version 1.58, 2023/10/14 11:46:50 |
version 1.59, 2023/10/14 12:54:13 |
|
|
a random offset less than the step value. This can be used to avoid |
a random offset less than the step value. This can be used to avoid |
thundering herd problems where multiple machines contact a server all |
thundering herd problems where multiple machines contact a server all |
at the same time via cron jobs. |
at the same time via cron jobs. |
|
<li>In <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>, |
|
add button mappings for two- and three-finger clicks on clickpads. |
</ul> |
</ul> |
|
|
<li>Various bugfixes and tweaks in userland: |
<li>Various bugfixes and tweaks in userland: |
|
|
always uses the current media type provided by the kernel. |
always uses the current media type provided by the kernel. |
<li>Ensure <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> handles |
<li>Ensure <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> handles |
the case where a GPT partition name is not a valid C string. |
the case where a GPT partition name is not a valid C string. |
|
<li>When creating new crypto volumes with |
|
<a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>, |
|
by default use a hardware based number of KDF rounds for passphrases. |
|
<li>Let <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> |
|
gracefully prompt again during interactive creation and |
|
passphrase change on CRYPTO and 1C volumes. |
|
<li>Let <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> |
|
read passphrases without prompts or confirmation |
|
in <code>-s</code> mode. |
|
<li>Allow the <a href="https://man.openbsd.org/atactl.8">atactl(8)</a> |
|
command <a href="https://man.openbsd.org/atactl.8#readattr">readattr</a> |
|
to succeed even for disks where <code>ATA_SMART_READ</code> and |
|
<code>ATA_SMART_THRESHOLD</code> revisions mismatch, as long as |
|
checksums are OK. |
<li>In <a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a>, |
<li>In <a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a>, |
avoid an overflow in the ELF SYSV ABI hash function. |
avoid an overflow in the ELF SYSV ABI hash function. |
<li>Make sure <a href="https://man.openbsd.org/modf.3">modf(3)</a> and |
<li>Make sure <a href="https://man.openbsd.org/modf.3">modf(3)</a> and |
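Review bot: "hardware based" in the new bioctl(8) KDF item needs a hyphen ("hardware-based"), and the phrase does not tell the reader what the round count is derived from. This entry changes the default work factor for passphrases on newly created crypto volumes, so it is worth a few more words on how the default is now chosen, and on whether volumes created earlier are affected.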
|
|
requested allocation size. |
requested allocation size. |
<li>In <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>, |
<li>In <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>, |
check all chunks in the delayed free list for write-after-free. |
check all chunks in the delayed free list for write-after-free. |
|
<li>The <a href="https://man.openbsd.org/shutdown.8">shutdown(8)</a> |
|
program can now only be executed by members of the |
|
<code>_shutdown</code> group. The idea is that system |
|
administrators can now remove most users from the excessively |
|
powerful <code>operator</code> group, which in particular |
|
provides read access to disk device nodes. |
<li>Restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a> |
<li>Restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a> |
to the current directory including subdirectories, TMPDIR, |
to the current directory including subdirectories, TMPDIR, |
and file names given on the command line using |
and file names given on the command line using |
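Review bot: the new shutdown(8) item gives the restriction and its rationale but not the step an administrator has to take on upgrade. "can now only be executed by members of the <code>_shutdown</code> group" means accounts that are expected to run shutdown(8) must be added to <code>_shutdown</code> before they are dropped from <code>operator</code>. Suggest saying so explicitly, since the point of the entry is to get people to trim <code>operator</code> membership.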
|
|
<ul> |
<ul> |
<li>IPsec support was improved: |
<li>IPsec support was improved: |
<ul> |
<ul> |
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>, |
|
avoid a double free in ec_init() when using the OpenSSL API. |
|
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>, |
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>, |
do not treat the return value of |
support route-based |
|
<a href="https://man.openbsd.org/sec.4">sec(4)</a> tunnels. |
|
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>, |
|
add support to verify X.509 chain from CERT payloads. |
|
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>, |
|
do not leak memory when receiving a CERT payload for pubkey auth |
|
or for an invalid CERT Encoding. |
|
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>, |
|
do not leak a file descriptor if |
|
<a href="https://man.openbsd.org/open_memstream.3" |
|
>open_memstream(3)</a> fails while trying to enable a child SA. |
|
<li>While trying to verify an ECDSA signature in |
|
<a href="https://man.openbsd.org/iked.8">iked(8)</a>, |
|
correctly detect failure of DER encoding with |
<a href="https://man.openbsd.org/i2d_ECDSA_SIG.3" |
<a href="https://man.openbsd.org/i2d_ECDSA_SIG.3" |
>i2d_ECDSA_SIG(3)</a> as a length as it can be negative. |
>i2d_ECDSA_SIG(3)</a>. |
<li>Prepare <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a> |
<li>In <a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>, |
for a libcrypto library that is lacking binary field support. |
support route-based IPSec VPN negotiation with |
|
<a href="https://man.openbsd.org/sec.4">sec(4)</a>. |
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>, |
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>, |
avoid a potential crash by adding a missing NULL check. |
support configuring interface SAs for route-based IPSec VPNs. |
|
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a> |
|
quick mode, do not crash with a <code>NULL</code> pointer |
|
access when a group description is specified but it is invalid, |
|
unsupported, or memory allocation or key generation fails. |
|
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>, |
|
avoid a double free in the unlikely event that |
|
<a href="https://man.openbsd.org/EC_KEY_check_key.3" |
|
>EC_KEY_check_key(3)</a> fails right after generating |
|
a new key pair. |
|
<li>Allow building |
|
<a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a> |
|
with a libcrypto library that has |
|
<a href="https://man.openbsd.org/OpenBSD-7.3/EC_GROUP_new.3" |
|
>binary field support</a> ("GF2m") removed. |
</ul> |
</ul> |
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, |
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, |
<ul> |
<ul> |
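Review bot: the two new route-based VPN items for ipsecctl(8) and isakmpd(8) spell it "IPSec", while the list heading in the same hunk reads "IPsec support was improved". Suggest "IPsec" in both new items so the section is consistent and a search for the term finds every entry.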
|
|
found with <code>ndp -d</code>. |
found with <code>ndp -d</code>. |
<li>Improved error handling in the <a |
<li>Improved error handling in the <a |
href="https://man.openbsd.org/asr_run.3">asr</a> resolver. |
href="https://man.openbsd.org/asr_run.3">asr</a> resolver. |
<li>In unwind(8), handle SERVFAIL results on name resolution better. |
<li>In <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>, |
|
handle SERVFAIL results on name resolution better. |
|
<li>In <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>, |
|
fix a use-after-free bug triggered by fatal write errors |
|
while sending TCP responses. |
<li>In the router advertisement daemon rad(8), update the default |
<li>In the router advertisement daemon rad(8), update the default |
timers for prefix preferred and valid lifetimes to use the values from |
timers for prefix preferred and valid lifetimes to use the values from |
RFC 9096. |
RFC 9096. |
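Review bot: the unwind(8) entries are now linked to man.openbsd.org, but the rad(8) entry directly below them in the same list still has the bare text "rad(8)". Suggest linking it in the same pass so the list is uniform.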
|
|
<li>In ypldap(8), make ypldap more resilient when some servers are |
<li>In ypldap(8), make ypldap more resilient when some servers are |
misbehaving: keep trying LDAP servers until we get full results from |
misbehaving: keep trying LDAP servers until we get full results from |
one, rather than just until one accepts the TCP connection. |
one, rather than just until one accepts the TCP connection. |
<li>Add support for wireguard (wg(4)) peer descriptions, which can |
<li>In <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>, |
now be added with ifconfig(8). |
display separate |
<li>The ifconfig(8) option <code>tcprecvoffload</code> has been |
<a href="https://man.openbsd.org/ifconfig.8#hwfeatures">hwfeatures</a> |
renamed <code>tcplro</code>. It is shorter and more consistent. |
for TCP segmentation offload (TSOv4, TSOv6) |
|
and TCP large receive offload (LRO) and provide a |
|
<a href="https://man.openbsd.org/ifconfig.8#tcplro">-tcplro</a> |
|
parameter to disable LRO. |
|
<li>New <a href="https://man.openbsd.org/ifconfig.8#wgdescription" |
|
>wgdescription</a> parameter to |
|
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> |
|
to set a string describing the |
|
<a href="https://man.openbsd.org/wg.4">wg(4)</a> peer. |
|
<li>Let <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> |
|
prefix the interface name to many error and warning messages. |
<li>Make the <code>tlsv1.0</code> and <code>tlsv1.1</code> options |
<li>Make the <code>tlsv1.0</code> and <code>tlsv1.1</code> options |
in relayd(8) do nothing, as one should use the default <code>tlsv1.2</code> |
in relayd(8) do nothing, as one should use the default <code>tlsv1.2</code> |
instead. |
instead. |
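Review bot: the rewritten ifconfig(8) items drop the sentence "The ifconfig(8) option <code>tcprecvoffload</code> has been renamed <code>tcplro</code>", so the old option name no longer appears anywhere in this hunk. If <code>tcprecvoffload</code> was ever usable in a configuration file, keep a short mention of the old name next to the new <code>-tcplro</code> entry so that someone searching for it lands here. The ypldap(8) and relayd(8) entries in the surrounding context are also still unlinked, unlike the new ifconfig(8) and wg(4) references.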