deadsimple BSD Security Advisories and Announcements

MidnightBSD 1.2.7-RELEASE

MidnightBSD 1.2.7 is now available and includes the following fixes:

	Fix several bugs with the base system.

	Don't attempt to measure TSC skew in VMs with dtrace.

	Fix a bug with em(4) driver for Intel Gigabit NICs related to link state.

	Fix a crash with NFSv4 server.

	USB xhci: Remove power bit from super speed root hub port status register to fix warm reset. 
	Also set the max exit latency to 0 because we don't support link power management. 

	Don't report stale signal info in ptrace_lwpinfo.

	Audio: change default mic level to 25. 

This is also the first ISO release since 1.2.0 and includes the following changes from previous git-only releases:

	MidnightBSD 1.2.6 RELEASE

	Missing length validation code common to these three drivers means that a
	malicious USB device could write beyond the end of an allocated network
	packet buffer.

	- smsc(4), supporting SMSC (now Microchip) devices
	- muge(4), supporting Microchip devices
	- cdceem(4), supporting USB Communication Device Class compatible devices

	sendmsg security fix

	When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the
	control message to be transmitted (if any) into kernel memory, and adjusts
	alignment of control message headers.  The code which performs this work
	contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a
	malicious userspace program to modify control message headers after they were
	validated by the kernel.

	MidnightBSD 1.2.5 RELEASE
	Fix a 30-year-old bug in mountd.

	MidnightBSD 1.2.4 RELEASE
	Update libmport to fix several package installation bugs.

	MidnightBSD 1.2.3 RELEASE

	Security update for sqlite3. Update to 3.32.3

	Update unbound to 1.10.1

	MidnightBSD 1.2.2 release

	Fixed a security issue in libalias.

	The FTP packet handler in libalias incorrectly calculates some packet
	lengths.  This may result in disclosing small amounts of memory from the
	kernel (for the in-kernel NAT implementation) or from the process space for
	natd (for the userspace implementation).

	Updated tzdata to 2020a. 

	MidnightBSD 1.2.1 release

	Bugfixes for package management and module builds.

Lucas Holt

Midnightbsd-security mailing list
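
The double-fetch pattern behind the sendmsg TOCTOU fix described above, as an added illustration that is not part of the announcement and is not MidnightBSD kernel code. It is a simplified user-space model: hdr32, race_hook, grow_len, run_demo and both use_len_* functions are hypothetical names, and the message bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model with hypothetical names, not MidnightBSD kernel code. */
struct hdr32 { uint32_t len, level, type; };     /* constructed control header */
typedef void (*race_hook)(unsigned char *user);  /* stands in for a racing thread */

/* Constructed racing writer: rewrites the length field after it was checked. */
static void grow_len(unsigned char *user) {
    uint32_t big = 4096;
    memcpy(user, &big, sizeof big);
}

/* Before: two reads of user memory. Returns the length used, -1 if rejected. */
long use_len_double_fetch(unsigned char *user, size_t ulen, race_hook hook) {
    struct hdr32 h;
    if (ulen < sizeof h) return -1;
    memcpy(&h, user, sizeof h);                   /* fetch 1: time of check */
    if (h.len < sizeof h || h.len > ulen) return -1;
    if (hook) hook(user);                         /* user memory changes here */
    memcpy(&h, user, sizeof h);                   /* fetch 2: time of use */
    return (long)h.len;                           /* not the value that was checked */
}

/* After: one copy into kernel-owned memory; check and use only that copy. */
long use_len_single_fetch(unsigned char *user, size_t ulen, race_hook hook) {
    unsigned char kbuf[64];
    struct hdr32 h;
    if (ulen < sizeof h || ulen > sizeof kbuf) return -1;
    memcpy(kbuf, user, ulen);                     /* the only read of user memory */
    if (hook) hook(user);                         /* later writes cannot reach kbuf */
    memcpy(&h, kbuf, sizeof h);
    if (h.len < sizeof h || h.len > ulen) return -1;
    return (long)h.len;
}

/* Runs one variant on a constructed 32-byte message whose header length is 16. */
long run_demo(int hardened) {
    unsigned char user[32] = {0};
    struct hdr32 h = { 16, 0xffff, 1 };
    memcpy(user, &h, sizeof h);
    return hardened ? use_len_single_fetch(user, sizeof user, grow_len)
                    : use_len_double_fetch(user, sizeof user, grow_len);
}

int main(void) {
    return printf("double fetch: %ld, single fetch: %ld\n", run_demo(0), run_demo(1)) < 0;
}
```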