===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/35.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- www/35.html 2004/03/23 23:28:08 1.3
+++ www/35.html 2004/03/24 05:29:58 1.4
@@ -70,9 +70,7 @@
-- The i386 architecture has been switched to the
- ELF
- executable format.
+
- ...
- The HPPA architecture gets support for many
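Review bot: At the top of this hunk the i386 ELF entry is replaced by a single empty added line, which leaves an empty slot directly ahead of the `...` entry. If `...` is a placeholder for entries still to be written, mark it as such (an HTML comment would do) so the page is not published with an empty item followed by a literal ellipsis.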
@@ -80,252 +78,16 @@
based machines.
-
- Further W^X improvements, including support for the i386 architecture.
- Native i386 binaries have their executable segments rearranged to support
- isolating code from data, and the cpu CS limit is used to impose a best
- effort limit on code execution.
-
-
-
- ld.so(1)
- on ELF platforms now loads libraries in a random order for
- greater resistance to attacks. The i386 architecture also maps libraries
- into somewhat randomized addresses. Together with W^X and
- ProPolice,
- these changes increase the difficulty of successfully exploiting an
- application error, such as a buffer overflow.
-
-
-
- A static bounds checker has been added to the compiler to perform basic
- checks on functions which accept buffers and sizes. The checker aims to
- find common mistakes in the use of library functions such as
- strlcpy(3)
- or sscanf(3)
- without emitting any false positives. Running it over the source and ports
- trees revealed over a hundred real bugs, which were fixed and submitted back
- to the original authors where possible.
-
-
-
- Privilege separation has been implemented for the
- syslogd(8)
- daemon, making it much more robust against future errors. The child which
- listens to network traffic now runs as a normal user and chroots itself,
- while the parent process tracks the state of the child and performs
- privileged operations on its behalf.
-
-
-
- Many unsafe string functions have been removed from the kernel and userland
- utilities. This audit is one of the most comprehensive OpenBSD has ever
- done, with thousands of occurrences of
- strcpy(3),
- strcat(3),
- sprintf(3),
- and
- vsprintf(3)
- being replaced with safer, bounded alternatives such as
- strlcpy(3),
- strlcat(3),
- snprintf(3),
- vsnprintf(3),
- and
- asprintf(3).
-
-
-
- Many improvements to and bugs fixed in the
-
- ProPolice stack protector. Several other code generation bugs
- for RISC architectures fixed.
-
-
-
-
- ProPolice stack protection has been enabled in the kernel as well.
-
-
-
- Privilege separation has been implemented in the X server. The privileged
- child process is responsible for the operations that can't be done after the
- main process has switched to a non-privileged user. This greatly reduces the
- potential damage that could be caused by malicious X clients, in case of
- bugs in the X server.
-
-
-
- Emulation support for binary compatibility is now controlled via
- sysctl(8).
- Emulation is now disabled by default to limit exposure to malicious
- binaries, and can be enabled in
-
- sysctl.conf(5).
-
-
-
- Manual pages have been greatly cleaned up and improved.
-
-
-
- The ports tree now supports building programs under
-
- systrace(1), preventing the possibility of applications harming the
- system at compile-time via trojaned configuration scripts or otherwise.
-
-
-
- Symbol caching in
- ld.so(1)
- reduces the startup time of large applications.
-
-
-
- More license fixes, including the removal of the advertising clause
- for large parts of the source tree.
-
-
- Replacement of GNU
-diff(1),
-diff3(1),
-nm(1),
-size(1),
-grep(1),
-egrep(1),
-fgrep(1),
-zgrep(1),
-zegrep(1),
-zfgrep(1),
-gzip(1),
-zcat(1),
-gunzip(1),
-gzcat(1),
-zcmp(1),
-zmore(1),
-zdiff(1),
-zforce(1),
-gzexe(1),
-and
-znew(1)
+nm(1) and
+size(1)
commands with BSD licensed equivalents.
-
- Addition of read-only support for
- NTFS
- file systems.
-
-
-
- Reliability improvements to layered file systems, enabling
- NULLFS
- to work again.
-
-
-
- Import of
- growfs(8)
- utility, allowing expansion of existing file systems.
-
-
-
- Improvements to
- linux emulation
- enabling more applications to run.
-
-
-
- Significant improvements to the
- pthreads(3)
- library.
-
-
-
- Replace many static fd_set uses, to instead use
- poll(2)
-or dynamic allocation.
-
-
-
- ANSIfication and stricter prototypes for a large portion of the source tree.
-
-
-
- Legacy KerberosIV support has been removed, and the remaining KerberosV
- codebase has been restructured for easier management.
-
-
-
- Over 2400 ports, 2200 pre-built packages.
-
-
-
- A large number of bug fixes, changes, and optimizations to our packet filter
- pf(4)
- including:
-
-- packet tagging (e.g. filter on tags added by bridge based on MAC address)
-
- stateful TCP normalization (prevent uptime calculation and NAT detection)
-
- passive OS detection (filter or redirect connections based on source OS)
-
- SYN proxy (protect servers against SYN flood attacks)
-
- adaptive state timeouts (prevent state table overflows under attack)
-
-
-
-
- Improved hardware support, including:
-
-- Kauai ATA controllers (Apple ATA100 wdc)
-
- kauaiata(4) enabling support for Powerbook 12" and 17" models.
-
- Support for controlling LongRun registers on Transmeta CPUs.
-
- Many fixes to
- aac(4),
- ahc(4),
- osiop(4),
- and siop(4)
- SCSI drivers.
-
- New
- it(4),
- lm(4), and
- viaenv(4)
- hardware monitor drivers.
-
- New
- safe(4)
- driver for SafeNet crypto accelerators.
-
- New
- mtd(4)
- driver for Myson Technologies network cards.
-
- More ethernet cards supported by
- sk(4),
- wi(4),
- fxp(4),
- and dc(4).
-
- Massive overhaul and sync with NetBSD of the entire
- usb(4)
- support system.
-
- New and better support for various controllers in
- pciide(4),
- including experimental support for Serial ATA.
-
- New drivers to support
-
- mgx(4) and
-
- pninek(4) SPARC framebuffers. The
-
- vigra(4) driver also supports more models.
-
- pcmcia(4)
- support for Tadpole SPARCBooks and SPARCs with pcmcia-sbus bridges.
-
- Watchdog support for
- elansc(4)
- and
- geodesc(4)
- as used on Soekris boards.
-
-
-
-
- The system includes the following major components from outside suppliers:
-
-- XFree86 4.3.0 (+ patches, and i386 contains 3.3.X servers also, thus
- providing support for all chipsets)
-
- Gcc 2.95.3 (+ patches)
-
- Perl 5.8.0 (+ patches)
-
- Apache 1.3.28, mod_ssl 2.8.15, DSO support (+ patches)
-
- OpenSSL 0.9.7b (+ patches)
-
- Groff 1.15
-
- Sendmail 8.12.9 (+ parse8.359.2.8 security patch)
-
- Bind 9.2.2 (+ patches)
-
- Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
-
- Sudo 1.6.7p5
-
- Ncurses 5.2
-
- Latest KAME IPv6
-
- Heimdal 0.6rc1 (+ patches)
-
- Arla-current
-
- OpenSSH 3.7.1 (now with GSSAPI support)
-
-
-
-
- Many improvements for security and reliability (look for the red
print in the complete changelog).
+
- and much more.
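Review bot: The bulk of this hunk, from "Further W^X improvements" down through the outside-suppliers list, deletes every specific security entry (W^X on i386, ld.so(1) random library load order, syslogd(8) and X server privilege separation, ProPolice in the kernel, the pf(4) sub-list), and nothing in the visible diff gives the reason. State the reason in the log message, because the only security statement left in view is the generic "Many improvements for security and reliability" line that defers to the changelog. Also check that the trimmed utility entry still reads correctly now that it names only `nm(1) and` `size(1)` ahead of "commands with BSD licensed equivalents."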
@@ -629,7 +391,7 @@
alt="OpenBSD">
www@openbsd.org
-$OpenBSD: 35.html,v 1.3 2004/03/23 23:28:08 mickey Exp $
+$OpenBSD: 35.html,v 1.4 2004/03/24 05:29:58 deraadt Exp $