Hello again,

It is with pleasure that we announce the availability of SafeStack in the OPNsense ports tree as our latest addition via our valued HardenedBSD friendship. While SafeStack is already deployed for the base operating system, it had not previously been applied to the ports tree.

SafeStack is an exploit mitigation developed by clang/llvm. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfils that dependency by including the HardenedBSD ASLR implementation, which follows the original PaX design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to her advantage.

It is still rather quiet security-wise. Despite updating OpenSSL, it does not contain any security updates this time.

Here are the full patch notes:


Stay safe,
Your OPNsense team
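
To see the stack separation that SafeStack performs, here is an added example (not code from OPNsense or HardenedBSD) that measures how far an address-taken buffer sits from the frame holding the saved return address. The names `placement`, `locate` and `distance` are made up for this illustration, and the input string is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#ifndef __has_feature
#define __has_feature(x) 0 /* compilers without clang's feature test */
#endif

struct placement {
    uintptr_t frame; /* frame that holds the saved return address */
    uintptr_t buf;   /* local buffer whose address is passed to a callee */
};

/* 1 when built with clang -fsanitize=safe-stack, otherwise 0. */
int safestack_enabled(void)
{
#if __has_feature(safe_stack)
    return 1;
#else
    return 0;
#endif
}

/* The buffer is handed to snprintf, so SafeStack cannot prove its use safe
 * and moves it to the separate unsafe stack, away from the return address. */
__attribute__((noinline))
struct placement locate(const char *input)
{
    char buf[64];
    struct placement p;
    snprintf(buf, sizeof buf, "%s", input); /* bounded copy */
    p.frame = (uintptr_t)__builtin_frame_address(0);
    p.buf = (uintptr_t)buf;
    return p;
}

/* Absolute distance in bytes between the frame and the buffer. */
unsigned long distance(const char *input)
{
    struct placement p = locate(input);
    return (unsigned long)(p.frame > p.buf ? p.frame - p.buf : p.buf - p.frame);
}

int main(void)
{
    struct placement p = locate("constructed sample input");
    printf("safestack=%d frame=%#lx buf=%#lx distance=%lu\n", safestack_enabled(),
           (unsigned long)p.frame, (unsigned long)p.buf, distance("constructed"));
    return 0;
}
```

Built normally, the buffer lies a few dozen bytes from the frame; built with `clang -fsanitize=safe-stack`, it lies in a separate mapping. Running the binary several times with ASLR active shows both addresses changing between runs, which is the property SafeStack relies on.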