- May 17, 2016
-
-
Franco Fichtner authored
Taken from: http://caia.swin.edu.au/freebsd/aqm/
-
- May 07, 2016
-
-
Franco Fichtner authored
This reverts commit 0a19f813.
-
- May 05, 2016
-
-
delphij authored
Fix excessive latency in x86 IPI delivery. [EN-16:07]
Fix memory leak in ZFS. [EN-16:08]
Approved by: so
-
- Apr 29, 2016
-
-
delphij authored
Approved by: so
-
- Apr 20, 2016
-
-
Franco Fichtner authored
Taken from: https://www.iana.org/time-zones
-
Franco Fichtner authored
Taken from: http://caia.swin.edu.au/freebsd/aqm/
-
- Mar 28, 2016
-
-
Franco Fichtner authored
We have a merge. I repeat, we have a merge. :)
-
- Mar 26, 2016
-
-
Shawn Webb authored
On i386, the stack isn't randomized enough to provide enough space for the VDSO to be randomized. Bump the stack randomization up to 14 for 32bit systems and lower the VDSO randomization to 8. This provides enough of a difference between the two to allow for both stack and VDSO randomization.
Note that ASLR on 32bit systems is still rather weak. Not much entropy can be introduced into the stack and VDSO. Brute forcing the stack and VDSO is well within the realm of possibility. Users are strongly advised to migrate to 64bit systems.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
-
Shawn Webb authored
On OPNsense's 16.7 roadmap is HardenedBSD's ASLR code. This commit separates out the ASLR code from the rest of our exploit mitigation and system hardening code.
Testing and verification still need to be performed. Initial testing (compile + boot + `procstat -v PIDofPIEapplication`) has been performed. More thorough testing should occur.
Shared object load order randomization in the RTLD is not included in this patch. That will be discussed with the fine folks at OPNsense at a later time.
Since OPNsense is based on FreeBSD 10.x, this patch will need to be backported to 10-STABLE. However, a "horizontal port" to 11-CURRENT, which is what this commit is, needed to be done first.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
-
- Mar 24, 2016
-
-
Franco Fichtner authored
Taken from: https://www.iana.org/time-zones
-
- Mar 22, 2016
-
-
Franco Fichtner authored
-
Franco Fichtner authored
-
Franco Fichtner authored
This code will be purged with 16.7, but for now we tighten it to prevent panics that surfaced after cleaning up defunct code paths in the legacy VPN area of the GUI. Userland must not be able to produce panics...
PR: https://forum.opnsense.org/index.php?topic=2385
-
Franco Fichtner authored
-
- Mar 20, 2016
-
-
hselasky authored
panics when unloading the dummynet and IPFW modules:
- The callout drain function can sleep and should not be called having a non-sleepable lock locked. Remove locks around "ipfw_dyn_uninit(0)".
- Add a new "dn_gone" variable to prevent asynchronous restart of dummynet callouts when unloading the dummynet kernel module.
- Call "dn_reschedule()" locked so that "dn_gone" can be set and checked atomically with regard to starting a new callout.
Reviewed by: hiren
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D3855
-
- Mar 17, 2016
-
-
loos authored
OpenBSD pf 4.5). Fix argument ordering to memcpy as well as the size of the copy in the (theoretical) case that pfi_buffer_cnt should be greater than ~_max. This fixes the failure when you hit the self table size and force it to be resized.
MFC after: 3 days
Sponsored by: Rubicon Communications (Netgate)
-
glebius authored
o Fix incorrect argument validation in sysarch(2). [SA-16:15]
o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
o Fix hv_netvsc(4) incorrect TCP/IP checksums. [EN-16:05]
Errata: FreeBSD-EN-16:04.hyperv
Errata: FreeBSD-EN-16:05.hv_netvsc
Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by: so
-
- Mar 16, 2016
-
-
Franco Fichtner authored
Taken from: https://www.iana.org/time-zones
-
- Mar 10, 2016
- Mar 08, 2016
-
-
Franco Fichtner authored
Taken from: https://www.iana.org/time-zones
-
- Mar 06, 2016
-
-
Franco Fichtner authored
-
delphij authored
Security: FreeBSD-SA-16:12.openssl
Approved by: so
-
- Feb 26, 2016
-
-
Franco Fichtner authored
Taken from: http://caia.swin.edu.au/freebsd/aqm/
-
- Feb 14, 2016
-
-
Franco Fichtner authored
Time is ticking.... tick tock tick tock :)
-
oshogbo authored
Submitted by: Milosz Kaniewski <m.kaniewski@wheelsystems.com>, UMEZAWA Takeshi <umezawa@iij.ad.jp> (original)
Reviewed by: glebius
Approved by: pjd (mentor)
Obtained from: OpenBSD
MFC after: 3 days
-
- Feb 09, 2016
-
-
Ad Schellevis authored
-
- Feb 08, 2016
-
-
Franco Fichtner authored
Logo kindly supplied by the Schellevis brothers @jschellevis and @adschellevis, technicolor version follows... :) Some previous changes have been rolled back to avoid touching upstream code.
-
royger authored
hyperv/kvp: wake up the daemon if it's sleeping due to poll()
Submitted by: Dexuan Cui <decui@microsoft.com>
Sponsored by: Microsoft OSTC
-
- Feb 01, 2016
-
-
royger authored
Ignore the inbound checksum flags when doing packet forwarding in netvsc driver.
Sponsored by: Microsoft OSTC
PR: 203630
(cherry picked from commit a5f1c95b3c8a3114c0dd550de01326f7c442020a)
-
- Jan 31, 2016
-
-
garga authored
Respect pf rule log option before logging dropped packets with IP options or dangerous v6 headers
Reviewed by: gnn, eri
Approved by: gnn, glebius
Obtained from: pfSense
Sponsored by: Netgate
Differential Revision: https://reviews.freebsd.org/D3222
-
- Jan 30, 2016
-
-
delphij authored
Security: CVE-2015-3197
Security: FreeBSD-SA-16:11.openssl
Approved by: so
-
- Jan 28, 2016
-
-
Franco Fichtner authored
Bravely going where no man has gone before. :)
-
- Jan 27, 2016
-
- Jan 24, 2016
-
-
Franco Fichtner authored
-
Franco Fichtner authored
This reverts commit 8f8e34e6. Non-standard feature is non-standard.
Approved by: @adschellevis
-
Franco Fichtner authored
-
- Jan 15, 2016
- Jan 14, 2016
-
-
glebius authored
o Fix filemon and bmake meta-mode stability issues. [EN-16:01]
o Fix invalid TCP checksums with pf(4). [EN-16:02.pf]
o Fix YP/NIS client library critical bug. [EN-16:03.yplib]
o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp]
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Errata: FreeBSD-EN-16:01.filemon
Errata: FreeBSD-EN-16:02.pf
Errata: FreeBSD-EN-16:03.yplib
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
Approved by: so
-