Issue 131
Published December 7, 2022

All the latest news, releases and tutorials from the BSD world.


OPNsense 22.7.9 released: A quick update to address the new FreeBSD security advisory for ping utility as well as Suricata. The DNS block list was rewritten in Python and there will be a couple of cool additions for it in the foreseeable future.

FreeBSD 12.4-RELEASE Now Available: The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 12.4-RELEASE. This is the fifth release of the stable/12 branch. Some of the highlights: The ena(4) kernel driver has been updated to 2.6.1. The if_epair(4) driver now allows multiple cores to be used to process traffic to improve performance. The unbound(8) utility has been updated to version 1.16.3. The telnetd(8) daemon has been deprecated. The tcpdump(1) utility now allow users to set a number on rules which will be exposed as part of the pflog header. OpenSSL has been updated to 1.1.1q. OpenSSH has been updated to 9.1p1. The LLVM toolchain suite has been updated to version 13.0.0. The dma(8) utility has been updated to snapshot 2022-01-27. The file(1) utility has been updated to version 5.43. The libarchive(3) library has been updated to version 3.6.0. And much more…​


FreeBSD Security Advisory FreeBSD-SA-22:14.heimdal [REVISED]: Multiple security vulnerabilities have been discovered in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC. - - CVE-2022-42898 PAC parse integer overflows - - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour - - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors - - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec - - CVE-2019-14870 Validate client attributes in protocol-transition - - CVE-2019-14870 Apply forwardable policy in protocol-transition - - CVE-2019-14870 Always lookup impersonate client in DB

FreeBSD Errata Notice FreeBSD-EN-22:28.heimdal: The patch released with FreeBSD-SA-22:14.heimdal included an inadvertently merged block of code which prevents the KDC from issuing valid tickets.

FreeBSD Security Advisory ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header. The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.

As always, it's worth following BSDSec. RSS feed and Twitter account available.


Help the OpenBSD Foundation Reach Its 2022 Funding Goal: The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000. At the time of writing, the amount raised in 2022 stands at a little over 50% of the stated goal.

BSD Now 483: ZFS Time Machine : Research Unix Version 6 in the Open SIMH PDP-11 Emulator, The Hot Tub Time Machine is Your ZFS Turn-Back-Time Method, NFS on NetBSD: server and client side, HardenedBSD October 2022 Status Report, Nushell : Introduction, and more.

Help the OpenBSD Foundation Reach Its 2022 Funding Goal: The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000.


Authentication gateway with SSH on OpenBSD: A neat feature in OpenBSD is the program authpf, an authenticating gateway using SSH. Basically, it allows to dynamically configure the local firewall PF by connecting/disconnecting into a user account over SSH, either to toggle an IP into a table or rules through a PF anchor.

Running OpenZFS – Choosing Between FreeBSD and Linux: Age-old discussion: ZFS running on Linux or FreeBSD? We're not going to set out to tell you which operating system you should use. Both choices are excellent — but we’ll lay out how different (or alike) it is to run OpenZFS on either to help anyone on the fence decide which OS to use beneath our favorite filesystem.

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week! Stay safe!

Become a Sponsor! Become a Patron!