As many of you are probably aware, there is a serious security issue that is currently all over the web regarding the GNU BASH shell. We at the PC-BSD project are well aware of the issue, a fix is already in place to plug this security hole, and packages with this fix are currently building. Look for an update to your BASH shell within the next 24 hours in the form of a package update.
As a side note: nothing written by the PC-BSD project uses BASH in any way – and BASH is not built-in to the FreeBSD operating system itself (it is an optional port/package), so the level of severity of this bug is lower on FreeBSD than on other operating systems.
According to the FreeBSD mailing list: Bryan Drewery has already sent a notice that the port is fixed in FreeBSD. However, since he also added some good recommendations in the email for BASH users, we decided to copy that email here for anyone else that is interested.
From: Bryan Drewery – FreeBSD mailing list
The port is fixed with all known public exploits. The package is
However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:
1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI 🙂
4. httpd/CGId should never run as root, nor “apache”. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
For more information the bug itself you can visit arstechnica and read the article by clicking the link below.
Most of you have already heard of the Heartbleed vulnerability, the flaw in OpenSSL encryption. For any of you that may not be aware (which is probably precious few), the Heartbleed vulnerability is basically a flaw that may allow a malicious user to gain access to information that is supposed to be kept safe through OpenSSL. The good news is that the FreeBSD project and PC-BSD have both released fixes that will apply to versions 10.x. If you are currently running a machine with PC-BSD 9.x you are using an earlier version of openSSL that does not have the vulnerability, so no action is necessary to protect yourself from this. If you are running PC-BSD version 10.x make sure to use the “system updater” to apply the security patch to openSSL. After applying the fix reboot your computer and you should be good to go.
Kris has finished a new PBI run-time that will fix a number of stability issues users may have been experiencing while using PBI’s. The fix has also subsequently helped speed up load times for some of the larger PBI’s that may have been hanging or taking a long time to load.
Update Center is moving foward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We’d like to add a special thanks to the author Yuri for primary design and layout for the update center. Ken will also be working to help smooth out GUI design elements and help with integrating it fully into PC-BSD.
Other Updates / Bug Fixes:
* Updated openssl packages for 10.0 PRODUCTION/EDGE
* Patched issue with KRDC using FreeRDP version in ports
* A new 9.2 server has been spun up and building PBIs for 9.2 again. (Server failed earlier this week)
* Started work on PBI runtime for Linux compat applications
* Another large chunk of work on Lumina
* Bugfixes for pc-mixer (showing the proper icons)
* Life-Preserver bugfixes
* Large update to the available 10.x PBIs. All updates are finished, a few new applications were also added.
* Bugfixes on a number of PBI’s (waiting on rebuilds to test/approve the new fixed apps)
* Hindi translation project now about 75% complete
Another week bites the dust and we’ve got some fantastic new features heading your way. Just a quick update this week so let’s get right to it. The FreeBSD mailing list has put a call out to the community to know if you are interested in having some custom DirectX patches applied to wine. You can view the e-mail here if it interests you. If you’d like to respond directly to the e-mail list you can do so @ firstname.lastname@example.org.
* Tons of new PBI updates for 10.0
* Committed the new PBI runtime implementation for 10.x
* Fixed some edge cases with new runtime and particular apps
* Added support for running 32bit apps in new PBI runtime
* Patched RTLD and pushed out freebsd-update to prepare systems
* Added improved callback functionality for PBIs to run system commands
* Added umplayer as the new out-of-box default CD audio / DVD video player
* Merged latest FreeBSD ports and Gnome3 / Cinnamon ports
* Added options to set exec= and suid= options on ZFS datasets to installer
* Added “vagrant” development environment utility to PC-BSD base system
* Began builds of EDGE packages with all the above fixes
* Fixed issue with missing English dictionary in KDE text-processing apps
* Fixed bug with Life-Preserver which was pruning snapshots too
aggressively with replication enabled
* Don’t provide localization option to FAT mounting routine for english locales
* Clean up the usage of ntfslabel to make sure that extra outputs don’t get included in the name for Win8 NTFS devices.
Hey PC-BSDers! This week we’re coming at you with some pretty sweet updates to PC-BSD. The mount tray has seen some significant improvement and is now able to mount most audio / dvd formats without a problem. Also windows partition types are now showing up correctly on my test system after building the new mount tray from source. The mount tray will also prompt you to open your disc with a program and will offer you correct suggestions based on the proper package / PBI. Ultimately the mount tray will most likely replace the built in mounting systems in the desktop environments. This is still a little ways off in the future, but the direction we are heading in.
We heard that there were some users that were experiencing problems upgrading and believe we have found the guilty party. I was able to duplicate the same package upgrade problem that was causing updates to 10.0.1 to fail, and asked Allan over at Scale Engine to give us a hand. Allan was able to track down the issue to a faulty distribution server that was interrupting connections and preventing the upgrades randomly. This server has been removed from service at this time and further work is going into preventing this from happening again in the future.
Work has begun to localize PC-BSD into the Hindi language. We’d like to give a shout out to the newest member of our translation team Simran. Thanks for your help and we are excited at the prospect for even more people to be able to use PC-BSD. Our estimated date of completion is 3 weeks from now. If you have an interest in this language please help us spread the word!
Other News / Projects for this week:
* Merged latest ports and gnome3 patches into ‘master’
* Merged in latest VirtualBox versions
* Wrote a userland replacement for the FUSE module to execute PBIs in a faster and less unstable manner (about 90% complete)
* Kicked off new -STABLE builds
* Update 9.x PBI’s
* Add new XDG-compatibility classes in libpcbsd (scanning/listing/filtering system applications)
* New Utility: pc-systemflag (shell) – pc-systemflag is used to set a flag/message on the system for cross-application communication
* Rewrite the pc-systemupdatertray utility to use the new SystemFlagWatcher. Is much simpler and more streamlined now.
* Add system flag usage to pc-softwaremanager for PBI update availability
* Add system flag usage to the pbi-manager (“pbi_update –check-all” usage only)
* Add system flag usage to pc-updatemanager (for all package and system updates/checks)
The week is finally almost over and we’re back for another update on PC-BSD! The majority was spent squashing bugs and performing minor updates to PC-BSD utilities (as well as recovering from the Jet lag from AsiaBSDcon for Kris and Dru)! To check out pictures from the big event have a look at IXsystem’s facebook page here. For a list of some of the changes and updates this week have a look below.
* Fixed missing RDP support for krdc
* Fixed issue installing src / ports for server installs
* Enabled “lz4” compression on root FS by default
* Disabled some FUSE file-cache functionality in PBIFS
* Investigated issues with calls to “vflush” causing fuse to never finish unmounting
* Imported latest stable/10 and started builds
* Imported latest gnome3 / cinnamon changes
* Finished building next Edge package set
* Finished GUI updates and changes to bring them up to our new / current standards
* Added accessibility / shortcut keys for PC-BSD utilities
PC-BSD 10.0.1 Has been released! Check out the release notes from Kris below. Kris is currently out in the field attending AsiaBSDCon so make sure to stop by the FreeBSD booth if you’re in the area and show your support! Work has continued this week on the development of the new PC-BSD mixer although our primary goal this week was to get a bunch of trac tickets fixed, closed, or assigned to someone to take care of them. Thanks as always and enjoy the new updates!
The first PC-BSD 10.0 quarterly update is upon us, and 10.0.1 is now
This update includes a number of important bugfixes, as well as newer
packages and desktops, such as KDE 4.12.2, Cinnamon 2.0 and more. For
more details and updating instructions, refer to the notes below.
* KDE 4.12.2
* Cinnamon 2.0
* Samba 4.1.4
* Stability improvements to PBI subsystems
* Updated GRUB loader, fixing issues related to slow / hanging startup
* Updated AppCafe UI
* Updates to Life-Preserver, including “Classic” backup mode and
* Updated control panel with desktop settings buttons
* PulseAudio 5.0 integration
* Improved Video display auto-detection
* Bugfixes to mouse auto-detection
* Improved LDAP / AD support for login manager
* Misc other bugfixes
Desktop users already running 10.0 can update via Control Panel ->
Package Manager -> Updates.
Server users can update via the “pc-updatemanager” utility.
If package updating fails due to conflict errors, please be sure to
apply all system updates first before trying again.
10.0.1 DVD/USB media can be downloaded from the following URL:
Found a bug in 10.0.1? Please report it (in as much detail as possible)
to our Trac Database.