Issue 6
Published February 5, 2020

Main topic of this week is FreeBSD 7 Days Challenge to get users started with FreeBSD. There were a lot of releases and security advisories this week, as well. We also cover all the rest of BSD world with the latest news and tutorials.

FreeBSD 7 Days Challenge

FreeBSD is an excellent platform to build out a production server environment. It also makes for a great desktop environment. Whatever the use case is we want people to understand FreeBSD well enough (and quickly enough) to achieve their goals with as little friction as possible.

The 7 Days Challenge will have people running on FreeBSD within the seven days.

  • Getting user onboard with FreeBSD quickly
  • Helping the user to understand basic concepts like the file system layout and core system utilities
  • Walking users through common FreeBSD use cases, such as desktop environments
  • Maintaining an installation after the fact to keep it secure and stable
  • Using FreeBSD as a development or production environment for software development and more
  • Putting FreeBSD on the front line as a production platform for hosting enterprise grade solutions
  • Allowing for the continued use of modern technologies and concepts to manage FreeBSD installations
  • And more...

Releases

As the last preparations for 20.1 are underway, a quick relief is here for the End-Of-Life release of the 19.7 series with a tiny number of updates.

OPNsense 20.1 was then released, nicknamed "Keen Kingfisher". It is a subtle improvement on sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation amongst others. Third party software has been updated to their latest versions. The logging frontend was rewritten for MVC with seamless API support. On the far side the documentation increased in quality as well as quantity and now presents itself in a familiar menu layout.

FreeNAS 11.3 has a year's worth of improvements and features a much improved Replication Engine, managing SMB ACLs via the FreeNAS web user-interface, SMB Shadow Copies being enabled by default for new shares, an iSCSI wizard, dashboard updates, ZFS performance optimizations, new APIs, and much more.

Second release candidate for NetBSD 9.0 is available. Since the start of the release process a lot of improvements went into the branch - nearly 700 pullups were processed. This includes usbnet (a common framework for usb ethernet drivers), aarch64 stability enhancements and lots of new hardware support, installer/sysinst fixes and changes to the NVMM (hardware virtualization) interface.

BSDSec

It is upgrade time!

Errata patches for OpenSMTPD have been released for OpenBSD 6.5 and 6.6.

  • smtpd can crash on opportunistic TLS downgrade, causing a denial of service
  • an incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user

Binary updates for the amd64, i386, and arm64 platforms are available via the syspatch utility. After patching, restart the smtpd service.

New FreeBSD errata notices has been released:

  • FreeBSD-EN-20:02.nmount - A userland process authorized to mount filesystems can possibly trigger a kernel panic
  • FreeBSD-EN-20:01.ssp - Affected programs will abort and log a "stack overflow detected" message to syslog(3)

Consider upgrading your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Also, 3 new FreeBSD Security Advisories has been released:

  • FreeBSD-SA-20:02.ipsec - an attacker who can capture and inject packets could cause an action that was intentionally performed once to be repeated
  • FreeBSD-SA-20:03.thrmisc - sensitive kernel data may be disclosed
  • FreeBSD-SA-20:01.libfetch - an attacker in control of the URL to be fetched (possibly via HTTP redirect) may cause a heap buffer overflow, resulting in program misbehavior or malicious code execution Consider upgrading your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

libfetch has a vulnerability, and now it has been fixed on DragonFly in current and release.

News

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage. Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon's default configuration, or locally and remotely if the daemon is using its "uncommented" default configuration, in which it listens on all interfaces and accepts external mail. Getting root access means it's game over: the machine is now yours. This article discusses what could have prevented escalation despite the bug.

Filters have been a long awaited feature in OpenSMTPD. This article describes how filters are implemented and what to expect. Switching to new config is not too hard and can be done in minutes. The new config is also a new queue that is not backwards compatible. The easiest way is to flush the mail queue before switching.

HardenedBSD has been working on deploying Tor Onion Service v3 nodes across their build infrastructure. Public portion of this is now completed. Read more to find various onion service hostnames and their match to the infrastructure.

Out this weekend is Lumina 1.6 as the latest release of this Qt-powered desktop environment originally developed by iXsystems as part of PC-BSD / TrueOS. Lumina 1.6 is the new release and their first version update in nine months. Lumina 1.6 is primarily carrying bug fixes and minor improvements but there is detection for Void Linux, new default keyboard shortcuts, and other small changes.

Hikari is a stacking window manager with tiling support that has also work-in-progress code for serving as a Wayland compositor. However, unlike most X11 window managers and Wayland compositors being focused on Linux systems, Hikari is BSD-focused. Hikari was presented at this weekend's Free Open-Source Developers' European Meeting (FOSDEM) in Brussels as a window manager / compositor initially targeting FreeBSD but is being ported ultimately to other platforms as well: Hikari can also be built for OpenBSD and the Wayland support should work on Linux systems.

Tutorials

FDE on OpenBSD.Amsterdam opinionated VM: OBSD.ams provides VMs with unencrypted disks. This means the VM will be able to boot on its own in case the vmd(8) host reboots. As far as we could see from their Twitter account, there are not that much crashes. But the host would reboot from time to time (for system updates or upgrades). If that’s a problem, one should probably not use FDE (Full Disk Encryption); or should be ready to connect to the console to enter the passphrase.

Ditch your Playstation! Throw away your Xbox! Become the REAL PC Master race game player - Console game player that is... Just a small look at six games for the terminal in FreeBSD.

Install OpenBSD on dedibox with full-disk encryption: "dedibox" servers at servers available at online.ne. OpenBSD is not officially supported so you have to work-around. Running full-disk encrypted OpenBSD there is a piece of cake.

More

As always, there are more sources of BSD goodness. Latest BSD Now talks about Hyperbola Developer interview, why you should migrate from Linux to BSD, FreeBSD is an amazing OS, improving the ptrace(2) API in LLVM 10, First FreeBSD conference in Australia, and a guide to containers on FreeNAS.

The Valuable News weekly series is dedicated to providing summary about news, articles and other interesting stuff mostly but not always related to the UNIX or BSD systems. The latest is from 2020-02-03.

In Other BSDs for 2020/02/01 is out, too.

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week!