version 1.21, 2016/07/22 20:33:22 |
version 1.22, 2016/07/22 21:24:11 |
|
|
<ul> |
<ul> |
<li><tt>W^X</tt> is now strictly enforced by default; |
<li><tt>W^X</tt> is now strictly enforced by default; |
a program can only violate it if the executable is marked with |
a program can only violate it if the executable is marked with |
<tt>PT_OPENBSD_WXNEEDED</tt> and its is located on a filesystem |
<tt>PT_OPENBSD_WXNEEDED</tt> and it is located on a filesystem |
mounted with the <tt>wxallowed</tt> |
mounted with the <tt>wxallowed</tt> |
<a href="http://man.openbsd.org/mount.8">mount(8)</a> option. |
<a href="http://man.openbsd.org/mount.8">mount(8)</a> option. |
<li>The <a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a> |
<li>The <a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a> |
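Review bot: in the corrected line "and it is located on a filesystem", the pronoun "it" can be read as either the program or the executable. The subject of the clause is already "the executable", so dropping the pronoun ("is marked with PT_OPENBSD_WXNEEDED and is located on a filesystem mounted with the wxallowed mount(8) option") removes the ambiguity.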
|
|
<li><a href="http://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
<li><a href="http://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
can now only be used by the kernel-provided signal trampoline, |
can now only be used by the kernel-provided signal trampoline, |
with a cookie to detect attempts to reuse it. |
with a cookie to detect attempts to reuse it. |
<li>To deter code reuse exploits, in <a href="http://man.openbsd.org/rc.8">rc(8)</a>, |
<li>To deter code reuse exploits, <a href="http://man.openbsd.org/rc.8">rc(8)</a> |
re-link libc.so on startup, placing the objects in a random order. |
re-links libc.so on startup, placing the objects in a random order. |
<li>In the <a href="http://man.openbsd.org/getpwnam.3">getpwnam(3)</a> |
<li>In the <a href="http://man.openbsd.org/getpwnam.3">getpwnam(3)</a> |
family of functions, stop opening the shadow database by default. |
family of functions, stop opening the shadow database by default. |
<li>Allow <a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a> |
<li>Allow <a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a> |
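Review bot: in the reworded rc(8) item, libc.so is left as plain text while the other identifiers in this list (W^X, PT_OPENBSD_WXNEEDED, wxallowed) are wrapped in <tt>. Suggest marking it up the same way for consistency. The new wording also moves this item to third-person present ("re-links") while the neighbouring items stay imperative ("stop opening", "Allow"), so consider aligning the voice across the list.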
|
|
ensures that only <tt>GENERALIZEDTIME</tt> formats are accepted for |
ensures that only <tt>GENERALIZEDTIME</tt> formats are accepted for |
OCSP, as per <i>RFC 6960</i>. |
OCSP, as per <i>RFC 6960</i>. |
</ul> |
</ul> |
<li>The following CVEs had been fixed: |
<li>The following CVEs have been fixed: |
<ul> |
<ul> |
<li><tt>CVE-2016-2105</tt>—EVP_EncodeUpdate overflow. |
<li><tt>CVE-2016-2105</tt>—EVP_EncodeUpdate overflow. |
<li><tt>CVE-2016-2106</tt>—EVP_EncryptUpdate overflow. |
<li><tt>CVE-2016-2106</tt>—EVP_EncryptUpdate overflow. |