Chris Buechler has announced the availability of pfSense 1.2.2, a security and bug-fix release of the FreeBSD-based firewall system:
pfSense 1.2.2 released! Only five changes from 1.2.1, but we did want to get these issues fixed and an updated version out there:
- setup wizard fix – removing BigPond from the WAN page on the setup wizard caused problems;
- SVG graphs fixed in Google Chrome;
- IPsec reload fix specific to large (100+ sites) deployments;
- bridge creation code changes – there have always been issues when attempting to bridge more than two interfaces;
- FreeBSD updates for two security advisories on January 7, 2009.
Most users on 1.2.1 won’t have any need to upgrade to 1.2.2, but if any of the above applies to you, then upgrade to this version. 1.2.2 should be used for all new installs.
The third issue of the BSD Magazine (January 2009) is out now.
More than 60 pages full of news, great articles, tutorials, how-to’s and extras. This is the table of contents:
6 BSD news
8 DVD contents description
10 NetBSD install (Patrick Pippen)
16 MirOS BSD: the peaceful operating system (Benny Siegert, Thorsten Glaser)
22 BSD Live CD’s – an entry level acquaintance? (Jan Stedehouder)
28 How it works? Opensolaris, FreeBSD, OpenSuSe (David Gurvich)
32 Multi-User Conferencing (Eric Schnoebelen, Michelle Cranmer)
38 GDB and you – part 1 (Carlos Neira)
42 Installing Prelude IDS (Henrik Lund Kramshoj)
46 If it moves! crypt it – hard drive encryption on BSD (Marko Melenovic)
50 Packaging Software for OpenBSD – part 1 (Edd Barrett)
54 Play Music on your Slug with NetBSD (Donald T. Hayford)
62 Interview with Simon Burge, Antti Kantee, and Greg Oster (Federico Biancuzzi)
65 Dru Lavigne's The Best of FreeBSD Basics (Peter N.M. Hansteen)
For info and subscriptions visit bsdmag.org
Deb Goodkin, on behalf of the FreeBSD Foundation, has thanked the community for last year's donations:
Dear FreeBSD Community,
The FreeBSD Foundation would like to thank everyone for your donations in 2008. We are extremely grateful to everyone who dug deep in their pockets, during these hard times, to help us get very close to our goal.
We raised $282,481 towards our goal of $300,000. With the downturn in the economy, we were very concerned about getting close to our goal. By the end of November, we had only raised $190,000. We sent out a plea for donations and we received 173 donations in December!
This year we had 450 donors, compared to 374 last year. We were impressed with all the donations received from developers and other volunteers who already put in countless hours supporting the project.
We will be posting our 2009 budget soon, so you can see how we plan to spend the funds.
The FreeBSD Foundation
Source: FreeBSD Advocacy mailinglist
The latest FreeBSD release adds a new Sun-developed feature, but the technology transfer isn't just one way:
FreeBSD 7.1 includes numerous improvements over its predecessor FreeBSD 7.0, including the Sun Microsystems-developed DTrace technology as well as new boot options and scalability improvements.
The FreeBSD 7.1 release comes as FreeBSD developers push toward a FreeBSD version 8.0 later this year. The FreeBSD 7.1 release also demonstrates how the open source ecosystem can extend across company lines as well as different operating systems. FreeBSD is one of the earliest open source operating system projects and is a direct descendant of the original open source BSD work performed at the University of California, Berkeley.
DTrace is a mature and compelling technology for performance monitoring developed originally by Sun, released as open source as part of OpenSolaris,
FreeBSD core team member Robert Watson told InternetNews.com.
While we have had many tools for specific sorts of analysis in the past, DTrace is an excellent general-purpose framework for managing and presenting trace data, and also allowing us to more easily add new types of tracing.
Watson added that integrating DTrace into FreeBSD would not have been possible without Sun’s contribution of DTrace to the open source world. John Birrell, who did the port, has been in close contact with Sun during his work.
Bryan Cantrill, senior staff engineer at Sun Microsystems, told InternetNews.com that, in addition to Birrell, several FreeBSD folks attended Sun's DTrace unconference last year.
DTrace isn’t the only Sun-developed technology found in FreeBSD. The FreeBSD 7.0 release introduced experimental support for Sun’s ZFS filesystem. Plus, the technology transfer goes more than one way between Sun and FreeBSD.
We (the FreeBSD Project) have made a lot of noise about adopting some key OpenSolaris technologies. I’m not sure that the movement of code in the other direction has been as well-publicized, FreeBSD’s Watson said.
Watson argued that OpenSolaris has benefited from adopting the FreeBSD wireless networking framework in its kernel, and that the CIFS file system support in OpenSolaris also comes from FreeBSD.
Sun denied that the CIFS stack came from FreeBSD. A Sun spokesperson noted that it comes from a company that Sun acquired years ago named Procom. The spokesperson agreed that many of OpenSolaris’s WiFi drivers and kernel WiFi infrastructure (common/io/net80211/) derive from FreeBSD.
Source & full article: internetnews.com (06-01-2008)
The FreeBSD Security Team has issued two security advisories:
- FreeBSD-SA-09:02.openssl - OpenSSL incorrectly checks for malformed signatures
- FreeBSD-SA-09:01.lukemftpd - Cross-site request forgery in lukemftpd(8)
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
II. Problem Description
The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. It returns 1 when the signature verifies, 0 when it does not, and -1 when an error occurs before the comparison can be made (for example, when the signature cannot be decoded). The SSL layer in OpenSSL calls EVP_VerifyFinal() in several places but checks only for a nonzero return value, so an error result is treated as a good signature. This is only a problem for DSA and ECDSA keys.
For applications using OpenSSL for SSL connections, an invalid SSL certificate may be interpreted as valid. This could for example be used by an attacker to perform a man-in-the-middle attack.
Other applications which use the OpenSSL EVP API and check the return value the same way may similarly be affected.
For a workaround, solution and patch etc go here
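The check at the heart of this advisory, shown as an added example rather than code from OpenSSL or FreeBSD: EVP_VerifyFinal() reports 1, 0 or -1, and a caller that tests for "nonzero" accepts the error case. The model_verify_final() function and the toy signature format below are constructed stand-ins for the real API; they reproduce only the return contract, not the cryptography.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from OpenSSL or FreeBSD. It models only the
 * return contract of EVP_VerifyFinal(): 1 = the signature verifies,
 * 0 = the signature does not verify, -1 = an error occurred before any
 * comparison could happen (e.g. the DSA/ECDSA signature blob could not be
 * decoded). The toy signature format is constructed for the example:
 * byte 0 declares a length, and the following bytes must equal a fixed
 * expected value. No real cryptography is performed.
 */

#define TOY_LEN 4
static const unsigned char expected[TOY_LEN] = {0xde, 0xad, 0xbe, 0xef};

/* Constructed inputs. */
static const unsigned char sig_good[]      = {TOY_LEN, 0xde, 0xad, 0xbe, 0xef};
static const unsigned char sig_wrong[]     = {TOY_LEN, 0x00, 0x00, 0x00, 0x00};
static const unsigned char sig_malformed[] = {0x40};   /* claims 64 bytes, carries none */

/* Same return contract as EVP_VerifyFinal(): 1 / 0 / -1. */
int model_verify_final(const unsigned char *sig, size_t siglen)
{
    /* "Decode" step: a structurally bad signature is an error, not a mismatch. */
    if (siglen != 1 + TOY_LEN || sig[0] != TOY_LEN)
        return -1;
    return memcmp(sig + 1, expected, TOY_LEN) == 0 ? 1 : 0;
}

/* Pre-fix caller pattern: any nonzero result was taken as success. */
int vulnerable_accepts(const unsigned char *sig, size_t siglen)
{
    int ret = model_verify_final(sig, siglen);
    if (ret)        /* BUG: -1 is nonzero, so an undecodable signature passes */
        return 1;
    return 0;
}

/* Fixed caller pattern: only the value 1 means "verified". */
int fixed_accepts(const unsigned char *sig, size_t siglen)
{
    return model_verify_final(sig, siglen) == 1;
}

int main(void)
{
    printf("good      : vulnerable=%d fixed=%d\n",
           vulnerable_accepts(sig_good, sizeof sig_good),
           fixed_accepts(sig_good, sizeof sig_good));
    printf("wrong     : vulnerable=%d fixed=%d\n",
           vulnerable_accepts(sig_wrong, sizeof sig_wrong),
           fixed_accepts(sig_wrong, sizeof sig_wrong));
    printf("malformed : vulnerable=%d fixed=%d\n",
           vulnerable_accepts(sig_malformed, sizeof sig_malformed),
           fixed_accepts(sig_malformed, sizeof sig_malformed));
    return 0;
}
```

The malformed input is the interesting case: the vulnerable wrapper accepts it while rejecting the merely wrong signature, which is exactly why an attacker supplies a signature that fails to decode rather than one that fails to verify. When auditing callers of any tri-state verify API, grep for `if (EVP_VerifyFinal(` and `!= 0` patterns and insist on `== 1`.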
lukemftpd(8) is a general-purpose implementation of a File Transfer Protocol (FTP) server that is shipped with the FreeBSD base system. It is not enabled in default installations but can be enabled as either an inetd(8) server or a stand-alone server.
A cross-site request forgery attack is a type of malicious exploit aimed mainly at web browsers: a user trusted by a site is tricked into visiting a specially crafted URL, which causes the browser to issue a request that performs a privileged operation on the victim site on behalf of that trusted user.
II. Problem Description
The lukemftpd(8) server splits long commands into several requests. As a result, the server may execute a command that is hidden inside another, very long command.
With a specifically crafted command, this could be used in a cross-site request forgery attack.
FreeBSD systems running the lukemftpd(8) server could act as a point of privilege escalation in an attack against users who access trusted FTP sites with a web browser.
For a workaround, solution and patch etc go here
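The line-splitting behaviour the advisory describes, as an added model rather than lukemftpd's own code: parse_vulnerable() dispatches whatever is in the command buffer the moment it fills, so the tail of an overlong line is parsed as a fresh command; parse_fixed() instead discards the remainder of the line up to the newline and rejects the whole line. The buffer size, the verb extraction and the attack_stream input are constructed for the example; in the real attack the overlong line would arrive as the path of an ftp:// URL a browser was tricked into fetching, whereas the model just consumes a raw byte stream.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example; a model of the overlong-command handling described in
 * FreeBSD-SA-09:01, not lukemftpd's own code. The buffer size, the verb
 * extraction and the input stream are all constructed for the example.
 */
#define CMDBUF  16     /* deliberately tiny command buffer */
#define MAXCMDS 8
#define VERBLEN 8

/* Constructed client stream: one command line longer than CMDBUF, with a
 * second command placed exactly where the buffer boundary falls, followed
 * by an ordinary command. */
static const char attack_stream[] = "CWD /AAAAAAAAAADELE secret\r\nPWD\r\n";

/* Copy the command verb (text up to the first space, CR or LF) into verb. */
static void verb_of(const char *line, char verb[VERBLEN])
{
    size_t n = strcspn(line, " \r\n");
    if (n >= VERBLEN) n = VERBLEN - 1;
    memcpy(verb, line, n);
    verb[n] = '\0';
}

/* Vulnerable model: when the buffer fills before a newline, the partial line
 * is dispatched as a command and reading continues with the next byte, so the
 * tail of the overlong line is dispatched as a second command. Returns the
 * number of commands dispatched; their verbs are written to verbs[]. */
int parse_vulnerable(const char *stream, char verbs[MAXCMDS][VERBLEN])
{
    char buf[CMDBUF];
    size_t len = 0;
    int ncmd = 0;

    for (const char *p = stream; *p != '\0' && ncmd < MAXCMDS; p++) {
        if (*p == '\n' || len == CMDBUF - 1) {
            buf[len] = '\0';
            if (len > 0)
                verb_of(buf, verbs[ncmd++]);
            len = 0;
            if (*p != '\n')
                buf[len++] = *p;   /* the byte that did not fit starts the "next" command */
        } else {
            buf[len++] = *p;
        }
    }
    return ncmd;
}

/* Fixed model: an overlong line is never dispatched. The rest of the line is
 * discarded up to the newline and the line is rejected, recorded here as the
 * pseudo-verb "REJECT" standing in for an error reply to the client. */
int parse_fixed(const char *stream, char verbs[MAXCMDS][VERBLEN])
{
    char buf[CMDBUF];
    size_t len = 0;
    int ncmd = 0, too_long = 0;

    for (const char *p = stream; *p != '\0' && ncmd < MAXCMDS; p++) {
        if (*p == '\n') {
            buf[len] = '\0';
            if (too_long)
                strcpy(verbs[ncmd++], "REJECT");
            else if (len > 0)
                verb_of(buf, verbs[ncmd++]);
            len = 0;
            too_long = 0;
        } else if (len < CMDBUF - 1) {
            buf[len++] = *p;
        } else {
            too_long = 1;          /* drop the remainder of this line */
        }
    }
    return ncmd;
}

/* 1 if the given parser dispatches a DELE from attack_stream, else 0. */
static int dispatches_dele(int (*parser)(const char *, char [MAXCMDS][VERBLEN]))
{
    char verbs[MAXCMDS][VERBLEN];
    int n = parser(attack_stream, verbs);
    for (int i = 0; i < n; i++)
        if (strcmp(verbs[i], "DELE") == 0)
            return 1;
    return 0;
}

int hidden_dele_runs_vulnerable(void) { return dispatches_dele(parse_vulnerable); }
int hidden_dele_runs_fixed(void)      { return dispatches_dele(parse_fixed); }
int ncmds_vulnerable(void) { char v[MAXCMDS][VERBLEN]; return parse_vulnerable(attack_stream, v); }
int ncmds_fixed(void)      { char v[MAXCMDS][VERBLEN]; return parse_fixed(attack_stream, v); }

int main(void)
{
    printf("vulnerable parser executes hidden DELE: %d (%d commands)\n",
           hidden_dele_runs_vulnerable(), ncmds_vulnerable());
    printf("fixed parser executes hidden DELE:      %d (%d commands)\n",
           hidden_dele_runs_fixed(), ncmds_fixed());
    return 0;
}
```

The vulnerable parser turns the single attacker-controlled line into CWD, DELE and PWD; the fixed one yields REJECT and PWD. The general lesson for any line-oriented protocol server is that a buffer-full condition must be treated as a parse error for the whole line, never as a line terminator.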
For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://security.FreeBSD.org
Most of you will have heard by now about the BSD Conferences channel on YouTube. At the moment there are 23 videos, but they’re missing subtitles. Murray Stokely writes:
I’d really like to add subtitles to the YouTube metadata as this has been requested by several users. Once we have subtitles they will be automatically machine translated so that users can choose captions in
the language they are most comfortable with.
If you have experience with undertitling or if you’re interested, have a look at this post.
Dru Lavigne writes on her blog about the Winter version of the BSDA study DVD:
The newest version of the BSDA Study DVD is finally ready and available for sale from the BSDA Certification website.
Due to the holidays, we won’t start shipping til next Friday, January 9th. Those of you who have already ordered a DVD or are owed a DVD will have yours shipped next Friday. As always, the information available on the DVD is freely available on the Internet–the DVD is a thank you for those who are able to support the BSD Certification effort with a donation of $40 USD. The contents of the DVD include: