Security Updates

Reporting Security Issues

Below are instructions for reporting issues. We do not have a bug bounty program. That's for large companies that make money. We are a volunteer open source project.

OS

For new issues that aren't already public, report security vulnerabilities to security@midnightbsd.org or via the GitHub private vulnerability feature.

For publicly disclosed issues, create a pull request at https://github.com/MidnightBSD/midnightbsd-vulns with the details. You may also create a PR to fix it on the src repository.

mports & Magus

Report security vulnerabilities to security@midnightbsd.org or create a pull request or issue on the mports repository for ports/packages that need updates. Also report Magus security issues here.

MidnightBSD Infrastructure

Report security vulnerabilities to security@midnightbsd.org.

The following are not vulnerabilities:

mport Software Packages

mport audit can be used to check for security issues with packages on mport versions included with MidnightBSD 3.0.2 and higher

To detect vulnerable software packages installed on the system, install the security advisory client. mport install security-advisory-client. Then simply run advisory.pl to check your system.

For third party security advisories related to packages, try the Security Advisory website.

MidnightBSD Security Advisories

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

others are listed below

February 13, 2023

MidnightBSD 2.2.7

tzdata 2022g

January 16, 2022

MidnightBSD 2.1.3

mport package manager (20121217)

Bug fix for HyperV support in Windows 2022 server.

Fix register restore for SSE/XMM

November 04, 2021

MidnightBSD 2.1.2

Updated mport 2.2.0 code with bugfixes and new plist features.

Updated tzdata to fix some DST changes in asia

Update root certificates bundle

December 20, 2020

libarchive 3.5.0

Update caroot certs

unbound 1.13.0

July 23, 2020

MidnightBSD 1.2.5 (in git)

Fix a 30 year old bug in mountd.

July 10, 2020

MidnightBSD 1.2.4, 1.1.4 (in git)

update libmport to fix several package installation bugs including permissions not getting set properly and path issues.

July 9, 2020

MidnightBSD 1.2.3 (in git)

Security update for sqlite3. Update to 3.32.3

Update unbound to 1.10.1

January 18, 2019

Updated in current for security issues:

OpenSSH 7.5p1 OpenSSL 1.0.2p Perl 5.28.0

October 25, 2016

MidnightBSD 0.8.3 RELEASE

Revised patch to address a problem pointed out by ahaha from Chaitin Tech.

October 1, 2016

MidnightBSD 0.8.2 RELEASE

Fix a regression with OpenSSL security.

Sendmail 8.15.2

October 27, 2014

0.5.4 RELEASE

libmport fix for packages

October 11, 2014

0.5.2-RELEASE

Fixed a regression with mksh R50c.

February 1, 2014

0.4-RELEASE-p7

Fix a minor annoyance with the default dot.profile and ssh-agent

November 29, 2013

MidnightBSD 0.4-RELEASE-p5

libc's iconv support includes an optimization that is imcompatible with gettext's msgfmt command. By turning off this optimization, we gain compatiblity with several GNU packages.

May 30, 2012

MidnightBSD 0.3-RELEASE-p8

Fix a problem with cyrpt's DES implementation when used with non 7-bit ascii passwords.

May 30, 2012

MidnightBSD 0.3-RELEASE-p7

An additional problem in OpenSSL was identified related to the previous (p6) patch.

Add SGC and BUF_MEM_grow_clean(3) bug fixes.

November 4, 2011

MidnightBSD 0.3-RELEASE-p4

Fix a problem with unix socket handling caused by the recent patch to unix socket path handling. This allows network apps to work under the linuxolator again.

March 10, 2007

While many of the DST changes were imported last year, we decided to cover all cases and import the latest tzdata2007c. Users concerned about DST changes should update their sources and rebuild. The java ports may not have DST changes in place. We will review that issue.