FreeBSD security advisories, Journal issue and more.
Releases
No releases.
BSDSec
FreeBSD Security Advisory FreeBSD-SA-26:02.jail: A security flaw in FreeBSD 14.3 and 13.5 allows a privileged user inside a jail to escape filesystem confinement when the allow.mount.nullfs option is enabled. The issue stems from a limitation in the kernel’s path lookup logic, permitting nullfs-mounted directories to bypass the jail’s chroot restrictions. Systems without this option enabled remain unaffected, but no workaround exists for vulnerable configurations. Patches and binary updates are available for affected releases, with corrections dated between June 2025 and January 2026. The vulnerability is tracked as CVE-2025-15547.
FreeBSD Security Advisory FreeBSD-SA-26:01.openssl: FreeBSD released a security advisory addressing multiple vulnerabilities in OpenSSL affecting versions 1.1.1, 3.0, and 3.5 across FreeBSD 13.5, 14.3, and 15.0. The issues range from improper validation and NULL pointer dereferences to out-of-bounds writes and stack buffer overflows, potentially leading to information disclosure or remote code execution. Corrections were applied on January 27, 2026, with patches available for affected branches, and users are advised to update via binary patches or source code fixes. The advisory references 12 CVEs, with detailed descriptions available in the linked OpenSSL security notice.
FreeBSD Errata Notice FreeBSD-EN-26:03.vm: This errata notice addresses a critical bug in the virtual memory subsystem where the page fault handler fails to zero memory allocations under certain conditions. This flaw affects all supported FreeBSD versions and violates the expected behavior of mmap(2) with the MAP_ANON flag, which guarantees zero-filled memory. The issue has been observed to cause process crashes, and no workaround exists beyond applying official patches. Corrections have been backported to stable and release branches (15.0, 14.3, and 13.5), with binary updates available via freebsd-update for amd64/arm64 (and i386 on 13.x) or manual source patches for other architectures. The notice provides detailed steps for verification, patching, and kernel recompilation where necessary.
FreeBSD Errata Notice FreeBSD-EN-26:02.arm64: This errata notice addresses a bug on arm64 systems using the Scalable Vector Extension (SVE) where signal handling could cause unexpected crashes. The issue arises when the kernel saves a thread’s SVE register context to userspace without proper alignment, leading to potential failures during context restoration. Affected versions include FreeBSD 15.0 and 14.3, with corrections applied to stable and release branches as of January 2026. No workaround exists, but arm64 systems without SVE and non-arm64 architectures remain unaffected. Updates are available via binary patches or source code fixes, with detailed instructions provided for both methods.
FreeBSD Errata Notice FreeBSD-EN-26:01.devinfo: This errata notice addresses a regression in the devinfo(8) utility introduced during FreeBSD 15.0’s development. The issue arose when adapting the tool to use the libxo library, which unintentionally altered human-readable output formatting and broke compatibility with tools parsing its output, including the Intel nvmupdate utility. No workaround exists, but the problem has been corrected in the stable/15 and releng/15.0 branches as of late 2025 and January 2026, respectively. Users can apply fixes via binary patches using freebsd-update(8) or by manually patching and recompiling the source code.
As always, it’s worth following BSDSec. RSS feed available.
News
Valuable News – 2026/02/02: The Valuable News weekly roundup curates notable updates, articles, and resources primarily focused on UNIX/BSD/Linux ecosystems. This edition highlights projects like smolBSD for minimal NetBSD Docker images, AutoBSD for automated FreeBSD installations, and Clawdbot for FreeBSD ports. It also covers hardware experiments such as running FreeBSD on LoongArch mini PCs and retro computing with 486 systems. Additional topics include comparisons between ZFS and Btrfs, advancements in FreeType rendering, and the release of OPNsense 26.1 with threat intelligence features. The roundup further explores niche BSD distributions like WiBSD, GNU/Hurd’s progress, and community-driven initiatives such as SonicDE for KDE/X11 preservation. The Usual Suspects section provides links to recurring BSD/UNIX news sources, podcasts, and video channels for ongoing updates.
HardenedBSD January 2026 infrastructure and development updates: The January 2026 report highlights HardenedBSD’s infrastructure improvements, including migrating package repositories to a local server with greater storage capacity and planning full automation of builds and syncing. Development efforts focused on merging commits from hardened/current to hardened/15-stable, addressing installer crashes in 15-STABLE, and experimenting with mesh networking tools like Meshtastic and Reticulum. Key changes in the source include disabling WITNESS vnode lock checks due to FreeBSD filesystem updates, opting ipfw into automatic variable initialization, and removing an outdated MAC hook for jail destruction. Port updates included bumping ftp/curl to 8.18.0, updating Reticulum, and enabling ZEROREG for OpenSSL 3, which may impact performance. The report also acknowledges ongoing work on filesystem-related kernel panics and community contributions.
FreeBSD Journal Q4 2025 issue released: The October–December 2025 edition of the FreeBSD Journal is now available, with a focus on FreeBSD 15.0 and its technical advancements. This issue covers updates to storage and sound subsystems, system security enhancements, developer tooling improvements, and community initiatives like Google Summer of Code 2025 participation. Featured articles include Universal Flash Storage integration, credential transitions with mdo(1) and mac_do(4), and guides on building U-Boot, alongside regular columns such as the 2026 Events Calendar and a Foundation letter. The journal remains freely accessible in HTML and PDF formats, serving as a quarterly resource for the FreeBSD community. Contributions from developers and writers highlight ongoing projects and innovations within the ecosystem.
Tutorials
150 MB Minimal FreeBSD Installation Guide: This article explores achieving an ultra-minimal FreeBSD 15.0 installation using the PKGBASE system, reducing disk usage to approximately 150 MB. The process involves a standard offline installation with ZFS compression, followed by selective removal of non-essential packages while preserving core functionality. Key steps include locking critical packages like FreeBSD-libarchive, FreeBSD-openssl-lib, FreeBSD-xz-lib, and FreeBSD-libucl to maintain pkg(8) functionality, then removing development and optional sets. The guide also details modifying the pkg(8) SQLite database to prevent automatic reinstallation of removed packages during upgrades. Additional space savings can be achieved by removing unused kernel modules. The approach is experimental and unsupported, recommended only for test environments, with warnings about potential system breakage. The article concludes that while space savings are possible, modern storage capacities make such extreme minimization less critical than package management and system integrity.
ZFS vs Btrfs: Key architectural and stability differences: ZFS and Btrfs both integrate filesystem and volume management but were designed with fundamentally different priorities that shape their reliability and use cases. ZFS emerged from Sun Microsystems with a focus on enterprise-grade data integrity, featuring end-to-end checksumming, self-healing capabilities, and RAID-Z for fault tolerance, making it the preferred choice for production environments where stability is critical. Btrfs, developed for Linux, prioritizes flexibility with features like writable snapshots and dynamic device management, but its RAID implementations remain unstable and recovery tools are less robust. While Btrfs excels in desktop and lightweight workloads, ZFS dominates in large-scale deployments due to its mature architecture, consistent performance under load, and comprehensive tooling for monitoring and repair. The choice between them ultimately depends on whether flexibility or reliability is the higher priority for the storage system.
Configuring Time Machine backups in a FreeBSD jail: This guide details setting up macOS Time Machine backups within a FreeBSD jail using Samba and ZFS storage. It covers jail creation with BastilleBSD, including network configuration options (VNET or inherited), and storage setup with dedicated ZFS datasets for each user. The process involves creating system users, configuring Samba with Time Machine-specific settings like fruit:aapl and fruit:time machine, and enabling services like Avahi for network discovery. The solution allows macOS clients to securely back up to a FreeBSD server while leveraging ZFS features like quotas and snapshots for efficient storage management.
Thanks for reading and see you next week! Stay safe!