Crea sito
RSS

OpenBSD 6.7

28 Giugno 2020

OpenBSD

OpenBSD

Il progetto OpenBSD è sistema operativo UNIX basato su 4.4 BSD ed è gratuito e multipiattaforma. OpenBSD supporta l’emulazione binaria di molti programmi da Solaris, FreeBSD, Linux, BSD/OS, SunOS e HP-UX.

Versione 6.7

Questa versione contiene (in Inglese):

  • General improvements and bugfixes:
    • Reduced the minimum allowed number of chunks in a CONCAT volume from 2 to 1, increasing the number of volumes which can be created on a single disk with bioctl(8) from 7 to 15. This can be used to create more partitions than previously.
    • Rewrote the cron(8) flag-parsing code to be getopt-like, allowing tight formations like -ns and flag repetition. Renamed the “options” field in crontab(5) to “flags”.
    • Added crontab(5) -s flag to the command field, indicating that only a single instance of the job should run concurrently.
    • Added cron(8) support for random time values using the ~ operator.
    • Allowed cwm(1) configuration of window size based on percentage of the master window during horizontal and vertical tiling actions.
    • Allowed use of window-htile and window-vtile with the “empty” group clients in cwm(1).
    • Switched powerpc to a machine-independent mplock implementation, allowing use of witness(4).
    • Added acpi(4) support for the _CCA method, indicating whether DMA is cache-coherent.
    • Switched the default compiler on powerpc to clang.
    • Bumped nvme(4) max physio() i/o size to 128K.
    • Improved apmd(8) support for automatic suspend/hibernate (-z/-Z). The daemon now reacts to power changes messages sent by the battery driver. Those messages are ignored for 60 seconds after a resume, so that the user can take control before the machine goes back to sleep.
    • Prevented a kernel hang when no unlocked ffs_softdep worklist items could be processed.
    • Stopped counting pages mapped as PROT_NONE against the RLIMIT_DATA limit, helping code which reserves large chunks of address space but populates it sparsely.
    • Added the $REQUEST_SCHEME variable to httpd.conf(5), allowing preservation of the original connection type (http or https) for redirect locations
    • Implemented “strip” option in httpd.conf(5) for fastcgi to be able to have multiple chroots under /var/www for FastCGI servers.
    • Changed httpd(8) to send a 408 response when a timeout happens while headers are being received, but close the connection if no request is received.
    • Updated en_US.UTF-8.src to Unicode 12.1.
    • Added a new __tmpfd system call which creates a new, unnamed file in /tmp, intended for shm/fd passing, but in programs that may otherwise lack filesystem access (due to restrictions imposed by unveil(2) or pledge(2)).
    • Imported dt(4), a driver and framework for Dynamic Profiling, and an accompanying bug tracer that speaks the dt(5) language.
    • Added a human-readable mode (-h) to systat(1).
    • Implemented scrolling in top(1) using the 9 and 0 keys.
    • Added timeout_set_flags(9) and TIMEOUT_INITIALIZER_FLAGS(9) to the timeout API, allowing the caller to initialize timeouts with arbitrary flags.
    • Introduced TIMEOUT_SCHEDULED flag and tos_scheduled statistic to timeout(9).
    • Switched to tickless backend in timeout(9), adding new interface timeout_add_ts(9) to avoid backwardly compatible behavior.
    • Added the system clock interface nanoboottime(9), returning the UTC time at which the system booted in seconds and nanoseconds.
    • Introduced efficient page freeing in reverse order from uvm, greatly improving cases of massive page freeing.
    • Added uvm_objfree to uvm to efficiently free all pages from a uvm object, used in the buffer cache for considerable speedup when freeing pages.
    • Modified buffer cache to use individual uvm_objs per buffer to speed page lookups.
    • Speed up sort(1) by not performing a top-level sort when -c is used with a -k field.
    • Modified -z mode verification in signify(1) to save the header and output it, so signify -zV >saved.tgz will keep the signature for later checks.
    • Enabled DNSSEC validation in unbound(8) by default.
    • ntpd(8) now does constraint validation against 9.9.9.9 and 2620:fe::fe by default.
    • Fixed arp(4) issues created by dhclient(8) modifying existing routes.
    • Fixed resolv.conf(5) handling by dhclient(8) when an interface loses link.
    • Restored previous dhclient(8) behaviour of rejecting leases that lack a subnet mask.
    • Enabled dhclient(8) to configure carp(4) interfaces.
    • Fixed dhclient(8) releasing leases without a server identifier.
    • Improved dhclient(8) NAK handling in various corner cases.
    • Fixed dhclient(8) endlessly sending REQUEST messages when an ACK is never received.
    • Prevented dhcpd(8) from referencing freed memory when releasing a lease with an unusually long uid.
    • Corrected parsing of classless static default route “0/0” in dhcpd.conf(5).
    • Increased to 15 the number of softraid(4) CONCAT volumes that can be created on a single disk.
    • Fixed softraid(4) CRYPTO volumes on 4K-sector disks.
  • The FFS2 filesystem, which uses 64bit timestamps and block numbers is now the default for new installs on nearly all architectures:
    • Enabled ffs2 in sgi bootblocks and ramdisks.
    • Made ffs2 the default filesystem type on installs except for landisk, luna88k and sgi.
    • Changed the sparc64 bootblocks to be able to read from ffs1, ffs2 and softraid, and enabled the ffs2 option for both floppies.
    • Enabled FFS2 on the landisk ramdisk.
    • Taught i386 boot(8), cdboot(8) and pxeboot(8) about ffs2.
    • Taught macppc boot(8) about ffs2.
    • Taught sparc64 boot(8) about ffs2.
    • Allowed hppa boot(8) to read from an ffs2 filesystem.
    • Allowed alpha boot(8) to read from an ffs2 filesystem and adapted its custom installboot to deal with ffs2. Also fixed the partition read code to deal with offsets greater than 2G.
    • Adapted biosboot(8) so that it can read boot(8) from an ffs2 filesystem.
    • Allowed amd64 boot(8) to read from an ffs2 filesystem. Enabled ffs2 for floppy.
    • Allowed loongson boot(8) to read from an ffs2 filesystem.
    • Allowed arm64 and armv7 efiboot(8) to read from an ffs2 filesystem.
  • SMP-Improvements:
  • Improved hardware support, including:
    • Improvements in the em(4) driver.
    • Added dsxrtc(4), a driver for the Maxim DS3231/DS3232 I2C RTC.
    • Added ure(4) support for Lenovo OneLine Plus Dock Ethernet.
    • Improved ucom(4) to fix firmware upload on some microcontroller boards using DTR and RTS as signaling lines to reset the device and enter the bootloader.
    • Added a PCI attachment driver for com(4) to support memory-mapped PCI devices which are part of a Low Power Subsystem (LPSS).
    • Implemented microsecond resolution using microuptime(9) to avoid a hard hang when starting X on Intel Cherry Trail Atom processors.
    • Added support for X553 controllers to ix(4).
    • Added usb(4) device support for an AMD hub on the APU2 and a Synaptics vendor id and two fingerprint readers.
    • Prevented buffer overflows with uthum(4) by not assuming the report length given by the hardware is necessarily smaller than the length of the on-stack buffer.
    • Added rge(4), a driver for the Realtek 8125 PCI Express 2.5Gb Ethernet devices.
    • Fixed cursor issues and suspend/resume on amdgpu(4) and radeondrm(4).
    • Fixed support for additional I2C busses in piixpm(4) for older SB800 SMBus controllers. Prevented sensors from attaching four times on old AMD machines.
    • Invalidated the knote(9) list of uhid(4) after device detach, preventing a crash that can happen when kqueue still holds references to knotes pointing to the device.
    • Prevented a use-after-free causing crashes with uhidev(4) devices.
    • Prevented mcx(4) interface lockups due to completion queue overflow.
    • Fixed brightness keys on various laptops with AMD graphics.
    • Fixed brightness controls on machines where the initial brightness values are returned out of range.
    • Set the default brightness level on attachment for pwmbl(4).
    • Fixed acpivout(4) screen brightness adjustment through function keys, better supporting machines using exponential brightness scaling.
    • Changed acpivout(4) to increment and decrement screen brightness based only on brightness level changes of 5% or higher.
    • Fixed Etron EJ168 USB 3.0 Host Controllers via USB 2 devices.
    • Added support for the SIERRA MC7700 to umsm(4) UMTS and LTE modem device.
    • Fixed RAID volume WWIDs for mpii(4) LSI controllers on sparc64, allowing autoconf(9) to identify the volume as the root device and boot off hardware RAID.
    • Populated logical disk port WWNs with their RAID volume’s WWID in mpii(4).
    • Added fido(4), an HID driver for FIDO/U2F security keys.
    • Added parsing of DDR4 and LPDDDR3/4 SPD memories to spdmem(4).
    • Added support to lm(4) for NCT6775F, NCT5104D, NCT6779D and NCT679[1235]D sensors.
    • Updated piixpm(4) to support newer AMD chips like Hudson-2 and KERNCZ and implemented multi-bus support for SB800, Hudson-2 and KERNCZ.
    • Extended the expected SPD types to include DDR4 and low-power DDR3/DDR4.
    • Enabled full use of jumbo frames on bnx(4) devices.
    • Fixed scsi(8) softraid crypto volumes on 4K-sector disks.
    • Faked disk info to match expected boot disk when EFI bootloader has been received via TFTP, fixing a hang during HP Elitebook UEFI boot.
    • Implemented a hexdump command in the bootloader, helping to inspect the memory layout created by the firmware and useful for UEFI debugging.
    • Improved ksmn(4) temperature conversion precision.
    • Added a quirk to handle Apollo Lake, Gemini Lake and 100 Series Intel SD/MMC sdhc(4) controllers which should not have voltages set to 0V.
    • Prevented a local user from causing the system to hang by reading specific registers when Intel Gen8/Gen9 graphics hardware is in a low power state.
    • Prevented writes to memory allowed by the Intel Gen9 graphics hardware.
    • Added support for buttons 2 and 3 to imt(4).
    • Added ogx(4), a driver for the OCTEON III network processor.
    • Fixed endian swapping in xhci(4), allowing it to work again on octeon and other big endian architectures.
    • Implemented the “parallel boot” feature on compatible sparc64 firmware.
    • Introduced iwx(4), a driver for Intel AX200 WiFi devices.
    • Added iwm(4) support for Intel 9260 and 9560 wifi devices.
    • Updated firmware for all devices supported by the iwm(4) driver.
    • Fixed iwm(4) support for Intel 3168 wifi devices.
    • Added support for the tp-link tl-wn823n to the urtwn(4) driver.
    • The athn(4) driver now offloads CCMP (WPA2) encryption and decryption to hardware.
    • Prevented an overflow due to xen(4) failing to release the interrupt source when unmasking the interrupt.
    • Fixed usb(4) handling USB 2.0 devices on various USB 3.0 controllers.
    • Fixed usb(4) handling of controllers that STALL to indicate a short read.
    • Fixed xhci(4) handling of i/o’s that are exact multiples of the max packet size.
    • Bumped nvme(4) maximum physio i/o size to 128K.
    • Fixed probing of modern scsi(4) devices to ignore the SYNC and WIDE flags used by parallel SCSI.
  • Removed hardware support
    • Removed the rtfps(4) driver, a multiplexing serial communications interface for IBM RT PC boards
    • Removed the dpt(4) driver for DPT EATA SCSI RAID.
    • Removed gpr(4), a driver for GemPlus GPR400 PCMCIA smartcard readers.
    • Removed mesh(4), a driver for old world Apple Power Macintosh SCSI cards.
  • Improvements in audio drivers and the sndio(7) framework:
    • Introduced the sioctl_open(3) API to manipulate audio controls exposed by sndiod(8).
    • Modified sndiod(8) to use and expose hardware volume controls if available.
    • Modified all ports manipulating audio controls to use sndio(7) instead of the kernel mixer(4) interface.
    • Introduced the sndioctl(1) utility to manipulate audio controls exposed by sndiod(8).
    • Exposed the first 4 audio(4) devices and the first 8 midi(4) devices through sndiod(8) by default.
    • Disabled access for regular users to /dev/audio* and /dev/rmidi*, for improved security.
    • Modified mixerctl(1) to use /dev/audioctl* instead of /dev/mixer*.
    • Removed /dev/mixer*
    • Fixed support for uaudio(4) devices with different recording and playback rate sets.
    • Fixed volume control of many uaudio(4) devices.
    • Fixed channel duplication (-j option) in sndiod(8).
    • Allowed rc.d(8) script to reload sndiod(8).
    • Added an azalia(4) quirk for the ALC285 on the X1C7 to avoid a clicking noise on the headphone output.
    • Disabled MSI for the AMD Hudson2 azalia(4) HDA to fix random lock ups.
  • A large number of drivers were written to improve arm64 and armv7 hardware support, including:
    • Better hardware support for the i.MX8MM platform.
    • Support for the Raspberry Pi 4 on arm64.
    • Better support for the Raspberry Pi 3 on arm64.
    • Proper support for the Raspberry Pi 2 and 3 on armv7.
    • Better support for Rockchip based systems, especially the Pinebook Pro.
    • Switched USB to use non-coherent buffers for data transfers, dramatically improving performance on some ARM SoCs where the USB controller is not coherent with the caches.
    • Allowed switching to framebuffer “glass” console on armv7 in the bootloader, mirroring previous changes to arm64.
    • Corrected cache flush operations on arm64 which were being incorrectly treated as write operations. This fixes a bug where cache flushing caused Firefox to abort.
    • Added the capability for armv7 boot from another block device than the one from which efiboot was loaded.

      Specifically the following device drivers were added or fixed:

    • Added bcmbsc(4), a driver for the Broadcom Serial Control (BSC) controller.
    • Added bcmgpio(4), a driver for the Broadcom BCM283x GPIO controller.
    • Added bcmsdhost(4), a driver for the Broadcom “sdhost” SD controller found on the Raspberry Pi.
    • Added bcmdmac(4), a driver for the DMA controller found on BCM283x SoCs.
    • Added support for the additional sdhc(4) controller found on the Raspberry Pi.
    • Added quirks for the sdhc(4) controller on the Raspberry Pi, providing microSD card or WiFi support depending on the firmware configuration.
    • Added support for hardware with sdhc(4) controllers on busses only supporting 32-bit access.
    • Added bcmirng(4), a driver for the RNG200 random number generator found on the Raspberry Pi 4.
    • Added bcmclock(4), a driver for the BCM283X CPRMAN clock controller.
    • Added bcmmbox(4), a driver for the VideoCore messagebox interface on BCM283X.
    • Added bcmpcie(4), a driver for the PCIe controller found on the Raspberry Pi 4.
    • Added bse(4), a driver for the Broadcom GENET v5 network interface found on the Raspberry Pi 4.
    • Added brgphy(4) support for the Broadcom BCM54210E.
    • Added support for the Armada 3720 CPU clock to mvclock(4).
    • Fixed address filter in mvneta(4).
    • Added omcm(4), omclock(4) and omsysc(4) drivers that support the new bus structure used in current mainline Linux device trees.
    • Added omrng(4), a driver for the random number generator found on TI OMAP SoCs.
    • Fixed the MAC address on Pandaboard-ES by increasing smsc(4) buffer size used to fetch device tree properties.
    • Added support for additional Allwinner A80 clocks and resets in sxiccmu(4).
    • Fixed amlpciephy(4) USB3 support when USB has not been initialized by U-Boot.
    • Added clock support for i.MX8MM.
    • Fixed CPU frequency scaling support on the Librem5 Devkit.
    • Added imxpwm(4), a driver for the PWM controller found on various NXP i.MX SoCs.
    • Added support for reading the i.MX8MM temperature sensors to imxtmu(4).
    • Added bdpmic(4), a driver for the ROHM BD71837 and BD71847 Power Management IC.
    • Allowed ipmi(4) to attach using mmio.
    • Added rkrng(4), a driver for the random number generator found on various Rockchip SoCs.
    • Added glass console support to rkdrm(4) in Rockchip SoCs, including kernel modesetting support.
    • Added rkdrm(4), a driver providing kernel mode setting (KMS) functionality for the graphics hardware integrated on Rockchip SoCs.
    • Added rkdwhdmi(4), a driver for the HDMI transmitter found on the Rockchip RK3399 SoC.
    • Added rkanxdp(4), a driver for the Analogix Display Port controller on the RK3399.
    • Added rkvop(4), a driver for the RK3399’s Video Output Processors.
    • Added rkpwm(4), a driver for the RK3399’s PWM controller.
    • Added rkemmcphy(4), a driver for the RK3399’s eMMC PHY.
    • Added support for gen2 negotiation to rkpcie(4) and enabled gen2 link state training when the dtb is configured with max-link-speed = 2.
    • Enabled backlight control use on the Pinebook Pro via wsconsctl(8).
    • Fixed the Pinebook Pro’s trackpad by ensuring only hid_input items are accepted when walking the HID descriptor.
    • Fixed pwmbl(4) attachment on the Pinebook Pro.
    • Added simplepanel(4), a driver for simple display panels such as the one found on the Pinebook Pro.
    • Recognized BCM4345 rev 9 as shipped with the Pinebook Pro as an AMPAK AP6256 module in bwfm(4).
    • Improved bwfm(4) on the Pinebook Pro by acking SDIO interrupts earlier on dwmmc(4).
    • Added amltemp(4), a driver for the temperature sensors on various Amlogic SoCs.
    • Added pwmfan(4), a driver for PWM-regulated fans.
    • Enabled umt(4) (USB HID multitouch touchpad devices) on arm64.
  • IEEE 802.11 wireless stack improvements and bugfixes:
    • Stop connecting to any available unencrypted wifi networks when an interface is marked up. This behavior must now be explicitly enabled with ifconfig(8) join
      ""
      .
    • A background scan is now triggered when root runs the ifconfig(8) scan command. This updates the list of cached APs displayed by the scan command and forces a search for a better AP to roam to.
    • Add nwflag nomimo which can be set with ifconfig(8) to work around packet loss in 11n mode if the wireless network device has unused antenna connectors.
    • Increased the net80211 node cache size to allow more APs to be viewed during scans.
    • Fixed the ifconfig(8) “media:” line displayed during and after a background scan in 11n mode.
    • Made background scans less frequent if they keep choosing the same AP.
    • Fix kernel crashes in net80211 hostap mode due to mbuf corruption which occurred if a relatively long SSID was configured.
    • Added support for active scanning to bwfm(4).
    • Fix bwfm(4) behavior which could trigger the ifq pressure drop mechanism under moderate load.
    • Improved error handling for bwfm(4) connection attempts.
    • Improved automatic switching between wifi networks by lowering the priority of networks in the ifconfig(8) join list which fail to connect.
    • Avoid repeated switching between APs in areas where APs are tuned for low transmit range.
    • Raised net80211’s “beacon miss” threshold to avoid frequent reconnects under conditions which cause loss of beacons.
    • Reduced stalls on packet loss in 11n mode by improving net80211 handling of the Rx block ack sequence number window and queue.
    • Fixed a bug where outstanding frames on the iwn(4) aggregation queue interfered with roaming to another AP.
    • Fixed a race condition in iwm(4) Rx interrupt handling.
    • Implemented a workaround for missing Tx completion interrupts in iwm(4) which could lead to failures when roaming to another AP.
    • Re-enabled firmware-based Tx retries at lower rates for iwm(4), reducing packet loss.
    • Fixed automatic Tx rate control issues in iwn(4), and iwm(4).
    • Fixed a use-after-free that caused a kernel crash during zyd(4) device detach.
  • Generic network stack improvements and bugfixes:
    • Fixed a panic when using pppac(4) without pipex(4).
    • Fixed a “route contains no arp information” bug where a kernel routing table entry was incorrectly deleted upon insertion of a new entry.
    • Stopped processing packets under non-exclusive netlock, preventing concurrency in the socket layer.
    • Prevented data corruption on UDP receive socket buffers by grabbing the exclusive NET_LOCK() in the softnet thread.
    • Fixed a kernel crash due to unlimited recursion caused by local outbound UDP broadcast/multicast packets sent by a spliced socket.
    • Added IPv6 support to umb(4).
    • Added support for very old firmware umsm devices with umsm(4) rather than umb(4).
    • Added pppac(4) code for a dedicated PPP Access Concentrator interface and switched npppd.conf(5) to use pppac(4) instead of tun(4).
    • Added a check when IP forwarding is disabled to ensure packet destination address matches interface address.
    • Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ > 1.
    • Ensured proper kernel stack alignment on mips64, fixing a panic on octeon related to pppoe(4).
    • Added rge(4), a new driver for Realtek 8125 PCI Express 2.5Gb ethernet devices.
    • Repaired the “set delay” option for pf(4) to function as specified in pf.conf(5).
    • Prevented non-root users from using ioctl(2) to alter the address of a network interface.
    • Prevented non-root users from setting the parameters of pppoe(4) interfaces.
    • Removed mobileip(4).
    • Stopped checking whether the IPv6 source address of a neighbor advertisement is from a neighbor’s address, not required in accordance with RFC 4861.
  • Installer improvements:
  • Security improvements:
    • unveil(2) is now used in 82 userland programs to redact filesystem access.
    • Used unveil(2) to reduce filesystem access in vmstat(8), iostat(8) and systat(1).
    • Extracted dig(1), host(1) and nslookup(1) from the bind(8) source code and cleaned up the source code by removing not needed features and auditing it. The kernel API accessible to these programs is now restricted through pledge(2).
    • System calls may now only be performed from selected code regions: the main program, ld.so(1), libc.so and the signal trampoline. A new system call msyscall(2) indicates the libc range, and activates the locking. This change hardens against some attack methods.
    • Prevented stack trace saving from inspecting untrusted data on amd64, arm64 and i386.
    • Used lfence in place of stac/clac on pre-SMAP CPUs to protect against Load-Value-Injection attacks against the kernel.
    • Prevented a panic due to missing sysctl(2) input validation.
    • Injected failure to fetch entropy with an rdrand() timeout as an entropic event, along with an additional rdtsc measuring the vmexit latency.
    • Enforced that ksh(1) TMOUT is an integer literal to prevent command execution from the environment at shell initialization time.
    • Ensured the first 2MB page of the amd64 kernel is correctly mapped read-only in the direct map.
    • Addressed an armv7/arm64 speculative execution issue by changing the system call ABI to skip two instructions and inserting a barrier after each system call.
    • Fixed arm64 speculative execution of instructions after ERET, which had led to spectre-like effects on some processors.
    • Tightened permissions for USB device nodes.
    • Ensured that ld.so(1) removed the LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions.
    • Added support for RSA-PSS to crypto(3).
    • Added retguard for octeon/mips64.
    • The following security bugs were addressed:
      • Reset the login class each time through the loop when using -L (loop) mode with su(1). Fixes CVE-2019-19519.
      • Fixed insufficient username validation performed by libc’s authentication privilege separation layer and added additional validation points, further validating in login(1) and su(1).
      • Prevented escalation to the auth group in xlock(1) through path-related environment variables and disabled mesa and opengl functionality.
  • Routing daemons and other userland network improvements:
    • Add initial support for JSON output in bgpctl(8).
    • Allow setting both IPv4 and IPv6 local-addresses at the same time in bgpd.conf(5) group blocks. Introduced no local-address to reset a previously set local address.
    • Properly aggregate duplicate bgpd(8) roa table prefix/source-as combinations into a single entry with the longest maxlen length.
    • Implemented bgpd.conf(5) max-prefix NUM out to limit the number of announced prefixes, avoiding leaks of full tables to upstreams and peers.
    • Extended bgpctl(8) show neighbor to include the received and set prefix count, as well as the max-prefix out limit if set.
    • Improved reporting of notifications to include the suberror cause.
    • Also report the last received error cause in bgpctl(8) show
      neighbor
      output.
    • Fix softreconfig out handling to also work for neighbors using export default-route.
    • Mark stale prefixes in the Adj-RIB-Out so that graceful reload operates properly.
    • Allowed configuration of the ospfd(8) interface setting “type p2p” to be configured globally or per area.
    • Added point-to-point ospf6d(8) support for broadcast interfaces.
    • Validated authentication lengths in ripd(8) before use to prevent crashes.
    • Fixed empty response packages sent out by ripd(8) when entries are skipped due to split-horizon simple.
    • Reduced temporary address valid lifetime to 2 days in slaacd(8).
    • Made slaacd(8) honor the rdomain in which it runs when configuring the default route.
    • Withdrew all proposals on slaacd(8) startup to prevent indefinite retention of nameservers on interfaces no longer flagged for autoconf.
    • Modified ldpd(8) to lookup the adjacency by LSR id as well as source IP address, as the remote peer may change its LSR id.
    • Added support for printing RFC 2332 NBMA Next Hop Resolution Protocol (NHRP) to tcpdump(8).
    • Added tcpdump(8) support for printing RFC 8300 Network Service Header (NSH).
    • Added tcpdump(8) support for VXLAN-GPE.
    • Fixed a tcpdump(8) crash when printing the contents of a malformed packet where the packet length was smaller than the size of the usbpcap header.
    • Rewrote dhcpv6 parsing in tcpdump(8) to match the RFC, correctly handling dhcpv6 messages.
    • Accept netmask for IPv6 in ifconfig(8) instead of ignoring it and using only the prefixlen argument.
    • Fixed snmp(1) agent address parsing to allow IPv6 addresses to be used based on format, allow those without brackets to skip the port if it results in a nonsensical address (allowing use of ::1), and try to connect to the address immediately.
    • Implemented a df subcommand for snmp(1) which outputs disk and memory information in a df(1) format.
    • Implemented a -Cs option in snmp(1) for snmp walk and bulkwalk, allowing subsections of a tree to be skipped.
    • Introduced option filter-pf-addresses to snmpd.conf(5), allowing the OPENBSD-PF-MIB::pfTblAddrTable tree to be filtered out when many prefixes are stored in pf tables, reducing CPU usage during bulk walks.
    • Added retries and timeouts for test packets to radiusctl(8).
    • Corrected http auth combined with proxy auth in ftp(1).
    • Corrected ftp(1) access to an https server with user/password through the “http_proxy” environment variable.
    • Prevented ftp(1) from following remote redirects to local files.
    • Implemented HTTP/1.1 in ftp(1).
    • Added new -N name option to ftp(1), allowing calling scripts to change the progname and produce better error messages.
    • Allowed pfctl(8) to recursively flush rules and tables.
    • In pf(4), ensured rdr-to with loopback destination will work even when IP forwarding is disabled.
    • Enabled rpki-client(8), a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system and outputs Validated ROA Payloads in the configuration format of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by other routing stacks.
    • Modified root’s crontab(1) to run rpki-client(8) and reload bgpd(8) configuration, enabling RPKI ROA filtering.
    • Stopped hardcoding the cache directory in rpki-client(8). Cache and output directory will use defaults for root users and must be specified by non-root users.
    • Made rpki-client(8) use the existing cache and not exit if rsync(1) exits non-zero.
    • Fixed rpki-client(8) -j option, which had not been producing any output.
    • Rewrote the time validity check for mtfs in rpki-client(8) to correctly account for the timezone.
    • Added rpki-client(8) output formats for the BIRD routing daemon and CSV.
    • For BIRD rpki-client(8) can generate three different output formats with the option -B: v1 with IPv4 and IPv6 routes, and v2.
  • unwind(8) improvements:
    • Implemented unwindctl(8) status memory to show cache memory usage.
    • Allowed forcing specific domains to be resolved by specific resolvers in unwind.conf(5), handling typical split-horizon setups.
    • Measured performance of resolving strategies in unwind(8), sorting them and choosing the next best strategy when one fails. Performance data decays over time.
    • Switched captive portal detection from HTTP probing to DNS probing in unwind(8).
    • Implemented DNS proposals in unwind(8) to learn nameservers from network autoconfiguration daemons.
    • Added opportunistic DoT support to unwind(8).
    • Added an ASR resolver type to unwind(8), using the libc asynchronous resolver directly with DHCP-provided nameservers to work around broken middle boxes.
  • ipsec(4) improvements and bugfixes:
    • Added support for automatically moving traffic between rdomains on ipsec(4) encryption or decryption, reducing the attack surface for network sidechannel attacks.
    • Added iked(8) support for switching rdomain on ipsec(4) encryption/decryption, configurable per policy with the new ‘rdomain’ option in iked.conf(5).
    • Changed the default ipsec level set by iked(8) and isakmpd(8) to IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming ipsec flows are no longer accepted by default.
    • Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to the default Diffie-Hellman group configuration for IKE SAs in iked(8).
    • Removed support for the insecure EC2N Diffie-Hellman groups in iked(8).
    • Changed the default authentication method in iked(8) to generic signature authentication (RFC 7427).
    • Added ESN configuration options for ikesa in iked.conf(5).
    • Added transport mode for child SAs to iked(8).
    • Added active probing for lost connection in iked(8) resulting in a faster connection reset.
    • Added a -p command line option to iked(8) allow configuration of a non-standard UDP encapsulation port.
    • Added support for multiple x509 extensions and multiple subjectAltName fields in certificates used with iked(8).
    • Added support for certificates with uppercase subjectAltNames in iked(8).
    • Removed automatically installed ipsec(4) flow blocking unencrypted IPv6 traffic in iked(8).
    • Reduced size of IKE_AUTH message by eliminating duplicate traffic selectors in iked(8).
    • Added an ikectl(8) “show sa” command to print information about the state of negotiated IKE SAs, their child SAs and the resulting IPsec flows.
    • Added an ikectl(8) “reset id” command to reset all SAs from policies with matching destination IDs.
    • Added support for UDP encapsulation in manual SAs set up with ipsec.conf(5).
    • Fixed an iked(8) bug that lead to connection loss after simultaneous rekeying.
    • Fixed an iked(8) public key leak in the CA process for ASN-DN IDs.
    • Fixed a bug that lead to a lost EAP ID after rekeying in iked(8).
    • Fixed EAP user database corruption resulting from use of the ikectl(8) reload command.
    • Corrected iked(8) calculation of IPv6 address leases from small address pools.
    • Fixed several bugs that could lead to iked(8) selecting a false policy for incoming requests, resulting in a failed handshake.
    • Fixed a bug that broke PSK authentication against Strongswan.
    • Enabled UDP-encapsulation in Child SAs if iked(8) was started with -t.
    • Fixed isakmpd(8) IKE pcap file creation.
  • tmux(1) improvements and bug fixes:
    • Indicated the marked pane in tmux(1) choose mode in reverse, and added keys to set (m) and clear it (M), and to jump to the starting pane (H).
    • Allowed tmux(1) main-pane-width and height to be specified as percentages.
    • Added a -f filter argument to the tmux(1) list commands like choose-tree.
    • Added an -s flag to tmux(1) copy-mode to specify a different pane for the source content.
    • Added a -T flag to tmux(1) resize-pane to trim lines below the cursor.
    • Added support for tmux(1) overlay popup boxes, created with the display-popup command.
    • Added a tmux(1) -d flag to run-shell to wait for delay before running the command (or delay with no command).
    • Added a tmux(1) copy-mode -H flag to hide the position marker in the top right.
    • Added tmux(1) C-g to cancel command prompt with vi(1) keys as well as emacs, and q in command mode.
    • Modified tmux(1) -S server socket to be created with umask 177 rather than 117.
    • Introduced a tmux(1) selection_active format for when the selection is present but not moving with the cursor.
    • Added -a to the list-keys command in tmux(1) to also list keys without notes with -N.
    • Added tmux(1) support for adding a note to a key binding with bind-key -N and using this to add descriptions to the default key binding. Using list-keys -N shows key bindings with notes. Changed the default ? binding to show a readable summary of keys.
    • Added -Z to the default tmux(1) switch-client command in tree mode.
    • Prevented read-only tmux(1) clients from limiting the size of other clients.
    • Added support for regex searches in tmux(1) copy mode.
    • Modified tmux(1) source-file to allow reading from stdin.
    • Added a tmux(1) p format modifier for padding to width.
    • Added -f for full size to join-pane in tmux(1).
    • Changed tmux(1) new-session -A to attach to the best existing session when a session name is not specified, rather than creating a new session.
    • Added an option to tmux(1) to set the key sent by backspace for systems using ^H.
    • Added -F flag to tmux(1) send-keys to expand formats in search-backward and forward copy mode commands.
    • Added support for percentage sizes to tmux(1) resize-pane (“-x 10%”) and changed split-window and join-pane -l to accept similar percentages, deprecating the -p option.
  • VMM/VMD improvements
    • Added vmm(4) IOCTL handler to set the access protections of the ept.
    • Added a check in vmm(4) for pvclock(4) struct crossing of page boundaries, which could potentially corrupt host memory.
    • Tightened rdmsr on svm in vmm(4).
    • Fixed an issue where a vmm(4) guest could write to host memory by passing bogus addresses in pvclock(4).
    • Run cu(1) in restricted mode using -r in vmctl(8) and ldomctl(8).
    • Started virtual machines defined in vm.conf(5) in a staggered fashion, helping prevent overload of the host and improper tsc calibration in guests.
    • Provided proper concurrency control when pausing a vm in vmd(8).
    • Fixed a panic when tearing down vms with vmm(4).
  • ldom/sparc64 virtualization improvements
    • Added support for devaliases for vnet in ldom.conf(5).
    • Implemented ldomctl(8) “panic -c” to panic a guest domain (and enter ddb(4)).
    • Implemented “start -c” in ldomctl(8) to automatically connect to the console.
    • Introduced a -n option to ldomctl(8) to validate the configuration file and exit.
    • Added a create-vdisk command to ldomctl(8) analogous to amd64’s vmctl(8) create.
    • Added the “console” command to ldomctl(8) which executes cu(1) on the domain’s console.
    • Printed guest domain vcctty(4) devices in status output in ldomctl(8).
    • Added list-io command to ldomctl(8), listing the available PCIe devices to be used with the iodevice parameter in ldom.conf(5).
  • OpenSMTPD 6.7.0
    • New Features
      • Allowed use of the smtpd(8) session username in built-in filters when available.
      • Introduced a bypass keyword to smtpd(8) so that built-in filters can bypass processing when a condition is met.
      • Allowed use of ‘auth’ as an origin in smtpd.conf(5).
      • Allowed use of mail-from and rctp-to as for and from parameters in smtpd.conf(5).
    • Bug fixes
      • Ensured legacy ssl(8) session ID is persistent during a client TLS session, fixing an issue using TLSv1.3 with smtp.mail.yahoo.com.
      • Fixed security vulnerabilities in smtpd(8). Corrected an out-of-bounds read in smtpd allowing an attacker to inject arbitrary commands into the envelope file to be executed as root, and ensured privilege revocation in smtpctl(8) to prevent arbitrary commands from being run with the _smtpq group.
      • Allowed mail.local(8) to be run as non-root, opening a pipe to lockspool(1) for file locking.
      • Fixed a security vulnerability in smtpd(8) which could lead to a privilege escalation on mbox deliveries and unprivileged code execution on lmtp deliveries.
      • Added support for CIDR in a: spf atoms in smtpd(8).
      • Fixed a possible crash in smtpd(8) when combining “from rdns” with nested virtual aliases under a particular configuration.
    • Experimental Features
      • Introduced smtp-out event reporting.
      • Improved filtering protocol.
  • LibreSSL 3.1.1
    • New Features
      • Completed initial TLS 1.3 implementation with a completely new state machine and record layer. TLS 1.3 is now enabled by default for the client side, with the server side to be enabled in a future release. Note that the OpenSSL TLS 1.3 API is not yet visible/available.
      • Improved cipher suite handling to automatically include TLSv1.3 cipher suites when they are not explicitly referred to in the cipher string.
      • Provided TLSv1.3 cipher suite aliases to match the names used in RFC 8446.
      • Added cms subcommand to openssl(1).
      • Added -addext option to openssl(1) req subcommand.
      • Added -groups option to openssl(1) s_server subcommand.
      • Added TLSv1.3 extension types to openssl(1) -tlsextdebug.
    • API and Documentation Enhancements
      • Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
      • Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL 1.1.1 and enabled by default.
    • Compatibility Changes
      • Improved compatibility by backporting functionality and documentation from OpenSSL 1.1.1.
      • Adjusted EVP_chacha20()’s behavior to match OpenSSL’s semantics.
    • Testing and Proactive Security
      • Added many new additional crypto test vectors.
      • Fix to disallow setting the AES-GCM IV length to zero.
    • Internal Improvements
      • Many more code cleanups, fixes, and improvements to memory handling and protocol parsing.
    • Portable Improvements
      • Default CA bundle location is now configurable in portable builds.
      • Improved portable builds to support for use of static MSVC runtimes.
      • Fixed portable builds to avoid exporting a sleep() symbol.
    • Bug Fixes
      • Fixed printing the serialNumber with X509_print_ex() fall back to the colon separated hex bytes in case greater than int value.
  • OpenSSH 8.3
    • Potentially incompatible changes.
      • sftp(1): reject an argument of “-1” in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it.
      • Removed ssh-rsa (SHA1) from the list of allowed CA signature algorithms.
      • Removed diffie-hellman-group14-sha1 from the default ssh(1) key exchange.
      • ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag.
      • sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups.
      • ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). It needs to be installed in the expected path under /usr/libexec.
    • New Features
      • Allowed use of the IgnoreRhosts directive anywhere in an sshd_config(5) file, not just before Match blocks, and made it a tri-state option.
      • Added TOKEN percent expansion (i.e. userid, hostnames etc.) to ssh(1) LocalForward and RemoteForward when used for Unix domain socket forwarding.
      • all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present.
      • Gave ssh-keygen(1) the ability to dump the contents of a binary key revocation list with ssh-keygen -lQf /path.
      • Added ssh(1) -Q key-sig option for all key and signature types, teaching ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as an alias for the corresponding query.
      • Updated to libfido2 780ad3c25.
      • Added an sshd_config(5) “Include” directive to allow inclusion of files.
      • Renamed ssh-add(1) -O to -K to load resident keys from a FIDO authenticator.
      • Added the ability to download FIDO2 resident keys from a token via the ssh-keygen(1) -K option and save public/private keys into the current directory.
      • Implemented support for generating FIDO2 resident keys. “ssh-add -O” will load resident keys from a FIDO2 token and add them to an ssh-agent. Removed the -x option currently used for the FIDO/U2F-specific key flags, now under -O.
      • Removed single letter flags for moduli generation in ssh-keygen(1) and moved all moduli generation options to under the -O flag. Breaks existing ssh-keygen commandline syntax for moduli-related operations.
      • Allowed forwarding of a different agent socket to a specified path in ssh(1).
      • Allowed ssh(1) security keys to act as host keys as well as user keys.
      • Used ssh-sk-helper for all security key signing operations and security key enrollment. Most ssh(1) tools no longer need to link against libfido2 or interact with /dev/uhid* directly.
      • Added “no-touch-required” options to ssh-keygen(1) and sshd(8) to disable touch requirement for authorized_keys and certificates.
      • Added an sshd_config(5) PubkeyAuthOptions directive allowing specification of whether sshd(8) should check whether user presence was tested before a security key was made.
      • Added direct support for U2F/FIDO2 security keys in ssh(1).
      • Added initial infrastructure for U2F/FIDO support in ssh(1).
      • Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be tapped/touched in order to perform a signature operation.
      • Enabled ed25519 support in ssh(1).
    • Bugfixes
      • Detected and prevented simple ssh(1) configuration loops when using ProxyJump.
      • Fixed PIN entry bugs on FIDO in ssh-keygen(1).
      • Fixed ssh-keygen(1) not displaying the authenticator touch prompt.
      • Prevented a timeout in ssh(1) when the server doesn’t immediately send a banner, such as with multiplexers like sslh.
      • Adjusted on-wire signature encoding for ecdsh-sk ssh(1) keys to better match ec25519-sk keys.
      • Fixed a potential NULL dereference for revoked hostkeys in ssh(1).
      • ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider
      • ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key.
      • scp(2): when performing remote-to-remote copies using “scp -3”, start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic ordering of prompts.
      • ssh(1): fix incorrect error message for “too many known hosts files.”
      • ssh(1): make failures when establishing “Tunnel” forwarding terminate the connection when ExitOnForwardFailure is enabled
      • ssh-keygen(1): fix printing of fingerprints on private keys and add a regression test for same.
      • sshd(8): document order of checking AuthorizedKeysFile (first) and AuthorizedKeysCommand (subsequently, if the file doesn’t match)
      • sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not considered for HostbasedAuthentication when the target user is root
      • ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key parsing (oss-fuzz #20074).
      • ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted in various configuration options.
      • ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11 C_Login failure cases
      • ssh(1), sshd(8): make error messages for problems during SSH banner exchange consistent with other SSH transport-layer error messages and ensure they include the relevant IP addresses
      • various: fix a number of spelling errors in comments and debug/error messages
      • ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a token, don’t prompt for a PIN until the token has told us that it needs one. Avoids double-prompting on devices that implement on-device authentication.
      • sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option.
      • ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty.
      • ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values
  • Mandoc 1.14.6
    • Introduced a new mdoc(7) macro .Tg (“tag”) to explicitly mark a place as defining a term, and improved automatic tagging in various ways.
    • Print the manpath when the man(1) -w option is given without an argument, for compatibility with the man-1.6 and man-db implementations.
    • Deleted support for the _whatdb configuration directive from man.conf(5) five years after it was declared obsolete; use manpath instead.
    • Added a Content-Security-Policy HTTP header to man.cgi(8) that allows only CSS.
    • Provide a STYLE message when mandoc(1) knows the filename and the extension disagrees with the section number given in the .Dt or .TH macro.
    • When the mdoc(7) .Dd macro lacks an argument, use the empty string, and always concatenate all arguments, no matter their number. The same change was applied to groff.
  • Ports and packages:The package system provides an easy way to install 3rd party software. New features include:
    • Provide debug package information that can be installed alongside packages and used to provide better bug reports.
    • Added DEBUG_PKG_CACHE functionality to pkg_add(1), fetching debug patches when packages are installed.
    • Added a -d option to pkg_add(1) to add debug packages if present alongside intended updates or additions.
    • Added support for “alpha” suffixes in packages-specs(7), removing the need for workarounds in certain ports distfiles.

    Many pre-built packages for each architecture:

    • aarch64: 10848
    • amd64: 11268
    • arm: 8596
    • i386: 10715
    • mips64: 9281
    • mips64el: XXXX
    • powerpc: 9890
    • sparc64: 9850
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
    • Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches, freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 351, xkeyboard-config 2.20 and more)
    • LLVM/Clang 8.0.1 (+ patches)
    • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    • Perl 5.30.2 (+ patches)
    • NSD 4.2.4
    • Unbound 1.10.0
    • Ncurses 5.7
    • Binutils 2.17 (+ patches)
    • Gdb 6.3 (+ patches)
    • Awk Dec 20, 2012 version
    • Expat 2.2.8

Risorse

La distribuzione può essere scaricata da:

Il sito web della dstribuzione è: http://www.openbsd.org/

Screenshot

OpenBSD 5.3

OpenBSD 5.3

Conclusioni

Si può aggiornare dalla versione precedente.

Subscribe

Subscribe to our e-mail newsletter to receive updates.

No comments yet.

Leave a Reply