Fix brokenness in top on big-endian 32-bit systems introduced when
changing format_k2 to take a long long. Because itoa is defined as a K&R
C function, without prototyping its arguments, format_k2 passed a 64-bit
value, but itoa() received only the first word, showing '0' in all memory
fields.
Remove GNU cpio after fix of CVE-2010-0624.
Note that this is actually a no-op for most users, as this GNU
cpio was broken on -HEAD and 8-STABLE since last March until
the recent fix.
FreeBSD 8.0+ uses BSD cpio by default and the code is being
actively maintained.
the problems related to the handling of broken DNSSEC trust chains.
This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.
The rmt client in GNU cpio could have a heap overflow when a malicious
remote tape service returns deliberately crafted packets containing
more data than requested.
Fix this by checking the returned amount of data and bail out when it
is more than what we requested.
PR: gnu/145010
Submitted by: naddy
Reviewed by: imp
Security: CVE-2010-0624
Add interface description capability as inspired by OpenBSD. Thanks for
rwatson@, jhb@, brooks@ and others for feedback to the old implementation!
Sponsored by: iXsystems, Inc.
Upgrade to BIND 9.6.1-P3.
This version address the following vulnerabilities:
BIND 9 Cache Update from Additional Section
https://www.isc.org/advisories/CVE-2009-4022v6http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
A nameserver with DNSSEC validation enabled may incorrectly add
unauthenticated records to its cache that are received during the
resolution of a recursive client query
BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses
https://www.isc.org/advisories/CVE-2010-0097http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
There was an error in the DNSSEC NSEC/NSEC3 validation code that could
cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records
proven by NSEC or NSEC3 to exist) to be cached as if they had validated
correctly
These issues only affect systems with DNSSEC validation enabled.
Adapt OpenBSD pf's "sloopy" TCP state machine which is useful for Direct
Server Return mode, where not all packets would be visible to the load
balancer or gateway.
This commit should be reverted when we merge future pf versions. The
benefit it would provide is that this version does not break any existing
public interface and thus won't be a problem if we want to MFC it to
earlier FreeBSD releases.
Discussed with: mlaier
Obtained from: OpenBSD
Sponsored by: iXsystems, Inc.
Change gcc to assume a default machine architecture of 486 instead of 386
on "i386". Doing it in the compiler is deemed to be less fragile then
attempting to provide a default -march setting via bsd.cpu.mk. FreeBSD
itself has not supported plain 386 CPUs since 5.x.
Properly support -fPIE by linking PIE binaries with specially-built
Scrt1.o instead of crt1.o, since the later is built as non-PIC.
Separate i386-elf crt1.c into the pure assembler part and C code,
supplying all data extracted by assembler stub as explicit parameters.
Hide and localize _start1 symbol used as an interface between asm and
C code.
Add a minimal change to prevent NULL deference in ee(1).
To repeat the problem, one can press "Ctrl+C" and then enter "0".
Submitted by: Alexander Best <alexbestms wwu de>
PR: bin/137707
This patch or something similar will likely be included in a future
BIND release.
PR: bin/138061
Submitted by: Michael Baker <michael.baker@diversit.com.au>
Original patch submitted by: Volker <volker@vwsoft.com>
Patch reviewed and tweaked by: ISC
Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.
Fix a problem with high CPU consumption (up to 30%) by bsnmpd on a loaded system.
Instead of constantly calling the mibII_idle function when the server is not busy
call the function only once every 10 seconds to avoid bsnmpd constantly doing
gettimeofday syscalls. Make the idle polling interval confugurable via
begemotIfDataPoll.
Pull upstream patch to fix ee(1) crash when received SIGWINCH:
modify _nc_wgetch() to check for a -1 in the fifo, e.g., after a
SIGWINCH, and discard that value, to avoid confusing application
(patch by Eygene Ryabinkin, FreeBSD bin/136223).
PR: 136223
Submitted by: Eygene Ryabinkin
Obtained from: ncurses-5.7-20091024 snapshot
Fix tcsh losing history when tcsh terminates because the pty beneath it
is closed.
Diagnosed by Ted Anderson:
New signal queuing logic was introduced in 6.15 and allows the signal handlers
to be run explicitly by calling handle_pending_signals, instead of
immediately when the signal is delivered. This function is called at
various places, typically when receiving a EINTR from a slow system call
such as read or write. In the pty exit case, it was called from xwrite,
called from flush, while printing the "exit" message after receiving EOF
when reading from the pty (note that the read did not return EINTR but
zero bytes, indicating EOF). The SIGHUP handler, phup(), called
rechist, which opened the history file and began writing the merged
history to it. This process invoked flush recursively to actually write
the data. In this case, however, the flush noticed it was being called
recursively and decided fail by calling stderror.
My conclusion was that the signal was being handled at a bad time. But
whether to fix flush not to care about the recursive call, or to handle
the signal some other time and when to handle it, was unclear to me.
However, by adding an extra call to handle_pending_signals, just after
process() returns to main(), I was able to avoid the truncated history
after network outages and similar failures. I verified this fix in
version 6.17.
Approved by: re (kib)
- Add AS lookup functionality to traceroute6(8) as well.
- Support for IPv6 transport for AS lookup.
- Introduce $RA_SERVER to set whois server.
- Support for 4 byte ASN.
- ANSIfy function declaration in as.c.
Approved by: re (kib)
Explicitly line up the CPU state labels with the calculated starting column
that takes into account the width of the largest CPU ID. On systems with
> 10 CPUs the labels for the first 10 CPUs were not lined up properly
otherwise.
Approved by: re (kib)
addresses several minor issues:
- Fix audit_event definitions of AUE_OPENAT_RWT and AUE_OPENAT_RWTC.
- Fix build on Linux.
- Fix printing of class masks in the audump tool.
MFC after: 3 weeks
Obtained from: TrustedBSD Project
Approved by: re (kib)
Major changes from v429:
* Don't pass "-" to non-pipe LESSOPEN unless it starts with "-".
* Allow a fraction as the argument to the -# (--shift) option.
* Fix highlight bug when underlined/overstruck text matches at end of line.
* Fix non-regex searches with ctrl-R.
Approved by: re (kensmith, kib)
Receipt of a specially-crafted dynamic update message may
cause BIND 9 servers to exit. This vulnerability affects all
servers -- it is not limited to those that are configured to
allow dynamic updates. Access controls will not provide an
effective workaround.
More details can be found here: https://www.isc.org/node/474
All BIND users are encouraged to update to a patched version ASAP.
Approved by: re (re -> SO -> dougb)
of just blowing up. A very similar change to this exists which is
GPLv3 licensed, this is my own change.
This problem was triggered by running the Boost regression tests.
See also: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=31899
Reviewed by: luigi
Approved by: re (kib)
contrib/openbsm and a subset also imported into sys/security/audit.
This patch release addresses several minor issues:
- Fixes to AUT_SOCKUNIX token parsing.
- IPv6 support for au_to_me(3).
- Improved robustness in the parsing of audit_control, especially long
flags/naflags strings and whitespace in all fields.
- Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM
error number space.
MFC after: 3 weeks
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
Approved by: re (kib)
compiled with stack protector.
Use libssp_nonshared library to pull __stack_chk_fail_local symbol into
each library that needs it instead of pulling it from libc. GCC
generates local calls to this function which result in absolute
relocations put into position-independent code segment, making dynamic
loader do extra work every time given shared library is being relocated
and making affected text pages non-shareable.
Reviewed by: kib
Approved by: re (kib)
o add missing Status and Reason codes
o parse/display Action frames
o parse/display Mesh data frames
o parse/display BA frames
Reviewed by: rpaulo
Approved by: re (kib)
/boot/kernel/hptrr.ko
/etc/mail/*.cf
/lib/libcrypto.so.5
/usr/bin/ntpq
/usr/sbin/amd
/usr/sbin/iasl
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc
There does not appear to be any purpose to having these timestamps, and
they have the irritating consequence that the aforementioned files will
be different every time they are rebuilt.
After this commit, the only remaining build timestamps are in the kernel,
the boot loaders, /usr/include/osreldate.h (the year in the copyright
notice), and lib*.a (the timestamps on all of the included .o files).
Reviewed by: scottl (hptrr), gshapiro (sendmail), simon (openssl),
roberto (ntp), jkim (acpica)
Approved by: re (kib)
changes from the 9.6.1rc1 version. The first 2 only affect DNSSEC.
named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
Accept DS responses from delegation only zones.
"delegation-only" was not being accepted in
delegation-only type zones.
- update for getrlimit(2) manpage;
- support for setting RLIMIT_SWAP in login class;
- addition to the limits(1) and sh and csh limit-setting builtins;
- tuning(7) documentation on the sysctls controlling overcommit.
In collaboration with: pho
Reviewed by: alc
Approved by: re (kensmith)
even if some appear to have (partially) corrupted stack traces.
E.g. kernel crashdumps typically have stack weirdness at
userland-kernel boundary.
Obtained from: vendor/upstream (CVS rev 1.118 of stack.c)
Reviewed by: emaste
Approved by: jhb
