version 1.5, 2003/09/04 05:04:08 |
version 1.6, 2003/09/04 06:29:45 |
|
|
<li>The i386 architecture has been switched to the ELF executable format. |
<li>The i386 architecture has been switched to the ELF executable format. |
<p> |
<p> |
|
|
<li>Further W^X improvements, including support for the i386 and powerpc |
<li>Further W^X improvements, including support for the i386 architecture. |
architectures. |
Native i386 binaries have their executable segments rearranged to support |
|
isolating code from data. |
<p> |
<p> |
|
|
<li>ELF platforms now have random library ordering for greater resistance to |
<li>ld.so on ELF platforms now loads libraries in a random order for |
attacks. |
greater resistance to attacks. The i386 architecture also has libraries |
|
mapped at random addresses. Along with W^X, these changes increase the |
|
difficulty of successfully exploiting an application error, such as a |
|
buffer overflow. |
<p> |
<p> |
|
|
<li>A static bounds checker has been added to the compiler to perform basic |
<li>A static bounds checker has been added to the compiler to perform basic |
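Review bot: The rewritten W^X item drops powerpc without explanation: the old text read "support for the i386 and powerpc architectures" and the new text reads "support for the i386 architecture." If powerpc W^X support is still part of this release, keep it in the sentence. If it is being removed from the list on purpose, say why in the commit message so the removal does not read as an accident of the rewording. The new ld.so item is clear about which mitigation applies where (random load order on all ELF platforms, random mapping addresses on i386 only) and can stay as written.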
|
|
to the original authors where possible. |
to the original authors where possible. |
<p> |
<p> |
|
|
<li>Privilege separation has been implemented for the syslog daemon, making it much |
<li>Privilege separation has been implemented for the syslog daemon, making |
more robust against future errors. The child which listens to network traffic |
it much more robust against future errors. The child which listens to |
now runs as a normal user and chroots itself, while the parent process tracks |
network traffic now runs as a normal user and chroots itself, while the |
the state of the child and performs privileged operations on its behalf. |
parent process tracks the state of the child and performs privileged |
|
operations on its behalf. |
<p> |
<p> |
|
|
<li>Many unsafe string functions have been removed from the kernel and userland |
<li>Many unsafe string functions have been removed from the kernel and userland |
utilities. This audit is one of the most comprehensive OpenBSD has ever done, |
utilities. This audit is one of the most comprehensive OpenBSD has ever |
with thousands of occurrences of |
done, with thousands of occurrences of |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcpy">strcpy(3)</a> and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcpy">strcpy(3)</a> and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcat">strcat(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcat">strcat(3)</a> |
being replaced with safer, bounded alternatives such as |
being replaced with safer, bounded alternatives such as |
|
|
|
|
<li>The ports tree now supports building programs under |
<li>The ports tree now supports building programs under |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace">systrace(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace">systrace(1)</a>, |
preventing the possibility of applications harming the system at compile-time |
preventing the possibility of applications harming the system at |
via trojaned configuration scripts or otherwise. |
compile-time via trojaned configuration scripts or otherwise. |
<p> |
<p> |
|
|
<li>More licenses fixes, including the removal of the advertising clause |
<li>More licenses fixes, including the removal of the advertising clause |
for large parts of the source tree. |
for large parts of the source tree. |
|
<p> |
|
|
|
<li>Replacement of GNU diff, grep, and gzip with BSD licensed equivalents. |
|
<p> |
|
|
|
<li>Addition of read-only support for NTFS file systems. |
|
<p> |
|
|
|
<li>Reliability improvements to layered file systems, enabling NULLFS to |
|
work again. |
|
<p> |
|
|
|
<li>Improvements to the linux emulator enabling more applications to run. |
|
<p> |
|
|
|
<li>Restructuring of Kerberos libraries for easier management. |
<p> |
<p> |
|
|
<li>Over 2400 tested packages. |
<li>Over 2400 tested packages. |
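Review bot: Two wording problems are left in this hunk. "More licenses fixes" in the unchanged line should read "More license fixes", and the new "Improvements to the linux emulator" item should capitalise "Linux". In the new diff/grep/gzip item, "BSD licensed equivalents" would also read better hyphenated as "BSD-licensed equivalents". Since this commit already touches the surrounding lines, these are worth fixing in the same change.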