MidnightBSD Release Notes

(10/31/2019) MidnightBSD 1.2

I’m happy to announce the availability of MidnightBSD 1.2 for amd64 and i386. This release focused on updating base system libraries and security. A significant effort has been put into updating various mports.

Portsnap is now included in the base system. You can use it to fetch mports. As this is a relatively new feature, please report any issues.

Bug Fixes

Fixed spell(1) by bringing back deroff(1).

Fixed a bug with the mdnsd startup script (/etc/rc.d/mdnsd) where it wouldn't modify the /etc/nsswitch.conf properly when enabling mDNSresponder.

Security fixes

The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer.

System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file.

Security patch for CVE-2019-5611.

Due do a missing check in the code of m_pulldown(9) data returned may not be contiguous as requested by the caller.

Fix some buffer overflows in telnet client

The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory.

Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes.

3rd party software

OpenSSH 7.9p1

bzip2 1.0.7

bsnmp bug fix - A function extracting the length from type-length-value encoding is not properly validating the submitted length.

Hardware

jedec_dimm - some modules falsely report supporting temp sensors. Handle this better.

Some work was also completed on the USB stack.

add some quirks for sandisk sdcz48_32 ultra 32gb, ploytec spl crimson rev 1, edirol ua-25ex

Fix for reception of large full speed isochronous frames via the transaction translator.

In xhci(4) there is no stream ID in the completion TRB. instead interate all the stream idds in stream mode to find the matching USB transfer.

Fix a lost completion event issue towards libusb(3).

Reduce timeout for reading the USB HUB port status to 1000ms and try to filter out dead USB HUB devices by implemention of an error counter.

Mport Package Manager

Several bug fixes to existing SQL queries were done in this release. It should improve lookups of packages when searching or installing updates. Error handling improvements were also done.

Some bug fixes around absolute paths should improve installation when plists contain absoluate paths.

You may choose an alternate package mirror location by setting the configuration after install.

Lookup current setting: mport config get mirror_region

Set the a new mirror location: mport config set mirror_region jp

Known Issues

Several issues were reported with the 1.0 release an the LiveCD functionality. These have not been corrected yet. We recommend installing MidnightBSD in a virtual machine to try it out before committing to dedicated hardware with it.

If you are updating an existing system, after installing 1.2, you can use mport upgrade to update packages with 1.2 versions. It is recommended that you delete /usr/mports/Packages and run mport clean to remove old package remnants.

You may use svnlite (part of the base system) to checkout mports or src, if you do not wish to install the svn package.

e.g.

cd /usr/ && svnlite co http://svn.midnightbsd.org/svn/mports/trunk mports

mports moved to github and you can also use the git package to fetch updated mports with cd /usr/ && git clone https://github.com/midnightbsd/mports.git

portsnap is also available in this release and can be used to update mports also.

first use: portsnap fetch extract

then: portsnap fetch update

See the man page for more information.