BSDSec

deadsimple BSD Security Advisories and Announcements

MidnightBSD 0.7 RELEASE

I’m happy to announce the availability of MidnightBSD 0.7 RELEASE.  You can download it from the MidnightBSD website at http://www.midnightbsd.org/

0.7-RELEASE NOTES

Security
Enhancements
Removed Features
New Software Versions
mports & package tools

This release is primarily for stabilization, ZFS and mport package tool enhancements. 

Upgrading from source:
	When upgrading from 0.6, you will need to install
	src/kerberos5/lib/libroken before building world.

This release is dedicated to Midnight the cat. He passed away this year after a battle with cancer. 

Security

expat
Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.

kernel
Fix a security issue on amd64 where the GS segment CPU register can be changed via
a userland value in kernel mode by using an IRET with #SS or #NP exceptions.

TCP Reassembly resource exhaustion bug:
There is a mistake with the introduction of VNET, which converted the
global limit on the number of segments that could belong to reassembly
queues into a per-VNET limit.  Because mbufs are allocated from a
global pool, in the presence of a sufficient number of VNETs, the
total number of mbufs attached to reassembly queues can grow to the
total number of mbufs in the system, at which point all network
traffic would cease.

Fix a bug where TCP connections transitioning to LAST_ACK state can get stuck. This can result in a denial of service.

OpenSSH
A programming error in the privileged monitor process of the sshd(8)
service may allow the username of an already-authenticated user to be
overwritten by the unprivileged child process.

A use-after-free error in the privileged monitor process of the sshd(8)
service may be deterministically triggered by the actions of a
compromised unprivileged child process.

A use-after-free error in the session multiplexing code in the sshd(8)
service may result in unintended termination of the connection.

OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication
using PAM (default) would allow many password attempts. A bug allows
MaxAuthTries to be bypassed. [CVE-2015-5600]

routed 
Fix a potential security issue where traffic from outside the network can disrupt routing.

Sendmail
With the recent changes to OpenSSL to block 512 bit certificates, sendmail can't connect with TLS to some servers.

Increase the default size to 1024 bit for client connections to match the server configuration.

Enhancements

libc changes:
	setmode(3) now returns errno consistently on error.
	libc will compile without error using clang.

wait6 system call added.

date(1) now handles non-numeric arguments passed to -r like GNU coreutils for improved compatibility.

ata(4): added support for the AMD Hudson-2 and Intel Lynx Point SATA controllers.

Fix some const warnings when building several device drivers with llvm/clang.

Sync cas(4) with FreeBSD 9-stable.

Fix some minor issues with ath(4).

Fix a potential bootstrapping issue when upgrading from 0.6 to 0.7. m4 and kerberos were updated and must be built in a certain sequence or else the build will fail.

cpucontrol(8) now supports VIA CPUs. 

Switch to bsdpatch (from FreeBSD & OpenBSD);  fix a bug with ed(1) scripts allowing unsanitized input to run.

Import reallocarray from OpenBSD's libc.  
The reallocarray() function is similar to realloc() except it operates on nmemb members of size size and checks for integer overflow in the calculation nmemb * size.
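As an added illustration (not MidnightBSD's or OpenBSD's libc source), an overflow-checked reallocarray() written in the style of the OpenBSD import, next to the unchecked nmemb * size idiom it replaces; the names checked_reallocarray, unchecked_request_bytes and request_is_rejected are chosen here for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example: an overflow-checked reallocarray() in the style of the
 * OpenBSD import. MUL_NO_OVERFLOW is 2^(bits/2): if both operands are
 * below it the product cannot wrap, so the division is only done when at
 * least one operand is large. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

void *
checked_reallocarray(void *optr, size_t nmemb, size_t size)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;          /* nmemb * size does not fit in size_t */
        return NULL;
    }
    return realloc(optr, size * nmemb);
}

/* The unchecked idiom: the multiplication silently wraps, so a huge
 * element count can turn into a tiny allocation that is later overrun. */
size_t
unchecked_request_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;         /* wraps modulo SIZE_MAX + 1 */
}

/* Returns 1 if checked_reallocarray() rejected the request with ENOMEM,
 * 0 if it handed back a buffer (which is freed again here). */
int
request_is_rejected(size_t nmemb, size_t size)
{
    void *p = checked_reallocarray(NULL, nmemb, size);
    if (p == NULL)
        return errno == ENOMEM;
    free(p);
    return 0;
}
```

With nmemb = SIZE_MAX / 2 + 2 and size = 2 the unchecked product wraps to 2 bytes, while the checked version refuses the request.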

ZFS
Added ZFS TRIM support which is enabled by default. To disable ZFS TRIM support set vfs.zfs.trim.enabled=0 in loader.conf.

Creating new ZFS pools and adding new devices to existing pools first performs a full device level TRIM which can take a significant amount of time. The sysctl vfs.zfs.vdev.trim_on_init can be set to 0 to disable this behaviour.

ZFS TRIM requires the underlying device support BIO_DELETE which is currently provided by methods such as ATA TRIM and SCSI UNMAP via CAM, which are typically supported by SSD's.

Stats for ZFS TRIM can be monitored by looking at the sysctl's under kstat.zfs.misc.zio_trim.

ZFS in MidnightBSD now supports lz4 compression. You can enable it with zfs set compression=lz4 pool/path. Verify it is working with:
	zfs get compressratio pool/path
	du -h -s *
Note that you must write new data after turning on compression to see changes; existing files are not compressed.

While we use the same basic lz4 implementation that FreeBSD and OpenZFS use, we have not yet implemented ZFS feature flags support, so the zfs version still reports 28. This may come in a future update to ZFS.

rc.d
	Reworked handling of cleanvar and FILESYSTEMS so that FILESYSTEMS
	implies everything is mounted and ready to go.

	Changed how ip6addressctl maps IPv6 on startup.

Removed Features

This may be the last release with i386 support. We’re considering dropping it and focusing on amd64 as most modern PCs are 64 bit capable.

New Software Versions

BSD Sort updated from FreeBSD
flex 2.5.39
Heimdal 1.5.2 (kerberos implementation)
Jansson 2.7 library added. (libjansson is a JSON library in C)
OpenSSL 1.0.1o  (previously on 0.9.8 branch)
sqlite 3.8.10.2
tzdata 2015d
xz 5.0.8

mports & package tools

0.7 currently has approximately 2000 packages for this release.  A lot of work has been done on mports and the goal is to get a working desktop metaport by the end of the year. We currently have updated the following:

CUPS
Gimp
Gnome 3 (in progress)
GNUStep and related ports
Gtk 3
OpenJDK 6 & 7 are building from ports (no packages yet)
Python 2 & 3
Midori
Qt 4
Webkit
X.org

libmport now logs installation and removal of packages to syslog.

libmport now supports @shell and @sample in plists. This means that a shell port can automatically add an entry to /etc/shells and remove it upon uninstallation. For sample files, a copy is made without the .sample extension if one does not exist and it is removed automatically only if the md5 hash of the two files is the same. 

libmport now automatically stops services when deleting packages. The package must have installed an rc.d script in /usr/local/etc for this to work. This is equivalent to running service <name> onestop.

If you are updating an existing system, after installing 0.7, you can use mport upgrade to update packages with 0.7 versions. It is recommended that you delete /usr/mports/Packages and run mport clean to remove old package remnants.

You may use svnlite (part of the base system) to check out mports or src, if you do not wish to install the svn package.

e.g.
cd /usr/ && svnlite co http://svn.midnightbsd.org/svn/mports/trunk mports


Lucas Holt
Luke@FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)

_______________________________________________
Midnightbsd-security mailing list
Midnightbsd-security@midnightbsd.org
http://www.midnightbsd.org/mailman/listinfo/midnightbsd-security