Crea sito
RSS

OpenBSD 6.4

6 Novembre 2018

OpenBSD

OpenBSD

Il progetto OpenBSD è sistema operativo UNIX basato su 4.4 BSD ed è gratuito e multipiattaforma. OpenBSD supporta l’emulazione binaria di molti programmi da Solaris, FreeBSD, Linux, BSD/OS, SunOS e HP-UX.

Versione 6.4

Questa versione contiene (in Inglese):

 

  • Improved hardware support, including:
    • ACPI support on OpenBSD/arm64 platforms.
    • The radeondrm(4) driver was updated to code based on Linux 4.4.155, adding modesetting support for KAVERI/KABINI/MULLINS APUs and OLAND/BONAIRE/HAINAN/HAWAII GPUs.
    • Support for radeondrm(4) on OpenBSD/arm64 platforms.
    • New umt(4) driver for USB Windows Precision Touchpad devices.
    • New bnxt(4) driver for Broadcom NetXtreme-C/E PCI Express Ethernet adapters based on the Broadcom BCM573xx and BCM574xx chipsets. Enabled on amd64 and arm64 platforms.
    • New mue(4) driver for Microchip LAN7500/LAN7505/LAN7515/LAN7850 USB 2.0 and LAN7800/LAN7801 USB 3.0 Gigabit Ethernet devices.
    • New acpisurface(4) driver providing ACPI support for Microsoft Surface Book laptops.
    • New agintcmsi(4/arm64) driver for the ITS component of the ARM GIC.
    • New dwpcie(4) driver for the Synopsys Designware PCIe controller, which is built into various SoCs.
    • New acpipci(4/arm64) driver providing support for PCI host bridges based on information provided by ACPI.
    • New mvclock(4), mvgpio(4), mvicu(4), mvrng(4), mvrtc(4), and mvtemp(4) drivers for various components of the Marvell Armada SoCs.
    • New hiclock(4), hidwusb(4), hireset(4), and hitemp(4) drivers for various components of the HiSilicon SoCs.
    • New ccp(4) and octcrypto(4/octeon) drivers for hardware-accelerated cryptography.
    • New ccpmic(4) and tipmic(4) drivers for Intel Crystal Cove and Dollar Cove TI Power Management ICs.
    • New imxrtc(4) driver for the RTC integrated in Freescale i.MX7 and i.MX8 processors.
    • New fanpwr(4) driver for the Fairchild FAN53555 and Silergy SYR827/828 voltage regulators.
    • New pinctrl(4) driver for generic pin multiplexing.
    • New plgpio(4) driver for the ARM PrimeCell PL061 GPIO controller.
    • PIE support for the m88k platform.
    • Support for some HID-over-I2C touchscreen devices in imt(4).
    • Support for RTL8188EE and RTL8723AE in rtwn(4).
    • Support for RT3290 in ral(4).
    • Support for SAS 3.5 controllers (SAS34xx and SAS35xx) in mpii(4).
    • Support for drive and battery status sensors and bio in mfii(4).
    • On i386 Intel CPU microcode is loaded on boot.
    • On i386 reduce the size of the area reserved for brk(2) to make more memory available to anonymous mmap(2) calls.
    • On sparc64 ldomctl(8) now supports more modern firmware found on SPARC T2+ and T3 machines in particular such as T1000, T5120 and T5240. NVRAM variables can now be set per logical domain.
    • com(4) better supports Synopsys Designware UARTs.
    • New islrtc(4) driver for Intersil ISL1208 Real Time Clock.
    • Support for the Huawei k3772 in umsm(4).
    • Support for the VIA VX900 chipset in viapm(4).
    • Support for GNSS networks other than GPS in nmea(4).
    • Support for Elantech trackpoints in pms(4).
    • Added a sensor for port replicatior status to acpithinkpad(4).
    • Support for Allwinner H3 and A64 SoC in scitemp(4).
  • vmm(4) and vmd(8) improvements:
    • Support for qcow2 disk and snapshot images.
    • Support for VM templates and derived instances in vm.conf(5) and vmctl(8).
    • Added initial unveil(2) support to vmctl(8) along with general cleanups.
    • Various bug fixes and improvements.
  • IEEE 802.11 wireless stack improvements:
    • With the new ‘join’ feature (managed with ifconfig(8)), the kernel manages automatic switching between different WiFi networks.
    • ifconfig(8) scan performance has been improved for many devices.
  • Generic network stack improvements:
    • trunk(4) now has LACP administrative knobs for mode, timeout, system priority, port priority, and ifq priority.
    • ifconfig(8) now has the ability to adjust LACP administrative knobs lacpmode and lacptimeout.
    • sendmsg(2), sendto(2), recvfrom(2) and recvmsg(2) are run without KERNEL_LOCK.
    • New global IPsec counters are available via netstat(1).
    • New eoip(4) interface for the MikroTik Ethernet over IP (EoIP) encapsulation protocol.
  • Installer improvements:
    • installurl(5) now defaults to cdn.openbsd.org if no mirror was chosen during installation. pkg_add(1) and syspatch(8) will thus work out of the box.
    • DUID can be used to answer the “Which disk is the root disk?” question during upgrade.
    • Installing a diskless(8) setup can be done over interfaces configured with dhclient(8).
    • disklabel(8) now creates a /usr/obj partition with a minimum size of 5G when using automatic disk allocation.
    • disklabel(8) now creates a /usr/local partition with a maximum size of 20G when using automatic disk allocation.
  • Security improvements:
    • New unveil(2) system call to restrict file system access of the calling process to the specified files and directories. It is most powerful when properly combined with privilege separation and pledge(2).
    • Implemented MAP_STACK option for mmap(2). At pagefaults and syscalls the kernel will check that the stack pointer points to MAP_STACK memory, which mitigates against attacks using stack pivots.
    • New RETGUARD security mechanism on amd64 and arm64: use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets.
    • clang(1) includes a pass that identifies common instructions which may be useful in ROP gadgets and replaces them with safe alternatives on amd64 and i386.
    • The Retpoline mitigation against Spectre Variant 2 has been enabled in clang(1) and in assembly files on amd64 and i386.
    • Added SpectreRSB mitigation on amd64.
    • Added Intel L1 Terminal Fault mitigation on amd64.
    • When available, PCIDs are used on amd64 to separate user and kernel thread TLB entries.
    • Meltdown mitigation was added to i386.
    • amd64 now uses eager-FPU switching to prevent FPU state information speculatively leaking across protection boundaries.
    • Because Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner, it is now disabled by default. It can be enabled with the new hw.smt sysctl(2) variable.
    • Audio recording is now disabled by default and can be enabled with the new kern.audio.record sysctl(2) variable.
    • getpwnam(3) and getpwuid(3) no longer return a pointer to static storage but a managed allocation which gets unmapped. This allows detection of access to stale entries.
    • sshd(8) includes improved defence against user enumeration attacks.
  • Routing daemons and other userland network improvements:
    • ospf6d(8) can now set the metric for a route depending on the status of an interface.
    • ospf6d(8) can now be bound into an alternate routing domain.
    • ospf6d(8) is now pledged.
    • Prevent ospfd(8) and ospf6d(8) from being started more than once (in the same routing domain).
    • slaacd(8) is now fully pledged.
    • slaacd(8) is informed by the kernel when Duplicate Address Detection (DAD) fails and generates different addresses when possible.
    • When slaacd(8) detects roaming between networks, it deprecates all configured IPs. IPs from newly advertised prefixes will be preferred.
    • A new daemon, rad(8), sends IPv6 Router Advertisement messages and replaces the old rtadvd(8) daemon from KAME.
    • The anachronistic networks(5) configuration file is no longer supported.
    • More robust pfctl(8) parsing routines and corner case fixes around table and anchor handling.
    • route(8) now errors out on bad -netmask/-prefixlen usage instead of configuring ambiguous routes.
    • dhclient(8) now adds a direct route to the default route gateway when the gateway is not reachable via the address/netmask provided by the lease.
    • dhclient(8) now updates dhclient.leases(5), resolv.conf(5), and any ‘-L’ file before daemonizing and returning control to invoking scripts.
    • dhclient(8)‘s ‘-i’ option now discards any previously defined values for the options to be ignored.
    • Any change to any interface now causes dhclient(8) to appropriately update resolv.conf(5).
    • dhclient(8) now always records the client identifier used to obtain a lease, enabling better conformance to RFC 6842.
    • dhclient(8) now has the ‘-r’ option to release the current lease and exit.
    • dhclient(8) now avoids inappropriate changes to resolv.conf(5) by ignoring dhclient.leases(5) for interfaces that cannot report their link status.
  • bgpd(8) improvements:
    • The default filter action was changed from allow to deny.
    • The config option ‘announce (all|self|none|default-route)’ has been deprecated and superseded by filter configuration.
    • Improved prefix-sets both in speed and user experience.
    • Introduced as-sets to match ASPATH against large lists of AS numbers.
    • Support for BGP Origin Validation RFC 6811 through the roa-set directive.
    • Added origin-sets for matching prefix / origin AS pairs efficently.
    • Some syntax cleanups: newlines are optional inside expansion lists (previously newlines needed to be escaped) but, in neighbor, group and rdomain blocks multiple statements have to be on new lines.
    • Reduce the amount of work done during a configuration reload.
    • Config reloading no longer blocks other event handling in the route decision engine.
    • Better support and bugfixes for multiple bgpd processes running in different rdomains.
  • Assorted improvements:
    • rasops(9)-backed framebuffer consoles such as inteldrm(4), radeondrm(4) and efifb(4) now support scrollback.
    • rebound(8) gained support for permanent A records, similiar to local-data supported by unbound(8).
    • New kcov(4) driver used for collection of code coverage inside the kernel. It’s used in an ongoing effort to fuzz the kernel.
    • uid_from_user(3) and gid_from_group(3) were added to the C library and are now used in several programs to speed up repeated lookups.
    • New semaphore implementation making sem_post(3) async-safe.
    • pcap_set_immediate_mode(3) was imported from mainline libpcap, allowing programs to process packets as soon as they arrive.
    • ksh(1) now supports 64-bit integers on all architectures.
    • A bug in ksh(1) related to variable expansion of read-only variables has been fixed.
    • lam(1) now provides UTF-8 support.
    • Enable trunk(4) and vlan(4) on arm64 RAMDISK.
    • pf(4) IP fragment reassembly uses a better algorithm to make it robust against denial of service attacks.
    • New ldap(1) tool implementing a simple LDAP search client.
    • A bug in init(8) that caused hangs on i386 under VMware has been fixed.
    • TFTP boot support was added for U-Boot based arm64 and armv7 platforms via EFI Simple Network protocol.
    • Support was added for the EFI Random Number Generator Protocol to insert additional entropy into the kernel at boot.
    • Support for RFC 3430 (TCP connections) was added to snmpd(8).
    • Enable bwfm(4) on amd64, i386, arm64 and armv7. Also on loongson and macppc for USB devices.
    • New “Spleen 5×8” font added to wsfont, targetted at small OLED displays.
    • usbdevs(8) now reports USB port statuses.
    • top(1) and systat(1) now report the time spent by each CPU waiting on spinning locks.
    • Improved read speed on MSDOSFS via clustering.
    • Access to NFS nodes is now serialized.
    • systat(1) has a new uvm view that displays statistics relevant to the UVM subsystem.
    • mg(1) now handles carriage returns during incremental search by setting the mark and exiting the search, as modern emacsen do.
    • disklabel(8) improved the rounding of partition offsets and sizes to cylinder boundaries.
    • disklabel(8) now range checks all user input.
    • disklabel(8) no longer allows FS_RAID partitions to be given a mount point.
    • disklabel(8) now changes partition information only when all user input is valid.
    • relayd(8) has improved log directives in its configuration file for finer grained control of what gets logged.
    • tmux(1) now handles terminfo colors greater than 256 correctly.
    • httpd(8) now supports client certificate authentication.
    • Numerous improvements to the fuse(4) subsystem.
    • Improvements to the way the kernel searches for available memory to satisfy anonymous mmap(2) calls.
    • efifb(4) now remaps the EFI framebuffer early to use a write combining mapping, speeding things up considerably.
  • OpenSMTPD
    • Incompatible change to the smtpd.conf(5) grammar: separate envelope matching, which happens during the SMTP dialogue while receiving a message and merely results in assigning an action name, from delivery actions, which do not take effect until the queue runner makes a delivery attempt. This gets rid of several different roadblocks in OpenSMTPD development.
    • Improve SMTP server engine with a new RFC 5322 message parser.
    • Remove limitations preventing smtpd(8) from dealing with clients submitting long lines.
    • Improve security by moving expansion of .forward file variables into the users’ MDA process.
    • Introduce MDA wrappers allowing recipient MDA commands to be transparently wrapped inside global commands.
    • A new smtp(1) command line client has been added.
    • Assorted documentation improvements, cleanups and minor bug fixes.
  • OpenSSH 7.9
    • New features:
      • In most places in ssh(1) and sshd(8) where port numbers are used, service names (from /etc/services) can now be used.
      • The ssh(1) IdentityAgent configuration directive now accepts environment variable names. This supports the use of multiple agent sockets without needing to use fixed paths.
      • Support signalling sessions via the SSH protocol in sshd(8).
      • “ssh -Q sig” can be used to list supported signature options. Also “ssh -Q help” will show the full set of supported queries.
      • The new CASignatureAlgorithms option in ssh(1) and sshd(8) controls the allowed signature formats for CAs to sign certificates with. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm.
      • Key revocation lists (KRLs) can now contain keys specified by SHA256 hash. These lists are managed by ssh-keygen(8). In addition, KRLs can now be created from base64-encoded SHA256 fingerprints, i.e. from only the information contained in sshd(8) authentication log messages.
    • Non-exhaustive list of bug fixes:
      • ssh(1): ssh-keygen(1): avoid spurious “invalid format” errors when attempting to load PEM private keys while using an incorrect passphrase.
      • sshd(8): when a channel closed message is received from a client, close the stderr file descriptor at the same time stdout is closed. This avoids stuck processes if they were waiting for stderr to close and were insensitive to stdin/out closing.
      • ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined.
      • sshd(8): do not fail closed when configured with a text key revocation list that contains a too-short key.
      • ssh(1): treat connections with ProxyJump specified the same as ones with a ProxyCommand set with regards to hostname canonicalisation (i.e. don’t try to canonicalise the hostname unless CanonicalizeHostname is set to ‘always’).
      • ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key authentication using certificates hosted in a ssh-agent(1) or against sshd(8) from OpenSSH <7.8.
  • LibreSSL 2.8.2
    • API and Documentation Enhancements
      • X509 verification is now more strict so X509_VERIFY_PARAM host, ip or email failure will cause future X509_verify_cert(3) calls to fail.
      • Support for single DES cipher suites is removed.
      • Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to RSA_sign(3)
      • Modified signature of CRYPTO_mem_leaks_*(3) to return -1. This function is a no-op in LibreSSL, so this function returns an error to not indicate the (non-)existence of memory leaks.
      • SSL_copy_session_id(3), PEM_Sign, EVP_EncodeUpdate(3), BIO_set_cipher(3), X509_OBJECT_up_ref_count(3) now return an int for error handling, matching OpenSSL.
      • Converted a number of #defines into proper functions, matching OpenSSL’s ABI (e.g. X509_CRL_get_issuer(3) and other X509_*get*(3) functions)
      • Added X509_get0_serialNumber(3) from OpenSSL.
      • Removed EVP_PKEY2PKCS8_broken(3) and PKCS8_set_broken(3), while adding PKCS8_pkey_add1_attr_by_NID(3) and PKCS8_pkey_get0_attrs(3), matching OpenSSL.
      • Removed broken pkcs8 formats from openssl(1).
      • Added RSA_meth_get_finish(3) and RSA_meth_set1_name(3) from OpenSSL.
      • Added new EVP_CIPHER_CTX_(get|set)_iv(3) API that allows the IV to be retrieved and set with appropriate validation.
      • Extensive documentation updates and additional API history.
      • Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
      • Made ENGINE_finish(3) and ENGINE_free(3) succeed on NULL and simplify callers and matching OpenSSL behavior, rewrote ENGINE_* documentation.
      • Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications.
      • Documented security pitfalls with BN_FLG_CONSTTIME and constant-time operation of BN_* functions.
    • Testing and Proactive Security
      • Added Wycheproof test support for ECDH, RSASSA-PSS, AES-GCM, AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and X25519 test vectors. Applied appropriate fixes for errors uncovered by tests.
      • Added more cipher tests, including all TLSv1.2 ciphers.
      • Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key.
      • Added timing-safe compares for checking results of signature verification.
      • Added ECC constant time scalar multiplication support. From Billy Brumley and his team at Tampere University of Technology.
    • Internal Improvements
      • Simplified key exchange signature generation and verification.
      • Converted more code paths to use CBB/CBS. All handshake messages are now created by CBB. RSA key exchange is simplified and uses dedicated buffers for secrets.
      • Simplified session ticket parsing and handling, inspired by BoringSSL.
      • Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the EVP_AEAD interface.
      • Stopped using composite EVP_CIPHER AEADs.
      • Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
      • Updated BN_clear to use explicit_bzero.
      • Cleaned up BN_* implementations following changes made in OpenSSL by Davide Galassi and others.
      • Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017. Based on an OpenSSL commit by David Benjamin.
    • Bug Fixes
      • Fixed a one-byte buffer overrun in callers of EVP_read_pw_string
      • Fixed various memory leaks found by Coverity.
      • Converted more functions in public API to use const arguments.
      • Correctly clear the current cipher state, when changing cipher state. This fixed an issue where renegotiation of cipher suites would fail when switched from AEAD to non-AEAD or vice-versa. Issue reported by Bernard Spil.
      • Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry
      • Fixed a potential memory leak on failure in ASN1_item_digest
      • Fixed a potential memory alignment crash in asn1_item_combine_free
      • Fixed small timing side-channels in ecdsa_sign_setup and dsa_sign_setup.
      • Added a missing bounds check in c2i_ASN1_BIT_STRING.
      • Fixed a potential leak/incorrect return value in DSA signature generation.
  • Mandoc 1.14.4
    • In HTML output, many mdoc(7) macros now use more fitting HTML elements.
    • In HTML output, almost all “style” attributes and a number of redundant “class” attributes were removed.
    • Baby steps towards responsive design: use a @media query in mandoc.css, use the HTML meta viewport element, and remove all hard-coded widths and heights from the generated HTML code.
    • Many style improvements in mandoc.css.
    • More than 15 new low level roff(7) and GNU man-ext features. Mandoc can now format the manuals of the groff port.

 

Risorse

La distribuzione può essere scaricata da:

Il sito web della dstribuzione è: http://www.openbsd.org/

Screenshot

OpenBSD 5.3

OpenBSD 5.3

Conclusioni

Si può aggiornare dalla versione precedente.

Subscribe

Subscribe to our e-mail newsletter to receive updates.

No comments yet.

Leave a Reply