I've just received the announcement email from Theo. It has been released slightly early, to try and spread out some of the load during the weekend. Take a look at what is new & improved in this release, as per the release announcement.
We are pleased to announce the official release of OpenBSD 3.6. This is our 16th release on CD-ROM (and 17th via FTP). We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.6 provides significant improvements, including new features, in nearly all areas of the system:
- New platform:
Expanding the mvme88k porting effort by supporting Omron's line of 88100-based workstations.
- SMP support on OpenBSD/i386 and OpenBSD/amd64 platforms.
- New functionality:
* A cleaned up DHCP server and client implementation, now featuring privilege separation and safe defaults.
* A new NTP daemon written from scratch, which ought to fit the needs of most NTP users.
* pfctl(8) now provides a rules optimizer to help improve filtering speed.
* pf(4) now supports nested anchors.
* tcpdrop(8), a command to drop TCP connections.
* The NMBCLUSTERS option has been eliminated, replaced by a sysctl with higher default values on many platforms.
* Added support for cksum (three flavours), md4, sha256, sha384 & sha512 to the md5(1) command.
* Memory file systems created by the mount_mfs(8) command now can be populated immediately after creation.
* New hotplugd(8) daemon and hotplug(4) device that watch for newly attached devices.
* isakmpd(8) now supports NAT-traversal and Dead Peer Detection.
* strtonum(3), a simple, robust and therefore safe function to convert strings to numbers, has been added.
* On the OpenBSD/sparc platform, StackGhost buffer overflow exploit protection has been added.
* A generic IEEE 802.11 framework has been added.
- Improved hardware support, including:
* Sangoma T1 and E1 cards (san(4)).
* Jumbo frames now work reliably on em(4), sk(4), and ti(4) adapters.
* USB 2.0 (ehci(4)) controllers.
* AIC79xx-based Ultra320 SCSI adapters, such as the Adaptec 29320 & 39320 (ahd(4)).
* The i386 and amd64 CD bootloader code no longer emulates a floppy which improves the chances of booting on newer machines.
* New re(4) driver for Realtek 8169/8169S/8110S PCI Ethernet adapters.
* New atw(4) driver for ADMtek ADM8211 802.11b wireless adapters.
* New axe(4) driver for ASIX Electronics AX88172 USB Ethernet adapters.
* New cdce(4) driver for Ethernet over USB bridges.
* New ichpcib(4) driver for Intel ICHx/ICHx-M LPC PCI-ISA bridges.
* New gscpcib(4) driver for National Semiconductor Geode SC1100 PCI-ISA bridges.
* New iic(4) driver for Inter-IC (I2C) master/slave buses.
* New lmtemp(4) driver for National Semiconductor LM75/LM77 temperature sensors.
* New gscsio(4) driver for National Semiconductor Geode SC1100 Super I/O chips.
* New gpio(4) driver and accompanying gpioctl(8) utility for supporting General Purpose Input/Output.
* New mediabay(4) macppc driver for the ATA33 HD controller over removable CD.
* hw.setperf sysctl hooks for PowerNow in AMD K6 and K7 processors.
- New functionality for bgpd(8), the Border Gateway Protocol Daemon:
* Kernel memory management improvements now allow the full global routing table to be kept in memory without customizing or tuning.
* Support for adding received prefixes to a pf(4) table.
* Support for IPsec, both manually keyed and using IKE.
* Support for setting BGP communities on incoming & outbound UPDATES.
* Support for NOPEER community (RFC3765).
* Partial support for RFC2858 Multiprotocol Capabilities, currently only IPv4-unicast is announced.
* Support for Route Reflection (RFC2796).
* Support for dynamic network announcements.
* Support for Route Refresh Capability (RFC2918).
- Improved NFS performance and reliability.
- Shared libraries and gcc 3.3.2 on the OpenBSD/hppa port.
- Privilege separation or revocation for the following programs:
* dhcrelay(8), dhclient(8), and dhcpd(8)
- Over 2700 ports, 2500 pre-built packages.
- Many improvements for security and reliability (look for the red print in the complete changelog).
- As usual, many improvements in manual pages and other documentation.
- OpenSSH 3.9:
* sshd(8) now re-executes itself on accepting a new connection. This security measure ensures that all execute-time randomizations are reapplied for each connection rather than once for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on architectures that support such things.
* Selected environment variables can now be passed between the client and the server.
* Session multiplexing: a single ssh connection can now carry multiple login/command/file transfer sessions.
- This release of OpenBSD includes the following major components from outside suppliers:
* XFree86 4.4.0 unencumbered (+ patches, and i386 contains 3.3.6 servers (+ patches) for chipsets not supported by 4.4).
* Gcc 2.95.3 (+ patches) and 3.3.2 (+ patches)
* Perl 5.8.5 (+ patches)
* Apache 1.3.29, mod_ssl 2.8.16, DSO support (+ patches)
* OpenSSL 0.9.7d (+ patches)
* Groff 1.15
* Sendmail 8.13.0, with libmilter
* Bind 9.2.3 (+ patches)
* Lynx 2.8.5rel.2 with HTTPS and IPv6 support (+ patches)
* Sudo 1.6.7p5
* Ncurses 5.2
* Latest KAME IPv6
* Heimdal 0.6rc1 (+ patches)
* Arla 0.35.7
* Binutils 2.14
* Gdb 6.1
If you'd like to see a list of what has changed between OpenBSD 3.5 and 3.6, look at
Even though the list is a summary of the most important changes made to OpenBSD, it still is a very, very long list.
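The strtonum(3) item in the list above is easiest to appreciate next to the idiom it replaces. The following is an added example, not part of the announcement or of OpenBSD's libc: a portable reimplementation of the documented strtonum interface (assumed here so it runs on any libc) used by a hypothetical parse_port() helper, with atoi(3) alongside for contrast.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable reimplementation of the strtonum(3) interface that OpenBSD 3.6
 * added (written for this example so it runs on any libc; not OpenBSD's own
 * code). On success *errstr is NULL; on failure it names the problem and 0
 * is returned, so a caller cannot silently consume a bad value. */
long long
strtonum_portable(const char *nptr, long long minval, long long maxval,
    const char **errstr)
{
	long long ll = 0;
	char *ep;
	const char *err = NULL;

	if (minval > maxval) {
		err = "invalid";
	} else {
		errno = 0;
		ll = strtoll(nptr, &ep, 10);
		if (ep == nptr || *ep != '\0')
			err = "invalid";	/* empty string or trailing junk */
		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
			err = "too small";
		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
			err = "too large";
	}
	if (errstr != NULL)
		*errstr = err;
	return err == NULL ? ll : 0;
}

/* Hypothetical daemon helper: the port, or -1 with *why set to the reason. */
int
parse_port(const char *s, const char **why)
{
	long long v = strtonum_portable(s, 1, 65535, why);
	return *why == NULL ? (int)v : -1;
}

int
main(void)
{
	/* atoi(3) is the idiom strtonum replaces: it reports nothing, so
	 * "80abc", "99999" and "" all come back looking like usable ports. */
	const char *inputs[] = { "8080", "80abc", "99999", "", "-1" }, *why;
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		int p = parse_port(inputs[i], &why);
		printf("%-6s atoi=%-6d strtonum=%d %s\n", inputs[i],
		    atoi(inputs[i]), p, why ? why : "ok");
	}
	return 0;
}
```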
As you can see, there is a list of new features and improvements as always as well as new releases of third party applications and of course all the new packages and ports available to download if you want them. There are quite a few things which have been added that I like & I'm sure there will be a lot of people that have been waiting for the SMP support. I'll be upgrading my OpenBSD systems shortly.
I don't use NTP at all, but for people that do this is another alternative. Of course it will stand up to the quality of development that we always see from the OpenBSD team. If you use NTP, go check it out. It can act as a server and client.
As always, there are new features, improved security and various fixes, as well as more hardware support, as with any new OpenBSD release.
As included in the announcement email, here is some of what is new / changed:
* New ptm device (see pty(4)) that allows non-privileged processes to allocate a properly-permissioned pty. As a result any process can now open a pty easily, meaning xterm(1) and xconsole(1) are no longer setuid root. (In 3.4 they were setuid root, but privilege revoking).
* malloc(3) chunk randomization and guard pages. This helps to detect out-of-bounds reads and writes.
* Privilege separation added to allow complex operations to occur in an untrusted, unprivileged process, resulting in much greater security for the following processes:
- named(8) (Previously privilege revoking, but this had a small breakage).
* Many improvements and bug fixes in the ProPolice stack protector. Several other code generation bugs for RISC architectures were also found and fixed.
* Major improvements in the pf packet filter, including:
* Atomic commits of ruleset changes (reduce the chance of ending up in an inconsistent state).
* A 30% reduction in the size of state table entries.
* Source-tracking (limit number of clients and states per client).
* Sticky-address (the flexibility of round-robin with the benefits
* Invert the socket match order when redirecting to localhost (prevents the potential security problem of remote connections being identified
* Significant improvements to interface handling.
* New tools for filtering gateway failover:
* CARP (the Common Address Redundancy Protocol) carp(4) allows multiple machines to share responsibility for a given IP address or addresses. If the owner of the address fails, another member of the group will take over for it. A discussion of the history of CARP can be found here.
* Additions to the pfsync(4) interface allow it to synchronise state table entries between two or more firewalls which are operating in parallel, allowing stateful connections to cross any of the firewalls regardless of where the state was initially
* Performance improvements:
* Improved connection/socket lookup - about 100 times faster at 10000 sockets than 3.4.
* TCP SYN cache. Greatly reduces the memory cost of half-open TCP
* Implemented TCP adjustments recommended by RFC3390, controllable
* OpenSSL speedup on i386, up to 100% improvement for md5, sha1, blowfish, des, 3des, rsa, dsa and bn.
* OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).
* Directory hashing makes lookups in large directories much faster.
* New features and significant bug-fixes included with 3.5
* Replacement of the GNU bc(1), dc(1), nm(1) and size(1) commands with BSD licensed equivalents.
* pty(4) devices are now allocated on demand, up to a configurable limit.
* The closefrom(2) system call has been added.
* TCP MD5 signatures (used by nc(1) and bgpd(8)).
* Network boot support for i386 and amd64, using pxeboot(8).
* The i386 8GB boot loader limitation has been removed.
* spamd(8) gains greylisting support. This allows greylisting (a very powerful spam reduction technique) to be done on a firewall for many mail hosts, no matter what MTA is being used.
* Interface 'cloning', accessed by ifconfig(8) commands create and destroy. E.g. `ifconfig vlan100 create'.
* ifconfig(8) can now be used with a generic interface name, for listing all such configured interfaces. E.g. `ifconfig carp'.
* The MAKEDEV(8) manual pages are now generated, and hence, accurate.
* Complete rewrite of package tools in perl.
* syslogd(8) now supports logging to memory buffers, to be read using syslogc(8). This is useful for diskless or flash-based computers.
* IPsec ESP in UDP encapsulation.
* authpf(8) now tags traffic in pflog(4) so that users may be associated with traffic through a NAT setup.
* XFS has been added to the GENERIC kernels so that afsd(8) may be started easily, eliminating the need to recompile the kernel to use AFS.
* AFS can now be used anonymously by enabling it in rc.conf(8) with no
* The ps, top and w utilities no longer break when changes are made in
* A poll interface has been added to the rpc routines in the standard C library. Use of poll over select can result in better performance for programs with a large number of open file descriptors.
* dhclient(8) now detects when the interface it configured is modified and gracefully exits, e.g. repeatedly running it against the same interface leaves only the last instance active.
* New tools:
- sensorsd(8), monitoring hardware sensors.
- procmap(1), to examine a process' memory map.
- bgpd(8), implementing the BGP-4 routing protocol.
- pkill(1) and pgrep(1), finding or signalling processes by name.
* OpenSSH 3.8.1.
* Many, many man page improvements.
* The "ports" tree is greatly improved (http://www.OpenBSD.org/ports.html)
* The 3.5 CD-ROMs ship with many pre-built packages for the common architectures. The FTP site contains hundreds more packages (for the important architectures) which we could not fit onto the CD-ROMs (or which had prohibitive licenses).
* The system includes the following major components from outside suppliers:
* XFree86 4.pre4.0 (+ patches).
* gcc 2.95.3 (+ patches and ProPolice)
* gcc 3.3.2 (+ patches and ProPolice) on sparc64, amd64, and cats
* Perl 5.8.2 (+ patches).
* Apache 1.3.29 and mod_ssl 2.8.16, DSO support (+ patches).
* OpenSSL 0.9.7c (+ patches).
* Groff 1.15.
* Sendmail 8.12.11.
* Bind 9.2.3 (+ patches).
* Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
* Sudo 1.6.7p5.
* Ncurses 5.2.
* Latest KAME IPv6.
* Heimdal 0.6rc1 (+ patches).
To see a full list of changes between 3.4 & 3.5 go here.
The good news is that SMP won't be too long off in OpenBSD, hopefully coming in the 3.6 release. Theo de Raadt states that there is currently one developer working almost full time on this implementation but he would like some funding for another one to help.
All make your donations!
Following the other live CD distributions, the FreeSBIE project has released a live CD BSD version, based on FreeBSD. Looks promising, though I've yet to download it.
Also the people over at www.livecd.com are releasing live CD FreeBSD versions, with a DragonFly BSD release to come after. Live CD based OSes can be really handy and good when you want to check out a distribution without having to go through a full install.
Check them out!
NetBSD 1.6.2 has been released, which fixes many security issues and various other bugs in 1.6.1. From the release notes, here is a list of updates:
* With pciide(4), make Promise controllers do DMA with large disks requiring 48-bit LBA drives.
* Add error detection when running low on swap, to improve stability in low-memory situations.
* Support for more SiS and Intel controllers was added to pciide(4).
* Support for the new PowerBook G4 12-inch added.
* mlx(4) stability improved.
* A problem with the original Sun4c sparc systems (SS1, SS1& IPC) has been found and fixed.
* Sun3, Sun3x & Sun2 may now boot from tape files, through addition of seek support.
* The USERCONF option has been added to the i386 kernels.
* Hardware random number generator support for Intel 865 and 875P chipsets added.
* Fix wdc(4) to work with pre-ATA drives.
* General support for multi-function pcmcia cards has been fixed.
* Various fixes to linux emulation have been added.
* rtk(4) multicast problem fixed.
* fxp(4) supports yet a few more chip variants.
* tulip(4) driver fixed so that the DEC Alpha PWS no longer panics.
* Path MTU discovery black-hole detection has been added.
* bce(4) driver added for Broadcom BCM4401 chipset, as seen in recent Dell laptops.
* A race condition workaround in networking code has been added to avoid corruption.
* Various networking stack fixes for IPv4, IPv6 and IPSEC.
The following security issues have been fixed:
* NetBSD-SA2004-004 Insufficient packet validation in racoon IKE daemon
* NetBSD-SA2004-003 Inconsistent IPv6 path MTU discovery handling
* NetBSD-SA2004-002 OpenSSL 0.9.6 ASN.1 parser vulnerability
* NetBSD-SA2004-001 shmat reference counting bug
* NetBSD-SA2003-018 DNS negative cache poisoning
* NetBSD-SA2003-017 OpenSSL multiple vulnerability
* NetBSD-SA2003-016 Sendmail - another prescan() bug CAN-2003-0694
* NetBSD-SA2003-015 Remote and local vulnerabilities in XFree86 font libraries
* NetBSD-SA2003-014 Insufficient argument checking in sysctl(2)
* NetBSD-SA2003-012 Out of bounds memset(0) in sshd
* NetBSD-SA2003-011 off-by-one error in realpath(3)
* NetBSD-SA2003-010 remote panic in OSI networking code
System administration and user tools
* Possible crash in vi(1) triggered by an error was fixed.
* XFree86 upgraded to version 4.3.0 for those architectures which use XFree86 version 4.
* scsictl(8) now supports a few new commands.
* BIND has been upgraded to version 8.3.7.
* DHCP has been upgraded to version 3.0.1rc11 with various fixes.
* CVS has been upgraded to version 1.11.10.
There is more, but as you can see quite a lot of problems have been addressed, packages and applications have been upgraded, and there are lots of improvements. If you're running 1.6.1 or an older release, try out this new one.
After the recent release candidates that we have seen, FreeBSD 5.2.1-RELEASE is now available to download. With the bugs found in the release candidates fixed, this will be another great release and has plenty of updates and enhancements over previous releases.
Head on over to freebsd.org and download it!
A bug has been discovered that could allow someone to remotely crash a box running OpenBSD 3.4, but since this is an IPv6 related issue, you have to have access to the system via IPv6 to be able to cause the crash. Since most people won't be using IPv6 this is not an issue for most people, although the systems out there that are should be upgraded.
Since the release of 3.4, as yet there have not been many issues discovered, so once again this is a fine release. I've still got to get round to upgrading my machine at home from 3.3 to 3.4. I have another server which I've still got running on 3.0, so I will have to also get around to upgrading that at some point. Although, on the other hand - why upgrade when it works? Well, once the patches have been applied and the system is as current as it can get, it would still be worth upgrading for new features and stability. If the system runs fine and you don't need anything new added - it can be left for longer.
I've just noticed that v5.2.1 is available for download now. Since I'm running v5.2 on my other new box I can CVSUP to this version. I will do at some point anyway. Major points to note on this release are - bug fixes.
I'm sure there is some other stuff in there too, will have to check out the changelog. Go get it.
I've just installed FreeBSD 5.2 on my new Athlon box, which I built a few months ago but have not yet done anything with. I've been waiting for SATA support to appear in Linux distributions and anything else; now the 2.6.x kernel is out, we should see new releases shipping with this and of course SATA support as standard. Since it's a SATA only system I had to wait for support to appear, and the BSDs seem to have sorted this out earlier.
So far so good, just trying to get X set up as XFree86 doesn't support my Radeon 9600 card in the 4.3.0 release, so I'm sorting out the latest snapshot to solve that problem.
I think 4.9 supports the chipsets on the board like 5.2, so I might go for that instead. 5.2 seems okay so far, apart from the new technology in this box not being supported without updating some packages.
I think I'll be getting another drive soon and will install some form of Linux on that and make this a dual boot box. Or I might get my original Pentium box and put Linux on that - yet another option would be to put FreeBSD on that and Linux on the new Athlon box. I'll have to make my mind up.
In the meantime, it's time for more playing.
OpenBSD 3.4 was due for release today, November 1st, but it has been released a little earlier. There are some major changes and improvements along with 3.4, especially, as usual, with regard to security, which include:
* Privilege separation implemented for syslogd.
* ProPolice stack protection enabled in the Kernel.
* A static bounds checker added to the compiler to perform checks on functions which accept buffers & sizes.
* Unsafe string functions have been removed from the Kernel & userland utilities.
* Privilege separation implemented in the X server.
And a whole lot more. As for new features and support, well, hardware support has of course been improved, the man pages have been updated and improved, read-only support for NTFS file systems & more. Check here for the full list. Don't forget to also check the Errata & Security pages.
I'm running OpenBSD on two servers and have been using it since release 2.5. It's a nice stable OS with a strong view towards security, which is what I like. The only real way your sites are going to get defaced or the servers compromised and backdoored is if you misconfigure something very badly. Otherwise, you've not got to worry - as it's secure by default.
Time to upgrade shortly and experience all the new stuff!