Yes that will break a lot of existing scripts, also it is probably not
needed - rc.subr uses the process name *and arguments*, if you're using
default top options you'll only see the name, use top -C or ps to check as
there is probably more that you can match on.
--
Sent from a phone, apologi
Hello,
I would guess the main reason is privilege separation. There will be
privileged (owner root) and unprivileged (dedicated user) processes and
both need to be killed.
--
Kind regards,
Ville Valkonen
On Fri 26. Nov 2021 at 2.24, Vincent Lee wrote:
> Hey all,
>
> I noticed that rc.subr(8)
Stop building the kernel with -Wno-uninitialized on clang archs.
This hides real problems like the recently fixed uninitialised memory
use in pf and igc.
After visa's recent commit the remaining warnings are
[-Wsometimes-uninitialized] /sys/arch/arm/arm/cpu.c:352:6: warning: variable
'ci' is use
Hey all,
I noticed that rc.subr(8)'s invocations of pgrep(1) and pkill(1) don't
filter by the user (by passing -U or -u). I'm wondering if there's a
reason for this?
The reason is that I'm running thelounge (thelounge.chat). It's a NodeJS
application, and by default its command line shows in top(
Claudio Jeker wrote:
> On Thu, Nov 25, 2021 at 08:18:10PM +0100, Sebastian Benoit wrote:
> > Job Snijders(j...@openbsd.org) on 2021.11.25 16:13:51 +:
> > > It might be advantageous to permit operators to optionally specify the
> > > maximum number of publication points with which rpki-client
ok mvs@
> On 26 Nov 2021, at 01:37, Tobias Heider wrote:
>
> On Fri, Nov 26, 2021 at 01:17:22AM +0300, Vitaliy Makkoveev wrote:
>> On Thu, Nov 25, 2021 at 10:59:25PM +0100, Alexander Bluhm wrote:
>>> On Thu, Nov 25, 2021 at 05:13:16PM +0100, Tobias Heider wrote:
Now with the missing parts f
On Thu, Nov 25, 2021 at 11:37:59PM +0100, Tobias Heider wrote:
> I agree that the mutex is the better solution. Updated diff below.
OK bluhm@
> Index: net/pfkeyv2.c
> ===
> RCS file: /cvs/src/sys/net/pfkeyv2.c,v
> retrieving revision
On Fri, Nov 26, 2021 at 01:17:22AM +0300, Vitaliy Makkoveev wrote:
> On Thu, Nov 25, 2021 at 10:59:25PM +0100, Alexander Bluhm wrote:
> > On Thu, Nov 25, 2021 at 05:13:16PM +0100, Tobias Heider wrote:
> > > Now with the missing parts from pfkeyv2.c as noticed by Hrvoje.
> >
> > We have this code i
On Thu, Nov 25, 2021 at 08:18:10PM +0100, Sebastian Benoit wrote:
> Job Snijders(j...@openbsd.org) on 2021.11.25 16:13:51 +:
> > It might be advantageous to permit operators to optionally specify the
> > maximum number of publication points with which rpki-client will
> > synchronize.
> >
> >
On Thu, Nov 25, 2021 at 10:59:25PM +0100, Alexander Bluhm wrote:
> On Thu, Nov 25, 2021 at 05:13:16PM +0100, Tobias Heider wrote:
> > Now with the missing parts from pfkeyv2.c as noticed by Hrvoje.
>
> We have this code in pfkeyv2_send()
>
> if (headers[SADB_EXT_ADDRESS_SR
Hi,
IPsec path MTU discovery with IPv4 transport mode is broken in IP
output. The MTU at the route is used for the unencrypted packet
without ESP header. After that, the length of the encrypted packet
with ESP header is compared with the same route. Of course it is
too big.
This seems to be am
On Thu, Nov 25, 2021 at 05:13:16PM +0100, Tobias Heider wrote:
> Now with the missing parts from pfkeyv2.c as noticed by Hrvoje.
We have this code in pfkeyv2_send()
if (headers[SADB_EXT_ADDRESS_SRC] ||
headers[SADB_EXT_ADDRESS_PROXY]) {
Rich Salz removed netscape support from OpenSSL in 2015 (commit 0bc2f365).
This is the openssl(1) part of that removal. SGC was removed a bit
earlier as part of 7e1b7485. The removal of the API in libcrypto will be
part of the bump (only devel/kf5/kdelibs4support uses it thanks to a
LIBRESSL_VERSI
Store prime and generator in intermediate BIGNUMs, then set them on the
DH. DH_set0_pqg() can't actually fail in this situation, but I prefer
to do error checking mechanically.
There is one more access to dh->pub_key which I will take care of once
we have DH_get0_pub_key() (using DH_get0_key() is
Errata patches for kernel have been released for OpenBSD 6.9 and
7.0. Errata patch for libcrypto has been released for OpenBSD 7.0.
Binary updates for the amd64, i386 and arm64 platform are available
via the syspatch utility. Source code patches can be found on the
respective errata page:
ht
Job Snijders(j...@openbsd.org) on 2021.11.25 16:13:51 +:
> It might be advantageous to permit operators to optionally specify the
> maximum number of publication points with which rpki-client will
> synchronize.
>
> For example: "doas rpki-client -m 1 -t /etc/rpki/ripe.tal" has as effect
> tha
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.11.25 12:30:31 +0100:
> This adds an RRDP regress test that checks basic operation.
> It checks some valid notification, snapshot and delta XML.
> There are also two XML attacks included (billion laughs and XXE).
> More bad XML files should be added.
>
Hi,
To find the ref counting bugs in IPsec tdb I use this trace code.
Per default there is no change due to #ifdef.
ddb{2}> show tdb /f 0x880164b0
tdb at 0x880164b0
...
refcnt: 2
...
trace_idx: 3767579
...
tdb_trace[64]: 3944868: refs 6 +0 cpu1 ipsec_forw
On Wed, Nov 24, 2021 at 4:46 AM Florian Obser wrote:
> Thanks, I had indeed missed this. I went through the RFC and found that
> we MUST NOT send the server identifier in rebooting state. While here I
> also made it explicit that we are not sending server identifier in
> rebinding state. This was
It might be advantageous to permit operators to optionally specify the
maximum number of publication points with which rpki-client will
synchronize.
For example: "doas rpki-client -m 1 -t /etc/rpki/ripe.tal" has as effect
that only RIPE NCC's repository is contacted, but none of the delegated
repo
On Thu, Nov 25, 2021 at 03:50:29PM +0100, Tobias Heider wrote:
> As discussed in the previous thread we can simplify the tdb cleanup
> code by removing the TDBF_DELETED flag and instead checking if the
> tdb was already unlinked.
>
> ok?
>
Now with the missing parts from pfkeyv2.c as noticed by
As discussed in the previous thread we can simplify the tdb cleanup
code by removing the TDBF_DELETED flag and instead checking if the
tdb was already unlinked.
ok?
Index: ip_ipsp.c
===
RCS file: /cvs/src/sys/netinet/ip_ipsp.c,v
retr
On Thu, Nov 25, 2021 at 12:54:49PM +, Job Snijders wrote:
> Replace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of
> timeout, or if timeout is disabled set it to 24 hours.
>
> OK?
OK claudio@
> Index: extern.h
> =
Hello,
thank you for taking a look at my diff.
> > }
> >
> > - if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif == pfi_all)
> > + if (kif->pfik_ifp != NULL || kif->pfik_group != NULL ||kif == pfi_all)
>
> Missing space over^^^ he
Replace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of
timeout, or if timeout is disabled set it to 24 hours.
OK?
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.97
diff -u -
On Fri, Nov 19, 2021 at 12:59:38AM +0100, Alexandr Nedvedicky wrote:
> Hello,
>
> it has turned out things are a bit more complicated when it comes to interface
> groups. diff below makes following scenario work for me.
>
> we start with etc/pf.conf as follows:
>
> # cat /etc/pf.conf
>
On Thu, Nov 25, 2021 at 09:52:54AM +0100, Alexander Bluhm wrote:
> On Sat, Nov 13, 2021 at 06:04:07PM +0100, Alexander Bluhm wrote:
> > When testing, please check for tdb leaks.
>
> The diff below was running on my performance setup for more than
> 10 hours. iked SA lifetime was about 10 seconds.
This adds an RRDP regress test that checks basic operation.
It checks some valid notification, snapshot and delta XML.
There are also two XML attacks included (billion laughs and XXE).
More bad XML files should be added.
Comments?
--
:wq Claudio
Index: Makefile.inc
===
On 25.11.2021. 9:52, Alexander Bluhm wrote:
> On Sat, Nov 13, 2021 at 06:04:07PM +0100, Alexander Bluhm wrote:
>> When testing, please check for tdb leaks.
> The diff below was running on my performance setup for more than
> 10 hours. iked SA lifetime was about 10 seconds. ipsecctl -F;
> vmstat -
On Wed, Nov 24, 2021 at 08:58:16PM +0100, Theo Buehler wrote:
> BIO_printf() is a wrapper around vfprintf, so we can remove this comment
> and the cast.
OK bluhm@
> Index: passwd.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/passwd.c,
On Sat, Nov 13, 2021 at 06:04:07PM +0100, Alexander Bluhm wrote:
> When testing, please check for tdb leaks.
The diff below was running on my performance setup for more than
10 hours. iked SA lifetime was about 10 seconds. ipsecctl -F;
vmstat -m showed no leak. Running regress passed.
Hrvoje i