version 1.19, 2003/09/05 00:30:26 |
version 1.20, 2003/09/05 02:40:05 |
|
|
effort limit on code execution. |
effort limit on code execution. |
<p> |
<p> |
|
|
<li>ld.so on ELF platforms now loads libraries in a random order for |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so">ld.so(1)</a> |
|
on ELF platforms now loads libraries in a random order for |
greater resistance to attacks. The i386 architecture also maps libraries |
greater resistance to attacks. The i386 architecture also maps libraries |
somewhat randomized addresses. Together with W^X and ProPolice, these |
somewhat randomized addresses. Together with W^X and ProPolice, these |
changes increase the difficulty of successfully exploiting an application |
changes increase the difficulty of successfully exploiting an application |
|
|
to the original authors where possible. |
to the original authors where possible. |
<p> |
<p> |
|
|
<li>Privilege separation has been implemented for the syslog daemon, making |
<li>Privilege separation has been implemented for the |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=syslogd">syslogd(8)</a> |
|
daemon, making |
it much more robust against future errors. The child which listens to |
it much more robust against future errors. The child which listens to |
network traffic now runs as a normal user and chroots itself, while the |
network traffic now runs as a normal user and chroots itself, while the |
parent process tracks the state of the child and performs privileged |
parent process tracks the state of the child and performs privileged |
|
|
bugs in the X server. |
bugs in the X server. |
<p> |
<p> |
|
|
<li>Emulation support for binary compatibility is now controlled via sysctl. |
<li>Emulation support for binary compatibility is now controlled via |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl">sysctl(1)</a> |
Emulation is now disabled by default to limit exposure to malicious |
Emulation is now disabled by default to limit exposure to malicious |
binaries, and can be enabled in |
binaries, and can be enabled in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf"> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf"> |
|
|
for large parts of the source tree. |
for large parts of the source tree. |
<p> |
<p> |
|
|
<li>Replacement of GNU diff/diff3, grep/egrep/fgrep/zgrep/zegrep/zfgrep, |
<li>Replacement of GNU |
and gzip/zcat/gunzip/gzcat/zcmp/zmore/zdiff/zforce/gzexe/znew |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=diff">diff</a>, |
with BSD licensed equivalents. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=diff3">diff3</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=grep">grep</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=egrep">egrep</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fgrep">fgrep</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zgrep">zgrep</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zegrep">zegrep</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zfgrep">zfgrep</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzip">gzip</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zcat">zcat</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gunzip">gunzip</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzcat">gzcat</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zcmp">zcmp</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zmore">zmore</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zdiff">zdiff</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zforce">zforce</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzexe">gzexe</a>, |
|
and |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=znew">znew</a> |
|
commands with BSD licensed equivalents. |
<p> |
<p> |
|
|
<li>Addition of read-only support for NTFS file systems. |
<li>Addition of read-only support for |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mount_ntfs">NTFS</a> |
|
file systems. |
<p> |
<p> |
|
|
<li>Reliability improvements to layered file systems, enabling NULLFS to |
<li>Reliability improvements to layered file systems, enabling |
work again. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mount_null">NULLFS</a> |
|
to work again. |
<p> |
<p> |
|
|
<li>Improvements to the Linux emulator enabling more applications to run. |
<li>Improvements to the Linux emulator enabling more applications to run. |
|
|
<li>Significant improvements to the pthread library. |
<li>Significant improvements to the pthread library. |
<p> |
<p> |
|
|
<li>Replace many static fd_set uses to poll() or dynamic allocation. |
<li>Replace many static fd_set uses, to instead use |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=poll">poll(2)</a> |
|
or dynamic allocation. |
<p> |
<p> |
|
|
<li>Legacy KerberosIV support has been removed, and the remaining KerberosV |
<li>Legacy KerberosIV support has been removed, and the remaining KerberosV |
|
|
<p> |
<p> |
|
|
<li>A large number of bug fixes, changes, and optimizations to our packet filter |
<li>A large number of bug fixes, changes, and optimizations to our packet filter |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf">pf(4)</a> |
including: |
including: |
<ul> |
<ul> |
<li>packet tagging (e.g. filter on tags added by bridge based on MAC address) |
<li>packet tagging (e.g. filter on tags added by bridge based on MAC address) |
<li>stateful TCP normalization (prevent uptime calculation and NAT detection) |
<li>stateful TCP normalization (prevent uptime calculation and NAT detection) |
<li>passive OS detection (filter or redirect connections based on source OS) |
<li>passive OS detection (filter or redirect connections based on source OS) |
<li>SYN proxy (protect servers against SYN flood attacks) |
<li>SYN proxy (protect servers against SYN flood attacks) |