Bash Vulnerability in FreeBSD

As has been widely reported, a major vulnerability in bash has been discovered. This vulnerability, which is being referred to as “Shellshock”, is considerably less severe in FreeBSD than most other Unix-like systems because bash is not in the base system, and FreeBSD does not link /bin/sh to bash by default. However, anyone running a system that uses bash, or especially one that might allow external input into bash environments, should be aware of this issue and patch any potentially vulnerable systems as soon as possible.

Bryan Drewery (bdrewery [at] freebsd.org) has patched the FreeBSD bash port to disable function importing from the environment unless an option is set at build time. Packages should be available soon.

Bryan also gave the following tips for reducing exposure to this vulnerability:

The port is fixed with all known public exploits. The package is
building currently.

However, bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor “apache”. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
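A small audit script for two of the points above: guideline 1 (/bin/sh must not be bash) and the environment function import that the patched FreeBSD port disables. It is an added example, not code from FreeBSD, the bash port or Bryan's post; the function names and the `shockcheck` variable are this example's own.

```shell
#!/bin/sh
# Shellshock exposure checks (added example; not code from FreeBSD or the bash port).
# Covers two points from the article: /bin/sh must not be bash, and bash must not
# import shell functions from the environment. All names here are this example's own.

# Print "bash" if the given shell is bash, "other" if it is some other shell,
# "unknown" if it cannot be executed. Default: /bin/sh.
sh_identity() {
    shell="${1:-/bin/sh}"
    command -v "$shell" >/dev/null 2>&1 || { echo unknown; return 0; }
    # Only bash sets BASH_VERSION, even when it is invoked as "sh".
    if [ -n "$("$shell" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]; then
        echo bash
    else
        echo other
    fi
}

# Print "imports" if the given shell turns an environment variable holding a
# "() { ...; }" definition into a function, "ignores" if it does not, "unknown"
# if the shell cannot be executed. A bash built from the patched FreeBSD port,
# or any bash that only accepts BASH_FUNC_name%% imports, reports "ignores".
function_import_status() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo unknown; return 0; }
    # The value is a bare function definition with no trailing code, so nothing
    # runs; we only ask the child shell whether 'shockcheck' became a function.
    out="$(env shockcheck='() { echo imported; }' "$shell" -c 'type shockcheck' 2>/dev/null)" || out=""
    case "$out" in
        *function*) echo imports ;;
        *) echo ignores ;;
    esac
}

# Report for this host; "bash" and "imports" are the findings to act on.
printf '/bin/sh is:                 %s\n' "$(sh_identity /bin/sh)"
printf 'bash imports env functions: %s\n' "$(function_import_status bash)"
```

On a FreeBSD host with the patched port, the expected report is "other" for /bin/sh and "ignores" for bash; "unknown" for bash simply means the port is not installed.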

Related links:
https://svnweb.freebsd.org/ports?view=revision&revision=369341

http://blog.pcbsd.org/2014/09/bash-shell-bug/

GhostBSD 4.0 RC 3 Karine edition now available

The developers of GhostBSD have made available the third release candidate for version 4.0.

Changes and fixes between 4.0-RC2 and 4.0-RC3 include:

  • SpiderOak was not compilable and is missing from the system.
  • GhostBSD Network Manager added on i386

Warning:

Updating software with “pkg upgrade” will corrupt xorg and might corrupt GDM too. Instead, update only the software you want with “pkg install”; you can see the list of available updates with “pkg upgrade -n”, and “pkg install” updates dependencies automatically. Be sure not to upgrade xorg-server, xorg-drivers, or any xf86 package with “pkg”; use “portupgrade” for those.

A special thanks to those who reported issues.

Where to download:

The image checksums, ISO images and USB images are available here:
http://www.ghostbsd.org/download-4.0

Check out the official announcement here: http://ghostbsd.org/4.0-rc3

pfSense 2.2 enters BETA

The developers of pfSense have released the BETA version for 2.2.

The 2.2 release has now reached the beta milestone. This means the release is feature complete (a comprehensive list of new features and changes can be found here) and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready, though; our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.2 is not yet for you (young padawan).

If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.2 board on the forum. Note that snapshots have the risk of changes being made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of certain changes.

Check out the official announcement here: https://blog.pfsense.org/?p=1449

Download the BETA version here: http://snapshots.pfsense.org/

PC-BSD 10.0.3 update released

The PC-BSD team is pleased to announce the availability of the next PC-BSD quarterly package update, version 10.0.3!

This update includes a number of important bug fixes, as well as newer packages and desktops, such as Chromium 37.0.2062.94, Cinnamon 2.2.14, Lumina 0.6.2 and more. This release also includes a CD-sized ISO of TrueOS, for users who want to install a server without X. For more details and updating instructions, refer to the notes below.

We are already hard at work on the next major release of PC-BSD, 10.1 later this fall, which will include FreeBSD 10.1-RELEASE under the hood. Users interested in following along with development should sign up for our Testing mailing list.

Check out the official announcement with the list of changes here: http://blog.pcbsd.org/2014/09/pc-bsd-10-0-3-quarterly-package-update-released/

New Lumina source repo and FreeBSD port (PC-BSD)

By popular demand, the source tree for the Lumina project has just been moved to its own repository within the main PC-BSD project tree on GitHub.

In addition to this, an official FreeBSD port for Lumina was just committed to the FreeBSD ports tree which uses the new repo.

By the way, here is a quick usage summary for those that are interested in how “light” Lumina 0.6.2 is on PC-BSD 10.0.3:

System: Netbook with a single 1.6GHz atom processor and 2GB of memory (Fresh installation of PC-BSD 10.0.3 with Lumina 0.6.2)

Usage: ~0.20.4% CPU and ~120MB active memory use (no apps running except an xterm with “top” after a couple minutes for the PC-BSD tray applications to start up and settle down)

Check out the official announcement here: http://blog.pcbsd.org/2014/09/new-lumina-source-repo-and-freebsd-port/

GhostBSD 4.0 RC 1 now available

The developers of GhostBSD have made available the first release candidate for version 4.0.

Changes and fixes between 4.0-BETA3 and 4.0-RC1 include:

  • Xconfig from 3.5 was added back to the system
  • A script was added to do configuration on the first boot of a new installation
  • Fixed software dependencies

A special thanks to those who reported issues.

Where to download:

The image checksums, ISO images and USB images are available here:
http://www.ghostbsd.org/download-4.0

Check out the official post here: http://www.ghostbsd.org/4.0-rc1