HardenedBSD-11-STABLE-v46.14

@opntr opntr released this Jan 28, 2017 · 12394 commits to hardened/10-stable/master since this release

Warning: this is a security update!

Highlights:

  • update to OpenSSL 1.0.2k (4aed7e4) [FreeBSD-SA-candidate]
  • disable Intel's Silicon Debug capability at boot time (0ea6d98)
  • update to xz 5.2.3 (30cbb61)
  • Force -fPIC when building PIEs (c64a53f)

Changelog

Oliver Pinter (3):
      HBSD: Disable and lock Silicon Debug feature on modern Intel CPUs
      HBSD: hide the Silicon Debug CPU capability from bhyve VMM
      HBSD: hide the Silicon Debug CPU capability from bhyve

Oliver Pinter + (35):
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
      Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

Shawn Webb (11):
      Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
      HBSD: Force -fPIC when building PIEs
      Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
      HBSD: Resolve merge conflict
      Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
      HBSD: Resolve merge conflict
      Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
      HBSD: Resolve merge conflict
      Merge remote-tracking branch 'upstream/stable/11' into hardened/11-stable/master
      Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
      HBSD: Resolve merge conflict

ae (3):
      MFC r311679: Add direction argument to ipsec_setspidx_inpcb() function.
      MFC r309888: Modify IPv6 statistic accounting in ip6_input().
      MFC r312341: Initialize IPFW static rules rmlock with RM_RECURSE flag.

amdmi3 (1):
      MFC r310718:

araujo (1):
      MFC r310698:

arybchik (5):
      MFC r311877
      MFC r311961
      MFC r311962
      MFC r311977
      MFC r311983

asomers (3):
      MFC r310118
      MFC r310417
      MFC r310786, r310803, r310985, r311894

avg (3):
      MFC r310630: libkvm: support access to vmm guest memory, allow writes to fwmem and vmm
      MFC r312426: fix a thread preemption regression in schedulers introduced in r270423
      MFC r312532: don't abort writing of a core dump after EFAULT

avos (1):
      MFC r312560: ifconfig(8): fix '-stbc' parameter name.

bapt (4):
      MFC r310201:
      MFC r311953 (by cem)
      MFC r311659:
      MFC r312644, r312650

bz (1):
      MFC r311950:

cperciva (1):
      MFC r312214: Enable IPv6 on EC2 AMIs.

delphij (3):
      MFC r311762: Fix typo.
      MFC r311275: Restructure libz.
      MFC r311504: MFV r311477: xz 5.2.3.

dim (5):
      MFC r311807:
      MFC r311811:
      MFC r311933:
      MFC r311929:
      MFC r311932:

emaste (11):
      newvers.sh: add options to eliminate kernel build metadata
      MFC r310225: Reduce boot loader version string duplication
      MFC r308006: libunwind: consistently add \n to log and trace messages
      MFC r310365: libunwind: make __{de,}register_frame compatible with libgcc API
      MFC r311647: libunwind: add noexec stack annotation
      MFC r310267: Deduplicate loader vers.c Makefile rules
      MFC r311655: libmd: add noexec stack annotation in skein_block_asm.s
      readelf: add PPC64 relocation types
      Add WITH_REPRODUCIBLE_BUILD src.conf(5) knob
      Regen src.conf.5 after r312730 WITH_REPRODUCIBLE_BUILD
      MFC r312288: rtld: do not rely on a populated GOT on amd64

gnn (1):
      MFC 311224

gonzo (2):
      MFC r311888, r311890-r311891
      MFC r311911, r311923

hiren (1):
      MFC r311453

ian (1):
      MFC r308187, r311660, r311693, r311727, r311797:

jah (1):
      MFC r312153, r312191

jhb (6):
      MFC 307538,307948,308602,308603,311151: Move kdump's mksubr into libsysdecode.
      MFC 303946: Remove files unused after pulling system call names from libsysdecode.
      MFC 309589: Rework syscall structure lookups.
      MFC 304492,310721,310734: Update cxgbe info in NOTES.
      MFC 307332,312086: Drop support for using mmap() with /dev/kmem.
      MFC 310028: Use db_lookup_proc() in the DDB 'show procvm' command.

jilles (1):
      MFC r312230: skel: Do not set -o emacs in .shrc.

jkim (1):
      MFC:  r312825

jmcneill (1):
      MFC r310854, r310972

jpaetzel (3):
      MFC 311122
      MFC 310847 310864
      Revert MFC of 310847 and 310864

julian (1):
      MFH: r308671

kan (1):
      MFC r311993: Fix typo in r311971 and now in r312405 too.

kib (26):
      MFC r311447: Some style fixes for getfstat(2)-related code.
      MFC r311452: Do not allocate struct statfs on kernel stack.
      MFC r311523: Remove dead code.
      MFC r311524: Use vnode lock assertion expression, assert exclusive ownership.
      MFC r311525: Lock tmpfs node tn_status updates done under the shared vnode lock.
      MFC r311522: Use type-independent formats for printing nlink_t and ino_t.
      MFC r309710: Add a new populate() pager method and extend device pager ops vector with cdev_pg_populate() to provide device drivers access to it.
      MFC r309711: Implement the populate() pager method for phys pager.
      MFC r309712: Use the populate() driver paging method for i915 driver.
      MFC r311646: Define _POSIX_PRIORITY_SCHEDULING as 0, to account for the kernel option.
      MFC r311780: Use tab for indent.
      MFC r311781: Use standard Versions.def for libprocstat.
      MFC r311815: Forcibly remove the cached items from pseudofs vncache on module unload.
      MFC r311879: Use ANSI C definitions, update comment.
      MFC r311984: For the main binary, postpone enforcing relro read-only protection until copy relocations are done.
      MFC r311651: Export __cxa_thread_atexit_impl as an alias for __cxa_thread_atexit.
      MFC r311886: Fix acquisition of nested write compat rtld locks.
      MFC r311531 (by mjg): Perform a lockless check in tmpfs_itimes.
      MFC r311526 (by mjg): tmpfs: enable MNTK_EXTENDED_SHARED.
      MFC r312124 (by mjg): tmpfs: manage tm_pages_used with atomics.
      MFC r312407: Remove unused union member, fifos on tmpfs are implemented in common code.
      MFC r312409: Style fixes and comment updates.
      MFC r312410: Rework some tmpfs lock assertions.
      MFC r312414: Rename tmpfs_mount member allnode_lock to include namespace prefix.
      MFC r312425: Make tmpfs directory cursor available outside tmpfs_subr.c.
      MFC r312423: Refresh tmpfs(5) man page.

lifanov (1):
      MFC r311650

loos (8):
      MFC r310707:
      MFC r311700:
      MFC r311701:
      MFC r308458, r311157 and r312347:
      MFC r312408:
      MFC r312411:
      MFC r312604 and r312605:
      Fix a crash in netmap when using the emulated mode.

lwhsu (1):
      MFC r311881:

marius (1):
      MFC: r310309, r310340-310341, r311664, r311793-r311794

mav (24):
      MFC r311971: Report random flash storage as non-rotating to GEOM_DISK.
      MFC r311517: Add some more mode page fields.
      MFC r311623: Make do_buff_decode() not read past the end of the buffer.
      MFC r311636: Make 'camcontrol modepage' support subpages.
      MFC r311897: Add checks for received mode page length.
      MFC r310539: Remove CTL_MAX_LUNS from places where it is not required.
      MFC r310555: Some random code cleaning.
      MFC r310575: Fix improperly used nexus.targ_lun.
      MFC r310635: Decouple limits on number of LUNs per port and LUs per CTL.
      MFC r310640, r310643: Add support for revert to defaults (RTD) bit in MODE SELECT.
      MFC r310644: Fix/synchronize field types in struct ctl_modepage_header.
      MFC r310646: Do not update "saved" mode page on every MODE SELECT.
      MFC r310649: Allow more efficient use of private area.
      MFC r311892: Do not wait for HA thread shutdown if scheduler is stopped.
      MFC r311935: Pretend we support some IOCTLs to not scare upper layers.
      MFC r310778, r310782: Improve use of I/O's private area.
      MFC r311680: Make CTL_GETSTATS ioctl return partial data if buffer is small.
      MFC r311787: Allocate memory for prevent flags only for removable LUs.
      MFC r311804: Rewrite CTL statistics in more simple and scalable way.
      MFC r311873: Fix malloc(M_WAITOK) under mutex, introduced at r311787.
      MFC r312026: Improve CAM_CDB_POINTER support.
      MFC r312231: When in kernel, map ctl_scsi_zero_io() to ctl_zero_io().
      MFC r312232: Add under-/overrun support to IOCTL and CAM SIM frontends.
      MFC r312533: Report disk addition errors on `add` or `create` subcommand.

mjg (5):
      MFC r310907:
      MFC r310805:
      MFC r310983:
      MFC r311004:
      MFC r310766,r310767,r310774,r310779:

ngie (46):
      MFC r311548:
      MFC r311710:
      MFC r311711,r311712,r311713:
      MFC r311511:
      MFC r311871:
      MFC r311870:
      MFC r311714:
      MFC r311709:
      MFC r311715:
      MFC r311265,r311274:
      MFC r311268:
      MFC r311282:
      MFC r311290,r311293,r311294:
      MFC r311733:
      MFC r310729:
      MFC r310892,r310894,r310989:
      MFC r311390:
      MFC r311378:
      MFC r311739:
      MFC r310586,r310587,r310588:
      MFC r311381:
      MFC r310950:
      MFC r311227,r311917:
      MFC r311926:
      MFC r311924:
      MFC r311236,r311919:
      MFC r311750,r311754,r311757:
      MFC r311748:
      MFC r309464:
      MFC r311759,r311760:
      MFC r311741,r311761:
      MFC r311758:
      MFC r311742:
      MFC r311740:
      MFC r310655:
      MFC r310656,r311221:
      MFC r311140:
      MFC r312009:
      MFC r311133:
      MFC r312112:
      MFC r312118,r312121:
      MFC r312111:
      MFC r312122:
      MFC r312113:
      MFC r303166: r303166 (by imp):
      MFC r312331: r312331 (by glebius):

np (4):
      MFC r311569, r311657, and r311949.
      MFC r311831 and r311832.
      MFC r311848: cxgbe(4): Attach to the 2x25 debug card.  This is for internal use only.
      MFC r312368: cxgbe/tom: Fix a case where do_pass_accept_req wasn't properly restoring the VNET.

pfg (5):
      MFC r311896 Remove unused __gnu_inline() attribute.
      MFC r311101: libkvm - extend a bit the swap statistics field.
      MFC r311947, r311981:
      MFC r312443: mppc - Finish plugging NETGRAPH_MPPC_COMPRESSION.
      MFC r312538: Addition of clang nullability qualifiers.

rpokala (1):
      MFC r311963: Remove writability requirement for single-mbuf, contiguous-range m_pulldown()

smh (1):
      MFC r311769:

tijl (1):
      MFC r312699:

wblock (4):
      MFC 311527:
      MFC 312083:
      MFC 305887:
      MFC r312547: Mention sendfile(2) by popular demand.

yongari (4):
      MFC r304574-304575,304584: r304574: Correct DMA channel number selection on AR816x family of controllers. For Gigabit Ethernet version of AR816x, AR813x/AR815x except L1D controller, use vendor recommended ASPM parameters. While here, increase alc_dma_burst array size. Broken H/W can return bogus value in theory.
      MFC r304576: Add Killer E2400 to the supported hardware list.
      MFC r302548: Belatedly remove CSUM_IP_FRAGS and CSUM_FRAGMENT offloading capabilities. It was removed in r243624 and r254804/r271006 respectively. This file and mbuf(9) needs updates for other offloading capabilities(i.e. CSUM_SCTP and CSUM_TSO).
      MFC r309527-309528: r309527: Recognize RealTek ALC1150 7.1 channel HD audio codec.

Installer images: http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/ISO-IMAGES/HardenedBSD-11-STABLE-v46.14/

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-bootonly.iso) = e8f65f3cded1cb300ebd49b9af972447a5d9921b981440be3b45d123f42e765e18b733588c3130c73a2ea879d0fb7c8df5d2996101168993d61e73fb494345f8
SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-disc1.iso) = 3d0e0c053bf4722475bcb6f9b5831412097535b13cca470a5a2ee496721528d017ec240493d9e243c03887e9d47300a5a100cc87d1cd85f9943cf2823cd7aa8c
SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-memstick.img) = e633c7ec351519f90555bc69d045892456aaff8e838c04e5bc2afd31531299ecfd4528a81fadb126135a71c918d673fcab9678c7cd4a97a639eaf399f920effe
SHA512 (HardenedBSD-11-STABLE-v46.14-amd64-mini-memstick.img) = d7055dc066c9d7b55be7d1942c9f7ee82714a485b48d17988e27547221a961dd18448f4630bc56de1e782efbbd184fc103292b08a84ac49339cd3374194275fd

CHECKSUM.SHA512.asc:

shortlog-HardenedBSD-11-STABLE-v46.14.txt
CHECKSUM.SHA512.txt
CHECKSUM.SHA512.asc.txt
