===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v
retrieving revision 1.52
retrieving revision 1.53
diff -c -r1.52 -r1.53
*** www/62.html 2017/10/05 00:26:55 1.52
--- www/62.html 2017/10/05 03:55:02 1.53
***************
*** 18,25 ****
6.2
!
!
Released October 15, 2017
Copyright 1997-2017, Theo de Raadt.
--- 18,25 ----
6.2
!
!
Released October 15, 2017
Copyright 1997-2017, Theo de Raadt.
***************
*** 61,76 ****
to 6.2.
- - New/extended platforms:
-
- - The i386 and
- amd64
- platforms have switched to using
- clang(1)
- as the base system compiler.
-
- ...
-
-
- Improved hardware support, including:
--- 61,66 ----
***************
*** 109,115 ****
- The puc(4) driver now supports ASIX AX99100 devices.
- Xen platform support and the xbf(4) driver in particular have been substantially improved.
- nvme(4) driver now reports correct last sector address to scsi, allowing valid GPT to be created.
!
- ...
--- 99,105 ----
- The puc(4) driver now supports ASIX AX99100 devices.
- Xen platform support and the xbf(4) driver in particular have been substantially improved.
- nvme(4) driver now reports correct last sector address to scsi, allowing valid GPT to be created.
!
- Repair ioapic(8) misconfigurations.
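Review bot: the added entry cites ioapic(8), while every other driver in this list is cited in section 4 (puc(4), xbf(4), nvme(4)); check the manual section. The entry is also an imperative ("Repair ...") where its neighbours are declarative sentences, and "misconfigurations" does not say what was misconfigured or what symptom went away.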
***************
*** 234,244 ****
mail(1)
were rewritten to cope with the removal.
Trapsleds, a new mitigation that significantly reduces the amount of
! nops in the instruction stream, converting them to traps, making it
! harder to target potential gadgets.
Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o
files of the kernel to be relinked in a random order, creating a unique
! kernel for each boot.
Like with libc previously,
rc(8) re-links libcrypto on
startup, placing the objects in a random order.
--- 224,236 ----
mail(1)
were rewritten to cope with the removal.
Trapsleds, a new mitigation that significantly reduces the amount of
! nops in the instruction stream, replacing them with trap instructions
! or jump-over-trap sequences, thereby requiring greater accuracy for
! targetting potential gadgets.
Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o
files of the kernel to be relinked in a random order, creating a unique
! kernel for each boot. /bsd is now non-readable to users, to try to
! keep the secret.
Like with libc previously,
rc(8) re-links libcrypto on
startup, placing the objects in a random order.
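Review bot: "targetting" in the rewritten Trapsleds text should be "targeting". In the KARL entry, "to try to keep the secret" never names the secret; stating what an unprivileged reader of /bsd would learn (presumably the per-boot link order described in the sentence before) would make the reason for the permission change explicit.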
***************
*** 263,268 ****
--- 255,271 ----
Tighter pledge for at(1).
Fixed and simplified pledge logic for
nc(1).
+ More application of recallocarray(3) in userland, and tracked sizes
+ to free(9) in the kernel.
+ Achieve higher levels of paranoia regarding structure packing, and
+ clear many kernel objects before passing to userland.
+ Disable some optimizations in clang(1) due to incompatibility
+ with security.
+ For instance, cope with clang(1)'s assumption that static or const
+ objects placed in unknown sections (such as .openbsd.randomdata)
+ are surely always 0, and therefore such memory accesses can be
+ optimized away..
+ In kernel, randomly bias down the top-of-stack per kthread.
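Review bot: the second clang(1) sentence ends in a doubled period ("optimized away.."). "Disable some optimizations in clang(1) due to incompatibility with security" is too vague for release notes; the .openbsd.randomdata sentence that follows is the only concrete instance, so consider merging the two and naming what was disabled. "tracked sizes to free(9)" would read more clearly as "sizes passed to free(9)", and "In kernel" as "In the kernel".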
***************
*** 345,350 ****
--- 348,358 ----
Assorted improvements:
+ - The i386 and
+ amd64
+ platforms have switched to using
+ clang(1)
+ as the base system compiler.
- Improved UTF-8 line editing support for
ksh(1)
Emacs and Vi input mode.
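Review bot: the clang(1) switch for i386 and amd64 now sits as the first item under "Assorted improvements", after the 61,76 hunk removed the "New/extended platforms" heading it used to live under. A base compiler change is easy to overlook in a miscellaneous list, and the entries added in the 263,268 hunk depend on it (they describe clang(1) optimizations being disabled), so consider a cross-reference from there or a more prominent placement.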
***************
*** 419,424 ****
--- 427,439 ----
for debugging lock order issues in the kernel.
The tool is not built in by default, and only amd64, hppa and i386
are supported.
+
- Modernize some bizzare tty behaviours of getty(8).
+
- Some subtle changes to pledge(2) to satisfy requirements observed
+ in real life.
+
- Prefer use of waitpid(2) rather than wait(3) where possible, to
+ avoid problems with pre-existing children.
+
- Rewrite swaths of machine-dependent system call stub code in ld.so(1)
+ in a more portable fashion.
- Per-CPU
caches implemented in pools
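Review bot: "bizzare" in the getty(8) entry should be "bizarre". The pledge(2) entry ("Some subtle changes ... observed in real life") gives the reader nothing to check their own programs against; name the promises or behaviours that changed. The four new items are also imperatives ("Modernize", "Prefer", "Rewrite") next to declarative context lines; pick one style for the list.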
***************
*** 512,522 ****
- alpha: XXXX
!
- amd64: XXXX
- arm: XXXX
|
- hppa: XXXX
!
- i386: XXXX
- mips64: XXXX
| |