svn commit: r46693 - in head/share: security/advisories security/patches/EN-15:04 security/patches/EN-15:05 xml

Xin LI delphij at FreeBSD.org
Wed May 13 23:07:22 UTC 2015


Author: delphij
Date: Wed May 13 23:07:20 2015
New Revision: 46693
URL: https://svnweb.freebsd.org/changeset/doc/46693

Log:
  Add two recent errata notices.

Added:
  head/share/security/advisories/FreeBSD-EN-15:04.freebsd-update.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-15:05.ufs.asc   (contents, props changed)
  head/share/security/patches/EN-15:04/
  head/share/security/patches/EN-15:04/freebsd-update-8.patch   (contents, props changed)
  head/share/security/patches/EN-15:04/freebsd-update-8.patch.asc   (contents, props changed)
  head/share/security/patches/EN-15:04/freebsd-update.patch   (contents, props changed)
  head/share/security/patches/EN-15:04/freebsd-update.patch.asc   (contents, props changed)
  head/share/security/patches/EN-15:05/
  head/share/security/patches/EN-15:05/ufs.patch   (contents, props changed)
  head/share/security/patches/EN-15:05/ufs.patch.asc   (contents, props changed)
Modified:
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-15:04.freebsd-update.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:04.freebsd-update.asc	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,156 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:04.freebsd-update                                 Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          freebsd-update(8) does not ensure the previous upgrade was
+                completed
+
+Category:       core
+Module:         freebsd-update
+Announced:      2015-05-13
+Credits:        Allan Jude
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-05-13 22:36:00 UTC (stable/10, 10.1-STABLE)
+                2015-05-13 22:52:35 UTC (releng/10.1, 10.1-RELEASE-p10)
+                2015-05-13 22:36:52 UTC (stable/9, 9.3-STABLE)
+                2015-05-13 22:52:51 UTC (releng/9.3, 9.3-RELEASE-p14)
+                2015-05-13 22:39:29 UTC (stable/8, 8.4-STABLE)
+                2015-05-13 22:52:51 UTC (releng/8.4, 8.4-RELEASE-p28)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The freebsd-update(8) utility is used to apply binary patches to FreeBSD
+systems installed from official release images, as an alternative to
+rebuilding from source.  A freebsd-update(8) build server generates the
+signed update packages, consisting of an index of files and directories
+with checksums before the update, a set of binary patches, and an
+index of files and directories with checksums after the update.  The
+client downloads the indexes, verifies the signatures and checksums,
+then downloads and applies the required patches.
+
+II.  Problem Description
+
+Binary upgrades using the freebsd-update(8) utility consist of several
+invocations of the freebsd-update(8) utility itself.  Each invocation
+performs a different task that depends on the previous invocation being
+successfully completed.
+
+If an upgrade is not thoroughly completed, it is possible for the
+freebsd-update(8) utility to download a subsequent patchset to a system
+with an inconsistent userland and/or kernel.  In the case of such an
+incomplete upgrade, the freebsd-update(8) utility may incorrectly
+evaluate the running userland and/or kernel, which can cause binary
+patches to be incorrectly applied.  In some situations, it is possible
+for patches to be applied for the incorrect FreeBSD version.
+
+III. Impact
+
+If incorrect patches are applied to the system as a result of a previous
+incomplete upgrade, it is possible that some system services may fail to
+start after rebooting the system, such as if the service is started by an
+executable that depends on a shared library that has been relocated as
+part of the upgrade.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not use FreeBSD-provided
+binary updates to upgrade are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3 and 10.1]
+# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update-8.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:04/freebsd-update-8.patch.asc
+# gpg --verify freebsd-update-8.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r282872
+releng/8.4/                                                       r282874
+stable/9/                                                         r282871
+releng/9.3/                                                       r282874
+stable/10/                                                        r282870
+releng/10.1/                                                      r282873
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/196760>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:04.freebsd-update.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=IdxG
+-----END PGP SIGNATURE-----
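Review bot: Section V step 2 sends affected users straight to `freebsd-update fetch`, but on a host that is already in the half-finished upgrade state this notice describes, the unpatched `fetch` is the code path that misbehaves; the "You have a partially completed upgrade pending" refusal added in `fetch_check_params` only exists once the fix is installed. Add a sentence before the two commands telling administrators with an `upgrade` in progress to finish it by running `freebsd-update install` until it reports nothing left to install, and only then fetch this erratum. Step 3c also tells source users to run a full buildworld/installworld for a change that touches only usr.sbin/freebsd-update/freebsd-update.8 and freebsd-update.sh (see the Index: lines of the patch below); saying that rebuilding just that directory is enough would save a lot of time.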

Added: head/share/security/advisories/FreeBSD-EN-15:05.ufs.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-15:05.ufs.asc	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:05.ufs                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Deadlock on reboot with UFS tuned with SU+J
+
+Category:       core
+Module:         ufs
+Announced:      2015-05-13
+Credits:        Konstantin Belousov
+Affects:        FreeBSD 10.1
+Corrected:      2015-04-10 02:23:44 UTC (stable/10, 10.1-STABLE)
+                2015-05-13 22:52:35 UTC (releng/10.1, 10.1-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The Unix File System (UFS) is one of several filesystems available on
+FreeBSD.  UFS supports several optimization features, such as soft updates
+and journaling, both of which keep track of filesystem metadata to ensure
+a consistent state in the event of a crash or power failure.
+
+II.  Problem Description
+
+When the root filesystem is configured with soft updates and journaling
+both enabled, which is the default for FreeBSD 10.1-RELEASE installations,
+the system may deadlock after a source-based or binary upgrade when the
+init(8) binary is replaced.  The deadlock occurs when issuing reboot(8)
+or shutdown(8), after which the system becomes unresponsive when syncing
+the filesystem.
+
+III. Impact
+
+When the deadlock occurs, a hard system reset or power cycle may be
+required.
+
+IV.  Workaround
+
+Systems that do not have soft updates and journaling enabled on a UFS root
+filesystem are unaffected.
+
+It is possible to work around the issue by waiting before issuing reboot(8)
+or shutdown(8) after upgrading the userland.  It has been observed that
+deferring the reboot(8) for a period of 60 seconds to be sufficient.  It is
+encouraged to issue several sync(8) commands during this period, to help
+ensure the filesystem writes have completed.
+
+Additionally, disabling soft update journaling on the root filesystem can
+also work around the issue.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:05/ufs.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:05/ufs.patch.asc
+# gpg --verify ufs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r281350
+releng/10.1/                                                      r282873
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/195458>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:05.ufs.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=BTx0
+-----END PGP SIGNATURE-----
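Review bot: The second Workaround paragraph is ungrammatical ("It has been observed that deferring the reboot(8) for a period of 60 seconds to be sufficient") and the third doubles up "Additionally ... can also"; suggest "Deferring reboot(8) by about 60 seconds has been observed to be sufficient" and "Disabling soft update journaling on the root filesystem also works around the issue." More importantly, the Solution section should repeat that workaround for the reboot that follows installing this fix: the correction is in the kernel, so the kernel running at the first post-install shutdown is still the affected one, and if the update that carries it also replaces init(8) the deadlock can hit the very reboot meant to activate the fix. The opening sentence of IV ("Systems that do not have soft updates and journaling enabled on a UFS root filesystem are unaffected") is a scoping statement and reads better under Affects or Impact than under Workaround.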

Added: head/share/security/patches/EN-15:04/freebsd-update-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-15:04/freebsd-update-8.patch	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,458 @@
+Index: usr.sbin/freebsd-update/freebsd-update.8
+===================================================================
+--- usr.sbin/freebsd-update/freebsd-update.8	(revision 282245)
++++ usr.sbin/freebsd-update/freebsd-update.8	(working copy)
+@@ -25,7 +25,7 @@
+ .\"
+ .\" $FreeBSD$
+ .\"
+-.Dd July 14, 2010
++.Dd March 2, 2015
+ .Dt FREEBSD-UPDATE 8
+ .Os FreeBSD
+ .Sh NAME
+@@ -36,10 +36,12 @@
+ .Op Fl b Ar basedir
+ .Op Fl d Ar workdir
+ .Op Fl f Ar conffile
++.Op Fl F
+ .Op Fl k Ar KEY
+ .Op Fl r Ar newrelease
+ .Op Fl s Ar server
+ .Op Fl t Ar address
++.Op Fl -not-running-from-cron
+ .Cm command ...
+ .Sh DESCRIPTION
+ The
+@@ -49,21 +51,21 @@ updates to the FreeBSD base system.
+ Note that updates are only available if they are being built for the
+ FreeBSD release and architecture being used; in particular, the
+ .Fx
+-Security Team only builds updates for releases shipped in binary form 
++Security Team only builds updates for releases shipped in binary form
+ by the
+ .Fx
+ Release Engineering Team, e.g.,
+ .Fx
+-7.3-RELEASE and
++9.3-RELEASE and
+ .Fx
+-8.0, but not
++10.1-RELEASE, but not
+ .Fx
+-6.3-STABLE or
++9.3-STABLE or
+ .Fx
+-9.0-CURRENT.
++11-CURRENT.
+ .Sh OPTIONS
+ The following options are supported:
+-.Bl -tag -width "-f conffile"
++.Bl -tag -width "-r newrelease"
+ .It Fl b Ar basedir
+ Operate on a system mounted at
+ .Ar basedir .
+@@ -81,6 +83,10 @@ Read configuration options from
+ .Ar conffile .
+ (default:
+ .Pa /etc/freebsd-update.conf )
++.It Fl F
++Force
++.Nm Cm fetch
++to proceed where it normally would not, such as an unfinished upgrade
+ .It Fl k Ar KEY
+ Trust an RSA key with SHA256 of
+ .Ar KEY .
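Review bot: The new `.It Fl F` entry ends without a period, unlike its neighbours, and "where it normally would not, such as an unfinished upgrade" leaves the reader guessing what is being forced; say explicitly that `fetch` refuses to run while a previous `upgrade` has been only partly installed, that `install` is the normal way out, and that -F overrides the refusal. The same wording is repeated in freebsd-update.patch further down, so fix both copies.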
+@@ -98,13 +104,21 @@ Mail output of
+ command, if any, to
+ .Ar address .
+ (default: root, or as given in the configuration file.)
++.It Fl -not-running-from-cron
++Force
++.Nm Cm fetch
++to proceed when there is no controlling tty.
++This is for use by automated scripts and orchestration tools.
++Please do not run
++.Nm Cm fetch
++from crontab or similar using this flag, see:
++.Nm Cm cron
+ .El
+ .Sh COMMANDS
+ The
+ .Cm command
+ can be any one of the following:
+-.Pp
+-.Bl -tag -width "-f conffile"
++.Bl -tag -width "rollback"
+ .It Cm fetch
+ Based on the currently installed world and the configuration
+ options set, fetch all available binary updates.
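Review bot: The `--not-running-from-cron` entry explains itself by pointing at `.Nm Cm cron` with a bare "see:", which renders oddly; state the reason in place: `cron` sleeps a random interval before fetching precisely to avoid imposing on the update servers (as the existing `cron` text in this page says), a scripted `fetch --not-running-from-cron` bypasses that, so the flag is only for tools that already spread their own schedule. A sentence on what happens without the flag (`fetch` exits when stdin is not a tty, see `cmd_fetch` in the .sh hunk) would also help the reader who arrives here from the error message.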
+@@ -128,6 +142,11 @@ Fetch files necessary for upgrading to a
+ Before using this command, make sure that you read the
+ announcement and release notes for the new release in
+ case there are any special steps needed for upgrading.
++Note that this command may require up to 500 MB of space in
++.Ar workdir
++depending on which components of the
++.Fx
++base system are installed.
+ .It Cm install
+ Install the most recently fetched updates or upgrade.
+ .It Cm rollback
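Review bot: The 500 MB note for `upgrade` should also say that `workdir` must survive a reboot, since `install` runs in two passes (kernel first, world after the reboot; see the `kernelfirst` marker in `upgrade_run`), and the .sh change in this same patch now rejects a `workdir` on md(4) or tmpfs for exactly that reason; mention the restriction here and under `-d workdir`, otherwise the first the user hears of it is the "not on a persistent filesystem" error.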
+@@ -149,7 +168,7 @@ other than 3AM, to avoid overly imposing
+ on the server(s) hosting the updates.
+ .It
+ In spite of its name,
+-.Cm
++.Nm
+ IDS should not be relied upon as an "Intrusion Detection
+ System", since if the system has been tampered with
+ it cannot be trusted to operate correctly.
+@@ -158,11 +177,11 @@ purposes, make sure you boot from a secu
+ .El
+ .Sh FILES
+ .Bl -tag -width "/etc/freebsd-update.conf"
+-.It /etc/freebsd-update.conf
++.It Pa /etc/freebsd-update.conf
+ Default location of the
+ .Nm
+ configuration file.
+-.It /var/db/freebsd-update/
++.It Pa /var/db/freebsd-update/
+ Default location where
+ .Nm
+ stores temporary files and downloaded updates.
+@@ -170,4 +189,4 @@ stores temporary files and downloaded up
+ .Sh SEE ALSO
+ .Xr freebsd-update.conf 5
+ .Sh AUTHORS
+-.An Colin Percival Aq cperciva at FreeBSD.org
++.An Colin Percival Aq Mt cperciva at FreeBSD.org
+Index: usr.sbin/freebsd-update/freebsd-update.sh
+===================================================================
+--- usr.sbin/freebsd-update/freebsd-update.sh	(revision 282245)
++++ usr.sbin/freebsd-update/freebsd-update.sh	(working copy)
+@@ -43,12 +43,15 @@ Options:
+                   (default: /var/db/freebsd-update/)
+   -f conffile  -- Read configuration options from conffile
+                   (default: /etc/freebsd-update.conf)
++  -F           -- Force a fetch operation to proceed
+   -k KEY       -- Trust an RSA key with SHA256 hash of KEY
+   -r release   -- Target for upgrade (e.g., 6.2-RELEASE)
+   -s server    -- Server from which to fetch updates
+                   (default: update.FreeBSD.org)
+   -t address   -- Mail output of cron command, if any, to address
+                   (default: root)
++  --not-running-from-cron
++               -- Run without a tty, for use by automated tools
+ Commands:
+   fetch        -- Fetch updates from server
+   cron         -- Sleep rand(3600) seconds, fetch updates, and send an
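Review bot: The usage text still gives "6.2-RELEASE" as the `-r` example while the manual page in this same patch was modernised to 9.3/10.1; bump it while this block is being touched. The one-line description of `--not-running-from-cron` ("Run without a tty, for use by automated tools") also differs from the manual page wording; keeping the two aligned means a grep of either finds the same explanation.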
+@@ -284,6 +287,9 @@ config_TargetRelease () {
+ 	else
+ 		return 1
+ 	fi
++	if echo ${TARGETRELEASE} | grep -qE '^[0-9.]+$'; then
++		TARGETRELEASE="${TARGETRELEASE}-RELEASE"
++	fi
+ }
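Review bot: The regex `^[0-9.]+$` also accepts "10.", ".1" or "...", which then become "10.-RELEASE" and only fail later when the server has no such release; tighten it to `^[0-9]+\.[0-9]+$`, the shape every RELEASE version has. Quoting `"${TARGETRELEASE}"` in the echo is also cheap insurance. This hunk is absent from the 9.3/10.1 patch, so presumably stable/9 and stable/10 already carry it; a line in the commit log saying so would help.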
+ 
+ # Define what happens to output of utilities
+@@ -396,6 +402,12 @@ init_params () {
+ 
+ 	# No commands specified yet
+ 	COMMANDS=""
++
++	# Force fetch to proceed
++	FORCEFETCH=0
++
++	# Run without a TTY
++	NOTTYOK=0
+ }
+ 
+ # Parse the command line
+@@ -408,6 +420,12 @@ parse_cmdline () {
+ 			if [ ! -z "${CONFFILE}" ]; then usage; fi
+ 			shift; CONFFILE="$1"
+ 			;;
++		-F)
++			FORCEFETCH=1
++			;;
++		--not-running-from-cron)
++			NOTTYOK=1
++			;;
+ 
+ 		# Configuration file equivalents
+ 		-b)
+@@ -569,7 +587,7 @@ fetch_setup_verboselevel () {
+ # running *-p[0-9]+, strip off the last part; if the
+ # user is running -SECURITY, call it -RELEASE.  Chdir
+ # into the working directory.
+-fetch_check_params () {
++fetchupgrade_check_params () {
+ 	export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)"
+ 
+ 	_SERVERNAME_z=\
+@@ -577,6 +595,7 @@ fetch_check_params () {
+ 	_KEYPRINT_z="Key must be given via -k option or configuration file."
+ 	_KEYPRINT_bad="Invalid key fingerprint: "
+ 	_WORKDIR_bad="Directory does not exist or is not writable: "
++	_WORKDIR_bad2="Directory is not on a persistent filesystem: "
+ 
+ 	if [ -z "${SERVERNAME}" ]; then
+ 		echo -n "`basename $0`: "
+@@ -600,6 +619,13 @@ fetch_check_params () {
+ 		echo ${WORKDIR}
+ 		exit 1
+ 	fi
++	case `df -T ${WORKDIR}` in */dev/md[0-9]* | *tmpfs*)
++		echo -n "`basename $0`: "
++		echo -n "${_WORKDIR_bad2}"
++		echo ${WORKDIR}
++		exit 1
++		;;
++	esac
+ 	chmod 700 ${WORKDIR}
+ 	cd ${WORKDIR} || exit 1
+ 
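Review bot: The `case` on the whole output of `df -T ${WORKDIR}` rejects every `/dev/md[0-9]*` device, including a file-backed (vnode) md that does persist across reboots, and the `*tmpfs*` glob also fires when the device or mount-point path merely contains the string "tmpfs"; matching the filesystem-type field of the data line rather than the entire output avoids the substring false positive, and if md is to be refused as a class the message should say so. The error text "Directory is not on a persistent filesystem" should also say why it matters: `install` continues after the reboot that follows the kernel stage, so the fetched files must still be there.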
+@@ -652,9 +678,29 @@ fetch_check_params () {
+ 	BDHASH=`echo ${BASEDIR} | sha256 -q`
+ }
+ 
++# Perform sanity checks etc. before fetching updates.
++fetch_check_params () {
++	fetchupgrade_check_params
++
++	if ! [ -z "${TARGETRELEASE}" ]; then
++		echo -n "`basename $0`: "
++		echo -n "-r option is meaningless with 'fetch' command.  "
++		echo "(Did you mean 'upgrade' instead?)"
++		exit 1
++	fi
++
++	# Check that we have updates ready to install
++	if [ -f ${BDHASH}-install/kerneldone -a $FORCEFETCH -eq 0 ]; then
++		echo "You have a partially completed upgrade pending"
++		echo "Run '$0 install' first."
++		echo "Run '$0 fetch -F' to proceed anyway."
++		exit 1
++	fi
++}
++
+ # Perform sanity checks etc. before fetching upgrades.
+ upgrade_check_params () {
+-	fetch_check_params
++	fetchupgrade_check_params
+ 
+ 	# Unless set otherwise, we're upgrading to the same kernel config.
+ 	NKERNCONF=${KERNCONF}
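Review bot: The pending-upgrade test keys only on `${BDHASH}-install/kerneldone`, i.e. an upgrade whose kernel stage has been installed but whose world stage has not; an upgrade that was fetched but never installed at all (only `kernelfirst` present, which `upgrade_run` touches further down) passes this check, and a plain `fetch` would then refresh `${BDHASH}-install` against the running, old release. Either test for `kernelfirst` as well or say why that case is safe. The message suggests `$0 fetch -F`, option after command, while the usage synopsis puts options first; confirm `parse_cmdline` accepts that order or print `$0 -F fetch`. `$0` may also be a relative path such as `./freebsd-update.sh`; `basename $0`, as used elsewhere in this file, reads better in a message.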
+@@ -1185,7 +1231,7 @@ fetch_metadata_sanity () {
+ 	# Some aliases to save space later: ${P} is a character which can
+ 	# appear in a path; ${M} is the four numeric metadata fields; and
+ 	# ${H} is a sha256 hash.
+-	P="[-+./:=%@_[~[:alnum:]]"
++	P="[-+./:=,%@_[~[:alnum:]]"
+ 	M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"
+ 	H="[0-9a-f]{64}"
+ 
+@@ -1456,7 +1502,7 @@ fetch_inspect_system () {
+ 	    sort -k 3,3 -t '|' > $2.tmp
+ 	rm filelist
+ 
+-	# Check if an error occured during system inspection
++	# Check if an error occurred during system inspection
+ 	if [ -f .err ]; then
+ 		return 1
+ 	fi
+@@ -2240,6 +2286,19 @@ upgrade_oldall_to_oldnew () {
+ 	mv $2 $3
+ }
+ 
++# Helper for upgrade_merge: Return zero true iff the two files differ only
++# in the contents of their RCS tags.
++samef () {
++	X=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $1 | ${SHA256}`
++	Y=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $2 | ${SHA256}`
++
++	if [ $X = $Y ]; then
++		return 0;
++	else
++		return 1;
++	fi
++}
++
+ # From the list of "old" files in $1, merge changes in $2 with those in $3,
+ # and update $3 to reflect the hashes of merged files.
+ upgrade_merge () {
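Review bot: The comment "Return zero true iff" should read "Return true (zero) iff". The sed pattern `\$FreeBSD.*\$` is greedy: on a line that contains the RCS tag and any later `$` (shell snippets in rc scripts, Makefile variables), everything between the first `$FreeBSD` and the last `$` is normalised away, so a real edit on that line is missed, the file is treated as unmodified, and `upgrade_merge` below silently replaces it with the new release's copy. Use `\$FreeBSD[^$]*\$` so the match stops at the first closing `$`. `${SHA256}` is used here while `sha256 -q` is called directly elsewhere in this file; worth checking the variable is defined on 8.4.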
+@@ -2323,6 +2382,14 @@ upgrade_merge () {
+ 
+ 		# Ask the user to handle any files which didn't merge.
+ 		while read F; do
++			# If the installed file differs from the version in
++			# the old release only due to RCS tag expansion
++			# then just use the version in the new release.
++			if samef merge/old/${F} merge/${OLDRELNUM}/${F}; then
++				cp merge/${RELNUM}/${F} merge/new/${F}
++				continue
++			fi
++
+ 			cat <<-EOF
+ 
+ The following file could not be merged automatically: ${F}
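Review bot: The auto-resolution copies `merge/${RELNUM}/${F}` over `merge/new/${F}` and `continue`s without a word to the user, and the second hunk below then skips the confirmation step for these same files, so a file the three-way merge could not handle is replaced with zero output. A one-line notice in this loop ("${F}: not modified locally, taking the new release version") would make the outcome visible and explainable after the fact.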
+@@ -2337,9 +2404,18 @@ manually...
+ 		# Ask the user to confirm that he likes how the result
+ 		# of merging files.
+ 		while read F; do
+-			# Skip files which haven't changed.
+-			if [ -f merge/new/${F} ] &&
+-			    cmp -s merge/old/${F} merge/new/${F}; then
++			# Skip files which haven't changed except possibly
++			# in their RCS tags.
++			if [ -f merge/old/${F} ] && [ -f merge/new/${F} ] &&
++			    samef merge/old/${F} merge/new/${F}; then
++				continue
++			fi
++
++			# Skip files where the installed file differs from
++			# the old file only due to RCS tags.
++			if [ -f merge/old/${F} ] &&
++			    [ -f merge/${OLDRELNUM}/${F} ] &&
++			    samef merge/old/${F} merge/${OLDRELNUM}/${F}; then
+ 				continue
+ 			fi
+ 
+@@ -2526,6 +2602,10 @@ upgrade_run () {
+ 	# Leave a note behind to tell the "install" command that the kernel
+ 	# needs to be installed before the world.
+ 	touch ${BDHASH}-install/kernelfirst
++
++	# Remind the user that they need to run "freebsd-update install"
++	# to install the downloaded bits, in case they didn't RTFM.
++	echo "To install the downloaded upgrades, run \"$0 install\"."
+ }
+ 
+ # Make sure that all the file hashes mentioned in $@ have corresponding
+@@ -2577,14 +2657,14 @@ backup_kernel_finddir () {
+ 	while true ; do
+ 		# Pathname does not exist, so it is OK use that name
+ 		# for backup directory.
+-		if [ ! -e $BACKUPKERNELDIR ]; then
++		if [ ! -e $BASEDIR/$BACKUPKERNELDIR ]; then
+ 			return 0
+ 		fi
+ 
+ 		# If directory do exist, we only use if it has our
+ 		# marker file.
+-		if [ -d $BACKUPKERNELDIR -a \
+-			-e $BACKUPKERNELDIR/.freebsd-update ]; then
++		if [ -d $BASEDIR/$BACKUPKERNELDIR -a \
++			-e $BASEDIR/$BACKUPKERNELDIR/.freebsd-update ]; then
+ 			return 0
+ 		fi
+ 
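Review bot: Every `$BASEDIR/$BACKUPKERNELDIR` test here and in the `backup_kernel` hunks that follow is unquoted, so a basedir containing whitespace breaks the `[ ]` expressions; quote them as `"${BASEDIR}/${BACKUPKERNELDIR}"`, as the `mtree -p` lines in the next hunk already do. With a basedir of `/` the path becomes `//boot/...`, which is harmless but looks odd in the "Could not find valid backup dir" message.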
+@@ -2592,7 +2672,7 @@ backup_kernel_finddir () {
+ 		# the end and try again.
+ 		CNT=$((CNT + 1))
+ 		if [ $CNT -gt 9 ]; then
+-			echo "Could not find valid backup dir ($BACKUPKERNELDIR)"
++			echo "Could not find valid backup dir ($BASEDIR/$BACKUPKERNELDIR)"
+ 			exit 1
+ 		fi
+ 		BACKUPKERNELDIR="`echo $BACKUPKERNELDIR | sed -Ee 's/[0-9]\$//'`"
+@@ -2619,17 +2699,17 @@ backup_kernel () {
+ 	# Remove old kernel backup files.  If $BACKUPKERNELDIR was
+ 	# "not ours", backup_kernel_finddir would have exited, so
+ 	# deleting the directory content is as safe as we can make it.
+-	if [ -d $BACKUPKERNELDIR ]; then
+-		rm -fr $BACKUPKERNELDIR
++	if [ -d $BASEDIR/$BACKUPKERNELDIR ]; then
++		rm -fr $BASEDIR/$BACKUPKERNELDIR
+ 	fi
+ 
+ 	# Create directories for backup.
+-	mkdir -p $BACKUPKERNELDIR
+-	mtree -cdn -p "${KERNELDIR}" | \
+-	    mtree -Ue -p "${BACKUPKERNELDIR}" > /dev/null
++	mkdir -p $BASEDIR/$BACKUPKERNELDIR
++	mtree -cdn -p "${BASEDIR}/${KERNELDIR}" | \
++	    mtree -Ue -p "${BASEDIR}/${BACKUPKERNELDIR}" > /dev/null
+ 
+ 	# Mark the directory as having been created by freebsd-update.
+-	touch $BACKUPKERNELDIR/.freebsd-update
++	touch $BASEDIR/$BACKUPKERNELDIR/.freebsd-update
+ 	if [ $? -ne 0 ]; then
+ 		echo "Could not create kernel backup directory"
+ 		exit 1
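Review bot: `rm -fr $BASEDIR/$BACKUPKERNELDIR` is the one line in this file where an unset or empty `BACKUPKERNELDIR` becomes catastrophic (`rm -fr $BASEDIR/`); the marker-file guard in `backup_kernel_finddir` protects against the wrong directory but not against an empty name, so test `[ -n "${BACKUPKERNELDIR}" ]` (or use `${BACKUPKERNELDIR:?}`) before it. The exit status of `mkdir -p` is not checked either, although the `touch` that follows would catch most failures.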
+@@ -2647,8 +2727,8 @@ backup_kernel () {
+ 	fi
+ 
+ 	# Backup all the kernel files using hardlinks.
+-	(cd $KERNELDIR && find . -type f $FINDFILTER -exec \
+-	    cp -pl '{}' ${BACKUPKERNELDIR}/'{}' \;)
++	(cd ${BASEDIR}/${KERNELDIR} && find . -type f $FINDFILTER -exec \
++	    cp -pl '{}' ${BASEDIR}/${BACKUPKERNELDIR}/'{}' \;)
+ 
+ 	# Re-enable patchname expansion.
+ 	set +f
+@@ -2746,7 +2826,7 @@ install_files () {
+ 
+ 		# Update linker.hints if necessary
+ 		if [ -s INDEX-OLD -o -s INDEX-NEW ]; then
+-			kldxref -R /boot/ 2>/dev/null
++			kldxref -R ${BASEDIR}/boot/ 2>/dev/null
+ 		fi
+ 
+ 		# We've finished updating the kernel.
+@@ -2797,14 +2877,14 @@ Kernel updates have been installed.  Ple
+ 		install_delete INDEX-OLD INDEX-NEW || return 1
+ 
+ 		# Rebuild /etc/spwd.db and /etc/pwd.db if necessary.
+-		if [ /etc/master.passwd -nt /etc/spwd.db ] ||
+-		    [ /etc/master.passwd -nt /etc/pwd.db ]; then
+-			pwd_mkdb /etc/master.passwd
++		if [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/spwd.db ] ||
++		    [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/pwd.db ]; then
++			pwd_mkdb -d ${BASEDIR}/etc ${BASEDIR}/etc/master.passwd
+ 		fi
+ 
+ 		# Rebuild /etc/login.conf.db if necessary.
+-		if [ /etc/login.conf -nt /etc/login.conf.db ]; then
+-			cap_mkdb /etc/login.conf
++		if [ ${BASEDIR}/etc/login.conf -nt ${BASEDIR}/etc/login.conf.db ]; then
++			cap_mkdb ${BASEDIR}/etc/login.conf
+ 		fi
+ 
+ 		# We've finished installing the world and deleting old files
+@@ -3011,21 +3091,8 @@ IDS_compare () {
+ 	mv INDEX-NOTMATCHING.tmp INDEX-NOTMATCHING
+ 
+ 	# Go through the lines and print warnings.
+-	while read LINE; do
+-		FPATH=`echo "${LINE}" | cut -f 1 -d '|'`
+-		TYPE=`echo "${LINE}" | cut -f 2 -d '|'`
+-		OWNER=`echo "${LINE}" | cut -f 3 -d '|'`
+-		GROUP=`echo "${LINE}" | cut -f 4 -d '|'`
+-		PERM=`echo "${LINE}" | cut -f 5 -d '|'`
+-		HASH=`echo "${LINE}" | cut -f 6 -d '|'`
+-		LINK=`echo "${LINE}" | cut -f 7 -d '|'`
+-		P_TYPE=`echo "${LINE}" | cut -f 8 -d '|'`
+-		P_OWNER=`echo "${LINE}" | cut -f 9 -d '|'`
+-		P_GROUP=`echo "${LINE}" | cut -f 10 -d '|'`
+-		P_PERM=`echo "${LINE}" | cut -f 11 -d '|'`
+-		P_HASH=`echo "${LINE}" | cut -f 12 -d '|'`
+-		P_LINK=`echo "${LINE}" | cut -f 13 -d '|'`
+-
++	local IFS='|'
++	while read FPATH TYPE OWNER GROUP PERM HASH LINK P_TYPE P_OWNER P_GROUP P_PERM P_HASH P_LINK; do
+ 		# Warn about different object types.
+ 		if ! [ "${TYPE}" = "${P_TYPE}" ]; then
+ 			echo -n "${FPATH} is a "
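Review bot: `local IFS='|'` stays in effect for the remainder of `IDS_compare`, not just the `while` loop, so any later unquoted expansion in the function is now split on `|` instead of whitespace; scope it as `while IFS='|' read ...` instead. `read` without `-r` also interprets backslashes, which the old `cut`-based code did not, so a path containing `\` is mangled before it is compared; use `read -r`. The 13-name `read` line is well over 80 columns and would be easier to review split with a trailing backslash.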
+@@ -3153,7 +3220,7 @@ get_params () {
+ # Fetch command.  Make sure that we're being called
+ # interactively, then run fetch_check_params and fetch_run
+ cmd_fetch () {
+-	if [ ! -t 0 ]; then
++	if [ ! -t 0 -a $NOTTYOK -eq 0 ]; then
+ 		echo -n "`basename $0` fetch should not "
+ 		echo "be run non-interactively."
+ 		echo "Run `basename $0` cron instead."
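Review bot: The non-interactive error text still only says "Run freebsd-update cron instead"; now that `--not-running-from-cron` exists, this message is where a scripted caller first learns it has been refused, so name the flag here as the alternative for tools that are not cron, otherwise the only route to it is the manual page.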

Added: head/share/security/patches/EN-15:04/freebsd-update-8.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-15:04/freebsd-update-8.patch.asc	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=vvQY
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-15:04/freebsd-update.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-15:04/freebsd-update.patch	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,152 @@
+Index: usr.sbin/freebsd-update/freebsd-update.8
+===================================================================
+--- usr.sbin/freebsd-update/freebsd-update.8	(revision 282245)
++++ usr.sbin/freebsd-update/freebsd-update.8	(working copy)
+@@ -25,7 +25,7 @@
+ .\"
+ .\" $FreeBSD$
+ .\"
+-.Dd July 14, 2010
++.Dd March 2, 2015
+ .Dt FREEBSD-UPDATE 8
+ .Os FreeBSD
+ .Sh NAME
+@@ -36,10 +36,12 @@
+ .Op Fl b Ar basedir
+ .Op Fl d Ar workdir
+ .Op Fl f Ar conffile
++.Op Fl F
+ .Op Fl k Ar KEY
+ .Op Fl r Ar newrelease
+ .Op Fl s Ar server
+ .Op Fl t Ar address
++.Op Fl -not-running-from-cron
+ .Cm command ...
+ .Sh DESCRIPTION
+ The
+@@ -54,16 +56,16 @@ by the
+ .Fx
+ Release Engineering Team, e.g.,
+ .Fx
+-7.3-RELEASE and
++9.3-RELEASE and
+ .Fx
+-8.0-RELEASE, but not
++10.1-RELEASE, but not
+ .Fx
+-6.3-STABLE or
++9.3-STABLE or
+ .Fx
+-9.0-CURRENT.
++11-CURRENT.
+ .Sh OPTIONS
+ The following options are supported:
+-.Bl -tag -width "-f conffile"
++.Bl -tag -width "-r newrelease"
+ .It Fl b Ar basedir
+ Operate on a system mounted at
+ .Ar basedir .
+@@ -81,6 +83,10 @@ Read configuration options from
+ .Ar conffile .
+ (default:
+ .Pa /etc/freebsd-update.conf )
++.It Fl F
++Force
++.Nm Cm fetch
++to proceed where it normally would not, such as an unfinished upgrade
+ .It Fl k Ar KEY
+ Trust an RSA key with SHA256 of
+ .Ar KEY .
+@@ -98,12 +104,21 @@ Mail output of
+ command, if any, to
+ .Ar address .
+ (default: root, or as given in the configuration file.)
++.It Fl -not-running-from-cron
++Force
++.Nm Cm fetch
++to proceed when there is no controlling tty.
++This is for use by automated scripts and orchestration tools.
++Please do not run
++.Nm Cm fetch
++from crontab or similar using this flag, see:
++.Nm Cm cron
+ .El
+ .Sh COMMANDS
+ The
+ .Cm command
+ can be any one of the following:
+-.Bl -tag -width "-f conffile"
++.Bl -tag -width "rollback"
+ .It Cm fetch
+ Based on the currently installed world and the configuration
+ options set, fetch all available binary updates.
+Index: usr.sbin/freebsd-update/freebsd-update.sh
+===================================================================
+--- usr.sbin/freebsd-update/freebsd-update.sh	(revision 282245)
++++ usr.sbin/freebsd-update/freebsd-update.sh	(working copy)
+@@ -43,12 +43,15 @@ Options:
+                   (default: /var/db/freebsd-update/)
+   -f conffile  -- Read configuration options from conffile
+                   (default: /etc/freebsd-update.conf)
++  -F           -- Force a fetch operation to proceed
+   -k KEY       -- Trust an RSA key with SHA256 hash of KEY
+   -r release   -- Target for upgrade (e.g., 6.2-RELEASE)
+   -s server    -- Server from which to fetch updates
+                   (default: update.FreeBSD.org)
+   -t address   -- Mail output of cron command, if any, to address
+                   (default: root)
++  --not-running-from-cron
++               -- Run without a tty, for use by automated tools
+ Commands:
+   fetch        -- Fetch updates from server
+   cron         -- Sleep rand(3600) seconds, fetch updates, and send an
+@@ -399,6 +402,12 @@ init_params () {
+ 
+ 	# No commands specified yet
+ 	COMMANDS=""
++
++	# Force fetch to proceed
++	FORCEFETCH=0
++
++	# Run without a TTY
++	NOTTYOK=0
+ }
+ 
+ # Parse the command line
+@@ -411,6 +420,12 @@ parse_cmdline () {
+ 			if [ ! -z "${CONFFILE}" ]; then usage; fi
+ 			shift; CONFFILE="$1"
+ 			;;
++		-F)
++			FORCEFETCH=1
++			;;
++		--not-running-from-cron)
++			NOTTYOK=1
++			;;
+ 
+ 		# Configuration file equivalents
+ 		-b)
+@@ -665,6 +680,14 @@ fetch_check_params () {
+ 		echo "(Did you mean 'upgrade' instead?)"
+ 		exit 1
+ 	fi
++
++	# Check that we have updates ready to install
++	if [ -f ${BDHASH}-install/kerneldone -a $FORCEFETCH -eq 0 ]; then
++		echo "You have a partially completed upgrade pending"
++		echo "Run '$0 install' first."
++		echo "Run '$0 fetch -F' to proceed anyway."
++		exit 1
++	fi
+ }
+ 
+ # Perform sanity checks etc. before fetching upgrades.
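Review bot: This patch for 9.3 and 10.1 carries only the pending-upgrade check, the two new flags and the manual page text; the `config_TargetRelease` "-RELEASE" suffixing, the md/tmpfs workdir check, the `samef` merge logic, the `BASEDIR` prefixing in `backup_kernel`/`install_files` and the `IDS_compare` rewrite appear only in freebsd-update-8.patch above. Confirm in the commit log that those are already in stable/9 and stable/10, and note that the `kerneldone` test here has the same gap as the 8.4 version: an upgrade that was fetched but never installed (only `kernelfirst` present) is not detected.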
+@@ -3202,7 +3225,7 @@ get_params () {
+ # Fetch command.  Make sure that we're being called
+ # interactively, then run fetch_check_params and fetch_run
+ cmd_fetch () {
+-	if [ ! -t 0 ]; then
++	if [ ! -t 0 -a $NOTTYOK -eq 0 ]; then
+ 		echo -n "`basename $0` fetch should not "
+ 		echo "be run non-interactively."
+ 		echo "Run `basename $0` cron instead."
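Review bot: As in the 8.4 copy of this hunk, the refusal still directs the caller only to `cron`; mention `--not-running-from-cron` in the message, since a non-interactive tool hitting this branch has no other way to discover the flag.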

Added: head/share/security/patches/EN-15:04/freebsd-update.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-15:04/freebsd-update.patch.asc	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.2 (FreeBSD)
+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+=bxKG
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-15:05/ufs.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-15:05/ufs.patch	Wed May 13 23:07:20 2015	(r46693)
@@ -0,0 +1,313 @@
+Index: sys/ufs/ffs/ffs_softdep.c
+===================================================================
+--- sys/ufs/ffs/ffs_softdep.c	(revision 282245)
++++ sys/ufs/ffs/ffs_softdep.c	(working copy)
+@@ -735,9 +735,10 @@ static struct malloc_type *memtype[] = {
+ static	void check_clear_deps(struct mount *);
+ static	void softdep_error(char *, int);
+ static	int softdep_process_worklist(struct mount *, int);
+-static	int softdep_waitidle(struct mount *);
++static	int softdep_waitidle(struct mount *, int);
+ static	void drain_output(struct vnode *);
+ static	struct buf *getdirtybuf(struct buf *, struct rwlock *, int);
++static	int check_inodedep_free(struct inodedep *);
+ static	void clear_remove(struct mount *);
+ static	void clear_inodedeps(struct mount *);
+ static	void unlinked_inodedep(struct mount *, struct inodedep *);
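Review bot: `softdep_waitidle()` gains a second `int` argument in the prototype with nothing saying what it selects, and the definition and callers are outside this excerpt; a short comment here or at the definition on the flag's meaning (and on what `check_inodedep_free()` decides) would save the next reader a grep through ffs_softdep.c.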
+@@ -1377,6 +1378,10 @@ softdep_flush(addr)
+ 	mp = (struct mount *)addr;
+ 	ump = VFSTOUFS(mp);
+ 	atomic_add_int(&stat_flush_threads, 1);
++	ACQUIRE_LOCK(ump);
++	ump->softdep_flags &= ~FLUSH_STARTING;
++	wakeup(&ump->softdep_flushtd);
++	FREE_LOCK(ump);
+ 	if (print_threads) {
+ 		if (stat_flush_threads == 1)
+ 			printf("Running %s at pid %d\n", bufdaemonproc->p_comm,
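Review bot: Clearing `FLUSH_STARTING` and calling `wakeup(&ump->softdep_flushtd)` reuses the channel the flush loop itself sleeps on (`msleep(&ump->softdep_flushtd, ...)` just below) and that `worklist_speedup()` wakes, so whoever waits for `FLUSH_STARTING` to clear must re-test the flag under the lock in a loop rather than treat a single wakeup as the signal; the waiter is not in this hunk, so a comment at the wakeup saying the channel is shared would help.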
+@@ -1389,7 +1394,7 @@ softdep_flush(addr)
+ 		    VFSTOUFS(mp)->softdep_jblocks->jb_suspended))
+ 			kthread_suspend_check();
+ 		ACQUIRE_LOCK(ump);
+-		if ((ump->softdep_flags & FLUSH_CLEANUP) == 0)
++		if ((ump->softdep_flags & (FLUSH_CLEANUP | FLUSH_EXIT)) == 0)
+ 			msleep(&ump->softdep_flushtd, LOCK_PTR(ump), PVM,
+ 			    "sdflush", hz / 2);
+ 		ump->softdep_flags &= ~FLUSH_CLEANUP;
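Review bot: Skipping the `msleep` when `FLUSH_EXIT` is set removes up to `hz/2` of latency from the thread's exit, which is the path reboot(8) takes through unmount and the wait this notice is about; the next line still clears only `FLUSH_CLEANUP`, so confirm the loop's termination test (not in this hunk) checks `FLUSH_EXIT` before processing another round of the worklist, otherwise the thread can keep working a non-empty list while shutdown waits on it.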
+@@ -1419,11 +1424,9 @@ worklist_speedup(mp)
+ 
+ 	ump = VFSTOUFS(mp);
+ 	LOCK_OWNED(ump);
+-	if ((ump->softdep_flags & (FLUSH_CLEANUP | FLUSH_EXIT)) == 0) {

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-doc-all mailing list