⚠ This page contains old, outdated, obsolete, … historic or WIP content! No warranties e.g. for correctness!
Source updates
By upgrading to the MIRBSD_10 branch on CVS in the src module, you gain the following fixes:
- Pull up mksh R36b.
- Fix content of htmd10.ngz dist set.
- Update /etc/ssh/ssh_known_hosts
- Remove BSDstats script, as the site is constantly broken, see wlog for details.
- Pull up mksh R35.
- Under some circumstances, arc4random(9) was not properly initialised until the next write to arandom(4), RNDSTIRARC4 ioctl(2), or (in -current) slow pool full event. This usually was not an issue since /etc/rc and the installer re-set arandom(4) at boot.
- A positive leap second will be introduced at the end of December 2008.
- Add support for __restrict__ and __packed on PCC
- Add support for the xsrv10.ngz dist set in the installer
- Data passed to the KERN_ARND sysctl(3) (sysctl(8) kern.arandom) was improperly read, leading to out-of-bounds kernel memory access
- The installer now uses rdate(8)+ntpd(8) instead of the deprecated -s flag to ntpd(8), disables core dumps, and defaults the aperture driver – xf86(4) – to enabled if an X server is installed
- ntpd(8) -s (and -S) options are now deprecated
- Use CPUID for FPU detection (from OpenBSD), to enable GeodeLX CPUs to work
- Pull up mksh-R34(beta), new /etc/skel/.mkshrc, fixed profile
- Update /etc/ssh/ssh_known_hosts
- Merge sendmail 8.14.3 plugging a use-after-free bug
- Merge OpenSSH 5.0 and some OpenSSL security fixes from OpenBSD
- Work around one of the CVE-2008-1391 cases in strtod(3), add some more overflow checking in the printf(3) function suite
- Add support for the fixes10.ngz dist set in the installer
- Plug a memory leak in normally unused -P option in rm(1)
- Fix SIGSEGV in sendmail(8) occurring on certain occasions (included in first binary update)
- Sync bxinst.i386 (stand-alone bootxx/PBR) with actual version built, cosmetics (included in first binary update)
- Fix <bsd.lkm.mk> CPPFLAGS include path, allow building LKMs again (included in first binary update)
- Two flaws in httpd(8) modules not enabled by default:
  - mod_status XSS CVE-2007-6388: cross-site scripting attack
  - mod_imap XSS CVE-2007-5000: cross-site scripting attack
- Buffer overflow in ppp(8) command prompt parsing (already included in #10semel)
Binary updates
Download the first i386 binary update or the first sparc binary update. Either select the site10.ngz distribution set during install, or use cd /; sudo tar xzphvvf /path/to/site10.ngz to bring in the fixed files.
The security update is gzsig(1)d, use the following command to verify the integrity of the cryptographic signature:
    $ grep '^key 2:' /usr/share/doc/README | \
        sed 's/^key 2:.//' | gzsig verify /dev/stdin site10.ngz
    $ rmd160 site10.ngz
The first command verifies the cryptographic signature, i.e. whether the update is really from us. The second command outputs a cryptographic hash to compare with the correct one from the list below, to determine whether you got the correct file.
- RMD160 (i386/site10.ngz) = addc766151cf0c35301920822b0a107a20039b8e
- RMD160 (sparc/site10.ngz) = 13f724f851339c3d8b2cac89345dc63a4b64fb16
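The hash comparison step above, written out as a small script: it parses a published RMD160 list in the one-line format shown on this page and checks a downloaded set against it. This is an added example, not a MirBSD tool; it assumes the local Python build exposes RIPEMD-160 through hashlib, and the sample list and file contents it uses are constructed, not the real digests (it does not replace the gzsig(1) signature check, which proves origin rather than just integrity).

```python
"""Check a downloaded update set against a published RMD160 list."""
import hashlib
import hmac
import re

# One published line per set, optionally prefixed by a list bullet:
#     - RMD160 (i386/site10.ngz) = <40 hex digits>
LINE_RE = re.compile(r"^(?:-\s*)?RMD160 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{40})$")


def parse_rmd160_list(text: str) -> dict:
    """Return {set name: published digest}; lines in any other shape are ignored."""
    published = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            published[m.group("name")] = m.group("digest")
    return published


def rmd160_hex(data: bytes) -> str:
    """Hex RIPEMD-160 digest, the same algorithm rmd160(1) prints."""
    h = hashlib.new("ripemd160")  # raises ValueError if OpenSSL lacks RIPEMD-160
    h.update(data)
    return h.hexdigest()


def verify_set(name: str, data: bytes, published: dict) -> bool:
    """True only if the set is listed and its computed digest equals the published one."""
    expected = published.get(name)
    if expected is None:
        return False  # an unlisted set cannot be verified, so treat it as failed
    return hmac.compare_digest(rmd160_hex(data), expected)


# Constructed sample: the listed digest is RMD160("abc"), so a file whose
# contents are exactly b"abc" passes and anything else fails.
SAMPLE_LIST = """
- RMD160 (i386/site10.ngz) = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
- RMD160 (sparc/site10.ngz) = 9c1185a5c5e9fc54612808977ee8f548b2258d31
"""

if __name__ == "__main__":
    listed = parse_rmd160_list(SAMPLE_LIST)
    print("i386 ok:", verify_set("i386/site10.ngz", b"abc", listed))
    print("tampered ok:", verify_set("i386/site10.ngz", b"abd", listed))
```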
Alternatively, you can use the updated locations for the i386 or sparc architectures during netinstall and ensure that you have the site10.ngz set selected.
In the future, the update set will be named fixes10.ngz, but to be able to select it, you must use the modified installer from the updates directory (or rename it to or merge it into your own site10.ngz set).