Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!newsfeed.direct.ca!nntp.portal.ca!news.bc.net!info.ucla.edu!psgrain!news.rain.net!pacifier!deraadt From: deraadt@theos.com (Theo de Raadt) Newsgroups: comp.unix.bsd.netbsd.misc,comp.unix.bsd.misc Subject: OpenBSD changes since 2.0 Date: 17 Feb 1997 09:40:41 GMT Organization: Theo Ports Kernels For Fun And Profit Lines: 154 Distribution: world Message-ID: <DERAADT.97Feb17024041@zeus.pacifier.com> NNTP-Posting-Host: zeus.theos.com Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5486 comp.unix.bsd.misc:2550 I include below a list of the major changes that have happened since OpenBSD was release in the autumn last year. ---------------------------------------- The NIST Posix test suite became free. As a result we have been correcting numerous problems in the source tree, and expect to be completely POSIX compliant very soon. upgrade to CVS version 1.9. A number of security fixes to the way coredumping works. The /dev/*random devices are now default on all architectures. Add stack tracebacks to Arc port's kernel debugger. Skey revamped into full OTP (RFC1938) support, including sha1 and md5 support. GPL i387 emulator added. Crank kvm space on the i386 port, also limit buffer cache useage so that 512MB machines may work (untested :-) Numerous fixes to the lpr suite, including security. More ftpd raging paranoia security fixes. The NIST suite showed numerous errors in libraries and the kernel. Only a few small errors remain now, mostly regarding serial ports. In numerous utilities: prefer $LOGNAME, but also accept $USER. OLF binary type added. This is like ELF, but includes an OS-dependent tag. elf2olf(1) converts an elf binary to a tagged OLF binary which the kernel can recognize correctly. Beware $HOME overflows throughout the source tree. Integration of the pmax port. Import of ctm. Various repairs to the scsi scanner support. Numerous more difficult-to-exploit-but-possible-if-someone-really-wanted-to buffer overflows found in system utilities.. Memory leak paranoia in cron. Make login get more consistantly upset about failed logins, and tell user about these failures at the next successfull login. pdksh version is now 5.2.11 New bsd.*.mk feature: DEBUG=-g. Try it, you'll like it. The Arc port family has a new member: The rPC44 works! lpt driver is now bus-independent. com driver is now bus-independent. Numerous small security fixes again... Use pdksh as our /bin/sh. This provides excellent POSIX compliance. Prevent generic users from mounting filesystems by default. Added -C option to pax/tar. Also made -z support compressed files too. Increased compatibility in the pccons driver with BSDi features. Imported FreeBSD's calendar. GNU gdb works on the mips-based platforms. Add FreeBSD md5 diffs to mtree(8). This can be used to implement a tripwire-like system. Some YP and bootparamd security changes. Hundreds of little fixes all over the place. Multiple updates for GNU software Add disklabels to the floppy device drivers. At boottime, have (*mountroot)() look at the root device's disklabel to determine which filesystem type is to be mounted. If disklabel reading code discovers an ISOFS filesystem underlying, spoof a nice disklabel (enough to fool mountroot). tcpdump 3.3 Fix information gathering attack in ping(8). Add NetBSD's "route show" implementation, and at the samet time fix the new buffer overflows that this provided. Fix a few setgroups() related security holes. sendmail 8.8.4 texinfo 3.9 f77 0.5.19 Repair some more KerberosIV buffer overflows. Hard to believe this is supposed to be security software. Add XCASE/IUCLC/OLCUC/OCRNL/ONOCR/ONLRET tty subsystem flags for backwards compatibility. Permit NFS attribute cache to be configured on a per-mount basis. Properly split fsck, mount, and newfs into multiple pieces. Use disklabel information if it is available. Add disklabels to the vnd device driver. Change the games to be run setgid games, not setuid games. This closes a whole slew of fascinating security holes. Import of the powerpc port. Properly use _POSIX_SAVED_IDS throughout the source tree. Permit building of kernels without a.out support. ppp 2.3b3 libcrypt goes away. We do not need this stub library anymore. Do not link against it on OpenBSD, all the pieces you need are in libc. new aucat command. Fix a fairly nasty security hole in all of the games. Support for the hp300 added. Upgrade of awk(1), integration of BSD tsort(1), getopt fixes. Sendmail upgraded to version 8.8.5. Added lchown(2) for compatibility with SVR4 implementations. New gnu cpio 2.4.2 Support lchown(2) in dump(8), cp(1), pax(1), cpio(1), chown(8), and restore(8). No buffer lengths in fmt(1). various adjtime() corrections inside the kernel. Prevent stat() from disclosing inode generation numbers to non-root userland. pax in tar mode will understand multiple -v options to generate ls-like output. Repair many uses of the SIOCGIFCONF code for machines with an outrageous number of network interfaces. More kerberosIV security patches. A working fsirand. Completely in-tree PowerPC port for non-Apple hardware. This port requires nothing outside the in-tree development environment to build (except mkisofs for building distributions). Some ypbind(8) tightening up, includes a method to specify a list of valid servers Bug fixed that prevented bufpages/nbuf > 1 setups. This allows large buffer caches even when available kvm space is low, like for i386 & sparc. Changed netinet IP_HDRINCL option to require ip_len and ip_off in network byte order. This is a compatibility/portability fix and we expect other BSD systems to eventually follow suit. amd (the automounter) is now 64-bit and working on the alpha. The Alpha port and all it's utilities now compiles using in-tree versions of all tools. Yipee! A SA_SIGINFO implementation for sigaction() and signal handlers. This is a small part of POSIX 1003.1b and permits the signal handler to figure out the exact cause of a signal; such as fault address information for SIGSEGV or more detailed information for SIGFPE. config.old(8) has been removed from the tree, as the hp300 port switches to config(8). /sbin/dump -a saves you from needing to deal with finicky tape length options (from FreeBSD) Added RFC-1812 ICMP unreachable codes to ip_icmp.h, traceroute, and ping. Be more careful if some fool decides to enable source routing ;-) Support for gzip'd kernels in some bootblocks. New wgrisc port for Willowglen embedded r3081-based machine with ISA slots. Add cdev and partition support to the ramdisk driver. Merge new ftp(1) changes from NetBSD. Change mktemp(3) and family to generate more random filenames, yet still as collision free as possible. Have libc/rpc save you from yourself if you do enable source routing. The hp300 joins many other ports in supporting 16 disk partitions. IPF 1.3.7 which includes fully working NAT support (ie. IP masquerading). Use lots more XXXX characters in calls to the few remaining mktemp() calls in the source tree. This cuts out a whole class of races. Improved NFS filehandle creation. Make dd(1) work fine with our 64-bit off_t types, now you can copy very large disks using it. add RPC service name generation to netstat -a Fix pax & tar to be POSIX compliant. Fix a few netinet kernel crash problems. Fix so that stack limits which are not a multiple of the pagesize work. fix some more memory and file descriptor leaks in libc/rpc New scalable BLOWFISH-based crypt algorithm for passwd file entries. It uses a very large strong-random `salt' and the number of rotor runs is configurable. Hence if you have faster machines you can slow the crypt routine down and make harder keys. Add support for /etc/passwd.conf which controls the format and strength of passwd entries for the next time a user changes their password. These options can be set per-user. ---------------------------------------- Work is continuing and we are expecting to make a new release in the early summer. It's not clear yet but the new release might even ship with IPsec. -- This space not left unintentionally unblank. deraadt@theos.com www.OpenBSD.org -- We're fixing security problems so you can sleep at night.