===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/66.html,v
retrieving revision 1.27
retrieving revision 1.28
diff -c -r1.27 -r1.28
*** www/66.html 2019/09/30 12:53:10 1.27
--- www/66.html 2019/09/30 12:58:14 1.28
***************
*** 382,396 ****
Security improvements:
- unveil(2) is
! now used in 77 userland programs to restrict filesystem
! access.
- Various changes
in unveil(2)
to improve application behavior when encountering hidden
filesystem paths.
!
- ps(1) can now show
! which processes have called unveil(2) to run with a restricted
! filesystem view.
- Further and improved mitigations against Spectre side-channel
vulnerability in Intel CPUs built since 2012.
- Mitigations for Intel's Microarchitectural Data Sampling
--- 382,398 ----
- Security improvements:
- unveil(2) is
! now used in 77 userland programs to redact filesystem access.
- Various changes
in unveil(2)
to improve application behavior when encountering hidden
filesystem paths.
!
- ps(1) can show which
! processes have called unveil(2)
! with the u and U flags in STATE field.
!
- ps(1) can show the list
! of pledge(2) options
! processes use with the -o pledge option.
- Further and improved mitigations against Spectre side-channel
vulnerability in Intel CPUs built since 2012.
- Mitigations for Intel's Microarchitectural Data Sampling
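Review bot: "redact filesystem access" in the reworded unveil(2) item uses the wrong verb; the text being replaced said "restrict filesystem access", which matches the "restricted filesystem view" wording of the old ps(1) item, so keep "restrict". In the new ps(1) item, "have called unveil(2) with the u and U flags in STATE field" reads as though u and U were arguments passed to unveil(2), and it never says how u differs from U. Suggest "ps(1) shows u or U in the STATE field for processes that have called unveil(2)", followed by a few words on what each letter means. The pledge(2) item is clear as written.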
***************
*** 403,411 ****
- Rewrote doas(1)
environment inheritance not to inherit, and instead reset to the
target user's values by default.
!
- Make
the amd64 BIOS
! bootloader load a kernel at a random virtual address.
- Introduced
malloc_conceal(3)
and calloc_conceal(3),
--- 405,413 ----
- Rewrote doas(1)
environment inheritance not to inherit, and instead reset to the
target user's values by default.
!
- Prepare
the amd64 BIOS
! bootloader for loading the kernel at a random virtual address (future work).
- Introduced
malloc_conceal(3)
and calloc_conceal(3),
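Review bot: the reworded bootloader item ("Prepare ... for loading the kernel at a random virtual address (future work)") no longer describes a protection that is active in this release, yet it sits between the doas(1) and malloc_conceal(3) entries, which are written as shipped changes. A reader skimming the list can still come away believing the amd64 BIOS bootloader randomizes the kernel load address. Suggest saying outright that random-address loading is not yet enabled, or holding the entry back until it is. The trailing "(future work)" is also ambiguous about whether it qualifies the preparation or the random loading; fold it into the sentence instead of leaving it as a parenthetical.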