- Cross-site scripting (XSS) vulnerability in FreeNAS before 0.69.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
- Cross-site request forgery (CSRF) vulnerability in the WebGUI in FreeNAS before 0.7RC1 allows remote attackers to hijack the authentication of users for unspecified requests via unknown vectors.
The number 1 rule for any sysadmin is to keep systems and servers up to date with the latest security patches (the number 2 rule is to make regular backups).
FreeBSD 6.1 suffers from a classical check/use race condition on SMP. The bug was fixed in 6.1-STABLE, just before the release of 6.2-RELEASE, but was not recognised as a security vulnerability.
This code exploits this vulnerability to run a root shell.
To find out more about FreeBSD security, refer to the FreeBSD Security Information page.
It is recommended to keep FreeBSD systems up to date, with the latest application security patches installed via the ports collection. But how do you upgrade all packages under FreeBSD?
FreeBSD comes with various tools to install and update software packages; here the portmaster command-line tool is used to install and update them. There are four steps. Most of the actions listed in this FAQ are written with the assumption that they will be executed by the root user running the csh or bash shell.
- Update FreeBSD Ports Tree
- List All Outdated Packages in the FreeBSD Ports Tree
- Read /usr/ports/UPDATING File
- Upgrade All Packages / Ports / Apps
All the details, step by step, can be found here (nixcraft).
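As an added example (not code from the page or from the nixcraft article it links), the four steps above wrapped in a small POSIX shell script. The FreeBSD commands it calls (portsnap, pkg_version, portmaster) are real; the UPDATING entries and pkg_version output used further down are constructed sample data so that the helper functions can be exercised on any system. The function and file names are my own choices.

```shell
#!/bin/sh
# Added example, not from the page or the nixcraft FAQ: the four-step
# portmaster upgrade as a script. Helper functions for steps 2 and 3 are
# written so they can be run offline against the constructed sample data below.

# Step 3 helper: print the entries of a ports UPDATING-style file dated
# strictly after $1 (YYYYMMDD). Each entry starts with a line like "20090720:".
updating_entries_since() {
    awk -v since="$1" '
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:$/ {
            # every date is exactly 8 digits, so string comparison orders them correctly
            show = (substr($0, 1, 8) > since)
        }
        show { print }
    ' "$2"
}

# Step 3 helper: count the recent entries whose AFFECTS line mentions a port
# or category you actually have installed, e.g. "lang/python".
updating_entries_affecting() {
    updating_entries_since "$1" "$2" | grep -c "^  AFFECTS:.*$3"
}

# Step 2 helper: from saved "pkg_version -vL=" output, print the names of
# packages that are older than their port (comparison column is "<").
outdated_from_pkg_version() {
    awk '$2 == "<" { print $1 }' "$1"
}

# The procedure itself; $1 is the date (YYYYMMDD) of your previous upgrade.
# Meant to be run as root on a FreeBSD host; it is not invoked below.
upgrade_all_ports() {
    portsnap fetch update                           # 1. update the ports tree
    pkg_version -vL= > /var/tmp/outdated.txt        # 2. list outdated packages
    outdated_from_pkg_version /var/tmp/outdated.txt
    updating_entries_since "$1" /usr/ports/UPDATING | "${PAGER:-less}"  # 3. read UPDATING
    portmaster -a                                   # 4. upgrade all installed ports
}

# Constructed sample data (not real UPDATING entries or a real host's output).
SAMPLE_UPDATING=$(mktemp)
SAMPLE_PKGVERSION=$(mktemp)
trap 'rm -f "$SAMPLE_UPDATING" "$SAMPLE_PKGVERSION"' EXIT

cat > "$SAMPLE_UPDATING" <<'EOF'
20090720:
  AFFECTS: users of lang/python*
  AUTHOR: someone@example.org

  Default Python version changed; rebuild dependent ports afterwards.

20090705:
  AFFECTS: users of www/apache22
  AUTHOR: someone@example.org

  Module directory layout changed; check your httpd.conf.

20090601:
  AFFECTS: users of security/openssl
  AUTHOR: someone@example.org

  Shared library version bumped; rebuild everything that links libssl.
EOF

cat > "$SAMPLE_PKGVERSION" <<'EOF'
apache-2.2.11_5          <   needs updating (port has 2.2.13)
openssl-0.9.8k           <   needs updating (port has 0.9.8k_1)
python26-2.6.2_1         >   succeeds port (port has 2.6.2)
EOF

echo "UPDATING entries since 20090630:"
updating_entries_since 20090630 "$SAMPLE_UPDATING"
echo "Outdated packages:"
outdated_from_pkg_version "$SAMPLE_PKGVERSION"
```

The point of filtering UPDATING by the date of your last upgrade is that the file is long and only the entries added since then can require manual steps; checking the AFFECTS lines against what is installed tells you whether any of them apply before portmaster -a rebuilds everything.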
On a related note, Richard Bejtlich has updated his draft of “Keeping FreeBSD Applications Up-To-Date”, a follow-up to his 2004 article of the same name, which used FreeBSD 5.x for the examples.
The document contains the following sections:
- FreeBSD Handbook
- A Common Linux Experience
- Simple Package Installation on FreeBSD
- Checking for Vulnerable Packages with Portaudit
- FreeBSD Package Repositories
- Updating Packages by Deletion and Addition
- Introducing the FreeBSD Ports Tree
- Updating the FreeBSD Ports Tree
- Installing Portupgrade
- Updating Packages Using Portupgrade
- Removing Packages
- Identifying and Removing Leaf Packages
- Preparing to Build and Install Packages Using the Ports Tree
- Building and Installing Packages Using the Ports Tree: A Simple Example
- Building and Installing Packages Using the Ports Tree: A More Complicated Example
- Install Packages Built on One System to Another System
- Installing Screen Using a Remote FreeBSD Ports Tree
- Reading /usr/ports/UPDATING
- My Common Package Update Process
A PDF can be downloaded from the TaoSecurity website
There’s an article on internetnews.com by Sean Michael Kerner on the new routing architecture in FreeBSD 8.0:
“Though the open source FreeBSD operating system has changed in many aspects over the last 16 years of its life, one item that has remained relatively static is its underlying network routing architecture.
No more: It’s getting an overhaul with the upcoming FreeBSD 8.0 release.
FreeBSD 8.0, due out next month, will include a new routing architecture that takes advantage of parallel processing capabilities. According to its developers, the update will provide FreeBSD 8.0 with a faster more advanced routing architecture than the legacy architecture.
It’s an important change for FreeBSD, which has emerged as a key open source operating system for networking vendors, with players like Juniper, Coyote Point, Blue Coat and others offering their own network operating systems that are based on FreeBSD.
The new routing architecture was written by Qing Li, senior architect at Blue Coat, as a way to give back to the open source community.
“Blue Coat’s ProxySG networking kernel was partially derived from the FreeBSD kernel. Blue Coat is a sponsor of my open source development work, so this is a good way to contribute to the open source community,” Li told InternetNews.com.
The new routing architecture in FreeBSD 8 is also about optimization, as it reduces data dependencies across networking layers. The end result is a routing architecture that can take better advantage of multi-core, parallel processing CPUs.
“The new routing technology works on both multi-core as well as single-core CPUs. The performance gain is most visible in the multi-core situation, though.”
But making changes also has important implications for BSD 8.0, since a key goal of the release is about ensuring a degree of compatibility with prior releases and the existing software ecosystem.
“Since the rewrite affects fundamental packet processing and the operation of protocols within the networking kernel, I had to ensure regression risk was low and compatibility was high,” Li said. “For example, those applications that are part of the ports, which interact with the kernel (e.g. retrieving the routing information, waiting for notification about routing table changes ) will continue to compile and operate semantically correct.”
In a technical paper that Li is publishing and talking about today at a conference in Spain, Li explained that the legacy version of the FreeBSD routing architecture actually reduced parallelism on SMP and parallel architectures.
“As a result of the dependency between L2 and L3, the processing through these two layers was single-threaded. A common parallel TCP/IP protocol stack design is to allow L2 and higher layer processing to run independently of each other, having each processor managing different protocols. The aforementioned locking contention increased processor stalling and prevented one from benefiting from more advanced hardware platforms,” Li wrote in his paper.
According to Li, contention locks consumed as much as 47 percent of a CPU’s time with the legacy routing architecture, determined through a test with eight transmitting threads.
“With the new split L2/L3 design, the L2 and L3 references can be cached in the protocol control block for connected sockets or in a flow table for unconnected sockets and forwarding. Thus we see that very little of the CPU time is now spent in the locking primitives even when there are [eight] transmitting threads.”
The whole article can be read here.
The FreeBSD team has unfrozen the -HEAD development branch (which will eventually lead to 9.0-RELEASE), meaning 8.0 is around the corner and work on FreeBSD 9 can start.
More about FreeBSD Release Engineering.
A tutorial video on configuring traffic shaping to give priority to VoIP traffic for Asterisk on a pfSense firewall.
Ken Smith has announced the third of the BETA builds for FreeBSD 8.0. All major work related to new features in 8.0 has been completed and we are shifting into “bugfix only” mode for the balance of the release cycle. Debugging features (e.g. WITNESS) are still enabled but will be removed from stable/8 between now and RC1, so performance is still impacted a bit by that. Also note that, as mentioned previously on the mailing lists, we did do a shared library version bump after BETA2 was announced (the bump was done July 19th with svn commit r195767), so if you update a system that was last rebuilt earlier than that it would be a good idea to rebuild all user-level applications, including the ports/packages.
The current release target date is the 3rd week of September. Two Release Candidate builds (RCs) are expected to be done, with RC1 builds scheduled for next weekend. As you probably know our schedules often slip, but that’s the current target. More information about the current state of the release is available here:
BSD Mag has created a promotional flyer to give away. It includes subscription information and a discount code. Help us hand these out to spread the word about BSD Magazine.
A PDF copy is available from Dru’s slideshare.
Also, if you haven’t subscribed to BSD Mag because you didn’t know what you would be subscribing to, you can now download BSD Magazine’s 3 previous issues, all available for download. If you like them, why not subscribe?
FreeBSD developer Poul-Henning Kamp (phk) has sued Lenovo in Denmark (Google translation, original here) over their refusal to refund the Windows Vista Business license, even though he declined the EULA during installation. Lenovo argues that they sell the computer as a full product, and that they cannot refund it partially, such as the power supply or the OS, even if people intend to use a different one. This seems to be contrary to previous rulings in the EU where Acer and HP have been forced to refund the ‘Microsoft tax.’
“It is clear from Lenovo’s website that your computer comes with Windows Vista Business installed, and any reasonable customer should expect that the general license terms for Windows Vista apply, including the previous paragraph.
“Nowhere on the Lenovo website have I been able to find any indication that Microsoft’s standard license was not valid for the copy of Windows Vista Business that came with your computer.
“Lenovo certainly has lots of Microsoft-paid “advertising” on their website where they write that “Lenovo recommends Windows Vista”, but a recommendation is not a requirement.
“My first contention is that Lenovo should live up to the wording of the agreement text that explicitly makes them a party, which they themselves caused to be presented on the computer screen when you turn it on the first time, and which the screen explicitly described as only being a requirement for using Windows Vista Business and not the computer as a whole.”
Good for Poul.