BSDFreaks.nl

Op de diverse mirrors zijn de ISO’s van FreeBSD 5.3 release te vinden.

FreeBSD 5.3 heeft een lang traject door gemaakt voordat het gereleased werd. Het is dan ook de bedoeling dat binnenkort de 5.X serie de productie release wordt.

De iso’s zijn hier al te vinden:
[url]ftp://ftp.nl.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/5.3/[/url]

Scott Long zegt over 5.X serie
[quote]5.x was a tremendous undertaking. SMPng, KSE, UFS2, background fsck,
ULE, ACPI, etc, etc, etc were all incredible tasks. Given that many of
these things were developed and managed by unpaid volunteers, the fact
that we made it to 5-STABLE at all is quite impressive and says a lot
about the quality and determination of all of our developers and users.
However, 4 years was quite a long time to work on it. While 4.x
remained a good work-horse, it suffered from not having needed features
and hardware support. 5.x suffered at the same time from having too
much ambition but not enough developers to efficiently carry it through.[/quote]

Verwacht wordt dat de eerste beta’s van FreeBSD 5.3 in augustus zullen verschijnen. Dit zal dan de eerste stable release zijn in de 5 serie.

Bij [url=http://news.zdnet.co.uk/software/linuxunix/0‚39020390‚39162245‚00.htm] Zdnet[/url] is een artikel te lezen waarin de nieuwe punten van de 5.3 worden toegelicht..

Release engineer Scott Long heeft nog wat meer info gegeven over 5.3. Deze info is te lezen in het status rapport van Mei t/m Juni
[url=http://www.freebsd.org/news/status/report-may-2004-june-2004.html]Status rapport May-June 2004[/url]

Er is een nieuwe release van de BSD variant ekkoBSD.
Wat is ekkoBSD:
[quote]The goal of the ekkoBSD project is to provide a safe‚ secure‚ and simple to administer network operating system. This will be accomplished in a democratic manner‚ with a well-defined hierarchy‚ and an eye towards new ways of thinking.[/quote]

ekkoBSD is te downloaden vanaf de verschillende [url=http://www.ekkobsd.org/download/]mirrors. [/url]. De BSDfreaks server wordt ook gebruikt als mirror.

[url=http://www.ekkobsd.org]ekkoBSD[/url]

Na een aantal RC’s is hij er dan, de nieuwe relase van 4-stable branch. In deze release zijn weer een aantal security fixes gedaan voor: Bind, CVS, OpenSSL en TCP stack bug.

Naast de gebruikelijke security fixes zijn er natuurlijk een aantal verbetering aangebracht. Deze kun je hier terug lezen: [url=http://www.freebsd.org/releases/4.10R/relnotes-i386.html]Changelog[/url]

Zoals het er naar uit ziet zal 4.11 de laatste release in 4 serie zijn:
[quote]The current plans are for one more FreeBSD 4.X release which will be FreeBSD 4.11-RELEASE. It is expected the upcoming FreeBSD 5.3 release will have reached the maturity level most users will be able to migrate to 5.X. Most developer resources continue to be devoted to the 5.X branch.

For more information about FreeBSD release engineering activities, please see:
http://www.FreeBSD.org/releng/[/quote]

Deze versie is verkrijgbaar via de standaard FTP servers en natuurlijk via cvsup.

Er is een gat gevonden in de CVS server. De CVS is vaak aanwezige op de verschillende systemen, als je CVS gebruikt zorg dan dat je je CVS patched.
[quote]
                         e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-

     Advisory: CVS remote vulnerability
 Release Date: 2004/05/19
Last Modified: 2004/05/19
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: CVS feature release <= 1.12.7                CVS stable release  <= 1.11.15      Severity: A vulnerability within CVS allows remote compromise of                CVS servers.          Risk: Critical Vendor Status: Vendor is releasing a bugfixed version.     Reference: http://security.e-matters.de/advisories/072004.html Overview:    Concurrent Versions System (CVS) is the dominant open-source version    control software that allows developers to access the latest code using    a network connection.    Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7    both contain a flaw when deciding if a CVS entry line should get a    modified or unchanged flag attached. This results in a heap overflow    which can be exploited to execute arbitrary code on the CVS server.    This could allow a repository compromise. Details:    While auditing the CVS source a flaw within the handling of modified    and unchanged flag insertion into entry lines was discovered.    When the client sends an entry line to the server an additional byte    is allocated to have enough space for later flagging the entry as    modified or unchanged. In both cases the check if such a flag is    already attached is flawed. This allows to insert M or = chars into    the middle of a user supplied string one by one for every call to    one of these functions.    It should be obvious that already the second call could possibly    overflow the allocated buffer by shifting the part after the    insertion point one char backward. If the alignment of the block    is choosen wisely this is already exploitable by malloc() off-by-one    exploitation techniques. However carefully crafted commands allow    the functions to be called several times to overwrite even more    bytes (although this is not really needed if you want to exploit    this bug on f.e. glibc based systems). Proof of Concept:    e-matters is not going to release an exploit for this vulnerability to    the public. Disclosure Timeline:    02. May 2004 - CVS developers and vendor-sec were notified by email                   Derek Robert Price replied nearly immediately that the                   issue is fixed    03. May 2004 - Pre-notification process of important repositories                   was started    11. May 2004 - Sourceforge discovered that the patch breaks                   compatibility with some pserver protocol violating                   versions of WinCVS/TortoiseCVS    12. May 2004 - Pre-notified repositories were warned about this                   problem with a more compatible patch.    19. May 2004 - Coordinated Public Disclosure CVE Information:    The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CAN-2004-0396 to this issue. Recommendation:    Recommended is an immediate update to the new version. Additionally you    should consider running your CVS server chrooted over SSH instead of    using the :pserver: method. You can find a tutorial how to setup such a    server at    http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt GPG-Key:    http://security.e-matters.de/gpg_key.asc    pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam    Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC Copyright 2004 Stefan Esser. All rights reserved. [/quote]

Er is een bug gevonden in de procfs implementatie van OpenBSD, hieronder de melding:
Bron: [url=http://www.openbsd.org/security.html#35]Security announcement[/url]
[quote]
]Incorrect bounds checking in several procfs functions could allow an
unprivileged malicious user to read arbitrary kernel memory, with the
potential to use this information to escalate privilege. OpenBSD does not
mount the proc filesystem by default, and we continue to recommend against
its use.

The cvs -stable branches have been updated to contain a fix, which is also
available in patch form for 3.4 and 3.5.

Credit goes to Deprotect Advisories for
identification of the bug.

Patches:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/006_procfs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/020_procfs.patch
[/quote]

Er is weer een update van de op security gerichte BSD variant OpenBSD.
De belangrijkste verandering bij deze nieuwe versie is omschakelijking van a.out naar het ELF formaat.

Samenvatting van de Changelog:
[quote]* i386 Platform switched to ELF with OpenBSD/i386 3.4. The ELF executable file format offers greater flexibility in memory layout over the older a.out format, and was required for our W^X implementation on i386. Upgrading by source is NOT an option. Binary upgrades are possible, but very difficult, requiring uninstalling all existing packages before upgrade and reinstalling them after upgrade. There are many other potential issues here, the OpenBSD team HIGHLY recommends you reinstall from scratch. Note that an a.out binary emulation is provided by sysctl for binary-only applications that require it. If you are doing an upgrade, you will almost certainly need to enable this.
* Binary Emulations are disabled by default. This was done to make it more difficult to run a malicious program written for another platform on OpenBSD. This will prevent many ports from working properly until the emulation is activated as needed by use of sysctls. The standard GENERIC kernel has these options included, just disabled. No kernel recompile is needed. For more information, see this article. If you are doing an upgrade, you will almost certainly need to enable compat_aout.
* The 8G limit for the root partition is now gone. The i386 platform now supports booting anywhere within the BIOS supported area of the disk. Yes, this means the 8G limit of previous versions no longer applies. Intelligent partitioning is still highly recommended.
* PXE Booting. The i386 and amd64 platforms now support PXE booting for install.
* New Platforms. OpenBSD has added new platforms for 3.5:
cats, a StrongARM-based development board,
amd64, the AMD 64 bit processor, and
mvme88k, systems based on the Motorola 88000 series RISC processors.
* sparc64 now uses GCC 3.3.2. The sparc64 platform has switched to GCC 3.3.2 instead of the GCC 2.95.3 used on other platforms. Reinstallation is highly recommended over upgrading existing systems. The new cats and amd64 platforms are also using GCC 3.2.2. Local additions like ProPolice and other improvements are, of course, in the new GCC.
* New users and groups. Several new users and groups have been added to OpenBSD due to privilege separation. Upgraders will have to be sure to update their /etc directory carefully to incorporate them, as directed on upgrade-minifaq. [/quote]
De volledige Changelog: [url=http://www.openbsd.org/plus35.html]hier[/url]
Mirrors: [url=http://www.openbsd.org/ftp.html]hier[/url]

Scott Long melde op de FreeBSD Stable list dat de beta van 4.10 is uitgebracht. De grootste verandering is wel de backport van de USB stack van de 5.X serie naar 4.X.

[quote]
I’m pleased to announce the availability of 4.10-BETA for i386.
4.10-BETA for alpha will be following shortly as we work out some
problems. 4.10 is the next step in the 4-STABLE branch, and as
such contains primarily bug fixes and incremental functionality
improvements. One significant new feature is the merging of the
USB stack and drivers from 5.x. This should provide significantly
better USB support from what previously existed in 4.x, and I ask
everyone to test it out as much as possible in the BETA phase.

The BETA phase will last for at least another 10 days and might include
a BETA2 snapshot to address some sysinstall and boot floppy issues
that we recently came across. We ask that everyone thoroughly test
this out so that we can have a stable and successfull 4.10 release.
I would also like to thank Ken Smith for his invaluable help in getting
this released, and I would like to welcome Hiroki Sato to the release
engineering team![/quote]

[url=http://lists.freebsd.org/pipermail/freebsd-stable/2004-April/007026.html]Link[/url]

Bij ONLamp is een interview verschenen met de makers van de OpenBSD’s PF packet filter. In het interview wordt de tot stand koming van PF uit de doeken gedaan. Naast het verleden worden de nieuwe features van PF in OpenBSD 3.5 besproken.

[url=http://www.onlamp.com/pub/a/bsd/2004/04/15/pf_developers.html]Artikel[/url]

Bron: [url=owner-security-announce@openbsd.org]Bron[/url]Due to a bug in the parsing of Allow/Deny rules for httpd’s access
module‚ using IP addresses without a netmask on big endian 64-bit
platforms causes the rules to fail to match. This only affects
sparc64.

The problem is fixed in -current‚ 3.4-stable and 3.3-stable.

Patches are available at:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/014_httpd2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/019_httpd2.patch