OPNsense 18.7.7 released

submitted 09 November 2018

Today we are addressing CVE-2018-18958 regarding an unenforced "deny config write" privilege. The issue was reported by brainrecursion this Monday and subsequently fixed along with several related issues. The affected combinations are the "deny config write" privilege coupled with admin or user and group manager rights. It is an uncommon way to configure access, as the "deny config write" privilege is commonly used for role-based access to non-system services, e.g. captive portals.

As we cannot be sure that no further issues of this sort exist, please refrain from using the "deny config write" privilege or at least stop giving access to system services or full admin rights to these users or groups. In the midterm we will be looking to replace the current privilege with something that is more generic and robust in enforcement.

Additionally, the update to Suricata 4.0.6 addresses the SMTP crash vulnerability CVE-2018-18956. Since the update does not reboot without an operating system update, please manually restart the intrusion detection service.

28 May 2020
New fuzzing tool finds 26 USB bugs in Linux, Windows, macOS, and FreeBSD  

Academics say they discovered 26 new vulnerabilities in the USB driver stack employed by operating systems such as Linux, macOS, Windows, and FreeBSD. Only one bug was found in FreeBSD.

BSDNow 352: Introducing Randomness  

A brief introduction to randomness, logs grinding netatalk to a halt, NetBSD core team changes, using qemu guest agent on OpenBSD kvm/qemu guests, WireGuard patchset for OpenBSD, FreeBSD 12.1 on a laptop, and more.

OpenBSD 6.7 and ffs2 FAQs  

Otto Moerbeek ([email protected]) posted to [email protected] a useful summary of the state of play of FFS2 in the 6.7 release (and, to some extent, -current). In his mail, Otto clarifies some things about the latest release.

Self Hosted S3 Object Storage On FreeNAS With Minio  

Learn how to self-host S3 Object Storage on FreeNAS with Minio with this video tutorial.

BastilleBSD templates updated  

Bastille templates have been updated to include dnsmasq, percona and asterisk services on FreeBSD.

27 May 2020
BSD Weekly issue 21  

Developer? You can get a grant from FreeBSD to work on it. Plus the rest of BSD world with the latest releases, news, tutorials and security announcements.

wpa_supplicant updated in DragonFly  

Thanks to Daniel Fojt, wpa_supplicant(8) in DragonFly jumped from version 2.1 to 2.9. There’s a nice changelog for the curious.

25 May 2020
OpenBSD KDE status  

This short blog post should summarize the KDE/Qt work done in OpenBSD 6.7 and plans for 6.8.

Upgrade your OpenBSD VM  

OpenBSD 6.7 is released! There are two ways you can upgrade your VM. Either use sysupgrade(8) or do a manual upgrade.

OPNsense 20.1.7 released  

OPNsense moves to PHP 7.3 in order to be able to complete testing for the 20.7-BETA online upgrades. Also included is a patch for the packet filter kernel code, which could crash with shared forwarding when interfaces disappeared due to a use after free in the default network stack path.

DarkMate 12.1  

DarkMate 12.1 is a desktop install script for FreeBSD 12.1. This script helps you set up a desktop system on top of FreeBSD 12.1. It will install PKG, X, MATE, SLiM, some additional tools and set up a 'wheel video' user.

24 May 2020
OpenBSD Errata: May 25th, 2020 (smtpd_sockaddr)  

Errata patches for OpenSMTPD have been released for OpenBSD 6.7. Incorrect use of getpeername(2) storage for outgoing IPv6 connections corrupts stack memory. The nature of the corruption and existing mitigations appear to make this difficult to effectively target. Binary updates for the amd64, i386, and arm64 platforms are available via the syspatch utility. After patching, restart the smtpd service.
