svn commit: r51533 - in head/share/security: advisories patches/EN-18:03 patches/EN-18:04 patches/SA-18:04 patches/SA-18:05
Gordon Tetlow
gordon at FreeBSD.org
Wed Apr 4 05:55:16 UTC 2018
Author: gordon (src,ports committer)
Date: Wed Apr 4 05:55:14 2018
New Revision: 51533
URL: https://svnweb.freebsd.org/changeset/doc/51533
Log:
Add SA-18:04.vt, SA-18:05.ipsec, EN-18:03.tzdata, EN-18:04.mem.
Approved by: so
Added:
head/share/security/advisories/FreeBSD-EN-18:03.tzdata.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-18:04.mem.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-18:04.vt.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-18:05.ipsec.asc (contents, props changed)
head/share/security/patches/EN-18:03/
head/share/security/patches/EN-18:03/tzdata-2018d.patch (contents, props changed)
head/share/security/patches/EN-18:03/tzdata-2018d.patch.asc (contents, props changed)
head/share/security/patches/EN-18:04/
head/share/security/patches/EN-18:04/mem.10.patch (contents, props changed)
head/share/security/patches/EN-18:04/mem.10.patch.asc (contents, props changed)
head/share/security/patches/EN-18:04/mem.11.patch (contents, props changed)
head/share/security/patches/EN-18:04/mem.11.patch.asc (contents, props changed)
head/share/security/patches/SA-18:04/
head/share/security/patches/SA-18:04/vt.patch (contents, props changed)
head/share/security/patches/SA-18:04/vt.patch.asc (contents, props changed)
head/share/security/patches/SA-18:05/
head/share/security/patches/SA-18:05/ipsec.patch (contents, props changed)
head/share/security/patches/SA-18:05/ipsec.patch.asc (contents, props changed)
Added: head/share/security/advisories/FreeBSD-EN-18:03.tzdata.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:03.tzdata.asc Wed Apr 4 05:55:14 2018 (r51533)
@@ -0,0 +1,149 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:03.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2018-04-04
+Credits: Philip Paeps
+Affects: All supported versions of FreeBSD
+Corrected: 2018-03-28 07:42:50 UTC (stable/11, 11.1-STABLE)
+ 2018-04-04 05:40:48 UTC (releng/11.1, 11.1-RELEASE-p9)
+ 2018-03-28 07:45:57 UTC (stable/10, 10.4-STABLE)
+ 2018-04-04 05:40:48 UTC (releng/10.4, 10.4-RELEASE-p8)
+ 2018-04-04 05:40:48 UTC (releng/10.3, 10.3-RELEASE-p29)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime. This file actually controls the
+conversion.
+
+II. Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries. Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately. For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-18:03/tzdata-2018d.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:03/tzdata-2018d.patch.asc
+# gpg --verify tzdata-2018d.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r331663
+releng/10.3/ r331986
+releng/10.4/ r331986
+stable/11/ r331662
+releng/11.1/ r331986
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:03.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=k+2X
+-----END PGP SIGNATURE-----
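Review bot: Section V never tells the administrator to run tzsetup(8) after updating, although Section II states that tzsetup(8) needs to be run so that /etc/localtime is updated when the local timezone is affected. Section I says /etc/localtime is a copy of a file from /usr/share/zoneinfo, so options 1 to 3, which end at "Restart all the affected applications and daemons, or reboot the system", update the zoneinfo files but not that copy. Suggest adding a tzsetup(8) step before the restart in each option. Separately, the opening paragraphs of Section V need a wording pass: "For software packages that is installed via binary packages, they can be upgraded" and "the same as what was released with FreeBSD release" do not parse.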
Added: head/share/security/advisories/FreeBSD-EN-18:04.mem.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:04.mem.asc Wed Apr 4 05:55:14 2018 (r51533)
@@ -0,0 +1,151 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:04.mem Errata Notice
+ The FreeBSD Project
+
+Topic: Multiple small kernel memory disclosures
+
+Category: core
+Module: kernel
+Announced: 2018-04-04
+Credits: Ilja van Sprundel
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-03-28 13:41:43 UTC (stable/11, 11.1-STABLE)
+ 2018-04-04 05:43:03 UTC (releng/11.1, 11.1-RELEASE-p9)
+ 2018-03-29 22:31:14 UTC (stable/10, 10.4-STABLE)
+ 2018-04-04 05:43:03 UTC (releng/10.4, 10.4-RELEASE-p8)
+ 2018-04-04 05:43:03 UTC (releng/10.3, 10.3-RELEASE-p29)
+CVE Name: CVE-2018-6919
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes drivers for HighPoint disk controllers via the hpt27xx(4),
+hptnr(4) and hptrr(4) drivers, for some graphics cards via drm drivers. In
+addition, FreeBSD includes optional support for executing svr4 and ibcs2
+binaries.
+
+II. Problem Description
+
+Due to insufficient initialization of memory copied to userland small amounts
+of kernel memory may be disclosed to userland processes.
+
+III. Impact
+
+A user who can access these drivers or execute svr4 or ibcs2 binaries
+may be able to read the contents of kernel memory.
+
+Such memory might contain sensitive information, such as portions of the file
+cache or terminal buffers. This information might be directly useful, or it
+might be leveraged to obtain elevated privileges in some way; for example,
+a terminal buffer might include a user-entered password.
+
+IV. Workaround
+
+No workaround is available, but systems that do not use these devices and
+do not enable support for ibcs2 and svr4 binaries are not vulnerable.
+In addition, note that the drm driver affected by this issue supports only
+relatively old hardware. Systems built within the last decade likely
+contain graphics hardware supported by the drm2 driver in the FreeBSD base
+system or the drm-next-kmod driver in FreeBSD ports.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.11.patch.asc
+# gpg --verify mem.11.patch.asc
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.10.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.10.patch.asc
+# gpg --verify mem.10.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r331749
+releng/10.3/ r331987
+releng/10.4/ r331987
+stable/11/ r331670
+releng/11.1/ r331987
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6919>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:04.mem.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=r842
+-----END PGP SIGNATURE-----
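Review bot: Sections I and IV do not identify the affected drm driver, so an administrator cannot tell from the text whether a given system is exposed. Section I names hpt27xx(4), hptnr(4) and hptrr(4) explicitly but says only "for some graphics cards via drm drivers", and Section IV refers to "the drm driver affected by this issue" while contrasting it with drm2 and drm-next-kmod. Suggest naming the driver or kernel module in the same way as the HighPoint ones. The Section I sentence is also missing an "and" before "for some graphics cards".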
Added: head/share/security/advisories/FreeBSD-SA-18:04.vt.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:04.vt.asc Wed Apr 4 05:55:14 2018 (r51533)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:04.vt Security Advisory
+ The FreeBSD Project
+
+Topic: vt console memory disclosure
+
+Category: core
+Module: vt console
+Announced: 2018-04-04
+Credits: Dr Silvio Cesare of InfoSect
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
+ 2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
+ 2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
+ 2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
+ 2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
+CVE Name: CVE-2018-6917
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the
+default system video console is provided by the vt(4) driver. The console
+allows the user, including an unprivileged user, to load a font at runtime.
+
+II. Problem Description
+
+Insufficient validation of user-provided font parameters can result in an
+integer overflow, leading to the use of arbitrary kernel memory as glyph
+data. Characters that reference this data can be displayed on the screen,
+effectively disclosing kernel memory.
+
+III. Impact
+
+Unprivileged users may be able to access privileged kernel data.
+
+Such memory might contain sensitive information, such as portions of the file
+cache or terminal buffers. This information might be directly useful, or it
+might be leveraged to obtain elevated privileges in some way; for example,
+a terminal buffer might include a user-entered password.
+
+IV. Workaround
+
+The syscons sc(4) system console is not affected by this issue and may be
+used on systems that do not boot via UEFI. To use the syscons console,
+set the kern.vty tunable in /boot/loader.conf as described in sc(4), and
+reboot. No workaround is available for systems that boot via UEFI.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is required after the upgrade.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
+# gpg --verify vt.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r331983
+releng/10.3/ r331984
+releng/10.4/ r331984
+stable/11/ r331982
+releng/11.1/ r331984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=L6/K
+-----END PGP SIGNATURE-----
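Review bot: Option 1 in Section V is missing the reboot instruction. Option 2 says "A reboot is required after the upgrade" and option 3c ends with "reboot the system", but option 1 stops at "dated after the correction date", and the other kernel notices in this commit (EN-18:04, SA-18:05) follow the same option with "Afterward, reboot the system." Suggest adding that line here so all three paths end the same way. Section IV also points to sc(4) for the kern.vty tunable without giving the value to set; stating it inline would make the workaround usable without a second lookup.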
Added: head/share/security/advisories/FreeBSD-SA-18:05.ipsec.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:05.ipsec.asc Wed Apr 4 05:55:14 2018 (r51533)
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:05.ipsec Security Advisory
+ The FreeBSD Project
+
+Topic: ipsec crash or denial of service
+
+Category: core
+Module: ipsec
+Announced: 2018-04-04
+Credits: Maxime Villard
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
+ 2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
+ 2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
+ 2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
+ 2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
+CVE Name: CVE-2018-6918
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The IPsec suite of protocols provide network level security for IPv4 and IPv6
+packets. FreeBSD includes software originally developed by the KAME project
+which implements the various protocols that make up IPsec.
+
+In IPsec, the IP Authentication Header (AH) is used to provide protection
+against replay attacks and connectionless integrity and data origin
+authentication for IP datagrams.
+
+II. Problem Description
+
+The length field of the option header does not count the size of the option
+header itself. This causes a problem when the length is zero, the count is
+then incremented by zero, which causes an infinite loop.
+
+In addition there are pointer/offset mistakes in the handling of IPv4
+options.
+
+III. Impact
+
+A remote attacker who is able to send an arbitrary packet, could cause the
+remote target machine to crash.
+
+IV. Workaround
+
+No workaround is available. Note that in FreeBSD 10 IPsec is not included
+in the kernel by default, but it is in FreeBSD 11.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
+# gpg --verify ipsec.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r328621
+releng/10.3/ r331985
+releng/10.4/ r331985
+stable/11/ r328620
+releng/11.1/ r331985
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=WcBl
+-----END PGP SIGNATURE-----
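Review bot: Section III describes the impact only as a crash, while Section II describes an infinite loop and the Topic line reads "ipsec crash or denial of service". Suggest having Section III cover both outcomes, a hang from the zero-length option loop and a crash from the IPv4 option pointer/offset mistakes, so it matches the Topic. Section II would also be clearer if it said which option header is meant and tied it to the AH processing introduced in Section I; the sentence "This causes a problem when the length is zero, the count is then incremented by zero" is a comma splice and should be split.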
Added: head/share/security/patches/EN-18:03/tzdata-2018d.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-18:03/tzdata-2018d.patch Wed Apr 4 05:55:14 2018 (r51533)
@@ -0,0 +1,4454 @@
+--- contrib/tzdata/CONTRIBUTING.orig
++++ contrib/tzdata/CONTRIBUTING
+@@ -25,7 +25,8 @@
+
+ Please submit changes against either the latest release in
+ <https://www.iana.org/time-zones> or the master branch of the development
+-repository. If you use Git the following workflow may be helpful:
++repository. The latter is preferred. If you use Git the following
++workflow may be helpful:
+
+ * Copy the development repository.
+
+@@ -42,6 +43,12 @@
+
+ git checkout -b mybranch
+
++ * Sleuth by using 'git blame'. For example, when fixing data for
++ Africa/Sao_Tome, if the command 'git blame africa' outputs a line
++ '2951fa3b (Paul Eggert 2018-01-08 09:03:13 -0800 1068) Zone
++ Africa/Sao_Tome 0:26:56 - LMT 1884', commit 2951fa3b should
++ provide some justification for the 'Zone Africa/Sao_Tome' line.
++
+ * Edit source files. Include commentary that justifies the
+ changes by citing reliable sources.
+
+@@ -67,6 +74,9 @@
+
+ git send-email master
+
++ For an archived example of such an email, see
++ <https://mm.icann.org/pipermail/tz/2018-February/026122.html>.
++
+ * Start anew by getting current with the master branch again
+ (the second step above).
+
+--- contrib/tzdata/Makefile.orig
++++ contrib/tzdata/Makefile
+@@ -10,6 +10,15 @@
+ # Email address for bug reports.
+ BUGEMAIL= tz at iana.org
+
++# Choose source data features. To get new features right away, use:
++# DATAFORM= vanguard
++# To wait a while before using new features, to give downstream users
++# time to upgrade zic (the default), use:
++# DATAFORM= main
++# To wait even longer for new features, use:
++# DATAFORM= rearguard
++DATAFORM= main
++
+ # Change the line below for your time zone (after finding the zone you want in
+ # the time zone files, or adding it to a time zone file).
+ # Alternately, if you discover you've got the wrong time zone, you can just
+@@ -25,10 +34,10 @@
+ # for handling POSIX-style time zone environment variables,
+ # change the line below (after finding the zone you want in the
+ # time zone files, or adding it to a time zone file).
+-# (When a POSIX-style environment variable is handled, the rules in the
++# When a POSIX-style environment variable is handled, the rules in the
+ # template file are used to determine "spring forward" and "fall back" days and
+ # times; the environment variable itself specifies UT offsets of standard and
+-# summer time.)
++# daylight saving time.
+ # Alternately, if you discover you've got the wrong time zone, you can just
+ # zic -p rightzone
+ # to correct things.
+@@ -189,6 +198,7 @@
+ # -DHAVE_STDINT_H if you have a non-C99 compiler with <stdint.h>
+ # -DHAVE_STRFTIME_L if <time.h> declares locale_t and strftime_l
+ # -DHAVE_STRDUP=0 if your system lacks the strdup function
++# -DHAVE_STRTOLL=0 if your system lacks the strtoll function
+ # -DHAVE_SYMLINK=0 if your system lacks the symlink function
+ # -DHAVE_SYS_STAT_H=0 if your compiler lacks a <sys/stat.h>
+ # -DHAVE_SYS_WAIT_H=0 if your compiler lacks a <sys/wait.h>
+@@ -195,7 +205,11 @@
+ # -DHAVE_TZSET=0 if your system lacks a tzset function
+ # -DHAVE_UNISTD_H=0 if your compiler lacks a <unistd.h>
+ # -Dlocale_t=XXX if your system uses XXX instead of locale_t
++# -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers
++# with external linkage, e.g., applications cannot define 'localtime'.
+ # -Dssize_t=long on hosts like MS-Windows that lack ssize_t
++# -DSUPPRESS_TZDIR to not prepend TZDIR to file names; this has
++# security implications and is not recommended for general use
+ # -DTHREAD_SAFE to make localtime.c thread-safe, as POSIX requires;
+ # not needed by the main-program tz code, which is single-threaded.
+ # Append other compiler flags as needed, e.g., -pthread on GNU/Linux.
+@@ -394,13 +408,19 @@
+ SAFE_CHARSET= $(SAFE_CHARSET1)$(SAFE_CHARSET2)$(SAFE_CHARSET3)
+ SAFE_CHAR= '[]'$(SAFE_CHARSET)'-]'
+
++# Non-ASCII non-letters that OK_CHAR allows, as these characters are
++# useful in commentary. XEmacs 21.5.34 displays them correctly,
++# presumably because they are Latin-1.
++UNUSUAL_OK_CHARSET= °±½¾×
++
+ # OK_CHAR matches any character allowed in the distributed files.
+-# This is the same as SAFE_CHAR, except that multibyte letters are
+-# also allowed so that commentary can contain people's names and quote
+-# non-English sources. For non-letters the sources are limited to
+-# ASCII renderings for the convenience of maintainers whose text editors
+-# mishandle UTF-8 by default (e.g., XEmacs 21.4.22).
+-OK_CHAR= '[][:alpha:]'$(SAFE_CHARSET)'-]'
++# This is the same as SAFE_CHAR, except that UNUSUAL_OK_CHARSET and
++# multibyte letters are also allowed so that commentary can contain a
++# few safe symbols and people's names and can quote non-English sources.
++# Other non-letters are limited to ASCII renderings for the
++# convenience of maintainers using XEmacs 21.5.34, which by default
++# mishandles Unicode characters U+0100 and greater.
++OK_CHAR= '[][:alpha:]$(UNUSUAL_OK_CHARSET)'$(SAFE_CHARSET)'-]'
+
+ # SAFE_LINE matches a line of safe characters.
+ # SAFE_SHARP_LINE is similar, except any OK character can follow '#';
+@@ -462,10 +482,12 @@
+ ZONETABLES= zone1970.tab zone.tab
+ TABDATA= iso3166.tab $(TZDATA_TEXT) $(ZONETABLES)
+ LEAP_DEPS= leapseconds.awk leap-seconds.list
+-TZDATA_ZI_DEPS= zishrink.awk version $(TDATA) $(PACKRATDATA)
++TZDATA_ZI_DEPS= ziguard.awk zishrink.awk version $(TDATA) $(PACKRATDATA)
++DSTDATA_ZI_DEPS= ziguard.awk $(TDATA) $(PACKRATDATA)
+ DATA= $(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \
+ leapseconds yearistype.sh $(ZONETABLES)
+-AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk zishrink.awk
++AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk \
++ ziguard.awk zishrink.awk
+ MISC= $(AWK_SCRIPTS) zoneinfo2tdf.pl
+ TZS_YEAR= 2050
+ TZS= to$(TZS_YEAR).tzs
+@@ -499,7 +521,8 @@
+
+ SHELL= /bin/sh
+
+-all: tzselect yearistype zic zdump libtz.a $(TABDATA)
++all: tzselect yearistype zic zdump libtz.a $(TABDATA) \
++ vanguard.zi main.zi rearguard.zi
+
+ ALL: all date $(ENCHILADA)
+
+@@ -534,11 +557,15 @@
+ printf '%s\n' "$$V" >$@.out
+ mv $@.out $@
+
+-# This file can be tailored by setting BACKWARD, PACKRATDATA, etc.
+-tzdata.zi: $(TZDATA_ZI_DEPS)
++# These files can be tailored by setting BACKWARD, PACKRATDATA, etc.
++vanguard.zi main.zi rearguard.zi: $(DSTDATA_ZI_DEPS)
++ $(AWK) -v outfile='$@' -f ziguard.awk $(TDATA) $(PACKRATDATA) \
++ >$@.out
++ mv $@.out $@
++tzdata.zi: $(DATAFORM).zi version
+ version=`sed 1q version` && \
+ LC_ALL=C $(AWK) -v version="$$version" -f zishrink.awk \
+- $(TDATA) $(PACKRATDATA) >$@.out
++ $(DATAFORM).zi >$@.out
+ mv $@.out $@
+
+ version.h: version
+@@ -614,19 +641,29 @@
+
+ zones: $(REDO)
+
++# dummy.zd is not a real file; it is mentioned here only so that the
++# top-level 'make' does not have a syntax error.
++ZDS = dummy.zd
++# Rule used only by submakes invoked by the $(TZS_NEW) rule.
++# It is separate so that GNU 'make -j' can run instances in parallel.
++$(ZDS): zdump
++ ./zdump -i -c $(TZS_YEAR) '$(wd)/'$$(expr $@ : '\(.*\).zd') >$@
++
+ $(TZS_NEW): tzdata.zi zdump zic
+- mkdir -p tzs.dir
++ rm -fr tzs.dir
++ mkdir tzs.dir
+ $(zic) -d tzs.dir tzdata.zi
+ $(AWK) '/^L/{print "Link\t" $$2 "\t" $$3}' \
+ tzdata.zi | LC_ALL=C sort >$@.out
+ wd=`pwd` && \
+- zones=`$(AWK) -v wd="$$wd" \
+- '/^Z/{print wd "/tzs.dir/" $$2}' tzdata.zi \
+- | LC_ALL=C sort` && \
+- ./zdump -i -c $(TZS_YEAR) $$zones >>$@.out
+- sed 's,^TZ=".*tzs\.dir/,TZ=",' $@.out >$@.sed.out
+- rm -fr tzs.dir $@.out
+- mv $@.sed.out $@
++ set x `$(AWK) '/^Z/{print "tzs.dir/" $$2 ".zd"}' tzdata.zi \
++ | LC_ALL=C sort -t . -k 2,2` && \
++ shift && \
++ ZDS=$$* && \
++ $(MAKE) wd="$$wd" TZS_YEAR=$(TZS_YEAR) ZDS="$$ZDS" $$ZDS && \
++ sed 's,^TZ=".*tzs\.dir/,TZ=",' $$ZDS >>$@.out
++ rm -fr tzs.dir
++ mv $@.out $@
+
+ # If $(TZS) does not already exist (e.g., old-format tarballs), create it.
+ # If it exists but 'make check_tzs' fails, a maintainer should inspect the
+@@ -669,8 +706,10 @@
+ sharp='#' && \
+ ! grep -Env $(SAFE_LINE) $(MANS) date.1 $(MANTXTS) \
+ $(MISC) $(SOURCES) $(WEB_PAGES) \
+- CONTRIBUTING LICENSE Makefile README \
++ CONTRIBUTING LICENSE README \
+ version tzdata.zi && \
++ ! grep -Env $(SAFE_LINE)'|^UNUSUAL_OK_CHARSET='$(OK_CHAR)'*$$' \
++ Makefile && \
+ ! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \
+ leapseconds yearistype.sh zone.tab && \
+ ! grep -Env $(OK_LINE) $(ENCHILADA); \
+@@ -702,7 +741,7 @@
+ $(AWK) '/^[^#]/ $(CHECK_CC_LIST)' zone1970.tab | \
+ LC_ALL=C sort -cu
+
+-check_links: checklinks.awk $(TDATA_TO_CHECK)
++check_links: checklinks.awk $(TDATA_TO_CHECK) tzdata.zi
+ $(AWK) -f checklinks.awk $(TDATA_TO_CHECK)
+ $(AWK) -f checklinks.awk tzdata.zi
+
+@@ -720,17 +759,26 @@
+ check_web: tz-how-to.html
+ $(VALIDATE_ENV) $(VALIDATE) $(VALIDATE_FLAGS) tz-how-to.html
+
+-# Check that tzdata.zi generates the same binary data that its sources do.
+-check_zishrink: tzdata.zi zic leapseconds $(PACKRATDATA) $(TDATA)
++# Check that zishrink.awk does not alter the data, and that ziguard.awk
++# preserves main-format data.
++check_zishrink: zic leapseconds $(PACKRATDATA) $(TDATA) \
++ $(DATAFORM).zi tzdata.zi
+ for type in posix right; do \
+- mkdir -p time_t.dir/$$type time_t.dir/$$type-shrunk && \
++ mkdir -p time_t.dir/$$type time_t.dir/$$type-t \
++ time_t.dir/$$type-shrunk && \
+ case $$type in \
+ right) leap='-L leapseconds';; \
+ *) leap=;; \
+ esac && \
+- $(ZIC) $$leap -d time_t.dir/$$type $(TDATA) && \
+- $(AWK) '/^Rule/' $(TDATA) | \
+- $(ZIC) $$leap -d time_t.dir/$$type - $(PACKRATDATA) && \
++ $(ZIC) $$leap -d time_t.dir/$$type $(DATAFORM).zi && \
++ case $(DATAFORM) in \
++ main) \
++ $(ZIC) $$leap -d time_t.dir/$$type-t $(TDATA) && \
++ $(AWK) '/^Rule/' $(TDATA) | \
++ $(ZIC) $$leap -d time_t.dir/$$type-t - \
++ $(PACKRATDATA) && \
++ diff -r time_t.dir/$$type time_t.dir/$$type-t;; \
++ esac && \
+ $(ZIC) $$leap -d time_t.dir/$$type-shrunk tzdata.zi && \
+ diff -r time_t.dir/$$type time_t.dir/$$type-shrunk || exit; \
+ done
+@@ -740,7 +788,7 @@
+ rm -f core *.o *.out \
+ date tzselect version.h zdump zic yearistype libtz.a
+ clean: clean_misc
+- rm -fr *.dir tzdata.zi tzdb-*/ $(TZS_NEW)
++ rm -fr *.dir *.zi tzdb-*/ $(TZS_NEW)
+
+ maintainer-clean: clean
+ @echo 'This command is intended for maintainers to use; it'
+@@ -856,6 +904,9 @@
+ VERSION=`cat version` && \
+ $(MAKE) VERSION="$$VERSION" $@_version
+
++# These *_version rules are intended for use if VERSION is set by some
++# other means. Ordinarily these rules are used only by the above
++# non-_version rules, which set VERSION on the 'make' command line.
+ tarballs_version: traditional_tarballs_version tzdb-$(VERSION).tar.lz
+ traditional_tarballs_version: \
+ tzcode$(VERSION).tar.gz tzdata$(VERSION).tar.gz
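Review bot: The comment added above tarballs_version says the *_version rules are for use when VERSION is set "by some other means", but nothing in these rules checks that VERSION is actually set. With an empty VERSION the prerequisites expand to names such as tzcode.tar.gz and tzdb-.tar.lz. Either the comment should say that VERSION must be non-empty, or the rules should fail early when it is not.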
+@@ -917,13 +968,17 @@
+ .KEEP_STATE:
+
+ .PHONY: ALL INSTALL all
+-.PHONY: check check_character_set check_links
++.PHONY: check check_character_set check_links check_name_lengths
+ .PHONY: check_public check_sorted check_tables
+ .PHONY: check_time_t_alternatives check_tzs check_web check_white_space
+ .PHONY: check_zishrink
+-.PHONY: clean clean_misc force_tzs
++.PHONY: clean clean_misc dummy.zd force_tzs
+ .PHONY: install install_data maintainer-clean names
+ .PHONY: posix_only posix_packrat posix_right
+ .PHONY: public right_only right_posix signatures signatures_version
+-.PHONY: tarballs tarballs_version typecheck
++.PHONY: tarballs tarballs_version
++.PHONY: traditional_signatures traditional_signatures_version
++.PHONY: traditional_tarballs traditional_tarballs_version
++.PHONY: typecheck
+ .PHONY: zonenames zones
++.PHONY: $(ZDS)
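Review bot: The .PHONY list now includes dummy.zd and $(ZDS), which read as file targets rather than command names, and nothing in the hunk says why they must always be rebuilt. A one-line comment next to ".PHONY: $(ZDS)" giving the reason would help; without it a later maintainer may take the line for a mistake and drop it.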
+--- contrib/tzdata/NEWS.orig
++++ contrib/tzdata/NEWS
+@@ -1,9 +1,146 @@
+ News for the tz database
+
++Release 2018d - 2018-03-22 07:05:46 -0700
++
++ Briefly:
++
++ Palestine starts DST a week earlier in 2018.
++ Add support for vanguard and rearguard data consumers.
++ Add subsecond precision to source data format, though not to data.
++
++ Changes to future time stamps
++
++ In 2018, Palestine starts DST on March 24, not March 31.
++ Adjust future predictions accordingly. (Thanks to Sharef Mustafa.)
++
++ Changes to past and future time stamps
++
++ Casey Station in Antarctica changed from +11 to +08 on 2018-03-11
++ at 04:00. (Thanks to Steffen Thorsen.)
++
++ Changes to past time stamps
++
++ Historical transitions for Uruguay, represented by
++ America/Montevideo, have been updated per official legal documents,
++ replacing previous data mainly originating from the inventions of
++ Shanks & Pottenger. This has resulted in adjustments ranging from
++ 30 to 90 minutes in either direction over at least two dozen
++ distinct periods ranging from one day to several years in length.
++ A mere handful of pre-1991 transitions are unaffected; data since
++ then has come from more reliable contemporaneous reporting. These
++ changes affect various timestamps in 1920-1923, 1936, 1939,
++ 1942-1943, 1959, 1966-1970, 1972, 1974-1980, and 1988-1990.
++ Additionally, Uruguay's pre-standard-time UT offset has been
++ adjusted westward by 7 seconds, from UT-03:44:44 to UT-03:44:51, to
++ match the location of the Observatory of the National Meteorological
++ Institute in Montevideo.
++ (Thanks to Jeremie Bonjour, Tim Parenti, and Michael Deckers.)
++
++ Enderbury and Kiritimati skipped New Year's Eve 1994, not
++ New Year's Day 1995. (Thanks to Kerry Shetline.)
++
++ Fix the 1912-01-01 transition for Portugual and its colonies.
++ This transition was at 00:00 according to the new UT offset, not
++ according to the old one. Also assume that Cape Verde switched on
++ the same date as the rest, not in 1907. This affects
++ Africa/Bissau, Africa/Sao_Tome, Asia/Macau, Atlantic/Azores,
++ Atlantic/Cape_Verde, Atlantic/Madeira, and Europe/Lisbon.
++ (Thanks to Michael Deckers.)
++
++ Fix an off-by-1 error for pre-1913 timestamps in Jamaica and in
++ Turks & Caicos.
++
++ Changes to past time zone abbreviations
++
++ MMT took effect in Uruguay from 1908-06-10, not 1898-06-28. There
++ is no clock change associated with the transition.
++
++ Changes to build procedure
++
++ The new DATAFORM macro in the Makefile lets the installer choose
++ among three source data formats. The idea is to lessen downstream
++ disruption when data formats are improved.
++
++ * DATAFORM=vanguard installs from the latest, bleeding-edge
++ format. DATAFORM=main (the default) installs from the format
++ used in the 'africa' etc. files. DATAFORM=rearguard installs
++ from a trailing-edge format. Eventually, elements of today's
++ vanguard format should move to the main format, and similarly
++ the main format's features should eventually move to the
++ rearguard format.
++
++ * In the current version, the main and rearguard formats are
++ identical and match that of 2018c, so this change does not
++ affect default behavior. The vanguard format currently contains
++ one feature not in the main format: negative SAVE values. This
++ improves support for Ireland, which uses Irish Standard Time
++ (IST, UTC+01) in summer and GMT (UTC) in winter. tzcode has
++ supported negative SAVE values for decades, and this feature
++ should move to the main format soon. However, it will not move
++ to the rearguard format for quite some time because some
++ downstream parsers do not support it.
++
++ * The build procedure constructs three files vanguard.zi, main.zi,
++ and rearguard.zi, one for each format. The files represent the
++ same data as closely as the formats allow. These three files
++ are intended for downstream data consumers and are not
++ installed. Zoneinfo parsers that do not support negative SAVE values
++ should start using rearguard.zi, so that they will be unaffected
++ when the negative-DST feature moves from vanguard to main.
++ Bleeding-edge Zoneinfo parsers that support the new features
++ already can use vanguard.zi; in this respect, current tzcode is
++ bleeding-edge.
++
++ The Makefile should now be safe for parallelized builds, and 'make
++ -j to2050new.tzs' is now much faster on a multiprocessor host
++ with GNU Make.
++
++ When built with -DSUPPRESS_TZDIR, the tzcode library no longer
++ prepends TZDIR/ to file names that do not begin with '/'. This is
++ not recommended for general use, due to its security implications.
++ (From a suggestion by Manuela Friedrich.)
++
++ Changes to code
++
++ zic now accepts subsecond precision in expressions like
++ 00:19:32.13, which is approximately the legal time of the
++ Netherlands from 1835 to 1937. However, because it is
++ questionable whether the few recorded uses of non-integer offsets
++ had subsecond precision in practice, there are no plans for tzdata
++ to use this feature. (Thanks to Steve Allen for pointing out
++ the limitations of historical data in this area.)
++
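Review bot: The -DSUPPRESS_TZDIR entry under "Changes to build procedure" calls the option "not recommended for general use, due to its security implications" without saying what those implications are. The entry itself states that TZDIR/ is no longer prepended to file names that do not begin with '/', so it should spell out the consequence: a relative name is then looked up relative to the process's current directory instead of the installed zoneinfo tree. Packagers need that to judge whether the option is acceptable for their builds. Separately, "Portugual" in the 1912-01-01 entry is a typo for "Portugal".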
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***