FreeBSD 8.4-RELEASE Errata

The FreeBSD Project

FreeBSD is a registered trademark of the FreeBSD Foundation.

Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

SPARC, SPARC64, SPARCengine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the or the ® symbol.

Last modified on 2013-06-13 by hrs.

Table of Contents

1. Introduction
2. Security Advisories
3. Open Issues
4. Late-Breaking News and Corrections

Abstract

This document lists errata items for FreeBSD 8.4-RELEASE, containing significant information discovered after the release or too late in the release cycle to be otherwise included in the release documentation. This information includes security advisories, as well as news relating to the software or documentation that could affect its operation or usability. An up-to-date version of this document should always be consulted before installing this version of FreeBSD.

This errata document for FreeBSD 8.4-RELEASE will be maintained until the release of FreeBSD 8.5-RELEASE.

1. Introduction

This errata document contains late-breaking news about FreeBSD 8.4-RELEASE Before installing this version, it is important to consult this document to learn about any post-release discoveries or problems that may already have been found and fixed.

Any version of this errata document actually distributed with the release (for example, on a CDROM distribution) will be out of date by definition, but other copies are kept updated on the Internet and should be consulted as the current errata for this release. These other copies of the errata are located at http://www.FreeBSD.org/releases/, plus any sites which keep up-to-date mirrors of this location.

Source and binary snapshots of FreeBSD 8.4-STABLE also contain up-to-date copies of this document (as of the time of the snapshot).

For a list of all FreeBSD CERT security advisories, see http://www.FreeBSD.org/security/ or ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/.

2. Security Advisories

The following security advisories pertain to FreeBSD 8.4-RELEASE. For more information, consult the individual advisories available from http://security.FreeBSD.org/.

AdvisoryDateTopic
SA-12:01.openssl03 May 2012

OpenSSL multiple vulnerabilities

SA-12:02.crypt30 May 2012

Incorrect crypt() hashing

SA-12:03.bind12 June 2012

Incorrect handling of zero-length RDATA fields in named(8)

SA-12:04.sysret12 June 2012

Privilege escalation when returning from kernel

SA-12:05.bind06 August 2012

named(8) DNSSEC validation Denial of Service

SA-12:06.bind22 November 2012

Multiple Denial of Service vulnerabilities with named(8)

SA-12:07.hostapd22 November 2012

Insufficient message length validation for EAP-TLS messages

SA-12:08.linux22 November 2012

Linux compatibility layer input validation error

SA-13:02.libc19 February 2013

glob(3) related resource exhaustion

SA-13:03.openssl02 April 2013

OpenSSL multiple vulnerabilities

SA-13:04.bind02 April 2013

BIND remote denial of service

SA-13:05.nfsserver29 April 2013

Insufficient input validation in the NFS server

3. Open Issues

[20130613] The vtnet(4) network interface driver displays the following message upon configuration when using QEMU 1.4.1 and later:

vtnet0: error setting host MAC filter table

This message is harmless when the interface has only one MAC address. The patch for this issue is filed to a PR kern/178955.

[20130609] There is incompatibility in jail(8) configuration because the jail(8) utility and rc.d/jail script has been changed. More specifically, the following sysctl(8) variables cannot be used to set the default parameters for jails:

security.jail.mount_zfs_allowed
security.jail.mount_procfs_allowed
security.jail.mount_nullfs_allowed
security.jail.mount_devfs_allowed
security.jail.mount_allowed
security.jail.chflags_allowed
security.jail.allow_raw_sockets
security.jail.sysvipc_allowed
security.jail.socket_unixiproute_only
security.jail.set_hostname_allowed

These could be set by manually using sysctl(8) utility, the sysctl.conf(5) file, or for some of them the following variables in rc.conf(5):

jail_set_hostname_allow="yes"
jail_socket_unixiproute_only="yes"
jail_sysvipc_allow="yes"

These parameters must now be specified in jail_parameters (or jail_jailname_parameters for per-jail configuration) in rc.conf(5). For example:

jail_parameters="allow.sysvipc allow.raw_sockets"

The valid keywords are the following. For more detail, see jail(8) manual page.

allow.set_hostname
allow.sysvipc
allow.raw_sockets
allow.chflags
allow.mount
allow.mount.devfs
allow.mount.nullfs
allow.mount.procfs
allow.mount.zfs
allow.quotas
allow.socket_af

[20130608] FreeBSD 8.4-RELEASE no longer supports FreeBSD CVS repository. Some documents mistakenly refer to RELENG_8_4_0_RELEASE as CVS tag for the release and RELENG_8_4 as CVS branch tag for the 8.4-RELEASE security branch. However, FreeBSD Project no longer supports FreeBSD CVS repository and 8.4-RELEASE has been released by using FreeBSD subversion repository instead. RELENG_8_4 corresponds to svn://svn.FreeBSD.org/base/releng/8.4, and RELENG_8_4_0_RELEASE corresponds to svn://svn.FreeBSD.org/base/release/8.4.0. Please note that FreeBSD source tree for 8.4-RELEASE and its security branch cannot be updated by using official CVSup servers.

[20130607] (removed about a bge(4) network interface driver issue because it was incorrect)

[20130606] The fxp(4) network interface driver may not work well with the dhclient(8) utility. More specifically, if the /etc/rc.conf has the following line:

ifconfig_fxp0="DHCP"

to activate a DHCP client to configure the network interface, the following notification messages are displayed and the dhclient(8) utility keeps trying to initialize the network interface forever.

kernel: fxp0: link state changed to UP
kernel: fxp0: link state changed to DOWN

A patch to fix this issue will be released as an Errata Notice.

4. Late-Breaking News and Corrections

[20130606] As described in FreeBSD 8.4-RELEASE Release Notes, FreeBSD ZFS subsystem has been updated to support feature flags for ZFS pools. However, the default version number of a newly created ZFS pool is still 28.

This is because FreeBSD 9.0 and 9.1 do not support the feature flags. This means ZFS pools with feature flag support cannot be used on FreeBSD 9.0 and 9.1. An 8.X system with v28 ZFS pools can be upgraded to 9.X with no problem. Note that zfs(8) send and receive commands do not work between pools with different versions. Once a ZFS pool is upgraded from v28, there is no way to upgrade the system to FreeBSD 9.0 and 9.1. FreeBSD 9.2 and later will support ZFS pools with feature flags.

To create a ZFS pool with feature flag support, use the zpool(8) create command and then the zpool(8) upgrade command.