News MidnightBSD News

From the MidnightBSD developer blog

Thu, 22 Aug 2013 04:00

0.4-RELEASE-p2 : Fix IP MULTICAST and SCTP vulnerabilities

Fix two security vulnerabilities.

Fix an integer overflow in IP_MSFILTER (IP MULTICAST). This could be exploited to read memory by a user process.
When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.
Patches obtained from: FreeBSD
...

Wed, 17 Jul 2013 04:00

Bug in 0.4-RELEASE

We've identified a bug related to package management in MidnightBSD .0.4-RELEASE.

The hash check that is part of libmport is improperly working. This means you can't install packages with the mport command.

To work around this issue, please checkout the 0.4-RELEASE source from CVS using the directions onthe site and then rebuild and install libmport.

cd /usr/src/lib/libmport

make

make install

...

Mon, 08 Jul 2013 04:00

Downloading MidnightBSD

In addition to our mirrors, we have some other options for downloading 0.4 release popping up.

...

Sat, 06 Jul 2013 04:00

MidnightBSD 0.4-RELEASE

MidnightBSD 0.4 has been released on July 5, 2013. It includes many new features, but
of particular interest is the new package management tool, mport.
This release is a bit different from previous releases in that we plan to update
packages during the support period for 0.4. Rather than upload packages and
sit on them for the life of the release, you will be able to download updated
packages for i386 and amd64 periodically.
Due to this new feature, our initial package offering is smaller than we've done
for previous releases as many things had to get migrated and updated. We plan
to expand the packages available in the coming weeks.
In addition to mport, we've imported a large number of features from FreeBSD 9.1
including ZFS with ZPOOL 28/dedup support, LLVM + CLANG in base, migration to GPT
as the default in the installer, bsdinstall, BSD licensed sort and grep,
cpucontrol(8), and UFS2 + SUJ (journaling). We've also imported the newer FreeBSD
USB stack, NFSv4 client, syscons, and CAM based ATA.
Support for newer hardware includes Intel Sandybridge and Ivy Bridge graphics,
various wifi chipsets, updates to Intel and Realtek ethernet adapters, and acpi.
The default system compiler is still GCC 4.2, but it has been updated to a newer release.
We also removed libobjc from base as it was GCC specific and we want to migrate to
libobjc2. We offer libobjc2 in mports and it will work with GCC and LLVM.
MidnightBSD now has it's own GPT partition types and offers a new search command,
msearch.
libc gains strnlen(3), memrchr(3), stpncpy(3).
We've also imported and updated many third party libraries:
bzip2 version 1.0.6
Diffutils 3.2
FILE 5.05
OpenSSH 5.8p2
SQLite 3.7.15.2
MKSH R44
NetBSD's iconv
BIND 9.8
tcsh 6.18.01
Perl 5.14.2
mDNSResponder 333.10
less v436
libarchive 3.0.3
libdialog (lgpl version)
libffi 3.0.10
wide-dhcpv6
openresolv
sendmail 8.14.5
sudo 1.7.4-p6
tzdata_2012j
This release is a bit disruptive due to the number of changes, but it was decided
to move forward with it due to the age of 0.3-RELEASE. The next release is planned

as a stability release and meant to work on desktop related functionality.

...

Wed, 26 Jun 2013 04:00

MidnightBSD Update

There have been two snapshots release in the last few months, i386 and amd64. The former appears to be bug free and was created this month. You can find it in the snapshots directory under i386 and0.4-130610-SNAP. The amd64 snap has a few bugs, but can be installed.

Both of these snapshots are for 0.4-CURRENT. Recently, we created a branch for 0.4 and there are a few large big fixes and one security update since the snapshots were released. It is strongly recommended to rebuild from the 0.4 branch after installing a snapshot.

There are currently no packages for i386 available. The index does not work with the newer mport tool in RELENG_0_4. As the ports tree is in the middle of a major update, it's not stable enough to release packages yet. I'm working on this problem.

Most notebly QT4 is broken right now. X.org ports, dbus, gcc and many other ports have been updated in the last month. There have been many architecture changes to the mports/Mk extensions as well. We now support some FreeBSD ports USES statements (pathfix, charset, ncurses, pkgconfig) which makes migrating ports from FreeBSD easier.

Magus has been running lately and churning out test builds of packages. The results for the last 3 runs were quite bad.

...

Sun, 14 Apr 2013 04:00

0.4 amd64 snap on FTP

We have a new snapshot uploading to the FTP server. It's the first snap in a year. This snapshot is a little buggy, but does allow you to install MidnightBSD.

Please note there are many changes from 0.3-RELEASE:

1. Uses new midnightbsd partition types: mnbsd-ufs, mnbsd-boot, etc on GPT

2. ZFS is much newer than 0.3. If you upgrade your pools, you can't use them with 0.3 anymore.

3. KMS with Intel Ivy Bridge graphics

4. Installer is completely different

5. hastd

6. updated mksh, BIND, tcsh, file, diff, binutils, mDNSResponder, libffi, openpam, openresolv, tnftp, tzcode, tzdata, wpa, xz, compiler_rt, sqlite3, ncurses, netcat, pf, traceroute, perl, openssh, openssl, less

7. updated from FreeBSD: make ipfw & ash, forth menus for the loader, bsdinstall, bsd sort, new USB stack, new cam based ATA, geom

8. llvm + clang

mport is the default package manager!

Major hardware support updates.. several wifi adapters, etc.

...

Wed, 20 Feb 2013 05:00

New Magus run

Here's the latest run from magus. Package count was just shy of 1800. Many of these failures are related to Java ports. I've made a change tonight to fix most of these.

238 0.4 amd64 active 2013-02-19 16:13:36
...

Tue, 19 Feb 2013 05:00

Latest magus run results

We started up our package build cluster again. A run was queued up on the 10th and run over the weekend on the new server hardware. The results are much better than I expected after such a long time without magus.

ID OSVersion Arch Status Created
237 0.4 amd64 active 2013-02-10 16:49:31
...

Thu, 31 Jan 2013 05:00

0.4-CURRENT progress

There have been many updates in current lately. BIND 9.8 is in progress.

Here's a brief changelog.

20130125:
        MKSH R41 imported

20130122:
        OpenSSH 5.8p2 imported

        SQLite 3.7.15.2 imported

        Fixed a longstanding bug in libmport extrating new index
files.


...

Thu, 31 Jan 2013 05:00

MidnightBSD 0.3-RELEASE-p10

Fix a longstanding bug with libmport's return status. As this affects installation of ports, an update was applied to this branch. This is not a security update and not needed for pkg_tools.

...

Tue, 03 Jul 2012 04:00

MidnightBSD 0.3-RELEASE-p9

MidnightBSD 0.3-RELEASE-p9

Bind vulnerability related to resource records.  See CVE-2012-1667.


...

Tue, 03 Jul 2012 04:00

0.3-RELEASE-p8

MidnightBSD 0.3-RELEASE-p8

Fix a problem with cyrpt's DES
implementation when used with non 7-bit ascii passwords.


...

Thu, 31 May 2012 04:00

0.3-RELEASE-p7

MidnightBSD 0.3-RELEASE-p7 fixes a new security issue found in OpenSSL. It is recommended for all users.

0.4-CURRENT has also been updated.

...

Thu, 03 May 2012 04:00

MidnightBSD 0.3-RELEASE-p6

Several security issues have been addressed in OpenSSL in the latest security update for MidnightBSD. 0.3-RELEASE-p6 and 0.4-CURRENT have been patched to work around these issues.

OpenSSL failes to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accept SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptograpy (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates

or RSA public keys. [CVE-2012-2110]

...

Sat, 24 Mar 2012 04:00

New ZFS Documentation

I've created some basic ZFS documentation on the website. This is in addition to some content on the wiki. Anyone interested in using ZFS on MidnightBSD may wish to look at it as a starting point. It doesn't replace the man pages though.

...