On armv7, make use of u-boot 2015.07's unified wandboard config to provide a miniroot to cover all current wandboard variations.
!
5.6 and 5.7 SECURITY FIX: the patch utility could become desyncronized processing ed(1)-style diffs. A source code patch exists for 5.6 and 5.7.
Prevent substitution commands ("s///") with a newline in the replacement pattern from confusing patch(1) about the state of the ed(1) child process is in.
Turn off POOL_DEBUG for release.
In httpd(8), repair HSTS header output.
--- 125,131 ----
On armv7, make use of u-boot 2015.07's unified wandboard config to provide a miniroot to cover all current wandboard variations.
!
5.6 and 5.7 SECURITY FIX: the patch utility could become desyncronized processing ed(1)-style diffs. A source code patch exists for 5.6 and 5.7.
Prevent substitution commands ("s///") with a newline in the replacement pattern from confusing patch(1) about the state of the ed(1) child process is in.
Turn off POOL_DEBUG for release.
In httpd(8), repair HSTS header output.
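Review bot: the changed patch(1) SECURITY FIX entry carries the misspelling "desyncronized" onto the new side unchanged, and the line after it ends "about the state of the ed(1) child process is in", which does not parse. Since the entry is being touched anyway, suggest "could become desynchronized when processing ed(1)-style diffs" and "about the state the ed(1) child process is in".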
***************
*** 158,165 ****
On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking.
Enforce tame(2) by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set.
!
5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file. A source code patch exists for 5.6 and 5.7. These patches remove the RCS support.
!
5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace. A source code patch exists for 5.6 and 5.7.
In radiusd(8), make the modules priviledge-separated.
In tmux(1), make -q suppress ambiguous option warnings too.
--- 164,171 ----
On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking.
Enforce tame(2) by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set.
!
5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file. A source code patch exists for 5.6 and 5.7. These patches remove the RCS support.
!
5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace. A source code patch exists for 5.6 and 5.7.
In radiusd(8), make the modules priviledge-separated.
In tmux(1), make -q suppress ambiguous option warnings too.
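Review bot: in the second changed entry, "a kernel memory leak could be triggered by an unprivileged user" does not say whether the consequence is memory exhaustion or exposure of kernel memory, which is what an administrator deciding patch priority needs to know; suggest stating the consequence explicitly. The unchanged context also has "priviledge-separated" in the radiusd(8) line and "On mips64" twice in the IPI line, both worth fixing in the same pass.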
***************
*** 435,441 ****
Flense out dead code (Coverity CIDs 21691 and 21698).
In httpd(8), allow the certificate and key to each be almost 16 kB rather than having a combined total of less than 16 kB.
!
5.6 and 5.7 SECURITY FIX: a TCP socket can become confused and not properly cleanup resources. A source code patch exists for 5.6 and 5.7.
On mips64, let alloc_contiguous_pages() round the allocation size to a page boundary, not to a u-area boundary.
!
On sgi, clear the PIC `write request' memory at initialization time. There is apparently a risk of spurious parity errors if we don't.
Store a unique ID, an interface index, rather than a pointer to the receiving interface in the packet header of every mbuf. This will simplify garbage collection of mbufs and limit problems with dangling ifp pointers.
In syslogd(8), implement -F to stay in the foreground.
--- 650,656 ----
On mips64, let alloc_contiguous_pages() round the allocation size to a page boundary, not to a u-area boundary.
!
On sgi, clear the PIC 'write request' memory at initialization time. There is apparently a risk of spurious parity errors if we don't.
Store a unique ID, an interface index, rather than a pointer to the receiving interface in the packet header of every mbuf. This will simplify garbage collection of mbufs and limit problems with dangling ifp pointers.
In syslogd(8), implement -F to stay in the foreground.
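Review bot: the old side of this hunk has a changed entry, "5.6 and 5.7 SECURITY FIX: a TCP socket can become confused and not properly cleanup resources", with no counterpart among the new-side lines shown, and the ranges (435,441 against 650,656) are not offset by 6 the way the neighbouring hunks are (158 to 164, 675 to 681). Please confirm the security entry was not dropped from the page. If it stays, "cleanup" as a verb should be "clean up". The only visible text change, the opening quote of 'write request' in the sgi line going from a backtick to an apostrophe, looks fine.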
***************
*** 675,682 ****
In pppd(8), use memmove() for potentially overlapping regions.
5.6 and 5.7 SECURITY FIX: several defects from OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792). For more information, see the OpenSSL advisory. A source code patch exists for 5.6 and 5.7.
!
5.6 and 5.7 SECURITY FIX: multiple reliability issues in smtpd. A source code patch exists for 5.6 and 5.7.
In libiberty, prevent an integer overflow leading to a heap-buffer overflow (CVE-2012-3509).
In LibreSSL:
--- 681,688 ----
In pppd(8), use memmove() for potentially overlapping regions.
5.6 and 5.7 SECURITY FIX: several defects from OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1792). For more information, see the OpenSSL advisory. A source code patch exists for 5.6 and 5.7.
!
5.6 and 5.7 SECURITY FIX: multiple reliability issues in smtpd. A source code patch exists for 5.6 and 5.7.
In libiberty, prevent an integer overflow leading to a heap-buffer overflow (CVE-2012-3509).
In LibreSSL:
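Review bot: the changed entry writes "multiple reliability issues in smtpd" without the manual section, while the other smtpd entries in this diff use "smtpd(8)"; suggest "smtpd(8)" here for consistency. "Reliability issues" is also vague for a SECURITY FIX line; a short statement of the impact (for example whether a remote peer can crash the daemon) would help readers triage.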
***************
*** 748,754 ****
On sparc, override PIE range constants with a variable which is decided at runtime, in order to only enable PIE on sun4m which has a large enough address space.
In the lazy binding routine, make sure we actually allocate the stack we need, instead of corrupting the caller's stack by mistake. This fixes segfaults in __powerpc_read_tcb() reported on earlier G3 systems.
In relayd(8), fix a memory leak in an error path.
--- 754,760 ----
On sparc, override PIE range constants with a variable which is decided at runtime, in order to only enable PIE on sun4m which has a large enough address space.
In the lazy binding routine, make sure we actually allocate the stack we need, instead of corrupting the caller's stack by mistake. This fixes segfaults in __powerpc_read_tcb() reported on earlier G3 systems.
Enable secureplt by default on alpha.
!
Allow gcc(1) to produce more precise relocation information on alpha. This will be necessary to enable secureplt by default.
Switch m88k ports to binutils 2.17.
In relayd(8), fix a memory leak in an error path.
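Review bot: on the new side, the changed gcc(1) entry says "This will be necessary to enable secureplt by default" while the entry directly above it already reads "Enable secureplt by default on alpha", so the two lines look contradictory when read together. Suggest wording the gcc(1) sentence as a prerequisite for the entry above it and naming alpha there as well, so the relationship between the two changes is explicit.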
***************
*** 992,1000 ****
In sshd(8), prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods.
Pass fflag to VOP_POLL so vfs fifo functions can get at the file flags to check FREAD/FWRITE if needed.
Avoid a NULL dereference in fd_getfile_mode().
!
5.6 and 5.7 SECURITY FIX: a remote user can crash httpd(8). A source code patch exists for 5.6 and 5.7.
!
5.6 and 5.7 SECURITY FIX: malformed binaries could trigger kernel panics or view kernel memory A source code patch exists for 5.6 and 5.7.
!
5.6 and 5.7 SECURITY FIX: multiple issues in cpio(1)/pax(1)/tar(1). A source code patch exists for 5.6 and 5.7.
Don't add a separate .got.plt section as it would result in a partially writable GOT. ld.so(1) will properly write-protect the single .got.
In ix(4), set the correct media type for 1000baseLX SFPs.
--- 998,1006 ----
In sshd(8), prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods.
Pass fflag to VOP_POLL so vfs fifo functions can get at the file flags to check FREAD/FWRITE if needed.
Avoid a NULL dereference in fd_getfile_mode().
!
5.6 and 5.7 SECURITY FIX: a remote user can crash httpd(8). A source code patch exists for 5.6 and 5.7.
!
5.6 and 5.7 SECURITY FIX: malformed binaries could trigger kernel panics or view kernel memory A source code patch exists for 5.6 and 5.7.
!
5.6 and 5.7 SECURITY FIX: multiple issues in cpio(1)/pax(1)/tar(1). A source code patch exists for 5.6 and 5.7.
Don't add a separate .got.plt section as it would result in a partially writable GOT. ld.so(1) will properly write-protect the single .got.
In ix(4), set the correct media type for 1000baseLX SFPs.
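Review bot: the second changed entry, "malformed binaries could trigger kernel panics or view kernel memory A source code patch exists for 5.6 and 5.7.", is missing the period after "memory" on both sides. The sentence also makes the binary the subject of "view kernel memory"; suggest something like "malformed binaries could trigger kernel panics or allow kernel memory to be read."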
***************
*** 1134,1140 ****
Rewrite of tmux mouse support which was a mess.
Honour renumber-windows when unlinking a window.
!
5.5, 5.6 and 5.7 SECURITY FIX: logic error in smtpd(8) handling of SNI. A source patch is available for 5.5, 5.6 and 5.7.
Fix incorrect logic in smtpd(8) that could lead to unexpected client disconnect, invalid certificate in SNI negotiation or server crash.
Add support for x2apic mode. This is currently only enabled on hypervisors.
In mandoc(1), if an explicit line break request (.br or .sp) occurs within an .HP block, the next line doesn't hang, but is simply indented.
--- 1140,1146 ----
Rewrite of tmux mouse support which was a mess.
Honour renumber-windows when unlinking a window.
!
5.5, 5.6 and 5.7 SECURITY FIX: logic error in smtpd(8) handling of SNI. A source patch is available for 5.5, 5.6 and 5.7.
Fix incorrect logic in smtpd(8) that could lead to unexpected client disconnect, invalid certificate in SNI negotiation or server crash.
Add support for x2apic mode. This is currently only enabled on hypervisors.
In mandoc(1), if an explicit line break request (.br or .sp) occurs within an .HP block, the next line doesn't hang, but is simply indented.
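Review bot: the changed SECURITY FIX entry only says "logic error in smtpd(8) handling of SNI", while the actual impact (unexpected client disconnect, invalid certificate in SNI negotiation, server crash) is stated in the separate line that follows; suggest merging the two so the security entry carries the impact. The entry also uses "A source patch is available" where most other entries in this diff use "A source code patch exists"; pick one wording.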
***************
*** 1380,1387 ****
Fix a memory leak in an error path in LibreSSL (from OpenSSL commit 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f).
5.6 and 5.7 SECURITY FIX: several crash causing defects in OpenSSL (CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288 and CVE-2015-0289). A source code patch is available for 5.6 and 5.7.
!
5.5 SECURITY FIX: two possible crash causing defects in OpenSSL (CVE-2015-0286 and CVE-2015-0292). A source code patch is available for 5.5.
Fix CVE-2015-0209, CVE-2015-0286, CVE-2015-0287 and CVE-2015-0289 in LibreSSL.
Deal with half-configured control pipes in dwc2, using the same workaround as in ehci(4) and ohci(4).
--- 1386,1393 ----
Fix a memory leak in an error path in LibreSSL (from OpenSSL commit 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f).
5.6 and 5.7 SECURITY FIX: several crash causing defects in OpenSSL (CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288 and CVE-2015-0289). A source code patch is available for 5.6 and 5.7.
!
5.5 SECURITY FIX: two possible crash causing defects in OpenSSL (CVE-2015-0286 and CVE-2015-0292). A source code patch is available for 5.5.
Fix CVE-2015-0209, CVE-2015-0286, CVE-2015-0287 and CVE-2015-0289 in LibreSSL.
Deal with half-configured control pipes in dwc2, using the same workaround as in ehci(4) and ohci(4).
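Review bot: the LibreSSL line after the changed 5.5 entry lists CVE-2015-0209, CVE-2015-0286, CVE-2015-0287 and CVE-2015-0289, but omits CVE-2015-0288 from the 5.6 and 5.7 entry above and CVE-2015-0292 from the 5.5 entry. If LibreSSL is not affected by those two, a short "not affected" remark would stop readers assuming they were missed. "crash causing" should also be hyphenated in both SECURITY FIX entries.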
***************
*** 1395,1401 ****
Reenable the pa1.1 fallback code for sha256 on hppa.
"Handle" wccp2 packets if net.inet.gre.wccp is set to 2 by truncating skipping the wccp 2 header.
!
5.5, 5.6 and 5.7 SECURITY FIX: buffer overflows in libXfont (CVE-2015-1802, CVE-2015-1803 and CVE-2015-1804). A source code patch is available for 5.5, 5.6 and 5.7.
Update to libXfont 1.5.1 which contains fixes for CVE-2015-1802, CVE-2015-1803 and CVE-2015-1804.
Fix swap auto-allocation in disklabel(8) for machines with very little memory.
Replace sort(1) with the implementation from FreeBSD.
--- 1401,1407 ----
Reenable the pa1.1 fallback code for sha256 on hppa.
"Handle" wccp2 packets if net.inet.gre.wccp is set to 2 by truncating skipping the wccp 2 header.
!
5.5, 5.6 and 5.7 SECURITY FIX: buffer overflows in libXfont (CVE-2015-1802, CVE-2015-1803 and CVE-2015-1804). A source code patch is available for 5.5, 5.6 and 5.7.
Update to libXfont 1.5.1 which contains fixes for CVE-2015-1802, CVE-2015-1803 and CVE-2015-1804.
Fix swap auto-allocation in disklabel(8) for machines with very little memory.
Replace sort(1) with the implementation from FreeBSD.
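Review bot: the wccp2 context line just above the changed libXfont entry reads "by truncating skipping the wccp 2 header", which has two verbs run together and spells the protocol both "wccp2" and "wccp 2" in one sentence. Suggest fixing it in the same pass, keeping whichever verb was meant ("by skipping the wccp2 header"). The libXfont entry itself and its CVE list match the follow-up line.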
***************
*** 1470,1476 ****
Correct buffer overflow in handling of pax extension headers, caught by the memcpy() overlap check.