root/src/trunk/UPDATING

Comparing trunk/UPDATING (file contents):
Revision 2485 by laffer1, Thu Jan 1 22:52:48 2009 UTC vs.
Revision 8465 by laffer1, Sun Sep 18 22:20:09 2016 UTC

# Line 1 | Line 1
1 < Updating Information for MidnightBSD users
1 > Updating Information for MidnightBSD users.
2  
3 < Items affecting the mports and packages system can be found in
4 < /usr/mports/UPDATING.
3 > 20160916:
4 >        The random(4) support for the VIA hardware random number
5 >        generator (`PADLOCK') is no longer enabled unconditionally.
6 >        Add the PADLOCK_RNG option in the custom kernel config if
7 >        needed.  The GENERIC kernels on i386 and amd64 do include the
8 >        option, so the change only affects the custom kernel
9 >        configurations.
10  
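Review bot: The removal at old lines 3-4 drops the pointer to /usr/mports/UPDATING, and nothing in the visible replacement restores it, so readers of this file no longer learn where mports and package changes are recorded; consider keeping that sentence above the first dated entry. In the 20160916 entry that takes its place, the text says to "Add the PADLOCK_RNG option in the custom kernel config" but does not show the literal config line. Spelling it out would help, because a custom kernel built without it stops using the VIA hardware generator for random(4) with no other notice than this entry.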
11 < 20080101:
11 >        A new version of ZFS (pool version 5000) has been merged.
12 >        Starting with this version the old system of ZFS pool versioning
13 >        is superseded by "feature flags". This concept enables forward
14 >        compatibility against certain future changes in functionality of ZFS
15 >        pools. The first two read-only compatible "feature flags" for ZFS
16 >        pools are "com.delphix:async_destroy" and "com.delphix:empty_bpobj".
17 >        For more information read the new zpool-features(7) manual page.
18 >        Please refer to the "ZFS notes" section of this file for information
19 >        on upgrading boot ZFS pools.
20 >
21 > 20160906:
22 >        Add support for the MosChip MCS9904 four serial ports
23 >        controller.
24 >
25 >        Add support for walltimestamp in DTrace.
26 >
27 >        Various gdb improvments.
28 >
29 >        ZFS
30 >        Import the zio nop-write improvement from Illumos. To reduce I/O,
31 >        nop-write omits overwriting data if the checksum (cryptographically
32 >        secure) of new data matches the checksum of existing data.
33 >        It also saves space if snapshots are in use.
34 >
35 >        It currently works only on datasets with enabled compression, disabled
36 >        deduplication and sha256 checksums.
37 >
38 >        Add loader(8) tunable to enable/disable nopwrite functionality:
39 >        vfs.zfs.nopwrite_enabled
40 >
41 >        Introduce a new dataset aclmode setting "restricted" to protect ACL's
42 >        being destroyed or corrupted by a drive-by chmod.
43 >
44 >        New loader-only tunables:
45 >        vfs.zfs.sync_pass_deferred_free
46 >        vfs.zfs.sync_pass_dont_compress
47 >        vfs.zfs.sync_pass_rewrite
48 >
49 >        chkgrp(8) add support for q flag
50 >
51 >        Fix problem with the Samsung 840 PRO series SSD detection.
52 >        The device reports support for SATA Asynchronous Notification in its
53 >        IDENTIFY data, but returns error on attempt to enable that feature.
54 >        Make SATA XPT of CAM only report these errors, but not fail the device.
55 >
56 > 20160905:
57 >        Add a resource limit for the total number of kqueues
58 >        available to the user. Kqueue now saves the ucred of the
59 >        allocating thread, to correctly decrement the counter on close.
60 >        Based on FreeBSD SVN 256849
61 >
62 >        Import netcat from OpenBSD 5.2
63 >
64 > 20160904:
65 >        Introduced experimental TCP sysctls starting with
66 >        net.inet.tcp.experimental.initcwnd10
67 >
68 > 20160814:
69 >        switched default desktop port to midnightbsd-desktop. This gives us flexibility to change it
70 >        in the release after the fact.
71 >
72 >        tzdata 2016a
73 >
74 > 20160811:
75 >        libdispatch 210
76 >
77 >        Added quirks for several models of SSDs to enable advanced format/4k mode. List includes
78 >        Samsung 830, 840, 850 and 750 series, Intel x25 and a few Toshiba models. Also
79 >        added WD Red drives.
80 >
81 >        Updated list of pci device vendors.
82 >
83 >        Updated list of usb devices.
84 >
85 > 20160807:
86 >        Implement several changes to libmport to fix some memory corruption issues.
87 >
88 > 20160806:
89 >        sqlite3 3.13.0
90 >
91 > 20160805:
92 >        Merged fixes for libmport that improve error handling when installing packages. Also
93 >        support mkdir -p like behavior for plist entries.
94 >
95 > 20160531:
96 >        Fix four security issues with MidnightBSD.
97 >
98 >        The implementation of TIOCGSERIAL ioctl(2) does not clear the output
99 >        struct before sending to userland in the linux emulation layer.
100 >
101 >        The compat 43 stat(2) system call exposes kernel stack to userland.
102 >
103 >        libarchive - CVE-2015-2304 and CVE-2013-0211 fix issues with
104 >        cpio directory traversal and an integer signedness error in the archive
105 >        write zip data routine.
106 >
107 >
108 > 20160528:
109 >        Fixed minor issues with mined(1) and msearch(1).
110 >
111 > 20160526:
112 >        Add support for Ivybridge and Haswell Intel CPUs to hwpmc(4).
113 >
114 >        Fix libpmc(3) build with clang compiler.
115 >
116 > 20160519:
117 >        Kernel Security updates
118 >
119 >        atkbd(4) - Incorrect signedness comparison in the ioctl(2) handler allows a malicious
120 >        local user to overwrite a portion of the kernel memory.
121 >
122 >        Incorrect argument handling in sendmsg(2)
123 >
124 >        Incorrect argument handling in the socket code allows malicious local
125 >        user to overwrite large portion of the kernel memory.
126 >
127 > 20160505:
128 >        OpenSSL security patch
129 >
130 >        The padding check in AES-NI CBC MAC was rewritten to be in constant time
131 >        by making sure that always the same bytes are read and compared against
132 >        either the MAC or padding bytes. But it no longer checked that there was
133 >        enough data to have both the MAC and padding bytes. [CVE-2016-2107]
134 >
135 >        An overflow can occur in the EVP_EncodeUpdate() function which is used for
136 >        Base64 encoding of binary data. [CVE-2016-2105]
137 >
138 >        An overflow can occur in the EVP_EncryptUpdate() function, however it is
139 >        believed that there can be no overflows in internal code due to this problem.
140 >        [CVE-2016-2106]
141 >
142 >        When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
143 >        a short invalid encoding can casuse allocation of large amounts of memory
144 >        potentially consuming excessive resources or exhausting memory.
145 >        [CVE-2016-2109]
146 >
147 > 20160412:
148 >        0.8 stable branch created. Continue development as 0.9.
149 >
150 >        Fix several issues with wait6 system call addition.
151 >
152 > 20160409:
153 >        libmport now supports two new plist formats:
154 >        @(root,wheel,4775) myfile
155 >        @dir(root,wheel,775) mydir
156 >
157 >        On delete, absoluate paths are now handled properly.
158 >
159 > 20160317:
160 >        OpenSSH doesn't have the luck of the Irish.
161 >
162 >        Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
163 >        run shell commands on the call to xauth.
164 >
165 >        Incorrect argument validation in sysarch(2)
166 >
167 >        A special combination of sysarch(2) arguments, specify a request to
168 >        uninstall a set of descriptors from the LDT.  The start descriptor
169 >        is cleared and the number of descriptors are provided.  Due to invalid
170 >        use of a signed intermediate value in the bounds checking during argument
171 >        validity verification, unbound zero'ing of the process LDT and adjacent
172 >        memory can be initiated from usermode.
173 >
174 >        Patch obtained from FreeBSD.
175 >
176 > 20160229:
177 >        top now displays information on ZFS arc cache.
178 >
179 > 20160228:
180 >        llvm + clang 3.3 is now the default compiler in MidnightBSD.
181 >
182 > 20160222:
183 >        Introduce pipe2 to linux emulation layer.
184 >
185 > 20160114:
186 >        OpenSSL
187 >
188 >        The signature verification routines will crash with a NULL pointer dereference
189 >        if presented with an ASN.1 signature using the RSA PSS algorithm and absent
190 >        mask generation function parameter. [CVE-2015-3194]
191 >
192 >        When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak
193 >        memory. [CVE-2015-3195]
194 >
195 >        If PSK identity hints are received by a multi-threaded client then the values
196 >        are incorrectly updated in the parent SSL_CTX structure.  [CVE-2015-3196]
197 >
198 >        Fix security on bsnmpd configuration file during installation.
199 >
200 >        TCP MD5 signature denial of service
201 >
202 >        A programming error in processing a TCP connection with both TCP_MD5SIG
203 >        and TCP_NOOPT socket options may lead to kernel crash.
204 >
205 >        SCTP
206 >
207 >        A lack of proper input checks in the ICMPv6 processing in the SCTP stack
208 >        can lead to either a failed kernel assertion or to a NULL pointer
209 >        dereference.  In either case, a kernel panic will follow.
210 >
211 > 20160102:
212 >        Happy New Year
213 >
214 > 20151101:
215 >        Increase kern.ipc.somaxconn default to 256.
216 >
217 > 20151017:
218 >        Add initial statistics api to libmport and a driver to print
219 >        it in mport(1).
220 >
221 > 20151002:
222 >        Revised rpcbind(8) patch to fix issues with NIS
223 >
224 > 20150930:
225 >        In rpcbind(8), netbuf structures are copied directly, which would result in
226 >        two netbuf structures that reference to one shared address buffer.  When one
227 >        of the two netbuf structures is freed, access to the other netbuf structure
228 >        would result in an undefined result that may crash the rpcbind(8) daemon.
229 >
230 > 20150926:
231 >        libmport now supports @preexec, @postexec, @preunexec and @postunexec
232 >        to replace @exec and @unexec.  
233 >
234 >        pre exec runs afer pre-install scripts but before actual installation
235 >
236 >        post exec runs after install but before post install scripts and
237 >        pkg message.
238 >
239 >        pre unexec runs before pre uninstall scripts
240 >
241 >        post unexec runs before de-install scripts and after file removal.
242 >
243 > 20150917:
244 >        Fix kqueue write events for files > 2GB
245 >
246 > 20150825:
247 >        kernel:
248 >        fix a security issue on amd64 where the GS segment CPU register can be changed via
249 >        userland value in kernel mode by using an IRET with #SS or #NP exceptions.
250 >
251 >        openssh:
252 >        A programming error in the privileged monitor process of the sshd(8)
253 >        service may allow the username of an already-authenticated user to be
254 >        overwritten by the unprivileged child process.
255 >
256 >        A use-after-free error in the privileged monitor process of he sshd(8)
257 >        service may be deterministically triggered by the actions of a
258 >        compromised unprivileged child process.
259 >
260 >        A use-after-free error in the session multiplexing code in the sshd(8)
261 >        service may result in unintended termination of the connection.
262 >
263 > 20150818:
264 >        expat security fix
265 >
266 > 20150815:
267 >        libc changes:
268 >        setmode(3) now returns errno consistently on error.
269 >        libc will compile without error using clang
270 >
271 > 20150814:
272 >        wait6 system call added.
273 >
274 >        date(1) now handles non numeric numbers passed to -r
275 >        like GNU coreutils for improved compatibility.
276 >
277 > 20150811:
278 >        ata(4) AMD Hudson2 SATA controller support.
279 >        Intel lynxpoint SATA.
280 >
281 >        Fix some const warnings when building several device drivers
282 >        with llvm/clang.
283 >
284 >        Sync cas(4) with FreeBSD 9-stable.
285 >
286 >        Fix some minor issues with ath(4).
287 >
288 > 20150809:
289 >        xz 5.0.8
290 >
291 > 20150808:
292 >        libmport now logs installation and removal of packages to syslog.
293 >
294 > 20150805:
295 >        routed - fix a potential security issue where traffic from outside
296 >        the network can disrupt routing.
297 >
298 >        bsd patch - fix a bug with ed(1) scripts allowing unsanitized input
299 >        to run.
300 >
301 > 20150802:
302 >        jansson 2.7 library added. (libjansson is a JSON library in C)
303 >
304 > 20150728:
305 >        Heimdal 1.5.2 (kerberos implementation)
306 >
307 >        OpenSSL 1.0.1o
308 >
309 >        cpucontrol(8) now supports VIA CPUs. Synced with FreeBSD 9.2.
310 >
311 >        TCP Resassemly resource exhaustion bug:
312 >        There is a mistake with the introduction of VNET, which converted the
313 >        global limit on the number of segments that could belong to reassembly
314 >        queues into a per-VNET limit.  Because mbufs are allocated from a
315 >        global pool, in the presence of a sufficient number of VNETs, the
316 >        total number of mbufs attached to reassembly queues can grow to the
317 >        total number of mbufs in the system, at which point all network
318 >        traffic would cease.
319 >        Obtained from: FreeBSD 8
320 >
321 >        OpenSSH
322 >
323 >        Fix two security vulnerabilities:
324 >        OpenSSH clients does not correctly verify DNS SSHFP records when a server
325 >        offers a certificate. [CVE-2014-2653]
326 >
327 >        OpenSSH servers which are configured to allow password authentication
328 >        using PAM (default) would allow many password attempts. A bug allows
329 >        MaxAuthTries to be bypassed. [CVE-2015-5600]
330 >
331 >
332 >        Switch to bsdpatch (from FreeBSD & OpenBSD)
333 >
334 > 20150726:
335 >        BSD Sort updated
336 >
337 >        sqlite 3.8.10.2
338 >
339 > 20150725:
340 >        Import reallocarray from OpenBSD's libc.  
341 >
342 >        The reallocarray() function is similar to realloc() except it operates on
343 >        nmemb members of size size and checks for integer overflow in the
344 >        calculation nmemb * size.
345 >
346 > 20150722:
347 >        Fix a bug where TCP connections transitioning to LAST_ACK
348 >        state can get stuck. This can result in a denial of service.
349 >
350 > 20150715:
351 >        libmport now supports @shell and @sample in plists. This means that
352 >        a shell port can automatically add an entry to /etc/shells and remove
353 >        it upon uninstallation. For sample files, a copy is made without the
354 >        .sample extension if one does not exist and it is removed automatically
355 >        only if the md5 hash of the two files is the same.
356 >
357 > 20150709:
358 >        flex 2.5.39
359 >
360 > 20150702:
361 >        ZFS in MidnightBSD now supports lz4 compression. You can enable it
362 >        with zfs set compression=lz4 pool/path.
363 >
364 >        Verify it's working with
365 >        zfs get compressratio pool/path
366 >        du -h -s *
367 >
368 >        Note you must write new data when turning on compression to see
369 >        changes. Existing files are not compressed.
370 >
371 >        Note: While we used the same basic implementation of lz4 that
372 >        FreeBSD and OpenZFS uses, we did not yet implement features support
373 >        and the zfs version still reports 28. This may come in a future update
374 >        to ZFS.
375 >
376 > 20150621:
377 >        libmport now automatically stops services when deleting packages.
378 >
379 >        The package must have installed an rc.d script in /usr/local/etc
380 >        for this to work. This is equivalent to running service <name> onestop
381 >
382 > 20150618:
383 >        Sendmail
384 >
385 >        With the recent changes to OpenSSL to block 512 bit certificates,
386 >        sendmail can't connect with TLS to some servers.
387 >
388 >        Increase the default size to 1024 bit for client connections to
389 >        match the server configuration.
390 >
391 >        ZFS
392 >
393 >        Added ZFS TRIM support which is enabled by default. To disable
394 >        ZFS TRIM support set vfs.zfs.trim.enabled=0 in loader.conf.
395 >
396 >        Creating new ZFS pools and adding new devices to existing pools
397 >        first performs a full device level TRIM which can take a significant
398 >        amount of time. The sysctl vfs.zfs.vdev.trim_on_init can be set to 0
399 >        to disable this behaviour.
400 >
401 >        ZFS TRIM requires the underlying device support BIO_DELETE which
402 >        is currently provided by methods such as ATA TRIM and SCSI UNMAP
403 >        via CAM, which are typically supported by SSD's.
404 >
405 >        Stats for ZFS TRIM can be monitored by looking at the sysctl's
406 >        under kstat.zfs.misc.zio_trim.
407 >
408 >        rc.d
409 >
410 >        Reworked handling of cleanvar and FILESYSTEMS so that FILESYSTEMS
411 >        implies everything is mounted and ready to go.
412 >
413 >        Changed how ip6addressctl maps IPv6 on startup.
414 >
415 > 20150613:
416 >        tzdata 2015d
417 >
418 > 20150612:
419 >        OpenSSL 0.9.8zg
420 >
421 > 20150419:
422 >        MidnightBSD 0.6 stable branch created. Continue 0.7
423 >        development.
424 >
425 > 20150418:
426 >        sqlite 3.8.9
427 >
428 > 20150407:
429 >        Fix two security vulnerabilities:
430 >
431 >        The previous fix for IGMP had an overflow issue. This has been corrected.
432 >
433 >        ipv6: The Neighbor Discover Protocol allows a local router to advertise a
434 >        suggested Current Hop Limit value of a link, which will replace
435 >        Current Hop Limit on an interface connected to the link on the MidnightBSD
436 >        system.
437 >
438 > 20150319:
439 >        OpenSSL 0.9.8.zf
440 >
441 >        mksh R50e
442 >
443 >        Apple mDNSResponder 561.1.1
444 >
445 > 20150306:
446 >        Upgrade OpenSSL to 0.9.8ze
447 >
448 > 20150225:
449 >        Fix two security vulnerabilities.
450 >
451 >        1. BIND servers which are configured to perform DNSSEC validation and which
452 >        are using managed keys (which occurs implicitly when using
453 >        "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
454 >        unpredictable behavior due to the use of an improperly initialized
455 >        variable.
456 >
457 >        CVE-2015-1349
458 >
459 >        2. An integer overflow in computing the size of IGMPv3 data buffer can result
460 >        in a buffer which is too small for the requested operation.
461 >
462 >        This can result in a DOS attack.
463 >
464 > 20141211:
465 >        Fix a security issue with file and libmagic that can allow
466 >        an attacker to create a denial of service attack on any
467 >        program that uses libmagic.
468 >
469 > 20141109:
470 >        Fix building perl during buildworld when the GDBM port is installed.
471 >
472 > 20141106:
473 >        tzdata 2014i
474 >
475 > 20141102:
476 >        serf 1.3.8
477 >
478 > 20141031:
479 >        tnftp 20141031 fixes a security vulnerability with tnftp,
480 >        CVE-2014-8517.
481 >
482 > 20141028:
483 >        OpenSSL 0.9.8zc
484 >
485 > 20141021:
486 >        Fix several security vulnerabilities in routed, rtsold,
487 >        and namei with respect to Capsicum sandboxes looking up
488 >        nonexistent path names and leaking memory.
489 >
490 >        The input path in routed(8) will accept queries from any source and
491 >        attempt to answer them.  However, the output path assumes that the
492 >        destination address for the response is on a directly connected
493 >        network.
494 >
495 >        Due to a missing length check in the code that handles DNS parameters,
496 >        a malformed router advertisement message can result in a stack buffer
497 >        overflow in rtsold(8).
498 >
499 > 20141011:
500 >        mksh R50d - fix field splitting regression and null
501 >        pointer dereference
502 >
503 >        xz 5.0.7
504 >
505 >        OpenSSH 6.6p1
506 >
507 > 20141004:
508 >        mksh R50c - security update for environment var bug with
509 >        foo vs foo+    
510 >
511 > 20141002:
512 >        sqlite 3.8.6
513 >
514 >        sudo 1.7.8 - some issues with the current version, but we're slowly
515 >        getting up to date.
516 >
517 > 20141001:
518 >        mksh R50b
519 >
520 >        libmport now supports plist commands @dir, @owner, @group, @mode.
521 >
522 >        sudo 1.7.6p2
523 >
524 > 20140916:
525 >        Fix a security issue with TCP SYN.
526 >
527 >        When a segment with the SYN flag for an already existing connection arrives,
528 >        the TCP stack tears down the connection, bypassing a check that the
529 >        sequence number in the segment is in the expected window.
530 >
531 > 20140909:
532 >        Fixed a bug with our clearenv(3) implementation that caused segfaults
533 >        with some programs including Dovecot.
534 >
535 >        OpenSSL security patch:
536 >
537 >        The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
538 >        to consume large amounts of memory. [CVE-2014-3506]
539 >
540 >        The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
541 >        memory. [CVE-2014-3507]
542 >
543 >        A flaw in OBJ_obj2txt may cause pretty printing functions such as
544 >        X509_name_oneline, X509_name_print_ex et al. to leak some information from
545 >        the stack. [CVE-2014-3508]
546 >
547 >        OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
548 >        a denial of service attack. [CVE-2014-3510]
549 >
550 > 20140902:
551 >        We're now 0.6-CURRENT
552 >
553 >        Update USB quirks to support K70 Corsair keyboard, and several
554 >        other devices.
555 >
556 > 20140827:
557 >        Perl 5.18.2
558 >
559 > 20140728:
560 >        Jails now run shutdown scripts.
561 >
562 > 20140710:
563 >        Fix a vulnerability in the control message API. A buffer is not properly cleared
564 >        before sharing with userland.
565 >
566 > 20140701:
567 >        MKSH R50
568 >
569 > 20140630:
570 >        File 5.19
571 >
572 > 20140605:
573 >        Fix four security issues with OpenSSL
574 >
575 > 20140604:
576 >        Sendmail failed to properly set close-on-exec for open file descriptors.
577 >
578 >        ktrace page fault kernel trace entries were set to an incorrect size which resulted
579 >        in a leak of information.
580 >
581 > 20140430:
582 >        Fix a TCP reassembly bug that could result in a DOS attack
583 >        of the system. It may be possible to obtain portions
584 >        of kernel memory as well.
585 >
586 > 20140411:
587 >        Update zlib to 1.2.7
588 >
589 > 20140122:
590 >        Support for username with length 32. Previous limit was 16
591 >
592 > 20140114:
593 >        Fix two security vulnerabilities.
594 >
595 >        bsnmpd contains a stack overflow when sent certain queries.
596 >
597 >        bind 9.8 when using NSEC3-signed zones zones, will crash with special
598 >        crafted packets.
599 >
600 > 20131228:
601 >        Imported FreeBSD 9.2 usb stack (plus z87 patches from stable)
602 >
603 >        Updated em(4), igb(4) and ixgbe(4)
604 >
605 >        MidnightBSD now works with Z87 Intel chipsets.
606 >
607 > 20131207:
608 >        Remove sparc64 architecture. It hasn't been working for awhile
609 >        and it's not useful for desktops anymore.
610 >
611 > 20131205:
612 >        OpenSSH 6.4p1
613 >
614 > 20131203:
615 >        Perl 5.18.1 imported.
616 >
617 >        Update less to v458
618 >
619 > 20131130:
620 >        Remove named from base. We still include the client utilities for
621 >        now until replacements can be found.
622 >
623 > 20131004:
624 >        rarpd supports vlan(4) and has a pid flag. (from FreeBSD)
625 >
626 > 20130917:
627 >        Support for 65,536 routing tables was added.  A new fib specific
628 >        field has been added to mbuf.  This is an increase from 16.
629 >
630 > 20130910:
631 >        Security updates: (kern.osreldate 5001)
632 >
633 >        nullfs(5)
634 >
635 >        The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not
636 >        check whether the source and target of the link are both in the same
637 >        nullfs instance.  It is therefore possible to create a hardlink from a
638 >        location in one nullfs instance to a file in another, as long as the
639 >        underlying (source) filesystem is the same.
640 >
641 >        ifioctl
642 >
643 >        As is commonly the case, the IPv6 and ATM network layer ioctl request
644 >        handlers are written in such a way that an unrecognized request is
645 >        passed on unmodified to the link layer, which will either handle it or
646 >        return an error code.
647 >
648 >        Network interface drivers, however, assume that the SIOCSIFADDR,
649 >        SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been
650 >        handled at the network layer, and therefore do not perform input
651 >        validation or verify the caller's credentials.  Typical link-layer
652 >        actions for these requests may include marking the interface as "up"
653 >        and resetting the underlying hardware.
654 >
655 > 20130824:
656 >        Fix a bug in sendmail 8.14.7 that interferes with how it
657 >        handles AAAA records interoperating with Microsoft DNS servers.
658 >        FreeBSD has already reported this to Sendmail and a fix
659 >        will be included in the next release.
660 >
661 >        Subversion 1.8.1 is now in the base system as a static
662 >        binary.  It has limited functionality, but can be used to
663 >        checkout/commit code.  It is named svnlite.
664 >
665 > 20130822:
666 >        Fix two security vulnerabilities.
667 >
668 >        Fix an integer overflow in IP_MSFILTER (IP MULTICAST).
669 >        This could be exploited to read memory by a user process.
670 >
671 >        When initializing the SCTP state cookie being sent in INIT-ACK chunks,
672 >        a buffer allocated from the kernel stack is not completely initialized.
673 >
674 >        Import xz 5.0.4
675 >
676 >        Import sqlite 3.7.17
677 >
678 >        Import BIND 9.8.5-P2
679 >
680 > 20130814:
681 >        mksh R48 imported.
682 >
683 >        Sendmail 8.14.7 imported.
684 >
685 > 20130717:
686 >        libmport bug was fixed causing hash verification to fail.
687 >
688 >        virtio(4) imported from FreeBSD 9-stable. SCSI support not
689 >        included.
690 >
691 > 20130612:
692 >        RELENG_0_4 created for 0.4. Development continues on 0.5.
693 >
694 > 20130402:
695 >        Update BIND and OpenSSL to resolve security advisories.
696 >
697 > 20130305:
698 >        MKSH R44 imported.
699 >
700 > 20130213:
701 >        MKSH R42b imported
702 >
703 > 20130211:
704 >        MKSH R42 imported
705 >
706 > 20130125:
707 >        MKSH R41 imported
708 >
709 > 20130122:
710 >        OpenSSH 5.8p2 imported
711 >
712 >        SQLite 3.7.15.2 imported
713 >
714 >        Fixed a longstanding bug in libmport extrating new index files.
715 >
716 > 20120710:
717 >        BSD licensed sort imported from FreeBSD-CURRENT
718 >
719 >        For now, GNU sort is installed as gnusort, but it will
720 >        go away in time.
721 >
722 > 20120708:
723 >        tcsh 6.18.01 imported.
724 >
725 >        NetBSD's iconv imported.
726 >
727 >        libc gains strnlen(3), memrchr(3), stpncpy(3).
728 >
729 > 20120612:
730 >        BIND security update related to CVE-2012-1667.
731 >
732 >        Zero length resource records can cause BIND to crash resulting
733 >        in a DOS attack or information disclosure.
734 >
735 > 20120407:
736 >        mksh R40f (fixes regression)
737 >
738 > 20120328:
739 >        mksh R40e
740 >
741 >        Perl 5.14.2
742 >
743 > 20120229:
744 >        cpucontrol(8) and cpuctl(4) added from FreeBSD 7-stable.
745 >
746 > 20120209:
747 >        mDNSResponder 333.10 imported
748 >
749 > 20111227:
750 >        import raid5 module for GEOM, graid5(8)
751 >
752 >        This is experimental and known to use a lot of kernel
753 >        memory.
754 >
755 > 20111223:
756 >        telnetd: fix a root exploit from a fixed buffer that was not checked
757 >
758 >        pam: don't allow escape from policy path.  Exploitable in KDE, etc.
759 >
760 >        Fix pam_ssh module:
761 >
762 >        If the pam_ssh module is enabled, attackers may be able to gain access
763 >        to user accounts which have unencrypted SSH private keys.
764 >
765 >        This has to due with the way that openssl works.  It ignores unencrpted data.
766 >
767 >        Fix security issue with chroot and ftpd.
768 >
769 >        nsdispatch(3) doesn't know it's working in a chroot and some
770 >        operations can cause files to get reloaded causing a security
771 >        hole in things like ftpd.
772 >
773 > 20111217:
774 >        libdialog/dialog upgraded to an lgpl version. As it's not
775 >        backwardly compatable, include the old libdialog as libodialog
776 >
777 > 20111212:
778 >        mksh r40d imported
779 >
780 > 20111210:
781 >        re(4) and rl(4) updated to support new chips.
782 >
783 >        GEOM synced with FreeBSD 7-stable.
784 >
785 >        MidnightBSD GPT partition types created in sys/gpt.h and
786 >        setup in boot loader and GEOM.
787 >
788 >        amdsbwd(4) (amd watchdog for south bridge) updated to support
789 >        8xx series chipset.
790 >
791 > 20111207:
792 >        import bsd grep from FreeBSD/OpenBSD.
793 >
794 >        MK_BSD_GREP controls which grep is installed
795 >        as grep with the other as bsdgrep or gnugrep.
796 >
797 > 20111122:
798 >        mksh vR40c imported.
799 >
800 > 20111117:
801 >        BIND 9.6 ESV R5 P1
802 >
803 > 20111107:
804 >        tzdata 2011n
805 >
806 > 20111026:
807 >        mDNSResponder v320
808 >
809 >        BIND 9.6 ESV R5
810 >
811 > 20111022:
812 >        cflow 0.0.6 imported
813 >
814 > 20111020:
815 >        less v436 imported
816 >
817 >        amdsbwd(4) AMD southbridge watchdog
818 >
819 > 20111019:
820 >        awk 20110810 imported
821 >
822 >        et(4) Agere Gigabit Ethernet/Fast Ethernet driver added, but
823 >        not included in GENERIC kernel.  The kernel module needs
824 >        testing before we can include it in GENERIC.
825 >
826 >        intr_bind code ported to allow an IRQ to be bound to one
827 >        specific CPU core.
828 >
829 > 20111017:
830 >        Time Zone Data v. 2011l (Released 10 October 2011)
831 >
832 >        Updated list of countries (iso3166) to work with new timezone data.
833 >
834 > 20111015:
835 >        Introduce CPU Affinity in MidnightBSD. cpuset(1) can be used
836 >        to control which core or group of cores can be used for a given
837 >        process. Several new system calls were added to support this
838 >        functionality in the running kernel and for 32bit binary
839 >        compatibility on amd64.
840 >
841 >        The scheduler default has been changed to ULE in i386 and
842 >        amd64.  Changes were made to both schedulers (4BSD AND ULE)
843 >        for this feature.
844 >
845 >        This work is based on Jeff Roberson's FreeBSD 7.1 patches.
846 >
847 > 20111004:
848 >        Fix a problem with unix socket handling caused by the recent
849 >        patch to unix socket path handling. This allows network
850 >        apps to work under the linuxolator again.
851 >
852 > 20111001:
853 >        Import libfetch & fetch(1) from FreeBSD 9. Passive FTP is
854 >        now default and an environment variable must be set to use
855 >        active.
856 >
857 > 20110930:
858 >        Introduce quirks handling for several umass devices including
859 >        USB cameras.  Add workaround for Cyberpower UPS devices.
860 >
861 >        Bring in further bug fixes from FreeBSD and NetBSD for alc(4).
862 >        Stale ip/tcp header pointers are no longer used, lockups fixed
863 >        when network cable is unplugged on bootup, enable TX checksum
864 >        offloading.
865 >
866 >        Add a new man page for gcache(8), a useful geom class when
867 >        working with large raid3 sets.
868 >
869 >        Restore previous workaround for Cypress pata storage controller.
870 >
871 > 20110929:
872 >        Sync ath(4) with FreeBSD 7.3.
873 >
874 >        The following modules are no longer available, and should be
875 >        removed from loader.conf:
876 >        ath_hal ath_rate_amrr ath_rate_onoe ath_rate_sample
877 >
878 >        alc(4) would hibernate when a cable was unplugged and often
879 >        required bring the interface down and up to "wake up" so that
880 >        a connection could be established.  Disable hibernation.
881 >
882 > 20110928:
883 >        Fix security issues with gzip and compress related to .Z
884 >        files that are corrupted.
885 >
886 >        Fix path validation with unix domain sockets.
887 >
888 > 20110917:
889 >        Remove dependance on mports perl for generating releases as
890 >        it's in the base system.
891 >
892 > 20110914:
893 >        Import xz 5.0.3 with liblzma 5.0.3
894 >
895 > 20110813:
896 >        synced the sparc64 GENERIC kernel configuration with amd64.
897 >
898 > 20110806:
899 >        sqlite 3.7.7.1 imported
900 >
901 >        msearch(1), libmsearch and msearch.import added.  msearch(1) provides
902 >        a full text search command line tool.  libmsearch can also be used
903 >        to build a graphical based search in the future. You can enable
904 >        index building for msearch in periodic.conf or manually run the
905 >        /usr/libexec/msearch.index tool.  Full text indexes take considerable
906 >        space in /var.  I'm using approximately 500MB currently.
907 >
908 >        Fix a long standing bug with the periodic script to check package
909 >        versions.  This will be obsolete with mport though.
910 >
911 > 20110710:
912 >        kdb_enter_why added to MidnightBSD to allow the kernel debugger to
913 >        know why it's in use and thus script can be run.
914 >
915 >        Yet another problem with the perl manifest was fixed
916 >
917 > 20110709:
918 >        cpufreq(1) is a new utility to monitor CPU frequency which may change
919 >        with use of powerd(8) and cpufreq(4).
920 >
921 > 20110612:
922 >        Update mksh to R40
923 >
924 >        Catch up ObsoleteFiles.inc to remove Perl 5.10.x.  Good to run when
925 >        updating current (cd /usr/src && make check-old)
926 >
927 > 20110528:
928 >        Fix CVE-2011-1910 in BIND 9.6.x.  This affects caching resolvers.
929 >
930 > 20110526:
931 >        newfs:
932 >        Raised the default blocksize for UFS/FFS filesystems from
933 >        16K to 32K and the default fragment size from 2K to 4K.
934 >
935 >        This should slightly imporve performance on "advanced format"
936 >        hard drives such as the WD EARS drives. Drives of this type
937 >        have emulation modes that slow down with lower sizes.  Of course
938 >        the drive must still be aligned properly when using fdisk.
939 >
940 > 20110521:
941 >        mport tool now has a deleteall command.  This can be used to remove
942 >        all packages from a system.
943 >
944 >        A few bugs with the perl 5.14 import have been fixed.
945 >
946 > 20110518:
947 >        Perl 5.14.0
948 >
949 > 20110517:
950 >        Sendmail 8.14.5
951 >
952 > 20110314:
953 >        DRM/DRI code updated to support newer video cards. (FreeBSD 7.1)
954 >
955 >        cdevpriv wrappers added
956 >
957 >        nss_mdns hack introduced to work around linking problem.
958 >
959 >        dnsextd fixed after update to mDNSResponder code.
960 >
961 > 20110308:
962 >        Introduce liblzma & xz 5.0.1 to the base system
963 >
964 >        Patch for OpenSSL security issue CVE-2011-0014.
965 >
966 >        "OSREVISION 4004"
967 >
968 >        nsswitch module for multicast dns (nss_mdns) added.
969 >
970 >        tzdata2011c
971 >
972 > 20110220:
973 >        cam(4) syncronized with FreeBSD 7.3.
974 >
975 > 20110219:
976 >        amdtemp(4) updated to support sensors framework.
977 >
978 > 20110217:
979 >        Perl 5.10.1 imported
980 >
981 > 20110216:
982 >        Introduce igb(4) and split Intel Gigabit Ethernet adapters between
983 >        igb(4) and em(4).  Newer devices use igb(4).  The code has moved
984 >        to sys/dev/e1000 for both devices in the kernel. igb(4) has
985 >        been placed in GENERIC on i386 and amd64.
986 >
987 >        Update bfe(4) to support newer devices and WOL.
988 >
989 > 20110215:
990 >        age(4) added.
991 >
992 > 20110208:
993 >        BIND 9.6.3 which fixes a bug with DNSSEC records getting added.
994 >
995 > 20110206:
996 >        eeemon(4) added to monitor Asus Eee PC.
997 >
998 > 20110205:
999 >        OpenSSH 5.7p1
1000 >
1001 >        GNU sort 6.9 (coreutils)
1002 >
1003 > 20110203:
1004 >        one true awk 20100523 imported
1005 >
1006 >        sqlite 3.7.5
1007 >
1008 >        OpenSSL 0.9.8q
1009 >
1010 > 20110202:
1011 >        tcsh 6.17.00
1012 >
1013 >        file 5.05
1014 >
1015 > 20110122:
1016 >        Import it(4) and lm(4), with support for Super I/O hardware monitors. This
1017 >        uses the sensors framework ported by Constantine A. Murenin (GSOC2007)
1018 >
1019 > 20110120:
1020 >        BIND 9.6.2-P3
1021 >
1022 >        sudo 1.7.4-p6
1023 >
1024 > 20110115:
1025 >        Add experimental jme(4) for Jmicron ethernet devices.
1026 >
1027 > 20101130:
1028 >        A double free exists in the SSL client ECDH handling code, when
1029 >        processing specially crafted public keys with invalid prime
1030 >        numbers. [CVE-2010-2939]
1031 >
1032 > 20101120:
1033 >        Several portions of the kernel and userland code related to UFS file
1034 >        systems (and UFS2) cannot properly handle inode counts above 2^31 due
1035 >        to use of int types.  Based on a patch from FreeBSD, I've modified
1036 >        our UFS2 implementation to handle unsigned values for inode counts
1037 >        which should allow for file systems greater than 16TB.
1038 >
1039 >        newfs and growfs was also modified.
1040 >
1041 > 20101110:
1042 >        Fix a security issue with pseudofs which could result in running code in kernel
1043 >        context or a kernel panic depending on system configuration.  This affects file
1044 >        systems such as procfs for instance.
1045 >
1046 > 20101021:
1047 >        sysrc is a utility to print and modify name/value pairs in /etc/rc.conf easily.
1048 >        This is similar to functions present in many linux distros. The utility was
1049 >        written by Devin Teske for FreeBSD.
1050 >
1051 > 20100920:
1052 >        bzip2 security patch for integer overflow.
1053 >
1054 > 20100905:
1055 >        MidnightBSD RELENG_0_3 branch created.  Aggressive development continues here
1056 >        for 0.4.
1057 >
1058 > 20100902:
1059 >        Fix a security issue with libutil that allows users to bypass cpu limits in
1060 >        login.conf in some cases.  This combined with OpenSSH for example can allow
1061 >        the user to get more resources than they're allowed.
1062 >
1063 > 20100822:
1064 >        Import Apple's mDNSResponder (mdnsd).
1065 >
1066 > 20100814:
1067 >        libdispatch added to MidnightBSD.  This provides functionality found in
1068 >        Mac OS X's GCD.  We do not have blocks support yet.  As this code is
1069 >        licensed under Apache 2, we create a new MK_APACHE option so that
1070 >        it's not required for all users to run code under a license they
1071 >        may not like.
1072 >
1073 > 20100713:
1074 >        mbuf readonly fix related to sendfile(2) data corruption.
1075 >
1076 > 20100704:
1077 >        brainfuck(1) imported from MirBSD.
1078 >
1079 > 20100505:
1080 >        zlib 1.2.5
1081 >
1082 > 20100430:
1083 >        Sudo 1.7.2p6 imported
1084 >
1085 > 20100321:
1086 >        Update zlib to 1.2.4
1087 >
1088 > 20100319:
1089 >        Removed i586 from default i386 generic kernel.
1090 >
1091 > 20100317:
1092 >        Update to tzdata2010e (time zones).  This includes changes in
1093 >        Mexico.
1094 >
1095 >        Add support for several newer sound cards via hda including
1096 >        ATI and Realtek chipsets.
1097 >
1098 > 20100313:
1099 >        CPU detection has been changed.  VIA Padlock detection added.
1100 >
1101 > 20100312:
1102 >        Fix a number of bugs and compiler warnings in libmport. Handle
1103 >        plus signs in paths for mport.check-fake
1104 >
1105 > 20100311:
1106 >        mksh R39c
1107 >
1108 > 20100309:
1109 >        Sudo 1.7.2p5
1110 >
1111 >        sqlite3 3.6.23
1112 >
1113 >        mksh R39b
1114 >
1115 >        libffi (ffi) 3.0.9
1116 >
1117 > 20100206:
1118 >        WITHOUT_LIB32 is no longer needed on AMD64.  GCC was fixed to
1119 >        properly pass arguments to ld.
1120 >
1121 >        re(4) and rl(4) have been updated to support several new
1122 >        realtek chipsets.  Performance has been improved on re(4).
1123 >
1124 > 20100204:
1125 >        Fix a bug cropping up on AMD64 MidnightBSD with sftp
1126 >        segfaulting.  
1127 >
1128 > 20100116:
1129 >        Import ash changes from FreeBSD (bin/sh) 8-Stable.
1130 >
1131 >        BIND 9.6.1-P2
1132 >
1133 > 20100110:
1134 >        Import Sendmail 8.14.4. Fix for SSL vulnerability.
1135 >
1136 >        posix_spawn(3) added to MidnightBSD libc.  Users may need to build and
1137 >        install libc before doing a full buildworld when upating from 0.2 or
1138 >        older current systems.
1139 >
1140 >        kqueue(2) was modified to support portions of libdispatch functionality.
1141 >
1142 > 20100106:
1143 >        Bind security update.  Fix a bug with DNSSEC that causes negative
1144 >        cache entries and thus a possible DNS cache poisoning attack.
1145 >
1146 >        Fix a bug in ZFS that can reset permissions on system crashes.
1147 >
1148 > 20091228:
1149 >        amdtemp(4) was added.  It allows one to monitor to the temperature
1150 >        of an AMD CPU such as a Phenom.
1151 >
1152 > 20091205:
1153 >        OpenSSL security fix
1154 >
1155 >        The SSL version 3 and TLS protocols support session renegotiation without
1156 >        cryptographically tying the new session parameters to the old parameters.
1157 >
1158 > 20091128:
1159 >        OpenBSD sensors framework imported including sensorsd(8)
1160 >
1161 > 20091126:
1162 >        OpenNTPD 4.4 import
1163 >
1164 >        Update OpenSSH to 5.3p1
1165 >
1166 >        mksh R39
1167 >
1168 > 20091124:
1169 >        cpdup updated from DragonFly to 1.15
1170 >
1171 >        tzdata2009s updated with latest timezone data for November 2009.
1172 >
1173 > 20091010:
1174 >        amd64 users should use WITHOUT_LIB32=yes in /etc/make.conf for now
1175 >        to test current.
1176 >
1177 >        Revert unicode filename fixes from ntfs code.  This was causing chaos
1178 >        on amd64 systems.
1179 >
1180 > 20091006:
1181 >        Update timezone data with tzdata2009n with the Pakistan and
1182 >        Argentina changes.
1183 >
1184 >        Sync several userland utilities with versions from FreeBSD 7.0 in
1185 >        sbin and usr.sbin.
1186 >
1187 > 20090919:
1188 >        Update timezone data with tzdate2009m from September 2009.
1189 >
1190 > 20090729:
1191 >        Patch for Bind 9 security vulnerability. a dynmaic update packet
1192 >        can trigger an assertion and cause named to exit
1193 >
1194 > 20090606:
1195 >        Remove PCC from the base system.  This compiler will not work
1196 >        as a system compiler for us as we've got some userland investment
1197 >        in C++ code and may have Objective-C in the future.  We're stuck
1198 >        with a solution that supports these three languages at a minimum.
1199 >
1200 >        I had wanted to keep it as an optional compiler because it is
1201 >        fast, however too many users want to try to use it for the base
1202 >        system which makes no sense.
1203 >
1204 >        A hack was added for Cypress based usb hard drive enclosures to
1205 >        the kernel.  This should cut down on commands it claims to support
1206 >        but does not (at the cam layer).  Found while testing ZFS on
1207 >        an external device.
1208 >
1209 > 20090520:
1210 >        The powerd daemon no longer starts automatically to improve
1211 >        compatibility with many systems.  However, there is a new
1212 >        installer option in the startup section to enable it. This
1213 >        makes it easier to enable for users that have working systems. I                thought it was only a problem on older hardware, but it freaks
1214 >        out my new Phenom too.
1215 >
1216 > 20090502:
1217 >        OpenSSH 5.2p1 import
1218 >
1219 >        ale(4) connected to the build. (kernel module only)
1220 >
1221 > 20090501:
1222 >        Imported makefs utility from NetBSD/FreeBSD
1223 >
1224 > 20090422:
1225 >        OpenSSL security update
1226 >
1227 >        The function ASN1_STRING_print_ex does not properly validate the lengths
1228 > of BMPString or UniversalString objects before attempting to print them.
1229 >
1230 > 20090415:
1231 >        Created a Symbol.map for libc/ohash symbols
1232 >
1233 >        Updated several usr/bin usr/sbin utilities.
1234 >
1235 >        Corrected a bug with Makefile.inc1 causing the bootstrap
1236 >        tools to fail.
1237 >
1238 > 20090405:
1239 >        xorg 7.4 wants to configure its input devices via hald which does not
1240 >        yet work with USB. If the keyboard/mouse does not work in xorg then
1241 >        add
1242 >                Option "AllowEmptyInput" "off"
1243 >        to your ServerLayout section.  This will cause X to use the configured
1244 >        kbd and mouse sections from your xorg.conf
1245 >
1246 > 20090403:
1247 >        mksh was disconnected a few day ago do to bugs with
1248 >        buildworld and mports.  Now, connect it back
1249 >        for use as /bin/sh with a conditional called
1250 >        MK_ASH.  By default, ash is the standard /bin/sh
1251 >        but we may change this later.  This will allow further
1252 >        testing by users and developers of mksh without
1253 >        causing an unpleasant default experience.  In the
1254 >        long run, we need to fix mksh compatibility.
1255 >
1256 > 20090328:
1257 >        Bring in mksh R37 from CVS. The dot.mkshrc files for root
1258 >        and skel were changed.  mksh(1) now replaces ash aka sh(1)
1259 >        as the default /bin/sh.  Please report bugs with
1260 >        ports, etc. The ash code will remain in the repo for awhile
1261 >        as I decide if we'll add something like MK_SHELL_ASH as
1262 >        an optional build parameter.  
1263 >
1264 >        ahd was disconnected from the lint environment until
1265 >        the compiler bug is sorted (by updating gcc?)
1266 >
1267 >        Remove freebsd-tips from fortune files and change the
1268 >        default for login and profile.
1269 >
1270 > 20090327:
1271 >        Update libarchive to 2.5.5, tar, and add bsdcpio.
1272 >
1273 >        Also previously, ctriv has been connecting Perl 5.10
1274 >        to the build (part of os).  This will have an impact
1275 >        on mports.
1276 >
1277 > 20090325:
1278 >        Update Bind to 9.4.3-P1
1279 >
1280 >        Update mksh to R36b
1281 >
1282 >        Update tcpdump to 3.9.8, fix libpcap to work with current.
1283 >
1284 >        Update pnpinfo, sync with FreeBSD.
1285 >
1286 > 20090115:
1287 >        Fix a problem with DNSSEC and BIND.
1288 >
1289 > 20090110:
1290 >        For applications using OpenSSL for SSL connections, an invalid SSL
1291 >        certificate may be interpreted as valid.  This could for example be
1292 >        used by an attacker to perform a man-in-the-middle attack.
1293 >
1294 >        Other applications which use the OpenSSL EVP API may similarly be
1295 >        affected.
1296 >
1297 >        Stop cross site request forgery attacks in lukemftpd
1298 >
1299 > 20090104:
1300 >        Import GNU libreadline 5.2
1301 >
1302 > 20090101:
1303          Update time zone data to 2008i.
1304  
1305   20081231:
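Review bot: several security entries in this hunk record the flaw but not the affected component, an advisory identifier, or whether the fix is now in the tree. The 20101130 entry reads "A double free exists in the SSL client ECDH handling code" without naming the library or saying it was patched, and 20091205 describes the SSL version 3/TLS renegotiation weakness without saying what the fix changes for operators (for example, whether renegotiation is now refused). 20110928 (gzip/compress .Z files, unix domain socket path validation), 20101110 (pseudofs), 20100920 (bzip2), 20100902 (libutil), 20090729 (BIND dynamic update) and 20090422 (ASN1_STRING_print_ex) carry no CVE or advisory reference, while 20110528 and 20110308 do; one consistent form (component, identifier, impact, action required) would let an administrator match these entries against published advisories. Smaller points: new line 1213 has two source lines run together ("working systems. I                thought"), new line 1228 has lost its indentation, and the spelling slips "dependance", "imporve", "syncronized", "upating", "dynmaic", "tzdate2009m" and "do to bugs" are worth fixing in the same commit.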
# Line 633 | Line 1929 | Contact Warner Losh if you have any questions about yo
1929   this document.
1930  
1931   $FreeBSD: src/UPDATING,v 1.416.2.18 2006/02/22 11:51:57 yar Exp $
1932 < $MidnightBSD: src/UPDATING,v 1.46 2008/12/31 15:01:20 laffer1 Exp $
1932 > $MidnightBSD$
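Review bot: new line 1932 commits the `$MidnightBSD$` keyword unexpanded, so the file only carries its own revision stamp if the svn:keywords property defines that keyword; the property change below adds `MidnightBSD=%H`, and the two need to land together or the ident stays blank in checkouts. It is also worth confirming that the `$FreeBSD:` line above it, still at 1.416.2.18 from 2006, is meant to remain as the record of the upstream base.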

Comparing trunk/UPDATING (property cvs2svn:cvs-rev):
Revision 2485 by laffer1, Thu Jan 1 22:52:48 2009 UTC vs.
Revision 8465 by laffer1, Sun Sep 18 22:20:09 2016 UTC

# Line 1 | Line 0
1 1.47

Comparing trunk/UPDATING (property svn:keywords):
Revision 2485 by laffer1, Thu Jan 1 22:52:48 2009 UTC vs.
Revision 8465 by laffer1, Sun Sep 18 22:20:09 2016 UTC

# Line 0 | Line 1
1 + MidnightBSD=%H
