===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- www/74.html 2023/10/15 04:19:24 1.88
+++ www/74.html 2023/10/15 10:45:56 1.89
@@ -667,15 +667,13 @@
feature it helps enforcing control flow integrity by making sure
malicious code cannot manipulate a function's return address.
-
-Together with retguard these features protect against ROP attacks.
-
-Compiler defaults for base clang, ports clang and ports gcc (as well
+Together with retguard these features protect against ROP attacks.
+Compiler defaults for base clang, ports clang and ports gcc (as well
as some other non-C language family compilers in ports) have been
changed to enable these features by default. As a result the vast
majority of programs on OpenBSD (and all programs in the base system)
-run with these security features enabled.
-
+run with these security features enabled.
+
Further security enhancements in this release are:
- Change malloc(3)
chunk sizes to be fine grained: chunk sizes are closer to the
@@ -688,10 +686,10 @@
administrators can now remove most users from the excessively
powerful
operator group, which in particular
provides read access to disk device nodes.
- - Restrict patch(1)
- to the current directory including subdirectories, TMPDIR,
- and file names given on the command line using
- unveil(2).
+
- Using unveil(2),
+ restrict patch(1)
+ filesystem access to the current directory including subdirectories,
+ TMPDIR, and file names given on the command line.
- In ksh(1), consistently
escape control characters when displaying file name completions,
even when there are multiple matches.