New stable version: HardenedBSD-stable 10-STABLE v46.12

HardenedBSD-10-STABLE-v46.12 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: This is a SECURITY UPDATE!

Highlights:

Installers:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:


CHECKSUM.SHA512.asc:


New stable version: HardenedBSD-stable 11-STABLE v46.3

HardenedBSD-11-STABLE-v46.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Installer images: http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

Image checksums:

New stable release: HardenedBSD-stable 10-STABLE v46.11

HardenedBSD-10-STABLE-v46.11 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

* cron username handling fix (6da7f85) [FreeBSD SA candidate]

Installer images: http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

Image checksums:

New stable release: HardenedBSD-stable 10-STABLE v46.10

HardenedBSD-10-STABLE-v46.10 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

* libarchive update (2e9dcc4) [FreeBSD SA candidate]
* sqlite update (06b3d2e) [FreeBSD SA candidate]

Installer: http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...


New stable version: HardenedBSD-stable 11-STABLE v46.2

HardenedBSD-11-STABLE-v46.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Installers: http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...
Git repo: https://github.com/HardenedBSD/hardenedBSD-stable.git

Highlights:
* libarchive update (CVE fixes, FreeBSD SA candidate)
* sqlite update (CVE fixes, FreeBSD SA candidate)

LibreSSL Enabled By Default

Bernard Spil has done a wonderful job in importing and maintaining LibreSSL for HardenedBSD. LibreSSL in base has undergone thorough testing over a period of multiple months. We use LibreSSL in our infrastructure. When we publish our first official release, HardenedBSD 11.0-RELEASE, LibreSSL will be the default.

We have now enabled LibreSSL by default in the hardened/current/master branch. We have started a new package build with LibreSSL enabled for that branch. We are also building binary updates that will get pushed out within the next six to eight hours.

New stable version: HardenedBSD-stable 10-STABLE v46.8

HardenedBSD-10-STABLE-v46.8 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Headlines:
* bhyve updates
* Kaby Lake support for e1000
* zfs fixes
* uipc related kernel panic fixes (d36bc76, e19f452)
* rlimits related kernel panic fix (7894a6b)
* enabled kyua test builds by default
* libarchive fixes (97563c8, fad0147)
* hbsd-update updates

PIE, RELRO, and BIND_NOW for ports

We have now enabled PIE, RELRO, and BIND_NOW for the whole ports tree. This is a huge leap forward for HardenedBSD. All of base is already compiled with PIE + RELRO + BIND_NOW, and now a good portion of ports is as well. A good portion of ports should work with PIE, RELRO, and BIND_NOW. Where a port won't compile or run with PIE, check for NOPIE. Where a port won't compile or run with RELRO + BIND_NOW, check for NORELRO. Please note that some ports ignore custom CFLAGS/CXXFLAGS/LDFLAGS and as such will not compile with PIE + RELRO + BIND_NOW enabled.

PIE and RELRO + BIND_NOW are disabled by default for ports that have either kmod or fortran USES flags. Kernel modules cannot be compiled with PIE, RELRO, and BIND_NOW. More research is needed for the fortran ports.

If PIE is disabled by default for a port, but the port maintainer wants to force PIE to be enabled by default, the port maintainer can set EXPLICIT_PIE. The same logic applies for RELRO + BIND_NOW, but with EXPLICIT_RELRO.

A follow-up commit has been made to explicitly disable PIE or RELRO + BIND_NOW for a number of ports. Out of roughly 26,000 ports, only around 400 failed to compile due to PIE or RELRO + BIND_NOW.

Given that there are over 26,100 ports in the tree, HardenedBSD will need to rely on its ever-growing community for runtime testing. Simply compiling an application does not mean that the application will run successfully. As an example, xorg will compile fine with RELRO + BIND_NOW, but due to how it integrates with modules during runtime, it will break. xorg still runs fine with PIE, however.

If you experience issues with a port or package, please file a bug report here.
