Stable release: HardenedBSD-stable 10-STABLE v46.26

HardenedBSD-10-STABLE-v46.26 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...



Warning: this is a security update!


Highlights:

  • libarchive update (f0e80d829a6d0ff8bb7a46bd3a18dd6159b14284) [FreeBSD-SA-Candidate]
  • ntpd update to 4.2.8p10 (77b785069d6eae320236013da6d95b7f5b1bed39) [FreeBSD-SA-Candidate]
  • fix signal handling (ee4124b33f70470844978d1c8e4cd6ae062ebb0a)
  • ZFS updates - for more details see /usr/src/UPDATING file
  • fix kernel memory disclosure in sys_nanosleep (bce7b617018c250761c47f5c3f108e921967f532) [FreeBSD-SA-Candidate]
  • fix NULL pointer dereference and panic with shm file pread/pwrite (b99ef16b54afe13145b759e50409e47854084552)
  • discard first 3072 bytes of RC4 keystream (c2d58806b9c8f951eb62c390161af34447d7edd3)
  • apply noexec mount option for mmap(PROT_EXEC) (662245c4d63c9acf32783194220c75fc766710ea)
  • reject userland CCBs that have CAM_UNLOCKED set (18602a4e400bd8760263fa0ca89773f59b70b3ac)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...


CHECKSUM.SHA512:




CHECKSUM.SHA512.asc:





Changelog:

Oliver Pinter (4):

  • HBSD MFC: Reject userland CCBs that have CAM_UNLOCKED set.
  • HBSD MFC: zero this struct as it depends upon it...
  • HBSD MFC: port noexec mount option for mmap fix 68b818dcb54455b15cb23bec21e9ec0da5926b9e to 10-STABLE
  • Merge remote-tracking branch 'origin/freebsd/10-stable/master' into hardened/10-stable/master




Oliver Pinter + (56):

  • Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master




ae (2):

  • MFC r314430: When IPv6 fragments reassembly is complete, update mbuf's csum_data and csum_flags using information from all fragments. This fixes dropping of reassembled packets due to wrong checksum when the IPv6 checksum offloading is enabled on a network card.
  • MFC r315192: Ignore ifnet renaming in the bpf ifnet departure handler.




amdmi3 (1):

  • MFC r315242: Fix late and noauto with geli swap




avg (14):

  • MFC r314058: zfs: lower priority of zio_write_issue threads by four
  • qlxgbe: add GCC_MS_EXTENSIONS to CFLAGS to make old base GCC happy
  • MFC r314666: ioat: don't specify inline for function with variable argument list
  • MFC r314274: l2arc: fix write size calculation broken by Compressed ARC commit
  • MFC r314864: firewire/sbp: try to improve locking, plus a few style nits
  • MFC r314912: MFV r314910: 7843 get_clones_stat() is suboptimal for lots of clones
  • MFC r314913: MFV r314911: 7867 ARC space accounting leak
  • MFC r315074: actually implement proc:::lwp-exit probe
  • MFC r315075: trace thread running state when a thread is run for the first time
  • MFC r315083: aacraid: fix build with AACRAID_DEBUG=2
  • MFC r314048,r314194: reimplement zfsctl (.zfs) support
  • add UPDATING entry for r315844, MFC of re-worked .zfs code
  • MFC r315076: zfs: provide a special vptocnp method for the .zfs vnode
  • revert r315841, MFC of r315083: not applicable to this branch




badger (3):

  • MFC r313733:
  • MFC r313992, r314075, r314118, r315484:
  • MFC r315412, r314852:




bdrewery (3):

  • MFC r314714:
  • Bump __FreeBSD_version for libmd changes in r314143.
  • MFC r314709,r314790,r314794:




cy (5):

  • MFC r314627:
  • MFC r312886:
  • MFC r314768:
  • MFC r314896:
  • MFC r311103 (ian):




davidcs (2):

  • MFC r314062 add bus_dmamap_unload in ql_free_dmabuf()
  • MFC r314365 1. state checks in bxe_tx_mq_start_locked() and bxe_tx_mq_start() to sync threads during interface down or detach. 2. add sysctl to set pause frame parameters 3. increase max segs for TSO packets to BXE_TSO_MAX_SEGMENTS (32) 4. add debug messages for PHY 5. HW LRO support restricted to FreeBSD versions 8.x and above.




dchagin (1):

  • MFC r303464 (by brooks@):




delphij (2):

  • MFC r315225:
  • MFC r315871: MFV r315791: ntp 4.2.8p10.




des (7):

  • MFH (r314528): update to reflect the state of SHA-1
  • MFH (r314554): fix date in previous commit
  • MFH (r314598): load default options before requesting ticket
  • MFH (r300602): the NAS identifier is a string, not an integer
  • MFH (r303289): update example section
  • MFH (r313974,r314596): open .netrc early in case we want to drop privs MFH (r314396,r315143): fix a crash caused by an incorrect format string MFH (r314701): fix handling of 416 errors when requesting a range MFH (r315455): fix parsing of IP literals (square brackets)
  • Subset of upstream r902 which fixes custom prompts.




dexuan (1):

  • MFC: 314547, 314770, 314828, 314891, 314956, 314962, 315235




dim (5):

  • MFC r314061:
  • MFC r310232:
  • Pull in r283944 from upstream libc++ trunk (by Eric Fiselier):
  • MFC r315745:
  • Synchronize libcxxrt in stable/10 with stable/11.




ed (1):

  • MFC r315732:




erj (4):

  • ixgbe(4): Update to 3.2.11-k
  • ixgbe(4): Fix VF build failure on i386 caused by r315333
  • ixgbe(4): Fix build breakage when only compiling ix(4)
  • ixgbe(4): Re-add mutex lock call that was dropped in a previous commit.




grehan (1):

  • MFC r315361 and r315364: Hide MONITORX/MWAITX from guests.




hselasky (8):

  • MFC r310806:
  • MFC r312338:
  • MFC r312424:
  • MFC r312551:
  • MFC r313778:
  • MFC r313941:
  • MFC r314328:
  • MFC r314553:




ian (1):

  • MFC r314918, r314919:




jamie (1):

  • MFC r316022,r316023:




jilles (1):

  • MFC r314637: sh: Add some already working tests that exercise new code paths




jpaetzel (1):

  • MFC 313879




kib (5):

  • MFC r314429: Initialize pcb_save for thread0.
  • MFC r314960: Fix typo in comment.
  • MFC r315155: Ktracing kevent(2) calls with unusual arguments might lead to overly large allocation requests.
  • MFC r315453: When clearing altsigstack settings on exec, do it to the right thread.
  • MFC r315588: Update the list of cpudev ioctls which require write access.




kp (2):

  • MFC r314810:
  • MFC 315529




loos (1):

  • MFC of r314281:




markj (1):

  • MFC r313841, r313850: Prevent CPU migration when checking the DTrace nofault flag on x86.




mav (50):

  • MFC r314374: Add safety check against too long CDB.
  • MFC r314592: Fix JSON output.
  • MFC r314307: Add support for SIMs without autosense.
  • MFC r314308: Fix LUN enabling on wildcard target, as done by CTL.
  • MFC r314786: Import mpr(4) driver P12 to P14 diff from vendor site.
  • MFC r314548: Completely skip cache flushing for not supporting log devices.
  • MFC r314549: Execute last ZIO of log commit synchronously.
  • MFC r314908: When chunking large DIOCGDELETE, do it on stripe edge.
  • MFC r314952: Fix unused variable when built without INVARIANT_SUPPORT.
  • MFC r303874 (by trasz): Remove NULL check after M_WAITOK allocation from mpt(4).
  • MFC r308423 (by scottl): Fix the fallout from r308268 (mpt driver causes endless witness warnings in VMWare and elsewhere) with the precision of a dull, rusty butter knife.
  • MFC r311305 (by asomers): Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name)
  • MFC r314966: Report FC link speed.
  • MFC r314968: Report some more data in XPT_PATH_INQ.
  • MFC r314967: Add support for XPT_GET_SIM_KNOB in FC mode.
  • MFC r314998: Fix FC target mode in mpt(4), broken in multiple ways.
  • MFC r315002: Improve residuals reporting in target mode.
  • MFC r315004: Add PIM_EXTLUNS support to mpt(4).
  • MFC r315067: Partially fix target task management requests handling.
  • MFC r315025: Switch work_queue from TAILQ to STAILQ.
  • MFC r315030: Abort all ATIOs and INOTs queued to SIM on LUN disable.
  • MFC r315022: Request change of SIM target role only when it is different.
  • MFC r315082: Allow XPT_GDEV_STATS for UNCONFIGURED devices.
  • MFC r315084: Increase device openings to tagged maximum.
  • MFC r315087, r315146: Improve ctl(4) description, including frontends and backends.
  • MFC r315163: Remove strange config_intrhook_establish() magic.
  • MFC r315160: Remove code for unsupported FreeBSD versions.
  • MFC r315161: Try to slightly untangle I/O and loop status handling.
  • MFC 315229: Remove remnant of r315163.
  • MFC r299849 (by trasz): Remove NULL checks after M_WAITOK allocations from isp(4).
  • MFC r315234: Improvements around attach, reset and detach.
  • MFC r315236: Remove dangerous and questionable isp_mboxcmd_qnw() call.
  • MFC r315273: Remove tangled isp_mbox_continue() mechanism.
  • MFC r315279: Remove some dead/broken code paths around async handling
  • MFC r315711: Fix printing bits above first eight.
  • MFC r315298: Fix ancient bug from r84597, which broke 23xx after r315234.
  • MFC r315303: Fix panic when SIM dereferenced before allocation.
  • MFC r315307: Refactor interrupt handling.
  • MFC r315327: Remove not very useful ATIO/INOT stats.
  • MFC r315478: Do some notify acks cleanup.
  • MFC r315482: Use isp_target_put_entry() in places where it can be.
  • MFC r315485: Remove dead remnants of SPI target.
  • MFC r315488: Extend nt_lun to full 8 byte.
  • MFC r315489: Move RQSTYPE_ABTS_RCVD parsing into generic code.
  • MFC r315507: Reorganize RQSTYPE_NOTIFY handling for chips
  • MFC r315533: Move 24xx RQSTYPE_NOTIFY handling to generic code.
  • MFC r315534: Remove some dead stuff.
  • MFC r315536: Move
  • MFC r315545: Remove hackish code delaying ATIOs to unknown virtual port.
  • Fix build broken by different size of lun_id_t.




mm (2):

  • MFC r314571: Update libarchive to version 3.3.1 (and sync with latest vendor dist)
  • MFC r315636,315876,316095: Sync libarchive with vendor




mmokhi (1):

  • MFC r314996: Fix NULL pointer dereference and panic with shm file pread/pwrite.




ngie (64):

  • MFC r314450,r313439:
  • MFC r313438:
  • MFC r314226:
  • MFC r314242:
  • MFC r314240:
  • MFC r314239:
  • MFC r314644:
  • MFC r314189,r314190,r314191:
  • MFC r314233:
  • MFC r314545:
  • MFC r314542:
  • MFC r314793,r314796,r314797,r314798,r314799,r314800,r314801,r314802,r314803,r314804,r314805:
  • MFC r314807:
  • MFC r314830:
  • MFC r274130: r274130 (by bapt):
  • MFC r314895:
  • MFC r315114:
  • MFC r315111:
  • MFC r314924:
  • MFC r315113:
  • MFC r314954:
  • MFC r311601:
  • MFC r315132,r315133,r315186:
  • MFC r315202:
  • MFC r315199,r315200,r315203:
  • MFC r315206:
  • MFC r314241,r315228:
  • MFC r315320:
  • MFC r315654:
  • MFC r315363,r315365:
  • MFC r315360:
  • MFC r315595,r315603:
  • MFC r315690:
  • MFC r315641,r315642:
  • MFC r314245:
  • MFC r315639:
  • MFC r315647:
  • MFC r315686,r315688:
  • MFC r313436,r313437,r313438,r314587,r315687:
  • MFC r315699:
  • MFC r315738:
  • Fix -Wformat issue with r316140, which broke i386/GENERIC
  • MFC r315734:
  • MFC r314372:
  • MFC r315796:
  • MFC r315774:
  • MFC r315759,r315761:
  • MFstable/11 r316229:
  • MFC r315797:
  • MFC r316049:
  • MFC r315789:
  • MFC r315772:
  • MFC r315802:
  • MFC r315788:
  • MFC r315803:
  • MFC r315795:
  • MFC r315762:
  • MFC r316050,r316051:
  • MFC r315798:
  • MFC r315776:
  • MFC r316080,r316081,r316115:
  • MFC r316108:
  • MFC r316107:
  • MFC r316106:




np (2):

  • MFC r314814 and r315325.
  • MFC r315201, r315920, r315921, r315922, r316008, and r316062.




pfg (7):

  • MFC r314505: Split the ficl CFLAGS when they refer to an arch-specific include path.
  • Revert 294545: Bringing back ext4: add support for reading sparse files
  • MFC r314145, r314158 vxge(4): double assignments.
  • MFC r314321: dc(1): Merge minor changes from OpenBSD.
  • MFC r315187: libc: mall cleanup.
  • MFC r315426, MFV r315425: one-true-awk: have calloc(3) do the multiplication.
  • MFC r315212, r315213, r315214, r315215: mkimg(1): let calloc(3) do the multiplication. nscd(8): let calloc(3) do the multiplying. mpsutil(8): let calloc(3) do the multiplying. ypbind(8): let calloc(3) do the multiplying.




royger (3):

  • MFC r314841:
  • MFC r314840:
  • xen/netfront: release resources on removal




sephe (1):

  • MFC 314382,314483-314485




sevan (14):

  • MFC 315964 ftp.microsoft.com is dead and the document was not archived, point to the full protocol spec document instead. Fix spelling mistake flagged by igor. Rephrase bad sentence flagged by igor.
  • MFC 312684
  • MFC r309552
  • MFC r281759
  • MFC r312692
  • MFC r309192
  • MFC r270771 Add canonical population of a disk / thumb drive from an image example.
  • MFC r270831
  • MFC r285645
  • MFC r306715
  • MFC r306617
  • MFC r306616
  • MFC r266586
  • MFC r306733




truckman (1):

  • MFC r315516




vangyzen (5):

  • MFC r313817
  • MFC r314055
  • MFC r313820
  • MFC r314626
  • MFC r315510