| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Fix performance regression in libc hash(3). [EN-16:06]
Fix excessive latency in x86 IPI delivery. [EN-16:07]
Fix memory leak in ZFS. [EN-16:08]
Approved by: so
|
|
|
|
|
|
|
|
|
|
| |
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679
Security: CVE-2016-3115
Approved by: re (marius)
|
|
|
|
|
| |
Relnotes: yes
Approved by: re (so@ implicit)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb)
Relnotes: yes
|
|
|
|
| |
Relnotes: yes
|
|
|
|
| |
Remove the HPN and None cipher patches.
|
|
|
|
|
|
| |
r294320, r294322, r294324, r294330, r294469, r294494, r294466)
Reduce diffs to head in preparation for removing HPN and None.
|
| |
|
|
|
|
|
| |
Security: SA-16:07.openssh
Security: CVE-2016-0777
|
| |
|
|
|
|
| |
Security: FreeBSD-SA-15:22.openssh
|
|
|
|
|
|
| |
Fix resource exhaustion in TCP reassembly. [SA-15:15]
Fix OpenSSH multiple vulnerabilities. [SA-15:16]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssh: canonicize the host name before looking it up in the host file
Re-apply r99054 by des in 2002. This was accidentally dropped
by the update to OpenSSH 6.5p1 (r261320).
This change is actually taken from r387082 of
ports/security/openssh-portable/files/patch-ssh.c
Differential Revision: https://reviews.freebsd.org/D3103
PR: 198043
Approved by: re (gjb), kib (mentor)
Sponsored by: Dell Inc.
Relnotes: yes
|
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1p.
Approved by: re (gjb)
Relnotes: yes
|
| |
|
|
|
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1o.
Note it is instantly merged because it restores ABI compatibility broken by
the previous OpenSSL 1.0.1n.
Relnotes: yes
|
|
|
|
| |
Merge OpenSSL 1.0.1n.
|
|
|
|
| |
Use proper CHAN_TCP_PACKET_DEFAULT for agent forwarding when HPN disabled.
|
|
|
|
| |
Document "none" for VersionAddendum.
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1m.
Relnotes: yes
|
|
|
|
|
|
|
|
|
| |
- Revert a portion of ASN1 change per suggested by OpenBSD
and OpenSSL developers. The change was removed from the
formal OpenSSL release and does not solve security issue.
- Properly fix CVE-2015-0209 and CVE-2015-0288.
Pointy hat to: delphij
|
|
|
|
|
|
|
|
|
|
| |
Security: FreeBSD-SA-15:06.openssl
Security: CVE-2015-0209
Security: CVE-2015-0286
Security: CVE-2015-0287
Security: CVE-2015-0288
Security: CVE-2015-0289
Security: CVE-2015-0293
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.
Note that a significant fraction does not apply, as FreeBSD 10 doesn't
contain a Capsicumised ping, casperd, libcasper, etc. When these features
are merged, the capsicum.h change will need to be merged with them.
Sponsored by: Google, Inc.
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1l.
Relnotes: yes
|
|
|
|
| |
Merge OpenSSL 1.0.1k.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r264400:
NO_MAN= has been deprecated in favor of MAN= for some time, go ahead
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
r265836:
Remove last two NO_MAN= in the tree. In both of these cases, MAN= is
what is needed.
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1j.
Relnotes: yes
|
|
|
|
|
|
|
|
| |
Include the gssapi_krb5 library in KRB5_LDFLAGS.
PR: 156245
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
|
|
|
|
| |
Merge OpenSSL 1.0.1i.
|
|
|
|
|
|
| |
Merge OpenSSL 1.0.1h.
Approved by: so (delphij)
|
|
|
|
|
|
| |
Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224,
CVE-2014-3470
Security: SA-14:14.openssl
|
|
|
|
|
|
| |
Obtained from: OpenBSD
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix OpenSSL use-after-free vulnerability.
Fix TCP reassembly vulnerability.
Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
|
| |
|
|
|
|
| |
MFH (r264308): restore p level in debugging output
|
|
|
|
| |
Merge OpenSSL 1.0.1f and 1.0.1g.
|
|
|
|
|
| |
Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel
Attack in OpenSSL. [SA-14:06]
|
|
|
|
| |
Fix installations that use kernels without CAPABILITIES support.
|
|
|
|
| |
MFH (r261340): enable sandboxing by default
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apply vendor commits:
197e0ea Fix for TLS record tampering bug. (CVE-2013-4353).
3462896 For DTLS we might need to retransmit messages from the
previous session so keep a copy of write context in DTLS
retransmission buffers instead of replacing it after
sending CCS. (CVE-2013-6450).
ca98926 When deciding whether to use TLS 1.2 PRF and record hash
algorithms use the version number in the corresponding
SSL_METHOD structure instead of the SSL structure. The
SSL structure version is sometimes inaccurate.
Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449).
Security: CVE-2013-4353
Security: CVE-2013-6449
Security: CVE-2013-6450
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apply patch from upstream Heimdal for encoding fix
RFC 4402 specifies the implementation of the gss_pseudo_random()
function for the krb5 mechanism (and the C bindings therein).
The implementation uses a PRF+ function that concatenates the output
of individual krb5 pseudo-random operations produced with a counter
and seed. The original implementation of this function in Heimdal
incorrectly encoded the counter as a little-endian integer, but the
RFC specifies the counter encoding as big-endian. The implementation
initializes the counter to zero, so the first block of output (16 octets,
for the modern AES enctypes 17 and 18) is unchanged. (RFC 4402 specifies
that the counter should begin at 1, but both existing implementations
begin with zero and it looks like the standard will be re-issued, with
test vectors, to begin at zero.)
This is upstream's commit f85652af868e64811f2b32b815d4198e7f9017f6,
from 13 October, 2013:
% Fix krb5's gss_pseudo_random() (n is big-endian)
%
% The first enctype RFC3961 prf output length's bytes are correct because
% the little- and big-endian representations of unsigned zero are the
% same. The second block of output was wrong because the counter was not
% being encoded as big-endian.
%
% This change could break applications. But those applications would not
% have been interoperating with other implementations anyways (in
% particular: MIT's).
Bump __FreeBSD_version accordingly and add a note in UPDATING.
Approved by: hrs (mentor, src committer)
|
|
|
|
| |
Approved by: re (kib)
|
|
|
|
|
|
| |
Security: CVE-2013-4548
Security: FreeBSD-SA-13:14.openssh
Approved by: re (implicit)
|
|
|
|
|
|
|
|
|
| |
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
|
|\
| |
| |
| |
| |
| |
| | |
didn't use them. This will make future merges from the vendor tree much
easier.
Approved by: re (gjb)
|
|\ \
| |/
| |
| | |
Approved by: re (gjb)
|
| |
| |
| |
| |
| |
| |
| |
| | |
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)
|
|\ \
| |/
| |
| |
| |
| |
| |
| |
| | |
branch but never merged to head. They were inadvertantly left out when
6.1p1 was merged to head. It didn't make any difference at the time,
because they were unused, but one of them is required for DNS-based host
key verification.
Approved by: re (blanket)
|
| |
| |
| |
| | |
MFC after: 3 days
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.
Requested by: zi
Approved by: benl
|