| version 1.88, 2023/10/15 04:19:24 |
version 1.89, 2023/10/15 10:45:56 |
|
|
| feature it helps enforcing control flow integrity by making sure |
feature it helps enforcing control flow integrity by making sure |
| malicious code cannot manipulate a function's return address. |
malicious code cannot manipulate a function's return address. |
| </ul> |
</ul> |
| |
<p>Together with retguard these features protect against ROP attacks.</p> |
| Together with retguard these features protect against ROP attacks. |
<p>Compiler defaults for base clang, ports clang and ports gcc (as well |
| |
|
| Compiler defaults for base clang, ports clang and ports gcc (as well |
|
| as some other non-C language family compilers in ports) have been |
as some other non-C language family compilers in ports) have been |
| changed to enable these features by default. As a result the vast |
changed to enable these features by default. As a result the vast |
| majority of programs on OpenBSD (and all programs in the base system) |
majority of programs on OpenBSD (and all programs in the base system) |
| run with these security features enabled. |
run with these security features enabled.</p> |
| |
<p><br>Further security enhancements in this release are:</p> |
| <ul> |
<ul> |
| <li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
<li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
| chunk sizes to be fine grained: chunk sizes are closer to the |
chunk sizes to be fine grained: chunk sizes are closer to the |
|
|
| administrators can now remove most users from the excessively |
administrators can now remove most users from the excessively |
| powerful <code>operator</code> group, which in particular |
powerful <code>operator</code> group, which in particular |
| provides read access to disk device nodes. |
provides read access to disk device nodes. |
| <li>Restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a> |
<li>Using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>, |
| to the current directory including subdirectories, TMPDIR, |
restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a> |
| and file names given on the command line using |
filesystem access to the current directory including subdirectories, |
| <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>. |
TMPDIR, and file names given on the command line. |
| <li>In <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>, consistently |
<li>In <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>, consistently |
| escape control characters when displaying file name completions, |
escape control characters when displaying file name completions, |
| even when there are multiple matches. |
even when there are multiple matches. |
![[BACK]](/icons/back.gif){kind=icon}
Return to 74.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www