www/35.html - diff

Return to 35.html CVS log

Up to [local] / www

Diff for /www/35.html between version 1.3 and 1.4

-version 1.3, 2004/03/23 23:28:08
+version 1.4, 2004/03/24 05:29:58
 Line 70
 Line 70
 Line 70
  <ul>
- <li>The i386 architecture has been switched to the
+ <li>...
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=elf">ELF</a>
-      executable format.
  <p>
  <li>The HPPA architecture gets support for many
-Line 80
+Line 78
 Line 80
 Line 78
      based machines.
  <p>
- <li>Further W^X improvements, including support for the i386 architecture.
-     Native i386 binaries have their executable segments rearranged to support
-     isolating code from data, and the cpu CS limit is used to impose a best
-     effort limit on code execution.
- <p>
- <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so">ld.so(1)</a>
-     on ELF platforms now loads libraries in a random order for
-     greater resistance to attacks.  The i386 architecture also maps libraries
-     into somewhat randomized addresses.  Together with W^X and
-     <a href="http://www.research.ibm.com/trl/projects/security/ssp/">ProPolice</a>,
-     these changes increase the difficulty of successfully exploiting an
-     application error, such as a buffer overflow.
- <p>
- <li>A static bounds checker has been added to the compiler to perform basic
-     checks on functions which accept buffers and sizes.  The checker aims to
-     find common mistakes in the use of library functions such as
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strlcpy">strlcpy(3)</a>
-     or <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sscanf">sscanf(3)</a>
-     without emitting any false positives.  Running it over the source and ports
-     trees revealed over a hundred real bugs, which were fixed and submitted back
-     to the original authors where possible.
- <p>
- <li>Privilege separation has been implemented for the
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=syslogd">syslogd(8)</a>
-     daemon, making it much more robust against future errors.  The child which
-     listens to network traffic now runs as a normal user and chroots itself,
-     while the parent process tracks the state of the child and performs
-     privileged operations on its behalf.
- <p>
- <li>Many unsafe string functions have been removed from the kernel and userland
-     utilities.  This audit is one of the most comprehensive OpenBSD has ever
-     done, with thousands of occurrences of
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcpy">strcpy(3)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strcat">strcat(3)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sprintf">sprintf(3)</a>,
-     and
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vsprintf">vsprintf(3)</a>
-     being replaced with safer, bounded alternatives such as
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strlcpy">strlcpy(3)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strlcat">strlcat(3)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=snprintf">snprintf(3)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vsnprintf">vsnprintf(3)</a>,
-     and
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=asprintf">asprintf(3)</a>.
- <p>
- <li>Many improvements to and bugs fixed in the
-     <a href="http://www.research.ibm.com/trl/projects/security/ssp/">
-     ProPolice</a> stack protector.  Several other code generation bugs
-     for RISC architectures fixed.
- <p>
- <li><a href="http://www.research.ibm.com/trl/projects/security/ssp/">
-     ProPolice</a> stack protection has been enabled in the kernel as well.
- <p>
- <li>Privilege separation has been implemented in the X server.  The privileged
-     child process is responsible for the operations that can't be done after the
-     main process has switched to a non-privileged user. This greatly reduces the
-     potential damage that could be caused by malicious X clients, in case of
-     bugs in the X server.
- <p>
- <li>Emulation support for binary compatibility is now controlled via
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl&amp;sektion=8">sysctl(8)</a>.
-     Emulation is now disabled by default to limit exposure to malicious
-     binaries, and can be enabled in
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf">
-     sysctl.conf(5)</a>.
- <p>
- <li>Manual pages have been greatly cleaned up and improved.
- <p>
- <li>The ports tree now supports building programs under
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace">
-     systrace(1)</a>, preventing the possibility of applications harming the
-     system at compile-time via trojaned configuration scripts or otherwise.
- <p>
- <li>Symbol caching in
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so">ld.so(1)</a>
-     reduces the startup time of large applications.
- <p>
- <li>More license fixes, including the removal of the advertising clause
-     for large parts of the source tree.
- <p>
  <li>Replacement of GNU
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=diff">diff(1)</a>,
+ <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nm">nm(1)</a> and
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=diff3">diff3(1)</a>,
+ <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=size">size(1)</a>
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nm">nm(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=size">size(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=grep">grep(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=egrep">egrep(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fgrep">fgrep(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zgrep">zgrep(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zegrep">zegrep(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zfgrep">zfgrep(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzip">gzip(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zcat">zcat(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gunzip">gunzip(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzcat">gzcat(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zcmp">zcmp(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zmore">zmore(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zdiff">zdiff(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=zforce">zforce(1)</a>,
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzexe">gzexe(1)</a>,
- and
- <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=znew">znew(1)</a>
  commands with BSD licensed equivalents.
  <p>
- <li>Addition of read-only support for
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mount_ntfs">NTFS</a>
-     file systems.
- <p>
- <li>Reliability improvements to layered file systems, enabling
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mount_null">NULLFS</a>
-     to work again.
- <p>
- <li>Import of
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=growfs">growfs(8)</a>
-     utility, allowing expansion of existing file systems.
- <p>
- <li>Improvements to
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=compat_linux">linux emulation</a>
-     enabling more applications to run.
- <p>
- <li>Significant improvements to the
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pthreads">pthreads(3)</a>
-     library.
- <p>
- <li>Replace many static fd_set uses, to instead use
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=poll">poll(2)</a>
- or dynamic allocation.
- <p>
- <li>ANSIfication and stricter prototypes for a large portion of the source tree.
- <p>
- <li>Legacy KerberosIV support has been removed, and the remaining KerberosV
-     codebase has been restructured for easier management.
- <p>
- <li>Over 2400 ports, 2200 pre-built packages.
- <p>
- <li>A large number of bug fixes, changes, and optimizations to our packet filter
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf">pf(4)</a>
-     including:
- <ul>
- <li>packet tagging (e.g. filter on tags added by bridge based on MAC address)
- <li>stateful TCP normalization (prevent uptime calculation and NAT detection)
- <li>passive OS detection (filter or redirect connections based on source OS)
- <li>SYN proxy (protect servers against SYN flood attacks)
- <li>adaptive state timeouts (prevent state table overflows under attack)
- </ul>
- <p>
- <li>Improved hardware support, including:
- <ul>
- <li>Kauai ATA controllers (Apple ATA100 wdc)
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kauaiata&arch=macppc">
-     kauaiata(4)</a> enabling support for Powerbook 12" and 17" models.
- <li>Support for controlling LongRun registers on Transmeta CPUs.
- <li>Many fixes to
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=aac">aac(4)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ahc">ahc(4)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=osiop">osiop(4)</a>,
-     and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=siop">siop(4)</a>
-     SCSI drivers.
- <li>New
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=it">it(4)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lm">lm(4)</a>, and
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=viaenv">viaenv(4)</a>
-     hardware monitor drivers.
- <li>New
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=safe">safe(4)</a>
-     driver for SafeNet crypto accelerators.
- <li>New
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mtd">mtd(4)</a>
-     driver for Myson Technologies network cards.
- <li>More ethernet cards supported by
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sk">sk(4)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wi">wi(4)</a>,
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fxp">fxp(4)</a>,
-     and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dc&amp;sektion=4">dc(4)</a>.
- <li>Massive overhaul and sync with NetBSD of the entire
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=usb&amp;sektion=4">usb(4)</a>
-     support system.
- <li>New and better support for various controllers in
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pciide">pciide(4)</a>,
-     including experimental support for Serial ATA.
- <li>New drivers to support
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mgx&arch=sparc">
-     mgx(4)</a> and
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pninek&arch=sparc">
-     pninek(4)</a> SPARC framebuffers. The
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vigra&arch=sparc">
-     vigra(4)</a> driver also supports more models.
- <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pcmcia">pcmcia(4)</a>
-     support for Tadpole SPARCBooks and SPARCs with pcmcia-sbus bridges.
- <li>Watchdog support for
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=elansc&arch=i386">elansc(4)</a>
-     and
-     <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=geodesc&arch=i386">geodesc(4)</a>
-     as used on Soekris boards.
- </ul>
- <p>
- <li>The system includes the following major components from outside suppliers:
- <ul>
- <li>XFree86 4.3.0 (+ patches, and i386 contains 3.3.X servers also, thus
-     providing support for all chipsets)
- <li>Gcc 2.95.3 (+ patches)
- <li>Perl 5.8.0 (+ patches)
- <li>Apache 1.3.28, mod_ssl 2.8.15, DSO support (+ patches)
- <li>OpenSSL 0.9.7b (+ patches)
- <li>Groff 1.15
- <li>Sendmail 8.12.9 (+ parse8.359.2.8 security patch)
- <li>Bind 9.2.2 (+ patches)
- <li>Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
- <li>Sudo 1.6.7p5
- <li>Ncurses 5.2
- <li>Latest KAME IPv6
- <li>Heimdal 0.6rc1 (+ patches)
- <li>Arla-current
- <li>OpenSSH 3.7.1 (now with GSSAPI support)
- </ul>
- <p>
- <p>
  <li>Many improvements for security and reliability (look for the red
  print in the <a href="plus.html">complete changelog</a>).
  <p>
  <li> and much more.
  </ul>