<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook XML V4.5-Based Extension//EN"
"../../../share/xml/freebsd45.dtd" [
<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN" "release.ent">
<title>&os; &release; Errata </title>
<pubdate>$FreeBSD$</pubdate>
<holder role="mailto:doc@FreeBSD.org">The &os; Documentation Project</holder>
<legalnotice id="trademarks" role="trademarks">
<para>This document lists errata items for &os; &release;,
containing significant information discovered after the release
or too late in the release cycle to be otherwise included in the
release documentation.
This information includes security advisories, as well as news
relating to the software or documentation that could affect its
operation or usability. An up-to-date version of this document
should always be consulted before installing this version of
<para>This errata document for &os; &release;
will be maintained until the release of &os; &release.next;.</para>
<title>Introduction</title>
<para>This errata document contains <quote>late-breaking news</quote>
Before installing this version, it is important to consult this
document to learn about any post-release discoveries or problems
that may already have been found and fixed.</para>
<para>Any version of this errata document actually distributed
with the release (for example, on a CDROM distribution) will be
out of date by definition, but other copies are kept updated on
the Internet and should be consulted as the <quote>current
errata</quote> for this release. These other copies of the
errata are located at <ulink
url="http://www.FreeBSD.org/releases/"></ulink>, plus any sites
which keep up-to-date mirrors of this location.</para>
<para>Source and binary snapshots of &os; &release.branch; also
contain up-to-date copies of this document (as of the time of
<para>For a list of all &os; CERT security advisories, see <ulink
url="http://www.FreeBSD.org/security/"></ulink> or <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/"></ulink>.</para>
<title>Security Advisories</title>
<para>The following security advisories pertain to &os; &release;.
For more information, consult the individual advisories available from
<ulink url="http://security.FreeBSD.org/"></ulink>.</para>
<informaltable frame="none" pgwide="1">
<colspec colwidth="1*" />
<colspec colwidth="1*" />
<colspec colwidth="3*" />
<entry>Advisory</entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc"
>SA-12:01.openssl</ulink></entry>
<entry>03 May 2012</entry>
<entry><para>OpenSSL multiple vulnerabilities</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc"
>SA-12:02.crypt</ulink></entry>
<entry>30 May 2012</entry>
<entry><para>Incorrect crypt() hashing</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:03.bind.asc"
>SA-12:03.bind</ulink></entry>
<entry>12 June 2012</entry>
<entry><para>Incorrect handling of zero-length RDATA fields in named(8)</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc"
>SA-12:04.sysret</ulink></entry>
<entry>12 June 2012</entry>
<entry><para>Privilege escalation when returning from kernel</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:05.bind.asc"
>SA-12:05.bind</ulink></entry>
<entry>06 August 2012</entry>
<entry><para>named(8) DNSSEC validation Denial of Service</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:06.bind.asc"
>SA-12:06.bind</ulink></entry>
<entry>22 November 2012</entry>
<entry><para>Multiple Denial of Service vulnerabilities with named(8)</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:07.hostapd.asc"
>SA-12:07.hostapd</ulink></entry>
<entry>22 November 2012</entry>
<entry><para>Insufficient message length validation for EAP-TLS messages</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:08.linux.asc"
>SA-12:08.linux</ulink></entry>
<entry>22 November 2012</entry>
<entry><para>Linux compatibility layer input validation error</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:02.libc.asc"
>SA-13:02.libc</ulink></entry>
<entry>19 February 2013</entry>
<entry><para>glob(3) related resource exhaustion</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:03.openssl.asc"
>SA-13:03.openssl</ulink></entry>
<entry>02 April 2013</entry>
<entry><para>OpenSSL multiple vulnerabilities</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:04.bind.asc"
>SA-13:04.bind</ulink></entry>
<entry>02 April 2013</entry>
<entry><para>BIND remote denial of service</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:05.nfsserver.asc"
>SA-13:05.nfsserver</ulink></entry>
<entry>29 April 2013</entry>
<entry><para>Insufficient input validation in the NFS server</para></entry>
<sect1 id="open-issues">
<title>Open Issues</title>
<para>[20130609] There is an incompatibility in &man.jail.8;
configuration because the &man.jail.8; utility and the
<filename>rc.d/jail</filename> script have been changed. More
specifically, the following &man.sysctl.8; variables can no longer be
used to set the default parameters for jails:</para>
<programlisting>security.jail.mount_zfs_allowed
security.jail.mount_procfs_allowed
security.jail.mount_nullfs_allowed
security.jail.mount_devfs_allowed
security.jail.mount_allowed
security.jail.chflags_allowed
security.jail.allow_raw_sockets
security.jail.sysvipc_allowed
security.jail.socket_unixiproute_only
security.jail.set_hostname_allowed</programlisting>
<para>Previously, these could be set manually with the &man.sysctl.8;
utility, in the &man.sysctl.conf.5; file, or, for some of them, with
the following variables in &man.rc.conf.5;:</para>
<programlisting>jail_set_hostname_allow="yes"
jail_socket_unixiproute_only="yes"
jail_sysvipc_allow="yes"</programlisting>
<para>These parameters must now be specified in
<varname>jail_parameters</varname> (or
<varname>jail_<replaceable>jailname</replaceable>_parameters</varname>
for per-jail configuration) in &man.rc.conf.5;. For
<programlisting>jail_parameters="allow.sysvipc allow.raw_sockets"</programlisting>
<para>The valid keywords are the following. For more detail, see
the &man.jail.8; manual page.</para>
<programlisting>allow.set_hostname
allow.socket_af</programlisting>
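<para>The script below is an added example, not part of the original
errata or of the &os; base system. It scans configuration text for the
legacy settings listed above and prints the matching
<varname>jail_parameters</varname> line. The function names
<literal>legacy_to_param</literal> and <literal>audit_config</literal>
and the sample input are hypothetical, and the keyword mapping and the
<literal>no</literal>-prefixed negative form are taken from
&man.jail.8; naming and should be checked against the manual page on
the target system.</para>

```sh
#!/bin/sh
# Added example, not part of the errata: translate legacy jail defaults
# found in rc.conf/sysctl.conf text into one jail_parameters line.

# Print the jail(8) keyword for one legacy NAME VALUE pair.
# Returns 1 when NAME is not a legacy jail default (hypothetical helper).
legacy_to_param() {
    pre=
    case $2 in 1|[Yy][Ee][Ss]) on=1 ;; *) on=0 ;; esac
    case $1 in
        security.jail.set_hostname_allowed|jail_set_hostname_allow)
            kw=set_hostname ;;
        security.jail.socket_unixiproute_only|jail_socket_unixiproute_only)
            kw=socket_af; on=$((1 - on)) ;;  # "only" is the inverse of "allow"
        security.jail.sysvipc_allowed|jail_sysvipc_allow) kw=sysvipc ;;
        security.jail.allow_raw_sockets) kw=raw_sockets ;;
        security.jail.chflags_allowed) kw=chflags ;;
        security.jail.mount_allowed) kw=mount ;;
        security.jail.mount_*fs_allowed)     # devfs, nullfs, procfs, zfs
            kw=${1#security.jail.mount_}; kw=${kw%_allowed}; pre=mount. ;;
        *) return 1 ;;
    esac
    # jail(8) booleans are negated with "no" on the last name component.
    if [ "$on" -eq 1 ]; then echo "allow.$pre$kw"; else echo "allow.${pre}no$kw"; fi
}

# Read configuration text on stdin and print the equivalent rc.conf line.
audit_config() {
    params=
    while IFS= read -r line; do
        line=${line%%#*}                       # drop trailing comments
        name=${line%%=*}; value=${line#*=}
        [ "$name" != "$line" ] || continue     # not an assignment
        name=$(printf '%s' "$name" | tr -d ' \t')
        value=$(printf '%s' "$value" | tr -d "\"' \t")
        if kw=$(legacy_to_param "$name" "$value"); then
            params="$params${params:+ }$kw"
        fi
    done
    printf 'jail_parameters="%s"\n' "$params"
}

# Constructed sample input mixing rc.conf and sysctl.conf styles.
SAMPLE='jail_sysvipc_allow="YES"
jail_socket_unixiproute_only="NO"
security.jail.allow_raw_sockets=1
security.jail.mount_devfs_allowed=0
security.jail.set_hostname_allowed=0   # restriction to carry over
hostname="host.example.org"'
printf '%s\n' "$SAMPLE" | audit_config
```

<para>A setting such as
<literal>security.jail.set_hostname_allowed=0</literal> is the case to
watch for: it restricts a permission that is on by default, so it has
to be carried over explicitly.</para>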
<para>[20130608] &os; &release; no longer supports the &os; CVS
repository. Some documents mistakenly refer to
<literal>RELENG_8_4_0_RELEASE</literal> as the CVS tag for the release and
<literal>RELENG_8_4</literal> as the CVS branch tag for the
&release; security branch. However, the &os; Project no longer
supports the &os; CVS repository, and &release; has been released by
using the &os; Subversion repository instead.
<literal>RELENG_8_4</literal> corresponds to
<literal>svn://svn.FreeBSD.org/base/releng/8.4</literal>, and
<literal>RELENG_8_4_0_RELEASE</literal> corresponds to
<literal>svn://svn.FreeBSD.org/base/release/8.4.0</literal>.
Please note that the &os; source tree for &release; and its security
branch cannot be updated by using official CVSup servers.</para>
<para>[20130607] (removed about a &man.bge.4; network interface
driver issue because it was incorrect)</para>
<para>[20130606] The &man.fxp.4; network interface driver may not
work well with the &man.dhclient.8; utility. More specifically,
if the <filename>/etc/rc.conf</filename> has the following
<programlisting>ifconfig_fxp0="DHCP"</programlisting>
<para>to activate a DHCP client to configure the network
interface, the following notification messages are displayed and
the &man.dhclient.8; utility keeps trying to initialize the
network interface forever.</para>
<screen>kernel: fxp0: link state changed to UP
kernel: fxp0: link state changed to DOWN</screen>
<para>A patch to fix this issue will be released as an Errata
<sect1 id="late-news">
<title>Late-Breaking News and Corrections</title>
<para>[20130606] As described in the &os; &release; Release Notes,
the &os; ZFS subsystem has been updated to support feature flags for
ZFS pools. However, the default version number of a newly
created ZFS pool is still <literal>28</literal>.</para>
<para>This is because &os; 9.0 and 9.1 do not support the feature
flags. This means ZFS pools with feature flag support cannot be
used on &os; 9.0 and 9.1. An 8.X system with v28 ZFS pools can
be upgraded to 9.X with no problem. Note that the &man.zfs.8;
<command>send</command> and <command>receive</command> commands
do not work between pools with different versions. Once a ZFS
pool is upgraded from v28, there is no way to upgrade the system
to &os; 9.0 and 9.1. &os; 9.2 and later will support ZFS pools
with feature flags.</para>
<para>To create a ZFS pool with feature flag support, use the
&man.zpool.8; <command>create</command> command and then the
&man.zpool.8; <command>upgrade</command> command.</para>