From owner-svn-src-releng@freebsd.org Wed Mar 7 05:53:37 2018 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED01CF2EA3F; Wed, 7 Mar 2018 05:53:36 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 980D17F445; Wed, 7 Mar 2018 05:53:36 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 92F151D760; Wed, 7 Mar 2018 05:53:36 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w275ralB087948; Wed, 7 Mar 2018 05:53:36 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w275rZaw087939; Wed, 7 Mar 2018 05:53:35 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201803070553.w275rZaw087939@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 7 Mar 2018 05:53:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r330566 - in releng: 10.3 10.3/sys/conf 10.3/sys/netipsec 10.4 10.4/sys/conf 10.4/sys/netipsec 11.1 11.1/sys/conf 11.1/sys/netipsec X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 10.3 10.3/sys/conf 10.3/sys/netipsec 10.4 10.4/sys/conf 10.4/sys/netipsec 11.1 11.1/sys/conf 11.1/sys/netipsec X-SVN-Commit-Revision: 330566 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 05:53:37 -0000 Author: gordon Date: Wed Mar 7 05:53:35 2018 New Revision: 330566 URL: https://svnweb.freebsd.org/changeset/base/330566 Log: Fix ipsec validation and use-after-free. [SA-18:01.ipsec] Approved by: so Security: FreeBSD-SA-18:01.ipsec Security: CVE-2018-6916 Modified: releng/10.3/UPDATING releng/10.3/sys/conf/newvers.sh releng/10.3/sys/netipsec/xform_ah.c releng/10.4/UPDATING releng/10.4/sys/conf/newvers.sh releng/10.4/sys/netipsec/xform_ah.c releng/11.1/UPDATING releng/11.1/sys/conf/newvers.sh releng/11.1/sys/netipsec/xform_ah.c Modified: releng/10.3/UPDATING ============================================================================== --- releng/10.3/UPDATING Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.3/UPDATING Wed Mar 7 05:53:35 2018 (r330566) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20180307 p27 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p26 FreeBSD-SA-17:12.openssl Fix OpenSSL error state vulnerability. Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.3/sys/conf/newvers.sh Wed Mar 7 05:53:35 2018 (r330566) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p26" +BRANCH="RELEASE-p27" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.3/sys/netipsec/xform_ah.c ============================================================================== --- releng/10.3/sys/netipsec/xform_ah.c Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.3/sys/netipsec/xform_ah.c Wed Mar 7 05:53:35 2018 (r330566) @@ -615,6 +615,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -680,6 +690,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -704,7 +717,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = hl; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ Modified: releng/10.4/UPDATING ============================================================================== --- releng/10.4/UPDATING Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.4/UPDATING Wed Mar 7 05:53:35 2018 (r330566) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20180307 p6 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p5 FreeBSD-SA-17:12.openssl Fix OpenSSL error state vulnerability. Modified: releng/10.4/sys/conf/newvers.sh ============================================================================== --- releng/10.4/sys/conf/newvers.sh Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.4/sys/conf/newvers.sh Wed Mar 7 05:53:35 2018 (r330566) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.4" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.4/sys/netipsec/xform_ah.c ============================================================================== --- releng/10.4/sys/netipsec/xform_ah.c Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.4/sys/netipsec/xform_ah.c Wed Mar 7 05:53:35 2018 (r330566) @@ -615,6 +615,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -680,6 +690,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -704,7 +717,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = hl; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ Modified: releng/11.1/UPDATING ============================================================================== --- releng/11.1/UPDATING Wed Mar 7 05:47:48 2018 (r330565) +++ releng/11.1/UPDATING Wed Mar 7 05:53:35 2018 (r330566) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180307 p7 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p6 FreeBSD-SA-17:12.openssl Fix multiple vulnerabilities of OpenSSL. Modified: releng/11.1/sys/conf/newvers.sh ============================================================================== --- releng/11.1/sys/conf/newvers.sh Wed Mar 7 05:47:48 2018 (r330565) +++ releng/11.1/sys/conf/newvers.sh Wed Mar 7 05:53:35 2018 (r330566) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p6" +BRANCH="RELEASE-p7" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.1/sys/netipsec/xform_ah.c ============================================================================== --- releng/11.1/sys/netipsec/xform_ah.c Wed Mar 7 05:47:48 2018 (r330565) +++ releng/11.1/sys/netipsec/xform_ah.c Wed Mar 7 05:53:35 2018 (r330566) @@ -598,6 +598,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski error = EACCES; goto bad; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -642,6 +652,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -664,7 +677,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* These are passed as-is to the callback. */ xd->sav = sav; - xd->nxt = ah->ah_nxt; + xd->nxt = hl; xd->protoff = protoff; xd->skip = skip; xd->cryptoid = cryptoid; From owner-svn-src-releng@freebsd.org Wed Mar 7 05:58:28 2018 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 165DFF2ECA4; Wed, 7 Mar 2018 05:58:28 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B6E897F636; Wed, 7 Mar 2018 05:58:27 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id AD5951D765; Wed, 7 Mar 2018 05:58:27 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w275wRSu088177; Wed, 7 Mar 2018 05:58:27 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w275wPGe088165; Wed, 7 Mar 2018 05:58:25 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201803070558.w275wPGe088165@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 7 Mar 2018 05:58:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r330567 - in releng: 10.3/contrib/ntp 10.3/contrib/ntp/adjtimed 10.3/contrib/ntp/clockstuff 10.3/contrib/ntp/html 10.3/contrib/ntp/html/drivers 10.3/contrib/ntp/include 10.3/contrib/ntp... X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 10.3/contrib/ntp 10.3/contrib/ntp/adjtimed 10.3/contrib/ntp/clockstuff 10.3/contrib/ntp/html 10.3/contrib/ntp/html/drivers 10.3/contrib/ntp/include 10.3/contrib/ntp/include/isc 10.3/contrib... X-SVN-Commit-Revision: 330567 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 05:58:28 -0000 Author: gordon Date: Wed Mar 7 05:58:24 2018 New Revision: 330567 URL: https://svnweb.freebsd.org/changeset/base/330567 Log: Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] Approved by: so Security: FreeBSD-SA-18:02.ntp Security: CVE-2018-7182 Security: CVE-2018-7170 Security: CVE-2018-7184 Security: CVE-2018-7185 Security: CVE-2018-7183 Added: releng/10.3/contrib/ntp/sntp/harden/ releng/10.3/contrib/ntp/sntp/harden/README releng/10.3/contrib/ntp/sntp/harden/default releng/10.3/contrib/ntp/sntp/harden/freebsd10 releng/10.3/contrib/ntp/sntp/harden/freebsd11 releng/10.3/contrib/ntp/sntp/harden/freebsd12 releng/10.3/contrib/ntp/sntp/harden/linux releng/10.3/contrib/ntp/sntp/harden/netbsd7.0 releng/10.3/contrib/ntp/sntp/harden/netbsd7.99 releng/10.3/contrib/ntp/sntp/m4/ntp_af_unspec.m4 releng/10.3/contrib/ntp/sntp/m4/ntp_harden.m4 releng/10.3/contrib/ntp/sntp/scripts/genHardFlags releng/10.3/contrib/ntp/sntp/tests/testconf.yml releng/10.4/contrib/ntp/sntp/m4/ntp_af_unspec.m4 releng/10.4/contrib/ntp/sntp/tests/testconf.yml releng/11.1/contrib/ntp/sntp/m4/ntp_af_unspec.m4 releng/11.1/contrib/ntp/sntp/tests/testconf.yml Modified: releng/10.3/contrib/ntp/ChangeLog releng/10.3/contrib/ntp/Makefile.am releng/10.3/contrib/ntp/Makefile.in releng/10.3/contrib/ntp/NEWS releng/10.3/contrib/ntp/aclocal.m4 releng/10.3/contrib/ntp/adjtimed/Makefile.in releng/10.3/contrib/ntp/clockstuff/Makefile.in releng/10.3/contrib/ntp/configure releng/10.3/contrib/ntp/configure.ac releng/10.3/contrib/ntp/html/access.html releng/10.3/contrib/ntp/html/accopt.html releng/10.3/contrib/ntp/html/authentic.html releng/10.3/contrib/ntp/html/drivers/driver18.html releng/10.3/contrib/ntp/html/drivers/driver40.html releng/10.3/contrib/ntp/html/keygen.html releng/10.3/contrib/ntp/html/miscopt.html releng/10.3/contrib/ntp/html/monopt.html releng/10.3/contrib/ntp/html/ntpq.html releng/10.3/contrib/ntp/include/Makefile.in releng/10.3/contrib/ntp/include/isc/Makefile.in releng/10.3/contrib/ntp/include/ntp.h releng/10.3/contrib/ntp/include/ntp_calendar.h releng/10.3/contrib/ntp/include/ntp_config.h releng/10.3/contrib/ntp/include/ntp_fp.h releng/10.3/contrib/ntp/include/ntp_keyacc.h releng/10.3/contrib/ntp/include/ntp_request.h releng/10.3/contrib/ntp/include/ntp_stdlib.h releng/10.3/contrib/ntp/include/ntpd.h releng/10.3/contrib/ntp/include/recvbuff.h releng/10.3/contrib/ntp/include/ssl_applink.c releng/10.3/contrib/ntp/kernel/Makefile.in releng/10.3/contrib/ntp/kernel/sys/Makefile.in releng/10.3/contrib/ntp/libntp/Makefile.in releng/10.3/contrib/ntp/libntp/a_md5encrypt.c releng/10.3/contrib/ntp/libntp/adjtime.c releng/10.3/contrib/ntp/libntp/authkeys.c releng/10.3/contrib/ntp/libntp/authreadkeys.c releng/10.3/contrib/ntp/libntp/libssl_compat.c releng/10.3/contrib/ntp/libntp/ntp_calendar.c releng/10.3/contrib/ntp/libntp/ssl_init.c releng/10.3/contrib/ntp/libntp/statestr.c releng/10.3/contrib/ntp/libntp/systime.c releng/10.3/contrib/ntp/libntp/work_thread.c releng/10.3/contrib/ntp/libparse/Makefile.in releng/10.3/contrib/ntp/ntpd/Makefile.in releng/10.3/contrib/ntp/ntpd/complete.conf.in releng/10.3/contrib/ntp/ntpd/invoke-ntp.conf.texi releng/10.3/contrib/ntp/ntpd/invoke-ntp.keys.texi releng/10.3/contrib/ntp/ntpd/invoke-ntpd.texi releng/10.3/contrib/ntp/ntpd/keyword-gen-utd releng/10.3/contrib/ntp/ntpd/keyword-gen.c releng/10.3/contrib/ntp/ntpd/ntp.conf.5man releng/10.3/contrib/ntp/ntpd/ntp.conf.5mdoc releng/10.3/contrib/ntp/ntpd/ntp.conf.def releng/10.3/contrib/ntp/ntpd/ntp.conf.html releng/10.3/contrib/ntp/ntpd/ntp.conf.man.in releng/10.3/contrib/ntp/ntpd/ntp.conf.mdoc.in releng/10.3/contrib/ntp/ntpd/ntp.keys.5man releng/10.3/contrib/ntp/ntpd/ntp.keys.5mdoc releng/10.3/contrib/ntp/ntpd/ntp.keys.def releng/10.3/contrib/ntp/ntpd/ntp.keys.html releng/10.3/contrib/ntp/ntpd/ntp.keys.man.in releng/10.3/contrib/ntp/ntpd/ntp.keys.mdoc.in releng/10.3/contrib/ntp/ntpd/ntp_config.c releng/10.3/contrib/ntp/ntpd/ntp_control.c releng/10.3/contrib/ntp/ntpd/ntp_crypto.c releng/10.3/contrib/ntp/ntpd/ntp_io.c releng/10.3/contrib/ntp/ntpd/ntp_keyword.h releng/10.3/contrib/ntp/ntpd/ntp_leapsec.c releng/10.3/contrib/ntp/ntpd/ntp_parser.c releng/10.3/contrib/ntp/ntpd/ntp_parser.h releng/10.3/contrib/ntp/ntpd/ntp_peer.c releng/10.3/contrib/ntp/ntpd/ntp_proto.c releng/10.3/contrib/ntp/ntpd/ntp_refclock.c releng/10.3/contrib/ntp/ntpd/ntp_request.c releng/10.3/contrib/ntp/ntpd/ntp_restrict.c releng/10.3/contrib/ntp/ntpd/ntp_scanner.c releng/10.3/contrib/ntp/ntpd/ntp_util.c releng/10.3/contrib/ntp/ntpd/ntpd-opts.c releng/10.3/contrib/ntp/ntpd/ntpd-opts.h releng/10.3/contrib/ntp/ntpd/ntpd.1ntpdman releng/10.3/contrib/ntp/ntpd/ntpd.1ntpdmdoc releng/10.3/contrib/ntp/ntpd/ntpd.c releng/10.3/contrib/ntp/ntpd/ntpd.html releng/10.3/contrib/ntp/ntpd/ntpd.man.in releng/10.3/contrib/ntp/ntpd/ntpd.mdoc.in releng/10.3/contrib/ntp/ntpd/ntpsim.c releng/10.3/contrib/ntp/ntpd/refclock_gpsdjson.c releng/10.3/contrib/ntp/ntpd/refclock_jjy.c releng/10.3/contrib/ntp/ntpd/refclock_palisade.c releng/10.3/contrib/ntp/ntpd/refclock_parse.c releng/10.3/contrib/ntp/ntpdate/Makefile.in releng/10.3/contrib/ntp/ntpdc/Makefile.in releng/10.3/contrib/ntp/ntpdc/invoke-ntpdc.texi releng/10.3/contrib/ntp/ntpdc/layout.std releng/10.3/contrib/ntp/ntpdc/ntpdc-opts.c releng/10.3/contrib/ntp/ntpdc/ntpdc-opts.h releng/10.3/contrib/ntp/ntpdc/ntpdc.1ntpdcman releng/10.3/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc releng/10.3/contrib/ntp/ntpdc/ntpdc.c releng/10.3/contrib/ntp/ntpdc/ntpdc.html releng/10.3/contrib/ntp/ntpdc/ntpdc.man.in releng/10.3/contrib/ntp/ntpdc/ntpdc.mdoc.in releng/10.3/contrib/ntp/ntpdc/ntpdc_ops.c releng/10.3/contrib/ntp/ntpq/Makefile.am releng/10.3/contrib/ntp/ntpq/Makefile.in releng/10.3/contrib/ntp/ntpq/invoke-ntpq.texi releng/10.3/contrib/ntp/ntpq/ntpq-opts.c releng/10.3/contrib/ntp/ntpq/ntpq-opts.def releng/10.3/contrib/ntp/ntpq/ntpq-opts.h releng/10.3/contrib/ntp/ntpq/ntpq-subs.c releng/10.3/contrib/ntp/ntpq/ntpq.1ntpqman releng/10.3/contrib/ntp/ntpq/ntpq.1ntpqmdoc releng/10.3/contrib/ntp/ntpq/ntpq.c releng/10.3/contrib/ntp/ntpq/ntpq.html releng/10.3/contrib/ntp/ntpq/ntpq.man.in releng/10.3/contrib/ntp/ntpq/ntpq.mdoc.in releng/10.3/contrib/ntp/ntpq/ntpq.texi releng/10.3/contrib/ntp/ntpsnmpd/Makefile.in releng/10.3/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi releng/10.3/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd.html releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in releng/10.3/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in releng/10.3/contrib/ntp/packageinfo.sh releng/10.3/contrib/ntp/parseutil/Makefile.in releng/10.3/contrib/ntp/scripts/Makefile.in releng/10.3/contrib/ntp/scripts/build/Makefile.in releng/10.3/contrib/ntp/scripts/build/UpdatePoint releng/10.3/contrib/ntp/scripts/calc_tickadj/Makefile.in releng/10.3/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman releng/10.3/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc releng/10.3/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html releng/10.3/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in releng/10.3/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in releng/10.3/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi releng/10.3/contrib/ntp/scripts/invoke-plot_summary.texi releng/10.3/contrib/ntp/scripts/invoke-summary.texi releng/10.3/contrib/ntp/scripts/lib/Makefile.in releng/10.3/contrib/ntp/scripts/ntp-wait/Makefile.in releng/10.3/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi releng/10.3/contrib/ntp/scripts/ntp-wait/ntp-wait-opts releng/10.3/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman releng/10.3/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc releng/10.3/contrib/ntp/scripts/ntp-wait/ntp-wait.html releng/10.3/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in releng/10.3/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in releng/10.3/contrib/ntp/scripts/ntpsweep/Makefile.in releng/10.3/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi releng/10.3/contrib/ntp/scripts/ntpsweep/ntpsweep-opts releng/10.3/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman releng/10.3/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc releng/10.3/contrib/ntp/scripts/ntpsweep/ntpsweep.html releng/10.3/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in releng/10.3/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in releng/10.3/contrib/ntp/scripts/ntptrace/Makefile.in releng/10.3/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi releng/10.3/contrib/ntp/scripts/ntptrace/ntptrace-opts releng/10.3/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman releng/10.3/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc releng/10.3/contrib/ntp/scripts/ntptrace/ntptrace.html releng/10.3/contrib/ntp/scripts/ntptrace/ntptrace.man.in releng/10.3/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in releng/10.3/contrib/ntp/scripts/plot_summary-opts releng/10.3/contrib/ntp/scripts/plot_summary.1plot_summaryman releng/10.3/contrib/ntp/scripts/plot_summary.1plot_summarymdoc releng/10.3/contrib/ntp/scripts/plot_summary.html releng/10.3/contrib/ntp/scripts/plot_summary.man.in releng/10.3/contrib/ntp/scripts/plot_summary.mdoc.in releng/10.3/contrib/ntp/scripts/summary-opts releng/10.3/contrib/ntp/scripts/summary.1summaryman releng/10.3/contrib/ntp/scripts/summary.1summarymdoc releng/10.3/contrib/ntp/scripts/summary.html releng/10.3/contrib/ntp/scripts/summary.man.in releng/10.3/contrib/ntp/scripts/summary.mdoc.in releng/10.3/contrib/ntp/scripts/update-leap/Makefile.in releng/10.3/contrib/ntp/scripts/update-leap/invoke-update-leap.texi releng/10.3/contrib/ntp/scripts/update-leap/update-leap-opts releng/10.3/contrib/ntp/scripts/update-leap/update-leap.1update-leapman releng/10.3/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc releng/10.3/contrib/ntp/scripts/update-leap/update-leap.html releng/10.3/contrib/ntp/scripts/update-leap/update-leap.in releng/10.3/contrib/ntp/scripts/update-leap/update-leap.man.in releng/10.3/contrib/ntp/scripts/update-leap/update-leap.mdoc.in releng/10.3/contrib/ntp/sntp/Makefile.in releng/10.3/contrib/ntp/sntp/check-libntp.mf releng/10.3/contrib/ntp/sntp/configure releng/10.3/contrib/ntp/sntp/crypto.c releng/10.3/contrib/ntp/sntp/crypto.h releng/10.3/contrib/ntp/sntp/include/version.def releng/10.3/contrib/ntp/sntp/include/version.texi releng/10.3/contrib/ntp/sntp/invoke-sntp.texi releng/10.3/contrib/ntp/sntp/m4/ntp_libevent.m4 releng/10.3/contrib/ntp/sntp/m4/ntp_openssl.m4 releng/10.3/contrib/ntp/sntp/m4/version.m4 releng/10.3/contrib/ntp/sntp/main.c releng/10.3/contrib/ntp/sntp/networking.c releng/10.3/contrib/ntp/sntp/sntp-opts.c releng/10.3/contrib/ntp/sntp/sntp-opts.def releng/10.3/contrib/ntp/sntp/sntp-opts.h releng/10.3/contrib/ntp/sntp/sntp.1sntpman releng/10.3/contrib/ntp/sntp/sntp.1sntpmdoc releng/10.3/contrib/ntp/sntp/sntp.html releng/10.3/contrib/ntp/sntp/sntp.man.in releng/10.3/contrib/ntp/sntp/sntp.mdoc.in releng/10.3/contrib/ntp/sntp/tests/Makefile.am releng/10.3/contrib/ntp/sntp/tests/Makefile.in releng/10.3/contrib/ntp/sntp/tests/crypto.c releng/10.3/contrib/ntp/sntp/tests/keyFile.c releng/10.3/contrib/ntp/sntp/tests/packetHandling.c releng/10.3/contrib/ntp/sntp/tests/packetProcessing.c releng/10.3/contrib/ntp/sntp/tests/run-crypto.c releng/10.3/contrib/ntp/sntp/tests/run-keyFile.c releng/10.3/contrib/ntp/sntp/tests/run-kodDatabase.c releng/10.3/contrib/ntp/sntp/tests/run-kodFile.c releng/10.3/contrib/ntp/sntp/tests/run-networking.c releng/10.3/contrib/ntp/sntp/tests/run-packetHandling.c releng/10.3/contrib/ntp/sntp/tests/run-packetProcessing.c releng/10.3/contrib/ntp/sntp/tests/run-t-log.c releng/10.3/contrib/ntp/sntp/tests/run-utilities.c releng/10.3/contrib/ntp/sntp/unity/auto/generate_test_runner.rb releng/10.3/contrib/ntp/sntp/utilities.c releng/10.3/contrib/ntp/sntp/version.c releng/10.3/contrib/ntp/util/Makefile.in releng/10.3/contrib/ntp/util/invoke-ntp-keygen.texi releng/10.3/contrib/ntp/util/ntp-keygen-opts.c releng/10.3/contrib/ntp/util/ntp-keygen-opts.def releng/10.3/contrib/ntp/util/ntp-keygen-opts.h releng/10.3/contrib/ntp/util/ntp-keygen.1ntp-keygenman releng/10.3/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc releng/10.3/contrib/ntp/util/ntp-keygen.html releng/10.3/contrib/ntp/util/ntp-keygen.man.in releng/10.3/contrib/ntp/util/ntp-keygen.mdoc.in releng/10.3/usr.sbin/ntp/config.h releng/10.3/usr.sbin/ntp/doc/ntp-keygen.8 releng/10.3/usr.sbin/ntp/doc/ntp.conf.5 releng/10.3/usr.sbin/ntp/doc/ntp.keys.5 releng/10.3/usr.sbin/ntp/doc/ntpd.8 releng/10.3/usr.sbin/ntp/doc/ntpdc.8 releng/10.3/usr.sbin/ntp/doc/ntpq.8 releng/10.3/usr.sbin/ntp/doc/sntp.8 releng/10.3/usr.sbin/ntp/ntp-keygen/Makefile releng/10.3/usr.sbin/ntp/ntptime/Makefile releng/10.3/usr.sbin/ntp/scripts/mkver releng/10.3/usr.sbin/ntp/sntp/Makefile releng/10.4/contrib/ntp/ChangeLog releng/10.4/contrib/ntp/Makefile.am releng/10.4/contrib/ntp/Makefile.in releng/10.4/contrib/ntp/NEWS releng/10.4/contrib/ntp/aclocal.m4 releng/10.4/contrib/ntp/adjtimed/Makefile.in releng/10.4/contrib/ntp/clockstuff/Makefile.in releng/10.4/contrib/ntp/configure releng/10.4/contrib/ntp/configure.ac releng/10.4/contrib/ntp/html/access.html releng/10.4/contrib/ntp/html/accopt.html releng/10.4/contrib/ntp/html/authentic.html releng/10.4/contrib/ntp/html/drivers/driver18.html releng/10.4/contrib/ntp/html/drivers/driver40.html releng/10.4/contrib/ntp/html/keygen.html releng/10.4/contrib/ntp/html/miscopt.html releng/10.4/contrib/ntp/html/monopt.html releng/10.4/contrib/ntp/html/ntpq.html releng/10.4/contrib/ntp/include/Makefile.in releng/10.4/contrib/ntp/include/isc/Makefile.in releng/10.4/contrib/ntp/include/ntp.h releng/10.4/contrib/ntp/include/ntp_calendar.h releng/10.4/contrib/ntp/include/ntp_config.h releng/10.4/contrib/ntp/include/ntp_fp.h releng/10.4/contrib/ntp/include/ntp_keyacc.h releng/10.4/contrib/ntp/include/ntp_request.h releng/10.4/contrib/ntp/include/ntp_stdlib.h releng/10.4/contrib/ntp/include/ntpd.h releng/10.4/contrib/ntp/include/recvbuff.h releng/10.4/contrib/ntp/include/ssl_applink.c releng/10.4/contrib/ntp/kernel/Makefile.in releng/10.4/contrib/ntp/kernel/sys/Makefile.in releng/10.4/contrib/ntp/libntp/Makefile.in releng/10.4/contrib/ntp/libntp/a_md5encrypt.c releng/10.4/contrib/ntp/libntp/adjtime.c releng/10.4/contrib/ntp/libntp/authkeys.c releng/10.4/contrib/ntp/libntp/authreadkeys.c releng/10.4/contrib/ntp/libntp/libssl_compat.c releng/10.4/contrib/ntp/libntp/ntp_calendar.c releng/10.4/contrib/ntp/libntp/ssl_init.c releng/10.4/contrib/ntp/libntp/statestr.c releng/10.4/contrib/ntp/libntp/systime.c releng/10.4/contrib/ntp/libntp/work_thread.c releng/10.4/contrib/ntp/libparse/Makefile.in releng/10.4/contrib/ntp/ntpd/Makefile.in releng/10.4/contrib/ntp/ntpd/complete.conf.in releng/10.4/contrib/ntp/ntpd/invoke-ntp.conf.texi releng/10.4/contrib/ntp/ntpd/invoke-ntp.keys.texi releng/10.4/contrib/ntp/ntpd/invoke-ntpd.texi releng/10.4/contrib/ntp/ntpd/keyword-gen-utd releng/10.4/contrib/ntp/ntpd/keyword-gen.c releng/10.4/contrib/ntp/ntpd/ntp.conf.5man releng/10.4/contrib/ntp/ntpd/ntp.conf.5mdoc releng/10.4/contrib/ntp/ntpd/ntp.conf.def releng/10.4/contrib/ntp/ntpd/ntp.conf.html releng/10.4/contrib/ntp/ntpd/ntp.conf.man.in releng/10.4/contrib/ntp/ntpd/ntp.conf.mdoc.in releng/10.4/contrib/ntp/ntpd/ntp.keys.5man releng/10.4/contrib/ntp/ntpd/ntp.keys.5mdoc releng/10.4/contrib/ntp/ntpd/ntp.keys.def releng/10.4/contrib/ntp/ntpd/ntp.keys.html releng/10.4/contrib/ntp/ntpd/ntp.keys.man.in releng/10.4/contrib/ntp/ntpd/ntp.keys.mdoc.in releng/10.4/contrib/ntp/ntpd/ntp_config.c releng/10.4/contrib/ntp/ntpd/ntp_control.c releng/10.4/contrib/ntp/ntpd/ntp_crypto.c releng/10.4/contrib/ntp/ntpd/ntp_io.c releng/10.4/contrib/ntp/ntpd/ntp_keyword.h releng/10.4/contrib/ntp/ntpd/ntp_leapsec.c releng/10.4/contrib/ntp/ntpd/ntp_parser.c releng/10.4/contrib/ntp/ntpd/ntp_parser.h releng/10.4/contrib/ntp/ntpd/ntp_peer.c releng/10.4/contrib/ntp/ntpd/ntp_proto.c releng/10.4/contrib/ntp/ntpd/ntp_refclock.c releng/10.4/contrib/ntp/ntpd/ntp_request.c releng/10.4/contrib/ntp/ntpd/ntp_restrict.c releng/10.4/contrib/ntp/ntpd/ntp_scanner.c releng/10.4/contrib/ntp/ntpd/ntp_util.c releng/10.4/contrib/ntp/ntpd/ntpd-opts.c releng/10.4/contrib/ntp/ntpd/ntpd-opts.h releng/10.4/contrib/ntp/ntpd/ntpd.1ntpdman releng/10.4/contrib/ntp/ntpd/ntpd.1ntpdmdoc releng/10.4/contrib/ntp/ntpd/ntpd.c releng/10.4/contrib/ntp/ntpd/ntpd.html releng/10.4/contrib/ntp/ntpd/ntpd.man.in releng/10.4/contrib/ntp/ntpd/ntpd.mdoc.in releng/10.4/contrib/ntp/ntpd/ntpsim.c releng/10.4/contrib/ntp/ntpd/refclock_gpsdjson.c releng/10.4/contrib/ntp/ntpd/refclock_jjy.c releng/10.4/contrib/ntp/ntpd/refclock_palisade.c releng/10.4/contrib/ntp/ntpd/refclock_parse.c releng/10.4/contrib/ntp/ntpdate/Makefile.in releng/10.4/contrib/ntp/ntpdc/Makefile.in releng/10.4/contrib/ntp/ntpdc/invoke-ntpdc.texi releng/10.4/contrib/ntp/ntpdc/layout.std releng/10.4/contrib/ntp/ntpdc/ntpdc-opts.c releng/10.4/contrib/ntp/ntpdc/ntpdc-opts.h releng/10.4/contrib/ntp/ntpdc/ntpdc.1ntpdcman releng/10.4/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc releng/10.4/contrib/ntp/ntpdc/ntpdc.c releng/10.4/contrib/ntp/ntpdc/ntpdc.html releng/10.4/contrib/ntp/ntpdc/ntpdc.man.in releng/10.4/contrib/ntp/ntpdc/ntpdc.mdoc.in releng/10.4/contrib/ntp/ntpdc/ntpdc_ops.c releng/10.4/contrib/ntp/ntpq/Makefile.am releng/10.4/contrib/ntp/ntpq/Makefile.in releng/10.4/contrib/ntp/ntpq/invoke-ntpq.texi releng/10.4/contrib/ntp/ntpq/ntpq-opts.c releng/10.4/contrib/ntp/ntpq/ntpq-opts.def releng/10.4/contrib/ntp/ntpq/ntpq-opts.h releng/10.4/contrib/ntp/ntpq/ntpq-subs.c releng/10.4/contrib/ntp/ntpq/ntpq.1ntpqman releng/10.4/contrib/ntp/ntpq/ntpq.1ntpqmdoc releng/10.4/contrib/ntp/ntpq/ntpq.c releng/10.4/contrib/ntp/ntpq/ntpq.html releng/10.4/contrib/ntp/ntpq/ntpq.man.in releng/10.4/contrib/ntp/ntpq/ntpq.mdoc.in releng/10.4/contrib/ntp/ntpq/ntpq.texi releng/10.4/contrib/ntp/ntpsnmpd/Makefile.in releng/10.4/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi releng/10.4/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd.html releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in releng/10.4/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in releng/10.4/contrib/ntp/packageinfo.sh releng/10.4/contrib/ntp/parseutil/Makefile.in releng/10.4/contrib/ntp/scripts/Makefile.in releng/10.4/contrib/ntp/scripts/build/Makefile.in releng/10.4/contrib/ntp/scripts/build/UpdatePoint releng/10.4/contrib/ntp/scripts/calc_tickadj/Makefile.in releng/10.4/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman releng/10.4/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc releng/10.4/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html releng/10.4/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in releng/10.4/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in releng/10.4/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi releng/10.4/contrib/ntp/scripts/invoke-plot_summary.texi releng/10.4/contrib/ntp/scripts/invoke-summary.texi releng/10.4/contrib/ntp/scripts/lib/Makefile.in releng/10.4/contrib/ntp/scripts/ntp-wait/Makefile.in releng/10.4/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi releng/10.4/contrib/ntp/scripts/ntp-wait/ntp-wait-opts releng/10.4/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman releng/10.4/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc releng/10.4/contrib/ntp/scripts/ntp-wait/ntp-wait.html releng/10.4/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in releng/10.4/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in releng/10.4/contrib/ntp/scripts/ntpsweep/Makefile.in releng/10.4/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi releng/10.4/contrib/ntp/scripts/ntpsweep/ntpsweep-opts releng/10.4/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman releng/10.4/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc releng/10.4/contrib/ntp/scripts/ntpsweep/ntpsweep.html releng/10.4/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in releng/10.4/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in releng/10.4/contrib/ntp/scripts/ntptrace/Makefile.in releng/10.4/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi releng/10.4/contrib/ntp/scripts/ntptrace/ntptrace-opts releng/10.4/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman releng/10.4/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc releng/10.4/contrib/ntp/scripts/ntptrace/ntptrace.html releng/10.4/contrib/ntp/scripts/ntptrace/ntptrace.man.in releng/10.4/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in releng/10.4/contrib/ntp/scripts/plot_summary-opts releng/10.4/contrib/ntp/scripts/plot_summary.1plot_summaryman releng/10.4/contrib/ntp/scripts/plot_summary.1plot_summarymdoc releng/10.4/contrib/ntp/scripts/plot_summary.html releng/10.4/contrib/ntp/scripts/plot_summary.man.in releng/10.4/contrib/ntp/scripts/plot_summary.mdoc.in releng/10.4/contrib/ntp/scripts/summary-opts releng/10.4/contrib/ntp/scripts/summary.1summaryman releng/10.4/contrib/ntp/scripts/summary.1summarymdoc releng/10.4/contrib/ntp/scripts/summary.html releng/10.4/contrib/ntp/scripts/summary.man.in releng/10.4/contrib/ntp/scripts/summary.mdoc.in releng/10.4/contrib/ntp/scripts/update-leap/Makefile.in releng/10.4/contrib/ntp/scripts/update-leap/invoke-update-leap.texi releng/10.4/contrib/ntp/scripts/update-leap/update-leap-opts releng/10.4/contrib/ntp/scripts/update-leap/update-leap.1update-leapman releng/10.4/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc releng/10.4/contrib/ntp/scripts/update-leap/update-leap.html releng/10.4/contrib/ntp/scripts/update-leap/update-leap.in releng/10.4/contrib/ntp/scripts/update-leap/update-leap.man.in releng/10.4/contrib/ntp/scripts/update-leap/update-leap.mdoc.in releng/10.4/contrib/ntp/sntp/Makefile.in releng/10.4/contrib/ntp/sntp/check-libntp.mf releng/10.4/contrib/ntp/sntp/configure releng/10.4/contrib/ntp/sntp/crypto.c releng/10.4/contrib/ntp/sntp/crypto.h releng/10.4/contrib/ntp/sntp/harden/linux releng/10.4/contrib/ntp/sntp/include/version.def releng/10.4/contrib/ntp/sntp/include/version.texi releng/10.4/contrib/ntp/sntp/invoke-sntp.texi releng/10.4/contrib/ntp/sntp/m4/ntp_harden.m4 releng/10.4/contrib/ntp/sntp/m4/ntp_libevent.m4 releng/10.4/contrib/ntp/sntp/m4/ntp_openssl.m4 releng/10.4/contrib/ntp/sntp/m4/version.m4 releng/10.4/contrib/ntp/sntp/main.c releng/10.4/contrib/ntp/sntp/networking.c releng/10.4/contrib/ntp/sntp/sntp-opts.c releng/10.4/contrib/ntp/sntp/sntp-opts.def releng/10.4/contrib/ntp/sntp/sntp-opts.h releng/10.4/contrib/ntp/sntp/sntp.1sntpman releng/10.4/contrib/ntp/sntp/sntp.1sntpmdoc releng/10.4/contrib/ntp/sntp/sntp.html releng/10.4/contrib/ntp/sntp/sntp.man.in releng/10.4/contrib/ntp/sntp/sntp.mdoc.in releng/10.4/contrib/ntp/sntp/tests/Makefile.am releng/10.4/contrib/ntp/sntp/tests/Makefile.in releng/10.4/contrib/ntp/sntp/tests/crypto.c releng/10.4/contrib/ntp/sntp/tests/keyFile.c releng/10.4/contrib/ntp/sntp/tests/packetHandling.c releng/10.4/contrib/ntp/sntp/tests/packetProcessing.c releng/10.4/contrib/ntp/sntp/tests/run-crypto.c releng/10.4/contrib/ntp/sntp/tests/run-keyFile.c releng/10.4/contrib/ntp/sntp/tests/run-kodDatabase.c releng/10.4/contrib/ntp/sntp/tests/run-kodFile.c releng/10.4/contrib/ntp/sntp/tests/run-networking.c releng/10.4/contrib/ntp/sntp/tests/run-packetHandling.c releng/10.4/contrib/ntp/sntp/tests/run-packetProcessing.c releng/10.4/contrib/ntp/sntp/tests/run-t-log.c releng/10.4/contrib/ntp/sntp/tests/run-utilities.c releng/10.4/contrib/ntp/sntp/unity/auto/generate_test_runner.rb releng/10.4/contrib/ntp/sntp/utilities.c releng/10.4/contrib/ntp/sntp/version.c releng/10.4/contrib/ntp/util/Makefile.in releng/10.4/contrib/ntp/util/invoke-ntp-keygen.texi releng/10.4/contrib/ntp/util/ntp-keygen-opts.c releng/10.4/contrib/ntp/util/ntp-keygen-opts.def releng/10.4/contrib/ntp/util/ntp-keygen-opts.h releng/10.4/contrib/ntp/util/ntp-keygen.1ntp-keygenman releng/10.4/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc releng/10.4/contrib/ntp/util/ntp-keygen.html releng/10.4/contrib/ntp/util/ntp-keygen.man.in releng/10.4/contrib/ntp/util/ntp-keygen.mdoc.in releng/10.4/usr.sbin/ntp/config.h releng/10.4/usr.sbin/ntp/doc/ntp-keygen.8 releng/10.4/usr.sbin/ntp/doc/ntp.conf.5 releng/10.4/usr.sbin/ntp/doc/ntp.keys.5 releng/10.4/usr.sbin/ntp/doc/ntpd.8 releng/10.4/usr.sbin/ntp/doc/ntpdc.8 releng/10.4/usr.sbin/ntp/doc/ntpq.8 releng/10.4/usr.sbin/ntp/doc/sntp.8 releng/10.4/usr.sbin/ntp/ntp-keygen/Makefile releng/10.4/usr.sbin/ntp/ntptime/Makefile releng/10.4/usr.sbin/ntp/scripts/mkver releng/11.1/contrib/ntp/ChangeLog releng/11.1/contrib/ntp/Makefile.am releng/11.1/contrib/ntp/Makefile.in releng/11.1/contrib/ntp/NEWS releng/11.1/contrib/ntp/aclocal.m4 releng/11.1/contrib/ntp/adjtimed/Makefile.in releng/11.1/contrib/ntp/clockstuff/Makefile.in releng/11.1/contrib/ntp/configure releng/11.1/contrib/ntp/configure.ac releng/11.1/contrib/ntp/html/access.html releng/11.1/contrib/ntp/html/accopt.html releng/11.1/contrib/ntp/html/authentic.html releng/11.1/contrib/ntp/html/drivers/driver18.html releng/11.1/contrib/ntp/html/drivers/driver40.html releng/11.1/contrib/ntp/html/keygen.html releng/11.1/contrib/ntp/html/miscopt.html releng/11.1/contrib/ntp/html/monopt.html releng/11.1/contrib/ntp/html/ntpq.html releng/11.1/contrib/ntp/include/Makefile.in releng/11.1/contrib/ntp/include/isc/Makefile.in releng/11.1/contrib/ntp/include/ntp.h releng/11.1/contrib/ntp/include/ntp_calendar.h releng/11.1/contrib/ntp/include/ntp_config.h releng/11.1/contrib/ntp/include/ntp_fp.h releng/11.1/contrib/ntp/include/ntp_keyacc.h releng/11.1/contrib/ntp/include/ntp_request.h releng/11.1/contrib/ntp/include/ntp_stdlib.h releng/11.1/contrib/ntp/include/ntpd.h releng/11.1/contrib/ntp/include/recvbuff.h releng/11.1/contrib/ntp/include/ssl_applink.c releng/11.1/contrib/ntp/kernel/Makefile.in releng/11.1/contrib/ntp/kernel/sys/Makefile.in releng/11.1/contrib/ntp/libntp/Makefile.in releng/11.1/contrib/ntp/libntp/a_md5encrypt.c releng/11.1/contrib/ntp/libntp/adjtime.c releng/11.1/contrib/ntp/libntp/authkeys.c releng/11.1/contrib/ntp/libntp/authreadkeys.c releng/11.1/contrib/ntp/libntp/libssl_compat.c releng/11.1/contrib/ntp/libntp/ntp_calendar.c releng/11.1/contrib/ntp/libntp/ssl_init.c releng/11.1/contrib/ntp/libntp/statestr.c releng/11.1/contrib/ntp/libntp/systime.c releng/11.1/contrib/ntp/libntp/work_thread.c releng/11.1/contrib/ntp/libparse/Makefile.in releng/11.1/contrib/ntp/ntpd/Makefile.in releng/11.1/contrib/ntp/ntpd/complete.conf.in releng/11.1/contrib/ntp/ntpd/invoke-ntp.conf.texi releng/11.1/contrib/ntp/ntpd/invoke-ntp.keys.texi releng/11.1/contrib/ntp/ntpd/invoke-ntpd.texi releng/11.1/contrib/ntp/ntpd/keyword-gen-utd releng/11.1/contrib/ntp/ntpd/keyword-gen.c releng/11.1/contrib/ntp/ntpd/ntp.conf.5man releng/11.1/contrib/ntp/ntpd/ntp.conf.5mdoc releng/11.1/contrib/ntp/ntpd/ntp.conf.def releng/11.1/contrib/ntp/ntpd/ntp.conf.html releng/11.1/contrib/ntp/ntpd/ntp.conf.man.in releng/11.1/contrib/ntp/ntpd/ntp.conf.mdoc.in releng/11.1/contrib/ntp/ntpd/ntp.keys.5man releng/11.1/contrib/ntp/ntpd/ntp.keys.5mdoc releng/11.1/contrib/ntp/ntpd/ntp.keys.def releng/11.1/contrib/ntp/ntpd/ntp.keys.html releng/11.1/contrib/ntp/ntpd/ntp.keys.man.in releng/11.1/contrib/ntp/ntpd/ntp.keys.mdoc.in releng/11.1/contrib/ntp/ntpd/ntp_config.c releng/11.1/contrib/ntp/ntpd/ntp_control.c releng/11.1/contrib/ntp/ntpd/ntp_crypto.c releng/11.1/contrib/ntp/ntpd/ntp_io.c releng/11.1/contrib/ntp/ntpd/ntp_keyword.h releng/11.1/contrib/ntp/ntpd/ntp_leapsec.c releng/11.1/contrib/ntp/ntpd/ntp_parser.c releng/11.1/contrib/ntp/ntpd/ntp_parser.h releng/11.1/contrib/ntp/ntpd/ntp_peer.c releng/11.1/contrib/ntp/ntpd/ntp_proto.c releng/11.1/contrib/ntp/ntpd/ntp_refclock.c releng/11.1/contrib/ntp/ntpd/ntp_request.c releng/11.1/contrib/ntp/ntpd/ntp_restrict.c releng/11.1/contrib/ntp/ntpd/ntp_scanner.c releng/11.1/contrib/ntp/ntpd/ntp_util.c releng/11.1/contrib/ntp/ntpd/ntpd-opts.c releng/11.1/contrib/ntp/ntpd/ntpd-opts.h releng/11.1/contrib/ntp/ntpd/ntpd.1ntpdman releng/11.1/contrib/ntp/ntpd/ntpd.1ntpdmdoc releng/11.1/contrib/ntp/ntpd/ntpd.c releng/11.1/contrib/ntp/ntpd/ntpd.html releng/11.1/contrib/ntp/ntpd/ntpd.man.in releng/11.1/contrib/ntp/ntpd/ntpd.mdoc.in releng/11.1/contrib/ntp/ntpd/ntpsim.c releng/11.1/contrib/ntp/ntpd/refclock_gpsdjson.c releng/11.1/contrib/ntp/ntpd/refclock_jjy.c releng/11.1/contrib/ntp/ntpd/refclock_palisade.c releng/11.1/contrib/ntp/ntpd/refclock_parse.c releng/11.1/contrib/ntp/ntpdate/Makefile.in releng/11.1/contrib/ntp/ntpdc/Makefile.in releng/11.1/contrib/ntp/ntpdc/invoke-ntpdc.texi releng/11.1/contrib/ntp/ntpdc/layout.std releng/11.1/contrib/ntp/ntpdc/ntpdc-opts.c releng/11.1/contrib/ntp/ntpdc/ntpdc-opts.h releng/11.1/contrib/ntp/ntpdc/ntpdc.1ntpdcman releng/11.1/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc releng/11.1/contrib/ntp/ntpdc/ntpdc.c releng/11.1/contrib/ntp/ntpdc/ntpdc.html releng/11.1/contrib/ntp/ntpdc/ntpdc.man.in releng/11.1/contrib/ntp/ntpdc/ntpdc.mdoc.in releng/11.1/contrib/ntp/ntpdc/ntpdc_ops.c releng/11.1/contrib/ntp/ntpq/Makefile.am releng/11.1/contrib/ntp/ntpq/Makefile.in releng/11.1/contrib/ntp/ntpq/invoke-ntpq.texi releng/11.1/contrib/ntp/ntpq/ntpq-opts.c releng/11.1/contrib/ntp/ntpq/ntpq-opts.def releng/11.1/contrib/ntp/ntpq/ntpq-opts.h releng/11.1/contrib/ntp/ntpq/ntpq-subs.c releng/11.1/contrib/ntp/ntpq/ntpq.1ntpqman releng/11.1/contrib/ntp/ntpq/ntpq.1ntpqmdoc releng/11.1/contrib/ntp/ntpq/ntpq.c releng/11.1/contrib/ntp/ntpq/ntpq.html releng/11.1/contrib/ntp/ntpq/ntpq.man.in releng/11.1/contrib/ntp/ntpq/ntpq.mdoc.in releng/11.1/contrib/ntp/ntpq/ntpq.texi releng/11.1/contrib/ntp/ntpsnmpd/Makefile.in releng/11.1/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi releng/11.1/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd.html releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in releng/11.1/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in releng/11.1/contrib/ntp/packageinfo.sh releng/11.1/contrib/ntp/parseutil/Makefile.in releng/11.1/contrib/ntp/scripts/Makefile.in releng/11.1/contrib/ntp/scripts/build/Makefile.in releng/11.1/contrib/ntp/scripts/build/UpdatePoint releng/11.1/contrib/ntp/scripts/calc_tickadj/Makefile.in releng/11.1/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman releng/11.1/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc releng/11.1/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html releng/11.1/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in releng/11.1/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in releng/11.1/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi releng/11.1/contrib/ntp/scripts/invoke-plot_summary.texi releng/11.1/contrib/ntp/scripts/invoke-summary.texi releng/11.1/contrib/ntp/scripts/lib/Makefile.in releng/11.1/contrib/ntp/scripts/ntp-wait/Makefile.in releng/11.1/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi releng/11.1/contrib/ntp/scripts/ntp-wait/ntp-wait-opts releng/11.1/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman releng/11.1/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc releng/11.1/contrib/ntp/scripts/ntp-wait/ntp-wait.html releng/11.1/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in releng/11.1/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in releng/11.1/contrib/ntp/scripts/ntpsweep/Makefile.in releng/11.1/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi releng/11.1/contrib/ntp/scripts/ntpsweep/ntpsweep-opts releng/11.1/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman releng/11.1/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc releng/11.1/contrib/ntp/scripts/ntpsweep/ntpsweep.html releng/11.1/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in releng/11.1/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in releng/11.1/contrib/ntp/scripts/ntptrace/Makefile.in releng/11.1/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi releng/11.1/contrib/ntp/scripts/ntptrace/ntptrace-opts releng/11.1/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman releng/11.1/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc releng/11.1/contrib/ntp/scripts/ntptrace/ntptrace.html releng/11.1/contrib/ntp/scripts/ntptrace/ntptrace.man.in releng/11.1/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in releng/11.1/contrib/ntp/scripts/plot_summary-opts releng/11.1/contrib/ntp/scripts/plot_summary.1plot_summaryman releng/11.1/contrib/ntp/scripts/plot_summary.1plot_summarymdoc releng/11.1/contrib/ntp/scripts/plot_summary.html releng/11.1/contrib/ntp/scripts/plot_summary.man.in releng/11.1/contrib/ntp/scripts/plot_summary.mdoc.in releng/11.1/contrib/ntp/scripts/summary-opts releng/11.1/contrib/ntp/scripts/summary.1summaryman releng/11.1/contrib/ntp/scripts/summary.1summarymdoc releng/11.1/contrib/ntp/scripts/summary.html releng/11.1/contrib/ntp/scripts/summary.man.in releng/11.1/contrib/ntp/scripts/summary.mdoc.in releng/11.1/contrib/ntp/scripts/update-leap/Makefile.in releng/11.1/contrib/ntp/scripts/update-leap/invoke-update-leap.texi releng/11.1/contrib/ntp/scripts/update-leap/update-leap-opts releng/11.1/contrib/ntp/scripts/update-leap/update-leap.1update-leapman releng/11.1/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc releng/11.1/contrib/ntp/scripts/update-leap/update-leap.html releng/11.1/contrib/ntp/scripts/update-leap/update-leap.in releng/11.1/contrib/ntp/scripts/update-leap/update-leap.man.in releng/11.1/contrib/ntp/scripts/update-leap/update-leap.mdoc.in releng/11.1/contrib/ntp/sntp/Makefile.in releng/11.1/contrib/ntp/sntp/check-libntp.mf releng/11.1/contrib/ntp/sntp/configure releng/11.1/contrib/ntp/sntp/crypto.c releng/11.1/contrib/ntp/sntp/crypto.h releng/11.1/contrib/ntp/sntp/harden/linux releng/11.1/contrib/ntp/sntp/include/version.def releng/11.1/contrib/ntp/sntp/include/version.texi releng/11.1/contrib/ntp/sntp/invoke-sntp.texi releng/11.1/contrib/ntp/sntp/m4/ntp_harden.m4 releng/11.1/contrib/ntp/sntp/m4/ntp_libevent.m4 releng/11.1/contrib/ntp/sntp/m4/ntp_openssl.m4 releng/11.1/contrib/ntp/sntp/m4/version.m4 releng/11.1/contrib/ntp/sntp/main.c releng/11.1/contrib/ntp/sntp/networking.c releng/11.1/contrib/ntp/sntp/sntp-opts.c releng/11.1/contrib/ntp/sntp/sntp-opts.def releng/11.1/contrib/ntp/sntp/sntp-opts.h releng/11.1/contrib/ntp/sntp/sntp.1sntpman releng/11.1/contrib/ntp/sntp/sntp.1sntpmdoc releng/11.1/contrib/ntp/sntp/sntp.html releng/11.1/contrib/ntp/sntp/sntp.man.in releng/11.1/contrib/ntp/sntp/sntp.mdoc.in releng/11.1/contrib/ntp/sntp/tests/Makefile.am releng/11.1/contrib/ntp/sntp/tests/Makefile.in releng/11.1/contrib/ntp/sntp/tests/crypto.c releng/11.1/contrib/ntp/sntp/tests/keyFile.c releng/11.1/contrib/ntp/sntp/tests/packetHandling.c releng/11.1/contrib/ntp/sntp/tests/packetProcessing.c releng/11.1/contrib/ntp/sntp/tests/run-crypto.c releng/11.1/contrib/ntp/sntp/tests/run-keyFile.c releng/11.1/contrib/ntp/sntp/tests/run-kodDatabase.c releng/11.1/contrib/ntp/sntp/tests/run-kodFile.c releng/11.1/contrib/ntp/sntp/tests/run-networking.c releng/11.1/contrib/ntp/sntp/tests/run-packetHandling.c releng/11.1/contrib/ntp/sntp/tests/run-packetProcessing.c releng/11.1/contrib/ntp/sntp/tests/run-t-log.c releng/11.1/contrib/ntp/sntp/tests/run-utilities.c releng/11.1/contrib/ntp/sntp/unity/auto/generate_test_runner.rb releng/11.1/contrib/ntp/sntp/utilities.c releng/11.1/contrib/ntp/sntp/version.c releng/11.1/contrib/ntp/util/Makefile.in releng/11.1/contrib/ntp/util/invoke-ntp-keygen.texi releng/11.1/contrib/ntp/util/ntp-keygen-opts.c releng/11.1/contrib/ntp/util/ntp-keygen-opts.def releng/11.1/contrib/ntp/util/ntp-keygen-opts.h releng/11.1/contrib/ntp/util/ntp-keygen.1ntp-keygenman releng/11.1/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc releng/11.1/contrib/ntp/util/ntp-keygen.html releng/11.1/contrib/ntp/util/ntp-keygen.man.in releng/11.1/contrib/ntp/util/ntp-keygen.mdoc.in releng/11.1/usr.sbin/ntp/config.h releng/11.1/usr.sbin/ntp/doc/ntp-keygen.8 releng/11.1/usr.sbin/ntp/doc/ntp.conf.5 releng/11.1/usr.sbin/ntp/doc/ntp.keys.5 releng/11.1/usr.sbin/ntp/doc/ntpd.8 releng/11.1/usr.sbin/ntp/doc/ntpdc.8 releng/11.1/usr.sbin/ntp/doc/ntpq.8 releng/11.1/usr.sbin/ntp/doc/sntp.8 releng/11.1/usr.sbin/ntp/ntp-keygen/Makefile releng/11.1/usr.sbin/ntp/ntptime/Makefile releng/11.1/usr.sbin/ntp/scripts/mkver Modified: releng/10.3/contrib/ntp/ChangeLog ============================================================================== --- releng/10.3/contrib/ntp/ChangeLog Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/ChangeLog Wed Mar 7 05:58:24 2018 (r330567) @@ -1,6 +1,107 @@ --- -(4.2.8p10-win-beta1) 2017/03/21 Released by Harlan Stenn -(4.2.8p10) + +* [Sec 3454] Unauthenticated packet can reset authenticated interleave + associations. HStenn. +* [Sec 3453] Interleaved symmetric mode cannot recover from bad state. HStenn. +* [Sec 3415] Permit blocking authenticated symmetric/passive associations. + Implement ippeerlimit. HStenn, JPerlinger. +* [Sec 3414] ntpq: decodearr() can write beyond its 'buf' limits + - initial patch by , extended by +* [Sec 3412] ctl_getitem(): Don't compare names past NUL. +* [Sec 3012] Sybil vulnerability: noepeer support. HStenn, JPerlinger. +* [Bug 3457] OpenSSL FIPS mode regression +* [Bug 3455] ntpd doesn't use scope id when binding multicast + - applied patch by Sean Haugh +* [Bug 3452] PARSE driver prints uninitialized memory. +* [Bug 3450] Dubious error messages from plausibility checks in get_systime() + - removed error log caused by rounding/slew, ensured postcondition +* [Bug 3447] AES-128-CMAC (fixes) + - refactoring the MAC code, too +* [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org +* [Bug 3439] When running multiple commands / hosts in ntpq... + - applied patch by ggarvey +* [Bug 3438] Negative values and values > 999 days in... + - applied patch by ggarvey (with minor mods) +* [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain + - applied patch (with mods) by Miroslav Lichvar +* [Bug 3435] anchor NTP era alignment +* [Bug 3433] sntp crashes when run with -a. +* [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" + - fixed several issues with hash algos in ntpd, sntp, ntpq, + ntpdc and the test suites +* [Bug 3424] Trimble Thunderbolt 1024 week millenium bug + - initial patch by Daniel Pouzzner +* [Bug 3423] QNX adjtime() implementation error checking is + wrong +* [Bug 3417] ntpq ifstats packet counters can be negative + made IFSTATS counter quantities unsigned +* [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 + - raised receive buffer size to 1200 +* [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static + analysis tool. +* [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. +* [Bug 3404] Fix openSSL DLL usage under Windows + - fix/drop assumptions on OpenSSL libs directory layout +* [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation + - initial patch by timeflies@mail2tor.com +* [Bug 3398] tests fail with core dump + - patch contributed by Alexander Bluhm +* [Bug 3397] ctl_putstr() asserts that data fits in its buffer + rework of formatting & data transfer stuff in 'ntp_control.c' + avoids unecessary buffers and size limitations. +* [Bug 3394] Leap second deletion does not work on ntpd clients + - fixed handling of dynamic deletion w/o leap file +* [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size + - increased mimimum stack size to 32kB +* [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 + - reverted handling of PPS kernel consumer to 4.2.6 behavior +* [Bug 3365] Updates driver40(-ja).html and miscopt.html +* [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. +* [Bug 3016] wrong error position reported for bad ":config pool" + - fixed location counter & ntpq output +* [Bug 2900] libntp build order problem. HStenn. +* [Bug 2878] Tests are cluttering up syslog +* [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, + perlinger@ntp.org +* [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. +* [Bug 948] Trustedkey config directive leaks memory. +* Use strlcpy() to copy strings, not memcpy(). HStenn. +* Typos. HStenn. +* test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. +* refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. +* Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org +* Fix trivial warnings from 'make check'. perlinger@ntp.org +* Fix bug in the override portion of the compiler hardening macro. HStenn. +* record_raw_stats(): Log entire packet. Log writes. HStenn. +* AES-128-CMAC support. BInglis, HStenn, JPerlinger. +* sntp: tweak key file logging. HStenn. +* sntp: pkt_output(): Improve debug output. HStenn. +* update-leap: updates from Paul McMath. +* When using pkg-config, report --modversion. HStenn. +* Clean up libevent configure checks. HStenn. +* sntp: show the IP of who sent us a crypto-NAK. HStenn. +* Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. +* authistrustedip() - use it in more places. HStenn, JPerlinger. +* New sysstats: sys_lamport, sys_tsrounding. HStenn. +* Update ntp.keys .../N documentation. HStenn. +* Distribute testconf.yml. HStenn. +* Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. +* Rename the configuration flag fifo variables. HStenn. +* Improve saveconfig output. HStenn. +* Decode restrict flags on receive() debug output. HStenn. +* Decode interface flags on receive() debug output. HStenn. +* Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. +* Update the documentation in ntp.conf.def . HStenn. +* restrictions() must return restrict flags and ippeerlimit. HStenn. +* Update ntpq peer documentation to describe the 'p' type. HStenn. +* Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. +* Provide dump_restricts() for debugging. HStenn. +* Use consistent 4th arg type for [gs]etsockopt. JPerlinger. +* Some tests might need LIBM. HStenn. +* update-leap: Allow -h/--help early. HStenn. + +--- +(4.2.8p10) 2017/03/21 Released by Harlan Stenn * [Sec 3389] NTP-01-016: Denial of Service via Malformed Config (Pentest report 01.2017) Modified: releng/10.3/contrib/ntp/Makefile.am ============================================================================== --- releng/10.3/contrib/ntp/Makefile.am Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/Makefile.am Wed Mar 7 05:58:24 2018 (r330567) @@ -5,10 +5,10 @@ NULL = # moved sntp first to get libtool and libevent built. SUBDIRS = \ - sntp \ scripts \ include \ libntp \ + sntp \ libparse \ ntpd \ ntpdate \ Modified: releng/10.3/contrib/ntp/Makefile.in ============================================================================== --- releng/10.3/contrib/ntp/Makefile.in Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/Makefile.in Wed Mar 7 05:58:24 2018 (r330567) @@ -99,6 +99,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/li $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -523,10 +524,10 @@ NULL = # moved sntp first to get libtool and libevent built. SUBDIRS = \ - sntp \ scripts \ include \ libntp \ + sntp \ libparse \ ntpd \ ntpdate \ Modified: releng/10.3/contrib/ntp/NEWS ============================================================================== --- releng/10.3/contrib/ntp/NEWS Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/NEWS Wed Mar 7 05:58:24 2018 (r330567) @@ -1,4 +1,331 @@ -- +NTP 4.2.8p11 (Harlan Stenn , 2018/02/27) + +NOTE: this NEWS file will be undergoing more revisions. + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + +This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity +vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and +provides 65 other non-security fixes and improvements: + +* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved + association (LOW/MED) + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3454 / CVE-2018-7185 / VU#961909 + Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11. + CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between + 2.9 and 6.8. + CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could + score between 2.6 and 3.1 + Summary: + The NTP Protocol allows for both non-authenticated and + authenticated associations, in client/server, symmetric (peer), + and several broadcast modes. In addition to the basic NTP + operational modes, symmetric mode and broadcast servers can + support an interleaved mode of operation. In ntp-4.2.8p4 a bug + was inadvertently introduced into the protocol engine that + allows a non-authenticated zero-origin (reset) packet to reset + an authenticated interleaved peer association. If an attacker + can send a packet with a zero-origin timestamp and the source + IP address of the "other side" of an interleaved association, + the 'victim' ntpd will reset its association. The attacker must + continue sending these packets in order to maintain the + disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6, + interleave mode could be entered dynamically. As of ntp-4.2.8p7, + interleaved mode must be explicitly configured/enabled. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p11, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page. + If you are unable to upgrade to 4.2.8p11 or later and have + 'peer HOST xleave' lines in your ntp.conf file, remove the + 'xleave' option. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was discovered by Miroslav Lichvar of Red Hat. + +* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad + state (LOW/MED) + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3453 / CVE-2018-7184 / VU#961909 + Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. + CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) + Could score between 2.9 and 6.8. + CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L + Could score between 2.6 and 6.0. + Summary: + The fix for NtpBug2952 was incomplete, and while it fixed one + problem it created another. Specifically, it drops bad packets + before updating the "received" timestamp. This means a + third-party can inject a packet with a zero-origin timestamp, + meaning the sender wants to reset the association, and the + transmit timestamp in this bogus packet will be saved as the + most recent "received" timestamp. The real remote peer does + not know this value and this will disrupt the association until + the association resets. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Use authentication with 'peer' mode. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was discovered by Miroslav Lichvar of Red Hat. + +* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive + peering (LOW) + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3415 / CVE-2018-7170 / VU#961909 + Sec 3012 / CVE-2016-1549 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. + CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) + CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N + Summary: + ntpd can be vulnerable to Sybil attacks. If a system is set up to + use a trustedkey and if one is not using the feature introduced in + ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to + specify which IPs can serve time, a malicious authenticated peer + -- i.e. one where the attacker knows the private symmetric key -- + can create arbitrarily-many ephemeral associations in order to win + the clock selection of ntpd and modify a victim's clock. Three + additional protections are offered in ntp-4.2.8p11. One is the + new 'noepeer' directive, which disables symmetric passive + ephemeral peering. Another is the new 'ippeerlimit' directive, + which limits the number of peers that can be created from an IP. + The third extends the functionality of the 4th field in the + ntp.keys file to include specifying a subnet range. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Use the 'noepeer' directive to prohibit symmetric passive + ephemeral associations. + Use the 'ippeerlimit' directive to limit the number of peers + that can be created from an IP. + Use the 4th argument in the ntp.keys file to limit the IPs and + subnets that can be time servers. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was reported as Bug 3012 by Matthew Van Gundy of + Cisco ASIG, and separately by Stefan Moser as Bug 3415. + +* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium) + Date Resolved: 27 Feb 2018 + References: Sec 3414 / CVE-2018-7183 / VU#961909 + Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11. + CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) + CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L + Summary: + ntpq is a monitoring and control program for ntpd. decodearr() + is an internal function of ntpq that is used to -- wait for it -- + decode an array in a response string when formatted data is being + displayed. This is a problem in affected versions of ntpq if a + maliciously-altered ntpd returns an array result that will trip this + bug, or if a bad actor is able to read an ntpq request on its way to + a remote ntpd server and forge and send a response before the remote + ntpd sends its response. It's potentially possible that the + malicious data could become injectable/executable code. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Credit: + This weakness was discovered by Michael Macnair of Thales e-Security. + +* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined + behavior and information leak (Info/Medium) + Date Resolved: 27 Feb 2018 + References: Sec 3412 / CVE-2018-7182 / VU#961909 + Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11. + CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N + CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + 0.0 if C:N + Summary: + ctl_getitem() is used by ntpd to process incoming mode 6 packets. + A malicious mode 6 packet can be sent to an ntpd instance, and + if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will + cause ctl_getitem() to read past the end of its buffer. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was discovered by Yihan Lian of Qihoo 360. + +* NTP Bug 3012: Sybil vulnerability: ephemeral association attack + Also see Bug 3415, above. + Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3012 / CVE-2016-1549 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. + CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) + CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N + Summary: + ntpd can be vulnerable to Sybil attacks. If a system is set up + to use a trustedkey and if one is not using the feature + introduced in ntp-4.2.8p6 allowing an optional 4th field in the + ntp.keys file to specify which IPs can serve time, a malicious + authenticated peer -- i.e. one where the attacker knows the + private symmetric key -- can create arbitrarily-many ephemeral + associations in order to win the clock selection of ntpd and + modify a victim's clock. Two additional protections are + offered in ntp-4.2.8p11. One is the 'noepeer' directive, which + disables symmetric passive ephemeral peering. The other extends + the functionality of the 4th field in the ntp.keys file to + include specifying a subnet range. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or + the NTP Public Services Project Download Page. + Use the 'noepeer' directive to prohibit symmetric passive + ephemeral associations. + Use the 'ippeerlimit' directive to limit the number of peer + associations from an IP. + Use the 4th argument in the ntp.keys file to limit the IPs + and subnets that can be time servers. + Properly monitor your ntpd instances. + Credit: + This weakness was discovered by Matthew Van Gundy of Cisco ASIG. + +* Bug fixes: + [Bug 3457] OpenSSL FIPS mode regression + [Bug 3455] ntpd doesn't use scope id when binding multicast + - applied patch by Sean Haugh + [Bug 3452] PARSE driver prints uninitialized memory. + [Bug 3450] Dubious error messages from plausibility checks in get_systime() + - removed error log caused by rounding/slew, ensured postcondition + [Bug 3447] AES-128-CMAC (fixes) + - refactoring the MAC code, too + [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org + [Bug 3439] When running multiple commands / hosts in ntpq... + - applied patch by ggarvey + [Bug 3438] Negative values and values > 999 days in... + - applied patch by ggarvey (with minor mods) + [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain + - applied patch (with mods) by Miroslav Lichvar + [Bug 3435] anchor NTP era alignment + [Bug 3433] sntp crashes when run with -a. + [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" + - fixed several issues with hash algos in ntpd, sntp, ntpq, + ntpdc and the test suites + [Bug 3424] Trimble Thunderbolt 1024 week millenium bug + - initial patch by Daniel Pouzzner + [Bug 3423] QNX adjtime() implementation error checking is + wrong + [Bug 3417] ntpq ifstats packet counters can be negative + made IFSTATS counter quantities unsigned + [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 + - raised receive buffer size to 1200 + [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static + analysis tool. + [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. + [Bug 3404] Fix openSSL DLL usage under Windows + - fix/drop assumptions on OpenSSL libs directory layout + [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation + - initial patch by timeflies@mail2tor.com + [Bug 3398] tests fail with core dump + - patch contributed by Alexander Bluhm + [Bug 3397] ctl_putstr() asserts that data fits in its buffer + rework of formatting & data transfer stuff in 'ntp_control.c' + avoids unecessary buffers and size limitations. + [Bug 3394] Leap second deletion does not work on ntpd clients + - fixed handling of dynamic deletion w/o leap file + [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size + - increased mimimum stack size to 32kB + [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 + - reverted handling of PPS kernel consumer to 4.2.6 behavior + [Bug 3365] Updates driver40(-ja).html and miscopt.html + [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. + [Bug 3016] wrong error position reported for bad ":config pool" + - fixed location counter & ntpq output + [Bug 2900] libntp build order problem. HStenn. + [Bug 2878] Tests are cluttering up syslog + [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, + perlinger@ntp.org + [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. + [Bug 948] Trustedkey config directive leaks memory. + Use strlcpy() to copy strings, not memcpy(). HStenn. + Typos. HStenn. + test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. + refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. + Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org + Fix trivial warnings from 'make check'. perlinger@ntp.org + Fix bug in the override portion of the compiler hardening macro. HStenn. + record_raw_stats(): Log entire packet. Log writes. HStenn. + AES-128-CMAC support. BInglis, HStenn, JPerlinger. + sntp: tweak key file logging. HStenn. + sntp: pkt_output(): Improve debug output. HStenn. + update-leap: updates from Paul McMath. + When using pkg-config, report --modversion. HStenn. + Clean up libevent configure checks. HStenn. + sntp: show the IP of who sent us a crypto-NAK. HStenn. + Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. + authistrustedip() - use it in more places. HStenn, JPerlinger. + New sysstats: sys_lamport, sys_tsrounding. HStenn. + Update ntp.keys .../N documentation. HStenn. + Distribute testconf.yml. HStenn. + Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. + Rename the configuration flag fifo variables. HStenn. + Improve saveconfig output. HStenn. + Decode restrict flags on receive() debug output. HStenn. + Decode interface flags on receive() debug output. HStenn. + Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. + Update the documentation in ntp.conf.def . HStenn. + restrictions() must return restrict flags and ippeerlimit. HStenn. + Update ntpq peer documentation to describe the 'p' type. HStenn. + Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. + Provide dump_restricts() for debugging. HStenn. + Use consistent 4th arg type for [gs]etsockopt. JPerlinger. + +* Other items: + +* update-leap needs the following perl modules: + Net::SSLeay + IO::Socket::SSL + +* New sysstats variables: sys_lamport, sys_tsrounding +See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" +sys_lamport counts the number of observed Lamport violations, while +sys_tsrounding counts observed timestamp rounding events. + +* New ntp.conf items: + +- restrict ... noepeer +- restrict ... ippeerlimit N + +The 'noepeer' directive will disallow all ephemeral/passive peer +requests. + +The 'ippeerlimit' directive limits the number of time associations +for each IP in the designated set of addresses. This limit does not +apply to explicitly-configured associations. A value of -1, the current +default, means an unlimited number of associations may connect from a +single IP. 0 means "none", etc. Ordinarily the only way multiple +associations would come from the same IP would be if the remote side +was using a proxy. But a trusted machine might become compromised, +in which case an attacker might spin up multiple authenticated sessions +from different ports. This directive should be helpful in this case. + +* New ntp.keys feature: Each IP in the optional list of IPs in the 4th +field may contain a /subnetbits specification, which identifies the +scope of IPs that may use this key. This IP/subnet restriction can be +used to limit the IPs that may use the key in most all situations where +a key is used. +-- NTP 4.2.8p10 (Harlan Stenn , 2017/03/21) Focus: Security, Bug fixes, enhancements. @@ -960,7 +1287,7 @@ following 9 low- and medium-severity vulnerabilities: Implement BCP-38. Upgrade to 4.2.8p7, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - Properly monitor your =ntpd= instances + Properly monitor your ntpd instances Credit: This weakness was discovered by Stephen Gray and Matthew Van Gundy of Cisco ASIG. @@ -1029,7 +1356,7 @@ following 9 low- and medium-severity vulnerabilities: Implement BCP-38. Upgrade to 4.2.8p7, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - Properly monitor your =ntpd= instances + Properly monitor your ntpd instances Credit: This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360. @@ -1266,7 +1593,7 @@ following 1 low- and 8 medium-severity vulnerabilities Configure 'ntpd' to get time from multiple sources. Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. - Monitor your 'ntpd= instances. + Monitor your 'ntpd' instances. Credit: This weakness was discovered by Matthey Van Gundy and Jonathan Gardner of Cisco ASIG. Modified: releng/10.3/contrib/ntp/aclocal.m4 ============================================================================== --- releng/10.3/contrib/ntp/aclocal.m4 Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/aclocal.m4 Wed Mar 7 05:58:24 2018 (r330567) @@ -1339,6 +1339,7 @@ m4_include([sntp/m4/ltoptions.m4]) m4_include([sntp/m4/ltsugar.m4]) m4_include([sntp/m4/ltversion.m4]) m4_include([sntp/m4/lt~obsolete.m4]) +m4_include([sntp/m4/ntp_af_unspec.m4]) m4_include([sntp/m4/ntp_cacheversion.m4]) m4_include([sntp/m4/ntp_compiler.m4]) m4_include([sntp/m4/ntp_crosscompile.m4]) Modified: releng/10.3/contrib/ntp/adjtimed/Makefile.in ============================================================================== --- releng/10.3/contrib/ntp/adjtimed/Makefile.in Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/adjtimed/Makefile.in Wed Mar 7 05:58:24 2018 (r330567) @@ -108,6 +108,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/li $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -952,7 +953,6 @@ install-exec-hook: # check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a Modified: releng/10.3/contrib/ntp/clockstuff/Makefile.in ============================================================================== --- releng/10.3/contrib/ntp/clockstuff/Makefile.in Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/clockstuff/Makefile.in Wed Mar 7 05:58:24 2018 (r330567) @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/li $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -793,7 +794,6 @@ uninstall-am: check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a Modified: releng/10.3/contrib/ntp/configure ============================================================================== --- releng/10.3/contrib/ntp/configure Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/configure Wed Mar 7 05:58:24 2018 (r330567) @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ntp 4.2.8p10. +# Generated by GNU Autoconf 2.69 for ntp 4.2.8p11. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='ntp' PACKAGE_TARNAME='ntp' -PACKAGE_VERSION='4.2.8p10' -PACKAGE_STRING='ntp 4.2.8p10' +PACKAGE_VERSION='4.2.8p11' +PACKAGE_STRING='ntp 4.2.8p11' PACKAGE_BUGREPORT='http://bugs.ntp.org./' PACKAGE_URL='http://www.ntp.org./' @@ -944,6 +944,7 @@ ac_user_opts=' enable_option_checking enable_silent_rules enable_dependency_tracking +with_hardenfile with_locfile enable_shared enable_static @@ -1613,7 +1614,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ntp 4.2.8p10 to adapt to many kinds of systems. +\`configure' configures ntp 4.2.8p11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1683,7 +1684,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ntp 4.2.8p10:";; + short | recursive ) echo "Configuration of ntp 4.2.8p11:";; esac cat <<\_ACEOF @@ -1699,6 +1700,7 @@ Optional Features and Packages: do not reject slow dependency extractors --disable-dependency-tracking speeds up one-time build + --with-hardenfile=XXX os-specific or "/dev/null" --with-locfile=XXX os-specific or "legacy" --enable-shared[=PKGS] build shared libraries [default=no] --enable-static[=PKGS] build static libraries [default=yes] @@ -1921,7 +1923,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ntp configure 4.2.8p10 +ntp configure 4.2.8p11 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2630,7 +2632,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ntp $as_me 4.2.8p10, which was +It was created by ntp $as_me 4.2.8p11, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3631,7 +3633,7 @@ fi # Define the identity of the package. PACKAGE='ntp' - VERSION='4.2.8p10' + VERSION='4.2.8p11' cat >>confdefs.h <<_ACEOF @@ -6581,11 +6583,11 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu $as_echo_n "checking for compile/link hardening flags... " >&6; } -# Check whether --with-locfile was given. -if test "${with_locfile+set}" = set; then : - withval=$with_locfile; +# Check whether --with-hardenfile was given. +if test "${with_hardenfile+set}" = set; then : + withval=$with_hardenfile; else - with_locfile=no + with_hardenfile=no fi @@ -6593,12 +6595,12 @@ fi ( \ SENTINEL_DIR="$PWD" && \ cd $srcdir/sntp && \ - case "$with_locfile" in \ + case "$with_hardenfile" in \ yes|no|'') \ scripts/genHardFlags -d "$SENTINEL_DIR" \ ;; \ *) \ - scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \ + scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \ ;; \ esac \ ) > genHardFlags.i 2> genHardFlags.err @@ -15937,8 +15939,13 @@ $as_echo_n "checking if libevent $ntp_libevent_min_ver if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent then ntp_use_local_libevent=no - { $as_echo "$as_me:${as_lineno-$LINENO}: Using the installed libevent" >&5 -$as_echo "$as_me: Using the installed libevent" >&6;} + ntp_libevent_version="`$PKG_CONFIG --modversion libevent`" + case "$ntp_libevent_version" in + *.*) ;; + *) ntp_libevent_version='(unknown)' ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_libevent_version" >&5 +$as_echo "yes, version $ntp_libevent_version" >&6; } CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads` CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent` # HMS: I hope the following is accurate. @@ -15966,8 +15973,6 @@ $as_echo "$as_me: Using the installed libevent" >&6;} LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads" esac LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } else ntp_use_local_libevent=yes # HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS @@ -26468,6 +26473,36 @@ fi done + + +# We could do a cv check here, but is it worth it? + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + #ifndef AF_UNSPEC + #include "Bletch: AF_UNSPEC is undefined!" + #endif + #if AF_UNSPEC != 0 + #include "Bletch: AF_UNSPEC != 0" + #endif + +int +main () +{ +{ $as_echo "$as_me:${as_lineno-$LINENO}: AF_UNSPEC is zero, as expected." >&5 +$as_echo "$as_me: AF_UNSPEC is zero, as expected." >&6;} + ; + return 0; +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 $as_echo_n "checking return type of signal handlers... " >&6; } if ${ac_cv_type_signal+:} false; then : @@ -30114,8 +30149,13 @@ $as_echo_n "checking pkg-config for $pkg... " >&6; } VER_SUFFIX=o ntp_openssl=yes ntp_openssl_from_pkg_config=yes - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`" + case "$ntp_openssl_version" in + *.*) ;; + *) ntp_openssl_version='(unknown)' ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_openssl_version" >&5 +$as_echo "yes, version $ntp_openssl_version" >&6; } break fi @@ -33924,7 +33964,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ntp $as_me 4.2.8p10, which was +This file was extended by ntp $as_me 4.2.8p11, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -33991,7 +34031,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ntp config.status 4.2.8p10 +ntp config.status 4.2.8p11 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Modified: releng/10.3/contrib/ntp/configure.ac ============================================================================== --- releng/10.3/contrib/ntp/configure.ac Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/configure.ac Wed Mar 7 05:58:24 2018 (r330567) @@ -528,6 +528,8 @@ AC_CHECK_HEADERS([sys/timex.h], [], [], [ #endif ]) +NTP_AF_UNSPEC + AC_TYPE_SIGNAL AC_TYPE_OFF_T AC_STRUCT_TM dnl defines TM_IN_SYS_TIME used by refclock_parse.c Modified: releng/10.3/contrib/ntp/html/access.html ============================================================================== --- releng/10.3/contrib/ntp/html/access.html Wed Mar 7 05:53:35 2018 (r330566) +++ releng/10.3/contrib/ntp/html/access.html Wed Mar 7 05:58:24 2018 (r330567) @@ -19,7 +19,7 @@ color: #FF0000;

giffrom Pogo, Walt Kelly

The skunk watches for intruders and sprays.

Last update: - 11-Sep-2010 05:53 + 26-Jul-2017 20:10 UTC


Related Links

@@ -32,7 +32,7 @@ color: #FF0000;

The ACL is specified as a list of restrict commands in the following format:

restrict address [mask mask] [flag][...]

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptable, and removed when the association is demobilized.

-

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.

+

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.

An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. Let's assume (not true!) that subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might look like this:

 restrict default nopeer					# deny new associations

Modified: releng/10.3/contrib/ntp/html/accopt.html
==============================================================================
--- releng/10.3/contrib/ntp/html/accopt.html	Wed Mar  7 05:53:35 2018	(r330566)
+++ releng/10.3/contrib/ntp/html/accopt.html	Wed Mar  7 05:58:24 2018	(r330567)
@@ -3,89 +3,185 @@
 
 
 
-Access Control Commands and Options
-
+Access Control Commands and Options 
 
 
 
 
 
Access Control Commands and Options

-giffrom Pogo, Walt Kelly
+giffrom Pogo,
+Walt Kelly
 
The skunk watches for intruders and sprays.

-
Last update:
-  13-Nov-2014  03:00
-  UTC

+
Last update: 7-Jan-2018 23:56 UTC

 

 
Related Links

-
-
+
+
 

 
Commands and Options

-
Unless noted otherwise, further information about these ccommands is on the Access Control Support page.

+
Unless noted otherwise, further information about these ccommands is on
+the Access Control Support page.

 

-  
discard [ average avg ][ minimum min ] [ monitor prob ]

-  
Set the parameters of the rate control facility which protects the server from client abuse. If the limited flag is present in the ACL, packets that violate these limits are discarded. If, in addition, the kod flag is present, a kiss-o'-death packet is returned. See the Rate Management page for further information. The options are:
+  
discard [ average avg ][ minimum min ]
+      [ monitor prob ]

+  
Set the parameters of the rate control facility which protects the
+    server from client abuse. If the limited flag is present in the
+    ACL, packets that violate these limits are discarded. If, in addition,
+    the kod flag is present, a kiss-o'-death packet is
+    returned. See the Rate Management page for
+    further information. The options are:
     

       
average avg

-      
Specify the minimum average interpacket spacing (minimum average headway
-        time) in log2 s with default 3.

+      
Specify the minimum average interpacket spacing (minimum average
+        headway time) in log2 s with default 3.

       
minimum min

-      
Specify the minimum interpacket spacing (guard time) in seconds with default 2.

+      
Specify the minimum interpacket spacing (guard time) in seconds
+	with default 2.

       
monitor

-      
Specify the probability of being recorded for packets that overflow the MRU list size limit set by mru maxmem or mru maxdepth. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.

+      
Specify the probability of being recorded for packets that
+	overflow the MRU list size limit set by mru maxmem
+	or mru maxdepth. This is a performance optimization for
+	servers with aggregate arrivals of 1000 packets per second or
+	more.

     

   

-  
restrict default [flag][...]

-    restrict source [flag][...]

-    restrict address [mask mask] [flag][...]

-  
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0,	mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.

-  
Some flags have the effect to deny service, some  have the effect to enable service and some are  conditioned by other flags. The  flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:

+  
restrict [-4 | -6] default [ippeerlimit num]
+      [flag][...]
  restrict source [ippeerlimit num]
+      [flag][...]
  restrict address [mask mask]
+      [ippeerlimit num] [flag][...]

+  
The address argument expressed in IPv4 or IPv6 numeric
+    address form is the address of a host or network. Alternatively,
+    the address argument can be a valid host DNS
+    name. The mask argument expressed in IPv4 or IPv6
+    numeric address form defaults to all mask bits on, meaning that
+    the address is treated as the address of an individual
+    host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and
+    address :: mask :: for IPv6) is always the first entry in the
+    list. restrict default, with no mask option, modifies both IPv4
+    and IPv6 default entries. restrict source configures a template
+    restriction automatically added at runtime for each association, whether
+    configured, ephemeral, or preemptible, and removed when the association
+    is demobilized.

+  
The optional ippeerlimit takes a numeric argument that
+    indicates how many incoming (at present) peer requests will be permitted
+    for each IP, regardless of whether or not the request comes from an
+    authenticated source.  A value of -1 means "unlimited", which is the
+    current default.  A value of 0 means "none".  Ordinarily one would
+    expect at most 1 of these sessions to exist per IP, however if the
+    remote side is operating thru a proxy there would be one association for
+    each remote peer at that IP.

+  
Some flags have the effect to deny service, some have the effect to
+    enable service and some are conditioned by other flags. The flags are
+    not orthogonal, in that more restrictive flags will often make less
+    restrictive ones redundant. The flags that deny service are classed in
+    two categories, those that restrict time service and those that restrict
+    informational queries and attempts to do run-time reconfiguration of the
+    server. One or more of the following flags may be specified:

   

     

       
flake

-      
Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's flakeway, which once did a similar thing for early Internet testing.

+      
Discard received NTP packets with probability 0.1; that is, on
+	average drop one packet in ten. This is for testing and
+	amusement. The name comes from Bob Braden's flakeway, which
+	once did a similar thing for early Internet testing.

       
ignore

-      
Deny packets of all kinds, including ntpq and ntpdc queries.

+      
Deny packets of all kinds, including ntpq
+	and ntpdc queries.

       
kod

-      
Send a kiss-o'-death (KoD) packet if the limited flag is present and a packet violates the rate limits established by the discard command. KoD packets are themselves rate limited for each source address separately. If the kod flag is used in a restriction which does not have the limited flag, no KoD responses will result.

+      
Send a kiss-o'-death (KoD) packet if the limited flag is
+	present and a packet violates the rate limits established by
+	the discard command. KoD packets are themselves rate
+	limited for each source address separately. If the kod flag
+	is used in a restriction which does not have the limited
+	flag, no KoD responses will result.

       
limited

-      
Deny time service if the packet violates the rate limits established by the discard command. This does not apply to ntpq and ntpdc queries.

+      
Deny time service if the packet violates the rate limits
+	established by the discard command. This does not apply
+	to ntpq and ntpdc queries.

       
lowpriotrap

-      
Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.

+      
Declare traps set by matching hosts to be low priority. The number
+	of traps a server can maintain is limited (the current limit is
+	3). Traps are usually assigned on a first come, first served basis,
+	with later trap requestors being denied service. This flag modifies
+	the assignment algorithm by allowing low priority traps to be
+	overridden by later requests for normal priority traps.

       
mssntp

-      
Enable Microsoft Windows MS-SNTP authentication using Active Directory services. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated  server with no clients other than MS-SNTP.

+      
Enable Microsoft Windows MS-SNTP authentication using Active
+	Directory services. Note: Potential users
+	should be aware that these services involve a TCP connection to
+	another process that could potentially block, denying services to
+	other users. Therefore, this flag should be used only for a
+	dedicated server with no clients other than MS-SNTP.

+      
noepeer

+      
Deny packets that would mobilize an ephemeral peering association,
+	even if authenticated.

       
nomodify

-      
Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.

+      
Deny ntpq and ntpdc queries which attempt to
+	modify the state of the server (i.e., run time
+	reconfiguration). Queries which return information are
+	permitted.

       
noquery

-      
Deny ntpq and ntpdc queries. Time service is not affected.

+      
Deny ntpq and ntpdc queries. Time service is not
+	affected.

       
nopeer

-      
Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. It also includes pool associations, so if you want to use servers from a pool directive and also want to use nopeer by default, you'll want a "restrict source ..." line as well that does not include the nopeer directive.  Note that this flag does not apply to packets that do not attempt to mobilize an association. 

+      
Deny packets that might mobilize an association unless
+	authenticated. This includes broadcast, symmetric-active and
+	manycast server packets when a configured association does not
+	exist. It also includes pool associations, so if you want
+	to use servers from a pool directive and also want to
+	use nopeer by default, you'll want a "restrict source
+	..." line as well that does not include
+	the nopeer directive.  Note that this flag does not apply
+	to packets that do not attempt to mobilize an association. 

       
noserve

-      
Deny all packets except ntpq and ntpdc queries.

+      
Deny all packets except ntpq and ntpdc
+	queries.

       
notrap

-      
Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol which is intended for use by remote event logging programs.

+      
Decline to provide mode 6 control message trap service to matching
+	hosts. The trap service is a subsystem of the ntpdc control
+	message protocol which is intended for use by remote event logging
+	programs.

       
notrust

-      
Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the auth option of the enable and disable commands. If auth is enabled, which is the default, authentication is required for all packets that might mobilize  an association. If auth is disabled, but the notrust flag is not present, an association can be mobilized whether or not authenticated. If auth is disabled, but the notrust flag is present, authentication is required only for the specified address/mask range. 

+      
Deny packets that are not cryptographically authenticated. Note
+	carefully how this flag interacts with the auth option of
+	the enable and disable commands. If auth
+	is enabled, which is the default, authentication is required for all
+	packets that might mobilize an association. If auth is
+	disabled, but the notrust flag is not present, an
+	association can be mobilized whether or not
+	authenticated. If auth is disabled, but
+	the notrust flag is present, authentication is required
+	only for the specified address/mask range. 

       
ntpport

-      
This is actually a match algorithm modifier, rather than a restriction
-        flag. Its presence causes the restriction entry to be matched only if the
-        source port in the packet is the standard NTP UDP port (123). A restrict line
-        containing ntpport is considered more specific than one with the

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@freebsd.org  Wed Mar  7 06:01:46 2018
Return-Path: 
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8E3A2F2EFC0;
 Wed,  7 Mar 2018 06:01:45 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 40A6A7F8A1;
 Wed,  7 Mar 2018 06:01:45 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3B4831D7C0;
 Wed,  7 Mar 2018 06:01:45 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w2761jOI090060;
 Wed, 7 Mar 2018 06:01:45 GMT (envelope-from gordon@FreeBSD.org)
Received: (from gordon@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w2761ivn090051;
 Wed, 7 Mar 2018 06:01:44 GMT (envelope-from gordon@FreeBSD.org)
Message-Id: <201803070601.w2761ivn090051@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gordon set sender to
 gordon@FreeBSD.org using -f
From: Gordon Tetlow 
Date: Wed, 7 Mar 2018 06:01:44 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r330568 - in releng: 10.3/contrib/tzdata
 10.4/contrib/tzdata 11.1/contrib/tzdata
X-SVN-Group: releng
X-SVN-Commit-Author: gordon
X-SVN-Commit-Paths: in releng: 10.3/contrib/tzdata 10.4/contrib/tzdata
 11.1/contrib/tzdata
X-SVN-Commit-Revision: 330568
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: , 
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Wed, 07 Mar 2018 06:01:46 -0000

Author: gordon
Date: Wed Mar  7 06:01:44 2018
New Revision: 330568
URL: https://svnweb.freebsd.org/changeset/base/330568

Log:
  Update timezone database information. [EN-18:01.tzdata]
  
  Approved by:	so
  Security:	FreeBSD-EN-18:01.tzdata

Modified:
  releng/10.3/contrib/tzdata/Makefile
  releng/10.3/contrib/tzdata/NEWS
  releng/10.3/contrib/tzdata/README
  releng/10.3/contrib/tzdata/africa
  releng/10.3/contrib/tzdata/asia
  releng/10.3/contrib/tzdata/australasia
  releng/10.3/contrib/tzdata/backzone
  releng/10.3/contrib/tzdata/europe
  releng/10.3/contrib/tzdata/leap-seconds.list
  releng/10.3/contrib/tzdata/leapseconds
  releng/10.3/contrib/tzdata/northamerica
  releng/10.3/contrib/tzdata/southamerica
  releng/10.3/contrib/tzdata/theory.html
  releng/10.3/contrib/tzdata/version
  releng/10.3/contrib/tzdata/zishrink.awk
  releng/10.3/contrib/tzdata/zone.tab
  releng/10.3/contrib/tzdata/zone1970.tab
  releng/10.4/contrib/tzdata/Makefile
  releng/10.4/contrib/tzdata/NEWS
  releng/10.4/contrib/tzdata/README
  releng/10.4/contrib/tzdata/africa
  releng/10.4/contrib/tzdata/asia
  releng/10.4/contrib/tzdata/australasia
  releng/10.4/contrib/tzdata/backzone
  releng/10.4/contrib/tzdata/europe
  releng/10.4/contrib/tzdata/leap-seconds.list
  releng/10.4/contrib/tzdata/leapseconds
  releng/10.4/contrib/tzdata/northamerica
  releng/10.4/contrib/tzdata/southamerica
  releng/10.4/contrib/tzdata/theory.html
  releng/10.4/contrib/tzdata/version
  releng/10.4/contrib/tzdata/zishrink.awk
  releng/10.4/contrib/tzdata/zone.tab
  releng/10.4/contrib/tzdata/zone1970.tab
  releng/11.1/contrib/tzdata/Makefile
  releng/11.1/contrib/tzdata/NEWS
  releng/11.1/contrib/tzdata/README
  releng/11.1/contrib/tzdata/africa
  releng/11.1/contrib/tzdata/asia
  releng/11.1/contrib/tzdata/australasia
  releng/11.1/contrib/tzdata/backzone
  releng/11.1/contrib/tzdata/europe
  releng/11.1/contrib/tzdata/leap-seconds.list
  releng/11.1/contrib/tzdata/leapseconds
  releng/11.1/contrib/tzdata/northamerica
  releng/11.1/contrib/tzdata/southamerica
  releng/11.1/contrib/tzdata/theory.html
  releng/11.1/contrib/tzdata/version
  releng/11.1/contrib/tzdata/zishrink.awk
  releng/11.1/contrib/tzdata/zone.tab
  releng/11.1/contrib/tzdata/zone1970.tab

Modified: releng/10.3/contrib/tzdata/Makefile
==============================================================================
--- releng/10.3/contrib/tzdata/Makefile	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/Makefile	Wed Mar  7 06:01:44 2018	(r330568)
@@ -42,37 +42,64 @@ POSIXRULES=	America/New_York
 # Also see TZDEFRULESTRING below, which takes effect only
 # if the time zone files cannot be accessed.
 
-# Everything gets put in subdirectories of. . .
 
-TOPDIR=		/usr/local
+# Installation locations.
+#
+# The defaults are suitable for Debian, except that if REDO is
+# posix_right or right_posix then files that Debian puts under
+# /usr/share/zoneinfo/posix and /usr/share/zoneinfo/right are instead
+# put under /usr/share/zoneinfo-posix and /usr/share/zoneinfo-leaps,
+# respectively.  Problems with the Debian approach are discussed in
+# the commentary for the right_posix rule (below).
 
+# Destination directory, which can be used for staging.
+# 'make DESTDIR=/stage install' installs under /stage (e.g., to
+# /stage/etc/localtime instead of to /etc/localtime).  Files under
+# /stage are not intended to work as-is, but can be copied by hand to
+# the root directory later.  If DESTDIR is empty, 'make install' does
+# not stage, but installs directly into production locations.
+DESTDIR =
+
+# Everything is installed into subdirectories of TOPDIR, and used there.
+# TOPDIR should be empty (meaning the root directory),
+# or a directory name that does not end in "/".
+# TOPDIR should be empty or an absolute name unless you're just testing.
+TOPDIR =
+
+# The default local time zone is taken from the file TZDEFAULT.
+TZDEFAULT = $(TOPDIR)/etc/localtime
+
+# The subdirectory containing installed program and data files, and
+# likewise for installed files that can be shared among architectures.
+# These should be relative file names.
+USRDIR = usr
+USRSHAREDIR = $(USRDIR)/share
+
 # "Compiled" time zone information is placed in the "TZDIR" directory
 # (and subdirectories).
-# Use an absolute path name for TZDIR unless you're just testing the software.
 # TZDIR_BASENAME should not contain "/" and should not be ".", ".." or empty.
-
 TZDIR_BASENAME=	zoneinfo
-TZDIR=		$(TOPDIR)/etc/$(TZDIR_BASENAME)
+TZDIR = $(TOPDIR)/$(USRSHAREDIR)/$(TZDIR_BASENAME)
 
-# Types to try, as an alternative to time_t.  int64_t should be first.
-TIME_T_ALTERNATIVES= int64_t int32_t uint32_t uint64_t
+# The "tzselect" and (if you do "make INSTALL") "date" commands go in:
+BINDIR = $(TOPDIR)/$(USRDIR)/bin
 
-# The "tzselect", "zic", and "zdump" commands get installed in. . .
+# The "zdump" command goes in:
+ZDUMPDIR = $(BINDIR)
 
-ETCDIR=		$(TOPDIR)/etc
+# The "zic" command goes in:
+ZICDIR = $(TOPDIR)/$(USRDIR)/sbin
 
-# If you "make INSTALL", the "date" command gets installed in. . .
-
-BINDIR=		$(TOPDIR)/bin
-
 # Manual pages go in subdirectories of. . .
+MANDIR = $(TOPDIR)/$(USRSHAREDIR)/man
 
-MANDIR=		$(TOPDIR)/man
-
 # Library functions are put in an archive in LIBDIR.
+LIBDIR = $(TOPDIR)/$(USRDIR)/lib
 
-LIBDIR=		$(TOPDIR)/lib
 
+# Types to try, as an alternative to time_t.  int64_t should be first.
+TIME_T_ALTERNATIVES = int64_t int32_t uint32_t uint64_t
+
 # If you want only POSIX time, with time values interpreted as
 # seconds since the epoch (not counting leap seconds), use
 #	REDO=		posix_only
@@ -105,11 +132,14 @@ REDO=		posix_right
 TZDATA_TEXT=	leapseconds tzdata.zi
 
 # For backward-compatibility links for old zone names, use
+#	BACKWARD=	backward
+# If you also want the link US/Pacific-New, even though it is confusing
+# and is planned to be removed from the database eventually, use
 #	BACKWARD=	backward pacificnew
 # To omit these links, use
 #	BACKWARD=
 
-BACKWARD=	backward pacificnew
+BACKWARD=	backward
 
 # If you want out-of-scope and often-wrong data from the file 'backzone', use
 #	PACKRATDATA=	backzone
@@ -313,7 +343,7 @@ ZFLAGS=
 
 # How to use zic to install tz binary files.
 
-ZIC_INSTALL=	$(ZIC) -d $(DESTDIR)$(TZDIR) $(LEAPSECONDS)
+ZIC_INSTALL=	$(ZIC) -d '$(DESTDIR)$(TZDIR)' $(LEAPSECONDS)
 
 # The name of a Posix-compliant 'awk' on your system.
 AWK=		awk
@@ -341,8 +371,8 @@ SGML_CATALOG_FILES= \
 VALIDATE = nsgmls
 VALIDATE_FLAGS = -s -B -wall -wno-unused-param
 VALIDATE_ENV = \
-  SGML_CATALOG_FILES=$(SGML_CATALOG_FILES) \
-  SGML_SEARCH_PATH=$(SGML_SEARCH_PATH) \
+  SGML_CATALOG_FILES='$(SGML_CATALOG_FILES)' \
+  SGML_SEARCH_PATH='$(SGML_SEARCH_PATH)' \
   SP_CHARSET_FIXED=YES \
   SP_ENCODING=UTF-8
 
@@ -396,7 +426,7 @@ GZIPFLAGS=	-9n
 #MAKE=		make
 
 cc=		cc
-CC=		$(cc) -DTZDIR=\"$(TZDIR)\"
+CC=		$(cc) -DTZDIR='"$(TZDIR)"'
 
 AR=		ar
 
@@ -421,18 +451,19 @@ MANTXTS=	newctime.3.txt newstrftime.3.txt newtzset.3.t
 			date.1.txt
 COMMON=		calendars CONTRIBUTING LICENSE Makefile \
 			NEWS README theory.html version
-WEB_PAGES=	tz-art.htm tz-how-to.html tz-link.htm
+WEB_PAGES=	tz-art.html tz-how-to.html tz-link.html
 DOCS=		$(MANS) date.1 $(MANTXTS) $(WEB_PAGES)
 PRIMARY_YDATA=	africa antarctica asia australasia \
 		europe northamerica southamerica
-YDATA=		$(PRIMARY_YDATA) etcetera $(BACKWARD)
+YDATA=		$(PRIMARY_YDATA) etcetera
 NDATA=		systemv factory
-TDATA=		$(YDATA) $(NDATA)
+TDATA_TO_CHECK=	$(YDATA) $(NDATA) backward pacificnew
+TDATA=		$(YDATA) $(NDATA) $(BACKWARD)
 ZONETABLES=	zone1970.tab zone.tab
 TABDATA=	iso3166.tab $(TZDATA_TEXT) $(ZONETABLES)
 LEAP_DEPS=	leapseconds.awk leap-seconds.list
-TZDATA_ZI_DEPS=	zishrink.awk $(TDATA) $(PACKRATDATA)
-DATA=		$(YDATA) $(NDATA) backzone iso3166.tab leap-seconds.list \
+TZDATA_ZI_DEPS=	zishrink.awk version $(TDATA) $(PACKRATDATA)
+DATA=		$(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \
 			leapseconds yearistype.sh $(ZONETABLES)
 AWK_SCRIPTS=	checklinks.awk checktab.awk leapseconds.awk zishrink.awk
 MISC=		$(AWK_SCRIPTS) zoneinfo2tdf.pl
@@ -457,7 +488,7 @@ VERSION_DEPS= \
 		newctime.3 newstrftime.3 newtzset.3 northamerica \
 		pacificnew private.h \
 		southamerica strftime.c systemv theory.html \
-		time2posix.3 tz-art.htm tz-how-to.html tz-link.htm \
+		time2posix.3 tz-art.html tz-how-to.html tz-link.html \
 		tzfile.5 tzfile.h tzselect.8 tzselect.ksh \
 		workman.sh yearistype.sh \
 		zdump.8 zdump.c zic.8 zic.c \
@@ -473,35 +504,41 @@ all:		tzselect yearistype zic zdump libtz.a $(TABDATA)
 ALL:		all date $(ENCHILADA)
 
 install:	all $(DATA) $(REDO) $(MANS)
-		mkdir -p $(DESTDIR)$(ETCDIR) $(DESTDIR)$(TZDIR) \
-			$(DESTDIR)$(LIBDIR) \
-			$(DESTDIR)$(MANDIR)/man3 $(DESTDIR)$(MANDIR)/man5 \
-			$(DESTDIR)$(MANDIR)/man8
-		$(ZIC_INSTALL) -l $(LOCALTIME) -p $(POSIXRULES)
-		cp -f $(TABDATA) $(DESTDIR)$(TZDIR)/.
-		cp tzselect zic zdump $(DESTDIR)$(ETCDIR)/.
-		cp libtz.a $(DESTDIR)$(LIBDIR)/.
-		$(RANLIB) $(DESTDIR)$(LIBDIR)/libtz.a
-		cp -f newctime.3 newtzset.3 $(DESTDIR)$(MANDIR)/man3/.
-		cp -f tzfile.5 $(DESTDIR)$(MANDIR)/man5/.
-		cp -f tzselect.8 zdump.8 zic.8 $(DESTDIR)$(MANDIR)/man8/.
+		mkdir -p '$(DESTDIR)$(BINDIR)' \
+			'$(DESTDIR)$(ZDUMPDIR)' '$(DESTDIR)$(ZICDIR)' \
+			'$(DESTDIR)$(LIBDIR)' \
+			'$(DESTDIR)$(MANDIR)/man3' '$(DESTDIR)$(MANDIR)/man5' \
+			'$(DESTDIR)$(MANDIR)/man8'
+		$(ZIC_INSTALL) -l $(LOCALTIME) -p $(POSIXRULES) \
+			-t '$(DESTDIR)$(TZDEFAULT)'
+		cp -f $(TABDATA) '$(DESTDIR)$(TZDIR)/.'
+		cp tzselect '$(DESTDIR)$(BINDIR)/.'
+		cp zdump '$(DESTDIR)$(ZDUMPDIR)/.'
+		cp zic '$(DESTDIR)$(ZICDIR)/.'
+		cp libtz.a '$(DESTDIR)$(LIBDIR)/.'
+		$(RANLIB) '$(DESTDIR)$(LIBDIR)/libtz.a'
+		cp -f newctime.3 newtzset.3 '$(DESTDIR)$(MANDIR)/man3/.'
+		cp -f tzfile.5 '$(DESTDIR)$(MANDIR)/man5/.'
+		cp -f tzselect.8 zdump.8 zic.8 '$(DESTDIR)$(MANDIR)/man8/.'
 
 INSTALL:	ALL install date.1
-		mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man1
-		cp date $(DESTDIR)$(BINDIR)/.
-		cp -f date.1 $(DESTDIR)$(MANDIR)/man1/.
+		mkdir -p '$(DESTDIR)$(BINDIR)' '$(DESTDIR)$(MANDIR)/man1'
+		cp date '$(DESTDIR)$(BINDIR)/.'
+		cp -f date.1 '$(DESTDIR)$(MANDIR)/man1/.'
 
 version:	$(VERSION_DEPS)
 		{ (type git) >/dev/null 2>&1 && \
 		  V=`git describe --match '[0-9][0-9][0-9][0-9][a-z]*' \
 				--abbrev=7 --dirty` || \
-		  V=$(VERSION); } && \
+		  V='$(VERSION)'; } && \
 		printf '%s\n' "$$V" >$@.out
 		mv $@.out $@
 
 # This file can be tailored by setting BACKWARD, PACKRATDATA, etc.
 tzdata.zi:	$(TZDATA_ZI_DEPS)
-		LC_ALL=C $(AWK) -f zishrink.awk $(TDATA) $(PACKRATDATA) >$@.out
+		version=`sed 1q version` && \
+		  LC_ALL=C $(AWK) -v version="$$version" -f zishrink.awk \
+		    $(TDATA) $(PACKRATDATA) >$@.out
 		mv $@.out $@
 
 version.h:	version
@@ -529,12 +566,13 @@ leapseconds:	$(LEAP_DEPS)
 # Arguments to pass to submakes of install_data.
 # They can be overridden by later submake arguments.
 INSTALLARGS = \
- BACKWARD=$(BACKWARD) \
- DESTDIR=$(DESTDIR) \
+ BACKWARD='$(BACKWARD)' \
+ DESTDIR='$(DESTDIR)' \
  LEAPSECONDS='$(LEAPSECONDS)' \
  PACKRATDATA='$(PACKRATDATA)' \
- TZDIR=$(TZDIR) \
- YEARISTYPE=$(YEARISTYPE) \
+ TZDEFAULT='$(TZDEFAULT)' \
+ TZDIR='$(TZDIR)' \
+ YEARISTYPE='$(YEARISTYPE)' \
  ZIC='$(ZIC)'
 
 # 'make install_data' installs one set of tz binary files.
@@ -558,16 +596,16 @@ right_only:
 # You must replace all of $(TZDIR) to switch from not using leap seconds
 # to using them, or vice versa.
 right_posix:	right_only
-		rm -fr $(DESTDIR)$(TZDIR)-leaps
-		ln -s $(TZDIR_BASENAME) $(DESTDIR)$(TZDIR)-leaps || \
-		  $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-leaps right_only
-		$(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-posix posix_only
+		rm -fr '$(DESTDIR)$(TZDIR)-leaps'
+		ln -s '$(TZDIR_BASENAME)' '$(DESTDIR)$(TZDIR)-leaps' || \
+		  $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-leaps' right_only
+		$(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-posix' posix_only
 
 posix_right:	posix_only
-		rm -fr $(DESTDIR)$(TZDIR)-posix
-		ln -s $(TZDIR_BASENAME) $(DESTDIR)$(TZDIR)-posix || \
-		  $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-posix posix_only
-		$(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-leaps right_only
+		rm -fr '$(DESTDIR)$(TZDIR)-posix'
+		ln -s '$(TZDIR_BASENAME)' '$(DESTDIR)$(TZDIR)-posix' || \
+		  $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-posix' posix_only
+		$(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-leaps' right_only
 
 # This obsolescent rule is present for backwards compatibility with
 # tz releases 2014g through 2015g.  It should go away eventually.
@@ -633,7 +671,7 @@ check_character_set: $(ENCHILADA)
 			$(MISC) $(SOURCES) $(WEB_PAGES) \
 			CONTRIBUTING LICENSE Makefile README \
 			version tzdata.zi && \
-		! grep -Env $(SAFE_SHARP_LINE) $(TDATA) backzone \
+		! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \
 			leapseconds yearistype.sh zone.tab && \
 		! grep -Env $(OK_LINE) $(ENCHILADA); \
 	}
@@ -641,14 +679,16 @@ check_character_set: $(ENCHILADA)
 check_white_space: $(ENCHILADA)
 		patfmt=' \t|[\f\r\v]' && pat=`printf "$$patfmt\\n"` && \
 		! grep -En "$$pat" $(ENCHILADA)
-		! grep -n '[[:space:]]$$' $(ENCHILADA)
+		! grep -n '[[:space:]]$$' \
+			$$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list)
 
 PRECEDES_FILE_NAME = ^(Zone|Link[[:space:]]+[^[:space:]]+)[[:space:]]+
 FILE_NAME_COMPONENT_TOO_LONG = \
   $(PRECEDES_FILE_NAME)[^[:space:]]*[^/[:space:]]{15}
 
-check_name_lengths: $(TDATA) backzone
-		! grep -En '$(FILE_NAME_COMPONENT_TOO_LONG)' $(TDATA) backzone
+check_name_lengths: $(TDATA_TO_CHECK) backzone
+		! grep -En '$(FILE_NAME_COMPONENT_TOO_LONG)' \
+			$(TDATA_TO_CHECK) backzone
 
 CHECK_CC_LIST = { n = split($$1,a,/,/); for (i=2; i<=n; i++) print a[1], a[i]; }
 
@@ -662,8 +702,8 @@ check_sorted: backward backzone iso3166.tab zone.tab z
 		$(AWK) '/^[^#]/ $(CHECK_CC_LIST)' zone1970.tab | \
 		  LC_ALL=C sort -cu
 
-check_links:	checklinks.awk $(TDATA)
-		$(AWK) -f checklinks.awk $(TDATA)
+check_links:	checklinks.awk $(TDATA_TO_CHECK)
+		$(AWK) -f checklinks.awk $(TDATA_TO_CHECK)
 		$(AWK) -f checklinks.awk tzdata.zi
 
 check_tables:	checktab.awk $(PRIMARY_YDATA) $(ZONETABLES)
@@ -764,12 +804,12 @@ set-timestamps.out: $(ENCHILADA)
 
 check_public:
 		$(MAKE) maintainer-clean
-		$(MAKE) "CFLAGS=$(GCC_DEBUG_FLAGS)" ALL
+		$(MAKE) CFLAGS='$(GCC_DEBUG_FLAGS)' ALL
 		mkdir -p public.dir
-		for i in $(TDATA) tzdata.zi; do \
+		for i in $(TDATA_TO_CHECK) tzdata.zi; do \
 		  $(zic) -v -d public.dir $$i 2>&1 || exit; \
 		done
-		$(zic) -v -d public.dir $(TDATA)
+		$(zic) -v -d public.dir $(TDATA_TO_CHECK)
 		rm -fr public.dir
 
 # Check that the code works under various alternative
@@ -790,8 +830,11 @@ check_time_t_alternatives:
 		    REDO='$(REDO)' \
 		    install && \
 		  diff $$quiet_option -r \
-		    time_t.dir/int64_t/etc/zoneinfo \
-		    time_t.dir/$$type/etc/zoneinfo && \
+		    time_t.dir/int64_t/etc \
+		    time_t.dir/$$type/etc && \
+		  diff $$quiet_option -r \
+		    time_t.dir/int64_t/usr/share \
+		    time_t.dir/$$type/usr/share && \
 		  case $$type in \
 		  int32_t) range=-2147483648,2147483647;; \
 		  uint32_t) range=0,4294967296;; \
@@ -800,9 +843,9 @@ check_time_t_alternatives:
 		  *) range=-10000000000,10000000000;; \
 		  esac && \
 		  echo checking $$type zones ... && \
-		  time_t.dir/int64_t/etc/zdump -V -t $$range $$zones \
+		  time_t.dir/int64_t/usr/bin/zdump -V -t $$range $$zones \
 		      >time_t.dir/int64_t.out && \
-		  time_t.dir/$$type/etc/zdump -V -t $$range $$zones \
+		  time_t.dir/$$type/usr/bin/zdump -V -t $$range $$zones \
 		      >time_t.dir/$$type.out && \
 		  diff -u time_t.dir/int64_t.out time_t.dir/$$type.out \
 		    || exit; \

Modified: releng/10.3/contrib/tzdata/NEWS
==============================================================================
--- releng/10.3/contrib/tzdata/NEWS	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/NEWS	Wed Mar  7 06:01:44 2018	(r330568)
@@ -1,5 +1,147 @@
 News for the tz database
 
+Release 2018c - 2018-01-22 23:00:44 -0800
+
+  Briefly:
+  Revert Irish changes that relied on negative DST offsets.
+
+  Changes to tm_isdst
+
+    Revert the 2018a change to Europe/Dublin.  As before, this change
+    does not affect UT offsets or abbreviations; it affects only
+    whether timestamps are considered to be standard time or
+    daylight-saving time, as expressed in the tm_isdst flag of C's
+    struct tm type.  This reversion is intended to be a temporary
+    workaround for problems discovered with downstream uses of
+    releases 2018a and 2018b, which implemented Irish time by using
+    negative DST offsets in the Eire rules of the 'europe' file.
+    Although negative DST offsets have been part of tzcode for many
+    years and are supported by many platforms, they were not
+    documented before 2018a and ICU and OpenJDK do not currently
+    support them.  A mechanism to export data to platforms lacking
+    support for negative DST is planned to be developed before the
+    change is reapplied.  (Problems reported by Deborah Goldsmith and
+    Stephen Colebourne.)
+
+  Changes to past time stamps
+
+    Japanese DST transitions (1948-1951) were Sundays at 00:00, not
+    Saturdays or Sundays at 02:00.  (Thanks to Takayuki Nikai.)
+
+  Changes to build procedure
+
+    The build procedure now works around mawk 1.3.3's lack of support
+    for character class expressions.  (Problem reported by Ohyama.)
+
+
+Release 2018b - 2018-01-17 23:24:48 -0800
+
+  Briefly:
+  Fix a packaging problem in tz2018a, which was missing 'pacificnew'.
+
+  Changes to build procedure
+
+    The distribution now contains the file 'pacificnew' again.
+    This file was inadvertantly omitted in the 2018a distribution.
+    (Problem reported by Matias Fonzo.)
+
+
+Release 2018a - 2018-01-12 22:29:21 -0800
+
+  Briefly:
+  São Tomé and Príncipe switched from +00 to +01.
+  Brazil's DST will now start on November's first Sunday.
+  Ireland's standard time is now in the summer, not the winter.
+  Use Debian-style installation locations, instead of 4.3BSD-style.
+  New zic option -t.
+
+  Changes to past and future time stamps
+
+    São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at
+    01:00.  (Thanks to Steffen Thorsen and Michael Deckers.)
+
+  Changes to future time stamps
+
+    Starting in 2018 southern Brazil will begin DST on November's
+    first Sunday instead of October's third Sunday.  (Thanks to
+    Steffen Thorsen.)
+
+  Changes to past time stamps
+
+    A discrepancy of 4 s in timestamps before 1931 in South Sudan has
+    been corrected.  The 'backzone' and 'zone.tab' files did not agree
+    with the 'africa' and 'zone1970.tab' files.  (Problem reported by
+    Michael Deckers.)
+
+    The abbreviation invented for Bolivia Summer Time (1931-2) is now
+    BST instead of BOST, to be more consistent with the convention
+    used for Latvian Summer Time (1918-9) and for British Summer Time.
+
+  Changes to tm_isdst
+
+    Change Europe/Dublin so that it observes Irish Standard Time (UT
+    +01) in summer and GMT (as negative daylight-saving) in winter,
+    instead of observing standard time (GMT) in winter and Irish
+    Summer Time (UT +01) in summer.  This change does not affect UT
+    offsets or abbreviations; it affects only whether timestamps are
+    considered to be standard time or daylight-saving time, as
+    expressed in the tm_isdst flag of C's struct tm type.
+    (Discrepancy noted by Derick Rethans.)
+
+  Changes to build procedure
+
+    The default installation locations have been changed to mostly
+    match Debian circa 2017, instead of being designed as an add-on to
+    4.3BSD circa 1986.  This affects the Makefile macros TOPDIR,
+    TZDIR, MANDIR, and LIBDIR.  New Makefile macros TZDEFAULT, USRDIR,
+    USRSHAREDIR, BINDIR, ZDUMPDIR, and ZICDIR let installers tailor
+    locations more precisely.  (This responds to suggestions from
+    Brian Inglis and from Steve Summit.)
+
+    The default installation procedure no longer creates the
+    backward-compatibility link US/Pacific-New, which causes
+    confusion during user setup (e.g., see Debian bug 815200).
+    Use 'make BACKWARD="backward pacificnew"' to create the link
+    anyway, for now.  Eventually we plan to remove the link entirely.
+
+    tzdata.zi now contains a version-number comment.
+    (Suggested by Tom Lane.)
+
+    The Makefile now quotes values like BACKWARD more carefully when
+    passing them to the shell.  (Problem reported by Zefram.)
+
+    Builders no longer need to specify -DHAVE_SNPRINTF on platforms
+    that have snprintf and use pre-C99 compilers.  (Problem reported
+    by Jon Skeet.)
+
+  Changes to code
+
+    zic has a new option -t FILE that specifies the location of the
+    file that determines local time when TZ is unset.  The default for
+    this location can be configured via the new TZDEFAULT makefile
+    macro, which defaults to /etc/localtime.
+
+    Diagnostics and commentary now distinguish UT from UTC more
+    carefully; see theory.html for more information about UT vs UTC.
+
+    zic has been ported to GCC 8's -Wstringop-truncation option.
+    (Problem reported by Martin Sebor.)
+
+  Changes to documentation and commentary
+
+    The zic man page now documents the longstanding behavior that
+    times and years can be out of the usual range, with negative times
+    counting backwards from midnight and with year 0 preceding year 1.
+    (Problem reported by Michael Deckers.)
+
+    The theory.html file now mentions the POSIX limit of six chars
+    per abbreviation, and lists alphabetic abbreviations used.
+
+    The files tz-art.htm and tz-link.htm have been renamed to
+    tz-art.html and tz-link.html, respectively, for consistency with
+    other file names and to simplify web server configuration.
+
+
 Release 2017c - 2017-10-20 14:49:34 -0700
 
   Briefly:
@@ -895,8 +1037,8 @@ Release 2015f - 2015-08-10 18:06:56 -0700
     (Thanks to Jon Skeet and Arthur David Olson.)  Constraints on
     simultaneity are now documented.
 
-    The two characters '%z' in a zone format now stand for the UTC
-    offset, e.g., '-07' for seven hours behind UTC and '+0530' for
+    The two characters '%z' in a zone format now stand for the UT
+    offset, e.g., '-07' for seven hours behind UT and '+0530' for
     five hours and thirty minutes ahead.  This better supports time
     zone abbreviations conforming to POSIX.1-2001 and later.
 
@@ -1019,13 +1161,13 @@ Release 2015c - 2015-04-11 08:55:55 -0700
       The spring 1988 transition was 1988-10-09, not 1988-10-02.
       The fall 1990 transition was 1990-03-11, not 1990-03-18.
 
-      Assume no UTC offset change for Pacific/Easter on 1890-01-01,
+      Assume no UT offset change for Pacific/Easter on 1890-01-01,
       and omit all transitions on Pacific/Easter from 1942 through 1946
       since we have no data suggesting that they existed.
 
     One more zone has been turned into a link, as it differed
     from an existing zone only for older time stamps.  As usual,
-    this change affects UTC offsets in pre-1970 time stamps only.
+    this change affects UT offsets in pre-1970 time stamps only.
     The zone's old contents have been moved to the 'backzone' file.
     The affected zone is America/Montreal.
 
@@ -1055,7 +1197,7 @@ Release 2015b - 2015-03-19 23:28:11 -0700
 
     Some more zones have been turned into links, when they differed
     from existing zones only for older time stamps.  As usual,
-    these changes affect UTC offsets in pre-1970 time stamps only.
+    these changes affect UT offsets in pre-1970 time stamps only.
     Their old contents have been moved to the 'backzone' file.
     The affected zones are: America/Antigua, America/Cayman,
     Pacific/Midway, and Pacific/Saipan.
@@ -1107,7 +1249,7 @@ Release 2015a - 2015-01-29 22:35:20 -0800
 
     Some more zones have been turned into links, when they differed
     from existing zones only for older time stamps.  As usual,
-    these changes affect UTC offsets in pre-1970 time stamps only.
+    these changes affect UT offsets in pre-1970 time stamps only.
     Their old contents have been moved to the 'backzone' file.
     The affected zones are: Asia/Aden, Asia/Bahrain, Asia/Kuwait,
     and Asia/Muscat.
@@ -1154,7 +1296,7 @@ Release 2014j - 2014-11-10 17:37:11 -0800
 
     Some more zones have been turned into links, when they differed
     from existing zones only for older time stamps.  As usual,
-    these changes affect UTC offsets in pre-1970 time stamps only.
+    these changes affect UT offsets in pre-1970 time stamps only.
     Their old contents have been moved to the 'backzone' file.
     The affected zones are: Africa/Addis_Ababa, Africa/Asmara,
     Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Kampala,
@@ -1244,7 +1386,7 @@ Release 2014h - 2014-09-25 18:59:03 -0700
 
     Some more zones have been turned into links, when they differed
     from existing zones only for older timestamps.  As usual,
-    these changes affect UTC offsets in pre-1970 timestamps only.
+    these changes affect UT offsets in pre-1970 timestamps only.
     Their old contents have been moved to the 'backzone' file.
     The affected zones are: Africa/Blantyre, Africa/Bujumbura,
     Africa/Gaborone, Africa/Harare, Africa/Kigali, Africa/Lubumbashi,
@@ -1329,7 +1471,7 @@ Release 2014g - 2014-08-28 12:31:23 -0700
 
     Some more zones have been turned into links, when they differed
     from existing zones only for older timestamps.  As usual,
-    these changes affect UTC offsets in pre-1970 timestamps only.
+    these changes affect UT offsets in pre-1970 timestamps only.
     Their old contents have been moved to the 'backzone' file.
     The affected zones are: Africa/Bangui, Africa/Brazzaville,
     Africa/Douala, Africa/Kinshasa, Africa/Libreville, Africa/Luanda,
@@ -1479,7 +1621,7 @@ Release 2014f - 2014-08-05 17:42:36 -0700
     standard and daylight saving time the abbreviations are AEST and AEDT
     instead of the former EST for both; similarly, ACST/ACDT, ACWST/ACWDT,
     and AWST/AWDT are now used instead of the former CST, CWST, and WST.
-    This change does not affect UTC offsets, only time zone abbreviations.
+    This change does not affect UT offsets, only time zone abbreviations.
     (Thanks to Rich Tibbett and many others.)
 
     Asia/Novokuznetsk shifts from NOVT to KRAT (remaining on UT +07)
@@ -1516,8 +1658,8 @@ Release 2014f - 2014-08-05 17:42:36 -0700
     Treindl sent helpful translations of two papers by Guo Qingsheng.)
 
     Some zones have been turned into links, when they differed from existing
-    zones only for older UTC offsets where data entries were likely invented.
-    These changes affect UTC offsets in pre-1970 timestamps only.  This is
+    zones only for older UT offsets where data entries were likely invented.
+    These changes affect UT offsets in pre-1970 timestamps only.  This is
     similar to the change in release 2013e, except this time for western
     Africa.  The affected zones are: Africa/Bamako, Africa/Banjul,
     Africa/Conakry, Africa/Dakar, Africa/Freetown, Africa/Lome,

Modified: releng/10.3/contrib/tzdata/README
==============================================================================
--- releng/10.3/contrib/tzdata/README	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/README	Wed Mar  7 06:01:44 2018	(r330568)
@@ -11,14 +11,14 @@ changes made by political bodies to time zone boundari
 and daylight-saving rules.
 
 See  or the
-file tz-link.htm for how to acquire the code and data.  Once acquired,
+file tz-link.html for how to acquire the code and data.  Once acquired,
 read the comments in the file 'Makefile' and make any changes needed
 to make things right for your system, especially if you are using some
 platform other than GNU/Linux.  Then run the following commands,
 substituting your desired installation directory for "$HOME/tzdir":
 
 	make TOPDIR=$HOME/tzdir install
-	$HOME/tzdir/etc/zdump -v America/Los_Angeles
+	$HOME/tzdir/usr/bin/zdump -v America/Los_Angeles
 
 Historical local time information has been included here to:
 

Modified: releng/10.3/contrib/tzdata/africa
==============================================================================
--- releng/10.3/contrib/tzdata/africa	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/africa	Wed Mar  7 06:01:44 2018	(r330568)
@@ -158,7 +158,6 @@ Link Africa/Abidjan Africa/Freetown	# Sierra Leone
 Link Africa/Abidjan Africa/Lome		# Togo
 Link Africa/Abidjan Africa/Nouakchott	# Mauritania
 Link Africa/Abidjan Africa/Ouagadougou	# Burkina Faso
-Link Africa/Abidjan Africa/Sao_Tome	# São Tomé and Príncipe
 Link Africa/Abidjan Atlantic/St_Helena	# St Helena
 
 # Djibouti
@@ -425,7 +424,7 @@ Link Africa/Nairobi Indian/Mayotte
 #
 # The Nautical Almanac for the Year 1970, p 264, is the source for -0:44:30.
 #
-# In 1972 Liberia was the last country to switch from a UTC offset
+# In 1972 Liberia was the last country to switch from a UT offset
 # that was not a multiple of 15 or 20 minutes.  The 1972 change was on
 # 1972-01-07, according to an entry dated 1972-01-04 on p 330 of:
 # Presidential Papers: First year of the administration of
@@ -1037,6 +1036,19 @@ Zone	Indian/Reunion	3:41:52 -	LMT	1911 Jun # Saint-Den
 #	Inaccessible, Nightingale: uninhabited
 
 # São Tomé and Príncipe
+
+# From Steffen Thorsen (2018-01-08):
+# Multiple sources tell that São Tomé changed from UTC to UTC+1 as
+# they entered the year 2018.
+# From Michael Deckers (2018-01-08):
+# the switch is from 01:00 to 02:00 ... [Decree No. 25/2017]
+# http://www.mnec.gov.st/index.php/publicacoes/documentos/file/90-decreto-lei-n-25-2017
+
+Zone	Africa/Sao_Tome	 0:26:56 -	LMT	1884
+			-0:36:45 -	LMT	1912 # Lisbon Mean Time
+			 0:00	-	GMT	2018 Jan  1 01:00
+			 1:00	-	WAT
+
 # Senegal
 # See Africa/Abidjan.
 

Modified: releng/10.3/contrib/tzdata/asia
==============================================================================
--- releng/10.3/contrib/tzdata/asia	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/asia	Wed Mar  7 06:01:44 2018	(r330568)
@@ -50,7 +50,7 @@
 #	9:00 KST  KDT	Korea when at +09
 #	9:30 ACST	Australian Central Standard Time
 # Otherwise, these tables typically use numeric abbreviations like +03
-# and +0330 for integer hour and minute UTC offsets.  Although earlier
+# and +0330 for integer hour and minute UT offsets.  Although earlier
 # editions invented alphabetic time zone abbreviations for every
 # offset, this did not reflect common practice.
 #
@@ -647,17 +647,17 @@ Zone	Asia/Hong_Kong	7:36:42 -	LMT	1904 Oct 30
 # time", in which abolished the adoption of Western Standard Time in
 # western islands (listed above), which means the whole Japan
 # territory, including later occupations, adopt Japan Central Time
-# (UTC+9). The adoption began on Oct 1, 1937. The original text can
+# (UT+9). The adoption began on Oct 1, 1937. The original text can
 # be found on Wikisource:
 # https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
 #
-# That is, the time zone of Taipei switched to UTC+9 on Oct 1, 1937.
+# That is, the time zone of Taipei switched to UT+9 on Oct 1, 1937.
 
 # From Yu-Cheng Chuang (2014-07-02):
-# I've found more evidence about when the time zone was switched from UTC+9
-# back to UTC+8 after WW2.  I believe it was on Sep 21, 1945.  In a document
+# I've found more evidence about when the time zone was switched from UT+9
+# back to UT+8 after WW2.  I believe it was on Sep 21, 1945.  In a document
 # during Japanese era [1] in which the officer told the staff to change time
-# zone back to Western Standard Time (UTC+8) on Sep 21.  And in another
+# zone back to Western Standard Time (UT+8) on Sep 21.  And in another
 # history page of National Cheng Kung University [2], on Sep 21 there is a
 # note "from today, switch back to Western Standard Time".  From these two
 # materials, I believe that the time zone change happened on Sep 21.  And
@@ -1464,17 +1464,17 @@ Zone	Asia/Jerusalem	2:20:54 -	LMT	1880
 # of the Japanese wanted to scrap daylight-saving time, as opposed to 30% who
 # wanted to keep it.)
 
-# From Paul Eggert (2006-03-22):
-# Shanks & Pottenger write that DST in Japan during those years was as follows:
+# From Takayuki Nikai (2018-01-19):
+# The source of information is Japanese law.
+# http://www.shugiin.go.jp/internet/itdb_housei.nsf/html/houritsu/00219480428029.htm
+# http://www.shugiin.go.jp/internet/itdb_housei.nsf/html/houritsu/00719500331039.htm
+# ... In summary, it is written as follows.  From 24:00 on the first Saturday
+# in May, until 0:00 on the day after the second Saturday in September.
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Japan	1948	only	-	May	Sun>=1	2:00	1:00	D
-Rule	Japan	1948	1951	-	Sep	Sat>=8	2:00	0	S
-Rule	Japan	1949	only	-	Apr	Sun>=1	2:00	1:00	D
-Rule	Japan	1950	1951	-	May	Sun>=1	2:00	1:00	D
-# but the only locations using it (for birth certificates, presumably, since
-# their audience is astrologers) were US military bases.  For now, assume
-# that for most purposes daylight-saving time was observed; otherwise, what
-# would have been the point of the 1951 poll?
+Rule	Japan	1948	only	-	May	Sat>=1	24:00	1:00	D
+Rule	Japan	1948	1951	-	Sep	Sun>=9	 0:00	0	S
+Rule	Japan	1949	only	-	Apr	Sat>=1	24:00	1:00	D
+Rule	Japan	1950	1951	-	May	Sat>=1	24:00	1:00	D
 
 # From Hideyuki Suzuki (1998-11-09):
 # 'Tokyo' usually stands for the former location of Tokyo Astronomical
@@ -1505,7 +1505,7 @@ Rule	Japan	1950	1951	-	May	Sun>=1	2:00	1:00	D
 #
 # ...the Showa Emperor announced Ordinance No. 529 of Showa Year 12 ... which
 # means the whole Japan territory, including later occupations, adopt Japan
-# Central Time (UTC+9). The adoption began on Oct 1, 1937.
+# Central Time (UT+9). The adoption began on Oct 1, 1937.
 # https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -2066,8 +2066,8 @@ Zone Asia/Kuching	7:21:20	-	LMT	1926 Mar
 
 # Maldives
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Indian/Maldives	4:54:00 -	LMT	1880 # Male
-			4:54:00	-	MMT	1960 # Male Mean Time
+Zone	Indian/Maldives	4:54:00 -	LMT	1880 # Malé
+			4:54:00	-	MMT	1960 # Malé Mean Time
 			5:00	-	+05
 
 # Mongolia

Modified: releng/10.3/contrib/tzdata/australasia
==============================================================================
--- releng/10.3/contrib/tzdata/australasia	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/australasia	Wed Mar  7 06:01:44 2018	(r330568)
@@ -683,8 +683,8 @@ Zone Pacific/Guadalcanal 10:39:48 -	LMT	1912 Oct # Hon
 # From Steffen Thorsen (2012-07-25)
 # ... we double checked by calling hotels and offices based in Tokelau asking
 # about the time there, and they all told a time that agrees with UTC+13....
-# Shanks says UTC-10 from 1901 [but] ... there is a good chance the change
-# actually was to UTC-11 back then.
+# Shanks says UT-10 from 1901 [but] ... there is a good chance the change
+# actually was to UT-11 back then.
 #
 # From Paul Eggert (2012-07-25)
 # A Google Books snippet of Appendix to the Journals of the House of
@@ -1450,7 +1450,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #
 # From Paul Eggert (2006-03-22):
 # The Department of Internal Affairs (DIA) maintains a brief history,
-# as does Carol Squires; see tz-link.htm for the full references.
+# as does Carol Squires; see tz-link.html for the full references.
 # Use these sources in preference to Shanks & Pottenger.
 #
 # For Chatham, IATA SSIM (1991/1999) gives the NZ rules but with

Modified: releng/10.3/contrib/tzdata/backzone
==============================================================================
--- releng/10.3/contrib/tzdata/backzone	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/backzone	Wed Mar  7 06:01:44 2018	(r330568)
@@ -145,11 +145,6 @@ Zone	Africa/Gaborone	1:43:40 -	LMT	1885
 Zone	Africa/Harare	2:04:12 -	LMT	1903 Mar
 			2:00	-	CAT
 
-# South Sudan
-Zone	Africa/Juba	2:06:24 -	LMT	1931
-			2:00	Sudan	CA%sT	2000 Jan 15 12:00
-			3:00	-	EAT
-
 # Uganda
 Zone	Africa/Kampala	2:09:40 -	LMT	1928 Jul
 			3:00	-	EAT	1930
@@ -241,11 +236,6 @@ Zone Africa/Ouagadougou	-0:06:04 -	LMT	1912
 Zone Africa/Porto-Novo	0:10:28	-	LMT	1912 Jan  1
 			0:00	-	GMT	1934 Feb 26
 			1:00	-	WAT
-
-# São Tomé and Príncipe
-Zone	Africa/Sao_Tome	 0:26:56 -	LMT	1884
-			-0:36:32 -	LMT	1912 # Lisbon Mean Time
-			 0:00	-	GMT
 
 # Mali (northern)
 Zone	Africa/Timbuktu	-0:12:04 -	LMT	1912

Modified: releng/10.3/contrib/tzdata/europe
==============================================================================
--- releng/10.3/contrib/tzdata/europe	Wed Mar  7 05:58:24 2018	(r330567)
+++ releng/10.3/contrib/tzdata/europe	Wed Mar  7 06:01:44 2018	(r330568)
@@ -68,14 +68,15 @@
 #        0:00       WET  WEST WEMT  Western Europe
 #        0:19:32.13 AMT* NST*       Amsterdam, Netherlands Summer (1835-1937)
 #        1:00       BST             British Standard (1968-1971)
+#        1:00       IST  GMT        Irish Standard (1968-) with winter DST
 #        1:00       CET  CEST CEMT  Central Europe
 #        1:00:14    SET             Swedish (1879-1899)
 #        1:36:34    RMT* LST*       Riga, Latvian Summer (1880-1926)*
 #        2:00       EET  EEST       Eastern Europe
 #        3:00       MSK  MSD  MDST* Moscow
 
-# From Peter Ilieve (1994-12-04),
-# The original six [EU members]: Belgium, France, (West) Germany, Italy,
+# From Peter Ilieve (1994-12-04), re EEC/EC/EU members:
+# The original six: Belgium, France, (West) Germany, Italy,
 # Luxembourg, the Netherlands.
 # Plus, from 1 Jan 73: Denmark, Ireland, United Kingdom.
 # Plus, from 1 Jan 81: Greece.
@@ -278,16 +279,31 @@
 # The following claim by Shanks & Pottenger is possible though doubtful;
 # we'll ignore it for now.
 #     * Dublin's 1971-10-31 switch was at 02:00, even though London's was 03:00.
+
+# From Paul Eggert (2017-12-04):
 #
+# Dunsink Observatory (8 km NW of Dublin's center) was to Dublin as
+# Greenwich was to London.  For example:
 #
-# Whitman says Dublin Mean Time was -0:25:21, which is more precise than
-# Shanks & Pottenger.
-# Perhaps this was Dunsink Observatory Time, as Dunsink Observatory
-# (8 km NW of Dublin's center) seemingly was to Dublin as Greenwich was
-# to London.  For example:
-#
 #   "Timeball on the ballast office is down.  Dunsink time."
 #   -- James Joyce, Ulysses
+#
+# The abbreviation DMT stood for "Dublin Mean Time" or "Dunsink Mean Time";
+# this being Ireland, opinions differed.
+#
+# Whitman says Dublin/Dunsink Mean Time was UT-00:25:21, which agrees
+# with measurements of recent visitors to the Meridian Room of Dunsink
+# Observatory; see Malone D. Dunsink and timekeeping. 2016-01-24.
+# .  Malone
+# writes that the Nautical Almanac listed UT-00:25:22 until 1896, when
+# it moved to UT-00:25:21.1 (I confirmed that the 1893 edition used
+# the former and the 1896 edition used the latter).  Evidently the
+# news of this change propagated slowly, as Milne 1899 still lists
+# UT-00:25:22 and cites the International Telegraph Bureau.  As it is
+# not clear that there was any practical significance to the change
+# from UT-00:25:22 to UT-00:25:21.1 in civil timekeeping, omit this
+# transition for now and just use the latter value, omitting its
+# fraction since our format cannot represent fractions.
 
 # "Countess Markievicz ... claimed that the [1916] abolition of Dublin Mean Time
 # was among various actions undertaken by the 'English' government that
@@ -347,12 +363,28 @@
 # regulations. I spoke this morning with the Secretary of the Department of
 # Justice (tel +353 1 678 9711) who confirmed to me that the correct name is
 # "Irish Summer Time", abbreviated to "IST".
+#
+# From Paul Eggert (2017-12-07):
+# The 1996 anonymous contributor's goal was to determine the correct
+# abbreviation for summer time in Dublin and so the contributor
+# focused on the "IST", not on the "Irish Summer Time".  Though the
+# "IST" was correct, the "Irish Summer Time" appears to have been an
+# error, as Ireland's Standard Time (Amendment) Act, 1971 states that
+# standard time in Ireland remains at UT +01 and is observed in
+# summer, and that Greenwich mean time is observed in winter.  (Thanks
+# to Derick Rethans for pointing out the error.)  That is, when
+# Ireland amended the 1968 act that established UT +01 as Irish
+# Standard Time, it left standard time unchanged and established GMT
+# as a negative daylight saving time in winter.  So, in this database
+# IST stands for Irish Summer Time for timestamps before 1968, and for
+# Irish Standard Time after that.  See:
+# http://www.irishstatutebook.ie/eli/1971/act/17/enacted/en/print
 
 # Michael Deckers (2017-06-01) gave the following URLs for Ireland's
 # Summer Time Act, 1925 and Summer Time Orders, 1926 and 1947:
-# http://www.irishstatutebook.ie/eli/1925/act/8/enacted/en/print.html
-# http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print.html
-# http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print.html
+# http://www.irishstatutebook.ie/eli/1925/act/8/enacted/en/print
+# http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print
+# http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 # Summer Time Act, 1916
@@ -476,9 +508,23 @@ Link	Europe/London	Europe/Jersey
 Link	Europe/London	Europe/Guernsey
 Link	Europe/London	Europe/Isle_of_Man
 
+# From Paul Eggert (2018-01-19):
+# The following is like GB-Eire and EU, except with standard time in
+# summer and negative daylight saving time in winter.
+# Although currently commented out, this will need to become uncommented
+# once the ICU/OpenJDK workaround is removed; see below.
+# Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
+#Rule	Eire	1971	only	-	Oct	31	 2:00u	-1:00	GMT
+#Rule	Eire	1972	1980	-	Mar	Sun>=16	 2:00u	0	IST
+#Rule	Eire	1972	1980	-	Oct	Sun>=23	 2:00u	-1:00	GMT
+#Rule	Eire	1981	max	-	Mar	lastSun	 1:00u	0	IST
+#Rule	Eire	1981	1989	-	Oct	Sun>=23	 1:00u	-1:00	GMT
+#Rule	Eire	1990	1995	-	Oct	Sun>=22	 1:00u	-1:00	GMT
+#Rule	Eire	1996	max	-	Oct	lastSun	 1:00u	-1:00	GMT
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Dublin	-0:25:00 -	LMT	1880 Aug  2
-			-0:25:21 -	DMT	1916 May 21  2:00s # Dublin MT
+			-0:25:21 -	DMT	1916 May 21  2:00s
 			-0:25:21 1:00	IST	1916 Oct  1  2:00s
 			 0:00	GB-Eire	%s	1921 Dec  6 # independence
 			 0:00	GB-Eire	GMT/IST	1940 Feb 25  2:00s
@@ -487,16 +533,33 @@ Zone	Europe/Dublin	-0:25:00 -	LMT	1880 Aug  2
 			 0:00	1:00	IST	1947 Nov  2  2:00s
 			 0:00	-	GMT	1948 Apr 18  2:00s
 			 0:00	GB-Eire	GMT/IST	1968 Oct 27
+# From Paul Eggert (2018-01-18):
+# The next line should look like this:
+#			 1:00	Eire	IST/GMT
+# However, in January 2018 we discovered that the Eire rules cause
+# problems with tests for ICU:
+# https://mm.icann.org/pipermail/tz/2018-January/025825.html
+# and with tests for OpenJDK:
+# https://mm.icann.org/pipermail/tz/2018-January/025822.html
+# To work around this problem, use a traditional approximation for
+# time stamps after 1971-10-31 02:00 UTC, to give ICU and OpenJDK
+# developers breathing room to fix bugs.  This approximation has
+# correct UTC offsets, but results in tm_isdst flags are the reverse
+# of what they should be.  This workaround is temporary and should be
+# removed reasonably soon.
 			 1:00	-	IST	1971 Oct 31  2:00u
 			 0:00	GB-Eire	GMT/IST	1996
 			 0:00	EU	GMT/IST
+# End of workaround for ICU and OpenJDK bugs.
 
+
 ###############################################################################
 
 # Europe
 
-# EU rules are for the European Union, previously known as the EC, EEC,
-# Common Market, etc.
+# The following rules are for the European Union and for its
+# predecessor organization, the European Communities.
+# For brevity they are called "EU rules" elsewhere in this file.
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	EU	1977	1980	-	Apr	Sun>=1	 1:00u	1:00	S
@@ -929,7 +992,7 @@ Zone	Europe/Prague	0:57:44 -	LMT	1850
 # The page http://www.retsinfo.dk/_GETDOCI_/ACCN/A18930008330-REGL
 # confirms this, and states that the law was put forth 1893-03-29.
 #
-# The EU treaty with effect from 1973:
+# The EU [actually, EEC and Euratom] treaty with effect from 1973:
 # http://www.retsinfo.dk/_GETDOCI_/ACCN/A19722110030-REGL
 #
 # This provoked a new law from 1974 to make possible summer time changes
@@ -985,9 +1048,10 @@ Zone Atlantic/Faroe	-0:27:04 -	LMT	1908 Jan 11 # Tórs
 # East Greenland and Franz Josef Land, but we don't know their time zones.
 # My source for this is Wilhelm Dege's book mentioned under Svalbard.
 #
-# From Paul Eggert (2006-03-22):
-# Greenland joined the EU as part of Denmark, obtained home rule on 1979-05-01,
-# and left the EU on 1985-02-01.  It therefore should have been using EU
+# From Paul Eggert (2017-12-10):
+# Greenland joined the European Communities as part of Denmark,
+# obtained home rule on 1979-05-01, and left the European Communities
+# on 1985-02-01.  It therefore should have been using EU
 # rules at least through 1984.  Shanks & Pottenger say Scoresbysund and Godthåb
 # used C-Eur rules after 1980, but IATA SSIM (1991/1996) says they use EU
 # rules since at least 1991.  Assume EU rules since 1980.
@@ -1301,7 +1365,7 @@ Zone	Europe/Paris	0:09:21 -	LMT	1891 Mar 15  0:01
 # From Markus Kuhn (1998-09-29):
 # The German time zone web site by the Physikalisch-Technische
 # Bundesanstalt contains DST information back to 1916.
-# [See tz-link.htm for the URL.]
+# [See tz-link.html for the URL.]
 
 # From Jörg Schilling (2002-10-23):
 # In 1945, Berlin was switched to Moscow Summer time (GMT+4) by
@@ -1398,7 +1462,7 @@ Zone	Europe/Athens	1:34:52 -	LMT	1895 Sep 14
 			1:00	Greece	CE%sT	1944 Apr  4
 			2:00	Greece	EE%sT	1981
 			# Shanks & Pottenger say it switched to C-Eur in 1981;
-			# go with EU instead, since Greece joined it on Jan 1.
+			# go with EU rules instead, since Greece joined Jan 1.
 			2:00	EU	EE%sT
 
 # Hungary
@@ -2097,7 +2161,7 @@ Zone	Europe/Warsaw	1:24:00 -	LMT	1880
 # IATA SSIM (1991/1992) reports that the Azores were at -1:00.
 # IATA SSIM (1993-02) says +0:00; later issues (through 1996-09) say -1:00.
 # Guess that the Azores changed to EU rules in 1992 (since that's when Portugal
-# harmonized with the EU), and that they stayed +0:00 that winter.
+# harmonized with EU rules), and that they stayed +0:00 that winter.
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 # DSH writes that despite Decree 1,469 (1915), the change to the clocks was not
@@ -2772,9 +2836,9 @@ Zone Asia/Omsk		 4:53:30 -	LMT	1919 Nov 14
 #
 # https://regnum.ru/news/society/1957270.html
 # has some historical data for Altai Krai:
-# before 1957: west part on UTC+6, east on UTC+7
-# after 1957: UTC+7
-# since 1995: UTC+6
+# before 1957: west part on UT+6, east on UT+7
+# after 1957: UT+7
+# since 1995: UT+6
 # http://barnaul.rusplt.ru/index/pochemu_altajskij_kraj_okazalsja_v_neprivychnom_chasovom_pojase-17648.html
 # confirms that and provides more details including 1995-05-28 transition date.
 
@@ -3581,6 +3645,17 @@ Zone	Europe/Zurich	0:34:08 -	LMT	1853 Jul 16 # See abo
 # From Paul Eggert (2016-09-07):
 # The change is permanent, so this is the new standard time in Turkey.
 # It takes effect today, which is not much notice.
+
+# From Kıvanç Yazan (2017-10-28):
+# Turkey will go back to Daylight Saving Time starting 2018-10.
+# http://www.resmigazete.gov.tr/eskiler/2017/10/20171028-5.pdf
+#
+# From Even Scharning (2017-11-08):

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@freebsd.org  Wed Mar  7 06:04:27 2018
Return-Path: 
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 10726F2F1B3;
 Wed,  7 Mar 2018 06:04:27 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id AFA837FBF0;
 Wed,  7 Mar 2018 06:04:26 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 907121D8F0;
 Wed,  7 Mar 2018 06:04:26 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w2764Qpc093266;
 Wed, 7 Mar 2018 06:04:26 GMT (envelope-from gordon@FreeBSD.org)
Received: (from gordon@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w2764Pr2093260;
 Wed, 7 Mar 2018 06:04:25 GMT (envelope-from gordon@FreeBSD.org)
Message-Id: <201803070604.w2764Pr2093260@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gordon set sender to
 gordon@FreeBSD.org using -f
From: Gordon Tetlow 
Date: Wed, 7 Mar 2018 06:04:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r330569 - in releng: 10.3/contrib/file
 10.3/contrib/file/doc 10.3/contrib/file/magic 10.3/contrib/file/magic/Magdir
 10.3/contrib/file/python 10.3/contrib/file/src 10.3/contrib/file/test...
X-SVN-Group: releng
X-SVN-Commit-Author: gordon
X-SVN-Commit-Paths: in releng: 10.3/contrib/file 10.3/contrib/file/doc
 10.3/contrib/file/magic 10.3/contrib/file/magic/Magdir
 10.3/contrib/file/python 10.3/contrib/file/src 10.3/contrib/file/tests
 10.3/lib/libmagic 10.4/...
X-SVN-Commit-Revision: 330569
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: , 
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Wed, 07 Mar 2018 06:04:27 -0000

Author: gordon
Date: Wed Mar  7 06:04:25 2018
New Revision: 330569
URL: https://svnweb.freebsd.org/changeset/base/330569

Log:
  Update file(1) to new version with security update. [EN-18:02.file]
  
  Approved by:	so
  Security:	FreeBSD-EN-18:02.file
  Security:	CVE-2017-1000249

Added:
  releng/10.3/contrib/file/magic/Magdir/algol68
  releng/10.3/contrib/file/magic/Magdir/apache
  releng/10.3/contrib/file/magic/Magdir/application
  releng/10.3/contrib/file/magic/Magdir/apt
  releng/10.3/contrib/file/magic/Magdir/ber
  releng/10.3/contrib/file/magic/Magdir/bhl
  releng/10.3/contrib/file/magic/Magdir/bioinformatics
  releng/10.3/contrib/file/magic/Magdir/coff
  releng/10.3/contrib/file/magic/Magdir/coverage
  releng/10.3/contrib/file/magic/Magdir/der
  releng/10.3/contrib/file/magic/Magdir/finger
  releng/10.3/contrib/file/magic/Magdir/flif
  releng/10.3/contrib/file/magic/Magdir/gconv
  releng/10.3/contrib/file/magic/Magdir/gpu
  releng/10.3/contrib/file/magic/Magdir/microfocus
  releng/10.3/contrib/file/magic/Magdir/pc88
  releng/10.3/contrib/file/magic/Magdir/pc98
  releng/10.3/contrib/file/magic/Magdir/polyml
  releng/10.3/contrib/file/magic/Magdir/psl
  releng/10.3/contrib/file/magic/Magdir/vacuum-cleaner
  releng/10.3/contrib/file/magic/Magdir/webassembly
  releng/10.3/contrib/file/magic/Magdir/x68000
  releng/10.3/contrib/file/magic/Magdir/yara
  releng/10.3/contrib/file/src/der.c
  releng/10.3/contrib/file/src/der.h
  releng/10.3/contrib/file/src/dprintf.c
  releng/10.3/contrib/file/tests/hddrawcopytool.result
  releng/10.4/contrib/file/magic/Magdir/apache
  releng/10.4/contrib/file/magic/Magdir/bhl
  releng/10.4/contrib/file/magic/Magdir/gconv
  releng/10.4/contrib/file/magic/Magdir/gpu
  releng/10.4/contrib/file/magic/Magdir/webassembly
  releng/10.4/contrib/file/magic/Magdir/yara
  releng/10.4/contrib/file/tests/hddrawcopytool.result
  releng/11.1/contrib/file/magic/Magdir/apache
  releng/11.1/contrib/file/magic/Magdir/bhl
  releng/11.1/contrib/file/magic/Magdir/gconv
  releng/11.1/contrib/file/magic/Magdir/gpu
  releng/11.1/contrib/file/magic/Magdir/webassembly
  releng/11.1/contrib/file/magic/Magdir/yara
  releng/11.1/contrib/file/tests/hddrawcopytool.result
Deleted:
  releng/10.3/contrib/file/python/README
  releng/10.3/contrib/file/src/magic.h
Modified:
  releng/10.3/contrib/file/ChangeLog
  releng/10.3/contrib/file/README
  releng/10.3/contrib/file/TODO
  releng/10.3/contrib/file/aclocal.m4
  releng/10.3/contrib/file/config.guess
  releng/10.3/contrib/file/config.h.in
  releng/10.3/contrib/file/config.sub
  releng/10.3/contrib/file/configure
  releng/10.3/contrib/file/configure.ac
  releng/10.3/contrib/file/doc/file.man
  releng/10.3/contrib/file/doc/libmagic.man
  releng/10.3/contrib/file/doc/magic.man
  releng/10.3/contrib/file/ltmain.sh
  releng/10.3/contrib/file/magic/Localstuff
  releng/10.3/contrib/file/magic/Magdir/adventure
  releng/10.3/contrib/file/magic/Magdir/amanda
  releng/10.3/contrib/file/magic/Magdir/amigaos
  releng/10.3/contrib/file/magic/Magdir/android
  releng/10.3/contrib/file/magic/Magdir/animation
  releng/10.3/contrib/file/magic/Magdir/apple
  releng/10.3/contrib/file/magic/Magdir/archive
  releng/10.3/contrib/file/magic/Magdir/att3b
  releng/10.3/contrib/file/magic/Magdir/audio
  releng/10.3/contrib/file/magic/Magdir/blackberry
  releng/10.3/contrib/file/magic/Magdir/blender
  releng/10.3/contrib/file/magic/Magdir/c-lang
  releng/10.3/contrib/file/magic/Magdir/cad
  releng/10.3/contrib/file/magic/Magdir/cafebabe
  releng/10.3/contrib/file/magic/Magdir/claris
  releng/10.3/contrib/file/magic/Magdir/clipper
  releng/10.3/contrib/file/magic/Magdir/commands
  releng/10.3/contrib/file/magic/Magdir/compress
  releng/10.3/contrib/file/magic/Magdir/console
  releng/10.3/contrib/file/magic/Magdir/cups
  releng/10.3/contrib/file/magic/Magdir/database
  releng/10.3/contrib/file/magic/Magdir/diff
  releng/10.3/contrib/file/magic/Magdir/dolby
  releng/10.3/contrib/file/magic/Magdir/dump
  releng/10.3/contrib/file/magic/Magdir/dyadic
  releng/10.3/contrib/file/magic/Magdir/editors
  releng/10.3/contrib/file/magic/Magdir/elf
  releng/10.3/contrib/file/magic/Magdir/filesystems
  releng/10.3/contrib/file/magic/Magdir/flash
  releng/10.3/contrib/file/magic/Magdir/fonts
  releng/10.3/contrib/file/magic/Magdir/fortran
  releng/10.3/contrib/file/magic/Magdir/fsav
  releng/10.3/contrib/file/magic/Magdir/games
  releng/10.3/contrib/file/magic/Magdir/gcc
  releng/10.3/contrib/file/magic/Magdir/geo
  releng/10.3/contrib/file/magic/Magdir/gnu
  releng/10.3/contrib/file/magic/Magdir/gpt
  releng/10.3/contrib/file/magic/Magdir/gringotts
  releng/10.3/contrib/file/magic/Magdir/hitachi-sh
  releng/10.3/contrib/file/magic/Magdir/ibm370
  releng/10.3/contrib/file/magic/Magdir/ibm6000
  releng/10.3/contrib/file/magic/Magdir/icc
  releng/10.3/contrib/file/magic/Magdir/images
  releng/10.3/contrib/file/magic/Magdir/intel
  releng/10.3/contrib/file/magic/Magdir/isz
  releng/10.3/contrib/file/magic/Magdir/java
  releng/10.3/contrib/file/magic/Magdir/jpeg
  releng/10.3/contrib/file/magic/Magdir/kerberos
  releng/10.3/contrib/file/magic/Magdir/kml
  releng/10.3/contrib/file/magic/Magdir/linux
  releng/10.3/contrib/file/magic/Magdir/lisp
  releng/10.3/contrib/file/magic/Magdir/m4
  releng/10.3/contrib/file/magic/Magdir/mach
  releng/10.3/contrib/file/magic/Magdir/macintosh
  releng/10.3/contrib/file/magic/Magdir/make
  releng/10.3/contrib/file/magic/Magdir/maple
  releng/10.3/contrib/file/magic/Magdir/marc21
  releng/10.3/contrib/file/magic/Magdir/mathematica
  releng/10.3/contrib/file/magic/Magdir/metastore
  releng/10.3/contrib/file/magic/Magdir/meteorological
  releng/10.3/contrib/file/magic/Magdir/mime
  releng/10.3/contrib/file/magic/Magdir/misctools
  releng/10.3/contrib/file/magic/Magdir/modem
  releng/10.3/contrib/file/magic/Magdir/mozilla
  releng/10.3/contrib/file/magic/Magdir/msdos
  releng/10.3/contrib/file/magic/Magdir/msvc
  releng/10.3/contrib/file/magic/Magdir/msx
  releng/10.3/contrib/file/magic/Magdir/mup
  releng/10.3/contrib/file/magic/Magdir/nasa
  releng/10.3/contrib/file/magic/Magdir/netbsd
  releng/10.3/contrib/file/magic/Magdir/netscape
  releng/10.3/contrib/file/magic/Magdir/nitpicker
  releng/10.3/contrib/file/magic/Magdir/os2
  releng/10.3/contrib/file/magic/Magdir/os9
  releng/10.3/contrib/file/magic/Magdir/pbf
  releng/10.3/contrib/file/magic/Magdir/pdf
  releng/10.3/contrib/file/magic/Magdir/pdp
  releng/10.3/contrib/file/magic/Magdir/perl
  releng/10.3/contrib/file/magic/Magdir/pgf
  releng/10.3/contrib/file/magic/Magdir/pgp
  releng/10.3/contrib/file/magic/Magdir/printer
  releng/10.3/contrib/file/magic/Magdir/project
  releng/10.3/contrib/file/magic/Magdir/psdbms
  releng/10.3/contrib/file/magic/Magdir/python
  releng/10.3/contrib/file/magic/Magdir/riff
  releng/10.3/contrib/file/magic/Magdir/ruby
  releng/10.3/contrib/file/magic/Magdir/sccs
  releng/10.3/contrib/file/magic/Magdir/scientific
  releng/10.3/contrib/file/magic/Magdir/sendmail
  releng/10.3/contrib/file/magic/Magdir/sequent
  releng/10.3/contrib/file/magic/Magdir/sgml
  releng/10.3/contrib/file/magic/Magdir/sharc
  releng/10.3/contrib/file/magic/Magdir/sinclair
  releng/10.3/contrib/file/magic/Magdir/sketch
  releng/10.3/contrib/file/magic/Magdir/sql
  releng/10.3/contrib/file/magic/Magdir/ssl
  releng/10.3/contrib/file/magic/Magdir/sysex
  releng/10.3/contrib/file/magic/Magdir/terminfo
  releng/10.3/contrib/file/magic/Magdir/vms
  releng/10.3/contrib/file/magic/Magdir/vmware
  releng/10.3/contrib/file/magic/Magdir/vorbis
  releng/10.3/contrib/file/magic/Magdir/windows
  releng/10.3/contrib/file/magic/Magdir/wordprocessors
  releng/10.3/contrib/file/magic/Magdir/xenix
  releng/10.3/contrib/file/magic/Magdir/xilinx
  releng/10.3/contrib/file/magic/Magdir/xwindows
  releng/10.3/contrib/file/magic/Makefile.am
  releng/10.3/contrib/file/magic/Makefile.in
  releng/10.3/contrib/file/python/magic.py
  releng/10.3/contrib/file/python/setup.py
  releng/10.3/contrib/file/src/Makefile.am
  releng/10.3/contrib/file/src/Makefile.in
  releng/10.3/contrib/file/src/apprentice.c
  releng/10.3/contrib/file/src/ascmagic.c
  releng/10.3/contrib/file/src/cdf.c
  releng/10.3/contrib/file/src/cdf.h
  releng/10.3/contrib/file/src/cdf_time.c
  releng/10.3/contrib/file/src/compress.c
  releng/10.3/contrib/file/src/file.c
  releng/10.3/contrib/file/src/file.h
  releng/10.3/contrib/file/src/file_opts.h
  releng/10.3/contrib/file/src/fmtcheck.c
  releng/10.3/contrib/file/src/fsmagic.c
  releng/10.3/contrib/file/src/funcs.c
  releng/10.3/contrib/file/src/is_tar.c
  releng/10.3/contrib/file/src/magic.c
  releng/10.3/contrib/file/src/magic.h.in
  releng/10.3/contrib/file/src/print.c
  releng/10.3/contrib/file/src/readcdf.c
  releng/10.3/contrib/file/src/readelf.c
  releng/10.3/contrib/file/src/readelf.h
  releng/10.3/contrib/file/src/softmagic.c
  releng/10.3/contrib/file/src/vasprintf.c
  releng/10.3/contrib/file/tests/Makefile.am
  releng/10.3/contrib/file/tests/Makefile.in
  releng/10.3/contrib/file/tests/test.c
  releng/10.3/lib/libmagic/Makefile
  releng/10.3/lib/libmagic/config.h
  releng/10.4/contrib/file/ChangeLog
  releng/10.4/contrib/file/aclocal.m4
  releng/10.4/contrib/file/config.guess
  releng/10.4/contrib/file/config.sub
  releng/10.4/contrib/file/configure
  releng/10.4/contrib/file/configure.ac
  releng/10.4/contrib/file/doc/file.man
  releng/10.4/contrib/file/doc/libmagic.man
  releng/10.4/contrib/file/doc/magic.man
  releng/10.4/contrib/file/magic/Localstuff
  releng/10.4/contrib/file/magic/Magdir/adventure
  releng/10.4/contrib/file/magic/Magdir/amanda
  releng/10.4/contrib/file/magic/Magdir/amigaos
  releng/10.4/contrib/file/magic/Magdir/android
  releng/10.4/contrib/file/magic/Magdir/animation
  releng/10.4/contrib/file/magic/Magdir/apple
  releng/10.4/contrib/file/magic/Magdir/archive
  releng/10.4/contrib/file/magic/Magdir/att3b
  releng/10.4/contrib/file/magic/Magdir/audio
  releng/10.4/contrib/file/magic/Magdir/blackberry
  releng/10.4/contrib/file/magic/Magdir/blender
  releng/10.4/contrib/file/magic/Magdir/c-lang
  releng/10.4/contrib/file/magic/Magdir/cad
  releng/10.4/contrib/file/magic/Magdir/cafebabe
  releng/10.4/contrib/file/magic/Magdir/clipper
  releng/10.4/contrib/file/magic/Magdir/coff
  releng/10.4/contrib/file/magic/Magdir/commands
  releng/10.4/contrib/file/magic/Magdir/compress
  releng/10.4/contrib/file/magic/Magdir/console
  releng/10.4/contrib/file/magic/Magdir/cups
  releng/10.4/contrib/file/magic/Magdir/database
  releng/10.4/contrib/file/magic/Magdir/der
  releng/10.4/contrib/file/magic/Magdir/diff
  releng/10.4/contrib/file/magic/Magdir/dolby
  releng/10.4/contrib/file/magic/Magdir/dump
  releng/10.4/contrib/file/magic/Magdir/dyadic
  releng/10.4/contrib/file/magic/Magdir/editors
  releng/10.4/contrib/file/magic/Magdir/filesystems
  releng/10.4/contrib/file/magic/Magdir/flash
  releng/10.4/contrib/file/magic/Magdir/fonts
  releng/10.4/contrib/file/magic/Magdir/fsav
  releng/10.4/contrib/file/magic/Magdir/games
  releng/10.4/contrib/file/magic/Magdir/geo
  releng/10.4/contrib/file/magic/Magdir/gnu
  releng/10.4/contrib/file/magic/Magdir/gpt
  releng/10.4/contrib/file/magic/Magdir/gringotts
  releng/10.4/contrib/file/magic/Magdir/hitachi-sh
  releng/10.4/contrib/file/magic/Magdir/ibm370
  releng/10.4/contrib/file/magic/Magdir/ibm6000
  releng/10.4/contrib/file/magic/Magdir/icc
  releng/10.4/contrib/file/magic/Magdir/images
  releng/10.4/contrib/file/magic/Magdir/intel
  releng/10.4/contrib/file/magic/Magdir/isz
  releng/10.4/contrib/file/magic/Magdir/jpeg
  releng/10.4/contrib/file/magic/Magdir/kerberos
  releng/10.4/contrib/file/magic/Magdir/kml
  releng/10.4/contrib/file/magic/Magdir/linux
  releng/10.4/contrib/file/magic/Magdir/lisp
  releng/10.4/contrib/file/magic/Magdir/m4
  releng/10.4/contrib/file/magic/Magdir/macintosh
  releng/10.4/contrib/file/magic/Magdir/make
  releng/10.4/contrib/file/magic/Magdir/maple
  releng/10.4/contrib/file/magic/Magdir/marc21
  releng/10.4/contrib/file/magic/Magdir/mathematica
  releng/10.4/contrib/file/magic/Magdir/metastore
  releng/10.4/contrib/file/magic/Magdir/meteorological
  releng/10.4/contrib/file/magic/Magdir/microfocus
  releng/10.4/contrib/file/magic/Magdir/mime
  releng/10.4/contrib/file/magic/Magdir/misctools
  releng/10.4/contrib/file/magic/Magdir/modem
  releng/10.4/contrib/file/magic/Magdir/mozilla
  releng/10.4/contrib/file/magic/Magdir/msdos
  releng/10.4/contrib/file/magic/Magdir/msvc
  releng/10.4/contrib/file/magic/Magdir/msx
  releng/10.4/contrib/file/magic/Magdir/mup
  releng/10.4/contrib/file/magic/Magdir/nasa
  releng/10.4/contrib/file/magic/Magdir/netbsd
  releng/10.4/contrib/file/magic/Magdir/netscape
  releng/10.4/contrib/file/magic/Magdir/nitpicker
  releng/10.4/contrib/file/magic/Magdir/os2
  releng/10.4/contrib/file/magic/Magdir/os9
  releng/10.4/contrib/file/magic/Magdir/pbf
  releng/10.4/contrib/file/magic/Magdir/pc88
  releng/10.4/contrib/file/magic/Magdir/pc98
  releng/10.4/contrib/file/magic/Magdir/pdf
  releng/10.4/contrib/file/magic/Magdir/pdp
  releng/10.4/contrib/file/magic/Magdir/perl
  releng/10.4/contrib/file/magic/Magdir/pgf
  releng/10.4/contrib/file/magic/Magdir/pgp
  releng/10.4/contrib/file/magic/Magdir/printer
  releng/10.4/contrib/file/magic/Magdir/project
  releng/10.4/contrib/file/magic/Magdir/psdbms
  releng/10.4/contrib/file/magic/Magdir/python
  releng/10.4/contrib/file/magic/Magdir/riff
  releng/10.4/contrib/file/magic/Magdir/ruby
  releng/10.4/contrib/file/magic/Magdir/sccs
  releng/10.4/contrib/file/magic/Magdir/scientific
  releng/10.4/contrib/file/magic/Magdir/sendmail
  releng/10.4/contrib/file/magic/Magdir/sequent
  releng/10.4/contrib/file/magic/Magdir/sgml
  releng/10.4/contrib/file/magic/Magdir/sharc
  releng/10.4/contrib/file/magic/Magdir/sketch
  releng/10.4/contrib/file/magic/Magdir/sql
  releng/10.4/contrib/file/magic/Magdir/ssl
  releng/10.4/contrib/file/magic/Magdir/sysex
  releng/10.4/contrib/file/magic/Magdir/terminfo
  releng/10.4/contrib/file/magic/Magdir/vms
  releng/10.4/contrib/file/magic/Magdir/vmware
  releng/10.4/contrib/file/magic/Magdir/vorbis
  releng/10.4/contrib/file/magic/Magdir/windows
  releng/10.4/contrib/file/magic/Magdir/xenix
  releng/10.4/contrib/file/magic/Magdir/xilinx
  releng/10.4/contrib/file/magic/Magdir/xwindows
  releng/10.4/contrib/file/magic/Makefile.am
  releng/10.4/contrib/file/magic/Makefile.in
  releng/10.4/contrib/file/python/magic.py
  releng/10.4/contrib/file/src/apprentice.c
  releng/10.4/contrib/file/src/cdf.c
  releng/10.4/contrib/file/src/cdf.h
  releng/10.4/contrib/file/src/cdf_time.c
  releng/10.4/contrib/file/src/compress.c
  releng/10.4/contrib/file/src/der.c
  releng/10.4/contrib/file/src/file.h
  releng/10.4/contrib/file/src/fsmagic.c
  releng/10.4/contrib/file/src/funcs.c
  releng/10.4/contrib/file/src/is_tar.c
  releng/10.4/contrib/file/src/magic.c
  releng/10.4/contrib/file/src/magic.h.in
  releng/10.4/contrib/file/src/print.c
  releng/10.4/contrib/file/src/readcdf.c
  releng/10.4/contrib/file/src/readelf.c
  releng/10.4/contrib/file/src/readelf.h
  releng/10.4/contrib/file/src/softmagic.c
  releng/10.4/contrib/file/src/vasprintf.c
  releng/10.4/contrib/file/tests/Makefile.am
  releng/10.4/contrib/file/tests/Makefile.in
  releng/10.4/contrib/file/tests/test.c
  releng/10.4/lib/libmagic/config.h
  releng/11.1/contrib/file/ChangeLog
  releng/11.1/contrib/file/aclocal.m4
  releng/11.1/contrib/file/config.guess
  releng/11.1/contrib/file/config.sub
  releng/11.1/contrib/file/configure
  releng/11.1/contrib/file/configure.ac
  releng/11.1/contrib/file/doc/file.man
  releng/11.1/contrib/file/doc/libmagic.man
  releng/11.1/contrib/file/doc/magic.man
  releng/11.1/contrib/file/magic/Localstuff
  releng/11.1/contrib/file/magic/Magdir/adventure
  releng/11.1/contrib/file/magic/Magdir/amanda
  releng/11.1/contrib/file/magic/Magdir/amigaos
  releng/11.1/contrib/file/magic/Magdir/android
  releng/11.1/contrib/file/magic/Magdir/animation
  releng/11.1/contrib/file/magic/Magdir/apple
  releng/11.1/contrib/file/magic/Magdir/archive
  releng/11.1/contrib/file/magic/Magdir/att3b
  releng/11.1/contrib/file/magic/Magdir/audio
  releng/11.1/contrib/file/magic/Magdir/blackberry
  releng/11.1/contrib/file/magic/Magdir/blender
  releng/11.1/contrib/file/magic/Magdir/c-lang
  releng/11.1/contrib/file/magic/Magdir/cad
  releng/11.1/contrib/file/magic/Magdir/cafebabe
  releng/11.1/contrib/file/magic/Magdir/clipper
  releng/11.1/contrib/file/magic/Magdir/coff
  releng/11.1/contrib/file/magic/Magdir/commands
  releng/11.1/contrib/file/magic/Magdir/compress
  releng/11.1/contrib/file/magic/Magdir/console
  releng/11.1/contrib/file/magic/Magdir/cups
  releng/11.1/contrib/file/magic/Magdir/database
  releng/11.1/contrib/file/magic/Magdir/der
  releng/11.1/contrib/file/magic/Magdir/diff
  releng/11.1/contrib/file/magic/Magdir/dolby
  releng/11.1/contrib/file/magic/Magdir/dump
  releng/11.1/contrib/file/magic/Magdir/dyadic
  releng/11.1/contrib/file/magic/Magdir/editors
  releng/11.1/contrib/file/magic/Magdir/filesystems
  releng/11.1/contrib/file/magic/Magdir/flash
  releng/11.1/contrib/file/magic/Magdir/fonts
  releng/11.1/contrib/file/magic/Magdir/fsav
  releng/11.1/contrib/file/magic/Magdir/games
  releng/11.1/contrib/file/magic/Magdir/geo
  releng/11.1/contrib/file/magic/Magdir/gnu
  releng/11.1/contrib/file/magic/Magdir/gpt
  releng/11.1/contrib/file/magic/Magdir/gringotts
  releng/11.1/contrib/file/magic/Magdir/hitachi-sh
  releng/11.1/contrib/file/magic/Magdir/ibm370
  releng/11.1/contrib/file/magic/Magdir/ibm6000
  releng/11.1/contrib/file/magic/Magdir/icc
  releng/11.1/contrib/file/magic/Magdir/images
  releng/11.1/contrib/file/magic/Magdir/intel
  releng/11.1/contrib/file/magic/Magdir/isz
  releng/11.1/contrib/file/magic/Magdir/jpeg
  releng/11.1/contrib/file/magic/Magdir/kerberos
  releng/11.1/contrib/file/magic/Magdir/kml
  releng/11.1/contrib/file/magic/Magdir/linux
  releng/11.1/contrib/file/magic/Magdir/lisp
  releng/11.1/contrib/file/magic/Magdir/m4
  releng/11.1/contrib/file/magic/Magdir/macintosh
  releng/11.1/contrib/file/magic/Magdir/make
  releng/11.1/contrib/file/magic/Magdir/maple
  releng/11.1/contrib/file/magic/Magdir/marc21
  releng/11.1/contrib/file/magic/Magdir/mathematica
  releng/11.1/contrib/file/magic/Magdir/metastore
  releng/11.1/contrib/file/magic/Magdir/meteorological
  releng/11.1/contrib/file/magic/Magdir/microfocus
  releng/11.1/contrib/file/magic/Magdir/mime
  releng/11.1/contrib/file/magic/Magdir/misctools
  releng/11.1/contrib/file/magic/Magdir/modem
  releng/11.1/contrib/file/magic/Magdir/mozilla
  releng/11.1/contrib/file/magic/Magdir/msdos
  releng/11.1/contrib/file/magic/Magdir/msvc
  releng/11.1/contrib/file/magic/Magdir/msx
  releng/11.1/contrib/file/magic/Magdir/mup
  releng/11.1/contrib/file/magic/Magdir/nasa
  releng/11.1/contrib/file/magic/Magdir/netbsd
  releng/11.1/contrib/file/magic/Magdir/netscape
  releng/11.1/contrib/file/magic/Magdir/nitpicker
  releng/11.1/contrib/file/magic/Magdir/os2
  releng/11.1/contrib/file/magic/Magdir/os9
  releng/11.1/contrib/file/magic/Magdir/pbf
  releng/11.1/contrib/file/magic/Magdir/pc88
  releng/11.1/contrib/file/magic/Magdir/pc98
  releng/11.1/contrib/file/magic/Magdir/pdf
  releng/11.1/contrib/file/magic/Magdir/pdp
  releng/11.1/contrib/file/magic/Magdir/perl
  releng/11.1/contrib/file/magic/Magdir/pgf
  releng/11.1/contrib/file/magic/Magdir/pgp
  releng/11.1/contrib/file/magic/Magdir/printer
  releng/11.1/contrib/file/magic/Magdir/project
  releng/11.1/contrib/file/magic/Magdir/psdbms
  releng/11.1/contrib/file/magic/Magdir/python
  releng/11.1/contrib/file/magic/Magdir/riff
  releng/11.1/contrib/file/magic/Magdir/ruby
  releng/11.1/contrib/file/magic/Magdir/sccs
  releng/11.1/contrib/file/magic/Magdir/scientific
  releng/11.1/contrib/file/magic/Magdir/sendmail
  releng/11.1/contrib/file/magic/Magdir/sequent
  releng/11.1/contrib/file/magic/Magdir/sgml
  releng/11.1/contrib/file/magic/Magdir/sharc
  releng/11.1/contrib/file/magic/Magdir/sketch
  releng/11.1/contrib/file/magic/Magdir/sql
  releng/11.1/contrib/file/magic/Magdir/ssl
  releng/11.1/contrib/file/magic/Magdir/sysex
  releng/11.1/contrib/file/magic/Magdir/terminfo
  releng/11.1/contrib/file/magic/Magdir/vms
  releng/11.1/contrib/file/magic/Magdir/vmware
  releng/11.1/contrib/file/magic/Magdir/vorbis
  releng/11.1/contrib/file/magic/Magdir/windows
  releng/11.1/contrib/file/magic/Magdir/xenix
  releng/11.1/contrib/file/magic/Magdir/xilinx
  releng/11.1/contrib/file/magic/Magdir/xwindows
  releng/11.1/contrib/file/magic/Makefile.am
  releng/11.1/contrib/file/magic/Makefile.in
  releng/11.1/contrib/file/python/magic.py
  releng/11.1/contrib/file/src/apprentice.c
  releng/11.1/contrib/file/src/cdf.c
  releng/11.1/contrib/file/src/cdf.h
  releng/11.1/contrib/file/src/cdf_time.c
  releng/11.1/contrib/file/src/compress.c
  releng/11.1/contrib/file/src/der.c
  releng/11.1/contrib/file/src/file.h
  releng/11.1/contrib/file/src/fsmagic.c
  releng/11.1/contrib/file/src/funcs.c
  releng/11.1/contrib/file/src/is_tar.c
  releng/11.1/contrib/file/src/magic.c
  releng/11.1/contrib/file/src/magic.h.in
  releng/11.1/contrib/file/src/print.c
  releng/11.1/contrib/file/src/readcdf.c
  releng/11.1/contrib/file/src/readelf.c
  releng/11.1/contrib/file/src/readelf.h
  releng/11.1/contrib/file/src/softmagic.c
  releng/11.1/contrib/file/src/vasprintf.c
  releng/11.1/contrib/file/tests/Makefile.am
  releng/11.1/contrib/file/tests/Makefile.in
  releng/11.1/contrib/file/tests/test.c
  releng/11.1/lib/libmagic/config.h

Modified: releng/10.3/contrib/file/ChangeLog
==============================================================================
--- releng/10.3/contrib/file/ChangeLog	Wed Mar  7 06:01:44 2018	(r330568)
+++ releng/10.3/contrib/file/ChangeLog	Wed Mar  7 06:04:25 2018	(r330569)
@@ -1,3 +1,157 @@
+2017-09-02  11:53  Christos Zoulas 
+
+	* release 5.32
+
+2017-08-28  16:37  Christos Zoulas 
+
+	* Always reset state in {file,buffer}_apprentice (Krzysztof Wilczynski)
+
+2017-08-27  03:55  Christos Zoulas 
+
+	* Fix always true condition (Thomas Jarosch)
+
+2017-05-24  17:30  Christos Zoulas 
+
+	* pickier parsing of numeric values in magic files.
+
+2017-05-23  17:55  Christos Zoulas 
+
+	* PR/615 add magic_getflags()
+
+2017-05-23  13:55  Christos Zoulas 
+
+	* release 5.31
+
+2017-03-17  20:32  Christos Zoulas 
+
+	* remove trailing spaces from magic files
+	* refactor is_tar
+	* better bounds checks for cdf
+
+2017-02-10  12:24  Christos Zoulas 
+
+	* release 5.30
+
+2017-02-07  23:27  Christos Zoulas 
+
+	* If we exceeded the offset in a search return no match
+	  (Christoph Biedl)
+	* Be more lenient on corrupt CDF files (Christoph Biedl)
+
+2017-02-04  16:46  Christos Zoulas 
+
+	* pacify ubsan sign extension (oss-fuzz/524)
+
+2017-02-01  12:42  Christos Zoulas 
+
+	* off by one in cdf parsing (PR/593)
+	* report debugging sections in elf (PR/591)
+
+2016-11-06  10:52  Christos Zoulas 
+
+	* Allow @@@ in extensions
+	* Add missing overflow check in der magic (Jonas Wagner)
+
+2016-10-25  10:40  Christos Zoulas 
+	
+	* release 5.29
+
+2016-10-24  11:20  Christos Zoulas 
+
+	* der getlength overflow (Jonas Wagner)
+	* multiple magic file load failure (Christoph Biedl)
+
+2016-10-17  11:26  Christos Zoulas 
+
+	* CDF parsing improvements (Guy Helmer)
+
+2016-07-20   7:26  Christos Zoulas 
+
+	* Add support for signed indirect offsets
+
+2016-07-18   7:41  Christos Zoulas 
+
+	* cat /dev/null | file - should print empty (Christoph Biedl)
+
+2016-07-05  15:20  Christos Zoulas 
+
+	* Bump string size from 64 to 96.
+
+2016-06-13  20:20  Christos Zoulas 
+
+	* PR/556: Fix separators on annotations.
+
+2016-06-13  19:40  Christos Zoulas 
+
+	* release 5.28
+	* fix leak on allocation failure
+
+2016-06-01   1:20  Christos Zoulas 
+
+	* PR/555: Avoid overflow for offset > nbytes
+	* PR/550: Segv on DER parsing:
+	    - use the correct variable for length
+	    - set offset to 0 on failure.
+
+2016-05-13  12:00  Christos Zoulas 
+	
+	* release 5.27
+
+2016-04-18   9:35  Christos Zoulas 
+	
+	* Errors comparing DER entries or computing offsets
+	  are just indications of malformed non-DER files.
+	  Don't print them.
+	* Offset comparison was off-by-one.
+	* Fix compression code (Werner Fink)
+	* Put new bytes constant in the right file (not the generated one)
+
+2016-04-16  18:34  Christos Zoulas 
+	
+	* release 5.26
+
+2016-03-31  13:50  Christos Zoulas 
+
+	* make the number of bytes read from files configurable.
+
+2016-03-21  13:40  Christos Zoulas 
+
+	* Add bounds checks for DER code (discovered by Thomas Jarosch)
+	* Change indirect recursion limit to indirect use count and
+	  bump from 15 to 50 to prevent abuse.
+
+2016-03-13  20:39  Christos Zoulas 
+
+	* Add -00 which prints filename\0description\0
+
+2016-03-01  13:28  Christos Zoulas 
+
+	* Fix ID3 indirect parsing
+
+2016-01-19  10:18  Christos Zoulas 
+
+	* add DER parsing capability
+
+2015-11-13  10:35  Christos Zoulas 
+
+	* provide dprintf(3) for the OS's that don't have it.
+
+2015-11-11  16:25  Christos Zoulas 
+
+	* redo the compression code report decompression errors
+
+2015-11-10  23:25  Christos Zoulas 
+
+	* REG_STARTEND code is not working as expected, delete it.
+
+2015-11-09  16:05  Christos Zoulas 
+
+	* Add zlib support if we have it.
+
+2015-11-05  11:22  Christos Zoulas 
+
+	* PR/492: compression forking was broken with magic_buffer.
+
 2015-09-16   9:50  Christos Zoulas 
 	
 	* release 5.25
@@ -287,7 +441,7 @@
 		`
 2013-11-06  14:40  Christos Zoulas 
 
-	* fix erroneous non-zero exit code from non-existant file and message
+	* fix erroneous non-zero exit code from non-existent file and message
 
 2013-10-29  14:25  Christos Zoulas 
 

Modified: releng/10.3/contrib/file/README
==============================================================================
--- releng/10.3/contrib/file/README	Wed Mar  7 06:01:44 2018	(r330568)
+++ releng/10.3/contrib/file/README	Wed Mar  7 06:04:25 2018	(r330569)
@@ -1,6 +1,6 @@
 ## README for file(1) Command ##
 
-    @(#) $File: README,v 1.49 2015/01/02 20:23:04 christos Exp $
+    @(#) $File: README,v 1.50 2016/04/16 22:40:54 christos Exp $
 
 Mailing List: file@mx.gw.com  
 Mailing List archives: http://mx.gw.com/pipermail/file/  
@@ -67,17 +67,41 @@ in magic(5) format please, to the maintainer, Christos
 COPYING - read this first.  
 README - read this second (you are currently reading this file).  
 INSTALL - read on how to install
+src/localtime_r.c
+src/magic.c
+src/magic.h
+src/mygetopt.h
+src/newtest2.c
+src/newtest3.c
+src/pread.c
+src/print.c
+src/readcdf.c
+src/readelf.c
+src/readelf.h
+src/regex.c
+src/regex2.c
+src/softmagic.c
+src/strcasestr.c
+src/strlcat.c
+src/strlcpy.c
+src/strndup.c
+src/tar.h
+src/teststrchr.c
+src/vasprintf.c
+src/x.c
 src/apprentice.c - parses /etc/magic to learn magic  
-src/asctime_r.c - replacement for OS's that don't have it.  
 src/apptype.c - used for OS/2 specific application type magic  
-src/asprintf.c - replacement for OS's that don't have it.  
 src/ascmagic.c - third & last set of tests, based on hardwired assumptions.  
 src/asctime_r.c - replacement for OS's that don't have it.  
 src/asprintf.c - replacement for OS's that don't have it.  
+src/asctime_r.c - replacement for OS's that don't have it.  
+src/asprintf.c - replacement for OS's that don't have it.  
 src/cdf.[ch] - parser for Microsoft Compound Document Files  
 src/cdf_time.c - time converter for CDF.  
 src/compress.c - handles decompressing files to look inside.  
 src/ctime_r.c - replacement for OS's that don't have it.  
+src/der.[ch] - parser for Distinguished Encoding Rules
+src/dprintf.c - replacement for OS's that don't have it.
 src/elfclass.h - common code for elf 32/64.
 src/encoding.c - handles unicode encodings  
 src/file.c - the main program  
@@ -88,10 +112,13 @@ src/fsmagic.c - first set of tests the program runs, b
 src/funcs.c - utilility functions  
 src/getline.c - replacement for OS's that don't have it.  
 src/getopt_long.c - replacement for OS's that don't have it.  
-src/is_tar.c, tar.h - knows about tarchives (courtesy John Gilmore).  
-src/names.h - header file for ascmagic.c  
+src/gmtime_r.c - replacement for OS's that don't have it.  
+src/is_tar.c, tar.h - knows about Tape ARchive format (courtesy John Gilmore).  
+src/localtime_r.c - replacement for OS's that don't have it.  
 src/magic.h.in - source file for magic.h
+src/mygetopt.h - replacement for OS's that don't have it.  
 src/magic.c - the libmagic api  
+src/names.h - header file for ascmagic.c  
 src/pread.c - replacement for OS's that don't have it.  
 src/print.c - print results, errors, warnings.  
 src/readcdf.c - CDF wrapper.  

Modified: releng/10.3/contrib/file/TODO
==============================================================================
--- releng/10.3/contrib/file/TODO	Wed Mar  7 06:01:44 2018	(r330568)
+++ releng/10.3/contrib/file/TODO	Wed Mar  7 06:04:25 2018	(r330569)
@@ -6,7 +6,6 @@ file, not here. More speculative material can live her
 listed in the BUGS section of the man page had been fixed!)
 
 ---
-
 It would be nice to simplify file considerably. For example,
 reimplement the apprentice and non-pattern magic methods in Python,
 and compile the magic patterns to a giant regex (or something similar;
@@ -15,8 +14,23 @@ small amount of C is needed (because fast execution is
 required for soft magic, not the more detailed information given by
 hard-wired routines). In this regard, note that hplip, which is
 BSD-licensed, has a magic reimplementation in Python.
-
+---
 Read the kerberos magic entry for more ideas.
-
+---
 Write a string merger to make magic entry sizes dynamic.
 Strings will be converted to offsets from the string table.
+---
+Programming language support, we can introduce the concept of a group
+of rules where n rules need to match before the rule is positive. This
+could require structural changes to the matching code :-(
+
+0	group	2	# require 2 matches
+# rule 1
+>0	....
+...
+# rule 2
+>0	....
+...
+
+christos
+

Modified: releng/10.3/contrib/file/aclocal.m4
==============================================================================
--- releng/10.3/contrib/file/aclocal.m4	Wed Mar  7 06:01:44 2018	(r330568)
+++ releng/10.3/contrib/file/aclocal.m4	Wed Mar  7 06:04:25 2018	(r330569)
@@ -21,7 +21,7 @@ If you have problems, you may need to regenerate the b
 To do so, use the procedure documented by the package, typically 'autoreconf'.])])
 
 # visibility.m4 serial 5 (gettext-0.18.2)
-dnl Copyright (C) 2005, 2008, 2010-2014 Free Software Foundation, Inc.
+dnl Copyright (C) 2005, 2008, 2010-2016 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.

Modified: releng/10.3/contrib/file/config.guess
==============================================================================
--- releng/10.3/contrib/file/config.guess	Wed Mar  7 06:01:44 2018	(r330568)
+++ releng/10.3/contrib/file/config.guess	Wed Mar  7 06:04:25 2018	(r330569)
@@ -1,14 +1,12 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
-#   2011, 2012 Free Software Foundation, Inc.
+#   Copyright 1992-2017 Free Software Foundation, Inc.
 
-timestamp='2012-02-10'
+timestamp='2017-01-01'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful, but
@@ -22,20 +20,18 @@ timestamp='2012-02-10'
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-
-# Originally written by Per Bothner.  Please send patches (context
-# diff format) to  and include a ChangeLog
-# entry.
+# the same distribution terms that you use for the rest of that
+# program.  This Exception is an additional permission under section 7
+# of the GNU General Public License, version 3 ("GPLv3").
 #
-# This script attempts to guess a canonical system name similar to
-# config.sub.  If it succeeds, it prints the system name on stdout, and
-# exits with 0.  Otherwise, it exits with 1.
+# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
 #
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+#
+# Please send patches to .
 
+
 me=`echo "$0" | sed -e 's,.*/,,'`
 
 usage="\
@@ -54,9 +50,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
-Free Software Foundation, Inc.
+Copyright 1992-2017 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -138,6 +132,27 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEAS
 UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
 UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 
+case "${UNAME_SYSTEM}" in
+Linux|GNU|GNU/*)
+	# If the system lacks a compiler, then just pick glibc.
+	# We could probably try harder.
+	LIBC=gnu
+
+	eval $set_cc_for_build
+	cat <<-EOF > $dummy.c
+	#include 
+	#if defined(__UCLIBC__)
+	LIBC=uclibc
+	#elif defined(__dietlibc__)
+	LIBC=dietlibc
+	#else
+	LIBC=gnu
+	#endif
+	EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
+	;;
+esac
+
 # Note: order is significant - the case branches are not exclusive.
 
 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
@@ -153,19 +168,29 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
 	# Note: NetBSD doesn't particularly care about the vendor
 	# portion of the name.  We always set it to "unknown".
 	sysctl="sysctl -n hw.machine_arch"
-	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
+	    /sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || \
+	    echo unknown)`
 	case "${UNAME_MACHINE_ARCH}" in
 	    armeb) machine=armeb-unknown ;;
 	    arm*) machine=arm-unknown ;;
 	    sh3el) machine=shl-unknown ;;
 	    sh3eb) machine=sh-unknown ;;
 	    sh5el) machine=sh5le-unknown ;;
+	    earmv*)
+		arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
+		endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
+		machine=${arch}${endian}-unknown
+		;;
 	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
 	esac
 	# The Operating System including object format, if it has switched
-	# to ELF recently, or will in the future.
+	# to ELF recently (or will in the future) and ABI.
 	case "${UNAME_MACHINE_ARCH}" in
+	    earm*)
+		os=netbsdelf
+		;;
 	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
 		eval $set_cc_for_build
 		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
@@ -182,6 +207,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
 		os=netbsd
 		;;
 	esac
+	# Determine ABI tags.
+	case "${UNAME_MACHINE_ARCH}" in
+	    earm*)
+		expr='s/^earmv[0-9]/-eabi/;s/eb$//'
+		abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
+		;;
+	esac
 	# The OS release
 	# Debian GNU/NetBSD machines have a different userland, and
 	# thus, need a distinct triplet. However, they do not need
@@ -192,18 +224,26 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
 		release='-gnu'
 		;;
 	    *)
-		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
 		;;
 	esac
 	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
 	# contains redundant information, the shorter form:
 	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}"
+	echo "${machine}-${os}${release}${abi}"
 	exit ;;
+    *:Bitrig:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
+	exit ;;
     *:OpenBSD:*:*)
 	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
 	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
 	exit ;;
+    *:LibertyBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
+	exit ;;
     *:ekkoBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
 	exit ;;
@@ -216,6 +256,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
     *:MirBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
 	exit ;;
+    *:Sortix:*:*)
+	echo ${UNAME_MACHINE}-unknown-sortix
+	exit ;;
     alpha:OSF1:*:*)
 	case $UNAME_RELEASE in
 	*4.0)
@@ -232,42 +275,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
 	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
 	case "$ALPHA_CPU_TYPE" in
 	    "EV4 (21064)")
-		UNAME_MACHINE="alpha" ;;
+		UNAME_MACHINE=alpha ;;
 	    "EV4.5 (21064)")
-		UNAME_MACHINE="alpha" ;;
+		UNAME_MACHINE=alpha ;;
 	    "LCA4 (21066/21068)")
-		UNAME_MACHINE="alpha" ;;
+		UNAME_MACHINE=alpha ;;
 	    "EV5 (21164)")
-		UNAME_MACHINE="alphaev5" ;;
+		UNAME_MACHINE=alphaev5 ;;
 	    "EV5.6 (21164A)")
-		UNAME_MACHINE="alphaev56" ;;
+		UNAME_MACHINE=alphaev56 ;;
 	    "EV5.6 (21164PC)")
-		UNAME_MACHINE="alphapca56" ;;
+		UNAME_MACHINE=alphapca56 ;;
 	    "EV5.7 (21164PC)")
-		UNAME_MACHINE="alphapca57" ;;
+		UNAME_MACHINE=alphapca57 ;;
 	    "EV6 (21264)")
-		UNAME_MACHINE="alphaev6" ;;
+		UNAME_MACHINE=alphaev6 ;;
 	    "EV6.7 (21264A)")
-		UNAME_MACHINE="alphaev67" ;;
+		UNAME_MACHINE=alphaev67 ;;
 	    "EV6.8CB (21264C)")
-		UNAME_MACHINE="alphaev68" ;;
+		UNAME_MACHINE=alphaev68 ;;
 	    "EV6.8AL (21264B)")
-		UNAME_MACHINE="alphaev68" ;;
+		UNAME_MACHINE=alphaev68 ;;
 	    "EV6.8CX (21264D)")
-		UNAME_MACHINE="alphaev68" ;;
+		UNAME_MACHINE=alphaev68 ;;
 	    "EV6.9A (21264/EV69A)")
-		UNAME_MACHINE="alphaev69" ;;
+		UNAME_MACHINE=alphaev69 ;;
 	    "EV7 (21364)")
-		UNAME_MACHINE="alphaev7" ;;
+		UNAME_MACHINE=alphaev7 ;;
 	    "EV7.9 (21364A)")
-		UNAME_MACHINE="alphaev79" ;;
+		UNAME_MACHINE=alphaev79 ;;
 	esac
 	# A Pn.n version is a patched version.
 	# A Vn.n version is a released version.
 	# A Tn.n version is a released field test version.
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
 	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
 	exitcode=$?
 	trap '' 0
@@ -302,7 +345,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
 	exit ;;
-    arm:riscos:*:*|arm:RISCOS:*:*)
+    arm*:riscos:*:*|arm*:RISCOS:*:*)
 	echo arm-unknown-riscos
 	exit ;;
     SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@@ -340,16 +383,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
 	exit ;;
     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
 	eval $set_cc_for_build
-	SUN_ARCH="i386"
+	SUN_ARCH=i386
 	# If there is a compiler, see if it is configured for 64-bit objects.
 	# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
 	# This test works for both compilers.
-	if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+	if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
 	    if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
-		(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
 		grep IS_64BIT_ARCH >/dev/null
 	    then
-		SUN_ARCH="x86_64"
+		SUN_ARCH=x86_64
 	    fi
 	fi
 	echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
@@ -374,7 +417,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE
 	exit ;;
     sun*:*:4.2BSD:*)
 	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
 	case "`/bin/arch`" in
 	    sun3)
 		echo m68k-sun-sunos${UNAME_RELEASE}
@@ -560,8 +603,9 @@ EOF
 	else
 		IBM_ARCH=powerpc
 	fi
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
+	if [ -x /usr/bin/lslpp ] ; then
+		IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
+			   awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
 	else
 		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
 	fi
@@ -598,13 +642,13 @@ EOF
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
 		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
 		    case "${sc_cpu_version}" in
-		      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-		      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+		      523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
+		      528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
 		      532)                      # CPU_PA_RISC2_0
 			case "${sc_kernel_bits}" in
-			  32) HP_ARCH="hppa2.0n" ;;
-			  64) HP_ARCH="hppa2.0w" ;;
-			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+			  32) HP_ARCH=hppa2.0n ;;
+			  64) HP_ARCH=hppa2.0w ;;
+			  '') HP_ARCH=hppa2.0 ;;   # HP-UX 10.20
 			esac ;;
 		    esac
 		fi
@@ -643,11 +687,11 @@ EOF
 		    exit (0);
 		}
 EOF
-		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
 		fi ;;
 	esac
-	if [ ${HP_ARCH} = "hppa2.0w" ]
+	if [ ${HP_ARCH} = hppa2.0w ]
 	then
 	    eval $set_cc_for_build
 
@@ -660,12 +704,12 @@ EOF
 	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
 	    # => hppa64-hp-hpux11.23
 
-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+	    if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
 		grep -q __LP64__
 	    then
-		HP_ARCH="hppa2.0w"
+		HP_ARCH=hppa2.0w
 	    else
-		HP_ARCH="hppa64"
+		HP_ARCH=hppa64
 	    fi
 	fi
 	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@@ -770,14 +814,14 @@ EOF
 	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
-	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
+	FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
 	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
 	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     5000:UNIX_System_V:4.*:*)
-	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+	FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
 	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
@@ -801,10 +845,13 @@ EOF
     i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
 	exit ;;
+    *:MINGW64*:*)
+	echo ${UNAME_MACHINE}-pc-mingw64
+	exit ;;
     *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
-    i*:MSYS*:*)
+    *:MSYS*:*)
 	echo ${UNAME_MACHINE}-pc-msys
 	exit ;;
     i*:windows32*:*)
@@ -852,21 +899,21 @@ EOF
 	exit ;;
     *:GNU:*:*)
 	# the GNU system
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
 	exit ;;
     *:GNU/*:*:*)
 	# other systems with GNU libc and userland
-	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
 	exit ;;
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
     aarch64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     aarch64_be:Linux:*:*)
 	UNAME_MACHINE=aarch64_be
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
@@ -879,59 +926,60 @@ EOF
 	  EV68*) UNAME_MACHINE=alphaev68 ;;
 	esac
 	objdump --private-headers /bin/sh | grep -q ld.so.1
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
+    arc:Linux:*:* | arceb:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     arm*:Linux:*:*)
 	eval $set_cc_for_build
 	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
 	    | grep -q __ARM_EABI__
 	then
-	    echo ${UNAME_MACHINE}-unknown-linux-gnu
+	    echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	else
 	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
 		| grep -q __ARM_PCS_VFP
 	    then
-		echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
 	    else
-		echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
+		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
 	    fi
 	fi
 	exit ;;
     avr32*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     cris:Linux:*:*)
-	echo ${UNAME_MACHINE}-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
 	exit ;;
     crisv32:Linux:*:*)
-	echo ${UNAME_MACHINE}-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
 	exit ;;
+    e2k:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     frv:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     hexagon:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     i*86:Linux:*:*)
-	LIBC=gnu
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
-	echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
 	exit ;;
     ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
+    k1om:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     mips:Linux:*:* | mips64:Linux:*:*)
 	eval $set_cc_for_build
@@ -950,54 +998,69 @@ EOF
 	#endif
 EOF
 	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
 	;;
-    or32:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+    mips64el:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
+    openrisc*:Linux:*:*)
+	echo or1k-unknown-linux-${LIBC}
+	exit ;;
+    or32:Linux:*:* | or1k*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     padre:Linux:*:*)
-	echo sparc-unknown-linux-gnu
+	echo sparc-unknown-linux-${LIBC}
 	exit ;;
     parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
+	echo hppa64-unknown-linux-${LIBC}
 	exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
-	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
-	  *)    echo hppa-unknown-linux-gnu ;;
+	  PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
+	  PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
+	  *)    echo hppa-unknown-linux-${LIBC} ;;
 	esac
 	exit ;;
     ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
+	echo powerpc64-unknown-linux-${LIBC}
 	exit ;;
     ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
+	echo powerpc-unknown-linux-${LIBC}
 	exit ;;
+    ppc64le:Linux:*:*)
+	echo powerpc64le-unknown-linux-${LIBC}
+	exit ;;
+    ppcle:Linux:*:*)
+	echo powerpcle-unknown-linux-${LIBC}
+	exit ;;
+    riscv32:Linux:*:* | riscv64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux
+	echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
 	exit ;;
     sh64*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     tile*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     vax:Linux:*:*)
-	echo ${UNAME_MACHINE}-dec-linux-gnu
+	echo ${UNAME_MACHINE}-dec-linux-${LIBC}
 	exit ;;
     x86_64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
 	exit ;;
     xtensa*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
 	exit ;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -1073,7 +1136,7 @@ EOF
 	# uname -m prints for DJGPP always 'pc', but it prints nothing about
 	# the processor, so we play safe by assuming i586.
 	# Note: whatever this is, it MUST be the same as what config.sub
-	# prints for the "djgpp" host, or else GDB configury will decide that
+	# prints for the "djgpp" host, or else GDB configure will decide that
 	# this is a cross-build.
 	echo i586-pc-msdosdjgpp
 	exit ;;
@@ -1201,6 +1264,9 @@ EOF
     BePC:Haiku:*:*)	# Haiku running on Intel PC compatible.
 	echo i586-pc-haiku
 	exit ;;
+    x86_64:Haiku:*:*)
+	echo x86_64-unknown-haiku
+	exit ;;
     SX-4:SUPER-UX:*:*)
 	echo sx4-nec-superux${UNAME_RELEASE}
 	exit ;;
@@ -1219,6 +1285,9 @@ EOF
     SX-8R:SUPER-UX:*:*)
 	echo sx8r-nec-superux${UNAME_RELEASE}
 	exit ;;
+    SX-ACE:SUPER-UX:*:*)
+	echo sxace-nec-superux${UNAME_RELEASE}
+	exit ;;
     Power*:Rhapsody:*:*)
 	echo powerpc-apple-rhapsody${UNAME_RELEASE}
 	exit ;;
@@ -1227,24 +1296,36 @@ EOF
 	exit ;;
     *:Darwin:*:*)
 	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	case $UNAME_PROCESSOR in
-	    i386)
-		eval $set_cc_for_build
-		if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
-		  if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
-		      (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
-		      grep IS_64BIT_ARCH >/dev/null
-		  then
-		      UNAME_PROCESSOR="x86_64"
-		  fi
-		fi ;;
-	    unknown) UNAME_PROCESSOR=powerpc ;;
-	esac
+	eval $set_cc_for_build
+	if test "$UNAME_PROCESSOR" = unknown ; then
+	    UNAME_PROCESSOR=powerpc
+	fi
+	if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
+	    if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
+		if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+		    (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		    grep IS_64BIT_ARCH >/dev/null
+		then
+		    case $UNAME_PROCESSOR in
+			i386) UNAME_PROCESSOR=x86_64 ;;
+			powerpc) UNAME_PROCESSOR=powerpc64 ;;
+		    esac
+		fi
+	    fi
+	elif test "$UNAME_PROCESSOR" = i386 ; then
+	    # Avoid executing cc on OS X 10.9, as it ships with a stub
+	    # that puts up a graphical alert prompting to install
+	    # developer tools.  Any system running Mac OS X 10.7 or
+	    # later (Darwin 11 and later) is required to have a 64-bit
+	    # processor. This is not true of the ARM version of Darwin
+	    # that Apple uses in portable devices.
+	    UNAME_PROCESSOR=x86_64
+	fi
 	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
 	exit ;;
     *:procnto*:*:* | *:QNX:[0123456789]*:*)
 	UNAME_PROCESSOR=`uname -p`
-	if test "$UNAME_PROCESSOR" = "x86"; then
+	if test "$UNAME_PROCESSOR" = x86; then
 		UNAME_PROCESSOR=i386
 		UNAME_MACHINE=pc
 	fi
@@ -1256,7 +1337,7 @@ EOF
     NEO-?:NONSTOP_KERNEL:*:*)
 	echo neo-tandem-nsk${UNAME_RELEASE}
 	exit ;;
-    NSE-?:NONSTOP_KERNEL:*:*)
+    NSE-*:NONSTOP_KERNEL:*:*)
 	echo nse-tandem-nsk${UNAME_RELEASE}
 	exit ;;
     NSR-?:NONSTOP_KERNEL:*:*)
@@ -1275,7 +1356,7 @@ EOF
 	# "uname -m" is not consistent, so use $cputype instead. 386
 	# is converted to i386 for consistency with other x86
 	# operating systems.
-	if test "$cputype" = "386"; then
+	if test "$cputype" = 386; then
 	    UNAME_MACHINE=i386
 	else
 	    UNAME_MACHINE="$cputype"
@@ -1317,7 +1398,7 @@ EOF
 	echo i386-pc-xenix
 	exit ;;
     i*86:skyos:*:*)
-	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
 	exit ;;
     i*86:rdos:*:*)
 	echo ${UNAME_MACHINE}-pc-rdos
@@ -1328,174 +1409,25 @@ EOF
     x86_64:VMkernel:*:*)
 	echo ${UNAME_MACHINE}-unknown-esx
 	exit ;;
+    amd64:Isilon\ OneFS:*:*)
+	echo x86_64-unknown-onefs
+	exit ;;
 esac
 
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <
-# include 
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
-  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
-     I don't know....  */
-  printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include 
-  printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
-	"4"
-#else
-	""
-#endif
-	); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix\n"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
-  printf ("m68k-hp-bsd\n"); exit (0);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@freebsd.org  Wed Mar  7 17:16:42 2018
Return-Path: 
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 392FDF41AB9;
 Wed,  7 Mar 2018 17:16:42 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id DF83281ED3;
 Wed,  7 Mar 2018 17:16:41 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id DA5C024ADE;
 Wed,  7 Mar 2018 17:16:41 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w27HGfr1030617;
 Wed, 7 Mar 2018 17:16:41 GMT (envelope-from gordon@FreeBSD.org)
Received: (from gordon@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w27HGfUZ030615;
 Wed, 7 Mar 2018 17:16:41 GMT (envelope-from gordon@FreeBSD.org)
Message-Id: <201803071716.w27HGfUZ030615@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gordon set sender to
 gordon@FreeBSD.org using -f
From: Gordon Tetlow 
Date: Wed, 7 Mar 2018 17:16:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r330611 - in releng: 10.3/sys/netipsec 10.4/sys/netipsec
X-SVN-Group: releng
X-SVN-Commit-Author: gordon
X-SVN-Commit-Paths: in releng: 10.3/sys/netipsec 10.4/sys/netipsec
X-SVN-Commit-Revision: 330611
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: , 
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Wed, 07 Mar 2018 17:16:42 -0000

Author: gordon
Date: Wed Mar  7 17:16:41 2018
New Revision: 330611
URL: https://svnweb.freebsd.org/changeset/base/330611

Log:
  Correct patch for ipsec vulnerability.
  
  Approved by:	so
  Security:	FreeBSD-SA-18:01.netipsec

Modified:
  releng/10.3/sys/netipsec/xform_ah.c
  releng/10.4/sys/netipsec/xform_ah.c

Modified: releng/10.3/sys/netipsec/xform_ah.c
==============================================================================
--- releng/10.3/sys/netipsec/xform_ah.c	Wed Mar  7 17:08:07 2018	(r330610)
+++ releng/10.3/sys/netipsec/xform_ah.c	Wed Mar  7 17:16:41 2018	(r330611)
@@ -619,11 +619,11 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski
 		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
 		    " for packet in SA %s/%08lx\n", __func__,
 		    m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
-		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
 		AHSTAT_INC(ahs_badauthl);
-		error = EACCES;
-		goto bad;
+		m_freem(m);
+		return EACCES;
 	}
 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
 

Modified: releng/10.4/sys/netipsec/xform_ah.c
==============================================================================
--- releng/10.4/sys/netipsec/xform_ah.c	Wed Mar  7 17:08:07 2018	(r330610)
+++ releng/10.4/sys/netipsec/xform_ah.c	Wed Mar  7 17:16:41 2018	(r330611)
@@ -619,11 +619,11 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski
 		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
 		    " for packet in SA %s/%08lx\n", __func__,
 		    m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
-		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
 		AHSTAT_INC(ahs_badauthl);
-		error = EACCES;
-		goto bad;
+		m_freem(m);
+		return EACCES;
 	}
 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
 

From owner-svn-src-releng@freebsd.org  Thu Mar  8 06:17:08 2018
Return-Path: 
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AE364F36DE9;
 Thu,  8 Mar 2018 06:17:08 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 5D98487B6C;
 Thu,  8 Mar 2018 06:17:08 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 53E4050BC;
 Thu,  8 Mar 2018 06:17:08 +0000 (UTC)
 (envelope-from gordon@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w286H8aY025240;
 Thu, 8 Mar 2018 06:17:08 GMT (envelope-from gordon@FreeBSD.org)
Received: (from gordon@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w286H7AF025236;
 Thu, 8 Mar 2018 06:17:07 GMT (envelope-from gordon@FreeBSD.org)
Message-Id: <201803080617.w286H7AF025236@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gordon set sender to
 gordon@FreeBSD.org using -f
From: Gordon Tetlow 
Date: Thu, 8 Mar 2018 06:17:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r330631 - in releng: 10.3 10.3/sys/conf 10.4 10.4/sys/conf
X-SVN-Group: releng
X-SVN-Commit-Author: gordon
X-SVN-Commit-Paths: in releng: 10.3 10.3/sys/conf 10.4 10.4/sys/conf
X-SVN-Commit-Revision: 330631
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: , 
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Thu, 08 Mar 2018 06:17:08 -0000

Author: gordon
Date: Thu Mar  8 06:17:07 2018
New Revision: 330631
URL: https://svnweb.freebsd.org/changeset/base/330631

Log:
  Bump newvers and document the updated patch for SA-18:01.ipsec
  
  Approved by:	so
  Security:	FreeBSD-SA-18:01.ipsec
  Security:	CVE-2018-6916

Modified:
  releng/10.3/UPDATING
  releng/10.3/sys/conf/newvers.sh
  releng/10.4/UPDATING
  releng/10.4/sys/conf/newvers.sh

Modified: releng/10.3/UPDATING
==============================================================================
--- releng/10.3/UPDATING	Thu Mar  8 05:41:53 2018	(r330630)
+++ releng/10.3/UPDATING	Thu Mar  8 06:17:07 2018	(r330631)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20180308	p28	FreeBSD-SA-18:01.ipsec [revised]
+
+	Fix ipsec validation and use-after-free.
+
 20180307	p27	FreeBSD-SA-18:01.ipsec
 			FreeBSD-SA-18:02.ntp
 			FreeBSD-EN-18:01.tzdata

Modified: releng/10.3/sys/conf/newvers.sh
==============================================================================
--- releng/10.3/sys/conf/newvers.sh	Thu Mar  8 05:41:53 2018	(r330630)
+++ releng/10.3/sys/conf/newvers.sh	Thu Mar  8 06:17:07 2018	(r330631)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.3"
-BRANCH="RELEASE-p27"
+BRANCH="RELEASE-p28"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.4/UPDATING
==============================================================================
--- releng/10.4/UPDATING	Thu Mar  8 05:41:53 2018	(r330630)
+++ releng/10.4/UPDATING	Thu Mar  8 06:17:07 2018	(r330631)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20180307	p7	FreeBSD-SA-18:01.ipsec [revised]
+
+	Fix ipsec validation and use-after-free.
+
 20180307	p6	FreeBSD-SA-18:01.ipsec
 			FreeBSD-SA-18:02.ntp
 			FreeBSD-EN-18:01.tzdata

Modified: releng/10.4/sys/conf/newvers.sh
==============================================================================
--- releng/10.4/sys/conf/newvers.sh	Thu Mar  8 05:41:53 2018	(r330630)
+++ releng/10.4/sys/conf/newvers.sh	Thu Mar  8 06:17:07 2018	(r330631)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.4"
-BRANCH="RELEASE-p6"
+BRANCH="RELEASE-p7"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi