| Age | Commit message (Collapse) | Author |
|---|
|
add --label option to prefix the output instead of filename.
allow using - to mean stdin.
ok deraadt
|
|
fixes compiler warning via deraadt
|
|
Tested by Andre Stoebe and Remi Locherer.
ok deraadt, tb
|
|
|
|
|
|
|
|
root anchor changed in unbound 1.9.3, "Add hex print of trust anchor
pointer to trust anchor file temp name to make it unique, for libunbound
created multiple contexts".
This isn't allowed by unbound-anchor's unveil; adjust to unveil the
parent directory (typically /var/unbound/db, but generated from the
filename).
ok florian@ tb@
|
|
ok jca@ deraadt@ claudio@ visa@
|
|
ok ratchov@
|
|
by uninitialized garbage. Crash in snmp(1) found by
regress/usr.sbin/snmpd.
OK martijn@
|
|
|
|
freed up some space on the tx ring. This fixes stalls seen in tcpbench.
ok dlg@ patrick@ kettenis@
|
|
ok visa@, kn@
|
|
ok visa@, kn@
|
|
ok visa@, kn@, cheloha@
|
|
|
|
sweep tree to correct NDIINT op and flags ahead of time. document
the requirement. This allows KERNELPATH to be used to bypass
unveil for crash dumps with nosuidcoredump=2 or 3
ok visa@ deraadt@ florian@
|
|
|
|
|
|
as found the hard way by d.rauschenb@gmail on an old fujitsu siemens
machine, reading all of hw (notable hw.setperf) can have unexpected
side-effects. ok deraadt
|
|
PS-poll and BA-req frames are in fact being processed.
Do not count such frames as discarded control frames.
OK phessler kn mpi
|
|
ok deraadt@, patrick@
|
|
get_process_info() returns a pointer to the global handle later only be
used in format_next_process(); treat this struct handle as such without
casting the pointer to caddr_t and back again.
No object change.
OK millert deraadt
|
|
SETORDER() can assign from function arguments directly without additional
identical structs in each function.
No object change.
OK millert
|
|
only where it's needed (and confuses test(1) on at least OS X in portable).
|
|
|
|
From Kai-Heng Feng
2c60da90ec4467adec602e1b81b3ca256f581031 in linux 4.19.y/4.19.77
bb264220d9316f6bd7c1fd84b8da398c93912931 in mainline linux
|
|
From Ahzo
d47636913bda8255652805eb29b9638e6d9311c1 in linux 4.19.y/4.19.77
f659bb6dae58c113805f92822e4c16ddd3156b79 in mainline linux
|
|
needed for next round of 4.19 patches
|
|
Basic implementation: we just retry once, and make no attempt (yet) to
parse any Retry-After header.
The idea is to work around cdn.openbsd.org sometimes replying with a 503
for reasons unknown. According to juanfra@ it sets "Retry-After: 0" so
this minimal implementation should be enough.
Different diff from espie@, test case from sthen@, input from
millert@, ok millert@ deraadt@
|
|
/sys/arch/amd64/include/pctr.h. Adjust the manual page.
ok deraadt@
|
|
sections; despite being a RELA arch, ld.so was making assumptions about
the initialization of the targeted location.
Add the relative relocation optimization, handling relocations
covered by the DT_RELACOUNT value in a tight loop.
ok mpi@ deraadt@
|
|
|
|
added IPI support on armv7.
|
|
also came up with the initial implementation.
ok drahn@, jsg@
|
|
chris@ seems to have hit this one too
ok dlg@
|
|
gif may have needed it when you could switch modes with gif, but
now that's handled by if_etherip.c. ip_ether.c is empty, so we can
plan to remove it.
ok visa@ jca@ deraadt@
|
|
and skip 'protected' symbols when identifying which functions will be
subjects of lazy resolution
|
|
so that we can operate on libs from other archs
|
|
ok mlarkin@, mpi@, krw@, deraadt@
|
|
|
|
original diff from sven falempin, tweaked a bit by myself;
ok sthen
|
|
|
|
MPLS VPN cluesticks supplied by Dylan Hall
ok claudio@ jmc@
|
|
(Note that the CMS code is currently disabled.)
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
tests from bluhm@
ok jsing
commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun Sep 1 00:16:28 2019 +0200
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
|
|
ok mpi@
|
|
The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@
|
|
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
|
|
commit the pending work and therefore start a new worklist. The delayed
commits can cause such situations to happen and there is no reason to
panic because of this.
Problem found by jmc@
OK benno@
|
|
openssl s_server has an arbitrary read vulnerability on Windows when run with
the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to
Jobert Abma for reporting.
ok tb@
|
