===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus58.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -c -r1.5 -r1.6
*** www/plus58.html 2015/08/09 18:57:31 1.5
--- www/plus58.html 2015/09/01 22:29:36 1.6
***************
*** 75,80 ****
--- 75,495 ----
+
+ - On armv7, make use of u-boot 2015.07's unified wandboard config to provide a miniroot to cover all current wandboard variations.
+
- 5.6 and 5.7 SECURITY FIX: the patch utility could become desyncronized processing ed(1)-style diffs.
A source code patch exists for 5.6 and 5.7.
+ - Prevent substitution commands ("s///") with a newline in the replacement pattern from confusing patch(1) about the state of the ed(1) child process is in.
+
- Turn off POOL_DEBUG for release.
+
- In httpd(8), repair HSTS header output.
+
- Fix pty permissions in sshd(8).
+
- In the installer, make "without-password" the default answer to the "Allow root ssh login?" question.
+
- Change the sshd_config(5) PermitRootLogin default to "without-password".
+
- In ksh(1), fix the baskslash-escaped codes ("\nnn") usage in PS1.
+
+
- Allow ssh_config(5) and sshd_config(5) kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it.
+
- In envy(4), properly recover when interrupts are blocked for too long. This fixes permanent distortion on MP systems.
+
- In relayd(8), fix a bug where other than the last of multiple forward rules in http protocols would be ignored.
+
- Add linker warnings in case SSLv3_{,client,server}_method are referenced.
+
- On macppc, powerpc and socppc, do not save the status register and restore it for machine check exceptions.
+
- Revert r1.289 of src/sys/dev/acpi/acpi.c (respect the access size when reading or writing to pci config space). It is locking up suspend or boot on some laptops.
+
- Disable tame(2) with ENOSYS for upcoming release cycle.
+
- Acquire the kernel lock in pmap_remove(). The reasons for this can't be stated as the committer has been asked to be polite in his commit message.
+
- In azalia(4), rework the buffer position reporting code.
+
+
- Build r300g and r600g on macppc and sparc64.
+
- Make the Gallium r300 works on big-endian architectures.
+
- In case the system misses enough audio interrupts for DMA pointers to wrap, recover by detecting and compensating for the missed interrupts. This fixes certain audio hangs on MP machines.
+
- In libsndio and audioctl(1), use the new AUDIO_GETPOS ioctl instead of AUDIO_GETxOFFS and AUDIO_xERROR.
+
- Add the AUDIO_GETPOS ioctl to fetch a snapshot of the 4 counters returned by AUDIO_GETxOFFS and AUDIO_xERROR ioctls.
+
- In mandoc(1), remove the hack of scrolling forward and backward with +G1G. Instead, when using a pager, use another temporary file for the formatted page(s).
+
- For unix domain sequenced packet socket pairs, don't report an EMSGSIZE error when the sent message was not too large.
+
- In doas(1), fix keepenv handling.
+
- In pkg_add(1), make -B cope with bad checksums.
+
- Implement pf(4) divert-reply for raw sockets.
+
- Do not link an ICMP6 socket to the pf state.
+
- In httpd(8), add HSTS to fcgi responses.
+
+
- Add ktracing of structs iovec, msghdr, and cmsghdr for {,p}{read,write}v(), sendmsg(), and recvmsg().
+
- In gcc(1), implement support for __builtin_complex() to construct complex values. This is required by the upcoming libm work.
+
- In disktab(5) on i386, fix geometry of rdroot entry.
+
- Rather than disabling tame(2) to coredump, leave it enabled but flag that a coredump is happening. This improves behaviour while threaded.
+
- On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking.
+
- In sshd(8), permit kbind(2) use in the sandbox.
+
- Enforce tame(2) by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set.
+
- 5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file.
A source code patch exists for 5.6 and 5.7. These patches remove the RCS support.
+ - 5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace.
A source code patch exists for 5.6 and 5.7.
+ - In radiusd(8), make the modules priviledge-separated.
+
- In tmux(1), make -q suppress ambiguous option warnings too.
+
+
- In doas(1):
+
+ - Implement command matching without execution.
+
- Don't exit when the command line is too long to log.
+
+ - In patch(1), remove support for automatically checking files out of RCS. This may cause patch to be tricked into running arbitrary shell code with a specially crafted diff.
+
- In disktab(5) on amd64, fix ba# attribute in rdroot entry.
+
- Update to terminfo 20150725.
+
+
- On alpha, ensure pci_intr_map() will perform proper interrupt swizzling for devices behind a bridge, if the SRM didn't pick an interrupt line for them.
+
- On alpha, adapt the way the vga(4) textmode is obtained in order to support the Alphabook 1.
+
- Add basic support for tag priorities to mandoc(1)
+
+
- In libsndio, fix an arithmetic mistake causing errors when there are more xruns on the record side than on the play side.
+
- In sndiod(8), clear watchdog timer when device is closed. This fixes a use-after-free in error code paths when the device is closed before the audio is stopped.
+
- Improve syntax error reporting for doas.conf(5).
+
+
- Prevent a use-after-free in bnx(4).
+
- In pkg_add(1), change the expansion of %m and %c in installpath to the snapshots folder during -beta.
+
- Revert attempted GPT code cleanup.
+
- In httpd(8), escape the " character in the authentication realm.
+
- Make npppd(8) use libradius.
+
+
- Disable GPT support. It appears to create broken spoofed labels for empty disks.
+
- Implement quoting support in doas.conf(5).
+
- In tail(1), fix a memory leak when -r is used with anything but regular files.
+
+
- Slam signal handlers harder in tame(2).
+
- Plug a memory leak in execve(2) with systrace(4).
+
- Generate new moduli for ssh.
+
- In security(8), don't risk blocking when reading untrusted user files and for additional safety against race attacks, make sure they are regular files.
+
- Switch pvbus(4) to fully dynamic autoconf.
+
- Add mpw(4) support to ifconfig(8).
+
- In tame(2), always permit kbind (for dynamic linking) and add __thrsigdivert to the SELF list like the other threading calls.
+
- Add a -C option to doas(1) to check config files without running.
+
- In acpi(4), respect the access size when reading or writing to pci config space. This fixes battery status passthrough in vmware.
+
- Add argument matching support to doas(1).
+
+
- In ldpd(8):
+
+ - Improve handling of addresses on ldpe.
+
- Add configuration reload support.
+
- Record all fields of the received label mappings.
+
- Add VPLS signaling support.
+
- Fix several IPC synchronization issues.
+
- Improve the show lib command.
+
- Re-enable the reload command.
+
- Introduce two show commands for l2vpns.
+
+ - Add radius(8) and radiusctl(8).
+
- On amd64 and i386, add pvbus(4), a pseudo-bus to attach non-PCI paravirtual devices and buses.
+
- In mandoc(1), call the pager without the -T option if the temporary file cannot be created.
+
- Add the radius library. This will be used by the RADIUS server and client programs to manipulate RADIUS packets.
+
- In ospfd(8), fix a segfault at startup.
+
- In libssl, correct #if/else logic in BIO's dgram_ctrl (Coverity CID 72741).
+
- In pflow(4), use the kernel socket interface (sosend(9) etc.) instead of shoving packets directly into the network stack with ip_output().
+
- In backgammon(6), ensure the computer's men actually move when the computer's move is printed.
+
- In snmpd(8), properly encode IpAddress, Gauge32, and Counter32 varbinds received from subagents.
+
- Improve tty(4) hiwat handling.
+
- Implement MPLS pseudowire (mpw(4)) to be used with VPLS and VPWS.
+
- In openssl(1):
+
+ - Avoid NULL deref in openssl s_cb (Coverity CID 24956).
+
- Don't try to run ECDH if ecdh_checks fails in openssl speed (Coverity CID 72744).
+
+ - In tame(2), crudely canonicalize paths before taming them.
+
- On octeon, add amdcf(4), a new flash driver that allows access to the internal memory on (at least) D-Link DSR500 machines.
+
- Allow the sched_yield, __thrsleep, __thrwakeup, and __threxit syscalls when using tame(2). This allows threaded programs to work.
+
- Avoid a possible NULL dereference in openssl(1) s_server (Coverity CID 78873).
+
- Add a quirk for Cirrus Logic PD6729: earlier silicon versions of this chip would advertize themselves as multi-function devices while they are not.
+
- In syslogd(8), don't accept sockets when syslogd reaches the file descriptor limit. Instead disable the listen event and wait for a second.
+
- In openssl(1), avoid dereferencing NULL (Coverity CID 21746).
+
- In tame(2):
+
+ - Don't dereference NULL FILE pointers.
+
- Don't let any ioctls through with invalid file descriptors.
+
+ - In bgpd(8), execute the RDE and session engine process instead of just forking. This way ASLR and stack cookies are per process.
+
- Have tame(2) permit late calls to getpagesize() in programs.
+
- In tmux(1), add an option (history-file) for a file to save/restore command prompt history.
+
- Plug various memory leaks in libssl.
+
- Try to assign a secondary bus number if the BIOS left the CardBus bridge unconfigured.
+
- In httpd(8), ensure http_path is escaped before using it in Location redirection.
+
- In tmux(1), correct the tsl/fsl sequence to ]0 not ]2.
+
- On alpha, avoid having always to follow two pointers in copy{in,out}{,str} to get to the address of the onfault handler.
+
+
- In openssl(1):
+
+ - Warn when rename() fails in openssl apps (Coverity CIDs 78795 and 78803).
+
- Remove check that is never true (Coverity CID 78799).
+
- Check return value in openssl s_socket (Coverity CID 21655).
+
- Check return value for ENGINE_ctrl and ENGINE_ctrl_cmd (Coverity CID 21645).
+
+ - Add kbind(2), a syscall for ld.so to use to securely and efficiently update memory for lazy binding.
+
- In doas(1), use a minimal set of stripped environment variables so that root shells read the right .kshrc.
+
- On alpha and powerpc, make pmap_remove() grab the kernel lock. This makes MP machines work again with the unlocked reaper.
+
- In octeon iobus, get rid of the static list of children devices and use only a lookup table for address hints where needed.
+
- In netstart(8), bring up pflow last as it might send with a source address that is on any of the other interfaces.
+
- In LibreSSL, remove the RSAX engine.
+
- Allow line continuations with backslashes in doas.conf(5).
+
- Make iwm(4) show command codes of unhandled firmware replies.
+
- Change uvm_page[re]alloc_multi to actually use the flags passed in, and return a value so that they may be called with UVM_PLA_NOWAIT.
+
- In ldpd(8):
+
+ - Remove incomplete support for unnecessary modes of operation.
+
- Rework label mapping algorithms to be more in line with the RFC.
+
- Add full multipath support.
+
- Send label withdraws when appropriate.
+
- Add label withdraw/release wildcard support.
+
- Implement MD5 authentication support.
+
+ - In the installer, use the %c and %a fields in pkg.conf.
+
- Show the tame flag in ps(1).
+
- In ldpd(8):
+
+ - Send only the best routes to lde.
+
- On RTM_CHANGE, remove the old route before installing the new one.
+
- On IMSG_CTL_KROUTE_ADDR, show all nexthops for multpath routes.
+
- Uninstall associated label bindings when a neighbor is down.
+
+ - In the install(1), do not use the mode set for the target file as the directory mode when using -D.
+
- Enable GPT kernel support.
+
- Define several new C99 macros in math.h.
+
- In the nextafterl(3) ld80 implementation, make exponents of x and y signed and fix esx and esy comparisons.
+
- In the unbound(8) rc.d(8) script, no longer gerate control keys/certificates if control-enable is used.
+
- unbound(8), enable the control socket by default without using keys/certificates for authentication.
+
- On mips64, add proper kernel locking in fpe_branch_emulate(). This avoids race conditions that could corrupt amap entries.
+
- On octeon, avoid a deadlock caused by disabled IPIs.
+
- In httpd(8), handle error returns from bufferevent_write().
+
- Use two 2q caches for the buffer cache, moving previously warm buffers from the first queue to the second.
+
- Use DEV_BSIZE instead of 512 where appropriate in the kernel. This starts laying the groundwork to allow disks with other sector sizes.
+
- Adapt pms(4) so that the synaptics trackpad in the Dell L400 laptop can move the cursor in X.
+
- In fuse(4), implement basic fh functions to avoid a panic.
+
- In script(1), establish the SIGCHLD handler in the parent process only.
+
+
- In mandoc(1), do not fork and exec gunzip(1), but just link with libz instead.
+
- Plug a potential memory leak in pf(4).
+
- In ktrace(2), make KTR_SYSRET records variables variables sized, leaving out the retval on error, including a long long retval on successful lseek(), and including a register_t retval for other successes. This fixes lseek reporting on ILP32 archs.
+
- In openssl(1):
+
+ - Correctly check the return value of strtoll(3) (Coverity CID 105339).
+
- Free a variable on error (Coverity CID 78826).
+
- Free a variable before potentially reusing it (Coverity CID 78824).
+
- Only close a descriptor if not already closed (Coverity CID 78916).
+
+ - In tcpdump(8), show 11n HTOP primary and secondary channel numbers for 40MHz BSS instead of showing just the primary one and "above" or "below" for secondary.
+
- Rename the tps65090 driver to "tpspmic".
+
- Introduce tame(2), a subsystem which restricts programs into a "reduced feature operating model".
+
- In libssl, remove the logic responsible for outputting most AES-NI instructions as raw byte sequences.
+
- Revert the previous commit in ospfd(8) (properly handle carp interfaces in "backup" mode on start-up), because it breaks on systems without carp.
+
- In doas(1), if execvpe fails with ENOENT, print "command not found", like sudo.
+
- On exynos, make the keyboard driver poll until it can be improved more.
+
- In snmpd(8) and relayd(8), don't return failure for agentx messages with 0-length payloads. This allows snmpd to properly handle ping messages from agentx subagents.
+
- In libssl, abort when ENGINE_remove fails (Coverity CID 21656).
+
- Make tcpdump(8) show HTOP elements in 11n management frames.
+
- In bioctl(8), remove the restriction to disallow the use of a passphrase file during initial creation of a crypto volume.
+
- Remove workarounds in httpd(8) and syslogd(8) now that tls_write(3) has short write semantics.
+
- Give tls_write(3) similar short write semantics as write(2), so implementing daemons with libevent buffers will be easier.
+
- In ftp(1) and ntpd(8), handle short writes and TLS_{READ,WRITE}_AGAIN around tls_write().
+
- In route(8), make all commands accepting the "-priority" switch recognize aliases for common priorities.
+
- In libssl, don't dereference NULL (Coverity CID 78910).
+
- In ntpd(8), prevent the tls constraint state machine from getting hung on STATE_INVALID.
+
- In libssl, remove the SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER workaround.
+
- In snmpd(8), fix malformed packets when returning "no such object/entry" errors for snmp requests.
+
- In virtio(4), do the relatively expensive ISR read without kernel lock.
+
- In bgpctl(8), tag dynamic routes with a "D".
+
- In relayd(8), fix unbounded buffer growth. In the case of a slow client reading large files, we would consume large amounts of memory.
+
- In ospfd(8), properly handle carp(4) interfaces in "backup" mode on start-up.
+
- Abstract the routing table internals behind an rtable_* API.
+
- In acpicpu(4), if _CST provides a C2 or C3 but lacks a C1 that we understand, provide a fallback C1 state using "halt".
+
- In libssl, check the return value of ASN1_STRING_set() (Coverity CIDs 24810 and 24846).
+
- In install(1), add -D to create the full destination path before installing the source into it.
+
- In ssh:
+
+ - Skip uninitialised PKCS#11 slots (bz#2427).
+
- Don't ignore PKCS#11 hosted keys that return empty CKA_ID (bz#2429).
+
+ - In sshd(8), only query each keyboard-interactive device once per authentication request regardless of how many times it is listed.
+
- In doas(1), add -s as a shorthand for "doas $SHELL".
+
- In httpd(8), allow to change the default media type globally or per-location.
+
- In mandoc(1), insist that manual page file name extensions must begin with a digit lest pkg.conf(5) be shown when pkg(5) is asked for.
+
+
- Support HTTP Strict Transport Security (HSTS) in httpd(8).
+
- Have tftpd(8) provide a block of random data when clients request the file /etc/random.seed.
+
- In mandoc(1), clean up the temporary file when the process dies from a signal.
+
- In libssl, remove support for the SSL_OP_TLS_D5_BUG compat hack from SSLeay.
+
- On alpha, correctly set up interrupts. Now the kernel no longer get stuck with an SCSI interrupt storm at the end of autoconf.
+
- In snmpd(8), use RTF_CONNECTED to properly track connected routes.
+
- On alpha, check for errors in the status register after performing a PCI configuration space read, for errors may not cause a machine check. This makes phantom PCI devices disappear on alphabook.
+
- Allow route(8) to show all routes with a priority or all routes without a specific priority.
+
- Allow sysctl(3) to show all routes with a priority or all routes without a specific priority.
+
- Plug a leak in libssl (Coverity CID 78897).
+
- Drop promiscuously received packets if the trunk(4) interface is not in promiscuous mode.
+
- Add the _dpb, _pbuild, _pfetch users to do dpb multi-user builds.
+
- On amd64 and i386, avoid assigning low addresses to PCI BARs. These addresses will never actually be routed to the PCI bus and therefore guaranteed not to work.
+
- In mandoc(1), add initial support for less(1) -T and :t ctags(1)-like functionality to jump to the definitions of various terms inside manual pages.
+
- Make sound cards work on older PowerMacs.
+
- Fix MPLS routing when receiving packet with multiple labels.
+
- Release the kernel lock while tearing down the uvm map in the reaper. This speeds up workloads that fork a lot of processes and, more importantly, reduces latency.
+
- Prevent non-ACPI uniprocessor i386 machines with NX/PAE from panicing in pcibiosattach.
+
- In ldpd(8), filter routes based on RTF_LLINFO and RTF_BROADCAST flags and use RTF_CONNECTED to properly track connected routes.
+
- In httpd(8), always set PATH_INFO.
+
- In sed(1), add the -i flag to do in-place editing.
+
- In ripd(8), filter routes by RTF_LLINFO and RTF_BROADCAST and use RTF_CONNECTED to determine if a route is connected or not.
+
- In binutils 2.17, correctly consume mandatory 0x66 prefix when disassembling aes{dec{,last},enc{,last},imc} instructions (a regression in 2.17) and correctly disassemble aeskeygenassist.
+
- Plug a leak in openssl(1) (Coverity CID 78877).
+
- In ospfd(8) and ospf6d(8), filter broadcast and llinfo routes, and adjust the tracking of connected routes to the new way.
+
- In bpgd(8), only filter RTF_LLINFO or RTF_BROADCAST routes out but not RTF_LOCAL ones since we need those for loopback and point-to-point interfaces.
+
- Make tcpdump(8) decode the country element in 802.11 mgmt frames.
+
- Announce an IP address after inserting its corresponding RTF_LOCAL route and not during the SIOCSIFADDR ioctl. This way addresses are not announced when an error occurs.
+
- Manage spd entries by using the radix api directly instead of reaching around through the routing table.
+
- Fix a regression introduced by the M_PROTO1 loop prevention cleaning because gif(4) was abusing this flag to figure out if the packet was coming from a bridge(4).q
+
- Make rcctl(8) return 0 when using "getall".
+
- Make tcpdump(8) display BSS load information contained in 802.11 mgmt frames.
+
- Update to NSD 4.1.3.
+
- Enable exynos on armv7.
+
- Remove support for SSLv3 from openssl(1) ciphers, s_client, s_server and s_time.
+
- In iked(8), assign the correct destination port value for the destination netmask. This repairs setup of SPD flows that specify port only on the one side of the from-to specification.
+
- Prevent a double free in tmux(1).
+
- In sndiod(8), fix hangs during clean-up after the audio device is disconnected or an unrecoverable error is detected.
+
- In libssl and openssl(1), remove workaround for TLS padding bug from SSLeay days.
+
+
- In sshd(8), fix an incorrect test for SSH1 keys when compiled without SSH1 support.
+
- Prevent syslogd(8) from writing too much data into the log file.
+
- Make doas(1) fail if /etc/doas.conf is g+w or o+w or is not owned by root.
+
- On amd64 and i386, remove the 4-second delay on reboot and shutdown that was added 8 years ago to "workaround MP timeout/splhigh/scsi race at reboot time". The issue probably has been fixed by now.
+
- Allow (almost) any non-space character to be a part of "word" in doas.conf(5). This allows weird commands like /bin/echo to be used for real.
+
- Remove the IP_ROUTETOETHER pseudo-option. It is hack to support return-rst on bridge(4).
+
- Make tcpdump(8) show 11n HT capabilities in 802.11 management frames.
+
- Introduce doas(1).
+
- In drm(4), introduce a Linux-compatible wait_event API and use it in the inteldrm code.
+
- In libssl, enforce V_ASN1_OCTET_STRING type before accessing the object as octet string (OpenSSL RT #3683).
+
- In httpd(8), prevent having the whole file in RAM when it is read from disk faster than being sent to the client.
+
- Fix Coverity CID 78921 in openssl(1).
+
- Fix Perl srand() to be a deterministic pseudorandom stream.
+
- Plug a memory leak in libssl (Coverity CID 105348).
+
- Ensure the signs of cacosh(3) and cacoshf(3) are correct.
+
+
- On amd64 and i386, move grab/release of the kernel_lock for softintrs from the ASM stubs to softintr_dispatch().
+
- In getty(8), remove ancient support for edited hostnames.
+
- In btree(3) and recno(3), remove the stubby not working mmaped file support.
+
- In libssl:
+
+ - Check the return value of all used functions in OCSP_REQUEST_print() (Coverity CID 78796).
+
- After reading a password with terminal echo off, restore the terminal to its original state instead of blindly turning echo on.
+
+ - Update to Unbound 1.5.4.
+
- In axen(4):
+
+ - Ignore the 4-byte trailing padding of each received packet when copying to the upper layer.
+
- Add USB 3.0 related code.
+
+ - Update to libdrm 2.4.62.
+
- Refix memory handling for machines with less than 256M broken by r1.64 of src/sys/arch/octeon/octeon/machdep.c.
+
- In httpd(8), use vis(3) instead of url_encode() for some values like User-Agent.
+
- In libssl, fix a few Coverity CIDs including 125063.
+
- Recognize CARP interfaces when sending packet to a multicast address.
+
- On arm and armv7, account for the fact that the exynos gic is not at a fixed offset from periphbase.
+
- In urtw(4), fix error code paths to not panic the kernel. This makes the driver work with somewhat flaky urtw(4) devices.
+
- In libssl:
+
+ - The previous fix for Coverity CID 21785 did not cope correctly with the case where seed_len != 0 and seed_in == NULL. Since this situation is an error anyway, bail out early.
+
- Do not allow TS_check_signer_name() with signer == NULL from int_TS_RESP_verify_token() (Coverity CID 21710).
+
- Avoid leaking objects upon error.
+
- Fix unchecked allocations, and make sure we do not leak upon error (Coverity CID 21739 and more).
+
- Fix a memory leak (Coverity CID 78836).
+
- Fix a possible 32-byte buffer overrun (Coverity CID 78869).
+
- Fix two theoretical NULL pointer dereferences which can only happen if you have seriously corrupted your memory (Coverity CIDs 21708 and 21721). Also plug a memory leak.
+
- Remove dead code (Coverity CID 21688).
+
- Flense out dead code (Coverity CIDs 21691 and 21698).
+
+ - In httpd(8), allow the certificate and key to each be almost 16 kB rather than having a combined total of less than 16 kB.
+
- 5.6 and 5.7 SECURITY FIX: a TCP socket can become confused and not properly cleanup resources.
A source code patch exists for 5.6 and 5.7.
+ - In httpd(8):
+
+ - Fix memory leaks that can occur when config_getserver() fails.
+
- Explicitly check for and handle EOF on a TLS connection.
+
+ - In rc.d(8), require an exact match of the process name and argument list by default.
+
- Match another Netgear WG111T on uath(4).
+
- In rc.d(8), always use the default flags when running !start so that rc.d scripts launched with -f can be properly stopped, checked and reloaded.
+
- In ugold(4), add support for newer PCsensor TEMPerHUM thermo- and hygrometers.
+
- In sshd(1), fix a NULL dereference when SSHv1 is enabled.
+
- Make "openssl pkeyutl -verify" return exit code 0 on success.
+
+
- Fix a crash caused by uath(4) if device init fails.
+
- In rcctl(8):
+
+ - Deprecate the getall subcommand
+
- Implement a new ls subcommand to list daemons according to the argument.
+
- Make it possible to get the daemon_class.
+
+ - In tcpdump(8), move the BIOCGSTATS ioctl operation done by the tcpdump process into a service provided by the privsep monitor.
+
- In devname(3), fall back to scanning /dev if /var/run/dev.db does not exist.
+
- In find(1), fix a segmentation fault and a use-after-free.
+
- Avoid a situation where we do not set the tcp persist timer after a zero window condition.
+
+
- On octeon, do not attempt to configure octhci. It is superseded by dwc2.
+
- In tmux(1):
+
+ - Revert to marking lines as wrapped on newlines. This fixes problems with capturep -J.
+
- Add a -s flag to show-environment to output Bourne shell commands à la ssh-agent.
+
- Add a format to show if client is a control client.
+
- Fix a few problems when running out of file descriptors.
+
- Ignore environment variables that are too long to send to the server.
+
- Reset G0/G1 state when resetting everything else with send-keys -R.
+
+ - First stab at making the hppa mpsafe.
+
- In devname(3), don't write a warning to stderr if the db cannot be opened. This avoids bogus warnings in chroots.
+
+
- In tcpdump(8), don't consider \v and \f printable characters.
+
- In cwm(1), introduce "groupsearch" for group menu search.
+
- In xhci(4), do not trust the hardware when it says that the number of remaining bytes to transfer is superior to the length of the transfer.
+
+
- On i386, amd64 and sparc64, don't call pool_put(9) while holding a mutex to prevent lock ordering problems between the per-pmap mutexes and the kernel lock. This happens because pool_put(9) may grab the kernel lock when it decides to free a pool page.
+
- In ssh, turn off DSA by default. Add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side so it can be turned back on.
+
+
- In syslogd(8), ensure the privsep parent and syslogd child are kept in sync if the fd limit is reached.
+
- Disable pool_gc on m88k if MULTIPROCESSOR.
+
- Avoid a double free in syslogd(8).
+
- On amd64, prevent possible interrupt recursion before unwinding the stack.
+
- In ssh, re-enable ed25519-certs if compiled without OpenSSL.
+
+
- In fdisk(8), dDo not attempt to read a disk sector worth of data from the file containing the MBR template. This allows fdisk(8) to work on 4096-byte disks again.
+
- In file(1), properly handle files >= 4 GB on 32-bit architectures.
+
- Switch "openssl dhparam" default from 512 to 2048 bits.
+
- Fix a use-after-free in et(4).
+
- Unify the mutex implementations on all the mips64 platforms.
+
- In pf(4), avoid strange state match and create behavior when IPsec is involved.
+
- Make bgpd(8) properly handle interface routes since they no longer have a "gateway" sockaddr of type AF_LINK.
+
- Use a new RTF_CONNECTED flag for interface (connected) routes.
+
- Disallow userland from setting RTF_LOCAL and RTF_BROADCAST.
+
- Replace MFREE(9) with m_freem(9).
+
+
- In ddb(4), return the correct file name entry from the DWARF line table.
+
- In iked(8), repair policy-ikesa-linking.
+
- In vi(1), fix a regression caused by timespec changes when run without a file to edit.
+
- In syslogd(8), add the -T option to accept messages on a TCP socket.
+
- Unbreak option parsing in libfuse.
+
- Make non-kms pci video drivers work again on platforms other than i386 and amd64.
+
+
- On armv7, use u-boot.img instead of u-boot.bin on the panda and beagle.
+
- In comsat(8), don't discard comsat messages with trailing whitespace.
+
- Add IPv6 support to mail.local(8).
+
- In tmux(1), update the environment with -E when attach-session used on an already attached session or switch-client used on the current session.
+
+
- Let syslogd(8) run with non-blocking sockets.
+
+
- On vax, replace the manual buf list management with a fifo bufq.
+
- In qe(4), count outgoing packets.
+
+
- Remove sudo; it has moved to ports.
+
- Revert r1.111 of xenocara/app/cwm/kbfunc.c: it broke application menu searching.
+
- Add static PIE support to sparc.
+
- On sparc, correctly handle relative-type relocations.
+
+
- In ssh(1), turn off the 1024-bit diffie-hellman-group1-sha1 key exchange method.
+
- In ssh:
+
+ - Remove support for legacy v00 certificates.
+
- Refuse to generate or accept RSA keys smaller than 1024 bits.
+
+ - Put KERNEL_LOCK/KERNEL_UNLOCK around the pipex destination for mbufs until it is properly MP-protected.
+
- On i386, tweak MUTEX_ASSERT_LOCKED and MUTEX_ASSERT_UNLOCKED to only look at the owner.
+
- On i386, make pmap_enter(9), pmap_remove(9) and pmap_page_protect(9) safe to use without holding the kernel lock. Unfortunately there still seems to be an issue that causes deadlocks under pressure.
+
- On m88k, fix MUTEX_ASSERT_LOCKED and MUTEX_ASSERT_UNLOCKED so that they check whether the mutex is locked by the current CPU rather than any CPU.
+
+
- Introduce shared reference pointers (srp).
+
- Compile-time disable SSH version 1 again.
- In ssh, better refuse ForwardX11Trusted=no connections attempted after ForwardX11Timeout expires.
- In syslogd(8), add a -U option to specify an explicit address to receive UDP packets.
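Review bot: several of the added entries in the 75,495 block have spelling or wording slips that will go out on the published changelog. The misspellings are "desyncronized" (patch(1) ed-style diff SECURITY FIX), "baskslash-escaped" (ksh(1) PS1), "priviledge-separated" (radiusd(8)), "gerate" (unbound(8) rc.d script), "multpath" (ldpd(8) IMSG_CTL_KROUTE_ADDR) and "bpgd(8)" for bgpd(8). There is also "dDo not" in the fdisk(8) entry, a stray "q" after "bridge(4)." in the gif(4) regression entry, and the doubled "variables variables sized" in the ktrace(2) entry. The NULL dereference entry names "sshd(1)" where the rest of the hunk uses sshd(8), and "Add radius(8) and radiusctl(8)" does not match the radiusd(8) named in the privilege separation entry. The two patch(1) RCS entries (the 5.6 and 5.7 SECURITY FIX and the plain "remove support for automatically checking files out of RCS" item) appear to describe the same change and would read better merged or cross-referenced. In the second of them, "This may cause patch to be tricked" reads as if the removal introduces the problem; suggest rewording so the sentence refers to the RCS support being removed.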
***************
*** 271,277 ****
- In tmux(1), make "new -d" work without unsetting $TMUX.
- Add the new rtwn(4) for RTL8188CE wifi cards.
- Check for a resolv.conf update the first time the resolver is used after pid has changed.
!
- Add support for em(4) on the Teak 3020, a system based on the Intel Tolopai (EP80579).
- Prevent a kernel panic on macppc caused by the kernel perfpolicy code.
- In tmux(1):
--- 686,692 ----
- In tmux(1), make "new -d" work without unsetting $TMUX.
- Add the new rtwn(4) for RTL8188CE wifi cards.
- Check for a resolv.conf update the first time the resolver is used after pid has changed.
!
- Add support for em(4) on the Teak 3020, a system based on the Intel Tolopai (EP80579).
- Prevent a kernel panic on macppc caused by the kernel perfpolicy code.
- In tmux(1):
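Review bot: the only changed line in this hunk, the "!" between the resolv.conf entry and the em(4) entry, shows no text on either the 271,277 side or the 686,692 side, so it looks like a whitespace or markup-only change riding along with the content additions. Suggest committing it separately or mentioning it in the log message so the revision history for this page stays easy to audit.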