PC-BSD at Ohio Linux Fest

Several members of the PC-BSD and FreeBSD Projects will be at Ohio LinuxFest, to be held at the Greater Columbus Convention Center in Columbus, OH on October 24–26. Paid and free registration is available for this event.

Ken Moore will present “Lumina DE: A new desktop environment for PC-BSD” on Friday, October 11 at 11:00. Dru Lavigne will present “A Sneak Peak at FreeNAS 9.3” on Friday, October 24 at 15:00. Dan Langille will present “Virtualization with FreeBSD Jails, ezjail, and ZFS” on Saturday, October 25 at 14:00.

There will be a FreeBSD booth in the expo area. Expo hours are 17:00–19:00 on Friday, October 24 and 8:00–17:00 on Saturday, October 25. As usual, we’ll have cool swag, PC-BSD DVDs, FreeNAS CDs, and will accept donations to the FreeBSD Foundation.

The BSDA certification exam will be available at 16:00 on Saturday, October 25 and at 10:00 on Sunday, October 26. The cost for the exam is $75.

PC-BSD at All Things Open

There will be a FreeBSD booth in the expo area of All Things Open, to be held at the Raleigh Convention Center in Raleigh, NC on October 22–23. Registration is required for this event.

Expo hours are from 8:00–17:00 on Tuesday, October 21 and Wednesday, October 22. As usual, we’ll have some cool swag, PC-BSD DVDs, FreeNAS CDs, and brochures. We will also accept donations to the FreeBSD Foundation.

SSLv3

UPDATE 2014-10-14 23:40 UTC The details have been published: meet the SSL POODLE attack.

UPDATE 2014-10-15 11:15 UTC Simpler server test method, corrected info about browsers

UPDATE 2014-10-15 16:00 UTC More information about client testing

El Reg posted an article earlier today about a purported flaw in SSL 3.0 which may or may not be real, but it’s been a bad year for SSL, we’re all on edge, and we’d rather be safe than sorry. So let’s take it at face value and see what we can do to protect ourselves. If nothing else, it will force us to inspect our systems and make conscious decisions about their configuration instead of trusting the default settings. What can we do?

The answer is simple: there is no reason to support SSL 3.0 these days. TLS 1.0 is fifteen years old and supported by every browser that matters and over 99% of websites. TLS 1.1 and TLS 1.2 are eight and six years old, respectively, and are supported by the latest versions of all major browsers (except for Safari on Mac OS X 10.8 or older), but are not as widely supported on the server side. So let’s disable SSL 2.0 and 3.0 and make sure that TLS 1.0, 1.1 and 1.2 are enabled.

What to do next

Test your server

The Qualys SSL Labs SSL Server Test analyzes a server and calculates a score based on the list of supported protocols and algorithms, the strength and validity of the server certificate, which mitigation techniques are implemented, and many other factors. It takes a while, but is well worth it. Anything less than a B is a disgrace.

If you’re in a hurry, the following command will attempt to connect to your server using SSL 2.0 or 3.0:

:|openssl s_client -ssl3 -connect www.example.net:443

If the last line it prints is DONE, you have work to do.

Fix your server

Disable SSL 2.0 and 3.0 and enable TLS 1.0, 1.1 and 1.2 and forward secrecy (ephemeral Diffie-Hellman).

For Apache users, the following line goes a long way:

SSLProtocol ALL -SSLv3 -SSLv2

It disables SSL 2.0 and 3.0, but does not modify the algorithm preference list, so your server may still prefer older, weaker ciphers and hashes over more recent, stronger ones. Nor does it enable Forward Secrecy.
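
To find directives like this across a configuration, the sketch below evaluates each SSLProtocol line and also reports the two gaps just mentioned (cipher preference order and cipher suite). It is an added example, not code from the original post; the meaning of ALL, the rule that an unprefixed name replaces the set, the file-wide treatment of SSLHonorCipherOrder and SSLCipherSuite, and the sample configuration are assumptions.

```python
import re

# Assumption: "all" is modelled as every protocol name used on this page;
# what a real build enables depends on its Apache and OpenSSL versions.
ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = {"SSLv2", "SSLv3"}
CANONICAL = {name.lower(): name for name in ALL}
DIRECTIVE = re.compile(
    r"^\s*(SSLProtocol|SSLHonorCipherOrder|SSLCipherSuite)\s+(.*?)\s*$", re.I)

# Constructed sample configuration (not from the original post).
SAMPLE = """\
# main server
SSLEngine on
SSLProtocol ALL -SSLv2
<VirtualHost *:443>
    SSLProtocol ALL -SSLv3 -SSLv2
</VirtualHost>
"""


def effective_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive, left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            chosen = set(ALL)
        elif name in CANONICAL:
            chosen = {CANONICAL[name]}
        else:
            raise ValueError("unknown protocol %r" % token)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            # Assumption: an unprefixed name replaces whatever came before it.
            enabled = chosen
    return enabled


def audit(config_text):
    """Return (line number, message) findings; line 0 means file-wide."""
    seen = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # comment lines start with '#': no match
        if match:
            seen.setdefault(match.group(1).lower(), []).append(
                (lineno, match.group(2)))
    findings = []
    if "sslprotocol" not in seen:
        findings.append((0, "no SSLProtocol directive, default settings apply"))
    for lineno, args in seen.get("sslprotocol", []):
        weak = sorted(effective_protocols(args) & LEGACY)
        if weak:
            findings.append((lineno, "enables " + ", ".join(weak)))
    honor = [args.lower() for _, args in seen.get("sslhonorcipherorder", [])]
    if "on" not in honor:
        findings.append((0, "SSLHonorCipherOrder is not on"))
    if "sslciphersuite" not in seen:
        findings.append((0, "no SSLCipherSuite, default preference list in use"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print("line %d: %s" % (lineno, message))
```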

The Mozilla wiki has an excellent guide for the most widely used web servers and proxies.

Test your client

The Poodle Test website will show you a picture of a poodle if your browser is vulnerable and a terrier otherwise. It is the easiest, quickest way I know of to test your client.

Qualys SSL Labs also have an SSL Client Test which does much the same for your client as the SSL Server Test does for your server; unfortunately, it is not able to reliably determine whether your browser supports SSL 3.0.

Fix your client

On Windows, use the Advanced tab in the Internet Properties dialog (confusingly not searchable by that name, search for “internet options” or “proxy server” instead) to disable SSL 2.0 and 3.0 for all browsers.

On Linux and BSD:

  • Firefox: open and set security.tls.version.min to 1. You can force this setting for all users by adding lockPref("security.tls.version.min", 1); to your system-wide Mozilla configuration file. Support for SSL 3.0 will be removed in the next release.

  • Chrome: there is apparently no way to disable SSL 3.0. Support for SSL 3.0 will be removed in the next release.

I do not have any information about Safari and Opera. Please comment (or email me) if you know how to disable SSL 3.0 in these browsers.

Good luck, and stay safe.

FreeBSD 10.1-RC2 Now Available

The second RC build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

The image checksums are included in the original announcement email.

Installer images and memory stick images are available here.

If you notice problems you can report them through the Bugzilla PR system or on the -stable mailing list.

If you would like to use SVN to do a source based update of an existing system, use the "releng/10.1" branch.

A list of changes since 10.0-RELEASE is available here.

Changes between 10.1-RC1 and 10.1-RC2 include:
  • Fix XHCI driver for devices which have more than 15 physical root HUB ports.
  • Fix old iSCSI initiator to work with new CAM locking.
  • Fix page length reported for Block Limits VPD page.
  • Add QCOW v1 & v2 support to mkimg(1).

Pre-installed virtual machine images for 10.1-RC2 are also available for amd64 and i386 architectures.  The images are located here.

The disk images are available in QCOW2, VHD, VMDK, and raw disk image formats.  The image download size is approximately 135 MB, which decompresses to a 20GB sparse image.

The partition layout is:
  • 512k - freebsd-boot GPT partition type (bootfs GPT label)
  • 1GB  - freebsd-swap GPT partition type (swapfs GPT label)
  • ~17GB - freebsd-ufs GPT partition type (rootfs GPT label)

To install packages from the dvd1.iso installer, create and mount the /dist directory:

# mkdir -p /dist
# mount -t cd9660 /dev/cd0 /dist

Next, install pkg(8) from the DVD:
 

# env REPOS_DIR=/dist/packages/repos pkg bootstrap

At this point, pkg-add(8) can be used to install additional packages from the DVD.  Please note, the REPOS_DIR environment variable should be used each time using the DVD as the package repository, otherwise conflicts with packages from the upstream mirrors may occur when they are fetched.  For example, to install Gnome and Xorg, run:
 

# env REPOS_DIR=/dist/packages/repos pkg install \
  xorg-server xorg gnome2 [...]

The freebsd-update(8) utility supports binary upgrades of amd64 and i386 systems running earlier FreeBSD releases.  Systems running earlier
FreeBSD releases can upgrade as follows:

# freebsd-update upgrade -r 10.1-RC2

During this process, freebsd-update(8) may ask the user to help by merging some configuration files or by confirming that the automatically
performed merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.


# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new userland components:


# freebsd-update install

It is recommended to rebuild and install all applications if possible, especially if upgrading from an earlier FreeBSD release, for example, FreeBSD 8.x.  Alternatively, the user can install misc/compat9x and other compatibility libraries, after which the system must be rebooted into the new userland:

# shutdown -r now

Finally, after rebooting, freebsd-update needs to be run again to remove stale files:

# freebsd-update install

Love FreeBSD?  Support this and future releases with a donation to the FreeBSD Foundation!

FreeBSD 10.1-RC2 Available

The second RC build for the FreeBSD 10.1 release cycle is now available. ISO images for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures are available on most of our FreeBSD mirror sites.

Testers: CentOS 6.5 Emulation and New AppCafe

For those of you on Edge and who wish to test the new Linux emulation and the new Appcafe, Kris has posted the instructions:

CentOS 6.5 emulation has been made the default for the EDGE packages going out this weekend. This replaces the legacy f10 package set. I’ve tested / confirmed that Flash works properly, haven’t tried net-im/skype4 yet, but a package is available for those who want to try.

I’ve seen a few issues doing the update here with PKG. It seems often the conflict detection won’t remove f10 on its own, so I’ve had to do this:

# pkg update -f
# pkg delete linux_base-f10\*
# pkg install nvidia-driver    # skip this if you don't use nvidia drivers
# pkg install pcbsd-base
# pkg upgrade
# pc-extractoverlay ports
# reboot

After reboot, you need to recreate the flash plugin:

% flashpluginctl off && flashpluginctl on

Let us know any issues you see with the newer linux emulation layer.

Also, if you run into problems launching / navigating the newer AppCafe, please open bug reports asap. We are working to stabilize that as quickly as possible. Bug reports should be created at bugs.pcbsd.org.

 

FreeBSD 10.1-RC1 Now Available

The first RC build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

The image checksums are included in the original announcement email.

Installer images and memory stick images are available here.

If you notice problems you can report them through the Bugzilla PR system or on the -stable mailing list.

If you would like to use SVN to do a source based update of an existing system, use the "releng/10.1" branch.

A list of changes since 10.0-RELEASE is available here.

Changes between 10.1-BETA3 and 10.1-RC1 include:
  • A bug that would cause all processes to appear to have the parent PID of '1' has been fixed.
  • Various updates to bsdinstall(8) and bsdconfig(8).
  • The Hyper-V KVP (key-value pair) driver has been added, and enabled by default on amd64 and i386 architectures.

Pre-installed virtual machine images for 10.1-RC1 are also available for amd64 and i386 architectures.  The images are located here.

The disk images are available in QCOW2, VHD, VMDK, and raw disk image formats.  The image download size is approximately 135 MB, which decompresses to a 20GB sparse image.

The partition layout is:
  • 512k - freebsd-boot GPT partition type (bootfs GPT label)
  • 1GB  - freebsd-swap GPT partition type (swapfs GPT label)
  • ~17GB - freebsd-ufs GPT partition type (rootfs GPT label)

To install packages from the dvd1.iso installer, create and mount the /dist directory:

# mkdir -p /dist
# mount -t cd9660 /dev/cd0 /dist

Next, install pkg(8) from the DVD:
 

# env REPOS_DIR=/dist/packages/repos pkg bootstrap

At this point, pkg-add(8) can be used to install additional packages from the DVD.  Please note, the REPOS_DIR environment variable should be used each time using the DVD as the package repository, otherwise conflicts with packages from the upstream mirrors may occur when they are fetched.  For example, to install Gnome and Xorg, run:
 

# env REPOS_DIR=/dist/packages/repos pkg install \
  xorg-server xorg gnome2 [...]

The freebsd-update(8) utility supports binary upgrades of amd64 and i386 systems running earlier FreeBSD releases.  Systems running earlier
FreeBSD releases can upgrade as follows:

# freebsd-update upgrade -r 10.1-BETA3

During this process, freebsd-update(8) may ask the user to help by merging some configuration files or by confirming that the automatically
performed merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.


# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new userland components:


# freebsd-update install

It is recommended to rebuild and install all applications if possible, especially if upgrading from an earlier FreeBSD release, for example, FreeBSD 8.x.  Alternatively, the user can install misc/compat9x and other compatibility libraries, after which the system must be rebooted into the new userland:

# shutdown -r now

Finally, after rebooting, freebsd-update needs to be run again to remove stale files:

# freebsd-update install

Love FreeBSD?  Support this and future releases with a donation to the FreeBSD Foundation!

FreeBSD 10.1-RC1 Available

The first RC build for the FreeBSD 10.1 release cycle is now available. ISO images for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures are available on most of our FreeBSD mirror sites.

Foundation at Grace Hopper Celebration of Women in Computing

The FreeBSD Foundation is excited to be participating in the Grace Hopper Celebration of Women in Computing conference to be held in Phoenix, AZ on October 8-10. As many of you know, Rear Admiral Grace Hopper was a pioneer in computing, inventor of the first compiler, and the first person to record a (literal) bug. This year's annual conference in her honor has a full registration of 8,000 women computing technologists from all over the world.

The Foundation is a Silver non-profit sponsor for this event and will have a booth in the Expo area. In addition to informational brochures and Foundation pens, we'll be giving away some stickers created for this event. The stickers say "I choose FreeBSD because I know my ability to create the future has nothing to do with my gender and everything to do with my skills".

As part of this year's Grace Hopper Open Source Day on October 8, Dru Lavigne will be presenting "An Introduction to FreeBSD" at 14:00 in rooms South 164-166.

Shteryana Shopova will be hosting a lunchtime table topic on FreeBSD at table #12 on October 9 from 12:45 to 15:30.

Registration has closed for this event as it has reached its maximum capacity. However, if you know a woman technologist who is attending, let her know about the FreeBSD booth, presentation, and lunchtime table topic.

bsdtalk245 – Looking for a new /home

Just a short update about the server that houses the podcast files.  University IT consolidation has created some unplanned changes, but I hope to have a new server spun up soon.  Also, curious to hear what all of you use for your home directory on the Internet.

File Info: 7Min, 3MB.

Ogg Link: https://archive.org/download/bsdtalk245/bsdtalk245.ogg

Cavium to Sponsor FreeBSD ARMv8 Based Implementation, PR Newswire, Cavium, Inc.

Cavium, Inc., a leading provider of semiconductor products that enable intelligent processing for enterprise, data center, cloud, wired and wireless networking announced today that it is collaborating with the FreeBSD Foundation to develop and deliver the first ARMv8 reference design and implementation of the FreeBSD Operating System based on the ThunderX workload optimized processor family for next generation Data Center and Cloud workloads.

FreeBSD 10.1-BETA3 Now Available

The third BETA build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

This is expected to be the final BETA release of the 10.1-RELEASE cycle.

The image checksums are included in the original announcement email.

Installer images and memory stick images are available here.

If you notice problems you can report them through the Bugzilla PR system or on the -stable mailing list.

If you would like to use SVN to do a source based update of an existing system, use the "stable/10" branch.

A list of changes since 10.0-RELEASE is available on the stable/10 release notes page.

Changes between 10.1-BETA2 and 10.1-BETA3 include:
  • Support for serial and null console has been added to the UEFI boot loader.
  • A potential panic triggered by referencing a device that has been renamed has been fixed in the cam(4) subsystem.
  • OpenPAM has been updated to the Ourouparia (20140912) release.
  • New sysctls have been added to vt(4) to enable or disable potentially dangerous key combinations (such as reboot, halt, and break to debugger).
  • The mkimg(1) utility has been updated to allow creating empty partition entries.
  • The GEOM_ELI class will now cache passphrases for disk decryption, which allows the system to boot after the first passphrase entry if the remaining disks on the system use the same passphrase.
  • Support for controlling mfi(4) controller properties has been added to mfiutil(8).
  • The /usr/lib32/compat shared library directory has been added to the default ld-elf32.so.1 path.
  • Use of "no" for a Norwegian keymap file is now permitted in rc.conf(5).
  • Several bug fixes to autofs(5) have been implemented.

Pre-installed virtual machine images for 10.1-BETA3 are also available for amd64 and i386 architectures.  The images are located here.

The disk images are available in QCOW2, VHD, VMDK, and raw disk image formats.  The image download size is approximately 135 MB, which decompresses to a 20GB sparse image.

The partition layout is:
  • 512k - freebsd-boot GPT partition type (bootfs GPT label)
  • 1GB  - freebsd-swap GPT partition type (swapfs GPT label)
  • ~17GB - freebsd-ufs GPT partition type (rootfs GPT label)

To install packages from the dvd1.iso installer, create and mount the /dist directory:

# mkdir -p /dist
# mount -t cd9660 /dev/cd0 /dist

Next, install pkg(8) from the DVD:
 

# env REPOS_DIR=/dist/packages/repos pkg bootstrap

At this point, pkg-add(8) can be used to install additional packages from the DVD.  Please note, the REPOS_DIR environment variable should be used each time using the DVD as the package repository, otherwise conflicts with packages from the upstream mirrors may occur when they are fetched.  For example, to install Gnome and Xorg, run:
 

# env REPOS_DIR=/dist/packages/repos pkg install \
  xorg-server xorg gnome2 [...]

The freebsd-update(8) utility supports binary upgrades of amd64 and i386 systems running earlier FreeBSD releases.  Systems running earlier
FreeBSD releases can upgrade as follows:

# freebsd-update upgrade -r 10.1-BETA3

During this process, freebsd-update(8) may ask the user to help by merging some configuration files or by confirming that the automatically
performed merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.


# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new userland components:


# freebsd-update install

It is recommended to rebuild and install all applications if possible, especially if upgrading from an earlier FreeBSD release, for example, FreeBSD 8.x.  Alternatively, the user can install misc/compat9x and other compatibility libraries, after which the system must be rebooted into the new userland:

# shutdown -r now

Finally, after rebooting, freebsd-update needs to be run again to remove stale files:

# freebsd-update install

Love FreeBSD?  Support this and future releases with a donation to the FreeBSD Foundation!

FreeBSD 10.1-BETA3 Available

The third BETA build for the FreeBSD 10.1 release cycle is now available. ISO images for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures are available on most of our FreeBSD mirror sites.

BASH shell bug

As many of you are probably aware, there is a serious security issue that is currently all over the web regarding the GNU BASH shell.  We at the PC-BSD project are well aware of the issue, a fix is already in place to plug this security hole, and packages with this fix are currently building. Look for an update to your BASH shell within the next 24 hours in the form of a package update.

As a side note: nothing written by the PC-BSD project uses BASH in any way — and BASH is not built into the FreeBSD operating system itself (it is an optional port/package), so the level of severity of this bug is lower on FreeBSD than on other operating systems.

According to the FreeBSD mailing list: Bryan Drewery has already sent a notice that the port is fixed in FreeBSD. However, since he also added some good recommendations in the email for BASH users, we decided to copy that email here for anyone else that is interested.
_______________

From: Bryan Drewery — FreeBSD mailing list

The port is fixed with all known public exploits. The package is
building currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor “apache”. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
_______________
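
A few of the guidelines above can be checked mechanically. The following is an added example, not part of Bryan Drewery's email or the PC-BSD post; it covers guidelines 1, 2 and 6, and the sample accounts, keys, paths and the SHEBANGS lookup table are constructed.

```python
import os
import re
import shlex

# Constructed sample inputs: accounts, keys and paths are made up.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
cgiapp:*:1001:1001:CGI application:/home/cgiapp:/usr/local/bin/bash
"""
AUTHORIZED_KEYS = """\
command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAA-constructed backup@example
command="/usr/local/bin/rsync --server --sender . /data" ssh-rsa AAAA-constructed mirror@example
"""
SSHD_CONFIG = """\
Match User deploy
    ForceCommand /usr/local/bin/bash /usr/local/libexec/deploy
"""
SHEBANGS = {"/usr/local/bin/backup.sh": "#!/usr/bin/env bash\n"}
KEY_COMMAND = re.compile(r'command="((?:\\.|[^"\\])*)"')

def sh_is_bash(sh_path="/bin/sh"):
    """Guideline 1: does /bin/sh resolve to a bash binary?"""
    return os.path.basename(os.path.realpath(sh_path)) == "bash"

def web_users_with_shell(passwd_text, web_users):
    """Guideline 2: web/CGI accounts whose shell is not a nologin binary."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] in web_users:
            if os.path.basename(fields[-1]) != "nologin":
                found.append((fields[0], fields[-1]))
    return found

def forced_commands(authorized_keys_text, sshd_config_text):
    """Guideline 6: collect authorized_keys command= and ForceCommand values."""
    commands = []
    for line in authorized_keys_text.splitlines():
        match = KEY_COMMAND.search(line)
        if match and not line.lstrip().startswith("#"):
            commands.append(match.group(1).replace('\\"', '"'))
    for line in sshd_config_text.splitlines():
        words = line.split(None, 1)
        if len(words) == 2 and words[0].lower() == "forcecommand":
            commands.append(words[1].strip())
    return commands

def read_first_line(path):
    try:
        with open(path, "rb") as handle:
            return handle.readline(256).decode("ascii", "replace")
    except OSError:
        return ""  # unreadable or missing file: nothing to inspect

def runs_bash(command, first_line_of=read_first_line):
    """True if the command is bash itself or a script with a bash '#!' line."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    if not argv:
        return False
    if os.path.basename(argv[0]) == "bash":
        return True
    first = first_line_of(argv[0])
    interpreter = first[2:].split()[:2] if first.startswith("#!") else []
    return any(os.path.basename(word) == "bash" for word in interpreter)

if __name__ == "__main__":
    print(web_users_with_shell(PASSWD, {"www", "cgiapp"}))
    for cmd in forced_commands(AUTHORIZED_KEYS, SSHD_CONFIG):
        print(runs_bash(cmd, lambda p: SHEBANGS.get(p, "")), cmd)
```

On a live system, call runs_bash without the second argument so that it reads each script's first line from disk.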

For more information on the bug itself you can visit arstechnica and read the article by clicking the link below.

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

Parole de Tux : Tux et FreeBSD [french], Captain Posix, Captain Posix

"Parole de Tux" is a Belgian monthly podcast which talks about news and technical topics regarding Free and Open Source Software. For the first time, this episode is dedicated to FreeBSD. The guest, a FreeBSD developer, sums up the history of the BSDs and their differences. He then briefly explains similarities and differences between a typical Linux distribution and FreeBSD before moving on to the main topic: the graphics stack, and how FreeBSD performs in this area.

FreeBSD 10.1-BETA2 Now Available

The second BETA build of the 10.1-RELEASE release cycle is now available on the FTP servers for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures.

The image checksums are included in the original announcement email.

Installer images and memory stick images are available here.

If you notice problems you can report them through the Bugzilla PR system or on the -stable mailing list.

If you would like to use SVN to do a source based update of an existing system, use the "stable/10" branch.

A list of changes since 10.0-RELEASE is available on the stable/10 release notes page.

Changes between 10.1-BETA1 and 10.1-BETA2 include:
  • UEFI-capable memory stick images and CDROM/DVDROM images are now built by default for the 10.1-RELEASE cycle.
  • The gssapi_krb5 library is now included in the gssapi(3) build.
  • The default motd(5) text has been changed to clarify the included information and to include references to additional resources.
  • A potential crash in ctld(8) has been fixed when a getaddrinfo(3) call fails.
  • Fix Denial of Service in TCP packet processing.  [SA-14:19.tcp]
  • Support for Promise TX8660 8-port 3Gbps HBA has been added.
  • A crash in clang(1) triggered by debuginfo has been fixed.
  • The kern.features sysctl(8) will now report if SCTP is available in the running kernel.
  • Parsing IPv6 nameserver lines in unbound(8) has been fixed.
  • A crash in pam(3) has been fixed if neither PAM_RHOST nor PAM_TTY is set.
  • Several bug fixes and improvements to the vt(4) driver have been merged from FreeBSD-Current.
  • The bsdinstall(8) screen prompting if the user would like to use a chroot(8) shell within the newly-installed system for further configuration now defaults to 'No.'
  • Several optimizations to the math(3) library have been merged, including new implementations for C99 functions expl(), coshl(), sinhl(), tanhl(), erfl() and erfcl().

Pre-installed virtual machine images for 10.1-BETA2 are also available for amd64 and i386 architectures.  The images are located here.

The disk images are available in QCOW2, VHD, VMDK, and raw disk image formats.  The image download size is approximately 135 MB, which decompresses to a 20GB sparse image.

The partition layout is:
  • 512k - freebsd-boot GPT partition type (bootfs GPT label)
  • 1GB  - freebsd-swap GPT partition type (swapfs GPT label)
  • ~17GB - freebsd-ufs GPT partition type (rootfs GPT label)

To install packages from the dvd1.iso installer, create and mount the /dist directory:

# mkdir -p /dist
# mount -t cd9660 /dev/cd0 /dist

Next, install pkg(8) from the DVD:
 

# env REPOS_DIR=/dist/packages/repos pkg add \
  /dist/packages/freebsd:10:*:*/All/pkg-*.txz

At this point, pkg-add(8) can be used to install additional packages from the DVD.  Please note, the REPOS_DIR environment variable should be used each time using the DVD as the package repository, otherwise conflicts with packages from the upstream mirrors may occur when they are fetched.  For example, to install Subversion, Gnome, and Xorg, run:
 

# env REPOS_DIR=/dist/packages/repos pkg install \
  xorg-server xorg gnome2 [...]

The freebsd-update(8) utility supports binary upgrades of amd64 and i386 systems running earlier FreeBSD releases.  Systems running earlier
FreeBSD releases can upgrade as follows:

# freebsd-update upgrade -r 10.1-BETA2

During this process, freebsd-update(8) may ask the user to help by merging some configuration files or by confirming that the automatically
performed merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.


# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new userland components:


# freebsd-update install

It is recommended to rebuild and install all applications if possible, especially if upgrading from an earlier FreeBSD release, for example, FreeBSD 8.x.  Alternatively, the user can install misc/compat9x and other compatibility libraries, after which the system must be rebooted into the new userland:

# shutdown -r now

Finally, after rebooting, freebsd-update needs to be run again to remove stale files:

# freebsd-update install

Love FreeBSD?  Support this and future releases with a donation to the FreeBSD Foundation!

FreeBSD 10.1-BETA2 Available

The second BETA build for the FreeBSD 10.1 release cycle is now available. ISO images for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures are available on most of our FreeBSD mirror sites.