=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/75.html,v retrieving revision 1.34 retrieving revision 1.35 diff -c -r1.34 -r1.35 *** www/75.html 2024/03/31 21:47:37 1.34 --- www/75.html 2024/03/31 22:31:43 1.35 *************** *** 420,443 ****

Security improvements:

Added pledge(2) stdio before parsing pfkey messages to ipsecctl(8) -m and -s. !
Tightened pax(1) pledge(2) in List and ! Append modes. !
Created __OpenBSD versions of llvm cxa guard implementation using ! futex() with the correct number of arguments and without using syscall(2). !
Removed support for syscall(2), the ! "indirection system call," a dangerous alternative entry point for all ! system calls and incompatible with the precision system call entry ! point scheme a.k.a. pinsyscalls(2) ! !
Enable BTI and PAC again on arm64. !
pinsyscalls(2) !

Changes in the network stack: --- 420,459 ----

Security improvements:

Introduce pinsyscalls(2): The kernel and ld.so(1) register the + precise entry location of every system call used by a program, as + described in the new ELF section .openbsd.syscalls inside ld.so and + libc.so. ld.so uses the new syscall pinsyscalls(2) to + tell the kernel the precise entry location of system calls in + libc.so.
+ Attempting to use a different system call entry instruction to + perform a non-corresponding system call operation will fail and the + process will be terminated with signal SIGABRT. +
Removed support for syscall(2), the + "indirection system call," a dangerous alternative entry point for all + system calls.
+ Together with pinsyscalls(2) this + change makes it ipmpossible to perform system call through any other + way than the libc system cann wrapper functions.Added pledge(2) stdio before parsing pfkey messages to ipsecctl(8) -m and -s. !
Tightened the pledge(2) in pax(1) in List and Append ! modes. !
Created __OpenBSD versions of llvm cxa guard implementation ! using futex(2) with the ! correct number of arguments and without using syscall(2). !
Improvements in Pointer Authentication (PAC) and Branch Target ! Identification (BTI) on arm64.

Changes in the network stack: *************** *** 516,522 ****

In bgpd(8),

rpki-client(8) saw these and more changes: --- 532,543 ----

In bgpd(8),

Rewrite the internal message passing mechanism to use a new ! memory-safe API. !
Rewrite most protocol parsers to use the new memory-safe API. ! Convert the UPDATE parser, all of RTR, as well as both the MRT dump ! code in bgpd and the parser in bgpctl. !
Improve RTR logging, error handling and version negotiation.

rpki-client(8) saw these and more changes: