Thursday, May 31, 2012

MeetBSD California 2012

MeetBSD California returns for its third biennial installment!

On behalf of the MeetBSD California 2012 team, it's my pleasure to
invite all of you to MeetBSD California 2012. It will take place
Saturday and Sunday, November 3rd and 4th, 2012 at the Yahoo! campus
in Sunnyvale, CA. It will feature one day of scheduled talks on
Saturday followed by one day of unConference-style community-scheduled
emergent activities on Sunday.

We're looking forward to another engaging and interesting conference!
By combining scheduled talks and community-driven events like
lightning talks and hacking sessions, we hope that everyone will get
the most out of this year's activities.

Registration is open now; register before June 30th to get an early
bird discount of $10 off the normal $75 entrance fee.

The conference hotel is the Sheraton Sunnyvale. A special conference
rate is available which includes complimentary wireless internet. Use
this link to reserve rooms:
https://www.starwoodmeeting.com/StarGroupsWeb/booking/reservation?id=1205228308&key=66BBA
The special conference rate expires on October 18th, so plan
accordingly.

The Conference Afterparty will be held at the Sheraton Sunnyvale in
the Sterling Ballroom on the evening of Saturday the 3rd. Be ready to
have fun and relax with your fellow hackers and enthusiasts from all
over the world!

To keep up with information about MeetBSD California 2012, follow us
on Twitter http://twitter.com/#!/MeetBSDCA, "Like" us on Facebook at
http://www.facebook.com/MeetbsdCalifornia, follow us on Google Plus at
http://plus.google.com/109740340769158691256, or keep visiting
http://www.meetbsd.com.

Conference registration link: https://www.meetbsd.com/registration
Travel/hotel information: https://www.meetbsd.com/travel
See the announcement here:
http://www.ixsystems.com/resources/ix/news/ixsystems-announces-meetbsd-california-2012.html

Cheers,
-matt


Wednesday, May 30, 2012

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-12:02.crypt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:02.crypt Security Advisory
The FreeBSD Project

Topic: Incorrect crypt() hashing

Category: core
Module: libcrypt
Announced: 2012-05-30
Credits: Rubin Xu, Joseph Bonneau, Donting Yu
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2012-2143

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The crypt(3) function performs password hashing with additional code added
to deter key search attempts.

II. Problem Description

There is a programming error in the DES implementation used in crypt()
when handling input which contains characters that cannot be represented
with 7-bit ASCII.

III. Impact

When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.

IV. Workaround

No workaround is available, but systems not using crypt(), or which only
use it to handle 7-bit ASCII are not vulnerable. Note that, because
DES does not have the computational complexity to defeat brute force
search on modern computers, it is not recommended for new applications.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:02/crypt.patch
# fetch http://security.FreeBSD.org/patches/SA-12:02/crypt.patch.asc

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libcrypt
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/secure/lib/libcrypt/crypt-des.c 1.16.24.1
RELENG_7_4
src/UPDATING 1.507.2.36.2.10
src/sys/conf/newvers.sh 1.72.2.18.2.13
src/secure/lib/libcrypt/crypt-des.c 1.16.40.2
RELENG_8
src/secure/lib/libcrypt/crypt-des.c 1.16.36.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.4
src/sys/conf/newvers.sh 1.83.2.15.2.6
src/secure/lib/libcrypt/crypt-des.c 1.16.36.1.8.2
RELENG_8_2
src/UPDATING 1.632.2.19.2.10
src/sys/conf/newvers.sh 1.83.2.12.2.13
src/secure/lib/libcrypt/crypt-des.c 1.16.36.1.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.13
src/sys/conf/newvers.sh 1.83.2.10.2.14
src/secure/lib/libcrypt/crypt-des.c 1.16.36.1.4.2
RELENG_9
src/secure/lib/libcrypt/crypt-des.c 1.16.42.2
RELENG_9_0
src/UPDATING 1.702.2.4.2.4
src/sys/conf/newvers.sh 1.95.2.4.2.6
src/secure/lib/libcrypt/crypt-des.c 1.16.42.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r236304
releng/7.4/ r236304
stable/8/ r236304
releng/8.3/ r236304
releng/8.2/ r236304
releng/8.1/ r236304
stable/9/ r236304
releng/9.0/ r236304
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:02.crypt.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/GEsoACgkQFdaIBMps37JSYQCfZGZceQY4D53qgR9JbI79ZNht
/GIAnjnhxlCnF27cWOhqxkkTWM6f45IM
=7CVu
-----END PGP SIGNATURE-----
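
The truncation described in Section III of FreeBSD-SA-12:02.crypt above, as an added example that is not part of the advisory or of FreeBSD's libcrypt. It is a simplified C model of traditional-DES key preparation, with hypothetical function names and constructed sample passwords, showing how a 0x80 byte ends the key early and which inputs derive a different key once the end-of-input test is corrected.

```c
/* Added illustration of the truncation described in FreeBSD-SA-12:02.crypt.
 * Simplified model of traditional-DES key preparation, NOT the FreeBSD
 * libcrypt source; every function name below is hypothetical. */
#include <stdio.h>
#include <string.h>

#define DES_KEY_BYTES 8 /* traditional DES crypt() keys on the first 8 bytes */

/* Flawed model. Each byte is shifted left by one so that its low 7 bits land
 * in the 7 key bits DES uses per byte, and the *shifted* value is then tested
 * to detect end of input. 0x80 << 1 truncates to 0x00 in 8 bits, so a 0x80
 * byte is mistaken for the terminating NUL and the pointer never advances. */
static size_t prepare_key_flawed(const char *pw, unsigned char out[DES_KEY_BYTES])
{
    const unsigned char *key = (const unsigned char *)pw;
    size_t used = 0;

    for (size_t i = 0; i < DES_KEY_BYTES; i++) {
        out[i] = (unsigned char)(*key << 1);
        if (out[i] != 0) { /* wrong: inspects the shifted byte */
            key++;
            used++;
        }
    }
    return used; /* password bytes consumed */
}

/* Corrected model: end of input is decided on the original byte. */
static size_t prepare_key_fixed(const char *pw, unsigned char out[DES_KEY_BYTES])
{
    const unsigned char *key = (const unsigned char *)pw;
    size_t used = 0;

    for (size_t i = 0; i < DES_KEY_BYTES; i++) {
        out[i] = (unsigned char)(*key << 1);
        if (*key != 0) { /* only a real NUL stops consumption */
            key++;
            used++;
        }
    }
    return used;
}

/* Returns 1 when the two models derive different DES keys for pw. */
static int key_differs_after_fix(const char *pw)
{
    unsigned char before[DES_KEY_BYTES], after[DES_KEY_BYTES];

    prepare_key_flawed(pw, before);
    prepare_key_fixed(pw, after);
    return memcmp(before, after, DES_KEY_BYTES) != 0;
}

/* Returns 1 when the flawed model maps two different passwords to one key. */
static int collide_when_flawed(const char *a, const char *b)
{
    unsigned char ka[DES_KEY_BYTES], kb[DES_KEY_BYTES];

    prepare_key_flawed(a, ka);
    prepare_key_flawed(b, kb);
    return strcmp(a, b) != 0 && memcmp(ka, kb, DES_KEY_BYTES) == 0;
}

int main(void)
{
    /* Constructed samples. "\xC3\x80" is UTF-8 for U+00C0 and contains the
     * 0x80 byte; "\xC3\xA9" (U+00E9) is non-ASCII but has no 0x80 byte. */
    const char *samples[] = {
        "password",
        "pa\xC3\x80" "ssword",
        "pa\xC3",
        "p\xC3\xA9" "ssword",
    };
    unsigned char k[DES_KEY_BYTES];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t flawed = prepare_key_flawed(samples[i], k);
        size_t fixed = prepare_key_fixed(samples[i], k);
        printf("sample %zu: flawed uses %zu byte(s), fixed uses %zu, key %s\n",
               i, flawed, fixed,
               key_differs_after_fix(samples[i]) ? "CHANGES" : "unchanged");
    }
    printf("samples 1 and 2 collide under flawed model: %d\n",
           collide_when_flawed(samples[1], samples[2]));
    return 0;
}
```

Passwords for which `key_differs_after_fix()` returns 1 in this model are the ones whose stored DES hashes were computed on a truncated key.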

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-12:01.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL multiple vulnerabilities

Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0. Revision History

v1.0 2012-05-02 Initial release.
v1.1 2012-05-30 Updated patch to add SGC and BUF_MEM_grow_clean(3) bug
fixes.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of previously freed memory can be exposed
when communicating with an SSL 3.0 peer. However, the FreeBSD OpenSSL
version does not support the SSL_MODE_RELEASE_BUFFERS SSL mode and
therefore has a single write buffer per connection. That write buffer
is partially filled with non-sensitive handshake data at the beginning
of the connection and, thereafter, only records which are longer than
any previously sent record leak any non-encrypted data. This, combined
with the small number of bytes leaked per record, serves to limit the
severity of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will not be
willing to process this many messages. SSL/TLS applications are not
affected. [CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead
to a potentially exploitable attack via buffer overflow. The SSL/TLS
code in OpenSSL is not affected by this issue, nor are applications
using the memory based ASN.1 functions. There are no applications in
FreeBSD base system affected by this issue, though some 3rd party
consumers of these functions might be vulnerable when processing
untrusted ASN.1 data. [CVE-2012-2110]

The patch provided with the initial version of this advisory introduced
a bug in the Server Gated Cryptography (SGC) handshake code that could
cause the SGC handshake to fail for a legitimate client. The updated patch
also fixes the return error code in the BUF_MEM_grow_clean(3) function in the
buffer size check code introduced by the CVE-2012-2110 fix.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl2.patch
# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl2.patch.asc

NOTE: The patch distributed at the time of the original advisory fixed
the security vulnerability, but introduced a bug to the SGC handshake
code that can cause the SGC handshake to fail for a legitimate client.
Systems to which the original patch was applied should be patched with
the following corrective patch, which contains only the additional
changes required to fix the newly-introduced SGC handshake bug. The
updated patch also corrects an error code for an error check introduced
in the original patch.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch
# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

NOTE: Any third-party applications, including those installed from the
FreeBSD ports collection, which are statically linked to libcrypto(3)
should be recompiled in order to use the corrected code.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.3
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.2
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.2
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.2
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.2.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.3
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.3
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.8
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.2
RELENG_7_4
src/UPDATING 1.507.2.36.2.10
src/sys/conf/newvers.sh 1.72.2.18.2.13
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.1.2.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.1.2.1
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.20.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.2.2.1
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.2.2.1
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.5.2.2
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.1.2.1
RELENG_8
src/crypto/openssl/crypto/buffer/buffer.c 1.2.2.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.2
src/crypto/openssl/crypto/mem.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.10.1
src/crypto/openssl/ssl/ssl.h 1.2.2.2
src/crypto/openssl/ssl/ssl_err.c 1.2.2.2
src/crypto/openssl/ssl/s3_enc.c 1.2.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.6
src/crypto/openssl/ssl/ssl3.h 1.2.2.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.4
src/sys/conf/newvers.sh 1.83.2.15.2.6
src/crypto/openssl/crypto/buffer/buffer.c 1.2.14.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.4.1
src/crypto/openssl/crypto/mem.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.6.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.26.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.6.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.4.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.6.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.10
src/sys/conf/newvers.sh 1.83.2.12.2.13
src/crypto/openssl/crypto/buffer/buffer.c 1.2.8.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.2.1
src/crypto/openssl/crypto/mem.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.18.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.4.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.3.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.4.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.13
src/sys/conf/newvers.sh 1.83.2.10.2.14
src/crypto/openssl/crypto/buffer/buffer.c 1.2.6.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.16.1
src/crypto/openssl/crypto/mem.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.16.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.2.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_enc.c 1.2.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.2.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.2.1
RELENG_9
src/crypto/openssl/crypto/buffer/buffer.c 1.2.10.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.2.1
src/crypto/openssl/crypto/mem.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.22.1
src/crypto/openssl/ssl/ssl.h 1.3.2.1
src/crypto/openssl/ssl/ssl_err.c 1.3.2.1
src/crypto/openssl/ssl/s3_enc.c 1.3.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.2.2
src/crypto/openssl/ssl/ssl3.h 1.3.2.1
RELENG_9_0
src/UPDATING 1.702.2.4.2.4
src/sys/conf/newvers.sh 1.95.2.4.2.6
src/crypto/openssl/crypto/buffer/buffer.c 1.2.12.2
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.4.1
src/crypto/openssl/crypto/mem.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.24.1
src/crypto/openssl/ssl/ssl.h 1.3.4.1
src/crypto/openssl/ssl/ssl_err.c 1.3.4.1
src/crypto/openssl/ssl/s3_enc.c 1.3.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.4.2
src/crypto/openssl/ssl/ssl3.h 1.3.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r236304
releng/7.4/ r236304
stable/8/ r236304
releng/8.3/ r236304
releng/8.2/ r236304
releng/8.1/ r236304
stable/9/ r236304
releng/9.0/ r236304
- -------------------------------------------------------------------------

VII. References

http://www.openssl.org/news/secadv_20120419.txt
http://www.openssl.org/news/secadv_20120312.txt
http://www.openssl.org/news/secadv_20120104.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
http://lists.openwall.net/full-disclosure/2012/04/19/4

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:01.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/GEsMACgkQFdaIBMps37IOkwCgj6lSWidx+sk/C/seNNBmQfN8
36sAn2OQg0TEYq9xPf8yd0hrPICuDyGK
=T8ip
-----END PGP SIGNATURE-----

Saturday, May 12, 2012

[FreeBSD-Announce] FreeBSD Quarterly Status Report January-March, 2012

FreeBSD Quarterly Status Report January-March, 2012

Introduction

This report covers FreeBSD-related projects between January and March
2012. It is the first of the four reports planned for 2012. This
quarter was highlighted by releasing the next major version of FreeBSD,
9.0, which was finally released in the beginning of January 2012. The
FreeBSD Project dedicates the FreeBSD 9.0-RELEASE to the memory of
Dennis M. Ritchie, one of the founding fathers of the UNIX® operating
system. Our release engineering team has also been busy with
preparation of the 8.3-RELEASE, which was publicly announced in April.

Thanks to all the reporters for the excellent work! This report
contains 27 entries and we hope you enjoy reading it.

Please note that the deadline for submissions covering the period
between April and June 2012 is July 15th, 2012.
__________________________________________________________________

Projects

* FreeBSD Services Control
* GNU-Free C++11 Stack
* Growing filesystems online
* The FreeNAS Project

User-land Programs

* Clang Replacing GCC in the Base System
* Replacing the Regular Expression Code
* The bsdconfig(8) utility

FreeBSD Team Reports

* Release Engineering Team Status Report
* The FreeBSD Foundation Team Report

Kernel

* DTrace Probes for the linuxulator
* HDMI/DisplayPort Audio Support in HDA Sound Driver (snd_hda)
* Improved hwpmc(9) Support for MIPS
* isci(4) SAS Driver

Network Infrastructure

* Atheros 802.11n Support
* IPv6 Performance Analysis
* Multi-FIB: IPv6 Support and Other Enhancements

Documentation

* The FreeBSD Japanese Documentation Project

Architectures

* FreeBSD/arm on Various TI Boards
* FreeBSD/powerpc on Freescale QorIQ DPAA
* NAND File System, NAND Flash Framework, NAND Simulator
* Porting DTrace to MIPS and ARM

Ports

* A New linux_base Port Based Upon CentOS
* BSD-licensed sort Utility (GNU sort Replacement)
* KDE/FreeBSD
* Perl Ports Testing
* The FreeBSD Haskell Ports
* The FreeBSD Ports Collection
__________________________________________________________________

A New linux_base Port Based Upon CentOS

Contact: Alexander Leidinger <netchild@FreeBSD.org>

We got a PR with a linux_base port which is based upon CentOS 6.
Currently this can only be used as a test environment, as it depends
upon a more recent Linux kernel version than the linuxulator provides.

As of this writing, I'm in the process of preparing a commit of this
port.

Open tasks:

1. Repocopy by portmgr.
2. Add conflicts in other linux_base ports.
3. Commit the CentOS based one.
4. Some cleanup.
__________________________________________________________________

Atheros 802.11n Support

URL: http://wiki.FreeBSD.org/AdrianChadd/AtherosTxAgg
URL: http://wiki.FreeBSD.org/dev/ath(4)

Contact: Adrian Chadd <adrian@FreeBSD.org>

802.11n station and hostap support is now fully functional, sans
correct hostap side power saving. TX aggregation and TX BAR handling is
implemented.

Station chip power saving is not implemented at all yet; it's not in
the scope of this work.

Testers should disable bgscan (-bgscan) as scan/bgscan will simply drop
any traffic in the TX/RX queues, causing potential traffic stalls.

Open tasks:

1. Fix up hostap side power save handling.
2. Implement filtered frames support in the driver.
3. Fix scan/bgscan to correctly buffer and retransmit frames when
going off channel, so frames are not just "dropped" - this causes
issues in the aggregation sessions and may cause traffic stalls.
4. Test/fix any issues with adhoc 802.11n support.
__________________________________________________________________

BSD-licensed sort Utility (GNU sort Replacement)

URL: http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/textproc/bsdsort/
URL:
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/sort.html

Contact: Oleg Moskalenko <oleg.moskalenko@citrix.com>
Contact: Gábor Kövesdán <gabor@FreeBSD.org>

Currently BSD sort has reached a usable, stable stage. It is stable, it is
as fast as the GNU sort, and it supports multi-byte locales (this is
something that GNU sort does not do correctly). BSD sort has all
features of GNU sort 5.3.0 (the version included in FreeBSD) with some
extra features and bug fixes.

Open tasks:

1. Add BSD sort into HEAD as an alternative, installed as bsdsort. If
proven to work as expected, change it to the default sort version
and remove GNU sort.
2. Investigate the possibility of a multi-threaded sort implementation
and implement it, if it proves more efficient.
3. Upgrade BSD sort features to include some obscure new features in
the latest GNU sort version 8.15.
__________________________________________________________________

Clang Replacing GCC in the Base System

URL: http://wiki.FreeBSD.org/BuildingFreeBSDWithClang

Contact: Brooks Davis <brooks@FreeBSD.org>
Contact: David Chisnall <theraven@FreeBSD.org>
Contact: Dimitry Andric <dim@FreeBSD.org>
Contact: Ed Schouten <ed@FreeBSD.org>
Contact: Pawel Worach <pawel.worach@gmail.com>
Contact: Roman Divacky <rdivacky@FreeBSD.org>

Both FreeBSD 10.0-CURRENT and 9.0-STABLE now have Clang 3.0 release
installed by default. At least on 10.0-CURRENT, both world and the
GENERIC kernel can be completely built without any -Werror warnings.
This may not be the case for all custom kernel configurations yet.

As of r231057, there is a WITH_CLANG_EXTRAS option for src.conf(5),
which will enable a number of additional LLVM and Clang tools, such as
'llc' and 'opt'. These tools are mainly useful for people that want to
manipulate LLVM bitcode (.bc) and LLVM assembly language (.ll) files,
or want to tinker with LLVM and Clang themselves.

Also, as of r232322, there is a WITH_CLANG_IS_CC option for
src.conf(5), which will install Clang as /usr/bin/cc, /usr/bin/c++ and
/usr/bin/cpp, making it the default system compiler. Unless you also
use the WITHOUT_GCC option, gcc will still be available as
/usr/bin/gcc, /usr/bin/g++ and /usr/bin/gcpp.

The intent is to switch on this option by default rather sooner than
later, so we can start preparing for shipping 10.0-RELEASE with Clang
as the default system compiler, and deprecating gcc.

In other news, we will import a newer snapshot of Clang soon, since
upstream LLVM/Clang has already announced their 3.1 release will be
branched April 16, 2012. Most likely, the actual 3.1 release will
follow a few weeks later, after which we will do another import.

Last but not least, there are many ports people working on making our
ports compile properly with Clang. Fixes are checked in on a very
regular basis now, and full exp-runs with Clang are also done fairly
regularly. Of course, there are always a few difficult cases,
especially with very old software that will not even compile with newer
versions of gcc, let alone clang.

Open tasks:

1. One of the most important tasks at the moment is to actually build
and run your entire FreeBSD system with Clang, as much as possible.
Any compile-time or run-time problems should be reported to the
appropriate mailing list, or filed as a PR. If you have patches
and/or workarounds, that would be even better.
2. Clang should have gotten better support for cross-compiling after
3.0, so as soon as a 3.1 version is imported, we will need to look
at ways to get the FreeBSD world and kernels to cross-compile. This
is mainly of use for ARM and MIPS, which are architectures you
usually do not want to build natively on.
3. Help to make unwilling ports build with Clang is always needed, and
greatly appreciated. Please mail the maintainer of your favorite
port with patches, or file PRs.
__________________________________________________________________

DTrace Probes for the linuxulator

Contact: Alexander Leidinger <netchild@FreeBSD.org>

Recently DTrace in the kernel was improved to be able to load kernel
modules with static dtrace providers after the dtrace modules. This
allows me to commit my linuxulator specific static provider work to
-CURRENT.

Together with the linuxulator DTrace probes I developed some D scripts
to check various code paths in the linuxulator. Those scripts check
various error cases which may be interesting to verify userland code,
but also linuxulator internals like locks.

As of this writing I'm in the process of updating a test machine to a
more recent -current to prepare the commit.
__________________________________________________________________

FreeBSD Services Control

URL: http://people.FreeBSD.org/~trhodes/fsc/

Contact: Tom Rhodes <trhodes@FreeBSD.org>

After a while of moving and getting a new job, I finally got back to
this project (also thanks to several submissions by Julian Fagir), a
new version has been uploaded along with a short description page. The
current version supports more options, a configuration file, and
updated rc.d script. It also includes manual page updates and an
optional debugging mode.
__________________________________________________________________

FreeBSD/arm on Various TI Boards

URL: http://svnweb.FreeBSD.org/base/projects/armv6/sys/arm/ti/

Contact: Ben Gray <bgray@FreeBSD.org>
Contact: Olivier Houchard <cognet@FreeBSD.org>
Contact: Damjan Marion <dmarion@FreeBSD.org>
Contact: Oleksandr Tymoshenko <gonzo@FreeBSD.org>

The goal of this project is to get FreeBSD running on various popular
boards that use TI-based SoCs like OMAP3, OMAP4, AM335x. The project
covers some ARM generic Cortex-A components: GIC (Generic Interrupt
Controller), PL310 L2 Cache Controller and SCU.

PandaBoard (TI OMAP4430) and PandaBoard ES (OMAP4460) Dual core ARM
Cortex-A9 board support includes: USB, onboard Ethernet over USB, GPIO,
I2C and MMC/SD card drivers. The board works in multiuser mode over NFS
root.

BeagleBone (TI AM3358/AM3359) single core ARM Cortex-A8 based board
support currently includes: Ethernet, L2 cache, GPIO, I2C. The board
works in multiuser mode over NFS root.

Open tasks:

1. Completing missing peripherals: DMA, SPI, MMC/SD, Video, Audio.
2. Completing SMP support and testing.
3. Importing BeagleBoard (OMAP3) code to SVN.
4. Improving overall stability and performance.
__________________________________________________________________

FreeBSD/powerpc on Freescale QorIQ DPAA

URL: http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=P2040
URL: http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=P3041
URL: http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=P5020
URL: http://www.freescale.com/webapp/sps/site/homepage.jsp?code=64BIT&fsrch=1&sr=1

Contact: Michal Dubiel <md@semihalf.com>
Contact: Rafal Jaworowski <raj@semihalf.com>
Contact: Piotr Ziecik <kosmo@semihalf.com>

This work is bringing up FreeBSD on Freescale QorIQ Data Path
Acceleration Architecture (DPAA) system-on-chips along with device
drivers for integrated peripherals. Since the last status report, the
following support has been added:
* Ethernet (full network functionality using Regular Mode of DPAA
infrastructure)
* QorIQ P5020 SoC (e5500 core in legacy 32-bit mode)
* P5020 QorIQ Development System support
* Initial support for Enhanced SDHC

The next step is:
* e5500 core in native 64-bit mode

Related publications:
* Michal Dubiel, Piotr Ziecik, "FreeBSD on Freescale QorIQ Data Path
Acceleration Architecture Devices", AsiaBSDCon, March 2012, Tokyo,
Japan.
__________________________________________________________________

GNU-Free C++11 Stack

Contact: David Chisnall <theraven@FreeBSD.org>

Since the last status report, the combination of libc++ and libcxxrt
has received some additional testing and gained some new features
including support for ARM EABI. With clang 3.1, we now pass all of the
C++11 atomics tests.

The xlocale implementation (required for libc++) has been tested with a
variety of ports that were originally written for the Darwin
implementation, and bugs that this testing uncovered have been fixed.
This should be released in 9.1.

In -CURRENT, we are now building libsupc++ as a shared library. This
provides the ABI layer and building it as a shared library means that
we can replace it with libcxxrt easily. If you are running -CURRENT,
please try using libmap.conf to enable libcxxrt instead of libsupc++.

If libstdc++ is using libcxxrt, you can now link against both libraries
that are using libstdc++ and libc++, making the migration slightly
easier, although you cannot pass STL objects between libraries using
different STL versions.

We still need a replacement for some parts of libgcc_s and for the
linker, but we're on track for a BSD licensed C++ stack in 10.0.

Open tasks:

1. Test ports with libc++. Hopefully most will Just Work, but others
may need patches or have a hard dependency on libstdc++.
2. Enable building libc++ by default. This is dependent upon building
with clang, because the version of gcc in the base system does not
support C++11 and so can not be used to build libc++.
3. Removing libstdc++ from the base system and making it available
through ports for backwards compatibility.
__________________________________________________________________

Growing filesystems online

Contact: Edward Tomasz Napierala <trasz@FreeBSD.org>

The goal of this project is to make it possible to grow a filesystem,
both UFS and ZFS, while it's mounted read-write. This includes changes
to both filesystems, GEOM infrastructure, and the da(4) driver. For
testing purposes, I've also added resizing to mdconfig(8) and
implemented LUN resizing in CAM Target Layer.

From the system administrator's point of view, this makes it possible
to resize a mounted partition using gpart(8) and then resize the
filesystem on it using growfs(8) - all without unmounting it first;
especially useful if it's a root filesystem.

All the functionality works and is in the process of being refined,
reviewed and merged to HEAD.

This project is sponsored by The FreeBSD Foundation.

Open tasks:

1. The write suspension infrastructure (/dev/ufssuspend) implemented
to make resizing possible makes it also possible to implement
online tunefs(8) and fsck(8).
2. Right now, there is no way for a GEOM class to veto resizing --
classes are notified about resize and they can either adapt, or
wither. Many classes store their metadata in the last sector,
though, so resizing a partition containing e.g. gmirror will make
it inoperable. It would be nice if geom_mirror(4) could veto
resizing, so the administrator attempting to shoot himself in the
foot would get a warning.
__________________________________________________________________

HDMI/DisplayPort Audio Support in HDA Sound Driver (snd_hda)

Contact: Alexander Motin <mav@FreeBSD.org>

The snd_hda(4) driver got a number of improvements to better support
HDMI/DisplayPort audio, such as:
* Added fetching EDID-Like Data from the CODEC and video driver,
describing audio capabilities of the display device.
* Added setting HDMI/DP-specific CODEC options, such as number of
channels, speakers configuration and channels mapping.
* Added support for more multichannel formats. For HDMI and
DisplayPort devices, the following are now supported: 2.0, 2.1, 3.0,
3.1, 4.0, 4.1, 5.0, 5.1, 6.0, 6.1, 7.0 and 7.1 channels.
* Added support for compressed streams passthrough with data rate
6.144 - 24Mbps, such as DTS-HD Master Audio or Dolby TrueHD.
* Added support for HDA bus multiplexing to handle higher data rates
(up to 92, 184 or more Mbps, depending on hardware capabilities).
It allows handling several 192/24/8 LPCM playback streams
simultaneously.

The above functionality was successfully tested on NVIDIA GT210 and
GT520 video cards with the nvidia-driver-290.10 driver. HDMI audio on
older NVIDIA ION and Geforce 8300 boards still does not work for an
unknown reason. There are also successful reports about Intel video
with the latest KMS-based drivers. Support for ATI cards is limited to
older cards, because the video driver supporting newer cards does not
support HDMI audio.

The code was committed to HEAD and merged to 9-STABLE branch.

Project sponsored by iXsystems, Inc.

Open tasks:

1. Make better use of received EDID-Like Data.
2. Identify and fix problem with older NVIDIA cards.
__________________________________________________________________

Improved hwpmc(9) Support for MIPS

Contact: Oleksandr Tymoshenko <gonzo@FreeBSD.org>

hwpmc(9) for MIPS has been reworked. The changes include:
* mips24k code was split to CPU-specific and arch-specific parts to
make adding support for new CPUs easier
* Added support for Octeon PMC
* Added sampling support for MIPS in general
__________________________________________________________________

IPv6 Performance Analysis

URL: http://people.FreeBSD.org/~bz/bench/

Contact: Bjoern A. Zeeb <bz@FreeBSD.org>

IPv6 performance numbers were often seen (significantly) lower on
FreeBSD when compared to IPv4. Continuing last year's IPv6-only kernel
efforts, this project looked at various reasons for this and started
fixing some.

As part of the project a benchmark framework was created that could
carry out various tests including reboots in between runs and gather
results reproducibly without user intervention. It allows regular
benchmarking with minimal configuration and easy future extension for
more benchmarks.

As a result of the initial analysis, UDP locking and route lookups were
improved, and delayed checksumming, TSO6 and LRO support for IPv6 were
implemented. Following this checksum "offload" for IPv6 on loopback was
enabled and various further individual improvements, both locking and
general code changes, as well as a reduction of the cache size
footprint were carried out. Some of the changes were equally applied to
IPv4.

Performance numbers on physical and loopback interfaces are on par with
IPv4 when using offload support with TCP/IPv6, which is a huge
improvement. UDP and non-offload numbers on IPv6 have generally
improved but are still lower than on IPv4 and will need future work to
catch up with a decade of IPv4 benchmarking and code path
optimizations. UDP IPv6 minimal size send path packets per second (pps)
numbers however have increased beating IPv4 when sending to a local
discard device.

This gets us really close to being able to prefer IPv6 by default
without causing loopback performance regressions. For physical
interfaces, cxgb(4) in HEAD already supports IPv6 TCP offload and
LRO/v6 support was added. To be able to get more test results on
different hardware, both ixgbe(4) and cxgbe(4) were also updated to
support TSO6 and LRO with IPv6.

Some of the insights gained from this work will help upcoming
discussions on both the lower/link-layer overhaul as well as for the
mbuf changes to prepare our stack for more, future improvements (ahead
of time).

I once again want to thank the FreeBSD Foundation and iXsystems for
their support of the project, as well as George Neville-Neil for
providing review.

Having set the start to close one of the biggest feature parity gaps
left I will continue to improve IPv6 code paths and hope that we will
see more contributions and independent results from the community as
well soon.

Open tasks:

1. Carefully merge code changes to SVN.
__________________________________________________________________

isci(4) SAS Driver

Contact: Jim Harris <jimharris@FreeBSD.org>

An Intel-supported isci(4) driver, for the integrated SAS controller in
Intel's C600 chipsets, is now available in head, stable/9, stable/8 and
stable/7.

The isci(4) driver will also be part of the FreeBSD 8.3 release.
__________________________________________________________________

KDE/FreeBSD

URL: http://FreeBSD.kde.org
URL: http://FreeBSD.kde.org/area51.php

Contact: KDE FreeBSD <kde@FreeBSD.org>

The team has made many releases and upstreamed many fixes and patches.
The latest round of releases includes:
* KDE SC: 4.7.4 (in ports) and 4.8.0, 4.8.1, 4.8.2 (in area51)
* Qt: 4.8.0, 4.8.1 (in area51)
* PyQt: 4.9.1; SIP: 4.13.2 (in area51)
* KDevelop: 2.3.0; KDevPlatform: 1.3.0 (in area51)
* Calligra: 2.3.87 (in area51)
* Amarok: 2.5.0
* CMake: 2.8.7

Due to the prolonged port freeze the KDE team has not been able to
update KDE in Ports as it is considered an intrusive change.

The team is always looking for more testers and porters so please
contact us at kde@FreeBSD.org and visit our home page at
http://FreeBSD.kde.org.

Open tasks:

1. Testing KDE SC 4.8.2.
2. Testing KDE PIM 4.8.2.
3. Testing phonon-gstreamer and phonon-vlc as the phonon-xine backend
was deprecated (but will remain in the ports for now).
4. Testing the Calligra beta releases (in the area51 repository).
__________________________________________________________________

Multi-FIB: IPv6 Support and Other Enhancements

URL: http://svnweb.FreeBSD.org/base/projects/multi-fibv6/

Contact: Bjoern A. Zeeb <bz@FreeBSD.org>
Contact: Alexander V. Chernikov <melifaro@FreeBSD.org>

In 2008 the multiple forwarding information base (FIB) feature was
introduced for IPv4 allowing up to 16 distinct forwarding ("routing")
tables in the kernel. Thanks to the sponsorship from Cisco Systems,
Inc. this feature is now also available for IPv6 and one of the bigger
IPv6 feature-parity gaps is closed. The changes have been integrated to
HEAD, were merged back to stable/9 and stable/8 and will be part of
future releases for these branches. A backport to stable/7 is also
available in the project branch. If more than one FIB is requested,
IPv6 FIBs will be added along the extra IPv4 FIBs without any special
configuration needed and programs like netstat and setfib, as well as
ipfw, etc. were extended to seamlessly support the multi-FIB feature on
both address families.

Thanks to the help of Alexander V. Chernikov all usage of the multi-FIB
feature is now using the boot-time variable rather than depending on
the compile time option. In HEAD this now allows you to use the
multi-FIB feature with GENERIC kernels, without needing to recompile
your own anymore. The former kernel option can still be used to set a
default value if desired. Otherwise the net.fibs loader tunable can be
used to request more than one IPv6 and IPv4 FIB at boot time.

Last, routing sockets are now aware of FIBs and will only show the
routing messages targeted at the FIB they are attached to. This allows
route monitor or routing daemons to get selective updates for just a
specific FIB.
__________________________________________________________________

NAND File System, NAND Flash Framework, NAND Simulator

URL: http://svnweb.FreeBSD.org/base/projects/nand/

Contact: Grzegorz Bernacki <gjb@semihalf.com>
Contact: Mateusz Guzik <mjg@semihalf.com>

The NAND Flash stack consists of a driver framework for NAND
controllers and memory chips, a NAND device simulator and a fault
tolerant, log-structured file system, accompanied by tools, utilities
and documentation.

NAND FS support merged into "nand" project branch:
* NAND FS filesystem
* NAND FS userland tools

NAND Framework and NAND simulator merged into "nand" project
branch:
* NAND framework: nandbus, generic nand chips drivers
* NAND Flash controllers (NFC) drivers for NAND Simulator and Marvell
MV-78100 (ARM)
* NAND tool (which allows to erase, write/read pages/oob, etc.)

The next steps include:
* Fix bugs
* Merge into HEAD

Work on this project is supported by the FreeBSD Foundation and Juniper
Networks.
__________________________________________________________________

Perl Ports Testing

URL: http://wiki.FreeBSD.org/Perl#Test_Dependencies

Contact: Steve Wills <swills@FreeBSD.org>

Many Perl modules in ports come with test cases included with their
source. This project's goal is to ensure that all these tests pass.
Significant progress has been made on this project. The change to build
perl with -pthread was committed and no issues have been reported. Many
ports have had missing dependencies added and/or other changes and
approximately 90% of p5- ports pass tests. Work is being done on
bringing testing support out of ports tinderbox.

Open tasks:

1. Finish work on patch to bring testing support to ports.
2. Add additional support for testing other types of ports such as
python and ruby.
__________________________________________________________________

Porting DTrace to MIPS and ARM

Contact: Oleksandr Tymoshenko <gonzo@FreeBSD.org>

The major part of DTrace has been ported to the MIPS platform.
Supported ABIs: o32 and n64. n32 has not been tested yet. The MIPS
implementation passes 853 of 927 tests from the DTrace test suite.

The fbt provider and userland DTrace are not supported yet.

The port to ARM is in progress.

Open tasks:

1. Userland DTrace support for MIPS.
2. Investigate the amount of effort required for getting the fbt
provider to work at least partially.
3. Find proper solution for cross-platform CTF data generation
(required for ARM).
__________________________________________________________________

Release Engineering Team Status Report

URL: http://www.FreeBSD.org/releng/

Contact: Release Engineering Team <re@FreeBSD.org>

On behalf of the FreeBSD Project the Release Engineering Team is
pleased to announce the release of FreeBSD 8.3-RELEASE on April
18th, 2012.

With the FreeBSD 8.3 release cycle completed our focus shifts to
preparing for the FreeBSD 9.1-RELEASE. A schedule will be posted
shortly, with the release target date set for mid-July 2012.
__________________________________________________________________

Replacing the Regular Expression Code

URL: http://svnweb.FreeBSD.org/base/user/gabor/tre-integration/
URL: http://laurikari.net/tre/
URL: http://www.tdk.aut.bme.hu/Files/TDK2011/POSIX-regularis-kifejezesek1.pdf

Contact: Gábor Kövesdán <gabor@FreeBSD.org>

Since the last status report, there has been significant progress in
optimizing TRE. The multiple pattern heuristic code is mostly finished
and it distinguishes several different cases to speed up pattern
matching. It extracts literal fragments from the original patterns and
uses a multiple pattern matching algorithm to find any occurrence. GNU
grep uses the Commentz-Walter algorithm, which is an automaton-based
algorithm, while in this project, it has been decided to use a
Wu-Manber algorithm, which is more efficient and also easier to
implement. In the current state, it does not work entirely yet and some
cases, like the REG_ICASE flag are not yet covered. This is the next
major step to complete this multiple pattern interface. In the
development branch, BSD grep is already modified to use this new
interface so it can be used for testing and debugging purposes.

Open tasks:

1. Finish multiple pattern heuristic regex matching.
2. Implement GNU-specific regex extensions.
3. Test standard-compliance and correct behavior.
__________________________________________________________________

The bsdconfig(8) utility

URL: http://druidbsd.cvs.sf.net/viewvc/druidbsd/bsdconfig/
URL: http://druidbsd.sf.net/download/bsdconfig/bsdconfig-20120512-1.svg
URL: http://druidbsd.sf.net/download/bsdconfig/bsdconfig-20120512-1i.svg

Contact: Devin Teske <dteske@FreeBSD.org>
Contact: Ron McDowell <rcm@fuzzwad.org>

Approaching 20,000 lines of sh(1) code, the bsdconfig(8) tool is
approximately 70% complete. Upon completion of this project,
bsdconfig(8) will represent (in conjunction with already-existing
bsdinstall(8)) a complete set of utilities capable of purposefully
deprecating sysinstall(8) in FreeBSD 9 and higher. This project has
been a labor of love for Ron McDowell and me for over 90 days now and we
are approaching the completion of this wonderful tool.

Open tasks:

1. The "installer suite" modules for acquiring/installing binary
packages and additional distribution sets. Startup services module.
__________________________________________________________________

The FreeBSD Foundation Team Report

URL: www.FreeBSDFoundation.org

Contact: Deb Goodkin <deb@FreeBSDFoundation.org>

The Foundation sponsored AsiaBSDCon 2012 which was held in Tokyo,
Japan, March 22-25. We were represented at SCALE on Jan 21 and NELF on
March 17. This quarter we plan on being at ILF (Indiana LinuxFest)
April 14th, BSDCan May 11-12, and SELF (Southeast LinuxFest) June 9.

We are proud to be a gold sponsor of BSDCan 2012, which will be held in
Ottawa, Canada, May 11-12. We are sponsoring 14 developers to attend
the conference.

We kicked off three foundation funded projects -- Growing Filesystems
Online by Edward Tomasz Napierala, Implementing auditdistd daemon by
Pawel Jakub Dawidek, and NAND Flash Support by Semihalf.

We are pleased to announce the addition of George Neville-Neil to our
board of directors. Deb Goodkin, our Director of Operations, was
interviewed by bsdtalk.

We announced a call for project proposals. We will accept proposals
until April 30th. Please read Project Proposal Procedures to find out
more.

FreeBSD 9.0 was released and we are proud to say we funded 7 of the new
features!
__________________________________________________________________

The FreeBSD Haskell Ports

URL: http://wiki.FreeBSD.org/Haskell
URL: https://github.com/freebsd-haskell/freebsd-haskell/
URL: https://github.com/freebsd-haskell/hsporter/
URL: https://github.com/freebsd-haskell/hsmtk/

Contact: Gábor PÁLI <pgj@FreeBSD.org>
Contact: Ashish SHUKLA <ashish@FreeBSD.org>

We are proud to announce that the FreeBSD Haskell Team has committed the
Haskell Platform 2011.4.0.0 update, GHC 7.0.4 update, existing port
updates, as well as new port additions to the FreeBSD ports repository,
which were pending due to the freeze for 9.0-RELEASE. Some of the new
ports which were committed include Yesod, Happstack, wxHaskell, gitit,
Threadscope, etc. and the count of Haskell ports in the FreeBSD Ports
tree is now almost 300. All of these updates will be available as part
of the upcoming 8.3-RELEASE.

We started project hsporter to automate creation of new FreeBSD Haskell
ports from .cabal file, as well as update existing ports. We also
published scripts which we were using in the FreeBSD Haskell project
under the project hsmtk.

Open tasks:

1. Test GHC to work with clang/LLVM.
2. Add an option to the lang/ghc port to be able to build it with
already installed GHC instead of requiring a separate GHC bootstrap
tarball.
3. Add more ports to the Ports Collection.
__________________________________________________________________

The FreeBSD Japanese Documentation Project

URL: http://www.FreeBSD.org/ja/
URL: http://www.jp.FreeBSD.org/doc-jp/

Contact: Hiroki Sato <hrs@FreeBSD.org>
Contact: Ryusuke Suzuki <ryusuke@FreeBSD.org>

The same as before, the outdated contents in the www/ja subtree were
updated to the latest versions in the English counterpart. The updating
work of the outdated translations in the www/ja subtree is almost
complete. Only the translations of the release documents for old
releases may be outdated.

During this period, we translated the 9.0-RELEASE announcement and
published it in a timely manner. It seems that the Japanese version of
the release announcement is important for Japanese people as this page
has frequently been referenced.

For FreeBSD Handbook, translation work of the "cutting-edge" section is
still on-going. Some updates in the "printing" and the "linuxemu"
section were done.

Open tasks:

1. Further translation work of outdated documents in both
doc/ja_JP.eucJP and www/ja.
__________________________________________________________________

The FreeBSD Ports Collection

URL: http://www.FreeBSD.org/ports/
URL: http://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/contributing-ports/
URL: http://portsmon.FreeBSD.org/index.html
URL: http://www.FreeBSD.org/portmgr/index.html
URL: http://blogs.FreeBSDish.org/portmgr/
URL: http://www.twitter.com/freebsd_portmgr/
URL: http://www.facebook.com/portmgr

Contact: Thomas Abthorpe <portmgr-secretary@FreeBSD.org>
Contact: Port Management Team <portmgr@FreeBSD.org>

The ports tree slowly climbs above 23,000 ports. The PR count still
remains at about 1100.

In Q1 we added 2 new committers, took in 2 commit bits for safe
keeping, and had one committer return to ports work.

The Ports Management team have been running -exp runs on an ongoing
basis, verifying how base system updates may affect the ports tree, as
well as providing QA runs for major ports updates. Of note, -exp runs
were done for:
* Ports validation in the FreeBSD 10 environment
* Updates to bison, libtool and libiconv
* Set java/openjdk6 as default java
* Tests with clang set as default
* Update to devel/boost and friends
* Update of audio/sdl and friends
* Tests for changes in the ports licensing infrastructure
* Update to devel/ruby1[8|9]
* Update to postgresql
* Update to apr
* Checks for new x11/xorg
* Security update to security/gnutls
* Ongoing validation of infrastructure with pkgng

A lot of focus during this period was put into getting the ports tree
into a ready state for FreeBSD 8.3, including preparing packages for
the release.

Beat Gaetzi has been doing ongoing tests with the ports tree to ensure
a smooth transition from CVS to Subversion.

Open tasks:

1. Looking for help getting ports to build with clang.
2. Looking for help with Tier-2 architectures.
3. ports broken by src changes.
4. ports failing on pointyhat.
5. ports failing on pointyhat-west.
6. ports that are marked as BROKEN.
7. When did that port break?
8. Most ports PRs are assigned, we now need to focus on testing,
committing and closing.
__________________________________________________________________

The FreeNAS Project

URL: http://www.FreeNAS.org

Contact: Josh Paetzel <jpaetzel@FreeBSD.org>
Contact: Xin Li <delphij@FreeBSD.org>

FreeNAS 8.0.4 was released last month, which marks the end of the 8.0.x
branch in FreeNAS.

FreeNAS 8.2.0 is in BETA currently, and will hopefully be released by
the end of April.

It features a number of improvements over the 8.0.x line, including
plugin support, (the ability to run arbitrary software in jails), as
well as better integration between command line ZFS and the GUI.

Once 8.2.0 is out it will be quickly followed up with 8.3.0, which will
include a number of driver updates as well as the long awaited ZFS v28.
__________________________________________________________________

(c) 1995-2012 The FreeBSD Project. All rights reserved.

Thursday, May 3, 2012

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-12:01.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2012-05-03
Credits:        Adam Langley, George Kadianakis, Ben Laurie,
                Ivan Nestlerode, Tavis Ormandy
Affects:        All supported versions of FreeBSD.
Corrected:      2012-05-03 15:25:11 UTC (RELENG_7, 7.4-STABLE)
                2012-05-03 15:25:11 UTC (RELENG_7_4, 7.4-RELEASE-p7)
                2012-05-03 15:25:11 UTC (RELENG_8, 8.3-STABLE)
                2012-05-03 15:25:11 UTC (RELENG_8_3, 8.3-RELEASE-p1)
                2012-05-03 15:25:11 UTC (RELENG_8_2, 8.2-RELEASE-p7)
                2012-05-03 15:25:11 UTC (RELENG_8_1, 8.1-RELEASE-p9)
                2012-05-03 15:25:11 UTC (RELENG_9, 9.0-STABLE)
                2012-05-03 15:25:11 UTC (RELENG_9_0, 9.0-RELEASE-p1)
CVE Name:       CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
                CVE-2012-0884, CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed
when communicating with an SSL 3.0 peer. However, the FreeBSD OpenSSL
version does not support the SSL_MODE_RELEASE_BUFFERS SSL mode and
therefore has a single write buffer per connection. That write buffer
is partially filled with non-sensitive, handshake data at the beginning
of the connection and, thereafter, only records which are longer than
any previously sent record leak any non-encrypted data. This, combined
with the small number of bytes leaked per record, serves to limit the
severity of this issue. [CVE-2011-4576]
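
The write-buffer behaviour described above, as an added C model that is not OpenSSL code and not part of the advisory: one buffer is reused for every record, and the padding bytes are either left as found or zeroed before the record is sent. The 16-byte block size, the buffer size, the record lengths and the XOR stand-in for encryption are assumptions made for the example.

```c
/* Added illustration, not OpenSSL code: a single reused write buffer in which
 * SSL 3.0 block-cipher padding is either left untouched or cleared. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16   /* assumed cipher block size */
#define BUFSZ 256  /* assumed size of the per-connection write buffer */

struct wbuf {
    unsigned char data[BUFSZ];
    unsigned char stale[BUFSZ]; /* 1 = byte never written since allocation */
};

/* Constructed record lengths (payload plus MAC), sent in this order. */
static const size_t SEQ[] = { 20, 5, 40, 48 };
#define NSEQ (sizeof SEQ / sizeof SEQ[0])

static void wbuf_init(struct wbuf *w)
{
    memset(w->data, 0xAA, sizeof w->data); /* stand-in for old heap content */
    memset(w->stale, 1, sizeof w->stale);
}

static void put(struct wbuf *w, size_t i, unsigned char v)
{
    w->data[i] = v;
    w->stale[i] = 0;
}

/* Build, pad and "encrypt" one record in place. Returns how many bytes of
 * never-written memory went into the record, or -1 if it does not fit. */
static int send_record(struct wbuf *w, size_t len, int clear_padding)
{
    size_t pad = BLOCK - (len % BLOCK);  /* 1..BLOCK bytes, incl. length byte */
    size_t total = len + pad;
    size_t i;
    int leaked = 0;

    if (total > BUFSZ)
        return -1;
    for (i = 0; i < len; i++)
        put(w, i, 'M');                          /* record payload */
    if (clear_padding)
        for (i = len; i < total - 1; i++)
            put(w, i, 0);                        /* the fix: zero the padding */
    put(w, total - 1, (unsigned char)(pad - 1)); /* SSL 3.0 padding length */

    for (i = 0; i < total; i++)
        leaked += w->stale[i];

    /* Stand-in for encryption: every record byte is overwritten in place,
     * so later, shorter records find only old ciphertext here. */
    for (i = 0; i < total; i++)
        put(w, i, w->data[i] ^ 0x5C);
    return leaked;
}

/* Replay SEQ[0..idx] on a fresh buffer; return the leak of record idx. */
static int leak_of_record(size_t idx, int clear_padding)
{
    struct wbuf w;
    size_t i;
    int leaked = -1;

    if (idx >= NSEQ)
        return -1;
    wbuf_init(&w);
    for (i = 0; i <= idx; i++)
        leaked = send_record(&w, SEQ[i], clear_padding);
    return leaked;
}

int main(void)
{
    size_t i;

    for (i = 0; i < NSEQ; i++)
        printf("len %2zu: uncleared leaks %2d, cleared leaks %d\n", SEQ[i],
               leak_of_record(i, 0), leak_of_record(i, 1));
    return 0;
}
```

In the model, the 5-byte record that follows a longer one carries no never-written bytes, while each record that extends past the previous high-water mark does, up to the 15 bytes the advisory states.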

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will not be
willing to process this many messages. SSL/TLS applications are not
affected. [CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead
to a potentially exploitable attack via buffer overflow. The SSL/TLS
code in OpenSSL is not affected by this issue, nor are applications
using the memory based ASN.1 functions. There are no applications in
FreeBSD base system affected by this issue, though some 3rd party
consumers of these functions might be vulnerable when processing
untrusted ASN.1 data. [CVE-2012-2110]
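
One kind of integer error that arises when a parser sizes its buffer from a length field in untrusted ASN.1 input, as an added C example that is not OpenSSL's code and does not reproduce asn1_d2i_read_bio(): the declared length is narrowed to a signed 32-bit value in one function and range-checked in the other. The function names, the 1 MiB limit and the sample headers are assumptions constructed for the example.

```c
/* Added illustration, not OpenSSL code: a declared DER length narrowed to a
 * signed 32-bit value, beside a range-checked size computation. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_OBJECT ((size_t)1 << 20) /* assumed policy limit: 1 MiB */

/* Constructed headers: tag 0x30 (SEQUENCE) followed by a definite length. */
static const uint8_t H_OK[]   = { 0x30, 0x82, 0x01, 0x00 };
static const uint8_t H_NEG[]  = { 0x30, 0x84, 0x80, 0x00, 0x00, 0x10 };
static const uint8_t H_WRAP[] = { 0x30, 0x85, 0x01, 0x00, 0x00, 0x00, 0x10 };
static const uint8_t H_CUT[]  = { 0x30, 0x84, 0x80 };

/* Parse tag + definite-form length. Returns the header size, or 0 if the
 * header is truncated, indefinite-length, or has more than 8 length octets. */
static size_t der_header(const uint8_t *p, size_t n, uint64_t *len)
{
    size_t i, k;

    if (n < 2)
        return 0;
    if ((p[1] & 0x80) == 0) {        /* short form: 0..127 */
        *len = p[1];
        return 2;
    }
    k = p[1] & 0x7F;                 /* long form: k length octets follow */
    if (k == 0 || k > 8 || n < 2 + k)
        return 0;
    *len = 0;
    for (i = 0; i < k; i++)
        *len = (*len << 8) | p[2 + i];
    return 2 + k;
}

/* Flawed pattern: the declared length is squeezed into a signed 32-bit
 * "want" before it drives buffer growth, so large values turn negative or
 * silently small. Returns LLONG_MIN if the header does not parse. */
static long long want_narrowed(const uint8_t *h, size_t n)
{
    uint64_t len;
    int32_t want;

    if (der_header(h, n, &len) == 0)
        return LLONG_MIN;
    want = (int32_t)len;             /* wraps on two's-complement compilers */
    return want;
}

/* Hardened pattern: keep the length wide and unsigned, and reject it before
 * any addition if header plus content would exceed the limit. Returns the
 * total object size, or -1 to reject. */
static long long want_checked(const uint8_t *h, size_t n)
{
    uint64_t len;
    size_t hdr = der_header(h, n, &len);

    if (hdr == 0 || len > MAX_OBJECT - hdr)
        return -1;
    return (long long)(hdr + len);
}

int main(void)
{
    printf("ok:   narrowed %lld, checked %lld\n",
           want_narrowed(H_OK, sizeof H_OK), want_checked(H_OK, sizeof H_OK));
    printf("neg:  narrowed %lld, checked %lld\n",
           want_narrowed(H_NEG, sizeof H_NEG), want_checked(H_NEG, sizeof H_NEG));
    printf("wrap: narrowed %lld, checked %lld\n",
           want_narrowed(H_WRAP, sizeof H_WRAP), want_checked(H_WRAP, sizeof H_WRAP));
    printf("cut:  checked %lld\n", want_checked(H_CUT, sizeof H_CUT));
    return 0;
}
```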

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-12:01/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

NOTE: Any third-party applications, including those installed from the
FreeBSD ports collection, which are statically linked to libcrypto(3)
should be recompiled in order to use the corrected code.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- - -------------------------------------------------------------------------
RELENG_7
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.2
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.2
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.2
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.2.1
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.2
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.3
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.7
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.3
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.2
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.2
RELENG_7_4
src/UPDATING 1.507.2.36.2.9
src/sys/conf/newvers.sh 1.72.2.18.2.12
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.2.1.2.1
src/crypto/openssl/crypto/mem.c 1.1.1.8.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.1.1.1.2.1.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.1.1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.20.1
src/crypto/openssl/crypto/buffer/buffer.c 1.1.1.4.2.1.2.1
src/crypto/openssl/ssl/ssl_err.c 1.1.1.11.2.2.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.5.2.1
src/crypto/openssl/ssl/ssl.h 1.1.1.16.2.2.2.1
src/crypto/openssl/ssl/s3_enc.c 1.1.1.13.2.1.2.1
src/crypto/openssl/ssl/ssl3.h 1.1.1.6.2.1.2.1
RELENG_8
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.2
src/crypto/openssl/crypto/mem.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.2.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.2
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.10.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.2.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.5
src/crypto/openssl/ssl/ssl.h 1.2.2.2
src/crypto/openssl/ssl/s3_enc.c 1.2.2.2
src/crypto/openssl/ssl/ssl3.h 1.2.2.2
RELENG_8_3
src/UPDATING 1.632.2.26.2.3
src/sys/conf/newvers.sh 1.83.2.15.2.5
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.4.1
src/crypto/openssl/crypto/mem.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.14.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.6.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.26.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.14.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.4.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.6.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.4.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.6.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.9
src/sys/conf/newvers.sh 1.83.2.12.2.12
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.10.1.2.1
src/crypto/openssl/crypto/mem.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.8.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.18.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.8.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.3.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.4.1
src/crypto/openssl/ssl/s3_enc.c 1.2.2.1.2.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.4.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.12
src/sys/conf/newvers.sh 1.83.2.10.2.13
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.1.1.13.16.1
src/crypto/openssl/crypto/mem.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.6.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.2.2.1.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.16.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.6.1
src/crypto/openssl/ssl/ssl_err.c 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.3.2.2.2.1
src/crypto/openssl/ssl/ssl.h 1.2.2.1.2.1
src/crypto/openssl/ssl/s3_enc.c 1.2.6.1
src/crypto/openssl/ssl/ssl3.h 1.2.2.1.2.1
RELENG_9
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.2.1
src/crypto/openssl/crypto/mem.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.10.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.2.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.22.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.10.1
src/crypto/openssl/ssl/ssl_err.c 1.3.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.2.1
src/crypto/openssl/ssl/ssl.h 1.3.2.1
src/crypto/openssl/ssl/s3_enc.c 1.3.2.1
src/crypto/openssl/ssl/ssl3.h 1.3.2.1
RELENG_9_0
src/UPDATING 1.702.2.4.2.3
src/sys/conf/newvers.sh 1.95.2.4.2.5
src/crypto/openssl/crypto/pkcs7/pk7_doit.c 1.2.4.1
src/crypto/openssl/crypto/mem.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_map.c 1.2.12.1
src/crypto/openssl/crypto/x509v3/pcy_tree.c 1.3.4.1
src/crypto/openssl/crypto/asn1/a_d2i_fp.c 1.1.1.3.24.1
src/crypto/openssl/crypto/buffer/buffer.c 1.2.12.1
src/crypto/openssl/ssl/ssl_err.c 1.3.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.7.4.1
src/crypto/openssl/ssl/ssl.h 1.3.4.1
src/crypto/openssl/ssl/s3_enc.c 1.3.4.1
src/crypto/openssl/ssl/ssl3.h 1.3.4.1
- - -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- - -------------------------------------------------------------------------
stable/7/ r234954
releng/7.4/ r234954
stable/8/ r234954
releng/8.3/ r234954
releng/8.2/ r234954
releng/8.1/ r234954
stable/9/ r234954
releng/9.0/ r234954
- - -------------------------------------------------------------------------

VII. References

http://www.openssl.org/news/secadv_20120419.txt
http://www.openssl.org/news/secadv_20120312.txt
http://www.openssl.org/news/secadv_20120104.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
http://lists.openwall.net/full-disclosure/2012/04/19/4

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:01.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk+ipzUACgkQFdaIBMps37I7pACeI7zZ21vj+6AVz5+15OP4foXm
N1IAn2rMThkptUz62e0QDCv3tJKW6N9i
=ko2h
-----END PGP SIGNATURE-----

Tuesday, May 1, 2012

OpenBSD 5.1 released May 1, 2012

- OpenBSD 5.1 RELEASED -------------------------------------------------

May 1, 2012.

We are pleased to announce the official release of OpenBSD 5.1.
This is our 31st release on CD-ROM (and 31st via FTP). We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.1 provides significant improvements,
including new features, in nearly all areas of the system:

- Improved hardware support, including:
o umsm(4) supports additional mobile broadband devices.
o Non-GigE ale(4) devices can now establish link to a GigE link partner.
o Support for Intel 82580 has been added to em(4).
o Support for MegaRAID 9240 has been added to mfi(4).
o Support for Nuvoton NCT6776F has been added to lm(4).
o Support for Centrino Advanced-N 6205 has been added to iwn(4).
o Support for SiS 1182/1183 SATA has been added to pciide(4).
o Support for Synaptics touch pads through the synaptics(4) X.Org
input driver is now enabled by default.
o Support for Intel Sandy Bridge integrated graphics cards has been
added to the intel(4) X.Org driver.
o Assembler implementation of the AES-GCM mode for new Intel and
future AMD CPUs has been added.
o usb(4) probes bus after resume, improves functionality for some laptops.

- Generic network stack improvements:
o RFC4638 MTU negotiation for pppoe(4).
o npppdctl(8) replaced with npppctl(8), written from scratch.
Includes support for IPv6 as tunnel source address.
o Improved performance (throughput and loss rate) for PPTP, pppd(8)
or L2TP(/IPsec) on unstable latency networks (e.g. mobile).
o Improved IPv6 fragment handling.
o Many robustness improvements for IEEE 802.11 (particularly hostap).
o Improved vlan priority support, including mapping to interface queues.
o Initial rdomains support for IPv6.
o Robustness improvements for carp(4).
o Various IPv6 and rdomain related improvements for carp(4).

- Routing daemons and other userland network improvements:
o fstat(8) now displays routing table ID and socket-splicing information
and ps can display routing table ID.
o traceroute(8) and traceroute6(8) can look up ASNs for each hop.
o snmpd(8) adds a MIB to show statistics for carp(4) interfaces.
o bgpctl(8) parses and displays MRT routing table dumps.
o ntpd(8) supports multiple rdomains.
o When ospfd(8) detects route socket overflow, it now delays before
it reloads the fib.
o Improved and more consistent ToS support in various network
tools (tcpbench(8), nc(8), ping(8), traceroute(8)).
o Initial import of login_yubikey(8) for logging in using yubikeys.

- pf(4) improvements:
o One-shot rule support for pf(4), for use with proxies via anchors.
o NAT64 support in PF using the af-to keyword.
o Much improved IPv6 fragment handling.
o Various enhancements with ICMP and especially ICMPv6 states
o Improved IPv6 Neighbor Discovery and Multicast Listener Discovery handling.
o pfctl(8) now prints port numbers instead of service names by default.
o Netflow v9 and ipfix support for pflow(4).
o Many pfsync(4) fixes and improvements including jumbo frames and
automatically requesting a bulk update after a physical interface
comes online.

- Assorted improvements:
o Improved locale support.
o Support for MSG_NOSIGNAL.
o KERN_PROC_CWD sysctl(3) for fetching the path to a process's
working directory.
o Improved fnmatch(3), glob(3), and regcomp(3) implementations
to resist DoS attacks.
o Lots of HISTORY and AUTHORS information added to manpages.
o Improved checking of file-offset wraparound.
o pwrite(2)/pwritev(2) now correctly ignore O_APPEND.
o Improved conformance of header files with standards.
o Improved cancelation support in both user-threads (libpthread)
and rthreads.
o Improved correctness of execing, coredumping, signal delivery,
alternate signal stacks, blocking socket accepts(), mutexes
and condition variables, per-thread errno, symbol binding,
and ktracing when rthreads are in use.
o Architecture-independent kernel support for thread-control-block
handling for rthreads.
o Small improvements to Linux compat (only available on i386).
o Multiple bugs have been fixed in the Intel 10Gb driver ix(4).
o softraid(4) now supports a concatenating discipline.
o On amd64, i386, and sparc64, the root filesystem can reside in
a softraid(4) volume. The kernel needs to be booted from a
non-softraid partition.
o On amd64, the system can be booted from a softraid(4) RAID1 volume.
o aucat(1) adds a "device number" component in sndio(7) device
names, allowing a single aucat instance to handle all audio
and MIDI services.
o Built-in sndiod(1) sound daemon now uses default rate 48kHz and
the default block size 10ms. These settings ensure video players
and programs using MTC are smooth by default.
o Many updates to smtpd(8): a new scheduler_backend API introduced,
more MIME 1.0 support added, new filter callbacks for network events,
improved DNS error reporting and envelope handling, and the
purge/ directory is now cleared via a privilege-separated child.
o tmux(1) is extended to support a larger history, minimizes redundant
log messages and does some code reordering for more local and less
global variables. Support is added for the ESC[s and ESC[u
save/restore cursor-position key sequences. $HOME (or ~) may now
be used as default-path in tmux.conf.
o Enhanced cwm(1) event support, added {r,}cycleingroup to cycle
through clients belonging to the same group as the active client,
simplified color initialization.
o The mg(1) emacs-like editor: now uses absolute filenames while
pushing and popping off the stack. In dired mode: corrected
cursor movements and added missing keybindings.

- OpenSSH 6.0:
o New features:
- ssh-keygen(1): add optional checkpoints for moduli screening.
- ssh-add(1): new -k option to load plain keys (skipping
certificates).
- sshd(8): add wildcard support to PermitOpen, allowing things
like "PermitOpen localhost:*". (bz#1857)
- ssh(1): support for cancelling local and remote port forwards
via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R
yy:yy:yy user@host" to request the cancellation of the
specified forwardings.
- support cancellation of local/dynamic forwardings from ~C commandline.
o The following significant bugs have been fixed in this release:
- ssh(1): ensure that $DISPLAY contains only valid characters
before using it to extract xauth data so that it can't be
used to play local shell metacharacter games.
- ssh(1): unbreak remote port forwarding with dynamic allocated
listen ports.
- scp(1): suppress adding '--' to remote commandlines when the
first argument does not start with '-'. Saves breakage on
some difficult-to-upgrade embedded/router platforms.
- ssh(1) and sshd(8): fix typo in IPQoS parsing: there is
no "AF14" class, but there is an "AF21" class.
- ssh(1) and sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT
during rekeying.
- ssh(1): skip attempting to create ~/.ssh when -F is passed.
- sshd(8): unbreak stdio forwarding when ControlPersist is
in use. (bz#1943)
- sshd(8): send tty break to pty master instead of (probably
already closed) slave side. (bz#1859)
- sftp(1): silence error spam for "ls */foo" in directory
with files. (bz#1683)
- Fixed a number of memory and file descriptor leaks.

- Over 7,000 ports, major performance and stability improvements in
the package build process
o Downloading of distfiles is simpler, can resume interrupted
download, discover file moves, and expire old files. Distfiles
mirror sites now use the new and improved method.
o Dependency handling during ports build and package creation is
at least twice as fast, twenty times as fast in pathological
cases. This also affects user scripts such as out-of-date.
o More checks are done during package builds, for increased
user friendliness.
o The long term process of documenting the infrastructure
is now 100% done.
o The distributed ports builder (dpb) can now clean up old
dependencies, thus helping package builds be more reproducible.
This found tens of hidden build dependencies in the ports tree already.
o The semantics of pkg_add -a have been nailed down and a few minor
bugs have been fixed.
o The arch-dependent issues are better classified, leading to
better builds on old architectures in some complicated cases.
In particular, dpb explicitly purges from memory info about
packages it cannot build and stuff that depends on it,
leading to better life on sparc and vax which have very small
data-size limits.
o dpb recognizes full builds and trims some duplicate package builds

- Many pre-built packages for each architecture:
o i386:    7229          o sparc64:  6599
o alpha:   5943          o sh:       2459
o amd64:   7181          o powerpc:  6852
o sparc:   4152          o arm:      5536
o hppa:    6159          o vax:      2199
o mips64:  5785          o mips64el: 5807

- Some highlights:
o Gnome 3.2.1                        o KDE 3.5.10
o Xfce 4.8.3                         o MySQL 5.1.60
o PostgreSQL 9.1.2                   o Postfix 2.8.8
o OpenLDAP 2.3.43 and 2.4.26         o GHC 7.0.4
o Mozilla Firefox 3.5.19, 3.6.25 and 9.0.1
o Mozilla Thunderbird 9.0.1          o LibreOffice 3.4.5.2
o Emacs 21.4, 22.3 and 23.4          o Vim 7.3.154
o PHP 5.2.17 and 5.3.10              o Python 2.5.4, 2.7.1 and 3.2.2
o Ruby 1.8.7.357 and 1.9.3.0         o Tcl 8.5.11
o Jdk 1.7                            o Mono 2.10.6
o Chromium 16.0.912.77               o Groff 1.21

- As usual, steady improvements in manual pages and other documentation.
o Base system and Xenocara manuals are now installed as source code,
making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
o If both formatted and source versions of manuals are installed,
man(1) automatically displays the newer version of each page.

- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.6 with xserver 1.11.4 + patches,
freetype 2.4.8, fontconfig 2.8.0, Mesa 7.10.3, xterm 276,
xkeyboard-config 2.5 and more)
o Gcc 4.2.1 (+patches), 3.3.5 (+ patches) and 2.95.3 (+ patches)
o Perl 5.12.2 (+ patches)
o Our improved and secured version of Apache 1.3, with SSL/TLS
and DSO support
o OpenSSL 1.0.0f (+ patches)
o Sendmail 8.14.5, with libmilter
o Bind 9.4.2-P2 (+ patches)
o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
o Sudo 1.7.2p8
o Ncurses 5.7
o Heimdal 0.7.2 (+ patches)
o Arla 0.35.7
o Binutils 2.15 (+ patches)
o Gdb 6.3 (+ patches)
o Less 444 (+ patches)
o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.0
and 5.1, look at

http://www.OpenBSD.org/plus51.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 5.1 FTP/CD-ROM binaries and the actual 5.1
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible. Therefore, we advise regular visits to

http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:

http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.1 is also available on CD-ROM. The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world. The set includes a colourful booklet which carefully explains the
installation of OpenBSD. A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol). As an added bonus, the second CD contains an audio
track, a song entitled "Bug Busters". MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

http://www.OpenBSD.org/lyrics.html#51

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.1 CD-ROMs are bootable on the following four platforms:

o i386
o amd64
o macppc
o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:

https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are
highly appreciated, as described in more detail at:

http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses. There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs. Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell T-shirts and polo shirts.
And our users like them, too. We have a variety of shirts available,
with the new and old designs, from our web ordering system, as
described above.

-----------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads. Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet. Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP. With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
mirrors which provide OpenBSD, then choose one near you:

http://www.OpenBSD.org/ftp.html
ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/ftplist

As of Nov 1, 2011, the following ftp mirror sites have the 5.1 release:

ftp://ftp.eu.openbsd.org/pub/OpenBSD/5.1/ Stockholm, Sweden
ftp://ftp.bytemine.net/pub/OpenBSD/5.1/ Oldenburg, Germany
ftp://ftp.ch.openbsd.org/pub/OpenBSD/5.1/ Zurich, Switzerland
ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.1/ Paris, France
ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.1/ Vienna, Austria
ftp://mirror.aarnet.edu.au/pub/OpenBSD/5.1/ Brisbane, Australia
ftp://ftp.usa.openbsd.org/pub/OpenBSD/5.1/ CO, USA
ftp://ftp5.usa.openbsd.org/pub/OpenBSD/5.1/ CA, USA
ftp://obsd.cec.mtu.edu/pub/OpenBSD/5.1/ Michigan, USA

The release is also available at the master site:

ftp://ftp.openbsd.org/pub/OpenBSD/5.1/ Alberta, Canada

However it is strongly suggested you use a mirror.

Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/5.1/ which contains these files and directories.
This is a list of what you will see:

ANNOUNCEMENT    armish/     mvme68k/        sparc64/
Changelogs/     ftplist     mvme88k/        src.tar.gz
HARDWARE        hp300/      packages/       sys.tar.gz
PACKAGES        hppa/       ports.tar.gz    tools/
PORTS           i386/       root.mail       vax/
README          landisk/    sgi/            xenocara.tar.gz
alpha/          mac68k/     socppc/         zaurus/
amd64/          macppc/     sparc/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

README - generic README
HARDWARE - list of hardware we support
PORTS - description of our "ports" tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:

INSTALL.i386    cd51.iso      floppyB51.fs    pxeboot*
INSTALL.linux   cdboot*       floppyC51.fs    xbase51.tgz
MD5             cdbr*         game51.tgz      xetc51.tgz
base51.tgz      cdemu51.iso   index.txt       xfont51.tgz
bsd*            comp51.tgz    install51.iso   xserv51.tgz
bsd.mp*         etc51.tgz     man51.tgz       xshare51.tgz
bsd.rd*         floppy51.fs   misc51.tgz

If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs or install51.iso files. Consult the
INSTALL.i386 file if you don't know which of the floppy images
you need (or simply fetch all of them).

If you use the install51.iso file (roughly 250MB in size), then you
do not need the various *.tgz files since they are contained on that
one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

http://www.OpenBSD.org/errata.html

This is the page where we talk about the mistakes we made while
creating the 5.1 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/5.1/tools
directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system. This release
contains X.Org 7.6. Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc. During installation, you can install
X.Org quite easily. Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 5.1 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided. Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.1/ directory:

xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 5.1 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Alexander Bluhm, Alexander Hall, Alexander Schrijver,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers,
Bob Beck, Bret Lambert, Bryan Steele, Camiel Dobbelaar,
Can Erkin Acar, Charles Longeau, Chris Kuethe, Christian Weisgerber,
Christiano F. Haesbaert, Claudio Jeker, Dale Rahn, Damien Bergamini,
Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill,
David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt,
Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
Jacek Masiulaniec, Jakob Schlyter, Janne Johansson, Jason George,
Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse,
Jeremy Evans, Jim Razmus II, Joel Knight, Joel Sing, Joerg Zinke,
Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
Jordan Hargrave, Joshua Elsasser, Joshua Stein, Kenji Aoyama,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller,
Landry Breuil, Laurent Fanis, Luke Tymowski, Marc Espie,
Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus,
Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth,
Pascal Stumpf, Paul de Weerd, Paul Irofti, Peter Hessler,
Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre,
Pierre-Yves Ritschard, Remi Pointel, Reyk Floeter, Robert Nagy,
Ryan Freeman, Ryan Thomas McBride, Sasano, Sebastian Benoit,
Sebastian Reitenbach, Simon Bertrang, Simon Perreault,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst,
Theo de Raadt, Thordur I Bjornsson, Tobias Stoeckmann,
Tobias Weingartner, Todd C. Miller, Todd Fries, Uwe Stuehler,
Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo