June HardenedBSD Foundation Update

We at HardenedBSD are working towards starting up a 501(c)(3) not-for-profit organization in the USA. Setting up this organization will allow future donations to be tax deductible. We've made progress and would like to share with you the current state of affairs.

We have identified, sent invitations out, and received acceptance letters from seven people who will serve on the HardenedBSD Foundation Board of Directors. You can find their bios below. In the latter half of June 2018 or the beginning half of July 2018, we will meet for the first time as a board and formally begin the process of creating the documentation needed to submit to the local, state, and federal tax services.

Here's a brief introduction to those who will serve on the board:

  1. W. Dean Freeman (Advisor): Dean has ten years of professional experience with deploying and securing Unix and networking systems, including assessing systems security for government certification and assessing the efficacy of security products. He was introduced to Unix via FreeBSD 2.2.8 on an ISP shell account as a teenager. Formerly, he was the Snort port maintainer for FreeBSD while working in the Sourcefire VRT, and has contributed entropy-related patches to the FreeBSD and HardenedBSD projects -- a topic on which he presented at vBSDCon 2017.
  2. Ben La Monica (Advisor): Ben is a Senior Technology Manager of Software Engineering at Morningstar, Inc and has been developing software for over 15 years in a variety of languages. He advocates open source software and enjoys tinkering with electronics and home automation.
  3. George Saylor (Vice President): George is a Technical Directory at G2, Inc. Mr. Saylor has over 28 years of information systems and security experience in a broad range of disciplines. His core focus areas are automation and standards in the event correlation space as well as penetration and exploitoation of computer systems. Mr Saylor was also a co-founder of the OpenSCAP project.
  4. Christian Severt (Advisor): Christian is an information security engineer. He served in the U.S. Navy administering classified Command, Control, Communication, Computers & Intelligence (C4I) systems. Christian also volunteers with the Seattle Privacy Coalition.
  5. Virginia Suydan (Treasury, secretary, and general administrator): Accountant and general administrator for the HardenedBSD Foundation. She has worked with Shawn Webb for tax and accounting purposes for over six years.
  6. Shawn Webb (President and Director): Co-founder of HardenedBSD and all-around infosec wonk. He has worked and played in the infosec industry, doing both offensive and defensive research, for around fifteen years. He loves open source technologies and likes to frustrate the bad guys.
  7. Ben Welch (Advisor): Ben is currently a Security Engineer at G2, Inc. He graduated from Pennsylvania College of Technology with a Bachelors in Information Assurance and Security. Ben likes long walks, beaches, candlelight dinners, and attending various conferences like BSides and ShmooCon.

Stable release: HardenedBSD-stable 11-STABLE v1100055.3

HardenedBSD-11-STABLE-v1100055.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • mfc r333368: prepare db# handler for deferred trigger of watchpoints. (5801fdddeba7acdc937cef898a45653c6af7a131) [cve-2018-8897, freebsd-sa-18:06.debugreg]
  • Turn off IBRS on suspend. (dbda57b58572831fa594ed380c7e5a9b87104694)
  • MFC r333247: Import tzdata 2018e (2beb6fbb124ec882449f77288cac650ffa862ab3)
  • MFC r333234: zfs_ioctl: avoid out-of-bound read (e7e4020489d1cdcbc338e0d6b916ec2beef71205) [FreeBSD-SA-Candidate]
  • MFC r332559: mountd: fix a crash when getgrouplist reports too many groups (e6e3f0e40308826bdaa17640f676d5ce98890a24) [FreeBSD-SA-Candidate]
  • Carefully update stack guard bytes inside __guard_setup(). (1086bca876f4a7d526450143227151e6544d2afb)
  • Correct undesirable interaction between caching of %cr4 in bhyve and invltlb_glob(). (1135b57649ecea7452dbae3245610ce03e6394df)
  • Handle Apollo Lake errata APL31. (6fd5da7f06d3412cef113820f484da4551ee8ab7)
  • Add PROC_PDEATHSIG_SET to procctl interface. (a31a7b88e5e784593cf07c3d8c39e1d68769511f)
  • Fix use of pointer after being set NULL. In NFS. (4223ca8e51c2eda332673d16f0dbf27e533a17a1)
  • Add hybrid ISO/memstick image support (47b459549c41e783f81dc1c71f5f5e1cb3454f50)
  • bnxt updates
  • clang updates
  • e1000 updates
  • hyperv updates
  • iflib updates
  • ixl updates
  • makefs updates
  • mlx5 updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-bootonly.iso) = e84a88f6909dee4155b6eb70d4471f0c07271f23d1df3c227def32e3e47d5cf78e5bd4c4150c0796ce52c79d61af0915136bf595bf598f898f777af5967e7156
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-disc1.iso) = c3ddf6e6c439b53419442f56773b39e60f75e56cd9f28b4bfccf9623f478d63c307f4851eea75df785058d30f60e981b0c5342c11e1259796a0a0b4c3af0ccd9
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-memstick.img) = 52b1597b74b6f83591ae7a2e678e4129e6ab3cfe07dfa5db8bf6748247c8137853806ea5e6dcb749540874dd35b673e19a9625d07d19d037b50f894ffea442cc
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-mini-memstick.img) = 69c7709b601f5287a1b7a1938d52c8681648175402bc096b5793ba1f8f253b48ca3a019f2e70ad9e32857e812147951eb42c8fb2bec40e098f4ab40d68bfa521

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlryWWcACgkQgZsRom/9
GI1bABAAwJM+ZF9W3DGS2YCsMbNGHXWICmSWrqGO7Wa4B1s2JfhoIHOi4W7rDWfB
cBr++IkTf3bh0g7A38OJ2s8HWpDZ0IEAzl3KSNHtpvKMKJ6uuBeM79mLb5nAxQQM
lrApsfJ6njSu/kvwaKJLu20pZd1g1EqplC9PQ8D+UTDq9wgfDc0m3gaE7jOGc81Z
OIgw12pVg7bIur2EQVWyNpbEvCBQSTf1w9Ce7RZ2w7irGvptlB/AbrVPKLHraZTV
R6pVHUZnJ8KRvu0S5DpO0Gzr+H9gtfWypVs8H2ys1nn38/tZVpUVQC3S+0X3cSX2
kZbX7WPPK6z+XJF0e0V2V/7DuPPHkqkDe9tNkl+lVLDDwYlEIXVwgC9lRJR1+bML
uwY4VEH8Py2mZw7r8up0i1bNtfo2J+NOaJTvE549W+120zSgKrlzlz95p/jhP3Wj
NYyDOV/gPuxDXbpJEbWbA0XECmS+ijAQ61238/WTh9Gas6gAwXI3EVrm8DEYkpqn
Aj11++8Rh7WOEf6N0rWMy0NciZMLix/tcnoaGeABN6XsyieRTvAnrV/nJM+tbtti
5CxcnyVo4VYrh4zpY7hrF14PifM8WIKlN838N7Bkg3CL+xsWgDDcbs86ayY7B4a1
Bi+JZ95N8UIS00jJbRIbYjhcpHAiuwHbk1ZmAPbdMj76RFjMSbo=
=lVsG
-----END PGP SIGNATURE-----

HardenedBSD Switching Back to OpenSSL

Over a year ago, HardenedBSD switched to LibreSSL as the default cryptographic library in base for 12-CURRENT. 11-STABLE followed suit later on. Bernard Spil has done an excellent job at keeping our users up-to-date with the latest security patches from LibreSSL.

After recently updating 12-CURRENT to LibreSSL 2.7.2 from 2.6.4, it has become increasingly clear to us that performing major upgrades requires a team larger than a single person. Upgrading to 2.7.2 caused a lot of fallout in our ports tree. As of 28 Apr 2018, several ports we consider high priority are still broken. As it stands right now, it would take Bernard a significant amount of his spare personal time to fix these issues.

Until we have a multi-person team dedicated to maintaining LibreSSL in base along with the patches required in ports, HardenedBSD will use OpenSSL going forward as the default crypographic library in base. LibreSSL will co-exist with OpenSSL in the source tree, as it does now. However, MK_LIBRESSL will default to "no" instead of the current "yes". Bernard will continue maintaining LibreSSL in base along with addressing the various problematic ports entries.

To provide our users with ample time to plan and perform updates, we will wait a period of two months prior to making the switch. The switch will occur on 01 Jul 2018 and will be performed simultaneously in 12-CURRENT and 11-STABLE. HardenedBSD will archive a copy of the LibreSSL-centric package repositories and binary updates for base for a period of around six months after the switch (expiring the package repos on 01 Jan 2019). This essentially gives our users eight full months for an upgrade path.

As part of the switch back to OpenSSL, the default NTP daemon in base will switch back from OpenNTPd to ISC NTP. Users who have local_openntpd_enable="YES" set in rc.conf will need to switch back to ntpd_enable="YES".

Users who build base from source will want to fully clean their object directories. Any and all packages that link with libcrypto or libssl will need to be rebuilt or reinstalled.

With the community's help, we look forward to the day when we can make the switch back to LibreSSL. We at HardenedBSD believe that providing our users options to rid themselves of software monocultures can better increase security and manage risk.

Stable release: HardenedBSD-stable 11-STABLE v1100055.2

HardenedBSD-11-STABLE-v1100055.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Update stable/11 from 11.1-STABLE to 11.2-PRERELEASE (94c28bf78654f162c5208e948a30ab3309be8016)
  • MFC r332452: Update vt(4) "Terminus BSD Console" font to v4.46 (9c729368074a9cf26e68fe351521b9e4fc34272d)
  • Fix double asking of GELI password during boot (328e5ffed1a056f76c9a377fc7e02d66171e004e)
  • Fix efibootmgr on 11-STABLE (d8ec2e24869d562150ecc3d8eda4dafebc25e570)
  • HBSD MFC r330110: Add kernel retpoline option for amd64 (610cfa850332237f8a9cc8092ecb1eba991c2f2f)
  • MFC efibootmgr: r326725-r326728, ... (b166cff0a1647a873d17bfeacf8b5e24e918a4a5)
  • MFC r332045: Fix kernel memory disclosure in tcp_ctloutput (81f1d66df2de7298ccce84f89e9153c429d06952) [FreeBSD-SA-Candidate]
  • MFC r332042: Fix kernel memory disclosure in linux_ioctl_socket (66d2c2b6be81d73a9275aa5de0b8efae9fb2ba1a) [FreeBSD-SA-Candidate]
  • MFC r332034: linux_ioctl_hdio: fix kernel memory disclosure (fd3044f1ded864688b8531485782ce0738b744ad) [FreeBSD-SA-Candidate]
  • MFC r330356 (eadler): sys/linux: Fix a few potential infoleaks in Linux IPC (5ec3811964aea39995dd4808597840472917ea9a) [FreeBSD-SA-Candidate]
  • EFIRT fixes (c0df00c84bce385d540936df30cf3bfb5b5a1ec4)
  • MFC r330354 (eadler): sys/fuse: fix off by one error (9272ccc837315f7485064286c0ba1d434b8dfd1b) [FreeBSD-SA-Candidate]
  • automount updates
  • bhyve updates
  • ipfw updates
  • loader updates
  • pf updates
  • sctp updates
  • vt updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v1100055.2-amd64-bootonly.iso) = 530257bfc3d35b450f1080a2468fc2acc05133840a25a2d531d50e23b13f45018d9ce00790d4f86a8882854cc838ebf8e1f26ffef3254aeda9aca8894d81e796
SHA512 (HardenedBSD-11-STABLE-v1100055.2-amd64-disc1.iso) = 420993d25e5106dbd5018c4d6562b98dcd7a6b2e346b8eb8a9682d4dfcc97e24d79269a14a428c51a57d1df121770cfdea486aad7a4e722e71c610abcb007149
SHA512 (HardenedBSD-11-STABLE-v1100055.2-amd64-memstick.img) = 0615d0b403c1fc651b36ba4846af8587d5a2996993ec277baf478104486b06ced464a2d80516bf286b6e21bee58a8bce422ad3ddccd3a4fc76a09af4cf3c8fd0
SHA512 (HardenedBSD-11-STABLE-v1100055.2-amd64-mini-memstick.img) = 636f6510bfe2362204124ae392def900c6e7cde06b640c696297e8eba17e365d62a9b06970e58aa6d62c5d2ba6ff34206705f32f68c31a386c42905d77d32262

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlraVKIACgkQgZsRom/9
GI3OuRAAolxT7rybAnEVOWtfrobZv2c9ZIVhz2rGNCPGPlaauLzCBzUAZA0xwduA
Upk1G4ZRApUPAoFHsaooJ4+SaheyUaGxG3YMb+QzQ3+roHdtpGf8QbdKqYWBWkN3
cJy3zduIt1jD9K3Nf1Vbm8aifVmvQsOChiNx9gIZ1th67UwTgDkb8RL0LG5I202b
tGNQrdv8mu17968E44U8AoJ+m3eEa5wQPywKu1lnmxde/FZOSl6faxXX9L3MJWtr
hUMigBEOcYXYZWc7fMF1gyXld/tasO7T8qX44dWRp8uMWyqWnMu2NRq/h2MBwu0/
tii140Zr260jQyp3twL2Gxtqm1Nhvs21QUKP5u1oRO3riLuVxFpdI4r7MoBKx4ug
4fEpYDkKmMkN1VUVmg4CfYRvEZauWqOmtAPqPthNrnzWtC+39/UTOgMjYHL7qf9N
wl32od7ISs0yE7bdvCe8BPpsJYh3ZOraCqBoy2F1x9i5aVZmZ/rRqbC4/cPpYNzp
mMtbHYLzvtt8HWnzx8SOeKWomuZfW6SBeBS3xVRtBdlilDj3xb8SuALtgwuBTtVp
8rypuWlKIzCtc4CjLKncN5cCVjnWAU/1zFXjrLokSb5wrEAPam/HYquc7gozjYXq
+BA/sJzoMNWxfNRf/vs664xEIEK0rt5K+68RuKZKfdLqh9G6Huo=
=JHSI
-----END PGP SIGNATURE-----

HardenedBSD -STABLE Updates

We at HardenedBSD maintain three repositories for base:

  1. HardenedBSD/hardenedBSD (aka, main repo): This repo is used for official development.
  2. HardenedBSD/hardenedBSD-playground (aka, playground repo): This repo is used for highly experimental code. It may contain code from external sources.
  3. HardenedBSD/hardenedBSD-stable (aka, stable repo): This repo is used to generate installation media. We review each commit prior to pushing to this repo.

As of 05 Apr 2018, binary updates and packages for 11-STABLE and 10-STABLE are built using repo #1 above. However, most people use installation media generated from repo #3 above. The stable repo moves less frequently than the main repo. This can cause issues with how frequently the main repo moves. Most of our users who run 11-STABLE or 10-STABLE update packages frequently, but not the base operating system.

In two weeks from the initial publication of this post (19 Apr 2018), we will switch binary updates and the package repo for 11-STABLE and 10-STABLE to use the stable repository. We do not expect this change to negatively affect our users. In fact, we expect this switch to better suit our users' needs. Users will not need to perform any action as this change should happen transparently.

Binary updates and packages for -CURRENT (aka, hardened/current/master) will still use the main repository.

Stable release: HardenedBSD-stable 11-STABLE v1100055.1

HardenedBSD-11-STABLE-v1100055.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Implement mitigation for Spectre version 2 attacks on ARMv7.
  • Limit glyph count in vtfont_load to avoid integer overflow. (5966c5fc6c1941b9d936ad21eb8c8ca9e37a0ec0) [CVE-2018-6917 FreeBSD-SA-18:04.vt]
  • Fix several leaks of kernel stack data through paddings. (6cbc066578e9d120086a39fffc9fb76f3a2ae3b1 5a4de6ef78e289193b2b14c0e68ad00443323813) [FreeBSD-SA-Candidate]
  • MFC r328331: Support configuring arbitrary limits(1) for any rc.conf daemon (0f8014018211d7891dfa72334526a4c5d7201490)
  • MFC r324673: mbuf(9): unbreak m_fragment() (db82dd0a6a9de84e8678be871ebd8821c9802628)
  • LLVM 6.0 (6cd0d336d6427448ee7e76d16538cd3420c27526) [SA-18:03.speculative_execution]
  • Add an option called "random" that combined with "ether" can generate a random MAC address for an Ethernet interface. (8d44e96c549ac602b1bca95375e9c2acffeb5f1d)
  • HBSD MFC r330880: Don't overflow the kernel struct mdio in the MDIOCLIST ioctl. (880d7e96cdd88fdeae5e631ae86db42d2665fa81) [FreeBSD-SA-Candidate]
  • MFC r315522: use INT3 instead of NOP for x86 binary padding (71918e8f61597def8a0205b9b259f791777bbdc9)
  • MFC r324560: allow posix_fallocate in capability mode (232a0597ebf908a011544eb3ca776206859ab837)
  • MFC: r331627 Merge OpenSSL 1.0.2o. (54f770b796bd94590b148914cf8fb487a5e7d885) [CVE-2018-0739 FreeBSD-SA-Candidate]
  • Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) in 32-bit compat mode. (afaab4bdf5993f92b5013cb423c5c34216bd1319)
  • MFC r331333: Fix kernel memory disclosure in drm_infobufs (cb7bbdc0771f4360d3d1c58982075bd522ff7079) [FreeBSD-SA-Candidate]
  • MFC r331339: Correct signedness bug in drm_modeset_ctl (54cecb661544f1a1541a1ee37b8b97df6c5eebb1) [FreeBSD-SA-Candidate]
  • MFC r325047: dma: fix use-after-free (f4c0052c8e6632871a26af73b98acafe10d1c9c1) [FreeBSD-SA-Candidate]
  • MFC r330745: Make root mount timeout logic work for filesystems other than ufs
  • Fix information leak in geli(8) integrity mode (c9ede81c61b5d300b5acb89d4167b11f917be4c4) [FreeBSD-SA-Candidate]
  • MFC r330034 Fix a memory leak in syslogd
  • MFC 328102: Save and restore guest debug registers. (5a911c66c42eba7c480f5f566edcabad716ddbe8) [FreeBSD-SA-Candidate]
  • EFI updates
  • I2C updates
  • LinuxKPI updates
  • Raspberry PI updates
  • ZFS updates
  • indent updates
  • less updates
  • makefs updates
  • mlx4 updates
  • mlx5 updates
  • pf updates
  • syscons updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100055.1-amd64-bootonly.iso) = d023527a8e385f69787b5e1e2a9f52849cc9a7b439c4180ca285c753412aa9352da21bd8286b0d60960b626d5d1856c0ba749a135f36f6e39a597455aeeb22e9
SHA512 (HardenedBSD-11-STABLE-v1100055.1-amd64-disc1.iso) = 871fa40b3963ccb31df94f8cc4a83ef931de0c1facc3a0eb1175435c9f996297678e8910968d82d98f0a0cf46391aed568c52ce5261fd5c646d40f3eb18b7107
SHA512 (HardenedBSD-11-STABLE-v1100055.1-amd64-memstick.img) = 1ef4ac1af66a6428550033849b91590f4ed8c6bb075ae8203e306b98d1f4c0b88cfa9c5b41373a580a46ece9f84148a144734f763f1064d9a0763ff262a080fe
SHA512 (HardenedBSD-11-STABLE-v1100055.1-amd64-mini-memstick.img) = 3be90dc646efa29e724324d2220c4616ba23ae28df038d0312750bea9463fc4cdd8385f5617da8b93a8d537e1e7b4134f0d124e723f503dd2656d927b986210d

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlrEsR8ACgkQgZsRom/9
GI2cBRAAl3GIIfyCrzGntsbsPJhB6CA6DsGLGrw6Y8m3PdvNLe7re5HXbHp3WkOA
6XzQ91+Ip7ZX7+CyLtdxAe/mUuqD4zdxRqHehrMCQgXgEeL3SndUrs46iDS0mXhv
rGi8a3mg5nX2JqWvhh4ALThWSf7gn/JqQTVHgvVXClr/ruVJJMfJlYOcQb96aN2g
sQSXnW27Zf8aauGC4SkDip4mRIFrEEVMRILCOeCUDWkDjecOGSZgKyFuV9299ln2
LTocbJBGuYPcj3xRtK8YgRIQ6v/b5gEiZUhUnonOC6OMOAm46fhjRIa5DpcFBOdT
/W4BLML5vKzlXutJKCMJGua+wRwvz348glj+hr5R+oedjNhb6K+EA6Fz3e205UY2
IRRrakEpXVagElp9fgLxc3n+sh3Rm1hsf7undgdslV4oN4+61xdrEEDIOux0OHtX
8/hFd9e3lBctwGl34Mx+d7FcF/CbFBdQjUuk3zp2NFSluk1o8yVLiUQG17Cq6VYd
MeNRL1RlSuAWuxjhL3N7mPwOVn71Z219lTJu84uaHuZn+nTRNS4gKk1I/qdPUuX9
/lY+4T6lqUzzjo3hS99jVwWgAjaunOHbjG0l2yDMeZceQ0PIt9MDAWEjiKnFnJj3
lOpHE0132ApHEmbl+SQDFSrpJaRFOmkbdVT2N4FtsPGNNdmsR6A=
=kv71
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100055

HardenedBSD-11-STABLE-v1100055 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update!

Highlights:

  • HBSD MFC r330539: amd64 - Protect the kernel text, data, and BSS
  • HBSD MFC r315914: Remove buggy adjustment of page tables in db_write_bytes().
  • HBSD MFC r330538: amd64 - Nudge lld to break the kernel read-only and read-write sections into separate 2M pages.
  • HBSD MFC r330511: amd64 - set NX bit on PML4E for recursive page table mappings
  • HBSD MFC r329071: amd64 - align kernel map to 2MB
  • MFC r330027: iconv uses strlen directly on user supplied memory (ad9743ad32a775f3e5953f25e0ab47893ad38fad 8e1404ee8e0ee1f04c0ce4f41955086959ea293e)
  • MFC r320367: Add "Terminus BSD Console" size 32 (0166c5a13a0ad399f712f30b68d2d8154377fc13)
  • MFC r330104: MFV r330102: ntp 4.2.8p11 (9c7570c3132b1eb17c9cd33e73a8ae9f13ba0624) [FreeBSD-SA-18:02.ntp CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183]
  • MFC r329561: Check packet length to do not make out of bounds access. [FreeBSD-SA-18:01.ipsec CVE-2018-6916]
  • MFC r329254: Ensure memory consistency on COW. (Fixes stability issues on AMD Ryzen machines) (c3179a4c90eee3a08297f783690e9817d6be5600)
  • HBSD MFC r329281: x86 pmap: Make memory mapped via pmap_qenter() non-executable (abe421b3cb0e358ee6fe2c3dab57a5a945204426)
  • HBSD: enable PTI by default, when option PAX specified (c0bb2951db93d36e840f634c984d21ef49a05345)
  • MFC r328083,328096,328116,328119,328120,328128,328135,328153,328157,328166,328177,328199,328202,328205,328468,328470,328624,328625,328627,328628,329214,329297,329365: Meltdown mitigation by PTI, PCID optimization of PTI, and kernel use of IBRS for some mitigations of Spectre. (6dd025b40ee6870bea6ba670f30dcf684edc3f6c) [FreeBSD-SA-Candidate CVE-2017-5715 CVE-2017-5754]
  • MFC r327444, r327449, r327454: vt(4): add support for configurable console palette (416ac1f42d4b12af9f54ca147de4fbbec07302f6)
  • HBSD: allow to set PaX features as jail parameters (45748d2afdd187b48e091f216bd5b7fcaa7668cd)
  • MFC r323683: MFV r323678: file 5.32 (2f9dcccddd60b1712d33383dd42806164ef72050)
  • MFC r328032,r328060,r328243: service(8): Support services in jails (d3a9144a73ad565126e63c40cada6f8f2ede9dd5)
  • MFC (conceptually) r328107: Add /boot/overlays (FDT) (4bc066c359fc4c862855cfd1e3a26977680b7951)
  • add smn(4) driver for AMD System Management Network (2314d2b163a6783ecb1c55d744025054a79319d3)
  • if_iwm driver backport from freebsd/current/master (adds support for Intel 8265 and lot of bugfixes) by eadler@
  • linuxkpi fixes (allows to use latest drm-kmod-next on 11-STABLE) by hselasky@
  • zfs updates
  • loader backports from freebsd/current/master by kevans@
  • opencrypto updates
  • lock primitive optimizations
  • bhyve vmrun.sh updates
  • hbsd-update updates
  • HardenedBSD in kernel cleanups and simplifications
  • mkimg updates
  • libarchive updates
  • nvme subsystem backports

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v1100054.3

HardenedBSD-11-STABLE-v1100054.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Note: this was released on 2018-01-13

Highlights:

  • Make it possible to re-evaluate cpu_features. (a586b974f77aedb619baf0454435fa4016339161)
  • Fix a null-pointer dereference and a tautological check in cam_get_device (b55f0a5b31496ea10bd6e1163d13a1d8c26ca291)
  • Do not build lint(1) by default on stable-11, add WITH_LINT to enable building it. (5fb1dbc1862d5ddd058d22fe18063e6c71aeb7bc)
  • Improve the performance of the hpet timer in bhyve guests by making the timer frequency a power of two. (d21bd84ba2d9e4eff99f7a4764ea400d2766f957)
  • fix memory disclosure in hpt* ioctls (8f534ab83139899084a80948e8e2926f2c988fec)
  • ACPICA 20171214. (7e248a6a42be630466c332f690b7379e34abfbf1)
  • crypto/libressl: Update to 2.6.4 (0dfcdb670cdbb43b3a1463c758456ab0f01689ca)
  • Update tcpdump to 4.9.2 (ed596e7fc294f704796e96377235d77adb7bee0e) [CVE-2017-lot-of-numbers-here]
  • hbsd-update updates
  • llvm/clang/lldb/libc++ 5.0.1
  • GELI updates
  • VM updates
  • VFS updates
  • lock primitive updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100054.3-amd64-bootonly.iso) = f14531adfa78667d69c6b3839f304e715bb5aa121d6fa307937e33e30c5f83ff57179a70a4e4fbaddf866f1d27123f6e3acd26b333f0977f62759f829d06b7e8
SHA512 (HardenedBSD-11-STABLE-v1100054.3-amd64-disc1.iso) = 47499cc46e8c437740f99600b96a11cfaaffcb4425f26e9331dfd643cf0cb629c424095cd4993008a97adf65216f8f25522c620adb791470d664b6ae75c185d4
SHA512 (HardenedBSD-11-STABLE-v1100054.3-amd64-memstick.img) = bf8d56c025c5c84714da7b6321086b2acbcb46ad46c548297ed9262bc8b3c75e62f913f7fb942796976a51ccaaf9caa04087522a782a34549a1f8501ac4f06c5
SHA512 (HardenedBSD-11-STABLE-v1100054.3-amd64-mini-memstick.img) = f69002a55be3aa46d25edb75b973a3e12a6a602ce907f4a0e5cb6de756bb417ec37626565d2836a95e88a2051c70595a09863939b3965ebb8d12044b8fc8a191

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlpayEAACgkQgZsRom/9
GI33/hAAyy3BvAutJ8uohh/sW3flyv1tng0L3rqG2fB/fenpjzMWgy0s9Il5NfRu
9X85FtIT51+h0fz1XopvaR8Cc9N6YrsA8P9Vi8xYAilZxPoTnaC4bzGG2QXwed6Q
7FgMTTHfHo9sQ0jUNBgu05P+fLuj/a/TFdZdCVejRjH784nTakUGIv13FGrQWAjB
67C47L4KHWXv7e5EeiCOoQNRxDG6sZ3m3RzI8vY+k3x4NkVrRMeHkjAGsDAnuY4A
wUz83pKKnj8cFN/uSqqcP/4h4YERfZlEGVfUzOedpfLvC6NIKxVgUdDpai8uz/O/
00fBc4JOlA2F8t/ubNXhPAySj+8Rkn/Wfjt9zaeJrrIiI1fH+88cbXSt8Vo6p/CV
HhkKawZgI/bTtNr4Ci73+lsShPo6UiOCWSQibyglzZnPP83cMMQfBrhUVHIPJW1r
bYiEkkSfIK4EGbzpd8asWUYmGzi4HUopEquu7I+e7OQ56DyK/PZ0u3NfP0Ub10Ab
6FprLcXED7sI62F4ZgVtqziqzVqkEcZCsUbi87V4kVVHueWhYOsi/gj8Wp8UOFG7
sduAEQ8wM6yaWZbyVllRi96II5ulsu/66Sh5HfvBmZF5ih6uvyJ9IwU+OS9uZq2I
aGxNOtnA+WLzsL7Hql9kGGXFuDoDanEOFWyedTN+24Tbwm2lBVA=
=mvEc
-----END PGP SIGNATURE-----

Announcing the 2018 donation run!

We've just published our goals for 2018. We've got a number of new goals planned, some that require new infrastructure. In 2018, we plan to migrate at least 90% of our infrastructure to a single data center in addition to expanding out existing infrastructure.

In addition to the enhancements to the HardenedBSD project itself, here's what we'd like to do with regards to hardware:

  • New nightly build server. Our current nightly build server is aging. It's constantly building HardenedBSD 24/7. We need to replace or augment this server with a newer, more powerful one. $5,000 USD
  • A ThunderX2 server. We have a SoftIron OverDrive 1000, with which we use to build arm64 packages. Building packages on it takes a minimum of two weeks. We need to cut that time to less than one week. $9,000 USD
  • Colocation of servers. We've received a few quotes from a few different providers, and each provider has quotes us around $5,000/year to host our services. In order to colocate our servers, we need to pay a year's worth of hosting in advance. $5,000 USD

HardenedBSD has grown significantly over the past couple years. We are now at the point where filing for 501(c)3 not-for-profit status is advantageous. Once we are granted 501(c)3 status, future donations will become tax deductible. Our accountant has estimated around $2,000 USD in fees. With the hardware, this brings us to a total of $21,000 USD. We plan to split up the donation run into two six-month sprints of $10,500 USD each sprint.

We're always grateful and appreciative of everyone contributes to HardenedBSD.

Stable release: HardenedBSD-stable 10-STABLE v1000050.1

HardenedBSD-10-STABLE-v1000050.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r321963: Rework and simplify the ksyms(4) implementation. (8dd00d8dbc725739245fa99d354bafdff8f8c228)
  • MFC r326872: fix expiration arithmetic in pw after r326738 and MFC. (1e062f6d317b90805e77a7ec1dd96da3b5ed38aa)
  • Fix error state handling in openssl (22fbcdca2ade973c8a6614b1fbf8738254a08f7b) [CVE-2017-3737 FreeBSD-SA-17:12.openssl]
  • MFC r326135: bfd: fix segfault in the ihex parser on malformed ihex file (c5f9120f60a45a1557a7722ef4d8d9fffc9e1c60) [CVE-2014-8503]
  • MFC r326136: bfd: avoid crash on corrupt binaries (e10e409a72215a686ec2b96bcadc3e6487692fe7) [CVE-2014-8501 CVE-2014-8502]
  • Avoid out-of-bounds read in openssl (276fd8048df373d9ac6309a912482c25b5d85695) [CVE-2017-3735 FreeBSD-SA-17:11.openssl]
  • MFC 325039: Rework pass through changes in r305485 to be safer. (00e656a0895cc338b10687bd40ebeaea50587d31)
  • Properly bzero kldstat structure to prevent kernel information leak. (904c1c37dd42b1a1a6cd2fd91a8409ac66bedac5) [FreeBSD-SA-17:10.kldstat CVE-2017-1088]
  • MFH (r325010): don't bother verifying a password that we know is too long. (5ebf270c7d98c29c8cec401366a73a7a9c816410) [CVE-2016-6210]
  • Separate POSIX sem/shmand mqueue objects in jails. (568bd26f8e5f02d7efcfe6fd12855606f8ee4e83)
  • Zero whole struct ptrace_lwpinfo to not leak kernel stack data. (a19cbcf5230a491e382ab392a80fb13721e31918) [CVE-2017-1086]
  • Fix out-of-bounds read in libc/regex. (70a215a5740c4dd64ac4a9e3efc4bf545de55416)
  • Add extended attributes support to fuse kernel module. (cca38407ae55b60986bd6677b6a7464c8dc54538)
  • hbsd-update updates
  • clang updates
  • zfs updates
  • geom updates
  • nfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-bootonly.iso) = 572c2482aadcc4a84750cfa5b4e158fb5a22f8c8cda4863978e383b48264fa8de9ad30d973267cca3fca95cd26b2ab117851e0ad620ae475ba9c429a4460a6a2
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-disc1.iso) = b731119acd686b23aed7abd2e15fe6fcd0771977a3d5061b68e6de6ebd3829d049da14e5efa204b768306e86d3443c10e67be282c72ac52143b3cd78476255fc
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-memstick.img) = 0ab7aa228f1cb00f362025db96222b8e7cd7ca7477812e1856803c63392612bbf0f384477ce9217b09ef19b4c336f7082f35fd9c3e8f95fbed77f946fb9d46b0
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-mini-memstick.img) = 46739eb96dbd9e11687cb0ce7c3a88182ce3e9e7c87e80862bac243b2d96cd1d108af6aca1d6e61f1becb6027a2c3cc5d895a8ed3b1961b40e6a0a83fb1742af
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-uefi-bootonly.iso) = 390a21ea4cb2ba6c208cd653a1fa5b33896b8bb68c6cb4932c7a690037f4390507f6406b6274075e7817f69f5123642416123a348a10bf5db42d600b56839529
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-uefi-disc1.iso) = 09a8653cb4818e43424b077e4c4872f0272a156f14f7e8af4328bece967928ace0fce803850056d7d5a667a22a15a8b621a92e45c4d944a7092c5f9a052cd9ee
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-uefi-memstick.img) = 3ce7aad46ba1506bc07df910ea59bf54290baf57ee32fe5efcf7506e4db38fdede243c26bc1d5f240e25d45c12b7e275d45a37135193f4cfea37f8b3cdc8b39d
SHA512 (HardenedBSD-10-STABLE-v1000050.1-amd64-uefi-mini-memstick.img) = 5c219a50583169d3b8ef192088db61691a97c2cacfdb3ba5f31a698ae867f7d4c1803fb7e97880847a753cf659fca53e0daaf9c4c6a0dde7c9c7a4d5fb93cc18

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlpK6VIACgkQgZsRom/9
GI3ZYxAAyzDFF0kl29rRAh85tSfL7IER8Vvtb5ZW2ub7QOiqr3S8KL2QfGBpLi5m
nxLn4M+7R1PhH2D6MRU9b9axe/Q3l+5BZ6ZEKSx3PH/tUJ5636bDvqRMFewW1fsU
Z5JNx9xZ3Vj9+6xIPvFWXIqws4TgMZi1Is03akcN60uoiJ+w6Vt2q0y7WIDq24xn
y1m/hbuuX85x8AjhXPCfJWoFdxf60So6nm4Ft4ExVllyseP4UXaEDhjublB7vxth
joxg46FpGTNGzM0y25ImJLP6c4YB7G+sr3XdR3vU3Vp1zsCjTjNhg88YClrRkr1e
BZ2MTCY0PxSaSSqLoGn815MQBJVCrMvSuzEKcDSfH2ji9qF17qI9mnBnyqInNjRf
1hRFc08QYBAkXz8aY/FXseFReBlN7//jw6tXRxzvepJZu0V9LXPZIlupk1ADAOHk
s6LSlurSe6OgHptDZ8LV7NI6kBoVfQCpCNYknp/BQH6UUhIUSN4O3dV1YZyh5wWj
tDp1QLmQwoYsvUvosEJXDzYbGwb46TKMC0E/RwWVJcX+w5OsbcbLK7ZrvUaU/1x5
XElvMX+bm9Em6Qhy4ojNkNd6ZlFOfI+I1YFFYGfX+f16enLFIKNuUoOFNxYal8yd
koSL+d4Ihwx/88KaI8VAIsxwU7UY02vP/EYBoFehJis72YdiiS0=
=33Sp
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS