Issue 252
Published November 05, 2025

FreeBSD 15.0 BETA 4, OpenBSD patches smtpd/xserver/libssl, and HardenedBSD updates with TPE enhancements and more.

Releases

FreeBSD 15.0 BETA 4 released: FreeBSD 15.0 has reached its fourth BETA build, available for amd64, armv7, aarch64, powerpc64, powerpc64le, and riscv64. ISO images can be downloaded from most FreeBSD mirror sites. BETA 4 follows the earlier 15.0 BETA builds, each tightening stability as the release moves toward the release-candidate stage; as with any pre-release image, verify the published checksums before installing.

BSDSec

OpenBSD smtpd errata patches released for versions 7.7 and 7.8: OpenBSD has issued errata patches for the smtpd mail server on 7.7 and 7.8. The errata notice itself does not detail the issue, but the OpenSMTPD 7.8.0p0 item below links the smtpd fix to CVE-2025-62875. Binary patches for amd64, arm64, and i386 are applied with the syspatch utility; on other architectures, or if you prefer, apply the source patches linked from the errata page for each version and rebuild. Either way, restart smtpd afterwards so the running daemon actually picks up the fix.

OpenBSD errata patches for xserver, unbound, libssl: OpenBSD also released security errata for xserver, unbound, and libssl on 7.7 and 7.8. Binary patches for amd64, arm64 and i386 are available via syspatch, with source patches on the errata pages. A patched libssl only protects processes that have reloaded it: restart long-running TLS services (or reboot) after applying, and restart the X server for the xserver fix.

As always, it’s worth following BSDSec. RSS feed available.

News

Valuable News – 2025/11/03: The Valuable News weekly series curates notable updates, articles, and resources primarily related to UNIX/BSD/Linux systems. This edition highlights FreeBSD’s milestone in reproducible builds without requiring root privileges, OpenIndiana 2025.10’s release, and advancements in Open Container Initiative (OCI) support for FreeBSD. It also covers hardware developments like AMD’s ZEN6 architecture, security concerns with smart devices, and broader tech topics such as privacy issues with Microsoft Teams and Google’s handling of sideloading.

HardenedBSD October 2025 status update: The October 2025 HardenedBSD status report covers developments from both September and October, including the creation of the new 15-STABLE branch and related infrastructure. Key changes in the source tree include initial work on pkgbase installer support, permission checks for user-owned vnodes in Trusted Path Execution (TPE), and adjustments to stack mapping using VMFS_NO_SPACE. Ports updates involved version bumps for net-p2p/heartwood, net-p2p/heartwood-httpd, and ports-mgmt/poudriere-hbsd, along with hardening flag adjustments for www/forgejo and www/forgejo7. Additionally, Shawn Webb presented at BSides Colorado Springs on libhijack enhancements and began improving error handling in {,lib}hbsdcontrol while exploring censorship-resistant mesh networking with Reticulum.

FreeBSD now supports OCI containers with Podman: FreeBSD has joined the Open Container Initiative (OCI), and OCI-compliant containers can now be run on FreeBSD with Podman, a lightweight container engine. Setup is the podman-suite package plus a few configuration steps: a ZFS dataset for container storage and, for Linux images, the Linux compatibility layer. Both FreeBSD and Linux containers run, including legacy Linux workloads and current applications such as Caddy for web hosting. Underneath, each container is a FreeBSD jail, so the isolation boundary is the one jail operators already know. This expands FreeBSD's ecosystem for new users while giving existing users a standard container workflow; documentation and community resources are available for further guidance.

NetBSD developer shares GSoC 2025 Mentor Summit experience in Munich: Leonardo Taccari recounted his first attendance at the Google Summer of Code (GSoC) 2025 Mentor Summit in Munich, representing The NetBSD Foundation after nearly a decade of involvement as a student, mentor, and admin. The three-day event brought together 185 mentors from 133 organizations, featuring unconference-style sessions, lightning talks, and social activities like a scavenger hunt and karaoke. Key discussions included AI in open source, handling spammy proposals, diversity in FOSS, and supply chain security tools like SBOM and VEX. Taccari highlighted NetBSD’s participation since 2005, shared travel notes from Munich and Bolzano, and emphasized the summit’s role in fostering collaboration and learning about new projects. The event also included a “chocolate room” tradition and networking opportunities with mentors from other organizations.

NetBSD NAT64 Protocol Translation Enhancements Part 2: The second report from Google Summer of Code 2025 details progress on NAT64 protocol translation in NetBSD’s NPF firewall, building on earlier work to enable IPv6-to-IPv4 communication. The implementation includes core translation logic for rewriting IPv6 headers to IPv4 and vice versa, address mapping functions to embed IPv4 within IPv6 prefixes, and checksum recalculations for transport layers. Configuration support was added to npf.conf(5) for defining NAT64 rules, while testing validated functionality using tools like ping, curl, and packet inspection via tcpdump. The project integrates NAT64 with DNS64, allowing IPv6-only clients to access IPv4 servers, though further refinements remain. Source code and additional details are available in the linked GitHub branch.
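The address-mapping and checksum steps described above, as an added example that is not the NPF code or the GSoC project's own: RFC 6052 embedding with the 64:ff9b::/96 well-known prefix, then the IPv6-to-IPv4 rewrite of a constructed UDP datagram with the UDP checksum recomputed over the IPv4 pseudo-header. The translator's pool address 198.51.100.1, the client and server addresses, and the restriction to plain IPv6/UDP without extension headers are assumptions for this example; the real implementation also handles TCP and ICMP (the report tests with ping and curl).

```python
import ipaddress
import struct

# RFC 6052 well-known prefix; with a /96 the IPv4 address sits in the low 32 bits.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
IPPROTO_UDP = 17


def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """IPv4-embedded IPv6 address (RFC 6052, /96 form): prefix || IPv4."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """Inverse mapping; refuses addresses that are not inside the configured prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError("not a NAT64-mapped address: %s" % v6)
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), bytes(data)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo6(src, dst, ulen, nh):
    # RFC 8200 s8.1: src, dst, 32-bit upper-layer length, three zero bytes, next header
    return src.packed + dst.packed + struct.pack("!I3xB", ulen, nh)


def pseudo4(src, dst, ulen, proto):
    # RFC 768: src, dst, zero byte, protocol, 16-bit transport length
    return src.packed + dst.packed + struct.pack("!xBH", proto, ulen)


def build_ipv6_udp(src6, dst6, sport, dport, payload, hlim=64):
    """Constructed IPv6/UDP datagram with a valid (mandatory) UDP checksum."""
    src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    csum = inet_checksum(pseudo6(src6, dst6, ulen, IPPROTO_UDP) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    hdr = struct.pack("!IHBB", 0x60000000, ulen, IPPROTO_UDP, hlim) + src6.packed + dst6.packed
    return hdr + udp


def translate_6to4(pkt6, nat_src4, prefix=NAT64_PREFIX):
    """IPv6/UDP -> IPv4/UDP, the 6-to-4 direction of a stateful NAT64.

    nat_src4 is the translator's own IPv4 pool address (the IPv6 source is
    replaced by it; per-flow port mapping is omitted here). Only plain
    IPv6/UDP with no extension headers is handled; anything else is rejected.
    """
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", pkt6[:8])
    if vtcfl >> 28 != 6 or nh != IPPROTO_UDP:
        raise ValueError("example handles plain IPv6/UDP only")
    if hlim <= 1:
        raise ValueError("hop limit exhausted; a real translator answers with ICMPv6 Time Exceeded")
    src4 = ipaddress.IPv4Address(nat_src4)
    dst4 = extract_ipv4(ipaddress.IPv6Address(pkt6[24:40]), prefix)
    udp = bytearray(pkt6[40:40 + plen])
    # The transport checksum covers the pseudo-header and both addresses in it
    # changed, so recompute it (0 means "no checksum" in IPv4 UDP, hence 0xFFFF).
    udp[6:8] = b"\x00\x00"
    udp[6:8] = struct.pack("!H", inet_checksum(pseudo4(src4, dst4, len(udp), IPPROTO_UDP) + bytes(udp)) or 0xFFFF)
    # IPv4 header: DF set (no en-route fragmentation in IPv6), TTL decremented like a router.
    ip4 = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                                hlim - 1, IPPROTO_UDP, 0, src4.packed, dst4.packed))
    ip4[10:12] = struct.pack("!H", inet_checksum(bytes(ip4)))
    return bytes(ip4) + bytes(udp)


def verify_ipv4_udp(pkt4):
    """True when both the IPv4 header checksum and the UDP checksum verify."""
    ihl = (pkt4[0] & 0x0F) * 4
    if inet_checksum(pkt4[:ihl]) != 0:
        return False
    src4, dst4 = ipaddress.IPv4Address(pkt4[12:16]), ipaddress.IPv4Address(pkt4[16:20])
    udp = pkt4[ihl:]
    return inet_checksum(pseudo4(src4, dst4, len(udp), IPPROTO_UDP) + udp) == 0


if __name__ == "__main__":
    # Constructed flow: an IPv6-only client reaches an IPv4-only DNS server via the prefix.
    pkt6 = build_ipv6_udp("2001:db8::10", embed_ipv4("192.0.2.53"), 40000, 53, b"constructed query")
    pkt4 = translate_6to4(pkt6, "198.51.100.1")
    print(embed_ipv4("192.0.2.53"), verify_ipv4_udp(pkt4))   # 64:ff9b::c000:235 True
```

The same two checks are what to look for in a tcpdump capture on the IPv4 side of a real translator: the destination is the low 32 bits of the mapped address, and tcpdump -vv reports the UDP checksum as correct rather than bad.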

OpenSMTPD 7.8.0p0 released with security fixes and improvements: OpenSMTPD 7.8.0p0 introduces several updates, including a fix for CVE-2025-62875 as part of OpenBSD errata 005, which addresses a critical security vulnerability. The release removes support for world-writable mail spools, corrects a typo in address family handling (PF_INET to PF_INET6), and resolves an issue where single-character AUTH PLAIN passwords were incorrectly rejected. Additional improvements include documentation updates, enhanced handling of garbage data on local sockets, and refreshed contributions like mail.local and lockspool. The software remains compatible with LibreSSL as its primary TLS library, though OpenSSL 1.1+ is supported as a secondary option. This version is available for OpenBSD, NetBSD, FreeBSD, DragonFlyBSD, Linux, and macOS, with verification via signify(1) and checksums provided for integrity checks.

LibreSSL 4.1.2 and 4.2.1 released with reliability and portability fixes: LibreSSL versions 4.1.2 and 4.2.1 have been released, available via OpenBSD mirrors, with a key reliability fix addressing a TLSv1.3 issue where servers could incorrectly select groups for HelloRetryRequest messages. The update ensures compatibility by preventing mismatches with client key shares, resolving a problem reported by community contributor dzwdz. Additionally, LibreSSL 4.2.1 includes portable improvements, such as corrected Windows release tarballs, contributed by Markus Friedl and Tess Gauthier. These releases reflect ongoing efforts to modernize the codebase with safer programming practices, while the project encourages community feedback and contributions.
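The HelloRetryRequest rule that the description above points at, as an added example that is not LibreSSL's code: RFC 8446 section 4.2.8 requires the group named in an HRR to be one the client listed in supported_groups and not one it already sent a key_share for, and a client must reject an HRR that breaks either rule with an illegal_parameter alert. The server-side selection below follows that rule and the client-side check enforces it; the group codes, exception classes and preference lists are illustrative.

```python
# IANA TLS named-group codes, used as labels here.
X25519, SECP256R1, SECP384R1, X448 = 0x001D, 0x0017, 0x0018, 0x001E


class IllegalParameter(Exception):
    """Stand-in for the TLS illegal_parameter alert."""


class HandshakeFailure(Exception):
    """Stand-in for the TLS handshake_failure alert."""


def server_select_group(server_prefs, client_supported_groups, client_key_shares):
    """Pick the key-exchange group for a TLS 1.3 server; returns (group, send_hrr).

    A key_share is only usable if its group is also in supported_groups. Any
    acceptable group the client already provided a share for completes the
    handshake in one round trip. Otherwise the server sends a HelloRetryRequest
    naming a mutually supported group the client did NOT already share
    (RFC 8446 s4.2.8); naming a group that was already shared is the mismatch a
    conforming client rejects."""
    offered = [g for g in client_key_shares if g in client_supported_groups]
    for g in server_prefs:
        if g in offered:
            return g, False
    for g in server_prefs:
        if g in client_supported_groups and g not in client_key_shares:
            return g, True
    raise HandshakeFailure("no key-exchange group in common")


def client_check_hrr(selected, client_supported_groups, client_key_shares):
    """The two checks a client applies to the key_share group in an HRR."""
    if selected not in client_supported_groups:
        raise IllegalParameter("HRR selected a group the client never offered")
    if selected in client_key_shares:
        raise IllegalParameter("HRR selected a group the client already sent a key_share for")
    return selected


def handshake(server_prefs, client_supported_groups, client_key_shares):
    """Drive one exchange; returns (group, hrr_was_sent) or raises the relevant alert."""
    group, hrr = server_select_group(server_prefs, client_supported_groups, client_key_shares)
    if hrr:
        client_check_hrr(group, client_supported_groups, client_key_shares)
    return group, hrr


if __name__ == "__main__":
    # Client offers x25519 and secp384r1 but only ships an x25519 share; the server
    # insists on secp384r1, so an HRR for secp384r1 is the only legal outcome.
    print(handshake([SECP384R1], [X25519, SECP384R1], [X25519]))   # (24, True)
```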

BSD Now 635 covers OpenBSD 7.8 release and enterprise storage: This episode of BSD Now highlights the release of OpenBSD 7.8, detailing its latest features and improvements, alongside a guide on building enterprise-grade storage solutions using Proxmox with ZFS. Additional topics include SSD performance metrics, virtual machine migration from KVM to OmniOS bhyve, and discussions on Ethernet history from the Unix Heritage Society.

OpenBSD proposes BPF socket filtering to enhance daemon security: A proposal on the OpenBSD tech@ mailing list would allow BPF (Berkeley Packet Filter) programs to be attached to arbitrary sockets, to limit what a compromised daemon can do with a raw socket. Today programs like ping(1) or relayd's ICMP checks need a SOCK_RAW socket, and a compromised process holding one can send more or less any packet it likes, which helps lateral movement. The proposed setsockopt() options (SO_SEND_BPF, SO_RECV_BPF, and SO_BPF_LOCK to lock the filters in place) attach BPF programs to a socket so that only packets matching the filter can be sent or received, for instance ICMP only to specific addresses. Damien Miller's patch targets OpenBSD -current and could also apply to datagram sockets beyond SOCK_RAW, such as UDP-based protocols. Discussion is ongoing, with dhcpleased mentioned as a candidate for testing; broader adoption may need further refinement and integration with existing BPF users.
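As an added illustration (not Damien Miller's patch or any OpenBSD code), the kind of filter such a daemon would attach: a classic BPF program, using the opcode values from <net/bpf.h>, that accepts only IPv4 ICMP Echo Requests to one destination, run through a small interpreter against constructed packets so the effect can be checked offline. It assumes the filter sees the IPv4 datagram from its first byte and that the header carries no options; SO_SEND_BPF itself exists only in the proposal, so the block shows the program, not the setsockopt() call.

```python
import ipaddress
import struct

# Classic BPF opcodes (values from <net/bpf.h>); only the ones this filter needs.
LDB = 0x30   # BPF_LD  | BPF_B   | BPF_ABS   A = byte at k
LDW = 0x20   # BPF_LD  | BPF_W   | BPF_ABS   A = 32-bit word at k
JEQ = 0x15   # BPF_JMP | BPF_JEQ | BPF_K     jump jt/jf depending on A == k
RET = 0x06   # BPF_RET | BPF_K               return k

IPPROTO_ICMP = 1
ICMP_ECHO = 8


def icmp_echo_to(dst):
    """Filter accepting only IPv4 ICMP Echo Requests to one address.

    Each entry is (code, jt, jf, k) like struct bpf_insn; jump offsets are
    relative to the next instruction. Assumes IHL == 5 (no IP options)."""
    k = int(ipaddress.IPv4Address(dst))
    return [
        (LDB, 0, 0, 0),              # A = version/IHL
        (JEQ, 0, 7, 0x45),           # IPv4 with 20-byte header, else reject
        (LDB, 0, 0, 9),              # A = protocol
        (JEQ, 0, 5, IPPROTO_ICMP),   # ICMP, else reject
        (LDW, 0, 0, 16),             # A = destination address
        (JEQ, 0, 3, k),              # the one allowed destination, else reject
        (LDB, 0, 0, 20),             # A = ICMP type
        (JEQ, 0, 1, ICMP_ECHO),      # echo request, else reject
        (RET, 0, 0, 0xFFFF),         # accept
        (RET, 0, 0, 0),              # reject
    ]


def run_bpf(prog, pkt):
    """Minimal classic-BPF interpreter for the opcodes above.

    An out-of-bounds load rejects the packet, which is what the kernel does."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code in (LDB, LDW):
            n = 1 if code == LDB else 4
            if k + n > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + n], "big")
        elif code == JEQ:
            pc += jt if acc == k else jf
        elif code == RET:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
        pc += 1
    raise ValueError("program fell off the end")


def as_bpf_insns(prog):
    """The same program in the form tcpdump -dd prints, for pasting into C."""
    return "\n".join("{ 0x%02x, %d, %d, 0x%08x }," % insn for insn in prog)


def ipv4_packet(proto, dst, payload, src="198.51.100.7", ttl=64):
    """Constructed IPv4 datagram; header checksum left zero since the filter ignores it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


if __name__ == "__main__":
    prog = icmp_echo_to("192.0.2.1")
    echo = bytes([ICMP_ECHO, 0, 0, 0, 0, 1, 0, 1])   # type, code, csum, id, seq (constructed)
    print(run_bpf(prog, ipv4_packet(IPPROTO_ICMP, "192.0.2.1", echo)))   # 65535: allowed
    print(run_bpf(prog, ipv4_packet(IPPROTO_ICMP, "192.0.2.2", echo)))   # 0: other host
    print(run_bpf(prog, ipv4_packet(17, "192.0.2.1", b"\x00" * 8)))      # 0: not ICMP
    print(as_bpf_insns(prog))
```

Because the accept/reject decision is a return value, the program is easy to unit-test before it ever reaches a kernel; the truncated-packet case matters because a filter that reads past the end of a short datagram must fail closed.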

OpenBSD’s veb(4) virtual Ethernet bridge gains VLAN support: A proposed patch for OpenBSD’s veb(4) virtual Ethernet bridge introduces VLAN awareness, allowing the device to associate MAC addresses with specific VLAN identifiers (VIDs) rather than treating all traffic as part of a single namespace. Previously, veb(4) either blocked VLAN-tagged packets or ignored their tags during MAC lookups, requiring separate bridges or vlan(4) interfaces for each VLAN. The update simplifies configuration by enabling per-port VLAN settings—supporting both untagged and tagged traffic—while maintaining backward compatibility for existing setups. Ports can now be configured with default VIDs for untagged packets or explicit tagged VIDs, reducing the need for multiple bridges or manual vlan(4) interfaces. The changes primarily extend kernel-level forwarding logic and ifconfig(8) commands, with minimal disruption to existing workflows, though configurations using link0 may require adjustments.

DragonFly BSD updates nvi2 to version 2.2.2: DragonFly BSD has updated its default vi editor, nvi2, to version 2.2.2, continuing the legacy of the classic Unix text editor that traces its origins back nearly 50 years. The update reflects ongoing maintenance of the nvi2 project, which remains a lightweight alternative to more modern editors.

FreeBSD Vendor Summit 2025 to convene industry and developers: The 2025 FreeBSD Vendor Summit will take place November 6–7 at NetApp Headquarters in San Jose, California, bringing together organizations using FreeBSD in production and the developers behind the operating system. The event features keynotes on AI in engineering and Karios.ai, technical sessions on FreeBSD 15.0 and pkgbase, and discussions on CHERI memory safety and emerging security trends. Attendees will participate in roadmap planning, operational insights, and networking to align FreeBSD’s development with commercial needs. Registration is required, with details available via Eventbrite and the FreeBSD Foundation’s event page. The summit aims to foster collaboration between industry engineers and FreeBSD contributors.

Tutorials

Highly Available ZFS Pool Setup with iSCSI Mirroring: This guide details configuring a fault-tolerant ZFS storage solution using iSCSI and mirroring across multiple FreeBSD servers to create a highly available SAN without vendor lock-in. The setup leverages ZFS mirroring to span physical servers, with each server contributing a local disk to the pool while using iSCSI to export and access remote disks. A VNET jail running the NFS service ensures seamless failover, with a virtual IP allowing clients to maintain connectivity during transitions. The article covers network configuration, iSCSI target/initiator setup, ZFS pool creation with the multihost property, and jail management for service provisioning. Two points to get right when reproducing it: multihost=on only protects against a double import if every node has a distinct hostid, and the iSCSI segment should be a dedicated or otherwise trusted network (or use CHAP), since an unauthenticated initiator that can reach the target can attach the exported disks. Variations such as multi-server setups, network redundancy, and OS diversity are also discussed to adapt the solution to different requirements.

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week! Stay safe!

Become a Sponsor! Become a Patron!

We won't spam you. Unsubscribe any time.