In this BSD Now episode, hosts Kris Moore and Allan Jude interview Sebastian Wiedenroth regarding pkgsrc. They discuss its roots, as well as the conference that surrounds it. Hit play below to tune in:
The developers of pfSense have made available version 2.2.4. Notable changes include security fixes, a PHP update, a webGUI update, and more. Download here or check out the full post below.
pfSense® software version 2.2.4 release is now available, bringing a number of bug fixes and some security updates.
Security Fixes and Errata
- pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
  - The complete list of affected pages and fields is listed in the linked SA.
- FreeBSD-SA-15:13.tcp: Resource exhaustion due to sessions stuck in LAST_ACK state. Note this only applies to scenarios where ports listening on pfSense itself (not things passed through via NAT, routing or bridging) are opened to untrusted networks. This doesn’t apply to the default configuration.
- Note: FreeBSD-SA-15:13.openssl does not apply to pfSense. pfSense did not include a vulnerable version of OpenSSL, and thus was not vulnerable.
- Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
  - Fixed pw in FreeBSD to address passwd/group corruption
  - Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
  - Removed the ‘sync’ option from filesystems for new full installs and full upgrades now that the real fix is in place.
  - Removed softupdates and journaling (AKA SU+J) from NanoBSD, they remain on full installs. #4822
  - The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other above changes, risk is minimal. We advise replacing the affected CF/SD media by a new, faster card as soon as possible. #4822
- Upgraded PHP to 5.5.27 to address CVE-2015-3152 #4832
- Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of MaxAuthTries bypass bug. Note Sshlockout will lock out offending IPs in all past, current and future versions. #4875
Bug Fixes and Change List
FreeBSD has released their second quarter status report for 2015. Visit the link for a full, comprehensive report of what the developers have been up to so far.
The second quarter of 2015, from April to June, was another period of busy activity for FreeBSD. This report is the largest we have published so far.
The cluster and release engineering teams continued to improve the structures that support FreeBSD’s build, maintenance, and installation. Projects ran the gamut from security and speed improvements to virtualization and storage appliances. New kernel drivers and capabilities were added, while work to make FreeBSD run on various ARM architectures continued at a rapid pace. The Ports Collection grew, even while adding capabilities and fixing problems. Outside projects like pkgsrc have become interested in adding support. Documentation was a major focus, one that is often complimented by people new to FreeBSD. BSDCan 2015 was a great success, turning many hours of sleep deprivation into an even greater amount of inspiration.
As always, a great deal of this activity was directly sponsored by the Foundation. The project’s status as a first-class operating system owes a great deal to the Foundation’s past and ongoing work.
The number and detail of these reports really gives only a tiny glimpse of all that is happening. A huge portion of FreeBSD development takes place all the time, including bug fixes, feature improvements, rewrites, and imports of new code. This ongoing work is difficult, time-consuming, and, far too often, unrecognized. We should take a moment to consider and thank not just the contributors listed here, but also the end users, bug submitters, port maintainers, coders, security analysts, infrastructure defenders, tinkerers, scientists, designers, questioners, answerers, rule makers, testers, documenters, sysadmins, dogmatists, iconoclasts, and crazed geniuses who make FreeBSD such an effective and useful operating system. If you are reading this, you are one of these people, too. Thank you.
The folks at HardenedBSD have made available version 11-CURRENT. HardenedBSD is a “security-enhanced fork of FreeBSD”.
- SHA256 hashes for published images: CHECKSUMS.SHA256
- CD ISO: HardenedBSD-11-CURRENT_hardenedbsd-stable-master-amd64-disc1.iso
- USB memstick: HardenedBSD-11-CURRENT_hardenedbsd-stable-master-amd64-memstick.img
- source code via git:
git clone --single-branch --branch hardened/current/master https://github.com/hardenedbsd/hardenedbsd-stable/ hardenedbsd-current
The developers of FreeBSD have made available version 10.2-RC2. Follow the newsletter link to see the whole list of changes and full details.
The second RC build of the 10.2-RELEASE release cycle is now available.
Installation images are available for:
- amd64 GENERIC
- i386 GENERIC
- ia64 GENERIC
- powerpc GENERIC
- powerpc64 GENERIC64
- sparc64 GENERIC
The image checksums follow at the end of this email.
FreeBSD/arm SD card images are available for:
- BEAGLEBONE
- CUBOX-HUMMINGBOARD
- GUMSTIX
- RPI-B
- PANDABOARD
- WANDBOARD
Note: For convenience for those without console access to supported arm devices, a default 'freebsd' user exists for ssh(1) login. The password is 'freebsd', which it is strongly recommended to change after gaining access to the system. Additionally, the 'root' user password is 'root', which is also recommended to change.
All images can be downloaded from: ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.2/
Here is another tutorial by user tdrss; this time we are shown how to get Secure Shell (ssh) running on FreeBSD.
Bottom Line: connecting to other computers over the network can be a risky proposition. In the “days of yore,” *NIX systems would use a program called telnet. One glaring security problem with this command was the user’s password was sent unencrypted over the network.
Secure Shell (ssh) was developed to overcome this deficiency.
This Instructable will show you how to get ssh and its corresponding daemon sshd running on your FreeBSD system.
Step 1: Configure the Secure Shell daemon (sshd)
Your FreeBSD system should be using a version of OpenSSH, a group of network connectivity tools to connect securely to remote machines. OpenSSH encrypts all traffic across connections to minimize exploitation through eavesdropping, spoofing and man-in-the-middle attacks.
First step: See if you have SSH keys already installed:
Download FastoNoSQL, a GUI platform for NoSQL databases, version 0.1.4 for FreeBSD here.
Download Redis, Memcached, SSDB GUI Manager for FreeBSD
The latest stable version:
64 bit FreeBSD 0.1.4 Archive (.tar.gz) — recommended
This short tutorial by user tdrss will show you how to keep your FreeBSD system up to date, ensuring you are secure and protected from the latest bugs.
To keep your system working smoothly, OS manufacturers release patches and upgrades on a regular basis. The FreeBSD OS is no different; its benefactor, the FreeBSD Foundation, ensures that OS updates are on a regular, scheduled basis. Additional installed software also may require updates to ensure smooth running code. These ports and packages are maintained in a central repository to ensure easy dissemination to the widest audience.
What does this mean for you? A very easy and rapid way to keep your system up-to-date and in tip-top shape!
Step 1: Verify a few things.
Know which version of FreeBSD you are running. For this example, I am running FreeBSD 10.1 (as of this writing, this is the most current version). So I can expect only minor updates to the 10.1 code. If you were running 8.x or 9.x, you would have to make minor OS updates (e.g. 9.1 to 9.2 or 8.2 to 8.3) before a major version update (e.g. 8.x to 9.x).
Ensure you have a steady internet connection. Updates are downloaded from the ‘net, so if your connection is spotty, the software will time out, and you will have to accomplish the updates at a later time.
This tutorial by user tdrss shows us how to add more users to an existing FreeBSD installation.
While most system administrators and power users will roll their eyes at this Instructable, I present it simply to present another way of administering your FreeBSD system. Any novice sysadmin (if they are worth their salt) has done something stupid while logged into the “superuser” root account. I am not discouraging the use of root (when applicable), but allowing you a thin safety-net between any mistakes you might make.
Step 1: Decide on your (new) username and purpose
I have created user accounts that were compartmentalized. For example, one account was to solely update a webpage and associated database. Another was for my music server. While seemingly cumbersome, the fewer privileges you give a user account, the fewer problems you will have if someone breaks into the account and attempts to do harm.
For this Instructable, I am creating an account that will be equal to root (for all intents and purposes), but provide “safeguards” to make you think twice before executing a command. For these examples, I am naming the account knight… as in “protector of the realm.”
Step 2: Use adduser to…Add User
Being logged in as root (initially), type in:
This FreeBSD announcement is regarding mirror changes on svn.freebsd.org. As noted, the update serves to improve security and will not interrupt any activities.
There have been some updates to the project-operated svn mirrors. The current status is here: https://www.freebsd.org/doc/handbook/svn.html
The changes should improve robustness and security and are not intended to be disruptive. Of note:
- "svn.freebsd.org" is now geo-dns routed to a mirror, with failover.
- "svn.freebsd.org" is now the recommended location for general use.
- https://svn.freebsd.org now has a real certificate and use of https is encouraged.
- The old mirror names are deprecated and no longer documented but are expected to continue to be usable for the foreseeable future.
For future checkouts, you should use svn.freebsd.org rather than the deprecated mirror names.
Before using the https method, you should ensure that you have the 'security/ca_root_nss' package installed, for example:
    # pkg install ca_root_nss