FreeBSD security updates, KDE Plasma 6.4 on OpenBSD, HardenedBSD status report and more.
Releases
No releases.
BSDSec
FreeBSD Security Advisory: Use-after-free in xz decoder: The FreeBSD Security Advisory FreeBSD-SA-25:06.xz addresses a use-after-free vulnerability in the multi-threaded xz decoder. This issue, identified as CVE-2025-31115, affects FreeBSD 13.5 and 14.2. An attacker could exploit this vulnerability using a crafted .xz file to crash the decoder or execute arbitrary code. There is no workaround, but systems not using multi-threaded xz decoding are unaffected. Users are advised to upgrade their systems to a supported FreeBSD stable or release branch dated after the correction date. Binary patches and source code patches are available for updating vulnerable systems.
FreeBSD Errata Notice: ENA Driver Fix for Nitro Instances: The FreeBSD Errata Notice FreeBSD-EN-25:11.ena addresses a critical issue with the ena(4) driver used in Amazon EC2 instances. The driver’s failure to initialize a stack variable can lead to device resets and kernel panics on Nitro v4 or newer instances. This problem arises when using 128-byte wide LLQ entries, either through sysctl settings or ENA Express feature activation. The notice provides workarounds, such as forcing LLQ width to 256, and solutions, including system updates via binary patches or source code patches. The correction has been implemented in various FreeBSD branches, with specific commit hashes and revisions detailed for stable and release branches.
FreeBSD ZFS Encryption Bug Fix: FreeBSD released an errata notice addressing a bug in ZFS encryption. The issue causes corruption in ZFS replication streams from encrypted datasets, leading to spurious checksum errors and pool export failures. The problem affects all supported FreeBSD versions. Users are advised to upgrade their systems to a supported FreeBSD stable or release branch dated after the correction date. The notice provides instructions for updating via binary patch or source code patch, with a reboot required after the upgrade.
FreeBSD Errata Notice: libc C++ Library Crash Fix: The FreeBSD Errata Notice addresses a critical issue in dynamically-loaded C++ libraries that crash at exit due to uncalled destructors. This problem affects FreeBSD versions 13.5 and 14.2, causing crashes when programs exit after libraries have been unloaded. The notice provides no workaround but offers solutions via binary or source code patches. Users are advised to update their systems and restart affected services or reboot. The issue is corrected in specific stable and release branches, with detailed instructions for applying patches and verifying updates.
FreeBSD 13.4 End-of-Life Announcement: As of July 1st, 2025, FreeBSD 13.4 has reached its end-of-life and will no longer receive support from the FreeBSD Security Team. Users are strongly advised to upgrade to a newer release. Currently supported branches include stable/14, releng/14.3, releng/14.2, stable/13, and releng/13.5, with their respective end-of-life dates listed.
As always, it’s worth following BSDSec. RSS feed available.
News
Valuable News Summary for 2025/07/07: The Valuable News weekly series provides a concise summary of news and articles primarily related to UNIX/BSD/Linux systems. This edition covers various topics including the release of FreeBSD tools like nsysctl and updates on projects such as Podman and ZFS integration. It also highlights community events like the EuroBSDCon 2025 Travel Grant and discussions on X11Libre porting.
pkgsrc-2025Q2 Release Announcement: The pkgsrc developers have announced the 87th quarterly release of pkgsrc, a cross-platform packaging system containing over 29,000 packages. This release includes 132 new packages, 2,593 updates, and the removal of 168 packages. Notable updates include Firefox, GIMP, and Ruby. Additionally, support for several operating systems has been discontinued, and the default JPEG implementation has been changed to libjpeg-turbo. Users may need to force-delete libjpeg and rebuild dependent packages. Instructions for using the binary package manager and retrieving pkgsrc are provided.
KDE Plasma 6.4 Released for OpenBSD: KDE Plasma 6.4 has been released for OpenBSD, thanks to the efforts of Rafael Sadowski and others. This update includes the separation of KWin into KWin-X11 and KWin (Wayland), indicating a shift towards Wayland support. The update also features the Aurorae theme engine for KWin window decorations and various bug fixes.
Funding and Advancements in BSD Projects: This episode of BSD Now covers various topics related to BSD projects and their advancements. Key points include a review of a year of funded FreeBSD development, highlighting the progress and improvements made possible through funding. The episode also delves into ZFS performance tuning, offering insights on optimizing workloads for better efficiency. Additionally, it provides a quick guide on three different methods to try FreeBSD in under five minutes, making it accessible for newcomers. The episode features a report from the j2k25 hackathon, detailing contributions such as installer improvements and low battery optimizations. Lastly, it announces NetBSD’s participation in the Google Summer of Code, welcoming new contributors to the project.
HardenedBSD June 2025 Status Report: The HardenedBSD June 2025 status report covers updates from both May and June 2025, focusing on pkgbase and build infrastructure improvements. Key developments include experimental pkgbase repos for HardenedBSD, which are not yet recommended for production use, and research on descriptor randomization for enhanced security. Notable changes in the src tree involve updates to hbsd-update, RTLD fixes, and netlink support for userland. In the ports tree, various ports were updated and fixed, including emulators/virtualbox-ose and databases/redis. The report also highlights the need for donations to support infrastructure upgrades, particularly for a new HVAC unit to cool the server room, with an estimated cost of $7,000 - $9,000 USD.
Tutorials
Install and Configure Galene Video Meeting Server on FreeBSD: The guide provides a comprehensive walkthrough for installing and configuring the Galene video meeting server on FreeBSD. It begins with an introduction to Galene, highlighting its use as a videoconference server (SFU) that is easy to deploy and requires moderate server resources. The guide then outlines the requirements, including a recent FreeBSD install and optional ZFS. It covers the base FreeBSD setup, Galene installation, and configuration, including creating ZFS datasets for Galene, installing the Galene package, and configuring the Galene setup file. Additionally, it discusses adding a valid SSL certificate, configuring Galene to start up with the system, and testing the Galene installation.
Setting Up Poudriere in a FreeBSD VNET Jail: The article provides a detailed guide on setting up Poudriere, a tool for creating and testing FreeBSD packages, inside a FreeBSD VNET Jail. It begins with configuring the host system, including setting up the network, creating necessary directories, and configuring system settings. The guide then proceeds to the jail setup, where it covers the installation of required packages, configuration of Poudriere, and setting up the necessary environment for building packages. Key steps include fetching the FreeBSD base system, configuring the jail’s network settings, and installing essential tools like Poudriere, Git, and ccache. The article also explains how to configure Poudriere to use a specific FreeBSD release and ports tree, and how to start a bulk build of a package. The guide is aimed at users with some experience in FreeBSD, providing them with a clear path to set up a Poudriere environment within a VNET Jail.
Installing FreeBSD on Unsupported Providers with mfsBSD: This guide explains how to install FreeBSD on hosting providers that do not officially support it using mfsBSD. The process involves booting the server in rescue mode, downloading the mfsBSD image, and writing it to the server’s disk using the dd command. After rebooting, users can connect via SSH, change the root password, and proceed with the standard FreeBSD installation. The guide highlights the benefits of FreeBSD, such as service isolation in jails and ZFS snapshots, and addresses the limitations imposed by providers that only support Linux distributions. The author emphasizes the importance of avoiding IT monocultures and provides a practical solution for those seeking to use FreeBSD.
Guide to Jekyll Publishing on FreeBSD: The blog post discusses the author’s experience with setting up Jekyll, a static website generator, on FreeBSD. The author encountered compatibility issues with Ruby 3.3 and decided to use Ruby 3.2 instead. The post provides a step-by-step guide on how to install and configure Ruby 3.2, including setting the default version in /etc/make.conf and installing bundler from ports. The author also encountered issues with upgrading Jekyll and provides a workaround. The post concludes with the author expressing their frustration with Ruby and their desire to switch to a more modern static site generator.
Did we miss anything?
This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.
Thanks for reading and see you next week! Stay safe!