Commit message | Author | Age | Files | Lines
* Fix OpenSSL multiple vulnerabilities. [13:03] (releng/9.0) | Xin LI | 2013-04-02 | 107 | -628/+2345
  Fix BIND remote denial of service. [13:04]
  Security: CVE-2013-0166, CVE-2013-0169
  Security: FreeBSD-SA-13:03.openssl
  Security: CVE-2013-2266
  Security: FreeBSD-SA-13:04.bind
  Approved by: so
  Notes: svn path=/releng/9.0/; revision=249029
* Fix Denial of Service vulnerability in named(8) with DNS64. [13:01] | Bjoern A. Zeeb | 2013-02-19 | 4 | -24/+88
  Fix Denial of Service vulnerability in libc's glob(3) functionality. [13:02]
  Security: CVE-2012-5688
  Security: FreeBSD-SA-13:01.bind
  Security: CVE-2010-2632
  Security: FreeBSD-SA-13:02.libc
  Approved by: so (simon, bz)
  Notes: svn path=/releng/9.0/; revision=246989
* Fix multiple Denial of Service vulnerabilities with named(8). | Simon L. B. Nielsen | 2012-11-22 | 8 | -17/+61
  Fix insufficient message length validation for EAP-TLS messages.
  Fix Linux compatibility layer input validation error.
  Security: FreeBSD-SA-12:06.bind
  Security: FreeBSD-SA-12:07.hostapd
  Security: FreeBSD-SA-12:08.linux
  Security: CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576
  Approved by: re
  Approved by: security-officer
  Notes: svn path=/releng/9.0/; revision=243417
* Fix named(8) DNSSEC validation Denial of Service. | Simon L. B. Nielsen | 2012-08-06 | 3 | -3/+7
  Security: FreeBSD-SA-12:05.bind
  Security: CVE-2012-3817
  Obtained from: ISC
  Approved by: so (simon)
  Notes: svn path=/releng/9.0/; revision=239108
* Fix a problem where zero-length RDATA fields can cause named(8) to crash. | Bjoern A. Zeeb | 2012-06-12 | 8 | -25/+76
  [12:03]
  Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04]
  Fix reference count errors in IPv6 code. [EN-12:02]
  Security: CVE-2012-1667
  Security: FreeBSD-SA-12:03.bind
  Security: CVE-2012-0217
  Security: FreeBSD-SA-12:04.sysret
  Security: FreeBSD-EN-12:02.ipv6refcount
  Approved by: so (simon, bz)
  Notes: svn path=/releng/9.0/; revision=236953
* Update the previous openssl fix. [12:01] | Bjoern A. Zeeb | 2012-05-30 | 5 | -11/+16
  Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]
  Security: FreeBSD-SA-12:01.openssl (revised)
  Security: FreeBSD-SA-12:02.crypt
  Approved by: so (bz, simon)
  Notes: svn path=/releng/9.0/; revision=236304
* Fix multiple OpenSSL vulnerabilities. | Bjoern A. Zeeb | 2012-05-03 | 13 | -40/+166
  Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109
  Security: CVE-2012-0884, CVE-2012-2110
  Security: FreeBSD-SA-12:01.openssl
  Approved by: so (bz,simon)
  Notes: svn path=/releng/9.0/; revision=234954
* MFC r229304: | Ken Smith | 2012-01-02 | 1 | -0/+1
  > The portion of r225757 that added the packages-9.0-release directory
  > was supposed to be MFCed closer to the release but that got missed.
  >
  > Pointy hat: kensmith
  Approved by: re (implicit)
  Notes: svn path=/releng/9.0/; revision=229305
* Ready to start the 9.0-RELEASE builds. | Ken Smith | 2012-01-02 | 1 | -1/+1
  Approved by: re (implicit)
  Notes: svn path=/releng/9.0/; revision=229283
* Guess when we'll be ready to announce 9.0-RELEASE. | Ken Smith | 2012-01-02 | 1 | -0/+3
  Approved by: re (implicit)
  Notes: svn path=/releng/9.0/; revision=229282
* Update branch target for 'make update'. | Ken Smith | 2012-01-02 | 1 | -1/+1
  Approved by: re (implicit)
  Notes: svn path=/releng/9.0/; revision=229262
* MFC r229258: | Ken Smith | 2012-01-02 | 1 | -1/+1
  RELENG_9 exists now so updated commented out target branch.
  Approved by: re (implicit)
  Notes: svn path=/releng/9.0/; revision=229261
* MFC r229067 (by obrien): | Bjoern A. Zeeb | 2011-12-31 | 2 | -3/+3
  Happy 2012 and may 9.0-RELEASE be a good one.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=229089
* Clean up release/doc for 9.0R. Content updates will follow in | Hiroki Sato | 2011-12-30 | 250 | -44202/+26
  stable/9.
  Approved by: re (kensmith)
  Notes: svn path=/releng/9.0/; revision=229044
* Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06] | Colin Percival | 2011-12-23 | 12 | -4/+97
  Add an API for alerting internal libc routines to the presence of "unsafe" paths post-chroot, and use it in ftpd. [11:07]
  Fix a buffer overflow in telnetd. [11:08]
  Make pam_ssh ignore unpassphrased keys unless the "nullok" option is specified. [11:09]
  Add sanity checking of service names in pam_start. [11:10]
  Approved by: so (cperciva)
  Approved by: re (bz)
  Security: FreeBSD-SA-11:06.bind
  Security: FreeBSD-SA-11:07.chroot
  Security: FreeBSD-SA-11:08.telnetd
  Security: FreeBSD-SA-11:09.pam_ssh
  Security: FreeBSD-SA-11:10.pam
  Notes: svn path=/releng/9.0/; revision=228843
* Merge r228472. For the sake of POLA for the whole 9.x timeline add | Gleb Smirnoff | 2011-12-19 | 1 | -0/+7
  compatibility support for specifying IPv4 aliases in rc.conf without the "inet" keyword.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228706
* MFC r228457: | Ruslan Ermilov | 2011-12-19 | 1 | -3/+7
  The "inet" keyword in the "ifconfig_IF_aliasN" is mandatory for IPv4 aliases to work since network.subr@197139.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228704
* MFH r228384: validate the service name | Dag-Erling Smørgrav | 2011-12-13 | 1 | -0/+7
  Approved by: re (kib)
  Security: some poorly thought out programs allow the user to specify the service name; this patch makes it harder to trick these programs into loading and executing arbitrary code.
  Notes: svn path=/releng/9.0/; revision=228465
* MFH r228410: check for null passphrases, since openssl doesn't | Dag-Erling Smørgrav | 2011-12-11 | 1 | -7/+18
  Approved by: re (kib)
  Security: prevents users with unencrypted ssh keys (prohibited unless the nullok option is specified) from logging in by providing a bogus non-null passphrase.
  Notes: svn path=/releng/9.0/; revision=228414
* MFC r226649, 226651, 226652, 226653: | Hiroki Sato | 2011-12-03 | 2 | -15/+47
  - Fix an issue that 127/8 is not configured when $ifconfig_DEFAULT is not empty.
  - Add description that IPv6 configuration will be ignored if $ifconfig_IF_ipv6 is empty.
  - Move a configuration example "inet6 accept_rtadv" to just after the manual GUA configuration.
  - Add an example of $ipv6_prefix_IF.
  - Add support for removing addresses added by ipv6_prefix_hostid_addr_up() upon rc.d/netif stop.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228247
* MFC r226446: | Hiroki Sato | 2011-12-03 | 1 | -26/+29
  Fix a problem that an interface unexpectedly becomes IFF_UP by just doing "ifconfig inet6 -ifdisabled" when the interface has ND6_IFF_AUTO_LINKLOCAL flag and no link-local address.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228246
* MFC r228194, MF9 r228240: | Nathan Whitehorn | 2011-12-03 | 1 | -12/+11
  Prevent user astonishment by providing the shell option at the end, after any installer-provided configuration files have been copied. This allows users to edit their fstab, if desired, and to see what the installer has placed in rc.conf.
  Requested by: phk
  Approved by: re (kensmith)
  Notes: svn path=/releng/9.0/; revision=228241
* Ready for 9.0-RC3. | Ken Smith | 2011-12-03 | 1 | -1/+1
  Approved by: re (implicit)
  Notes: svn path=/releng/9.0/; revision=228239
* MFC r228237: | Ken Smith | 2011-12-03 | 1 | -0/+14
  > Add a screen that asks if the user would like to enable crash dumps,
  > giving them a very brief description of the trade-offs. Whether the
  > user opts in or out add an entry to what will become /etc/rc.conf
  > explaining what dumpdev is and how to turn on/off crash dumps. The folks
  > who handle interacting with users submitting PRs have asked for this.
  >
  > Reviewed by: nwhitehorn
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228238
* Upgrade to BIND 9.8.1-P1 to address the following DDOS bug: | Doug Barton | 2011-12-01 | 4 | -18/+21
  Recursive name servers are failing with an assertion:
  INSIST(! dns_rdataset_isassociated(sigrdataset))
  At this time it is not thought that authoritative-only servers are affected, but information about this bug is evolving rapidly.
  Because it may be possible to trigger this bug even on networks that do not allow untrusted users to access the recursive name servers (perhaps via specially crafted e-mail messages, and/or malicious web sites) it is recommended that ALL operators of recursive name servers upgrade immediately.
  For more information see:
  https://www.isc.org/software/bind/advisories/cve-2011-4313
  which will be updated as more information becomes available.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228190
* MFC 227389: Remove some debugging printfs. | John Baldwin | 2011-12-01 | 1 | -5/+1
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228188
* MFhead r228150: | Gleb Smirnoff | 2011-12-01 | 1 | -2/+2
  Return value should be conditional on return value of pfsync_defer_ptr()
  PR: kern/162947
  Submitted by: Matthieu Kraus <matthieu.kraus s2008.tu-chemnitz.de>
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228183
* MFC 228093 | Gabor Kovesdan | 2011-12-01 | 1 | -6/+8
  - Fix behavior of --null to match GNU grep
  MFC 228097
  - Call warnx() instead of errx() if a directory is not readable when using a recursive search. This is the expected behavior instead of aborting.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228180
* MFC r228122: | Doug Barton | 2011-12-01 | 1 | -2/+2
  If using DESTDIR we need to be sure to create a ${DESTDIR}/var/db/zoneinfo
  Approved by: re (kensmith)
  Notes: svn path=/releng/9.0/; revision=228170
* MFC r227482: | Doug Barton | 2011-12-01 | 1 | -6/+12
  The default setting, daily_accounting_compress="NO", was causing only 1 old file to be saved, so fix this.
  While I'm here, fix a very old off-by-one error causing 1 more file than specified in daily_accounting_save to be saved because acct.0 was not taken into account (pun intended).
  Change that, and use a more thorough method of finding old files to delete. Partly just because this is the right thing to do, but also to silently fix the extra log that would have been left behind forever with the previous method.
  Approved by: re (kensmith)
  Notes: svn path=/releng/9.0/; revision=228166
* Adjust branch tag. | Sergey Kandaurov | 2011-11-29 | 1 | -1/+1
  This is a direct commit.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228139
* MFC: r228028 | Marius Strobl | 2011-11-29 | 1 | -5/+6
  - Based on a report on sparc64@ move V245 to the list of known working machines.
  - Mention that V480 with broken centerplanes have a chance of working with the WAR in the upcoming 8.3-RELEASE and 9.0-RELEASE.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228135
* MFC r225757,r225764: | Sergey Kandaurov | 2011-11-29 | 1 | -5/+5
  Update the default cvs tag for RELENG_9 by merging the following revisions:
  r225757 (by kensmith, partial):
  Shift head from 9.0-CURRENT to 10.0-CURRENT in preparation for releasing it from the 9.0-RELEASE release cycle code freeze.
  r225764 (by kensmith):
  Forgot to add "RELENG_8" to list of CVS tags.
  Reported by: Milan Obuch <freebsd-current at dino sk> (cvs tag)
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228131
* MFC: r227666 | Christian Brueffer | 2011-11-29 | 2 | -0/+3
  Add sfxge(4) to the hardware notes.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228129
* MFC: r227960 | Marius Strobl | 2011-11-29 | 1 | -1/+1
  Increase the CDMA sync timeout for Schizo bridges to 15 seconds as used by OpenSolaris. One second turned out to be not enough for certain loads while 10 seconds were sufficient.
  Reported by: Peter Jeremy
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228127
* Merge r228057 from head to releng/9.0: | Robert Watson | 2011-11-28 | 1 | -1/+1
  Change the Makefile in cddl/lib/drti to use bsd.lib.mk instead of bsd.prog.mk -- we need to compile PIC, which requires a library build. With this change, USDT (userspace DTrace probes) work from within shared libraries.
  PR: kern/159046
  Submitted by: Alex Samorukov <samm at os2.kiev.ua>
  Comments by: Scott Lystig Fritchie <slfritchie at snookles.com>
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228107
* Merge r228040 from head to releng/9.0: | Robert Watson | 2011-11-28 | 2 | -1/+3
  Cross-reference capsicum.4 from cap_enter.2 and cap_new.2.
  Sponsored by: Google, Inc.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228106
* Merge r228039 from head to releng/9.0: | Robert Watson | 2011-11-28 | 2 | -0/+121
  Add an introductory Capsicum man page providing a high-level description of its mechanisms, pointing at other pertinent man pages, and cautioning about the experimental status of Capsicum in FreeBSD.
  Sponsored by: Google, Inc.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228105
* Add the sfxge(4) device driver, providing support for 10Gb Ethernet adapters | Philip Paeps | 2011-11-28 | 51 | -0/+38529
  based on Solarflare SFC9000 family controllers. The driver supports jumbo frames, transmit/receive checksum offload, TCP Segmentation Offload (TSO), Large Receive Offload (LRO), VLAN checksum offload, VLAN TSO, and Receive Side Scaling (RSS) using MSI-X interrupts.
  This work was sponsored by Solarflare Communications, Inc.
  My sincere thanks to Ben Hutchings for doing a lot of the hard work!
  Sponsored by: Solarflare Communications, Inc.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228101
* Fast track MFC r228016: | Lawrence Stewart | 2011-11-28 | 1 | -17/+22
  Plug a TCP reassembly UMA zone leak introduced in r226228 by only using the backup stack queue entry when the zone is exhausted, otherwise we leak a zone allocation each time we plug a hole in the reassembly queue.
  Reported by: many on freebsd-stable@ (thread: "TCP Reassembly Issues")
  Tested by: many on freebsd-stable@ (thread: "TCP Reassembly Issues")
  Reviewed by: bz (very brief sanity check)
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228059
* MFhead r227901: | Gleb Smirnoff | 2011-11-28 | 1 | -1/+2
  Fix parsing of redirect_addr argument.
  PR: kern/162739
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228052
* MFC rev. 227283, stable/9 rev. 228043: | Marcel Moolenaar | 2011-11-27 | 1 | -0/+2
  Add check-password.4th and screen.4th to the boot image. They are needed by the loader.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228044
* MFC rev. 227629, stable/9 rev 228041: | Marcel Moolenaar | 2011-11-27 | 1 | -1/+1
  Wire the kernel text RWX, rather than RX. We're not quite ready for having kernel text non-writable, because we still need to apply relocations. On top of that, the PBVM page table has all pages marked as RWX, so it's an inconsistency to begin with.
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=228042
* MFC r228031: | Michael Tuexen | 2011-11-27 | 2 | -7/+6
  Fix a warning reported by arundel@.
  Fix a bug where the parameter length of a supported address types parameter is set to a wrong value if the kernel is built with either INET or INET6, but not both.
  Approved by: re@
  Notes: svn path=/releng/9.0/; revision=228037
* MFC r227952: | Konstantin Belousov | 2011-11-27 | 1 | -1/+14
  Fix a race between getvnode() dereferencing half-constructed file and dupfdopen().
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228035
* MFC r227485: | Konstantin Belousov | 2011-11-27 | 1 | -3/+63
  To limit amount of the kernel memory allocated, and to optimize the iteration over the fdsets, kern_select() limits the length of the fdsets copied in by the last valid file descriptor index. If any bit is set in a mask above the limit, current implementation ignores the filedescriptor, instead of returning EBADF.
  Fix the issue by scanning the tails of fdset before entering the select loop and returning EBADF if any bit above last valid filedescriptor index is set. The performance impact of the additional check is only imposed on the (somewhat) buggy applications that pass bad file descriptors to select(2) or pselect(2).
  PR: kern/155606, kern/162379
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=228034
* MFC 225861: | Warren Block | 2011-11-26 | 1 | -17/+16
  Fix a confusing sentence. Other wording tweaks.
  Approved by: gjb (mentor)
  Approved by: re@ (kostikbel)
  Notes: svn path=/releng/9.0/; revision=227996
* MFC r227661: | Konstantin Belousov | 2011-11-26 | 1 | -0/+2
  Free unused allocation on error.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=227991
* MFC r227660: | Konstantin Belousov | 2011-11-26 | 1 | -0/+1
  Fix fd leak.
  Approved by: re (bz)
  Notes: svn path=/releng/9.0/; revision=227990
* MFC: r227829, r227844 | Marius Strobl | 2011-11-25 | 3 | -4/+5
  - Add a DEVMETHOD_END alias for KOBJMETHOD_END so that along with 'driver_t' and DEVMETHOD() we can fully hide the explicit mention of kobj(9) from device drivers.
  - Update the device driver examples to use DEVMETHOD_END.
  Submitted by: jhb
  Approved by: re (kib)
  Notes: svn path=/releng/9.0/; revision=227977