OpenBSD 5.7

OpenBSD

The OpenBSD project is a free, multi-platform UNIX-like operating system based on 4.4BSD. OpenBSD supports binary emulation of many programs from Solaris, FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

Version 5.7

This release contains (in English):

  • Update unbound(8) to 1.5.0.
  • In mandoc(1), make .Ao and .Aq render as “<>” after .An, and as “\(la\(ra” elsewhere, just like groff.
  • Fixes for the mandoc(1) database: NAME_FIRST before its first use, NAME_FILE duplication, and the correct NAME_FILE mask for .so links.
  • Delete KERN_VNODE sysctl(3).
  • Add support for exporting relayd(8) statistics via AgentX/snmpd(8).
  • Add support for AgentX subagents in snmpd(8).
  • Fix ssl memory leak with pkey in client key exchange.
  • Bugfix for grdc(6) to run for the specified number of seconds, not for a fixed number of iterations. Makes a difference on slow terminals.
  • Make mandoc(1) let escape sequences terminate high-level macro names; when they do so, they are ignored.
  • Make binutils recognize sahf/lahf for amd64 code, backported from 2.17.
  • For newer re(4) chipsets, add support for stopping the operation within re_stop().
  • Let mandoc(1) support the “.if v” conditional operator for groff compatibility.
  • Sync ssh(1) AES code to the one shipped with OpenSSL/LibreSSL.
  • Make binutils recognize dcbzl for PPC code, backported from 2.17.
  • Disable the page zeroing thread on MP mips64 kernels.
  • Added support for sigwinch resizing in grdc(6).
  • Make mandoc(1) ignore invalid directories in man.conf and MANPATH, but complain about invalid directories given on the command line.
  • Avoid iteration over end of string in patch(1).
  • On ppc platforms, make pmap_zero_page MP-safe by using the directmap.
  • Enable GOST cipher in libcrypto.
  • For cas(4), use pa_device to ensure each MAC address of a multi port board is unique.
  • When running mandoc(1) in man(1) mode, set match order to file name over .Dt name over first .Nm entries over other NAME .Nm entries over SYNOPSIS .Nm entries. Re-run “makewhatis” to effectuate this change.
  • Fix NULL pointer dereference in ssh(1) key loading.
  • Activate support in pkg-config(1) for “package != version” requests.
  • Imported perl 5.20.1.
  • Add Camellia cipher to libcrypto.
  • Make /var/tmp a symbolic link to /tmp. Move /tmp to the same 7-day expiration that /var/tmp had.
  • Added new function to libc, crypt_newhash(3).
  • Add quirks for “Realtek ALC885” found on MacMini3.1, unmutes the internal speaker, line input and hp output.
  • Reduce dhclient(8) risk by putting config file reading after forking the privilege separated child process but before getting hardware link.
  • Sync kernel AES code to the one shipped with OpenSSL/LibreSSL.
  • Make usbdevs(8) show super speed status in verbose output mode.
  • In ssh(1), fix KRL generation when multiple CAs are in use.
  • Make mandoc(1) correctly handle whitespace-only lines in regard to vbl and vis variables.
  • Two fixes to make Qemu and VMWare xhci(4) implementations work: always unmask the slow context for the Set Address command and use the right spl when submitting a transfer.
  • Allow cas(4) to retrieve the MAC address from the rom for NS Saturn based boards.
  • Reworked the sigwait() handling to fix ptrace() in some circumstances.
  • Add cas(4) devices to i386 and amd64 GENERIC kernels.
  • Change librthread to not restart syscalls on SIGTHR.
  • Fix in librthread to allow check for cancellation when a handled (but not waited for) signal occurs.
  • Use newly imported siphash algorithm for in_pcb hashing.
  • In dhclient(8), make -q and -d mutually exclusive.
  • Removed ‘tcl’ command from vi(1).
  • On ifconfig(8), move trunk(4) code outside #ifdef SMALL to allow trunk operation on RAMDISK kernels.
  • Implement atomic_* ops for the arm platform.
  • In mandoc(1), remove harmful byte swapping on big endian architectures.
  • Fix reversed logic when selecting log level in npppd(8).
  • Fixed use after free in npppd(8) when pool addresses change.
  • Add -b to splitw in tmux(1) like in joinw.
  • In the performance adjustment code, take a few more ticks before throttling down, to handle situations where the machine is CPU intensive but intermittently idle.
  • In tmux(1), don’t let force-width or force-height be less than PANE_MINIMUM.
  • Store autoinstaller logfile in /mnt/var/log to be available after reboot.
  • Updated time zone data to tzdata2014j.
  • Do not hold the kernel lock when calling hardclock() and statclock().
  • When exploring the usb buses, do not probe the ports whose status hasn’t changed. Saves a lot of I/O when attaching/detaching devices.
  • Tweaked DHCPACK and DHCPINFORM log entries to be more informative.
  • Speedup in mandoc(1) in man(1) mode without -a, stop searching after the first manual tree that contained at least one match.
  • Stop athn(4) from attaching to AR9300 devices due to unresolved bugs.
  • For httpd(8), allow the log directory to be configurable in the config file, rather than having it fixed as /logs in the chroot.
  • In xhci(4), do not reset the base address of the control endpoints ring when the second Set Address command is issued.
  • Make pf(4) ask for ICMPv6 checksum recalculation in pf_route6 since the addresses may have been tweaked.
  • bgpd(8) now outputs 32bit AS numbers in ASPLAIN format by default instead of AS_DOT+.
  • Socket closing fixes in the client rpc(3) code.
  • Implemented -h in mandoc(1) for preformatted (cat) pages.
  • Fix for ix(4) SFP+ module detection when booting without the modules plugged in.
  • Added support for USB 1.x devices below external hubs on xhci(4).
  • Make sure httpd(8) doesn’t try to open log files when using syslog.
  • Changed the xhci(4) attach logic to set the address of a device. Fixes issues seen on root hubs with some Low/Full speed devices.
  • Plug an rtentry leak in route code.
  • Fix pf(4) state linking used to implement transparent relays for connectionless protocols.
  • Added GOST crypto algorithms to libcrypto. Not enabled yet.
  • Make tmux(1) expand formats in copy-pipe command.
  • When a usb(4) pipe is closed, only clear the memory of the corresponding endpoint context. Fixes a panic.
  • Stopped tmux(1) extending the line to full width on insert/delete character (leaves extra spaces when reflowing); only mark a line wrapped when the cursor actually goes off the end (not on newlines).
  • If resuming from sleep (zzz/ZZZ) and the lid is still closed, go back to sleep. Prevents accidental lid flex from waking the machine up.
  • Libtool moved to the comp set.
  • Enabled xhci(4) on i386 and amd64, for USB 3.0 support.
  • Fixed problems with iked(8) EAP state transition. Allows Win7 to establish a tunnel again.
  • Fixed a race (and panic) in xhci(4) when submitting a command by using the appropriate spl(9) protection.
  • Removed the SSLv2 option from relayd(8); made “no sslv3” work as intended.
  • Added bcd(6) -l option to create “modern” 80 column cards.
  • Made malloc(9) calculate correct size before doing the free checks, to fix recent panics.
  • Enabled TLS extensions in ssl(8).
  • Fixed mac address selection with unnumbered carpdevs when using carp(4).
  • When tmux(1) copy mode is used for output, wrap the text.
  • Removed old curses support from vi(1).
  • Added V for tmux(1) “select line” with vi(1) keys.
  • In smtpd(8), stopped prepending the user ID in the local enqueuing “Received” line.
  • Implemented workaround for em(4) i218 watchdog timeouts that are triggered by heavy traffic.
  • Fixed sd(4) cards with rev C BeagleBone Blacks.
  • Added rgephy(4) for the RTL8211E phy in the LeMaker Banana Pi and Banana Pro.
  • Added atphy(4) to armv7, for the Atheros AR8031 phys in the AM335x starter kit.
  • Introduced SipHash (https://131002.net/siphash/), useful when adding protection against hash bucket flooding attacks.
  • Allow the five man(7) font macros to concatenate their line arguments. Removes bogus when font macros are used in -Thtml “no-fill” mode.
  • Stopped dhclient(8) leaking static leases when the “lease {}” parsing fails or when a static lease supersedes an earlier one.
  • Fixed kernel stack overflow in carp(4) by preventing carp_send_ad_all() from re-entrant calls.
  • Stopped changing the gateway of local route(4) for p2p interfaces. Prevents a panic.
  • Updated to xterm(1) version 312.
  • Use the correct default MaxPacketSize for Full Speed usb(4) devices and make them work with xhci(4).
  • In passwd(1), removed support for all password cyphers except blowfish(3).
  • Removed ephemeral RSA key handling from ssl(8).
  • Add support for automatic DH ephemeral keys in ssl(8), so DH keys can be generated based on the server key length; use automatic DH ephemeral parameters instead of fixed 512 bit.
  • Removed ssl(8) support for ephemeral/temporary RSA private keys.
  • Renamed libressl to libtls, to avoid confusion.
  • Major bugsquashing with respect to -offset and -width in mdoc(7).
  • Do not enable interrupts before attaching usb(4). Fixes panic when an Express Card has usb(4) devices.
  • Support utf-8 and iso-8859-1 input by integrating preconv(1) utility into mandoc(1).
  • In mandoc(1) -Tascii mode, only print “” for unicode escapes of unknown representation (not for character escapes with unknown names).
  • Tightened mandoc(1) unicode escape name parsing.
  • Fixed pipex(4) to return multicast packets to the caller so that npppd(8) can handle them.
  • Fixed pipex(4) to initialise DF bit in IP header for L2TP message, so packets larger than minimum MTU aren’t dropped.
  • 5.4, 5.5, 5.6 and -current SECURITY FIX: Fixed incorrect expansion of netmask for dynamic interfaces by pfctl(8). Stops potential elevation of access permissions for IPv6 traffic.
  • Removed execute permission from most pages in the kernel pmap(9) on powerpc.
  • Stopped supporting wsmoused(8) and X(7) in parallel. Code is racy and known to break mice upon resume.
  • Fixed regression in term.c r1.89: repaired handling of zero-width spaces (\&) in mandoc(1) utf-8 output.
  • Allow the current lease to expire without causing dhclient(8) to seg fault when it tries to get a new one.
  • Fixed possible infinite recursion in perl(1) Data::Dumper (CVE-2014-4330).
  • Improved mandoc(1) -Tascii output for unicode escape sequences: for the first 512 code points, provide ASCII approximations; provide approximations for some sequences above codepoint 512 via mandoc_char(7) character table.
  • When using the local enqueuer and the internal SMTP session fails, made smtpd(8) copy the original message to ~/dead.letter so it’s not lost.
  • On hppa, fixed “read section header string table failed(0)” errors when attempting to boot lif.fs.
  • Fixed smtpd(8) so newaliases and makemap can parse multi-line aliases entries.
  • Stopped mandoc(1) attempting to parse empty equations. Fixes a null pointer dereference.
  • In mandoc(1), report arguments to .EQ if they have caused an error.
  • Don’t attempt to suspend/resume a partially attached drm(4) driver. Fixes crash upon resume with ATI FireMV 2400 card.
  • Stopped the page zeroing thread launching on m88k multiprocessor systems. Avoids a deadlock between reaper and zerothread.
  • Added pane_input_off format to tmux(1).
  • Retired networks(5) support from amd(8) and getent(1).
  • Extended features in autoinstall(8).
  • No longer limit physmem to 2GB on hppa.
  • Removed networks(5) support from netstat(1).
  • Avoid an ssl(8) null pointer dereference that could be triggered by SSL3_RT_HANDSHAKE replays.
  • Allow reliable IPv6 communication between carp(4) master and backup across a shared IPv6 subnet.
  • URL-decode the httpd(8) request path.
  • Only redraw the tmux(1) pane when it has actually changed.
  • Reworked httpd(8) error messages: do not send details of 40x errors, to avoid possibility of javascript injection attacks.
  • Made tftp(1) cope with sending or receiving files beyond 65536 blocks in length.
  • Fixed du(1) regression, always report the size of files listed.
  • 5.6 SECURITY FIX: disabled SSLv3 by default.
    A source code patch is available for 5.6.
  • In getent(1), error out when hosts enumeration is requested.
  • Made mandoc(1) correctly parse spacing around in-line equations.
  • Removed the “interface” option from relayd(8) “transparent forward” directive.
  • Fixed memory leak in ssl(8) d2i_SSL_SESSION.
  • Backported fix for binutils bug 11867: “.quad” directive not assembled correctly.
  • Use sha512 instead of md5 for tcp(4) initial sequence number.
  • In ssl(8) s_client, no longer call shutdown on a non-existent socket descriptor.
  • In the random number generator, use sha512 to hash the entropy (instead of md5).
  • 5.4, 5.5 and 5.6 RELIABILITY FIX: Stopped assuming elf(5) ep_taddr and ep_daddr are page-aligned, to fix a panic.
    A source code patch is available for 5.4, 5.5 and 5.6.
  • Update to xf86-video-mga 1.6.3.
  • Update to xf86-video-savage 2.3.7.
  • More gracefully handle firmware loading errors in ulpt(4). Avoids potential kernel crash.
  • 5.4 and 5.5 RELIABILITY FIX: Fixed two remotely triggerable memory leaks in ssl(8).
    A source code patch is available for 5.4 and 5.5.
  • Better POSIX compliance for realpath(3).
  • Made sure the pmap(9) direct map isn’t executable on amd64. Mitigates some ret2dir attacks.
  • Correctly encode half line feed in the output stream for col(1) -f.
  • Added the -d flag (limit display depth) to du(1).
  • Made the mg(1) kill-paragraph and forward-paragraph commands stop once they can go no further.
  • Fixed resume from hibernate on AMD processors.
  • Fixed col(1) segfault triggered by an input line containing two consecutive backspace characters beyond column MAX_SHRT.
  • Implemented in-line equations in mandoc(1), needed by Xenocara manuals.
  • Allow empty headers in smtpd(8).
  • Disabled SSLv3 by default in ssl(8), relayd(8) and smtpd(8).
  • Stopped smtpd(8) relaying a header that will be rewritten by the destination MX.
  • Prevented sessions from sending a huge number of continuations to a single header and starving smtpd(8).
  • Made rcctl(8) properly access all rc.d(8) scripts and ignore anything irrelevant in /etc/rc.d.
  • Fixed memory leak in smtpd(8) error path.
  • Even if a table has zero columns, do not segfault in the mandoc(1) formatter.
  • Stricter syntax checking of unicode character names by mandoc(1); properly scale string length measurements for postscript and pdf output.
  • Improved error handling in the eqn(7) parser; do not parse quoted strings for tokens. Fixes glFrustum(3).
  • Fixed bug in mg(1) backward-paragraph when pressing “M-{”.
  • Stopped iked(8) segfaulting when connecting from Strongswan on Android.
  • Major upgrade to eqn(7) terminal output.
  • Removed possibility of multiplicative integer overflow in relayd(8) and snmpd(8).
  • Moved CPU throttling into the kernel, enabled with sysctl(8) hw.setperf=-1.
  • Added rcctl(8) “default” command.
  • Allow pkg_sign(1) signing to proceed when interrupted.
  • In rcctl(8), prevented “-e” in daemon_flags being fed as an argument to the built-in echo.
  • Partial eqn(7) rewrite, to fix operator precedence.
  • Let rcs(1) handle -l and -u combinations.
  • Parse and render “from” and “to” clauses in eqn(7), and render matrices.
  • More readable eqn(7) -Ttree output; initial bits of MathML rendering for eqn(7) -Thtml.
  • Properly initialise secondary CPUs on 64 bit macppc machines.
  • Allow kernel to be built without ddb(4).
  • Added ddb(4) support for DWARF line number decoding, so “trace” includes file and line numbers.
  • No more modstat(8), modload(8) or lkm(4).
  • Tweaked ssh_config(5) reparsing with host canonicalisation; added -G option to ssh(1); don’t ignore ssh_config(5) “Port” options (bz#2267 and bz#2286).
  • Made sndiod(1) check parameters returned by audio drivers, and report driver bugs rather than crashing.
  • Made workq/taskq runner threads yield when they’ve hogged the CPU.
  • Now that the cleaner yields the CPU, stopped vfs(9) checking to see if we are hogging the CPU.
  • Restricted smtpd(8) address lookups to configured address families.
  • Fixed hardware lockup on intel(4) with i845g.
  • In vi(1), bumped max columns to 768 to accommodate bigger screens.
  • Removed support for AOE (ata over ethernet).
  • Fixed DDOS in head(1) by using the correct exit code on failure.
  • Removed gzsig(1).
  • Switched mandoc(1) HTML output to polyglot HTML5; have only one single -Thtml mode.
  • If a tbl(7) layout contains unknown font modifiers, don’t fail table, fallback to default font.
  • Removed sdio(8).
  • Made amd64 pmap(9) more efficient on multi-processor machines.
  • When chmod(1) is called, do not silently ignore syntax errors in options, instead error out properly.
  • When ssl(8) is verifying an IP address is in a certificate common Name, do not perform wildcard matching.
  • If ssl(8) has to match against a wildcard in a cert, verify that it contains at least a domain label.
  • Amended previous commit in ftp(1) fetch.c to unbreak ELS cert validation when using a proxy.
  • Check object allocation for success before using it in ssl(8) v3_cpols.c.
  • In ssl(8), fixed memory leaks in the error path of v2i_AUTHORITY_KEYID() and set_dist_point_name().
  • Switched syslogd(8) from using poll(2) to libevent.
  • Updated xterm(1) to version 311.
  • Stopped xhci(4) Intel Series 7 controllers reporting illegal context state transition when detaching devices.
  • In ftp(1), only pass the remote host name (not any “:portnumber” suffix) to ressl_connect_socket().
  • Forced smtpd(8) to strip any empty BCC header in the DATA part of the SMTP transaction.
  • Cleaned up the reporting socket code in syslogd(8).
  • Introduced a thread for zeroing uvm(9) pages without holding the kernel lock, to reduce latency.
  • In syslog_r(3), strip trailing newlines from syslog messages, to avoid empty lines when printing.
  • Allow ssl(8) to disable hostname and certificate verification separately.
  • Enabled automatic handling of ephemeral EC keys by ssl(8).
  • Allowed many code paths in myx(4) to run without the kernel lock.
  • Now that pool(9) is mpsafe, made the mbuf(9) allocators on top of pools mpsafe too.
  • Fixed a crash when there is text after a failed %Z conversion in strptime(3).
  • When no domain is specified in MAIL FROM or RCPT TO, smtpd(8) now assumes local user.
  • Fixed httpd(8) endless event loop that could eat all CPU time.
  • Added local subnet route (RFC 3442) support to dhclient(8).
  • Enlarged columns for 4-byte ASN display with bgpctl(8) “show summary” output.
  • Fixed route(4) so arp(8) will no longer report an incomplete entry for lo0.
  • Made tmux(1) take account of window-status-separator when checking window position.
  • Update status when a tmux(1) pane is selected with a mouse.
  • Always call waitpid(2) on SIGCHLD when client_attached is set in tmux(1). Avoids potential zombie.
  • Fixed some incorrect format specifiers in a debug printf(9) in apm(8).
  • Fixed loopback related breakage introduced by the conversion of in_ouraddr() to use the route(4) table.
  • Map out-of-range facility values to LOG_USER to avoid array over-read in syslogd(8).
  • No longer define default_bits in openssl.cnf. Allows the compiled-in default to take priority.
  • Switched openssl(1) “req” command to using SHA256 (hashes) and AES256 (on-disk keys) by default.
  • 5.6 RELIABILITY FIX: Fixed some run(4) devices working in 5.5 but not in 5.6-release.
  • More optimisations of luna frame buffer. Makes 4bpp wscons(4) putchar ~8% faster on luna88k.
  • Unhooked sliplogin(8), sl(4), slstats(8) and slattach(8).
  • Check that the speed of a new device does not exceed the parent’s speed prior to calling usbd_new_device().
  • 5.4, 5.5 and 5.6 SECURITY FIX: Stopped nginx (in base) reusing cached ssl(8) sessions in unrelated contexts (CVE-2014-3616).
    A source code patch is available for 5.4, 5.5 and 5.6.
  • Added support for “physical devices” to mfii(4).
  • In ssl(8), cleaned up EC cipher handling in ssl3_choose_cipher().
  • Prevented dmesg(8) spam from some windows-only keys (found on very new thinkpads).
  • Do not use the global list of IPv4 addresses in icmp_reflect(), use the route(4) table.
  • Increased text segment size on arm to 32MB.
  • When setting env(1) in an at(1) atrun script, use the “export foo=bar” form. Allows shell to catch variable names that are not valid shell identifiers.
  • Fixed r1.12 of ssl(8) x509_att.c which had a NULL pointer dereference in the error path.
  • Added option that allows any enabled ssl(8) protocols to be explicitly configured.
  • Use raster operation (ROP) function on luna frame buffer. 4bpp wscons(4) putchar now ~20% faster.
  • vds(4/sparc64) now supports block devices.
  • Fixed a regression in smtpd(8) which had broken table_passwd.
  • In ssl(8) check_cert(), reset ctx->current_crl to NULL before freeing it.
  • In ssl(8) X509_NAME_get_text_by_OBJ(), made sure we do not pass a negative size to memcpy(3).
  • In wdc(4) when doing ioctl(2), fixed leak by ensuring scsi(4) xfer free is done before ata xfer free.
  • Properly serialise closing vnode on sparc64. Fixes occasional panic during reboot or when restarting ldomd(8).
  • Updated to: xtrans 1.3.5; libXext 1.3.3, libXi 1.7.4, inputproto 2.3.1 and xrandr 1.4.3.
  • Provided a ressl config function that explicitly clears keys.
  • New API function SSL_CTX_use_certificate_chain(). Allows reading PEM-encoded certificate chain from memory instead of a file.
  • Remove a limitation that ignored IPv6 link-local addresses (eg fe80::2%carp0) on carp(4).
  • Reverted r1.142 of netstart.
  • In ssl(8) X509v3_add_ext() error path, do not free memory that was not allocated.
  • In ssl(8) X509_TRUST_add(), check X509_TRUST_get0() return value before dereferencing it; fixed memory leak.
  • In pool_destroy(9), enter and leave mutex(9) as necessary to satisfy assertions.
  • Updated to: xf86-video-vmware 13.0.2, fontsproto 2.1.3, libXfont 1.5.0 and xserver 1.16.1.
  • Disabled WRITE events when closing file descriptor of the I/O bufferevent. Fixes potential event flood in httpd(8).
  • In ssl(8), check that the specified curve is one of the client preferences.
  • In ssl(8) X509_STORE_get1_certs() and X509_STORE_get1_crls(), check the result of allocations.
  • Fixed memory leaks in ssl(8) X509_issuer_and_serial_hash() and X509_STORE_new().
  • Use correct format specifiers in various loongson machine dependent code.
  • Push sdhc(4) ricoh controllers into “old slow mode” at resume time.
  • Reverted part of r1.98 if_run.c which caused a regression on older run(4) devices.
  • Reworked piglet and pig memory allocation for more robust hibernation.
  • Now that sysctl(8) mp setperf is fixed, activated aggressive apmd(8) throttling again.
  • Fixed the calculation of the number of items to prime the pool(9) with in pool_setlowat(9).
  • Restored r1.249 of sys/dev/acpi/acpi.c. Upon resume, CPU now runs at speed requested by apm(8).
  • Support using pane id as part of session or window specifier and window id as part of session in tmux(1).
  • Support ! for last pane in tmux(1).
  • Fixed the build when DRMDEBUG is defined.
  • Enabled MSI support in msk(4).
  • Release the acpi(4) lock when calling wsdisplay_suspend() and wsdisplay_resume(). For better resume.
  • Fixed high capacity (> 2GB) eMMC support in sdmmc(4).
  • Hide unused, duplicate and/or misleading fields from audioctl(1).
  • In ssl(8), check the result from final_finish_mac() against finish_mac_length in ssl3_send_finished().
  • In ssl(8), don’t record a match with the “finish MAC” if “SSL finished” has a zero-byte payload.
  • Implemented atomic_{cas,swap}_{uint,ulong,ptr} and atomic_{add,sub}_{int,long}_nv on hppa.
  • On macppc, enabled power saving modes for IBM PowerPC 970 CPUs.
  • Reworked pool(9) code to make it mpsafe (can be called without the kernel biglock being held).
  • Made packages(7) rsync-friendly. Reduces bandwidth usage by mirrors.
  • Fixed an invalid escape sequence in cu(1).
  • Allow agp(4) to map a single page without sleeping. Fixes intel(4) drm(4) panic on i386.
  • Added CHACHA20 to ssl(8) as a cipher symmetric encryption alias.
  • Moved rc.conf(8) from the etc to the base set (any local changes will be overwritten at next upgrade).
  • 5.5 and 5.6 SECURITY FIX: ssl(8) session reuse vulnerability (CVE-2014-3616).
  • Introduce config_suspend_all(9), to invoke config_suspend(9) in appropriate order. Fixes problems with unflushed disk caches on machines where mpath(4) takes control of some of your disks.
  • Stopped sd(4) spinning back up while attempting to spin down some drives.
  • Increased number of blowfish(3) rounds to 8 by default (when not specified in login.conf(5)).
  • Updated to xkeyboard-config(7) version 2.12.
  • Changed screen terminfo(5) entry to have kbs=\177. Fixes problems with “le” editor.
  • If there are more than 8 CPUs, top(1) now defaults to combined CPU stats.
  • Disabled taking the mutex(9) to read pool(9) stats. Eliminates code paths that try to mtx_enter(9) twice.
  • Unlinked sendmail from the build.
  • Support ppb(4) bridges with subtractive decoding. Fixes issues with pcmcia(4) behind an ATI SB400 PCI bridge.
  • Marked the mpi(4) and mpii(4) interrupt handlers mpsafe.
  • In httpd(8) and relayd(8), made the HTTP version mandatory and abort if it is missing in the request.
  • Made dd(1) error out when negative values are given for sizes on the command line.
  • In man.cgi(8), support backslash-escaping of white space in the query expression, similar to apropos(1).
  • Made the new isp(4) drivers match at a higher priority than old drivers.
  • In sysmerge(8) PKG mode, cope with non-default PREFIX (e.g. /var/www/…).
  • Provided a sparc64 version of sqrtl(3) for quad-precision floating point.
  • Remove cached 802.11 nodes in IEEE80211_STA_CACHE state. Stops them showing with ifconfig(8) scan.
  • On i386/amd64, stopped attempts to synchronise P-state transitions between CPUs. Fixes hangs and suspend/resume when running apmd(8/amd64).
  • Inspired by mdoclint(1), made mandoc(1) warn about botched .Xr ordering and punctuation below SEE ALSO; warn about commas in function arguments.
  • Implemented membar(9) API for i386.
  • Install files that moved from etc to base during “make build” to unbreak updating from src.
  • Let httpd(8) handle variations of the “Host” header (eg www.example.com:80, [2001:db8::1], [2001:db8::1]:80).
  • If a manpath directory does not exist, mandoc(1) will now silently skip it.
  • Fixed scans with various iwn(4) devices.
  • If pkg_add(1) is not running as root, dismiss user id and groups and replace them with root/bin. For FAKE_AS_ROOT=No.
  • Made the cleaner, syncer, pagedaemon and aiodone daemons all yield() if CPU is marked SHOULDYIELD.
  • Marked the mfi(4) interrupt handler mpsafe; give up biglock in the scsi(4) cmd submission paths.
  • Fixed interrupt storm on 2009 Mac minis with WOL enabled on nfe(4) interfaces.
  • Stopped uvm(9) sleeping on allocation of hash table entries. Fixes crashes with tmpfs.
  • Stopped pflog(4) counting bad packets multiple times.
  • Added window_last_flag and window_zoomed_flag to tmux(1).
  • 5.6 and -current RELIABILITY FIX: Prevent addition of redundant IPv6 autoconf (SLAAC) addresses.
  • Fix a syslogd(8) regression when specifying all 20 additional log paths.
  • Implemented membar API for amd64.
  • Deleted procfs (always suffered from race conditions and is now unused).
  • 5.4 RELIABILITY FIX: Added a one second receive timeout. Avoids stall of receive queue in vio(4).
  • 5.4 and 5.5 RELIABILITY FIX: Removed race condition. Stops occasional network hangs in vio(4).
  • Updated to mesa version 10.2.7.
  • Removed SSL_kDHr, SSL_kDHd and SSL_aDH from ssl(8). No supported ciphersuites use them.
  • Use shell substitution instead of dirname in sysmerge(8); fixed installing pkg @sample when target directory is missing; fixed output when a file fails to install.
  • 5.6 RELIABILITY FIX: Stopped incorrect RX ring computation, which led to panics under load with bge(4), em(4) and ix(4).
    A source code patch is available for 5.6.
  • Let roff(7) accept .ll in the prologue; parse and ignore the .pl (page length) request.
  • Upgraded inodesc.id_entryno in fsck_ffs(8) to u_int64_t, to handle larger file sizes with FFS2; fixed check for allocated fragments marked free in the bitmap.
  • Fixed FastCGI-based WebDAV and CalDAV (calendar) servers with httpd(8).
  • httpd(8) server name specification changed to name+address+port. Allows using same server name for multiple servers with different addresses.
  • Removed /etc/{hosts,myname} from etc.tgz; made the installer create the /etc/hosts template.
  • In perl(1), updated libnet to version 1.27.
  • Reworked how pool(9) allocators with large pages (>PAGE_SIZE) are implemented.
  • Added *.gz support to apropos(1) -a, man(1), and mandoc(1).
  • In ssh(1), tightened permissions on pty(4) when the “tty” group does not exist.
  • Be coherent in the way arp(8) and ndp(8) display local entries, use “l” flag to distinguish them; skip broadcast entries (are not real arp(4) entries).
  • Make sure broadcast entries won’t be freed by the arp(4) timer so we can use them for address lookups.
  • Treat broadcast entries like local ones and give them the highest route(4) priority.
  • Sync amd64 and i386 GENERIC.MP with other arches by enabling MP_LOCKDEBUG option.
  • If crypt(3) fails, smtpd(8) will now return an authentication error.
  • Implemented traditional -h option for man(1): show the SYNOPSIS only.
  • Initial httpd(8) support for persistent FastCGI connections via chunked Transfer-Encoding.
  • Added Jumbo support for BCM5714/5780/5717/5719/5720/57765/57766 bge(4) chipsets.
  • Fixed makewhatis(8) bug so apropos(1) and man(1) can find Xenocara manuals via .so links.
  • In man(1) mode, change to the right directory before starting the parser. Finds more Xenocara manuals.
  • Wake up any waiting clients with the tmux(1) “wait-for” command when the server exits.
  • smtpd(8) queue_api.c code will now close the file descriptor if fdopen(3) fails.
  • Prevented a null dereference of the urtw(4) configuration descriptor.
  • Improved option usage output for ssl(8); converted ssl(8) ecparam to new option/usage handling.
  • Applied fix from upstream perl(1) to harden the close() function (RT 37700).
  • Replaced the “least recently used” bufcache in vfs_cache(9) with one based on 2Q, for scan resistance.
  • On amd64, added implementations of atomic_{inc,dec,add,sub}_{int,long}(9) and atomic_{add,sub}_{int,long}_nv(9).
  • Correctly made accept4(2) a cancellation point as per pthread_testcancel(3).
  • Backported @file support from binutils-2.17.
  • Added uuid(3) support routines to libc.
  • Made sysmerge(8) completely silent by default when no file is modified.
  • In sysmerge(8) pkg mode, warn if the directory we want to copy an @sample into doesn’t exist or is not an @sample.
  • In sparc64 ld.so(1), made the handling of PLT entries above the 32k mark thread-safe.
  • When a service is not available, made rcctl(8) return ENOENT.
  • Introduced a man(1) -l option as an alias for mandoc(1) -a.
  • Converted the openssl(1) “version” command to new option/usage handling.
  • On lii(4), set the MRU to a full size frame instead of basing it on the MTU.
  • Let the MRU always be what the oce(4) chip can do, not what the MTU implies.
  • Fixed 2 macppc panics.
  • Allow new devices to get an address for xhci(4) when XHCI_DEBUG is defined.
  • Fixed checking sync for old synaptics touchpad (ver 5.9) in pckbc(4).
  • Allow multiple relayd(8) instances to be configured to forward traffic to the same host.
  • Major sysmerge(8) cleanup now that both etc and xetc sets are part of base (-S -s and -x options gone).
  • Moved the xetc set into xbase (like etc was moved into base).
  • Added openssl(8) option handling for input/output formats, ordered flags, and for argument processing.
  • Added mdoc(7) support for .St -susv1 and .St -susv4.
  • Made diff(1) -uw produce valid output even when one file doesn’t end with a newline.
  • Implemented table-driven ssl(8) option parsing. Allows an application to specify valid options and where to store them.
  • Ported openssl(1) rand application to the new option parsing and usage.
  • Nuked sysctl(8) net.inet6.icmp6.rediraccept and allow redirects on interfaces with autoconf enabled.
  • In newsyslog.conf(5), added httpd(8) default log files to the rotation.
  • Added ssl(8) API function ressl_config_set_ecdhcurve to set or disable a non-standard ECDH curve.
  • Added support for Curve25519 to iked(8).
  • Write all data before closing the httpd(8) server socket if the output buffer is not empty.
  • Added missing capability to handle new $2b version of blowfish(3) password encryption for usermod(8) and friends.
  • Added an implementation of man(1) into the /usr/bin/mandoc binary; unify command line options for mandoc(1), man(1), apropos(1), and whatis(1).
  • Create the etc set during “make build”; it is now embedded in the base set.
  • Removed nginx from the base system in favour of OpenBSD’s homegrown httpd(8).
  • Moved openssl(1) from /usr/sbin/openssl to /usr/bin/openssl.
  • Unlinked xfs(1) from the build.
  • Added the ability to restrict syslogd(8) to an ip(4) or ip6(4) protocol family.
  • Added iked(8) support for DH groups 27-30 using the Brainpool curves as in ssl(8).
  • httpd(8) now supports both mime.types flavours (nginx- or apache-style).
  • Added generic system-wide /usr/share/misc/mime.types file, usable by httpd.conf(5).
  • Moved sending of router solicitations to the kernel. Makes rtsol(8) and rtsold(8) unnecessary.
  • Don’t allow pasting into input-disabled tmux(1) panes.
  • Implemented _NET_WM_STATE_STICKY in cwm(1). Allows client to “stick” to all desktops or groups.
  • When using a proxy, made ftp(1) validate the cert hostname against the target hostname, not the proxy hostname.
  • Delete secret or secret-derived data in many base utilities with explicit_bzero(3).
  • Implemented bold italic font support for postscript and pdf output in mandoc(1).
  • Start all rcctl(8) error messages with “rcctl: ” so it is clear where they come from.
  • In debug mode, only print the flags relevant to the rc.d(8) we are calling instead of all flags; make it clear when we are using the default flags when none are set.
  • Make it possible for rcctl(8) to pass “-d” and “-f” to the rc.d(8) script.
  • Removed non-standard GOST cipher suites (which are not compiled in currently) from ssl(8).
  • pfctl(8) now makes sure rules have been defined when you specify queues in a rule.
  • Switched ndp(8) to display MAC addresses in 00:00:00:00:00:00 format.
  • Get arp(8) to print leading zeros in MAC addresses again.
  • Disabled use of bind in base (base uses nsd(8)/unbound(8) instead).
  • Ensure cwm(1) client that wants to be in nogroup stays in nogroup (thus stays in view), even when (re)reading NET_WM_DESKTOP.
  • Made syslogd(8) check host/port length when parsing syslog.conf(5). Avoids nasty error message “syslogd: priv_getaddrinfo: overflow attempt in hostname”.
  • Set the default nfsd(8) flags to “-tun 4” when launched from rc.d(8).
  • Fixed memory leak in isakmpd(8) ike_phase_1.c.
  • Fixed acpi(4) sensor status for docking/undocking laptops, to allow sensorsd(8) to correctly detect state changes.
  • Bugfix to make whatis(1) case-insensitive again.
  • Added Last-Modified: HTTP header to httpd(8).
  • Allow syslogd(8) to send and receive udp(4) syslog packets on the IPv6 socket.
  • Unbroke sysmerge(8) when “SRCDIR=.”
  • Limited the mandoc(1) CGI process execution time, to make REDoS attacks less effective.
  • Stopped mandoc(1) suppressing white space after .Fl if the next node is a text node on the same input line.
  • Made rcctl(8) “status” output match rc.conf(8) format.
  • Changed the output of arp(8) to match what ndp(8) does; include the expire timer.
  • After nfe(4) allocates an mbuf and cluster, properly init the length fields.
  • Implemented rxrinfo ioctl in ix(4) for cluster usage statistics.
  • Call audio_{pint,rint}() call-backs with the mutex held.
  • When doing “whole disk” installs on macppc, blank the first 1 meg of the disk. Allows successful creation of boot partition.
  • Unlinked the crypto(4) pseudo device (disabled by default for about 4 years).
  • Made sure eap(4) releases CPU mutexes upon receiving an EINVAL message.
  • On i386/amd64, backported support for the “rdtscp” instruction from binutils-2.17.
  • Removed the custom jumbo allocator from nfe(4) which was never enabled.
  • When sshd(8) is dumping the server configuration, made it print correct KEX, MAC and cipher defaults.
  • Introduced rcctl(8), a simple utility for maintaining rc.conf.local(8).
  • When a local route(4) entry is added for an ifa having a broadcast address, made it identifiable (by a flag) and persistent.
  • Ensure state changes are properly serialised in pms(4). Makes enabling/disabling touchpads more reliable.
  • Missing stack var initialisation fixed in ld.so(1).
  • Added -4 and -6 flags to tcpbench(1), to specify ipv4 or ipv6 respectively.
  • Fixed _exit codes in syslogd(8) privsep.c, which were the wrong way around.
  • Fixed read access to uninitialised memory in mandoc(1).
  • Removed malloc(3) lock across some mmap(2) syscall(9). Speeds up multithreaded programs.
  • Added fancy printing of ktrace(1)’s ops argument to kdump(1).
  • Made kdump(1) display symbolically the mode argument of mkdir(1), mkfifo(1), mknod(2) and umask(2).
  • /etc/netstart now executed using sh(1) instead of sourcing it.
  • Repaired operation of sysctl(8) kern.arandom.
  • Removed support for public key operations from ubsec(4) and safe(4).
  • lofn(4) and nofn(4) removed as obsolete, due to reliance on the crypto(4) interface.
  • Switched to using O_CLOEXEC wherever we open a file and then call fcntl(F_SETFD, FD_CLOEXEC) on it. Reduces system calls and improves thread-safety for libraries.
  • More fixes in the attach failure path for ze(4/vax).
  • Added bounce matching for [] and {} to mg(1).
  • Synced relayd(8) and httpd(8) with RFC 7230-7235 phrases and IANA registered status codes.
  • In oce(4), implemented rxrinfo ioctl for cluster usage statistics.
  • systat(1) now only shows active pools by default; pressing “A” shows all pools.
  • Updated drm(4) to libdrm 2.4.56.
  • Began cleanup of scaling units in roff(7).
  • Some X(7) resource files moved to /usr/X11R6/share/X11/app-defaults.
  • With a non-existent httpd(8) root, removed root prefix from PATH_INFO (useful for virtual FastCGI scripts inside a chroot(8)).
  • Made sure tftpd(8) always calls freeaddrinfo(3) after getaddrinfo(3).
  • In httpd(8), provided a failsafe version of the path_info() function.
  • Correctly set the rtable ID of the packet header when sending pppoe(4) Active Discovery Terminate packets.
  • Brought pflow(4) IPFIX sequence numbers in line with the RFC.
  • Sync pf.conf(5) behaviour with the man page regarding parent anchors for “once” rules.
  • On mips64, stopped uvm_map(9) from receiving addresses outside userland bounds.
  • Fixed tmux(1) copy mode problems: in vi mode, include the last character if you moved the cursor up or left; in emacs mode include the last character if you moved the cursor left.
  • Added tmux(1) flags to selectp, to enable and disable input to a pane.
  • In ksh(1), separately set FD_CLOEXEC if the new fd was >= FDBASE. Affects scripts that directly use 9 of the first 10 file descriptors.
  • When dhclient(8) is parsing 32 bit values, verify that we received 4 bytes.
  • Validate len field in dhcpd(8) for proper length, not just “not zero.”
  • Brought back r1.131 of sys/kern/subr_pool.c: take the pools mutex when copying stats out of it in the sysctl(8) path.
  • Put back the checks about RTF_LOCAL routes now that userland tools are aware of them.
  • Stopped arp(4) and ndp(8) from trying to delete RTF_LOCAL entries.
  • Fixed unchecked memory allocation (and potential leak upon error) in ssl(8) ssl3_get_cert_verify().
  • Provided ssl3_get_cipher_by_id() function that allows ssl(8) ciphers to be looked up by their ID.
  • Always write core file of a non-suid process into pwd(1), even if sysctl(8) kern.nosuidcoredump is 2 or 3.
  • Fixed race in relayd(8) that caused non-persistent PUT connections with a short body to hang.
  • Removed disabled (weakened export and non-ephemeral DH) cipher suites from the ssl(8) cipher list.
  • If pkg_create(1) is run as non-root, restore correct group/owner to root/bin, and remove write permissions without explicit modes.
  • Fixed kqueue read/write filters for msdosfs and fuse(4) filesystems.
  • Fixed the length check for reinjected icmp(4) packets. Stops divert(4) discarding valid packets shorter than 20 bytes.
  • Fixed readelf(1) “--debug-dump=frames-interp” output.
  • 5.4 and 5.5 SECURITY FIXES: Backported security fixes from openssl 1.0.1i
    A source code patch is available for 5.4 and 5.5.
  • Initial sysmerge(8) support for handling configuration files from packages.
  • Now that uhub(4) can deal with them, added support for non-root hubs.
  • Made uhub(4) correctly recognise Super Speed devices.
  • Allow httpd.conf(5) to include the “types” section anywhere in the configuration file.
  • Removed tmux(1) support for the continuously reporting “any” mouse mode (never worked properly, rarely used).
  • Backport from binutils-2.17 the correct i386/amd64 register->int assignments for CFI.
  • Allow httpd(8) to use a fastcgi target as the default index (eg index.php).
  • Fixed relayd(8) when using DNS over udp(4) so it continues to work after the first request.
  • radeon(4) fixes: only apply hdmi “bpc pll” flags when encoder mode is hdmi; fixed dithering on some panels; fixed lane/clock setup for dp 1.2 capable devices.
  • Brought mandoc(1) handling of defective prologues closer to groff.
  • Simplified man(7) validation in mandoc(1).
  • Fixed mandoc(1) floating point handling. Fixes the indentation of the readline(3) manual.
  • Allow httpd(8) to serve empty (0 bytes) files.
  • Improved mandoc(1) handling of next-line scope when it is broken by end of file.
  • Partial mandoc(1) implementation of .Bd -centered; various improvements related to .Ex and .Rv.
  • Made sure asynchronous commands do not race with synchronous ones in xhci(4).
  • Improved xhci(4) logic to determine the maximum endpoint service interval time (ESIT) payload.
  • Made xhci(4) always report stalls, as umass(4) relies on this information.
  • Added support for using “-” as shorthand for stdin/stdout in tradcpp(1).

Resources

The distribution can be downloaded from:

The distribution's website is: http://www.openbsd.org/

Screenshots

OpenBSD 5.3 (screenshot)

Conclusions

The system has these main components:

  • Xenocara (based on X.Org 7.7 with xserver 1.16.4 + patches, freetype 2.5.5, fontconfig 2.11.1, Mesa 10.2.9, xterm 314, xkeyboard-config 2.13 and more)
  • Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.20.1 (+ patches)
  • SQLite 3.8.6 (+ patches)
  • NSD 4.1.1
  • Unbound 1.5.2
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)
  • Less 458 (+ patches)
  • Awk Aug 10, 2011 version
