===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/75.html,v
retrieving revision 1.34
retrieving revision 1.35
diff -c -r1.34 -r1.35
*** www/75.html 2024/03/31 21:47:37 1.34
--- www/75.html 2024/03/31 22:31:43 1.35
***************
*** 420,443 ****
Security improvements:
- Added pledge(2)
stdio before parsing pfkey messages to ipsecctl(8) -m and -s.
!
- Tightened pax(1) pledge(2) in List and
! Append modes.
!
- Created __OpenBSD versions of llvm cxa guard implementation using
! futex() with the correct number of arguments and without using syscall(2).
!
- Removed support for syscall(2), the
! "indirection system call," a dangerous alternative entry point for all
! system calls and incompatible with the precision system call entry
! point scheme a.k.a. pinsyscalls(2)
!
!
- Enable BTI and PAC again on arm64.
!
- pinsyscalls(2)
!
Changes in the network stack:
--- 420,459 ----
Security improvements:
+ - Introduce pinsyscalls(2): The kernel and ld.so(1) register the
+ precise entry location of every system call used by a program, as
+ described in the new ELF section .openbsd.syscalls inside ld.so and
+ libc.so. ld.so uses the new syscall pinsyscalls(2) to
+ tell the kernel the precise entry location of system calls in
+ libc.so.
+ Attempting to use a different system call entry instruction to
+ perform a non-corresponding system call operation will fail and the
+ process will be terminated with signal SIGABRT.
+ - Removed support for syscall(2), the
+ "indirection system call," a dangerous alternative entry point for all
+ system calls.
+ Together with pinsyscalls(2) this
+ change makes it ipmpossible to perform system call through any other
+ way than the libc system cann wrapper functions.
Added pledge(2)
stdio before parsing pfkey messages to ipsecctl(8) -m and -s.
! - Tightened the pledge(2) in pax(1) in List and Append
! modes.
!
- Created __OpenBSD versions of llvm cxa guard implementation
! using futex(2) with the
! correct number of arguments and without using syscall(2).
!
- Improvements in Pointer Authentication (PAC) and Branch Target
! Identification (BTI) on arm64.
Changes in the network stack:
***************
*** 516,522 ****
In bgpd(8),
rpki-client(8) saw these and more changes:
--- 532,543 ----
In bgpd(8),
! - Rewrite the internal message passing mechanism to use a new
! memory-safe API.
!
- Rewrite most protocol parsers to use the new memory-safe API.
! Convert the UPDATE parser, all of RTR, as well as both the MRT dump
! code in bgpd and the parser in bgpctl.
!
- Improve RTR logging, error handling and version negotiation.
rpki-client(8) saw these and more changes: