- Instead of including protocol info in diffs, strip them before adding
deltatext and take this into account when applying the diff later.
- Don't use strlen when the string in the RCS file may contain garbage. This got
caught in the checksumming before, but was not fixed until now. Instead of
using strlen, pass the token length when adding log and text entries to a
delta. Add an extra length parameter to duptext() to record the token length.
- When adding new branches to a file, add them in at the tail instead of the
head of the list to get correct ordering when writing out.
- Input stream when diffing was opened twice.
- Don't expand keywords in diffs between deltas.
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
audit_bsm_token.c.
- Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
that const strings can be passed as arguments to tokens. This patch was
submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
- Handle the case where a repository may have been copied, and the symlinks have
not been preserved. CVSup removes the files and creates the symlinks, so
enable this behaviour in csup as well.
- While there, fix comments and style issues.
- Use internal xmalloc instead of malloc.
- Include missing header after warnings.
- Fix unneeded printouts.
- Fix a bug when checking the CO_NORSYNC flag.
- This also removes $FreeBSD$ from two now unmodifed source files
ncurses/tinfo/lib_raw.c and ncurses/tinfo/lib_baudrate.c
MFC after: 2 months (after 7.1 and 6.4 are released)
Some time ago I got some reports MPSAFE TTY broke telnetd(8). Even
though it turned out to be a different problem within the TTY code, I
spotted a small issue with telnetd(8). Instead of allocating PTY's using
openpty(3) or posix_openpt(2), it used its own PTY allocation routine.
This means that telnetd(8) still uses /dev/ptyXX-style devices.
I've also increased the size of line[]. Even though 16 should be enough,
we already use 13 bytes ("/dev/pts/999", including '\0'). 32 bytes gives
us a little more freedom.
Also enable -DSTREAMSPTY. Otherwise telnetd(8) strips the PTY's pathname
to the latest slash instead of just removing "/dev/" (e.g. /dev/pts/0 ->
0, instead of pts/0).
Reviewed by: rink
previously in order to ensure it fit properly in the bufer when encoded.
This prevents a debugging printf from firing if a source or destination
host name for an smb mount exceeds 15 characters.
MFC after: 3 days
Obtained from: Apple, Inc.
files if the client supports it. The support is implemented with an API to
operate on files, calculating the rolling checksum and md5 checksum for the
blocks etc.
- Remove unneeded stream_filter_stop and stream_flush before stream_close.
different version has been committed upstream in the libpcap vendor branch.
This will allow people to experiment with zero-copy bpf(4) without requiring
external patches.
Note to enable this functionality:
sysctl net.bpf.zerocopy_enable=1
By default, libpcap will use the legacy buffering method unless this sysctl
variable is set to 1.
For the details about zero-copy bpf(4) implementation see svn change r177548.
Requested by: many
Discussed with: sam
In collaboration with: rwatson
loop pointed out by cognet@ that occurs when calling strtod() with a
string representing a number between DBL_MAX and 2*DBL_MAX, when the
rounding mode is anything other than the default.
Note: As the first merge since the conversion to svn, it includes many
propset changes to get the proper svn:eol-style and svn:mime-type on the
files (as merged from the fixed up vendor/dist area).
MFC after: 3 days
operating systems. Previously, gcc would inhibit the generation of
fsqrt, fsin, and several other floating point instructions, for the
benefit of the old in-kernel math emulator, which was removed over 5
years ago.
This works around a bug in HP-UX's telnet client and also gives a much
saner user experience when using FreeBSD's telnet client.
PR: bin/19405
Submitted by: Joel Ray Holveck joelh of gnu.org
MFC after: 1 month
own purposes. To pull this off, it defines _KERNEL before including the
headers where these structures are defined. This leads to no end of
trouble when some of these headers, or other headers that they include,
change, as demonstrated by r180755.
The quick fix in this particular case is to define _WANT_FILE instead of
_KERNEL, conditional on __FreeBSD__. A better long-term fix is left as
an exercise to the reader.
The xgetpass() function pushes a cleanup entry for &osa, but then
attempts to flush the stack until an entry matching &sa. The two
object pointers do not match, so the stack is popped too much,
and then cleanup_until calls abort() when it unexpectedly hits
the bottom of the cleanup stack.
Reported by: Paul B. Mahol, onemda at gmail.com,
Pietro Cerutti, gahr at gahr.ch
PR: bin/124191
Reviewed by: mp, kris
MFC after: 2 days
the patch from ISC for lib/bind9/check.c and deletion of unused
files in lib/bind.
This version will by default randomize the UDP query source port
(and sequence number of course) for every query.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447http://www.kb.cert.org/vuls/id/800113http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
conflicts due to radically different approaches to security and bug fixes.
In some cases I re-started from the vendor version and reimplemented our
patches. Fortunately, this is not enabled by default in -current.
for FreeBSD as well.
This is the fix for __gthread_active_p() returning false positives
which was committed as rev. 1.1.1.8.2.1 to RELENG_7 but now looped
back to the vendor branch via the GCC repository and relicensed to
be GPLv2 by me.
Thanks go to gerald@ for getting the fix approved upstream and for
committing to the GCC repository.
PR: 119289
Approved by: core
and netgraph in gernal). This also allows to add queues for an interface
that is not yet existing (you have to provide the bandwidth for the
interface, however).
PR: kern/106400, kern/117827
MFC after: 2 weeks
rev 1.27 ("iso8601" option keyword) revs 1.12/1.10/1.5/1.4 ($CVSHeader$
support) rev 1.2 ($CVS_LOCAL_BRANCH_NUM support for local commit
feature of cvsup) into version 1.11-20080310.
rev 1.4 (1.12 CVSROOT/config keyword expansion forward compatability)
into version 1.11-20080310.
Note the vendor has also added some forward compatability support.
We should determine if we can live with just the vendor's method.
"CVS_OPTIONS"), rev 1.14 ('-g' option to support shared-group access),
rev 1.7 ('-R' read-only repository mode), rev 1.6 (support for checking
out from a read-only repository), revs 1.4 & 1.5 ("tagexpand=")
into version 1.11-20080310. Note the vendor accepted my "blame" alias.
-T CVS/Template support, rev 1.9: new long flag that causes cvs to ignore
the CVSROOT/passwd file, rev 1.3: support for checking out from a read-only
repository, rev. 1.2: support for local $Id$ keyword into cvs 1.11-20080310.
rev 1.2: fix a problem sometimes seen when doing checkouts from a local repo
and committing via remote cvs (a cvs -d override of the mismatched CVS/Root
files was missing) into cvs 1.11-20080310.
Note that rev 1.4 (default CVS_RSH to "ssh") will not be handled thru the
vendor's config.h.
find the corresponding AS for that IP (-a switch).
We can also choose a different whois server with the -A switch. The
default is whois.radb.net.
Obtained from: NetBSD
Reviewed by: bms, njl (mentor)
Approved by: njl (mentor)
times when it shouldn't). The PR's patch has been incorporated upstream
as magic.c rev 1.46.
PR: 107676
Submitted by: Dr. Markus Waldeck <waldeck@gmx.de>
cplus_demangle_type. This is the rev 1.50-1.51 change.
Our addr2line, etc.. would crash if used on C++ code that contains
certain symbol types. One example is
_ZN13PatternDriver23StringScalarDeleteValueC1ERKNS_25ConflateStringScalarValueERKNS_25AbstractStringScalarValueERKNS_12TemplateEnumINS_12pdcomplementELZNS_16complement_namesEELZNS_14COMPLEMENTENUMEEEE
rev 1.27 ("iso8601" option keyword) revs 1.12/1.10/1.5/1.4 ($CVSHeader$
support) rev 1.2 ($CVS_LOCAL_BRANCH_NUM support for local commit
feature of cvsup) into version 1.11.22.
Note rev 1.21 ("-D date" checkout bug relating to 1.1.1.1 vs 1.1
revisions), rev 1.13 (allow -D'date' with -r'branch' on a checkout),
rev 1.6 (use xstrdup rather than strdup) are fixed in the vendor sources
rev 1.17 (environtmental var "CVS_OPTIONS"), rev 1.14 ('-g' option to
support shared-group access), rev 1.7 ('-R' read-only repository mode),
rev 1.6 (support for checking out from a read-only repository),
revs 1.4 & 1.5 ("tagexpand=") into version 1.11.22.
Merge rev 1.14: comprehensive -T CVS/Template support, rev 1.9: new long
flag that causes cvs to ignore the CVSROOT/passwd file, rev 1.3: support
for checking out from a read-only repository, rev. 1.2: support for local
$Id$ keyword into cvs 1.11.22.
Note that rev 1.4 (make verifymsg extra useful) is OBE.
rev 1.4: flip the default for CVS_RSH to "ssh", rev 1.2: fix a problem
sometimes seen when doing checkouts from a local repo and committing
via remote cvs (a cvs -d override of the mismatched CVS/Root files was
missing) into cvs 1.11.22.
cplus_demangle_type. This is the rev 1.50-1.51 change.
Our addr2line, etc.. would crash if used on C++ code that contains
certain symbol types. One example is
_ZN13PatternDriver23StringScalarDeleteValueC1ERKNS_25ConflateStringScalarValueERKNS_25AbstractStringScalarValueERKNS_12TemplateEnumINS_12pdcomplementELZNS_16complement_namesEELZNS_14COMPLEMENTENUMEEEE
CVSROOT/config file options that control keyword expansion. cvs-1.12 has
its own $Id$ expansion controls and they're configured in CVSROOT/config
rather than CVSROOT/options. The problem is that current cvs-1.11.x
doesn't understand the future keywords.....
Add trivial forward support for the new keywords for when cvs-1.12
hits the tree down the road. CVSROOT/options won't be going away - cvsup
uses it.