The article discusses the security of FreeBSD Jails compared to Podman containers on Linux. It highlights that FreeBSD Jails are generally more secure and flexible, offering better isolation, restricted kernel syscalls, dedicated network interfaces, and the ability to run firewalls inside Jails. The article also notes that Jails have fewer CVEs and are more battle-tested. Key points include the misconceptions about Podman's security, the flexibility of Jails, and their superior isolation and kernel syscall restrictions. The article concludes that Jails are a more secure option for containerization.
OpenIKED 7.4 has been released and will soon be available in the OpenIKED directory of local OpenBSD mirrors. This version includes several key updates, such as a fix for a double free bug in ECDH, a new configuration option for NAT-T negotiation, and improved config file verification. Additionally, the release tightens apparmor sandboxing on Linux and addresses various bugs and compatibility issues. OpenIKED is compatible with multiple operating systems, including OpenBSD, FreeBSD, NetBSD, macOS, and several Linux distributions. The community is encouraged to provide feedback and contribute to further improvements.
FreeBSD has released an errata notice for updating the root certificate bundle, which is essential for trusting TLS certificates. Several new certificates have been added to the bundle to ensure proper trust for TLS connections. This update affects all supported versions of FreeBSD, and users are advised to upgrade their systems to the latest stable or release branches. No workaround is available, and systems using an internal trust store are unaffected. Users can update via binary patches or source code patches, depending on their system configuration.
FreeBSD has released an errata notice for updating OpenSSL to version 3.0.16, addressing critical vulnerabilities CVE-2024-13176 and CVE-2024-9143. The update is essential for FreeBSD 14.2 users to mitigate risks related to ECDSA timing side-channels and out-of-bounds memory access in elliptic curve APIs. Systems should be updated immediately, and a reboot is required to ensure full protection. No workaround is available, and systems not using "exotic" elliptic curve parameters are less likely to be affected.
The FreeBSD Project has released an errata notice addressing an issue with daemon(8) where it may lose signal events after a change to use kqueue(2). This problem can cause daemon(8) to hang if a SIGTERM is sent after the child process has terminated but before it is restarted. The issue affects FreeBSD 14.2 and 13.4, and users are advised to upgrade to a supported stable or release branch and restart affected daemon(8) processes. No workaround is available, but systems not using the -r option are unaffected.
The FreeBSD Project has released an errata notice to update the expat library to version 2.7.1. This update addresses a stack overflow vulnerability (CVE-2024-8176) in the libexpat library, which could cause crashes in applications like tar(1) when parsing deeply nested XML entity references. While the base system is unlikely to be vulnerable to denial of service (DoS) attacks, system administrators are advised to update to the latest version and restart third-party services or reboot the system if necessary. The update is available for all supported FreeBSD versions.
The FreeBSD Project has released an errata notice for an update to the IANA Time Zone Database. This update addresses changes in future and past timestamps affecting various time zones worldwide. Users are advised to update their systems to ensure accurate time display and functionality. The update is available for all supported FreeBSD versions, and instructions for binary and source code patches are provided. Applications relying on system time, such as cron and syslog, may be impacted if the update is not applied.
This post explores the evolution and architecture of Apple’s Darwin OS and the XNU kernel, tracing its roots from Mach and BSD to its modern role in macOS, iOS, and Apple Silicon. The hybrid kernel design balances modularity and performance, combining Mach microkernel features with BSD Unix services. The post details Darwin’s development history, from Mach origins to Apple Silicon adaptations, and examines key components like scheduling, memory management, virtualization, and secure computing. XNU’s resilience and scalability are highlighted as foundational to Apple’s platforms.
Netgraph is FreeBSD's powerful, graph-based networking subsystem that supports modular, real-time packet processing inside the kernel. Introduced in FreeBSD 3.4 (1999), it allows developers to create complex networking topologies by connecting nodes in a graph structure. This modularity enables rapid development and deployment of new networking features, making it a powerful tool for developers. Netgraph operates on nodes and hooks, allowing for dynamic assembly of networking configurations. Control messages enable real-time adjustments, providing administrators with granular control over data flow. Its graph-based architecture gives it an advantage in high-performance networking applications, particularly in carrier-grade systems like Juniper’s Junos OS. While Netgraph offers flexibility and performance, it can be complex to manage and requires specialized tools for troubleshooting. It is particularly effective in scenarios like VPNs and firewalls, where dynamic traffic handling and real-time adjustments are crucial.
OpenBSD has released errata patches for iked, isakmpd, sshd, and rpki-client for versions 7.6 and 7.5. These updates address security vulnerabilities and are available as binary updates for amd64, arm64, and i386 platforms via the syspatch utility. Source code patches can be accessed on the respective errata pages. Users are advised to apply these updates to ensure system security.
The FreeBSD Foundation participated in FOSDEM 2025 in Brussels, hosting a stand and engaging with the open-source community. Their team answered numerous questions about FreeBSD, distributed stickers and mugs, and connected with both existing and potential users. The event provided valuable insights into how to better present and explain the benefits of FreeBSD to a wider audience.
The recent addition of the -f option in sysctl(8) allows users to apply multiple settings from a file in a single command. This update, contributed by Klemens Nanni, streamlines configuration management by eliminating the need for scripting or entering multiple commands. The feature is particularly useful for local edits and integration with config management tools. It will be available in upcoming OpenBSD 7.7 snapshots and releases.
The article discusses whether FreeBSD Jails can be considered containers. It highlights that FreeBSD Jails, introduced in 2000, are a form of OS-level virtualization similar to containers. The author argues that the term "containers" predates Docker and Linux-based solutions, and FreeBSD Jails fit the original definition. However, some argue that FreeBSD Jails lack the features of modern OCI containers. The article also references opinions from experts like Allan Jude and comparisons with other container technologies like Solaris Zones and HP-UX Containers. Ultimately, the debate centers on whether FreeBSD Jails are containers in the traditional sense or if the term should be reserved for OCI-compliant solutions.
The "Valuable News" weekly series provides summaries of news, articles, and updates primarily related to UNIX/BSD/Linux systems. This edition highlights recent developments in OpenBSD, FreeBSD, hardware innovations, and other relevant tech news. Key updates include FreeBSD's progress on laptop support, OpenBSD's advancements, and notable hardware releases like the Bolt Graphics Zeus GPU.
Flua is Lua, built into FreeBSD base, and includes an ever-growing set of libraries to make it even easier to automate FreeBSD.
This guide walks you through setting up a Minecraft server inside a FreeBSD Jails container. Unlike Docker or Podman, FreeBSD Jails offer a secure and lightweight containerization solution. The process involves preparing the FreeBSD environment, creating and configuring the Jail, building the Minecraft server from FreeBSD Ports, and connecting to the server using the Minecraft client. The steps include fetching the FreeBSD base system, setting up the Jail configuration, installing necessary packages, and configuring the Minecraft server. This method ensures a secure and isolated environment for running the Minecraft server.
MidnightBSD versions using xz 2.4.x or higher are vulnerable to a DOS in the multithreaded liblzma decompress code. This includes 3.2.x before 3.2.3 and 4 current before earlier. Patch applied to stable/3.2 branch. 4-current updated to 5.6.3 and then patch applied.