*BSD News Article 89629


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!newsfeed.direct.ca!nntp.portal.ca!news.bc.net!info.ucla.edu!psgrain!news.rain.net!pacifier!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.unix.bsd.misc
Subject: OpenBSD changes since 2.0
Date: 17 Feb 1997 09:40:41 GMT
Organization: Theo Ports Kernels For Fun And Profit
Lines: 154
Distribution: world
Message-ID: <DERAADT.97Feb17024041@zeus.pacifier.com>
NNTP-Posting-Host: zeus.theos.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5486 comp.unix.bsd.misc:2550

I include below a list of the major changes that have happened since
OpenBSD was release in the autumn last year.

----------------------------------------
The NIST Posix test suite became free. As a result we have been correcting
	numerous problems in the source tree, and expect to be completely
	POSIX compliant very soon.
upgrade to CVS version 1.9.
A number of security fixes to the way coredumping works.
The /dev/*random devices are now default on all architectures.
Add stack tracebacks to Arc port's kernel debugger.
Skey revamped into full OTP (RFC1938) support, including sha1 and
	md5 support.
GPL i387 emulator added.
Crank kvm space on the i386 port, also limit buffer cache useage
	so that 512MB machines may work (untested :-)
Numerous fixes to the lpr suite, including security.
More ftpd raging paranoia security fixes.
The NIST suite showed numerous errors in libraries and the kernel. Only
	a few small errors remain now, mostly regarding serial ports.
In numerous utilities: prefer $LOGNAME, but also accept $USER.
OLF binary type added.  This is like ELF, but includes an OS-dependent
	tag. elf2olf(1) converts an elf binary to a tagged OLF binary which
	the kernel can recognize correctly.
Beware $HOME overflows throughout the source tree.
Integration of the pmax port.
Import of ctm.
Various repairs to the scsi scanner support.
Numerous more difficult-to-exploit-but-possible-if-someone-really-wanted-to
	buffer overflows found in system utilities..
Memory leak paranoia in cron.
Make login get more consistantly upset about failed logins, and tell user
	about these failures at the next successfull login.
pdksh version is now 5.2.11
New bsd.*.mk feature: DEBUG=-g.  Try it, you'll like it.
The Arc port family has a new member: The rPC44 works! 
lpt driver is now bus-independent.
com driver is now bus-independent.
Numerous small security fixes again...
Use pdksh as our /bin/sh.  This provides excellent POSIX compliance.
Prevent generic users from mounting filesystems by default.
Added -C option to pax/tar. Also made -z support compressed files too.
Increased compatibility in the pccons driver with BSDi features.
Imported FreeBSD's calendar.
GNU gdb works on the mips-based platforms.
Add FreeBSD md5 diffs to mtree(8).  This can be used to implement a
	tripwire-like system.
Some YP and bootparamd security changes.
Hundreds of little fixes all over the place.
Multiple updates for GNU software
Add disklabels to the floppy device drivers.
At boottime, have (*mountroot)() look at the root device's disklabel
	to determine which filesystem type is to be mounted.
If disklabel reading code discovers an ISOFS filesystem underlying,
	spoof a nice disklabel (enough to fool mountroot).
tcpdump 3.3
Fix information gathering attack in ping(8).
Add NetBSD's "route show" implementation, and at the samet time fix
	the new buffer overflows that this provided.
Fix a few setgroups() related security holes.
sendmail 8.8.4
texinfo 3.9
f77 0.5.19
Repair some more KerberosIV buffer overflows.  Hard to believe this is
	supposed to be security software.
Add XCASE/IUCLC/OLCUC/OCRNL/ONOCR/ONLRET tty subsystem flags for
	backwards compatibility.
Permit NFS attribute cache to be configured on a per-mount basis.
Properly split fsck, mount, and newfs into multiple pieces.  Use
	disklabel information if it is available.
Add disklabels to the vnd device driver.
Change the games to be run setgid games, not setuid games.  This closes
	a whole slew of fascinating security holes.
Import of the powerpc port.
Properly use _POSIX_SAVED_IDS throughout the source tree.
Permit building of kernels without a.out support.
ppp 2.3b3
libcrypt goes away. We do not need this stub library anymore. Do not link
	against it on OpenBSD, all the pieces you need are in libc.
new aucat command.
Fix a fairly nasty security hole in all of the games.
Support for the hp300 added.
Upgrade of awk(1), integration of BSD tsort(1), getopt fixes.
Sendmail upgraded to version 8.8.5.
Added lchown(2) for compatibility with SVR4 implementations.
New gnu cpio 2.4.2
Support lchown(2) in dump(8), cp(1), pax(1), cpio(1), chown(8), and
	restore(8).
No buffer lengths in fmt(1).
various adjtime() corrections inside the kernel.
Prevent stat() from disclosing inode generation numbers to non-root userland.
pax in tar mode will understand multiple -v options to generate ls-like output.
Repair many uses of the SIOCGIFCONF code for machines with an outrageous
	number of network interfaces.
More kerberosIV security patches.
A working fsirand.
Completely in-tree PowerPC port for non-Apple hardware.  This port requires
	nothing outside the in-tree development environment to build (except
	mkisofs for building distributions).
Some ypbind(8) tightening up, includes a method to specify a list of
	valid servers
Bug fixed that prevented bufpages/nbuf > 1 setups.  This allows large
	buffer caches even when available kvm space is low, like for i386
	& sparc.
Changed netinet IP_HDRINCL option to require ip_len and ip_off in network
	byte order. This is a compatibility/portability fix and we expect
	other BSD systems to eventually follow suit.
amd (the automounter) is now 64-bit and working on the alpha.
The Alpha port and all it's utilities now compiles
	using in-tree versions of all tools.  Yipee!
A SA_SIGINFO implementation for sigaction() and signal handlers.  This is a
	small part of POSIX 1003.1b and permits the signal handler to figure
	out the exact cause of a signal; such as fault address information
	for SIGSEGV or more detailed information for SIGFPE.
config.old(8) has been removed from the tree, as the hp300 port switches
	to config(8).
/sbin/dump -a saves you from needing to deal with finicky tape length
	options (from FreeBSD)
Added RFC-1812 ICMP unreachable codes to ip_icmp.h, traceroute, and ping.
Be more careful if some fool decides to enable source routing ;-)
Support for gzip'd kernels in some bootblocks.
New wgrisc port for Willowglen embedded r3081-based machine with ISA slots.
Add cdev and partition support to the ramdisk driver.
Merge new ftp(1) changes from NetBSD.
Change mktemp(3) and family to generate more random filenames, yet still
	as collision free as possible.
Have libc/rpc save you from yourself if you do enable source routing. 
The hp300 joins many other ports in supporting 16 disk partitions.
IPF 1.3.7 which includes fully working NAT support (ie. IP masquerading).
Use lots more XXXX characters in calls to the few remaining mktemp() calls
	in the source tree. This cuts out a whole class of races. 
Improved NFS filehandle creation.
Make dd(1) work fine with our 64-bit off_t types, now you can copy very
	large disks using it.
add RPC service name generation to netstat -a
Fix pax & tar to be POSIX compliant.
Fix a few netinet kernel crash problems.
Fix so that stack limits which are not a multiple of the pagesize work.
fix some more memory and file descriptor leaks in libc/rpc
New scalable BLOWFISH-based crypt algorithm for passwd file entries. It
	uses a very large strong-random `salt' and the number of rotor
	runs is configurable.  Hence if you have faster machines you can
	slow the crypt routine down and make harder keys.
Add support for /etc/passwd.conf which controls the format and strength
	of passwd entries for the next time a user changes their password.
	These options can be set per-user.
----------------------------------------

Work is continuing and we are expecting to make a new release in the
early summer.  It's not clear yet but the new release might even ship
with IPsec.
--
This space not left unintentionally unblank.		deraadt@theos.com
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.