The TrueOS team is pleased to announce the availability of a new STABLE release of the TrueOS project (version 18.03). This is a special release due to the security issues impacting the computing world since the beginning of 2018. In particular, mitigating the “Meltdown” and “Spectre” system exploits makes it necessary to update the entire package ecosystem for TrueOS. This release does not replace the scheduled June STABLE update, but provides the necessary and expected security updates for the STABLE release branch of TrueOS, even though this is part-way through our normal release cycle.

Important changes between version 17.12 and 18.03

  • “Meltdown” security fixes: This release contains all the fixes to FreeBSD which mitigate the security issues for systems that utilize Intel-based processors when running virtual machines such as FreeBSD jails. Please note that virtual machines or jails must also be updated to a version of FreeBSD or TrueOS which contains these security fixes.
  • “Spectre” security mitigations: This release contains all current mitigations from FreeBSD HEAD for the Spectre memory-isolation attacks (Variant 2). All 3rd-party packages for this release are also compiled with LLVM/Clang 6 (the “retpoline” mitigation strategy). This fixes many memory allocation issues and enforces stricter requirements for code completeness and memory usage within applications. Unfortunately, some 3rd-party applications became unavailable as pre-compiled packages due to non-compliance with these updated standards. These applications are currently being fixed either by the upstream authors or the FreeBSD port maintainers. If there are any concerns about the availability of a critical application for a specific workflow, please search through the changelog of packages between TrueOS 17.12 and 18.03 to verify the status of the application.

 

Most systems will need microcode updates for additional Spectre mitigations. The microcode updates are not enabled by default. This work is considered experimental because it is in active development by the upstream vendors. If desired, the microcode updates are available with the new devcpu-data package, which is available in the AppCafe. Install this package and enable the new microcode_update service to apply the latest runtime code when booting the system.

Important security-based package updates

    • LibreSSL is updated from version 2.6.3 -> 2.6.4
      • Reminder: LibreSSL is used on TrueOS to build any package which does not explicitly require OpenSSL. All applications that utilize the SSL transport layer are now running with the latest security updates.
    • Browser updates: (Keep in mind that many browsers have also implemented their own security mitigations in the aftermath of the Spectre exploit.)
      • Firefox: 57.0.1 -> 58.0.2
      • Chromium: 61.0.3163.100 -> 63.0.3239.132
      • Qt5 Webengine (QupZilla, Falkon, many others): 5.7.1 -> 5.9.4

 

  • All pre-compiled packages for this release are built with the latest versions of LLVM/Clang, unless the package explicitly requires GCC. These packages also utilize the latest compile-time mitigations for memory-access security concerns.

 

 

Package changes between 17.12 and 18.03

Summary of Package Changes:

 

Notes about package statistics:

  • Some packages that have been renamed between releases (like the KDE4 packages) will appear on both the removed list (old name) and the new list (new name) simultaneously.
  • Many of the new packages are the result of the new “flavor” system being activated for Python-based ports. Many of these applications now have two packages available, one for Python 2.7 (py27-*) and one for Python 3.6 (py36-*).
  • The updated packages list does not include minor port revision changes. The list only contains packages that had an actual change in the upstream version of the application.