Stable release: HardenedBSD-stable 12-STABLE v1200058.4

Submitted by op on

HardenedBSD-12-STABLE-v1200058.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r345078: hwpmc/core: Adopt to upcoming Skylake TSX errata. (4252e660ecb50dfdae262be111061aa85fcb5864)
  • MFC: r344757: Fix double free in case of mount error. (6b0855e01b577ab90fb58fca2fbcd7139e7dc527)
  • MFC: r344754: Do not panic if inode bitmap is corrupted. (d58ea7668a31fbc14f05ba8975a87c1dc5cdb194)
  • MFC: r344755: Fix integer overflow possibility. (66bedc8f13366ff9df84786d1e1e8a864800918f)
  • MFC r344670: Allow FIONBIO and FIOASYNC ioctls on POSIX shm descriptors. (aaa017b23b47f1cb67b49eb8d4939d2aab9159df)
  • MFC r344562: FFS: allow sendfile(2) to work with block sizes greater than the page size (a32149b5deac882f31f0aa448f8ed69244af8a20)
  • HBSD: Revert "MFC r343964, r344121, r344128, r344593, r344594:" Revert of FreeBSD's ASR implementation. (9729cbe04506cba471aaa5a4c25f712ddf4f75a7)
  • MFC r344140,r344141,r344142,r344143,r344388,r344547: Add CBC-MAC authentication. Add AES-CCM encryption, and plumb into OCF. (9b2dd6cb463ad737942a99e34af81c65dfb4d14b)
  • HBSD: same shit like with librt, move libexecinfo's so to /lib (4403befcd40c2c573e428c6b2452cefcb5679ceb)
  • MFC r344494,r344495: evdev: export event device properties through sysctl interface (dd53f13958e1e1306f3cecffbf0af504f5dddf68)
  • Disable WITH_RETPOLINE on stable/12. (4e79588d3043e5f24f223c5a42a662b79d870abc)
  • MFC r344449: scp: validate filenames provided by server against wildcard (531e90823d82662c5e008c9c04fa24a532e7eb48)
  • MFC r344883: nptd 4.2.8p12 --> 4.2.8p13 [FreeBSD-SA-Candidate CVE-2019-8936]
  • MFC r344063,r344088: Sync libarchive with vendor. [FreeBSD-SA-Candidate CVE-2019-1000019 CVE-2019-1000020]
  • MFC: r344602 Merge OpenSSL 1.1.1b. (bd8357d913b260cf55f0818d30ff889d62a702ea)
  • HBSD: Disable cfi-icall for usr.sbin/ppp (c9056e1d8c17af42a6fa933fb1e544b1705ba72f)
  • Merge clang 7.0.1 and several follow-up changes (a39fc2a725d1f743ccd878ef7264dcba56f674de)
  • MFC r343850: contigmalloc: handle M_EXEC. (bcfd287a0368013fdeaec7291890deb4aa10bfd1)
  • ZFS updates
  • ipfw updates
  • pf updates
  • ipfilter cleanups
  • em, igbe updates
  • net80211 updates
  • iflib updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-bootonly.iso) = 0afcc9d2351f50c9dccb6c79ba2da2ea6d81d7729f0f8109061b053a51c5c0b929801c4c5affd603c802ea777d7293477232ca1db5c741556554ab3dbe6049ac
SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-disc1.iso) = 79a4255012da260ecd239d941825e5ace4373b25ad112dc0eb36377554ab64a874bf08092e3e258e2cd394a227eab7355909e4b166f61974419145351a44293e
SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-memstick.img) = 4f1aa178fc6ff3b38cfc55aaa5a668ef0b92a05afcfcf237a96483e70a8f67869f606e60de5f03a07ef15df004be23ec92225ba69fbc3070231943bddcba9738
SHA512 (HardenedBSD-12-STABLE-v1200058.4-amd64-mini-memstick.img) = efea297d2ae2580b3a95021be6e5c8e24bfb8e700fc5e3924bdb863f80537da604b0162e4b4fc2d8054de3d8f17f32f0cb0f91f4c273e66ce3e26ccfff54b783

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlyTB7MACgkQgZsRom/9
GI3WNA//XiGYLDMkiRWmHgpg4zmEs2ucv3DNwiCuNRsphBtIvTTFYiUyrF8ui3i3
1r52FN/kcVILMwT+b6NZuY54/Xl2E6jdXzJ11ZKQkRc1ZXrdOb/AGXU/jJ+jKpWj
BJYocyLcP+qZEj28ztLA60He0kGIEpmyK9lgpsSShVON0BJ/DIGy0h154nyMTZoz
YFYClcG72MOapmwpNDdntPXa5HpGwiz8r7EGnw3hKLXkngXkegDPQ/pnAkm5gePr
7qOpw/XwZzfH1xDUu721AwlyzjRDDOkL9mNpC3cn3hLJLR8El8YupVMQziUK/FBA
Y0wPPQ/TxNIQwtAM7SZW/p/B1tCpE2k7+BMWcJzEyWtfyr0KcoXW490Asgur9yL1
/v5RnORId64ulzmzXymEpsP8/8ujE0mlyVCh6i6MowwGbHgNkRORUSX0sDnclfOA
wkvmZ5nLQ6KQBhZ2wg2NL4xbjid0YGgirvVF8YnxnMz+k3jfUsqRIU/EZCZzucxa
kukEPNPTZZOtCEaLGC0rl8dfm2eRuxr+lRJ6l/bw68bIM5+x+DycF17UqN8+aeXR
rt9F47Uq8bdK0Rx/0mSawrq3jodGFjiZro4wyrYi11cb2bO/XmagA7QrnvYu5ZnI
QEQoVin8s+WA1cMeXNzs9UJYztKE1hKa1uNLZEAd1GJaFdvqir4=
=WtXM
-----END PGP SIGNATURE-----

HardenedBSD Foundation 2019 Meeting Minutes

Submitted by Shawn Webb on

On 27 February 2019, the majority of the HardenedBSD Foundation Board of Directors attended its annual early-year planning meeting. It was a very productive meeting, spanning the full allotted hour. Attached is a PDF of the meeting notes.

High-level details:

  • Our 2019 financial goal is $20,000 USD. This will help us replace or augment our aging infrastructure.
  • Provide to the HardenedBSD development team clean-room documentation for the non-documented bits of the grsecurity patchset.
  • Invest in business insurance.
  • Set up bylaws and articles of incorporation.
  • Look at free or reduced cost hosting, possibly at universities.

Tags: 

Stable release: HardenedBSD-stable 12-STABLE v1200058.3

Submitted by op on

HardenedBSD-12-STABLE-v1200058.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages. (0526a0cabfe1cb63e93947a4d34a050a13d97851) [CVE-2019-5596 FreeBSD-SA-19:02.fd]
  • MFC r343780: amd64: clear callee-preserved registers on syscall exit. (bd0cbe8cc38d2e67c3d4a9f1c6746a31aa213963 CVE-2019-5595 FreeBSD-SA-19:01.syscall]
  • MFC r343587: Add a simple port filter to SIFTR. (ab2d372594adbe95166adfed1d78c0a6c4dc773b)
  • MFC r343060: [drm] Fix off-by-one error when accessing driver-specific ioctl handlers array (c53a074639dd8b3b1cdadd80e6860b2a7ade95f7)
  • MFC r341472: Add ability to request listing and deleting only for dynamic states. (caad386934df5f897739c80b071dc90d8165008d)
  • MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used (0441c4fa5aa5b68927224cfc81ce354772ff10a9)
  • MFC r343418: pf: Fix use-after-free of counters (824b38d7e5213d4a94fefb5e0ddda41f95da6321)
  • MFC r343395: Fix refcounting leaks in IPv6 MLD code leading to loss of IPv6 connectivity. (69483a2f2af7c93450b276cc0a24e6561009cfda)
  • HBSD: Add EFIRT to the HARDENEDBSD amd64 kernel (23220bd7b1eaff08140fe4daa6d0786c7aa713e8)
  • HBSD: Disable cfi-icall for mount_nfs and showmount (924afb0d77fd83485b8ba9c3e0a6927585d37858)
  • MFC of 343449 and 343483 Update tunefs to allow '_' in label names. (3df852382237702f1c262aaad54933bdf5b2fbed)
  • MFC r343363, r343364: Fix an LLE lookup race. (4b6ead634deb05c2b3f0f83b8b1ba3a18708197d) [FreeBSD-EN-19:07.lle]
  • MFC r343089: Limit the user-controllable amount of memory the kernel allocates via IPPROTO_SCTP level socket options. (1d3e563dc53e1190bbc635ba00874e51b1548197)
  • MFC r342857: Avoid overfow in vtruncbuf() (5dafae63da366cedf24d91d32aa54a4b4a4a8640)
  • HBSD: Disable cfi-icall for NFS RPC utilities (d09bc59f69276e1b8b382f3a0ba00cfb2288833d)
  • MFC r343082: Implement shmat(2) flag SHM_REMAP. (58501d93bee4827fa9429db046484bf26a8ad40b)
  • MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS. (0e46cd7fe5be1edad6471bc1add8fa7702596f3f)
  • MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}. (d5dd66e58281aeb5300f19095ceee3894938de43)
  • MFC linuxulator stack memory disclosure fixes (c69e471dfc3ef2730bde80e755b5656e7ac55e1a)
  • MFC r343017: Handle overflow in calculating max kmem size. (ef32d9a8bb0d37bce34588d49ca5f972475853f0)
  • nvdimm updates
  • pf updates
  • ipfilter updates
  • ipfw updates
  • netmap updates
  • net80211 updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-bootonly.iso) = 75661d8fc8c6508c6e27ad36c1bc18f5a6a43b95e71623d3b227b29e439b4cf835ab3525343e045e91d9db061b7926722b9342c27d6613534eff632f7b5c4567
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-disc1.iso) = 4d368903e3edbe6ca5290b3ad3a4bf2c85455731839a55b38113283ee7e2ffbdf020c983f6d24fed7141af754e55592f5d55b2d334b108b3f3e5b5a0423c1d32
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-memstick.img) = 8debd3c0702cb3733d6bafbff05c6d54838fa4c5be68fb0cda778cc38a2c5fcc8e85009de30d7e96fe7161c6dfb2edfbf430b76f9380829435423c7cf9e1dc69
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-mini-memstick.img) = 6325fa8feeea551c065e6b6009809c6048a1ed4d2ef6fe657ad1e2ed59345bb72f4fdae0950b69491725b0d46680da81b24cb539a439dc8765c9889a15977fde

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxaN5gACgkQgZsRom/9
GI3aOhAAtAhGQ2nlQI+bll2DSBj2gV1Ph0z3M1zeL6Wyii1JtZLroLmUHoTnkN5P
smCLgPoNXDQlkRlBTjF/UtEuguxEQfa30U3q+lEs3SBprvCK214QXS7fTazs7Im6
vNdyoqGAgGmN6HViybRHL2ZilaxYoQBdl7zimFgphlQ/Qa8p8zkBMv+mZp7wwrDn
kK/1RYlioJsw2bNEYTVTRPy/pBTDolNlkc0z2NZ21V5QObJRxLphrqaY8Yl5B7zV
W+TRDWV+dFcCjiMUxHrzkTWNBcBAlsjZo9bWXPhgxvygqfHzD7J7wbliVkEKLz8N
8nYga5KtlMUBN5IRoRtwOpVLUerfKxmbDvqzyMYR1mLGD3giVXzvGQX5jdaHSkSs
+3lEBXghVrAj0nXHq3r0XZawLi6bOwe9XDfOcSue2CblGlhOpknIvh2bY6gCF1Pt
BcfduhG1QSmL3dcCgkQkmOnqVVVKkraBdUpAZET3OhAsnD+Q/u1aW00TygLlEUh7
Msj4AxCSCqgS0xE/zzLbXwXfGV9RPbJ2LFz4zNuz54mOnUmWD5qd9Yzl2ezyG5c0
w5FWdjlxWPJmJovQEfAOuUJ5UyhjPVMnaTd9W1occNWgHwFk931NRMG/HrG13yWj
oPj2e7HcDrS5guh+m56S6HuZG8lw3nGhT6KyhxfF+TByCYLNMkg=
=C22B
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.13

Submitted by op on

HardenedBSD-11-STABLE-v1100056.13 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages. (70e1efc1c0f84fb9e92135883a6107e2ef19642e) [CVE-2019-5596 FreeBSD-SA-19:02.fd]
  • MFC r343780: amd64: clear callee-preserved registers on syscall exit. (7ecad8ecb0ef125b47333806ace844e7792294a8) [CVE-2019-5595 FreeBSD-SA-19:01.syscall]
  • MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used (15afe7b042f7cdfad46cc2eca5e59dd9297f6197)
  • MFC r343418: pf: Fix use-after-free of counters (a1b261656792fdc235e151c61ea87b06dd48103a)
  • MFC of 343449 and 343483 Update tunefs to allow '_' in label names. (627115fbab7f0ad32d8d58f2ac948255c86a33a9)
  • MFC r343249: Fix duplicate wpa_supplicant(8) / hostapd(8) startup with devd(8) (396ce8497cb2ae7eed1e297d7edf3396759eaca1)
  • MFC r343089: Limit the user-controllable amount of memory the kernel allocates via IPPROTO_SCTP level socket options. (58e6efc1eb253c25e32671305fb296c75c88e173)
  • MFC r343082: Implement shmat(2) flag SHM_REMAP. (5e5aec12f096e44b4aff26c5b9623f1eea21b72c)
  • MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS. (676ce698dd3e14aac903708b48c9e447e46526f0)
  • MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}. (99c280e90dcde9a082478af18e6806adae270cf9)
  • MFC linuxulator stack memory disclosure fixes (8139f0a4ce76358213e6802baa237a6e0f4a8f8a)
  • MFC r343043: scp: disallow empty or current directory (ae0b64fb08800073bccfffa0e7ba12fa30dbf669) [CVE-2018-20685]
  • llvm updates
  • ena updates
  • ipfilter updates
  • pf updates
  • net80211 updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-bootonly.iso) = 2d3601235daf67914e522ae03e28717af8c8f380a32a57bf6ce01dd1b5c90a2e381766a89abbeda9ac3c4d46b998f0ca9846fb8c59b9370985e56fde126e4836
SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-disc1.iso) = 90bcf218e2575331f6f83f7b83e6c058fd1c268ccecdc162be385c95e22aab849c5090c90b03fb46135893ecc75d42341dd3373574cbf2597fc09611e290034a
SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-memstick.img) = cffa5583145e6ae2fbd9e12281aaef06fada4886095fa220c4b62464c453873839d8c59b276f0866ee038c96d1494275f0d1852ca39714914d3d5d744fad7c76
SHA512 (HardenedBSD-11-STABLE-v1100056.13-amd64-mini-memstick.img) = a4ec2037cb9d7054a644c12518867bf8f2ba04353e238d5d26e2faf64493eb2bcc65364a245e157193ffa657e7fe6a25ce109272b7a7e3064fd6d18d56f46ee3

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxavC4ACgkQgZsRom/9
GI2S0Q//fpLION18AZR7veeEBk7hz6KdrvE4xR3I1HYYAsK6L+/IVO3UX04lyhju
Ypu2efMQWuaq0yTpqq7UEgn4lysTEFIruaoMtmto6JMxtnBOdLBwVR8Es/uE23TU
12EEVL/y0c9zb0f7cXzDso6aMZlH/sIUp3LMF6P8XIfo2T+UbqAipWGeTYSwcPTE
+xH5JjfOv4i+0OjVClVB5KH4h8zNGzOFLR6yfx4JCQ96/X5plLx2pTTstvODBSjE
RAFIh3wSISc3tTjAGiJ8P+XiD0+41elF2EutoUcpgRVvazCtnjbXl1ep09y/r0Zj
uiAlVpIoHYBBTFRyvPiefhEzTdOT87xNMdYRvCqxerrHqNwrSAzzw1jtDjzoWNPw
e6Z79gXPSTZWx/sOOETB7M58m2nUeH3cypOKszuf+SroKWor37uxreLjMHCptIHB
SaFh2M7mkKQm9nuaV3TO+oPJPYQb0muiu8ujESm93xS24PfwePmn7jzv3QJCiXFT
MMGMfhiL8DDVXnkBDftTarTX56sba+S4DlQ0SAkaraEfKxn+PzpTgqsUuL4dzXWe
RHwX7+EiP9FoirhKiRn+cRObHU8EAO0628FU38AWZNfJgA7QnCPiTkeQR3oAjiKf
tZwdQOmPlzDyKozvcIIhUQYIOrKBKlWolRSfr5a9o0DVw9fef7c=
=OzKS
-----END PGP SIGNATURE-----


Oliver Pinter (1):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

Oliver Pinter + (48):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

ae (1):

  • MFC 342925: Relax requirement to packet size of CARP protocol and remove version check.

avos (20):

  • MFC r343190: net80211: drop m_pullup call from ieee80211_crypto_decap.
  • MFC r343244: devd.conf(5): add otus(4) into wifi-driver-regex
  • MFC r343249: Fix duplicate wpa_supplicant(8) / hostapd(8) startup with devd(8)
  • MFC r343213: net80211: resolve ioctl <-> detach race for ieee80211com structure
  • MFC r306323: [ath_hal] Add FCC6_FCCA regulatory domain (0x0014).
  • MFC r343341: ifconfig: drop unused macros from ifieee80211.c
  • MFC r343235: iwn(4): drop return code from iwn_*attach functions (they cannot fail)
  • MFC r343340: net80211: fix channel list construction for non-auto operating mode.
  • MFC r343342: net80211: turn channel mode check into assertion.
  • MFC r343234: run(4): add more length checks in Rx path.
  • MFC r343238: urtw(4): add length checks in Rx path.
  • MFC r343472: otus(4): fix a typo in man page (802.11 -> 802.11n)
  • MFC r343473: geom_uzip(4): move NULL pointer KASSERT check before it is dereferenced
  • MFC r343495: wlan.4: improve wording
  • MFC r343497: Unbreak devd.conf(5) regex after r343249
  • MFC r343496: pcf(4): fix parentheses in if condition
  • MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used
  • MFC r343502: Remove RADIUS-related files when WITHOUT_RADIUS_SUPPORT=true is set in src.conf(5)
  • MFC r343576: ndiscvt(8): abort if no IDs were found during conversion.
  • MFC r343541: Drop some unneeded includes from wireless USB drivers.

bapt (2):

  • MFC r340933:
  • MFC: 332990,337892,343546

brooks (3):

  • MFC r343162:
  • MFC r343366:
  • MFC r340242:

cy (5):

  • MFC r343073:
  • MFC r343103:
  • MFC r343486:
  • MFC r343600:
  • MFC r342815:

dab (2):

  • MFC r342770:
  • MFC r342822:

delphij (3):

  • MFC r342845,342846: Port NetBSD improvements:
  • MFC r342856: Added support for the SIOCGI2C ioctl.
  • MFC r343038: Use TD_IS_IDLETHREAD instead of unrolled version.

dim (1):

  • Pull in r337861 from upstream llvm trunk (by Hideki Saito):

emaste (3):

  • MFC r343043: scp: disallow empty or current directory
  • MFC r343153: freebsd-update.8: mandoc -Tlint fixes
  • MFC linuxulator stack memory disclosure fixes

gjb (1):

  • MFC r343259: Correct a typo: was -> way.

gonzo (2):

  • MFC r335675:
  • MFC r339523:

hselasky (5):

  • MFC r342730: Improve USB generic debug messages. Print process ID and name when opening and closing usb/ugenX.Y character device nodes.
  • MFC r342778: Reduce timeout for reading the USB HUB port status to 1000ms and try to filter out dead USB HUB devices by implementing an error counter, so that the USB enumeration thread does not spend all its time reading from non-responding devices, blocking user-space access in the end.
  • MFC r342884: Fix loopback traffic when using non-lo0 link local IPv6 addresses.
  • MFC r343451: Add full support for PCI_ANY_ID when matching PCI IDs in the LinuxKPI.
  • MFC r343453: Add new USB quirk.

jhb (1):

  • MFC 340206: Treat the memory lengths for CHELSIO_T4_GET_MEM as unsigned.

jilles (1):

  • MFC r343105: libedit: Avoid out of bounds read in 'bind' command

joerg (1):

  • MFC r342791: fix a typo in chio(4) (which propagates into chio(1))

kib (9):

  • MFC r343108: Trim whitespace at EoL, use tabs instead of spaces for indent.
  • MFC r343081: Trim spaces at the end of lines.
  • MFC r343086: Remove unused prototype.
  • MFC r343302: Remove unused *_sysinit_flags() declarations.
  • MFC r328433: EMFILE errno documented.
  • MFC r343082: Implement shmat(2) flag SHM_REMAP.
  • MFC r343484: Remove now redundand ifunc relocation code which should have been removed as part of r341441.
  • MFC r343607: Reserve a bit in the FreeBSD feature control note for marking the image as not compatible with ASLR.
  • MFC r343780: amd64: clear callee-preserved registers on syscall exit.

kp (6):

  • MFC r342591,342599:
  • MFC r342989
  • MFC r343130
  • MFC r343041
  • MFC r343295:
  • MFC r343418:

marius (2):

  • MFC: r333745, r333764, r337533, r339375, r341041
  • MFC: r342634 (partial)

markj (6):

  • MFC r342887: Stop setting if_linkmib in vlan(4) ifnets.
  • MFC r342864: Specify the correct option level when emulating SO_PEERCRED.
  • MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}.
  • MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS.
  • MFC r343348: ocs_fc: Ensure that we zero-initialize memory before copying it out.
  • MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages.

mav (7):

  • MFC r340425 (by cem): amdsmn(4)/amdtemp(4): Attach to Ryzen 2 hostbridges
  • MFC r340426 (by cem): amdtemp(4): Fix temperature reporting on AMD 2990WX
  • MFC r342977 (by cem): amdtemp(4): Add support for Family 15h, Model >=60h
  • MFC r342400: Increase MTX_POOL_SLEEP_SIZE from 128 to 1024.
  • MFC r342546: Add descriptions to NVMe interrupts.
  • MFC r342558: Switch from mutexes to atomics in GEOM_DEV I/O path.
  • MFC r342557, r342559: Reimplement nvd(4) detach handling.

mckusick (1):

  • MFC of 343449 and 343483

mw (3):

  • MFC: First part of Amazon ENA driver fixes and improvements
  • MFC: Second part of Amazon ENA driver fixes and improvements
  • MFC: r336114:

np (1):

  • MFC r342603: cxgbe(4): Attach to two T540 variants.

nyan (1):

  • MFC: r342964

pfg (2):

  • MFC r343023: msun: reduce diff between src/e_j0.c and src/e_j0f.c
  • MFC r343459: (parcial) ext2fs: Add some extra consistency checks for the superblock.

rgrimes (1):

  • MFC: 325765 (imp) Add notes about overlapping copies.

sef (1):

  • MFC r342928: Change ZFS quotas to return EINVAL when not present (matches man page).

shurd (1):

  • MFC r342855:

tuexen (4):

  • MFC r338137:
  • MFC r338138:
  • MFC r342857:
  • MFC r343089:

vmaffione (4):

  • MFC r343413
  • ixl: remove unnecessary limitations related to netmap
  • MFC r343552
  • netmap: small cleanup on em, lem, igb, ixgbe

wulf (2):

  • MFC r340912,r340913:
  • MFC r340926:

Stable release: HardenedBSD-stable 12-STABLE v1200058.2

Submitted by op on

HardenedBSD-12-STABLE-v1200058.2 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r343043: scp: disallow empty or current directory (40c2d4eb5cda74b65cc1d2d1187e11d87e3231d5) [CVE-2018-20685 FreeBSD-SA-candidate]
  • MFC r342887: Stop setting if_linkmib in vlan(4) ifnets. (9752824a67b8e026c748df9f55d7a4dc34cc3e5b) [FreeBSD-SA-candidate]
  • MFC r342849: libbe(3): Don't allow bootfs to be destroyed (43c025931749622500ddd40f733833a2326eb8c3)
  • MFC r342792, r342805: Provide rc_service variable for rc service scripts (43d929cc947061353022f4fd65f384bf5e5b623d)
  • MFC r342966: net80211: fix possible panic for some drivers after r342463 (afe64a5242c51756aa8e7278a93e78bef8ffbccf)
  • MFC r342883: net80211: fix panic when device is removed during initialization (86c848990612b065fd125e3d067494a9ca62d302)
  • MFC r342787: Add a bounds check to the tws(4) passthrough ioctl handler. (09c4a5a5c19860d0f062452a120bf3db56bec588) [FreeBSD-SA-candidate]
  • MFC r342575, r342580: ar: detect and error out on 32-bit symbol table overflow (932f2a3ad15b84e2f4584e8b4cc4930acaa94b36)
  • MFC r342686: Avoid setting PG_U unconditionally in pmap_enter_quick_locked(). (6a790261240984576e7ab3ae4982feda89938f4a)
  • MFC of 342135 and 342290 Properly respond to error from VFS_ROOT() during mount. (3d8c9836cc1b5b82f970b571dabd1cc4c524d6b2)
  • MFC r342362-r342363: config(8) duplicate option handling (b43601807a39b452a3a234d5a9ef33ba0bf6370c)
  • MFC r341101-r341103, r341148, r341391, r341422-r341423, r341454, r341780-r341781, r341805, r342026 Make powerpc booke kernels boot from ubldr. (5f1960a5ad7dcf7320f04827f86d2543a9cec92a)
  • MFC 339899: Make battery emptying rate available as sysctl variable. (fcad6d3887e9e0df176d8d9a4d01ce8e4dd1c780)
  • MFC 339620: Add a "live" mode to ktrdump. (9eec96ef7c166142d06d0bed137f98ee55c3b9e6)
  • MFC 340460: Convert the number of MSI IRQs on x86 from a constant to a tunable. (38147cee96c0cdfbd10ce81c8eb8d11ce87d0c93)
  • MFC: r342286 Fix the NFSv4 server to obey vfs.nfsd.nfs_privport. (9e714b03dcf913fc1daeaab8f970f37bd6a91367)
  • MFC r341998: pf: Fix endless loop on NAT exhaustion with sticky-address (8df6e4a6eaf85ac40c35fe353f2150a99f5685be) [FreeBSD-SA-candidate]
  • MFC r342211: net80211: fix out-of-bounds read in ieee80211_amrr(9) (d8b9265f4a6ad7c6a1e2446b98e7f6e9a7ccd4b8)
  • MFC r341833: pf: Prevent integer overflow in PF when calculating the adaptive timeout. (4e14cefd62c1612b7eba62cd71097429fd6d29fc)
  • MFC r339746,339751,339794,340866,340939,342042: Sync libarchive with vendor. (7e7a6e66b6497594e376667d1b0f653787927a6e)
  • MFC r342183: Update sqlite3-3.23.1 --> sqlite3-3.26.0 (3260000) (5f41f06ad996ced8460e267ae51526eb89dc661d)
  • HBSD: log pkg changes to /var/log/pkg.log (9135625701b316445fd42809c2ccefada1b39c93)
  • MFC r342030: Plug memory leak for AES_*_NIST_GMAC algorithms. (1f3faa484174d1cb5e572cdd3b1910764cfd326c)
  • amd64 string primitive optimizations
  • asmc updates
  • cxgbe updates
  • ichwd updates
  • loader updates
  • mrsas updates
  • netmap updates
  • riscv updates
  • rtwn updates
  • sfxge updates
  • tzdata updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-bootonly.iso) = a962a3debf7fe72392e0d2f90bc2df3808f6c301f9ade0f5c6e197ce896723057431c8cd29df494c5ee071694a429c13354b2f34d0ae73cc1952a57f0da8bfec
SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-disc1.iso) = a06cd6492e30f1cb121573da0a2e61cb8d0f14e131da26b86bd54fa5dccd62537c0927c950daf13127b39cc5ee476c48c5e6298d128803c6b86c314cf5db976d
SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-memstick.img) = 21b4345d6389bb80f145bcfb47ffdfa4f44aef1e14752b4d1edfd867c5f4ecf9c54f6e7babfb422a30fb9a0e00237a1dd3abb2a333faaaee8b12abc5399f515c
SHA512 (HardenedBSD-12-STABLE-v1200058.2-amd64-mini-memstick.img) = 9e274ea3b563fca0b9ff190a876c450ef537248c6270bf14ffa257857da7326ecc1872b3d267f5566b6c13c73912a031e2a397f2f64af9177e519326a35b46d3

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxCnLsACgkQgZsRom/9
GI2M3BAAjqSbp3xQqHw7gt5wz8lKJRWXmvr9sdSsOjQlqb+4agrXVWdIV1FPpzME
+Xb/DUeCVKLBC3wVHd1BV+r3zZs7dK085k5GQssAjC/VXfkGGa1fU+UYq0Jx35lu
zKovC0ce1WDo7IaF4fmU8fBysnuqOfg/DOxXAcJPHDCiHRXturIEEIhVsa17lSmI
hHZDxqazEqLeKk12isHtVu4EqS33FgzTvxcflnqnH0hgKDXb47pvqDN/F5faM9+C
NO8Fn5Vd5p3676fGuB6EFCN8NLVBjlIEW0bXpCUtnmpwmXGf9nk0AhkQcVkzWbkw
aWCJNbCzQc7LvCtGKbS/3c/lMdkROzhMuUc93VldgaBqCFbBT89fTGUFLq/Ui123
qtAVgv7gQa2S0PzMCHA9Gh7aetHJ1/HwHKQKze2tcHJDqSZJ2ARicxjvpH526WUH
ymcx5BnlCG+sNWt+uOVO2AYKf8nCUk2KD5o5azn0MirEaXOvmYDSVTtjZyn+kIx8
IZvfqUydjchyi7sYiV8mrMyOa52+YLU1AnFDeEByvef2fQGPvvkdn/zINvVsMD83
q4J4xC4TwO5J8bXJk2ZK2rppkLobWXLaYUPb7kzrl7fsWbN36EiTizjW0quE++Mu
Oc0psPw6rD4hfLa9dDXg15b8NWkTDVBqwOzjaH2W5AxKGtB7fVQ=
=ld5O
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.12

Submitted by op on

HardenedBSD-11-STABLE-v1100056.12 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r305074-r305075, r327275, r327570: newfs_msdos updates (5c2dc4965571d306fec98cc07f59e3d9b0770f35)
  • MFC r342640: Ensure buffer is nul-terminated. (a5529f8274c6e262a96221ef07ceb11e0e0639bc)
  • MFC r342966: net80211: fix possible panic for some drivers after r342464 (d72ddcc7912e0b3078dcd31123a58ae3e5ab1014)
  • MFC r342883: net80211: fix panic when device is removed during initialization (7f8b81b93a714b7a8807d32e1bde933651f70f97)
  • MFC r342810: powerd(8): allow to force a method of battery state query (48d38e36ce7fd50398514fe106ae73ff57d84b0d)
  • MFC r342787: Add a bounds check to the tws(4) passthrough ioctl handler. (5a404946700fc485ddc81aa41a97bbe6333ac014)
  • MFC r342686: Avoid setting PG_U unconditionally in pmap_enter_quick_locked(). (6b926a8ea46f4dfac7d8d6d9a311de9ecd9bdcf7)
  • MFC r342362-r342363: config(8) duplicate option handling (0368474a6a610d15c7de92010fde161d9e465180)
  • MFC 339899: Make battery emptying rate available as sysctl variable. (6bb14494cc5721af5f373f1f6f82225e41c7d935)
  • MFC: r342286 Fix the NFSv4 server to obey vfs.nfsd.nfs_privport (4b9098849df19a547ce70e31e6bd5975a27abc03)
  • MFC r341998: pf: Fix endless loop on NAT exhaustion with sticky-address (955c6a36425f6f83bc210ca3178b73219555a550)
  • MFC r342211: net80211: fix out-of-bounds read in ieee80211_amrr(9) (a94de320dbe8ed631d21535fd5a797f757d3bb08)
  • MFC r339746,339751,339794,340866,340939,342042: Sync libarchive with vendor. (250ab274d51bec04e50452ba7196798e4336897f)
  • MFC r333352 & r342183: Update sqlite3-3.23.1 --> sqlite3-3.26.0 (3260000)
  • ZFS updates
  • sfxge updates
  • mrsas updates
  • netmap updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.12-amd64-bootonly.iso) = 56ecd76d13f1dc47414681137fd2dfac2172c0fc2705d25eb4120adac5a60159f97e442d0bc0f45a52feef5c76f208f5d38dab569f48ecc57cf3e74d7b2ae543
SHA512 (HardenedBSD-11-STABLE-v1100056.12-amd64-disc1.iso) = 0b9440b1f6df1dd70601555d00135bfe6bb9fe3ac1ec2e079675dd6be3683710a994f1715c8e113a8aecf896e0ff218f6bae35bc596247854096a526bd0219e7
SHA512 (HardenedBSD-11-STABLE-v1100056.12-amd64-memstick.img) = eea300215730ea9cac2ebdeb6221116bae4b93ea0e5be6e86ceeadc3eb89918eb0d6b41d250bc4d3ee9f8206ee41f9228ca79e9a3bd0ce1712b122004fc54869
SHA512 (HardenedBSD-11-STABLE-v1100056.12-amd64-mini-memstick.img) = e913c02d3c9bcdb1274ceaba7e43a1abf422ebefa6a4d9915c02df1c36a1238748ff296266878e8ce3a1397ee69ed2a383a0123e54f1cacf5033714b9e68c883

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlw+ocEACgkQgZsRom/9
GI27NhAAjGZtV4QOnHYmFNFDvUb98GM+XmAKhHusH3Kwg6r8Rkpu0cxnafOb0bIv
uQ7EZLi43U5YLqqaytSjeVRaQ9RlEVIfkIRF4ZmMkwGP2yZKOyill0zRLX4ywwVJ
KLZNtqJmYllvdBcGe8Pe99+gt8LR+9tc/32bV7AEQqWBlrYNYimwk1jw2VHRqhZ7
JYlOTHvYekTlkXrwYxybXFxkYK5SKYUhh6yZbJ1QTtEnZo+EmzSl2QtVoPKLywC1
MHXYayrupu4x62OvMb6bo0AIY/8XQWXYloXUEHq9cr2xV86qdIttW/A9Krwtdq6z
3Th+TvXjisZd62aAJjbzr3rfm/7uN4KFDdLwsmogj/DYWJnteFZQWb7/Y4wsWSI0
5XiHCI1tk3zEihN06PJZ3yN3z+KFwPW7hK+DgWW0KtFBcrbNkWfWom5HafcpCBgl
E9nYlWwos2ZJZ1/BYqoFdQIYpoKwMFUdPWCqeq+r3CGGGxvlIOXYkD2cTRXx7l5T
YHmrBYYDXevdfdaaFdp13hJy/yaqPM7e6vIe7ZGCNcYKcpGWiZOXKiJDfuL6Pnh6
88AYJwVXcJCQa5ek5VOYgZ3pX2eDg1KDeUjqJ+cYXHZ4fngEyhM4wnbVu4+6hmhA
Al5yDTYZ0JcrzmcF3Mj5WIAcyt0a6WFH506GsBgZz1d9+6knX5I=
=RgXk
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200058.1

Submitted by op on

HardenedBSD-12-STABLE-v1200058.1 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r342227: bootpd: validate hardware type (cc913fb4818ab0f1ffdb93ddc0145798964b98ba) [FreeBSD-SA-18:15.bootpd]
  • MFC r339909: Allow changing lagg(4) MTU. (8b8bd1f610ade0928bf728a849b344f74b33dcb3)
  • MFC: r340090, r342056 Merge ACPICA 20181031 and 20181213. (2f4ca9c8f0a8780b44ccba39043972baa0c01a92)
  • MFC r342125: Fix bugs in plugable CC algorithm and siftr sysctls. (92b6550b7f9b8b4b1bb75882de619dadd72851a7) [CVE-candidate]
  • MFC r342127 Revert r331567 CC Cubic: fix underflow for cubic_cwnd() (38ba9644182faa835efb437e0bec504161ba3c69)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-bootonly.iso) = 8f99acab3e53955cf6863b401fda4f45c2424150d6d8390ac891b7529050c4a46389b9ebe2eb440f0fd4f494d105d3e0998cdb509b571e949666291a868495e9
SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-disc1.iso) = 0260437d461b57fcaabb3a695684ee6fbba219b3506695a52630a676baa35173e00e59e524b6156f825831b392a4e60bcd4526d8d1813dd91d9e74fa31d89437
SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-memstick.img) = c0d3b3d8664d1104187f4f907da7b03aaff6b0cb484774565d0ff1c15515d539ac7c86574c139f715acefb88125de18123e7a4ef1ef951ef30fe1eff565517de
SHA512 (HardenedBSD-12-STABLE-v1200058.1-amd64-mini-memstick.img) = 48972f624b03fb13f92cfcd6f83d7d9e938cb284d9159a0f2e63afbd97c75057bc45a2da1d98884a16a6f71e86eba84b817b40796d7b753b1fb920328691fe41

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwa9LwACgkQgZsRom/9
GI2SuRAAjzS+OSy5WHPhcTJXHA/KIZzywI3++KY1bhvnR7hVDKHkaOeT/q1Q3z3f
i2w7jSnf76mrmWAQx3h/tshjQ+l51kUdj8Fn7FHsQ2ub7DwVkN05U1V5TJdw84ma
gbmDlnodV257rQUVoUb+OcDXClhrPzvJshKZQgOcq512P3mWvsRfCyTUcbiCyhDk
4IDG68/7Xud3/ZAvP0NQsZ//XbCyHIukl8LoY5ZeOcPW/vePK159PyeKbS5iYRmM
+q58JT71Nc2mz96wgb1QCj3f1w7F4Jpc7VdQ0qAb4Km48g4QrDtBPksx/4bIwU7E
tBbBsvESoRP2b7DTO8FVWvNzclFIg4iL92NcxMv53zPTzXOm3zQ6t3SZk6wM70Xz
NZ551Aqnkip3Y/VxxcUIUmgFIqmM/XaD5zPBgOeaKyNmj96VraPhbCArblHKHZlK
B/KVgFb+5QMHGD/Nk2T05Zn2VG7Qldp37AR4+GeYQGN5yeu9a9NgREPXuJmawB/N
58yQiUZKTVzSsyy9kEFAIgBRaEs8sM+GxmQyqZH4AgikBX22X8oYLsL4L+SE8bYM
7dQHSnjx727tguGvQfst/rIR4ARSmCeoziOHTmrCZbWSGQ4foRW96AshJ3fWAGAT
9OFr6vPLlMzpY4tuNC2+kpNd5jeG9rA3llAkoo3AT6ed0dfQppg=
=nv3j
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.11

Submitted by op on

HardenedBSD-11-STABLE-v1100056.11 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • MFC r342030: Plug memory leak for AES_*_NIST_GMAC algorithms. (1ab95dc20c0f79f2d5b347e572904ef355aec886)
  • MFC r342227: bootpd: validate hardware type (dc1918c7f951e0c048665e5428f341e1cccad25a) [FreeBSD-SA-18:15.bootpd]
  • MFC r339909: Allow changing lagg(4) MTU (d055422cc148b2fffbe4ba2a2fcf0fc887bcddc5)
  • Partial MFC of r342125: Fix bugs in plugable CC algorithm and siftr sysctls. (f445d2ac303ef82d01bdb265c7b73f4eed5d8c99) [CVE-candidate]
  • MFC r341990: Fix a possible mbuf double free in bwn_dma_tx_start(). (84fc627d53884d2d1a08864a55536699ee3a2f52) [CVE-candidate]
  • MFC r341441: Some fixes for LD_BIND_NOW + ifuncs. (65520f2661bfb6e75d862ed693ab66f633a5bc9e)
  • MFC r340046, r340050 Add support ps/2 scancodes for NumLock, ScrollLock and numerical keypad keys (c321d531cfeb7c0408fb4160df20b9c1a2b91d40)
  • MFC r341375: Allow to create swap zone larger than v_page_count / 2. (61710bbfdf016232e290b03ef4e247bc1cb0b8b8)
  • MFC r341008: Fix possible panic during ifnet detach in rtsock. (7a2718d69b304f4e6b9db7b38932cdddcdf12a6f)
  • netmap updates
  • mlx5* security and feature updates
  • infiniband security and feature updates
  • linuxkpi updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-bootonly.iso) = ae8bf3897c9a3c76da066cde1781abda0a9ea3b413702d96ba60004d8f264edf1151e84b6cd42e4098d933b344cb54f3fc5bde48b55c1839582d965223bdf41d
SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-disc1.iso) = 0b5e100a039300927127ec53e4c28947718435e37056ac23128394e71f67d9c00bd5d4a65110a25d9feadecc074ac85b4b303569ad3c6bca9352e96505fee35d
SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-memstick.img) = a33a946d9671104baa39054321bb4a8f81ed2c3a526c7415253ea35c8cd4aec982ced35c9bd482b1761e87bbaf01eaa819d31d05d5b64abf78f303020ccceed8
SHA512 (HardenedBSD-11-STABLE-v1100056.11-amd64-mini-memstick.img) = 5c9151bad95f9bbc14dd3107332c388275696b01238dfac4a21b724f3f0652aac0ee85fae334b1f9c3e16cf2bb53a0e067220fdd980e829005d53c83d3c9b624

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwcA48ACgkQgZsRom/9
GI3OtA/+Jt9GA3OSNiX2ZhmKnDEwQLjpqK4R9Gv9O5PmelPoTh6HExywnVvWQSYS
3M98Oz393HaoZnw0v9uq6ycKJ1+dwrveSJuOV4Nd+TnMxixEGMjIq4rNsvHxbVNl
tQuJY5MFAgl9s8IaGm7uaDwyxdVDJyA31XocQ38vvaca97s+BxEgGJusEzMvVakV
Hd6xBW0G6CqNzlVoKJhj0rGrLm8vGsMsWBcvNLjh8WUJiy02y9KhuJ6iHYI3Y5Pi
D9Ri6vX+rss0L6pF43K78ihoEsYa55LyTKwCd3kUox0g1zwJSM06PZhNJf36h5uH
oyJNkfqqk7aUsy7bIyEZ5z5UPZtSD9vmpEL6BEFSMd/6f6epfYWE5ghjcMqJ3Vlw
iV8O3oUh5JY7nZnTD25sRZjIBsjrCR5iyHB9niL0T0ZwQmK7aR6Sy61gyidrRCrz
hs0E2Wr07hJlz9UwM+FCPQ7v2/iZGsSLTkcGkX5d1q/480DsbMV3Jo4pABw75ozT
VLFxSdBkiNiAXKJxjeRDXI5scsn2VoUSBRgfycUNQy1iz202tSaiZBwifCgtRW/k
LERX7o5YJC0Qf5J+Y8BHP5gxra8U5PhpjiziNrUdMNG6Mxkj2qlM6UqQzQfGXBKB
+JxBxLyz4Vf8w/RnnhlZ5PAW+mXTCyJvRwK5K0G7Th2dKgM0jFQ=
=h1hi
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 12-STABLE v1200058

Submitted by op on

Introducing HardenedBSD 12-STABLE

The first public release of hardened/12-stable/master branch, which contains lots of security improvements over 11-STABLE.

Among those improvements are:

  • Non-Cross-DSO Control-Flow Integrity (CFI) for applications on amd64 and arm64. At this time, CFI is not applied to the kernel. More info on CFI is below.
  • Jailed bhyve.
  • Per-jail toggles for unprivileged process debugging (the security.bsd.unprivileged_process_debug sysctl node).
  • Spectre v2 mitigation with retpoline applied to the entirety of base and ports.
  • Symmetric Multi-Threading (SMT) disabled by default (re-enable by setting machdep.hyperthreading_allowed to 1 in loader.conf(5)).
  • Migration of more compiler toolchain components to llvm's implementations (llvm-ar, llvm-nm, and llvm-objdump).
  • Compilation of applications with Link-Time Optimization (LTO).

Non-Cross-DSO CFI

Non-Cross-DSO CFI is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation. Clang's CFI is stronger than Microsoft's CFG and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patented.

Clang's CFI requires a linker that supports Link-Time Optimization (LTO). HardenedBSD 12-STABLE ships with lld as the default linker. All CFI schemes have been enabled for nearly all applications in base. Please note that any application that calls function pointers resolved via dlopen + dlsym will require the cfi-icall scheme to be disabled.

Installer images

http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/ISO-IMAGES/HardenedBSD-12-STABLE-v1200058/

CHECKSUM.SHA512

SHA512 (FreeBSD-12.0-STABLE-amd64-bootonly.iso) = ead39af6bc301c96c5a222884b79ec6f3b4d4ea3dedbec9f12526c2ac59360ed4fe681e49eb2982312c9d7d0d0b567751e338318a4f717cb7bed0aaa0ed3a211
SHA512 (FreeBSD-12.0-STABLE-amd64-disc1.iso) = 9b0d77db60c557e6011cc2388b70576834e4305bdb6e05d7f1e9fce95bc6cc119874120c88189753ca2ce117ab167b706a2aa35cf0563f6152407629996e10fc
SHA512 (FreeBSD-12.0-STABLE-amd64-memstick.img) = 97a70f614785df0de323c634b1e6f2b8a5f2d8b53e4584192f95f8f15fc346d31e52183fa19d1513e2e69dd2b002b42004f17e7fe85d8a00fab05a4d49bf999d
SHA512 (FreeBSD-12.0-STABLE-amd64-mini-memstick.img) = 11aff5393fbdbce0840332b70794265b141c083ecc7b2f49a3cbca0618aca55bebbeb7472a984d6d853b4b40751e239daca58b75e40a6334ae5ba128cda4552e

CHECKSUM.SHA512.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwXGq0ACgkQgZsRom/9
GI2M1w//btTs6Ek9HEcyRgv5kxpXwlf//E7YZNwpgF88CSdRhvfTDmyySjGmotaQ
ZSuL1x+nYVDqPc7vTeSU0wFdYjBWOLJpqecLmHSY+0fbZCRgRFd2pgQgxS6fhybb
M41V57GTQn5ogoeKQsCko2J7L8OzKhJh9c4FWD5L4H7YZTvv5aBWEIVqZvCEGEiY
XJZt2wpMICXwALyeVXSBN2S+DoMj2cD2W40pdbg3DdfVi6cAPZ/YQvPqG7h15+DP
ajFYsdU9UeNSHupp/qB3WkcQDgcnohx8ZbIjmTthHpocQXqKvwTvMHn3pByzoBoI
QYIYs6DEF1XynMDudzb2OtkvoskShpTE0h462VTn6Hm2BDcRlHZU+yNZSP4N8ut6
XNztkYe0b2JyKShUpG1pwkPIBgvM6eNDl5D+XKz2Cru2DEgpC40VVSGz5W7L9eYQ
O5xPKruIUWF6aS5g3/ooBpOAz25hqYHBsd0hPcqczgsfRhcjOSHUCSeiFJwAq7Av
gVN7rrzvHQPY/D1s7k20K+vjku5gOTyICuY5rdmZIOuMmAKbOijgY+Lp595XLneE
wEdvb1vXHbm6P1XhJNP+WPnENu18KHt4xWQ8lnCS0SUlL0qiN2gLvgRDhv22muzh
VSa82LishLniWf9TdMyN7Enxj2jofsMnDXn2vTmCwP9P+U09ipw=
=KDI2
-----END PGP SIGNATURE-----

Stable release: HardenedBSD-stable 11-STABLE v1100056.10

Submitted by op on

HardenedBSD-11-STABLE-v1100056.10 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

  • HBSD MFC r341470: ggated: do not expose stack data in sendfail() 370912d064f22772cd539ea28587ca7a1bca6c9c [FreeBSD-SA-candidate]
  • MFC r341442, r341443: Plug memory disclosures via ptrace(2). (600baf4f2d9e7039632b5bf5503097edb31c3da3) [FreeBSD-SA-candidate]
  • MFC r341484 Always treat firmware request and response sizes as unsigned. (5b0911ed9405a15d0fddd237377ecaf0684142a0) [FreeBSD-SA-18:14.bhyve CVE-2018-17160]
  • MFC r337812,r337814,r337820,r341068: Fix several memory leaks (r337812 & r337814). (4a6ee6982ea1014b8d06511c23c76b849fa694f1) [FreeBSD-SA-candidate]
  • MFC r340968: Plug routing sysctl leaks. (fe7eaf6c881cc3948b430c5241b34e2c1189dc03)
  • MFC r340995 Prevent kernel stack disclosure in signal delivery (ee1166b9e2f474622f098aad4dd78869880379c8) [FreeBSD-SA-candidate]
  • MFC r340994 Prevent kernel stack disclosure in getcontext/swapcontext (88ba4e0711d85c593ac41f9c9a054cf4e66d050a) [FreeBSD-EN-18:12.mem CVE-2018-17155]
  • netmap updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-bootonly.iso) = 6ca4a5de222683ff4716090d55ffd1b19f50e98b7bef0012e94acf6ef73d61e2aaabe87026e2e58f1df4f797e5dd31130a4bac4d5cee82299bb75d215c5d1462
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-disc1.iso) = 40e2a44bd010fb2b1e14b4b8b90ee86ac86cf0bb9f629c9a121cb24ed2e25fc6b5a3e821b770c483e922fd2a5de535b4ecfde9b759888775f51478e2fb183713
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-memstick.img) = 2e57b96f5d9f75b277792052690947a849ca85a0e0860474b37cce06a623a5f566f60738b762ee6966081847be129a821ca199f17b3f286dafdbdbe6e1c70e0e
SHA512 (HardenedBSD-11-STABLE-v1100056.10-amd64-mini-memstick.img) = a216932ecf6c218b7f8984ca55524c18ab85e5bcce163d11effdf889883e28ba6feb4546ff3e28c9e2a29440f147363ae4444e75f56bd18b6a02176db5f8810c

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlwHBLoACgkQgZsRom/9
GI3zlg//dLtnJmc52UuttbSD1NV2h2hv4mNW/UteFjxGtJgdOCkjRGpx3sI4Vm1j
ks5NPMzi4Wy8r9l/bWv+k/bCvkxvjvt8gQKIBbDt8IauB1Bk+uxeWr3IcLn9eiPV
eC0diLLpUzTkbhN9NbnXbbugrrq4AeWFbOl06HIAw9HJolIYtLInOlH9XZToUItR
kbVD+AXjVmfntDWXPtkgCZdEEPe6zYAUgA39iyrcb5X3y+AVc9hDIoOGfPVoMIRR
rhEu1jwJPuT8C6r2hcareVpmfOESJTljh+yNw9iq/brkNXPW2UcPFwwkt7ajubaP
KW22bl9jGTTqA3JhpPHRwqFjyZzItD9TR4qPr/Fu2WTzYACyjNvWyCK/KJOvS6MX
ewepZ06yUhsLEjEiGpllJ4XipUn8c2hbTXLoKE/JOBvwhxIognoQ8yiEE645Vrb8
VCPLab5CK4y+CSZLEA2DWpiuWO7D/Z8pRIbV0tWKh1HrN5QPOjXeDDi+59t/016v
vb/i8YR0GhHgg3mPYCCUUgMey1e7vIjnmcj0OkZRyyx7bi2fP+37C/XBV9L7bFC7
kLO1pAX7hwWOp/H0dbrJCuLyWFLHjkgNODrxmmYk1OeWQoUT9KX1SFfYCKsNlpAn
Pq+17qjcl/Amswrpmw7a/WfXXLiNA46OyOU/aG9r1Z+8/Emd4YA=
=fwqX
-----END PGP SIGNATURE-----

Pages

Subscribe to HardenedBSD RSS