SECURITY FIX: Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled.
+
SECURITY FIX: Eilko Bos reported that radius authentication, as implemented by login_radius(8), was not checking the shared secret used for replies sent by the radius server. This could allow an attacker to spoof a reply granting access to the attacker. Note that OpenBSD does not ship with radius authentication enabled. A source code patch is available.
- [Applied to stable]
+ [Applied to stable]
-
Bail out of newfs(8) on errors when making very small filesystems.
+
Bail out of newfs(8) on errors when making very small filesystems.
Move MIPS to 64-bit.
-
Fix copyout(9) of pf(4) anchors with relative paths and wildcards.
-
Track the peer count correctly in bgpd(8) and ntpd(8), fixing memory corruption in both.
-
SECURITY FIX: httpd(8)'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array, causing a DoS or possibly buffer overflows. This would require enabling dbm for mod_rewrite and making use of a malicious dbm file.
+
SECURITY FIX: httpd(8)'s mod_rewrite module can be made to write one zero byte in an arbitrary memory position outside of a char array, causing a DoS or possibly buffer overflows. This would require enabling dbm for mod_rewrite and making use of a malicious dbm file. A source code patch is available.
- [Applied to stable]
-
Stop the mixer resetting emu(4)'s volume to very very loud.
+
Stop the mixer resetting emu(4)'s volume to very very loud.
Make sure kernfs_xread() isn't called with a negative offset.
-
SECURITY FIX: Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688). Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice.
+
SECURITY FIX: Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688). Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice. A source code patch is available.
- [Applied to stable]
+ [Applied to stable]
-
Stop non-MASTER carp(4) hosts replying to ARP requests, as this upsets some layer 3 switches.
+
Stop non-MASTER carp(4) hosts replying to ARP requests, as this upsets some layer 3 switches.
-
Stop login(1) treating the 'bar' in username foo.bar as a Kerberos instance, that's a krb4 syntax we no longer use.
+
Stop login(1) treating the 'bar' in username foo.bar as a Kerberos instance, that's a krb4 syntax we no longer use.
Fix fd passing problems with S/Key on sparc*.
-
Don't do DNS lookups when reading ntpd(8)'s config, save them for later.
-
In ntpd(8), don't log transient network errors from sendto(2).
-
Show the difference between the expected and received IP checksum in tcpdump(8).
-
Now that tcpdump(8) decodes the IP fragment returned in an ICMP error message, allow the TCP parser to print the source and destination ports from incomplete TCP headers.
-
When tcpdump(8) receives an ICMP error and -vv is in effect, also dump the IP packet embedded in the error message. Based on tcpdump.org.
-
Show the difference between the expected and received IP checksum in tcpdump(8).
+
Now that tcpdump(8) decodes the IP fragment returned in an ICMP error message, allow the TCP parser to print the source and destination ports from incomplete TCP headers.
+
When tcpdump(8) receives an ICMP error and -vv is in effect, also dump the IP packet embedded in the error message. Based on tcpdump.org.
+
When saving a file, have mg(1) check if it's null terminated and prompt the user to add it if desired.
-
Rework ntpd(8)'s DNS handling to better deal with responses containing multiple addresses. Two keywords, 'server' and 'servers', with different semantics.
-
When saving a file, have mg(1) check if it's null terminated and prompt the user to add it if desired.
+
Rework ntpd(8)'s DNS handling to better deal with responses containing multiple addresses. Two keywords, 'server' and 'servers', with different semantics.
+
Fix a systrace(1) problem where argv[0] would be normalised and so break scripts that depend on the original path.
-
Stop logging ntpd(8) responses with bad cookies, so attackers can't spam the log files. Back off logging in general.
-
Don't listen by default in ntpd(8). New 'listen on' directive must be used instead.
-
Allow for multiple IP addresses associated with hostnames listed in ntpd.conf(5).
-
Add a 'trustlevel' for ntpd(8) peers, using the peer's timely network responses to judge its worthiness to affect the clock offset, and to set how often queries are sent.
+
Fix a systrace(1) problem where argv[0] would be normalised and so break scripts that depend on the original path.
+
Stop logging ntpd(8) responses with bad cookies, so attackers can't spam the log files. Back off logging in general.
+
Don't listen by default in ntpd(8). New 'listen on' directive must be used instead.
+
Allow for multiple IP addresses associated with hostnames listed in ntpd.conf(5).
+
Add a 'trustlevel' for ntpd(8) peers, using the peer's timely network responses to judge its worthiness to affect the clock offset, and to set how often queries are sent.
-
Keep track of historical offset and delay values in ntpd(8), for later use in filtering.
-
RELIABILITY FIX: Under certain network load the kernel can run out of stack space. This was encountered in an environment using CARP on a VLAN interface. this issue initially manifested itself as an FPU-related crash on bootup.
+
Keep track of historical offset and delay values in ntpd(8), for later use in filtering.
+
RELIABILITY FIX: Under certain network load the kernel can run out of stack space. This was encountered in an environment using CARP on a VLAN interface. this issue initially manifested itself as an FPU-related crash on bootup. A source code patch is available.
- [Applied to stable]
-
Fix a segfault in routed(8) with rtquery(8) messages from a non-local host (PR#3841).
-
Fix ntpd(8)'s conversion from seconds to microseconds.
-
Don't queue hotplug(4) events if there's no hotplugd(8) running. When the last listening daemon exits, flush pending events.
-
Keep track of the device and inode of objects loaded by ld.so(1), so that it's no longer possible to have the same object loaded from two different locations.
+ [Applied to stable]
+
Fix a segfault in routed(8) with rtquery(8) messages from a non-local host (PR#3841).
+
Fix ntpd(8)'s conversion from seconds to microseconds.
+
Don't queue hotplug(4) events if there's no hotplugd(8) running. When the last listening daemon exits, flush pending events.
+
Keep track of the device and inode of objects loaded by ld.so(1), so that it's no longer possible to have the same object loaded from two different locations.
-
Die nicely if dhclient(8) can't read its config file.
-
Allow shared library revision numbers to be overridden for libOSMesa, libXRes, libxkbfile and libkbui.
-
Remove interface name verification code from pfctl(8), so that once again a rule referring to a non-existent interface simply never fires. This has the handy side-effect of allowing pfctl to be run as non-root again.
-
Remove interface name verification code from pfctl(8), so that once again a rule referring to a non-existent interface simply never fires. This has the handy side-effect of allowing pfctl to be run as non-root again.
+
More narrowing down of isakmpd(8)'s privsep interface.
After switching most of the device drivers to use generic ether_crc32_be(), add a table-driven implementation of this function. From FreeBSD PR#49957.
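Review bot: In the added RELIABILITY FIX entry about the kernel running out of stack space, the third sentence starts in lower case ("this issue initially manifested itself as an FPU-related crash on bootup."). Since the entry is being rewritten anyway to append "A source code patch is available.", capitalise it to "This issue initially manifested itself ...".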
-
Don't allow nanosleep(2) called with a zero timeout to sleep indefinitely, sleep for at least 1/hz seconds.
-
Add a no-emulation CD boot sector, based on a FreeBSD implementation.
-
Only ignore dhclient(8)-generated RTM_DELADDR messages for a five-second window after process startup, so that new instances of dhclient (started outside this window) cause the older instance to die like before.
-
Teach mkhybrid(8) how to create an El Torito no-emulation boot CD (for i386), with a 2048-byte boot sector.
+
Only ignore dhclient(8)-generated RTM_DELADDR messages for a five-second window after process startup, so that new instances of dhclient (started outside this window) cause the older instance to die like before.
+
Teach mkhybrid(8) how to create an El Torito no-emulation boot CD (for i386), with a 2048-byte boot sector.
Import the generic IEEE 802.11 framework from FreeBSD and NetBSD.
-
Have isakmpd(8) drop IKE messages arriving on port 500 after the NAT-T exchange has switched to port 4500.
-
Allow a bgpd(8) template peer with unknown AS to be an IBGP peer, instead of always being an EBGP peer.
-
Allow the IKE parser in tcpdump(8) to recognise a NAT-T payload.
-
Teach tcpdump(8)'s IKE parser about NAT-T keepalive packets.
-
In bgpd(8), don't reallocate the pollfd array every time the size changes because there's a risk that realloc(3) can fail. Reallocate only when there's a large potential saving.
-
Fix bogus 'panic: cylinder group too big' message from newfs(8).
-
Don't exit dhclient(8) on receipt of an RTM_DELADDR routing message, as this sometimes be generated by the dhclient itself. Instead, exit on RTM_NEWADDR iff an IP address is set that doesn't correspond to our lease. Not a perfect solution.
-
More sftp(1)ls(1) emulation: Don't show .dotfiles unless -a is specified.
-
Handle interface resets gracefully in dhclient(8).
-
Do more retries on st(4) devices to allow the tape drive to recover after a reset.
+
Add a new 'filter drop' flag to bpf(4), so that an interface may be notified that a packet matches a filter and should be dropped.
+
Have isakmpd(8) drop IKE messages arriving on port 500 after the NAT-T exchange has switched to port 4500.
+
Allow a bgpd(8) template peer with unknown AS to be an IBGP peer, instead of always being an EBGP peer.
+
Allow the IKE parser in tcpdump(8) to recognise a NAT-T payload.
+
Teach tcpdump(8)'s IKE parser about NAT-T keepalive packets.
+
In bgpd(8), don't reallocate the pollfd array every time the size changes because there's a risk that realloc(3) can fail. Reallocate only when there's a large potential saving.
+
Fix bogus 'panic: cylinder group too big' message from newfs(8).
+
Don't exit dhclient(8) on receipt of an RTM_DELADDR routing message, as this sometimes be generated by the dhclient itself. Instead, exit on RTM_NEWADDR iff an IP address is set that doesn't correspond to our lease. Not a perfect solution.
+
More sftp(1)ls(1) emulation: Don't show .dotfiles unless -a is specified.
+
Handle interface resets gracefully in dhclient(8).
+
Do more retries on st(4) devices to allow the tape drive to recover after a reset.
New xetc installation fileset, for all X configuration files installed under /etc.
Keep separate, 1-second resolution counters for walltime and uptime, and have code that only needs 1-second resolution use those instead of the microsecond counters.
Clean up properly on in_ifinit() failure.
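Review bot: The re-added dhclient(8) entry still reads "as this sometimes be generated by the dhclient itself", which is missing a verb. Suggest "as this can sometimes be generated by dhclient itself" so the reason for ignoring RTM_DELADDR is unambiguous.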
-
Turn isakmpd(8) NAT-T support on. The crowd goes wild.
-
Implement NAT-T keepalive messages in isakmpd(8).
-
Check that UDP encapsulation is enabled (sysctl(8) net.inet.esp.udpencap) before allowing encapsulated SAs to be created in the kernel.
-
Add bounds-check gcc(1) attributes to libkern strl*() functions, and to strncpy().
-
Implement ls(1)-compatible sorting for sftp(1)'s ls command.
-
Unbreak patch(1) when using standard diffs (i.e. no context).
-
Allow the user to interrupt the setup of a multiplexed ssh(1) connection (if, for example, the master gets wedged) by deferring signal setup until the connection is established.
-
Merge adjacent hunks in diff(1), making the output more like that from GNU diff.
-
Unbreak patch(1) when using standard diffs (i.e. no context).
+
Allow the user to interrupt the setup of a multiplexed ssh(1) connection (if, for example, the master gets wedged) by deferring signal setup until the connection is established.
+
Merge adjacent hunks in diff(1), making the output more like that from GNU diff.
+
Be more careful in isakmpd(8) when evaluating the return code from X509_verify_cert(3).
Add much of the NTP client functionality to ntpd(8).
-
Abort rdate(8) on calloc(3) failure, warnx(3)ing and carrying on is just postponing the inevitable.
-
Add an option (ControlMaster=ask) to require confimation via ssh-askpass(1) before allowing a multiplexed ssh(1) connection.
-
Support environment variable passing over multiplexed ssh(1) connections.
+
Abort rdate(8) on calloc(3) failure, warnx(3)ing and carrying on is just postponing the inevitable.
+
Add an option (ControlMaster=ask) to require confimation via ssh-askpass(1) before allowing a multiplexed ssh(1) connection.
+
Support environment variable passing over multiplexed ssh(1) connections.
Back out the recent IPv6 multicast change so that mandatory groups get joined, but achieve the same result by testing for a new host address before adding the multicast entries.
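Review bot: The added ControlMaster=ask entry carries over the misspelling "confimation"; it should read "confirmation via ssh-askpass(1)". This entry documents a user-facing ssh(1) option, so it is worth fixing while the line is being touched.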
-
Add '-n' option to last(1) to do the same job as -number in a less ugly way.
+
Add '-n' option to last(1) to do the same job as -number in a less ugly way.
Make <netinet/if_ether.h> safe for inclusion in C++ code.
-
Fix a bad dereference leading to a memory leak in isakmpd(8).
-
Fix a pasto in isakmpd(8)'s message decoder when printing IPv6 address/mask pairs.
+
Fix a bad dereference leading to a memory leak in isakmpd(8).
+
Fix a pasto in isakmpd(8)'s message decoder when printing IPv6 address/mask pairs.
Unbreak the IN6_LOOKUP_MULTI() macro definition.
Add support for new crypto functions on upcoming VIA C3 processors.
Build X on cats systems.
-
Fix a null deref crash in route(8)'s show command.
+
Fix a null deref crash in route(8)'s show command.
Don't add multiple multicast filter entries for a single IPv6 multicast address.
-
Remove the old pf(4) BEGIN*, COMMIT* and ROLLBACK* ioctls.
-
Use the newer pf(4) BEGIN and COMMIT ioctls in authpf(8).
-
Set the relay session id properly for outgoing pppoe(8) packets.
-
Teach patch(1) to detect already-applied diffs when the diff creates a file, or adds to an empty file.
-
In du(1), use a hash table instead of a linear list to keep track of multiply-linked files.
-
After going to the trouble of pulling the tcp6 options into a contiguous region with IP6_EXTHDR_GET, use the returned pointer instead of doing mtod() again.
-
Implement client-side session multiplexing (see ssh_config(5) options ControlMaster and ControlPath) for ssh(1), scp(1) and sftp(1). The server has supported this for some time.
-
Add diffie-hellman-group14-sha1 KEX method support to ssh(1).
+
Just quit rather than panic in cy(4) if interrupts can't be established for PCI.
+
Implement client-side session multiplexing (see ssh_config(5) options ControlMaster and ControlPath) for ssh(1), scp(1) and sftp(1). The server has supported this for some time.
+
Add diffie-hellman-group14-sha1 KEX method support to ssh(1).
-
Don't leak a softc when detaching a carp(4) cloned interface.
+
SECURITY FIX: Multiple vulnerabilities have been found in httpd(8) / mod_ssl. This is the second of two sets of fixes.
CAN-2004-0488: Stack-based buffer overflow ... in mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow attackers to execute arbitrary code via a client certificate with a long subject DN.
CAN-2004-0492: [mod_proxy] Reject responses from a remote server if sent an invalid (negative) Content-Length: header.
SECURITY FIX: As disclosed by Thomas Walpuski, isakmpd(8) is still vulnerable to unauthorized SA deletion. An attacker can delete IPsec tunnels at will.
+ [Applied to stable]
+
Add src/lib/libintl and libc i18n directories to the repository.
First merge of SMP code into the trunk, mainly structures to allow gradual introduction of the new APIs.
Fix IPv4 name-to-address translation, so invalid octet values won't be accepted and CIDR address/mask pairs finally work the way one expects.
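Review bot: The added httpd(8) / mod_ssl SECURITY FIX entry and the isakmpd(8) SA-deletion entry that follows it do not end with "A source code patch is available.", unlike the other SECURITY FIX entries this diff touches (login_radius(8), mod_rewrite, Xpm, cvs(1)). If patches exist for these, add the sentence for consistency. The httpd entry also says "This is the second of two sets of fixes." without pointing at the first set, so a cross-reference would help readers confirm they have both.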
-
In tcpdump(8)'s privsep localtime(3) replacement, deal better with timezones with granularity of less than one hour.
-
SECURITY FIX: Multiple remote vulnerabilities have been found in the cvs(1) server that will allow an attacker to crash the server or possibly execute arbitrary code with the same privileges as the CVS server program.
+
In tcpdump(8)'s privsep localtime(3) replacement, deal better with timezones with granularity of less than one hour.
+
SECURITY FIX: Multiple remote vulnerabilities have been found in the cvs(1) server that will allow an attacker to crash the server or possibly execute arbitrary code with the same privileges as the CVS server program. A source code patch is available.
On i386 (ppro and above), use the calibrated value for the CPU speed over the value returned by the CPU itself, fixing PR#3814.
-
Use a dynamically allocated array of pollfds in bgpd(8).
-
Try to prevent isakmpd(8) deleting SAs on receipt of malicious IKE messages.
-
Allow cron(8) to accept crontabs with more strict permissions than is the default.
-
New General Purpose I/O device gpio(4). Only enabled on i386 for now.
-
New '!!<prog>' syntax for syslogd(8), used to force messages from the named program to only go to certain files regardless of the rest of syslog.conf.
-
Update file(1)'s magic to that from file version 4.09, with a few local changes and additions.
+
Allow cron(8) to accept crontabs with more strict permissions than is the default.
+
New General Purpose I/O device gpio(4). Only enabled on i386 for now.
+
New '!!<prog>' syntax for syslogd(8), used to force messages from the named program to only go to certain files regardless of the rest of syslog.conf.
+
Update file(1)'s magic to that from file version 4.09, with a few local changes and additions.
-
Use the old _nointr pool(9) allocator for pf(4) tables.
-
Rearrange the pool(9) allocator code so the old allocation method can be used again.
-
Use the quirks mechanism to fix wdc(4) hangs on Geode SC1100 devices (PR#3729).
-
Mark nullfs memory as M_MISCFSMNT instead of M_UFSMNT.
Swing hppa to gcc3, and enable shared library support.
-
Unbreak xterm(1) jump-scrolling on big-endian 64-bit systems.
+
Unbreak xterm(1) jump-scrolling on big-endian 64-bit systems.
Remove a somewhat useless current-process privilege check in the IPv6 input path. Based on KAME.
-
Compatibility fixes for some sk(4) devices (PR#3061). Workaround from FreeBSD.
+
Compatibility fixes for some sk(4) devices (PR#3061). Workaround from FreeBSD.
-
Initialise the carp(4) interface structure before use.
+
Initialise the carp(4) interface structure before use.
Don't advertise an absurd TCP receive window on 64-bit architectures. From NetBSD.
Some Single UNIX Specification updates in <limits.h>.
-
Better error handling for rm(1)'s -P option. From FreeBSD.
+
Better error handling for rm(1)'s -P option. From FreeBSD.
First cut at a home-grown NTP daemon. Not built by default yet.
-
Remove ugly string code in bpf(4), used when no unit number was given to BIOCSETIF.
+
Remove ugly string code in bpf(4), used when no unit number was given to BIOCSETIF.
Fix a long-standing KAME pasto that was breaking SIOC[DG]LIFADDR.
Remove a bunch of redundant errno declarations.
Use generic crc32 code instead of local efforts in many Ethernet devices.
-
Sync xl(4) with FreeBSD, bringing in a lot of bug fixes and improvements.
-
Check the NTP server clock status returned to rdate(8) and don't use the response if the server thinks its clock is unsynchronised.
-
In uvm_map_clean() (called by msync(2) and madvise(2)), only free writable pages, and don't free copy-on-write pages because the permissions aren't known.
- [Applied to stable]
-
Only call getprotobynumber(3) from ppp(8) when the logging level is high enough to need the result. From FreeBSD.
-
Some Emacs compatibility tweaks to binutils. Use the classic executable start addresses if ld(1) option -Z (disable W^X) is active.
+
Sync xl(4) with FreeBSD, bringing in a lot of bug fixes and improvements.
+
Check the NTP server clock status returned to rdate(8) and don't use the response if the server thinks its clock is unsynchronised.
+
In uvm_map_clean() (called by msync(2) and madvise(2)), only free writable pages, and don't free copy-on-write pages because the permissions aren't known.
+ [Applied to stable]
+
Only call getprotobynumber(3) from ppp(8) when the logging level is high enough to need the result. From FreeBSD.
+
Some Emacs compatibility tweaks to binutils. Use the classic executable start addresses if ld(1) option -Z (disable W^X) is active.
New hotplug(4) device to pass device attach and detach events up to userland. Available for alpha, amd64, i386, macppc and sparc64, only enabled on i386 for now.
-
Use generic CRC code, remove bogus LLADDR use and handle multicast ranges better in nge(4) and sf(4).
+
New hotplug(4) device to pass device attach and detach events up to userland. Available for alpha, amd64, i386, macppc and sparc64, only enabled on i386 for now.
+
Use generic CRC code, remove bogus LLADDR use and handle multicast ranges better in nge(4) and sf(4).
-
Call ld.so(1) contructors after setting up the debugger, similar to recent destructor changes.
-
In cu(1)/tip(1), if one process dies then kill the other ourselves.
-
In rdate(8) NTP mode, send a 64-bit random number as the 'current time' field, which the server copies back in its response. This avoids sending out the current system time, and makes it slightly harder for an attacker to send spoof replies on behalf of the real server.
-
Call ld.so(1) contructors after setting up the debugger, similar to recent destructor changes.
+
In cu(1)/tip(1), if one process dies then kill the other ourselves.
+
In rdate(8) NTP mode, send a 64-bit random number as the 'current time' field, which the server copies back in its response. This avoids sending out the current system time, and makes it slightly harder for an attacker to send spoof replies on behalf of the real server.
+
Include the hostname in syslogd(8) memory-buffered entries.
-
Since the per-arch _dl_bcopy() in ld.so(1) is in all cases a simple for loop and not painstakingly optimised assembler, just use a single machine-independent version.
-
Allow ld.so(1) _dl_find_symbol() to return a pointer to the container object.
-
Handle interface removals gracefully in dhcpd(8), now that poll(2) wakes it up on interface detach.
-
Wake up any poll(2)ing process when a bpf(4) descriptor is closed.
-
If a bpf(4)-monitored interface is detached, send any buffered packets up to userland.
-
Since ULLONG_MAX+1 == 0 mod ULLONG_MAX+1, let the carp(4) sc_counter wrap around all by itself.
+
Include the hostname in syslogd(8) memory-buffered entries.
+
Since the per-arch _dl_bcopy() in ld.so(1) is in all cases a simple for loop and not painstakingly optimised assembler, just use a single machine-independent version.
+
Allow ld.so(1) _dl_find_symbol() to return a pointer to the container object.
+
Handle interface removals gracefully in dhcpd(8), now that poll(2) wakes it up on interface detach.
+
Wake up any poll(2)ing process when a bpf(4) descriptor is closed.
+
If a bpf(4)-monitored interface is detached, send any buffered packets up to userland.
+
SECURITY FIX: With the introduction of IPv6 code in xdm(1), one test on the 'requestPort' resource was deleted by accident. This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See XFree86 bugzilla for details.
+
SECURITY FIX: With the introduction of IPv6 code in xdm(1), one test on the 'requestPort' resource was deleted by accident. This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See XFree86 bugzilla for details. A source code patch is available.
- [Applied to stable]
-
Start work on adding the ahd(4) Adaptec PCI/PCI-X Ultra320 SCSI driver from FreeBSD.
Enable the fancy new i386 pagezero code by not resetting it to its old value after setting it up.
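Review bot: The added ld.so(1) entry keeps the misspelling "contructors" ("Call ld.so(1) contructors after setting up the debugger"). Please correct it to "constructors" on the added line.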
-
Allow anchors within anchors in pf(4). More work to come.
+
Allow anchors within anchors in pf(4). More work to come.
Don't recursively call nd6_output() when route allocation fails, just return a host unreachable error.
-
SECURITY FIX: A heap overflow in the cvs(1) server has been discovered that can be exploited by clients sending malformed requests. These clients can then run arbitrary code with the same privileges as the CVS server program.
+
SECURITY FIX: A heap overflow in the cvs(1) server has been discovered that can be exploited by clients sending malformed requests. These clients can then run arbitrary code with the same privileges as the CVS server program. A source code patch is available.
- [Applied to stable]
-
Allow symbolic service- and protocol names in isakmpd(8), so e.g. "Protocol=tcp" now works.
-
SECURITY FIX: A flaw in the Kerberos V kdc(8) server could result in the administrator of a Kerberos realm having the ability to impersonate any principal in any other realm which has established a cross-realm trust with their realm. The flaw is due to inadequate checking of the "transited" field in a Kerberos request. For more details see Heimdal's announcement.
+ [Applied to stable]
+
Allow symbolic service- and protocol names in isakmpd(8), so e.g. "Protocol=tcp" now works.
+
SECURITY FIX: A flaw in the Kerberos V kdc(8) server could result in the administrator of a Kerberos realm having the ability to impersonate any principal in any other realm which has established a cross-realm trust with their realm. The flaw is due to inadequate checking of the "transited" field in a Kerberos request. For more details see Heimdal's announcement. A source code patch is available.
- [Applied to stable]
-
Add word boundary tests to the regexes that find @-commands in pkg_add(1) etc. packing lists.
-
Remove the now-unused dhclient(8) pidfile stuff from /etc/rc(8).
-
Add a separate link type, DLT_PPP_ETHER, for pppoe(8) frames. From NetBSD.
-
Don't skip the graceful shutdown of carp(4) just because the system is being powered down.
-
When carp(4) backs off because of physical interface problems, advertise this fact immediately instead of waiting for the next scheduled announcement.
+
Remove the now-unused dhclient(8) pidfile stuff from /etc/rc(8).
+
Add a separate link type, DLT_PPP_ETHER, for pppoe(8) frames. From NetBSD.
+
Don't skip the graceful shutdown of carp(4) just because the system is being powered down.
+
When carp(4) backs off because of physical interface problems, advertise this fact immediately instead of waiting for the next scheduled announcement.
-
Add a workaround in ppp(8) for the recent multipath routing changes.
-
Fix a two-byte buffer overflow when printing sockaddr structs of unknown type in route(8).
-
Correct error output for bad limit modifiers in csh(1).
+
Add a workaround in ppp(8) for the recent multipath routing changes.
+
Fix a two-byte buffer overflow when printing sockaddr structs of unknown type in route(8).
+
Correct error output for bad limit modifiers in csh(1).
Fix a reference-counting bug in fifofs that could cause certain non-blocking FIFO users (e.g. qmail) to consume 100% CPU.
- [Applied to stable]
-
Interpret ipsecadm(8) cpi and spi parameters as hex even if not preceded by '0x'.
-
Don't print the sendmail(8) version if the helpfile is missing.
-
Build sendmail(8) with -D_FFR_QUEUERETURN_DSN, allowing faster expiration of spam bounces.
-
Unbreak checksum generation when using pf(4) scrub random-id.
-
Change pf(4) routing loop detection so that visiting a packet more than four times is an error, instead of more than once.
- [Applied to stable]
-
Don't abort lint(1) because a child process fails, just move onto the next file.
+
Don't print the sendmail(8) version if the helpfile is missing.
+
Build sendmail(8) with -D_FFR_QUEUERETURN_DSN, allowing faster expiration of spam bounces.
+
Unbreak checksum generation when using pf(4) scrub random-id.
+
Change pf(4) routing loop detection so that visiting a packet more than four times is an error, instead of more than once.
+ [Applied to stable]
+
Don't abort lint(1) because a child process fails, just move onto the next file.
When doing user mounts, inherit the MNT_NOEXEC flag from the mount point. This stops users bypassing noexec by null-mounting the filesystem on top of itself.
-
Filter and lock rbootd(8)'s bpf(4) descriptor before dropping privileges.
-
When a pf(4) scrub rule with the 'reassemble tcp' option is in effect, use RFC1913 PAWS as a means of extending the TCP sequence space by 10 to 18 bits. This makes blind insertion attacks much more difficult, because the timestamp needs to be guessed as well as the TCP sequence number.
-
When a pf(4) scrub rule with the 'reassemble tcp' option is in effect, use RFC1913 PAWS as a means of extending the TCP sequence space by 10 to 18 bits. This makes blind insertion attacks much more difficult, because the timestamp needs to be guessed as well as the TCP sequence number.
+
Teach nm(1) about ELF .plt*, .got*, .init and .fini sections.
The TCP-specific route metrics are rarely used, so use a trimmed down version in the kernel (struct rt_kmetrics) and fake up a full-fat struct rt_metrics on demand for userland compatility.
Apply bridge filter rules to frames destined for the local machine, so a single-interface bridge can do filtering and tagging.
-
Make carp(4) sensitive to its physical interface: If the physical interface drops, so does the carp interface; and have all other carp interfaces back off (i.e. don't preempt, and set high advskew) so this host is unlikely to stay as master.
-
Make carp(4) sensitive to its physical interface: If the physical interface drops, so does the carp interface; and have all other carp interfaces back off (i.e. don't preempt, and set high advskew) so this host is unlikely to stay as master.
+
Break an infinite recursion between tcp_output() and tcp_mtudisc() when the TCP MSS gets to be larger then the interface MTU. Connections will still stall, however.
Allow TCP MSS below the failsafe 216 iff the interface MTU is less than 256.
-
Back out (for now) the em(4) buffer allocation increase (though not the deferred allocation) as it breaks older cards.
-
Allow cron(8) to send mail to logins containing an underscore character.
-
Add direct support in bgpd(8) for ipsec(4) between peers. Manual keying only for now.
-
Much stricter checking of bpf(4) code, preventing arbitrary reads and writes of kernel memory.
- [Applied to stable]
-
Allocate more buffers for em(4) cards, but defer that allocation until ifconfig(8) up and remove it on interface shutdown.
-
Fix route(8)'s display of the gateway when set using an explicit -gateway modifier.
-
When IF_INPUT_ENQUEUE() queues an mbuf(9) with a cluster, check to see if the data in the cluster will fit into the mbuf and if so, copy the data and deallocate the cluster.
-
For fxp(4) and sis(4), permanently allocate only the minimum number of buffers. Allocate and deallocate receive buffers when ifconfig(8) brings the interface up and down respectively.
-
Bandwidth checking fixes in altq(9). Now a bandwidth of zero is allowed, producing a blackhole queue for CBQ and a realtime-only queue for HFSC.
-
Add some htonl(3) paranoia around arc4random(9) calls in pf(4), so that biases in the PRNG won't leak the firewall's byte order.
-
Back out (for now) the em(4) buffer allocation increase (though not the deferred allocation) as it breaks older cards.
+
Allow cron(8) to send mail to logins containing an underscore character.
+
Add direct support in bgpd(8) for ipsec(4) between peers. Manual keying only for now.
+
Much stricter checking of bpf(4) code, preventing arbitrary reads and writes of kernel memory.
+ [Applied to stable]
+
Allocate more buffers for em(4) cards, but defer that allocation until ifconfig(8) up and remove it on interface shutdown.
+
Fix route(8)'s display of the gateway when set using an explicit -gateway modifier.
+
When IF_INPUT_ENQUEUE() queues an mbuf(9) with a cluster, check to see if the data in the cluster will fit into the mbuf and if so, copy the data and deallocate the cluster.
+
For fxp(4) and sis(4), permanently allocate only the minimum number of buffers. Allocate and deallocate receive buffers when ifconfig(8) brings the interface up and down respectively.
+
Bandwidth checking fixes in altq(9). Now a bandwidth of zero is allowed, producing a blackhole queue for CBQ and a realtime-only queue for HFSC.
+
Add some htonl(3) paranoia around arc4random(9) calls in pf(4), so that biases in the PRNG won't leak the firewall's byte order.
+
Add 'neighbor cloning' to bgpd(8), allowing a configuration to be specified for a network/prefixlength pair as well as the peer IP address. The configuration is cloned for each new peer in the given address range.
-
Add tcpdrop sysctl(3), allowing a userland program terminate a TCP connection.
-
Add 'neighbor cloning' to bgpd(8), allowing a configuration to be specified for a network/prefixlength pair as well as the peer IP address. The configuration is cloned for each new peer in the given address range.
+
Add tcpdrop sysctl(3), allowing a userland program terminate a TCP connection.
+
Fix a missing return statement in bgpd(8)'s control connection error path.
Add multipath support to the radix tree, allowing multiple routes to a single destination (though it won't actually get you anywhere just yet). From KAME.
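Review bot: the entry "Back out (for now) the em(4) buffer allocation increase ..." is marked removed twice in this block and is never re-added, while every other entry removed alongside it (cron(8), bgpd(8) ipsec, bpf(4), the em(4) allocation, route(8), IF_INPUT_ENQUEUE(), fxp(4)/sis(4), altq(9), htonl(3)) comes back on the added side. If the second occurrence was meant to be an addition, its marker is wrong; as it stands the page keeps "Allocate more buffers for em(4) cards" without the note that the increase was backed out. In the re-added tcpdrop line, "allowing a userland program terminate" is also missing "to".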
-
Send pfsync(4) packets for IPv6 protocols other than TCP, UDP and ICMP.
+
Send pfsync(4) packets for IPv6 protocols other than TCP, UDP and ICMP.
Sync kernel radix tree code with 4.4BSD-Lite2 via NetBSD.
-
Don't add a PF_GENERATED tag to pf(4) synproxy generated packets for the second handshake, so they can match rules (and create state) on another interface.
+
Don't add a PF_GENERATED tag to pf(4) synproxy generated packets for the second handshake, so they can match rules (and create state) on another interface.
-
Add a 'probability' modifier for pf(4) rules, setting the likelihood with which a rule will trigger.
-
Some additional TCP option length paranoia in pf(4)'s normaliser.
+
Have netstat(1) display the new tcps.rcvacktooold statistic counter.
+
Sync <tree.h> with Niels Provos' version to get rid of a compiler warning for RB_NEXT(3).
-
Port the gcc2 bounds checking support to gcc3, enabled with -Wbounded (see gcc-local(1)).
+
Port the gcc2 bounds checking support to gcc3, enabled with -Wbounded (see gcc-local(1)).
Add some CMSG_ macros to get proper alignment in portalfs. From NetBSD.
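Review bot: the entries "Add a 'probability' modifier for pf(4) rules ..." and "Some additional TCP option length paranoia in pf(4)'s normaliser" are removed here with no matching added line; the added side gains the netstat(1) tcps.rcvacktooold and <tree.h> entries instead. If the two pf(4) entries are only being moved, their destination is not in this block, so please confirm they are not being lost.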
-
In isakmpd(8), make sure the KEY_LENGTH attribute is present when checking AES proposals as this is required when acting as responder to SafeNet peers.
-
Don't display rubbish on the first output line from vmstat(8), wait for the stats to stabilise.
+
In isakmpd(8), make sure the KEY_LENGTH attribute is present when checking AES proposals as this is required when acting as responder to SafeNet peers.
+
Don't display rubbish on the first output line from vmstat(8), wait for the stats to stabilise.
Fix the calculation of a raw IPv6 UDP packet's checksum.
-
For dhcpd(8)'s ping probes, just use the pid for the ICMP id like ping(8) does, instead of some architecture-dependent wierdness.
+
For dhcpd(8)'s ping probes, just use the pid for the ICMP id like ping(8) does, instead of some architecture-dependent wierdness.
Merge in new Omron LUNA port (luna88k), based on OpenBSD/mvme88k, NetBSD/luna68k and CMU Mach.
-
As with dhcrelay(8), set a write filter and lock the bpf(4) descriptor before privilege drop in dhcpd(8).
+
As with dhcrelay(8), set a write filter and lock the bpf(4) descriptor before privilege drop in dhcpd(8).
-
Change pw_copy(3) to take the old entry as an additional parameter, allowing both a change of username and a check that the file hasn't changed since it was last read (fixes PR#3698). Adapted from FreeBSD.
-
Set a write filter and lock dhcrelay(8)'s bpf(4) file descriptor before dropping privileges.
-
Drop the port-changing options in dhcrelay(8) too, always use standard ports.
+
Change pw_copy(3) to take the old entry as an additional parameter, allowing both a change of username and a check that the file hasn't changed since it was last read (fixes PR#3698). Adapted from FreeBSD.
+
Set a write filter and lock dhcrelay(8)'s bpf(4) file descriptor before dropping privileges.
+
Drop the port-changing options in dhcrelay(8) too, always use standard ports.
New TCP stat counter tcps.rcvacktooold, counts the number of times we drop very old ACK packets when the sequence number isn't exactly right.
Set the km_page allocator's low watermark to a value that allows the system to boot.
-
Remove the -p (listen port) option of new dhcpd(8).
Bump the default kern.maxclusters to a value high enough to deter all but the most determined tweakers.
-
Remove the GATEWAY config(8) option now that both IP forwarding and mbuf cluster allocation are configurable using sysctl(3).
-
Introduce a new sysctl(3) kern.maxclusters controlling (oddly enough) the maximum number of mbuf clusters. This deprecates the much-abused NMBCLUSTERS config(8) option.
+
Remove the GATEWAY config(8) option now that both IP forwarding and mbuf cluster allocation are configurable using sysctl(3).
+
Introduce a new sysctl(3) kern.maxclusters controlling (oddly enough) the maximum number of mbuf clusters. This deprecates the much-abused NMBCLUSTERS config(8) option.
Use the km_page allocator as the backend for the mbuf and mbuf cluster pools.
-
New km_page pool(9) allocator running in an interrupt-safe kernel thread (kmthread).
+
New km_page pool(9) allocator running in an interrupt-safe kernel thread (kmthread).
Resource starvation checks for sockets:
-
Check the level of mbuf(9) cluster utilisation when doing an accepting a listen socket, and fail if usage is greater than 95% of the hard limit.
-
New API sbcheckreserve() returns ENOBUFS if more than 50% of mbuf(9) clusters are in use
-
Use sbcheckreserve() when accepting a connection, and on setsockopt(2) for SO_SNDBUF and SND_RCVBUF, and allocate minimal buffers in low-memory situations.
+
Check the level of mbuf(9) cluster utilisation when doing an accepting a listen socket, and fail if usage is greater than 95% of the hard limit.
+
New API sbcheckreserve() returns ENOBUFS if more than 50% of mbuf(9) clusters are in use
+
Use sbcheckreserve() when accepting a connection, and on setsockopt(2) for SO_SNDBUF and SND_RCVBUF, and allocate minimal buffers in low-memory situations.
Stop propolice tripping an assert in gcc3.
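Review bot: the three socket resource-starvation entries are re-added unchanged, so their wording problems carry over: "when doing an accepting a listen socket" is garbled, the sbcheckreserve() line has no closing full stop, and "SND_RCVBUF" is not a setsockopt(2) option name (the receive-buffer option is SO_RCVBUF). These are worth fixing while the lines are being touched.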
-
Make spamd(8) display an error if it can't open the /var/db/spamd database for writing, and return a proper error code.
-
Cure the angst in user(8) caused by the non-existence of the /nonexistent directory.
-
Correct new dhcpd(8)'s handling of very long lease times (PR#2888).
-
Fix a propolice bug in gcc(1) and unbreak MySQL (mysql bug id 1442).
+
Make spamd(8) display an error if it can't open the /var/db/spamd database for writing, and return a proper error code.
+
Cure the angst in user(8) caused by the non-existence of the /nonexistent directory.
+
Correct new dhcpd(8)'s handling of very long lease times (PR#2888).
+
Fix a propolice bug in gcc(1) and unbreak MySQL (mysql bug id 1442).
-
Have ssh(1) perform strict permission checks on ~/.ssh/config files and abort unless they're correct.
-
If kernel ipsec(4) and/or ipcomp(4) processing is disabled by sysctl(3), pass any packets through as raw IP to give userland a chance to handle them.
-
Tidy up usb(4) kernel configs in line with recent i386 changes.
-
RELIABILITY FIX: Restore the ability to negotiate tags/wide/sync with some SCSI controllers (siop(4), trm(4) and iha(4)).
+
Have ssh(1) perform strict permission checks on ~/.ssh/config files and abort unless they're correct.
+
If kernel ipsec(4) and/or ipcomp(4) processing is disabled by sysctl(3), pass any packets through as raw IP to give userland a chance to handle them.
+
Since dhcpd(8) can now be invoked legitimately without an interface, don't abort when the user doesn't give any options.
+ [Applied to stable]
+
Since dhcpd(8) can now be invoked legitimately without an interface, don't abort when the user doesn't give any options.
New _tftpd user and group.
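Review bot: the entry "Since dhcpd(8) can now be invoked legitimately without an interface ..." is added twice, once on either side of an added "[Applied to stable]" marker, and it is not clear which entry that marker belongs to. In the same block the usb(4) kernel config entry and "RELIABILITY FIX: Restore the ability to negotiate tags/wide/sync ..." are removed without being re-added; a reliability fix should not drop out of the log silently, so please check both.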
-
Make sure m_pullup2(9) copies the M_CLUSTER flag when it creates a new mbuf (PR#3740).
-
Have pf(4) block unconditionally when the input queue congestion flag is set, instead of doing CPU-intensive rule tests.
+
Make sure m_pullup2(9) copies the M_CLUSTER flag when it creates a new mbuf (PR#3740).
+
Have pf(4) block unconditionally when the input queue congestion flag is set, instead of doing CPU-intensive rule tests.
If an interface input queue becomes full, set a new congestion flag in the queue structure. Since a full queue usually indicates processing overload, this flag can be used to allow other subsystems to cooperate in easing the situation.
-
Make netstat(1) show the number of mbuf clusters in use rather than the number of pages.
+
Make netstat(1) show the number of mbuf clusters in use rather than the number of pages.
Fix a ufs directory-related panic (PR#3672). Fix from FreeBSD.
- [Applied to stable]
-
Have the cvs(1) server check for attempts by a client to walk up the directory tree illegally.
-
Undo a non-fix in shared memory sysctl(3) kern.shminfo.shmmni.
- [Applied to stable]
-SECURITY FIX: Pathname validation problems have been found in cvs(1), allowing malicious clients to create files outside the repository, allowing malicious servers to overwrite files outside the local CVS tree on the client and allowing clients to check out files outside the CVS repository.
+ [Applied to stable]
+
Have the cvs(1) server check for attempts by a client to walk up the directory tree illegally.
+
Undo a non-fix in shared memory sysctl(3) kern.shminfo.shmmni.
+ [Applied to stable]
+SECURITY FIX: Pathname validation problems have been found in cvs(1), allowing malicious clients to create files outside the repository, allowing malicious servers to overwrite files outside the local CVS tree on the client and allowing clients to check out files outside the CVS repository. A source code patch is available.
- [Applied to stable]
-
Let bgpctl(8) show IPv6 peer addresses in neighbour view.
-
Now that dhcpd(8) doesn't need to continuously reopen the leases file for writing, have it chroot(2) to /var/empty and drop privileges after starting up.
-
Only open the dhcpd(8) leases file once instead of every time it needs to be written.
-
Set up new dhcpd(8)'s bpf(4) listen filter for the right port.
-
Have mopd(8) do a chroot(2) to /var/empty and drop its privileges.
-
Stop another instance of syslogd(8) from unlinking a socket that's in use.
+
Now that dhcpd(8) doesn't need to continuously reopen the leases file for writing, have it chroot(2) to /var/empty and drop privileges after starting up.
+
Only open the dhcpd(8) leases file once instead of every time it needs to be written.
+
Set up new dhcpd(8)'s bpf(4) listen filter for the right port.
+
Have mopd(8) do a chroot(2) to /var/empty and drop its privileges.
+
Change snprintf(3)'s handling with size==0, in line with a vsnprintf(3) change (rev. 1.5) from years ago.
+
Change snprintf(3)'s handling with size==0, in line with a vsnprintf(3) change (rev. 1.5) from years ago.
Fix a segmentation fault in Xlib when a .Xauthority file contains IPv6 XDM-AUTHORIZATION-1 data (NetBSD PR xsrc/25098).
Rearrange the GENERIC config file so clonable interfaces are together, and without the now-unnecessary device count.
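Review bot: after the rewritten cvs(1) SECURITY FIX entry (now ending "A source code patch is available.") the "[Applied to stable]" marker is removed and not re-added, so the entry no longer records that the fix went to stable. Please confirm that is intended. The snprintf(3) size==0 entry is also added twice, and the bgpctl(8) IPv6 neighbour view and syslogd(8) socket-unlink entries are removed with no added counterpart.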
-
When libpthread is poll(2)ing for read- or writability of an fd on behalf of a thread, check the ERR, HUP and NVAL flags as well as the read or write flags.
-
Sync uudecode(1) with FreeBSD, including base64 support.
-
Stop a number of network interfaces moaning about a failed mbuf(9) allocations, the complaint uses mbufs and just makes things worse.
-
Pass SIGINT and SIGQUIT through to syslogd(8)'s privsep child.
-
Move the pf(4) altq, OS fingerprint and table pool(9)s from the default (interrupt context) kmem allocator to the much-larger nointr allocator.
-
If newsyslog.conf(5) doesn't list a user or group, create new files with the uid or gid from the existing file.
-
Force cvs(1) to use the libc getopt(3) implementation instead of its own.
-
Have pfctl(8) check that the file it's trying to open isn't really a directory.
+
When libpthread is poll(2)ing for read- or writability of an fd on behalf of a thread, check the ERR, HUP and NVAL flags as well as the read or write flags.
+
Sync uudecode(1) with FreeBSD, including base64 support.
+
Stop a number of network interfaces moaning about a failed mbuf(9) allocations, the complaint uses mbufs and just makes things worse.
+
Pass SIGINT and SIGQUIT through to syslogd(8)'s privsep child.
+
Move the pf(4) altq, OS fingerprint and table pool(9)s from the default (interrupt context) kmem allocator to the much-larger nointr allocator.
+
If newsyslog.conf(5) doesn't list a user or group, create new files with the uid or gid from the existing file.
+
Force cvs(1) to use the libc getopt(3) implementation instead of its own.
+
Have pfctl(8) check that the file it's trying to open isn't really a directory.
-
Use a more efficient realloc(3) size when displaying long lines in less(1). Speeds things up when, for example, your system crashes in the middle of a build leaving a pile of linefeedless binary crap in the typescript file.
-
After going to the trouble of saving errno before it gets overwritten, use the saved value in pflogd(8)'s error output.
-
Don't try to close invalid file descriptors in the tcpdump(8) privsep code.
-
Have isakmpd(8) set the timezone before privsep so the child has the right zone settings.
-
Within dhclient(8)'s new lease file naming scheme, allow for the -l filename override.
+
Use a more efficient realloc(3) size when displaying long lines in less(1). Speeds things up when, for example, your system crashes in the middle of a build leaving a pile of linefeedless binary crap in the typescript file.
+
After going to the trouble of saving errno before it gets overwritten, use the saved value in pflogd(8)'s error output.
+
Don't try to close invalid file descriptors in the tcpdump(8) privsep code.
+
Have isakmpd(8) set the timezone before privsep so the child has the right zone settings.
+
Within dhclient(8)'s new lease file naming scheme, allow for the -l filename override.
On sparc and sparc64, don't compare a RAMDISK kernel's root filesystem time with the system time, they're unlikely to have much in common.
-
Zero out the key data pointer for unknown isakmpd(8) key types.
+
Zero out the key data pointer for unknown isakmpd(8) key types.
Merge in Perl 5.8.3 and OpenSSL 0.9.7d. No lame new licenses for a change.
-
Now that dhclient(8) needs an instance per interface, having a single lease file won't do so use /var/db/dhclient.leases.<ifname>.
-
Make sure the list dereference when deleting all SAs in isakmpd(8) comes before the delete operation that free(3)s the list node.
-
Change wskbd(4)'s AltGr key handling so shift-altgr-other has the same effect as altgr-shift-other.
-
Never allow pf(4) states propogated via pfsync(4) to overwrite newer states held locally. If an overwrite is attempted, broadcast the newer version to the network to speed resynchronisation.
-
Under Linux emulation, pass madvise(2) straight through to the native syscall.
+
Change wskbd(4)'s AltGr key handling so shift-altgr-other has the same effect as altgr-shift-other.
+
Never allow pf(4) states propogated via pfsync(4) to overwrite newer states held locally. If an overwrite is attempted, broadcast the newer version to the network to speed resynchronisation.
+
Under Linux emulation, pass madvise(2) straight through to the native syscall.
-
RELIABILITY FIX: Reply to in-window SYN with a rate-limited ACK.
+
Better bounds checking in the ramdisk's strategy() routine.
-
Limit the trust between local and remote instances of the rcp(1) and scp(1) programs.
-
Change netstat(1)'s -p option so that, when used without -s, it shows a list of sockets for the given protocol.
-
Let rcmdsh(3) work on hosts without an IPv4 address.
-
Initialise the kqueue(2) subsystem in kernel main() instead of on first use.
+
Limit the trust between local and remote instances of the rcp(1) and scp(1) programs.
+
Change netstat(1)'s -p option so that, when used without -s, it shows a list of sockets for the given protocol.
+
Let rcmdsh(3) work on hosts without an IPv4 address.
+
Initialise the kqueue(2) subsystem in kernel main() instead of on first use.
-
Add IPv6 support to openssl(1)'s s_client command, complete with the usual '-4' and '-6' switches.
-
Reorder checks in ssh(1) so that the IP options check isn't skipped just because UseDNS=no.
+
Add IPv6 support to openssl(1)'s s_client command, complete with the usual '-4' and '-6' switches.
+
Reorder checks in ssh(1) so that the IP options check isn't skipped just because UseDNS=no.
Make /usr/src/Makefile's cross-tools target work again.
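Review bot: three entries are removed in this block with no added counterpart: the dhclient(8) per-interface lease file entry, the isakmpd(8) fix that moves the list dereference ahead of the delete that free(3)s the node, and "RELIABILITY FIX: Reply to in-window SYN with a rate-limited ACK". The dhclient(8) "-l filename override" entry that is kept refers to the "new lease file naming scheme", which only the removed entry describes. Separately, the re-added pfsync(4) line still spells "propogated"; it should be "propagated".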
-
Have inetd(8) properly use the exec'd program's basename as argv[0] if no arguments are specified.
-
Fix includes search order in GNU ld(1) to help cross-ld builds.
-
Don't byte-swap a variable we'll need later in its original order in GNU ld(1).
+
Have inetd(8) properly use the exec'd program's basename as argv[0] if no arguments are specified.
+
Fix includes search order in GNU ld(1) to help cross-ld builds.
+
Don't byte-swap a variable we'll need later in its original order in GNU ld(1).
On an msdos filesystem with long filenames support enabled, fix some false-positive name matches when an integer multiple of 13 characters match. From NetBSD.
-