Stable release: HardenedBSD-stable 10-STABLE v1000050

HardenedBSD-10-STABLE-v1000050 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security and feature update! Recompilation or updating of secadm is required.

Highlights:

Update wpa_supplicant/hostapd for 2017-01 vulnerability release. (7aec04ba0072726d6bfd78bd999ad560d9780f9e) [FreeBSD-SA-17:07]
Libarchive update (a8e62bf6379d818c85773fb747b79c05929632b5) [FreeBSD-SA-Candidate]
hyperv updates
ZFS updates
hbsd-update improvements
HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1)
HBSD MFC: netsmb: Fix buggy/racy smb_strdupin()
HBSD: add kernel side of hbsdcontrol (ddf19424710e7ff34a9e82794c65b35543248941) [see UPDATING-HardenedBSD in src repo]
HBSD: fix a possible "time of check to time of use" attack (bfdb3e6118e66e95bb1e823201898dedc3b38701)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-bootonly.iso) = 966d3a6957976544c04e9e2200bc5717bc9771d1e4f76dd9005c8ac8936c07bf4245afc0118947d47010d16c7f7c244c8bec23e181839056c1549f1c7f2656ec SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-disc1.iso) = c25eda9ec2eb046f41003d8146aefc734efb2987286c7ee53cc81c8e9de03e63809f8b626c7ea8cb451ad1fac7ed2d006a2266b99e10c59cfc7f55678eb45871 SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-memstick.img) = e9414353ad4d08f68aa8c7f85711772ccfc79b00c4dffad2d6c291d3f94ff3748058bd40c9d6a1d1b97fb16369fc855b776486bfee51eaff77e96005813a9b0d SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-mini-memstick.img) = c05aba86caa6e2f071aacc9fe602f5a5e20d6cf0ba4542ace41e3b9c79d69c1afc87b65d3cc09f1787042eb4cf8023e1295dc8bae475e6074331d7299e2acce6 SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-bootonly.iso) = 5a305a274714fd140c4501769b48c46518b59b745bf24814e91028a192f23a086a9777776a82f10e8ab94a450720009fc46b7f89be62fce46ddec729d1c4722e SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-disc1.iso) = 2c4a384385e74a578cb3c4b78caebb32979628c6c40ae23b43ce4931efd764f72c46184d7815837a1516e71d45614250caea6d3d58c3fd782c31926fc004bab2 SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-memstick.img) = de41b6916229ff61eb367b0dd771ca0a27451633706edcdedeab56b17483f146b36c60436e4775436e2ef054a73db0e9bd8f2a5810f9510277c9dfc60e9f7f68 SHA512 (HardenedBSD-10-STABLE-v1000050-amd64-uefi-mini-memstick.img) = f992a82ff485e4e0604f0240ed6a9e9f57d27399eacebc665cc4348dc6a8b7fb21e5bfbe5b66bf59267ab967e72cbb4793452fca9d944cc853a649b1d3e05c55

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlntQTQACgkQgZsRom/9
GI1ULBAA3FnfoSHEEkpBtoMZhT/zaoYAkHZK701M/LcCMK5Gr/UnejfvCLAn8Pgd
s9tf2fjr0W9XwYlqrh9lq3pW0QERc9myMScixlLSgXlDLXKgRVTDsMSbHxwE/FWM
vVEzyS1RzKhs2SfnhytPyRpBXsKC8W8UnlvcaK2N7OE0CosauAimQgnuoP9pw52G
oaS7s1phwaeHANz4TNilnlNL9/I8S/ljxZHCg8mS9qAbGlKi8Limxj3W1OAE5q2v
cPi67fOE7hhABkj0eVZu9erLKwgD6o7IDfVRTFyduCBOdpmk9MFOfcbxWjrvxI4P
FJYGF2Hbbbr6SkFqqvh/nf2MjUBJbc61IHSwLyoYWebu6Jxui02Cq428brei24pH
1ycbCic7jsTApaBfXodr2vCbrCzkCAgzpWQTAO3I0IXXoTjfDGGGfR4MvRQ8eVP7
VEENGFGcNhYIZOftK/8vJgIafCgwRJNv6KKAwzCJVTGi2PIrMyb2Pm7nGeQeokKN
YvwLCfM8ZzjCEwUv/tyZqb+wxo86hwOGw3n5HIBYFycrapLlpDxuKnexCBQbcZj+
DStCVYZKqj8qGjFoQcV+rF5woBW9uO+loulVCIKEOC1eCrstWDi3xQ7NC9xhpXMr
SjbPQrspbu5Oam39mLVxBNb2j5X40uU4BMyNCsDpvA0/sU6iiwU=
=ZVYc
-----END PGP SIGNATURE-----

Changelog: Oliver Pinter (16):

Merge remote-tracking branch 'origin/freebsd/10-stable/master' into hardened/10-stable/master
HBSD: resolve merge conflict in rtld.c after af2751ed9fdfb8d9efe2f9b32ccb402ab5f94756
HBSD: resolve merge conflict in release/Makefile after a3c81b6ad82652cfa97c5a0a84cd99c1ed1a0cae
HBSD: resolve merge conflict in release/Makefile after a3c81b6ad82652cfa97c5a0a84cd99c1ed1a0cae - part II.
HBSD: fix a possible "time of check to time of use" attack
HBSD: allow to override hbsdcontrol settings with ACLs
HBSD: add kernel side of hbsdcontrol
HBSD: log PREFER_ACL (EXPLICIT_ACL) in pax_logs
HBSD: after the recent changes, bump by copyright years
HBSD: add hbsdcontrol.sh as demonstration tool to examples directory
HBSD: bump __HardenedBSD_version to 1000050 after hbsdcontrol merge
HBSD: extend the UPDATING-HardenedBSD about the new kernel knobs
HBSD: improve log message in execve
HBSD MFC: netsmb: Fix buggy/racy smb_strdupin()
HBSD MFC: Correct sense of crypt(3) NULL checks in init(8) and lock(1)
HBSD MFC r324225: ppp(8): Fix various bugs in NOPAM section of auth_CheckPassw2

Oliver Pinter + (50):

Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master

Shawn Webb (5):

HBSD: Teach hbsd-update to populate chroots.
HBSD: Use the local resolver by default
HBSD: Teach hbsd-update to not download updates
HBSD: Teach hbsd-update to not update base
HBSD: Do not default to using the local resolver

avg (27):

MFC r319212: fix indentation
MFC r319746,r319747,r319769: 8269 dtrace stddev aggregation is normalized incorrectly
MFV r318962: Allow PROBE_SPINUP to fail in CAM ATA transport
MFV r320195: bhyveload: correctly query size of disks
MFC r320266: jedec_ts: add support for devices manufactured by IDT
MFC r320151: remove bogus declaration of malloc from tcp_wrappers
MFC r320352: zfs: port vdev_file part of illumos change 3306
MFC r321471: spa_import_rootpool should be able to handle an imported root pool
MFC r322228: MFV r322227: 8377 Panic in bookmark deletion
MFC r322241: MFV r322240: 8491 uberblock on-disk padding to reserve space for smoothly merging zpool checkpoint & MMP in ZFS
MFC r323482: zfs_ctldir: remove obsolete / bogus ARGSUSED lint directives
MFC r323540: jedec_ts: add many more devices from various vendors
MFC r323479,r323491: zfs: tighten debug versions of ZTOV and VTOZ
MFC r323480: zfs_get_vfs: reference a requested filesystem instead of vfs_busy-ing it
MFC r323522: slightly simplify zfs_vptocnp
MFC r323918: MFV r323917: 8648 Fix range locking in ZIL commit codepath
MFC r323481: zfsvfs_hold: assert that the busied filesystem can not be unmounted
MFC r323483: zfsctl_snapdir_lookup should be able to handle an uncovered vnode
MFC r323791: MFV r323790: 8567 Inconsistent return value in zpool_read_label
MFC r323578,r323769: dounmount: do not release the mount point's reference on the covered vnode
MFC r323524: MFV r316932: 6280 libzfs: unshare_one() could fail with EZFS_SHARENFSFAILED
MFC r323525: MFV r323523: 8331 zfs_unshare returns wrong error code for smb unshare failure
MFC r323528: MFV r323527: 5815 libzpool's panic function doesn't set global panicstr
MFC r323612: gmirror: treat ENXIO as disk disconnect, not media error
MFC r324309: remove heuristic error detection from ddi_strto*()
MFC r324312: fix the misleading log facility used in devd/zfs.conf
MFC r324311: sysctl-s in a module should be accessible only when the module is initialized

avos (1):

MFC r324672: ifnet(9): split ifc_alloc_unit() (should simplify code flow)

bapt (1):

MFC r323160:

brooks (3):

MFC r324243:
MFC r320999:
MFC r321256:

cy (5):

MFC r322112:
MFC r323478:
MFC r323715:
MFC r323945 and 323962
MFC r324249, 324260, and 324277

davidcs (7):

MFC r323781 Update minidump template for version 5.4.66
MFC r323782 Add sysctl "enable_minidump" to turn on/off automatic minidump retrieval
MFC r323824 1. ql_hw.c: In ql_hw_send() return EINVAL when TSO framelength exceeds max supported length by HW.(davidcs) 2. ql_os.c: In qla_send() call bus_dmamap_unload before freeing mbuf or recreating dmmamap.(davidcs) In qla_fp_taskqueue() Add additional checks for IFF_DRV_RUNNING Fix qla_clear_tx_buf() call bus_dmamap_sync() before freeing mbuf.
MFC r324026 Fix delete all multicast addresses
MFC r324065 Tx Ring Shadow Consumer Index Register needs to be cleared prior to passing it's physical address to the FW during Tx Create Context.
MFC r324535 Add sanity checks in ql_hw_send() qla_send() to ensure that empty slots in Tx Ring map to empty slot in Tx_buf array before Transmits. If the checks fail further Transmission on that Tx Ring is prevented.
MFC r324538 Added support driver state capture/retrieval

dteske (1):

MFC SVN r295342-295344

emaste (2):

MFC r324594: truss: mention 'H' in usage
MFC r324595: ANSIfy vm_kern.c

eugen (1):

MFC r323873, r324081: Unprotected modification of ng_iface(4) private data leads to kernel panic. Fix a race with per-node read-mostly lock and refcounting for a hook.

gjb (4):

- Prune stale entries from 10.3-RELEASE. - Prune entries from errata.xml and security.xml. - Update versions to reflect 10.4-RELEASE.
MFC r323812: Bootstrap etcupdate(8) and mergemaster(8) databases when creating virtual machine images and embedded images, similar to what is done when extracting base.txz to the target root filesystem in a new installation.
MFC r323924: Revert r323812 from release/tools/arm.subr, which has broken the build on arm/armv6 images.
Fix a path in a Subversion example. While here, recommend https.

gordon (1):

Update wpa_supplicant/hostapd for 2017-01 vulnerability release.

hselasky (7):

MFC r322530 and r323220: Add new USB quirk(s).
MFC r324202: Make sure the doorbell lock is valid for the i386 version of the mlx5en(4) driver.
MFC r315405, r323351 and r323364: Add helper function similar to ip_dev_find() to the LinuxKPI to lookup a network device by its IPv6 address in the given VNET.
MFC r315404: Add basic support for VIMAGE to the LinuxKPI and ibcore.
MFC r289568, r300676, r300677, r300719, r300720 and r300721: Implement LinuxKPI module parameters as SYSCTLs.
MFC r323916: Extend sysctl description for hw.usb.disable_enumeration .
MFC r324445: When showing the sleepqueues from the in-kernel debugger, properly dump all the sleepqueues and not just the first one

jhb (7):

MFC 322270: Fix a NULL pointer dereference in mly_user_command().
MFC 323025: Read max_stack_flags from correct object.
MFC 323631: Add an -a flag to getconf.
MFC 323994: Log signal number passed to PT_STEP requests in KTR_PTRACE traces.
MFC 324072: Add UMA_ALIGNOF().
MFC 324073: Use UMA_ALIGNOF() for name cache UMA zones.
MFC 324039: Don't defer wakeup()s for completed journal workitems.

jkim (1):

MFC: r323840

kp (1):

MFC r323864

marius (7):

MFC: r322669
Unbreak netmap(4) support in ixgbe(4) after r315333: - Both ixgbe_netmap.c and ixv_netmap.c assumed a netmap(4) driver newer than what's actually in stable/10. - Additionally, at the bottom line ixv_netmap.c did exactly the same as ixgbe_netmap.c, i. e. used IXGBE_TDH() as appropriate for PFs only instead of IXGBE_VFTDH() and tried to configure CRC stripping although the corresponding registers aren't available to VFs in the first place.
MFC: r320916
MFC: r275751
MFC: r285215
- Akin r302691 in head, synchronize the build stripping for the disc1 image with that of the bootonly image (but similarly modulo games and groff(1)) as the amd64 disc1 image is overflowing. This also removes the defunct WITHOUT_ATF. - Remove the misspelled WITHOUT_INSTALLIB (also in place with correct spelling, i. e. WITHOUT_INSTALLLIB) from the bootonly image build stripping.
Now that 10.4-RELEASE is out, move stable/10 back to STABLE.

mckusick (1):

MFC of 324456.

mm (1):

MFH r324148: Sync libarchive with vendor.

ngie (12):

MFC r321845:
MFC r322441:
MFC r314601: r314601 (by des):
MFC r322951:
MFC r321952:
Regenerate src.conf(5) per r324140
MFC r322635:
Revert r324132
MFC r322951:
MFC note: MK_LIBSOFT doesn't apply to ^/stable/10 .
MFC r324478:
MFC r324497:

pfg (1):

MFC r322368, r322371: fnmatch(3): improve POSIX conformance.

rmacklem (3):

MFC: r323689 Fix bogus FREAD with NFSV4OPEN_ACCESSREAD. No functional change.
MFC: r323978 Change a panic to an error return.
MFC: r324074 Fix a memory leak that occurred in the pNFS client.

sephe (13):

MFC 322488
MFC 323170
MFC 323175
MFC 323176
MFC 323727,324316
MFC 323728,323729
MFC 324048
MFC 324049,324077
MFC 324050
MFC 324487
MFC 324488
MFC 324489,324516
MFC 324517

Uploads:

shortlog-HardenedBSD-10-STABLE-v1000050.txt

CHECKSUM.SHA512.txt

CHECKSUM.SHA512.asc_.txt

HardenedBSD

Stable release: HardenedBSD-stable 10-STABLE v1000050

Uploads:

Donate to HardenedBSD

2021 Donation Status

Links

Uploads:

Donate to HardenedBSD

2021 Donation Status

Search form

Links