diff --git a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc new file mode 100644 index 0000000000..91d9cb0447 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc 
@@ -0,0 +1,191 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:01.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2024-02-14 +Affects: All supported versions of FreeBSD +Corrected: 2024-02-05 00:30:01 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:21:06 UTC (releng/14.0, 14.0-RELEASE-p5) + 2024-02-05 00:30:42 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:27:47 UTC (releng/13.2, 13.2-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The IANA Time Zone Database (often called tz or zoneinfo) contains code and +data that represent the history of local time for many representative +locations around the globe. It is updated periodically to reflect changes +made by political bodies to time zone boundaries, UTC offsets, and +daylight-saving rules. + +Leap seconds are occasional adjustments added to -- or potentially subtracted +from -- Coordinated Universal Time (UTC). An authoritative list of leap +second adjustments is maintained by the International Earth Rotation and +Reference Systems Service (IERS). + +FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. +The tzsetup(8) utility allows the user to specify the default local time +zone. Based on the selected time zone, tzsetup(8) copies one of the files +from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected +for an individual process by setting its TZ environment variable to a desired +time zone name. + +The latest list of leap seconds at the time of release is installed on FreeBSD +in /var/db/ntpd.leap-seconds.list. 
The startup rc(8) scripts of the ntpd(8) +Network Time Protocol implementation included in the FreeBSD base system can +periodically download an updated leap-seconds.list file from configurable +internet sites. + +II. Problem Description + +Several changes to future and past timestamps have been recorded in the IANA +Time Zone Database after previous FreeBSD releases were released. This +affects many users in different parts of the world. Because of these +changes, the data in the zoneinfo files need to be updated. If the local +timezone on the running system is affected, tzsetup(8) needs to be run to +update /etc/localtime. + +In the default configuration, the ntpd(8) startup script included with FreeBSD +checks for an updated leap-seconds.list on the IETF's web server. As of 2023, +the IETF no longer distributes a copy of this file. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected time zones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +With the default configuration, FreeBSD systems cannot file updates to the +installed leap-seconds.list file. Since no leap second was introduced at the +end of 2023, the leap-seconds.list file included with all supported FreeBSD +releases is still accurate. Moreover, ntpd(8) is able to receive updated leap +second information from its peers. However, a diagnostic warning about an +expired leap-seconds.list is printed at startup. + +IV. Workaround + +The system administrator can install an updated version of the IANA Time Zone +Database from the misc/zoneinfo port and run tzsetup(8). + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. 
+ +The ntpd(8) startup script can be configured to download an updated +leap-seconds.list file from IERS with the following rc.conf(5) setting: + +ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list" + +Larger sites, or sites without reliable connectivity to the internet, may wish +to point to their locally maintained copy of this file. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Please note that some third party software, for instance PHP, Ruby, Java, +Perl and Python, may be using different zoneinfo data sources, in such cases +this software must be updated separately. Software packages that are +installed via binary packages can be upgraded by executing 'pkg upgrade'. + +Following the instructions in this Errata Notice will only update the IANA +Time Zone Database installed in /usr/share/zoneinfo. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch +# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch.asc +# gpg --verify tzdata-2024a.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . 
+ +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 26fe22019cb2 stable/14-n266642 +releng/14.0/ a3b7bafd2acc releng/14.0-n265409 +stable/13/ f4256acec1c9 stable/13-n257384 +releng/13.2/ 66bb668fe5f2 releng/13.2-n254660 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYP4ACgkQbljekB8A +Gu8lBxAA6XgVr3mwvCPgeu8UFa8OeIJzIBgCDv5QFD9BL5NjK5TQuUtc/EqFeuIp +wSR+KC5Lc/NCsi3fX85M4ZI6HnsTBwOVQ5t7xhYxmQvBmzeZWz02UfGIVLuU6/JG +mYjpRRCx1yEyUntzfuXEYNsCLkGWYLuydBfFsL+6tN587dk7A/rRMyzdEDsKApGE +GcP5N7/cKaxNCoDSJonLpX0AbsoQRQJeyhVFgtKWnbPKW9yTeEAZEIG2jqlqOX5O +JQ4Ih3nj4Y4IVVSwPyO5eZYtTc1N1MMixJct63yM4C8IHjCFnxfPASz6+9s8DcAx +BwezcAogXJ0ERuohJe2SXPayEUPqrcPAUXQfwO8kPvAX7VrF97cwfyPY6sf9j7gw +qtHX2e9OPt+oMbXOzgvnIt/p6OZ4SHpfDpiSIIJqk0f+w+qVPeRDKa2SUjWEGphc +GS1wQc+lXqwvlm2DknpESRDOF6nLQfgSm1IFOWin/10kf6mFQR4RnK0lxP2rwZgQ +s1VKhA8zPLrXhB4z/OJod7F2R5nXXfqQwlCmWC8RQjL7T7Bz7NEAIU9zwqIPAQb5 +DTtCBe4dYBt6eeYPFQ8EjD3BfYzqJyT2rXQtnwl9Je/foHqZ6pJrFbQool81aRkq +aCo/OKuzUKNnOLsLwyTTsO/kTqL1ryW/CiFHz7XhD2Y8+YqwOHE= +=7Xjc +-----END PGP SIGNATURE----- 
diff --git a/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc b/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc new file mode 100644 index 0000000000..c5c33a7863 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc 
@@ -0,0 +1,169 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:02.libutil Errata Notice + The FreeBSD Project + +Topic: Login class resource limits and CPU mask bypass + +Category: core +Module: libutil +Announced: 2024-02-14 +Credits: Olivier Certner +Affects: All supported versions of FreeBSD. +Corrected: 2023-10-24 00:57:11 UTC (stable/14, 14.0-STABLE) + 2023-02-14 06:05:41 UTC (releng/14.0, 14.0-RELEASE-p5) + 2023-12-21 13:39:03 UTC (stable/13, 13.2-STABLE) + 2023-02-14 06:05:57 UTC (releng/13.2, 13.2-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +setusercontext() is a high-level API generally used by login-like programs to +set the general environment of new processes launched on behalf of other +users, including the credentials (users, groups, MAC security label), resource +limits, CPU mask and process priority. + +This function only applies the settings of the types requested by the caller +via flags (e.g., LOGIN_SETALL for all types, LOGIN_SETUSER to set the real, +effective and saved user IDs, etc.), and for some of them requires privileges +to do so. Among these, the resource limits (flag LOGIN_SETRESOURCES) and CPU +mask (flag LOGIN_SETCPUMASK) types are set not only based on the target user's +login class, which is controlled by the system administrator, but also on his +personal configuration file '~/.login_conf' (see login.conf(5)). + +In order to prevent unprivileged users from overriding the administrator +settings, setusercontext() applies a personal configuration file only if the +real user ID of the process that runs it matches that of the target user, with +the goal to avoid applying the user-controlled settings with privileges. + +II. 
Problem Description + +When deciding to apply a target user's personal configuration file, +setusetcontext() checks the real user ID of the process whereas it should +instead check the effective user ID, which is the one affecting the process' +privileges and consequently which settings it can change and to which values. + +III. Impact + +An unprivileged user may bypass the administrator's resource limits and/or CPU +mask settings stemming from his login class provided he can run a (setuid) +login-like program that: +- - Calls setusercontext() with the LOGIN_SETRESOURCES and/or LOGIN_SETCPUMASK + flags but without LOGIN_SETUSER (which excludes the use of LOGIN_SETALL), + and with a non-NULL 'pwd' argument. +- - Does so before changing the effective user ID to the target user. + +No programs in FreeBSD's base system, including login(1) and su(1), meet these +requirements, but third-party programs may. In particular, sudo(8) does when +using the default sudoers(5) plugin configured with the 'use_loginclass' flag +enabled. doas(8) does not. + +IV. Workaround + +There are at least two possible workarounds. + +The first one is for an administrator is to prepare for all users a +'~/.login_conf' they can't write or replace, e.g., using filesystem flags +'schg' or 'sunlnk' (see chflags(1)), defeating user's own customizations. + +The second one is to review setuid login programs accessible to users, +determine if they meet the requirements above, and deactivate those that do or +reconfigure them when possible, as mentioned above for sudo(8). + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +It should be followed by a restart of all third-party daemons that use the +'libutil' library, or a reboot of the system. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch +# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch.asc +# gpg --verify libutil.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart of all third-party daemons that use the 'libutil' library, or reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ ede6fd06726c stable/14-n265587 +releng/14.0/ c2a9cfc55046 releng/14.0-n265403 +stable/13/ 9fcf54d3750e stable/13-n256941 +releng/13.2/ 9deb5ca77beb releng/13.2-n254655 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQoACgkQbljekB8A +Gu8m9Q//cmgbS/PZPMBjARTQa2kkEpIy7zYgDq9/oriREfUBgbN+hFdxlwN5q59r +t+lJGJYSynMQDFglQcsD61nECP6fnjco1RxLPpzf+aBmP/VebOh7irsI7QElisY+ +SoiCHhZrpXcZGU5OBTA0Nd7NbKVmCflF6aJN0bOCZHvONSUH+ijsXPd98Pjx6TgF +0yQV3ryMYtEBbIaXdR751HLe011hcQYBnlU+/0B9bzL5JCr67NaYM3MDkMkwvXSs +zJaefj9xxMlJdB4EvkJGtcau4Kw/qdM0iFllUMmOPl3QK+s4LKguaVtuWWI0bSvL +VlFbGVCoRmaVzV+ZaCrDZrsl3NOC92Trhg5QdLV5HJUP3sSRAo5PGNostdWB6VsT +mfgJp0owv7LSSt/irDgtY2OGFb3Y/RZmqTBXR7ScFAguuA5dJva44eDkUX8YXBU/ +7ZlXMuF94dmaTmcDqOqWBmfeIWlIKdVsol6fzoKQhLjtZuUg5vdl2rUlj6GSNSL9 +6GLU2/LiobuBhfc0qL/mmtyovqHO2HDLsNX54zusBEzy7lI2URvTcCjcHX0Tbwwi +cuj6b/XzvAnQ2qFyA4l8bhCSpECkGybLgar+ig199K077HrwRUjLt666JQtMBkKQ +LZafucjfGCSpDJFcVjfGfliYnYQFyAd4NAfDsnR15xz9Pxw7MOg= +=mDl9 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc b/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc new file mode 100644 index 0000000000..6ddfa84ef7 --- /dev/null 
+++ b/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:03.kqueue Errata Notice + The FreeBSD Project + +Topic: kqueue_close(2) page fault on exit using rfork(2) + +Category: core +Module: kqueue +Announced: 2024-02-14 +Affects: All supported versions of FreeBSD. +Corrected: 2023-12-05 00:43:27 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:42 UTC (releng/14.0, 14.0-RELEASE-p5) + 2023-12-05 00:44:13 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:05:58 UTC (releng/13.2, 13.2-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The kqueue(2) system call provides a generic method of notifying the user +when an event happens or a condition holds. + +II. Problem Description + +Normally, when a process exits, all its kqueue fds will be destroyed at the +moment p_klist is detached. However, if the process was created with rfork(2) +with shared file descriptors, its signal knotes can survive. This can +eventually result in a page fault when the process exits. + +III. Impact + +Using kqueue(2) with a process using rfork(2) can panic the system. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot the system. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot the system. 
+ +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch +# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch.asc +# gpg --verify kqueue.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 24346a2f7775 stable/14-n265907 +releng/14.0/ bb06104dce0b releng/14.0-n265404 +stable/13/ 55e91944998c stable/13-n256837 +releng/13.2/ 154dedade465 releng/13.2-n254656 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQwACgkQbljekB8A +Gu+GSxAA5voCfr4a2LrMmBjQvgD7XwpCNH9yvYN3chKG07TTqNWkHbCxNvc4Brzm +IXKGxvolrY3PZhXgN2KZhe/wAOf0I1ZazeW9wdk13O9G2SF5aaUYBkCvoMmPME42 +f7lVXnkxhTQAovVFQRZAK6sYCVspIPQEpavoa7rq5dDDtO9g2AqB53aAbgdBpQ0j +ClIcMzM2HdiYQBi4WuL36XVbeX6N++N5ouE8Hdz+pDcQSHuOm3VHUKlpRsEXLmYI +3uDJ8py+PGbtcLnSVALEcnreirJcCJ5em7Gaec2KXHDRis/dLW+DPlPyZp1mpIBZ +l073AME8hEOxnJOUALvxTVHQS3L35JjFmxnSGwnLzXH16v/fGUKlnAZkOftNcRan +JW1fLXB2EH+H+hdnOWiQeTCk8duIIvXuWEYf8dfP6SBMm9FfzBAoTv/K1mHxGFKZ +s3iR4WyC7Y6r56meVdNfs/F4XtVh3edhVfOdjf/5I8+Ut9HGRNuHOCepLG9DASOd +eQbhHAnHnUB21qq4Tme0eKoA130gVcBMr2NsE0lifNArLzEvvGB0Bw+9ZP9IfFeS +/fPs4Yq1XIjpgk+TDdOPGexLWCIBl0ursjZMSuGyhXkDaD1oYzF3SKWrJRkahpUq ++tN6jVPkG7Iy36myKSHofuPh641hSmk88IJPJHVrdNjo88hUti0= +=xsIs +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc b/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc new file mode 100644 index 0000000000..a5fbf4e1a1 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc 
@@ -0,0 +1,130 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:04.ip Errata Notice + The FreeBSD Project + +Topic: Kernel panic triggered by bind(2) + +Category: core +Module: ip +Announced: 2024-02-14 +Affects: FreeBSD 14.0 +Corrected: 2024-01-09 00:30:05 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:43 UTC (releng/14.0, 14.0-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The inpcb subsystem of the kernel is responsible for implementing +portions of socket-related system calls (e.g., bind(2)) on behalf of +IP-based network protocol implementations. This layer provides lookup +tables which can be used within the kernel to translate between sockets +and the internet addresses to which they are bound or connected. + +II. Problem Description + +The inpcb layer maintains several hash tables which are synchronized by +a combination of mutexes and the use of lock-free data structures. The +implementation of the latter was flawed such that a locked lookup could +return a socket that was in the process of being removed from the table. + +III. Impact + +The race condition can trigger a NULL pointer dereference in the kernel, +resulting in a kernel panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch +# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch.asc +# gpg --verify ip.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 2bfe735277b8 stable/14-n266255 +releng/14.0/ 9db5ae3ec45f releng/14.0-n265405 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQ4ACgkQbljekB8A +Gu8ffg/7BY7BfPU1emJ7YfFNKszPKJooefFS8dejskN6ic55hCt8fh0RuV9g/Lwg +25QehLwGl821HaoTBijM9EBt4RTT9qdzU0m+9MKKATxy5wfnfANtU3fa+nwvuWhB +fM6kLJcnViobhGHDoFN29Nz2BjfGodh4XXf1uE4zOLytw9WrM69H/UbHPMn7xSzM +mPqGppk/TdxEdWXywaHLhSKf8Y21jtcidQBQ3aILnLbNObt2uii+hqVQw5+CDRYw +NnHi1QBWMTP3blwmwGV3rtpytDMhhXUptA0ILpzVm6YAtGTsTLL4VrssGtcuW+Sh +o7wkwmNzQLayoKNwdUkx8S/X+ilCBeHVXBH3A2GHjisMstP8cU3fRAuPVI5QvIyh +rWsCLyoL+QwtZ58KJLpe6WQtLfG/xpq20+7lUJtyLaInZ7YStkNLXMZHJUbjx7yO +xZsraeCI3Y6qtdHYxk4wH3HBqR2w6WmU30iXMA5UWXjL9LaB0Az/8cHlXoTA6apB +XoHCzfC/LbV972c28P7Nky97oFkYTPvB0+iHPqMB77pciMO6gKWitf4FFA9fsp7H +QfWjUHMJSIbtzCgskKurO93UmlogQbfbgahmzSA7SDTryObbXdre2SuSrfDwbW/O +scgug9GgFuTjAp9GB7SYFA+eYUQsakyVHK1gnxt3Su7lcw/GMG0= +=2K5v +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc b/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc new file mode 100644 index 0000000000..c61b036f16 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:01.bhyveload Security Advisory + The FreeBSD Project + +Topic: bhyveload(8) host file access + +Category: core +Module: bhyeload +Announced: 2024-02-14 +Credits: The water cooler. (Note, this is the requested credit) +Affects: All supported versions of FreeBSD. +Corrected: 2024-01-15 22:27:59 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:44 UTC (releng/14.0, 14.0-RELEASE-p5) + 2024-01-15 23:11:38 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:06:00 UTC (releng/13.2, 13.2-RELEASE-p10) +CVE Name: CVE-2024-25940 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyveload(8) is used to load a FreeBSD guest into a bhyve virtual machine. + +II. Problem Description + +`bhyveload -h ` may be used to grant loader access to the +directory tree on the host. Affected versions of bhyveload(8) do not make any +attempt to restrict loader's access to , allowing the loader to read +any file the host user has access to. + +III. Impact + +In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the +loader scripts generally come from the guest image. A maliciously crafted +script could be used to exfiltrate sensitive data from the host accessible to +the user running bhyhveload(8), which is often the system root. + +IV. Workaround + +No workaround is available, but guests that do not use `bhyveload -h` are not +impacted. Common VM solutions that use bhyveload(8) do not usually use the +- -h option. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.0] +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch.asc +# gpg --verify bhyveload-14.0.patch.asc + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch +# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch.asc +# gpg --verify bhyveload-13.2.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . Virtual +machines that have been booted with bhyveload(8) do not need to be rebooted. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 426b28fdf700 stable/14-n266333 +releng/14.0/ f5bb597829e1 releng/14.0-n265406 +stable/13/ 78345dbd7a00 stable/13-n257186 +releng/13.2/ 48598b1670ce releng/13.2-n254657 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRAACgkQbljekB8A +Gu8KwRAAxCnMsCQbp/CZ1O2GYxDTCOt1M5CZaFBD8r3b4xSN1gFB79z3aHAmSX0a +kTGpp5QSbxx1UtA9eZoZTa/wpmMAo1AZ7ry0OK1VuRFtF2D+IM64l07m91HW5ncU +YCsbeQ6wuXHeVlZ/t7eu/X03YltYIuMu/wIzpsPYtMvTB+ZI50nm0pUGaQnH9ZA2 +jMGhLcWQSaHi46pMJ1o2iXWbaFZh4S6fHhNXSEFxaWuQf/o//whSgeqtFnhozfZ4 +vbx0pyF3HrkjPRLwc9QDRNcFnG0F9DCOmiGlAAZD4/XRNOd5PgSvmHxDPrc1UkJO +K8CcU7vIgloKdETS43HhlDhT34/adV1dMpwCLpr9JZ3FmfTtIor1q8w9l0nLohln +VeLUbhaMZAXYqQp5wcDso26n9moD8l/izJZZ0gWu8xsooKmE2DY0t7ASXdcvnSq8 +VKlpZP0DHcdZdeePiCF6XovAvv3fAq5hvIdCccBIJHbFIWEL2Psq9hYqFISb+mFb +gAoX5gyo4S+lWgn33aUCzjYuR0MhelJPRFIndjr5+Dn0AgQniNre7uRt4k97jvT1 +Q9h+f4uyNFafuD5YMqfRhsk8EN93bEc3Bkq47KCYDSTJujd99pYFPE1SzvNAPmNY +CYxqYjkfjklarfellifxvqdKrOWoeOkK4a3Ckd5+4Y8BaaTzWCY= +=LOMD +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc new file mode 100644 index 0000000000..6b40af77f9 --- /dev/null 
+++ b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc 
@@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:02.tty Security Advisory + The FreeBSD Project + +Topic: jail(2) information leak + +Category: core +Module: jail +Announced: 2024-02-14 +Credits: Pawel Jakub Dawidek +Affects: All supported versions of FreeBSD. +Corrected: 2024-02-12 16:25:54 UTC (stable/14, 14.0-STABLE) + 2024-02-14 06:05:46 UTC (releng/14.0, 14.0-RELEASE-p5) + 2024-02-12 16:27:37 UTC (stable/13, 13.2-STABLE) + 2024-02-14 06:06:01 UTC (releng/13.2, 13.2-RELEASE-p10) +CVE Name: CVE-2024-25941 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The jail(2) system call allows a system administrator to lock a process +and all of its descendants inside an environment with a very limited +ability to affect the system outside that environment, even for +processes with superuser privileges. It is an extension of, but +far more powerful than, the traditional UNIX chroot(2) system call. + +tty(4) is a general terminal device. + +II. Problem Description + +The jail(2) system call has not limited a visiblity of allocated TTYs +(the kern.ttys sysctl). This gives rise to an information leak about +processes outside the current jail. + +III. Impact + +Attacker can get information about TTYs allocated on the host or in other +jails. Effectively, the information printed by "pstat -t" may be leaked. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch +# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch.asc +# gpg --verify tty.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 215bb03edc54 stable/14-n266676 +releng/14.0/ 4d354159d150 releng/14.0-n265407 +stable/13/ 9bff7ec98354 stable/13-n257418 +releng/13.2/ 17257e6e9a23 releng/13.2-n254658 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRMACgkQbljekB8A +Gu8C7hAAxXasfu+Xn3+voOk5pJvFJd6jWA1ZCvR83YnIqAGibiWvNaMdsdfe4k6x +eEoaQ6maYYu/wjXMZ0HbapTuJPRxwrcG7i2mZ52vSm9glSZO87Lw3oWVIV7eRPpN +pFJtR5bUXns1/dWQgcgFMc/4nNk7NO6gamuK/uwfrDF0aQsYif5pX5DmhkOD/CnQ +CjPWhv6FT94qzUiQrZLSWjCIe/rhNbmbLkhyck4MZP+1aILxsb+BHSaEeBzej2+S +8WisLPKlTwNgpA+DN+sLn28gR1+0Vd5rAv7gvcbWHE3VNvq0ABTwRoZFA4SzHEhL +BNkwMJnMJyR7qj1jWCmfrHptIPpSXtNIvh70yts5/+9nPBDkAYV9U+nJYQTZ40+U +Mn1OfN4ioRfB7bOjVA4J6Ncws4M2ttcOEyk+d8Egd5/7njOGC1sqX0F4FXAtioZF +JATTBd09J9TTZvX5xz6JdK8ZHKc+xtxYiBYg4WQTyVcPg38ONpYarSIQ6XYnNSyP +0Cv1ih5DpxzdEBA+Pu4+dJmZSlyNOJXpmlPKgyiUX0Z085ZqHTMvAXQQS/M7MXai +06d2YnZx4XfGoAhCXZKyvE6J6btiy+t8QNx14tEdtD/ktzAmB3EYHOuuPEFoS44Y +8tafKE9ps5AgWtqXvK7H5NKMwtb9Ry60WSAFfgn0LoFmw8UyBjg= +=HQVb +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:01/tzdata-2024a.patch b/website/static/security/patches/EN-24:01/tzdata-2024a.patch new file mode 100644 index 0000000000..a6ce7c687d --- /dev/null +++ b/website/static/security/patches/EN-24:01/tzdata-2024a.patch 
@@ -0,0 +1,2927 @@ +--- contrib/tzdata/Makefile.orig ++++ contrib/tzdata/Makefile +@@ -1,7 +1,25 @@ + # Make and install tzdb code and data. +- + # This file is in the public domain, so clarified as of + # 2009-05-17 by Arthur David Olson. ++# Request POSIX conformance; this must be the first non-comment line. ++.POSIX: ++# On older platforms you may need to scrounge for a POSIX-conforming 'make'. ++# For example, on Solaris 10 (2005), use /usr/sfw/bin/gmake or ++# /usr/xpg4/bin/make, not /usr/ccs/bin/make. ++ ++# To affect how this Makefile works, you can run a shell script like this: ++# ++# #!/bin/sh ++# make CC='gcc -std=gnu11' "$@" ++# ++# This example script is appropriate for a pre-2017 GNU/Linux system ++# where a non-default setting is needed to support this package's use of C99. ++# ++# Alternatively, you can simply edit this Makefile to tailor the following ++# macro definitions. ++ ++############################################################################### ++# Start of macros that one plausibly might want to tailor. + + # Package name for the code distribution. + PACKAGE= tzcode +@@ -35,7 +53,7 @@ + + LOCALTIME= Factory + +-# The POSIXRULES macro controls interpretation of POSIX-like TZ ++# The POSIXRULES macro controls interpretation of POSIX-2017.1-like TZ + # settings like TZ='EET-2EEST' that lack DST transition rules. + # If POSIXRULES is '-', no template is installed; this is the default. + # Any other value for POSIXRULES is obsolete and should not be relied on, as: +@@ -191,8 +209,9 @@ + # On some hosts, this should have -lintl unless CFLAGS has -DHAVE_GETTEXT=0. + LDLIBS= + +-# Add the following to the end of the "CFLAGS=" line as needed to override +-# defaults specified in the source code. "-DFOO" is equivalent to "-DFOO=1". ++# Add the following to an uncommented "CFLAGS=" line as needed ++# to override defaults specified in the source code or by the system. ++# "-DFOO" is equivalent to "-DFOO=1". 
+ # -DDEPRECATE_TWO_DIGIT_YEARS for optional runtime warnings about strftime + # formats that generate only the last two digits of year numbers + # -DEPOCH_LOCAL if the 'time' function returns local time not UT +@@ -234,11 +253,16 @@ + # -DHAVE_UNISTD_H=0 if does not work* + # -DHAVE_UTMPX_H=0 if does not work* + # -Dlocale_t=XXX if your system uses XXX instead of locale_t +-# -DPORT_TO_C89 if tzcode should also run on C89 platforms+ ++# -DPORT_TO_C89 if tzcode should also run on mostly-C89 platforms+ ++# Typically it is better to use a later standard. For example, ++# with GCC 4.9.4 (2016), prefer '-std=gnu11' to '-DPORT_TO_C89'. ++# Even with -DPORT_TO_C89, the code needs at least one C99 ++# feature (integers at least 64 bits wide) and maybe more. + # -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers + # with external linkage, e.g., applications cannot define 'localtime'. + # -Dssize_t=long on hosts like MS-Windows that lack ssize_t + # -DSUPPORT_C89 if the tzcode library should support C89 callers+ ++# However, this might trigger latent bugs in C99-or-later callers. + # -DSUPPRESS_TZDIR to not prepend TZDIR to file names; this has + # security implications and is not recommended for general use + # -DTHREAD_SAFE to make localtime.c thread-safe, as POSIX requires; +@@ -250,7 +274,7 @@ + # -DTZ_DOMAINDIR=\"/path\" to use "/path" for gettext directory; + # the default is system-supplied, typically "/usr/lib/locale" + # -DTZDEFRULESTRING=\",date/time,date/time\" to default to the specified +-# DST transitions for POSIX-style TZ strings lacking them, ++# DST transitions for POSIX.1-2017-style TZ strings lacking them, + # in the usual case where POSIXRULES is '-'. If not specified, + # TZDEFRULESTRING defaults to US rules for future DST transitions. + # This mishandles some past timestamps, as US DST rules have changed. 
+@@ -270,11 +294,15 @@ + # -DZIC_MAX_ABBR_LEN_WO_WARN=3 + # (or some other number) to set the maximum time zone abbreviation length + # that zic will accept without a warning (the default is 6) ++# -g to generate symbolic debugging info ++# -Idir to include from directory 'dir' ++# -O0 to disable optimization; other -O options to enable more optimization ++# -Uname to remove any definition of the macro 'name' + # $(GCC_DEBUG_FLAGS) if you are using recent GCC and want lots of checking + # + # * Options marked "*" can be omitted if your compiler is C23 compatible. + # * Options marked "+" are obsolescent and are planned to be removed +-# once the code assumes C99 or later. ++# once the code assumes C99 or later, say in the year 2029. + # + # Select instrumentation via "make GCC_INSTRUMENT='whatever'". + GCC_INSTRUMENT = \ +@@ -312,9 +340,10 @@ + # guess TM_GMTOFF from other macros; define NO_TM_GMTOFF to suppress this. + # Similarly, if your system has a "zone abbreviation" field, define + # -DTM_ZONE=tm_zone +-# and define NO_TM_ZONE to suppress any guessing. Although these two fields +-# not required by POSIX, a future version of POSIX is planned to require them +-# and they are widely available on GNU/Linux and BSD systems. ++# and define NO_TM_ZONE to suppress any guessing. ++# Although these two fields are not required by POSIX.1-2017, ++# POSIX 202x/D4 requires them and they are widely available ++# on GNU/Linux and BSD systems. + # + # The next batch of options control support for external variables + # exported by tzcode. In practice these variables are less useful +@@ -324,7 +353,7 @@ + # # -DHAVE_TZNAME=0 # do not support "tzname" + # # -DHAVE_TZNAME=1 # support "tzname", which is defined by system library + # # -DHAVE_TZNAME=2 # support and define "tzname" +-# # to the "CFLAGS=" line. "tzname" is required by POSIX 1988 and later. ++# # to the "CFLAGS=" line. "tzname" is required by POSIX.1-1988 and later. 
+ # # If not defined, the code attempts to guess HAVE_TZNAME from other macros. + # # Warning: unless time_tz is also defined, HAVE_TZNAME=1 can cause + # # crashes when combined with some platforms' standard libraries, +@@ -334,8 +363,8 @@ + # # -DUSG_COMPAT=0 # do not support + # # -DUSG_COMPAT=1 # support, and variables are defined by system library + # # -DUSG_COMPAT=2 # support and define variables +-# # to the "CFLAGS=" line; "timezone" and "daylight" are inspired by +-# # Unix Systems Group code and are required by POSIX 2008 (with XSI) and later. ++# # to the "CFLAGS=" line; "timezone" and "daylight" are inspired by Unix ++# # Systems Group code and are required by POSIX.1-2008 and later (with XSI). + # # If not defined, the code attempts to guess USG_COMPAT from other macros. + # # + # # To support the external variable "altzone", add +@@ -353,9 +382,11 @@ + # functions to be added to the time conversion library. + # "offtime" is like "gmtime" except that it accepts a second (long) argument + # that gives an offset to add to the time_t when converting it. +-# "timelocal" is equivalent to "mktime". ++# I.e., "offtime" is like calling "localtime_rz" with a fixed-offset zone. ++# "timelocal" is nearly equivalent to "mktime". + # "timeoff" is like "timegm" except that it accepts a second (long) argument + # that gives an offset to use when converting to a time_t. ++# I.e., "timeoff" is like calling "mktime_z" with a fixed-offset zone. + # "posix2time" and "time2posix" are described in an included manual page. + # X3J11's work does not describe any of these functions. + # These functions may well disappear in future releases of the time +@@ -378,7 +409,7 @@ + # + # NIST-PCTS:151-2, Version 1.4, (1993-12-03) is a test suite put + # out by the National Institute of Standards and Technology +-# which claims to test C and Posix conformance. If you want to pass PCTS, add ++# which claims to test C and POSIX conformance. 
If you want to pass PCTS, add + # -DPCTS + # to the end of the "CFLAGS=" line. + # +@@ -388,19 +419,33 @@ + # 53 as a week number (rather than 52 or 53) for January days before + # January's first Monday when a "%V" format is used and January 1 + # falls on a Friday, Saturday, or Sunday. ++# ++# POSIX says CFLAGS defaults to "-O 1". ++# Uncomment the following line and edit its contents as needed. + +-CFLAGS= ++#CFLAGS= -O 1 + +-# Linker flags. Default to $(LFLAGS) for backwards compatibility +-# to release 2012h and earlier. + +-LDFLAGS= $(LFLAGS) ++# The name of a POSIX-like library archiver, its flags, C compiler, ++# linker flags, and 'make' utility. Ordinarily the defaults suffice. ++# The commented-out values are the defaults specified by POSIX.1-202x/D4. ++#AR = ar ++#ARFLAGS = -rv ++#CC = c17 ++#LDFLAGS = ++#MAKE = make + + # For leap seconds, this Makefile uses LEAPSECONDS='-L leapseconds' in + # submake command lines. The default is no leap seconds. + + LEAPSECONDS= + ++# Where to fetch leap-seconds.list from. ++leaplist_URI = \ ++ https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list ++# The file is generated by the IERS Earth Orientation Centre, in Paris. ++leaplist_TZ = Europe/Paris ++ + # The zic command and its arguments. + + zic= ./zic +@@ -418,22 +463,23 @@ + + ZIC_INSTALL= $(ZIC) -d '$(DESTDIR)$(TZDIR)' $(LEAPSECONDS) + +-# The name of a Posix-compliant 'awk' on your system. ++# The name of a POSIX-compliant 'awk' on your system. + # mawk 1.3.3 and Solaris 10 /usr/bin/awk do not work. + # Also, it is better (though not essential) if 'awk' supports UTF-8, + # and unfortunately mawk and busybox awk do not support UTF-8. + # Try AWK=gawk or AWK=nawk if your awk has the abovementioned problems. + AWK= awk + +-# The full path name of a Posix-compliant shell, preferably one that supports ++# The full path name of a POSIX-compliant shell, preferably one that supports + # the Korn shell's 'select' statement as an extension. 
+ # These days, Bash is the most popular. + # It should be OK to set this to /bin/sh, on platforms where /bin/sh +-# lacks 'select' or doesn't completely conform to Posix, but /bin/bash ++# lacks 'select' or doesn't completely conform to POSIX, but /bin/bash + # is typically nicer if it works. + KSHELL= /bin/bash + +-# Name of curl , used for HTML validation. ++# Name of curl , used for HTML validation ++# and to fetch leap-seconds.list from upstream. + CURL= curl + + # Name of GNU Privacy Guard , used to sign distributions. +@@ -503,17 +549,16 @@ + DIFF_TZS= diff -u$$(! diff -u -F'^TZ=' - - <>/dev/null >&0 2>&1 \ + || echo ' -F^TZ=') + +-############################################################################### +- +-#MAKE= make ++# ':' on typical hosts; 'ranlib' on the ancient hosts that still need ranlib. ++RANLIB= : + +-cc= cc +-CC= $(cc) -DTZDIR='"$(TZDIR)"' ++# POSIX prohibits defining or using SHELL. However, csh users on systems ++# that use the user shell for Makefile commands may need to define SHELL. ++#SHELL= /bin/sh + +-AR= ar ++# End of macros that one plausibly might want to tailor. ++############################################################################### + +-# ':' on typical hosts; 'ranlib' on the ancient hosts that still need ranlib. 
+-RANLIB= : + + TZCOBJS= zic.o + TZDOBJS= zdump.o localtime.o asctime.o strftime.o +@@ -543,7 +588,7 @@ + NDATA= factory + TDATA_TO_CHECK= $(YDATA) $(NDATA) backward + TDATA= $(YDATA) $(NDATA) $(BACKWARD) +-ZONETABLES= zone1970.tab zone.tab ++ZONETABLES= zone.tab zone1970.tab zonenow.tab + TABDATA= iso3166.tab $(TZDATA_TEXT) $(ZONETABLES) + LEAP_DEPS= leapseconds.awk leap-seconds.list + TZDATA_ZI_DEPS= ziguard.awk zishrink.awk version $(TDATA) \ +@@ -551,7 +596,7 @@ + DSTDATA_ZI_DEPS= ziguard.awk $(TDATA) $(PACKRATDATA) $(PACKRATLIST) + DATA= $(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \ + leapseconds $(ZONETABLES) +-AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk \ ++AWK_SCRIPTS= checklinks.awk checknow.awk checktab.awk leapseconds.awk \ + ziguard.awk zishrink.awk + MISC= $(AWK_SCRIPTS) + TZS_YEAR= 2050 +@@ -572,7 +617,7 @@ + calendars CONTRIBUTING LICENSE Makefile NEWS README SECURITY \ + africa antarctica asctime.c asia australasia \ + backward backzone \ +- checklinks.awk checktab.awk \ ++ checklinks.awk checknow.awk checktab.awk \ + date.1 date.c difftime.c \ + etcetera europe factory iso3166.tab \ + leap-seconds.list leapseconds.awk localtime.c \ +@@ -582,12 +627,7 @@ + tzfile.5 tzfile.h tzselect.8 tzselect.ksh \ + workman.sh zdump.8 zdump.c zic.8 zic.c \ + ziguard.awk zishrink.awk \ +- zone.tab zone1970.tab +- +-# And for the benefit of csh users on systems that assume the user +-# shell should be used to handle commands in Makefiles. . . 
+- +-SHELL= /bin/sh ++ zone.tab zone1970.tab zonenow.tab + + all: tzselect zic zdump libtz.a $(TABDATA) \ + vanguard.zi main.zi rearguard.zi +@@ -657,6 +697,16 @@ + $(DATAFORM).zi >$@.out + mv $@.out $@ + ++tzdir.h: ++ printf '%s\n' >$@.out \ ++ '#ifndef TZDEFAULT' \ ++ '# define TZDEFAULT "$(TZDEFAULT)" /* default zone */' \ ++ '#endif' \ ++ '#ifndef TZDIR' \ ++ '# define TZDIR "$(TZDIR)" /* TZif directory */' \ ++ '#endif' ++ mv $@.out $@ ++ + version.h: version + VERSION=`cat version` && printf '%s\n' \ + 'static char const PKGVERSION[]="($(PACKAGE)) ";' \ +@@ -676,6 +726,28 @@ + -f leapseconds.awk leap-seconds.list >$@.out + mv $@.out $@ + ++# Awk script to extract a Git-style author from leap-seconds.list comments. ++EXTRACT_AUTHOR = \ ++ author_line { sub(/^.[[:space:]]*/, ""); \ ++ sub(/:[[:space:]]*/, " <"); \ ++ printf "%s>\n", $$0; \ ++ success = 1; \ ++ exit \ ++ } \ ++ /Questions or comments to:/ { author_line = 1 } \ ++ END { exit !success } ++ ++# Fetch leap-seconds.list from upstream. ++fetch-leap-seconds.list: ++ $(CURL) -OR $(leaplist_URI) ++ ++# Fetch leap-seconds.list from upstream and commit it to the local repository. ++commit-leap-seconds.list: fetch-leap-seconds.list ++ author=$$($(AWK) '$(EXTRACT_AUTHOR)' leap-seconds.list) && \ ++ date=$$(TZ=$(leaplist_TZ) stat -c%y leap-seconds.list) && \ ++ git commit --author="$$author" --date="$$date" -m'make $@' \ ++ leap-seconds.list ++ + # Arguments to pass to submakes of install_data. + # They can be overridden by later submake arguments. 
+ INSTALLARGS = \ +@@ -763,7 +835,7 @@ + + libtz.a: $(LIBOBJS) + rm -f $@ +- $(AR) -rc $@ $(LIBOBJS) ++ $(AR) $(ARFLAGS) $@ $(LIBOBJS) + $(RANLIB) $@ + + date: $(DATEOBJS) +@@ -771,26 +843,32 @@ + + tzselect: tzselect.ksh version + VERSION=`cat version` && sed \ +- -e 's|#!/bin/bash|#!$(KSHELL)|g' \ +- -e 's|AWK=[^}]*|AWK='\''$(AWK)'\''|g' \ +- -e 's|\(PKGVERSION\)=.*|\1='\''($(PACKAGE)) '\''|' \ +- -e 's|\(REPORT_BUGS_TO\)=.*|\1=$(BUGEMAIL)|' \ +- -e 's|TZDIR=[^}]*|TZDIR=$(TZDIR)|' \ +- -e 's|\(TZVERSION\)=.*|\1='"$$VERSION"'|' \ +- <$@.ksh >$@.out ++ -e "s'#!/bin/bash'#!"'$(KSHELL)'\' \ ++ -e s\''\(AWK\)=[^}]*'\''\1=\'\''$(AWK)\'\'\' \ ++ -e s\''\(PKGVERSION\)=.*'\''\1=\'\''($(PACKAGE)) \'\'\' \ ++ -e s\''\(REPORT_BUGS_TO\)=.*'\''\1=\'\''$(BUGEMAIL)\'\'\' \ ++ -e s\''\(TZDIR\)=[^}]*'\''\1=\'\''$(TZDIR)\'\'\' \ ++ -e s\''\(TZVERSION\)=.*'\''\1=\'"'$$VERSION\\''" \ ++ <$@.ksh >$@.out + chmod +x $@.out + mv $@.out $@ + + check: check_back check_mild + check_mild: check_character_set check_white_space check_links \ +- check_name_lengths check_slashed_abbrs check_sorted \ ++ check_name_lengths check_now \ ++ check_slashed_abbrs check_sorted \ + check_tables check_web check_ziguard check_zishrink check_tzs + ++# True if UTF8_LOCALE does not work; ++# otherwise, false but with LC_ALL set to $(UTF8_LOCALE). ++UTF8_LOCALE_MISSING = \ ++ { test ! '$(UTF8_LOCALE)' \ ++ || ! printf 'A\304\200B\n' \ ++ | LC_ALL='$(UTF8_LOCALE)' grep -q '^A.B$$' >/dev/null 2>&1 \ ++ || { LC_ALL='$(UTF8_LOCALE)'; export LC_ALL; false; }; } ++ + check_character_set: $(ENCHILADA) +- test ! '$(UTF8_LOCALE)' || \ +- ! printf 'A\304\200B\n' | \ +- LC_ALL='$(UTF8_LOCALE)' grep -q '^A.B$$' >/dev/null 2>&1 || { \ +- LC_ALL='$(UTF8_LOCALE)' && export LC_ALL && \ ++ $(UTF8_LOCALE_MISSING) || { \ + sharp='#' && \ + ! 
grep -Env $(SAFE_LINE) $(MANS) date.1 $(MANTXTS) \ + $(MISC) $(SOURCES) $(WEB_PAGES) \ +@@ -805,12 +883,12 @@ + touch $@ + + check_white_space: $(ENCHILADA) ++ $(UTF8_LOCALE_MISSING) || { \ + patfmt=' \t|[\f\r\v]' && pat=`printf "$$patfmt\\n"` && \ +- ! grep -En "$$pat" \ +- $$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list) +- ! grep -n '[$s]$$' \ +- $$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list) +- touch $@ ++ ! grep -En "$$pat|[$s]\$$" \ ++ $$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list); \ ++ } ++ touch $@ + + PRECEDES_FILE_NAME = ^(Zone|Link[$s]+[^$s]+)[$s]+ + FILE_NAME_COMPONENT_TOO_LONG = $(PRECEDES_FILE_NAME)[^$s]*[^/$s]{15} +@@ -851,7 +929,29 @@ + -f checklinks.awk tzdata.zi + touch $@ + +-check_tables: checktab.awk $(YDATA) backward $(ZONETABLES) ++# Check timestamps from now through 28 years from now, to make sure ++# that zonenow.tab contains all sequences of planned timestamps, ++# without any duplicate sequences. In theory this might require ++# 2800 years but that would take a long time to check. 
++CHECK_NOW_TIMESTAMP = `./date +%s` ++CHECK_NOW_FUTURE_YEARS = 28 ++CHECK_NOW_FUTURE_SECS = $(CHECK_NOW_FUTURE_YEARS) '*' 366 '*' 24 '*' 60 '*' 60 ++check_now: checknow.awk date tzdata.zi zdump zic zone1970.tab zonenow.tab ++ rm -fr $@.dir ++ mkdir $@.dir ++ ./zic -d $@.dir tzdata.zi ++ now=$(CHECK_NOW_TIMESTAMP) && \ ++ future=`expr $(CHECK_NOW_FUTURE_SECS) + $$now` && \ ++ ./zdump -i -t $$now,$$future \ ++ $$(find $$PWD/$@.dir/????*/ -type f) \ ++ >$@.dir/zdump.tab ++ $(AWK) \ ++ -v zdump_table=$@.dir/zdump.tab \ ++ -f checknow.awk zonenow.tab ++ rm -fr $@.dir ++ touch $@ ++ ++check_tables: checktab.awk $(YDATA) backward zone.tab zone1970.tab + for tab in $(ZONETABLES); do \ + test "$$tab" = zone.tab && links='$(BACKWARD)' || links=''; \ + $(AWK) -f checktab.awk -v zone_table=$$tab $(YDATA) $$links \ +@@ -911,10 +1011,10 @@ + touch $@ + + clean_misc: +- rm -fr check_*.dir ++ rm -fr check_*.dir typecheck_*.dir + rm -f *.o *.out $(TIME_T_ALTERNATIVES) \ + check_* core typecheck_* \ +- date tzselect version.h zdump zic libtz.a ++ date tzdir.h tzselect version.h zdump zic libtz.a + clean: clean_misc + rm -fr *.dir tzdb-*/ + rm -f *.zi $(TZS_NEW) +@@ -952,12 +1052,18 @@ + # plus N if GNU ls and touch are available. + SET_TIMESTAMP_N = sh -c '\ + n=$$0 dest=$$1; shift; \ +- touch -cmr `ls -t "$$@" | sed 1q` "$$dest" && \ ++ <"$$dest" && \ + if test $$n != 0 && \ +- lsout=`ls -n --time-style="+%s" "$$dest" 2>/dev/null`; then \ ++ lsout=`ls -nt --time-style="+%s" "$$@" 2>/dev/null`; then \ + set x $$lsout && \ +- touch -cmd @`expr $$7 + $$n` "$$dest"; \ +- else :; fi' ++ timestamp=`expr $$7 + $$n` && \ ++ echo "+ touch -md @$$timestamp $$dest" && \ ++ touch -md @$$timestamp "$$dest"; \ ++ else \ ++ newest=`ls -t "$$@" | sed 1q` && \ ++ echo "+ touch -mr $$newest $$dest" && \ ++ touch -mr "$$newest" "$$dest"; \ ++ fi' + # If DEST depends on A B C ... 
in this Makefile, callers should use + # $(SET_TIMESTAMP_DEP) DEST A B C ..., for the benefit of any + # downstream 'make' that considers equal timestamps to be out of date. +@@ -982,8 +1088,12 @@ + rm -f test.out && \ + for file in $$files; do \ + if git diff --quiet $$file; then \ +- time=`git log -1 --format='tformat:%ct' $$file` && \ +- touch -cmd @$$time $$file; \ ++ time=`TZ=UTC0 git log -1 \ ++ --format='tformat:%cd' \ ++ --date='format:%Y-%m-%dT%H:%M:%SZ' \ ++ $$file` && \ ++ echo "+ touch -md $$time $$file" && \ ++ touch -md $$time $$file; \ + else \ + echo >&2 "$$file: warning: does not match repository"; \ + fi || exit; \ +@@ -1008,7 +1118,8 @@ + rm -fr public.dir + mkdir public.dir + ln $(VERSION_DEPS) public.dir +- cd public.dir && $(MAKE) CFLAGS='$(GCC_DEBUG_FLAGS)' ALL ++ cd public.dir \ ++ && $(MAKE) CFLAGS='$(GCC_DEBUG_FLAGS)' TZDIR='$(TZDIR)' ALL + for i in $(TDATA_TO_CHECK) public.dir/tzdata.zi \ + public.dir/vanguard.zi public.dir/main.zi \ + public.dir/rearguard.zi; \ +@@ -1139,7 +1250,7 @@ + sed '1s/$$/-rearguard/' $@.dir/version + : The dummy pacificnew pacifies TZUpdater 2.3.1 and earlier. 
+ $(CREATE_EMPTY) $@.dir/pacificnew +- touch -cmr version $@.dir/version ++ touch -mr version $@.dir/version + LC_ALL=C && export LC_ALL && \ + (cd $@.dir && \ + tar $(TARFLAGS) -cf - \ +@@ -1163,7 +1274,7 @@ + `test $(DATAFORM) = vanguard || echo pacificnew` + (grep '^#' tzdata.zi && echo && cat $(DATAFORM).zi) \ + >$@.dir/etcetera +- touch -cmr tzdata.zi $@.dir/etcetera ++ touch -mr tzdata.zi $@.dir/etcetera + sed -n \ + -e '/^# *version *\(.*\)/h' \ + -e '/^# *ddeps */H' \ +@@ -1174,7 +1285,7 @@ + -e 's/ /-/g' \ + -e 'p' \ + $@.dir/version +- touch -cmr version $@.dir/version ++ touch -mr version $@.dir/version + links= && \ + for file in $(TZDATA_DIST); do \ + test -f $@.dir/$$file || links="$$links $$file"; \ +@@ -1226,15 +1337,16 @@ + asctime.o: private.h tzfile.h + date.o: private.h + difftime.o: private.h +-localtime.o: private.h tzfile.h ++localtime.o: private.h tzfile.h tzdir.h + strftime.o: private.h tzfile.h + zdump.o: version.h +-zic.o: private.h tzfile.h version.h ++zic.o: private.h tzfile.h tzdir.h version.h + + .PHONY: ALL INSTALL all + .PHONY: check check_mild check_time_t_alternatives + .PHONY: check_web check_zishrink +-.PHONY: clean clean_misc dummy.zd force_tzs ++.PHONY: clean clean_misc commit-leap-seconds.list dummy.zd ++.PHONY: fetch-leap-seconds.list force_tzs + .PHONY: install install_data maintainer-clean names + .PHONY: posix_only posix_right public + .PHONY: rearguard_signatures rearguard_signatures_version +--- contrib/tzdata/NEWS.orig ++++ contrib/tzdata/NEWS +@@ -1,5 +1,177 @@ + News for the tz database + ++Release 2024a - 2024-02-01 09:28:56 -0800 ++ ++ Briefly: ++ Kazakhstan unifies on UTC+5 beginning 2024-03-01. ++ Palestine springs forward a week later after Ramadan. ++ zic no longer pretends to support indefinite-past DST. ++ localtime no longer mishandles Ciudad Juárez in 2422. ++ ++ Changes to future timestamps ++ ++ Kazakhstan unifies on UTC+5. 
This affects Asia/Almaty and ++ Asia/Qostanay which together represent the eastern portion of the ++ country that will transition from UTC+6 on 2024-03-01 at 00:00 to ++ join the western portion. (Thanks to Zhanbolat Raimbekov.) ++ ++ Palestine springs forward a week later than previously predicted ++ in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward ++ predictions to the second Saturday after Ramadan, not the first; ++ this also affects other predictions starting in 2039. ++ ++ Changes to past timestamps ++ ++ Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 ++ not 00:00. (Thanks to Đoàn Trần Công Danh.) ++ ++ From 1947 through 1949, Toronto's transitions occurred at 02:00 ++ not 00:00. (Thanks to Chris Walton.) ++ ++ In 1911 Miquelon adopted standard time on June 15, not May 15. ++ ++ Changes to code ++ ++ The FROM and TO columns of Rule lines can no longer be "minimum" ++ or an abbreviation of "minimum", because TZif files do not support ++ DST rules that extend into the indefinite past - although these ++ rules were supported when TZif files had only 32-bit data, this ++ stopped working when 64-bit TZif files were introduced in 1995. ++ This should not be a problem for realistic data, since DST was ++ first used in the 20th century. As a transition aid, FROM columns ++ like "minimum" are now diagnosed and then treated as if they were ++ the year 1900; this should suffice for TZif files on old systems ++ with only 32-bit time_t, and it is more compatible with bugs in ++ 2023c-and-earlier localtime.c. (Problem reported by Yoshito ++ Umaoka.) ++ ++ localtime and related functions no longer mishandle some ++ timestamps that occur about 400 years after a switch to a time ++ zone with a DST schedule. In 2023d data this problem was visible ++ for some timestamps in November 2422, November 2822, etc. in ++ America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.) ++ ++ strftime %s now uses tm_gmtoff if available. 
(Problem and draft ++ patch reported by Dag-Erling Smørgrav.) ++ ++ Changes to build procedure ++ ++ The leap-seconds.list file is now copied from the IERS instead of ++ from its downstream counterpart at NIST, as the IERS version is ++ now in the public domain too and tends to be more up-to-date. ++ (Thanks to Martin Burnicki for liaisoning with the IERS.) ++ ++ Changes to documentation ++ ++ The strftime man page documents which struct tm members affect ++ which conversion specs, and that tzset is called. (Problems ++ reported by Robert Elz and Steve Summit.) ++ ++ ++Release 2023d - 2023-12-21 20:02:24 -0800 ++ ++ Briefly: ++ Ittoqqortoormiit, Greenland changes time zones on 2024-03-31. ++ Vostok, Antarctica changed time zones on 2023-12-18. ++ Casey, Antarctica changed time zones five times since 2020. ++ Code and data fixes for Palestine timestamps starting in 2072. ++ A new data file zonenow.tab for timestamps starting now. ++ ++ Changes to future timestamps ++ ++ Ittoqqortoormiit, Greenland (America/Scoresbysund) joins most of ++ the rest of Greenland's timekeeping practice on 2024-03-31, by ++ changing its time zone from -01/+00 to -02/-01 at the same moment ++ as the spring-forward transition. Its clocks will therefore not ++ spring forward as previously scheduled. The time zone change ++ reverts to its common practice before 1981. ++ ++ Fix predictions for DST transitions in Palestine in 2072-2075, ++ correcting a typo introduced in 2023a. ++ ++ Changes to past and future timestamps ++ ++ Vostok, Antarctica changed to +05 on 2023-12-18. It had been at ++ +07 (not +06) for years. (Thanks to Zakhary V. Akulov.) ++ ++ Change data for Casey, Antarctica to agree with timeanddate.com, ++ by adding five time zone changes since 2020. Casey is now at +08 ++ instead of +11. ++ ++ Changes to past tm_isdst flags ++ ++ Much of Greenland, represented by America/Nuuk, changed its ++ standard time from -03 to -02 on 2023-03-25, not on 2023-10-28. 
++ This does not affect UTC offsets, only the tm_isdst flag. ++ (Thanks to Thomas M. Steenholdt.) ++ ++ New data file ++ ++ A new data file zonenow.tab helps configure applications that use ++ timestamps dated from now on. This simplifies configuration, ++ since users choose from a smaller Zone set. The file's format is ++ experimental and subject to change. ++ ++ Changes to code ++ ++ localtime.c no longer mishandles TZif files that contain a single ++ transition into a DST regime. Previously, it incorrectly assumed ++ DST was in effect before the transition too. (Thanks to Alois ++ Treindl for debugging help.) ++ ++ localtime.c's timeoff no longer collides with OpenBSD 7.4. ++ ++ The C code now uses _Generic only if __STDC_VERSION__ says the ++ compiler is C11 or later. ++ ++ tzselect now optionally reads zonenow.tab, to simplify when ++ configuring only for timestamps dated from now on. ++ ++ tzselect no longer creates temporary files. ++ ++ tzselect no longer mishandles the following: ++ ++ Spaces and most other special characters in BUGEMAIL, PACKAGE, ++ TZDIR, and VERSION. ++ ++ TZ strings when using mawk 1.4.3, which mishandles regular ++ expressions of the form /X{2,}/. ++ ++ ISO 6709 coordinates when using an awk that lacks the GNU ++ extension of newlines in -v option-arguments. ++ ++ Non UTF-8 locales when using an iconv command that lacks the GNU ++ //TRANSLIT extension. ++ ++ zic no longer mishandles data for Palestine after the year 2075. ++ Previously, it incorrectly omitted post-2075 transitions that are ++ predicted for just before and just after Ramadan. (Thanks to Ken ++ Murchison for debugging help.) ++ ++ zic now works again on Linux 2.6.16 and 2.6.17 (2006). ++ (Problem reported by Rune Torgersen.) ++ ++ Changes to build procedure ++ ++ The Makefile is now more compatible with POSIX: ++ * It no longer defines AR, CC, CFLAGS, LDFLAGS, and SHELL. ++ * It no longer uses its own 'cc' in place of CC. 
++ * It now uses ARFLAGS, with default specified by POSIX. ++ * It does not use LFLAGS incompatibly with POSIX. ++ * It uses the special .POSIX target. ++ * It quotes special characters more carefully. ++ * It no longer mishandles builds in an ISO 8859 locale. ++ Due to the CC changes, TZDIR is now #defined in a file tzfile.h ++ built by 'make', not in a $(CC) -D option. Also, TZDEFAULT is ++ now treated like TZDIR as they have similar roles. ++ ++ Changes to commentary ++ ++ Limitations and hazards of the optional support for obsolescent ++ C89 platforms are documented better, along with a tentative ++ schedule for removing this support. ++ ++ + Release 2023c - 2023-03-28 12:42:14 -0700 + + Changes to past and future timestamps +@@ -76,11 +248,14 @@ + platform dependent and abbreviations were silently truncated to + 16 bytes even when the limit was greater than 16. + +- The code by default is now designed for C99 or later. To build in +- a C89 environment, compile with -DPORT_TO_C89. To support C89 +- callers of the tzcode library, compile with -DSUPPORT_C89. The +- two new macros are transitional aids planned to be removed in a +- future version, when C99 or later will be required. ++ The code by default is now designed for C99 or later. To build on ++ a mostly-C89 platform, compile with -DPORT_TO_C89; this should ++ work on C89 platforms that also support C99 'long long' and ++ perhaps a few other extensions to C89. To support C89 callers of ++ tzcode's library, compile with -DSUPPORT_C89; however, this could ++ trigger latent bugs in C99-or-later callers. The two new macros ++ are transitional aids planned to be removed in a future version ++ (say, in 2029), when C99 or later will be required. + + The code now builds again on pre-C99 platforms, if you compile + with -DPORT_TO_C89. This fixes a bug introduced in 2022f. +@@ -723,6 +898,8 @@ + them, set the EXPIRES_LINE Makefile variable. 
If a TZif file uses + this new feature it is marked with a new TZif version number 4, + a format intended to be documented in a successor to RFC 8536. ++ The old-format "#expires" comments are now treated solely as ++ comments and have no effect on the TZif files. + + zic -L LEAPFILE -r @LO no longer generates an invalid TZif file + that omits leap second information for the range LO..B when LO +@@ -4302,7 +4479,7 @@ + now uses tz@iana.org rather than the old elsie address. + + zic -v now complains about abbreviations that are less than 3 +- or more than 6 characters, as per Posix. Formerly, it checked ++ or more than 6 characters, as per POSIX. Formerly, it checked + for abbreviations that were more than 3. + + 'make public' no longer puts its temporary directory under /tmp, +@@ -4467,8 +4644,8 @@ + In particular, the typos in comments in the data (2011-11-17 should have + been 2011-10-17 as Alan Barrett noted, and spelling of Tiraspol that + Tim Parenti noted) have been fixed, and the change for Ukraine has been +- made in all 4 Ukrainian zones, rather than just Kiev (again, thanks to +- Tim Parenti, and also Denys Gavrysh) ++ made in all 4 Ukrainian zones, rather than just Europe/Kiev ++ (again, thanks to Tim Parenti, and also Denys Gavrysh). + + In addition, I added Europe/Tiraspol to zone.tab. + +--- contrib/tzdata/README.orig ++++ contrib/tzdata/README +@@ -11,14 +11,17 @@ + and daylight-saving rules. + + See or the +-file tz-link.html for how to acquire the code and data. Once acquired, +-read the comments in the file 'Makefile' and make any changes needed +-to make things right for your system, especially if you are using some +-platform other than GNU/Linux. Then run the following commands, +-substituting your desired installation directory for "$HOME/tzdir": +- +- make TOPDIR=$HOME/tzdir install +- $HOME/tzdir/usr/bin/zdump -v America/Los_Angeles ++file tz-link.html for how to acquire the code and data. 
++ ++Once acquired, read the leading comments in the file "Makefile" ++and make any changes needed to make things right for your system, ++especially when using a platform other than current GNU/Linux. ++ ++Then run the following commands, substituting your desired ++installation directory for "$HOME/tzdir": ++ ++ make TOPDIR="$HOME/tzdir" install ++ "$HOME/tzdir/usr/bin/zdump" -v America/Los_Angeles + + See the file tz-how-to.html for examples of how to read the data files. + +--- contrib/tzdata/africa.orig ++++ contrib/tzdata/africa +@@ -30,6 +30,10 @@ + # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94. + # https://www.jstor.org/stable/1774359 + # ++# For the 1911/1912 establishment of standard time in French possessions, see: ++# Société Française de Physique, Recueil de constantes physiques (1913), ++# page 752, 18b. ++# + # European-style abbreviations are commonly used along the Mediterranean. + # For sub-Saharan Africa abbreviations were less standardized. + # Previous editions of this database used WAT, CAT, SAT, and EAT +@@ -113,7 +117,7 @@ + + # Chad + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Africa/Ndjamena 1:00:12 - LMT 1912 # N'Djamena ++Zone Africa/Ndjamena 1:00:12 - LMT 1912 Jan 1 # N'Djamena + 1:00 - WAT 1979 Oct 14 + 1:00 1:00 WAST 1980 Mar 8 + 1:00 - WAT +@@ -139,7 +143,7 @@ + # Inaccessible, Nightingale: uninhabited + + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Africa/Abidjan -0:16:08 - LMT 1912 ++Zone Africa/Abidjan -0:16:08 - LMT 1912 Jan 1 + 0:00 - GMT + + ############################################################################### +@@ -285,13 +289,6 @@ + # reproduced by other (more accessible) sites[, e.g.,]... + # http://elgornal.net/news/news.aspx?id=4699258 + +-# From Paul Eggert (2014-06-04): +-# Sarah El Deeb and Lee Keath of AP report that the Egyptian government says +-# the change is because of blackouts in Cairo, even though Ahram Online (cited +-# above) says DST had no affect on electricity consumption. 
There is +-# no information about when DST will end this fall. See: +-# http://abcnews.go.com/International/wireStory/el-sissi-pushes-egyptians-line-23614833 +- + # From Steffen Thorsen (2015-04-08): + # Egypt will start DST on midnight after Thursday, April 30, 2015. + # This is based on a law (no 35) from May 15, 2014 saying it starts the last +--- contrib/tzdata/antarctica.orig ++++ contrib/tzdata/antarctica +@@ -80,6 +80,11 @@ + # - 2018 Oct 7 4:00 - 2019 Mar 17 3:00 - 2019 Oct 4 3:00 - 2020 Mar 8 3:00 + # and now - 2020 Oct 4 0:01 + ++# From Paul Eggert (2023-12-20): ++# Transitions from 2021 on are taken from: ++# https://www.timeanddate.com/time/zone/antarctica/casey ++# retrieved at various dates. ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Antarctica/Casey 0 - -00 1969 + 8:00 - +08 2009 Oct 18 2:00 +@@ -93,7 +98,12 @@ + 8:00 - +08 2019 Oct 4 3:00 + 11:00 - +11 2020 Mar 8 3:00 + 8:00 - +08 2020 Oct 4 0:01 +- 11:00 - +11 ++ 11:00 - +11 2021 Mar 14 0:00 ++ 8:00 - +08 2021 Oct 3 0:01 ++ 11:00 - +11 2022 Mar 13 0:00 ++ 8:00 - +08 2022 Oct 2 0:01 ++ 11:00 - +11 2023 Mar 9 3:00 ++ 8:00 - +08 + Zone Antarctica/Davis 0 - -00 1957 Jan 13 + 7:00 - +07 1964 Nov + 0 - -00 1969 Feb +@@ -240,7 +250,50 @@ + # year-round from 1960/61 to 1992 + + # Vostok, since 1957-12-16, temporarily closed 1994-02/1994-11 +-# See Asia/Urumqi. ++# From Craig Mundell (1994-12-15): ++# http://quest.arc.nasa.gov/antarctica/QA/computers/Directions,Time,ZIP ++# Vostok, which is one of the Russian stations, is set on the same ++# time as Moscow, Russia. ++# ++# From Lee Hotz (2001-03-08): ++# I queried the folks at Columbia who spent the summer at Vostok and this is ++# what they had to say about time there: ++# "in the US Camp (East Camp) we have been on New Zealand (McMurdo) ++# time, which is 12 hours ahead of GMT. The Russian Station Vostok was ++# 6 hours behind that (although only 2 miles away, i.e. 6 hours ahead ++# of GMT). This is a time zone I think two hours east of Moscow. 
The ++# natural time zone is in between the two: 8 hours ahead of GMT." ++# ++# From Paul Eggert (2001-05-04): ++# This seems to be hopelessly confusing, so I asked Lee Hotz about it ++# in person. He said that some Antarctic locations set their local ++# time so that noon is the warmest part of the day, and that this ++# changes during the year and does not necessarily correspond to mean ++# solar noon. So the Vostok time might have been whatever the clocks ++# happened to be during their visit. So we still don't really know what time ++# it is at Vostok. ++# ++# From Zakhary V. Akulov (2023-12-17 22:00:48 +0700): ++# ... from December, 18, 2023 00:00 by my decision the local time of ++# the Antarctic research base Vostok will correspond to UTC+5. ++# (2023-12-19): We constantly interact with Progress base, with company who ++# builds new wintering station, with sledge convoys, with aviation - they all ++# use UTC+5. Besides, difference between Moscow time is just 2 hours now, not 4. ++# (2023-12-19, in response to the question "Has local time at Vostok ++# been UTC+6 ever since 1957, or has it changed before?"): No. At least ++# since my antarctic career start, 10 years ago, Vostok base has UTC+7. ++# (In response to a 2023-12-18 question "from 02:00 to 00:00 today"): This. ++# ++# From Paul Eggert (2023-12-18): ++# For lack of better info, guess Vostok was at +07 from founding through today, ++# except when closed. ++ ++# Zone NAME STDOFF RULES FORMAT [UNTIL] ++Zone Antarctica/Vostok 0 - -00 1957 Dec 16 ++ 7:00 - +07 1994 Feb ++ 0 - -00 1994 Nov ++ 7:00 - +07 2023 Dec 18 2:00 ++ 5:00 - +05 + + # S Africa - year-round bases + # Marion Island, -4653+03752 +--- contrib/tzdata/asia.orig ++++ contrib/tzdata/asia +@@ -655,7 +655,6 @@ + 8:00 PRC C%sT + # Xinjiang time, used by many in western China; represented by Ürümqi / Ürümchi + # / Wulumuqi. (Please use Asia/Shanghai if you prefer Beijing time.) +-# Vostok base in Antarctica matches this since 1970. 
+ Zone Asia/Urumqi 5:50:20 - LMT 1928 + 6:00 - +06 + +@@ -2458,18 +2457,33 @@ + # effective December 21st, 2018.... + # http://adilet.zan.kz/rus/docs/P1800000817 (russian language). + ++# From Zhanbolat Raimbekov (2024-01-19): ++# Kazakhstan (all parts) switching to UTC+5 on March 1, 2024 ++# https://www.gov.kz/memleket/entities/mti/press/news/details/688998?lang=ru ++# [in Russian] ++# (2024-01-20): https://primeminister.kz/ru/decisions/19012024-20 ++# ++# From Alexander Krivenyshev (2024-01-19): ++# According to a different news and the official web site for the Ministry of ++# Trade and Integration of the Republic of Kazakhstan: ++# https://en.inform.kz/news/kazakhstan-to-switch-to-single-hour-zone-mar-1-54ad0b/ ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + # + # Almaty (formerly Alma-Ata), representing most locations in Kazakhstan +-# This includes KZ-AKM, KZ-ALA, KZ-ALM, KZ-AST, KZ-BAY, KZ-VOS, KZ-ZHA, +-# KZ-KAR, KZ-SEV, KZ-PAV, and KZ-YUZ. ++# This includes Abai/Abay (ISO 3166-2 code KZ-10), Aqmola/Akmola (KZ-11), ++# Almaty (KZ-19), Almaty city (KZ-75), Astana city (KZ-71), ++# East Kazkhstan (KZ-63), Jambyl/Zhambyl (KZ-31), Jetisu/Zhetysu (KZ-33), ++# Karaganda (KZ-35), North Kazakhstan (KZ-59), Pavlodar (KZ-55), ++# Shyumkent city (KZ-79), Turkistan (KZ-61), and Ulytau (KZ-62). + Zone Asia/Almaty 5:07:48 - LMT 1924 May 2 # or Alma-Ata + 5:00 - +05 1930 Jun 21 + 6:00 RussiaAsia +06/+07 1991 Mar 31 2:00s + 5:00 RussiaAsia +05/+06 1992 Jan 19 2:00s + 6:00 RussiaAsia +06/+07 2004 Oct 31 2:00s +- 6:00 - +06 +-# Qyzylorda (aka Kyzylorda, Kizilorda, Kzyl-Orda, etc.) (KZ-KZY) ++ 6:00 - +06 2024 Mar 1 0:00 ++ 5:00 - +05 ++# Qyzylorda (aka Kyzylorda, Kizilorda, Kzyl-Orda, etc.) 
(KZ-43) + Zone Asia/Qyzylorda 4:21:52 - LMT 1924 May 2 + 4:00 - +04 1930 Jun 21 + 5:00 - +05 1981 Apr 1 +@@ -2482,8 +2496,7 @@ + 5:00 RussiaAsia +05/+06 2004 Oct 31 2:00s + 6:00 - +06 2018 Dec 21 0:00 + 5:00 - +05 +-# +-# Qostanay (aka Kostanay, Kustanay) (KZ-KUS) ++# Qostanay (aka Kostanay, Kustanay) (KZ-39) + # The 1991/2 rules are unclear partly because of the 1997 Turgai + # reorganization. + Zone Asia/Qostanay 4:14:28 - LMT 1924 May 2 +@@ -2494,9 +2507,9 @@ + 5:00 RussiaAsia +05/+06 1991 Mar 31 2:00s + 4:00 RussiaAsia +04/+05 1992 Jan 19 2:00s + 5:00 RussiaAsia +05/+06 2004 Oct 31 2:00s +- 6:00 - +06 +- +-# Aqtöbe (aka Aktobe, formerly Aktyubinsk) (KZ-AKT) ++ 6:00 - +06 2024 Mar 1 0:00 ++ 5:00 - +05 ++# Aqtöbe (aka Aktobe, formerly Aktyubinsk) (KZ-15) + Zone Asia/Aqtobe 3:48:40 - LMT 1924 May 2 + 4:00 - +04 1930 Jun 21 + 5:00 - +05 1981 Apr 1 +@@ -2506,7 +2519,7 @@ + 4:00 RussiaAsia +04/+05 1992 Jan 19 2:00s + 5:00 RussiaAsia +05/+06 2004 Oct 31 2:00s + 5:00 - +05 +-# Mangghystaū (KZ-MAN) ++# Mangghystaū (KZ-47) + # Aqtau was not founded until 1963, but it represents an inhabited region, + # so include timestamps before 1963. + Zone Asia/Aqtau 3:21:04 - LMT 1924 May 2 +@@ -2518,7 +2531,7 @@ + 5:00 RussiaAsia +05/+06 1994 Sep 25 2:00s + 4:00 RussiaAsia +04/+05 2004 Oct 31 2:00s + 5:00 - +05 +-# Atyraū (KZ-ATY) is like Mangghystaū except it switched from ++# Atyraū (KZ-23) is like Mangghystaū except it switched from + # +04/+05 to +05/+06 in spring 1999, not fall 1994. + Zone Asia/Atyrau 3:27:44 - LMT 1924 May 2 + 3:00 - +03 1930 Jun 21 +@@ -2529,7 +2542,7 @@ + 5:00 RussiaAsia +05/+06 1999 Mar 28 2:00s + 4:00 RussiaAsia +04/+05 2004 Oct 31 2:00s + 5:00 - +05 +-# West Kazakhstan (KZ-ZAP) ++# West Kazakhstan (KZ-27) + # From Paul Eggert (2016-03-18): + # The 1989 transition is from USSR act No. 227 (1989-03-14). + Zone Asia/Oral 3:25:24 - LMT 1924 May 2 # or Ural'sk +@@ -3427,20 +3440,30 @@ + # From Heba Hamad (2023-03-22): + # ... 
summer time will begin in Palestine from Saturday 04-29-2023, + # 02:00 AM by 60 minutes forward. +-# +-# From Paul Eggert (2023-03-22): ++# From Heba Hemad (2023-10-09): ++# ... winter time will begin in Palestine from Saturday 10-28-2023, ++# 02:00 AM by 60 minutes back. ++# ++# From Heba Hamad (2024-01-25): ++# the summer time for the years 2024,2025 will begin in Palestine ++# from Saturday at 02:00 AM by 60 minutes forward as shown below: ++# year date ++# 2024 2024-04-20 ++# 2025 2025-04-12 ++# ++# From Paul Eggert (2024-01-25): + # For now, guess that spring and fall transitions will normally + # continue to use 2022's rules, that during DST Palestine will switch + # to standard time at 02:00 the last Saturday before Ramadan and back +-# to DST at 02:00 the first Saturday after Ramadan, and that ++# to DST at 02:00 the second Saturday after Ramadan, and that + # if the normal spring-forward or fall-back transition occurs during + # Ramadan the former is delayed and the latter advanced. + # To implement this, I predicted Ramadan-oriented transition dates for +-# 2023 through 2086 by running the following program under GNU Emacs 28.2, ++# 2026 through 2086 by running the following program under GNU Emacs 29.2, + # with the results integrated by hand into the table below. + # Predictions after 2086 are approximated without Ramadan. 
+ # +-# (let ((islamic-year 1444)) ++# (let ((islamic-year 1447)) + # (require 'cal-islam) + # (while (< islamic-year 1510) + # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) +@@ -3449,6 +3472,7 @@ + # (while (/= saturday (mod (setq a (1- a)) 7))) + # (while (/= saturday (mod b 7)) + # (setq b (1+ b))) ++# (setq b (+ 7 b)) + # (setq a (calendar-gregorian-from-absolute a)) + # (setq b (calendar-gregorian-from-absolute b)) + # (insert +@@ -3499,84 +3523,84 @@ + Rule Palestine 2022 only - Mar 27 0:00 1:00 S + Rule Palestine 2022 2035 - Oct Sat<=30 2:00 0 - + Rule Palestine 2023 only - Apr 29 2:00 1:00 S +-Rule Palestine 2024 only - Apr 13 2:00 1:00 S +-Rule Palestine 2025 only - Apr 5 2:00 1:00 S ++Rule Palestine 2024 only - Apr 20 2:00 1:00 S ++Rule Palestine 2025 only - Apr 12 2:00 1:00 S + Rule Palestine 2026 2054 - Mar Sat<=30 2:00 1:00 S + Rule Palestine 2036 only - Oct 18 2:00 0 - + Rule Palestine 2037 only - Oct 10 2:00 0 - + Rule Palestine 2038 only - Sep 25 2:00 0 - + Rule Palestine 2039 only - Sep 17 2:00 0 - +-Rule Palestine 2039 only - Oct 22 2:00 1:00 S +-Rule Palestine 2039 2067 - Oct Sat<=30 2:00 0 - + Rule Palestine 2040 only - Sep 1 2:00 0 - +-Rule Palestine 2040 only - Oct 13 2:00 1:00 S ++Rule Palestine 2040 only - Oct 20 2:00 1:00 S ++Rule Palestine 2040 2067 - Oct Sat<=30 2:00 0 - + Rule Palestine 2041 only - Aug 24 2:00 0 - +-Rule Palestine 2041 only - Sep 28 2:00 1:00 S ++Rule Palestine 2041 only - Oct 5 2:00 1:00 S + Rule Palestine 2042 only - Aug 16 2:00 0 - +-Rule Palestine 2042 only - Sep 20 2:00 1:00 S ++Rule Palestine 2042 only - Sep 27 2:00 1:00 S + Rule Palestine 2043 only - Aug 1 2:00 0 - +-Rule Palestine 2043 only - Sep 12 2:00 1:00 S ++Rule Palestine 2043 only - Sep 19 2:00 1:00 S + Rule Palestine 2044 only - Jul 23 2:00 0 - +-Rule Palestine 2044 only - Aug 27 2:00 1:00 S ++Rule Palestine 2044 only - Sep 3 2:00 1:00 S + Rule Palestine 2045 only - Jul 15 2:00 0 - +-Rule Palestine 2045 only - Aug 19 2:00 1:00 S ++Rule 
Palestine 2045 only - Aug 26 2:00 1:00 S + Rule Palestine 2046 only - Jun 30 2:00 0 - +-Rule Palestine 2046 only - Aug 11 2:00 1:00 S ++Rule Palestine 2046 only - Aug 18 2:00 1:00 S + Rule Palestine 2047 only - Jun 22 2:00 0 - +-Rule Palestine 2047 only - Jul 27 2:00 1:00 S ++Rule Palestine 2047 only - Aug 3 2:00 1:00 S + Rule Palestine 2048 only - Jun 6 2:00 0 - +-Rule Palestine 2048 only - Jul 18 2:00 1:00 S ++Rule Palestine 2048 only - Jul 25 2:00 1:00 S + Rule Palestine 2049 only - May 29 2:00 0 - +-Rule Palestine 2049 only - Jul 3 2:00 1:00 S ++Rule Palestine 2049 only - Jul 10 2:00 1:00 S + Rule Palestine 2050 only - May 21 2:00 0 - +-Rule Palestine 2050 only - Jun 25 2:00 1:00 S ++Rule Palestine 2050 only - Jul 2 2:00 1:00 S + Rule Palestine 2051 only - May 6 2:00 0 - +-Rule Palestine 2051 only - Jun 17 2:00 1:00 S ++Rule Palestine 2051 only - Jun 24 2:00 1:00 S + Rule Palestine 2052 only - Apr 27 2:00 0 - +-Rule Palestine 2052 only - Jun 1 2:00 1:00 S ++Rule Palestine 2052 only - Jun 8 2:00 1:00 S + Rule Palestine 2053 only - Apr 12 2:00 0 - +-Rule Palestine 2053 only - May 24 2:00 1:00 S ++Rule Palestine 2053 only - May 31 2:00 1:00 S + Rule Palestine 2054 only - Apr 4 2:00 0 - +-Rule Palestine 2054 only - May 16 2:00 1:00 S +-Rule Palestine 2055 only - May 1 2:00 1:00 S +-Rule Palestine 2056 only - Apr 22 2:00 1:00 S +-Rule Palestine 2057 only - Apr 7 2:00 1:00 S +-Rule Palestine 2058 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2054 only - May 23 2:00 1:00 S ++Rule Palestine 2055 only - May 8 2:00 1:00 S ++Rule Palestine 2056 only - Apr 29 2:00 1:00 S ++Rule Palestine 2057 only - Apr 14 2:00 1:00 S ++Rule Palestine 2058 only - Apr 6 2:00 1:00 S ++Rule Palestine 2059 max - Mar Sat<=30 2:00 1:00 S + Rule Palestine 2068 only - Oct 20 2:00 0 - + Rule Palestine 2069 only - Oct 12 2:00 0 - + Rule Palestine 2070 only - Oct 4 2:00 0 - + Rule Palestine 2071 only - Sep 19 2:00 0 - + Rule Palestine 2072 only - Sep 10 2:00 0 - +-Rule Palestine 2072 only - Oct 15 
2:00 1:00 S ++Rule Palestine 2072 only - Oct 22 2:00 1:00 S ++Rule Palestine 2072 max - Oct Sat<=30 2:00 0 - + Rule Palestine 2073 only - Sep 2 2:00 0 - +-Rule Palestine 2073 only - Oct 7 2:00 1:00 S ++Rule Palestine 2073 only - Oct 14 2:00 1:00 S + Rule Palestine 2074 only - Aug 18 2:00 0 - +-Rule Palestine 2074 only - Sep 29 2:00 1:00 S ++Rule Palestine 2074 only - Oct 6 2:00 1:00 S + Rule Palestine 2075 only - Aug 10 2:00 0 - +-Rule Palestine 2075 only - Sep 14 2:00 1:00 S +-Rule Palestine 2075 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2075 only - Sep 21 2:00 1:00 S + Rule Palestine 2076 only - Jul 25 2:00 0 - +-Rule Palestine 2076 only - Sep 5 2:00 1:00 S ++Rule Palestine 2076 only - Sep 12 2:00 1:00 S + Rule Palestine 2077 only - Jul 17 2:00 0 - +-Rule Palestine 2077 only - Aug 28 2:00 1:00 S ++Rule Palestine 2077 only - Sep 4 2:00 1:00 S + Rule Palestine 2078 only - Jul 9 2:00 0 - +-Rule Palestine 2078 only - Aug 13 2:00 1:00 S ++Rule Palestine 2078 only - Aug 20 2:00 1:00 S + Rule Palestine 2079 only - Jun 24 2:00 0 - +-Rule Palestine 2079 only - Aug 5 2:00 1:00 S ++Rule Palestine 2079 only - Aug 12 2:00 1:00 S + Rule Palestine 2080 only - Jun 15 2:00 0 - +-Rule Palestine 2080 only - Jul 20 2:00 1:00 S ++Rule Palestine 2080 only - Jul 27 2:00 1:00 S + Rule Palestine 2081 only - Jun 7 2:00 0 - +-Rule Palestine 2081 only - Jul 12 2:00 1:00 S ++Rule Palestine 2081 only - Jul 19 2:00 1:00 S + Rule Palestine 2082 only - May 23 2:00 0 - +-Rule Palestine 2082 only - Jul 4 2:00 1:00 S ++Rule Palestine 2082 only - Jul 11 2:00 1:00 S + Rule Palestine 2083 only - May 15 2:00 0 - +-Rule Palestine 2083 only - Jun 19 2:00 1:00 S ++Rule Palestine 2083 only - Jun 26 2:00 1:00 S + Rule Palestine 2084 only - Apr 29 2:00 0 - +-Rule Palestine 2084 only - Jun 10 2:00 1:00 S ++Rule Palestine 2084 only - Jun 17 2:00 1:00 S + Rule Palestine 2085 only - Apr 21 2:00 0 - +-Rule Palestine 2085 only - Jun 2 2:00 1:00 S ++Rule Palestine 2085 only - Jun 9 2:00 1:00 S + Rule Palestine 
2086 only - Apr 13 2:00 0 - +-Rule Palestine 2086 only - May 18 2:00 1:00 S ++Rule Palestine 2086 only - May 25 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +@@ -3604,7 +3628,7 @@ + + # Philippines + +-# From Paul Eggert (2018-11-18): ++# From Paul Eggert (2024-01-21): + # The Spanish initially used American (west-of-Greenwich) time. + # It is unknown what time Manila kept when the British occupied it from + # 1762-10-06 through 1764-04; for now assume it kept American time. +@@ -3612,7 +3636,7 @@ + # Philippines, issued a proclamation announcing that 1844-12-30 was to + # be immediately followed by 1845-01-01; see R.H. van Gent's + # History of the International Date Line +-# https://www.staff.science.uu.nl/~gent0113/idl/idl_philippines.htm ++# https://webspace.science.uu.nl/~gent0113/idl/idl_philippines.htm + # The rest of the data entries are from Shanks & Pottenger. + + # From Jesper Nørgaard Welen (2006-04-26): +@@ -4039,7 +4063,8 @@ + # The English-language name of Vietnam's most populous city is "Ho Chi Minh + # City"; use Ho_Chi_Minh below to avoid a name of more than 14 characters. + +-# From Paul Eggert (2022-07-27) after a 2014 heads-up from Trần Ngọc Quân: ++# From Paul Eggert (2024-01-14) after a 2014 heads-up from Trần Ngọc Quân ++# and a 2024-01-14 heads-up from Đoàn Trần Công Danh: + # Trần Tiến Bình's authoritative book "Lịch Việt Nam: thế kỷ XX-XXI (1901-2100)" + # (Nhà xuất bản Văn Hoá - Thông Tin, Hanoi, 2005), pp 49-50, + # is quoted verbatim in: +@@ -4069,14 +4094,35 @@ + # + # Trần cites the following sources; it's unclear which supplied the info above. + # +-# Hoàng Xuân Hãn: "Lịch và lịch Việt Nam". Tập san Khoa học Xã hội, +-# No. 9, Paris, February 1982. ++# Hoàng Xuân Hãn: "Lịch và lịch Việt Nam". Tập san Khoa học Xã hội, ++# No. 9, Paris, February 1982. ++# ++# Lê Thành Lân: "Lịch và niên biểu lịch sử hai mươi thế kỷ (0001-2010)", ++# NXB Thống kê, Hanoi, 2000. 
+ # +-# Lê Thành Lân: "Lịch và niên biểu lịch sử hai mươi thế kỷ (0001-2010)", +-# NXB Thống kê, Hanoi, 2000. ++# Lê Thành Lân: "Lịch hai thế kỷ (1802-2010) và các lịch vĩnh cửu", ++# NXB Thuận Hoá, Huế, 1995. + # +-# Lê Thành Lân: "Lịch hai thế kỷ (1802-2010) và các lịch vĩnh cửu", +-# NXB Thuận Hoá, Huế, 1995. ++# Here is the decision for the September 1945 transition: ++# Võ Nguyên Giáp, Việt Nam Dân Quốc Công Báo, No. 1 (1945-09-29), page 13 ++# http://baochi.nlv.gov.vn/baochi/cgi-bin/baochi?a=d&d=JwvzO19450929.2.5&dliv=none ++# It says that on 1945-09-01 at 24:00, Vietnam moved back two hours, to +07. ++# It also mentions a 1945-03-29 decree (by a Japanese Goveror-General) ++# to set the time zone to +09, but does not say whether that decree ++# merely legalized an earlier change to +09. ++# ++# July 1955 transition: ++# Ngô Đình Diệm, Công Báo Việt Nam, No. 92 (1955-07-02), page 1780-1781 ++# Ordinance (Dụ) No. 46 (1955-06-25) ++# http://ddsnext.crl.edu/titles/32341#?c=0&m=29&s=0&cv=4&r=0&xywh=-89%2C342%2C1724%2C1216 ++# It says that on 1955-07-01 at 01:00, South Vietnam moved back 1 hour (to +07). ++# ++# December 1959 transition: ++# Ngô Đình Diệm, Công Báo Việt Nam Cộng Hòa, 1960 part 1 (1960-01-02), page 62 ++# Decree (Sắc lệnh) No. 362-TTP (1959-12-30) ++# http://ddsnext.crl.edu/titles/32341#?c=0&m=138&s=0&cv=793&r=0&xywh=-54%2C1504%2C1705%2C1202 ++# It says that on 1959-12-31 at 23:00, South Vietnam moved forward 1 hour (to +08). 
++ + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + #STDOFF 7:06:30.13 +@@ -4084,9 +4130,9 @@ + 7:06:30 - PLMT 1911 May 1 # Phù Liễn MT + 7:00 - +07 1942 Dec 31 23:00 + 8:00 - +08 1945 Mar 14 23:00 +- 9:00 - +09 1945 Sep 2 ++ 9:00 - +09 1945 Sep 1 24:00 + 7:00 - +07 1947 Apr 1 +- 8:00 - +08 1955 Jul 1 ++ 8:00 - +08 1955 Jul 1 01:00 + 7:00 - +07 1959 Dec 31 23:00 + 8:00 - +08 1975 Jun 13 + 7:00 - +07 +--- contrib/tzdata/australasia.orig ++++ contrib/tzdata/australasia +@@ -391,8 +391,14 @@ + # Please note that there will not be any daylight savings time change + # in Fiji for 2022-2023.... + # https://www.facebook.com/FijianGovernment/posts/pfbid0mmWVTYmTibn66ybpFda75pDcf34SSpoSaskJW5gXwaKo5Sgc7273Q4fXWc6kQV6Hl ++ ++# From Almaz Mingaleev (2023-10-06): ++# Cabinet approved the suspension of Daylight Saving and appropriate ++# legislative changes will be considered including the repeal of the ++# Daylight Saving Act 1998 ++# https://www.fiji.gov.fj/Media-Centre/Speeches/English/CABINET-DECISIONS-3-OCTOBER-2023 + # +-# From Paul Eggert (2022-10-27): ++# From Paul Eggert (2023-10-06): + # For now, assume DST is suspended indefinitely. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +@@ -414,11 +420,11 @@ + + # French Polynesia + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Pacific/Gambier -8:59:48 - LMT 1912 Oct # Rikitea ++Zone Pacific/Gambier -8:59:48 - LMT 1912 Oct 1 # Rikitea + -9:00 - -09 +-Zone Pacific/Marquesas -9:18:00 - LMT 1912 Oct ++Zone Pacific/Marquesas -9:18:00 - LMT 1912 Oct 1 + -9:30 - -0930 +-Zone Pacific/Tahiti -9:58:16 - LMT 1912 Oct # Papeete ++Zone Pacific/Tahiti -9:58:16 - LMT 1912 Oct 1 # Papeete + -10:00 - -10 + # Clipperton (near North America) is administered from French Polynesia; + # it is uninhabited. 
+@@ -796,7 +802,7 @@ + # Solomon Is + # excludes Bougainville, for which see Papua New Guinea + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Pacific/Guadalcanal 10:39:48 - LMT 1912 Oct # Honiara ++Zone Pacific/Guadalcanal 10:39:48 - LMT 1912 Oct 1 # Honiara + 11:00 - +11 + + # Tokelau +@@ -957,6 +963,10 @@ + # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94. + # https://www.jstor.org/stable/1774359 + # ++# For the 1911/1912 establishment of standard time in French possessions, see: ++# Société Française de Physique, Recueil de constantes physiques (1913), ++# page 752, 18b. ++# + # A reliable and entertaining source about time zones is + # Derek Howse, Greenwich time and longitude, Philip Wilson Publishers (1997). + # +@@ -2033,7 +2043,7 @@ + # ordaining - by a masterpiece of diplomatic flattery - that + # the Fourth of July should be celebrated twice in that year." + # This happened in 1892, according to the Evening News (Sydney) of 1892-07-20. +-# https://www.staff.science.uu.nl/~gent0113/idl/idl.htm ++# https://webspace.science.uu.nl/~gent0113/idl/idl_alaska_samoa.htm + + # Although Shanks & Pottenger says they both switched to UT -11:30 + # in 1911, and to -11 in 1950. 
many earlier sources give -11 +--- contrib/tzdata/backward.orig ++++ contrib/tzdata/backward +@@ -205,7 +205,6 @@ + Link Pacific/Port_Moresby Antarctica/DumontDUrville + Link Pacific/Auckland Antarctica/McMurdo + Link Asia/Riyadh Antarctica/Syowa +-Link Asia/Urumqi Antarctica/Vostok + Link Europe/Berlin Arctic/Longyearbyen + Link Asia/Riyadh Asia/Aden + Link Asia/Qatar Asia/Bahrain +--- contrib/tzdata/backzone.orig ++++ contrib/tzdata/backzone +@@ -963,35 +963,6 @@ + Zone Antarctica/Syowa 0 - -00 1957 Jan 29 + 3:00 - +03 + +-# Vostok, Antarctica +-# +-# Vostok, since 1957-12-16, temporarily closed 1994-02/1994-11 +-# From Craig Mundell (1994-12-15): +-# http://quest.arc.nasa.gov/antarctica/QA/computers/Directions,Time,ZIP +-# Vostok, which is one of the Russian stations, is set on the same +-# time as Moscow, Russia. +-# +-# From Lee Hotz (2001-03-08): +-# I queried the folks at Columbia who spent the summer at Vostok and this is +-# what they had to say about time there: +-# "in the US Camp (East Camp) we have been on New Zealand (McMurdo) +-# time, which is 12 hours ahead of GMT. The Russian Station Vostok was +-# 6 hours behind that (although only 2 miles away, i.e. 6 hours ahead +-# of GMT). This is a time zone I think two hours east of Moscow. The +-# natural time zone is in between the two: 8 hours ahead of GMT." +-# +-# From Paul Eggert (2001-05-04): +-# This seems to be hopelessly confusing, so I asked Lee Hotz about it +-# in person. He said that some Antarctic locations set their local +-# time so that noon is the warmest part of the day, and that this +-# changes during the year and does not necessarily correspond to mean +-# solar noon. So the Vostok time might have been whatever the clocks +-# happened to be during their visit. So we still don't really know what time +-# it is at Vostok. But we'll guess +06. 
+-# +-Zone Antarctica/Vostok 0 - -00 1957 Dec 16 +- 6:00 - +06 +- + # Yemen + # Milne says 2:59:54 was the meridian of the saluting battery at Aden, + # and that Yemen was at 1:55:56, the meridian of the Hagia Sophia. +--- /dev/null ++++ contrib/tzdata/checknow.awk +@@ -0,0 +1,54 @@ ++# Check zonenow.tab for consistency with primary data. ++ ++# Contributed by Paul Eggert. This file is in the public domain. ++ ++function record_zone(zone, data) { ++ if (zone) { ++ zone_data[zone] = data ++ zones[data] = zones[data] " " zone ++ } ++} ++ ++BEGIN { ++ while (getline >"/dev/stderr" + status = 1 +@@ -110,7 +110,7 @@ + used_max_cc = cc + } + } +- if (used_max <= 1 && comments) { ++ if (used_max <= 1 && comments && zone_table != "zonenow.tab") { + printf "%s:%d: unnecessary comment '%s'\n", \ + zone_table, i, comments \ + >>"/dev/stderr" +@@ -149,7 +149,8 @@ + if ($3 ~ /%/) rulePercentUsed[$2] = 1 + } + if (tz && tz ~ /\// && tz !~ /^Etc\//) { +- if (!tztab[tz] && FILENAME != "backward") { ++ if (!tztab[tz] && FILENAME != "backward" \ ++ && zone_table != "zonenow.tab") { + printf "%s: no data for '%s'\n", zone_table, tz \ + >>"/dev/stderr" + status = 1 +--- contrib/tzdata/etcetera.orig ++++ contrib/tzdata/etcetera +@@ -5,7 +5,7 @@ + + # These entries are for uses not otherwise covered by the tz database. + # Their main practical use is for platforms like Android that lack +-# support for POSIX-style TZ strings. On such platforms these entries ++# support for POSIX.1-2017-style TZ strings. On such platforms these entries + # can be useful if the timezone database is wrong or if a ship or + # aircraft at sea is not in a timezone. + +--- contrib/tzdata/europe.orig ++++ contrib/tzdata/europe +@@ -990,9 +990,34 @@ + # Czech Republic (Czechia) + # Slovakia + # +-# From Paul Eggert (2018-04-15): +-# The source for Czech data is: Kdy začíná a končí letní čas. 2018-04-15. 
++# From Ivan Benovic (2024-01-30): ++# https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/1946/54/ ++# (This is an official link to the Czechoslovak Summer Time Act of ++# March 8, 1946 that authorizes the Czechoslovak government to set the ++# exact dates of change to summer time and back to Central European Time. ++# The act also implicitly confirms Central European Time as the ++# official time zone of Czechoslovakia and currently remains in force ++# in both the Czech Republic and Slovakia.) ++# https://www.psp.cz/eknih/1945pns/tisky/t0216_00.htm ++# (This is a link to the original legislative proposal dating back to ++# February 22, 1946. The accompanying memorandum to the proposal says ++# that an advisory committee on European railroad transportation that ++# met in Brussels in October 1945 decided that the change of time ++# should be carried out in all participating countries in a strictly ++# coordinated manner....) ++# ++# From Paul Eggert (2024-01-30): ++# The source for Czech data is: Kdy začíná a končí letní čas. + # https://kalendar.beda.cz/kdy-zacina-a-konci-letni-cas ++# Its main text disagrees with its quoted sources only in 1918, ++# where the main text says spring and autumn transitions ++# occurred at 02:00 and 03:00 respectively (as usual), ++# whereas the 1918 source "Oznámení o zavedení letního času v roce 1918" ++# says transitions were at 01:00 and 02:00 respectively. ++# As the 1918 source appears to be a humorous piece, and it is ++# unlikely that Prague would have disagreed with its neighbors by an hour, ++# go with the main text for now. ++# + # We know of no English-language name for historical Czech winter time; + # abbreviate it as "GMT", as it happened to be GMT. + # +@@ -1123,6 +1148,23 @@ + # 2. The shift *from* DST in 2023 happens as normal, but coincides with the + # shift to UTC-02 normaltime (people will not change their clocks here). + # 3. After this, DST is still observed, but as -02/-01 instead of -03/-02. 
++# ++# From Múte Bourup Egede via Jógvan Svabo Samuelsen (2023-03-15): ++# Greenland will not switch to Daylight Saving Time this year, 2023, ++# because the standard time for Greenland will change from UTC -3 to UTC -2. ++# However, Greenland will change to Daylight Saving Time again in 2024 ++# and onwards. ++ ++# From a contributor who wishes to remain anonymous for now (2023-10-29): ++# https://www.dr.dk/nyheder/seneste/i-nat-skal-uret-stilles-en-time-tilbage-men-foerste-gang-sker-det-ikke-i-groenland ++# with a link to that page: ++# https://naalakkersuisut.gl/Nyheder/2023/10/2710_sommertid ++# ... Ittoqqortoormiit joins the time of Nuuk at March 2024. ++# What would mean that America/Scoresbysund would either be in -01 year round ++# or in -02/-01 like America/Nuuk, but no longer in -01/+00. ++# ++# From Paul Eggert (2023-10-29): ++# For now, assume it will be like America/Nuuk. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D +@@ -1143,10 +1185,12 @@ + Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit + -2:00 - -02 1980 Apr 6 2:00 + -2:00 C-Eur -02/-01 1981 Mar 29 +- -1:00 EU -01/+00 ++ -1:00 EU -01/+00 2024 Mar 31 ++ -2:00 EU -02/-01 + Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb + -3:00 - -03 1980 Apr 6 2:00 +- -3:00 EU -03/-02 2023 Oct 29 1:00u ++ -3:00 EU -03/-02 2023 Mar 26 1:00u ++ -2:00 - -02 2023 Oct 29 1:00u + -2:00 EU -02/-01 + Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik + -4:00 Thule A%sT +@@ -3711,11 +3755,7 @@ + # and not at 3:00 as would have been under EU rules. + # This is why I have set the change to EU rules into May 1996, + # so that the change in March is stil covered by the Ukraine rule. +-# The next change in October 1996 happened under EU rules.... +-# TZ database holds three other zones for Ukraine.... 
I have not yet +-# worked out the consequences for these three zones, as we (me and my +-# US colleague David Cochrane) are still trying to get more +-# information upon these local deviations from Kiev rules. ++# The next change in October 1996 happened under EU rules. + # + # From Paul Eggert (2022-08-27): + # For now, assume that Ukraine's zones all followed the same rules, +--- contrib/tzdata/leap-seconds.list.orig ++++ contrib/tzdata/leap-seconds.list +@@ -1,255 +1,120 @@ ++# ATOMIC TIME. ++# The Coordinated Universal Time (UTC) is the reference time scale derived ++# from The "Temps Atomique International" (TAI) calculated by the Bureau ++# International des Poids et Mesures (BIPM) using a worldwide network of atomic ++# clocks. UTC differs from TAI by an integer number of seconds; it is the basis ++# of all activities in the world. + # +-# In the following text, the symbol '#' introduces +-# a comment, which continues from that symbol until +-# the end of the line. A plain comment line has a +-# whitespace character following the comment indicator. +-# There are also special comment lines defined below. +-# A special comment will always have a non-whitespace +-# character in column 2. +-# +-# A blank line should be ignored. +-# +-# The following table shows the corrections that must +-# be applied to compute International Atomic Time (TAI) +-# from the Coordinated Universal Time (UTC) values that +-# are transmitted by almost all time services. +-# +-# The first column shows an epoch as a number of seconds +-# since 1 January 1900, 00:00:00 (1900.0 is also used to +-# indicate the same epoch.) Both of these time stamp formats +-# ignore the complexities of the time scales that were +-# used before the current definition of UTC at the start +-# of 1972. (See note 3 below.) +-# The second column shows the number of seconds that +-# must be added to UTC to compute TAI for any timestamp +-# at or after that epoch. 
The value on each line is +-# valid from the indicated initial instant until the +-# epoch given on the next one or indefinitely into the +-# future if there is no next line. +-# (The comment on each line shows the representation of +-# the corresponding initial epoch in the usual +-# day-month-year format. The epoch always begins at +-# 00:00:00 UTC on the indicated day. See Note 5 below.) +-# +-# Important notes: +-# +-# 1. Coordinated Universal Time (UTC) is often referred to +-# as Greenwich Mean Time (GMT). The GMT time scale is no +-# longer used, and the use of GMT to designate UTC is +-# discouraged. +-# +-# 2. The UTC time scale is realized by many national +-# laboratories and timing centers. Each laboratory +-# identifies its realization with its name: Thus +-# UTC(NIST), UTC(USNO), etc. The differences among +-# these different realizations are typically on the +-# order of a few nanoseconds (i.e., 0.000 000 00x s) +-# and can be ignored for many purposes. These differences +-# are tabulated in Circular T, which is published monthly +-# by the International Bureau of Weights and Measures +-# (BIPM). See www.bipm.org for more information. +-# +-# 3. The current definition of the relationship between UTC +-# and TAI dates from 1 January 1972. A number of different +-# time scales were in use before that epoch, and it can be +-# quite difficult to compute precise timestamps and time +-# intervals in those "prehistoric" days. For more information, +-# consult: +-# +-# The Explanatory Supplement to the Astronomical +-# Ephemeris. +-# or +-# Terry Quinn, "The BIPM and the Accurate Measurement +-# of Time," Proc. of the IEEE, Vol. 79, pp. 894-905, +-# July, 1991. +-# reprinted in: +-# Christine Hackman and Donald B Sullivan (eds.) +-# Time and Frequency Measurement +-# American Association of Physics Teachers (1996) +-# , pp. 75-86 +-# +-# 4. 
The decision to insert a leap second into UTC is currently +-# the responsibility of the International Earth Rotation and +-# Reference Systems Service. (The name was changed from the +-# International Earth Rotation Service, but the acronym IERS +-# is still used.) +-# +-# Leap seconds are announced by the IERS in its Bulletin C. +-# +-# See www.iers.org for more details. +-# +-# Every national laboratory and timing center uses the +-# data from the BIPM and the IERS to construct UTC(lab), +-# their local realization of UTC. +-# +-# Although the definition also includes the possibility +-# of dropping seconds ("negative" leap seconds), this has +-# never been done and is unlikely to be necessary in the +-# foreseeable future. +-# +-# 5. If your system keeps time as the number of seconds since +-# some epoch (e.g., NTP timestamps), then the algorithm for +-# assigning a UTC time stamp to an event that happens during a positive +-# leap second is not well defined. The official name of that leap +-# second is 23:59:60, but there is no way of representing that time +-# in these systems. +-# Many systems of this type effectively stop the system clock for +-# one second during the leap second and use a time that is equivalent +-# to 23:59:59 UTC twice. For these systems, the corresponding TAI +-# timestamp would be obtained by advancing to the next entry in the +-# following table when the time equivalent to 23:59:59 UTC +-# is used for the second time. Thus the leap second which +-# occurred on 30 June 1972 at 23:59:59 UTC would have TAI +-# timestamps computed as follows: +-# +-# ... +-# 30 June 1972 23:59:59 (2287785599, first time): TAI= UTC + 10 seconds +-# 30 June 1972 23:59:60 (2287785599,second time): TAI= UTC + 11 seconds +-# 1 July 1972 00:00:00 (2287785600) TAI= UTC + 11 seconds +-# ... 
+-# +-# If your system realizes the leap second by repeating 00:00:00 UTC twice +-# (this is possible but not usual), then the advance to the next entry +-# in the table must occur the second time that a time equivalent to +-# 00:00:00 UTC is used. Thus, using the same example as above: +-# +-# ... +-# 30 June 1972 23:59:59 (2287785599): TAI= UTC + 10 seconds +-# 30 June 1972 23:59:60 (2287785600, first time): TAI= UTC + 10 seconds +-# 1 July 1972 00:00:00 (2287785600,second time): TAI= UTC + 11 seconds +-# ... +-# +-# in both cases the use of timestamps based on TAI produces a smooth +-# time scale with no discontinuity in the time interval. However, +-# although the long-term behavior of the time scale is correct in both +-# methods, the second method is technically not correct because it adds +-# the extra second to the wrong day. +-# +-# This complexity would not be needed for negative leap seconds (if they +-# are ever used). The UTC time would skip 23:59:59 and advance from +-# 23:59:58 to 00:00:00 in that case. The TAI offset would decrease by +-# 1 second at the same instant. This is a much easier situation to deal +-# with, since the difficulty of unambiguously representing the epoch +-# during the leap second does not arise. +-# +-# Some systems implement leap seconds by amortizing the leap second +-# over the last few minutes of the day. The frequency of the local +-# clock is decreased (or increased) to realize the positive (or +-# negative) leap second. This method removes the time step described +-# above. Although the long-term behavior of the time scale is correct +-# in this case, this method introduces an error during the adjustment +-# period both in time and in frequency with respect to the official +-# definition of UTC. 
+-# +-# Questions or comments to: +-# Judah Levine +-# Time and Frequency Division +-# NIST +-# Boulder, Colorado +-# Judah.Levine@nist.gov +-# +-# Last Update of leap second values: 8 July 2016 +-# +-# The following line shows this last update date in NTP timestamp +-# format. This is the date on which the most recent change to +-# the leap second data was added to the file. This line can +-# be identified by the unique pair of characters in the first two +-# columns as shown below. +-# +-#$ 3676924800 +-# +-# The NTP timestamps are in units of seconds since the NTP epoch, +-# which is 1 January 1900, 00:00:00. The Modified Julian Day number +-# corresponding to the NTP time stamp, X, can be computed as +-# +-# X/86400 + 15020 +-# +-# where the first term converts seconds to days and the second +-# term adds the MJD corresponding to the time origin defined above. +-# The integer portion of the result is the integer MJD for that +-# day, and any remainder is the time of day, expressed as the +-# fraction of the day since 0 hours UTC. The conversion from day +-# fraction to seconds or to hours, minutes, and seconds may involve +-# rounding or truncation, depending on the method used in the +-# computation. +-# +-# The data in this file will be updated periodically as new leap +-# seconds are announced. In addition to being entered on the line +-# above, the update time (in NTP format) will be added to the basic +-# file name leap-seconds to form the name leap-seconds.. +-# In addition, the generic name leap-seconds.list will always point to +-# the most recent version of the file. +-# +-# This update procedure will be performed only when a new leap second +-# is announced. +-# +-# The following entry specifies the expiration date of the data +-# in this file in units of seconds since the origin at the instant +-# 1 January 1900, 00:00:00. This expiration date will be changed +-# at least twice per year whether or not a new leap second is +-# announced. 
These semi-annual changes will be made no later +-# than 1 June and 1 December of each year to indicate what +-# action (if any) is to be taken on 30 June and 31 December, +-# respectively. (These are the customary effective dates for new +-# leap seconds.) This expiration date will be identified by a +-# unique pair of characters in columns 1 and 2 as shown below. +-# In the unlikely event that a leap second is announced with an +-# effective date other than 30 June or 31 December, then this +-# file will be edited to include that leap second as soon as it is +-# announced or at least one month before the effective date +-# (whichever is later). +-# If an announcement by the IERS specifies that no leap second is +-# scheduled, then only the expiration date of the file will +-# be advanced to show that the information in the file is still +-# current -- the update time stamp, the data and the name of the file +-# will not change. +-# +-# Updated through IERS Bulletin C65 +-# File expires on: 28 December 2023 +-# +-#@ 3912710400 +-# +-2272060800 10 # 1 Jan 1972 +-2287785600 11 # 1 Jul 1972 +-2303683200 12 # 1 Jan 1973 +-2335219200 13 # 1 Jan 1974 +-2366755200 14 # 1 Jan 1975 +-2398291200 15 # 1 Jan 1976 +-2429913600 16 # 1 Jan 1977 +-2461449600 17 # 1 Jan 1978 +-2492985600 18 # 1 Jan 1979 +-2524521600 19 # 1 Jan 1980 +-2571782400 20 # 1 Jul 1981 +-2603318400 21 # 1 Jul 1982 +-2634854400 22 # 1 Jul 1983 +-2698012800 23 # 1 Jul 1985 +-2776982400 24 # 1 Jan 1988 +-2840140800 25 # 1 Jan 1990 +-2871676800 26 # 1 Jan 1991 +-2918937600 27 # 1 Jul 1992 +-2950473600 28 # 1 Jul 1993 +-2982009600 29 # 1 Jul 1994 +-3029443200 30 # 1 Jan 1996 +-3076704000 31 # 1 Jul 1997 +-3124137600 32 # 1 Jan 1999 +-3345062400 33 # 1 Jan 2006 +-3439756800 34 # 1 Jan 2009 +-3550089600 35 # 1 Jul 2012 +-3644697600 36 # 1 Jul 2015 +-3692217600 37 # 1 Jan 2017 +-# +-# the following special comment contains the +-# hash value of the data in this file computed +-# use the secure hash algorithm as 
specified +-# by FIPS 180-1. See the files in ~/pub/sha for +-# the details of how this hash value is +-# computed. Note that the hash computation +-# ignores comments and whitespace characters +-# in data lines. It includes the NTP values +-# of both the last modification time and the +-# expiration time of the file, but not the +-# white space on those lines. +-# the hash line is also ignored in the +-# computation. +-# +-#h e76a99dc 65f15cc7 e613e040 f5078b5e b23834fe ++# ++# ASTRONOMICAL TIME (UT1) is the time scale based on the rate of rotation of the earth. ++# It is now mainly derived from Very Long Baseline Interferometry (VLBI). The various ++# irregular fluctuations progressively detected in the rotation rate of the Earth lead ++# in 1972 to the replacement of UT1 by UTC as the reference time scale. ++# ++# ++# LEAP SECOND ++# Atomic clocks are more stable than the rate of the earth rotation since the latter ++# undergoes a full range of geophysical perturbations at various time scales: lunisolar ++# and core-mantle torques, atmospheric and oceanic effetcs, etc. ++# Leap seconds are needed to keep the two time scales in agreement, i.e. UT1-UTC smaller ++# than 0.9 second. Therefore, when necessary a "leap second" is applied to UTC. ++# Since the adoption of this system in 1972 it has been necessary to add a number of seconds to UTC, ++# firstly due to the initial choice of the value of the second (1/86400 mean solar day of ++# the year 1820) and secondly to the general slowing down of the Earth's rotation. It is ++# theorically possible to have a negative leap second (a second removed from UTC), but so far, ++# all leap seconds have been positive (a second has been added to UTC). Based on what we know about ++# the earth's rotation, it is unlikely that we will ever have a negative leap second. ++# ++# ++# HISTORY ++# The first leap second was added on June 30, 1972. 
Until yhe year 2000, it was necessary in average to add a ++# leap second at a rate of 1 to 2 years. Since the year 2000 leap seconds are introduced with an ++# average interval of 3 to 4 years due to the acceleration of the Earth rotation speed. ++# ++# ++# RESPONSABILITY OF THE DECISION TO INTRODUCE A LEAP SECOND IN UTC ++# The decision to introduce a leap second in UTC is the responsibility of the Earth Orientation Center of ++# the International Earth Rotation and reference System Service (IERS). This center is located at Paris ++# Observatory. According to international agreements, leap seconds should only be scheduled for certain dates: ++# first preference is given to the end of December and June, and second preference at the end of March ++# and September. Since the introduction of leap seconds in 1972, only dates in June and December were used. ++# ++# Questions or comments to: ++# Christian Bizouard: christian.bizouard@obspm.fr ++# Earth orientation Center of the IERS ++# Paris Observatory, France ++# ++# ++# ++# COPYRIGHT STATUS OF THIS FILE ++# This file is in the public domain. ++# ++# ++# VALIDITY OF THE FILE ++# It is important to express the validity of the file. These next two dates are ++# given in units of seconds since 1900.0. ++# ++# 1) Last update of the file. ++# ++# Updated through IERS Bulletin C (https://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat) ++# ++# The following line shows the last update of this file in NTP timestamp: ++# ++#$ 3913697179 ++# ++# 2) Expiration date of the file given on a semi-annual basis: last June or last December ++# ++# File expires on 28 December 2024 ++# ++# Expire date in NTP timestamp: ++# ++#@ 3944332800 ++# ++# ++# LIST OF LEAP SECONDS ++# NTP timestamp (X parameter) is the number of seconds since 1900.0 ++# ++# MJD: The Modified Julian Day number. 
MJD = X/86400 + 15020 ++# ++# DTAI: The difference DTAI= TAI-UTC in units of seconds ++# It is the quantity to add to UTC to get the time in TAI ++# ++# Day Month Year : epoch in clear ++# ++#NTP Time DTAI Day Month Year ++# ++2272060800 10 # 1 Jan 1972 ++2287785600 11 # 1 Jul 1972 ++2303683200 12 # 1 Jan 1973 ++2335219200 13 # 1 Jan 1974 ++2366755200 14 # 1 Jan 1975 ++2398291200 15 # 1 Jan 1976 ++2429913600 16 # 1 Jan 1977 ++2461449600 17 # 1 Jan 1978 ++2492985600 18 # 1 Jan 1979 ++2524521600 19 # 1 Jan 1980 ++2571782400 20 # 1 Jul 1981 ++2603318400 21 # 1 Jul 1982 ++2634854400 22 # 1 Jul 1983 ++2698012800 23 # 1 Jul 1985 ++2776982400 24 # 1 Jan 1988 ++2840140800 25 # 1 Jan 1990 ++2871676800 26 # 1 Jan 1991 ++2918937600 27 # 1 Jul 1992 ++2950473600 28 # 1 Jul 1993 ++2982009600 29 # 1 Jul 1994 ++3029443200 30 # 1 Jan 1996 ++3076704000 31 # 1 Jul 1997 ++3124137600 32 # 1 Jan 1999 ++3345062400 33 # 1 Jan 2006 ++3439756800 34 # 1 Jan 2009 ++3550089600 35 # 1 Jul 2012 ++3644697600 36 # 1 Jul 2015 ++3692217600 37 # 1 Jan 2017 ++# ++# A hash code has been generated to be able to verify the integrity ++# of this file. For more information about using this hash code, ++# please see the readme file in the 'source' directory : ++# https://hpiers.obspm.fr/iers/bul/bulc/ntp/sources/README ++# ++#h 9dac5845 8acd32c0 2947d462 daf4a943 f58d9391 +--- contrib/tzdata/leapseconds.orig ++++ contrib/tzdata/leapseconds +@@ -3,13 +3,10 @@ + # This file is in the public domain. + + # This file is generated automatically from the data in the public-domain +-# NIST format leap-seconds.list file, which can be copied from +-# +-# or . +-# The NIST file is used instead of its IERS upstream counterpart ++# NIST/IERS format leap-seconds.list file, which can be copied from + # +-# because under US law the NIST file is public domain +-# whereas the IERS file's copyright and license status is unclear. ++# or, in a variant with different comments, from ++# . 
+ # For more about leap-seconds.list, please see + # The NTP Timescale and Leap Seconds + # . +@@ -72,11 +69,11 @@ + # Any additional leap seconds will come after this. + # This Expires line is commented out for now, + # so that pre-2020a zic implementations do not reject this file. +-#Expires 2023 Dec 28 00:00:00 ++#Expires 2024 Dec 28 00:00:00 + + # POSIX timestamps for the data in this file: +-#updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1703721600 (2023-12-28 00:00:00 UTC) ++#updated 1704708379 (2024-01-08 10:06:19 UTC) ++#expires 1735344000 (2024-12-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C65 +-# File expires on: 28 December 2023 ++# Updated through IERS Bulletin C (https://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat) ++# File expires on 28 December 2024 +--- contrib/tzdata/leapseconds.awk.orig ++++ contrib/tzdata/leapseconds.awk +@@ -1,4 +1,4 @@ +-# Generate zic format 'leapseconds' from NIST format 'leap-seconds.list'. ++# Generate zic format 'leapseconds' from NIST/IERS format 'leap-seconds.list'. + + # This file is in the public domain. + +@@ -21,13 +21,10 @@ + print "# This file is in the public domain." + print "" + print "# This file is generated automatically from the data in the public-domain" +- print "# NIST format leap-seconds.list file, which can be copied from" +- print "# " +- print "# or ." +- print "# The NIST file is used instead of its IERS upstream counterpart" ++ print "# NIST/IERS format leap-seconds.list file, which can be copied from" + print "# " +- print "# because under US law the NIST file is public domain" +- print "# whereas the IERS file's copyright and license status is unclear." ++ print "# or, in a variant with different comments, from" ++ print "# ." + print "# For more about leap-seconds.list, please see" + print "# The NTP Timescale and Leap Seconds" + print "# ." 
+--- contrib/tzdata/northamerica.orig ++++ contrib/tzdata/northamerica +@@ -1268,6 +1268,10 @@ + # + # [PDF] (1914-03) + # ++# For the 1911/1912 establishment of standard time in French possessions, see: ++# Société Française de Physique, Recueil de constantes physiques (1913), ++# page 752, 18b. ++# + # See the 'europe' file for Greenland. + + # Canada +@@ -1354,7 +1358,7 @@ + # From Paul Eggert (2014-10-18): + # H. David Matthews and Mary Vincent's map + # "It's about TIME", _Canadian Geographic_ (September-October 1998) +-# http://www.canadiangeographic.ca/Magazine/SO98/alacarte.asp ++# https://web.archive.org/web/19990827055050/https://canadiangeographic.ca/SO98/geomap.htm + # contains detailed boundaries for regions observing nonstandard + # time and daylight saving time arrangements in Canada circa 1998. + # +@@ -1453,7 +1457,7 @@ + Rule StJohns 2007 2011 - Mar Sun>=8 0:01 1:00 D + Rule StJohns 2007 2010 - Nov Sun>=1 0:01 0 S + # +-# St John's has an apostrophe, but Posix file names can't have apostrophes. ++# St John's has an apostrophe, but POSIX file names can't have apostrophes. + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone America/St_Johns -3:30:52 - LMT 1884 + -3:30:52 StJohns N%sT 1918 +@@ -1642,6 +1646,15 @@ + # Some cities in the United States have pushed the deadline back + # three weeks and will change over from daylight saving in October. + ++# From Chris Walton (2024-01-09): ++# The [Toronto] changes in 1947, 1948, and 1949 took place at 2:00 a.m. local ++# time instead of midnight.... Toronto Daily Star - ... ++# April 2, 1947 - Page 39 ... April 7, 1948 - Page 13 ... ++# April 2, 1949 - Page 1 ... April 7, 1949 - Page 24 ... ++# November 25, 1949 - Page 52 ... April 21, 1950 - Page 14 ... ++# September 19, 1950 - Page 46 ... September 20, 1950 - Page 3 ... 
++# November 24, 1950 - Page 21 ++ + # From Arthur David Olson (2010-07-17): + # + # "Standard Time and Time Zones in Canada" appeared in +@@ -1703,13 +1716,9 @@ + Rule Toronto 1928 1937 - Apr Sun>=25 2:00 1:00 D + Rule Toronto 1938 1940 - Apr lastSun 2:00 1:00 D + Rule Toronto 1938 1939 - Sep lastSun 2:00 0 S +-Rule Toronto 1945 1946 - Sep lastSun 2:00 0 S +-Rule Toronto 1946 only - Apr lastSun 2:00 1:00 D +-Rule Toronto 1947 1949 - Apr lastSun 0:00 1:00 D +-Rule Toronto 1947 1948 - Sep lastSun 0:00 0 S +-Rule Toronto 1949 only - Nov lastSun 0:00 0 S +-Rule Toronto 1950 1973 - Apr lastSun 2:00 1:00 D +-Rule Toronto 1950 only - Nov lastSun 2:00 0 S ++Rule Toronto 1945 1948 - Sep lastSun 2:00 0 S ++Rule Toronto 1946 1973 - Apr lastSun 2:00 1:00 D ++Rule Toronto 1949 1950 - Nov lastSun 2:00 0 S + Rule Toronto 1951 1956 - Sep lastSun 2:00 0 S + # Shanks & Pottenger say Toronto ended DST a week early in 1971, + # namely on 1971-10-24, but Mark Brader wrote (2003-05-31) that this +@@ -3432,7 +3441,7 @@ + # Martinique + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone America/Martinique -4:04:20 - LMT 1890 # Fort-de-France +- -4:04:20 - FFMT 1911 May # Fort-de-France MT ++ -4:04:20 - FFMT 1911 May 1 # Fort-de-France MT + -4:00 - AST 1980 Apr 6 + -4:00 1:00 ADT 1980 Sep 28 + -4:00 - AST +@@ -3539,7 +3548,7 @@ + # St Pierre and Miquelon + # There are too many St Pierres elsewhere, so we'll use 'Miquelon'. + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Miquelon -3:44:40 - LMT 1911 May 15 # St Pierre ++Zone America/Miquelon -3:44:40 - LMT 1911 Jun 15 # St Pierre + -4:00 - AST 1980 May + -3:00 - -03 1987 + -3:00 Canada -03/-02 +--- contrib/tzdata/southamerica.orig ++++ contrib/tzdata/southamerica +@@ -1570,8 +1570,11 @@ + -3:00 - -03 + + # French Guiana ++# For the 1911/1912 establishment of standard time in French possessions, see: ++# Société Française de Physique, Recueil de constantes physiques (1913), ++# page 752, 18b. 
+ # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Cayenne -3:29:20 - LMT 1911 Jul ++Zone America/Cayenne -3:29:20 - LMT 1911 Jul 1 + -4:00 - -04 1967 Oct + -3:00 - -03 + +@@ -1697,6 +1700,12 @@ + # From Carlos Raúl Perasso (2014-02-28): + # Decree 1264 can be found at: + # http://www.presidencia.gov.py/archivos/documentos/DECRETO1264_ey9r8zai.pdf ++# ++# From Paul Eggert (2023-07-26): ++# Transition dates are now set by Law No. 7115, not by presidential decree. ++# https://www.abc.com.py/politica/2023/07/12/promulgacion-el-cambio-de-hora-sera-por-ley/ ++# From Carlos Raúl Perasso (2023-07-27): ++# http://silpy.congreso.gov.py/descarga/ley-144138 + Rule Para 2013 max - Mar Sun>=22 0:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] +--- contrib/tzdata/theory.html.orig ++++ contrib/tzdata/theory.html +@@ -95,7 +95,7 @@ + Edition. + Because the database's scope encompasses real-world changes to civil + timekeeping, its model for describing time is more complex than the +-standard and daylight saving times supported by POSIX. ++standard and daylight saving times supported by POSIX.1-2017. + A tz timezone corresponds to a ruleset that can + have more than two changes per year, these changes need not merely + flip back and forth between two alternatives, and the rules themselves +@@ -187,7 +187,7 @@ + href="https://en.wikipedia.org/wiki/ASCII">ASCII letters, + '.', '-' and '_'. + Do not use digits, as that might create an ambiguity with POSIX ++ href="https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03">POSIX.1-2017 + TZ strings. + A file name component must not exceed 14 characters or start with + '-'. +@@ -362,6 +362,11 @@ + but conforms to the older-version guidelines related to ISO 3166-1; + it lists only one country code per entry and unlike zone1970.tab + it can list names defined in backward. 
++Applications that process only timestamps from now on can instead use the file ++zonenow.tab, which partitions the world more coarsely, ++into regions where clocks agree now and in the predicted future; ++this file is smaller and simpler than zone1970.tab ++and zone.tab. +

+ +

+@@ -373,7 +378,7 @@ + and no great weight should be attached to whether a link + is defined in backward or in some other file. + The source file etcetera defines names that may be useful +-on platforms that do not support POSIX-style TZ strings; ++on platforms that do not support POSIX.1-2017-style TZ strings; + no other source file other than backward + contains links to its zones. + One of etcetera's names is Etc/UTC, +@@ -421,7 +426,7 @@ + expression [-+[:alnum:]]{3,6} should match the + abbreviation. + This guarantees that all abbreviations could have been specified by a +- POSIX TZ string. ++ POSIX.1-2017 TZ string. +

+ +
  • +@@ -765,12 +770,12 @@ + calendar with 24-hour days. These divergences range from + relatively minor, such as Japanese bars giving times like "24:30" for the + wee hours of the morning, to more-significant differences such as the ++ href="https://theworld.org/stories/2015-01-30/if-you-have-meeting-ethiopia-you-better-double-check-time">the + east African practice of starting the day at dawn, renumbering + the Western 06:00 to be 12:00. These practices are largely outside + the scope of the tz code and data, which + provide only limited support for date and time localization +- such as that required by POSIX. ++ such as that required by POSIX.1-2017. + If DST is not used a different time zone + can often do the trick; for example, in Kenya a TZ setting + like <-03>3 or America/Cayenne starts +@@ -867,23 +872,23 @@ + an older zic. +

    + +-

    POSIX properties and limitations

    ++

    POSIX.1-2017 properties and limitations

    +
      +
    • +

      +- In POSIX, time display in a process is controlled by the ++ In POSIX.1-2017, time display in a process is controlled by the + environment variable TZ. +- Unfortunately, the POSIX ++ Unfortunately, the POSIX.1-2017 + TZ string takes a form that is hard to describe and + is error-prone in practice. +- Also, POSIX TZ strings cannot deal with daylight ++ Also, POSIX.1-2017 TZ strings cannot deal with daylight + saving time rules not based on the Gregorian calendar (as in + Morocco), or with situations where more than two time zone + abbreviations or UT offsets are used in an area. +

      + +

      +- The POSIX TZ string takes the following form: ++ The POSIX.1-2017 TZ string takes the following form: +

      + +

      +@@ -950,7 +955,7 @@ + + +

      +- Here is an example POSIX TZ string for New ++ Here is an example POSIX.1-2017 TZ string for New + Zealand after 2007. + It says that standard time (NZST) is 12 hours ahead + of UT, and that daylight saving time +@@ -961,7 +966,7 @@ +

      TZ='NZST-12NZDT,M9.5.0,M4.1.0/3'
      + +

      +- This POSIX TZ string is hard to remember, and ++ This POSIX.1-2017 TZ string is hard to remember, and + mishandles some timestamps before 2008. + With this package you can use this instead: +

      +@@ -999,7 +1004,7 @@ + limit phone calls to off-peak hours. +
    • +
    • +- POSIX provides no convenient and efficient way to determine ++ POSIX.1-2017 provides no convenient and efficient way to determine + the UT offset and time zone abbreviation of arbitrary + timestamps, particularly for timezones + that do not fit into the POSIX model. +@@ -1026,14 +1031,14 @@ +
    • +
    + +-

    Extensions to POSIX in the ++

    Extensions to POSIX.1-2017 in the + tz code

    +
      +
    • +

      + The TZ environment variable is used in generating + the name of a file from which time-related information is read +- (or is interpreted à la POSIX); TZ is no longer ++ (or is interpreted à la POSIX.1-2017); TZ is no longer + constrained to be a string containing abbreviations + and numeric data as described above. + The file's format is TZif, +--- contrib/tzdata/version.orig ++++ contrib/tzdata/version +@@ -1 +1 @@ +-2023c ++2024a +--- contrib/tzdata/zishrink.awk.orig ++++ contrib/tzdata/zishrink.awk +@@ -162,7 +162,7 @@ + # Process the input line LINE and save it for later output. + + function process_input_line(line, \ +- f, field, end, i, n, r, startdef, \ ++ f, field, end, n, outline, r, \ + linkline, ruleline, zoneline) + { + # Remove comments, normalize spaces, and append a space to each line. +@@ -199,8 +199,10 @@ + } + + # Abbreviate "max", "min", "only" and month names. +- gsub(/ max /, " ma ", line) +- gsub(/ min /, " mi ", line) ++ # Although "max" and "min" can both be abbreviated to just "m", ++ # the longer forms "ma" and "mi" are needed with zic 2023d and earlier. ++ gsub(/ max /, dataform == "vanguard" ? " m " : " ma ", line) ++ gsub(/ min /, dataform == "vanguard" ? " m " : " mi ", line) + gsub(/ only /, " o ", line) + gsub(/ Jan /, " Ja ", line) + gsub(/ Feb /, " F ", line) +@@ -234,66 +236,96 @@ + rule_used[r] = 1 + } + +- # If this zone supersedes an earlier one, delete the earlier one +- # from the saved output lines. +- startdef = "" + if (zoneline) + zonename = startdef = field[2] + else if (linkline) + zonename = startdef = field[3] + else if (ruleline) + zonename = "" +- if (startdef) { +- i = zonedef[startdef] +- if (i) { +- do +- output_line[i - 1] = "" +- while (output_line[i++] ~ /^[-+0-9]/); +- } +- } +- zonedef[zonename] = nout + 1 + +- # Save the line for later output. +- output_line[nout++] = make_line(n, field) ++ # Save the information for later output. 
++ outline = make_line(n, field) ++ if (ruleline) ++ rule_output_line[nrule_out++] = outline ++ else if (linkline) { ++ # In vanguard format with Gawk, links are output sorted by destination. ++ if (dataform == "vanguard" && PROCINFO["version"]) ++ linkdef[zonename] = field[2] ++ else ++ link_output_line[nlink_out++] = outline ++ }else ++ zonedef[zonename] = (zoneline ? "" : zonedef[zonename] "\n") outline + } + + function omit_unused_rules( \ + i, field) + { +- for (i = 0; i < nout; i++) { +- split(output_line[i], field) +- if (field[1] == "R" && !rule_used[field[2]]) { +- output_line[i] = "" +- } ++ for (i = 0; i < nrule_out; i++) { ++ split(rule_output_line[i], field) ++ if (!rule_used[field[2]]) ++ rule_output_line[i] = "" + } + } + + function abbreviate_rule_names( \ +- abbr, f, field, i, n, r) ++ abbr, f, field, i, n, newdef, newline, r, \ ++ zoneline, zonelines, zonename) + { +- for (i = 0; i < nout; i++) { +- n = split(output_line[i], field) ++ for (i = 0; i < nrule_out; i++) { ++ n = split(rule_output_line[i], field) + if (n) { +- f = field[1] == "Z" ? 4 : field[1] == "L" ? 0 : 2 +- r = field[f] ++ r = field[2] + if (r ~ /^[^-+0-9]/) { + abbr = rule[r] + if (!abbr) { + rule[r] = abbr = gen_rule_name(r) + } +- field[f] = abbr +- output_line[i] = make_line(n, field) ++ field[2] = abbr ++ rule_output_line[i] = make_line(n, field) + } + } + } ++ for (zonename in zonedef) { ++ zonelines = split(zonedef[zonename], zoneline, /\n/) ++ newdef = "" ++ for (i = 1; i <= zonelines; i++) { ++ newline = zoneline[i] ++ n = split(newline, field) ++ f = i == 1 ? 4 : 2 ++ r = rule[field[f]] ++ if (r) { ++ field[f] = r ++ newline = make_line(n, field) ++ } ++ newdef = (newdef ? 
newdef "\n" : "") newline ++ } ++ zonedef[zonename] = newdef ++ } + } + + function output_saved_lines( \ +- i) ++ i, zonename) + { +- for (i = 0; i < nout; i++) +- if (output_line[i]) +- print output_line[i] ++ for (i = 0; i < nrule_out; i++) ++ if (rule_output_line[i]) ++ print rule_output_line[i] ++ ++ # When using gawk, output zones sorted by name. ++ # This makes the output a bit more compressible. ++ PROCINFO["sorted_in"] = "@ind_str_asc" ++ for (zonename in zonedef) ++ print zonedef[zonename] ++ ++ if (nlink_out) ++ for (i = 0; i < nlink_out; i++) ++ print link_output_line[i] ++ else { ++ # When using gawk, output links sorted by destination. ++ # This also helps compressibility a bit. ++ PROCINFO["sorted_in"] = "@val_type_asc" ++ for (zonename in linkdef) ++ printf "L %s %s\n", linkdef[zonename], zonename ++ } + } + + BEGIN { +--- contrib/tzdata/zone.tab.orig ++++ contrib/tzdata/zone.tab +@@ -48,7 +48,7 @@ + AR -2447-06525 America/Argentina/Salta Salta (SA, LP, NQ, RN) + AR -2411-06518 America/Argentina/Jujuy Jujuy (JY) + AR -2649-06513 America/Argentina/Tucuman Tucuman (TM) +-AR -2828-06547 America/Argentina/Catamarca Catamarca (CT); Chubut (CH) ++AR -2828-06547 America/Argentina/Catamarca Catamarca (CT), Chubut (CH) + AR -2926-06651 America/Argentina/La_Rioja La Rioja (LR) + AR -3132-06831 America/Argentina/San_Juan San Juan (SJ) + AR -3253-06849 America/Argentina/Mendoza Mendoza (MZ) +@@ -87,7 +87,7 @@ + BO -1630-06809 America/La_Paz + BQ +120903-0681636 America/Kralendijk + BR -0351-03225 America/Noronha Atlantic islands +-BR -0127-04829 America/Belem Para (east); Amapa ++BR -0127-04829 America/Belem Para (east), Amapa + BR -0343-03830 America/Fortaleza Brazil (northeast: MA, PI, CE, RN, PB) + BR -0803-03454 America/Recife Pernambuco + BR -0712-04812 America/Araguaina Tocantins +@@ -107,21 +107,21 @@ + BW -2439+02555 Africa/Gaborone + BY +5354+02734 Europe/Minsk + BZ +1730-08812 America/Belize +-CA +4734-05243 America/St_Johns Newfoundland; Labrador 
(southeast) +-CA +4439-06336 America/Halifax Atlantic - NS (most areas); PE ++CA +4734-05243 America/St_Johns Newfoundland, Labrador (SE) ++CA +4439-06336 America/Halifax Atlantic - NS (most areas), PE + CA +4612-05957 America/Glace_Bay Atlantic - NS (Cape Breton) + CA +4606-06447 America/Moncton Atlantic - New Brunswick + CA +5320-06025 America/Goose_Bay Atlantic - Labrador (most areas) + CA +5125-05707 America/Blanc-Sablon AST - QC (Lower North Shore) +-CA +4339-07923 America/Toronto Eastern - ON, QC (most areas) ++CA +4339-07923 America/Toronto Eastern - ON & QC (most areas) + CA +6344-06828 America/Iqaluit Eastern - NU (most areas) +-CA +484531-0913718 America/Atikokan EST - ON (Atikokan); NU (Coral H) +-CA +4953-09709 America/Winnipeg Central - ON (west); Manitoba ++CA +484531-0913718 America/Atikokan EST - ON (Atikokan), NU (Coral H) ++CA +4953-09709 America/Winnipeg Central - ON (west), Manitoba + CA +744144-0944945 America/Resolute Central - NU (Resolute) + CA +624900-0920459 America/Rankin_Inlet Central - NU (central) + CA +5024-10439 America/Regina CST - SK (most areas) + CA +5017-10750 America/Swift_Current CST - SK (midwest) +-CA +5333-11328 America/Edmonton Mountain - AB; BC (E); NT (E); SK (W) ++CA +5333-11328 America/Edmonton Mountain - AB, BC(E), NT(E), SK(W) + CA +690650-1050310 America/Cambridge_Bay Mountain - NU (west) + CA +682059-1334300 America/Inuvik Mountain - NT (west) + CA +4906-11631 America/Creston MST - BC (Creston) +@@ -207,8 +207,8 @@ + HU +4730+01905 Europe/Budapest + ID -0610+10648 Asia/Jakarta Java, Sumatra + ID -0002+10920 Asia/Pontianak Borneo (west, central) +-ID -0507+11924 Asia/Makassar Borneo (east, south); Sulawesi/Celebes, Bali, Nusa Tengarra; Timor (west) +-ID -0232+14042 Asia/Jayapura New Guinea (West Papua / Irian Jaya); Malukus/Moluccas ++ID -0507+11924 Asia/Makassar Borneo (east, south), Sulawesi/Celebes, Bali, Nusa Tengarra, Timor (west) ++ID -0232+14042 Asia/Jayapura New Guinea (West Papua / Irian Jaya), 
Malukus/Moluccas + IE +5320-00615 Europe/Dublin + IL +314650+0351326 Asia/Jerusalem + IM +5409-00428 Europe/Isle_of_Man +@@ -355,7 +355,7 @@ + RU +643337+1431336 Asia/Ust-Nera MSK+07 - Oymyakonsky + RU +5934+15048 Asia/Magadan MSK+08 - Magadan + RU +4658+14242 Asia/Sakhalin MSK+08 - Sakhalin Island +-RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); N Kuril Is ++RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E), N Kuril Is + RU +5301+15839 Asia/Kamchatka MSK+09 - Kamchatka + RU +6445+17729 Asia/Anadyr MSK+09 - Bering Sea + RW -0157+03004 Africa/Kigali +@@ -418,7 +418,7 @@ + US +465042-1012439 America/North_Dakota/New_Salem Central - ND (Morton rural) + US +471551-1014640 America/North_Dakota/Beulah Central - ND (Mercer) + US +394421-1045903 America/Denver Mountain (most areas) +-US +433649-1161209 America/Boise Mountain - ID (south); OR (east) ++US +433649-1161209 America/Boise Mountain - ID (south), OR (east) + US +332654-1120424 America/Phoenix MST - AZ (except Navajo) + US +340308-1181434 America/Los_Angeles Pacific + US +611305-1495401 America/Anchorage Alaska (most areas) +--- contrib/tzdata/zone1970.tab.orig ++++ contrib/tzdata/zone1970.tab +@@ -38,7 +38,7 @@ + #country- + #codes coordinates TZ comments + AD +4230+00131 Europe/Andorra +-AE,OM,RE,SC,TF +2518+05518 Asia/Dubai Crozet, Scattered Is ++AE,OM,RE,SC,TF +2518+05518 Asia/Dubai Crozet + AF +3431+06912 Asia/Kabul + AL +4120+01950 Europe/Tirane + AM +4011+04430 Asia/Yerevan +@@ -48,12 +48,13 @@ + AQ -6448-06406 Antarctica/Palmer Palmer + AQ -6734-06808 Antarctica/Rothera Rothera + AQ -720041+0023206 Antarctica/Troll Troll ++AQ -7824+10654 Antarctica/Vostok Vostok + AR -3436-05827 America/Argentina/Buenos_Aires Buenos Aires (BA, CF) + AR -3124-06411 America/Argentina/Cordoba most areas: CB, CC, CN, ER, FM, MN, SE, SF + AR -2447-06525 America/Argentina/Salta Salta (SA, LP, NQ, RN) + AR -2411-06518 America/Argentina/Jujuy Jujuy (JY) + AR -2649-06513 America/Argentina/Tucuman Tucumán (TM) +-AR 
-2828-06547 America/Argentina/Catamarca Catamarca (CT); Chubut (CH) ++AR -2828-06547 America/Argentina/Catamarca Catamarca (CT), Chubut (CH) + AR -2926-06651 America/Argentina/La_Rioja La Rioja (LR) + AR -3132-06831 America/Argentina/San_Juan San Juan (SJ) + AR -3253-06849 America/Argentina/Mendoza Mendoza (MZ) +@@ -82,7 +83,7 @@ + BM +3217-06446 Atlantic/Bermuda + BO -1630-06809 America/La_Paz + BR -0351-03225 America/Noronha Atlantic islands +-BR -0127-04829 America/Belem Pará (east); Amapá ++BR -0127-04829 America/Belem Pará (east), Amapá + BR -0343-03830 America/Fortaleza Brazil (northeast: MA, PI, CE, RN, PB) + BR -0803-03454 America/Recife Pernambuco + BR -0712-04812 America/Araguaina Tocantins +@@ -100,19 +101,19 @@ + BT +2728+08939 Asia/Thimphu + BY +5354+02734 Europe/Minsk + BZ +1730-08812 America/Belize +-CA +4734-05243 America/St_Johns Newfoundland; Labrador (southeast) +-CA +4439-06336 America/Halifax Atlantic - NS (most areas); PE ++CA +4734-05243 America/St_Johns Newfoundland, Labrador (SE) ++CA +4439-06336 America/Halifax Atlantic - NS (most areas), PE + CA +4612-05957 America/Glace_Bay Atlantic - NS (Cape Breton) + CA +4606-06447 America/Moncton Atlantic - New Brunswick + CA +5320-06025 America/Goose_Bay Atlantic - Labrador (most areas) +-CA,BS +4339-07923 America/Toronto Eastern - ON, QC (most areas) ++CA,BS +4339-07923 America/Toronto Eastern - ON & QC (most areas) + CA +6344-06828 America/Iqaluit Eastern - NU (most areas) +-CA +4953-09709 America/Winnipeg Central - ON (west); Manitoba ++CA +4953-09709 America/Winnipeg Central - ON (west), Manitoba + CA +744144-0944945 America/Resolute Central - NU (Resolute) + CA +624900-0920459 America/Rankin_Inlet Central - NU (central) + CA +5024-10439 America/Regina CST - SK (most areas) + CA +5017-10750 America/Swift_Current CST - SK (midwest) +-CA +5333-11328 America/Edmonton Mountain - AB; BC (E); NT (E); SK (W) ++CA +5333-11328 America/Edmonton Mountain - AB, BC(E), NT(E), SK(W) + CA +690650-1050310 
America/Cambridge_Bay Mountain - NU (west) + CA +682059-1334300 America/Inuvik Mountain - NT (west) + CA +5546-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) +@@ -127,7 +128,7 @@ + CL -5309-07055 America/Punta_Arenas Region of Magallanes + CL -2709-10926 Pacific/Easter Easter Island + CN +3114+12128 Asia/Shanghai Beijing Time +-CN,AQ +4348+08735 Asia/Urumqi Xinjiang Time, Vostok ++CN +4348+08735 Asia/Urumqi Xinjiang Time + CO +0436-07405 America/Bogota + CR +0956-08405 America/Costa_Rica + CU +2308-08222 America/Havana +@@ -172,8 +173,8 @@ + HU +4730+01905 Europe/Budapest + ID -0610+10648 Asia/Jakarta Java, Sumatra + ID -0002+10920 Asia/Pontianak Borneo (west, central) +-ID -0507+11924 Asia/Makassar Borneo (east, south); Sulawesi/Celebes, Bali, Nusa Tengarra; Timor (west) +-ID -0232+14042 Asia/Jayapura New Guinea (West Papua / Irian Jaya); Malukus/Moluccas ++ID -0507+11924 Asia/Makassar Borneo (east, south), Sulawesi/Celebes, Bali, Nusa Tengarra, Timor (west) ++ID -0232+14042 Asia/Jayapura New Guinea (West Papua / Irian Jaya), Malukus/Moluccas + IE +5320-00615 Europe/Dublin + IL +314650+0351326 Asia/Jerusalem + IN +2232+08822 Asia/Kolkata +@@ -252,7 +253,7 @@ + PL +5215+02100 Europe/Warsaw + PM +4703-05620 America/Miquelon + PN -2504-13005 Pacific/Pitcairn +-PR,AG,CA,AI,AW,BL,BQ,CW,DM,GD,GP,KN,LC,MF,MS,SX,TT,VC,VG,VI +182806-0660622 America/Puerto_Rico AST ++PR,AG,CA,AI,AW,BL,BQ,CW,DM,GD,GP,KN,LC,MF,MS,SX,TT,VC,VG,VI +182806-0660622 America/Puerto_Rico AST - QC (Lower North Shore) + PS +3130+03428 Asia/Gaza Gaza Strip + PS +313200+0350542 Asia/Hebron West Bank + PT +3843-00908 Europe/Lisbon Portugal (mainland) +@@ -288,7 +289,7 @@ + RU +643337+1431336 Asia/Ust-Nera MSK+07 - Oymyakonsky + RU +5934+15048 Asia/Magadan MSK+08 - Magadan + RU +4658+14242 Asia/Sakhalin MSK+08 - Sakhalin Island +-RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); N Kuril Is ++RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E), N Kuril Is + RU +5301+15839 Asia/Kamchatka 
MSK+09 - Kamchatka + RU +6445+17729 Asia/Anadyr MSK+09 - Bering Sea + SA,AQ,KW,YE +2438+04643 Asia/Riyadh Syowa +@@ -330,7 +331,7 @@ + US +465042-1012439 America/North_Dakota/New_Salem Central - ND (Morton rural) + US +471551-1014640 America/North_Dakota/Beulah Central - ND (Mercer) + US +394421-1045903 America/Denver Mountain (most areas) +-US +433649-1161209 America/Boise Mountain - ID (south); OR (east) ++US +433649-1161209 America/Boise Mountain - ID (south), OR (east) + US,CA +332654-1120424 America/Phoenix MST - AZ (most areas), Creston BC + US +340308-1181434 America/Los_Angeles Pacific + US +611305-1495401 America/Anchorage Alaska (most areas) +--- /dev/null ++++ contrib/tzdata/zonenow.tab +@@ -0,0 +1,303 @@ ++# tzdb timezone descriptions, for users who do not care about old timestamps ++# ++# This file is in the public domain. ++# ++# From Paul Eggert (2023-12-18): ++# This file contains a table where each row stands for a timezone ++# where civil timestamps are predicted to agree from now on. ++# This file is like zone1970.tab (see zone1970.tab's coments), ++# but with the following changes: ++# ++# 1. Each timezone corresponds to a set of clocks that are planned ++# to agree from now on. This is a larger set of clocks than in ++# zone1970.tab, where each timezone's clocks must agree from 1970 on. ++# 2. The first column is irrelevant and ignored. ++# 3. The table is sorted in a different way: ++# first by standard time UTC offset; ++# then, if DST is used, by daylight saving UTC offset; ++# then by time zone abbreviation. ++# 4. Every timezone has a nonempty comments column, with wording ++# distinguishing the timezone only from other timezones with the ++# same UTC offset at some point during the year. ++# ++# The format of this table is experimental, and may change in future versions. ++# ++# This table is intended as an aid for users, to help them select timezones ++# appropriate for their practical needs. 
It is not intended to take or ++# endorse any position on legal or territorial claims. ++# ++#XX coordinates TZ comments ++# ++# -11 - SST ++XX -1416-17042 Pacific/Pago_Pago Midway; Samoa ("SST") ++# ++# -11 ++XX -1901-16955 Pacific/Niue Niue ++# ++# -10 - HST ++XX +211825-1575130 Pacific/Honolulu Hawaii ("HST") ++# ++# -10 ++XX -1732-14934 Pacific/Tahiti Tahiti; Cook Islands ++# ++# -10/-09 - HST / HDT (North America DST) ++XX +515248-1763929 America/Adak western Aleutians in Alaska ("HST/HDT") ++# ++# -09:30 ++XX -0900-13930 Pacific/Marquesas Marquesas ++# ++# -09 ++XX -2308-13457 Pacific/Gambier Gambier ++# ++# -09/-08 - AKST/AKDT (North America DST) ++XX +611305-1495401 America/Anchorage most of Alaska ("AKST/AKDT") ++# ++# -08 ++XX -2504-13005 Pacific/Pitcairn Pitcairn ++# ++# -08/-07 - PST/PDT (North America DST) ++XX +340308-1181434 America/Los_Angeles Pacific ("PST/PDT") - US & Canada; Mexico near US border ++# ++# -07 - MST ++XX +332654-1120424 America/Phoenix Mountain Standard ("MST") - Arizona; western Mexico; Yukon ++# ++# -07/-06 - MST/MDT (North America DST) ++XX +394421-1045903 America/Denver Mountain ("MST/MDT") - US & Canada; Mexico near US border ++# ++# -06 ++XX -0054-08936 Pacific/Galapagos Galápagos ++# ++# -06 - CST ++XX +1924-09909 America/Mexico_City Central Standard ("CST") - Saskatchewan; central Mexico; Central America ++# ++# -06/-05 (Chile DST) ++XX -2709-10926 Pacific/Easter Easter Island ++# ++# -06/-05 - CST/CDT (North America DST) ++XX +415100-0873900 America/Chicago Central ("CST/CDT") - US & Canada; Mexico near US border ++# ++# -05 ++XX -1203-07703 America/Lima eastern South America ++# ++# -05 - EST ++XX +175805-0764736 America/Jamaica Eastern Standard ("EST") - Caymans; Jamaica; eastern Mexico; Panama ++# ++# -05/-04 - CST/CDT (Cuba DST) ++XX +2308-08222 America/Havana Cuba ++# ++# -05/-04 - EST/EDT (North America DST) ++XX +404251-0740023 America/New_York Eastern ("EST/EDT") - US & Canada ++# ++# -04 ++XX +1030-06656 
America/Caracas western South America ++# ++# -04 - AST ++XX +1828-06954 America/Santo_Domingo Atlantic Standard ("AST") - eastern Caribbean ++# ++# -04/-03 (Chile DST) ++XX -3327-07040 America/Santiago most of Chile ++# ++# -04/-03 (Paraguay DST) ++XX -2516-05740 America/Asuncion Paraguay ++# ++# -04/-03 - AST/ADT (North America DST) ++XX +4439-06336 America/Halifax Atlantic ("AST/ADT") - Canada; Bermuda ++# ++# -03:30/-02:30 - NST/NDT (North America DST) ++XX +4734-05243 America/St_Johns Newfoundland ("NST/NDT") ++# ++# -03 ++XX -2332-04637 America/Sao_Paulo eastern South America ++# ++# -03/-02 (North America DST) ++XX +4703-05620 America/Miquelon St Pierre & Miquelon ++# ++# -02 ++XX -0351-03225 America/Noronha Fernando de Noronha; South Georgia ++# ++# -02/-01 (EU DST) ++XX +6411-05144 America/Nuuk most of Greenland ++# ++# -01 ++XX +1455-02331 Atlantic/Cape_Verde Cape Verde ++# ++# -01/+00 (EU DST) ++XX +3744-02540 Atlantic/Azores Azores ++# -01/+00 (EU DST) until 2024-03-31; then -02/-01 (EU DST) ++XX +7029-02158 America/Scoresbysund Ittoqqortoormiit ++# ++# +00 - GMT ++XX +0519-00402 Africa/Abidjan far western Africa; Iceland ("GMT") ++# ++# +00/+01 - GMT/BST (EU DST) ++XX +513030-0000731 Europe/London United Kingdom ("GMT/BST") ++# ++# +00/+01 - WET/WEST (EU DST) ++XX +3843-00908 Europe/Lisbon western Europe ("WET/WEST") ++# ++# +00/+02 - Troll DST ++XX -720041+0023206 Antarctica/Troll Troll Station in Antarctica ++# ++# +01 - CET ++XX +3647+00303 Africa/Algiers Algeria, Tunisia ("CET") ++# ++# +01 - WAT ++XX +0627+00324 Africa/Lagos western Africa ("WAT") ++# ++# +01/+00 - IST/GMT (EU DST in reverse) ++XX +5320-00615 Europe/Dublin Ireland ("IST/GMT") ++# ++# +01/+00 - (Morocco DST) ++XX +3339-00735 Africa/Casablanca Morocco ++# ++# +01/+02 - CET/CEST (EU DST) ++XX +4852+00220 Europe/Paris central Europe ("CET/CEST") ++# ++# +02 - CAT ++XX -2558+03235 Africa/Maputo central Africa ("CAT") ++# ++# +02 - EET ++XX +3254+01311 Africa/Tripoli Libya; Kaliningrad 
("EET") ++# ++# +02 - SAST ++XX -2615+02800 Africa/Johannesburg southern Africa ("SAST") ++# ++# +02/+03 - EET/EEST (EU DST) ++XX +3758+02343 Europe/Athens eastern Europe ("EET/EEST") ++# ++# +02/+03 - EET/EEST (Egypt DST) ++XX +3003+03115 Africa/Cairo Egypt ++# ++# +02/+03 - EET/EEST (Lebanon DST) ++XX +3353+03530 Asia/Beirut Lebanon ++# ++# +02/+03 - EET/EEST (Moldova DST) ++XX +4700+02850 Europe/Chisinau Moldova ++# ++# +02/+03 - EET/EEST (Palestine DST) ++XX +3130+03428 Asia/Gaza Palestine ++# ++# +02/+03 - IST/IDT (Israel DST) ++XX +314650+0351326 Asia/Jerusalem Israel ++# ++# +03 ++XX +4101+02858 Europe/Istanbul Near East; Belarus ++# ++# +03 - EAT ++XX -0117+03649 Africa/Nairobi eastern Africa ("EAT") ++# ++# +03 - MSK ++XX +554521+0373704 Europe/Moscow Moscow ("MSK") ++# ++# +03:30 ++XX +3540+05126 Asia/Tehran Iran ++# ++# +04 ++XX +2518+05518 Asia/Dubai Russia; Caucasus; Persian Gulf; Seychelles; Réunion ++# ++# +04:30 ++XX +3431+06912 Asia/Kabul Afghanistan ++# ++# +05 ++XX +4120+06918 Asia/Tashkent Russia; west Kazakhstan; Tajikistan; Turkmenistan; Uzbekistan; Maldives ++# ++# +05 - PKT ++XX +2452+06703 Asia/Karachi Pakistan ("PKT") ++# ++# +05:30 ++XX +0656+07951 Asia/Colombo Sri Lanka ++# ++# +05:30 - IST ++XX +2232+08822 Asia/Kolkata India ("IST") ++# ++# +05:45 ++XX +2743+08519 Asia/Kathmandu Nepal ++# ++# +06 ++XX +2343+09025 Asia/Dhaka Russia; Kyrgyzstan; Bhutan; Bangladesh; Chagos ++# +06 until 2024-03-01; then +05 ++XX +4315+07657 Asia/Almaty Kazakhstan (except western areas) ++# ++# +06:30 ++XX +1647+09610 Asia/Yangon Myanmar; Cocos ++# ++# +07 ++XX +1345+10031 Asia/Bangkok Russia; Indochina; Christmas Island ++# ++# +07 - WIB ++XX -0610+10648 Asia/Jakarta Indonesia ("WIB") ++# ++# +08 ++XX +0117+10351 Asia/Singapore Russia; Brunei; Malaysia; Singapore ++# ++# +08 - AWST ++XX -3157+11551 Australia/Perth Western Australia ("AWST") ++# ++# +08 - CST ++XX +3114+12128 Asia/Shanghai China ("CST") ++# ++# +08 - HKT ++XX +2217+11409 Asia/Hong_Kong Hong 
Kong ("HKT") ++# ++# +08 - PHT ++XX +1435+12100 Asia/Manila Philippines ("PHT") ++# ++# +08 - WITA ++XX -0507+11924 Asia/Makassar Indonesia ("WITA") ++# ++# +08:45 ++XX -3143+12852 Australia/Eucla Eucla ++# ++# +09 ++XX +5203+11328 Asia/Chita Russia; Palau; East Timor ++# ++# +09 - JST ++XX +353916+1394441 Asia/Tokyo Japan ("JST") ++# ++# +09 - KST ++XX +3733+12658 Asia/Seoul Korea ("KST") ++# ++# +09 - WIT ++XX -0232+14042 Asia/Jayapura Indonesia ("WIT") ++# ++# +09:30 - ACST ++XX -1228+13050 Australia/Darwin Northern Territory ("ACST") ++# ++# +09:30/+10:30 - ACST/ACDT (Australia DST) ++XX -3455+13835 Australia/Adelaide South Australia ("ACST/ACDT") ++# ++# +10 ++XX +4310+13156 Asia/Vladivostok Russia; Yap; Chuuk; Papua New Guinea; Dumont d'Urville ++# ++# +10 - AEST ++XX -2728+15302 Australia/Brisbane Queensland ("AEST") ++# ++# +10 - ChST ++XX +1328+14445 Pacific/Guam Mariana Islands ("ChST") ++# ++# +10/+11 - AEST/AEDT (Australia DST) ++XX -3352+15113 Australia/Sydney southeast Australia ("AEST/AEDT") ++# ++# +10:30/+11 ++XX -3133+15905 Australia/Lord_Howe Lord Howe Island ++# ++# +11 ++XX -0613+15534 Pacific/Bougainville Russia; Kosrae; Bougainville; Solomons ++# ++# +11/+12 (Australia DST) ++XX -2903+16758 Pacific/Norfolk Norfolk Island ++# ++# +12 ++XX +5301+15839 Asia/Kamchatka Russia; Tuvalu; Fiji; etc. 
++# ++# +12/+13 (New Zealand DST) ++XX -3652+17446 Pacific/Auckland New Zealand ("NZST/NZDT") ++# ++# +12:45/+13:45 (Chatham DST) ++XX -4357-17633 Pacific/Chatham Chatham Islands ++# ++# +13 ++XX -210800-1751200 Pacific/Tongatapu Kanton; Tokelau; Samoa (western); Tonga ++# ++# +14 ++XX +0152-15720 Pacific/Kiritimati Kiritimati +--- usr.sbin/periodic/etc/daily/480.leapfile-ntpd.orig ++++ usr.sbin/periodic/etc/daily/480.leapfile-ntpd +@@ -12,9 +12,9 @@ + + case "$daily_ntpd_leapfile_enable" in + [Yy][Ee][Ss]) +- if service ntpd oneneedfetch; then ++ if service ntpd enabled && service ntpd needfetch; then + anticongestion +- service ntpd onefetch ++ service ntpd fetch + fi + ;; + esac +--- libexec/rc/rc.conf.orig ++++ libexec/rc/rc.conf +@@ -421,8 +421,8 @@ + ntp_src_leapfile="/etc/ntp/leap-seconds" + # Initial source for ntpd leapfile + ntp_db_leapfile="/var/db/ntpd.leap-seconds.list" +- # Working copy (updated weekly) leapfile +-ntp_leapfile_sources="https://www.ietf.org/timezones/data/leap-seconds.list" ++ # Canonical place to get the leap seconds from ++ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list" + # Source from which to fetch leapfile + ntp_leapfile_fetch_opts="-mq" # Options to use for ntp leapfile fetch, + # e.g. --no-verify-peer diff --git a/website/static/security/patches/EN-24:01/tzdata-2024a.patch.asc b/website/static/security/patches/EN-24:01/tzdata-2024a.patch.asc new file mode 100644 index 0000000000..7a6b65e1aa --- /dev/null +++ b/website/static/security/patches/EN-24:01/tzdata-2024a.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQkACgkQbljekB8A +Gu9sxRAApIFupjUSxhQLOUUL3IaHMlV2IMF/nSyXjkGm5MYHmwY8r8KjrT1qMmkZ +pJArXPFzxr/mMWsGux1VyP2Z6euiYapo1l2CCSSUSbUvuWucZhq39bY6wAAbEo36 +t7XEifQ1mCnhnQIVRL3JyOzQfCQbnUWOF+xzRH5UbMCzSz1qHy5KSMgX9YN5PRqL +KPZP0RzocLfaRdZ3TjsXrjCL/8CjvWCMTQ2NNKcEdH+66Ek1g0ciOy+QEwIIa8IX +J3XNFrkkGkozm/c0J2VZgs8GU9PrHK5cAryEPBGZg+L+noE3KL/Szv8OAH4G+ZYC +c/wLsYY/vNhL56yAG43s3KSsgZXt+QtZOkSYBR9fwvMw7LBSI2y5HGeM7FncDO8n +KI1bA9G0Y2/jAnmCoKBXqqwigV6SRT3FtMEIs3nCEz1s8T6aCA76aVv0rlmvuO/m +/SvpDDc2BjVGcnpVFiNzZeWjMzOWMVqHvzRokgQuCfjTXyd0p+Cq49LROp0z/P9r +2CZK7j7cZkP8DaLi4BN1osJzWKIUuY69b6T8i6xbg2QB8KSDJuiV0/8iFkzpADvB +qexSMaLM42VgBMHkypqupXXLoFh0rOMcgMXskG5aBRZGpT12PbqkPvj7IJXulYkf +DYikNRezyXySUJ3H/AWdZhxYF4atOofFqhb6zPQQ3ASzNZPFEwk= +=KKM/ +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:02/libutil.patch b/website/static/security/patches/EN-24:02/libutil.patch new file mode 100644 index 0000000000..a53fff7d6d --- /dev/null +++ b/website/static/security/patches/EN-24:02/libutil.patch @@ -0,0 +1,11 @@ +--- lib/libutil/login_class.c.orig ++++ lib/libutil/login_class.c +@@ -546,7 +546,7 @@ + /* + * Now, we repeat some of the above for the user's private entries + */ +- if (getuid() == uid && (lc = login_getuserclass(pwd)) != NULL) { ++ if (geteuid() == uid && (lc = login_getuserclass(pwd)) != NULL) { + mymask = setlogincontext(lc, pwd, mymask, flags); + login_close(lc); + } diff --git a/website/static/security/patches/EN-24:02/libutil.patch.asc b/website/static/security/patches/EN-24:02/libutil.patch.asc new file mode 100644 index 0000000000..6569aa29fa --- /dev/null +++ b/website/static/security/patches/EN-24:02/libutil.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQsACgkQbljekB8A +Gu/OQxAAiBl7mqf/XTcGmszQhlspHof71hbkx1JC6af42EQmBDO6Cz+441m0l8MF +ppfU+TUZLjskFdHQx29XQz87GXn5xPl8uHvdQ9hj6gk1mre1naMH2H18WtqHp4er +VDmzx52qYagSb43RmLXE2pQ4oHPMwWduqwTVqYgx8Tl3WoYcw9nVfJMpGL64jg2a +FrwYNt1uI6H8Rm4NRkEALKpbj3jEe7tY3oqws/6BFDYdlIYBQE6Z4iyx95QJwJqI +jRWQgGnqArCg1LWlCrUwMo3HcMpmcPr4apIpWxrtWeu0kSNS3VFgFYhqvPy1+fMn +d6Gq6x4RjRuRmYZPWS8CGfyuphb+ZMtrblXeOBKRKn2oW7eHyoEn5/zhu3EoJdCK +i79/A2WeY3n6T/IjOW8SbdmpF78r9Il6WooXvwjUluRT/R0aQjxzCWJVYK+deHm3 +MAVVF1XwW7ZRnq727dKXREdPTWKbyMQKghQCE63IKyGO5x3RTBRBgkyC8SACX6bF +N5JKJYrjcxNOCZgqWEjROKNi91jUtd4oBPt2ZpUyr++jYriDm8/6Xv38y+ybShqG +P0j2m27teZ7xH612aVeDRPUEMIUlvv03NjYKWa1i+e20vFdFYVon5qvUyXkvcnRs +czC3MeMwaWb03mBr6p4VWadMNT+sLeqIZOqmijL2OcvDjndbZWQ= +=EzzL +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:03/kqueue.patch b/website/static/security/patches/EN-24:03/kqueue.patch new file mode 100644 index 0000000000..53bf0db7fe --- /dev/null +++ b/website/static/security/patches/EN-24:03/kqueue.patch @@ -0,0 +1,13 @@ +--- sys/kern/kern_sig.c.orig ++++ sys/kern/kern_sig.c +@@ -4291,9 +4291,7 @@ + static void + filt_sigdetach(struct knote *kn) + { +- struct proc *p = kn->kn_ptr.p_proc; +- +- knlist_remove(p->p_klist, kn, 0); ++ knlist_remove(kn->kn_knlist, kn, 0); + } + + /* diff --git a/website/static/security/patches/EN-24:03/kqueue.patch.asc b/website/static/security/patches/EN-24:03/kqueue.patch.asc new file mode 100644 index 0000000000..c0abd016fa --- /dev/null +++ b/website/static/security/patches/EN-24:03/kqueue.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQ0ACgkQbljekB8A +Gu/k3w/9HaTPxYkvTidhd/6BrWjY2SFX01k20EkW9T1GidVUQ5NcvEAabBwE18/7 +eQRJoAZjEiQUuKzh9uH8UgtQrngbeEaUkYiKXdOwV/ps91UD9vpmaHuy07mMwacM +v3pCqWgYWTZD6HoOeWkilxtiKlSdZ3Cnxvgz7UGCFTylxUqbkg/2F31LwJJ5KxFy +8RSPnwP0PZlUkDTfhqMVRt/KUVKIpg5IQ7ZVocIKxRm+XXRGgWcxdS41N4VrIwQ/ +C8DtJ/HJR3uF0WDXK+qa31oCvkhmaO6WGUHLahASqJZj86SnvEyAkcxU8GN4x5ZY +ZFqq9Rd1EIjUThnFg1SXoXLEQ60DofQQ3ibMj7uUxvakn4k+A/692k511qN/v4AP +9PEdRPFxwHcf7OF7+alqa7ssxzKcls9PSHFwQ/w9XaCmhc7xVmAWOeT8B2I0r8Yh +f32G+YBhlRmOPLA+s625Tp1qIaL1OHkEXt0wB2Ceks6lDQ48Ya+dNUAwqSzBFADc +U9kTqZLsjXQMkwieqN548010nbzOylC7TqFBUV8vTP10Qcl1ULbsHNweejaeTJTf +MVQR/6sDQftqKTSoCVxGib1iJtNqCPJFro7D3MFRLzxrRERh6KBQ7r2ucrzeq0cN +zZGibAcZc3T/1OmTomI+0h1x4fjT6AjCJDmnrX8+jTDf+MhsgJE= +=wPX7 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:04/ip.patch b/website/static/security/patches/EN-24:04/ip.patch new file mode 100644 index 0000000000..5851876f83 --- /dev/null +++ b/website/static/security/patches/EN-24:04/ip.patch 
@@ -0,0 +1,150 @@ +--- sys/netinet/in_pcb.c.orig ++++ sys/netinet/in_pcb.c +@@ -1403,26 +1403,6 @@ + } + #endif /* INET */ + +-/* +- * in_pcbdetach() is responsibe for disassociating a socket from an inpcb. +- * For most protocols, this will be invoked immediately prior to calling +- * in_pcbfree(). However, with TCP the inpcb may significantly outlive the +- * socket, in which case in_pcbfree() is deferred. +- */ +-void +-in_pcbdetach(struct inpcb *inp) +-{ +- +- KASSERT(inp->inp_socket != NULL, ("%s: inp_socket == NULL", __func__)); +- +-#ifdef RATELIMIT +- if (inp->inp_snd_tag != NULL) +- in_pcbdetach_txrtlmt(inp); +-#endif +- inp->inp_socket->so_pcb = NULL; +- inp->inp_socket = NULL; +-} +- + /* + * inpcb hash lookups are protected by SMR section. + * +@@ -1733,19 +1713,30 @@ + #endif + + INP_WLOCK_ASSERT(inp); +- KASSERT(inp->inp_socket == NULL, ("%s: inp_socket != NULL", __func__)); ++ KASSERT(inp->inp_socket != NULL, ("%s: inp_socket == NULL", __func__)); + KASSERT((inp->inp_flags & INP_FREED) == 0, + ("%s: called twice for pcb %p", __func__, inp)); + +- inp->inp_flags |= INP_FREED; ++ /* ++ * in_pcblookup_local() and in6_pcblookup_local() may return an inpcb ++ * from the hash without acquiring inpcb lock, they rely on the hash ++ * lock, thus in_pcbremhash() should be the first action. 
++ */ ++ if (inp->inp_flags & INP_INHASHLIST) ++ in_pcbremhash(inp); + INP_INFO_WLOCK(pcbinfo); + inp->inp_gencnt = ++pcbinfo->ipi_gencnt; + pcbinfo->ipi_count--; + CK_LIST_REMOVE(inp, inp_list); + INP_INFO_WUNLOCK(pcbinfo); + +- if (inp->inp_flags & INP_INHASHLIST) +- in_pcbremhash(inp); ++#ifdef RATELIMIT ++ if (inp->inp_snd_tag != NULL) ++ in_pcbdetach_txrtlmt(inp); ++#endif ++ inp->inp_flags |= INP_FREED; ++ inp->inp_socket->so_pcb = NULL; ++ inp->inp_socket = NULL; + + RO_INVALIDATE_CACHE(&inp->inp_route); + #ifdef MAC +--- sys/netinet/in_pcb.h.orig ++++ sys/netinet/in_pcb.h +@@ -670,7 +670,6 @@ + bool); + int in_pcbconnect_setup(struct inpcb *, struct sockaddr_in *, in_addr_t *, + u_short *, in_addr_t *, u_short *, struct ucred *); +-void in_pcbdetach(struct inpcb *); + void in_pcbdisconnect(struct inpcb *); + void in_pcbdrop(struct inpcb *); + void in_pcbfree(struct inpcb *); +--- sys/netinet/raw_ip.c.orig ++++ sys/netinet/raw_ip.c +@@ -860,7 +860,6 @@ + ip_rsvp_force_done(so); + if (so == V_ip_rsvpd) + ip_rsvp_done(); +- in_pcbdetach(inp); + in_pcbfree(inp); + } + +--- sys/netinet/tcp_syncache.c.orig ++++ sys/netinet/tcp_syncache.c +@@ -803,7 +803,6 @@ + } + inp = sotoinpcb(so); + if ((tp = tcp_newtcpcb(inp)) == NULL) { +- in_pcbdetach(inp); + in_pcbfree(inp); + sodealloc(so); + goto allocfail; +@@ -1051,7 +1050,6 @@ + return (NULL); + + abort: +- in_pcbdetach(inp); + in_pcbfree(inp); + sodealloc(so); + if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) { +--- sys/netinet/tcp_usrreq.c.orig ++++ sys/netinet/tcp_usrreq.c +@@ -175,7 +175,6 @@ + tp = tcp_newtcpcb(inp); + if (tp == NULL) { + error = ENOBUFS; +- in_pcbdetach(inp); + in_pcbfree(inp); + goto out; + } +@@ -213,7 +212,6 @@ + ("%s: inp %p not dropped or embryonic", __func__, inp)); + + tcp_discardcb(tp); +- in_pcbdetach(inp); + in_pcbfree(inp); + } + +--- sys/netinet/udp_usrreq.c.orig ++++ sys/netinet/udp_usrreq.c +@@ -1641,7 +1641,6 @@ + KASSERT(inp->inp_faddr.s_addr == INADDR_ANY, + 
("udp_detach: not disconnected")); + INP_WLOCK(inp); +- in_pcbdetach(inp); + in_pcbfree(inp); + } + +--- sys/netinet6/raw_ip6.c.orig ++++ sys/netinet6/raw_ip6.c +@@ -687,7 +687,6 @@ + /* xxx: RSVP */ + INP_WLOCK(inp); + free(inp->in6p_icmp6filt, M_PCB); +- in_pcbdetach(inp); + in_pcbfree(inp); + } + +--- sys/netinet6/udp6_usrreq.c.orig ++++ sys/netinet6/udp6_usrreq.c +@@ -1201,7 +1201,6 @@ + KASSERT(inp != NULL, ("udp6_detach: inp == NULL")); + + INP_WLOCK(inp); +- in_pcbdetach(inp); + in_pcbfree(inp); + } + diff --git a/website/static/security/patches/EN-24:04/ip.patch.asc b/website/static/security/patches/EN-24:04/ip.patch.asc new file mode 100644 index 0000000000..8f325e2cb3 --- /dev/null +++ b/website/static/security/patches/EN-24:04/ip.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYQ8ACgkQbljekB8A +Gu9EmBAAugzbROyodoFVhi5IqF38s1+IYOtM63VrFNED4SalgjzaJS0GQnsU0+eX +2OsGZ+7z7f8nX0Ob9+tcgLdr8i4k6V41josos6t4szGZm7aYVYF4xP3y74R5DU7/ +ps6PXxh9vxl5z73jpv6YR6Mkfq8FybCtTzCMYlqBwgT2Ei9J8KK7DMv7Go/A8O93 +SMTCmF1ky87lfeZ/YaGy+WJIudUaLCqVegelOBCtzbed3opTF6pHOSZ9VbVmzC5c +x8geUHGq6+u9fEKk5TOnaNnwspqYV8bp5s/tgmzAMloijC4z2vsUq0oHgbTtORqq +78eZQVbXDQljGPh6Ojd4PWtdFeSTBBnyLrCZkQ222uEd1P6DxpcwaqP1J3jZ15c0 +69rEBecCbJUnRGSz+rUuAyQdZIlfLWpU+xOmnkxi/obBlOBzT6dklLawSSQBqiR/ +VvFbxIjTh+g0smn7Kdi7KNg58bgnsgaHuery2WsilTW2uHChI7yWwefYcktZ4NML +rKNa0G/sxCZbKs4pBQKcBYwQOhySinwf+p9EE76ULQ2Ej0QWnrXeJM/KkZ9Cuemo +JVr5x7YlbHTffPXdD64u1mWrNMqdh9HG7PPbAEtLxdJntxdgex/vIqUN6H2yN2fi +39UFR9JCGV9y+uIzu/O73Oue0rzSH8RzqOHxwi/rrDi6eRtttho= +=+b3N +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:01/bhyveload-13.2.patch b/website/static/security/patches/SA-24:01/bhyveload-13.2.patch new file mode 100644 index 0000000000..ea4af29208 --- /dev/null +++ b/website/static/security/patches/SA-24:01/bhyveload-13.2.patch 
@@ -0,0 +1,137 @@ +--- usr.sbin/bhyveload/bhyveload.c.orig ++++ usr.sbin/bhyveload/bhyveload.c +@@ -67,6 +67,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -93,11 +94,11 @@ + + #define NDISKS 32 + +-static char *host_base; + static struct termios term, oldterm; + static int disk_fd[NDISKS]; + static int ndisks; + static int consin_fd, consout_fd; ++static int hostbase_fd = -1; + + static int need_reinit; + +@@ -163,42 +164,61 @@ + cb_open(void *arg, const char *filename, void **hp) + { + struct cb_file *cf; +- char path[PATH_MAX]; ++ struct stat sb; ++ int fd, flags; + +- if (!host_base) ++ cf = NULL; ++ fd = -1; ++ flags = O_RDONLY | O_RESOLVE_BENEATH; ++ if (hostbase_fd == -1) + return (ENOENT); + +- strlcpy(path, host_base, PATH_MAX); +- if (path[strlen(path) - 1] == '/') +- path[strlen(path) - 1] = 0; +- strlcat(path, filename, PATH_MAX); +- cf = malloc(sizeof(struct cb_file)); +- if (stat(path, &cf->cf_stat) < 0) { +- free(cf); ++ /* Absolute paths are relative to our hostbase, chop off leading /. */ ++ if (filename[0] == '/') ++ filename++; ++ ++ /* Lookup of /, use . instead. 
*/ ++ if (filename[0] == '\0') ++ filename = "."; ++ ++ if (fstatat(hostbase_fd, filename, &sb, AT_RESOLVE_BENEATH) < 0) + return (errno); ++ ++ if (!S_ISDIR(sb.st_mode) && !S_ISREG(sb.st_mode)) ++ return (EINVAL); ++ ++ if (S_ISDIR(sb.st_mode)) ++ flags |= O_DIRECTORY; ++ ++ /* May be opening the root dir */ ++ fd = openat(hostbase_fd, filename, flags); ++ if (fd < 0) ++ return (errno); ++ ++ cf = malloc(sizeof(struct cb_file)); ++ if (cf == NULL) { ++ close(fd); ++ return (ENOMEM); + } + ++ cf->cf_stat = sb; + cf->cf_size = cf->cf_stat.st_size; ++ + if (S_ISDIR(cf->cf_stat.st_mode)) { + cf->cf_isdir = 1; +- cf->cf_u.dir = opendir(path); +- if (!cf->cf_u.dir) +- goto out; +- *hp = cf; +- return (0); +- } +- if (S_ISREG(cf->cf_stat.st_mode)) { ++ cf->cf_u.dir = fdopendir(fd); ++ if (cf->cf_u.dir == NULL) { ++ close(fd); ++ free(cf); ++ return (ENOMEM); ++ } ++ } else { ++ assert(S_ISREG(cf->cf_stat.st_mode)); + cf->cf_isdir = 0; +- cf->cf_u.fd = open(path, O_RDONLY); +- if (cf->cf_u.fd < 0) +- goto out; +- *hp = cf; +- return (0); ++ cf->cf_u.fd = fd; + } +- +-out: +- free(cf); +- return (EINVAL); ++ *hp = cf; ++ return (0); + } + + static int +@@ -712,6 +732,17 @@ + exit(1); + } + ++static void ++hostbase_open(const char *base) ++{ ++ ++ if (hostbase_fd != -1) ++ close(hostbase_fd); ++ hostbase_fd = open(base, O_DIRECTORY | O_PATH); ++ if (hostbase_fd == -1) ++ err(EX_OSERR, "open"); ++} ++ + int + main(int argc, char** argv) + { +@@ -746,7 +777,7 @@ + break; + + case 'h': +- host_base = optarg; ++ hostbase_open(optarg); + break; + + case 'l': diff --git a/website/static/security/patches/SA-24:01/bhyveload-13.2.patch.asc b/website/static/security/patches/SA-24:01/bhyveload-13.2.patch.asc new file mode 100644 index 0000000000..764c050735 --- /dev/null +++ b/website/static/security/patches/SA-24:01/bhyveload-13.2.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYREACgkQbljekB8A +Gu/FTRAA34D4cV0RkVOaGZ28h2QV1cRIdPIcfZfBRASeiHTAsdssOIBWdKWPaDs+ +VSB6mTHq5YBJwrtsMZTwn+NOA9QjPKBiYhT5WPxx/GrbP4IwZ8WSco6oTTO2pygE +1XCUbdESJQGRczsfpsxfQU/YxqxvXA6GQ4AiV+c4/TtGbSBKkxceYaqU3fRHd72X +eaJ8QiliB2yiDsJ7lIeGKdWrCGARYvnXKJMHRF4KFuBjz8NT9ZLwYWw/pD9YLA6G +0N146Zahz9u/RKOqdA8aNxfwlQ3s10Bc+FBzQ8MP+gtLTHyQ1hwI0wPAoEzj5sJ5 +G8jyAH4umjzbH3LQKJGvRt9i9uoWC9fls2MjEE9gBffVrLsxS537Ub2V2OCQ21Tu +cB5kWU71LSwHYTL1MMxT19QiYoShoK1Ty19t/rXYCiqE+diQHn2QFpFzU7crjm8n +/Vg9zAII0yT2IvqnEFhKP1EgAowzA0I9E0XOvw189ULzs0Pr4C/YPmvd8jxrFClt +Q96d9UI2Lcldo9eoeZ1E6eG3sRWWWa1E9UBXlsUZduMTKp2kz1TdmEzYZTfMe8w6 +EQtpPAOSkUL/Y8tCRm7kSZFHAew78mjImogagLjAoivc04jckgDg8MrbaQzz8N9B +s5CjOWt2jD7dOap9SbLuneArNRMZQ8DBtRrJvONlCrkjVLSbuXI= +=CHdG +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:01/bhyveload-14.0.patch b/website/static/security/patches/SA-24:01/bhyveload-14.0.patch new file mode 100644 index 0000000000..20c02e7ca4 --- /dev/null +++ b/website/static/security/patches/SA-24:01/bhyveload-14.0.patch 
@@ -0,0 +1,129 @@ +--- usr.sbin/bhyveload/bhyveload.c.orig ++++ usr.sbin/bhyveload/bhyveload.c +@@ -88,11 +88,11 @@ + + #define NDISKS 32 + +-static char *host_base; + static struct termios term, oldterm; + static int disk_fd[NDISKS]; + static int ndisks; + static int consin_fd, consout_fd; ++static int hostbase_fd = -1; + + static int need_reinit; + +@@ -159,42 +159,61 @@ + cb_open(void *arg __unused, const char *filename, void **hp) + { + struct cb_file *cf; +- char path[PATH_MAX]; ++ struct stat sb; ++ int fd, flags; + +- if (!host_base) ++ cf = NULL; ++ fd = -1; ++ flags = O_RDONLY | O_RESOLVE_BENEATH; ++ if (hostbase_fd == -1) + return (ENOENT); + +- strlcpy(path, host_base, PATH_MAX); +- if (path[strlen(path) - 1] == '/') +- path[strlen(path) - 1] = 0; +- strlcat(path, filename, PATH_MAX); +- cf = malloc(sizeof(struct cb_file)); +- if (stat(path, &cf->cf_stat) < 0) { +- free(cf); ++ /* Absolute paths are relative to our hostbase, chop off leading /. */ ++ if (filename[0] == '/') ++ filename++; ++ ++ /* Lookup of /, use . instead. 
*/ ++ if (filename[0] == '\0') ++ filename = "."; ++ ++ if (fstatat(hostbase_fd, filename, &sb, AT_RESOLVE_BENEATH) < 0) + return (errno); ++ ++ if (!S_ISDIR(sb.st_mode) && !S_ISREG(sb.st_mode)) ++ return (EINVAL); ++ ++ if (S_ISDIR(sb.st_mode)) ++ flags |= O_DIRECTORY; ++ ++ /* May be opening the root dir */ ++ fd = openat(hostbase_fd, filename, flags); ++ if (fd < 0) ++ return (errno); ++ ++ cf = malloc(sizeof(struct cb_file)); ++ if (cf == NULL) { ++ close(fd); ++ return (ENOMEM); + } + ++ cf->cf_stat = sb; + cf->cf_size = cf->cf_stat.st_size; ++ + if (S_ISDIR(cf->cf_stat.st_mode)) { + cf->cf_isdir = 1; +- cf->cf_u.dir = opendir(path); +- if (!cf->cf_u.dir) +- goto out; +- *hp = cf; +- return (0); +- } +- if (S_ISREG(cf->cf_stat.st_mode)) { ++ cf->cf_u.dir = fdopendir(fd); ++ if (cf->cf_u.dir == NULL) { ++ close(fd); ++ free(cf); ++ return (ENOMEM); ++ } ++ } else { ++ assert(S_ISREG(cf->cf_stat.st_mode)); + cf->cf_isdir = 0; +- cf->cf_u.fd = open(path, O_RDONLY); +- if (cf->cf_u.fd < 0) +- goto out; +- *hp = cf; +- return (0); ++ cf->cf_u.fd = fd; + } +- +-out: +- free(cf); +- return (EINVAL); ++ *hp = cf; ++ return (0); + } + + static int +@@ -714,6 +733,17 @@ + exit(1); + } + ++static void ++hostbase_open(const char *base) ++{ ++ ++ if (hostbase_fd != -1) ++ close(hostbase_fd); ++ hostbase_fd = open(base, O_DIRECTORY | O_PATH); ++ if (hostbase_fd == -1) ++ err(EX_OSERR, "open"); ++} ++ + int + main(int argc, char** argv) + { +@@ -748,7 +778,7 @@ + break; + + case 'h': +- host_base = optarg; ++ hostbase_open(optarg); + break; + + case 'l': diff --git a/website/static/security/patches/SA-24:01/bhyveload-14.0.patch.asc b/website/static/security/patches/SA-24:01/bhyveload-14.0.patch.asc new file mode 100644 index 0000000000..20c758702f --- /dev/null +++ b/website/static/security/patches/SA-24:01/bhyveload-14.0.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRIACgkQbljekB8A +Gu8tTA//fV7t4r0OBHgY0OZLMSPa6lwBx6oPVtfGXKEtCIxZc0oSoTf7Ld0n6crL +CYjurf+jRrtVSqyfh/P5L8TGgDHSx6+Y296ln8459Nyj4IzJeulnlOeGQR99Ey2z +lEq5Ezqdydav6nKmVXxOcGZQOlRMBtDNG4wlSK4S2BVtQ9cwzWUyhiC19RhZgAjl +r1zU55iJf6H3LEYxSUCSixNaTTqTkhcEm8il+swBsK8fIp2yRvXtJi8Pnui5AiMD +wvVmUmroDLvGl9E7M1RQUjOpumher94Bj/yBfCK0gmAm4tjntl4sfZ4nvgO3WH/a +o0Sxg5WPPGSym06WtKzYWzrHz48Nm7qH96zBVNdOHvMEdnaYciJYy8NJQNnWpNUT +HKYFWaPthcgfhfwmJFot4GxKKTM7ijq+AV5VVtoQLnm55u+vUpnxECgXTG3WYlDy +fxYXQjoOH/GF+RYBc6cUzIx7BrHQz8AwGoOotmTVEQUiQY6uNi9734Sq1yLvoi2h +ocWOuaotph7ZyVMxN4/iNj6mmkxP5IuROCUWey1m2Lj+VIvYugFBR2GVHsKqlQgC +fMCJVNJN+B2HaRPJq3z5NZtYNfZc572NF4vLws+8yUCkDMlqdajjrpjjD3r3tz8k +IaIk2EiU1yGgqGZ5ePGNIa5OuO7b7zXJPpeb0pB3wpGfGr84W0E= +=hkM7 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-24:02/tty.patch b/website/static/security/patches/SA-24:02/tty.patch new file mode 100644 index 0000000000..b7a34fa86f --- /dev/null +++ b/website/static/security/patches/SA-24:02/tty.patch 
@@ -0,0 +1,55 @@ +--- sys/kern/tty.c.orig ++++ sys/kern/tty.c +@@ -44,6 +44,7 @@ + #ifdef COMPAT_43TTY + #include + #endif /* COMPAT_43TTY */ ++#include + #include + #include + #include +@@ -1308,9 +1309,11 @@ + sysctl_kern_ttys(SYSCTL_HANDLER_ARGS) + { + unsigned long lsize; ++ struct thread *td = curthread; + struct xtty *xtlist, *xt; + struct tty *tp; +- int error; ++ struct proc *p; ++ int cansee, error; + + sx_slock(&tty_list_sx); + lsize = tty_list_count * sizeof(struct xtty); +@@ -1323,13 +1326,28 @@ + + TAILQ_FOREACH(tp, &tty_list, t_list) { + tty_lock(tp); +- tty_to_xtty(tp, xt); ++ if (tp->t_session != NULL) { ++ p = tp->t_session->s_leader; ++ PROC_LOCK(p); ++ cansee = (p_cansee(td, p) == 0); ++ PROC_UNLOCK(p); ++ } else { ++ cansee = !jailed(td->td_ucred); ++ } ++ if (cansee) { ++ tty_to_xtty(tp, xt); ++ xt++; ++ } + tty_unlock(tp); +- xt++; + } + sx_sunlock(&tty_list_sx); + +- error = SYSCTL_OUT(req, xtlist, lsize); ++ lsize = (xt - xtlist) * sizeof(struct xtty); ++ if (lsize > 0) { ++ error = SYSCTL_OUT(req, xtlist, lsize); ++ } else { ++ error = 0; ++ } + free(xtlist, M_TTY); + return (error); + } diff --git a/website/static/security/patches/SA-24:02/tty.patch.asc b/website/static/security/patches/SA-24:02/tty.patch.asc new file mode 100644 index 0000000000..4bfe03cc43 --- /dev/null +++ b/website/static/security/patches/SA-24:02/tty.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmXMYRQACgkQbljekB8A +Gu/q5RAAtsZyZuV1QLpdsdE18DiiiMTSTmZX6RHTCmIdMScwJNszYG4C6mo5hWQx ++l6e8JM1HqBqx6P7KrJQb+LxRgnBVF/dKfBXzR4++UnDrQ/NMKdC5yr7OjhqKGD9 +7fkPU2d4fm3S+rQ/+FzXkySRyIkEtrTRrs76FhAfSL7Sv+KS2XLYMIk3va6JIcj/ +JDGcu3A4fpfc1qCLgBFTjKpStKXiOcbSAGI0ToRmXqIuFKvyd9lUiZnUM5UECslH +3rYxuiJZznPqFmw3Mx8C8avPARBOVtx6xrQr3Ena7nDCGRjJzJYWUlmLD5Q8hD6e +2STkarDA476+UefOgYtOtDMUKtFaZI+BGOtkUoq5T2GJpdyx8vKCit8zIISUeCpq +gzQ36I/XVFtmOb0RZnkOguOLMBdHM2r+BtqFJw+FFTGM7U3ZWpnqVHalqt6PTi+6 +vEUGijebjRme0hrkCRVecUERs2dStomjWoDWxGeuU0PewChuzzF/A8CZsP9bA+Ok +/eeexwP160nkt7DaNVnvgoB0yNmJ6uDX7GWO0SI5sOU4/p/X4CcdBYUoVzBJaEz3 +NoJ1ycbJ/K+bBGQnVBH6nNPPAT4TQh7oCxlUULAQulJXO6TqGrN6HsKDVR732LCu +u6lhkpDtRCj8A1+vBszMdpam/2UTX1CG+sVCEob52K/60KRPTIc= +=vBUT +-----END PGP SIGNATURE-----
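Review bot: In usr.sbin/bhyveload/bhyveload.c, cb_open() (hunk @@ -159,42 +159,61 @@) decides the file type from fstatat() and only afterwards calls openat(), so the object that ends up open can differ from the one that was checked if the path is replaced in between, and cf->cf_stat = sb then records the stale result. Calling openat() first and fstat() on the returned descriptor would make the S_ISDIR/S_ISREG test, cf_stat and cf_size all describe the object actually held, and would turn the assert(S_ISREG(...)) in the else branch into a real invariant. Two smaller points in the same hunk: only one leading '/' is chopped, so a name with several leading slashes still reaches fstatat() as an absolute path (a loop would make the "relative to our hostbase" comment hold for those too), and the fdopendir() failure path returns ENOMEM where errno would be more accurate.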
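Review bot: In usr.sbin/bhyveload/bhyveload.c, hostbase_open() (hunk @@ -714,6 +733,17 @@) reports failure with err(EX_OSERR, "open"), which does not say which path could not be opened; including base in the message, for example err(EX_OSERR, "open %s", base), would make a mistyped -h argument diagnosable. EX_OSERR also reads as a system fault when the likely cause is a bad user-supplied directory, so a different exit code may fit better. A one-line comment noting that a repeated -h replaces the earlier descriptor would document the close() at the top of the function.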
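Review bot: In sys/kern/tty.c, sysctl_kern_ttys() (hunk @@ -1323,13 +1326,28 @@) tests tp->t_session against NULL but passes tp->t_session->s_leader to PROC_LOCK() unchecked; if a session can outlive its leader, that is a NULL dereference in the sysctl handler, so either check p for NULL and pick a cansee value for that case, or add a comment stating why s_leader cannot be NULL while tty_lock(tp) is held. The else branch also deserves a comment: as written, ttys with no session are hidden from every jailed thread and shown to every unjailed one without any p_cansee() check, and a reader cannot tell from the code whether that is the intended policy.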