Regen cert.pem
ok sthen
New Roots for existing CA:
/CN=Atos TrustedRoot Root CA ECC TLS 2021/O=Atos/C=DE
/CN=Atos TrustedRoot Root CA RSA TLS 2021/O=Atos/C=DE
New CA:
BEIJING CERTIFICATE AUTHORITY
/C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA1
/C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA2
Two E-Tugra roots were removed due to a breach:
/C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3
/C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
Removed expired root:
[14 lines not shown]
Add NULL check before dereferencing inp_seclevel.
In some cases inp may be NULL, so check that before passing
inp->inp_seclevel to ipsp_spd_lookup() or ip_output().
Missed in previous commit.
Remove some trailing whitespace
x509_prn.c r1.6 changed the output of 'openssl -in foo.pem -noout -text'
by removing trailing whitespace from non-critical certificate extensions.
Committing the difference now to reduce noise in an upcoming diff.
There's some trailing whitespace remaining. That's because we try to print
a BMPString in a User Notice's Explicit Text with "%*s". That doesn't work
so well with an encoding full of NULs...
The uploader tail shortcut to skip dir postprocessing should also check
if ignore_dir_times is set. In that case preserve_times loses its meaning.
OK tb@
Add --no-O and --no-omit-dir-times options. For some reason the real
rsync has these options and so should ours. These strange --no-XYZ
options are undocumented and are there just for compatibility.
OK tb@ job@
Add arm64 bti pads for range extension thunks.
Large arm64 binaries like chromium use range extension thunks
for accessing plt entries. Add bti landing pads for the
additional indirection.
upstream commit: 60827df765156cee6cca3dc5049388dde9dac1c0
ok kettenis@
Remove inp parameter from ip_output().
ip_output() received inp as parameter. This is only used to look up
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.
OK mvs@
Fix read/write past buffer end
From upstream commit:
From 7047915eef37fccd93e7cd985c29fe6be54650b6 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw at cpan.org>
Date: Sat, 9 Sep 2023 11:59:09 -0600
Subject: [PATCH] Fix read/write past buffer end: perl-security#140
A package name may be specified in a \p{...} regular expression
construct. If unspecified, "utf8::" is assumed, which is the package
all official Unicode properties are in. By specifying a different
package, one can create a user-defined property with the same
unqualified name as a Unicode one. Such a property is defined by a sub
whose name begins with "Is" or "In", and if the sub wishes to refer to
an official Unicode property, it must explicitly specify the "utf8::".
S_parse_uniprop_string() is used to parse the interior of both \p{} and
the user-defined sub lines.
[27 lines not shown]
vmm(4)/vmx: pass correct vpid value to invvpid.
While vmm's use of invvpid in the vmx vcpu run loop is questionable
since we require and use EPT, the vpid value is unquestionably wrong
in these calls.
ok mlarkin@
Fix oslog support and be more forgiving when we see messages that we don't
recognize. Fixes booting with newer firmware (such as the firmware
currently installed by the Asahi installer).
ok tobhe@