≡ Menu

FreeBSD

There was random number generator vulnerability in Debian OpenSSL package and similar packages in derived distributions such as Ubuntu / others. Many of our regular readers would like to know:

Can bug present in the Debian OpenSSL packages affect Red Hat / FreeBSD / CentOS Linux workstation / server users?

Short answer, yes.

All keys generated using Debian OpenSSL package must be replaced on other system including FreeBSD / CentOS / RHEL etc as all keys considered as compromized. OpenSSL, OpenSSH and OpenVPN are badly effected. For example, if you use OpenSSH key to get into other Linux / UNIX servers and if key-pair is generated with a vulnerable OpenSSL library, you are at the risk as the key can be reproduced easily.

Bottom, line you need to update keys on other boxes too.

FreeBSD has issued updated version of its Apache package. This release considered as important and encourage users of all prior versions to upgrade.

Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unpsecified vectors.

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

How do I upgrade Apache under FreeBSD?

Simply run the following two commands:
# portsnap fetch extract
# portupgrade -a
# portversion

OpenOffice.org version 2.3 has been released and available for the download. OpenOffice.org is a multiplatform and multilingual office suite and an open-source alternative to MS-Office suite. It is compatible with all other major office suites, the product is free to download, use, and distribute.

Download OpenOffice.Org 2.3

=> Available for download now, OpenOffice.org 2.3 incorporates an extensive array of new features and enhancements to all its core components, and protects users from newly discovered security vulnerabilities.

Updating FreeBSD server system is quite easy. You can apply security patch to keep freebsd system up to date.

Required tools aka software

You need to have following tools on system
(a) portmanager - FreeBSD ultimate ports update utility.

(b) portsnap - It is a system for securely distributing the FreeBSD ports tree. Approximately once an hour, a snapshot of the ports tree is generated, repackaged, and cryptographically signed. The resulting files are then distributed via HTTP.

(c) pkg_version - List the installed version of the package is older than the current version.

All of the above utilities work together to keeping FreeBSD up to date :)

FreeBSD install portsnap (for older system version <6.0)

On FreeBSD 6.0+, portsnap is contained in the FreeBSD base (core) system. You only need to to install portsanp as follows for older FreeBSD system:
# cd /usr/ports/ports-mgmt/portsnap
# make install clean

FreeBSD install portmanager

Simply type the following command:
# cd /usr/ports/ports-mgmt/portmanager
# make install clean

Upgrade FreeBSD ports collection

Run portsnap as follows:
# portsnap fetch extract
OR
# portsnap fetch
# portsnap extract

Output:

Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from portsnap3.FreeBSD.org... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun Aug  5 19:38:18 CDT 2007:
b73e908500446b6593a4f763b8b2128490e733547cdaa7100% of   49 MB  195 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun Aug  5 19:38:18 CDT 2007 to Mon Aug  6 05:58:34 CDT 2007.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.
Fetching 0 new ports or files... done.
....
..
...

Display outdated ports list

You can list outdated ports list with pkg_version command:
# pkg_version -vIL=
OR
# pkg_version -vIL'<'
Output:

bash-3.1.17                         <   needs updating (index has 3.2.17_2)
gettext-0.14.5_2                    <   needs updating (index has 0.16.1_3)
libtool-1.5.22_2                    <   needs updating (index has 1.5.22_4)
linux_base-fc-4_9                   <   needs updating (index has 4_10)
....
......
.

Where,

  • v : Enable verbose output.
  • I : Use only the index file for determining if a package is out of date (faster result)
  • L= : Limit the output to those packages whose status flag does not match = (the installed version of the package is current.)
  • L'<' : Limit the output to those packages whose status flag does not match < (the installed version of the package is older than the current version.)

Update FreeBSD packages / software

Now run portmanager to upgrade installed ports:
# portmanager -u

It will updates ports in the correct order based on their dependencies. If a port fails to "make" during update it is marked as ignored. Portmanager will continue updating any ports not marked as "ignored" so long as they are not dependent on the ignored port. Also note that it may take some time if you have large number of application installed.

If you need to upgrade all installed ports with logging, enter:
# portmanager -u -l

How do I upgrade a single software only?

portmanager allows you to update a single port and all of its dependencies. For example update port called bash i.e. bash shell (shells/bash), enter:
# portmanager shells/bash -l -u -f

How do I apply update again?

In order to update system again just type the following command:
# portsnap fetch
# portsnap update
# portmanager -u -l

How do I apply binary security updates for FreeBSD?

Latest version includes a tool called freebsd-update (thanks to Bok for pointing out this tool). The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system.

Fetch updates

Use fetch option to get all available binary updates:
# freebsd-update fetch
Output:

Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching public key from update1.FreeBSD.org... done.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.
The following files will be updated as part of updating to 6.2-RELEASE-p7:
/boot/kernel/kernel
/etc/rc.d/jail
....
.....
/usr/lib/libmagic.so.2
/usr/sbin/dnssec-signzone
/usr/sbin/freebsd-update
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/tcpdump
WARNING: FreeBSD 6.2-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 5 months.

Install updates

Install the most recently fetched updates:
# freebsd-update install
Output:

Installing updates... done.

Rollback updates

Optional: You can uninstall most recently installed updates:

# freebsd-update  rollback  

Reboot system

You must reboot FreeBSD to take advntage of newly patched kernel:
$ uname -a
Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007
root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

$ sudo reboot
After reboot verify system:
$ uname -a
Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

Further readings:

Updated for accuracy.

Packet Filter aka PF is OpenBSD's system for filtering TCP/IP traffic / NAT software. I always like the simplicity offered by PF firewall. There is a new article that explains the PF performance monitoring:

The PF (packet filter) firewall package was introduced in OpenBSD 3.0, and has since been ported to the FreeBSD and NetBSD Operating Systems. PF contains a stateful packet inspection engine, the ability to replicate state information to a backup firewall, a flexible self optimizing rule engine, QOS support, and the ability to collect performance metrics. These metrics can be useful for gauging the performance of a firewall platform, and provide a way to trend firewall performance over time. This article will describe several utilities that can be used to monitor the health and performance of a PF firewall.

On a related note you may find our FreeBSD firewall startup guide quite useful.

Monitoring PF firewalls for health and performance [prefetch.net]

Quick way to switch from KDE to GNOME or viceversa

This tip is submitted by reader Zacharie:

switchdesk is the command to switch from KDE to GNOME or viceversa. This command provides a simple method of choosing between the various desktop environments available under Fedora Core, Cent OS and Red Hat Enterprise Linux.

If X Windows is running, switchdesk will bring up a dialog box which allows the user to choose between the available desktops installed on the system.

Task: To switch from GNOME to KDE, use the command

$ switchdesk kde

Task: To switch from KDE to GNOME, use the command

$ switchdesk gnome

Please note that file ~/.Xclients, ~/.Xclients-default stores the currently selected desktop.

A note about other distros/BSD

switchdesk is RedHat and friends only command. If you are using different Linux distribution or FreeBSD, open ~/.xinitrc file and type full path to your desktop manager. For example, to use xfce4 desktop:
$ vi .xinitrc
Append following line (your path may be different use, which command to get exact path):
/usr/X11R6/bin/startxfce4

Save and close the file. Enjoy new desktop.

While login you will see option for different desktops (provided that all of them are installed). Usually this is located below Username / password box or lower left button. Just select appropriate desktop (KDE/XFC4 etc).

Load KDE while running Gnome

You can load KDE while running Gnome desktop (thanks to sweta for pointing it out):
Just open your gnome terminal and type the command:
$ startkde &

whowatch is a interactive, ncurses-based, process and users monitoring tool, which updates information in real time. This is a perfect tool for local and remote servers. With this tool you can easily answer following question:
"How do I know who are logged on in using telnet , ssh, ftp etc and what resources are they are using?"

Output of whowatch command

It displays information about the users currently logged on to the machine, in real-time. Besides standard information (login name, tty, host, user's process), the type of the connection (ie. telnet or ssh) is shown. Display of users command line can be switch
to tty idle time. Certain user can be selected and his processes tree may be viewed as well as tree of all system processes. Tree may be displayed with additional column that shows owner of each process. In the process tree mode SIGINT and SIGKILL signals can be sent to the selected process. Killing processes is just as simple and fun as deleting lines on the screen.

How do I install whowatch tool?

If you are using Debian Linux, type the following command:
# apt-get install whowatch

If you are using FreeBSD, type the any one of the following command:
# pkg_add -r -v whowatch

You can also use ports collection under FreeBSD:
# cd /ports/sysutils/whowatch
# make; make install; make clean

ALTERNATIVELY, download from official website.

How do I use whowatch?

Simply type whowatch at command prompt:
$ whowatch

Default output:
Who watch output

Detailed information about process / user

who-watch-output-3.png

Menu (press F9 key to activate menu option)

who-watch-output-4.png