<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.os.freebsd.announce">
    <title>gmane.os.freebsd.announce</title>
    <link>http://blog.gmane.org/gmane.os.freebsd.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/412"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/411"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/410"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/409"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/408"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/407"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/406"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/405"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/404"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/403"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/402"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/401"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/400"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/399"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/398"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/397"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/396"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/395"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/394"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.os.freebsd.announce/393"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/412">
    <title>New channel on YouTube for BSD technical talks</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/412</link>
    <description>I'm pleased to announce the availability of a dedicated YouTube
channel for technical lectures about FreeBSD and other BSD operating
systems:

  http://www.youtube.com/bsdconferences

This channel allows us to post full hour-long lectures from FreeBSD
conferences.  The first four videos that Julian Elischer recorded at
MeetBSD 2008 have been posted:

   Isolating Cluster Jobs for Performance and Predictability, Brooks
   Davis, MeetBSD 2008
   BSD Certification, Dru Lavigne, MeetBSD 2008
   Embedding FreeBSD, Warner Losh, MeetBSD 2008
   FreeBSD Foundation Update &amp; Recognition, Robert Watson, MeetBSD 2008

This channel provides the rich YouTube API for extracting and
embedding these videos in other websites.  You can also simply
subscribe to the RSS feed in your feedreader to be notified when new
videos are posted.  Work is ongoing to integrate the video content
here with the multimedia area of the FreeBSD web site.

If you have video content from a previous BSD conference that you
would like to see added to this channel, please let me know.

Thanks to the Google Open Source Program Office for their help in
setting up this special channel for the BSD community.

           - Murray
_______________________________________________
freebsd-announce&lt; at &gt;freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe&lt; at &gt;freebsd.org"

</description>
    <dc:creator>Murray Stokely</dc:creator>
    <dc:date>2008-12-04T00:54:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/411">
    <title>FreeBSD Foundation Project Announcement</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/411</link>
    <description>Dear FreeBSD Community,

The FreeBSD Foundation is very pleased to announce the next in a series
of developer grants.  This grant has been awarded to Lawrence Stewart
and Swinburne University of Technology's Centre for Advanced Internet
Architectures (CAIA, http://caia.swin.edu.au) for improvements to the
FreeBSD TCP stack.  This three-part project will include implementing
Appropriate Byte Counting (ABC) RFC3465 support, adapting and merging
CAIA's Statistical Information for TCP Research (SIFTR) TCP analysis
tool into FreeBSD, and making improvements to the TCP reassembly queue.

"These changes target both improved performance and improved quality of
the FreeBSD TCP stack through feature enhancements and integrated
testing," said Professor Grenville Armitage, CAIA's Director.
He also added, "We use FreeBSD daily in our IP networking research
testbeds and for our centre's various servers, so we're looking forward
to contributing these TCP improvements to the FreeBSD community."

"Supporting the technology transfer of advanced systems research, such
as CAIA's work on the FreeBSD network stack, is a critically important
role for The FreeBSD Foundation to play," said Robert Watson, president
of The FreeBSD Foundation.

The project will be completed by July 2009.

Sincerely,

The FreeBSD Foundation






</description>
    <dc:creator>Deb Goodkin</dc:creator>
    <dc:date>2008-12-03T16:42:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/410">
    <title>FreeBSD 6.4-RELEASE Available</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/410</link>
    <description>
The FreeBSD Release Engineering Team is pleased to announce the availability
of FreeBSD 6.4-RELEASE.  At this time 6.4-RELEASE is expected to be the
last of the 6-STABLE releases.  Some of the highlights:

- New and much-improved NFS Lock Manager (NLM) client
- Support for the Camellia cipher
- boot loader changes allow, among other things, booting
  from USB devices and booting from GPT-labeled devices
  with GPT-enabled BIOSes
- DVD install ISO images for amd64/i386
- KDE updated to 3.5.10, GNOME updated to 2.22.3
- Updates for BIND, sendmail, OpenPAM, and others

For a complete list of new features and known problems, please see the
online release notes and errata list, available at:

    http://www.FreeBSD.org/releases/6.4R/relnotes.html
    http://www.FreeBSD.org/releases/6.4R/errata.html

For more information about FreeBSD release engineering activities,
please see:

    http://www.FreeBSD.org/releng/

The FreeBSD Security Team intends to support 6.4-RELEASE until
November 30th, 2010.

 Availability
 -------------

FreeBSD 6.4-RELEASE is now available for the amd64, i386, pc98, and sparc64
architectures.  The builds for the alpha architecture have not completed
yet and will be announced later.  FreeBSD 6.4-RELEASE can be installed
from bootable ISO images or over the network; the required files can be
downloaded via FTP or BitTorrent as described in the sections below.
While some of the smaller FTP mirrors may not carry all architectures,
they will all generally contain the more common ones, such as i386 and
amd64.

MD5 and SHA256 hashes for the release ISO images are included at the
bottom of this message.

The contents of the ISO images provided as part of the release have changed
for most of the architectures.  Using the i386 architecture as an example,
there are ISO images named "bootonly", "disc1", "disc2", "disc3", "docs",
and "dvd1".  The "bootonly" image is suitable for booting a machine to do
a network based installation using FTP or NFS.  The "disc1", "disc2", and
"disc3" images are CDROM-sized (700MB media) and are used to do a full
installation that includes a basic set of packages and does not require
network access to an FTP or NFS server during the installation.  In addition,
"disc1" supports booting into a "live CD-based filesystem" and system rescue
mode.  The "docs" image has all of the documentation for all supported
languages.  The "dvd1" image is DVD-sized and includes everything that is
on the CDROM discs.  So "dvd1" can be used to do a full installation that
includes a basic set of packages, it has all of the documentation for all
supported languages, and it can be used for booting into a "live CD-based
filesystem" and system rescue mode.  Most people will find that "disc1",
"disc2" and "disc3" are all that are needed if their machine does not have
a DVD-capable drive.  For people with machines that do have a DVD-capable
drive "dvd1" should be all that is required.  If you intend to install ports
from source instead of using the pre-built packages included with the release
only "disc1" is needed.

FreeBSD 6.4-RELEASE can also be purchased on CD-ROM from several
vendors.  One of the vendors that will be offering FreeBSD 6.4-based
products is:

    FreeBSD Mall, Inc.        http://www.freebsdmall.com/


 BitTorrent
 ----------

6.4-RELEASE ISOs are available via BitTorrent.  A collection of torrent
files to download the images is available at:

http://torrents.freebsd.org:8080/

 FTP
 ---

At the time of this announcement the following FTP sites have
FreeBSD 6.4-RELEASE available.

  ftp://ftp.freebsd.org/pub/FreeBSD/
  ftp://ftp3.freebsd.org/pub/FreeBSD/
  ftp://ftp7.freebsd.org/pub/FreeBSD/
  ftp://ftp9.freebsd.org/pub/FreeBSD/
  ftp://ftp10.freebsd.org/pub/FreeBSD/
  ftp://ftp12.freebsd.org/pub/FreeBSD/
  ftp://ftp.at.freebsd.org/pub/FreeBSD/
  ftp://ftp.cz.freebsd.org/pub/FreeBSD/
  ftp://ftp.dk.freebsd.org/pub/FreeBSD/
  ftp://ftp.fi.freebsd.org/pub/FreeBSD/
  ftp://ftp.fr.freebsd.org/pub/FreeBSD/
  ftp://ftp2.ie.freebsd.org/pub/FreeBSD/
  ftp://ftp.se.freebsd.org/pub/FreeBSD/
  ftp://ftp.si.freebsd.org/pub/FreeBSD/
  ftp://ftp1.ru.freebsd.org/pub/FreeBSD/
  ftp://ftp2.uk.freebsd.org/pub/FreeBSD/
  ftp://ftp3.us.freebsd.org/pub/FreeBSD/
  ftp://ftp7.us.freebsd.org/pub/FreeBSD/
  ftp://ftp9.us.freebsd.org/pub/FreeBSD/
  ftp://ftp11.us.freebsd.org/pub/FreeBSD/

However before trying these sites you may want to check your regional
mirror(s) first by going to:

ftp://ftp.&lt;yourdomain&gt;.FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites can be found at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD, please see Chapter 2 of The
FreeBSD Handbook.  It provides a complete installation walk-through
for users new to FreeBSD, and can be found online at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html

 FreeBSD Update
 --------------

The freebsd-update(8) utility supports binary upgrades of i386 and amd64
systems running earlier FreeBSD releases.  Systems running 6.3-RELEASE,
6.4-BETA, 6.4-RC1, or 6.4-RC2 can upgrade as follows:

# freebsd-update upgrade -r 6.4-RELEASE

During this process, FreeBSD Update may ask the user to help by merging
some configuration files or by confirming that the automatically performed
merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.

# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new
userland components, and the system needs to be rebooted again:

# freebsd-update install
# shutdown -r now

Note that FreeBSD Update stores downloaded upgrades in /var/db/freebsd-update,
so at least 400MB should be free in /var before running freebsd-update; if
the /var partition is too small, the -d option to freebsd-update can be used
to indicate that the upgrades should be stored in a different directory.

For more information, see:

http://www.daemonology.net/blog/2007-11-10-freebsd-minor-version-upgrade.html

 Acknowledgments
 ----------------

Many companies donated equipment, network access, or man-hours to
finance the release engineering activities for FreeBSD 6.4 including
The FreeBSD Foundation, FreeBSD Systems, Hewlett-Packard, Yahoo!,
Network Appliances, and Sentex Communications.

The release engineering team for 6.4-RELEASE includes:

Ken Smith &lt;kensmith&lt; at &gt;FreeBSD.org&gt;        Release Engineering,
                                             amd64, i386, sparc64 Release Building,
                                             Mirror Site Coordination
Robert Watson &lt;rwatson&lt; at &gt;FreeBSD.org&gt;     Release Engineering, Security
Konstantin Belousov &lt;kib&lt; at &gt;FreeBSD.org&gt;   Release Engineering
Marc Fonvieille &lt;blackend&lt; at &gt;FreeBSD.org&gt;  Release Engineering, Documentation
Maxime Henrion &lt;mux&lt; at &gt;FreeBSD.org&gt;        Release Engineering
Bruce A. Mah &lt;bmah&lt; at &gt;FreeBSD.org&gt;         Release Engineering, Documentation
George Neville-Neil &lt;gnn&lt; at &gt;FreeBSD.org&gt;   Release Engineering
Hiroki Sato &lt;hrs&lt; at &gt;FreeBSD.org&gt;           Release Engineering, Documentation
Murray Stokely &lt;murray&lt; at &gt;FreeBSD.org&gt;     Release Engineering
Wilko Bulte &lt;wilko&lt; at &gt;FreeBSD.org&gt;         Alpha Release Building
Takahashi Yoshihiro &lt;nyan&lt; at &gt;FreeBSD.org&gt;  PC98 Release Building
Kris Kennaway &lt;kris&lt; at &gt;FreeBSD.org&gt;        Package Building
Joe Marcus Clarke &lt;marcus&lt; at &gt;FreeBSD.org&gt;  Package Building
Erwin Lansing &lt;erwin&lt; at &gt;FreeBSD.org&gt;       Package Building
Mark Linimon &lt;linimon&lt; at &gt;FreeBSD.org&gt;      Package Building
Pav Lucistnik &lt;pav&lt; at &gt;FreeBSD.org&gt;         Package Building
Colin Percival &lt;cperciva&lt; at &gt;FreeBSD.org&gt;   Security Officer
Peter Wemm &lt;peter&lt; at &gt;FreeBSD.org&gt;          Bittorrent Coordination

 Trademark
 ---------

FreeBSD is a registered trademark of The FreeBSD Foundation.

 ISO Image Checksums
 -------------------


</description>
    <dc:creator>Ken Smith</dc:creator>
    <dc:date>2008-11-28T18:11:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/409">
    <title>FreeBSD Foundation Project Announcement</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/409</link>
    <description>Dear FreeBSD Community,

The FreeBSD Foundation is pleased to announce continued funding of the 
network stack virtualization project, made possible by a grant from 
NLNet.  The virtualized network stack will significantly enhance 
FreeBSD's jail functionality, allowing jails to have their own complete 
and locally administered network stacks, including firewalls, routing, 
and IPsec configurations. The Foundation will be sponsoring Bjoern Zeeb, 
a FreeBSD network developer, to enhance the existing prototype, now 
being merged into FreeBSD 8.x, as well as provide code review.

Sincerely,

The FreeBSD Foundation

</description>
    <dc:creator>Deb Goodkin</dc:creator>
    <dc:date>2008-11-26T16:10:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/408">
    <title>FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/408</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08.11.arc4random                                 Security Advisory
                                                          The FreeBSD Project

Topic:          arc4random(9) predictable sequence vulnerability

Category:       core
Module:         sys
Announced:      2008-11-24
Credits:        Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects:        All supported versions of FreeBSD.
Corrected:      2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
                2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
                2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
                2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name:       CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.

I.   Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher.  It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts.  During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II.  Problem Description
 
When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed.  The list
includes:

* GEOM ELI providers with onetime keys.  When a provider is configured in
  a way so that it gets attached at the same time during boot (e.g. it
  uses the rc subsystem to initialize) it might be possible for an
  attacker to recover the encrypted data.

* GEOM shsec providers.  The GEOM shsec subsystem is used to split a shared
  secret between two providers so that it can be recovered when both of
  them are present.  This is done by writing the random sequence to one
  of providers while appending the result of the random sequence on the
  other host to the original data.  If the provider was created within the
  first 300 seconds after booting, it might be possible for an attacker
  to extract the original data with access to only one of the two providers
  between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
  (IV) for WEP encryption when operating in client mode and WEP
  authentication challenges when operating in hostap mode, which may be
  insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
  random number generator to produce unpredictable IP packet identifiers,
  initial TCP sequence numbers and outgoing port numbers.  During the
  first 300 seconds after booting, it may be easier for an attacker to
  execute IP session hijacking, OS fingerprinting, idle scanning, or in
  some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
  identifiers, which might make RPC clients vulnerable to hijacking
  attacks.

IV.  Workaround

No workaround is available for affected systems.

V.   Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch &lt; /path/to/patch

c) Recompile your kernel as described in
&lt;URL:http://www.FreeBSD.org/handbook/kernelconfig.html&gt; and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/dev/random/randomdev.c                                 1.59.2.2
  src/sys/dev/random/randomdev_soft.c                            1.11.2.3
RELENG_6_4
  src/UPDATING                                             1.416.2.40.2.2
  src/sys/dev/random/randomdev.c                             1.59.2.1.8.2
  src/sys/dev/random/randomdev_soft.c                        1.11.2.2.6.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.11
  src/sys/conf/newvers.sh                                  1.69.2.15.2.10
  src/sys/dev/random/randomdev.c                             1.59.2.1.6.1
  src/sys/dev/random/randomdev_soft.c                        1.11.2.2.4.1
RELENG_7
  src/sys/dev/random/randomdev.c                                 1.61.2.1
  src/sys/dev/random/randomdev_soft.c                            1.15.2.1
RELENG_7_0
  src/UPDATING                                             1.507.2.3.2.10
  src/sys/conf/newvers.sh                                   1.72.2.5.2.10
  src/sys/dev/random/randomdev.c                                 1.61.4.1
  src/sys/dev/random/randomdev_soft.c                            1.15.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1
N/cAoIjgcsh6sZG/upobud4TVme9QJPf
=SKuK
-----END PGP SIGNATURE-----

</description>
    <dc:creator>FreeBSD Security Advisories</dc:creator>
    <dc:date>2008-11-24T17:47:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/407">
    <title>Official FreeBSD Forums</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/407</link>
    <description>Dear FreeBSD users,

The FreeBSD project is finally, after much work, pleased to announce the
availability of an official FreeBSD web based discussion forum.  It is
our hope that this forum will serve as a public support channel for
FreeBSD users around the world and as a complement to our fine mailing
lists.

You can register and start using our new service here:

http://forums.FreeBSD.org

The structure of the forum is still in a late beta stage, so if you have
ideas, suggestions for improvements or bug reports, send them to:
forum-moderators at FreeBSD dot org.

Please also have a look at our rules before you create your first thread
or post your first message.  You can find our official list of forum
rules here:

http://forums.freebsd.org/faq.php?faq=vb_faq#faq_rules

Also, FreeBSD developers (people with commit access to our CVS/SVN trees)
can be distinguished by having an '&lt; at &gt;' character at the end of their
username.

It is our hope that both users and developers will find this new service
useful.  Please help spread the word.

Sincerely,
The FreeBSD Forums Admin Team

</description>
    <dc:creator>Brad Davis</dc:creator>
    <dc:date>2008-11-16T16:04:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/406">
    <title>Foundation Project Announcement</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/406</link>
    <description>Dear FreeBSD Community,

The FreeBSD Foundation is pleased to announce one of the projects from
the accepted project proposals!

The project is to make FreeBSD tolerate the removal of active disk
devices, such as when a USB flash device with a mounted filesystem is
physically detached by a user.  Currently the system may panic in this
situation. The work involves adding proper reference counting to
strategic portions of the kernel and modifying filesystems to properly
handle "device lost" errors.

Edward Tomasz Napierala is the developer working on this project.

"We are very excited to be able to fund this project, which we know is
of great interest to our users, especially in the desktop space," said
Robert Watson, president of The FreeBSD Foundation.

Robert also said, "The removable USB disk causing a crash turns out to
be our #1 reported bug."

"I am very happy to have the opportunity to work on this exciting
project," said Edward Tomasz Napierala, FreeBSD developer. "It's just
wrong when the system panics because you removed the pendrive!," he added.

The project will be completed by February 2009.

Sincerely,

The FreeBSD Foundation


</description>
    <dc:creator>Deb Goodkin</dc:creator>
    <dc:date>2008-11-12T15:54:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/405">
    <title>meetBSD California - 5 Days Left!</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/405</link>
    <description>Hi everyone,

There are only 5 days left until meetBSD California at the Googleplex  
in Mountain View, California starting Saturday, November 15th at 10am.  
The first meetBSD in the United States also marks the 15th Anniversary  
of the FreeBSD operating system, which will be commemorated with an  
After-Party on Saturday night hosted at the Buddha Lounge.

We still have a few spots left (around 25-30, I believe) but  
registration will be closing at some point over the next few days, so  
if you've been putting off registering, now is the time! The  
conference is *free* to attend and only $50 dollars for you and a  
guest to attend the After-Party, which includes dinner and drinks :-)

More information as well as the registration form can be found at
http://www.meetBSD.com. If you are attending the conference but not the
party, leave the party checkbox blank and select Mail-In Payment and you
will not be billed.

See you all there!
-matt

</description>
    <dc:creator>Matt Olander</dc:creator>
    <dc:date>2008-11-10T19:47:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/404">
    <title>Foundation End-of-Year Fund Raising Drive!</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/404</link>
    <description>Dear FreeBSD Community,

The FreeBSD Foundation is kicking off our End-of-Year Fund Raising
Drive! Our goal this year is to raise over $300,000. So far we have
raised over $181,000 this year. We are a little more than halfway to
our goal. That’s where you come in…

Why do we need donations?

The goal of the FreeBSD Project is to provide software that may be used
for any purpose -- and without strings attached.  Our mission is to
support the FreeBSD Project and community. Our funding comes from people
like you – those who are determined to keep FreeBSD free!

How have we spent the money this year?

•    Sponsored FreeBSD related conferences like BSDCan, EuroBSDCon,
AsiaBSDCon, meetBSD, and NYCBSDCon. We also sponsored FreeBSD developer
summits in Ottawa and Cambridge.

•    Provided 22 travel grants and funding to individuals to attend
these conferences this year.

•    Provided legal support for the project on issues like understanding
the GPLv3 impact on FreeBSD, providing a privacy policy, trademark
ownership and permission, and other legal issues that come up.

•    Provided grants for projects that improve FreeBSD, like
Java binaries, Network Stack Virtualization, and Improving Hardware
Performance Counter Support.

•    Provided equipment for developers working to improve FreeBSD and
projects like the NetPerf cluster. Facilitated donation of NetApp filer,
32-core hardware, and 10 Gigabit equipment for project continuity 
planning and the NetPerf Cluster.


Your financial support is critical for the FreeBSD Project. Please help
us keep FreeBSD free. Go to

http://www.freebsdfoundation.org/donate/

to donate (any amount will help).  And thank you for your continued 
support of the FreeBSD Foundation.


Thank You,

The FreeBSD Foundation

</description>
    <dc:creator>Deb Goodkin</dc:creator>
    <dc:date>2008-10-24T15:03:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/403">
    <title>Accepting Travel Grant Applications for meetBSD</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/403</link>
    <description>Calling all FreeBSD developers needing assistance with travel expenses
to MeetBSD.

The FreeBSD Foundation will be providing a limited number of travel
grants to individuals requesting assistance. Please fill out and submit
the Travel Grant Request Application at 
http://www.freebsdfoundation.org/documents/TravelRequestForm.pdf by 
October 31, 2008 to apply for this grant.

How it works:

This program is open to FreeBSD developers of all sorts (kernel hackers, 
documentation authors, bugbusters, system administrators, etc).  In some 
cases we are also able to fund non-developers, such as active community 
members and FreeBSD advocates.

(1) You request funding based on a realistic and economical estimate of
travel costs (economy airfare, trainfare, ...), accommodations 
(conference hotel and sharing a room), and registration or tutorial 
fees.  If there are other sponsors willing to cover costs, such as your 
employer or the conference, we prefer you talk to them first, as our 
budget is limited.  We are happy to split costs with you or another 
sponsor, such as just covering airfare or board.

If we are an official sponsor of a conference and you are speaking at 
the conference, we expect that conference to cover your travel costs, 
and will most likely not approve your direct request to us.


(2) We review your application and if approved, authorize you to seek
reimbursement up to a limit.  We consider several factors, including
our overall and per-event budgets, and (quite importantly) the
benefit to the community by funding your travel.

Most rejected applications are rejected because of an overall limit on
travel budget for the event or year, due to unrealistic or uneconomical
costing, or because there is an unclear or unconvincing argument that
funding the application will directly benefit the FreeBSD Project.
Please take these points into consideration when writing your application.

(3) We reimburse costs based on actuals (receipts), and by check or bank
transfer.  We require you submit a report on your trip, which we may 
show to current or potential sponsors, and may include in our quarterly
newsletter.

There's some flexibility in the mechanism, so talk to us if something
about the model doesn't quite work for you or if you have any questions.
The travel grant program is one of the most effective ways we can
spend money to help support the FreeBSD Project, as it helps developers
get together in the same place at the same time, and helps advertise and
advocate FreeBSD in the larger community.


Thank You,

The FreeBSD Foundation



</description>
    <dc:creator>Deb Goodkin</dc:creator>
    <dc:date>2008-10-23T17:46:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/402">
    <title>meetBSD California - FreeBSD 15 Year Anniversary Party - 3 weeks!</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/402</link>
    <description>Hi all,

The 2 day meetBSD conference and FreeBSD 15 year Anniversary party at
the Googleplex in Mountain View, California on November 15th and 16th
is a little over 3 weeks away! If you haven't registered for the
conference yet, please do so if you are planning on attending. The
conference is free to attend and the party is $50 dollars for you and
a guest. This includes catered dinner and drinks at a private party
being held at the Buddha Lounge in Mountain View.

Although the conference is free, you *must* register in advance, no
registrations will be accepted at the door. Don't miss out on some
great talks, good food, awesome schwag, and the chance to celebrate
FreeBSD's 15th birthday with the rest of the community!

You can sign up and find more information including the conference
schedule, speaker info, and venue directions and information at
http://www.meetBSD.com.
There will also be a 2 day FreeBSD Developer's Summit the 2 days
following meetBSD. More information on the FreeBSD developer's summit
is at http://wiki.freebsd.org/200811DevSummit.

See you there!
-matt


--
Matt Olander
meetBSD California
www.meetbsd.com

</description>
    <dc:creator>Matt Olander</dc:creator>
    <dc:date>2008-10-22T18:15:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/401">
    <title>Reminder for EuroBSDCon 2008</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/401</link>
    <description>Hi,

This is a reminder about the upcoming (next week!) EuroBSDCon 2008 conference,
held this year in Strasburg, FRANCE.

Registration is here:
http://eurobsdcon2008.eventbrite.com/

It also allows registration (and displays the schedule) for tutorials.

http://2008.eurobsdcon.org/

The talks schedule is available here :

http://2008.eurobsdcon.org/talks.html

The tutorials schedule is available here :

http://2008.eurobsdcon.org/tutorials.html

There is a 20% discount for students (use discount code Student when
registering).  You can also apply for a travel grant to the FreeBSD
Foundation; for details ask board&lt; at &gt;FreeBSDFoundation.org

For FreeBSD developers, there is also the FreeBSD DevSummit. See
http://wiki.freebsd.org/200810DevSummit

It is open to all src/www/doc/ports committers &amp; guests.

We hope to see you all next week !

</description>
    <dc:creator>Program Committee</dc:creator>
    <dc:date>2008-10-09T09:56:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/400">
    <title>FreeBSD Security Advisory FreeBSD-SA-08:10.nd6</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/400</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:10.nd6                                        Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Neighbor Discovery Protocol routing vulnerability

Category:       core
Module:         sys_netinet6
Announced:      2008-10-01
Credits:        David Miles
Affects:        All supported versions of FreeBSD.
Corrected:      2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5)
                2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5)
CVE Name:       CVE-2008-2476

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.

I.   Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
The Neighbor Discovery protocol uses Neighbor Solicitation (ICMPv6 type 135)
to query target nodes for their link-layer addresses.

II.  Problem Description

IPv6 routers may allow "on-link" IPv6 nodes to create and update the
router's neighbor cache and forwarding information.  A malicious IPv6 node
sharing a common router but on a different physical segment from another
node may be able to spoof Neighbor Discovery messages, allowing it to update
router information for the victim node.

III. Impact

An attacker on a different physical network connected to the same IPv6
router as another node could redirect IPv6 traffic intended for that node.
This could lead to denial of service or improper access to private network
traffic.

IV.  Workaround

Firewall packet filters can be used to filter incoming Neighbor
Solicitation messages but may interfere with normal IPv6 operation if not
configured carefully.

Reverse path forwarding checks could be used to make gateways, such as
routers or firewalls, drop Neighbor Solicitation messages from
nodes with unexpected source addresses on a particular interface.

IPv6 router administrators are encouraged to read RFC 3756 for further
discussion of Neighbor Discovery security implications.

V.   Solution

NOTE WELL: The solution described below causes IPv6 Neighbor Discovery
Neighbor Solicitation messages from non-neighbors to be ignored.
This can be re-enabled if required by setting the newly added
net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch &lt; /path/to/patch

c) Recompile your kernel as described in
&lt;URL:http://www.FreeBSD.org/handbook/kernelconfig.html&gt; and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/in6.h                                        1.36.2.10
  src/sys/netinet6/in6_proto.c                                  1.32.2.10
  src/sys/netinet6/nd6.h                                         1.19.2.4
  src/sys/netinet6/nd6_nbr.c                                    1.29.2.11
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.10
  src/sys/conf/newvers.sh                                   1.69.2.15.2.9
  src/sys/netinet6/in6.h                                     1.36.2.8.2.1
  src/sys/netinet6/in6_proto.c                               1.32.2.8.2.1
  src/sys/netinet6/nd6.h                                     1.19.2.2.6.1
  src/sys/netinet6/nd6_nbr.c                                 1.29.2.9.2.1
RELENG_7
  src/sys/netinet6/in6.h                                         1.51.2.2
  src/sys/netinet6/in6_proto.c                                   1.46.2.3
  src/sys/netinet6/nd6.h                                         1.21.2.2
  src/sys/netinet6/nd6_nbr.c                                     1.47.2.3
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.9
  src/sys/conf/newvers.sh                                    1.72.2.5.2.9
  src/sys/netinet6/in6.h                                         1.51.4.1
  src/sys/netinet6/in6_proto.c                                   1.46.4.1
  src/sys/netinet6/nd6.h                                         1.21.4.1
  src/sys/netinet6/nd6_nbr.c                                     1.47.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476
http://www.kb.cert.org/vuls/id/472363

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:10.nd6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkjkF2cACgkQFdaIBMps37KWWgCZAfug94zPIdkzW0tdIdSDzH/0
j18AnjypvJrRtzeQqhJkRU9wQWozgWvj
=ieTi
-----END PGP SIGNATURE-----

</description>
    <dc:creator>FreeBSD Security Advisories</dc:creator>
    <dc:date>2008-10-02T00:39:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/399">
    <title>Registration Open for EuroBSDCon 2008</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/399</link>
    <description>
Hi,

We're glad to announce that registration is finally open for EuroBSDCon
2008 in Strasbourg.

http://eurobsdcon2008.eventbrite.com/

It also allows registration (and displays the schedule) for tutorials.
Later this day, the links will be made available on the website :

http://2008.eurobsdcon.org/

The talks schedule is available here :

http://2008.eurobsdcon.org/talks.html

The tutorials schedule is available here :

http://2008.eurobsdcon.org/tutorials.html

There is a 20% discount for students (use discount code Student when
registering).


We hope to see you all in three weeks !



</description>
    <dc:creator>Marc Simon</dc:creator>
    <dc:date>2008-09-26T09:39:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/398">
    <title>19 Days Until NYCBSDCon 2008</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/398</link>
    <description>NYCBSDCon begins in a few weeks, so make sure you register as soon as 
possible.

http://www.nycbsdcon.org/2008/register.html

NYCBSDCon brings together the best and brightest of the BSD communities 
from the New York area and beyond.

The conference costs $95, including breakfast and lunch on both days, in 
addition to a number of other extras.  Full-time students and Columbia 
University affiliates pay only $50 with valid identification.

This year's schedule is impressive: from file systems and the portable C 
compiler to system and network management, we are thrilled to be able to 
provide such strong content.  A full array of BSD developers and systems 
administrators are speaking, including Pawel Dawidek, Michael Lucas, 
Jason Wright and DragonFlyBSD's Matt Dillon.  And Jason Dixon looks to 
top his 2006 presentation on "Is BSD Dying?" with a look at "BSD versus 
the GPL."

While the conference officially begins on Saturday morning, October 
11th, attendees will be gathering on Friday night at Havanna Central, 
just across from Columbia University.

More information, including the schedule and transportation options, can 
be found at http://www.nycbsdcon.org.


</description>
    <dc:creator>Steven Kreuzer</dc:creator>
    <dc:date>2008-09-23T01:44:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/397">
    <title>Another successful Summer of Code</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/397</link>
    <description>Congratulations to the successful students and their FreeBSD Project
mentors for participating in another productive Google Summer of Code.
This program encourages students to contribute to an open source
project over the summer break with generous funding from Google.  We
have had a total of over 70 successful students working on FreeBSD as
part of this program from 2005 through 2008.  These student projects
included security research, improved installation tools, filesystems
work, new utilities, and more. Many of the students have continued
working on their FreeBSD projects even after the official close of the
program.  We have gained nearly a dozen new FreeBSD committers from
previous summer of code projects already, and more are in the process
of formally joining the project.

Information about the student projects is available from our Summer of
Code wiki (http://wiki.FreeBSD.org/SummerOfCode2008) and all of the
code is checked into Perforce.  A summary of each individual project
by the students themselves is provided on the wiki and the text is included
below.

Please join us in congratulating these students and thanking them for
their significant contributions to FreeBSD this summer.

Regards,

- Murray Stokely
 Robert Watson
 (FreeBSD Summer of Code Organizers)


2008 Student Projects :

       1. Implementation of MPLS on FreeBSD
       2. TCP/IP regression test suite (tcptest)
       3. Porting Open Solaris Dtrace Toolkit to FreeBSD
       4. Adding .db support to pkg_tools --&gt; pkg_improved
       5. Porting BSD-licensed text-processing tools from OpenBSD
       6. Multibyte collation support
       7. VM Algorithm Improvement
       8. TCP anomaly detector
       9. FreeBSD auditing system testing
      10. Dynamic memory allocation for dirhash in UFS2
      11. Reference implementation of the SNTP client
      12. NFSv4 ACLs
      13. Enhancing FreeBSD's Libarchive
      14. Allowing for parallel builds in the FreeBSD Ports Collection
      15. Ports license auditing infrastructure
      16. Improving layer2 filtering
      17. Porting FreeBSD to Efika (PPC bring up)
      18. Audit Firewall Events from Kernel
      19. ShinyBSD


 * Project: Implementation of MPLS in FreeBSD
   Student: Ryan French
   Mentor: Andre Oppermann

   Summary:

   MPLS is a networking protocol used for routing information
   quickly and efficiently. It is used extensively in the internet's
   backbone networks.  Over the course of the program, code has been
   ported to FreeBSD from the OpenBSD/NetBSD operating
   systems. Basic functionality of sending and receiving packets was
   the main goal of the project, but unfortunately this was not
   achieved. It is very close to having this functionality, but
   there are a few minor bugs preventing the code from integrating
   fully with the FreeBSD networking stack.

   This project will continue to be worked on until sending,
   receiving, label swapping, tunnels, and the LDP daemon have been
   successfully implemented.

   Ready to enter CVS/SVN: No.


 * Project: TCP/IP regression test suite (tcptest)
   Student: Victor Hugo Bilouro
   Mentor: George V. Neville-Neil

   Summary:

   As a testing tool, it can perform regression, protocol
   conformance, and fuzz tests. The tool may also be employed as an
   aid to protocol developers and both testing and debugging of
   firewalls/routers.

   It's built on top of PCS (Packet Construction Set): "PCS is a set
   of Python modules and objects that make building network protocol
   code easier for the protocol developer. PCS enables testing at
   OSI layers 3, 4, and 5."

   Tcptest mainly is a python module and one script for each test
   covered (more than one per script often). The module count with
   methods acting as fasteners, doing things like (a)three way
   handshake, (b)active/passive close and (c)several createXX and
   assertXX, where XX=(ip, tcp, rst, urg, fin, syn, psh, so on...)
   As the tests are being created, the number of 'fasteners' are
   growing, turning each moment easier to create new tests.

   Use of small tests. So we can cover a wide range of traffics,
   events and transitions predetermined separately. The development
   would be like a protocol, but without covering all possible
   events and transitions, only traffic previously
   determined. Instead of targeting a TCP Finite State Machine (FSM)
   like the implementation of TCP/IP protocols, the development will
   be based towards flow of packets, where traffic is composed of
   packets that are sent and received in a previously registered
   way.

   Links:
   http://wiki.freebsd.org/VictorBilouro/TCP-IP_regression_test_suite
   (project wiki)
   http://perforce.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2008/bilouro_tcptest/src
   (freebsd repository)
   http://code.google.com/p/tcptest/ (source code download)
   http://bilouro.com/tcptest (source code documentation)
   http://pcs.sf.net - Packet Construction Set

 * Project: Porting Open Solaris Dtrace Toolkit to FreeBSD
   Student: Liqun Li
   Mentor: John Birrell

   Summary:

   Sun Open Solaris Dtrace is a pretty useful feature. Users can find
   performance bottlenecks with Dtrace in real production
   environment. Since many probes implemented in Open Solaris are
   not supported in FreeBSD, when we port Dtrace Toolkit to
   FreeBSD, main job is to find whether this probe is supported by
   FreeBSD, if so, find it; if not, develop one to support this
   function. This summer, at first, I went through all DTK script
   commands, found some of them work directly. But most do
   not. Under my mentor John Birrell's careful help, I retrieved the
   respective system variables from the FreeBSD kernel, and ended up
   making system/uname.d work. In addition, I tried to make sar-c.d work
   under FreeBSD. Since we need to investigate into Sun Open Solaris
   Kernel to find how Open Solaris defines the probe and what probes
   it needs, this work is really time consuming, not done yet. From
   this project, I got to know much about FreeBSD kernel and Dtrace
   probes. I found kernel hacking/coding pretty interesting.

   Ready to enter SVN/CVS: not decided


 * Project: Adding .db support to pkg_tools --&gt; pkg_improved
   Student: Anders Nore
   Mentor: Florent Thoumie

   Summary:

   This project is a replication of the pkg_install tools with
   several new features and speed improvements due to the caching of
   some package-information to a B-Tree Berkeley DB file. Some of
   the new features are the adding of installtime to the installed
   packages +CONTENTS file, human-readable size-output in
   pkg_info(1), progress indication to pkg_add's remote
   option. Installtime range searches with pkg_info(1) and
   pkg_delete(1) similar to that of version search is now available
   using the -M option.

   A new tool pkg_convert(1), caches some parts of the existing
   /var/db/pkg/ flat database into a Berkeley DB file, and the tools
   check for this file and use it for speed improvements if it's
   available and update it according to pkg_{add|delete}'s. You can
   also use pkg_convert(1) to view the entries in the cache. The
   tools will give you an indication if the database is corrupt, and
   it's fully recoverable by using pkg_convert(1).

   Two bugs in the existing pkg_tools have also been discovered and
   fixed, everything is of course backwards-compatible with the
   older/original pkg_install tools.

 * Project: Porting BSD-licensed text-processing tools from OpenBSD
   Student: Gábor Kövesdán
   Mentor: Max Khon

   Summary:

   At the moment, BSD grep seems to be ready and highly compatible
   with the GNU version. However, there are differences in the regex
   handling, which is a result of the different interpretations,
   that the different regex libraries use and thus it is not really
   possible to fix at the level of grep. As for diff, some progress
   has been made, but some important features are still missing. The
   sort utility seemed to be badly constructed concerning the wide
   character support and the overall implementation. Because of
   these difficulties, the efforts were prioritized for grep and
   diff. Probably sort needs a complete rewrite or at least an
   extreme amount of modifications.

   Ready to enter CVS/SVN: If we can accept the regex differences
   in grep, it is ready to enter SVN after some thorough testing. As
   for diff and sort, they can be installed via the Ports
   Collection.


 * Project: Multibyte collation support
   Student: Konrad Jankowski
   Mentor: Diomidis Spinellis

   Summary:

   Collation is what allows for current language/encoding correct
   sorting/ordering of strings. This project aimed to add proper
   collation in UTF-8 encodings for all languages for FreeBSD. This
   summer I have accomplished:

    + imported data from the Unicode Consortium: POSIX locale files
      and regression test data
    + written converter scripts to extract collation data from these
      files
    + ported Apple's version of colldef (which is our version, but
      much extended by them)
    + extended the colldef even more, to work on collation data from
      the Unicode Consortium
    + added some performance improvements, the biggest one not used
      by default now (no time to test yet) - reading the charmap only
      once for all languages
    + ported Apple version of strcoll, wcscoll, strxfrm, wcsxfrm and
      locale/collate.c, taking out xlocale (rationale on wiki)
    + Written regression test scripts. It appeared that Apple's code
      doesn't full Unicode Collation Algorithm - the part which deals
      with expansions. It is needed for half of languages to pass the
      more advanced regression tests.
    + for last few days I'm working on implementing expansions, I'll
      not rest until they work
    + I wasn't able to start writing manpages and create a megapatch
      against HEAD, I'll do that when the algorithm is 100% correct for
      all the languages.


   Current information will be available on my wiki:
   http://wiki.freebsd.org/KonradJankowski/Collation

   Ready to enter SVN/CVS: After finishing expansion support and cleanup.


 * Project: VM Algorithm Improvement
   Student: Mayur Shardul
   Mentor: Jeff Roberson

   Summary:

   A new data structure, viz. radix tree, was implemented and used
   for management of the resident pages. The objective is efficient
   use of memory and faster performance. The biggest challenge was
   to service insert requests on the data structure without
   blocking. Because of this constraint the memory allocation
   failures were not acceptable, to solve the problem the required
   memory was allocated at the boot time. Both the data structures
   were used in parallel to check the correctness and we also
   benchmarked the data structures and found that radix trees gave
   much better performance over splay trees.

   Ready to enter SVN/CVS: We will investigate some more approaches
   to handle allocation failures before the new data structure goes
   in CVS.


 * Project: TCP anomaly detector
   Student: Rui Paulo
   Mentor: Andre Oppermann

   Summary:

   The TCP Anomaly Detector (tcpad, for short) project went
   reasonably well. I'm currently tracking some bugs and lowering
   the number of false positives.

   tcpad tries to monitor your TCP connections and detect
   non-conformant hosts. It does this by sniffing packets on the
   wire and creating, what I would like to call, a virtual TCP stack
   on each end. When an error is detected, tcpad creates a pcap file
   with all the packets exchanged between the two hosts and the
   state of each virtual TCP stack.

   tcpad is still being developed, so expect it to "detect" dozens
   of "problems" after running for some minutes.

   I was a bit late developing results because the SoC began before
   my exams did (I was still having classes), but now, that "damage"
   is partly fixed. ;-) Overall, this SoC was a really interesting
   learning experience. I must say that my TCP knowledge has
   increased a few points. :-)

   Andre Oppermann is my mentor. I blogged a bit about this project
   at http://blogs.freebsdish.org/rpaulo/ . The wiki page is at
   http://wiki.freebsd.org/RuiPaulo/TCPAnomaly .

   Ready to enter SVN/CVS: No.


 * Project: FreeBSD auditing system testing
   Student: Vincenzo Iozzo
   Mentor: Attilio Rao

   Summary:

   The project was focused on testing the audit system. The first
   part of the project consisted of writing a patch for
   /dev/auditpipe in order to preselect events by process' pid. The
   second half was focused on creating a testing framework for
   audit. Some auxiliary functions and modules were written.

   What's missing:
    - More abstraction in the framework
    - More tests for events


 * Project: Dynamic memory allocation for dirhash in UFS2
   Student: Nick Barkas
   Mentor: David Malone

   Summary:

   Modified dirhash code in perforce is now able to free up memory
   used by older dirhashes when the VM system invokes vm_lowmem
   events. This will allow the default dirhash_maxmem value to be
   increased, improving performance on large directory lookups when
   there is memory to spare on the system. There are versions of
   the low memory event handling code for both -CURRENT and
   7-STABLE. A number of tests have been run showing the new event
   handler seems to work properly.

   I intend to do further testing and benchmarking to find the best
   default values to use for vfs.ufs.dirhash_reclaimage (the number
   of seconds a dirhash can sit unused before the dirhash low
   memory event handler will unconditionally delete it) and the
   minimum percentage of memory that will be freed upon vm_lowmem
   events even if there are not enough hashes older than
   dirhash_reclaimage (currently this is hard coded to 10%). I would
   also like to add some code to choose a reasonable new default
   vfs.ufs.dirhash_maxmem value based upon the amount of memory in
   the system, set automatically at boot time and tunable via
   sysctl. Once these tweaks have been made I plan to ask for
   testing from more users to shake out any bugs or potential
   workloads where the new code may hurt overall performance.

   Current details about status are on the wiki here:
   http://wiki.freebsd.org/DirhashDynamicMemory


 * Project: Reference implementation of the SNTP client
   Student: Johannes Maximilian Kühn
   Mentor: Harlan Stenn

   Summary:

   A reference implementation of the SNTP client based on the latest
   ntpv4 document. SNTP is a lightweight client that enables admins
   to synchronize with NTP servers. SNTP's networking code is
   written protocol independent and should work with almost any
   protocol like IPv4 or IPv6. SNTP supports MD5 authentication to
   verify the authenticity of the queried server.

   Ready to enter CVS: Not determined yet.


 * Project: NFSv4 ACLs
   Student: Edward Tomasz Napierala
   Mentor: Robert Watson

   Summary:

   The aim of my GSoC project was to implement NFSv4 ACLs in a
   similar way POSIX.1e ACLs are supported. That was done by
   extending user utilities (setfacl(1)/getfacl(1)), libc API and
   adding necessary kernel stuff, for ACL storage and enforcement
   on both UFS and ZFS. Regression tests were implemented to ensure
   correct operation. Semantics is supposed to be identical to the
   one in SunOS. There is also a wrapper (distributed separately)
   that implements SunOS-compatible acl(2)/facl(2) API, to make
   porting applications like Samba easier.

   Ready to enter CVS: not yet


 * Project: Enhancing FreeBSD's Libarchive
   Student: Anselm Strauss
   Mentor: Tim Kientzle

   Summary:

   The idea was to work on some missing parts of Libarchive. Despite
   the many goals, only few of them could be implemented. So far the
   project contributed a ZIP writer with tests. It supports basic
   functionality, except compression, ZIP64 and some fancy features
   of the ZIP specification. Work will now continue free from
   GSOC. It will include finishing the ZIP writer, and working a bit
   on the other goals, like PAX frontend, and others.

   Ready to enter CVS: not yet


 * Project: Allowing for parallel builds in the FreeBSD Ports Collection
   Student: David Forsythe
   Mentor: Mark Linimon

   Summary:

   This project added locks to targets taken from bsd.port.mk that
   could perform conflicting operations if multiple builds were
   running at the same time. First, fake-pkg was modified to obtain
   a lock over PKG_DBDIR to prevent clobbering of the database in
   case more than one port tries to register at a time. Next, a lock
   called BASE_LOCK was added for every port to obtain at the
   beginning of a build. This lock is located in a ports directory,
   and prevents any port from being built by multiple make
   processes. Locks were then added for other sensitive targets, and
   the pkg_install tools were modified to honor locks on PKG_DBDIR.

   Once these locks were added, a new variable, FAKE_J, was added to
   take advantage of make's -j flag. This allows make to fork multiple
   processes to handle dependencies and fetching, without passing
   the -j flag onto the actual build of a port.

   Ready to enter SVN/CVS: Probably not.


 * Project: Ports license auditing infrastructure
   Student: Alejandro Pulver
   Mentor: Brooks Davis

   Summary:

   This project is about adding license support to the Ports
   Collection, so ports with certain licenses can be identified. The
   ports makefile part is functional (may need some adjustments
   though): definition of licenses by port, notions of permissions
   (sell and redistribute, for distfiles and packages) replacing
   NO_{PACKAGE,CDROM} and RESTRICTED, configuration (one-time, and
   saved; with checksum in case the license changes),
   verbose/diagnostic output of the internal processing logic (how
   it is accepted or rejected, if by the user, by default or by
   saved configuration), registration of license information and
   license itself in the package (so that both packages and ports
   can be searched for properties such as license types or
   restrictions), and more can be easily added to the current code.

   The license database (a list of them and their properties) was
   going to be mirrored from FOSSology: a tool to analyze software
   licenses. We're working on getting FOSSology to automatically
   classify ports (I've sent suggestions and patches to the
   developers, who accepted them and provided very good support). So
   for the moment it's not usable (at least licenses/properties are
   defined manually, and each port is marked manually to indicate
   its license).

   I'll continue working on the FOSSology's port, and on the missing
   features such as multiple licenses support (AND, OR, etc). For
   more information see the wiki page: Ports license auditing
   infrastructure

   Ready to enter SVN/CVS: not yet


 * Project: Improving layer2 filtering
   Student: Gleb Kurtsou
   Mentor: Andrew Thompson

   Summary:

   Project aimed to improve layer2 filtering in ipfw and pf. All of
   the project goals are achieved: pfil framework is extended to
   handle ethernet packets, ipfw layer2 filtering is greatly
   simplified, added l2filter and l2tag per interface flags. Both
   ipfw and pf firewalls support filtering by ethernet addresses,
   support stateful filtering with ethernet addresses and firewall's
   lookup tables are extended to contain ethernet addresses.

   ipfw was extended to perform arp packet filtering: arp-op,
   src-arp and dst-arp options added.

   Details and usage examples are on my blog:
   http://blogs.freebsdish.org/gleb/

   Ready to enter CVS: Not yet, diff is submitted to freebsd-net&lt; at &gt;
   for public review.


 * Project: Porting FreeBSD to Efika (PPC bring up)
   Student: Przemek Witaszczyk (vi0&lt; at &gt;)
   Mentor: Rafal Jaworowski (raj&lt; at &gt;)

   Summary:

   The main aim of the project is to port FreeBSD operating system
   to MPC5200B evaluation board. Among subleading tasks, there were
   objectives such as making kernel proceed to device drivers
   initialization, modelling newbus hierarchy of devices, writing
   the programmable interrupt controller driver, writing the PCI
   driver. The ultimate goal is reaching multiuser mode.

   As for now, half of the project is realized. After solving a few
   difficult problems at the basic level (binary interface issues
   with entry point to the SmartFirmware on the device), the boot
   procedure reaches the device drivers initialization stage, and
   hits the PIC driver init. At this point, the driver skeleton is
   constructed and is called. The driver uses ofwbus bus driver
   which intermediates between the openfirmware and the FreeBSD
   newbus devices hierarchy. After completing the PIC driver, I'll
   be in the position to write the remaining drivers for peripherals
   integrated on the MPC5200B chip using the newbus architecture.

   I am determined to continue the work on the project after the
   formal GSoC end date in order to bring at least the interrupt
   controller driver to operation.

   More info available at project's wiki:
   http://wiki.freebsd.org/PrzemekWitaszczyk and at my GSoC 2008
   blog: http://bitbay.blogspot.com/

   Ready to enter SVN: not yet, at least PIC driver required.


 * Project: Audit Firewall Events from Kernel
   Student: Diego Giagio (diego&lt; at &gt;)
   Mentor: Christian Peron (csjp&lt; at &gt;)

   Summary:

   This project is part of TrustedBSD project and aims to provide
   auditing support to security-related events generated by various
   firewall implementations on FreeBSD such as IPFW, PF and
   IPFILTER.

   Currently both administrative events (such as add/remove rules)
   and network events (such as network connection establishment) are
   being audited on IPFW. This means that all IPFW security-related
   events are already being audited the way we planned it
   to. Although PF and IPFILTER auditing support aren't yet
   finished, all the hard infrastructure work needed to implement
   that is already committed.

   The next step is basically to finish implementing PF and IPFILTER's
   auditing support. On the IPFW side, my research showed that the
   way it handles stateful connections (even before my work) needs
   improvement. I will also work on this. I will keep working on
   this project in order to polish every rough edge we might
   find. Once this is finished, I'll probably begin working on other
   interesting TrustedBSD projects.

   More information can be found here:
   http://wiki.freebsd.org/DiegoGiagio/Audit_Firewall_Events_from_Kernel

   Ready to enter SVN: Not determined yet, perhaps parts of it.


 * Project: Create a tiny operating system from FreeBSD
   Student: James Harrison
   Mentor: Warner Losh (bsdimp&lt; at &gt;)

   Summary:

   This project was a success and a failure at the same time. I
   started work imagining that I would be creating, genuinely
   creating, a new tiny operating system from FreeBSD. This was to
   be a worthy goal, a challenging goal, and overall a fun goal. I
   imagined it would involve making a bunch of shell scripts for
   stripping out various parts of the OS, integrate a custom kernel,
   and bob's your mother's brother, everything's done. This was even
   reflected in the name of the project; it's the same approach as
   TinyBSD, so I called mine ShinyBSD as a kind of homage.

   Instead, I gained respect for TinyBSD, which is a fantastic
   tool. A truly, truly, fantastic tool. Ultimately, with just a few
   tweaks, it could do exactly what I needed it to do; building a
   small OS has been completed for some time.

   The second portion was to cross compile and boot an arm device. I
   had more hardware issues than you can shake a large stick at, so
   though I can verify that I was working hard on cross compiling, I
   cannot verify that the cross compiled product I had made sense as
   a bootable image. I've started configuring qemu now to see if I
   can verify via that. In discussion with my mentor, I believe a
   profitable method of applying my knowledge post-GSOC is to get a
   Makefile prepared for TinyBSD that cross compiles out of the box.

   Ready to enter SVN: Not yet, though when the Makefile is complete
   it would be good to offer it up for inclusion in base.
_______________________________________________
freebsd-announce&lt; at &gt;freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe&lt; at &gt;freebsd.org"

</description>
    <dc:creator>Murray Stokely</dc:creator>
    <dc:date>2008-09-19T22:41:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/396">
    <title>NYCBSDCon 2008 Registration Is Open</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/396</link>
    <description>We are proud to announce the release of the speaker's schedule and that 
registration is now open for NYCBSDCon 2008.  The conference will be 
held at Columbia University on October 11 and 12 in Manhattan.

The speaker line-up is an impressive list of developers and systems 
administrators from all of the BSD projects.

We strongly encourage everyone to register as soon as possible.  Early 
registration is $95 and includes not just the meetings, but also 
breakfast and lunch for both Saturday and Sunday.  Walk-ins will be 
charged $145.  With valid current identification, the Columbia 
University staff, students and faculty rate is $50.  Other full-time 
students can also receive this discounted rate with valid identification.

Friday evening, attendees will be gathering at Havana Central at 2911 
Broadway between 113th and 114th streets beginning at 7 pm.  That will 
also be the location for the Saturday night social.  There are plenty of 
other non-presentation activities such as:

* The BSD Certification Group will be holding BSDA exams. There will be 
general Unix review cram sessions over the course of the conference.

* Live on-site reporting of the conference happenings will be provided 
by BSDTalk's Will Backman.

* Birds of a Feather (BoF's)

Any conference profits will be donated to the BSD projects, as done in 
years past. More information is available at the NYCBSDCon 2008 website.

</description>
    <dc:creator>George Rosamond</dc:creator>
    <dc:date>2008-09-11T02:42:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/395">
    <title>FreeBSD Security Advisory FreeBSD-SA-08:09.icmp6</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/395</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:09.icmp6                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Remote kernel panics on IPv6 connections

Category:       core
Module:         sys_netinet6
Announced:      2008-09-03
Credits:        Tom Parker, Bjoern A. Zeeb
Affects:        All supported versions of FreeBSD.
Corrected:      2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3530

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.

I.   Background

IPv6 nodes use ICMPv6 amongst other things to report errors encountered
while processing packets.  The 'Packet Too Big Message' is sent in
case a node cannot forward a packet because the size of the packet is
larger than the MTU of the next-hop link.

II.  Problem Description

In case of an incoming ICMPv6 'Packet Too Big Message', there is an
insufficient check on the proposed new MTU for a path to the destination.

III. Impact

When the kernel is configured to process IPv6 packets and has active
IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big
Message' could cause the TCP stack of the kernel to panic.

IV.  Workaround

Systems without INET6 / IPv6 support are not vulnerable and neither
are systems which do not listen on any IPv6 TCP sockets and have no
active IPv6 connections.

Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this
will at the same time break PMTU support for IPv6 connections.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_6_3 or RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch &lt; /path/to/patch

c) Recompile your kernel as described in
&lt;URL:http://www.FreeBSD.org/handbook/kernelconfig.html&gt; and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/icmp6.c                                      1.62.2.11
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.9
  src/sys/conf/newvers.sh                                   1.69.2.15.2.8
  src/sys/netinet6/icmp6.c                                   1.62.2.9.2.1
RELENG_7
  src/sys/netinet6/icmp6.c                                       1.80.2.7
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/netinet6/icmp6.c                                       1.80.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3530

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:09.icmp6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2hFdaIBMps37IRAjxxAJwIIXP+ALAZkvG5m687PC+92BtXTwCfUZdS
AvvrO0r+UAa6bn1H9mFf9So=
=MBB1
-----END PGP SIGNATURE-----

</description>
    <dc:creator>FreeBSD Security Advisories</dc:creator>
    <dc:date>2008-09-03T20:13:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/394">
    <title>FreeBSD Security Advisory FreeBSD-SA-08:08.nmount</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/394</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:08.nmount                                     Security Advisory
                                                          The FreeBSD Project

Topic:          nmount(2) local arbitrary code execution

Category:       core
Module:         sys_kern
Announced:      2008-09-03
Credits:        James Gritton
Affects:        FreeBSD 7.0-RELEASE, FreeBSD 7.0-STABLE
Corrected:      2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
CVE Name:       CVE-2008-3531

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.

I.   Background

The mount(2) and nmount(2) system calls are used by various utilities
in the base system to graft a file system object on to the file system
tree to a given mount point.  It is possible to allow unprivileged
users to utilize these system calls by setting the vfs.usermount
sysctl(8) variable.

II.  Problem Description

Various user defined input such as mount points, devices, and mount
options are prepared and passed as arguments to nmount(2) into the
kernel.  Under certain error conditions, user defined data will be
copied into a stack allocated buffer stored in the kernel without
sufficient bounds checking.

III. Impact

If the system is configured to allow unprivileged users to mount file
systems, it is possible for a local adversary to exploit this
vulnerability and execute code in the context of the kernel.

IV.  Workaround

It is possible to work around this issue by allowing only privileged
users to mount file systems by running the following sysctl(8)
command:

# sysctl vfs.usermount=0

V.   Solution

NOTE WELL: Even with this fix allowing users to mount arbitrary media
should not be considered safe.  Most of the file systems in FreeBSD
were not built to safeguard against malicious devices.  While
such bugs in file systems are fixed when found, a complete audit has
not been performed on the file system code.

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc

b) Apply the patch.

# cd /usr/src
# patch &lt; /path/to/patch

c) Recompile your kernel as described in
&lt;URL:http://www.FreeBSD.org/handbook/kernelconfig.html&gt; and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/vfs_mount.c                                     1.265.2.10
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/kern/vfs_mount.c                                  1.265.2.1.2.2
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX
yvNI1gVmhAQ7MXOUvPoLcLk=
=EsCn
-----END PGP SIGNATURE-----

</description>
    <dc:creator>FreeBSD Security Advisories</dc:creator>
    <dc:date>2008-09-03T20:13:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/393">
    <title>FreeBSD Security Advisory FreeBSD-SA-08:07.amd64</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/393</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.

I.   Background

FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
CPUs.  For Intel CPUs this architecture is known as EM64T or Intel
64.

The gs segment CPU register is used by both user processes and the
kernel to conveniently access state data.  User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data.  As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.

The kernel stores critical information in its per-processor data
block.  This includes the currently executing process and its
credentials.

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system.  If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF).  In that case, the processor aborts the return to the
user level process and re-enters the kernel.  The FreeBSD kernel
allows the user process to be notified of such an event by a signal
(SIGSEGV or SIGBUS).

II.  Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while
it is returning from an interrupt, trap or system call, the swapgs CPU
instruction may be called one extra time when it should not, resulting
in userland and kernel state being mixed.

III. Impact

A local attacker can, by causing a General Protection Fault while the
kernel is returning from an interrupt, trap or system call while
manipulating stack frames, run arbitrary code with kernel
privileges.

The vulnerability can be used to gain kernel / supervisor privilege.
This can for example be used by normal users to gain root privileges,
to break out of jails, or bypass Mandatory Access Control (MAC)
restrictions.

IV.  Workaround

No workaround is available, but only systems running the 64 bit
FreeBSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch &lt; /path/to/patch

c) Recompile your kernel as described in
&lt;URL:http://www.FreeBSD.org/handbook/kernelconfig.html&gt; and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/amd64/amd64/exception.S                               1.125.2.3
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.9
  src/sys/conf/newvers.sh                                   1.69.2.15.2.8
  src/sys/amd64/amd64/exception.S                           1.125.2.2.2.1
RELENG_7
  src/sys/amd64/amd64/exception.S                               1.129.2.2
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/amd64/amd64/exception.S                           1.129.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----

</description>
    <dc:creator>FreeBSD Security Advisories</dc:creator>
    <dc:date>2008-09-03T20:13:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.os.freebsd.announce/392">
    <title>Java Installable Packages Now Available</title>
    <link>http://permalink.gmane.org/gmane.os.freebsd.announce/392</link>
    <description>Dear FreeBSD Community,

The FreeBSD Foundation is pleased to announce the availability of the 
Java JDK and JRE 6.0 binary installable packages for FreeBSD 6.x and 7.x
on the i386 and amd64 architectures! The binaries are available at
http://www.freebsdfoundation.org/downloads/java.shtml.

We would like to thank Kurt Miller for his hard work on this project. We
would also like to thank Greg Lewis and Jung-uk Kim from the FreeBSD
Java Project for their help and support.

These releases would not be possible without the help of the volunteers
developing Java for FreeBSD, Sun Microsystems, and your donations!

We hope you will consider making a donation to help us fund more
development projects to improve FreeBSD. Please go to
http://www.freebsdfoundation.org/donate/ to find out how to make a donation.

Sincerely,

The FreeBSD Foundation


</description>
    <dc:creator>Deb Goodkin</dc:creator>
    <dc:date>2008-08-27T17:12:47</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.os.freebsd.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.os.freebsd.announce</link>
  </textinput>
</rdf:RDF>
