@opntr opntr released this Aug 14, 2018 · 213 commits to hardened/11-stable/master since this release

Highlights:

  • HBSD: do not allow overriding init_exec from the loader by default when the kernel is compiled with PAX_HARDENING (19f62c6)
  • HBSD MFC r337774: Reserve page at the physical address zero on amd64. (2be5949) [CVE-2018-3620]
  • Limit IP reassembly queues (b237529 473b73f 3b9d004 9154624 dfb2edc d85d754 54c1ac1 b3822a674366465673f831e3ff2b544e7292f924 2762fee5dd30eb9f1896295c63521e86a9b98d06 95d18bdb4de4bc81529cae34a3e1976145d6fcb1 f0d4e7bdc43c2e330df8bf6cb1fca39295403ffd) [FreeBSD-SA-18:10.ip, CVE-2018-6923]
  • HBSD MFC r337745: MFV r337744: Sync libarchive with vendor. [CVE-2017-14501]
  • MFC r337785: Provide part of the mitigation for L1TF-VMM. (249be55) [CVE-2018-3646]
  • MFC r336855 Fix the long term ULE load balancer so that it actually works. (e2d9372)

Changelog

Oliver Pinter (6):
      HBSD MFC r337773: amd64: ensure that curproc->p_vmspace pmap always matches PCPU curpmap.
      HBSD MFC r337745: MFV r337744: Sync libarchive with vendor.
      HBSD MFC r337774: Reserve page at the physical address zero on amd64.
      Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
      HBSD: do not allow overriding init_exec from the loader by default when the kernel is compiled with PAX_HARDENING
      HBSD: back out d138fc7b3d368a10326b6eaf70951c553adc7a4f commit due to boot problems

Oliver Pinter + (15):
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

ae (3):
      MFC r336405:   Move invoking of callout_stop(&lle->lle_timer) into llentry_free().
      MFC r336132:   Add "record-state", "set-limit" and "defer-action" rule options to ipfw.
      MFC r331098 (by melifaro):   Fix outgoing TCP/UDP packet drop on arp/ndp entry expiration.

bdrewery (23):
      MFC r335183:
      MFC r335244:
      MFC r335704:
      MFC r335708:
      MFC r335709:
      MFC r310789,r314901:
      MFC r335733:
      MFC r335923:
      MFC r335912:
      MFC r335922:
      MFC r326552:
      MFC r324103:
      MFC r323620:
      MFC r322565,r323323:
      MFC r321492:
      MFC r321491:
      MFC r321333:
      MFC r320286:
      MFC r320191:
      MFC r320274:
      Revert r325808 (MFC r322401) to re-MFC with larger set
      MFC r320280,r320281,r320282,r320283,r320284,r320285,r320692,r322362,r322401,r322402,r336181:
      MFC r326569:

brooks (1):
      MFC r337508:

davidcs (3):
      MFC r336438
      MFC r336680 Update man page with support for 41000 Series adapters
      MFC r336695 Remove support for QLNX_RCV_IN_TASKQ - i.e., Rx only in TaskQ. Added support for LLDP passthru Upgrade ECORE to version 8.33.5.0 Upgrade STORMFW to version 8.33.7.0 Added support for SRIOV

delphij (2):
      MFC r336121+r336127(cem): Don't delete outfile unconditionally.
      Remove mention of FreeBSD 9.x which is EoL'ed now.

dteske (1):
      MFC SVN r336350: Send sysrc(8) error message to stderr (not stdout)

gjb (1):
      MFC r337555, r337556:  r337555:   Update and replace old rc daemons for GCE images.

jtl (11):
      MFC r337775:   Improve hashing of IPv4 fragments.
      MFC r337776:   Improve IPv6 reassembly performance by hashing fragments into buckets.
      MFC r337778:   Add a global limit on the number of IPv4 fragments.
      MFC r337780:   Implement a limit on the number of IPv4 reassembly queues per bucket.
      MFC r337781:  Make the IPv6 fragment limits be global, rather than per-VNET, limits.
      MFC r337782:   Add a limit of the number of fragments per IPv6 packet.
      MFC r337783:   Implement a limit on the number of IPv6 reassembly queues per bucket.
      MFC r337784:   Drop 0-byte IPv6 fragments.
      MFC r337786:   Lower the default limits on the IPv4 reassembly queue.
      MFC r337787:   Lower the default limits on the IPv6 reassembly queue.
      MFC r337788:   Update the inet(4) and inet6(4) man pages to reflect the changes made   to the reassembly code in r337778, r337780, r337781, r337782, and   r337783.

kevans (3):
      MFC r337549: libnv: Remove -I${SRCTOP}/sys
      MFC r337331: efirt: Don't enter EFI context early, convert addrs to KVA
      MFC r322325: cat: fix build with -DNO_UDOM_SUPPORT

kib (9):
      MFC r337055: Avoid assertion in /dev/ufssuspend when the suspend ioctl is (incorrectly) called while another suspension is already active.
      MFC r337236: Some updates to vm_map(9).
      MFC r337316: Add END()s for amd64 linux futex support routines.
      MFC r336568: Move OFED libraries libmlx5.so.1 and libibverbs.so.1 to /lib.
      MFC r336569: Move mostly useless examples binaries from OFED, as well as the Subnet Manager, under the new option WITH_OFED_EXTRA, disabled by default.
      MFC r337430, r337436: Add missed handling of local relocs against ifunc target in the obj modules.
      MFC r337774: Reserve page at the physical address zero on amd64.
      MFC r337777: Add definitions related to the L1D flush operation capability and MSR.
      MFC r337785: Provide part of the mitigation for L1TF-VMM.

markj (7):
      MFC r337059: Fix some nits in the unix_passfd tests.
      MFC r337031: Require that MAC label buffers be able to store a non-empty string.
      MFC r336714: Simplify the arm64 implementation of pmap_mincore().
      MFC r337265: Add the required page accounting to kmem_bootstrap_free().
      MFC r337133: Add a rudimentary test for procstat kstack.
      MFC r337425: Recognize ICS1893C PHYs.
      MFC r337426: ifconfig: Fix use of _Noreturn

mmel (1):
      MFC r335249:

oshogbo (1):
      MFC r337189: bhyve: set title before entering capability mode

truckman (1):
      MFC r336855

Installer images: http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/ISO-IMAGES/HardenedBSD-11-STABLE-v1100056.3/

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-bootonly.iso) = ebb9bcfff4ae383a5786f1c604d1a8798168b452f3c60c93138987e42248c85c54986d86707e03f18cf5166dae95b18b87ed075bce1829c314007a6988c7248d
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-disc1.iso) = d59e6c829713f8a93bcafd712205598f690d4c4933bc5798f7c727382e84b18450cf2e166b3ff5fabdb410a73873fa238d7a90913de80f25af1ec1cfaa62bffd
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-memstick.img) = 63da6f43b0d280e4af5acd57541bd0b8876910e2ec433e076ece608737c9770672629a009dc6522b366432d69c095860fceab0fac2ed2d1c9f9e9da6f8d6bd4b
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-mini-memstick.img) = 1b720e5735c549b24154d7d12ed945fa3a0fbca55304c344845ae731fcdb0a990f07c299d5e9fb7cf858af4d88392fcfb7b930a070ffd4b2bffadf56a7b260eb

shortlog-HardenedBSD-11-STABLE-v1100056.3.txt
CHECKSUM.SHA512.txt
CHECKSUM.SHA512.asc.txt