===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/57.html,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- www/57.html 2015/03/11 11:59:13 1.43
+++ www/57.html 2015/03/11 21:16:39 1.44
@@ -79,6 +79,7 @@
The ppb(4) driver now supports PCI bridges that support subtractive decoding (fixes PCMCIA behind the ATI SB400 PCI bridge), and devices with 64-bit BARs behind PCI-PCI bridges as seen on SPARC T5-2 systems.
The pucdata(4) driver now supports Winchiphead CH382 devices.
The sdmmc(4) driver now supports eMMC storage devices larger than 2GB.
+ The sdhc(4) driver can properly resume on Ricoh controllers.
The sdhc(4) driver now supports Ricoh R5U822 and R5U823 card readers.
The mfii(4) driver now supports the Megaraid 3008 (Fury) and 3108 (Invader) cards.
The myx(4) driver runs less code under big lock.
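Review bot: the added sdhc(4) line sits directly above the existing sdhc(4) item, so the same driver now gets two consecutive entries; consider folding them into one, e.g. "The sdhc(4) driver now supports Ricoh R5U822 and R5U823 card readers and resumes properly on Ricoh controllers." The wording "can properly resume" also breaks with the "now supports" / "now ..." tense used by every neighbouring item; "now resumes properly" keeps the list consistent.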
@@ -115,6 +116,7 @@
Traffic destinated to link-local IPv6 addresses can now be seen with tcpdump(8).
...
+
Installer improvements:
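Review bot: this hunk only adds a blank source line before "Installer improvements:"; in HTML a blank line between elements does not change what the browser renders, so this is a source-readability change only, which is fine, but it should not be relied on to create a visual gap on the page.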
@@ -139,6 +141,7 @@
-
fdisk(8) now zeros out GPT signatures found when writing out an MBR that has been re-initialzed and has no EFI or EFISYS partition.
- Fixed manipulation of 'ro' and 'rw' fstab options to avoid damage to other options that happen to contain 'ro' or 'rw'.
+ The ramdisk binary (one binary contains all the commands) is now compiled without optimization and security features. The benefit is a substantial savings in space, allowing more features in the future.
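Review bot: the new ramdisk item says the binary is "compiled without optimization and security features" but does not say which security features are dropped, nor state plainly that this applies only to the installer ramdisk image and not to binaries installed from it; readers scanning release notes for hardening regressions will want that scoped explicitly, e.g. "... is now compiled without compiler optimization and without the usual hardening features; this affects only the ramdisk itself". While touching this list, the context line two lines up still has the pre-existing typo "re-initialzed" (should be "re-initialized").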
@@ -158,9 +161,31 @@
Security improvements:
- - Stricter enforcement of W^X in the kernel address space.
+
- Stricter enforcement of W^X in the kernel address space, especially on architectures with the right featureset (amd64, in particular has seen substantial improvements).
- Support for loadable kernel modules has been removed.
- procfs has been removed.
+
- Comprehensive audit of the tree to use the reallocarray(3) idiom throughout.
+
- Many conversions from select(2) to poll(2).
+
- /var/tmp is now a symbolic link to /tmp, as a first step towards reducing the "fill it up" attack surface against the /var partition.
+
- memcpy(3) with overlapping arguments now aborts a program (with a syslog report), allowing these problems to be found. Overlapping copies should use memmove(3). Sometime after 5.7 release, having learned more about the situation and repairing instances that are discovered by users during release use, we will go back to the optimized version.
+
- Change
+ rand(3),
+ random(3),
+ drand48(3),
+ lrand48(3),
+ mrand48(3),
+ srand48(3)
+ to return non-deterministic strong random values by default, sourced from
+ arc4random(3).
+ New functions
+ srand_deterministic(3),
+ srandom_deterministic(3),
+ seed48_deterministic(3),
+ lcong48_deterministic(3),
+ are added for cases where determinism must be requested.
+
- At resume (or unhibernate) time, use a variety of methods to reseed the random number generator. This also works on VM's which wake up (if a wakeup event is seen).
+
- All architectures have been transitioned so to static PIE, meaning the statically linked binaries in /bin and /sbin now have randomly located text segments.
+
- Allow larger .openbsd.randomdata ELF segments.
- ...
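Review bot: typo in the static PIE item: "have been transitioned so to static PIE" should read "have been transitioned to static PIE"; likewise "VM's" in the resume/reseed item should be "VMs". The rand(3) item lists the functions whose output is now non-deterministic and the new srand_deterministic(3), srandom_deterministic(3), seed48_deterministic(3) and lcong48_deterministic(3) functions, but never says what happens to existing calls to srand(3), srandom(3), seed48(3) and lcong48(3) under the new default; one sentence on that would let readers tell whether programs that depend on a reproducible sequence still get one, which is the whole point of the compatibility note.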
@@ -215,6 +240,12 @@
dhclient(8).
Private number conversion functions in
dhclient(8) eliminated in favour of standard library functions.
+ Further signal race cleanups in
+ ftp(1).
+ BIND has been retired, encouraging use of
+ nsd(8) and
+ unbound(8).
+ Significant namespace cleanup in the /usr/include files, especially related to <sys/param.h> and <limits.h>.
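Review bot: the new include-cleanup line carries raw "<sys/param.h>" and "<limits.h>" inside an HTML file; unless they are written as "&lt;sys/param.h&gt;" and "&lt;limits.h&gt;" the browser will parse them as tags and the header names will vanish from the rendered page. The ftp(1) and BIND/nsd(8)/unbound(8) additions read fine as they are.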
...