From: Hiroki Sato
Date: Sun, 9 Jun 2013 15:10:56 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r41887 - head/en_US.ISO8859-1/htdocs/releases/8.4R
Message-Id: <201306091510.r59FAuuK054808@svn.freebsd.org>

Author: hrs
Date: Sun Jun 9 15:10:55 2013
New Revision: 41887
URL: http://svnweb.freebsd.org/changeset/doc/41887

Log:
  Regen from r251576.

Modified:
  head/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html

Modified: head/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html
==============================================================================
--- head/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html Sun Jun 9 14:29:03 2013 (r41886)
+++ head/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html Sun Jun 9 15:10:55 2013 (r41887)
@@ -1,5 +1,5 @@ -FreeBSD 8.4-RELEASE Errata

FreeBSD 8.4-RELEASE Errata

+FreeBSD 8.4-RELEASE Errata

FreeBSD 8.4-RELEASE Errata

The FreeBSD Project

FreeBSD is a registered trademark of the FreeBSD Foundation.

Intel, Celeron, EtherExpress, i386, @@ -14,7 +14,7 @@ as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the or the - ® symbol.

Last modified on 2013-06-08 by hrs.

Abstract

This document lists errata items for FreeBSD 8.4-RELEASE, + ® symbol.

Last modified on 2013-06-09 by hrs.


Abstract

This document lists errata items for FreeBSD 8.4-RELEASE, containing significant information discovered after the release or too late in the release cycle to be otherwise included in the release documentation. @@ -37,7 +37,39 @@ contain up-to-date copies of this document (as of the time of the snapshot).

For a list of all FreeBSD CERT security advisories, see http://www.FreeBSD.org/security/ or ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/.

2. Security Advisories

The following security advisories pertain to FreeBSD 8.4-RELEASE. For more information, consult the individual advisories available from - http://security.FreeBSD.org/.

AdvisoryDateTopic
SA-12:01.openssl03 May 2012

OpenSSL multiple vulnerabilities

SA-12:02.crypt30 May 2012

Incorrect crypt() hashing

SA-12:03.bind12 June 2012

Incorrect handling of zero-length RDATA fields in named(8)

SA-12:04.sysret12 June 2012

Privilege escalation when returning from kernel

SA-12:05.bind06 August 2012

named(8) DNSSEC validation Denial of Service

SA-12:06.bind22 November 2012

Multiple Denial of Service vulnerabilities with named(8)

SA-12:07.hostapd22 November 2012

Insufficient message length validation for EAP-TLS messages

SA-12:08.li nux22 November 2012Linux compatibility layer input validation error

SA-13:02.libc19 February 2013

glob(3) related resource exhaustion

SA-13:03.openssl02 April 2013

OpenSSL multiple vulnerabilities

SA-13:04.bind02 April 2013

BIND remote denial of service

SA-13:05.nfsserver29 April 2013

Insufficient input validation in the NFS server

3. Open Issues

[20130608] FreeBSD 8.4-RELEASE no longer supports FreeBSD CVS + http://security.FreeBSD.org/.

AdvisoryDateTopic
SA-12:01.openssl03 May 2012

OpenSSL multiple vulnerabilities

SA-12:02.crypt30 May 2012

Incorrect crypt() hashing

SA-12:03.bind12 June 2012

Incorrect handling of zero-length RDATA fields in named(8)

SA-12:04.sysret12 June 2012

Privilege escalation when returning from kernel

SA-12:05.bind06 August 2012

named(8) DNSSEC validation Denial of Service

SA-12:06.bind22 November 2012

Multiple Denial of Service vulnerabilities with named(8)

SA-12:07.hostapd22 November 2012

Insufficient message length validation for EAP-TLS messages

SA-12:08.li nux22 November 2012Linux compatibility layer input validation error

SA-13:02.libc19 February 2013

glob(3) related resource exhaustion

SA-13:03.openssl02 April 2013

OpenSSL multiple vulnerabilities

SA-13:04.bind02 April 2013

BIND remote denial of service

SA-13:05.nfsserver29 April 2013

Insufficient input validation in the NFS server

3. Open Issues

[20130609] There is incompatibility in jail(8) + configuration because the jail(8) utility and + rc.d/jail script has been changed. More + specifically, the following sysctl(8) variables cannot be + used to set the default parameters for jails:

security.jail.mount_zfs_allowed
+security.jail.mount_procfs_allowed
+security.jail.mount_nullfs_allowed
+security.jail.mount_devfs_allowed
+security.jail.mount_allowed
+security.jail.chflags_allowed
+security.jail.allow_raw_sockets
+security.jail.sysvipc_allowed
+security.jail.socket_unixiproute_only
+security.jail.set_hostname_allowed

These could be set by manually using sysctl(8) utility, + the sysctl.conf(5) file, or for some of them the following + variables in rc.conf(5):

jail_set_hostname_allow="yes"
+jail_socket_unixiproute_only="yes"
+jail_sysvipc_allow="yes"

These parameters must now be specified in + jail_parameters (or + jail_jailname_parameters + for per-jail configuration) in rc.conf(5). For + example:

jail_parameters="allow.sysvipc allow.raw_sockets"

The valid keywords are the following. For more detail, see + jail(8) manual page.

allow.set_hostname
+allow.sysvipc
+allow.raw_sockets
+allow.chflags
+allow.mount
+allow.mount.devfs
+allow.mount.nullfs
+allow.mount.procfs
+allow.mount.zfs
+allow.quotas
+allow.socket_af

[20130608] FreeBSD 8.4-RELEASE no longer supports FreeBSD CVS repository. Some documents mistakenly refer to RELENG_8_4_0_RELEASE as CVS tag for the release and RELENG_8_4 as CVS branch tag for the @@ -49,12 +81,8 @@ RELENG_8_4_0_RELEASE corresponds to svn://svn.FreeBSD.org/base/release/8.4.0. Please note that FreeBSD source tree for 8.4-RELEASE and its security - branch cannot be updated by using official CVSup servers.

[20130607] The bge(4) network interface driver has an - issue when TSO (TCP Segmentation Offload) is enabled. It causes - intermittent reset and re-initialization.

A workaround is disabling the TSO feature. One can disable - it by adding the following line into the rc.conf(5) - file:

ifconfig_bge0="-tso"

or by using the ifconfig(8) utility manually:

# ifconfig bge0 -tso

A patch to fix this issue will be released as an Errata - Notice.

[20130606] The fxp(4) network interface driver may not + branch cannot be updated by using official CVSup servers.

[20130607] (removed about a bge(4) network interface + driver issue because it was incorrect)

[20130606] The fxp(4) network interface driver may not work well with the dhclient(8) utility. More specifically, if the /etc/rc.conf has the following line:

ifconfig_fxp0="DHCP"

to activate a DHCP client to configure the network
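
Review bot: In the @@ -37,7 +37,39 @@ hunk, the new [20130609] jail(8) entry lists ten security.jail.* sysctl variables and eleven allow.* keywords but never says which keyword replaces which variable. Most pairs can be guessed from the names (security.jail.mount_zfs_allowed and allow.mount.zfs), but security.jail.socket_unixiproute_only has no same-named keyword; its counterpart is allow.socket_af, whose sense is reversed, so an administrator translating a restrictive sysctl.conf(5) could loosen a jail by mistake. Suggest a two-column old/new table in the source this page is regenerated from, with a remark on that inversion. Also, "the jail(8) utility and rc.d/jail script has been changed" should read "have been changed", and "These could be set by manually using sysctl(8) utility" reads better as "These could previously be set manually with the sysctl(8) utility".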
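
Review bot: In the @@ -49,12 +81,8 @@ hunk, the [20130607] replacement text "(removed about a bge(4) network interface driver issue because it was incorrect)" does not say what was incorrect. The removed entry told readers to put ifconfig_bge0="-tso" in rc.conf(5) and promised an Errata Notice, so anyone who followed it is left without knowing whether to revert the setting or whether a patch is still coming. Suggest stating explicitly, if that is the case, that the TSO workaround is not needed and no Errata Notice is planned, and rewording the placeholder to "(an item about the bge(4) network interface driver was removed because it was incorrect)".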