=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/71.html,v retrieving revision 1.21 retrieving revision 1.22 diff -c -r1.21 -r1.22 *** www/71.html 2022/04/10 20:27:20 1.21 --- www/71.html 2022/04/10 21:41:20 1.22 *************** *** 193,198 **** --- 193,200 ----

Fix hibernate on newer hardware by allowing more memory ranges.

If CPU sleep state S4 is not available, use S5 for the ACPI-transitions in hibernate support.

Added code to update hw.power whenever AC state changes on resume. +

Fixed a panic by prohibiting renames of tmpfs mount-points. +

Fixed double free after allocation failure in bpf(4). *************** *** 326,332 **** href="https://man.openbsd.org/gzip.1">gzip(1) and gunzip(1) to retain (de)compressed file. !

Various bugfixes and tweaks in userland: --- 328,335 ---- href="https://man.openbsd.org/gzip.1">gzip(1) and gunzip(1) to retain (de)compressed file. !

Implemented openrsync(1) --compare-dest, allowing specification of additional directories to check for files to be available. !

Implemented openrsync(1) --max-size and --min-size.

Various bugfixes and tweaks in userland: *************** *** 370,376 **** command to print sequences of numbers. !

Set cpuspeed to 0 in apm(8) when hw.cpuspeed cannot be retrieved.

Copied the cos(3) cosine software implementation from FreeBSD-13, and disabled assembly --- 373,381 ---- command to print sequences of numbers. !

Set cpuspeed to 0 in apm(8) when hw.cpuspeed ! cannot be retrieved.

Copied the cos(3) cosine software implementation from FreeBSD-13, and disabled assembly *************** *** 571,576 **** --- 576,584 ---- href="https://man.openbsd.org/ixl.4">ixl(4).

Prevented a possible deadlock in cad(4). +

Prevented aq(4) nics + from writing to mbufs taken off the ring when the interface was taken + down.

Fixed receive filter handling in aq(4).

Enable vlan promisc, header stripping and vlan RX/TX offload on *************** *** 584,589 **** --- 592,601 ---- errors seen on rockpro64.

Fixed ure(4) vlan transmission with hw tagging. +

Reworked ix(4) + checksum/vlan offloading and enabled it for IPv6. +

Enabled IP header checksum offloading in ix(4).

Added or improved wireless network drivers: *************** *** 694,746 ****

Fixed pfctl(8) $nr incorrect macro expansion.

Fixed pfctl(8) rdr-to rules failing on certain port ranges when explicitly specified.

Ensured the pf(4) "set prio" values are checked consistently. -

Added support for PPP IPCP extensions for DNS to sppp(4). -

Added display of DNS information from sppp(4) to ifconfig(8). -

Switched to calculating pppoe(4) session duration using system uptime rather than UTC.

Made "set skip on ..." in pf.conf(5) dynamic, with this, "set skip" can be used on interfaces that are not configured yet. !

Fixed veb(4) vport handling to prevent improper drop of packets leaving a vport interface. !

Reworked ix(4) checksum/vlan offloading and enabled it for IPv6. !

Enabled IP header checksum offloading in ix(4). !

Prevented tweaks to tun(4) if_flags when the NET_LOCK isn't held. !

Prevented reopening of tun(4)/tap(4) interfaces which are being destroyed.

Rewrote vxlan(4) to operate independently of bridge(4), create and bind udp sockets and prevent loops. !

Stopped hiding the mtu on "bridge" interfaces which do handle l3 traffic in ifconfig(8). !

Protected pfsync(4) tdb flags and lists with a mutex to prevent crashes involving pfsync, IPsec and parallel forwarding. !

Added mbuf tags to prevent output loops in etherip(4). !

Added rtable capability to login.conf(5), allowing to specify the rtable a process uses. !

Made su(1) honor the login class routing table when doing a full login with su -l. !

Prevented aq(4) nics from writing to mbufs taken off the ring when the interface was taken down. !

Fix crash in IPSec while doing parallel IP forwarding. !

Fix IP output routines on raw sockets so route sourceaddr can take effect using sendto(2) or similar. !

Ensured pcap_lookupdev(3) matches only on complete interface names.

Installer and upgrade improvements:

Corrected installer to use "inet autoconf" properly for hostname.if(5) files. !
Stopped prompting whether to fall back to HTTP in the installer, making the fallback automatic.
Used ifconfig(8) "join" command by default in hostname.if(5) files, replacing the old "nwid". !
Documented install.site(5), ! OpenBSD installation and upgrade customization.
Corrected "!" escape handling in the installer when accepting WEP/WPA passphrase. -
Made config(8) -e work with ramdisk kernels. -
Made config(8) -c - cmdfile use lines from the command file for all input, not just - commands. This allows complex actions like changing device parameters.
Prevented a potential race which could make umount(8) fail spuriously in the installer.
Returned to a shell-script based fw_update(8), written to be usable by the install script, allowing earlier retrieval of --- 706,792 ----
Fixed pfctl(8) $nr incorrect macro expansion.
Fixed pfctl(8) rdr-to rules failing on certain port ranges when explicitly specified.
Ensured the pf(4) "set prio" values are checked consistently.
Made "set skip on ..." in pf.conf(5) dynamic, with this, "set skip" can be used on interfaces that are not configured yet. !
Protected pfsync(4) tdb flags and ! lists with a mutex to prevent crashes involving pfsync, IPsec and ! parallel forwarding. ! !
Added support for PPP IPCP extensions for DNS to sppp(4). !
Added display of DNS information from sppp(4) to ifconfig(8). !
Switched to calculating pppoe(4) session duration ! using system uptime rather than UTC. ! !
Fixed veb(4) vport ! handling to prevent improper drop of packets leaving a vport ! interface. !
Prevented tweaks to tun(4) if_flags when the ! NET_LOCK isn't held. !
Prevented reopening of tun(4)/tap(4) interfaces which are ! being destroyed.
Rewrote vxlan(4) to operate independently of bridge(4), create and bind udp sockets and prevent loops. !
Stopped hiding the mtu on "bridge" interfaces which do handle l3 ! traffic in ifconfig(8). !
Added mbuf tags to prevent output loops in etherip(4). !
Added rtable capability to login.conf(5), ! allowing to specify the rtable a process uses. !
Made su(1) honor the ! login class routing table when doing a full login with su -l. !
Fix IP output routines on raw sockets so route sourceaddr can ! take effect using sendto(2) or similar. !
Ensured pcap_lookupdev(3) ! matches only on complete interface names.

Installer and upgrade improvements:

Corrected installer to understand "inet autoconf" properly in hostname.if(5) files. !
Stopped prompting whether to fall back to HTTP in the installer, ! making the fallback automatic.
Used ifconfig(8) "join" command by default in hostname.if(5) files, replacing the old "nwid". !
Replace custom bootloader installation code with installboot(8) on ! riscv64 and armv7 architecture installations. !
New logic for pkg_add(1) to avoid ! excessive moving of files during updates when possible. !
Documented OpenBSD installation and upgrade customization using the install.site(5) file.
Corrected "!" escape handling in the installer when accepting WEP/WPA passphrase.
Prevented a potential race which could make umount(8) fail spuriously in the installer. +
Made config(8) -e + work with ramdisk kernels. +
Made config(8) -c + cmdfile use lines from the command file for all input, not just + commands. This allows complex actions like changing device parameters. +
Ensured that an interrupted arm64 install from the ramdisk kernel + can be restarted. + +
Returned to a shell-script based fw_update(8), written to be usable by the install script, allowing earlier retrieval of *************** *** 752,784 ****
Modified the installer to use fw_update(8) to install non-free firmware files if present on the install media. !
Made fw_update(8) re-download existing files with failed checksums. !
Stopped unregistering firmware with fw_update(8) when the SHA256.sig cannot be fetched. !
Made fw_update(8) use the /snapshots directory only on -current. !
Used installboot(8) in riscv64 install.md. !
Used installboot(8) in install.md for armv7. !
New logic for pkg_add(1) to avoid excessive moving of files during updates when possible. !
Ensured that an interrupted arm64 install from the ramdisk kernel can be restarted. !

Security improvements:

Cleared length of keys in vnconfig(8) alongside keys themselves.
Removed hifn(4), safe(4) and ubsec(4) crypto drivers. -
Fixed double free after allocation failure in bpf(4).
Added call to unveil(2) to restrict stty(1) -f filesystem access. -
Fixed a panic by prohibiting renames of tmpfs mount-points. -
Fixed vi(1) use after free with unsaved buffer.
Disabled xterm(1) mouse tracking by default. !
On arm64 architectures, used "rng-seed" and "kaslr-seed" properties from the device tree to mix extra entropy into the random pool.
Made apmd(8) replace /etc/random.seed for hibernate-resumes.
Restricted usbhidctl(1) and usbhidaction(1) file system access with unveil(2). -
Updated libexpat to 2.4.4, fixing CVE-2022-23852 and CVE-2022-23990.
Added ps(1) status flag "c" to indicate a process is chrooted.
In rpc.rusersd(8) Modified the installer to use fw_update(8) to install non-free firmware files if present on the install media. !
Made fw_update(8) ! re-download existing files with failed checksums. !
Stopped unregistering firmware with fw_update(8) when the ! SHA256.sig cannot be fetched. !
Made fw_update(8) use the ! /snapshots directory only on -current snapshot installations.

Security improvements:

Clear the length of keys in vnconfig(8) alongside keys themselves.
Removed hifn(4), safe(4) and ubsec(4) crypto drivers.
Added call to unveil(2) to restrict stty(1) -f filesystem access.
Disabled xterm(1) mouse tracking by default. !
On arm64 architectures, use "rng-seed" and "kaslr-seed" properties from the device tree to mix extra entropy into the random pool.
Made apmd(8) replace /etc/random.seed for hibernate-resumes.
Restricted usbhidctl(1) and usbhidaction(1) file system access with unveil(2).
Added ps(1) status flag "c" to indicate a process is chrooted.
In rpc.rusersd(8) Routing daemons and other userland network improvements:
- Implemented openrsync(1) --compare-dest, allowing specification of additional directories to check for files to be available. -
- Implemented openrsync(1) --max-size and --min-size. -
- Limited the number of openrsync(1) processes being spawned by rpki-client(8) to 16. - -
- Switched nsd(8) to enable default DNS cookies on, matching behavior as released in OpenBSD 7.0.
- Ensured enabled resolvers are honored by unwind(8) to keep unused forwarders disabled properly.
- Installed missing scope identifiers for IPv6 link-local addresses for unwind(8) and resolvd(8).
- Allowed interface names as scope-id in IPv6 link-local addresses in unbound(8).
- Let unwind(8) probe for DNS64 presence with an absolute name, so asr doesn't add search domains and retry. - - -
- Fixed httpd(8) to respond with 400 Bad Request when a client sends header lines without a colon. -
- Added protocol version checking to httpd(8). -
- Fixed crashes in httpd(8). -
- Annotated an httpd(8) 413 error with "request body too large" in the error log. -
- Corrected httpd(8) version string checking, responding with 505 Version Not Supported rather than 400 Bad Request when the version format is incorrect.
- Stopped duplicating "Connection: close" headers in relayd(8), only adding it if it's not a websocket response. -
- In httpd(8), stopped sending content alongside responses to HEAD requests. -
- Added httpd(8) custom error page facility. -
- Added a gzip-static option to httpd.conf(5), allowing delivery of precompressed files with content-encoding gzip. -
- Improved handling of static compressed gzip files in httpd(8). - - - -
- Made iked.conf(5) proto config option accept a list to allow specifying multiple protocols for a single policy. -
- Fixed broken key exchange negotiation with matching proposals in iked(8). -
- Added ikectl(8) "show certinfo" to show trusted CAs and certificates. -
- Added iked(8) -V to display the version. -
- Fixed removal of SAs that could not be flushed with ipsecctl(8) -F. -
- Fixed a bug where iked(8) sent zero-prefixed NAT-T messages on port 500, causing parsing errors. -
- Changed isakmpd(8) to log a warning when proto is NULL rather than dereferencing it. -
- Improved message fragment retransmissions for iked(8). -
- Make sure iked(8) vroute messages are correctly aligned, fixes autoconfiguration of addresses on octeon. - - - -
- Limited rpki-client(8) HTTP requests to 2GB of data. -
- Published rpki-client 7.5. -
- Limited the number of publication points under a given TAL in rpki-client(8). -
- Introduced a validated cache which holds all the files successfully verified by rpki-client(8). -
- Allowed rpki-client(8) to display more than one file in -f mode. -
- Allowed rsync:// URIs as files in rpki-client(8) -f mode. -
- Properly handled .mft files in rpki-client(8), preventing replay attacks using old but still valid files. -
- Enforced RFC 6384 certificate policy for RPKI in rpki-client(8). -
- Added a CRL check for manifests to rpki-client(8). -
- Capped the daemon login class datasize at either 1G or 4G depending on the architecture and set the bgpd class datasize to either 16G or 1G. -
- Made it possible to bind and connect to non-default ports in bgpd.conf(5). -
- Fixed overflow protection code in rpki-client(8). -
- Changed the way $macros are expanded in bgpd.conf(5). -
- Implemented most of CMS related checks in rpki-client(8) required by RFC 6488 section 3. - - -
- Modified syslog.conf(5) examples to use TLS rather than the plaintext protocols.
- Stopped ignoring carp(4) interfaces in dhcpleased(8).
- Made the dhcpleased(8) host name DHCP option configurable. --- 832,843 ---- *************** *** 856,861 **** --- 849,938 ----
- Added a basic printer for EAPOL packets to tcpdump(8).
- Made ping(8) print out the source address and sequence number when the signature on an icmp echo reply doesn't match.
- Rate limit rad(8) router advertisements according to RFC 4861. + + +
- httpd(8) received new features and bugfixes: +
  - Respond with 400 Bad Request when a client sends header lines without a colon. +
  - Added protocol version checking. +
  - Annotated an httpd(8) 413 error with "request body too large" in the error log. +
  - Corrected httpd(8) version string + checking, responding with 505 Version Not Supported rather than 400 + Bad Request when the version format is incorrect. +
  - Stop sending content alongside responses to HEAD requests. +
  - Added support for custom error pages. +
  - Added a gzip-static option to httpd.conf(5), + allowing delivery of precompressed files with content-encoding gzip. +
  - Improved handling of static compressed gzip files. +
  + + + +
- IPSEC support was improved: +
  - Made iked.conf(5) proto config option accept a list to allow specifying multiple protocols for a single policy. +
  - Fixed removal of SAs that could not be flushed with ipsecctl(8) -F. +
  - Changed isakmpd(8) to log a warning when proto is NULL rather than dereferencing it. +
  - Fixed broken key exchange negotiation with matching proposals in iked(8). +
  - Added ikectl(8) "show certinfo" to show trusted CAs and certificates. +
  - Added iked(8) -V to display the version. +
  - Fixed a bug where iked(8) sent zero-prefixed NAT-T messages on port 500, causing parsing errors. +
  - Improved message fragment retransmissions for iked(8). +
  - Make sure iked(8) vroute messages are correctly aligned, fixes autoconfiguration of addresses on octeon. +
  + +
- rpki-client(8) was + made more resilient regarding untrusted input. Additionally the + following bugfixes and improvements were made: +
  - Added support for validating BGPsec Router Public Keys. +
  - Fix issues with chunked transfer encoding in the RRDP HTTP client. +
  - Cleanup and improvement of how IO is handled. +
  - Improvements in the way X509 certificates are verified. +
  - Make rpki-client +
  - Limit the number of concurrent rsync processes. +
  - Fix CRLF in tal files. +
  - Enforce the correct namespace of rrdp files. +
  - Fail certificate verification if a certificate contains unknown + critical extensions. +
  - Improve cleanup of rrdp directory contents. +
  - Introduce a validated cache which holds all the files that have + successfully been verified by rpki-client. +
  - Add a new option '-f ' to validate a signed object in a file + against the RPKI cache. +
  - Add various RFC 6488 compliance checks to improve the CMS parser. +
  - Improve RRDP replication through less aggressive cache cleanup. +
  - Add a check whether a given Manifest EE certificate is listed on the + applicable CRL. +
  - For forward compatibility permit ASPA object to appear on Manifests. +
  - Various improvements to the '-f ' diagnostic option to + now also validate files containing Trust Anchor certs and CRLs. +
  - Do not apply timezone offsets when converting X509 times. X509 + times are in UTC and comparing them to times in different timezones + would cause validity problems. +
  - Limited the number of openrsync(1) processes + being spawned by rpki-client(8) to 16. +
  + +
- In bgpd(8), +
  - macro expansion in the config file was improved. It is now possible + to expand 'set large-community $myAS:$location:$transit'. +
  - tThe RIB codebase was refactored in order to add multipath + support in an upcoming release. +
  - the bgpd login + class datasize attribute (in login.conf(5)) was set + to either 16G or 1G, depending on architecture. +
  - added a "listen on" parameter in in bgpd.conf(5) to make it + possible to bind and connect to non-default ports. +
tmux(1) improvements and bug fixes: