Sunday, May 2, 2004

OpenBSD 3.5 released

As always, there are new features, improved security and various fixes. As well as more hardware support, as with any new OpenBSD release.

As included in the announce email, here is some of what is new / changed:

* New ptm device (see pty(4)) that allows non-privileged processes to
allocate a properly-permissioned pty. As a result any process can
now open a pty easily, meaning xterm(1) and xconsole(1) are no longer
setuid root. (In 3.4 they were setuid root, but privilege revoking).

* malloc(3) chunk randomization and guard pages. This helps to detect
out-of-bounds reads and writes.

* Privilege separation added to allow complex operations to occur in an
untrusted, unprivileged process, resulting in much greater security
for the following processes:
- isakmpd(8)
- named(8) (Previously privilege revoking, but this had a small breakage).
- pflogd(8)
- tcpdump(8)

* Many improvements and bug fixes in the ProPolice stack protector.
Several other code generation bugs for RISC architectures were also
found and fixed.

* Major improvements in the pf packet filter, including:

* Atomic commits of ruleset changes (reduce the chance of ending up in
in an inconsistent state).

* A 30% reduction in the size of state table entries.

* Source-tracking (limit number of clients and states per client).

* Sticky-address (the flexibility of round-robin with the benefits
of source-hash).

* Invert the socket match order when redirecting to localhost (prevents
the potential security problem of remote connections being identified
as local).

* Significant improvements to interface handling.

* New tools for filtering gateway failover:

* CARP (the Common Address Redundancy Protocol) carp(4) allows
multiple machines to share responsibility for a given IP address
or addresses. If the owner of the address fails, another member
of the group will take over for it. A discussion of the history
of CARP can be found here.

* Additions to the pfsync(4) interface allow it to synchronise
state table entries between two or more firewalls which are
operating in parallel, allowing stateful connections to cross
any of the firewalls regardless of where the state was initially

* Performance improvements:

* Improved connection/socket lookup - about 100 times faster at
10000 sockets than 3.4.

* TCP SYN cache. Greatly reduces the memory cost of half-open TCP

* Implemented TCP adjustments recommended by RFC3390, controllable
via sysctl.

* OpenSSL speedup on i386, up to 100% improvement for md5, sha1,
blowfish, des, 3des, rsa, dsa and bn.

* OpenSSL now directly uses the new AES instructions some VIA C3
processors provide, increasing AES to 780MBytes/second (so you get to
see a fan-less cpu performing AES more than 10x faster than the
fastest cpu currently sold).

* Directory hashing makes lookups in large directories much faster.

* New features and significant bug-fixes included with 3.5

* Replacement of the GNU bc(1), dc(1), nm(1) and size(1) commands
with BSD licensed equivalents.

* pty(4) devices are now allocated on demand, up to a configurable limit.

* The closefrom(2) system call has been added.

* TCP MD5 signatures (used by nc(1) and bgpd(8)).

* Network boot support for i386 and amd64, using pxeboot(8).

* The i386 8GB boot loader limitation has been removed.

* spamd(8) gains greylisting support. This allows greylisting (a very
powerful spam reduction technique) to be done on a firewall for many
mail hosts, no matter what MTA is being used.

* Interface 'cloning', accessed by ifconfig(8) commands create and destroy.
E.g. `ifconfig vlan100 create'.

* ifconfig(8) can now be used with a generic interface name, for listing
all such configured interfaces. E.g. `ifconfig carp'.

* The MAKEDEV(8) manual pages are now generated, and hence, accurate.

* Complete rewrite of package tools in perl.

* syslogd(8) now supports logging to memory buffers, to be read using
syslogc(8). This is useful for diskless or flash-based computers.

* IPsec ESP in UDP encapsulation.

* authpf(8) now tags traffic in pflog(4) so that users may be associated
with traffic through a NAT setup.

* XFS has been added to the GENERIC kernels so that afsd(8) may be started
easily, eliminating the need to recompile the kernel to use AFS.

* AFS can now be used anonymously by enabling it in rc.conf(8) with no
further configuration.

* The ps, top and w utilities no longer break when changes are made in
kernel structures.

* A poll interface has been added to the rpc routines in the standard C
library. Use of poll over select can result in better performance for
programs with a large number of open file descriptors.

* dhclient(8) now detects when the interface it configured is modified and
gracefully exits. e.g. repeatedly running it against the same
interface leaves only the last instance active.

* New tools:
- sensorsd(8), monitoring hardware sensors.
- procmap(1), to examine a process' memory map.
- bgpd(8), implementing the BGP-4 routing protocol.
- pkill(1) and pgrep(1), finding or signalling processes by name.

* OpenSSH 3.8.1.

* Many, many man page improvements.

* The "ports" tree is greatly improved (

* The 3.5 CD-ROMs ship with many pre-built packages for the common
architectures. The FTP site contains hundreds more packages
(for the important architectures) which we could not fit onto
the CD-ROMs (or which had prohibitive licenses).

* The system includes the following major components from outside suppliers:

* XFree86 4.pre4.0 (+ patches).
* gcc 2.95.3 (+ patches and ProPolice)
* gcc 3.3.2 (+ patches and ProPolice) on sparc64, amd64, and cats
* Perl 5.8.2 (+ patches).
* Apache 1.3.29 and mod_ssl 2.8.16, DSO support (+ patches).
* OpenSSL 0.9.7c (+ patches).
* Groff 1.15.
* Sendmail 8.12.11.
* Bind 9.2.3 (+ patches).
* Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
* Sudo 1.6.7p5.
* Ncurses 5.2.
* Latest KAME IPv6.
* Heimdal 0.6rc1 (+ patches).
* Arla-current.

To see a full list of changes between 3.4 & 3.5 go here.

Post ID: 363, posted by jase at 04:08 PM
Permalink | TrackBack ID: 337, (6) | Category: BSD | Google Search
Post a comment

Thanks for signing in, . Now you can comment. (sign out)

(If you haven't left a comment here before, you may need to be approved before your comment will appear.)

Remember me?

Valve Media Ltd
Search Engine Compliance