FreeBSD-SA-11:03.bind Security Advisory
The FreeBSD Project
Topic: Remote packet Denial of Service against named(8) servers
Category: contrib
Module: bind
Announced: 2011-09-28
Credits: Roy Arends
Affects: 8.2-STABLE after 2011-05-28 and prior to the correction date
Corrected: 2011-07-06 00:50:54 UTC (RELENG_8, 8.2-STABLE)
CVE Name: CVE-2011-2464
Note: This advisory concerns a vulnerability which existed only in
the FreeBSD 8-STABLE branch and was fixed over two months prior to the
date of this advisory.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A logic error in the BIND code causes the BIND daemon to accept bogus
data, which could cause the daemon to crash.
III. Impact
An attacker able to send traffic to the BIND daemon can cause it to
crash, resulting in a denial of service.
IV. Workaround
No workaround is available, but systems not running the BIND name server
are not affected.
V. Solution
Upgrade your vulnerable system to 8-STABLE dated after the correction
date.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_8
src/contrib/bind9/lib/dns/message.c 1.3.2.3
- -------------------------------------------------------------------------
Subversion:
Branch/path
Revision
- -------------------------------------------------------------------------
stable/8/ r223815
- -------------------------------------------------------------------------
VII. References
http://www.isc.org/software/bind/advisories/cve-2011-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:03.bind.asc
Wednesday, September 28, 2011
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:04.compress
FreeBSD-SA-11:04.compress Security Advisory
The FreeBSD Project
Topic: Errors handling corrupt compress file in compress(1)
and gzip(1)
Category: core
Module: compress
Announced: 2011-09-28
Credits: Tomas Hoger, Joerg Sonnenberger
Affects: All supported versions of FreeBSD.
Corrected: 2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
CVE Name: CVE-2011-2895
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The compress utility reduces the size of files using adaptive Lempel-Ziv
coding, or LZW coding, a lossless data compression algorithm.
Both compress(1) and gzip(1) uses code derived from 4.3BSD compress(1).
II. Problem Description
The code used to decompress a file created by compress(1) does not do
sufficient boundary checks on compressed code words, allowing reference
beyond the decompression table, which may result in a stack overflow or
an infinite loop when the decompressor encounters a corrupted file.
III. Impact
An attacker who can cause a corrupt archive of his choice to be parsed
by uncompress(1) or gunzip(1), can cause these utilities to enter an
infinite loop, to core dump, or possibly to execute arbitrary code
provided by the attacker.
IV. Workaround
No workaround is available, but systems not handling adaptive Lempel-Ziv
compressed files (.Z) from untrusted source are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch
# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/compress
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/gzip
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/usr.bin/compress/zopen.c 1.12.10.1
src/usr.bin/gzip/zuncompress.c 1.1.4.3
RELENG_7_4
src/UPDATING 1.507.2.36.2.5
src/sys/conf/newvers.sh 1.72.2.18.2.8
src/usr.bin/compress/zopen.c 1.12.26.2
src/usr.bin/gzip/zuncompress.c 1.1.4.1.4.2
RELENG_7_3
src/UPDATING 1.507.2.34.2.9
src/sys/conf/newvers.sh 1.72.2.16.2.11
src/usr.bin/compress/zopen.c 1.12.24.2
src/usr.bin/gzip/zuncompress.c 1.1.4.1.2.2
RELENG_8
src/usr.bin/compress/zopen.c 1.12.22.2
src/usr.bin/gzip/zuncompress.c 1.2.2.3
RELENG_8_2
src/UPDATING 1.632.2.19.2.5
src/sys/conf/newvers.sh 1.83.2.12.2.8
src/usr.bin/compress/zopen.c 1.12.22.1.6.2
src/usr.bin/gzip/zuncompress.c 1.2.2.1.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.8
src/sys/conf/newvers.sh 1.83.2.10.2.9
src/usr.bin/compress/zopen.c 1.12.22.1.4.2
src/usr.bin/gzip/zuncompress.c 1.2.2.1.4.2
RELENG_9
src/usr.bin/compress/zopen.c 1.16.2.2
src/usr.bin/gzip/zuncompress.c 1.4.2.2
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r225827
releng/7.4/ r225827
releng/7.3/ r225827
stable/8/ r225827
releng/8.2/ r225827
releng/8.1/ r225827
stable/9/ r225827
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2895
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:04.compress.asc
The FreeBSD Project
Topic: Errors handling corrupt compress file in compress(1)
and gzip(1)
Category: core
Module: compress
Announced: 2011-09-28
Credits: Tomas Hoger, Joerg Sonnenberger
Affects: All supported versions of FreeBSD.
Corrected: 2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
CVE Name: CVE-2011-2895
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The compress utility reduces the size of files using adaptive Lempel-Ziv
coding, or LZW coding, a lossless data compression algorithm.
Both compress(1) and gzip(1) uses code derived from 4.3BSD compress(1).
II. Problem Description
The code used to decompress a file created by compress(1) does not do
sufficient boundary checks on compressed code words, allowing reference
beyond the decompression table, which may result in a stack overflow or
an infinite loop when the decompressor encounters a corrupted file.
III. Impact
An attacker who can cause a corrupt archive of his choice to be parsed
by uncompress(1) or gunzip(1), can cause these utilities to enter an
infinite loop, to core dump, or possibly to execute arbitrary code
provided by the attacker.
IV. Workaround
No workaround is available, but systems not handling adaptive Lempel-Ziv
compressed files (.Z) from untrusted source are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch
# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/compress
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/gzip
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/usr.bin/compress/zopen.c 1.12.10.1
src/usr.bin/gzip/zuncompress.c 1.1.4.3
RELENG_7_4
src/UPDATING 1.507.2.36.2.5
src/sys/conf/newvers.sh 1.72.2.18.2.8
src/usr.bin/compress/zopen.c 1.12.26.2
src/usr.bin/gzip/zuncompress.c 1.1.4.1.4.2
RELENG_7_3
src/UPDATING 1.507.2.34.2.9
src/sys/conf/newvers.sh 1.72.2.16.2.11
src/usr.bin/compress/zopen.c 1.12.24.2
src/usr.bin/gzip/zuncompress.c 1.1.4.1.2.2
RELENG_8
src/usr.bin/compress/zopen.c 1.12.22.2
src/usr.bin/gzip/zuncompress.c 1.2.2.3
RELENG_8_2
src/UPDATING 1.632.2.19.2.5
src/sys/conf/newvers.sh 1.83.2.12.2.8
src/usr.bin/compress/zopen.c 1.12.22.1.6.2
src/usr.bin/gzip/zuncompress.c 1.2.2.1.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.8
src/sys/conf/newvers.sh 1.83.2.10.2.9
src/usr.bin/compress/zopen.c 1.12.22.1.4.2
src/usr.bin/gzip/zuncompress.c 1.2.2.1.4.2
RELENG_9
src/usr.bin/compress/zopen.c 1.16.2.2
src/usr.bin/gzip/zuncompress.c 1.4.2.2
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r225827
releng/7.4/ r225827
releng/7.3/ r225827
stable/8/ r225827
releng/8.2/ r225827
releng/8.1/ r225827
stable/9/ r225827
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2895
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:04.compress.asc
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:05.unix
FreeBSD-SA-11:05.unix Security Advisory
The FreeBSD Project
Topic: Buffer overflow in handling of UNIX socket addresses
Category: core
Module: kern
Announced: 2011-09-28
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication. They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.
II. Problem Description
When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated. Later,
when this address was returned via other system calls, it is copied into
a fixed-length buffer.
III. Impact
A local user can cause the FreeBSD kernel to panic. It may also be
possible to execute code with elevated privileges ("gain root"), escape
from a jail, or to bypass security mechanisms in other ways.
IV. Workaround
No workaround is available, but systems without untrusted local users
are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patch has been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/sys/kern/uipc_usrreq.c 1.206.2.13
RELENG_7_4
src/UPDATING 1.507.2.36.2.5
src/sys/conf/newvers.sh 1.72.2.18.2.8
src/sys/kern/uipc_usrreq.c 1.206.2.11.4.2
RELENG_7_3
src/UPDATING 1.507.2.34.2.9
src/sys/conf/newvers.sh 1.72.2.16.2.11
src/sys/kern/uipc_usrreq.c 1.206.2.11.2.2
RELENG_8
src/sys/kern/uipc_usrreq.c 1.233.2.6
RELENG_8_2
src/UPDATING 1.632.2.19.2.5
src/sys/conf/newvers.sh 1.83.2.12.2.8
src/sys/kern/uipc_usrreq.c 1.233.2.2.2.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.8
src/sys/conf/newvers.sh 1.83.2.10.2.9
src/sys/kern/uipc_usrreq.c 1.233.2.1.4.2
RELENG_9
src/sys/kern/uipc_usrreq.c 1.244.2.2
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r225827
releng/7.4/ r225827
releng/7.3/ r225827
stable/8/ r225827
releng/8.2/ r225827
releng/8.1/ r225827
stable/9/ r225827
- -------------------------------------------------------------------------
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:05.unix.asc
The FreeBSD Project
Topic: Buffer overflow in handling of UNIX socket addresses
Category: core
Module: kern
Announced: 2011-09-28
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication. They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.
II. Problem Description
When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated. Later,
when this address was returned via other system calls, it is copied into
a fixed-length buffer.
III. Impact
A local user can cause the FreeBSD kernel to panic. It may also be
possible to execute code with elevated privileges ("gain root"), escape
from a jail, or to bypass security mechanisms in other ways.
IV. Workaround
No workaround is available, but systems without untrusted local users
are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patch has been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/sys/kern/uipc_usrreq.c 1.206.2.13
RELENG_7_4
src/UPDATING 1.507.2.36.2.5
src/sys/conf/newvers.sh 1.72.2.18.2.8
src/sys/kern/uipc_usrreq.c 1.206.2.11.4.2
RELENG_7_3
src/UPDATING 1.507.2.34.2.9
src/sys/conf/newvers.sh 1.72.2.16.2.11
src/sys/kern/uipc_usrreq.c 1.206.2.11.2.2
RELENG_8
src/sys/kern/uipc_usrreq.c 1.233.2.6
RELENG_8_2
src/UPDATING 1.632.2.19.2.5
src/sys/conf/newvers.sh 1.83.2.12.2.8
src/sys/kern/uipc_usrreq.c 1.233.2.2.2.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.8
src/sys/conf/newvers.sh 1.83.2.10.2.9
src/sys/kern/uipc_usrreq.c 1.233.2.1.4.2
RELENG_9
src/sys/kern/uipc_usrreq.c 1.244.2.2
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r225827
releng/7.4/ r225827
releng/7.3/ r225827
stable/8/ r225827
releng/8.2/ r225827
releng/8.1/ r225827
stable/9/ r225827
- -------------------------------------------------------------------------
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:05.unix.asc
Tuesday, September 20, 2011
[FreeBSD-Announce] FreeBSD Status Report April - June, 2011
FreeBSD Quarterly Status Report - April-June, 2011
Introduction
This report covers FreeBSD-related projects between April and June
2011. It is the second of the four reports planned for 2011. Since this
quarter, the work is being focused on the next major version of
FreeBSD, 9.0, which is to be released in September.
Thanks to all the reporters for the excellent work! This report
contains 36 entries and we hope you enjoy reading it.
Please note that the deadline for submissions covering the period
between July and September 2011 is October 15th, 2011.
__________________________________________________________________
Introduction
This report covers FreeBSD-related projects between April and June
2011. It is the second of the four reports planned for 2011. Since this
quarter, the work is being focused on the next major version of
FreeBSD, 9.0, which is to be released in September.
Thanks to all the reporters for the excellent work! This report
contains 36 entries and we hope you enjoy reading it.
Please note that the deadline for submissions covering the period
between July and September 2011 is October 15th, 2011.
__________________________________________________________________
Saturday, September 17, 2011
Foundation Announces Project to Implement xlocale APIs
Dear FreeBSD Community,
The FreeBSD Foundation is pleased to announce that David Chisnall has been awarded a grant to
implement xlocale APIs to enable porting libc++.
The C standard library (libc) is one of the most important parts of a UNIX system as most programs
interact with the kernel through interfaces written in C. Porting code between platforms with similar l
ibc implementations is trivial and if something is supported by libc, higher-level languages can use it
without being reimplemented.
Over time, the C language has slowly evolved to modern multicore systems, but there are still some
places that are problematic. One of these is localization as C began originally had no localization support.
FreeBSD libc and Darwin libc (used by Mac OS X) are similar, making it much easier to port code from
OS X to FreeBSD than from OS X to Linux. The libc used by OS X supports a set of extended locale
functions (xlocale) that allow locale to be set on a per-thread basis.
Additionally, libc++, from the LLVM project, was originally developed on Darwin, so it uses xlocale for
most of the C++ locale support. The lack of this support is the primary obstacle to porting it to FreeBSD.
Once xlocale is supported in FreeBSD libc, we can port libc++ to FreeBSD, giving us an MIT-licensed
C++11 standard library implementation. This, in conjunction with Clang and libcxxrt, means that the
entire C++ stack in FreeBSD will be free of any GNU code. This leaves the linker as the only significant obstacle to a GPL-free FreeBSD 10.
The project will conclude the end of September 2011.
The FreeBSD Foundation
The FreeBSD Foundation is pleased to announce that David Chisnall has been awarded a grant to
implement xlocale APIs to enable porting libc++.
The C standard library (libc) is one of the most important parts of a UNIX system as most programs
interact with the kernel through interfaces written in C. Porting code between platforms with similar l
ibc implementations is trivial and if something is supported by libc, higher-level languages can use it
without being reimplemented.
Over time, the C language has slowly evolved to modern multicore systems, but there are still some
places that are problematic. One of these is localization as C began originally had no localization support.
FreeBSD libc and Darwin libc (used by Mac OS X) are similar, making it much easier to port code from
OS X to FreeBSD than from OS X to Linux. The libc used by OS X supports a set of extended locale
functions (xlocale) that allow locale to be set on a per-thread basis.
Additionally, libc++, from the LLVM project, was originally developed on Darwin, so it uses xlocale for
most of the C++ locale support. The lack of this support is the primary obstacle to porting it to FreeBSD.
Once xlocale is supported in FreeBSD libc, we can port libc++ to FreeBSD, giving us an MIT-licensed
C++11 standard library implementation. This, in conjunction with Clang and libcxxrt, means that the
entire C++ stack in FreeBSD will be free of any GNU code. This leaves the linker as the only significant obstacle to a GPL-free FreeBSD 10.
The project will conclude the end of September 2011.
The FreeBSD Foundation
DIFFUSE for FreeBSD Project Announcement
Dear FreeBSD Community,
The FreeBSD Foundation is pleased to announce that Swinburne University
of Technology's Centre for Advanced Internet Architectures (CAIA) has
been awarded a grant to implement DIFFUSE for FreeBSD.
DIFFUSE (Distributed Firewall and Flow-shaper Using Statistical
Evidence) is an extension to the FreeBSD IPFW firewall subsystem
developed by CAIA <http://www.caia.swin.edu.au>. It allows IPFW to classify traffic based on
statistical properties of flows being observed in realtime, and
instantiate network actions across a distributed set of "action nodes"
for particular flows if required.
This project will tidy up and integrate the existing DIFFUSE prototype <http://www.caia.swin.edu.au/urp/diffuse >
into FreeBSD, and incorporate a number of important new
features. Integration of DIFFUSE into FreeBSD will increase FreeBSD's
utility to designers and implementers of FreeBSD-based networking
infrastructure.
Network architects frequently require the ability to classify different
traffic types flowing across a network, typically using packet
inspection capabilities of base system tools such as ipfw and pf.
Traffic classification then enables the provision of customized service
levels to different traffic types (such as priority packet queuing and
forwarding, or allocation of specific bandwidth guarantees).
DIFFUSE uses machine learning techniques to enable robust and efficient
classification of IP traffic flows based on their unique statistical
properties in addition to traditional inspection of packet header or
payload contents. DIFFUSE also allows traffic classification to occur in
one place (e.g. in the core of a network) and trigger traffic shaping
and differentiation elsewhere (e.g. at the edges of a network). DIFFUSE
has applications in ISP, residential broadband and large corporate
network scenarios to name a few.
The project will conclude the end of October 2011.
The FreeBSD Foundation is pleased to announce that Swinburne University
of Technology's Centre for Advanced Internet Architectures (CAIA) has
been awarded a grant to implement DIFFUSE for FreeBSD.
DIFFUSE (Distributed Firewall and Flow-shaper Using Statistical
Evidence) is an extension to the FreeBSD IPFW firewall subsystem
developed by CAIA <http://www.caia.swin.edu.au>. It allows IPFW to classify traffic based on
statistical properties of flows being observed in realtime, and
instantiate network actions across a distributed set of "action nodes"
for particular flows if required.
This project will tidy up and integrate the existing DIFFUSE prototype <http://www.caia.swin.edu.au/u
into FreeBSD, and incorporate a number of important new
features. Integration of DIFFUSE into FreeBSD will increase FreeBSD's
utility to designers and implementers of FreeBSD-based networking
infrastructure.
Network architects frequently require the ability to classify different
traffic types flowing across a network, typically using packet
inspection capabilities of base system tools such as ipfw and pf.
Traffic classification then enables the provision of customized service
levels to different traffic types (such as priority packet queuing and
forwarding, or allocation of specific bandwidth guarantees).
DIFFUSE uses machine learning techniques to enable robust and efficient
classification of IP traffic flows based on their unique statistical
properties in addition to traditional inspection of packet header or
payload contents. DIFFUSE also allows traffic classification to occur in
one place (e.g. in the core of a network) and trigger traffic shaping
and differentiation elsewhere (e.g. at the edges of a network). DIFFUSE
has applications in ISP, residential broadband and large corporate
network scenarios to name a few.
The project will conclude the end of October 2011.
Saturday, September 10, 2011
pre-orders for 5.0
From OpenBSD: "I have activated pre-orders for the 5.0 release -- it is scheduled for
official release on Nov 1 on the FTP sites. As usual, we try to get
CDs in people's hands slightly a few days before that.
http://www.openbsd.org/orders.html
There are two tshirts available. It's roughly the same image, but it
comes in both white and black.
http://www.openbsd.org/tshirts.html#35
At the same time, I am also releasing the song to accompany the art
for this release.
http://www.openbsd.org/lyrics.html#50
Please keep in mind that donations and CD/tshirt/poster sales, done
twice a year, are crucial to the continuation of the project. It may
seem strange to keep selling such out-dated types of items and
expecting it to keep the project afloat, but so it goes. As collector
items they do pay expenses around here.
Besides donations done along with a CD or tshirt purchase, there are
a few other options for donations and described at:
http://www.openbsd.org/donations.html
http://www.openbsdfoundation.org/
Thanks for continuing to let us make OpenBSD."
official release on Nov 1 on the FTP sites. As usual, we try to get
CDs in people's hands slightly a few days before that.
http://www.openbsd.org/orders.html
There are two tshirts available. It's roughly the same image, but it
comes in both white and black.
http://www.openbsd.org/tshirts.html#35
At the same time, I am also releasing the song to accompany the art
for this release.
http://www.openbsd.org/lyrics.html#50
Please keep in mind that donations and CD/tshirt/poster sales, done
twice a year, are crucial to the continuation of the project. It may
seem strange to keep selling such out-dated types of items and
expecting it to keep the project afloat, but so it goes. As collector
items they do pay expenses around here.
Besides donations done along with a CD or tshirt purchase, there are
a few other options for donations and described at:
http://www.openbsd.org/donations.html
http://www.openbsdfoundation.org/
Thanks for continuing to let us make OpenBSD."
OpenSSH 5.9 released
OpenSSH 5.9 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Changes since OpenSSH 5.8
=========================
Features:
* Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
This intention is to prevent a compromised privsep child from being
used to attack other hosts (by opening sockets and proxying) or
probing local kernel attack surface.
Three concrete sandbox implementation are provided (selected at
configure time): systrace, seatbelt and rlimit.
The systrace sandbox uses systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option
(only OpenBSD has this mode at present).
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
strict (kSBXProfilePureComputation) policy that disables access to
filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard-limit
of file descriptors and processes to zero, which should prevent
the privsep child from forking or opening new network connections.
Sandboxing of the privilege separated child process is currently
experimental but should become the default in a future release.
Native sandboxes for other platforms are welcome (e.g. Capsicum,
Linux pid/net namespaces, etc.)
* Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1) and
sshd(8)
* The pre-authentication sshd(8) privilege separation slave process
now logs via a socket shared with the master process, avoiding the
need to maintain /dev/log inside the chroot.
* ssh(1) now warns when a server refuses X11 forwarding
* sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace. The undocumented AuthorizedKeysFile2
option is deprecated (though the default for AuthorizedKeysFile
includes .ssh/authorized_keys2)
* sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and
GlobalKnownHostsFile accept multiple options and default to
include known_hosts2
* Retain key comments when loading v.2 keys. These will be visible
in "ssh-add -l" and other places. bz#439
* ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
IPv4 ToS/DSCP). bz#1855
* ssh_config(5)'s ControlPath option now expands %L to the host
portion of the destination host name.
* ssh_config(5) "Host" options now support negated Host matching, e.g.
Host *.example.org !c.example.org
User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
* ssh_config(5): a new RequestTTY option provides control over when a
TTY is requested for a connection, similar to the existing -t/-tt/-T
ssh(1) commandline options.
* sshd(8): allow GSSAPI authentication to detect when a server-side
failure causes authentication failure and don't count such failures
against MaxAuthTries; bz#1244
* ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa,
dsa and ecdsa) for which host keys do not exist, generate the host
keys with the default key file path, an empty passphrase, default
bits for the key type, and default comment. This is useful for
system initialisation scripts.
* ssh(1): Allow graceful shutdown of multiplexing: request that a mux
server removes its listener socket and refuse future multiplexing
requests but don't kill existing connections. This may be requested
using "ssh -O stop ..."
* ssh-add(1) now accepts keys piped from standard input. E.g.
"ssh-add - < /path/to/key"
* ssh-keysign(8) now signs hostbased authentication
challenges correctly using ECDSA keys; bz#1858
* sftp(1): document that sftp accepts square brackets to delimit
addresses (useful for IPv6); bz#1847a
* ssh(1): when using session multiplexing, the master process will
change its process title to reflect the control path in use and
when a ControlPersist-ed master is waiting to close; bz#1883 and
bz#1911
* Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892
1900 1905 1913
Portable OpenSSH Bugfixes:
* Fix a compilation error in the SELinux support code. bz#1851
* This release removes support for ssh-rand-helper. OpenSSH now
obtains its random numbers directly from OpenSSL or from
a PRNGd/EGD instance specified at configure time.
* sshd(8) now resets the SELinux process execution context before
executing passwd for password changes; bz#1891
* Since gcc >= 4.x ignores all -Wno-options options, test only the
corresponding -W-option when trying to determine whether it is
accepted; bz#1901
* Add ECDSA key generation to the Cygwin ssh-{host,user}-config
scripts.
* Updated .spec and init files for Linux; bz#1920
* Improved SELinux error messages in context change failures and
suppress error messages when attempting to change from the
"unconfined_t" type; bz#1924 bz#1919
* Fix build errors on platforms without dlopen(); bz#1929
Checksums:
==========
- SHA1 (openssh-5.9.tar.gz) = bc0cb728bbc394769f9a2ce5b8cd99dc41e12632
- SHA1 (openssh-5.9p1.tar.gz) = be8878869bb80ce12ca79282768ffa73cc3f05fc
Reporting Bugs:
===============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Changes since OpenSSH 5.8
=========================
Features:
* Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
This intention is to prevent a compromised privsep child from being
used to attack other hosts (by opening sockets and proxying) or
probing local kernel attack surface.
Three concrete sandbox implementation are provided (selected at
configure time): systrace, seatbelt and rlimit.
The systrace sandbox uses systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option
(only OpenBSD has this mode at present).
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
strict (kSBXProfilePureComputation) policy that disables access to
filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard-limit
of file descriptors and processes to zero, which should prevent
the privsep child from forking or opening new network connections.
Sandboxing of the privilege separated child process is currently
experimental but should become the default in a future release.
Native sandboxes for other platforms are welcome (e.g. Capsicum,
Linux pid/net namespaces, etc.)
* Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1) and
sshd(8)
* The pre-authentication sshd(8) privilege separation slave process
now logs via a socket shared with the master process, avoiding the
need to maintain /dev/log inside the chroot.
* ssh(1) now warns when a server refuses X11 forwarding
* sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace. The undocumented AuthorizedKeysFile2
option is deprecated (though the default for AuthorizedKeysFile
includes .ssh/authorized_keys2)
* sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and
GlobalKnownHostsFile accept multiple options and default to
include known_hosts2
* Retain key comments when loading v.2 keys. These will be visible
in "ssh-add -l" and other places. bz#439
* ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
IPv4 ToS/DSCP). bz#1855
* ssh_config(5)'s ControlPath option now expands %L to the host
portion of the destination host name.
* ssh_config(5) "Host" options now support negated Host matching, e.g.
Host *.example.org !c.example.org
User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
* ssh_config(5): a new RequestTTY option provides control over when a
TTY is requested for a connection, similar to the existing -t/-tt/-T
ssh(1) commandline options.
* sshd(8): allow GSSAPI authentication to detect when a server-side
failure causes authentication failure and don't count such failures
against MaxAuthTries; bz#1244
* ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa,
dsa and ecdsa) for which host keys do not exist, generate the host
keys with the default key file path, an empty passphrase, default
bits for the key type, and default comment. This is useful for
system initialisation scripts.
* ssh(1): Allow graceful shutdown of multiplexing: request that a mux
server removes its listener socket and refuse future multiplexing
requests but don't kill existing connections. This may be requested
using "ssh -O stop ..."
* ssh-add(1) now accepts keys piped from standard input. E.g.
"ssh-add - < /path/to/key"
* ssh-keysign(8) now signs hostbased authentication
challenges correctly using ECDSA keys; bz#1858
* sftp(1): document that sftp accepts square brackets to delimit
addresses (useful for IPv6); bz#1847a
* ssh(1): when using session multiplexing, the master process will
change its process title to reflect the control path in use and
when a ControlPersist-ed master is waiting to close; bz#1883 and
bz#1911
* Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892
1900 1905 1913
Portable OpenSSH Bugfixes:
* Fix a compilation error in the SELinux support code. bz#1851
* This release removes support for ssh-rand-helper. OpenSSH now
obtains its random numbers directly from OpenSSL or from
a PRNGd/EGD instance specified at configure time.
* sshd(8) now resets the SELinux process execution context before
executing passwd for password changes; bz#1891
* Since gcc >= 4.x ignores all -Wno-options options, test only the
corresponding -W-option when trying to determine whether it is
accepted; bz#1901
* Add ECDSA key generation to the Cygwin ssh-{host,user}-config
scripts.
* Updated .spec and init files for Linux; bz#1920
* Improved SELinux error messages in context change failures and
suppress error messages when attempting to change from the
"unconfined_t" type; bz#1924 bz#1919
* Fix build errors on platforms without dlopen(); bz#1929
Checksums:
==========
- SHA1 (openssh-5.9.tar.gz) = bc0cb728bbc394769f9a2ce5b8cd99dc41e12632
- SHA1 (openssh-5.9p1.tar.gz) = be8878869bb80ce12ca79282768ffa73cc3f05fc
Reporting Bugs:
===============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
Subscribe to:
Posts (Atom)