Prior to this we substring matched and allowed a leading .
on a SAN DNSname constraint. This is not correct, as with
a DNSname constraint, it may exacly match or match zero or
more additional components on the front of the candidte to
match.
Spotted by Haruto Kimura <hkimura2026 at gmail.com>
ok tb@ kenjiro@
Document RETURN value for timegm(3)
APIs with in-band errors that conflate the error with a legitimate return
value are about the worst you can get. Near and dear to my heart is the API
aptly described as "gibbering eidritch horror" by beck: ASN1_INTEGER_get(3).
Adapt the wording of its RETURN VALUES to timegm() and mktime(), for which
Dec 31, 1969 at 23:59:59 will yield the error return -1 and thereby errata.
Missing docs pointed out by claudio a while back and yesterday by deraadt
ok deraadt millert
At the end of parsing the http response header do some sanity checks
to ensure that the response includes all needed data.
Right now only the presence of a Location header is checked if a HTTP
redirect was returned (e.g. a 301 status).
Different fix for a report from Daniel Anderson
from claudio@; OK tb@
rpki-client: fix incorrect error exit in x509_get_time()
A UTCTime represents a time between Jan 1, 1950 and Dec 31, 2049. This
includes Dec 31, 1969, 23:59:59 UTC, which translates to epoch -1 when
converted as a time_t. timegm()'s in-band error conflates this time with
its error return, so a hard error for this creates a DoS.
Instead, return an error for ASN.1 times that translate to negative time_t
and bubble up the error to reject the RPKI product as malformed. Real life
notBefore (or equivalent) are in the ongoing millenium, although strictly
[8 lines not shown]
At the end of parsing the http response header do some sanity checks
to ensure that the response includes all needed data.
Right now only the presence of a Location header is checked if a HTTP
redirect was returned (e.g. a 301 status).
Different fix for a report from Daniel Anderson
from claudio@; OK tb@
rpki-client: fix incorrect error exit in x509_get_time()
A UTCTime represents a time between Jan 1, 1950 and Dec 31, 2049. This
includes Dec 31, 1969, 23:59:59 UTC, which translates to epoch -1 when
converted as a time_t. timegm()'s in-band error conflates this time with
its error return, so a hard error for this creates a DoS.
Instead, return an error for ASN.1 times that translate to negative time_t
and bubble up the error to reject the RPKI product as malformed. Real life
notBefore (or equivalent) are in the ongoing millenium, although strictly
[8 lines not shown]
These programs spin if they receive a RA from the local network with
ND option with length 0. from Daniel Wade
from deraadt@; ok florian
this is errata/7.7/035_v6daemons.patch.sig
These programs spin if they receive a RA from the local network with
ND option with length 0. from Daniel Wade
from deraadt@; ok florian
this is errata/7.8/029_v6daemons.patch.sig
The fault handling code that deals with getting back from swap for an
anon does not expect failures because we are short on memory. These
are synchronous operations so we're expected to wait on memory to
become available. This got broken in rev 1.178 (Back out the
pagedaemon "oom" reserve and sleeping point). Bring back the code to
allocate bounce memory using uvm_pglistalloc(9) but only use it for
the !async case (which will never be use by the pagedaemon).
This fixes random segfaults when under memory pressure and init dying
with SIGILL because it can't copy out a signal frame to the stack when
it happens to trigger such a segfault.
With deraadt@, who wrote the code to consolidate the allocation of
bounce memory.
ok deraadt@
decrease the agressiveness of inactive growth from the previous commit.
A small increase is enough; if not enough free is created in one round,
it will be created the next time.
long discussions with kirill
Fix CCR ROAIPAddressFamily sort order
RFC 9582 section 4.3.3 defines the canonical form of ipAddrBlocks.
Thanks to Bart Bakker from RIPE NCC for reporting.
OK tb@
rpki-client: fix incorrect error exit in x509_get_time()
A UTCTime represents a time between Jan 1, 1950 and Dec 31, 2049. This
includes Dec 31, 1969, 23:59:59 UTC, which translates to epoch -1 when
converted as a time_t. timegm()'s in-band error conflates this time with
its error return, so a hard error for this creates a DoS.
Instead, return an error for ASN.1 times that translate to negative time_t
and bubble up the error to reject the RPKI product as malformed. Real life
notBefore (or equivalent) are in the ongoing millenium, although strictly
speaking this is not guaranteed since Validity windows need not nest.
Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University,
and Teatime Lab for reporting.
ok claudio job
rpki-client: ignore malformed revocationDate in CRLs
Do not treat x509_get_time() failure as a hard error in file mode.
Just skip the entry we can't format and emit a warning.
ok claudio
check the prefix (cidr) len for an allowedip is valid.
ie, don't allow prefixes greater than 32 or 128 bits for ipv4 and
ipv6 respectively.
found by Daniel Wade (danjwade95 at gmail dot com), who also suggested
the fix.
ok deraadt@ jmatthew@
These programs spin if they receive a RA from the local network with
ND option with length 0. from Daniel Wade
ok florian
this will be errata 7.7/036_v6daemons.patch and 7.8/030_v6daemons.patch
drm/amd/display: Fix DCE LVDS handling
From Alex Deucher
24ce568f7553a55404cddf8f0fca2a7c0ea9451c in linux-6.18.y/6.18.22
90d239cc53723c1a3f89ce08eac17bf3a9e9f2d4 in mainline linux
drm/amd/pm: disable OD_FAN_CURVE if temp or pwm range invalid for smu v13
From Yang Wang
ba9be472a438ea348f0fffaaebf541960ee643db in linux-6.18.y/6.18.22
3e6dd28a11083e83e11a284d99fcc9eb748c321c in mainline linux
drm/amdgpu/pm: drop SMU driver if version not matched messages
From Alex Deucher
2b8ae82d85d75347984297ed60d5005622992f6b in linux-6.18.y/6.18.22
a3ffaa5b397f4df9d6ac16b10583e9df8e6fa471 in mainline linux
drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
From Donet Tom
77c918eaa4c916751769242567407f61c6af142a in linux-6.18.y/6.18.22
4487571ef17a30d274600b3bd6965f497a881299 in mainline linux
drm/amdgpu: validate doorbell_offset in user queue creation
From Junrui Luo
3543005a42d7e8e12b21897ef6798541bf7cbcd3 in linux-6.18.y/6.18.22
a018d1819f158991b7308e4f74609c6c029b670c in mainline linux
