===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/75.html,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- www/75.html 2024/03/31 21:47:37 1.34
+++ www/75.html 2024/03/31 22:31:43 1.35
@@ -420,24 +420,40 @@
Security improvements:
+ - Introduce pinsyscalls(2): The kernel and ld.so(1) register the
+ precise entry location of every system call used by a program, as
+ described in the new ELF section .openbsd.syscalls inside ld.so and
+ libc.so. ld.so uses the new syscall pinsyscalls(2) to
+ tell the kernel the precise entry location of system calls in
+ libc.so.
+ Attempting to use a different system call entry instruction to
+ perform a non-corresponding system call operation will fail and the
+ process will be terminated with signal SIGABRT.
+ - Removed support for syscall(2), the
+ "indirection system call," a dangerous alternative entry point for all
+ system calls.
+ Together with pinsyscalls(2) this
+ change makes it ipmpossible to perform system call through any other
+ way than the libc system cann wrapper functions.
Added pledge(2)
stdio before parsing pfkey messages to ipsecctl(8) -m and -s.
- - Tightened pax(1) pledge(2) in List and
- Append modes.
-
- Created __OpenBSD versions of llvm cxa guard implementation using
- futex() with the correct number of arguments and without using Tightened the pledge(2) in pax(1) in List and Append
+ modes.
+
- Created __OpenBSD versions of llvm cxa guard implementation
+ using futex(2) with the
+ correct number of arguments and without using syscall(2).
-
- Removed support for syscall(2), the
- "indirection system call," a dangerous alternative entry point for all
- system calls and incompatible with the precision system call entry
- point scheme a.k.a. pinsyscalls(2)
-
-
- Enable BTI and PAC again on arm64.
-
- pinsyscalls(2)
-
+
- Improvements in Pointer Authentication (PAC) and Branch Target
+ Identification (BTI) on arm64.
Changes in the network stack:
@@ -516,7 +532,12 @@
In bgpd(8),
- - ...
+
- Rewrite the internal message passing mechanism to use a new
+ memory-safe API.
+
- Rewrite most protocol parsers to use the new memory-safe API.
+ Convert the UPDATE parser, all of RTR, as well as both the MRT dump
+ code in bgpd and the parser in bgpctl.
+
- Improve RTR logging, error handling and version negotiation.
rpki-client(8) saw these and more changes: