Thursday, December 3, 2009

FreeBSD Security Advisory

FreeBSD-SA-09:16.rtld
FreeBSD-SA-09:17.freebsd-update
FreeBSD-SA-09:15.ssl

m0n0wall 1.3 final released

Manuel Kasper has announced that m0n0wall 1.3 is "now good enough for production" after three years in beta. m0n0wall 1.3 is now based on a "bare-bones version" of FreeBSD 6.4 and incorporates a web server and PHP to provide web access to the firewall functionality, keeping its entire system configuration in a single XML text file for transparency. m0n0wall 1.3 includes support for IPv6, IPsec traffic support in the firewall, IPsec NAT-T, DPD and dynamic tunnels and "countless bug fixes and other improvements".


Tuesday, December 1, 2009

FreeBSD Security Advisory

A short time ago a "local root" exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues -- in short, use at your own risk (even more than usual).



Sunday, November 29, 2009

Welcome to FreeBSD 8!

In this article I will write about the latest release from FreeBSD, 8.0. This is a major version that offers new functionality and much improved parts of the code.


Thursday, November 26, 2009

FreeBSD 8.0-RELEASE Available

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8.0-RELEASE. This release starts off the new 8-STABLE branch which improves on the functionality of FreeBSD 7.X and introduces many new features. Some of the highlights:

- Xen Dom-U, VirtualBox guest and host, hierarchical jails
- NFSv3 GSSAPI support, experimental NFSv4 client and server
- 802.11s D3.03 wireless mesh networking and Virtual Access Point support
- ZFS no longer in experimental status
- ground-up rewrite of USB, including USB target support
- continued SMP scalability improvements in many areas, especially VFS
- revised network link layer subsystem
- experimental MIPS architecture support



Friday, November 20, 2009

Securing Network Services with FreeBSD Jails

In this article by Christer Edwards, we will explore FreeBSD Jails. FreeBSD Jails are a kernel-level security mechanism that allows you to safely segregate processes within a sandbox environment. Jails are commonly used to secure production network services like DNS or Email by restricting what a process can access. In the case of a malicious attack on one service, all other Jailed processes would remain secure. FreeBSD Jails securely limit, in an administratively simple way, the amount of damage an attacker can do to a server.


Tuesday, November 17, 2009

Creating A Jail With VNC Server On FreeBSD

This article explains how you can run a VNC server from within a jail on FreeBSD.


FreeNAS 0.7 adds ZFS support

The FreeNAS developers have announced the availability of version 0.7 of FreeNAS (code named Khasadar), a FreeBSD-based Network-attached storage (NAS) UNIX-like server operating system. FreeNAS includes a full Web configuration graphical user interface (GUI) and supports the FTP, NFS, CIFS (Samba), AFP, rsync and iSCSI protocols and software RAID (0,1,5).


Sunday, November 15, 2009

FreeBSD 8.0-RC3 Available

The third and hopefully last of the Release Candidates for the FreeBSD 8.0 release cycle is now available. Unless something catastrophic comes up within the next couple of days we will begin the final builds for 8.0-RELEASE.

There is one known issue with the igb(4) driver we are still deciding whether or not to fix as part of 8.0-RELEASE versus doing an Errata Notice for it some time after the release is out. It has been patched in head, and the SVN commit for it is r199192. If any of you are able to give that patch a try on a machine with the igb(4) NIC it would be appreciated.


Saturday, November 14, 2009

FreeBSD: How to use Meta Ports to install group of ports

Often, after a fresh installation of FreeBSD, we have a set of programs we want to install. The conventional method would be installing them one by one in /usr/ports. Today, we will use meta ports to install the set of applications with just one “make install clean” rather than “cd” into individual directories and do “make install clean” for every port.

Meta ports are, as the name implies, port files that describe the program we are installing. The port file describes where and what to install for the port to work. A sample of “where” would be “where to download the source”, “where to install it” and so on. As for “what”, it would be “what to install to fulfill the dependencies”. In this post, we will take advantage of this “what”. We will define the dependencies as the list of programs we want to install so that the port will install them.


Saturday, November 7, 2009

pfSense book now available for purchase!


Authored by pfSense co-founder Chris Buechler and pfSense developer Jim Pingle, The Definitive Guide to pfSense covers installation and basic configuration through advanced networking and firewalling of the popular open source firewall and router distribution.
This book is designed to be a friendly step-by-step guide to common networking and security tasks, plus a thorough reference of pfSense’s capabilities.


Sunday, November 1, 2009

Portmaster funding proposal

Doug Barton wrote in the @announce mailing list,

I have launched an initiative to give the community the opportunity to fund further development work on portmaster. As much as I love doing this work I need to be able to support myself and my family and the kinds of features that users have requested (such as package support) will take a lot of time to implement correctly.

The URL is here: http://dougbarton.us/portmaster-proposal.html

Several users have been kind enough to send donations and I have updated the web page to indicate the work that has been completed, and that which is in progress.

If you have any interest in funding this project take a look at that web page. Of course additional ideas for features are also welcome.


FreeBSD 8.0 RC2 available.

The second of the Release Candidates for the FreeBSD 8.0 release cycle is now available. At this point we feel most of what has been discovered during public testing that is feasible to fix as part of the release process has been addressed. So the current plan is to have 8.0-RC3 in about two weeks.

Details about the current target schedule along with much more detail about the current status of the release is available here:

http://wiki.freebsd.org/8.0TODO

If you notice problems you can report them through the normal Gnats PR system or on the freebsd-current mailing list. I do cross-post announcements to freebsd-stable because this particular release is "about to become a stable branch" but when it comes to watching for issues related to the release most of the developers pay more attention to the freebsd-current list.

ISO images for all supported architectures are available on the FTP sites, and a "memory stick" image is available for amd64/i386 architectures. For amd64/i386 architectures the cdrom and memstick images include the documentation packages but no other packages. The DVD image includes the packages that will probably be available on the official release media but is subject to change between now and release. For sparc64 there is now a livefs cdrom, disc1 includes the documentation packages, and the DVD image has the set of packages that currently build for sparc64 (which is a sub-set of the set provided for amd64/i386).


Sunday, October 25, 2009

The night of 1000 jails

As FreeBSD 8.0 is right around the corner it's the right time to get it some more exposure. Just for kicks I got the idea to stress the Jails subsystem - the cheap (both in $$$ and resource requirements) OS-level virtualization technology present in FreeBSD for nearly 10 years now. Behold... the bootup of 1,000, count them - 1,000 virtual machines on a single host with 4 GB of RAM.


Flattened Device Tree Project Announcement

The FreeBSD Foundation is pleased to announce another funded project!

Rafal Jaworowski and Semihalf have been awarded a grant to provide FreeBSD with support for the flattened device tree (FDT) technology. This project allows for describing hardware resources of a computer system and their dependencies in a platform-neutral and portable way.

The main consumers of this functionality are embedded systems whose hardware resources assignment cannot be probed or self-discovered.

The FDT idea is inherited from Open Firmware IEEE 1275 device-tree notion (part of the regular Open Firmware implementation), and among other deployments is used as a basis for Power.org's embedded platform reference specification (ePAPR).

"Thanks to this project, embedded FreeBSD platforms will grow in a uniform and extensible way of representing hardware devices, compliant with industry standards (ePAPR, Open Firmware), independent of architecture and platform (portable across ARM, MIPS, PowerPC etc.)," said Rafal Jaworowski, FreeBSD Developer.



HAST Project Announcement

The FreeBSD Foundation is pleased to announce a new funded project!

Pawel Jakub Dawidek has been awarded a grant to implement storage replication software that will enable users to use the FreeBSD operating system for highly available configurations where data has to be shared across the cluster nodes. The project is partly being funded by OMCnet Internet Service GmbH (www.omc.net) and TransIP BV (www.transip.nl).

The software will allow for synchronous block-level replication of any storage media (GEOM providers, using FreeBSD nomenclature) over the TCP/IP network and for fast failure recovery. HAST will provide storage using GEOM infrastructure, which means it will be file system and application independent and could be combined with any existing GEOM class. In case of a master node failure, the cluster will be able to switch to the slave node, check and mount UFS file system or import ZFS pool and continue to work without missing a single bit of data.