Showing posts with label BSD.

Sunday, October 25, 2020

LibreSSL 3.2.1 Released

---------- Forwarded message ---------
From: Brent Cook <busterb@gmail.com>
Date: Tue, Aug 25, 2020 at 11:20 AM

This is the second development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.


Friday, October 2, 2020

[openssh-unix-announce] Announce: OpenSSH 8.4 released

---------- Forwarded message ---------
From: Damien Miller <djm@openbsd.org>
Date: Sep 27, 2020 6:59PM

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

We intend to enable UpdateHostKeys by default in the next OpenSSH
release. This will assist the client by automatically migrating to
better algorithms. Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf
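The connect test in the announcement works one host at a time. The script below is an added example, not part of the OpenSSH announcement, for triaging a whole fleet first: ssh-keyscan(1) reports which host key *types* a server offers, so a host whose only host key is ssh-rsa is the one that will break for clients that drop the ssh-rsa *signature algorithm*, unless its server also speaks the RFC 8332 rsa-sha2-256/512 signatures. The keyscan cannot tell those two cases apart, so the announcement's `ssh -oHostKeyAlgorithms=-ssh-rsa` check is still the final word for each flagged host. Host names and key material in the sample are constructed.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): find hosts whose only host
# key type is ssh-rsa, from ssh-keyscan(1) output.
# Output lines from ssh-keyscan look like:  host keytype base64key
# Lines starting with '#' are server banners and are ignored.

# rsa_only_hosts: read ssh-keyscan output on stdin, print the hosts
# (one per line, sorted) that offered no key type other than ssh-rsa.
rsa_only_hosts() {
    awk '
        /^#/ || NF < 3 { next }
        {
            seen[$1] = 1
            if ($2 != "ssh-rsa") other[$1] = 1
        }
        END {
            for (h in seen)
                if (!(h in other)) print h
        }
    ' | sort
}

# scan_hosts: query the given hosts over the network (5 s timeout each)
# and feed the result to rsa_only_hosts. Needs network access.
scan_hosts() {
    ssh-keyscan -T 5 -t rsa,ecdsa,ed25519 "$@" 2>/dev/null | rsa_only_hosts
}

# Constructed sample: the legacy host offers only an RSA key; the modern
# host offers RSA plus Ed25519 and ECDSA keys. Keys are not real.
SAMPLE='legacy.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
modern.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...
modern.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB...
modern.example.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...'

if [ $# -gt 0 ]; then
    scan_hosts "$@"            # usage: ./rsa-only.sh host1 host2 ...
else
    printf '%s\n' "$SAMPLE" | rsa_only_hosts   # prints legacy.example.net
fi
```

Hosts printed by this script are candidates for the announcement's connect test; a host that passes that test with an RSA-only key is simply negotiating rsa-sha2-256/512 over the same key, and needs no change.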

Tuesday, August 18, 2020

LibreSSL 3.1.4 Released

 ---------- Forwarded message ---------

From: Brent Cook <busterb@gmail.com>

Date: Tue, Aug 18, 2020 at 1:55 AM

We have released LibreSSL 3.1.4, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. It includes interoperability and bug fixes for the TLSv1.3 client.

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.


Tuesday, April 28, 2020

TrendLabs: OpenSMTPD Vulnerability (CVE-2020-8794) Can Lead to Root Privilege Escalation and Remote Code Execution

Figure 3. Lines injected to envelope for older versions
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/opensmtpd-vulnerability-cve-2020-8794-can-lead-to-root-privilege-escalation-and-remote-code-execution/

Thursday, May 9, 2019

New Spleen font for OpenBSD 6.5 console


REF: https://mobile.twitter.com/ao_kenji/status/1083956639076560896

Tuesday, April 30, 2019

OpenBSD 6.5 released -- Apr 24 2019

---------- Forwarded message ---------
From: Theo de Raadt
Date: Wed, Apr 24, 2019 at 9:49 PM

OpenBSD 6.5 builds finished a week early, so the May 1 dated code can
go out the door 1 week early.

----------------------------------- OpenBSD 6.5 RELEASED -------------------------------------------------

May 1, 2019.

We are pleased to announce the official release of OpenBSD 6.5.
This is our 46th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.5 provides significant improvements,
including new features, in nearly all areas of the system...

Friday, October 19, 2018

OpenBSD 6.4 released - Oct 18, 2018

---------- Forwarded message ---------
From: Theo de Raadt
Date: Thu, Oct 18, 2018 at 10:24 PM
...
We are pleased to announce the official release of OpenBSD 6.4.
This is our 45th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.4 provides significant improvements,
including new features, in nearly all areas of the system...

The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.4/README) file
explains how to deal with these source files.
...

Friday, October 12, 2018

Monitoring system on OpenBSD

---------- Forwarded message ---------
From: Tom Smyth
Date: Fri, Oct 5, 2018 at 11:13 AM

LibreNMS would be worth a look, I believe it has email alerting
and SNMP support; needs PHP and MySQL.
Zabbix ... haven't used this one but it has monitoring functionality ...
If you are monitoring a lot of systems, make sure your storage can
cope with a lot of I/O or you will see annoying gaps in your graphs,
so use SSDs and make sure that when formatting the system
that you align with 1MB offset ... 2048 sectors (instead of the default
64 bytes)

Peace
Tom Smyth

Wednesday, October 10, 2018

Dual boot OpenBSD with DragonFly BSD

---------- Forwarded message ---------
From: Heppler, J. Scott
Date: Tue, Oct 9, 2018 at 12:05 AM

This theoretically is doable but will be a challenge.  Your options will
also swing on whether the laptop you purchase will boot an old MBR
scheme or is restricted to GPT/UEFI.  DragonflyBSD has instructions on
multibooting an older MBR.

https://www.dragonflybsd.org/docs/handbook/Booting/

If you need GPT/UEFI, then you need to choose a bootloader that is capable of
GPT/UEFI dual booting.  According to the OpenBSD FAQ, Grub2 or rEFInd
will work.

https://www.openbsd.org/faq/faq4.html#Multibooting
--
J. Scott Heppler

Monday, September 24, 2018

OpenBSD Routing Domains



Two OpenBSD Routing Domains
REF: https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Friday, July 27, 2018

OpenBSD: SMT Disabled by Default in -current

SMT (Simultaneous Multi Threading) implementations typically share
TLBs and L1 caches between threads.  This can make cache timing
attacks a lot easier and we strongly suspect that this will make
several spectre-class bugs exploitable.  Especially on Intel's SMT
implementation which is better known as Hyper-threading.

REF: https://undeadly.org/cgi?action=article;sid=20180620110722
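A quick way to confirm the new default on a running system, as an added example rather than anything from the undeadly article or the commit it quotes: it assumes the hw.smt and hw.ncpuonline sysctl(8) MIBs that ship with OpenBSD 6.4 and later (hw.smt=0 leaves sibling threads offline, hw.smt=1 brings them back; hw.ncpuonline is the count of CPUs actually scheduled, versus hw.ncpu for all detected). The parsing function reads the `name=value` lines sysctl prints, so it can be exercised on saved output; the sample is constructed.

```shell
#!/bin/sh
# Added example (not OpenBSD project code): report the SMT state of an
# OpenBSD host from its sysctl(8) output.
# Assumes the hw.smt and hw.ncpuonline MIBs (OpenBSD 6.4 and later).

# smt_report: read "name=value" lines on stdin (the format sysctl(8)
# prints on OpenBSD) and print one summary line.
smt_report() {
    awk -F= '
        $1 == "hw.smt"        { smt = $2 }
        $1 == "hw.ncpu"       { ncpu = $2 }
        $1 == "hw.ncpuonline" { online = $2 }
        END {
            if (smt == "") {
                print "hw.smt not present (pre-6.4 kernel?)"
                exit 0
            }
            state = (smt == 0) ? "disabled" : "ENABLED"
            printf "SMT %s: %s of %s logical CPUs online\n", state, online, ncpu
        }'
}

# live_report: query the running kernel; only meaningful on OpenBSD.
# To turn sibling threads back on for a benchmark:  sysctl hw.smt=1
# To make the secure default explicit across reboots, put hw.smt=0
# in /etc/sysctl.conf.
live_report() {
    sysctl hw.smt hw.ncpu hw.ncpuonline | smt_report
}

# Constructed sample: an 8-thread Intel box with the default hw.smt=0,
# so only the 4 primary threads are online.
SAMPLE='hw.smt=0
hw.ncpu=8
hw.ncpuonline=4'

if [ "${1:-}" = "--live" ]; then
    live_report
else
    printf '%s\n' "$SAMPLE" | smt_report   # SMT disabled: 4 of 8 logical CPUs online
fi
```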

Monday, July 23, 2018

bsdmag: Virtualization on ARMv8-A

The Latest Issue: bhyvearm64: Virtualization on ARMv8-A

Dear Readers,
Summer is here! A season which appeals to affection and sentiments, and of course, vacation time isn’t complete without a touch of laziness. As Ella sang: ‘Summertime, and the livin' is easy’, it’s indeed a good time. I hope you will work on unfinished projects, explore the latest technologies, and encounter numerous exciting tasks. Here, we concertedly continue to publish great lectures for you and take pride in them as well. Therefore, as you’ll be enjoying a sunset view on your porch, have a quick read at our BSD Magazine issue to crown the special day.
Now, let’s have a glimpse of what our experts prepared for you.
In Brief
Ewa & The BSD Team
This column presents the latest coverage of breaking news, events, product releases, and trending topics from the BSD sector.
Illumos Containers Using OmniOSce
Carlos Neira
Containers have been around almost two decades, starting with FreeBSD jails implementation around 2000. Thereafter, Sun Microsystems took a step further and implemented Solaris Zones around 2004, which was based on FreeBSD’s jails. Both containerization technologies allow you to partition your machine further and give you more mileage for your money as it is lighter than hardware virtualization. This means performance is better as applications run on bare metal. Enhanced security, such that if a zone or jail is compromised, the attacker is confined to that virtual host. We will learn about Solaris Zones using an Illumos derivative called OmniOSce, and instructions that could be applied to other Illumos based distributions.
bhyvearm64: Virtualization on ARMv8-A
Alexandru Elisei
Virtualization is the process of creating a virtual machine that acts like the real hardware for the guest operating system. Efficient virtualization requires hardware features that reduce the overhead usually associated with using virtual machines. Looking to enter the server market, ARM has developed the ARMv8-A architecture which offers such features. We have ported the FreeBSD bhyve hypervisor port to this architecture and we have called the port bhyvearm64.
iSCSI On FreeBSD
Abdorrahman Homaei
iSCSI is a protocol that gives you the ability to share storage over a network at block level. It’s like connecting new storage to your computer and can format it as you wish. In iSCSI terminology, the computer that shares the storage is known as the target, and the clients which access the iSCSI storage are called initiators. FreeBSD originally supports kernel-based iSCSI target and initiator. Many people are not sure about choosing between DAS (Block-Level directly), NAS (File-Level over the network) and SAN (Block-Level over the network). Don’t settle for storage based on the amount of space only, rather, the answers to these important questions should act as a guiding principle. What is your storage expansion policy? What is your backup policy?
HTTP/2 and PHP with Apache on FreeBSD: Not as Simple as it Seems
Bob Cromwell
In an earlier article, I showed you how to run FreeBSD on Google Compute Engine, running an Apache web server with PHP. Now, let's see how to improve its performance with the latest version of HTTP. HTTP/2 has significant advantages over earlier versions, however, it and PHP don't work together "out of the box" on FreeBSD, and what appears to be the appropriate fix breaks an otherwise functioning web server. Follow my investigation of the mystery, and at the end, I'll have assembled a working configuration for you.
Self Exposure: Redundant Firewalls with OpenBSD, CARP and pfsync
Daniele Mazzocchio
Firewalls are among the most critical components in network infrastructure, since their failure may cause entire groups of machines to go offline. The damage may range from the public (web, mail, DNS, etc.) servers to become unreachable from the outside world up to being unable to surf this website!
Expert Speak by E.G. Nadhan: Just Takes 5 Seconds to Grow Your Team Culture
E.G. Nadhan
How many times have you been in a situation where you are about to sharply critique a co-worker, a colleague, or an acquaintance for something they did not do right? Well, as it turns out, Gallup’s workplace research suggests praise should outweigh criticism by a 5-to-1 margin. Five praises for one criticism (if at all there is one).
Interview with Joel Knight
Ewa & The BSD Team
Joel Knight is an original contributing author to the OpenBSD PF User’s Guide (www.openbsd.org/faq/pf) and the original author of some of the native OpenBSD SNMP MIBs (packetmischief.ca/openbsd-snmp-mibs, cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/). He’s contributed some minor patches to the OpenBSD pf(4) subsystem and network stack over the years.
Online shopping and electronic transactions are revolutionizing the way business is being carried out, both for individuals and corporate entities. Are we entering a golden age of choice, or should the Latin phrase Caveat Emptor be embedded on every “accept” button for Internet sales?
Rob Somerville
I’ve just been ripped off of £153.25 for a Samsung Galaxy J5 mobile phone, or to be more accurate, Amazon has, along with approximately 1,000 other customers who have paid exorbitant amounts of money to a clearly fraudulent storefront that has exploited a subtle flaw in the E-commerce model that Amazon, eBay, and PayPal operate.
If any questions arise in your mind during or after reading the articles, please feel free to contact me via email: ewa@bsdmag.org. We hope you enjoy reading this issue and develop new skills with our magazine.
Thank you,
Ewa & The BSD team
REF: https://bsdmag.org/download/bhyvearm64-virtualization-on-armv8-a/

Wednesday, June 6, 2018

New BSD Issue is Out! LLVM and Sanitizers in BSD!

Table of Contents
In Brief
Ewa & The BSD Team
This column presents the latest coverage of breaking news, events, product releases, and trending topics from the BSD sector.
Practical ZFS On FreeBSD
Abdorrahman Homaei
ZFS is an advanced file system that was originally developed by Sun. It combines the roles of volume manager and file system to realize unique advantages. ZFS is aware of the underlying structure of the disks. It can detect low-level interrupt and provide RAID mechanism. ZFS is also capable of sharing its volume separately. ZFS’s awareness of the physical layout of the disks lets you grow your storage without any hassle. Additionally, it has different properties that can be applied to each file system, giving many advantages of creating a number of different file systems and datasets rather than a single monolithic file system.
LLVM and Sanitizers in BSD
David Carlier
LLVM and the clang frontend are available on various BSDs as the main compiler: for FreeBSD x86, ppc, and arm since 10.x (it was fully optional in the previous 9.x branch), OpenBSD x86 and arm since 6.2, and NetBSD x86, arm, ppc, and sparc64. LLVM provides the frontends and various tools, and there are different types of sanitizers to help with debugging applications.
C Programming, UNIX and Main Data Structures
Rafael Santiago de Souza Netto
Nowadays, UNIX stands more as a model for an operating system to follow than as an operating system implementation. In the beginning, UNIX as a software was originally written at Bell Labs by two famous developers, Kenneth Thompson and Dennis Ritchie.
Monitoring OpenBSD using CollectD, InfluxDB, and Grafana
Joel Carnat
www.tumfatig.net
In a “get pretty graphs” mood, I’m looking at what can be done regarding OpenBSD monitoring using the CollectD collector and Grafana dashboard renderer. OpenBSD 6.2-current provides InfluxDB and Grafana packages, a great stack for pretty reportings.
Expert Speak by E.G. Nadhan
From Unconscious Bias to Unbiased Consciousness
E.G. Nadhan
A member of the audience attending a panel session on Unconscious Bias accidentally referred to the topic as Unbiased Consciousness. Perhaps, it was no accident and was a sublime message instead about the world to come – a world where we are consciously unbiased rather than being unconsciously biased. However, this utopian world can become real only if proactive actions are taken to combat such mindsets that may not be in our control.
With Facebook attempting to slam the privacy stable door well after the horse has bolted, the corporate giant has suspended over 200 applications which snarfed large amounts of profile data. What does the future hold for this global platform?
Rob Somerville
I have a certain degree of sympathy for Mark Zuckerberg after being hauled before Congress in light of the Cambridge Analytica fiasco. Inevitably, any cutting-edge technology will eventually feel the hot breath of the establishment breathing down on it, be it via indirect legislation or as in the case of Mark Zuckerberg, in a personal appearance before “the powers that be” to give account.
REF: https://bsdmag.org/download/debugging-applications/

Saturday, June 2, 2018

FSF: Zerocat Chipflasher "board-edition-1" now FSF-certified to Respect Your Freedom

From May 14
The FSF has awarded Respects Your Freedom (RYF) certification to the Zerocat Chipflasher board-edition-1. The RYF certification mark means that the product meets the FSF's standards in regard to users' freedom, control over the product, and privacy. The Chipflasher enables users to flash devices such as laptops, allowing them to replace proprietary software with free software like Libreboot. While users are able to purchase RYF-certified laptops that already come with Libreboot pre-loaded, for the first time ever they are capable of freeing their own laptops using an RYF-certified device.
These first ten limited edition boards are signed by Kai Mertens, chief developer of The Zerocat Label, and will help to fund additional production and future development of RYF-certified devices.
REF: https://www.fsf.org/free-software-supporter/2018/june

Tuesday, May 8, 2018

BSD Magazine: Shadowsocks Proxy Server On FreeBSD


TABLE OF CONTENTS
In Brief
Ewa & The BSD Team
Quickstart with Kubernetes and GKE (Part 2/2)
Leonardo Neves
Shadowsocks Proxy Server On FreeBSD
Abdorrahman Homaei
Introduction to MDB
Carlos Neira
OpenBSD 6.3
Albert Hui
Interview with Sanel Zukan, Founder & CEO of Hedron
The BSD Team
Expert Speak by E.G.Nadhan
5 Imperatives for Catalysts of Change
E.G. Nadhan
Column
The doves and the hawks are gathering for a showdown, be it in geopolitics or the Internet. Facebook and Cambridge Analytica, the West, and Russia are all walking on a tightrope. Brinkmanship is the current name of the game. Who is going to come out on top?
Rob Somerville

Sunday, April 15, 2018

The bsdly.net traplist dumps are now served https only

---------- Forwarded message ----------
From: Peter N. M. Hansteen
Date: Sat, Apr 14, 2018 at 5:55 PM
Subject: The bsdly.net traplist dumps are now served https only (forced redirect)
To: OpenBSD general usage list

While looking for something else entirely in my webserver logs I notice
that there are several hosts that try to fetch the hourly traplist dumps
https://www.bsdly.net/~peter/bsdly.net.traplist but via http and ignore
the redirect to https.

Both sites (https://www.bsdly.net/~peter/bsdly.net.traplist and the
slightly better connected
https://home.nuug.no/~peter/bsdly.net.traplist) now force https, so if
you are running some kind of out of date fetching setup, please update
to something modern.

I also notice that there are fetches from other operating systems, but
hopefully anyone interested in OpenBSD spamd(8) will check here
occasionally.

All the best,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
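For anyone whose fetcher is among the ones ignoring that redirect, here is what a "modern" hourly fetch can look like. This is an added example, not Peter Hansteen's own setup: it assumes the dump is a list of IPv4 addresses, one per line (IPv6 lines, if any, are dropped by the filter), that the addresses are loaded into a pf table named `traplist` (a hypothetical name; declare it in pf.conf as `table <traplist> persist`), and that OpenBSD's ftp(1), which validates the TLS certificate, does the fetching. It only ever asks for the https URL, and it refuses to replace the table with an empty or non-address payload, so a wrong endpoint or a captive portal cannot wipe or poison the table.

```shell
#!/bin/sh
# Added example (not part of the bsdly.net post): fetch the traplist dump
# over https only and load it into a pf table. Table name and list
# format are assumptions, see the lead-in.

URL=https://www.bsdly.net/~peter/bsdly.net.traplist
TABLE=traplist     # hypothetical table name, declared in pf.conf

# filter_addrs: keep only lines that are a bare IPv4 address or IPv4
# CIDR with every octet below 256; comments, blank lines, HTML error
# pages and anything else are dropped before they reach pfctl.
filter_addrs() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            split($0, o, /[.\/]/)
            if (o[1]+0 < 256 && o[2]+0 < 256 && o[3]+0 < 256 && o[4]+0 < 256)
                print
        }'
}

# update_table: fetch, filter, and atomically replace the table contents.
# Any failure leaves the existing table untouched.
update_table() {
    raw=$(mktemp) && clean=$(mktemp) || exit 1
    trap 'rm -f "$raw" "$clean"' EXIT
    ftp -o "$raw" "$URL" || { echo "fetch failed, table untouched" >&2; exit 1; }
    filter_addrs < "$raw" > "$clean"
    [ -s "$clean" ] || { echo "empty or non-address payload, table untouched" >&2; exit 1; }
    pfctl -t "$TABLE" -T replace -f "$clean"
}

# Run from cron once an hour:  0 * * * * /usr/local/sbin/traplist-update --update
if [ "${1:-}" = "--update" ]; then
    update_table
fi
```

The `-T replace` form swaps the whole table in one step, so a reader of the table never sees a half-loaded list; the size check before it is what turns a broken fetch into a no-op instead of an empty blocklist.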

Saturday, April 14, 2018

BSD magazine 2018 March


REF: https://bsdmag.org/download/table-level-security-postgresql/

[openssh-unix-announce] Announce: OpenSSH 7.7 released

---------- Forwarded message ----------
From: Damien Miller
Date: 2018-04-03 8:15 GMT+08:00
Subject: [openssh-unix-announce] Announce: OpenSSH 7.7 released
To: openssh-unix-announce@mindrot.org

OpenSSH 7.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Caddy Web Server On FreeBSD


Dear Readers,
I hope this finds you well and in a happy mood since the start of Spring. Today, I am pleased to announce the release of the BSD Magazine issue. I hope it will bring lots of joy, happiness, and fulfilment to you. This is also a special time for those who are waiting for Easter celebration like me. I am optimistic that the holiday period brings hope and faith to sustain us in the coming days. Thus, take delight during this period. If any question arises in your mind during or after reading the articles, please feel free to contact me. We hope you enjoy reading this issue and develop your new skills with our magazine!
Thank you and Happy Easter,
Ewa & the BSD team
INSIDE
In Brief
Ewa & The BSD Team
How to Manage Multiple Perl 6 Installations with Rakudobrew
Luca Ferrari
Quickstart with Kubernetes and GKE (Part 1/2)
Leonardo Neves
Kubernetes..! Era of Innovation
Moustafa Nabil El-Zeny
Open vSwitch Overview
Albert Hui
How to Add a New System Tunable to FreeBSD
Carlos Neira
Caddy Web Server On FreeBSD
Abdorrahman Homaei
OpenBSD and The State of Gaming
David Carlier
Presentation
How to Assist the Business World with OTRS?
María Polett Ramos
Column
With the latest chemical attack in the UK that has critically injured two individuals and seriously injured a serving police officer, what are the geopolitical, media, and technical implications of this latest outrage?
Rob Somerville
REF: www.bsdmag.org

Tuesday, April 3, 2018

Improve Your PostgreSQL Skills

(Course #10) Improve Your PostgreSQL Skills

This course will allow readers to get a better understanding of PostgreSQL. The course aims to present the readers with a solid knowledge of PostgreSQL building blocks, including the plpgsql language and how it can be used to build stored procedures and triggers. Advanced features like Common Table Expressions and Window Functions will be presented, allowing the user to improve her SQL skills and learn how to write better and more readable queries.
The reader will learn how to manage and understand their database cluster through a glance at the PostgreSQL catalog and statistics collector. Last, readers will learn how to handle master-slave replication, a core feature of PostgreSQL.
Module 1
Stored procedures
The plpgsql language
The DO block
Glance at plperl
Triggers
DML Trigger Types
Implementing triggers with plpgsql
Cursors
Introduction of cursors
Example of usage of a cursor
Module 2
Users and Permission Management
Users, Groups and Roles
Allowing permissions and denying permissions
Row Level Security
Rules
Introduction to the Query Rewrite System
An example of rule
Views
Dynamic views
Materialized Views
Test your skills
Questions
  • How is a group of users implemented in PostgreSQL?
  • What is the difference between a DO INSTEAD and a DO ALSO rule?
  • How many types of views does PostgreSQL support?
Exercises
  • Create a table foo with exactly two columns: pk, an integer auto-increment primary key, and t, an unlimited string. Fill the table with a couple of records and then create a dynamic view and a materialized one. Populate the materialized view, then delete the content of foo and see what changes in the views.
  • Open a transaction, insert a couple of records into foo and revert the changes.
  • Create a user group developers, and the following users into the group: dev_a, dev_b, dev_c. Configure PostgreSQL to allow all developers but dev_c to connect to your database.
Module 3
Common Table Expression
Introduction to CTEs
An example of move
Recursive CTEs
Window Functions
Introduction to Window Functions
A few useful window functions
Module 4
Indexes
Configuring the Server
Monitor the database activity
pg_stat_activity
pg_locks
Autovacuum
Test your skills
Questions
  • What is the purpose of a recursive CTE?
  • What does the OVER clause do?
  • What information does the pg_stat_activity contain?
Exercises
  • Suppose you have the table dir defined and populated as follows:

     pk |  name   | child_of | dir
    ----+---------+----------+-----
      1 | /       |          | t
      2 | bin     |        1 | t
      3 | tmp     |        1 | t
      4 | home    |        1 | t
      5 | luca    |        4 | t
      6 | Desktop |        5 | t
      7 | emacs   |        2 | f
      8 | cat.png |        6 | f
  • Write a recursive CTE that builds the full path of each entry where dir = f.
  • Begin a transaction on a terminal, without closing such transaction open a new terminal and extract the start time and backend pid of the opened transaction.
  • Create a CTE that deletes the content of the above dir table, showing the deleted rows through a SELECT.
Module 5
Point in Time Recovery
Streaming Replication
Glance at Logical Replication
Test your skills
Questions
  • What is a physical backup and what do you need to get it working?
  • Is beginning a base/physical backup with pg_base_backup() dangerous with respect to the normal operation of the cluster?
  • What is the main difference between physical and logical replication?
Exercises
  • Set up a base backup of the cluster with pg_basebackup command line tool.
  • Configure a streaming replication from your main cluster to another instance running on a different TCP/IP port on the very same machine.
Instructor: Luca Ferrari
REF: www.bsdmag.org