--- 9.9.1-P2 released ---
3346. [security] Bad-cache data could be used before it was
initialized, causing an assert. [RT #30025]
3345. [bug] Addressed race condition when removing the last item
or inserting the first item in an ISC_QUEUE.
[RT #29539]
3342. [bug] Change #3314 broke saving of stub zones to disk
resulting in excessive cpu usage in some cases.
[RT #29952]
Improve IPv6 RA support by allowing dhcpcd to manage addresses and
routes instead of the kernel. dhcpcd will only do this if RA has been
disabled in the kernel or instructed to do so via the dhcpcd.conf(5)
ipv6ra_own and/or ipv6ra_owndefault directives.
Send and process IPv6 Neighbor Solicitations and Adverts to prove router
reachability. If a router cannot be reached in this way then it is
expired.
Experimental version released on July 10th, 2012.
* Added a --enable-tools flag to configure to request the build of the
deprecated ATF tools, whose build is now disabled by default. In order
to continue running tests, you should migrate to Kyua instead of enabling
the build of the deprecated tools. The kyua-atf-compat package provides
transitional compatibility versions of atf-run and atf-report built on
top of Kyua.
* Tweaked the ATF_TEST_CASE macro of atf-c++ so that the compiler can
detect defined but unused test cases.
* PR bin/45859: Fixed some XSLT bugs that resulted in the tc-time and
tp-time XML tags leaking into the generated HTML file. Also improved
the CSS file slightly to correct alignment and color issues with the
timestamps column.
* Optimized atf-c++/macros.hpp so that GNU G++ consumes less memory during
compilation.
* Flipped the default to building shared libraries for atf-c and atf-c++,
and started versioning them. As a side-effect, this removes the
--enable-unstable-shared flag from configure that appears to not work any
more (under NetBSD). Additionally, some distributions require the use of
shared libraries for proper dependency tracking (e.g. Fedora), so it is
better if we do the right versioning upstream.
* Project hosting moved from an adhoc solution (custom web site and
Monotone repository) to Google Code (standard wiki and Git). ATF now
lives in a subcomponent of the Kyua project.
rename "xcpu" back to "cpu" now that the conflicting global variable
has been renamed out of the way. this also fixes some cases
where references to the local variable "cpu" had not been renamed
and thus were accidentally referring to the former global "cpu".
adapt the urtwn(4) driver to use the new files. The firmware files were
extracted from the Linux driver at www.realtek.com, version 0005.1230.2011
and the license permits redistribution without modification.
While I'm here, install the files in /libdata/firmware/if_urtwn, like
most of the other network adapter firmware.
urtwn(4) can now operate without needing external files installed. Tested
on my Edimax adapter.
used to do it for the xdm greeter, looks extremely ugly.
Unfortunately xdm has no means to load and mix alpha channel images,
so provide a png file and precomputed xpms with proper background colour
for the greeter.
If users change their greeter resources and change the background, they will
have to regenerate that xpm file, provide proper instructions for this.
While there, use less clunky fonts (hi Jared!).
XXX the fonts are not exactly perfect, if anyone feels like fine tuning
this further, please be my guest.
- The "change header" milter request could replace the wrong header. A long
header name could match a shorter one, because a length check was done on
the wrong string. Reported by Vladimir Vassiliev.
- Core dump when postlog emitted the "usage" message, caused by an extraneous
null assignment. Reported by Kant (fnord.hammer).
- These releases add support to turn off the TLSv1.1 and TLSv1.2 protocols.
Introduced with OpenSSL version 1.0.1, these protocols are known to cause
inter-operability problems, for example with some hotmail services.
The radical workaround is to temporarily turn off problematic protocols
globally:
    /etc/postfix/main.cf:
        smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
        smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic protocols for
broken sites only:
    /etc/postfix/main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    /etc/postfix/tls_policy:
        example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
Notes:
Note the use of ":" instead of comma or space. Also, note that there is NO
space around the "=" in "protocols=".
The smtp_tls_policy_maps lookup key must match the "next-hop" destination
that is given to the Postfix SMTP client. If you override the next-hop
destination with transport_maps, relayhost, sender_dependent_relayhost_maps,
or otherwise, you need to specify the same destination for the
smtp_tls_policy_maps lookup key.
- OpenSSL related (all supported Postfix versions).
Some people have reported program crashes when the OpenSSL library was
updated while Postfix was accessing the Postfix TLS session cache. To avoid
this, the Postfix TLS session cache ID now includes the OpenSSL library
version number. This cache ID is not shared via the network.
- The OpenSSL workaround introduced with the previous stable and legacy
releases did not compile with older gcc compilers. These compilers can't
handle #ifdef inside a macro invocation (NOT: definition).
- To avoid repeated warnings from postscreen(8) with "connect to
private/dnsblog service: Connection refused" on FreeBSD, the dnsblog(8)
daemon now uses the single_server program driver instead of the multi_server
driver. This one-line code change has no performance impact for other
systems, and eliminates a high-frequency accept() race on a shared socket
that appears to cause trouble on FreeBSD. The same single_server program
driver has proven itself for many years in smtpd(8). Problem reported by
Sahil Tandon.
- Laptop-friendly support (all supported Postfix versions). A little-known
secret is that Postfix has always had support to avoid unnecessary disk
spin-up for MTIME updates, by doing s/fifo/unix/ in master.cf (this is
currently not supported on Solaris systems). However, two minor fixes are
needed to make this bullet-proof.
- In laptop-friendly mode, the "postqueue -f" and "sendmail -q" commands did
not wait until their requests had reached the pickup and qmgr servers before
closing their UNIX-domain request sockets.
- In laptop-friendly mode, the unused postkick command waited for more than
a minute because the event_drain() function was comparing bitmasks
incorrectly on systems with kqueue(2), epoll(2) or /dev/poll support.
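A small checker for the two tls_policy syntax notes and the next-hop key rule given in the TLSv1.1/TLSv1.2 item above, as an added example that is not part of the Postfix release notes. The sample map, host names and function names are constructed for illustration, and key matching is an exact string comparison only.

```python
import re

# Constructed sample tls_policy map (not from a real system).
SAMPLE_POLICY = """\
# per-site TLS protocol overrides
example.com          may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
comma.example        may protocols=!SSLv2,!TLSv1.1,!TLSv1.2
spaced.example       may protocols = !SSLv2:!TLSv1.1
list.example         may protocols=!SSLv2 !TLSv1.1
[relay.example]:587  encrypt
"""

# A protocol name, optionally excluded with "!".
PROTO = re.compile(r"!?(SSLv2|SSLv3|TLSv1(\.[12])?)")

def entries(text):
    """Yield (lineno, key, attributes) per entry; blank and '#' lines are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield lineno, parts[0], parts[1].strip() if len(parts) > 1 else ""

def lint_protocols(text):
    """Return (lineno, key, problem) for each malformed protocols= attribute."""
    findings = []
    for lineno, key, attrs in entries(text):
        # Note 2: no space is allowed around "=" in "protocols=".
        if re.search(r"\bprotocols\s+=|\bprotocols=(\s|$)", attrs):
            findings.append((lineno, key, "space around '='"))
            continue
        m = re.search(r"\bprotocols=(\S+)(.*)", attrs)
        if not m:
            continue
        # Note 1: the list is ":"-separated, not comma- or space-separated.
        if "," in m.group(1):
            findings.append((lineno, key, "comma in protocol list"))
        elif any(PROTO.fullmatch(t) for t in m.group(2).split()):
            findings.append((lineno, key, "space in protocol list"))
    return findings

def missing_keys(text, next_hops):
    """Return next-hop destinations that have no identically spelled lookup key."""
    keys = {key for _, key, _ in entries(text)}
    return [hop for hop in next_hops if hop not in keys]

if __name__ == "__main__":
    for finding in lint_protocols(SAMPLE_POLICY):
        print(finding)
    print(missing_keys(SAMPLE_POLICY, ["[relay.example]:587", "relay.example"]))
```

Pass `missing_keys` the destinations exactly as they appear in transport_maps, relayhost or sender_dependent_relayhost_maps, brackets and port included.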
caches, merge together pool_drain_start() and pool_drain_end() into
bool pool_drain(struct pool **ppp);
"bool" value indicates whether reclaiming was fully done (true) or not (false)
"ppp" will contain a pointer to the pool that was drained (optional).
See http://mail-index.netbsd.org/tech-kern/2012/06/04/msg013287.html