=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v retrieving revision 1.1393 retrieving revision 1.1394 diff -c -r1.1393 -r1.1394 *** www/plus.html 2016/07/28 22:47:22 1.1393 --- www/plus.html 2016/08/02 21:20:46 1.1394 *************** *** 81,86 **** --- 81,300 ----

In sndiod(8), avoid triggering watchdog time-outs which prevent sndiod from resuming. +
Update perl Time::HiRes to 1.9739. +
Bump LibreSSL to 2.4.2. +
In rtadvd(8), prevent a NULL dereference. +
In malloc(3), adapt the S option: add C, and remove F and P. +
In inet6(4), restore the automagically added /64 route on p2p interfaces in order to send traffic to link-local addresses without default route. + +
In ssh(1), explicitly check for 100% completion in the progress meter. This avoids a potential floating point rounding error which could cause the progress meter to report 99% on completion. +
In vi(1), if /tmp/vi.recover doesn't exist, don't create it. Warn once that it doesn't exist, afterwards fail silently. +
In smtpd(8), explicitely enclose SMTP transactions between BEGIN and COMMIT/ROLLBACK filter events. +
In ioapic(4/amd64), don't write to the read-only RIRR bit in the IOAPIC redirection register. This may subsequently block interrupt delivery. + +
In nc(1), add the -M and -m options to specify the outgoing and incoming minimum TTL. +
In fts_open(3): +
- Do not return an error if one of the paths in argv is empty. This prevents programs using fts(3) from reporting an error if one of the paths is empty. +
- When the list passed is empty, return EINVAL instead of pretending to succeed. This avoids a NULL pointer dereference in a later fts_read(3) call. +
+
Add the net.inet.ip.arptimeout and net.inet.ip.arpdown sysctl(8)'s for ARP timers. +
In bgpd(8), use IPV6_MINHOPCOUNT to finish implementing ttl-security for IPv6. +
Update to xkeyboard-config 2.18. +
In pkg_info(1), implement -z that uses is-branch info to produce "complete" stem--[flavor][%branch] listing. +
Add UDP unicast and multicast support for IP_MINTTL and IPV6_MINHOPCOUNT. + +
On vmm(4/amd64), fix a panic when CPUs fail to spin up for other reasons during boot. +
On amd64 and i386, enable the UMIP feature if present. +
Enable ure(4) on the architectures where url(4) already is. +
5.9 SECURITY FIX: Correct a problem that could result in incorrect parsing/encoding of times in OCSP messages.
A source code patch is available for 5.9. +
Repair kill(2) on zombie processes. +
In ldpd(8), fix a logic bug causing the advertised transport connection preference (LDPoIPv4 or LDPoIPv6) not to be respected. +
In iwn(4), revert the implementation of iwn_update_htprot(). We are still seeing links dropping upon HT protection updates with some iwn chips. +
Restore the sys_o58_kill system call. This provides a clean transition for runtimes that make direct system calls. +
Make the IPV6_UNICAST_HOPS socket option usable for incoming TCP connections. +
In ip6(4), implement IPV6_MINHOPCOUNT support. +
In doas(1), revise environment handling. Add a "setenv" keyword to doas.conf(5) for manipulating the environment, the "keepenv" now means only retain everything. +
Add ure(4), a driver for Realtek RTL8152 10/100 USB Ethernet adapters. +
In pkg_add(1), make scp:// work with PKG_CACHE. + +
In bcrypt(3), increase the minimum for auto rounds to 6. +
In login.conf(5), use auto rounds for bcrypt (on amd64, i386, macppc and sparc64). +
Dynamically attach cpsw(4/armv7) with the FDT. +
Dynamically attach tiiic(4/armv7) using the FDT. Only match on omap4 compatible controllers such as the one in the am335x on BeagleBone Black. + +
Dynamically attach omdog(4/armv7) using the FDT. +
In pkg_add(1), recognize @option is-branch. +
Fix a pledge(2) issue with "fdisk /dev/tty". +
In libcrypto: +
- Fix the ocsp code to actually check for errors when comparing time values. Ensure that it only compared GERNERALIZEDTIME values as per RFC6960. +
- Ensure that OCSP uses Generalized Time on requests as per RFC6960. +
+ +
In pf(4), make nat-to usable by in rules and together with divert-to. Collisions with existing states are found and produce a "NAT proxy port allocation failed" message. +
Update to nsd 4.1.10. + +
Log to syslogd(8) when the dmesg(8) buffer overflows and messages are lost. +
When pf_test() returns something but PF_PASS, set error to EACCES instead of EHOSTUNREACH. On the latter, ip_forward() can generate undesired ICMP errors. +
In pax(1), allow creation of devices or fifo without -p. + +
In sshd(8), fix AuthenticationMethods during configuration re-parse. +
In fec(4/armv7), fetch MAC address from FDT. +
In unbound(8): +
- Update to unbound 1.5.9. +
- Fix a segfault in the -h option. +
- Fix QNAME minimisation with various broken DNS servers, often found at CDNs. +
+
In cn30xxgmx(4/octeon), add support for the second GMX interface on the Octeon II. This enables ports eth[0-3] on 8-port EdgeRouters. +
In iwm(4): +
- Explicitly send multicast frames at the lowest rate, instead of picking a rate from the firmware RS table. +
- Pass the correct Tx rate to BPF (tcpdump(8)) for 5GHz. +
- Don't loop over CCK rates when building the Link-Quality command's RS table for 5GHz. +
- Let the firmware deal with DTIM and TSF information details by itself. Fixes some association issues with 8260 hardware. +
- Clear the in_assoc flag when going down. +
+ +
Add hyperv(4), the main Hyper-V nexus driver (work in progress). +
On amd64, set up the Hyper-V hypercall page and an IDT vector. +
In bgpd(8), dvmrpd(8), eigrpd(8), hostapd(8), httpd(8), ifstated(8), iked(8), ipsecctl(8), iscsictl(8), ldapd(8), ldpd(8), ospf6d(8), ospfd(8), pfctl(8), relayd(8), ripd(8), smtpd(8), snmpd(8), vmd(8), ypldap(8), do not allow whitespace in macro names, i.e. "this is" = "a variable". +
In ld.so(1), when handling DT_TEXTREL only set the mapping to READ+WRITE, ignore possible EXEC permission for the section, because the proper permission is set late, and there are no thread concerns in this case. This avoids W^X issues. +
In efifb(4), add support for drawing a console on a coreboot framebuffer. This is useful on chromebooks that have no legacy vga device or, for newer chipsets, a full console and X with wsfb(4). +
In pf.conf(5), change the parser to make af-to on pass out rules an error. This fixes a bug where a nonworking configuration could be loaded. +
On m88k, add sc_cookie in sigcontext, as same as other ports. +
In audioctl(1): +
- Reimplement it using new API in a simper way. +
- Group all encoding parameters in a single string (ex. "s16le") so that we use the same naming scheme as aucat, sndiod and many ports. +
- Remove "properties" as they are not used any longer. +
- Remove the list of encodings as there's no benefit in having it. +
- Add the -q option, to look like sysctl(8). +
- Remove the unused -a option. +
- Stop using symlinks in /dev. +
+ +
In libcrypto, disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior. +
In openssl(1), fix a bug loading the default certificate path locations. The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. +
In ld(1), make creation of text-relocations a fatal error by default, with -znotext to permit it and -ztext to reenable the default of forbidding it. +
In bgpd(8), show the "nexthop 1.2.3.4 now valid: via 192.168.0.1" message only in debug mode. +
Add ds1307(4), an I2C driver for the Maxim DS1307 Real Time Clock chip. +
In iwm(4), send PHY DB commands as async commands. This change makes it work better in RAMDISK kernels. + +
Make umb(4) also work with devices that implement both NCM 1.0 and MBIM. +
Dynamically attach omap uart with FDT. +
Remove the lockmgr(9) API. +
In rcctl(8): +
- Cache the result of often used functions. +
- Implement "rcctl get|getdef all". +
+ +
In ldpd(8): +
- Fix a use-after-free. +
- Fix a memory leak. +
- Fix removal of dual-stack neighbors. +
+
In cn30xxgmx(4), make the 1 Gbps SGMII settings the default to define a consistent set of parameters even if a link is down. +
Add the net.inet.tcp.rootonly and net.inet.udp.rootonly sysctl(8)'s, to mark which ports cannot be bound to by non-root users. +
In iwm(4), plug some memory leaks in error paths. + +
Dynamically attach ommmc(4/armv7) with FDT. +
In ldpd(8): +
- Fix a small LIB-LFIB synchronization issue. +
- Do not allow configuring the same interface for both LDP and VPLS. +
+
In smtpd(8), also add missing date or message-id when listening on the submit port. + +
In sshd_config(5), ban AuthenticationMethods="" and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication (bz#2398). +
In pfctl(8), allow "include" in inline anchors. +
In tmux(1), allow a command to be specified to display-panes rather than always just selecting the pane. +
In acpitoshiba(4), enable suspend/hibernate fn keys. + +
In smtpd(8): +
- Rework the format of the "Received" header so that the TLS part does not violate the RFC. +
- Increase number of connections a local address is allowed to establish, and decrease the delay between transactions in the same session. +
- Properly reset the transaction when a filter rejects a message. +
+
Add umb(4), a driver for the Mobile Broadband Interface Model (MBIM) to provide support for USB MBIM devices. +
In tmux(1): +
- Add -F to list-commands. +
- Automatically exit all modes after 180 seconds of inactivity and if there is pending output. +
+ +
In ssh(1), remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching (part of bz#2585). +
Update to tzdata2016e. +
In pkg_add(1), restrict %m and friends to "separate words" so they won't collide with branch specifiers. +
In pppoe(4) and sppp(4), don't hardcode vlan/queue priority for pppoe packets, but instead inherit it from the new "llprio" setting on the pppoe(4) interface. +
In the timeout_add_*(3), prevent a round to zero. +
In pkg_add(1), implement "pkgname%branch" which can be used to restrict matches to a branch matching the pkgpath(7). + +
Dynamically attach imxdog(4) using the FDT. +
Avoid socket splicing loops: if the same mbuf is spliced 128 times, assume that there is a loop and abort the splicing. +
In ldpd(8): +
- Rework the handling of Hello packets in order to improve IPv6 support. +
- Implement a timeout for the session initialization FSM. This prevents neighbors stuck in the initialization FSM to linger forever as long as the associated transport connection is up. +
- Implement support for the Configuration Sequence Number TLV. +
+
In utvfu(4), start/stop the audio bulk thread as the consumer opens/closes device. +
In uvm_map(9), avoid grabbing the kernel lock for interrupt-safe pools. +
In uhidev(4), do not execute the callback if the device is beeing detached. This should prevent a race triggering a use-after-free. +
Correct the pledge for "disklabel(8) -R -[fF]". + +
Dynamically fec(4/armv7) using the FDT. +
In sxie(4/armv7) and sxiuart(4/armv7), handle both the nintr 1 (allwinner a10/cortex a8) and nintr 3 (allwinner a20/cortex a7) cases. + +
On armv7, ignore everything from ":" onward in stdout-path when finding the console node. Characters after this are device-specific settings. +
Dynamically attach imxuart using the FDT. +
In exuart(4/armv7), override the address found with FDT if the board ID is c210, because the qemu smdkc210 target uses serial0 for console while the exynos4210-universal_c210 dtb specifies stdout as serial2. +
Dynamically attach sxiuart using the FDT. +
Dynamically attach sxie(4/armv7) using the FDT. + +
In ldpd(8): +
- Fix parsing of multiple optional TLVs in label and notification messages. This fixes IxANVL LDP test 15.3. +
- Make it possible to parse unknown TLVs in the future. +
- Send an "Unknown FEC" Notification for unexpected wildcard FECs. This fixes ANVL LDP test 15.6. +
- Add missing ntohl(3) when recording a label request. This fixes the following ANVL LDP tests: 1.5 and 9.4. +
- Parse the whole Hello packet before processing it. This fixes a bug where we could create a dynamic targeted neighbor in response to a malformed packet. +
+
In ifconfig(8), add the "llprio" parameter to set the priority of packets that do not go through pf(4). +
In acpi(4), don't attempt to attach acpitimer(4) if the timer isn't present. The power management timer has been made optional in ACPI 5.0A. +
In tetris(6), when eliding a row, clear the invisible row zero, so that no columns can become unusable during game play. + +
In ldpd(8): +
- Send a fatal notification when the last hello adjacency is deleted. This fixes the following ANVL LDP tests: 7.17 and 23.3. +
- Do not shut down the session upon receiving unknown messages. This fixes IxANVL LDP test 22.13. +
- Set the Message ID for Hello messages too. +
+
Dynamically attach imxesdhc(4/armv7) using the FDT. +
Add SGMII support and PHY addresses for 8-port EdgeRouters. This makes plain RJ45 ports eth[4-7] usable. +
Dynamically attach i.MX6 ahci(4) using the FDT. + +
In ldpd(8): +
- Add one more safety check for Initialization messages. This fixes the following ANVL LDP tests: 6.5, 6.6 and 6.11. +
- Change what is considered a NACK for our Initialization messages. This fixes the following ANVL LDP tests: 6.19, 6.21 and 6.22. +
- Discard Hello packet if advertised transport address is of different AF. This fixes IxANVL LDP test 5.13. +
- Fix quick reconnect when the transport address is changed. +
+
Remove octhci(4). It has been superseded by dwctwo(4). +
Do the full W^X check on hppa and mips64. +
On armv7, use FDT to find the console to initialise. +
Attach acpitoshiba(4) on Libretto, Dynabook and SPA40 laptops. +
Enforce W^X and map W|X segments without X permission initially. The dynamic linker will make these read-only and add back X permission after relocation processing. +
In ld.so(1), some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing. + +
In ld.so(1), accommodate ELF ABIs that require a PLT that is both writable and executable, without causing W^X violations.
In sshd(8), revert src/usr.bin/ssh/kexgexs.c r1.28 ("Check min and max sizes sent by the client"). It caused "key_verify failed for server_host_key" in clients that send a DH-GEX min value less that DH_GRP_MIN.
In doas.conf(5), revert the setenv feature.