Stable release: HardenedBSD-stable 11-STABLE v1100049

HardenedBSD-11-STABLE-v1100049 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

fsgs base changes in kernel and in libc (43f99b9f1cc2c625779e087ba4866d7c496d5b7b, b1a7a7418e73251aad628dc4f9418e550a9fd3d7)
reworked vlan locking (a62278e0d2b2f8b2d860fb689490dc1b6d11eb33)
HBSD: Update DNSSEC root key 257 (548eb60819e04c5d06671a95f5a7082e194fb7d4)
HBSD MFC: Fix information leak in geli(8) integrity mode (9344d69cc4c04c6555d9684976f57e8387354cf5) [FreeBSD-SA-Candidate]
MFC r323278: Fix an incorrectly used conditional causing buffer overflow in readelf [CVE-2017-1000249]
Fix possible double releasing for SA reference in IPSec. (3bf892e2d5f50a11384e8bf9fb7c14db1bfc0d26) [FreeBSD-SA-Candidate]
HBSD: constify pax_elf()'s mode parameter
HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL
HBSD: Bump __HardenedBSD_version after API change
HBSD: API change, swap the first and second argument of pax_elf
HBSD: update mirror list in bsdinstall
HBSD: print out the __{Hardened,Free}BSD_version and version at panic time
HBSD: improve logging - hide early hbsd related boot messages under bootverbose
MFH (r322052): Upgrade OpenSSH to 7.5p1 (7e3dcea1a1c17915cbd33fd8fcec2b5530f8d3d1)
MFC r322590: bpf: Fix incorrect cleanup
MFC r322750: Fix the regression in ipsec introduced in r275710. (4e0ff7d0a944d10581e904bc3057524ce7071e30)
MFC r322677: pw usermod: Properly deal with empty secondary group lists (-G '') (75c367731c924e73c5bd87ab4b974c42917990d8) [FreeBSD-EN-Candidate]
Merge ACPICA 20170728. (1c5a17e1a7dd5063e58cee0a717989c5ce609bdc)
Plug uninitialized stack variable leak in sendfile(2). (d51b637e3144fab948a4d9a7bb312a2930e3d157)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-bootonly.iso) = 3ff186518876ef188b8a5fc275001613fb91032443a4d122b2d581e09fb5af43d50c388025258c07ca493d241f35c7b5377e0487b28361490b575c5e0ed37a11 SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-disc1.iso) = 6bcfce3349e89e04baa4f4c32e51edd873edb07edb43007ec10bb3b6ebd7e153160051c9e64cb95db4ce2673b832ed6db22f772887c852a5b749bccf867ee6a8 SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-memstick.img) = 194193396409b28e8c8727b868b96dc7abd75a36d43901323b0f3c3827d615f59b9eb89467a820148de71f0b5ab7f7f80997acbaa8befb04faf92261fe6a9df9 SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-mini-memstick.img) = b9145ed2bde8e473be177db9d643101d30f7d5c086828152ddea17335eb3d7025a6888ae097d8006077de92349a81c33595d2f0422d1de88c62a9abd9d3a7a71

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlm7OZAACgkQgZsRom/9
GI3iRQ/+PxEz2r0jsddF9KNWtRx2fqita2VRfKmIqtdaXDiS//089T0rzLdJIfXL
Uc52RY28HQuD820t4oaW+gsox0/Dmbb9EzSR27YT09ez7pCNbufaHYH+3SGU2zk4
GFJHNrjHdMPfK++Y7Cqg+kFtDssT/OQmfLYc8eAKnzd3V0GlQnb4fZqJKaqt6Zhz
9+E8N1wWVIwB816IXr2UCvkyR9RQspFg/VP/JOQaQfQad/iVrhJWBzluQCmQzMf1
YankE0TvK2+IVmiLOxa0WCYoaD5Asqrizo28U199SM5YOPWe4hHKS/H8zz7BfieG
2R69zBejVSbCfDBN4S94ASimDo4HOq05ApNXlC0JwzcAUNajBXiv9ANzpyeVVkBv
WPBvDIieaKF2OQlbhVdazaO4EiMYTu5Kqqy3oz9YNXfEP/o9/n/OcB2XNLvfszlu
8/jD7f6SPeXijWzSEE3hOmJZWfQc8DzWBqp9PRyk+GtmkhAG1ldXwrjHvBWBSy+x
telrI/Tf0jvM0mNpNnvifz3CbZz1yK6Rvl/r1tZTue3bJf9ddONR+tnYw5CN0wZ/
fkayr52iDvbFhNO25fwI1W1QiyJFuJPZAewZOe9z240HXnV0mOqqxHbIsLgehlpV
hQiztHlpkUyoijTjmb05knqt8pdE8ptGyErKud2IES6mL7NSIUs=
=DnyR
-----END PGP SIGNATURE-----

Changelog: Oliver Pinter (12):

HBSD: improve logging
HBSD: print out the __{Hardened,Free}BSD_version and version at panic time
HBSD: update mirror list in bsdinstall
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: resolve merge conflict after openssh update
HBSD: style a little bit the debug info at panic time
HBSD: API change, swap the first and second argument of pax_elf
HBSD: Bump __HardenedBSD_version after API change
HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL
HBSD: constify pax_elf()'s mode parameter
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: fixed merge conflict in bsdinstall

Oliver Pinter + (51):

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

Shawn Webb (3):

HBSD: Update DNSSEC root key 257
Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
HBSD: Resolve merge conflict

ae (4):

MFC r321779: Add inpcb pointer to struct ipsec_ctx_data and pass it to the pfil hook from enc_hhook().
MFC r322310: Add to if_enc(4) ability to capture packets via BPF after pfil processing.
MFC r322750: Fix the regression introduced in r275710.
MFC r323086: Fix possible double releasing for SA reference.

araujo (1):

MFC r321846:

asomers (9):

MFC r320269:
MFC r320737, r320914
MFC r320807:
MFC r320974-r320975, r321001, r321206
MFC r321082:
MFC r321332:
MFC r320255
MFC r322255:
MFC r322546:

benno (1):

MFC r322804: Correct typo in usage string.

cem (4):

HBSD MFC: Audit userspace geom code for leaking memory to disk
HBSD MFC: geom_virstor: Remove wholly unnecessary g_metadata_store copy
HBSD MFC: libgeom: Remove redundant and duplicated code
HBSD MFC: Fix information leak in geli(8) integrity mode

cy (3):

MFC r322749:
MFC r321806:
MFC r322073:

davidcs (4):

MFC r322331 Provide compile option to choose receive processing in either Ithread or Taskqueue Thread.
MFC r322408 Performance enhancements to reduce CPU utililization for large number of TCP connections (order of tens of thousands), with predominantly Transmits.
MFC 322771
MFC r322852 Fix qlnx_tso_check() so that every window of (ETH_TX_LSO_WINDOW_BDS_NUM - nbds_in_hdr) has atleast ETH_TX_LSO_WINDOW_MIN_LEN bytes

des (4):

MFH (r314527,r314576,r314601,r317998): Upgrade OpenSSH to 7.3p1.
MFH (r314306,r314720): Upgrade OpenSSH to 7.4p1.
MFH (r322052): Upgrade OpenSSH to 7.5p1.
MFH (r314888): silence aliasing warning in nvme.h

dim (2):

MFC r323001:
MFC r323014:

ed (1):

MFC r322888:

emaste (19):

MFC r322627: arm64: return error instead of panic in unimplemented ptrace ops
sys/modules: don't build bxe,qlxgbe if the user objects to sourceless ucode
MFC r322680: sa.4: fix spelling of 'suppresses'
MFC r322683: ena.4: fix spelling of 'occurred'
MFC r322677: pw usermod: Properly deal with empty secondary group lists (-G '')
MFC r322581: remove debug files in delete-old* when WITHOUT_DEBUG_FILES
MFC r321293: date: avoid crash on invalid time
MFC r308789 (glebius):
MFC r322798: newvers.sh: accommodate `git worktree`
MFC r323039: octeon_ebt3000_cf: eliminate string literal warning
MFC r323040: xls_ehci: eliminate string literal warning
MFC r323010: hv_vss.4: Fix spelling of 'responsibility'
MFC r323011: usb: Add external "Intenso Memory" disk quirk
MFC r323022: arge: correct bzero sizeof (pointed-to object, not pointer)
MFC r322374: bsdinstall: record DHCP config after obtaining lease
make-memstick.sh: use 'set -e' to abort if any step fails
MFC r323448: bsdinstall: Ignore error return from newaliases(1)
MFC r316802 (cem): bsdinstall(8): Sprinkle a snprintf to fixed size buffer
MFC r321226: bsdinstall: improve checksum mismatch error for snapshots

gjb (3):

MFC r322544: Always expand the full path to the configuration file specified with the '-c' flag.
MFC r322770, r322796:
MFC r322752: Update the tests(7) manual page to note the test suite is installed by default as of 11.0-RELEASE.

glebius (1):

Merge r322321:

gordon (1):

MFC r323278: Fix an incorrectly used conditional causing buffer overflow.

hselasky (1):

MFC r322810 and r322830: Add new mlx5ib(4) driver to the kernel source tree which supports Remote DMA over Converged Ethernet, RoCE, for the ConnectX-4 series of PCI express network cards.

ian (38):

MFC r315089: Document uiomove_frombuf(9).
MFC r315165:
MFC r315167:
MFC r314723: Build the dtb files for the revb1 versions of wandboard.
MFC r315490, r315508:
MFC r315530:
MFC r315572, r315573, r315575, r315578:
MFC r315574, r315576, r315577:
MFC r315589, r315591, r316659, r316661:
MFC r315692: Eliminate a "format string is not a string literal" warning.
MFC r316995: Add support for the Micrel KSZ8081 ethernet PHY.
MFC r316374, r316377:
MFC r316664, r316670, r316972, r316996, r317033:
MFC r319811, r319813:
MFC r319859, r319888:
MFC r319814, r319815, r319818:
MFC r319817: Add a driver for the Vitesse/Microsemi VSC8501 PHY.
MFC r319899: Add missing header dependencies.
MFC r320456:
MFC r320076:
MFC r320460, r320461, r320462, r320463:
MFC r320655, r321933:
MFC r320743:
MFC r320928, r320929:
MFC r321489:
MFC r321686:
MFC r321586:
MFC r321583, r321584:
MFC r320901-r320902, r320996-r320997, r321002, r321048, r321400, r321743, r321745
MFC r321876:
MFC r322465:
MFC r321708-r321712, r321721, r321726-r321727, r321746, r321751, r321791-r321792, r321795, r321798, r321821, r321823, r321826, r321828, r321841, r321934, r322025-r322026, r322282, r322431, r322473, r322475-r322479
MFC r321938, r322015
MFC r322580:
MFC r322373:
MFC r323132-r323133
MFC r322411:
MFC r323341:

jhb (4):

MFC 322436: Don't panic for PT_GETFPREGS.
MFC 322437: Reliably enable debug exceptions on all CPUs.
Add missing #include to fix build after r322761.
MFC 309775,312897: Don't delete /usr/bin/ld if it is lld.

jkim (4):

MFC: r322803
MFC: r319365, r321670
MFC: r321601 (emaste)
MFC: r316627 (kan)

ken (1):

MFC r322410: ------------------------------------------------------------------------ r322410 | ken | 2017-08-11 12:43:52 -0600 (Fri, 11 Aug 2017) | 16 lines

kevans (2):

MFC r321450: bsdgrep(1): Don't exit before processing every file
bsdgrep: add a primitive literal matcher to unbreak fgrep in some scenarios

kib (27):

MFC r322495: Add {rd,wr}{fs,gs}base C wrappers for instructions.
MFC r322496: Print whole machine state on double fault.
MFC r322667,r322706: Improve i386 #UD low-level kdtrace hook.
MFC r322756: Style.
MFC r322718: Use ANSI C declaration for trap_pfault(). Style.
MFC r322719: Trim excessive 'extern' and remove unused declaration.
MFC r322720,r322723: Simplify amd64 trap().
MFC r322947: Add PCI Id for MosChip MCS9900.
MFC r322948: Let g_access() log the actual error number.
MFC r322721: Allow vinvalbuf() to operate with the shared vnode lock.
MFC r322722: Do not drop NFS vnode lock when performing consistency checks.
MFC r322926: Trim excessive 'extern'.
MFC r322927: Use ANSI C declaration for trap_pfault(). Style.
MFC r322928: Remove unused code.
MFC r322929: Simplify i386 trap().
MFC r323102: Add serial comma.
MFC r322757, r322883: Avoid dereferencing potentially freed workitem in softdep_count_dependencies().
MFC r323017: Make the swap_pager_full variable static.
MFC r323018: Adjust interface of swapon_check_swzone() to its actual usage.
MFC r323024: Only make the if_ix module depend on netmap when netmap is configured.
MFC r323054: The nvme module should explicitly declare dependency on the cam.
MFC r322982: Verify that the BPB media descriptor and FAT ID match.
MFC r322984: Style.
MFC r322762, r322799, r322832, r322833: Make WRFSBASE and WRGSBASE instructions functional.
MFC r323217: Fix typos. Stop claiming that two children are created.
MFC r322913: Replace global swhash in swap pager with per-object trie to track swap blocks assigned to the object pages.
MFC 322763: Optimize libc to get and set TLS using the RDFSBASE and RDGSBASE instructions, if supported both by CPU and kernel.

kp (1):

MFC r322590: bpf: Fix incorrect cleanup

lwhsu (1):

MFC r322434:

marius (6):

MFC: r322726
MFC: r308643, r312427
MFC: r312641
MFC: r322986
- Ever since the workaround for the silicon bug of TSO4 causing MAC hangs was committed in r295133, CSUM_TSO gets always disabled by em(4) on the first invocation of em_init_locked() given that at that point no link is established, yet. In turn, this causes CSUM_TSO also to be off when em(4) is used as a parent device for vlan(4), i. e. besides IFCAP_TSO4, also IFCAP_VLAN_HWTSO effectively doesn't work.
MFC: 323382, MFV: r323381

markj (7):

MFC r322773-r322775: Fix an off-by-two in the llquantize() action parameter validation.
MFC r322987: Synchronize page laundering with pmap_extract_and_hold().
MFC r321963: Rework and simplify the ksyms implementation.
MFC r319934: Don't call vm_pager_page_unswapped() when writing or deleting a dirty page.
MFC r319933: Free the request page if an I/O error occurs while reading from swap.
MFC r323166: Use O_CLOEXEC when opening persistent handles in libdtrace.
MFC r323280: Fix indentation.

mav (11):

MFC r322802: Fix off-by-one error when parsing SRAT table.
MFC r322821: Add missing restart_queue initialization.
MFC r323045: Fix flags field decoding in ACPI_NFIT_CONTROL_REGION.
MFC r323047: Make ntb_set_ctx() always generate fake link event.
MFC r323046: Make ntb_transport(4) ready receive early link events.
MFC r322980: Fix fake interrupt when set doorbell is unmasked.
MFC r322981: Mask doorbells while processing them.
MFC r323032, r323053, r323058, r323059, r323084, r323114, r323127: Add NTB driver for PLX/Avago/Broadcom PCIe switches.
MFC r323074: Clear doorbell bits after masking them before processing.
MFC r323126: Make NTB drivers report more info via NewBus methods.
MFC r323128: Increase negotiation polling period from 10ms to 100ms.

mckusick (3):

MFC of 322179, 322463, and 322464:
MFC of 322200, 322201, 322271, and 322297
MFC of 322298 noting MFC 322806 in UPDATING

mjoras (1):

MFC r322548: Rework vlan(4) locking.

ngie (10):

MFC r321387:
MFC r322636:
MFC r322633:
MFC r321456,r321484,r321486:
MFC r321455:
MFC r321702,r321703:
MFC r321704,r321705,r321706:
MFC r320701:
MFC r321952:
Regenerate src.conf(5) based on recent changes to src.opts.mk, etc.

oleg (1):

MFC r322628: Fix BSD label partition end sector calculation.

pfg (3):

MFC r320578:
MFC r320146, r320170, 320842:
MFC r322925: libc: minor indent(1) cleanups.

rlibby (20):

MFC r303188,r303190,r303271,r303438,r303453: Warn flags for gcc 6.1
MFC r316397 (by bde):
MFC r320517:
MFC r320714:
MFC r320977:
MFC r321106:
MFC r321376:
MFC r321864 (by mw):
MFC r322329:
MFC r321668:
MFC r321669:
bhyve: actually call bhyve_caph_cache_catpages
MFC r323003,r323004:
MFC r303723 (by markj):
MFC r316119 (by ngie):
MFC r321284:
MFC r323155:
MFC r322940:
MFC r323192:
MFC r321483 (by ngie):

rmacklem (4):

MFC: r321628 Replace the checks for MNTK_UNMOUNTF with a macro that does the same thing.
MFC: r321675 Fix possible crash for the NFSv4.1 pNFS client.
MFC: r321688 Add kernel support for the NFS client forced dismount "umount -N" option.
MFC: r321689 Add a new "-N" option to umount(8), that does a forced dismount of an NFS mount point.

sobomax (1):

MFC r320048+r320301+r320277:

Uploads:

CHECKSUM.SHA512.txt

CHECKSUM.SHA512.asc_.txt

HardenedBSD

Stable release: HardenedBSD-stable 11-STABLE v1100049

Uploads:

Donate to HardenedBSD

2021 Donation Status

Links

Uploads:

Donate to HardenedBSD

2021 Donation Status

Search form

Links