UPDATING

Updating Information for MidnightBSD users.

20241130:
	remove libdispatch.  only consumer was mport and that no
	longer uses it. Apple has backed off from it also. 

20241121:
	restore vendor branch for flex and update to 2.6.4 in 
	current

20241119:
	lua 5.4.2

20241115:
	openzfs 2.1.15

	device-tree from linux 5.9

	pcg-c 20190718-83252d9

20241114:
	unifdef 2.12

	terminus-font-4.49.1

	libcbor 0.11.0

	libfido2 1.14

20241113:
	unbound 1.22.0

	wireguard-tools

	tzcode fixes

20241108:
	add lib9p

20241107:
	atf 0.22 + bugfixes

	bearssl 20230220

	bmake 20220208

	Remove amd

	byacc 20200330

	libdialog 1.3-20210117

	pnglite 2013

	jemalloc 5.2.1

	Removed gcc and binutils

20241028:
	FreeBSD 13 stable import code from this date.

20240822:
	mport 2.6.4

20240811:
	Introduced a patch to lower default timeout on IPv6 temporary addresses.

	Introduced a sysctl that allow 0.0.0.0/32 to be equivalent to 127.0.0.1/32.

20240808:
        A signal handler in sshd(8) may call a logging function that is not sync-signal-safe.  

        (another CVE-2024-6387 related bug with blacklistd support)

20240701:
	OpenSSH security vulnerability

	A signal handler in sshd(8) calls a function that is not async-signal-safe.
	The signal handler is invoked when a client does not authenticate within the
	LoginGraceTime seconds (120 by default).  This signal handler executes in the
	context of the sshd(8)'s privileged code, which is not sandboxed and runs
	with full root privileges.

	This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd
	and accidentally reintroduced in OpenSSH 8.5p1.

20240519:
	Stable branch 3.2 created.  Continuing development of current

20240427:
	update the pci vendors list

20240412:
	expat 2.6.2

20240411:
	ldns 1.8.3

	sendmail 8.18.1

	libarchive 3.7.2

20240410:
	zstd 1.5.2

20240406:
	Fix for wpa supplicant CVE-2023-52160

20240331:
	unbound 1.19.3

	xz / lzma 5.4.5

20240330:
	mport 2.6.2

20240328:
	Unbound 1.19.1

20240129:
	Remove perl from base system.  We'll migrate to mports for this.

	Remove brainfuck as it depends on perl.

20240124:
	mport 2.6.0

20240112:
	Fixed a configuration issue with how Perl is built.
	man pages should not get installed correctly by mports.

	Disabled dtrace in perl due to some issues with it running reliably.

20240109:
	tzdata 2023d

20231229:
	mandoc 1.14.6

20231227:
	OpenSSH 9.3p2 - CVE-2023-38408

	Patch for CVE-2023-48795

20231226:
	OpenSSH 9.3p1

20231222:
	OpenSSH 9.2p1

20231220:
	sendmail 8.17.2

20231217:
	Delete subversion from base system.
	We've been on git for a few years.

20231212:
	nvi 2.2.1

	libevent 2.1.12

	unbound 1.19.0

	Fix security issue in libpcap OSV-2020-1231

20231211:
        mport 2.4.9 - fixes mport upgrade issue.

        perl CPAN security fix with TLS certificates
        CVE-2023-31484

20231209:
	CVE-2023-47038 perl security vulnerability in regcomp.c 
	Input can be reparsed with different results.

20231205:
	pf security issue: 
	As part of its stateful TCP connection tracking implementation, pf
	performs sequence number validation on inbound packets.  This makes it
	difficult for a would-be attacker to spoof the sender and inject packets
	into a TCP stream, since crafted packets must contain sequence numbers
	which match the current connection state to avoid being rejected by the
	firewall. A bug in the implementation of sequence number validation means that the
	sequence number is not in fact validated, allowing an attacker who is
	able to impersonate the remote host and guess the connection's port
	numbers to inject packets into the TCP stream.

20231129:
	telnetd(8) removed. Use mports/net/freebsd-telnetd if you need it

	sqlite3 3.44.0

20230905:
	openssl 1.1.1w

	mport 2.4.5

	(3.1 release happened on stable/3.1, continuing development)

20230826:
	mport 2.4.3

20230725:
	perl 5.36.1

20230627:
	openssl 1.1.1u

	zlib 1.2.13 for kernel use

	libarchive 3.6.2 

	OpenSSH 9.1p1

20230517:
	sendmail 8.17.1

20230514:
	mport 2.4.1

20230408:
	mport 2.3.0

20230403:
	libxo 1.0.4

	mport 2.2.9

20230330:
	add fix for CVE-2022-25147 (apr-util) 
	workaround an integer overflow in apr_base64 functions.

	Fix CVE-2020-10188 in telnetd

20230329:
	doas 6.3p9

	tzdata 2023c

	xz 5.2.9

	openssl 1.1.1t

	readelf - match GNU formatting

20230224:
	file 5.43

20230223:
	mport 2.2.7

20230212:
	sqlite3 3.40.1

	less 551

	subversion 1.14.2

	openssl 1.1.1s

20230208:
	tzdata 2022g

	Fix for Intel 82599 ixgbe device which reported errors on the interface
	incorrectly.

	Fix for GELI silently omits the keyfile if read from stdin

20221121:
	sqlite3 3.40.0

20221120:
	Multiple security vulnerabilities have been discovered in the Heimdal
	implementation of the Kerberos 5 network authentication protocols and KDC.

	CVE-2022-42898 PAC parse integer overflows
	CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
	CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
	CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
	CVE-2019-14870 Validate client attributes in protocol-transition
	CVE-2019-14870 Apply forwardable policy in protocol-transition
	CVE-2019-14870 Always lookup impersonate client in DB

20221111:
	mport bug fixes for 3.0 packages

20221104:
	MidnightBSD 3.0 stable branch created. Continuing development on 3.1

	expat 2.5.0

20221030:
	mport 2.2.5

20221016:
	mport 2.2.4

20221014:
	Build instructions from 2.2.x to 3.0 

	You may need to disable df in src/rescue/rescue/Makefile

	There are issues with usr.bin/lex on some systems. A fix was
	included after 2.2.5 for this bug.

	When doing a major upgrade, sometimes it's necessary to disable
	perl builds in usr.bin/Makefile. 

	Don't try an upgrade from a system older than 2.2.x

20221012:
	tzdata 2022d

20220831:
	zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
	in inflate in inflate.c via a large gzip header extra field.

20220828:
	unbound 1.16.2

20220825:
	OpenSSL 1.1.1q

	re-enable web in wpa suppplicant

20220820:
	OpenSSL 1.1.1p

20220819:
	imported pci ids list 2022 08 07

20220815:
	libarchive 3.6.0

20220807:
	sqlite3 3.38.5

20220730:
	nvi 2.20

20220729:
	Imported FreeBSD 12-stable (June 17, 2022)

	bmake VERSION (_MAKE_VERSION): 20200710

	wpa 2.10

	file 5.41

20220713:
	mport 2.2.3

20220607:
	MidnightBSD 2.2.0 released. Continuing development.

20220602:
	Perl 5.36.0

20220428:
	OpenSSH 8.8p1

20220427:
	sqlite 3.38.2

	expat 2.4.7

20220408:
	Subversion 1.14.1 
	
	netmap: Fix TOCTOU vulnerability in nmreq_copyin
	The total size of the user-provided nmreq was first computed and then
	trusted during the copyin. This might lead to kernel memory corruption
	and escape from jails/containers.
	Security: CVE-2022-23084

	netmap
	An unsanitized field in an option could be abused, causing an integer
	overflow followed by kernel memory corruption. This might be used
	to escape jails/containers.
	Security: CVE-2022-23085

	The netmap_ioctl() function has a reference counting bug in case of
	NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
	the function does not decrease the refcount of "nmd", which is
	increased by netmap_mem_find(), causing a refcount leak.

20220406:
	The 802.11 beacon handling routine failed to validate the length of an
	IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.

	Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers
	allocated a buffer of a caller-specified size, but copied to it a fixed size
	header.  Other heap content would be overwritten if the specified size was
	too small.

	byhve
	The e1000 network adapters permit a variety of modifications to an Ethernet
	packet when it is being transmitted.  These include the insertion of IP and
	TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
	offload ("TSO").  The e1000 device model uses an on-stack buffer to generate
	the modified packet header when simulating these modifications on transmitted
	packets.

	When checksum offload is requested for a transmitted packet, the e1000 device
	model used a guest-provided value to specify the checksum offset in the on-
	stack buffer.  The offset was not validated for certain packet types.

20220331:
	zlib 1.2.12

20220320:
	tzdata 2022a

20220315:
	Fix an openssl vulnerability.

	wifi security changes.

20220126:
	Reject execve when new argc is zero
	Fixes a security issue with NULL argv[0] entries, similar to the recent
	CVE with polkit on Linux. The current POC for that does not work on
	MidnightBSD since we don't use glibc, but proactively prevent similar issues.

20220117:
	expat 2.4.3

20220116:
	Bug fix for HyperV support in windows 2022 server.
	
	Fix register restore for SSE/XMM

20211222:
	Import OpenBSM 1.2 alpha5

20211221:
	Import ldns 1.7

	Import unbound 1.13.1

	Import libcapsicum, libfetch, libpam, geli from FreeBSD
	12-stable (sept 2021)

	update heimdal to work with OpenSSL 1.1.1

20211220:
	Imported OpenSSL 1.1.1l

20211115:
	Update lua 5.3.6

20211104:
	Updated mport 2.2.0 code with bugfixes and new plist features.

	Updated tzdata to fix some DST changes in asia

	Update root certificates bundle

20211027:
	mport 2.2.0 (alpha)

20210924:
	Introduce a patch to dummynet from pfsense to increase max value to 4Gb/s instead of 2Gb/s.

	Libucl 0.8.1

	root shell changed to tcsh for now. We may change this again.  (was csh)

	/bin/sh updated based on freebsd 12-stable sources as of today.

20210923:
	Update pci vendor ids

	add libusb_has_capability to libusb

	use md library sha256 implementation for lzma

20210921:
	MidnightBSD 2.1.0 released. Coninuing 2.2 development. 

20210911:
	Update mandoc

	Update mport to 2.1.4

20210825:
	Patch 3 security issues:

	Certain VirtIO-based device models failed to handle errors when fetching
	I/O descriptors.  Such errors could be triggered by a malicious guest.
	As a result, the device model code could be tricked into operating on
	uninitialized I/O vectors, leading to memory corruption.

	The ggatec(8) daemon does not validate the size of a response before writing
	it to a fixed-sized buffer.  This allows to overwrite the stack of ggatec(8).

	The passive mode in FTP communication allows an out of boundary read while
	libfetch uses strtol to parse the relevant numbers into address bytes.	It
	does not check if the line ends prematurely.  If it does, the for-loop
	condition checks for *p == '\0' one byte too late because p++ was already
	performed.

20210821:
	mport 2.1.3

20210730:
	APR-util 1.6.1

	APR 1.7.0

	Subversion 1.14.0

	file 5.39

20210701:
	update mport package manager to 2.1.3 (snap)

	sendmail 8.16.1

	sqlite3 3.35.5

20210630:
	A programming error in the Linux compatibility layer futex(2) system
	call might allow attackers to cause a denial of service.

	libcasper(3) creates service processes by forking the calling process,
	so they initially inherit the calling process' file descriptor table.
	Casper services expect the lowest 3 file descriptors, traditionally
	corresponding to standard input, output, and error, are redirected to
	/dev/null.  libcasper(3) ensures this is the case.  However, it did not
	handle the possibility that one of them is closed, and this scenario
	would trigger an assertion failure during service creation, resulting in
	a crash.

20210406:
	mport package manager updated to 2.1.0

	Fix two security issues:

	A particular case of memory sharing is mishandled in the virtual memory system.  It is possible 
	and legal to establish a relationship where multiple descendant processes share a mapping which 
	shadows memory of an ancestor process.	In this scenario, when one process modifies memory 
	through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source 
	page.  These stale mappings may remain even after the mapped pages have been reused for another purpose.

	Due to a race condition between lookup of ".." and remounting a filesystem,
	a process running inside a jail might access filesystem hierarchy outside
	of jail.

20210224:
	Happy 15th anniversary to MidnightBSD!

	Fix a security issue with pam.	The rules would not be applied correctly.

	xen fix to unmap correctly when errors occur

20210206:
	tzdata 2021a

	Fix a extattr corruption bug with ufs

	Uninitialized kernel stack leaks in several file systems

	Xen guests can triger backend Out Of Memory

20201220:
	libarchive 3.5.0

	Update caroot certs

	unbound 1.13.0

20201202:
	ICMPv6: A remote host may be able to trigger a read of freed kernel memory.  This may
	trigger a kernel panic if the address had been unmapped.

	tzdata: (2020d imported to fix) 
	An incorrect time will be displayed on a system configured to use one of the
	affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
	not updated, and all applications on the system that rely on the system time,
	such as cron(8) and syslog(8), will be affected.
	
	ipfw: initialize some variables to fix some odd handling with ports.
	
	callout(9)
	Callouts may be bound to a specific CPU, in which case that CPU is
	responsible for raising the timer interrupt which schedules execution of the
	callout.
	A kernel thread may attempt to stop a callout while it is actively executing,
	in which case the thread goes to sleep until execution has completed.  In the
	meantime the callout may be re-scheduled and re-executed on a different CPU.
	In this scenario, when the sleeping thread finally completes removal of the
	callout from some internal data structures, it may modify the wrong CPU's
	data structures and thus leave them in an invalid state.
	
	rtsold(8)
	Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.	First,
	rtsold(8) failed to perform sufficient bounds checking on the extent of the
	option.  In particular, it does not verify that the option does not extend
	past the end of the received packet before processing its contents.  The
	kernel currently ignores such malformed packets but still passes them to
	userspace programs.
	Second, when processing a DNSSL option, rtsold(8) decodes domain name labels
	per an encoding specified in RFC 1035 in which the first octet of each label
	contains the label's length.  rtsold(8) did not validate label lengths
	correctly and could overflow the destination buffer.
	
	A bug in the firstboot script was corrected that referenced an invalid package name.
	
	burncd was removed.

20201122:
	The root certificates of the Mozilla CA Certificate Store have been
	imported into the base system and can be managed with the certctl(8)
	utility.  If you have installed the security/ca_root_nss port or package
	with the ETCSYMLINK option (the default), be advised that there may be
	differences between those included in the port and those included in
	base due to differences in nss branch used as well as general update
	frequency.  Note also that certctl(8) cannot manage certs in the
	format used by the security/ca_root_nss port.

	Update file to 5.38

	xz 5.2.5
	
20201115:
	Fixes issues with UEFI not booting on amd64.

20201004:
	Update mDNSresponder to 1096.40.7

	Update Perl to 5.32.0

20200924:
	Add support for SIOCGIFMEDIA

20200923:
	udf: Validate the full file entry length

	Otherwise a corrupted file entry containing invalid extended attribute
	lengths or allocation descriptor lengths can trigger an overflow when
	the file entry is loaded.

20200918:
	Added experimental support for intel 8265 bluetooth. (wifi/bt combo card) 
	Needs firmware from mports/comms though.
	
20200902:
	Fix several security vulnerabilities:

	sctp use after free
	Due to improper handling in the kernel, a use-after-free bug can be triggered
	by sending large user messages from multiple threads on the same socket.

	IPv6 hop after hop
	Due to improper mbuf handling in the kernel, a use-after-free bug might be
	triggered by sending IPv6 Hop-by-Hop options over the loopback interface.
	
	linux ABI kernel panic
	The kernel function handling exec(3) of a Linux binary did not correctly
	handle a calling process with multiple threads.
	A multithread non-Linux process execing a Linux binary would fail a kernel
	assertion, resuting in a kernel panic "thread_detach: emuldata not found."

	dhclient
	When parsing option 119 data, dhclient(8) computes the uncompressed domain
	list length so that it can allocate an appropriately sized buffer to store
	the uncompressed list.	The code to compute the length failed to handle
	certain malformed input, resulting in a heap overflow when the uncompressed
	list is copied into in inadequately sized buffer.

20200807:
	A missing length validation code common to these three drivers means that a
	malicious USB device could write beyond the end of an allocated network
	packet buffer.

	- smsc(4), supporting SMSC (now Microchip) devices
	- muge(4), supporting Microchip devices
	- cdceem(4), supporting USB Communication Device Class compatible devices

20200709:
	Update SQLite3 to 3.32.3.

	Update unbound to fix several security issues.

	posix_spawnp security patch:
	posix_spawnp spawns a new thread with a limited stack allocated on the heap
	before delegating to execvp for the final execution within that thread.
	execvp would previously make unbounded allocations on the stack, directly
	proportional to the length of the user-controlled PATH environment variable.

	ip6_output security patch
	The IPV6_2292PKTOPTIONS set handler was missing synchronization,
	so racing accesses could modify freed memory.
	

20200514:
	Fixed a security issue in libalias.

	The FTP packet handler in libalias incorrectly calculates some packet
	lengths.  This may result in disclosing small amounts of memory from the
	kernel (for the in-kernel NAT implementation) or from the process space for
	natd (for the userspace implementation).

	Updated tzdata to 2020a.

	Updated subversion to 1.9.x

	bzip 1.0.8

20191112:
	Fixed a bug where packages wouldn't get removed on mport clean.  While there
	added ability to detect files that don't match the checksum of the packages.
	This will cleanup failed downloads as well as packages from older releases.

20191031:
	MidnightBSD 1.2 release, continuing development on 1.3

20190822:
	The kernel driver for /dev/midistat implements a handler for read(2).
	This handler is not thread-safe, and a multi-threaded program can
	exploit races in the handler to cause it to copy out kernel memory
	outside the boundaries of midistat's data buffer.

	System calls operating on file descriptors obtain a reference to
	relevant struct file which due to a programming error was not always put
	back, which in turn could be used to overflow the counter of affected
	struct file.

20190821:
	Security patch for CVE-2019-5611. 

	Due do a missing check in the code of m_pulldown(9) data returned may not be
	contiguous as requested by the caller.

20190808:
	OpenSSH 7.9p1

	bzip2 1.0.7

	bsnmp
	A function extracting the length from type-length-value encoding is not
`	properly validating the submitted length.

	jedec_dimm - some modules falsely report supporting temp sensors. Handle this
	better.

20190724:
	Fix some buffer overflows in telnet client

	The code which handles a close(2) of a descriptor created by
	posix_openpt(2) fails to undo the configuration which causes SIGIO to be
	raised.  This bug can lead to a write-after-free of kernel memory.

	Due to insufficient initialization of memory copied to userland in the
	components listed above small amounts of kernel memory may be disclosed
	to userland processes.

20190417:
	bring back deroff(1) to fix spell(1)

20190209:
	MidnightBSD 1.2-CURRENT development starts.

20190118:
	OpenSSH 7.5p1

	mksh R56c

	OpenSSL 1.0.2p

20181223:
	Import Perl 5.28.0

20181130:
	ICMP Buffer underwrite fix

20181109:
	Add the ability to disable TRIM on specific controllers or drives
	that have bugs.

20181021:
	Update ACPICA to 20161117

	Update ACPICA to 20160930

20181002:
	Stable 1.0 branch created. Continuing development on 1.1

	Reintroduce groff and reconnect to build. Removal causes issue with perl ports
	and we don't quite have things aligned to get rid of this yet.

20180912:
	ELF header security issue

	Insufficient validation was performed in the ELF header parser, and malformed
	or otherwise invalid ELF binaries were not rejected as they should be.

20180911:
	Add support for Corsair K70 LUX keyboard.

20180815:
	When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC
	flag set, the data field was decrypted first without verifying the MIC.  When
	the dta field was encrypted using RC4, for example, when negotiating TKIP as
	a pairwise cipher, the unauthenticated but decrypted data was subsequently
	processed.  This opened wpa_supplicant(8) to abuse by decryption and recovery
	of sensitive information contained in EAPOL-Key messages.

	See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
	for a detailed description of the bug.

20180720:
	Pull in r211155 from upstream llvm trunk (by Tim Northover):

	DAG: move sret demotion into most basic LowerCallTo implementation.

	It looks like there are two versions of LowerCallTo here: the
	SelectionDAGBuilder one is designed to operate on LLVM IR, and the
	TargetLowering one in the case where everything is at DAG level.

	Previously, only the SelectionDAGBuilder variant could handle
	demoting an impossible return to sret semantics (before delegating to
	the TargetLowering version), but this functionality is also useful
	for certain libcalls (e.g. 128-bit operations on 32-bit x86).  So
	this commit moves the sret handling down a level.

	This should fix "Call result #3 has unhandled type i32" errors when
	building devel/libslang2 for i386.

	Add support for AMD X370 and X399 chipsets.

	Add support for Intel 8th gen chipsets.

20180719:
	Add the AMD B350 Ryzen (300 series) AHCI and XHCI controllers

20180715:
	Support wake on lan for Intel gigabit nics in Ice Lake and Cannon Lake devices.

	Fix some man page issues

	Fix some compatibility and locking issues with NFS client/srver

	Loosely eqiuvalent to FreeBSD 10 stable 334699 (june 6)

20180708:
	Expat 2.2.0

20180704:
	Import FreeBSD 10 stable features from SVN revision 334154

	less 530

	tcsh 6.20

	libc-vis 2017/4/30 (netbsd)

20180120:
	gperf 3.0.3

20180119:
	mandoc 1.14.3

20171222:
	zlib 1.2.11

	LLVM / Clang 3.4.1

20171123:
	mport now supports installing multiple packages with one command.

	binutils updated/synced with FreeBSD 11-stable (today)

20171022:
	wpa_supplicant & hostapd 2.0. This also includes patches for the 
	recent KRACK vulnerability.

20171003:
	SQLite 3.20.1

20171001:
	Subversion 1.8.17

	Perl 5.26.0

	Change 0.10 version to 1.0. There are several compatibility issues
	with using 0.10 as the trailing zero is dropped in several utilities
	making it look like 0.1. 

20170918:
	Introduce nvme(4) and nvd(4) from FreeBSD.

	Fix build of boot code and rescue.

20170819:
	Heimdal KDC-REP service name validation vulerability patched.

	Introduce a partial fix for AMD Ryzen issues. On Ryzen, move
	the lower shared page by one.

20170326:
	sudo removed from base. Use doas(1) or install sudo from mports

	Stable 0.9 created, continue development on 0.10

20170305:
	Add hast module to bsnmpd

20170302:
	add a callback to the ada(4) driver so that it knows when
	GEOM has released references to it.

20170219:
	Add /dev/full device.

	The lindev device has been removed since /dev/full has been made a
	standard device.

	Serf 1.3.9
	Subversion 1.8.10
	apr 1.5.2
	apr-util 1.5.4

20170129:
	add doas utility from OpenBSD.

20161105:
	BIND 9.9.9-p4

	OpenSSH 7.3p1

20161103:
	OpenSSL security patch

	Due to improper handling of alert packets, OpenSSL would consume an excessive
	amount of CPU time processing undefined alert messages.

20161015:
	libarchive 3.2.1

	xz 5.2.2

20161013:
	Sync ZFS code with Illuminos/FreeBSD 9.2. Added support for
	feature flags, pool version 5000. This also includes some
	bug fixes and performance optimizations.

20160925:
	Import NetBSD vis(3) and unvis(3) as well as mtree.

	one-true-awk 20121220

	inetd now honors kern.ipc.somaxconn value.

	netmap synced with FreeBSD 9.2

	linuxolator now has dtrace probes.

	bsdgrep now correctly handles -m to exclude only one file.

	UFS file systems can now be resized in read-write mode due to the new
	write suspension feature.

	Basic support added for Intel Raid Recover Technology.

	GMIRROR & GRAID3 now mark volumes clean on shutdown earlier to help with ZFS issues.

	Highpoint hpt27xx now in GENERIC kernel.

20160923:
	Security update for OpenSSL

	A malicious client can send an excessively large OCSP Status Request extension.
	If that client continually requests renegotiation, sending a large OCSP Status
	Request extension each time, then there will be unbounded memory growth on the
	server. [CVE-2016-6304]

	An overflow can occur in MDC2_Update() either if called directly or through
	the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply
	very large amounts of input data after a previous call to EVP_EncryptUpdate()
	with a partial block then a length check can overflow resulting in a heap
	corruption. [CVE-2016-6303]

	If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
	DoS attack where a malformed ticket will result in an OOB read which will
	ultimately crash. [CVE-2016-6302]

	The function BN_bn2dec() does not check the return value of BN_div_word().
	This can cause an OOB write if an application uses this function with an
	overly large BIGNUM. This could be a problem if an overly large certificate
	or CRL is printed out from an untrusted source. TLS is not affected because
	record limits will reject an oversized certificate before it is parsed.
	[CVE-2016-2182]

	The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
	the total length the OID text representation would use and not the amount
	of data written. This will result in OOB reads when large OIDs are presented.
	[CVE-2016-2180]

	Some calculations of limits in OpenSSL have used undefined pointer arithmetic. 
	This could cause problems with some malloc implementations. [CVE-2016-2177]

	Operations in the DSA signing algorithm should run in constant time in order to
	avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
	a non-constant time codepath is followed for certain operations. [CVE-2016-2178]

	In a DTLS connection where handshake messages are delivered out-of-order those
	messages that OpenSSL is not yet ready to process will be buffered for later
	use. Under certain circumstances, a flaw in the logic means that those messages
	do not get removed from the buffer even though the handshake has been completed.
	An attacker could force up to approx. 15 messages to remain in the buffer when
	they are no longer required. These messages will be cleared when the DTLS
	connection is closed. The default maximum size for a message is 100k. Therefore
	the attacker could force an additional 1500k to be consumed per connection.
	[CVE-2016-2179]

	A flaw in the DTLS replay attack protection mechanism means that records that
	arrive for future epochs update the replay protection "window" before the MAC
	for the record has been validated. This could be exploited by an attacker by
	sending a record for the next epoch (which does not have to decrypt or have a
	valid MAC), with a very large sequence number. This means that all subsequent
	legitimate packets are dropped causing a denial of service for a specific
	DTLS connection. [CVE-2016-2181]

	In OpenSSL 1.0.2 and earlier some missing message length checks can result in
	OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
	DoS risk but this has not been observed in practice on common platforms.
	[CVE-2016-6306]

20160918:
	With the addition of auditdistd(8), a new auditdistd user is now
	depended on during installworld.  "mergemaster -p" can be used to add
	the user prior to installworld.

	The VFS KBI was changed with the merge of several nullfs
	optimizations and fixes.  All filesystem modules must be
	recompiled.

20160916:
	The random(4) support for the VIA hardware random number
	generator (`PADLOCK') is no longer enabled unconditionally.
	Add the PADLOCK_RNG option in the custom kernel config if
	needed.  The GENERIC kernels on i386 and amd64 do include the
	option, so the change only affects the custom kernel
	configurations.

	A new version of ZFS (pool version 5000) has been merged.
	Starting with this version the old system of ZFS pool versioning
	is superseded by "feature flags". This concept enables forward
	compatibility against certain future changes in functionality of ZFS
	pools. The first two read-only compatible "feature flags" for ZFS
	pools are "com.delphix:async_destroy" and "com.delphix:empty_bpobj".
	For more information read the new zpool-features(7) manual page.
	Please refer to the "ZFS notes" section of this file for information
	on upgrading boot ZFS pools.

20160906:
	Add support for the MosChip MCS9904 four serial ports
	controller.

	Add support for walltimestamp in DTrace.

	Various gdb improvments.

	ZFS
	Import the zio nop-write improvement from Illumos. To reduce I/O,
	nop-write omits overwriting data if the checksum (cryptographically
	secure) of new data matches the checksum of existing data.
	It also saves space if snapshots are in use.

	It currently works only on datasets with enabled compression, disabled
	deduplication and sha256 checksums.

	Add loader(8) tunable to enable/disable nopwrite functionality:
	vfs.zfs.nopwrite_enabled

	Introduce a new dataset aclmode setting "restricted" to protect ACL's
	being destroyed or corrupted by a drive-by chmod.

	New loader-only tunables:
	vfs.zfs.sync_pass_deferred_free
	vfs.zfs.sync_pass_dont_compress
	vfs.zfs.sync_pass_rewrite

	chkgrp(8) add support for q flag

	Fix problem with the Samsung 840 PRO series SSD detection.
	The device reports support for SATA Asynchronous Notification in its
	IDENTIFY data, but returns error on attempt to enable that feature.
	Make SATA XPT of CAM only report these errors, but not fail the device.

20160905:
	Add a resource limit for the total number of kqueues
	available to the user. Kqueue now saves the ucred of the
	allocating thread, to correctly decrement the counter on close.
	Based on FreeBSD SVN 256849

	Import netcat from OpenBSD 5.2

20160904:
	Introduced experimental TCP sysctls starting with
	net.inet.tcp.experimental.initcwnd10

20160814:
	switched default desktop port to midnightbsd-desktop. This gives us flexibility to change it
	in the release after the fact.

	tzdata 2016a

20160811:
	libdispatch 210

	Added quirks for several models of SSDs to enable advanced format/4k mode. List includes
	Samsung 830, 840, 850 and 750 series, Intel x25 and a few Toshiba models. Also
	added WD Red drives.

	Updated list of pci device vendors.

	Updated list of usb devices. 

20160807:
	Implement several changes to libmport to fix some memory corruption issues.

20160806:
	sqlite3 3.13.0

20160805:
	Merged fixes for libmport that improve error handling when installing packages. Also
	support mkdir -p like behavior for plist entries.

20160531:
	Fix four security issues with MidnightBSD.

	The implementation of TIOCGSERIAL ioctl(2) does not clear the output
	struct before sending to userland in the linux emulation layer.

	The compat 43 stat(2) system call exposes kernel stack to userland.

	libarchive - CVE-2015-2304 and CVE-2013-0211 fix issues with
	cpio directory traversal and an integer signedness error in the archive
	write zip data routine.


20160528:
	Fixed minor issues with mined(1) and msearch(1).

20160526:
	Add support for Ivybridge and Haswell Intel CPUs to hwpmc(4).

	Fix libpmc(3) build with clang compiler.

20160519:
	Kernel Security updates

	atkbd(4) - Incorrect signedness comparison in the ioctl(2) handler allows a malicious
	local user to overwrite a portion of the kernel memory.

	Incorrect argument handling in sendmsg(2)

	Incorrect argument handling in the socket code allows malicious local
	user to overwrite large portion of the kernel memory.

20160505:
	OpenSSL security patch

	The padding check in AES-NI CBC MAC was rewritten to be in constant time
	by making sure that always the same bytes are read and compared against
	either the MAC or padding bytes. But it no longer checked that there was
	enough data to have both the MAC and padding bytes. [CVE-2016-2107]

	An overflow can occur in the EVP_EncodeUpdate() function which is used for
	Base64 encoding of binary data. [CVE-2016-2105]

	An overflow can occur in the EVP_EncryptUpdate() function, however it is
	believed that there can be no overflows in internal code due to this problem.
	[CVE-2016-2106]

	When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
	a short invalid encoding can casuse allocation of large amounts of memory
	potentially consuming excessive resources or exhausting memory.
	[CVE-2016-2109]

20160412:
	0.8 stable branch created. Continue development as 0.9.

	Fix several issues with wait6 system call addition.

20160409:
	libmport now supports two new plist formats:
	@(root,wheel,4775) myfile
	@dir(root,wheel,775) mydir

	On delete, absoluate paths are now handled properly.

20160317:
	OpenSSH doesn't have the luck of the Irish. 

	Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
	run shell commands on the call to xauth.

	Incorrect argument validation in sysarch(2)

	A special combination of sysarch(2) arguments, specify a request to
	uninstall a set of descriptors from the LDT.  The start descriptor
	is cleared and the number of descriptors are provided.	Due to invalid
	use of a signed intermediate value in the bounds checking during argument
	validity verification, unbound zero'ing of the process LDT and adjacent
	memory can be initiated from usermode.

	Patch obtained from FreeBSD.

20160229:
	top now displays information on ZFS arc cache.

20160228:
	llvm + clang 3.3 is now the default compiler in MidnightBSD. 

20160222:
	Introduce pipe2 to linux emulation layer.

20160114:
	OpenSSL

	The signature verification routines will crash with a NULL pointer dereference
	if presented with an ASN.1 signature using the RSA PSS algorithm and absent
	mask generation function parameter. [CVE-2015-3194]

	When presented with a malformed X509_ATTRIBUTE structure, OpenSSL will leak
	memory. [CVE-2015-3195]

	If PSK identity hints are received by a multi-threaded client then the values
	are incorrectly updated in the parent SSL_CTX structure.  [CVE-2015-3196]

	Fix security on bsnmpd configuration file during installation.

	TCP MD5 signature denial of service

	A programming error in processing a TCP connection with both TCP_MD5SIG
	and TCP_NOOPT socket options may lead to kernel crash.

	SCTP

	A lack of proper input checks in the ICMPv6 processing in the SCTP stack
	can lead to either a failed kernel assertion or to a NULL pointer
	dereference.  In either case, a kernel panic will follow.

20160102:
	Happy New Year

20151101:
	Increase kern.ipc.somaxconn default to 256.

20151017:
	Add initial statistics api to libmport and a driver to print
	it in mport(1).

20151002:
	Revised rpcbind(8) patch to fix issues with NIS

20150930:
	In rpcbind(8), netbuf structures are copied directly, which would result in
	two netbuf structures that reference to one shared address buffer.  When one
	of the two netbuf structures is freed, access to the other netbuf structure
	would result in an undefined result that may crash the rpcbind(8) daemon.

20150926:
	libmport now supports @preexec, @postexec, @preunexec and @postunexec
	to replace @exec and @unexec.  

	pre exec runs afer pre-install scripts but before actual installation

	post exec runs after install but before post install scripts and
	pkg message.

	pre unexec runs before pre uninstall scripts

	post unexec runs before de-install scripts and after file removal.

20150917:
	Fix kqueue write events for files > 2GB

20150825:
	kernel:
	fix a security issue on amd64 where the GS segment CPU register can be changed via
	userland value in kernel mode by using an IRET with #SS or #NP exceptions.

	openssh:
	A programming error in the privileged monitor process of the sshd(8)
	service may allow the username of an already-authenticated user to be
	overwritten by the unprivileged child process.

	A use-after-free error in the privileged monitor process of he sshd(8)
	service may be deterministically triggered by the actions of a
	compromised unprivileged child process.

	A use-after-free error in the session multiplexing code in the sshd(8)
	service may result in unintended termination of the connection.

20150818:
	expat security fix

20150815:
	libc changes:
	setmode(3) now returns errno consistently on error.
	libc will compile without error using clang

20150814:
	wait6 system call added.

	date(1) now handles non numeric numbers passed to -r 
	like GNU coreutils for improved compatibility.

20150811:
	ata(4) AMD Hudson2 SATA controller support.
	Intel lynxpoint SATA.

	Fix some const warnings when building several device drivers
	with llvm/clang.

	Sync cas(4) with FreeBSD 9-stable.

	Fix some minor issues with ath(4).

20150809:
	xz 5.0.8

20150808:
	libmport now logs installation and removal of packages to syslog.

20150805:
	routed - fix a potential security issue where traffic from outside
	the network can disrupt routing.

	bsd patch - fix a bug with ed(1) scripts allowing unsanitized input
	to run.

20150802:
	jansson 2.7 library added. (libjansson is a JSON library in C)

20150728:
	Heimdal 1.5.2 (kerberos implementation)

	OpenSSL 1.0.1o

	cpucontrol(8) now supports VIA CPUs. Synced with FreeBSD 9.2.

	TCP Resassemly resource exhaustion bug:
	There is a mistake with the introduction of VNET, which converted the
	global limit on the number of segments that could belong to reassembly
	queues into a per-VNET limit.  Because mbufs are allocated from a
	global pool, in the presence of a sufficient number of VNETs, the
	total number of mbufs attached to reassembly queues can grow to the
	total number of mbufs in the system, at which point all network
	traffic would cease.
	Obtained from: FreeBSD 8

	OpenSSH

	Fix two security vulnerabilities:
	OpenSSH clients does not correctly verify DNS SSHFP records when a server
	offers a certificate. [CVE-2014-2653]

	OpenSSH servers which are configured to allow password authentication
	using PAM (default) would allow many password attempts. A bug allows
	MaxAuthTries to be bypassed. [CVE-2015-5600]


	Switch to bsdpatch (from FreeBSD & OpenBSD)

20150726:
	BSD Sort updated

	sqlite 3.8.10.2

20150725:
	Import reallocarray from OpenBSD's libc.  

	The reallocarray() function is similar to realloc() except it operates on 
	nmemb members of size size and checks for integer overflow in the 
	calculation nmemb * size.

20150722:
	Fix a bug where TCP connections transitioning to LAST_ACK
	state can get stuck. This can result in a denial of service.

20150715:
	libmport now supports @shell and @sample in plists. This means that
	a shell port can automatically add an entry to /etc/shells and remove
	it upon uninstallation. For sample files, a copy is made without the 
	.sample extension if one does not exist and it is removed automatically
	only if the md5 hash of the two files is the same. 

20150709:
	flex 2.5.39

20150702:
	ZFS in MidnightBSD now supports lz4 compression. You can enable it
	with zfs set compression=lz4 pool/path.

	Verify it's working with 
	zfs get compressratio pool/path
	du -h -s *

	Note you must write new data when turning on compression to see
	changes. Existing files are not compressed.

	Note: While we used the same basic implementation of lz4 that
	FreeBSD and OpenZFS uses, we did not yet implement features support
	and the zfs version still reports 28. This may come in a future update
	to ZFS.

20150621:
	libmport now automatically stops services when deleting packages.

	The package must have installed an rc.d script in /usr/local/etc
	for this to work. This is equivalent to running service <name> onestop

20150618:
	Sendmail

	With the recent changes to OpenSSL to block 512 bit certificates,
	sendmail can't connect with TLS to some servers.

	Increase the default size to 1024 bit for client connections to
	match the server configuration.

	ZFS

	Added ZFS TRIM support which is enabled by default. To disable
	ZFS TRIM support set vfs.zfs.trim.enabled=0 in loader.conf.

	Creating new ZFS pools and adding new devices to existing pools
	first performs a full device level TRIM which can take a significant
	amount of time. The sysctl vfs.zfs.vdev.trim_on_init can be set to 0
	to disable this behaviour.

	ZFS TRIM requires the underlying device support BIO_DELETE which
	is currently provided by methods such as ATA TRIM and SCSI UNMAP
	via CAM, which are typically supported by SSD's.

	Stats for ZFS TRIM can be monitored by looking at the sysctl's
	under kstat.zfs.misc.zio_trim.

	rc.d

	Reworked handling of cleanvar and FILESYSTEMS so that FILESYSTEMS
	implies everything is mounted and ready to go.

	Changed how ip6addressctl maps IPv6 on startup.

20150613:
	tzdata 2015d

20150612:
	OpenSSL 0.9.8zg

20150419:
	MidnightBSD 0.6 stable branch created. Continue 0.7 
	development.

20150418:
	sqlite 3.8.9

20150407:
	Fix two security vulnerabilities:

	The previous fix for IGMP had an overflow issue. This has been corrected.

	ipv6: The Neighbor Discover Protocol allows a local router to advertise a
	suggested Current Hop Limit value of a link, which will replace
	Current Hop Limit on an interface connected to the link on the MidnightBSD
	system.

20150319:
	OpenSSL 0.9.8.zf

	mksh R50e

	Apple mDNSResponder 561.1.1

20150306:
	Upgrade OpenSSL to 0.9.8ze

20150225:
	Fix two security vulnerabilities.

	1. BIND servers which are configured to perform DNSSEC validation and which
	are using managed keys (which occurs implicitly when using
	"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
	unpredictable behavior due to the use of an improperly initialized
	variable.

	CVE-2015-1349

	2. An integer overflow in computing the size of IGMPv3 data buffer can result
	in a buffer which is too small for the requested operation.

	This can result in a DOS attack.

20141211:
	Fix a security issue with file and libmagic that can allow
	an attacker to create a denial of service attack on any
	program that uses libmagic.

20141109:
	Fix building perl during buildworld when the GDBM port is installed.

20141106:
	tzdata 2014i

20141102:
	serf 1.3.8

20141031:
	tnftp 20141031 fixes a security vulnerability with tnftp,
	CVE-2014-8517. 

20141028:
	OpenSSL 0.9.8zc

20141021:
	Fix several security vulnerabilities in routed, rtsold,
	and namei with respect to Capsicum sandboxes looking up
	nonexistent path names and leaking memory.

	The input path in routed(8) will accept queries from any source and
	attempt to answer them.  However, the output path assumes that the
	destination address for the response is on a directly connected
	network.

	Due to a missing length check in the code that handles DNS parameters,
	a malformed router advertisement message can result in a stack buffer
	overflow in rtsold(8).

20141011:
	mksh R50d - fix field splitting regression and null 
	pointer dereference

	xz 5.0.7

	OpenSSH 6.6p1

20141004:
	mksh R50c - security update for environment var bug with 
	foo vs foo+	

20141002:
	sqlite 3.8.6

	sudo 1.7.8 - some issues with the current version, but we're slowly
	getting up to date.

20141001:
	mksh R50b

	libmport now supports plist commands @dir, @owner, @group, @mode.

	sudo 1.7.6p2

20140916:
	Fix a security issue with TCP SYN.

	When a segment with the SYN flag for an already existing connection arrives,
	the TCP stack tears down the connection, bypassing a check that the
	sequence number in the segment is in the expected window.

20140909:
	Fixed a bug with our clearenv(3) implementation that caused segfaults
	with some programs including Dovecot.

	OpenSSL security patch: 

	The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
	to consume large amounts of memory. [CVE-2014-3506]

	The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
	memory. [CVE-2014-3507]

	A flaw in OBJ_obj2txt may cause pretty printing functions such as
	X509_name_oneline, X509_name_print_ex et al. to leak some information from
	the stack. [CVE-2014-3508]

	OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
	a denial of service attack. [CVE-2014-3510]

20140902:
	We're now 0.6-CURRENT

	Update USB quirks to support K70 Corsair keyboard, and several
	other devices.

20140827:
	Perl 5.18.2

20140728:
	Jails now run shutdown scripts.

20140710:
	Fix a vulnerability in the control message API. A buffer is not properly cleared
	before sharing with userland.

20140701:
	MKSH R50

20140630:
	File 5.19

20140605:
	Fix four security issues with OpenSSL

20140604:
	Sendmail failed to properly set close-on-exec for open file descriptors.

	ktrace page fault kernel trace entries were set to an incorrect size which resulted
	in a leak of information.

20140430:
	Fix a TCP reassembly bug that could result in a DOS attack
	of the system. It may be possible to obtain portions
	of kernel memory as well.

20140411:
	Update zlib to 1.2.7

20140122:
	Support for username with length 32. Previous limit was 16

20140114:
	Fix two security vulnerabilities.

	bsnmpd contains a stack overflow when sent certain queries.

	bind 9.8 when using NSEC3-signed zones zones, will crash with special
	crafted packets.

20131228:
	Imported FreeBSD 9.2 usb stack (plus z87 patches from stable)

	Updated em(4), igb(4) and ixgbe(4)

	MidnightBSD now works with Z87 Intel chipsets.

20131207:
	Remove sparc64 architecture. It hasn't been working for awhile
	and it's not useful for desktops anymore.

20131205:
	OpenSSH 6.4p1

20131203:
	Perl 5.18.1 imported.

	Update less to v458

20131130:
	Remove named from base. We still include the client utilities for
	now until replacements can be found.

20131004:
	rarpd supports vlan(4) and has a pid flag. (from FreeBSD)

20130917:
	Support for 65,536 routing tables was added.  A new fib specific
	field has been added to mbuf.  This is an increase from 16.

20130910:
	Security updates: (kern.osreldate 5001)

	nullfs(5)

	The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not
	check whether the source and target of the link are both in the same
	nullfs instance.  It is therefore possible to create a hardlink from a
	location in one nullfs instance to a file in another, as long as the
	underlying (source) filesystem is the same.

	ifioctl

	As is commonly the case, the IPv6 and ATM network layer ioctl request
	handlers are written in such a way that an unrecognized request is
	passed on unmodified to the link layer, which will either handle it or
	return an error code.

	Network interface drivers, however, assume that the SIOCSIFADDR,
	SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been
	handled at the network layer, and therefore do not perform input
	validation or verify the caller's credentials.	Typical link-layer
	actions for these requests may include marking the interface as "up"
	and resetting the underlying hardware.

20130824:
	Fix a bug in sendmail 8.14.7 that interferes with how it
	handles AAAA records interoperating with Microsoft DNS servers.
	FreeBSD has already reported this to Sendmail and a fix
	will be included in the next release.

	Subversion 1.8.1 is now in the base system as a static
	binary.  It has limited functionality, but can be used to
	checkout/commit code.  It is named svnlite.

20130822:
	Fix two security vulnerabilities.

	Fix an integer overflow in IP_MSFILTER (IP MULTICAST). 
	This could be exploited to read memory by a user process.

	When initializing the SCTP state cookie being sent in INIT-ACK chunks,
	a buffer allocated from the kernel stack is not completely initialized.

	Import xz 5.0.4

	Import sqlite 3.7.17

	Import BIND 9.8.5-P2

20130814:
	mksh R48 imported.

	Sendmail 8.14.7 imported.

20130717:
	libmport bug was fixed causing hash verification to fail.

	virtio(4) imported from FreeBSD 9-stable. SCSI support not
	included.

20130612:
	RELENG_0_4 created for 0.4. Development continues on 0.5.

20130402:
	Update BIND and OpenSSL to resolve security advisories.

20130305:
	MKSH R44 imported.

20130213:
	MKSH R42b imported

20130211:
	MKSH R42 imported

20130125:
	MKSH R41 imported

20130122:
	OpenSSH 5.8p2 imported

	SQLite 3.7.15.2 imported

	Fixed a longstanding bug in libmport extrating new index files.

20120710:
	BSD licensed sort imported from FreeBSD-CURRENT

	For now, GNU sort is installed as gnusort, but it will
	go away in time.

20120708:
	tcsh 6.18.01 imported.

	NetBSD's iconv imported.

	libc gains strnlen(3), memrchr(3), stpncpy(3).

20120612:
	BIND security update related to CVE-2012-1667.

	Zero length resource records can cause BIND to crash resulting
	in a DOS attack or information disclosure.

20120407:
	mksh R40f (fixes regression)

20120328:
	mksh R40e

	Perl 5.14.2

20120229:
	cpucontrol(8) and cpuctl(4) added from FreeBSD 7-stable.

20120209:
	mDNSResponder 333.10 imported

20111227:
	import raid5 module for GEOM, graid5(8)

	This is experimental and known to use a lot of kernel
	memory. 

20111223:
	telnetd: fix a root exploit from a fixed buffer that was not checked

	pam: don't allow escape from policy path.  Exploitable in KDE, etc.

	Fix pam_ssh module:

	If the pam_ssh module is enabled, attackers may be able to gain access
	to user accounts which have unencrypted SSH private keys.

	This has to due with the way that openssl works.  It ignores unencrpted data.

	Fix security issue with chroot and ftpd.

	nsdispatch(3) doesn't know it's working in a chroot and some 
	operations can cause files to get reloaded causing a security
	hole in things like ftpd.

20111217:
	libdialog/dialog upgraded to an lgpl version. As it's not
	backwardly compatable, include the old libdialog as libodialog

20111212:
	mksh r40d imported

20111210:
	re(4) and rl(4) updated to support new chips.

	GEOM synced with FreeBSD 7-stable.

	MidnightBSD GPT partition types created in sys/gpt.h and
	setup in boot loader and GEOM.

	amdsbwd(4) (amd watchdog for south bridge) updated to support
	8xx series chipset.

20111207:
	import bsd grep from FreeBSD/OpenBSD.

	MK_BSD_GREP controls which grep is installed
	as grep with the other as bsdgrep or gnugrep.

20111122:
	mksh vR40c imported.

20111117:
	BIND 9.6 ESV R5 P1

20111107:
	tzdata 2011n

20111026:
	mDNSResponder v320

	BIND 9.6 ESV R5

20111022:
	cflow 0.0.6 imported

20111020:
	less v436 imported

	amdsbwd(4) AMD southbridge watchdog 

20111019:
	awk 20110810 imported

	et(4) Agere Gigabit Ethernet/Fast Ethernet driver added, but
	not included in GENERIC kernel.  The kernel module needs
	testing before we can include it in GENERIC.

	intr_bind code ported to allow an IRQ to be bound to one
	specific CPU core.

20111017:
	Time Zone Data v. 2011l (Released 10 October 2011)

	Updated list of countries (iso3166) to work with new timezone data.

20111015:
	Introduce CPU Affinity in MidnightBSD. cpuset(1) can be used
	to control which core or group of cores can be used for a given
	process. Several new system calls were added to support this
	functionality in the running kernel and for 32bit binary
	compatibility on amd64. 

	The scheduler default has been changed to ULE in i386 and
	amd64.	Changes were made to both schedulers (4BSD AND ULE)
	for this feature. 

	This work is based on Jeff Roberson's FreeBSD 7.1 patches.

20111004:
	Fix a problem with unix socket handling caused by the recent
	patch to unix socket path handling. This allows network
	apps to work under the linuxolator again.

20111001:
	Import libfetch & fetch(1) from FreeBSD 9. Passive FTP is 
	now default and an environment variable must be set to use
	active.

20110930:
	Introduce quirks handling for several umass devices including
	USB cameras.  Add workaround for Cyberpower UPS devices.

	Bring in further bug fixes from FreeBSD and NetBSD for alc(4).
	Stale ip/tcp header pointers are no longer used, lockups fixed
	when network cable is unplugged on bootup, enable TX checksum
	offloading.

	Add a new man page for gcache(8), a useful geom class when
	working with large raid3 sets.

	Restore previous workaround for Cypress pata storage controller.

20110929:
	Sync ath(4) with FreeBSD 7.3.

	The following modules are no longer available, and should be
	removed from loader.conf:
	ath_hal ath_rate_amrr ath_rate_onoe ath_rate_sample

	alc(4) would hibernate when a cable was unplugged and often
	required bring the interface down and up to "wake up" so that
	a connection could be established.  Disable hibernation.

20110928:
	Fix security issues with gzip and compress related to .Z
	files that are corrupted.

	Fix path validation with unix domain sockets.

20110917:
	Remove dependance on mports perl for generating releases as
	it's in the base system.

20110914:
	Import xz 5.0.3 with liblzma 5.0.3

20110813:
	synced the sparc64 GENERIC kernel configuration with amd64.

20110806:
	sqlite 3.7.7.1 imported

	msearch(1), libmsearch and msearch.import added.  msearch(1) provides
	a full text search command line tool.  libmsearch can also be used
	to build a graphical based search in the future. You can enable
	index building for msearch in periodic.conf or manually run the
	/usr/libexec/msearch.index tool.  Full text indexes take considerable
	space in /var.	I'm using approximately 500MB currently.

	Fix a long standing bug with the periodic script to check package
	versions.  This will be obsolete with mport though.

20110710:
	kdb_enter_why added to MidnightBSD to allow the kernel debugger to 
	know why it's in use and thus script can be run.

	Yet another problem with the perl manifest was fixed

20110709:
	cpufreq(1) is a new utility to monitor CPU frequency which may change
	with use of powerd(8) and cpufreq(4).

20110612:
	Update mksh to R40

	Catch up ObsoleteFiles.inc to remove Perl 5.10.x.  Good to run when
	updating current (cd /usr/src && make check-old)

20110528:
	Fix CVE-2011-1910 in BIND 9.6.x.  This affects caching resolvers.

20110526:
	newfs:
	Raised the default blocksize for UFS/FFS filesystems from
	16K to 32K and the default fragment size from 2K to 4K.

	This should slightly imporve performance on "advanced format"
	hard drives such as the WD EARS drives. Drives of this type
	have emulation modes that slow down with lower sizes.  Of course
	the drive must still be aligned properly when using fdisk.

20110521:
	mport tool now has a deleteall command.  This can be used to remove
	all packages from a system.

	A few bugs with the perl 5.14 import have been fixed.

20110518:
	Perl 5.14.0

20110517:
	Sendmail 8.14.5

20110314:
	DRM/DRI code updated to support newer video cards. (FreeBSD 7.1)

	cdevpriv wrappers added

	nss_mdns hack introduced to work around linking problem.

	dnsextd fixed after update to mDNSResponder code.

20110308:
	Introduce liblzma & xz 5.0.1 to the base system

	Patch for OpenSSL security issue CVE-2011-0014.

	"OSREVISION 4004"

	nsswitch module for multicast dns (nss_mdns) added.

	tzdata2011c

20110220:
	cam(4) syncronized with FreeBSD 7.3.

20110219:
	amdtemp(4) updated to support sensors framework.

20110217:
	Perl 5.10.1 imported

20110216:
	Introduce igb(4) and split Intel Gigabit Ethernet adapters between
	igb(4) and em(4).  Newer devices use igb(4).  The code has moved
	to sys/dev/e1000 for both devices in the kernel. igb(4) has
	been placed in GENERIC on i386 and amd64.

	Update bfe(4) to support newer devices and WOL.

20110215:
	age(4) added.

20110208:
	BIND 9.6.3 which fixes a bug with DNSSEC records getting added.

20110206:
	eeemon(4) added to monitor Asus Eee PC.

20110205:
	OpenSSH 5.7p1

	GNU sort 6.9 (coreutils)

20110203:
	one true awk 20100523 imported

	sqlite 3.7.5

	OpenSSL 0.9.8q

20110202:
	tcsh 6.17.00

	file 5.05

20110122:
	Import it(4) and lm(4), with support for Super I/O hardware monitors. This
	uses the sensors framework ported by Constantine A. Murenin (GSOC2007)

20110120:
	BIND 9.6.2-P3

	sudo 1.7.4-p6

20110115:
	Add experimental jme(4) for Jmicron ethernet devices.

20101130:
	A double free exists in the SSL client ECDH handling code, when
	processing specially crafted public keys with invalid prime
	numbers. [CVE-2010-2939]

20101120:
	Several portions of the kernel and userland code related to UFS file 
	systems (and UFS2) cannot properly handle inode counts above 2^31 due
	to use of int types.  Based on a patch from FreeBSD, I've modified
	our UFS2 implementation to handle unsigned values for inode counts
	which should allow for file systems greater than 16TB.

	newfs and growfs was also modified.

20101110:
	Fix a security issue with pseudofs which could result in running code in kernel
	context or a kernel panic depending on system configuration.  This affects file
	systems such as procfs for instance.

20101021:
	sysrc is a utility to print and modify name/value pairs in /etc/rc.conf easily.
	This is similar to functions present in many linux distros. The utility was
	written by Devin Teske for FreeBSD.

20100920:
	bzip2 security patch for integer overflow.

20100905:
	MidnightBSD RELENG_0_3 branch created.	Aggressive development continues here
	for 0.4.

20100902:
	Fix a security issue with libutil that allows users to bypass cpu limits in
	login.conf in some cases.  This combined with OpenSSH for example can allow
	the user to get more resources than they're allowed.

20100822:
	Import Apple's mDNSResponder (mdnsd).

20100814:
	libdispatch added to MidnightBSD.  This provides functionality found in
	Mac OS X's GCD.  We do not have blocks support yet.  As this code is
	licensed under Apache 2, we create a new MK_APACHE option so that
	it's not required for all users to run code under a license they
	may not like.

20100713:
	mbuf readonly fix related to sendfile(2) data corruption.

20100704:
	brainfuck(1) imported from MirBSD.

20100505:
	zlib 1.2.5

20100430:
	Sudo 1.7.2p6 imported

20100321:
	Update zlib to 1.2.4

20100319:
	Removed i586 from default i386 generic kernel.

20100317:
	Update to tzdata2010e (time zones).  This includes changes in
	Mexico.

	Add support for several newer sound cards via hda including
	ATI and Realtek chipsets.

20100313:
	CPU detection has been changed.  VIA Padlock detection added.

20100312:
	Fix a number of bugs and compiler warnings in libmport. Handle
	plus signs in paths for mport.check-fake

20100311:
	mksh R39c

20100309:
	Sudo 1.7.2p5

	sqlite3 3.6.23

	mksh R39b

	libffi (ffi) 3.0.9

20100206:
	WITHOUT_LIB32 is no longer needed on AMD64.  GCC was fixed to
	properly pass arguments to ld.

	re(4) and rl(4) have been updated to support several new
	realtek chipsets.  Performance has been improved on re(4).

20100204:
	Fix a bug cropping up on AMD64 MidnightBSD with sftp
	segfaulting.  

20100116:
	Import ash changes from FreeBSD (bin/sh) 8-Stable.

	BIND 9.6.1-P2

20100110:
	Import Sendmail 8.14.4. Fix for SSL vulnerability.

	posix_spawn(3) added to MidnightBSD libc.  Users may need to build and
	install libc before doing a full buildworld when upating from 0.2 or
	older current systems.

	kqueue(2) was modified to support portions of libdispatch functionality.

20100106:
	Bind security update.  Fix a bug with DNSSEC that causes negative
	cache entries and thus a possible DNS cache poisoning attack.

	Fix a bug in ZFS that can reset permissions on system crashes.

20091228:
	amdtemp(4) was added.  It allows one to monitor to the temperature
	of an AMD CPU such as a Phenom.

20091205:
	OpenSSL security fix

	The SSL version 3 and TLS protocols support session renegotiation without
	cryptographically tying the new session parameters to the old parameters.

20091128:
	OpenBSD sensors framework imported including sensorsd(8)

20091126:
	OpenNTPD 4.4 import

	Update OpenSSH to 5.3p1

	mksh R39

20091124:
	cpdup updated from DragonFly to 1.15

	tzdata2009s updated with latest timezone data for November 2009.

20091010:
	amd64 users should use WITHOUT_LIB32=yes in /etc/make.conf for now
	to test current.

	Revert unicode filename fixes from ntfs code.  This was causing chaos
	on amd64 systems.

20091006:
	Update timezone data with tzdata2009n with the Pakistan and
	Argentina changes.

	Sync several userland utilities with versions from FreeBSD 7.0 in
	sbin and usr.sbin.

20090919:
	Update timezone data with tzdate2009m from September 2009.

20090729:
	Patch for Bind 9 security vulnerability. a dynmaic update packet 
	can trigger an assertion and cause named to exit

20090606:
	Remove PCC from the base system.  This compiler will not work
	as a system compiler for us as we've got some userland investment
	in C++ code and may have Objective-C in the future.  We're stuck
	with a solution that supports these three languages at a minimum.

	I had wanted to keep it as an optional compiler because it is
	fast, however too many users want to try to use it for the base
	system which makes no sense.

	A hack was added for Cypress based usb hard drive enclosures to
	the kernel.  This should cut down on commands it claims to support
	but does not (at the cam layer).  Found while testing ZFS on
	an external device.

20090520:
	The powerd daemon no longer starts automatically to improve
	compatibility with many systems.  However, there is a new
	installer option in the startup section to enable it. This
	makes it easier to enable for users that have working systems. I		thought it was only a problem on older hardware, but it freaks
	out my new Phenom too.

20090502:
	OpenSSH 5.2p1 import

	ale(4) connected to the build. (kernel module only)

20090501:
	Imported makefs utility from NetBSD/FreeBSD

20090422:
	OpenSSL security update

	The function ASN1_STRING_print_ex does not properly validate the lengths
of BMPString or UniversalString objects before attempting to print them.

20090415:
	Created a Symbol.map for libc/ohash symbols

	Updated several usr/bin usr/sbin utilities.

	Corrected a bug with Makefile.inc1 causing the bootstrap
	tools to fail.

20090405:
	xorg 7.4 wants to configure its input devices via hald which does not
	yet work with USB. If the keyboard/mouse does not work in xorg then
	add
		Option "AllowEmptyInput" "off"
	to your ServerLayout section.  This will cause X to use the configured
	kbd and mouse sections from your xorg.conf

20090403:
	mksh was disconnected a few day ago do to bugs with
	buildworld and mports.	Now, connect it back 
	for use as /bin/sh with a conditional called
	MK_ASH.  By default, ash is the standard /bin/sh
	but we may change this later.  This will allow further
	testing by users and developers of mksh without
	causing an unpleasant default experience.  In the
	long run, we need to fix mksh compatibility.

20090328:
	Bring in mksh R37 from CVS. The dot.mkshrc files for root 
	and skel were changed.	mksh(1) now replaces ash aka sh(1)
	as the default /bin/sh.  Please report bugs with
	ports, etc. The ash code will remain in the repo for awhile
	as I decide if we'll add something like MK_SHELL_ASH as
	an optional build parameter.  

	ahd was disconnected from the lint environment until
	the compiler bug is sorted (by updating gcc?)

	Remove freebsd-tips from fortune files and change the
	default for login and profile.

20090327:
	Update libarchive to 2.5.5, tar, and add bsdcpio.

	Also previously, ctriv has been connecting Perl 5.10
	to the build (part of os).  This will have an impact
	on mports.

20090325:
	Update Bind to 9.4.3-P1

	Update mksh to R36b

	Update tcpdump to 3.9.8, fix libpcap to work with current.

	Update pnpinfo, sync with FreeBSD.

20090115:
	Fix a problem with DNSSEC and BIND.

20090110:
	For applications using OpenSSL for SSL connections, an invalid SSL
	certificate may be interpreted as valid.  This could for example be
	used by an attacker to perform a man-in-the-middle attack.

	Other applications which use the OpenSSL EVP API may similarly be
	affected.

	Stop cross site request forgery attacks in lukemftpd

20090104:
	Import GNU libreadline 5.2

20090101:
	Update time zone data to 2008i.

20081231:
	Correct a problem where bluetooth and netgraph sockets are not
	properly initialized.

	Happy 2009.

20081206:
	Due to the massive change in the underlying system under way,
	we're naming the next release 1.0.  The sys/sys/param.h was
	changed accordingly.  ipfilter and ncurses were corrected
	using __MidnightBSD__ tests in the code.  

	The GENERIC kernel config was caught up on i386 today.	Consider
	i386 still broken, but amd64 is running again. 

	mdoc.local was updated with the new MidnightBSD version info.

	batt(1) was rewritten in C.  It now supports several flags and
	runs about 8 times faster on my laptop.  The default output
	shows the number of minutes of battery life remaining and the
	percentage.  You can use -u to display the number of batteries or
	-c to get script friendly output.  Consult the man page for more.

20081204:
	Work has completed on importing ZFS, jemalloc, several
	new devices, SCTP, updated pf, a new tempfs, linuxolator 2.6 kernel
	support, improved locking for file desc., audit (openbsm), 
	openssl .98e, nfe, imporved intel high def audio, midi, updated
	intel gigabit (em), support for several wifi cards (intel), ...

	Renamed 0.3-CURRENT officially. Switched to using MidnightBSD version
	data from param.h instead of the FreeBSD version.  This means
	testing is now possible in the ports tree for the version
	and that any ports or code relying on the FreeBSD version from
	sys/sys/param.h will need to be fixed.

20080905:
	update nve(4) to support new hardware.

20080801:
	Import OpenBSM 1.0

	Modify src/release to create 3 isos instead of 2 for packages.

	etc/rc.d/firstboot now enables kdm, gnustep + slim and bsdstats.

	Many ia64, alpha, powerpc items were removed. 

	The recent diffutils 2.8.7 import was fixed.

20080703:
	pcc was not installed properly when setting DESTDIR for live cds, 
	or posibly jails. 

20080627:
	Add firmware(9), WEP, CCMP, TKIP to GENERIC.

	Add glabel to GENERIC.

	Intel ICH8 mobile chipset used on some iMacs included with ata.

	pcc connected to the build on i386. (alternative compiler)

	ath added to GENERIC.  (Atheros wireless NICs) on amd64/i386

20080528:
	Sendmail 8.14.3

20080516:
	ssh-vulnkey allows you to look for vulnerable ssh keys that
	were generated on Debian and Ubuntu hosts over the last
	few years.  sshd can block offending keys with a configuration
	option.

	The elf note on binaries is now set to MidnightBSD.

20080514:
	Fixed a number of problems with pcc.  It is not yet connected
	to the build, but usable on i386 hosts.  You may use it 
	by make; make install in /usr/src/usr.bin/pcc.	It will
	install in /usr/local as some of the files conflict with
	GCC versions. __MidnightBSD__ is defined in PCC as well.

	System headers were fixed to allow pcc to compile many binaries
	on MidnightBSD.  bin/cp will work now for instance.

20080430:
	__MidnightBSD__ is now defined via gcc.  This can be tested
	to determine we're running on MidnightBSD in the preprocessor.

20080429:
	Import bind 9.4.2 with threading

	libpthread (KSE) and libthr are built earlier
	
	pcvt(4) removed!

	Alias added for core2 cpus.

	Alpha and PC98 only utilities removed from usr/sbin

	syslogd, adduser, rmuser, mergemaster and mailwrapper have been
	improved.  See the man pages for info.

	periodic scripts will not send emails with empty message bodies.
	See mailwrapper fix.

20080410:
	Sync cpdup with DragonFly.  Add parallel transaction support and
	-l flag to line-buffer stdout and stderr.

20080406:
	Import bzip2 1.05
	Import OpenSSH 4.9p1

20080322:
	The default umask was changed to 022.
	
	/usr/X11R6 paths were removed from several config files.

	.mkshrc files are now installed for root.

20080316:
	FIx a problem with gif0 tunnels and neighbors with IPV6.

20080312:
	Add lndir from X.org.  This aides in the porting of MirPorts.

	New OS versions were added to the mapage code (groff)

20080310:
	Correct a buffer overflow in ppp.

20080308:
	Remove /usr/X11R6 from manpath config.

20080307:
	Atheros driver no longer has several options set
	which corrects building in tinderbox on all three platforms.

	Added a new macro to sx.h which returns true if the current
	thread holds an exclusive lock on a specifix sx.

	Removed OS/2's HPFS file system.   It's not maintained and
	I don't know anyone using OS/2 or ecomstation these days.
	My copy is in the closet collecting dust.

20080306:
	Synced tinderbox with FreeBSD.	Modified it for MidnightBSD.
	Developers can now use it to check src builds.

20080303:
	Add mksh to /etc/shells, made some adjustments to options
	for mksh builds per suggestion upstream.

	USB HID table updated with modern hardware list.

	Updated BSD family true (we're not in there yet)

	iso3166 file updated and import of tzdata2007k for 
	new time zones.

	Updated mksh to latest version R33.

20080228:
	Remplaced the random IP id generation code with a new
	version by Amit Klein.

20080221:
	Sendfile write only permissions fix.

	Removed some HPFS and PC98 code.

	iso639 file sycned with DragonFly.

20080128:
	Changed NTP configuration so that ips aren't cached
	so multiple servers are used.

	Fix an issue with fork() in libpthread.

20080121:
	Add virtualization detection to set the HZ rate
	according to a VM present.  VMWare and Parallels
	should work better like this.

	Change to full x11 install in sysinstall.  Add
	xorg 7 support.

20080115:
	Fix the handling of PTY's.  CVE-2008-0216

20080105:
	mport delete code added, USE_MPORT_TOOLS knob aded.

20080101:
	Happy New Year

20071123:
	Update sendmail to 8.14.2

20071120:
	Update system compiler to gcc 3.4.6.

20071023:
	Updated mksh to R31d.

20070911:
	Updated mksh to version R31b.

	Fixed stderr output in libpthread.  Previously it was
	written to stdout.

20070831:
	Added dot.mkshrc file to support the recent change to 
	mksh from OpenBSD's ksh derived from pdksh.  

	Added new firewall configuration.  ipfw is enabled by default
	with a "desktop" configuration.  Consult /etc/rc.firewall
	or ipfw show to see the ruleset used.  You can disable
	ipfw by setting firewall_enable="NO" in /etc/rc.conf This
	change only effects IPv4.  IPv6 does not have a firewall
	enabled by default.

20070814:
	Removed GNU tar source.  We've been using BSD tar 
	for awhile.

20070806:
	Finished removing umapfs and autofs from the tree.

20070804:
	BIND and Tcpdump have been patched for recent vulnerabilities.

	We switched to BSD cpio (pax).

20070719:
	Imported cpdup from DragonFly as /bin/cpdup

20070716:
	Update GNU cpio to 2.8. 

20070410:
	cvs was updated to 1.12.13.  cvsbug was removed.
	cvs now behaves similarly to DragonFly's cvs with
	most of their local changes.  

20070409:
	RELENG_0_1 was created. More aggresive changes will
	continue here.

20070406:
	Back out propolice.  propolice caused several problems
	with our threading libraries libthr and libpthread.  
	curthread was often NULL after the patch and many
	multithreaded applications would crash.  We plan to 
	work on either bringing in gcc 4.1 or developing a new
	patch which also corrects our threading issues later.

	It is more important to have a stable system for our
	mport work and other projects at this time.

	This is not a clean removal.  It is recommended that you
	have a recently SNAP CD handy.	You can either reinstall
	or perform a make buildworld and make buildkernel and 
	make installkernel.  Reboot on the cd and copy the contents
	of /bin, /sbin, /lib, /libexec, and /usr/bin, /usr/sbin,
	/usr/lib, and /usr/libexec to the respective directories on
	your disk.  Then you should be able to boot into single user
	mode and run make installworld.  You will need to run
	chflags noschg on some of the files if you can't overwrite
	them. 

	You will get __guard missing errors since we had to remove
	this from libc.

	You will need to rebuild any ports built while propolice was
	installed.

20070401:
	Importing propolice into MidnightBSD. Propolice is going to
	provide us with much greater security and stability in the
	long run. If upgrading from a pre-propolice system, please
	follow the these instructions:

	cd /usr/src/lib/libc && make obj && make && make install
	cd /usr/src/gnu/usr.bin/cc && make obj && make && make install
	cd /usr/src/lib/libpthread && make obj && make && make install
	cd /usr/src/lib/libthr && make obj && make && make install
	buildworld and kernel

	It is adviced that any mports which were installed and/or built
	prior to the propolice update also be updated. If any errors
	or issue are encounted, please contact security@midnightbsd.org
	and we will be sure to investigate and come up with an expeditious
	fix.

20070314:
	Remove send-pr from src.

	Switch to NetBSD's gzip.

	Bump MBSD minor revision.

20070313:
	Imported OpenSSH 4.6p1.

	Imported FreeBSD's libarchive and updated tar to work with it.

	Disabled debug statements cluttering up /var/log/messages for
	the tcp autobuf patch applied previously.

20070312:
	Synced several audio changes from FreeBSD 6.1. Removed the 
	BSD Daemon files from src/share.  

20070308:
	Added mfi which supports LSI Logic MegaRAID SAS devices including
	the Dell perc5i.

20070206:
	Imported OpenBSD's sudo into source. Please install
	/usr/src/usr.bin/sudo/lib first before building.

	Those who install from a snapshot after this date
	will not be effected.

20070119:
	Added audit group.  Be sure to add audit to your /etc/group file
	before installing world.

	hostapd was updated to 0.4.8.

	An accidental commit in usr.sbin/bluetooth/hccontrol was fixed to
	unbreak world.

	wpa_supplicant was updated.

	For stability and compatibility reasons, it was decided that MidnightBSD
	sync with FreeBSD 6.1 Release.	Nearly every change between the original
	fork date of February 24, 2006 and the release of FreeBSD 6.1 in May
	2006 will be merged.  Beyond this, MidnightBSD will be a "real" fork and
	will not sync every little change with FreeBSD.

20061231:
	Updated COPYRIGHT for 2007.

	Updated and bumped libutil after importing NetBSD efun(3) functions.

	Added MidnightBSD_version and bumped the FreeBSD version as we've
	synced all commits between the fork and that version.  It is now safe
	to assume MidnightBSD is compatible with FreeBSD RELENG_6 from
	Feb 26, 2006.

	Added spell(1) and deroff(1) from NetBSD.  Also added additional
	dict files to work with it. /usr/share/dict/american, 
	/usr/share/dict/british and /usr/share/dict/special/math

	Numerous man page and bug fixes.

20061226:
	Setup /usr/share/examples/cvsup SUPfiles for the new
	MidnightBSD CVSup server. 

	Fix a bug in burncd where it would continue forever while
	erasing CDRW media.

	Add csup to /usr/bin.  csup is a CVSup replacement written
	in C. 

	Fixed a bug with bsnmpd build from Oct 30.  

	Corrected some race conditions and fixed a few bugs in
	geom.  Imported changes from FreeBSD RELENG_6.

20061225:
	Fixed a typo in src/lib/libc/sparc64/fpu/fpu_implode.c
	that caused long double to long and long long 
	conversion of negative numbers to always result in -1.

20061221:
	Fixed acpi_battery.c to not report an ERROR if no
	batteries are present.

	Performed some minor updates on the RL and RE NIC drivers.
	RL should no longer panic when trying to print errors.

	Corrected a bug with TTY.

20061218:
	Corrected a bug with libpthread where newly created suspended
	threads don't get scheduled.

20061206:
	Fixed a typo with the firewire security patch.

20061129:
	Minor cleanups to utilities in bin.

	Fixed msdos file system short file name behavior to match
	FreeBSD.

20061031:
	Updated man pages in section 7.

20061030:
	Updated sys/dev/drm to support intel 915 and radeon 
	r300 cards properly.  

	Synced snmpd with FreeBSD-stable.

	Fixed a bug in rm which could cause data loss.	

20061027:
	Added Intel ICH8 and nForce 5 support to ATA. cam, mpt,
	random, kbdmux, atkbd, and usb were updated.  Changes
	to clearing registers on SSE enabled processors (i386)
	commited.  

	lukemftpd updated.  

	openssh rc script was altered which effects initial
	seeding.  

20061014:
	Workaround for em driver problem on shared IRQ.

	Started removal of alpha support.

20061013:
	ATA driver was updated.  USB/USB1/USB2 types added.

20061010: 
	OpenSSH was updated to 4.4p1.	

20060909:
	OpenNTPD was added to MidnightBSD.  Run make delete-old to remove
	the old ntpd daemon.

	cat has a new option -D which allows you to timestamp output
	on a per line basis.

	The kernel has a keyboard mux which allows you to have multiple
	keyboard connected simultaneously.  USB keyboard support was also
	improved with this patch.

	The Intel em driver was updated.  Network performance was greatly
	increased on many systems.  Additional models are supported.

	The ATA driver was patched to fix a potential deadlock.

	Bind was patched to fix a potential denial of service condition.

20060817:
	ksh has been added to the base system.	If you previously had
	the port installed, it will be overwritten on the next buildworld.


COMMON ITEMS:

	General Notes
	-------------
	Sometimes, obscure build problems are the result of environment
	poisoning.  This can happen because the make utility reads its
	environment when searching for values for global variables.  To run
	your build attempts in an "environmental clean room", prefix all make
	commands with 'env -i '.  See the env(1) manual page for more details.
	Occasionally a build failure will occur with "make -j" due to a race
	condition.  If this happens try building again without -j, and please
	report a bug if it happens consistently.

	When upgrading from one major version to another it is generally best to
	upgrade to the latest code in the currently installed branch first, then
	do an upgrade to the new branch. This is the best-tested upgrade path,
	and has the highest probability of being successful.  Please try this
	approach if you encounter problems with a major version upgrade.  Since
	the stable 0.2 branch point, one has generally been able to upgrade from
	anywhere in the most recent stable branch to head / current (or even the
	last couple of stable branches). See the top of this file when there's
	an exception.

	The update process will emit an error on an attempt to perform a build
	or install from a MidnightBSD version below the earliest supported version.
	When updating from an older version the update should be performed one
	major release at a time, including running `make delete-old` at each
	step.

	When upgrading a live system, having a root shell around before
	installing anything can help undo problems. Not having a root shell
	around can lead to problems if pam has changed too much from your
	starting point to allow continued authentication after the upgrade.

	This file should be read as a log of events. When a later event changes
	information of a prior event, the prior event should not be deleted.
	Instead, a pointer to the entry with the new information should be
	placed in the old entry. Readers of this file should also sanity check
	older entries before relying on them blindly. Authors of new entries
	should write them with this in mind.

	ZFS notes
	---------
	When upgrading the boot ZFS pool to a new version, always follow
	these two steps:

	1.) recompile and reinstall the ZFS boot loader and boot block
	(this is part of "make buildworld" and "make installworld")

	2.) update the ZFS boot block on your boot drive

	The following example updates the ZFS boot block on the
	mnbsd-boot partition of a GPT partitioned drive ada0:
	"gpart bootcode -p /boot/gptzfsboot -i $N ada0"
	The value $N will typically be 1 (if booting from BIOS) or 2 (if
	booting from EFI).

	Non-boot pools do not need these updates.

	EFI notes
	---------

	There are two locations the boot loader can be installed into. The
	current location (and the default) is \efi\midnightbsd\loader.efi and using
	efibootmgr(8) to configure it. The old location, that must be used on
	deficient systems that don't honor efibootmgr(8) protocols, is the
	fallback location of \EFI\BOOT\BOOTxxx.EFI. Generally, you will copy
	/boot/loader.efi to this location, but on systems installed a long time
	ago the ESP may be too small and /boot/boot1.efi may be needed unless
	the ESP has been expanded in the meantime.

	Recent systems will have the ESP mounted on /boot/efi, but older ones
	may not have it mounted at all, or mounted in a different
	location. Older arm SD images with MBR used /boot/msdos as the
	mountpoint. The ESP is a MSDOS filesystem.
 
	The EFI boot loader rarely needs to be updated. For ZFS booting,
	however, you must update loader.efi before you do 'zpool upgrade' the
	root zpool, otherwise the old loader.efi may reject the upgraded zpool
	since it does not automatically understand some new features.
 
	See loader.efi(8) and uefi(8) for more details.

	To build a kernel
	-----------------
	If you are updating from a prior version of MidnightBSD (even one just
	a few days old), you should follow this procedure.  It is the most
	failsafe as it uses a /usr/obj tree with a fresh mini-buildworld,

	make kernel-toolchain
	make -DALWAYS_CHECK_MAKE buildkernel KERNCONF=YOUR_KERNEL_HERE
	make -DALWAYS_CHECK_MAKE installkernel KERNCONF=YOUR_KERNEL_HERE

	To test a kernel once
	---------------------
	If you just want to boot a kernel once (because you are not sure
	if it works, or if you want to boot a known bad kernel to provide
	debugging information) run
	make installkernel KERNCONF=YOUR_KERNEL_HERE KODIR=/boot/testkernel
	nextboot -k testkernel

	To rebuild everything and install it on the current system.
	-----------------------------------------------------------
	# Note: sometimes if you are running current you gotta do more than
	# is listed here if you are upgrading from a really old current.

	<make sure you have good level 0 dumps>
	make buildworld
	make buildkernel KERNCONF=YOUR_KERNEL_HERE
	make installkernel KERNCONF=YOUR_KERNEL_HERE
							[1]
	<reboot in single user>				[3]
	etcupdate -p					[5]
	make installworld
	etcupdate -B					[4]
	make delete-old					[6]
	<reboot>

	To cross-install current onto a separate partition
	--------------------------------------------------
	# In this approach we use a separate partition to hold
	# current's root, 'usr', and 'var' directories.   A partition
	# holding "/", "/usr" and "/var" should be about 2GB in
	# size.

	<make sure you have good level 0 dumps>
	<boot into -stable>
	make buildworld
	make buildkernel KERNCONF=YOUR_KERNEL_HERE
	<maybe newfs current's root partition>
	<mount current's root partition on directory ${CURRENT_ROOT}>
	make installworld DESTDIR=${CURRENT_ROOT} -DDB_FROM_SRC
	make distribution DESTDIR=${CURRENT_ROOT} # if newfs'd
	make installkernel KERNCONF=YOUR_KERNEL_HERE DESTDIR=${CURRENT_ROOT}
	cp /etc/fstab ${CURRENT_ROOT}/etc/fstab			   # if newfs'd
	<edit ${CURRENT_ROOT}/etc/fstab to mount "/" from the correct partition>
	<reboot into current>
	<do a "native" rebuild/install as described in the previous section>
	<maybe install compatibility libraries from ports/misc/compat*>
	<reboot>


	To upgrade in-place from stable to current
	----------------------------------------------
	<make sure you have good level 0 dumps>
	make buildworld					[9]
	make buildkernel KERNCONF=YOUR_KERNEL_HERE	[8]
	make installkernel KERNCONF=YOUR_KERNEL_HERE
							[1]
	<reboot in single user>				[3]
	etcupdate -p					[5]
	make installworld
	etcupdate -B					[4]
	make delete-old					[6]
	<reboot>

	Make sure that you've read the UPDATING file to understand the
	tweaks to various things you need.  At this point in the life
	cycle of current, things change often and you are on your own
	to cope.  The defaults can also change, so please read ALL of
	the UPDATING entries.

	[1] If you have third party modules, such as vmware, you should disable
	them at this point so they don't crash your system on
	reboot. Alternatively, you should rebuild all the modules you have in
	your system and install them as well.  If you are running current, you
	should seriously consider placing all sources to all the modules for
	your system (or symlinks to them) in /usr/local/sys/modules so this
	happens automatically. If all your modules come from mports, then adding
	the port origin directories to PORTS_MODULES instead is also automatic
	and effective, eg:
	     PORTS_MODULES+=x11/nvidia-driver

	[3] From the bootblocks, boot -s, and then do
		fsck -p
		mount -u /
		mount -a
		sh /etc/rc.d/zfs start	# mount zfs filesystem, if needed
		cd src			# full path to source
		adjkerntz -i		# if CMOS is wall time
	Also, when doing a major release upgrade, it is required that you boot
	into single user mode to do the installworld.

	[4] Note: This step is non-optional.  Failure to do this step
	can result in a significant reduction in the functionality of the
	system.  Attempting to do it by hand is not recommended and those
	that pursue this avenue should read this file carefully, as well
	as the archives of midnightbsd-users mailing lists
	for potential gotchas.	See etcupdate(8) for more information.

	[5] Usually this step is a no-op.  However, from time to time
	you may need to do this if you get unknown user in the following
	step.

	[6] This only deletes old files and directories. Old libraries
	can be deleted by "make delete-old-libs", but you have to make
	sure that no program is using those libraries anymore.

	[8] The new kernel must be able to run existing binaries used by an
	installworld.  When upgrading across major versions, the new kernel's
	configuration must include the correct COMPAT_FREEBSD<n> option for
	existing binaries (e.g. COMPAT_FREEBSD11 to run 11.x binaries).  Failure
	to do so may leave you with a system that is hard to boot to recover. A
	GENERIC kernel will include suitable compatibility options to run
	binaries from older branches.  Note that the ability to run binaries
	from unsupported branches is not guaranteed.

	Make sure that you merge any new devices from GENERIC since the
	last time you updated your kernel config file. Options also
	change over time, so you may need to adjust your custom kernels
	for these as well.

	[9] If CPUTYPE is defined in your /etc/make.conf, make sure to use the
	"?=" instead of the "=" assignment operator, so that buildworld can
	override the CPUTYPE if it needs to.

	MAKEOBJDIRPREFIX must be defined in an environment variable, and
	not on the command line, or in /etc/make.conf.	buildworld will
	warn if it is improperly defined.
	
FORMAT:

Copyright information:

Copyright 1998-2009 M. Warner Losh <imp@FreeBSD.org>

Redistribution, publication, translation and use, with or without
modification, in full or in part, in any form or format of this
document are permitted without further permission from the author.

THIS DOCUMENT IS PROVIDED BY WARNER LOSH ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.  IN NO EVENT SHALL WARNER LOSH BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.