by Rob
Na een lange tijd van testen is dan eindelijke release 5.4 uitgebracht. In de nieuwe versie zijn een aantal veranderingen doorgevoerd:
– Verbeterde support voor meer dan 4Gb aan geheugen
– De netwerk stack en drivers zijn verbeterd door betere locks (MPSAFE)
– [url=http://kerneltrap.org/node/1021]Carp[/url] is toegevoegd
– Aantal nieuwe disk controllers
Volledige lijst is [url=http://www.freebsd.org/releases/5.4R/relnotes.html]hier[/url] te vinden
by Rob
In de Legacy development branch van FreeBSD is een nieuwe versie uitgekomen. Het gaat om versie 4.11 en deze kan zowel via het [url=http://people.freebsd.org/~kensmith/4.11-torrent/]BitTorrent-netwerk[/url] worden gedownload en vanaf een [url=ftp://ftp.nl.freebsd.org/pub/FreeBSD/]FTP-server.[/url]
De release notes zijn te lang om hier weer te geven, dus we volstaan met een [url=http://www.freebsd.org/releases/4.11R/relnotes-i386.html]link[/url] naar de pagina en sluiten af met enkele woorden van Ken Smith, de release engineer van FreeBSD:
[quote]
The Release Engineering Team is happy to announce the availability of FreeBSD 4.11-RELEASE, the latest release of the FreeBSD Legacy development branch. Since FreeBSD 4.10-RELEASE in May 2004 we have made conservative updates to a number of software programs in the base system, dealt with known security issues, and made many bugfixes.
For a complete list of new features, known problems, and late-breaking news, please see the release notes and errata list.
FreeBSD 4.11 will become the first “Errata Branch”. In addition to Security fixes other well-tested fixes to basic functionality will be committed to the RELENG_4_11 branch after the release. Both Security Advisories and Errata Notices are announced on the freebsd-announce@freebsd.org mailing list.
This is expected to be the last release from the RELENG_4 branch. Most of the Developers are now focused on the RELENG_5 branch, or on the cutting edge development in HEAD.[/quote]
by Rob
by Rob
Op de diverse mirrors zijn de ISO’s van FreeBSD 5.3 release te vinden.
FreeBSD 5.3 heeft een lang traject door gemaakt voordat het gereleased werd. Het is dan ook de bedoeling dat binnenkort de 5.X serie de productie release wordt.
De iso’s zijn hier al te vinden:
[url]ftp://ftp.nl.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/5.3/[/url]
Scott Long zegt over 5.X serie
[quote]5.x was a tremendous undertaking. SMPng, KSE, UFS2, background fsck,
ULE, ACPI, etc, etc, etc were all incredible tasks. Given that many of
these things were developed and managed by unpaid volunteers, the fact
that we made it to 5-STABLE at all is quite impressive and says a lot
about the quality and determination of all of our developers and users.
However, 4 years was quite a long time to work on it. While 4.x
remained a good work-horse, it suffered from not having needed features
and hardware support. 5.x suffered at the same time from having too
much ambition but not enough developers to efficiently carry it through.[/quote]
by Rob
Verwacht wordt dat de eerste beta’s van FreeBSD 5.3 in augustus zullen verschijnen. Dit zal dan de eerste stable release zijn in de 5 serie.
Bij [url=http://news.zdnet.co.uk/software/linuxunix/0‚39020390‚39162245‚00.htm] Zdnet[/url] is een artikel te lezen waarin de nieuwe punten van de 5.3 worden toegelicht..
Release engineer Scott Long heeft nog wat meer info gegeven over 5.3. Deze info is te lezen in het status rapport van Mei t/m Juni
[url=http://www.freebsd.org/news/status/report-may-2004-june-2004.html]Status rapport May-June 2004[/url]
by Rob
Er is een nieuwe release van de BSD variant ekkoBSD.
Wat is ekkoBSD:
[quote]The goal of the ekkoBSD project is to provide a safe‚ secure‚ and simple to administer network operating system. This will be accomplished in a democratic manner‚ with a well-defined hierarchy‚ and an eye towards new ways of thinking.[/quote]
ekkoBSD is te downloaden vanaf de verschillende [url=http://www.ekkobsd.org/download/]mirrors. [/url]. De BSDfreaks server wordt ook gebruikt als mirror.
[url=http://www.ekkobsd.org]ekkoBSD[/url]
by Rob
Na een aantal RC’s is hij er dan, de nieuwe relase van 4-stable branch. In deze release zijn weer een aantal security fixes gedaan voor: Bind, CVS, OpenSSL en TCP stack bug.
Naast de gebruikelijke security fixes zijn er natuurlijk een aantal verbetering aangebracht. Deze kun je hier terug lezen: [url=http://www.freebsd.org/releases/4.10R/relnotes-i386.html]Changelog[/url]
Zoals het er naar uit ziet zal 4.11 de laatste release in 4 serie zijn:
[quote]The current plans are for one more FreeBSD 4.X release which will be FreeBSD 4.11-RELEASE. It is expected the upcoming FreeBSD 5.3 release will have reached the maturity level most users will be able to migrate to 5.X. Most developer resources continue to be devoted to the 5.X branch.
For more information about FreeBSD release engineering activities, please see:
http://www.FreeBSD.org/releng/[/quote]
Deze versie is verkrijgbaar via de standaard FTP servers en natuurlijk via cvsup.
by Rob
Er is een gat gevonden in de CVS server. De CVS is vaak aanwezige op de verschillende systemen, als je CVS gebruikt zorg dan dat je je CVS patched.
[quote]
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: CVS remote vulnerability
Release Date: 2004/05/19
Last Modified: 2004/05/19
Author: Stefan Esser [s.esser@e-matters.de]
Application: CVS feature release <= 1.12.7 CVS stable release <= 1.11.15 Severity: A vulnerability within CVS allows remote compromise of CVS servers. Risk: Critical Vendor Status: Vendor is releasing a bugfixed version. Reference: http://security.e-matters.de/advisories/072004.html Overview: Concurrent Versions System (CVS) is the dominant open-source version control software that allows developers to access the latest code using a network connection. Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7 both contain a flaw when deciding if a CVS entry line should get a modified or unchanged flag attached. This results in a heap overflow which can be exploited to execute arbitrary code on the CVS server. This could allow a repository compromise. Details: While auditing the CVS source a flaw within the handling of modified and unchanged flag insertion into entry lines was discovered. When the client sends an entry line to the server an additional byte is allocated to have enough space for later flagging the entry as modified or unchanged. In both cases the check if such a flag is already attached is flawed. This allows to insert M or = chars into the middle of a user supplied string one by one for every call to one of these functions. It should be obvious that already the second call could possibly overflow the allocated buffer by shifting the part after the insertion point one char backward. If the alignment of the block is choosen wisely this is already exploitable by malloc() off-by-one exploitation techniques. However carefully crafted commands allow the functions to be called several times to overwrite even more bytes (although this is not really needed if you want to exploit this bug on f.e. glibc based systems). Proof of Concept: e-matters is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 02. May 2004 - CVS developers and vendor-sec were notified by email Derek Robert Price replied nearly immediately that the issue is fixed 03. May 2004 - Pre-notification process of important repositories was started 11. May 2004 - Sourceforge discovered that the patch breaks compatibility with some pserver protocol violating versions of WinCVS/TortoiseCVS 12. May 2004 - Pre-notified repositories were warned about this problem with a more compatible patch. 19. May 2004 - Coordinated Public Disclosure CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396 to this issue. Recommendation: Recommended is an immediate update to the new version. Additionally you should consider running your CVS server chrooted over SSH instead of using the :pserver: method. You can find a tutorial how to setup such a server at http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt GPG-Key: http://security.e-matters.de/gpg_key.asc pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC Copyright 2004 Stefan Esser. All rights reserved. [/quote]
by Rob
Er is een bug gevonden in de procfs implementatie van OpenBSD, hieronder de melding:
Bron: [url=http://www.openbsd.org/security.html#35]Security announcement[/url]
[quote]
]Incorrect bounds checking in several procfs functions could allow an
unprivileged malicious user to read arbitrary kernel memory, with the
potential to use this information to escalate privilege. OpenBSD does not
mount the proc filesystem by default, and we continue to recommend against
its use.
The cvs -stable branches have been updated to contain a fix, which is also
available in patch form for 3.4 and 3.5.
Credit goes to Deprotect Advisories
identification of the bug.
Patches:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/006_procfs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/020_procfs.patch
[/quote]
by Rob
Er is weer een update van de op security gerichte BSD variant OpenBSD.
De belangrijkste verandering bij deze nieuwe versie is omschakelijking van a.out naar het ELF formaat.
Samenvatting van de Changelog:
[quote]* i386 Platform switched to ELF with OpenBSD/i386 3.4. The ELF executable file format offers greater flexibility in memory layout over the older a.out format, and was required for our W^X implementation on i386. Upgrading by source is NOT an option. Binary upgrades are possible, but very difficult, requiring uninstalling all existing packages before upgrade and reinstalling them after upgrade. There are many other potential issues here, the OpenBSD team HIGHLY recommends you reinstall from scratch. Note that an a.out binary emulation is provided by sysctl for binary-only applications that require it. If you are doing an upgrade, you will almost certainly need to enable this.
* Binary Emulations are disabled by default. This was done to make it more difficult to run a malicious program written for another platform on OpenBSD. This will prevent many ports from working properly until the emulation is activated as needed by use of sysctls. The standard GENERIC kernel has these options included, just disabled. No kernel recompile is needed. For more information, see this article. If you are doing an upgrade, you will almost certainly need to enable compat_aout.
* The 8G limit for the root partition is now gone. The i386 platform now supports booting anywhere within the BIOS supported area of the disk. Yes, this means the 8G limit of previous versions no longer applies. Intelligent partitioning is still highly recommended.
* PXE Booting. The i386 and amd64 platforms now support PXE booting for install.
* New Platforms. OpenBSD has added new platforms for 3.5:
cats, a StrongARM-based development board,
amd64, the AMD 64 bit processor, and
mvme88k, systems based on the Motorola 88000 series RISC processors.
* sparc64 now uses GCC 3.3.2. The sparc64 platform has switched to GCC 3.3.2 instead of the GCC 2.95.3 used on other platforms. Reinstallation is highly recommended over upgrading existing systems. The new cats and amd64 platforms are also using GCC 3.2.2. Local additions like ProPolice and other improvements are, of course, in the new GCC.
* New users and groups. Several new users and groups have been added to OpenBSD due to privilege separation. Upgraders will have to be sure to update their /etc directory carefully to incorporate them, as directed on upgrade-minifaq. [/quote]
De volledige Changelog: [url=http://www.openbsd.org/plus35.html]hier[/url]
Mirrors: [url=http://www.openbsd.org/ftp.html]hier[/url]