Stable release: HardenedBSD-stable 11-STABLE v46.14

HardenedBSD-11-STABLE-v46.14 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

update to OpenSSL 1.0.2k (4aed7e4ccd53660aa6e7f0b024a4ce55a3227abc) [FreeBSD-SA-candidate]
disable Intel's Silicion Debug capability on boot time (0ea6d983779e624ab8949a1f6dce9c8f5d69f620)
update to xc 5.2.3 (30cbb6108bcfbff283ed03041ab29062a73117aa)
Force -fPIC when building PIEs (c64a53fe268b34bc0dac7fccdb7e150e74afa524)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-bootonly.iso) = e8f65f3cded1cb300ebd49b9af972447a5d9921b981440be3b45d123f42e765e18b733588c3130c73a2ea879d0fb7c8df5d2996101168993d61e73fb494345f8 SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-disc1.iso) = 3d0e0c053bf4722475bcb6f9b5831412097535b13cca470a5a2ee496721528d017ec240493d9e243c03887e9d47300a5a100cc87d1cd85f9943cf2823cd7aa8c SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-memstick.img) = e633c7ec351519f90555bc69d045892456aaff8e838c04e5bc2afd31531299ecfd4528a81fadb126135a71c918d673fcab9678c7cd4a97a639eaf399f920effe SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-mini-memstick.img) = d7055dc066c9d7b55be7d1942c9f7ee82714a485b48d17988e27547221a961dd18448f4630bc56de1e782efbbd184fc103292b08a84ac49339cd3374194275fd

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAliOMBwACgkQgZsRom/9
GI0VxBAAyV1lVw3LJpnn9wsul+l+T3VWvYQ3qbxQ12GEJZw7y5jRu38JxHkGI/4X
oWJKFOjoOWaJi4vmHyEDHEJjTKviIX3bHUtcs0kKWXHWhfj5KyFWx8SntEGYnLtC
1NnWmoM6mxYtjn4zeW27etpmtReVM1iWdiNSplqIcPD/1Q5USJPXi8CGKhhpjXaZ
7+BaR7BSP+7QOd4dv19UueYjzSVkYs+Crtl7NEvtUMKntyoLOLBimEb4Ypsm9tvZ
Cp3o2kfQMPNlzuDyenSW1tmqrvyNBpS3AxgZZ8cZLiR/mPEnPwfi0QEjQI41AGGH
6G3OG/Ev28B/Lsj1I9SapOj9NJY7Ny2DfVFzoh/SkE+/0BOeH2pkeT7cA2rnr1j2
FKYxJm3nEzmcXzmNvUIFE019r6hlKiBSjCOnrCcLKDMGEuBKfwcALE0wY9dpY/0a
r4Dyk2PP7T+bdXl8701J5pVwVyFLeRB+WSZ0ZOLNToLRV/BZDnGETQZBPqutAvOZ
UgMjWsIyvE8MUb1Dw8YUdwejBh/4PVg4mUCzE8WdvpSK6thxwlR94qnmEw4IjWX/
f6j/hskDH7VRjbDR+L4jRlM94glWnl1ZYUeBdoeC3NbrCa+Gyszo6pYZALgCI06q
Sl1egODADSokq0f5Y+ADrO6oYxhuVCuycqqnSg2p8jpw/JOL5DM=
=zcMK
-----END PGP SIGNATURE-----

Changelog: Oliver Pinter (3):

HBSD: Disable and lock Silicon Debug feature on modern Intel CPUs
HBSD: hide the Silicon Debug CPU capability from bhyve VMM
HBSD: hide the Silicon Debug CPU capability from bhyve

Oliver Pinter + (35):

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

Shawn Webb (11):

Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: Force -fPIC when building PIEs
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: Resolve merge conflict
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: Resolve merge conflict
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: Resolve merge conflict
Merge remote-tracking branch 'upstream/stable/11' into hardened/11-stable/master
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: Resolve merge conflict

ae (3):

MFC r311679: Add direction argument to ipsec_setspidx_inpcb() function.
MFC r309888: Modify IPv6 statistic accounting in ip6_input().
MFC r312341: Initialize IPFW static rules rmlock with RM_RECURSE flag.

amdmi3 (1):

MFC r310718:

araujo (1):

MFC r310698:

arybchik (5):

MFC r311877
MFC r311961
MFC r311962
MFC r311977
MFC r311983

asomers (3):

MFC r310118
MFC r310417
MFC r310786, r310803, r310985, r311894

avg (3):

MFC r310630: libkvm: support access to vmm guest memory, allow writes to fwmem and vmm
MFC r312426: fix a thread preemption regression in schedulers introduced in r270423
MFC r312532: don't abort writing of a core dump after EFAULT

avos (1):

MFC r312560: ifconfig(8): fix '-stbc' parameter name.

bapt (4):

MFC r310201:
MFC r311953 (by cem)
MFC r311659:
MFC r312644, r312650

bz (1):

MFC r311950:

cperciva (1):

MFC r312214: Enable IPv6 on EC2 AMIs.

delphij (3):

MFC r311762: Fix typo.
MFC r311275: Restructure libz.
MFC r311504: MFV r311477: xz 5.2.3.

dim (5):

MFC r311807:
MFC r311811:
MFC r311933:
MFC r311929:
MFC r311932:

emaste (11):

newvers.sh: add options to eliminate kernel build metadata
MFC r310225: Reduce boot loader version string duplication
MFC r308006: libunwind: consistently add \n to log and trace messages
MFC r310365: libunwind: make __{de,}register_frame compatible with libgcc API
MFC r311647: libunwind: add noexec stack annotation
MFC r310267: Deduplicate loader vers.c Makefile rules
MFC r311655: libmd: add noexec stack annotation in skein_block_asm.s
readelf: add PPC64 relocation types
Add WITH_REPRODUCIBLE_BUILD src.conf(5) knob
Regen src.conf.5 after r312730 WITH_REPRODUCIBLE_BUILD
MFC r312288: rtld: do not rely on a populated GOT on amd64

gnn (1):

MFC 311224

gonzo (2):

MFC r311888, r311890-r311891
MFC r311911, r311923

hiren (1):

MFC r311453

ian (1):

MFC r308187, r311660, r311693, r311727, r311797:

jah (1):

MFC r312153, r312191

jhb (6):

MFC 307538,307948,308602,308603,311151: Move kdump's mksubr into libsysdecode.
MFC 303946: Remove files unused after pulling system call names from libsysdecode.
MFC 309589: Rework syscall structure lookups.
MFC 304492,310721,310734: Update cxgbe info in NOTES.
MFC 307332,312086: Drop support for using mmap() with /dev/kmem.
MFC 310028: Use db_lookup_proc() in the DDB 'show procvm' command.

jilles (1):

MFC r312230: skel: Do not set -o emacs in .shrc.

jkim (1):

MFC: r312825

jmcneill (1):

MFC r310854, r310972

jpaetzel (3):

MFC 311122
MFC 310847 310864
Revert MFC of 310847 and 310864

julian (1):

MFH: r308671

kan (1):

MFC r311993: Fix typo in r311971 and now in r312405 too.

kib (26):

MFC r311447: Some style fixes for getfstat(2)-related code.
MFC r311452: Do not allocate struct statfs on kernel stack.
MFC r311523: Remove dead code.
MFC r311524: Use vnode lock assertion expression, assert exclusive ownership.
MFC r311525: Lock tmpfs node tn_status updates done under the shared vnode lock.
MFC r311522: Use type-independent formats for printing nlink_t and ino_t.
MFC r309710: Add a new populate() pager method and extend device pager ops vector with cdev_pg_populate() to provide device drivers access to it.
MFC r309711: Implement the populate() pager method for phys pager.
MFC r309712: Use the populate() driver paging method for i915 driver.
MFC r311646: Define _POSIX_PRIORITY_SCHEDULING as 0, to account for the kernel option.
MFC r311780: Use tab for indent.
MFC r311781: Use standard Versions.def for libprocstat.
MFC r311815: Forcibly remove the cached items from pseudofs vncache on module unload.
MFC r311879: Use ANSI C definitions, update comment.
MFC r311984: For the main binary, postpone enforcing relro read-only protection until copy relocations are done.
MFC r311651: Export __cxa_thread_atexit_impl as an alias for __cxa_thread_atexit.
MFC r311886: Fix acquisition of nested write compat rtld locks.
MFC r311531 (by mjg): Perform a lockless check in tmpfs_itimes.
MFC r311526 (by mjg): tmpfs: enable MNTK_EXTENDED_SHARED.
MFC r312124 (by mjg): tmpfs: manage tm_pages_used with atomics.
MFC r312407: Remove unused union member, fifos on tmpfs are implemented in common code.
MFC r312409: Style fixes and comment updates.
MFC r312410: Rework some tmpfs lock assertions.
MFC r312414: Rename tmpfs_mount member allnode_lock to include namespace prefix.
MFC r312425: Make tmpfs directory cursor available outside tmpfs_subr.c.
MFC r312423: Refresh tmpfs(5) man page.

lifanov (1):

MFC r311650

loos (8):

MFC r310707:
MFC r311700:
MFC r311701:
MFC r308458, r311157 and r312347:
MFC r312408:
MFC r312411:
MFC r312604 and r312605:
Fix a crash in netmap when using the emulated mode.

lwhsu (1):

MFC r311881:

marius (1):

MFC: r310309, r310340-310341, r311664, r311793-r311794

mav (24):

MFC r311971: Report random flash storage as non-rotating to GEOM_DISK.
MFC r311517: Add some more mode page fields.
MFC r311623: Make do_buff_decode() not read past the end of the buffer.
MFC r311636: Make 'camcontrol modepage' support subpages.
MFC r311897: Add checks for received mode page length.
MFC r310539: Remove CTL_MAX_LUNS from places where it is not required.
MFC r310555: Some random code cleaning.
MFC r310575: Fix improperly used nexus.targ_lun.
MFC r310635: Decouple limits on number of LUNs per port and LUs per CTL.
MFC r310640, r310643: Add support for revert to defaults (RTD) bit in MODE SELECT.
MFC r310644: Fix/synchronize field types in struct ctl_modepage_header.
MFC r310646: Do not update "saved" mode page on every MODE SELECT.
MFC r310649: Allow more efficient use of private area.
MFC r311892: Do not wait for HA thread shutdown if scheduler is stopped.
MFC r311935: Pretend we support some IOCTLs to not scary upper layers.
MFC r310778, r310782: Improve use of I/O's private area.
MFC r311680: Make CTL_GETSTATS ioctl return partial data if buffer is small.
MFC r311787: Allocate memory for prevent flags only for removable LUs.
MFC r311804: Rewrite CTL statistics in more simple and scalable way.
MFC r311873: Fix malloc(M_WAITOK) under mutex, introduced at r311787.
MFC r312026: Improve CAM_CDB_POINTER support.
MFC r312231: When in kernel, map ctl_scsi_zero_io() to ctl_zero_io().
MFC r312232: Add under-/overrun support to IOCTL and CAM SIM frontends.
MFC r312533: Report disk addition errors on `add` or `create` subcommand.

mjg (5):

MFC r310907:
MFC r310805:
MFC r310983:
MFC r311004:
MFC r310766,r310767,r310774,r310779:

ngie (46):

MFC r311548:
MFC r311710:
MFC r311711,r311712,r311713:
MFC r311511:
MFC r311871:
MFC r311870:
MFC r311714:
MFC r311709:
MFC r311715:
MFC r311265,r311274:
MFC r311268:
MFC r311282:
MFC r311290,r311293,r311294:
MFC r311733:
MFC r310729:
MFC r310892,r310894,r310989:
MFC r311390:
MFC r311378:
MFC r311739:
MFC r310586,r310587,r310588:
MFC r311381:
MFC r310950:
MFC r311227,r311917:
MFC r311926:
MFC r311924:
MFC r311236,r311919:
MFC r311750,r311754,r311757:
MFC r311748:
MFC r309464:
MFC r311759,r311760:
MFC r311741,r311761:
MFC r311758:
MFC r311742:
MFC r311740:
MFC r310655:
MFC r310656,r311221:
MFC r311140:
MFC r312009:
MFC r311133:
MFC r312112:
MFC r312118,r312121:
MFC r312111:
MFC r312122:
MFC r312113:
MFC r303166: r303166 (by imp):
MFC r312331: r312331 (by glebius):

np (4):

MFC r311569, r311657, and r311949.
MFC r311831 and r311832.
MFC r311848: cxgbe(4): Attach to the 2x25 debug card. This is for internal use only.
MFC r312368: cxgbe/tom: Fix a case where do_pass_accept_req wasn't properly restoring the VNET.

pfg (5):

MFC r311896 Remove unused __gnu_inline() attribute.
MFC r311101: libkvm - extend a bit the swap statistics field.
MFC r311947, r311981:
MFC r312443: mppc - Finish pluging NETGRAPH_MPPC_COMPRESSION.
MFC r312538: Addition of clang nullability qualifiers.

rpokala (1):

MFC r311963: Remove writability requirement for single-mbuf, contiguous- range m_pulldown()

smh (1):

MFC r311769:

tijl (1):

MFC r312699:

wblock (4):

MFC 311527:
MFC 312083:
MFC 305887:
MFC r312547: Mention sendfile(2) by popular demand.

yongari (4):

MFC r304574-304575,304584: r304574: Correct DMA channel number selection on AR816x family of controllers. For Gigabit Ethernet version of AR816x, AR813x/AR815x except L1D controller, use vendor recommended ASPM parameters. While here, increase alc_dma_burst array size. Broken H/W can return bogus value in theory.
MFC r304576: Add Killer E2400 to the supported hardware list.
MFC r302548: Belatedly remove CSUM_IP_FRAGS and CSUM_FRAGMENT offloading capabilities. It was removed in r243624 and r254804/r271006 respectively. This file and mbuf(9) needs updates for other offloading capabilities(i.e. CSUM_SCTP and CSUM_TSO).
MFC r309527-309528: r309527: Recognize RealTek ALC1150 7.1 channel HD audio codec.

HardenedBSD

Stable release: HardenedBSD-stable 11-STABLE v46.14

Donate to HardenedBSD

2021 Donation Status

Links

Donate to HardenedBSD

2021 Donation Status

Search form

Links