ViewVC Help

View File | Revision Log | Show Annotations | Download File | View Changeset | Root Listing

root/src/trunk/UPDATING

Comparing trunk/UPDATING (file contents):
Revision 6711 by laffer1, Tue Jul 1 12:24:57 2014 UTC vs.
Revision 7555 by laffer1, Thu May 19 12:38:41 2016 UTC

#	Line 1 | Line 1
1		Updating Information for MidnightBSD users.
2
3	+	20160519:
4	+	Kernel Security updates
5	+
6	+	atkbd(4) - Incorrect signedness comparison in the ioctl(2) handler allows a malicious
7	+	local user to overwrite a portion of the kernel memory.
8	+
9	+	Incorrect argument handling in sendmsg(2)
10	+
11	+	Incorrect argument handling in the socket code allows malicious local
12	+	user to overwrite large portion of the kernel memory.
13	+
14	+	20160505:
15	+	OpenSSL security patch
16	+
17	+	The padding check in AES-NI CBC MAC was rewritten to be in constant time
18	+	by making sure that always the same bytes are read and compared against
19	+	either the MAC or padding bytes. But it no longer checked that there was
20	+	enough data to have both the MAC and padding bytes. [CVE-2016-2107]
21	+
22	+	An overflow can occur in the EVP_EncodeUpdate() function which is used for
23	+	Base64 encoding of binary data. [CVE-2016-2105]
24	+
25	+	An overflow can occur in the EVP_EncryptUpdate() function, however it is
26	+	believed that there can be no overflows in internal code due to this problem.
27	+	[CVE-2016-2106]
28	+
29	+	When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
30	+	a short invalid encoding can casuse allocation of large amounts of memory
31	+	potentially consuming excessive resources or exhausting memory.
32	+	[CVE-2016-2109]
33	+
34	+	20160412:
35	+	0.8 stable branch created. Continue development as 0.9.
36	+
37	+	Fix several issues with wait6 system call addition.
38	+
39	+	20160409:
40	+	libmport now supports two new plist formats:
41	+	@(root,wheel,4775) myfile
42	+	@dir(root,wheel,775) mydir
43	+
44	+	On delete, absoluate paths are now handled properly.
45	+
46	+	20160317:
47	+	OpenSSH doesn't have the luck of the Irish.
48	+
49	+	Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
50	+	run shell commands on the call to xauth.
51	+
52	+	Incorrect argument validation in sysarch(2)
53	+
54	+	A special combination of sysarch(2) arguments, specify a request to
55	+	uninstall a set of descriptors from the LDT.  The start descriptor
56	+	is cleared and the number of descriptors are provided.  Due to invalid
57	+	use of a signed intermediate value in the bounds checking during argument
58	+	validity verification, unbound zero'ing of the process LDT and adjacent
59	+	memory can be initiated from usermode.
60	+
61	+	Patch obtained from FreeBSD.
62	+
63	+	20160229:
64	+	top now displays information on ZFS arc cache.
65	+
66	+	20160228:
67	+	llvm + clang 3.3 is now the default compiler in MidnightBSD.
68	+
69	+	20160222:
70	+	Introduce pipe2 to linux emulation layer.
71	+
72	+	20160114:
73	+	OpenSSL
74	+
75	+	The signature verification routines will crash with a NULL pointer dereference
76	+	if presented with an ASN.1 signature using the RSA PSS algorithm and absent
77	+	mask generation function parameter. [CVE-2015-3194]
78	+
79	+	When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak
80	+	memory. [CVE-2015-3195]
81	+
82	+	If PSK identity hints are received by a multi-threaded client then the values
83	+	are incorrectly updated in the parent SSL_CTX structure.  [CVE-2015-3196]
84	+
85	+	Fix security on bsnmpd configuration file during installation.
86	+
87	+	TCP MD5 signature denial of service
88	+
89	+	A programming error in processing a TCP connection with both TCP_MD5SIG
90	+	and TCP_NOOPT socket options may lead to kernel crash.
91	+
92	+	SCTP
93	+
94	+	A lack of proper input checks in the ICMPv6 processing in the SCTP stack
95	+	can lead to either a failed kernel assertion or to a NULL pointer
96	+	dereference.  In either case, a kernel panic will follow.
97	+
98	+	20160102:
99	+	Happy New Year
100	+
101	+	20151101:
102	+	Increase kern.ipc.somaxconn default to 256.
103	+
104	+	20151017:
105	+	Add initial statistics api to libmport and a driver to print
106	+	it in mport(1).
107	+
108	+	20151002:
109	+	Revised rpcbind(8) patch to fix issues with NIS
110	+
111	+	20150930:
112	+	In rpcbind(8), netbuf structures are copied directly, which would result in
113	+	two netbuf structures that reference to one shared address buffer.  When one
114	+	of the two netbuf structures is freed, access to the other netbuf structure
115	+	would result in an undefined result that may crash the rpcbind(8) daemon.
116	+
117	+	20150926:
118	+	libmport now supports @preexec, @postexec, @preunexec and @postunexec
119	+	to replace @exec and @unexec.
120	+
121	+	pre exec runs afer pre-install scripts but before actual installation
122	+
123	+	post exec runs after install but before post install scripts and
124	+	pkg message.
125	+
126	+	pre unexec runs before pre uninstall scripts
127	+
128	+	post unexec runs before de-install scripts and after file removal.
129	+
130	+	20150917:
131	+	Fix kqueue write events for files > 2GB
132	+
133	+	20150825:
134	+	kernel:
135	+	fix a security issue on amd64 where the GS segment CPU register can be changed via
136	+	userland value in kernel mode by using an IRET with #SS or #NP exceptions.
137	+
138	+	openssh:
139	+	A programming error in the privileged monitor process of the sshd(8)
140	+	service may allow the username of an already-authenticated user to be
141	+	overwritten by the unprivileged child process.
142	+
143	+	A use-after-free error in the privileged monitor process of he sshd(8)
144	+	service may be deterministically triggered by the actions of a
145	+	compromised unprivileged child process.
146	+
147	+	A use-after-free error in the session multiplexing code in the sshd(8)
148	+	service may result in unintended termination of the connection.
149	+
150	+	20150818:
151	+	expat security fix
152	+
153	+	20150815:
154	+	libc changes:
155	+	setmode(3) now returns errno consistently on error.
156	+	libc will compile without error using clang
157	+
158	+	20150814:
159	+	wait6 system call added.
160	+
161	+	date(1) now handles non numeric numbers passed to -r
162	+	like GNU coreutils for improved compatibility.
163	+
164	+	20150811:
165	+	ata(4) AMD Hudson2 SATA controller support.
166	+	Intel lynxpoint SATA.
167	+
168	+	Fix some const warnings when building several device drivers
169	+	with llvm/clang.
170	+
171	+	Sync cas(4) with FreeBSD 9-stable.
172	+
173	+	Fix some minor issues with ath(4).
174	+
175	+	20150809:
176	+	xz 5.0.8
177	+
178	+	20150808:
179	+	libmport now logs installation and removal of packages to syslog.
180	+
181	+	20150805:
182	+	routed - fix a potential security issue where traffic from outside
183	+	the network can disrupt routing.
184	+
185	+	bsd patch - fix a bug with ed(1) scripts allowing unsanitized input
186	+	to run.
187	+
188	+	20150802:
189	+	jansson 2.7 library added. (libjansson is a JSON library in C)
190	+
191	+	20150728:
192	+	Heimdal 1.5.2 (kerberos implementation)
193	+
194	+	OpenSSL 1.0.1o
195	+
196	+	cpucontrol(8) now supports VIA CPUs. Synced with FreeBSD 9.2.
197	+
198	+	TCP Resassemly resource exhaustion bug:
199	+	There is a mistake with the introduction of VNET, which converted the
200	+	global limit on the number of segments that could belong to reassembly
201	+	queues into a per-VNET limit.  Because mbufs are allocated from a
202	+	global pool, in the presence of a sufficient number of VNETs, the
203	+	total number of mbufs attached to reassembly queues can grow to the
204	+	total number of mbufs in the system, at which point all network
205	+	traffic would cease.
206	+	Obtained from: FreeBSD 8
207	+
208	+	OpenSSH
209	+
210	+	Fix two security vulnerabilities:
211	+	OpenSSH clients does not correctly verify DNS SSHFP records when a server
212	+	offers a certificate. [CVE-2014-2653]
213	+
214	+	OpenSSH servers which are configured to allow password authentication
215	+	using PAM (default) would allow many password attempts. A bug allows
216	+	MaxAuthTries to be bypassed. [CVE-2015-5600]
217	+
218	+
219	+	Switch to bsdpatch (from FreeBSD & OpenBSD)
220	+
221	+	20150726:
222	+	BSD Sort updated
223	+
224	+	sqlite 3.8.10.2
225	+
226	+	20150725:
227	+	Import reallocarray from OpenBSD's libc.
228	+
229	+	The reallocarray() function is similar to realloc() except it operates on
230	+	nmemb members of size size and checks for integer overflow in the
231	+	calculation nmemb * size.
232	+
233	+	20150722:
234	+	Fix a bug where TCP connections transitioning to LAST_ACK
235	+	state can get stuck. This can result in a denial of service.
236	+
237	+	20150715:
238	+	libmport now supports @shell and @sample in plists. This means that
239	+	a shell port can automatically add an entry to /etc/shells and remove
240	+	it upon uninstallation. For sample files, a copy is made without the
241	+	.sample extension if one does not exist and it is removed automatically
242	+	only if the md5 hash of the two files is the same.
243	+
244	+	20150709:
245	+	flex 2.5.39
246	+
247	+	20150702:
248	+	ZFS in MidnightBSD now supports lz4 compression. You can enable it
249	+	with zfs set compression=lz4 pool/path.
250	+
251	+	Verify it's working with
252	+	zfs get compressratio pool/path
253	+	du -h -s *
254	+
255	+	Note you must write new data when turning on compression to see
256	+	changes. Existing files are not compressed.
257	+
258	+	Note: While we used the same basic implementation of lz4 that
259	+	FreeBSD and OpenZFS uses, we did not yet implement features support
260	+	and the zfs version still reports 28. This may come in a future update
261	+	to ZFS.
262	+
263	+	20150621:
264	+	libmport now automatically stops services when deleting packages.
265	+
266	+	The package must have installed an rc.d script in /usr/local/etc
267	+	for this to work. This is equivalent to running service <name> onestop
268	+
269	+	20150618:
270	+	Sendmail
271	+
272	+	With the recent changes to OpenSSL to block 512 bit certificates,
273	+	sendmail can't connect with TLS to some servers.
274	+
275	+	Increase the default size to 1024 bit for client connections to
276	+	match the server configuration.
277	+
278	+	ZFS
279	+
280	+	Added ZFS TRIM support which is enabled by default. To disable
281	+	ZFS TRIM support set vfs.zfs.trim.enabled=0 in loader.conf.
282	+
283	+	Creating new ZFS pools and adding new devices to existing pools
284	+	first performs a full device level TRIM which can take a significant
285	+	amount of time. The sysctl vfs.zfs.vdev.trim_on_init can be set to 0
286	+	to disable this behaviour.
287	+
288	+	ZFS TRIM requires the underlying device support BIO_DELETE which
289	+	is currently provided by methods such as ATA TRIM and SCSI UNMAP
290	+	via CAM, which are typically supported by SSD's.
291	+
292	+	Stats for ZFS TRIM can be monitored by looking at the sysctl's
293	+	under kstat.zfs.misc.zio_trim.
294	+
295	+	rc.d
296	+
297	+	Reworked handling of cleanvar and FILESYSTEMS so that FILESYSTEMS
298	+	implies everything is mounted and ready to go.
299	+
300	+	Changed how ip6addressctl maps IPv6 on startup.
301	+
302	+	20150613:
303	+	tzdata 2015d
304	+
305	+	20150612:
306	+	OpenSSL 0.9.8zg
307	+
308	+	20150419:
309	+	MidnightBSD 0.6 stable branch created. Continue 0.7
310	+	development.
311	+
312	+	20150418:
313	+	sqlite 3.8.9
314	+
315	+	20150407:
316	+	Fix two security vulnerabilities:
317	+
318	+	The previous fix for IGMP had an overflow issue. This has been corrected.
319	+
320	+	ipv6: The Neighbor Discover Protocol allows a local router to advertise a
321	+	suggested Current Hop Limit value of a link, which will replace
322	+	Current Hop Limit on an interface connected to the link on the MidnightBSD
323	+	system.
324	+
325	+	20150319:
326	+	OpenSSL 0.9.8.zf
327	+
328	+	mksh R50e
329	+
330	+	Apple mDNSResponder 561.1.1
331	+
332	+	20150306:
333	+	Upgrade OpenSSL to 0.9.8ze
334	+
335	+	20150225:
336	+	Fix two security vulnerabilities.
337	+
338	+	1. BIND servers which are configured to perform DNSSEC validation and which
339	+	are using managed keys (which occurs implicitly when using
340	+	"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
341	+	unpredictable behavior due to the use of an improperly initialized
342	+	variable.
343	+
344	+	CVE-2015-1349
345	+
346	+	2. An integer overflow in computing the size of IGMPv3 data buffer can result
347	+	in a buffer which is too small for the requested operation.
348	+
349	+	This can result in a DOS attack.
350	+
351	+	20141211:
352	+	Fix a security issue with file and libmagic that can allow
353	+	an attacker to create a denial of service attack on any
354	+	program that uses libmagic.
355	+
356	+	20141109:
357	+	Fix building perl during buildworld when the GDBM port is installed.
358	+
359	+	20141106:
360	+	tzdata 2014i
361	+
362	+	20141102:
363	+	serf 1.3.8
364	+
365	+	20141031:
366	+	tnftp 20141031 fixes a security vulnerability with tnftp,
367	+	CVE-2014-8517.
368	+
369	+	20141028:
370	+	OpenSSL 0.9.8zc
371	+
372	+	20141021:
373	+	Fix several security vulnerabilities in routed, rtsold,
374	+	and namei with respect to Capsicum sandboxes looking up
375	+	nonexistent path names and leaking memory.
376	+
377	+	The input path in routed(8) will accept queries from any source and
378	+	attempt to answer them.  However, the output path assumes that the
379	+	destination address for the response is on a directly connected
380	+	network.
381	+
382	+	Due to a missing length check in the code that handles DNS parameters,
383	+	a malformed router advertisement message can result in a stack buffer
384	+	overflow in rtsold(8).
385	+
386	+	20141011:
387	+	mksh R50d - fix field splitting regression and null
388	+	pointer dereference
389	+
390	+	xz 5.0.7
391	+
392	+	OpenSSH 6.6p1
393	+
394	+	20141004:
395	+	mksh R50c - security update for environment var bug with
396	+	foo vs foo+
397	+
398	+	20141002:
399	+	sqlite 3.8.6
400	+
401	+	sudo 1.7.8 - some issues with the current version, but we're slowly
402	+	getting up to date.
403	+
404	+	20141001:
405	+	mksh R50b
406	+
407	+	libmport now supports plist commands @dir, @owner, @group, @mode.
408	+
409	+	sudo 1.7.6p2
410	+
411	+	20140916:
412	+	Fix a security issue with TCP SYN.
413	+
414	+	When a segment with the SYN flag for an already existing connection arrives,
415	+	the TCP stack tears down the connection, bypassing a check that the
416	+	sequence number in the segment is in the expected window.
417	+
418	+	20140909:
419	+	Fixed a bug with our clearenv(3) implementation that caused segfaults
420	+	with some programs including Dovecot.
421	+
422	+	OpenSSL security patch:
423	+
424	+	The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
425	+	to consume large amounts of memory. [CVE-2014-3506]
426	+
427	+	The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
428	+	memory. [CVE-2014-3507]
429	+
430	+	A flaw in OBJ_obj2txt may cause pretty printing functions such as
431	+	X509_name_oneline, X509_name_print_ex et al. to leak some information from
432	+	the stack. [CVE-2014-3508]
433	+
434	+	OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
435	+	a denial of service attack. [CVE-2014-3510]
436	+
437	+	20140902:
438	+	We're now 0.6-CURRENT
439	+
440	+	Update USB quirks to support K70 Corsair keyboard, and several
441	+	other devices.
442	+
443	+	20140827:
444	+	Perl 5.18.2
445	+
446	+	20140728:
447	+	Jails now run shutdown scripts.
448	+
449	+	20140710:
450	+	Fix a vulnerability in the control message API. A buffer is not properly cleared
451	+	before sharing with userland.
452	+
453		20140701:
454		MKSH R50
455

Diff Legend

–	Removed lines
+	Added lines
<	Changed lines
>	Changed lines