As many of you are probably aware, there is a serious security issue that is currently all over the web regarding the GNU BASH shell. We at the PC-BSD project are well aware of the issue, a fix is already in place to plug this security hole, and packages with this fix are currently building. Look for an update to your BASH shell within the next 24 hours in the form of a package update.
As a side note: nothing written by the PC-BSD project uses BASH in any way – and BASH is not built-in to the FreeBSD operating system itself (it is an optional port/package), so the level of severity of this bug is lower on FreeBSD than on other operating systems.
According to the FreeBSD mailing list: Bryan Drewery has already sent a notice that the port is fixed in FreeBSD. However, since he also added some good recommendations in the email for BASH users, we decided to copy that email here for anyone else that is interested.
From: Bryan Drewery – FreeBSD mailing list
The port is fixed with all known public exploits. The package is
However bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands as well as these guidelines:
1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI 🙂
4. httpd/CGId should never run as root, nor “apache”. Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.
For more information on the bug itself, you can visit Ars Technica and read the article by clicking the link below.
Most of you have already heard of the Heartbleed vulnerability, the flaw in OpenSSL encryption. For any of you that may not be aware (which is probably precious few), the Heartbleed vulnerability is basically a flaw that may allow a malicious user to gain access to information that is supposed to be kept safe by OpenSSL. The good news is that the FreeBSD project and PC-BSD have both released fixes that apply to versions 10.x. If you are currently running a machine with PC-BSD 9.x, you are using an earlier version of OpenSSL that does not have the vulnerability, so no action is necessary to protect yourself from this. If you are running PC-BSD version 10.x, make sure to use the “system updater” to apply the security patch to OpenSSL. After applying the fix, reboot your computer and you should be good to go.
Kris has finished a new PBI run-time that will fix a number of stability issues users may have been experiencing while using PBI’s. The fix has also subsequently helped speed up load times for some of the larger PBI’s that may have been hanging or taking a long time to load.
Update Center is moving forward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We’d like to add a special thanks to the author Yuri for the primary design and layout of the update center. Ken will also be working to help smooth out GUI design elements and help with integrating it fully into PC-BSD.
Other Updates / Bug Fixes:
* Updated openssl packages for 10.0 PRODUCTION/EDGE
* Patched issue with KRDC using FreeRDP version in ports
* A new 9.2 server has been spun up and building PBIs for 9.2 again. (Server failed earlier this week)
* Started work on PBI runtime for Linux compat applications
* Another large chunk of work on Lumina
* Bugfixes for pc-mixer (showing the proper icons)
* Life-Preserver bugfixes
* Large update to the available 10.x PBIs. All updates are finished, a few new applications were also added.
* Bugfixes on a number of PBI’s (waiting on rebuilds to test/approve the new fixed apps)
* Hindi translation project now about 75% complete
The PC-BSD development team has been abuzz this week with awesome suggestions on how we can standardize the way we write PC-BSD utilities and software. One thing we’ve begun to realize is that as more people are contributing to the project, it is ever more important to make sure that there are clear standards for development. Even our primary developers will admit it’s easy to forget to use the same icon pack, or file menu layout when you get busy writing the main program. Going forward you can expect these standards to impact most of the PC-BSD utilities and programs you use everyday, although in a relatively minor way. Everything will still function the exact same, but whether or not you are using AppCafe or the Warden you can expect the file menu layout / program layout to follow the same general rules. For more information please check out “Becoming a Developer” in the PC-BSD 10.1 wiki. If you’d like to join the discussion you can email firstname.lastname@example.org.
I’ve seen some discussion lately about the life cycle of PC-BSD branches. I sat down with Kris Moore in IRC and asked if he wouldn’t mind clarifying the release cycle for our users. Kris answered that the general rule of thumb you can use is that a branch will continue to be supported for 6 months after the next branch is released. The updates include all of the things you would expect, like new PBI and security updates. So for users of 9.2 you can expect support to continue through June of 2014. 9 Stable was an “experimental” branch and is no longer supported at this time. Users of 9 Stable are encouraged to upgrade to 9.2 or 10.0 Release to continue to receive important updates.
You can expect to see tons of improvements coming up for PC-BSD 10.1. One of the biggest being Kris and Yuri have been working to fix Linux jail support in the Warden. A handful of commits went into the tree today that will address the previous problems users have been having with Linux jails. Kris has continued to refine the Warden and PBI systems to fix some bugs that were causing major stability issues in certain scenarios. Minor cosmetic changes are coming for most PC-BSD utilities to bring them up to the same standards outlined in the “Become a Developer” section in the PC-BSD 10.1 wiki.
That’s it for this week folks. Lots of good things in the works so stay tuned to the blog for more important PC-BSD news!
You can feel it in the air, can’t you? That time when we gather with family and friends, sit down to eat a great meal, and let the dog eat half the turkey. Oh wait, maybe that was just Kris last year…doh! All kidding aside, check out all these amazing gifts that have been neatly placed under our “ports tree” (pun intended).
10.0 PBI approvals have been moving along at a quick pace and the AppCafe should now be populated with approximately 400 PBI’s for public consumption. Please report any issues you are having directly to trac and we will work on fixing individual PBI’s after approvals are finished.
In some exciting news Kris has announced that we are merging the GNOME3 / MATE /Cinnamon desktops into our 10.0 ports tree. Be advised we are still working to resolve issues with these desktops in the base system and they are more than likely not fully functional at this time. We will be testing and resolving issues as quickly as possible to try to get these ready for all of you.
FreeBSD will be releasing a security update that applies to SSH in the next few days. If you are not a SSH user this bugfix won’t necessarily do anything for you, but it never hurts to be fully up to date just in case.
Bug fixes galore this week! PCDM has been updated to correctly display the language chosen during selection; however, it is still being tested and should officially be ready sometime in the very near future. Kris has added ZFS dataset options to PC-BSD’s new text-installer front-end for greater flexibility for power users.
That’s it for this week folks, and remember feeding thanksgiving leftovers to your dog makes everyone sad. See you guys next week!
When Kris told me he wanted me to help act as a QA for the PC-BSD project it never occurred to me that someone had to test all those nifty PBI’s in the appcafe when there’s a big release. Let me tell you after a week of testing PBI’s I have a whole new appreciation for what Ken does on a weekly basis. Thankfully the weekend is finally here, and it’s time to look at what else has been going on over this last week.
Over 200 PBI’s have been populated into the PC-BSD 10 Stable AppCafe. We are plugging away at approving and testing more, but it is hard to know just how long it will take. Most of what I would consider the “important” PBI’s have been approved, Firefox, Chromium, and Thunderbird being just a handful.
Many of you will be excited to find out that Adobe Flash is working perfectly on Chromium in my 10.0 KDE box. I listened to YouTube playlists all week and didn’t find a single video that wouldn’t load. Other sites that appear to be working include Vimeo, Hulu, and Amazon. I have not heard if this fix is being backported to 9.3, but I will let you guys know when we find out.
This week many PC-BSD programs received some necessary bug fixes and updates. Some of the updates include network detection in package / update manager, nvidia graphic detection, as well as security updates for PCDM. If you are experiencing an annoying bug that you’ve just been ignoring in version 10.0 now is the time to create a bug ticket on trac. Keep in mind the newest 10.0 iso is the “stable” branch not “current” when reporting bugs.
If you are still experiencing any difficulty with extremely slow download speeds, or downloads that continue to fail after multiple tries, make sure to send me an e-mail at email@example.com. The information we are looking for is the output of the host command in PC-BSD, or if you are not using PC-BSD as your primary desktop we can use the IP address assigned by your ISP to try and search for the log file of the failed download. I’m sure it goes without saying, but please keep your IP confidential and send it directly to me if you can help us with that information.
Enjoy your weekend!
As many of you are now aware, part of the FreeBSD build infrastructure was compromised recently. Many people have been contacting us asking how this relates to PC-BSD users. We currently locally compile and distribute all of our own packages, and at this time it looks like nothing on the PC-BSD side was impacted.
However if you are a power-user and have been manually using pkg_add to install packages from the FreeBSD package cluster, you may wish to remove these packages and rebuild from source. For more details regarding the security compromise, please take a look at the official FreeBSD page.