HardenedBSD-11-STABLE-v1100053 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
Highlights:
- LibreSSL 2.6.3 (c49b64fc67249a34f0899fdaf83ff409877c0832)
- Fix infoleak in ptrace_lwpinfo (a9480512504618c725807232b538d3d03adb13c0) [FreeBSD-SA-Candidate, CVE-2017-1086]
- ZFS channel programs (b6de21de0e6db7018f1a79f4e09e03275f27996f)
- OpenSSL 1.0.2m (a88f0513c4cf81f98bab740e4f112f1a6d7f4d42) [FreeBSD-SA-Candidate, CVE-2017-3736, CVE-2017-3735]
- Add extended attributes support to fuse kernel module (4d1ec3df908e0b5948287618d437add1454b15f0)
- tzdata 2017c (bb786ee507dfb1537c2a2d4bbbc9cb06cfa2cd9f)
- Linux emulation changes to support newer Linux libdrm (8b3e384829098404bdf42f48c6e808aed906aeb0)
- Fixes and improvements for x86 LDT handling (5f0b9b87892629c113c13c5a0c5933c1de48bdb9) [FreeBSD-SA-Candidate]
Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...
CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-bootonly.iso) = bd091a8d0787229e47ea8207728db7ed5244787d17665d11a2e69779073d2a12a3bf4a1938f4c1ee001d84c3a0bf5d14ff0750fed149ffac7d3a6e266afb9bf8
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-disc1.iso) = ee546baf2e6cc55a8237cf0b96f3b10b8a8a7015bde3662b3bb28a4536c0b7d2179015477c3d3d44cbe252d6e53e348c2bd2a1c0b5e17e84405ef7a6277607ec
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-memstick.img) = e2213d1f0d4c25f2518148fc9d3a42994fda5b4e3e84ef41ea963e24b1b985cf1defc8dd65cc0bb5349b437527fffde98eee5c50002cc4908c4c0dd642e17bbe
SHA512 (HardenedBSD-11-STABLE-v1100053-amd64-mini-memstick.img) = 524764b81c8a2c8d72719589eb110e7bf44160a250b11d660039930c5678c64b22b8187a4f1e987a2235216f8e0f0a6d4b31f65552f31d633d48ae0a8e004087
CHECKSUM.SHA512.asc:
Changelog:
Bernard Spil (4):
- HBSD: crypto/libressl: Update to 2.6.3
- Merge branch 'hardened/11-stable/master' of https://github.com/HardenedBSD/hardenedBSD into hbsd/hardened/11-stable/master
- HBSD: Update OptionalObsoleteFiles.inc for LibreSSL 2.6
- HBSD: LibreSSL: Fix install of man(5) man-pages
Oliver Pinter (4):
- HBSD: fix build error with WITHOUT_LIBRESS=
- HBSD: fix build error with WITHOUT_LIBRESS= - part 2
- HBSD: clean up LibreSSL related ObsoleteFiles breakage, which will render the system into unbootable state
- HBSD: bump __HardenedBSD_version to 1100053 after LibreSSL 2.6.3 update
Oliver Pinter + (47):
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Shawn Webb (2):
- Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
- HBSD: Resolve merge conflict
ae (4):
- MFC r324593: Fix regression in handling O_FORWARD_IP opcode after r279948.
- MFC r324592: Return 'errno' value from the table_do_modify_record(), it is expected by table_modify_record().
- MFC r324947: Add IPv6 support for O_TCPDATALEN opcode.
- MFC r325355: Use correct pointer in key_updateaddresses() when updating NAT-T config.
asomers (6):
- MFC r324241:
- MFC r324220:
- MFC r324221:
- MFC r324222:
- MFC r324223:
- MFC r324281:
avg (25):
- MFC r324309: remove heuristic error detection from ddi_strto*()
- MFC r324312: fix the misleading log facility used in devd/zfs.conf
- MFC r324311: sysctl-s in a module should be accessible only when the module is initialized
- Really MFC r309357,r309409: Speling fixes and fix line endings for err_msg output
- MFC r324590: i2c(8): clean up and clarify read operation
- MFC r324011, r324016: MFV r323535: 8585 improve batching done in zil_commit()
- MFC r324343: MFV r316862: 6410 teach zdb to perform object lookups by path
- MFC r324344: MFV r316864: 6392 zdb: introduce -V for verbatim import
- MFC r324345: MFV r316877: 7571 non-present readonly numeric ZFS props do not have default value
- MFC r324346: MFV r316931: 6268 zfs diff confused by moving a file to another directory
- MFC r324347: MFV r316933: 5142 libzfs support raidz root pool (loader project)
- MFC r324348: MFV r316934: 7340 receive manual origin should override automatic origin
- MFC r324349: MFV r322235: 8067 zdb should be able to dump literal embedded block pointer
- MFC r324350: zdb.8: replace with the slightly modified upstream version
- MFC r324425: illumos mutex_init: use SX_NEW instead of bzero
- MFC r324689: iscsi: do not hold the global lock while tearing down a session
- MFC r324694: never retry outstanding requests when terminating iscsi session
- MFC r324957: iscsi_shutdown_post: do nothing if panic-ing
- MFC r324163: MFV r323530,r323533,r323534: 7431 ZFS Channel Programs, and followups
- MFC r324168: MFV r323531: 8521 nvlist memory leak in get_clones_stat() and spa_load_best()
- MFC r324170: MFV r323794: 8605 zfs channel programs: zfs.exists undocumented and non-working
- MFC r324196: MFV r323912: 8592 ZFS channel programs - rollback
- MFC r324197: MFV r323913: 8600 ZFS channel programs - snapshot
- MFC r324757: remove spa_sync_on assert from spa_async_thread_vd
- MFC r324195: MFV r323795: 8604 Avoid unnecessary work search in VFS when unmounting snapshots
avos (1):
- MFC r324672: ifnet(9): split ifc_alloc_unit() (should simplify code flow)
bapt (1):
- MFC r324623:
bdrewery (6):
- MFC r316286:
- struct ksiginfo has MD size, so use it as the padding type to avoid the wrong size.
- Fix struct thread padding field names.
- MFC r318246,r324566,r324668,r324701:
- MFC r320481:
- MFC r318432:
cy (3):
- Sync (make same) the offsetof macro definition in include/ with the definition of the same in sys/sys/. The problem was discovered while working on implementing a new C11 gets_s() for libc. (The new gets_s() requires rsize_t found in include/stddef.h.) The solution to sync the two definitions was suggested by ed@ while discussing D12667.
- MFC r324681, r324738
- MFC r325030:
davidcs (2):
- MFC r324535 Add sanity checks in ql_hw_send() qla_send() to ensure that empty slots in Tx Ring map to empty slot in Tx_buf array before Transmits. If the checks fail further Transmission on that Tx Ring is prevented.
- MFC r324538 Added support driver state capture/retrieval
dim (1):
- MFC r324826:
emaste (4):
- MFC r324594: truss: mention 'H' in usage
- MFC r324595: ANSIfy vm_kern.c
- MFC r324683: write.2: correct maximum nbytes size for EINVAL error
- MFC r325420: lld: accept EINVAL to indicate posix_fallocate is unsupported
eugen (3):
- MFC r324364: ftpd(8): fix user context handling
- MFC r324212:
- MFC r325157,325158:
fsu (2):
- MFC r324620: Add extended attributes support to fuse kernel module.
- MFC r324962: Set doreallocblks sysctl value to zero by default because of possibility of filesystem corruption.
gjb (2):
- Document issuing 'vagrant up' a second time will boot properly if the virtual machine does not yet have a MAC address.
- MFC r325156: Set a default hostname for virtual machine images.
hselasky (8):
- MFC r323916: Extend sysctl description for hw.usb.disable_enumeration .
- MFC r324445: When showing the sleepqueues from the in-kernel debugger, properly dump all the sleepqueues and not just the first one
- MFC r324492: Make sure the IPv6 scope ID gets zeroed inside the GID. Else searching for a valid GID entry based on IPv6 addresses can fail.
- MFC r324490: Add support for parsing and using IPv6 addresses in krping.
- MFC r324491: Use common rdma_ip2gid() function instead of custom mlx5_ip2gid() one.
- MFC r324792: The remote DMA TCP portspace selector, RDMA_PS_TCP, is used for both iWarp and RoCE in ibcore. The selection of RDMA_PS_TCP can not be used to indicate iWarp protocol use. Backport the proper IB device capabilities from Linux upstream to distinguish between iWarp and RoCE. Only allocate the additional socket required for iWarp for RDMA IDs when at least one iWarp device present. This resolves interoperability issues between iWarp and RoCE in ibcore
- MFC r325278: Unconditionally include "opt_inet6.h" in the LinuxKPI. This makes sure the INET6 macro gets properly defined, also for kernel module builds.
- MFC r325362: Allow CUSE(3) to free all memory mapped memory by using regular SWAP objects instead of malloc(). The SWAP objects are automagically freed when there are no more consumers. This greatly simplifies the mmap logic inside CUSE(3) in the kernel. This change fixes an issue where mmapped memory can accumulate and never get freed, if many different mmap sizes are needed over time. Further this change fixes memory leaks when the CUSE(3) kernel module is unloaded.
ian (4):
- MFC r323392:
- MFC r323985:
- MFC r323997-r323998
- MFC r314914:
jch (1):
- MFC r324179, r324193:
jilles (1):
- MFC r325017: libnv: Fix strict-aliasing violation with cookie
jkim (5):
- MFC: r307976
- MFC: r316607 (andrew)
- MFC: r318899
- MFC: r307977
- MFC: r325328
ken (1):
- MFC r325371 ------------------------------------------------------------------------ r325371 | ken | 2017-11-03 15:04:22 -0600 (Fri, 03 Nov 2017) | 19 lines
kib (30):
- MFC r324528: In tc_windup(), do not re-calculate bintime.
- MFC r324600, r324716: Evaluate the real size of the sblk_zone.
- MFC r323772, r324302-r324308, r324310, r324313, r324315, r324326, r324330, r324334, r324354-r324355, r324366, r324432-r324433, r324437-r324439: Fixes and improvements for x86 LDT handling.
- MFC r324665: Fix the pv_chunks pc_lru tailq handling in reclaim_pv_chunk().
- MFC r324669: Style.
- MFC r324670: Improve assertion that an ignored or blocked signal is not delivered.
- MFC r324671: Re-evaluate thread's signal mask after ptracestop().
- MFC r324793: In vm_page_free_phys_pglist(), do not take vm_page_queue_free_mtx if there is nothing to do.
- MFC r316304 (by tychon): Reorder includes to placate MIPS build.
- MFC r324853: Remove the support for mknod(S_IFMT), which created dummy vnodes with VBAD type.
- MFC r324926: Expand explanation of atomicity.
- MFC r324824: Check that the page which is freed as zeroed, indeed has all-zero content.
- MFC r325270: Consistently ensure that we do not load MXCSR with reserved bits set.
- MFC r325285, r325447: Restore an optimization that was temporarily disabled by r324665.
- MFC r324972: Tweaks to the top swap size calculations.
- MFC r325271: Use designated initializers for pmc sysent and module data.
- MFC r325273: Minor style tweaks.
- MFC r325274: There is no use for dropping Giant in the pmc syscall.
- MFC r325275: In hwpmc, do not double-close the logging file.
- MFC r325276: Be protective and check the po_file validity before dropping the ref.
- MFC r325277: Do not run pmclog_configure_log() without pmc_sx protection.
- MFC r325567: Zero whole struct ptrace_lwpinfo to not leak kernel stack data.
- MFC r324794: Do not overwrite clean blocks on pageout.
- MFC r324807: Take the vm object lock in read mode in vnode_generic_putpages().
- MFC r303627 (by alc): Restore the historical behavior of "sysctl vm.swap_idle_enabled=1".
- MFC r324795: Move swapout code into vm/vm_swapout.c.
- MFC r325386: Convert explicit panic() call to assert.
- MFC r325387: Eliminate unused load.
- MFC r325388: x86: Do not emit unused TD_TID symbols.
- MFC r325389: C++17 requires quick_exit(3) to be async-signal safe.
kp (1):
- MFC r324996:
manu (1):
- MFC r324257-r324258
markj (9):
- MFC r324704: Fix a racy VI_DOOMED check in MNT_VNODE_FOREACH_ALL().
- MFC r324809: Free the right address range if kmem_back() fails in memguard_alloc().
- MFC r324804: Avoid the nbp lookup in the final loop iteration in flushbuflist().
- MFC r324868: Delete declarations of struct pfs_bitmap, removed in r143841.
- MFC r324923: Remove resource_set_*() declarations from sys/bus.h.
- MFC r324920: Fix the VM_NRESERVLEVEL == 0 build.
- MFC r324992: Make drain_output() use bufobj_wwait().
- MFC r325050: Remove workqueue items after updating the workqueue tail pointer.
- MFC r325051: Remove a stale and incorrect comment.
mav (3):
- MFC r324659: Update details of interface capabilities changed by bridge(4).
- MFC r324661: Add Creative vendor ID.
- MFC r324752: Relax per-ifnet cif_vrs list double locking in carp(4).
mmel (2):
- MFC r324660:
- MFC r325103:
ngie (2):
- MFC r324862:
- MFC r324928,r324929:
oshogbo (8):
- MFC r323859: Simplify the code by _not_ expecting success under 'fail'.
- MFC r323852: The 'while (array != NULL) { }' suggests scan-build that array may be initially NULL, which is not possible. Change the loop to 'do {} while (array != NULL)' to satisfy scan-build and assert that array really cannot be NULL just in case.
- MFC r323853: Make the code consistent by always using 'fail' label.
- MFC r323854: Because nvp wasn't initialized on every loop iteration once we jumped to 'fail' on error it was treated as success, because nvp!=NULL. Fix this by not handling success under 'fail' label and by using separate variable for parent nvpair.
- MFC r323851: Remove redundant initialization. Don't use variable - just return the value. Make scan-build happy by casting to 'void *' instead of 'void **'.
- MFC r323856: Free 'value' only once we are done freeing all individual
- MFC r323858: IMHO it is possible that failure will be treated as success because we don't initialize nvp on every loop iteration and the code under 'fail'(!) label detects success by checking of nvp != NULL.
- MFC r323860: Plug memory leak in case when nvlist allocation succeeds, but nvpair allocation fails.
pfg (4):
- MFC r323547, r323598: libedit: add missing bracket.
- MFC r325066: Fix out-of-bounds read in libc/regex.
- MFC r325067: bsnmpd: Only refresh devtree if devd event is a new or removed device.
- MFC r325397: ANSI-fy exec_shell_imgact().
philip (1):
- MFC r325059: import tzdata 2017c
rmacklem (2):
- MFC: r324506 Fix forced dismount when a pNFS mount is hung on a DS.
- MFC: r324639 Fix the client IP address reported by nfsdumpstate for 64bit arch and NFSv4.1.
sbruno (1):
- Merge r323509 and r324994 adding Cavium LiquidIO Driver (lio) to stable/11.
se (1):
- MFC 324721: Add references to sysrc(8) to SEE ALSO. MFC 324823: Mention sysrc(8) as scripting interface for config files.
tijl (2):
- MFC r323692,r323710,r323714,r324628,r324629,r324635,r324636,r324637
- MFC r325232
truckman (1):
- MFC r325008
wulf (5):
- MFC r321397-r321399
- MFC r322695:
- MFC: r324772 ums(4): Unreverse evdev Tilt-axis reporting to match Linux.
- MFC: r324770 bthidd: Fix leds on multireport keyboards broken after r297217
- MFC: r324774 psm(4): Add sanity checks to Synaptics touchpad driver resolution parser.