===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v
retrieving revision 1.45
retrieving revision 1.46
diff -c -r1.45 -r1.46
*** www/73.html 2023/04/07 01:08:06 1.45
--- www/73.html 2023/04/07 06:58:29 1.46
***************
*** 180,190 ****
- Updated drm(4)
to Linux 6.1.15
!
- amdgpu(4):
support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino",
Ryzen 7045 series "Dragon Range",
Radeon RX 7900 XT/XTX "Navi 31",
! Radeon RX 7600M (XT), 7700S, 7600S "Navi 33"
- Fixed frame buffer corruption and additional bugs after wakeup
on Apple Silicon laptops and the Lenovo x13s.
- Added support for the backlight connector property to
- Updated drm(4)
to Linux 6.1.15
!
- amdgpu(4): Added
support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino",
Ryzen 7045 series "Dragon Range",
Radeon RX 7900 XT/XTX "Navi 31",
! Radeon RX 7600M (XT), 7700S, and 7600S "Navi 33."
- Fixed frame buffer corruption and additional bugs after wakeup
on Apple Silicon laptops and the Lenovo x13s.
- Added support for the backlight connector property to lastcomm(1) reporting
for process kills due to execve(2) from non-pinned
! syscall address
Various bugfixes and tweaks in userland:
--- 259,265 ----
href="https://man.openbsd.org/lastcomm.1">lastcomm(1) reporting
for process kills due to execve(2) from non-pinned
! syscall address.
Various bugfixes and tweaks in userland:
***************
*** 336,342 ****
Extended disklabel(8) template
parsing to allow "[mount point] *" as the specification for putting
! the maximum available free space into a partition, and extended
command line parsing to allow "T-" as the specification to read the
template from stdin.
Repaired Extended disklabel(8) template
parsing to allow "[mount point] *" as the specification for putting
! the maximum available free space into a partition. Extended
command line parsing to allow "T-" as the specification to read the
template from stdin.
Repaired
Made aplhidev(4) recognize M1
! laptops with touchbars and Translated Fn+(1-10,-,=) keys to F1-F12 on
these systems.
Added suspend/resume support to aplns(4).
--- 462,468 ----
Made aplhidev(4) recognize M1
! laptops with touchbars and translated Fn+(1-10,-,=) keys to F1-F12 on
these systems.
Added suspend/resume support to aplns(4).
***************
*** 701,714 ****
softraid(4) chunks.
Made efiboot fdt support device trees with NOPs in them (like the kernel version).
Improved the default choice for the installer's install media
! disk question to show the first disk (a) not the root disk and (b) not
! a disk with softraid chunks (hosting the root disk, for example).
Stopped offering WEP in the installer if not supported.
Fixed lock file error on installer exit/abort.
Made installboot(8) -p
support softraid(4).
Made installboot(8) silently skip
! softraid(4). keydisks.
Fixed passing explicit stages files to
installboot(8).
--- 701,714 ----
softraid(4) chunks.
Made efiboot fdt support device trees with NOPs in them (like the kernel version).
Improved the default choice for the installer's install media
! disk question to show the first disk that (a) is not the root disk and (b)
! is not a disk with softraid chunks (hosting the root disk, for example).
Stopped offering WEP in the installer if not supported.
Fixed lock file error on installer exit/abort.
Made installboot(8) -p
support softraid(4).
Made installboot(8) silently skip
! softraid(4) keydisks.
Fixed passing explicit stages files to
installboot(8).
***************
*** 734,740 ****
makes sense for the bootloader to control it.
Added "machine poweroff" command on luna88k bootloader.
Switched alpha to machine-independent boot blocks.
! Switched all architectures (except alpha and luna88k) ramdisks to use
installboot(8) -p.
Fixed ofwboot OpenFirmware map call to unbreak boot on some machines.
Reduced ofwboot.net size after libz update to unbreak netboot on some machines.
--- 734,740 ----
makes sense for the bootloader to control it.
Added "machine poweroff" command on luna88k bootloader.
Switched alpha to machine-independent boot blocks.
! Switched all architectures' ramdisks (except alpha's and luna88k's) to use
installboot(8) -p.
Fixed ofwboot OpenFirmware map call to unbreak boot on some machines.
Reduced ofwboot.net size after libz update to unbreak netboot on some machines.
***************
*** 747,753 ****
Security improvements:
! - Permissions (RWX, MAP_STACK, etc) on address space regions can
be made immutable,
so that mmap(2), mprotect(2) or Security improvements:
! - Permissions (RWX, MAP_STACK, etc.) on address space regions can
be made immutable,
so that mmap(2), mprotect(2) or linker (ld.lld(1)) option
--execute-only is enabled by default. In order of development: arm64,
! riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon. sparc64
! (sun4u only, unfinished).
- On all architectures which lack hardware-enforcement of xonly,
system calls are now prevented from reading (via copyin(9)/copyinst)
inside the program's main text, ld.so text, sigtramp text, or libc.so
text.
!
- can still benefit from switching to --execute-only binaries if the
cpu generates different traps for instruction-fetch versus data-fetch.
The VM system will not allow memory to be read before it was executed
which is valuable together with library relinking. Architectures
--- 765,778 ----
userland code had to be repaired to allow this. The linker (ld.lld(1)) option
--execute-only is enabled by default. In order of development: arm64,
! riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64
! (sun4u only; unfinished).
- On all architectures which lack hardware-enforcement of xonly,
system calls are now prevented from reading (via copyin(9)/copyinst)
inside the program's main text, ld.so text, sigtramp text, or libc.so
text.
!
- These can still benefit from switching to --execute-only binaries if the
cpu generates different traps for instruction-fetch versus data-fetch.
The VM system will not allow memory to be read before it was executed
which is valuable together with library relinking. Architectures
***************
*** 797,803 ****
front of copyin(9) and
copyinstr(9) ensures
the userland source address doesn't overlap the main program text and
! other text segments, thereby making this address ranges unreadable to
the kernel. No programs have been discovered which require reading
their own text segments with a system call.
- On arm64, introduce mitigation of the Spectre-BHB (Branch
--- 797,803 ----
front of copyin(9) and
copyinstr(9) ensures
the userland source address doesn't overlap the main program text and
! other text segments, thereby making these address ranges unreadable to
the kernel. No programs have been discovered which require reading
their own text segments with a system call.
- On arm64, introduce mitigation of the Spectre-BHB (Branch
***************
*** 830,836 ****
hardware using a stoeplitz key will hash incoming traffic on rings.
stoeplitz is also used by the TCP stack to generate a flow id, which
is used to pick which transmit ring is used on nics with multiple
! queues too. using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.
- Prevented possible kernel crashes by dropping TCP packets with
--- 830,836 ----
hardware using a stoeplitz key will hash incoming traffic on rings.
stoeplitz is also used by the TCP stack to generate a flow id, which
is used to pick which transmit ring is used on nics with multiple
! queues, too. Using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.
- Prevented possible kernel crashes by dropping TCP packets with
***************
*** 844,850 ****
- Fixed pfsync(4)
crashing on pf_state_key removal.
- Fixed a panic in pfsync(4) when there are
no data ready for bulk transfer.
- Turned off TCP Segmentation Offload (TSO) if interface is added
to layer 2 devices.
--- 844,850 ----
- Fixed pfsync(4)
crashing on pf_state_key removal.
- Fixed a panic in pfsync(4) when there is
no data ready for bulk transfer.
- Turned off TCP Segmentation Offload (TSO) if interface is added
to layer 2 devices.
***************
*** 852,858 ****
to work better in busy conditions.
- Added a bpf(4) timeout
(BIOCSWTIMEOUT) between capturing a packet and making the buffer
! readable, preventing for example pflogd(8) waking every
half second even if there is nothing to read. By default this buffer
is infinite and must be filled to become readable.
--- 852,858 ----
to work better in busy conditions.
- Added a bpf(4) timeout
(BIOCSWTIMEOUT) between capturing a packet and making the buffer
! readable, preventing, for example, pflogd(8) waking every
half second even if there is nothing to read. By default this buffer
is infinite and must be filled to become readable.
***************
*** 867,873 ****
support for configuring multiple name servers.
- Synced proc.c from vmd(8) to iked(8) to enabled fork +
exec for all processes. This gives each process a fresh and unique
address space to further improve randomization of ASLR and stack
protector.
--- 867,873 ----
support for configuring multiple name servers.
- Synced proc.c from vmd(8) to iked(8) to enable fork +
exec for all processes. This gives each process a fresh and unique
address space to further improve randomization of ASLR and stack
protector.
***************
*** 876,903 ****
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)
and bgplgd(8):
! - Improved performance by optimising the output filters
- Add Autonomous System Provider Authorization (ASPA) validation
based on draft-ietf-sidrops-aspa-verification-12
- Introduce avs (ASPA validation state) filter and bgpctl
! filter argument
- Add ASPA support for the RTR protocol based on
! draft-ietf-sidrops-8210bis-10
- Improve open policy (RFC 9234) support and enable the capability
! automatically if a role is specified for the peer
!
- Introduce a per neighbor 'role' configuration option to specify
the session role used by ASPA verification and the open policy
capability. The 'announce policy' statement was simplified at
the same time.
- Improve startup behaviour by introducing a small delay before
! opening the connection to a new peer
- Support for aspa-set table config which can be provided by
rpki-client(8)
- Make it possible to filter the RIB by invalid and leaked prefixes
! in bgpctl and bgplgd
- Add OpenMetrics output to bgpctl for various BGP statistics and
! add /metrics endpoint to bgplgd
- Fix of incorrect length checks that allowed an out-of-bounds
read in bgpd.
--- 876,903 ----
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)
and bgplgd(8):
! - Improved performance by optimising the output filters.
- Add Autonomous System Provider Authorization (ASPA) validation
based on draft-ietf-sidrops-aspa-verification-12
- Introduce avs (ASPA validation state) filter and bgpctl
! filter argument.
- Add ASPA support for the RTR protocol based on
! draft-ietf-sidrops-8210bis-10.
- Improve open policy (RFC 9234) support and enable the capability
! automatically if a role is specified for the peer.
!
- Introduce a per-neighbor 'role' configuration option to specify
the session role used by ASPA verification and the open policy
capability. The 'announce policy' statement was simplified at
the same time.
- Improve startup behaviour by introducing a small delay before
! opening the connection to a new peer.
- Support for aspa-set table config which can be provided by
rpki-client(8).
- Make it possible to filter the RIB by invalid and leaked prefixes
! in bgpctl and bgplgd.
- Add OpenMetrics output to bgpctl for various BGP statistics and
! add /metrics endpoint to bgplgd.
- Fix of incorrect length checks that allowed an out-of-bounds
read in bgpd.
***************
*** 956,962 ****
System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
configuration block.
When rpki-client is invoked with increased verbosity ('-v'), the
! current RRDP Serial & Session ID are shown to aid debugging.
Self-signed X.509 certificates (such as Trust Anchor certificates)
now are considered invalid if they contain an X.509
AuthorityInfoAccess extension.
--- 956,962 ----
System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
configuration block.
When rpki-client is invoked with increased verbosity ('-v'), the
! current RRDP Serial and Session ID are shown to aid debugging.
Self-signed X.509 certificates (such as Trust Anchor certificates)
now are considered invalid if they contain an X.509
AuthorityInfoAccess extension.
***************
*** 970,976 ****
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
considered invalid in accordance with RFC 6487 section 4.8.6.
For every X.509 certificate the SHA-1 of the Subject Public Key is
! calculated and compared to the Subject Key Identifier (SKI), if a
mismatch is found the certificate is not trusted.
Require the outside-TBS signature OID for every X.509 intermediate
CA certificate and CRL to be sha256WithRSAEncryption.
--- 970,976 ----
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
considered invalid in accordance with RFC 6487 section 4.8.6.
For every X.509 certificate the SHA-1 of the Subject Public Key is
! calculated and compared to the Subject Key Identifier (SKI). If a
mismatch is found the certificate is not trusted.
Require the outside-TBS signature OID for every X.509 intermediate
CA certificate and CRL to be sha256WithRSAEncryption.
***************
*** 981,990 ****
Require RRDP Session IDs to strictly be version 4 UUIDs.
When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the signature path towards the trust
! anchor, and the timestamp when the signature path will expire.
When decoding and validating an individual RPKI file using filemode
! (rpki-client -f file), display the optional CMS signing-time, and
! non-optional X.509 notBefore, and X.509 notAfter timestamps.
Updated zlib to 1.2.13.
--- 981,991 ----
Require RRDP Session IDs to strictly be version 4 UUIDs.
When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the signature path towards the trust
! anchor and the timestamp when the signature path will expire.
When decoding and validating an individual RPKI file using filemode
! (rpki-client -f file), display the optional CMS signing-time,
! non-optional X.509 notBefore timestamp and non-optional X.509
! notAfter timestamp.
Updated zlib to 1.2.13.
***************
*** 1020,1029 ****
href="https://man.openbsd.org/resolvd.8">resolvd(8).
Restrict the characters allowed in the hostname argument of getaddrinfo(3) to the
! set [A-z0-9-_.]. Additionally two consecutive dots ('.') are not
allowed nor can the string start with - or '.'. This removes
characters like '$', '`', '\n' or '*' that can traverse the DNS
! without problems, but have special meaning, for example a shell.
Fixed a number of out of bounds reads in DNS response parsing of
the async DNS resolver in libc.
Added resolvd(8).
Restrict the characters allowed in the hostname argument of getaddrinfo(3) to the
! set [A-z0-9-_.]. Additionally, two consecutive dots ('.') are not
allowed nor can the string start with - or '.'. This removes
characters like '$', '`', '\n' or '*' that can traverse the DNS
! without problems but have special meaning as in a shell.
Fixed a number of out of bounds reads in DNS response parsing of
the async DNS resolver in libc.
Added ifconfig(8) to when
either a wireguard interface is specified or the flag "-A" is used.
Implemented the RFC 8781 PREF64 router advertisement option in
! rad(8) which is used to o
communicate NAT64 prefixes to hosts.
Moved the documentation of flag mappings displayed by "route show" from the netstat(1) manpage to ifconfig(8) to when
either a wireguard interface is specified or the flag "-A" is used.
Implemented the RFC 8781 PREF64 router advertisement option in
! rad(8) which is used to
communicate NAT64 prefixes to hosts.
Moved the documentation of flag mappings displayed by "route show" from the netstat(1) manpage to Stop claiming connection success in UDP mode unless true.
Do not test the connection in non-interactive mode. The test
writes characters to the socket which can corrupt data that is
! possible piped into nc.
Some refactoring and code cleanup.
--- 1049,1055 ----
Stop claiming connection success in UDP mode unless true.
Do not test the connection in non-interactive mode. The test
writes characters to the socket which can corrupt data that is
! possibly piped into nc.
Some refactoring and code cleanup.
***************
*** 1234,1241 ****
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
! condition does not appear to be exploitable beyond denial-of-
! service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
--- 1235,1242 ----
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
! condition does not appear to be exploitable beyond denial-of-service
! to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is