From owner-svn-src-releng@freebsd.org  Mon Sep 26 08:21:31 2016
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72339BE8259;
 Mon, 26 Sep 2016 08:21:31 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 33CAC909;
 Mon, 26 Sep 2016 08:21:31 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8Q8LUp8060875;
 Mon, 26 Sep 2016 08:21:30 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8Q8LTSG060862;
 Mon, 26 Sep 2016 08:21:29 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201609260821.u8Q8LTSG060862@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Mon, 26 Sep 2016 08:21:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r306336 - in releng: 10.1 10.1/crypto/openssl/crypto/bn
 10.1/sys/conf 10.2 10.2/crypto/openssl/crypto/bn 10.2/sys/conf 10.3
 10.3/crypto/openssl/crypto/bn 10.3/sys/conf 9.3 9.3/crypto/op...
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 08:21:31 -0000

Author: delphij
Date: Mon Sep 26 08:21:29 2016
New Revision: 306336
URL: https://svnweb.freebsd.org/changeset/base/306336

Log:
  Apply upstream revision 3612ff6fcec0e3d1f2a598135fe12177c0419582:
  
  Fix overflow check in BN_bn2dec()
  Fix an off by one error in the overflow check added by 07bed46
  ("Check for errors in BN_bn2dec()").
  
  This fixes a regression introduced in SA-16:26.openssl.
  
  Submitted by:	jkim
  PR:		212921
  Approved by:	so

Modified:
  releng/10.1/UPDATING
  releng/10.1/crypto/openssl/crypto/bn/bn_print.c
  releng/10.1/sys/conf/newvers.sh
  releng/10.2/UPDATING
  releng/10.2/crypto/openssl/crypto/bn/bn_print.c
  releng/10.2/sys/conf/newvers.sh
  releng/10.3/UPDATING
  releng/10.3/crypto/openssl/crypto/bn/bn_print.c
  releng/10.3/sys/conf/newvers.sh
  releng/9.3/UPDATING
  releng/9.3/crypto/openssl/crypto/bn/bn_print.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.1/UPDATING	Mon Sep 26 08:21:29 2016	(r306336)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160926	p29	FreeBSD-SA-16:26.openssl [revised]
+
+	Fix OpenSSL regression introduced in SA-16:26.
+
 20160923	p38	FreeBSD-SA-16:26.openssl
 
 	Fix multiple OpenSSL vulnerabilitites.

Modified: releng/10.1/crypto/openssl/crypto/bn/bn_print.c
==============================================================================
--- releng/10.1/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.1/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:21:29 2016	(r306336)
@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
         if (BN_is_negative(t))
             *p++ = '-';
 
-        i = 0;
         while (!BN_is_zero(t)) {
+            if (lp - bn_data >= bn_data_num)
+                goto err;
             *lp = BN_div_word(t, BN_DEC_CONV);
             if (*lp == (BN_ULONG)-1)
                 goto err;
             lp++;
-            if (lp - bn_data >= bn_data_num)
-                goto err;
         }
         lp--;
         /*

Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.1/sys/conf/newvers.sh	Mon Sep 26 08:21:29 2016	(r306336)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p38"
+BRANCH="RELEASE-p39"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.2/UPDATING
==============================================================================
--- releng/10.2/UPDATING	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.2/UPDATING	Mon Sep 26 08:21:29 2016	(r306336)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160926	p22	FreeBSD-SA-16:26.openssl [revised]
+
+	Fix OpenSSL regression introduced in SA-16:26.
+
 20160923	p21	FreeBSD-SA-16:26.openssl
 
 	Fix multiple OpenSSL vulnerabilitites.

Modified: releng/10.2/crypto/openssl/crypto/bn/bn_print.c
==============================================================================
--- releng/10.2/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.2/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:21:29 2016	(r306336)
@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
         if (BN_is_negative(t))
             *p++ = '-';
 
-        i = 0;
         while (!BN_is_zero(t)) {
+            if (lp - bn_data >= bn_data_num)
+                goto err;
             *lp = BN_div_word(t, BN_DEC_CONV);
             if (*lp == (BN_ULONG)-1)
                 goto err;
             lp++;
-            if (lp - bn_data >= bn_data_num)
-                goto err;
         }
         lp--;
         /*

Modified: releng/10.2/sys/conf/newvers.sh
==============================================================================
--- releng/10.2/sys/conf/newvers.sh	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.2/sys/conf/newvers.sh	Mon Sep 26 08:21:29 2016	(r306336)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE-p21"
+BRANCH="RELEASE-p22"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.3/UPDATING
==============================================================================
--- releng/10.3/UPDATING	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.3/UPDATING	Mon Sep 26 08:21:29 2016	(r306336)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160926	p9	FreeBSD-SA-16:26.openssl [revised]
+
+	Fix OpenSSL regression introduced in SA-16:26.
+
 20160923	p8	FreeBSD-SA-16:26.openssl
 
 	Fix multiple OpenSSL vulnerabilitites.

Modified: releng/10.3/crypto/openssl/crypto/bn/bn_print.c
==============================================================================
--- releng/10.3/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.3/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:21:29 2016	(r306336)
@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
         if (BN_is_negative(t))
             *p++ = '-';
 
-        i = 0;
         while (!BN_is_zero(t)) {
+            if (lp - bn_data >= bn_data_num)
+                goto err;
             *lp = BN_div_word(t, BN_DEC_CONV);
             if (*lp == (BN_ULONG)-1)
                 goto err;
             lp++;
-            if (lp - bn_data >= bn_data_num)
-                goto err;
         }
         lp--;
         /*

Modified: releng/10.3/sys/conf/newvers.sh
==============================================================================
--- releng/10.3/sys/conf/newvers.sh	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/10.3/sys/conf/newvers.sh	Mon Sep 26 08:21:29 2016	(r306336)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.3"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/9.3/UPDATING	Mon Sep 26 08:21:29 2016	(r306336)
@@ -11,6 +11,10 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20160926	p47	FreeBSD-SA-16:26.openssl [revised]
+
+	Fix OpenSSL regression introduced in SA-16:26.
+
 20160923	p46	FreeBSD-SA-16:26.openssl
 
 	Fix multiple OpenSSL vulnerabilitites.

Modified: releng/9.3/crypto/openssl/crypto/bn/bn_print.c
==============================================================================
--- releng/9.3/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/9.3/crypto/openssl/crypto/bn/bn_print.c	Mon Sep 26 08:21:29 2016	(r306336)
@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
         if (BN_is_negative(t))
             *p++ = '-';
 
-        i = 0;
         while (!BN_is_zero(t)) {
+            if (lp - bn_data >= bn_data_num)
+                goto err;
             *lp = BN_div_word(t, BN_DEC_CONV);
             if (*lp == (BN_ULONG)-1)
                 goto err;
             lp++;
-            if (lp - bn_data >= bn_data_num)
-                goto err;
         }
         lp--;
         /*

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Mon Sep 26 08:19:33 2016	(r306335)
+++ releng/9.3/sys/conf/newvers.sh	Mon Sep 26 08:21:29 2016	(r306336)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p46"
+BRANCH="RELEASE-p47"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

From owner-svn-src-releng@freebsd.org  Mon Sep 26 20:26:29 2016
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1D4EBEA56B;
 Mon, 26 Sep 2016 20:26:29 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7790B8B9;
 Mon, 26 Sep 2016 20:26:29 +0000 (UTC)
 (envelope-from glebius@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8QKQSlq033907;
 Mon, 26 Sep 2016 20:26:28 GMT (envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8QKQJAZ033814;
 Mon, 26 Sep 2016 20:26:19 GMT (envelope-from glebius@FreeBSD.org)
Message-Id: <201609262026.u8QKQJAZ033814@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: glebius set sender to
 glebius@FreeBSD.org using -f
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Mon, 26 Sep 2016 20:26:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r306354 - in releng/11.0: crypto/openssl
 crypto/openssl/crypto crypto/openssl/crypto/engine crypto/openssl/crypto/x509
 crypto/openssl/ssl secure/lib/libcrypto secure/lib/libcrypto/man s...
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 20:26:30 -0000

Author: glebius
Date: Mon Sep 26 20:26:19 2016
New Revision: 306354
URL: https://svnweb.freebsd.org/changeset/base/306354

Log:
  Merge r306343 by jkim:
  
  Merge OpenSSL 1.0.2j.
  
  Approved by:	so
  Approved by:	re (implicit)

Modified:
  releng/11.0/crypto/openssl/CHANGES
  releng/11.0/crypto/openssl/Makefile
  releng/11.0/crypto/openssl/NEWS
  releng/11.0/crypto/openssl/README
  releng/11.0/crypto/openssl/crypto/engine/eng_cryptodev.c
  releng/11.0/crypto/openssl/crypto/opensslv.h
  releng/11.0/crypto/openssl/crypto/x509/x509_vfy.c
  releng/11.0/crypto/openssl/ssl/t1_ext.c
  releng/11.0/secure/lib/libcrypto/Makefile.inc
  releng/11.0/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
  releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_length.3
  releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_new.3
  releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
  releng/11.0/secure/lib/libcrypto/man/ASN1_TIME_set.3
  releng/11.0/secure/lib/libcrypto/man/ASN1_generate_nconf.3
  releng/11.0/secure/lib/libcrypto/man/BIO_ctrl.3
  releng/11.0/secure/lib/libcrypto/man/BIO_f_base64.3
  releng/11.0/secure/lib/libcrypto/man/BIO_f_buffer.3
  releng/11.0/secure/lib/libcrypto/man/BIO_f_cipher.3
  releng/11.0/secure/lib/libcrypto/man/BIO_f_md.3
  releng/11.0/secure/lib/libcrypto/man/BIO_f_null.3
  releng/11.0/secure/lib/libcrypto/man/BIO_f_ssl.3
  releng/11.0/secure/lib/libcrypto/man/BIO_find_type.3
  releng/11.0/secure/lib/libcrypto/man/BIO_new.3
  releng/11.0/secure/lib/libcrypto/man/BIO_new_CMS.3
  releng/11.0/secure/lib/libcrypto/man/BIO_push.3
  releng/11.0/secure/lib/libcrypto/man/BIO_read.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_accept.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_bio.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_connect.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_fd.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_file.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_mem.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_null.3
  releng/11.0/secure/lib/libcrypto/man/BIO_s_socket.3
  releng/11.0/secure/lib/libcrypto/man/BIO_set_callback.3
  releng/11.0/secure/lib/libcrypto/man/BIO_should_retry.3
  releng/11.0/secure/lib/libcrypto/man/BN_BLINDING_new.3
  releng/11.0/secure/lib/libcrypto/man/BN_CTX_new.3
  releng/11.0/secure/lib/libcrypto/man/BN_CTX_start.3
  releng/11.0/secure/lib/libcrypto/man/BN_add.3
  releng/11.0/secure/lib/libcrypto/man/BN_add_word.3
  releng/11.0/secure/lib/libcrypto/man/BN_bn2bin.3
  releng/11.0/secure/lib/libcrypto/man/BN_cmp.3
  releng/11.0/secure/lib/libcrypto/man/BN_copy.3
  releng/11.0/secure/lib/libcrypto/man/BN_generate_prime.3
  releng/11.0/secure/lib/libcrypto/man/BN_mod_inverse.3
  releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
  releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
  releng/11.0/secure/lib/libcrypto/man/BN_new.3
  releng/11.0/secure/lib/libcrypto/man/BN_num_bytes.3
  releng/11.0/secure/lib/libcrypto/man/BN_rand.3
  releng/11.0/secure/lib/libcrypto/man/BN_set_bit.3
  releng/11.0/secure/lib/libcrypto/man/BN_swap.3
  releng/11.0/secure/lib/libcrypto/man/BN_zero.3
  releng/11.0/secure/lib/libcrypto/man/CMS_add0_cert.3
  releng/11.0/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
  releng/11.0/secure/lib/libcrypto/man/CMS_add1_signer.3
  releng/11.0/secure/lib/libcrypto/man/CMS_compress.3
  releng/11.0/secure/lib/libcrypto/man/CMS_decrypt.3
  releng/11.0/secure/lib/libcrypto/man/CMS_encrypt.3
  releng/11.0/secure/lib/libcrypto/man/CMS_final.3
  releng/11.0/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
  releng/11.0/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
  releng/11.0/secure/lib/libcrypto/man/CMS_get0_type.3
  releng/11.0/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
  releng/11.0/secure/lib/libcrypto/man/CMS_sign.3
  releng/11.0/secure/lib/libcrypto/man/CMS_sign_receipt.3
  releng/11.0/secure/lib/libcrypto/man/CMS_uncompress.3
  releng/11.0/secure/lib/libcrypto/man/CMS_verify.3
  releng/11.0/secure/lib/libcrypto/man/CMS_verify_receipt.3
  releng/11.0/secure/lib/libcrypto/man/CONF_modules_free.3
  releng/11.0/secure/lib/libcrypto/man/CONF_modules_load_file.3
  releng/11.0/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
  releng/11.0/secure/lib/libcrypto/man/DH_generate_key.3
  releng/11.0/secure/lib/libcrypto/man/DH_generate_parameters.3
  releng/11.0/secure/lib/libcrypto/man/DH_get_ex_new_index.3
  releng/11.0/secure/lib/libcrypto/man/DH_new.3
  releng/11.0/secure/lib/libcrypto/man/DH_set_method.3
  releng/11.0/secure/lib/libcrypto/man/DH_size.3
  releng/11.0/secure/lib/libcrypto/man/DSA_SIG_new.3
  releng/11.0/secure/lib/libcrypto/man/DSA_do_sign.3
  releng/11.0/secure/lib/libcrypto/man/DSA_dup_DH.3
  releng/11.0/secure/lib/libcrypto/man/DSA_generate_key.3
  releng/11.0/secure/lib/libcrypto/man/DSA_generate_parameters.3
  releng/11.0/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
  releng/11.0/secure/lib/libcrypto/man/DSA_new.3
  releng/11.0/secure/lib/libcrypto/man/DSA_set_method.3
  releng/11.0/secure/lib/libcrypto/man/DSA_sign.3
  releng/11.0/secure/lib/libcrypto/man/DSA_size.3
  releng/11.0/secure/lib/libcrypto/man/EC_GFp_simple_method.3
  releng/11.0/secure/lib/libcrypto/man/EC_GROUP_copy.3
  releng/11.0/secure/lib/libcrypto/man/EC_GROUP_new.3
  releng/11.0/secure/lib/libcrypto/man/EC_KEY_new.3
  releng/11.0/secure/lib/libcrypto/man/EC_POINT_add.3
  releng/11.0/secure/lib/libcrypto/man/EC_POINT_new.3
  releng/11.0/secure/lib/libcrypto/man/ERR_GET_LIB.3
  releng/11.0/secure/lib/libcrypto/man/ERR_clear_error.3
  releng/11.0/secure/lib/libcrypto/man/ERR_error_string.3
  releng/11.0/secure/lib/libcrypto/man/ERR_get_error.3
  releng/11.0/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
  releng/11.0/secure/lib/libcrypto/man/ERR_load_strings.3
  releng/11.0/secure/lib/libcrypto/man/ERR_print_errors.3
  releng/11.0/secure/lib/libcrypto/man/ERR_put_error.3
  releng/11.0/secure/lib/libcrypto/man/ERR_remove_state.3
  releng/11.0/secure/lib/libcrypto/man/ERR_set_mark.3
  releng/11.0/secure/lib/libcrypto/man/EVP_BytesToKey.3
  releng/11.0/secure/lib/libcrypto/man/EVP_DigestInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_DigestSignInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_EncodeInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_EncryptInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_OpenInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_derive.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_new.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_sign.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_verify.3
  releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
  releng/11.0/secure/lib/libcrypto/man/EVP_SealInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_SignInit.3
  releng/11.0/secure/lib/libcrypto/man/EVP_VerifyInit.3
  releng/11.0/secure/lib/libcrypto/man/OBJ_nid2obj.3
  releng/11.0/secure/lib/libcrypto/man/OPENSSL_Applink.3
  releng/11.0/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
  releng/11.0/secure/lib/libcrypto/man/OPENSSL_config.3
  releng/11.0/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
  releng/11.0/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3
  releng/11.0/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
  releng/11.0/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
  releng/11.0/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
  releng/11.0/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
  releng/11.0/secure/lib/libcrypto/man/PKCS12_create.3
  releng/11.0/secure/lib/libcrypto/man/PKCS12_parse.3
  releng/11.0/secure/lib/libcrypto/man/PKCS7_decrypt.3
  releng/11.0/secure/lib/libcrypto/man/PKCS7_encrypt.3
  releng/11.0/secure/lib/libcrypto/man/PKCS7_sign.3
  releng/11.0/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
  releng/11.0/secure/lib/libcrypto/man/PKCS7_verify.3
  releng/11.0/secure/lib/libcrypto/man/RAND_add.3
  releng/11.0/secure/lib/libcrypto/man/RAND_bytes.3
  releng/11.0/secure/lib/libcrypto/man/RAND_cleanup.3
  releng/11.0/secure/lib/libcrypto/man/RAND_egd.3
  releng/11.0/secure/lib/libcrypto/man/RAND_load_file.3
  releng/11.0/secure/lib/libcrypto/man/RAND_set_rand_method.3
  releng/11.0/secure/lib/libcrypto/man/RSA_blinding_on.3
  releng/11.0/secure/lib/libcrypto/man/RSA_check_key.3
  releng/11.0/secure/lib/libcrypto/man/RSA_generate_key.3
  releng/11.0/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
  releng/11.0/secure/lib/libcrypto/man/RSA_new.3
  releng/11.0/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
  releng/11.0/secure/lib/libcrypto/man/RSA_print.3
  releng/11.0/secure/lib/libcrypto/man/RSA_private_encrypt.3
  releng/11.0/secure/lib/libcrypto/man/RSA_public_encrypt.3
  releng/11.0/secure/lib/libcrypto/man/RSA_set_method.3
  releng/11.0/secure/lib/libcrypto/man/RSA_sign.3
  releng/11.0/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
  releng/11.0/secure/lib/libcrypto/man/RSA_size.3
  releng/11.0/secure/lib/libcrypto/man/SMIME_read_CMS.3
  releng/11.0/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
  releng/11.0/secure/lib/libcrypto/man/SMIME_write_CMS.3
  releng/11.0/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
  releng/11.0/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
  releng/11.0/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
  releng/11.0/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
  releng/11.0/secure/lib/libcrypto/man/X509_NAME_print_ex.3
  releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
  releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
  releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
  releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
  releng/11.0/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
  releng/11.0/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
  releng/11.0/secure/lib/libcrypto/man/X509_check_host.3
  releng/11.0/secure/lib/libcrypto/man/X509_new.3
  releng/11.0/secure/lib/libcrypto/man/X509_verify_cert.3
  releng/11.0/secure/lib/libcrypto/man/bio.3
  releng/11.0/secure/lib/libcrypto/man/blowfish.3
  releng/11.0/secure/lib/libcrypto/man/bn.3
  releng/11.0/secure/lib/libcrypto/man/bn_internal.3
  releng/11.0/secure/lib/libcrypto/man/buffer.3
  releng/11.0/secure/lib/libcrypto/man/crypto.3
  releng/11.0/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
  releng/11.0/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3
  releng/11.0/secure/lib/libcrypto/man/d2i_DHparams.3
  releng/11.0/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
  releng/11.0/secure/lib/libcrypto/man/d2i_ECPKParameters.3
  releng/11.0/secure/lib/libcrypto/man/d2i_ECPrivateKey.3
  releng/11.0/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
  releng/11.0/secure/lib/libcrypto/man/d2i_PrivateKey.3
  releng/11.0/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
  releng/11.0/secure/lib/libcrypto/man/d2i_X509.3
  releng/11.0/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
  releng/11.0/secure/lib/libcrypto/man/d2i_X509_CRL.3
  releng/11.0/secure/lib/libcrypto/man/d2i_X509_NAME.3
  releng/11.0/secure/lib/libcrypto/man/d2i_X509_REQ.3
  releng/11.0/secure/lib/libcrypto/man/d2i_X509_SIG.3
  releng/11.0/secure/lib/libcrypto/man/des.3
  releng/11.0/secure/lib/libcrypto/man/dh.3
  releng/11.0/secure/lib/libcrypto/man/dsa.3
  releng/11.0/secure/lib/libcrypto/man/ec.3
  releng/11.0/secure/lib/libcrypto/man/ecdsa.3
  releng/11.0/secure/lib/libcrypto/man/engine.3
  releng/11.0/secure/lib/libcrypto/man/err.3
  releng/11.0/secure/lib/libcrypto/man/evp.3
  releng/11.0/secure/lib/libcrypto/man/hmac.3
  releng/11.0/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
  releng/11.0/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
  releng/11.0/secure/lib/libcrypto/man/lh_stats.3
  releng/11.0/secure/lib/libcrypto/man/lhash.3
  releng/11.0/secure/lib/libcrypto/man/md5.3
  releng/11.0/secure/lib/libcrypto/man/mdc2.3
  releng/11.0/secure/lib/libcrypto/man/pem.3
  releng/11.0/secure/lib/libcrypto/man/rand.3
  releng/11.0/secure/lib/libcrypto/man/rc4.3
  releng/11.0/secure/lib/libcrypto/man/ripemd.3
  releng/11.0/secure/lib/libcrypto/man/rsa.3
  releng/11.0/secure/lib/libcrypto/man/sha.3
  releng/11.0/secure/lib/libcrypto/man/threads.3
  releng/11.0/secure/lib/libcrypto/man/ui.3
  releng/11.0/secure/lib/libcrypto/man/ui_compat.3
  releng/11.0/secure/lib/libcrypto/man/x509.3
  releng/11.0/secure/lib/libssl/man/SSL_CIPHER_get_name.3
  releng/11.0/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
  releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_new.3
  releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3
  releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3
  releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3
  releng/11.0/secure/lib/libssl/man/SSL_CONF_cmd.3
  releng/11.0/secure/lib/libssl/man/SSL_CONF_cmd_argv.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_add_session.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_ctrl.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_free.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_get0_param.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_new.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_sess_number.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_sessions.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set1_curves.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_mode.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_options.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_timeout.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_set_verify.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_use_certificate.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
  releng/11.0/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3
  releng/11.0/secure/lib/libssl/man/SSL_SESSION_free.3
  releng/11.0/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
  releng/11.0/secure/lib/libssl/man/SSL_SESSION_get_time.3
  releng/11.0/secure/lib/libssl/man/SSL_accept.3
  releng/11.0/secure/lib/libssl/man/SSL_alert_type_string.3
  releng/11.0/secure/lib/libssl/man/SSL_check_chain.3
  releng/11.0/secure/lib/libssl/man/SSL_clear.3
  releng/11.0/secure/lib/libssl/man/SSL_connect.3
  releng/11.0/secure/lib/libssl/man/SSL_do_handshake.3
  releng/11.0/secure/lib/libssl/man/SSL_free.3
  releng/11.0/secure/lib/libssl/man/SSL_get_SSL_CTX.3
  releng/11.0/secure/lib/libssl/man/SSL_get_ciphers.3
  releng/11.0/secure/lib/libssl/man/SSL_get_client_CA_list.3
  releng/11.0/secure/lib/libssl/man/SSL_get_current_cipher.3
  releng/11.0/secure/lib/libssl/man/SSL_get_default_timeout.3
  releng/11.0/secure/lib/libssl/man/SSL_get_error.3
  releng/11.0/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
  releng/11.0/secure/lib/libssl/man/SSL_get_ex_new_index.3
  releng/11.0/secure/lib/libssl/man/SSL_get_fd.3
  releng/11.0/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
  releng/11.0/secure/lib/libssl/man/SSL_get_peer_certificate.3
  releng/11.0/secure/lib/libssl/man/SSL_get_psk_identity.3
  releng/11.0/secure/lib/libssl/man/SSL_get_rbio.3
  releng/11.0/secure/lib/libssl/man/SSL_get_session.3
  releng/11.0/secure/lib/libssl/man/SSL_get_verify_result.3
  releng/11.0/secure/lib/libssl/man/SSL_get_version.3
  releng/11.0/secure/lib/libssl/man/SSL_library_init.3
  releng/11.0/secure/lib/libssl/man/SSL_load_client_CA_file.3
  releng/11.0/secure/lib/libssl/man/SSL_new.3
  releng/11.0/secure/lib/libssl/man/SSL_pending.3
  releng/11.0/secure/lib/libssl/man/SSL_read.3
  releng/11.0/secure/lib/libssl/man/SSL_rstate_string.3
  releng/11.0/secure/lib/libssl/man/SSL_session_reused.3
  releng/11.0/secure/lib/libssl/man/SSL_set_bio.3
  releng/11.0/secure/lib/libssl/man/SSL_set_connect_state.3
  releng/11.0/secure/lib/libssl/man/SSL_set_fd.3
  releng/11.0/secure/lib/libssl/man/SSL_set_session.3
  releng/11.0/secure/lib/libssl/man/SSL_set_shutdown.3
  releng/11.0/secure/lib/libssl/man/SSL_set_verify_result.3
  releng/11.0/secure/lib/libssl/man/SSL_shutdown.3
  releng/11.0/secure/lib/libssl/man/SSL_state_string.3
  releng/11.0/secure/lib/libssl/man/SSL_want.3
  releng/11.0/secure/lib/libssl/man/SSL_write.3
  releng/11.0/secure/lib/libssl/man/d2i_SSL_SESSION.3
  releng/11.0/secure/lib/libssl/man/ssl.3
  releng/11.0/secure/usr.bin/openssl/man/CA.pl.1
  releng/11.0/secure/usr.bin/openssl/man/asn1parse.1
  releng/11.0/secure/usr.bin/openssl/man/c_rehash.1
  releng/11.0/secure/usr.bin/openssl/man/ca.1
  releng/11.0/secure/usr.bin/openssl/man/ciphers.1
  releng/11.0/secure/usr.bin/openssl/man/cms.1
  releng/11.0/secure/usr.bin/openssl/man/crl.1
  releng/11.0/secure/usr.bin/openssl/man/crl2pkcs7.1
  releng/11.0/secure/usr.bin/openssl/man/dgst.1
  releng/11.0/secure/usr.bin/openssl/man/dhparam.1
  releng/11.0/secure/usr.bin/openssl/man/dsa.1
  releng/11.0/secure/usr.bin/openssl/man/dsaparam.1
  releng/11.0/secure/usr.bin/openssl/man/ec.1
  releng/11.0/secure/usr.bin/openssl/man/ecparam.1
  releng/11.0/secure/usr.bin/openssl/man/enc.1
  releng/11.0/secure/usr.bin/openssl/man/errstr.1
  releng/11.0/secure/usr.bin/openssl/man/gendsa.1
  releng/11.0/secure/usr.bin/openssl/man/genpkey.1
  releng/11.0/secure/usr.bin/openssl/man/genrsa.1
  releng/11.0/secure/usr.bin/openssl/man/nseq.1
  releng/11.0/secure/usr.bin/openssl/man/ocsp.1
  releng/11.0/secure/usr.bin/openssl/man/openssl.1
  releng/11.0/secure/usr.bin/openssl/man/passwd.1
  releng/11.0/secure/usr.bin/openssl/man/pkcs12.1
  releng/11.0/secure/usr.bin/openssl/man/pkcs7.1
  releng/11.0/secure/usr.bin/openssl/man/pkcs8.1
  releng/11.0/secure/usr.bin/openssl/man/pkey.1
  releng/11.0/secure/usr.bin/openssl/man/pkeyparam.1
  releng/11.0/secure/usr.bin/openssl/man/pkeyutl.1
  releng/11.0/secure/usr.bin/openssl/man/rand.1
  releng/11.0/secure/usr.bin/openssl/man/req.1
  releng/11.0/secure/usr.bin/openssl/man/rsa.1
  releng/11.0/secure/usr.bin/openssl/man/rsautl.1
  releng/11.0/secure/usr.bin/openssl/man/s_client.1
  releng/11.0/secure/usr.bin/openssl/man/s_server.1
  releng/11.0/secure/usr.bin/openssl/man/s_time.1
  releng/11.0/secure/usr.bin/openssl/man/sess_id.1
  releng/11.0/secure/usr.bin/openssl/man/smime.1
  releng/11.0/secure/usr.bin/openssl/man/speed.1
  releng/11.0/secure/usr.bin/openssl/man/spkac.1
  releng/11.0/secure/usr.bin/openssl/man/ts.1
  releng/11.0/secure/usr.bin/openssl/man/tsget.1
  releng/11.0/secure/usr.bin/openssl/man/verify.1
  releng/11.0/secure/usr.bin/openssl/man/version.1
  releng/11.0/secure/usr.bin/openssl/man/x509.1
  releng/11.0/secure/usr.bin/openssl/man/x509v3_config.1
Directory Properties:
  releng/11.0/   (props changed)

Modified: releng/11.0/crypto/openssl/CHANGES
==============================================================================
--- releng/11.0/crypto/openssl/CHANGES	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/CHANGES	Mon Sep 26 20:26:19 2016	(r306354)
@@ -2,6 +2,18 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
+
+  *) Missing CRL sanity check
+
+     A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+     but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+     CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
+
+     This issue only affects the OpenSSL 1.0.2i
+     (CVE-2016-7052)
+     [Matt Caswell]
+
  Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
 
   *) OCSP Status Request extension unbounded memory growth

Modified: releng/11.0/crypto/openssl/Makefile
==============================================================================
--- releng/11.0/crypto/openssl/Makefile	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/Makefile	Mon Sep 26 20:26:19 2016	(r306354)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2i
+VERSION=1.0.2j
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

Modified: releng/11.0/crypto/openssl/NEWS
==============================================================================
--- releng/11.0/crypto/openssl/NEWS	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/NEWS	Mon Sep 26 20:26:19 2016	(r306354)
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
+
+      o Fix Use After Free for large message sizes (CVE-2016-6309)
+
   Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
 
       o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)

Modified: releng/11.0/crypto/openssl/README
==============================================================================
--- releng/11.0/crypto/openssl/README	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/README	Mon Sep 26 20:26:19 2016	(r306354)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2i 22 Sep 2016
+ OpenSSL 1.0.2j 26 Sep 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: releng/11.0/crypto/openssl/crypto/engine/eng_cryptodev.c
==============================================================================
--- releng/11.0/crypto/openssl/crypto/engine/eng_cryptodev.c	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/crypto/engine/eng_cryptodev.c	Mon Sep 26 20:26:19 2016	(r306354)
@@ -939,7 +939,7 @@ static int cryptodev_digest_copy(EVP_MD_
     if (fstate->mac_len != 0) {
         if (fstate->mac_data != NULL) {
             dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
-            if (dstate->ac_data == NULL) {
+            if (dstate->mac_data == NULL) {
                 printf("cryptodev_digest_init: malloc failed\n");
                 return 0;
             }

Modified: releng/11.0/crypto/openssl/crypto/opensslv.h
==============================================================================
--- releng/11.0/crypto/openssl/crypto/opensslv.h	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/crypto/opensslv.h	Mon Sep 26 20:26:19 2016	(r306354)
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000209fL
+# define OPENSSL_VERSION_NUMBER  0x100020afL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2i-fips  22 Sep 2016"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j-fips  26 Sep 2016"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2i-freebsd  22 Sep 2016"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j-freebsd  26 Sep 2016"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 

Modified: releng/11.0/crypto/openssl/crypto/x509/x509_vfy.c
==============================================================================
--- releng/11.0/crypto/openssl/crypto/x509/x509_vfy.c	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/crypto/x509/x509_vfy.c	Mon Sep 26 20:26:19 2016	(r306354)
@@ -1124,10 +1124,10 @@ static int get_crl_sk(X509_STORE_CTX *ct
         crl = sk_X509_CRL_value(crls, i);
         reasons = *preasons;
         crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
-        if (crl_score < best_score)
+        if (crl_score < best_score || crl_score == 0)
             continue;
         /* If current CRL is equivalent use it if it is newer */
-        if (crl_score == best_score) {
+        if (crl_score == best_score && best_crl != NULL) {
             int day, sec;
             if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
                                X509_CRL_get_lastUpdate(crl)) == 0)

Modified: releng/11.0/crypto/openssl/ssl/t1_ext.c
==============================================================================
--- releng/11.0/crypto/openssl/ssl/t1_ext.c	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/crypto/openssl/ssl/t1_ext.c	Mon Sep 26 20:26:19 2016	(r306354)
@@ -275,7 +275,9 @@ int SSL_extension_supported(unsigned int
     case TLSEXT_TYPE_ec_point_formats:
     case TLSEXT_TYPE_elliptic_curves:
     case TLSEXT_TYPE_heartbeat:
+# ifndef OPENSSL_NO_NEXTPROTONEG
     case TLSEXT_TYPE_next_proto_neg:
+# endif
     case TLSEXT_TYPE_padding:
     case TLSEXT_TYPE_renegotiate:
     case TLSEXT_TYPE_server_name:

Modified: releng/11.0/secure/lib/libcrypto/Makefile.inc
==============================================================================
--- releng/11.0/secure/lib/libcrypto/Makefile.inc	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/Makefile.inc	Mon Sep 26 20:26:19 2016	(r306354)
@@ -3,8 +3,8 @@
 .include <bsd.own.mk>
 
 # OpenSSL version used for manual page generation
-OPENSSL_VER=	1.0.2i
-OPENSSL_DATE=	2016-09-22
+OPENSSL_VER=	1.0.2j
+OPENSSL_DATE=	2016-09-26
 
 LCRYPTO_SRC=	${.CURDIR}/../../../crypto/openssl
 LCRYPTO_DOC=	${LCRYPTO_SRC}/doc

Modified: releng/11.0/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/ASN1_OBJECT_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/ASN1_OBJECT_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_OBJECT_new 3"
-.TH ASN1_OBJECT_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH ASN1_OBJECT_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_length.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_length.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_length.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_STRING_length 3"
-.TH ASN1_STRING_length 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH ASN1_STRING_length 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_STRING_new 3"
-.TH ASN1_STRING_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH ASN1_STRING_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_STRING_print_ex 3"
-.TH ASN1_STRING_print_ex 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH ASN1_STRING_print_ex 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/ASN1_TIME_set.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/ASN1_TIME_set.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/ASN1_TIME_set.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_TIME_set 3"
-.TH ASN1_TIME_set 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH ASN1_TIME_set 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/ASN1_generate_nconf.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/ASN1_generate_nconf.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/ASN1_generate_nconf.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_generate_nconf 3"
-.TH ASN1_generate_nconf 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH ASN1_generate_nconf 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_ctrl.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_ctrl.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_ctrl.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_ctrl 3"
-.TH BIO_ctrl 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_ctrl 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_f_base64.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_f_base64.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_f_base64.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_base64 3"
-.TH BIO_f_base64 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_f_base64 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_f_buffer.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_f_buffer.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_f_buffer.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_buffer 3"
-.TH BIO_f_buffer 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_f_buffer 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_f_cipher.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_f_cipher.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_f_cipher.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_cipher 3"
-.TH BIO_f_cipher 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_f_cipher 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_f_md.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_f_md.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_f_md.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_md 3"
-.TH BIO_f_md 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_f_md 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_f_null.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_f_null.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_f_null.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_null 3"
-.TH BIO_f_null 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_f_null 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_f_ssl.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_f_ssl.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_f_ssl.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_ssl 3"
-.TH BIO_f_ssl 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_f_ssl 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_find_type.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_find_type.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_find_type.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_find_type 3"
-.TH BIO_find_type 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_find_type 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_new 3"
-.TH BIO_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_new_CMS.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_new_CMS.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_new_CMS.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_new_CMS 3"
-.TH BIO_new_CMS 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_new_CMS 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_push.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_push.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_push.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_push 3"
-.TH BIO_push 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_push 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_read.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_read.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_read.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_read 3"
-.TH BIO_read 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_read 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_accept.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_accept.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_accept.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_accept 3"
-.TH BIO_s_accept 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_accept 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_bio.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_bio.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_bio.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_bio 3"
-.TH BIO_s_bio 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_bio 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_connect.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_connect.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_connect.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_connect 3"
-.TH BIO_s_connect 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_connect 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_fd.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_fd.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_fd.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_fd 3"
-.TH BIO_s_fd 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_fd 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_file.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_file.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_file.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_file 3"
-.TH BIO_s_file 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_file 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_mem.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_mem.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_mem.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_mem 3"
-.TH BIO_s_mem 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_mem 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_null.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_null.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_null.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_null 3"
-.TH BIO_s_null 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_null 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_s_socket.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_s_socket.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_s_socket.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_socket 3"
-.TH BIO_s_socket 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_s_socket 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_set_callback.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_set_callback.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_set_callback.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_set_callback 3"
-.TH BIO_set_callback 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_set_callback 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BIO_should_retry.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BIO_should_retry.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BIO_should_retry.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_should_retry 3"
-.TH BIO_should_retry 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BIO_should_retry 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_BLINDING_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_BLINDING_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_BLINDING_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_BLINDING_new 3"
-.TH BN_BLINDING_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_BLINDING_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_CTX_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_CTX_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_CTX_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_CTX_new 3"
-.TH BN_CTX_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_CTX_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_CTX_start.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_CTX_start.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_CTX_start.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_CTX_start 3"
-.TH BN_CTX_start 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_CTX_start 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_add.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_add.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_add.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_add 3"
-.TH BN_add 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_add 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_add_word.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_add_word.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_add_word.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_add_word 3"
-.TH BN_add_word 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_add_word 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_bn2bin.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_bn2bin.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_bn2bin.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_bn2bin 3"
-.TH BN_bn2bin 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_bn2bin 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_cmp.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_cmp.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_cmp.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_cmp 3"
-.TH BN_cmp 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_cmp 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_copy.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_copy.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_copy.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_copy 3"
-.TH BN_copy 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_copy 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_generate_prime.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_generate_prime.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_generate_prime.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_generate_prime 3"
-.TH BN_generate_prime 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_generate_prime 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_mod_inverse.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_mod_inverse.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_mod_inverse.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_mod_inverse 3"
-.TH BN_mod_inverse 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_mod_inverse 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_mod_mul_montgomery 3"
-.TH BN_mod_mul_montgomery 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_mod_mul_montgomery 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_mod_mul_reciprocal 3"
-.TH BN_mod_mul_reciprocal 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_mod_mul_reciprocal 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_new 3"
-.TH BN_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_num_bytes.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_num_bytes.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_num_bytes.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_num_bytes 3"
-.TH BN_num_bytes 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_num_bytes 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_rand.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_rand.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_rand.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_rand 3"
-.TH BN_rand 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_rand 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_set_bit.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_set_bit.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_set_bit.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_set_bit 3"
-.TH BN_set_bit 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_set_bit 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_swap.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_swap.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_swap.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_swap 3"
-.TH BN_swap 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_swap 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/BN_zero.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/BN_zero.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/BN_zero.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_zero 3"
-.TH BN_zero 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH BN_zero 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_add0_cert.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_add0_cert.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_add0_cert.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_add0_cert 3"
-.TH CMS_add0_cert 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_add0_cert 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_add1_recipient_cert 3"
-.TH CMS_add1_recipient_cert 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_add1_recipient_cert 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_add1_signer.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_add1_signer.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_add1_signer.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_add1_signer 3"
-.TH CMS_add1_signer 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_add1_signer 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_compress.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_compress.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_compress.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_compress 3"
-.TH CMS_compress 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_compress 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_decrypt.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_decrypt.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_decrypt.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_decrypt 3"
-.TH CMS_decrypt 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_decrypt 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_encrypt.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_encrypt.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_encrypt.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_encrypt 3"
-.TH CMS_encrypt 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_encrypt 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_final.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_final.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_final.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_final 3"
-.TH CMS_final 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_final 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get0_RecipientInfos 3"
-.TH CMS_get0_RecipientInfos 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_get0_RecipientInfos 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get0_SignerInfos 3"
-.TH CMS_get0_SignerInfos 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_get0_SignerInfos 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_get0_type.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_get0_type.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_get0_type.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get0_type 3"
-.TH CMS_get0_type 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_get0_type 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get1_ReceiptRequest 3"
-.TH CMS_get1_ReceiptRequest 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_get1_ReceiptRequest 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_sign.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_sign.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_sign.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_sign 3"
-.TH CMS_sign 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_sign 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_sign_receipt.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_sign_receipt.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_sign_receipt.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_sign_receipt 3"
-.TH CMS_sign_receipt 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_sign_receipt 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_uncompress.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_uncompress.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_uncompress.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_uncompress 3"
-.TH CMS_uncompress 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_uncompress 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_verify.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_verify.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_verify.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_verify 3"
-.TH CMS_verify 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_verify 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CMS_verify_receipt.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CMS_verify_receipt.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CMS_verify_receipt.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_verify_receipt 3"
-.TH CMS_verify_receipt 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CMS_verify_receipt 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CONF_modules_free.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CONF_modules_free.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CONF_modules_free.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CONF_modules_free 3"
-.TH CONF_modules_free 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CONF_modules_free 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CONF_modules_load_file.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CONF_modules_load_file.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CONF_modules_load_file.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CONF_modules_load_file 3"
-.TH CONF_modules_load_file 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CONF_modules_load_file 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRYPTO_set_ex_data 3"
-.TH CRYPTO_set_ex_data 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH CRYPTO_set_ex_data 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DH_generate_key.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DH_generate_key.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DH_generate_key.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_generate_key 3"
-.TH DH_generate_key 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DH_generate_key 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DH_generate_parameters.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DH_generate_parameters.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DH_generate_parameters.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_generate_parameters 3"
-.TH DH_generate_parameters 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DH_generate_parameters 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DH_get_ex_new_index.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DH_get_ex_new_index.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DH_get_ex_new_index.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_get_ex_new_index 3"
-.TH DH_get_ex_new_index 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DH_get_ex_new_index 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DH_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DH_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DH_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_new 3"
-.TH DH_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DH_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DH_set_method.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DH_set_method.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DH_set_method.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_set_method 3"
-.TH DH_set_method 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DH_set_method 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DH_size.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DH_size.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DH_size.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_size 3"
-.TH DH_size 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DH_size 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_SIG_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_SIG_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_SIG_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_SIG_new 3"
-.TH DSA_SIG_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_SIG_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_do_sign.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_do_sign.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_do_sign.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_do_sign 3"
-.TH DSA_do_sign 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_do_sign 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_dup_DH.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_dup_DH.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_dup_DH.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_dup_DH 3"
-.TH DSA_dup_DH 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_dup_DH 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_generate_key.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_generate_key.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_generate_key.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_generate_key 3"
-.TH DSA_generate_key 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_generate_key 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_generate_parameters.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_generate_parameters.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_generate_parameters.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_generate_parameters 3"
-.TH DSA_generate_parameters 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_generate_parameters 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_get_ex_new_index.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_get_ex_new_index.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_get_ex_new_index 3"
-.TH DSA_get_ex_new_index 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_get_ex_new_index 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_new.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_new.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_new.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_new 3"
-.TH DSA_new 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_new 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_set_method.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_set_method.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_set_method.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_set_method 3"
-.TH DSA_set_method 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_set_method 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Modified: releng/11.0/secure/lib/libcrypto/man/DSA_sign.3
==============================================================================
--- releng/11.0/secure/lib/libcrypto/man/DSA_sign.3	Mon Sep 26 20:13:33 2016	(r306353)
+++ releng/11.0/secure/lib/libcrypto/man/DSA_sign.3	Mon Sep 26 20:26:19 2016	(r306354)
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_sign 3"
-.TH DSA_sign 3 "2016-09-22" "1.0.2i" "OpenSSL"
+.TH DSA_sign 3 "2016-09-26" "1.0.2j" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@freebsd.org  Tue Sep 27 19:36:14 2016
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DDE19BEC608;
 Tue, 27 Sep 2016 19:36:14 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7CE89264;
 Tue, 27 Sep 2016 19:36:14 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8RJaDOa058318;
 Tue, 27 Sep 2016 19:36:13 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8RJaDng058309;
 Tue, 27 Sep 2016 19:36:13 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <201609271936.u8RJaDng058309@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Tue, 27 Sep 2016 19:36:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r306379 - in releng/11.0: contrib/libarchive
 contrib/libarchive/libarchive contrib/libarchive/libarchive/test
 lib/libarchive lib/libarchive/tests usr.bin/bsdiff/bspatch
 usr.sbin/portsna...
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2016 19:36:15 -0000

Author: emaste
Date: Tue Sep 27 19:36:12 2016
New Revision: 306379
URL: https://svnweb.freebsd.org/changeset/base/306379

Log:
  Merge from stable/11 bspatch, portsnap, and libarchive fixes:
  
  === bspatch ===
  
  MFS r306213: bspatch Capsicumization, sanity checks, and other improvements
  
  r304691: bspatch: apply style(9)
  
  Make style changes (and trivial refactoring of open calls) now in order
  to reduce noise in diffs for future capsicum changes.
  
  r304807 (allanjude): Capsicumize bspatch
  
  Move all of the fopen() and open() calls to the top of main()
  
  Restrict each FD to least privilege (read/seek only, write only, etc)
  
  cap_enter(), and make all except the output FD read/seek only.
  
  r304821: bspatch: remove output file in the case of error
  
  r305486: bspatch: add sanity checks on sizes to avoid integer overflow
  
  Note that this introduces an explicit 2GB limit, but this was already
  implicit in variable and function argument types.
  
  This is based on the "non-cryptanalytic attacks against freebsd
  update components" anonymous gist. Further refinement is planned.
  
  r305737: bspatch: remove superfluous newlines from errx strings
  
  r305822: bspatch: use #define for header size instead of magic number
  
  r306026: bspatch: Remove backwards-compatibility sys/capability.h support
  
  bspatch previously included sys/capability.h or sys/capsicum.h based
  on __FreeBSD_version, as FreeBSD is the upstream for bsdiff and we may
  see this file incorporated into other third-party software.
  
  The Capsicum header is now installed as sys/capsicum.h in stable/10 and
  FreeBSD 10.3, so we can just use sys/capsicum.h and simplify the logic.
  
  With this change, bspatch is identical between head, stable/11 and releng/11.0.
  
  === portsnap ===
  
  MFS r305648 (delphij): MFC r305469:
  
  Ensure that we always open only files that is named by explicitly
  using shell redirections instead of having gzip(1) to decide what
  file to open.
  
  Issue reported in the "non-cryptanalytic attacks against freebsd
  update components" anonymous gist.
  
  === libarchive ===
  
  MFS r305754 (mm): MFC r305422:
  
  Sync libarchive with vendor
  
  Vendor issues fixed:
  PR #777: Multiple bugfixes for setup_acls()
  
  This includes a bugfix for a bug that caused ACLs not to be read properly
  for files and directories inside subdirectories and as a result not being
  stored or being incorrectly stored in tar archives.
  
  MFS r306321 (mm): MFC r305819:
  
  Sync libarchive with vendor including important security fixes.
  
  Issues fixed (FreeBSD):
  PR #778: ACL error handling
  Issue #745: Symlink check prefix optimization is too aggressive
  Issue #746: Hard links with data can evade sandboxing restrictions
  
  This update fixes the vulnerability #3 and vulnerability #4 as reported in
  "non-cryptanalytic attacks against FreeBSD update components".
  https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
  
  Fix for vulnerability #2 has already been merged.
  
  Approved by:	re (gjb), so (glebius)

Added:
  releng/11.0/contrib/libarchive/README.md
     - copied unchanged from r305754, stable/11/contrib/libarchive/README.md
Deleted:
  releng/11.0/contrib/libarchive/README
Modified:
  releng/11.0/contrib/libarchive/libarchive/archive_acl.c
  releng/11.0/contrib/libarchive/libarchive/archive_platform.h
  releng/11.0/contrib/libarchive/libarchive/archive_read_disk_entry_from_file.c
  releng/11.0/contrib/libarchive/libarchive/archive_read_disk_posix.c
  releng/11.0/contrib/libarchive/libarchive/archive_read_support_format_tar.c
  releng/11.0/contrib/libarchive/libarchive/archive_write_disk_acl.c
  releng/11.0/contrib/libarchive/libarchive/archive_write_disk_posix.c
  releng/11.0/contrib/libarchive/libarchive/test/test_acl_freebsd_posix1e.c
  releng/11.0/contrib/libarchive/libarchive/test/test_write_disk_secure745.c
  releng/11.0/contrib/libarchive/libarchive/test/test_write_disk_secure746.c
  releng/11.0/contrib/libarchive/libarchive/test/test_write_format_gnutar_filenames.c
  releng/11.0/lib/libarchive/config_freebsd.h
  releng/11.0/lib/libarchive/tests/Makefile
  releng/11.0/usr.bin/bsdiff/bspatch/bspatch.c
  releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh
Directory Properties:
  releng/11.0/   (props changed)

Copied: releng/11.0/contrib/libarchive/README.md (from r305754, stable/11/contrib/libarchive/README.md)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ releng/11.0/contrib/libarchive/README.md	Tue Sep 27 19:36:12 2016	(r306379, copy of r305754, stable/11/contrib/libarchive/README.md)
@@ -0,0 +1,222 @@
+# Welcome to libarchive!
+
+The libarchive project develops a portable, efficient C library that
+can read and write streaming archives in a variety of formats.  It
+also includes implementations of the common `tar`, `cpio`, and `zcat`
+command-line tools that use the libarchive library.
+
+## Questions?  Issues?
+
+* http://www.libarchive.org is the home for ongoing
+  libarchive development, including documentation,
+  and links to the libarchive mailing lists.
+* To report an issue, use the issue tracker at
+  https://github.com/libarchive/libarchive/issues
+* To submit an enhancement to libarchive, please
+  submit a pull request via GitHub: https://github.com/libarchive/libarchive/pulls
+
+## Contents of the Distribution
+
+This distribution bundle includes the following major components:
+
+* **libarchive**: a library for reading and writing streaming archives
+* **tar**: the 'bsdtar' program is a full-featured 'tar' implementation built on libarchive
+* **cpio**: the 'bsdcpio' program is a different interface to essentially the same functionality
+* **cat**: the 'bsdcat' program is a simple replacement tool for zcat, bzcat, xzcat, and such
+* **examples**: Some small example programs that you may find useful.
+* **examples/minitar**: a compact sample demonstrating use of libarchive.
+* **contrib**:  Various items sent to me by third parties; please contact the authors with any questions.
+
+The top-level directory contains the following information files:
+
+* **NEWS** - highlights of recent changes
+* **COPYING** - what you can do with this
+* **INSTALL** - installation instructions
+* **README** - this file
+* **CMakeLists.txt** - input for "cmake" build tool, see INSTALL
+* **configure** - configuration script, see INSTALL for details.  If your copy of the source lacks a `configure` script, you can try to construct it by running the script in `build/autogen.sh` (or use `cmake`).
+
+The following files in the top-level directory are used by the 'configure' script:
+* `Makefile.am`, `aclocal.m4`, `configure.ac` - used to build this distribution, only needed by maintainers
+* `Makefile.in`, `config.h.in` - templates used by configure script
+
+## Documentation
+
+In addition to the informational articles and documentation
+in the online [libarchive Wiki](https://github.com/libarchive/libarchive/wiki),
+the distribution also includes a number of manual pages:
+
+ * bsdtar.1 explains the use of the bsdtar program
+ * bsdcpio.1 explains the use of the bsdcpio program
+ * bsdcat.1 explains the use of the bsdcat program
+ * libarchive.3 gives an overview of the library as a whole
+ * archive_read.3, archive_write.3, archive_write_disk.3, and
+   archive_read_disk.3 provide detailed calling sequences for the read
+   and write APIs
+ * archive_entry.3 details the "struct archive_entry" utility class
+ * archive_internals.3 provides some insight into libarchive's
+   internal structure and operation.
+ * libarchive-formats.5 documents the file formats supported by the library
+ * cpio.5, mtree.5, and tar.5 provide detailed information about these
+   popular archive formats, including hard-to-find details about
+   modern cpio and tar variants.
+
+The manual pages above are provided in the 'doc' directory in
+a number of different formats.
+
+You should also read the copious comments in `archive.h` and the
+source code for the sample programs for more details.  Please let us
+know about any errors or omissions you find.
+
+## Supported Formats
+
+Currently, the library automatically detects and reads the following fomats:
+  * Old V7 tar archives
+  * POSIX ustar
+  * GNU tar format (including GNU long filenames, long link names, and sparse files)
+  * Solaris 9 extended tar format (including ACLs)
+  * POSIX pax interchange format
+  * POSIX octet-oriented cpio
+  * SVR4 ASCII cpio
+  * POSIX octet-oriented cpio
+  * Binary cpio (big-endian or little-endian)
+  * ISO9660 CD-ROM images (with optional Rockridge or Joliet extensions)
+  * ZIP archives (with uncompressed or "deflate" compressed entries, including support for encrypted Zip archives)
+  * GNU and BSD 'ar' archives
+  * 'mtree' format
+  * 7-Zip archives
+  * Microsoft CAB format
+  * LHA and LZH archives
+  * RAR archives (with some limitations due to RAR's proprietary status)
+  * XAR archives
+
+The library also detects and handles any of the following before evaluating the archive:
+  * uuencoded files
+  * files with RPM wrapper
+  * gzip compression
+  * bzip2 compression
+  * compress/LZW compression
+  * lzma, lzip, and xz compression
+  * lz4 compression
+  * lzop compression
+
+The library can create archives in any of the following formats:
+  * POSIX ustar
+  * POSIX pax interchange format
+  * "restricted" pax format, which will create ustar archives except for
+    entries that require pax extensions (for long filenames, ACLs, etc).
+  * Old GNU tar format
+  * Old V7 tar format
+  * POSIX octet-oriented cpio
+  * SVR4 "newc" cpio
+  * shar archives
+  * ZIP archives (with uncompressed or "deflate" compressed entries)
+  * GNU and BSD 'ar' archives
+  * 'mtree' format
+  * ISO9660 format
+  * 7-Zip archives
+  * XAR archives
+
+When creating archives, the result can be filtered with any of the following:
+  * uuencode
+  * gzip compression
+  * bzip2 compression
+  * compress/LZW compression
+  * lzma, lzip, and xz compression
+  * lz4 compression
+  * lzop compression
+
+## Notes about the Library Design
+
+The following notes address many of the most common
+questions we are asked about libarchive:
+
+* This is a heavily stream-oriented system.  That means that
+  it is optimized to read or write the archive in a single
+  pass from beginning to end.  For example, this allows
+  libarchive to process archives too large to store on disk
+  by processing them on-the-fly as they are read from or
+  written to a network or tape drive.  This also makes
+  libarchive useful for tools that need to produce
+  archives on-the-fly (such as webservers that provide
+  archived contents of a users account).
+
+* In-place modification and random access to the contents
+  of an archive are not directly supported.  For some formats,
+  this is not an issue: For example, tar.gz archives are not
+  designed for random access.  In some other cases, libarchive
+  can re-open an archive and scan it from the beginning quickly
+  enough to provide the needed abilities even without true
+  random access.  Of course, some applications do require true
+  random access; those applications should consider alternatives
+  to libarchive.
+
+* The library is designed to be extended with new compression and
+  archive formats.  The only requirement is that the format be
+  readable or writable as a stream and that each archive entry be
+  independent.  There are articles on the libarchive Wiki explaining
+  how to extend libarchive.
+
+* On read, compression and format are always detected automatically.
+
+* The same API is used for all formats; in particular, it's very
+  easy for software using libarchive to transparently handle
+  any of libarchive's archiving formats.
+
+* Libarchive's automatic support for decompression can be used
+  without archiving by explicitly selecting the "raw" and "empty"
+  formats.
+
+* I've attempted to minimize static link pollution.  If you don't
+  explicitly invoke a particular feature (such as support for a
+  particular compression or format), it won't get pulled in to
+  statically-linked programs.  In particular, if you don't explicitly
+  enable a particular compression or decompression support, you won't
+  need to link against the corresponding compression or decompression
+  libraries.  This also reduces the size of statically-linked
+  binaries in environments where that matters.
+
+* The library is generally _thread safe_ depending on the platform:
+  it does not define any global variables of its own.  However, some
+  platforms do not provide fully thread-safe versions of key C library
+  functions.  On those platforms, libarchive will use the non-thread-safe
+  functions.  Patches to improve this are of great interest to us.
+
+* In particular, libarchive's modules to read or write a directory
+  tree do use `chdir()` to optimize the directory traversals.  This
+  can cause problems for programs that expect to do disk access from
+  multiple threads.  Of course, those modules are completely
+  optional and you can use the rest of libarchive without them.
+
+* The library is _not_ thread aware, however.  It does no locking
+  or thread management of any kind.  If you create a libarchive
+  object and need to access it from multiple threads, you will
+  need to provide your own locking.
+
+* On read, the library accepts whatever blocks you hand it.
+  Your read callback is free to pass the library a byte at a time
+  or mmap the entire archive and give it to the library at once.
+  On write, the library always produces correctly-blocked output.
+
+* The object-style approach allows you to have multiple archive streams
+  open at once.  bsdtar uses this in its "@archive" extension.
+
+* The archive itself is read/written using callback functions.
+  You can read an archive directly from an in-memory buffer or
+  write it to a socket, if you wish.  There are some utility
+  functions to provide easy-to-use "open file," etc, capabilities.
+
+* The read/write APIs are designed to allow individual entries
+  to be read or written to any data source:  You can create
+  a block of data in memory and add it to a tar archive without
+  first writing a temporary file.  You can also read an entry from
+  an archive and write the data directly to a socket.  If you want
+  to read/write entries to disk, there are convenience functions to
+  make this especially easy.
+
+* Note: The "pax interchange format" is a POSIX standard extended tar
+  format that should be used when the older _ustar_ format is not
+  appropriate.  It has many advantages over other tar formats
+  (including the legacy GNU tar format) and is widely supported by
+  current tar implementations.
+

Modified: releng/11.0/contrib/libarchive/libarchive/archive_acl.c
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_acl.c	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_acl.c	Tue Sep 27 19:36:12 2016	(r306379)
@@ -707,10 +707,11 @@ archive_acl_text_l(struct archive_acl *a
 			if (r != 0)
 				return (-1);
 			*p++ = separator;
-			if (flags & ARCHIVE_ENTRY_ACL_STYLE_EXTRA_ID)
+			if (name == NULL || (flags & ARCHIVE_ENTRY_ACL_STYLE_EXTRA_ID)) {
 				id = ap->id;
-			else
+			} else {
 				id = -1;
+			}
 			append_entry(&p, NULL, ap->tag, name,
 			    ap->permset, id);
 			count++;

Modified: releng/11.0/contrib/libarchive/libarchive/archive_platform.h
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_platform.h	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_platform.h	Tue Sep 27 19:36:12 2016	(r306379)
@@ -159,6 +159,15 @@
 #define	CAN_RESTORE_METADATA_FD
 #endif
 
+/*
+ * glibc 2.24 deprecates readdir_r
+ */
+#if defined(HAVE_READDIR_R) && (!defined(__GLIBC__) || !defined(__GLIBC_MINOR__) || __GLIBC__ < 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ < 24))
+#define	USE_READDIR_R	1
+#else
+#undef	USE_READDIR_R
+#endif
+
 /* Set up defaults for internal error codes. */
 #ifndef ARCHIVE_ERRNO_FILE_FORMAT
 #if HAVE_EFTYPE

Modified: releng/11.0/contrib/libarchive/libarchive/archive_read_disk_entry_from_file.c
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_read_disk_entry_from_file.c	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_read_disk_entry_from_file.c	Tue Sep 27 19:36:12 2016	(r306379)
@@ -411,20 +411,38 @@ setup_acls(struct archive_read_disk *a,
 {
 	const char	*accpath;
 	acl_t		 acl;
-#if HAVE_ACL_IS_TRIVIAL_NP
 	int		r;
-#endif
 
 	accpath = archive_entry_sourcepath(entry);
 	if (accpath == NULL)
 		accpath = archive_entry_pathname(entry);
 
+	if (*fd < 0 && a->tree != NULL) {
+		if (a->follow_symlinks ||
+		    archive_entry_filetype(entry) != AE_IFLNK)
+			*fd = a->open_on_current_dir(a->tree,
+			    accpath, O_RDONLY | O_NONBLOCK);
+		if (*fd < 0) {
+			if (a->tree_enter_working_dir(a->tree) != 0) {
+				archive_set_error(&a->archive, errno,
+				    "Couldn't access %s", accpath);
+				return (ARCHIVE_FAILED);
+			}
+		}
+	}
+
 	archive_entry_acl_clear(entry);
 
+	acl = NULL;
+
 #ifdef ACL_TYPE_NFS4
 	/* Try NFS4 ACL first. */
 	if (*fd >= 0)
+#if HAVE_ACL_GET_FD_NP
+		acl = acl_get_fd_np(*fd, ACL_TYPE_NFS4);
+#else
 		acl = acl_get_fd(*fd);
+#endif
 #if HAVE_ACL_GET_LINK_NP
 	else if (!a->follow_symlinks)
 		acl = acl_get_link_np(accpath, ACL_TYPE_NFS4);
@@ -437,20 +455,31 @@ setup_acls(struct archive_read_disk *a,
 #endif
 	else
 		acl = acl_get_file(accpath, ACL_TYPE_NFS4);
+
 #if HAVE_ACL_IS_TRIVIAL_NP
-	/* Ignore "trivial" ACLs that just mirror the file mode. */
-	acl_is_trivial_np(acl, &r);
-	if (r) {
-		acl_free(acl);
-		acl = NULL;
+	if (acl != NULL && acl_is_trivial_np(acl, &r) == 0) {
+		/* Ignore "trivial" ACLs that just mirror the file mode. */
+		if (r) {
+			acl_free(acl);
+			acl = NULL;
+			/*
+			 * Simultaneous NFSv4 and POSIX.1e ACLs for the same
+			 * entry are not allowed, so we should return here
+			 */
+			return (ARCHIVE_OK);
+		}
 	}
 #endif
 	if (acl != NULL) {
-		translate_acl(a, entry, acl, ARCHIVE_ENTRY_ACL_TYPE_NFS4);
+		r = translate_acl(a, entry, acl, ARCHIVE_ENTRY_ACL_TYPE_NFS4);
 		acl_free(acl);
-		return (ARCHIVE_OK);
+		if (r != ARCHIVE_OK) {
+			archive_set_error(&a->archive, errno,
+			    "Couldn't translate NFSv4 ACLs: %s", accpath);
+		}
+		return (r);
 	}
-#endif
+#endif	/* ACL_TYPE_NFS4 */
 
 	/* Retrieve access ACL from file. */
 	if (*fd >= 0)
@@ -467,19 +496,42 @@ setup_acls(struct archive_read_disk *a,
 #endif
 	else
 		acl = acl_get_file(accpath, ACL_TYPE_ACCESS);
+
+#if HAVE_ACL_IS_TRIVIAL_NP
+	/* Ignore "trivial" ACLs that just mirror the file mode. */
+	if (acl != NULL && acl_is_trivial_np(acl, &r) == 0) {
+		if (r) {
+			acl_free(acl);
+			acl = NULL;
+		}
+	}
+#endif
+
 	if (acl != NULL) {
-		translate_acl(a, entry, acl,
+		r = translate_acl(a, entry, acl,
 		    ARCHIVE_ENTRY_ACL_TYPE_ACCESS);
 		acl_free(acl);
+		acl = NULL;
+		if (r != ARCHIVE_OK) {
+			archive_set_error(&a->archive, errno,
+			    "Couldn't translate access ACLs: %s", accpath);
+			return (r);
+		}
 	}
 
 	/* Only directories can have default ACLs. */
 	if (S_ISDIR(archive_entry_mode(entry))) {
 		acl = acl_get_file(accpath, ACL_TYPE_DEFAULT);
 		if (acl != NULL) {
-			translate_acl(a, entry, acl,
+			r = translate_acl(a, entry, acl,
 			    ARCHIVE_ENTRY_ACL_TYPE_DEFAULT);
 			acl_free(acl);
+			if (r != ARCHIVE_OK) {
+				archive_set_error(&a->archive, errno,
+				    "Couldn't translate default ACLs: %s",
+				    accpath);
+				return (r);
+			}
 		}
 	}
 	return (ARCHIVE_OK);
@@ -535,19 +587,23 @@ translate_acl(struct archive_read_disk *
 #ifdef ACL_TYPE_NFS4
 	acl_entry_type_t acl_type;
 	acl_flagset_t	 acl_flagset;
-	int brand, r;
+	int brand;
 #endif
 	acl_entry_t	 acl_entry;
 	acl_permset_t	 acl_permset;
 	int		 i, entry_acl_type;
-	int		 s, ae_id, ae_tag, ae_perm;
+	int		 r, s, ae_id, ae_tag, ae_perm;
 	const char	*ae_name;
 
 #ifdef ACL_TYPE_NFS4
 	// FreeBSD "brands" ACLs as POSIX.1e or NFSv4
 	// Make sure the "brand" on this ACL is consistent
 	// with the default_entry_acl_type bits provided.
-	acl_get_brand_np(acl, &brand);
+	if (acl_get_brand_np(acl, &brand) != 0) {
+		archive_set_error(&a->archive, errno,
+		    "Failed to read ACL brand");
+		return (ARCHIVE_WARN);
+	}
 	switch (brand) {
 	case ACL_BRAND_POSIX:
 		switch (default_entry_acl_type) {
@@ -555,31 +611,43 @@ translate_acl(struct archive_read_disk *
 		case ARCHIVE_ENTRY_ACL_TYPE_DEFAULT:
 			break;
 		default:
-			// XXX set warning message?
-			return ARCHIVE_FAILED;
+			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+			    "Invalid ACL entry type for POSIX.1e ACL");
+			return (ARCHIVE_WARN);
 		}
 		break;
 	case ACL_BRAND_NFS4:
 		if (default_entry_acl_type & ~ARCHIVE_ENTRY_ACL_TYPE_NFS4) {
-			// XXX set warning message?
-			return ARCHIVE_FAILED;
+			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+			    "Invalid ACL entry type for NFSv4 ACL");
+			return (ARCHIVE_WARN);
 		}
 		break;
 	default:
-		// XXX set warning message?
-		return ARCHIVE_FAILED;
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+		    "Unknown ACL brand");
+		return (ARCHIVE_WARN);
 		break;
 	}
 #endif
 
 
 	s = acl_get_entry(acl, ACL_FIRST_ENTRY, &acl_entry);
+	if (s == -1) {
+		archive_set_error(&a->archive, errno,
+		    "Failed to get first ACL entry");
+		return (ARCHIVE_WARN);
+	}
 	while (s == 1) {
 		ae_id = -1;
 		ae_name = NULL;
 		ae_perm = 0;
 
-		acl_get_tag_type(acl_entry, &acl_tag);
+		if (acl_get_tag_type(acl_entry, &acl_tag) != 0) {
+			archive_set_error(&a->archive, errno,
+			    "Failed to get ACL tag type");
+			return (ARCHIVE_WARN);
+		}
 		switch (acl_tag) {
 		case ACL_USER:
 			ae_id = (int)*(uid_t *)acl_get_qualifier(acl_entry);
@@ -614,13 +682,18 @@ translate_acl(struct archive_read_disk *
 			continue;
 		}
 
-		// XXX acl type maps to allow/deny/audit/YYYY bits
-		// XXX acl_get_entry_type_np on FreeBSD returns EINVAL for
-		// non-NFSv4 ACLs
+		// XXX acl_type maps to allow/deny/audit/YYYY bits
 		entry_acl_type = default_entry_acl_type;
 #ifdef ACL_TYPE_NFS4
-		r = acl_get_entry_type_np(acl_entry, &acl_type);
-		if (r == 0) {
+		if (default_entry_acl_type & ARCHIVE_ENTRY_ACL_TYPE_NFS4) {
+			/*
+			 * acl_get_entry_type_np() falis with non-NFSv4 ACLs
+			 */
+			if (acl_get_entry_type_np(acl_entry, &acl_type) != 0) {
+				archive_set_error(&a->archive, errno, "Failed "
+				    "to get ACL type from a NFSv4 ACL entry");
+				return (ARCHIVE_WARN);
+			}
 			switch (acl_type) {
 			case ACL_ENTRY_TYPE_ALLOW:
 				entry_acl_type = ARCHIVE_ENTRY_ACL_TYPE_ALLOW;
@@ -634,32 +707,53 @@ translate_acl(struct archive_read_disk *
 			case ACL_ENTRY_TYPE_ALARM:
 				entry_acl_type = ARCHIVE_ENTRY_ACL_TYPE_ALARM;
 				break;
+			default:
+				archive_set_error(&a->archive, errno,
+				    "Invalid NFSv4 ACL entry type");
+				return (ARCHIVE_WARN);
 			}
-		}
 
-		/*
-		 * Libarchive stores "flag" (NFSv4 inheritance bits)
-		 * in the ae_perm bitmap.
-		 */
-		// XXX acl_get_flagset_np on FreeBSD returns EINVAL for
-		// non-NFSv4 ACLs
-		r = acl_get_flagset_np(acl_entry, &acl_flagset);
-		if (r == 0) {
+			/*
+			 * Libarchive stores "flag" (NFSv4 inheritance bits)
+			 * in the ae_perm bitmap.
+			 *
+			 * acl_get_flagset_np() fails with non-NFSv4 ACLs
+			 */
+			if (acl_get_flagset_np(acl_entry, &acl_flagset) != 0) {
+				archive_set_error(&a->archive, errno,
+				    "Failed to get flagset from a NFSv4 ACL entry");
+				return (ARCHIVE_WARN);
+			}
 	                for (i = 0; i < (int)(sizeof(acl_inherit_map) / sizeof(acl_inherit_map[0])); ++i) {
-				if (acl_get_flag_np(acl_flagset,
-						    acl_inherit_map[i].platform_inherit))
+				r = acl_get_flag_np(acl_flagset,
+				    acl_inherit_map[i].platform_inherit);
+				if (r == -1) {
+					archive_set_error(&a->archive, errno,
+					    "Failed to check flag in a NFSv4 "
+					    "ACL flagset");
+					return (ARCHIVE_WARN);
+				} else if (r)
 					ae_perm |= acl_inherit_map[i].archive_inherit;
                 	}
 		}
 #endif
 
-		acl_get_permset(acl_entry, &acl_permset);
+		if (acl_get_permset(acl_entry, &acl_permset) != 0) {
+			archive_set_error(&a->archive, errno,
+			    "Failed to get ACL permission set");
+			return (ARCHIVE_WARN);
+		}
 		for (i = 0; i < (int)(sizeof(acl_perm_map) / sizeof(acl_perm_map[0])); ++i) {
 			/*
 			 * acl_get_perm() is spelled differently on different
 			 * platforms; see above.
 			 */
-			if (ACL_GET_PERM(acl_permset, acl_perm_map[i].platform_perm))
+			r = ACL_GET_PERM(acl_permset, acl_perm_map[i].platform_perm);
+			if (r == -1) {
+				archive_set_error(&a->archive, errno,
+				    "Failed to check permission in an ACL permission set");
+				return (ARCHIVE_WARN);
+			} else if (r)
 				ae_perm |= acl_perm_map[i].archive_perm;
 		}
 
@@ -668,6 +762,11 @@ translate_acl(struct archive_read_disk *
 					    ae_id, ae_name);
 
 		s = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry);
+		if (s == -1) {
+			archive_set_error(&a->archive, errno,
+			    "Failed to get next ACL entry");
+			return (ARCHIVE_WARN);
+		}
 	}
 	return (ARCHIVE_OK);
 }

Modified: releng/11.0/contrib/libarchive/libarchive/archive_read_disk_posix.c
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_read_disk_posix.c	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_read_disk_posix.c	Tue Sep 27 19:36:12 2016	(r306379)
@@ -165,7 +165,7 @@ struct filesystem {
 	int		synthetic;
 	int		remote;
 	int		noatime;
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	size_t		name_max;
 #endif
 	long		incr_xfer_size;
@@ -200,7 +200,7 @@ struct tree {
 	DIR			*d;
 #define	INVALID_DIR_HANDLE NULL
 	struct dirent		*de;
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	struct dirent		*dirent;
 	size_t			 dirent_allocated;
 #endif
@@ -1504,10 +1504,19 @@ setup_current_filesystem(struct archive_
 	struct tree *t = a->tree;
 	struct statfs sfs;
 #if defined(HAVE_GETVFSBYNAME) && defined(VFCF_SYNTHETIC)
-#  if defined(HAVE_STRUCT_VFSCONF)
-	struct vfsconf vfc;
-#  else
+/* TODO: configure should set GETVFSBYNAME_ARG_TYPE to make
+ * this accurate; some platforms have both and we need the one that's
+ * used by getvfsbyname()
+ *
+ * Then the following would become:
+ *  #if defined(GETVFSBYNAME_ARG_TYPE)
+ *   GETVFSBYNAME_ARG_TYPE vfc;
+ *  #endif
+ */
+#  if defined(HAVE_STRUCT_XVFSCONF)
 	struct xvfsconf vfc;
+#  else
+	struct vfsconf vfc;
 #  endif
 #endif
 	int r, xr = 0;
@@ -1583,7 +1592,7 @@ setup_current_filesystem(struct archive_
 #endif
 		t->current_filesystem->noatime = 0;
 
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	/* Set maximum filename length. */
 #if defined(HAVE_STRUCT_STATFS_F_NAMEMAX)
 	t->current_filesystem->name_max = sfs.f_namemax;
@@ -1606,7 +1615,7 @@ setup_current_filesystem(struct archive_
 	else
 		t->current_filesystem->name_max = nm;
 #endif
-#endif /* HAVE_READDIR_R */
+#endif /* USE_READDIR_R */
 	return (ARCHIVE_OK);
 }
 
@@ -1808,7 +1817,7 @@ setup_current_filesystem(struct archive_
 #endif
 		t->current_filesystem->noatime = 0;
 
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	/* Set maximum filename length. */
 	t->current_filesystem->name_max = sfs.f_namelen;
 #endif
@@ -1892,7 +1901,7 @@ setup_current_filesystem(struct archive_
 #endif
 		t->current_filesystem->noatime = 0;
 
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	/* Set maximum filename length. */
 	t->current_filesystem->name_max = sfs.f_namemax;
 #endif
@@ -1909,7 +1918,7 @@ static int
 setup_current_filesystem(struct archive_read_disk *a)
 {
 	struct tree *t = a->tree;
-#if defined(_PC_NAME_MAX) && defined(HAVE_READDIR_R)
+#if defined(_PC_NAME_MAX) && defined(USE_READDIR_R)
 	long nm;
 #endif
 	t->current_filesystem->synthetic = -1;/* Not supported */
@@ -1921,7 +1930,7 @@ setup_current_filesystem(struct archive_
 	t->current_filesystem->min_xfer_size = -1;
 	t->current_filesystem->incr_xfer_size = -1;
 
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	/* Set maximum filename length. */
 #  if defined(_PC_NAME_MAX)
 	if (tree_current_is_symblic_link_target(t)) {
@@ -1949,7 +1958,7 @@ setup_current_filesystem(struct archive_
 	else
 		t->current_filesystem->name_max = nm;
 #  endif /* _PC_NAME_MAX */
-#endif /* HAVE_READDIR_R */
+#endif /* USE_READDIR_R */
 	return (ARCHIVE_OK);
 }
 
@@ -2357,7 +2366,7 @@ tree_dir_next_posix(struct tree *t)
 	size_t namelen;
 
 	if (t->d == NULL) {
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 		size_t dirent_size;
 #endif
 
@@ -2378,7 +2387,7 @@ tree_dir_next_posix(struct tree *t)
 			t->visit_type = r != 0 ? r : TREE_ERROR_DIR;
 			return (t->visit_type);
 		}
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 		dirent_size = offsetof(struct dirent, d_name) +
 		  t->filesystem_table[t->current->filesystem_id].name_max + 1;
 		if (t->dirent == NULL || t->dirent_allocated < dirent_size) {
@@ -2395,11 +2404,11 @@ tree_dir_next_posix(struct tree *t)
 			}
 			t->dirent_allocated = dirent_size;
 		}
-#endif /* HAVE_READDIR_R */
+#endif /* USE_READDIR_R */
 	}
 	for (;;) {
 		errno = 0;
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 		r = readdir_r(t->d, t->dirent, &t->de);
 #ifdef _AIX
 		/* Note: According to the man page, return value 9 indicates
@@ -2651,7 +2660,7 @@ tree_free(struct tree *t)
 	if (t == NULL)
 		return;
 	archive_string_free(&t->path);
-#if defined(HAVE_READDIR_R)
+#if defined(USE_READDIR_R)
 	free(t->dirent);
 #endif
 	free(t->sparse_list);

Modified: releng/11.0/contrib/libarchive/libarchive/archive_read_support_format_tar.c
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_read_support_format_tar.c	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_read_support_format_tar.c	Tue Sep 27 19:36:12 2016	(r306379)
@@ -136,6 +136,7 @@ struct tar {
 	int64_t			 entry_padding;
 	int64_t 		 entry_bytes_unconsumed;
 	int64_t			 realsize;
+	int			 sparse_allowed;
 	struct sparse_block	*sparse_list;
 	struct sparse_block	*sparse_last;
 	int64_t			 sparse_offset;
@@ -1271,6 +1272,14 @@ header_common(struct archive_read *a, st
 		 * sparse information in the extended area.
 		 */
 		/* FALLTHROUGH */
+	case '0':
+		/*
+		 * Enable sparse file "read" support only for regular
+		 * files and explicit GNU sparse files.  However, we
+		 * don't allow non-standard file types to be sparse.
+		 */
+		tar->sparse_allowed = 1;
+		/* FALLTHROUGH */
 	default: /* Regular file  and non-standard types */
 		/*
 		 * Per POSIX: non-recognized types should always be
@@ -1730,6 +1739,14 @@ pax_attribute(struct archive_read *a, st
 #endif
 	switch (key[0]) {
 	case 'G':
+		/* Reject GNU.sparse.* headers on non-regular files. */
+		if (strncmp(key, "GNU.sparse", 10) == 0 &&
+		    !tar->sparse_allowed) {
+			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+			    "Non-regular file cannot be sparse");
+			return (ARCHIVE_FATAL);
+		}
+
 		/* GNU "0.0" sparse pax format. */
 		if (strcmp(key, "GNU.sparse.numblocks") == 0) {
 			tar->sparse_offset = -1;

Modified: releng/11.0/contrib/libarchive/libarchive/archive_write_disk_acl.c
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_write_disk_acl.c	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_write_disk_acl.c	Tue Sep 27 19:36:12 2016	(r306379)
@@ -153,9 +153,19 @@ set_acl(struct archive *a, int fd, const
 	if (entries == 0)
 		return (ARCHIVE_OK);
 	acl = acl_init(entries);
+	if (acl == (acl_t)NULL) {
+		archive_set_error(a, errno,
+		    "Failed to initialize ACL working storage");
+		return (ARCHIVE_FAILED);
+	}
 	while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
 		   &ae_permset, &ae_tag, &ae_id, &ae_name) == ARCHIVE_OK) {
-		acl_create_entry(&acl, &acl_entry);
+		if (acl_create_entry(&acl, &acl_entry) != 0) {
+			archive_set_error(a, errno,
+			    "Failed to create a new ACL entry");
+			ret = ARCHIVE_FAILED;
+			goto exit_free;
+		}
 
 		switch (ae_tag) {
 		case ARCHIVE_ENTRY_ACL_USER:
@@ -186,53 +196,96 @@ set_acl(struct archive *a, int fd, const
 			break;
 #endif
 		default:
-			/* XXX */
-			break;
+			archive_set_error(a, ARCHIVE_ERRNO_MISC,
+			    "Unknown ACL tag");
+			ret = ARCHIVE_FAILED;
+			goto exit_free;
 		}
 
 #ifdef ACL_TYPE_NFS4
+		r = 0;
 		switch (ae_type) {
 		case ARCHIVE_ENTRY_ACL_TYPE_ALLOW:
-			acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_ALLOW);
+			r = acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_ALLOW);
 			break;
 		case ARCHIVE_ENTRY_ACL_TYPE_DENY:
-			acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_DENY);
+			r = acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_DENY);
 			break;
 		case ARCHIVE_ENTRY_ACL_TYPE_AUDIT:
-			acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_AUDIT);
+			r = acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_AUDIT);
 			break;
 		case ARCHIVE_ENTRY_ACL_TYPE_ALARM:
-			acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_ALARM);
+			r = acl_set_entry_type_np(acl_entry, ACL_ENTRY_TYPE_ALARM);
 			break;
 		case ARCHIVE_ENTRY_ACL_TYPE_ACCESS:
 		case ARCHIVE_ENTRY_ACL_TYPE_DEFAULT:
 			// These don't translate directly into the system ACL.
 			break;
 		default:
-			// XXX error handling here.
-			break;
+			archive_set_error(a, ARCHIVE_ERRNO_MISC,
+			    "Unknown ACL entry type");
+			ret = ARCHIVE_FAILED;
+			goto exit_free;
+		}
+		if (r != 0) {
+			archive_set_error(a, errno,
+			    "Failed to set ACL entry type");
+			ret = ARCHIVE_FAILED;
+			goto exit_free;
 		}
 #endif
 
-		acl_get_permset(acl_entry, &acl_permset);
-		acl_clear_perms(acl_permset);
+		if (acl_get_permset(acl_entry, &acl_permset) != 0) {
+			archive_set_error(a, errno,
+			    "Failed to get ACL permission set");
+			ret = ARCHIVE_FAILED;
+			goto exit_free;
+		}
+		if (acl_clear_perms(acl_permset) != 0) {
+			archive_set_error(a, errno,
+			    "Failed to clear ACL permissions");
+			ret = ARCHIVE_FAILED;
+			goto exit_free;
+		}
 
 		for (i = 0; i < (int)(sizeof(acl_perm_map) / sizeof(acl_perm_map[0])); ++i) {
 			if (ae_permset & acl_perm_map[i].archive_perm)
-				acl_add_perm(acl_permset,
-					     acl_perm_map[i].platform_perm);
+				if (acl_add_perm(acl_permset,
+				    acl_perm_map[i].platform_perm) != 0) {
+					archive_set_error(a, errno,
+					    "Failed to add ACL permission");
+					ret = ARCHIVE_FAILED;
+					goto exit_free;
+				}
 		}
 
 #ifdef ACL_TYPE_NFS4
-		// XXX acl_get_flagset_np on FreeBSD returns EINVAL for
-		// non-NFSv4 ACLs
-		r = acl_get_flagset_np(acl_entry, &acl_flagset);
-		if (r == 0) {
-			acl_clear_flags_np(acl_flagset);
+		if (acl_type == ACL_TYPE_NFS4) {
+			/*
+			 * acl_get_flagset_np() fails with non-NFSv4 ACLs
+			 */
+			if (acl_get_flagset_np(acl_entry, &acl_flagset) != 0) {
+				archive_set_error(a, errno,
+				    "Failed to get flagset from an NFSv4 ACL entry");
+				ret = ARCHIVE_FAILED;
+				goto exit_free;
+			}
+			if (acl_clear_flags_np(acl_flagset) != 0) {
+				archive_set_error(a, errno,
+				    "Failed to clear flags from an NFSv4 ACL flagset");
+				ret = ARCHIVE_FAILED;
+				goto exit_free;
+			}
 			for (i = 0; i < (int)(sizeof(acl_inherit_map) / sizeof(acl_inherit_map[0])); ++i) {
-				if (ae_permset & acl_inherit_map[i].archive_inherit)
-					acl_add_flag_np(acl_flagset,
-							acl_inherit_map[i].platform_inherit);
+				if (ae_permset & acl_inherit_map[i].archive_inherit) {
+					if (acl_add_flag_np(acl_flagset,
+							acl_inherit_map[i].platform_inherit) != 0) {
+						archive_set_error(a, errno,
+						    "Failed to add flag to NFSv4 ACL flagset");
+						ret = ARCHIVE_FAILED;
+						goto exit_free;
+					}
+				}
 			}
 		}
 #endif
@@ -262,6 +315,7 @@ set_acl(struct archive *a, int fd, const
 		ret = ARCHIVE_WARN;
 	}
 #endif
+exit_free:
 	acl_free(acl);
 	return (ret);
 }

Modified: releng/11.0/contrib/libarchive/libarchive/archive_write_disk_posix.c
==============================================================================
--- releng/11.0/contrib/libarchive/libarchive/archive_write_disk_posix.c	Tue Sep 27 19:00:22 2016	(r306378)
+++ releng/11.0/contrib/libarchive/libarchive/archive_write_disk_posix.c	Tue Sep 27 19:36:12 2016	(r306379)
@@ -140,7 +140,17 @@ __FBSDID("$FreeBSD$");
 #define O_BINARY 0
 #endif
 #ifndef O_CLOEXEC
-#define O_CLOEXEC	0
+#define O_CLOEXEC 0
+#endif
+
+/* Ignore non-int O_NOFOLLOW constant. */
+/* gnulib's fcntl.h does this on AIX, but it seems practical everywhere */
+#if defined O_NOFOLLOW && !(INT_MIN <= O_NOFOLLOW && O_NOFOLLOW <= INT_MAX)
+#undef O_NOFOLLOW
+#endif
+
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
 #endif
 
 struct fixup_entry {
@@ -326,12 +336,14 @@ struct archive_write_disk {
 
 #define HFS_BLOCKS(s)	((s) >> 12)
 
+static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
 static int	check_symlinks(struct archive_write_disk *);
 static int	create_filesystem_object(struct archive_write_disk *);
 static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
 #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
 static void	edit_deep_directories(struct archive_write_disk *ad);
 #endif
+static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
 static int	cleanup_pathname(struct archive_write_disk *);
 static int	create_dir(struct archive_write_disk *, char *);
 static int	create_parent_dir(struct archive_write_disk *, char *);
@@ -2014,6 +2026,10 @@ create_filesystem_object(struct archive_
 	const char *linkname;
 	mode_t final_mode, mode;
 	int r;
+	/* these for check_symlinks_fsobj */
+	char *linkname_copy;	/* non-const copy of linkname */
+	struct archive_string error_string;
+	int error_number;
 
 	/* We identify hard/symlinks according to the link names. */
 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
@@ -2022,6 +2038,27 @@ create_filesystem_object(struct archive_
 #if !HAVE_LINK
 		return (EPERM);
 #else
+		archive_string_init(&error_string);
+		linkname_copy = strdup(linkname);
+		if (linkname_copy == NULL) {
+		    return (EPERM);
+		}
+		/* TODO: consider using the cleaned-up path as the link target? */
+		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
+		if (r != ARCHIVE_OK) {
+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
+			free(linkname_copy);
+			/* EPERM is more appropriate than error_number for our callers */
+			return (EPERM);
+		}
+		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
+		if (r != ARCHIVE_OK) {
+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
+			free(linkname_copy);
+			/* EPERM is more appropriate than error_number for our callers */
+			return (EPERM);
+		}
+		free(linkname_copy);
 		r = link(linkname, a->name) ? errno : 0;
 		/*
 		 * New cpio and pax formats allow hardlink entries
@@ -2040,7 +2077,7 @@ create_filesystem_object(struct archive_
 			a->deferred = 0;
 		} else if (r == 0 && a->filesize > 0) {
 			a->fd = open(a->name,
-				     O_WRONLY | O_TRUNC | O_BINARY | O_CLOEXEC);
+				     O_WRONLY | O_TRUNC | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
 			__archive_ensure_cloexec_flag(a->fd);
 			if (a->fd < 0)
 				r = errno;
@@ -2351,126 +2388,233 @@ current_fixup(struct archive_write_disk 
 	return (a->current_fixup);
 }
 
-/* TODO: Make this work. */
-/*
- * TODO: The deep-directory support bypasses this; disable deep directory
- * support if we're doing symlink checks.
- */
 /*
  * TODO: Someday, integrate this with the deep dir support; they both
  * scan the path and both can be optimized by comparing against other
  * recent paths.

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@freebsd.org  Wed Sep 28 22:04:08 2016
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 82C97C0152B;
 Wed, 28 Sep 2016 22:04:08 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F6CBA51;
 Wed, 28 Sep 2016 22:04:08 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8SM47rr062365;
 Wed, 28 Sep 2016 22:04:07 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8SM478Q062364;
 Wed, 28 Sep 2016 22:04:07 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <201609282204.u8SM478Q062364@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Wed, 28 Sep 2016 22:04:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r306419 - releng/11.0/usr.sbin/portsnap/portsnap
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2016 22:04:08 -0000

Author: emaste
Date: Wed Sep 28 22:04:07 2016
New Revision: 306419
URL: https://svnweb.freebsd.org/changeset/base/306419

Log:
  MFS r306418: portsnap: only move expected snapshot contents from snap/ to files/
  
  Previously it was possible to smuggle in addional files that would
  be used by later portsnap runs. Now we only move those files expected
  to be in the snapshot into files/ and require that there are no
  unexpected files.
  
  This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic
  attacks against FreeBSD update components" anonymous gist.
  
  Approved by:	re (gjb)

Modified:
  releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh
Directory Properties:
  releng/11.0/   (props changed)

Modified: releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh
==============================================================================
--- releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh	Wed Sep 28 21:33:35 2016	(r306418)
+++ releng/11.0/usr.sbin/portsnap/portsnap/portsnap.sh	Wed Sep 28 22:04:07 2016	(r306419)
@@ -691,6 +691,13 @@ fetch_snapshot() {
 	fetch_index_sanity || return 1
 # Verify the snapshot contents
 	cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1
+	cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected
+	find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap
+	if ! cmp -s files.expected files.snap; then
+		echo "unexpected files in snapshot."
+		return 1
+	fi
+	rm files.expected files.snap
 	echo "done."
 
 # Move files into their proper locations

From owner-svn-src-releng@freebsd.org  Wed Sep 28 23:06:05 2016
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2D306C00D34;
 Wed, 28 Sep 2016 23:06:05 +0000 (UTC) (envelope-from gjb@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id F1D88DCC;
 Wed, 28 Sep 2016 23:06:04 +0000 (UTC) (envelope-from gjb@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8SN64Dm085203;
 Wed, 28 Sep 2016 23:06:04 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8SN64sN085202;
 Wed, 28 Sep 2016 23:06:04 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <201609282306.u8SN64sN085202@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber <gjb@FreeBSD.org>
Date: Wed, 28 Sep 2016 23:06:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r306420 - releng/11.0/sys/conf
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2016 23:06:05 -0000

Author: gjb
Date: Wed Sep 28 23:06:03 2016
New Revision: 306420
URL: https://svnweb.freebsd.org/changeset/base/306420

Log:
  Update releng/11.0 to 11.0-RELEASE-p1.
  
  Approved by:	re (implicit)
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/11.0/sys/conf/newvers.sh

Modified: releng/11.0/sys/conf/newvers.sh
==============================================================================
--- releng/11.0/sys/conf/newvers.sh	Wed Sep 28 22:04:07 2016	(r306419)
+++ releng/11.0/sys/conf/newvers.sh	Wed Sep 28 23:06:03 2016	(r306420)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.0"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi