From: Benjamin Kaduk
Date: Sun, 26 Jul 2015 22:39:58 -0400 (EDT)
To: freebsd-announce@FreeBSD.org
Subject: [FreeBSD-Announce] FreeBSD Quarterly Status Report - Second Quarter 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD Project Quarterly Status Report: April - June 2015

The second quarter of 2015, from April to June, was another period of busy activity for FreeBSD. This report is the largest we have published so far.

The cluster and release engineering teams continued to improve the structures that support FreeBSD's build, maintenance, and installation. Projects ran the gamut from security and speed improvements to virtualization and storage appliances. New kernel drivers and capabilities were added, while work to make FreeBSD run on various ARM architectures continued at a rapid pace. The Ports Collection grew, even while adding capabilities and fixing problems. Outside projects like pkgsrc have become interested in adding support.

Documentation was a major focus, one that is often complimented by people new to FreeBSD. BSDCan 2015 was a great success, turning many hours of sleep deprivation into an even greater amount of inspiration.

As always, a great deal of this activity was directly sponsored by the Foundation. The project's status as a first-class operating system owes a great deal to the Foundation's past and ongoing work.

The number and detail of these reports really gives only a tiny glimpse of all that is happening. A huge portion of FreeBSD development takes place all the time, including bug fixes, feature improvements, rewrites, and imports of new code. This ongoing work is difficult, time-consuming, and, far too often, unrecognized.

We should take a moment to consider and thank not just the contributors listed here, but also the end users, bug submitters, port maintainers, coders, security analysts, infrastructure defenders, tinkerers, scientists, designers, questioners, answerers, rule makers, testers, documenters, sysadmins, dogmatists, iconoclasts, and crazed geniuses who make FreeBSD such an effective and useful operating system. If you are reading this, you are one of these people, too.

Thank you.

--Warren Block
__________________________________________________________________

This status report was compiled by Benjamin Kaduk and Warren Block.

Please submit status reports for the third quarter of 2015 (July to September) by October 7, 2015.
__________________________________________________________________

FreeBSD Team Reports

* FreeBSD Cluster Administration Team
* FreeBSD Release Engineering Team
* The FreeBSD Core Team

Projects

* Address Space Layout Randomization (ASLR)
* bhyve
* Linux Binary Emulation Layer Upgrade
* Mellanox iSCSI Extensions For RDMA (iSER) Support
* Multipath TCP for FreeBSD
* OpenBSM
* OPNsense
* Root Remount
* ZFSguru

Kernel

* 1-Wire Kernel Driver Implementation
* Adding PCIe Hot-plug Support
* CloudABI: Capability-Based Runtime Environment
* Rewritten PCID Support
* Sleep States Enhancements on x86
* Warner's ARMv6 Hard Float Experiment

Architectures

* FreeBSD on Cavium ThunderX (arm64)
* FreeBSD/arm64

Userland Programs

* Cleanup on pw(8)

Ports

* KDE on FreeBSD
* Official Packages
* Ports Collection
* The Graphics Stack on FreeBSD
* Wine/FreeBSD
* Xfce on FreeBSD

Documentation

* Documentation Working Group at BSDCan
* FreeBSD Mastery: ZFS Now Available
* Leap Seconds Article
* New Documentation Committers
* The FreeBSD German Documentation Project

Google Summer of Code

* GSoC 2015: libc Security Extensions
* Multiqueue Testing

Miscellaneous

* BSDCan 2015
* FreeBSD Support in pkgsrc
* The FreeBSD Foundation
* ZFS Support for UEFI Boot/Loader
__________________________________________________________________

FreeBSD Cluster Administration Team

Contact: FreeBSD Cluster Administration Team

The FreeBSD Cluster Administration Team consists of the people responsible for administering the machines that the project relies on for its distributed work and communications to be synchronised. In this quarter, the team has been extremely busy with work both visible and invisible from outside of the FreeBSD infrastructure.

* Migrated reference machines used by FreeBSD developers to the new machines purchased by the FreeBSD Foundation at New York Internet
* Separated email services (and single-point-of-failure cases) from the machine that has been handling this task for over 18 years, to new, single-purpose service installations
* Reorganized the infrastructure, serving repositories hosted by svn.freebsd.org to GeoDNS-backed mirrors, all with a single, official SSL certificate
* Increased multi-site redundancy for public and non-public services throughout, at present, eight world-wide geographic sites

While an enormous amount of this work was volunteer-driven, resources (time and hardware) were generously provided by the FreeBSD Foundation.

This project is sponsored by The FreeBSD Foundation (time and hardware).
__________________________________________________________________

FreeBSD Release Engineering Team

Links
FreeBSD 10.2-RELEASE schedule
URL: https://www.freebsd.org/releases/10.2R/schedule.html
FreeBSD development snapshots
URL: http://ftp.freebsd.org/pub/FreeBSD/snapshots/ISO-IMAGES/
FreeBSD development snapshots announcements list
URL: https://lists.freebsd.org/pipermail/freebsd-snapshots/

Contact: FreeBSD Release Engineering Team

The FreeBSD Release Engineering Team is responsible for setting and publishing release schedules for official project releases of FreeBSD, announcing code freezes, and maintaining the respective branches, among other things.

The FreeBSD 10.2-RELEASE cycle began in mid-June, with the final release expected to be available in late August, and as this quarterly status update shows, FreeBSD 10.2-RELEASE is going to be a very exciting release.

The FreeBSD Release Engineering Team has been extremely busy this quarter, with much of the focus targeted at adding support for additional hardware and integration with third-party hosting providers (aka "cloud" hosting).

Following up on the work done by Andrew Turner to port FreeBSD to the arm64 (aarch64) architecture, the Release Engineering build tools were updated to produce FreeBSD/aarch64 memory stick images and virtual machine images for use with Qemu (emulators/qemu-devel). At present, the Qemu virtual machine images require an external EFI file to boot. Details on how to boot FreeBSD/aarch64 virtual machine images are available in the linked FreeBSD development snapshot announcement email archives.

Last quarter, several parts of the build tools were rewritten to allow greater extensibility and granularity, which has simplified the code required for new virtual machine images.

In collaboration with several developers, the Release Engineering build tools were updated to provide new support for several hosting providers, as well as provide mechanisms to automatically upload (and publish, where possible) FreeBSD virtual machine images. This quarter, in addition to the existing support for the Microsoft Azure platform, the build tools also natively support:

* Amazon EC2 (thanks to Colin Percival)
* Google Compute Engine (thanks to Steve Wills)
* Vagrant/Hashicorp Atlas (thanks to Brad Davis)

The FreeBSD Release Engineering Team would like to thank these developers for all of the work that went into making this possible, and would like to especially thank Marcel Moolenaar for all of his work on the mkimg(1) utility, especially for adding support for the various file formats requested.

In addition to the enhancements to the virtual machine build tools, a significant amount of work went into refactoring the build code used to produce FreeBSD/arm images.
With much of the logic resembling how the Crochet utility (written by Tim Kientzle) works, and a significant amount of work, input, and advice from Ian Lepore, Warner Losh, Andrew Turner, Luiz Otavio O Souza, and a large number of contributors on the freebsd-arm@FreeBSD.org mailing list, the FreeBSD Release Engineering tools now natively support producing FreeBSD/arm images without external build tools.

At present, the build tools support building FreeBSD/arm images for:

* BEAGLEBONE
* CUBOX/HUMMINGBOARD
* GUMSTIX
* RPI-B
* RPI2 (FreeBSD-CURRENT only)
* PANDABOARD
* WANDBOARD

The FreeBSD Release Engineering Team would like to thank each of these people for their support and input, and would like to especially thank Tim Kientzle for his work on Crochet. Without it, we might not have been able to produce images for the various boards that we are able to now.

For more information on what else has changed in FreeBSD since 10.1-RELEASE, see the FreeBSD 10.1-STABLE release notes (which will become the release notes for 10.2-RELEASE).

Additionally, Glen Barber would like to thank Jim Thompson for providing a BeagleBone Black board (replacing one that no longer worked), and Benjamin Perrault for providing a PandaBoard ES, both of which are used for locally testing the images produced by the build tools.

Last, and certainly not least, Glen Barber would also like to thank the FreeBSD Foundation for their support, and for providing the resources (time and hardware) required to make all of the items mentioned in this status report possible.

This project is sponsored by The FreeBSD Foundation.
__________________________________________________________________

The FreeBSD Core Team

Contact: FreeBSD Core Team

The FreeBSD Core Team constitutes the project's "Board of Directors", responsible for deciding the project's overall goals and direction as well as managing specific areas of the FreeBSD project landscape.

In order to help attract fresh developer talent to FreeBSD, Core has a general policy to make available an up-to-the-minute suite of developer tools and services. Core has long been encouraging FreeBSD committers to make full use of the project's Phabricator instance at https://reviews.FreeBSD.org, and now has supported the Phabricator admins in opening access to anyone interested enough to sign up for an account. Further developments under consideration include setting up a FreeBSD.org OAuth 2 provider and permitting OAuth-style Single Sign-On access to most FreeBSD web-based services. Developers and members of the public would additionally be able to use credentials from other providers such as GitHub, Twitter, or Google to authenticate themselves to FreeBSD web services.

Mark Murray raised a problem he has been having for some time with getting adequate security review of his proposed changes to random(9). This is an extremely security sensitive area of the kernel where errors can have disastrous consequences. Core has been able to drum up a number of reviewers and they have made significant progress in simplifying the design, eliminating some difficult portions of code, and reducing any potential attack surface. Work is still ongoing and Core remains open to the idea of bringing in external reviewers with specialist cryptographic knowledge.

Dag-Erling Smørgrav resigned as Security Officer towards the end of May. Core was sorry to see him step down, but unanimously pleased to welcome his nominee and former deputy, Xin Li, as his successor. Xin has since appointed Gleb Smirnoff (who also happens to be a current member of core) as his new deputy. Between them and Core they have some fairly radical ideas under discussion about how to improve the project's responsiveness to security issues.

In mid-June, a change to style(9) was proposed, and resulted in much lively discussion.
Warner Losh conducted an informal poll with Phabricator and the change was approved and committed within a couple of days. Unfortunately, complaints were raised about the timing and voting methods and Core was called upon to arbitrate. The change was backed out voluntarily, a new poll was held with more time to vote, and the change was approved.

During this period we had two new commit bits awarded, and one taken in for safekeeping. Welcome aboard to Chris Torek and Mariusz Zaborski, and we were very sorry indeed to see Steve Kargl decide to call it a day.
__________________________________________________________________

Address Space Layout Randomization (ASLR)

Links
HardenedBSD
URL: https://hardenedbsd.org/
True Stack Randomization
URL: https://hardenedbsd.org/article/shawn-webb/2015-06-30/introducing-true-stack-randomization
Announcing ASLR Completion
URL: https://hardenedbsd.org/article/shawn-webb/2015-07-06/announcing-aslr-completion
Call for Donations
URL: https://hardenedbsd.org/article/shawn-webb/2015-07-11/call-donations
SoldierX
URL: https://www.soldierx.com/

Contact: Shawn Webb
Contact: Oliver Pinter
Contact: HardenedBSD

HardenedBSD is a downstream distribution of FreeBSD aimed at implementing exploit mitigation and security technologies. The HardenedBSD development team has focused on several key features, one being Address Space Layout Randomization (ASLR). ASLR is a computer security technique that aids in mitigating low-level vulnerabilities such as buffer overflows. ASLR randomizes the memory layout of running applications to prevent an attacker from knowing where a given vulnerability lies in memory.

This last quarter, the HardenedBSD team has finalized the core implementation of ASLR. We implemented true stack randomization along with a random stack gap. This change allows us to apply 42 bits of entropy to the stack, the highest of any operating system. We bumped the hardening.pax.aslr.stack_len sysctl(8) to 42 by default on amd64.
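
One way to observe stack randomization from userland, as an added example that is not HardenedBSD's code: the program re-executes itself and reports which bits of a stack variable's address change between runs. The function names, the "--child" argument and the sample count of 64 are assumptions of this example.

```c
/* Added example: observe which stack-address bits change across executions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAMPLES 64 /* assumption: enough runs for every randomized bit to flip */

/* Mask of bit positions that differ between any sample and the first one. */
uint64_t varying_mask(const uint64_t *addrs, size_t n)
{
    uint64_t mask = 0;

    for (size_t i = 1; i < n; i++)
        mask |= addrs[i] ^ addrs[0];
    return mask;
}

/* Population count of the mask: how many bit positions were seen to change. */
int count_bits(uint64_t mask)
{
    int bits = 0;

    for (; mask != 0; mask &= mask - 1)
        bits++;
    return bits;
}

/* Exec a fresh copy of this program in "--child" mode and read its output. */
static int sample_child(const char *self, uint64_t *out)
{
    int fds[2], status;
    char buf[32];
    size_t used = 0;
    ssize_t got;
    pid_t pid;

    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* A new process image gets a new layout; fork() alone copies ours. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execlp(self, self, "--child", (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    while (used < sizeof(buf) - 1 &&
        (got = read(fds[0], buf + used, sizeof(buf) - 1 - used)) > 0)
        used += (size_t)got;
    buf[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || used == 0)
        return -1;
    *out = strtoull(buf, NULL, 16);
    return 0;
}

int main(int argc, char **argv)
{
    uint64_t addrs[SAMPLES], mask;
    volatile char marker = 0; /* lives on the main thread's stack */

    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        printf("%llx\n", (unsigned long long)(uintptr_t)&marker);
        return 0;
    }
    for (size_t i = 0; i < SAMPLES; i++) {
        if (sample_child(argv[0], &addrs[i]) != 0) {
            fprintf(stderr, "sample %zu failed\n", i);
            return 1;
        }
    }
    mask = varying_mask(addrs, SAMPLES);
    printf("bits seen changing: %d (mask 0x%016llx)\n",
        count_bits(mask), (unsigned long long)mask);
    return 0;
}
```

The count is the number of bit positions seen to change over the sampled runs, which indicates the randomized range; it is not an exact entropy measurement.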

We also now randomize the Virtual Dynamic Shared Object (VDSO). The VDSO is one or more pages of memory shared between the kernel and the userland. On amd64, it contains the signal trampoline and timing code (gettimeofday(4), for example).

With these two changes, the ASLR implementation is now complete. There are still tasks to work on, however. We need to update our documentation and enhance a few pieces of code. Our ASLR implementation is in use in production by HardenedBSD and is performing robustly.

Additionally, we are currently running a fundraiser to help us establish a not-for-profit organization and for hardware updates. We have received a lot of help from the community and we greatly appreciate the help. We need further help to take the project to the next level. We look forward to working with the FreeBSD project in providing excellent security.

This project is sponsored by SoldierX.

Open tasks:

1. Update the aslr(4) manpage and the wiki page.
2. Improve the Shared Object load order feature with Michael Zandi's improvements.
3. Re-port the ASLR work to vanilla FreeBSD. Include the custom work requested by FreeBSD developers.
4. Close the existing review on Phabricator.
5. Open multiple smaller reviews for pieces of the ASLR patch that can be split out logically.
6. Perform a special backport to HardenedBSD 10-STABLE for OPNSense to pull in.
7. golang segfaults in HardenedBSD. Help would be nice in debugging.
__________________________________________________________________

bhyve

Links
bhyve FAQ and talks
URL: http://www.bhyve.org

Contact: Peter Grehan
Contact: Neel Natu
Contact: Tycho Nightingale
Contact: Allan Jude
Contact: Alexander Motin
Contact: Marcelo Araujo

bhyve is a hypervisor that runs on the FreeBSD/amd64 platform. At present, it runs FreeBSD (8.x or later), Linux i386/x64, OpenBSD i386/amd64, and NetBSD/amd64 guests.
Current development is focused on enabling additional guest operating systems and implementing features found in other hypervisors.

bhyve BoF at BSDCan 2015

A bhyve BoF was held during lunch hour at BSDCan 2015. It was attended by approximately 60 people. Michael Dexter showed Windows Server 2012 running inside bhyve. Common themes that came up during the discussion were: bhyve configuration, libvirt and OpenStack integration, best practices, bhyve with ZFS, additional guest support and live migration.

Google Summer of Code 2015

A number of bhyve-related proposals were submitted for GSoC 2015 and these four were accepted:

* NE2000 device emulation
* Porting bhyve to ARM
* ptnetmap support in bhyve
* PXE boot support in bhyveload

A number of improvements were made to bhyve this quarter:

* GEOM storage backend now works properly with bhyve.
* Device model enhancements and new instruction emulations to support Windows guests.
* Improve virtio-net performance by disabling queue notifications when not needed.
* The dtrace FBT provider now works properly with vmm.ko.

Marcelo Araujo and Allan Jude created a rough patch to make bhyve parse a config file to replace the existing method of configuration by command line invocation. The rapid pace of advancement in bhyve resulted in requiring a much more complex config file. A new design for the config file, with support for the plugin architecture that will eventually be introduced into bhyve, is now being discussed.

Open tasks:

1. Improve documentation.
2. bhyveucl is a script for starting bhyve instances based on a libUCL config file. More information at https://github.com/allanjude/bhyveucl.
3. Add support for virtio-scsi.
4. Flexible networking backend: wanproxy, vhost-net
5. Support running bhyve as non-root.
6. Add filters for popular VM file formats (VMDK, VHD, QCOW2).
7. Implement an abstraction layer for video (no X11 or SDL in base system).
8. Suspend/resume support.
9. Live Migration.
10. Nested VT-x support (bhyve in bhyve).
11. Support for other architectures (ARM, MIPS, PPC).
__________________________________________________________________

Linux Binary Emulation Layer Upgrade

Links
Emulation team on FreeBSD wiki
URL: https://wiki.FreeBSD.org/Emulation

Contact: Allan Jude
Contact: Dmitry Chagin
Contact: Ed Maste
Contact: Edward Tomasz Napierała
Contact: Johannes Meixner
Contact: FreeBSD Emulation Team

The FreeBSD emulation team has done extensive work on polishing FreeBSD's Linux emulation layer.

After more than a year and a half, Dmitry Chagin's changes to the Linux binary emulation layer were merged into FreeBSD 11.0-CURRENT. Before merging the more than 115 individual changes into base/head, Ed Maste and Edward Tomasz Napierała were able to help by reviewing and improving the code quality.

Work has begun on backporting these changes into FreeBSD 10-STABLE, with the current 10.2 release cycle in mind. We hope to have that backport ready before 10.2-PRERELEASE turns into 10.2-RELEASE.

In that same vein, Allan Jude was able to upload and improve a recent Differential Revision that will eventually lead to our having both 32-bit and 64-bit ports for CentOS 6. Port review activity started during the BSDCan conference's developer summit, and will be continued extensively during the Cambridge Developer Summit.

We are currently expecting to have both Fedora 10, CentOS 6 32-bit- and CentOS 6 64-bit-compatible frameworks available by Q4/2015.

Call for Help: Contributing

People can contribute to the Emulation team's efforts by testing the CentOS 64-bit changes on a FreeBSD 11.0-CURRENT system. Please use Bugzilla to report any bugs or oddities encountered.

For the ambitious: we are planning to start working on a CentOS 7 framework. CentOS 7 is 64-bit only, uses a newer kernel, and has systemd, so this work is highly experimental. We hope to have a usable port by Q2/2016.

This project is sponsored by Perceivon Hosting Inc., ScaleEngine Inc., and The FreeBSD Foundation.

Open tasks:

1. Test 64-bit Linux emulation on 11.0-CURRENT
2. Backport 64-bit Linux emulation to 10-STABLE
3. Review 64-bit CentOS 6 ports and merge changes
4. Create/heavily update existing 64-bit CentOS 7 ports
5. Anyone who would like to get in touch should not hesitate to contact any of the emulation@ team members. Similarly, a mail to emulation@FreeBSD.org is always welcome.
__________________________________________________________________

Mellanox iSCSI Extensions For RDMA (iSER) Support

Links
iser-freebsd on GitHub
URL: https://github.com/sagigrimberg/iser-freebsd

Contact: Max Gurtovoy
Contact: Sagi Grimberg

Building on the new in-kernel iSCSI initiator stack released in FreeBSD 10.0 and the recently added iSCSI offload interface, Mellanox Technologies has begun developing iSCSI extensions for RDMA (iSER) initiator support to enable efficient data movement using the hardware offload capabilities of Mellanox's 10, 40, 56 and 100 Gigabit IB/Ethernet adapters.

Remote Direct Memory Access (RDMA) has been shown to have a great value for storage applications. RDMA infrastructure provides benefits such as Zero-Copy, CPU offload, Reliable transport, Fabric consolidation, and many more. The iSER protocol eliminates some of the bottlenecks in the traditional iSCSI/TCP stack, provides low latency and high throughput, and is well suited for latency aware workloads.

This work includes a new ICL module that implements the iSER initiator. The iSCSI stack is slightly modified to support some extra features such as asynchronous IO completions, unmapped data buffers, and data-transfer offloads. The user will be able to choose iSER as the iSCSI transport with iscsictl.

The project is in its beta phase.
Recent additions include:

* Rebased on top of 11-CURRENT (r284921)
* Added discovery over iSER support
* HA and automatic session re-establishment support
* Split iSER from iSCSI module

In addition, the iser driver has been and continues to be thoroughly tested. The test suite includes:

* traffic
* FS tests
* compliance tests
* traffic failover/failback
* session recovery
* dynamic module load/unload

The code is ready for inclusion and will be released under the BSD license.

This project is sponsored by Mellanox Technologies.
__________________________________________________________________

Multipath TCP for FreeBSD

Links
MPTCP Project Website
URL: http://caia.swin.edu.au/newtcp/mptcp

Contact: Nigel Williams

Multipath TCP (MPTCP) is an extension to TCP that allows for the use of multiple network interfaces on a standard TCP session. The addition of new addresses and scheduling of data across these occurs transparently from the perspective of the TCP application.

The goal of this project is to deliver an MPTCP kernel patch that interoperates with the reference MPTCP implementation, along with additional enhancements to aid network research.

The patch now supports the core mechanisms of the MPTCP protocol (multi-address operation, data-level retransmission, etc). Recent additions include improved socket-option handling and the transfer of some logging output to DTRACE. The patch has been updated to build against r285254 of HEAD.

A patch (v0.5) is currently being tested and will be made available to the public shortly, with a plan to release further patches on a more frequent basis following that.

This project is sponsored by FreeBSD Foundation.

Open tasks:

1. Complete documentation and testing for release of the v0.5 patch.
2. Release Technical Report describing the implementation of v0.5.
__________________________________________________________________

OpenBSM

Links
OpenBSM: Open Source Basic Security Module (BSM) Audit Implementation
URL: http://www.openbsm.org/
openbsm on GitHub
URL: https://github.com/openbsm/openbsm

Contact: Robert Watson
Contact: Christian Brueffer
Contact: TrustedBSD audit mailing list

OpenBSM is a BSD-licensed implementation of Sun's Basic Security Module (BSM) API and file format. It is the user space side of the CAPP Audit implementations in FreeBSD and Mac OS X. Additionally, the audit trail processing tools are expected to work on Linux.

After a period of dormancy, the project is slowly picking up steam again. The OpenBSM source code repository was migrated from FreeBSD's Perforce server to GitHub. We hope this will make the code more accessible and stimulate outside contributions. In addition to the repository migration, automated build testing using Travis CI has been enabled, and initial steps towards a new test release have been made.

Open tasks:

1. Test the code on GitHub on different releases of Mac OS X and Linux. Especially testing on Mac OS X 10.9 (Mavericks) and newer would be greatly appreciated.
__________________________________________________________________

OPNsense

Links
OPNsense website
URL: https://opnsense.org
OPNsense source code
URL: https://github.com/opnsense

Contact: Franco Fichtner
Contact: Ad Schellevis
Contact: Jos Schellevis

OPNsense is a fork of pfSense that aims to follow FreeBSD's code base and ecosystem quickly and closely while retaining the parent's powerful firewall capabilities. The new 15.7 release includes efforts such as firmware upgrades and packaging fully based on pkg, weekly security updates, the replacement of ALTQ-based traffic shaping with IPFW/dummynet, and production-ready LibreSSL integration as an alternative to OpenSSL.

Contributors and testers are welcome as we work on redesigning plugin support, rework the GUI according to modern coding standards (MVC) and privilege separation.

This project is sponsored by Deciso.
__________________________________________________________________

Root Remount

Contact: Edward Tomasz Napierała

One of the long missing features of FreeBSD was the ability to boot with a temporary rootfs, configure the kernel to be able to access the real rootfs, and then replace the temporary root with the real one. In Linux, the functionality is known as pivot_root. The reroot project aims to provide similar functionality in a different, slightly more user-friendly way: rerooting. Simply put, from the user point of view it looks like the system performs a partial shutdown, killing all processes and unmounting the rootfs, and then partial bringup, mounting the new rootfs, running init, and running the startup scripts as usual.

The project is in the late implementation phase. A working prototype was written, and work is in process to rewrite it in an architecturally nicer way.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Complete debugging
__________________________________________________________________

ZFSguru

Links
ZFSguru
URL: http://zfsguru.com

Contact: Jason Edwards

ZFSguru is a multifunctional server appliance with a strong emphasis on storage. ZFSguru began as a simple web-interface frontend to ZFS, but has since grown into a FreeBSD derivative with its own infrastructure. The scope of the project has also grown with the inclusion of add-on packages that add functionality beyond the traditional NAS functionality found in similar products like FreeNAS and NAS4Free. ZFSguru aims to be a true multifunctional server appliance that is extremely easy to set up and can unite both novice and more experienced users in a single user interface.
The modular nature of the project combats the danger of bloat, whilst still allowing extended functionality to be easily deployed.

The ZFSguru project is nearing the release of version 0.3, a major milestone for the project. In this new version, major work has been done on fundamentals. An overview:

* New build infrastructure allows for frequent releases of system images and services in a semi-automated way.
* New GuruDB database allows for a growing number of system images and servers, and provides good caching to accelerate pages.
* Redesigned installation procedure, and addition of new distributions Root-on-RAM and Root-on-Media aside from the already supported Root-on-ZFS.
* Both LiveCD and USB images will be provided. The USB image also has UEFI boot support working alongside the regular MBR boot support so both are available.
* Many overhauled libraries and additions to the web interface.
* Many improvements to services, such as the new Gnome 3 graphical environment.

ZFSguru version 0.3 will be released on the first of August.
__________________________________________________________________

1-Wire Kernel Driver Implementation

Links
1-Wire Stuff: Basics and Temperature
URL: https://reviews.freebsd.org/D2956

Contact: Warner Losh

This is a kernel driver implementation of the Dallas Semiconductor 1-Wire bus in a generic fashion. While temperature sensors are the only devices initially supported, other devices should be easy to add. Multiple devices on one bus are supported. Both normal and overdrive modes are supported.

Multiple temperature sensors have been well tested, but there is a high bit error rate. There are indications that this is due to bad bit-read times. The code is written with enough resilience to cope with the problem by retrying, and the error rate is low enough that a couple of retries paper over many marginal issues.

Open tasks:

1. Implement the overdrive device.
   Add overdrive capability to owc and provide an own method to allow the presentation drivers to know when it is safe to use the overdrive ROM commands.
2. Implement the Identification device. This device just has a class of 1 and no registers.
3. Implement non-FDT gpiobus attachment.
4. Test overdrive timings.
5. Implement other attachments for things like serial port or specialized 1-Wire controllers.
6. Use the system clock to implement more precise delays to improve the error rate.
7. Use interrupt mode for GPIO pins to time the transitions of the line to determine the bit values without busy waiting. Use FreeBSD's fine-grained sleeping to do the same for write-one and write-zero routines.
8. Review the code at the URL above.
9. Test the code on a device other than a RPi, RPi 2, or BeagleBone Black.
10. Test the code on architectures besides armv6.
11. Implement streamlined temperature mode where the convert_t command is broadcast and a callback reads the values for all the devices detected on the bus.
12. Implement parasitic power mode.
__________________________________________________________________

Adding PCIe Hot-plug Support

Links
PCIe Hot-plug P4 Branch
URL: http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/pciehotplug
Commit adding bridge save/restore.
URL: https://svnweb.freebsd.org/changeset/base/r281874
Github branch with patches
URL: https://github.com/FreeBSDFoundation/freebsd/tree/pciehp

Contact: John-Mark Gurney

PCI Express (PCIe) hot-plug is used on both laptops and servers to allow peripheral devices to be added or removed while the system is running. Laptops commonly include hot-pluggable PCIe as either an ExpressCard slot or a Thunderbolt interface. ExpressCard has built in USB support that is already supported by FreeBSD, but ExpressCard PCIe devices like Gigabit Ethernet adapters and eSATA cards are only supported when they are present at boot, and removal may cause FreeBSD to crash.
The goal of this project is to allow these devices to be inserted and removed while FreeBSD is running. The work will provide the basic infrastructure to support adding and removing devices, though it is expected that additional work will be needed to update individual drivers to support hot-plug.

Current testing is focused on getting a simple UART device functional. Basic hot swap is functional. A set of the patches is now available on github.com.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. Get suspend/resume functional by save/restoring necessary registers. This should be addressed by r281874.
2. Make sure that upon suspend, devices are removed so that any hardware changes made while the machine is suspended are correctly handled.
3. Improve how state transitions are handled, possibly by using a proper state machine.

__________________________________________________________________

CloudABI: Capability-Based Runtime Environment

Links
CloudABI on GitHub
URL: https://github.com/NuxiNL/cloudlibc
FreeBSD patchset on GitHub
URL: https://github.com/NuxiNL/freebsd

Contact: Ed Schouten

CloudABI is a compact UNIX-like runtime environment that is purely based on capability-based security (Capsicum). All features that are incompatible with this model have been removed. Advantages of using a pure capability-based environment include improved security, testability, and reusability.

CloudABI should make it possible to run arbitrary third-party executables directly on top of FreeBSD without any impact on system security, making it a good building block for a cluster/cloud computing setup. See the project on GitHub for a more detailed explanation.

Last month I added a number of packages for the FreeBSD Ports tree. We now have a full C/C++ cross compiler that can be installed very easily (devel/cloudabi-toolchain).
I also imported a tool called cloudabi-run that can be used to start programs safely, only granting access to files and network sockets listed in the program's configuration file (sysutils/cloudabi-utils).

I have also imported some kernelspace modifications into the FreeBSD source tree for executing CloudABI programs. After all of these changes have been imported, just loading a kernel module will allow executing CloudABI programs. Right now, the "cloudabi" branch on GitHub is still required.

This project is sponsored by Nuxi, the Netherlands.

Open tasks:

1. Polish up the kernelspace modifications and send them out for review.
2. Complete the Linux and NetBSD kernel patchsets and send those out to the respective maintainers.

__________________________________________________________________

Rewritten PCID Support

Links
Commit r282684
URL: https://svnweb.freebsd.org/base?view=revision&revision=282684

Contact: Konstantin Belousov

A Process-Context Identifier (PCID) is a performance-enhancing feature of the Translation Lookaside Buffer (TLB) on Intel processors, introduced with the Sandy Bridge micro-architecture. It allows the TLB to simultaneously cache translation information for several address spaces, and gives an opportunity for the operating system context switch code to avoid flushing the TLB upon process switch. Each cached translation is tagged with some context identifier, and at context switch time, the operating system instructs the processor which context is becoming active. The feature slightly reduces context switch time by avoiding TLB flushes, and more importantly, reduces the warm-up period for a thread after context switch.

FreeBSD already used PCID, but the existing implementation had several shortcomings. The amd64 pmap (the machine-dependent portion of the virtual memory subsystem) maintained a bitmap of all CPUs which ever loaded a translation for the given address space, and avoided TLB flush on the context switch.
The bitmap was used to direct Inter-Processor Interrupts to the marked CPU when the operating system needed to perform TLB invalidation.

The most significant deficiency of the old implementation was the increase of TLB invalidation IPIs, since the bitmap could only grow until a full TLB shootdown was performed. It increased the TLB rate, which negated the positive effects of avoiding TLB flushes on large machines. Secondarily, the bitmap maintenance in both the pmap and the context code was quite complicated, leading to bugs. These issues resulted in the PCID feature being disabled by default.

The new PCID implementation uses an algorithm described in the U. Vahalia book "UNIX Internals: The New Frontiers". The algorithm is already used, for example, by the MIPS pmap for assigning Address Space Identifiers (ASIDs) to software-managed TLB entries. The pmap maintains a per-CPU generation count, which is assigned to the next unused PCID when the context is activated on a CPU. TLB invalidation includes resetting the generation count, which causes reallocation of the PCID when a context switch is performed. As a result, the new implementation issues exactly the same amount of shootdown IPIs as a pmap which does not utilize PCID.

Another change included with the PCID rewrite is a move of the address space switching code from assembler to C source, making the algorithm easier to understand and validate.

Measurements done with hwpmc(4) on a Haswell machine indicated that the new implementation reduced the TLB miss rate by up to 10 times, without an increase in TLB shootdown IPIs. The rewrite was committed to HEAD at r282684.

Note: AMD processors do not have the PCID feature for host paging (AMD provides ASIDs for SVM use). But it is likely that AMD processors do cache TLB translations for different address spaces transparently, and snoop writes to the page tables to invalidate the caches.

This project is sponsored by The FreeBSD Foundation.
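The generation-count scheme described in this entry can be modelled in a few lines of C. This is an added illustration, not code from r282684 or the FreeBSD pmap: every name in it, the two-CPU setup, the four-entry PCID space and the active-CPU mask passed to the invalidation routine are assumptions of the model.

```c
/* Added example: simplified model of per-CPU generation-count PCID
 * allocation. All names are hypothetical; this is not FreeBSD pmap code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCPU         2
#define PCID_KERN    0   /* assumption: PCID 0 stays reserved for the kernel */
#define PCID_OVERMAX 4   /* tiny on purpose; the hardware PCID field is 12 bits */

struct cpu_state {
    uint32_t gen;        /* current generation on this CPU, never 0 */
    uint32_t next_pcid;  /* next unused PCID within this generation */
};

struct aspace {
    struct {
        uint32_t pcid;   /* PCID this address space holds on that CPU */
        uint32_t gen;    /* generation it was issued in; 0 = invalid */
    } percpu[NCPU];
};

static struct cpu_state cpus[NCPU];

void model_init(void)
{
    for (int i = 0; i < NCPU; i++) {
        cpus[i].gen = 1;
        cpus[i].next_pcid = PCID_KERN + 1;
    }
}

/*
 * Context switch to `as` on `cpu`. Returns true when translations tagged
 * with *pcid are still valid and may be kept; false when the PCID was
 * (re)assigned and entries tagged with it must be flushed as it is loaded.
 */
bool as_activate(struct aspace *as, int cpu, uint32_t *pcid)
{
    struct cpu_state *c = &cpus[cpu];

    if (as->percpu[cpu].gen == c->gen) {
        *pcid = as->percpu[cpu].pcid;
        return true;
    }
    if (c->next_pcid == PCID_OVERMAX) {
        /* Out of PCIDs: a new generation retires every older
         * assignment on this CPU at once. */
        if (++c->gen == 0)
            c->gen = 1;
        c->next_pcid = PCID_KERN + 1;
    }
    as->percpu[cpu].pcid = c->next_pcid++;
    as->percpu[cpu].gen = c->gen;
    *pcid = as->percpu[cpu].pcid;
    return false;
}

/*
 * Invalidate a translation of `as` from `cur_cpu`, which is running in it.
 * `active_mask` has a bit set for each CPU currently running in `as`
 * (model assumption). Returns the number of shootdown IPIs sent.
 */
int as_invalidate(struct aspace *as, int cur_cpu, unsigned active_mask)
{
    int ipis = 0;

    for (int cpu = 0; cpu < NCPU; cpu++) {
        if (cpu == cur_cpu)
            continue;                 /* invalidated locally, no IPI */
        if (active_mask & (1u << cpu))
            ipis++;                   /* running there: IPI, as without PCID */
        else
            as->percpu[cpu].gen = 0;  /* not running there: drop the PCID */
    }
    return ipis;
}

int main(void)
{
    struct aspace a, b;
    uint32_t pcid = 0;
    bool kept;

    memset(&a, 0, sizeof(a));
    memset(&b, 0, sizeof(b));
    model_init();
    as_activate(&a, 0, &pcid);
    as_activate(&b, 0, &pcid);
    kept = as_activate(&a, 0, &pcid);
    printf("back to a on CPU 0: kept=%d pcid=%u\n", kept, (unsigned)pcid);
    as_activate(&a, 1, &pcid);
    printf("IPIs for invalidation from CPU 1: %d\n",
        as_invalidate(&a, 1, 1u << 1));
    kept = as_activate(&a, 0, &pcid);
    printf("a on CPU 0 afterwards: kept=%d pcid=%u\n", kept, (unsigned)pcid);
    return 0;
}
```

The CPU that was not running the address space receives no IPI; it only loses its cached PCID and pays for a flush the next time it switches to that address space.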
__________________________________________________________________

Sleep States Enhancements on x86

Links
Commit r282678
URL: https://svnweb.freebsd.org/base?view=revision&revision=282678

Contact: Konstantin Belousov

The ACPI specification defines CPU Cx states, which are idle states. Methods to enter the state and miscellaneous information like the state-leave latency are returned by the _CST ACPI method. To save energy and reduce useless heating, the operating system enters a Cx state when the CPU has no work to do. C0 is the non-idle state, while C1, C2, and C3 (defined by ACPI) each represent an idle state with sequentially more energy saving, but also with higher latency to leave and possibly greater secondary costs. For example, C1 is entered by executing the HLT instruction and has no architecturally visible side effects, while entering C3 drops the CPU cache and usually requires special chipset programming to correctly handle requests from I/O devices to the CPU.

Do not confuse Cx, Px and Sx: Cx states are only meaningful when the system is in the fully operational state S0; Px states are only meaningful when the system is not in the idle state, C0.

Modern Intel CPUs enter Cx (x >= 1) states with the dedicated instruction MWAIT, which enters a specified low-power state until a specific write is observed by the CPU bus logic. There is a complementary MONITOR instruction to set the monitored bus address. The legacy port I/O method of entering Cx state is emulated by CPU microcode, which intercepts the port I/O and executes MWAIT internally.

Using MWAIT as the method of entering Cx requires following processor-specific procedures, which are communicated to the operating system by the vendor-specific extensions in _CST. The operating system must indicate readiness to support MWAIT when calling _CST.
Claimed benefits of using MWAIT are reduced latencies of leaving the idle state, and visibility of deeper states than those defined by the common ACPI specification. Still, modern Intel platforms report deep states as C2 to avoid unnecessary bus-mastering avoidance.

The new code asks ACPI for the Intel vendor-specific _CST extensions, parses them, and uses MWAIT Cx entrance methods when available. The change was committed as r282678 to HEAD.

For Linux, Intel provides a driver which does not depend on the ACPI tables to use MWAIT for entering Cx states. For all Intel CPUs after Core2, the driver contains the description of the Cx mode latencies and quirks, eliminating dependency on correct BIOS information, since the BIOS information is often incorrect. The approach of porting the Linux driver was considered by several people, but all evaluators independently concluded that the project cannot maintain such an approach without direct involvement from Intel.

During the work, around 500 lines of identical code between the i386 and amd64 versions of idle handling were moved to a common location x86/x86/cpu_machdep.c. Now the i386 and amd64 machdep.c files contain only unique machine-dependent routines. This advance depended on John Baldwin's elimination of the unmaintained Xen PVM i386 port.

This project is sponsored by The FreeBSD Foundation.

__________________________________________________________________

Warner's ARMv6 Hard Float Experiment

Links
Moving armv6 from Soft Float to Hard Float
URL: https://wiki.freebsd.org/armv6tohardfloat

Contact: Warner Losh

The plan for the transition to hard float on ARMv6 involved having a new MACHINE_ARCH. That seemed expedient, but inelegant to me. The kernel can easily run both soft and hard floating point binaries, assuming that the proper libraries are available. As an experiment, I have been investigating how hard it would be to just start generating hard float binaries starting with FreeBSD 11.0 and what issues this causes.
I am most interested in the source, the effects on ports, and any binary/package upgrade issues from FreeBSD 10.X to 11.

If successful, this will allow the project to move more quickly away from a soft-floating point default. Users upgrading from FreeBSD 10 will automatically be upgraded to hard float. All supported ARMv6 and ARMv7 processors have hardware floating point, so this will not be a problem for the vast majority of users. In addition, many of the build scripts know about all values of MACHINE_ARCH, and not changing the MACHINE_ARCH will allow those scripts to continue to function without additional changes.

I am about three fourths of the way through investigating this possibility and coding up solutions to the problems encountered so far. The risks from this experiment are that it will encounter unforeseen dependencies. This could force us to go with the original plan for migration to hard floating point. The hope for this experiment is to pave the way for using the superior hard floating point in FreeBSD 11 with minimal impact to our users and their current build scripts and processes.

Backwards compatibility will be ensured with the libsoft tasks if users need to run FreeBSD 10.X ARMv6 softfloat binaries on FreeBSD 11.0 with its new hardfloat libraries. Packages should automatically update once the new hardfloat packages are put into place.

Open tasks:

1. Building seat belts into ld.so to not cross-thread libraries of differing floating point implementations.
2. Clang should properly mark hard versus soft floating point .os. This is a minor issue, since ld handles things correctly.
3. libsoft, the analog of lib32, needs to be completed.
4. Patches to flip the switch from soft to hard for builds for armv6. Some additional code needed to build soft float may be needed for the prior task.
__________________________________________________________________

FreeBSD on Cavium ThunderX (arm64)

Links
FreeBSD Wiki: arm64 page
URL: http://wiki.freebsd.org/arm64
Video: FreeBSD on the 48-core ThunderX (ARMv8)
URL: https://youtu.be/lLgc4FJLJ3Y

Contact: Dominik Ermel
Contact: Wojciech Macek
Contact: Michal Stanek
Contact: Zbigniew Bodek

Since the previous report, ThunderX gained SMP support and FreeBSD is now running on 48 real-life ARMv8 CPU cores! The newly introduced functionality was based on initial foundational work submitted by Andrew Turner and Robin Randhawa, with emulation as the primary target. Semihalf's efforts focused on hardware, and include:

* Multicore support for the newer Generic Interrupt Controller GICv3
* Numerous bug fixes for:
  + pmap(9) - memory attributes and TLB management
  + locore.S - secondary core initialization
  + IPI (inter-processor interrupts)
  + Per-CPU timers
  + Size of early UMA allocations
  + Cache maintenance
  + Exceptions handling
  + Stack issues
* ThunderX-specific changes and quirks

This support was introduced to the public at the FreeBSD 2015 Developer Summit in Ottawa at a demo held by Semihalf and the FreeBSD Foundation.

Cavium's ThunderX server CRB (Customer Reference Board) is now capable of booting SMP FreeBSD from both the hard disk and from an NFS root using a PCIe networking card. The example setup is now available on the FreeBSD test cluster hosted at Sentex Communications.

ThunderX support changes are currently being reviewed and integrated into mainline FreeBSD.

This project is sponsored by The FreeBSD Foundation, ARM Ltd., Cavium, and Semihalf.

Open tasks:

1. Upstream ThunderX support to FreeBSD HEAD
2. Support for multi-socket configuration of ThunderX (96 CPUs connected through coherent fabric)
3.
   Implement VNIC support (ThunderX networking controller)

__________________________________________________________________

FreeBSD/arm64

Links
FreeBSD arm64 wiki
URL: https://wiki.freebsd.org/arm64

Contact: Andrew Turner
Contact: Ed Maste
Contact: Ruslan Bukin

Since the last status report, support for building FreeBSD for AArch64 (arm64) has been committed to Subversion. This has initially been targeting qemu, with more hardware support being added after review.

Support for ACPI, SMP, DTrace, and hwpmc has been added. ACPI is able to enumerate devices and get to the mountroot prompt. Further work is needed to get into userland. SMP has been tested on qemu with two cores, and work is under way to support SMP on hardware. The hwpmc driver includes support for the Cortex-A53, Cortex-A57, and Cortex-A72 cores from ARM.

Poudriere has been used with user-mode qemu to test building packages. Over 14,000 ports were successfully built. A number of issues have been found and fixed from this first run. These fixes should unblock about 5,000 additional ports.

This project is sponsored by The FreeBSD Foundation, ABT Systems Ltd, and ARM Ltd.

Open tasks:

1. Port to more SoCs
2. Test Poudriere on native hardware

__________________________________________________________________

Cleanup on pw(8)

Contact: Baptiste Daroussin

pw(8) is the utility to create, delete, and modify users. This tool has remained mostly untouched since its creation, but needed updating.
Lots of cleanup has been done:

* Deduplication of code
* Reduction of complexity by splitting into smaller functions
* Reuse of existing code in base:
  + sbuf(9) for buffered string
  + stringlist(3) for string arrays
  + gr_utils (from libutil) instead of homemade group manipulation
  + strptime(3) to parse time strings
* Added validation on most input options, fixing some serious bugs due to bad usage of atoi(3)
* Many regression tests added to test for regressions due to all of these changes

A new feature was added: pw -R rootdir cmd which allows cross manipulation of users.

Open tasks:

1. More cleanup.
2. More regression tests.
3. LDAP support?

__________________________________________________________________

KDE on FreeBSD

Links
KDE on FreeBSD website
URL: https://freebsd.kde.org/
KDE ports staging area
URL: https://freebsd.kde.org/area51.php
KDE on FreeBSD wiki
URL: https://wiki.freebsd.org/KDE
KDE/FreeBSD mailing list
URL: https://mail.kde.org/mailman/listinfo/kde-freebsd
Development repository for integrating KDE 5
URL: https://github.com/tcberner/kde5

Contact: KDE on FreeBSD team

The KDE on FreeBSD team focuses on packaging and making sure that the experience of KDE and Qt on FreeBSD is as good as possible.

Brad Davis has been working on CMake, resulting in an update to version 3.2.3 being committed to ports.

Overall, we have updated the following ports in this quarter:

* CMake 3.2.3 (committed to ports)
* Qt 4.8.7 (committed to area51)
* Qt 5.4.1 (refinements committed to ports)

Open tasks:

1. Put more effort into the Qt5-related ports: KDE Frameworks 5 (currently worked on by Tobias Berner) and PyQt 5.
__________________________________________________________________

Official Packages

Links
Package Status
URL: http://pkg-status.FreeBSD.org

Contact: Bryan Drewery
Contact: Ports Management Team
Contact: Sean Bruno

x86 Packages

With the help of the FreeBSD Foundation providing more build servers, we have increased the build frequency of packages from weekly to about every other day. Packages are provided for all currently supported releases and head on i386 and amd64 from the ports head branch, and quarterly packages for FreeBSD 10.1 and 9.3 release branches.

We are using eight different systems for building packages. The build process has been fully automated and is more fault tolerant now. More details on this will be available in an upcoming FreeBSD Journal article. About eleven servers are used for daily test builds.

To make it simpler for everyone to find the status and results of these builds, pkg-status.FreeBSD.org has been developed by Bryan Drewery. Its intent is to show all systems and builds in nearly real-time. It is currently in a beta stage and will be improved over time. At the time of this writing, it is temporarily down, but will be restored soon.

ARM/MIPS Packages

The FreeBSD Foundation purchased servers for the project to begin building and providing ARM and MIPS packages. These packages are currently built from x86 systems using QEMU. More details on this can be found in the BSDCan 2015 Presentation. The work to do this has been shepherded by Sean Bruno and has had help from many people including but not limited to Juergen Lock, Stacey Son, Ed Maste, Peter Wemm, Alexander Kabaev, Adrian Chadd, Baptiste Daroussin, Bryan Drewery, Dimitry Andric, Andrew Turner, Warner Losh, Ian Lepore, and Brooks Davis.

We are currently targeting packages for head on mips, mips64 and armv6. Each set takes one to two weeks to build on QEMU. They will be provided on a best effort basis for now on the default repository of pkg.FreeBSD.org.
This project is sponsored by FreeBSD Foundation (package building hardware).

Open tasks:

1. Portmgr met at BSDCan and decided that the default package set should be provided based on the Ports Quarterly branch. This will provide more stable packages by default and allow users who wish to have the bleeding edge to use the head packages. The Quarterly branch is currently updated in full every three months from head and otherwise receives security and critical fixes. Moving towards this plan will also require a change to how we update the Quarterly branch. More details will be provided later.
2. Performance and stability of QEMU continues to improve. Native cross-building support in ports needs more work and testing to be viable.
3. The package builds currently run from a crontab every other day. Some of the builds take two hours (incremental), while others can take up to 30 hours for a full build. An open task here is to implement a better OS ABI check to see if incremental builds can be done, or if a full rebuild is needed when an SA/EN comes out. The plan for this is detailed at https://lists.freebsd.org/pipermail/freebsd-arch/2015-April/017025.html. Another open task is to implement a master queue coordinator to start the next builds as soon as all others are done. This will also allow improving the pkg-status site's view of everything.
__________________________________________________________________

Ports Collection

Links
The Ports Collection
URL: http://www.FreeBSD.org/ports/
Contributing to Ports
URL: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing-ports/
FreeBSD Ports Monitoring System
URL: http://portsmon.freebsd.org/index.html
Ports Management Team
URL: http://www.freebsd.org/portmgr/index.html
portmgr Blog
URL: http://blogs.freebsdish.org/portmgr/
portmgr on Twitter
URL: http://www.twitter.com/freebsd_portmgr/
portmgr on Facebook
URL: http://www.facebook.com/portmgr
portmgr on Google+
URL: http://plus.google.com/communities/108335846196454338383

Contact: Frederic Culot
Contact: FreeBSD Ports Management Team

As of the end of the second quarter, the ports tree holds nearly 25,000 ports and the PR count is about 1,800. Once again, the tree saw more activity than during the previous quarter, with almost 8,000 commits performed by 153 active committers. On the other hand, the number of problem reports closed decreased slightly, with a bit less than 1,700 problem reports fixed.

In the second quarter, several commit bits were taken in for safekeeping, following an inactivity period of more than 18 months (clsung, dhn, obrien, tmseck), or on committer's request (sahil). Two new developers were granted a ports commit bit (Michael Moll - mmoll@, and Bernard Spil - brnrd@).

On the management side, pgollucci@ started his four-month term as portmgr-lurker in June, and no changes were made to the portmgr team during the second quarter.

This quarter also saw the release of the second quarterly branch, namely 2015Q2. On this branch, 39 committers applied 305 patches, which is more than twice as many updates as during the last quarter.

On the quality assurance side, 30 exp-runs were performed to validate sensitive updates or cleanups.
Amongst those noticeable changes are the update to pkg 1.5.4, three new USES (waf, gnustep, jpeg), the Perl default switch to 5.20, Ruby to 2.1.6, Firefox 38.0.6, and Chromium 43.0.2357.130.

Open tasks:

1. As in the previous quarter, a tremendous amount of work was done on the tree to update major ports and to close even more PRs than in 2015 Q1, but as always, any additional help is greatly appreciated!

__________________________________________________________________

The Graphics Stack on FreeBSD

Links
Graphics stack roadmap and supported hardware matrix
URL: https://wiki.freebsd.org/Graphics
Graphics stack team blog
URL: http://blogs.freebsdish.org/graphics/
Ports development tree on GitHub
URL: https://github.com/freebsd/freebsd-ports-graphics

Contact: FreeBSD Graphics Team

The members of the graphics team were lacking spare time during this quarter, and only a few things could be improved.

Our ports development tree still holds an update to Mesa 10.6 along with many cleanups and bug fixes. (It was 10.5 in the previous quarterly report.) Initially, we planned to commit it in early July, just after the FreeBSD 8.4-RELEASE end-of-life date, but the EOL was delayed to the 31st of July. Therefore, we will send a Call For Testers near the end of July, with the update to be committed in early August. Of course, the update can still be obtained and tested directly from the Ports development tree by using the mesa-next branch.

Several smaller updates to X.Org-related ports were committed to the Ports tree.

The work on the i915 kernel driver update made no progress during this quarter due to the lack of free time. Fortunately, it can resume in Q3 with the hope to have something ready to test in September 2015.

The update to the DRM device-independent code was merged to stable/10. This means it will be available in the upcoming FreeBSD 10.2-RELEASE.

Recently, the website hosting our blog has been down frequently. It is again the case at the time of this writing.
We exported the data the last time it was up, so we will probably move to another system. Of course, the URL will change as well.

Open tasks:

1. See the Graphics wiki page for up-to-date information.

__________________________________________________________________

Wine/FreeBSD

Links
Wine wiki
URL: http://wiki.FreeBSD.org/Wine
Wine on amd64 wiki
URL: http://wiki.FreeBSD.org/i386-Wine
Wine homepage
URL: http://www.winehq.org

Contact: Gerald Pfeifer
Contact: David Naylor

This quarter has seen seven updates to the wine-devel port that closely tracks upstream development as well as updates to its helper ports (wine-gecko-devel and wine-mono-devel):

* Stable releases: 1.6.2 (1 port revision)
* Development releases: 1.7.40 through 1.7.46

The i386-wine-devel port has packages built for amd64 for FreeBSD 8.4, 9.1+, 10.1+ and CURRENT.

Accomplishments include:

* Rename wine-compholio to wine-staging (to match upstream developments).

Future development on Wine will focus on:

* Add the getdirentries(2) patch to the wine-devel port.
* Redevelop and upstream the getdirentries(2) patch.
* Redevelop and upstream the kernel32 Makefile patch.
* Add support to the i386-wine port for pkg 1.5 (library conflicts currently prevent support).
* Add support for Windows 32-bit on Windows 64-bit (WoW64):
  + Reduce the i386-wine port to just the components required for WoW64.
  + Rename the i386-wine port to wow64.
  + Make the wine ports depend on the wow64 ports when built on amd64.
  + Investigate and verify the interactions between Wine64 and WoW64.
  + Investigate possible update approaches for the wow64 ports (that have to be pre-compiled) and how updating with the wine ports will work.

Maintaining and improving Wine is a major undertaking that directly impacts end-users on FreeBSD (including many gamers). If you are interested in helping please contact us. We will happily accept patches, suggest areas of focus or have a chat.

Open tasks:

1. Open Tasks and Known Problems (see the Wine wiki)
2.
   FreeBSD/amd64 integration (see the i386-Wine wiki)
3. Porting Windows 32-bit on Windows 64-bit (WoW64)

__________________________________________________________________

Xfce on FreeBSD

Links
FreeBSD Xfce Project
URL: https://wiki.freebsd.org/Xfce
FreeBSD Xfce Repository
URL: https://www.assembla.com/code/xfce4/subversion/nodes

Contact: FreeBSD Xfce Team

Xfce is a free software desktop environment for Unix and Unix-like platforms, such as FreeBSD. It aims to be fast and lightweight, while still being visually appealing and easy to use.

During this quarter, the team has kept these applications up-to-date:

* audio/xfce4-pulseaudio-plugin 0.2.3
* deskutils/orage 4.12.1
* deskutils/xfce4-notes-plugin 1.8.1
* misc/xfce4-weather-plugin 0.8.6
* science/xfce4-equake-plugin 1.3.7
* sysutils/xfburn 0.5.4
* sysutils/xfce4-power-manager 1.5.0 (committed to ports), 1.5.2 (committed to devel repository)
* x11/libexo 0.10.6
* x11/xfce4-dashboard 0.4.2
* x11-fm/thunar 1.6.10
* x11-wm/xfce4-desktop 4.12.2
* x11-wm/xfce4-wm 4.12.3
* www/midori 0.5.10

Mathieu Arnold (mat@) committed PR 197878, updating the Xfce section in the Porter's Handbook.

We also follow the unstable releases (available in our experimental repository) of:

* sysutils/garcon 0.5.0 (supports both GTK2 and GTK3 toolkits)
* x11/xfce4-dashboard 0.5.0
* x11/xfce4-hotcorner-plugin 0.0.2 (new plugin)

Open tasks:

1. Create documentation for the usage of sysutils/xfce4-power-manager (it needs some love, PR 199166). Some hidden features were introduced in the 1.5.1 release, and as we also support ConsoleKit2 (a fork of sysutils/consolekit), help for users is required.
__________________________________________________________________

Documentation Working Group at BSDCan

Links
BSDCan
URL: http://www.bsdcan.org/
reStructured Text
URL: http://docutils.sourceforge.net/rst.html
Markdown
URL: http://daringfireball.net/projects/markdown/
AsciiDoc
URL: http://asciidoc.org/
FreeBSD Wiki
URL: https://wiki.freebsd.org/
FreeBSD Web Site
URL: https://www.freebsd.org/
Annotator
URL: http://annotatorjs.org/
Annotator Backend Stores
URL: https://github.com/openannotation/annotator/wiki#backend-stores

Contact: FreeBSD Documentation Team

During the Developer Summit held in the two days before BSDCan, a documentation working group meeting was held. We discussed some of the biggest opportunities available to the documentation team.

Modernizing our translation system was, again, a major topic. Making it easier for translators to do their work is vitally important. Translations make FreeBSD much more accessible for non-English speakers, and those people and the translators themselves often become valuable technical contributors in other areas. Progress was made in this area, and we hope to have more news soon.

Methods of making it easier for people to contribute to documentation were another major topic. At present, we use DocBook XML for articles and books, and mdoc(7) for man pages. These markup languages are not very welcoming for new users. There are simpler documentation markup languages like reStructured Text (RST), Markdown, and AsciiDoc that take less time to learn and use. In fact, these markup systems are all similar to each other. These systems tend to be more oriented towards visual appearance rather than the semantic markup of our present systems, although there might be ways to work around that.

Following the theme of making contributing easier, we also discussed whether access to the FreeBSD Wiki can be more easily granted, facilitating user contributions.
After the wiki was set up, automated account creation abuse forced access to be limited. It is tricky to allow submissions yet keep the quality of submitted information usefully high.

Due to the markup systems used, it is difficult to review documents for the quality of their information. Annotator is a JavaScript system that allows adding notes to an existing web page. This would allow us to hold content-only reviews of documentation web pages. Reviewers would not see markup, so they could concentrate only on whether the information was accurate and complete. To use this as desired, we need some help with ports and testing.

Open tasks:

1. Complete a port for the backend storage component of Annotator. Preferably this would be the lowest overhead and most open-licensed version available. Assistance from those familiar with Python and JavaScript web development is welcome.

__________________________________________________________________

FreeBSD Mastery: ZFS Now Available

Links
FreeBSD Mastery: ZFS
URL: http://www.zfsbook.com
Michael W. Lucas
URL: https://www.michaelwlucas.com

Contact: Michael Lucas

The first ZFS book is now available at your favorite bookstore. Find a whole bunch of links at zfsbook.com.

Work is proceeding apace on "FreeBSD Mastery: Advanced ZFS" and "FreeBSD Mastery: Specialty Filesystems." Lucas hopes to have FMAZ complete and available before the next status report.

__________________________________________________________________

Leap Seconds Article

Links
Leap Seconds Article
URL: https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html

Contact: Warren Block

As the leap second scheduled for the end of June approached, Bartek Rutkowski and others raised questions about how FreeBSD handled leap seconds. Leap seconds have caused serious problems for other operating systems in the last few years, and there was understandable concern.
It was reasonably pointed out that FreeBSD had encountered leap seconds before, and would be fine this time also. Still, the absence of reported problems is not really a substitute for a description of what to expect and how to know if a system is prepared.

To address concerns and also provide a resource for future leap seconds, several experts were pestered relentlessly, with the results compiled into a short article. Beyond merely allaying fears about what might happen, this article received positive responses on the web for how it demonstrated FreeBSD's maturity and preparedness.

Great thanks for their patience and expertise are owed to Peter Jeremy, Poul-Henning Kamp, Ian Lepore, Xin LI, Warner Losh, and George Neville-Neil.

Open tasks:

1. Compile other short articles on things that FreeBSD does really well. Of particular interest are features that make life easier for sysadmins, or how problems on other systems are dealt with or even made non-problems on FreeBSD.

__________________________________________________________________

New Documentation Committers

Links
FreeBSD Porter's Handbook
URL: https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/
FreeBSD Web Site
URL: https://www.freebsd.org/
FreeBSD Foundation Web Site
URL: https://www.freebsdfoundation.org/

Contact: FreeBSD Documentation Engineering Team

Two new documentation committers were added to the team in the second quarter of 2015.

Mathieu Arnold is a member of the FreeBSD Ports Management Team. Over the past year, he has worked on many large and complex updates to keep the Porter's Handbook current, and continues to update this important document.

Anne Dickison is Marketing Director for the FreeBSD Foundation. She will focus on updating and improving the FreeBSD main web site.

We welcome both new committers and look forward to their additional contributions!
__________________________________________________________________

The FreeBSD German Documentation Project

Links
Main German Documentation Project page
  URL: https://www.freebsd.org/de/docs.html
How you can help with German translations
  URL: https://people.freebsd.org/~jkois/FreeBSDde/de/

Contact: Björn Heidotting
Contact: Johann Kois
Contact: Benedict Reuschling

The FreeBSD German Documentation project maintains the German translations of FreeBSD's documents such as the Handbook and the website.

In the second quarter of 2015, we managed to catch up with the translation work of the Handbook. Two chapters are now back in sync with their English reference chapters: filesystems and ZFS. The former was mainly done by Björn Heidotting as part of his mentee process. The latter was done by Benedict Reuschling, with valuable corrections by Björn. Additionally, we updated many of our translation markers from pre-SVN times. This will help us get an overview of the outstanding work in each chapter. We are working on integrating this into our website using a script, so people can see which chapters need the most work or are most up-to-date.

Johann made efforts to update the FreeBSD Documentation Project Primer as well, so that translators willing to help us can read the information in German. He also made efforts to revive the Documentation Project website, which was previously hosted elsewhere, but disappeared. Now, it is tied into the German FreeBSD.org website again and has the same look and feel.

Occasionally, people contact us and offer their help with the translation effort. We are happy to help newcomers get to know everything about the translation process and look forward to more contributions. Even small updates make a big difference and if you are considering helping, please contact us.

Open tasks:

1. Continue translating the Handbook and website into German.
2. Integrate a script that shows outstanding work into the German documentation webpages.
__________________________________________________________________

GSoC 2015: libc Security Extensions

Links
Project Wiki Page
  URL: https://wiki.freebsd.org/SummerOfCode2015/FreeBSDLibcSecurityExtensions
Code Review Differential
  URL: https://reviews.freebsd.org/D3043

Contact: Pedro Giffuni
Contact: Oliver Pinter

As part of this year's Google Summer of Code, we have been adding support for the _FORTIFY_SOURCE extension to libc. This extension uses the GCC __builtin_object_size information to prevent buffer overflows in existing code. The compiler and the C library can effectively detect a set of common programming mistakes.

A mixed version of the NetBSD and Android implementations has been ported and is currently undergoing heavy testing. On FreeBSD, this code has already found two small bugs. On the other hand, the FreeBSD codebase is extremely useful to test the framework.

This project is sponsored by Google Summer of Code Program.

Open tasks:

1. Code review and more buildworld testing with GCC.
2. Integration tests, especially on non-x86 platforms.
3. Documentation: the framework is relatively popular on GNU libc but we still have to work on better documentation.
4. Testing and possibly integrating with ports.
5. We will have to re-schedule the GSoC project, as we were expecting to spend less time on this.
__________________________________________________________________

Multiqueue Testing

Links
Multiqueue Testing Project
  URL: https://wiki.freebsd.org/SummerOfCode2015/MultiqueueTestingProject

Contact: Tiwei Bie
Contact: Hiren Panchasara

The aim of this project is to design and implement an infrastructure to validate that a number of the network stack's multiqueue behaviours are as expected.
It mainly consists of extending tap(4) to provide the same RSS behaviours as the hardware multiqueue network cards, developing simple test applications using multiqueue tap(4) and socket(2), adding hooks in each layer of the network stack to collect the per-ring per-cpu per-layer statistics, and extending netstat(1) to report these statistics.

At present, most parts of this project have been implemented. The focus is on the code review, and API/KPI freeze.

This project is sponsored by Google Summer of Code 2015.
__________________________________________________________________

BSDCan 2015

Links
BSDCan 2015
  URL: http://www.bsdcan.org/2015/
BSDCan 2015 Video Playlist
  URL: https://www.youtube.com/playlist?list=PLWW0CjV-TafY0NqFDvD4k31CtnX-CGn8f

Contact: Dan Langille

BSDCan, a conference for people working on and with 4.4BSD-based operating systems and related projects, was held in Ottawa, Ontario on June 12 and 13. A two-day FreeBSD developer summit event preceded it on June 10 and 11.

This was the largest BSDCan ever, with over 280 attendees, up by more than 40 people over the 2014 event. There were a record number of speakers and talks. An additional room and "track" was added to provide even more choices for concurrent talks on both days of the conference. Social media response to the whole conference has been very positive.

The keynote talk by Stephen Bourne was very popular. So popular, in fact, that the main conference room could not hold all the attendees. An overflow room with live video was set up to hold the extra people. The video of the presentation has had over 6300 views in the first twelve days.

Andrew Tanenbaum's talk on reimplementing NetBSD using a MicroKernel was so well-attended it was standing room only. There were many other excellent talks, and we recommend browsing through the playlist in the links above.

Activity was not limited to the talks. Each night, the "Hacker Lounge" was used by developers to cooperate and interact on projects.
Embedded projects were popular this year, as FreeBSD was installed directly on wireless routers.

The very successful and well-attended closing event, held at the Lowerton Brewery, provided an elegant closure to the whole conference.

We would like to thank everyone who made BSDCan 2015 such a success, and look forward to next year!
__________________________________________________________________

FreeBSD Support in pkgsrc

Links
pkgsrc home page
  URL: https://www.pkgsrc.org
BulkTracker: Track bulk build status
  URL: http://bulktracker.appspot.com
Blog posts on pkgsrc
  URL: https://www.geeklan.co.uk/?tag=pkgsrc

Contact: Sevan Janiyan

pkgsrc is a fork of the FreeBSD Ports Collection by the NetBSD project with a focus on portability and multi-platform support. At present, pkgsrc supports building packages on 23 different platforms from a single tree, including FreeBSD.

While pkgsrc is not a replacement for ports in most use cases, it holds a unique position in mixed-platform environments where software needs to be the same version across all systems and built in a consistent manner, saving the user from having to resort to manually building programs or re-implementing a mechanism to do so.

With the recent 2015Q2 release earlier this month, it is now possible to generate over 14000 packages on FreeBSD 10.1-RELEASE (up from 12800 last quarter). Work is in progress to add pkg support to pkgsrc.

Open tasks:

1. Improve platform support to skip libusb on FreeBSD where libusb is bundled in base. This is causing the biggest breakage at the moment.
2. Expand the effort to the -STABLE and -CURRENT branches and, if possible, architectures other than amd64. Contributing shell access to such machines would be helpful (an unprivileged account is sufficient).
__________________________________________________________________

The FreeBSD Foundation

Links
Foundation website
  URL: http://www.FreeBSDFoundation.org/
FreeBSD Journal
  URL: http://freebsdjournal.com/

Contact: Deb Goodkin

The FreeBSD Foundation is a 501(c)(3) non-profit organization dedicated to supporting and promoting the FreeBSD Project and community worldwide. Funding comes from individual and corporate donations and is used to fund and manage development projects, conferences and developer summits, and provide travel grants to FreeBSD developers. The Foundation purchases hardware to improve and maintain FreeBSD infrastructure and publishes FreeBSD white papers and marketing material to promote, educate, and advocate for the FreeBSD Project. The Foundation also represents the FreeBSD Project in executing contracts, license agreements, and other legal arrangements that require a recognized legal entity.

Here are some highlights of what we did to help FreeBSD during the last quarter:

* We were a Platinum Sponsor for BSDCan 2015 and the sponsor for the Ottawa developer and vendor summits. We were pleased to provide 12 travel grants for FreeBSD contributors to attend the conference and have opportunities to meet face-to-face with other FreeBSD contributors. You can read some of their trip reports here. In celebration of our 15th anniversary we provided a delicious FreeBSD cake, which was happily devoured by conference attendees. Various Foundation team members gave talks, attended talks, participated in doc sprints, worked on efforts to improve FreeBSD, worked at our booth, and spent time talking to our constituents about areas where we can help with FreeBSD.
  Foundation members gave these talks:
    + Anne Dickison: "FreeBSD Advocacy: How you can spread the word"
    + Kirk McKusick: "An Introduction to the Implementation of ZFS"
    + George Neville-Neil: "Measure Twice, Code Once" and "Cambridge L41: Teaching Advanced Operating Systems with FreeBSD"
    + Ed Maste: "The LLDB Debugger in FreeBSD"
  and Ed Maste also ran the Vendor Summit.
* We held our annual board meeting in Ottawa. We are pleased to announce the addition of Benedict Reuschling to our board of directors. Read his interview here. The current board of directors and officers were all re-elected. You can find out who is on our board here. We spent the day planning our 12-month goals, project roadmapping, FreeBSD education offerings, fundraising, and advocacy efforts.
* Dru Lavigne promoted and gave a presentation on FreeBSD at LinuxFest Northwest 2015.
* We have committed to sponsoring several upcoming conferences: vBSDCon, womENcourage 2015, EuroBSDCon 2015, Grace Hopper conference, BSDCon Brasil, Cambridge Developer Summit, and OpenZFS. You'll also find us at OSCON, July 21-23, and the SNIA Storage Developer Conference, Sept 21-24.
* Fundraising
  So far, we have raised $361,000 for 2015 from over 500 donors. Juniper became a Gold level donor. We are actively approaching commercial FreeBSD users for Silver-plus donations, and asking large tech companies for separate women in tech funding, to help us recruit more women to the FreeBSD Project. We are also asking companies for funding to help with our FreeBSD education efforts.
* We had the pleasure of hosting Groff the BSD Goat here in Colorado in April.
* Infrastructure Support
  The Foundation funded almost $50,000 of equipment to support FreeBSD infrastructure. Most of this went towards new and upgraded servers at the NYI facility. We sent Glen Barber there to install the new servers. You can read all about his trip.
* Advocacy Work
  The FreeBSD Journal has over 9200 subscribers, with a 98% renewal rate.
  Our marketing director, Anne Dickison, was busy providing advocacy work for the Project. She helped provide more FreeBSD marketing literature and material. This included the cool I Choose FreeBSD sticker and very popular I Love FreeBSD temporary tattoos that are available at conferences.
  We published April, May, and June Foundation Newsletters to highlight the work being done by the Foundation to support FreeBSD. These newsletters also include company FreeBSD testimonials, upcoming events where FreeBSD will be promoted, and the new From the Trenches articles from FreeBSD contributor experiences working with FreeBSD.
* One of the Foundation's responsibilities is to protect FreeBSD intellectual property (IP). This includes protecting the FreeBSD trademarks. We granted trademark usage permission to various companies who want to show their support for FreeBSD. To get permission to use the trademarks, interested parties must agree to our Trademark Usage Terms and Conditions.
* Project Development Work
  George Neville-Neil signed up new universities to look at the FreeBSD course including George Washington University, Johns Hopkins, and UC Santa Cruz. He is working with Verisign on the DevSummit that will be held at vBSDCon. He also worked with ARM to set up meeting with 18 hardware and silicon vendors at the ARM Partner Meeting in August.
  Ed Maste continued managing the FreeBSD/arm64 porting project. He also continued with updates to the ELF Toolchain tools in the FreeBSD base system and incorporated a set of fixes from the upstream project to fix issues with the strip tool. Ed investigated and fixed a set of outstanding issues with the new vt(4) console in the FreeBSD installer.
  Staff member Edward Napierała committed a number of bug fix merges to the stable/10 branch for inclusion in FreeBSD 10.2, and continued investigation of a project to support runtime switching of the root file system. He merged a large number of improvements to the autofs automount daemon.
  He also supported FreeBSD developer Dmitry Chagin's work on 64-bit Linux binary emulation support by reviewing the extensive patch set. Those changes are now committed to FreeBSD's Subversion tree, and will arrive in FreeBSD 11.0.
  Staff member Konstantin Belousov continued development on the Intel DMA remap (DMAR) and Process Context Identifier (PCID) infrastructure projects. Kostik also contributed an extensive set of changes to multiple aspects of FreeBSD: stability improvements in the virtual memory subsystem, improved compatibility in options handling in the runtime loader, thread library improvements, and GDB debugger enhancements.
  Glen Barber, who is a Foundation employee, is also a release engineer for the Project. Here are some highlights of what he did to help the Project:
    + Added support to the release build code in 11-CURRENT for producing FreeBSD/aarch64 (arm64) memory stick images and virtual machine disk images for use within Qemu.
    + Worked with Colin Percival and Brad Davis on testing and refining the release build code to support building Amazon EC2 images, and Vagrant images for Hashicorp Atlas, respectively.
    + Reworked the FreeBSD/arm build code to provide a fully-native build infrastructure for the existing images (BEAGLEBONE, RPI-B, PANDABOARD, WANDBOARD), and add support for additional images (GUMSTIX, CUBOX/HUMMINGBOARD).
    + Wrote several additional utilities to reduce human error in several areas of Release Engineering, including producing the filesystem hierarchy used by the FTP mirrors, enhancements to the internal build scripts used by Release Engineering, and support for automatically uploading and publishing virtual machine images.
    + While attending BSDCan 2015, Glen worked with several developers and teams on various items, such as discussing packaging the base system with pkg(8), migrating internal FreeBSD servers to the new machines the Foundation purchased for the NYI facility, and discussing further possible future enhancements to the FreeBSD build infrastructure.
    + Started the 10.2-RELEASE cycle.
__________________________________________________________________

ZFS Support for UEFI Boot/Loader

Contact: Eric McCorkle

UEFI-enabled boot1.efi and loader.efi have been modified to support loading and booting from a ZFS filesystem. The patch currently works with buildworld, and successfully boots on a test machine with a ZFS partition. In addition, the ZFS-enabled loader.efi can be treated as a chainloader using ZFS-enabled GRUB.

The work on boot1.efi also reorganizes the code somewhat, splitting out the filesystem-specific parts into a modular framework.

Open tasks:

1. More testing is needed for the following use cases: ZFS with GRUB+loader.efi, ZFS with boot1+loader.efi, UFS with boot1+loader.efi (to test the modularization of boot1.efi)
2. Have boot1.efi check partition type GUIDs before probing for filesystems.
3. Get patch accepted upstream and committed.
__________________________________________________________________

From: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:15.tcp

-----BEGIN PGP
SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:15.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2015-07-28
Credits:        Patrick Kelsey (Norse Corporation)
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2015-1417

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. The underlying simple and potentially unreliable IP datagram communication protocol may deliver segments out of order, therefore, the TCP receiver would need to reassemble the segments into their original sequence to provide a reliable octet stream.

Because the reassembly requires additional resources to keep the queued segments, historically resource exhaustion in the TCP reassembly path has been prevented by limiting the total number of segments that could belong to reassembly queues to a small fraction (1/16) of the total number of mbuf clusters in the system.

VNET is a technique to virtualize the network stack, first introduced in FreeBSD 8.0.
It changes global resources in the network stack into per network stack resources, so that a virtual network stack can be attached to a jailed prison and the prison can have unrestricted access to the virtual network stack. VNET is not enabled by default and has to be enabled by recompiling the kernel.

II.  Problem Description

There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.

III. Impact

An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.

IV.  Workaround

FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs (option VIMAGE) are not affected. The support has to be specifically compiled into a custom kernel, so its use is not common.

For affected systems, the system administrators may consider reducing the net.inet.tcp.reass.maxsegments tunable to the value of kern.ipc.nmbclusters divided by one greater than the total number of VNETs that are going to be used in the system in order to prevent a Denial of Service via this vulnerability. For example, if there are 16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable should be set to kern.ipc.nmbclusters / 17.

V.
Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc

[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
# gpg --verify tcp-9.3-10.1.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
# gpg --verify tcp-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.
Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
stable/10/                                                        r285976
releng/10.1/                                                      r285979
releng/10.2/                                                      r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
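The sizing rule from section IV (Workaround) of FreeBSD-SA-15:15.tcp above, as an added example that is not part of the advisory: it compares the worst-case number of reassembly segments across all VNETs with the global cluster pool and derives the reduced net.inet.tcp.reass.maxsegments value. The function names, the sample numbers and the loader.conf-style output line are assumptions; the VNET count is supplied by the operator.

```shell
#!/bin/sh
# Added example for section IV of FreeBSD-SA-15:15.tcp; not part of the advisory.
# Function names are hypothetical and the sample numbers are constructed.

# is_uint VALUE: true for a decimal integer without sign or leading zero.
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# worst_case_segments VNETS MAXSEGMENTS
# Every VNET enforces maxsegments on its own, but all of them draw mbuf
# clusters from one global pool, so the worst case is the product.
worst_case_segments() {
    is_uint "$1" && is_uint "$2" || return 2
    echo $(( $1 * $2 ))
}

# recommended_maxsegments NMBCLUSTERS VNETS
# The advisory's workaround: nmbclusters / (VNETs + 1), rounded down.
recommended_maxsegments() {
    is_uint "$1" && is_uint "$2" || return 2
    [ "$2" -ge 1 ] || return 2
    echo $(( $1 / ($2 + 1) ))
}

# reass_state NMBCLUSTERS MAXSEGMENTS VNETS
# "exposed" when reassembly queues alone could hold every mbuf cluster,
# "bounded" when some clusters always remain for other traffic.
reass_state() {
    is_uint "$1" || return 2
    worst=$(worst_case_segments "$3" "$2") || return 2
    if [ "$worst" -ge "$1" ]; then echo exposed; else echo bounded; fi
}

# report NMBCLUSTERS MAXSEGMENTS VNETS
# One summary line; when exposed, also the reduced setting in the
# name="value" form used by /boot/loader.conf (assumed place to set it).
report() {
    state=$(reass_state "$1" "$2" "$3") || { echo "invalid input" >&2; return 2; }
    rec=$(recommended_maxsegments "$1" "$3") || return 2
    echo "vnets=$3 nmbclusters=$1 maxsegments=$2 worst_case=$(( $2 * $3 )) state=$state"
    if [ "$state" = exposed ]; then
        echo "net.inet.tcp.reass.maxsegments=\"$rec\""
    fi
}

# audit_host VNETS: same report from the live sysctl values of a host.
audit_host() {
    nmb=$(sysctl -n kern.ipc.nmbclusters) || return 2
    max=$(sysctl -n net.inet.tcp.reass.maxsegments) || return 2
    report "$nmb" "$max" "$1"
}

# Constructed sample: 262144 clusters, the default 1/16 limit, 16 VNETs.
report 262144 16384 16
```

With the default 1/16 limit the state changes from bounded to exposed exactly at 16 VNETs, which is the threshold the advisory gives in section III.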
From: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:16.openssh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:16.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-07-28
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.
The security of the SSH connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server. SSH servers use host keys to verify their identity.

RFC 4255 has defined a method of verifying SSH host keys using Domain Name System Security (DNSSEC), by publishing the key fingerprint using DNS with "SSHFP" resource record. RFC 6187 has defined methods to use a signature by a trusted certification authority to bind a given public key to a given digital identity with X.509v3 certificates.

The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. OpenSSH uses PAM for password authentication by default.

II.  Problem Description

OpenSSH clients do not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.

III. Impact

A malicious server may be able to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the host key fingerprint. This could allow a man-in-the-middle attack if the user does not carefully check the fingerprint. [CVE-2014-2653]

A remote attacker may effectively bypass MaxAuthTries settings, which would enable them to brute force passwords. [CVE-2015-5600]

IV.  Workaround

Systems that do not use OpenSSH are not affected.

There is no workaround for CVE-2014-2653, but the problem only affects networks where DNSSEC and SSHFP are properly configured. Users who use SSH should always check server host key fingerprints carefully when prompted.

System administrators can set:

	UsePAM no

in their /etc/ssh/sshd_config and restart the sshd service to work around the problem described as CVE-2015-5600, at the expense of losing features provided by the PAM framework.
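A check of an sshd_config file against the settings this workaround section concerns, added here as an example and not part of the advisory. The function names, the sample configuration and the default values used for unset keywords are assumptions (pass the defaults of your own sshd build); PasswordAuthentication and ChallengeResponseAuthentication are the sshd_config keywords that enable password-style logins.

```shell
#!/bin/sh
# Added example for section IV of FreeBSD-SA-15:16.openssh; not part of the advisory.
# Function names are hypothetical; the sample configuration is constructed.

# sshd_effective FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD in the global section.
# Keywords are case-insensitive, the first occurrence wins, and parsing
# stops at the first Match block because those settings are conditional.
sshd_effective() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            if (key == "match") exit
            if (key != want) next
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            print tolower(val)
            found = 1
            exit
        }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# pam_password_exposure FILE [USEPAM_DEFAULT PASSWORD_DEFAULT CHALLENGE_DEFAULT]
# Prints one of:
#   pam-password          password-style login handled by PAM (the setup
#                         the advisory ties to CVE-2015-5600)
#   password-without-pam  password-style login with "UsePAM no"
#   key-only              no password-style method enabled
# The fallback defaults below are assumptions, not values from the advisory.
pam_password_exposure() {
    usepam=$(sshd_effective "$1" UsePAM "${2:-yes}") || return 2
    passwd=$(sshd_effective "$1" PasswordAuthentication "${3:-no}") || return 2
    chall=$(sshd_effective "$1" ChallengeResponseAuthentication "${4:-yes}") || return 2
    if [ "$passwd" != yes ] && [ "$chall" != yes ]; then
        echo key-only
    elif [ "$usepam" = yes ]; then
        echo pam-password
    else
        echo password-without-pam
    fi
}

# Demonstration on a constructed configuration.
demo() {
    tmp=$(mktemp /tmp/sshd_audit.XXXXXX) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not taken from any real host
Port 22
usepam   yes
#PasswordAuthentication no
ChallengeResponseAuthentication=yes
MaxAuthTries 3
Match User backup
    UsePAM no
EOF
    pam_password_exposure "$tmp"
    rm -f "$tmp"
}
demo
```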
We recommend that system administrators disable password-based authentication completely and use key-based authentication exclusively in their SSH server configuration, when possible. This would eliminate the possibility of ever being exposed to a password brute force attack.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The SSH service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The SSH service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the SSH service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.
Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
stable/10/                                                        r285976
releng/10.1/                                                      r285979
releng/10.2/                                                      r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
(Postfix) with ESMTP id 63FBEBA0; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 6355A1765; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150728203026.6355A1765@freefall.freebsd.org> Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:17.bind X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 20:30:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:17.bind Security Advisory The FreeBSD Project Topic: BIND remote denial of service vulnerability Category: contrib Module: bind Announced: 2015-07-28 Credits: ISC Affects: FreeBSD 8.x and FreeBSD 9.x. Corrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE) 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35) CVE Name: CVE-2015-5477 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. II. Problem Description An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit. III. Impact A remote attacker can trigger a crash of a name server. 
Both recursive and authoritative servers are affected, and the exposure
can not be mitigated by either ACLs or configuration options limiting or
denying service because the exploitable code occurs early in the packet
handling, before checks enforcing those boundaries.

IV.  Workaround

No workaround is available, but systems that are not running BIND are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Tue Jul 28 20:30:26 2015
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <20150728203026.39AEF1744@freefall.freebsd.org>
Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:14.bsdpatch

=============================================================================
FreeBSD-SA-15:14.bsdpatch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          shell injection vulnerability in patch(1)

Category:       contrib
Module:         patch
Announced:      2015-07-28
Credits:        Martin Natano
Affects:        FreeBSD 10.x.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
CVE Name:       CVE-2015-1416

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The patch(1) utility takes a patch file produced by the diff(1) program
and applies the differences to an original file, producing a patched
version.

The patch(1) utility supports certain version control systems, namely
SCCS and RCS, and attempts to get or check out the file before applying
a patch, if the original file does not already exist.

II.  Problem Description

Due to insufficient sanitization of the input patch stream, it is
possible for a patch file to cause patch(1) to run commands in addition
to the desired SCCS or RCS commands.

III. Impact

This issue could be exploited to execute arbitrary commands as the user
invoking patch(1) against a specifically crafted patch file, which could
be leveraged to obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems where a privileged user does not
make use of patches without proper validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is not required after updating.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r285976
releng/10.1/                                                      r285978
releng/10.2/                                                      r285979
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Thu Jul 30 10:28:58 2015
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <20150730102858.72B881261@freefall.freebsd.org>
Date: Thu, 30 Jul 2015 10:28:58 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:16.openssh [REVISED]

=============================================================================
FreeBSD-SA-15:16.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-07-28, revised on 2015-07-30
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)
                2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)
CVE Name:       CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision history

v1.0  2015-02-25  Initial release.
v1.1  2015-07-30  Revised patch for FreeBSD 8.x to address regression when
                  keyboard interactive authentication is used.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating itself to the
server.  SSH servers use host keys to verify their identity.

RFC 4255 has defined a method of verifying SSH host keys using Domain
Name System Security (DNSSEC), by publishing the key fingerprint using
DNS with "SSHFP" resource record.  RFC 6187 has defined methods to use
a signature by a trusted certification authority to bind a given public
key to a given digital identity with X.509v3 certificates.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  OpenSSH
uses PAM for password authentication by default.

II.  Problem Description

OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate.  [CVE-2014-2653]

OpenSSH servers which are configured to allow password authentication
using PAM (default) would allow many password attempts.

III. Impact

A malicious server may be able to force a connecting client to skip DNS
SSHFP record check and require the user to perform manual host
verification of the host key fingerprint.  This could allow a
man-in-the-middle attack if the user does not carefully check the
fingerprint.  [CVE-2014-2653]

A remote attacker may effectively bypass MaxAuthTries settings, which
would enable them to brute force passwords.  [CVE-2015-5600]

IV.  Workaround

Systems that do not use OpenSSH are not affected.

There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSsec and SSHFP are properly configured.  Users who use
SSH should always check server host key fingerprints carefully when
prompted.

System administrators can set:

	UsePAM no

In their /etc/ssh/sshd_config and restart sshd service to work around
the problem described as CVE-2015-5600 at expense of losing features
provided by the PAM framework.

We recommend system administrators to disable password based
authentication completely, and use key based authentication exclusively
in their SSH server configuration, when possible.  This would eliminate
the possibility of being ever exposed to password brute force attack.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

SSH service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

SSH service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc

# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc
# gpg --verify openssh-8-errata.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the SSH service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r286067
releng/8.4/                                                       r286068
stable/9/                                                         r285977
releng/9.3/                                                       r285980
stable/10/                                                        r285976
releng/10.1/                                                      r285979
releng/10.2/                                                      r285978
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-announce@freebsd.org Fri Jul 31 15:44:45 2015
From: "Miller, Vincent (Rick)"
To: "freebsd-advocacy@freebsd.org", "freebsd-announce@freebsd.org"
Date: Fri, 31 Jul 2015 15:37:52 +0000
Subject: [FreeBSD-Announce] vBSDcon: September 11 - 13, 2015

Hi all,

vBSDcon is a technical conference for the various BSD communities that
is hosted by Verisign for users and developers of BSD-based systems.
vBSDcon 2015 is being held in Reston, VA from September 11 - 13, 2015 at
the Sheraton Reston hotel.  vBSDcon is an ideal event for systems and
network administrators, developers, and engineers with a focus on
BSD-based technologies.
The early bird registration rate of $75.00 is available through
August 13, 2015 at vBSDcon.com.

The vBSDcon program is a single track conference with plenary talks and
unconference activities like Birds of A Feather sessions and Lightning
Talks and, as a bonus, we are hosting The FreeBSD Foundation to operate
a one-day FreeBSD Developer’s Summit on September 11, 2015.  Speakers
from across North America and Europe will cover the topics below during
plenary sessions:

FreeBSD Virtualization Options by Michael Dexter
Made to Measure: Network Performance Analysis in FreeBSD by George Neville-Neil and Jim Thompson
What is EdgeBSD by Pierre Pronchery
Blacklist’d: A NetBSD project by Christos Zoulas
getdns, A New Stub Resolver by Willem Toorop
Interesting Things You Didn’t Know You Could Do With ZFS by Allan Jude
HardenedBSD Internals by Shawn Webb
Improving MemGuard support for UMA on FreeBSD by Chang-Hsien Tsai
Devio.us, the Free OpenBSD Shell Provider and Online BSD User Group: Technical and Social Lessons Learned from Half a Decade of Service by Brian Callahan and Bryce Chidester

vBSDcon provides space for a hacker lounge and doc sprint open to all
BSD communities including, but not limited to, FreeBSD, OpenBSD, NetBSD,
and more.  The space is unmoderated so you can set up in these spaces
following the conclusion of daily conference activities to accomplish
work on your projects or documentation while away from the office.

We’d like to give a big shout out to all of our sponsors up to this
point who have invested in you as a community...

Platinum Sponsor: XinuOS
Developer’s Summit Sponsor: The FreeBSD Foundation
Gold Sponsor: Cisco Talos Security
Mid-Conference Social Sponsor: iXsystems, Inc
Tote Bag Sponsor: RootBSD
Silver Sponsor: Daemon Security

Sponsorship opportunities are still available.  Organizations interested
in supporting the event and community are encouraged to contact us at
vBSDcon@verisign.com.

--
Vincent (Rick) Miller
Systems Engineer
vmiller@verisign.com

t: 703-948-4395
m: 703-581-3068
12061 Bluemont Way, Reston, VA 20190

http://www.vbsdcon.com
http://www.verisigninc.com

From owner-freebsd-announce@freebsd.org Sat Aug 1 00:56:21 2015
From: FreeBSD Security Officer
To: freebsd-announce@FreeBSD.org
Reply-To: freebsd-security@freebsd.org
Message-Id: <20150801005621.8DAF119FE@freefall.freebsd.org>
Date: Sat, 1 Aug 2015 00:56:21 +0000 (UTC)
Subject: [FreeBSD-Announce] FreeBSD 8.4 and 8-STABLE end-of-life

Dear FreeBSD community,

FreeBSD 8.4 and 8-STABLE have reached their end-of-life and will no
longer be supported by the FreeBSD Security Team.  Users of FreeBSD 8.x
are strongly encouraged to upgrade to a newer release as soon as
possible.

The currently supported branches and releases and their expected
end-of-life dates are:

+----------------------------------------------------------------------------+
|   Branch  |   Release  |  Type  |   Release Date   |     Estimated EoL     |
+-----------+------------+--------+------------------+-----------------------+
|stable/9   |n/a         |n/a     |n/a               |last release + 2 years |
+-----------+------------+--------+------------------+-----------------------+
|releng/9.3 |9.3-RELEASE |Extended|July 16, 2014     |December 31, 2016      |
+-----------+------------+--------+------------------+-----------------------+
|stable/10  |n/a         |n/a     |n/a               |last release + 2 years |
+-----------+------------+--------+------------------+-----------------------+
|releng/10.1|10.1-RELEASE|Extended|November 14, 2014 |December 31, 2016      |
+----------------------------------------------------------------------------+

Please refer to https://security.freebsd.org/ for an up-to-date list of
supported releases and the latest security advisories.

--
Xin Li
FreeBSD Security Officer
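
An added example (not FreeBSD project code, and not part of any message above): a POSIX shell check that classifies a version string against the corrected patch levels and stable-branch revisions listed in FreeBSD-SA-15:16.openssh [REVISED], and marks 8.x as end-of-life per the notice above. The function names are hypothetical, and the optional second argument is assumed to be the SVN revision the system was built from.

```shell
#!/bin/sh
# Added example: triage hosts for FreeBSD-SA-15:16.openssh [REVISED].
# All thresholds below are copied from that advisory's "Corrected:" field
# and "Correction details" table; nothing else is assumed about a release.

# Patch level at which each releng/BETA/RC build is corrected.
fixed_level() {
    case "$1" in
        10.2-BETA2)   echo 2 ;;
        10.2-RC1)     echo 1 ;;
        10.1-RELEASE) echo 16 ;;
        9.3-RELEASE)  echo 21 ;;
        8.4-RELEASE)  echo 36 ;;
        *)            return 1 ;;
    esac
}

# SVN revision at which each stable branch is corrected.
fixed_revision() {
    case "$1" in
        10.2-PRERELEASE) echo 285976 ;;   # stable/10
        9.3-STABLE)      echo 285977 ;;   # stable/9
        8.4-STABLE)      echo 286067 ;;   # stable/8
        *)               return 1 ;;
    esac
}

# Succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# sa1516_status VERSION [REVISION]
# Prints: patched | vulnerable | eol-patched | eol-vulnerable | unknown
# "unknown" means the advisory gives no threshold for this input, or a
# stable-branch build was given without a usable revision number.
sa1516_status() {
    ver=$1
    rev=${2:-}
    rev=${rev#r}                       # accept "r285976" or "285976"

    # Split "10.1-RELEASE-p15" into base "10.1-RELEASE" and level "15".
    # A string without a -pN suffix is patch level 0.
    case "$ver" in
        *-p[0-9]*) base=${ver%-p*}; level=${ver##*-p} ;;
        *)         base=$ver;       level=0 ;;
    esac

    if need=$(fixed_level "$base"); then
        is_uint "$level" || { echo unknown; return 0; }
        have=$level
    elif need=$(fixed_revision "$base"); then
        is_uint "$rev" || { echo unknown; return 0; }
        have=$rev
    else
        echo unknown
        return 0
    fi

    if [ "$have" -ge "$need" ]; then
        state=patched
    else
        state=vulnerable
    fi

    # FreeBSD 8.4 and 8-STABLE are end-of-life: even a patched 8.x host
    # receives no further security fixes, so flag it separately.
    case "$base" in
        8.*) state="eol-$state" ;;
    esac
    echo "$state"
}

# Constructed sample inputs. On a real host, pass the installed version
# string and, for stable branches, the revision the tree was built from.
for sample in "10.1-RELEASE-p15" "9.3-RELEASE-p21" "8.4-RELEASE-p36" \
              "10.2-PRERELEASE r285975" "11.0-CURRENT"; do
    # $sample is deliberately unquoted so it splits into VERSION [REVISION].
    printf '%-26s %s\n' "$sample" "$(sa1516_status $sample)"
done
```

Hosts reported as `unknown` are outside the data this advisory provides and need to be checked against a later advisory or the branch history.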