# $NetBSD: CHANGES-3.1.1,v 1.1.2.52 2007/06/28 18:40:58 ghen Exp $

A complete list of changes from the NetBSD 3.1 release to the NetBSD 3.1.1
release:

File					Revision(s)
----					-----------

gnu/usr.bin/groff/tmac/mdoc.local		patch
sys/sys/param.h					patch

	Welcome to 3.1.0_PATCH

sys/arch/sparc64/sparc64/locore.s		1.217-1.218 via patch

	Fix a couple of %y register save/restore errors.
	[nakayama, ticket #1517]

sys/netinet/tcp_sack.c				1.20

	Fix alignment problems causing regular panics in tcp_sack_option
	on NetBSD/alpha and NetBSD/sparc. This fixes PR#34751.
	Fix provided by Izumi Tsutsui and ok'd by Martin.
	[reinoud, ticket #1561]

sys/miscfs/specfs/spec_vnops.c			1.91 via patch

	Protect spec_poll from racing against revocation and thus
	dereferencing a NULL v_specinfo (race condition between polling
	and revoking a character device).
	[jld, ticket #1557]

sys/arch/arm/iomd/iomdkbc.c			1.3

	Interpret the argument to iomdkbc_set_poll() correctly. Quite how
	we got this far with it the wrong way around is beyond me.
	[bjh21, ticket #1562]

sbin/dump/dump.h				1.44 via patch
sbin/dump/main.c				1.63 via patch
sbin/dump/snapshot.c				1.3 via patch
sbin/dump/snapshot.h				1.3 via patch
sbin/dump/tape.c				1.47 via patch

	When using a snapshot take the snapshot raw device on further open.
	Fixes PR #34923: dump(8) only dumps a corefile with -X (snapshots).
	[hannken, ticket #1573]

sys/kern/sys_process.c				1.112

	Check for negative length in PT_COREDUMP (from Neil).
	[christos, ticket #1574]

sys/arch/xen/xen/if_xennet_xenbus.c		1.14

	Prevent xennet (Xen 3) from occasionally becoming unable to receive
	packets for several minutes when under certain types of load.
	[jld, ticket #1581]

usr.sbin/postinstall/postinstall		1.30

	/etc/postfix/post-install needs to be 555 not 444.
	[lukem, ticket #1585]

sys/dev/pci/bktr/bktr_core.c			patch

	Fix bug introduced by missing braces around an if() block in
	ticket #1511.
	[aymeric, ticket #1587]

sys/net/if_pppoe.c				1.61

	Fix bogus uninitialized variable warning ifdef PPPOE_SERVER.
	Noticed by Marcin Jessa on current-users.
	[martin, ticket #1588]

sys/dev/ata/wd.c				1.334

	Yet another broken seagate drive: ST3160811A.
	[bouyer, ticket #1583]

games/banner/banner.c				1.16 via patch

	Check that -w width is not above maximum. (It already checks for
	zero or negative.) Using width above DWIDTH may cause overflow as
	noted by Gruzicki Wlodek on bugtraq. While here replace one use
	of 132 with DWIDTH.
	[reed, ticket #1591]

sys/netiso/esis.c				1.42

	Check parameters to avoid potential panic root user.
	Patch checked by chopps@.
	[is, ticket #1593]

lib/libc/gen/glob.c				1.13 via patch

	Don't overflow when DEBUG is defined. PR/30833, from Tomas Skare.
	[joerg, ticket #1596]

sys/ufs/ffs/ffs_snapshot.c			1.38

	Prevent kernel panics when creating snapshots on filesystems which
	use quotas. This fixes PR kern/35121.
	[hannken, ticket #1598]

sys/arch/xen/x86/consinit.c			1.7

	PR port-xen/35217: Fix compile failure if CONS_OVERRIDE is defined.
	[bouyer, ticket #1600]

sys/dev/vnd.c					1.153

	Don't accept a compressed vnd(4) image with block size 0 to avoid
	a kernel panic.
	[cube, ticket #1530]

dist/dhcp/server/dhcp.c				1.10

	Fix get-lease-hostnames option in dhcpd.conf(5) to make dhcpd(8)
	use the DNS hostname as the DHCP hostname given to the client.
	[drochner, ticket #1619]

sys/net/if_ethersubr.c				1.142

	Don't define dropanyway: label unless ISO or NETATALK is defined.
	Fixes a build failure for certain kernel configurations.
	[bouyer, ticket #1623]

sys/arch/xen/xen/xbd_xenbus.c			1.16

	Don't try to handle xbd interrupts if the device is not yet
	connected. Fixes a Xen3 xbd panic at boot when more than one xbd
	device is configured.
	[bouyer, ticket #1624]

sys/arch/xen/xen/xencons.c			1.20

	Fix Xen console hangs.
	[bouyer, ticket #1625]

sys/dist/ipf/netinet/ip_state.c			1.16 via patch

	TCP window scaling was being recognised but the recorded settings
	were being clobbered and thus effectively disabled.
	[darrenr, ticket #1610]

sys/arch/mac68k/mac68k/locore.s			1.146

	Avoid kernel panic before reboot. This fixes PR port-mac68k/35068.
	[chs, ticket #1626]

xsrc/xfree/xc/programs/Xserver/dbe/dbe.c	1.2
xsrc/xfree/xc/programs/Xserver/render/render.c	1.3

	Fix integer overflow in DBE and Render extensions (CVE-2006-6101,
	CVE-2006-6102 and CVE-2006-6103), from xfree86 CVS.
	[drochner, ticket #1631]

usr.sbin/etcupdate/etcupdate			1.29 - 1.30
usr.sbin/etcupdate/etcupdate.8			1.12

	Use "stty size" to acquire screen width reliably. The fields of
	the first line of "stty -a" are not fixed. Fix PR bin/32343.
	Clean ${SRCDIR}/etc when done. Patch provided by rudolf.
	http://mail-index.netbsd.org/tech-toolchain/2007/01/11/0001.html
	Xref postinstall(8)
	[martti, ticket #1630]

sys/arch/xen/xen/xbd_xenbus.c			1.17

	Fix occasional panics in NetBSD domUs caused by a race condition.
	[bouyer, ticket #1632]

sys/arch/xen/include/cpufunc.h			1.13
sys/arch/xen/include/xen3-public/io/ring.h	1.6

	Avoid block I/O stalls in Xen 3 guests on SMP systems.
	[bouyer, ticket #1652]

sys/netinet/ip_output.c				1.173

	Avoid problems if PF's fragment reassemble feature is used.
	[yamt, ticket #1656]

dist/bzip2/bzlib.c				1.3

	Avoid dereference of NULL pointer.
	[adrianp, ticket #1658]

usr.sbin/etcupdate/etcupdate			1.31

	Run pwd_mkdb(8) before running mtree(8) to get updated user and
	group information. This fixes PR bin/35570.
	[martti, ticket #1666]

sys/kern/vfs_syscalls.c				1.293 via patch

	Fix issue noted by Ilja van Sprundel and disclosed at 23C3.
	Make sure we always FILE_UNUSE the file. To make it easier, exit
	via a new "out:" exit path that does so, setting error beforehand.
	Fix suggested by Elad, hand-typed by me.
	[wrstuden, ticket #1616]

dist/bind/lib/dns/resolver.c			patch
dist/bind/lib/dns/validator.c			patch
dist/bind/lib/dns/include/dns/validator.h	patch
dist/bind/version				patch

	Fix CVE-2007-0493 and CVE-2007-0494.
	[adrianp, ticket #1675]

sys/dev/audio.c					1.221

	Return information about playing buffer, not recording buffer,
	for AUDIO_WSEEK. Fix PR#35171.
	[kent, ticket #1678]

sys/netiso/clnp_subr.c				1.27 via patch

	The clnp(4) functions now check the length of arguments passed and
	will return an appropriate error if the value passed is too large.
	This prevents a local denial of service and privilege escalation
	attack. Issue found by Christer Oberg and patch from christos.
	(NetBSD-SA2007-004)
	[adrianp, ticket #1733]

distrib/sets/lists/base/mi			patch
doc/3RDPARTY					patch
share/zoneinfo/africa				patch
share/zoneinfo/antarctica			patch
share/zoneinfo/asia				patch
share/zoneinfo/australasia			patch
share/zoneinfo/backward				patch
share/zoneinfo/etcetera				patch
share/zoneinfo/europe				patch
share/zoneinfo/factory				patch
share/zoneinfo/iso3166.tab			patch
share/zoneinfo/leapseconds			patch
share/zoneinfo/northamerica			patch
share/zoneinfo/pacificnew			patch
share/zoneinfo/solar87				patch
share/zoneinfo/solar88				patch
share/zoneinfo/solar89				patch
share/zoneinfo/southamerica			patch
share/zoneinfo/systemv				patch
share/zoneinfo/yearistype.sh			patch
share/zoneinfo/zone.tab				patch
etc/mtree/NetBSD.dist				1.295

	Update to tzdata2007a.
	[abp, ticket #1682]

dist/file/src/file.h				patch
dist/file/src/funcs.c				patch
dist/file/src/magic.c				patch

	Fix an integer underflow in file(1) which can lead to an
	exploitable heap overflow.
	[adrianp, ticket #1743]

xsrc/xfree/xc/lib/X11/ImUtil.c			1.2
xsrc/xfree/xc/lib/font/bitmap/bdfread.c		1.2
xsrc/xfree/xc/lib/font/fontfile/fontdir.c	1.2
xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c	1.2

	Fix a possible memory corruption due to integer overflow in
	ProcXCMiscGetXIDList() (CVE-2007-1003).
	Fix a possible memory corruption due to integer overflow, caused
	by lack of validation of bdf font files (CVE-2007-1351).
	Fix a possible memory corruption due to integer overflow, caused
	by lack of validation of fonts.dir files (CVE-2007-1352).
	Fix a possible memory corruption due to incomplete input
	validation in XInitImage() (CVE-2007-1667).
	[drochner, ticket #1752]

xfree/xc/extras/freetype2/src/bdf/bdflib.c	1.3

	Pull in a patch from freetype CVS (fix CVE-2007-1351):
	* src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128
	  gracefully.
	  (_bdf_set_default_spacing): Increase `name' buffer size to 256
	  and issue an error for longer names.
	  (_bdf_parse_glyphs): Limit allowed number of glyphs in font to
	  the number of code points in Unicode.
	[drochner, ticket #1754]

crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	via patch

	Fix a denial of service vulnerability (CVE-2007-1841) which could
	allow an attacker to disrupt a connection between IPSec peers.
	[adrianp, ticket #1763]

etc/rc.d/route6d				1.7
etc/rc.d/routed					1.10

	The "routed" and "route6d" scripts must be run early during system
	startup because they are part of the network initialization. Use
	similar dependencies as the "rtsold" script.
	[tron, ticket #1767]

sbin/sysctl/sysctl.8				patch
sys/netinet6/ip6_input.c			1.102 via patch
sys/netinet6/ip6_var.h				1.41-1.42 via patch
sys/netinet6/route6.c				1.18 via patch

	Disable processing of routing header type 0 packets since they can
	be used for DoS attacks. Provide a sysctl to re-enable them
	(net.inet6.ip6.rht0). Information from:
	http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
	[christos, ticket #1766]

usr.bin/passwd/pam_passwd.c			1.4

	Display a message indicating whose password is being changed.
	[jnemeth, ticket #1776]

etc/security					1.101

	PR/36058 -- fix check for group/other writable home directories
	from Jukka Salmi
	[jnemeth, ticket #1777]

sys/arch/amd64/conf/GENERIC			1.141
sys/arch/amd64/conf/INSTALL			1.68
sys/arch/hpcarm/conf/IPAQ			1.50
sys/arch/i386/conf/SWINGER			1.90

	PR/36234 - Joerg Niendorf -- xi -> xirc
	[jnemeth, ticket #1778]

src/share/zoneinfo/africa			patch
src/share/zoneinfo/australasia			patch
src/share/zoneinfo/northamerica			patch

	Merge tzdata2007f.
	[markd, ticket #1787]

sys/kern/kern_verifiedexec.c			patch
sys/kern/vfs_syscalls.c				patch
sys/sys/verified_exec.h				patch

	Prevent users from renaming a file to a veriexec protected file
	and from running unfingerprinted files at strict level two or
	above.
	[blymn, ticket #1471]

dist/file/					synced with HEAD on 20070615
distrib/sets/lists/base/shl.elf			1.222
distrib/sets/lists/base/shl.mi			1.375 via patch
lib/Makefile					1.108 via patch
lib/libmagic/Makefile				1.5
lib/libmagic/config.h				patch
lib/libmagic/shlib_version			1.3-1.4
tools/file/Makefile				1.4
usr.bin/file/Makefile				1.51-1.53

	Update file(1) to version 4.21, including security fixes
	(CVE-2007-1536 and CVE-2007-2799).
	[pooka, ticket #1804]

sys/ufs/ufs/quota.h				1.24
sys/ufs/ufs/ufs_quota.c				1.46
sys/sys/param.h					patch

	If a quota-enabled file system has 65536 active vnodes for one uid
	the reference counter of the corresponding struct dquot will
	overflow. Change the type of the reference counter from u_int16_t
	to u_int32_t and add an assertion to check for overflow. Bump
	kernel version as LKM's depending on UFS internals will have to be
	recompiled after this change (discussed and approved on tech-kern).
	[hannken, ticket #1807]

etc/daily					1.70
etc/monthly					1.11
etc/security					1.102
etc/weekly					1.23

	Use "mktemp -d -t xxx" to create the temporary directories. This
	will use the TMPDIR environment variable if set, otherwise use
	/tmp.
	[martti, ticket #1800]

gnu/usr.bin/groff/tmac/mdoc.local		patch
sys/sys/param.h					patch

	Welcome to NetBSD 3.1.1.