this enables additional optimisations in GCC. from the README:
isl is a thread-safe C library for manipulating sets and relations
of integer points bounded by affine constraints. The descriptions of
the sets and relations may involve both parameters and existentially
quantified variables. All computations are performed in exact integer
arithmetic using GMP.
isl is released under the MIT license, but depends on the LGPL GMP
library.
Update the RaspberryPI firmware to the version from
https://github.com/raspberrypi/rpi-firmware
commit fdb9eafae4b83e553593937eae8e77b0193903c3
Author: Dom Cobley <popcornmix@gmail.com>
Date: Tue Oct 17 15:59:45 2023 +0100
kernel: Bump to 6.1.58
...
firmware: config: Add [pi5] to config.txt on 2711 and earlier platforms
of the database and update the read-write copy with the new firewall ids.
Before we did not update the state file so it contained the old firewall ids.
December 22, 2023: 3.8.4/3.7.9
==============================
Security: this release adds support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server.
For background, see https://www.postfix.org/smtp-smuggling.html.
Sites concerned about SMTP smuggling attacks should enable this
feature on Internet-facing Postfix servers. For compatibility with
non-standard clients, Postfix by default excludes clients in
mynetworks from this countermeasure.
The recommended settings are:
    # Optionally disconnect remote SMTP clients that send bare newlines,
    # but allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    #
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.
November 1, 2023: 3.8.3/3.7.8
=============================
Bugfix (defect introduced Postfix 2.5, date 20080104): the Postfix
SMTP server was waiting for a client command instead of replying
immediately, after a client certificate verification error in TLS
wrappermode. Reported by Andreas Kinzler.
Usability: the Postfix SMTP server (finally) attempts to log the
SASL username after authentication failure. In Postfix logging,
this appends ", sasl_username=xxx" after the reason for SASL
authentication failure. The logging replaces an unavailable reason
with "(reason unavailable)", and replaces an unavailable sasl_username
with "(unavailable)". Based on code by Jozsef Kadlecsik.
Compatibility bugfix (defect introduced: Postfix 2.11, date 20130405):
in forward_path, the expression ${recipient_delimiter} would expand
to an empty string when a recipient address had no recipient
delimiter. The compatibility fix is to use a configured recipient
delimiter value instead. Reported by Tod A. Sandman.
September 1, 2023: 3.8.2/3.7.7
==============================
Bugfix (defect introduced: Postfix alpha, 19980207): the valid_hostname()
check in the Postfix DNS client library was blocking unusual but
legitimate wildcard names (*.name) in some DNS lookup results and
lookup requests. Examples:
    name              class/type   result
    *.one.example     IN CNAME     *.other.example
    *.other.example   IN A         10.0.0.1
    *.other.example   IN TLSA      ..certificate info...
Such syntax is blessed in RFC 1034 section 4.3.3.
Bugfix (defect introduced: Postfix 3.0, 20140218): when an address
verification probe fails during or after an opportunistic TLS
handshake, don't enforce a minimum time-in-queue before falling
back to plaintext. Problem reported by Serg.
June 5, 2023: 3.8.1/3.7.6
=========================
Optional: harden a Postfix SMTP server against remote SMTP clients
that violate RFC 2920 (or 5321) command pipelining constraints.
With "smtpd_forbid_unauth_pipelining = yes", the server disconnects
a client immediately, after responding with "554 5.5.0 Error: SMTP
protocol synchronization" and after logging "improper command
pipelining" with the unexpected remote SMTP client input. This
feature is disabled by default in Postfix 3.5-3.8 to avoid breaking
home-grown utilities, but it is enabled by default in Postfix 3.9.
A similar feature is enabled by default in the Exim SMTP server.
Optional: some OS distributions crank up TLS security to 11, and
in doing so increase the number of plaintext email deliveries. This
introduces basic OpenSSL configuration file support that may be
used to override OS-level settings. Details are in the postconf(5)
manpage under tls_config_file and tls_config_name.
Bugfix (defect introduced: Postfix 1.0): the command "postconf ..
name=v1 .. name=v2 .." (multiple instances of the same parameter
name) created multiple main.cf name=value entries with the same
parameter name. It now logs a warning and skips the earlier name(s)
and value(s). Found during code maintenance.
Bugfix (defect introduced: Postfix 3.3): the command "postconf -M
name1/type1='name2 type2 ...'" died with a segmentation violation
when the request matched multiple master.cf entries. The master.cf
file was not damaged. Problem reported by SATOH Fumiyasu.
Bugfix (defect introduced: Postfix 2.11): the command "postconf -M
name1/type1='name2 type2 ...'" could add a service definition to
master.cf that conflicted with an already existing service definition.
It now replaces all existing service definitions that match the
service pattern 'name1/type1' or the service name and type in 'name2
type2 ...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu.
Bugfix (defect introduced: Postfix 3.8): the posttls-finger command
could access uninitialized memory when reconnecting. This also
fixes a malformed warning message when a destination contains
":service" information. Reported by Thomas Korbar.
Bugfix (defect introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" (for example, resulting in
a 5XX SMTP status instead of 4XX) during the time that all MySQL
server connections were turned down after error. Found during code
maintenance. File: global/dict_mysql.c. This was already fixed in
Postfix 3.4-3.7.
April 18, 2023: 3.7.5
=====================
Bugfix (problem introduced in Postfix 3.5): check_ccert_access did
not handle inline map specifications. Report and fix by Sean
Gallagher.
Bugfix (problem introduced in Postfix 3.4): the posttls-finger
command failed to detect that a connection was resumed in the case
that a server did not return a certificate. Fix by Viktor Dukhovni.
Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return lazily-bound
handles. Postfix now checks that the expected functionality will
be available instead of failing later. Fix by Viktor Dukhovni.
Safety: the long form "{ name = value }" in import_environment or
export_environment is not documented (with spaces around the '='),
but it was silently accepted, and it was stored in the process
environment as the invalid form "name = value", thus not setting
or overriding an entry for "name". This form is now stored as the
expected "name=value". Found during code maintenance.
Bugfix (problem introduced in Postfix 3.2): the MySQL client could
return "not found" instead of "error" (for example, resulting in
a 5XX SMTP status instead of 4XX) during the time that all MySQL
server connections were turned down after error. Found during code
maintenance.
April 17, 2023: 3.8.0
=====================
Support to look up DNS SRV records in the Postfix SMTP/LMTP client,
based on code by Tomas Korbar (Red Hat). For example, with
"use_srv_lookup = submission" and "relayhost = example.com:submission",
the Postfix SMTP client will look up DNS SRV records for
_submission._tcp.example.com, and will relay email through the
hosts and ports that are specified with those records.
TLS obsolescence: Postfix now treats the "export" and "low" cipher
grade settings as "medium". The "export" and "low" grades are no
longer supported in OpenSSL 1.1.1, the minimum version required in
Postfix 3.6.0 and later. Also, Postfix default settings now exclude
deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5),
digest (MD5), key exchange algorithms (DH, ECDH), and public key
algorithm (DSS).
Attack resistance: the Postfix SMTP server can now aggregate
smtpd_client_*_rate and smtpd_client_*_count statistics by network
block instead of by IP address, to raise the bar against a memory
exhaustion attack in the anvil(8) server; Postfix TLS support
unconditionally disables TLS renegotiation in the middle of an SMTP
connection, to avoid a CPU exhaustion attack.
The PostgreSQL client encoding is now configurable with the "encoding"
Postfix configuration file attribute. The default is "UTF8".
Previously the encoding was hard-coded as "LATIN1", which is not
useful in the context of SMTP.
The postconf command now warns for #comment in or after a Postfix
parameter value. Postfix programs do not support #comment after
other text, and treat that as input.
January 12, 2023: 3.7.4
=======================
Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore
not affected by TLS truncation attacks. Fix by Viktor Dukhovni.
Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound
handles for digest implementations. In sufficiently hostile
configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.
Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.
Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions.
Viktor Dukhovni.
Portability: Linux 6 support.
Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.
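The bare-newline countermeasure in the 3.8.4/3.7.9 entry above depends on recognising a line that ends in LF without a preceding CR, including when the CR and LF arrive in different reads. An added C sketch of that check follows; it is not Postfix code, and the names lf_scan and lf_scan_feed and the sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Scanner state carried across reads from one SMTP connection. */
struct lf_scan {
    int prev_cr;        /* was the last byte seen a CR? */
    size_t consumed;    /* bytes seen in earlier chunks */
};

/*
 * Feed one chunk of client input. Returns the stream offset of the first
 * LF in this chunk that is not preceded by CR, or -1 if there is none.
 * The whole chunk is always scanned so that prev_cr stays correct.
 */
long lf_scan_feed(struct lf_scan *s, const char *buf, size_t len)
{
    long hit = -1;
    size_t i;

    for (i = 0; i < len; i++) {
        if (buf[i] == '\n' && !s->prev_cr && hit < 0)
            hit = (long)(s->consumed + i);
        s->prev_cr = (buf[i] == '\r');
    }
    s->consumed += len;
    return hit;
}

int main(void)
{
    /* Constructed input: a CRLF split across two reads, then a bare LF. */
    struct lf_scan s = { 0, 0 };

    printf("%ld\n", lf_scan_feed(&s, "abc\r", 4));
    printf("%ld\n", lf_scan_feed(&s, "\ndef\r\n", 6));
    printf("%ld\n", lf_scan_feed(&s, "ghi\n", 4));
    return 0;
}
```

A server applying the policy would act on the first non-negative return value, after checking the client address against its exclusion list.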
Summary of changes in tzdata2023d (2023-12-21 20:02:24 -0800):
* Ittoqqortoormiit, Greenland (America/Scoresbysund) joins most of
the rest of Greenland's timekeeping practice on 2024-03-31, by
changing its time zone from -01/+00 to -02/-01.
* Fix predictions for DST transitions in Palestine in 2072-2075,
correcting a typo introduced in 2023a.
* Various fixes to zones for several Antarctic bases.
According to https://www.rfc-editor.org/rfc/rfc7143#section-11.15,
these are both 2-byte quantities. Loading 4-byte quantities and
passing them through ISCSI_NTOHS might have worked by accident on
x86, but it's not gonna fly on big-endian. (Fortunately sparc64 is
not just big-endian but also strict-alignment so it caught this
problem!)
XXX Is there an upstream for this code? doc/3RDPARTY doesn't cite
any easily-followed references.
PR port-sparc64/57784
XXX pullup-10
XXX pullup-9
XXX pullup-8
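The failure described in the iSCSI change above can be reproduced without big-endian hardware by modelling both host byte orders. This is an added C example, not the NetBSD code; the function names and the sample bytes are constructed, and wide_load_then_ntohs is only a model of a 4-byte load followed by a 16-bit network-to-host conversion.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: two adjacent 2-byte big-endian fields, 2 and 20. */
static const uint8_t sample_fields[4] = { 0x00, 0x02, 0x00, 0x14 };

/* Portable read of a 2-byte big-endian field; no alignment requirement. */
uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Model of the bug: load 4 bytes as the host would, keep the low 16 bits,
 * then apply the host's 16-bit network-to-host conversion.
 * host_be selects the simulated host byte order.
 */
uint16_t wide_load_then_ntohs(const uint8_t *p, int host_be)
{
    uint32_t v;
    uint16_t low;

    if (host_be)    /* big-endian host: first byte is most significant */
        v = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
            (uint32_t)p[2] << 8 | p[3];
    else            /* little-endian host: first byte is least significant */
        v = (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 |
            (uint32_t)p[1] << 8 | p[0];

    low = (uint16_t)v;                       /* truncation to 16 bits */
    if (host_be)
        return low;                          /* conversion is the identity */
    return (uint16_t)(low << 8 | low >> 8);  /* conversion swaps the bytes */
}

int main(void)
{
    printf("2-byte read:            %u\n", get_be16(sample_fields));
    printf("4-byte load, LE host:   %u\n", wide_load_then_ntohs(sample_fields, 0));
    printf("4-byte load, BE host:   %u\n", wide_load_then_ntohs(sample_fields, 1));
    return 0;
}
```

On the simulated little-endian host the wide load happens to return the first field, while on the big-endian host it returns the neighbouring field instead.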
Where an output register might be reloaded, and it is a memory
reference, and the address is auto-incremented, any previously
reloaded copy of the address must be invalidated.
XXXKD: Hidden within ``#ifdef NB_FIX_VAX_BACKEND'' and enabled
only for vax at the moment.
* privsep: Stop proxying stderr to console and fix some detachment issues
* non-privsep: Fix launcher hangup
* DHCP6: Allow the invalid interface name - to mean don't assign an address from a delegated prefix
* DHCP6: Load the configuration for the interface being activated from prefix delegation
commit 2e92a49f90f73c8edc44b25c6e669d5e70893c90
Author: Gourav Samaiya <gsamaiya@nvidia.com>
Date: Mon Apr 3 16:13:19 2023 +0530
nvidia: update Tu10x and Tu11x signed firmware to support newer Turing HW
Signed-off-by: Gourav Samaiya <gsamaiya@nvidia.com>
Tested-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Josh Boyer <jwboyer@kernel.org>
Difference from previous import:
Import nvidia firmware from linux-firmware repository at commit:
commit 2e92a49f90f73c8edc44b25c6e669d5e70893c90
Author: Gourav Samaiya <gsamaiya@nvidia.com>
Date: Mon Apr 3 16:13:19 2023 +0530
nvidia: update Tu10x and Tu11x signed firmware to support newer Turing HW
commit 2c2be4215fe29870dcd9a059ff8778e73269ddc1
Author: Gourav Samaiya <gsamaiya@nvidia.com>
Date: Wed Apr 6 14:44:32 2022 +0530
nvidia: add GA102/GA103/GA104/GA106/GA107 signed firmware
These NVIDIA-signed firmwares are required to enable the graphics engine
on Ampere GA10{2/3/4/6/7} GPUs.
Note that our drm2 driver won't use the GA10{2/3/4/6/7} firmware yet.
The updated Tu10x and Tu11x signed firmware are needed for at least the
nvidia T400 graphic card.
Add support in dtrace for SMAP, so that actions like copyinstr() work.
It would be better if dtrace could use the SMAP_* hotpatch macros directly,
but the hotpatching code does not currently operate on kernel modules,
so we'll use some tiny functions in the base kernel for now.
inspired by the macos top(1).
the first value displayed is the total in/out bytes since boot,
but each update is the amount since the prior update. the new
fetching code heavily based upon netstat/if.c.
old version:
Swap: 128G Total, 128G Free / Pools: 13G Used
new version:
Swap: 128G Total, 128G Free / Pools: 13G Used, / Network: 26M In, 804K Out
update the list of people who have contributed to m_netbsd.c.
privsep: Notify processes that dhcpcd has daemonised so they dup
stdout and stderr to /dev/null.
This avoids scripts failing with SIGPIPE if they try and write
to these streams.
This means the certificate is trusted for the listed purpose, not as
a CA to issue certificates for the listed purpose.
Clarify warning message in this case.
No change to imported certificates so no need to regen or pull up --
this designator does not actually appear in certdata.txt, only in
Mozilla nss source code.
Summary of changes:
(1) HAVE_AS_CFI_SECTIONS becomes defined.
(2) mempcpy.o is dropped as mempcpy(3) was added to -current
(but not to netbsd-10).
(3) working directories in usr.bin/gcc/arch/vax/configargs.h.
(1) will be pulled up into netbsd-10. I've confirmed that
pkgsrc/lang/perl5 builds and works as before with this change.
For now, (3) is reverted by hand. It would be better to improve mknative
not to leak working directories. But it should be NFC anyway.
For vax, mknative for binutils and gdb does not bring about significant
changes.
For other platforms, mknative for gcc.old makes no significant changes
(actually confirmed only for evbarm64, but it should be enough).
Thanks mrg@ for suggestion.