From owner-svn-src-releng@FreeBSD.ORG Sun Mar 31 18:35:03 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 9DFC0383; Sun, 31 Mar 2013 18:35:03 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 8DF449B3; Sun, 31 Mar 2013 18:35:03 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r2VIZ3Xo045640; Sun, 31 Mar 2013 18:35:03 GMT (envelope-from mm@svn.freebsd.org) Received: (from mm@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r2VIZ3fJ045637; Sun, 31 Mar 2013 18:35:03 GMT (envelope-from mm@svn.freebsd.org) Message-Id: <201303311835.r2VIZ3fJ045637@svn.freebsd.org> 
From: Martin Matuska Date: Sun, 31 Mar 2013 18:35:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r248955 - in releng/8.4: cddl/contrib/opensolaris/cmd/zdb sys/cddl/contrib/opensolaris/uts/common/fs/zfs X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Mar 2013 18:35:03 -0000 Author: mm Date: Sun Mar 31 18:35:02 2013 New Revision: 248955 URL: http://svnweb.freebsd.org/changeset/base/248955 Log: MFC r247852: Import ZFS bpobj bugfix from vendor. Illumos ZFS issues: 3603 panic from bpobj_enqueue_subobj() 3604 zdb should print bpobjs more verbosely Approved by: re (marius) Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c Directory Properties: releng/8.4/cddl/contrib/opensolaris/ (props changed) releng/8.4/sys/ (props changed) releng/8.4/sys/cddl/ (props changed) releng/8.4/sys/cddl/contrib/opensolaris/ (props changed) Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c ============================================================================== --- releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c Sun Mar 31 18:31:58 2013 (r248954) +++ releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c Sun Mar 31 18:35:02 2013 (r248955) @@ -1189,7 +1189,7 @@ dump_bpobj_cb(void *arg, const blkptr_t } static void -dump_bpobj(bpobj_t *bpo, char *name) +dump_bpobj(bpobj_t *bpo, char *name, int indent) { char bytes[32]; char comp[32]; 
@@ -1199,31 +1199,56 @@ dump_bpobj(bpobj_t *bpo, char *name) return; zdb_nicenum(bpo->bpo_phys->bpo_bytes, bytes); - if (bpo->bpo_havesubobj) { + if (bpo->bpo_havesubobj && bpo->bpo_phys->bpo_subobjs != 0) { zdb_nicenum(bpo->bpo_phys->bpo_comp, comp); zdb_nicenum(bpo->bpo_phys->bpo_uncomp, uncomp); - (void) printf("\n %s: %llu local blkptrs, %llu subobjs, " - "%s (%s/%s comp)\n", - name, (u_longlong_t)bpo->bpo_phys->bpo_num_blkptrs, + (void) printf(" %*s: object %llu, %llu local blkptrs, " + "%llu subobjs, %s (%s/%s comp)\n", + indent * 8, name, + (u_longlong_t)bpo->bpo_object, + (u_longlong_t)bpo->bpo_phys->bpo_num_blkptrs, (u_longlong_t)bpo->bpo_phys->bpo_num_subobjs, bytes, comp, uncomp); + + for (uint64_t i = 0; i < bpo->bpo_phys->bpo_num_subobjs; i++) { + uint64_t subobj; + bpobj_t subbpo; + int error; + VERIFY0(dmu_read(bpo->bpo_os, + bpo->bpo_phys->bpo_subobjs, + i * sizeof (subobj), sizeof (subobj), &subobj, 0)); + error = bpobj_open(&subbpo, bpo->bpo_os, subobj); + if (error != 0) { + (void) printf("ERROR %u while trying to open " + "subobj id %llu\n", + error, (u_longlong_t)subobj); + continue; + } + dump_bpobj(&subbpo, "subobj", indent + 1); + } } else { - (void) printf("\n %s: %llu blkptrs, %s\n", - name, (u_longlong_t)bpo->bpo_phys->bpo_num_blkptrs, bytes); + (void) printf(" %*s: object %llu, %llu blkptrs, %s\n", + indent * 8, name, + (u_longlong_t)bpo->bpo_object, + (u_longlong_t)bpo->bpo_phys->bpo_num_blkptrs, + bytes); } if (dump_opt['d'] < 5) return; - (void) printf("\n"); - (void) bpobj_iterate_nofree(bpo, dump_bpobj_cb, NULL, NULL); + if (indent == 0) { + (void) bpobj_iterate_nofree(bpo, dump_bpobj_cb, NULL, NULL); + (void) printf("\n"); + } } static void dump_deadlist(dsl_deadlist_t *dl) { dsl_deadlist_entry_t *dle; + uint64_t unused; char bytes[32]; char comp[32]; char uncomp[32]; 
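Review bot: in the new subobj loop of dump_bpobj(), each subbpo opened with bpobj_open() is handed to the recursive dump_bpobj() call and then goes out of scope without a matching bpobj_close(), so every sub-object stays open for the rest of the run. Add bpobj_close(&subbpo) after the recursive call. The same loop wraps dmu_read() in VERIFY0(), which aborts zdb on a read error, while a bpobj_open() failure a few lines later is reported and skipped; reporting and continuing in both cases would be more consistent for a diagnostic tool. Minor: error is declared int but printed with %u.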
@@ -1242,14 +1267,24 @@ dump_deadlist(dsl_deadlist_t *dl) (void) printf("\n"); + /* force the tree to be loaded */ + dsl_deadlist_space_range(dl, 0, UINT64_MAX, &unused, &unused, &unused); + for (dle = avl_first(&dl->dl_tree); dle; dle = AVL_NEXT(&dl->dl_tree, dle)) { - (void) printf(" mintxg %llu -> obj %llu\n", - (longlong_t)dle->dle_mintxg, - (longlong_t)dle->dle_bpobj.bpo_object); + if (dump_opt['d'] >= 5) { + char buf[128]; + (void) snprintf(buf, sizeof (buf), "mintxg %llu -> ", + (longlong_t)dle->dle_mintxg, + (longlong_t)dle->dle_bpobj.bpo_object); - if (dump_opt['d'] >= 5) - dump_bpobj(&dle->dle_bpobj, ""); + dump_bpobj(&dle->dle_bpobj, buf, 0); + } else { + (void) printf("mintxg %llu -> obj %llu\n", + (longlong_t)dle->dle_mintxg, + (longlong_t)dle->dle_bpobj.bpo_object); + + } } } @@ -1272,7 +1307,7 @@ fuid_table_destroy() * print uid or gid information. * For normal POSIX id just the id is printed in decimal format. * For CIFS files with FUID the fuid is printed in hex followed by - * the doman-rid string. + * the domain-rid string. */ static void print_idstr(uint64_t id, const char *id_type) @@ -2529,10 +2564,11 @@ dump_zpool(spa_t *spa) if (dump_opt['d'] || dump_opt['i']) { dump_dir(dp->dp_meta_objset); if (dump_opt['d'] >= 3) { - dump_bpobj(&spa->spa_deferred_bpobj, "Deferred frees"); + dump_bpobj(&spa->spa_deferred_bpobj, + "Deferred frees", 0); if (spa_version(spa) >= SPA_VERSION_DEADLISTS) { dump_bpobj(&spa->spa_dsl_pool->dp_free_bpobj, - "Pool snapshot frees"); + "Pool snapshot frees", 0); } if (spa_feature_is_active(spa, Modified: releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c ============================================================================== --- releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c Sun Mar 31 18:31:58 2013 (r248954) +++ releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/bpobj.c Sun Mar 31 18:35:02 2013 (r248955) 
@@ -20,7 +20,7 @@ */ /* * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright (c) 2012 by Delphix. All rights reserved. + * Copyright (c) 2013 by Delphix. All rights reserved. */ #include @@ -414,6 +414,12 @@ bpobj_enqueue_subobj(bpobj_t *bpo, uint6 VERIFY3U(0, ==, dmu_buf_hold(bpo->bpo_os, subsubobjs, 0, FTAG, &subdb, 0)); + /* + * Make sure that we are not asking dmu_write() + * to write more data than we have in our buffer. + */ + VERIFY3U(subdb->db_size, >=, + numsubsub * sizeof (subobj)); dmu_write(bpo->bpo_os, bpo->bpo_phys->bpo_subobjs, bpo->bpo_phys->bpo_num_subobjs * sizeof (subobj), numsubsub * sizeof (subobj), subdb->db_data, tx); Modified: releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c ============================================================================== --- releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c Sun Mar 31 18:31:58 2013 (r248954) +++ releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c Sun Mar 31 18:35:02 2013 (r248955) 
@@ -1712,7 +1712,7 @@ dmu_object_info_from_dnode(dnode_t *dn, doi->doi_checksum = dn->dn_checksum; doi->doi_compress = dn->dn_compress; doi->doi_physical_blocks_512 = (DN_USED_BYTES(dnp) + 256) >> 9; - doi->doi_max_offset = (dnp->dn_maxblkid + 1) * dn->dn_datablksz; + doi->doi_max_offset = (dn->dn_maxblkid + 1) * dn->dn_datablksz; doi->doi_fill_count = 0; for (int i = 0; i < dnp->dn_nblkptr; i++) doi->doi_fill_count += dnp->dn_blkptr[i].blk_fill; From owner-svn-src-releng@FreeBSD.ORG Sun Mar 31 18:51:35 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id B751C70C; Sun, 31 Mar 2013 18:51:35 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 9B232A14; Sun, 31 Mar 2013 18:51:35 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r2VIpZQ9051052; Sun, 31 Mar 2013 18:51:35 GMT (envelope-from mm@svn.freebsd.org) Received: (from mm@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r2VIpY4q051049; Sun, 31 Mar 2013 18:51:34 GMT (envelope-from mm@svn.freebsd.org) Message-Id: <201303311851.r2VIpY4q051049@svn.freebsd.org> 
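Review bot: in the dump_deadlist() hunk of zdb.c (the dump_opt['d'] >= 5 branch), the new snprintf() passes two arguments, dle->dle_mintxg and dle->dle_bpobj.bpo_object, but the format "mintxg %llu -> " has a single conversion, so the second argument is silently ignored. Drop the bpo_object argument, since dump_bpobj() now prints the object number itself. Both calls also cast to (longlong_t) for a %llu conversion; (u_longlong_t), as used in dump_bpobj(), matches the format.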
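Review bot: in the bpobj_enqueue_subobj() hunk of bpobj.c, the new VERIFY3U() keeps dmu_write() from copying past the end of subdb->db_data, but it does so by panicking, and the buffer comes from dmu_buf_hold() at offset 0, so it covers only the first block of subsubobjs. The comment should state that the sub-subobj array is expected to fit in that first block, or the copy should be done block by block so that a larger array is handled rather than asserted on.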
From: Martin Matuska Date: Sun, 31 Mar 2013 18:51:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r248957 - in releng/8.4/cddl/contrib/opensolaris/cmd: zdb zpool X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Mar 2013 18:51:35 -0000 Author: mm Date: Sun Mar 31 18:51:34 2013 New Revision: 248957 URL: http://svnweb.freebsd.org/changeset/base/248957 Log: MFC r248267: Import minor ZFS changes from vendor Illumos ZFS issues: 3604 zdb should print bpobjs more verbosely (fix zdb hang) 3606 zpool status -x shouldn't warn about old on-disk format Approved by: re (marius) Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool.8 releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Directory Properties: releng/8.4/cddl/contrib/opensolaris/ (props changed) Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c ============================================================================== --- releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c Sun Mar 31 18:39:11 2013 (r248956) +++ releng/8.4/cddl/contrib/opensolaris/cmd/zdb/zdb.c Sun Mar 31 18:51:34 2013 (r248957) 
@@ -1225,6 +1225,7 @@ dump_bpobj(bpobj_t *bpo, char *name, int continue; } dump_bpobj(&subbpo, "subobj", indent + 1); + bpobj_close(&subbpo); } } else { (void) printf(" %*s: object %llu, %llu blkptrs, %s\n", Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool.8 ============================================================================== --- releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool.8 Sun Mar 31 18:39:11 2013 (r248956) +++ releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool.8 Sun Mar 31 18:51:34 2013 (r248957) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 15, 2012 +.Dd March 14, 2013 .Dt ZPOOL 8 .Os .Sh NAME @@ -1608,14 +1608,15 @@ is specified, the command exits after .Ar count reports are printed. .Pp -If a scrub or resilver is in progress, this command reports the percentage done -and the estimated time to completion. Both of these are only approximate, +If a scrub or resilver is in progress, this command reports the percentage +done and the estimated time to completion. Both of these are only approximate, because the amount of data in the pool and the other workloads on the system can change. .Bl -tag -width indent .It Fl x Only display status for pools that are exhibiting errors or are otherwise unavailable. +Warnings about pools not using the latest on-disk format will not be included. .It Fl v Displays verbose data error information, printing out a complete list of all data errors since the last complete pool scrub. Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c ============================================================================== --- releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Sun Mar 31 18:39:11 2013 (r248956) +++ releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Sun Mar 31 18:51:34 2013 (r248957) 
@@ -4030,7 +4030,10 @@ status_callback(zpool_handle_t *zhp, voi * If we were given 'zpool status -x', only report those pools with * problems. */ - if (reason == ZPOOL_STATUS_OK && cbp->cb_explain) { + if (cbp->cb_explain && + (reason == ZPOOL_STATUS_OK || + reason == ZPOOL_STATUS_VERSION_OLDER || + reason == ZPOOL_STATUS_FEAT_DISABLED)) { if (!cbp->cb_allpools) { (void) printf(gettext("pool '%s' is healthy\n"), zpool_get_name(zhp)); From owner-svn-src-releng@FreeBSD.ORG Mon Apr 1 09:56:21 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 00D514FB; Mon, 1 Apr 2013 09:56:20 +0000 (UTC) (envelope-from tijl@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id D912FFAC; Mon, 1 Apr 2013 09:56:20 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r319uK0M015216; Mon, 1 Apr 2013 09:56:20 GMT (envelope-from tijl@svn.freebsd.org) Received: (from tijl@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r319uKtB015215; Mon, 1 Apr 2013 09:56:20 GMT (envelope-from tijl@svn.freebsd.org) Message-Id: <201304010956.r319uKtB015215@svn.freebsd.org> 
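Review bot: in the status_callback() hunk of zpool_main.c, the comment directly above the changed condition still says only that pools with problems are reported under 'zpool status -x', while the condition now also treats ZPOOL_STATUS_VERSION_OLDER and ZPOOL_STATUS_FEAT_DISABLED as healthy. Extend the comment to say that these two notices are not counted as problems. The sentence added to zpool.8 in the same commit mentions only the on-disk format, not disabled features, so the manual page should cover ZPOOL_STATUS_FEAT_DISABLED as well.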
From: Tijl Coosemans Date: Mon, 1 Apr 2013 09:56:20 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r248966 - releng/8.4/sys/kern X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Apr 2013 09:56:21 -0000 Author: tijl Date: Mon Apr 1 09:56:20 2013 New Revision: 248966 URL: http://svnweb.freebsd.org/changeset/base/248966 Log: MFS r248880: - Fix two possible overflows when testing if ELF program headers are on the first page: 1. Cast uint16_t operands in a multiplication to unsigned int because otherwise the implicit promotion to int results in a signed multiplication that can overflow and the behaviour on integer overflow is undefined. 2. Replace (offset + size > PAGE_SIZE) with (size > PAGE_SIZE - offset) because the sum may overflow. - Use the same tests to see if the path to the interpreter is on the first page. There's no overflow here because size is already limited by MAXPATHLEN, but the compiler optimises the new tests better. Also fix an off-by-one error. - Simplify tests to see if an ELF note program header is on the first page. This also fixes an off-by-one error. Reviewed by: kib Approved by: re (glebius) Modified: releng/8.4/sys/kern/imgact_elf.c Directory Properties: releng/8.4/sys/ (props changed) releng/8.4/sys/kern/ (props changed) Modified: releng/8.4/sys/kern/imgact_elf.c ============================================================================== --- releng/8.4/sys/kern/imgact_elf.c Mon Apr 1 00:44:20 2013 (r248965) +++ releng/8.4/sys/kern/imgact_elf.c Mon Apr 1 09:56:20 2013 (r248966) 
@@ -629,9 +629,8 @@ __elfN(load_file)(struct proc *p, const } /* Only support headers that fit within first page for now */ - /* (multiplication of two Elf_Half fields will not overflow) */ if ((hdr->e_phoff > PAGE_SIZE) || - (hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE - hdr->e_phoff) { + (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) { error = ENOEXEC; goto fail; } @@ -713,7 +712,7 @@ __CONCAT(exec_, __elfN(imgact))(struct i */ if ((hdr->e_phoff > PAGE_SIZE) || - (hdr->e_phoff + hdr->e_phentsize * hdr->e_phnum) > PAGE_SIZE) { + (u_int)hdr->e_phentsize * hdr->e_phnum > PAGE_SIZE - hdr->e_phoff) { /* Only support headers in first page for now */ return (ENOEXEC); } @@ -732,8 +731,8 @@ __CONCAT(exec_, __elfN(imgact))(struct i if (phdr[i].p_type == PT_INTERP) { /* Path to interpreter */ if (phdr[i].p_filesz > MAXPATHLEN || - phdr[i].p_offset >= PAGE_SIZE || - phdr[i].p_offset + phdr[i].p_filesz >= PAGE_SIZE) + phdr[i].p_offset > PAGE_SIZE || + phdr[i].p_filesz > PAGE_SIZE - phdr[i].p_offset) return (ENOEXEC); interp = imgp->image_header + phdr[i].p_offset; interp_name_len = phdr[i].p_filesz; 
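Review bot: in the PT_INTERP hunk, relaxing the offset test from >= PAGE_SIZE to > PAGE_SIZE means a header with p_offset == PAGE_SIZE and p_filesz == 0 now passes both tests, leaving interp pointing one byte past the end of the first page with interp_name_len 0. If an empty interpreter path is not meant to be accepted, reject p_filesz == 0 here. The subtraction PAGE_SIZE - phdr[i].p_offset is only safe because the p_offset > PAGE_SIZE test comes first; a short comment saying so would keep a later reordering from reintroducing the wraparound.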
@@ -1417,9 +1416,8 @@ __elfN(parse_notes)(struct image_params const char *note_name; int i; - if (pnote == NULL || pnote->p_offset >= PAGE_SIZE || - pnote->p_filesz > PAGE_SIZE || - pnote->p_offset + pnote->p_filesz >= PAGE_SIZE) + if (pnote == NULL || pnote->p_offset > PAGE_SIZE || + pnote->p_filesz > PAGE_SIZE - pnote->p_offset) return (FALSE); note = note0 = (const Elf_Note *)(imgp->image_header + pnote->p_offset); From owner-svn-src-releng@FreeBSD.ORG Tue Apr 2 17:11:08 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 61E3C163; Tue, 2 Apr 2013 17:11:08 +0000 (UTC) (envelope-from dteske@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 54C6A16C; Tue, 2 Apr 2013 17:11:08 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r32HB8fj069955; Tue, 2 Apr 2013 17:11:08 GMT (envelope-from dteske@svn.freebsd.org) Received: (from dteske@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r32HB8m6069954; Tue, 2 Apr 2013 17:11:08 GMT (envelope-from dteske@svn.freebsd.org) Message-Id: <201304021711.r32HB8m6069954@svn.freebsd.org> 
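Review bot: in the parse_notes() hunk of imgact_elf.c, the two-clause test (offset > PAGE_SIZE, then size > PAGE_SIZE - offset) is written out by hand for the fourth time in this patch. A small inline helper or macro taking offset and size would keep the ordering dependency between the two clauses in one place. As written, a note segment with p_filesz smaller than sizeof(Elf_Note), including 0 at p_offset == PAGE_SIZE, passes the test, so confirm that the code after this hunk does not read *note before comparing it against the end of the segment.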
From: Devin Teske Date: Tue, 2 Apr 2013 17:11:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r249027 - releng/8.4/usr.sbin/sysinstall X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2013 17:11:08 -0000 Author: dteske Date: Tue Apr 2 17:11:07 2013 New Revision: 249027 URL: http://svnweb.freebsd.org/changeset/base/249027 Log: MFS8 r249023: Oops, r240972 (Add DEBUG kernel distribution) forgot to make said distribution optional (such as the long-standing "local" distribution; also optional). This fixes a regression in the install process when the user selects "All" as the distribution-set. This is a direct commit to stable/8. PR: bin/177309 Reviewed by: eadler Approved by: re (glebius) Modified: releng/8.4/usr.sbin/sysinstall/dist.c Directory Properties: releng/8.4/usr.sbin/sysinstall/ (props changed) Modified: releng/8.4/usr.sbin/sysinstall/dist.c ============================================================================== --- releng/8.4/usr.sbin/sysinstall/dist.c Tue Apr 2 16:50:50 2013 (r249026) +++ releng/8.4/usr.sbin/sysinstall/dist.c Tue Apr 2 17:11:07 2013 (r249027) @@ -756,7 +756,9 @@ distExtract(char *parent, Distribution * &me[i] == BASE_DIST); if (!status) { dialog_clear_norefresh(); - if (me[i].my_bit != DIST_LOCAL) { + if (me[i].my_bit != DIST_LOCAL && + me[i].my_bit != DIST_KERNEL_DEBUG) + { status = msgYesNo("Unable to transfer the %s distribution from\n%s.\n\n" "Do you want to try to retrieve it again?", me[i].my_name, mediaDevice->name); 
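Review bot: the set of optional distributions is now hard-coded in three places: the retry test in this distExtract() hunk, the comment in its else branch, and the Dists mask in distExtractAll(). Define one mask for them (for example DIST_LOCAL|DIST_KERNEL_DEBUG under a single name) and test me[i].my_bit against it, so the next optional distribution cannot be added in one place and missed in another, which is the kind of omission the log message describes. The opening brace on its own line after the two-line condition also differs from the other if statements visible in this patch.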
@@ -767,7 +769,7 @@ distExtract(char *parent, Distribution * status = FALSE; } else { - // ignore any failures with DIST_LOCAL + // ignore any failures with DIST_LOCAL/_KERNEL_DEBUG status = TRUE; } } @@ -906,8 +908,8 @@ distExtractAll(dialogMenuItem *self) if ((old_dists & DIST_KERNEL) && !(Dists & DIST_KERNEL)) status |= installFixupKernel(self, old_kernel); - /* Clear any local dist flags now */ - Dists &= ~DIST_LOCAL; + /* Clear any optional dist flags now */ + Dists &= ~(DIST_LOCAL|DIST_KERNEL_DEBUG); if (Dists) { int col = 0; From owner-svn-src-releng@FreeBSD.ORG Tue Apr 2 17:34:49 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 7B547AAD; Tue, 2 Apr 2013 17:34:49 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 6A8502E9; Tue, 2 Apr 2013 17:34:49 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r32HYnGh076276; Tue, 2 Apr 2013 17:34:49 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r32HYgxX076233; Tue, 2 Apr 2013 17:34:42 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201304021734.r32HYgxX076233@svn.freebsd.org> 
From: Xin LI Date: Tue, 2 Apr 2013 17:34:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r249029 - in releng: 8.3 8.3/crypto/openssl 8.3/crypto/openssl/apps 8.3/crypto/openssl/crypto 8.3/crypto/openssl/crypto/asn1 8.3/crypto/openssl/crypto/bio 8.3/crypto/openssl/crypto/bn 8... X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2013 17:34:49 -0000 Author: delphij Date: Tue Apr 2 17:34:42 2013 New Revision: 249029 URL: http://svnweb.freebsd.org/changeset/base/249029 Log: Fix OpenSSL multiple vulnerabilities. [13:03] Fix BIND remote denial of service. [13:04] Security: CVE-2013-0166, CVE-2013-0169 Security: FreeBSD-SA-13:03.openssl Security: CVE-2013-2266 Security: FreeBSD-SA-13:04.bind Approved by: so Added: releng/8.3/crypto/openssl/ssl/s3_cbc.c releng/9.0/crypto/openssl/ssl/s3_cbc.c releng/9.1/crypto/openssl/ssl/s3_cbc.c Modified: releng/8.3/UPDATING releng/8.3/crypto/openssl/CHANGES releng/8.3/crypto/openssl/Configure releng/8.3/crypto/openssl/FAQ releng/8.3/crypto/openssl/LICENSE releng/8.3/crypto/openssl/Makefile releng/8.3/crypto/openssl/NEWS releng/8.3/crypto/openssl/README releng/8.3/crypto/openssl/apps/apps.c releng/8.3/crypto/openssl/apps/asn1pars.c releng/8.3/crypto/openssl/apps/cms.c releng/8.3/crypto/openssl/apps/dhparam.c releng/8.3/crypto/openssl/apps/openssl.cnf releng/8.3/crypto/openssl/apps/pkcs12.c releng/8.3/crypto/openssl/apps/s_client.c releng/8.3/crypto/openssl/apps/s_server.c releng/8.3/crypto/openssl/apps/x509.c releng/8.3/crypto/openssl/config releng/8.3/crypto/openssl/crypto/asn1/a_object.c 
releng/8.3/crypto/openssl/crypto/asn1/a_strex.c releng/8.3/crypto/openssl/crypto/asn1/a_strnid.c releng/8.3/crypto/openssl/crypto/asn1/a_verify.c releng/8.3/crypto/openssl/crypto/asn1/asn1.h releng/8.3/crypto/openssl/crypto/asn1/asn_mime.c releng/8.3/crypto/openssl/crypto/asn1/x_name.c releng/8.3/crypto/openssl/crypto/asn1/x_pubkey.c releng/8.3/crypto/openssl/crypto/bio/bf_buff.c releng/8.3/crypto/openssl/crypto/bio/bio.h releng/8.3/crypto/openssl/crypto/bio/bss_dgram.c releng/8.3/crypto/openssl/crypto/bn/asm/mo-586.pl releng/8.3/crypto/openssl/crypto/bn/asm/ppc.pl releng/8.3/crypto/openssl/crypto/bn/bn_blind.c releng/8.3/crypto/openssl/crypto/bn/bn_gf2m.c releng/8.3/crypto/openssl/crypto/bn/bn_word.c releng/8.3/crypto/openssl/crypto/cms/cms.h releng/8.3/crypto/openssl/crypto/cms/cms_enc.c releng/8.3/crypto/openssl/crypto/cms/cms_env.c releng/8.3/crypto/openssl/crypto/cms/cms_io.c releng/8.3/crypto/openssl/crypto/cms/cms_lcl.h releng/8.3/crypto/openssl/crypto/cms/cms_smime.c releng/8.3/crypto/openssl/crypto/comp/c_rle.c releng/8.3/crypto/openssl/crypto/conf/conf_api.c releng/8.3/crypto/openssl/crypto/cryptlib.c releng/8.3/crypto/openssl/crypto/crypto.h releng/8.3/crypto/openssl/crypto/ec/ec2_smpl.c releng/8.3/crypto/openssl/crypto/ec/ec_key.c releng/8.3/crypto/openssl/crypto/ec/ecp_smpl.c releng/8.3/crypto/openssl/crypto/ecdsa/ecdsatest.c releng/8.3/crypto/openssl/crypto/ecdsa/ecs_ossl.c releng/8.3/crypto/openssl/crypto/evp/evp_test.c releng/8.3/crypto/openssl/crypto/o_init.c releng/8.3/crypto/openssl/crypto/ocsp/ocsp_lib.c releng/8.3/crypto/openssl/crypto/ocsp/ocsp_vfy.c releng/8.3/crypto/openssl/crypto/opensslv.h releng/8.3/crypto/openssl/crypto/perlasm/cbc.pl releng/8.3/crypto/openssl/crypto/pkcs7/pk7_smime.c releng/8.3/crypto/openssl/crypto/rc4/asm/rc4-x86_64.pl releng/8.3/crypto/openssl/crypto/rc4/rc4_skey.c releng/8.3/crypto/openssl/crypto/rsa/rsa_eay.c releng/8.3/crypto/openssl/crypto/rsa/rsa_oaep.c releng/8.3/crypto/openssl/crypto/symhacks.h 
releng/8.3/crypto/openssl/crypto/x509/x509_vfy.c releng/8.3/crypto/openssl/crypto/x509v3/v3_addr.c releng/8.3/crypto/openssl/crypto/x509v3/v3_asid.c releng/8.3/crypto/openssl/doc/HOWTO/proxy_certificates.txt releng/8.3/crypto/openssl/doc/apps/CA.pl.pod releng/8.3/crypto/openssl/doc/apps/ca.pod releng/8.3/crypto/openssl/doc/apps/dgst.pod releng/8.3/crypto/openssl/doc/crypto/engine.pod releng/8.3/crypto/openssl/doc/ssl/SSL_clear.pod releng/8.3/crypto/openssl/engines/e_capi.c releng/8.3/crypto/openssl/engines/e_capi_err.h releng/8.3/crypto/openssl/fips/fips_canister.c releng/8.3/crypto/openssl/openssl.spec releng/8.3/crypto/openssl/ssl/Makefile releng/8.3/crypto/openssl/ssl/bio_ssl.c releng/8.3/crypto/openssl/ssl/d1_both.c releng/8.3/crypto/openssl/ssl/d1_clnt.c releng/8.3/crypto/openssl/ssl/d1_enc.c releng/8.3/crypto/openssl/ssl/d1_lib.c releng/8.3/crypto/openssl/ssl/d1_pkt.c releng/8.3/crypto/openssl/ssl/d1_srvr.c releng/8.3/crypto/openssl/ssl/s2_clnt.c releng/8.3/crypto/openssl/ssl/s2_pkt.c releng/8.3/crypto/openssl/ssl/s2_srvr.c releng/8.3/crypto/openssl/ssl/s3_both.c releng/8.3/crypto/openssl/ssl/s3_clnt.c releng/8.3/crypto/openssl/ssl/s3_enc.c releng/8.3/crypto/openssl/ssl/s3_lib.c releng/8.3/crypto/openssl/ssl/s3_pkt.c releng/8.3/crypto/openssl/ssl/s3_srvr.c releng/8.3/crypto/openssl/ssl/ssl.h releng/8.3/crypto/openssl/ssl/ssl_ciph.c releng/8.3/crypto/openssl/ssl/ssl_err.c releng/8.3/crypto/openssl/ssl/ssl_lib.c releng/8.3/crypto/openssl/ssl/ssl_locl.h releng/8.3/crypto/openssl/ssl/t1_enc.c releng/8.3/crypto/openssl/ssl/t1_lib.c releng/8.3/crypto/openssl/util/fipslink.pl releng/8.3/crypto/openssl/util/libeay.num releng/8.3/crypto/openssl/util/mkerr.pl releng/8.3/crypto/openssl/util/pl/VC-32.pl releng/8.3/secure/lib/libcrypto/Makefile.inc releng/8.3/secure/lib/libssl/Makefile releng/8.3/sys/conf/newvers.sh releng/9.0/UPDATING releng/9.0/crypto/openssl/CHANGES releng/9.0/crypto/openssl/Configure releng/9.0/crypto/openssl/FAQ releng/9.0/crypto/openssl/LICENSE 
releng/9.0/crypto/openssl/Makefile releng/9.0/crypto/openssl/NEWS releng/9.0/crypto/openssl/README releng/9.0/crypto/openssl/apps/apps.c releng/9.0/crypto/openssl/apps/asn1pars.c releng/9.0/crypto/openssl/apps/cms.c releng/9.0/crypto/openssl/apps/dhparam.c releng/9.0/crypto/openssl/apps/openssl.cnf releng/9.0/crypto/openssl/apps/pkcs12.c releng/9.0/crypto/openssl/apps/s_client.c releng/9.0/crypto/openssl/apps/s_server.c releng/9.0/crypto/openssl/apps/x509.c releng/9.0/crypto/openssl/config releng/9.0/crypto/openssl/crypto/asn1/a_object.c releng/9.0/crypto/openssl/crypto/asn1/a_strex.c releng/9.0/crypto/openssl/crypto/asn1/a_strnid.c releng/9.0/crypto/openssl/crypto/asn1/a_verify.c releng/9.0/crypto/openssl/crypto/asn1/asn1.h releng/9.0/crypto/openssl/crypto/asn1/asn_mime.c releng/9.0/crypto/openssl/crypto/asn1/x_name.c releng/9.0/crypto/openssl/crypto/asn1/x_pubkey.c releng/9.0/crypto/openssl/crypto/bio/bf_buff.c releng/9.0/crypto/openssl/crypto/bio/bio.h releng/9.0/crypto/openssl/crypto/bio/bss_dgram.c releng/9.0/crypto/openssl/crypto/bn/asm/mo-586.pl releng/9.0/crypto/openssl/crypto/bn/asm/ppc.pl releng/9.0/crypto/openssl/crypto/bn/bn_blind.c releng/9.0/crypto/openssl/crypto/bn/bn_gf2m.c releng/9.0/crypto/openssl/crypto/bn/bn_word.c releng/9.0/crypto/openssl/crypto/cms/cms.h releng/9.0/crypto/openssl/crypto/cms/cms_enc.c releng/9.0/crypto/openssl/crypto/cms/cms_env.c releng/9.0/crypto/openssl/crypto/cms/cms_io.c releng/9.0/crypto/openssl/crypto/cms/cms_lcl.h releng/9.0/crypto/openssl/crypto/cms/cms_smime.c releng/9.0/crypto/openssl/crypto/comp/c_rle.c releng/9.0/crypto/openssl/crypto/conf/conf_api.c releng/9.0/crypto/openssl/crypto/cryptlib.c releng/9.0/crypto/openssl/crypto/crypto.h releng/9.0/crypto/openssl/crypto/ec/ec2_smpl.c releng/9.0/crypto/openssl/crypto/ec/ec_key.c releng/9.0/crypto/openssl/crypto/ec/ecp_smpl.c releng/9.0/crypto/openssl/crypto/ecdsa/ecdsatest.c releng/9.0/crypto/openssl/crypto/ecdsa/ecs_ossl.c 
releng/9.0/crypto/openssl/crypto/evp/evp_test.c releng/9.0/crypto/openssl/crypto/o_init.c releng/9.0/crypto/openssl/crypto/ocsp/ocsp_lib.c releng/9.0/crypto/openssl/crypto/ocsp/ocsp_vfy.c releng/9.0/crypto/openssl/crypto/opensslv.h releng/9.0/crypto/openssl/crypto/perlasm/cbc.pl releng/9.0/crypto/openssl/crypto/pkcs7/pk7_smime.c releng/9.0/crypto/openssl/crypto/rc4/asm/rc4-x86_64.pl releng/9.0/crypto/openssl/crypto/rc4/rc4_skey.c releng/9.0/crypto/openssl/crypto/rsa/rsa_eay.c releng/9.0/crypto/openssl/crypto/rsa/rsa_oaep.c releng/9.0/crypto/openssl/crypto/symhacks.h releng/9.0/crypto/openssl/crypto/x509/x509_vfy.c releng/9.0/crypto/openssl/crypto/x509v3/v3_addr.c releng/9.0/crypto/openssl/crypto/x509v3/v3_asid.c releng/9.0/crypto/openssl/doc/HOWTO/proxy_certificates.txt releng/9.0/crypto/openssl/doc/apps/CA.pl.pod releng/9.0/crypto/openssl/doc/apps/ca.pod releng/9.0/crypto/openssl/doc/apps/dgst.pod releng/9.0/crypto/openssl/doc/crypto/engine.pod releng/9.0/crypto/openssl/doc/ssl/SSL_clear.pod releng/9.0/crypto/openssl/engines/e_capi.c releng/9.0/crypto/openssl/engines/e_capi_err.h releng/9.0/crypto/openssl/fips/fips_canister.c releng/9.0/crypto/openssl/openssl.spec releng/9.0/crypto/openssl/ssl/Makefile releng/9.0/crypto/openssl/ssl/bio_ssl.c releng/9.0/crypto/openssl/ssl/d1_both.c releng/9.0/crypto/openssl/ssl/d1_clnt.c releng/9.0/crypto/openssl/ssl/d1_enc.c releng/9.0/crypto/openssl/ssl/d1_lib.c releng/9.0/crypto/openssl/ssl/d1_pkt.c releng/9.0/crypto/openssl/ssl/d1_srvr.c releng/9.0/crypto/openssl/ssl/s2_clnt.c releng/9.0/crypto/openssl/ssl/s2_pkt.c releng/9.0/crypto/openssl/ssl/s2_srvr.c releng/9.0/crypto/openssl/ssl/s3_both.c releng/9.0/crypto/openssl/ssl/s3_clnt.c releng/9.0/crypto/openssl/ssl/s3_enc.c releng/9.0/crypto/openssl/ssl/s3_lib.c releng/9.0/crypto/openssl/ssl/s3_pkt.c releng/9.0/crypto/openssl/ssl/s3_srvr.c releng/9.0/crypto/openssl/ssl/ssl.h releng/9.0/crypto/openssl/ssl/ssl_ciph.c releng/9.0/crypto/openssl/ssl/ssl_err.c 
releng/9.0/crypto/openssl/ssl/ssl_lib.c releng/9.0/crypto/openssl/ssl/ssl_locl.h releng/9.0/crypto/openssl/ssl/t1_enc.c releng/9.0/crypto/openssl/ssl/t1_lib.c releng/9.0/crypto/openssl/util/fipslink.pl releng/9.0/crypto/openssl/util/libeay.num releng/9.0/crypto/openssl/util/mkerr.pl releng/9.0/crypto/openssl/util/pl/VC-32.pl releng/9.0/lib/bind/config.h releng/9.0/secure/lib/libcrypto/Makefile.inc releng/9.0/secure/lib/libssl/Makefile releng/9.0/sys/conf/newvers.sh releng/9.1/UPDATING releng/9.1/crypto/openssl/CHANGES releng/9.1/crypto/openssl/Configure releng/9.1/crypto/openssl/FAQ releng/9.1/crypto/openssl/Makefile releng/9.1/crypto/openssl/NEWS releng/9.1/crypto/openssl/README releng/9.1/crypto/openssl/apps/Makefile releng/9.1/crypto/openssl/apps/apps.c releng/9.1/crypto/openssl/apps/dhparam.c releng/9.1/crypto/openssl/apps/s_server.c releng/9.1/crypto/openssl/crypto/asn1/a_strex.c releng/9.1/crypto/openssl/crypto/asn1/a_verify.c releng/9.1/crypto/openssl/crypto/asn1/x_pubkey.c releng/9.1/crypto/openssl/crypto/bn/bn_word.c releng/9.1/crypto/openssl/crypto/cryptlib.c releng/9.1/crypto/openssl/crypto/crypto.h releng/9.1/crypto/openssl/crypto/o_init.c releng/9.1/crypto/openssl/crypto/ocsp/ocsp_vfy.c releng/9.1/crypto/openssl/crypto/opensslv.h releng/9.1/crypto/openssl/crypto/rsa/rsa_oaep.c releng/9.1/crypto/openssl/crypto/symhacks.h releng/9.1/crypto/openssl/doc/apps/CA.pl.pod releng/9.1/crypto/openssl/engines/e_capi.c releng/9.1/crypto/openssl/openssl.spec releng/9.1/crypto/openssl/ssl/Makefile releng/9.1/crypto/openssl/ssl/d1_enc.c releng/9.1/crypto/openssl/ssl/d1_pkt.c releng/9.1/crypto/openssl/ssl/s2_clnt.c releng/9.1/crypto/openssl/ssl/s2_pkt.c releng/9.1/crypto/openssl/ssl/s3_both.c releng/9.1/crypto/openssl/ssl/s3_clnt.c releng/9.1/crypto/openssl/ssl/s3_enc.c releng/9.1/crypto/openssl/ssl/s3_pkt.c releng/9.1/crypto/openssl/ssl/s3_srvr.c releng/9.1/crypto/openssl/ssl/ssl.h releng/9.1/crypto/openssl/ssl/ssl_err.c releng/9.1/crypto/openssl/ssl/ssl_lib.c 
releng/9.1/crypto/openssl/ssl/ssl_locl.h releng/9.1/crypto/openssl/ssl/t1_enc.c releng/9.1/crypto/openssl/ssl/t1_lib.c releng/9.1/crypto/openssl/util/libeay.num releng/9.1/lib/bind/config.h releng/9.1/secure/lib/libcrypto/Makefile.inc releng/9.1/secure/lib/libssl/Makefile releng/9.1/sys/conf/newvers.sh Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/UPDATING Tue Apr 2 17:34:42 2013 (r249029) @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130402: p7 FreeBSD-SA-13:03.openssl + Fix multiple vulnerabilities in OpenSSL. + 20130218: p6 FreeBSD-SA-13:02.libc Fix Denial of Service vulnerability in libc's glob(3) functionality. Modified: releng/8.3/crypto/openssl/CHANGES ============================================================================== --- releng/8.3/crypto/openssl/CHANGES Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/CHANGES Tue Apr 2 17:34:42 2013 (r249029) 
@@ -2,6 +2,171 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8x and 0.9.8y [5 Feb 2013] + + *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. + + This addresses the flaw in CBC record processing discovered by + Nadhem Alfardan and Kenny Paterson. Details of this attack can be found + at: http://www.isg.rhul.ac.uk/tls/ + + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and + Emilia Käsper for the initial patch. + (CVE-2013-0169) + [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] + + *) Return an error when checking OCSP signatures when key is NULL. + This fixes a DoS attack. (CVE-2013-0166) + [Steve Henson] + + *) Call OCSP Stapling callback after ciphersuite has been chosen, so + the right response is stapled. Also change SSL_get_certificate() + so it returns the certificate actually sent. + See http://rt.openssl.org/Ticket/Display.html?id=2836. + (This is a backport) + [Rob Stradling ] + + *) Fix possible deadlock when decoding public keys. + [Steve Henson] + + Changes between 0.9.8w and 0.9.8x [10 May 2012] + + *) Sanity check record length before skipping explicit IV in DTLS + to fix DoS attack. + + Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic + fuzzing as a service testing platform. + (CVE-2012-2333) + [Steve Henson] + + *) Initialise tkeylen properly when encrypting CMS messages. + Thanks to Solar Designer of Openwall for reporting this issue. + [Steve Henson] + + Changes between 0.9.8v and 0.9.8w [23 Apr 2012] + + *) The fix for CVE-2012-2110 did not take into account that the + 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an + int in OpenSSL 0.9.8, making it still vulnerable. Fix by + rejecting negative len parameter. 
(CVE-2012-2131) + [Tomas Hoger ] + + Changes between 0.9.8u and 0.9.8v [19 Apr 2012] + + *) Check for potentially exploitable overflows in asn1_d2i_read_bio + BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer + in CRYPTO_realloc_clean. + + Thanks to Tavis Ormandy, Google Security Team, for discovering this + issue and to Adam Langley for fixing it. + (CVE-2012-2110) + [Adam Langley (Google), Tavis Ormandy, Google Security Team] + + Changes between 0.9.8t and 0.9.8u [12 Mar 2012] + + *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness + in CMS and PKCS7 code. When RSA decryption fails use a random key for + content decryption and always return the same error. Note: this attack + needs on average 2^20 messages so it only affects automated senders. The + old behaviour can be reenabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where + an MMA defence is not necessary. + Thanks to Ivan Nestlerode for discovering + this issue. (CVE-2012-0884) + [Steve Henson] + + *) Fix CVE-2011-4619: make sure we really are receiving a + client hello before rejecting multiple SGC restarts. Thanks to + Ivan Nestlerode for discovering this bug. + [Steve Henson] + + Changes between 0.9.8s and 0.9.8t [18 Jan 2012] + + *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. + Thanks to Antonio Martin, Enterprise Secure Access Research and + Development, Cisco Systems, Inc. for discovering this bug and + preparing a fix. (CVE-2012-0050) + [Antonio Martin] + + Changes between 0.9.8r and 0.9.8s [4 Jan 2012] + + *) Nadhem Alfardan and Kenny Paterson have discovered an extension + of the Vaudenay padding oracle attack on CBC mode encryption + which enables an efficient plaintext recovery attack against + the OpenSSL implementation of DTLS. Their attack exploits timing + differences arising during decryption processing. 
A research + paper describing this attack can be found at: + http://www.isg.rhul.ac.uk/~kp/dtls.pdf + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann + and Michael Tuexen + for preparing the fix. (CVE-2011-4108) + [Robin Seggelmann, Michael Tuexen] + + *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) + [Ben Laurie, Kasper ] + + *) Clear bytes used for block padding of SSL 3.0 records. + (CVE-2011-4576) + [Adam Langley (Google)] + + *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George + Kadianakis for discovering this issue and + Adam Langley for preparing the fix. (CVE-2011-4619) + [Adam Langley (Google)] + + *) Prevent malformed RFC3779 data triggering an assertion failure. + Thanks to Andrew Chi, BBN Technologies, for discovering the flaw + and Rob Austein for fixing it. (CVE-2011-4577) + [Rob Austein ] + + *) Fix ssl_ciph.c set-up race. + [Adam Langley (Google)] + + *) Fix spurious failures in ecdsatest.c. + [Emilia Käsper (Google)] + + *) Fix the BIO_f_buffer() implementation (which was mixing different + interpretations of the '..._len' fields). + [Adam Langley (Google)] + + *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than + BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent + threads won't reuse the same blinding coefficients. + + This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING + lock to call BN_BLINDING_invert_ex, and avoids one use of + BN_BLINDING_update for each BN_BLINDING structure (previously, + the last update always remained unused). + [Emilia Käsper (Google)] + + *) Fix SSL memory handling for (EC)DH ciphersuites, in particular + for multi-threaded use of ECDH. + [Adam Langley (Google)] + + *) Fix x509_name_ex_d2i memory leak on bad inputs. 
+ [Bodo Moeller] + + *) Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + + http://eprint.iacr.org/2011/232.pdf + + [Billy Bob Brumley and Nicola Tuveri] + + Changes between 0.9.8q and 0.9.8r [8 Feb 2011] + + *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 + [Neel Mehta, Adam Langley, Bodo Moeller (Google)] + + *) Fix bug in string printing code: if *any* escaping is enabled we must + escape the escape character (backslash) or the resulting string is + ambiguous. + [Steve Henson] + Changes between 0.9.8p and 0.9.8q [2 Dec 2010] *) Disable code workaround for ancient and obsolete Netscape browsers Modified: releng/8.3/crypto/openssl/Configure ============================================================================== --- releng/8.3/crypto/openssl/Configure Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/Configure Tue Apr 2 17:34:42 2013 (r249029) 
@@ -162,6 +162,7 @@ my %table=( "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -ggdb3 -O2 -pipe::(unknown)::::::", +"debug-ben-debug-64", "gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-ben-debug-noopt", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -ggdb3 -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 
@@ -172,10 +173,10 @@ my %table=( "debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 
-mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb 
-g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", 
@@ -371,6 +372,9 @@ my %table=( "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", +# Android: Linux but without -DTERMIO and pointers to headers and libs. +"android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + #### *BSD [do see comment about ${BSDthreads} above!] "BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -425,8 +429,8 @@ my %table=( "aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64", # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE # at build time. $OBJECT_MODE is respected at ./config stage! -"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32", -"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", +"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32", +"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", # # Cray T90 and similar (SDSC) Modified: releng/8.3/crypto/openssl/FAQ ============================================================================== --- releng/8.3/crypto/openssl/FAQ Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/FAQ Tue Apr 2 17:34:42 2013 (r249029) @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? * How do I check the authenticity of the OpenSSL distribution? +* How does the versioning scheme work? [LEGAL] Legal questions 
@@ -82,7 +83,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.0c was released on Dec 2nd, 2010. +OpenSSL 1.0.1d was released on Feb 5th, 2013. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . Note that the online documents refer to the very latest development versions of OpenSSL and may include features not present in released versions. If in doubt refer to the documentation -that came with the version of OpenSSL you are using. +that came with the version of OpenSSL you are using. The pod format +documentation is included in each OpenSSL distribution under the docs +directory. For information on parts of libcrypto that are not yet documented, you might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's @@ -173,6 +176,19 @@ just do: pgp TARBALL.asc +* How does the versioning scheme work? + +After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter +releases (e.g. 1.0.1a) can only contain bug and security fixes and no +new features. Minor releases change the last number (e.g. 1.0.2) and +can contain new features that retain binary compatibility. Changes to +the middle number are considered major releases and neither source nor +binary compatibility is guaranteed. + +Therefore the answer to the common question "when will feature X be +backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear +in the next minor release. + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? 
@@ -284,7 +300,7 @@ current directory in this case, but this Check out the CA.pl(1) manual page. This provides a simple wrapper round the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). +extensions documentation (in ca(1), req(1), x509v3_config(5) ) * Why can't I create certificate requests? Modified: releng/8.3/crypto/openssl/LICENSE ============================================================================== --- releng/8.3/crypto/openssl/LICENSE Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/LICENSE Tue Apr 2 17:34:42 2013 (r249029) @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions Modified: releng/8.3/crypto/openssl/Makefile ============================================================================== --- releng/8.3/crypto/openssl/Makefile Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/Makefile Tue Apr 2 17:34:42 2013 (r249029) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8q +VERSION=0.9.8y MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 Modified: releng/8.3/crypto/openssl/NEWS ============================================================================== --- releng/8.3/crypto/openssl/NEWS Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/NEWS Tue Apr 2 17:34:42 2013 (r249029) 
@@ -5,6 +5,45 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y: + + o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 + o Fix OCSP bad key DoS attack CVE-2013-0166 + + Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x: + + o Fix DTLS record length checking bug CVE-2012-2333 + + Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w: + + o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110) + + Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v: + + o Fix for ASN1 overflow bug CVE-2012-2110 + + Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u: + + o Fix for CMS/PKCS#7 MMA CVE-2012-0884 + o Corrected fix for CVE-2011-4619 + o Various DTLS fixes. + + Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t: + + o Fix for DTLS DoS issue CVE-2012-0050 + + Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s: + + o Fix for DTLS plaintext recovery attack CVE-2011-4108 + o Fix policy check double free error CVE-2011-4109 + o Clear block padding bytes of SSL 3.0 records CVE-2011-4576 + o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 + o Check for malformed RFC3779 data CVE-2011-4577 + + Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r: + + o Fix for security issue CVE-2011-0014 + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: o Fix for security issue CVE-2010-4180 
@@ -181,6 +220,11 @@ o Added initial support for Win64. o Added alternate pkg-config files. + Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m: + + o FIPS 1.1.1 module linking. + o Various ciphersuite selection fixes. + Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) Modified: releng/8.3/crypto/openssl/README ============================================================================== --- releng/8.3/crypto/openssl/README Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/README Tue Apr 2 17:34:42 2013 (r249029) @@ -1,7 +1,7 @@ - OpenSSL 0.9.8q 2 Dec 2010 + OpenSSL 0.9.8y 5 Feb 2013 - Copyright (c) 1998-2009 The OpenSSL Project + Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. Modified: releng/8.3/crypto/openssl/apps/apps.c ============================================================================== --- releng/8.3/crypto/openssl/apps/apps.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/apps.c Tue Apr 2 17:34:42 2013 (r249029) @@ -2052,7 +2052,7 @@ X509_NAME *parse_name(char *subject, lon X509_NAME *n = NULL; int nid; - if (!buf || !ne_types || !ne_values) + if (!buf || !ne_types || !ne_values || !mval) { BIO_printf(bio_err, "malloc error\n"); goto error; @@ -2156,6 +2156,7 @@ X509_NAME *parse_name(char *subject, lon OPENSSL_free(ne_values); OPENSSL_free(ne_types); OPENSSL_free(buf); + OPENSSL_free(mval); return n; error: @@ -2164,6 +2165,8 @@ error: OPENSSL_free(ne_values); if (ne_types) OPENSSL_free(ne_types); + if (mval) + OPENSSL_free(mval); if (buf) OPENSSL_free(buf); return NULL; Modified: releng/8.3/crypto/openssl/apps/asn1pars.c ============================================================================== --- releng/8.3/crypto/openssl/apps/asn1pars.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/asn1pars.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -408,6 +408,7 @@ static int do_generate(BIO *bio, char *g atyp = ASN1_generate_nconf(genstr, cnf); NCONF_free(cnf); + cnf = NULL; if (!atyp) return -1; Modified: releng/8.3/crypto/openssl/apps/cms.c ============================================================================== --- releng/8.3/crypto/openssl/apps/cms.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/cms.c Tue Apr 2 17:34:42 2013 (r249029) @@ -226,6 +226,8 @@ int MAIN(int argc, char **argv) else if (!strcmp(*args,"-camellia256")) cipher = EVP_camellia_256_cbc(); #endif + else if (!strcmp (*args, "-debug_decrypt")) + flags |= CMS_DEBUG_DECRYPT; else if (!strcmp (*args, "-text")) flags |= CMS_TEXT; else if (!strcmp (*args, "-nointern")) @@ -611,7 +613,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-certsout file certificate output file\n"); BIO_printf (bio_err, "-signer file signer certificate file\n"); BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n"); - BIO_printf (bio_err, "-skeyid use subject key identifier\n"); + BIO_printf (bio_err, "-keyid use subject key identifier\n"); BIO_printf (bio_err, "-in file input file\n"); BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n"); BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n"); @@ -1013,6 +1015,8 @@ int MAIN(int argc, char **argv) ret = 4; if (operation == SMIME_DECRYPT) { + if (flags & CMS_DEBUG_DECRYPT) + CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); if (secret_key) { Modified: releng/8.3/crypto/openssl/apps/dhparam.c ============================================================================== --- releng/8.3/crypto/openssl/apps/dhparam.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/dhparam.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -332,7 +332,6 @@ bad: BIO_printf(bio_err,"This is going to take a long time\n"); if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) { - if(dh) DH_free(dh); ERR_print_errors(bio_err); goto end; } Modified: releng/8.3/crypto/openssl/apps/openssl.cnf ============================================================================== --- releng/8.3/crypto/openssl/apps/openssl.cnf Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/openssl.cnf Tue Apr 2 17:34:42 2013 (r249029) @@ -142,7 +142,7 @@ localityName = Locality Name (eg, city organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = -commonName = Common Name (eg, YOUR name) +commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address Modified: releng/8.3/crypto/openssl/apps/pkcs12.c ============================================================================== --- releng/8.3/crypto/openssl/apps/pkcs12.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/pkcs12.c Tue Apr 2 17:34:42 2013 (r249029) @@ -659,7 +659,7 @@ int MAIN(int argc, char **argv) if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); - if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1); + if ((options & INFO) && p12->mac) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1); if(macver) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("verify MAC"); Modified: releng/8.3/crypto/openssl/apps/s_client.c ============================================================================== --- releng/8.3/crypto/openssl/apps/s_client.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/s_client.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -345,13 +345,7 @@ int MAIN(int argc, char **argv) char *jpake_secret = NULL; #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); -#elif !defined(OPENSSL_NO_SSL3) - meth=SSLv3_client_method(); -#elif !defined(OPENSSL_NO_SSL2) - meth=SSLv2_client_method(); -#endif apps_startup(); c_Pause=0; Modified: releng/8.3/crypto/openssl/apps/s_server.c ============================================================================== --- releng/8.3/crypto/openssl/apps/s_server.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/s_server.c Tue Apr 2 17:34:42 2013 (r249029) @@ -781,13 +781,7 @@ int MAIN(int argc, char *argv[]) tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); -#elif !defined(OPENSSL_NO_SSL3) - meth=SSLv3_server_method(); -#elif !defined(OPENSSL_NO_SSL2) - meth=SSLv2_server_method(); -#endif local_argc=argc; local_argv=argv; @@ -1556,6 +1550,12 @@ end: if (dpass) OPENSSL_free(dpass); #ifndef OPENSSL_NO_TLSEXT + if (tlscstatp.host) + OPENSSL_free(tlscstatp.host); + if (tlscstatp.port) + OPENSSL_free(tlscstatp.port); + if (tlscstatp.path) + OPENSSL_free(tlscstatp.path); if (ctx2 != NULL) SSL_CTX_free(ctx2); if (s_cert2) X509_free(s_cert2); Modified: releng/8.3/crypto/openssl/apps/x509.c ============================================================================== --- releng/8.3/crypto/openssl/apps/x509.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/apps/x509.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -969,7 +969,7 @@ bad: else { pk=load_key(bio_err, - keyfile, FORMAT_PEM, 0, + keyfile, keyformat, 0, passin, e, "request key"); if (pk == NULL) goto end; } Modified: releng/8.3/crypto/openssl/config ============================================================================== --- releng/8.3/crypto/openssl/config Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/config Tue Apr 2 17:34:42 2013 (r249029) @@ -790,6 +790,10 @@ esac # options="$options -DATALLA" #fi +($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \ + grep \\--noexecstack) 2>&1 > /dev/null && \ + options="$options -Wa,--noexecstack" + # gcc < 2.8 does not support -march=ultrasparc if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ] then Modified: releng/8.3/crypto/openssl/crypto/asn1/a_object.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/a_object.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/a_object.c Tue Apr 2 17:34:42 2013 (r249029) @@ -139,7 +139,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT); goto err; } - if (!use_bn && l > (ULONG_MAX / 10L)) + if (!use_bn && l >= ((ULONG_MAX - 80) / 10L)) { use_bn = 1; if (!bl) @@ -294,7 +294,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT /* Sanity check OID encoding: can't have leading 0x80 in * subidentifiers, see: X.690 8.19.2 */ - for (i = 0, p = *pp + 1; i < len - 1; i++, p++) + for (i = 0, p = *pp; i < len; i++, p++) { if (*p == 0x80 && (!i || !(p[-1] & 0x80))) { Modified: releng/8.3/crypto/openssl/crypto/asn1/a_strex.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/a_strex.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/a_strex.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -74,6 +74,11 @@ #define CHARTYPE_BS_ESC (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253) +#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \ + ASN1_STRFLGS_ESC_QUOTE | \ + ASN1_STRFLGS_ESC_CTRL | \ + ASN1_STRFLGS_ESC_MSB) + /* Three IO functions for sending data to memory, a BIO and * and a FILE pointer. @@ -148,6 +153,13 @@ static int do_esc_char(unsigned long c, if(!io_ch(arg, tmphex, 3)) return -1; return 3; } + /* If we get this far and do any escaping at all must escape + * the escape character itself: backslash. + */ + if (chtmp == '\\' && flags & ESC_FLAGS) { + if(!io_ch(arg, "\\\\", 2)) return -1; + return 2; + } if(!io_ch(arg, &chtmp, 1)) return -1; return 1; } @@ -292,11 +304,6 @@ static const signed char tag2nbyte[] = { 4, -1, 2 /* 28-30 */ }; -#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \ - ASN1_STRFLGS_ESC_QUOTE | \ - ASN1_STRFLGS_ESC_CTRL | \ - ASN1_STRFLGS_ESC_MSB) - /* This is the main function, print out an * ASN1_STRING taking note of various escape * and display options. Returns number of @@ -560,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char ** if(mbflag == -1) return -1; mbflag |= MBSTRING_FLAG; stmp.data = NULL; + stmp.length = 0; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; Modified: releng/8.3/crypto/openssl/crypto/asn1/a_strnid.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/a_strnid.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/a_strnid.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -96,7 +96,7 @@ unsigned long ASN1_STRING_get_default_ma * default: the default value, Printable, T61, BMP. */ -int ASN1_STRING_set_default_mask_asc(char *p) +int ASN1_STRING_set_default_mask_asc(const char *p) { unsigned long mask; char *end; Modified: releng/8.3/crypto/openssl/crypto/asn1/a_verify.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/a_verify.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/a_verify.c Tue Apr 2 17:34:42 2013 (r249029) @@ -138,6 +138,12 @@ int ASN1_item_verify(const ASN1_ITEM *it unsigned char *buf_in=NULL; int ret= -1,i,inl; + if (!pkey) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + EVP_MD_CTX_init(&ctx); i=OBJ_obj2nid(a->algorithm); type=EVP_get_digestbyname(OBJ_nid2sn(i)); Modified: releng/8.3/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/asn1.h Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/asn1.h Tue Apr 2 17:34:42 2013 (r249029) @@ -1051,7 +1051,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct); void ASN1_STRING_set_default_mask(unsigned long mask); -int ASN1_STRING_set_default_mask_asc(char *p); +int ASN1_STRING_set_default_mask_asc(const char *p); unsigned long ASN1_STRING_get_default_mask(void); int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len, int inform, unsigned long mask); Modified: releng/8.3/crypto/openssl/crypto/asn1/asn_mime.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/asn_mime.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/asn_mime.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -418,9 +418,9 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BI if(strcmp(hdr->value, "application/x-pkcs7-signature") && strcmp(hdr->value, "application/pkcs7-signature")) { - sk_MIME_HEADER_pop_free(headers, mime_hdr_free); ASN1err(ASN1_F_SMIME_READ_ASN1,ASN1_R_SIG_INVALID_MIME_TYPE); ERR_add_error_data(2, "type: ", hdr->value); + sk_MIME_HEADER_pop_free(headers, mime_hdr_free); sk_BIO_pop_free(parts, BIO_vfree); return NULL; } @@ -790,12 +790,17 @@ static int mime_hdr_addparam(MIME_HEADER static int mime_hdr_cmp(const MIME_HEADER * const *a, const MIME_HEADER * const *b) { + if (!(*a)->name || !(*b)->name) + return !!(*a)->name - !!(*b)->name; + return(strcmp((*a)->name, (*b)->name)); } static int mime_param_cmp(const MIME_PARAM * const *a, const MIME_PARAM * const *b) { + if (!(*a)->param_name || !(*b)->param_name) + return !!(*a)->param_name - !!(*b)->param_name; return(strcmp((*a)->param_name, (*b)->param_name)); } Modified: releng/8.3/crypto/openssl/crypto/asn1/x_name.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/x_name.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/x_name.c Tue Apr 2 17:34:42 2013 (r249029) @@ -196,7 +196,9 @@ static int x509_name_ex_d2i(ASN1_VALUE * *val = nm.a; *in = p; return ret; - err: +err: + if (nm.x != NULL) + X509_NAME_free(nm.x); ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; } Modified: releng/8.3/crypto/openssl/crypto/asn1/x_pubkey.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/asn1/x_pubkey.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/asn1/x_pubkey.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -367,7 +367,19 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k goto err; } - key->pkey = ret; + /* Check to see if another thread set key->pkey first */ + CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); + if (key->pkey) + { + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_free(ret); + ret = key->pkey; + } + else + { + key->pkey = ret; + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + } CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); return(ret); err: Modified: releng/8.3/crypto/openssl/crypto/bio/bf_buff.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/bio/bf_buff.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bio/bf_buff.c Tue Apr 2 17:34:42 2013 (r249029) @@ -209,7 +209,7 @@ start: /* add to buffer and return */ if (i >= inl) { - memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl); + memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl); ctx->obuf_len+=inl; return(num+inl); } @@ -219,7 +219,7 @@ start: { if (i > 0) /* lets fill it up if we can */ { - memcpy(&(ctx->obuf[ctx->obuf_len]),in,i); + memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i); in+=i; inl-=i; num+=i; @@ -294,9 +294,9 @@ static long buffer_ctrl(BIO *b, int cmd, case BIO_C_GET_BUFF_NUM_LINES: ret=0; p1=ctx->ibuf; - for (i=ctx->ibuf_off; iibuf_len; i++) + for (i=0; iibuf_len; i++) { - if (p1[i] == '\n') ret++; + if (p1[ctx->ibuf_off + i] == '\n') ret++; } break; case BIO_CTRL_WPENDING: 
@@ -399,17 +399,18 @@ static long buffer_ctrl(BIO *b, int cmd, for (;;) { BIO_clear_retry_flags(b); - if (ctx->obuf_len > ctx->obuf_off) + if (ctx->obuf_len > 0) { r=BIO_write(b->next_bio, &(ctx->obuf[ctx->obuf_off]), - ctx->obuf_len-ctx->obuf_off); + ctx->obuf_len); #if 0 -fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r); +fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r); #endif BIO_copy_next_retry(b); if (r <= 0) return((long)r); ctx->obuf_off+=r; + ctx->obuf_len-=r; } else { Modified: releng/8.3/crypto/openssl/crypto/bio/bio.h ============================================================================== --- releng/8.3/crypto/openssl/crypto/bio/bio.h Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bio/bio.h Tue Apr 2 17:34:42 2013 (r249029) @@ -145,6 +145,7 @@ extern "C" { /* #endif */ #define BIO_CTRL_DGRAM_QUERY_MTU 40 /* as kernel for current MTU */ +#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47 #define BIO_CTRL_DGRAM_GET_MTU 41 /* get cached value for MTU */ #define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for * MTU. want to use this @@ -321,6 +322,15 @@ DECLARE_STACK_OF(BIO) typedef struct bio_f_buffer_ctx_struct { + /* Buffers are setup like this: + * + * <---------------------- size -----------------------> + * +---------------------------------------------------+ + * | consumed | remaining | free space | + * +---------------------------------------------------+ + * <-- off --><------- len -------> + */ + /* BIO *bio; */ /* this is now in the BIO struct */ int ibuf_size; /* how big is the input buffer */ int obuf_size; /* how big is the output buffer */ Modified: releng/8.3/crypto/openssl/crypto/bio/bss_dgram.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/bio/bss_dgram.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bio/bss_dgram.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -57,7 +57,6 @@ * */ -#ifndef OPENSSL_NO_DGRAM #include #include @@ -65,6 +64,7 @@ #include "cryptlib.h" #include +#ifndef OPENSSL_NO_DGRAM #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) #include @@ -288,7 +288,6 @@ static int dgram_read(BIO *b, char *out, */ dgram_adjust_rcv_timeout(b); ret=recvfrom(b->num,out,outl,0,&peer,(void *)&peerlen); - dgram_reset_rcv_timeout(b); if ( ! data->connected && ret >= 0) BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer); @@ -302,6 +301,8 @@ static int dgram_read(BIO *b, char *out, data->_errno = get_last_socket_error(); } } + + dgram_reset_rcv_timeout(b); } return(ret); } @@ -493,6 +494,9 @@ static long dgram_ctrl(BIO *b, int cmd, ret = 0; #endif break; + case BIO_CTRL_DGRAM_GET_FALLBACK_MTU: + ret = 576 - 20 - 8; + break; case BIO_CTRL_DGRAM_GET_MTU: return data->mtu; break; @@ -654,9 +658,13 @@ static int BIO_dgram_should_retry(int i) { err=get_last_socket_error(); -#if defined(OPENSSL_SYS_WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */ - if ((i == -1) && (err == 0)) - return(1); +#if defined(OPENSSL_SYS_WINDOWS) + /* If the socket return value (i) is -1 + * and err is unexpectedly 0 at this point, + * the error code was overwritten by + * another system call before this error + * handling is called. + */ #endif return(BIO_dgram_non_fatal_error(err)); @@ -719,7 +727,6 @@ int BIO_dgram_non_fatal_error(int err) } return(0); } -#endif static void get_current_time(struct timeval *t) { @@ -737,3 +744,5 @@ static void get_current_time(struct time gettimeofday(t, NULL); #endif } + +#endif Modified: releng/8.3/crypto/openssl/crypto/bn/asm/mo-586.pl ============================================================================== --- releng/8.3/crypto/openssl/crypto/bn/asm/mo-586.pl Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bn/asm/mo-586.pl Tue Apr 2 17:34:42 2013 (r249029) 
@@ -539,8 +539,10 @@ $sbit=$num; &jle (&label("sqradd")); &mov ($carry,"edx"); - &lea ("edx",&DWP(0,$sbit,"edx",2)); + &add ("edx","edx"); &shr ($carry,31); + &add ("edx",$sbit); + &adc ($carry,0); &set_label("sqrlast"); &mov ($word,$_n0); &mov ($inp,$_np); Modified: releng/8.3/crypto/openssl/crypto/bn/asm/ppc.pl ============================================================================== --- releng/8.3/crypto/openssl/crypto/bn/asm/ppc.pl Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bn/asm/ppc.pl Tue Apr 2 17:34:42 2013 (r249029) @@ -1039,7 +1039,7 @@ sub data { addze r11,r0 #mul_add_c(a[3],b[2],c3,c1,c2); $LD r6,`3*$BNSZ`(r4) - $LD r7,`2*$BNSZ`(r4) + $LD r7,`2*$BNSZ`(r5) $UMULL r8,r6,r7 $UMULH r9,r6,r7 addc r12,r8,r12 Modified: releng/8.3/crypto/openssl/crypto/bn/bn_blind.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/bn/bn_blind.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bn/bn_blind.c Tue Apr 2 17:34:42 2013 (r249029) @@ -123,7 +123,7 @@ struct bn_blinding_st BIGNUM *mod; /* just a reference */ unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ - unsigned int counter; + int counter; unsigned long flags; BN_MONT_CTX *m_ctx; int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -157,7 +157,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNU if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) BN_set_flags(ret->mod, BN_FLG_CONSTTIME); - ret->counter = BN_BLINDING_COUNTER; + /* Set the counter to the special value -1 + * to indicate that this is never-used fresh blinding + * that does not need updating before first use. */ + ret->counter = -1; return(ret); err: if (ret != NULL) BN_BLINDING_free(ret); 
@@ -186,7 +189,10 @@ int BN_BLINDING_update(BN_BLINDING *b, B goto err; } - if (--(b->counter) == 0 && b->e != NULL && + if (b->counter == -1) + b->counter = 0; + + if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL && !(b->flags & BN_BLINDING_NO_RECREATE)) { /* re-create blinding parameters */ @@ -201,8 +207,8 @@ int BN_BLINDING_update(BN_BLINDING *b, B ret=1; err: - if (b->counter == 0) - b->counter = BN_BLINDING_COUNTER; + if (b->counter == BN_BLINDING_COUNTER) + b->counter = 0; return(ret); } @@ -223,6 +229,12 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BI return(0); } + if (b->counter == -1) + /* Fresh blinding, doesn't need updating. */ + b->counter = 0; + else if (!BN_BLINDING_update(b,ctx)) + return(0); + if (r != NULL) { if (!BN_copy(r, b->Ai)) ret=0; @@ -243,22 +255,19 @@ int BN_BLINDING_invert_ex(BIGNUM *n, con int ret; bn_check_top(n); - if ((b->A == NULL) || (b->Ai == NULL)) - { - BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED); - return(0); - } if (r != NULL) ret = BN_mod_mul(n, n, r, b->mod, ctx); else - ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); - - if (ret >= 0) { - if (!BN_BLINDING_update(b,ctx)) + if (b->Ai == NULL) + { + BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED); return(0); + } + ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); } + bn_check_top(n); return(ret); } Modified: releng/8.3/crypto/openssl/crypto/bn/bn_gf2m.c ============================================================================== --- releng/8.3/crypto/openssl/crypto/bn/bn_gf2m.c Tue Apr 2 17:29:17 2013 (r249028) +++ releng/8.3/crypto/openssl/crypto/bn/bn_gf2m.c Tue Apr 2 17:34:42 2013 (r249029) 
@@ -607,6 +607,7 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIG { while (!BN_is_odd(u)) { *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@FreeBSD.ORG Tue Apr 2 19:33:36 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 18391424; Tue, 2 Apr 2013 19:33:36 +0000 (UTC) (envelope-from gavin@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 0A697303; Tue, 2 Apr 2013 19:33:36 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r32JXZEC024035; Tue, 2 Apr 2013 19:33:35 GMT (envelope-from gavin@svn.freebsd.org) Received: (from gavin@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r32JXZqg024034; Tue, 2 Apr 2013 19:33:35 GMT (envelope-from gavin@svn.freebsd.org) Message-Id: <201304021933.r32JXZqg024034@svn.freebsd.org> 
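Review bot: In crypto/openssl/crypto/asn1/a_object.c, a2d_ASN1_OBJECT(), the new bound `(ULONG_MAX - 80) / 10L` carries an unexplained constant. Please add a comment at the `if (!use_bn && ...)` line saying what the 80 reserves headroom for, so a later edit does not "simplify" it back to `ULONG_MAX / 10L`. In the second hunk of the same file the loop now starts at `*pp` with `i = 0` and only the `!i ||` short-circuit stops `p[-1]` from reading before the buffer; a one-line comment to that effect would protect the ordering of that condition.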
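Review bot: In crypto/openssl/crypto/asn1/a_strex.c, do_esc_char(), the new test `chtmp == '\\' && flags & ESC_FLAGS` depends on `&` binding tighter than `&&`. It parses as intended, but please write it as `chtmp == '\\' && (flags & ESC_FLAGS)` so the reader and the compiler's parentheses warning both stay quiet. Moving the ESC_FLAGS definition to the top of the file is what makes it visible here, which is worth a word in the commit log.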
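Review bot: In crypto/openssl/crypto/asn1/x_pubkey.c, X509_PUBKEY_get(), the branch taken when another thread has already set the key calls CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY) before `ret = key->pkey`, so the pointer is read back outside the critical section that was added to protect it. Suggest copying `key->pkey` into a local while the lock is still held, then unlocking, freeing the redundant decoded key and returning the local. The existing comment could also say that the loser of the race frees its own copy.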
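Review bot: In crypto/openssl/crypto/bio/bss_dgram.c, dgram_ctrl(), the BIO_CTRL_DGRAM_GET_FALLBACK_MTU case returns `576 - 20 - 8` with no explanation of the three terms. Add a comment naming each one (they read as a 576-byte IPv4 datagram less a 20-byte IP header and an 8-byte UDP header) or use named constants. In bio.h the matching define with value 47 is inserted between 40 and 41; a short comment on why it is out of numeric order would help whoever allocates the next control number.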
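Review bot: In crypto/openssl/crypto/bio/bss_dgram.c, BIO_dgram_should_retry(), the `#if defined(OPENSSL_SYS_WINDOWS)` block now guards nothing but a comment. The comment describes a state (i is -1 and err is 0) without saying what the function does about it, and the visible code falls straight through to BIO_dgram_non_fatal_error(err). Either drop the preprocessor guard and keep the text as ordinary documentation, or say in the comment what result the caller gets in that case.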
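Review bot: In crypto/openssl/crypto/bn/bn_blind.c, the "fresh, never used" state is a bare `-1` repeated in BN_BLINDING_new(), BN_BLINDING_update() and BN_BLINDING_convert_ex(), and the `counter` field was changed from `unsigned int` to `int` to hold it without a note on the field itself. Suggest a named constant for the sentinel and a comment on the struct member. Also note that BN_BLINDING_invert_ex() no longer checks `b->A` and checks `b->Ai` only when `r` is NULL, and that the BN_BLINDING_update() call moved from invert to convert; the function comments should state the call order callers are now expected to follow.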
From: Gavin Atkinson
Date: Tue, 2 Apr 2013 19:33:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r249031 - releng/8.4/lib/libc/stdlib
X-SVN-Group: releng

Author: gavin
Date: Tue Apr 2 19:33:35 2013
New Revision: 249031
URL: http://svnweb.freebsd.org/changeset/base/249031

Log:
  When r241373 was merged, one file appears to have been missed from the
  commit. Merge it:

  Remove undefined behavior from sranddev() and srandomdev(). This doesn't
  actually work with any modern C compiler:

  In particular, both clang and modern gcc versions silently elide any
  xor operation with 'junk'.

  No mergeinfo changes with this commit as r241475 already updated the
  mergeinfo.

  Approved by: re (jpaetzel)

Modified:
  releng/8.4/lib/libc/stdlib/random.c

Modified: releng/8.4/lib/libc/stdlib/random.c
==============================================================================
--- releng/8.4/lib/libc/stdlib/random.c Tue Apr 2 19:07:11 2013 (r249030)
+++ releng/8.4/lib/libc/stdlib/random.c Tue Apr 2 19:33:35 2013 (r249031)
@@ -315,10 +315,9 @@ srandomdev() if (!done) { struct timeval tv; - unsigned long junk; gettimeofday(&tv, NULL); - srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec ^ junk); + srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec); return; } From owner-svn-src-releng@FreeBSD.ORG Thu Apr 4 23:36:15 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 3FB8EF0C; Thu, 4 Apr 2013 23:36:15 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 3041C340; Thu, 4 Apr 2013 23:36:15 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r34NaEh6045767; Thu, 4 Apr 2013 23:36:14 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r34NaEhT045766; Thu, 4 Apr 2013 23:36:14 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201304042336.r34NaEhT045766@svn.freebsd.org> 
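Review bot: In lib/libc/stdlib/random.c, srandomdev(), the `if (!done)` fallback now seeds srandom() from `(getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec` alone, and nothing in the code says how weak that is. Please add a comment on this branch stating that it is a last resort, that the seed is made only of the process id and the clock, and that output seeded this way must not be relied on for anything security-sensitive. The log mentions sranddev() as well; only random.c is touched here, so it is worth confirming in the log which commit carried the sranddev() half.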
From: Xin LI
Date: Thu, 4 Apr 2013 23:36:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r249116 - releng/8.4/cddl/contrib/opensolaris/cmd/zpool
X-SVN-Group: releng

Author: delphij
Date: Thu Apr 4 23:36:14 2013
New Revision: 249116
URL: http://svnweb.freebsd.org/changeset/base/249116

Log:
  MFS r249068 [1],249100,249114 [2]:

  Limit the creation version to 28 by default to avoid surprises when
  users "upgrade" to 9.1-RELEASE, which predates the merge of feature
  flags support to stable/9 (r243674) and is the latest stable/9 release
  at this time.

  Users who want the new features can still do "zpool upgrade" after pool
  creation, or by explicitly specifying feature flags and/or disabling all
  feature flags at creation time.

  Reviewed by: mm [1], Matthew Ahrens [2]
  Approved by: re (jpaetzel)

Modified:
  releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c

Directory Properties:
  releng/8.4/cddl/contrib/opensolaris/ (props changed)

Modified: releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c
==============================================================================
--- releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Thu Apr 4 23:19:51 2013 (r249115)
+++ releng/8.4/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Thu Apr 4 23:36:14 2013 (r249116)
@@ -856,6 +856,16 @@ zpool_do_create(int argc, char **argv) } } +#ifdef __FreeBSD__ + /* Compatiblity with FreeBSD 9.0 and 9.1: Use version 28 if unspecified */ + if (enable_all_pool_feat && !prop_list_contains_feature(props)) { + if (add_prop_list(zpool_prop_to_name( + ZPOOL_PROP_VERSION), "28", &props, B_TRUE)) + goto errout; + enable_all_pool_feat = B_FALSE; + } +#endif /* __FreeBSD__ */ + argc -= optind; argv += optind; From owner-svn-src-releng@FreeBSD.ORG Fri Apr 5 00:57:11 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id C8EE62EF; Fri, 5 Apr 2013 00:57:11 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id BA36C7FD; Fri, 5 Apr 2013 00:57:11 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r350vBL2069479; Fri, 5 Apr 2013 00:57:11 GMT (envelope-from gjb@svn.freebsd.org) Received: (from gjb@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r350vB8P069477; Fri, 5 Apr 2013 00:57:11 GMT (envelope-from gjb@svn.freebsd.org) Message-Id: <201304050057.r350vB8P069477@svn.freebsd.org> 
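Review bot: In zpool_main.c, zpool_do_create(), the default pool version is the string literal "28" buried in the `#ifdef __FreeBSD__` block, and the user is never told that the pool was created below the newest version. Suggest a named constant for the version, plus either a one-line notice at creation time or a matching paragraph in zpool(8), since the log already expects users to run "zpool upgrade" afterwards. The comment has a typo ("Compatiblity") and names FreeBSD 9.0 and 9.1 where the log speaks only of 9.1-RELEASE; the two should agree.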
From: Glen Barber
Date: Fri, 5 Apr 2013 00:57:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r249122 - releng/8.4/sys/conf
X-SVN-Group: releng

Author: gjb (doc,ports committer)
Date: Fri Apr 5 00:57:10 2013
New Revision: 249122
URL: http://svnweb.freebsd.org/changeset/base/249122

Log:
  - Update releng/8.4 branch to -RC1 status

  Approved by: re (jpaetzel)

Modified:
  releng/8.4/sys/conf/newvers.sh

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh Fri Apr 5 00:26:29 2013 (r249121)
+++ releng/8.4/sys/conf/newvers.sh Fri Apr 5 00:57:10 2013 (r249122)
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="BETA1" +BRANCH="RC1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@FreeBSD.ORG Fri Apr 5 04:08:05 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 09705BE3; Fri, 5 Apr 2013 04:08:05 +0000 (UTC) (envelope-from hrs@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id EC81FEC9; Fri, 5 Apr 2013 04:08:04 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r35484P1026581; Fri, 5 Apr 2013 04:08:04 GMT (envelope-from hrs@svn.freebsd.org) Received: (from hrs@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r35484LS026576; Fri, 5 Apr 2013 04:08:04 GMT (envelope-from hrs@svn.freebsd.org) Message-Id: <201304050408.r35484LS026576@svn.freebsd.org> 
From: Hiroki Sato
Date: Fri, 5 Apr 2013 04:08:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r249128 - in releng/8.4/release/doc: de_DE.ISO8859-1 en_US.ISO8859-1/errata en_US.ISO8859-1/installation en_US.ISO8859-1/relnotes fr_FR.ISO8859-1 ja_JP.eucJP ru_RU.KOI8-R share/examples...
X-SVN-Group: releng

Author: hrs
Date: Fri Apr 5 04:08:03 2013
New Revision: 249128
URL: http://svnweb.freebsd.org/changeset/base/249128

Log:
  Trim old information and bump version numbers.

  Approved by: re (implicit)

Deleted:
  releng/8.4/release/doc/de_DE.ISO8859-1/
  releng/8.4/release/doc/fr_FR.ISO8859-1/
  releng/8.4/release/doc/ja_JP.eucJP/
  releng/8.4/release/doc/ru_RU.KOI8-R/
  releng/8.4/release/doc/zh_CN.GB2312/

Modified:
  releng/8.4/release/doc/en_US.ISO8859-1/errata/article.xml
  releng/8.4/release/doc/en_US.ISO8859-1/installation/article.xml
  releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml
  releng/8.4/release/doc/share/examples/Makefile.relnotesng
  releng/8.4/release/doc/share/xml/release.ent

Modified: releng/8.4/release/doc/en_US.ISO8859-1/errata/article.xml
==============================================================================
--- releng/8.4/release/doc/en_US.ISO8859-1/errata/article.xml Fri Apr 5 02:15:10 2013 (r249127)
+++ releng/8.4/release/doc/en_US.ISO8859-1/errata/article.xml Fri Apr 5 04:08:03 2013 (r249128)
@@ -41,7 +41,7 @@ $FreeBSD$ - 2011 + 2013 The &os; Documentation Project
@@ -83,7 +83,7 @@ - will be maintained until the release of &os; &release.next;. + will be maintained until the EoL of &os; &release.branch; branch. @@ -167,13 +167,6 @@ Late-Breaking News and Corrections - A bug in OpenSSL that could cause - it to parse past the end of the message was found at the late - stage of &release.bugfix; release process. The &release.bugfix; - includes a fix for this issue by importing relevant parts from - the OpenSSL CVS. This could be triggered by an incorrectly - formatted ClientHello SSL/TLS handshake messages. The details - can be found at . + No news. Modified: releng/8.4/release/doc/en_US.ISO8859-1/installation/article.xml ============================================================================== --- releng/8.4/release/doc/en_US.ISO8859-1/installation/article.xml Fri Apr 5 02:15:10 2013 (r249127) +++ releng/8.4/release/doc/en_US.ISO8859-1/installation/article.xml Fri Apr 5 04:08:03 2013 (r249128) @@ -21,7 +21,7 @@ $FreeBSD$ - 2012 + 2013 The &os; Documentation Project @@ -62,8 +62,8 @@ . The branch tag to use for updating the source is - RELENG_8_3 for CVS. For SVN use - releng/8.3. + RELENG_8_4 for CVS. For SVN use + releng/8.4. 
@@ -73,11 +73,11 @@ upgrades of &arch.i386; and &arch.amd64; systems running earlier FreeBSD releases. Systems running 7.[01234]-RELEASE, - 8.[012]-RELEASE, - 8.3-BETA1, or - 8.3-RC[12] can upgrade as follows: + 8.[0123]-RELEASE, + 8.4-BETA1, or + 8.4-RC[12] can upgrade as follows: - &prompt.root; freebsd-update upgrade -r 8.3-RELEASE + &prompt.root; freebsd-update upgrade -r 8.4-RELEASE During this process, FreeBSD Update may ask the user to help by merging some configuration files or by confirming that Modified: releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml ============================================================================== --- releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml Fri Apr 5 02:15:10 2013 (r249127) +++ releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml Fri Apr 5 04:08:03 2013 (r249128) @@ -16,7 +16,8 @@ $FreeBSD$ - 2011 + 2013 + The &os; Documentation Project 
@@ -118,6 +119,7 @@ advisories available from . + - - SA-10:10.openssl - 29 November 2010 - OpenSSL multiple vulnerabilities - +--> Kernel Changes - The maximum number of pages - used for DMA bounce buffer pool has been increased from 256 to - 1024. - - The default value of - kern.hz has been increased from 100 to - 1000. - - The SMP kernel now works on - MPC7400-based Apple desktop machines such as - PowerMac3,3. - - &os;/powerpc now supports - DMA bounce buffer which is required on systems with larger RAM - than 4GB. - - &os;/mips support has been - improved. It now supports SMP on a SWARM with a dual-core - Sibyte processor. - - &os;/mips now supports Netlogic Microsystems' - XLR and XLS multi-core processor families. - - &os;/sparc64 now supports - reservation-based physical memory allocation which provides - better performance. - - &os;/amd64 now always sets - the KVA space as equal to or larger than physical memory size. - The default size was calculated based on one-third of the - physical memory size by a code derived from one for i386. It - has been changed because constraints for memory space are not - severe on amd64 and this change would help to prevent a - kmem_map too small panic which often occurs - when using ZFS. - - CPU topology detection - for Intel CPUs has been improved. - - ACPI suspend/resume - functionality support has been improved. - - &os; kernel now - supports kern_fpu_enter() and - kern_fpu_leave() KPIs which allow the - kernel subsystems to use XMM register files used in Intel SSE - (Streaming SIMD Extensions). - - The &man.acpi.4; - driver now uses ACPI Reset Register capability by default only - when a flag in the FADT which indicates it is available. This - behavior was controlled by a &man.sysctl.8; variable - hw.acpi.handle_reboot and the default value - was always set to 0. - - The &man.acpi.4; - driver now supports new loader tunables - hw.acpi.install_interface and - hw.acpi.remove_interface. 
For more - details, see &man.acpi.4; manual page. - - The &man.alq.9; support has been - improved. The alq_writen() and - alq_getn() KPIs have been extended to - support variable length messages, which is enabled at ALQ - creation time depending on the arguments passed to - alq_open(). Also, the - ALQ_NOACTIVATE and - ALQ_ORDERED flags have been added to allow - ALQ consumers to have more control over I/O scheduling and - resource acquisition respectively. These extensions are fully - backward compatible. - - The &man.alq.9; support is now provided - as a kernel module alq.ko. - - The &man.ddb.8; kernel debugger now - supports an optional delay in reset and - reboot commands. This allows an - administrator to break the system into debugger and trigger - automatic textdump when an unattended panic occurs. - - The &man.ddb.8; kernel debugger now - supports a show cdev command. This - displays the list of all created cdev's, consisting of devfs - node name and struct cdev address. - - The &os; GENERIC - kernel is now compiled with and - options. From 8.2-RELEASE the - kernel supports displaying a stack trace on panic by using - &man.stack.9; facility with no debugger backend like - &man.ddb.8;. Note that this does not change the default - behaviors of the GENERIC kernel on - panic. - - The following - &man.sysctl.8; variables are also now loader tunables: - vm.kmem_size, - vm.kmem_size_max, and - vm.kmem_size_min, - debug.kdb.stop_cpus, - debug.trace_on_panic, and - kern.sync_on_panic. Also, new - &man.sysctl.8; variables vm.kmem_map_size - for the current kmem map size and - vm.kmem_map_free for largest contiguous - free range in kmem map, vfs.ncsizefactor - for size factor for namecache, and - vfs.ncnegfactor for ratio of negative - namecache entries have been added. - - The &os; &man.memguard.9; framework has - been improved to make it able to detect use-after-free of - allocated memories over a longer time. For more details, see - &man.memguard.9; manual page. 
- - PT_LWPINFO request to - obtain information about the kernel thread that caused the - traced process to stop in the &man.ptrace.2; process tracing - and debugging facility has been improved. It now reports - system call entry and leave events, as well as availability of - siginfo_t accompanying the reported - signal. - - The &os; &man.crypto.4; framework - (opencrypto) now supports XTS-AES (XEX-TCB-CTS, or XEX-based - Tweaked Code Book mode with CipherText Stealing), which is - defined in IEEE Std. 1619-2007. - - Xen HVM support in - &os;/amd64 kernel has been improved. For more details, see - &man.xen.4; manual page. - - The qpi(4) pseudo bus - driver has been added. This supports extra PCI buses on Intel - QPI chipsets where various hardware such as memory controllers - for each socket is connected. + Boot Loader Changes - &os; now fully supports GPT (GUID - Partition Table). Checksums of primary header and primary - partition table are verified properly now. - - Memory - management issues that prevented &os; OpenFirmware loader - and netbooting from working have been fixed. - - The &man.pxeboot.8; now uses NFS - version 3 instead of version 2 by default. + Hardware Support - The &man.aesni.4; - driver has been added. This supports AES accelerator on - Intel CPUs and accelerates AES operations for - &man.crypto.4;. - - The &man.aibs.4; - driver has been added. This supports the hardware sensors - in ASUS motherboards and replaces the &man.acpi.aiboost.4; - driver. - - The &man.coretemp.4; - driver now supports Xeon 5500/5600 series. - - &os;/powerpc now - supports the I2C bus in Apple System Management Unit. - - A device driver that - supports CPU temperature sensors on PowerMac 11,2 has been - added. - - The &man.ehci.4;, &man.ohci.4;, and - &man.uhci.4; driver now support LOW speed BULK transfer - mode. - - The &man.ichwd.4; - driver now supports Intel NM10 Express chipset watchdog - timer. 
- - The &man.tpm.4; driver, which supports - Trusted Platform Module has been added. - - The xhci(4) driver, which supports - Extensible Host Controller Interface (xHCI) and USB 3.0, has - been added. + Multimedia Support - The &os; Linux emulation subsystem now supports the - video4linux API. This requires - native video4linux hardware - drivers such as the ones provided by multimedia/pwcbsd and multimedia/webcamd. - - MIDI input buffer size in the - &man.uaudio.4; driver has been changed. This fixes a - problem where the input appears several seconds - late. - - An issue in the &man.uaudio.4; - driver that prevented some USB audio devices from working - has been fixed. + Network Interface Support - The &man.alc.4; driver now supports - Atheros AR8151/AR8152 PCIe Gigabit/Fast Ethernet - controllers. - - A bug in the &man.alc.4; driver was - fixed that could lead to a system freeze when the system - was booted without a cable plugged in. This symptom was - found in AR8132 on EEE PC. - - The TX interrupt moderation timer in - the &man.alc.4; driver has been reduced from 50ms to 1ms. - The 50ms timer resulted in a poor UDP performance. - - The &man.axe.4; driver - has been improved for stability and better performance on - the TX packet rate. - - The &man.bge.4; driver now supports - BCM5718 x2 PCI Express dual-port gigabit Ethernet - controller family. This family is the successor to the - BCM5714/BCM5715 family and supports IPv4/IPv6 checksum - offloading, TSO, VLAN hardware tagging, jumbo frames, - MSI/MSIX, IOV, RSS and TSS. The current version of the - driver supports all hardware features except IOV and - RSS/TSS. - - A bug in the &man.bge.4; driver which - prevented TSO from working in BCM57780 has been - fixed. - - A bug in the &man.bge.4; driver that - could wrongly disable the TX checksum offloading feature - as well when one tries to disable only the RX checksum - offloading has been fixed. 
- - Some improvements for reliability of - the &man.bge.4; driver with BCM5906 controller has been - made. - - The &man.bge.4; driver now supports - hardware MAC statistics in controller's internal memory - for BCM5705 or newer Broadcom controllers. These counters - can be accessed via &man.sysctl.8; variable - dev.bge.N.stats.* - and provide useful information to diagnose driver - issues. - - UDP checksum offloading in the - &man.bge.4; driver has been disabled by default. This is - because Broadcom controllers have a bug which can generate - UDP datagrams with checksum value 0 - when TX UDP checksum offloading is enabled. The checksum - offloading can be enabled by using the following loader - tunable: - - dev.bge.N.forced_udpcsum - - A bug in the &man.bge.4; driver that - could lead to poor performance on a system with more than - 4 GB RAM has been fixed. The cause was that all of - Broadcom controllers except the BCM5755 and later have a - bug in 4 GB-boundary DMA processing and used the bounce - buffer in an inefficient way. - - The &man.bwi.4; driver, which supports - Broadcom BCM430* and BCM431* family Wireless Ethernet - controllers, has been added. This is not compiled into - the GENERIC kernel because there are - some problems. The kernel module - if_bwi.ko is available and can be - loaded without recompiling the kernel to enable this - driver. - - A bug in the &man.bwn.4; driver that - prevented WPA authentication from working has been - fixed. - - A bug in the &man.cdce.4; driver has - been fixed. - - The &man.cxgb.4; driver now supports - the following new &man.sysctl.8; variables: - hw.cxgb.nfilters sets the maximum - number of entries in the hardware filter table, - dev.cxgbc.N.pkt_timestamp - provides packet timestamp instead of connection hash, and - dev.cxgbc.N.core_clock - provides the core clock frequency in kHz. - - The &man.em.4; driver has been updated to version - 7.1.9. - - The &man.igb.4; driver has been updated to version - 2.0.7. 
- - The &man.em.4; and &man.igb.4; drivers - now provide statistics counters as &man.sysctl.8; MIB - objects. - - The &man.em.4; and &man.igb.4; drivers - now support the &man.led.4; interface via - /dev/led/emN - and - /dev/led/igbN - for identification LED control. The following command - line makes the LED blink on em0: - - &prompt.root; echo f2 > /dev/led/em0 - - The &man.epair.4; virtual Ethernet - interface driver now supports explicit UP/DOWN linkstate. - This fixes an issue when it is used with the &man.carp.4; - protocol. - - The &man.fxp.4; driver now supports - TSO over VLAN on i82550 and i82551 controllers. - - The &man.iwn.4; driver now supports - Intel Wireless WiFi Link 6000 series. The firmware has - been updated to version 9.221.4.1. - - The &man.ixgbe.4; - driver is now also provided as a kernel module. - - The &man.ixgbe.4; - driver has been updated to version 2.3.8. It now supports - 82599, better interrupt handling, hardware assist to LRO, - VM SRIOV interface, and so on. - - The - &man.miibus.4; has been rewritten for the generic IEEE - 802.3 annex 31B full duplex flow control support. The - &man.alc.4;, &man.bge.4;, &man.bce.4;, &man.cas.4;, - &man.fxp.4;, &man.gem.4;, &man.jme.4;, &man.msk.4;, - &man.nfe.4;, &man.re.4;, &man.stge.4;, and &man.xl.4; - drivers along with atphy(4), bmtphy(4), brgphy(4), - e1000phy(4), gentbi(4), inphy(4), ip1000phy(4), jmphy(4), - nsgphy(4), nsphyter(4), and &man.rgephy.4; have been - updated to support flow control via this facility. - - The &man.mwlfw.4; - driver is now also provided as a kernel module. - - A bug in the &man.mxge.4; driver - that prevented TSO from working has been fixed. - - The &man.nfe.4; driver now supports - WoL (Wake on LAN). - - The &man.re.4; driver now supports - 64-bit DMA addressing for RTL810xE/RTL8168/RTL8111 PCIe - controllers. - - The &man.re.4; driver now supports - hardware interrupt moderation of TX completion interrupts - on RTL8169/RTL8168 controllers. 
- - The &man.rl.4; driver now supports WoL - (Wake on LAN) on RTL8139B or newer controllers. - - The &man.rl.4; driver now supports - reading hardware statistics counters by setting a - &man.sysctl.8; variable - dev.rl.N.stats - to 1. - - The &man.rl.4; driver now supports a - device hint to change a way of register access. Although - some newer RTL8139 controllers support memory-mapped - register access, it is difficult to detect the support - automatically. For this reason the driver uses I/O - mapping by default and provides the following device hint. - If it is set to 0, the driver uses - memory mapping for register access. - - hint.rl.N.prefer_iomap="0" - - Note that the default value is 1. - - The &man.rl.4; driver has improved - interrupt handling. It now has better TX performance - under high RX load. - - A bug in the &man.sk.4; driver has - been fixed. It did not program the station address for - Yukon controllers and overriding the station address with - &man.ifconfig.8; was not possible. - - The &man.sk.4; driver now disables TX - checksum offloading by default. This is because some - revisions of the Yukon controller generate corrupted frames. - The checksum offloading can be enabled manually by using - option in the &man.ifconfig.8; - utility. - - The &man.sis.4; driver - now works on all supported platforms. Some stability and - performance issues have also been fixed. - - The &man.sis.4; driver now supports - WoL (Wake on LAN) on NS DP8315 controller. - - A tunable - dev.sis.N.manual_pad - for the &man.sis.4; driver has been added. This controls - whether padding with 0x00 for short frames is done by CPU, - rather than the controller. The reason why this tunable - has been added is that NS DP83815/DP83816 pads them with - 0xff though RFC 1042 specifies it should be 0x00. The - tunable is disabled by default, which means padding with - 0xff is used because padding with 0x00 by software needs - extra CPU cycles. 
Enabling manual_pad, - by setting this &man.sysctl.8; variable to a non-zero - value, forces the use of software padding. - - The &man.ste.4; driver now supports - a device hint to change the device register access mode. - The driver uses memory-mapped register access by default, - but this caused stability problems with some old IC Plus - Corp (formerly Sundace) controllers. The following device - hint makes the driver use I/O mapping for register - access: - - hint.ste.N.prefer_iomap="1" - - The &man.xl.4; driver now supports - WoL (Wake on LAN). Note that not all controllers support - this functionality and some need an additional remote - wakeup cable. + Network Protocols - An issue in the &man.carp.4; pseudo - interface and linkstate changes of the underlying interfaces - has been fixed. This happened when a &man.carp.4; interface - was created before the underlying interface and its - linkstate became UP. - - A bug in the &man.ipfw.4; - packet filter subsystem has been fixed. The &man.sysctl.8; - variable net.inet.ip.fw.one_pass did not - work for netgraph action and in-kernel - NAT. - - A new loader tunable - net.link.ifqmaxlen has been added. It - specifies the default value of send interface queue length. - The default value for this parameter is - 50. - - The ngtee action in - the &man.ipfw.4; packet filter subsystem has been changed. - It no longer accepts a packet. - - A possible panic in the &man.ipfw.4; - pseudo interface for logging has been fixed. - - IPsec flow distribution has been - improved for more parallel processing. - - A bug in the &os; IPv4 stack that - prevented adding a proxy ARP entry over &man.netgraph.4; - interfaces has been fixed. - - A bug in the &os; IPv6 stack that - prevented an in the &man.ping6.8; - utility from working with - net.inet6.ip6.use_defaultzone=1 has been - fixed. - - The &man.lagg.4; interface now - supports a &man.sysctl.8; variable - net.link.lagg.failover_rx_all. 
This - controls whether to accept input packets on any link in a - failover lagg. - - The &man.ng.eiface.4; &man.netgraph.4; - node now supports VLAN-compatible MTU and an MTU size which - is larger than 1500. - - The &man.ng.ether.4; &man.netgraph.4; - node now supports interface transfer between multiple virtual - network stacks by &man.ifconfig.8; vnet - command. A &man.ng.ether.4; node associated with a network - interface is now destroyed and recreated when the network - interface is moved to another vnet. - - A new &man.netgraph.4; node - &man.ng.patch.4; has been added. This performs data - modification of packets passing through. Modifications are - restricted to a subset of C language operations on unsigned - integers of 8, 16, 32 or 64-bit size. - - An ICMP unreachable problem in the - &man.pf.4; packet filter subsystem when TSO support is - enabled has been fixed. - - The TCP bandwidth delay product window - limiting algorithm controlled by the &man.sysctl.8; variable - net.inet.tcp.inflight.enable is now - disabled by default. It has been found that this algorithm - is inefficient on a fast network with smaller RTT than 10ms. - It had been enabled by default since 5.2-RELEASE, and then - had been disabled only if the RTT was lesser than 10ms since - 7.0-RELEASE. Pluggable TCP congestion control algorithm - modules are planned to be added for the future - releases. - - A bug in &os; TCP Path MTU discovery - which could lead to a wrong calculation for an MTU smaller - than 256 octets has been fixed. Note that this bug did not - affect MTUs equal to or larger than 256 octets. - - The &os; TCP reassembly - implementation has been improved. A long-standing - accounting bug affecting SMP systems has been fixed and the - net.inet.tcp.reass.maxqlen &man.sysctl.8; - variable has been retired in favor of a per-connection - dynamic limit based on the receive socket buffer size. 
&os; - receivers now handle packet loss (particularly losses caused - by queue overflows) significantly better than before which - improves connection throughput. - - The TCP initial window increase in RFC - 3390 which can be controlled by a &man.sysctl.8; variable - net.inet.tcp.rfc3390 now reduces the - congestion window to the restart window if a TCP connection - has been idle for one retransmit timeout or more. For more - details, see RFC 5681 Section 4.1. - - The &man.siftr.4;, Statistical - Information For TCP Research (SIFTR) kernel module has been - added. This is a facility that logs a range of statistics - on active TCP connections to a log file. It provides the - ability to make highly granular measurements of TCP - connection state, aimed at system administrators, developers - and researchers. - - &os; virtual network stack (vnet) now - supports IPv4 multicast routing. - - The IEEE 802.11s element identifiers have - been updated to reflect the final version of the amendment. This - update breaks compatibility with older mesh setups but is necessary - as the previous IDs are used by another amendment leading to - unexpected results when trying to associate with an accesspoint - using the affected IDs. + Disks and Storage - The &man.ahci.4; driver now disables NCQ - and PMP support on VIA VT8251 because they are unreliable - under load. - - The &man.ahci.4; driver now uses 15 - seconds for device reset timeout instead of 10 seconds - because some devices need 10 - 12 seconds to spin up. - - The &man.arcmsr.4; driver - has been updated to version 1.20.00.19. - - The &man.ada.4; driver now supports a - new &man.sysctl.8; variable - kern.cam.ada.spindown_shutdown which - controls whether or not to spin-down disks when shutting - down if the device supports the functionality. The default - value is 1. - - The &man.ata.4; driver - now supports limiting initial ATA mode for devices via - device hints - hint.devname.unit.devN.mode or - hint.devname.unit.mode. 
- The valid values are the same as ones supported in the - &man.atacontrol.8; and &man.camcontrol.8; utilities. - - The &man.ata.4; driver now disables - cable status check on both controller and device side - when the loader tunable - hw.ata.ata_dma_check_80pin is - 0. The check on controller side was - performed regardless of this loader tunable. - - The &man.ata.4; driver now reports - SATA power management capabilities to the &man.CAM.4; layer when - is enabled. This allows a device - to initiate transitions if controller configured to accept - it. This makes - hint.ata.N.pm_level=1 - mode work. - - The &man.ata.4; driver has been - improved on hotplugging and connection speed reporting - support for some Intel SATA controllers including ICH5 and - ICH8+ operating in legacy mode. - - An issue of device detection of - Serverworks K2 SATA controllers in the &man.ata.4; has been fixed. - - A bug in the &man.ata.4; driver that - prevented some Silicon Image chipsets from working on big - endian systems has been fixed. - - The &man.gconcat.8; GEOM class now - supports kernel crash dump. The dumping is performed to the - component where a dump partition begins. - - A bug in the &man.geli.8; GEOM class - on little endian platforms has been fixed. The metadata - version for newly created providers has been updated to - 4 due to this. Providers with the older - versions are fully interoperable with 8.2-RELEASE and later - by being treated as ones with the native byte order flag - automatically. - - The &man.geli.8; GEOM class now - supports a &man.sysctl.8; variable - kern.geom.eli.overwrites. This specifies - the number of times on-disk keys should be overwritten when - destroying them. The default value is - 5. - - The &man.geli.8; GEOM class has been - improved for preventing the same encryption key from being - used in 2^20 blocks (sectors). - - The &man.geli.8; GEOM class now uses - XTS-AES mode by default. 
- - A &man.sysctl.8; variable - kern.geom.eli.debug now allows a value - -1. This means turn off any log messages - of the &man.geli.8; GEOM class. - - The &man.mpt.4; driver now supports - larger I/O sizes which the device and &man.CAM.4; subsystem - can support. This was limited to 64KB, and the number of - scatter/gather segments was limited to 33 on platforms with - 4K pages. - - The &man.twa.4; - driver has been updated. The version number is - 3.80.06.003. + File Systems - The &man.linprocfs.5; Linux process - file system now supports - proc/$$/environment. - - The &os; NFS client now supports a - kernel environment variable - boot.nfsroot.nfshandlelen. This lets the - diskless root file system on boot to use NFS version 3 and - the specified file handle length. If this variable is not - set, NFS version 2 is used. - - The ZFS on-disk format has been updated - to version 15. - - The ZFS metaslab code has been updated. - This provides a noticeable improvement on write speed, - especially on pools with less than 30% of free space. The - related OpenSolaris Bug IDs are 6826241, 6869229, 6918420, - and 6917066. - - The ZFS now supports offlining of log - devices. The related OpenSolaris Bug IDs are 6599442, - 6726045, and 6803605. - - Performance improvements for the ZFS - have been imported from OpenSolaris. They include caching of - ACL permission checks, faster handling of &man.stat.2;, - mitigation of mutex lock contention. The related - OpenSolaris Bug IDs are 6802734, 6844861, 6848431, 6775100, - 6827779, 6857433, 6860318, 6865875, 6867395, 6868276, and - 6870564. - - The default value of - vfs.zfs.vdev.max_pending has been - decreased from 35 to 10 (OpenSolaris Bug ID is 6891731) to - improve latency. - - Various bugs in the ZFS subsystem have been fixed. 
The - related OpenSolaris Bug IDs are: 6328632, 6396518, 6501037, - 6504953, 6542860, 6551866, 6572357, 6572376, 6582163, - 6586537, 6595194, 6596237, 6604992, 6621164, 6623978, - 6633095, 6635482, 6664765, 6674216, 6696242, 6696858, - 6702206, 6710376, 6713916, 6717022, 6722540, 6722991, - 6737463, 6739487, 6739553, 6740164, 6745863, 6747596, - 6747698, 6748436, 6755435, 6757430, 6758107, 6759986, - 6759999, 6761100, 6761406, 6764124, 6765294, 6767129, - 6769612, 6770866, 6774713, 6774886, 6775697, 6776104, - 6776548, 6780491, 6784104, 6784108, 6785914, 6788152, - 6788830, 6789318, 6790064, 6790345, 6790687, 6791064, - 6791066, 6791071, 6791101, 6792134, 6792139, 6792884, - 6793430, 6794136, 6794570, 6794830, 6797109, 6797118, - 6798384, 6798878, 6799895, 6800184, 6800942, 6801507, - 6801810, 6803343, 6803822, 6804954, 6807339, 6807765, - 6809340, 6809683, 6809691, 6810367, 6815592, 6815893, - 6816124, 6818183, 6821169, 6821170, 6822816, 6824006, - 6824062, 6824968, 6826466, 6826468, 6826469, 6826470, - 6826471, 6826472, 6827260, 6830237, 6830541, 6833162, - 6833711, 6833999, 6834217, 6836714, 6836768, 6838062, - 6838344, 6841321, 6843014, 6843069, 6843235, 6844069, - 6844900, 6847229, 6848242, 6856634, 6857012, 6861983, - 6862984, 6863610, 6870564, 6880764, 6882227, 6892298, - 6898245, 6906110, 6906946, 6939941, 6950219, 6951024, and - 6953403. + Userland Changes - The &man.arp.8; utility has been improved. - It now runs faster even when a single interface has a number - of aliases. - - A bug in the &man.b64decode.1; utility that - prevented an option from handling arbitrary - breaks in a base64 encoded string has been fixed. - - The &man.calendar.1; utility now supports - repeating events which span multiple years, lunar events, and - solar events. 
- - The &man.dhclient.8; utility now reports a - reason for exiting and the 10-second period in which the - &man.dhclient.8; ignores routing messages has been changed to - start just after dhclient-script starts - instead of just after it finished. This change fixes a - symptom that &man.dhclient.8; silently exits under a certain - condition. - - Userland support for the &man.dtrace.1; - subsystem has been added. This allows inspection of userland - software itself and its correlation with the kernel, thus - allowing a much better picture of what exactly is going on - behind the scenes. The &man.dtruss.1; utility has been added - and the libproc library has been updated - to support the facility. - - The &man.du.1; utility now supports a - - option to display entries that exceeds the value of - threshold. If the value is - negative, it displays entries with a value less than the - absolute value of threshold. - - The &man.fdisk.8; utility now supports - partitions which are provided by &man.gjournal.8; or - &man.geli.8; GEOM classes. - - The &man.gcore.1; utility now supports an - flag which forces a full dump of all the - segments except for the malformed ones. - - The &man.geli.8; utility now supports - resize subcommand to resize encrypted file - systems after growing it. - - The &man.geli.8; utility now supports - suspend and resume - subcommands. The suspend subcommand makes - &man.geli.8; devices wait for all in-flight I/O requests, - suspend new I/O requests, remove all &man.geli.8; sensitive - data from the kernel memory (like encryption keys) and will - wait for either geli resume or - geli detach command. For more - information, see &man.geli.8; manual page. - - The &man.geli.8; utility now checks the - metadata provider size strictly. If the check fails, the - provider is not attached. A new option - can override this behavior. - - The &man.geli.8; utility now supports - and - - options for loading passphrase from a file. 
- - The gethost*(), - getnet*(), and - getproto*() functions now set the errno - to ERANGE and the NSS backend terminates - with NS_RETURN when the result buffer size - is too small. - - The &man.gpart.8; utility now supports a - resize command to resize partitions for all - schemes but EBR. - - The &man.gpart.8; utility now supports - backup and restore - subcommands to backup partition tables and restore - them. - - The &man.gpart.8; utility now handles - given geom/provider names with and without - /dev/ prefix. - - The &man.gpart.8; utility now supports - an option for the - destroy subcommand. This option forces - destroying of the partition table even if it is not - empty. - - The &man.gpart.8; utility now supports a - recover subcommand for GPT partition - tables. A corrupted GPT is now marked when the following - three types of corruption: - - - - Primary GPT header or table is corrupted. - - - - Secondary GPT header or table is corrupted. - - - - Secondary GPT header is not located at the last LBA. - - - - Changes to the corrupted GPT table are not allowed except - for destroy and recover - subcommands. - - The &man.gpart.8; utility now supports - GPT_ENT_ATTR_BOOTME, - GPT_ENT_ATTR_BOOTONCE, and - GPT_ENT_ATTR_BOOTFAILED attributes in GPT. - The attribute keywords in the command line are - bootme, bootonce, and - bootfailed respectively. - - An issue in the &man.newfs.8; utility - has been fixed. A UFS1 file system created with 64KB - blocksize was incorrectly recognized as one with a broken - superblock. This is because the &os; kernel checks a - partition first for a UFS2 superblock at 64KB offset while it - is possible that a UFS1 file systems with 64KB blocksize has - an alternative superblock at the same location. For example, - a file system created by newfs -U -O 1 -b 65536 -f - 8192 could lead to this symptom. 
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@FreeBSD.ORG Fri Apr 5 20:41:47 2013
From: Glen Barber
Date: Fri, 5 Apr 2013 20:41:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r249169 - releng/8.4/release/doc/en_US.ISO8859-1/relnotes

Author: gjb (doc,ports committer)
Date: Fri Apr 5 20:41:46 2013
New Revision: 249169
URL: http://svnweb.freebsd.org/changeset/base/249169

Log:
  Document that, although ZFS pool feature flags are available, 8.4-RC1 and later ZFS pool version defaults to version 28 to prevent problems with upgrading to FreeBSD 9.1-RELEASE. Feature flags can be enabled by explicitly running: zpool upgrade

  Approved by: re (delphij)

Modified:
  releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml

Modified: releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml ============================================================================== --- releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml Fri Apr 5 20:24:51 2013 (r249168) +++ releng/8.4/release/doc/en_US.ISO8859-1/relnotes/article.xml Fri Apr 5 20:41:46 2013 (r249169) 
@@ -190,7 +190,37 @@ File Systems - + ZFS is upgraded to support zpool feature flags. ZFS + pool creation defaults to version 28 allowing upgrades to + &os; 9.1-RELEASE, which does not support + zpool feature flags. + + Users who wish to enable these features can upgrade + storage pools created on &os; 8.4-RC1 and later by + running zpool upgrade. + + The new features available are: + + + + async_destroy: allows a ZFS + dataset to be destroyed asynchronously, reclaiming space + by a background process. + + + + empty_bpobj: improves performance + and reduces disk space needed by snapshots. + + + + lz4_compress: a new high + performance compression algorithm thatfeatures better + performance and compression ratio than lzjb. + + + + For more information, see &man.zpool-features.7;.
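Review bot: the paragraph that tells users to run zpool upgrade should state that the step is one-way. The paragraph before it says &os; 9.1-RELEASE does not support zpool feature flags, so a pool upgraded this way can no longer be imported there, and a reader who skims for the command will miss that consequence. Suggest adding a sentence to that effect directly after "running zpool upgrade". In the lz4_compress item, "thatfeatures" is missing a space and should read "that features".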