Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]
Security: FreeBSD-SA-12:01.openssl (revised)
Security: FreeBSD-SA-12:02.crypt
Approved by: so (bz, simon)
> The portion of r225757 that added the packages-9.0-release directory
> was supposed to be MFCed closer to the release but that got missed.
>
> Pointy hat: kensmith
Approved by: re (implicit)
Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]
Fix a buffer overflow in telnetd. [11:08]
Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]
Add sanity checking of service names in pam_start. [11:10]
Approved by: so (cperciva)
Approved by: re (bz)
Security: FreeBSD-SA-11:06.bind
Security: FreeBSD-SA-11:07.chroot
Security: FreeBSD-SA-11:08.telnetd
Security: FreeBSD-SA-11:09.pam_ssh
Security: FreeBSD-SA-11:10.pam
Approved by: re (kib)
Security: some poorly thought out programs allow the user to specify
the service name; this patch makes it harder to trick these
programs into loading and executing arbitrary code.
Approved by: re (kib)
Security: prevents users with unencrypted ssh keys (prohibited
unless the nullok option is specified) from logging in
by providing a bogus non-null passphrase.
- Fix an issue that 127/8 is not configured when $ifconfig_DEFAULT is not empty.
- Add description that IPv6 configuration will be ignored if $ifconfig_IF_ipv6
is empty.
- Move a configuration example "inet6 accept_rtadv" to just after the manual
GUA configuration.
- Add an example of $ipv6_prefix_IF.
- Add support for removing addresses added by ipv6_prefix_hostid_addr_up()
upon rc.d/netif stop.
Approved by: re (bz)
Fix a problem that an interface unexpectedly becomes IFF_UP by
just doing "ifconfing inet6 -ifdisabled" when the interface has
ND6_IFF_AUTO_LINKLOCAL flag and no link-local address.
Approved by: re (bz)
Prevent user astonishment by providing the shell option at the end, after
any installer-provided configuration files have been copied. This allows
users to edit their fstab, if desired, and to see what the installer has
placed in rc.conf.
Requested by: phk
Approved by: re (kensmith)
> Add a screen that asks if the user would like to enable crash dumps,
> giving them a very brief description of the trade-offs. Whether the
> user opts in or out add an entry to what will become /etc/rc.conf
> explaining what dumpdev is and how to turn on/off crash dumps. The folks
> who handle interacting with users submitting PRs have asked for this.
>
> Reviewed by: nwhitehorn
Approved by: re (kib)
Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))
At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.
Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.
For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-4313
which will be updated as more information becomes available.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
Approved by: re (kib)
Return value should be conditional on return value of pfsync_defer_ptr()
PR: kern/162947
Submitted by: Matthieu Kraus <matthieu.kraus s2008.tu-chemnitz.de>
Approved by: re (kib)
- Fix behavior of --null to match GNU grep
MFC 228097
- Call warnx() instead of errx() if a directory is not readable when using
a recursive search. This is the expected behavior instead of aborting.
Approved by: re (kib)
The default setting, daily_accounting_compress="NO", was causing
only 1 old file to be saved, so fix this.
While I'm here, fix a very old off-by-one error causing 1 more
file than specified in daily_accounting_save to be saved because
acct.0 was not taken into account (pun intended). Change that, and
use a more thorough method of finding old files to delete. Partly
just because this is the right thing to do, but also to silently
fix the extra log that would have been left behind forever with the
previous method.
Approved by: re (kensmith)
- Based on a report on sparc64@ move V245 to the list of known working
machines.
- Mention that V480 with broken centerplanes have a chance of working with
the WAR in the upcoming 8.3-RELEASE and 9.0-RELEASE.
Approved by: re (kib)
Update the default cvs tag for RELENG_9 by merging the following revisions:
r225757 (by kensmith, partial):
Shift head from 9.0-CURRENT to 10.0-CURRENT in preparation for releasing
it from the 9.0-RELEASE release cycle code freeze.
r225764 (by kensmith):
Forgot to add "RELENG_8" to list of CVS tags.
Reported by: Milan Obuch <freebsd-current at dino sk> (cvs tag)
Approved by: re (kib)
Increase the CDMA sync timeout for Schizo bridges to 15 seconds as used by
OpenSolaris. One second turned out to be not enough for certain loads while
10 seconds were sufficient.
Reported by: Peter Jeremy
Approved by: re (bz)
Change the Makefile in cddl/lib/drti to use bsd.lib.mk instead of
bsd.prog.mk -- we need to compile PIC, which requires a library build.
With this change, USDT (userspace DTrace probes) work from within
shared libraries.
PR: kern/159046
Submitted by: Alex Samorukov <samm at os2.kiev.ua>
Comments by: Scott Lystig Fritchie <slfritchie at snookles.com>
Approved by: re (bz)
Add an introductory Capsicum man page providing a high-level description of
its mechanisms, pointing at other pertinent man pages, and cautioning about
the experimental status of Capsicum in FreeBSD.
Sponsored by: Google, Inc.
Approved by: re (kib)
based on Solarflare SFC9000 family controllers. The driver supports jumbo
frames, transmit/receive checksum offload, TCP Segmentation Offload (TSO),
Large Receive Offload (LRO), VLAN checksum offload, VLAN TSO, and Receive Side
Scaling (RSS) using MSI-X interrupts.
This work was sponsored by Solarflare Communications, Inc.
My sincere thanks to Ben Hutchings for doing a lot of the hard work!
Sponsored by: Solarflare Communications, Inc.
Approved by: re (bz)
Plug a TCP reassembly UMA zone leak introduced in r226228 by only using the
backup stack queue entry when the zone is exhausted, otherwise we leak a zone
allocation each time we plug a hole in the reassembly queue.
Reported by: many on freebsd-stable@ (thread: "TCP Reassembly Issues")
Tested by: many on freebsd-stable@ (thread: "TCP Reassembly Issues")
Reviewed by: bz (very brief sanity check)
Approved by: re (kib)
Wire the kernel text RWX, rather than RX. We're not quite ready
for having kernel text non-writable, because we still need to
apply relocations. On top of that, the PBVM page table has all
pages marked as RWX, so it's an inconsistency to begin with.
Approved by: re (kib)
Fix a warning reported by arundel@.
Fix a bug where the parameter length of a supported address types
parameter is set to a wrong value if the kernel is built with
with either INET or INET6, but not both.
Approved by: re@
To limit amount of the kernel memory allocated, and to optimize the
iteration over the fdsets, kern_select() limits the length of the
fdsets copied in by the last valid file descriptor index. If any bit
is set in a mask above the limit, current implementation ignores the
filedescriptor, instead of returning EBADF.
Fix the issue by scanning the tails of fdset before entering the
select loop and returning EBADF if any bit above last valid
filedescriptor index is set. The performance impact of the additional
check is only imposed on the (somewhat) buggy applications that pass
bad file descriptors to select(2) or pselect(2).
PR: kern/155606, kern/162379
Approved by: re (bz)
- Add a DEVMETHOD_END alias for KOBJMETHOD_END so that along with 'driver_t'
and DEVMETHOD() we can fully hide the explicit mention of kobj(9) from
device drivers.
- Update the device driver examples to use DEVMETHOD_END.
Submitted by: jhb
Approved by: re (kib)
