To find out if the FreeBSD version you’re running is affected and to read about the solutions to fix these issues, check out the links to the individual advisories.
Not directly related to these breaches, but still in the realm of security, Poul-Henning Kamp, the author of md5crypt(), has said that md5crypt() is no longer secure despite being recommended as a password hashing function. md5crypt is used to encrypt passwords on some FreeBSD systems.
The md5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.
New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.
Below some miscelaneous links to FreeBSD related news and updates:
KDE/FreeBSD Bulletin with recent FreeBSD KDE ports related updates.
PC-BSD 20120605 Snapshot now available for testing. There’s also a BSD Talk interview (BSDTalk 2016) with Kris Moore, founder of the PC-BSD project, which was recorded during BSDCan 2012. Kris talks about the features going into PC-BSD 9.1.
FreeBSD, a world apart (translatedfrom Spanish with Google Translate) – interesting blog post with some FreeBSDD background information. I like the collection of open source logos.
Phipps has already been spearheading an OSI reform process, working with the rest of the board to open up the organisation. That process has led to the creation of Open Source Initiative affiliation, bringing the Apache Software Foundation, FreeBSD, Eclipse, Mozilla, Debian, and Creative Commons, along with other organisations, on board as affiliates.
Martin Wilke has put out a call for people to help him test xorg 7.7, an open source implementation of the X Window System.
The FreeBSD Xorg Team is pleased to announce Xorg 7.7 Release. We are very happy to be able to Call for testing shortly after the Xorg team annouced 7.7 release. This CFT is also open for discussion on how we should move forward with xorg release as we are facing some issues and we would like to ask for your opinion. Right now we have 2 existing xorg versions in our Ports Tree. The situation is quite bad due to our poor graphic card support. That means we do not have much choice but to take it as how it is now. But with regards to mesa support, we have to face some new challenges.
Read the whole post and the instructions here: [CFT] Xorg 7.7 ready for testing!
Martin Cracauer, a FreeBSD developer, went to BSDCan 2012 and wrote up his experience on the Open Source at Google blog: BSDCan 2012 – “The technical BSD conference”. I’m sure this will have been read by many with an open source interst (26716 RSS followers). Good marketing!
The FreeBSD Foundation funded some FreeBSD developers’ and contributors’ travel expenses. In return they have sumarised what the did at BSDCan, how they got involved and what it means to them.
Read the feedback from:
- Marius Strobl
- Daichi Goto
- Mark Linimon
- Julien Laffaye
- Giovanni Trematerra
- Brooks Davis
- Thomas Abthorpe
- Warren Block
- Davide Italiano
Some of the BSDCan presentations can be viewed here, in case you missed them.
iXsystems’ TrueNAS Unified Storage Appliances will continue to leverage Fusion ioMemory technology for powerful, high-performance storage solutions.
From the press release: iXsystems Renews Collaboration Agreement with Fusion-io
You may have guessed, but there are many, different reasons. The following are some reasons why FreeBSD is still alive and FreeBSD users don’t have a need to migrate to Linux:
- The FreeBSD community focuses more on the technology than on licensing and ‘evangelism’
- FreeBSD is Stable. Simple!
- Well-structured, complete operating system (i.e. filesystem, kernel and its config, etc)
- The ports system; it’s stable and mostly up-to-date
- FreeBSD known for its ability to handle heavy network traffic with high performance and rock solid reliability
- FreeBSD is the system of choice for high performance network
- A kick-ass combo of features and very server-focused.
- FreeBSD is NOT Linux = FreeBSD is stable, reliable, simple
- FreeBSD is not as fragmented as Linux
- The one community. There’s one community, always willing to help out.
- The BSD license. Contrary to popular belief, it has brought a lot of high quality development to FreeBSD
- Universal toolkit. FreeBSD scales easily from the thinnest embedded system, to various desktops to huge servers — all with the same familiar tools and environment.
These and other reasons can now be found on the Why Use FreeBSD wiki page.
Obviously, since we all have different likings and requirements, FreeBSD won’t be of use to all. Based on feedback from the mailinglist Phoronix also summarised the reasons why not to use FreeBSD.
Thanks to Charles Rapenne for reminding me to post this.
The crypt(3) function performs password hashing with additional code added to deter key search attempts.
II. Problem Description
There is a programming error in the DES implementation used in crypt() when handling input which contains characters that can not be represented with 7-bit ASCII.
When the input contains characters with only the most significant bit set (0x80), that character and all characters after it will be ignored.
For a workaround and solution, check out the security advisory: FreeBSD-SA-12:02.crypt
BSDCan 2012 is over. For developers there’s now (more) development work to do, for those of us who could not attend time to watch the videos.
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
II. Problem Description
OpenSSL failes to clear the bytes used as block cipher padding in SSL 3.0 records when operating as a client or a server that accept SSL 3.0 handshakes. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory.
OpenSSL support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack.
To find out more about the impact, a work-around and solution, check out the advisory page:FreeBSD Security Advisory (openssl)