIxz5t4EHcr0d4rQhtjnI0sz+QQajZkwOkuqFgJ7TN7
ayR541g8ksju30RfdXMuGtn/ZVFOSKN8cCxohqAw37iC18uy7wyT/naNVJFpru9Q
M1PhNbhbSS7Npawr12aZu+B29keZ3S8Y6reyk1j92UUtkcw3utHN6CLlmpweXpga
I9b0wMj2gtbXAvRsfQfra4zK0OK77+R3xm7cpNhfCbsRh0zhs3Idzu0YJy5yxT/G
q1fRbZmVxQOELfhSn9XSmKcecajCCbsB+cMfobD9eeDbVZUZdqk=
=XzZQ
-----END PGP SIGNATURE-----

New Ports Tree

Submitted by Shawn Webb on

We sync with FreeBSD's GitHub repos every six hours via an automated process. Our automated sync process sends us an email with the status of the sync: if it succeeded or if it failed. If the process fails, it tells us why. Having this automated sync process allows us to follow FreeBSD closely and manage the occasional merge conflict with ease.

Late in the evening on Thursday, 01 December 2016, we noticed that the sync failed for the ports tree with hundreds of merge conflicts. Even files HardenedBSD hasn't changed were in conflict with upstream FreeBSD. Around the same time, other people outside of both FreeBSD and HardenedBSD noticed something was wrong. It turns out that FreeBSD's script to convert from subversion to git had issues. FreeBSD has given a brief post-mortem on what happened. The problem affects any project downstream of FreeBSD that uses FreeBSD's ports mirror on GitHub.

On Friday, 02 December 2016, we started looking into the issue. On Saturday, 03 December 2016, we stopped the automated sync process for our ports tree. We made the decision that because the FreeBSD's ports tree's history had been rewritten, causing commit hashes to be different and merge conflicts with hundreds of files we never changed, we would recreate our ports tree from scratch. We have imported the core of our changes to the ports tree as a single atomic commit. As such, we will lose the history behind all the changes we made to the ports tree. If you followed or watched our ports tree through GitHub's interface, you'll need to follow or watch it again. We're running an experimental package build right now to make sure our ports tree is still sane.

As part of FreeBSD's post-mortem, they noted that the same thing can and likely will happen with the source (src) tree. We are investigating what we can do on our end to mitigate any short- and long-term issues stemming from FreeBSD's subversion to git conversion process for both the ports and src trees. Obviously, losing the commit history for the src tree is much more serious. We are working hard to prevent that from happening.

Introducing SafeStack

Submitted by Shawn Webb on

We are excited to announce SafeStack in HardenedBSD base, along with the availability of SafeStack in ports! SafeStack is part of the Code Pointer Integrity (CPI) project within clang. For those running HardenedBSD 12-CURRENT (the hardened/current/master branch) on amd64, you can enjoy the benefits of SafeStack. Simply sync your source tree and rebuild world (you'll likely want to rebuild kernel to match world, of course). SafeStack is enabled by default for amd64 only. It is not ready for other architectures (like aarch64). Additionally, SafeStack is only applicable to applications, not shared objects.

Since SafeStack is still in early stages of development, we will not be enabling SafeStack globally for ports like we do with PIE and RELRO+BIND_NOW. Instead, we will add a flag to commonly-used ports entries that will tell our ports hardening framework to use SafeStack for that port. Users always have the option to opt-in or out a port via the config.

As the lld project becomes more mature, we'll make sure to test other CPI features. We hope to incorporate more CPI features in the future.

UPDATE 28 November 2016 - More Info:
Not many people may know what SafeStack is. Below is more information.

SafeStack is an exploit mitigation technique that creates two stacks: one for data that needs to be kept safe, such as return addresses and function pointers; and an unsafe stack for everything else. SafeStack promises a low performance penalty (typically around 0.1%).

SafeStack requires both ASLR and W^X in order to be effective. With HardenedBSD satisfying both of those prerequisites, SafeStack was deemed to be an excellent candidate for default inclusion in HardenedBSD. Starting with HardenedBSD 12-CURRENT, it is enabled by default for amd64. Support for non-amd64 architectures is limited by upstream clang.

As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries. As such, SafeStack is still undergoing active development.

SafeStack has been made available to the HardenedBSD ports tree as well. Unlike PIE and RELRO+BIND_NOW, it is not enabled globally for the ports tree. Some ports, like ports-mgmt/pkg have SafeStack enabled by default. Only those ports that have been tested to work fine will have SafeStack enabled by default. Users are able to toggle SafeStack by using the config target. Additionally, the SafeStack option is only applicable to amd64 architectures. Attempting to enable SafeStack for a non-amd64 port build will result in a NO-OP. SafeStack will simply not be applied.

Here's some good weekend reading for you if you'd like more info about SafeStack and CFI/CPI in general:

  1. SafeStack - Clang documentation
  2. Fine-Grained Control-Flow Integrity through Binary Hardening (PDF)
  3. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity (PDF
  4. Code-Pointer Integrity (PDF)

Pages

Subscribe to HardenedBSD RSS