From: Hiroki Sato
Date: Tue, 18 Dec 2012 06:55:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r244379 - in stable/9/release/doc: en_US.ISO8859-1/errata en_US.ISO8859-1/relnotes en_US.ISO8859-1/share/xml share/xml
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-9@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for only the 9-stable src tree
X-List-Received-Date: Tue, 18 Dec 2012 06:55:14 -0000

Author: hrs
Date: Tue Dec 18 06:55:13 2012
New Revision: 244379
URL: http://svnweb.freebsd.org/changeset/base/244379

Log:
  - Trim old entries.
  - Update errata items.
  - Bump &release.*;

Modified:
  stable/9/release/doc/en_US.ISO8859-1/errata/article.xml
  stable/9/release/doc/en_US.ISO8859-1/relnotes/article.xml
  stable/9/release/doc/en_US.ISO8859-1/share/xml/release.dsl
  stable/9/release/doc/share/xml/release.dsl
  stable/9/release/doc/share/xml/release.ent

Modified: stable/9/release/doc/en_US.ISO8859-1/errata/article.xml ============================================================================== --- stable/9/release/doc/en_US.ISO8859-1/errata/article.xml Tue Dec 18 06:37:23 2012 (r244378) +++ stable/9/release/doc/en_US.ISO8859-1/errata/article.xml Tue Dec 18 06:55:13 2012 (r244379) @@ -1,22 +1,3 @@ - - -%entities; - - -%release; - - -]]> - -]]> - -]]> -]> - + + +%entities; + +%release; +]>
- &os; &release; Errata + &os; +<![ %release.type.current [ + &release.current; +]]> +<![ %release.type.snapshot [ + &release.prev; +]]> +<![ %release.type.release [ + &release.current; +]]> + Errata The &os; Project @@ -132,11 +130,10 @@ - - - - - + + + + Advisory Date 
@@ -146,194 +143,68 @@ - SA-11:01.mountd - 20 April 2011 - Network ACL mishandling in &man.mountd.8; + SA-12:01.openssl + 3 May 2012 + OpenSSL multiple vulnerabilities - SA-11:02.bind - 28 May 2011 - BIND remote DoS with large RRSIG RRsets and negative - caching + SA-12:02.crypt + 30 May 2012 + Incorrect crypt() hashing - SA-11:04.compress - 28 September 2011 - Errors handling corrupt compress file in - &man.compress.1; and &man.gzip.1; + SA-12:03.bind + 12 June 2012 + Incorrect handling of zero-length RDATA fields in &man.named.8; - SA-11:05.unix - 28 September 2011 - Buffer overflow in handling of UNIX socket - addresses + SA-12:04.sysret + 12 June 2012 + Privilege escalation when returning from kernel - SA-11:06.bind - 23 December 2011 - Remote packet Denial of Service against &man.named.8; - servers + SA-12:05.bind + 6 August 2012 + &man.named.8; DNSSEC validation Denial of Service - SA-11:07.chroot - 23 December 2011 - Code execution via chrooted ftpd + SA-12:06.bind + 22 November 2012 + Multiple Denial of Service vulnerabilities with &man.named.8; - SA-11:08.telnetd - 23 December 2011 - telnetd code execution vulnerability + SA-12:07.hostapd + 22 November 2012 + Insufficient message length validation for EAP-TLS messages - SA-11:09.pam_ssh - 23 December 2011 - pam_ssh improperly grants access when user account has - unencrypted SSH private keys - - - - SA-11:10.pam - 23 December 2011 - pam_start() does not validate - service names + SA-12:08.linux + 22 November 2012 + Linux compatibility layer input validation error - - Open Issues - - - - In some releases prior to &release.current;, upgrading - by using &man.freebsd-update.8; can fail. This issue has - been fixed by a change in Errata Notice EN-12:01. For more - information, see - - - - &os; &release.current; includes - several changes to improve resource management of PCI - devices. Some x86 machines may not boot or may have devices - that no longer attach when using ACPI as a result of these - changes. 
This can be worked around by setting a - &man.loader.8; tunable - debug.acpi.disabled to - hostres. To do this, enter the following - lines at the loader prompt: - - set debug.acpi.disabled="hostres" -boot - - Or, put the following line into - /boot/loader.conf: - - debug.acpi.disabled="hostres" - - - - A &man.devctl.4; event upon arrival of a &man.ugen.4; - device has been changed. The event now includes - ugen and cdev - variables instead of device-name. This - change can prevent the following &man.devd.8; rule which - worked in a previous releases from working: - - attach 0 { - match "device-name" "ugen[0-9]+.[0-9]+"; - action "/path/to/script /dev/$device-name"; -} - - This should be updated to the following: - - attach 0 { - match "subsystem" "DEVICE"; - match "type" "ATTACH"; - match "cdev" "ugen[0-9]+.[0-9]+"; - action "/path/to/script /dev/$cdev"; -} - - - - The &os; &release.current; Release Notes should have - mentioned that SSM (Source-Specific Multicast) MLDv2 now - uses ALLOW_NEW_SOURCES and - BLOCK_OLD_SOURCES record types to signal - a join or a leave by default. This conforms RFC 4604, - Using Internet Group Management Protocol Version 3 - (IGMPv3) and Multicast Listener Discovery Protocol Version 2 - (MLDv2) for Source-Specific Multicast. A new - &man.sysctl.8; variable - net.inet6.mld.use_allow which controls - the behavior has been added. The default value is - 1 (use - ALLOW_NEW_SOURCES and - BLOCK_OLD_SOURCES). - - - - &release.current; fails to configure an interface - specified in the &man.rc.conf.5; variable - ipv6_prefix_IF - when the interface does not have a corresponding - ifconfig_IF_ipv6 - variable. This problem will be fixed in the future - releases. 
To work around this problem on &release.current;, - add an - ifconfig_IF_ipv6 - line for each interface specified in - ipv6_prefix_IF - as the following: - - ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0" -ifconfig_em0_ipv6="inet6 auto_linklocal" - - - - In &release.current; the &os; USB subsystem supports USB - 3.0 by the &man.xhci.4; driver. However, a bug that could - prevent it from working with a USB 3.0 hub has been found - and fixed after the release date. This means - &release.current; and prior do not work with a USB 3.0 hub. - This problem has been fixed in HEAD and will be merged into - the 9-STABLE branch. - - - - Late-Breaking News -No news. -]]> - -No news. -]]> - -No news. -]]> -
Modified: stable/9/release/doc/en_US.ISO8859-1/relnotes/article.xml ============================================================================== --- stable/9/release/doc/en_US.ISO8859-1/relnotes/article.xml Tue Dec 18 06:37:23 2012 (r244378) +++ stable/9/release/doc/en_US.ISO8859-1/relnotes/article.xml Tue Dec 18 06:55:13 2012 (r244379) 
@@ -70,1303 +70,10 @@ - What's New + What's New - This section describes - the most user-visible new or changed features in &os; - since &release.prev;. - - Typical release note items - document recent security advisories issued after - &release.prev;, - new drivers or hardware support, new commands or options, - major bug fixes, or contributed software upgrades. They may also - list changes to major ports/packages or release engineering - practices. Clearly the release notes cannot list every single - change made to &os; between releases; this document focuses - primarily on security advisories, user-visible changes, and major - architectural improvements. - - - Security Advisories - - Problems described in the following security advisories have - been fixed. For more information, consult the individual - advisories available from - . - - - - - - - - - Advisory - Date - Topic - - - - - - SA-11:01.mountd - 20 April 2011 - Network ACL mishandling in &man.mountd.8; - - - - SA-11:02.bind - 28 May 2011 - BIND remote DoS with large RRSIG RRsets and negative - caching - - - - SA-11:04.compress - 28 September 2011 - Errors handling corrupt compress file in - &man.compress.1; and &man.gzip.1; - - - - SA-11:05.unix - 28 September 2011 - Buffer overflow in handling of UNIX socket - addresses - - - - SA-11:06.bind - 23 December 2011 - Remote packet Denial of Service against &man.named.8; - servers - - - - SA-11:07.chroot - 23 December 2011 - Code execution via chrooted ftpd - - - - SA-11:08.telnetd - 23 December 2011 - telnetd code execution vulnerability - - - - SA-11:09.pam_ssh - 23 December 2011 - pam_ssh improperly grants access when user account has - unencrypted SSH private keys - - - - SA-11:10.pam - 23 December 2011 - pam_start() does not validate - service names - - - - - - - - Kernel Changes - - The &os; kernel now supports Capsicum - Capability Mode. 
Capsicum is a set of features for sandboxing - support, using a capability model in which the capabilities - are file descriptors. Two new kernel options - CAPABILITIES and - CAPABILITY_MODE have been added to the - GENERIC kernel. For more information - about Capsicum, see . - - The &os; - &man.dtrace.1; framework now supports - systrace for system calls of - linux32 and freebsd32 on - &os;/&arch.amd64;. Two new - systrace_linux32 and - systrace_freebsd32 kernel modules provide - support for tracing compat system calls in addition to the native - system call tracing provided by the - systrace module. - - The - &os; ELF image activator now supports the - PT_GNU_STACK program header. This is - disabled by default. New &man.sysctl.8; variables - kern.elf32.nxstack and - kern.elf64.nxstack allow enabling - PT_GNU_STACK for the specified ABIs - (e.g. elf32 for 32-bit ABI). - - The &man.hhook.9; (Helper Hook) - and &man.khelp.9; (Kernel Helpers) KPIs have been implemented. - These are a kind of superset of &man.pfil.9; framework for - more general use in the kernel. The &man.hhook.9; KPI - provides a way for kernel subsystems to export hook points - that &man.khelp.9; modules can hook to provide enhanced or new - functionality to the kernel. The &man.khelp.9; KPI provides a - framework for managing &man.khelp.9; modules, which indirectly - use the &man.hhook.9; KPI to register their hook functions - with hook points of interest within the kernel. These allow a - structured way to dynamically extend the kernel at runtime in - an ABI preserving manner. - - A &man.loader.8; - tunable hw.memtest.tests has been added. - This controls whether to perform memory testing at boot time - or not. The default value is 1 (perform a - memory test). - - A new resource accounting API has been - implemented. It can keep per-process, per-jail, and - per-loginclass resource accounting information. Note that - this is not built nor installed by default. 
To build and - install them, specify options RACCT in the - kernel configuration file and rebuild the base system as - described in the &os; - Handbook. - - A new resource-limiting API has been - implemented. It works in conjunction with the - RACCT resource accounting implementation - and takes user-configurable actions based on the set of rules - it maintains and the current resource usage. The &man.rctl.8; - utility has been added to manage the rules in userland. Note - that this is not built nor installed by default. To build and - install them, specify options RCTL in the - kernel configuration file and rebuild the base system as - described in the &os; - Handbook. - - The &man.sendmsg.2; and &man.recvmsg.2; - system calls in the &os; Linux ABI compatibility have been - improved. - - The &man.open.2; and &man.fhopen.2; - system calls now support the O_CLOEXEC flag, - which allows setting the FD_CLOEXEC flag for the - newly created file descriptor. This is standardized in IEEE - Std 1003.1-2008 (POSIX, Single UNIX Specification Version - 4). - - The &man.posix.fallocate.2; system call has - been implemented. This is a function in POSIX to ensure that - a part of the storage for regular file data is allocated on the - file system storage media. - - Two new system calls - setloginclass(2) and - getloginclass(2) have been added. This - makes it possible for the kernel to track the login class a - process is assigned to, which is required for the - RCTL resource limiting framework. - - &os; now supports executing - &os; 1/&arch.i386; a.out binaries on &os;/&arch.amd64;. Note - that this is not built nor installed by default. To build and - install them, specify options COMPAT_43 in - the kernel configuration file and rebuild the base system as - described in the &os; - Handbook. 
- - The following - &man.sysctl.8; variables have been added to show the availability - of various kernel features: - - - - - - - - &man.sysctl.8; variable name - Description - - - - - - kern.features.ufs_acl - ACL (Access Control List) support in UFS - - - - kern.features.ufs_gjournal - journaling support through &man.gjournal.8; for - UFS - - - - kern.features.ufs_quota - UFS disk quotas support - - - - kern.features.ufs_quota64 - 64-bit UFS disk quotas support - - - - kern.features.softupdates - FFS soft-updates support - - - - kern.features.ffs_snapshot - FFS snapshot support - - - - kern.features.nfsclient - NFS client (old implementation) - - - - kern.features.nfscl - NFS client (new implementation) - - - - kern.features.nfsserver - NFS server (old implementation) - - - - kern.features.nfsd - NFS server (new implementation) - - - - kern.features.kdtrace_hooks - Kernel DTrace hooks which are required to load - DTrace kernel modules - - - - kern.features.ktr - Kernel support for KTR kernel tracing facility - - - - kern.features.ktrace - Kernel support for system call tracing - - - - kern.features.hwpmc_hooks - Kernel support for HW PMC - - - - kern.features.sysv_msg - System V message queues support - - - - kern.features.sysv_sem - System V semaphores support - - - - kern.features.p1003_1b_mqueue - POSIX P1003.1B message queues support - - - - kern.features.p1003_1b_semaphores - POSIX P1003.1B semaphores support - - - - kern.features.kposix_priority_scheduling - POSIX P1003.1B real-time extensions - - - - kern.features.stack - Support for capturing the kernel stack - - - - kern.features.sysv_shm - System V shared memory segments support - - - - kern.features.pps_sync - Support usage of external PPS signal by kernel PLL - - - - kern.features.regression - Kernel support for interfaces necessary for - regression testing - - - - kern.features.invariant_support - Support for modules compiled with the INVARIANTS option - - - - kern.features.zero_copy_sockets - Zero 
copy sockets support - - - - kern.features.libmchain - mchain library - - - - kern.features.scbus - SCSI devices support - - - - kern.features.mac - Mandatory Access Control Framework support - - - - kern.features.audit - BSM audit support - - - - kern.features.geom_gate - GEOM Gate module - - - - kern.features.geom_uzip - GEOM uzip read-only compressed disks support - - - - kern.features.geom_cache - GEOM cache module - - - - kern.features.geom_mirror - GEOM mirroring support - - - - kern.features.geom_stripe - GEOM striping support - - - - kern.features.geom_concat - GEOM concatenation support - - - - kern.features.geom_raid3 - GEOM RAID-3 functionality - - - - kern.features.geom_fox - GEOM FOX redundant path mitigation support - - - - kern.features.geom_multipath - GEOM multipath support - - - - kern.features.g_virstor - GEOM virtual storage support - - - - kern.features.geom_bde - GEOM-based Disk Encryption - - - - kern.features.geom_eli - GEOM crypto module - - - - kern.features.geom_journal - GEOM journaling support - - - - kern.features.geom_shsec - GEOM shared secret device support - - - - kern.features.geom_vol - GEOM support for volume names from UFS superblocks - - - - kern.features.geom_label - GEOM labeling support - - - - kern.features.geom_sunlabel - GEOM Sun/Solaris partitioning support - - - - kern.features.geom_bsd - GEOM BSD disklabels support - - - - kern.features.geom_pc98 - GEOM NEC PC9800 partitioning support - - - - kern.features.geom_linux_lvm - GEOM Linux LVM partitioning support - - - - kern.features.geom_part_pc98 - GEOM partitioning class for PC-9800 disk partitions - - - - kern.features.geom_part_vtoc8 - GEOM partitioning class for SMI VTOC8 disk labels - - - - kern.features.geom_part_bsd - GEOM partitioning class for BSD disklabels - - - - kern.features.geom_part_ebr - GEOM partitioning class for extended boot records support - - - - kern.features.geom_part_ebr_compat - GEOM EBR partitioning class: - backward-compatible partition 
names - - - - kern.features.geom_part_gpt - GEOM partitioning class for GPT partitions - support - - - - kern.features.geom_part_apm - GEOM partitioning class for Apple-style - partitions - - - - kern.features.geom_part_mbr - GEOM partitioning class for MBR support - - - - - - - Boot Loader Changes - - The default boot loader menu has been - updated. - - The &man.loader.8; loader - now supports PBVM (Pre-Boot Virtual Memory). This allows - linking the kernel at a fixed virtual address without having to - make any assumptions about the physical memory layout. The - PBVM also allows fine control of the address where the - kernel and its modules are to be loaded. - - - - Hardware Support - - &os;/powerpc now - supports Sony Playstation 3 using the OtherOS feature - available on firmwares 3.15 and earlier. - - A new &man.loader.8; tunable - machdep.disable_tsc has been added. - Setting this to a non-zero value disables use of TSC (Time - Stamp Counter) by turning off boot-time CPU frequency - calibration, DELAY(9) with TSC, and using TSC as a CPU - ticker. Another new &man.loader.8; tunable - machdep.disable_tsc_calibration allows to - skip the TSC frequency calibration only. This is useful when - one wants to use the nominal frequency of the chip in Intel - processors, for example. - - The &os; &man.usb.4; - subsystem now supports USB 3.0 by default. - - The &os; &man.usb.4; subsystem now - supports USB packet filter. This allows to capture packets - which go through each USB host controller. The - implementation is almost based on &man.bpf.4; code. - The userland program &man.usbdump.8; has been added. - - - Network Interface Support - - A bug in the &man.alc.4; driver which - could make AR8152-based network interfaces stop working - has been fixed. - - A bxe(4) driver for Broadcom - NetXtreme II 10GbE controllers (BCM57710, BCM57711, - BCM57711E) has been added. - - The &man.cxgb.4; driver has been - updated to version 7.11.0. 
- - A &man.cxgbe.4; driver for Chelsio - T4 (Terminator 4) based 10Gb/1Gb adapters has been - added. - - The &man.dc.4; driver - now works correctly in kernels with the - option. - - The &man.em.4; driver has been - updated to version 7.3.2. - - The &man.igb.4; driver has been - updated to version 2.2.5. - - The &man.igb.4; driver now supports - Intel I350 PCIe Gigabit Ethernet controllers. - - The &man.ixgbe.4; driver has been - updated to version 2.3.8. - - Firmware images in the &man.iwn.4; - driver for 1000, 5000, 6000, and 6500 series cards have been - updated. - - A bug in the &man.msk.4; driver has been - fixed. It could prevent RX checksum offloading from - working. - - A bug in the &man.nfe.4; driver which - could prevent reinitialization after changing the MTU has - been fixed. - - A bug in the &man.ral.4; and &man.run.4; - drivers which could prevent hostap mode - from working has been fixed. - - A rdcphy(4) driver for RDC Semiconductor - R6040 10/100 PHY has been added. - - The &man.re.4; driver now supports - RTL8168E/8111E-VL PCIe Gigabit Ethernet controllers and - RTL8401E PCIe Fast Ethernet controllers. - - The &man.re.4; driver now supports - TX interrupt moderation on RTL810xE PCIe Fast Ethernet - controllers. - - The &man.re.4; driver now supports - another mechanism for RX interrupt moderation because of - performance problems. A &man.sysctl.8; variable - dev.re.N.int_rx_mod - has been added to control amount of time to delay RX - interrupt processing, in units of microsecond. Setting it - to 0 completely disables RX interrupt - moderation. A &man.loader.8; tunable - hw.re.intr_filter controls whether the - old mechanism utilizing MSI/MSI-X capability on - supported controllers is used or not. When set to - a non-zero value, the &man.re.4; driver uses the old - mechanism. The default value is 0 and - this tunable has no effect on controllers without MSI/MSI-X - capability. 
- - The &man.re.4; driver now - supports TSO (TCP Segmentation Offload) on RealTek - RTL8168/8111 C or later controllers. Note that this is - disabled by default because broken frames can be sent - under certain conditions. - - The &man.re.4; driver now - supports enabling TX and/or RX checksum offloading - independently from each other. Note that TX IP checksum - is disabled on some RTL8168C-based network interfaces - because it can generate an incorrect IP checksum when the - packet contains IP options. - - A bug in the &man.re.4; driver has - been fixed. It could cause a panic when receiving a jumbo - frame on an RTL8169C, 8169D, or 8169E controller-based - network interface. - - The &man.re.4; driver now supports - RTL8105E PCIe Fast Ethernet controllers. - - The rlphy(4) driver now supports the - Realtek RTL8201E 10/100 PHY found in RTL8105E - controllers. - - A bug in the &man.sis.4; driver has - been fixed. It could prevent a proper reinitialization - on DP83815, DP83816, and SiS 900/7016 controllers when the - configuration of multicast packet handling and/or - promiscuous mode is changed. - - A bug in the &man.vlan.4; pseudo interface - han been fixed. It could have a random interface - identifier in an automatically configured IPv6 link-local - address, instead of one generated with the parent - interface's IEEE 802 48-bit MAC address and an algorithm - described in RFC 4291. - - A &man.vte.4; driver for RDC R6040 Fast - Ethernet controllers, which are commonly found on the Vortex86 - System On a Chip, has been added. - - A &man.vxge.4; driver for the Neterion - X3100 10GbE Server/Storage adapter has been added. - - A bug in the &man.wpi.4; driver has been - fixed. It could display the following error messages and - result in the device being unusable: - *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
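Review bot: In the title hunk of errata/article.xml, the %release.type.snapshot branch expands to &release.prev; while the %release.type.current and %release.type.release branches both expand to &release.current;, and nothing in the markup says why. A short XML comment next to the snapshot branch explaining that choice would keep the next "Bump &release.*;" commit from "fixing" it by mistake. Since the current and release branches produce the same title, it is also worth checking whether they need to be separate marked sections at all.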
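Review bot: In the @@ -146,194 +143,68 @@ hunk of errata/article.xml, two of the removed Open Issues entries describe their problems as still pending: the ipv6_prefix_IF entry says the problem "will be fixed in the future releases", and the &man.xhci.4; USB 3.0 hub entry says the fix "will be merged into the 9-STABLE branch". The log only says "Trim old entries", so please confirm that both fixes are actually in stable/9 before dropping the documented workarounds, and name the fixing revisions in the log message. The same question applies to the removed debug.acpi.disabled="hostres" workaround, which the old text gives without stating that the underlying ACPI resource issue was resolved.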
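Review bot: The @@ -70,1303 +70,10 @@ hunk of relnotes/article.xml shrinks the What's New section from 1303 lines to 10, and the mail ends at "DIFF OUTPUT TRUNCATED AT 1000 LINES", so the replacement text and the release.dsl and release.ent changes listed under Modified cannot be reviewed from this message at all. I would split this into two commits: one that only trims the old entries, and one that carries the &release.*; bump and the stylesheet changes, so the part that alters what the documents render is small enough to read in the commit mail. The removed text is also the only place in this file that documents security-relevant defaults such as PT_GNU_STACK being "disabled by default" behind kern.elf32.nxstack and kern.elf64.nxstack; the log should say that this material is intentionally dropped from the stable/9 notes rather than leave it implied by "Trim old entries".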