The OpenBSD project announced today plans to disable support for Intel CPU hyper-threading due to security concerns regarding the theoretical threat of more "Spectre-class bugs." Bleeping Computer reports: Hyper-threading (HT) is Intel's proprietary implementation of Simultaneous Multithreading (SMT), a technology that allows processors to run parallel operations on different cores of the same multi-core CPU. The feature has been added to all Intel CPUs released since 2002 and has come enabled by default, with Intel citing its performance boost as the main reason for its inclusion.

But today, Mark Kettenis of the OpenBSD project, said the OpenBSD team was removing support for Intel HT because, by design, this technology just opens the door for more timing attacks. Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms. The OpenBSD team is now stepping in to provide a new setting to disable HT support because "many modern machines no longer provide the ability to disable hyper-threading in the BIOS setup."

BrianFagioli writes: GNOME 3.28 is the latest version of GNOME 3, and is the result of 6 months' hard work by the GNOME community. It contains several major new features, as well as many smaller improvements and bug fixes. In total, the release incorporates 24105 changes, made by approximately 778 contributors.

The Project explains, "GNOME 3.28 comes with more beautiful things! First, and most significantly, GNOME's default interface font (called Cantarell) has undergone a significant update. Character forms and spacing have been evolved, so that text is more readable and attractive. Several new weights have also been added -- light and extra bold -- which are being used to produce interfaces that are both modern and beautiful. Other beautiful things include GNOME's collection of background wallpapers, which has been updated to include a lovely set of photographs, and the selection of profile pictures, which has been completely updated with attractive new images to pick from."

Unfortunately, you can't just click on a button and upgrade to GNOME 3.28 today. Actually, for the most part, you will need to wait for it to become available for your operating system. Sadly, this can take a while. Fedora users, for instance, will have to wait for a major OS upgrade for it to become available.

itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja von Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.

troublemaker_23 quotes ITWire: Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled "in an incredibly bad way" by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. "Only Tier-1 companies received advance information, and that is not responsible disclosure -- it is selective disclosure," De Raadt told iTWire in response to queries. "Everyone below Tier-1 has just gotten screwed."
In the interview de Raadt also faults intel for moving too fast in an attempt to beat their competition. "There are papers about the risky side-effects of speculative loads -- people knew... Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies -- so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk."

He points out this will make it more difficult to develop kernel software, since "Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture." And he also complains that Intel "has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes..."

"It is a scandal, and I want repaired processors for free."

24 years after its release, NetBSD is getting a security upgrade -- specifically, Address Space Layout Randomization (ASLR). An anonymous reader writes: Support for Kernel ASLR was added on NetBSD-amd64 a few weeks ago. KASLR basically randomizes the address of the kernel, and makes it harder to exploit several classes of vulnerabilities [including privilege escalations and remote code execution]. It is still a work-in-progress, but it's already fully functional, and can be used following the instructions on this post from the NetBSD blog. It will be available starting from NetBSD 9, but may be backported to NetBSD 8 once it is stabilized.
NetBSD says they're the first BSD system to support ASLR.

basscomm writes: OpenBSD 6.2 has now been released. Check out the release notes if you're into that kind of thing. Some of the new features and systems include improved hardware support, vmm(4)/ vmd(8) improvements, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements and more. Here is the full list of changes.

Billly Gates writes: Linux is not the only free open-source operating system. FreeBSD, which is based off of the historical BSD Unix in which TCP/IP was developed on from the University of California at Berkeley, has been updated. It does not include systemd nor PulseAudio and is popular in many web server installations and networking devices. FreeBSD 11.1 is out with improvements in UEFI and Amazon cloud support in addition to updated userland programs. EFI improvements including a new utility efivar(8) to manage UEFI variables, EFI boot from TFTP or NFS, as well as Microsoft Hyper-V UEFI and Secure Boot for generation 2 virtual machines for both Windows Server and Windows 10 Professional hosts. FreeBSD 11.1 also has extended support Amazon Cloud features. A new networking stack for Amazon has been added with the ena(4) driver, which adds support for Amazon EC2 platform. This also adds support for using Amazon EC2 NFS shares and support for the Amazon Elastic Filesystem for NFS. For application updates, FreeBSD 11.1 Clang, LLVM, LLD, LLDB, and libc++ to version 4.0.0. ZFS has been updated too with a new zfsbootcfg with minor performance improvements. Downloads are here which include Sparc, PowerPC, and even custom SD card images for Raspberry Pi, Beagle-bone and other devices.

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

New submitter fisted writes: The NetBSD Project is pleased to announce NetBSD 7.1, the first feature update of the NetBSD 7 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. Some highlights of the 7.1 release are:

-Support for Raspberry Pi Zero.
-Initial DRM/KMS support for NVIDIA graphics cards via nouveau (Disabled by default. Uncomment nouveau and nouveaufb in your kernel config to test).
The addition of vioscsi, a driver for the Google Compute Engine disk.
-Linux compatibility improvements, allowing, e.g., the use of Adobe Flash Player 24.
-wm(4): C2000 KX and 2.5G support; Wake On Lan support; 82575 and newer SERDES based systems now work.
-ODROID-C1 Ethernet now works.
-Numerous bug fixes and stability improvements.

NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone. Free support services are available via our mailing lists and website. Commercial support is available from a variety of sources. More extensive information on NetBSD is available from http://www.NetBSD.org. You can download NetBSD 7.1 from one of these mirror sites.

An anonymous reader writes: "After spending six months in development, the NetBSD 7.0.2 release is now available for those running NetBSD 7.0 or NetBSD 7.0.1," reports Softpedia, "but also for those who are still using an older version of the BSD-based operating system and haven't managed to upgrade their systems, bringing them a collection of security patches and recent software updates." Release engineer Soren Jacobsen wrote that "It represents a selected subset of fixes deemed important for security or stability reasons. If you are running an earlier release of NetBSD, we strongly suggest updating to 7.0.2."

The security fixes eliminate a race condition in mail.local(8), and also update OpenSSL, ntp and BIND. In addition, "there are various MIPS pmap improvements, a patch for an NFS (Network File System) crash, as well as a crash that occurred when attempting to mount an FSS snapshot as read and write. NetBSD 7.0.2 also fixes an issue with the UFS1 file system when it was created outside the operating system." Download NetBSD 7.0.2 at one of these mirror sites.

Long-time Slashdot reader basscomm writes, "After a couple of delays, FreeBSD 11 has been released. Check out the release notes here." The FreeBSD Foundation writes: The latest release continues to pioneer the field of copyfree-licensed, open source operating systems by including new architecture support, performance improvements, toolchain enhancements and support for contemporary wireless chipsets. The new features and improvements bring about an even more robust operating system that both companies and end users alike benefit greatly from using.
FreeBSD 11 supports both the ARMv8 and RISC-V architectures, and also supports the 802.11n wireless networking standard. In addition, OpenSSH has been updated to 7.2p2, and OpenSSH DSA key generation has been disabled by default, so "It is important to update OpenSSH keys prior to upgrading."

386BSD was last released back in 1994 with a series of articles in Dr. Dobb's Journal -- but then developers for this BSD-based operating system started migrating to both FreeBSD and NetBSD. An anonymous Slashdot reader writes: The last known public release was version 0.1. Until Wednesday, when Lynne Jolitz, one of the co-authors of 386BSD, released the source code to version 1.0 as well as 2.0 on Github.

386BSD takes us back to the days when you could count every file in your Unix distribution and more importantly, read and understand all of your OS source code. 386BSD is also the missing link between BSD and Linux. One can find fragments of Linus Torvalds's math emulation code in the source code of 386BSD. To quote Linus: "If 386BSD had been available when I started on Linux, Linux would probably never had happened."
Though it was designed for Intel 80386 microprocessors, there's already instructions for launching it on the hosted hardware virtualization service Qemu.

Long-time Slashdot reader DeQueue writes: Back in 2011 Fabrice Bellard, the initiator of the QEMU emulator, wrote a PC emulator in JavaScript that let you boot Linux in your browser. But he didn't stop there.

On his website he now has images that let you boot Oberon, Arch Linux, FreeDOS, OpenBSD, Solar OS and more recent versions of Linux such as 2.6 or 3.18 (the 3.18 image includes internet access). You can also boot to a CD image, or a floppy image, or a hard drive disk image on your local machine. And, if you don't need yet another operating system on your computer, you can even boot to Bootchess and play chess

prisoninmate quotes a report from Softpedia: By following a rolling release model, TrueOS promises to be a cutting-edge and modern FreeBSD-based operating system for your personal computer, designed with security and simplicity in mind -- all while being stable enough to be deployed on servers. TrueOS will also make use of the security technologies from the OpenBSD project, and you can get your hands on the first Beta ISO images right now. The development team promises to offer you weekly ISO images of TrueOS, but you won't have to download anything anymore due to constant updates thanks to the rolling release model. TrueOS will use LibreSSL instead of OpenSSL, offer Linux DRM 4.7 compatibility for supporting for Intel Skylake, Haswell, and Broadwell graphics, and uses the pkg package manage system by default. "TrueOS combines the convenience of a rolling release distribution with the failsafe technology of boot environments, resulting in a system that is both current and reliable. TrueOS now tracks FreeBSD's 'Current' brand and merges features from select FreeBSD developer branches to enhance support for newer hardware and technologies," reads today's announcement.

LichtSpektren writes: Version 6.0 of the free operating system OpenBSD has just been released. This release features much improved hardware and armv7 support, a new tool called proot for building software ports in an isolated chroot environment, W^X that is now strictly enforced by default, and removal of official support for Linux emulation, usermount, and systrace. The release announcement can be read here. The release is OpenBSD's 40th release on CD-ROM and 41st release via FTP/HTTP.

Slashdot reader disccomp shares an article from Ars Technica: In an advisory posted Wednesday, Juniper officials said they just fixed a bug in the company's Junos operating system that allowed adversaries to masquerade as trusted parties. The impersonation could be carried out by presenting a forged cryptographic certificate that was signed by the attacker rather than by a trusted certificate authority that normally vets the identity of the credential holder...

"It seems that Junos was accepting specially crafted, invalid certificates as trusted," said Stephen Checkoway, a computer scientist at the University of Illinois at Chicago who recently focused on security in Juniper products. "This would enable anyone to create a VPN connection and gain access to the private network, e.g., a private, corporate network."

Reader itwbennett writes: Researchers from Cisco Systems' Talos group have found three memory corruption errors in the widely used open-source library libarchive that can result in arbitrary code execution and can be exploited by passing specially crafted files to applications that contain the vulnerable code. "The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS," writes Lucian Constantin. "Developers can also include the library's code in their own projects, so it's hard to know how many other applications or firmware packages contain it." (Original blog post) So, while the libarchive maintainers have released patches for the flaws, it will likely take a long time for them to trickle down through all the affected projects.

An anonymous reader writes: Linux turns 25 this year(!!). To mark the event, IEEE Spectrum has a piece on the history of Linux and why it succeeded where others failed. In an accompanying question and answer with Linus Torvalds, Torvalds explains the combination of youthful chutzpah, openness to other's ideas, and a willingness to unwind technical decisions that he thinks were critical to the OS's development: "I credit the fact that I didn't know what the hell I was setting myself up for for a lot of the success of Linux. [...] The thing about bad technical decisions is that you can always undo them. [...] I'd rather make a decision that turns out to be wrong later than waffle about possible alternatives for too long."

prisoninmate writes: What's ubuntuBSD? Well, it's not that hard to figure out yourself, but just in case you're not sure, we can tell you that ubuntuBSD promises to bring the power of the FreeBSD kernel to Ubuntu Linux. The best part of using the FreeBSD kernel is that you'll end up using the famous Z File System, or ZFS. Xfce is also included along with the popular Firefox, LibreOffice, and Ubuntu Software Center apps. ubuntuBSD is inspired by the Debian GNU/kFreeBSD project, it is hosted on SourceForge, and has been created by Jon Boden.

An anonymous reader writes: After almost a year of development, bug fixing and cleanup, BorgBackup 1.0.0 has been released. BorgBackup is a fork of the Attic-Backup project — a deduplicating, compressing, encrypting and authenticating backup program for Linux, FreeBSD, Mac OS X and other unixoid operating systems (Windows may also work using CygWin, but that is rather experimental/unsupported). It works on 32bit as well as on 64bit platforms, x86/x64 and ARM CPUs (maybe as well on others, but these are the tested ones). For Linux, FreeBSD and Mac OS X, there are single-file binaries which can be just copied onto a system and contain everything needed (Python, libraries, BorgBackup itself). Of course, it can be also installed from source. BorgBackup is FOSS (BSD License) and implemented in Python 3 (91%), speed critical parts are in C or Cython (9%).