=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus58.html,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- www/plus58.html 2015/09/04 15:59:50 1.8 +++ www/plus58.html 2015/10/12 18:36:15 1.9 @@ -123,7 +123,7 @@
  • Add linker warnings in case SSLv3_{,client,server}_method are referenced.
  • On macppc, powerpc and socppc, do not save the status register and restore it for machine check exceptions.
  • Revert r1.289 of src/sys/dev/acpi/acpi.c (respect the access size when reading or writing to pci config space). It is locking up suspend or boot on some laptops. -
  • Disable tame(2) with ENOSYS for upcoming release cycle. +
  • Disable tame(2) with ENOSYS for upcoming release cycle.
  • Acquire the kernel lock in pmap_remove(). The reasons for this can't be stated as the committer has been asked to be polite in his commit message.
  • In azalia(4), rework the buffer position reporting code. @@ -143,10 +143,10 @@
  • Add ktracing of structs iovec, msghdr, and cmsghdr for {,p}{read,write}v(), sendmsg(), and recvmsg().
  • In gcc(1), implement support for __builtin_complex() to construct complex values. This is required by the upcoming libm work.
  • In disktab(5) on i386, fix geometry of rdroot entry. -
  • Rather than disabling tame(2) to coredump, leave it enabled but flag that a coredump is happening. This improves behaviour while threaded. +
  • Rather than disabling tame(2) to coredump, leave it enabled but flag that a coredump is happening. This improves behaviour while threaded.
  • On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking.
  • In sshd(8), permit kbind(2) use in the sandbox. -
  • Enforce tame(2) by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set. +
  • Enforce tame(2) by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set.
  • 5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file.
    A source code patch exists for 5.6 and 5.7. These patches remove the RCS support.
  • 5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace.
    A source code patch exists for 5.6 and 5.7.
  • In radiusd(8), make the modules priviledge-separated. @@ -179,13 +179,13 @@
  • Implement quoting support in doas.conf(5).
  • In tail(1), fix a memory leak when -r is used with anything but regular files. -
  • Slam signal handlers harder in tame(2). +
  • Slam signal handlers harder in tame(2).
  • Plug a memory leak in execve(2) with systrace(4).
  • Generate new moduli for ssh.
  • In security(8), don't risk blocking when reading untrusted user files and for additional safety against race attacks, make sure they are regular files.
  • Switch pvbus(4) to fully dynamic autoconf.
  • Add mpw(4) support to ifconfig(8). -
  • In tame(2), always permit kbind (for dynamic linking) and add __thrsigdivert to the SELF list like the other threading calls. +
  • In tame(2), always permit kbind (for dynamic linking) and add __thrsigdivert to the SELF list like the other threading calls.
  • Add a -C option to doas(1) to check config files without running.
  • In acpi(4), respect the access size when reading or writing to pci config space. This fixes battery status passthrough in vmware.
  • Add argument matching support to doas(1). @@ -217,20 +217,20 @@
  • Avoid NULL deref in openssl s_cb (Coverity CID 24956).
  • Don't try to run ECDH if ecdh_checks fails in openssl speed (Coverity CID 72744). -
  • In tame(2), crudely canonicalize paths before taming them. +
  • In tame(2), crudely canonicalize paths before taming them.
  • On octeon, add amdcf(4), a new flash driver that allows access to the internal memory on (at least) D-Link DSR500 machines. -
  • Allow the sched_yield, __thrsleep, __thrwakeup, and __threxit syscalls when using tame(2). This allows threaded programs to work. +
  • Allow the sched_yield, __thrsleep, __thrwakeup, and __threxit syscalls when using tame(2). This allows threaded programs to work.
  • Avoid a possible NULL dereference in openssl(1) s_server (Coverity CID 78873).
  • Add a quirk for Cirrus Logic PD6729: earlier silicon versions of this chip would advertize themselves as multi-function devices while they are not.
  • In syslogd(8), don't accept sockets when syslogd reaches the file descriptor limit. Instead disable the listen event and wait for a second.
  • In openssl(1), avoid dereferencing NULL (Coverity CID 21746). -
  • In tame(2): +
  • In tame(2):
  • In bgpd(8), execute the RDE and session engine process instead of just forking. This way ASLR and stack cookies are per process. -
  • Have tame(2) permit late calls to getpagesize() in programs. +
  • Have tame(2) permit late calls to getpagesize() in programs.
  • In tmux(1), add an option (history-file) for a file to save/restore command prompt history.
  • Plug various memory leaks in libssl.
  • Try to assign a secondary bus number if the BIOS left the CardBus bridge unconfigured. @@ -299,7 +299,7 @@
  • In tcpdump(8), show 11n HTOP primary and secondary channel numbers for 40MHz BSS instead of showing just the primary one and "above" or "below" for secondary.
  • Rename the tps65090 driver to "tpspmic". -
  • Introduce tame(2), a subsystem which restricts programs into a "reduced feature operating model". +
  • Introduce tame(2), a subsystem which restricts programs into a "reduced feature operating model".
  • In libssl, remove the logic responsible for outputting most AES-NI instructions as raw byte sequences.
  • Revert the previous commit in ospfd(8) (properly handle carp interfaces in "backup" mode on start-up), because it breaks on systems without carp.
  • In doas(1), if execvpe fails with ENOENT, print "command not found", like sudo.
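Review bot: in the hunk at @@ -123,7 +123,7 @@, the removed and added "Disable tame(2) with ENOSYS for upcoming release cycle." lines read identically, so the entry's text does not show what this revision changed. If only the markup around tame(2) was touched, say so in the commit message, since every other changed tame(2) entry in this revision has the same property. While the line is open, "for upcoming release cycle" wants an article: "for the upcoming release cycle".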
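Review bot: two context entries in the hunk at @@ -143,10 +143,10 @@ carry wording errors worth fixing in the same pass. The radiusd(8) entry spells "priviledge-separated" where "privilege-separated" is meant, and the mips64 entry names the platform twice ("On mips64, allow coalescing of IPI requests on mips64"). Suggested wording for the latter: "On mips64, allow coalescing of IPI requests, to make IPI sending non-blocking."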
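Review bot: the changed "In tame(2):" entry in the hunk at @@ -217,20 +217,20 @@ ends at the colon and is followed directly by the bgpd(8) entry, so it introduces a list that is not there. Either restore the items it was meant to introduce or drop the entry. A minor point in the same hunk's context: "advertize" in the Cirrus Logic PD6729 entry is normally spelled "advertise".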