Bash Vulnerability in FreeBSD

As has been widely reported, a major vulnerability in bash has been discovered. This vulnerability, which is being referred to as “Shellshock”, is considerably less severe on FreeBSD than on most other Unix-like systems because bash is not in the base system and FreeBSD does not link /bin/sh to bash by default. However, anyone running a system that uses bash, and especially one that lets untrusted input reach bash’s environment (CGI scripts and forced SSH commands being the usual paths), should be aware of this issue and patch any potentially vulnerable systems as soon as possible.

Bryan Drewery (bdrewery [at] freebsd.org) has patched the FreeBSD bash port to disable function importing from the environment unless an option is set at build time. Packages should be available soon.

Bryan also gave the following tips for reducing exposure to this vulnerability:

The port is fixed with all known public exploits. The package is building currently.

However, bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have a shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor “apache”. Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.
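The following audit script is an added example written for this page; it is not from the post, from Bryan Drewery or from the FreeBSD bash port. It turns the tips above into three checks: whether a given bash still imports functions from the environment (the original public Shellshock probe, CVE-2014-6271), whether /bin/sh is actually bash (tip 1), and which web/CGI accounts still have a real login shell (tip 2). Function names, the SERVICE_USER_PREFIXES tuple and the sample passwd lines are assumptions made here; the probe only tests the original environment-function variant, so a bash with other parser bugs could still report "not-vulnerable".

```python
"""Added example (not FreeBSD or port code): audit a host for the Shellshock
exposures described in the tips above. Requires Python 3.7+."""
import os
import shutil
import subprocess

PROBE_MARKER = "PROBE_RAN"

# Assumed account-name prefixes for web/CGI service users (tip 2).
SERVICE_USER_PREFIXES = ("www", "_www", "apache", "httpd", "nginx", "cgi")


def shellshock_probe(shell="bash"):
    """Return 'absent', 'vulnerable' or 'not-vulnerable' for the named shell.

    An unpatched bash treats any environment variable whose value starts with
    '() {' as a function definition and runs whatever follows the closing
    brace while importing it. We export such a variable with a trailing echo
    and look for its marker in stdout; a patched bash (or a non-bash shell)
    never executes the trailer, so nothing is printed."""
    path = shutil.which(shell)
    if path is None:
        return "absent"
    env = dict(os.environ, SS_PROBE="() { :;}; echo " + PROBE_MARKER)
    result = subprocess.run([path, "-c", "true"], env=env,
                            capture_output=True, text=True)
    return "vulnerable" if PROBE_MARKER in result.stdout else "not-vulnerable"


def is_bash(shell="/bin/sh"):
    """True when the interpreter at `shell` is bash (tip 1: /bin/sh must not
    be bash). Only bash sets BASH_VERSION, so asking the shell to print it
    distinguishes bash from FreeBSD's ash-derived /bin/sh. A minimal
    environment is passed so an exported BASH_VERSION cannot fool the check."""
    try:
        result = subprocess.run(
            [shell, "-c", 'printf %s "${BASH_VERSION:-}"'],
            env={"PATH": os.environ.get("PATH", os.defpath)},
            capture_output=True, text=True)
    except OSError:  # not found or not executable
        return False
    return result.stdout != ""


def flag_service_shells(passwd_text):
    """Tip 2: web/CGI accounts should have nologin. Parse passwd(5)-format
    lines and return (user, shell, shell_is_bash) for every service account
    that still has a real login shell."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, shell = fields[0], fields[6]
        if not user.startswith(SERVICE_USER_PREFIXES):
            continue
        base = os.path.basename(shell)
        if base in ("nologin", "false"):
            continue
        findings.append((user, shell, base == "bash"))
    return findings


# Constructed sample in /etc/passwd format (not taken from any real host).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
apache:*:1001:1001:Apache CGI host:/var/www:/usr/local/bin/bash
cgiapp:*:1002:1002:Sandboxed CGI app:/home/cgiapp:/bin/sh
"""

if __name__ == "__main__":
    print("bash imports env functions:", shellshock_probe("bash"))
    print("/bin/sh is bash:", is_bash("/bin/sh"))
    for user, shell, bash in flag_service_shells(SAMPLE_PASSWD):
        print(f"{user}: login shell {shell}" + (" (bash!)" if bash else ""))
```

Run it as a script on the host being audited; with the patched port installed, the first line should read "not-vulnerable" even though the probe variable is still exported, because the port build no longer imports functions from the environment at all. In the sample data only `apache` and `cgiapp` are flagged, and only `apache` for using bash.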

Related links:
https://svnweb.freebsd.org/ports?view=revision&revision=369341

http://blog.pcbsd.org/2014/09/bash-shell-bug/

FreeBSD 10.1 BETA 2 released

The developers of FreeBSD have released the second beta for version 10.1.

The second BETA build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

The image checksums are included at the end of the original announcement email.

Installer images and memory stick images are available here:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.1/

If you notice problems you can report them through the Bugzilla PR system or on the -stable mailing list.

If you would like to use SVN to do a source-based update of an existing system, use the “stable/10” branch.

A list of changes since 10.0-RELEASE is available on the stable/10 release notes page here:

http://www.freebsd.org/relnotes/10-STABLE/relnotes/article.html

For the full announcement, head over to the following link: https://lists.freebsd.org/pipermail/freebsd-stable/2014-September/080177.html

FreeBSD Patches DoS Vulnerability

FreeBSD has patched a denial-of-service vulnerability that could affect a host of third-party packages built atop the UNIX-like operating system.

The vulnerability, found in the way FreeBSD processes TCP packets, was discovered by a member of Juniper Networks’ incident response team. FreeBSD’s advisory warns that an attacker able to spoof IP traffic can “tear down” a TCP connection with only two packets, given knowledge of the target network and both TCP port numbers; because the sequence check quoted below is bypassed, the attacker does not need to know the connection’s sequence numbers.

“When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window,” the advisory said.

See more at: http://threatpost.com/freebsd-patches-dos-vulnerability
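To make the quoted sentence concrete, here is an added model of the check the advisory says was bypassed. This is example code written for this page, not FreeBSD kernel code, and the function and field names are assumptions. It implements the RFC 793 acceptability test (RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32) and runs a SYN-on-ESTABLISHED segment through it with the check skipped, as in the vulnerable stack, and with the check performed first. An in-window SYN still tears the connection down in both cases, which is the RFC 793 behaviour the advisory implies; what the check changes is that a blind attacker now has to land inside a 64 KiB window out of 2^32 sequence values instead of succeeding with any value.

```python
# Added example (not FreeBSD code): model of the sequence-window check for a
# SYN arriving on an ESTABLISHED connection, with and without the bypass the
# advisory describes.
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment's first byte:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32.
    With a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def new_connection(rcv_nxt=1000, rcv_wnd=65535):
    """Assumed minimal connection state: just what the check needs."""
    return {"state": "ESTABLISHED", "rcv_nxt": rcv_nxt, "rcv_wnd": rcv_wnd}


def handle_syn_on_established(conn, seg_seq, window_check):
    """Process a SYN that arrives on an ESTABLISHED connection.

    window_check=False models the vulnerable path: the connection is torn
    down regardless of the segment's sequence number. window_check=True
    performs the acceptability test first, so an out-of-window SYN is simply
    discarded and the connection survives. Returns the action taken."""
    if window_check and not seq_in_window(seg_seq, conn["rcv_nxt"], conn["rcv_wnd"]):
        return "drop-segment"
    conn["state"] = "CLOSED"  # in-window SYN on a synchronized connection: reset
    return "drop-connection"


def expected_blind_segments(rcv_wnd, window_check):
    """Average number of spoofed SYNs an attacker who knows addresses and
    ports but not sequence numbers must send before one is accepted."""
    if not window_check:
        return 1.0
    return MOD / rcv_wnd


if __name__ == "__main__":
    import random
    blind_seq = random.randrange(MOD)  # attacker does not know rcv_nxt
    for check in (False, True):
        conn = new_connection()
        action = handle_syn_on_established(conn, blind_seq, window_check=check)
        print(f"window_check={check}: blind SYN -> {action}, "
              f"state={conn['state']}, expected segments to succeed: "
              f"{expected_blind_segments(conn['rcv_wnd'], check):.0f}")
```

Later stacks went one step further than this model: RFC 5961 answers an in-window SYN on a synchronized connection with a challenge ACK rather than a reset, so even a correctly guessed sequence number does not tear the connection down. The advisory's fix is the narrower one shown here, restoring the window check in front of the tear-down.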

FreeBSD 10.1-BETA1 now available

The first BETA build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

The image checksums are included in the original announcement email.

Installer images and memory stick images are linked from the announcement.

The full announcement, with instructions on how to update, is here: http://freebsdfoundation.blogspot.com/2014/09/freebsd-101-beta1-now-available.html