HardenedBSD July 2022 Status Report

    This month was a crazy month for me (Shawn Webb). My wife and I adopted a new puppy, so life has been a bit on the exciting side. I'm hoping to get back into the swing of things in the next month or two.

    With that said, let's get right into it.

    In src:
    1. TPE and RTLD hardening were merged into 13-STABLE. I had posted a HEADS UP email on the users@ mailing list[0]. If you build your own ports/packages, please take note. RTLD hardening can cause issues when building ports/packages.

    In ports:
    1. Loic fixed misc/rump
    2. Loic fixed sysutils/bareos18-server
    3. Loic disabled PaX MPROTECT and PAGEEXEC for lang/python39
    4. Loic fixed math/libpgmath
    5. Loic fixed building openjdk8 and openjdk11 for 14-CURRENT
    6. Loic fixed graphics/scrot
    7. Loic fixed devel/objecthash
    8. Loic fixed lang/perl5.36
    9. Loic fixed GCC 12 and 13-devel
    10. Loic fixed net/waypipe
    11. Loic fixed devel/vxlog
    12. Loic fixed www/vdr-plugin-live
    13. Loic fixed comms/telldus-core
    14. Loic fixed graphics/enblend
    15. Shawn enabled MTP support by default for multimedia/vlc
    16. Loic disabled PIE for net/ndpi
    17. Ibrahim Kaikaa (Mr.UNIX) disabled PaX SEGVGUARD for memcheck-amd64-freebsd in devel/valgrind-devel and devel/valgrind
    18. Ibrahim Kaikaa disabled PaX MPROTECT for net-im/signal-desktop
    19. Ibrahim Kaikaa fixed lang/gcc11

    For hbsdfw (the HardenedBSD 13-STABLE fork of OPNsense):

    Today (30 Jul 2022), I published a new build[1]. It migrates us to PHP 8.0 and Python 3.9. It appears that the PHP 8.0 Radius extension (php80-pecl-radius) has issues, so I removed the package from the build. So if you're testing hbsdfw out and rely on Radius authentication, you'll want to skip this build.

    I haven't had the time to fully bring up the infrastructure needed for in-place updates for hbsdfw, so the normal process of backing up the running config, reinstalling with the new build, and restoring the config is needed for this build and at least the next few builds.

    Please test the build out and let me know how it goes for you. Any message, whether it's "works fine for me" or "hey, we got a problem" helps me determine follow-up tasks for this fork.

    The default username is "root" and the password is "dynfi". (The reason for the password being "dynfi" is that we use a forked version of the dynfi build scripts, which pull in the default dynfi OPNsense config.)

    SHA256 (hbsdfw_installer_vga_13.1-20220729-224841.iso.xz) = 99876a3ba436a274564f4ce51f83b71f901559d8e49926a18c438b483e3d288c

    [0]: https://groups.google.com/a/hardened...m/8g2NPClyAwAJ
    [1]: https://hardenedbsd.org/~shawn/hbsdf...-224841.iso.xz