Stable release: HardenedBSD-stable 11-STABLE v1100056.10

Submitted by op on

HardenedBSD-11-STABLE-v1100056.10 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r341470: ggated: do not expose stack data in sendfail() 370912d064f22772cd539ea28587ca7a1bca6c9c [FreeBSD-SA-candidate]
  • MFC r341442, r341443: Plug memory disclosures via ptrace(2). (600baf4f2d9e7039632b5bf5503097edb31c3da3) [FreeBSD-SA-candidate]
  • MFC r341484 Always treat firmware request and response sizes as unsigned. (5b0911ed9405a15d0fddd237377ecaf0684142a0) [FreeBSD-SA-18:14.bhyve CVE-2018-17160]
  • MFC r337812,r337814,r337820,r341068: Fix several memory leaks (r337812 & r337814). (4a6ee6982ea1014b8d06511c23c76b849fa694f1) [FreeBSD-SA-candidate]
  • MFC r340968: Plug routing sysctl leaks. (fe7eaf6c881cc3948b430c5241b34e2c1189dc03)
  • MFC r340995 Prevent kernel stack disclosure in signal delivery (ee1166b9e2f474622f098aad4dd78869880379c8) [FreeBSD-SA-candidate]
  • MFC r340994 Prevent kernel stack disclosure in getcontext/swapcontext (88ba4e0711d85c593ac41f9c9a054cf4e66d050a) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • netmap updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-bootonly.iso) = 6ca4a5de222683ff4716090d55ffd1b19f50e98b7bef0012e94acf6ef73d61e2aaabe87026e2e58f1df4f797e5dd31130a4bac4d5cee82299bb75d215c5d1462
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-disc1.iso) = 40e2a44bd010fb2b1e14b4b8b90ee86ac86cf0bb9f629c9a121cb24ed2e25fc6b5a3e821b770c483e922fd2a5de535b4ecfde9b759888775f51478e2fb183713
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-memstick.img) = 2e57b96f5d9f75b277792052690947a849ca85a0e0860474b37cce06a623a5f566f60738b762ee6966081847be129a821ca199f17b3f286dafdbdbe6e1c70e0e
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-mini-memstick.img) = a216932ecf6c218b7f8984ca55524c18ab85e5bcce163d11effdf889883e28ba6feb4546ff3e28c9e2a29440f147363ae4444e75f56bd18b6a02176db5f8810c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwHBLoACgkQgZsRom/9
GI3zlg//dLtnJmc52UuttbSD1NV2h2hv4mNW/UteFjxGtJgdOCkjRGpx3sI4Vm1j
ks5NPMzi4Wy8r9l/bWv+k/bCvkxvjvt8gQKIBbDt8IauB1Bk+uxeWr3IcLn9eiPV
eC0diLLpUzTkbhN9NbnXbbugrrq4AeWFbOl06HIAw9HJolIYtLInOlH9XZToUItR
kbVD+AXjVmfntDWXPtkgCZdEEPe6zYAUgA39iyrcb5X3y+AVc9hDIoOGfPVoMIRR
rhEu1jwJPuT8C6r2hcareVpmfOESJTljh+yNw9iq/brkNXPW2UcPFwwkt7ajubaP
KW22bl9jGTTqA3JhpPHRwqFjyZzItD9TR4qPr/Fu2WTzYACyjNvWyCK/KJOvS6MX
ewepZ06yUhsLEjEiGpllJ4XipUn8c2hbTXLoKE/JOBvwhxIognoQ8yiEE645Vrb8
VCPLab5CK4y+CSZLEA2DWpiuWO7D/Z8pRIbV0tWKh1HrN5QPOjXeDDi+59t/016v
vb/i8YR0GhHgg3mPYCCUUgMey1e7vIjnmcj0OkZRyyx7bi2fP+37C/XBV9L7bFC7
kLO1pAX7hwWOp/H0dbrJCuLyWFLHjkgNODrxmmYk1OeWQoUT9KX1SFfYCKsNlpAn
Pq+17qjcl/Amswrpmw7a/WfXXLiNA46OyOU/aG9r1Z+8/Emd4YA=
=fwqX
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.9

Submitted by op on

HardenedBSD-11-STABLE-v1100056.9 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r340899: Plug some kernel memory disclosures via kevent(2). (57fd4999023fbedc45061430d5dbcdb98547b407) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340856: Ensure that directory entry padding bytes are zeroed. (3dc6e9a2e5b3a446ecb0c2c198bca46619f8590d) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r339818: rcorder(8): Add support for /etc/rc.resume (9837413dd9835df60a41e4cf3e30338bee65f358)
  • MFC r339808: Prevent ip_input() from panicing due to unprotected access to INADDR_HASH. [CVE candidate]
  • MFC r340783: Plug some networking sysctl leaks. (e1128261727c1eedda33c25158753d4f09545d5b) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340772: Clear unused bytes in ia32_osendsig(). (782079682d680e076598653d244323b8a5b90a8a) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340771: proto: change device permissions to 0600 (91dc34763d7783d5cc2e3d268e4c8ed85ff3b166) [CVE candidate]
  • MFC r340663 (rmacklem): Improve sanity checking for the dircount hint argument to NFSv3's ReaddirPlus and NFSv4's Readdir operations. (3bb4648083f3148398021abd35df925aa5c003f2) [FreeBSD-SA-18:13.nfs CVE-2018-17157 CVE-2018-17158 CVE-2018-17159]
  • MFC r340699: Clear pad bytes in the struct exported by kern.ntp_pll.gettime. 6c88f7d90bde0d335bc0687a41bc141ffb55e2bf [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r340674: Fix another user address dereference in linux_sendmsg syscall (1162e5190b51c01b6386baec10dbcd0ddcaf4b38)
  • MFC r340631: Do proper copyin of control message data in the Linux sendmsg syscall. (a7710016b5015643786ff0ceb070cae982e80ddb)
  • Merge OpenSSL 1.0.2q (9424b8c43e2d3d7b45201e34799fd5c5193f7f68) [CVE-2018-5407 CVE-2018-0734]
  • MFC r340205: Avoid specifying VM_PROT_EXECUTE in mappings from pipe_map and exec_map. (a1e236f6c4f29f04befe42250d20312424c12deb)
  • MFC r339465: rc.initdiskless: add support for auxiliary NVRAM. (889791af8eb9cb4b19cd96d2891836e4205473f0)
  • MFC 339312,339364: Restore more descriptors during VM exits. (5093c36b3316b62e306dc18ff9e2bf7eac33dbe1) [CVE candidate]
  • MFC 338511: bhyve: Use MAP_GUARD when mapping guest memory ranges. (6dc9464d89d89a37d4d114ba519d004ee25649b5)
  • MFC r340260 (emaste): Avoid buffer underwrite in icmp_error (6033b7ab1ac6064008c8d99b64d95ebb815e1e74) [CVE-2018-17156]
  • HBSD MFC r340205: Avoid specifying VM_PROT_EXECUTE in mappings from pipe_map and exec_map. (a408354173f2c5724a9a603831936ab42c11fe82)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-bootonly.iso) = 6ba911b277a345fe7985e68695f2c83d5ff16d13e947084638652d1f5613f76e126d7976e08eab78dff36062e1e3e6958a2e625958cc3086c902a3a753db5945
SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-disc1.iso) = 5a395012cbb2d75e478c9d110d0495488721f3814c13053d43c0a0fc833ea84229b46e09632dbdf86248724ef7f9e1cf76326dd95438405dd96cd3237d3614c5
SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-memstick.img) = 803dd1d2a0f8560f075406cf3a98a2fb354b75aacb5c2580332111e8a99fbd3a2acc32efa0ae3361d9e5b00d087c23bd916b763002915d739e91ca6503f6f2bd
SHA512 (HardenedBSD-11-STABLE-v1100056.9-amd64-mini-memstick.img) = 9034ebe006ce99ba9dac8550285d9ca3d83b2df8c1146b37209a4822cc3937b7631ecd910805e34581dbec19969b2691aaa53db64bdbd279409a51017a6a70bd

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlv+BkQACgkQgZsRom/9
GI2sug/+NYCxrjbWNpq5BTAmzJ+Ld5BEGDZ0Vh4crVqZAVlPaj+UIiHeAh7wHD3M
hDtNvRPk905YLt7RDdb0ieSf9oeIlqHF/Y1oY0EbQBsxcG3soiltd1QdivjraBDA
rew6WRy1RdxStChJa/ZEbmS9XFMhvfMY89MSta0FTAVYxJq8cltSbnJqHh2H34an
0QF3iIi8G6g5C7cUr6tnZRRk4e+gDhwdzrkUwQc3eA0H5y9galYI/K46GWhKIz5p
qBopHts3zHTnYJjT9k+F1DTp60SPCtDK3WKyiCsCDqoOUODO+9gTcLjQQDgcuG6A
HRmcM/+DCtmmqZPFFTRCQcglfVB1Vu1SuCEhJm/8/43UN2HgtUr7IkGzE8dTmNCs
glDGWJUPEgUPirgwlZhl0XdOgd6XjT+ybempDQaNGFnd1fPuwTcljK5imLZ6txEC
Tj/OGVyNvQla7cPRGqYHL7bMAjd4huRYezj1LLu3uvjnLHPZliv9z/Ijo6U9ssvq
RKrd5cu4wtRUvyPerP0Y7HIkv5To2Zm66ofzN3P04DnMJ+niCOebu+gE7mhiYpbo
6SgS84eWuiKZ+55NVDGrjUta0fKKvqaIjMxSxQnd3iWegEEeLDGgbZLP+IubsyPJ
P2JQahY82EaRCMWPS/BRfxvs28JZYec6Lz1JCrRKmzNQCDrwNJo=
=H8Ge
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.8

Submitted by op on

HardenedBSD-11-STABLE-v1100056.8 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r340077: m_pulldown() may reallocate n. Update the oip pointer after the m_pulldown() call. (fec14b22fcff136c352237afb47036d1614ee692) [FreeBSD-SA-Candidate, CVE-2018-4407]
  • MFC 338360,338415,338624,338630,338631,338725: Dynamic x86 IRQ layout. (160aee5ecc8a289fb54eb7b431cdab3017e9d9c3)
  • MFC r339681: Allow the bhyve VNC server to listen on IPv6 for incoming connections. (5e060e63804e1ecc636b29714d32113e483d6c60)
  • MFC 338408: Don't directly dereference a user pointer in the VPD ioctl. (b035f90113747066819a750566d008f6fae812be)
  • hwpmc: Enable hwpmc support for AMD Family 17H devices (1235e4abcc9d407b7f094039bca7531f4444ccc5)
  • MFC r339582: Drop sequencer mutex around uiomove() and make sure we don't move more bytes than is available, else a panic might happen. (4b875542b959aa18eb4a9a3594f6d548298fb59e) [FreeBSD-EN-Candidate, DoS]
  • MFC r339581: Fix off-by-one which can lead to panics. [FreeBSD-SA-Candidate]
  • elfcopy: avoid stripping relocations from static binaries (8e4b64478895d6b9ae0ea05d5962af093d757cfd)
  • MFC r339509: Fix loader.conf(5) "password" feature (9a6d83553b2b9b32be437e7d0a79aeda1162384a)
  • MFC r339547: vlan: Fix panic with lagg and vlan (1fda50699ae90ff2d1eb680f3e24c2f3d5324da6)
  • MFC r339331: bhyve: emulate CLFLUSH and CLFLUSHOPT. (9e85f7a5bf64f3f8ba9db7ef8a9413e94e208652)
  • LLD updates
  • ZFS updates
  • LinuxKPI updates
  • VNET fixes
  • libsysdecode fixes

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-bootonly.iso) = e9b4dc37c3914f14573222c3bec8303ba2516783a7daadbba42d9c42cfd1b68c6ed55a9f50c8ff394038ed5885880adaa230e3f89ea335be2e728d09331eac70
SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-disc1.iso) = 3a9d91a4b9ffb0c69cde6639bd39896c31e3d140f024b0f66fe113799daa8cf19622b7b06564dbe455481327cb4bf44e8763903f57e01ea2bd460a040b4e3b24
SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-memstick.img) = aa7101825ff05262dc1eac97ac8fd34614f82263dc2825a2087c1faf1094cc708f7703e39503ba4469d78db385bb642a6899ee30d6c832c80dc8b267ace88a9a
SHA512 (HardenedBSD-11-STABLE-v1100056.8-amd64-mini-memstick.img) = 633bb097e6bacfe0c1fb6d6de8e8175fb3be91af1632e240aa6a96c237bd7aabae9157cf0d3ec41d1aebbdb40da53a0c2b5fa497e0f564f2670ee6b60a227a42

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlvfps8ACgkQgZsRom/9
GI2AJQ//Z30QApEHelaPy7fcej9N5cJv1rFKxzfqVmt8pvEAA+tGRFoUNMz+7xG6
92u5sGHkfyGV761XqVK7gJXk6eMj2Sl5ITy4c1L3zjGRXutfB/F77eKzsQtA+1cA
Moxz9pwJrFvyL3HouT5CaOysXwlYmJVIqF/P8sHulHImshWnlBg8khHvPesCD7wi
0tb9xdyE3+xAmkqwJMgW1U92TaPOzfwTK5BLbXelw5eWT/qiB2OR9HcFmdfAh/MG
LlvFAeBZh6k298KYjYE0aR7qo35Cu3kD0PfUDmVaZNZpORbFBz1ZcLSMt8sZBHOx
HVPSWTnRbJpuh0SJphvSvnbY++nsT0PbhxVnPiSG/naXKTTYOw1hyPYrJaBXL8n2
gClDR7DRxhUi0F4MqMzqLg05kwwaSu3lwuBwjdS9YjcHV+IyVgA9YK11BbdOecpE
vEpPTjtQpjYFydwQFqUy8FbYhEnBpiJCBB9StM04w4gOOWS/RzMO+GQ+ysjoatlg
C0CxgQ/yuwmlvw8VpKKWYwS5UxTN+XbBX8GCz/8IpBgSajfbrKIGf8wMdptYKdjY
bSy9HgR4XQNBiXeHzXTCra8Z5kive7VlhQsLqfjah8pLcKsHTGzpS7LSlobxTqyh
n+At7jjhYiwgXKKrkcxY4IxqwvY5rtLpb9fcByoGlSpWDgHhoV8=
=lzsa
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.7

Submitted by op on

HardenedBSD-11-STABLE-v1100056.7 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r333569: cpucontrol: improve Intel microcode revision check (cf3b425994272a0d0b1602846bbe51028fd67442)
  • MFC r339019: clang: allow ifunc resolvers to accept arguments (d10325d074c2f9aeff283511c3acb06b3c1fcb5a)
  • MFC 338976: Don't clear DR6 for debug exceptions from userland. (4de0836180159ccb2485c64e4639544254abd941)
  • MFC r339025: Update x86/ifunc.h. (59e3462397fe61451f33846b1d0c56142b6a816d)
  • MFC r338947: Add "src-ip" or "dst-ip" keyword to the output, when we are printing the rest of rule options. (cfea277e33577e9ec8653cfa010f60a39dde358a)
  • MFC r338216: tftpd: Fix data corruption bug with netascii (6068c2761de987bc97d4c472acdc1076d91fc7e8)
  • MFC r336310: Let geli deal with lost devices without crashing. (35d45fa28dc67d17e535455e202de0584763f70e)
  • ZFS updates
  • cxgbe updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-bootonly.iso) = 76e6957dd5124525e62f59baac626eeb4c60b622d64b458aa838e4a374f6bc521647376bf41882a19b0ed5767c445dd4420883ab7b1e095a02e15b5874f18347
SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-disc1.iso) = 1e2668998564e26911499875d2d163d9bb120746969dc96d6771f5c7c5213ba9dab434a16ba7c49d891fe8f496df6f08026701231abafa7cb1238a5b4f5fcbff
SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-memstick.img) = 6e635997ab76acf56b8b0fc44591049b061a4a7e47ef19e1b6603be245430a0d45566d35e19ae04cb693714c9e871bf8d5dcdc71af0a4625fa537486dc439c91
SHA512 (HardenedBSD-11-STABLE-v1100056.7-amd64-mini-memstick.img) = ef95a77087998ea680d3c463c619ee749aa2b5794abed284cd5976b137c651aa3648c512c1af281f073f763df4d2e9a91f3cb79a5205234d321f950e0537b9f9

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlvH8GcACgkQgZsRom/9
GI1stw/+IM/kl6O9HIeCRZidthUtVA/Rk0ZGrvTilOpRwS+ahZks+D7d0ap8IC4d
WiQtuAOcG+RO0USYmv1Gmn0wh1bm0HhEFh6p/S4hnAgNTnRN1u4u/fBhqy7+jahc
IzBfvyRJ2+ym08trSBJthUtOmEcRvPwFOU7Vqj7cb9OpeAlQF7o5x6p3F5/W4VUf
G029GDJ8wyUQYSgQ+T6GgA96YUeEGNHcDZgUnEhyisyHCh60apYsrgRFKvmTqVff
91W6gRY/FhKgCmOJA1vIeXv5eiWGAlAAYTCWfbcsJ6SQAUzghxZTxUkhJEdy1XSg
XohwIoPU7TUKA7KDi9yP0SDdfCrDOeYlFwsYoOrDjxHLLDFGKNDT0BM3J9M8rh+N
gerwQQxZQ5ZYV8lohg5YSGfcvwgUoq3Th7EyqmtQbODAprvAlQYp8Ly1JuLkblHy
qR2DyoqVZfyEEmpTrt6AB+n5ck8QxZz9iYGSdwcdOKocqIcdZ96Znfo1oJDUMLe0
aYSimT/MTaeTCnjuo7jSz0Bvewi0zWfi5yqeOeE2X0tYlIvuuRh4/g6aovvaZuAJ
ZWOH4klex79aNvVRwqKToeq3OPjOT9D4KVTUnUu0oTRdxy7KAl0+YreGMdZQi7XA
wAheaZb3zZ8u/56EEMwWJwpn0ZvXSQ+BsOX0/USBQi/6+/Ir2Hk=
=S0Uc
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.6

Submitted by op on

HardenedBSD-11-STABLE-v1100056.6 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning:
since this version, the SMT (Hyper Threads, virtual CPUs) is disabled by default, if you want to enable the SMT back, please consult with the specific commit or ask around on IRC (#hardenedbsd on FreeNode)

Highlights:

  • Check to ensure the buffer returned is not NULL. (9359dbab020da232fa5104036f1014d0fa879561) [FreeBSD-EN-18:10.syscall CVE-2018-17154]
  • Restore the inp_vflag and inp_inc.inc_flags fields when the underlying operation fails and the inp could be in an inconsistent state. (854244afa3ccf0baa19ea60569bedd26267cf534) [FreeBSD-EN-18:11.listen CVE-2018-6925]
  • MFC r338982. Clear stack allocated data structure to prevent kernel memory leak. (7d66fd1e932a68e0bd893f0a19724069d5c80ace) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • MFC r338724: Fix an nvpair leak in vdev_geom_read_config(). (81ef86df2cf70de6e205ddfed8ae1d736239cd22)
  • HBSD: Disable SMT by default (70e728df724ed9cfe0e79f79d6446d00234f2ff7)
  • MFC r338600: Update libarchive to 3.3.3 (85012f82112d6062b2c4179c5ae9734275f4c480)
  • MFC 332454,334009,334122: Various fixes for x86 debug exceptions. (4484bf717c82ee46f15a522b7fc088a3e85f3d5b)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-bootonly.iso) = 582ac18f93337df8219bbc2aa707ec85a71c1ef1910b491230fa338d258fc5efd9326775e60a5961a6118196ae04ba7b0c18fb023b30341273c07e37766f4a16
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-disc1.iso) = ba064494fc320654922e17e1ba1e86e231ebe42196b0c2d35e9e3eff63f5b8ae4303a3255b3f8b560a6bbb6f5efad304baffabcd629b8c5e4f92ed1e56f87640
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-memstick.img) = ef229d8d5dff57375859b671e81ef67a0ee4676c9664f0acea4129c1ba0aec3806361479d3363b2f889e1dfcd83343fc2f8aec0b38f27146badf38179d3cfc51
SHA512 (HardenedBSD-11-STABLE-v1100056.6-amd64-mini-memstick.img) = d95c8ed96dbcf3b394a68d9771f12bec1a8ca94cf2a8250d70eccdb23f95c27bdf4239ec81f499b2fd84c38822aa82360f96ad408f743ff369488fec7ef1f14c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlutXwcACgkQgZsRom/9
GI2tpw//SSzwtC2vbWtbbOTv88TocVuempe9XkX14hKbJSOeUWE9qvXXbpulWvHU
OFqm5B6Y70egSubStfbM3ZKnhUDZYnrNU7SbPZYS7/kUQ9apB6g1njSS4u4Bd4av
a2T+1osOVP46ZNaRHCaFNr3Q+yZhdUg1LgbrC5NhMX7SzX7egts4owD6dsK5vIVH
ig6R5oDWe9fnY8UgMDUuNeEh51hdstW5tPDY70oMDdA0HIj3MWgbGYPTJtS4csH+
t0l5daxdqSuoVapES5mriOl4fYdeGEK37E1Er+Gntzl6a4/6WmTXETnQnsyuQ8cv
9kdg/ewjsvyHDJGdPXkfz+9Lpdoi9qIy19dc8o4oEA4PhDQ261j4uPsoY1nrYKrd
/O6+GqRuvjI9EPx3+RbTT8wSlKRn3UFif63Tidf2bEy/cFhoDVwlv46jnFpyDiwf
PoWR97tcc0lgSCzk2bNPpmWh+1KtL2NvbnkaKoZFn0QHgWnEmUl3c38YqQANHzcc
Gc+Rw1vuJ/3csLxdLhfAq+qkBuqB6QYhKUT0hkpkulBbSh9Z7DcR7IxIQc23Dd0Z
JKlMSnMvd4oZWo+yMqw7G+lXB+8uD6/ct+XgpN0BhYEgK/8v4nJa3K8KPv2RDEbe
uFxc3rFc8b/qfrOjJtK2Ajy1/cOfbKNOWTAYpmzuwn8R1i1csDI=
=0oYP
-----END PGP SIGNATURE-----

Announcing The HardenedBSD Foundation

Submitted by Shawn Webb on

In June of 2018, we announced our intent to become a not-for-profit, tax-exempt 501(c)(3) organization in the United States. It took a dedicated team months of work behind-the-scenes to make that happen. On 06 September 2018, HardenedBSD Foundation Corp was granted 501(c)(3) status, from which point all US-based persons making donations can deduct the donation from their taxes.

We are grateful for those who contribute to HardenedBSD in whatever way they can. Thank you for making HardenedBSD possible. We look forward to a bright future, driven by a helpful and positive community.

Stable release: HardenedBSD-stable 11-STABLE v1100056.5

Submitted by op on

HardenedBSD-11-STABLE-v1100056.5 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC 338603: Correct ELF header parsing code to prevent invalid ELF sections from (4bfdb79b43e74833a67eb9d7f2afcf632b136917) [FreeBSD-SA-18:12.elf CVE-2018-6924]
  • MFC r338126: MFV r338092: ntp 4.2.8p12. (900dde8260d39322fa4c1816fcc5978c204071d2) [CVE-2018-12327]
  • MFC r338068, r338113: Update L1TF workaround to sustain L1D pollution from NMI. (d9d4e900945e90a783c711019255120ffc7a4163)
  • MFC r333063: Update ELF Tool Chain to r3614 (e90f3bfc9bb4deb6c5da699ebe5ad305ee6391e1)
  • MFC r337505, r337865, r337869: dd status=progress (8c00a8c01e99dcdb8ef723f02b90e98fb6f2444c)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-bootonly.iso) = 5b0deba102a2c9da3fe3fcc015c3217b95ad63a01d83a0c33a6934f805486f8f0482ef6e60d3f209c4a996bd309cccb404b84cc5ded2724589f95f12106a660c
SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-disc1.iso) = 5b37ba3d75559d8cf9745f9b9c1898f402636949159ef9dc0a40dec31a0d839bd68cd3ca73aa69eef7c2adbf7fe18a6ac6363000cf7930c34cc0b2964be0e29c
SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-memstick.img) = c8b90115ae6585da0288d6017b896d23bfbd68ea821d04585422cfce36edef61507f076264c03f7298fbc8104f79ebb42d68c3ac4d9542e8795d26ce0ddc8946
SHA512 (HardenedBSD-11-STABLE-v1100056.5-amd64-mini-memstick.img) = d76c735ff59bd2ebccdd13e353c2ccd2694aa056d1d656df16ae65dadd589ce26062184a18e2bfaba4acde7290c2aecd7ecbe6031dcd4f7c4b443ce0e1afbeec

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAluZ1ZUACgkQgZsRom/9
GI37txAAkyqAsGx0mCUsKu8JWnnhw3DG1n0KMRJ+aSvWYIGL+b0fN4kTivhBKSVs
Ln/FKfvymQ5jVLDSOXRbwI9hd/Kadm967Vp0/lI2wBZfsrJ6oPUMs0cfCzJ8ZE9/
i76lCY8icS1Wl/eTKA5dPwSZSuJcYVbxXhg4zK2pMssOfFTGhycHGd86Znvfe/LM
qlybRqG4uC70rWQc3IgqrgMa1/cvCMSmKb792l2Bfs2FmLoXatxYtkjsWtnMWDQL
TGTcv0fOL5NRSXRlJj4QP+4NNpKq3ThN3kW2svJZzqMZRG+QZsIm7kfIbmleXHWQ
54r26dj1C74oR1r8CAC2OyiDJaGx19a7FXM/gdg/9AuTyMO4kEX7DyJhRAxZBchi
hr/uF+uiKS1BTXQOd2/Xjb8bkPl1TRnCa7N+BZoEToHWIUHCeiHRMD5K85Kyvue8
OA3ruhtW9dDYcq8WVoWSaAJdZpWQZGM3iPfwNI2P5YgdRGBDg51dYgMq2ofDueCc
0XJkeU+ysp+tlYPmYhLIqhZR1vA4iLzlXPa+0srITQJWbkS0WC+0cZqPgtyyIGBp
lQc8VWu+ncCKluZzndgff6SBE8404YRjgt8VQvJZqE2P1gZMwN4oGLmLnnyQVdYu
Qj98k0AkvLD2t7//cAFP62HTazpMfodhOt9ny2F0Zw9UEnSbTKk=
=sBkB
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.4

Submitted by op on

HardenedBSD-11-STABLE-v1100056.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r337773, r337838, r338112, r338202: Fixes for early EFIRT usage on amd64. (ebd8a26815cca310cec2634d2c159f5c03367f36)
  • MFC r337615: Fix a really subtle miscompile due to a somewhat glaring bug in EFLAGS copy lowering. (24eeeec9837c397f3dcdd8d7f6e68d2eb8114852)
  • MFC: r336839 Modify the NFSv4.1 server so that it allows ReclaimComplete as done by ESXi 6.7. (121df03ce024a9e8f52afc369903523b8607fc4d)
  • MFC r337969: pf: Limit the maximum number of fragments per packet (340f9f0f5ef86c2de708a6a82f7dc94b37ceca5b) [CVE-2018-5391]
  • HBSD: hook in hbsdcontrol into build (09a80cfc44e479cae28e5bd4a7f3970222507271)
  • HBSD: import upstream version e41faa644bf9c4b8ca79d85fe4119bd712317616 of hbsdcontrol (1326740583ee131c05b459c5085d686c558311bd)
  • MFH r337745: Sync libarchive with vendor.. (02f8199a18902245444f96f92bed334497db0b0d) [CVE-2017-14501]
  • MFC: r337791 Merge OpenSSL 1.0.2p. (04b30e35ca24b7e1150eba96db7fba2bf700cfaf) [CVE-2018-0732 CVE-2018-0737]
  • MFC r337819 (cy@): MFV r337818: WPA: Ignore unauthenticated encrypted EAPOL-Key data (89cd8f5e63ae09cb29e9f67a407235435f791104) [CVE-2018-14526 FreeBSD-SA-18:11.hostapd]
  • MFC r336203, r336499, r336501-r336502, r336506, r336510, r336512-r336513, r336515, r336528-r336531 Update wpa 2.5 --> 2.6. (2c0c29a3880db47098b28cff7a47fe20486cbab2)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-bootonly.iso) = c39f7dc83fa405852bdf0d67ddd9767248d51089d267a7c63033d7bb10a525341f1406ac1856d32d9004fa271ae70c94bf2726fd40de57f55a2bc14d757668cc
SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-disc1.iso) = 0ad47e752f7e309d6651b249429022f5e9970c169162af4f20fe1aff99f07be533f5a18e453ea2dbfb513e256fb37cf009ba0d09fb7e7f58ed6a36a245400c90
SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-memstick.img) = 3f1723169babd884f960328165e32aff9e8fe5eabafcbb8c67e6cf317fae19ce3740e54dd80ccbef9ba0ba14087aabc85745b5e707a9dce30a6278357723916d
SHA512 (HardenedBSD-11-STABLE-v1100056.4-amd64-mini-memstick.img) = 763803d0d996b381a15eb54491684269ee09407366b75fa68d82cb8e1e3f10dd5b9b2ea6908be237c7cbd364f980eab8b40c5694fe46ebb87c7190b5a6972d7d

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAluDUNgACgkQgZsRom/9
GI3xJxAAndi77pvbsXre+A0/LQ6B9rFd6ZUHj/Jk2yWZGF/A7Yr5VVEgBNzuff9y
3iU/Ma9SGBG5jTSo/LxIvZhw/cibp1U87+8Kisf9iGqbgXNKWlZNHeK9uzH+g2Zp
lNVxuLGFSeBULm3PijOBsMRTlxmT7Y9i54wNGB3pmLB1b8tXCasMaw8ivbjlW0B8
mjNml9XNrSxPl+nO8u3dfRGAa55PGdwe9mN7fKFB9DAyjG4S68UDhax8/p3Q8WNE
I4FlPNsRujc+M+qSupl5j4xxbBuwsLz93chC6e8DBBD604Pllk5o0C41XJ07yEQE
QxQSpXwvKwztf5IkooP8OTPKkdmuM2W0KWuwWp+/Y4zhQDG5SseBy12xvSFMKB/z
d5vw9FwTg0N0PD5ZYW0mHagWWeyyT+HVSQdxt8GK5iAnyIRe7bP0UjDjyBVMgqHp
d6BFYPi6Qg4hjD6bZCyqLo4oDjsEQrdr6d1ijk+8LyMdQtnHPjRn5c7avqqkQFrc
99jtK2Y/zZuXj4D1OmGvpz0+btaQ6suJHc2rWqRcID02U/gwnD3zoTF5I852KpAv
H1rnK60C0BdFEAwEjcwZKq28mtTIsfsKBRTeuTUZIk8ij2xx7y8+9e8n25kYJbOS
dSg1WSgfLYttR6Cqv66a9NXWC1IaF5RXlVN4BCB/9L9yKpj9CK4=
=j6H/
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.3

Submitted by op on

HardenedBSD-11-STABLE-v1100056.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: do not allow to override init_exec by default from loader when the kernel compiled with PAX_HARDENING (19f62c611d729b0e11aeea09cca92b8a2357e086)
  • HBSD MFC r337774: Reserve page at the physical address zero on amd64. (2be594934556ef121ee095b76cbed845cf51fbb3) [CVE-2018-3620]
  • Limit IP reassembly queues (b237529341a40e980dbbb8998bd029dd805f976f 473b73fec73ba098937b1deb304cbb285fed289a 3b9d004b0f08c95203a2a61bdb293a075470d55e 9154624e12ec34b0048dd9ca7159a4b7fdda80e7 dfb2edc8f5fa836a42011e06d48ee99560312081 d85d7540a7fc2cf733c4a655a4c9b28fb6acf42c 54c1ac1408df4b7b0186933e804da8a5a622c24f b3822a674366465673f831e3ff2b544e7292f9242762fee5dd30eb9f1896295c63521e86a9b98d06 95d18bdb4de4bc81529cae34a3e1976145d6fcb1f0d4e7bdc43c2e330df8bf6cb1fca39295403ffd) [FreeBSD-SA-18:10.ip CVE-2018-6923]
  • HBSD MFC r337745: MFV r337744: Sync libarchive with vendor. [CVE-2017-14501]
  • MFC r337785: Provide part of the mitigation for L1TF-VMM. (249be5558ae7f7a429466ea46764dfb581133a03) [CVE-2018-3646]
  • MFC r336855 Fix the long term ULE load balancer so that it actually works. (e2d93727643b74f67085eb874430e0e9eeb57641)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-bootonly.iso) = ebb9bcfff4ae383a5786f1c604d1a8798168b452f3c60c93138987e42248c85c54986d86707e03f18cf5166dae95b18b87ed075bce1829c314007a6988c7248d
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-disc1.iso) = d59e6c829713f8a93bcafd712205598f690d4c4933bc5798f7c727382e84b18450cf2e166b3ff5fabdb410a73873fa238d7a90913de80f25af1ec1cfaa62bffd
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-memstick.img) = 63da6f43b0d280e4af5acd57541bd0b8876910e2ec433e076ece608737c9770672629a009dc6522b366432d69c095860fceab0fac2ed2d1c9f9e9da6f8d6bd4b
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-mini-memstick.img) = 1b720e5735c549b24154d7d12ed945fa3a0fbca55304c344845ae731fcdb0a990f07c299d5e9fb7cf858af4d88392fcfb7b930a070ffd4b2bffadf56a7b260eb

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAltzXYAACgkQgZsRom/9
GI2iexAAk2JlTkOgAjrncC3ooGC3qaCWbPLvt9z+6ZybRTMTvUXmEjVekXVv4wYf
nHKpeN9AMM1ak1fJUJcRvlFMKYoU976ceLgzdxY4OHtFyfaA4EdixpLNRcipbJWZ
8MPpCs8XFjt2jd1hvNKuny2zeBpTvwuS7UC7gQMmZnQXxW05xXl2dJIvv2Z+3/V6
xdziT6czswUmtQGxLnyzfZBbKprFJ4x+ykKxTp4tfHkklKY2hbvgJunjXblRpFnT
UZHQXlt2TF2lL6TBQ+eBRVoARqCybAk6zKn5w9/q8i2/2/g+IXVZfANSP/zq4Uur
VB+xgRPVzfZzFUUjwxTUz5CdEJUl6UnhNkwuTu1jzy5ziWtWGpu16KN0dR86lW9i
MOGXBKk6zZoSnDLR+SZ50FJRpNsjNwJuJC7goEB3WDsGrzM5IBEBdQeimL3hXT5J
H+WCzAE4riyATL1ZmdX5w8ck2rv0KuLGxqzMPySWuwIpK/tDjXiE/8eOGK2Mc+7S
q2tR/2gRDM0+YITQWkW4SvPHBMS+vdQmj31u6Zq1aCVJB/LhuCc06JYSKXDvWcfZ
0TZeGIklkekLlmsN0Y7F7dSzvxY0evh6KQejL0iUgH8HV2CpxExHQcXAd0RrlvYp
60vgNqjGDiKQN5OyFtVWAQgvX0dfgphwx61hnB3SecxSuR06biM=
=4kIf
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.2

Submitted by op on

HardenedBSD-11-STABLE-v1100056.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r333405: Remove PG_U from the rest of the kernel pmap ptes. (6840ef5d2739bb01a0dc7d192316bd18eb24967b)
  • crypto/libressl: Security update to 2.6.5 (ace3164bc710f03d7978019792dedb0a236c52e0)
  • MFC r336761 & r336781: Allow a EVFILT_TIMER kevent to be updated. (a1143bbcefc092238acc75578211f8938cddd8c8)
  • MFC r337384: Address concerns about CPU usage while doing TCP reassembly. (db2e2eea0366604ed65e6f50824471e22035f343) [FreeBSD-SA-18:08.tcp CVE-2018-6922]
  • MFC r336919, r336924: efirt: Add tunable to allow disabling EFI Runtime Services
  • Libarchive update (3ff094362c83c79ca9d501ec9e52a11690e8beff) [CVE-2017-14503]
  • HBSD MFC r313168: Fix VIMAGE-related bugs in TFO. (7a58c5a57aba467d77542a81e797330c3b4ec0bf)
  • HBSD MFC r333885: ctf dwarf: don't report "no dwarf entry" as if it were an error (c4bda35c98a3d1f587b7d6235b8d23161922070e)
  • MFC r336763: Add workarounds for several Ryzen erratas, on amd64. (b26157613a63f16d4822e421cd65ebf5524af67a)
  • MFC: r336357 Modify the reasons for not issuing a delegation in the NFSv4.1 server. (88b6d0a280d23369b39c11398cacc17ff7f39da3)
  • MFC r336683: Extend ranges of the critical sections to ensure that context switch code never sees FPU pcb flags not consistent with the hardware state. (e0245aeafd4d0ab7073f8d616840077f69e15a2a)
  • MFC r336188: Improve bhyve exit(3) error code. (ff4bc3fee787254597b6a515f16495b20ed620c9)
  • HBSD: Really bring hbsd-update current (630cab9f8eeee3907157f181c4c7a4d8183babff)
  • mlx5 updates
  • ofed updates
  • arm64 updates
  • msun updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-bootonly.iso) = 2f75e591853aa932b8a6576ff5499b530fbddd0974a19463cd88b269e9faed6021282204485240486608033b3e05d9ed65463849263785efe9a97b7cc0065a50
SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-disc1.iso) = 25545b3ab97265b53984609886b5bd2941a4140a742d5285816bbb37720584a20e8d9f16fa001eb854aa27c498a6341af0e48848109aceafea0086ab451527bc
SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-memstick.img) = 3d6080deccb880b1e228636869598e0763cb40d4ec1a228d82b39f9a169cec1f5c846db3ccc2045e654ec8880c27c2e9be4b873c6201c5bae3060a6b923106fc
SHA512 (HardenedBSD-11-STABLE-v1100056.2-amd64-mini-memstick.img) = cb49fa02e29d9aacf18d84e94bcdfe0d90f874903047dcb4bf06aae40ec54b0b4f68114a38d54599d04a0f972ffd1f60d9ddfbb2a06e5c3a2a4682cf59d934c1

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAltrW9gACgkQgZsRom/9
GI1MVRAA0xwNbOIVimbAyxqmkYuF1DhqgJmLT2Gr3pN9pg03LLpGH0f6rVCi/cKM
Sr1rY3O7eOSUvc6vhQroQT3B1APU2YCEv3VO3vY0oc9wcw1qpcogkHrsjlxUlMlD
B4PaiUtHCyHiYI5xfMKt+/kmwLUUOSapUhfv1A3HfpQOJrd7jCtBekhOjZJHbVAH
ZDJnsjio4P7aXxIm7LGxuk8EU+C8Sj+oqGZpSqsfjoaBvTvqDTSSII1z1HoLCHDx
Zmx2zSX5dhwLHvbs89sTfd2WU3898r0FRibMnKZFPsoLGzEzrMjQRxnY8IS328Gj
FPbcWGgjT0P/NdhKe+HXyhmrq/ZQLZJEqbSz5x528ZXboQvQA5JXeXqstnqNWQiv
OO9C9qtXD/uLgW76FYBiEElhS/G1bD5FrCzLfIzuBcrmx2Un+FNt/vrB3EjSlk8L
Zyhfa6tb+n3t44J1HYMSgzQ+7ulOrZrYkT2we3qN2p+JnzKBAWIpIXKz/g/r0dRw
K9tAyBCqEGXpNE521i24G26gurm7HqzamrvwphNW71ju3TEd9PZDqi++3Bm6aF3J
mADB7Tts8JBmD0fkp/8lyCiIlonmCVdQZ7cJMkVX6i+yLBvEG91fKq3c37zKuT2R
FMYnU4PIf/AdzNASWYBwVVJZ7dNkgSHUJyU1zXvkjuchvNA/tiw=
=eU3I
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS