the bitrig patrick_stable branch has been created by patrick.

it is 5320 commits behind master, and 16 commits ahead.

commit 71062ed0326e240acd418fcacf1c1fcba9686a6d
diff: https://github.com/bitrig/bitrig/commit/71062ed
author: Patrick Wildt <patr...@blueri.se>
date: Thu Mar 19 15:48:00 2015 +0100

OpenBSD 5.6 errata 20, March 19, 2015

Fix several crash causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

M       lib/libssl/src/crypto/asn1/a_int.c
M       lib/libssl/src/crypto/asn1/a_set.c
M       lib/libssl/src/crypto/asn1/a_type.c
M       lib/libssl/src/crypto/asn1/d2i_pr.c
M       lib/libssl/src/crypto/asn1/d2i_pu.c
M       lib/libssl/src/crypto/asn1/n_pkey.c
M       lib/libssl/src/crypto/asn1/tasn_dec.c
M       lib/libssl/src/crypto/asn1/x_x509.c
M       lib/libssl/src/crypto/ec/ec_asn1.c
M       lib/libssl/src/crypto/pkcs7/pk7_doit.c
M       lib/libssl/src/crypto/pkcs7/pk7_lib.c
M       lib/libssl/src/crypto/x509/x509_req.c
M       lib/libssl/src/ssl/d1_lib.c

commit a2f80a48cf842ddd39a60b565851e37ee39bddf9
diff: https://github.com/bitrig/bitrig/commit/a2f80a4
author: Patrick Wildt <patr...@blueri.se>
date: Thu Mar 19 15:46:00 2015 +0100

OpenBSD 5.6 errata 17, Mar 13, 2015:

Don't permit TLS client connections to be downgraded to weak keys.

M       lib/libssl/src/ssl/d1_clnt.c
M       lib/libssl/src/ssl/s3_clnt.c
M       lib/libssl/src/ssl/ssl_cert.c
M       lib/libssl/src/ssl/ssl_locl.h

commit efcbded8e7cdbfd48d3ff362b49faf0770dfb2f8
diff: https://github.com/bitrig/bitrig/commit/efcbded
author: Martin Natano <nat...@natano.net>
date: Sun Mar 8 08:34:46 2015 +0100

Fix a kernel freeze in mmrw().

The io length was truncated to zero via overflow, so the io loop never
finished and the kernel hangs in a busy loop. The overflow was caused by
passing a variable of type size_t to min() from libkern, which expects
an unsigned int argument. I hereby declare min(), imin(), lmin() and
their *max() counterparts as dangerous, or at least hard to use
correctly - new code shouldn't use those functions!

The busy loop can be triggered by any user with a read() of size 2**32.
See the following test program:

---
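/* Headers the program needs in order to build. */
#include <sys/types.h>

#include <err.h>
#include <fcntl.h>
#include <unistd.h>

int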
main(void)
{
        char p[1];
        int fd;
        ssize_t n;

        fd = open("/dev/zero", O_RDONLY);
        if (fd == -1)
                err(1, "open");

        n = read(fd, NULL, (size_t)1 << 32);
        if (n == -1)
                err(1, "read");

        (void)close(fd);
        return (0);
}
---

ok pedro@

M       sys/arch/amd64/amd64/mem.c
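
The truncation described in the commit above, as a userland model (an added example, not code from the commit or from mem.c). `min_uint`, `chunk_truncating`, `chunk_safe`, `io_passes` and the 4096-byte chunk limit are assumptions of this sketch; `uint64_t` stands in for a 64-bit `size_t`.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u	/* assumed chunk limit for this model */

/* Same parameter types as libkern's min(): unsigned int. */
static unsigned int
min_uint(unsigned int a, unsigned int b)
{
	return (a < b ? a : b);
}

/* Before: the 64-bit residual is narrowed to 32 bits at the call. */
static uint64_t
chunk_truncating(uint64_t resid)
{
	return (min_uint(resid, PAGE_SIZE));
}

/* After: compare at full width (one possible fix, assumed here). */
static uint64_t
chunk_safe(uint64_t resid)
{
	return (resid < PAGE_SIZE ? resid : PAGE_SIZE);
}

/* Model I/O loop: passes needed, or -1 if a pass moves 0 bytes. */
static long
io_passes(uint64_t resid, uint64_t (*chunk)(uint64_t))
{
	long passes = 0;

	while (resid > 0) {
		uint64_t c = chunk(resid);
		if (c == 0)
			return (-1);	/* the kernel loop would spin here */
		resid -= c;
		passes++;
	}
	return (passes);
}

int
main(void)
{
	uint64_t len = (uint64_t)1 << 32;	/* read size from the commit message */

	printf("truncating: %ld\n", io_passes(len, chunk_truncating));
	printf("safe:       %ld\n", io_passes(len, chunk_safe));
	return (0);
}
```

A length of 2**32 + 100 stalls as well: the first pass moves 100 bytes, after which the residual is exactly 2**32 and truncates to zero.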

commit 8425294fee2c566c56940716cb05dbfa3f93b589
diff: https://github.com/bitrig/bitrig/commit/8425294
author: Pedro Martelletto <pe...@ambientworks.net>
date: Tue Jan 27 21:28:23 2015 +0100

Don't leak buffers in wapbl_doio().

Mark the buffer with B_INVAL so it is disposed of by brelse().

OK patrick@.

M       sys/kern/vfs_wapbl.c

commit cfdcb026927167badd77a345b2074ce22662f653
diff: https://github.com/bitrig/bitrig/commit/cfdcb02
author: Alexander Bluhm <bl...@cvs.openbsd.org>
date: Mon Jan 5 23:14:37 2015 +0000

Fix CVE-2014-6272 in Libevent 1.4 from upstream:
- https://github.com/libevent/libevent/commit/7b21c4eabf1f3946d3f63cce1319c490caab8ecf
- For this fix, we need to make sure that passing too-large inputs to
  the evbuffer functions can't make us do bad things with the heap.
On top of that do:
- Update libevent version to 1.4.15-stable.
- Use SIZE_MAX from limits.h instead of a private define.
- Do not declare 'size_t need' twice to avoid a compiler warning.
OK sthen

M       lib/libevent/buffer.c
M       lib/libevent/event.h

commit dcc357b948a535cc254168aaed7aa67e874efec8
diff: https://github.com/bitrig/bitrig/commit/dcc357b
author: pedro martelletto <pe...@ambientworks.net>
date: Thu Dec 11 14:36:55 2014 +0100

correctly set nread when parsing floats

fixes a botch up by yours truly that broke scanf() with %n after %f in
6659d2ba. i blame immigrants on benefits.

ok natano@ marco@ haesbaert@

M       lib/libc/stdio/vfscanf.c

commit e72665eec00a00bfe4f44e2057fac95da529287f
diff: https://github.com/bitrig/bitrig/commit/e72665e
author: pedro martelletto <pe...@ambientworks.net>
date: Fri Dec 5 09:41:33 2014 +0100

fix i2d_X509_NAME() error checking

use int instead of size_t to store the return of i2d_X509_NAME(), fixing
a < 0 check for error.

ok patrick@

M       sbin/iked/ikev2.c
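
Why the `< 0` check in the commit above only works with an `int`, shown as an added example (not code from ikev2.c). `fake_i2d` is a hypothetical stand-in for an encoder that, like i2d_X509_NAME(), returns a length or a negative value on error; `encode_size_t` and `encode_int` are likewise assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encoder: returns the encoded length, or -1 on error. */
static int
fake_i2d(const char *name, unsigned char *out, size_t outlen)
{
	size_t n;

	if (name == NULL || (n = strlen(name)) == 0 || n > outlen)
		return (-1);
	memcpy(out, name, n);
	return ((int)n);
}

/* Before: -1 converts to SIZE_MAX, so "< 0" is never true. */
static int
encode_size_t(const char *name, unsigned char *out, size_t outlen, size_t *lenp)
{
	size_t len;

	if ((len = fake_i2d(name, out, outlen)) < 0)
		return (-1);
	*lenp = len;	/* on error this is SIZE_MAX, treated as a length */
	return (0);
}

/* After: the signed result keeps the error visible. */
static int
encode_int(const char *name, unsigned char *out, size_t outlen, size_t *lenp)
{
	int len;

	if ((len = fake_i2d(name, out, outlen)) < 0)
		return (-1);
	*lenp = (size_t)len;
	return (0);
}

int
main(void)
{
	unsigned char buf[64];
	size_t len = 0;

	printf("size_t: rc=%d\n", encode_size_t(NULL, buf, sizeof(buf), &len));
	printf("        len=%zu\n", len);
	printf("int:    rc=%d\n", encode_int(NULL, buf, sizeof(buf), &len));
	return (0);
}
```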

commit c2711f886dcd8b7a5e26503002165fd692c3cd3b
diff: https://github.com/bitrig/bitrig/commit/c2711f8
author: pedro martelletto <pe...@ambientworks.net>
date: Fri Dec 5 07:45:09 2014 +0100

fix intermittent iked crashes

in ca_reload(), set iovcnt according to the number of iov entries
filled. there are four cases we need to be concerned with:

1. certificate revocation lists (CRLs) have been configured

in this case, we load the CRLs and issue one IMSG_CERTREQ message to the
ikev2 process with the list of revoked certificates. (iovcnt = 2)

2. valid certificates have been configured

in this case, we load the certificates and issue one IMSG_CERTREQ
message to the ikev2 process with the list of valid certificates.
(iovcnt = 1)

3. CRLs *and* valid certificates have been configured

in this case, we load the CRLs and issue one initial IMSG_CERTREQ
message to the ikev2 process with the list of revoked certificates, i.e.
we do step 1. however, we also do step 2, with a twist: we send a second
IMSG_CERTREQ message to the ikev2 process with a list of revoked
certificates *and* a list of valid certificates. ikev2 discards
previously received IMSG_CERTREQ messages once it receives a new one, so
this works.  (iovcnt = 2 for both messages)

4. no CRLs and no valid certificates have been configured

in this case, we send an empty IMSG_CERTREQ message to the ikev2
process. (iovcnt = 1)

ok patrick@

M       sbin/iked/ca.c

commit 13d7392408095e87f8295b9b79bd2c26c9b3fa87
diff: https://github.com/bitrig/bitrig/commit/13d7392
author: Patrick Wildt <patr...@blueri.se>
date: Sat Nov 29 10:45:59 2014 +0100

Fix git branch in kernel bootup msg for branches with '/'.

Branches that use '/', like our stable branches, were not
shown correctly in the bootup message.  This is caused by
cut cutting at '/' and only using the 3rd field.

To fix this, let cut show every field after the 2nd.

ok natano@

M       sys/conf/newvers.sh

commit 430c74f1680d36cf8fe01e33d04087268a96b9a8
diff: https://github.com/bitrig/bitrig/commit/430c74f
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 10 21:48:23 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

Backport fix for CVE-2014-8602 - Limit the number of fetches performed
for a DNS query, to avoid the resolver being tricked into following an
endless series of delegations, consuming a lot of resources.
Many DNS recursive resolvers are affected by this bug (including BIND,
Unbound, and PowerDNS recursor). More details at:

http://www.unbound.net/pipermail/unbound-users/2014-December/003662.html

Diff from florian@, tested by myself.

ok pedro@

M       usr.sbin/unbound/iterator/iterator.c
M       usr.sbin/unbound/iterator/iterator.h

commit 66782d866d747df956148d863aebd73f96cdfd6d
diff: https://github.com/bitrig/bitrig/commit/66782d8
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 3 20:31:18 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

httpd was developed very rapidly in the weeks before 5.6 release,
and it has a few flaws.  It would be nice to get these flaws fully
remediated before the next release, and that requires the community
to want to use it.
Therefore here is a "jumbo" patch that brings in the most important
fixes.

committing on behalf of reyk@

M       usr.sbin/httpd/config.c
M       usr.sbin/httpd/http.h
M       usr.sbin/httpd/httpd.c
M       usr.sbin/httpd/httpd.h
M       usr.sbin/httpd/logger.c
M       usr.sbin/httpd/parse.y
M       usr.sbin/httpd/server.c
M       usr.sbin/httpd/server_fcgi.c
M       usr.sbin/httpd/server_file.c
M       usr.sbin/httpd/server_http.c

commit ddd5f23457555f3583ce718bb10721c6772cb1de
diff: https://github.com/bitrig/bitrig/commit/ddd5f23
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 3 20:27:10 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

backport the correct fix for overlapping memcpy which caused corrupt MACs

ok pedro@

M       sys/net/if_ethersubr.c

commit ee4d85b388ed2e1adb50e6b75e5d0224a0696703
diff: https://github.com/bitrig/bitrig/commit/ee4d85b
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 3 20:26:35 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

Check the header fields of GRE and MPPE packets strictly.

ok pedro@

M       sys/net/pipex.c
M       sys/net/pipex_local.h

commit 811a48828a52da21f829bf8bee067db31d0b0b5d
diff: https://github.com/bitrig/bitrig/commit/811a488
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 3 20:21:14 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

backport fix to avoid null deref with invalid hostnames

ok pedro@

M       lib/libc/asr/gethostnamadr_async.c
M       lib/libc/asr/getnetnamadr_async.c

commit 0a58fbe8e122038f27e9fb6342c5f7bef842f7b4
diff: https://github.com/bitrig/bitrig/commit/0a58fbe
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 3 20:20:28 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

backport 1.34. Don't crash without HTTP version.

ok pedro@

M       usr.sbin/relayd/relay_http.c

commit b14f9c5db9faf74af59d142495779117624a4e67
diff: https://github.com/bitrig/bitrig/commit/b14f9c5
author: Patrick Wildt <patr...@blueri.se>
date: Wed Dec 3 20:18:32 2014 +0100

Implement a fix from OpenBSD 5.6-stable:

backport 1.100: support for $2b$ hashes. ok deraadt

ok pedro@

M       usr.sbin/user/user.c
