The published exploit for the sftp configuration vulnerability can be easily mitigated outside of sshd/sftpd. grsecurity (aka, grsec), a popular third-party hardening patch for Linux, can restrict Linux's procfs to lock down /proc/pid/mem from being written to. Linux systems using that option, then, are unaffected by the sftp configuration vulnerability.

EuroBSDCon was a resounding success! Many great presentations were delivered that discussed security and gave the HardenedBSD developers ideas for features to implement. I met a few awesome people for the first time, including Ed Maste and Ilya Bakulin. Ilya Bakulin is a developer who took great interest in our ASLR work. He knows ARM pretty well and took a look at the bug that we were experiencing on ARM in regards to ASLR. Within a few hours, he had a working, stable, production-ready patch for us to merge into the HardenedBSD tree that fully fixes ARM.

The i386 package repo based on the hardened/current/master branch is now live! The packages are signed by us. The RSA certificate used for package signing can be found attached to this post and can additionally be found here. The repository can be found here. We will be updating the i386 repo on a weekly basis.

I had the opportunity to be interviewed by Allan Jude and Kris Moore for the BSDNow video podcast. I had a lot of fun talking with them. I've interacted with them a little bit over the past couple years. They are great hosts and had some terrific questions for me. Great publicity for HardenedBSD.

Welcome to HardenedBSD! This project aims to provide security enhancements to the FreeBSD project. We plan to upstream most, if not all, our projects. As this site is new, please expect changes and occasional downtime.