===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus35.html,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- www/plus35.html 2017/04/07 13:51:34 1.49
+++ www/plus35.html 2017/06/26 17:18:57 1.50
@@ -81,384 +81,384 @@
-- Don't use FD_ZERO(2) in isakmpd(8)'s privsep monitor.
-
- When binding UDP server sockets in isakmpd(8), check the sockaddr buffer is large enough before copying.
+
- Don't use FD_ZERO(2) in isakmpd(8)'s privsep monitor.
+
- When binding UDP server sockets in isakmpd(8), check the sockaddr buffer is large enough before copying.
-
- Add some extra sanity checks for incoming pfsync(4) packets.
+
- Add some extra sanity checks for incoming pfsync(4) packets.
- Fix a kernel memory leak when deleting interface addresses (SIOCDIFADDR).
-
- Add a missing spl(9) around if_down() in vlan(4).
+
- Add a missing spl(9) around if_down() in vlan(4).
-
- In pf(4), properly m_copyback(9) the modified TCP sequence number after demodulation.
+ - In pf(4), properly m_copyback(9) the modified TCP sequence number after demodulation.
[Applied to stable]
- - Fix a use-after-free in carp(4).
-
- Raise carp(4) advskew to 240 while waiting for the pfsync(4) bulk update. This makes sure that other hosts can preempt a host that's booting up but hasn't got its network bearings yet.
+
- Fix a use-after-free in carp(4).
+
- Raise carp(4) advskew to 240 while waiting for the pfsync(4) bulk update. This makes sure that other hosts can preempt a host that's booting up but hasn't got its network bearings yet.
- Fix a check-for-null-then-deref-anyway bug in icmp6.
-
- Fix a cut-and-pasto in pf(4)'s stateful ICMP code.
-
- Unbreak the ICMP checksum when pf(4) sequence number modulation is used.
+ - Fix a cut-and-pasto in pf(4)'s stateful ICMP code.
+
- Unbreak the ICMP checksum when pf(4) sequence number modulation is used.
[Applied to stable]
- - Disable carp error logging (sysctl(3) net.inet.carp.log) by default.
+
- Disable carp error logging (sysctl(3) net.inet.carp.log) by default.
-
- Remove an unnecessary null termination in the isakmpd(8) privsep monitor.
-
- Teach file(1) about OpenBSD-amd64 binaries and coredumps.
-
- Add a small delay before the bulk update to stop pfsync(4) looping unnecessarily.
+
- Remove an unnecessary null termination in the isakmpd(8) privsep monitor.
+
- Teach file(1) about OpenBSD-amd64 binaries and coredumps.
+
- Add a small delay before the bulk update to stop pfsync(4) looping unnecessarily.
-
- Fix ssl(3) rmd160 breakage on sparc64.
-
- Teach tcpdump(8) how to display the new pfsync(4) bulk updates.
-
- Make pfsync(4) stop carp(4) preempting to become master until the bulk state table sync has completed.
-
- Support best-efforts bulk transfers of states when a pfsync(4) syncif is first configured. This allows pfsync+carp clusters to come up gracefully without killing active connections.
-
- Have rc(8) stop carp(4) interfaces on system shutdown.
-
- Add pass rules for the pfsync and carp protocols to the default pf(4) rulebase installed by /etc/rc(8).
-
- Make sure pfsync(4) interfaces are initialised before carp(4) interfaces in /etc/netstart(8).
+
- Fix ssl(3) rmd160 breakage on sparc64.
+
- Teach tcpdump(8) how to display the new pfsync(4) bulk updates.
+
- Make pfsync(4) stop carp(4) preempting to become master until the bulk state table sync has completed.
+
- Support best-efforts bulk transfers of states when a pfsync(4) syncif is first configured. This allows pfsync+carp clusters to come up gracefully without killing active connections.
+
- Have rc(8) stop carp(4) interfaces on system shutdown.
+
- Add pass rules for the pfsync and carp protocols to the default pf(4) rulebase installed by /etc/rc(8).
+
- Make sure pfsync(4) interfaces are initialised before carp(4) interfaces in /etc/netstart(8).
-
- Unbreak routing change handling in carp(4).
+
- Unbreak routing change handling in carp(4).
- Bump OpenSSH to version 3.8.1.
-
- Make pfctl(8)'s '-s osfp' option work by spelling it less like OSPF.
-
- Update pf.os(5) to include OpenBSD 3.5, since that's where it's now at.
-
- Have tn3270(1) check errno instead of setting it.
-
- Fix yet another stray semicolon, this time in aac(4).
-
- Implement firmware downloading for mpt(4).
+
- Make pfctl(8)'s '-s osfp' option work by spelling it less like OSPF.
+
- Update pf.os(5) to include OpenBSD 3.5, since that's where it's now at.
+
- Have tn3270(1) check errno instead of setting it.
+
- Fix yet another stray semicolon, this time in aac(4).
+
- Implement firmware downloading for mpt(4).
-
- Make bge(4) work on 64-bit machines even if they're not alphas.
-
- Have privsep named(8) pass SIGINT to the child process.
+
- Make bge(4) work on 64-bit machines even if they're not alphas.
+
- Have privsep named(8) pass SIGINT to the child process.
- Upgrade Puffy to 3.5 and lock XF4 for release.
-
- Add final pieces of privilege separation for isakmpd(8) and switch it on.
-
- Add pxeboot(8) for i386 and amd64, derived from NetBSD.
-
- Fix another stray semicolon, in tcpdump(8)'s ASN.1 printer this time.
-
- More mpt(4) fixes, more to come.
+
- Add final pieces of privilege separation for isakmpd(8) and switch it on.
+
- Add pxeboot(8) for i386 and amd64, derived from NetBSD.
+
- Fix another stray semicolon, in tcpdump(8)'s ASN.1 printer this time.
+
- More mpt(4) fixes, more to come.
-
- When initialising the new state in pf(4) DIOCADDSTATE, point to the default rule instead of NULL.
+
- When initialising the new state in pf(4) DIOCADDSTATE, point to the default rule instead of NULL.
- Merge parts of XFree86 4.4.0 Release not affected by the new license.
-
- Allow a carp(4) device's state to be set explicitly with ifconfig(8).
-
- Set permissions on the right files for the @owner, @group and @mode directives in pkg_add(1) when -B is in effect.
-
- For wi(4) devices with Prism firmware version 1.6.3 or later, support an enhanced security mode for a hostap where the SSID can be hidden from snoopers.
-
- Speed up bgpd(8) session reestablishment.
-
- Fix timeout issues with eap(4) audio devices.
+
- Allow a carp(4) device's state to be set explicitly with ifconfig(8).
+
- Set permissions on the right files for the @owner, @group and @mode directives in pkg_add(1) when -B is in effect.
+
- For wi(4) devices with Prism firmware version 1.6.3 or later, support an enhanced security mode for a hostap where the SSID can be hidden from snoopers.
+
- Speed up bgpd(8) session reestablishment.
+
- Fix timeout issues with eap(4) audio devices.
- Stop the installer asking for the timezone when upgrading.
-
- Fix spamd(8)'s logging when the blacklist limit is hit.
-
- Allow users with write access to bgpd(8)'s control socket to send queries.
-
- Fix an out-of-bounds read in ssl(3) (CAN-2004-0112). This code isn't used in OpenBSD.
+
- Fix spamd(8)'s logging when the blacklist limit is hit.
+
- Allow users with write access to bgpd(8)'s control socket to send queries.
+
- Fix an out-of-bounds read in ssl(3) (CAN-2004-0112). This code isn't used in OpenBSD.
- Always read at least DEV_BSIZE (512) bytes of the disklabel, some disks have smaller block sizes.
- RELIABILITY FIX: A missing check for a NULL-pointer dereference has been found in ssl(3). A remote attacker can use the bug to cause an OpenSSL application to crash; this may lead to a denial of service.
A source code patch is available.
[Applied to stable]
- - Fix a minor memory leak in isakmpd(8).
+
- Fix a minor memory leak in isakmpd(8).
- Lots of pre-release documentation fixes and additions.
-
- If running at securelevel(7) 2, use the -x option to increase the chances of ntpd using slew mode, since stepping backwards is disabled at this level.
-
- Some mpt(4) stability fixes.
+
- If running at securelevel(7) 2, use the -x option to increase the chances of ntpd using slew mode, since stepping backwards is disabled at this level.
+
- Some mpt(4) stability fixes.
-
- Don't signal mountd(8) from mount(8) when all that's required is a listing of mounts (PR#3695).
-
- Create bgpd(8)'s control socket later in the startup.
-
- Remember to unlock USB wi(4) devices on errors.
-
- Since we've allocated a cache for pax(1), let's go right ahead and use it.
+
- Don't signal mountd(8) from mount(8) when all that's required is a listing of mounts (PR#3695).
+
- Create bgpd(8)'s control socket later in the startup.
+
- Remember to unlock USB wi(4) devices on errors.
+
- Since we've allocated a cache for pax(1), let's go right ahead and use it.
- Remove 'extern int errno' in favour of #include <errno.h> in a number of programs.
-
- Have diff(1) in directory mode skip over anything that's not a regular file or directory, for POSIX reasons.
+
- Have diff(1) in directory mode skip over anything that's not a regular file or directory, for POSIX reasons.
-
- Yet another stray semicolon removed, pax(1) is the lucky program.
-
- Prevent blacklist connections we're tarpitting from maxing out spamd(8)'s available connections. Controllable with the new -B option.
-
- Have wi(4) hostap send an error response if a station sends a bogus challenge instead of just ignoring it.
-
- Make software WEP work on wi(4) devices. Only in BSS (station) and hostap modes for now.
-
- Fix another bug caused by a stray semicolon, this time in tcpdump(8).
-
- daemon(3)ise ifstated(8) earlier.
-
- Some logic fixes and additional error checks in USB wi(4).
-
- Have sensorsd(8) deal gracefully with attempts to initialise unsupported sensor types.
+
- Yet another stray semicolon removed, pax(1) is the lucky program.
+
- Prevent blacklist connections we're tarpitting from maxing out spamd(8)'s available connections. Controllable with the new -B option.
+
- Have wi(4) hostap send an error response if a station sends a bogus challenge instead of just ignoring it.
+
- Make software WEP work on wi(4) devices. Only in BSS (station) and hostap modes for now.
+
- Fix another bug caused by a stray semicolon, this time in tcpdump(8).
+
- daemon(3)ise ifstated(8) earlier.
+
- Some logic fixes and additional error checks in USB wi(4).
+
- Have sensorsd(8) deal gracefully with attempts to initialise unsupported sensor types.
- Fix memory leak caused by a stray semicolon in arla.
-
- panic(9) if an attempt is made to use the kernel arc4random generator too early.
-
- Fix occasional locate.updatedb(8) failures due to a bug in sort(1).
-
- Check chdir(2) return code after chroot(2) in bgpd(8) and isakmpd(8).
-
- Fix a memory leak and a missing break in pf(4) ioctl processing error paths.
-
- Clear struct sockaddr_un before use in syslogc(8).
+
- panic(9) if an attempt is made to use the kernel arc4random generator too early.
+
- Fix occasional locate.updatedb(8) failures due to a bug in sort(1).
+
- Check chdir(2) return code after chroot(2) in bgpd(8) and isakmpd(8).
+
- Fix a memory leak and a missing break in pf(4) ioctl processing error paths.
+
- Clear struct sockaddr_un before use in syslogc(8).
-
- In spamd(8), only shrink the window once we're in the DATA mode. This way, greylisted connections don't get held up by the tiny window but spam bodies are still sent. Very. Slowly.
-
- Restore scsi(4) bus scans to full speed by not checking LUNs that will be skipped anyway.
-
- Fix fd and another memory leak in routed(8).
+
- In spamd(8), only shrink the window once we're in the DATA mode. This way, greylisted connections don't get held up by the tiny window but spam bodies are still sent. Very. Slowly.
+
- Restore scsi(4) bus scans to full speed by not checking LUNs that will be skipped anyway.
+
- Fix fd and another memory leak in routed(8).
- Make the sane_install() tests in the installer match more useful reality.
-
- Check the return code of chdir(2) after the privsep chroot(2) in pflogd(8), syslogd(8) and tcpdump(8).
-
- Disable crypto(9) MAC functions for now, no current hardware can use them.
-
- Some oosiop(4) cleanup based on osiop(4).
-
- In wskbd(4), make the caps lock key do caps lock instead of shift lock (PR#2555).
+
- Check the return code of chdir(2) after the privsep chroot(2) in pflogd(8), syslogd(8) and tcpdump(8).
+
- Disable crypto(9) MAC functions for now, no current hardware can use them.
+
- Some oosiop(4) cleanup based on osiop(4).
+
- In wskbd(4), make the caps lock key do caps lock instead of shift lock (PR#2555).
-
- Make it easier to kill spamd(8) greylisted processes.
-
- Do pfsync(4) interface setup last in /etc/netstart(8), so that hopefully the syncif gets set up beforehand.
+
- Make it easier to kill spamd(8) greylisted processes.
+
- Do pfsync(4) interface setup last in /etc/netstart(8), so that hopefully the syncif gets set up beforehand.
-
- Make bgpctl(8)'s empty-as keyword work.
-
- Extra free-then-NULL paranoia in spamd(8).
-
- Fix wi(4) software WEP on big-endian machines.
-
- Unbreak tail(1) -f mode for filesystems not blessed with kqueue(2) support.
-
- Implement privilege separation for named(8). And there was much rejoicing.
+
- Make bgpctl(8)'s empty-as keyword work.
+
- Extra free-then-NULL paranoia in spamd(8).
+
- Fix wi(4) software WEP on big-endian machines.
+
- Unbreak tail(1) -f mode for filesystems not blessed with kqueue(2) support.
+
- Implement privilege separation for named(8). And there was much rejoicing.
- Plug a rtentry leak when TCP gives up on a cached route (in_pcb.c:in_losing()).
-
- Fix (guess what?) a memory leak in the yacc(1) skeleton code.
-
- Check the payload size more carefully when printing IKE messages in tcpdump(8).
-
- Plug a memory leak in the error path of execve(2).
+ - Fix (guess what?) a memory leak in the yacc(1) skeleton code.
+
- Check the payload size more carefully when printing IKE messages in tcpdump(8).
+
- Plug a memory leak in the error path of execve(2).
[Applied to stable]
- - Preliminary port of the NetBSD oosiop(4) driver, supporting really old NCR SCSI chips on hppa machines.
+
- Preliminary port of the NetBSD oosiop(4) driver, supporting really old NCR SCSI chips on hppa machines.
-
- Unbreak pkg_add(1)'s handling of packages from stdin.
-
- Fix a bug in spamd(8) that stopped custom 450 messages being displayed.
-
- Some apm(4) fixes on i386.
-
- Sync the spamd(8) greylist database after each db operation, to minimise the likelihood of corruption.
-
- Add basic community support to bgpd(8).
-
- Correct a missing malloc(3) error check in bgpctl(8).
-
- Fix byte-ordering problems in routed(8) (PR#3704). Based on NetBSD.
+
- Unbreak pkg_add(1)'s handling of packages from stdin.
+
- Fix a bug in spamd(8) that stopped custom 450 messages being displayed.
+
- Some apm(4) fixes on i386.
+
- Sync the spamd(8) greylist database after each db operation, to minimise the likelihood of corruption.
+
- Add basic community support to bgpd(8).
+
- Correct a missing malloc(3) error check in bgpctl(8).
+
- Fix byte-ordering problems in routed(8) (PR#3704). Based on NetBSD.
- RELIABILITY FIX: Defects in the payload validation and processing functions of isakmpd(8) have been discovered. An attacker could send malformed ISAKMP messages and cause isakmpd to crash or to loop endlessly.
A source code patch is available.
[Applied to stable]
- - Obey the user's 'boot reboot' command at the ddb(4) prompt, even if the system is starting up.
-
- Some signedness paranoia when handling carp(4) sysctls.
-
- Fix missing checks for NULL returned from getpass(3) in login_*(8).
-
- Make bgpd(8) work harder to clean up after itself on exit.
-
- More work on capability announcements in bgpd(8).
-
- Fix an isakmpd(8) crash when deleting an ESP SA with no authentication (PR#2429).
-
- Symlink-handling improvements in pkg_add(1) etc.'s virtual filesystem code.
-
- Simplify the new scsi(4) LUN scanning logic, and print better diagnostics.
-
- New -b option to spamd(8), used to set the local bind address.
+
- Obey the user's 'boot reboot' command at the ddb(4) prompt, even if the system is starting up.
+
- Some signedness paranoia when handling carp(4) sysctls.
+
- Fix missing checks for NULL returned from getpass(3) in login_*(8).
+
- Make bgpd(8) work harder to clean up after itself on exit.
+
- More work on capability announcements in bgpd(8).
+
- Fix an isakmpd(8) crash when deleting an ESP SA with no authentication (PR#2429).
+
- Symlink-handling improvements in pkg_add(1) etc.'s virtual filesystem code.
+
- Simplify the new scsi(4) LUN scanning logic, and print better diagnostics.
+
- New -b option to spamd(8), used to set the local bind address.
-
- Allow the wsdisplay(4) screen blanker to be turned off again (PR#3123).
+
- Allow the wsdisplay(4) screen blanker to be turned off again (PR#3123).
- 3.5-beta -> 3.5.
-
- Increase the ssh(1) X11 cookie lifetime from two to twenty minutes.
-
- Plug some memory leaks in error paths of isakmpd(8).
-
- Fix multicast for recent sk(4) chipsets. From FreeBSD lists.
+
- Increase the ssh(1) X11 cookie lifetime from two to twenty minutes.
+
- Plug some memory leaks in error paths of isakmpd(8).
+
- Fix multicast for recent sk(4) chipsets. From FreeBSD lists.
- Be more thorough when URL-encoding usernames and passwords in the installer.
-
- Prevent the user specifying an interface name longer than IFNAMSIZ in ifconfig(8).
-
- Many, many more memory leak fixes in pfctl(8)'s parser.
-
- Fix a few missing initialisations in ssh-keyscan(1).
+
- Prevent the user specifying an interface name longer than IFNAMSIZ in ifconfig(8).
+
- Many, many more memory leak fixes in pfctl(8)'s parser.
+
- Fix a few missing initialisations in ssh-keyscan(1).
-
- Have pkg_add(1)'s dependency lookup check against local directory listings.
-
- New -A (pretend to be another architecture) and -P (limit distribution type) options to pkg_add(1).
+
- Have pkg_add(1)'s dependency lookup check against local directory listings.
+
- New -A (pretend to be another architecture) and -P (limit distribution type) options to pkg_add(1).
- More memory leak fixes to ifstated(8)'s parser.
- Fix a null deref in ifstated(8).
-
- Have nc(1) print an error message if connect(2) fails.
+
- Have nc(1) print an error message if connect(2) fails.
-
- Plug well-hidden memory leaks in bgpd(8), ifstated(8) and pfctl(8)'s parsers.
-
- Signal-handling tweaks to syslogd(8).
-
- Add mpt(4), a driver for LSI Fusion-MPT SCSI and Fibre Channel devices.
+
- Plug well-hidden memory leaks in bgpd(8), ifstated(8) and pfctl(8)'s parsers.
+
- Signal-handling tweaks to syslogd(8).
+
- Add mpt(4), a driver for LSI Fusion-MPT SCSI and Fibre Channel devices.
-
- Plumb bgpd(8) into /etc/rc(8) and /etc/rc.conf(8).
-
- More memory leak fixes in bgpd(8).
-
- Just chdir("/") in mg(1) instead of panicking if the initial getcwd(3) fails.
-
- Start work on capabilities announcement support in bgpd(8).
-
- Since not rejecting optional attributes in BGP implies acceptance/support, make bgpd(8) reject attributes it doesn't support.
-
- Send outstanding notifications to a bgpd(8) peer returning to the IDLE state.
-
- Stop carp(4) sending duplicate route add/delete messages.
-
- New IdentitiesOnly option for ssh_config(5), useful when an agent has many keys.
-
- Don't leak memory in scandir(3) (FreeBSD PR#7923, from 1998!)
-
- Fix a big greylist-related memory leak in spamd(8).
+
- Plumb bgpd(8) into /etc/rc(8) and /etc/rc.conf(8).
+
- More memory leak fixes in bgpd(8).
+
- Just chdir("/") in mg(1) instead of panicking if the initial getcwd(3) fails.
+
- Start work on capabilities announcement support in bgpd(8).
+
- Since not rejecting optional attributes in BGP implies acceptance/support, make bgpd(8) reject attributes it doesn't support.
+
- Send outstanding notifications to a bgpd(8) peer returning to the IDLE state.
+
- Stop carp(4) sending duplicate route add/delete messages.
+
- New IdentitiesOnly option for ssh_config(5), useful when an agent has many keys.
+
- Don't leak memory in scandir(3) (FreeBSD PR#7923, from 1998!)
+
- Fix a big greylist-related memory leak in spamd(8).
-
- In kdump(1), fix an off-by-one and describe ptrace(2) calls better.
+
- In kdump(1), fix an off-by-one and describe ptrace(2) calls better.
- Allow -stable kernels to build without TCP_ECN.
-
- Fix a few small key handling bugs in svnd(4).
+
- Fix a few small key handling bugs in svnd(4).
-
- Actually use the alternate RADIUS server in login_radius(8).
-
- Make sure that svnd(4) mounts can read their disklablel as svnd, not vnd.
-
- Extend md5(1)'s -c option so it can parse the output of GNU md5sum.
-
- Remove dynamic bufq support from wd(4) due to problems.
-
- Plug some memory leaks in bgpd(8).
+
- Actually use the alternate RADIUS server in login_radius(8).
+
- Make sure that svnd(4) mounts can read their disklablel as svnd, not vnd.
+
- Extend md5(1)'s -c option so it can parse the output of GNU md5sum.
+
- Remove dynamic bufq support from wd(4) due to problems.
+
- Plug some memory leaks in bgpd(8).
- Stop libreadline segfaulting when writing an empty history list to a file (PR#3690).
-
- Fixes to sftp(1)'s progress meter.
-
- Change sshd(8) child processes' proctitle to '[accepted]' after the, uh, accept(2) completes.
+
- Fixes to sftp(1)'s progress meter.
+
- Change sshd(8) child processes' proctitle to '[accepted]' after the, uh, accept(2) completes.
- Repair procfs status output (PR#2102).
- Fix unintentional ordering dependency in kernel module loading and unloading (PR#2910).
-
- Allow forced unmount(2)s of nullfs, procfs (both from PR#2394,) and umapfs.
+
- Allow forced unmount(2)s of nullfs, procfs (both from PR#2394,) and umapfs.
- Fix an off-by-one in procfs so that it can be successfully unmounted (PR#2327).
-
- Clean up badsect(8)'s error reporting (PR#3679).
-
- Start spamd(8) later in /etc/rc(8).
+
- Clean up badsect(8)'s error reporting (PR#3679).
+
- Start spamd(8) later in /etc/rc(8).
-
- Fix an mbuf(9) leak in tun(4) under failure conditions. From NetBSD.
-
- Count mixerctl(1) devices starting at zero instead of stack garbage.
-
- Fix wi(4) reset problems with newer Prism firmware.
-
- Make hostap mode work for Prism wi(4) cards with newer firmware, and disable hostap mode for old firmware.
-
- Socket types and error checks cleanup in talk(1).
-
- 64-bit fixes to brconfig(8).
-
- More features for bgpctl(8)'s 'show rib' command.
-
- Fix a memory leak in dhcpd(8)'s parser.
-
- Use daemon(3) instead of DIY in new dhclient(8).
-
- Start sshd(8) earlier in /etc/rc(8).
-
- Generate new dhclient(8)'s transaction id (xid) using arc4random(3) instead of random(3).
-
- Have dhclient(8) (old and new) exit cleanly if its interface goes away (PR#3648).
-
- New sysctl(3) net.inet.tcp.reasslimit, to control the size of the memory pool for TCP out-of-order segment reassembly that was introduced in the last erratum.
+
- Fix an mbuf(9) leak in tun(4) under failure conditions. From NetBSD.
+
- Count mixerctl(1) devices starting at zero instead of stack garbage.
+
- Fix wi(4) reset problems with newer Prism firmware.
+
- Make hostap mode work for Prism wi(4) cards with newer firmware, and disable hostap mode for old firmware.
+
- Socket types and error checks cleanup in talk(1).
+
- 64-bit fixes to brconfig(8).
+
- More features for bgpctl(8)'s 'show rib' command.
+
- Fix a memory leak in dhcpd(8)'s parser.
+
- Use daemon(3) instead of DIY in new dhclient(8).
+
- Start sshd(8) earlier in /etc/rc(8).
+
- Generate new dhclient(8)'s transaction id (xid) using arc4random(3) instead of random(3).
+
- Have dhclient(8) (old and new) exit cleanly if its interface goes away (PR#3648).
+
- New sysctl(3) net.inet.tcp.reasslimit, to control the size of the memory pool for TCP out-of-order segment reassembly that was introduced in the last erratum.
- RELIABILITY FIX: OpenBSD's TCP/IP stack did not impose limits on how many out-of-order TCP segments are queued in the system. An attacker could send out-of-order TCP segments and trick the system into using all available memory buffers.
A source code patch is available.
[Applied to stable]
- - Strip out all the multiple-interfaces code from new dhclient(8), it's not used any more.
+
- Strip out all the multiple-interfaces code from new dhclient(8), it's not used any more.
- Be sure to call fifofs' reclaim function from its host filesystems (ext2fs, ffs, nfs).
[Applied to stable]
- Give fifofs a real reclaim function to prevent memory leaks on rovocation, and fix a potential null deref.
[Applied to stable]
- Disable the COMPAT_25 compatibility option in GENERIC kernels.
-
- Catch illegally large AS numbers in bgpd(8).
-
- Rewrite of mount_portal(8), complete with IPv6 support.
-
- Cleanup and paranoia in spamdb(8).
-
- Support 'tagged <name>' specifiers on pf(4) anchor rules.
-
- Better IPv4 address validation in spamd(8).
-
- Process NOTE_TRUNCATE messages in tail(1) and unbreak file truncation handling in -f mode (PR#3689).
-
- Allow bgpd(8) to run in route-collector mode, i.e. disable the decision process.
+
- Catch illegally large AS numbers in bgpd(8).
+
- Rewrite of mount_portal(8), complete with IPv6 support.
+
- Cleanup and paranoia in spamdb(8).
+
- Support 'tagged <name>' specifiers on pf(4) anchor rules.
+
- Better IPv4 address validation in spamd(8).
+
- Process NOTE_TRUNCATE messages in tail(1) and unbreak file truncation handling in -f mode (PR#3689).
+
- Allow bgpd(8) to run in route-collector mode, i.e. disable the decision process.
- Build libf2c for GCC3 architectures.
-
- New -d option for nc(1), which disables reading from stdin (PR#3694).
+
- New -d option for nc(1), which disables reading from stdin (PR#3694).
-
- Fix a memory leak when the control socket detaches from bgpd(8).
-
- Make bgpctl(8)'s control socket nonblocking.
+
- Fix a memory leak when the control socket detaches from bgpd(8).
+
- Make bgpctl(8)'s control socket nonblocking.
- Import libf2c from GCC 3.3.2.
-
- Show the number of TCP connections drained (by new tcp_drain()) in netstat(1) output.
-
- Don't stat(2) the compress(1) outfile when running in test mode.
+
- Show the number of TCP connections drained (by new tcp_drain()) in netstat(1) output.
+
- Don't stat(2) the compress(1) outfile when running in test mode.
- Re-enable propolice if the X server is built without module support.
-
- Check the sign of values given to the hw.setperf sysctl(8).
-
- strtol(3) and signedness cleanup in ping(8).
+
- Check the sign of values given to the hw.setperf sysctl(8).
+
- strtol(3) and signedness cleanup in ping(8).
-
- Sync the installer with the ftp(1) fetch-mode fix.
-
- Open a new connection for each file pulled down by ftp(1) in fetch mode. Fixes problems where 'CWD /' does unexpected things.
+
- Sync the installer with the ftp(1) fetch-mode fix.
+
- Open a new connection for each file pulled down by ftp(1) in fetch mode. Fixes problems where 'CWD /' does unexpected things.
- Fix the test that disallows interface unit numbers greater than INT_MAX (to avoid signedness confusion).
- Don't allow leading zeros in cloner interface names.
- Upgrade 3.4-stable to OpenSSH 3.8.
-
- spamd(8) greylist cleanup and fixes.
+
- spamd(8) greylist cleanup and fixes.
-
- In ssh(1), make the read buffer for moduli(5) large enough for 8Kbit primes.
-
- Stop sshd(8) sending DH groups with a primitive generator of zero or one.
-
- Fix a race condition in wi(4) by disabling interrupts before sending an ACK. From NetBSD.
-
- Fix some over-zealous assert()ing in afsd(8).
-
- Add DH group 14 (modp2048) to isakmpd(8)'s list of predefined quick mode suites.
+
- In ssh(1), make the read buffer for moduli(5) large enough for 8Kbit primes.
+
- Stop sshd(8) sending DH groups with a primitive generator of zero or one.
+
- Fix a race condition in wi(4) by disabling interrupts before sending an ACK. From NetBSD.
+
- Fix some over-zealous assert()ing in afsd(8).
+
- Add DH group 14 (modp2048) to isakmpd(8)'s list of predefined quick mode suites.
- 3.4-current -> 3.5-beta.
-
- Remove a null deref and unbreak WSDISPLAY_USEFONT for vga(4).
+
- Remove a null deref and unbreak WSDISPLAY_USEFONT for vga(4).
- Fix an nfsv3-related panic that could occur when linking from a local fs into an NFS mount.
[Applied to stable]
- Add an implementation for the tcp_drain() function, similar to ip_drain().
[Applied to stable]
- - Stop pfctl(8) '-s all' printing the entire OS fingerprint database and all the interfaces.
-
- Interoperability fixes for isakmpd(8), particularly when talking to a Cisco PIX.
+
- Stop pfctl(8) '-s all' printing the entire OS fingerprint database and all the interfaces.
+
- Interoperability fixes for isakmpd(8), particularly when talking to a Cisco PIX.
-
- Don't use a regex when deleting a user from a group with userdel(8), since the username may contain regex special characters. Also, chmod(2) the new group file before moving it into place instead of after.
-
- Fix IP data length calculation in mrinfo(8) and mtrace(8).
-
- Fix ifconfig(8)'s matching of multi-digit interface names, e.g. stop vlan10 matching as vlan1.
+
- Don't use a regex when deleting a user from a group with userdel(8), since the username may contain regex special characters. Also, chmod(2) the new group file before moving it into place instead of after.
+
- Fix IP data length calculation in mrinfo(8) and mtrace(8).
+
- Fix ifconfig(8)'s matching of multi-digit interface names, e.g. stop vlan10 matching as vlan1.
- Add __va_copy() in <stdarg.h>, following old ISO C89 behaviour. Used by GNU software.
-
- Support dumping of the bgpd(8) RIB via bgpctl(8).
-
- Have bgpd(8) check that the nexthop is a valid range (i.e. not a class D, class E or a loopback).
+
- Support dumping of the bgpd(8) RIB via bgpctl(8).
+
- Have bgpd(8) check that the nexthop is a valid range (i.e. not a class D, class E or a loopback).
- Better logging for ifstated(8), taken from bgpd.
-
- More enhancements to bgpd(8)'s filter language.
-
- Include tcps_rcvmemdrop in netstat(1)'s TCP statistics output.
-
- Add 'greylisting' support to spamd(8). Oh yes.
+
- More enhancements to bgpd(8)'s filter language.
+
- Include tcps_rcvmemdrop in netstat(1)'s TCP statistics output.
+
- Add 'greylisting' support to spamd(8). Oh yes.
-
- Remove a sizeof(long)==4 assumption in ld.so(1) that could errnoeously zero four bytes of the next page.
-
- Add -B (destdir) support to pkg_delete(1).
-
- New Loglevel and Logverbose options for isakmpd.conf(5).
-
- Stop pfctl(8) clearing too much when -Fa is used and an anchor is given.
+
- Remove a sizeof(long)==4 assumption in ld.so(1) that could errnoeously zero four bytes of the next page.
+
- Add -B (destdir) support to pkg_delete(1).
+
- New Loglevel and Logverbose options for isakmpd.conf(5).
+
- Stop pfctl(8) clearing too much when -Fa is used and an anchor is given.
-
- Reorder code in dhcrelay(8) so that the server list is zero-filled before we add servers to it, not after.
-
- Allow tuning of bpf(4) buffer sizes via sysctl(8) variables net.bpf.*.
+
- Reorder code in dhcrelay(8) so that the server list is zero-filled before we add servers to it, not after.
+
- Allow tuning of bpf(4) buffer sizes via sysctl(8) variables net.bpf.*.
- Add /usr/local/share/fonts to /etc/fonts/fonts.conf, good for ports.
-
- Fix send_packet() return value checks in dhcrelay(8).
-
- Don't allow 'max-src-nodes' in a pf(4) rule if 'source-track global' is in effect.
-
- Enhancements to bgpd(8)'s filter language.
-
- Stop new dhclient(8) generating a pidfile.
-
- Use getopt(3) instead of DIY in new dhclient(8).
-
- Remove the interface discovery scan from new dhclient(8), and so require an explicit interface name.
-
- Don't allow 'max-src-nodes' option anywhere other than in a 'source-track' pf(4) rule.
+
- Fix send_packet() return value checks in dhcrelay(8).
+
- Don't allow 'max-src-nodes' in a pf(4) rule if 'source-track global' is in effect.
+
- Enhancements to bgpd(8)'s filter language.
+
- Stop new dhclient(8) generating a pidfile.
+
- Use getopt(3) instead of DIY in new dhclient(8).
+
- Remove the interface discovery scan from new dhclient(8), and so require an explicit interface name.
+
- Don't allow 'max-src-nodes' option anywhere other than in a 'source-track' pf(4) rule.
- A number of fifofs fixes from FreeBSD.
- 64 bit-specific binutils fixups. From binutils CVS.
- New slinear16-to-alaw audio format converters. From NetBSD.
-
- Better pread(2) and pwrite(2) error checks in libkvm.
-
- Fix a potential null deref when looking for a free pty(4) device.
-
- A little bounds-check paranoia in procmap(1).
-
- Make malloc(3) options work properly for programs that need ld.so(1).
-
- Build and install procmap(1) by default.
-
- Better heap discovery heuristic for procmap(1),
-
- Explicitly disallow backward jumps in bpf(4) filter programs.
-
- More cleanup and dead code removal in the new dhclient(8).
-
- Remove raw socket fallback code from new dhclient(8), since OpenBSD always uses bpf(4).
+
- Better pread(2) and pwrite(2) error checks in libkvm.
+
- Fix a potential null deref when looking for a free pty(4) device.
+
- A little bounds-check paranoia in procmap(1).
+
- Make malloc(3) options work properly for programs that need ld.so(1).
+
- Build and install procmap(1) by default.
+
- Better heap discovery heuristic for procmap(1),
+
- Explicitly disallow backward jumps in bpf(4) filter programs.
+
- More cleanup and dead code removal in the new dhclient(8).
+
- Remove raw socket fallback code from new dhclient(8), since OpenBSD always uses bpf(4).
- Bump OpenSSH version to 3.8.
-
- Bignum fixes in ssh(1).
-
- Set sshd(8)'s listen socket to non-blocking mode again, reverting the change from 26 Sept 2003.
-
- Fix an objdump(1) segfault on sparc64. From binutils CVS.
+
- Bignum fixes in ssh(1).
+
- Set sshd(8)'s listen socket to non-blocking mode again, reverting the change from 26 Sept 2003.
+
- Fix an objdump(1) segfault on sparc64. From binutils CVS.
- Fix an out-of-bounds read when comparing IPv6 prefixes if the prefix length is 128.
- Add pthread_attr_[gs]etstack(3) and bump libpthread minor version. From FreeBSD libc_r.
-
- String cleaning in fvwm(1) and wm2(1).
+
- String cleaning in fvwm(1) and wm2(1).
- Some cleanup of <pthread.h>. From FreeBSD's libc_r.
- Fix a locking-related crash when using a portal filesystem.
-
- Have pkg_add(1) make a distinction between an unreadable or non-package, and an inaccessible package file.
-
- Fix pciide(4) timeouts at the end of each cdrecord burn.
+
- Have pkg_add(1) make a distinction between an unreadable or non-package, and an inaccessible package file.
+
- Fix pciide(4) timeouts at the end of each cdrecord burn.
- Build sparc64 with gcc3. Gulp.
- Many USB device fixes from NetBSD.
-
- Fix a race in scsi(4), now cdrecord can safely write at high speeds.
+
- Fix a race in scsi(4), now cdrecord can safely write at high speeds.
- Re-fix 'VT black text on black background' and other XFree86 bugs for ATI cards, lost in the recent merge.
-
- Teach passwd(1) about the master.passwd.byname map so it can work in a secure (makedbm -s) environment.
-
- Uncomment and fix code for old tip(1) variables cdelay and ldelay.
-
- Have tcpdump(8)'s pfsync output show the interface being cleared if available.
-
- Update pfsync(4) to cope with interface-specific state clearing with e.g. pfctl -i fxp0 -Fs'.
-
- Add PKG_DESTDIR (-B option) support to pkg_add(1).
+
- Teach passwd(1) about the master.passwd.byname map so it can work in a secure (makedbm -s) environment.
+
- Uncomment and fix code for old tip(1) variables cdelay and ldelay.
+
- Have tcpdump(8)'s pfsync output show the interface being cleared if available.
+
- Update pfsync(4) to cope with interface-specific state clearing with e.g. pfctl -i fxp0 -Fs'.
+
- Add PKG_DESTDIR (-B option) support to pkg_add(1).
- Improvements to the new auto-generated MAKEDEV(8) manual pages.
-
- Allow pkg_add(1) etc. flavor names to contain dots and other special characters.
-
- Set files that ypbind(8) creates to mode 0644 with fchmod(2), just in case they're created with a more restrictive umask(2).
-
- New .Ex, .In and .Rv mdoc(7) macros.
-
- Fix some double-free(3)s in isakmpd(8).
+
- Allow pkg_add(1) etc. flavor names to contain dots and other special characters.
+
- Set files that ypbind(8) creates to mode 0644 with fchmod(2), just in case they're created with a more restrictive umask(2).
+
- New .Ex, .In and .Rv mdoc(7) macros.
+
- Fix some double-free(3)s in isakmpd(8).
- Resurrect old-style fontconfig-config program, still needed by some ports.
-
- Make sure that the guard page is also marked as MALLOC_FREE by free(3), to cut down on bleating #ifdef MALLOC_EXTRA_SANITY.
-
- Basic filtering support for bgpd(8).
-
- Add pfctl(8) -i support to -Fs, -ss, -sq and -w options.
-
- New smartreadlog command for atactl(8) to, well, read SMART logs.
-
- Fix SMART log-related panics in wdc(4).
-
- Have mount(8) report the actual xfs device mounted, and not just 'arla.'
-
- In isakmpd(8), handle SIGINT the same as SIGTERM when running with -d, and dump logs to syslog at LOG_INFO without -d.
-
- Fix a memory leak in tftp(1).
-
- Bring pf(4) queue id semantics into line with tag assignment, and remove last vestiges of userland qid code.
+
- Make sure that the guard page is also marked as MALLOC_FREE by free(3), to cut down on bleating #ifdef MALLOC_EXTRA_SANITY.
+
- Basic filtering support for bgpd(8).
+
- Add pfctl(8) -i support to -Fs, -ss, -sq and -w options.
+
- New smartreadlog command for atactl(8) to, well, read SMART logs.
+
- Fix SMART log-related panics in wdc(4).
+
- Have mount(8) report the actual xfs device mounted, and not just 'arla.'
+
- In isakmpd(8), handle SIGINT the same as SIGTERM when running with -d, and dump logs to syslog at LOG_INFO without -d.
+
- Fix a memory leak in tftp(1).
+
- Bring pf(4) queue id semantics into line with tag assignment, and remove last vestiges of userland qid code.
-
- Stop bc(1) modifying argv and optind while inside the getopt(3) loop.
-
- In gcc3, add a few missing open(2) third options when used with O_CREAT.
-
- Revoke procmap(1)'s privileges immediately after kvm_openfiles(3).
-
- Make sure doesn't call strtoul(3) on non-numbers.
-
- In procmap(1), print the names of missing symbols instead of '(null)'.
+
- Stop bc(1) modifying argv and optind while inside the getopt(3) loop.
+
- In gcc3, add a few missing open(2) third options when used with O_CREAT.
+
- Revoke procmap(1)'s privileges immediately after kvm_openfiles(3).
+
- Make sure doesn't call strtoul(3) on non-numbers.
+
- In procmap(1), print the names of missing symbols instead of '(null)'.
-
- Extra bzero(3) paranoia for data coming out of the scsi(4) xfer pool.
-
- Memory and string cleanup in procmap(1).
-
- Implement kevent(2) and kqueue(2) under FreeBSD emulation, using the native calls.
-
- Fix mishandling of numeric options in sed(1) (PR#3677).
-
- Add -i option to pfctl(8), restricting operations to the given interface. Only -sI implemented for now.
+
- Extra bzero(3) paranoia for data coming out of the scsi(4) xfer pool.
+
- Memory and string cleanup in procmap(1).
+
- Implement kevent(2) and kqueue(2) under FreeBSD emulation, using the native calls.
+
- Fix mishandling of numeric options in sed(1) (PR#3677).
+
- Add -i option to pfctl(8), restricting operations to the given interface. Only -sI implemented for now.
- sparc64 alignment fixes in gcc3 propolice.
-
- const'ify some more pthreads(3) prototypes for POSIX reasons. From FreeBSD libc_r.
-
- In chmod(1), check that 'foo.bar' isn't an existing username before assuming it's old-style user.group and treating it like user:group.
-
- Don't allocate a cluster in tcp_output() when the whole header fits into an mbuf(9).
-
- Add -4 and -6 IP transport selectors to rdate(8). Oh yes.
-
- Add an extra check for a null transport in isakmpd(8) exchanges.
-
- Use off_t instead of long so that tail(1) can handle large offsets.
+
- const'ify some more pthreads(3) prototypes for POSIX reasons. From FreeBSD libc_r.
+
- In chmod(1), check that 'foo.bar' isn't an existing username before assuming it's old-style user.group and treating it like user:group.
+
- Don't allocate a cluster in tcp_output() when the whole header fits into an mbuf(9).
+
- Add -4 and -6 IP transport selectors to rdate(8). Oh yes.
+
- Add an extra check for a null transport in isakmpd(8) exchanges.
+
- Use off_t instead of long so that tail(1) can handle large offsets.
- Remove more unnecessary checks for 8-bit values > 255, this time from libc/ethers.c.
-
- Add a missing realloc(3) failure check in asn1_compile.
+
- Add a missing realloc(3) failure check in asn1_compile.
- Generate the MAKEDEV(8) manpages automagically based on the same information as the MAKEDEV scripts themselves.
-
- gcc(1) propolice fixes on i386.
-
- First cut at procmap(1) from NetBSD (where it's called pmap). Not yet built by default.
+
- gcc(1) propolice fixes on i386.
+
- First cut at procmap(1) from NetBSD (where it's called pmap). Not yet built by default.
-
- New 'split' option in iostat(8) for the newly-separated disk read/write stats.
+
- New 'split' option in iostat(8) for the newly-separated disk read/write stats.
- Check for TDB entries marked as invalid when looking up tcpmd5 connections.
- Record separate disk statistics for read and write operations. Adapted from NetBSD.
-
- In ifstated(8), don't bcopy(3) around a structure containing TAILQ pointers.
+
- In ifstated(8), don't bcopy(3) around a structure containing TAILQ pointers.
- Better SIGHUP handling in ifstated(8).
- Refactor processor speed settings sysctl code (hw.cpuspeed, hw.setperf) for clarity.
-
- Fix broken tcpdump(8) IKE output for certain vendors' phase 1 proposals.
+
- Fix broken tcpdump(8) IKE output for certain vendors' phase 1 proposals.
-
- New driver, bce(4), for Broadcom 4401 10/100Mbps Ethernet devices.
+
- New driver, bce(4), for Broadcom 4401 10/100Mbps Ethernet devices.
- Drop the osigaltstack() compatibility system call.
- Import and merge XFree86-current of 2004/02/13, minus files with the new XFree86 License which contains text developed by The XFree86 Project, Inc (http://www.xfree86.org/) and its contributors.
-
- Make sure all pf(4) anchors get updated after an anchor is removed.
-
- Better signal handling and other cleanup in pflogd(8).
-
- Print textual service and protocol names properly in tcpdump(8) even when -n is specified.
-
- Some cleanup and an additional mode for acss(3).
+
- Make sure all pf(4) anchors get updated after an anchor is removed.
+
- Better signal handling and other cleanup in pflogd(8).
+
- Print textual service and protocol names properly in tcpdump(8) even when -n is specified.
+
- Some cleanup and an additional mode for acss(3).
-
- Disallow em(4) PHY resets when IP is enabled on an interface to prevent lockups when using GigE copper.
-
- Use a hash table instead of a linked list to speed up 802.1q tag -> vlan(4) interface lookup.
-
- New -p flag for pfctl(8), allowing the device to be something other than /dev/pf.
+
- Disallow em(4) PHY resets when IP is enabled on an interface to prevent lockups when using GigE copper.
+
- Use a hash table instead of a linked list to speed up 802.1q tag -> vlan(4) interface lookup.
+
- New -p flag for pfctl(8), allowing the device to be something other than /dev/pf.
- Logging cleanup in ifstated(8).
- Revert some propolice breakage in gcc3.
- 64-bit alignment fixes in ifstated(8).
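Review bot: several re-added entries in this hunk carry text errors over unchanged from the removed lines, and since each of those lines is being rewritten anyway they are worth fixing in the same revision. In the ld.so(1) sizeof(long)==4 entry, "errnoeously" should read "erroneously". The procmap(1) heap discovery heuristic entry ends in a comma rather than a full stop. The pfsync(4) interface-specific state clearing entry has an unbalanced quote in "pfctl -i fxp0 -Fs'". The entry "Make sure doesn't call strtoul(3) on non-numbers." names no program as it reads here. Every removed line visible in this hunk is matched by an added line with the same wording, so the revision looks like a markup or whitespace change only; the log message should say that, so nobody goes looking for content changes among the pf(4), isakmpd(8) and other security-relevant entries.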
@@ -466,1124 +466,1124 @@
- RELIABILITY FIX: Several buffer overflows exist in the code parsing font.aliases files in XFree86. Thanks to ProPolice, these cannot be exploited to gain privileges, but they can cause the X server to abort.
A source code patch is available.
[Applied to stable]
- - Add missing volatile to a signal handler flag in dc(1).
+
- Add missing volatile to a signal handler flag in dc(1).
- in tcp_input(), stop an unsigned integer underflow from making the TCP MSS calculation return ridiculously large values when ifp==NULL.
-
- Reduce makewhatis(8)'s newly-increased pickiness a little.
-
- Fix another bug that allows a pf(4) antispoof rule on an interface with no IP addresses to result in all other interfaces blocking all IP packets.
+
- Reduce makewhatis(8)'s newly-increased pickiness a little.
+
- Fix another bug that allows a pf(4) antispoof rule on an interface with no IP addresses to result in all other interfaces blocking all IP packets.
-
- Install bgpd.conf(5) root:wheel, mode 0600 and make bgpd(8) insist it be so.
-
- Reduce the default number of pty(4) devices from 64 to 16, now that additional ptys will be created on demand.
-
- Fix an off-by-one when generating pty(4) device names (ptydevname()).
-
- Make tcpdump(8)'s pfsync(4) output more consistent with other tcpdump output.
-
- Plug an mbuf(9) leak by making ip_fragment() free the mbuf on errors instead of expecting the caller to do it.
+ - Install bgpd.conf(5) root:wheel, mode 0600 and make bgpd(8) insist it be so.
+
- Reduce the default number of pty(4) devices from 64 to 16, now that additional ptys will be created on demand.
+
- Fix an off-by-one when generating pty(4) device names (ptydevname()).
+
- Make tcpdump(8)'s pfsync(4) output more consistent with other tcpdump output.
+
- Plug an mbuf(9) leak by making ip_fragment() free the mbuf on errors instead of expecting the caller to do it.
[Applied to stable]
- Add a flag so that hardware sensors can be marked as invalid if, for example, they're disconnected.
-
- Make picky mode in makewhatis(8) even pickier.
-
- Fix an off-by-one in pf(4)'s interface management code.
-
- Have ndp(8) flush stdout before sleeping in -A mode (KAME pr#584).
-
- In the new dhclient(8), don't send pointless DHCPDISCOVER messages on interfaces that are known to have an inactive link status.
+
- Make picky mode in makewhatis(8) even pickier.
+
- Fix an off-by-one in pf(4)'s interface management code.
+
- Have ndp(8) flush stdout before sleeping in -A mode (KAME pr#584).
+
- In the new dhclient(8), don't send pointless DHCPDISCOVER messages on interfaces that are known to have an inactive link status.
- Allow for the presence of tcpmd5 signatures in the TCP MSS calculation.
-
- Have pfctl(8) display a filter uptime now that we keep track of when it was last enabled.
-
- Make pfsync(4) work on 64-bit alignment-sensitive architectures when IP options are present.
-
- Unbreak ypset(8)'s -h option. From FreeBSD.
-
- Have sysctl(8) politely inform users that pstat(8) with -t is the tool of choice for viewing terminal information.
-
- Support -$ option (disallow '$' in identifiers) and -notraditional in cpp(1) for gcc2.
-
- New ptm device (see pty(4)) that allows non-privileged processes to allocate a properly-permissioned pty. No more setuid(root) xterm(1)!
-
- Stop assuming that tty sysctl(3) variables are quads. Some are now ints.
-
- Dynamically allocate kernel memory for ttys, controlled via sysctl(3)s kern.tty.{maxptys,nptys}. Adapted from NetBSD.
-
- Teach boot(8) how to load read-only data segments for ELF architecture kernels.
+
- Have pfctl(8) display a filter uptime now that we keep track of when it was last enabled.
+
- Make pfsync(4) work on 64-bit alignment-sensitive architectures when IP options are present.
+
- Unbreak ypset(8)'s -h option. From FreeBSD.
+
- Have sysctl(8) politely inform users that pstat(8) with -t is the tool of choice for viewing terminal information.
+
- Support -$ option (disallow '$' in identifiers) and -notraditional in cpp(1) for gcc2.
+
- New ptm device (see pty(4)) that allows non-privileged processes to allocate a properly-permissioned pty. No more setuid(root) xterm(1)!
+
- Stop assuming that tty sysctl(3) variables are quads. Some are now ints.
+
- Dynamically allocate kernel memory for ttys, controlled via sysctl(3)s kern.tty.{maxptys,nptys}. Adapted from NetBSD.
+
- Teach boot(8) how to load read-only data segments for ELF architecture kernels.
- If the i386 bootloader fails, enable interrupts before halting so ctrl-alt-del will work.
-
- Install the edit USD doc, reworked to be an ex(1) tutorial, under /usr/share/docs/usd/11.edit.
-
- In the XF4 Makefile, fix -o operator precedence for the find(1) command when checking for incorrect file permissions.
-
- Add missing MLINKS and do some .Nm macro cleanup to help makewhatis(8).
-
- Don't flush pf(4) stats when using the -e or -d options to pfctl(8). Store the time at which the filter was last enabled.
-
- Unbreak the pf.conf(5) 'set loginterface' command.
-
- Have lex(1) declare errno for c++ users too.
+
- Install the edit USD doc, reworked to be an ex(1) tutorial, under /usr/share/docs/usd/11.edit.
+
- In the XF4 Makefile, fix -o operator precedence for the find(1) command when checking for incorrect file permissions.
+
- Add missing MLINKS and do some .Nm macro cleanup to help makewhatis(8).
+
- Don't flush pf(4) stats when using the -e or -d options to pfctl(8). Store the time at which the filter was last enabled.
+
- Unbreak the pf.conf(5) 'set loginterface' command.
+
- Have lex(1) declare errno for c++ users too.
- Allow libstdc++ to build on architectures with no shared libraries.
-
- Fix a panic when cleaning up after an interface (e.g a PC Card wi(4)) has gone away (PR#3649).
-
- Unstick the -a option from ps(1) (PR#3676).
-
- Sync the installer network startup with changes in netstart(8).
-
- Fix a memory allocation-related panic in pfsync(4) that can occur under very high loads.
+
- Fix a panic when cleaning up after an interface (e.g a PC Card wi(4)) has gone away (PR#3649).
+
- Unstick the -a option from ps(1) (PR#3676).
+
- Sync the installer network startup with changes in netstart(8).
+
- Fix a memory allocation-related panic in pfsync(4) that can occur under very high loads.
- Fix a buffer overflow in XFree font aliasing. From XFree86 CVS.
[Applied to stable]
- Don't fully unroll kernel rijndael code to save some space.
-
- Some fixes to ahc(4), mostly from FreeBSD.
+
- Some fixes to ahc(4), mostly from FreeBSD.
-
- Additional sanity checks when probing scsi(4) luns.
-
- Disable interrupts on a scsi(4) controller for polled commands, fixing a long-standing hang at attach time on i386.
-
- Stop dhclient(8) burping interface information to stderr.
+
- Additional sanity checks when probing scsi(4) luns.
+
- Disable interrupts on a scsi(4) controller for polled commands, fixing a long-standing hang at attach time on i386.
+
- Stop dhclient(8) burping interface information to stderr.
-
- Have libpcap(3) use the kernel default buffer size instead of setting its own size.
-
- Bump the bpf(4) maximum buffer size to 2MB, and the default size to 32KB, to allow for faster networks and larger frame sizes.
-
- Turn on ddb(4) logging (sysctl(3) ddb.log) by default.
-
- Allow bind(2) to work in an IPv6-only (no IPv4) configuration.
-
- First cut of a filtering language for bgpd(8).
-
- Another pass at making dhclient(8)'s code readable.
+
- Have libpcap(3) use the kernel default buffer size instead of setting its own size.
+
- Bump the bpf(4) maximum buffer size to 2MB, and the default size to 32KB, to allow for faster networks and larger frame sizes.
+
- Turn on ddb(4) logging (sysctl(3) ddb.log) by default.
+
- Allow bind(2) to work in an IPv6-only (no IPv4) configuration.
+
- First cut of a filtering language for bgpd(8).
+
- Another pass at making dhclient(8)'s code readable.
-
- Fix a curiously familiar reference-counting bug in uvm(9).
-
- SECURITY FIX: A reference-counting bug exists in the shmat(2) system call that could be used by an attacker to write to kernel memory under certain circumstances. Adapted from FreeBSD.
+ - Fix a curiously familiar reference-counting bug in uvm(9).
+
- SECURITY FIX: A reference-counting bug exists in the shmat(2) system call that could be used by an attacker to write to kernel memory under certain circumstances. Adapted from FreeBSD.
A source code patch is available.
[Applied to stable]
- - Fix a CVS merge error in xterm(1)'s app-defaults file.
-
- Make pfctl(8) -vvsq loop again (PR#3675).
-
- Unbreak the ssh(1) progress meter ETA for files larger than 4GB (OpenSSH bugzilla #791).
-
- Fix a memory leak in dhclient(8) (PR#3668).
-
- If ssh(1) is in privsep mode, pass the SIGALRM from LoginGraceTime expiry through to the child process.
+
- Fix a CVS merge error in xterm(1)'s app-defaults file.
+
- Make pfctl(8) -vvsq loop again (PR#3675).
+
- Unbreak the ssh(1) progress meter ETA for files larger than 4GB (OpenSSH bugzilla #791).
+
- Fix a memory leak in dhclient(8) (PR#3668).
+
- If ssh(1) is in privsep mode, pass the SIGALRM from LoginGraceTime expiry through to the child process.
- Apply the same strict RFC 2460 interpretation used for the IPv6 MTU to the TCP MSS calculation.
- New parser for ifstated(8), and more features. Still more to come.
-
- Fix grep(1)'s ^ and $ anchors that were broken by the recent -w fixes.
-
- For programs that don't support long options, stop getopt(3) treating '--foo' the same way it treats '--', as per POSIX (PR#3666).
+ - Fix grep(1)'s ^ and $ anchors that were broken by the recent -w fixes.
+
- For programs that don't support long options, stop getopt(3) treating '--foo' the same way it treats '--', as per POSIX (PR#3666).
[Applied to stable]
- - Let pfctl(8) deal gracefully with 'modulate state' on rules with protos to which it might not apply in the same way as 'keep state', e.g. 'pass proto {tcp udp} modulate state' is now acceptable.
-
- Don't use a valid user id as a flag value in ps(1).
+
- Let pfctl(8) deal gracefully with 'modulate state' on rules with protos to which it might not apply in the same way as 'keep state', e.g. 'pass proto {tcp udp} modulate state' is now acceptable.
+
- Don't use a valid user id as a flag value in ps(1).
- Remove the earlier fix for the IPv6 MTU crash bug now that the full fix is in place.
- SECURITY FIX: An IPv6 MTU handling problem exists that could be used by an attacker to cause a denial of service attack against hosts with reachable IPv6 TCP ports. Fix this fully by applying a strict interpretation of RFC 2460 section 5, last paragraph.
A source code patch is available.
[Applied to stable]
- - Memory alignment fixes in tcpdump(8).
-
- Huge amount of style(9), ANSI and other cleanup in dhclient(8). More to come.
+
- Memory alignment fixes in tcpdump(8).
+
- Huge amount of style(9), ANSI and other cleanup in dhclient(8). More to come.
-
- Some std:: namespace and other C++ mode fixes for flex(1). From NetBSD.
-
- Fix pfctl(8) macro expansion in tags (PR#3664).
-
- Unbreak and reapply the don't-use-inet_net_pton(3)-without-a-slash fix (PR#3638).
-
- Teach libcrypto(3) how to use the VIA C3 crypto functions for (seriously) accelerated aes-{128,192,256}-cbc.
+
- Some std:: namespace and other C++ mode fixes for flex(1). From NetBSD.
+
- Fix pfctl(8) macro expansion in tags (PR#3664).
+
- Unbreak and reapply the don't-use-inet_net_pton(3)-without-a-slash fix (PR#3638).
+
- Teach libcrypto(3) how to use the VIA C3 crypto functions for (seriously) accelerated aes-{128,192,256}-cbc.
-
- Do temp file cleanup for signals as well as exits in spell(1).
-
- Sanity check memory allocation when attaching wd(4) devices.
-
- Have mg(1) create a buffer list window when started with more than two files, just like emacs.
-
- Fix compile breakage in bridge(4) and netinet6 when pf(4) isn't present.
-
- In ipsecadm(8) monitor mode, reorder memset(3) arguments so it works less like a nop.
-
- For safety, only do pf(4) interface lookups (pfi_index2kif()) if the filter is enabled.
-
- Remove the special-case LBL_ALIGN code in tcpdump(8) and act as if we're always on a platform that requires aligned memory access.
-
- In leave(1), don't allow alarms to be set in the past as this is unlikely to be useful. Also some cleanup based on NetBSD.
+
- Do temp file cleanup for signals as well as exits in spell(1).
+
- Sanity check memory allocation when attaching wd(4) devices.
+
- Have mg(1) create a buffer list window when started with more than two files, just like emacs.
+
- Fix compile breakage in bridge(4) and netinet6 when pf(4) isn't present.
+
- In ipsecadm(8) monitor mode, reorder memset(3) arguments so it works less like a nop.
+
- For safety, only do pf(4) interface lookups (pfi_index2kif()) if the filter is enabled.
+
- Remove the special-case LBL_ALIGN code in tcpdump(8) and act as if we're always on a platform that requires aligned memory access.
+
- In leave(1), don't allow alarms to be set in the past as this is unlikely to be useful. Also some cleanup based on NetBSD.
- On i386, allow userland apps to use the VIA C3 crypto instructions if they're present.
- Temporarily work around an MTU-related crash in IPv6 by simply enforcing a minimum link MTU of 296. Real fix to come.
-
- Add as(1) support for the VIA C3 xmove-rng and xcrypt-{ecb,cbc,cfb,ofb} instructions.
-
- Allow '-' as a valid character in as(1) mnemonics, as required by a few VIA C3 instructions.
-
- Add a 'paper.txt' make(1) target to generate ASCII output for the documents under /usr/share/doc.
+
- Add as(1) support for the VIA C3 xmove-rng and xcrypt-{ecb,cbc,cfb,ofb} instructions.
+
- Allow '-' as a valid character in as(1) mnemonics, as required by a few VIA C3 instructions.
+
- Add a 'paper.txt' make(1) target to generate ASCII output for the documents under /usr/share/doc.
- Sync i386 option USER_LDT code with NetBSD, fixing some ports panics.
- In libpthread, add a simple work-around for deadlocking on recursive readlocks on a rwlock while there are writers waiting (from FreeBSD PR#24641).
- Add ARM support and a new port for cats boards.
- Rename TCP socket option from TCP_SIGNATURE_ENABLE to TCP_MD5SIG.
-
- Build protoize(1) for gcc3.
+
- Build protoize(1) for gcc3.
- Reverse the enable logic for TCP selective acks, so TCP_SACK_DISABLE becomes TCP_SACK_ENABLE.
-
- Really commit -L (localbase) support for pkg_create(1), as well as the related -S and -B options.
-
- Some types cleanup and better SIGCHLD handling in privsep tcpdump(8).
+
- Really commit -L (localbase) support for pkg_create(1), as well as the related -S and -B options.
+
- Some types cleanup and better SIGCHLD handling in privsep tcpdump(8).
-
- Fix an old logic bug in nlist(3) that caused lookups for names with a leading underscore to fail on ELF systems.
-
- Install ex(1) documentation in doc/usd/13.ex.
-
- Back out the scsi(4) attach freeze fix for now.
-
- Sync named(8)'s root.hint file after the IP address change of B.ROOT-SERVERS.NET.
-
- Stop systrace(1) trying to normalize an empty filename.
-
- Enable tcpmd5 on bgpd(8)'s listen socket. For peers configured with md5sig, require accept(2)ed sockets to have signatures enabled.
-
- New TCP_SIGNATURE_ENABLE option to getsockopt(2), allowing a process to check the tcpmd5 status of an accept(2)ed socket.
-
- Support ssh(1) version 2 password change. password-dead must be set to non-zero in login.conf(5) for this to work.
-
- New update-moduli target in /usr/src/etc/Makefile, for regenerating /etc/moduli(5).
+
- Fix an old logic bug in nlist(3) that caused lookups for names with a leading underscore to fail on ELF systems.
+
- Install ex(1) documentation in doc/usd/13.ex.
+
- Back out the scsi(4) attach freeze fix for now.
+
- Sync named(8)'s root.hint file after the IP address change of B.ROOT-SERVERS.NET.
+
- Stop systrace(1) trying to normalize an empty filename.
+
- Enable tcpmd5 on bgpd(8)'s listen socket. For peers configured with md5sig, require accept(2)ed sockets to have signatures enabled.
+
- New TCP_SIGNATURE_ENABLE option to getsockopt(2), allowing a process to check the tcpmd5 status of an accept(2)ed socket.
+
- Support ssh(1) version 2 password change. password-dead must be set to non-zero in login.conf(5) for this to work.
+
- New update-moduli target in /usr/src/etc/Makefile, for regenerating /etc/moduli(5).
-
- Format string fixes and other cleanup for fvwm(1) in the wake of -ansi removal.
-
- Remove -ansi from the list of gcc(1) build options for XFree86.
+
- Format string fixes and other cleanup for fvwm(1) in the wake of -ansi removal.
+
- Remove -ansi from the list of gcc(1) build options for XFree86.
- On i386 systems with SSE2, halve the time taken to zero a page of memory. Based on FreeBSD.
-
- Switch the new sigaltstack(2) code back on again on alpha and sparc64.
-
- Make ddb(4)'s ps /n command show the correct state for a process.
+
- Switch the new sigaltstack(2) code back on again on alpha and sparc64.
+
- Make ddb(4)'s ps /n command show the correct state for a process.
- Reset the TCP keepalive timer to tcp.keepidle (normally four hours) after the three-way handshake completes. (syncache sets it to tcp.keepinittime, normally 150 seconds).
- Allow a single listen socket to be used for connections with and without tcpmd5.
-
- Avoid a long scsi(4) freeze when attaching live scsibus* devices.
-
- Support RFC 3390 'Increasing TCP's initial window' extension, enabled using sysctl(8) net.inet.tcp.rfc3390.
+
- Avoid a long scsi(4) freeze when attaching live scsibus* devices.
+
- Support RFC 3390 'Increasing TCP's initial window' extension, enabled using sysctl(8) net.inet.tcp.rfc3390.
- When TCP is in the SYN_SENT state, don't increase cwnd by 1*MSS on receipt of the SYN/ACK.
- Note that 'pegasos' is not quite the same as 'pegosos'.
-
- Clean up the output from pfctl(8) with '-s all'.
+
- Clean up the output from pfctl(8) with '-s all'.
- Allow the arch-specific bootloaders to change the program name to something other than 'BOOT'.
-
- Use a more reliable reference count when deciding whether or not to free a FIFO vnode(9). Adapted from FreeBSD.
-
- Allow Cisco/Juniper compatible (and keyspace-limiting) ASCII md5sig keys in bgpd(8).
-
- Track the number of ftp or http connections to a host in pkg_add(1). Limit to one connection for now.
-
- New -L option to set (pkg_create(1)) or use (pkg_add(1)) the package LOCALBASE. See bsd.port.mk(5) for details.
-
- Use _exit(2) instead of abort(3) when xfs(1) dies due to an error.
-
- Fix a potential double-free in m_split(9) (PR#3651).
-
- Add privilege separation for tcpdump(8).
+
- Use a more reliable reference count when deciding whether or not to free a FIFO vnode(9). Adapted from FreeBSD.
+
- Allow Cisco/Juniper compatible (and keyspace-limiting) ASCII md5sig keys in bgpd(8).
+
- Track the number of ftp or http connections to a host in pkg_add(1). Limit to one connection for now.
+
- New -L option to set (pkg_create(1)) or use (pkg_add(1)) the package LOCALBASE. See bsd.port.mk(5) for details.
+
- Use _exit(2) instead of abort(3) when xfs(1) dies due to an error.
+
- Fix a potential double-free in m_split(9) (PR#3651).
+
- Add privilege separation for tcpdump(8).
- Move gcc2-specific files into the architecure-specific distribution setlists. Gulp.
-
- Don't dump core in patch(1) when the file can't be found but user says to patch anyway.
-
- Let <cdefs.h> compile on old gcc(1) and even on non-gcc.
-
- Make bgpd(8) ignore extra (maskless) rtsock change messages sent by pppd(8).
+
- Don't dump core in patch(1) when the file can't be found but user says to patch anyway.
+
- Let <cdefs.h> compile on old gcc(1) and even on non-gcc.
+
- Make bgpd(8) ignore extra (maskless) rtsock change messages sent by pppd(8).
- Start work on the amd64 port. Based on work by NetBSD.
-
- New mail-set-margin option for mg(1) mail mode.
-
- Fix ipsecadm(8)'s use of getaddrinfo(3).
-
- In pkg_add(1), exit instead of carrying on regardless when the pre-addition stage fails.
-
- Better pfkeyv2 interface when setting up tcpmd5 in bgpd(8). More to do.
-
- Add support for -f (force) option to pkg_add(1) and pkg_delete(1).
-
- Allow skey(1)-format usernames (user:skey) in sftp(1) (OpenSSH bugzilla #777).
+
- New mail-set-margin option for mg(1) mail mode.
+
- Fix ipsecadm(8)'s use of getaddrinfo(3).
+
- In pkg_add(1), exit instead of carrying on regardless when the pre-addition stage fails.
+
- Better pfkeyv2 interface when setting up tcpmd5 in bgpd(8). More to do.
+
- Add support for -f (force) option to pkg_add(1) and pkg_delete(1).
+
- Allow skey(1)-format usernames (user:skey) in sftp(1) (OpenSSH bugzilla #777).
- In pf_test and pf_test6, immediately drop packets on any interface that doesn't have an associated pfi_kif structure.
- Hash tcpmd5 TDB lookups by source address instead of the spi
- Add missing case for TCP MD5 sigs in SADB_GETPROTO().
-
- Let ipsecadm(8) pass the spi for TCP signatures.
-
- Handle tftpd(8) tsize and timeout options. From FreeBSD, as was the RFC 2347 support.
-
- Add RFC 2347 "TFTP Option Extension" support to tftpd(8). Try to ignore trailing garbage that Apple OpenFirmware can leave where an option should be.
-
- Make the package tools show strerror(3) output when die()ing on filesystem errors.
-
- Allow pkg_delete(1) to handle removal of packages with bogus dependencies, as could be created by earlier versions of the new package tools.
+
- Let ipsecadm(8) pass the spi for TCP signatures.
+
- Handle tftpd(8) tsize and timeout options. From FreeBSD, as was the RFC 2347 support.
+
- Add RFC 2347 "TFTP Option Extension" support to tftpd(8). Try to ignore trailing garbage that Apple OpenFirmware can leave where an option should be.
+
- Make the package tools show strerror(3) output when die()ing on filesystem errors.
+
- Allow pkg_delete(1) to handle removal of packages with bogus dependencies, as could be created by earlier versions of the new package tools.
-
- Major changes to biosboot(8) and installboot(8), supporting EDD (LBA) mode boots and a shift key-triggered CHS fallback mode. For an encore, remove the previous version's 64KB limit on the size of boot(8).
-
- Make pfctl(8) print even an all-zeros netmask, unless the address is all-zeros too.
-
- Take an extra parameter to pthread_stackseg_np(3) to return stack info for any thread instead of just the current thread.
+
- Major changes to biosboot(8) and installboot(8), supporting EDD (LBA) mode boots and a shift key-triggered CHS fallback mode. For an encore, remove the previous version's 64KB limit on the size of boot(8).
+
- Make pfctl(8) print even an all-zeros netmask, unless the address is all-zeros too.
+
- Take an extra parameter to pthread_stackseg_np(3) to return stack info for any thread instead of just the current thread.
- Only call destructors once on ELF architectures. Stops KDE apps moaning on shutdown.
-
- Since dhclient(8), dhcpd(8) and dhcrelay(8) are now using getifaddrs(3), don't create the socket that used to be needed by SIOCGIFCONF.
-
- Have cardbus(4) dump some useful information for non PnP devices.
+
- Since dhclient(8), dhcpd(8) and dhcrelay(8) are now using getifaddrs(3), don't create the socket that used to be needed by SIOCGIFCONF.
+
- Have cardbus(4) dump some useful information for non PnP devices.
- Enable TCP signatures in the GENERIC kernel.
-
- Initial TCP signature support for bgpd(8).
-
- Add 802.11 datalink type support to the pcap(3) library.
+
- Initial TCP signature support for bgpd(8).
+
- Add 802.11 datalink type support to the pcap(3) library.
-
- Stop sd(4) blurting a bunch of Medium Not Present errors for 6-in-1 card readers.
-
- Fix case where grep(1) with the -w option could miss some lines.
-
- Separate ndp(8) from tcpdump(8) (gmt2local() was shared) before the latter begins mutation.
-
- Lock the vnode(9) earlier in ffs_vget() to avoid unbalanced vrele(9) calls.
-
- Have clri(8) use random generation numbers for the inodes it clears instead of just incrementing the old number.
-
- Back out the recent pfctl(8) addresses-without-slashes-are-hosts change for now.
-
- Add a few missing UNIX standards to the mdoc(7) St macro, and update some manpages to use them.
-
- In ssh(1), clear the non-blocking flag on the socket after connection when the ConnectTimeout option is in effect.
-
- Alignment fixes in ping6(8) and traceroute6(8).
-
- Cleanup in traceroute6(8). Make sure the probe packets give very little away about the sending host.
-
- Some *printf(3) type fixes in scsi(4), so very large disks don't appear to have <0 sectors.
-
- Allow scsi(4) debugging to be limited to individual buses as well as specific targets and LUNs.
+
- Stop sd(4) blurting a bunch of Medium Not Present errors for 6-in-1 card readers.
+
- Fix case where grep(1) with the -w option could miss some lines.
+
- Separate ndp(8) from tcpdump(8) (gmt2local() was shared) before the latter begins mutation.
+
- Lock the vnode(9) earlier in ffs_vget() to avoid unbalanced vrele(9) calls.
+
- Have clri(8) use random generation numbers for the inodes it clears instead of just incrementing the old number.
+
- Back out the recent pfctl(8) addresses-without-slashes-are-hosts change for now.
+
- Add a few missing UNIX standards to the mdoc(7) St macro, and update some manpages to use them.
+
- In ssh(1), clear the non-blocking flag on the socket after connection when the ConnectTimeout option is in effect.
+
- Alignment fixes in ping6(8) and traceroute6(8).
+
- Cleanup in traceroute6(8). Make sure the probe packets give very little away about the sending host.
+
- Some *printf(3) type fixes in scsi(4), so very large disks don't appear to have <0 sectors.
+
- Allow scsi(4) debugging to be limited to individual buses as well as specific targets and LUNs.
-
- Don't enable loud debugging for every ahc(4) device by default.
-
- Install vi(1) tutorial docs.
+
- Don't enable loud debugging for every ahc(4) device by default.
+
- Install vi(1) tutorial docs.
-
- Add cradle mode support to xsystrace(1).
-
- Add an rc.conf(8) switch for rpc.yppasswdd(8) and switch it off by default, instead of always running it if there's a YP directory in place.
+
- Add cradle mode support to xsystrace(1).
+
- Add an rc.conf(8) switch for rpc.yppasswdd(8) and switch it off by default, instead of always running it if there's a YP directory in place.
- New program, ifstated(8), which listens for interface state changes and runs commands when it sees them. Work in progress.
-
- Remove seteuid(2) and setuid(2) calls from timedc(8).
-
- New 'cradle mode' for systrace(1).
-
- Add NTFS to the list of partition types that disklabel(8) has names for.
+
- Remove seteuid(2) and setuid(2) calls from timedc(8).
+
- New 'cradle mode' for systrace(1).
+
- Add NTFS to the list of partition types that disklabel(8) has names for.
- Now that our gcc3 has propolice, add USE_GCC3 switch (default is "No") to enable gcc3 build and install.
-
- Fix sftp(1)'s display of long path names.
-
- Enable acss(3) support in ssh(1).
-
- Add acss(3) support to libcrypto, and bump the library minor version.
-
- Liberally sprinkle closefrom(2) where needed.
-
- Speed up scsi(4) probing by not checking for impossible LUNs.
+
- Fix sftp(1)'s display of long path names.
+
- Enable acss(3) support in ssh(1).
+
- Add acss(3) support to libcrypto, and bump the library minor version.
+
- Liberally sprinkle closefrom(2) where needed.
+
- Speed up scsi(4) probing by not checking for impossible LUNs.
-
- Fix the @arch packing list command in pkg_add(1) and pkg_create(1).
-
- Match compress(1) exit codes to GNU gzip, unbreaking perl(1)'s CPAN module.
+ - Fix the @arch packing list command in pkg_add(1) and pkg_create(1).
+
- Match compress(1) exit codes to GNU gzip, unbreaking perl(1)'s CPAN module.
[Applied to stable]
- - Stop mixerctl(1) segfaulting on non-existent fields.
-
- Add a simple 802.3x printer to tcpdump(8).
-
- Allow ftp-proxy(8) to set the outgoing address with the new -a option (PR#3538).
-
- In pfctl(8), only use inet_net_pton(3) on addresses containing a '/', otherwise use inet_pton(3) (PR#3638).
-
- New -S option to nc(1), enabling the TCP MD5 signature option.
-
- Fix collapsing of multiple pfsync(4) update messages into one.
-
- Fix pfsync(4) state timeouts.
-
- As with sysctl(8), remove the need for -w in mixerctl(1).
-
- Propolice fixes for gcc(1).
+
- Stop mixerctl(1) segfaulting on non-existent fields.
+
- Add a simple 802.3x printer to tcpdump(8).
+
- Allow ftp-proxy(8) to set the outgoing address with the new -a option (PR#3538).
+
- In pfctl(8), only use inet_net_pton(3) on addresses containing a '/', otherwise use inet_pton(3) (PR#3638).
+
- New -S option to nc(1), enabling the TCP MD5 signature option.
+
- Fix collapsing of multiple pfsync(4) update messages into one.
+
- Fix pfsync(4) state timeouts.
+
- As with sysctl(8), remove the need for -w in mixerctl(1).
+
- Propolice fixes for gcc(1).
- First propolice version of gcc3.
-
- Add dynamic bufq support to wd(4). Doesn't do very much for now.
+
- Add dynamic bufq support to wd(4). Doesn't do very much for now.
- In kernel main(), initialise timeouts much earlier.
-
- New spamd(8) configuration method, based around OpenBSD mirrors of common spammer lists.
-
- Cleanup and fix tcpdump(8) pfsync protocol output.
-
- Initialise the sftp(1) input file in main() rather than statically.
-
- Some strncpy(3) -> strlcpy(3) in libpcap
+
- New spamd(8) configuration method, based around OpenBSD mirrors of common spammer lists.
+
- Cleanup and fix tcpdump(8) pfsync protocol output.
+
- Initialise the sftp(1) input file in main() rather than statically.
+
- Some strncpy(3) -> strlcpy(3) in libpcap
-
- Use _exit(2) instead of exit(3) from abort(3) so stdio buffers don't get flushed twice.
+
- Use _exit(2) instead of exit(3) from abort(3) so stdio buffers don't get flushed twice.
- Support Intel 852/855/865 AGP chipsets on i386. From NetBSD.
-
- Don't set a fake baud rate for pfsync(4) interfaces.
-
- Only read in as many digits as can legally fit into a field in strptime(3). From NetBSD.
+ - Don't set a fake baud rate for pfsync(4) interfaces.
+
- Only read in as many digits as can legally fit into a field in strptime(3). From NetBSD.
[Applied to stable]
- - Add some delay when reading the address off fxp(4) eeproms, otherwise the result may be garbage.
-
- Actually use the RPC program name cache in tcpdump(8) since we've gone and allocated space for it.
+
- Add some delay when reading the address off fxp(4) eeproms, otherwise the result may be garbage.
+
- Actually use the RPC program name cache in tcpdump(8) since we've gone and allocated space for it.
- Import some chunks of ffs2 support from FreeBSD.
-
- Have pfsync(4) ignore pfsync protocol packets if the interface is not running.
+
- Have pfsync(4) ignore pfsync protocol packets if the interface is not running.
-
- Fix a few ssh(1) memory leaks.
-
- Fix grep(1)'s -b option.
-
- Fix a missing malloc(3) error check in syslogd(8).
-
- New user _tcpdump for upcoming privsep of, uh, tcpdump(8).
-
- Avoid half-open deadlock in ssh(1) (OpenSSH bugzilla #790).
-
- Some sane defaults for afsd.conf(5) and ThisCell(5).
-
- Update sendmail(8) to 8.12.11.
+
- Fix a few ssh(1) memory leaks.
+
- Fix grep(1)'s -b option.
+
- Fix a missing malloc(3) error check in syslogd(8).
+
- New user _tcpdump for upcoming privsep of, uh, tcpdump(8).
+
- Avoid half-open deadlock in ssh(1) (OpenSSH bugzilla #790).
+
- Some sane defaults for afsd.conf(5) and ThisCell(5).
+
- Update sendmail(8) to 8.12.11.
- Throw away #ifdef spaghetti from XFS filesystem code, and enable it in GENERIC.
-
- Remove a double htons() in pfsync(4).
+
- Remove a double htons() in pfsync(4).
- Unbreak '*grep -w -l'.
-
- Fix a missing initialisation in grep(1).
-
- Sync tcpdump(8) DNS display with tcpdump.org to avoid problems with bogus DNS packets.
-
- Allow pflogd(8) to create (safely) its log file if none exists.
-
- Have carp(4) send RTM_IFINFO routing messages on interface state changes.
-
- Prep dhclient(8) for surgery, under src/sbin/dhclient.
+
- Fix a missing initialisation in grep(1).
+
- Sync tcpdump(8) DNS display with tcpdump.org to avoid problems with bogus DNS packets.
+
- Allow pflogd(8) to create (safely) its log file if none exists.
+
- Have carp(4) send RTM_IFINFO routing messages on interface state changes.
+
- Prep dhclient(8) for surgery, under src/sbin/dhclient.
-
- Have rsh(1) run ssh(1) instead of rlogin(1) or telnet(1) when run without a remote command.
+
- Have rsh(1) run ssh(1) instead of rlogin(1) or telnet(1) when run without a remote command.
- Add a bunch of new DNS RR types to <arpa/nameser.h>.
-
- Remove Kerberos IV code from rsh(1).
-
- Major stability improvements to ahc(4).
+
- Remove Kerberos IV code from rsh(1).
+
- Major stability improvements to ahc(4).
-
- Fix a typo causing a null deref in pf(4) IPv6 tcp scrubbing.
-
- New -v option to isakmpd(8) to log successful completion of Phase 1 and 2 exchanges.
-
- Sync mrouted(8) with changes to the raw sockets API affecting packet length.
+
- Fix a typo causing a null deref in pf(4) IPv6 tcp scrubbing.
+
- New -v option to isakmpd(8) to log successful completion of Phase 1 and 2 exchanges.
+
- Sync mrouted(8) with changes to the raw sockets API affecting packet length.
- Fix a string bug and a double free in the PEX font parser.
- Import libobjc from GCC 3.3.2.
- Move libobjc out of the GCC directory and into src/gnu/lib/libobjc.
-
- In tcpdump(8) check that an IKE header is long enough before trying to display it.
-
- Add a pthreads version of closefrom(2).
-
- Remove autoconf stuff from the in-tree sudo(8).
-
- Fix an early-free bug in mg(1) that was breaking compile-goto-error.
-
- Make pflogd(8) less likely to cause logfile corruption on unexpected shutdowns, and more able to detect and deal sensibly with corrupted files on startup.
-
- Synchronise pflogd(8) with the newly privilege-separated syslogd(8).
-
- Unbreak awk(1)'s maketab.c after recent yacc(1) header file generation changes.
-
- Temporarily work around alpha and sparc64 breakage caused by the recent sigaltstack(2) ABI change.
-
- Teach tcpdump(8) about TCP signatures.
-
- Some *printf(3) type cleanup in httpd(8).
-
- Support RTM_IFANNOUNCE messages in route(8)'s monitor command.
-
- Add TCP signature stats display to netstat(1).
-
- Add TCP MD5 signature support to ipsecadm(8).
+
- In tcpdump(8) check that an IKE header is long enough before trying to display it.
+
- Add a pthreads version of closefrom(2).
+
- Remove autoconf stuff from the in-tree sudo(8).
+
- Fix an early-free bug in mg(1) that was breaking compile-goto-error.
+
- Make pflogd(8) less likely to cause logfile corruption on unexpected shutdowns, and more able to detect and deal sensibly with corrupted files on startup.
+
- Synchronise pflogd(8) with the newly privilege-separated syslogd(8).
+
- Unbreak awk(1)'s maketab.c after recent yacc(1) header file generation changes.
+
- Temporarily work around alpha and sparc64 breakage caused by the recent sigaltstack(2) ABI change.
+
- Teach tcpdump(8) about TCP signatures.
+
- Some *printf(3) type cleanup in httpd(8).
+
- Support RTM_IFANNOUNCE messages in route(8)'s monitor command.
+
- Add TCP signature stats display to netstat(1).
+
- Add TCP MD5 signature support to ipsecadm(8).
- In syncache, defer updating the mss until the 3-way handshake is completed.
-
- Use a pool(9) instead of malloc(9) for file locking structures. From NetBSD.
+
- Use a pool(9) instead of malloc(9) for file locking structures. From NetBSD.
- Add syncache and IPv6 support to the resurrected TCP signature code.
-
- In pf(4), remove the predefined 'special' altq IDs, so all qids look alike.
+
- In pf(4), remove the predefined 'special' altq IDs, so all qids look alike.
- Change the type of sigaltstack.ss_size from int to size_t. Rename old syscall to osigaltstack() for compatibility.
-
- Remove extra 'sleep 1' from netstart(8) when doing IPv6 DAD.
-
- Preliminary gcc(1) support for ARM.
-
- Have nm(1) fall back to using pread(2) if mmap(2) fails, as it does for /dev/ksyms.
-
- Don't issue Test Unit Ready to scsi(4) devices until we've checked that 'don't issue Test Unit Ready' quirk isn't needed.
-
- Revamp scsi(4) LUN quirks handling.
+
- Remove extra 'sleep 1' from netstart(8) when doing IPv6 DAD.
+
- Preliminary gcc(1) support for ARM.
+
- Have nm(1) fall back to using pread(2) if mmap(2) fails, as it does for /dev/ksyms.
+
- Don't issue Test Unit Ready to scsi(4) devices until we've checked that 'don't issue Test Unit Ready' quirk isn't needed.
+
- Revamp scsi(4) LUN quirks handling.
-
- Use the right type when checking the magic number in savecore(8).
-
- printf(3) integer type cleanup in netstat(1).
-
- Correct a use-after-free in cvs(1), fixing a coredump when the user hits ^C.
-
- Fix authpf(8) ruleset names that contain the username (PR#3627).
-
- '=' != '==' in fsck(8).
+
- Use the right type when checking the magic number in savecore(8).
+
- printf(3) integer type cleanup in netstat(1).
+
- Correct a use-after-free in cvs(1), fixing a coredump when the user hits ^C.
+
- Fix authpf(8) ruleset names that contain the username (PR#3627).
+
- '=' != '==' in fsck(8).
- Let <ctype.h> compile on non-gcc compilers.
- Reintroduce old TCP MD5 signature (RFC 2385) code from 4.5 years ago, hopefully with a reduced likelihood of kernel borkage.
-
- Improvements to sftp(1) batch mode: Allow batchfile input from stdin, and remove stderr junk (OpenSSH bugzilla #754).
-
- Add IPv6 loopback routes and allow connection to the carp(4) shared IPv6 address from the MASTER host, like for IPv4.
-
- Fix a signed buffer length variable in syslogd(8).
-
- Build local nm(1) and size(1) instead of those from binutils.
-
- Allow ifconfig(8) to show all interfaces of a given type by giving it a device without a unit number, e.g. 'ifconfig vlan'.
-
- Respect the quiet flag in newfs(8) and don't spew cpg warnings.
+
- Improvements to sftp(1) batch mode: Allow batchfile input from stdin, and remove stderr junk (OpenSSH bugzilla #754).
+
- Add IPv6 loopback routes and allow connection to the carp(4) shared IPv6 address from the MASTER host, like for IPv4.
+
- Fix a signed buffer length variable in syslogd(8).
+
- Build local nm(1) and size(1) instead of those from binutils.
+
- Allow ifconfig(8) to show all interfaces of a given type by giving it a device without a unit number, e.g. 'ifconfig vlan'.
+
- Respect the quiet flag in newfs(8) and don't spew cpg warnings.
-
- Change /dev/utty[0-9a-f] entries ucom(4) to /dev/ttyU[0-9a-zA-Z]
-
- In syslogc(8), don't re-terminate a string after strlcat(3).
-
- Sync pf.os(5) with the current p0f development snapshot.
-
- A little string cleaning and extra error checking in swapctl(8).
+
- Change /dev/utty[0-9a-f] entries ucom(4) to /dev/ttyU[0-9a-zA-Z]
+
- In syslogc(8), don't re-terminate a string after strlcat(3).
+
- Sync pf.os(5) with the current p0f development snapshot.
+
- A little string cleaning and extra error checking in swapctl(8).
- Make shared C++ binary linking consistent between GCC 2.95 and GCC 3.
-
- Stop g++(1) adding '-lm -lstdc++' when -shared is present, consistent with gcc(1).
-
- Use closefrom(2) instead of looping up to the fd rlimit in sudo(8). From sudo CVS.
-
- Fix up and install the vi(1) USD docs.
-
- New system call closefrom(2), which closes all descriptors greater than or equal to the given fd. Bump libc and libpthread minor version.
-
- Have tun(4) use klist_invalidate() so ifconfig destroy can work with kqueue(2) enabled.
-
- Add klist_invalidate() function in kqueue(2) to clean up when the event source goes away.
-
- Replace some hairy string code with a single asprintf(3) in sup(1).
+
- Stop g++(1) adding '-lm -lstdc++' when -shared is present, consistent with gcc(1).
+
- Use closefrom(2) instead of looping up to the fd rlimit in sudo(8). From sudo CVS.
+
- Fix up and install the vi(1) USD docs.
+
- New system call closefrom(2), which closes all descriptors greater than or equal to the given fd. Bump libc and libpthread minor version.
+
- Have tun(4) use klist_invalidate() so ifconfig destroy can work with kqueue(2) enabled.
+
- Add klist_invalidate() function in kqueue(2) to clean up when the event source goes away.
+
- Replace some hairy string code with a single asprintf(3) in sup(1).
-
- Remove some portable-only #ifdef code around openpty(3) in ssh(1).
-
- In sysctl(8), making an assignment by using '=' no longer requires a totally redundant -w option.
-
- Remove ugly spaces from sysctl(8) 'var=value' output.
-
- Sync the installer script with recent dhclient(8) changes.
-
- Add IPv4 loopback routes much later in netstart(8).
-
- Make dhclient(8) listen to the routing socket, and quit if anyone downs the interface or deletes an addresses.
-
- Have dhclient-script(8) preserve a preexisting resolv.conf(5) and restore it when exiting.
+
- Remove some portable-only #ifdef code around openpty(3) in ssh(1).
+
- In sysctl(8), making an assignment by using '=' no longer requires a totally redundant -w option.
+
- Remove ugly spaces from sysctl(8) 'var=value' output.
+
- Sync the installer script with recent dhclient(8) changes.
+
- Add IPv4 loopback routes much later in netstart(8).
+
- Make dhclient(8) listen to the routing socket, and quit if anyone downs the interface or deletes an addresses.
+
- Have dhclient-script(8) preserve a preexisting resolv.conf(5) and restore it when exiting.
- Add a missing forward declaration of struct proc in <sys/rwlock.h>.
-
- Remove code in auth_clean(3) that cleared the options list, since login(1) depends on it leaving them alone.
-
- Print only valid sense info in scsi(4).
-
- Correctly a missing bonus points for completed rows bug in tetris(6).
+
- Remove code in auth_clean(3) that cleared the options list, since login(1) depends on it leaving them alone.
+
- Print only valid sense info in scsi(4).
+
- Correctly a missing bonus points for completed rows bug in tetris(6).
-
- Stop tcpdump(8) screwing up the terminal by printing non-printable timed protocol hostnames.
-
- Add a missing initialisation in kvm_open(3).
+
- Stop tcpdump(8) screwing up the terminal by printing non-printable timed protocol hostnames.
+
- Add a missing initialisation in kvm_open(3).
- Reduce the TCP MSS lower bound to 256-(minimal TCP header size) = 216 bytes.
- Don't restrict RFC 2385 TCP signature keys to ASCII-only.
- Fix a memory leak when detaching an Ethernet interface.
-
- In netstart(8) create all routes with the new improved -q option.
-
- Make route(8)'s -q option really quiet.
+
- In netstart(8) create all routes with the new improved -q option.
+
- Make route(8)'s -q option really quiet.
- Back out the storing of parent vnodes, due to exploding ports.
-
- Have sysctl(8) politely tell the user that the tool of choice for viewing a list of processes is ps(1).
+
- Have sysctl(8) politely tell the user that the tool of choice for viewing a list of processes is ps(1).
-
- Carefully work around time_t != long in gdb(1).
-
- Crucially, adjust worms(6)' delay based on the terminal speed.
-
- Types cleanup in jot(1). Mostly from FreeBSD.
-
- Convert fstat(1), ps(1), systat(1), top(1) and w(1) to use the new kvm_getproc2(3) interface.
+
- Carefully work around time_t != long in gdb(1).
+
- Crucially, adjust worms(6)' delay based on the terminal speed.
+
- Types cleanup in jot(1). Mostly from FreeBSD.
+
- Convert fstat(1), ps(1), systat(1), top(1) and w(1) to use the new kvm_getproc2(3) interface.
- Make ELF architectures handle constructors and destructors the way the ELF spec says they should.
-
- Sync sensorsd(8)'s notion of zero Kelvin with that in the kernel.
-
- Fix a typo in ndp(8) affecting the -s (set entry) option.
+
- Sync sensorsd(8)'s notion of zero Kelvin with that in the kernel.
+
- Fix a typo in ndp(8) affecting the -s (set entry) option.
-
- Fix a busted mkdtemp(3) return value check in binutils.
-
- Use proper uid_t and gid_t types in id(1).
-
- New -e option to systrace(1), which sends logs to stderr instead of syslog.
+
- Fix a busted mkdtemp(3) return value check in binutils.
+
- Use proper uid_t and gid_t types in id(1).
+
- New -e option to systrace(1), which sends logs to stderr instead of syslog.
- Promote dirhash to the GENERIC big time.
- Increase the TCP MSS lower bound from 64 to 256 bytes.
-
- sysctl(3)ify dirhash, under vfs.ffs.dirhash_*.
-
- Plug an interface address memory leak in pf(4).
-
- Stop sysctl(3) returning EINVAL for KERN_PROC_KTHREAD.
-
- Logic fixes in diff3(1) where one file has changes but the other does not.
-
- Some scsi(4) probe cleanups and fixes, inspired by NetBSD.
-
- Implement the truly wonderful -p option for diff(1).
-
- Fix an i386 crash in the ahc(4) device probe (PR#3630).
-
- Add a field for the emulation type in the struct returned by the KERN_PROC2 sysctl(3).
-
- Switch pkill(1) and pgrep(1) to kvm_getproc2(3), and so enable the -s option to work.
-
- Add kvm_get{argv,envv,proc}2(3) using KERN_PROC2. Based on NetBSD.
-
- Implement the KERN_PROC2 sysctl(3), allowing ps(1) etc. to be independent of changes to process-related kernel structures. From NetBSD.
-
- On i386, sync fdisk(8)'s built-in MBR image with the recent changes.
+
- sysctl(3)ify dirhash, under vfs.ffs.dirhash_*.
+
- Plug an interface address memory leak in pf(4).
+
- Stop sysctl(3) returning EINVAL for KERN_PROC_KTHREAD.
+
- Logic fixes in diff3(1) where one file has changes but the other does not.
+
- Some scsi(4) probe cleanups and fixes, inspired by NetBSD.
+
- Implement the truly wonderful -p option for diff(1).
+
- Fix an i386 crash in the ahc(4) device probe (PR#3630).
+
- Add a field for the emulation type in the struct returned by the KERN_PROC2 sysctl(3).
+
- Switch pkill(1) and pgrep(1) to kvm_getproc2(3), and so enable the -s option to work.
+
- Add kvm_get{argv,envv,proc}2(3) using KERN_PROC2. Based on NetBSD.
+
- Implement the KERN_PROC2 sysctl(3), allowing ps(1) etc. to be independent of changes to process-related kernel structures. From NetBSD.
+
- On i386, sync fdisk(8)'s built-in MBR image with the recent changes.
- Import generic IEEE 802.11 interface framework from NetBSD.
-
- Have pf(4) do as non-pf udp_input() does, and drop UDP packets with destination port zero, or with zero or oversize payload.
-
- Import pkill(1) and pgrep(1) from NetBSD. Selecting by session ID (-s option) doesn't work yet.
-
- Fix signal handling in the case of an error in inetd(8)'s config file.
-
- Import SYN cache code to deflect SYN flood attacks, controlled with sysctl(3)s net.inet.tcp.syncachelimit and net.inet.tcp.synbucketlimit. From NetBSD, based on work by David Borman.
-
- Unbreak ifconfig destroy on vlan(4) interfaces when MROUTING is defined.
-
- In yacc(1), make sure extern YYSTYPE doesn't get #ifdef'd out when generating a .h file.
+
- Have pf(4) do as non-pf udp_input() does, and drop UDP packets with destination port zero, or with zero or oversize payload.
+
- Import pkill(1) and pgrep(1) from NetBSD. Selecting by session ID (-s option) doesn't work yet.
+
- Fix signal handling in the case of an error in inetd(8)'s config file.
+
- Import SYN cache code to deflect SYN flood attacks, controlled with sysctl(3)s net.inet.tcp.syncachelimit and net.inet.tcp.synbucketlimit. From NetBSD, based on work by David Borman.
+
- Unbreak ifconfig destroy on vlan(4) interfaces when MROUTING is defined.
+
- In yacc(1), make sure extern YYSTYPE doesn't get #ifdef'd out when generating a .h file.
- Keep track of parent vnodes on ufs filesystems, this will be needed soon.
- Add some rwlocks around kernel file descriptor code, avoiding some rare race conditions.
-
- Don't allow a tun(4) cloner interface to be destroyed if there are any outstanding knote(9)s.
-
- Fix a few strlcpy(3) off-by-ones in pfctl(8).
-
- New -F flag for rtsold(8), which automagically sets the inet6 sysctl(3) values it needs. Useful for boot floppies.
-
- Support NOTE_EOF for kqueue(2) read events.
-
- Some string and memory leak cleanup in bgpd(8). Still work in progress.
+
- Don't allow a tun(4) cloner interface to be destroyed if there are any outstanding knote(9)s.
+
- Fix a few strlcpy(3) off-by-ones in pfctl(8).
+
- New -F flag for rtsold(8), which automagically sets the inet6 sysctl(3) values it needs. Useful for boot floppies.
+
- Support NOTE_EOF for kqueue(2) read events.
+
- Some string and memory leak cleanup in bgpd(8). Still work in progress.
- Merge in libstdc++ (gcc 3.3.2) for gcc3.
-
- Only prevent the removal of removable scsi(4) devices.
-
- Merge nm(1) with size(1) under src/usr.bin/nm.
-
- Teach nm(1) all about ELF.
-
- Really stop the compiler optimising away memset(3) calls used to zero sensitive data in sudo(8). From sudo CVS.
+
- Only prevent the removal of removable scsi(4) devices.
+
- Merge nm(1) with size(1) under src/usr.bin/nm.
+
- Teach nm(1) all about ELF.
+
- Really stop the compiler optimising away memset(3) calls used to zero sensitive data in sudo(8). From sudo CVS.
- Major changes to the i386 master boot record, which now uses EDD if available to support booting from a partition more than 8GB from the start of the disk. The 8GB size limit is still in place.
-
- Begin a cleanup of config(8).
-
- Don't ignore the '!' operator on the interface for pf(4) binat rules.
-
- Implement buffered logging in syslogd(8). Logs may be stored in a ring buffer and extracted using a client such as the new syslogc(8).
-
- Add option INET6, rtsol(8) and ping6(8) onto boot floppies/CD images where it will fit.
+
- Begin a cleanup of config(8).
+
- Don't ignore the '!' operator on the interface for pf(4) binat rules.
+
- Implement buffered logging in syslogd(8). Logs may be stored in a ring buffer and extracted using a client such as the new syslogc(8).
+
- Add option INET6, rtsol(8) and ping6(8) onto boot floppies/CD images where it will fit.
-
- Work continues on bgpd(8).
-
- Use fgets(3) instead of fgetln(3) in user(8), killing a sparc64 bus error along the way.
-
- SECURITY FIX: Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs.
+ - Work continues on bgpd(8).
+
- Use fgets(3) instead of fgetln(3) in user(8), killing a sparc64 bus error along the way.
+
- SECURITY FIX: Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs.
A source code patch is available.
[Applied to stable]
- - In isakmpd(8) only allow an INITIAL-CONTACT when a main-mode SA is in place, and never delete SPIs based on it.
+ - In isakmpd(8) only allow an INITIAL-CONTACT when a main-mode SA is in place, and never delete SPIs based on it.
- gcc3 handles varargs differently, change the kernel sources to deal with it.
-
- Some poll(2)-related fixes to select(2) under pthreads. From FreeBSD.
-
- Fix objcopy(1)'s long options list, unbreaking strip(1)'s -s option and others (PR#3623).
+ - Some poll(2)-related fixes to select(2) under pthreads. From FreeBSD.
+
- Fix objcopy(1)'s long options list, unbreaking strip(1)'s -s option and others (PR#3623).
[Applied to stable]
- - Don't create a pid file for rtsold(8).
-
- If the scsi(4) error code is unknown, at least show the code we didn't have a message for.
+
- Don't create a pid file for rtsold(8).
+
- If the scsi(4) error code is unknown, at least show the code we didn't have a message for.
-
- Use a memory pool(9) instead of MALLOC(9) for inet and inet6 PCBs. From NetBSD five years ago.
-
- Recognise and handle a few more scsi(4) reset conditions.
-
- Bring the scsi(4) error description list up to date with SCSI-3.
-
- Add bgpd(8) control program bgpctl(8).
+
- Use a memory pool(9) instead of MALLOC(9) for inet and inet6 PCBs. From NetBSD five years ago.
+
- Recognise and handle a few more scsi(4) reset conditions.
+
- Bring the scsi(4) error description list up to date with SCSI-3.
+
- Add bgpd(8) control program bgpctl(8).
- For i386 only, incread SHMMAXPGS from 2048 to 8192.
- In the all-architectures kernel config, bump SHMMNI from 32 to 128, and SHMSEG from 8 to 128.
-
- If pkg_add(1) fails in the postinstall script, record the package as a borked install instead of dying with a bunch of unregistered files all over the place.
-
- In libpthread, make poll(2), readv(2) and writev(2) cancellation points too.
+
- If pkg_add(1) fails in the postinstall script, record the package as a borked install instead of dying with a bunch of unregistered files all over the place.
+
- In libpthread, make poll(2), readv(2) and writev(2) cancellation points too.
-
- Undefer and handle pending signals in all code paths of pthread_join(3).
+
- Undefer and handle pending signals in all code paths of pthread_join(3).
- On i386, stop the FPU exception tests hanging amd64 and new Transmeta CPUs.
-
- Have xdm(1)'s Xsession script reap the SSH agent on session shutdown even if the user has a ~/.xsession file.
-
- Make 'vi -r foo' work the way the vi(1) manpage says it should instead of dying.
-
- Many improvements to network interface handling in pf(4). See the commit log for details.
-
- Add svc_getreq_poll(3) and switch libc RPC code to use its poll(2) interface instead of select(2).
-
- Have ssh(1) properly ignore an (unupported) SSH2 password change request and the suggested new password.
-
- Change wait4(2)'s prototype to take a pid_t instead of an int for the first argument, like the manpage says.
+
- Have xdm(1)'s Xsession script reap the SSH agent on session shutdown even if the user has a ~/.xsession file.
+
- Make 'vi -r foo' work the way the vi(1) manpage says it should instead of dying.
+
- Many improvements to network interface handling in pf(4). See the commit log for details.
+
- Add svc_getreq_poll(3) and switch libc RPC code to use its poll(2) interface instead of select(2).
+
- Have ssh(1) properly ignore an (unupported) SSH2 password change request and the suggested new password.
+
- Change wait4(2)'s prototype to take a pid_t instead of an int for the first argument, like the manpage says.
-
- Define _FFR_DEAL_WITH_ERROR_SSL to stop SSL errors sending sendmail(8) into an endless loop.
-
- Don't do TAILQ_REMOVE(3) while inside a TAILQ_FOREACH loop in pfctl(8).
+
- Define _FFR_DEAL_WITH_ERROR_SSL to stop SSL errors sending sendmail(8) into an endless loop.
+
- Don't do TAILQ_REMOVE(3) while inside a TAILQ_FOREACH loop in pfctl(8).
-
- As system startup, run vi.recover after ldconfig(8) so that perl(1) and the MTA can find their shared libraries.
-
- Convert syslogd(8) to use poll(2) instead of select(2) in its main event loop.
-
- Once grep(1) and friends have identified a file as binary, seek back to the beginning before continuing.
-
- Unbreak zgrep(1) when the uncompressed file begins with a newline.
-
- In disklabel(8) add new size unit types '%' and '&' to specify, respectively, percentage of disk size and percentage of remaining disk space.
-
- Allow a precision (-p option) of zero in jot(1).
+
- As system startup, run vi.recover after ldconfig(8) so that perl(1) and the MTA can find their shared libraries.
+
- Convert syslogd(8) to use poll(2) instead of select(2) in its main event loop.
+
- Once grep(1) and friends have identified a file as binary, seek back to the beginning before continuing.
+
- Unbreak zgrep(1) when the uncompressed file begins with a newline.
+
- In disklabel(8) add new size unit types '%' and '&' to specify, respectively, percentage of disk size and percentage of remaining disk space.
+
- Allow a precision (-p option) of zero in jot(1).
- On i386, properly recognise SiS CPUs.
-
- Hack around a reentrancy bug in the cvs(1) server's abnormal exit handler.
-
- Allocate what's required for an identifier in config(8) instead of an arbitrary 500-byte buffer (PR#3614).
+
- Hack around a reentrancy bug in the cvs(1) server's abnormal exit handler.
+
- Allocate what's required for an identifier in config(8) instead of an arbitrary 500-byte buffer (PR#3614).
- Stop libcurses++ fooling with libstdc++ internals so it compiles under gcc3.
-
- Add -4 and -6 options to telnet(1) for IPv4- and IPv6-only operation (PR#1974).
-
- Tag ahc(4) I/O operations requeued as a result of aborts, timeouts etc. so that they're not treated as successfully completed operations.
-
- Update security(8) after the recent join(1) change prompted by PR#2208.
-
- Make join(1) more POSIX for non-matching lines (PR#2208).
-
- Add dirhash feature from FreeBSD, which uses an in-memory hash table for lookups in large directories. Not enabled by default yet. See UFS_DIRHASH in options(4).
-
- Extend the pfsync(4) protocol to allow a peer to query for complete state information should it receive an update for a state it knows nothing about.
-
- Check for oversize allocations earlier in kernel malloc(9).
-
- Fix some peculiar macro token pasting in fvwm(1).
+
- Add -4 and -6 options to telnet(1) for IPv4- and IPv6-only operation (PR#1974).
+
- Tag ahc(4) I/O operations requeued as a result of aborts, timeouts etc. so that they're not treated as successfully completed operations.
+
- Update security(8) after the recent join(1) change prompted by PR#2208.
+
- Make join(1) more POSIX for non-matching lines (PR#2208).
+
- Add dirhash feature from FreeBSD, which uses an in-memory hash table for lookups in large directories. Not enabled by default yet. See UFS_DIRHASH in options(4).
+
- Extend the pfsync(4) protocol to allow a peer to query for complete state information should it receive an update for a state it knows nothing about.
+
- Check for oversize allocations earlier in kernel malloc(9).
+
- Fix some peculiar macro token pasting in fvwm(1).
- Properly initialise the C++ constructor and destructor lists for ELF, killing a gcc3 warning in libstdc++.
-
- In huntd(6), stop doing va_end(3) on the varargs format string.
+
- In huntd(6), stop doing va_end(3) on the varargs format string.
-
- Add a missing zero-fill before contructing pfsync(4) output in tcpdump(8).
-
- Fix a couple of bugs with negative values in fmt_scaled(3), and don't print fractions of bytes.
+
- Add a missing zero-fill before contructing pfsync(4) output in tcpdump(8).
+
- Fix a couple of bugs with negative values in fmt_scaled(3), and don't print fractions of bytes.
-
- Overhaul bgpd(8)'s error handling and logging.
-
- Allow an 'arch' annotation to be stored within packages by pkg_create(1).
-
- Have pkg_add(1) report on the amount of space used on each filesystem.
-
- In bgpd(8), treat localhost network 127/8 as if it were a connected network and don't allow it to be deleted.
-
- Halve the amount of space allocated for AES in ipsec(4) by making the contexts encryption- or decryption-specific.
-
- Enable nexthop verification in bgpd(8).
+
- Overhaul bgpd(8)'s error handling and logging.
+
- Allow an 'arch' annotation to be stored within packages by pkg_create(1).
+
- Have pkg_add(1) report on the amount of space used on each filesystem.
+
- In bgpd(8), treat localhost network 127/8 as if it were a connected network and don't allow it to be deleted.
+
- Halve the amount of space allocated for AES in ipsec(4) by making the contexts encryption- or decryption-specific.
+
- Enable nexthop verification in bgpd(8).
-
- On m68k, m88k, sparc, sparc64 and vax, fix a signed comparison bug in brk(2).
+ - On m68k, m88k, sparc, sparc64 and vax, fix a signed comparison bug in brk(2).
[Applied to stable]
- Update libiberty to that from binutils-2.14.
-
- Add passive mode (no TCP connection to the peer) to bgpd(8).
+
- Add passive mode (no TCP connection to the peer) to bgpd(8).
-
- Huge sync of ahc(4) to NetBSD, which in turn is sync'd to FreeBSD. Many bugs fixed, several left to fix.
-
- Connect bgpd(8) to the build, along with an example bgpd.conf(5) file. Lots of work still needed.
+
- Huge sync of ahc(4) to NetBSD, which in turn is sync'd to FreeBSD. Many bugs fixed, several left to fix.
+
- Connect bgpd(8) to the build, along with an example bgpd.conf(5) file. Lots of work still needed.
- Let the pkg_* tools' new virtual filesystem to cope with mount points with no options, e.g. AFS.
-
- Enable hw.cpuspeed sysctl(3) on macppc.
+
- Enable hw.cpuspeed sysctl(3) on macppc.
-
- Add stubs for pthread_[gs]etconcurrency(3). From FreeBSD.
-
- Fix a descriptor leak in libpthread when doing close(2) on fds 0,1 or 2. Based on a fix in FreeBSD, but implemented differently.
-
- In libpthread, make accept(2), connect(2), recvfrom(2), recvmsg(2), sendmsg(2) and sendto(2) cancellation points as required by POSIX.1-2001. From FreeBSD.
-
- Deallocate xl(4) resources on attach failures.
-
- Enable bus mastering on fxp(4). Oh yes.
-
- New sshd(8) option KerberosGetAFSToken.
-
- Have ifconfig(8) automagically create network pseudo-interfaces.
+
- Add stubs for pthread_[gs]etconcurrency(3). From FreeBSD.
+
- Fix a descriptor leak in libpthread when doing close(2) on fds 0,1 or 2. Based on a fix in FreeBSD, but implemented differently.
+
- In libpthread, make accept(2), connect(2), recvfrom(2), recvmsg(2), sendmsg(2) and sendto(2) cancellation points as required by POSIX.1-2001. From FreeBSD.
+
- Deallocate xl(4) resources on attach failures.
+
- Enable bus mastering on fxp(4). Oh yes.
+
- New sshd(8) option KerberosGetAFSToken.
+
- Have ifconfig(8) automagically create network pseudo-interfaces.
- Mercifully, turn the non-monotonic time warning off #ifndef DEBUG.
-
- Initialise the url(4) MAC address properly (PR#3612).
-
- When sudo(8) is run with -k or -K only complain about missing usernames to stderr and don't log anything, since we may be running in a .logout script at shutdown and the YP etc. daemon may have gone away.
+
- Initialise the url(4) MAC address properly (PR#3612).
+
- When sudo(8) is run with -k or -K only complain about missing usernames to stderr and don't log anything, since we may be running in a .logout script at shutdown and the YP etc. daemon may have gone away.
-
- Fix a remotely exploitable crasher in tcpdump(8)'s l2tp parser (PR#3610).
+ - Fix a remotely exploitable crasher in tcpdump(8)'s l2tp parser (PR#3610).
[Applied to stable]
- - Properly clean up 3DES cipher contexts in ssh(1).
-
- Make sure a signal handler-modified variable in sensorsd(8) is typed as volatile sig_atomic_t.
-
- In wsmoused(8) (and bgpd) don't set up a handler for SIGKILL since that signal isn't passed to the process at all ever.
-
- Fix a pasto (from the recent source-tracking additions) in the implementation of pf(4) DIOCSTART.
+
- Properly clean up 3DES cipher contexts in ssh(1).
+
- Make sure a signal handler-modified variable in sensorsd(8) is typed as volatile sig_atomic_t.
+
- In wsmoused(8) (and bgpd) don't set up a handler for SIGKILL since that signal isn't passed to the process at all ever.
+
- Fix a pasto (from the recent source-tracking additions) in the implementation of pf(4) DIOCSTART.
- Fix end-of-tape handling under pthreads. Fix from FreeBSD PR#56274, including the fix to the fix in FreeBSD PR#59291.
-
- Use a virtual filesystem in pkg_add(1) and pkg_delete(1) so they can test for available space and writeability before attempting to do the real operations.
+
- Use a virtual filesystem in pkg_add(1) and pkg_delete(1) so they can test for available space and writeability before attempting to do the real operations.
- Much work on the new bgpd.
-
- Remove the recursive format string option '%:' from kernel printf(9).
+
- Remove the recursive format string option '%:' from kernel printf(9).
- Change in*_pcbnotify() to return the number of matches.
- Check for multicasts earlier when processing TCP input, to reduce the amount of redundant processing.
-
- For semop(2) calls with a small number of operations, use the stack instead of malloc(9)'d memory to reduce overhead. Adapted from FreeBSD.
-
- Fix some unbounded sscanf(3)s in the usbhid(3) library.
+
- For semop(2) calls with a small number of operations, use the stack instead of malloc(9)'d memory to reduce overhead. Adapted from FreeBSD.
+
- Fix some unbounded sscanf(3)s in the usbhid(3) library.
- On i386, add a driver for the Pentium 4's thermal control circuit.
-
- Stop tcpdump(8) printing garbage pfsync(4) states when the snaplen is less than the sender's MTU.
-
- Have dc(1) handle SIGINT in a rational way, and have bc(1) pass SIGINT to dc to handle in a rational way.
-
- When updating process stats, check for non-monotonically-increasing time from microtime(9), deal with it by doing nothing instead of zeroing the counter, and complain #ifdef DIAGNOSTIC.
+
- Stop tcpdump(8) printing garbage pfsync(4) states when the snaplen is less than the sender's MTU.
+
- Have dc(1) handle SIGINT in a rational way, and have bc(1) pass SIGINT to dc to handle in a rational way.
+
- When updating process stats, check for non-monotonically-increasing time from microtime(9), deal with it by doing nothing instead of zeroing the counter, and complain #ifdef DIAGNOSTIC.
- Enhanced Intel SpeedStep support on i386.
-
- New sysctl(3) variables hw.cpuspeed and hw.setperf on i386, used to control LongRun.
-
- Only modulate the TCP timestamp (pf(4) scrub reassemble tcp) if there's a valid timestamp to be modulated.
+
- New sysctl(3) variables hw.cpuspeed and hw.setperf on i386, used to control LongRun.
+
- Only modulate the TCP timestamp (pf(4) scrub reassemble tcp) if there's a valid timestamp to be modulated.
- Allow ARP replies containing Ethernet multicast addresses, since some HA products want to do this.
-
- Show tcpdump(8) how to recognise IKE NAT-D and NAT-OA payloads.
-
- When isakmpd(8) gives up on a message, show the exchange name in the log.
+
- Show tcpdump(8) how to recognise IKE NAT-D and NAT-OA payloads.
+
- When isakmpd(8) gives up on a message, show the exchange name in the log.
-
- Change pfsync(4) multicast group to 224.0.0.240, and IP protocol (pfsync in protocols(5)) to 240.
+
- Change pfsync(4) multicast group to 224.0.0.240, and IP protocol (pfsync in protocols(5)) to 240.
- New pseudo-user _bgpd with matching group.
-
- Begin spanning tree operation when a bridge(4) interface comes up.
+
- Begin spanning tree operation when a bridge(4) interface comes up.
- New BGP daemon, bgpd. Not complete, and not built by default yet.
-
- Do a real inverse-colour cursor for rasops(9)-based consoles. Based on a similar change in NetBSD.
-
- New kqueue(2) filters NOTE_EOF and NOTE_TRUNCATE.
-
- Add ccd(4) and a newly-shrunken version of ccdconfig(8) to the i386 CD ramdisk kernel.
+
- Do a real inverse-colour cursor for rasops(9)-based consoles. Based on a similar change in NetBSD.
+
- New kqueue(2) filters NOTE_EOF and NOTE_TRUNCATE.
+
- Add ccd(4) and a newly-shrunken version of ccdconfig(8) to the i386 CD ramdisk kernel.
- Update the kernel zlib to 1.2.1.
- Shrink even more the special gzip used for boot floppies. It now does decompress only and is directly compiled in.
- Update userland zlib to 1.2.1, with local fixes. New major version, libz.so.3.0.
-
- Don't let cvs(1) pass null labels through to its diff command when stat(2) fails for an input file.
-
- When filtering on a bridge(4), compare the destination in the filter with the destination address of the packet, not the source address.
-
- New queue(3) macros SLIST_FOREACH_PREVPTR (from FreeBSD) and SLIST_REMOVE_NEXT.
+
- Don't let cvs(1) pass null labels through to its diff command when stat(2) fails for an input file.
+
- When filtering on a bridge(4), compare the destination in the filter with the destination address of the packet, not the source address.
+
- New queue(3) macros SLIST_FOREACH_PREVPTR (from FreeBSD) and SLIST_REMOVE_NEXT.
- Allow cloner interfaces to return an error from their destroy function.
-
- Much string cleaning and abort(3) -> exit(3) in the AFS library.
-
- Stop newsyslog(8) segfaulting when given an empty command (PR#3578).
-
- Fix a couple of missing printf(3) args in monop(6) and mopd(8).
-
- New environment variable MANPAGER for man(1) (PR#3563).
-
- Add app-layer keepalive option 'ServerAliveInterval' to ssh(1), analogous to ClientAliveInterval on the server.
-
- Don't do expensive pfsync(4) processing if noone is using it (i.e. no bpf(4) listeners, and no network synchronisation).
+
- Much string cleaning and abort(3) -> exit(3) in the AFS library.
+
- Stop newsyslog(8) segfaulting when given an empty command (PR#3578).
+
- Fix a couple of missing printf(3) args in monop(6) and mopd(8).
+
- New environment variable MANPAGER for man(1) (PR#3563).
+
- Add app-layer keepalive option 'ServerAliveInterval' to ssh(1), analogous to ClientAliveInterval on the server.
+
- Don't do expensive pfsync(4) processing if noone is using it (i.e. no bpf(4) listeners, and no network synchronisation).
- Shorten or '#ifdef SMALL'-out some long message strings in the kernel.
- A round of boot floppy space-saving begins.
-
- When calculating CPU time usage, check for a time-going-backwards bug in microtime(9) found on some dual-clock systems.
+
- When calculating CPU time usage, check for a time-going-backwards bug in microtime(9) found on some dual-clock systems.
- Fix some fallout from the rlim_t change from signed to unsigned.
-
- Add support for groups 14 through 18 (modp{2048,2072,4096,6144,8192} - see RFC 3526) to isakmpd(8).
-
- Initial support for pf(4) state synchronisation over the network. See pfsync(4).
-
- Make sh(1) and ksh(1) functions work the way the manual page suggests with respect to non-exported environment variables (PR#2450).
-
- Allow pf(4) to track stateful connections based on the source IP address. Especially useful for load balancing configurations.
+
- Add support for groups 14 through 18 (modp{2048,2072,4096,6144,8192} - see RFC 3526) to isakmpd(8).
+
- Initial support for pf(4) state synchronisation over the network. See pfsync(4).
+
- Make sh(1) and ksh(1) functions work the way the manual page suggests with respect to non-exported environment variables (PR#2450).
+
- Allow pf(4) to track stateful connections based on the source IP address. Especially useful for load balancing configurations.
-
- Add awk(1) USD paper in /usr/share/doc/usd/16.awk.
-
- Don't assume that the IKE port is always 500 in isakmpd(8) log output.
+
- Add awk(1) USD paper in /usr/share/doc/usd/16.awk.
+
- Don't assume that the IKE port is always 500 in isakmpd(8) log output.
- Alignment fixes for kernel and libc RMD160 functions.
-
- Initial support for ifconfig destroy in ppp(4) and sl(4)
+
- Initial support for ifconfig destroy in ppp(4) and sl(4)
-
- Don't accept absolute pathnames for module names in cvs(1). From CVS 1.11.10.
-
- Cleanup and POSIXness for join(1). From FreeBSD.
+
- Don't accept absolute pathnames for module names in cvs(1). From CVS 1.11.10.
+
- Cleanup and POSIXness for join(1). From FreeBSD.
- More POSIX type definitions (rlim_t now unsigned, RLIM_SAVED_{CUR,MAX} defined, id_t defined).
-
- Kill annoying pf(4) assertion failure messages, and correct the underlying problem with NAT and table stats (PR#3587).
-
- Fix sis(4) short cable problems properly. From Linux and the datasheets, via FreeBSD.
+
- Kill annoying pf(4) assertion failure messages, and correct the underlying problem with NAT and table stats (PR#3587).
+
- Fix sis(4) short cable problems properly. From Linux and the datasheets, via FreeBSD.
-
- Also for poll(2), add pollfd_t (= struct pollfd) as in Solaris.
-
- Add type nfds_t for poll(2) as per POSIX.
-
- Make pkg_delete(1) flag an attempt to delete a non-existent package as an error.
-
- For IPv6 multicast sockets, validate the get/setsockopt(2) argument more strictly to preventing a local user causing a kernel panic. From KAME.
+
- Also for poll(2), add pollfd_t (= struct pollfd) as in Solaris.
+
- Add type nfds_t for poll(2) as per POSIX.
+
- Make pkg_delete(1) flag an attempt to delete a non-existent package as an error.
+
- For IPv6 multicast sockets, validate the get/setsockopt(2) argument more strictly to preventing a local user causing a kernel panic. From KAME.
- Big register declaration purge in sys/net*.
- Better non-repetitive ID generation for IPv4, IPv6 and resolver query IDs.
-
- Some improvements to authpf(8)'s logging output.
+
- Some improvements to authpf(8)'s logging output.
- Fix up netinet and netinet6 interface lookup code after the introduction of clonable devices.
-
- Clear the exit code when ssh(1) with -N is terminated with SIGTERM.
-
- Sync em(4) with FreeBSD, enabling support for a few more models.
-
- Fix some *printf(char *) silliness in identd(8).
-
- Rename the ssh(1) option KeepAlive to TCPKeepAlive to help people who just won't read manual pages.
-
- Better -n handling for pkg_add(1) and pkg_delete(1) when dependencies are involved.
-
- Make explicit the base package to which pkg_add(1)'s dependency resolution output applies.
-
- Fix error-handling logic in pkg_add(1) that affected the -n option.
-
- In ssh(1) and sshd(8), don't modify argv when parsing the -o option (unbreaks HUP for sshd).
-
- Make ssh(1) option ClientKeepAlive work when the -N option (no login shell) is in effect.
-
- Stop ssh-keygen(1)'s -T option from accepting primes with no known generator.
-
- Add some PostScript docs for lex(1).
-
- Fix some missing printf(3) args in tn3270(1) and kernfs.
-
- Some cleanup in compress(1).
-
- Allow more than one user at a time to use ftp(1) in active mode (PR#3596).
+ - Clear the exit code when ssh(1) with -N is terminated with SIGTERM.
+
- Sync em(4) with FreeBSD, enabling support for a few more models.
+
- Fix some *printf(char *) silliness in identd(8).
+
- Rename the ssh(1) option KeepAlive to TCPKeepAlive to help people who just won't read manual pages.
+
- Better -n handling for pkg_add(1) and pkg_delete(1) when dependencies are involved.
+
- Make explicit the base package to which pkg_add(1)'s dependency resolution output applies.
+
- Fix error-handling logic in pkg_add(1) that affected the -n option.
+
- In ssh(1) and sshd(8), don't modify argv when parsing the -o option (unbreaks HUP for sshd).
+
- Make ssh(1) option ClientKeepAlive work when the -N option (no login shell) is in effect.
+
- Stop ssh-keygen(1)'s -T option from accepting primes with no known generator.
+
- Add some PostScript docs for lex(1).
+
- Fix some missing printf(3) args in tn3270(1) and kernfs.
+
- Some cleanup in compress(1).
+
- Allow more than one user at a time to use ftp(1) in active mode (PR#3596).
[Applied to stable]
- Unbreak xfs symlinks (PR#3552).
[Applied to stable]
- - In patch(1), get a private mapping from mmap(2) instead of a default (file) mapping.
-
- Fix a crash in troff(1).
+
- In patch(1), get a private mapping from mmap(2) instead of a default (file) mapping.
+
- Fix a crash in troff(1).
- Don't drop the newest TCP connection when doing SYN flood avoidance when we meant to drop the oldest.
-
- Fix an endianness bug in gre(4) when sending to ip_output.
+ - Fix an endianness bug in gre(4) when sending to ip_output.
[Applied to stable]
- - In pf(4), make IPv6 redirects to loopback work the same way as for IPv4 and not require an additional route-to line.
-
- Fix a too-low spl(9) in the nfs client code.
-
- New ifconfig(8) option -C (and supporting ioctl(2) SIOCIFGCLONERS) that lists all cloning-capable devices.
-
- New mbuf_tags(9) type ...PF_TRANSLATE_LOCALHOST, used so that pf(4) redirection to localhost doesn't defeat the ability of programs like portmap(8) to tell localhost connections from remote connections.
+
- In pf(4), make IPv6 redirects to loopback work the same way as for IPv4 and not require an additional route-to line.
+
- Fix a too-low spl(9) in the nfs client code.
+
- New ifconfig(8) option -C (and supporting ioctl(2) SIOCIFGCLONERS) that lists all cloning-capable devices.
+
- New mbuf_tags(9) type ...PF_TRANSLATE_LOCALHOST, used so that pf(4) redirection to localhost doesn't defeat the ability of programs like portmap(8) to tell localhost connections from remote connections.
-
- Add ifconfig create support to ppp(4) and sl(4). No ifconfig destroy yet.
-
- Fix regex(3) handling of non-ASCII characters (PR#3594). Fix from FreeBSD.
+
- Add ifconfig create support to ppp(4) and sl(4). No ifconfig destroy yet.
+
- Fix regex(3) handling of non-ASCII characters (PR#3594). Fix from FreeBSD.
-
- Fix grep(1)'s handling of certain patterns containing multiple dots (PR#3597).
-
- Make ifconfig destroy work on tun(4).
+
- Fix grep(1)'s handling of certain patterns containing multiple dots (PR#3597).
+
- Make ifconfig destroy work on tun(4).
-
- Fix an endianness bug that was causing wicontrol(8) to crash.
-
- Set madvise(2) flag MADV_RANDOM for mfs(8) filesystems.
+
- Fix an endianness bug that was causing wicontrol(8) to crash.
+
- Set madvise(2) flag MADV_RANDOM for mfs(8) filesystems.
-
- Validate the SPIs presented in DELETE messages when doing an isakmpd(8) informational exchange.
-
- Have the installer ask whether sshd(8) should be enabled at first boot. The default is to enable it.
-
- Enable multicast reception for em(4).
-
- Do a screen split when more than one file is opened on mg(1)'s command line.
-
- Unbreak mg(1)'s META key support.
+
- Validate the SPIs presented in DELETE messages when doing an isakmpd(8) informational exchange.
+
- Have the installer ask whether sshd(8) should be enabled at first boot. The default is to enable it.
+
- Enable multicast reception for em(4).
+
- Do a screen split when more than one file is opened on mg(1)'s command line.
+
- Unbreak mg(1)'s META key support.
-
- Fix a sign comparison bug in semop(2).
-
- Add cloning support to bridge(4), carp(4), faith(4), gif(4), gre(4), lo(4), tun(4) and vlan(4).
-
- Support for interface 'cloning,' accessed by ifconfig(8) commands create and destroy. E.g. 'ifconfig vlan100 create'
-
- Add a dmesg command to ddb(4).
+
- Fix a sign comparison bug in semop(2).
+
- Add cloning support to bridge(4), carp(4), faith(4), gif(4), gre(4), lo(4), tun(4) and vlan(4).
+
- Support for interface 'cloning,' accessed by ifconfig(8) commands create and destroy. E.g. 'ifconfig vlan100 create'
+
- Add a dmesg command to ddb(4).
- Don't allow too many network interfaces (>65535) to be attached.
- Merge Perl 5.8.2.
- Add an hppa target to gcc3.
-
- Add support for UDP encapsulation of ESP in transport mode (see draft-ietf-ipsec-udp-encaps-XX.txt,) enabled via new sysctl(3) toggle net.inet.esp.udpencap.
-
- Use a consistent, high listen backlog for sshd(8), ssh-agent(1) and forwarding sockets.
-
- Fix an off-by-one in dc(1).
-
- Cosmetic improvements to ssh(1)'s progress meter.
-
- Let bc(1) compile programs with more than 10,000 lines.
-
- Add support for long variable names to bc(1), another non-portable extension.
-
- Add kqueue(2) support to tun(4).
-
- Use now instead of the epoch as the timebase for compat_linux(8) function alarm().
+
- Add support for UDP encapsulation of ESP in transport mode (see draft-ietf-ipsec-udp-encaps-XX.txt,) enabled via new sysctl(3) toggle net.inet.esp.udpencap.
+
- Use a consistent, high listen backlog for sshd(8), ssh-agent(1) and forwarding sockets.
+
- Fix an off-by-one in dc(1).
+
- Cosmetic improvements to ssh(1)'s progress meter.
+
- Let bc(1) compile programs with more than 10,000 lines.
+
- Add support for long variable names to bc(1), another non-portable extension.
+
- Add kqueue(2) support to tun(4).
+
- Use now instead of the epoch as the timebase for compat_linux(8) function alarm().
- Avoid a null-deref in uvm_swap_markbad().
- Check signedness before dereferencing in kernel descriptor management code.
-
- Fix csh(1) variable substitution when shortening strings (PR#3591).
-
- In aliases(5), direct mail for most fake users (e.g. _syslogd) to /dev/null instead of spamming root.
+
- Fix csh(1) variable substitution when shortening strings (PR#3591).
+
- In aliases(5), direct mail for most fake users (e.g. _syslogd) to /dev/null instead of spamming root.
- Add an amd64 target to gcc3.
-
- Add extended register support in dc(1) (-x option,) ready for long variable names support coming to bc(1) soon.
-
- Cleanup of mopd(8).
+
- Add extended register support in dc(1) (-x option,) ready for long variable names support coming to bc(1) soon.
+
- Cleanup of mopd(8).
- Add OpenBSD-specific options to gcc3.
- Import (but do not yet enable) GCC 3.3.2, without the ADA frontend for space reasons.
-
- New ':' (inclusive range) operator for pf(4), works anywhere in pf.conf(5) that '><' (exclusive range) works.
+
- New ':' (inclusive range) operator for pf(4), works anywhere in pf.conf(5) that '><' (exclusive range) works.
-
- Fix the regex in security(8) that tests for valid group names.
-
- More fixes to pf(4) stats gathering.
+
- Fix the regex in security(8) that tests for valid group names.
+
- More fixes to pf(4) stats gathering.
- Fix NFS-over-TCP speed when OpenBSD is serving Linux clients (PR#3561).
-
- Allow systrace(1) to accept usernames ending in '$'.
-
- Fix missing printf(3) arguments in eeprom(8), elf2aout and elf2ecoff.
+
- Allow systrace(1) to accept usernames ending in '$'.
+
- Fix missing printf(3) arguments in eeprom(8), elf2aout and elf2ecoff.
-
- Discard the first 256 bytes of the arc4random(3) keystream as recommended by the "Weaknesses in the Key Scheduling Algorithm of RC4" paper.
-
- Fix a core dump in dc(1) when reading uninitialised array locations.
+
- Discard the first 256 bytes of the arc4random(3) keystream as recommended by the "Weaknesses in the Key Scheduling Algorithm of RC4" paper.
+
- Fix a core dump in dc(1) when reading uninitialised array locations.
- Some gcc3 compatibility cleanup.
-
- Fix SIOCGIFHWADDR under compat_linux(8).
+
- Fix SIOCGIFHWADDR under compat_linux(8).
- Build more components of libiberty in preparation for gcc3.
- Sync libiberty with the version from GCC 3.3.2.
- Sync libedit with that of NetBSD on 8 Nov 2003.
- Move libiberty into src/gnu/lib/libiberty, removing it from the egcs directory. The new library is a sync'd to "somewhere between binutils-2.10 and 2.11" with some local changes.
-
- Avoid a double-free in pcap_setfilter(3).
+
- Avoid a double-free in pcap_setfilter(3).
- Have the kernel's MD5 code use the per-architecture optimised bcopy() instead of its own implementation (PR#3549).
-
- New meaning for the ssh(1) -k option, it's now equivalent to GSSAPIDelegateCredentials=no.
+
- New meaning for the ssh(1) -k option, it's now equivalent to GSSAPIDelegateCredentials=no.
-
- In ssh-keyscan(1), use sysconf(3) to get the maximum fd limit instead of returning an arbitrary number.
-
- Fix an out-of-bounds access typo in the implementation of sysctl(3) KERN_VNODE.
-
- Another getpass(3) return value check, this time in encrypt(1).
-
- Fix a sign overflow in compat_svr4(8) streams code.
-
- Make usernames containing underscores work in systrace(1).
+
- In ssh-keyscan(1), use sysconf(3) to get the maximum fd limit instead of returning an arbitrary number.
+
- Fix an out-of-bounds access typo in the implementation of sysctl(3) KERN_VNODE.
+
- Another getpass(3) return value check, this time in encrypt(1).
+
- Fix a sign overflow in compat_svr4(8) streams code.
+
- Make usernames containing underscores work in systrace(1).
-
- While we're fixing diff(1) return values, fix that of the -q option which got broken when -i was fixed.
-
- Stop the install(1) madvise() change breaking 'make release'.
-
- Stop pfctl(8) allowing an antispoof for an interface without an IP address, since that amounts to blocking all on every other interface. Bad.
-
- Add a few more pkg_create(1) packing list sanity checks.
+
- While we're fixing diff(1) return values, fix that of the -q option which got broken when -i was fixed.
+
- Stop the install(1) madvise() change breaking 'make release'.
+
- Stop pfctl(8) allowing an antispoof for an interface without an IP address, since that amounts to blocking all on every other interface. Bad.
+
- Add a few more pkg_create(1) packing list sanity checks.
-
- Also give cmp(1) and patch(1) the madvise(2) sequential treatment.
-
- Speed up install(1) by using madvise(2) with the MADV_SEQUENTIAL flag.
+
- Also give cmp(1) and patch(1) the madvise(2) sequential treatment.
+
- Speed up install(1) by using madvise(2) with the MADV_SEQUENTIAL flag.
-
- SECURITY FIX: Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match. This only affects sparc64.
+ - SECURITY FIX: Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match. This only affects sparc64.
A source code patch is available.
[Applied to stable]
- - New -o option to kvm_mkdb(8), to put the database somewhere other than /var/db.
-
- Fix return code from diff(1) when the -i option is in use.
+
- New -o option to kvm_mkdb(8), to put the database somewhere other than /var/db.
+
- Fix return code from diff(1) when the -i option is in use.
-
- Build ftp(1) statically linked, to help out when things go wrong.
-
- RELIABILITY FIX: An improper bounds check makes it possible for a local user to cause a crash by passing the semctl(2) and semop(2) functions certain arguments.
+ - Build ftp(1) statically linked, to help out when things go wrong.
+
- RELIABILITY FIX: An improper bounds check makes it possible for a local user to cause a crash by passing the semctl(2) and semop(2) functions certain arguments.
A source code patch is available.
[Applied to stable]
- - RELIABILITY FIX: It is possible for a local user to cause a crash via sysctl(3) with certain arguments.
+ - RELIABILITY FIX: It is possible for a local user to cause a crash via sysctl(3) with certain arguments.
A source code patch is available.
[Applied to stable]
- - Add gcc(1) flags -fnobuiltin-{log,print} for kernel builds on some architectures, the others to be done as test results are collected.
-
- Re-enable build of named(8)'s DNSSEC programs.
+
- Add gcc(1) flags -fnobuiltin-{log,print} for kernel builds on some architectures, the others to be done as test results are collected.
+
- Re-enable build of named(8)'s DNSSEC programs.
-
- More wdc(4) probe fixes, sync'ing with NetBSD.
-
- Fix timed(8) breakage caused by the change from select(2) to poll(2).
+
- More wdc(4) probe fixes, sync'ing with NetBSD.
+
- Fix timed(8) breakage caused by the change from select(2) to poll(2).
-
- Add /etc/rc(8) startup for sensorsd(8).
+
- Add /etc/rc(8) startup for sensorsd(8).
- Merge in BIND v9.2.3.
-
- In crypto(3), enable assembler BN functions on vax, and assembler for most things on i386.
-
- Fix password blinding for non-existent users in sshd(8).
+
- In crypto(3), enable assembler BN functions on vax, and assembler for most things on i386.
+
- Fix password blinding for non-existent users in sshd(8).
- Add new lightweight kernel reader/writer lock code, not used for anything yet.
-
- Performance improvements to pool(9).
-
- In sshd(8), fix the test for a valid authentication context when processing -R port forwards.
+
- Performance improvements to pool(9).
+
- In sshd(8), fix the test for a valid authentication context when processing -R port forwards.
-
- Fix unnecessary delays in wdc(4)'s device probe. From NetBSD.
+
- Fix unnecessary delays in wdc(4)'s device probe. From NetBSD.
- Fix a missing initialisation in libkvm.
-
- Don't expose the contents of named(8)'s rndc.key file when diff'd by security(8).
+
- Don't expose the contents of named(8)'s rndc.key file when diff'd by security(8).
- Merge in Apache 1.3.29 and mod_ssl 2.8.16.
-
- Add a missing bounds check and fix an int overflow in compat_ibcs2(8) (not enabled by default).
+ - Add a missing bounds check and fix an int overflow in compat_ibcs2(8) (not enabled by default).
[Applied to stable]
- - Two more non-portable extensions to bc(1): Add new boolean operators, and allow relational operators to appear anywhere.
-
- Add drop operator 'R' to dc(1).
-
- Replace ssh(1) authentication mechanism 'gssapi' with 'gssapi-with-mic'.
+
- Two more non-portable extensions to bc(1): Add new boolean operators, and allow relational operators to appear anywhere.
+
- Add drop operator 'R' to dc(1).
+
- Replace ssh(1) authentication mechanism 'gssapi' with 'gssapi-with-mic'.
-
- pf(4) stateful connections for generic protocols now work for IPv6 as well as IPv4.
+
- pf(4) stateful connections for generic protocols now work for IPv6 as well as IPv4.
- Pull in a patch from XFree86 4.3, preventing a crash on Riva128 cards.
- Remove win32 support files from the BIND tree.
-
- Set the atime, ctime and mtime of the kernfs boottime file to, uh, the boot time. Useful for find(1).
-
- Fix savecore(8) on big-endian 64-bit architectures.
+
- Set the atime, ctime and mtime of the kernfs boottime file to, uh, the boot time. Useful for find(1).
+
- Fix savecore(8) on big-endian 64-bit architectures.
- More fine-grained CPU type detection on i386.
-
- Test for a NULL return from getpass(3) in bdes(1), pppctl(8) and tn3270(1).
+
- Test for a NULL return from getpass(3) in bdes(1), pppctl(8) and tn3270(1).
-
- Fix bogus read(2) error check in mg(1) when writing a backup file.
-
- Let compress(1) inflate multiple concatenated files just like GNU gzip.
-
- Support in dc(1) for boolean operations soon to appear in bc(1).
-
- Allow the pfctl(8) debug level to be set from pf.conf(5) with 'set debug'.
-
- Some fixes in the ssh(1) GSSAPI client code.
-
- Don't include the KAME interface index (used for IPv6 link-local addresses) in the carp(4) HMAC value.
+
- Fix bogus read(2) error check in mg(1) when writing a backup file.
+
- Let compress(1) inflate multiple concatenated files just like GNU gzip.
+
- Support in dc(1) for boolean operations soon to appear in bc(1).
+
- Allow the pfctl(8) debug level to be set from pf.conf(5) with 'set debug'.
+
- Some fixes in the ssh(1) GSSAPI client code.
+
- Don't include the KAME interface index (used for IPv6 link-local addresses) in the carp(4) HMAC value.
-
- Strip out some slightly pointless tests in wdc(4) for an 8-bit value < n, where n > 255.
-
- Fix a bug in bc(1)'s print statement that left garbage on dc(1)'s stack.
-
- Make bc(1)'s exponentiation operator '^' right- instead of left-associative.
+
- Strip out some slightly pointless tests in wdc(4) for an 8-bit value < n, where n > 255.
+
- Fix a bug in bc(1)'s print statement that left garbage on dc(1)'s stack.
+
- Make bc(1)'s exponentiation operator '^' right- instead of left-associative.
-
- Fix a potential DoS in ftpd(8) where an attacker could tie up the data port for long periods. From FreeBSD.
+ - Fix a potential DoS in ftpd(8) where an attacker could tie up the data port for long periods. From FreeBSD.
[Applied to stable]
- - New behaviour for ssh(1) option VerifyHostKeyDNS, allowing implicit trust for DNSSEC-verified SSHFP records.
-
- Have scp(1) pass through the -q flag to its underlying ssh(1) process, suppressing SSH2 banners.
+
- New behaviour for ssh(1) option VerifyHostKeyDNS, allowing implicit trust for DNSSEC-verified SSHFP records.
+
- Have scp(1) pass through the -q flag to its underlying ssh(1) process, suppressing SSH2 banners.
- Merge in OpenSSL 0.9.7c.
-
- Some nonportable syntactic sugar for dc(1) and bc(1).
-
- free(9)ing stack variables is a bad idea, don't do it in ubsa(4).
-
- Don't leak memory from ld.so(1) if the library name is invalid.
-
- Better parsing of library version numbers in ld.so(1), so 'libpython2.1.so.0.0' and 'libpython2.2.so.0.0' can coexist in peace.
-
- New 'print' statement for bc(1), a non-portable extension.
+
- Some nonportable syntactic sugar for dc(1) and bc(1).
+
- free(9)ing stack variables is a bad idea, don't do it in ubsa(4).
+
- Don't leak memory from ld.so(1) if the library name is invalid.
+
- Better parsing of library version numbers in ld.so(1), so 'libpython2.1.so.0.0' and 'libpython2.2.so.0.0' can coexist in peace.
+
- New 'print' statement for bc(1), a non-portable extension.
-
- Fix ksh(1)'s handling of redirection of a file to the same file, e.g. '2>&2'.
-
- Add more privacy flags to sendmail(8) cf/openbsd-proto.mc, requiring HELO/EHLO and disabling EXPN/VRFY.
+
- Fix ksh(1)'s handling of redirection of a file to the same file, e.g. '2>&2'.
+
- Add more privacy flags to sendmail(8) cf/openbsd-proto.mc, requiring HELO/EHLO and disabling EXPN/VRFY.
- Add a classic paper on password security in /usr/share/doc/smm/17.password.
-
- Send diff(1) output 'no newline at end of file' to stderr instead of stdout, for compatibility.
-
- Stop pkg_add(1) considering as errors attempts to add an already-added package.
+
- Send diff(1) output 'no newline at end of file' to stderr instead of stdout, for compatibility.
+
- Stop pkg_add(1) considering as errors attempts to add an already-added package.
-
- Keep track of errors when adding multiple packages with pkg_add(1), and set a useful error code on return.
+
- Keep track of errors when adding multiple packages with pkg_add(1), and set a useful error code on return.
- Remove the automatic setting of packing-list prefix from the first @cwd.
-
- Restore printing of vlan(4) information in ifconfig(8), accidentally broken when carp(4) was added.
-
- Really fix mg(1) insert-file.
-
- Safer region handling in mg(1).
-
- Restore the terminal correctly when aborting out of mg(1).
-
- Undo the mg(1) insert-file operation properly.
+
- Restore printing of vlan(4) information in ifconfig(8), accidentally broken when carp(4) was added.
+
- Really fix mg(1) insert-file.
+
- Safer region handling in mg(1).
+
- Restore the terminal correctly when aborting out of mg(1).
+
- Undo the mg(1) insert-file operation properly.
-
- Unbreak the anchor rule number returned by pfsync(4).
+
- Unbreak the anchor rule number returned by pfsync(4).
- Avoid a race condition when swapping in a process.
- On i386, fix a crash that occurred with a large number (>1500) of processes (PR#3528).
-
- New 'no sync' state option to prevent state transitions for a particular rule appearing on the pfsync(4) interface.
+
- New 'no sync' state option to prevent state transitions for a particular rule appearing on the pfsync(4) interface.
-
- Check that carp(4) packets are received on a carp-enabled interface.
+
- Check that carp(4) packets are received on a carp-enabled interface.
- Fix setting of the interface index for IPv6 link-local multicast joins.
-
- Stop carp(4) responding to ARPs when the interface is down.
-
- Fix a buffer overflow in sed(1) when doing regex substitutions. From FreeBSD.
+
- Stop carp(4) responding to ARPs when the interface is down.
+
- Fix a buffer overflow in sed(1) when doing regex substitutions. From FreeBSD.
-
- Add non-portable extensions to dc(1): '#' (comment), 'n' (print without newline) and 'a' (byte to char).
-
- Better pkg_add(1) dependency resolution.
+
- Add non-portable extensions to dc(1): '#' (comment), 'n' (print without newline) and 'a' (byte to char).
+
- Better pkg_add(1) dependency resolution.
- Don't call the post-install script of packages that didn't fully install, and allow such packages to be fully removed.
-
- Let pkg_add(1) install packages coming from stdin.
-
- pkg_delete(1) allows the path to an installed package on the command line, so e.g. 'pkg_delete /var/db/pkg/zsh-*' now works.
+
- Let pkg_add(1) install packages coming from stdin.
+
- pkg_delete(1) allows the path to an installed package on the command line, so e.g. 'pkg_delete /var/db/pkg/zsh-*' now works.
- The package tools now automatically use the target of the first @cwd in the packing list as the prefix.
-
- Temporarily back out the recent reordering of interface capability tests and pf_test(). pf(4) rdr rules are now generating some bogus checksums.
-
- In isakmpd(8), require encrypted messages as soon as we have the keystate for it, require DELETE payloads to be accompanied by HASHes, and add validation for HASH payloads without active exchanges.
-
- Allow pf(4) tags to use the same macros as labels (see pf.conf(5)).
-
- Teach gdb(1) about SIGINFO (PR#3173).
-
- Add commented-out LoadModule config lines, along with a short description, for each httpd(8) module in the standard build.
-
- In newfs(8) don't write the magic to the superblock until filesystem creation is completed.
-
- Fix netstat(1)'s display of IPv6 link-local multicast addresses.
+
- Temporarily back out the recent reordering of interface capability tests and pf_test(). pf(4) rdr rules are now generating some bogus checksums.
+
- In isakmpd(8), require encrypted messages as soon as we have the keystate for it, require DELETE payloads to be accompanied by HASHes, and add validation for HASH payloads without active exchanges.
+
- Allow pf(4) tags to use the same macros as labels (see pf.conf(5)).
+
- Teach gdb(1) about SIGINFO (PR#3173).
+
- Add commented-out LoadModule config lines, along with a short description, for each httpd(8) module in the standard build.
+
- In newfs(8) don't write the magic to the superblock until filesystem creation is completed.
+
- Fix netstat(1)'s display of IPv6 link-local multicast addresses.
-
- Redo the wdc(4) drive reset changes, more cautious this time.
-
- Make tcpdump(8)'s -x flag work for pfsync(4) devices.
+
- Redo the wdc(4) drive reset changes, more cautious this time.
+
- Make tcpdump(8)'s -x flag work for pfsync(4) devices.
- Use hash tables where possible for listen socket lookup as well.
-
- Add a route when we're the carp(4) master host, so the local machine can use the common address.
-
- Have pkg_create(1) spot duplicate packaging list entries and die noisily when it does so.
-
- Stop carp(4) pretending that everything it sends to bpf(4) comes from AF_INET6.
-
- Add GNU-compatible 'r' operator (swaps the top two stack items) to dc(1).
-
- Kill an IPv4 pasto in carp(4) IPv6 support when setting the interface address.
+
- Add a route when we're the carp(4) master host, so the local machine can use the common address.
+
- Have pkg_create(1) spot duplicate packaging list entries and die noisily when it does so.
+
- Stop carp(4) pretending that everything it sends to bpf(4) comes from AF_INET6.
+
- Add GNU-compatible 'r' operator (swaps the top two stack items) to dc(1).
+
- Kill an IPv4 pasto in carp(4) IPv6 support when setting the interface address.
- RELIABILITY FIX: It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header.
A source code patch is available.
[Applied to stable]
- - Make pkg_delete(1) handle dependencies properly when using package name stems.
-
- Don't try to free a static string when checking ssh(1) host keys.
-
- In regular (non-pf(4)) IP output code, defer the interface tests for hardware IPsec and checksum capability until after pf_test(), since pf might drop the packet, or send it to a different interface.
-
- Make pf(4)-routed packets check the target interface for hardware IPsec and checksum capability.
-
- Fix a memory leak when carp(4) fails to put the interface into promiscuous mode.
-
- Add a missing check in IPv6 carp(4) for an interface on its way down.
+
- Make pkg_delete(1) handle dependencies properly when using package name stems.
+
- Don't try to free a static string when checking ssh(1) host keys.
+
- In regular (non-pf(4)) IP output code, defer the interface tests for hardware IPsec and checksum capability until after pf_test(), since pf might drop the packet, or send it to a different interface.
+
- Make pf(4)-routed packets check the target interface for hardware IPsec and checksum capability.
+
- Fix a memory leak when carp(4) fails to put the interface into promiscuous mode.
+
- Add a missing check in IPv6 carp(4) for an interface on its way down.
-
- Preserve the debug flag when enabling pf(4).
+
- Preserve the debug flag when enabling pf(4).
-
- In top(1), check for signals at the right time and handle stdin failures better.
+
- In top(1), check for signals at the right time and handle stdin failures better.
-
- Have patch(1) determine the filename in same manner as GNU patch.
-
- New --posix option for patch(1) for, uh, strict POSIX conformance.
-
- Set pkgpath in the correct order in pkg_add(1) etc.
-
- Re-add the SATA mode detection and reset-pause-IDENTIFY fixes to wdc(4). Drive reset fixes need further testing.
-
- Allocate the right number of elements in hashinit(9) (PR#3537).
-
- Look up the groupname (not the username) when getting the gid from a tarfile in pkg_add(1) and friends. Also set file ownership before the mode.
-
- Add IPv6 support to carp(4).
+
- Have patch(1) determine the filename in same manner as GNU patch.
+
- New --posix option for patch(1) for, uh, strict POSIX conformance.
+
- Set pkgpath in the correct order in pkg_add(1) etc.
+
- Re-add the SATA mode detection and reset-pause-IDENTIFY fixes to wdc(4). Drive reset fixes need further testing.
+
- Allocate the right number of elements in hashinit(9) (PR#3537).
+
- Look up the groupname (not the username) when getting the gid from a tarfile in pkg_add(1) and friends. Also set file ownership before the mode.
+
- Add IPv6 support to carp(4).
- Sync libedit to NetBSD as of 2003-10-01, with some local string cleaning and history bug fixes. There are some api changes as a result of this update.
- New port, OPENBSD/pegasos.
-
- Fix insufficient length check in route6d(8) (KAME PR#507).
+
- Fix insufficient length check in route6d(8) (KAME PR#507).
-
- Try to deal with strdup(3) failures in init(8).
+
- Try to deal with strdup(3) failures in init(8).
- More detective work from the spelling police, double-word branch.
-
- Fix lc(4) multicast filter initialisation.
+
- Fix lc(4) multicast filter initialisation.
-
- Backout recent wdc(4) reset, identify and mode detection changes, they are breaking things.
-
- Fix pf(4) binat for incoming connections when a netblock (not just a single address) is used as the rule source (PR#3535).
+ - Backout recent wdc(4) reset, identify and mode detection changes, they are breaking things.
+
- Fix pf(4) binat for incoming connections when a netblock (not just a single address) is used as the rule source (PR#3535).
[Applied to stable]
- - RELIABILITY FIX: A user with write permission to httpd.conf or a .htaccess file can crash httpd(8) or potentially run arbitrary code as the user www (although it is believed that ProPolice will prevent code execution).
+ - RELIABILITY FIX: A user with write permission to httpd.conf or a .htaccess file can crash httpd(8) or potentially run arbitrary code as the user www (although it is believed that ProPolice will prevent code execution).
A source code patch is available.
[Applied to stable]
- - Do a better job of finding the proper partition in growfs(8).
-
- Evaluate dependencies earlier in pkg_delete(1), and if the check fails just give a list of the required removals and quit.
-
- Don't die if getsockopt(..., TCP_NODELAY, ...) fails in ssh(1).
+
- Do a better job of finding the proper partition in growfs(8).
+
- Evaluate dependencies earlier in pkg_delete(1), and if the check fails just give a list of the required removals and quit.
+
- Don't die if getsockopt(..., TCP_NODELAY, ...) fails in ssh(1).
-
- In wdc(4), add a pause between a drive reset and an IDENTIFY command, to allow for units that are sick just after a reset.
+
- In wdc(4), add a pause between a drive reset and an IDENTIFY command, to allow for units that are sick just after a reset.
- Don't do ATA mode detection for SATA drives, some drives really don't like it.
-
- Set the skew properly when rescheduling carp(4) advertisements.
-
- Fix an mg(1) startup crash.
-
- Don't schedule a carp(4) advertisement if the interface is on its way down and we run out of mbufs.
-
- Really stop sending advertisements if the carp(4) interface is down.
+
- Set the skew properly when rescheduling carp(4) advertisements.
+
- Fix an mg(1) startup crash.
+
- Don't schedule a carp(4) advertisement if the interface is on its way down and we run out of mbufs.
+
- Really stop sending advertisements if the carp(4) interface is down.
-
- Set the maximum value for sysctl(3) kern.stackgap_random maximum to 256MB.
-
- Remove artificial limit on the number of partitions that may be stretched by growfs(8).
-
- Early support in wi(4) for PRISM 2.5/3 USB adapters. Very limited for now.
-
- Make wdc(4) reset code more like that in FreeBSD and NetBSD, fixing slave device detection when the master behaves strangely.
+
- Set the maximum value for sysctl(3) kern.stackgap_random maximum to 256MB.
+
- Remove artificial limit on the number of partitions that may be stretched by growfs(8).
+
- Early support in wi(4) for PRISM 2.5/3 USB adapters. Very limited for now.
+
- Make wdc(4) reset code more like that in FreeBSD and NetBSD, fixing slave device detection when the master behaves strangely.
-
- Reorganise pf(4) state searches for a 30% memory saving.
+
- Reorganise pf(4) state searches for a 30% memory saving.
- Don't leak mbufs on carp_output() failures.
- Replace a linked list with a hash table for local IP port lookup, dramatically reducing the lookup time (in_pcblookup()) when there are many sockets.
-
- Precompute as much of the carp(4) sha1 hash as possible.
+
- Precompute as much of the carp(4) sha1 hash as possible.
-
- Prevent occasional syslogd(8) hangs on receipt of a SIGHUP with a modified syslog.conf file.
+
- Prevent occasional syslogd(8) hangs on receipt of a SIGHUP with a modified syslog.conf file.
- Remove a few comparisons of an int to NULL.
-
- Do initgroups(3) before chrooting httpd(8) instead of after, since /etc/group may be of use.
-
- Stop the new bpf(4) write filter blocking everything when no filter is set, and so unbreak DHCP.
+
- Do initgroups(3) before chrooting httpd(8) instead of after, since /etc/group may be of use.
+
- Stop the new bpf(4) write filter blocking everything when no filter is set, and so unbreak DHCP.
-
- Only try to remove a dependent package once in pkg_delete(1).
-
- In carp(4), stir in the full inner hash instead of just sizeof(pointer) bytes of it.
+
- Only try to remove a dependent package once in pkg_delete(1).
+
- In carp(4), stir in the full inner hash instead of just sizeof(pointer) bytes of it.
- Finally, stop the long long pause for i386 laptop users with disconnected floppy drives.
-
- Make pkg_info(1) do the right thing with multiple packages sharing a common stem, e.g. multiple responses for 'pkg_info autoconf'.
-
- Allow pkg_delete(1) to work with package name stems. Oh yes.
+
- Make pkg_info(1) do the right thing with multiple packages sharing a common stem, e.g. multiple responses for 'pkg_info autoconf'.
+
- Allow pkg_delete(1) to work with package name stems. Oh yes.
-
- Another missing strdup(3) error check, this time in tn3270(1).
-
- Reduce the amount of logging spamd(8) does by default. The new -v option does verbose logging.
-
- Have privilege-separated syslogd(8) call setgroups when changing dropping privileges, in line with the same change in newly-separated pflogd(8).
+
- Another missing strdup(3) error check, this time in tn3270(1).
+
- Reduce the amount of logging spamd(8) does by default. The new -v option does verbose logging.
+
- Have privilege-separated syslogd(8) call setgroups when changing dropping privileges, in line with the same change in newly-separated pflogd(8).
- Fix a panic when traversing a corrupt msdos filesystem. From NetBSD.
[Applied to stable]
- - Implement privilege separation in pflogd(8). Requires creation of _pflogd user and group.
-
- Add locking and write-filtering to bpf(4), so programs running as non-root can hold bpf descriptors without being able to write whatever they like at the link layer or issue dangerous ioctl(2)s.
-
- Fix dc(1)'s J operator with the new extended comparisons.
-
- Switch carp(4) from keyed sha1 to hmac-sha1.
-
- Implement extended comparison operators in dc(1), to allow for an if ... else construct in bc(1).
-
- Make un-getting a character from a string work the same as from a file in dc(1).
-
- Fix a kqueue(2) file descriptor leak under libpthread.
-
- In libpthread, don't bother resetting O_NONBLOCK on descriptors that are not flagged to survive the imminent execve(2).
+
- Implement privilege separation in pflogd(8). Requires creation of _pflogd user and group.
+
- Add locking and write-filtering to bpf(4), so programs running as non-root can hold bpf descriptors without being able to write whatever they like at the link layer or issue dangerous ioctl(2)s.
+
- Fix dc(1)'s J operator with the new extended comparisons.
+
- Switch carp(4) from keyed sha1 to hmac-sha1.
+
- Implement extended comparison operators in dc(1), to allow for an if ... else construct in bc(1).
+
- Make un-getting a character from a string work the same as from a file in dc(1).
+
- Fix a kqueue(2) file descriptor leak under libpthread.
+
- In libpthread, don't bother resetting O_NONBLOCK on descriptors that are not flagged to survive the imminent execve(2).
-
- Add missing strdup(3) error check in tic(1).
-
- In mg(1), make undo work per-window instead of per-buffer.
+
- Add missing strdup(3) error check in tic(1).
+
- In mg(1), make undo work per-window instead of per-buffer.
- Fix late definition of enum XML_Status in <expat.h>. From expat CVS.
- A huge number of comment spelling fixes all over the tree.
-
- Make ssh(1) choke on too-short GSSAPI OIDs.
+
- Make ssh(1) choke on too-short GSSAPI OIDs.
- Switch over to the new package tools.
-
- In netstart(8), don't try to initialise carp(4) interfaces until after physical interfaces are configured.
-
- Fix an endianness bug in carp(4) sha1 code.
-
- realloc(3) cleanup in ppp(8).
-
- Stop all carp(4) hosts advertising master status when preempt is disabled.
-
- When doing carp(4), only give an error in ifconfig(8) when the user tries to set both of advbase and advskew to zero.
+
- In netstart(8), don't try to initialise carp(4) interfaces until after physical interfaces are configured.
+
- Fix an endianness bug in carp(4) sha1 code.
+
- realloc(3) cleanup in ppp(8).
+
- Stop all carp(4) hosts advertising master status when preempt is disabled.
+
- When doing carp(4), only give an error in ifconfig(8) when the user tries to set both of advbase and advskew to zero.
-
- Correct a missing strdup(3) return value check in nc(1).
-
- Fix numfds==0 case in pthreads-optimised select(2).
-
- Add functions to find package name 'stems' (package names without the version number) and use them in the soon-to-be-enabled new pkg_info(1).
-
- Add direct support in named(8) for SSHFP resource records.
+
- Correct a missing strdup(3) return value check in nc(1).
+
- Fix numfds==0 case in pthreads-optimised select(2).
+
- Add functions to find package name 'stems' (package names without the version number) and use them in the soon-to-be-enabled new pkg_info(1).
+
- Add direct support in named(8) for SSHFP resource records.
-
- Fix bc(1)'s assignment operators (+=, -= etc.)
-
- Add J(jump) and M(mark) operators in dc(1), and use them to implement the continue statement in bc(1).
-
- Fix out-of-bounds reads in make(1), libfreetype and xterm(1).
+
- Fix bc(1)'s assignment operators (+=, -= etc.)
+
- Add J(jump) and M(mark) operators in dc(1), and use them to implement the continue statement in bc(1).
+
- Fix out-of-bounds reads in make(1), libfreetype and xterm(1).
-
- Make the recent vnd(4) numbering change work the way it should.
-
- Enter carp(4), OpenBSD's Common Address Redundancy Protocol for IP high availability and load balancing.
-
- Unbreak httpd(8) SHA1 code on 64-bit architectures.
+
- Make the recent vnd(4) numbering change work the way it should.
+
- Enter carp(4), OpenBSD's Common Address Redundancy Protocol for IP high availability and load balancing.
+
- Unbreak httpd(8) SHA1 code on 64-bit architectures.
- Make sure the inode generation number (obtained using arc4random()) is positive.
-
- pciide(4) DMA reliability fixes. From NetBSD.
+
- pciide(4) DMA reliability fixes. From NetBSD.
-
- strlcpy(3) -> memcpy(3) for non-string buffers in vi(1), along with some extra paranoia.
-
- Check for signals earlier in mountd(8), so they can be handled before we select(2) until a mount request comes in.
+
- strlcpy(3) -> memcpy(3) for non-string buffers in vi(1), along with some extra paranoia.
+
- Check for signals earlier in mountd(8), so they can be handled before we select(2) until a mount request comes in.
- Import new package management tools under src/usr.sbin/pkg_add. Not built by default yet.
- New 'G' malloc.conf option to add a guard page after pagesize-or-larger chunks, and to return less-than-pagesize chunks in random order.
-
- Better SATA support in wdc(4).
-
- Fix faithd(8) args to poll(2).
+
- Better SATA support in wdc(4).
+
- Fix faithd(8) args to poll(2).
- Fix an out-of-bounds read in libcurses.
-
- Have tip(1) return the terminal to a sensible state on fatal errors.
-
- Change malloc(3) so that it aborts the process on any error other than running out of memory. This is different to the 'A' malloc.conf switch that aborts on any error.
+
- Have tip(1) return the terminal to a sensible state on fatal errors.
+
- Change malloc(3) so that it aborts the process on any error other than running out of memory. This is different to the 'A' malloc.conf switch that aborts on any error.
-
- More randomness for temporary directories created by ssh-agent(1) and sshd(8).
-
- Switch on the ssh(1) DNS fingerprint (sshfp) lookup code, previously not build by default. Still needs switched on in the config file.
+
- More randomness for temporary directories created by ssh-agent(1) and sshd(8).
+
- Switch on the ssh(1) DNS fingerprint (sshfp) lookup code, previously not build by default. Still needs switched on in the config file.
- Make e.g. 'MAKEDEV tty08 - tty7f' work.
- Only endian-flip the fragment offset once on IPv6 input.
-
- Do a hardware receive checksum in sk(4) too, working around the fact that sometimes the hardware gets it wrong.
-
- On em(4) devices that support it, offload receive checksum calculation to the hardware. From FreeBSD.
+
- Do a hardware receive checksum in sk(4) too, working around the fact that sometimes the hardware gets it wrong.
+
- On em(4) devices that support it, offload receive checksum calculation to the hardware. From FreeBSD.
- Update timezone files again, this time to tzcode2003d.
-
- Bring bge(4) and brgphy(4) more in line with updates in FreeBSD and NetBSD, both bug fixes and additional device support.
-
- Remember the filename given when using ^X^W in mg(1).
-
- Make shmat(2) under Linux compat work as expected.
-
- Fix a buffer overflow in timedc(8). Found by FreeBSD, fixed differently here.
+
- Bring bge(4) and brgphy(4) more in line with updates in FreeBSD and NetBSD, both bug fixes and additional device support.
+
- Remember the filename given when using ^X^W in mg(1).
+
- Make shmat(2) under Linux compat work as expected.
+
- Fix a buffer overflow in timedc(8). Found by FreeBSD, fixed differently here.
-
- Add division and modulus operator '~' to dc(1).
+
- Add division and modulus operator '~' to dc(1).
- Remove GNU bc and dc from the tree.
- Merge in expat 1.95.6 from XFree86 4.3.99.14.
-
- Search for keys in the ssh(1) agent in reverse order to solve duplicate key problems (OpenSSH bugzilla #684).
-
- ssh(1) option ForwardX11 now has xauth(1) generate untrusted keys by default. Option ForwardX11Trusted restores the old behaviour.
-
- Change vnd(4) major/minor numbering to allow more devices. Requires a MAKEDEV.
+
- Search for keys in the ssh(1) agent in reverse order to solve duplicate key problems (OpenSSH bugzilla #684).
+
- ssh(1) option ForwardX11 now has xauth(1) generate untrusted keys by default. Option ForwardX11Trusted restores the old behaviour.
+
- Change vnd(4) major/minor numbering to allow more devices. Requires a MAKEDEV.
-
- Do nfs-specific 'test -x' stuff in the right order in ksh(1) (PR#3465).
-
- More work on vr(4).
-
- Have the linker generate a warning when using 43compat's getwd(3).
-
- Better calibration code for auich(4). From FreeBSD/NetBSD.
+
- Do nfs-specific 'test -x' stuff in the right order in ksh(1) (PR#3465).
+
- More work on vr(4).
+
- Have the linker generate a warning when using 43compat's getwd(3).
+
- Better calibration code for auich(4). From FreeBSD/NetBSD.
-
- Re-enable the random increment on the return value of uvm_map_hint() (called by uvm_map(9)).
-
- Install a sample config file for sensorsd(8).
-
- Prevent symlink races in systrace(1).
-
- Have GSSAPI default to off in the ssh(1) client as well as the server.
-
- Unbreak pf(4) on 64-bit architectures.
-
- Hack httpd(8) so digest authentication works with IE, Safari, etc. From FreeBSD.
-
- Fix potential signedness bug in fgets(3) (PR#1709).
+
- Re-enable the random increment on the return value of uvm_map_hint() (called by uvm_map(9)).
+
- Install a sample config file for sensorsd(8).
+
- Prevent symlink races in systrace(1).
+
- Have GSSAPI default to off in the ssh(1) client as well as the server.
+
- Unbreak pf(4) on 64-bit architectures.
+
- Hack httpd(8) so digest authentication works with IE, Safari, etc. From FreeBSD.
+
- Fix potential signedness bug in fgets(3) (PR#1709).
- Correct __bounded__ attributes for {MD4,MD5,RMD160,SHA1}DATA functions (PR#3505).
-
- Allow newfs(8) to build small filesystems again by making sure ncyls >= 2.
+ - Allow newfs(8) to build small filesystems again by making sure ncyls >= 2.
[Applied to stable]
- - Plug a memory leak in netstat(1).
-
- Add nfs attribute cache tuning parameters to mount_nfs(8) (Inspired by PR#2567).
-
- Kill a null deref in make(1).
-
- Allow a semicolon to terminate label strings in sed(1), so one-liners with labels can work.
-
- A few string and memory fixes in rup(1).
-
- Stability fixes for vr(4). From FreeBSD.
-
- Add arc4 support to the kernel, and have wi(4) use it instead of rolling its own.
-
- Unbreak sftp(1)'s handling of quotes in pathnames.
+
- Plug a memory leak in netstat(1).
+
- Add nfs attribute cache tuning parameters to mount_nfs(8) (Inspired by PR#2567).
+
- Kill a null deref in make(1).
+
- Allow a semicolon to terminate label strings in sed(1), so one-liners with labels can work.
+
- A few string and memory fixes in rup(1).
+
- Stability fixes for vr(4). From FreeBSD.
+
- Add arc4 support to the kernel, and have wi(4) use it instead of rolling its own.
+
- Unbreak sftp(1)'s handling of quotes in pathnames.
- More propolice fixes and improvements.
-
- Remove httpd(8) addon-breaking newsyslog.conf(5) sample lines.
-
- Install sensorsd(8) by default.
-
- Really really give xfs a poll(2) backend.
-
- Fix a badly broken gcc(1) optimization when calculating structure offsets under certain conditions. See the commit log for details.
-
- Unbreak lge(4) compile.
+
- Remove httpd(8) addon-breaking newsyslog.conf(5) sample lines.
+
- Install sensorsd(8) by default.
+
- Really really give xfs a poll(2) backend.
+
- Fix a badly broken gcc(1) optimization when calculating structure offsets under certain conditions. See the commit log for details.
+
- Unbreak lge(4) compile.
- Update timezone info files to tzcode2003c.
-
- Stop em(4) stripping 802.1q headers from packets in a bridge(4).
-
- Add vlan(4) support to em(4).
-
- Avoid a division-by-zero panic when benchmarking the pchb(4) RNG device.
-
- A couple of read-from-device fixes to an(4). From FreeBSD.
+
- Stop em(4) stripping 802.1q headers from packets in a bridge(4).
+
- Add vlan(4) support to em(4).
+
- Avoid a division-by-zero panic when benchmarking the pchb(4) RNG device.
+
- A couple of read-from-device fixes to an(4). From FreeBSD.
-
- Remove non-free licensed xlock(1) bitmaps.
+
- Remove non-free licensed xlock(1) bitmaps.
- Properly free resources when ffs_mountroot() fails.
-
- Stop isakmpd(8) crashing when the value for LIFE_DURATION is missing.
-
- Back out the new environment variable load in ld.so(1) due to sparc breakage.
+
- Stop isakmpd(8) crashing when the value for LIFE_DURATION is missing.
+
- Back out the new environment variable load in ld.so(1) due to sparc breakage.
- Unbreak the new xfs poll backend.
- Fix a long-standing memory leak in kernel libz (PR#2886). From NetBSD.
-
- Print a more useful error message when a bad port number is given to whois(1).
-
- Fix broken time parsing in kadmin(8) (PR#3292).
+
- Print a more useful error message when a bad port number is given to whois(1).
+
- Fix broken time parsing in kadmin(8) (PR#3292).
-
- Initialise environment variables in ld.so(1) before calling constructors and atexit(3) functions
-
- Have inetd(8) exit if no config file is found.
-
- In sendmail(8) submit.mc/cf, bind the msp to 127.0.0.1 instead of localhost just in case localhost doesn't resolve correctly.
-
- Teach netstat(1) how to deal with KAME embedded scope IDs for -f encap route dumps.
-
- Use arc4random(3) to generate cookies in the XSecurity extension.
-
- Fix a few off-by-ones in gethostbyname(3) and friends.
-
- Allow multiple RCPTs in spamd(8), and stop looping on invalid commands.
-
- Bring in a number of pipe(2) stability fixes from FreeBSD.
+
- Initialise environment variables in ld.so(1) before calling constructors and atexit(3) functions
+
- Have inetd(8) exit if no config file is found.
+
- In sendmail(8) submit.mc/cf, bind the msp to 127.0.0.1 instead of localhost just in case localhost doesn't resolve correctly.
+
- Teach netstat(1) how to deal with KAME embedded scope IDs for -f encap route dumps.
+
- Use arc4random(3) to generate cookies in the XSecurity extension.
+
- Fix a few off-by-ones in gethostbyname(3) and friends.
+
- Allow multiple RCPTs in spamd(8), and stop looping on invalid commands.
+
- Bring in a number of pipe(2) stability fixes from FreeBSD.
-
- Fix httpd(8)'s handling of SSLCertificateChainFile under the chroot.
-
- sshd(8) usage output now dumps the OpenSSL version too.
-
- Don't try to send incomplete IPv4 fragments in the ENOBUFS case. Note that this is a behaviour change from 4.4BSD and applies to output from bridge(4) and pf(4) as well as vanilla IP output.
+
- Fix httpd(8)'s handling of SSLCertificateChainFile under the chroot.
+
- sshd(8) usage output now dumps the OpenSSL version too.
+
- Don't try to send incomplete IPv4 fragments in the ENOBUFS case. Note that this is a behaviour change from 4.4BSD and applies to output from bridge(4) and pf(4) as well as vanilla IP output.
- A couple of endianness fixes when setting the IPv4 output fragment offset.
-
- A couple of minor malloc(3) fixes related to recursive calls and debugging.
+
- A couple of minor malloc(3) fixes related to recursive calls and debugging.
- Clean up IPv6 flowlabel handling.
-
- New IPv6 ID and flowlabel generation code using arc4random(9).
-
- Remove a bad m_cat(9) call when fragmenting outbound IPv6 packets.
-
- Add a missing initialisation in pflog(4) that allowed kernel stack garbage to leak into .pcap files.
-
- Have the libc stack protector code use the kernel __sysctl() call directly instead of using the libc sysctl(3) interface.
-
- Stop reading ~/.signature to pre-fill the Organisation: field in sendbug(1) (PR#3499).
-
- Fixes to event(3) poll code.
-
- Have ftpd(8) listen on both IPv4 and IPv6 ports by default.
-
- Fix an out-of-bounds memory access in kernel compat_ibcs2(8) code.
-
- Add missing check for strdup(3) error in talk(1).
-
- Correct a couple of off-by-ones in banner(1) and ssl(3) (src/ssl/ssl_ciph.c).
+
- New IPv6 ID and flowlabel generation code using arc4random(9).
+
- Remove a bad m_cat(9) call when fragmenting outbound IPv6 packets.
+
- Add a missing initialisation in pflog(4) that allowed kernel stack garbage to leak into .pcap files.
+
- Have the libc stack protector code use the kernel __sysctl() call directly instead of using the libc sysctl(3) interface.
+
- Stop reading ~/.signature to pre-fill the Organisation: field in sendbug(1) (PR#3499).
+
- Fixes to event(3) poll code.
+
- Have ftpd(8) listen on both IPv4 and IPv6 ports by default.
+
- Fix an out-of-bounds memory access in kernel compat_ibcs2(8) code.
+
- Add missing check for strdup(3) error in talk(1).
+
- Correct a couple of off-by-ones in banner(1) and ssl(3) (src/ssl/ssl_ciph.c).
- Fix the code that grows ifindex2ifnet in sys/net/if.c.
-
- Add a stack of missing switch break statements needed after the _dl_errno changes to ld.so(1).
+
- Add a stack of missing switch break statements needed after the _dl_errno changes to ld.so(1).
-
- Teach size(1) how to read ELF objects.
-
- POSIX and interoperability fixes for bc(1) and dc(1),
-
- SECURITY FIX: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH.
+ - Teach size(1) how to read ELF objects.
+
- POSIX and interoperability fixes for bc(1) and dc(1),
+
- SECURITY FIX: The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH.
A source code patch is available.
[Applied to stable]
- - Properly free resources on fxp(4) attach failures.
-
- Some reliability fixes in ahc(4) and siop(4).
-
- Allow sensorsd(8) to daemon(3)ize itself.
-
- Fix an unchecked strdup(3) in getnetgrent(3).
+
- Properly free resources on fxp(4) attach failures.
+
- Some reliability fixes in ahc(4) and siop(4).
+
- Allow sensorsd(8) to daemon(3)ize itself.
+
- Fix an unchecked strdup(3) in getnetgrent(3).
- Fix several kernel networking off-by-ones w.r.t. PRC_NCMDS.
-
- Better error checking for new bc(1) and dc(1).
-
- Make new bc(1) compile on sparc64.
-
- PCI support for hppa through dino(4) bridge driver.
+
- Better error checking for new bc(1) and dc(1).
+
- Make new bc(1) compile on sparc64.
+
- PCI support for hppa through dino(4) bridge driver.
-
- Further realloc(3) cleanup.
-
- Re-engineer the pf(4) ioctl interface to allow near-100% atomicity for 'pfctl -f /etc/pf.conf' commands.
+ - Further realloc(3) cleanup.
+
- Re-engineer the pf(4) ioctl interface to allow near-100% atomicity for 'pfctl -f /etc/pf.conf' commands.
[Applied to stable]
- - Fix bogus getutmp() error check in battlestar(6).
+
- Fix bogus getutmp() error check in battlestar(6).
- Change the xfs backend from select to poll.
-
- Introduce 64-bit byteorder(3) macros.
-
- strdup -> strlcpy in apmd(8), and make sure the socket gets unlinked at exit.
-
- Better malloc(3), realloc(3) and strdup(3) error checks in config(8).
-
- Stop pflogd(8) shouting 'Reopened logfile' at syslog.
-
- Add a number of missing checks for strdup(3) failure.
-
- Add an sscanf(3) bounds check to the neighbour cache file code in ndp(8).
-
- Reorder the pf(4) statistics counter code and fix some miscount bugs.
-
- In isakmpd(8), don't listen on INADDR_ANY if the Listen-on option is specified.
-
- Fix an off-by-one and a bad string bounds length in atc(6).
-
- Don't set sshd(8)'s listen socket to non-blocking mode.
-
- Build the new BSD bc(1) and dc(1) in favour of the GNU versions.
-
- Drop authpf(8)'s 15-character username restriction, it's no longer necessary (PR#3491).
-
- Allocate a buffer large enough to store a full IPX address in ipx_ntoa(3).
-
- Unbreak netstat(1) -i display columns for interfaces with no address.
-
- Stop spamd(8) dying unceremoniously on accept(2) failures.
-
- Make talk(1) retry if accept(2) returns ECONNABORTED (the same as it does for EINTR).
-
- realloc(3) fixes in brconfig(8), dhclient(8), lpd(8), pppd(8) and rwhod(8).
-
- Add a 'recipe' datafile to fortune(6), starting with some barbecue recipes from the hackathon.
-
- Use arc4random(3) instead of srand(3) to generate a more random salt for htpasswd(1).
-
- Start removing unnecessary null checks before doing free(3) on a possibly null pointer.
+
- Introduce 64-bit byteorder(3) macros.
+
- strdup -> strlcpy in apmd(8), and make sure the socket gets unlinked at exit.
+
- Better malloc(3), realloc(3) and strdup(3) error checks in config(8).
+
- Stop pflogd(8) shouting 'Reopened logfile' at syslog.
+
- Add a number of missing checks for strdup(3) failure.
+
- Add an sscanf(3) bounds check to the neighbour cache file code in ndp(8).
+
- Reorder the pf(4) statistics counter code and fix some miscount bugs.
+
- In isakmpd(8), don't listen on INADDR_ANY if the Listen-on option is specified.
+
- Fix an off-by-one and a bad string bounds length in atc(6).
+
- Don't set sshd(8)'s listen socket to non-blocking mode.
+
- Build the new BSD bc(1) and dc(1) in favour of the GNU versions.
+
- Drop authpf(8)'s 15-character username restriction, it's no longer necessary (PR#3491).
+
- Allocate a buffer large enough to store a full IPX address in ipx_ntoa(3).
+
- Unbreak netstat(1) -i display columns for interfaces with no address.
+
- Stop spamd(8) dying unceremoniously on accept(2) failures.
+
- Make talk(1) retry if accept(2) returns ECONNABORTED (the same as it does for EINTR).
+
- realloc(3) fixes in brconfig(8), dhclient(8), lpd(8), pppd(8) and rwhod(8).
+
- Add a 'recipe' datafile to fortune(6), starting with some barbecue recipes from the hackathon.
+
- Use arc4random(3) instead of srand(3) to generate a more random salt for htpasswd(1).
+
- Start removing unnecessary null checks before doing free(3) on a possibly null pointer.
-
- Fix scrambled display when resuming a suspended less(1) process.
-
- Use strlcpy(3) instead of bcopy(3) to avoid overflowing the nodename and netname in an(4).
-
- Fix a couple of off-by-ones in adventure(6).
-
- Fix an out-of-bounds write in the isakmpd(8) privsep monitor code.
-
- Make dlerror(3) clear _dl_errno as expected (PR#3441).
+
- Fix scrambled display when resuming a suspended less(1) process.
+
- Use strlcpy(3) instead of bcopy(3) to avoid overflowing the nodename and netname in an(4).
+
- Fix a couple of off-by-ones in adventure(6).
+
- Fix an out-of-bounds write in the isakmpd(8) privsep monitor code.
+
- Make dlerror(3) clear _dl_errno as expected (PR#3441).
- Correct a couple of off-by-ones in libc.
- Fix overflows in the X font server overflow fix. Sigh.
-
- Add a missing free in cvs(1).
-
- New, BSD-licensed version of bc(1).
-
- Fix an off-by-one in csh(1) (PR#3163).
-
- More realloc(3) fixes.
-
- Fix a bad bounds check that could crash sort(1).
+
- Add a missing free in cvs(1).
+
- New, BSD-licensed version of bc(1).
+
- Fix an off-by-one in csh(1) (PR#3163).
+
- More realloc(3) fixes.
+
- Fix a bad bounds check that could crash sort(1).
-
- More paranoid privsep parent/child communication in syslogd(8).
+
- More paranoid privsep parent/child communication in syslogd(8).
- SECURITY FIX: It is possible for a local user to cause a system panic by flooding it with spoofed ARP requests.
A source code patch is available.
[Applied to stable]
- - A number of realloc(3) fixes (removing instances of the bad idiom described in the manpage) in several programs.
-
- New program sensorsd(8) to monitor hardware sensors as exposed by the hw.sensors sysctl. Not installed yet.
-
- Unbreak tftp(1) put command.
-
- Remove and re-add SHA2 support in isakmpd(8), minus OpenSSL EVP-related fd leaks.
-
- Fix some realloc bugs in pfctl(8) tables code.
+
- A number of realloc(3) fixes (removing instances of the bad idiom described in the manpage) in several programs.
+
- New program sensorsd(8) to monitor hardware sensors as exposed by the hw.sensors sysctl. Not installed yet.
+
- Unbreak tftp(1) put command.
+
- Remove and re-add SHA2 support in isakmpd(8), minus OpenSSL EVP-related fd leaks.
+
- Fix some realloc bugs in pfctl(8) tables code.
- Initial HIFN 7955/7956 crypto accelerator support.
-
- Increase spamd(8) maximum connections from 200 to 800.
+
- Increase spamd(8) maximum connections from 200 to 800.
-
- Install a more complete set of sendmail(8) empty config files under /etc/mail.
+
- Install a more complete set of sendmail(8) empty config files under /etc/mail.
- Throttle 'proc: table is full' messages to once every ten seconds. From NetBSD.
-
- Further improvements to ssh(1)'s fatal exit handling.
-
- Use the much simpler getifaddrs(3) instead of sysctl(3) in rtadvd(8).
-
- Use getaddrinfo(3) for name-to-address resolution in isakmpd(8).
-
- Replace kernel select(2) backends with poll(2) backends. This allows for more complete poll() functionality. From NetBSD.
-
- In mtrace(8) only do mask checks for AF_INET.
-
- Add poll(2) support for event(3).
-
- Fix a few suspect strlcpy(3) calls in ifconfig(8).
+
- Further improvements to ssh(1)'s fatal exit handling.
+
- Use the much simpler getifaddrs(3) instead of sysctl(3) in rtadvd(8).
+
- Use getaddrinfo(3) for name-to-address resolution in isakmpd(8).
+
- Replace kernel select(2) backends with poll(2) backends. This allows for more complete poll() functionality. From NetBSD.
+
- In mtrace(8) only do mask checks for AF_INET.
+
- Add poll(2) support for event(3).
+
- Fix a few suspect strlcpy(3) calls in ifconfig(8).
-
- Allow getopt_long(3) to accept an optional argument separated by whitespace, unlike GNU getopt_long.
-
- Stop tsort(1) reading past the end of its buffer.
-
- Plug a realloc memory leak in mg(1).
-
- Off-by-one fixes in nc(1), pmdb(1), ppp(8), libssl, libpthread and a few in the kernel.
-
- Sync up named(8) with BIND 9.2.2-P3, with support for new zone type 'delegation-only'.
-
- In the new dc(1), make all registers contain zero initially for compatibility.
+
- Allow getopt_long(3) to accept an optional argument separated by whitespace, unlike GNU getopt_long.
+
- Stop tsort(1) reading past the end of its buffer.
+
- Plug a realloc memory leak in mg(1).
+
- Off-by-one fixes in nc(1), pmdb(1), ppp(8), libssl, libpthread and a few in the kernel.
+
- Sync up named(8) with BIND 9.2.2-P3, with support for new zone type 'delegation-only'.
+
- In the new dc(1), make all registers contain zero initially for compatibility.
- Fix, clean up and simplify the installer's handling of yes/no responses from the user.
-
- Use poll(2) instead of select(2) in skey_authenticate(3).
-
- Plug a memory leak in rtadvd(8).
+
- Use poll(2) instead of select(2) in skey_authenticate(3).
+
- Plug a memory leak in rtadvd(8).
- Stop extraneous 'no disk label' warnings in the installer.
-
- Implement hardwareflow (hf) option for tip(1). Off by default.
-
- Fix an out-of-order free() in rpc(3).
-
- Don't leak memory if memory allocation fails in libc rpc(3) code.
+
- Implement hardwareflow (hf) option for tip(1). Off by default.
+
- Fix an out-of-order free() in rpc(3).
+
- Don't leak memory if memory allocation fails in libc rpc(3) code.
-
- Change the ld(1) script to make contructors and destructors in dynamic binaries non-writable.
-
- Completely new BSD-licensed version of dc(1) using the OpenSSL bn(3) routines.
-
- Have scp(1) check for an error code in remote->remote mode.
-
- When chrooting httpd(8), use initgroups(3) so that supplementary group IDs are initialised as well.
-
- Temporarily disable soft interrupts support in usb(4) for stability reasons.
+ - Change the ld(1) script to make contructors and destructors in dynamic binaries non-writable.
+
- Completely new BSD-licensed version of dc(1) using the OpenSSL bn(3) routines.
+
- Have scp(1) check for an error code in remote->remote mode.
+
- When chrooting httpd(8), use initgroups(3) so that supplementary group IDs are initialised as well.
+
- Temporarily disable soft interrupts support in usb(4) for stability reasons.
[Applied to stable]
- - Several abnormal exit handler fixes to ssh(1).
+
- Several abnormal exit handler fixes to ssh(1).
- Better disk device probe on i386.
-
- Correct the signal number validity check in csh(1)'s kill command.
+
- Correct the signal number validity check in csh(1)'s kill command.
-
- Make grep(1)'s binary file test work for gzipped files the same as for other files, testing against isspace(3) as well as isprint(3).
-
- Make sure whois(1) can't zap straight past the beginning of the buffer when removing spaces from line endings.
-
- Stop pfctl(8) checking for a netmask if the address type being examined is a table.
-
- Fix a subtle use-after-free in modload(8).
-
- Some int -> u_int paranoia in ssh(1).
-
- More ssh(1) buffer management fixes (CAN-2003-0682).
+
- Make grep(1)'s binary file test work for gzipped files the same as for other files, testing against isspace(3) as well as isprint(3).
+
- Make sure whois(1) can't zap straight past the beginning of the buffer when removing spaces from line endings.
+
- Stop pfctl(8) checking for a netmask if the address type being examined is a table.
+
- Fix a subtle use-after-free in modload(8).
+
- Some int -> u_int paranoia in ssh(1).
+
- More ssh(1) buffer management fixes (CAN-2003-0682).
- Further EDD detection improvements on i386.
-
- Properly flush the ssh(1) RSA1 public key from memory when its output file cannot be opened (OpenSSH bugzilla #662).
-
- Correct a double-free in the ssh(1) buffer management code (OpenSSH PR#660).
-
- Fix the ssh(1) ConnectTimeout option (OpenSSH PR#656).
+
- Properly flush the ssh(1) RSA1 public key from memory when its output file cannot be opened (OpenSSH bugzilla #662).
+
- Correct a double-free in the ssh(1) buffer management code (OpenSSH PR#660).
+
- Fix the ssh(1) ConnectTimeout option (OpenSSH PR#656).
- On i386, try harder to boot from removable media by allowing for their removal and insertion.
-
- Updated and better-commented openbsd-proto.mc for sendmail(8).
-
- Upgrade sendmail(8) to version 8.12.10. The address parsing security fix went into 3.4 and -stable, but not the full version update.
+
- Updated and better-commented openbsd-proto.mc for sendmail(8).
+
- Upgrade sendmail(8) to version 8.12.10. The address parsing security fix went into 3.4 and -stable, but not the full version update.
- 3.4 -> 3.4-current.
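Review bot: The re-added ld(1) entry still carries the typo "contructors" ("Change the ld(1) script to make contructors and destructors in dynamic binaries non-writable"). Since this change rewrites that line anyway, correct it to "constructors" in the same commit. Two other re-added entries have punctuation slips worth fixing on the same pass: "POSIX and interoperability fixes for bc(1) and dc(1)," ends in a comma, and "Initialise environment variables in ld.so(1) before calling constructors and atexit(3) functions" has no closing period. Each removed entry that can be matched in this part of the hunk comes back with the same wording, so the change looks markup-only. Please say so in the commit message, so that readers tracking the SECURITY FIX entries (the ssl(3) ASN.1 denial of service, the spoofed ARP panic) and the CAN-2003-0682 entry can confirm that no advisory text changed.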