From matt at ixsystems.com Mon Nov 10 12:14:00 2008
From: matt at ixsystems.com (Matt Olander)
Date: Mon Nov 10 12:36:22 2008
Subject: [FreeBSD-Announce] meetBSD California - 5 Days Left!
Message-ID: <2018F825-5EC6-4B64-A57F-0D4366004E89@ixsystems.com>
Hi everyone,
There are only 5 days left until meetBSD California at the Googleplex
in Mountain View, California starting Saturday, November 15th at 10am.
The first meetBSD in the United States also marks the 15th Anniversary
of the FreeBSD operating system, which will be commemorated with an
After-Party on Saturday night hosted at the Buddha Lounge.
We still have a few spots left (around 25-30, I believe) but
registration will be closing at some point over the next few days, so
if you've been putting off registering, now is the time! The
conference is *free* to attend and only $50 dollars for you and a
guest to attend the After-Party, which includes dinner and drinks :-)
More information as well as the registration form can be found at
http://www.meetBSD.com. If you are attending the conference but not the
party, leave the party checkbox blank and select Mail-In Payment and you
will not be billed.
See you all there!
-matt
--
Matt Olander
meetBSD Conference Team
From deb at freebsd.org Wed Nov 12 07:54:06 2008
From: deb at freebsd.org (Deb Goodkin)
Date: Wed Nov 12 08:56:20 2008
Subject: [FreeBSD-Announce] Foundation Project Announcement
Message-ID: <491AFC2C.2030107@freebsd.org>
Dear FreeBSD Community,
The FreeBSD Foundation is pleased to announce one of the projects from
the accepted project proposals!
The project is to make FreeBSD tolerate the removal of active disk
devices, such as when a USB flash device with a mounted filesystem is
physically detached by a user. Currently the system may panic in this
situation. The work involves adding proper reference counting to
strategic portions of the kernel and modifying filesystems to properly
handle "device lost" errors.
Edward Tomasz Napierala is the developer working on this project.
"We are very excited to be able to fund this project, which we know is
of great interest to our users, especially in the desktop space," said
Robert Watson, president of The FreeBSD Foundation.
Robert also said, "The removable USB disk causing a crash turns out to
be our #1 reported bug."
"I am very happy to have the opportunity to work on this exciting
project," said Edward Tomasz Napierala, FreeBSD developer. "It's just
wrong when the system panics because you removed the pendrive!," he added.
The project will be completed by February 2009.
Sincerely,
The FreeBSD Foundation
From brd at FreeBSD.org Sun Nov 16 08:16:37 2008
From: brd at FreeBSD.org (Brad Davis)
Date: Sun Nov 16 08:18:38 2008
Subject: [FreeBSD-Announce] Official FreeBSD Forums
Message-ID: <20081116160403.GC79046@valentine.liquidneon.com>
Dear FreeBSD users,
The FreeBSD project is finally, after much work, pleased to announce the
availability of an official FreeBSD web based discussion forum. It is
our hope that this forum will serve as a public support channel for
FreeBSD users around the world and as a complement to our fine mailing
lists.
You can register and start using our new service here:
http://forums.FreeBSD.org
The structure of the forum is still in a late beta stage, so if you have
ideas, suggestions for improvements or bug reports, send them to:
forum-moderators at FreeBSD dot org.
Please also have a look at our rules before you create your first thread
or post your first message. You can find our official list of forum
rules here:
http://forums.freebsd.org/faq.php?faq=vb_faq#faq_rules
Also, FreeBSD developers (people with commit access to our CVS/SVN trees)
can be distinguished by having an '@' character at the end of their
username.
It is our hope that both users and developers will find this new service
useful. Please help spread the word.
Sincerely,
The FreeBSD Forums Admin Team
From security-advisories at freebsd.org Mon Nov 24 09:47:13 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Mon Nov 24 09:47:20 2008
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
Message-ID: <200811241747.mAOHlDSE034716@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08.11.arc4random                                 Security Advisory
                                                          The FreeBSD Project
Topic:          arc4random(9) predictable sequence vulnerability
Category:       core
Module:         sys
Announced:      2008-11-24
Credits:        Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects:        All supported versions of FreeBSD.
Corrected:      2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
                2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
                2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
                2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name:       CVE-2008-5162
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts. During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.
II. Problem Description
When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.
III. Impact
All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed. The list
includes:
* GEOM ELI providers with onetime keys. When a provider is configured in
a way so that it gets attached at the same time during boot (e.g. it
uses the rc subsystem to initialize) it might be possible for an
attacker to recover the encrypted data.
* GEOM shsec providers. The GEOM shsec subsystem is used to split a shared
secret between two providers so that it can be recovered when both of
them are present. This is done by writing the random sequence to one
of providers while appending the result of the random sequence on the
other host to the original data. If the provider was created within the
first 300 seconds after booting, it might be possible for an attacker
to extract the original data with access to only one of the two providers
between which the secret data is split.
* System processes started early after boot may receive predictable IDs.
* The 802.11 network stack uses arc4random(9) to generate initial vectors
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.
* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.
IV. Workaround
No workaround is available for affected systems.
V. Solution
NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc
[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                  Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/dev/random/randomdev.c        1.59.2.2
  src/sys/dev/random/randomdev_soft.c   1.11.2.3
RELENG_6_4
  src/UPDATING                          1.416.2.40.2.2
  src/sys/dev/random/randomdev.c        1.59.2.1.8.2
  src/sys/dev/random/randomdev_soft.c   1.11.2.2.6.2
RELENG_6_3
  src/UPDATING                          1.416.2.37.2.11
  src/sys/conf/newvers.sh               1.69.2.15.2.10
  src/sys/dev/random/randomdev.c        1.59.2.1.6.1
  src/sys/dev/random/randomdev_soft.c   1.11.2.2.4.1
RELENG_7
  src/sys/dev/random/randomdev.c        1.61.2.1
  src/sys/dev/random/randomdev_soft.c   1.15.2.1
RELENG_7_0
  src/UPDATING                          1.507.2.3.2.10
  src/sys/conf/newvers.sh               1.72.2.5.2.10
  src/sys/dev/random/randomdev.c        1.61.4.1
  src/sys/dev/random/randomdev_soft.c   1.15.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1
N/cAoIjgcsh6sZG/upobud4TVme9QJPf
=SKuK
-----END PGP SIGNATURE-----
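The reseed timing described in sections II and III of the advisory above, as a small user-space model. This is an added example, not FreeBSD kernel code and not the patch the advisory distributes. The `pool` and `gen` structures, the 0xA5 fill standing in for "no entropy yet", the per-boot secrets and the `hardened` reseed-on-ready policy are all assumptions made for illustration; only the 300 second and 64k thresholds come from the advisory text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RESEED_SECS  300      /* window quoted in the advisory */
#define RESEED_BYTES 65536    /* "64k of random data" */
struct pool { int seeded; uint8_t key[16]; };   /* stand-in for Yarrow */
struct gen  { uint8_t s[256], i, j; size_t used; long t_seed; int strong; };

/* Fetch key material; an unseeded pool can only give a boot-invariant value. */
static void pool_read(const struct pool *p, uint8_t out[16])
{
    memset(out, 0xA5, 16);                      /* assumed placeholder value */
    if (p->seeded) memcpy(out, p->key, 16);
}

/* RC4 key schedule; records when and from what quality of entropy we keyed. */
static void gen_seed(struct gen *g, const struct pool *p, long now)
{
    uint8_t k[16], j = 0, t;
    pool_read(p, k);
    for (int n = 0; n < 256; n++) g->s[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + g->s[n] + k[n % 16]);
        t = g->s[n]; g->s[n] = g->s[j]; g->s[j] = t;
    }
    g->i = g->j = 0; g->used = 0; g->t_seed = now; g->strong = p->seeded;
}

/* Produce n bytes. The timer and byte-count reseeds model the behaviour the
 * advisory describes; `hardened` adds a reseed as soon as the pool is ready. */
static void gen_read(struct gen *g, const struct pool *p, long now,
                     int hardened, uint8_t *out, size_t n)
{
    if (now - g->t_seed >= RESEED_SECS || g->used >= RESEED_BYTES ||
        (hardened && p->seeded && !g->strong))
        gen_seed(g, p, now);
    for (size_t k = 0; k < n; k++) {
        uint8_t t;
        g->i++; g->j = (uint8_t)(g->j + g->s[g->i]);
        t = g->s[g->i]; g->s[g->i] = g->s[g->j]; g->s[g->j] = t;
        out[k] = g->s[(uint8_t)(g->s[g->i] + g->s[g->j])];
    }
    g->used += n;
}

/* One boot: generator keyed at t=0 from an empty pool, pool then seeded from
 * userland, consumer reads 32 bytes at time `when` (seconds since boot). */
static void boot(uint8_t boot_secret, int hardened, long when, uint8_t out[32])
{
    struct pool p = { 0, {0} };
    struct gen g;
    gen_seed(&g, &p, 0);
    memset(p.key, boot_secret, 16); p.seeded = 1;   /* constructed entropy */
    gen_read(&g, &p, when, hardened, out, 32);
}

/* 1 if two different boots emit the same 32 bytes, i.e. output is predictable. */
int same_across_boots(int hardened, long when)
{
    uint8_t a[32], b[32];
    boot(0x11, hardened, when, a); boot(0x7C, hardened, when, b);
    return memcmp(a, b, 32) == 0;
}
```

In the model, a consumer reading before the timer fires gets the same bytes on every boot even though good entropy is already in the pool; keying again as soon as the pool reports itself seeded closes that window.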
From deb at freebsd.org Wed Nov 26 08:10:46 2008
From: deb at freebsd.org (Deb Goodkin)
Date: Wed Nov 26 08:54:28 2008
Subject: [FreeBSD-Announce] FreeBSD Foundation Project Announcement
Message-ID: <492D74FC.3070407@freebsd.org>
Dear FreeBSD Community,
The FreeBSD Foundation is pleased to announce continued funding of the
network stack virtualization project, made possible by a grant from
NLNet. The virtualized network stack will significantly enhance
FreeBSD's jail functionality, allowing jails to have their own complete
and locally administered network stacks, including firewalls, routing,
and IPsec configurations. The Foundation will be sponsoring Bjoern Zeeb,
a FreeBSD network developer, to enhance the existing prototype, now
being merged into FreeBSD 8.x, as well as provide code review.
Sincerely,
The FreeBSD Foundation
From kensmith at FreeBSD.org Fri Nov 28 10:22:28 2008
From: kensmith at FreeBSD.org (Ken Smith)
Date: Fri Nov 28 10:22:37 2008
Subject: [FreeBSD-Announce] FreeBSD 6.4-RELEASE Available
Message-ID: <20081128181117.GA19512@myers.cse.buffalo.edu>
The FreeBSD Release Engineering Team is pleased to announce the availability
of FreeBSD 6.4-RELEASE. At this time 6.4-RELEASE is expected to be the
last of the 6-STABLE releases. Some of the highlights:
- New and much-improved NFS Lock Manager (NLM) client
- Support for the Camellia cipher
- boot loader changes allow, among other things, booting
from USB devices and booting from GPT-labeled devices
with GPT-enabled BIOSes
- DVD install ISO images for amd64/i386
- KDE updated to 3.5.10, GNOME updated to 2.22.3
- Updates for BIND, sendmail, OpenPAM, and others
For a complete list of new features and known problems, please see the
online release notes and errata list, available at:
http://www.FreeBSD.org/releases/6.4R/relnotes.html
http://www.FreeBSD.org/releases/6.4R/errata.html
For more information about FreeBSD release engineering activities,
please see:
http://www.FreeBSD.org/releng/
The FreeBSD Security Team intends to support 6.4-RELEASE until
November 30th, 2010.
Availability
-------------
FreeBSD 6.4-RELEASE is now available for the amd64, i386, pc98, and sparc64
architectures. The builds for the alpha architecture have not completed
yet and will be announced later. FreeBSD 6.4-RELEASE can be installed
from bootable ISO images or over the network; the required files can be
downloaded via FTP or BitTorrent as described in the sections below.
While some of the smaller FTP mirrors may not carry all architectures,
they will all generally contain the more common ones, such as i386 and
amd64.
MD5 and SHA256 hashes for the release ISO images are included at the
bottom of this message.
The contents of the ISO images provided as part of the release have changed
for most of the architectures. Using the i386 architecture as an example,
there are ISO images named "bootonly", "disc1", "disc2", "disc3", "docs",
and "dvd1". The "bootonly" image is suitable for booting a machine to do
a network based installation using FTP or NFS. The "disc1", "disc2", and
"disc3" images are CDROM-sized (700MB media) and are used to do a full
installation that includes a basic set of packages and does not require
network access to an FTP or NFS server during the installation. In addition,
"disc1" supports booting into a "live CD-based filesystem" and system rescue
mode. The "docs" image has all of the documentation for all supported
languages. The "dvd1" image is DVD-sized and includes everything that is
on the CDROM discs. So "dvd1" can be used to do a full installation that
includes a basic set of packages, it has all of the documentation for all
supported languages, and it can be used for booting into a "live CD-based
filesystem" and system rescue mode. Most people will find that "disc1",
"disc2" and "disc3" are all that are needed if their machine does not have
a DVD-capable drive. For people with machines that do have a DVD-capable
drive "dvd1" should be all that is required. If you intend to install ports
from source instead of using the pre-built packages included with the release
only "disc1" is needed.
FreeBSD 6.4-RELEASE can also be purchased on CD-ROM from several
vendors. One of the vendors that will be offering FreeBSD 6.4-based
products is:
~ FreeBSD Mall, Inc. http://www.freebsdmall.com/
BitTorrent
----------
6.4-RELEASE ISOs are available via BitTorrent. A collection of torrent
files to download the images is available at:
http://torrents.freebsd.org:8080/
FTP
---
At the time of this announcement the following FTP sites have
FreeBSD 6.4-RELEASE available.
ftp://ftp.freebsd.org/pub/FreeBSD/
ftp://ftp3.freebsd.org/pub/FreeBSD/
ftp://ftp7.freebsd.org/pub/FreeBSD/
ftp://ftp9.freebsd.org/pub/FreeBSD/
ftp://ftp10.freebsd.org/pub/FreeBSD/
ftp://ftp12.freebsd.org/pub/FreeBSD/
ftp://ftp.at.freebsd.org/pub/FreeBSD/
ftp://ftp.cz.freebsd.org/pub/FreeBSD/
ftp://ftp.dk.freebsd.org/pub/FreeBSD/
ftp://ftp.fi.freebsd.org/pub/FreeBSD/
ftp://ftp.fr.freebsd.org/pub/FreeBSD/
ftp://ftp2.ie.freebsd.org/pub/FreeBSD/
ftp://ftp.se.freebsd.org/pub/FreeBSD/
ftp://ftp.si.freebsd.org/pub/FreeBSD/
ftp://ftp1.ru.freebsd.org/pub/FreeBSD/
ftp://ftp2.uk.freebsd.org/pub/FreeBSD/
ftp://ftp3.us.freebsd.org/pub/FreeBSD/
ftp://ftp7.us.freebsd.org/pub/FreeBSD/
ftp://ftp9.us.freebsd.org/pub/FreeBSD/
ftp://ftp11.us.freebsd.org/pub/FreeBSD/
However, before trying these sites you may want to check your regional
mirror(s) first by going to:
ftp://ftp..FreeBSD.org/pub/FreeBSD
Any additional mirror sites will be labeled ftp2, ftp3 and so on.
More information about FreeBSD mirror sites can be found at:
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html
For instructions on installing FreeBSD, please see Chapter 2 of The
FreeBSD Handbook. It provides a complete installation walk-through
for users new to FreeBSD, and can be found online at:
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html
FreeBSD Update
--------------
The freebsd-update(8) utility supports binary upgrades of i386 and amd64
systems running earlier FreeBSD releases. Systems running 6.3-RELEASE,
6.4-BETA, 6.4-RC1, or 6.4-RC2 can upgrade as follows:
# freebsd-update upgrade -r 6.4-RELEASE
During this process, FreeBSD Update may ask the user to help by merging
some configuration files or by confirming that the automatically performed
merging was done correctly.
# freebsd-update install
The system must be rebooted with the newly installed kernel before continuing.
# shutdown -r now
After rebooting, freebsd-update needs to be run again to install the new
userland components, and the system needs to be rebooted again:
# freebsd-update install
# shutdown -r now
Note that FreeBSD Update stores downloaded upgrades in /var/db/freebsd-update,
so at least 400MB should be free in /var before running freebsd-update; if
the /var partition is too small, the -d option to freebsd-update can be used
to indicate that the upgrades should be stored in a different directory.
For more information, see:
http://www.daemonology.net/blog/2007-11-10-freebsd-minor-version-upgrade.html
Acknowledgments
----------------
Many companies donated equipment, network access, or man-hours to
finance the release engineering activities for FreeBSD 6.4 including
The FreeBSD Foundation, FreeBSD Systems, Hewlett-Packard, Yahoo!,
Network Appliances, and Sentex Communications.
The release engineering team for 6.4-RELEASE includes:
Ken Smith               Release Engineering,
                        amd64, i386, sparc64 Release Building,
                        Mirror Site Coordination
Robert Watson           Release Engineering, Security
Konstantin Belousov     Release Engineering
Marc Fonvieille         Release Engineering, Documentation
Maxime Henrion          Release Engineering
Bruce A. Mah            Release Engineering, Documentation
George Neville-Neil     Release Engineering
Hiroki Sato             Release Engineering, Documentation
Murray Stokely          Release Engineering
Wilko Bulte             Alpha Release Building
Takahashi Yoshihiro     PC98 Release Building
Kris Kennaway           Package Building
Joe Marcus Clarke       Package Building
Erwin Lansing           Package Building
Mark Linimon            Package Building
Pav Lucistnik           Package Building
Colin Percival          Security Officer
Peter Wemm              Bittorrent Coordination
Trademark
---------
FreeBSD is a registered trademark of The FreeBSD Foundation.
ISO Image Checksums
-------------------