===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.58
retrieving revision 1.59
diff -c -r1.58 -r1.59
*** www/74.html 2023/10/14 11:46:50 1.58
--- www/74.html 2023/10/14 12:54:13 1.59
***************
*** 222,227 ****
--- 222,229 ----
a random offset less than the step value. This can be used to avoid
thundering herd problems where multiple machines contact a server all
at the same time via cron jobs.
+
In wsconsctl(8),
+ add button mappings for two- and three-finger clicks on clickpads.
Various bugfixes and tweaks in userland:
***************
*** 312,317 ****
--- 314,333 ----
always uses the current media type provided by the kernel.
Ensure fdisk(8) handles
the case where a GPT partition name is not a valid C string.
+ When creating new crypto volumes with
+ bioctl(8),
+ by default use a hardware based number of KDF rounds for passphrases.
+ Let bioctl(8)
+ gracefully prompt again during interactive creation and
+ passphrase change on CRYPTO and 1C volumes.
+ Let bioctl(8)
+ read passphrases without prompts or confirmation
+ in -s
mode.
+ Allow the atactl(8)
+ command readattr
+ to succeed even for disks where ATA_SMART_READ
and
+ ATA_SMART_THRESHOLD
revisions mismatch, as long as
+ checksums are OK.
In ld.so(1),
avoid an overflow in the ELF SYSV ABI hash function.
Make sure modf(3) and
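Review bot: the three bioctl(8) entries added here leave the user-visible behaviour underspecified. "by default use a hardware based number of KDF rounds" does not say what the rounds are derived from or that an explicit count can still be given, and "in -s mode" does not say where the passphrase is read from once the prompts are gone. A short clause on each would help readers who script volume creation. "hardware based" should also be hyphenated.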
***************
*** 489,494 ****
--- 505,516 ----
requested allocation size.
In malloc(3),
check all chunks in the delayed free list for write-after-free.
+ The shutdown(8)
+ program can now only be executed by members of the
+ _shutdown
group. The idea is that system
+ administrators can now remove most users from the excessively
+ powerful operator
group, which in particular
+ provides read access to disk device nodes.
Restrict patch(1)
to the current directory including subdirectories, TMPDIR,
and file names given on the command line using
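Review bot: the new shutdown(8) entry states the restriction but not its consequence on upgrade. As worded, "can now only be executed by members of the _shutdown group" means accounts that relied on operator membership to run shutdown must be added to _shutdown first. Say so explicitly, so that administrators adjust group membership before removing users from operator.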
***************
*** 554,570 ****
- IPsec support was improved:
- - In isakmpd(8),
- avoid a double free in ec_init() when using the OpenSSL API.
- In iked(8),
! do not treat the return value of
i2d_ECDSA_SIG(3) as a length as it can be negative.
!
- Prepare isakmpd(8)
! for a libcrypto library that is lacking binary field support.
- In isakmpd(8),
! avoid a potential crash by adding a missing NULL check.
!
- In bgpd(8),
--- 576,617 ----
- IPsec support was improved:
- In iked(8),
! support route-based
! sec(4) tunnels.
!
- In iked(8),
! add support to verify X.509 chain from CERT payloads.
!
- In iked(8),
! do not leak memory when receiving a CERT payload for pubkey auth
! or for an invalid CERT Encoding.
!
- In iked(8),
! do not leak a file descriptor if
! open_memstream(3) fails while trying to enable a child SA.
!
- While trying to verify an ECDSA signature in
! iked(8),
! correctly detect failure of DER encoding with
i2d_ECDSA_SIG(3).
!
- In ipsecctl(8),
! support route-based IPSec VPN negotiation with
! sec(4).
- In isakmpd(8),
! support configuring interface SAs for route-based IPSec VPNs.
!
- In isakmpd(8)
! quick mode, do not crash with a
NULL
pointer
! access when a group description is specified but it is invalid,
! unsupported, or memory allocation or key generation fails.
! - In isakmpd(8),
! avoid a double free in the unlikely event that
! EC_KEY_check_key(3) fails right after generating
! a new key pair.
!
- Allow building
! isakmpd(8)
! with a libcrypto library that has
! binary field support ("GF2m") removed.
- In bgpd(8),
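Review bot: the protocol name is spelled inconsistently in the new text. The list heading uses "IPsec", while the ipsecctl(8) and isakmpd(8) entries say "route-based IPSec VPN"; use "IPsec" throughout. In the iked(8) entry, "add support to verify X.509 chain from CERT payloads" needs an article or a plural ("the X.509 chain" or "X.509 chains").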
***************
*** 683,689 ****
found with ndp -d
.
- Improved error handling in the asr resolver.
!
- In unwind(8), handle SERVFAIL results on name resolution better.
- In the router advertisement daemon rad(8), update the default
timers for prefix preferred and valid lifetimes to use the values from
RFC 9096.
--- 730,740 ----
found with
ndp -d
.
- Improved error handling in the asr resolver.
!
- In unwind(8),
! handle SERVFAIL results on name resolution better.
!
- In unwind(8),
! fix a use-after-free bug triggered by fatal write errors
! while sending TCP responses.
- In the router advertisement daemon rad(8), update the default
timers for prefix preferred and valid lifetimes to use the values from
RFC 9096.
***************
*** 692,701 ****
- In ypldap(8), make ypldap more resilient when some servers are
misbehaving: keep trying LDAP servers until we get full results from
one, rather than just until one accepts the TCP connection.
!
- Add support for wireguard (wg(4)) peer descriptions, which can
! now be added with ifconfig(8).
!
- The ifconfig(8) option
tcprecvoffload
has been
! renamed tcplro
. It is shorter and more consistent.
- Make the
tlsv1.0
and tlsv1.1
options
in relayd(8) do nothing, as one should use the default tlsv1.2
instead.
--- 743,762 ----
- In ypldap(8), make ypldap more resilient when some servers are
misbehaving: keep trying LDAP servers until we get full results from
one, rather than just until one accepts the TCP connection.
!
- In ifconfig(8),
! display separate
! hwfeatures
! for TCP segmentation offload (TSOv4, TSOv6)
! and TCP large receive offload (LRO) and provide a
! -tcplro
! parameter to disable LRO.
!
- New wgdescription parameter to
! ifconfig(8)
! to set a string describing the
! wg(4) peer.
!
- Let ifconfig(8)
! prefix the interface name to many error and warning messages.
- Make the
tlsv1.0
and tlsv1.1
options
in relayd(8) do nothing, as one should use the default tlsv1.2
instead.
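Review bot: the rewritten ifconfig(8) entries drop the statement that tcprecvoffload was renamed to tcplro; the new text only introduces "-tcplro" as a way to disable LRO. A reader who still uses the old option name would not learn from this page that it changed, so keep a clause noting the rename alongside the new hwfeatures description. "New wgdescription parameter to ifconfig(8) to set a string" is also a sentence fragment, unlike the neighbouring entries; "Add a wgdescription parameter to ..." would match them.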