Annotation of www/34.html, Revision 1.17
1.1 david 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2: <html>
3: <head>
4: <title>OpenBSD 3.4 Release</title>
5: <link rev=made href="mailto:www@openbsd.org">
6: <meta name="resource-type" content="document">
7: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
8: <meta name="description" content="OpenBSD 3.4">
9: <meta name="keywords" content="openbsd,main">
10: <meta name="distribution" content="global">
11: <meta name="copyright" content="This document copyright 2003 by OpenBSD.">
12: </head>
13:
14: <body bgcolor="#ffffff" text="#000000" link="#24248E">
15:
16: <a href="index.html">
17: <img alt="[OpenBSD]" height="30" width="141" hspace="24" src="images/smalltitle.gif" border="0"></a>
18: <hr>
19:
20: <p>
21: <a href="images/Hood.gif">
22: <img align="left" width="255" height="343" hspace="24"
23: src="images/Hood.gif" alt="OpenBSD 3.4 logo"></a>
24: <h2><font color="#0000e0">The OpenBSD 3.4 Release:</font></h2>
25: <p>
26:
27: Released Nov 1, 2003<br>
28: Copyright 1997-2003, Theo de Raadt.<br>
29: <font color="#e00000">ISBN 0-9731791-2-0</font>
30: <p>
31:
32: <a href="#new">What's New</a><br>
33: <a href="#install">How to install</a><br>
34: <a href="#ports">How to use the ports tree</a><br>
35: <a href="orders.html">Ordering a CD set</a><br>
36:
37: <p>
38: <h3><font color="#0000e0">
39: To get the files for this release:
40: <ul>
41: <li>Order a CDROM from our <a href="orders.html">ordering system</a>.
42: <li>See the information on <a href="ftp.html">The FTP page</a> for
1.8 david 43: a list of mirror machines.
1.1 david 44: <li>Go to the <font color="#e00000">pub/OpenBSD/3.4/</font> directory on
1.8 david 45: one of the mirror sites.
1.1 david 46: <li>Briefly read the rest of this document.
47: <li>Have a look at <a href="errata.html">The 3.4 Errata page</a> for a list
1.8 david 48: of bugs and workarounds.
1.1 david 49: <li>See a <a href="plus.html">detailed log of changes</a> between the
1.8 david 50: 3.3 and 3.4 releases.
1.1 david 51: </ul>
52: </font></h3>
53: <br clear=all>
54: <br>
55: <p>
56:
57: <strong>Note:</strong> All applicable copyrights and credits can be found
58: in the applicable file sources found in the files src.tar.gz, sys.tar.gz,
59: XF4.tar.gz, or in the files fetched via ports.tar.gz. The distribution
60: files used to build packages from the ports.tar.gz file are not included on
61: the CDROM because of lack of space.
62: <p>
63:
64: <a name="new"></a>
65: <hr>
66: <p>
67: <h3><font color="#0000e0">What's New</font></h3>
68: <p>
69: This is a partial list of new features and systems included in OpenBSD 3.4.
70: For a comprehensive list, see the <a href="plus.html">changelog</a> leading
71: to 3.4.
72: <p>
73:
74: <ul>
75:
1.13 david 76: <li>The i386 architecture has been switched to the ELF executable format so
77: i386 upgrades are not possible for this release.
1.1 david 78: <p>
79:
1.6 tedu 80: <li>Further W^X improvements, including support for the i386 architecture.
81: Native i386 binaries have their executable segments rearranged to support
1.14 deraadt 82: isolating code from data, and the cpu CS limit is used to impose a best
83: effort limit on code execution.
1.1 david 84: <p>
85:
1.6 tedu 86: <li>ld.so on ELF platforms now loads libraries in a random order for
1.14 deraadt 87: greater resistance to attacks. The i386 architecture also maps libraries
88: somewhat randomized addresses. Together with W^X and ProPolice, these
89: changes increase the difficulty of successfully exploiting an application
90: error, such as a buffer overflow.
1.1 david 91: <p>
92:
93: <li>A static bounds checker has been added to the compiler to perform basic
1.4 avsm 94: checks on functions which accept buffers and sizes. The checker aims to
1.8 david 95: find common mistakes in the use of library functions such as
1.4 avsm 96: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strlcpy">strlcpy(3)</a>
97: or <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sscanf">sscanf(3)</a>
98: without emitting any false positives. Running it over the source and ports
99: trees revealed over a hundred real bugs, which were fixed and submitted back
100: to the original authors where possible.
1.1 david 101: <p>
102:
1.6 tedu 103: <li>Privilege separation has been implemented for the syslog daemon, making
104: it much more robust against future errors. The child which listens to
105: network traffic now runs as a normal user and chroots itself, while the
106: parent process tracks the state of the child and performs privileged
107: operations on its behalf.
1.1 david 108: <p>
109:
110: <li>Many unsafe string functions have been removed from the kernel and userland
1.6 tedu 111: utilities. This audit is one of the most comprehensive OpenBSD has ever
112: done, with thousands of occurrences of
1.12 deraadt 113: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcpy">strcpy(3)</a>,
114: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcat">strcat(3)</a>,
115: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sprintf">sprintf(3)</a>,
1.8 david 116: and
1.12 deraadt 117: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vsprintf">vsprintf(3)</a>
1.4 avsm 118: being replaced with safer, bounded alternatives such as
1.12 deraadt 119: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strlcpy">strlcpy(3)</a>,
120: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strlcat">strlcat(3)</a>,
121: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=snprintf">snprintf(3)</a>,
122: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vsnprintf">vsnprintf(3)</a>,
123: and
124: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=asprintf">asprintf(3)</a>.
1.1 david 125: <p>
126:
1.13 david 127: <li><a href="http://www.research.ibm.com/trl/projects/security/ssp/">
128: ProPolice</a> stack protection has been enabled in the kernel as well.
1.1 david 129: <p>
130:
1.15 david 131: <li>Privileged separation has been implemented in the X server. The privileged
132: child process is responsible for the operations that can't be done after the
133: main process has switched to a non-privileged user. This greatly reduces the
134: potential damage that could be caused by malicious X clients, in case of
135: bugs in the X server.
136: <p>
137:
1.16 tedu 138: <li>Emulation support for binary compatibility is now controlled via sysctl.
139: <p>
140:
1.1 david 141: <li>Manual pages have been greatly cleaned up and improved.
142: <p>
143:
1.8 david 144: <li>The ports tree now supports building programs under
145: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace">
146: systrace(1)</a>, preventing the possibility of applications harming the
147: system at compile-time via trojaned configuration scripts or otherwise.
1.1 david 148: <p>
149:
1.3 jason 150: <li>More licenses fixes, including the removal of the advertising clause
1.6 tedu 151: for large parts of the source tree.
152: <p>
153:
1.11 deraadt 154: <li>Replacement of GNU diff/diff3, grep/egrep/fgrep/zgrep/zegrep/zfgrep,
155: and gzip/zcat/gunzip/gzcat/zcmp/zmore/zdiff/zforce/gzexe/znew
156: with BSD licensed equivalents.
1.6 tedu 157: <p>
158:
159: <li>Addition of read-only support for NTFS file systems.
160: <p>
161:
162: <li>Reliability improvements to layered file systems, enabling NULLFS to
163: work again.
164: <p>
165:
166: <li>Improvements to the linux emulator enabling more applications to run.
167: <p>
168:
1.16 tedu 169: <li>Significant improvements to the pthread library.
170: <p>
171:
172: <li>Replace many static fd_set uses to poll() or dynamic allocation.
173: <p>
174:
1.13 david 175: <li>Legacy KerberosIV support has been removed, and the remaining KerberosV
176: codebase has been restructured for easier management.
1.3 jason 177: <p>
178:
1.13 david 179: <li>Over 2400 ports, 2200 pre-built packages.
1.1 david 180: <p>
181:
182: <li>A large number of bug fixes, changes, and optimizations to our packet filter
183: including:
184: <ul>
1.9 dhartmei 185: <li>packet tagging (e.g. filter on tags added by bridge based on MAC address)
1.10 frantzen 186: <li>stateful TCP normalization (prevent uptime calculation and NAT detection)
1.9 dhartmei 187: <li>passive OS detection (filter or redirect connections based on source OS)
188: <li>SYN proxy (protect servers against SYN flood attacks)
189: <li>adaptive state timeouts (prevent state table overflows under attack)
1.1 david 190: </ul>
191: <p>
192:
1.16 tedu 193: <li>Improved hardware support, including:
194: <ul>
195: <li>Kauai ATA controllers (Apple ATA100 wdc) enabling support for
196: Powerbook 12" and 17" models.
197: <li>Support for controlling LongRun registers on Transmeta CPUs.
198: <li>Many fixes to aac(4), ahc(4), osiop(4), siop(4) SCSI drivers.
199: <li>New it(4), lm(4) and viaenv(4) hardware monitor drivers.
200: <li>New safe(4) driver for SafeNet crypto acclerators.
201: <li>New mtd(4) driver for Myson Technologies network cards.
202: <li>Massive overhaul and sync with NetBSD of the entire usb(4) support system.
203: <li>New and better support for various controllers in pciide(4).
204: </ul>
205: <p>
206:
1.1 david 207: <li>The system includes the following major components from outside suppliers:
208: <ul>
1.7 david 209: <li>XFree86 4.3.0 (+ patches, and i386 contains 3.3.X servers also, thus
210: providing support for all chipsets)
1.1 david 211: <li>Gcc 2.95.3 (+ patches)
212: <li>Perl 5.8.0 (+ patches)
213: <li>Apache 1.3.28, mod_ssl 2.8.15, DSO support (+ patches)
214: <li>OpenSSL 0.9.7beta3 (+ patches)
215: <li>Groff 1.15
216: <li>Sendmail 8.12.9
217: <li>Bind 9.2.2 (+ patches)
1.5 avsm 218: <li>Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
1.1 david 219: <li>Sudo 1.6.7p5
220: <li>Ncurses 5.2
221: <li>Latest KAME IPv6
222: <li>Heimdal 0.6rc1 (+ patches)
223: <li>Arla-current
1.17 ! david 224: <li>OpenSSH 3.7 (now with GSSAPI support)
1.1 david 225: </ul>
226: <p>
227:
228: <p>
229: <li>Many improvements for security and reliability (look for the red
230: print in the <a href="plus.html">complete changelog</a>).
231: <p>
232: <li> and much more.
233:
234: </ul>
235:
236: <a name="install"></a>
237: <hr>
238: <p>
239: <h3><font color="#0000e0">How to install</font></h3>
240: <p>
241: Following this are the instructions which you would have on a piece of
242: paper if you had purchased a CDROM set instead of doing an alternate
243: form of install. The instructions for doing an ftp (or other style
244: of) install are very similar; the CDROM instructions are left intact
245: so that you can see how much easier it would have been if you had
246: purchased a CDROM instead.
247: <p>
248:
249: <hr>
250: Please refer to the following files on the three CDROMs or ftp mirror for
251: extensive details on how to install OpenBSD 3.4 on your machine:
252: <p>
253: <ul>
1.8 david 254: <li>CD1:3.4/i386/INSTALL.i386
1.1 david 255: <p>
1.8 david 256: <li>CD2:3.4/macppc/INSTALL.macppc
257: <li>CD2:3.4/vax/INSTALL.vax
1.1 david 258: <p>
1.8 david 259: <li>CD3:3.4/sparc/INSTALL.sparc
260: <li>CD3:3.4/sparc64/INSTALL.sparc64
1.1 david 261: <p>
1.8 david 262: <li>FTP:.../OpenBSD/3.4/alpha/INSTALL.alpha
263: <li>FTP:.../OpenBSD/3.4/hp300/INSTALL.hp300
264: <li>FTP:.../OpenBSD/3.4/hppa/INSTALL.hppa
265: <li>FTP:.../OpenBSD/3.4/mac68k/INSTALL.mac68k
266: <li>FTP:.../OpenBSD/3.4/mvme68k/INSTALL.mvme68k
1.1 david 267: </ul>
268: <hr>
269:
270: <p>
271: Quick installer information for people familiar with OpenBSD, and the
272: use of the "disklabel -E" command. If you are at all confused when
273: installing OpenBSD, read the relevant INSTALL.* file as listed above!
274: <p>
275:
276: <h3><font color="#e00000">OpenBSD/i386:</font></h3>
277: <ul>
278: Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
279: release is on CD1. If your BIOS does not support booting from CD, you will need
280: to create a boot floppy to install from. To create a boot floppy write
281: <i>CD1:3.4/i386/floppy34.fs</i> to a floppy and boot via the floppy drive.
282:
283: <p>
284: Use <i>CD1:3.4/i386/floppyB34.fs</i> instead for greater scsi controller
285: support, or <i>CD1:3.4/i386/floppyC34.fs</i> for better laptop support.
286:
287: <p>
1.2 david 288: If you are planning on dual booting OpenBSD with another OS, you will need to
289: read the included INSTALL.i386 document.
1.1 david 290:
291: <p>
292: To make a boot floppy under MS-DOS, use the "rawrite" utility located
1.2 david 293: at <i>CD:/3.4/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS,
294: use the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=
295: dd&sektion=1">dd(1)</a> utility. The following is an example usage of
296: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dd&sektion=1">dd(1)
297: </a>, where the device could be "floppy", "rfd0c", or
298: "rfd0a".
1.1 david 299:
300: <ul><pre>
301: # <strong>dd if=<file> of=/dev/<device> bs=32k</strong>
302: </pre></ul>
303:
304: <p>
1.2 david 305: Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or
306: your install will most likely fail. For more information on creating a boot
307: floppy and installing OpenBSD/i386 please refer to
308: <a href="faq/faq4.html#MkFlop">FAQ4.1</a>.
1.1 david 309: </ul>
310:
311: <p>
312: <h3><font color="#e00000">OpenBSD/macppc:</font></h3>
313: <ul>
314: Put the CD2 in your CDROM drive and poweron your machine while holding down the
315: <i>C</i> key until the display turns on and shows <i>OpenBSD/macppc boot</i>.
316:
317: <p>
318: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
319: /3.4/macppc/bsd.rd</i>
320: </ul>
321:
322: <p>
323: <h3><font color="#e00000">OpenBSD/vax:</font></h3>
324: <ul>
325: Boot over the network via mopbooting as described in INSTALL.vax.
326: </ul>
327:
328: <p>
329: <h3><font color="#e00000">OpenBSD/sparc:</font></h3>
330: <ul>
1.2 david 331: The 3.4 release of OpenBSD/sparc is located on CD3. To boot off of this CD you
332: can use one of the two commands listed below, depending on the version of your
333: ROM.
1.1 david 334:
335: <ul><pre>
1.8 david 336: > <strong>boot cdrom 3.4/sparc/bsd.rd</strong>
1.1 david 337: or
1.8 david 338: > <strong>boot sd(0,6,0)3.4/sparc/bsd.rd</strong>
1.1 david 339: </pre></ul>
340:
341: <p>
342: If your sparc does not have a CD drive, you can alternatively boot from floppy.
1.2 david 343: To do so you need to write "CD3:3.4/sparc/floppy34.fs" to a floppy.
344: For more information see <a href="faq/faq4.html#MkFlop">FAQ4.1</a>. To boot from
345: the floppy use one of the two commands listed below, depending on the version of
346: your ROM.
1.1 david 347:
348: <ul><pre>
1.8 david 349: > <strong>boot floppy</strong>
1.1 david 350: or
1.8 david 351: > <strong>boot fd()</strong>
1.1 david 352: </pre></ul>
353:
354: <p>
1.2 david 355: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
356: will most likely fail.
1.1 david 357:
358: <p>
359: If your sparc doesn't have a floppy drive nor a CD drive, you can either
360: setup a bootable tape, or install via network, as told in the
361: INSTALL.sparc file.
362: </ul>
363:
364: <p>
365: <h3><font color="#e00000">OpenBSD/sparc64:</font></h3>
366: <ul>
367: Put the CD3 in your CDROM drive and type <i>boot cdrom</i>.
368:
369: <p>
370: If this doesn't work, or if you don't have a CDROM drive, you can write
371: <i>CD3:3.4/sparc64/floppy34.fs</i> to a floppy and boot it with <i>boot
372: floppy</i>.<br>
1.2 david 373: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
374: will most likely fail.
1.1 david 375:
376: <p>
377: You can also write <i>CD3:3.4/sparc64/miniroot34.fs</i> to the swap partition on
378: the disk and boot with <i>boot disk:b</i>.
379:
380: <p>
381: If nothing works, you can boot over the network as described in INSTALL.sparc64
382: </ul>
383:
384: <p>
385: <h3><font color="#e00000">OpenBSD/alpha:</font></h3>
386: <ul>
387: <p>Write <i>FTP:3.4/alpha/floppy34.fs</i> or
388: <i>FTP:3.4/alpha/floppyB34.fs</i> (depending on your machine) to a diskette and
389: enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
390:
391: <p>
1.2 david 392: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
393: will most likely fail.
1.1 david 394:
395: </ul>
396:
397: <p>
398: <h3><font color="#e00000">OpenBSD/hp300:</font></h3>
399: <ul>
400: <p>
401: Boot over the network by following the instructions in INSTALL.hp300.
402: </ul>
403:
404: <p>
405: <h3><font color="#e00000">OpenBSD/hppa:</font></h3>
406: <ul>
407: <p>
408: Boot over the network by following the instructions in INSTALL.hppa or the
409: <a href="hppa.html#netboot">hppa platform page</a>.
410: </ul>
411:
412: <p>
413: <h3><font color="#e00000">OpenBSD/mac68k:</font></h3>
414: <ul>
415: <p>
416: Boot MacOS as normal and partition your disk with the appropriate A/UX
417: configurations. Then, extract the Macside utilities from
418: <i>FTP:3.4/mac68k/utils</i> onto your hard disk. Run Mkfs to create your
419: filesystems on the A/UX partitions you just made. Then, use the
420: "BSD/Mac68k Installer" to copy all the sets in <i>FTP:3.4/mac68k/</i> onto your
421: partitions. Finally, you will be ready to configure the "BSD/Mac68k
422: Booter" with the location of your kernel and boot the system.
423: </ul>
424:
425: <p>
426: <h3><font color="#e00000">OpenBSD/mvme68k:</font></h3>
427: <ul>
428: <p>
429: You can create a bootable installation tape or boot over the network.<br>
430: The network boot requires a MVME68K BUG version that supports the <i>NIOT</i>
431: and <i>NBO</i> debugger commands. Follow the instructions in INSTALL.mvme68k
432: for more details.
433: </ul>
434:
435: <p>
436: <h3><font color="#e00000">Notes about the source code:</font></h3>
437: <ul>
438: src.tar.gz contains a source archive starting at /usr/src. This file
439: contains everything you need except for the kernel sources, which are
440: in a separate archive. To extract:
441: <p>
442: <ul><pre>
443: # <strong>mkdir -p /usr/src</strong>
444: # <strong>cd /usr/src</strong>
445: # <strong>tar xvfz /tmp/src.tar.gz</strong>
446: </pre></ul>
447: <p>
448: sys.tar.gz contains a source archive starting at /usr/src/sys.
449: This file contains all the kernel sources you need to rebuild kernels.
450: To extract:
451: <p>
452: <ul><pre>
453: # <strong>mkdir -p /usr/src/sys</strong>
454: # <strong>cd /usr/src</strong>
455: # <strong>tar xvfz /tmp/sys.tar.gz</strong>
456: </pre></ul>
457: <p>
458: Both of these trees are a regular CVS checkout. Using these trees it
459: is possible to get a head-start on using the anoncvs servers as
460: described <a href="anoncvs.html">here</a>.
461: Using these files
462: results in a much faster initial CVS update than you could expect from
463: a fresh checkout of the full OpenBSD source tree.
464: <p>
465: </ul>
466: <a name="ports"></a>
467: <hr>
468: <p>
469: <h3><font color="#0000e0">Ports Tree</font></h3>
470: <p>
471: A ports tree archive is also provided. To extract:
472: <p>
473: <ul><pre>
474: # <strong>cd /usr</strong>
475: # <strong>tar xvfz /tmp/ports.tar.gz</strong>
476: # <strong>cd ports</strong>
477: </pre></ul>
478: <p>
479: The <i>ports/</i> subdirectory is a checkout of the OpenBSD ports tree. Go
480: read the <a href="ports.html">ports</a> page
481: if you know nothing about ports
482: at this point. This text is not a manual of how to use ports.
483: Rather, it is a set of notes meant to kickstart the user on the
484: OpenBSD ports system.
485: <p>
486: Certainly, the OpenBSD ports system is not complete. It is doubtful it
487: will ever be. However, it is growing very fast and getting more stable.
488: Almost all ports provided with this release should build without problems
489: on most architectures (over 2400 packages build on i386, for instance).
490: <p>
491: The <i>ports/</i> directory represents a CVS (see the manpage for
492: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html">
493: cvs(1)</a> if
494: you aren't familiar with CVS) checkout of our ports. As with our complete
495: source tree, our ports tree is available via anoncvs. So, in
496: order to keep current with it, you must make the <i>ports/</i> tree
497: available on a read-write medium and update the tree with a command
498: like:
499: <p>
500: <ul><pre>
501: # <strong>cd [portsdir]/; cvs -d anoncvsserver.openbsd.org:/cvs update -Pd -rOPENBSD_3_4</strong>
502: </pre></ul>
503: <p>
504: [Of course, you must replace the local directory and server name here
505: with the location of your ports collection and a nearby anoncvs
506: server.]
507: <p>
508: Note that most ports are available as packages through ftp. Updated
509: packages for the 3.4 release will be made available if problems arise.
510: <p>
511: If you're interested in seeing a port added, would like to help out, or just
512: would like to know more, the mailing list ports@openbsd.org is a good
513: place to know.
514: <p>
515:
516: <hr>
517: <a href="index.html"><img height="24" width="24" src="back.gif" border="0"
518: alt="OpenBSD"></a>
519: <a href="mailto:www@openbsd.org">www@openbsd.org</a>
520: <br><small>
1.17 ! david 521: $OpenBSD: 34.html,v 1.16 2003/09/04 21:18:42 tedu Exp $
1.1 david 522: </small>
523:
524: </body>
525: </html>