===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/33.html,v
retrieving revision 1.21
retrieving revision 1.22
diff -c -r1.21 -r1.22
*** www/33.html 2003/03/27 23:29:02 1.21
--- www/33.html 2003/03/29 03:12:50 1.22
***************
*** 75,96 ****
Integration of the
ProPolice
stack protection technology into the system compiler. This protection is
! enabled by default.
!
W^X (pronounced: "W xor X") binaries on architectures capable of
pure execute-bit support in the MMU (sparc, sparc64, alpha,
hppa). This is a fine-grained memory permissions layout, ensuring that
memory which can be written to by application programs can not be
! executable at the same time and vice versa. This raises the bar on
! potential buffer overflows and other attacks.
Still more reduction in setuid and setgid binaries, and more chroot
! use throughout the system.
!
The X window system uses privilege separation, for better security.
As usual, improvements to the documentation, notably the man pages and
--- 75,111 ----
Integration of the
ProPolice
stack protection technology into the system compiler. This protection is
! enabled by default. With this change, function prologues are modified
! to rearrange the stack: a random canary is placed before the return
! address, and buffer variables are moved closer to the canary so that
! regular variables are below, and harder to smash. The function
! epilogue then checks if the canary is still intact. If it is not,
! the process is terminated. This change makes it very hard for an
! attacker to modify the return address used when returning from a
! function.
!
W^X (pronounced: "W xor X") on architectures capable of
pure execute-bit support in the MMU (sparc, sparc64, alpha,
hppa). This is a fine-grained memory permissions layout, ensuring that
memory which can be written to by application programs can not be
! executable at the same time and vice versa. This raises the bar on
! potential buffer overflows and other attacks: as a result, an attacker
! is unable to write code anywhere in memory where it can be executed.
! (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.4 will
! make this change on those architectures as well).
Still more reduction in setuid and setgid binaries, and more chroot
! use throughout the system. While some programs are still setuid or
! setgid, almost all of them grab a resource and then quickly revoke
! privilege.
!
The X window server and xconsole now use privilege separation,
! for better security. Also, xterm has been modified to do privilege
! revocation. xdm runs as a special user and group, to further constrain
! what might go wrong.
As usual, improvements to the documentation, notably the man pages and
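Review bot: In the W^X item, the added clause "an attacker is unable to write code anywhere in memory where it can be executed" reads as an absolute guarantee, yet the same sentence says only that the change "raises the bar", and the NOTE that follows says i386 and powerpc are not covered in 3.3. Suggest scoping the clause to the listed architectures (sparc, sparc64, alpha, hppa) and to writable application memory, and moving the final period of the NOTE inside its closing parenthesis. In the ProPolice item, "placed before the return address" leaves the direction ambiguous next to "regular variables are below"; saying that the canary sits between the buffer variables and the return address would be clearer. "Very hard for an attacker to modify the return address" could also name the case the text describes, a buffer overflow that has to cross the canary.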
***************
*** 124,130 ****
Full CIDR support
Early checksum verification return on invalid packets
Performance boost: large rulesets load much faster now
! spamd, a spam deferral daemon, to whom smtp connections can be redirected to
--- 139,149 ----
Full CIDR support
Early checksum verification return on invalid packets
Performance boost: large rulesets load much faster now
! spamd,
! a spam deferral daemon, which SMTP connections can be redirected to.
! This daemon handles connections based on black lists and white lists,
! tar-pits the connections, and ensures that the spammer knows why their
! mail has not been accepted.
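Review bot: In the new spamd text, "tar-pits the connections" does not say which connections are meant, so coming straight after "based on black lists and white lists" it can be read as every redirected connection being tar-pitted, white-listed senders included. Suggest stating which list leads to the tar-pit and what happens to the others. Two style points in the same item: "which SMTP connections can be redirected to" reads better as "to which SMTP connections can be redirected", and the item now ends in full sentences with periods while the neighbouring entries ("Full CIDR support", "Early checksum verification return on invalid packets") are unpunctuated fragments.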
***************
*** 421,427 ****
alt="OpenBSD">
www@openbsd.org
! $OpenBSD: 33.html,v 1.21 2003/03/27 23:29:02 henning Exp $