FreeBSD Security Advisory: OpenSSH Keystroke Obfuscation Bypass

submitted 30 January 2025

The FreeBSD Project has released a security advisory addressing a vulnerability in OpenSSH that affects keystroke timing obfuscation. The flaw, identified as CVE-2024-39894, allows a passive observer to detect keystrokes based on packet timing. This issue impacts FreeBSD versions 14.1 and earlier. Users are advised to upgrade their systems to the latest stable or release branch to mitigate the risk. The advisory provides detailed instructions for applying binary and source code patches.

The BSD community linklog

17 April 2025
ZFS Log Compression on FreeBSD  

System logs in FreeBSD are managed by syslog and stored in /var/log/, with log rotation handled by newsyslog. ZFS offers efficient data compression, automatically compressing and decompressing log files. To optimize log storage, ZFS compression can replace traditional syslog compression by configuring newsyslog and syslog settings. This approach simplifies log management, improves compression ratios, and saves storage space while maintaining easy access to log data.

Why AI Can't Be Trusted for ZFS Tuning  

The article explains why relying on AI or Large Language Models (LLMs) for tuning ZFS can lead to misleading and potentially harmful configuration advice. Real-world tests reveal that AI often provides outdated, incorrect, or incomplete recommendations due to its reliance on statistical models and training data. ZFS, a complex file system with numerous adjustable parameters, requires a deep understanding of its parameters and their interactions, which AI cannot consistently provide. The article highlights several examples where AI gave inaccurate advice about ZFS parameters, emphasizing the risks of trusting AI for critical system configurations. Instead, it recommends consulting experienced engineers or upstream contributors for reliable ZFS tuning and support.

15 April 2025
Setting Up Anubis on FreeBSD to Mitigate AI Crawlers  

The article details the process of implementing Anubis, an anti-AI crawler software, on a FreeBSD server to protect a Forgejo instance. The author noticed increased server load due to AI crawlers and initially used HAProxy with a RegEx-based blocklist to mitigate the issue. However, Anubis was introduced to provide a more effective solution by challenging bots with proof-of-work tasks, significantly reducing server load. The guide includes steps for building Anubis, configuring it as a daemon, and setting up custom policies to differentiate between bots and legitimate users. The solution is tailored for FreeBSD and integrates with HAProxy to ensure smooth operation.

Valuable News 2025/04/14  

The Valuable News weekly series provides a summary of news, articles, and other interesting content primarily related to UNIX/BSD/Linux systems. This edition covers topics such as Minecraft servers in FreeBSD jails, FreeBSD assembly programming, OpenSSH updates, and more.

14 April 2025
OpenBSD Errata: April 13, 2025 (perl)  

Errata patches for Perl have been released for OpenBSD versions 7.5 and 7.6. These updates address issues in Perl and are available for amd64, arm64, and i386 platforms via the syspatch utility.

13 April 2025
OpenBSD -current is now "7.7-current"  

Theo de Raadt has updated OpenBSD -current to version 7.7-current. This update eliminates the need to use the "-D snap" flag with pkg_add and pkg_info for users running the latest snapshots or source builds. The change reflects the ongoing development and improvements in the OpenBSD project, ensuring smoother package management for users.

rpki-client 9.5 Released with Improved Reliability  

rpki-client 9.5 has been released and is available on OpenBSD mirrors. This update is recommended for all users to enhance reliability. Key features include validation of BGP announcements using RPKI, support for OpenBGPD and BIRD, and compatibility with multiple operating systems. The release also addresses errata for better performance and security. Developers encourage community feedback and contributions.

11 April 2025
FreeBSD Jails Security  

The article discusses the security of FreeBSD Jails compared to Podman containers on Linux. It highlights that FreeBSD Jails are generally more secure and flexible, offering better isolation, restricted kernel syscalls, dedicated network interfaces, and the ability to run firewalls inside Jails. The article also notes that Jails have fewer CVEs and are more battle-tested. Key points include the misconceptions about Podman's security, the flexibility of Jails, and their superior isolation and kernel syscall restrictions. The article concludes that Jails are a more secure option for containerization.

OpenIKED 7.4 Released with Bug Fixes and Enhancements  

OpenIKED 7.4 has been released and will soon be available in the OpenIKED directory of local OpenBSD mirrors. This version includes several key updates, such as a fix for a double free bug in ECDH, a new configuration option for NAT-T negotiation, and improved config file verification. Additionally, the release tightens AppArmor sandboxing on Linux and addresses various bugs and compatibility issues. OpenIKED is compatible with multiple operating systems, including OpenBSD, FreeBSD, NetBSD, macOS, and several Linux distributions. The community is encouraged to provide feedback and contribute to further improvements.

FreeBSD Errata Notice FreeBSD-EN-25:08.caroot  

FreeBSD has released an errata notice for updating the root certificate bundle, which is essential for trusting TLS certificates. Several new certificates have been added to the bundle to ensure proper trust for TLS connections. This update affects all supported versions of FreeBSD, and users are advised to upgrade their systems to the latest stable or release branches. No workaround is available, and systems using an internal trust store are unaffected. Users can update via binary patches or source code patches, depending on their system configuration.

FreeBSD Errata Notice FreeBSD-EN-25:07.openssl  

FreeBSD has released an errata notice for updating OpenSSL to version 3.0.16, addressing critical vulnerabilities CVE-2024-13176 and CVE-2024-9143. The update is essential for FreeBSD 14.2 users to mitigate risks related to ECDSA timing side-channels and out-of-bounds memory access in elliptic curve APIs. Systems should be updated immediately, and a reboot is required to ensure full protection. No workaround is available, and systems not using "exotic" elliptic curve parameters are less likely to be affected.

FreeBSD Errata Notice FreeBSD-EN-25:06.daemon  

The FreeBSD Project has released an errata notice addressing an issue with daemon(8) where it may lose signal events after a change to use kqueue(2). This problem can cause daemon(8) to hang if a SIGTERM is sent after the child process has terminated but before it is restarted. The issue affects FreeBSD 14.2 and 13.4, and users are advised to upgrade to a supported stable or release branch and restart affected daemon(8) processes. No workaround is available, but systems not using the -r option are unaffected.

FreeBSD Errata Notice FreeBSD-EN-25:05.expat  

The FreeBSD Project has released an errata notice to update the expat library to version 2.7.1. This update addresses a stack overflow vulnerability (CVE-2024-8176) in the libexpat library, which could cause crashes in applications like tar(1) when parsing deeply nested XML entity references. While the base system is unlikely to be vulnerable to denial of service (DoS) attacks, system administrators are advised to update to the latest version and restart third-party services or reboot the system if necessary. The update is available for all supported FreeBSD versions.

FreeBSD Errata Notice FreeBSD-EN-25:04.tzdata  

The FreeBSD Project has released an errata notice for an update to the IANA Time Zone Database. This update addresses changes in future and past timestamps affecting various time zones worldwide. Users are advised to update their systems to ensure accurate time display and functionality. The update is available for all supported FreeBSD versions, and instructions for binary and source code patches are provided. Applications relying on system time, such as cron and syslog, may be impacted if the update is not applied.
