Stable release: HardenedBSD-stable 10-STABLE v1000048.1

HardenedBSD-10-STABLE-v1000048.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

Changed version from 10.3 to 10.4 - as preparation to 10.4-RELEASE per upstream (054e15f186105f319d8373002c677ecce2d95883)
bmake update to 20170720
HBSD MFC: Restrict permissions on /dev/ksyms to 0400 (5cdd8540724c092c703e9473578ea21cb1473d0a) [FreeBSD-SA-Candidate]
Merge MAP_GUARD. (3753ee3ec3e123ae4b62be3b19aaf09bf2e2ef59) [FreeBSD-SA-Candidate, CVE-2017-1084)
NFS fixes
libarchive update to 3.3.2
Add newsyslog capability to write RFC5424 compliant rotation message. (26c6cd37ceae365b6aa9f3203b932d29ad2be3fb)
MFC r302145: bsdinstall: increase EFI partition size to 200MB (48ce3b4e3aea30b479095da20d7f04ed723e8451)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-bootonly.iso) = d4f1f2b4f9007b4cf0e50641cb86fc3799855066ecafe5bf896f5411a7450d266f1a811528ce6262dda4a63024a3d6c81e5e4482f120ba0840881e07feb8a8ab SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-disc1.iso) = ab1b008129a3c165e1ae79a964d6361cd4aea9dc6ab912d2e3626817f300830cb0faa828a4931aafcffa751d8413b523050f5ac12d6f5ffb0a057242fd070422 SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-memstick.img) = b85691c6bf31cc211801575f9ad4936fc7f4600d1a193267b1a4b4878c163b661c5ec32c9e036c752e00f712903a6a0c97b43c34debb1b8fe484d6f01b52a0ff SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-mini-memstick.img) = e178cece948740c23c5894622e2a995179875011aa607447073d645989c2382adcc61d12fc2e8d5f506e36839660babde027aa7f4ed660bed671fc856caefcc9 SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-bootonly.iso) = f78a4c2ddb262458f40a83d5735b6bbb5a85c0ece5906ec9185bdcce32d41632f5e158c2529c3d62748fe59a57097d66d1f58de90a65cd0aec69120a077c1c59 SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-disc1.iso) = 44f4da7c72bc51f9599cf7cbc158ddcb395df83ad59a610c50663222019b00f8cf7ea0c1fa76e4802d99b13917e4e4bca2533543cd3f26821a4b85f99fd8ad82 SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-memstick.img) = 48f6143b9feb2be99642a04318b3ad2109f3443d39e40469cc71e997562b20373d907fcf179da741b39afc41f0f49eb6cd6192d381c98420fc8a4c9404303158 SHA512 (HardenedBSD-10-STABLE-v1000048.1-amd64-uefi-mini-memstick.img) = c27696bb133ab801e5308665c83db85c56d7ed9ed02e14beae26b795b0f519ec9dbc435d3b6486eb487456f4eb5ffc06b2a349451ed3a2a0745ac3dff3383b32

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmDyJkACgkQgZsRom/9
GI3WoQ//WC6e0VabjAoPu0im2AuICUnoa+vMAE3NcqZisact/TfCiTHNhQ//KYMU
+ZeTrQ+dJ1ktpj8/Z8kHeF6Y8qIAlvs4Z55lPUxgfLfntvW7+E8KW5Vr4Hx6EH9f
RhmYmcCBioghIWRprQ64dlqPEz4oE/xCt5wEC9IiPc+iejI1IpMwCbjGx89kdHqV
fL9CmV4sVDttWei2kvwlHhlyrJWcpIq5MYWnuQEVt3R9iyrpMEWdSSpubTVUnBjJ
1RxYQq9jVntPmrAdHsvUnrr1DqlOVWgAQr1G5uqYzADNjBlZ1wPlfJzbOgwAAvlK
z6oJ07NFcSYeXabNTLkrNb8qDPLQLfFsPE9/lhZn9tcmQ+OUYLOXRTtBJHNndvhX
O0tEdYn9XkTEdIOKkgbl4UF/sjgJJ8iq/kjrTWzAfejdeaM/ovcVR0xTNXP2Zbyk
xXDVRhgrQDGiLmIClgvzd7ptXXFuR/i2qhY5xe3e/iOVbwIPzlqdzlgehtrWEzz1
jRRajL0hxO7Vghw4jImfKD0vNaPZMXEnQGkx5mZgbJ/CpbZJoh0To2qiEgPwkUDa
aTjw5aVrzEaCp6BVl5eQG8cnxIzdiOgvArH7vYHxjIAsoxoyJ0BjijvM4by/DafP
jOrYAkGJ4I6K6bUQPXlnMAeBrlGIAtBTHJVMwcq8KgaHeOAcMe0=
=K2/O
-----END PGP SIGNATURE-----

Changelog: Oliver Pinter (4):

HBSD MFC: Restrict permissions on /dev/ksyms to 0400.
HBSD MFC: Fix style bugs in ksyms.c.
Merge remote-tracking branch 'origin/freebsd/10-stable/master' into hardened/10-stable/master
HBSD: fix merge conflict after MAP_GUARD backport (3753ee3ec3e123ae4b62be3b19aaf09bf2e2ef59)

Oliver Pinter + (46):

Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master

Shawn Webb (1):

Merge remote-tracking branch 'origin/freebsd/10-stable/master' into hardened/10-stable/master

ae (1):

MFC r321203: Add HPE FlexFabric 10Gb 4-port 536FLR-T device id to the bxe(4) driver.

alc (6):

MFC r320498 Clear the MAP_WIREFUTURE flag on the vm map in exec_new_vmspace() when it recycles the current vm space. Otherwise, an mlockall(MCL_FUTURE) could still be in effect on the process after an execve(2), which violates the specification for mlockall(2).
MFC r315621 Use IDX_TO_OFF(), not ptoa(), when converting the difference between two vm_pindex_t's into a vm_ooffset_t.
MFC r320546 When "force" is specified to pmap_invalidate_cache_range(), the given start address is not required to be page aligned. However, the loop within pmap_invalidate_cache_range() that performs the actual cache line invalidations requires that the starting address be truncated to a multiple of the cache line size. This change corrects an error in that truncation.
MFC r319756 Style and comment fixes
MFC r319905
MFC r320077 Change blist_alloc()'s allocation policy from first-fit to next-fit so that disk writes are more likely to be sequential. This change is beneficial on both the solid state and mechanical disks that I've tested. (A similar change in allocation policy was made by DragonFly BSD in 2013 to speed up Poudriere with "stressful memory parameters".)

asomers (7):

MFC r319854:
MFC r320163:
MFC r320165-r320166
Clarify usage of aio(4) with kqueue(2)
MFC r320269:
MFC r320737, r320914
MFC r320807:

avos (1):

MFC r321401: net80211: do not allow to unload rate control module if it is still in use.

bapt (1):

MFC r320988:

bdrewery (1):

MFC r320273:

cy (1):

MFC r321605:

davidcs (3):

MFC 320694 Allow MTU changes without ifconfig down/up
MFC 320705 Release mtx hw_lock before calling pause() in qla_stop() and qla_error_recovery()
MFC 321233 Raise the watchdog timer interval to 2 ticks, there by guaranteeing that it fires between 1ms and 2ms. ` Treat two consecutive occurrences of Heartbeat failures as a legitimate Heartbeat failure

dchagin (15):

MFC r281829 (by trasz@):
MFC r281882(by trasz@):
MFC r292744:
MFC r293907 (glebius@) partially:
MFC r293908:
Temporarily r284696:
MFC r272823:
Regen after r321017. Move the SCTP syscalls to netinet with the rest of the SCTP code.
MFC r284613 (by tuexen@):
MFC r281436 (by mjg@):
MFC r281437 (by mjg@):
MFC r296503:
MFC r297597 (by bapt@):
MFC r298071 (by pfg@):
MFC r305994 (by emaste@):

delphij (5):

MFC r320986:
MFC r320433:
MFC r320468:
MFC r321713:
MFC r320761:

dim (2):

Pull in r229281 from upstream libc++ (by Larisse Voufo):
MFC r321305:

emaste (6):

MFC r319890: Correct bitwise test in mac_bsdextended ugidfw_rule_valid()
MFC r303043: Increase vt(4) framebuffer maximum size
MFC r313547, r313777: fix mouse selection when vt(4) scrolls
MFC r302145: bsdinstall: increase EFI partition size to 200MB
MFC r321218: zfs: Fix a typo in the delay_min_dirty_percent sysctl description
MFC r321436: ar: handle partial writes from archive_write_data

gavin (1):

Merge r316113,316184,316413 from head: - Remove #define PCIS_SERIALBUS_SMBUS_PROGIF, unused since r200091 - Switch device_probe() from large case statement to a lookup table - Add several missing SMBus controllers

gjb (2):

Document SA-17:05.heimdal, EN-17:06.hyperv
MFC r320969: Fix a missing comment marker.

hselasky (11):

MFC r320876: Make sure the mlx4en RX DMA ring gets stamped with software ownership in order to prevent the flow of QP to error in the firmware once UPDATE_QP is called.
MFC r321722: Properly range check length of parsed information elements in RSU driver.
MFC r312526: Update firmware interface structures and definitions adding support for new features and commands.
MFC r312527: Add runtime support for modifying the SQ and RQ completion event moderation mode. The presence of this feature is indicated through the firmware capabilities.
MFC r312528: Make draining a sendqueue more robust.
MFC r312536: Allow transmit packet bufring in software to be disabled.
MFC r312537: Remove superfluous return statement.
MFC r312865: Enforce reading the consumer and producer counters once to ensure consistent return values from the mlx5e_sq_has_room_for() function. The two counters are incremented by different threads under different locks.
MFC r312872: Add support for reading advanced diagnostic counters.
MFC r312876: Use ffs() to scan for first bit instead of using a for() loop. Minor code refactor while at it.
MFC r312983: Make "desc" pointer non-constant inside the mlx5_core_diagnostics_entry structure. This fixes compilation with amd64-xtoolchain-gcc.

jhb (1):

Add deprecation notices for various device drivers removed in 12.0.

ken (2):

MFC r321207: ------------------------------------------------------------------------ r321207 | ken | 2017-07-19 09:39:01 -0600 (Wed, 19 Jul 2017) | 14 lines
MFC r321622, r321623:

kib (6):

MFC r320755,r320762,r320893: BIT_FLS(9).
MFC r320804: Fix handling of one more possible exception on return to usermode.
MFC r320472,r320508,r320509: Make stdio deferred cancel-safe.
MFC r321371: Do not allocate struct kinfo_vmobject on stack.
Merge MAP_GUARD.
Restore layout of struct vm_map_entry after r321717, same as was done in r320889 for stable/11.

marius (3):

Update stable/10 from 10.3-STABLE to 10.4-PRERELEASE as part of the 10.4 release cycle, also belatedly marking the official start of the code slush.
MFC: r281733, r298033, r301131
Apply the other half of merges to sdhci_imx(4) and sdhci_fsl(4) that somehow stayed local when committing r318198, probably due to the associated tree conflicts.

markj (2):

MFC r321639: Restrict permissions on /dev/ksyms to 0400.
MFC r321640: Fix style bugs in ksyms.c.

mav (1):

MFC r320729: Add GEOM::descr attribute for symmetry with GEOM::ident.

mm (1):

MFC r320927,320931,320932: Bump libarchive to 3.3.2

ngie (68):

MFC r318325:
MFC r319834,r319841,r320723,r320724:
MFC r319928:
MFC r319857:
MFC r319857:
MFC r319856,r320172,r320173:
MFC r319846:
MFC r319836:
MFC r307873,r314397,r314399,r314419,r314420,r314533,r316553:
MFC r279992,r280149,r280193,r288223,r288484,r321109:
MFC r316557:
MFC r316549,r316550,r316551,r316554:
MFC r316558:
MFC r318705:
MFC r319844,r319845:
MFC r318695:
MFC r319842:
MFC r268030,r268793,r303212,r319642,r319830:
MFC r319850:
MFC r318255:
MFC r319800,r319806:
MFC r302500,r319339,r319543,r319544,r319551,r321138:
MFC r316552,r319662:
MFC r319048,r319049,r319051,r319054:
MFC r318718,r318719,r318720,r318721:
MFC r318710:
MFC r318704,r318708,r318709:
MFC r318280:
MFC r318707:
MFC r318703:
MFC r318712:
MFC r318706:
MFC r318702:
MFC r319026:
MFC r318693,r318694:
MFC r318722:
MFC r318723:
MFC r312521,r313397:
Relnotes: yes (subtle output/behavior change)
MFC r316602:
MFC r316600:
MFC r316601:
MFC r308160,r309194,r309216:
MFC r304570,r321235:
MFC r308139,r308157,r308158:
MFC r310329: r310329 (by cem):
MFC r269550: r269550 (by peter):
MFC r269550: r269550 (by peter):
MFC note: content changes of r317315 were reversed. .Dd is being updated for diff reduction purposes.
MFC note: only the newsyslog.conf.d change has been backported to unbreak "make distribution" with etc/newsyslog.conf.d/opensm.conf installation. The cron.d and syslog.d changes were omitted by request to avoid churn on ^/stable/{10,11}. Requested by: jhb, peter
MFC r320135:
MFC r318960,r319545,r319546,r319548,r321261:
MFC r316102:
MFC r314653:
MFC r314654:
MFC r314479:
MFC r314454,r314455:
MFC r314475:
MFC r278329:
MFC r290570:
MFC r321240:
MFC r290605,r290606:
MFC r320445:
MFC r320446:
MFC r320443,r320444:
MFC r320441:
MFC Note: ${FILES} documentation change omitted since r299094 will not be MFCed to ^/stable/10 .
MFC r320491:

pfg (1):

MFC r320990, r321011:

philip (1):

MFC r320941: Fix GRE over IPv6 tunnels with IPFW

rmacklem (5):

MFC: r320345 Add support to the NFSv4.1/pNFS client for commits through the DS.
MFC: r320458 Fix an NFSv3 client case that probably never happens.
MFC: r320659 Add a Bugs section that indicates that the nfsuserd doesn't work when jails are being used on the system. It is hoped that the patches in PR#205193 will someday get tested/debugged so that they can be MFC'd to fix this.
MFC: r321248 Update the nfsv4 man page to reflect recent changes to support the newer RFCs (5661 and 7530). The main man changes are for the case of "numbers in strings" for user/groups that RFC7530 allows and avoids use of nfsuserd(8).
MFC: r321314 r320062 introduced a bug when doing NFSv4.1 mounts against some non-FreeBSD servers.

sephe (5):

MFC 321286
MFC 321406
MFC 321407
MFC 321408
MFC 321409

sjg (1):

MFC bmake-20170720

trasz (1):

MFC r320359:

HardenedBSD

Stable release: HardenedBSD-stable 10-STABLE v1000048.1

Donate to HardenedBSD

2021 Donation Status

Links

Donate to HardenedBSD

2021 Donation Status

Search form

Links