Annotation of www/33.html, Revision 1.33
1.27 david 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
1.1 miod 2: <html>
3: <head>
4: <title>OpenBSD 3.3 Release</title>
5: <link rev=made href="mailto:www@openbsd.org">
6: <meta name="resource-type" content="document">
7: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
8: <meta name="description" content="OpenBSD 3.3">
9: <meta name="keywords" content="openbsd,main">
10: <meta name="distribution" content="global">
11: <meta name="copyright" content="This document copyright 2003 by OpenBSD.">
12: </head>
13:
14: <body bgcolor="#ffffff" text="#000000" link="#24248E">
15:
16: <a href="index.html">
17: <img alt="[OpenBSD]" height="30" width="141" hspace="24" src="images/smalltitle.gif" border="0"></a>
18: <hr>
19:
20: <p>
1.5 deraadt 21: <a href="images/Barbarian.gif">
22: <img align="left" width="255" height="343" hspace="24"
23: src="images/Barbarian.gif" alt="OpenBSD 3.3 logo"></a>
1.1 miod 24: <h2><font color="#0000e0">The OpenBSD 3.3 Release:</font></h2>
25: <p>
26:
27: Released May 1, 2003<br>
28: Copyright 1997-2003, Theo de Raadt.<br>
29: <font color="#e00000">ISBN 0-9731791-1-2</font>
1.32 deraadt 30: <br>
31: <a href="lyrics.html#33">3.3 Song: "Puff the Barbarian"</a>
1.1 miod 32: <p>
33:
34: <a href="#new">What's New</a><br>
35: <a href="#install">How to install</a><br>
36: <a href="#ports">How to use the ports tree</a><br>
37: <a href="orders.html">Ordering a CD set</a><br>
38:
39: <p>
40: <h3><font color="#0000e0">
41: To get the files for this release:
42: <ul>
43: <li>Order a CDROM from our <a href="orders.html">ordering system</a>.
44: <li>See the information on <a href="ftp.html">The FTP page</a> for
45: a list of mirror machines.
46: <li>Go to the <font color="#e00000">pub/OpenBSD/3.3/</font> directory on
47: one of the mirror sites.
48: <li>Briefly read the rest of this document.
1.31 david 49: <li>Have a look at <a href="errata33.html">The 3.3 Errata page</a> for a list
1.1 miod 50: of bugs and workarounds.
1.14 deraadt 51: <li>See a <a href="plus33.html">detailed log of changes</a> between the
1.1 miod 52: 3.2 and 3.3 releases.
53: </ul>
54: </font></h3>
55: <br clear=all>
56: <br>
57: <p>
58:
59: <strong>Note:</strong> All applicable copyrights and credits can be found
1.29 pb 60: in the applicable file sources found in the files src.tar.gz, sys.tar.gz,
1.1 miod 61: XF4.tar.gz, or in the files fetched via ports.tar.gz. The distribution
62: files used to build packages from the ports.tar.gz file are not included on
63: the CDROM because of lack of space.
64: <p>
65:
66: <a name="new"></a>
67: <hr>
68: <p>
69: <h3><font color="#0000e0">What's New</font></h3>
70: <p>
71: This is a partial list of new features and systems included in OpenBSD 3.3.
1.18 deraadt 72: For a comprehensive list, see the <a href="plus33.html">changelog</a> leading
1.1 miod 73: to 3.3.
74: <p>
75:
76: <ul>
77: <li>Integration of the
1.30 david 78: <a href="http://www.research.ibm.com/trl/projects/security/ssp/">ProPolice</a>
1.26 deraadt 79: stack protection technology, by Hiroaki Etoh, into the system
80: compiler. This protection is enabled by default. With this change,
81: function prologues are modified to rearrange the stack: a random
82: canary is placed before the return address, and buffer variables are
83: moved closer to the canary so that regular variables are below, and
84: harder to smash. The function epilogue then checks if the canary is
85: still intact. If it is not, the process is terminated. This change
86: makes it very hard for an attacker to modify the return address used
87: when returning from a function.
1.2 deraadt 88: <p>
1.1 miod 89:
1.22 deraadt 90: <li>W^X (pronounced: "W xor X") on architectures capable of
1.10 deraadt 91: pure execute-bit support in the MMU (sparc, sparc64, alpha,
92: hppa). This is a fine-grained memory permissions layout, ensuring that
93: memory which can be written to by application programs can not be
1.22 deraadt 94: executable at the same time and vice versa. This raises the bar on
95: potential buffer overflows and other attacks: as a result, an attacker
96: is unable to write code anywhere in memory where it can be executed.
1.26 deraadt 97: (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current
98: already supports it on i386, and both these processors are expected to
99: support this change in 3.4).
1.1 miod 100: <p>
101:
1.2 deraadt 102: <li>Still more reduction in setuid and setgid binaries, and more chroot
1.22 deraadt 103: use throughout the system. While some programs are still setuid or
104: setgid, almost all of them grab a resource and then quickly revoke
105: privilege.
1.1 miod 106: <p>
107:
1.22 deraadt 108: <li>The X window server and xconsole now use privilege separation,
109: for better security. Also, xterm has been modified to do privilege
110: revocation. xdm runs as a special user and group, to further constrain
111: what might go wrong.
1.1 miod 112: <p>
113:
114: <li>As usual, improvements to the documentation, notably the man pages and
1.7 jsyn 115: the Web FAQ. An increasingly large part of the website is available in several
1.1 miod 116: languages.
117: <p>
118:
119: <li>More complete collection and better tested set of "ports".
120: setuid/setgid ports have been significantly reduced as well. Many of the
121: ones that remain setuid have been modified to revoke privileges as early
122: as possible.
123: <p>
124:
125: <li>Over 2000 pre-built and tested packages.
126: <p>
127:
128: <li>Significant improvements to the pthread library.
129: <p>
130:
131: <li>An incredible amount of enhancements and stability improvements to
132: our packet filter, <a
133: href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf</a>,
1.8 henning 134: including:
1.1 miod 135: <ul>
1.17 deraadt 136: <li>Queue, a bandwidth management system (uses altq underneath)
137: <li>Anchors, allowing subrulesets which can be loaded and modified independently
138: <li>Tables, a very efficient way for large address lists in rules
139: <li>Address pools, redirect/NAT to multiple addresses and thus load balancing
140: <li>Configuration language has been made much more flexible
141: <li>TCP window scaling support
142: <li>Full CIDR support
143: <li>Early checksum verification return on invalid packets
144: <li>Performance boost: large rulesets load much faster now
1.22 deraadt 145: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=spamd">spamd</a>,
146: a spam deferral daemon, which SMTP connections can be redirected to.
147: This daemon handles connections based on black lists and white lists,
148: tar-pits the connections, and ensures that the spammer knows why their
149: mail has not been accepted.
1.1 miod 150: </ul>
1.11 jason 151:
152: <p>
153:
154: <li>Much improved <a href="sparc64.html">sparc64</a> support: support for
1.13 miod 155: more models and several major bugs eradicated.
1.8 henning 156:
1.1 miod 157: <p>
158:
159: <li>The system includes the following major components from outside suppliers:
160: <ul>
161: <li>XFree86 4.2.1 (and i386 contains 3.3.X servers also, thus providing support for all chipsets)
1.4 miod 162: <li>Gcc 2.95.3 (+ patches)
163: <li>Perl 5.8.0 (+ patches)
1.3 henning 164: <li>Apache 1.3.27, mod_ssl 2.8.12, DSO support (+ patches)
1.1 miod 165: <li>OpenSSL 0.9.7beta3 (+ patches)
1.4 miod 166: <li>Groff 1.15
1.24 miod 167: <li>Sendmail 8.12.9
1.4 miod 168: <li>Bind 9.2.2 (+ patches)
1.23 margarid 169: <li>Lynx 2.8.2rel.1 with HTTPS support added (+ patches)
1.4 miod 170: <li>Sudo 1.6.7
171: <li>Ncurses 5.2
1.1 miod 172: <li>Latest KAME IPv6
1.12 hin 173: <li>KTH Kerberos 1.1.1
1.1 miod 174: <li>Heimdal 0.4e (+ patches)
175: <li>OpenSSH 3.6
176: </ul>
177: <p>
178:
179: <li>Many improvements for security and reliability (look for the red
1.18 deraadt 180: print in the <a href="plus33.html">complete changelog</a>).
1.1 miod 181: <p>
1.11 jason 182: <li> and much more.
183:
1.1 miod 184: </ul>
185:
186: <a name="install"></a>
187: <hr>
188: <p>
189: <h3><font color="#0000e0">How to install</font></h3>
190: <p>
191: Following this are the instructions which you would have on a piece of
192: paper if you had purchased a CDROM set instead of doing an alternate
193: form of install. The instructions for doing an ftp (or other style
194: of) install are very similar; the CDROM instructions are left intact
195: so that you can see how much easier it would have been if you had
196: purchased a CDROM instead.
197: <p>
198:
199: <hr>
1.15 drahn 200: Please refer to the following files on the three CDROMs or ftp mirror for
201: extensive details on how to install OpenBSD 3.3 on your machine:
1.1 miod 202: <p>
203: <ul>
204: <li> CD1:3.3/i386/INSTALL.i386
205: <p>
206: <li> CD2:3.3/macppc/INSTALL.macppc
207: <li> CD2:3.3/vax/INSTALL.vax
208: <p>
209: <li> CD3:3.3/sparc/INSTALL.sparc
210: <li> CD3:3.3/sparc64/INSTALL.sparc64
1.15 drahn 211: <p>
212: <li> FTP:.../OpenBSD/3.3/alpha/INSTALL.alpha
213: <li> FTP:.../OpenBSD/3.3/hp300/INSTALL.hp300
1.20 mickey 214: <li> FTP:.../OpenBSD/3.3/hppa/INSTALL.hppa
1.15 drahn 215: <li> FTP:.../OpenBSD/3.3/mac68k/INSTALL.mac68k
216: <li> FTP:.../OpenBSD/3.3/mvme68k/INSTALL.mvme68k
1.1 miod 217: </ul>
218: <hr>
219:
220: <p>
221: Quick installer information for people familiar with OpenBSD, and the
222: use of the "disklabel -E" command. If you are at all confused when
223: installing OpenBSD, read the relevant INSTALL.* file as listed above!
224: <p>
225:
226: <h3><font color="#e00000">OpenBSD/i386:</font></h3>
227: <ul>
228: Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
229: release is on CD1. If your BIOS does not support booting from CD, you will need
230: to create a boot floppy to install from. To create a boot floppy write
231: <i>CD1:3.3/i386/floppy33.fs</i> to a floppy and boot via the floppy drive.
232:
233: <p>
234: Use <i>CD1:3.3/i386/floppyB33.fs</i> instead for greater scsi controller
235: support, or <i>CD1:3.3/i386/floppyC33.fs</i> for better laptop support.
236:
237: <p>
238: If you are planning on dual booting OpenBSD with another OS, you will need to read the included INSTALL.i386 document.
239:
240: <p>
241: To make a boot floppy under MS-DOS, use the "rawrite" utility located
242: at <i>CD:/3.3/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS, use the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dd&sektion=1">dd(1)</a> utility. The following is an example usage of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dd&sektion=1">dd(1)</a>, where the device could be "floppy", "rfd0c", or "rfd0a".
243:
244: <ul><pre>
245: # <strong>dd if=<file> of=/dev/<device> bs=32k</strong>
246: </pre></ul>
247:
248: <p>
1.18 deraadt 249: Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to <a href="faq/faq4.html#MkFlop">FAQ4.1</a>.
1.1 miod 250: </ul>
251:
252: <p>
253: <h3><font color="#e00000">OpenBSD/macppc:</font></h3>
254: <ul>
255: Put the CD2 in your CDROM drive and poweron your machine while holding down the
256: <i>C</i> key until the display turns on and shows <i>OpenBSD/macppc boot</i>.
257:
258: <p>
259: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
260: /3.3/macppc/bsd.rd</i>
261: </ul>
262:
263: <p>
264: <h3><font color="#e00000">OpenBSD/vax:</font></h3>
265: <ul>
266: Boot over the network via mopbooting as described in INSTALL.vax.
267: </ul>
268:
269: <p>
270: <h3><font color="#e00000">OpenBSD/sparc:</font></h3>
271: <ul>
272: The 3.3 release of OpenBSD/sparc is located on CD3. To boot off of this CD you can use one of the two commands listed below, depending on the version of your ROM.
273:
274: <ul><pre>
275: > <strong>boot cdrom 3.3/sparc/bsd.rd</strong>
276: or
277: > <strong>b sd(0,6,0)3.3/sparc/bsd.rd</strong>
278: </pre></ul>
279:
280: <p>
281: If your sparc does not have a CD drive, you can alternatively boot from floppy.
1.18 deraadt 282: To do so you need to write "CD3:3.3/sparc/floppy33.fs" to a floppy. For more information see <a href="faq/faq4.html#MkFlop">FAQ4.1</a>. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.
1.1 miod 283:
284: <ul><pre>
285: > <strong>boot floppy</strong>
286: or
287: > <strong>boot fd()</strong>
288: </pre></ul>
289:
290: <p>
291: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
292:
293: <p>
294: If your sparc doesn't have a floppy drive nor a CD drive, you can either
295: setup a bootable tape, or install via network, as told in the
296: INSTALL.sparc file.
297: </ul>
298:
299: <p>
300: <h3><font color="#e00000">OpenBSD/sparc64:</font></h3>
301: <ul>
302: Put the CD3 in your CDROM drive and type <i>boot cdrom</i>.
303:
304: <p>
305: If this doesn't work, or if you don't have a CDROM drive, you can write
306: <i>CD3:3.3/sparc64/floppy33.fs</i> to a floppy and boot it with <i>boot
307: floppy</i>.<br>
308: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
309:
310: <p>
311: You can also write <i>CD3:3.3/sparc64/miniroot33.fs</i> to the swap partition on
312: the disk and boot with <i>boot disk:b</i>.
313:
314: <p>
315: If nothing works, you can boot over the network as described in INSTALL.sparc64
316: </ul>
317:
318: <p>
1.15 drahn 319: <h3><font color="#e00000">OpenBSD/alpha:</font></h3>
320: <ul>
321: <p>Write <i>FTP:3.3/alpha/floppy33.fs</i> or
322: <i>FTP:3.3/alpha/floppyB33.fs</i> (depending on your machine) to a diskette and
323: enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
324:
325: <p>
326: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
327:
328: </ul>
329:
330: <p>
331: <h3><font color="#e00000">OpenBSD/hp300:</font></h3>
332: <ul>
333: <p>
334: Boot over the network by following the instructions in INSTALL.hp300.
335: </ul>
336:
337: <p>
1.28 miod 338: <h3><font color="#e00000">OpenBSD/hppa:</font></h3>
339: <ul>
340: <p>
341: Boot over the network by following the instructions in INSTALL.hppa or the
342: <a href="hppa.html#netboot">hppa platform page</a>.
343: </ul>
344:
345: <p>
1.15 drahn 346: <h3><font color="#e00000">OpenBSD/mac68k:</font></h3>
347: <ul>
348: <p>
349: Boot MacOS as normal and partition your disk with the appropriate A/UX
350: configurations. Then, extract the Macside utilities from
1.25 nick 351: <i>FTP:3.3/mac68k/utils</i> onto your hard disk. Run Mkfs to create your
1.15 drahn 352: filesystems on the A/UX partitions you just made. Then, use the
1.25 nick 353: "BSD/Mac68k Installer" to copy all the sets in <i>FTP:3.3/mac68k/</i> onto your
354: partitions. Finally, you will be ready to configure the "BSD/Mac68k
355: Booter" with the location of your kernel and boot the system.
1.15 drahn 356: </ul>
357:
358: <p>
359: <h3><font color="#e00000">OpenBSD/mvme68k:</font></h3>
360: <ul>
361: <p>
362: You can create a bootable installation tape or boot over the network.<br>
363: The network boot requires a MVME68K BUG version that supports the <i>NIOT</i>
364: and <i>NBO</i> debugger commands. Follow the instructions in INSTALL.mvme68k
365: for more details.
366: </ul>
367:
368: <p>
1.1 miod 369: <h3><font color="#e00000">Notes about the source code:</font></h3>
370: <ul>
371: src.tar.gz contains a source archive starting at /usr/src. This file
372: contains everything you need except for the kernel sources, which are
373: in a separate archive. To extract:
374: <p>
375: <ul><pre>
376: # <strong>mkdir -p /usr/src</strong>
377: # <strong>cd /usr/src</strong>
378: # <strong>tar xvfz /tmp/src.tar.gz</strong>
379: </pre></ul>
380: <p>
1.29 pb 381: sys.tar.gz contains a source archive starting at /usr/src/sys.
1.1 miod 382: This file contains all the kernel sources you need to rebuild kernels.
383: To extract:
384: <p>
385: <ul><pre>
386: # <strong>mkdir -p /usr/src/sys</strong>
387: # <strong>cd /usr/src</strong>
1.29 pb 388: # <strong>tar xvfz /tmp/sys.tar.gz</strong>
1.1 miod 389: </pre></ul>
390: <p>
391: Both of these trees are a regular CVS checkout. Using these trees it
392: is possible to get a head-start on using the anoncvs servers as
1.18 deraadt 393: described <a href="anoncvs.html">here</a>.
1.1 miod 394: Using these files
395: results in a much faster initial CVS update than you could expect from
396: a fresh checkout of the full OpenBSD source tree.
397: <p>
398: </ul>
399: <a name="ports"></a>
400: <hr>
401: <p>
402: <h3><font color="#0000e0">Ports Tree</font></h3>
403: <p>
404: A ports tree archive is also provided. To extract:
405: <p>
406: <ul><pre>
407: # <strong>cd /usr</strong>
408: # <strong>tar xvfz /tmp/ports.tar.gz</strong>
409: # <strong>cd ports</strong>
410: </pre></ul>
411: <p>
412: The <i>ports/</i> subdirectory is a checkout of the OpenBSD ports tree. Go
1.18 deraadt 413: read the <a href="ports.html">ports</a> page
1.1 miod 414: if you know nothing about ports
415: at this point. This text is not a manual of how to use ports.
416: Rather, it is a set of notes meant to kickstart the user on the
417: OpenBSD ports system.
418: <p>
419: Certainly, the OpenBSD ports system is not complete. It is doubtful it
420: will ever be. However, it is growing very fast and getting more stable.
421: Almost all ports provided with this release should build without problems
422: on most architectures (over 2000 packages build on i386, for instance).
423: <p>
424: The <i>ports/</i> directory represents a CVS (see the manpage for
425: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">
426: cvs(1)</a> if
427: you aren't familiar with CVS) checkout of our ports. As with our complete
428: source tree, our ports tree is available via anoncvs. So, in
429: order to keep current with it, you must make the <i>ports/</i> tree
430: available on a read-write medium and update the tree with a command
431: like:
432: <p>
433: <ul><pre>
1.33 ! deraadt 434: # <strong>cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_3_3</strong>
1.1 miod 435: </pre></ul>
436: <p>
437: [Of course, you must replace the local directory and server name here
438: with the location of your ports collection and a nearby anoncvs
439: server.]
440: <p>
441: Note that most ports are available as packages through ftp. Updated
442: packages for the 3.3 release will be made available if problems arise.
443: <p>
444: If you're interested in seeing a port added, would like to help out, or just
445: would like to know more, the mailing list ports@openbsd.org is a good
446: place to know.
447: <p>
448:
449: <hr>
450: <a href="index.html"><img height="24" width="24" src="back.gif" border="0"
451: alt="OpenBSD"></a>
452: <a href="mailto:www@openbsd.org">www@openbsd.org</a>
453: <br><small>
1.33 ! deraadt 454: $OpenBSD: 33.html,v 1.32 2005/04/19 17:38:56 deraadt Exp $
1.1 miod 455: </small>
456:
457: </body>
458: </html>