As many of you are probably aware, there is a serious security issue that is currently all over the web regarding the GNU BASH shell. We at the PC-BSD project are well aware of the issue, a fix is already in place to plug this security hole, and packages with this fix are currently building. Look for an update to your BASH shell within the next 24 hours in the form of a package update.
As a side note: nothing written by the PC-BSD project uses BASH in any way — and BASH is not built-in to the FreeBSD operating system itself (it is an optional port/package), so the level of severity of this bug is lower on FreeBSD than on other operating systems.
According to the FreeBSD mailing list: Bryan Drewery has already sent a notice that the port is fixed in FreeBSD. However, since he also added some good recommendations in the email for BASH users, we decided to copy that email here for anyone else that is interested.
From: Bryan Drewery — FreeBSD mailing list
The port is fixed with all known public exploits. The package is
However bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands as well as these guidelines:
1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI
4. httpd/CGId should never run as root, nor “apache”. Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.
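One way to audit a FreeBSD host against guidelines 1, 2, 5 and 6 above, as an added example that is not part of the PC-BSD post or of Bryan Drewery's mail. It assumes FreeBSD-style paths (/bin/sh, /etc/passwd, /etc/ssh/sshd_config) and a web account named www, and every check takes its file path as a parameter so it can be exercised on constructed sample files first.

```shell
#!/bin/sh
# Added audit helper for the guidelines above (not from the PC-BSD post or the mail).
# Paths and the web account name are parameters, so it runs on sample files too.

# Guideline 1: is this sh binary (normally /bin/sh) really bash behind a symlink?
sh_is_bash() {   # arg: path to sh
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    case "$(basename "$target")" in bash*) return 0 ;; *) return 1 ;; esac
}

# Guideline 2: does the account have a nologin shell in this passwd-format file?
user_has_nologin() {   # args: passwd-file user
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$shell" in */nologin) return 0 ;; *) return 1 ;; esac
}

# Guidelines 3 and 5: does a script (CGI program, restrictive shell) run under bash?
script_uses_bash() {   # arg: script file
    case "$(head -n 1 "$1")" in '#!'*bash*) return 0 ;; *) return 1 ;; esac
}

# Guideline 6: return 0 only if no forced command in an authorized_keys file or
# sshd_config invokes bash (command="..." key options and ForceCommand lines;
# comment lines are skipped, a literal '"' inside the command is not handled).
forced_commands_avoid_bash() {   # arg: file
    ok=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*) ;;
            *command=\"*bash*\"*|*ForceCommand*bash*)
                echo "forced command uses bash: $line"; ok=1 ;;
        esac
    done < "$1"
    return $ok
}

# Run all host-level checks with FreeBSD defaults; the web user name is assumed.
audit_host() {
    rc=0
    sh_is_bash /bin/sh && { echo "/bin/sh is linked to bash"; rc=1; }
    user_has_nologin /etc/passwd "${WEBUSER:-www}" || { echo "web user has a login shell"; rc=1; }
    [ -f /etc/ssh/sshd_config ] && { forced_commands_avoid_bash /etc/ssh/sshd_config || rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it with `--live` on a host to apply the checks to the real paths; a non-zero exit means at least one guideline is not met.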
For more information on the bug itself, you can visit Ars Technica and read the article by clicking the link below.
Most of you have already heard of the Heartbleed vulnerability, the flaw in OpenSSL encryption. For any of you that may not be aware (which is probably precious few), the Heartbleed vulnerability is basically a flaw that may allow a malicious user to read information that OpenSSL is supposed to keep protected. The good news is that the FreeBSD project and PC-BSD have both released fixes that apply to versions 10.x. If you are currently running a machine with PC-BSD 9.x, you are using an earlier version of OpenSSL that does not have the vulnerability, so no action is necessary to protect yourself from this. If you are running PC-BSD version 10.x, make sure to use the “system updater” to apply the security patch to OpenSSL. After applying the fix, reboot your computer and you should be good to go.
Kris has finished a new PBI run-time that will fix a number of stability issues users may have been experiencing while using PBIs. The fix has also helped speed up load times for some of the larger PBIs that may have been hanging or taking a long time to load.
Update Center is moving forward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We’d like to add a special thanks to the author Yuri for the primary design and layout of the Update Center. Ken will also be working to help smooth out GUI design elements and help with integrating it fully into PC-BSD.
Other Updates / Bug Fixes:
* Updated openssl packages for 10.0 PRODUCTION/EDGE
* Patched issue with KRDC using FreeRDP version in ports
* A new 9.2 server has been spun up and building PBIs for 9.2 again. (Server failed earlier this week)
* Started work on PBI runtime for Linux compat applications
* Another large chunk of work on Lumina
* Bugfixes for pc-mixer (showing the proper icons)
* Life-Preserver bugfixes
* Large update to the available 10.x PBIs. All updates are finished, a few new applications were also added.
* Bugfixes on a number of PBIs (waiting on rebuilds to test/approve the new fixed apps)
* Hindi translation project now about 75% complete
The PC-BSD development team has been abuzz this week with awesome suggestions on how we can standardize the way we write PC-BSD utilities and software. One thing we’ve begun to realize is that as more people are contributing to the project, it is ever more important to make sure that there are clear standards for development. Even our primary developers will admit it’s easy to forget to use the same icon pack or file menu layout when you get busy writing the main program. Going forward you can expect these standards to impact most of the PC-BSD utilities and programs you use every day, although in a relatively minor way. Everything will still function exactly the same, but whether you are using AppCafe or the Warden you can expect the file menu layout / program layout to follow the same general rules. For more information please check out “Becoming a Developer” in the PC-BSD 10.1 wiki. If you’d like to join the discussion you can email [email protected]
I’ve seen some discussion lately about the life cycle of PC-BSD branches. I sat down with Kris Moore in IRC and asked if he wouldn’t mind clarifying the release cycle for our users. Kris answered that the general rule of thumb is that a branch will continue to be supported for 6 months after the next branch is released. The updates include all of the things you would expect, like new PBI and security updates. So for users of 9.2 you can expect support to continue through June of 2014. 9 Stable was an “experimental” branch and is no longer supported at this time. Users of 9 Stable are encouraged to upgrade to 9.2 or 10.0 Release to continue to receive important updates.
You can expect to see tons of improvements coming up for PC-BSD 10.1. One of the biggest is that Kris and Yuri have been working to fix Linux jail support in the Warden. A handful of commits went into the tree today that address the previous problems users have been having with Linux jails. Kris has continued to refine the Warden and PBI systems to fix some bugs that were causing major stability issues in certain scenarios. Minor cosmetic changes are coming for most PC-BSD utilities to bring them up to the same standards outlined in the “Become a Developer” section in the PC-BSD 10.1 wiki.
That’s it for this week folks. Lots of good things are in the works, so stay tuned to the blog for more important PC-BSD news!
You can feel it in the air, can’t you? That time when we gather with family and friends, sit down to eat a great meal, and let the dog eat half the turkey. Oh wait, maybe that was just Kris last year… doh! All kidding aside, check out all these amazing gifts that have been neatly placed under our “ports tree
When Kris told me he wanted me to help act as QA for the PC-BSD project, it never occurred to me that someone had to test all those nifty PBIs in the AppCafe when there’s a big release. Let me tell you, after a week of testing PBIs I have a whole new appreciation for what Ken does on a weekly basis. Thankfully the weekend is finally here, and it’s time to look at what else has been going on over this last week.
Over 200 PBIs have been populated into the PC-BSD 10 Stable AppCafe. We are plugging away at approving and testing more, but it is hard to know just how long it will take. Most of what I would consider the “important
As many of you are now aware, part of the FreeBSD build infrastructure was compromised recently. Many people have been contacting us asking how this relates to PC-BSD users. We currently locally compile and distribute all of our own packages, and at this time it looks like nothing on the PC-BSD side was impacted.
However, if you are a power user and have been manually using pkg_add to install packages from the FreeBSD package cluster, you may wish to remove these packages and rebuild them from source. For more details regarding the security compromise, please take a look at the official FreeBSD page.