MFC: Update to Crypt::OpenSSL::RSA 0.41, tested by henning
Attacks on the Marvin attack were too aggressive and 0.35 disabled the
widely used PKCS#1 v1.5 padding outright, when only decryption is
problematic due to the padding oracle. Signing is fine and required for
many things, among other things TLS and DNSSEC.
Version 0.35 disabled PKCS#1 v1.5 padding entirely to mitigate the
Marvin attack. However, the Marvin attack only affects PKCS#1 v1.5
decryption (padding oracle), not signatures. Version 0.38 re-enables
use_pkcs1_padding() for use with sign() and verify(), while keeping it
disabled for encrypt() and decrypt(). PKCS1_OAEP should be used for
encryption and either PKCS1_PSS or PKCS1 can be used for signing.
https://metacpan.org/pod/Crypt::OpenSSL::RSA#SECURITY
CI: skip full CI runs on push events
Full CI runs for proposed changes always occur in the PR where the
review is done and patch approved. Once merged the full CI is run
again using the merged commit. This is somewhat overkill. In the
interest of reducing the CI load only run the zloop and checkstyle
workflows which are enough to verify the build on the master branch.
Push events to forks will continue to trigger a full CI run.
Reviewed-by: George Melikov <mail at gmelikov.ru>
Signed-off-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Closes #18571
NAS-140948 / 25.10.4 / Avoid LUN-replace stall and slow HA-session cleanup at failover (by bmeagherix) (#18997)
Release parked async LUN-replace cleanup after DLM peer eviction
scst.async_lun_replace=1 now also tells the kernel to park the deferred
cleanup of old tgt_devs from each LUN replace until the flag is cleared.
This avoids stalling become_active on scst_dlm_lock_wait inside
scst_clear_reservation while the dead peer is still a DLM lockspace
member.
Add iscsi.scst.disable_async_lun_replace and call it from the end of
iscsi.alua.reset_active, after dlm.reset_active (which evicts the peer)
completes.
Also add regression test for failover LUN-replace stall
Original PR: https://github.com/truenas/middleware/pull/18920
Co-authored-by: Brian M <brian.meagher at ixsystems.com>
NAS-140948 / 26.0.0-BETA.2 / Avoid LUN-replace stall and slow HA-session cleanup at failover (by bmeagherix) (#18998)
Release parked async LUN-replace cleanup after DLM peer eviction
scst.async_lun_replace=1 now also tells the kernel to park the deferred
cleanup of old tgt_devs from each LUN replace until the flag is cleared.
This avoids stalling become_active on scst_dlm_lock_wait inside
scst_clear_reservation while the dead peer is still a DLM lockspace
member.
Add iscsi.scst.disable_async_lun_replace and call it from the end of
iscsi.alua.reset_active, after dlm.reset_active (which evicts the peer)
completes.
Original PR: https://github.com/truenas/middleware/pull/18920
---------
Co-authored-by: Brian M <brian.meagher at ixsystems.com>
NAS-140948 / 26.0.0-RC.1 / Avoid LUN-replace stall and slow HA-session cleanup at failover (by bmeagherix) (#18999)
Release parked async LUN-replace cleanup after DLM peer eviction
scst.async_lun_replace=1 now also tells the kernel to park the deferred
cleanup of old tgt_devs from each LUN replace until the flag is cleared.
This avoids stalling become_active on scst_dlm_lock_wait inside
scst_clear_reservation while the dead peer is still a DLM lockspace
member.
Add iscsi.scst.disable_async_lun_replace and call it from the end of
iscsi.alua.reset_active, after dlm.reset_active (which evicts the peer)
completes.
Original PR: https://github.com/truenas/middleware/pull/18920
---------
Co-authored-by: Brian M <brian.meagher at ixsystems.com>
graphics/converseen: Update to 0.15.2.4
ChangeLog: https://converseen.fasterland.net/
* Added autoscroll to the conversion dialog
* Fixed grammar in prompt for creating an output directory
* Various Bugfixes
sendfile: Fix bug when using headers with SW KTLS offload
When using SW KTLS, we must account for the headers in sf_iodone()
in terms of either freeing or enqueuing them for TLS work.
Not doing so can lead to a situation where we enqueue only
the payload, and not the header, for encryption. Rather than
leaking the header, the socket is left "hung" with the header marked
M_NOTREADY.
Sponsored by: Netflix
Reviewed by: glebius, kib
Differential Revision: https://reviews.freebsd.org/D57134
MFC After: 14 days
[CIR][CUDA] Introduce cu.var_registration for shadow and attach device-side var metadata, internalize device side variables, and lower poison attribute (#190087)
Signed-off-by: ZakyHermawan <zaky.hermawan9615 at gmail.com>
mdoc.7: Revert upstream changes to Lb/LIBRARY
Since this manual describes the mdoc syntax throughout the ecosystem,
I had to blend what we had before with what upstream is doing now.
Thanks: adrian
MFC after: 3 days (we shipped this doc in 15.0/14.4)
Reviewed by: ivy, mhorne, des, adrian
Discussed with: arch@
Differential Revision: https://reviews.freebsd.org/D56153
