New stable version: HardenedBSD-stable 11-STABLE v46.4

Submitted by op on

HardenedBSD-11-STABLE-v46.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: This is a SECURITY UPDATE!

Highlights:

  • changed pam_ssh support: ssh1 removed, ed25519 added
  • Windows 2k8's hyperv boot fix
  • bspatch fixes [FreeBSD SA candidate]
  • OpenSSL update to 1.0.2i [FreeBSD-SA-16:26.openssl]
  • libarchive update (2855e58) [FreeBSD SA candidate]

Installers:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.4-amd64-bootonly.iso) = 6c89699c03c0e09d9418d760803ae00fac07b250a52adb27da09ff0f442e137deb1b5a4a2006989f799396f27a9a2fb1e0e1ef2524a7410d9d67e72a3ab10adf
SHA512 (HardenedBSD-11-STABLE-v46.4-amd64-disc1.iso) = b99c7bf72073f8c0c44251466dee2594a6e71bf0ebdf0916d787dca1f3feac1f48aeb587635c929f69e3cc0585fbdf17a531bb8f0c7cd380c2cb3cbfda801d88
SHA512 (HardenedBSD-11-STABLE-v46.4-amd64-memstick.img) = 0205ca2a34e8af05d1f328aa687a3f48e5a94b62f9873b12145f0d4269353e58f4df4749b86e4d70df809708e3cdd50a1739261f25dfb67682d21747a4bc4e53
SHA512 (HardenedBSD-11-STABLE-v46.4-amd64-mini-memstick.img) = 53589107b4177e9705cdf5efd2c5da9f6a16279d2885a8a040a1d30f30cad1a8ac22a04566288781f4e5d6fe99a6f8e377ea86693fe506c7b4ce2ac73b14d123

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJX6HceAAoJEIGbEaJv/RiNFIUP/1nQqwWn8DJNzBQhCrdkoQy1
j5FkxFEQ3Ql2+F1TVCQpUDbKlzVTnmZ8QKFmpm6mMCwMHY93oxURFXmh2zPaXSXq
paPWef/it+cNc0DoLrOgLh1zu5PxyE0CJB97Nht3oJuM/PhhW+PK7h0fzeRjl7Sf
wvnKVxccZWzu58FdhcevWT+vfFyYNq2DSo5hBouDD+FjOjhxnBbGhNSkWyQ0xYeL
TBBRho9cgvJ1ipkVjGepJNJ0ZQBR8HyIuMJvy8mE0WKGwvDQc58LaJBRN67L+FoE
ugqyLg64iE7qJMcB/sIz+K+oC6+EjEfKIlS8Qh9ivCF1S/aoWunJ9wfQLWjngr3h
95sfwdvbOnJhBV6+BioQH2GDep5sCph82TAFcqfu4Mt7r/3X3sZGAWYuW27LSOYt
0tHVIPJv/+Img/QnBOlGHZHooh4UzBwTrC9dzUibGJOapJt+OcBQ9o1fopXOLfMV
ko3osqXOpYOLvn+2ZljPouqWiUfYZrj+CCEFI6uOwJdNRgvm7jf52DFXTP3dbOg8
cGTW5dfiaeqtQgVknlM6iVLl5F9JvdWJIroP2+0E5f8YEC//tkBA5vaFPnDso3JD
3n31rXzN7OKLwF8QbebAuZuwoyWdCmEHpIsmMRsf5TacAA73vfGl3qVE2oZ80VTo
6sRnEFeq8Bl0WVTgXFte
=CUnd
-----END PGP SIGNATURE-----

Changelog:

Oliver Pinter (1):
HBSD: prepare the cherry-pick of proper libarchive fix(53359a8ebc373b953ea95eb20baa9d9d92f735e9)

Oliver Pinter + (31):
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

ache (1):
MFC r305841

ae (1):
MFC r305778: Fix swap tables between sets when this functional is enabled.

andrew (14):
MFC 305767: Add a warning about a known erratum we have observed on ThunderX pass 1.1. As this is evaluation hardware with only a few users, and there is a lack of information add a warning when booting on this hardware.
MFC 305771, 305772: Fix the arm64 kernel build when DDB is disabled, debug_monitor.c depends on DDB, and is unused when it's disabled.
MFC 305605: Don't panic when we don't handle a userland exception, not all we may see are currently handled.
MFC 303744: Remove the pvh_global_lock lock from the arm64 pmap. It is unneeded on arm64 as invalidation will have completed before the pmap_invalidate_* functions have complete.
MFC 303903: Implement pmap_align_superpage on arm64 based on the amd64 implementation. This will be needed when superpage support is added.
MFC 303904: Uncomment the vm.kvm_size and vm.kvm_free sysctls. These work as expected so there is no reason to leave them commented out.
MFC 304004, 304596, 304598, 304599, 304600, 304604, 304620, 304685, 304687, 304688, 304689, 304746, 304749, 304750, 304806, 305071, 305191: Merge arm64 superpage support, however leave it disabled by default.
MFC 305545: Only call cpu_icache_sync_range when inserting an executable page. If the page is non-executable the contents of the i-cache are unimportant so this call is just adding unneeded overhead when inserting pages.
MFC 305546: When synchronising the instruction and data caches we only need to clean the data cache to the point of unification. This is the point where the two caches are unified to a single unified cache so cleaning past here is just extra unneeded work.
MFC 305128: Also handle instruction traps. We might hit these when the page we are executing is being promoted to a superpage.
MFC 305607: Trap msr/mrs instructions. These are privileged arm64 instructions and shouldn't normally be used.
MFC r304892: Print both the kernel read and write translation in DDB when asking for a virtual to physical translation. These may be different, e.g. when a page is mapped as read-only.
MFC 305285: Add a pc_clock pcpu field and use it to implement cpu_est_clockrate. This will allow drivers that manage the clock frequency to communicate this with the reset of the kernel.
MFC 304799: Map coherent memory in a non-coherent dma tag as uncached. This is similar to what the 32-bit arm code does, with the exception that it always assumes the tag is non-coherent.

asomers (2):
MFC r302778
MFC r304162

avg (9):
MFC r305535: amdsbwd: add support for FCH in family 16h models 30h-3Fh processors
MFC r303111: Document list of supported chipsets.
MFC r303113: Cross-link some SMBus controller drivers man pages.
MFC r305596: intpm.4 update supported hardware list
MFC r305600: amdsbwd.4: update supported hardware list
MFC r305603: intpm: do not try attaching to unsupported controller revisions
MFC r305604: intpm: better clean up resources after a failed attachment
MFC r305606: intpm: make sure to register smbus driver before intpm driver
MFC r305602: intpm: fix attachment to supported AMD FCHs

avos (1):
MFC r305470:

badger (1):
MFC r305956: Add manpage for rctl_* system calls

bde (1):
MFC r305380:

dchagin (1):
MFC r305896:

dim (1):
MFC r305430:

emaste (10):
MFC r303674: readelf: report ARM program and section header types
MFC r304151: elfcopy: silence GCC 5.3 unitialized variable warning
MFC r304160: elfcopy: add elf64-littleaarch64 output target support
MFC r304191: elfcopy: correct comment typo
MFC r305130: Update to ELF Tool Chain r3490
MFC r305160: Set UEFI boot loader PE/COFF timestamps to known value for reproducible builds
MFC r303335: apply some style(9) to kbd: make function name start in column 1
MFC r303670: Add ELFOSABI_ARM_AEABI ELF OSABI constant
MFC r303677: Move/add ARM ELF PHDR types to elf_common.h
MFC bspatch Capsicumization, sanity checks, and other improvements

gnn (2):
MFC: 304825 Unlike Solaris, in FreeBSD p_args can be 0 so check for that instead of walking down to ar_args blindly.
MFC: 305066,305304,305312

grehan (4):
MFC r302546 Implement right shift/ctl, and convert the VNC/xorg scancode of 0xff03 into right-alt.
MFC r302972,r303349
MFC r303352 - Change the fbuf "vga" parameter to "vga=on|io|off". "io" is the default, and allows VGA i/o registers to be accessed. This is required by Win7/2k8 graphics guests that use a combination of BIOS int10 and UEFI. "off" disables all VGA i/o and mem accesses. "on" is not yet hooked up, but will enable full VGA rendering.
MFC r305061 Invert calloc(3) argument order

hselasky (14):
MFC r305421: Resolve deadlock between device_detach() and usbd_do_request_flags() by reviving the SX control request lock and refining which lock protects the common scratch area in "struct usb_device".
MFC r305590: Correctly map the USB mouse tilt delta values into buttons 5 and 6 instead of 3 and 4 which is used for the scroll wheel, according to X.org.
MFC r305867: Update the MLX5 core module: - Add new firmware commands and update existing ones. - Add more firmware related structures and update existing ones. - Some minor fixes, like adding missing \n to some prints.
MFC r305868: mlx5en: Separate the sendqueue from using the mlx5e_channel structure.
MFC r305869: mlx5en: Minor completion queue control path code refactor.
MFC r305870: mlx5en: Make the mlx5e_open_cq() and mlx5e_close_cq() functions global.
MFC r305871: mlx5en: Optimise away duplicate UAR pointers.
MFC r305872: mlx5en: Properly declare doorbell lock for 32-bit CPUs.
MFC r305873: mlx5en: Factor out common sendqueue code for use with rate limiting SQs.
MFC r305874: mlx5en: Allow setting the software MTU size below 1500 bytes
MFC r305875: mlx5en: Verify port type is ethernet before creating network device
MFC r305876: mlx5en: Remove unused pdev pointer.
MFC r305877: mlx5en: Fix duplicate mbuf free-by-code.
MFC r305804: Make the callout structure in the boot loader's kernel shim more similar to the kernel one.

jhb (1):
MFC 305624: Document PCI_HP and PCI_IOV kernel options and various tunables in pci(4).

jhibbits (1):
MFC r305894:

jkim (1):
MFC: r306193

karels (1):
MFC r304713:

kevlo (2):
MFC r305575:
MFC r306102:

kib (12):
MFC r305129: Make swapoff reliable.
MFC r305744: Fix typo in comment.
MFC r304285: Implement userspace gettimeofday(2) with HPET timecounter.
MFC r305939: Remove trailing space.
MFC r305592: Partially lift suspension when ffs_reload() finished with cgs and going to re-read inodes.
MFC r305593: There is no need to upgrade the last dvp lock on lookups for modifying operations. Instead of upgrading, assert that the lock is exclusive. Explain the cause in comments.
MFC r305594: In softdep_prealloc(), return early not only for snapshots, but for the quota files as well.
MFC r305595: In dqsync(), when called from quotactl(), um_quotas entry might appear cleared since nothing prevents completion of the parallel quotaoff. There is nothing to sync in this case, and no reason to panic.
MFC r305597: When extending directory inode in ufs_direnter(), adjust i_endoff.
MFC r305598: When logging unlikely UFS_TRUNCATE() failure in ufs_direnter(), include error code.
MFC r305599: Do not leak transient ENOLCK error from flush_newblk_dep() loop.
MFC r305601: On rename, do not perform truncation of dirhash if the vnode truncation failed.

markj (2):
MFC r305425: Remove an unreachable return statement from ARM's minidumpsys().
MFC r305363: Remove redefinitions of some kernel types from mbuf.d.

mav (7):
MFC r305679: Switch random_get_pseudo_bytes() shim to arc4rand().
MFC r305536: Fix channel initialization in FBS mode.
MFC r305123: Fix kernel panic when inheriting properties without default.
MFC r305591: Decode ATA Status Return descriptor.
MFC r305608: "ATA pass through information available" is not an error.
MFC r305609: "Extended copy information available" is not an error either.
MFC r305610: Don't report to devd statuses that CAM doesn't consider errors.

mm (2):
MFC r305422: Sync libarchive with vendor
HBSD MFC: MFV r305816: Sync libarchive with vendor including important security fixes. (dfb2179f22587dff6eeae3ed56a8afc4a)

ngie (4):
MFC r305018,r305019,r305020:
MFC r305033,r305041,r305170:
MFC r305356:
MFC r305357:

roberto (1):
MFC: 304626,304635: r304626: Add support for Ed25519 keys. r304635: Remove support for SSH1, already disabled in our OpenSSH.

sephe (2):
MFC 305177 net/vlan: Shift for pri is 13 (pri mask 0xe000) not 1.
MFC 306015

will (1):
MFC r305484: