-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-EN-10:01.freebsd Errata Notice The FreeBSD Project Topic: Various FreeBSD 8.0-RELEASE improvements Category: core Module: kern Announced: 2010-01-06 Affects: FreeBSD 8.0-RELEASE. Corrected: 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Since FreeBSD 8.0 was released, several stability and performance problems have been identified. This Errata Notice describes several fixes judged to be of particular importance, but low risk, to users with specific workloads or using specific features that trigger these problems. Areas where problems are addressed include NFS, ZFS, Multicast networking, SCTP as well as the rename(2) syscall. II. Description * Slow NFS client reconnects when using TCP Under certain circumstances the NFS client can queue requests even though the remote server has initiated a connection shutdown. The deferred notice of the shutdown can cause slow reconnects against an NFS server that drops inactive connections. * Possible panics in ZFS Due to inadequate checks, attempts to modify a file on a read-only ZFS snapshot will lead to a 'dirtying snapshot' kernel panic. The system will also panic if ZFS is combined with a MAC policy supporting file system labeling (e.g., mac_biba(4) or mac_mls(4)). * Multicast regression and panic Multicast filtering may not pass incoming IGMP messages if the group has not been joined. User space routing daemons will therefore not see all IGMP control traffic. Further, the system will panic under certain circumstances in the IPv4 multicast forwarding path. * Panic when invalid SCTP message received during connection shutdown Receiving a specially crafted SCTP shutdown message with an invalid Transmission Sequence Number may cause the system to panic if there has been a valid association. * Panic caused by rename(2) If a path argument to the rename(2) syscall ends in '/.', insufficient checking will cause the system to panic. III. Solution Perform one of the following: 1) Upgrade your system to 8-STABLE, or to the RELENG_8_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 8.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-10:01/nfsreconnect.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/nfsreconnect.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsvaccess.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsvaccess.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsmac.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsmac.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/multicast.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/multicast.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/mcinit.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/mcinit.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/sctp.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/sctp.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/rename.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/rename.patch.asc b) Apply the patches. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. IV. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - - ------------------------------------------------------------------------- RELENG_8_0 src/UPDATING 1.632.2.7.2.5 src/sys/conf/newvers.sh 1.83.2.6.2.5 src/sys/netinet/ip_mroute.c 1.155.2.1.2.2 src/sys/netinet/raw_ip.c 1.220.2.2.2.2 src/sys/netinet6/raw_ip6.c 1.111.2.1.2.2 src/sys/rpc/clnt_vc.c 1.8.2.2.2.2 src/sys/kern/vfs_lookup.c 1.132.2.1.2.2 src/sys/netinet/sctp_input.c 1.82.2.2.2.2 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c 1.24.2.2.2.1 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c 1.46.2.7.2.1 src/sys/cddl/contrib/opensolaris/uts/common/sys/vnode.h 1.3.4.1.2.1 src/sys/cddl/compat/opensolaris/sys/vnode.h 1.12.2.2.2.2 - - ------------------------------------------------------------------------- Subversion: Branch/path Revision - - ------------------------------------------------------------------------- releng/8.0/ r201679 - - ------------------------------------------------------------------------- V. References The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-10:01.freebsd.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iD8DBQFLRRFQFdaIBMps37IRAuq9AJ9fq1708qfDgnyzuNRWnumiQhJD2gCcDqWd AyQA3ZdKXci6S8d9UauJFw4= =NwGp -----END PGP SIGNATURE-----