BSDSec

deadsimple BSD Security Advisories and Announcements

MidnightBSD 3.1.0 RELEASE


MidnightBSD 3.1

8/27/2023


I’m happy to announce the availability of MidnightBSD 3.1 for amd64 and 
i386.


This release includes updates to third-party libraries, fixes for bugs found in 
the 3.0 release, and a new third-party package option: the Ravenports 
Universal Package System.


  Upgrade Process


(You can also do this with svnlite using github)


Install git if you don’t have it already

mport install git


Fetch MidnightBSD from git via github.com/midnightbsd/src.git (assumes 
you don't have /usr/src populated)


git clone https://github.com/MidnightBSD/src.git


Checkout the stable/3.1 branch

git checkout stable/3.1


cd /usr/src; make clean buildworld buildkernel;
mergemaster -p
make installkernel

reboot

(if it works OK, login and go to /usr/src)

make installworld

mergemaster -iU

mport index

Update installed mports/packages.

rm -rf /usr/lib/perl/5.36.0

cd /usr/src/; make check-old

Then run make delete-old and finally make installworld.


When you are done, verify that Perl is updated by running perl -v

You should have Perl 5.36.1.
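The upgrade steps above collected into one script that stops at the first failing command, as an added example that is not part of the announcement. It assumes the paths and branch given above and that `mport upgrade` is the command behind "Update installed mports/packages" (the post does not name it); DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the announcement): the 3.1 upgrade steps above as one
# script that stops at the first failing command. "kernel" runs up to the
# reboot, "world" runs the rest and checks the Perl version. Assumed: the paths
# and branch stated above, and "mport upgrade" as the not-named update command.
# DRY_RUN=1 prints each command instead of running it.
set -e
SRC_DIR=${SRC_DIR:-/usr/src}
BRANCH=stable/3.1
EXPECTED_PERL=5.36.1
OLD_PERL_LIB=/usr/lib/perl/5.36.0

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Phase 1: fetch the sources, build, install the kernel, then reboot by hand.
phase_kernel() {
    run mport install git
    if [ ! -d "$SRC_DIR/.git" ]; then
        run git clone https://github.com/MidnightBSD/src.git "$SRC_DIR"
    fi
    run git -C "$SRC_DIR" checkout "$BRANCH"
    run make -C "$SRC_DIR" clean buildworld buildkernel
    run mergemaster -p
    run make -C "$SRC_DIR" installkernel
    echo "Kernel installed: reboot, log in, then run this script with 'world'"
}

# Phase 2 (after the reboot): world, config merge, mports refresh, old Perl
# tree removal, stale-file cleanup and the final installworld.
phase_world() {
    run make -C "$SRC_DIR" installworld
    run mergemaster -iU
    run mport index
    run mport upgrade
    run rm -rf "$OLD_PERL_LIB"
    run make -C "$SRC_DIR" check-old
    run make -C "$SRC_DIR" delete-old
    run make -C "$SRC_DIR" installworld
}

# Pull "X.Y.Z" out of `perl -v` output and compare with the expected version.
perl_version_from() { printf '%s\n' "$1" | sed -n 's/.*(v\([0-9.]*\)).*/\1/p' | head -n 1; }
perl_version_ok() { [ "$(perl_version_from "$1")" = "$EXPECTED_PERL" ]; }
case "${1:-}" in
    kernel) phase_kernel ;;
    world) phase_world && perl_version_ok "$(perl -v 2>/dev/null)" && echo "Perl $EXPECTED_PERL present" ;;
esac
```

Run it as root with `kernel`, reboot, then run it again with `world`; the script refuses to report success unless `perl -v` shows 5.36.1.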


  Bug Fixes and new features


    Ravenports


Ravenports is now available in MidnightBSD for the amd64 architecture.  
The initial installation process will prompt you to bootstrap 
Ravenports.  This will initialize it in /raven/, and you will be able to 
install software packages using /raven/sbin/ravensw.  By default, 
/raven/bin, /raven/sbin, and so on are not on the path. You can add them 
to the path to make running software in your shell easier.  Please visit 
their website to learn more about Ravenports and find quickstart guides. 
http://www.ravenports.com/


You can choose either mports or Ravenports at installation time or use 
packages from both systems.  Please note that mixing packages may have 
some complications, although they are installed in a completely 
different place from mports.


There are various benefits to Ravenports, but a few are more updated 
packages and quite a few unique packages that mports doesn’t provide 
currently. For example, Ravenports has an updated Firefox package available.


You will not see Ravenports presented as an option on an i386 install.


    Mport package manager


There have been a number of improvements in the mport package manager 
for this release.  In 2.4.3, we fixed the XXX rate issue reported.  It 
now displays information about the download and a percentage of the file 
fetched so far.  There is an output bug where it displays the percentage 
with an incorrect decimal place that will be fixed in a later release.  
This only impacts mport use in scripts or other non-interactive terminals.


* mport clean now removes temporary files that might get left behind by
  other operations.

* mport clean now removes leftover /var/db/mport/infrastructure/* folders
  that might get left behind prior to a fix for mtree files last year
  (mostly for older systems).

* mport's internal rmtree functionality has been modified to use native C
  routines rather than executing rm -r as a system command. (Please report
  any issues with removing files in packages on delete with this.) This is
  slightly faster with very large packages (0.03 seconds or so).

* mport list updates will now give you better information about why a
  package is not found in the index. If the package is listed in the MOVED
  file in the mports repository, it will tell you whether it was
  removed/expired or moved to another location.

Now that MOVED file contents are part of the index, we can start doing 
more intelligent updates in the future. The first package build to 
include this data is the latest amd64 3.1 build.   It will be available 
for i386 on the next package build done on that platform.


    Install Changes


Users are now prompted to try to install appropriate packages for their 
graphics cards.  We don’t yet do autodetection, but it’s a step in the 
right direction for automating installs.


    Miscellaneous Changes


tftpd: introduce new option -S


pf: handle multiple IPv6 fragment headers

pf: fix pf_nv##_array() size check


netstat -i: compute most field widths dynamically


frag6: Avoid a possible integer overflow in fragment handling


lib/libc/string/bcmp.c: fix integer overflow bug


logger(1): fix timestamps in case of long run


libalias: improve handling of invalid SCTP packets


wpa: Enable receiving priority tagged (VID 0) frames


bridge: Log MAC address port flapping


fusefs: update atime on reads when using cached attributes


  Security Fixes

add fix for CVE-2022-25147 (apr-util)

workaround an integer overflow in apr_base64 functions.


Fix CVE-2020-10188 in telnetd


Fix for GELI silently omitting the keyfile when it is read from stdin


Multiple security vulnerabilities have been discovered in the Heimdal 
implementation of the Kerberos 5 network authentication protocols and KDC.


CVE-2022-42898 PAC parse integer overflows

CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour

CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors

CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

CVE-2019-14870 Validate client attributes in protocol-transition

CVE-2019-14870 Apply forwardable policy in protocol-transition

CVE-2019-14870 Always lookup impersonate client in DB



  3rd Party Software

Perl 5.36.1

openssl 1.1.1u

zlib 1.2.13 for kernel use

OpenSSH 9.1p1

libarchive 3.6.2

sendmail 8.17.1

libxo 1.0.4

doas 6.3p9

tzdata 2023c

xz 5.2.9

file 5.43

sqlite3 3.40.1

less 551

subversion 1.14.2

mDNSResponder-1096.40.7


  Hardware

ena: Update driver version to v2.6.3


e1000: fix VLAN 0


Fix for Intel 82599 ixgbe device, which reported errors on the interface 
incorrectly.


jedec_dimm(4): Add manufacturing year and week.

e1000: Fix packet loss on 11th gen and later


ixl(4): Fix SR-IOV panics


ixl(4): Add support for I710 devices


ixl(4): Fix VLAN HW filtering


ice(4): Update to 1.34.2-k


ioat: Add Ice Lake ID.


  Known Issues

Mport gives too much output when downloading packages non-interactively.


Mport package creation crashes on a few meta ports.  We’re investigating 
this.  GNUstep is one example.  You can still install all the other 
GNUstep-related ports, just not the metaport.


Ravenports install is not in the path, but we also don’t tell you that 
during bootstrap.


The Perl version was updated, so having a mix of older packages with 3.1 
packages may cause issues with Perl.  Best to update all Perl libraries.


The Mono package is broken on 3.1 in mports.  No ETA on this one.


On VirtualBox 7, Xorg needs over 1GB of RAM allocated to run without 
swapping or crashing.  Occasional VM hangs have also been seen. It works 
fine on bare metal, bhyve, or VMware products.


Download at https://midnightbsd.org/download/

-- 
Lucas Holt
Luke@FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)

_______________________________________________
Midnightbsd-security mailing list
Midnightbsd-security@midnightbsd.org
http://www.midnightbsd.org/mailman/listinfo/midnightbsd-security