Stable release: HardenedBSD-stable 11-STABLE v1000048.2

Submitted by op on

HardenedBSD-11-STABLE-v1100048.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • updated bsdgrep to 2.6.0 (2cf785f328f3ef2deff0a7d2626b8e1a81e725e7)
  • fixed possible pf DoS (f9ac1ee50cbb2e0b00a3254c9aaf012183e8aaa8)
  • fixed boundary checks in ipsec (d3f829dcedd1db79b00b6840265a0c34bc0b75a3)
  • workaround for AMD Ryzen chips (4571a19dd885caa3f20979daa951df05cb5664a2)
  • enhanced top(1) to filter on multiple usernames (964bec79a958438ada90533f5e21c31b1021cd9a)
  • updated private sqlite3-3.14.1 to sqlite3-3.20.0 (01424a180687a2ef7ed93cd10136c1648d332016)
  • updated subversion 1.9.5 -> 1.9.7 (73778e3432c90e9513caf636fb73b522690d6543)
  • fixed DoS in sshd (4268d8e71d9c42494826885f83f685b02b9353cc) [FreeBSD-SA-17:06.openssh]
  • updated libxo to 0.8.4 (24dec0b179f6eba6d055b33faf478d202bfb11ba)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-bootonly.iso) = 08d4e91cb0ec65f9cb9e42a51bc2edb91e7ef5289d84414b313a233d2664b0a03680781a0416e208f528e46fd090aa4c785ea1bf0b6018673861bbd6e890e86a
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-disc1.iso) = e28804ade774cafd0e7ef0322442df6bc062cfa5cb94161b5d148c2e94407ee393b1db8d682daf12162b8c03c428b48da4e78d59326b698c61de11de058a2068
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-memstick.img) = 2bd595b05d5ff18cb71dfd1e4c296aebbd44e43e310cf4d173a324044b74cec73bb74b43c73024c211b776efe53950563d1c54c3a28723c82f3763a1af4191fd
SHA512 (HardenedBSD-11-STABLE-v1100048.2-amd64-mini-memstick.img) = 02494988f613efd82f38bc0853af938b580d30e5f6b3f9a84bdd8022bfcb66d05de4e085af8373dca5d9e082084ca913efa641986a86bebbad819c1ec71b2577

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlmaOrsACgkQgZsRom/9
GI0kaw/+O1+EBRg1I4mdBMzj1ypeBt0G5/6+Q9RuS+653ylJZ1TLs3Z1aMB947So
9JdiTRl3tXTc18cjvu3HlZQa65eMM6Wumk+rVt0f9zct6iVzdpv2Mn+WmAsjKw4n
pMCsKYvtusqZv0DDrX4/A1rh/LMUjdtfoBoiiijPDqNGRQTzYJXLil0E7u0LkGNm
jURWG6SgLJpl2vcowf3mS9o5HcTYusZAOYOFZ0ny6YRvZuWQa+sa4GKfvpHY+dR8
8q46fQLcRpaMpZxFjHqoJAVB0d8cPDT1Czo2dE8g7JKn5fryjhbBNJ6Rz6EP4WqY
wuWQq3NqeTC/SClx0L0XrwBSO1pWeQ7DwvTbYsidAKAaQcMWehW80DsZzPcZj2Pg
O3CDeZTDOLN/2marNcEpFmAdUDxXhoTLhns5cg+7bwjAqhR0s3TBBdAfbUhceNnY
kTKBwsznoQT1873zEvu8sJlReEjU/VT+UNP/kAuQ4s342Tr4wLuneXCURnpaCThr
9kgpNeKNFNn1k2JDbUooLZ8VWOz7r0SpqN8CBKAvCezth2SsW0YH82whOSNb3Z14
nhQlI56kN+XeKjAl730D4DtW2RFA6+T10z+oKzDbGykkDtMj6JY7oDk3TRz+eTP2
YRgyeg9uM31r0xsi0a4WDF4IOdecsQalcozVHs1gZdDIXueX0r4=
=eCVi
-----END PGP SIGNATURE-----


Changelog:

Oliver Pinter + (48):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master


Shawn Webb (2):

  • Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
  • HBSD: Resolve merge conflict


ae (1):

  • MFC r322328: Make user supplied data checks a bit stricter.


avos (1):

  • MFC r322124: rfcomm_pppd.8: fix a typo (SPD -> SDP).


bapt (2):

  • MFC r321812:
  • MFC r313958, r319717, r321810


cy (2):

  • MFC r321605:
  • MFC r322113:


dchagin (2):

  • MFC r321460:
  • MFC r321839:


delphij (4):

  • MFC r321713:
  • MFC r320761:
  • Apply upstream fix:
  • MFC r322527:


dim (1):

  • MFC r321684:


ed (1):

  • MFC r321924:


emaste (6):

  • MFC r321734: bsdinstall: default to UEFI-only boot on arm64
  • MFC r215837: uart: add AX99100 chipset support
  • MFC r321298: acpidump: add ACPI NFIT (NVDIMM Firmware Interface Table)
  • MFC r304000 (maxim): acpidump: move variable initialization out of assert(3)
  • MFC r320736: acpidump: warn and exit loop on invalid subtable length
  • MFC r322356: Mark PROFILE option as broken when targetting mips64


gahr (1):

  • MFC r322139


gavin (1):

  • Merge r316113,316184,316413 from head: - Remove #define PCIS_SERIALBUS_SMBUS_PROGIF, unused since r200091 - Switch device_probe() from large case statement to a lookup table - Add several missing SMBus controllers


gjb (1):

  • Add an errata entry for ruptime(1), rwho(1), and rwhod(8), not included in the rcmds deprecation.


hselasky (29):

  • MFC r321722: Properly range check length of parsed information elements in RSU driver.
  • MFC r320773: Implement fix for BULK IN-token retry mechanism. When the hardware is programmed for infinite IN token retry after NAK, the SAF1761 hardware, however, does not retry the IN-token. This problem is described in the SAF1761 errata, section 18.1.1.
  • MFC r312526: Update firmware interface structures and definitions adding support for new features and commands.
  • MFC r312527: Add runtime support for modifying the SQ and RQ completion event moderation mode. The presence of this feature is indicated through the firmware capabilities.
  • MFC r312528: Make draining a sendqueue more robust.
  • MFC r312536: Allow transmit packet bufring in software to be disabled.
  • MFC r312537: Remove superfluous return statement.
  • MFC r312865: Enforce reading the consumer and producer counters once to ensure consistent return values from the mlx5e_sq_has_room_for() function. The two counters are incremented by different threads under different locks.
  • MFC r312872: Add support for reading advanced diagnostic counters.
  • MFC r312876: Use ffs() to scan for first bit instead of using a for() loop. Minor code refactor while at it.
  • MFC r312983: Make "desc" pointer non-constant inside the mlx5_core_diagnostics_entry structure. This fixes compilation with amd64-xtoolchain-gcc.
  • MFC r312877 and r312878: Minor code refactor as a preparation step for suprise removal of CX-4 PCI device(s), changes: - alloc_entry() now clears bit for page slot entry aswell - update of cmd->ent_arr[] is now under cmd->alloc_lock - complete command if alloc_entry() fails
  • MFC r312875: Make fw_pages statistics counter 64-bit to avoid overflow.
  • MFC r312880: Wait for all VFs pages to be reclaimed before closing EQ pages.
  • MFC r312879: Rename struct fw_page into struct mlx5_fw_page as a preparation step for adding busdma support.
  • MFC r312881: Add support for device surprise removal and other PCI errors.
  • MFC r312882, r321983 and r321984: Use the busdma API to allocate all DMA-able memory.
  • MFC r321985: Ticks are 32-bit in FreeBSD.
  • MFC r321986: Change reject message type when destroying cm_id in ibore.
  • MFC r321780: Make sure on-stack buffer is properly aligned.
  • MFC r321772: Fix broken usage of the mlx4_read_clock() function: - return value has too small width - cycle_t is unsigned and cannot be less than zero
  • MFC r321782: Remove some dead statistics related code and a structure field from the mlx4en driver which is used by its Linux counterpart, but not under FreeBSD.
  • MFC r322305: Increment queue drops in the network statistics when transmitted packets are dropped by the mlx4en(4) driver.
  • MFC r314878: Add support for constant pointer constructs to READ_ONCE() in the LinuxKPI. When the type of the argument is constant the temporary variable cannot be assigned after the barrier. Instead assign the temporary variable by initialization.
  • MFC r322304: Add support for RX and TX statistics when the mlx4en(4) PCI device is in VF or SRIOV mode typically in a virtual machine environment.
  • MFC r322306: Print maximum MTU when trying to set invalid MTU in the mlx4en(4) driver. Useful for debugging.
  • MFC r322248: Fix for mlx4en(4) to properly call m_defrag().
  • MFC r322251: Make sure the received IP header gets 32-bit aligned for short packets in the mlx5en(4) driver.
  • MFC r322250: Count drop events due to lack of PCI bandwidth as queue drops and not as input errors in the mlx5en(4) driver. This improves the sysadmin view of physical port errors.


jkim (1):

  • MFC: r322076


ken (3):

  • MFC r321622, r321623:
  • MFC r320991, r322016:
  • MFC r321502, r321714, r321733, r321737, r321799, r322364:


kevans (27):

  • MFC r313948: bsdgrep: fix EOF handling with --mmap
  • bsdgrep: treat rgrep as grep -r and install rgrep symlink
  • bsdgrep: Fix matching behavior and add regression tests
  • MFC r316750 (ngie): Fix expectations for testcases per bsdgrep vs gnu grep
  • MFC r316492: bsdgrep(1): Rip out "xmalloc" bits
  • MFC r316495: bsdgrep(1): Fix errors with invalid expressions
  • MFC r316542: bsdgrep: Handle special case of single-byte NUL pattern
  • bsdgrep: add -z/--null-data support and update NLS catalogs accordingly
  • bsdgrep: Revise tests based on recent fixes and future changes
  • MFC r317051: bsdgrep: remove output separators between overlapping segments
  • bsdgrep: Use implied working directory for -r if no directories are passed
  • MFC r303444 (ed): Call basename() in a portable way.
  • MFC r317254: bsdgrep: add BSD_GREP_FASTMATCH knob for built-in fastmatch
  • MFC r317665: bsdgrep: fix -w -v matching improperly with certain patterns
  • MFC r317678: bsdgrep: Add GNU compatible version string indicator
  • bsdgrep: fix escape map building when using TRE (BSD_GREP_FASTMATCH)
  • bsdgrep: fix -w flag matching with an empty pattern
  • MFC r317705: bsdgrep: avoid use of magic number for REG_NOSPEC
  • MFC r318004 (ngie): Remove expected failure that no longer fails with gnu grep in base
  • bsdgrep: Don't allow negative context flags, add more tests
  • bsdgrep: fix segfault with --mmap and add relevant test
  • MFC r318571: bsdgrep: emit more than MAX_LINE_MATCHES per line
  • MFC r318574: bsdgrep: Correct per-line line metadata printing
  • bsdgrep: fix build when linking against libgnuregex
  • MFC r318914: bsdgrep: correct assumptions to prepare for chunking
  • MFC r318916: bsdgrep: use safer sizeof() construct
  • bsdgrep: bump version number to 2.6.0 and update copyright information


kib (25):

  • MFC r321512: Mark name_PCTRIE_LOOKUP_LE() generated function unused.
  • MFC r321580: Move rtvals initialization out of the region protected by NFS node lock.
  • MFC r321581: Mark pages after EOF as clean after pageout.
  • MFC r321625: Make the number of children for pctrie node available outside subr_pctrie.c.
  • MFC r321627: Make it possible to request nosys logging to console.
  • MFC r321652: Simplify flow control.
  • MFC r321347: Account for lock recursion when transfering snaplock to the vnode lock in ffs_snapremove().
  • MFC r321348: Unlock correct lock in ffs_snapblkfree().
  • MFC r321349: Improve publication of the newly allocated snapdata.
  • MFC r321730: Remove unused symbols.
  • MFC r321919: Do not call trapsignal() after handling usermode fault or interrupt, when a signal is not intended to be sent.
  • MFC r321608: Use MFENCE to serialize RDTSC on non-Intel CPUs.
  • MFC r321607: Allow to specify targets by absolute paths in libmap.conf.
  • MFC r322050: Relax visibility for some termios symbols.
  • MFC r322059: Fix off by one in calculation of the number of buckets for the pc addresses.
  • MFC r322077: Provide more detailed specification for major(), minor() and makedev().
  • MFC r322171: Explain why delayed invalidation is not required in pmap_protect() and pmap_remove_pages().
  • MFC r322175: Avoid DI recursion when reclaim_pv_chunk() is called from pmap_advise() or pmap_remove().
  • MFC r322256: Fix logic error in the the assert, causing the condition to be always true.
  • MFC r322426: Fix indent.
  • MFC r322456: On i386 with CPUID but without SSE2, set lfence_works to LMB_NONE instead of looping.
  • MFC r322493: Remove confusion in the line explaining syntax of the msr read. Specify words order in the display.
  • MFC r322494: Style.
  • MFC r322550: Typo, the '-6' option selects inet6.
  • MFC r322427: Improve standard compliance for memset_s() and abort_handler_s().


kp (1):

  • MFC r322280: pf_get_sport(): Prevent possible endless loop when searching for an unused nat port


marius (4):

  • MFC: r319350, r321385, r321490, r321588, r321948
  • MFC: r321589
  • MFC: r322097, r322203
  • MFC: r322209


markj (8):

  • MFC r321744: Correct the predicates on which lockstat:::{thread,spin}-spin fire.
  • MFC r321805: Batch v_wire_count decrements in vm_hold_free_pages().
  • MFC r321803: Don't trace running threads that have interrupts disabled.
  • MFC r321884, r321896: Fix a witness assertion that fires when a lock type's class changes.
  • MFC r321843, r321843: Let lockstat use ksyms(4)'s mmap interface.
  • MFC r321847: Batch updates to v_wire_count when freeing page table pages on x86.
  • MFC r322383: Make vm_page_sunbusy() assert that the page is unlocked.
  • MFC r322391: Micro-optimize kmem_unback().


mav (12):

  • MFC r320555, r320576 (by allanjude): Add -s (serial) and -p (physpath) to diskinfo
  • MFC r320683: Add naive benchmark for SSDs in ZFS SLOG role.
  • MFC r320730: Report device descr in addition to ident.
  • MFC r321620: Fix singular/plural "users" output.
  • MFC r321606: adaasync(): Set ADA_STATE_WCACHE based on ADA_FLAG_CAN_WCACHE
  • MFC r321921: Add compat shim part missed at r305197.
  • MFC r321685: Fix IORDY bits definition.
  • MFC r321720, r321856: Attach ichwd(4) only to ISA bus of the LPC bridge.
  • MFC r321794: Improve FHA locality control for NFS read/write requests.
  • MFC r322302: Do not loose CCB flags after r320493.
  • MFC r322308: Add new Intel Lewisburg and Union Point chipset PCI IDs.
  • MFC r322309, r322316: Use "Ibex Peak" codename for "5 Series/3400 Series" chipsets.


mckusick (2):

  • MFC r321816: Avoid reading a snapshot block when it is already in the cache.
  • MFC r322178 Bug 198500 reports bad sysctl values for gjournal cache limit.


mm (1):

  • MFH r321674: Sync libarchive with vendor.


ngie (16):

  • MFC r320702,r320703:
  • Regenerate src.conf(5) per r322099
  • MFC r321951:
  • MFC r321915:
  • MFC r321845:
  • MFC r321849,r321852:
  • MFC r321851:
  • MFC r322023:
  • MFC r321949,r321950,r322101:
  • MFC r322445:
  • MFC r321080:
  • MFC r321954:
  • MFC r321081:
  • MFC r321947:
  • MFC r321959:
  • MFC r305626,r305629,r307863,r322447,r322448,r322449,r322450,r322451:


peter (2):

  • MFC: r322380 Update subversion 1.9.5 -> 1.9.7
  • MFC: r322386 Update private sqlite3-3.14.1 to sqlite3-3.20.0.


pfg (4):

  • MFC r321838: sys/net8021: Add missing braces in setcurchan().
  • MFC r322368, r322371: fnmatch(3): improve POSIX conformance.
  • MFC r316341, r317779, r319071, r319077, r319557, r319558, r319827, r319829:
  • MFC r320145: ext2fs: Add uninit_bg feature support.


phil (1):

  • Import libxo-0.8.4 from HEAD into stable/11


se (1):

  • MFC 321858: Add alternate Turkish keyboard layout F, submitted by Ufur Guler. MFC 321859: While here, adjust a few file and path names in comments.


sephe (7):

  • MFC 321762 hyperv: Add VF bringup scripts and devd rules.
  • MFC 321836,321837
  • MFC 321965 hyperv/kvp: Use proper size macro for adapter id.
  • MFC 322299
  • MFC 322323 by jkim
  • MFC 322483,322485-322487
  • MFC 322488 hyperv: Update copyright for the files changed in 2017


trasz (11):

  • MFC r318182:
  • MFC r318444:
  • MFC r319499:
  • MFC r319775:
  • MFC r319774:
  • MFC r319798:
  • MFC r320671:
  • MFC r321327:
  • MFC r321328:
  • MFC r321329:
  • MFC r321368:


truckman (1):

  • MFC r321899