www/65.html - diff

Return to 65.html CVS log

Up to [local] / www

Diff for /www/65.html between version 1.75 and 1.76

-version 1.75, 2019/04/13 03:15:36
+version 1.76, 2019/04/13 03:20:06
 Line 144
 Line 144
 Line 144
  <li>Security improvements:
    <ul>
-       <li>
+   <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> has been
-         <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> has been
+     improved to understand and find covering unveil matches above the
-         improved to understand and find covering unveil matches above the
+     working directory of the running process for relative path accesses.
-         working directory of the running process for relative path accesses.
+     As a result many programs now can use unveil in broad ways such as
-         As a result many programs now can use unveil in broad ways such as
+     unveil("/", "r");
-         unveil("/", "r");
+   <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> no longer
-       <li>
+     silently allows
-         <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> no longer
+     <a href="https://man.openbsd.org/stat.2">stat(2)</a> and
-         silently allows
+     <a href="https://man.openbsd.org/access.2">access(2)</a> to work on any
-         <a href="https://man.openbsd.org/stat.2">stat(2)</a> and
+     unveiled path component.
-         <a href="https://man.openbsd.org/access.2">access(2)</a> to work on any
+   <li>Now using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in
-         unveiled path component.
+     <a href="https://man.openbsd.org/ospfd">ospfd(8)</a>,
-       <li>Now using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in
+     <a href="https://man.openbsd.org/ospf6d">ospf6d(8)</a>,
-         <a href="https://man.openbsd.org/ospfd">ospfd(8)</a>,
+     <a href="https://man.openbsd.org/rebound">rebound(8)</a>,
-         <a href="https://man.openbsd.org/ospf6d">ospf6d(8)</a>,
+     <a href="https://man.openbsd.org/getconf">getconf(1)</a>,
-         <a href="https://man.openbsd.org/rebound">rebound(8)</a>,
+     <a href="https://man.openbsd.org/kvm_mkdb">kvm_mkdb(8)</a>,
-         <a href="https://man.openbsd.org/getconf">getconf(1)</a>,
+     <a href="https://man.openbsd.org/bdftopcf">bdftopcf(1)</a>,
-         <a href="https://man.openbsd.org/kvm_mkdb">kvm_mkdb(8)</a>,
+     <a href="https://man.openbsd.org/Xserver">Xserver(1)</a>,
-         <a href="https://man.openbsd.org/bdftopcf">bdftopcf(1)</a>,
+     <a href="https://man.openbsd.org/passwd">passwd(1)</a>,
-         <a href="https://man.openbsd.org/Xserver">Xserver(1)</a>,
+     <a href="https://man.openbsd.org/spamlogd">spamlogd(8)</a>,
-         <a href="https://man.openbsd.org/passwd">passwd(1)</a>,
+     <a href="https://man.openbsd.org/spamd">spamd(8)</a>,
-         <a href="https://man.openbsd.org/spamlogd">spamlogd(8)</a>,
+     <a href="https://man.openbsd.org/sensorsd">sensorsd(8)</a>,
-         <a href="https://man.openbsd.org/spamd">spamd(8)</a>,
+     <a href="https://man.openbsd.org/snmpd">snmpd(8)</a>,
-         <a href="https://man.openbsd.org/sensorsd">sensorsd(8)</a>,
+     <a href="https://man.openbsd.org/htpasswd">htpasswd(1)</a>,
-         <a href="https://man.openbsd.org/snmpd">snmpd(8)</a>,
+     <a href="https://man.openbsd.org/ifstated">ifstated(8)</a>.
-         <a href="https://man.openbsd.org/htpasswd">htpasswd(1)</a>,
+     Some <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
-         <a href="https://man.openbsd.org/ifstated">ifstated(8)</a>.
+     changes were required to accommodate unveil.
-         Some <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
+   <li>ROP mitigations in <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
-         changes were required to accommodate unveil.
+     have been improved, resulting in a significant decrease in the number
-           <li>ROP mitigations in <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
+     of polymorphic ROP gadgets in binaries on i386/amd64.
-                   have been improved, resulting in a significant decrease in the number
+   <li>RETGUARD performance and security has been improved in
-                   of polymorphic ROP gadgets in binaries on i386/amd64.
+     <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
-           <li>RETGUARD performance and security has been improved in
+     by keeping data on registers instead of on the stack when possible,
-                   <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
+     and lengthing the epilogue trapsled on amd64 to consume the rest
-                   by keeping data on registers instead of on the stack when possible,
+     of the cache line before the return.
-                   and lengthing the epilogue trapsled on amd64 to consume the rest
+   <li>RETGUARD replaces the stack protector on amd64 and arm64,
-                   of the cache line before the return.
+     since RETGUARD instruments every function that returns and provides
-           <li>RETGUARD replaces the stack protector on amd64 and arm64,
+     better security properties than the traditional stack protector.
-                   since RETGUARD instruments every function that returns and provides
-                   better security properties than the traditional stack protector.
    </ul>
  <p>