version 1.8, 2015/09/04 15:59:50 |
version 1.9, 2015/10/12 18:36:15 |
|
|
<li>Add linker warnings in case SSLv3_{,client,server}_method are referenced. |
<li>Add linker warnings in case SSLv3_{,client,server}_method are referenced. |
<li>On macppc, powerpc and socppc, do not save the status register and restore it for machine check exceptions. |
<li>On macppc, powerpc and socppc, do not save the status register and restore it for machine check exceptions. |
<li>Revert r1.289 of src/sys/dev/acpi/acpi.c (respect the access size when reading or writing to pci config space). It is locking up suspend or boot on some laptops. |
<li>Revert r1.289 of src/sys/dev/acpi/acpi.c (respect the access size when reading or writing to pci config space). It is locking up suspend or boot on some laptops. |
<li>Disable <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a> with ENOSYS for upcoming release cycle. |
<li>Disable <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a> with ENOSYS for upcoming release cycle. |
<li>Acquire the kernel lock in pmap_remove(). The reasons for this can't be stated as the committer has been asked to be polite in his commit message. |
<li>Acquire the kernel lock in pmap_remove(). The reasons for this can't be stated as the committer has been asked to be polite in his commit message. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/azalia.4">azalia(4)</a>, rework the buffer position reporting code. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/azalia.4">azalia(4)</a>, rework the buffer position reporting code. |
<!-- 2015-07-28 --> |
<!-- 2015-07-28 --> |
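Review bot: Only the tame(2) link in this hunk moves from OpenBSD-current to OpenBSD-5.8, while the azalia(4) link two entries below still targets OpenBSD-current, so the page now mixes release-pinned and floating man page URLs. Consider pinning the remaining man.cgi links on this changelog to the same release, so every entry keeps pointing at the manual for the behaviour it describes.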
|
|
<li>Add ktracing of structs iovec, msghdr, and cmsghdr for {,p}{read,write}v(), sendmsg(), and recvmsg(). |
<li>Add ktracing of structs iovec, msghdr, and cmsghdr for {,p}{read,write}v(), sendmsg(), and recvmsg(). |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/gcc.1">gcc(1)</a>, implement support for __builtin_complex() to construct complex values. This is required by the upcoming libm work. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/gcc.1">gcc(1)</a>, implement support for __builtin_complex() to construct complex values. This is required by the upcoming libm work. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/disktab.5">disktab(5)</a> on i386, fix geometry of rdroot entry. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/disktab.5">disktab(5)</a> on i386, fix geometry of rdroot entry. |
<li>Rather than disabling <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a> to coredump, leave it enabled but flag that a coredump is happening. This improves behaviour while threaded. |
<li>Rather than disabling <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a> to coredump, leave it enabled but flag that a coredump is happening. This improves behaviour while threaded. |
<li>On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking. |
<li>On mips64, allow coalescing of IPI requests on mips64, to make IPI sending non-blocking. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8">sshd(8)</a>, permit <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/kbind.2">kbind(2)</a> use in the sandbox. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8">sshd(8)</a>, permit <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/kbind.2">kbind(2)</a> use in the sandbox. |
<li>Enforce <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a> by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set. |
<li>Enforce <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a> by disabling all TAME_ flags if tame_fail() is reached, not only if TAME_ABORT is set. |
<li><font color="#e00000">5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file.</font><br>A source code patch exists for <a href="errata56.html#029_patch">5.6</a> and <a href="errata57.html#012_execve">5.7</a>. These patches remove the RCS support. |
<li><font color="#e00000">5.6 and 5.7 SECURITY FIX: the patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file.</font><br>A source code patch exists for <a href="errata56.html#029_patch">5.6</a> and <a href="errata57.html#012_execve">5.7</a>. These patches remove the RCS support. |
<li><font color="#e00000">5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace.</font><br>A source code patch exists for <a href="errata56.html#028_execve">5.6</a> and <a href="errata57.html#011_execve">5.7</a>. |
<li><font color="#e00000">5.6 and 5.7 SECURITY FIX: a kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace.</font><br>A source code patch exists for <a href="errata56.html#028_execve">5.6</a> and <a href="errata57.html#011_execve">5.7</a>. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/radiusd.8">radiusd(8)</a>, make the modules priviledge-separated. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/radiusd.8">radiusd(8)</a>, make the modules priviledge-separated. |
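Review bot: In the patch utility SECURITY FIX entry, the 5.7 link targets errata57.html#012_execve while its 5.6 counterpart targets errata56.html#029_patch, and the execve entry directly below already uses #011_execve. The 012 anchor name looks copied from the execve item and should be checked against errata57.html. Unchanged between the two revisions but worth fixing in the same pass: "priviledge-separated" in the radiusd(8) entry should read "privilege-separated", and the IPI entry says "on mips64" twice.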
|
|
<li>Implement quoting support in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/doas.5">doas.conf(5)</a>. |
<li>Implement quoting support in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/doas.5">doas.conf(5)</a>. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/tail.1">tail(1)</a>, fix a memory leak when -r is used with anything but regular files. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/tail.1">tail(1)</a>, fix a memory leak when -r is used with anything but regular files. |
<!-- 2015-07-21 --> |
<!-- 2015-07-21 --> |
<li>Slam signal handlers harder in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a>. |
<li>Slam signal handlers harder in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a>. |
<li>Plug a memory leak in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/execve.2">execve(2)</a> with <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/systrace.4">systrace(4)</a>. |
<li>Plug a memory leak in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/execve.2">execve(2)</a> with <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/systrace.4">systrace(4)</a>. |
<li>Generate new moduli for ssh. |
<li>Generate new moduli for ssh. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/security.8">security(8)</a>, don't risk blocking when reading untrusted user files and for additional safety against race attacks, make sure they are regular files. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/security.8">security(8)</a>, don't risk blocking when reading untrusted user files and for additional safety against race attacks, make sure they are regular files. |
<li>Switch <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pvbus.4">pvbus(4)</a> to fully dynamic autoconf. |
<li>Switch <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pvbus.4">pvbus(4)</a> to fully dynamic autoconf. |
<li>Add <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/mpw.4">mpw(4)</a> support to <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ifconfig.8">ifconfig(8)</a>. |
<li>Add <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/mpw.4">mpw(4)</a> support to <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ifconfig.8">ifconfig(8)</a>. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a>, always permit kbind (for dynamic linking) and add __thrsigdivert to the SELF list like the other threading calls. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a>, always permit kbind (for dynamic linking) and add __thrsigdivert to the SELF list like the other threading calls. |
<li>Add a -C option to <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1">doas(1)</a> to check config files without running. |
<li>Add a -C option to <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1">doas(1)</a> to check config files without running. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/acpi.4">acpi(4)</a>, respect the access size when reading or writing to pci config space. This fixes battery status passthrough in vmware. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/acpi.4">acpi(4)</a>, respect the access size when reading or writing to pci config space. This fixes battery status passthrough in vmware. |
<li>Add argument matching support to <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1">doas(1)</a>. |
<li>Add argument matching support to <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1">doas(1)</a>. |
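Review bot: The quoting-support entry labels its link doas.conf(5), but the href is man5/doas.5, which does not match the page named in the link text; it should point at man5/doas.conf.5. Both revisions carry the same href, so this change is a convenient place to correct it alongside the tame(2) link updates.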
|
|
<li>Avoid NULL deref in openssl s_cb (Coverity CID 24956). |
<li>Avoid NULL deref in openssl s_cb (Coverity CID 24956). |
<li>Don't try to run ECDH if ecdh_checks fails in openssl speed (Coverity CID 72744). |
<li>Don't try to run ECDH if ecdh_checks fails in openssl speed (Coverity CID 72744). |
</ul> |
</ul> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a>, crudely canonicalize paths before taming them. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a>, crudely canonicalize paths before taming them. |
<li>On octeon, add <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/octeon/amdcf.4">amdcf(4)</a>, a new flash driver that allows access to the internal memory on (at least) D-Link DSR500 machines. |
<li>On octeon, add <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/octeon/amdcf.4">amdcf(4)</a>, a new flash driver that allows access to the internal memory on (at least) D-Link DSR500 machines. |
<li>Allow the sched_yield, __thrsleep, __thrwakeup, and __threxit syscalls when using <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a>. This allows threaded programs to work. |
<li>Allow the sched_yield, __thrsleep, __thrwakeup, and __threxit syscalls when using <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a>. This allows threaded programs to work. |
<li>Avoid a possible NULL dereference in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1">openssl(1)</a> s_server (Coverity CID 78873). |
<li>Avoid a possible NULL dereference in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1">openssl(1)</a> s_server (Coverity CID 78873). |
<li>Add a quirk for Cirrus Logic PD6729: earlier silicon versions of this chip would advertize themselves as multi-function devices while they are not. |
<li>Add a quirk for Cirrus Logic PD6729: earlier silicon versions of this chip would advertize themselves as multi-function devices while they are not. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/syslogd.8">syslogd(8)</a>, don't accept sockets when syslogd reaches the file descriptor limit. Instead disable the listen event and wait for a second. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/syslogd.8">syslogd(8)</a>, don't accept sockets when syslogd reaches the file descriptor limit. Instead disable the listen event and wait for a second. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1">openssl(1)</a>, avoid dereferencing NULL (Coverity CID 21746). |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/openssl.1">openssl(1)</a>, avoid dereferencing NULL (Coverity CID 21746). |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a>: |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a>: |
<ul> |
<ul> |
<li>Don't dereference NULL FILE pointers. |
<li>Don't dereference NULL FILE pointers. |
<li>Don't let any ioctls through with invalid file descriptors. |
<li>Don't let any ioctls through with invalid file descriptors. |
</ul> |
</ul> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bpgd.8">bgpd(8)</a>, execute the RDE and session engine process instead of just forking. This way ASLR and stack cookies are per process. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/bpgd.8">bgpd(8)</a>, execute the RDE and session engine process instead of just forking. This way ASLR and stack cookies are per process. |
<li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a> permit late calls to getpagesize() in programs. |
<li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a> permit late calls to getpagesize() in programs. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/tmux.1">tmux(1)</a>, add an option (history-file) for a file to save/restore command prompt history. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/tmux.1">tmux(1)</a>, add an option (history-file) for a file to save/restore command prompt history. |
<li>Plug various memory leaks in libssl. |
<li>Plug various memory leaks in libssl. |
<li>Try to assign a secondary bus number if the BIOS left the CardBus bridge unconfigured. |
<li>Try to assign a secondary bus number if the BIOS left the CardBus bridge unconfigured. |
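Review bot: The bgpd(8) entry's href is spelled man8/bpgd.8 in both revisions, with two letters transposed, so the link will not resolve to the bgpd manual; change it to man8/bgpd.8. Minor wording in the same hunk: "advertize" in the Cirrus Logic PD6729 entry should be "advertise".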
|
|
</ul> |
</ul> |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/tcpdump.8">tcpdump(8)</a>, show 11n HTOP primary and secondary channel numbers for 40MHz BSS instead of showing just the primary one and "above" or "below" for secondary. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/tcpdump.8">tcpdump(8)</a>, show 11n HTOP primary and secondary channel numbers for 40MHz BSS instead of showing just the primary one and "above" or "below" for secondary. |
<li>Rename the tps65090 driver to "tpspmic". |
<li>Rename the tps65090 driver to "tpspmic". |
<li>Introduce <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/tame.2">tame(2)</a>, a subsystem which restricts programs into a "reduced feature operating model". |
<li>Introduce <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.8/man2/tame.2">tame(2)</a>, a subsystem which restricts programs into a "reduced feature operating model". |
<li>In libssl, remove the logic responsible for outputting most AES-NI instructions as raw byte sequences. |
<li>In libssl, remove the logic responsible for outputting most AES-NI instructions as raw byte sequences. |
<li>Revert the previous commit in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ospfd.8">ospfd(8)</a> (properly handle carp interfaces in "backup" mode on start-up), because it breaks on systems without carp. |
<li>Revert the previous commit in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ospfd.8">ospfd(8)</a> (properly handle carp interfaces in "backup" mode on start-up), because it breaks on systems without carp. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1">doas(1)</a>, if execvpe fails with ENOENT, print "command not found", like sudo. |
<li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1">doas(1)</a>, if execvpe fails with ENOENT, print "command not found", like sudo. |