=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus58.html,v retrieving revision 1.5 retrieving revision 1.6 diff -c -r1.5 -r1.6 *** www/plus58.html 2015/08/09 18:57:31 1.5 --- www/plus58.html 2015/09/01 22:29:36 1.6 *************** *** 75,80 **** --- 75,495 ----

On armv7, make use of u-boot 2015.07's unified wandboard config to provide a miniroot to cover all current wandboard variations. +
5.6 and 5.7 SECURITY FIX: the patch utility could become desyncronized processing ed(1)-style diffs.
A source code patch exists for 5.6 and 5.7. +
Prevent substitution commands ("s///") with a newline in the replacement pattern from confusing patch(1) about the state of the ed(1) child process is in. +
Turn off POOL_DEBUG for release. +
In httpd(8), repair HSTS header output. +
Fix pty permissions in sshd(8). +
In the installer, make "without-password" the default answer to the "Allow root ssh login?" question. +
Change the sshd_config(5) PermitRootLogin default to "without-password". +
In ksh(1), fix the baskslash-escaped codes ("\nnn") usage in PS1. + +
Allow ssh_config(5) and sshd_config(5) kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. +
In envy(4), properly recover when interrupts are blocked for too long. This fixes permanent distortion on MP systems. +
In relayd(8), fix a bug where other than the last of multiple forward rules in http protocols would be ignored. +
Add linker warnings in case SSLv3_{,client,server}_method are referenced. +
On macppc, powerpc and socppc, do not save the status register and restore it for machine check exceptions. +
Revert r1.289 of src/sys/dev/acpi/acpi.c (respect the access size when reading or writing to pci config space). It is locking up suspend or boot on some laptops. +
Disable tame(2) with ENOSYS for upcoming release cycle. +
Acquire the kernel lock in pmap_remove(). The reasons for this can't be stated as the committer has been asked to be polite in his commit message. +
In azalia(4), rework the buffer position reporting code. + +
Build r300g and r600g on macppc and sparc64. +
Make the Gallium r300 works on big-endian architectures. +
In case the system misses enough audio interrupts for DMA pointers to wrap, recover by detecting and compensating for the missed interrupts. This fixes certain audio hangs on MP machines. +
In libsndio and audioctl(1), use the new AUDIO_GETPOS ioctl instead of AUDIO_GETxOFFS and AUDIO_xERROR. +
Add the AUDIO_GETPOS ioctl to fetch a snapshot of the 4 counters returned by AUDIO_GETxOFFS and AUDIO_xERROR ioctls. +
In mandoc(1), remove the hack of scrolling forward and backward with +G1G. Instead, when using a pager, use another temporary file for the formatted page(s). +
For unix domain sequenced packet socket pairs, don't report an EMSGSIZE error when the sent message was not too large. +
In doas(1), fix keepenv handling. +
In pkg_add(1), make -B cope with bad checksums. +
Implement pf(4) divert-reply for raw sockets. +
Do not link an ICMP6 socket to the pf state. +
In httpd(8), add HSTS to fcgi responses. + +
Add ktracing of structs iovec, msghdr, and cmsghdr for {,p}{read,write}v(), sendmsg(), and recvmsg(). +
In gcc(1), implement support for __builtin_complex() to construct complex values. This is required by the upcoming libm work. +
In disktab(5) on i386, fix geometry of rdroot entry. +
Rather than disabling tame(2) to coredump, leave it enabled but flag that a coredump is happening. This improves behaviour while threaded. +
On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking. +
In sshd(8), permit kbind(2) use in the sandbox. +
Enforce tame(2) by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set. +
5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file.
A source code patch exists for 5.6 and 5.7. These patches remove the RCS support. +
5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace.
A source code patch exists for 5.6 and 5.7. +
In radiusd(8), make the modules priviledge-separated. +
In tmux(1), make -q suppress ambiguous option warnings too. + +
In doas(1): +
- Implement command matching without execution. +
- Don't exit when the command line is too long to log. +
+
In patch(1), remove support for automatically checking files out of RCS. This may cause patch to be tricked into running arbitrary shell code with a specially crafted diff. +
In disktab(5) on amd64, fix ba# attribute in rdroot entry. +
Update to terminfo 20150725. + +
On alpha, ensure pci_intr_map() will perform proper interrupt swizzling for devices behind a bridge, if the SRM didn't pick an interrupt line for them. +
On alpha, adapt the way the vga(4) textmode is obtained in order to support the Alphabook 1. +
Add basic support for tag priorities to mandoc(1) + +
In libsndio, fix an arithmetic mistake causing errors when there are more xruns on the record side than on the play side. +
In sndiod(8), clear watchdog timer when device is closed. This fixes a use-after-free in error code paths when the device is closed before the audio is stopped. +
Improve syntax error reporting for doas.conf(5). + +
Prevent a use-after-free in bnx(4). +
In pkg_add(1), change the expansion of %m and %c in installpath to the snapshots folder during -beta. +
Revert attempted GPT code cleanup. +
In httpd(8), escape the " character in the authentication realm. +
Make npppd(8) use libradius. + +
Disable GPT support. It appears to create broken spoofed labels for empty disks. +
Implement quoting support in doas.conf(5). +
In tail(1), fix a memory leak when -r is used with anything but regular files. + +
Slam signal handlers harder in tame(2). +
Plug a memory leak in execve(2) with systrace(4). +
Generate new moduli for ssh. +
In security(8), don't risk blocking when reading untrusted user files and for additional safety against race attacks, make sure they are regular files. +
Switch pvbus(4) to fully dynamic autoconf. +
Add mpw(4) support to ifconfig(8). +
In tame(2), always permit kbind (for dynamic linking) and add __thrsigdivert to the SELF list like the other threading calls. +
Add a -C option to doas(1) to check config files without running. +
In acpi(4), respect the access size when reading or writing to pci config space. This fixes battery status passthrough in vmware. +
Add argument matching support to doas(1). + +
In ldpd(8): +
- Improve handling of addresses on ldpe. +
- Add configuration reload support. +
- Record all fields of the received label mappings. +
- Add VPLS signaling support. +
- Fix several IPC synchronization issues. +
- Improve the show lib command. +
- Re-enable the reload command. +
- Introduce two show commands for l2vpns. +
+
Add radius(8) and radiusctl(8). +
On amd64 and i386, add pvbus(4), a pseudo-bus to attach non-PCI paravirtual devices and buses. +
In mandoc(1), call the pager without the -T option if the temporary file cannot be created. +
Add the radius library. This will be used by the RADIUS server and client programs to manipulate RADIUS packets. +
In ospfd(8), fix a segfault at startup. +
In libssl, correct #if/else logic in BIO's dgram_ctrl (Coverity CID 72741). +
In pflow(4), use the kernel socket interface (sosend(9) etc.) instead of shoving packets directly into the network stack with ip_output(). +
In backgammon(6), ensure the computer's men actually move when the computer's move is printed. +
In snmpd(8), properly encode IpAddress, Gauge32, and Counter32 varbinds received from subagents. +
Improve tty(4) hiwat handling. +
Implement MPLS pseudowire (mpw(4)) to be used with VPLS and VPWS. +
In openssl(1): +
- Avoid NULL deref in openssl s_cb (Coverity CID 24956). +
- Don't try to run ECDH if ecdh_checks fails in openssl speed (Coverity CID 72744). +
+
In tame(2), crudely canonicalize paths before taming them. +
On octeon, add amdcf(4), a new flash driver that allows access to the internal memory on (at least) D-Link DSR500 machines. +
Allow the sched_yield, __thrsleep, __thrwakeup, and __threxit syscalls when using tame(2). This allows threaded programs to work. +
Avoid a possible NULL dereference in openssl(1) s_server (Coverity CID 78873). +
Add a quirk for Cirrus Logic PD6729: earlier silicon versions of this chip would advertize themselves as multi-function devices while they are not. +
In syslogd(8), don't accept sockets when syslogd reaches the file descriptor limit. Instead disable the listen event and wait for a second. +
In openssl(1), avoid dereferencing NULL (Coverity CID 21746). +
In tame(2): +
- Don't dereference NULL FILE pointers. +
- Don't let any ioctls through with invalid file descriptors. +
+
In bgpd(8), execute the RDE and session engine process instead of just forking. This way ASLR and stack cookies are per process. +
Have tame(2) permit late calls to getpagesize() in programs. +
In tmux(1), add an option (history-file) for a file to save/restore command prompt history. +
Plug various memory leaks in libssl. +
Try to assign a secondary bus number if the BIOS left the CardBus bridge unconfigured. +
In httpd(8), ensure http_path is escaped before using it in Location redirection. +
In tmux(1), correct the tsl/fsl sequence to ]0 not ]2. +
On alpha, avoid having always to follow two pointers in copy{in,out}{,str} to get to the address of the onfault handler. + +
In openssl(1): +
- Warn when rename() fails in openssl apps (Coverity CIDs 78795 and 78803). +
- Remove check that is never true (Coverity CID 78799). +
- Check return value in openssl s_socket (Coverity CID 21655). +
- Check return value for ENGINE_ctrl and ENGINE_ctrl_cmd (Coverity CID 21645). +
+
Add kbind(2), a syscall for ld.so to use to securely and efficiently update memory for lazy binding. +
In doas(1), use a minimal set of stripped environment variables so that root shells read the right .kshrc. +
On alpha and powerpc, make pmap_remove() grab the kernel lock. This makes MP machines work again with the unlocked reaper. +
In octeon iobus, get rid of the static list of children devices and use only a lookup table for address hints where needed. +
In netstart(8), bring up pflow last as it might send with a source address that is on any of the other interfaces. +
In LibreSSL, remove the RSAX engine. +
Allow line continuations with backslashes in doas.conf(5). +
Make iwm(4) show command codes of unhandled firmware replies. +
Change uvm_page[re]alloc_multi to actually use the flags passed in, and return a value so that they may be called with UVM_PLA_NOWAIT. +
In ldpd(8): +
- Remove incomplete support for unnecessary modes of operation. +
- Rework label mapping algorithms to be more in line with the RFC. +
- Add full multipath support. +
- Send label withdraws when appropriate. +
- Add label withdraw/release wildcard support. +
- Implement MD5 authentication support. +
+
In the installer, use the %c and %a fields in pkg.conf. +
Show the tame flag in ps(1). +
In ldpd(8): +
- Send only the best routes to lde. +
- On RTM_CHANGE, remove the old route before installing the new one. +
- On IMSG_CTL_KROUTE_ADDR, show all nexthops for multpath routes. +
- Uninstall associated label bindings when a neighbor is down. +
+
In the install(1), do not use the mode set for the target file as the directory mode when using -D. +
Enable GPT kernel support. +
Define several new C99 macros in math.h. +
In the nextafterl(3) ld80 implementation, make exponents of x and y signed and fix esx and esy comparisons. +
In the unbound(8) rc.d(8) script, no longer gerate control keys/certificates if control-enable is used. +
unbound(8), enable the control socket by default without using keys/certificates for authentication. +
On mips64, add proper kernel locking in fpe_branch_emulate(). This avoids race conditions that could corrupt amap entries. +
On octeon, avoid a deadlock caused by disabled IPIs. +
In httpd(8), handle error returns from bufferevent_write(). +
Use two 2q caches for the buffer cache, moving previously warm buffers from the first queue to the second. +
Use DEV_BSIZE instead of 512 where appropriate in the kernel. This starts laying the groundwork to allow disks with other sector sizes. +
Adapt pms(4) so that the synaptics trackpad in the Dell L400 laptop can move the cursor in X. +
In fuse(4), implement basic fh functions to avoid a panic. +
In script(1), establish the SIGCHLD handler in the parent process only. + +
In mandoc(1), do not fork and exec gunzip(1), but just link with libz instead. +
Plug a potential memory leak in pf(4). +
In ktrace(2), make KTR_SYSRET records variables variables sized, leaving out the retval on error, including a long long retval on successful lseek(), and including a register_t retval for other successes. This fixes lseek reporting on ILP32 archs. +
In openssl(1): +
- Correctly check the return value of strtoll(3) (Coverity CID 105339). +
- Free a variable on error (Coverity CID 78826). +
- Free a variable before potentially reusing it (Coverity CID 78824). +
- Only close a descriptor if not already closed (Coverity CID 78916). +
+
In tcpdump(8), show 11n HTOP primary and secondary channel numbers for 40MHz BSS instead of showing just the primary one and "above" or "below" for secondary. +
Rename the tps65090 driver to "tpspmic". +
Introduce tame(2), a subsystem which restricts programs into a "reduced feature operating model". +
In libssl, remove the logic responsible for outputting most AES-NI instructions as raw byte sequences. +
Revert the previous commit in ospfd(8) (properly handle carp interfaces in "backup" mode on start-up), because it breaks on systems without carp. +
In doas(1), if execvpe fails with ENOENT, print "command not found", like sudo. +
On exynos, make the keyboard driver poll until it can be improved more. +
In snmpd(8) and relayd(8), don't return failure for agentx messages with 0-length payloads. This allows snmpd to properly handle ping messages from agentx subagents. +
In libssl, abort when ENGINE_remove fails (Coverity CID 21656). +
Make tcpdump(8) show HTOP elements in 11n management frames. +
In bioctl(8), remove the restriction to disallow the use of a passphrase file during initial creation of a crypto volume. +
Remove workarounds in httpd(8) and syslogd(8) now that tls_write(3) has short write semantics. +
Give tls_write(3) similar short write semantics as write(2), so implementing daemons with libevent buffers will be easier. +
In ftp(1) and ntpd(8), handle short writes and TLS_{READ,WRITE}_AGAIN around tls_write(). +
In route(8), make all commands accepting the "-priority" switch recognize aliases for common priorities. +
In libssl, don't dereference NULL (Coverity CID 78910). +
In ntpd(8), prevent the tls constraint state machine from getting hung on STATE_INVALID. +
In libssl, remove the SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER workaround. +
In snmpd(8), fix malformed packets when returning "no such object/entry" errors for snmp requests. +
In virtio(4), do the relatively expensive ISR read without kernel lock. +
In bgpctl(8), tag dynamic routes with a "D". +
In relayd(8), fix unbounded buffer growth. In the case of a slow client reading large files, we would consume large amounts of memory. +
In ospfd(8), properly handle carp(4) interfaces in "backup" mode on start-up. +
Abstract the routing table internals behind an rtable_* API. +
In acpicpu(4), if _CST provides a C2 or C3 but lacks a C1 that we understand, provide a fallback C1 state using "halt". +
In libssl, check the return value of ASN1_STRING_set() (Coverity CIDs 24810 and 24846). +
In install(1), add -D to create the full destination path before installing the source into it. +
In ssh: +
- Skip uninitialised PKCS#11 slots (bz#2427). +
- Don't ignore PKCS#11 hosted keys that return empty CKA_ID (bz#2429). +
+
In sshd(8), only query each keyboard-interactive device once per authentication request regardless of how many times it is listed. +
In doas(1), add -s as a shorthand for "doas $SHELL". +
In httpd(8), allow to change the default media type globally or per-location. +
In mandoc(1), insist that manual page file name extensions must begin with a digit lest pkg.conf(5) be shown when pkg(5) is asked for. + +
Support HTTP Strict Transport Security (HSTS) in httpd(8). +
Have tftpd(8) provide a block of random data when clients request the file /etc/random.seed. +
In mandoc(1), clean up the temporary file when the process dies from a signal. +
In libssl, remove support for the SSL_OP_TLS_D5_BUG compat hack from SSLeay. +
On alpha, correctly set up interrupts. Now the kernel no longer get stuck with an SCSI interrupt storm at the end of autoconf. +
In snmpd(8), use RTF_CONNECTED to properly track connected routes. +
On alpha, check for errors in the status register after performing a PCI configuration space read, for errors may not cause a machine check. This makes phantom PCI devices disappear on alphabook. +
Allow route(8) to show all routes with a priority or all routes without a specific priority. +
Allow sysctl(3) to show all routes with a priority or all routes without a specific priority. +
Plug a leak in libssl (Coverity CID 78897). +
Drop promiscuously received packets if the trunk(4) interface is not in promiscuous mode. +
Add the _dpb, _pbuild, _pfetch users to do dpb multi-user builds. +
On amd64 and i386, avoid assigning low addresses to PCI BARs. These addresses will never actually be routed to the PCI bus and therefore guaranteed not to work. +
In mandoc(1), add initial support for less(1) -T and :t ctags(1)-like functionality to jump to the definitions of various terms inside manual pages. +
Make sound cards work on older PowerMacs. +
Fix MPLS routing when receiving packet with multiple labels. +
Release the kernel lock while tearing down the uvm map in the reaper. This speeds up workloads that fork a lot of processes and, more importantly, reduces latency. +
Prevent non-ACPI uniprocessor i386 machines with NX/PAE from panicing in pcibiosattach. +
In ldpd(8), filter routes based on RTF_LLINFO and RTF_BROADCAST flags and use RTF_CONNECTED to properly track connected routes. +
In httpd(8), always set PATH_INFO. +
In sed(1), add the -i flag to do in-place editing. +
In ripd(8), filter routes by RTF_LLINFO and RTF_BROADCAST and use RTF_CONNECTED to determine if a route is connected or not. +
In binutils 2.17, correctly consume mandatory 0x66 prefix when disassembling aes{dec{,last},enc{,last},imc} instructions (a regression in 2.17) and correctly disassemble aeskeygenassist. +
Plug a leak in openssl(1) (Coverity CID 78877). +
In ospfd(8) and ospf6d(8), filter broadcast and llinfo routes, and adjust the tracking of connected routes to the new way. +
In bpgd(8), only filter RTF_LLINFO or RTF_BROADCAST routes out but not RTF_LOCAL ones since we need those for loopback and point-to-point interfaces. +
Make tcpdump(8) decode the country element in 802.11 mgmt frames. +
Announce an IP address after inserting its corresponding RTF_LOCAL route and not during the SIOCSIFADDR ioctl. This way addresses are not announced when an error occurs. +
Manage spd entries by using the radix api directly instead of reaching around through the routing table. +
Fix a regression introduced by the M_PROTO1 loop prevention cleaning because gif(4) was abusing this flag to figure out if the packet was coming from a bridge(4).q +
Make rcctl(8) return 0 when using "getall". +
Make tcpdump(8) display BSS load information contained in 802.11 mgmt frames. +
Update to NSD 4.1.3. +
Enable exynos on armv7. +
Remove support for SSLv3 from openssl(1) ciphers, s_client, s_server and s_time. +
In iked(8), assign the correct destination port value for the destination netmask. This repairs setup of SPD flows that specify port only on the one side of the from-to specification. +
Prevent a double free in tmux(1). +
In sndiod(8), fix hangs during clean-up after the audio device is disconnected or an unrecoverable error is detected. +
In libssl and openssl(1), remove workaround for TLS padding bug from SSLeay days. + +
In sshd(8), fix an incorrect test for SSH1 keys when compiled without SSH1 support. +
Prevent syslogd(8) from writing too much data into the log file. +
Make doas(1) fail if /etc/doas.conf is g+w or o+w or is not owned by root. +
On amd64 and i386, remove the 4-second delay on reboot and shutdown that was added 8 years ago to "workaround MP timeout/splhigh/scsi race at reboot time". The issue probably has been fixed by now. +
Allow (almost) any non-space character to be a part of "word" in doas.conf(5). This allows weird commands like /bin/echo to be used for real. +
Remove the IP_ROUTETOETHER pseudo-option. It is hack to support return-rst on bridge(4). +
Make tcpdump(8) show 11n HT capabilities in 802.11 management frames. +
Introduce doas(1). +
In drm(4), introduce a Linux-compatible wait_event API and use it in the inteldrm code. +
In libssl, enforce V_ASN1_OCTET_STRING type before accessing the object as octet string (OpenSSL RT #3683). +
In httpd(8), prevent having the whole file in RAM when it is read from disk faster than being sent to the client. +
Fix Coverity CID 78921 in openssl(1). +
Fix Perl srand() to be a deterministic pseudorandom stream. +
Plug a memory leak in libssl (Coverity CID 105348). +
Ensure the signs of cacosh(3) and cacoshf(3) are correct. + +
On amd64 and i386, move grab/release of the kernel_lock for softintrs from the ASM stubs to softintr_dispatch(). +
In getty(8), remove ancient support for edited hostnames. +
In btree(3) and recno(3), remove the stubby not working mmaped file support. +
In libssl: +
- Check the return value of all used functions in OCSP_REQUEST_print() (Coverity CID 78796). +
- After reading a password with terminal echo off, restore the terminal to its original state instead of blindly turning echo on. +
+
Update to Unbound 1.5.4. +
In axen(4): +
- Ignore the 4-byte trailing padding of each received packet when copying to the upper layer. +
- Add USB 3.0 related code. +
+
Update to libdrm 2.4.62. +
Refix memory handling for machines with less than 256M broken by r1.64 of src/sys/arch/octeon/octeon/machdep.c. +
In httpd(8), use vis(3) instead of url_encode() for some values like User-Agent. +
In libssl, fix a few Coverity CIDs including 125063. +
Recognize CARP interfaces when sending packet to a multicast address. +
On arm and armv7, account for the fact that the exynos gic is not at a fixed offset from periphbase. +
In urtw(4), fix error code paths to not panic the kernel. This makes the driver work with somewhat flaky urtw(4) devices. +
In libssl: +
- The previous fix for Coverity CID 21785 did not cope correctly with the case where seed_len != 0 and seed_in == NULL. Since this situation is an error anyway, bail out early. +
- Do not allow TS_check_signer_name() with signer == NULL from int_TS_RESP_verify_token() (Coverity CID 21710). +
- Avoid leaking objects upon error. +
- Fix unchecked allocations, and make sure we do not leak upon error (Coverity CID 21739 and more). +
- Fix a memory leak (Coverity CID 78836). +
- Fix a possible 32-byte buffer overrun (Coverity CID 78869). +
- Fix two theoretical NULL pointer dereferences which can only happen if you have seriously corrupted your memory (Coverity CIDs 21708 and 21721). Also plug a memory leak. +
- Remove dead code (Coverity CID 21688). +
- Flense out dead code (Coverity CIDs 21691 and 21698). +
+
In httpd(8), allow the certificate and key to each be almost 16 kB rather than having a combined total of less than 16 kB. +
5.6 and 5.7 SECURITY FIX: a TCP socket can become confused and not properly cleanup resources.
A source code patch exists for 5.6 and 5.7. +
In httpd(8): +
- Fix memory leaks that can occur when config_getserver() fails. +
- Explicitly check for and handle EOF on a TLS connection. +
+
In rc.d(8), require an exact match of the process name and argument list by default. +
Match another Netgear WG111T on uath(4). +
In rc.d(8), always use the default flags when running !start so that rc.d scripts launched with -f can be properly stopped, checked and reloaded. +
In ugold(4), add support for newer PCsensor TEMPerHUM thermo- and hygrometers. +
In sshd(1), fix a NULL dereference when SSHv1 is enabled. +
Make "openssl pkeyutl -verify" return exit code 0 on success. + +
Fix a crash caused by uath(4) if device init fails. +
In rcctl(8): +
- Deprecate the getall subcommand +
- Implement a new ls subcommand to list daemons according to the argument. +
- Make it possible to get the daemon_class. +
+
In tcpdump(8), move the BIOCGSTATS ioctl operation done by the tcpdump process into a service provided by the privsep monitor. +
In devname(3), fall back to scanning /dev if /var/run/dev.db does not exist. +
In find(1), fix a segmentation fault and a use-after-free. +
Avoid a situation where we do not set the tcp persist timer after a zero window condition. + +
On octeon, do not attempt to configure octhci. It is superseded by dwc2. +
In tmux(1): +
- Revert to marking lines as wrapped on newlines. This fixes problems with capturep -J. +
- Add a -s flag to show-environment to output Bourne shell commands à la ssh-agent. +
- Add a format to show if client is a control client. +
- Fix a few problems when running out of file descriptors. +
- Ignore environment variables that are too long to send to the server. +
- Reset G0/G1 state when resetting everything else with send-keys -R. +
+
First stab at making the hppa mpsafe. +
In devname(3), don't write a warning to stderr if the db cannot be opened. This avoids bogus warnings in chroots. + +
In tcpdump(8), don't consider \v and \f printable characters. +
In cwm(1), introduce "groupsearch" for group menu search. +
In xhci(4), do not trust the hardware when it says that the number of remaining bytes to transfer is superior to the length of the transfer. + +
On i386, amd64 and sparc64, don't call pool_put(9) while holding a mutex to prevent lock ordering problems between the per-pmap mutexes and the kernel lock. This happens because pool_put(9) may grab the kernel lock when it decides to free a pool page. +
In ssh, turn off DSA by default. Add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side so it can be turned back on. + +
In syslogd(8), ensure the privsep parent and syslogd child are kept in sync if the fd limit is reached. +
Disable pool_gc on m88k if MULTIPROCESSOR. +
Avoid a double free in syslogd(8). +
On amd64, prevent possible interrupt recursion before unwinding the stack. +
In ssh, re-enable ed25519-certs if compiled without OpenSSL. + +
In fdisk(8), dDo not attempt to read a disk sector worth of data from the file containing the MBR template. This allows fdisk(8) to work on 4096-byte disks again. +
In file(1), properly handle files >= 4 GB on 32-bit architectures. +
Switch "openssl dhparam" default from 512 to 2048 bits. +
Fix a use-after-free in et(4). +
Unify the mutex implementations on all the mips64 platforms. +
In pf(4), avoid strange state match and create behavior when IPsec is involved. +
Make bgpd(8) properly handle interface routes since they no longer have a "gateway" sockaddr of type AF_LINK. +
Use a new RTF_CONNECTED flag for interface (connected) routes. +
Disallow userland from setting RTF_LOCAL and RTF_BROADCAST. +
Replace MFREE(9) with m_freem(9). + +
In ddb(4), return the correct file name entry from the DWARF line table. +
In iked(8), repair policy-ikesa-linking. +
In vi(1), fix a regression caused by timespec changes when run without a file to edit. +
In syslogd(8), add the -T option to accept messages on a TCP socket. +
Unbreak option parsing in libfuse. +
Make non-kms pci video drivers work again on platforms other than i386 and amd64. + +
On armv7, use u-boot.img instead of u-boot.bin on the panda and beagle. +
In comsat(8), don't discard comsat messages with trailing whitespace. +
Add IPv6 support to mail.local(8). +
In tmux(1), update the environment with -E when attach-session used on an already attached session or switch-client used on the current session. + +
Let syslogd(8) run with non-blocking sockets. + +
On vax, replace the manual buf list management with a fifo bufq. +
In qe(4), count outgoing packets. + +
Remove sudo; it has moved to ports. +
Revert r1.111 of xenocara/app/cwm/kbfunc.c: it broke application menu searching. +
Add static PIE support to sparc. +
On sparc, correctly handle relative-type relocations. + +
In ssh(1), turn off the 1024-bit diffie-hellman-group1-sha1 key exchange method. +
In ssh: +
- Remove support for legacy v00 certificates. +
- Refuse to generate or accept RSA keys smaller than 1024 bits. +
+
Put KERNEL_LOCK/KERNEL_UNLOCK around the pipex destination for mbufs until it is properly MP-protected. +
On i386, tweak MUTEX_ASSERT_LOCKED and MUTEX_ASSERT_UNLOCKED to only look at the owner. +
On i386, make pmap_enter(9), pmap_remove(9) and pmap_page_protect(9) safe to use without holding the kernel lock. Unfortunately there still seems to be an issue that causes deadlocks under pressure. +
On m88k, fix MUTEX_ASSERT_LOCKED and MUTEX_ASSERT_UNLOCKED so that they check whether the mutex is locked by the current CPU rather than any CPU. + +
Introduce shared reference pointers (srp). +
Compile-time disable SSH version 1 again.
In ssh, better refuse ForwardX11Trusted=no connections attempted after ForwardX11Timeout expires.
In syslogd(8), add a -U option to specify an explicit address to receive UDP packets. *************** *** 271,277 ****
In tmux(1), make "new -d" work without unsetting $TMUX.
Add the new rtwn(4) for RTL8188CE wifi cards.
Check for a resolv.conf update the first time the resolver is used after pid has changed. !
Add support for em(4) on the Teak 3020, a system based on the Intel Tolopai (EP80579).
Prevent a kernel panic on macppc caused by the kernel perfpolicy code.
In tmux(1):
- In tmux(1), make "new -d" work without unsetting $TMUX.
- Add the new rtwn(4) for RTL8188CE wifi cards.
- Check for a resolv.conf update the first time the resolver is used after pid has changed. !
- Add support for em(4) on the Teak 3020, a system based on the Intel Tolopai (EP80579).
- Prevent a kernel panic on macppc caused by the kernel perfpolicy code.
- In tmux(1):