Fix multiple vulnerabilities of OpenSSL. Security: FreeBSD-SA-17:11 Approved by: so
| Delta | File | |
|---|---|---|
| +10 | -2 | crypto/openssl/crypto/bn/asm/x86_64-mont5.pl |
| +10 | -2 | secure/lib/libcrypto/amd64/x86_64-mont5.S |
| +6 | -4 | crypto/openssl/crypto/x509v3/v3_addr.c |
| +4 | -0 | UPDATING |
| +1 | -1 | sys/conf/newvers.sh |
| +31 | -9 | 5 files |
Properly bzero kldstat structure to prevent information leak. [SA-17:10] Approved by: so Security: FreeBSD-SA-17:10.kldstat Security: CVE-2017-1088
| Delta | File | |
|---|---|---|
| +18 | -13 | sys/compat/freebsd32/freebsd32_misc.c |
| +7 | -5 | sys/kern/kern_linker.c |
| +7 | -0 | UPDATING |
| +1 | -1 | sys/conf/newvers.sh |
| +33 | -19 | 4 files |
Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086
| Delta | File | |
|---|---|---|
| +2 | -2 | sys/kern/sys_process.c |
| +2 | -2 | 1 files |
Update timezone database information. [EN-17:09] Approved by: so
| Delta | File | |
|---|---|---|
| +1,034 | -0 | contrib/tzdata/theory.html |
| +0 | -840 | contrib/tzdata/Theory |
| +298 | -284 | contrib/tzdata/southamerica |
| +309 | -234 | contrib/tzdata/asia |
| +399 | -60 | contrib/tzdata/NEWS |
| +193 | -123 | contrib/tzdata/europe |
| +2,233 | -1,541 | 21 files not shown |
| +3,313 | -2,102 | 27 files |
Fix WPA2 protocol vulnerability. [SA-17:07] Approved by: so
| Delta | File | |
|---|---|---|
| +108 | -47 | contrib/wpa/src/rsn_supp/wpa.c |
| +44 | -2 | contrib/wpa/src/rsn_supp/tdls.c |
| +29 | -3 | contrib/wpa/src/ap/wpa_auth.c |
| +16 | -0 | contrib/wpa/wpa_supplicant/wnm_sta.c |
| +12 | -0 | contrib/wpa/src/common/wpa_common.h |
| +10 | -0 | contrib/wpa/src/ap/wpa_auth_ft.c |
| +219 | -52 | 9 files not shown |
| +244 | -53 | 15 files |
Fix OpenSSH Denial of Service vulnerability. [SA-17:06] Fix VNET kernel panic with asynchronous I/O. [EN-17:07] Approved by: so
| Delta | File | |
|---|---|---|
| +7 | -0 | UPDATING |
| +5 | -0 | crypto/openssh/auth-passwd.c |
| +1 | -1 | sys/conf/newvers.sh |
| +2 | -0 | sys/kern/sys_socket.c |
| +15 | -1 | 4 files |
Fix heimdal KDC-REP service name validation vulnerability [SA-17:05] Approved by: so
| Delta | File | |
|---|---|---|
| +5 | -1 | UPDATING |
| +2 | -2 | crypto/heimdal/lib/krb5/ticket.c |
| +1 | -1 | sys/conf/newvers.sh |
| +8 | -4 | 3 files |
Fix ipfilter(4) fragment handling panic. Security: FreeBSD-SA-17:04.ipfilter Approved by: so
| Delta | File | |
|---|---|---|
| +4 | -0 | UPDATING |
| +1 | -1 | sys/conf/newvers.sh |
| +1 | -1 | sys/contrib/ipfilter/netinet/ip_frag.c |
| +6 | -2 | 3 files |
Fix multiple vulnerabilities of ntp. [SA-17:03] Xen migration enhancements. [EN-17:05] Approved by: so
| Delta | File | |
|---|---|---|
| +0 | -9,636 | contrib/ntp/sntp/ltmain.sh |
| +0 | -9,636 | contrib/ntp/ltmain.sh |
| +1,635 | -6,067 | contrib/ntp/configure |
| +1,468 | -5,937 | contrib/ntp/sntp/configure |
| +3,536 | -2,044 | contrib/ntp/sntp/libevent/build-aux/ltmain.sh |
| +1,668 | -1,130 | contrib/ntp/sntp/m4/libtool.m4 |
| +8,307 | -34,450 | 404 files not shown |
| +16,454 | -73,636 | 410 files |
Fix multiple vulnerabilities of OpenSSL. [SA-17:02] Fix system hang when booting when PCI-express HotPlug is enabled. [EN-17:01] Fix NIS master updates are not pushed to NIS slave. [EN-17:02] Fix compatibility with Hyper-V/storage after KB3172614 or KB3179574. [EN-17:03] Make makewhatis output reproducible. [EN-17:04] Approved by: so
| Delta | File | |
|---|---|---|
| +188 | -103 | crypto/openssl/ssl/t1_lib.c |
| +72 | -66 | crypto/openssl/crypto/ui/ui_lib.c |
| +99 | -23 | sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c |
| +36 | -29 | crypto/openssl/INSTALL |
| +28 | -33 | secure/lib/libssl/man/SSL_read.3 |
| +61 | -0 | crypto/openssl/CHANGES |
| +484 | -254 | 475 files not shown |
| +4,739 | -5,862 | 481 files |
Fix multiple vulnerabilities of OpenSSH. Security: FreeBSD-SA-17:01.openssh Security: CVE-2016-10009 Security: CVE-2016-10010 Approved by: so
| Delta | File | |
|---|---|---|
| +34 | -7 | crypto/openssh/ssh-agent.c |
| +13 | -0 | crypto/openssh/ssh-agent.1 |
| +4 | -0 | UPDATING |
| +2 | -2 | crypto/openssh/serverloop.c |
| +1 | -1 | sys/conf/newvers.sh |
| +54 | -10 | 5 files |
Fix multiple vulnerabilities of ntp. Approved by: so
| Delta | File | |
|---|---|---|
| +1,258 | -1,255 | contrib/ntp/ntpd/ntp_parser.c |
| +1,068 | -1,058 | contrib/ntp/ntpd/ntp_keyword.h |
| +1,891 | -5 | contrib/ntp/CommitLog |
| +373 | -371 | contrib/ntp/ntpd/ntp_parser.h |
| +217 | -150 | contrib/ntp/util/ntp-keygen.c |
| +207 | -138 | contrib/ntp/ntpd/ntp_crypto.c |
| +5,014 | -2,977 | 178 files not shown |
| +7,439 | -3,841 | 184 files |
Merge r309688: address regressions in SA-16:37.libc. PR: 215105 Submitted by: <jtd2004a sbcglobal.net> Approved by: so
| Delta | File | |
|---|---|---|
| +5 | -6 | lib/libc/net/linkaddr.c |
| +4 | -0 | UPDATING |
| +1 | -1 | sys/conf/newvers.sh |
| +10 | -7 | 3 files |
Fix possible login(1) argument injection in telnetd(8). [SA-16:36] Fix link_ntoa(3) buffer overflow in libc. [SA-16:37] Fix possible escape from bhyve(8) virtual machine. [SA-16:38] Fix warnings about valid time zone abbreviations. [EN-16:19] Update timezone database information. [EN-16:20] Fix incorrectly defined unicode character(s). [EN-16:21] Security: FreeBSD-SA-16:36.telnetd Security: FreeBSD-SA-16:37.libc Security: FreeBSD-SA-16:38.bhyve Errata Notice: FreeBSD-EN-16:19.tzcode Errata Notice: FreeBSD-EN-16:20.tzdata Errata Notice: FreeBSD-EN-16:21.localedef Approved by: so
| Delta | File | |
|---|---|---|
| +34 | -17 | lib/libc/net/linkaddr.c |
| +14 | -0 | UPDATING |
| +8 | -3 | lib/libvmmapi/vmmapi.c |
| +4 | -3 | contrib/telnet/telnetd/sys_term.c |
| +1 | -1 | sys/conf/newvers.sh |
| +61 | -24 | 5 files |
Merge r308330 by bapt: localedef: Fix ctype dump (fixed wide spread errors) See original commit for longer description. Errata Notice: EN-16:21 Approved by: so
| Delta | File | |
|---|---|---|
| +11 | -12 | usr.bin/localedef/parser.y |
| +3 | -3 | usr.bin/localedef/ctype.c |
| +1 | -1 | contrib/netbsd-tests/lib/libc/locale/t_mbstowcs.c |
| +15 | -16 | 3 files |
Update tzdata to 2016i. Note: because of what appears to be a missing MFC to stable branches, these patches were generated by doing: % rsync -av stable/11/contrib/tzdata releng/11.x/contrib % svn add releng/11.x/contrib/tzdata Errata Notice: EN-16:20 Submitted by: gjb Approved by: so
| Delta | File | |
|---|---|---|
| +3,782 | -0 | contrib/tzdata/NEWS |
| +620 | -262 | contrib/tzdata/europe |
| +840 | -0 | contrib/tzdata/Theory |
| +793 | -0 | contrib/tzdata/Makefile |
| +677 | -0 | contrib/tzdata/backzone |
| +382 | -195 | contrib/tzdata/asia |
| +7,094 | -457 | 20 files not shown |
| +8,211 | -928 | 26 files |
Merge r307358 from stable/11:
Incorporate a change from OpenBSD by millert at OpenBSD.org
Don't warn about valid time zone abbreviations. POSIX
through 2000 says that an abbreviation cannot start with ':', and
cannot contain ',', '-', '+', NUL, or a digit. POSIX from 2001
on changes this rule to say that an abbreviation can contain only
'-', '+', and alphanumeric characters from the portable character
set in the current locale. To be portable to both sets of rules,
an abbreviation must therefore use only ASCII letters." Adapted
from tzcode2015f.
Errata Notice: EN-16:19.tzcode
Submitted by: bapt
Approved by: so
| Delta | File | |
|---|---|---|
| +8 | -16 | contrib/tzcode/zic/zdump.c |
| +3 | -17 | contrib/tzcode/zic/zic.c |
| +11 | -33 | 2 files |
Fix Fix OpenSSH remote Denial of Service vulnerability. Security: FreeBSD-SA-16:33.openssh Approved by: so
| Delta | File | |
|---|---|---|
| +4 | -0 | UPDATING |
| +1 | -1 | sys/conf/newvers.sh |
| +1 | -0 | crypto/openssh/kex.c |
| +6 | -1 | 3 files |
Revised SA-16:15. The initial patch didn't cover all possible overflows based on passing incorrect parameters to sysarch(2). [1] Fix unchecked array reference in the VGA device emulation code. [2] Security: SA-16:15 [1] Security: SA-16:32 [2] Approved by: so
| Delta | File | |
|---|---|---|
| +4 | -4 | usr.sbin/bhyve/vga.c |
| +6 | -0 | UPDATING |
| +4 | -1 | sys/amd64/amd64/sys_machdep.c |
| +1 | -1 | sys/conf/newvers.sh |
| +15 | -6 | 4 files |
EN-16:18: loader may hang during boot A programming error in GELIBoot causes the loader to attempt to read past the end of the disk if the size of the final partition is not a multiple of 4 kB. Merge r306834 from stable/11. Approved by: so
| Delta | File | |
|---|---|---|
| +14 | -6 | sys/boot/geli/geliboot.c |
| +14 | -6 | 1 files |
Update releng/11.0 to 11.0-RELEASE-p1. Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +1 | -1 | sys/conf/newvers.sh |
| +1 | -1 | 1 files |
MFS r306418: portsnap: only move expected snapshot contents from snap/ to files/ Previously it was possible to smuggle in addional files that would be used by later portsnap runs. Now we only move those files expected to be in the snapshot into files/ and require that there are no unexpected files. This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic attacks against FreeBSD update components" anonymous gist. Approved by: re (gjb)
| Delta | File | |
|---|---|---|
| +7 | -0 | usr.sbin/portsnap/portsnap/portsnap.sh |
| +7 | -0 | 1 files |
Merge from stable/11 bspatch, portsnap, and libarchive fixes:
=== bspatch ===
MFS r306213: bspatch Capsicumization, sanity checks, and other improvements
r304691: bspatch: apply style(9)
Make style changes (and trivial refactoring of open calls) now in order
to reduce noise in diffs for future capsicum changes.
r304807 (allanjude): Capsicumize bspatch
Move all of the fopen() and open() calls to the top of main()
Restrict each FD to least privilege (read/seek only, write only, etc)
cap_enter(), and make all except the output FD read/seek only.
[65 lines not shown]Merge r306343 by jkim: Merge OpenSSL 1.0.2j. Approved by: so Approved by: re (implicit)
Prepare for 11.0-RELEASE builds. Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +1 | -1 | sys/conf/newvers.sh |
| +1 | -1 | 1 files |
Anticipate when we will be ready to announce 11.0-RELEASE. Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +3 | -0 | UPDATING |
| +3 | -0 | 1 files |
Statically set __FreeBSD_version for 11.0-RELEASE. Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +1 | -1 | lib/csu/common/crtbrand.c |
| +1 | -1 | 1 files |
Remove dual-revision entries, and prefer the latter, unbreaking URLs to svnweb. Submitted by: jkim Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +9 | -10 | release/doc/en_US.ISO8859-1/relnotes/article.xml |
| +9 | -10 | 1 files |
Add a link to the 'installation.html' section for freebsd-update(8) usage information. Suggested by: theraven Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +6 | -0 | release/doc/en_US.ISO8859-1/relnotes/article.xml |
| +6 | -0 | 1 files |
Change the entity for arm64 from 'aarch64' to 'arm64'. Submitted by: emaste Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
| Delta | File | |
|---|---|---|
| +1 | -1 | release/doc/share/xml/release.ent |
| +1 | -1 | 1 files |