HardenedBSD Status Report

We at HardenedBSD have a lot of news to share. On 05 Nov 2019, Oliver Pinter resigned amicably from the project. All of us at HardenedBSD owe Oliver our gratitude and appreciation. This humble project, named by Oliver, was born out of his thesis work and the collaboration with Shawn Webb. Oliver created the HardenedBSD repo on GitHub in April 2013. The HardenedBSD Foundation was formed five years later to carry on this great work.

As I rebuild the HardenedBSD build infrastructure, I will be performing the following user-facing changes:

1. The hardenedBSD-STABLE.git repo will be archived off. HardenedBSD will still utilize the hardenedBSD-Playground.git repo for collaboration with third parties and extremely experimental code.
2. We are slowly transitioning to being fully self-hosted. It is my goal to complete the transition on or before 31 Dec 2019. This means we will stop using GitHub altogether.
3. Downgrading 11-STABLE to community support. Given all that's on my plate, I can only maintain 13-CURRENT and 12-STABLE right now. Therefore, if the community wants 11-STABLE support, the community will need to provide it.
4. git commits performed by our infrastructure will be signed by our dev key. Think: our auto-sync scripts that run every six hours.

Now for random bits of other news:

I am currently working on getting the sync scripts running on the new infrastructure. I'm not too far off, but it will likely take around another week to re-enable the auto-sync.

Our amd64 package builder is experiencing stability issues. Due to some upstream network changes, some packages are failing to sync. Our package repos for 13-CURRENT and 12-STABLE are woefully out-of-date. I'm actively working on this as time permits. I have no ETA for updated repos.

Ben La Monica from The HardenedBSD Foundation is looking into LDAP/Kerberos integration for our infrastructure. We're looking to unify everything in order to enable finer-grained control of our infrastructure along with easier centralized management.

The new build scripts are coming along very nicely. One last change I need to make is to skip the build if no commit happened between the last build and the freshly started one. With commit https://github.com/HardenedBSD/build/commit/7aa3f2f3617db85727ac679ddc62..., the build scripts now track the revision of the source tree. This can be used to check whether there have been any updates since the last successful build.

By the end of November, I hope to turn the build scripts into a port/package. It is my goal to be able to `pkg install` our entire infrastructure.

Given the complete rebuild of our infrastructure, we will no longer use the domain installer.hardenedbsd.org. Our primary mirror is now ci-01.nyi.hardenedbsd.org. I will update our website to reflect the changes.

To our mirror operators: due to the complete rebuild of our infrastructure, I have not yet re-enabled rsync on our primary mirror. I will be taking a different approach to authentication than before. I will provide example steps to convert your existing configuration to the new one.

I'm excruciatingly behind with the administrative side of HardenedBSD. If you have donated and I have not reached out to you, please forgive my tardiness. Know that you're not forgotten and I will get to you soon. HardenedBSD, and especially me, appreciate every contribution, no matter the form it comes in (code, money, advocacy, etc.)

Lastly, I'd like to thank everyone for their patience. I know this downtime has been extensive. I'm grateful to have the opportunity to serve the community in my spare time. Thank you for providing me the opportunity to serve you.

Stable release: HardenedBSD-stable 12-STABLE v1200059.3

HardenedBSD-12-STABLE-v1200059.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r350645: Correct ICMPv6/MLDv2 out-of-bounds memory access (6d7f541fdbb75dd9cc790d444ff37e07c5fdeb3e) [CVE-2019-5608 FreeBSD-SA-19:19.mldv2]
  • MFC r350635: bsnmp: add asn1 message length validation (be804d75b90865776e2d1174d40b6286a0679b950 [CVE-2019-5610 FreeBSD-SA-19:20.bsnmp]
  • MFC 350618: Validate guest-supplied length of headers for TSO transmit requests. (34ae5e48301f4335eab70b8f038cc06466f8c5d5) [CVE-2019-5609 FreeBSD-SA-19:21.bhyve]
  • MFC of 349589, 350070, 350071, 350096, and 350187: Make filesystem-full messages limited per filesystem rather than systemwide; Add "untrusted" option to mount command (7b0bf49d917630384de9b314ec18d4cd34aa8ec3)
  • MFC r350362 r367068: stack protector fixes for LLVM generated codes (ad1889b30609a8069c5c53365124ad27a6ddf907) [FreeBSD-SA-Candidate]
  • HBSD: set LC_COLLATE to C by default (1ec32fd40173ccc1ed7a3d32fef6839d382a76f4)
  • MFC r350310: Fix the turnstile_lock() KPI. (5a909d99e63dfd80e01cf83d49a5f1542492ba3f) [FreeBSD-EN-19:14.epoch FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200059.3-amd64-bootonly.iso) = 5557676ae6108964f2da47d28803da1912fd70cfa0a9d388e066f78a0e9bad58f7c5a2abad247116f11c7f399f79de2f74bc60c89823c14d6a9ddc8a3597d338
SHA512 (HardenedBSD-12-STABLE-v1200059.3-amd64-disc1.iso) = d49899b7f8b9922da3212c937e1b9ddd29c127002b6c257209694d24b0bc58758c8c785b906bdfe45c3fb8071f3d3bd127ace6d06a4eed3ddc15e3796eb669af
SHA512 (HardenedBSD-12-STABLE-v1200059.3-amd64-memstick.img) = abb3d156c423a55c23070b01a64f705eed33dc833fe56090c00cb6de69d63be2d880f3a4350ae860eaeb5e0b25eb02cddadb154c6d3b31d489f4ab28e8322da0
SHA512 (HardenedBSD-12-STABLE-v1200059.3-amd64-mini-memstick.img) = 1d812808356714e0df7048740e7d7d1e7b6b62de0fb5e0551bbb8e950a40a8f9f241b3c14d26fc9269bb1d00febe027ad65b7f6e60cb3c171d616c965e27e2f7

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAl1Ln+8ACgkQgZsRom/9
GI3ETw/+KH7pzMhOV5/FB1WO5mG76QQQdCOZ6kyBKvq2unOHYl/iWz2vXD098v56
R5yVsofVNameLhSrJUt9ZdavWaXfsUoz+IqNX7oO8n8iwdRhQj2hhq1sKbImOSms
3dfRXxBkuL7uKkf6API7qXU8bkwYsEQ8sIIfD2/ZwU8DwTrILeJK0OHf++SPD2F9
/055Ed+5TEO1eHuKkntT3L1vm80WBHHtKP9U68t87U1FRdwiNmNt8cvgQULEBBri
ZthR5w+QXjOHO1Dp9WQniyelqU9I2AdDYWS01Cc7LC4hhZfMElUJHyv9XjVvpGuM
2saKT5c6siPNrcCzbrSuWzHLbCiMmav/S81eKFMG7DkCPx7KqfKkEC7xZYELM1LA
E3a+SSKz3VQ4tGsgaxKsI3PHDe6XtsqPY0gT13V6okKS8w4XSYq3I+O8MOeh9ruH
WsbfkaZfesLncHEtLomKS+d3W0pCI6I0tfVgOfyfQJIEPdXTYsQUlAoADZse7fOB
sjxPDJU9NInwjFCt+dgr/4P7unKDPPhBTOsm/ideIAXLMhjXG7cvk3FfbfeWx8Yc
9TJsBXzaWiHZdaVagL8dLaUYKPVxQvUrN4bmomqzosxrsbcIv4t7tHIr7MIRbJDM
h0Em3oDmYJmi9zS38nLbd2yMUwja/U6gyXv+Cs1VRL2eXJvVJu8=
=Lquj
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200059.2

HardenedBSD-12-STABLE-v1200059.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r349800,r349801: Fix misc fs fuzzing issues. (abeb80bc5ee82a9a96da492c241fcbe91ad3e22b) [FreeBSD-SA-Candidate]
  • MFC r349802 (from fsu@): Add additional check for 'blocks per group' and 'fragments per group' superblock fields. (fcbcaebd25f0e43b12eb6b7b8302730153258350) [FreeBSD-SA-Candidate]
  • MFC r347695, r347696, r347697, r347957, r349326: Lockless delayed invalidation for amd64 pmap. (388f0c181108947d84d1233cc47b24024bd410e7)
  • MFC r349880: Let linuxulator mprotect mask unsupported bits before calling kern_mprotect. (bc326df65733684bc27deb22858a39981dd6b854)
  • MFC r350260: mqueuefs: fix struct file leak (bcc86242833757585d3c8b9663d8e9c55f8ed3ff) [FreeBSD-SA-19:15.mqueuefs CVE-2019-5603]
  • MFC r350244: bhyve: correct out-of-bounds read in XHCI device emulation (04ce7e77c7a5db5aed779d54632b9b19ed0ba9b0) [FreeBSD-SA-19:16.bhyve CVE-2019-5604]
  • MFC r350156: Fix leak of memory and file refs with sendmsg(2) over unix domain sockets. (19e53c56013af9f42f2e6177da6c6451c44156a4) [FreeBSD-SA-19:17.fd CVE-2019-5607]
  • nand: create device with 0640 permission (88f580f1ce2c81ab9c16df41fc9edf987cf5e792)
  • MFC r349890: telnet: fix a couple of snprintf() buffer overflows (7e735c9feedada921a291c023836b26b6547d032) [FreeBSD-SA-19:12.telnet CVE-2019-0053]
  • MFC r349733: Defer funsetown() calls for a TTY to tty_rel_free(). (4c06d4c0cc403122e743fc35e2f5fdefedb562b1) [FreeBSD-SA-19:13.pts CVE-2019-5606]
  • MFC r349834 Ignore kern.vt.splash_cpu without graphics (b9fd7203ae04df3457cd5c4aca370de6b4ba3646)
  • MFC r349581 netmap: fix two panics with emulated adapter (2672ab35fd1ea58da0a7dcad23925d977425ac1e)
  • MFC r349913: Ensure that mds_handler always points to a valid method. (c411b3266a9f97903667e7ab70fcb1a4a26f977a) [FreeBSD-EN-19:13.mds]
  • MFC r349876: Apply a workaround to be able to build clang 8.0.0 headers with clang 3.4.1, which is still in the stable/10 branch. (4453d146f0d636f8108822c3ef898c73adfdea46)
  • MFC 347238: vmm(4): Pass through RDSEED feature bit to guests (e64222ca6e6aac4bbba4e56ccfb6b136c71ec5d6)
  • MFC 339911,339936,343075,343166,348592: Various AMD CPU-specific fixes. (2c0a81ad596517f49c5069ce32d1ec6754dc0e4a)
  • MFC r349753 netmap: Remove pointer leakage in netmap_mem2.c (b158d710d859111d1370c945ac79f250750cffeb)
  • MFC r349527,349538: Sync libarchive with vendor. (2767b0a23c9249e482b7c9681cac0cce5d832bf0) [FreeBSD-SA-Candidate]
  • cxgbe updates
  • libbe updates
  • bhyve updates
  • LLVM and Clang updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-bootonly.iso) = 825d5f5ac4aae2e7146984d4f267dbb235b72ec4d87037227a44474172d1665976c8cd21a58c2fd5b661a799aee861f3c7e99e25c5a13851fbff76ff9925e1ec
SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-disc1.iso) = 517554a50ae942a5689b063188fd2b15fcadd3cf6cd890953072d1e949936a5134fcaee57fbcdac3a2b7f095f90957e9bc62e6962f1e5087218231758c54000f
SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-memstick.img) = 6dc3d2b2ffb7d74798b24c5d56cdeea0bad48630a26c5c69ed94f95d9a0e622486d81a44d6fd6823e4944c9b957da2c122f4c741229ded2120200e765213adf9
SHA512 (HardenedBSD-12-STABLE-v1200059.2-amd64-mini-memstick.img) = 1e7c2e6c64d0fcb6687e15fb8f6efe313891a69532f806f8bb1dee333a1b07b8de0d217532c2be41d9459c7b7148efaec469ccf3993385396721c7b4756ee947

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAl0+XtoACgkQgZsRom/9
GI1fSg//eyKb4hpWHplMFgge6EsKzbpnwDUSmTTQ8jnT2oShRoOPJsveRsG3rmln
XUb2mOYm+xDptKzk+EounQbbz99i/BsPJ6TgPoWImhVfGKgFvzfb39BCLyzIaYC2
EiunpoyqpjVnfAYlE9lxea4gPaCZDQTk66uDQHpw0ccXZBV7rh3iM9AWxoftNGke
t3+KOjtLcuDIBtJY7PrE1LCvaQQF6WHmA9s723fjonzVslKZybJckfa3+ABFBDpk
YNZcpK8dUfM0+GniyjHuXppFzHu11I5hoxEapMsgysg4sqUOyzc11N42L5eN86SO
STqAuwJWJm7SYKI5kJPRKYLQNO0b1xKpv4VuJ1NvjRd936HrCETCRZ82WJIgCx6E
lZPasAdNZjqWBxm6LpJFmujqeVjFfdIqTxg1tlYPWXyqNJFJIlgJMHLj3shfnqbq
d2oodVCwJ4cj++V5Vi9erTWJMI7Q2jXqBIYW0lyTRyXatbs1as9XoXLxC1nI3WML
YB3kxbOIyJUAm67wtp4yrS8dkGRIWbNKitWE0mjl3zrmb7oPM0o3MY6Ej1yvk+bV
XHAafX/QW2xv+HNTrcSnkWZdbqVXFdZ9SqXeo0p6piTtpWyInDuQosj0RZgSxTYZ
YCzQNykEC7adikHafAJc6YfQXfM4Pyv617tS9dpVvR8mxRGgHig=
=Yfhd
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200059.1

HardenedBSD-12-STABLE-v1200059.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC: r348590, r348591 Modify mountd so that it incrementally updates the kernel exports upon a reload. (8fc34de4348e10c2fe3caa879207e8f680869353)
  • MFC r349098: Add macOS-like three finger drag trackpad gesture to psm(4) (59d69e81f89ec2bf540bd541ca70b98ebed5d56f)
  • MFC r349505: Upgrade to Bzip2 version 1.0.7. (1ab7a3c679d7799521e36a9c39b4a2b80fd38c6b) [CVE-2016-3189 CVE-2019-12900]
  • MFC r349320, r349324: coredump: avoid writing to core files not owned by the effective user. (a6fa17ec3d64e79811898fc7583e84f3f395a918)
  • MFC r349268: nandsim: correct test to avoid out-of-bounds access (331c7e44e797346bb0dfc378df9e0e5817d95f22) [FreeBSD-SA-Candidate]
  • MFC r349627: Remove the CDIOCREADSUBCHANNEL_SYSSPACE ioctl. (38642b530610dedbc0ad196142084e1ca430f7c0) [FreeBSD-SA-19:11.cd_ioctl CVE-2019-5602]
  • MFC r349619: libc: correct iconv buffer overflow (cb54f676c0944a9d5fdcd51694a7b2c22b7a2e56) [FreeBSD-SA-19:09.iconv CVE-2019-5600)
  • MFC r349592: Import tzdata 2019b (13738a6816f88c46ee5bd68fad8fa28190bafb63)
  • MFC r346455-r346458, r348520, r348529, r348817, r348818 psm driver update (da6caf7e1c0ec69c62f78a9d35daaf98537fa3cf)
  • MFC r348993,349135: Sync libarchive with vendor including security fixes (1859a7c1c120cf5f715a3ed1ba33d4803545fc39)
  • MFC r348802: Remove lazy FPU switch support from amd64. (6fc5e4fc0f3d8e3dc5a20afeefcb4b91a14e1b7c)
  • MFC r348764: Allow UMA hash tables to expand faster then 2x in 20 seconds. (2a2c9badd703299881fa77922e15fe59a2c4a10f)
  • MFC r349192: Add the ability to limit how much the code will fragment the RACK send map in response to SACKs. (92a5c7e46d2dd9da06acaada6e80f09025178556) [FreeBSD-SA-19:08.rack CVE-2019-5599]
  • MFC r347949, r347955: Implement the M_NEXTFIT allocation strategy for vmem(9). (fc11b182567b0181381f92b138c27e643b6bb372)
  • MFC r348742: Fix a race between fasttrap and the user breakpoint handler. (932a7c43f8c578b2f7ce11159255f7821a7fd262)
  • MFC r348539: amd64 ef_rt_arch_call: Preserve %rflags around call into EFI RT service. (16f0086b6fe2ab6a7d01baa506bafc3d1e31eba4)
  • MFC r348235: Add `missing` and `or-flush` options to "ipfw table create" command to simplify firewall reloading. (07cb67bb29cc94ecde0224398ccef951224299c5)
  • MFC r348065: Correct the way remaining battery life is calculated (e520b68ee6de2278be76b743e809b021976e768f)
  • MFC r348059: vt efifb: add suspend/resume calls (52c1462530025659fbbc14e6b27dfdcaac5779ba)
  • AHCI and CAM updates
  • RISC-V updates
  • ZFS updates
  • bhyve updates
  • cuse updates
  • cxgbe updates
  • dhclient updates
  • epoch updates
  • iflib updates
  • mountd updates
  • CVE-2019-5601 for UFS is already fixed in our previous release, but you may need to do additional steps, for more information please see FreeBSD's SA: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200059.1-amd64-bootonly.iso) = 18319be6e915849a48765235fd57008e6e93f232cfda46b3d0947d7088222e138f7c3d94c26d721987ee0029070d7b37fef7e5eec356d7e7c2d17e738cf24be3
SHA512 (HardenedBSD-12-STABLE-v1200059.1-amd64-disc1.iso) = 45285fb7c1e63e3e22bd56722f3f8a98c982d8543dddea02cd3cd763e9a0f0672e09810bb5e4e2180db3c6cae79947a6540f05ec0f15133a120535d33da8d477
SHA512 (HardenedBSD-12-STABLE-v1200059.1-amd64-memstick.img) = a0d5aa1afda605ecf8b2165dddac8e42ae01e6a240ac1218c1aede175e0022aee72c7e2ea516654d3205e2d72a64fdef886313246abfc2d4245e1347230ad1ca
SHA512 (HardenedBSD-12-STABLE-v1200059.1-amd64-mini-memstick.img) = a21a72e40d8ed986c28631189bbfa326d87a597b906ba786e378d4f254d352d189fa2eda91a29e0e72d3d23ee1c178e83604b01b773d95708c9130b24e77e056

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAl0kDGoACgkQgZsRom/9
GI1KGw/+L3jLsUowNoNmBzuQT9hq4cLB//HAnpGLJAYCZH0Lue8dhj5JHKGdjRxn
8oR/19iD4kvHn/exZ4dASWSf4ty3BOtAMpjrowFhfmTNM7j0oY3ePAuXFaSnsSZd
Aw96ncjoi7WqZCYqRzNNfyPxO1RA0Cw7Buk5a1PIyKn7u+PUV6Ebs9mwG7xXzHk/
tRboaBJrQw4oVq/PzKxlYM7EZNd1XkiA5EFflnX6LgVxAGzSmZ0eQ1QkfrCeP4Fe
oRizNEk3wbwIGAWtYx3XkDPUmY3kgmb+t8juqaAnXh3WayGhKQ+j6h/zgId6P/gN
Wm5wdGlmDKKRggLfP8Wmex7JEzJsLVpqT3FaeN3+Rhye/wjbGPLcvYpWTaDKiF7y
EZBrwaLpwglce/S/1pp8eSffhBCjQbclIyjRwXavwq5ZkVFhSshc3gD4EjhyyzvE
jfw4daaFfsAyy5JA2cm2N4LRcg4eU7V9TubBLZ8kh0X8IfsqZcvKwgGQ3TU8mB98
3AmqmGJmRdaIyevmA+vraFfO6mYOQB0Q08vTVWmHv7a2QckQG/Jlhh5JF7+dtjQ6
GaS8CUlkWK0+vWPLfo51g//XmpGlwA3bk3q9HEhYGJ5nQ5jCHTHrk3WOMpegBYNV
DIelPadHZ+hm4iC/D36Jfq/KVu2MhSvuhfx458vinzKg+TxoMBQ=
=Ilar
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200059

HardenedBSD-12-STABLE-v1200059 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r348167, r348168, r348359, r348361: Add posixshmcontrol(1) utility. (a6d485ce245aa9798f9e402c446010f26ab974ba)
  • MFC 347033: Increase the VirtIO segment count to support modern Windows guests. (8fb552d38dcee4f17df31d13ac823568a76c5988)
  • MFC r348052: NDFREE(): Fix unlocking for LOCKPARENT|LOCKLEAF and ndp->ni_dvp == ndp->ni_vp. (7b981e827b29bdf244f703e789cb02e6a37729b9)
  • MFC: r348340 Merge OpenSSL 1.1.1c. (c7f23c34d5a527b166b59c18affdf950c00f454e) [CVE-2019-1543]
  • MFC r346630: Add GRE-in-UDP encapsulation support as defined in RFC8086. (fdaf572e031362aef90f3c22f9b9047d11e9d545)
  • MFC 346649: Don't panic for empty CCM requests. (71cf38a72587fcb47855679e4d7cb03d0bae610c) [FreeBSD-SA-candidate]
  • MFC: r347960: bhyve virtio needs barriers (7532fd50c7e8c7f5ccd2f115a4dc4c4cf5ea0f62)
  • MFC r347698: amd64 pmap: sysctl vm.pmap.pcid_save_cnt should be read-only. (330c65332bc1b5aabee212304b2a35ba45542650)
  • MFC r347216: amd64: fix BUS_SPACE_MAXSIZE to 64bit max value. (489fe9b7411487422c33302cdbe2eb48b8bd6b90)
  • MFC r347570: Specify -z notext when building with -z ifunc-noplt. (3d54d872091ac7fec0390e283884a4a685a4a301)
  • MFC r343985, r344133, r345273 (by bde): Prevent overflow for usertime/systime in caclru1(). (6fc6ab1b7187c5fb8fa31d10c8822f4603768ba5)
  • MFC r346647: [acpi_ibm] Add support for newer Thinkpad models (28e53eb78bba63e7cd921faf4898378824a8d8d4)
  • MFC r347368: x86: Put other CPUs into tight loop when updating Intel microcode from loaded OS. (743eb89b18e3724d8e168b6f6eda45a5c018c78a)
  • MFC r347566: Mitigations for Microarchitectural Data Sampling. (912787467fb48024d8780b3531318feeff1bbbdd) [FreeBSD-SA-19:07.mds CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091]
  • MFC r347133: arm64: Properly restore PAN when done with userspace access in casueword. (e939702ff316aafb6dc3a5e37ffed3a7ef29d536)
  • MFC of 347064, 347066, and 347130 Avoid leaking kernel stack when creating directory names. (0775f68d9024850d97a2384d89aff0916617996b) [FreeBSD-SA-candidate]
  • MFC r346594: Add ATA power mode support to camcontrol (fb397ee57c8c08365ddea8b35e1ae619d1674dab)
  • MFC r346602, r346670-r346671, r347183: tun/tap race fixes (e42a63a0bac36aaf468f1ab6042f3f3b208087c5)
  • HBSD: Add userland plumbing for SpectreV1 mitigation (0eda8358d017fdfa6cf841e0a5918e8674712042)
  • MFC r347139: MFV r347136: Update sqlite3-3.27.2 (3270200) --> sqlite3-3.28.0 (3280000) (937edc9caae05881949f1d5adec523a8943c49ae) [CVE-2019-9937 CVE-2019-9936]
  • MFC r346990: Fix another race between vm_map_protect() and vm_map_wire(). (b306eea91bcace5bd60b1c25f1a5b625a2226d1b)
  • MFC r345576: Merge r345574 from vendor-crypto: upstream: when checking that filenames sent by the server side - ssh (4594eb5f8ed47dff8bdb1e555bdc26ec8448f454)
  • Zero out the file directory entry metadata to reduce disk scavenging disclosure. (f9cd4e1d3edf4a05a109839fc4338b9e7a6b5a8e) [FreeBSD-SA-candidate]
  • HBSD MFC: This update eliminates a kernel stack disclosure bug in UFS/FFS directory entries (81b3a31ed35e05be964abad7374080e8b010a780)
  • MFC r345525: Fix a double free of an SCTP association in an error path. (4350926df0301958d0879d93b510e0c8eeb08799) [FreeBSD-SA-candidate]
  • MFC r345461: Limit the size of messages sent on 1-to-many style SCTP sockets with the SCTP_SENDALL flag. (b1fb067d0a1dcab555fb5859f174e218c9ccab0b)
  • MFC r345797: Add IPv6 transport for bsnmp. (ceaff709e86a05afb78e8ef0e13ca3dd93c89918)
  • MFC r341759, r341796, r341839, r341989, r346591: The following five MFCs update wpa 2.6 --> 2.8. (7494a812d27d369b1105029fceca079471d684f6) [FreeBSD-SA-candidate CVE-2019-9494 VU#871675 CVE-2019-9495 CVE-2019-9496 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499]
  • MFC r345830: Create kernel module to parse Veriexec manifest based on envs (d4e7b8af8c3f2f5c222ab5fa49a6fccebec367b0)
  • MFC r345438,r345842,r346259,r346261: TPM as possible entropy source (12443d58f92f94d7e28f728696d4d189059e99e0)
  • MFC r342084,r342251,r342271,r342285: Introduce TPM2.0 driver (f036b474dc4bec6645039497beabcd97fe2b83c0)
  • MFC r344840: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation (d0a2db0d1fb36f25c570e27238a6e0d76fb42d4b)
  • MFC r345966, r345968: Implement devctl(8) command 'reset', using DEV_RESET /dev/devctl2 ioctl. (3992f8af9955f7de08d08dfe02da8d4ac5cebf3d)
  • After r346168, also merge build infrastructure for LLVM libomp. (3f18402bc61b71a85aac995ef1a77454ea453939)
  • MFC r345425, r345514, r345799, r345800, r345803, r346157: Enable tmpfs rw->ro remounts. (98f1fb40da548d1278689d4c7bfc1e304da2510f)
  • MFC r345293: Update NAT64LSN implementation (cab22fce3d77d127c205601140c959bd8ab2e8af)
  • Revert r344898 (by kib), now that clang 8 has been merged (61688088d29805ea68449a8c443b4be2e8adaa4d)
  • Merge llvm, clang, compiler-rt, libc++, libunwind, lld, lldb and openmp 8.0.0 final release r356365. (37e0a32cb919afa1ddf726ad5244dc0bd8524583)
  • Add support for loader veriexec (69d2666cee810da18c8bad94615027fa8e28e612)
  • MFC r343065, r343373-r343390, r343477 if_iwm driver update (f370d6a9bd8a354e9a3d03992cf3c843e108a24f)
  • MFC r344569, r344618, r344621 r344569: Implement parallel mounting for ZFS filesystem (b0578f749217f485405d4aecaf7587caf9a2e89c)
  • MFC r344502: sh: Add set -o pipefail (038c4614d0217200688309779c9fb408b4e4b015)
  • NFS updates
  • ZFS updates
  • bhyve updates
  • big LinuxKPI updates to catch up Linux v5.0 KPI
  • cxgbe updates
  • elftoolchain updates
  • iflib updates
  • libarchive updates
  • libbe updates
  • llvm updates
  • loader updates
  • lot of SCTP related bugfixes found by syzkaller
  • mlx5 driver updates
  • nvme updates
  • secureboot related updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-bootonly.iso) = afe98861bf4313eb7dd248feb064cde5bda02ad5a4cfdf2d7dae5fe8f33a69b7782c0462113de940b2a81c6aa2fbf4ad9d7f44b27fc62414a6a79e533bea3204
SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-disc1.iso) = e4601a89d7d6633a7ee7c6642fc073e7660dd4d86c73f6901c6dfb6cc8315c2b907838ebb4506a78c9f12b34d3b77215ba8846e79fcb4be1acbf0af13a3ce79a
SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-memstick.img) = a998f3eef40d3c508624e7c824aaa5741a058670646895987e056d2754e43466e24e3b4d05f499c6dace965a75e96a981db23d1f0a18125b6683e2749a603cf1
SHA512 (HardenedBSD-12-STABLE-v1200059-amd64-mini-memstick.img) = 38885d8a5b1ced86863ac0891a1e93901f5dd0f0ee35ffccd28b4764e20fc899950279a7a623f901fb1627f87dccf00108f4a4b4c3e9b208dcbd1a7e2e2a592c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlzx6vUACgkQgZsRom/9
GI3G8A//WVETImttEd4i+WkM4tC7E6NKVO+oXKIehKZqQu5G9gmUqwLbvMTY0eP/
K3ea/aioh1DlLlkmvpALTA24Hxuz+OVkEIa+Vml2/eOUS1Bd0FNhN5ihb5JCogsb
Uo4Bjd0p50Bxe55MTnaAuPWbJTLpBKGuboPgOd7GIzSIl0d+omEFNcTJb+24IYyF
icW0dS5E7wQ3VpbGAp9xPvXRUUACrIb0J6yuV237dVQhCYgSOtGcv+/9fh93fbpw
h+IhnyEtDjapUJ/zNwoCGmMtKjN753s5ocLYEzq/LUkBM0LLs17W4bioTNIzhzxr
4YD3qVEhVusbNiYKvwiwKgl6S4LqKQsPLjOixV0EUHfzNpm7ZpfS7oLFE9HNz1td
sBWWWOzizcnvuiL4em3CLkZk4PiuRByUpM0b1X02apZzpfm8ntWM3fxNWRgH/GaX
oJRPMBcoizLleT5qert7w9bhHA5lmaOCbre1rv6A8eCgl0EGH60/0p8VY/2/ikHi
OCXAEdYu2WRTldA6XuR2KYDRGJm7o7Lp8mYm6SnCwQfyqYmKtl7Gb6UdJqKNOWMQ
sThTnl8NMX04bXLvrmWiJGmzyGY1NW4G0pacPNa36m75Ybtq56pg1OZjwGvn0sW6
q+rJj5tDEVCDLdyE8gbE4q4fYgegz+CDJvin/MCvYEQ9xqsWoro=
=By/u
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200058.4

HardenedBSD-12-STABLE-v1200058.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r345078: hwpmc/core: Adopt to upcoming Skylake TSX errata. (4252e660ecb50dfdae262be111061aa85fcb5864)
  • MFC: r344757: Fix double free in case of mount error. (6b0855e01b577ab90fb58fca2fbcd7139e7dc527)
  • MFC: r344754: Do not panic if inode bitmap is corrupted. (d58ea7668a31fbc14f05ba8975a87c1dc5cdb194)
  • MFC: r344755: Fix integer overflow possibility. (66bedc8f13366ff9df84786d1e1e8a864800918f)
  • MFC r344670: Allow FIONBIO and FIOASYNC ioctls on POSIX shm descriptors. (aaa017b23b47f1cb67b49eb8d4939d2aab9159df)
  • MFC r344562: FFS: allow sendfile(2) to work with block sizes greater than the page size (a32149b5deac882f31f0aa448f8ed69244af8a20)
  • HBSD: Revert "MFC r343964, r344121, r344128, r344593, r344594:" Revert of FreeBSD's ASR implementation. (9729cbe04506cba471aaa5a4c25f712ddf4f75a7)
  • MFC r344140,r344141,r344142,r344143,r344388,r344547: Add CBC-MAC authentication. Add AES-CCM encryption, and plumb into OCF. (9b2dd6cb463ad737942a99e34af81c65dfb4d14b)
  • HBSD: same shit like with librt, move libexecinfo's so to /lib (4403befcd40c2c573e428c6b2452cefcb5679ceb)
  • MFC r344494,r344495: evdev: export event device properties through sysctl interface (dd53f13958e1e1306f3cecffbf0af504f5dddf68)
  • Disable WITH_RETPOLINE on stable/12. (4e79588d3043e5f24f223c5a42a662b79d870abc)
  • MFC r344449: scp: validate filenames provided by server against wildcard (531e90823d82662c5e008c9c04fa24a532e7eb48)
  • MFC r344883: nptd 4.2.8p12 --> 4.2.8p13 [FreeBSD-SA-Candidate CVE-2019-8936]
  • MFC r344063,r344088: Sync libarchive with vendor. [FreeBSD-SA-Candidate CVE-2019-1000019 CVE-2019-1000020]
  • MFC: r344602 Merge OpenSSL 1.1.1b. (bd8357d913b260cf55f0818d30ff889d62a702ea)
  • HBSD: Disable cfi-icall for usr.sbin/ppp (c9056e1d8c17af42a6fa933fb1e544b1705ba72f)
  • Merge clang 7.0.1 and several follow-up changes (a39fc2a725d1f743ccd878ef7264dcba56f674de)
  • MFC r343850: contigmalloc: handle M_EXEC. (bcfd287a0368013fdeaec7291890deb4aa10bfd1)
  • ZFS updates
  • ipfw updates
  • pf updates
  • ipfilter cleanups
  • em, igbe updates
  • net80211 updates
  • iflib updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-bootonly.iso) = 0afcc9d2351f50c9dccb6c79ba2da2ea6d81d7729f0f8109061b053a51c5c0b929801c4c5affd603c802ea777d7293477232ca1db5c741556554ab3dbe6049ac
SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-disc1.iso) = 79a4255012da260ecd239d941825e5ace4373b25ad112dc0eb36377554ab64a874bf08092e3e258e2cd394a227eab7355909e4b166f61974419145351a44293e
SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-memstick.img) = 4f1aa178fc6ff3b38cfc55aaa5a668ef0b92a05afcfcf237a96483e70a8f67869f606e60de5f03a07ef15df004be23ec92225ba69fbc3070231943bddcba9738
SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-mini-memstick.img) = efea297d2ae2580b3a95021be6e5c8e24bfb8e700fc5e3924bdb863f80537da604b0162e4b4fc2d8054de3d8f17f32f0cb0f91f4c273e66ce3e26ccfff54b783

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlyTB7MACgkQgZsRom/9
GI3WNA//XiGYLDMkiRWmHgpg4zmEs2ucv3DNwiCuNRsphBtIvTTFYiUyrF8ui3i3
1r52FN/kcVILMwT+b6NZuY54/Xl2E6jdXzJ11ZKQkRc1ZXrdOb/AGXU/jJ+jKpWj
BJYocyLcP+qZEj28ztLA60He0kGIEpmyK9lgpsSShVON0BJ/DIGy0h154nyMTZoz
YFYClcG72MOapmwpNDdntPXa5HpGwiz8r7EGnw3hKLXkngXkegDPQ/pnAkm5gePr
7qOpw/XwZzfH1xDUu721AwlyzjRDDOkL9mNpC3cn3hLJLR8El8YupVMQziUK/FBA
Y0wPPQ/TxNIQwtAM7SZW/p/B1tCpE2k7+BMWcJzEyWtfyr0KcoXW490Asgur9yL1
/v5RnORId64ulzmzXymEpsP8/8ujE0mlyVCh6i6MowwGbHgNkRORUSX0sDnclfOA
wkvmZ5nLQ6KQBhZ2wg2NL4xbjid0YGgirvVF8YnxnMz+k3jfUsqRIU/EZCZzucxa
kukEPNPTZZOtCEaLGC0rl8dfm2eRuxr+lRJ6l/bw68bIM5+x+DycF17UqN8+aeXR
rt9F47Uq8bdK0Rx/0mSawrq3jodGFjiZro4wyrYi11cb2bO/XmagA7QrnvYu5ZnI
QEQoVin8s+WA1cMeXNzs9UJYztKE1hKa1uNLZEAd1GJaFdvqir4=
=WtXM
-----END PGP SIGNATURE-----

HardenedBSD Foundation 2019 Meeting Minutes

On 27 February 2019, the majority of the HardenedBSD Foundation Board of Directors attended its annual early-year planning meeting. It was a very productive meeting, spanning the full allotted hour. Attached is a PDF of the meeting notes.

High-level details:

  • Our 2019 financial goal is $20,000 USD. This will help us replace or augment our aging infrastructure.
  • Provide to the HardenedBSD development team clean-room documentation for the non-documented bits of the grsecurity patchset.
  • Invest in business insurance.
  • Set up bylaws and articles of incorporation.
  • Look at free or reduced cost hosting, possibly at universities.

Tags: 

Stable release: HardenedBSD-stable 12-STABLE v1200058.3

HardenedBSD-12-STABLE-v1200058.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages. (0526a0cabfe1cb63e93947a4d34a050a13d97851) [CVE-2019-5596 FreeBSD-SA-19:02.fd]
  • MFC r343780: amd64: clear callee-preserved registers on syscall exit. (bd0cbe8cc38d2e67c3d4a9f1c6746a31aa213963 CVE-2019-5595 FreeBSD-SA-19:01.syscall]
  • MFC r343587: Add a simple port filter to SIFTR. (ab2d372594adbe95166adfed1d78c0a6c4dc773b)
  • MFC r343060: [drm] Fix off-by-one error when accessing driver-specific ioctl handlers array (c53a074639dd8b3b1cdadd80e6860b2a7ade95f7)
  • MFC r341472: Add ability to request listing and deleting only for dynamic states. (caad386934df5f897739c80b071dc90d8165008d)
  • MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used (0441c4fa5aa5b68927224cfc81ce354772ff10a9)
  • MFC r343418: pf: Fix use-after-free of counters (824b38d7e5213d4a94fefb5e0ddda41f95da6321)
  • MFC r343395: Fix refcounting leaks in IPv6 MLD code leading to loss of IPv6 connectivity. (69483a2f2af7c93450b276cc0a24e6561009cfda)
  • HBSD: Add EFIRT to the HARDENEDBSD amd64 kernel (23220bd7b1eaff08140fe4daa6d0786c7aa713e8)
  • HBSD: Disable cfi-icall for mount_nfs and showmount (924afb0d77fd83485b8ba9c3e0a6927585d37858)
  • MFC of 343449 and 343483 Update tunefs to allow '_' in label names. (3df852382237702f1c262aaad54933bdf5b2fbed)
  • MFC r343363, r343364: Fix an LLE lookup race. (4b6ead634deb05c2b3f0f83b8b1ba3a18708197d) [FreeBSD-EN-19:07.lle]
  • MFC r343089: Limit the user-controllable amount of memory the kernel allocates via IPPROTO_SCTP level socket options. (1d3e563dc53e1190bbc635ba00874e51b1548197)
  • MFC r342857: Avoid overfow in vtruncbuf() (5dafae63da366cedf24d91d32aa54a4b4a4a8640)
  • HBSD: Disable cfi-icall for NFS RPC utilities (d09bc59f69276e1b8b382f3a0ba00cfb2288833d)
  • MFC r343082: Implement shmat(2) flag SHM_REMAP. (58501d93bee4827fa9429db046484bf26a8ad40b)
  • MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS. (0e46cd7fe5be1edad6471bc1add8fa7702596f3f)
  • MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}. (d5dd66e58281aeb5300f19095ceee3894938de43)
  • MFC linuxulator stack memory disclosure fixes (c69e471dfc3ef2730bde80e755b5656e7ac55e1a)
  • MFC r343017: Handle overflow in calculating max kmem size. (ef32d9a8bb0d37bce34588d49ca5f972475853f0)
  • nvdimm updates
  • pf updates
  • ipfilter updates
  • ipfw updates
  • netmap updates
  • net80211 updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-bootonly.iso) = 75661d8fc8c6508c6e27ad36c1bc18f5a6a43b95e71623d3b227b29e439b4cf835ab3525343e045e91d9db061b7926722b9342c27d6613534eff632f7b5c4567
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-disc1.iso) = 4d368903e3edbe6ca5290b3ad3a4bf2c85455731839a55b38113283ee7e2ffbdf020c983f6d24fed7141af754e55592f5d55b2d334b108b3f3e5b5a0423c1d32
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-memstick.img) = 8debd3c0702cb3733d6bafbff05c6d54838fa4c5be68fb0cda778cc38a2c5fcc8e85009de30d7e96fe7161c6dfb2edfbf430b76f9380829435423c7cf9e1dc69
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-mini-memstick.img) = 6325fa8feeea551c065e6b6009809c6048a1ed4d2ef6fe657ad1e2ed59345bb72f4fdae0950b69491725b0d46680da81b24cb539a439dc8765c9889a15977fde

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxaN5gACgkQgZsRom/9
GI3aOhAAtAhGQ2nlQI+bll2DSBj2gV1Ph0z3M1zeL6Wyii1JtZLroLmUHoTnkN5P
smCLgPoNXDQlkRlBTjF/UtEuguxEQfa30U3q+lEs3SBprvCK214QXS7fTazs7Im6
vNdyoqGAgGmN6HViybRHL2ZilaxYoQBdl7zimFgphlQ/Qa8p8zkBMv+mZp7wwrDn
kK/1RYlioJsw2bNEYTVTRPy/pBTDolNlkc0z2NZ21V5QObJRxLphrqaY8Yl5B7zV
W+TRDWV+dFcCjiMUxHrzkTWNBcBAlsjZo9bWXPhgxvygqfHzD7J7wbliVkEKLz8N
8nYga5KtlMUBN5IRoRtwOpVLUerfKxmbDvqzyMYR1mLGD3giVXzvGQX5jdaHSkSs
+3lEBXghVrAj0nXHq3r0XZawLi6bOwe9XDfOcSue2CblGlhOpknIvh2bY6gCF1Pt
BcfduhG1QSmL3dcCgkQkmOnqVVVKkraBdUpAZET3OhAsnD+Q/u1aW00TygLlEUh7
Msj4AxCSCqgS0xE/zzLbXwXfGV9RPbJ2LFz4zNuz54mOnUmWD5qd9Yzl2ezyG5c0
w5FWdjlxWPJmJovQEfAOuUJ5UyhjPVMnaTd9W1occNWgHwFk931NRMG/HrG13yWj
oPj2e7HcDrS5guh+m56S6HuZG8lw3nGhT6KyhxfF+TByCYLNMkg=
=C22B
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.13

HardenedBSD-11-STABLE-v1100056.13 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages. (70e1efc1c0f84fb9e92135883a6107e2ef19642e) [CVE-2019-5596 FreeBSD-SA-19:02.fd]
  • MFC r343780: amd64: clear callee-preserved registers on syscall exit. (7ecad8ecb0ef125b47333806ace844e7792294a8) [CVE-2019-5595 FreeBSD-SA-19:01.syscall]
  • MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used (15afe7b042f7cdfad46cc2eca5e59dd9297f6197)
  • MFC r343418: pf: Fix use-after-free of counters (a1b261656792fdc235e151c61ea87b06dd48103a)
  • MFC of 343449 and 343483 Update tunefs to allow '_' in label names. (627115fbab7f0ad32d8d58f2ac948255c86a33a9)
  • MFC r343249: Fix duplicate wpa_supplicant(8) / hostapd(8) startup with devd(8) (396ce8497cb2ae7eed1e297d7edf3396759eaca1)
  • MFC r343089: Limit the user-controllable amount of memory the kernel allocates via IPPROTO_SCTP level socket options. (58e6efc1eb253c25e32671305fb296c75c88e173)
  • MFC r343082: Implement shmat(2) flag SHM_REMAP. (5e5aec12f096e44b4aff26c5b9623f1eea21b72c)
  • MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS. (676ce698dd3e14aac903708b48c9e447e46526f0)
  • MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}. (99c280e90dcde9a082478af18e6806adae270cf9)
  • MFC linuxulator stack memory disclosure fixes (8139f0a4ce76358213e6802baa237a6e0f4a8f8a)
  • MFC r343043: scp: disallow empty or current directory (ae0b64fb08800073bccfffa0e7ba12fa30dbf669) [CVE-2018-20685]
  • llvm updates
  • ena updates
  • ipfilter updates
  • pf updates
  • net80211 updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-bootonly.iso) = 2d3601235daf67914e522ae03e28717af8c8f380a32a57bf6ce01dd1b5c90a2e381766a89abbeda9ac3c4d46b998f0ca9846fb8c59b9370985e56fde126e4836
SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-disc1.iso) = 90bcf218e2575331f6f83f7b83e6c058fd1c268ccecdc162be385c95e22aab849c5090c90b03fb46135893ecc75d42341dd3373574cbf2597fc09611e290034a
SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-memstick.img) = cffa5583145e6ae2fbd9e12281aaef06fada4886095fa220c4b62464c453873839d8c59b276f0866ee038c96d1494275f0d1852ca39714914d3d5d744fad7c76
SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-mini-memstick.img) = a4ec2037cb9d7054a644c12518867bf8f2ba04353e238d5d26e2faf64493eb2bcc65364a245e157193ffa657e7fe6a25ce109272b7a7e3064fd6d18d56f46ee3

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxavC4ACgkQgZsRom/9
GI2S0Q//fpLION18AZR7veeEBk7hz6KdrvE4xR3I1HYYAsK6L+/IVO3UX04lyhju
Ypu2efMQWuaq0yTpqq7UEgn4lysTEFIruaoMtmto6JMxtnBOdLBwVR8Es/uE23TU
12EEVL/y0c9zb0f7cXzDso6aMZlH/sIUp3LMF6P8XIfo2T+UbqAipWGeTYSwcPTE
+xH5JjfOv4i+0OjVClVB5KH4h8zNGzOFLR6yfx4JCQ96/X5plLx2pTTstvODBSjE
RAFIh3wSISc3tTjAGiJ8P+XiD0+41elF2EutoUcpgRVvazCtnjbXl1ep09y/r0Zj
uiAlVpIoHYBBTFRyvPiefhEzTdOT87xNMdYRvCqxerrHqNwrSAzzw1jtDjzoWNPw
e6Z79gXPSTZWx/sOOETB7M58m2nUeH3cypOKszuf+SroKWor37uxreLjMHCptIHB
SaFh2M7mkKQm9nuaV3TO+oPJPYQb0muiu8ujESm93xS24PfwePmn7jzv3QJCiXFT
MMGMfhiL8DDVXnkBDftTarTX56sba+S4DlQ0SAkaraEfKxn+PzpTgqsUuL4dzXWe
RHwX7+EiP9FoirhKiRn+cRObHU8EAO0628FU38AWZNfJgA7QnCPiTkeQR3oAjiKf
tZwdQOmPlzDyKozvcIIhUQYIOrKBKlWolRSfr5a9o0DVw9fef7c=
=OzKS
-----END PGP SIGNATURE-----


Oliver Pinter (1):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

Oliver Pinter + (48):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

ae (1):

  • MFC 342925: Relax requirement to packet size of CARP protocol and remove version check.

avos (20):

  • MFC r343190: net80211: drop m_pullup call from ieee80211_crypto_decap.
  • MFC r343244: devd.conf(5): add otus(4) into wifi-driver-regex
  • MFC r343249: Fix duplicate wpa_supplicant(8) / hostapd(8) startup with devd(8)
  • MFC r343213: net80211: resolve ioctl <-> detach race for ieee80211com structure
  • MFC r306323: [ath_hal] Add FCC6_FCCA regulatory domain (0x0014).
  • MFC r343341: ifconfig: drop unused macros from ifieee80211.c
  • MFC r343235: iwn(4): drop return code from iwn_*attach functions (they cannot fail)
  • MFC r343340: net80211: fix channel list construction for non-auto operating mode.
  • MFC r343342: net80211: turn channel mode check into assertion.
  • MFC r343234: run(4): add more length checks in Rx path.
  • MFC r343238: urtw(4): add length checks in Rx path.
  • MFC r343472: otus(4): fix a typo in man page (802.11 -> 802.11n)
  • MFC r343473: geom_uzip(4): move NULL pointer KASSERT check before it is dereferenced
  • MFC r343495: wlan.4: improve wording
  • MFC r343497: Unbreak devd.conf(5) regex after r343249
  • MFC r343496: pcf(4): fix parentheses in if condition
  • MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used
  • MFC r343502: Remove RADIUS-related files when WITHOUT_RADIUS_SUPPORT=true is set in src.conf(5)
  • MFC r343576: ndiscvt(8): abort if no IDs were found during conversion.
  • MFC r343541: Drop some unneeded includes from wireless USB drivers.

bapt (2):

  • MFC r340933:
  • MFC: 332990,337892,343546

brooks (3):

  • MFC r343162:
  • MFC r343366:
  • MFC r340242:

cy (5):

  • MFC r343073:
  • MFC r343103:
  • MFC r343486:
  • MFC r343600:
  • MFC r342815:

dab (2):

  • MFC r342770:
  • MFC r342822:

delphij (3):

  • MFC r342845,342846: Port NetBSD improvements:
  • MFC r342856: Added support for the SIOCGI2C ioctl.
  • MFC r343038: Use TD_IS_IDLETHREAD instead of unrolled version.

dim (1):

  • Pull in r337861 from upstream llvm trunk (by Hideki Saito):

emaste (3):

  • MFC r343043: scp: disallow empty or current directory
  • MFC r343153: freebsd-update.8: mandoc -Tlint fixes
  • MFC linuxulator stack memory disclosure fixes

gjb (1):

  • MFC r343259: Correct a typo: was -> way.

gonzo (2):

  • MFC r335675:
  • MFC r339523:

hselasky (5):

  • MFC r342730: Improve USB generic debug messages. Print process ID and name when opening and closing usb/ugenX.Y character device nodes.
  • MFC r342778: Reduce timeout for reading the USB HUB port status to 1000ms and try to filter out dead USB HUB devices by implementing an error counter, so that the USB enumeration thread does not spend all its time reading from non-responding devices, blocking user-space access in the end.
  • MFC r342884: Fix loopback traffic when using non-lo0 link local IPv6 addresses.
  • MFC r343451: Add full support for PCI_ANY_ID when matching PCI IDs in the LinuxKPI.
  • MFC r343453: Add new USB quirk.

jhb (1):

  • MFC 340206: Treat the memory lengths for CHELSIO_T4_GET_MEM as unsigned.

jilles (1):

  • MFC r343105: libedit: Avoid out of bounds read in 'bind' command

joerg (1):

  • MFC r342791: fix a typo in chio(4) (which propagates into chio(1))

kib (9):

  • MFC r343108: Trim whitespace at EoL, use tabs instead of spaces for indent.
  • MFC r343081: Trim spaces at the end of lines.
  • MFC r343086: Remove unused prototype.
  • MFC r343302: Remove unused *_sysinit_flags() declarations.
  • MFC r328433: EMFILE errno documented.
  • MFC r343082: Implement shmat(2) flag SHM_REMAP.
  • MFC r343484: Remove now redundand ifunc relocation code which should have been removed as part of r341441.
  • MFC r343607: Reserve a bit in the FreeBSD feature control note for marking the image as not compatible with ASLR.
  • MFC r343780: amd64: clear callee-preserved registers on syscall exit.

kp (6):

  • MFC r342591,342599:
  • MFC r342989
  • MFC r343130
  • MFC r343041
  • MFC r343295:
  • MFC r343418:

marius (2):

  • MFC: r333745, r333764, r337533, r339375, r341041
  • MFC: r342634 (partial)

markj (6):

  • MFC r342887: Stop setting if_linkmib in vlan(4) ifnets.
  • MFC r342864: Specify the correct option level when emulating SO_PEERCRED.
  • MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}.
  • MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS.
  • MFC r343348: ocs_fc: Ensure that we zero-initialize memory before copying it out.
  • MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages.

mav (7):

  • MFC r340425 (by cem): amdsmn(4)/amdtemp(4): Attach to Ryzen 2 hostbridges
  • MFC r340426 (by cem): amdtemp(4): Fix temperature reporting on AMD 2990WX
  • MFC r342977 (by cem): amdtemp(4): Add support for Family 15h, Model >=60h
  • MFC r342400: Increase MTX_POOL_SLEEP_SIZE from 128 to 1024.
  • MFC r342546: Add descriptions to NVMe interrupts.
  • MFC r342558: Switch from mutexes to atomics in GEOM_DEV I/O path.
  • MFC r342557, r342559: Reimplement nvd(4) detach handling.

mckusick (1):

  • MFC of 343449 and 343483

mw (3):

  • MFC: First part of Amazon ENA driver fixes and improvements
  • MFC: Second part of Amazon ENA driver fixes and improvements
  • MFC: r336114:

np (1):

  • MFC r342603: cxgbe(4): Attach to two T540 variants.

nyan (1):

  • MFC: r342964

pfg (2):

  • MFC r343023: msun: reduce diff between src/e_j0.c and src/e_j0f.c
  • MFC r343459: (parcial) ext2fs: Add some extra consistency checks for the superblock.

rgrimes (1):

  • MFC: 325765 (imp) Add notes about overlapping copies.

sef (1):

  • MFC r342928: Change ZFS quotas to return EINVAL when not present (matches man page).

shurd (1):

  • MFC r342855:

tuexen (4):

  • MFC r338137:
  • MFC r338138:
  • MFC r342857:
  • MFC r343089:

vmaffione (4):

  • MFC r343413
  • ixl: remove unnecessary limitations related to netmap
  • MFC r343552
  • netmap: small cleanup on em, lem, igb, ixgbe

wulf (2):

  • MFC r340912,r340913:
  • MFC r340926:

Stable release: HardenedBSD-stable 12-STABLE v1200058.2

HardenedBSD-12-STABLE-v1200058.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r343043: scp: disallow empty or current directory (40c2d4eb5cda74b65cc1d2d1187e11d87e3231d5) [CVE-2018-20685 FreeBSD-SA-candidate]
  • MFC r342887: Stop setting if_linkmib in vlan(4) ifnets. (9752824a67b8e026c748df9f55d7a4dc34cc3e5b) [FreeBSD-SA-candidate]
  • MFC r342849: libbe(3): Don't allow bootfs to be destroyed (43c025931749622500ddd40f733833a2326eb8c3)
  • MFC r342792, r342805: Provide rc_service variable for rc service scripts (43d929cc947061353022f4fd65f384bf5e5b623d)
  • MFC r342966: net80211: fix possible panic for some drivers after r342463 (afe64a5242c51756aa8e7278a93e78bef8ffbccf)
  • MFC r342883: net80211: fix panic when device is removed during initialization (86c848990612b065fd125e3d067494a9ca62d302)
  • MFC r342787: Add a bounds check to the tws(4) passthrough ioctl handler. (09c4a5a5c19860d0f062452a120bf3db56bec588) [FreeBSD-SA-candidate]
  • MFC r342575, r342580: ar: detect and error out on 32-bit symbol table overflow (932f2a3ad15b84e2f4584e8b4cc4930acaa94b36)
  • MFC r342686: Avoid setting PG_U unconditionally in pmap_enter_quick_locked(). (6a790261240984576e7ab3ae4982feda89938f4a)
  • MFC of 342135 and 342290 Properly respond to error from VFS_ROOT() during mount. (3d8c9836cc1b5b82f970b571dabd1cc4c524d6b2)
  • MFC r342362-r342363: config(8) duplicate option handling (b43601807a39b452a3a234d5a9ef33ba0bf6370c)
  • MFC r341101-r341103, r341148, r341391, r341422-r341423, r341454, r341780-r341781, r341805, r342026 Make powerpc booke kernels boot from ubldr. (5f1960a5ad7dcf7320f04827f86d2543a9cec92a)
  • MFC 339899: Make battery emptying rate available as sysctl variable. (fcad6d3887e9e0df176d8d9a4d01ce8e4dd1c780)
  • MFC 339620: Add a "live" mode to ktrdump. (9eec96ef7c166142d06d0bed137f98ee55c3b9e6)
  • MFC 340460: Convert the number of MSI IRQs on x86 from a constant to a tunable. (38147cee96c0cdfbd10ce81c8eb8d11ce87d0c93)
  • MFC: r342286 Fix the NFSv4 server to obey vfs.nfsd.nfs_privport. (9e714b03dcf913fc1daeaab8f970f37bd6a91367)
  • MFC r341998: pf: Fix endless loop on NAT exhaustion with sticky-address (8df6e4a6eaf85ac40c35fe353f2150a99f5685be) [FreeBSD-SA-candidate]
  • MFC r342211: net80211: fix out-of-bounds read in ieee80211_amrr(9) (d8b9265f4a6ad7c6a1e2446b98e7f6e9a7ccd4b8)
  • MFC r341833: pf: Prevent integer overflow in PF when calculating the adaptive timeout. (4e14cefd62c1612b7eba62cd71097429fd6d29fc)
  • MFC r339746,339751,339794,340866,340939,342042: Sync libarchive with vendor. (7e7a6e66b6497594e376667d1b0f653787927a6e)
  • MFC r342183: Update sqlite3-3.23.1 --> sqlite3-3.26.0 (3260000) (5f41f06ad996ced8460e267ae51526eb89dc661d)
  • HBSD: log pkg changes to /var/log/pkg.log (9135625701b316445fd42809c2ccefada1b39c93)
  • MFC r342030: Plug memory leak for AES_*_NIST_GMAC algorithms. (1f3faa484174d1cb5e572cdd3b1910764cfd326c)
  • amd64 string primitive optimizations
  • asmc updates
  • cxgbe updates
  • ichwd updates
  • loader updates
  • mrsas updates
  • netmap updates
  • riscv updates
  • rtwn updates
  • sfxge updates
  • tzdata updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-bootonly.iso) = a962a3debf7fe72392e0d2f90bc2df3808f6c301f9ade0f5c6e197ce896723057431c8cd29df494c5ee071694a429c13354b2f34d0ae73cc1952a57f0da8bfec
SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-disc1.iso) = a06cd6492e30f1cb121573da0a2e61cb8d0f14e131da26b86bd54fa5dccd62537c0927c950daf13127b39cc5ee476c48c5e6298d128803c6b86c314cf5db976d
SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-memstick.img) = 21b4345d6389bb80f145bcfb47ffdfa4f44aef1e14752b4d1edfd867c5f4ecf9c54f6e7babfb422a30fb9a0e00237a1dd3abb2a333faaaee8b12abc5399f515c
SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-mini-memstick.img) = 9e274ea3b563fca0b9ff190a876c450ef537248c6270bf14ffa257857da7326ecc1872b3d267f5566b6c13c73912a031e2a397f2f64af9177e519326a35b46d3

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxCnLsACgkQgZsRom/9
GI2M3BAAjqSbp3xQqHw7gt5wz8lKJRWXmvr9sdSsOjQlqb+4agrXVWdIV1FPpzME
+Xb/DUeCVKLBC3wVHd1BV+r3zZs7dK085k5GQssAjC/VXfkGGa1fU+UYq0Jx35lu
zKovC0ce1WDo7IaF4fmU8fBysnuqOfg/DOxXAcJPHDCiHRXturIEEIhVsa17lSmI
hHZDxqazEqLeKk12isHtVu4EqS33FgzTvxcflnqnH0hgKDXb47pvqDN/F5faM9+C
NO8Fn5Vd5p3676fGuB6EFCN8NLVBjlIEW0bXpCUtnmpwmXGf9nk0AhkQcVkzWbkw
aWCJNbCzQc7LvCtGKbS/3c/lMdkROzhMuUc93VldgaBqCFbBT89fTGUFLq/Ui123
qtAVgv7gQa2S0PzMCHA9Gh7aetHJ1/HwHKQKze2tcHJDqSZJ2ARicxjvpH526WUH
ymcx5BnlCG+sNWt+uOVO2AYKf8nCUk2KD5o5azn0MirEaXOvmYDSVTtjZyn+kIx8
IZvfqUydjchyi7sYiV8mrMyOa52+YLU1AnFDeEByvef2fQGPvvkdn/zINvVsMD83
q4J4xC4TwO5J8bXJk2ZK2rppkLobWXLaYUPb7kzrl7fsWbN36EiTizjW0quE++Mu
Oc0psPw6rD4hfLa9dDXg15b8NWkTDVBqwOzjaH2W5AxKGtB7fVQ=
=ld5O
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS