authorgordon <gordon@c2e8774f-c49f-e111-b436-862b2bbc8956>2020-12-01 19:53:40 +0000
committergordon <gordon@c2e8774f-c49f-e111-b436-862b2bbc8956>2020-12-01 19:53:40 +0000
commiteeff2564df962900facb6c39ee1fd4255e9e269d (patch)
tree1517932a7bd18a9f07c25c38fab158221d354fef
parent24475e686ef4a4adf836c010ee5ecfaf1e10e4f9 (diff)
Add EN-20:19 to EN-20:22, SA-20:31, and SA-20:32.
Approved by: so git-svn-id: http://svn.freebsd.org/doc/head@54726 c2e8774f-c49f-e111-b436-862b2bbc8956
-rw-r--r--share/security/advisories/FreeBSD-EN-20:19.audit.asc142
-rw-r--r--share/security/advisories/FreeBSD-EN-20:20.tzdata.asc148
-rw-r--r--share/security/advisories/FreeBSD-EN-20:21.ipfw.asc118
-rw-r--r--share/security/advisories/FreeBSD-EN-20:22.callout.asc137
-rw-r--r--share/security/advisories/FreeBSD-SA-20:31.icmp6.asc152
-rw-r--r--share/security/advisories/FreeBSD-SA-20:32.rtsold.asc156
-rw-r--r--share/security/patches/EN-20:19/audit.12.1.patch139
-rw-r--r--share/security/patches/EN-20:19/audit.12.1.patch.asc18
-rw-r--r--share/security/patches/EN-20:19/audit.12.2.patch139
-rw-r--r--share/security/patches/EN-20:19/audit.12.2.patch.asc18
-rw-r--r--share/security/patches/EN-20:20/tzdata-2020d.patch2507
-rw-r--r--share/security/patches/EN-20:20/tzdata-2020d.patch.asc18
-rw-r--r--share/security/patches/EN-20:21/ipfw.patch89
-rw-r--r--share/security/patches/EN-20:21/ipfw.patch.asc18
-rw-r--r--share/security/patches/EN-20:22/callout.12.1.patch20
-rw-r--r--share/security/patches/EN-20:22/callout.12.1.patch.asc18
-rw-r--r--share/security/patches/EN-20:22/callout.12.2.patch20
-rw-r--r--share/security/patches/EN-20:22/callout.12.2.patch.asc18
-rw-r--r--share/security/patches/SA-20:31/icmp6.11.4.patch57
-rw-r--r--share/security/patches/SA-20:31/icmp6.11.4.patch.asc18
-rw-r--r--share/security/patches/SA-20:31/icmp6.12.1.patch57
-rw-r--r--share/security/patches/SA-20:31/icmp6.12.1.patch.asc18
-rw-r--r--share/security/patches/SA-20:31/icmp6.12.2.patch61
-rw-r--r--share/security/patches/SA-20:31/icmp6.12.2.patch.asc18
-rw-r--r--share/security/patches/SA-20:32/rtsold.patch52
-rw-r--r--share/security/patches/SA-20:32/rtsold.patch.asc18
-rw-r--r--share/xml/advisories.xml17
-rw-r--r--share/xml/notices.xml25
28 files changed, 4216 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-20:19.audit.asc b/share/security/advisories/FreeBSD-EN-20:19.audit.asc
new file mode 100644
index 0000000000..204fa4c5ab
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:19.audit.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:19.audit Errata Notice
+ The FreeBSD Project
+
+Topic: execve/fexecve system call auditing
+
+Category: core
+Module: kernel
+Announced: 2020-12-01
+Affects: FreeBSD 12.1 and later.
+Corrected: 2020-10-27 13:13:04 UTC (stable/12, 12.2-STABLE)
+ 2020-12-01 19:34:45 UTC (releng/12.2, 12.2-RELEASE-p1)
+ 2020-12-01 19:34:45 UTC (releng/12.1, 12.1-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The audit(4) facility allows a system administrator to audit
+security-relevant events. System calls are one such security-related event,
+and the audit(4) facility will record whether the system call was successful
+along with other important details.
+
+II. Problem Description
+
+All execve/fexecve system calls in affected versions will be reported as a
+failure, even upon successful execution. For affected kernels, the exact
+error reported is EJUSTRETURN, 201, or "Just return" depending on the tooling
+used. These can safely be considered successful returns for the fexecve and
+execve system calls. Note that audit trails that were produced by kernels
+starting with FreeBSD 12.0 will exhibit this problem.
+
+III. Impact
+
+It is important to be able to determine when a process is, for instance,
+executing a shell. Such events may be indicative of an intrusion if they
+are not expected. Failure to report such an execution as successful may
+result in intrusions that are no longer detectable.
+
+IV. Workaround
+
+No workaround is available. This error is irrelevant for system
+administrators that do not use the audit(4) facility. Users of the
+audit(4) facility could detect the specific error that is being
+returned as success, but this may complicate auditing as all failures
+must be recorded.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch.asc
+# gpg --verify audit.12.2.patch.asc
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch.asc
+# gpg --verify audit.12.1.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r367080
+releng/12.2/ r368249
+releng/12.1/ r368249
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249179>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:19.audit.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GnclfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKqdBAAjBubNRAnzviekLybf9W6QnFT+9LrdoHEKM0epXT7GxHeGdKSbWwJPvaO
+PmogRZ88uPOvaRVYIjGLXjJf48zA6D5LuQrVre0BEICVsLEaKcoQpwqOgtSKroI4
+LguI26tLC/TmzWMid7CUeDOxzY0yg+t8QWPvrc9kDCZVqDFjrWtUDurLYM50p8Rm
+FHfbWgFg0g3ytPF6k7DuafDrSJIs0lULwOtAPBrYR5chTr3/quc6onU99B6oxo4K
+rRe4Se458M3Gm637lADAqqyRXtzwMXZ+bJBRFjdMZb3gn6QSRphHluXosv9EWwZe
+FV5muyouYzxObkE4ev8dXF8Xx6LyuWfYLj5r064DRS7oFIZjIc/5F3wUITmkzCSc
+iqOPZ545JO2Mxd5JwgA6QMy1YagHJb4MKDpwoQG5EHdNSSIRxRy9SEnyyxB/boMw
+c65iw+SXM6ln+iAoFO9tyoLF5ek9OFRMH/1hemkY82eECcMA2m8/taSHb3++YOQr
+7tmGjBZpynj/xDLQKwQiOrz5bVSPkWFc/4q9yQWAg/IoRPs+j/bsu1QoFlZX5b/8
+/161dxwjs5ZLsTj+/oV/cBKQSWIFkSkbaK61ZAdrysXmGHB1jJ6OZDlsXK9kptHr
+XavfRbYVCs8tB6NmWWEcfRQvLso20u+9zLO2X0yGz0+XEpKNU4k=
+=QTo/
+-----END PGP SIGNATURE-----
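Review bot: The Affects field (`FreeBSD 12.1 and later`) and the last sentence of section II (audit trails from kernels starting with FreeBSD 12.0) give different lower bounds, which matters to anyone re-reading older audit trails for execve events. If 12.0 is left out of Affects only because it is no longer supported (an inference; the notice does not say), section II could state that, e.g. `Note that audit trails produced by any kernel starting with FreeBSD 12.0, including releases that are no longer supported, will exhibit this problem.` The Workaround sentence would also read more clearly as `could treat the specific error being returned as success`. Because the file is clearsigned, any wording change means re-signing the notice.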
diff --git a/share/security/advisories/FreeBSD-EN-20:20.tzdata.asc b/share/security/advisories/FreeBSD-EN-20:20.tzdata.asc
new file mode 100644
index 0000000000..dd99b2e39e
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:20.tzdata.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:20.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2020-12-01
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-10-23 01:06:33 UTC (stable/12, 12.1-STABLE)
+ 2020-12-01 19:35:48 UTC (releng/12.2, 12.2-RELEASE-p1)
+ 2020-12-01 19:35:48 UTC (releng/12.1, 12.1-RELEASE-p11)
+ 2020-10-23 01:06:42 UTC (stable/11, 11.4-STABLE)
+ 2020-12-01 19:35:48 UTC (releng/11.4, 11.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime. This file actually controls the
+conversion.
+
+II. Problem Description
+
+Several changes in Daylight Saving Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+parts of the world. Because of these changes, the data in the zoneinfo files
+need to be updated, and if the local timezone on the running system is
+affected, tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately. For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:20/tzdata-2020d.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:20/tzdata-2020d.patch.asc
+# gpg --verify tzdata-2020d.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r366956
+releng/12.2/ r368251
+releng/12.1/ r368251
+stable/11/ r366957
+releng/11.4/ r368251
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:20.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLWBw/9HeAWb+xuxt8CdZUD+99vXFdHb8gLSFrlFZbHnjDwrGhz4yrAzO/3NFxh
+j+DQugxxUgLvJpm3W+sYAwqO7TjJE2DkG2BV2r4vdMCax3YpkPqvuk/3oYdVy+nm
+c0LTJDwHLWhluO7nrA3v49yOPICMGW1Xb7S7hNPHQaRCEVfP3hI61LM9sHAEp3zW
+Q44qWfeXK46grCCbviDI+GVYmQr3/b5QJbvLidzIAz+XTToD88+DDgaowwg8GuUn
+9v29aT8LjLB2XNYxRr3CZ5khdZTT5q+CGWSb0VvKHKaRgFMNLYw7gTKDOFTBQi0x
+utonkT5Jsxq6kqHbp9drA6LMvUzWOThrabxCaJEk5p7t5FQWtYUfDTsspThwS54e
+6n2cSCNg8j3eW6YVF7CVvCrUEsXejA/bv0ZW0M896oy5xizTKa6Yjh1llqNvpJ1h
+jW9UrxtI4oGQ+Q2cUc7+85P7ddNQ/wO/SHIRVcKPHVBbs8u0YAikGjUzEhWR/pDD
+tzUpNR3UTOIq96h1J+sK+jxk7arw6gCIksNDCKo3AI2DoXTe12K2OdG88OKW/t5P
+iZZZufbAvY88SdKSGlBHbSXZLiMB+uH1NTI2Fab4XIetXdZq/5TPX7rRmlINS8nd
+LMqCDSsVhjaUR6E1D3pOamo3n8IZgiluxqx7JZ2m9p0nKMjHDZo=
+=gsQm
+-----END PGP SIGNATURE-----
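Review bot: The first Corrected line labels stable/12 as `12.1-STABLE`, while the other notices added in this commit label the same branch `12.2-STABLE` for corrections made in the same weeks. If this is a leftover from an earlier notice, the line should read `2020-10-23 01:06:33 UTC (stable/12, 12.2-STABLE)`. Section V also has `software packages that is installed` where `are installed` is meant. The file is clearsigned, so a correction needs a new signature.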
diff --git a/share/security/advisories/FreeBSD-EN-20:21.ipfw.asc b/share/security/advisories/FreeBSD-EN-20:21.ipfw.asc
new file mode 100644
index 0000000000..0d9b2c06b6
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:21.ipfw.asc
@@ -0,0 +1,118 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:21.ipfw Errata Notice
+ The FreeBSD Project
+
+Topic: Uninitialized variable in ipfw
+
+Category: core
+Module: ipfw
+Announced: 2020-12-01
+Affects: FreeBSD 12.2
+Corrected: 2020-10-18 20:54:15 UTC (stable/12, 12.2-STABLE)
+ 2020-12-01 19:36:36 UTC (releng/12.2, 12.2-RELEASE-p1)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+ipfw(8) is the command-line utility used to configure the ipfw(4) firewall.
+
+II. Problem Description
+
+A regression in FreeBSD 12.2 meant that ipfw(8) fwd commands referencing
+specific port numbers may configure the firewall incorrectly.
+
+III. Impact
+
+Forwarding rules referencing port numbers may not work as configured.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:21/ipfw.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:21/ipfw.patch.asc
+# gpg --verify ipfw.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r366816
+releng/12.2/ r368252
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250434>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:21.ipfw.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLY3w/8DpeBoG7dMm3m60BFStxuQMkUKwuMNiYXVOADLIACLW5F8fRxleAiMh1n
+09YHHO/OfoGuuI8FkviqUfwBQsX9ljY8x35/UUZtf19YTllKvmz8gTTAVYmkO0g/
+ohEZBMsA9h9Wfnn51/CVziTtO597mbLsJrt+lXnYVJLUIFdf6VNbK719ZtUOq53v
+5mMKaFqyZJzDTouXePPVirvsiM5a2S7qVSoWTDEgog6iYxvEeXhd4Mtbaxbl2UW5
+JJ1ZUycIUECCu2MI09JxZhRaRLnUA4RfzGIu63wxUJtfiKyIK0Afn3Gm/nyF+Sop
+X/rm7jg1DDdqMd55QdG9AchI4D4C0DcJbTo4r8OSRFzmwQlTAsfOAlrH3ov+E+0f
+rZ8SN2gjR/y+cdWQJxQ04pGh9NJkdrWMZJdZ047NnO8jF25rSN3iMgY6PydhE5TT
+JKZXcfjTUqGeFveeMqdaZ5uoUyKaE/DnrNimv7Y4tcY0dsRIVIZQb6ml1dJdrkCG
+6R5/yboAp2m9dtkplGUOo7cRae8bxXTQteANhZJYT3dqKDMKUJCw6ZShmr0pg2Of
+KASqUMdHYSIyGoUaQ+Pd3s5UweuG8NEZt+p302qbn8cBCncMioibZqUJyo0lt/zn
+jVFCZuepLOSGH7u0hYvlizkpbsXkUraBkQOTelqYyxXGoWF7WQg=
+=N2u/
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-20:22.callout.asc b/share/security/advisories/FreeBSD-EN-20:22.callout.asc
new file mode 100644
index 0000000000..69cb22054c
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:22.callout.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:22.callout Errata Notice
+ The FreeBSD Project
+
+Topic: Race condition in callout CPU migration
+
+Category: core
+Module: callout
+Announced: 2020-12-01
+Affects: FreeBSD 12.1 and 12.2
+Corrected: 2020-11-26 14:57:30 UTC (stable/12, 12.2-STABLE)
+ 2020-12-01 19:37:33 UTC (releng/12.2, 12.2-RELEASE-p1)
+ 2020-12-01 19:37:33 UTC (releng/12.1, 12.1-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The callout(9) kernel subsystem is used by other kernel subsystems to request
+execution of a function following a specified timeout. callout(9) implements
+an interface which allows a pending callout to be stopped.
+
+II. Problem Description
+
+Callouts may be bound to a specific CPU, in which case that CPU is
+responsible for raising the timer interrupt which schedules execution of the
+callout.
+
+A kernel thread may attempt to stop a callout while it is actively executing,
+in which case the thread goes to sleep until execution has completed. In the
+meantime the callout may be re-scheduled and re-executed on a different CPU.
+In this scenario, when the sleeping thread finally completes removal of the
+callout from some internal data structures, it may modify the wrong CPU's
+data structures and thus leave them in an invalid state.
+
+III. Impact
+
+The bug may result in kernel panics under some workloads, typically in the
+softclock threads.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch.asc
+# gpg --verify callout.12.2.patch.asc
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch.asc
+# gpg --verify callout.12.1.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368057
+releng/12.2/ r368254
+releng/12.1/ r368254
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:22.callout.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJUHxAAg1Mw+GeweWrKv/qaDymHW6YTGF8/y1qJ9YQKhVZ4QCtFMX2E467Slh35
+sVOtfVsfUxKmwsKfdEM93sw9uSjj6///TodhF9vJMKGk/uVpF+PHrnFLtD+2VONs
+jhAtH1R5tatIQEZeijaGBGizxXQRN2y2PqUQfKBNIqO5u06rG3KonNI+Cx1TGKm1
+4R0ua06s0i2WpTsdW6AMszJqD3WbvlV7W5aM5pRfWtGM/OFksBKp/ScJ4J/MdOhh
+11g4RsbvPvxGwBMad32TDV9Npjmkcjy65Ro92RUHAkDOT9Eftt18w1JYNaOxl+/p
+fcS7cLBjdXJgvARJ57turXEiQT03SemG7yu9mr3SB//2Kh/RNVE5KFZev+i1kZOe
+98NS8+AYNyN3ovg5ceESuXBpVM+T+mFMu6NLfNFSfgfd0OneNSiiB0uDt2B07TWN
+LM0bz3vrq91GSnf7EZWppx/f3e8wIT0lBXcpJMJo9T56096ewoPMx9C5/RNqcrpL
+LskXRnwi8od0o8nw7nDWYlIGiAfWkwzXm5slvKA0v2c9qVsyB7OWtGtS+YonOb4c
+Eyc5b14MoRb9Y4J/fZHm3gWDVP9OQDWxyRTXvLZq8QCYmOYFoXspIM6kM5geOIZH
+S/X3Xl671coCtCJcQVQJShMwgEcEeUCtJcKEOJ+gC3f60E0aLS0=
+=l7SY
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc b/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc
new file mode 100644
index 0000000000..113dbca831
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:31.icmp6.asc
@@ -0,0 +1,152 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:31.icmp6 Security Advisory
+ The FreeBSD Project
+
+Topic: ICMPv6 use-after-free in error message handling
+
+Category: core
+Module: icmp6
+Announced: 2020-12-01
+Credits: Maxime Villard
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-11-05 22:41:54 UTC (stable/12, 12.2-STABLE)
+ 2020-12-01 19:38:52 UTC (releng/12.2, 12.2-RELEASE-p1)
+ 2020-12-01 19:38:52 UTC (releng/12.1, 12.1-RELEASE-p11)
+ 2020-12-01 03:07:26 UTC (stable/11, 11.4-STABLE)
+ 2020-12-01 19:38:52 UTC (releng/11.4, 11.4-RELEASE-p5)
+CVE Name: CVE-2020-7469
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+ICMPv6 is the ICMP protocol for IPv6. It is used to transmit informational
+and error messages between IPv6 hosts.
+
+II. Problem Description
+
+When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may
+extract information from the message to hand to upper-layer protocols. As a
+part of this operation, it may parse IPv6 header options from a packet
+embedded in the ICMPv6 message.
+
+The handler for a routing option caches a pointer into the packet buffer
+holding the ICMPv6 message. However, when processing subsequent options the
+packet buffer may be freed, rendering the cached pointer invalid. The
+network stack may later dereference the pointer, potentially triggering a
+use-after-free.
+
+III. Impact
+
+A remote host may be able to trigger a read of freed kernel memory. This may
+trigger a kernel panic if the address had been unmapped.
+
+IV. Workaround
+
+Systems with IPv6 disabled are not affected. No workaround is available
+except to disable IPv6 on the system's network interfaces.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and
+reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch.asc
+# gpg --verify icmp6.12.2.patch.asc
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch.asc
+# gpg --verify icmp6.12.1.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch.asc
+# gpg --verify icmp6.11.4.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r367402
+releng/12.2/ r368255
+releng/12.1/ r368255
+stable/11/ r368202
+releng/11.4/ r368255
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7469>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:31.icmp6.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIE8g//d4TXo4cXH4H0k6Et5lCoKz7R+x/wE6EuTymvKOiYyvwGwk3TZnLwhSSr
++FmwYMa0nQfHl3JdbUFYcQdA8Q/mvh0OZf55icRRHwchA+V9ENzuN8DqP1FPbL09
+Ar3Q7osE2LyblTX9vOF0KYNWT+OmUZE5BDHEJ+OD5TKV2xWMkrksVOylXdKKgNyK
+Umc3uccud3nvBlrIeP5SiNewCP06/SEZkSovFI1QKCVJGs4hCO97Es0RWiY9MkPG
+JcUOdCsYVrvfcWNeRkcAqnH/vgWQYBumSW15ldNGIrMaUAi0DiDTisFIifPI1z8T
+j+WmxN2IGvjYQzLBLhpJqq9Ox1OUD2R6Q0YSsndMHgf2bo1HheVUtQlBPMOq/V/8
+I74Ppu2NPxdh2ocUzk60XaNZ2PuZhqkDMOLqZLcKNEe7m94ImzfNxtDGyRkEwpbw
+/Vu4ysFrHQR4derU3c9TV+LJwCYaoNw//0WKpcycnqfvb/y5dWgOc3sBf5zwiuRL
+NNwRnnRK/gaGoigJxm/Ev2SNsJDLs0g7IuscwYPRtadi1eUTeKeJFg3yvSVTYRov
+tGPIhWYmWvOmKSg8ZGIAnTcXeNleyymw+vi6l0gHtwcLJ0AjdbVEWZ3FCy7XvD3c
+yRbkJ4ORllto95caGGtzHDj0CMShYaOMNhrf+QrEYDRMB8jfXh0=
+=a0pv
+-----END PGP SIGNATURE-----
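Review bot: Section VII still contains the template placeholder `<other info on vulnerability>` ahead of the CVE link, so the signed advisory ships with an unfilled field. Either drop the line or replace it with the actual reference; since the text sits inside the clearsigned block, the advisory has to be re-signed afterwards. Separately, section IV says both that no workaround is available and that disabling IPv6 avoids the issue; a single sentence such as `As a workaround, disable IPv6 on the system's network interfaces; systems with IPv6 disabled are not affected.` would be easier to act on.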
diff --git a/share/security/advisories/FreeBSD-SA-20:32.rtsold.asc b/share/security/advisories/FreeBSD-SA-20:32.rtsold.asc
new file mode 100644
index 0000000000..c80dc2664d
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:32.rtsold.asc
@@ -0,0 +1,156 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:32.rtsold Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in rtsold
+
+Category: core
+Module: rtsold
+Announced: 2020-12-01
+Credits: Quarkslab Vulnerability Reports
+Affects: All supported versions of FreeBSD
+Corrected: 2020-12-01 19:35:48 UTC (stable/12, 12.2-STABLE)
+ 2020-12-01 19:39:44 UTC (releng/12.2, 12.2-RELEASE-p1)
+ 2020-12-01 19:39:44 UTC (releng/12.1, 12.1-RELEASE-p11)
+ 2020-12-01 19:36:37 UTC (stable/11, 11.4-STABLE)
+ 2020-12-01 19:39:44 UTC (releng/11.4, 11.4-RELEASE-p5)
+CVE Name: CVE-2020-25577
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+As part of the stateless address autoconfiguration (SLAAC) mechanism, IPv6
+routers periodically broadcast router advertisement messages on attached
+networks to inform hosts of the correct network prefix, router address and
+MTU, as well as additional network parameters such as the DNS servers
+(RDNSS), DNS search list (DNSSL) and whether a stateful configuration service
+is available. Hosts that have recently joined the network can broadcast a
+router solicitation message to solicit an immediate advertisement instead of
+waiting for the next periodic advertisement.
+
+The router solicitation daemon, rtsold(8), broadcasts router solicitation
+messages at startup or when the state of an interface changes from passive to
+active. Incoming router advertisement messages are first processed by the
+kernel and then passed on to rtsold(8), which handles the DNS and stateful
+configuration options.
+
+II. Problem Description
+
+Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First,
+rtsold(8) failed to perform sufficient bounds checking on the extent of the
+option. In particular, it does not verify that the option does not extend
+past the end of the received packet before processing its contents. The
+kernel currently ignores such malformed packets but still passes them to
+userspace programs.
+
+Second, when processing a DNSSL option, rtsold(8) decodes domain name labels
+per an encoding specified in RFC 1035 in which the first octet of each label
+contains the label's length. rtsold(8) did not validate label lengths
+correctly and could overflow the destination buffer.
+
+III. Impact
+
+It is believed that these bugs could be exploited to gain remote code
+execution within the rtsold(8) daemon, which runs as root. Note that
+rtsold(8) only processes messages received from hosts attached to the same
+physical link as the interface(s) on which rtsold(8) is listening.
+
+In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a
+compromised rtsold(8) process.
+
+IV. Workaround
+
+No workaround is available, but systems that do not run rtsold(8) are not
+affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:32/rtsold.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:32/rtsold.patch.asc
+# gpg --verify rtsold.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368250
+releng/12.2/ r368256
+releng/12.1/ r368256
+stable/11/ r368253
+releng/11.4/ r368256
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25577>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:32.rtsold.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIUXQ/+K/FAB22beBBiOUDaRMF0n4a/umwvwX2BAy7PsLIzRcYL8ydhvTWPXQnU
+KssmRoi0eobczpIYgIqTDNDTI46UErEvfoCBTIiY+uedER77FKxesfnO/9S3owvh
+8uP+WCMzZXRfNvIYqEsK43ipm3LL4rDfUNLEdeFj0bLlwEwiTJaXsdLayJ3KpanN
+A3ykePDXnQD41BcDcotvzSV6r7o5dbCILI4K4zEOSCAXBP1Du16J/K/aHOWahJ20
+Ex6YFg0llH3VkAVE9iGdHLGFqakjobUhm+LzV9ShAkXZqZs3Hx+p8dfM4w7aicCM
+f6Nn0rLlb4ZdSmMnbsexoZZwO0v2dQNHd1EEtQD6zjJfey1auJKJLTcLoWXH+3mm
+w5eOjjmqdOkab0h224q8jidhgyUm1c8By5H5aZ79y5SpRG0mfuS82Z6uIAf0KKZ3
+uIzPswc0YtI30M638ZCKCug3gxwZu4EG7P08/Ab4B0fpyfqqLy6KVsMdH6w64R6+
+64twgiVPuM3DpokvTfdcQLp13IHeMJwkpdc/SICyg3NDAFJZMcIe6eqjko5FsNnH
+RSjA0SHRKyl303OLR+jUHe64m+LISyNne+fC1VoThbqQ1f5nWX9PlF4VjRu30Wz4
+8VcmRCehMT1G1aIEGG74zKDeWDP6+bGeieBU7Pa/jfr/aI88Hw0=
+=5tIC
+-----END PGP SIGNATURE-----
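Review bot: Section IV says that systems which do not run rtsold(8) are not affected, but it gives the reader no way to establish that, and Section III describes possible code execution as root from any host on the same link. A sentence after "are not affected." would let an administrator triage exposure before patching, for example `To check, look for rtsold_enable in rc.conf(5) and for a running rtsold process.` The Problem Description also switches between past and present tense ("failed to perform" and "did not validate" beside "does not verify"), which leaves it unclear whether the text describes the code before or after the fix. Both changes have to be made before signing, since the text sits inside the PGP-signed message.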
diff --git a/share/security/patches/EN-20:19/audit.12.1.patch b/share/security/patches/EN-20:19/audit.12.1.patch
new file mode 100644
index 0000000000..527e3d4980
--- /dev/null
+++ b/share/security/patches/EN-20:19/audit.12.1.patch
@@ -0,0 +1,139 @@
+--- sys/amd64/linux/linux_machdep.c.orig
++++ sys/amd64/linux/linux_machdep.c
+@@ -81,6 +81,8 @@
+ #include <x86/ifunc.h>
+ #include <x86/sysarch.h>
+
++#include <security/audit/audit.h>
++
+ #include <amd64/linux/linux.h>
+ #include <amd64/linux/linux_proto.h>
+ #include <compat/linux/linux_emul.h>
+@@ -107,6 +109,7 @@
+ free(path, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/amd64/linux32/linux32_machdep.c.orig
++++ sys/amd64/linux32/linux32_machdep.c
+@@ -69,6 +69,8 @@
+ #include <vm/vm.h>
+ #include <vm/vm_map.h>
+
++#include <security/audit/audit.h>
++
+ #include <compat/freebsd32/freebsd32_util.h>
+ #include <amd64/linux32/linux.h>
+ #include <amd64/linux32/linux32_proto.h>
+@@ -143,6 +145,7 @@
+ free(path, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/arm64/linux/linux_machdep.c.orig
++++ sys/arm64/linux/linux_machdep.c
+@@ -38,6 +38,8 @@
+ #include <sys/proc.h>
+ #include <sys/sdt.h>
+
++#include <security/audit/audit.h>
++
+ #include <arm64/linux/linux.h>
+ #include <arm64/linux/linux_proto.h>
+ #include <compat/linux/linux_dtrace.h>
+@@ -74,6 +76,7 @@
+ free(path, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/compat/freebsd32/freebsd32_misc.c.orig
++++ sys/compat/freebsd32/freebsd32_misc.c
+@@ -440,6 +440,7 @@
+ if (error == 0)
+ error = kern_execve(td, &eargs, NULL);
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+@@ -460,6 +461,7 @@
+ error = kern_execve(td, &eargs, NULL);
+ }
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/i386/linux/linux_machdep.c.orig
++++ sys/i386/linux/linux_machdep.c
+@@ -61,6 +61,8 @@
+ #include <vm/vm.h>
+ #include <vm/vm_map.h>
+
++#include <security/audit/audit.h>
++
+ #include <i386/linux/linux.h>
+ #include <i386/linux/linux_proto.h>
+ #include <compat/linux/linux_emul.h>
+@@ -116,6 +118,7 @@
+ free(newpath, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/kern/kern_exec.c.orig
++++ sys/kern/kern_exec.c
+@@ -224,6 +224,7 @@
+ if (error == 0)
+ error = kern_execve(td, &args, NULL);
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+@@ -251,6 +252,7 @@
+ error = kern_execve(td, &args, NULL);
+ }
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+@@ -279,6 +281,7 @@
+ if (error == 0)
+ error = kern_execve(td, &args, uap->mac_p);
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ #else
+ return (ENOSYS);
+--- sys/kern/subr_syscall.c.orig
++++ sys/kern/subr_syscall.c
+@@ -133,6 +133,16 @@
+
+ AUDIT_SYSCALL_ENTER(sa->code, td);
+ error = (sa->callp->sy_call)(td, sa->args);
++
++ /*
++ * Note that some syscall implementations (e.g., sys_execve)
++ * will commit the audit record just before their final return.
++ * These were done under the assumption that nothing of interest
++ * would happen between their return and here, where we would
++ * normally commit the audit record. These assumptions will
++ * need to be revisited should any substantial logic be added
++ * above.
++ */
+ AUDIT_SYSCALL_EXIT(error, td);
+
+ /* Save the latest error return value. */
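Review bot: The nine added `AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);` lines in the exec paths carry no comment at the call site, and the only explanation is the block comment added in sys/kern/subr_syscall.c. That comment does not say why EJUSTRETURN is recorded as 0 (presumably because a successful exec returns it), nor why the generic `AUDIT_SYSCALL_EXIT(error, td);` that still runs afterwards is harmless once the record has been committed. Its closing words "added above" are also ambiguous, because the logic it warns about would sit between the syscall's return and that line. I would put a one-line comment at each exec site, such as `/* Commit the audit record here; EJUSTRETURN is audited as success. */`, and add a sentence to the subr_syscall.c comment stating what the second call is expected to do when no record is pending. The same applies to audit.12.2.patch further down, which differs only in the kern_execve() arguments and line offsets; the enclosing functions start and end outside every hunk shown.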
diff --git a/share/security/patches/EN-20:19/audit.12.1.patch.asc b/share/security/patches/EN-20:19/audit.12.1.patch.asc
new file mode 100644
index 0000000000..66ec2d4cdb
--- /dev/null
+++ b/share/security/patches/EN-20:19/audit.12.1.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJXAA/9E0lCQrBoO79sqBKqCbbEr4o+ofO4jft7KkJOKgcpUvJS94dWGNgqEsVG
+6H2gnFJM/PcDqdRZ4u3ooepdnPcvlehpBC17W7XFf5WSnXebdGnLY+xYTA3BIwyg
+iXbghEeTh8OK8wiHJPZSoSOTF8XSpzEZi6YLoh6PG5DPTsOokyu9/TqIIXzNL7MW
+viqWBNIGPKbuP34ooZaSXBAyqqXL5xgzb03seZapIqW5wCO6rbeZ7hMNSfNNgitA
+msBTD++DZ42vZt88Z0Eho4WLchp/AJa7rd7RluWLKLlqXFnL5a0lqz/kjcA3gslm
+O1qDi8TXMYYxPhnOyHo6TIFWwRnImMXLnlPw5nvk0c0MfTb+mKzRj+FjCOcGy5Sa
+c/RkdKmhX9VxB7/yEC+S9sJP/ZcTZjOltWS7zJgFOO8mVb53lZGkO8jl6jawdY0W
+ggKqLEHgCfQMXy0Z5VZNvoqLobYRDK5sUMNkptkcrzwBAS5jnwNg+jcPqWQmf7GA
+dQGlEjoDlrqqk3wpPRuEuu247q3HOT2QKWorTMtevMFgsYNL+BgKP6m5pB+VArlq
+vHi+/jOmB25EunWEXfLm2FYHqnEMoMKXBzNd2OgxeKjypQFL2kjWBcwvxFRkGIpf
+KhM3pRlNRFre37MDs9nOw5aXGhzU9WjjTbr23nx2ZeOtPoDcEwc=
+=nMXE
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:19/audit.12.2.patch b/share/security/patches/EN-20:19/audit.12.2.patch
new file mode 100644
index 0000000000..647f3d137c
--- /dev/null
+++ b/share/security/patches/EN-20:19/audit.12.2.patch
@@ -0,0 +1,139 @@
+--- sys/amd64/linux/linux_machdep.c.orig
++++ sys/amd64/linux/linux_machdep.c
+@@ -81,6 +81,8 @@
+ #include <x86/ifunc.h>
+ #include <x86/sysarch.h>
+
++#include <security/audit/audit.h>
++
+ #include <amd64/linux/linux.h>
+ #include <amd64/linux/linux_proto.h>
+ #include <compat/linux/linux_emul.h>
+@@ -107,6 +109,7 @@
+ free(path, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/amd64/linux32/linux32_machdep.c.orig
++++ sys/amd64/linux32/linux32_machdep.c
+@@ -69,6 +69,8 @@
+ #include <vm/vm.h>
+ #include <vm/vm_map.h>
+
++#include <security/audit/audit.h>
++
+ #include <compat/freebsd32/freebsd32_util.h>
+ #include <amd64/linux32/linux.h>
+ #include <amd64/linux32/linux32_proto.h>
+@@ -138,6 +140,7 @@
+ free(path, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/arm64/linux/linux_machdep.c.orig
++++ sys/arm64/linux/linux_machdep.c
+@@ -38,6 +38,8 @@
+ #include <sys/proc.h>
+ #include <sys/sdt.h>
+
++#include <security/audit/audit.h>
++
+ #include <arm64/linux/linux.h>
+ #include <arm64/linux/linux_proto.h>
+ #include <compat/linux/linux_dtrace.h>
+@@ -74,6 +76,7 @@
+ free(path, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/compat/freebsd32/freebsd32_misc.c.orig
++++ sys/compat/freebsd32/freebsd32_misc.c
+@@ -440,6 +440,7 @@
+ if (error == 0)
+ error = kern_execve(td, &eargs, NULL, oldvmspace);
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+@@ -460,6 +461,7 @@
+ error = kern_execve(td, &eargs, NULL, oldvmspace);
+ }
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/i386/linux/linux_machdep.c.orig
++++ sys/i386/linux/linux_machdep.c
+@@ -61,6 +61,8 @@
+ #include <vm/vm.h>
+ #include <vm/vm_map.h>
+
++#include <security/audit/audit.h>
++
+ #include <i386/linux/linux.h>
+ #include <i386/linux/linux_proto.h>
+ #include <compat/linux/linux_emul.h>
+@@ -111,6 +113,7 @@
+ free(newpath, M_TEMP);
+ if (error == 0)
+ error = linux_common_execve(td, &eargs);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+--- sys/kern/kern_exec.c.orig
++++ sys/kern/kern_exec.c
+@@ -224,6 +224,7 @@
+ if (error == 0)
+ error = kern_execve(td, &args, NULL, oldvmspace);
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+@@ -251,6 +252,7 @@
+ error = kern_execve(td, &args, NULL, oldvmspace);
+ }
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ }
+
+@@ -279,6 +281,7 @@
+ if (error == 0)
+ error = kern_execve(td, &args, uap->mac_p, oldvmspace);
+ post_execve(td, error, oldvmspace);
++ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
+ return (error);
+ #else
+ return (ENOSYS);
+--- sys/kern/subr_syscall.c.orig
++++ sys/kern/subr_syscall.c
+@@ -142,6 +142,16 @@
+
+ AUDIT_SYSCALL_ENTER(sa->code, td);
+ error = (sa->callp->sy_call)(td, sa->args);
++
++ /*
++ * Note that some syscall implementations (e.g., sys_execve)
++ * will commit the audit record just before their final return.
++ * These were done under the assumption that nothing of interest
++ * would happen between their return and here, where we would
++ * normally commit the audit record. These assumptions will
++ * need to be revisited should any substantial logic be added
++ * above.
++ */
+ AUDIT_SYSCALL_EXIT(error, td);
+
+ /* Save the latest error return value. */
diff --git a/share/security/patches/EN-20:19/audit.12.2.patch.asc b/share/security/patches/EN-20:19/audit.12.2.patch.asc
new file mode 100644
index 0000000000..cdec2fb21f
--- /dev/null
+++ b/share/security/patches/EN-20:19/audit.12.2.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJx2w/+KTqASybIYxgNDmouQyx4Ik5n3J+NinZJ2MVej1ePwq6kCxz9sJZ5pnIB
+yvuwVLJILVOpDjdtgj1NIYGm18HD4Y7dUtcTZis4y1j2cki0W/U6rQB3J78MW2aX
+6AJipmo0kYWKc1lAEuMzkhxO6ijVlnhdsV1SCbmZ8ND5GYnr/9nqZ22nA7GWceW6
+yy5pU5CtgJU0c7oRW5mQzomzGuy5Amml1xMA3m+GSgdajmYpkLuLrT8N2ny3xW8k
+7mRibxSfaJmdCOeNlPPZ87DIdKs4M6/PQwk/kVaimeAZxTD8uo2F2RGN4OkXPa7q
+wnLMRy7tpQPFq6E5LdtK4VEc16c8IbOyD05ouOX7BUQYumCkqxmt1KQgHjDj8H8+
+65yry8jgY57lodjwpBjZd7bSBxhvQHnQpf7LJn0+nvZ0FZcn9XRe6yji98wC6PPi
+p7bpmqWihWPdn6gNA0kBvW7eyCK9FbjPyQORNDtAy2fpW1YVVUzqrR2iOITwUEZu
+06a0+gIuV1FxXNKdCgKqCirD70q7EKtksvge/rS8GWK9HWCLbEEt9qg0xhcwNMf7
+LkyBEApdSXsfoY+6wi69uZ+GtCOGlgWOVBfnYytcRO/dNlYcdXnH9+HOUBsbrFoy
+gLokeabKK+U/Ped7BslVGQe4PzA5h5fw1NbC2vHWEntgFu34hlA=
+=y1yb
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:20/tzdata-2020d.patch b/share/security/patches/EN-20:20/tzdata-2020d.patch
new file mode 100644
index 0000000000..bfdb917ab0
--- /dev/null
+++ b/share/security/patches/EN-20:20/tzdata-2020d.patch
@@ -0,0 +1,2507 @@
+--- contrib/tzdata/Makefile.orig
++++ contrib/tzdata/Makefile
+@@ -22,13 +22,13 @@
+ # DATAFORM= main
+ # To wait even longer for new features, use:
+ # DATAFORM= rearguard
++# Rearguard users might also want "ZFLAGS = -b fat"; see below.
+ DATAFORM= main
+
+ # Change the line below for your timezone (after finding the one you want in
+ # one of the $(TDATA) source files, or adding it to a source file).
+ # Alternatively, if you discover you've got the wrong timezone, you can just
+-# zic -l rightzone
+-# to correct things.
++# 'zic -l -' to remove it, or 'zic -l rightzone' to change it.
+ # Use the command
+ # make zonenames
+ # to get a list of the values you can use for LOCALTIME.
+@@ -37,25 +37,13 @@
+
+ # The POSIXRULES macro controls interpretation of nonstandard and obsolete
+ # POSIX-like TZ settings like TZ='EET-2EEST' that lack DST transition rules.
+-# In the reference implementation, if you want something other than Eastern
+-# United States time as a template for handling these settings, you can
+-# change the line below (after finding the timezone you want in the
+-# one of the $(TDATA) source files, or adding it to a source file).
+-# A setting like TZ='EET-2EEST' is supposed to use the rules in the
+-# template file to determine "spring forward" and "fall back" days and
+-# times; the environment variable itself specifies UT offsets of standard and
+-# daylight saving time.
+-# Alternatively, if you discover you've got the wrong timezone, you can just
+-# zic -p rightzone
+-# to correct things.
+-# Use the command
+-# make zonenames
+-# to get a list of the values you can use for POSIXRULES.
++# Such a setting uses the rules in a template file to determine
++# "spring forward" and "fall back" days and times; the environment
++# variable itself specifies UT offsets of standard and daylight saving time.
+ #
+-# If POSIXRULES is empty, no template is installed; this is the intended
+-# future default for POSIXRULES.
++# If POSIXRULES is '-', no template is installed; this is the default.
+ #
+-# Nonempty POSIXRULES is obsolete and should not be relied on, because:
++# Any other value for POSIXRULES is obsolete and should not be relied on, as:
+ # * It does not work correctly in popular implementations such as GNU/Linux.
+ # * It does not work in the tzdb implementation for timestamps after 2037.
+ # * It is incompatible with 'zic -b slim' if POSIXRULES specifies transitions
+@@ -62,8 +50,17 @@
+ # at standard time or UT rather than at local time.
+ # In short, software should avoid ruleless settings like TZ='EET-2EEST'
+ # and so should not depend on the value of POSIXRULES.
++#
++# If, despite the above, you want a template for handling these settings,
++# you can change the line below (after finding the timezone you want in the
++# one of the $(TDATA) source files, or adding it to a source file).
++# Alternatively, if you discover you've got the wrong timezone, you can just
++# 'zic -p -' to remove it, or 'zic -p rightzone' to change it.
++# Use the command
++# make zonenames
++# to get a list of the values you can use for POSIXRULES.
+
+-POSIXRULES= America/New_York
++POSIXRULES= -
+
+ # Also see TZDEFRULESTRING below, which takes effect only
+ # if the time zone files cannot be accessed.
+@@ -172,9 +169,6 @@
+
+ # For backward-compatibility links for old zone names, use
+ # BACKWARD= backward
+-# If you also want the link US/Pacific-New, even though it is confusing
+-# and is planned to be removed from the database eventually, use
+-# BACKWARD= backward pacificnew
+ # To omit these links, use
+ # BACKWARD=
+
+@@ -192,10 +186,6 @@
+
+ UTF8_LOCALE= en_US.utf8
+
+-# Since "." may not be in PATH...
+-
+-YEARISTYPE= ./yearistype
+-
+ # Non-default libraries needed to link.
+ LDLIBS=
+
+@@ -253,13 +243,12 @@
+ # other than simply getting garbage data
+ # -DUSE_LTZ=0 to build zdump with the system time zone library
+ # Also set TZDOBJS=zdump.o and CHECK_TIME_T_ALTERNATIVES= below.
+-# -DZIC_BLOAT_DEFAULT=\"slim\" to default zic's -b option to "slim", and
+-# similarly for "fat". Fat TZif files work around incompatibilities
++# -DZIC_BLOAT_DEFAULT=\"fat\" to default zic's -b option to "fat", and
++# similarly for "slim". Fat TZif files work around incompatibilities
+ # and bugs in some TZif readers, notably readers that mishandle 64-bit
+ # data in TZif files. Slim TZif files are more efficient and do not
+ # work around these incompatibilities and bugs. If not given, the
+-# current default is "fat" but this is intended to change as readers
+-# requiring fat files often mishandle timestamps after 2037 anyway.
++# default is "slim".
+ # -DZIC_MAX_ABBR_LEN_WO_WARN=3
+ # (or some other number) to set the maximum time zone abbreviation length
+ # that zic will accept without a warning (the default is 6)
+@@ -333,9 +322,8 @@
+ # add
+ # -DSTD_INSPIRED
+ # to the end of the "CFLAGS=" line. This arranges for the functions
+-# "tzsetwall", "offtime", "timelocal", "timegm", "timeoff",
++# "offtime", "timelocal", "timegm", "timeoff",
+ # "posix2time", and "time2posix" to be added to the time conversion library.
+-# "tzsetwall" is deprecated and is intended to be removed soon; see NEWS.
+ # "offtime" is like "gmtime" except that it accepts a second (long) argument
+ # that gives an offset to add to the time_t when converting it.
+ # "timelocal" is equivalent to "mktime".
+@@ -395,7 +383,7 @@
+
+ # To shrink the size of installed TZif files,
+ # append "-r @N" to omit data before N-seconds-after-the-Epoch.
+-# You can also append "-b slim" if that is not already the default;
++# To grow the files and work around older application bugs, append "-b fat";
+ # see ZIC_BLOAT_DEFAULT above.
+ # See the zic man page for more about -b and -r.
+ ZFLAGS=
+@@ -424,26 +412,6 @@
+ # Name of GNU Privacy Guard <https://gnupg.org/>, used to sign distributions.
+ GPG= gpg
+
+-# The path where SGML DTDs are kept and the catalog file(s) to use when
+-# validating HTML 4.01. The default should work on both Debian and Red Hat.
+-SGML_TOPDIR= /usr
+-SGML_DTDDIR= $(SGML_TOPDIR)/share/xml/w3c-sgml-lib/schema/dtd
+-SGML_SEARCH_PATH= $(SGML_DTDDIR)/REC-html401-19991224
+-SGML_CATALOG_FILES= \
+- $(SGML_TOPDIR)/share/doc/w3-recs/html/www.w3.org/TR/1999/REC-html401-19991224/HTML4.cat:$(SGML_TOPDIR)/share/sgml/html/4.01/HTML4.cat
+-
+-# The name, arguments and environment of a program to validate HTML 4.01.
+-# See <http://openjade.sourceforge.net/doc/> for a validator, and
+-# <https://validator.w3.org/source/> for a validation library.
+-# Set VALIDATE=':' if you do not have such a program.
+-VALIDATE = nsgmls
+-VALIDATE_FLAGS = -s -B -wall -wno-unused-param
+-VALIDATE_ENV = \
+- SGML_CATALOG_FILES='$(SGML_CATALOG_FILES)' \
+- SGML_SEARCH_PATH='$(SGML_SEARCH_PATH)' \
+- SP_CHARSET_FIXED=YES \
+- SP_ENCODING=UTF-8
+-
+ # This expensive test requires USE_LTZ.
+ # To suppress it, define this macro to be empty.
+ CHECK_TIME_T_ALTERNATIVES = check_time_t_alternatives
+@@ -538,8 +506,8 @@
+ PRIMARY_YDATA= africa antarctica asia australasia \
+ europe northamerica southamerica
+ YDATA= $(PRIMARY_YDATA) etcetera
+-NDATA= systemv factory
+-TDATA_TO_CHECK= $(YDATA) $(NDATA) backward pacificnew
++NDATA= factory
++TDATA_TO_CHECK= $(YDATA) $(NDATA) backward
+ TDATA= $(YDATA) $(NDATA) $(BACKWARD)
+ ZONETABLES= zone1970.tab zone.tab
+ TABDATA= iso3166.tab $(TZDATA_TEXT) $(ZONETABLES)
+@@ -547,7 +515,7 @@
+ TZDATA_ZI_DEPS= ziguard.awk zishrink.awk version $(TDATA) $(PACKRATDATA)
+ DSTDATA_ZI_DEPS= ziguard.awk $(TDATA) $(PACKRATDATA)
+ DATA= $(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \
+- leapseconds yearistype.sh $(ZONETABLES)
++ leapseconds $(ZONETABLES)
+ AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk \
+ ziguard.awk zishrink.awk
+ MISC= $(AWK_SCRIPTS) zoneinfo2tdf.pl
+@@ -573,12 +541,10 @@
+ etcetera europe factory iso3166.tab \
+ leap-seconds.list leapseconds.awk localtime.c \
+ newctime.3 newstrftime.3 newtzset.3 northamerica \
+- pacificnew private.h \
+- southamerica strftime.c systemv theory.html \
++ private.h southamerica strftime.c theory.html \
+ time2posix.3 tz-art.html tz-how-to.html tz-link.html \
+ tzfile.5 tzfile.h tzselect.8 tzselect.ksh \
+- workman.sh yearistype.sh \
+- zdump.8 zdump.c zic.8 zic.c \
++ workman.sh zdump.8 zdump.c zic.8 zic.c \
+ ziguard.awk zishrink.awk \
+ zone.tab zone1970.tab zoneinfo2tdf.pl
+
+@@ -587,7 +553,7 @@
+
+ SHELL= /bin/sh
+
+-all: tzselect yearistype zic zdump libtz.a $(TABDATA) \
++all: tzselect zic zdump libtz.a $(TABDATA) \
+ vanguard.zi main.zi rearguard.zi
+
+ ALL: all date $(ENCHILADA)
+@@ -657,10 +623,6 @@
+ zic: $(TZCOBJS)
+ $(CC) -o $@ $(CFLAGS) $(LDFLAGS) $(TZCOBJS) $(LDLIBS)
+
+-yearistype: yearistype.sh
+- cp yearistype.sh yearistype
+- chmod +x yearistype
+-
+ leapseconds: $(LEAP_DEPS)
+ $(AWK) -v EXPIRES_LINE=$(EXPIRES_LINE) \
+ -f leapseconds.awk leap-seconds.list >$@.out
+@@ -675,10 +637,9 @@
+ PACKRATDATA='$(PACKRATDATA)' \
+ TZDEFAULT='$(TZDEFAULT)' \
+ TZDIR='$(TZDIR)' \
+- YEARISTYPE='$(YEARISTYPE)' \
+ ZIC='$(ZIC)'
+
+-INSTALL_DATA_DEPS = zic leapseconds yearistype tzdata.zi
++INSTALL_DATA_DEPS = zic leapseconds tzdata.zi
+
+ # 'make install_data' installs one set of TZif files.
+ install_data: $(INSTALL_DATA_DEPS)
+@@ -793,7 +754,7 @@
+ ! grep -Env $(SAFE_LINE)'|^UNUSUAL_OK_'$(OK_CHAR)'*$$' \
+ Makefile && \
+ ! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \
+- leapseconds yearistype.sh zone.tab && \
++ leapseconds zone.tab && \
+ ! grep -Env $(OK_LINE) $(ENCHILADA); \
+ }
+ touch $@
+@@ -845,15 +806,13 @@
+ check_web: $(CHECK_WEB_PAGES)
+ check_theory.html: theory.html
+ check_tz-art.html: tz-art.html
++check_tz-how-to.html: tz-how-to.html
+ check_tz-link.html: tz-link.html
+-check_theory.html check_tz-art.html check_tz-link.html:
++check_theory.html check_tz-art.html check_tz-how-to.html check_tz-link.html:
+ $(CURL) -sS --url https://validator.w3.org/nu/ -F out=gnu \
+ -F file=@$$(expr $@ : 'check_\(.*\)') -o $@.out && \
+ test ! -s $@.out || { cat $@.out; exit 1; }
+ mv $@.out $@
+-check_tz-how-to.html: tz-how-to.html
+- $(VALIDATE_ENV) $(VALIDATE) $(VALIDATE_FLAGS) tz-how-to.html
+- touch $@
+
+ # Check that zishrink.awk does not alter the data, and that ziguard.awk
+ # preserves main-format data.
+@@ -883,7 +842,7 @@
+ rm -fr check_*.dir
+ rm -f *.o *.out $(TIME_T_ALTERNATIVES) \
+ check_* core typecheck_* \
+- date tzselect version.h zdump zic yearistype libtz.a
++ date tzselect version.h zdump zic libtz.a
+ clean: clean_misc
+ rm -fr *.dir tzdb-*/
+ rm -f *.zi $(TZS_NEW)
+@@ -1063,10 +1022,14 @@
+ done
+ sed '1s/$$/-rearguard/' \
+ <version >tzdata$(VERSION)-rearguard.dir/version
++ : The dummy pacificnew pacifies TZUpdater 2.3.1 and earlier.
++ TZ=UTC0 touch -mt 202010122253.00 \
++ tzdata$(VERSION)-rearguard.dir/pacificnew
+ touch -cmr version tzdata$(VERSION)-rearguard.dir/version
+ LC_ALL=C && export LC_ALL && \
+ (cd tzdata$(VERSION)-rearguard.dir && \
+- tar $(TARFLAGS) -cf - $(COMMON) $(DATA) $(MISC) | \
++ tar $(TARFLAGS) -cf - \
++ $(COMMON) $(DATA) $(MISC) pacificnew | \
+ gzip $(GZIPFLAGS)) >$@.out
+ mv $@.out $@
+
+--- contrib/tzdata/NEWS.orig
++++ contrib/tzdata/NEWS
+@@ -1,5 +1,114 @@
+ News for the tz database
+
++Release 2020d - 2020-10-21 11:24:13 -0700
++
++ Briefly:
++ Palestine ends DST earlier than predicted, on 2020-10-24.
++
++ Changes to past and future timestamps
++
++ Palestine ends DST on 2020-10-24 at 01:00, instead of 2020-10-31
++ as previously predicted (thanks to Sharef Mustafa.) Its
++ 2019-10-26 fall-back was at 00:00, not 01:00 (thanks to Steffen
++ Thorsen.) Its 2015-10-23 transition was at 01:00 not 00:00, and
++ its spring 2020 transition was on March 28 at 00:00, not March 27
++ (thanks to Pierre Cashon.) This affects Asia/Gaza and
++ Asia/Hebron. Assume future spring and fall transitions will be on
++ the Saturday preceding the last Sunday of March and October,
++ respectively.
++
++
++Release 2020c - 2020-10-16 11:15:53 -0700
++
++ Briefly:
++ Fiji starts DST later than usual, on 2020-12-20.
++
++ Changes to future timestamps
++
++ Fiji will start DST on 2020-12-20, instead of 2020-11-08 as
++ previously predicted. DST will still end on 2021-01-17.
++ (Thanks to Raymond Kumar and Alan Mintz.) Assume for now that
++ the later-than-usual start date is a one-time departure from the
++ recent pattern.
++
++ Changes to build procedure
++
++ Rearguard tarballs now contain an empty file pacificnew.
++ Some older downstream software expects this file to exist.
++ (Problem reported by Mike Cullinan.)
++
++
++Release 2020b - 2020-10-06 18:35:04 -0700
++
++ Briefly:
++ Revised predictions for Morocco's changes starting in 2023.
++ Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
++ Macquarie Island has stayed in sync with Tasmania since 2011.
++ Casey, Antarctica is at +08 in winter and +11 in summer.
++ zic no longer supports -y, nor the TYPE field of Rules.
++
++ Changes to future timestamps
++
++ Morocco's spring-forward after Ramadan is now predicted to occur
++ no sooner than two days after Ramadan, instead of one day.
++ (Thanks to Milamber.) The first altered prediction is for 2023,
++ now predicted to spring-forward on April 30 instead of April 23.
++
++ Changes to past and future timestamps
++
++ Casey Station, Antarctica has been using +08 in winter and +11 in
++ summer since 2018. The most recent transition from +08 to +11 was
++ 2020-10-04 00:01. Also, Macquarie Island has been staying in
++ sync with Tasmania since 2011. (Thanks to Steffen Thorsen.)
++
++ Changes to past and future time zone abbreviations and DST flags
++
++ Canada's Yukon, represented by America/Whitehorse and
++ America/Dawson, changes its time zone rules from -08/-07 to
++ permanent -07 on 2020-11-01, not on 2020-03-08 as 2020a had it.
++ This change affects only the time zone abbreviation (MST vs PDT)
++ and daylight saving flag for the period between the two dates.
++ (Thanks to Andrew G. Smith.)
++
++ Changes to past timestamps
++
++ Correct several transitions for Hungary for 1918/1983.
++ For example, the 1983-09-25 fall-back was at 01:00, not 03:00.
++ (Thanks to Géza Nyáry.) Also, the 1890 transition to standard
++ time was on 11-01, not 10-01 (thanks to Michael Deckers).
++
++ The 1891 French transition was on March 16, not March 15. The
++ 1911-03-11 French transition was at midnight, not a minute later.
++ Monaco's transitions were on 1892-06-01 and 1911-03-29, not
++ 1891-03-15 and 1911-03-11. (Thanks to Michael Deckers.)
++
++ Changes to code
++
++ Support for zic's long-obsolete '-y YEARISTYPE' option has been
++ removed and, with it, so has support for the TYPE field in Rule
++ lines, which is now reserved for compatibility with earlier zic.
++ These features were previously deprecated in release 2015f.
++ (Thanks to Tim Parenti.)
++
++ zic now defaults to '-b slim' instead of to '-b fat'.
++
++ zic's new '-l -' and '-p -' options uninstall any existing
++ localtime and posixrules files, respectively.
++
++ The undocumented and ineffective tzsetwall function has been
++ removed.
++
++ Changes to build procedure
++
++ The Makefile now defaults POSIXRULES to '-', so the posixrules
++ feature (obsolete as of 2019b) is no longer installed by default.
++
++ Changes to documentation and commentary
++
++ The long-obsolete files pacificnew, systemv, and yearistype.sh have
++ been removed from the distribution. (Thanks to Tim Parenti.)
++
++
+ Release 2020a - 2020-04-23 16:03:47 -0700
+
+ Briefly:
+--- contrib/tzdata/README.orig
++++ contrib/tzdata/README
+@@ -20,6 +20,8 @@
+ make TOPDIR=$HOME/tzdir install
+ $HOME/tzdir/usr/bin/zdump -v America/Los_Angeles
+
++See the file tz-how-to.html for examples of how to read the data files.
++
+ This database of historical local time information has several goals:
+
+ * Provide a compendium of data about the history of civil time that
+--- contrib/tzdata/africa.orig
++++ contrib/tzdata/africa
+@@ -64,7 +64,7 @@
+ # Corrections are welcome.
+
+ # Algeria
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Algeria 1916 only - Jun 14 23:00s 1:00 S
+ Rule Algeria 1916 1919 - Oct Sun>=1 23:00s 0 -
+ Rule Algeria 1917 only - Mar 24 23:00s 1:00 S
+@@ -87,10 +87,9 @@
+ Rule Algeria 1978 only - Sep 22 3:00 0 -
+ Rule Algeria 1980 only - Apr 25 0:00 1:00 S
+ Rule Algeria 1980 only - Oct 31 2:00 0 -
+-# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's
+-# more precise 0:09:21.
++# See Europe/Paris for PMT-related transitions.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 15 0:01
++Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 16
+ 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time
+ 0:00 Algeria WE%sT 1940 Feb 25 2:00
+ 1:00 Algeria CE%sT 1946 Oct 7
+@@ -176,7 +175,7 @@
+ # Egypt was mean noon at the Great Pyramid, 2:04:30.5, but apparently this
+ # did not apply to Cairo, Alexandria, or Port Said.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Egypt 1940 only - Jul 15 0:00 1:00 S
+ Rule Egypt 1940 only - Oct 1 0:00 0 -
+ Rule Egypt 1941 only - Apr 15 0:00 1:00 S
+@@ -411,7 +410,7 @@
+ # now Ghana observed different DST regimes in different years. For
+ # lack of better info, use Shanks except treat the minus sign as a
+ # typo, and assume DST started in 1920 not 1936.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Ghana 1920 1942 - Sep 1 0:00 0:20 -
+ Rule Ghana 1920 1942 - Dec 31 0:00 0 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -501,7 +500,7 @@
+ # From Paul Eggert (2013-10-25):
+ # For now, assume they're reverting to the pre-2012 rules of permanent UT +02.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Libya 1951 only - Oct 14 2:00 1:00 S
+ Rule Libya 1952 only - Jan 1 0:00 0 -
+ Rule Libya 1953 only - Oct 9 2:00 1:00 S
+@@ -624,7 +623,7 @@
+ # "The trial ended on March 29, 2009, when the clocks moved back by one hour
+ # at 2am (or 02:00) local time..."
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Mauritius 1982 only - Oct 10 0:00 1:00 -
+ Rule Mauritius 1983 only - Mar 21 0:00 0 -
+ Rule Mauritius 2008 only - Oct lastSun 2:00 1:00 -
+@@ -875,17 +874,30 @@
+ # https://maroc-diplomatique.net/maroc-le-retour-a-lheure-gmt-est-prevu-dimanche-prochain/
+ # http://aujourdhui.ma/actualite/gmt1-retour-a-lheure-normale-dimanche-prochain-1
+ #
+-# From Paul Eggert (2020-04-14):
++# From Milamber (2020-05-31)
++# In Morocco (where I live), the end of Ramadan (Arabic month) is followed by
++# the Eid al-Fitr, and concretely it's 1 or 2 day offs for the people (with
++# traditional visiting of family, big lunches/dinners, etc.). So for this
++# year the astronomical calculations don't include the following 2 days off in
++# the calc. These 2 days fall in a Sunday/Monday, so it's not acceptable by
++# people to have a time shift during these 2 days off. Perhaps you can modify
++# the (predicted) rules for next years: if the end of Ramadan is a (probable)
++# Friday or Saturday (and so the 2 days off are on a weekend), the next time
++# shift will be the next weekend.
++#
++# From Paul Eggert (2020-05-31):
+ # For now, guess that in the future Morocco will fall back at 03:00
+ # the last Sunday before Ramadan, and spring forward at 02:00 the
+-# first Sunday after the day after Ramadan. To implement this,
+-# transition dates for 2021 through 2087 were determined by running
+-# the following program under GNU Emacs 26.3.
+-# (let ((islamic-year 1442))
++# first Sunday after two days after Ramadan. To implement this,
++# transition dates and times for 2019 through 2087 were determined by
++# running the following program under GNU Emacs 26.3. (This algorithm
++# also produces the correct transition dates for 2016 through 2018,
++# though the times differ due to Morocco's time zone change in 2018.)
++# (let ((islamic-year 1440))
+ # (require 'cal-islam)
+ # (while (< islamic-year 1511)
+ # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year)))
+-# (b (1+ (calendar-islamic-to-absolute (list 10 1 islamic-year))))
++# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year))))
+ # (sunday 0))
+ # (while (/= sunday (mod (setq a (1- a)) 7)))
+ # (while (/= sunday (mod b 7))
+@@ -900,7 +912,7 @@
+ # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b)))))
+ # (setq islamic-year (+ 1 islamic-year))))
+
+-# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Morocco 1939 only - Sep 12 0:00 1:00 -
+ Rule Morocco 1939 only - Nov 19 0:00 0 -
+ Rule Morocco 1940 only - Feb 25 0:00 1:00 -
+@@ -951,7 +963,7 @@
+ Rule Morocco 2022 only - Mar 27 3:00 -1:00 -
+ Rule Morocco 2022 only - May 8 2:00 0 -
+ Rule Morocco 2023 only - Mar 19 3:00 -1:00 -
+-Rule Morocco 2023 only - Apr 23 2:00 0 -
++Rule Morocco 2023 only - Apr 30 2:00 0 -
+ Rule Morocco 2024 only - Mar 10 3:00 -1:00 -
+ Rule Morocco 2024 only - Apr 14 2:00 0 -
+ Rule Morocco 2025 only - Feb 23 3:00 -1:00 -
+@@ -967,7 +979,7 @@
+ Rule Morocco 2029 only - Dec 30 3:00 -1:00 -
+ Rule Morocco 2030 only - Feb 10 2:00 0 -
+ Rule Morocco 2030 only - Dec 22 3:00 -1:00 -
+-Rule Morocco 2031 only - Jan 26 2:00 0 -
++Rule Morocco 2031 only - Feb 2 2:00 0 -
+ Rule Morocco 2031 only - Dec 14 3:00 -1:00 -
+ Rule Morocco 2032 only - Jan 18 2:00 0 -
+ Rule Morocco 2032 only - Nov 28 3:00 -1:00 -
+@@ -983,7 +995,7 @@
+ Rule Morocco 2037 only - Oct 4 3:00 -1:00 -
+ Rule Morocco 2037 only - Nov 15 2:00 0 -
+ Rule Morocco 2038 only - Sep 26 3:00 -1:00 -
+-Rule Morocco 2038 only - Oct 31 2:00 0 -
++Rule Morocco 2038 only - Nov 7 2:00 0 -
+ Rule Morocco 2039 only - Sep 18 3:00 -1:00 -
+ Rule Morocco 2039 only - Oct 23 2:00 0 -
+ Rule Morocco 2040 only - Sep 2 3:00 -1:00 -
+@@ -999,7 +1011,7 @@
+ Rule Morocco 2045 only - Jul 9 3:00 -1:00 -
+ Rule Morocco 2045 only - Aug 20 2:00 0 -
+ Rule Morocco 2046 only - Jul 1 3:00 -1:00 -
+-Rule Morocco 2046 only - Aug 5 2:00 0 -
++Rule Morocco 2046 only - Aug 12 2:00 0 -
+ Rule Morocco 2047 only - Jun 23 3:00 -1:00 -
+ Rule Morocco 2047 only - Jul 28 2:00 0 -
+ Rule Morocco 2048 only - Jun 7 3:00 -1:00 -
+@@ -1015,7 +1027,7 @@
+ Rule Morocco 2053 only - Apr 13 3:00 -1:00 -
+ Rule Morocco 2053 only - May 25 2:00 0 -
+ Rule Morocco 2054 only - Apr 5 3:00 -1:00 -
+-Rule Morocco 2054 only - May 10 2:00 0 -
++Rule Morocco 2054 only - May 17 2:00 0 -
+ Rule Morocco 2055 only - Mar 28 3:00 -1:00 -
+ Rule Morocco 2055 only - May 2 2:00 0 -
+ Rule Morocco 2056 only - Mar 12 3:00 -1:00 -
+@@ -1031,7 +1043,7 @@
+ Rule Morocco 2061 only - Jan 16 3:00 -1:00 -
+ Rule Morocco 2061 only - Feb 27 2:00 0 -
+ Rule Morocco 2062 only - Jan 8 3:00 -1:00 -
+-Rule Morocco 2062 only - Feb 12 2:00 0 -
++Rule Morocco 2062 only - Feb 19 2:00 0 -
+ Rule Morocco 2062 only - Dec 31 3:00 -1:00 -
+ Rule Morocco 2063 only - Feb 4 2:00 0 -
+ Rule Morocco 2063 only - Dec 16 3:00 -1:00 -
+@@ -1047,7 +1059,7 @@
+ Rule Morocco 2068 only - Oct 21 3:00 -1:00 -
+ Rule Morocco 2068 only - Dec 2 2:00 0 -
+ Rule Morocco 2069 only - Oct 13 3:00 -1:00 -
+-Rule Morocco 2069 only - Nov 17 2:00 0 -
++Rule Morocco 2069 only - Nov 24 2:00 0 -
+ Rule Morocco 2070 only - Oct 5 3:00 -1:00 -
+ Rule Morocco 2070 only - Nov 9 2:00 0 -
+ Rule Morocco 2071 only - Sep 20 3:00 -1:00 -
+@@ -1063,7 +1075,7 @@
+ Rule Morocco 2076 only - Jul 26 3:00 -1:00 -
+ Rule Morocco 2076 only - Sep 6 2:00 0 -
+ Rule Morocco 2077 only - Jul 18 3:00 -1:00 -
+-Rule Morocco 2077 only - Aug 22 2:00 0 -
++Rule Morocco 2077 only - Aug 29 2:00 0 -
+ Rule Morocco 2078 only - Jul 10 3:00 -1:00 -
+ Rule Morocco 2078 only - Aug 14 2:00 0 -
+ Rule Morocco 2079 only - Jun 25 3:00 -1:00 -
+@@ -1073,13 +1085,13 @@
+ Rule Morocco 2081 only - Jun 1 3:00 -1:00 -
+ Rule Morocco 2081 only - Jul 13 2:00 0 -
+ Rule Morocco 2082 only - May 24 3:00 -1:00 -
+-Rule Morocco 2082 only - Jun 28 2:00 0 -
++Rule Morocco 2082 only - Jul 5 2:00 0 -
+ Rule Morocco 2083 only - May 16 3:00 -1:00 -
+ Rule Morocco 2083 only - Jun 20 2:00 0 -
+ Rule Morocco 2084 only - Apr 30 3:00 -1:00 -
+ Rule Morocco 2084 only - Jun 11 2:00 0 -
+ Rule Morocco 2085 only - Apr 22 3:00 -1:00 -
+-Rule Morocco 2085 only - May 27 2:00 0 -
++Rule Morocco 2085 only - Jun 3 2:00 0 -
+ Rule Morocco 2086 only - Apr 14 3:00 -1:00 -
+ Rule Morocco 2086 only - May 19 2:00 0 -
+ Rule Morocco 2087 only - Mar 30 3:00 -1:00 -
+@@ -1180,7 +1192,7 @@
+ # Use plain "WAT" and "CAT" for the time zone abbreviations, to be compatible
+ # with Namibia's neighbors.
+
+-# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # Vanguard section, for zic and other parsers that support negative DST.
+ Rule Namibia 1994 only - Mar 21 0:00 -1:00 WAT
+ Rule Namibia 1994 2017 - Sep Sun>=1 2:00 0 CAT
+@@ -1303,7 +1315,7 @@
+ # See Africa/Nairobi.
+
+ # South Africa
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule SA 1942 1943 - Sep Sun>=15 2:00 1:00 -
+ Rule SA 1943 1944 - Mar Sun>=15 2:00 0 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -1336,7 +1348,7 @@
+ # Abdalla of NTC, archived at:
+ # https://mm.icann.org/pipermail/tz/2017-October/025333.html
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Sudan 1970 only - May 1 0:00 1:00 S
+ Rule Sudan 1970 1985 - Oct 15 0:00 0 -
+ Rule Sudan 1971 only - Apr 30 0:00 1:00 S
+@@ -1424,7 +1436,7 @@
+ # http://www.almadenahnews.com/newss/news.php?c=118&id=38036
+ # http://www.worldtimezone.com/dst_news/dst_news_tunis02.html
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Tunisia 1939 only - Apr 15 23:00s 1:00 S
+ Rule Tunisia 1939 only - Nov 18 23:00s 0 -
+ Rule Tunisia 1940 only - Feb 25 23:00s 1:00 S
+@@ -1451,9 +1463,7 @@
+ Rule Tunisia 2006 2008 - Mar lastSun 2:00s 1:00 S
+ Rule Tunisia 2006 2008 - Oct lastSun 2:00s 0 -
+
+-# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's
+-# more precise 0:09:21.
+-# Shanks & Pottenger say the 1911 switch was on Mar 9; go with Howse's Mar 11.
++# See Europe/Paris for PMT-related transitions.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Africa/Tunis 0:40:44 - LMT 1881 May 12
+ 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time
+--- contrib/tzdata/antarctica.orig
++++ contrib/tzdata/antarctica
+@@ -70,15 +70,30 @@
+ # Australian Antarctica Division informed us that Casey changed time
+ # zone to UTC+11 in "the morning of 22nd October 2016".
+
++# From Steffen Thorsen (2020-10-02, as corrected):
++# Based on information we have received from the Australian Antarctic
++# Division, Casey station and Macquarie Island station will move to Tasmanian
++# daylight savings time on Sunday 4 October. This will take effect from 0001
++# hrs on Sunday 4 October 2020 and will mean Casey and Macquarie Island will
++# be on the same time zone as Hobart. Some past dates too for this 3 hour
++# time change back and forth between UTC+8 and UTC+11 for Casey:
++# - 2018 Oct 7 4:00 - 2019 Mar 17 3:00 - 2019 Oct 4 3:00 - 2020 Mar 8 3:00
++# and now - 2020 Oct 4 0:01
++
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone Antarctica/Casey 0 - -00 1969
+- 8:00 - +08 2009 Oct 18 2:00
++Zone Antarctica/Casey 0 - -00 1969
++ 8:00 - +08 2009 Oct 18 2:00
+ 11:00 - +11 2010 Mar 5 2:00
+- 8:00 - +08 2011 Oct 28 2:00
++ 8:00 - +08 2011 Oct 28 2:00
+ 11:00 - +11 2012 Feb 21 17:00u
+- 8:00 - +08 2016 Oct 22
++ 8:00 - +08 2016 Oct 22
+ 11:00 - +11 2018 Mar 11 4:00
+- 8:00 - +08
++ 8:00 - +08 2018 Oct 7 4:00
++ 11:00 - +11 2019 Mar 17 3:00
++ 8:00 - +08 2019 Oct 4 3:00
++ 11:00 - +11 2020 Mar 8 3:00
++ 8:00 - +08 2020 Oct 4 0:01
++ 11:00 - +11
+ Zone Antarctica/Davis 0 - -00 1957 Jan 13
+ 7:00 - +07 1964 Nov
+ 0 - -00 1969 Feb
+@@ -224,7 +239,7 @@
+ # suggested by Bengt-Inge Larsson comment them out for now, and approximate
+ # with only UTC and CEST. Uncomment them when 2014b is more prevalent.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ #Rule Troll 2005 max - Mar 1 1:00u 1:00 +01
+ Rule Troll 2005 max - Mar lastSun 1:00u 2:00 +02
+ #Rule Troll 2005 max - Oct lastSun 1:00u 1:00 +01
+--- contrib/tzdata/asia.orig
++++ contrib/tzdata/asia
+@@ -70,7 +70,7 @@
+ ###############################################################################
+
+ # These rules are stolen from the 'europe' file.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EUAsia 1981 max - Mar lastSun 1:00u 1:00 S
+ Rule EUAsia 1979 1995 - Sep lastSun 1:00u 0 -
+ Rule EUAsia 1996 max - Oct lastSun 1:00u 0 -
+@@ -114,7 +114,7 @@
+ # or
+ # (brief)
+ # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Armenia 2011 only - Mar lastSun 2:00s 1:00 -
+ Rule Armenia 2011 only - Oct lastSun 2:00s 0 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -140,7 +140,7 @@
+ # http://vestnikkavkaza.net/news/Azerbaijani-Cabinet-of-Ministers-cancels-daylight-saving-time.html
+ # http://en.apa.az/xeber_azerbaijan_abolishes_daylight_savings_ti_240862.html
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Azer 1997 2015 - Mar lastSun 4:00 1:00 -
+ Rule Azer 1997 2015 - Oct lastSun 5:00 0 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -227,7 +227,7 @@
+ # http://www.thedailystar.net/newDesign/latest_news.php?nid=22817
+ # http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.html
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Dhaka 2009 only - Jun 19 23:00 1:00 -
+ Rule Dhaka 2009 only - Dec 31 24:00 0 -
+
+@@ -303,7 +303,7 @@
+ # generally esteemed a success, it was announced early in 1920 that it would
+ # not be repeated."
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Shang 1919 only - Apr 12 24:00 1:00 D
+ Rule Shang 1919 only - Sep 30 24:00 0 S
+
+@@ -399,7 +399,7 @@
+ # the Yangtze river delta area during that period of time although the scope
+ # of such use will need to be investigated to determine.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Shang 1940 only - Jun 1 0:00 1:00 D
+ Rule Shang 1940 only - Oct 12 24:00 0 S
+ Rule Shang 1941 only - Mar 15 0:00 1:00 D
+@@ -462,7 +462,7 @@
+ # to begin on 17 April.
+ # http://data.people.com.cn/pic/101p/1988/04/1988041201.jpg
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule PRC 1986 only - May 4 2:00 1:00 D
+ Rule PRC 1986 1991 - Sep Sun>=11 2:00 0 S
+ Rule PRC 1987 1991 - Apr Sun>=11 2:00 1:00 D
+@@ -846,7 +846,7 @@
+ # or dates for the 1942 and 1945 transitions.
+ # The Japanese occupation of Hong Kong began 1941-12-25.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule HK 1946 only - Apr 21 0:00 1:00 S
+ Rule HK 1946 only - Dec 1 3:30s 0 -
+ Rule HK 1947 only - Apr 13 3:30s 1:00 S
+@@ -973,7 +973,7 @@
+ # until 1945-09-21 at 01:00, overriding Shanks & Pottenger.
+ # Likewise, use Yu-Cheng Chuang's data for DST in Taiwan.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Taiwan 1946 only - May 15 0:00 1:00 D
+ Rule Taiwan 1946 only - Oct 1 0:00 0 S
+ Rule Taiwan 1947 only - Apr 15 0:00 1:00 D
+@@ -1099,7 +1099,7 @@
+ # The 1904 decree says that Macau changed from the meridian of
+ # Fortaleza do Monte, presumably the basis for the 7:34:10 for LMT.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Macau 1942 1943 - Apr 30 23:00 1:00 -
+ Rule Macau 1942 only - Nov 17 23:00 0 -
+ Rule Macau 1943 only - Sep 30 23:00 0 S
+@@ -1157,7 +1157,7 @@
+ # Cyprus to remain united in time. Cyprus Mail 2017-10-17.
+ # https://cyprus-mail.com/2017/10/17/cyprus-remain-united-time/
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Cyprus 1975 only - Apr 13 0:00 1:00 S
+ Rule Cyprus 1975 only - Oct 12 0:00 0 -
+ Rule Cyprus 1976 only - May 15 0:00 1:00 S
+@@ -1534,7 +1534,7 @@
+ # be changed back to its previous state on the 24 hours of the
+ # thirtieth day of Shahrivar.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Iran 1978 1980 - Mar 20 24:00 1:00 -
+ Rule Iran 1978 only - Oct 20 24:00 0 -
+ Rule Iran 1979 only - Sep 18 24:00 0 -
+@@ -1676,7 +1676,7 @@
+ # We have published a short article in English about the change:
+ # https://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Iraq 1982 only - May 1 0:00 1:00 -
+ Rule Iraq 1982 1984 - Oct 1 0:00 0 -
+ Rule Iraq 1983 only - Mar 31 0:00 1:00 -
+@@ -1699,6 +1699,10 @@
+
+ # Israel
+
++# For more info about the motivation for DST in Israel, see:
++# Barak Y. Israel's Daylight Saving Time controversy. Israel Affairs.
++# 2020-08-11. https://doi.org/10.1080/13537121.2020.1806564
++
+ # From Ephraim Silverberg (2001-01-11):
+ #
+ # I coined "IST/IDT" circa 1988. Until then there were three
+@@ -1720,7 +1724,7 @@
+ # family is from India).
+
+ # From Shanks & Pottenger:
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 1940 only - Jun 1 0:00 1:00 D
+ Rule Zion 1942 1944 - Nov 1 0:00 0 S
+ Rule Zion 1943 only - Apr 1 2:00 1:00 D
+@@ -1812,7 +1816,7 @@
+ # (except in 2002) is three nights before Yom Kippur [Day of Atonement]
+ # (the eve of the 7th of Tishrei in the lunar Hebrew calendar).
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 1989 only - Apr 30 0:00 1:00 D
+ Rule Zion 1989 only - Sep 3 0:00 0 S
+ Rule Zion 1990 only - Mar 25 0:00 1:00 D
+@@ -1828,7 +1832,7 @@
+ # Ministry of Interior, Jerusalem, Israel. The spokeswoman can be reached by
+ # calling the office directly at 972-2-6701447 or 972-2-6701448.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 1994 only - Apr 1 0:00 1:00 D
+ Rule Zion 1994 only - Aug 28 0:00 0 S
+ Rule Zion 1995 only - Mar 31 0:00 1:00 D
+@@ -1848,7 +1852,7 @@
+ #
+ # where YYYY is the relevant year.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 1996 only - Mar 15 0:00 1:00 D
+ Rule Zion 1996 only - Sep 16 0:00 0 S
+ Rule Zion 1997 only - Mar 21 0:00 1:00 D
+@@ -1871,7 +1875,7 @@
+ #
+ # ftp://ftp.cs.huji.ac.il/pub/tz/announcements/2000-2004.ps.gz
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 2000 only - Apr 14 2:00 1:00 D
+ Rule Zion 2000 only - Oct 6 1:00 0 S
+ Rule Zion 2001 only - Apr 9 1:00 1:00 D
+@@ -1893,7 +1897,7 @@
+ #
+ # ftp://ftp.cs.huji.ac.il/pub/tz/announcements/2005+beyond.ps
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 2005 2012 - Apr Fri<=1 2:00 1:00 D
+ Rule Zion 2005 only - Oct 9 2:00 0 S
+ Rule Zion 2006 only - Oct 1 2:00 0 S
+@@ -1913,7 +1917,7 @@
+ # As of 2013, DST starts at 02:00 on the Friday before the last Sunday
+ # in March. DST ends at 02:00 on the last Sunday of October.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Zion 2013 max - Mar Fri>=23 2:00 1:00 D
+ Rule Zion 2013 max - Oct lastSun 2:00 0 S
+
+@@ -2013,7 +2017,7 @@
+ # do in any POSIX or C platform. The "25:00" assumes zic from 2007 or later,
+ # which should be safe now.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Japan 1948 only - May Sat>=1 24:00 1:00 D
+ Rule Japan 1948 1951 - Sep Sat>=8 25:00 0 S
+ Rule Japan 1949 only - Apr Sat>=1 24:00 1:00 D
+@@ -2090,7 +2094,7 @@
+ # From Paul Eggert (2013-12-11):
+ # As Steffen suggested, consider the past 21-month experiment to be DST.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+ Rule Jordan 1974 1977 - May 1 0:00 1:00 S
+@@ -2416,7 +2420,7 @@
+ # Our government cancels daylight saving time 6th of August 2005.
+ # From 2005-08-12 our GMT-offset is +6, w/o any daylight saving.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Kyrgyz 1992 1996 - Apr Sun>=7 0:00s 1:00 -
+ Rule Kyrgyz 1992 1996 - Sep lastSun 0:00 0 -
+ Rule Kyrgyz 1997 2005 - Mar lastSun 2:30 1:00 -
+@@ -2472,7 +2476,7 @@
+ # follow and continued to use GMT+9:00 for interoperability.
+
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule ROK 1948 only - Jun 1 0:00 1:00 D
+ Rule ROK 1948 only - Sep 12 24:00 0 S
+ Rule ROK 1949 only - Apr 3 0:00 1:00 D
+@@ -2560,7 +2564,7 @@
+
+
+ # Lebanon
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Lebanon 1920 only - Mar 28 0:00 1:00 S
+ Rule Lebanon 1920 only - Oct 25 0:00 0 -
+ Rule Lebanon 1921 only - Apr 3 0:00 1:00 S
+@@ -2590,7 +2594,7 @@
+ 2:00 Lebanon EE%sT
+
+ # Malaysia
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule NBorneo 1935 1941 - Sep 14 0:00 0:20 -
+ Rule NBorneo 1935 1941 - Dec 14 0:00 0 -
+ #
+@@ -2735,7 +2739,7 @@
+ # September daylight saving time ends. Source:
+ # http://zasag.mn/news/view/8969
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Mongol 1983 1984 - Apr 1 0:00 1:00 -
+ Rule Mongol 1983 only - Oct 1 0:00 0 -
+ # Shanks & Pottenger and IATA SSIM say 1990s switches occurred at 00:00,
+@@ -2923,7 +2927,7 @@
+ # "People laud PM's announcement to end DST"
+ # http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=99374&Itemid=2
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Pakistan 2002 only - Apr Sun>=2 0:00 1:00 S
+ Rule Pakistan 2002 only - Oct Sun>=2 0:00 0 -
+ Rule Pakistan 2008 only - Jun 1 0:00 1:00 S
+@@ -3217,15 +3221,42 @@
+
+ # From Sharef Mustafa (2019-10-18):
+ # Palestine summer time will end on midnight Oct 26th 2019 ...
+-# http://www.palestinecabinet.gov.ps/website/ar/ViewDetails?ID=43948
+ #
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are March's last Friday at 00:00.
++# From Steffen Thorsen (2020-10-20):
++# Some sources such as these say, and display on clocks, that DST ended at
++# midnight last year...
++# https://www.amad.ps/ar/post/320006
+ #
+-# From Tim Parenti (2016-10-19):
+-# Predict fall transitions on October's last Saturday at 01:00 from now on.
++# From Tim Parenti (2020-10-20):
++# The report of the Palestinian Cabinet meeting of 2019-10-14 confirms
++# a decision on (translated): "The start of the winter time in Palestine, by
++# delaying the clock by sixty minutes, starting from midnight on Friday /
++# Saturday corresponding to 26/10/2019."
++# http://www.palestinecabinet.gov.ps/portal/meeting/details/43948
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# From Sharef Mustafa (2020-10-20):
++# As per the palestinian cabinet announcement yesterday , the day light saving
++# shall [end] on Oct 24th 2020 at 01:00AM by delaying the clock by 60 minutes.
++# http://www.palestinecabinet.gov.ps/portal/Meeting/Details/51584
++
++# From Tim Parenti (2020-10-20):
++# Predict future fall transitions at 01:00 on the Saturday preceding October's
++# last Sunday (i.e., Sat>=24). This is consistent with our predictions since
++# 2016, although the time of the change differed slightly in 2019.
++
++# From Pierre Cashon (2020-10-20):
++# The summer time this year started on March 28 at 00:00.
++# https://wafa.ps/ar_page.aspx?id=GveQNZa872839351758aGveQNZ
++# http://www.palestinecabinet.gov.ps/portal/meeting/details/50284
++# The winter time in 2015 started on October 23 at 01:00.
++# https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
++# http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
++#
++# From Paul Eggert (2019-04-10):
++# For now, guess spring-ahead transitions are at 00:00 on the Saturday
++# preceding March's last Sunday (i.e., Sat>=24).
++
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+ Rule EgyptAsia 1958 only - May 1 0:00 1:00 S
+@@ -3239,10 +3270,10 @@
+ Rule Palestine 2005 only - Oct 4 2:00 0 -
+ Rule Palestine 2006 2007 - Apr 1 0:00 1:00 S
+ Rule Palestine 2006 only - Sep 22 0:00 0 -
+-Rule Palestine 2007 only - Sep Thu>=8 2:00 0 -
++Rule Palestine 2007 only - Sep 13 2:00 0 -
+ Rule Palestine 2008 2009 - Mar lastFri 0:00 1:00 S
+ Rule Palestine 2008 only - Sep 1 0:00 0 -
+-Rule Palestine 2009 only - Sep Fri>=1 1:00 0 -
++Rule Palestine 2009 only - Sep 4 1:00 0 -
+ Rule Palestine 2010 only - Mar 26 0:00 1:00 S
+ Rule Palestine 2010 only - Aug 11 0:00 0 -
+ Rule Palestine 2011 only - Apr 1 0:01 1:00 S
+@@ -3251,12 +3282,16 @@
+ Rule Palestine 2011 only - Sep 30 0:00 0 -
+ Rule Palestine 2012 2014 - Mar lastThu 24:00 1:00 S
+ Rule Palestine 2012 only - Sep 21 1:00 0 -
+-Rule Palestine 2013 only - Sep Fri>=21 0:00 0 -
+-Rule Palestine 2014 2015 - Oct Fri>=21 0:00 0 -
+-Rule Palestine 2015 only - Mar lastFri 24:00 1:00 S
++Rule Palestine 2013 only - Sep 27 0:00 0 -
++Rule Palestine 2014 only - Oct 24 0:00 0 -
++Rule Palestine 2015 only - Mar 28 0:00 1:00 S
++Rule Palestine 2015 only - Oct 23 1:00 0 -
+ Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 max - Oct lastSat 1:00 0 -
+-Rule Palestine 2019 max - Mar lastFri 0:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2019 only - Mar 29 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
++Rule Palestine 2020 max - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2020 max - Oct Sat>=24 1:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+@@ -3325,7 +3360,7 @@
+ # influence of the sources. There is no current abbreviation for DST,
+ # so use "PDT", the usual American style.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Phil 1936 only - Nov 1 0:00 1:00 D
+ Rule Phil 1937 only - Feb 1 0:00 0 S
+ Rule Phil 1954 only - Apr 12 0:00 1:00 D
+@@ -3473,7 +3508,7 @@
+ 5:30 - +0530
+
+ # Syria
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Syria 1920 1923 - Apr Sun>=15 2:00 1:00 S
+ Rule Syria 1920 1923 - Oct Sun>=1 2:00 0 -
+ Rule Syria 1962 only - Apr 29 2:00 1:00 S
+--- contrib/tzdata/australasia.orig
++++ contrib/tzdata/australasia
+@@ -13,7 +13,7 @@
+
+ # Please see the notes below for the controversy about "EST" versus "AEST" etc.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Aus 1917 only - Jan 1 0:01 1:00 D
+ Rule Aus 1917 only - Mar 25 2:00 0 S
+ Rule Aus 1942 only - Jan 1 2:00 1:00 D
+@@ -32,7 +32,7 @@
+ 9:30 Aus AC%sT
+ # Western Australia
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule AW 1974 only - Oct lastSun 2:00s 1:00 D
+ Rule AW 1975 only - Mar Sun>=1 2:00s 0 S
+ Rule AW 1983 only - Oct lastSun 2:00s 1:00 D
+@@ -70,7 +70,7 @@
+ # applies to all of the Whitsundays.
+ # http://www.australia.gov.au/about-australia/australian-story/austn-islands
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule AQ 1971 only - Oct lastSun 2:00s 1:00 D
+ Rule AQ 1972 only - Feb lastSun 2:00s 0 S
+ Rule AQ 1989 1991 - Oct lastSun 2:00s 1:00 D
+@@ -86,7 +86,7 @@
+ 10:00 Holiday AE%sT
+
+ # South Australia
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule AS 1971 1985 - Oct lastSun 2:00s 1:00 D
+ Rule AS 1986 only - Oct 19 2:00s 1:00 D
+ Rule AS 1987 2007 - Oct lastSun 2:00s 1:00 D
+@@ -114,7 +114,7 @@
+ # http://www.bom.gov.au/climate/averages/tables/dst_times.shtml
+ # says King Island didn't observe DST from WWII until late 1971.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule AT 1967 only - Oct Sun>=1 2:00s 1:00 D
+ Rule AT 1968 only - Mar lastSun 2:00s 0 S
+ Rule AT 1968 1985 - Oct lastSun 2:00s 1:00 D
+@@ -147,7 +147,7 @@
+ 10:00 AT AE%sT
+
+ # Victoria
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule AV 1971 1985 - Oct lastSun 2:00s 1:00 D
+ Rule AV 1972 only - Feb lastSun 2:00s 0 S
+ Rule AV 1973 1985 - Mar Sun>=1 2:00s 0 S
+@@ -168,7 +168,7 @@
+ 10:00 AV AE%sT
+
+ # New South Wales
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule AN 1971 1985 - Oct lastSun 2:00s 1:00 D
+ Rule AN 1972 only - Feb 27 2:00s 0 S
+ Rule AN 1973 1981 - Mar Sun>=1 2:00s 0 S
+@@ -197,7 +197,7 @@
+ 9:30 AS AC%sT
+
+ # Lord Howe Island
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule LH 1981 1984 - Oct lastSun 2:00 1:00 -
+ Rule LH 1982 1985 - Mar Sun>=1 2:00 0 -
+ Rule LH 1985 only - Oct lastSun 2:00 0:30 -
+@@ -252,8 +252,9 @@
+ 10:00 Aus AE%sT 1919 Apr 1 0:00s
+ 0 - -00 1948 Mar 25
+ 10:00 Aus AE%sT 1967
+- 10:00 AT AE%sT 2010 Apr 4 3:00
+- 11:00 - +11
++ 10:00 AT AE%sT 2010
++ 10:00 1:00 AEDT 2011
++ 10:00 AT AE%sT
+
+ # Christmas
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -380,7 +381,20 @@
+ # From Michael Deckers (2019-08-06):
+ # https://www.laws.gov.fj/LawsAsMade/downloadfile/848
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# From Raymond Kumar (2020-10-08):
++# [DST in Fiji] is from December 20th 2020, till 17th January 2021.
++# From Alan Mintz (2020-10-08):
++# https://www.laws.gov.fj/LawsAsMade/GetFile/1071
++# From Tim Parenti (2020-10-08):
++# https://www.fijivillage.com/news/Daylight-saving-from-Dec-20th-this-year-to-Jan-17th-2021-8rf4x5/
++# "Minister for Employment, Parveen Bala says they had never thought of
++# stopping daylight saving. He says it was just to decide on when it should
++# start and end. Bala says it is a short period..."
++# Since the end date is still in line with our ongoing predictions, assume for
++# now that the later-than-usual start date is a one-time departure from the
++# recent second Sunday in November pattern.
++
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Fiji 1998 1999 - Nov Sun>=1 2:00 1:00 -
+ Rule Fiji 1999 2000 - Feb lastSun 3:00 0 -
+ Rule Fiji 2009 only - Nov 29 2:00 1:00 -
+@@ -391,7 +405,9 @@
+ Rule Fiji 2014 only - Jan Sun>=18 2:00 0 -
+ Rule Fiji 2014 2018 - Nov Sun>=1 2:00 1:00 -
+ Rule Fiji 2015 max - Jan Sun>=12 3:00 0 -
+-Rule Fiji 2019 max - Nov Sun>=8 2:00 1:00 -
++Rule Fiji 2019 only - Nov Sun>=8 2:00 1:00 -
++Rule Fiji 2020 only - Dec 20 2:00 1:00 -
++Rule Fiji 2021 max - Nov Sun>=8 2:00 1:00 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Pacific/Fiji 11:55:44 - LMT 1915 Oct 26 # Suva
+ 12:00 Fiji +12/+13
+@@ -409,7 +425,7 @@
+
+ # Guam
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # http://guamlegislature.com/Public_Laws_5th/PL05-025.pdf
+ # http://documents.guam.gov/wp-content/uploads/E.O.-59-7-Guam-Daylight-Savings-Time-May-6-1959.pdf
+ Rule Guam 1959 only - Jun 27 2:00 1:00 D
+@@ -520,7 +536,7 @@
+ 12:00 - +12
+
+ # New Caledonia
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule NC 1977 1978 - Dec Sun>=1 0:00 1:00 -
+ Rule NC 1978 1979 - Feb 27 0:00 0 -
+ Rule NC 1996 only - Dec 1 2:00s 1:00 -
+@@ -535,7 +551,7 @@
+
+ # New Zealand
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule NZ 1927 only - Nov 6 2:00 1:00 S
+ Rule NZ 1928 only - Mar 4 2:00 0 M
+ Rule NZ 1928 1933 - Oct Sun>=8 2:00 0:30 S
+@@ -587,7 +603,7 @@
+
+ # Cook Is
+ # From Shanks & Pottenger:
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Cook 1978 only - Nov 12 0:00 0:30 -
+ Rule Cook 1979 1991 - Mar Sun>=1 0:00 0 -
+ Rule Cook 1979 1990 - Oct lastSun 0:00 0:30 -
+@@ -732,7 +748,7 @@
+ # That web page currently lists transitions for 2012/3 and 2013/4.
+ # Assume the pattern instituted in 2012 will continue indefinitely.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule WS 2010 only - Sep lastSun 0:00 1 -
+ Rule WS 2011 only - Apr Sat>=1 4:00 0 -
+ Rule WS 2011 only - Sep lastSat 3:00 1 -
+@@ -776,7 +792,7 @@
+ 13:00 - +13
+
+ # Tonga
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Tonga 1999 only - Oct 7 2:00s 1:00 -
+ Rule Tonga 2000 only - Mar 19 2:00s 0 -
+ Rule Tonga 2000 2001 - Nov Sun>=1 2:00 1:00 -
+@@ -857,7 +873,7 @@
+
+
+ # Vanuatu
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Vanuatu 1983 only - Sep 25 0:00 1:00 -
+ Rule Vanuatu 1984 1991 - Mar Sun>=23 0:00 0 -
+ Rule Vanuatu 1984 only - Oct 23 0:00 1:00 -
+--- contrib/tzdata/backzone.orig
++++ contrib/tzdata/backzone
+@@ -150,7 +150,7 @@
+ # Whitman gives Mar 31 - Aug 31 for 1931 on.
+ # The International Hydrographic Bulletin, 1932-33, p 63 says that
+ # Sierra Leone would advance its clocks by 20 minutes on 1933-10-01.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule SL 1935 1942 - Jun 1 0:00 0:40 -0020
+ Rule SL 1935 1942 - Oct 1 0:00 0 -01
+ Rule SL 1957 1962 - Jun 1 0:00 1:00 +01
+@@ -351,7 +351,7 @@
+ # Pottenger data. The post-1970 entries have been corrected, but the
+ # pre-1970 entries are unchecked and probably have errors.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Mont 1917 only - Mar 25 2:00 1:00 D
+ Rule Mont 1917 only - Apr 24 0:00 0 S
+ Rule Mont 1919 only - Mar 31 2:30 1:00 D
+@@ -459,7 +459,34 @@
+ 3:00 - +03
+
+ # Bahrain
+-Zone Asia/Bahrain 3:22:20 - LMT 1920 # Manamah
++#
++# From Paul Eggert (2020-07-23):
++# Most of this data comes from:
++# Stewart A. Why Gulf Standard Time is far from standard: the fascinating story
++# behind the time zone's invention. The National (Abu Dhabi). 2020-07-22.
++# https://www.thenational.ae/arts-culture/why-gulf-standard-time-is-far-from-standard-the-fascinating-story-behind-the-time-zone-s-invention-1.1052589
++# Stewart writes that before 1941 some companies in Bahrain were at +0330 and
++# others at +0323. Reginald George Alban, a British political agent based in
++# Manama, worked to standardize this, and from 1941-07-20 Bahrain was at
++# +0330. However, BOAC asked that clocks be moved to gain more light at day's
++# end, so Bahrain switched to +04 on 1944-01-01.
++#
++# Re the 1941 transition, Stewart privately sent me this citation:
++# "File 16/53 Enquiries Re: Calculation of Local Time", British Library: India
++# Office Records and Private Papers, IOR/R/15/2/1564, in Qatar Digital Library
++# https://www.qdl.qa/archive/81055/vdc_100000000282.0x00012b
++# It says there was no real standard in Bahrain before 1941-07-20.
++# +0330 was used by steamers of the British India Co, by Petroleum Concessions
++# and by Cable & Wireless; +0323 was used by the Eastern Bank Ltd, BOAC, and
++# Bahrein Petroleum (Bapco), and California Arabian Standard Oil Co (Casoc)
++# adopted DST effective 1941-05-24. Alban suggested adopting DST, R.B. Coomb
++# of C&W countersuggested +0330, and although C.A. Rodstrom of Casoc (formerly
++# of Bapco) stated that Bahrain had formerly used +0330 before Bapco arrived
++# but Bapco switched to +0323 because of "constant confusion", the consensus
++# was +0330. The government adopted +0330 in 1941-07-20 and companies seem to
++# have switched by 08-01. No time of day was given for the 1940s transitions.
++Zone Asia/Bahrain 3:22:20 - LMT 1941 Jul 20 # Manamah
++ 3:30 - +0330 1944 Jan 1
+ 4:00 - +04 1972 Jun
+ 3:00 - +03
+
+--- contrib/tzdata/europe.orig
++++ contrib/tzdata/europe
+@@ -388,7 +388,7 @@
+ # http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print
+ # http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # Summer Time Act, 1916
+ Rule GB-Eire 1916 only - May 21 2:00s 1:00 BST
+ Rule GB-Eire 1916 only - Oct 1 2:00s 0 GMT
+@@ -529,7 +529,7 @@
+ # The following is like GB-Eire and EU, except with standard time in
+ # summer and negative daylight saving time in winter. It is for when
+ # negative SAVE values are used.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Eire 1971 only - Oct 31 2:00u -1:00 -
+ Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 -
+ Rule Eire 1972 1980 - Oct Sun>=23 2:00u -1:00 -
+@@ -566,7 +566,7 @@
+ # predecessor organization, the European Communities.
+ # For brevity they are called "EU rules" elsewhere in this file.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EU 1977 1980 - Apr Sun>=1 1:00u 1:00 S
+ Rule EU 1977 only - Sep lastSun 1:00u 0 -
+ Rule EU 1978 only - Oct 1 1:00u 0 -
+@@ -606,13 +606,13 @@
+ # corrected in version 2008d). The circumstantial evidence is simply the
+ # tz database itself, as seen below:
+ #
+-# Zone Europe/Paris 0:09:21 - LMT 1891 Mar 15 0:01
++# Zone Europe/Paris ...
+ # 0:00 France WE%sT 1945 Sep 16 3:00
+ #
+-# Zone Europe/Monaco 0:29:32 - LMT 1891 Mar 15
++# Zone Europe/Monaco ...
+ # 0:00 France WE%sT 1945 Sep 16 3:00
+ #
+-# Zone Europe/Belgrade 1:22:00 - LMT 1884
++# Zone Europe/Belgrade ...
+ # 1:00 1:00 CEST 1945 Sep 16 2:00s
+ #
+ # Rule France 1945 only - Sep 16 3:00 0 -
+@@ -658,7 +658,7 @@
+ #
+ # The 1917-1921 decree URLs are from Alexander Belopolsky (2016-08-23).
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Russia 1917 only - Jul 1 23:00 1:00 MST # Moscow Summer Time
+ #
+ # Decree No. 142 (1917-12-22) http://istmat.info/node/28137
+@@ -772,7 +772,7 @@
+
+
+ # Albania
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Albania 1940 only - Jun 16 0:00 1:00 S
+ Rule Albania 1942 only - Nov 2 3:00 0 -
+ Rule Albania 1943 only - Mar 29 2:00 1:00 S
+@@ -826,7 +826,7 @@
+ # In 1946 the end of DST was on Monday, 7 October 1946, at 3:00 am.
+ # Shanks had this right. Source: Die Weltpresse, 5. Oktober 1946, page 5.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Austria 1920 only - Apr 5 2:00s 1:00 S
+ Rule Austria 1920 only - Sep 13 2:00s 0 -
+ Rule Austria 1946 only - Apr 14 2:00s 1:00 S
+@@ -913,7 +913,7 @@
+ # The 1918 rules are listed for completeness; they apply to unoccupied Belgium.
+ # Assume Brussels switched to WET in 1918 when the armistice took effect.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Belgium 1918 only - Mar 9 0:00s 1:00 S
+ Rule Belgium 1918 1919 - Oct Sat>=1 23:00s 0 -
+ Rule Belgium 1919 only - Mar 1 23:00s 1:00 S
+@@ -973,7 +973,7 @@
+ # EET -> EETDST is in 03:00 Local time in last Sunday of March ...
+ # EETDST -> EET is in 04:00 Local time in last Sunday of October
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Bulg 1979 only - Mar 31 23:00 1:00 S
+ Rule Bulg 1979 only - Oct 1 1:00 0 -
+ Rule Bulg 1980 1982 - Apr Sat>=1 23:00 1:00 S
+@@ -1005,7 +1005,7 @@
+ # We know of no English-language name for historical Czech winter time;
+ # abbreviate it as "GMT", as it happened to be GMT.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Czech 1945 only - Apr Mon>=1 2:00s 1:00 S
+ Rule Czech 1945 only - Oct 1 2:00s 0 -
+ Rule Czech 1946 only - May 6 2:00s 1:00 S
+@@ -1029,17 +1029,16 @@
+ # Denmark, Faroe Islands, and Greenland
+
+ # From Jesper Nørgaard Welen (2005-04-26):
+-# http://www.hum.aau.dk/~poe/tid/tine/DanskTid.htm says that the law
+-# [introducing standard time] was in effect from 1894-01-01....
+-# The page http://www.retsinfo.dk/_GETDOCI_/ACCN/A18930008330-REGL
++# the law [introducing standard time] was in effect from 1894-01-01....
++# The page https://www.retsinformation.dk/eli/lta/1893/83
+ # confirms this, and states that the law was put forth 1893-03-29.
+ #
+ # The EU [actually, EEC and Euratom] treaty with effect from 1973:
+-# http://www.retsinfo.dk/_GETDOCI_/ACCN/A19722110030-REGL
++# https://www.retsinformation.dk/eli/lta/1972/21100
+ #
+ # This provoked a new law from 1974 to make possible summer time changes
+ # in subsequent decrees with the law
+-# http://www.retsinfo.dk/_GETDOCI_/ACCN/A19740022330-REGL
++# https://www.retsinformation.dk/eli/lta/1974/223
+ #
+ # It seems however that no decree was set forward until 1980. I have
+ # not found any decree, but in another related law, the effecting DST
+@@ -1051,7 +1050,7 @@
+ # The law is about the management of the extra hour, concerning
+ # working hours reported and effect on obligatory-rest rules (which
+ # was suspended on that night):
+-# http://www.retsinfo.dk/_GETDOCI_/ACCN/C19801120554-REGL
++# https://web.archive.org/web/20140104053304/https://www.retsinformation.dk/Forms/R0710.aspx?id=60267
+
+ # From Jesper Nørgaard Welen (2005-06-11):
+ # The Herning Folkeblad (1980-09-26) reported that the night between
+@@ -1061,7 +1060,7 @@
+ # Hence the "02:00" of the 1980 law refers to standard time, not
+ # wall-clock time, and so the EU rules were in effect in 1980.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Denmark 1916 only - May 14 23:00 1:00 S
+ Rule Denmark 1916 only - Sep 30 23:00 0 -
+ Rule Denmark 1940 only - May 15 0:00 1:00 S
+@@ -1163,7 +1162,7 @@
+ # http://naalakkersuisut.gl/~/media/Nanoq/Files/Attached%20Files/Engelske-tekster/Legislation/Executive%20Order%20National%20Park.rtf
+ # It is their only National Park.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D
+ Rule Thule 1991 1992 - Sep lastSun 2:00 0 S
+ Rule Thule 1993 2006 - Apr Sun>=1 2:00 1:00 D
+@@ -1294,7 +1293,7 @@
+ # From Paul Eggert (2014-06-14):
+ # Go with Oja over Shanks.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Finland 1942 only - Apr 2 24:00 1:00 S
+ Rule Finland 1942 only - Oct 4 1:00 0 -
+ Rule Finland 1981 1982 - Mar lastSun 2:00 1:00 S
+@@ -1326,10 +1325,58 @@
+ # Françoise Gauquelin, Problèmes de l'heure résolus en astrologie,
+ # Guy Trédaniel, Paris 1987
+
++# From Michael Deckers (2020-06-11):
++# the law of 1891 <https://gallica.bnf.fr/ark:/12148/bpt6k64415343.texteImage>
++# was published on 1891-03-15, so it could only take force on 1891-03-16.
+
++# From Michael Deckers (2020-06-10):
++# Le Gaulois, 1911-03-11, page 1/6, online at
++# https://www.retronews.fr/societe/echo-de-presse/2018/01/29/1911-change-lheure-de-paris
++# ... [ Instantly, all pressure driven clock dials halted... Nine minutes and
++# twenty-one seconds later the hands resumed their circular motion. ]
++# There are also precise reports about how the change was prepared in train
++# stations: all the publicly visible clocks stopped at midnight railway time
++# (or were covered), only the chief of service had a watch, labeled
++# "Heure ancienne", that he kept running until it reached 00:04:21, when
++# he announced "Heure nouvelle". See the "Le Petit Journal 1911-03-11".
++# https://gallica.bnf.fr/ark:/12148/bpt6k6192911/f1.item.zoom
+ #
++# From Michael Deckers (2020-06-12):
++# That "all French clocks stopped" for 00:09:21 is a misreading of French
++# newspapers; this sort of adjustment applies only to certain
++# remote-controlled clocks ("pendules pneumatiques", of which there existed
++# perhaps a dozen in Paris, and which simply could not be set back remotely),
++# but not to all the clocks in all French towns and villages. For instance,
++# the following story in the "Courrier de Saône-et-Loire" 1911-03-11, page 2:
++# only works if legal time was stepped back (was not monotone): ...
++# [One can observe that children who had been born at midnight less 5
++# minutes and who had died at midnight of the old time, would turn out to
++# be dead before being born, time having been set back and having
++# suppressed 9 minutes and 25 seconds of their existence, that is, more
++# than they could spend.]
++#
++# From Paul Eggert (2020-06-12):
++# French time in railway stations was legally five minutes behind civil time,
++# which explains why railway "old time" ran to 00:04:21 instead of to 00:09:21.
++# The law's text (which Michael Deckers noted is at
++# <https://gallica.bnf.fr/ark:/12148/bpt6k2022333z/f2>) says only that
++# at 1911-03-11 00:00 legal time was that of Paris mean time delayed by
++# nine minutes and twenty-one seconds, and does not say how the
++# transition from Paris mean time was to occur.
++#
++# tzdb has no way to represent stopped clocks. As the railway practice
++# was to keep a watch running on "old time" to decide when to restart
++# the other clocks, this could be modeled as a transition for "old time" at
++# 00:09:21. However, since the law was ambiguous and clocks outside railway
++# stations were probably done haphazardly with the popular impression being
++# that the transition was done at 00:00 "old time", simply leave the time
++# blank; this causes zic to default to 00:00 "old time" which is good enough.
++# Do something similar for the 1891-03-16 transition. There are similar
++# problems in Algiers, Monaco and Tunis.
++
++#
+ # Shank & Pottenger seem to use '24:00' ambiguously; resolve it with Whitman.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule France 1916 only - Jun 14 23:00s 1:00 S
+ Rule France 1916 1919 - Oct Sun>=1 23:00s 0 -
+ Rule France 1917 only - Mar 24 23:00s 1:00 S
+@@ -1389,13 +1436,11 @@
+ # go with Excoffier's 28/3/76 0hUT and 25/9/76 23hUT.
+ Rule France 1976 only - Mar 28 1:00 1:00 S
+ Rule France 1976 only - Sep 26 1:00 0 -
+-# Shanks & Pottenger give 0:09:20 for Paris Mean Time, and Whitman 0:09:05,
+-# but Howse quotes the actual French legislation as saying 0:09:21.
+-# Go with Howse. Howse writes that the time in France was officially based
++# Howse writes that the time in France was officially based
+ # on PMT-0:09:21 until 1978-08-09, when the time base finally switched to UTC.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone Europe/Paris 0:09:21 - LMT 1891 Mar 15 0:01
+- 0:09:21 - PMT 1911 Mar 11 0:01 # Paris MT
++Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16
++ 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time
+ # Shanks & Pottenger give 1940 Jun 14 0:00; go with Excoffier and Le Corre.
+ 0:00 France WE%sT 1940 Jun 14 23:00
+ # Le Corre says Paris stuck with occupied-France time after the liberation;
+@@ -1424,7 +1469,7 @@
+ # this was equivalent to UT +03, not +04.
+
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Germany 1946 only - Apr 14 2:00s 1:00 S
+ Rule Germany 1946 only - Oct 7 2:00s 0 -
+ Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 -
+@@ -1476,7 +1521,7 @@
+ 1:00 EU CE%sT
+
+ # Greece
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # Whitman gives 1932 Jul 5 - Nov 1; go with Shanks & Pottenger.
+ Rule Greece 1932 only - Jul 7 0:00 1:00 S
+ Rule Greece 1932 only - Sep 1 0:00 0 -
+@@ -1511,38 +1556,73 @@
+ 2:00 EU EE%sT
+
+ # Hungary
+-# From Paul Eggert (2014-07-15):
+-# Dates for 1916-1945 are taken from:
+-# Oross A. Jelen a múlt jövője: a nyári időszámítás Magyarországon 1916-1945.
+-# National Archives of Hungary (2012-10-29).
+-# http://mnl.gov.hu/a_het_dokumentuma/a_nyari_idoszamitas_magyarorszagon_19161945.html
+-# This source does not always give times, which are taken from Shanks
+-# & Pottenger (which disagree about the dates).
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
+-Rule Hungary 1918 only - Apr 1 3:00 1:00 S
+-Rule Hungary 1918 only - Sep 16 3:00 0 -
+-Rule Hungary 1919 only - Apr 15 3:00 1:00 S
+-Rule Hungary 1919 only - Nov 24 3:00 0 -
++
++# From Michael Deckers (2020-06-09):
++# an Austrian encyclopedia of railroads of 1913, online at
++# http://www.zeno.org/Roell-1912/A/Eisenbahnzeit
++# says that the switch [to CET] happened on 1890-11-01.
++
++# From Géza Nyáry (2020-06-07):
++# Data for 1918-1983 are based on the archive database of Library Hungaricana.
++# The dates are collected from original, scanned governmental orders,
++# bulletins, instructions and public press.
++# [See URLs below.]
++
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++# https://library.hungaricana.hu/hu/view/OGYK_RT_1918/?pg=238
++# https://library.hungaricana.hu/hu/view/OGYK_RT_1919/?pg=808
++# https://library.hungaricana.hu/hu/view/OGYK_RT_1920/?pg=201
++Rule Hungary 1918 1919 - Apr 15 2:00 1:00 S
++Rule Hungary 1918 1920 - Sep Mon>=15 3:00 0 -
++Rule Hungary 1920 only - Apr 5 2:00 1:00 S
++# https://library.hungaricana.hu/hu/view/OGYK_RT_1945/?pg=882
+ Rule Hungary 1945 only - May 1 23:00 1:00 S
+-Rule Hungary 1945 only - Nov 1 0:00 0 -
++Rule Hungary 1945 only - Nov 1 1:00 0 -
++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1946_03/?pg=49
+ Rule Hungary 1946 only - Mar 31 2:00s 1:00 S
+-Rule Hungary 1946 1949 - Oct Sun>=1 2:00s 0 -
++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1946_09/?pg=54
++Rule Hungary 1946 only - Oct 7 2:00 0 -
++# https://library.hungaricana.hu/hu/view/KulfBelfHirek_1947_04_1__001-123/?pg=90
++# https://library.hungaricana.hu/hu/view/DunantuliNaplo_1947_09/?pg=128
++# https://library.hungaricana.hu/hu/view/KulfBelfHirek_1948_03_3__001-123/?pg=304
++# https://library.hungaricana.hu/hu/view/Zala_1948_09/?pg=64
++# https://library.hungaricana.hu/hu/view/SatoraljaujhelyiLeveltar_ZempleniNepujsag_1948/?pg=53
++# https://library.hungaricana.hu/hu/view/SatoraljaujhelyiLeveltar_ZempleniNepujsag_1948/?pg=160
++# https://library.hungaricana.hu/hu/view/UjSzo_1949_01-04/?pg=102
++# https://library.hungaricana.hu/hu/view/KeletMagyarorszag_1949_03/?pg=96
++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1949_09/?pg=94
+ Rule Hungary 1947 1949 - Apr Sun>=4 2:00s 1:00 S
+-Rule Hungary 1950 only - Apr 17 2:00s 1:00 S
+-Rule Hungary 1950 only - Oct 23 2:00s 0 -
+-Rule Hungary 1954 1955 - May 23 0:00 1:00 S
+-Rule Hungary 1954 1955 - Oct 3 0:00 0 -
+-Rule Hungary 1956 only - Jun Sun>=1 0:00 1:00 S
+-Rule Hungary 1956 only - Sep lastSun 0:00 0 -
+-Rule Hungary 1957 only - Jun Sun>=1 1:00 1:00 S
+-Rule Hungary 1957 only - Sep lastSun 3:00 0 -
+-Rule Hungary 1980 only - Apr 6 1:00 1:00 S
++Rule Hungary 1947 1949 - Oct Sun>=1 2:00s 0 -
++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1954/?pg=513
++Rule Hungary 1954 only - May 23 0:00 1:00 S
++Rule Hungary 1954 only - Oct 3 0:00 0 -
++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1955/?pg=398
++Rule Hungary 1955 only - May 22 2:00 1:00 S
++Rule Hungary 1955 only - Oct 2 3:00 0 -
++# https://library.hungaricana.hu/hu/view/HevesMegyeiNepujsag_1956_06/?pg=0
++# https://library.hungaricana.hu/hu/view/EszakMagyarorszag_1956_06/?pg=6
++# https://library.hungaricana.hu/hu/view/SzolnokMegyeiNeplap_1957_04/?pg=120
++# https://library.hungaricana.hu/hu/view/PestMegyeiHirlap_1957_09/?pg=143
++Rule Hungary 1956 1957 - Jun Sun>=1 2:00 1:00 S
++Rule Hungary 1956 1957 - Sep lastSun 3:00 0 -
++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1980/?pg=189
++Rule Hungary 1980 only - Apr 6 0:00 1:00 S
++Rule Hungary 1980 only - Sep 28 1:00 0 -
++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1980/?pg=1227
++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1981_01/?pg=79
++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1982/?pg=115
++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1983/?pg=85
++Rule Hungary 1981 1983 - Mar lastSun 0:00 1:00 S
++Rule Hungary 1981 1983 - Sep lastSun 1:00 0 -
++#
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone Europe/Budapest 1:16:20 - LMT 1890 Oct
++Zone Europe/Budapest 1:16:20 - LMT 1890 Nov 1
+ 1:00 C-Eur CE%sT 1918
+- 1:00 Hungary CE%sT 1941 Apr 8
++# https://library.hungaricana.hu/hu/view/OGYK_RT_1941/?pg=1204
++# https://library.hungaricana.hu/hu/view/OGYK_RT_1942/?pg=3955
++ 1:00 Hungary CE%sT 1941 Apr 7 23:00
+ 1:00 C-Eur CE%sT 1945
+- 1:00 Hungary CE%sT 1980 Sep 28 2:00s
++ 1:00 Hungary CE%sT 1984
+ 1:00 EU CE%sT
+
+ # Iceland
+@@ -1578,7 +1658,7 @@
+ # The information below is taken from the 1988 Almanak; see
+ # http://www.almanak.hi.is/klukkan.html
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Iceland 1917 1919 - Feb 19 23:00 1:00 -
+ Rule Iceland 1917 only - Oct 21 1:00 0 -
+ Rule Iceland 1918 1919 - Nov 16 1:00 0 -
+@@ -1670,7 +1750,7 @@
+ # to 1944-06-04; although Rome was an open city during this period, it
+ # was effectively controlled by Germany.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Italy 1916 only - Jun 3 24:00 1:00 S
+ Rule Italy 1916 1917 - Sep 30 24:00 0 -
+ Rule Italy 1917 only - Mar 31 24:00 1:00 S
+@@ -1780,7 +1860,7 @@
+ # urged Lithuania and Estonia to adopt a similar time policy, but it
+ # appears that they will not do so....
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Latvia 1989 1996 - Mar lastSun 2:00s 1:00 S
+ Rule Latvia 1989 1996 - Sep lastSun 2:00s 0 -
+
+@@ -1873,7 +1953,7 @@
+ # Luxembourg
+ # Whitman disagrees with most of these dates in minor ways;
+ # go with Shanks & Pottenger.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Lux 1916 only - May 14 23:00 1:00 S
+ Rule Lux 1916 only - Oct 1 1:00 0 -
+ Rule Lux 1917 only - Apr 28 23:00 1:00 S
+@@ -1914,7 +1994,7 @@
+ # From Paul Eggert (2016-10-21):
+ # Assume 1900-1972 was like Rome, overriding Shanks.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Malta 1973 only - Mar 31 0:00s 1:00 S
+ Rule Malta 1973 only - Sep 29 0:00s 0 -
+ Rule Malta 1974 only - Apr 21 0:00s 1:00 S
+@@ -1987,7 +2067,7 @@
+ # says the 2014-03-30 spring-forward transition was at 02:00 local time.
+ # Guess that since 1997 Moldova has switched one hour before the EU.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Moldova 1997 max - Mar lastSun 2:00 1:00 S
+ Rule Moldova 1997 max - Oct lastSun 3:00 0 -
+
+@@ -2005,11 +2085,24 @@
+ 2:00 Moldova EE%sT
+
+ # Monaco
+-# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's
+-# more precise 0:09:21.
++#
++# From Michael Deckers (2020-06-12):
++# In the "Journal de Monaco" of 1892-05-24, online at
++# https://journaldemonaco.gouv.mc/var/jdm/storage/original/application/b1c67c12c5af11b41ea888fb048e4fe8.pdf
++# we read: ...
++# [In virtue of a Sovereign Ordinance of the May 13 of the current [year],
++# legal time in the Principality will be set to, from the date of June 1,
++# 1892 onwards, to the meridian of Paris, as in France.]
++# In the "Journal de Monaco" of 1911-03-28, online at
++# https://journaldemonaco.gouv.mc/var/jdm/storage/original/application/de74ffb7db53d4f599059fe8f0ed482a.pdf
++# we read an ordinance of 1911-03-16: ...
++# [Legal time in the Principality will be set, from the date of promulgation
++# of the present ordinance, to legal time in France.... Consequently, legal
++# time will be retarded by 9 minutes and 21 seconds.]
++#
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone Europe/Monaco 0:29:32 - LMT 1891 Mar 15
+- 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time
++Zone Europe/Monaco 0:29:32 - LMT 1892 Jun 1
++ 0:09:21 - PMT 1911 Mar 29 # Paris Mean Time
+ 0:00 France WE%sT 1945 Sep 16 3:00
+ 1:00 France CE%sT 1977
+ 1:00 EU CE%sT
+@@ -2057,7 +2150,7 @@
+ # The data entries before 1945 are taken from
+ # https://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Neth 1916 only - May 1 0:00 1:00 NST # Netherlands Summer Time
+ Rule Neth 1916 only - Oct 1 0:00 0 AMT # Amsterdam Mean Time
+ Rule Neth 1917 only - Apr 16 2:00s 1:00 NST
+@@ -2094,7 +2187,7 @@
+ # Norway
+ # http://met.no/met/met_lex/q_u/sommertid.html (2004-01) agrees with Shanks &
+ # Pottenger.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Norway 1916 only - May 22 1:00 1:00 S
+ Rule Norway 1916 only - Sep 30 0:00 0 -
+ Rule Norway 1945 only - Apr 2 2:00s 1:00 S
+@@ -2163,7 +2256,7 @@
+ # The 1919 dates and times can be found in Tygodnik Urzędowy nr 1 (1919-03-20),
+ # <http://www.wbc.poznan.pl/publication/32156> pp 1-2.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Poland 1918 1919 - Sep 16 2:00s 0 -
+ Rule Poland 1919 only - Apr 15 2:00s 1:00 S
+ Rule Poland 1944 only - Apr 3 2:00s 1:00 S
+@@ -2234,7 +2327,7 @@
+ # Guess that the Azores changed to EU rules in 1992 (since that's when Portugal
+ # harmonized with EU rules), and that they stayed +0:00 that winter.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # DSH writes that despite Decree 1,469 (1915), the change to the clocks was not
+ # done every year, depending on what Spain did, because of railroad schedules.
+ # Go with Shanks & Pottenger.
+@@ -2347,7 +2440,7 @@
+ # assume that Romania and Moldova switched to EU rules in 1997,
+ # the same year as Bulgaria.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Romania 1932 only - May 21 0:00s 1:00 S
+ Rule Romania 1932 1939 - Oct Sun>=1 0:00s 0 -
+ Rule Romania 1933 1939 - Apr Sun>=2 0:00s 1:00 S
+@@ -3445,7 +3538,7 @@
+ # fallback transition from the next day's 00:59... to 00:00.
+
+ # From Michael Deckers (2016-12-15):
+-# The Royal Decree of 1900-06-26 quoted by Planesas, online at
++# The Royal Decree of 1900-07-26 quoted by Planesas, online at
+ # https://www.boe.es/datos/pdfs/BOE//1900/209/A00383-00384.pdf
+ # says in its article 5 (my translation):
+ # These dispositions will enter into force beginning with the
+@@ -3452,7 +3545,7 @@
+ # instant at which, according to the time indicated in article 1,
+ # the 1st day of January of 1901 will begin.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Spain 1918 only - Apr 15 23:00 1:00 S
+ Rule Spain 1918 1919 - Oct 6 24:00s 0 -
+ Rule Spain 1919 only - Apr 6 23:00 1:00 S
+@@ -3589,7 +3682,7 @@
+ # By the end of the 18th century clocks and watches became commonplace
+ # and their performance improved enormously. Communities began to keep
+ # mean time in preference to apparent time - Geneva from 1780 ....
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # From Whitman (who writes "Midnight?"):
+ # Rule Swiss 1940 only - Nov 2 0:00 1:00 S
+ # Rule Swiss 1940 only - Dec 31 0:00 0 -
+@@ -3676,7 +3769,7 @@
+ # 1853-07-16, though it probably occurred at some other date in Zurich, and
+ # legal civil time probably changed at still some other transition date.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Swiss 1941 1942 - May Mon>=1 1:00 1:00 S
+ Rule Swiss 1941 1942 - Oct Mon>=1 2:00 0 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -3825,7 +3918,7 @@
+ # Although Google Translate misfires on that source, it looks like
+ # Turkey reversed last month's decision, and so will stay at +03.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Turkey 1916 only - May 1 0:00 1:00 S
+ Rule Turkey 1916 only - Oct 1 0:00 0 -
+ Rule Turkey 1920 only - Mar 28 0:00 1:00 S
+@@ -3983,7 +4076,7 @@
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 E-Eur EE%sT 1995
+ 2:00 EU EE%sT
+-# Ruthenia used CET 1990/1991.
++# Transcarpathia used CET 1990/1991.
+ # "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+ # "Uzhgorod" is more common in English.
+ Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+--- contrib/tzdata/leap-seconds.list.orig
++++ contrib/tzdata/leap-seconds.list
+@@ -204,10 +204,10 @@
+ # current -- the update time stamp, the data and the name of the file
+ # will not change.
+ #
+-# Updated through IERS Bulletin C59
+-# File expires on: 28 December 2020
++# Updated through IERS Bulletin C60
++# File expires on: 28 June 2021
+ #
+-#@ 3818102400
++#@ 3833827200
+ #
+ 2272060800 10 # 1 Jan 1972
+ 2287785600 11 # 1 Jul 1972
+@@ -252,4 +252,4 @@
+ # the hash line is also ignored in the
+ # computation.
+ #
+-#h a1c168ae 27c79a7d 9dddcfc3 bcfe616b 2e2c44ea
++#h 064356a8 39268b92 76e4d5ef 3e22fae1 0cca529c
+--- contrib/tzdata/leapseconds.orig
++++ contrib/tzdata/leapseconds
+@@ -68,11 +68,11 @@
+ # Any additional leap seconds will come after this.
+ # This Expires line is commented out for now,
+ # so that pre-2020a zic implementations do not reject this file.
+-#Expires 2020 Dec 28 00:00:00
++#Expires 2021 Jun 28 00:00:00
+
+ # POSIX timestamps for the data in this file:
+ #updated 1467936000 (2016-07-08 00:00:00 UTC)
+-#expires 1609113600 (2020-12-28 00:00:00 UTC)
++#expires 1624838400 (2021-06-28 00:00:00 UTC)
+
+-# Updated through IERS Bulletin C59
+-# File expires on: 28 December 2020
++# Updated through IERS Bulletin C60
++# File expires on: 28 June 2021
+--- contrib/tzdata/leapseconds.awk.orig
++++ contrib/tzdata/leapseconds.awk
+@@ -105,8 +105,10 @@
+ print ""
+ print "# UTC timestamp when this leap second list expires."
+ print "# Any additional leap seconds will come after this."
+- print "# This Expires line is commented out for now,"
+- print "# so that pre-2020a zic implementations do not reject this file."
++ if (! EXPIRES_LINE) {
++ print "# This Expires line is commented out for now,"
++ print "# so that pre-2020a zic implementations do not reject this file."
++ }
+ printf "%sExpires %.4d\t%s\t%.2d\t%.2d:%.2d:%.2d\n", \
+ EXPIRES_LINE ? "" : "#", \
+ ss_year, monthabbr[ss_month], ss_mday, ss_hour, ss_min, ss_sec
+--- contrib/tzdata/northamerica.orig
++++ contrib/tzdata/northamerica
+@@ -170,7 +170,7 @@
+ # U.S. government action. So even though the "US" rules have changed
+ # in the latest release, other countries won't be affected.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule US 1918 1919 - Mar lastSun 2:00 1:00 D
+ Rule US 1918 1919 - Oct lastSun 2:00 0 S
+ Rule US 1942 only - Feb 9 2:00 1:00 W # War
+@@ -347,7 +347,7 @@
+ # Eastern time (i.e., -4:56:01.6) just before the 1883 switch. Round to the
+ # nearest second.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule NYC 1920 only - Mar lastSun 2:00 1:00 D
+ Rule NYC 1920 only - Oct lastSun 2:00 0 S
+ Rule NYC 1921 1966 - Apr lastSun 2:00 1:00 D
+@@ -431,7 +431,7 @@
+ # The Tennessean 2007-05-11, republished 2015-04-06.
+ # https://www.tennessean.com/story/insider/extras/2015/04/06/archives-seigenthaler-for-100-years-the-tennessean-had-it-covered/25348545/
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Chicago 1920 only - Jun 13 2:00 1:00 D
+ Rule Chicago 1920 1921 - Oct lastSun 2:00 0 S
+ Rule Chicago 1921 only - Mar lastSun 2:00 1:00 D
+@@ -500,7 +500,7 @@
+ # El Paso Times. 2018-10-24 06:40 -06.
+ # https://www.elpasotimes.com/story/news/local/el-paso/2018/10/24/el-pasoans-were-time-rebels-fought-stay-mountain-zone/1744509002/
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Denver 1920 1921 - Mar lastSun 2:00 1:00 D
+ Rule Denver 1920 only - Oct lastSun 2:00 0 S
+ Rule Denver 1921 only - May 22 2:00 0 S
+@@ -553,7 +553,7 @@
+ # https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
+ # https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule CA 1948 only - Mar 14 2:01 1:00 D
+ Rule CA 1949 only - Jan 1 2:00 0 S
+ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+@@ -911,7 +911,7 @@
+ # going to switch from Central to Eastern Time on March 11, 2007....
+ # http://www.indystar.com/apps/pbcs.dll/article?AID=/20070207/LOCAL190108/702070524/0/LOCAL
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+@@ -930,7 +930,7 @@
+ #
+ # Eastern Crawford County, Indiana, left its clocks alone in 1974,
+ # as well as from 1976 through 2005.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Marengo 1951 only - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+@@ -949,7 +949,7 @@
+ # Daviess, Dubois, Knox, and Martin Counties, Indiana,
+ # switched from eastern to central time in April 2006, then switched back
+ # in November 2007.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Vincennes 1946 only - Apr lastSun 2:00 1:00 D
+ Rule Vincennes 1946 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1953 1954 - Apr lastSun 2:00 1:00 D
+@@ -974,7 +974,7 @@
+ # The Indianapolis News, Friday 27 October 1967 states that Perry County
+ # returned to CST. It went again to EST on 27 April 1969, as documented by the
+ # Indianapolis star of Saturday 26 April.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Perry 1955 only - May 1 0:00 1:00 D
+ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+@@ -991,7 +991,7 @@
+ #
+ # Pike County, Indiana moved from central to eastern time in 1977,
+ # then switched back in 2006, then switched back again in 2007.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Pike 1955 only - May 1 0:00 1:00 D
+ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+@@ -1012,7 +1012,7 @@
+ # An article on page A3 of the Sunday, 1991-10-27 Washington Post
+ # notes that Starke County switched from Central time to Eastern time as of
+ # 1991-10-27.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Starke 1947 1961 - Apr lastSun 2:00 1:00 D
+ Rule Starke 1947 1954 - Sep lastSun 2:00 0 S
+ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+@@ -1029,7 +1029,7 @@
+ #
+ # Pulaski County, Indiana, switched from eastern to central time in
+ # April 2006 and then switched back in March 2007.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Pulaski 1946 1960 - Apr lastSun 2:00 1:00 D
+ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+@@ -1071,7 +1071,7 @@
+ #
+ # Part of Kentucky left its clocks alone in 1974.
+ # This also includes Clark, Floyd, and Harrison counties in Indiana.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Louisville 1921 only - May 1 2:00 1:00 D
+ Rule Louisville 1921 only - Sep 1 2:00 0 S
+ Rule Louisville 1941 only - Apr lastSun 2:00 1:00 D
+@@ -1185,7 +1185,7 @@
+ # election Michigan voters narrowly repealed DST, effective 1969.
+ #
+ # Most of Michigan observed DST from 1973 on, but was a bit late in 1975.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Detroit 1948 only - Apr lastSun 2:00 1:00 D
+ Rule Detroit 1948 only - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -1202,7 +1202,7 @@
+ #
+ # Dickinson, Gogebic, Iron, and Menominee Counties, Michigan,
+ # switched from EST to CST/CDT in 1973.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
++# Rule NAME FROM TO - IN ON AT SAVE LETTER
+ Rule Menominee 1946 only - Apr lastSun 2:00 1:00 D
+ Rule Menominee 1946 only - Sep lastSun 2:00 0 S
+ Rule Menominee 1966 only - Apr lastSun 2:00 1:00 D
+@@ -1372,7 +1372,7 @@
+ # Oct 31, to Oct 27, 1918 (and Sunday is a more likely transition day
+ # than Thursday) in all Canadian rulesets.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Canada 1918 only - Apr 14 2:00 1:00 D
+ Rule Canada 1918 only - Oct 27 2:00 0 S
+ Rule Canada 1942 only - Feb 9 2:00 1:00 W # War
+@@ -1395,7 +1395,7 @@
+ # that follows the rules is the southeast corner, including Port Hope
+ # Simpson and Mary's Harbour, but excluding, say, Black Tickle.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule StJohns 1917 only - Apr 8 2:00 1:00 D
+ Rule StJohns 1917 only - Sep 17 2:00 0 S
+ # Whitman gives 1919 Apr 5 and 1920 Apr 5; go with Shanks & Pottenger.
+@@ -1497,7 +1497,7 @@
+ # bill say that it is "accommodating the customs and practices" of those
+ # regions, which suggests that they have always been in-line with Halifax.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Halifax 1916 only - Apr 1 0:00 1:00 D
+ Rule Halifax 1916 only - Oct 1 0:00 0 S
+ Rule Halifax 1920 only - May 9 0:00 1:00 D
+@@ -1563,7 +1563,7 @@
+ # clear that this was the case since at least 1993.
+ # For now, assume it started in 1993.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Moncton 1933 1935 - Jun Sun>=8 1:00 1:00 D
+ Rule Moncton 1933 1935 - Sep Sun>=8 1:00 0 S
+ Rule Moncton 1936 1938 - Jun Sun>=1 1:00 1:00 D
+@@ -1772,7 +1772,7 @@
+ # With some exceptions, the use of daylight saving may be said to be limited
+ # to those cities and towns lying between Quebec city and Windsor, Ont.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Toronto 1919 only - Mar 30 23:30 1:00 D
+ Rule Toronto 1919 only - Oct 26 0:00 0 S
+ Rule Toronto 1920 only - May 2 2:00 1:00 D
+@@ -1870,7 +1870,7 @@
+ # starting 1966. Since 02:00s is clearly correct for 1967 on, assume
+ # it was also 02:00s in 1966.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Winn 1916 only - Apr 23 0:00 1:00 D
+ Rule Winn 1916 only - Sep 17 0:00 0 S
+ Rule Winn 1918 only - Apr 14 2:00 1:00 D
+@@ -1961,7 +1961,7 @@
+ # long and rather painful to read.
+ # http://www.qp.gov.sk.ca/documents/English/Statutes/Statutes/T14.pdf
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Regina 1918 only - Apr 14 2:00 1:00 D
+ Rule Regina 1918 only - Oct 27 2:00 0 S
+ Rule Regina 1930 1934 - May Sun>=1 0:00 1:00 D
+@@ -2011,7 +2011,7 @@
+ # Boyer JP. Forcing Choice: The Risky Reward of Referendums. Dundum. 2017.
+ # ISBN 978-1459739123.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Edm 1918 1919 - Apr Sun>=8 2:00 1:00 D
+ Rule Edm 1918 only - Oct 27 2:00 0 S
+ Rule Edm 1919 only - May 27 2:00 0 S
+@@ -2120,7 +2120,7 @@
+ # https://searcharchives.vancouver.ca/daylight-saving-1918-starts-again-july-7-1941-start-d-s-sept-27-end-of-d-s-1941
+ # We have no further details, so omit them for now.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Vanc 1918 only - Apr 14 2:00 1:00 D
+ Rule Vanc 1918 only - Oct 27 2:00 0 S
+ Rule Vanc 1942 only - Feb 9 2:00 1:00 W # War
+@@ -2449,7 +2449,19 @@
+ # consistency with nearby Dawson Creek, Creston, and Fort Nelson.
+ # https://yukon.ca/en/news/yukon-end-seasonal-time-change
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# From Andrew G. Smith (2020-09-24):
++# Yukon has completed its regulatory change to be on UTC -7 year-round....
++# http://www.gov.yk.ca/legislation/regs/oic2020_125.pdf
++# What we have done is re-defined Yukon Standard Time, as we are
++# authorized to do under section 33 of our Interpretation Act:
++# http://www.gov.yk.ca/legislation/acts/interpretation_c.pdf
++#
++# From Paul Eggert (2020-09-24):
++# tzdb uses the obsolete YST abbreviation for standard time in Yukon through
++# about 1970, and uses PST for standard time in Yukon since then. Consistent
++# with that, use MST for -07, the new standard time in Yukon effective Nov. 1.
++
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule NT_YK 1918 only - Apr 14 2:00 1:00 D
+ Rule NT_YK 1918 only - Oct 27 2:00 0 S
+ Rule NT_YK 1919 only - May 25 2:00 1:00 D
+@@ -2503,12 +2515,12 @@
+ Zone America/Whitehorse -9:00:12 - LMT 1900 Aug 20
+ -9:00 NT_YK Y%sT 1967 May 28 0:00
+ -8:00 NT_YK P%sT 1980
+- -8:00 Canada P%sT 2020 Mar 8 2:00
++ -8:00 Canada P%sT 2020 Nov 1
+ -7:00 - MST
+ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ -9:00 NT_YK Y%sT 1973 Oct 28 0:00
+ -8:00 NT_YK P%sT 1980
+- -8:00 Canada P%sT 2020 Mar 8 2:00
++ -8:00 Canada P%sT 2020 Nov 1
+ -7:00 - MST
+
+
+@@ -2723,7 +2735,7 @@
+ # 5- The islands, reefs and keys shall take their timezone from the
+ # longitude they are located at.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2928,7 +2940,7 @@
+ # rules to sync with the U.S. starting in 2007....
+ # http://www.jonesbahamas.com/?c=45&a=10412
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Bahamas 1964 1975 - Oct lastSun 2:00 0 S
+ Rule Bahamas 1964 1975 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -2940,7 +2952,7 @@
+
+ # For 1899 Milne gives -3:58:29.2; round that.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Barb 1977 only - Jun 12 2:00 1:00 D
+ Rule Barb 1977 1978 - Oct Sun>=1 2:00 0 S
+ Rule Barb 1978 1980 - Apr Sun>=15 2:00 1:00 D
+@@ -2953,7 +2965,7 @@
+
+ # Belize
+ # Whitman entirely disagrees with Shanks; go with Shanks & Pottenger.
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Belize 1918 1942 - Oct Sun>=2 0:00 0:30 -0530
+ Rule Belize 1919 1943 - Feb Sun>=9 0:00 0 CST
+ Rule Belize 1973 only - Dec 5 0:00 1:00 CDT
+@@ -2990,7 +3002,7 @@
+
+ # Milne gives -5:36:13.3 as San José mean time; round to nearest.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule CR 1979 1980 - Feb lastSun 0:00 1:00 D
+ Rule CR 1979 1980 - Jun Sun>=1 0:00 0 S
+ Rule CR 1991 1992 - Jan Sat>=15 0:00 1:00 D
+@@ -3164,7 +3176,7 @@
+ # From Paul Eggert (2012-11-03):
+ # For now, assume the future rule is first Sunday in November.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Cuba 1928 only - Jun 10 0:00 1:00 D
+ Rule Cuba 1928 only - Oct 10 0:00 0 S
+ Rule Cuba 1940 1942 - Jun Sun>=1 0:00 1:00 D
+@@ -3233,7 +3245,7 @@
+ # decided to revert.
+
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule DR 1966 only - Oct 30 0:00 1:00 EDT
+ Rule DR 1967 only - Feb 28 0:00 0 EST
+ Rule DR 1969 1973 - Oct lastSun 0:00 0:30 -0430
+@@ -3250,7 +3262,7 @@
+
+ # El Salvador
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Salv 1987 1988 - May Sun>=1 0:00 1:00 D
+ Rule Salv 1987 1988 - Sep lastSun 0:00 0 S
+ # There are too many San Salvadors elsewhere, so use America/El_Salvador
+@@ -3279,7 +3291,7 @@
+ # (2006-04-19), says DST ends at 24:00. See
+ # http://www.sieca.org.gt/Sitio_publico/Energeticos/Doc/Medidas/Cambio_Horario_Nac_190406.pdf
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Guat 1973 only - Nov 25 0:00 1:00 D
+ Rule Guat 1974 only - Feb 24 0:00 0 S
+ Rule Guat 1983 only - May 21 0:00 1:00 D
+@@ -3360,7 +3372,7 @@
+ # I have not been able to find a more authoritative source:
+ # https://www.haitilibre.com/en/news-20319-haiti-notices-time-change-in-haiti.html
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Haiti 1983 only - May 8 0:00 1:00 D
+ Rule Haiti 1984 1987 - Apr lastSun 0:00 1:00 D
+ Rule Haiti 1983 1987 - Oct lastSun 0:00 0 S
+@@ -3408,7 +3420,7 @@
+ # http://www.laprensahn.com/pais_nota.php?id04962=7386
+ # So it seems that Honduras will not enter DST this year....
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Hond 1987 1988 - May Sun>=1 0:00 1:00 D
+ Rule Hond 1987 1988 - Sep lastSun 0:00 0 S
+ Rule Hond 2006 only - May Sun>=1 0:00 1:00 D
+@@ -3499,7 +3511,7 @@
+ # The natural sun time is restored in all the national territory, in that the
+ # time is returned one hour at 01:00 am of October 1 of 2006.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Nic 1979 1980 - Mar Sun>=16 0:00 1:00 D
+ Rule Nic 1979 1980 - Jun Mon>=23 0:00 0 S
+ Rule Nic 2005 only - Apr 10 0:00 1:00 D
+--- contrib/tzdata/southamerica.orig
++++ contrib/tzdata/southamerica
+@@ -48,7 +48,7 @@
+ # I am sending modifications to the Argentine time zone table...
+ # AR was chosen because they are the ISO letters that represent Argentina.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Arg 1930 only - Dec 1 0:00 1:00 -
+ Rule Arg 1931 only - Apr 1 0:00 0 -
+ Rule Arg 1931 only - Oct 15 0:00 1:00 -
+@@ -769,7 +769,7 @@
+ # From Paul Eggert (2013-10-17):
+ # For now, assume western Amazonas will change as well.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ # Decree 20,466 <http://pcdsh01.on.br/HV20466.htm> (1931-10-01)
+ # Decree 21,896 <http://pcdsh01.on.br/HV21896.htm> (1932-01-10)
+ Rule Brazil 1931 only - Oct 3 11:00 1:00 -
+@@ -1258,7 +1258,7 @@
+ # For now, assume that they will not revert,
+ # since they have extended the expiration date once already.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+ Rule Chile 1928 1932 - Apr 1 0:00 0 -
+ Rule Chile 1968 only - Nov 3 4:00u 1:00 -
+@@ -1358,7 +1358,7 @@
+ # Milne gives 4:56:16.4 for Bogotá time in 1899; round to nearest. He writes,
+ # "A variation of fifteen minutes in the public clocks of Bogota is not rare."
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule CO 1992 only - May 3 0:00 1:00 -
+ Rule CO 1993 only - Apr 4 0:00 0 -
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+@@ -1418,7 +1418,7 @@
+ # (Not one step back), the clocks went back in 1993 and the experiment was not
+ # repeated. For now, assume transitions were at 00:00 local time country-wide.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Ecuador 1992 only - Nov 28 0:00 1:00 -
+ Rule Ecuador 1993 only - Feb 5 0:00 0 -
+ #
+@@ -1512,7 +1512,7 @@
+ # For now we will assume permanent -03 for the Falklands
+ # until advised differently (to apply for 2012 and beyond, after the 2011
+ # experiment was apparently successful.)
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Falk 1937 1938 - Sep lastSun 0:00 1:00 -
+ Rule Falk 1938 1942 - Mar Sun>=19 0:00 0 -
+ Rule Falk 1939 only - Oct 1 0:00 1:00 -
+@@ -1558,7 +1558,7 @@
+ # No time of the day is established for the adjustment, so people normally
+ # adjust their clocks at 0 hour of the given dates.
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Para 1975 1988 - Oct 1 0:00 1:00 -
+ Rule Para 1975 1978 - Mar 1 0:00 0 -
+ Rule Para 1979 1991 - Apr 1 0:00 0 -
+@@ -1651,7 +1651,7 @@
+ # From Paul Eggert (2006-03-22):
+ # Shanks & Pottenger don't have this transition. Assume 1986 was like 1987.
+
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Peru 1938 only - Jan 1 0:00 1:00 -
+ Rule Peru 1938 only - Apr 1 0:00 0 -
+ Rule Peru 1938 1939 - Sep lastSun 0:00 1:00 -
+@@ -1747,7 +1747,7 @@
+ # https://www.impo.com.uy/diariooficial/1926/03/10/2
+ # https://www.impo.com.uy/diariooficial/1926/03/18/2
+ #
+-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Uruguay 1923 1925 - Oct 1 0:00 0:30 -
+ Rule Uruguay 1924 1926 - Apr 1 0:00 0 -
+ # From Tim Parenti (2018-02-15):
+--- contrib/tzdata/theory.html.orig
++++ contrib/tzdata/theory.html
+@@ -33,7 +33,7 @@
+ The <a
+ href="https://www.iana.org/time-zones"><code><abbr>tz</abbr></code>
+ database</a> attempts to record the history and predicted future of
+-all computer-based clocks that track civil time.
++civil time scales.
+ It organizes <a href="tz-link.html">time zone and daylight saving time
+ data</a> by partitioning the world into <a
+ href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"><dfn>timezones</dfn></a>
+@@ -115,17 +115,15 @@
+ Inexperienced users are not expected to select these names unaided.
+ Distributors should provide documentation and/or a simple selection
+ interface that explains each name via a map or via descriptive text like
+-"Ruthenia" instead of the timezone name "<code>Europe/Uzhgorod</code>".
++"Czech Republic" instead of the timezone name "<code>Europe/Prague</code>".
+ If geolocation information is available, a selection interface can
+ locate the user on a timezone map or prioritize names that are
+ geographically close. For an example selection interface, see the
+ <code>tzselect</code> program in the <code><abbr>tz</abbr></code> code.
+-The <a href="http://cldr.unicode.org/">Unicode Common Locale Data
++The <a href="http://cldr.unicode.org">Unicode Common Locale Data
+ Repository</a> contains data that may be useful for other selection
+-interfaces; it maps timezone names like <code>Europe/Uzhgorod</code>
+-to CLDR names like <code>uauzh</code> which are in turn mapped to
+-locale-dependent strings like "Uzhhorod", "Ungvár", "Ужгород", and
+-"乌日哥罗德".
++interfaces; it maps timezone names like <code>Europe/Prague</code> to
++locale-dependent strings like "Prague", "Praha", "Прага", and "布拉格".
+ </p>
+
+ <p>
+@@ -693,6 +691,14 @@
+ <code><abbr>tz</abbr></code> database requires.
+ </li>
+ <li>
++ The <code><abbr>tz</abbr></code> database cannot represent stopped clocks.
++ However, on 1911-03-11 at 00:00, some public-facing French clocks
++ were changed by stopping them for a few minutes to effect a transition.
++ The <code><abbr>tz</abbr></code> database models this via a
++ backward transition; the relevant French legislation does not
++ specify exactly how the transition was to occur.
++ </li>
++ <li>
+ Sometimes historical timekeeping was specified more precisely
+ than what the <code><abbr>tz</abbr></code> code can handle.
+ For example, from 1909 to 1937 <a
+@@ -1321,17 +1327,21 @@
+ <section>
+ <h2 id="planets">Time and time zones on other planets</h2>
+ <p>
+-Some people's work schedules
+-use <a href="https://en.wikipedia.org/wiki/Timekeeping_on_Mars">Mars time</a>.
++Some people's work schedules have used
++<a href="https://en.wikipedia.org/wiki/Timekeeping_on_Mars">Mars time</a>.
+ Jet Propulsion Laboratory (JPL) coordinators kept Mars time on
+ and off during the
+ <a href="https://en.wikipedia.org/wiki/Mars_Pathfinder">Mars
+-Pathfinder</a> mission.
++Pathfinder</a> mission (1997).
+ Some of their family members also adapted to Mars time.
+ Dozens of special Mars watches were built for JPL workers who kept
+-Mars time during the Mars Exploration Rovers mission (2004).
+-These timepieces look like normal Seikos and Citizens but use Mars
+-seconds rather than terrestrial seconds.
++Mars time during the
++<a href="https://en.wikipedia.org/wiki/Mars_Exploration_Rover">Mars
++Exploration Rovers (MER)</a> mission (2004&ndash;2018).
++These timepieces looked like normal Seikos and Citizens but were adjusted
++to use Mars seconds rather than terrestrial seconds, although
++unfortunately the adjusted watches were unreliable and appear to have
++had only limited use.
+ </p>
+
+ <p>
+@@ -1339,6 +1349,8 @@
+ about 24 hours 39 minutes 35.244 seconds in terrestrial time.
+ It is divided into a conventional 24-hour clock, so each Mars second
+ equals about 1.02749125 terrestrial seconds.
++(One MER worker noted, "If I am working Mars hours, and Mars hours are
++2.5% more than Earth hours, shouldn't I get an extra 2.5% pay raise?")
+ </p>
+
+ <p>
+@@ -1354,12 +1366,12 @@
+ <p>
+ Each landed mission on Mars has adopted a different reference for
+ solar timekeeping, so there is no real standard for Mars time zones.
+-For example, the
+-<a href="https://en.wikipedia.org/wiki/Mars_Exploration_Rover">Mars
+-Exploration Rover</a> project (2004) defined two time zones "Local
++For example, the MER mission defined two time zones "Local
+ Solar Time A" and "Local Solar Time B" for its two missions, each zone
+ designed so that its time equals local true solar time at
+ approximately the middle of the nominal mission.
++The A and B zones differ enough so that an MER worker assigned to
++the A zone might suffer "Mars lag" when switching to work in the B zone.
+ Such a "time zone" is not particularly suited for any application
+ other than the mission itself.
+ </p>
+@@ -1408,9 +1420,14 @@
+ Michael Allison and Robert Schmunk,
+ "<a href="https://www.giss.nasa.gov/tools/mars24/help/notes.html">Technical
+ Notes on Mars Solar Time as Adopted by the Mars24 Sunclock</a>"
+- (2018-12-13).
++ (2020-03-08).
+ </li>
+ <li>
++ Zara Mirmalek,
++ <em><a href="https://mitpress.mit.edu/books/making-time-mars">Making
++ Time on Mars</a></em>, MIT Press (March 2020), ISBN 978-0262043854.
++ </li>
++ <li>
+ Jia-Rui Chong,
+ "<a href="https://www.latimes.com/archives/la-xpm-2004-jan-14-sci-marstime14-story.html">Workdays
+ Fit for a Martian</a>", <cite>Los Angeles Times</cite>
+--- contrib/tzdata/version.orig
++++ contrib/tzdata/version
+@@ -1 +1 @@
+-2020a
++2020d
+--- contrib/tzdata/ziguard.awk.orig
++++ contrib/tzdata/ziguard.awk
+@@ -3,7 +3,14 @@
+ # Contributed by Paul Eggert. This file is in the public domain.
+
+ # This is not a general-purpose converter; it is designed for current tzdata.
++# It just converts from current source to main, vanguard, and rearguard forms.
++# Although it might be nice for it to be idempotent, or to be useful
++# for converting back and forth between vanguard and rearguard formats,
++# it does not do these nonessential tasks now.
+ #
++# Although main and vanguard forms are currently equivalent,
++# this need not always be the case.
++#
+ # When converting to vanguard form, the output can use negative SAVE
+ # values.
+ #
+@@ -28,7 +35,7 @@
+ in_comment = /^#/
+ uncomment = comment_out = 0
+
+- # If the line should differ due to Czechoslovakia using negative SAVE values,
++ # If this line should differ due to Czechoslovakia using negative SAVE values,
+ # uncomment the desired version and comment out the undesired one.
+ if (zone == "Europe/Prague" && /1947 Feb 23/) {
+ if (($(in_comment + 2) != "-") == vanguard) {
+--- contrib/tzdata/zishrink.awk.orig
++++ contrib/tzdata/zishrink.awk
+@@ -166,9 +166,6 @@
+ ruleline = sub(/^Rule /, "R ", line)
+ zoneline = sub(/^Zone /, "Z ", line)
+
+- # SystemV rules are not needed.
+- if (line ~ /^R SystemV /) return
+-
+ # Replace FooAsia rules with the same rules without "Asia", as they
+ # are duplicates.
+ if (match(line, /[^ ]Asia /)) {
+@@ -275,7 +272,6 @@
+ default_dep["factory"] = 1
+ default_dep["northamerica"] = 1
+ default_dep["southamerica"] = 1
+- default_dep["systemv"] = 1
+ default_dep["ziguard.awk"] = 1
+ default_dep["zishrink.awk"] = 1
+
+--- contrib/tzdata/zoneinfo2tdf.pl.orig
++++ contrib/tzdata/zoneinfo2tdf.pl
+@@ -38,7 +38,7 @@
+ }
+ $contZone = $fields[1] if @fields > 5;
+ } elsif ($type eq 'rule') {
+- # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
++ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ @fields == 10 or warn "bad rule line";
+ } elsif ($type eq 'link') {
+ # Link TARGET LINK-NAME
diff --git a/share/security/patches/EN-20:20/tzdata-2020d.patch.asc b/share/security/patches/EN-20:20/tzdata-2020d.patch.asc
new file mode 100644
index 0000000000..4aaafe360b
--- /dev/null
+++ b/share/security/patches/EN-20:20/tzdata-2020d.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLNvw/9FVwnxlarsLLMSuWOCKZtbAIs5Bxoa2bxBvMLM12nWHAh7gUSFQzM2cCk
+Wcc7JZueQf57qyVMM+nzV3W+evJ55ZBLsBVNLh7LeEhosZFFgCoSjJg3CZrkNL6D
+8uupAWLNOGikv+mFi7HIViI56a9Zdnse+hAgNBowj6vt20queVTbW+3K3Tqmb0Ru
+EksgdQ7+Y0Rhd9XpgnB5bmLPSnyeKJ4ffLyG4aj4THyc/lPqYXauc3xGhgnmtdTO
+Pm+HTlWsOy9dMFzA+28nBhpS5Wa3hx8mMNM0XjZxeCRrI8yvFugtIPoW7Avn8LII
+88GvrZG8pKGehUqJcKERY/DZnwESxiJJvZ/YF8SDXnkjNA2q+fAzrekG+Qk9QcLB
+8Pnybv7scU8IKcuONmMIN18ini7lJqbnApW9gOgKwLQBmwnSCcaYQuTCJ8CigQgR
+73FvoLvMyAKoTUz1A2+TbArWEJLXWsCAffo2ki8WBVzOivFk0gw8O7rmHXl5lCJP
+FbdIxfsC82xjKLvVG7CwB+WRUwQCG17QzElQVYyYlTSbFa1CUXqfwVvxqhzXXh63
+9FFoBVcGaglrmYVojGr5Mj41G0MhRvNieQ7VAId3uUxVfQe8Z77gf3x52lXjwVPt
+VpDjZOooFEDi+WlD/DuMmLnIVOFmyWbeYIV2nlIgcWGA5a9qE2M=
+=MCBt
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:21/ipfw.patch b/share/security/patches/EN-20:21/ipfw.patch
new file mode 100644
index 0000000000..188b06960d
--- /dev/null
+++ b/share/security/patches/EN-20:21/ipfw.patch
@@ -0,0 +1,89 @@
+--- sbin/ipfw/dummynet.c.orig
++++ sbin/ipfw/dummynet.c
+@@ -1279,8 +1279,8 @@
+ struct dn_profile *pf = NULL;
+ struct ipfw_flow_id *mask = NULL;
+ #ifdef NEW_AQM
+- struct dn_extra_parms *aqm_extra;
+- struct dn_extra_parms *sch_extra;
++ struct dn_extra_parms *aqm_extra = NULL;
++ struct dn_extra_parms *sch_extra = NULL;
+ int lmax_extra;
+ #endif
+
+--- sbin/ipfw/ipfw2.c.orig
++++ sbin/ipfw/ipfw2.c
+@@ -1618,6 +1618,9 @@
+ case O_TCPWIN:
+ s = "tcpwin";
+ break;
++ default:
++ s = "<unknown>";
++ break;
+ }
+ bprintf(bp, " %s %u", s, cmd->arg1);
+ } else
+@@ -4003,7 +4006,7 @@
+ struct addrinfo *res;
+ char *s, *end;
+ int family;
+- u_short port_number;
++ u_short port_number = 0;
+
+ NEED1("missing forward address[:port]");
+
+@@ -5600,7 +5603,7 @@
+ static void
+ ipfw_list_tifaces(void)
+ {
+- ipfw_obj_lheader *olh;
++ ipfw_obj_lheader *olh = NULL;
+ ipfw_iface_info *info;
+ uint32_t i;
+ int error;
+@@ -5608,7 +5611,6 @@
+ if ((error = ipfw_get_tracked_ifaces(&olh)) != 0)
+ err(EX_OSERR, "Unable to request ipfw tracked interface list");
+
+-
+ qsort(olh + 1, olh->count, olh->objsize, ifinfo_cmp);
+
+ info = (ipfw_iface_info *)(olh + 1);
+@@ -5625,7 +5627,3 @@
+
+ free(olh);
+ }
+-
+-
+-
+-
+--- sbin/ipfw/nat64lsn.c.orig
++++ sbin/ipfw/nat64lsn.c
+@@ -99,6 +99,7 @@
+ stg = (ipfw_nat64lsn_stg_v1 *)(od + 1);
+ sz = od->head.length - sizeof(*od);
+ next_idx = 0;
++ proto = NULL;
+ while (sz > 0 && next_idx != 0xFF) {
+ next_idx = stg->next.index;
+ sz -= sizeof(*stg);
+--- sbin/ipfw/tables.c.orig
++++ sbin/ipfw/tables.c
+@@ -847,7 +847,7 @@
+ static int
+ table_show_one(ipfw_xtable_info *i, void *arg)
+ {
+- ipfw_obj_header *oh;
++ ipfw_obj_header *oh = NULL;
+ int error;
+ int is_all;
+
+@@ -1179,7 +1179,7 @@
+ struct servent *sent;
+ int masklen;
+
+- masklen = 0;
++ mask = masklen = 0;
+ af = 0;
+ paddr = (struct in6_addr *)&tentry->k;
+
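Review bot: In the ipfw2.c hunk for ipfw_list_tifaces, `olh` now starts as NULL, but `qsort(olh + 1, olh->count, olh->objsize, ifinfo_cmp)` still dereferences it straight after the error check. The initializer therefore only helps if ipfw_get_tracked_ifaces() always stores a pointer when it returns 0, and that function is not visible here. If that contract is not guaranteed, a guard such as `if (olh == NULL) return;` before the qsort would turn a NULL dereference into a clean exit. The same question applies to `oh = NULL` in table_show_one (tables.c), `proto = NULL` in nat64lsn.c and `port_number = 0` in ipfw2.c, whose later uses lie outside the hunks. A short comment on each initializer saying which path can leave the variable unset would help the next reader.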
diff --git a/share/security/patches/EN-20:21/ipfw.patch.asc b/share/security/patches/EN-20:21/ipfw.patch.asc
new file mode 100644
index 0000000000..afae6323a9
--- /dev/null
+++ b/share/security/patches/EN-20:21/ipfw.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cK2ixAAlpgsUKdrLpBC5c56MsSuX76DEvyiMwbyTK7II8+Wyslj/ZUZA+PXEqJ5
+D0btsf33HfDsaFum7qyJ9GPoSkxQh4cYVY7OfQB40mJp2NKtMbSVDVjXPqb/Igm1
+kVhT/AJO3vm2WUhwy6ER5s5zxPh5unsw3rWtgwwC6YiJ+mf5JjowM6jE7DKB20eH
+Ix6+pPwroCaZ3dN5XsbDBNaORaROuC8EbrwjB+/AHhHK0enXukd5WgwPNTrah9q7
+i5+dZX1cDk7rZVWHPo1fywvFDdEWwNUeW2yL7B4Ftuha44n4vZU253Z8CtDLv7hw
+xzioch1uKM+xnXNqkx1uzT4mgghlHl8cIe3Px/1CiUXGUdAjo8Fq8tiCYKWrp3PB
+hZsE7+RmdlxfcI7COOeFUaLf1HGlFQXnsw7I6Q4fE1Bgo+qOyk7URq2yXvi5aKOA
+WVcZkr7PSHnj9KGqHLi5j4i/ieqeptN1ZXwhGtSW5P7xDfxX4Oxt/9Nqlmhp7vFR
+G3XPChMwn7j6EL/CzR89BG2S7Gaz7kZe6evG4rfd2UCD5oI/cceu3/ihA+EeEdtn
+WZ50pqGMLBRuJySJOGJM8Yh6gXlydzkiQWp+Ux43s5ltALONF1g43wPfx6dsNhtL
+oPap5xzObkFKs0m9vNSMacZqS5Oz5LeoeZqTBz/VMUiCdayewhk=
+=4mes
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:22/callout.12.1.patch b/share/security/patches/EN-20:22/callout.12.1.patch
new file mode 100644
index 0000000000..e77787d61b
--- /dev/null
+++ b/share/security/patches/EN-20:22/callout.12.1.patch
@@ -0,0 +1,20 @@
+--- sys/kern/kern_timeout.c.orig
++++ sys/kern/kern_timeout.c
+@@ -1270,7 +1270,7 @@
+ * just wait for the current invocation to
+ * finish.
+ */
+- while (cc_exec_curr(cc, direct) == c) {
++ if (cc_exec_curr(cc, direct) == c) {
+ /*
+ * Use direct calls to sleepqueue interface
+ * instead of cv/msleep in order to avoid
+@@ -1318,7 +1318,7 @@
+
+ /* Reacquire locks previously released. */
+ PICKUP_GIANT();
+- CC_LOCK(cc);
++ goto again;
+ }
+ c->c_flags &= ~CALLOUT_ACTIVE;
+ } else if (use_lock &&
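Review bot: The context comment `/* Reacquire locks previously released. */` no longer matches the code once `CC_LOCK(cc);` is replaced by `goto again;`. Only `PICKUP_GIANT()` reacquires anything at this point, and the callout lock is presumably retaken at the `again` label, which lies outside the patch context along with the rest of the function. Because the `while` also becomes an `if`, the re-check now depends entirely on that jump, so the comment should say so, for example `/* Reacquire Giant, then restart from the top to retake the callout lock and re-check the callout. */`. The same applies to callout.12.2.patch, which carries the identical change.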
diff --git a/share/security/patches/EN-20:22/callout.12.1.patch.asc b/share/security/patches/EN-20:22/callout.12.1.patch.asc
new file mode 100644
index 0000000000..64ff7fe7c7
--- /dev/null
+++ b/share/security/patches/EN-20:22/callout.12.1.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLVfA//ekZ9PiCNi+aoV3AW8hY1zTeRKy2SUPGJ0zBL2fmM6p8jByqIYL7qm9RR
+EpEFv9E8IDfp2SBHj8mdD8TcBZls1wSVnCVy2oAl2RUxZxmimBNBlhB57iLUsfMz
+kSUviZksGS6B1uYZGysFOQhknRRB+dA9/jojIkJZOevMZcMV73zq0CXIjhJ3QbSy
+D0wIZfDZx65Q9ZprxLcFfyhteFtRFzaYsIi9IcWRWB9SrE/mlrAm4Fye3wvgDPmu
+5cxpzRDyJqWnGZk/ViQpUIsbbq4MYAh2cO3Qc9uTv+BxegpOpR+0XMCFffegI8UH
+454zbVeMHVIDCV0/R3nfMBxb+UnOhjYAwiQydA405xEvtHFlMGOqko4lVpDfoRRd
+2dnEowPdo06CSSgfMVIod0kFUxJq7ijjGrxXeXs+Q4oVcb7ETXo16qPSwFMTV7QB
+2HrdUNE6OmWoaEEIywIKF2mTk0aCWroYlpX+Nr80uJqW6KjOd+qPkuWPFu4JauJ4
+dpL0cOU4B29wQUbXjekaGvArJ8nqf6/UJ4xad9o8jgbJS7ncNvXXY6tPQqc1QmAo
+8Jbbd6QM37dE+hiZ3lXSJjA5MWUTcEfrNnlAP32hkjwlOeIrYE+5St1VRHq2pCMY
+R8EEdRlQG4GBKZnhbmlKbT9IUrWL4KioZfg5wdiJmG45eRjPKUo=
+=f0gt
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:22/callout.12.2.patch b/share/security/patches/EN-20:22/callout.12.2.patch
new file mode 100644
index 0000000000..fde12f776c
--- /dev/null
+++ b/share/security/patches/EN-20:22/callout.12.2.patch
@@ -0,0 +1,20 @@
+--- sys/kern/kern_timeout.c.orig
++++ sys/kern/kern_timeout.c
+@@ -1271,7 +1271,7 @@
+ * just wait for the current invocation to
+ * finish.
+ */
+- while (cc_exec_curr(cc, direct) == c) {
++ if (cc_exec_curr(cc, direct) == c) {
+ /*
+ * Use direct calls to sleepqueue interface
+ * instead of cv/msleep in order to avoid
+@@ -1319,7 +1319,7 @@
+
+ /* Reacquire locks previously released. */
+ PICKUP_GIANT();
+- CC_LOCK(cc);
++ goto again;
+ }
+ c->c_flags &= ~CALLOUT_ACTIVE;
+ } else if (use_lock &&
diff --git a/share/security/patches/EN-20:22/callout.12.2.patch.asc b/share/security/patches/EN-20:22/callout.12.2.patch.asc
new file mode 100644
index 0000000000..b7205d2f3e
--- /dev/null
+++ b/share/security/patches/EN-20:22/callout.12.2.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKZLg//Q6GcyfEtQgG86dIwR+ZvIQvmqKnLu8w3fLGpCuZ0rrgQ52+OKl7htsfP
+9T2HuyRwb/WM3C86vgrw70+FiXBkEQ7DwsjDSXD1REOTbg3gGa3RN4f0kZfHH7xq
+vYdHzgVp6wT6Ld7bxFRdylsS33tSg3ZJ/PObjxJGugtwCgtP80oc+yxvaNpEmCz4
+6CckiK0TG8HZPT04mudyS7X7QYEPjpwANwPfSbYvBZm2FTpQyU7xeOr/gfw6o7QR
+/ORMfdWtumehRcSEosMrvGEKmd7HM4fwNUJQwW1mesKMDwd8UfK9LeW/J030icua
+DvjfLvtpx3H1FxPvH1QIsoj54KD/W0zazPP7T4IyOgNha7qMRihY5q5Dwt1yvC8g
+6k6HtTIxfqoROKc5FpyzEeBTWuli3AiJPo9WYr85UaMtpEzwxavgaVjEQb+kxCpO
+STHGKUbU8LX3spJDEvMZPqq86VQQZd5b1mgMjClZ9/0uc3eNlL3tAfcRb3AXYJ54
+7l1itJ3RQYqfRgTzA6dKnWeWwMqg2PN6nN/z01VmCBIJHsF47ae9Mc51kRbdXN4e
+jvwQn+Obk5WmaiWEhbnEs24gLK8cqXsnHaM8mf9RE+z2Tn5dd9chqtTF+gsmxw8M
+07t0Wp3yoUdyqGkaJOo9WVFNt0bEK+AboT5HsNjyFda89Xz9OLY=
+=ZONK
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:31/icmp6.11.4.patch b/share/security/patches/SA-20:31/icmp6.11.4.patch
new file mode 100644
index 0000000000..3f5129a530
--- /dev/null
+++ b/share/security/patches/SA-20:31/icmp6.11.4.patch
@@ -0,0 +1,57 @@
+--- sys/netinet6/icmp6.c.orig
++++ sys/netinet6/icmp6.c
+@@ -903,6 +903,7 @@
+ }
+ #endif
+ eip6 = (struct ip6_hdr *)(icmp6 + 1);
++ bzero(&icmp6dst, sizeof(icmp6dst));
+
+ /* Detect the upper level protocol */
+ {
+@@ -911,7 +912,6 @@
+ int eoff = off + sizeof(struct icmp6_hdr) +
+ sizeof(struct ip6_hdr);
+ struct ip6ctlparam ip6cp;
+- struct in6_addr *finaldst = NULL;
+ int icmp6type = icmp6->icmp6_type;
+ struct ip6_frag *fh;
+ struct ip6_rthdr *rth;
+@@ -994,7 +994,7 @@
+ /* just ignore a bogus header */
+ if ((rth0->ip6r0_len % 2) == 0 &&
+ (hops = rth0->ip6r0_len/2))
+- finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
++ icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));
+ }
+ eoff += rthlen;
+ nxt = rth->ip6r_nxt;
+@@ -1059,13 +1059,10 @@
+ */
+ eip6 = (struct ip6_hdr *)(icmp6 + 1);
+
+- bzero(&icmp6dst, sizeof(icmp6dst));
+ icmp6dst.sin6_len = sizeof(struct sockaddr_in6);
+ icmp6dst.sin6_family = AF_INET6;
+- if (finaldst == NULL)
++ if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))
+ icmp6dst.sin6_addr = eip6->ip6_dst;
+- else
+- icmp6dst.sin6_addr = *finaldst;
+ if (in6_setscope(&icmp6dst.sin6_addr, m->m_pkthdr.rcvif, NULL))
+ goto freeit;
+ bzero(&icmp6src, sizeof(icmp6src));
+@@ -1077,13 +1074,11 @@
+ icmp6src.sin6_flowinfo =
+ (eip6->ip6_flow & IPV6_FLOWLABEL_MASK);
+
+- if (finaldst == NULL)
+- finaldst = &eip6->ip6_dst;
+ ip6cp.ip6c_m = m;
+ ip6cp.ip6c_icmp6 = icmp6;
+ ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
+ ip6cp.ip6c_off = eoff;
+- ip6cp.ip6c_finaldst = finaldst;
++ ip6cp.ip6c_finaldst = &icmp6dst.sin6_addr;
+ ip6cp.ip6c_src = &icmp6src;
+ ip6cp.ip6c_nxt = nxt;
+
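Review bot: The test `IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr)` now stands in for the removed `finaldst == NULL`, so a routing header whose last address is itself `::` can no longer be told apart from no routing header at all and falls back to `eip6->ip6_dst`. That is probably the safer outcome, but it is a behaviour change that depends on the early `bzero(&icmp6dst, sizeof(icmp6dst));`, and nothing at either site records the dependency. A comment at the `bzero` such as `/* zeroed here: an unspecified sin6_addr later means no routing header supplied a final destination */` would stop a later edit from moving it back down. The by-value copy, which leaves `ip6c_finaldst` pointing at `icmp6dst` rather than into packet data, deserves a one-line comment as well; the enclosing function starts and ends outside the patch context. The same applies to icmp6.12.1.patch and icmp6.12.2.patch.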
diff --git a/share/security/patches/SA-20:31/icmp6.11.4.patch.asc b/share/security/patches/SA-20:31/icmp6.11.4.patch.asc
new file mode 100644
index 0000000000..5703c2ef18
--- /dev/null
+++ b/share/security/patches/SA-20:31/icmp6.11.4.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJIVxAAk45mGlrtJ9NU3MqPexb3BO2Ta5qoOUZcXLSUtVn/uAguB3pE0U6YvyUW
+S4JRl5V/I3sB2R4PfJbO/tISHXVKcVpag9xjjYumXgKKWbQQQPCmw2GAhFikzwix
+njPwhZaw3IfH9JTfrqkUXYGMwaVTZ4UcvfSInPCRKTlBiKa17OcIlALwv0LOo91V
+B3uJJOix6zasPDEaCQwSOOrLgxjt0ddxZVvxi3DiQvoyTDXgZ6n2RuC/xqJWMnO2
+Xv3rVdfXEpMX8w20/Q5x7tA3GJROdijNooaUu7gs4r6nssYR6UYejnvWLHsk0uZw
+JDGdlczDY06V0vRQ/kj9Nwg74c3XfHanGcvUlwtLj4LIAE9j6iXpD72aBlPzGpsE
++PgghqKkay9ALMp/DmvTR9W7OhmGtPvG9xOLMfFH7TiBPo9qXScopl9Qe9dDAKsR
+7C+sNp8K13usF9hfdzqsXFmIzHZOoQ5hKblawfDTMUrw3RW53toL2UetGJCPkAo5
+0QHIgE+zqY0q+ikMppT9Cm1rW2DfgUmdDL1adlp+3eBZWfmqJ+O/H4KvZD906LZU
+iP08TwzWuj2zrHyRTRHtiQDYLD4n1vVMbuROmLJvvF58RAfhck7tJQWaZKuCEXJr
+smt+DicU+NjCslpOFFOcKzMU7n83POKg+2U2KxryKxJEIJpsefM=
+=pxHP
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:31/icmp6.12.1.patch b/share/security/patches/SA-20:31/icmp6.12.1.patch
new file mode 100644
index 0000000000..b5ad9b50ac
--- /dev/null
+++ b/share/security/patches/SA-20:31/icmp6.12.1.patch
@@ -0,0 +1,57 @@
+--- sys/netinet6/icmp6.c.orig
++++ sys/netinet6/icmp6.c
+@@ -896,6 +896,7 @@
+ }
+ #endif
+ eip6 = (struct ip6_hdr *)(icmp6 + 1);
++ bzero(&icmp6dst, sizeof(icmp6dst));
+
+ /* Detect the upper level protocol */
+ {
+@@ -904,7 +905,6 @@
+ int eoff = off + sizeof(struct icmp6_hdr) +
+ sizeof(struct ip6_hdr);
+ struct ip6ctlparam ip6cp;
+- struct in6_addr *finaldst = NULL;
+ int icmp6type = icmp6->icmp6_type;
+ struct ip6_frag *fh;
+ struct ip6_rthdr *rth;
+@@ -987,7 +987,7 @@
+ /* just ignore a bogus header */
+ if ((rth0->ip6r0_len % 2) == 0 &&
+ (hops = rth0->ip6r0_len/2))
+- finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
++ icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));
+ }
+ eoff += rthlen;
+ nxt = rth->ip6r_nxt;
+@@ -1052,13 +1052,10 @@
+ */
+ eip6 = (struct ip6_hdr *)(icmp6 + 1);
+
+- bzero(&icmp6dst, sizeof(icmp6dst));
+ icmp6dst.sin6_len = sizeof(struct sockaddr_in6);
+ icmp6dst.sin6_family = AF_INET6;
+- if (finaldst == NULL)
++ if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))
+ icmp6dst.sin6_addr = eip6->ip6_dst;
+- else
+- icmp6dst.sin6_addr = *finaldst;
+ if (in6_setscope(&icmp6dst.sin6_addr, m->m_pkthdr.rcvif, NULL))
+ goto freeit;
+ bzero(&icmp6src, sizeof(icmp6src));
+@@ -1070,13 +1067,11 @@
+ icmp6src.sin6_flowinfo =
+ (eip6->ip6_flow & IPV6_FLOWLABEL_MASK);
+
+- if (finaldst == NULL)
+- finaldst = &eip6->ip6_dst;
+ ip6cp.ip6c_m = m;
+ ip6cp.ip6c_icmp6 = icmp6;
+ ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
+ ip6cp.ip6c_off = eoff;
+- ip6cp.ip6c_finaldst = finaldst;
++ ip6cp.ip6c_finaldst = &icmp6dst.sin6_addr;
+ ip6cp.ip6c_src = &icmp6src;
+ ip6cp.ip6c_nxt = nxt;
+
diff --git a/share/security/patches/SA-20:31/icmp6.12.1.patch.asc b/share/security/patches/SA-20:31/icmp6.12.1.patch.asc
new file mode 100644
index 0000000000..aac6972a6f
--- /dev/null
+++ b/share/security/patches/SA-20:31/icmp6.12.1.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJ4kw/9Gs/epcOA+MRGwUP34WIXmrnHB+qZPZ5TMTldCHviTfVhAlCGApNqnuW3
+8T0TkvC7h11yD2ftTMarOZsIerAJvn3fA+ZMKGB3GvsuyO7z4K+OWJbPDuXvk7XY
+Ad+NOLS+lovxC0RMPnxNU5Np82/ei1wprkgbVdLO5bLGvlTy1fGAi1skpOd4Lobk
+9rHHPd9lo8s27YYJzQq8re92amdSq0td6L/L2xwpfd0USc1KUPZA6DMq9CsAzUdu
+j7k0EGGzU1+ekyzjLyd4pp4mhLGGVHVEQ9Fin5RseR9qDVw9vVAItVUlaEgEp0nd
+iMuYJ5zSIeBOUcf0HqwLxKqfTK+yN+/fW916Mn+h7inj7dF6kHOxZNFtAbA17G6X
+HeLCTgnW9Sw81bBED780jbLoHO7wiMVHeRgiEyFh8tA30qvBslfGOXQHMOJ65WzV
+60HJmqrksZEwKeAZm9lQc3Q0kPyj9VZgMWm8JhvbpWwE4iYLx3tfXhzGnMxUYEzI
+TueBf3Dmu/V/2hNlO2fkOWJ1zdsZM0oudO0zTn+MyuaPmCxEEJ9WzGOPGr5SXSod
+BkMwGAGYQG8FjlxvNaLOH23snpQiXGRi/zrLN34zeaqwNaU8f7bZoJAm6VEvfo4n
+MYsSNbKSkNZK2FV1DmF+zdefBjNrfU11TIfXKkcmRKLiUb6zuM8=
+=BitD
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:31/icmp6.12.2.patch b/share/security/patches/SA-20:31/icmp6.12.2.patch
new file mode 100644
index 0000000000..460bf9915a
--- /dev/null
+++ b/share/security/patches/SA-20:31/icmp6.12.2.patch
@@ -0,0 +1,61 @@
+--- sys/netinet6/icmp6.c.orig
++++ sys/netinet6/icmp6.c
+@@ -912,6 +912,7 @@
+ }
+ icmp6 = (struct icmp6_hdr *)(mtod(m, caddr_t) + off);
+ eip6 = (struct ip6_hdr *)(icmp6 + 1);
++ bzero(&icmp6dst, sizeof(icmp6dst));
+
+ /* Detect the upper level protocol */
+ {
+@@ -920,7 +921,6 @@
+ int eoff = off + sizeof(struct icmp6_hdr) +
+ sizeof(struct ip6_hdr);
+ struct ip6ctlparam ip6cp;
+- struct in6_addr *finaldst = NULL;
+ int icmp6type = icmp6->icmp6_type;
+ struct ip6_frag *fh;
+ struct ip6_rthdr *rth;
+@@ -994,10 +994,11 @@
+ }
+ rth0 = (struct ip6_rthdr0 *)
+ (mtod(m, caddr_t) + eoff);
++
+ /* just ignore a bogus header */
+ if ((rth0->ip6r0_len % 2) == 0 &&
+ (hops = rth0->ip6r0_len/2))
+- finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
++ icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));
+ }
+ eoff += rthlen;
+ nxt = rth->ip6r_nxt;
+@@ -1051,13 +1052,10 @@
+ */
+ eip6 = (struct ip6_hdr *)(icmp6 + 1);
+
+- bzero(&icmp6dst, sizeof(icmp6dst));
+ icmp6dst.sin6_len = sizeof(struct sockaddr_in6);
+ icmp6dst.sin6_family = AF_INET6;
+- if (finaldst == NULL)
++ if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))
+ icmp6dst.sin6_addr = eip6->ip6_dst;
+- else
+- icmp6dst.sin6_addr = *finaldst;
+ if (in6_setscope(&icmp6dst.sin6_addr, m->m_pkthdr.rcvif, NULL))
+ goto freeit;
+ bzero(&icmp6src, sizeof(icmp6src));
+@@ -1069,13 +1067,11 @@
+ icmp6src.sin6_flowinfo =
+ (eip6->ip6_flow & IPV6_FLOWLABEL_MASK);
+
+- if (finaldst == NULL)
+- finaldst = &eip6->ip6_dst;
+ ip6cp.ip6c_m = m;
+ ip6cp.ip6c_icmp6 = icmp6;
+ ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
+ ip6cp.ip6c_off = eoff;
+- ip6cp.ip6c_finaldst = finaldst;
++ ip6cp.ip6c_finaldst = &icmp6dst.sin6_addr;
+ ip6cp.ip6c_src = &icmp6src;
+ ip6cp.ip6c_nxt = nxt;
+
diff --git a/share/security/patches/SA-20:31/icmp6.12.2.patch.asc b/share/security/patches/SA-20:31/icmp6.12.2.patch.asc
new file mode 100644
index 0000000000..6d166848a4
--- /dev/null
+++ b/share/security/patches/SA-20:31/icmp6.12.2.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJt2g/+PxSwZYW93TorqIa3EDX9uGg2vA7NzKqJ2ilswktRDf5E3ZgEN9GqePzv
+3tiHpdDSr9k6uVZVKH6GgW/0sEUQKJY/xs6rzIUlQowHH0Zi4fF6h3llHWmI3Ay6
+iJxCnikCxYQEkb7Gq+xgrNBHKM6JGeKKGxqwe0STb6NvgEmPhQzL7KtWL4L7MZv2
+wzmvfLKR4rTIYAY/BBsx6hMdUA5fEQQCjQr0eor7P9Rb3JPyHN7D8Ho7HkkXLNER
+iK9rryUOcIBIOrVrSxIaockJABMk+Umhw2UnlGLuqlvW9KgVV+mKZ4yFdpTr7ZLn
+TNS/UFql8HCTidAqxT0cLfGsDfUwqTwi+qNJclKoOqCXIH15rlvyJbyi8XWt333+
+YmRnkbxMZ8ETCa1W/36qDYjjEE9l2hVbRV/D7JpDGl5Mb4GXs3hhPTm8LJ8xx/BZ
+iBht4KfhOEoVl4K0lvasyGPSvEz1D/2TXciAJtM3nuSFJNgl476Tk57rewVZTl1/
+CWWfdTWaWggFSAo7nE1NAhkV0dUqbGUZrK3A2kmYq4EDEx90+k1NLbhI8Xeu4f0p
+pE3y2/qk6bg3W1/6ZgFb7WvuzgMUD6qC4GbV84X1nt+IWgQDZWD6yfxKmkJLKlfv
+/zbhO0bYtpRTtfCEei6k6Ec7koxd7HIWW202+SdEAIdVq+v3CUM=
+=hs7b
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:32/rtsold.patch b/share/security/patches/SA-20:32/rtsold.patch
new file mode 100644
index 0000000000..b203e858ae
--- /dev/null
+++ b/share/security/patches/SA-20:32/rtsold.patch
@@ -0,0 +1,52 @@
+--- usr.sbin/rtsold/rtsol.c.orig
++++ usr.sbin/rtsold/rtsol.c
+@@ -337,8 +337,8 @@
+ newent_rai = 1;
+ }
+
+-#define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)x + \
+- (((struct nd_opt_hdr *)x)->nd_opt_len * 8))
++#define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)(x) + \
++ (((struct nd_opt_hdr *)(x))->nd_opt_len * 8))
+ /* Process RA options. */
+ warnmsg(LOG_DEBUG, __func__, "Processing RA");
+ raoptp = (char *)icp + sizeof(struct nd_router_advert);
+@@ -350,6 +350,15 @@
+ warnmsg(LOG_DEBUG, __func__, "ndo->nd_opt_len = %d",
+ ndo->nd_opt_len);
+
++ if (ndo->nd_opt_len == 0) {
++ warnmsg(LOG_INFO, __func__, "invalid option length 0.");
++ break;
++ }
++ if ((char *)RA_OPT_NEXT_HDR(raoptp) > (char *)icp + msglen) {
++ warnmsg(LOG_INFO, __func__, "option length overflow.");
++ break;
++ }
++
+ switch (ndo->nd_opt_type) {
+ case ND_OPT_RDNSS:
+ rdnss = (struct nd_opt_rdnss *)raoptp;
+@@ -760,15 +769,18 @@
+ src_last = strchr(src, '\0');
+ dst_origin = dst;
+ memset(dst, '\0', dlen);
+- while (src && (len = (uint8_t)(*src++) & 0x3f) &&
+- (src + len) <= src_last &&
+- (dst - dst_origin < (ssize_t)dlen)) {
+- if (dst != dst_origin)
++ while ((len = (*src++) & 0x3f) &&
++ src + len <= src_last &&
++ len + 1 + (dst == dst_origin ? 0 : 1) <= dlen) {
++ if (dst != dst_origin) {
+ *dst++ = '.';
++ dlen--;
++ }
+ warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
+ memcpy(dst, src, len);
+ src += len;
+ dst += len;
++ dlen -= len;
+ }
+ *dst = '\0';
+
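Review bot: The new check `(char *)RA_OPT_NEXT_HDR(raoptp) > (char *)icp + msglen` builds the next-option pointer before comparing it, and for an option length that overruns the message that pointer already lies beyond the buffer, which C leaves undefined and a compiler may optimise on. Comparing sizes avoids forming it: `if ((size_t)ndo->nd_opt_len * 8 > (size_t)((char *)icp + msglen - raoptp)) {`. This assumes the loop condition, which is outside the patch context, already keeps `raoptp` inside the message with room for the two-byte option header that is read before the check. `RA_OPT_NEXT_HDR` would also be safer with parentheses around its whole expansion, since the patch parenthesises only `x`.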
diff --git a/share/security/patches/SA-20:32/rtsold.patch.asc b/share/security/patches/SA-20:32/rtsold.patch.asc
new file mode 100644
index 0000000000..d0ee367ec4
--- /dev/null
+++ b/share/security/patches/SA-20:32/rtsold.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GndZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIxIRAAh4x47/cWVRAIb46KNT518hxl1BKFKngUpIndte+y9fBpzDwvUV0fqhHS
+csYCa0zPdcTc6FCrTyeB60+u7NbAKjMdw2UwL6YtkNZdNUuUy7h/Hd+gTYRQBVm1
+CO0d0MjOunR0M9oVp20jr6rJG4coQ/7GNCzkbgqA91gABPKxqZCvYWv6NLy2ngwB
+r0ITNuazGxv3GPsU1aGqskVHx1ER1f9RaecT7ZvWFUXjobk1lQJrMPU9lGkt7/j7
+oIBzgISbGCKjKLh/XRIHnXiF16bRXq/arJo0+bH6nU16VKH9TgTPZdK0pprbtNKJ
+46vEfou2khYDLjDUIm8d+JIetE+Ja3SpKdvsiYnTVQsKsUG22hma+c/H3wYJh/3Q
+jeLvl5EG/3HE04s1wq+gwSwJ0Fcgr7gadgnafAaCXXl70D3j3hsuyNMvqNLkDXBm
+LyNr6lMNBgdFddZzWmQS+EHmHtQWGCSTNCYtibDmti+rjVJdgpC6e9ACCgG6w+Dd
+WfQ4MYb/ODbwko8+Dtm0ITxm3I38ArufYHBcOUUlKD1mt2YXlNodHNfXPl70Nnix
+lAtY8snO2TOUmmwN5qxtvCwYjyEo5gCD+WWwgugFmkJyyqyQ6j6+reKZW9C9zl9k
+mK2rN4yVGPRkSHzg49We430KCBg+kGK3pavZGqZCGn/Q0DOv57Q=
+=9gYz
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index f50178e534..39cc0402c0 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -8,6 +8,23 @@
<name>2020</name>
<month>
+ <name>12</name>
+
+ <day>
+ <name>1</name>
+
+ <advisory>
+ <name>FreeBSD-SA-20:32.rtsold</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-20:31.icmp6</name>
+ </advisory>
+
+ </day>
+ </month>
+
+ <month>
<name>9</name>
<day>
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index 9db10ffee5..e03754940c 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -8,6 +8,31 @@
<name>2020</name>
<month>
+ <name>12</name>
+
+ <day>
+ <name>1</name>
+
+ <notice>
+ <name>FreeBSD-EN-20:22.callout</name>
+ </notice>
+
+ <notice>
+ <name>FreeBSD-EN-20:21.ipfw</name>
+ </notice>
+
+ <notice>
+ <name>FreeBSD-EN-20:20.tzdata</name>
+ </notice>
+
+ <notice>
+ <name>FreeBSD-EN-20:19.audit</name>
+ </notice>
+
+ </day>
+ </month>
+
+ <month>
<name>9</name>
<day>