Announcing the 2018 donation run!

We've just published our goals for 2018. We've got a number of new goals planned, some of which require new infrastructure. In 2018, we plan to migrate at least 90% of our infrastructure to a single data center in addition to expanding our existing infrastructure.

In addition to the enhancements to the HardenedBSD project itself, here's what we'd like to do with regard to hardware:

  • New nightly build server. Our current nightly build server is aging. It's constantly building HardenedBSD 24/7. We need to replace or augment this server with a newer, more powerful one. $5,000 USD
  • A ThunderX2 server. We have a SoftIron OverDrive 1000, which we use to build arm64 packages. Building packages on it takes a minimum of two weeks. We need to cut that time to less than one week. $9,000 USD
  • Colocation of servers. We've received quotes from a few different providers, and each provider has quoted us around $5,000/year to host our services. In order to colocate our servers, we need to pay a year's worth of hosting in advance. $5,000 USD

HardenedBSD has grown significantly over the past couple years. We are now at the point where filing for 501(c)3 not-for-profit status is advantageous. Once we are granted 501(c)3 status, future donations will become tax deductible. Our accountant has estimated around $2,000 USD in fees. With the hardware, this brings us to a total of $21,000 USD. We plan to split up the donation run into two six-month sprints of $10,500 USD each.

We're always grateful and appreciative of everyone who contributes to HardenedBSD.

Stable release: HardenedBSD-stable 10-STABLE v1000050.1

HardenedBSD-10-STABLE-v1000050.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r321963: Rework and simplify the ksyms(4) implementation. (8dd00d8dbc725739245fa99d354bafdff8f8c228)
  • MFC r326872: fix expiration arithmetic in pw after r326738 and MFC. (1e062f6d317b90805e77a7ec1dd96da3b5ed38aa)
  • Fix error state handling in openssl (22fbcdca2ade973c8a6614b1fbf8738254a08f7b) [CVE-2017-3737 FreeBSD-SA-17:12.openssl]
  • MFC r326135: bfd: fix segfault in the ihex parser on malformed ihex file (c5f9120f60a45a1557a7722ef4d8d9fffc9e1c60) [CVE-2014-8503]
  • MFC r326136: bfd: avoid crash on corrupt binaries (e10e409a72215a686ec2b96bcadc3e6487692fe7) [CVE-2014-8501 CVE-2014-8502]
  • Avoid out-of-bounds read in openssl (276fd8048df373d9ac6309a912482c25b5d85695) [CVE-2017-3735 FreeBSD-SA-17:11.openssl]
  • MFC 325039: Rework pass through changes in r305485 to be safer. (00e656a0895cc338b10687bd40ebeaea50587d31)
  • Properly bzero kldstat structure to prevent kernel information leak. (904c1c37dd42b1a1a6cd2fd91a8409ac66bedac5) [FreeBSD-SA-17:10.kldstat CVE-2017-1088]
  • MFH (r325010): don't bother verifying a password that we know is too long. (5ebf270c7d98c29c8cec401366a73a7a9c816410) [CVE-2016-6210]
  • Separate POSIX sem/shm and mqueue objects in jails. (568bd26f8e5f02d7efcfe6fd12855606f8ee4e83)
  • Zero whole struct ptrace_lwpinfo to not leak kernel stack data. (a19cbcf5230a491e382ab392a80fb13721e31918) [CVE-2017-1086]
  • Fix out-of-bounds read in libc/regex. (70a215a5740c4dd64ac4a9e3efc4bf545de55416)
  • Add extended attributes support to fuse kernel module. (cca38407ae55b60986bd6677b6a7464c8dc54538)
  • hbsd-update updates
  • clang updates
  • zfs updates
  • geom updates
  • nfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054.2

HardenedBSD-11-STABLE-v1100054.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: Disable lint(1) by default (74db9a87ccbee248675ea534b4867ef7b45ae116)
  • Update to OpenSSL 1.0.2n (a0b182dd517b681163e5a3b649fa9931c36ca3c4) [FreeBSD-SA-17:12.openssl CVE-2017-3737 CVE-2017-3738]
  • MFC r326074: filter all passwords (not only changed) from periodic passwd backup (c789660d53a74dca1d0c0d2b0cc376418fe5f2d2)
  • MFC r326135: bfd: fix segfault in the ihex parser on malformed ihex file (9d9b278a90fa6d1c7818ba58274a8e0b40569651) [CVE-2014-8503]
  • MFC r326136: bfd: avoid crash on corrupt binaries (e1ecb10d06b8c1a102ddba5501438ea64789a563) [CVE-2014-8501 CVE-2014-8502]
  • evdev updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054.1

HardenedBSD-11-STABLE-v1100054.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • fixed syslogd - restore host name handling in UDP case (1bbaa032d75dc1aab167b8a6cc5c9116c5e393bc)
  • fixed ARM64 control flow problem (1ea13dc104ea903a34741e363d910a1fb16f31f7) [FreeBSD-SA-Candidate]
  • fixed MAP_GUARD issues (96cbc3d921794d684acf6e4fe465374bee33ed6c)
  • upgrade to Unicode 10.0.0 (909e9adcdcdc361054c0947ee969961afe431676)
  • ZFS fixes
  • (side note: the recent OpenSSL security issues (FreeBSD-SA-17:11.openssl) are already fixed in previous releases)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100054

HardenedBSD-11-STABLE-v1100054 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!
Warning2: reinstallation of pkgs/ports is required due to the LibreSSL upgrade!

Highlights:

  • Changed AT_PAXFLAG auxvector position (4c04e4a613679510cd16bb13d7974c18e3f54460)
  • Properly bzero kldstat structure to prevent kernel information leak. (3ff3ec467d4eb11cdbf706cf386935d5e58c2e91) [FreeBSD-SA-17:10.kldstat, CVE-2017-1088]
  • CloudABI 0.17 (cf6ac9b4efa43a9c64c5ab311666080a0e8632b1)
  • MFH (r325010): don't bother verifying a password that we know is too long. (b242fe393914310e50673eb62d480ce03706d745) [CVE-2016-6210]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100053

HardenedBSD-11-STABLE-v1100053 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • LibreSSL 2.6.3 (c49b64fc67249a34f0899fdaf83ff409877c0832)
  • Fix infoleak in ptrace_lwpinfo (a9480512504618c725807232b538d3d03adb13c0) [FreeBSD-SA-Candidate, CVE-2017-1086]
  • ZFS channel programs (b6de21de0e6db7018f1a79f4e09e03275f27996f)
  • OpenSSL 1.0.2m (a88f0513c4cf81f98bab740e4f112f1a6d7f4d42) [FreeBSD-SA-Candidate, CVE-2017-3736, CVE-2017-3735]
  • Add extended attributes support to fuse kernel module (4d1ec3df908e0b5948287618d437add1454b15f0)
  • tzdata 2017c (bb786ee507dfb1537c2a2d4bbbc9cb06cfa2cd9f)
  • Linux emulation changes to support newer Linux libdrm (8b3e384829098404bdf42f48c6e808aed906aeb0)
  • Fixes and improvements for x86 LDT handling (5f0b9b87892629c113c13c5a0c5933c1de48bdb9) [FreeBSD-SA-Candidate]

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 10-STABLE v1000050

HardenedBSD-10-STABLE-v1000050 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update! Recompilation or updating of secadm is required.

Highlights:

  • Update wpa_supplicant/hostapd for 2017-01 vulnerability release. (7aec04ba0072726d6bfd78bd999ad560d9780f9e) [FreeBSD-SA-17:07]
  • Libarchive update (a8e62bf6379d818c85773fb747b79c05929632b5) [FreeBSD-SA-Candidate]
  • hyperv updates
  • ZFS updates
  • hbsd-update improvements
  • HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1)
  • HBSD MFC: netsmb: Fix buggy/racy smb_strdupin()
  • HBSD: add kernel side of hbsdcontrol (ddf19424710e7ff34a9e82794c65b35543248941) [see UPDATING-HardenedBSD in src repo]
  • HBSD: fix a possible "time of check to time of use" attack (bfdb3e6118e66e95bb1e823201898dedc3b38701)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100052

HardenedBSD-11-STABLE-v1100052 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning, this is a security update!

Highlights:

  • MFC r324696: Update wpa_supplicant/hostapd for 2017-01 vulnerability release. (2d112e2354053559738d08a42672a59fee3c57c5) [FreeBSD-SA-17:07, fix for the KRACK WPA issue]
  • Changed AUX vector layout
  • HBSD MFC r324394: random(4): Gather entropy from Pure sources
  • HBSD MFC r324372: random(4): Discard low entropy inputs
  • HBSD MFC r316767: Map DMAP as nx.

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Stable release: HardenedBSD-stable 11-STABLE v1100051

HardenedBSD-11-STABLE-v1100051 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update

Highlights:

  • HyperV fixes
  • ZFS updates
  • libarchive update (CVE-2017-14166, CVE-2017-14502) (aea515eb9597ea4c4963aa471d4325e351653a2f) [FreeBSD-SA-Candidate]
  • lots of hbsd-update improvements
  • Zero segment registers which contained invalid usermode selectors, when returning to kernel. (6a720c60ec8e6bc3caa3141033b0f54c14c0718d, 2c707ee9d55df4bd64c5928a092aea228426ac99) [FreeBSD-SA-Candidate]
  • make fsck_y_enable more aggressive (8430527c119726c7b1fa826dcf935f4681a126a2)
  • HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1) (954bfe0ad4ee110a69ab41f78f0494a3e2d4d9d3) [FreeBSD-SA-Candidate]
  • HBSD MFC: netsmb: Fix buggy/racy smb_strdupin() (145ca72398904245c097b37f843a2d7885a16c50) [FreeBSD-SA-Candidate]
  • hbsdcontrol's kernel-side implementation; for more information, please consult https://github.com/HardenedBSD-stable/hardenedBSD/blob/hardened/11-stabl...
  • LLVM, clang, lldb, lld, compiler-rt and libc++ update to 5.0.0 (12cd91cf4c6b96a24427c0de5374916f2808d263)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


Entropy Gathering Enhancements

At vBSDCon 2017, W. Dean Freeman and John-Mark Gurney gave a presentation entitled "A Deep Dive into FreeBSD's Kernel RNG." In the course of preparing for the presentation, a number of bugs and non-optimizations were discovered. These included:

  • The fact that after the code refactoring to make room for Fortuna, the code path for mixing entropy gathered from so-called "PURE" sources, such as the RDRAND instruction on Intel chips, was broken due to a new check on the bit value in the harvest mask and the fact that the bit could not actually be set.
  • In the random_harvest_queue code path, followed by the majority of entropy sources, entire "harvest_event" structures were being hashed, causing very low min-entropy measurement values when following the non-IID track for entropy source evaluation described in NIST SP800-90B Draft 2.

Working with the HardenedBSD team, these issues have been addressed by W. Dean Freeman and reviewed by John-Mark Gurney in 12-CURRENT. Patches will be made available upstream so that FreeBSD can benefit from both the bug fixes related to pure entropy sources as well as a boost in min-entropy. Additionally, a BSD-licensed userland daemon similar to that found in the GPLv2-licensed rng-tools package has been developed, which allows crypto officers to easily use USB-attached TRNGs to increase entropy fed into the kernel PRNG.
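To make the min-entropy point concrete, the following added example (not code from HardenedBSD, FreeBSD or the presentation) applies the most common value estimate from SP 800-90B, one of the estimators used on the non-IID track, to whole event records and then to only the harvested bytes inside them. The record layout, field values and sample data are constructed assumptions, not the kernel's "harvest_event" definition.

```python
import math
import random
import struct
from collections import Counter

# Hypothetical stand-in for a queued harvest record (not the kernel's struct):
# 32-bit cycle counter, 8-byte payload buffer, then size, destination, source.
RECORD = struct.Struct("<I8sBBB")
PAYLOAD_USED = 2   # constructed: each event fills only 2 of the 8 payload bytes
SOURCE_ID = 7      # constructed constant source identifier


def mcv_min_entropy(symbols):
    """SP 800-90B most common value estimate, in bits per symbol."""
    n = len(symbols)
    if n < 2:
        raise ValueError("need at least two symbols")
    p_hat = Counter(symbols).most_common(1)[0][1] / n
    # Upper end of the 99% confidence interval on the mode's probability.
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_u) if p_u < 1.0 else 0.0


def make_records(count, seed=2017):
    """Constructed sample data: unpredictable payload bytes inside fixed framing."""
    rng = random.Random(seed)
    counter = 0
    records = []
    for _ in range(count):
        # Counter advances by a nearly constant step, so its high bytes barely move.
        counter = (counter + 1000 + rng.randrange(16)) & 0xFFFFFFFF
        payload = bytes(rng.getrandbits(8) for _ in range(PAYLOAD_USED))
        # struct pads the short payload to 8 bytes with NULs, like an unused buffer tail.
        records.append(RECORD.pack(counter, payload, PAYLOAD_USED, 0, SOURCE_ID))
    return records


def compare(count=4000):
    """Return (bits/byte over whole records, bits/byte over used payload only)."""
    records = make_records(count)
    whole = b"".join(records)
    used = bytearray()
    for rec in records:
        _, payload, size, _, _ = RECORD.unpack(rec)
        used += payload[:size]          # only the bytes the size field declares
    return mcv_min_entropy(whole), mcv_min_entropy(bytes(used))


if __name__ == "__main__":
    whole, used = compare()
    print(f"whole record : {whole:.2f} bits of min-entropy per byte")
    print(f"payload only : {used:.2f} bits of min-entropy per byte")
```
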

Future work related to this will include importing the NIST_CTR_DRBG module from NetBSD into HardenedBSD and performing a FIPS 140-2 gap analysis against available kernel cryptographic modules to see what additional work needs to be done in order to provide a BSD-based alternative to Linux in the government sphere.
