HardenedBSD -STABLE Updates

We at HardenedBSD maintain three repositories for base:

  1. HardenedBSD/hardenedBSD (aka, main repo): This repo is used for official development.
  2. HardenedBSD/hardenedBSD-playground (aka, playground repo): This repo is used for highly experimental code. It may contain code from external sources.
  3. HardenedBSD/hardenedBSD-stable (aka, stable repo): This repo is used to generate installation media. We review each commit prior to pushing to this repo.

As of 05 Apr 2018, binary updates and packages for 11-STABLE and 10-STABLE are built using repo #1 above. However, most people use installation media generated from repo #3 above. The stable repo moves less frequently than the main repo, and the pace at which the main repo moves can cause issues. Most of our users who run 11-STABLE or 10-STABLE update packages frequently, but not the base operating system.

In two weeks from the initial publication of this post (19 Apr 2018), we will switch binary updates and the package repo for 11-STABLE and 10-STABLE to use the stable repository. We do not expect this change to negatively affect our users. In fact, we expect this switch to better suit our users' needs. Users will not need to perform any action as this change should happen transparently.

Binary updates and packages for -CURRENT (aka, hardened/current/master) will still use the main repository.

Stable release: HardenedBSD-stable 11-STABLE v1100055.1

HardenedBSD-11-STABLE-v1100055.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Implement mitigation for Spectre version 2 attacks on ARMv7.
  • Limit glyph count in vtfont_load to avoid integer overflow. (5966c5fc6c1941b9d936ad21eb8c8ca9e37a0ec0) [CVE-2018-6917 FreeBSD-SA-18:04.vt]
  • Fix several leaks of kernel stack data through paddings. (6cbc066578e9d120086a39fffc9fb76f3a2ae3b1 5a4de6ef78e289193b2b14c0e68ad00443323813) [FreeBSD-SA-Candidate]
  • MFC r328331: Support configuring arbitrary limits(1) for any rc.conf daemon (0f8014018211d7891dfa72334526a4c5d7201490)
  • MFC r324673: mbuf(9): unbreak m_fragment() (db82dd0a6a9de84e8678be871ebd8821c9802628)
  • LLVM 6.0 (6cd0d336d6427448ee7e76d16538cd3420c27526) [SA-18:03.speculative_execution]
  • Add an option called "random" that combined with "ether" can generate a random MAC address for an Ethernet interface. (8d44e96c549ac602b1bca95375e9c2acffeb5f1d)
  • HBSD MFC r330880: Don't overflow the kernel struct mdio in the MDIOCLIST ioctl. (880d7e96cdd88fdeae5e631ae86db42d2665fa81) [FreeBSD-SA-Candidate]
  • MFC r315522: use INT3 instead of NOP for x86 binary padding (71918e8f61597def8a0205b9b259f791777bbdc9)
  • MFC r324560: allow posix_fallocate in capability mode (232a0597ebf908a011544eb3ca776206859ab837)
  • MFC: r331627 Merge OpenSSL 1.0.2o. (54f770b796bd94590b148914cf8fb487a5e7d885) [CVE-2018-0739 FreeBSD-SA-Candidate]
  • Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) in 32-bit compat mode. (afaab4bdf5993f92b5013cb423c5c34216bd1319)
  • MFC r331333: Fix kernel memory disclosure in drm_infobufs (cb7bbdc0771f4360d3d1c58982075bd522ff7079) [FreeBSD-SA-Candidate]
  • MFC r331339: Correct signedness bug in drm_modeset_ctl (54cecb661544f1a1541a1ee37b8b97df6c5eebb1) [FreeBSD-SA-Candidate]
  • MFC r325047: dma: fix use-after-free (f4c0052c8e6632871a26af73b98acafe10d1c9c1) [FreeBSD-SA-Candidate]
  • MFC r330745: Make root mount timeout logic work for filesystems other than ufs
  • Fix information leak in geli(8) integrity mode (c9ede81c61b5d300b5acb89d4167b11f917be4c4) [FreeBSD-SA-Candidate]
  • MFC r330034 Fix a memory leak in syslogd
  • MFC 328102: Save and restore guest debug registers. (5a911c66c42eba7c480f5f566edcabad716ddbe8) [FreeBSD-SA-Candidate]
  • EFI updates
  • I2C updates
  • LinuxKPI updates
  • Raspberry PI updates
  • ZFS updates
  • indent updates
  • less updates
  • makefs updates
  • mlx4 updates
  • mlx5 updates
  • pf updates
  • syscons updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100055

HardenedBSD-11-STABLE-v1100055 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update!

Highlights:

  • HBSD MFC r330539: amd64 - Protect the kernel text, data, and BSS
  • HBSD MFC r315914: Remove buggy adjustment of page tables in db_write_bytes().
  • HBSD MFC r330538: amd64 - Nudge lld to break the kernel read-only and read-write sections into separate 2M pages.
  • HBSD MFC r330511: amd64 - set NX bit on PML4E for recursive page table mappings
  • HBSD MFC r329071: amd64 - align kernel map to 2MB
  • MFC r330027: iconv uses strlen directly on user supplied memory (ad9743ad32a775f3e5953f25e0ab47893ad38fad 8e1404ee8e0ee1f04c0ce4f41955086959ea293e)
  • MFC r320367: Add "Terminus BSD Console" size 32 (0166c5a13a0ad399f712f30b68d2d8154377fc13)
  • MFC r330104: MFV r330102: ntp 4.2.8p11 (9c7570c3132b1eb17c9cd33e73a8ae9f13ba0624) [FreeBSD-SA-18:02.ntp CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183]
  • MFC r329561: Check packet length to do not make out of bounds access. [FreeBSD-SA-18:01.ipsec CVE-2018-6916]
  • MFC r329254: Ensure memory consistency on COW. (Fixes stability issues on AMD Ryzen machines) (c3179a4c90eee3a08297f783690e9817d6be5600)
  • HBSD MFC r329281: x86 pmap: Make memory mapped via pmap_qenter() non-executable (abe421b3cb0e358ee6fe2c3dab57a5a945204426)
  • HBSD: enable PTI by default, when option PAX specified (c0bb2951db93d36e840f634c984d21ef49a05345)
  • MFC r328083,328096,328116,328119,328120,328128,328135,328153,328157,328166,328177,328199,328202,328205,328468,328470,328624,328625,328627,328628,329214,329297,329365: Meltdown mitigation by PTI, PCID optimization of PTI, and kernel use of IBRS for some mitigations of Spectre. (6dd025b40ee6870bea6ba670f30dcf684edc3f6c) [FreeBSD-SA-Candidate CVE-2017-5715 CVE-2017-5754]
  • MFC r327444, r327449, r327454: vt(4): add support for configurable console palette (416ac1f42d4b12af9f54ca147de4fbbec07302f6)
  • HBSD: allow to set PaX features as jail parameters (45748d2afdd187b48e091f216bd5b7fcaa7668cd)
  • MFC r323683: MFV r323678: file 5.32 (2f9dcccddd60b1712d33383dd42806164ef72050)
  • MFC r328032,r328060,r328243: service(8): Support services in jails (d3a9144a73ad565126e63c40cada6f8f2ede9dd5)
  • MFC (conceptually) r328107: Add /boot/overlays (FDT) (4bc066c359fc4c862855cfd1e3a26977680b7951)
  • add smn(4) driver for AMD System Management Network (2314d2b163a6783ecb1c55d744025054a79319d3)
  • if_iwm driver backport from freebsd/current/master (adds support for Intel 8265 and a lot of bugfixes) by eadler@
  • linuxkpi fixes (allows using the latest drm-kmod-next on 11-STABLE) by hselasky@
  • zfs updates
  • loader backports from freebsd/current/master by kevans@
  • opencrypto updates
  • lock primitive optimizations
  • bhyve vmrun.sh updates
  • hbsd-update updates
  • HardenedBSD in kernel cleanups and simplifications
  • mkimg updates
  • libarchive updates
  • nvme subsystem backports

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

CHECKSUM.SHA512.asc:

Stable release: HardenedBSD-stable 11-STABLE v1100054.3

HardenedBSD-11-STABLE-v1100054.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Note: this was released on 2018-01-13

Highlights:

  • Make it possible to re-evaluate cpu_features. (a586b974f77aedb619baf0454435fa4016339161)
  • Fix a null-pointer dereference and a tautological check in cam_get_device (b55f0a5b31496ea10bd6e1163d13a1d8c26ca291)
  • Do not build lint(1) by default on stable-11, add WITH_LINT to enable building it. (5fb1dbc1862d5ddd058d22fe18063e6c71aeb7bc)
  • Improve the performance of the hpet timer in bhyve guests by making the timer frequency a power of two. (d21bd84ba2d9e4eff99f7a4764ea400d2766f957)
  • fix memory disclosure in hpt* ioctls (8f534ab83139899084a80948e8e2926f2c988fec)
  • ACPICA 20171214. (7e248a6a42be630466c332f690b7379e34abfbf1)
  • crypto/libressl: Update to 2.6.4 (0dfcdb670cdbb43b3a1463c758456ab0f01689ca)
  • Update tcpdump to 4.9.2 (ed596e7fc294f704796e96377235d77adb7bee0e) [CVE-2017-lot-of-numbers-here]
  • hbsd-update updates
  • llvm/clang/lldb/libc++ 5.0.1
  • GELI updates
  • VM updates
  • VFS updates
  • lock primitive updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Announcing the 2018 donation run!

We've just published our goals for 2018. We've got a number of new goals planned, some that require new infrastructure. In 2018, we plan to migrate at least 90% of our infrastructure to a single data center in addition to expanding out existing infrastructure.

In addition to the enhancements to the HardenedBSD project itself, here's what we'd like to do with regards to hardware:

  • New nightly build server. Our current nightly build server is aging. It's constantly building HardenedBSD 24/7. We need to replace or augment this server with a newer, more powerful one. $5,000 USD
  • A ThunderX2 server. We have a SoftIron OverDrive 1000, which we use to build arm64 packages. Building packages on it takes a minimum of two weeks. We need to cut that time to less than one week. $9,000 USD
  • Colocation of servers. We've received a few quotes from a few different providers, and each provider has quoted us around $5,000/year to host our services. In order to colocate our servers, we need to pay a year's worth of hosting in advance. $5,000 USD

HardenedBSD has grown significantly over the past couple years. We are now at the point where filing for 501(c)3 not-for-profit status is advantageous. Once we are granted 501(c)3 status, future donations will become tax deductible. Our accountant has estimated around $2,000 USD in fees. With the hardware, this brings us to a total of $21,000 USD. We plan to split up the donation run into two six-month sprints of $10,500 USD each sprint.

We're always grateful to and appreciative of everyone who contributes to HardenedBSD.

Stable release: HardenedBSD-stable 10-STABLE v1000050.1

HardenedBSD-10-STABLE-v1000050.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r321963: Rework and simplify the ksyms(4) implementation. (8dd00d8dbc725739245fa99d354bafdff8f8c228)
  • MFC r326872: fix expiration arithmetic in pw after r326738 and MFC. (1e062f6d317b90805e77a7ec1dd96da3b5ed38aa)
  • Fix error state handling in openssl (22fbcdca2ade973c8a6614b1fbf8738254a08f7b) [CVE-2017-3737 FreeBSD-SA-17:12.openssl]
  • MFC r326135: bfd: fix segfault in the ihex parser on malformed ihex file (c5f9120f60a45a1557a7722ef4d8d9fffc9e1c60) [CVE-2014-8503]
  • MFC r326136: bfd: avoid crash on corrupt binaries (e10e409a72215a686ec2b96bcadc3e6487692fe7) [CVE-2014-8501 CVE-2014-8502]
  • Avoid out-of-bounds read in openssl (276fd8048df373d9ac6309a912482c25b5d85695) [CVE-2017-3735 FreeBSD-SA-17:11.openssl]
  • MFC 325039: Rework pass through changes in r305485 to be safer. (00e656a0895cc338b10687bd40ebeaea50587d31)
  • Properly bzero kldstat structure to prevent kernel information leak. (904c1c37dd42b1a1a6cd2fd91a8409ac66bedac5) [FreeBSD-SA-17:10.kldstat CVE-2017-1088]
  • MFH (r325010): don't bother verifying a password that we know is too long. (5ebf270c7d98c29c8cec401366a73a7a9c816410) [CVE-2016-6210]
  • Separate POSIX sem/shm and mqueue objects in jails. (568bd26f8e5f02d7efcfe6fd12855606f8ee4e83)
  • Zero whole struct ptrace_lwpinfo to not leak kernel stack data. (a19cbcf5230a491e382ab392a80fb13721e31918) [CVE-2017-1086]
  • Fix out-of-bounds read in libc/regex. (70a215a5740c4dd64ac4a9e3efc4bf545de55416)
  • Add extended attributes support to fuse kernel module. (cca38407ae55b60986bd6677b6a7464c8dc54538)
  • hbsd-update updates
  • clang updates
  • zfs updates
  • geom updates
  • nfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054.2

HardenedBSD-11-STABLE-v1100054.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: Disable lint(1) by default (74db9a87ccbee248675ea534b4867ef7b45ae116)
  • Update to OpenSSL 1.0.2n (a0b182dd517b681163e5a3b649fa9931c36ca3c4) [FreeBSD-SA-17:12.openssl CVE-2017-3737 CVE-2017-3738]
  • MFC r326074: filter all passwords (not only changed) from periodic passwd backup (c789660d53a74dca1d0c0d2b0cc376418fe5f2d2)
  • MFC r326135: bfd: fix segfault in the ihex parser on malformed ihex file (9d9b278a90fa6d1c7818ba58274a8e0b40569651) [CVE-2014-8503]
  • MFC r326136: bfd: avoid crash on corrupt binaries (e1ecb10d06b8c1a102ddba5501438ea64789a563) [CVE-2014-8501 CVE-2014-8502]
  • evdev updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054.1

HardenedBSD-11-STABLE-v1100054.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • fixed syslogd - restore host name handling in UDP case (1bbaa032d75dc1aab167b8a6cc5c9116c5e393bc)
  • fixed ARM64 control flow problem (1ea13dc104ea903a34741e363d910a1fb16f31f7) [FreeBSD-SA-Candidate]
  • fixed MAP_GUARD issues (96cbc3d921794d684acf6e4fe465374bee33ed6c)
  • upgrade to Unicode 10.0.0 (909e9adcdcdc361054c0947ee969961afe431676)
  • ZFS fixes
  • (side note: the recent OpenSSL security issues (FreeBSD-SA-17:11.openssl) are already fixed in previous releases)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054

HardenedBSD-11-STABLE-v1100054 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!
Warning 2: reinstallation of pkgs/ports is required due to the LibreSSL upgrade!

Highlights:

  • Changed AT_PAXFLAG auxvector position (4c04e4a613679510cd16bb13d7974c18e3f54460)
  • Properly bzero kldstat structure to prevent kernel information leak. (3ff3ec467d4eb11cdbf706cf386935d5e58c2e91) [FreeBSD-SA-17:10.kldstat, CVE-2017-1088]
  • CloudABI 0.17 (cf6ac9b4efa43a9c64c5ab311666080a0e8632b1)
  • MFH (r325010): don't bother verifying a password that we know is too long. (b242fe393914310e50673eb62d480ce03706d745) [CVE-2016-6210]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100053

HardenedBSD-11-STABLE-v1100053 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • LibreSSL 2.6.3 (c49b64fc67249a34f0899fdaf83ff409877c0832)
  • Fix infoleak in ptrace_lwpinfo (a9480512504618c725807232b538d3d03adb13c0) [FreeBSD-SA-Candidate, CVE-2017-1086]
  • ZFS channel programs (b6de21de0e6db7018f1a79f4e09e03275f27996f)
  • OpenSSL 1.0.2m (a88f0513c4cf81f98bab740e4f112f1a6d7f4d42) [FreeBSD-SA-Candidate, CVE-2017-3736, CVE-2017-3735]
  • Add extended attributes support to fuse kernel module (4d1ec3df908e0b5948287618d437add1454b15f0)
  • tzdata 2017c (bb786ee507dfb1537c2a2d4bbbc9cb06cfa2cd9f)
  • Linux emulation changes to support newer Linux libdrm (8b3e384829098404bdf42f48c6e808aed906aeb0)
  • Fixes and improvements for x86 LDT handling (5f0b9b87892629c113c13c5a0c5933c1de48bdb9) [FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:

