History log of /freebsd-9.3-release/UPDATING
Revision Date Author Comments
# 310419 22-Dec-2016 delphij

Fix multiple vulnerabilities of ntp.

Approved by: so


# 309697 07-Dec-2016 glebius

Merge r309688: address regressions in SA-16:37.libc.

PR: 215105
Submitted by: <jtd2004a sbcglobal.net>
Approved by: so


# 309637 06-Dec-2016 glebius

Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
Fix link_ntoa(3) buffer overflow in libc. [SA-16:37]
Fix warnings about valid time zone abbreviations. [EN-16:19]
Update timezone database information. [EN-16:20]

Security: FreeBSD-SA-16:36.telnetd
Security: FreeBSD-SA-16:37.libc
Errata Notice: FreeBSD-EN-16:19.tzcode
Errata Notice: FreeBSD-EN-16:20.tzdata
Approved by: so


# 308205 02-Nov-2016 delphij

Fix BIND remote Denial of Service vulnerability. [SA-16:34]

Fix OpenSSL remote DoS vulnerability. [SA-16:35]

Security: FreeBSD-SA-16:34.bind
Security: FreeBSD-SA-16:35.openssl
Approved by: so


# 307931 25-Oct-2016 glebius

Revised SA-16:15. The initial patch didn't cover all possible overflows
based on passing incorrect parameters to sysarch(2).

Security: SA-16:15
Approved by: so


# 306942 10-Oct-2016 delphij

Fix BIND remote Denial of Service vulnerability. [SA-16:28]

Fix bspatch heap overflow vulnerability. [SA-16:29]

Fix multiple portsnap vulnerabilities. [SA-16:30]

Approved by: so


# 306336 26-Sep-2016 delphij

Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:

Fix overflow check in BN_bn2dec()
Fix an off by one error in the overflow check added by 07bed46
("Check for errors in BN_bn2dec()").

This fixes a regression introduced in SA-16:26.openssl.

Submitted by: jkim
PR: 212921
Approved by: so


# 306230 23-Sep-2016 delphij

Fix multiple OpenSSL vulnerabilities.

Approved by: so
Security: FreeBSD-SA-16:26.openssl


# 303304 25-Jul-2016 delphij

Fix bspatch heap overflow vulnerability. [SA-16:25]

Fix freebsd-update(8) support of FreeBSD 11.0 release
distribution. [EN-16:09]

Approved by: so


# 301301 04-Jun-2016 delphij

Fix multiple ntp vulnerabilities.

Security: FreeBSD-SA-16:24.ntp
Approved by: so


# 301049 31-May-2016 glebius

Fix kernel stack disclosure in Linux compatibility layer. [SA-16:20]
Fix kernel stack disclosure in 4.3BSD compatibility layer. [SA-16:21]

Security: SA-16:20
Security: SA-16:21
Approved by: so


# 300088 17-May-2016 glebius

- Use unsigned version of min() when handling arguments of SETFKEY ioctl.
- Validate that user supplied control message length in sendmsg(2)
is not negative.

Security: SA-16:18
Security: CVE-2016-1886
Security: SA-16:19
Security: CVE-2016-1887
Submitted by: C Turt <cturt hardenedbsd.org>
Approved by: so


# 299068 04-May-2016 delphij

Fix multiple OpenSSL vulnerabilities. [SA-16:17]

Fix memory leak in ZFS. [EN-16:08]

Approved by: so


# 298770 29-Apr-2016 delphij

Fix ntp multiple vulnerabilities.

Approved by: so


# 296953 16-Mar-2016 glebius

o Fix OpenSSH xauth(1) command injection. [SA-16:14]
o Fix incorrect argument validation in sysarch(2). [SA-16:15]

Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by: so


# 296611 10-Mar-2016 delphij

Fix multiple vulnerabilities of BIND. [SA-16:13]

Fix a regression with OpenSSL patch. [SA-16:12]

Approved by: so


# 296465 07-Mar-2016 delphij

Fix multiple OpenSSL vulnerabilities.

Security: FreeBSD-SA-16:12.openssl
Approved by: so


# 295061 30-Jan-2016 delphij

Fix OpenSSL SSLv2 ciphersuite downgrade vulnerability.

Security: CVE-2015-3197
Security: FreeBSD-SA-16:11.openssl
Approved by: so


# 294905 27-Jan-2016 delphij

Fix BIND remote denial of service vulnerability. [SA-16:08]

Fix multiple vulnerabilities of ntp. [SA-16:09]

Fix Linux compatibility layer issetugid(2) system call
vulnerability. [SA-16:10]

Security: FreeBSD-SA-16:08.bind
Security: FreeBSD-SA-16:09.ntp
Security: FreeBSD-SA-16:10.linux
Approved by: so


# 294054 14-Jan-2016 glebius

Fix OpenSSH client information leak.

Security: SA-16:07.openssh
Security: CVE-2016-0777
Approved by: so


# 293896 14-Jan-2016 glebius

o Fix invalid TCP checksums with pf(4). [EN-16:02.pf]
o Fix YP/NIS client library critical bug. [EN-16:03.yplib]
o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp]
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]

Errata: FreeBSD-EN-16:02.pf
Errata: FreeBSD-EN-16:03.yplib
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
Approved by: so


# 292321 16-Dec-2015 delphij

Fix BIND remote denial of service vulnerability. [SA-15:27]

Security: FreeBSD-SA-15:27.bind
Security: CVE-2015-8000
Approved by: so


# 291854 05-Dec-2015 delphij

Fix OpenSSL multiple vulnerabilities.

Security: FreeBSD-SA-15:26.openssl
Approved by: so


# 290363 04-Nov-2015 glebius

o Fix regressions related to SA-15:25 upgrade of NTP. [1]
o Fix kqueue write events never fired for files greater than 2GB. [2]
o Fix applications exiting due to segmentation violation on a correct
memory address. [3]

PR: 204046 [1]
PR: 204203 [1]
Errata Notice: FreeBSD-EN-15:19.kqueue [2]
Errata Notice: FreeBSD-EN-15:20.vm [3]
Approved by: so


# 290001 26-Oct-2015 glebius

Upgrade NTP to 4.2.8p4.

Security: FreeBSD-SA-15:25.ntp
Security: CVE-2015-7871
Security: CVE-2015-7855
Security: CVE-2015-7854
Security: CVE-2015-7853
Security: CVE-2015-7852
Security: CVE-2015-7851
Security: CVE-2015-7850
Security: CVE-2015-7849
Security: CVE-2015-7848
Security: CVE-2015-7701
Security: CVE-2015-7703
Security: CVE-2015-7704, CVE-2015-7705
Security: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Approved by: so


# 288512 02-Oct-2015 delphij

Fix a regression with SA-15:24 patch that prevented NIS from
working.

Approved by: so


# 288385 29-Sep-2015 delphij

The Sun RPC framework uses a netbuf structure to represent the
transport specific form of a universal transport address. The
structure is expected to be opaque to consumers. In the current
implementation, the structure contains a pointer to a buffer
that holds the actual address.

In rpcbind(8), netbuf structures are copied directly, which would
result in two netbuf structures that refer to one shared
address buffer. When one of the two netbuf structures is freed,
access to the other netbuf structure would result in an undefined
result that may crash the rpcbind(8) daemon.

Fix this by making a copy of the buffer that is going to be freed
instead of doing a shallow copy.

Security: FreeBSD-SA-15:24.rpcbind
Security: CVE-2015-7236
Approved by: so


# 287873 16-Sep-2015 delphij

Implement pubkey support for pkg(7) bootstrap. [EN-15:18]

Approved by: so


# 287410 02-Sep-2015 delphij

Fix remote denial of service vulnerability when parsing malformed
key.

Security: CVE-2015-5722
Security: FreeBSD-SA-15:23.bind
Approved by: so


# 287147 25-Aug-2015 delphij

Fix local privilege escalation in IRET handler. [SA-15:21]

Fix OpenSSH multiple vulnerabilities. [SA-15:22]

Fix insufficient check of unsupported pkg(7) signature methods.
[EN-15:15]

Approved by: so


# 286902 18-Aug-2015 delphij

Fix multiple integer overflows in expat.

Security: CVE-2015-1283
Security: FreeBSD-SA-15:20.expat
Approved by: so


# 286352 05-Aug-2015 delphij

Fix routed remote denial of service vulnerability. [SA-15:19]

Approved by: so


# 285980 28-Jul-2015 delphij

Fix resource exhaustion in TCP reassembly. [SA-15:15]

Fix OpenSSH multiple vulnerabilities. [SA-15:16]

Fix BIND remote denial of service vulnerability. [SA-15:17]

Approved by: so


# 285780 21-Jul-2015 delphij

Fix resource exhaustion due to sessions stuck in LAST_ACK state.

Security: CVE-2015-5358
Security: SA-15:13.tcp
Submitted by: Jonathan Looney (Juniper SIRT)
Approved by: so


# 285258 07-Jul-2015 delphij

Fix BIND resolver remote denial of service when validating.

Security: CVE-2015-4620
Security: FreeBSD-SA-15:11.bind
Approved by: so


# 284986 30-Jun-2015 delphij

[EN-15:08] Revised: Improvements to sendmail TLS/DH interoperability.

[EN-15:09] Fix inconsistency between locale and rune locale states.

Approved by: so


# 284536 18-Jun-2015 delphij

Raise the default for sendmail client connections to 1024-bit DH
parameters to improve TLS/DH interoperability with newer SSL/TLS
suite, notably OpenSSL after FreeBSD 10.1-RELEASE-p12
(FreeBSD-SA-15:10.openssl).

This is MFC of r284436 (gshapiro), the original commit message
was:

===
The import of openssl to address the FreeBSD-SA-15:10.openssl security
advisory includes a change which rejects handshakes with DH parameters
below 768 bits. sendmail releases prior to 8.15.2 (not yet released),
defaulted to a 512 bit DH parameter setting for client connections.
This commit changes that default to 1024 bits. sendmail 8.15.2, when
released, will use a default of 2048 bits.
===

Reported by: Frank Seltzer
Errata Notice: FreeBSD-EN-15:08.sendmail
Approved by: so


# 284295 12-Jun-2015 delphij

Fix OpenSSL multiple vulnerabilities.

Security: FreeBSD-SA-15:10.openssl
Approved by: so


# 284194 09-Jun-2015 delphij

Update base system file(1) to 5.22 to address multiple denial of
service issues. [EN-15:06]

Approved by: so


# 282874 13-May-2015 delphij

Fix bug with freebsd-update(8) that does not ensure the previous
upgrade was completed. [EN-15:04]

Approved by: so


# 281233 07-Apr-2015 delphij

Improve patch for SA-15:04.igmp to solve a potential buffer overflow.

Fix multiple vulnerabilities of ntp. [SA-15:07]

Fix Denial of Service with IPv6 Router Advertisements. [SA-15:09]

Approved by: so


# 280275 20-Mar-2015 delphij

Fix issues with original SA-15:06.openssl commit:

- Revert a portion of ASN1 change as suggested by OpenBSD
and OpenSSL developers. The change was removed from the
formal OpenSSL release and does not solve the security issue.
- Properly fix CVE-2015-0209 and CVE-2015-0288.

Approved by: so


# 280267 19-Mar-2015 delphij

Fix multiple OpenSSL vulnerabilities.

Security: FreeBSD-SA-15:06.openssl
Security: CVE-2015-0209
Security: CVE-2015-0286
Security: CVE-2015-0287
Security: CVE-2015-0288
Security: CVE-2015-0289
Security: CVE-2015-0293
Approved by: so


# 279265 25-Feb-2015 delphij

Fix integer overflow in IGMP protocol. [SA-15:04]

Fix BIND remote denial of service vulnerability. [SA-15:05]

Fix vt(4) crash with improper ioctl parameters. [EN-15:01]

Updated base system OpenSSL to 0.9.8zd. [EN-15:02]

Fix freebsd-update libraries update ordering issue. [EN-15:03]

Approved by: so


# 277808 27-Jan-2015 delphij

Fix SCTP SCTP_SS_VALUE kernel memory corruption and disclosure vulnerability
and SCTP stream reset vulnerability.

Security: FreeBSD-SA-15:02.kmem
Security: CVE-2014-8612
Security: FreeBSD-SA-15:03.sctp
Security: CVE-2014-8613
Approved by: so


# 277195 14-Jan-2015 delphij

Fix multiple vulnerabilities in OpenSSL. [SA-15:01]

Approved by: so


# 276157 23-Dec-2014 des

[SA-14:31] Fix multiple vulnerabilities in NTP suite.
[EN-14:13] Fix directory deletion issue in freebsd-update.

Approved by: so


# 275672 10-Dec-2014 delphij

Fix multiple vulnerabilities in file(1) and libmagic(3).

Security: FreeBSD-SA-14:28.file
Security: CVE-2014-3710, CVE-2014-8116, CVE-2014-8117

Fix BIND remote denial of service vulnerability.

Security: FreeBSD-SA-14:29.bind
Security: CVE-2014-8500

Approved by: so


# 274114 04-Nov-2014 des

[SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
[SA-14:26] Fix remote command execution in ftp(1).
[EN-14:12] Fix NFSv4 and ZFS cache consistency issue.

Approved by: so (des)


# 273438 21-Oct-2014 delphij

Time zone data file update. [EN-14:10]

Change crypt(3) default hashing algorithm back to DES. [EN-14:11]

Approved by: so


# 273415 21-Oct-2014 delphij

Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]

Fix routed(8) remote denial of service vulnerability. [SA-14:21]

Fix memory leak in sandboxed namei lookup. [SA-14:22]

Fix OpenSSL multiple vulnerabilities. [SA-14:23]

Approved by: so


# 271669 16-Sep-2014 delphij

Fix Denial of Service in TCP packet processing.

Security: FreeBSD-SA-14:19.tcp
Approved by: so


# 271305 09-Sep-2014 delphij

Fix multiple OpenSSL vulnerabilities:

The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

Security: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510
Security: FreeBSD-SA-14:18.openssl
Approved by: so


# 268510 10-Jul-2014 gjb

Anticipate when we will announce 9.3-RELEASE.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


# 267655 19-Jun-2014 gjb

Remove svn:mergeinfo carried over from stable/9.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

