version 1.88, 2023/10/15 04:19:24 |
version 1.89, 2023/10/15 10:45:56 |
|
|
feature it helps enforcing control flow integrity by making sure |
feature it helps enforcing control flow integrity by making sure |
malicious code cannot manipulate a function's return address. |
malicious code cannot manipulate a function's return address. |
</ul> |
</ul> |
|
<p>Together with retguard these features protect against ROP attacks.</p> |
Together with retguard these features protect against ROP attacks. |
<p>Compiler defaults for base clang, ports clang and ports gcc (as well |
|
|
Compiler defaults for base clang, ports clang and ports gcc (as well |
|
as some other non-C language family compilers in ports) have been |
as some other non-C language family compilers in ports) have been |
changed to enable these features by default. As a result the vast |
changed to enable these features by default. As a result the vast |
majority of programs on OpenBSD (and all programs in the base system) |
majority of programs on OpenBSD (and all programs in the base system) |
run with these security features enabled. |
run with these security features enabled.</p> |
|
<p><br>Further security enhancements in this release are:</p> |
<ul> |
<ul> |
<li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
<li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
chunk sizes to be fine grained: chunk sizes are closer to the |
chunk sizes to be fine grained: chunk sizes are closer to the |
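Review bot: in the line "<p><br>Further security enhancements in this release are:</p>", the <br> is used only as a vertical spacer inside the paragraph. Spacing between this paragraph and the one above it is better left to the stylesheet, so I would drop the <br> and keep "<p>Further security enhancements in this release are:</p>". While this block is being touched, the context line "it helps enforcing control flow integrity" should read "it helps enforce control flow integrity".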
|
|
administrators can now remove most users from the excessively |
administrators can now remove most users from the excessively |
powerful <code>operator</code> group, which in particular |
powerful <code>operator</code> group, which in particular |
provides read access to disk device nodes. |
provides read access to disk device nodes. |
<li>Restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a> |
<li>Using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>, |
to the current directory including subdirectories, TMPDIR, |
restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a> |
and file names given on the command line using |
filesystem access to the current directory including subdirectories, |
<a href="https://man.openbsd.org/unveil.2">unveil(2)</a>. |
TMPDIR, and file names given on the command line. |
<li>In <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>, consistently |
<li>In <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>, consistently |
escape control characters when displaying file name completions, |
escape control characters when displaying file name completions, |
even when there are multiple matches. |
even when there are multiple matches. |
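Review bot: in the reworded patch(1) item, TMPDIR is left as bare text in "TMPDIR, and file names given on the command line.", while the item just above marks up a literal name as <code>operator</code>. Suggest <code>TMPDIR</code> so that environment variable names and group names are presented the same way within this list.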