As many of you are probably aware, a serious security issue in the GNU bash shell (a bug in how it parses exported shell functions, widely known as Shellshock) is currently all over the web. The PC-BSD project is well aware of the issue; a fix is already in place and packages containing it are building now. Expect an update to your bash package within the next 24 hours.
As a side note: nothing written by the PC-BSD project uses bash in any way, and bash is not part of the FreeBSD base system (it is an optional port/package; /bin/sh on FreeBSD is not bash), so the severity of this bug on FreeBSD is lower than on operating systems where bash is the system shell.
Bryan Drewery has already sent a notice to the FreeBSD mailing list that the port is fixed. Since the same email also contains some good recommendations for bash users, we have copied it here for anyone interested.
From: Bryan Drewery — FreeBSD mailing list
The port is fixed with all known public exploits. The package is
However bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands as well as these guidelines:
1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI
4. httpd/CGId should never run as root, nor “apache”. Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.
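The following script is an added example and is not part of the PC-BSD post or Bryan Drewery's mail. It turns three of the guidelines above into checks a FreeBSD or PC-BSD admin can run after the package update: whether the installed bash still executes code appended to an exported function (using the widely circulated public test string, which only echoes a marker), whether /bin/sh is really bash, and whether a passwd(5) entry gives an account a login shell instead of /sbin/nologin. The function names and the sample passwd lines are this example's own.

```sh
#!/bin/sh
# Added example, not from the PC-BSD post or Bryan Drewery's mail.
# Function names and sample data are assumptions made for this example.

# Returns 0 if the bash at $1 (default: "bash" on PATH) still executes code
# appended to an exported function definition, 1 if it refuses, 2 if no bash.
bash_exports_trailing_code() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # A fixed bash ignores the definition (and warns on stderr); only the
    # body passed to -c runs, so the marker never appears in the output.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 if the shell at $1 (default /bin/sh) is really bash, whether it
# was linked or copied: resolve the link, then ask the binary itself.
sh_is_bash() {
    target="${1:-/bin/sh}"
    [ -x "$target" ] || return 1
    resolved=$(readlink -f "$target" 2>/dev/null || printf '%s' "$target")
    case "$(basename "$resolved")" in
        bash) return 0 ;;
    esac
    "$target" -c 'test -n "$BASH_VERSION"' 2>/dev/null
}

# Returns 0 if a passwd(5) line gives the account a usable login shell,
# 1 if the shell is a nologin/false stub (guideline 2 for web/CGI users).
user_has_login_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample passwd lines (not taken from a real system).
SAMPLE_WWW='www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin'
SAMPLE_CGI='cgiapp:*:1001:1001:CGI app:/home/cgiapp:/usr/local/bin/bash'

# Stand-alone run: report each finding for this host and the samples.
if bash_exports_trailing_code; then
    echo "bash: still executes code after an exported function; update it"
fi
if sh_is_bash /bin/sh; then
    echo "/bin/sh is bash: unlink it (guideline 1)"
fi
for line in "$SAMPLE_WWW" "$SAMPLE_CGI"; do
    if user_has_login_shell "$line"; then
        echo "${line%%:*}: has a login shell; web/CGI users should get /sbin/nologin"
    fi
done
```

Run it as root after `pkg upgrade` completes; a silent run means bash refused the smuggled command, /bin/sh is the base-system shell, and only the constructed `cgiapp` line is flagged. Replace the sample lines with `getent passwd www` (or the accounts your httpd runs under) to check a real system.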
For more information on the bug itself, see the Ars Technica article linked below.
PC-BSD 10.0.3-RC2 ISO images are now available for testing.
Users on the EDGE package set, or 10.0.3-RC1 can update to the newer set with the following commands:
# pkg update -f
# pkg upgrade
# pc-extractoverlay ports
This update brings in the newer pkgng 1.3.7, which may need to reinstall many of your packages in order to properly fix an issue with shared-library version detection in previous pkgng releases.
The current plan is to release 10.0.3 early next week, so please let us know of any issues right away via our RedMine bug tracker.
PC-BSD 10.0.2-RC2 images are now online for testing from our download site.
This will (hopefully) be our last RC before releasing 10.0.2 officially sometime on or around the 23rd. We have addressed or fixed most tickets related to the 10.0.2 release, so if you are still running into any issues, please report them using our Trac database.
Users running EDGE or earlier 10.0.2 images can upgrade their packages to the RC2 versions via AppCafe or Package Manager.
Thanks for all your help testing, and the issues reported so far!
The next 10.0.2-PRERELEASE ISO is now available for testing and can be downloaded from
If you have a spare system or virtual machine, consider testing this image. If you find any bugs, report them at https://trac.pcbsd.org so we can take a look at fixing them before 10.0.2 is released later this month.
NOTE: if you plan to use AppCafe in this image, go to Configure -> Repository Settings and change it to “Edge”. Do this before attempting to upgrade within AppCafe; otherwise, if you reboot or logout, you will not be able to successfully log back in again.
PC-BSD has long been very flexible about how you can install software: PBIs, packages, and ports are all available with a couple of clicks or a couple of simple terminal commands. For a long time the PBI format has served users who need an offline install, or who simply prefer the ease and simplicity the format offers, especially via AppCafe. The Achilles’ heel of this arrangement is that the amount of software AppCafe can offer has been severely limited, because every package first had to be converted into the PBI format.
This week we are announcing a radical change that we think will benefit all PC-BSD users. Over the last couple of weeks the PC-BSD team has begun redesigning our PC-BSD utilities (AppCafe, Update Center) to work with the pkgng software repository we are currently building, which will contain detailed information about all the software available through packages and PBIs. What this means for you is that in the near future PC-BSD will have a much broader software pool to pull from and will no longer be limited to a small subset of PBIs. You will be able to install packages and PBIs in one place, and update and manage both there as well.
You may be asking yourself “why the change?”. Over the last several months we have noticed that a considerable amount of our time has gone into compatibility work and fixes for PBIs; so much time, in fact, that other important development had to be postponed or sidelined while we brought PBIs up to speed. We hope that by making AppCafe and the PBI format work in tandem with pkgng, we will be able to refocus our efforts on other important endeavours.
We will have more information available soon as development continues on how you can get involved with testing out the new features and submitting ideas to help the project along. Let us know what you think about the changes. Are we headed in the right direction? Do you have ideas related to the redesign that you’d like to contribute? Let us know!
* Much larger software library: instead of roughly 800 available AppCafe applications, think more like 10000+
* Detailed information on all the software available, including packages, in one place
* Ability to search and filter your results to show
* Improved compatibility across desktop environments
* New rating system being developed for grading the quality of packages in the AppCafe library
Most of you have already heard of the Heartbleed vulnerability, the flaw in OpenSSL’s TLS heartbeat extension. For anyone not yet aware (probably precious few): Heartbleed lets a remote peer read chunks of the process memory of a vulnerable OpenSSL endpoint, which can expose data that is supposed to be protected, including session contents, passwords and private keys. The good news is that the FreeBSD project and PC-BSD have both released fixes for 10.x. If you are running PC-BSD 9.x, you are on an earlier OpenSSL branch that does not contain the vulnerable heartbeat code, so no action is necessary. If you are running PC-BSD 10.x, use the “system updater” to apply the OpenSSL security patch, then reboot so that every running service picks up the fixed library. Note that patching stops further leakage but cannot undo any that already happened: TLS keys and certificates served from a 10.x host while it was vulnerable should be reissued, and any passwords that passed through it changed.
Kris has finished a new PBI runtime that fixes a number of stability issues users may have experienced with PBIs. The fix has also sped up load times for some of the larger PBIs that were hanging or taking a long time to load.
Update Center is moving forward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We’d like to add a special thanks to the author, Yuri, for the primary design and layout of Update Center. Ken will also be working to smooth out GUI design elements and help integrate it fully into PC-BSD.
Other Updates / Bug Fixes:
* Updated openssl packages for 10.0 PRODUCTION/EDGE
* Patched issue with KRDC using FreeRDP version in ports
* A new 9.2 server has been spun up and building PBIs for 9.2 again. (Server failed earlier this week)
* Started work on PBI runtime for Linux compat applications
* Another large chunk of work on Lumina
* Bugfixes for pc-mixer (showing the proper icons)
* Life-Preserver bugfixes
* Large update to the available 10.x PBIs. All updates are finished, and a few new applications were also added.
* Bugfixes on a number of PBIs (waiting on rebuilds to test/approve the fixed apps)
* Hindi translation project now about 75% complete