Commit message | Author | Age | Files | Lines
* Add UPDATING entries and bump version. [releng/11.4] | Gordon Tetlow | 2021-08-24 | 2 | -1/+14
  Approved by: so
* Fix multiple vulnerabilities in OpenSSL. | Gordon Tetlow | 2021-08-24 | 3 | -1/+32
  Approved by: so
  Security: SA-21:17.openssl
  Security: CVE-2021-23840
  Security: CVE-2021-23841
* Fix libfetch out of bounds read. | Gordon Tetlow | 2021-08-24 | 1 | -1/+4
  Approved by: so
  Security: SA-21:15.libfetch
  Security: CVE-2021-36159
* Fix remote code execution in ggatec(8). | Gordon Tetlow | 2021-08-24 | 1 | -0/+20
  Approved by: so
  Security: SA-21:14.ggatec
  Security: CVE-2021-29630
* Fix missing error handling in bhyve(8) device models. | Gordon Tetlow | 2021-08-24 | 2 | -5/+7
  Approved by: so
  Security: SA-21:13.bhyve
  Security: CVE-2021-29631
* Add UPDATING entries and bump version | Mark Johnston | 2021-06-29 | 2 | -1/+8
  Approved by: so
* linux(4): Prevent integer overflow in futex_requeue. | Dmitry Chagin | 2021-06-29 | 1 | -7/+16
  To prevent a signed integer overflow in futex_requeue add a sanity check to catch negative values of nrwake or nrrequeue.

  Approved by: so
  Security: EN-21:22.linux_futex
  (cherry picked from commit 25b09d6f398ea8a260ee8e2e8209fd76c61e13ee)
  (cherry picked from commit f80ee27f447abc7baeb413cc0a7b7c21f9d32f8b)
* libcasper: add missing unistd.h | Mariusz Zaborski | 2021-06-29 | 1 | -0/+1
  Approved by: so
  Reported by: Arrigo Marchiori <ardovm (at) yahoo.it>
  (cherry picked from commit b4fe6fbab236a0fd37ebafb4d3bb15856f99596c)
* libcasper: fix descriptors numbers | Mariusz Zaborski | 2021-06-29 | 4 | -16/+50
  Casper services expect that the first 3 descriptors (stdin/stdout/stderr) will point to /dev/null. Which Casper will ensure later. The Casper services are forked from the original process. If the initial process closes one of those descriptors, Casper may reuse one of them for it on purpose. If this is the case, then renumerate the descriptors used by Casper to higher numbers. This is done already after the fork, so it doesn't break the parent process.

  Approved by: so
  Security: EN-21:19.libcasper
  PR: 255339
  Reported by: Borja Marcos <borjam (at) sarenet.es>
  Tested by: jkim@
  (cherry picked from commit aa310ebfba3d49a0b6b03a103b969731a8136a73)
  (cherry picked from commit 6c0a51837f4ba242ea723a887c3b6120d9335c8f)
* Add UPDATING entries and bump version | Mark Johnston | 2021-06-01 | 2 | -1/+5
  Approved by: so
* libradius: Fix attribute length validation in rad_get_attr(3) | Mark Johnston | 2021-06-01 | 1 | -1/+6
  The length of the attribute header needs to be excluded when comparing the attribute length against the length of the packet. Otherwise, validation may incorrectly fail when fetching the final attribute in a message.

  Approved by: so
  Security: FreeBSD-EN-21:17.libradius
  Fixes: 8d5c78130 ("libradius: Fix input validation bugs")
  Reported by: Peter Eriksson
  Tested by: Peter Eriksson
  Sponsored by: The FreeBSD Foundation
  (cherry picked from commit 6bb5699d2b59491097bc21ffa3c097cdd4853f89)
  (cherry picked from commit f9972532343bb1eb101bf7afef2966972eea3b5e)
* Add UPDATING entries and bump version | Mark Johnston | 2021-05-26 | 2 | -1/+5
  Approved by: so
* libradius: Fix input validation bugs | Mark Johnston | 2021-05-26 | 1 | -15/+29
  Approved by: so
  Security: FreeBSD-SA-21:12.libradius
  Security: CVE-2021-29629
  Sponsored by: The FreeBSD Foundation
  (cherry picked from commit 8d5c7813061dfa0b187500dfe3aeea7a28181c13)
  (cherry picked from commit 5e90dfc54f864651fd98087c6e1f1cbce203b20c)
* Add UPDATING entries and bump version | Mark Johnston | 2021-04-06 | 2 | -1/+8
  Approved by: so
* mount: Disallow mounting over a jail root | Mark Johnston | 2021-04-06 | 1 | -0/+5
  Discussed with: jamie
  Approved by: so
  Security: CVE-2020-25584
  Security: FreeBSD-SA-21:10.jail_mount
  (cherry picked from commit 6f7815083ad66c34bad0dfa08c7033ff670b3be1)
* vm_fault: Shoot down multiply mapped COW source page mappings | Mark Johnston | 2021-04-06 | 1 | -0/+27
  Reviewed by: kib, rlibby
  Discussed with: alc
  Approved by: so
  Security: CVE-2021-29626
  Security: FreeBSD-SA-21:08.vm
  (cherry picked from commit 71a0b26df14a18b720faaa924bd4e18fcb9638d5)
* Add UPDATING entry and bump version | Mark Johnston | 2021-02-24 | 2 | -1/+17
  Approved by: so
* pam_login_access: Fix negative entry matching logic | Mark Johnston | 2021-02-24 | 1 | -3/+3
  PR: 252194
  Approved by: so
  Security: CVE-2020-25580
  Security: FreeBSD-SA-21:03.pam_login_access
  (cherry picked from commit 6ab923cbca8759503a08683a5978b9ebf5efd607)
  (cherry picked from commit dae05d22d64ea218abe5883be539c2b41c20b1fb)
* xen-blkback: fix leak of grant maps on ring setup failure | Roger Pau Monné | 2021-02-24 | 1 | -0/+21
  Multi page rings are mapped using a single hypercall that gets passed an array of grants to map. One of the grants in the array failing to map would lead to the failure of the whole ring setup operation, but there was no cleanup of the rest of the grant maps in the array that could have likely been created as a result of the hypercall.

  Add proper cleanup on the failure path during ring setup to unmap any grants that could have been created.

  This is part of XSA-361.

  Approved by: so
  Security: CVE-2021-26932
  Security: FreeBSD-SA-21:06.xen
  Sponsored by: Citrix Systems R&D
  (cherry picked from commit 808d4aad1022a2a33d222663b0c9badde30b9d45)
  (cherry picked from commit 89238773a37f4fc8f0bf3ccca3aa03874478f194)
* MFC freebsd-update: unconditionally regenerate passwd/login.conf files | Kyle Evans | 2021-02-24 | 1 | -11/+3
  The existing logic is nice in theory, but in practice freebsd-update will not preserve the timestamps on these files. When doing a major upgrade, e.g. from 12.1-RELEASE -> 12.2-RELEASE, pwd.mkdb et al. appear in the INDEX and we clobber the timestamp several times in the process of packaging up the existing system into /var/db/freebsd-update/files and extracting for comparisons. This leads to these files not getting regenerated when they're most likely to be needed.

  Measures could be taken to preserve timestamps, but it's unclear whether the complexity and overhead of doing so is really outweighed by the marginal benefit.

  I observed this issue when pkg subsequently failed to install a package that wanted to add a user, claiming that the user was removed in the process. bapt@ pointed to this pre-existing bug with freebsd-update as the cause.

  PR: 234014, 232921
  Approved by: so
  Security: FreeBSD-EN-21:08.freebsd-update
  (cherry picked from commit ebebc41e4cfe44b8e8fd881badf2fa2c4be65aa4)
  (cherry picked from commit cd7da1deb581122c94c3735b78fafdd04ce77b67)
* MFC jail: Change both root and working directories in jail_attach(2) | Jamie Gritton | 2021-02-24 | 4 | -6/+42
  jail_attach(2) performs an internal chroot operation, leaving it up to the calling process to assure the working directory is inside the jail.

  Add a matching internal chdir operation to the jail's root. Also ignore kern.chroot_allow_open_directories, and always disallow the operation if there are any directory descriptors open.

  Approved by: so
  Security: CVE-2020-25582
  Security: FreeBSD-SA-21:05.jail_chdir
  Reported by: mjg
  Approved by: markj, kib
  (cherry picked from commit d4380c0cdd0517dc038403dd5c99242ce78bdeb5)
  (cherry picked from commit 570121808a76b85b2709502fb15618dd1e5296f1)
* MFC jail: Handle a possible race between jail_remove(2) and fork(2) | Jamie Gritton | 2021-02-24 | 3 | -0/+25
  jail_remove(2) includes a loop that sends SIGKILL to all processes in a jail, but skips processes in PRS_NEW state. Thus it is possible that a process in mid-fork(2) during jail removal can survive the jail being removed.

  Add a prison flag PR_REMOVE, which is checked before the new process returns. If the jail is being removed, the process will then exit. Also check this flag in jail_attach(2) which has a similar issue.

  Approved by: so
  Security: CVE-2020-25581
  Security: FreeBSD-SA-21:04.jail_remove
  Reported by: mjg
  Approved by: kib
  (cherry picked from commit cc7b73065302005ebc4a19503188c8d6d5eb923d)
  (cherry picked from commit c837631bd47af73d03e3d8907f1e58b88403007c)
* Add UPDATING entry and bump version | Ed Maste | 2021-01-29 | 2 | -1/+17
  Approved by: so
* xen: allow limiting the amount of duplicated pending xenstore watches | Roger Pau Monné | 2021-01-29 | 6 | -4/+51
  Xenstore watches received are queued in a list and processed in a deferred thread. Such queuing was done without any checking, so a guest could potentially trigger a resource starvation against the FreeBSD kernel if such kernel is watching any user-controlled xenstore path.

  Allow limiting the amount of pending events a watch can accumulate to prevent a remote guest from triggering this resource starvation issue.

  For the PV device backends and frontends this limitation is only applied to the other end /state node, which is limited to 1 pending event, the rest of the watched paths can still have unlimited pending watches because they are either local or controlled by a privileged domain.

  The xenstore user-space device gets special treatment as it's not possible for the kernel to know whether the paths being watched by user-space processes are controlled by a guest domain. For this reason watches set by the xenstore user-space device are limited to 1000 pending events. Note this can be modified using the max_pending_watch_events sysctl of the device.

  This is XSA-349.

  Sponsored by: Citrix Systems R&D
  MFC after: 3 days
  (cherry picked from commit 4e4e43dc9e1afc863670a031cc5cc75eb5e668d6)

  Note the xenstore user-space device part of this backport is dropped, as in stable/11 the device doesn't support setting up watches.

  (cherry picked from commit d9bd043f93df1a31ef16d2198d720a0a0831357f)
  Approved by: so
  Security: XSA-349, CVE-2020-29568
* xen/xenstore: remove unused functions | Roger Pau Monné | 2021-01-29 | 2 | -98/+0
  Those helpers are not used, so remove them. No functional change.

  Sponsored by: Citrix Systems R&D
  MFC after: 3 days
  (cherry picked from commit 720e27fff49e896fd774d355ba029b74b63fe278)
  Approved by: so
* msdosfs: Fix a leak of dirent padding bytes | Mark Johnston | 2021-01-29 | 1 | -0/+1
  This was missed in r340856 / commit 6d2e2df764199f0a15fd743e79599391959cc17d. Three bytes from the kernel stack may be leaked when reading directory entries.

  Reported by: Syed Faraz Abrar <faraz@elttam.com>
  Sponsored by: The FreeBSD Foundation
  (cherry picked from commit 599f90446376370eb365a0fde857ea2b5766873a)
  (cherry picked from commit 6d0a2f9d2ffce3d94c9a523d7779f791355d3677)
  Approved by: so
  Security: CVE-2020-25579
* MFC r364753: Add atomic and bswap functions to libcompiler_rt | Dimitry Andric | 2021-01-29 | 2 | -17/+12
  There have been several mentions on our mailing lists about missing atomic functions in our system libraries (e.g. __atomic_load_8 and friends), and recently I saw __bswapdi2 and __bswapsi2 mentioned too.

  To address this, add implementations for the functions from compiler-rt to the system compiler support libraries, e.g. libcompiler_rt.a and libgcc_s.so.

  This also needs a small fixup in compiler-rt's atomic.c, to ensure that 32-bit mips can build correctly.

  Bump __FreeBSD_version to make it easier for port maintainers to detect when these functions were added.

  Differential Revision: https://reviews.freebsd.org/D26159

  MFC r364782:
  After r364753, there should be no need to suppress -Watomic-alignment warnings anymore for compiler-rt's atomic.c. This occurred because the IS_LOCK_FREE_8 macro was not correctly defined to 0 for mips, and this caused the compiler to emit a runtime call to __atomic_is_lock_free(), and that triggers the warning.

  MFC r365509:
  Follow-up r364753 by enabling compiler-rt's atomic implementation only for clang, as it uses clang specific builtins, and does not compile correctly with gcc. Note that gcc packages usually come with their own libatomic, providing these primitives.

  MFC r365588:
  Follow-up r364753 by only using arm's stdatomic.c implementation, as it already covers the functions in compiler-rt's atomic.c, leading to conflicts when linking.

  PR: 230888
  (cherry picked from commit 7c73d99e6cf7b69630856acac4a2ab82f5c9f218)
  Approved by: so
* ffs: avoid creating corrupt extattrfile | Ed Maste | 2021-01-29 | 1 | -1/+1
  This is part of r312416 / e6790841f749, suggested by ml@netfence.it, and will stop the kernel from creating corrupt extattr.

  PR: 244089
  (cherry picked from commit eebccaae36722f62bc8f05e6c71b867d69faca5f)
  Approved by: so
* contrib/tzdata: import tzdata 2021a | Philip Paeps | 2021-01-29 | 5 | -10/+24
  Merge commit '4cd7e1071de16a7392b0e466287f13e9e6f2081a'

  Changes: https://github.com/eggert/tz/blob/2021a/NEWS
  (cherry picked from commit 8c5bef2eb24cb191c87712a56a9860d8c29415a0)
  (cherry picked from commit 09bdde595dd761fd3499b0b0eb085088b3d3276d)
  Approved by: so
* MFC: contrib/tzdata: import tzdata 2020f | Philip Paeps | 2021-01-29 | 4 | -6/+18
  Merge commit '96b88ac701b35ce68425046d4be8f51cb75b5d5b' into main

  Changes: https://github.com/eggert/tz/blob/2020f/NEWS
  (cherry picked from commit e35a01eec6926bfb5c088ca8961079b51a067bf3)
  (cherry picked from commit c41eeeac3cad996cc9194dc675cd78568a4a380f)
  Approved by: so
* MFC: contrib/tzdata: import tzdata 2020e | Philip Paeps | 2021-01-29 | 16 | -172/+816
  Changes: https://github.com/eggert/tz/blob/2020e/NEWS
  (cherry picked from commit dc505d53dcc15636aea9df8c03298f8c32147fa9)
  (cherry picked from commit 57d2cb51419cbd7a92214cc57c2145340946efc7)
  Approved by: so
* Fix OpenSSL NULL pointer de-reference. | Gordon Tetlow | 2020-12-14 | 7 | -7/+90
  Approved by: so
  Security: FreeBSD-SA-20:33.openssl
  Security: CVE-2020-1971
  Notes: svn path=/releng/11.4/; revision=368643
* Add UPDATING entries and bump version. | Gordon Tetlow | 2020-12-01 | 2 | -1/+17
  Approved by: so
  Notes: svn path=/releng/11.4/; revision=368257
* Fix multiple vulnerabilities in rtsold. | Gordon Tetlow | 2020-12-01 | 1 | -6/+18
  Approved by: so
  Security: FreeBSD-SA-20:32.rtsold
  Security: CVE-2020-25577
  Notes: svn path=/releng/11.4/; revision=368256
* Fix ICMPv6 use-after-free in error message handling. | Gordon Tetlow | 2020-12-01 | 1 | -9/+4
  Approved by: so
  Security: FreeBSD-SA-20:31.icmp6
  Security: CVE-2020-7469
  Notes: svn path=/releng/11.4/; revision=368255
* Update timezone database information. | Gordon Tetlow | 2020-12-01 | 19 | -336/+640
  Approved by: so
  Security: FreeBSD-EN-20:20.tzdata
  Notes: svn path=/releng/11.4/; revision=368251
* Add UPDATING entries and bump version. | Gordon Tetlow | 2020-09-15 | 2 | -1/+15
  Approved by: so
  Approved by: re (implicit for releng/12.2)
  Notes: svn path=/releng/11.4/; revision=365782
* Fix ftpd privilege escalation via ftpchroot. | Gordon Tetlow | 2020-09-15 | 1 | -4/+11
  Approved by: so
  Approved by: re (implicit for releng/12.2)
  Security: FreeBSD-SA-20:30.ftpd
  Security: CVE-2020-7468
  Notes: svn path=/releng/11.4/; revision=365781
* Fix bhyve SVM guest escape. | Gordon Tetlow | 2020-09-15 | 1 | -2/+11
  This actually has a patch to sys/amd64/vmm/amd/svm.c that was accidentally committed as part of r365779.

  Approved by: so
  Approved by: re (implicit for releng/12.2)
  Security: FreeBSD-SA-20:29.bhyve_svm
  Security: CVE-2020-7467
  Notes: svn path=/releng/11.4/; revision=365780
* Fix bhyve privilege escalation via VMCS access. | Gordon Tetlow | 2020-09-15 | 2 | -37/+73
  Approved by: so
  Approved by: re (implicit for releng/12.2)
  Security: FreeBSD-SA-20:28.bhyve_vmcs
  Security: CVE-2020-24718
  Notes: svn path=/releng/11.4/; revision=365779
* Fix ure device driver susceptible to packet-in-packet attack. | Gordon Tetlow | 2020-09-15 | 1 | -1/+3
  Approved by: so
  Approved by: re (implicit for releng/12.2)
  Security: FreeBSD-SA-20:27.ure
  Security: CVE-2020-7464
  Notes: svn path=/releng/11.4/; revision=365778
* Add UPDATING entries and bump version. | Gordon Tetlow | 2020-09-02 | 2 | -1/+14
  Approved by: so
  Notes: svn path=/releng/11.4/; revision=365258
* Fix dhclient heap overflow. | Gordon Tetlow | 2020-09-02 | 1 | -0/+2
  Approved by: so
  Security: FreeBSD-SA-20:26.dhclient
  Security: CVE-2020-7461
  Notes: svn path=/releng/11.4/; revision=365257
* Fix SCTP socket use-after-free. | Gordon Tetlow | 2020-09-02 | 6 | -25/+56
  Approved by: so
  Security: FreeBSD-SA-20:25.sctp
  Security: CVE-2020-7463
  Notes: svn path=/releng/11.4/; revision=365256
* Fix getfsstat compatibility system call panic. | Gordon Tetlow | 2020-09-02 | 1 | -0/+2
  Approved by: so
  Security: FreeBSD-EN-20:18.getfsstat
  Notes: svn path=/releng/11.4/; revision=365254
* Fix FreeBSD Linux ABI kernel panic. | Gordon Tetlow | 2020-09-02 | 1 | -14/+26
  Approved by: so
  Security: FreeBSD-EN-20:17.linuxthread
  Notes: svn path=/releng/11.4/; revision=365253
* Add UPDATING entries and bump version. | Gordon Tetlow | 2020-08-05 | 2 | -1/+11
  Approved by: so
  Notes: svn path=/releng/11.4/; revision=363924
* Fix sendmsg(2) privilege escalation. | Gordon Tetlow | 2020-08-05 | 1 | -59/+71
  Approved by: so
  Security: FreeBSD-SA-20:23.sendmsg
  Security: CVE-2020-7460
  Notes: svn path=/releng/11.4/; revision=363923
* Fix multiple vulnerabilities in sqlite3. | Gordon Tetlow | 2020-08-05 | 11 | -7380/+12716
  Approved by: so
  Security: FreeBSD-SA-20:22.sqlite
  Security: CVE-2020-11655
  Security: CVE-2020-11656
  Security: CVE-2020-13434
  Security: CVE-2020-13435
  Security: CVE-2020-13630
  Security: CVE-2020-13631
  Security: CVE-2020-13632
  Notes: svn path=/releng/11.4/; revision=363922
* Fix memory corruption in USB network device drivers. | Gordon Tetlow | 2020-08-05 | 1 | -2/+11
  Approved by: so
  Security: FreeBSD-SA-20:21.usb_net
  Security: CVE-2020-7459
  Notes: svn path=/releng/11.4/; revision=363921