FreeBSD Foundation Upcoming Events

The Foundation is pleased to attend a number of events over the coming months:

EuroBSDCon 2014
September 27-28, 2014, Sofia, Bulgaria

USENIX Diversity ’14
October 5, 2014, Broomfield, CO

USENIX OSDI ’14
October 6-8, 2014, Broomfield, CO

Grace Hopper Celebration 2014
October 8-10, 2014, Phoenix, AZ

MeetBSD California 2014
November 1-2, 2014, San Jose, CA

USENIX LISA ’14
November 9-14, 2014, Seattle, WA

For a description of each event, head on over to the following link: https://www.freebsdfoundation.org/activities/upcoming_events

Bash Vulnerability in FreeBSD

As has been widely reported, a major vulnerability in bash has been discovered. This vulnerability, which is being referred to as “Shellshock”, is considerably less severe on FreeBSD than on most other Unix-like systems because bash is not in the base system and FreeBSD's /bin/sh is not bash. However, anyone running bash, and especially anyone running a system where external input (CGI request headers, SSH forced commands) can reach bash's environment, should be aware of this issue and patch any potentially vulnerable systems as soon as possible.

Bryan Drewery (bdrewery [at] freebsd.org) has patched the FreeBSD bash port to disable function importing from the environment unless an option is set at build time. Packages should be available soon.

Bryan also gave the following tips for reducing exposure to this vulnerability:

The port is fixed with all known public exploits. The package is building currently.

However, bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have a shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor “apache”. Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.
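To make the mechanism behind the tips above concrete, here is an added example (not code from this page, from FreeBSD, or from the bash port) in Python. It builds the environment a CGI gateway would hand to a script from a constructed HTTP request, flags any variable whose value looks like an exported function definition, and probes a given shell binary to see whether it imports functions from the environment and runs what follows them. The request headers are constructed for the demo; the shell paths are assumptions (on FreeBSD the port installs bash under /usr/local/bin).

```python
"""Shellshock exposure check: CGI headers to environment, plus a shell probe.

Added example for this digest; not FreeBSD's, the bash port's, or Bryan
Drewery's code. The HTTP request below is constructed for the demonstration.
"""
import re
import subprocess

# Constructed request: the attacker places a bash function definition followed
# by a command in a header that the CGI gateway will copy into the environment.
CONSTRUCTED_HEADERS = {
    "User-Agent": "() { :; }; echo VULNERABLE",
    "Host": "example.invalid",
}

# Pre-patch bash treated any environment variable whose value starts with
# "() {" as a function definition and kept parsing past the closing brace.
FUNCTION_EXPORT_RE = re.compile(r"^\s*\(\)\s*\{")


def cgi_environment(headers):
    """Build the environment a CGI gateway gives the script: each request
    header becomes HTTP_<NAME> (RFC 3875), so every header value is
    attacker-controlled environment data."""
    env = {"PATH": "/usr/bin:/bin", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def suspicious_variables(env):
    """Names of environment variables that look like exported shell
    functions, which a CGI gateway has no legitimate reason to carry."""
    return sorted(k for k, v in env.items() if FUNCTION_EXPORT_RE.match(v))


def probe_shell(shell_path, env=None):
    """Run `shell_path -c 'echo probe'` with a Shellshock-style variable in
    its environment. Returns True if the trailing command was executed, i.e.
    the shell imports functions from the environment and runs what follows
    them; False otherwise; None if the shell binary does not exist."""
    env = dict(env or {"PATH": "/usr/bin:/bin"})
    env["SHELLSHOCK_PROBE"] = "() { :; }; echo VULNERABLE"
    try:
        proc = subprocess.run(
            [shell_path, "-c", "echo probe"],
            env=env, capture_output=True, timeout=10, check=False,
        )
    except FileNotFoundError:
        return None
    return b"VULNERABLE" in proc.stdout + proc.stderr


if __name__ == "__main__":
    env = cgi_environment(CONSTRUCTED_HEADERS)
    print("function-looking variables:", suspicious_variables(env))
    # /bin/sh on FreeBSD is not bash, so it should report False; the second
    # path (assumed) is where the bash port installs, None if not installed.
    for shell in ("/bin/sh", "/usr/local/bin/bash"):
        print(shell, "executes env functions:", probe_shell(shell, env))
```

Running the probe against a fixed bash port (or against any /bin/sh that is not bash) prints False; an unpatched bash prints True because the `echo VULNERABLE` runs at shell startup, before `echo probe`. Rejecting requests whose headers match `FUNCTION_EXPORT_RE` is the kind of perimeter filter that buys time, but Bryan's guidelines (no bash behind CGI or forced commands) remove the exposure rather than pattern-matching it.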

Related links:
https://svnweb.freebsd.org/ports?view=revision&revision=369341

http://blog.pcbsd.org/2014/09/bash-shell-bug/

FreeBSD 10.1 BETA 2 released

The developers of FreeBSD have released the second beta for version 10.1.

The second BETA build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

The image checksums follow at the end of this email.

Installer images and memory stick images are available here:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.1/

If you notice problems you can report them through the Bugzilla PR system or on the -stable mailing list.

If you would like to use SVN to do a source based update of an existing system, use the “stable/10” branch.

A list of changes since 10.0-RELEASE is available on the stable/10 release notes page here:

http://www.freebsd.org/relnotes/10-STABLE/relnotes/article.html

For the full release notes, head on over to the following link: https://lists.freebsd.org/pipermail/freebsd-stable/2014-September/080177.html

GhostBSD 4.0 RC 3 Karine edition now available

The developers of GhostBSD have made available the third release candidate for version 4.0.

Changes and fixes between 4.0-RC2 and 4.0-RC3 include:

  • SpiderOak was not compilable and is missing from the system.
  • GhostBSD Network Manager added on i386

Warning:

Updating software using “pkg upgrade” will corrupt xorg and might corrupt GDM too. The solution is to update the software that you want to update with “pkg install”; you can see the list of updates by running “pkg upgrade -n”. “pkg install” automatically updates software dependencies. Be sure not to upgrade xorg-server, xorg-drivers, or any xf86 packages with “pkg”; use “portupgrade” instead.

A special thanks to those who had reported any issues.

Where to download:

The image checksums, ISO images and USB images are available here:
http://www.ghostbsd.org/download-4.0

Check out the official announcement here: http://ghostbsd.org/4.0-rc3

pfSense 2.2 enters BETA

The developers of pfSense have released the BETA version for 2.2.

The 2.2 release has now reached the beta milestone. This means the release is feature complete (a comprehensive list of new features and changes can be found here) and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready, though. Our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.2 is not yet for you (young padawan).

If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.2 board on the forum. Note that snapshots have the risk of changes being made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of certain changes.

Check out the official announcement here: https://blog.pfsense.org/?p=1449

Download the BETA version here: http://snapshots.pfsense.org/

FreeBSD Patches DoS Vulnerability

FreeBSD has patched a denial-of-service vulnerability that could affect a host of third-party packages built atop the UNIX-like operating system.

The vulnerability, found in the way FreeBSD processes TCP packets, was discovered by a member of Juniper Networks’ incident response team. FreeBSD’s advisory warns that an attacker who can spoof IP traffic can “tear down” a TCP connection with only two packets if they know the IP addresses and TCP port numbers of both ends of the connection; no knowledge of the connection's sequence numbers is needed.

“When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window,” the advisory said.
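The advisory's one sentence is the whole bug: the teardown ran before the sequence-number check, so a spoofed SYN with any sequence number worked. The following added example (not FreeBSD's tcp_input.c, and not from the advisory) models that ordering in Python beside the ordering the advisory implies is correct, using the RFC 793 acceptability test computed modulo 2^32 so it also behaves across sequence-number wraparound. The segment fields, window sizes and the two-step `process` function are simplifications chosen for the illustration.

```python
"""Model of the check order described in FreeBSD's TCP advisory: a SYN on an
established connection tore the connection down before the segment's
sequence number was tested against the receive window.

Added example for this digest; not FreeBSD's tcp_input.c. Segment fields,
state handling and the 'window check first' ordering are simplified to what
the advisory text states.
"""
from dataclasses import dataclass

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    seq: int
    syn: bool = False
    payload_len: int = 0


@dataclass
class Connection:
    rcv_nxt: int            # next sequence number expected from the peer
    rcv_wnd: int            # receive window advertised to the peer
    state: str = "ESTABLISHED"

    def in_window(self, seg):
        """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND,
        or the segment's last sequence number lands in the window. Computed
        modulo 2^32 so it stays correct across wraparound. A SYN occupies
        one sequence number."""
        seg_len = seg.payload_len + (1 if seg.syn else 0)
        first = (seg.seq - self.rcv_nxt) % MOD32
        last = (seg.seq + max(seg_len, 1) - 1 - self.rcv_nxt) % MOD32
        return first < self.rcv_wnd or last < self.rcv_wnd


def process(conn, seg, window_check_first):
    """Return the stack's action for seg on conn.

    window_check_first=False reproduces the ordering the advisory describes:
    a SYN on an ESTABLISHED connection is acted on before the window check,
    so a spoofed SYN with any sequence number tears the connection down.
    window_check_first=True applies the acceptability test first, so a blind
    (out-of-window) SYN is discarded like any other stray segment."""
    if window_check_first and not conn.in_window(seg):
        return "drop"                 # state untouched
    if seg.syn and conn.state == "ESTABLISHED":
        conn.state = "CLOSED"         # connection torn down
        return "reset"
    if not conn.in_window(seg):
        return "drop"
    return "accept"


def blind_syn_outcome(window_check_first, rcv_nxt=1_000_000,
                      rcv_wnd=65535, guess=0):
    """Constructed scenario: the attacker knows both addresses and ports and
    spoofs a SYN, guessing sequence number `guess` (default: no idea, 0)."""
    conn = Connection(rcv_nxt=rcv_nxt, rcv_wnd=rcv_wnd)
    action = process(conn, Segment(seq=guess, syn=True), window_check_first)
    return action, conn.state


if __name__ == "__main__":
    print("teardown before window check:", blind_syn_outcome(False))
    print("window check first:          ", blind_syn_outcome(True))
```

With the window check applied first, a SYN whose sequence number does land in the window still resets the connection, so the fix does not make in-window injection impossible; it only removes the shortcut that let an off-path attacker skip guessing the sequence number altogether.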

See more at: http://threatpost.com/freebsd-patches-dos-vulnerability