HardenedBSD July 2022 Status Report


Shawn Webb

Jul 30, 2022, 11:46:14 AM
to HardenedBSD Users
Hey all,

This month was a crazy month for me (Shawn Webb). My wife and I adopted a new
puppy, so life has been a bit on the exciting side. I'm hoping to get back into
the swing of things in the next month or two.

With that said, let's get right into it.

In src:

1. TPE and RTLD hardening were merged into 13-STABLE. I had posted a HEADS UP
email on the users@ mailing list[0]. If you build your own ports/packages,
please take note. RTLD hardening can cause issues when building
ports/packages.

In ports:

1. Loic fixed misc/rump
2. Loic fixed sysutils/bareos18-server
3. Loic disabled PaX MPROTECT and PAGEEXEC for lang/python39
4. Loic fixed math/libpgmath
5. Loic fixed building openjdk8 and openjdk11 for 14-CURRENT
6. Loic fixed graphics/scrot
7. Loic fixed devel/objecthash
8. Loic fixed lang/perl5.36
9. Loic fixed GCC 12 and 13-devel
10. Loic fixed net/waypipe
11. Loic fixed devel/vxlog
12. Loic fixed www/vdr-plugin-live
13. Loic fixed comms/telldus-core
14. Loic fixed graphics/enblend
15. Shawn enabled MTP support by default for multimedia/vlc
16. Loic disabled PIE for net/ndpi
17. Ibrahim Kaikaa (Mr.UNIX) disabled PaX SEGVGUARD for memcheck-amd64-freebsd
in devel/valgrind-devel and devel/valgrind
18. Ibrahim Kaikaa disabled PaX MPROTECT for net-im/signal-desktop
19. Ibrahim Kaikaa fixed lang/gcc11

For hbsdfw (the HardenedBSD 13-STABLE fork of OPNsense):

Today (30 Jul 2022), I published a new build[1]. It migrates us to PHP 8.0 and
Python 3.9. It appears that the PHP 8.0 Radius extension (php80-pecl-radius) has
issues, so I removed the package from the build. So if you're testing hbsdfw out
and rely on Radius authentication, you'll want to skip this build.

I haven't had the time to fully bring up the infrastructure needed for in-place
updates for hbsdfw, so the normal process of backing up the running config,
reinstalling with the new build, and restoring the config is needed for this
build and at least the following next few builds.

Please test the build out and let me know how it goes for you. Any message,
whether it's "works fine for me" or "hey, we got a problem" helps me determine
follow-up tasks for this fork.

The default username is "root" and the password is "dynfi". (The reason for the
password being "dynfi" is because we use a forked version of the dynfi build
scripts, which pull in the default dynfi opnsense config.)

SHA256 (hbsdfw_installer_vga_13.1-20220729-224841.iso.xz) =
99876a3ba436a274564f4ce51f83b71f901559d8e49926a18c438b483e3d288c

Size (in bytes): 776240236

[0]: https://groups.google.com/a/hardenedbsd.org/g/users/c/u6HcO415_OE/m/8g2NPClyAwAJ
[1]: https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_13.1-20220729-224841.iso.xz

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc