New stable release: HardenedBSD-stable 11-STABLE v46.10

HardenedBSD-11-STABLE-v46.10 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update

Highlights:

  • Update ntpd to 4.2.8p9 (db75d5027e10e6a41b54cb66e21f2fe7480a1618) [FreeBSD-SA-Candidate]
  • Initialize reserved bytes in struct mq_attr (a0c278e1ff9e12b0d2716d96eab8499cd124918b) [FreeBSD-SA-Candidate]
  • Increase the max allowed size of the microcode update blob for x86. (01d99faedd3455353cd536056c4aeb3f97086cc0)
  • HyperV updates
  • ZFS updates
  • VM updates
  • tzdata update

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-bootonly.iso) = b044feffd705ac9aa12f5c9fb9a6c3696353dddfe5bf398968b2cadb02e086b964c2010736232d10c08087ee9ff0f86658415a3d401d1d3f8ea5424f06b33060
SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-disc1.iso) = 35d96229be27bcd1c538875becbf9078b5d727657ebac0584799e1a45c791ab9f013837ab4177415477bd4cca599fa657176267407b464b46dd693a075a647a2
SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-memstick.img) = 61f92489daab8c6eb5cbb6d9ee31a040f1603b55a26d3049cda9507e9c374dcfb7fb83e876cdf9f07fb93966a5565dd50b14d95357d9687541d3782c4562b88e
SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-mini-memstick.img) = 0364d36957814afa094d19603c30839c7caed783254e8f1b5de4b893493641386370f678a0c9ce8321be0b5be260c5bc231db55c73f401c2469e29a83366892f

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlg2BSYACgkQgZsRom/9
GI0wnxAAwmJq7LA9WSfSUQixeHqGCXcu6XyoxZJbvluKdbZsacFZYjd4G/wYGYQx
YKZ3ShHTzJIJAbpPg0a2OfNDMtFa20YX/mhcU3/qW9gZMzKMVdO4lAMYFokAQQDL
GCvtzh4QY+XRDhbI3RXr16bYsOSFSjDci7mX1RBui+U3ER7pzcymPuOO8703Rewh
+pffiHSlFragITJo8PDZMLwFwWeq4G92g1YODmrADYzxPDuBF9+ax8Ysgq4nzqPr
mdg/JyLRpz/WE1XSsGuZB6r5yi5CV/XLJb9mBnLXRQyRvHe+zMqO3uvLr1mdcIZV
/TTleLL32FVQXf2+UXfs6w8qy4kqUZT6kLUecV1dixc6HXk4YGkrKLrahKKQWe/Q
lxUo6JhMxQbQCZJY18gDEMiH4kpSmb161BXAjmWHon2vhqCkLnOYxo1tbrEDof6i
Ndz8F9C5MsuZg9a5cnwxKW7xWE0dV7rjMxLQ1dooil1MVRY0Ap7jO3HsyuHiZskU
m+YObvCMHTFbuX/Qrag/f1t6Q1sWvaUSL0o7l2hRS2XSPnaKE1IomPK1i0oJtIKE
DE3Hg6ydL5zQOzkOoC3Gs092Y/RATfw/7SRdwtFrPt+zmFnzK581VFLfqMyvY3lT
Pg3niuMPETIbpWiVcGJGYuFSew/52FCFbHisrMX/367XPThQqww=
=AM8E
-----END PGP SIGNATURE-----


Changelog:

Oliver Pinter + (47):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master


ae (2):

  • MFC r308358: Initialize ip6 pointer before use.
  • MFC r308673: Add missing support of named lookup tables to the IPv6 code.


alc (2):

  • MFC r308096, r308098, r308112 With one exception, "hardfault" is used like a "bool". Change that exception and make it a "bool".
  • MFC r308174, r308261 Move and revise a comment about the relation between the object's paging- in-progress count and the vnode. Prior to r188331, we always acquired the vnode lock before incrementing the object's paging-in-progress count. Now, we increment it before attempting to acquire the vnode lock with LK_NOWAIT, but we never sleep acquiring the vnode lock while we have the count incremented.


asomers (2):

  • MFC r307752
  • MFC r307584


avg (12):

  • MFC r307182,307191,307192: rc.d/zfsbe: new script designed for BE support
  • MFC r307994: 3746 ZRLs are racy
  • MFC r307348: aibs / atk0110: add support for querying sensors via GGRP and GITM
  • MFC r307768: jedec_ts: a driver for thermal sensors on memory modules
  • MFC r307903,307904,308039,308050: vmm/svm: iopm_bitmap and msr_bitmap must be contiguous in physical memory
  • MFC r308225: dev/cpuctl: put debug output under CPUCTL_DEBUG rather than DEBUG
  • MFC r308040,308479: nap time between pats is forced to be at most half of the timeout
  • MFC r307195: convert iicsmb to use iicbus_transfer for all operations
  • MFC r308101: hwpmc: fix a race between amd_stop_pmc and amd_intr
  • MFC r308218: Add support for microcode update on newer AMD CPUs (10h+)
  • MFC r308247: MFV r308222: 6051 lzc_receive: allow the caller to read the begin record
  • MFC r308089: zfsbootcfg: a simple tool to set next boot (one time) options for zfsboot


bapt (6):

  • MFC r306782-r306783
  • MFC: r302481
  • MFC r307238:
  • MFC r308139, r308157-r308158
  • MFC r308160:
  • MFC r308477:


cy (1):

  • MFC r307800, r307801


delphij (1):

  • MFC r308957: MFV r308954:


dim (3):

  • MFC r308375:
  • MFC r308487:
  • MFC r308559:


gjb (4):

  • Document SA-16:33-35.
  • MFC r308148, r308150, r308156:
  • MFC r308270: MFV r308265: Update tzdata to 2016i.
  • Fix relnotes build.


gnn (1):

  • MFC: 307541


gonzo (8):

  • MFC r306460:
  • MFC r306899, r307059, r307151
  • MFC r307804-r307805
  • MFC r308189:
  • MFC r308240:
  • MFC r308581:
  • MFC r308428:
  • MFC r308295:


hiren (1):

  • MFC r302474 (By gnn)


hrs (2):

  • MFC r308347:
  • MFC r308348:


hselasky (10):

  • MFC r308144 and r308165: Fixes for virtual T-axis buttons.
  • MFC r308031: Fix indentation and remove duplicate queue stopped stats increment.
  • MFC r307518: Fix device delete child function.
  • MFC r308437 and r308461: Range check the jitter values to avoid bogus sample rate adjustments. The expected deviation should not be more than 1Hz per second. The USB v2.0 specification also mandates this requirement. Refer to chapter 5.12.4.2 about feedback.
  • MFC r308409: When a firmware command times out do not free the command structure to avoid use after free.
  • MFC r308411: Ensure the firmware is notified of any host memory allocation failures. Else firmware commands may time out waiting for host memory.
  • MFC r308412: Correct checksum fields in the "mlx5_mini_cqe8" structure. The fields in question are currently not used.
  • MFC r308413: Query flow table capabilities according to the correct capability bit for infiniband.
  • MFC r308414: Add more firmware related structures and update existing ones in the MLX5 core module. Update the set and query diagnostics counter API.
  • MFC r308416: Add timer to watch the RQ when we are out of mbufs.


jch (1):

  • MFC r307966:


jhb (3):

  • MFC 305836: Remove 'cpu' and 'cpu_class' on amd64.
  • MFC 308142: Move declarations of invpcid_works and pmap_pcid_enabled to pmap.h.
  • MFC 306999: Add a missing word.


jhibbits (1):

  • MFC r304970:


jilles (2):

  • MFC r306585: swapon(8): Update to reality: swapoff ignores -L and the late option in fstab.
  • MFC r307755: swapoff: Remove only late devices with -aL.


kib (33):

  • MFC r307649: Partial workaround for Intel PCI adapters reading past the end of the host-programmed DMA regions.
  • MFC r307626: Add FFS pager, which uses buffer cache read operation to validate pages.
  • MFC r308094: Add unlock_vp() helper.
  • MFC r308108: Split long line instead of unindenting it. Add KASSERT() verifying that a device object with the same handle has the same ops vector.
  • MFC r308109: Remove vnode_locked label and goto.
  • MFC r308113: Remove vm_pager_has_page() declaration.
  • MFC r308114: Change remained internal uses of boolean_t to bool in vm/vm_fault.c.
  • MFC r302797 (by markj): Document DDB's "alltrace" and "show all trace" commands.
  • Merge bde improvements for ddb on x86, mostly for single-stepping and vm86 mode.
  • MFC r307866: Handle broadcast NMIs.
  • MFC r308210: Style fixes.
  • MFC r308211: Remove tautological casts.
  • MFC r308228: Remove remnants of the recursive sleep support.
  • MFC r308019: Remove useless NULL check.
  • MFC r308020: Fix comment formatting.
  • MFC r308021: Use symbolic name for the free cluster number.
  • MFC r308022: Use symbolic name for the value of fully free word in pm_inusemap.
  • MFC r308023: If the fatchain() call in chainalloc() returned an error, revert marking the cluster run as in-use.
  • MFC r308024: Ensure that cluster allocations never allocate clusters outside the volume limits.
  • MFC r308025: Enable vn_io_fault() deadlock avoidance for msdosfs.
  • MFC r308026: Generalize UFS buffer pager.
  • MFC r308027: Use buffer pager for msdosfs.
  • MFC r308028: Use buffer pager for cd9660.
  • MFC r308029: Handle pmap_enter() over an existing 4/2M page in KVA on i386.
  • MFC r308212: Allow some dotdot lookups in capability mode.
  • MFC r308288: Do not sleep in vm_wait() if pagedaemon did not yet started. Panic instead.
  • MFC r308538: Increase the max allowed size of the microcode update blob for x86.
  • MFC r308617: Move common cleanup code into helper.
  • MFC r308642: Initialize reserved bytes in struct mq_attr.
  • MFC r308687: Update hint to utilize user variable.
  • MFC r308688: Assert that there is no unresolved symbols during rtld linking.
  • MFC r308689: Pass CPUID[1] %edx (cpu_feature), %ecx (cpu_feature2) and CPUID[7].%ebx (cpu_stdext_feature), %ecx (cpu_stdext_feature2) to the ifunc resolvers on x86.
  • MFC r308733: Move the fast fault path into the separate function.


lidl (2):

  • MFC r308175: Revisit blacklistd support in ftpd
  • MFC r308567: Fix build when WITHOUT_BLACKLIST=yes is specified


loos (3):

  • Stop abusing from struct ifnet presence to determine the packet direction for dummynet, use the correct argument for that, remove the false coment about the presence of struct ifnet.
  • MFC r308237:
  • Zero etherswitch_vlangroup structure before doing partial assignments.


manu (10):

  • MFC r304291:
  • MFC r304297:
  • MFC r304316:
  • MFC r304318, r304464
  • MFC r304566:
  • MFC r304710:
  • MFC r305739-r305740
  • MFC r302522, r302591-r302592 (by jmcneill)
  • MFC r305689:
  • Remove A10 kernel config file, this should have been done in rr308273


markj (4):

  • MFC r308097: Fix WITNESS hints for pagequeue locks.
  • MFC r306529: cam_periph_ccbwait could return while ccb in progress
  • MFC r306710: CAM ccbq sanity: checks on insert and remove
  • MFC r308694: Plug a lock leak in sysctl_ifmalist().


mav (10):

  • MFC r307857: Fix panic after ZVOL renamed to name invalid for DEVFS.
  • MFC r307318: MFV r307314: 6988 spa_sync() spends half its time in dmu_objset_do_userquota_updates
  • MFC r308049: Improve few debugging log messages.
  • MFC r308051: Matching GUIDs, handle possible race on vdev detach.
  • MFC r308055: Add vdev_reopening support to vdev_geom.
  • MFC r308169: Pass to zvol_log_truncate() same sync values as to zvol_log_write().
  • MFC r308173: Fix ZIL records ordering when ZVOL opened both with and without FSYNC.
  • MFC r308133, r308134: Fix wrong copy/paste in error message.
  • MFC r308464, r308471: Add some device IDs found in my new laptop.
  • MFC r308425: Add support for EIIOE flag in Additional Element Status.


mckusick (1):

  • MFC r307978: Bug 180894 reports that rm -rf on a directory causes kernel panic and reboot. Return EINVAL rather than panic for low directory link count.


mmel (11):

  • MFC r302523,r302528:
  • MFC r306902:
  • MFC r306666:
  • MFC r306667,r306668:
  • MFC r307558:
  • MFC r304459,r305527:
  • MFC r302961,r304460,r304461:
  • MFC r306447,r306477:
  • MFC r307556,r307637:
  • MFC r306897,r306898:
  • MFC r306551,r307557:


pfg (1):

  • MFC r308314: sed(1): add LEGACY_BSDSED_COMPAT compile-time flag.


rmacklem (3):

  • MFC: r307694 A problem w.r.t. interoperation between the FreeBSD NFSv4.1 server with delegations enabled and the Linux NFSv4.1 client was reported in reviews.freebsd.org/D7891. I believe that the FreeBSD server behaviour conforms to the RFC and that the Linux client has a bug. Therefore, I do not think the proposed patch is appropriate. When nfsrv_writedelegifpos is non-zero, the FreeBSD server will issue a write delegation for a read open if possible. The Linux client then erroneously assumes that the credentials used for the read open can write the file. This patch reverses the default value for nfsrv_writedelegifpos to 0 so that the default behaviour is Linux compatible and adds a sysctl that can be used to set nfsrv_writedelegifpos.
  • MFC: r307890 mountd(8) was erroneously setting the sysctl for the old NFS server when the new/default NFS server was running, for the "-n" option.
  • MFC: r307891 Fix the man page to reflect the change done by r307890 to mountd.c so that the "-n" option uses the sysctl for the new NFS server. This is a content change.


sephe (23):

  • MFC 307624
  • MFC 307710-307712,307714
  • MFC 307838,307839
  • MFC 307840,307842
  • MFC 307843
  • MFC 307844
  • MFC 307845
  • MFC 307893
  • MFC 307952,307953,308278
  • MFC 307983
  • MFC 307985-307988
  • MFC 307989-307991,308010
  • MFC 308011,308012
  • MFC 308013-308017
  • MFC 308018,308116
  • MFC 308117-308120
  • MFC 308162
  • MFC 308163
  • MFC 308164
  • MFC 308166,308167
  • MFC 308168
  • MFC 308194
  • MFC 308201


trasz (9):

  • MFC r306071:
  • MFC r303961:
  • MFC r303478:
  • MFC r303477:
  • MFC r303476:
  • MFC r302624:
  • MFC r304570:
  • MFC r305834:
  • MFC r304023: