Issue 270
Published March 11, 2026

FreeBSD 14.4 security & hardware updates, NetBSD 11.0 RC2 testing, OpenBSD drm(4) Linux 6.1.18 alignment, and more.

Releases

FreeBSD 14.4-RELEASE updates and security advisories: FreeBSD 14.4-RELEASE introduces security patches, userland improvements, and hardware support updates as part of the 14-STABLE branch. Key security advisories address vulnerabilities in OpenSSL, libarchive, xz, and jail escape risks, alongside fixes for network stack issues like SO_REUSEPORT_LB and unbound cache poisoning. Userland changes include updates to utilities like diff(1), jail(8), and bsdinstall(8), with new features such as stable MAC addresses for epair(4) and encrypted swap file support. The release also enhances cloud support via nuageinit(7) improvements, adds 9P filesystem support for bhyve(8), and updates drivers for Intel Ethernet, NVMe, and wireless chips. Documentation has been expanded with new manuals for DTrace providers, Ethernet switch controllers, and clarified behavior in tools like ipfw(8) and mtree(8).

NetBSD 11.0 RC2 released for testing: The NetBSD project has announced the second release candidate for NetBSD 11.0, urging community testing before the final release. This version addresses issues from the first candidate, including improvements to the ftp client for large file downloads, updates to tmux, reliability fixes for blocklistd, and corrections in the Mesa library. The release branch, nearly a year old, now offers split ISO images—smaller CD/R-sized versions and full-featured DVD variants—with users encouraged to select the latter unless constrained by media size. Installation notes and download links are provided for multiple architectures, including ARM devices via dedicated bootable images. Feedback on issues can be submitted through mailing lists or the project’s problem report system.

BSDSec

OpenBSD Errata: March 4, 2026 (pledgepaths unveil_mount): OpenBSD released errata patches on March 4, 2026, addressing vulnerabilities in the kernel’s pledge() system call (specifically tmppath) and the unveil() system call (related to unmount operations) for versions 7.7 and 7.8. Binary updates for amd64, arm64, and i386 architectures are available via the syspatch utility, while source patches are provided on the official errata pages. Users may need to update certain ports or packages before applying the kernel fixes to ensure compatibility. The patches aim to resolve potential security gaps in path restrictions and mount-related operations enforced by these system calls.

OpenBSD Errata: March 2, 2026 (tmppath): OpenBSD released errata patches addressing a vulnerability in the pledge("tmppath") implementation within the ldconfig utility for versions 7.7 and 7.8. The flaw could allow improper filesystem access during temporary file operations, posing a potential security risk. Binary updates are available for amd64, arm64, and i386 architectures via the syspatch utility, while source code patches can be obtained from the official errata pages for each version.

As always, it’s worth following BSDSec. RSS feed available.

News

OpenBSD updates drm(4) subsystem to Linux 6.1.18 level: A significant update to OpenBSD-current’s drm(4) (Direct Rendering Manager) subsystem aligns its codebase with Linux 6.1.18, as committed by Jonathan Gray. This extensive change arrives late in the development cycle, signaling its inclusion in the upcoming OpenBSD 7.9 release. The update was sponsored by the OpenBSD Foundation, highlighting its role in funding critical development work. The commit underscores ongoing efforts to modernize graphics support while maintaining OpenBSD’s security and stability focus. The timing suggests broader hardware compatibility and performance improvements for the next major release.

Valuable News – 2026/03/09: The Valuable News weekly roundup curates notable updates and articles primarily focused on UNIX, BSD, and Linux systems, filtering key developments from the overwhelming flow of online information. This edition highlights a range of topics, including the release of nanobrew, a fast macOS package manager, and updates like FreeBSD Git Weekly and NetBSD 11.0 RC2.

BSD Now 653: Filesystem comparisons and BSD advancements: This episode of BSD Now explores a technical comparison between ZFS and BTRFS, examining their architectural differences, feature sets, and stability considerations. It also covers unconventional implementations like running RHEL and Slackware on ZFS-root setups, including encrypted configurations, while highlighting OpenIndiana’s efforts to modernize Solaris’ IPS package management system using Rust. Additional topics include FreeBSD’s jail memory metrics for resource monitoring, a WireGuard VPN setup guide for OpenBSD, and a discussion on Tcl as an underrated yet highly productive programming language.

HardenedBSD February 2026 development update: The February 2026 HardenedBSD status report highlights ongoing efforts to resolve a persistent kernel crash in the 15-STABLE branch, with progress narrowing the issue to a specific commit window. Development also includes research into mesh networking projects like Meshtastic and Reticulum, aiming to create a censorship-resistant network proof-of-concept within six months. Key updates include kernel hardening contributions, ports maintenance like the addition of hardenedbsd/ctrl, and plans to migrate repositories from GitLab to Radicle. The report also mentions community engagement through a local Hackers N’ Hops demonstration and upcoming priorities like reviving the hbsdfw firewall build system.

NetBSD Jails: Jails for NetBSD introduces an experimental kernel-enforced isolation model designed to bridge the gap between simple chroot environments and full virtualization like Xen. The system integrates directly with NetBSD’s security framework, providing strong process isolation, configurable hardening profiles, and supervised service execution without external dependencies. It emphasizes operational simplicity, offering centralized logging, snapshot-based telemetry (CPU, memory, process counts), and host-visible supervision while maintaining compatibility with existing NetBSD workflows. The project avoids container ecosystems or virtualization overhead, instead focusing on a lightweight, inspectable isolation primitive with explicit boundaries. Security relies on kernel correctness, and the model is intended for workload separation rather than high-risk trust isolation.

Tutorials

Designing OpenZFS Storage for Independence: This article explores strategies for achieving storage independence using OpenZFS by addressing four key facets: lifecycle control, component choice, interoperability, and exit strategy. It emphasizes the importance of open-source software for operational autonomy, allowing organizations to avoid vendor lock-in and maintain sovereignty over their data. The article discusses OpenZFS’s flexibility across CPU architectures, operating systems, and storage hardware, including HDDs, SSDs, and NVMe devices, while highlighting its compatibility with protocols like SMB, NFS, and iSCSI. It also covers pool architecture design, failure domain planning, and migration paths to ensure seamless transitions between systems. The focus is on creating resilient, portable storage solutions that prioritize long-term independence and minimize risks associated with hardware or software changes.

DIY Home Network Setup with OpenBSD, OpenWrt, and Pi-hole: This guide details a custom home network configuration using OpenBSD as a router, OpenWrt as a wireless access point, and Pi-hole for network-wide ad blocking. The OpenBSD router handles firewall rules via pf.conf, DHCP assignments, and DNS resolution through Unbound, with detailed configurations provided for each service. The OpenWrt device operates in AP-only mode, managing WiFi while delegating DHCP and DNS to the OpenBSD router. Pi-hole integrates as a dedicated ad-blocking DNS server, forwarding queries to Quad9 as a fallback. The setup emphasizes security with default-deny firewall rules, anti-spoofing measures, and DNS hardening, while maintaining simplicity with clear instructions for each component. Costs are minimized using affordable hardware like a Raspberry Pi Zero and a repurposed D-Link router.

Sprinkling a little Cinnamon on GhostBSD: The default desktops in GhostBSD are very nice, be they Mate or XFCE - but what of the others? In this video they have a look at Cinnamon and see whether it is any good.

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week! Stay safe!
