Issue 272
Published April 01, 2026

FreeBSD security patches for pf, RPCSEC_GSS, and TCP stack flaws, BSD Cafe fosters an inclusive community, OpenZFS storage design insights, and more.

Releases

No releases.

BSDSec

FreeBSD Security Advisory FreeBSD-SA-26:09.pf: The advisory addresses a vulnerability in the pf packet filter where rules using address range syntax (e.g., x.x.x.x - y.y.y.y) are hashed incorrectly, so that distinct rules can collide: only the first rule with a given hash is loaded and the rest are silently dropped as duplicates. The active ruleset then differs from pf.conf, and traffic may be blocked or passed unexpectedly. The issue affects FreeBSD 14.x and 15.0, with patches committed to the stable and release branches on March 25–26, 2026. Until a host is patched, the workarounds are to rewrite the affected rules to use tables or to add labels to them; a quick check is to compare the filter rules listed by pfctl -sr against those in pf.conf. The fix is applied via pkg, freebsd-update, or source patches. The flaw is tracked as CVE-2026-4748.
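As an added example (not code from the advisory or the FreeBSD project), the script below audits a pf.conf for range-syntax rules that an unpatched kernel would collapse, and rewrites each range into a pf table so the rule no longer uses range syntax. It assumes that pf tables accept addresses and CIDR prefixes, so each range is expanded into the minimal set of prefixes, and it approximates the faulty hash by ignoring the range endpoints; the sample ruleset, the range_N table names and the addresses are all constructed for the example, and only IPv4 ranges are handled.

```python
"""Audit and rewrite pf.conf rules that use 'a.b.c.d - w.x.y.z' ranges.

Added example for the FreeBSD-SA-26:09.pf workaround; not the advisory's or
the project's code. Assumptions: pf tables hold addresses and CIDR prefixes,
so a range is expanded into the minimal prefix list; the faulty hash is
approximated by ignoring the range endpoints. IPv4 ranges only.
"""
import ipaddress
import re

# Constructed sample ruleset: rules 1 and 2 differ only in their range.
SAMPLE_RULES = """\
block in on em0 from 10.0.0.1 - 10.0.0.9 to any
block in on em0 from 10.0.0.20 - 10.0.0.30 to any
pass in on em0 proto tcp from any to 192.0.2.1 port 22
"""

# 'lo - hi' with optional whitespace around the dash, IPv4 dotted quads only.
RANGE_RE = re.compile(
    r"(?P<lo>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(?P<hi>\d{1,3}(?:\.\d{1,3}){3})"
)


def find_dropped_rules(text):
    """1-based line numbers of range rules an unpatched kernel would drop.

    Assumption: the faulty hash leaves out the range endpoints, so rules
    that are identical apart from the range hash equal and only the first
    one is loaded.
    """
    seen = set()
    dropped = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not RANGE_RE.search(line):
            continue
        key = " ".join(RANGE_RE.sub("RANGE", line).split())
        if key in seen:
            dropped.append(lineno)
        seen.add(key)
    return dropped


def range_to_prefixes(lo, hi):
    """Expand an inclusive IPv4 range into the minimal list of CIDR prefixes."""
    first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    if first > last:
        raise ValueError(f"reversed range {lo} - {hi}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def rewrite_ruleset(text):
    """Replace every range with a <range_N> table reference.

    Returns (new ruleset text, list of table names). Table definitions are
    emitted ahead of the rules so they are defined before being referenced.
    """
    table_defs = []
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            rules.append(line)
            continue

        def to_table(match):
            name = f"range_{len(table_defs) + 1}"
            prefixes = range_to_prefixes(match.group("lo"), match.group("hi"))
            table_defs.append(f"table <{name}> const {{ {', '.join(prefixes)} }}")
            return f"<{name}>"

        rules.append(RANGE_RE.sub(to_table, line))
    names = [d.split()[1].strip("<>") for d in table_defs]
    return "\n".join(table_defs + rules) + "\n", names


if __name__ == "__main__":
    print("rules an unpatched kernel would drop:", find_dropped_rules(SAMPLE_RULES))
    new_text, names = rewrite_ruleset(SAMPLE_RULES)
    print(new_text)
```

Run it against a copy of pf.conf, syntax-check the result with pfctl -nf before loading it with pfctl -f, and afterwards confirm that pfctl -sr lists as many filter rules as the file contains and that pfctl -t range_1 -T show prints the expanded prefixes.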

FreeBSD Security Advisory FreeBSD-SA-26:08.rpcsec_gss: A critical vulnerability in FreeBSD’s RPCSEC_GSS implementation allows remote code execution in the kernel: a stack buffer is not validated sufficiently during packet signature checks. The flaw, CVE-2026-4747, affects all supported FreeBSD versions and requires no prior authentication, so an unauthenticated attacker can exploit it with maliciously crafted packets sent to the kernel NFS server whenever the kgssapi.ko module is loaded. Userspace applications linked with librpcsec_gss and running an RPC server are also vulnerable, though no such applications exist in FreeBSD’s base system. Patches were released on March 26, 2026, for all affected branches, from stable/15 and releng/15.0 down to 13.5. There is no workaround beyond unloading kgssapi.ko with kldunload, which also disables Kerberos-authenticated NFS; kldstat shows whether the module is loaded. Updates can be applied via pkg, freebsd-update, or manual source patches.

FreeBSD Security Advisory FreeBSD-SA-26:06.tcp: A vulnerability in FreeBSD’s TCP stack (CVE-2026-4247) allows remote attackers to exhaust kernel memory by leaking mbufs with crafted packets that trigger the challenge ACK rate-limiting mechanism. It affects FreeBSD 14.x and 15.0: once challenge ACKs exceed the default rate limit of 5 packets per second, tcp_respond() mishandles the mbuf of each suppressed ACK and it is never freed. Attackers on-path or holding an established connection can exploit this reliably; off-path exploitation is possible but harder because it requires guessing sequence numbers. The workaround is to disable rate limiting with net.inet.tcp.ack_war_timewindow=0, at the cost of higher CPU usage and of the protection the limit provides against challenge ACK floods; the permanent fix is to upgrade to the patched versions released on March 26, 2026. On an unpatched host, a steadily rising mbuf count in netstat -m is the symptom to watch for.

As always, it’s worth following BSDSec. RSS feed available.

News

Building a welcoming BSD community with the BSD Cafe: The BSD Cafe is a virtual space inspired by traditional Italian bars, designed to foster a positive and inclusive community around BSD systems and open-source technology. Founded by Stefano Marinelli, it aims to create a serene environment where users—referred to as “bar friends”—can engage in constructive discussions, share knowledge, and collaborate without the toxicity often found on commercial social platforms. The project emphasizes self-hosting, transparency, and ideological autonomy, running services like Mastodon, Matrix, and Lemmy on BSD-based infrastructure while avoiding proprietary or cloud-dependent solutions. Marinelli highlights the challenges of moderation and maintaining a balanced atmosphere, prioritizing open dialogue over censorship while addressing concerns about “toxic positivity.” The BSD Cafe’s success reflects the strength of its community, offering a refuge for technology enthusiasts seeking meaningful interactions.

Valuable News – 2026/03/30: The Valuable News weekly roundup curates notable updates, articles, and tools primarily related to UNIX/BSD/Linux ecosystems. This edition highlights FreeBSD advancements like dual FIB policy routing and native OCI containers, alongside broader topics such as the ZXC compression algorithm, Wine 11’s performance gains for Windows games, and the revival of XMMS with GTK4/PipeWire. Hardware discussions include the 3Dfx Voodoo FPGA revival, Samsung’s discontinuation of SATA SSDs, and AMD’s Ryzen 9 9950X3D2 processor. The roundup also covers AI industry critiques, Firefox 149’s new features, and a multi-stage ZFS/Proxmox backup strategy.

HardenedBSD March 2026 progress update: Key developments include progress on porting Reticulum’s BackboneInterface to HardenedBSD and resolving build issues for 15-STABLE and 16-CURRENT branches, though pkgbase installer support remains unresolved. Updates were made to tools like sourcezap and portzap, along with fixes for snowflake-tor and an upgrade to pkg 2.6.2_1. The report also notes preparations for the next quarterly release and minor security adjustments, such as disabling retpolines for the bootloader.

BSD Now 656 explores OpenZFS storage design and retro computing: This episode of BSD Now covers strategies for designing OpenZFS storage with a focus on independence, failure domains, and migration paths, including a detailed guide on pool architecture. It also discusses the decline of Telnet and conflicting reports about its obsolescence, alongside updates like the PiDP-11/70 build workshop and OpenBSD’s porting efforts on SGI hardware. Additional topics include terminal color palette generation, FreeBSD snapshot strategy changes, and a major update to OpenBSD’s DRM code. The episode wraps with community news such as BSDCan registration and an oral history of Unix.

FreeBSD and OpenZFS for storage independence: Technical independence in storage architecture emphasizes control over data, hardware, and software to avoid vendor lock-in and maintain long-term flexibility. FreeBSD provides a stable, open-source operating system foundation that supports hardware portability across diverse manufacturers and CPU architectures, ensuring compatibility and observability. OpenZFS enhances this independence with its portable, endian-neutral on-disk format, allowing seamless data migration across operating systems and hardware without replatforming. Together, they enable transparent, hardware-agnostic storage solutions that prioritize data integrity, scalability, and long-term adaptability. The community-driven development behind these platforms further ensures resilience, broad compatibility, and continuous evolution independent of single-vendor constraints.

OpenBSD’s Motorola 88000 port documented in new multi-part series: Miod Vallat has begun publishing a detailed account of porting OpenBSD to Motorola’s 88000 RISC architecture as part of his OpenBSD Stories collection. The first two chapters cover the architecture’s obscure history and the initial challenges of reviving support for a long-abandoned platform. The series is planned to span nine chapters, offering technical insights into the porting process and the unique hurdles posed by the 88k hardware. This follows Vallat’s previous work documenting OpenBSD’s adaptation to other niche architectures, including SGI systems. The project reflects ongoing efforts within the OpenBSD community to preserve and extend support for legacy hardware.

Tutorials

OpenBSD 7.8 installation guide for ODROID HC4: This article details the process of installing OpenBSD 7.8 on an ODROID HC4 arm64 board, replacing an earlier unsuccessful attempt with version 7.2 due to multi-disk issues. The guide covers removing the default Petitboot bootloader, compiling a custom u-boot from source, and preparing the OpenBSD installer with HDMI output support. Installation requires an SD card as the USB and SATA ports are non-functional during setup, with the final system booting from a SATA SSD. The article also notes improved multi-disk support in OpenBSD 7.8, power consumption metrics (5W–6.8W), and performance comparisons to an APU4D4 board, highlighting the HC4’s efficiency and capability.

IP Technics switches office lab from Proxmox to FreeBSD and Sylve: A tech firm transitioned its office lab from Proxmox to FreeBSD with Sylve to streamline workflow efficiency and reduce infrastructure management overhead. The shift was driven by the need for a lighter, more native stack that aligned better with repetitive tasks like VM provisioning, storage adjustments, and hardware passthrough testing. FreeBSD’s built-in tools—such as ZFS, bhyve, and jails—provided a simpler, more integrated environment, while Sylve’s minimal management layer avoided unnecessary complexity. Practical benefits included faster image downloads via torrent, on-the-fly VM disk conversions, and an improved web terminal experience. The team emphasized that the change reflected a preference for infrastructure that required less cognitive effort rather than pursuing more ambitious solutions.

Claude Code transforms FreeBSD self-hosting workflows: The article explores how Claude Code, an AI-powered CLI assistant, streamlines complex FreeBSD self-hosting tasks by automating configurations, compiling custom packages, and hardening security. The author details real-world use cases, including deploying Authelia 2FA in minutes, translating Docker-based software into native FreeBSD builds, and optimizing Nginx security headers without manual trial-and-error. While the tool significantly reduces setup time and debugging effort, the author notes occasional over-eagerness in changes and a persistent update issue on FreeBSD that requires community attention. The piece also reflects on how AI assistance shifts the self-hosting experience from hands-on troubleshooting to higher-level system oversight, though some of the traditional “challenge-based” satisfaction is lost. FreeBSD compatibility and context-aware suggestions are highlighted as key strengths.

Running a Plan 9 network on OpenBSD: This guide explains how to set up a Plan 9 distributed system on OpenBSD or other Unix-like systems using emulated components. Plan 9’s architecture separates authentication, file storage, computation, and user terminals into distinct networked services, but this approach simplifies deployment by running all services on a single machine. The file server (u9fs) uses the host’s filesystem, the authentication server (authsrv9) relies on Unix permissions, and the diskless CPU server runs in QEMU, booting from a floppy image. Terminal access is provided via drawterm, a Unix-based Plan 9 terminal emulator. The guide covers IP configuration, user setup, service integration via inetd, and basic terminal usage, offering a practical way to experiment with Plan 9’s network-centric design without dedicated hardware. Appendices detail floppy image creation, system updates, and additional configurations like timezone settings.

Five-Year OpenZFS Storage Design Guide: This article explores strategic OpenZFS storage design for five-year horizons, focusing on media refresh cycles, pool expansion, and hardware independence. It compares mirror and RAIDZ configurations, explaining their trade-offs in capacity efficiency, performance, and resilver behavior over time. The guide emphasizes designing pools with consistent VDEV geometry to enable predictable growth and refresh operations without disruptive migrations. Key practices include symmetric expansion, intentional rebalancing via ZFS send/receive, and maintaining hardware independence through commodity controllers. The approach ensures storage infrastructure can evolve seamlessly while preserving data integrity and minimizing operational risk.

FreeBSD audio diagnostics and optimization: A comprehensive guide to audio diagnostics and optimization in FreeBSD, especially for USB DAC devices and music interfaces operating in bitperfect mode and real-time. Solid documentation of practical solutions for sound system analysis and calibration.

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week! Stay safe!
