pfSense 2.2.4-RELEASE Now Available!

The developers of pfSense have made version 2.2.4 available. Notable changes include security fixes, a PHP update, a webGUI update, and more. Download here or check out the full post below.

Original: https://blog.pfsense.org/?p=1833

pfSense® software version 2.2.4 release is now available, bringing a number of bug fixes and some security updates.

Security Fixes and Errata

  • pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
    • The complete list of affected pages and fields is listed in the linked SA.
  • FreeBSD-SA-15:13.tcp: Resource exhaustion due to sessions stuck in LAST_ACK state. Note this only applies to scenarios where ports listening on pfSense itself (not things passed through via NAT, routing or bridging) are opened to untrusted networks. This doesn’t apply to the default configuration.
  • Note: FreeBSD-SA-15:13.openssl does not apply to pfSense. pfSense did not include a vulnerable version of OpenSSL, and thus was not vulnerable.
  • Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
    • Fixed pw in FreeBSD to address passwd/group corruption
    • Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
    • Removed the ‘sync’ option from filesystems for new full installs and full upgrades now that the real fix is in place.
    • Removed softupdates and journaling (AKA SU+J) from NanoBSD, they remain on full installs. #4822
  • The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other above changes, risk is minimal. We advise replacing the affected CF/SD media by a new, faster card as soon as possible. #4822
  • Upgraded PHP to 5.5.27 to address CVE-2015-3152 #4832
  • Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of MaxAuthTries bypass bug. Note Sshlockout will lock out offending IPs in all past, current and future versions. #4875

Bug Fixes and Change List

The bug fixes and changes in this release are detailed here.

FreeBSD Second Quarter 2015 Status Report

FreeBSD has released their second quarter status report for 2015. Visit the link for a full, comprehensive report of what the developers have been up to so far.

Original: https://www.freebsd.org/news/status/report-2015-04-2015-06.html

The second quarter of 2015, from April to June, was another period of busy activity for FreeBSD. This report is the largest we have published so far.

The cluster and release engineering teams continued to improve the structures that support FreeBSD’s build, maintenance, and installation. Projects ran the gamut from security and speed improvements to virtualization and storage appliances. New kernel drivers and capabilities were added, while work to make FreeBSD run on various ARM architectures continued at a rapid pace. The Ports Collection grew, even while adding capabilities and fixing problems. Outside projects like pkgsrc have become interested in adding support. Documentation was a major focus, one that is often complimented by people new to FreeBSD. BSDCan 2015 was a great success, turning many hours of sleep deprivation into an even greater amount of inspiration.

As always, a great deal of this activity was directly sponsored by the Foundation. The project’s status as a first-class operating system owes a great deal to the Foundation’s past and ongoing work.

The number and detail of these reports really gives only a tiny glimpse of all that is happening. A huge portion of FreeBSD development takes place all the time, including bug fixes, feature improvements, rewrites, and imports of new code. This ongoing work is difficult, time-consuming, and, far too often, unrecognized. We should take a moment to consider and thank not just the contributors listed here, but also the end users, bug submitters, port maintainers, coders, security analysts, infrastructure defenders, tinkerers, scientists, designers, questioners, answerers, rule makers, testers, documenters, sysadmins, dogmatists, iconoclasts, and crazed geniuses who make FreeBSD such an effective and useful operating system. If you are reading this, you are one of these people, too. Thank you.

—Warren Block

HardenedBSD 11-CURRENT amd64 (x86-64) installers

The folks at HardenedBSD have made available version 11-CURRENT. HardenedBSD is a “security-enhanced fork of FreeBSD”.

Original: http://hardenedbsd.org/article/oliver-pinter/2015-07-24/hardenedbsd-11-current-amd64-x86-64-installers

FreeBSD 10.2-RC2 Now Available

The developers of FreeBSD have made available version 10.2-RC2. Follow the newsletter link to see the whole list of changes and full details.

Original: https://lists.freebsd.org/pipermail/freebsd-stable/2015-August/082966.html

The second RC build of the 10.2-RELEASE release cycle is now available.

Installation images are available for:

o amd64 GENERIC
o i386 GENERIC
o ia64 GENERIC
o powerpc GENERIC
o powerpc64 GENERIC64
o sparc64 GENERIC

The image checksums follow at the end of this email.

FreeBSD/arm SD card images are available for:

o BEAGLEBONE
o CUBOX-HUMMINGBOARD
o GUMSTIX
o RPI-B
o PANDABOARD
o WANDBOARD

Note:  For convenience for those without console access to supported arm
devices, a default 'freebsd' user exists for ssh(1) login.  The password
is 'freebsd', which it is strongly recommended to change after gaining
access to the system.  Additionally, the 'root' user password is 'root',
which is also recommended to change.

All images can be downloaded from:

  ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.2/

Run Secure Shell (ssh) on FreeBSD

Here goes another tutorial by user , this time we are shown how to get Secure Shell (ssh) running on FreeBSD.

Original: http://www.instructables.com/id/Run-Secure-Shell-ssh-on-FreeBSD/

Bottom Line: connecting to other computers over the network can be a risky proposition. In the “days of yore,” *NIX systems would use a program called telnet. One glaring security problem with this command was the user’s password was sent unencrypted over the network.

Secure Shell (ssh) was developed to overcome this deficiency.

This Instructable will show you how to get ssh and its corresponding daemon sshd running on your FreeBSD system.

Step 1: Configure the Secure Shell daemon (sshd)

Your FreeBSD system should be using a version of OpenSSH, a group of network connectivity tools to connect securely to remote machines. OpenSSH encrypts all traffic across connections to minimize exploitation through eavesdropping, spoofing and man-in-the-middle attacks.

First step: See if you have SSH keys already installed:

Keep your FreeBSD system up-to-date

This short tutorial by user will show you how to keep your FreeBSD system up to date, ensuring you are secure and protected from the latest bugs.

Original: http://www.instructables.com/id/Keep-your-FreeBSD-system-up-to-date/

To keep your system working smoothly, OS manufacturers release patches and upgrades on a regular basis. The FreeBSD OS is no different; its benefactor, the FreeBSD Foundation, ensures that OS updates are on a regular, scheduled basis. Additional installed software also may require updates to ensure smooth running code. These ports and packages are maintained in a central repository to ensure easy dissemination to the widest audience.

What does this mean for you? A very easy and rapid way to keep your system up-to-date and in tip-top shape!

Step 1: Verify a few things.

Know which version of FreeBSD you are running. For this example, I am running FreeBSD 10.1 (as of this writing, this is the most current version). So I can expect only minor updates to the 10.1 code. If you were running 8.x or 9.x, you would have to make minor OS updates (e.g. 9.1 to 9.2 or 8.2 to 8.3), before a major version update (e.g. 8.x to 9.x).

Ensure you have a steady internet connection. Updates are downloaded from the ‘net, so if your connection is spotty, the software will Time-Out, and you will have to accomplish the updates at a later time.

How (and why) to Add User(s) to FreeBSD

This tutorial by user shows us how to add more users to an existing FreeBSD installation.

Original: http://www.instructables.com/id/How-and-why-to-Add-Users-to-FreeBSD/?ALLSTEPS

While most system administrators and power users will roll their eyes at this Instructable, I present it simply to present another way of administering your FreeBSD system. Any novice sysadmin (if they are worth their salt) has done something stupid while logged into the “superuser” root account. I am not discouraging the use of root (when applicable), but allowing you a thin safety-net between any mistakes you might make.

Step 1: Decide on your (new) username and purpose

I have created user accounts that were compartmentalized. For example, one account was to solely update a webpage and associated database. Another was for my music server. While seemingly cumbersome, the less privileges you give a user account, the less problem you will have if someone breaks into the account and attempts to do harm.

For this Instructable, I am creating an account that will be equal to root (for all intents and purposes), but provide “safeguards” to make you think twice before executing a command. For these examples, I am naming the account knight… as in “protector of the realm.”

Step 2: Use adduser to…Add User

Being logged in as root (initially), type in:

[FreeBSD-Announce] Updates regarding FreeBSD.org svn mirrors

This FreeBSD announcement is regarding mirror changes on svn.freebsd.org. As noted, the update serves to improve security and will not interrupt any activities.

Original: https://www.mail-archive.com/freebsd-announce@freebsd.org/msg00662.html

There have been some updates to the project-operated svn mirrors.  The current 
status is here:
  https://www.freebsd.org/doc/handbook/svn.html
The changes should improve robustness and security and are not intended to be 
disruptive.

Of note:
* "svn.freebsd.org" is now geo-dns routed to a mirror, with failover.
* "svn.freebsd.org" is now the recommended location for general use.
* https://svn.freebsd.org now has a real certificate and use of https is 
encouraged.
* The old mirror names are deprecated and no longer documented but are 
expected to continue to be usable for the foreseeable future.

For future checkouts, you should use svn.freebsd.org rather than the 
deprecated mirror names.

Before using the https method, you should ensure that you have the 
'security/ca_root_nss' package installed, for example:
# pkg install ca_root_nss
