Errata notices from Open/Free BSDs plus all the latest from last week.
Releases
No releases.
BSDSec
OpenBSD Errata: April 13, 2025 (perl): Errata patches for Perl have been released for OpenBSD versions 7.5 and 7.6. These updates address issues in Perl and are available for amd64, arm64, and i386 platforms via the syspatch utility.
FreeBSD Errata Notice FreeBSD-EN-25:08.caroot: FreeBSD has released an errata notice for updating the root certificate bundle, which is essential for trusting TLS certificates. Several new certificates have been added to the bundle to ensure proper trust for TLS connections. This update affects all supported versions of FreeBSD, and users are advised to upgrade their systems to the latest stable or release branches. No workaround is available, and systems using an internal trust store are unaffected. Users can update via binary patches or source code patches, depending on their system configuration.
FreeBSD Errata Notice FreeBSD-EN-25:07.openssl: FreeBSD has released an errata notice for updating OpenSSL to version 3.0.16, addressing critical vulnerabilities CVE-2024-13176 and CVE-2024-9143. The update is essential for FreeBSD 14.2 users to mitigate risks related to ECDSA timing side-channels and out-of-bounds memory access in elliptic curve APIs. Systems should be updated immediately, and a reboot is required to ensure full protection. No workaround is available, and systems not using “exotic” elliptic curve parameters are less likely to be affected.
FreeBSD Errata Notice FreeBSD-EN-25:06.daemon: The FreeBSD Project has released an errata notice addressing an issue with daemon(8) where it may lose signal events after a change to use kqueue(2). This problem can cause daemon(8) to hang if a SIGTERM is sent after the child process has terminated but before it is restarted. The issue affects FreeBSD 14.2 and 13.4, and users are advised to upgrade to a supported stable or release branch and restart affected daemon(8) processes. No workaround is available, but systems not using the -r option are unaffected.
FreeBSD Errata Notice FreeBSD-EN-25:05.expat: The FreeBSD Project has released an errata notice to update the expat library to version 2.7.1. This update addresses a stack overflow vulnerability (CVE-2024-8176) in the libexpat library, which could cause crashes in applications like tar(1) when parsing deeply nested XML entity references. While the base system is unlikely to be vulnerable to denial of service (DoS) attacks, system administrators are advised to update to the latest version and restart third-party services or reboot the system if necessary. The update is available for all supported FreeBSD versions.
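A defensive pre-check for the deeply nested entity references mentioned in the expat notice, added here as an example (it is neither FreeBSD's nor libexpat's code): it reads only the DTD's entity declarations, stops before anything is expanded, and measures the longest chain of entity-to-entity references; the depth limit and the constructed sample document are assumptions.

```python
import re
import xml.parsers.expat

MAX_ENTITY_DEPTH = 16  # assumed policy limit for this example, not a libexpat constant
_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")

class _DoctypeDone(Exception):
    """Raised from a handler to stop expat once the DTD has been read."""

def collect_entities(xml_bytes):
    """Map internal general entities to their declared replacement text, without expanding them."""
    entities = {}
    parser = xml.parsers.expat.ParserCreate()
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entity
            entities[name] = value
    def on_end_doctype():
        raise _DoctypeDone  # abort before the body, so references are never expanded
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_bytes, True)
    except _DoctypeDone:
        pass
    return entities

def entity_depth(entities):
    """Length of the longest entity-to-entity reference chain; a cycle counts as infinite."""
    memo = {}
    def depth(name, stack):
        if name in stack:
            return float("inf")
        if name not in memo:
            refs = [r for r in _REF.findall(entities[name]) if r in entities]
            memo[name] = 1 + max((depth(r, stack | {name}) for r in refs), default=0)
        return memo[name]
    return max((depth(n, frozenset()) for n in entities), default=0)

def check_entity_nesting(xml_bytes, limit=MAX_ENTITY_DEPTH):
    """Return (accepted, depth); reject oversized chains before handing the document to a full parser."""
    d = entity_depth(collect_entities(xml_bytes))
    return d <= limit, d

def build_sample(levels):
    """Constructed input: e0 references e1, which references e2, ... down to a leaf entity."""
    decls = [f'<!ENTITY e{levels - 1} "leaf">']
    decls += [f'<!ENTITY e{i} "&e{i + 1};">' for i in range(levels - 2, -1, -1)]
    return ("<!DOCTYPE r [" + "".join(decls) + "]><r>&e0;</r>").encode()
```

Documents without a DOCTYPE pass with depth 0; a reference cycle is reported as infinite depth and rejected.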
FreeBSD Errata Notice FreeBSD-EN-25:04.tzdata: The FreeBSD Project has released an errata notice for an update to the IANA Time Zone Database. This update addresses changes in future and past timestamps affecting various time zones worldwide. Users are advised to update their systems to ensure accurate time display and functionality. The update is available for all supported FreeBSD versions, and instructions for binary and source code patches are provided. Applications relying on system time, such as cron and syslog, may be impacted if the update is not applied.
OpenBSD Releases Security Patches for ike, ssh, rpki: OpenBSD has released errata patches for iked, isakmpd, sshd, and rpki-client for versions 7.6 and 7.5. These updates address security vulnerabilities and are available as binary updates for amd64, arm64, and i386 platforms via the syspatch utility. Source code patches can be accessed on the respective errata pages. Users are advised to apply these updates to ensure system security.
As always, it’s worth following BSDSec. RSS feed available.
News
Valuable News 2025/04/14: The Valuable News weekly series provides a summary of news, articles, and other interesting content primarily related to UNIX/BSD/Linux systems. This edition covers topics such as Minecraft servers in FreeBSD jails, FreeBSD assembly programming, OpenSSH updates, and more.
OpenBSD -current is now “7.7-current”: Theo de Raadt has updated OpenBSD -current to version 7.7-current. This update eliminates the need to use the “-D snap” flag with pkg_add and pkg_info for users running the latest snapshots or source builds. The change reflects the ongoing development and improvements in the OpenBSD project, ensuring smoother package management for users.
rpki-client 9.5 Released with Improved Reliability: rpki-client 9.5 has been released and is available on OpenBSD mirrors. This update is recommended for all users to enhance reliability. Key features include validation of BGP announcements using RPKI, support for OpenBGPD and BIRD, and compatibility with multiple operating systems. The release also addresses errata for better performance and security. Developers encourage community feedback and contributions.
OpenIKED 7.4 Released with Bug Fixes and Enhancements: OpenIKED 7.4 has been released and will soon be available in the OpenIKED directory of local OpenBSD mirrors. This version includes several key updates, such as a fix for a double free bug in ECDH, a new configuration option for NAT-T negotiation, and improved config file verification. Additionally, the release tightens AppArmor sandboxing on Linux and addresses various bugs and compatibility issues. OpenIKED is compatible with multiple operating systems, including OpenBSD, FreeBSD, NetBSD, macOS, and several Linux distributions. The community is encouraged to provide feedback and contribute to further improvements.
Apple’s Darwin OS and XNU Kernel: A Deep Dive: This post explores the evolution and architecture of Apple’s Darwin OS and the XNU kernel, tracing its roots from Mach and BSD to its modern role in macOS, iOS, and Apple Silicon. The hybrid kernel design balances modularity and performance, combining Mach microkernel features with BSD Unix services. The post details Darwin’s development history, from Mach origins to Apple Silicon adaptations, and examines key components like scheduling, memory management, virtualization, and secure computing. XNU’s resilience and scalability are highlighted as foundational to Apple’s platforms.
Advocating for FreeBSD: A FOSDEM 2025 Trip Report: The FreeBSD Foundation participated in FOSDEM 2025 in Brussels, hosting a stand and engaging with the open-source community. Their team answered numerous questions about FreeBSD, distributed stickers and mugs, and connected with both existing and potential users. The event provided valuable insights into how to better present and explain the benefits of FreeBSD to a wider audience.
New sysctl(8) -f Option Simplifies Configuration: The recent addition of the -f option in sysctl(8) allows users to apply multiple settings from a file in a single command. This update, contributed by Klemens Nanni, streamlines configuration management by eliminating the need for scripting or entering multiple commands. The feature is particularly useful for local edits and integration with config management tools. It will be available in upcoming OpenBSD 7.7 snapshots and releases.
Are FreeBSD Jails Containers?: The article discusses whether FreeBSD Jails can be considered containers. It highlights that FreeBSD Jails, introduced in 2000, are a form of OS-level virtualization similar to containers. The author argues that the term “containers” predates Docker and Linux-based solutions, and FreeBSD Jails fit the original definition. However, some argue that FreeBSD Jails lack the features of modern OCI containers. The article also references opinions from experts like Allan Jude and comparisons with other container technologies like Solaris Zones and HP-UX Containers. Ultimately, the debate centers on whether FreeBSD Jails are containers in the traditional sense or if the term should be reserved for OCI-compliant solutions.
Tutorials
FreeBSD Jails Security: The article discusses the security of FreeBSD Jails compared to Podman containers on Linux. It highlights that FreeBSD Jails are generally more secure and flexible, offering better isolation, restricted kernel syscalls, dedicated network interfaces, and the ability to run firewalls inside Jails. The article also notes that Jails have fewer CVEs and are more battle-tested. Key points include the misconceptions about Podman’s security, the flexibility of Jails, and their superior isolation and kernel syscall restrictions. The article concludes that Jails are a more secure option for containerization.
FreeBSD Netgraph Explained: Inside Kernel-Level Networking: Netgraph is FreeBSD’s powerful, graph-based networking subsystem that supports modular, real-time packet processing inside the kernel. Introduced in FreeBSD 3.4 (1999), it allows developers to create complex networking topologies by connecting nodes in a graph structure. This modularity enables rapid development and deployment of new networking features, making it a powerful tool for developers. Netgraph operates on nodes and hooks, allowing for dynamic assembly of networking configurations. Control messages enable real-time adjustments, providing administrators with granular control over data flow. Its graph-based architecture gives it an advantage in high-performance networking applications, particularly in carrier-grade systems like Juniper’s Junos OS. While Netgraph offers flexibility and performance, it can be complex to manage and requires specialized tools for troubleshooting. It is particularly effective in scenarios like VPNs and firewalls, where dynamic traffic handling and real-time adjustments are crucial.
Did we miss anything?
This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.
Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).
Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.
Thanks for reading and see you next week! Stay safe!