Stable release: HardenedBSD-stable 11-STABLE v1100056.3

HardenedBSD-11-STABLE-v1100056.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD: do not allow init_exec to be overridden by default from the loader when the kernel is compiled with PAX_HARDENING (19f62c611d729b0e11aeea09cca92b8a2357e086)
  • HBSD MFC r337774: Reserve page at the physical address zero on amd64. (2be594934556ef121ee095b76cbed845cf51fbb3) [CVE-2018-3620]
  • Limit IP reassembly queues (b237529341a40e980dbbb8998bd029dd805f976f 473b73fec73ba098937b1deb304cbb285fed289a 3b9d004b0f08c95203a2a61bdb293a075470d55e 9154624e12ec34b0048dd9ca7159a4b7fdda80e7 dfb2edc8f5fa836a42011e06d48ee99560312081 d85d7540a7fc2cf733c4a655a4c9b28fb6acf42c 54c1ac1408df4b7b0186933e804da8a5a622c24f b3822a674366465673f831e3ff2b544e7292f924 2762fee5dd30eb9f1896295c63521e86a9b98d06 95d18bdb4de4bc81529cae34a3e1976145d6fcb1 f0d4e7bdc43c2e330df8bf6cb1fca39295403ffd) [FreeBSD-SA-18:10.ip CVE-2018-6923]
  • HBSD MFC r337745: MFV r337744: Sync libarchive with vendor. [CVE-2017-14501]
  • MFC r337785: Provide part of the mitigation for L1TF-VMM. (249be5558ae7f7a429466ea46764dfb581133a03) [CVE-2018-3646]
  • MFC r336855 Fix the long term ULE load balancer so that it actually works. (e2d93727643b74f67085eb874430e0e9eeb57641)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-bootonly.iso) = ebb9bcfff4ae383a5786f1c604d1a8798168b452f3c60c93138987e42248c85c54986d86707e03f18cf5166dae95b18b87ed075bce1829c314007a6988c7248d
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-disc1.iso) = d59e6c829713f8a93bcafd712205598f690d4c4933bc5798f7c727382e84b18450cf2e166b3ff5fabdb410a73873fa238d7a90913de80f25af1ec1cfaa62bffd
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-memstick.img) = 63da6f43b0d280e4af5acd57541bd0b8876910e2ec433e076ece608737c9770672629a009dc6522b366432d69c095860fceab0fac2ed2d1c9f9e9da6f8d6bd4b
SHA512 (HardenedBSD-11-STABLE-v1100056.3-amd64-mini-memstick.img) = 1b720e5735c549b24154d7d12ed945fa3a0fbca55304c344845ae731fcdb0a990f07c299d5e9fb7cf858af4d88392fcfb7b930a070ffd4b2bffadf56a7b260eb

CHECKSUM.SHA512.asc:


Changelog:

Oliver Pinter (6):

  • HBSD MFC r337773: amd64: ensure that curproc->p_vmspace pmap always matches PCPU curpmap.
  • HBSD MFC r337745: MFV r337744: Sync libarchive with vendor.
  • HBSD MFC r337774: Reserve page at the physical address zero on amd64.
  • Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
  • HBSD: do not allow init_exec to be overridden by default from the loader when the kernel is compiled with PAX_HARDENING
  • HBSD: back out d138fc7b3d368a10326b6eaf70951c553adc7a4f commit due to boot problems


Oliver Pinter + (15):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master


ae (3):

  • MFC r336405: Move invoking of callout_stop(&lle->lle_timer) into llentry_free().
  • MFC r336132: Add "record-state", "set-limit" and "defer-action" rule options to ipfw.
  • MFC r331098 (by melifaro): Fix outgoing TCP/UDP packet drop on arp/ndp entry expiration.


bdrewery (23):

  • MFC r335183:
  • MFC r335244:
  • MFC r335704:
  • MFC r335708:
  • MFC r335709:
  • MFC r310789,r314901:
  • MFC r335733:
  • MFC r335923:
  • MFC r335912:
  • MFC r335922:
  • MFC r326552:
  • MFC r324103:
  • MFC r323620:
  • MFC r322565,r323323:
  • MFC r321492:
  • MFC r321491:
  • MFC r321333:
  • MFC r320286:
  • MFC r320191:
  • MFC r320274:
  • Revert r325808 (MFC r322401) to re-MFC with larger set
  • MFC r320280,r320281,r320282,r320283,r320284,r320285,r320692,r322362,r322401,r322402,r336181:
  • MFC r326569:


brooks (1):

  • MFC r337508:


davidcs (3):

  • MFC r336438
  • MFC r336680 Update man page with support for 41000 Series adapters
  • MFC r336695 Remove support for QLNX_RCV_IN_TASKQ - i.e., Rx only in TaskQ. Added support for LLDP passthru. Upgrade ECORE to version 8.33.5.0. Upgrade STORMFW to version 8.33.7.0. Added support for SRIOV.


delphij (2):

  • MFC r336121+r336127(cem): Don't delete outfile unconditionally.
  • Remove mention of FreeBSD 9.x which is EoL'ed now.


dteske (1):

  • MFC SVN r336350: Send sysrc(8) error message to stderr (not stdout)


gjb (1):

  • MFC r337555, r337556: r337555: Update and replace old rc daemons for GCE images.


jtl (11):

  • MFC r337775: Improve hashing of IPv4 fragments.
  • MFC r337776: Improve IPv6 reassembly performance by hashing fragments into buckets.
  • MFC r337778: Add a global limit on the number of IPv4 fragments.
  • MFC r337780: Implement a limit on the number of IPv4 reassembly queues per bucket.
  • MFC r337781: Make the IPv6 fragment limits be global, rather than per-VNET, limits.
  • MFC r337782: Add a limit of the number of fragments per IPv6 packet.
  • MFC r337783: Implement a limit on the number of IPv6 reassembly queues per bucket.
  • MFC r337784: Drop 0-byte IPv6 fragments.
  • MFC r337786: Lower the default limits on the IPv4 reassembly queue.
  • MFC r337787: Lower the default limits on the IPv6 reassembly queue.
  • MFC r337788: Update the inet(4) and inet6(4) man pages to reflect the changes made to the reassembly code in r337778, r337780, r337781, r337782, and r337783.


kevans (3):

  • MFC r337549: libnv: Remove -I${SRCTOP}/sys
  • MFC r337331: efirt: Don't enter EFI context early, convert addrs to KVA
  • MFC r322325: cat: fix build with -DNO_UDOM_SUPPORT


kib (9):

  • MFC r337055: Avoid assertion in /dev/ufssuspend when the suspend ioctl is (incorrectly) called while another suspension is already active.
  • MFC r337236: Some updates to vm_map(9).
  • MFC r337316: Add END()s for amd64 linux futex support routines.
  • MFC r336568: Move OFED libraries libmlx5.so.1 and libibverbs.so.1 to /lib.
  • MFC r336569: Move mostly useless examples binaries from OFED, as well as the Subnet Manager, under the new option WITH_OFED_EXTRA, disabled by default.
  • MFC r337430, r337436: Add missed handling of local relocs against ifunc target in the obj modules.
  • MFC r337774: Reserve page at the physical address zero on amd64.
  • MFC r337777: Add definitions related to the L1D flush operation capability and MSR.
  • MFC r337785: Provide part of the mitigation for L1TF-VMM.


markj (7):

  • MFC r337059: Fix some nits in the unix_passfd tests.
  • MFC r337031: Require that MAC label buffers be able to store a non-empty string.
  • MFC r336714: Simplify the arm64 implementation of pmap_mincore().
  • MFC r337265: Add the required page accounting to kmem_bootstrap_free().
  • MFC r337133: Add a rudimentary test for procstat kstack.
  • MFC r337425: Recognize ICS1893C PHYs.
  • MFC r337426: ifconfig: Fix use of _Noreturn


mmel (1):

  • MFC r335249:


oshogbo (1):

  • MFC r337189: bhyve: set title before entering capability mode


truckman (1):

  • MFC r336855
