HardenedBSD Through Tor Hidden Service

HardenedBSD is pleased to announce the availability of its site, package repositories, and binary updates through a Tor hidden service. Please note that at the moment, this is considered experimental and the onion hostname may change. We'll keep this page updated if it does.

For pkg, replace /etc/pkg/HardenedBSD.conf with this configuration file:

HardenedBSD: {
  url: "http://t3a73imee26zfb3d.onion/HardenedBSD/pkg/${ABI}",
  mirror_type: "http",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

And for hbsd-update, replace /etc/hbsd-update.conf with this configuration file:

dnsrec=""
capath="/usr/share/keys/hbsd-update/trusted"
# NOTE: Replace the branch variable with whatever branch you normally use. Check your existing hbsd-update.conf file.
branch="hardened/current/master"
baseurl="http://t3a73imee26zfb3d.onion/HardenedBSD/updates/pub/HardenedBSD/updates/${branch}/$(uname -m)"

HardenedBSD-stable 10-STABLE and 11-STABLE amd64 installers

10-STABLE
git git clone --single-branch --branch hardened/10-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-10-stable
installers http://installer.hardenedbsd.org/hardened_10_stable_master-LAST/
11-STABLE
git git clone --single-branch --branch hardened/11-stable/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-11-stable
installers http://installer.hardenedbsd.org/hardened_11_stable_master-LAST/

Stable release: HardenedBSD-stable 11-STABLE v1000048.2

HardenedBSD-11-STABLE-v1100048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • updated bsdgrep to 2.6.0 (2cf785f328f3ef2deff0a7d2626b8e1a81e725e7)
  • fixed possible pf DoS (f9ac1ee50cbb2e0b00a3254c9aaf012183e8aaa8)
  • fixed boundary checks in ipsec (d3f829dcedd1db79b00b6840265a0c34bc0b75a3)
  • workaround for AMD Ryzen chips (4571a19dd885caa3f20979daa951df05cb5664a2)
  • enhanced top(1) to filter on multiple usernames (964bec79a958438ada90533f5e21c31b1021cd9a)
  • updated private sqlite3-3.14.1 to sqlite3-3.20.0 (01424a180687a2ef7ed93cd10136c1648d332016)
  • updated subversion 1.9.5 -> 1.9.7 (73778e3432c90e9513caf636fb73b522690d6543)
  • fixed DoS in sshd (4268d8e71d9c42494826885f83f685b02b9353cc) [FreeBSD-SA-17:06.openssh]
  • updated libxo to 0.8.4 (24dec0b179f6eba6d055b33faf478d202bfb11ba)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-bootonly.iso) = 08d4e91cb0ec65f9cb9e42a51bc2edb91e7ef5289d84414b313a233d2664b0a03680781a0416e208f528e46fd090aa4c785ea1bf0b6018673861bbd6e890e86a
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-disc1.iso) = e28804ade774cafd0e7ef0322442df6bc062cfa5cb94161b5d148c2e94407ee393b1db8d682daf12162b8c03c428b48da4e78d59326b698c61de11de058a2068
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-memstick.img) = 2bd595b05d5ff18cb71dfd1e4c296aebbd44e43e310cf4d173a324044b74cec73bb74b43c73024c211b776efe53950563d1c54c3a28723c82f3763a1af4191fd
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-mini-memstick.img) = 02494988f613efd82f38bc0853af938b580d30e5f6b3f9a84bdd8022bfcb66d05de4e085af8373dca5d9e082084ca913efa641986a86bebbad819c1ec71b2577

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmaOrsACgkQgZsRom/9
GI0kaw/+O1+EBRg1I4mdBMzj1ypeBt0G5/6+Q9RuS+653ylJZ1TLs3Z1aMB947So
9JdiTRl3tXTc18cjvu3HlZQa65eMM6Wumk+rVt0f9zct6iVzdpv2Mn+WmAsjKw4n
pMCsKYvtusqZv0DDrX4/A1rh/LMUjdtfoBoiiijPDqNGRQTzYJXLil0E7u0LkGNm
jURWG6SgLJpl2vcowf3mS9o5HcTYusZAOYOFZ0ny6YRvZuWQa+sa4GKfvpHY+dR8
8q46fQLcRpaMpZxFjHqoJAVB0d8cPDT1Czo2dE8g7JKn5fryjhbBNJ6Rz6EP4WqY
wuWQq3NqeTC/SClx0L0XrwBSO1pWeQ7DwvTbYsidAKAaQcMWehW80DsZzPcZj2Pg
O3CDeZTDOLN/2marNcEpFmAdUDxXhoTLhns5cg+7bwjAqhR0s3TBBdAfbUhceNnY
kTKBwsznoQT1873zEvu8sJlReEjU/VT+UNP/kAuQ4s342Tr4wLuneXCURnpaCThr
9kgpNeKNFNn1k2JDbUooLZ8VWOz7r0SpqN8CBKAvCezth2SsW0YH82whOSNb3Z14
nhQlI56kN+XeKjAl730D4DtW2RFA6+T10z+oKzDbGykkDtMj6JY7oDk3TRz+eTP2
YRgyeg9uM31r0xsi0a4WDF4IOdecsQalcozVHs1gZdDIXueX0r4=
=eCVi
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v1000048.1

HardenedBSD-10-STABLE-v1000048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • Changed version from 10.3 to 10.4 - as preparation to 10.4-RELEASE per upstream (054e15f186105f319d8373002c677ecce2d95883)
  • bmake update to 20170720
  • HBSD MFC: Restrict permissions on /dev/ksyms to 0400 (5cdd8540724c092c703e9473578ea21cb1473d0a) [FreeBSD-SA-Candidate]
  • Merge MAP_GUARD. (3753ee3ec3e123ae4b62be3b19aaf09bf2e2ef59) [FreeBSD-SA-Candidate, CVE-2017-1084)
  • NFS fixes
  • libarchive update to 3.3.2
  • Add newsyslog capability to write RFC5424 compliant rotation message. (26c6cd37ceae365b6aa9f3203b932d29ad2be3fb)
  • MFC r302145: bsdinstall: increase EFI partition size to 200MB (48ce3b4e3aea30b479095da20d7f04ed723e8451)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-bootonly.iso) = d4f1f2b4f9007b4cf0e50641cb86fc3799855066ecafe5bf896f5411a7450d266f1a811528ce6262dda4a63024a3d6c81e5e4482f120ba0840881e07feb8a8ab
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-disc1.iso) = ab1b008129a3c165e1ae79a964d6361cd4aea9dc6ab912d2e3626817f300830cb0faa828a4931aafcffa751d8413b523050f5ac12d6f5ffb0a057242fd070422
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-memstick.img) = b85691c6bf31cc211801575f9ad4936fc7f4600d1a193267b1a4b4878c163b661c5ec32c9e036c752e00f712903a6a0c97b43c34debb1b8fe484d6f01b52a0ff
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-mini-memstick.img) = e178cece948740c23c5894622e2a995179875011aa607447073d645989c2382adcc61d12fc2e8d5f506e36839660babde027aa7f4ed660bed671fc856caefcc9
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-bootonly.iso) = f78a4c2ddb262458f40a83d5735b6bbb5a85c0ece5906ec9185bdcce32d41632f5e158c2529c3d62748fe59a57097d66d1f58de90a65cd0aec69120a077c1c59
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-disc1.iso) = 44f4da7c72bc51f9599cf7cbc158ddcb395df83ad59a610c50663222019b00f8cf7ea0c1fa76e4802d99b13917e4e4bca2533543cd3f26821a4b85f99fd8ad82
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-memstick.img) = 48f6143b9feb2be99642a04318b3ad2109f3443d39e40469cc71e997562b20373d907fcf179da741b39afc41f0f49eb6cd6192d381c98420fc8a4c9404303158
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-mini-memstick.img) = c27696bb133ab801e5308665c83db85c56d7ed9ed02e14beae26b795b0f519ec9dbc435d3b6486eb487456f4eb5ffc06b2a349451ed3a2a0745ac3dff3383b32

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmDyJkACgkQgZsRom/9
GI3WoQ//WC6e0VabjAoPu0im2AuICUnoa+vMAE3NcqZisact/TfCiTHNhQ//KYMU
+ZeTrQ+dJ1ktpj8/Z8kHeF6Y8qIAlvs4Z55lPUxgfLfntvW7+E8KW5Vr4Hx6EH9f
RhmYmcCBioghIWRprQ64dlqPEz4oE/xCt5wEC9IiPc+iejI1IpMwCbjGx89kdHqV
fL9CmV4sVDttWei2kvwlHhlyrJWcpIq5MYWnuQEVt3R9iyrpMEWdSSpubTVUnBjJ
1RxYQq9jVntPmrAdHsvUnrr1DqlOVWgAQr1G5uqYzADNjBlZ1wPlfJzbOgwAAvlK
z6oJ07NFcSYeXabNTLkrNb8qDPLQLfFsPE9/lhZn9tcmQ+OUYLOXRTtBJHNndvhX
O0tEdYn9XkTEdIOKkgbl4UF/sjgJJ8iq/kjrTWzAfejdeaM/ovcVR0xTNXP2Zbyk
xXDVRhgrQDGiLmIClgvzd7ptXXFuR/i2qhY5xe3e/iOVbwIPzlqdzlgehtrWEzz1
jRRajL0hxO7Vghw4jImfKD0vNaPZMXEnQGkx5mZgbJ/CpbZJoh0To2qiEgPwkUDa
aTjw5aVrzEaCp6BVl5eQG8cnxIzdiOgvArH7vYHxjIAsoxoyJ0BjijvM4by/DafP
jOrYAkGJ4I6K6bUQPXlnMAeBrlGIAtBTHJVMwcq8KgaHeOAcMe0=
=K2/O
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1000048.1

HardenedBSD-11-STABLE-v1100048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • Restrict permissions on /dev/ksyms to 0400. (0781c590d2a5138c4c4ba5c214a6f4dbffa25f85) [FreeBSD-SA-Candidate]
  • ZFS updates
  • Add virtio-console support to bhyve (eaaa8cd970f11a0785780896a3e106958bd87fe7)
  • Update to libarchive 3.3.2

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-bootonly.iso) = c487f5693e2fac4d722a6cf72084e7fca243ef1864bfa9966c3a3e1fe621c0a92e6496bdf06845b3a6ab66e087df061701f9bc4f00921481ae45e328b026ef17
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-disc1.iso) = 12dc23a7b121b83c5fdcde13eb75456b7d0ab1c47d7591346771ca37533415cebae81c0245a51afe467a9fcb1a342781823a3cf6e971d13fb050b511a835da4a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-memstick.img) = 28f7d76b8e3ed76a46bd3d1378074171173d0504f8a20cea87d22380a6c4d0e2713f7d20cbe58d5a97632eaabe395b393d4b85dd9d5f29835d85f5fba3e5eb9a
SHA512 (HardenedBSD-11-STABLE-v1100048.1-amd64-mini-memstick.img) = b4c48c49ff4ce4b1ff40f92ce977699ed03e59eff633d20e9fd81712d2980d91edd65665b190d990f109937a0676a3489aa9c3de9044405781b6af5ff5acee76

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmBLeoACgkQgZsRom/9
GI1HRg/9FRZb0k5hO63oKoVpUL1Qq0lCx7A9tLRwklDAR7uyIPlJNgZFuLMCThOo
AvJYRQ/gmpIVagTTjAZJL4lr786eBX3SxAy/dqxa3DtTgxqoVNHiIZD82WVhkVAr
Ih4U3W4b8RzTRneEjJaSxNlXgwcY8Nitxl6LQMojPOmo+/pBE5FqvkaHC3vMQOZB
RjoubIA6S/fYBxf0Hsdx/ZKpR3FJdsYB345ANSavmQx+y2rcZ3/cUYEPn3dJKy3I
oQVmYS1IzRJFtdcLXUMOqV6y1BGvQoyRvdggr7N3akmxGBFOYTseLzED8F6CipgT
Jwk0sLKuwNtMbHQ0Dpnrk79rJowcoOuj9l6AeTMDyLxrY1NKuqBPL19y5zxZsLhK
u7P9uufgbKG8oty2g/2DOrIODxBETtiPvvvnGLmvb3hL/67VSBEa3wNJ1OnDR8+Q
XD2026MAFPpdJn9olMQFxNp4YT5PvU2TKT6kGdOe8D9vznGjwevrKsi2IL/tojnf
lHoKyC+N3FzGae59q3B8HzNF97sIV0Yx9cPDoSE0QQRMDFAcrsgv1YnGgBeOqP12
RvmOH8PgnGX41JaD5iAZoUUhpGhjehk6/7l33l04k9y+gTaQ9tQRq9gGJ4thNXjn
PJJ7uoMGRZG6W18K+MlNnyLdtYQnao7UPoZuG5asb75op3ha1mY=
=O8kk
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100048

HardenedBSD-11-STABLE-v1100048 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: enforce FreeBSD and HardenedBSD KPI version for external modules (19eb04fc68f294072f1535a6e1145062e85ae946)
  • MFC r320906: MFV r320905: Import Heimdal upstream fix for CVE-2017-11103. (b47deba89752334874e76436e1b7ec2f448ad78e) [FreeBSD-SA-17:05.heimdal]
  • Improved hbsd-update and hbsd-update-build
  • Improved NFSv4
  • Added Elastic Network Adapter (ENA) HAL
  • Added MAP_GUARD as solution against StackClash (c3699e91289a5a02b0c16eec22ee4d6ad7d9602e) [CVE-2017-1084]
  • *** [CVE-2017-1083]
  • Add VNC Authentication support for bhyve based on RFC6143 section 7.2.2. (3ea3addc7b1d8a1fd59b52570db518b77505c78d)
  • HBSD: fix broken pax_mprotect transitions (1904c844a0957f44efc638721cfc8b37a8311b42)
  • opBSD: plug the last memory protection test in paxtest (8341b1d91a6f3b470a008e17493973f0ed4d4d6a)
  • HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (b2d080f97546b2fea0a214de8187e8b08f11d7f2)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-bootonly.iso) = e1bd387e938eab7fbd091e15b7c9b32d6794482b508a97077e7869c294b350540d6b4e7d40387272100951a7b658fd822905b584b9d587af7d66fecc969bb996
SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-disc1.iso) = 4610823277ec4cfb083381772a722912e57611fdea740725e06158144ef6298a14b225fb3ebc86b0904487a060ebc9d4dcfb610c85c9590a38c7c2a9112608cc
SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-memstick.img) = d1821a696dd941a7942beeeeb16a85fe3ef123854b69ff2b7b3cd8aa2527abe5e3e6ca89dd7f8613dc8bb00614bd1777f05c03d27febd637c714c6e36b06cd8b
SHA512 (HardenedBSD-11-STABLE-v1100048-amd64-mini-memstick.img) = 8c83720aec219bce62566a6907e8739564eb3043020f641e029d16016330531ad5389441122e8c7a35375846062006714640e9d82728b3d96a88bc2a553e7154

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllsGL4ACgkQgZsRom/9
GI1b9RAAsVd7XPZdXlVU28lYB6zb6ItBeZsrWRLJUmH/DuTOa9Pc8eFJSLIRFM7e
jzBzOLKJ8xqtKIkNDTh0Rw8Pd02oU7sbT9Gf2teTLRZ251MWuW/xOpC7m8redpuM
sltO+R/6kA2fmh9fJlIlxUTiCCc2Zjnzzezb/qRYugusTjY2tZ/1Ywka8YIhQOF8
AGlkzs8uYP3WRja+9slrQQxN4sVUxvBBo7u4DdNMi6vT45K0RzFtEVOxtSeOtsn0
yDReeKKAqS/QcPJMabBuVX+DNAlhNX3QwKEalecLKx6TugpssZRe/w40hMfaBp/d
AwUBr/t26eShOtbaPMTWTNsvKWsnlxK2i3m9SIXJAqtXK1Tg9uYpPt4hql7/SdT0
9NkXOafZEW94qAE5xV4yHrJlTSvlY4P9+/wVXQEnvwJ/HqrYxri4tDADd3Cx/CSd
IgKbF5qjHbAQAEWF/r8vgsohgaCdr6df2iCcKjD1Qbz5BjAS9bzCKEJW74DgSZIZ
iFdYRTzppEXk1Xy1JqgycrBk6ktDP7hmOxSB/OxybP2MB11WnG4+GilKLwz71cKS
aaRBvGfIlxAJXpqMcTx6pNt+6XYo39IU97XsSItWg5uuwMaM7FX1egwEcdbikwCF
wwXoaBMSPnhur4OFpFfPFqGtcdvUPcwn3rnjxPDqgzEHMIiDzhY=
=4Zsv
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 10-STABLE v1000048

HardenedBSD-10-STABLE-v1000048 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • MFC r320906: MFV r320905: Import upstream heimdal fix for CVE-2017-11103. (3955ce48cb5593628cb375c519160dc0ecb4f210) [FreeBSD-SA-17:05.heimdal](https://security.freebsd.org/advisories/FreeBSD-SA-17:05.heimdal.asc)
  • hbsd-update{,-build} updates
  • enforce FreeBSD and HardenedBSD KPI version for external modules
  • HBSD: fix broken pax_mprotect transitions (9161ed81803212f1aa484144ea3c670f603d601c)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-bootonly.iso) = c22e3d4ca378240c253349059dc5c8a0e3d3c47dd7a952a25378a45ff1469db5c4ab898b5d243ba093416cbbc88085e59d139d01364e2e4b9637cd4dcf07483c
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-disc1.iso) = 65dd0cfcb8a8a55a121737fc00ff4eb24c30f33be8e6a7a49720419d28a41d468e7d1a659bd53ab7d6c3f3f182348dc492aba247c7a4bc4eb265f9b70a838b57
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-memstick.img) = 82761a7742c00ea9ae3d3caea2a7c4eb54a1b19d977050fbb96fa6e9b14aad0839124a1eb30e7bdae01fd32aeeb1c76a2c30c98e04ee17dce2397e38ac7db64f
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-mini-memstick.img) = 10e9fc97e4cc0eb0a4f5a61641596bd52a5b563a08950dfd079f871ae8703b8bec3e6b0be712bf220493a74411385a6ca638353a4ba4f42ff875161e4e3da123
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-bootonly.iso) = e7c6818cb51afd7381f453f41f7f9c16b8c23ad44b7b6b335d08d2b7e23aaa5d85627978a2515f4f0e6bbd7bbc71e235a7f25f981612d11530df50889c0849b9
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-disc1.iso) = 22d28027097287f77a238050d6ed698dbfbbbbd8cc9f9778da048343c2ec7bb3d48bf5b83756c024e7b6657f29a6eec45bbc9eed9d7ed9fed86be7a1c030ff07
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-memstick.img) = 2b370c6aa8d284ec3495f3c83d747ab818fb6a79f3b97986f89135c36ee9202a76b7300652dad3359dc13b109afb887d2005dc7c858ec9663ac1d103c18430ed
SHA512 (HardenedBSD-10-STABLE-v1000048-amd64-uefi-mini-memstick.img) = 7226ea5068c8f2dedeed6d6bce2ba66864915c9faf775b5540966a2bb4aea1b87d6042c219901cc652fa917b86b35900d4101229b49e561102f41827720168f5

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllmx7QACgkQgZsRom/9
GI0aMw//SDSlCuSinsB35/5xcfPDpmfbSEp52uOWdlMW2ZwUtN+gqoEiGla32SmS
TT2Guy/PbgxfEKzHY2UyeRVAnKdZVcdJPqvYmLdh/hQoB3/41sx4nVkN+LSTgItz
khVXHtuJEeh+WWtM31ivS3dW+ENbd8qWo2DnKNPdRJjDzM6JE+LlGdX5gEOP7ldH
HhghBzciLHBq17fLEgEzQwLuzQeDjxXywUDZkfJqc7geNRihLj9S/6ogk8guuxDn
jRq6lJvm4KoPlqymKJP50vbYV+FkGH++QwKWLDNcgnvWlZtstqr7GVWmDh5KvPmf
zBvDH4RBhThQUBR6tuIhDePpAqKhGVoW26cd09nYLFKOEyLDWYYbpTPDhPijH5rb
BNd47aObPgayn3pDrYCedrwKhlLVwmR+yuAIaPivVoI3BUIgTDNR+rC8mSeBaqLY
n0hRRCOF8Yz7g6yx4AUfPTrtXbeqkZsZiAtFQLwLXB/M2z1t/roZf+9p2J/zPSs7
V4cjQWYb9zVQOx/LSV2/SvJvaGOoI2vBjciEgSova3T+oR/8QbrrDD9MytiT7kgl
sfRIywkhVnr9NuqUqleyTqPap2xCLNVC9jL5fPjfWmdKcgCaZ5hZQykuxEZKJBOh
fWfvgM3PjBKxwlKw1QbOsNGULIPZ+SeEOwDRiEIZlbRPqpenE48=
=XZJ8
-----END PGP SIGNATURE-----

Introducing OpenNTPd in Base

Over the past few months, Bernard Spil has been hard at work importing OpenNTPd 6.0p1 in HardenedBSD base. Starting with 12-CURRENT, HardenedBSD will ship with OpenNTPd by default. Just like with LibreSSL in base, HardenedBSD users have a choice when building world of which NTP daemon to use. Users who want to use the legacy NTPd can set WITHOUT_OPENNTPD and WITH_NTP in src.conf(5). Bernard will continue maintaining LibreSSL and OpenNTPd in HardenedBSD base.

Users who are upgrading from an existing 12-CURRENT system from source and who use the legacy NTP daemon in base will need to perform the following actions:

  1. Install new world
  2. Run mergemaster or etcupdate
  3. sysrc ntpd_enable="NO"
  4. sysrc local_openntpd_enable="YES"

A binary update will be published within the next 24 hours that contains OpenNTPd in base. Those who use hbsd-update will only need to perform steps 3 and 4 above.

Stack Clash Mitigations

The Stack Clash advisory by Qualys provided detailed insight as to what happens when the heap and the stack meet. The stack grows down and the heap grows up. The stack grows on an as-needed basis. When the stack pointer is decremented beyond an existing page boundary, a page fault happens and the kernel will allocate more space for the stack (assuming the application hasn't hit the stack limit.) If there is an existing memory mapping with PROT_READ and PROT_WRITE set right below the stack, then no page fault occurs and the application will use the mapping as if it were for the stack. Ideally, this should never happen. In order to prevent this from happening, most operating systems (FreeBSD included) implement a "stack guard," which is a guard of one or more pages reserved below the stack, preventing other mappings. A properly implemented stack guard will effectively prevent the heap or other memory mappings from reaching the stack.

FreeBSD provides a stack guard implementation, but has it disabled by default. As discussed in the Qualys report, when enabled, FreeBSD's stack guard implementation had a logic flaw that prevented it from being effective. A proof-of-concept exploit written by HardenedBSD's own Shawn Webb demonstrated Qualys' claims. HardenedBSD had the stack guard enabled by default.

To mitigate Stack Clash, we in HardenedBSD performed the following in 12-CURRENT over the week of 19 Jun 2017 to 24 Jun 2017:

  1. Fixed the flaw in the stack guard implementation that prevented it from being effective.
  2. Increased the size of the stack guard from one 4KB page to 2MB.
  3. Prevented mappings from occurring between the bottom-most limit of the stack and the top of the stack.
  4. (Soon) Modified the per-thread stack guard in libthr to be of random size, minimum 1MB, maximum 5MB.
    • This also randomizes the top-most address of each per-thread stack.

The commits for these changes have been backported to HardenedBSD 11-STABLE. Item #1 has been backported to HardenedBSD 10-STABLE.

On 24 Jun 2017, FreeBSD committed their Stack Clash mitigation. It introduces the concept of MAP_GUARD, which is a special PROT_NONE mapping. It's placed immediately below the bottom-most limit of the stack. It's a really innovative implementation that allows general use of guard pages. Indeed, in a follow-up commit, the RTLD now uses MAP_GUARD for guard pages between shared objects. FreeBSD's stack guard is still a single 4KB page in size, even with Qualys' recommendation to use a minimum of 1MB. On 25 Jun 2017, FreeBSD followed up with a commit to fix a regression that effectively disabled the stack guard in certain edge cases with the new implementation. Overall, FreeBSD's solution to the Stack Clash problem is innovative and even useful outside the context of Stack Clash.

We in HardenedBSD now use a hybrid of both approaches. We've hardened the security.bsd.stack_guard_page sysctl node to a 2MB stack guard. We've made that sysctl node a read-only tunable, configurable only at boot-time. The changes to libthr still stand and the per-thread stack guard size is a random size between 1MB and 5MB. We may look to integrate MAP_GUARD with libthr instead of its reliance on mprotect(PROT_NONE).

Update 25 Jun 2017: The randomization of the per-thread stack guard has been found to be too aggressive. We are investigating this feature and will revisit it soon.

Stable release: HardenedBSD-stable 10-STABLE v1000047

HardenedBSD-10-STABLE-v1000047 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • HBSD: partially backport 13971cb990b78e as fix for CVE-2017-1084
  • Changed __HardenedBSD_version scheme
  • opBSD: plug the last memory protection test in paxtest (cf883c4d3277ebdb2f7011cb64dfcfde8205352c)
  • HBSD MFC: Fix long standing issue in bsdconfig's keymap selection (12c307c4634ee07f297d1d821a77af8eedc72c1a)
  • HBSD: add our third mirror: de-01.installer.hardenedbsd.org @Germany
  • HBSD: add our second mirror: allbsd.org @Japan
  • Implement INHERIT_ZERO for minherit(2)
  • Fix several buffer overflows in realpath(3), and other minor issues [FreeBSD-SA-Candidate]
  • Libarchive update (bd8807fedd6c5daf0cea50b0b09af795fdaa686c)
  • hyperv/kvp: Fix pool direcrory and file permission

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-bootonly.iso) = 2fa9ff9ba85e25956fbc31bd8c25508ca5328f969fee99bd92e6be1f2e61851ad532e723876c964ad379808eb05f26193252d82145915c5a23d3d698a6efd088
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-disc1.iso) = b81647c374938520abb0e63eeebe23e715660d078dbbec9d2e828feb4fc14286664527ce4d35a0f569317b098385c5e4d77665ac27a6286a3bb3679864ef522b
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-memstick.img) = e3179eea6383454559c948f172398ff56b80c29e3c68b888cd7bacb542b760b295b7f3dc73ee2a1fd69e2005a0d6cdfe54fc016bdc78e043d4955906347b2584
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-mini-memstick.img) = 483e770295e08979207013fda30b3b652d7f4969845fc77959ef71f5c1fa1182931572a5c8a3dbe59e5c81c42b369f9c87559a17cc913d95101af0f3f0448765
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-bootonly.iso) = 8bdecf399e6c42d88d8ec02daf95b265d1c781af7c8e8ec7d5ed7c6e242955c261b9d23f811d21d044ce00694fcc9c6dd0018acda101df24657646c90ed8c2f0
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-disc1.iso) = d24c1d981b48342fa9eca9545ff8db08b1e0805a176d2eea7b880c145293e2db1c18f01d5a9f019bc5f70d9d8b9ad669dd5da6db287f9e13b0971a3f63e9b363
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-memstick.img) = 0c6148d245ec920e8a45666d481c66d81c9aefbeb9ec2887b395d843d216c0a10717b106c562928d4e1439b0b837666629637f9a4ee8f79a0bf8ab71d3d5b915
SHA512 (HardenedBSD-10-STABLE-v1000047-amd64-uefi-mini-memstick.img) = c0645cc7cb4ef946d6565d859736c6cc64a7d78a207533c054a330b911132ef50fe62516d0cb967fd4c5dc8342c0db5f29174d8490e4e020603f3fac9e6cf3ba

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAllPwg4ACgkQgZsRom/9
GI13hA//chLhjM+rMKRSRhcvOnUotoeb5Wf5NZ+WXod6TMHK5jQUrhBivvqpNeEn
6yEolaDkjep2/eYGG5flVL/PxX13JWgVShWTS7Hu3JlOxFANtzt9ckIayaaDJJRS
fhXZgn6LsZw2G8G1PmY3PnynHgB05OrVbz9vf3AFZ6gp5Ju35JNyk9ikYlMZ49Yb
lao/3evASKS6amPCZamrCjtGD0DtoZQegNCa2EjboCshEPnfPKTkTJQzS/W8RSUp
nVIHHWExdCOLW/9byGh28YqnhpKdz+UH/b14cxrM9p2pRYhhigcOcUK2uN6+qQxw
99HsO0ST5Brj3MRVRu1DyFjf5ycKrF0EiUucfD5gtju2zhmN/bNxVo2JTQaiyVcF
rLGmpe2w7Hu9q2JwFRYZQCK0pGgSCarPIfJYhpueHCll7zd1uVMdHuFo2YatvSka
CeiBvxVyXXZ2M4SlImOPLhDNVxutxrQIumzNLaTkZy3XQ5/Ts/tzidosOj1fhyos
yTwXCVRXNfgjeLCZrISA9qTwjVyMgolLCNPMeBfKwR9A0HVq35JHByu3vcCWAz9W
O//b8VCbZIMLcxSu3WtxyIOqMTgJDsov24oFRg1Lezbp/Dol1KTi7LB1qxKYik21
FJ7yt4djaUoaO2WP5IQjjhlflP3M+thz9TpUoeIQYXTw2fzR+58=
=3ZsF
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS