Import tzdata 2019c.

Approved by: so
Security: FreeBSD-EN-19:18.tzdata

Bump version information and add UPDATING entries.

Approved by: so

Fix reference count overflow in mqueuefs.

Approved by: so
Security: FreeBSD-SA-19:24.mqueuefs
Security: CVE-2019-5603

Fix kernel memory disclosure from /dev/midistat.

Approved by: so
Security: FreeBSD-SA-19:23.midi
Security: CVE-2019-5612

Fix IPv6 remote denial of service.

Approved by: so
Security: FreeBSD-SA-19:22.mbuf
Security: CVE-2019-5611

Bump version information and add UPDATING entries.

Approved by: so

Fix insufficient validation of guest-supplied data (e1000 device).

Approved by: so
Security: FreeBSD-SA-19:21.bhyve
Security: CVE-2019-5609

Fix insufficient message length validation in bsnmp library.

Approved by: so
Security: FreeBSD-SA-19:20.bsnmp
Security: CVE-2019-5610

Fix ICMPv6 / MLDv2 out-of-bounds memory access.

Approved by: so
Security: FreeBSD-SA-19:19.mldv2
Security: CVE-2019-5608

Fix multiple vulnerabilities in bzip2.

Approved by: so
Security: FreeBSD-SA-19:18.bzip2
Security: CVE-2016-3189
Security: CVE-2019-12900

Fix incorrect exception handling.

Approved by: so
Security: FreeBSD-EN-19:15.libunwind

Bump version information and update UPDATING.

Approved by: so

Fix file descriptor reference count leak.

Approved by: so
Security: FreeBSD-SA-19:17.fd
Security: CVE-2019-5607

Fix byhve out-of-bounds read in XHCI device.

Approved by: so
Security: FreeBSD-SA-19:16.bhyve
Security: CVE-2019-5604

Fix reference count overflow in mqueuefs.

Approved by: so
Security: FreeBSD-SA-19:15.mqueuefs
Security: CVE-2019-5603

Fix kernel memory disclosure in freebsd32_ioctl.

Approved by: so
Security: FreeBSD-SA-19:14.freebsd32
Security: CVE-2019-5605

Fix pts write-after-free.

Approved by: so
Security: FreeBSD-SA-19:13.pts
Security: CVE-2019-5606

Fix multiple telnet client vulnerabilities.

Approved by: so
Security: FreeBSD-SA-19:12.telnet
Security: CVE-2019-0053

Fix panic from Intel CPU vulnerability mitigation.

Approved by: so
Security: FreeBSD-EN-19:13.mds

Update UPDATING and bump newvers.sh

Approved by: so
Approved by: re (implicit)

Fix privilege escalation in cd(4) driver.

Approved by: so
Approved by: re (implicit)
Security: FreeBSD-SA-19:11.cd_ioctl
Security: CVE-2019-5602

Fix kernel stack disclosure in UFS/FFS.

Approved by: so
Security: FreeBSD-SA-19:10.ufs
Security: CVE-2019-5601

Fix iconv buffer overflow.

Approved by: so
Approved by: re (implicit)
Security: FreeBSD-SA-19:09.iconv

Import tzdata 2019b.

Approved by: so
Approved by: re (implicit)
Security: FreeBSD-EN-19:12.tzdata

Bump newvers.sh and add UPDATING block.

Approved by: so

Mitigations for Microarchitectural Data Sampling.

Approved by: so
Security: FreeBSD-SA-19:07.mds
Security: CVE-2018-12126
Security: CVE-2018-12127
Security: CVE-2018-12130
Security: CVE-2019-11091

Fix ICMP/ICMP6 packet filter bypass in pf.

Approved by: so
Security: FreeBSD-SA-19:06.pf
Security: CVE-2019-5598

Fix IPv6 fragment reassembly panic in pf

Approved by: so
Security: FreeBSD-SA-19:05.pf
Security: CVE-2019-5597

Update ntpd to 4.2.8p13 to fix authenticated denial of service.

Approved by: so
Security: FreeBSD-SA-19:04.ntp
Security: CVE-2019-8936

Update hostapd/wpa_supplicant to 2.8 to fix multiple vulnerabilities.

Approved by: so
Security: FreeBSD-SA-19:03.wpa
Security: CVE-2019-9494
Security: CVE-2019-9495
Security: CVE-2019-9496
Security: CVE-2019-9497
Security: CVE-2019-9498
Security: CVE-2019-9499
Security: CVE-2019-11555

Fix partially matching relative paths in xinstall.

Approved by: so
Security: FreeBSD-EN-19:09.xinstall

Import tzdata 2019a.

Approved by: so
Security: FreeBSD-EN-19:08.tzdata

UPDATING and newvers entries for 11.2-p9

Approved by: so
Security: FreeBSD-SA-19:01.syscall

amd64: clear callee-preserved registers on syscall exit

Submitted by: kib
Approved by: so
Security: CVE-2019-5595
Security: FreeBSD-SA-19:01.syscall

UPDATING and newvers entries for 11.2-p8

Approved by: so
Security: FreeBSD-EN-19:03.sqlite
Security: FreeBSD-EN-19:04.tzdata
Security: FreeBSD-EN-19:05.kqueue

MFS11 r340904: Avoid unsynchronized updates to kn_status.

Approved by: so
Security: FreeBSD-EN-19:05.kqueue

MFS11 r342668: Import tzdata 2018h, 2018i

Approved by: so
Security: FreeBSD-EN-19:04.tzdata

MFS11 r342292: MFC r333352 & r342183:

r333352: Update private sqlite from sqlite3-3.20.0 to sqlite3-3.23.1
r342183: Update sqlite3-3.23.1 --> sqlite3-3.26.0 (3260000)

PR: 234113
Approved by: so
Security: FreeBSD-EN-19:03.sqlite

11.2-RELEASE-p7 UPDATING

Approved by: so
Security: FreeBSD-SA-18:15.bootpd
Security: FreeBSD-EN-18:16.ptrace
Security: FreeBSD-EN-18:17.vm
Security: FreeBSD-EN-18:18.zfs

MFS11 r342229: bootpd: validate hardware type

Due to insufficient validation of network-provided data it may have been
possible for a malicious actor to craft a bootp packet which could cause
a stack buffer overflow.

admbugs: 850
Reported by: Reno Robert
Reviewed by: markj
Approved by: so
Security: FreeBSD-SA-18:15.bootpd
Sponsored by: The FreeBSD Foundation

MFS11 r341828: Resolve a hang in ZFS during vnode reclaimation

  This is caused by a deadlock between zil_commit() and zfs_zget()
  Add a way for zfs_zget() to break out of the retry loop in the common case

PR: 229614, 231117
Submitted by: allanjude
Approved by: so
Security: FreeBSD-EN-18:18.zfs
Sponsored by: Klara Systems, The FreeBSD Foundation

MFS11 r341401: Update the free page count when blacklisting pages.

PR: 231296
Submitted by: markj
Approved by: so
Security: FreeBSD-EN-18:17.vm
Sponsored by: The FreeBSD Foundation

MFS11 r340290: Only clear a pending thread event if one is pending.

This fixes a panic when attaching to an already-stopped process.

Also do some other clean ups for control flow of sendsig section.

Submitted by: markj
Approved by: so
Security: FreeBSD-EN-18:16.ptrace
Sponsored by: The FreeBSD Foundation

Fix insufficient bounds checking in bhyve(8) device model. [SA-18:14.bhyve]

Submitted by:   jhb
Reported by:    Reno Robert
Approved by:    so
Security:       FreeBSD-SA-18:14.bhyve
Security:       CVE-2018-17160

Fix deferred kernel loading breaks loader password. [EN-18:15.loader]

Submitted by: dteske
Approved by: so
Security: FreeBSD-EN-18:15.loader

Timezone database information update. [EN-18:14.tzdata]

Approved by: so
Security: FreeBSD-EN-18:14.tzdata

Fix ICMP buffer underwrite. [EN-18:13.icmp]

Approved by: so
Security: FreeBSD-EN-18:13.icmp
Security: CVE-2018-17156

Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs]

Reported by: Jakub Jirasek, Secunia Research at Flexera
Approved by: so
Security: FreeBSD-SA-18:13.nfs
Security: CVE-2018-17157
Security: CVE-2018-17158
Security: CVE-2018-17159

Fix small kernel memory disclosures. [EN-18:12.mem]

Reported by: Thomas Barabosch, Fraunhofer FKIE
Approved by: so
Security: FreeBSD-EN-18:12.mem
Security: CVE-2018-17155

Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]

Reported by: Jakub Jirasek, Secunia Research at Flexera
Approved by: so
Security: FreeBSD-EN-18:11.listen
Security: CVE-2018-6925

Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]

Reported by: Thomas Barabosch, Fraunhofer FKIE
Approved by: so
Security: FreeBSD-EN-18:10.syscall
Security: CVE-2018-17154

Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]

Approved by: so
Security: FreeBSD-EN-18:09.ip

Fix regression in Lazy FPU remediation. [EN-18:08.lazyfpu]

Approved by: so
Security: FreeBSD-EN-18:08.lazyfpu

Fix improper elf header parsing. [SA-18:12.elf]

Approved by: so
Security: FreeBSD-SA-18:12.elf
Security: CVE-2018-6924

Revis manual pages. [SA-18:08.tcp]

Fix L1 Terminal Fault (L1TF) kernel information disclosure.
[SA-18:09.l1tf]

Fix resource exhaustion in IP fragment reassembly. [SA-18:10.ip]

Fix unauthenticated EAPOL-Key decryption vulnerability.
[SA-18:11.hostapd]

Approved by: so

Bump patch level and document them.

Approved by: so

Address concerns about CPU usage while doing TCP reassembly.

Currently, the per-queue limit is a function of the receive buffer
size and the MSS.  In certain cases (such as connections with large
receive buffers), the per-queue segment limit can be quite large.
Because we process segments as a linked list, large queues may not
perform acceptably.

The better long-term solution is to make the queue more efficient.
But, in the short-term, we can provide a way for a system
administrator to set the maximum queue size.

We set the default queue limit to 100.  This is an effort to balance
performance with a sane resource limit.  Depending on their
environment, goals, etc., an administrator may choose to modify this
limit in either direction.

Approved by: so
Security: FreeBSD-SA-18:08.tcp
Security: CVE-2018-6922

- Switch releng/11.2 to -RELEASE.
- Add the anticipated 11.2-RELEASE date to UPDATING.
- Set a static __FreeBSD_version.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Final touches to 11.2-RELEASE release notes:
- Remove an empty section that was left over from a previous commit
  to prune empty sections.
- Add a note about a late discovered issue with zfsd(8) (Bugzilla
  228750).  Fix a sentence stop while here.
- Document SA-18:07, which had been included in RC3.
- Fix FreeBSD versions in the installation.html page.

Approved by: re (implicit, relnotes)
Sponsored by: The FreeBSD Foundation

Update releng/11.2 to RC3 as part of the 11.2-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC rr335072, r335089:
Enable eager FPU context switch on i386 and amd64.
CVE: CVE-2018-3665

MFC r335131
Remove printf() in #NM handler.

MFC r335132:
Reorganize code flow in fpudna()/npxdna().

Approved by: re (gjb)

MFS11 r335088 (dim):
 MFC rr334886:
  Add missed libc++ entries to (Optional)ObsoleteFiles.inc

  Some of these were removed during the libc++ 5.0.0 import, others
  were added in the libc++ 6.0.0 import.

Approved by: re (marius)
Sponsored by: The FreeBSD Foundation

MFS11 r334872 (ram):
 MFC r334657:
  Issue: Utility hangs when  OCS_IOCTL_CMD_MGMT_GET_ALL called in
  parallel on port 0 and port 1.

  Fix: Using static structure for results is corrupting the second
  ioctl request. Removed static for results structure.

Approved by: re (marius)
Sponsored by: The FreeBSD Foundation

Switch releng/11.2 to RC2 as part of the 11.2-RELEASE cycle, following
r334860.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Fix the ordering of where '$bootable' is set in the second
variable setting, which was moved around as part of prior
commits that were subsequently reverted.

This is a direct commit to releng/11.2.

Approved by: re (kib)
Sponsored by: The FreeBSD Foundation

Revert releng/11.2 back to RC1 temporarily, as an additional fix
for amd64 ISOs is required.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Rename releng/11.2 to RC2 as part of the 11.2-RELEASE cycle, following
r334839.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Restore r332345 and r332346 from head, merged to stable/11 as
part of r333006, which was reverted in r334735.

r332345 fixes makefs(8) invocation after head revision r331843,
where makefs(8) was updated to be in sync with NetBSD.

r332346 fixes the $bootable variable position so the platformid
option is correctly applied.

This is a direct commit to releng/11.2, as these two revisions
were part of a total of four revisions merge to stable/11 (at
the time) in r333006.

Approved by: re (bdrewery)
Sponsored by: The FreeBSD Foundation

Revert releng/11.2 back to RC1 due to an issue discovered with
amd64 ISOs, pending a fix to be committed shortly.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Update releng/11.2 to RC2 as part of the 11.2-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFstable/11 334801

Improve compliance with RFC 4895 and RFC 6458.

Silently dicard SCTP chunks which have been requested to be
authenticated but are received unauthenticated no matter if support
for SCTP authentication has been negotiated. This improves compliance
with RFC 4895.

When the application uses the SCTP_AUTH_CHUNK socket option to
request a chunk to be received in an authenticated way, enable
the SCTP authentication extension for the end-point. This improves
compliance with RFC 6458.

Discussed with: Peter Lei
Approved by: re (marius@)

Fix a typo.

Spotted by: adamw
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add xml:id attributes for diff reduction.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Fix a grammatical error.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Connect the installation page to the build.
Update the release version in installation/article.xml.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document pkg(8) version.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

relnotes/article.xml:
- Remove empty sections.
- Move the 'hardware support' section, containing only
  driver information, to the 'device drivers' section.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r334789, dhclient(8) allow to superscede interface-mtu

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

errata/article.xml:
- Prune stale entries from 11.1-RELEASE.
- Add an xml:id for diff reduction.

hardware/article.xml:
- Add an xml:id for diff reduction.

installation/article.xml:
- Add an xml:id for diff reduction.

readme/article.xml:
- Fix a malformed URL and mailing list reference.

readme/article.xml:
- Update the xml:id to match that used by readme/article.xml
  for consistency.

release.ent:
- Update versions, and switch from 'snapshot' to 'release'.

security.xml:
- Remove reference to 10.x.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC: r334443 (by cem@) MF stable/11: r334787

dhclient(8): allow to supersede interface-mtu option

In some cases broken DHCP servers might send invalid MTU value, so allow to
use 'supersede' in dhclient.conf to override this. When superseded value is
0, MTU value is not updated at all.

PR: 206721
Submitted by: novel@
Reported by: <jimp AT pfsense.org>
Approved by: re (gjb)
Relnotes: yes (potentially surprising behavior change w/ broken dhcpd mtu)
Differential Revision: https://reviews.freebsd.org/D15484

MFstable/11 334732:

Don't overflow a buffer if we receive an INIT or INIT-ACK chunk
without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter.
Please note that sending this combination violates the specification.

Thanks to Ronald E. Crane for reporting the issue for the userland
stack.

Approved by: re (gjb@)

MFstable/11 334731

Limit the retransmission timer for SYN-ACKs by TCPTV_REXMTMAX.

Use the same logic to handle the SYN-ACK retransmission when sent from
the syn cache code as when sent from the main code.

Approved by: re (gjb@)
Sponsored by: Netflix, Inc.

MFstable/11 r334730

Ensure net.inet.tcp.syncache.rexmtlimit is limited by TCP_MAXRXTSHIFT.

If the sysctl variable is set to a value larger than TCP_MAXRXTSHIFT+1,
the array tcp_syn_backoff[] is accessed out of bounds.

Discussed with: jtl@
Approved by: re (gjb)
Sponsored by: Netflix, Inc.

Remove the r333006 entry following r334735.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Revert r333006:

 This revision implemented hybrid ISOs for the amd64
 architecture, however it was discovered to have caused
 a regression in booting legacy-mode (BIOS/CSM).

 This restores the way ISOs were previously created, as
 the cause (and differences between head and stable/11
 and releng/11.2) have not been entirely identified.

Approved by: re (marius)
Sponsored by: The FreeBSD Foundation

MFstable/11 r334728:

Ensure we are not dereferencing a NULL pointer.

CID: 1385266
Approved by: re (marius@)

Fix two grammatical errors.

Reported by: adamw
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add xml:id to the article tag for diff reduction when regenerating
the relnotes page.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r333343, ixl(4) version 1.9.9-k.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Adjust wording for r334444 to be more consistent with the text
for i386 memstick images.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r333417, smartpqi(4) addition.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r333166, Apollo Lake boot issue fix.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r334444, amd64 memstick images now use MBR instead of GPT.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r334458, libxo(3) version 0.9.0.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r332040, ocs_fc(4) addition.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r331058, ng_pppoe(4) user-supplied Host-Uniq tag support.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r329581, fix to ICMPv6 redirects.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r329010, loader(8) quote parsing improvements.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r327920, SW_WATCHDOG is now dynamic.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Document r325730, ipfw(4) Dummynet AQM packet marking L2/L3.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation