src, branch releng/12.3 FreeBSD source tree Add UPDATING entries and bump version 2023-12-05T18:32:16+00:00 Mark Johnston markj@FreeBSD.org 2023-12-05T18:32:16+00:00 da6997b05390d57773aa1bd66993942438aa8258 Approved by: so 
Approved by:	so
pf: remove incorrect fragmentation check 2023-12-05T18:31:14+00:00 Kristof Provost kp@FreeBSD.org 2023-11-29T18:06:31+00:00 1f8724dd18b0d57ccc74086040411bb1f0059be0 We do not need to check PFDESC_IP_REAS while tracking TCP state. Moreover, this check incorrectly considers no-data packets (e.g. RST) to be in-window when this flag is not set. Sponsored by: Rubicon Communications, LLC ("Netgate") Approved by: so Security: FreeBSD-SA-23:17.pf (cherry picked from commit 6284d5f76d6bd2d97fe287c5adabf59c79688eda) (cherry picked from commit 0415f0554b72b93a1986292d28f679594f6ce6a6) 
We do not need to check PFDESC_IP_REAS while tracking TCP state.
Moreover, this check incorrectly considers no-data packets (e.g. RST) to
be in-window when this flag is not set.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Approved by:	so
Security:	FreeBSD-SA-23:17.pf

(cherry picked from commit 6284d5f76d6bd2d97fe287c5adabf59c79688eda)
(cherry picked from commit 0415f0554b72b93a1986292d28f679594f6ce6a6)
Add UPDATING entries and bump version. 2023-02-16T18:01:02+00:00 Gordon Tetlow gordon@FreeBSD.org 2023-02-16T17:55:44+00:00 7f1c8b021bfe060e14e176ef7af3f2259ac6f78a Approved by: so 
Approved by:	so
Fix multiple OpenSSL vulnerabilities. 2023-02-16T18:00:54+00:00 Gordon Tetlow gordon@FreeBSD.org 2023-02-16T17:25:39+00:00 afb60ed7d8a1e91163200fbf0d85b27a1237ea48 Approved by: so Security: FreeBSD-SA-23:03.openssl Security: CVE-2023-0286 Security: CVE-2023-0215 Security: CVE-2022-4450 Security: CVE-2022-4304 
Approved by:	so
Security:	FreeBSD-SA-23:03.openssl
Security:	CVE-2023-0286
Security:	CVE-2023-0215
Security:	CVE-2022-4450
Security:	CVE-2022-4304
Add UPDATING entries and bump version. 2023-02-08T18:10:08+00:00 Gordon Tetlow gordon@FreeBSD.org 2023-02-08T16:58:20+00:00 138c4a1553a19254dd6b427c0de13337c91ba5b9 Approved by: so 
Approved by:	so
geli: split the initalization of HMAC 2023-02-08T18:09:41+00:00 Mariusz Zaborski oshogbo@FreeBSD.org 2023-02-08T16:41:06+00:00 5e1ad8bebd36392eeaa898fe2fc5348bd5e5c863 GELI allows to read a user key from a standard input. However if user initialize multiple providers at once, the standard input will be empty for the second and next providers. This caused GELI to encrypt a master key with an empty key file. This commits initialize the HMAC with the key file, and then reuse the finalized structure to generate different encryption keys for different providers. Reported by: Nathan Dorfman Tested by: philip Approved by: so Security: FreeBSD-SA-23:01.geli Security: CVE-2023-0751 (cherry picked from commit 5fff09660e06a66bed6482da9c70df328e16bbb6) (cherry picked from commit a5afaf4e9abd8d5e6cce5d6c433d2276bf9b8721) 
GELI allows to read a user key from a standard input.
However if user initialize multiple providers at once, the standard
input will be empty for the second and next providers.
This caused GELI to encrypt a master key with an empty key file.

This commits initialize the HMAC with the key file, and then reuse the
finalized structure to generate different encryption keys for different
providers.

Reported by:	Nathan Dorfman
Tested by:	philip
Approved by:	so
Security:	FreeBSD-SA-23:01.geli
Security:	CVE-2023-0751

(cherry picked from commit 5fff09660e06a66bed6482da9c70df328e16bbb6)
(cherry picked from commit a5afaf4e9abd8d5e6cce5d6c433d2276bf9b8721)
ixgbe: workaround errata about UDP frames with zero checksum 2023-02-08T16:32:26+00:00 Andrey V. Elsukov ae@FreeBSD.org 2022-11-10T09:34:40+00:00 f31403bfdd79be98e11a00cccf4b6707e006ba7a Intel 82599 has errata related to IPv4 UDP frames with zero checksum. It reports such datagrams with L4 integrity errors in IXGBE_XEC register. And after afb1aa4e6df2 commit such errors are reported via IFCOUNTER_IERRORS. This confuses users, since actually all frames are handled correctly by the system. To workaround the problem, let's ignore the XEC register value for 82599 cards for now. PR: 266048 Discussed with: erj Sponsored by: Yandex LLC Approved by: so Security: FreeBSD-EN-23:04.ixgbe (cherry picked from commit 8526120ad41ca47367b43f8f4459e0fa61285571) (cherry picked from commit fe9c4deda9d4aa2c5bed75071f8006bd2a0734a2) 
Intel 82599 has errata related to IPv4 UDP frames with zero checksum.
It reports such datagrams with L4 integrity errors in IXGBE_XEC
register. And after afb1aa4e6df2 commit such errors are reported
via IFCOUNTER_IERRORS. This confuses users, since actually all frames
are handled correctly by the system.
To workaround the problem, let's ignore the XEC register value for
82599 cards for now.

PR:		266048
Discussed with:	erj
Sponsored by:	Yandex LLC
Approved by:	so
Security:	FreeBSD-EN-23:04.ixgbe

(cherry picked from commit 8526120ad41ca47367b43f8f4459e0fa61285571)
(cherry picked from commit fe9c4deda9d4aa2c5bed75071f8006bd2a0734a2)
contrib/tzdata: import tzdata 2022g 2023-02-08T16:11:52+00:00 Philip Paeps philip@FreeBSD.org 2022-11-30T01:36:28+00:00 d4745a8681160931692d9d399174842b1f07cc94 Changes: https://github.com/eggert/tz/blob/2022g/NEWS tzdata 2022g and later split America/Ciudad_Juarez from America/Ojinaga. Ensure this file is removed in builds WITHOUT_ZONEINFO. Approved by: so Security: FreeBSD-EN-23:01.tzdata (cherry picked from commit cf1ad5351036884e0a2e21d1bc9b712448467741) (cherry picked from commit 821549a9dfdf69f533feb84914b09450cd7311b6) (cherry picked from commit e2861c40b1aac3e4592a7d618418914b8f13c1dc) 
Changes: https://github.com/eggert/tz/blob/2022g/NEWS

tzdata 2022g and later split America/Ciudad_Juarez from America/Ojinaga.
Ensure this file is removed in builds WITHOUT_ZONEINFO.

Approved by:	so
Security:	FreeBSD-EN-23:01.tzdata

(cherry picked from commit cf1ad5351036884e0a2e21d1bc9b712448467741)
(cherry picked from commit 821549a9dfdf69f533feb84914b09450cd7311b6)
(cherry picked from commit e2861c40b1aac3e4592a7d618418914b8f13c1dc)
Add UPDATING entries and bump version. 2022-11-29T23:12:50+00:00 Gordon Tetlow gordon@FreeBSD.org 2022-11-29T23:12:50+00:00 04043434d294cef8e39275444b46e9f36e2eb0e9 Approved by: so 
Approved by:	so
heimdal: Fix: Too large time skew, client time 1970-01-01T01:00:00 2022-11-29T23:04:04+00:00 Cy Schubert cy@FreeBSD.org 2022-11-17T15:43:29+00:00 62b8c69d298c08bb443e9e27d26bd5b1ebcd7175 Part of ed549cb0c53f zeroed out a data structure in the resulting code-file when a TUTCTime type was freed. This part of the patch applies to Heimdal 7.1+ and not our Heimdal 1.5.2. PR: 267827 Reported by: Peter Much <pmc@citylink.dinoex.sub.org> Tested by: Peter Much <pmc@citylink.dinoex.sub.org> Approved by: so Security: FreeBSD-EN-22:28.heimdal Fixes: ed549cb0c53f (cherry picked from commit f556a05c49261af3d373c599d05fa250f3563b59) (cherry picked from commit 5afe36c8b79547cda2bdd7297e5e2507a9135945) 
Part of ed549cb0c53f zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.

PR:		267827
Reported by:	Peter Much <pmc@citylink.dinoex.sub.org>
Tested by:	Peter Much <pmc@citylink.dinoex.sub.org>
Approved by:	so
Security:	FreeBSD-EN-22:28.heimdal
Fixes:		ed549cb0c53f

(cherry picked from commit f556a05c49261af3d373c599d05fa250f3563b59)
(cherry picked from commit 5afe36c8b79547cda2bdd7297e5e2507a9135945)