Word got out that we didn't support SSL/TLS on our site due to lack of funding. A couple companies reached out to us to offer us free SSL/TLS certificates. Thanks to DigiCert, as of today, HardenedBSD's main site and package repository is now running SSL/TLS! We will update our Jenkins server with SSL/TLS over the next week. We've also started signing all the release media in our nightly builds with a GPG key created for the dev team. The GPG key's Key ID is 0xE57D5B654BB5228E and its fingerprint is 2FB0 10E7 4676 C06C 23C5 7687 E57D 5B65 4BB5 228E.

We're proud to release the first release candidate of secadm 0.1. We've added a few new features and fixed a few bugs. Continue reading for the changelog and download links.

The jls command causes kernel panic in certain cases.

Relative easy to trigger the bug, just try the following PoC:
$ sudo jail -n crashme -c ip4=new persist
$ jls

As we mentioned in our blog article about the Offset2lib attack, we wanted to make our ASLR a little more secure against these types of attacks. One of the ways we can strengthen our ASLR implementation is by randomization the order in which shared objects get loaded when a program starts up. This removes one more piece of determinism and can further frustrate an attacker. We've now implemented it.

The recently disclosed offset2lib attack against Linux's default ASLR implementation has generated a lot of chatter. As mentioned in the paper, ASLR implementations based off of PaX's--which is the case for HardenedBSD--are generally secured against this attack. Our whitepaper describes how we calculate separate offsets for the execution base, mmap, and the stack.