diff --git a/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html b/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html index 3b7fda0970..ef0e657c54 100644 --- a/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html +++ b/en_US.ISO8859-1/htdocs/releases/8.4R/errata.html @@ -1,5 +1,5 @@ -FreeBSD 8.4-RELEASE Errata

FreeBSD 8.4-RELEASE Errata

+FreeBSD 8.4-RELEASE Errata

FreeBSD 8.4-RELEASE Errata

The FreeBSD Project

FreeBSD is a registered trademark of the FreeBSD Foundation.

Intel, Celeron, EtherExpress, i386, @@ -14,7 +14,7 @@ as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the or the - ® symbol.

Last modified on 2013-06-08 by hrs.

Abstract

This document lists errata items for FreeBSD 8.4-RELEASE, + ® symbol.

Last modified on 2013-06-09 by hrs.


Abstract

This document lists errata items for FreeBSD 8.4-RELEASE, containing significant information discovered after the release or too late in the release cycle to be otherwise included in the release documentation. @@ -37,7 +37,39 @@ contain up-to-date copies of this document (as of the time of the snapshot).

For a list of all FreeBSD CERT security advisories, see http://www.FreeBSD.org/security/ or ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/.

2. Security Advisories

The following security advisories pertain to FreeBSD 8.4-RELEASE. For more information, consult the individual advisories available from - http://security.FreeBSD.org/.

AdvisoryDateTopic
SA-12:01.openssl03 May 2012

OpenSSL multiple vulnerabilities

SA-12:02.crypt30 May 2012

Incorrect crypt() hashing

SA-12:03.bind12 June 2012

Incorrect handling of zero-length RDATA fields in named(8)

SA-12:04.sysret12 June 2012

Privilege escalation when returning from kernel

SA-12:05.bind06 August 2012

named(8) DNSSEC validation Denial of Service

SA-12:06.bind22 November 2012

Multiple Denial of Service vulnerabilities with named(8)

SA-12:07.hostapd22 November 2012

Insufficient message length validation for EAP-TLS messages

SA-12:08.linux22 November 2012

Linux compatibility layer input validation error

SA-13:02.libc19 February 2013

glob(3) related resource exhaustion

SA-13:03.openssl02 April 2013

OpenSSL multiple vulnerabilities

SA-13:04.bind02 April 2013

BIND remote denial of service

SA-13:05.nfsserver29 April 2013

Insufficient input validation in the NFS server

3. Open Issues

[20130608] FreeBSD 8.4-RELEASE no longer supports FreeBSD CVS + http://security.FreeBSD.org/.

AdvisoryDateTopic
SA-12:01.openssl03 May 2012

OpenSSL multiple vulnerabilities

SA-12:02.crypt30 May 2012

Incorrect crypt() hashing

SA-12:03.bind12 June 2012

Incorrect handling of zero-length RDATA fields in named(8)

SA-12:04.sysret12 June 2012

Privilege escalation when returning from kernel

SA-12:05.bind06 August 2012

named(8) DNSSEC validation Denial of Service

SA-12:06.bind22 November 2012

Multiple Denial of Service vulnerabilities with named(8)

SA-12:07.hostapd22 November 2012

Insufficient message length validation for EAP-TLS messages

SA-12:08.linux22 November 2012

Linux compatibility layer input validation error

SA-13:02.libc19 February 2013

glob(3) related resource exhaustion

SA-13:03.openssl02 April 2013

OpenSSL multiple vulnerabilities

SA-13:04.bind02 April 2013

BIND remote denial of service

SA-13:05.nfsserver29 April 2013

Insufficient input validation in the NFS server

3. Open Issues

[20130609] There is incompatibility in jail(8) + configuration because the jail(8) utility and + rc.d/jail script has been changed. More + specifically, the following sysctl(8) variables cannot be + used to set the default parameters for jails:

security.jail.mount_zfs_allowed
+security.jail.mount_procfs_allowed
+security.jail.mount_nullfs_allowed
+security.jail.mount_devfs_allowed
+security.jail.mount_allowed
+security.jail.chflags_allowed
+security.jail.allow_raw_sockets
+security.jail.sysvipc_allowed
+security.jail.socket_unixiproute_only
+security.jail.set_hostname_allowed

These could be set by manually using sysctl(8) utility, + the sysctl.conf(5) file, or for some of them the following + variables in rc.conf(5):

jail_set_hostname_allow="yes"
+jail_socket_unixiproute_only="yes"
+jail_sysvipc_allow="yes"

These parameters must now be specified in + jail_parameters (or + jail_jailname_parameters + for per-jail configuration) in rc.conf(5). For + example:

jail_parameters="allow.sysvipc allow.raw_sockets"

The valid keywords are the following. For more detail, see + jail(8) manual page.

allow.set_hostname
+allow.sysvipc
+allow.raw_sockets
+allow.chflags
+allow.mount
+allow.mount.devfs
+allow.mount.nullfs
+allow.mount.procfs
+allow.mount.zfs
+allow.quotas
+allow.socket_af

[20130608] FreeBSD 8.4-RELEASE no longer supports FreeBSD CVS repository. Some documents mistakenly refer to RELENG_8_4_0_RELEASE as CVS tag for the release and RELENG_8_4 as CVS branch tag for the @@ -49,12 +81,8 @@ RELENG_8_4_0_RELEASE corresponds to svn://svn.FreeBSD.org/base/release/8.4.0. Please note that FreeBSD source tree for 8.4-RELEASE and its security - branch cannot be updated by using official CVSup servers.

[20130607] The bge(4) network interface driver has an - issue when TSO (TCP Segmentation Offload) is enabled. It causes - intermittent reset and re-initialization.

A workaround is disabling the TSO feature. One can disable - it by adding the following line into the rc.conf(5) - file:

ifconfig_bge0="-tso"

or by using the ifconfig(8) utility manually:

# ifconfig bge0 -tso

A patch to fix this issue will be released as an Errata - Notice.

[20130606] The fxp(4) network interface driver may not + branch cannot be updated by using official CVSup servers.

[20130607] (removed about a bge(4) network interface + driver issue because it was incorrect)

[20130606] The fxp(4) network interface driver may not work well with the dhclient(8) utility. More specifically, if the /etc/rc.conf has the following line:

ifconfig_fxp0="DHCP"

to activate a DHCP client to configure the network
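Review bot: In the @@ -37,7 +37,39 @@ hunk, the new [20130609] jail(8) entry lists ten security.jail.* sysctl variables and eleven allow.* keywords, but it never says which old setting maps to which keyword. It also does not say what happens to an existing sysctl.conf(5) or rc.conf(5) setting after the upgrade (silently ignored, or reported). That matters most for the restrictive settings: security.jail.socket_unixiproute_only has no same-named keyword, and the nearest one, allow.socket_af, has the opposite sense, while allow.quotas has no counterpart in the old list. Suggest adding an old-to-new mapping and one sentence on how the old variables now behave. The example jail_parameters="allow.sysvipc allow.raw_sockets" relaxes the default for every jail, so it would help to mark it as illustrative and point to jail_jailname_parameters for a narrower scope. Wording: "rc.d/jail script has been changed" should be "have been changed", "There is incompatibility" needs an article, and "by manually using sysctl(8) utility" reads better as "manually with the sysctl(8) utility".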
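Review bot: In the @@ -49,12 +81,8 @@ hunk, the replacement text "(removed about a bge(4) network interface driver issue because it was incorrect)" withdraws the TSO workaround without telling readers who already added ifconfig_bge0="-tso" whether to revert it. Suggest a full sentence, for example "This entry about a bge(4) network interface driver issue was removed because it was incorrect", followed by a line stating whether the -tso setting is still needed. The removed text also promised a fix as an Errata Notice, so the retraction should say that no such notice is planned, if that is the case.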