===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v
retrieving revision 1.1335
retrieving revision 1.1336
diff -c -r1.1335 -r1.1336
*** www/plus.html 2014/04/17 01:51:07 1.1335
--- www/plus.html 2014/04/30 02:07:27 1.1336
***************
*** 74,79 ****
--- 74,176 ----
+
+ - 5.5 RELIABILITY FIX: Disable the ssh(1) curve25519-sha256@libssh.org KEX method when the other party's connection will fail.
+
- Prevent lpd(8) from looking into hosts.equiv(5). Access control is now done only using hosts.lpd.
+
- Introduced basic stats for the iscsid(8) vscsi(4) layer; added iscsictl(8) controls.
+
- In mandoc(1) debug messages, truncate strings of excessive lengths.
+
- dhclient(8) -L now preserves the fd being monitored after new leases, lease renewals and cable unplugs.
+
- Fixed unchecked snprintf(3) in mandoc(1) page header printing.
+
- In mandoc(1), made sure static buffers for snprintf(3) are large enough.
+
- Removed more unused ssl(8) tools and docs.
+
- Moved iscsid(8) session params initialisation to session start, so config parameters stick.
+
- iscsid(8) now does proper LoginOperational negotiation.
+
- Added relayd(8) check for strlcpy(3) overflow when expanding HTTP input value.
+
- snmpd(8) and relayd(8) will now fail if strlcpy(3) overflows the socket path.
+
- When installing OpenBSD, ensure that the hostname information is in the dhclient(8) lease db.
+
- Reimplemented arrays in relayd(8) used to set up process-to-process imsg communication.
+
- Use calloc(3) instead of malloc(3) + memset(3) across ssl(8), to avoid integer overflows.
+
- Rearranged qle(4) update processing loop to attach and detach targets last; handle fabric port login errors better.
+
- Fixed leak in the snmpd(8) and relayd(8) agentx error paths.
+
- Added support for SSHFP DNS records for ED25519 key types to ssh(1).
+
+
- In ssl(8) ts_rsp_verify.c, reset imprint to NULL to avoid double free.
+
- Added a canonical 6.6+ curve25519 fake version to ssh(1), to be recommended with openssh-6.7.
+
- Use get/put_u32 to load values and unbreak ssh(1) on strict-alignment architectures.
+
- Removed checksum offloading from sk(4), faulty on this hardware.
+
- Added strlcpy(3) check. Stops smtpd(8) fatal at startup if truncation occurred with filters enabled.
+
- Added missing strlcpy(3) check when parsing the "backup hostname" section in smtpd.conf(5).
+
- Removed "disable pmtud" and "increased window size" options from sysctl.conf(5) to discourage their use.
+
- Removed rsh(1). Deprecated in favor of ssh(1).
+
- Fixed display of destination IP when host is an IP address in traceroute(8).
+
- Added checks to strlcpy(3) when smtpd(8) is copying envelope "destination" buffer to the mda delivery buffer.
+
- If user+tag@ exceeds SMTPD_MAXPATHLEN smtpd(8) now fails instead of creating a ".truncated" tag dir.
+
- Removed obsolete altq bandwidth shaping from pf(4).
+
+
- Allow mandoc(1) to properly handle symlinks .
+
- Disable the ssh(1) curve25519-sha256@libssh.org KEX method when the other party's connection will fail.
+
- In mandoc(1) update mode, when opening the database fails, just rebuild it from scratch.
+
- Removed RAND_seed(3) calls in iked(8), ikectl(8), relayd(8) and snmpd(8).
+
- For wscons(4) WSDISPLAY_COMPAT_USL protocol, send the synchronizing signals to the process, not just the thread.
+
- Updated unifdef(1) to version 2.10.
+
- Raised nginx(8) file limits, but lower number of connections (leaving files to spare for other programs).
+
- Removed bdes(1), so as to not encourage its use.
+
- Removed dead KAME code that dealt with IPv4-mapped IPv6 addresses; added check for IPv4-mapped IPv6 destination addresses for non-connected sockets.
+
- Use arc4random_buf(3) instead of harmful RAND_xxx in kerberos(8).
+
- Sync traceroute6(8) to tracroute(8): don't print source IP if "-s" is not given.
+
- In relayd(8), fixed ssl(8) client-only mode when no RSA private key is needed.
+
- Neuter the -legacy_renegotiation option to the openssl(1) "openssl s_{client,server}"; added support for "-starttls lmtp" to openssl s_client.
+
- When parsing a new cert into memory occupied by a previously verified cert, ssl(8) will no longer bypass verification checks.
+
- Introduced privsep for relayd(8) private keys.
+
- Use asprintf(3) for generating path. Eliminates many unsafe uses of strlcpy(3) and strlcat(3) in ssl(8).
+
- If nfs rpc requests on a stream socket are already being processed, don't panic, just return.
+
- Cleanup of relayd(8) code tracking of socketpair between different privsep processes.
+
- Have each thread keeps its own reference to the process's ucreds. Avoids possible use-after-free.
+
- Allow printf(1) to handle passing zero as a fieldwidth or precision variable.
+
- Switched to the new makewhatis(8)/apropos(1)/whatis(1) (described in apropos(1)).
+
- Added support for smtpd(8) mailaddr lookup in the table_db.
+
+
- Reworked qle(4) command polling loop to handle multiple responses in one interrupt, like qla(4).
+
- Fully kill ssl(8) FIPS API.
+
- Added some UTF-8 utility functions to tmux(1), to stop splitting UTF-8 characters improperly.
+
- Ensure parent thread is blocked until any others are detached before letting it exit. Avoids panic.
+
- Only scroll by one line at a time in tmux(1) choose mode (as lists are generally short).
+
- Fixed dhclient(8) DHCPDISCOVERY and DHCPDECLINE (as INADDR_ANY != INADDR_BROADCAST).
+
- Changed ssl(8) library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers.
+
- Set tmux(1) PATH explicitly, either from the client or session environment.
+
- Don't limit the tmux(1) DCS buffer to 256 bytes, expand it as needed.
+
- No longer allow ssl(8) to feed RSA private key information to the random subsystem as entropy.
+
- openssl(1) PR#3309: when looking for an extension, properly search all extensions.
+
- Removed the monitor-content option from tmux(1).
+
- Fixed ssl(8) to call the correct decrypt function in aes_cbc_cipher().
+
- Execute the active path checks when mpath(4) asks for it (rather than on attach).
+
+
- Skip leading zero bytes in ssh(1) buffer_put_bignum2_from_string() function.
+
- Add ufs2 support in libsa/ufs2.c. One step closer being able to boot from ffs2 filesystems.
+
- Cleaned up dangerous strncpy(3) use in ssl(8).
+
- Added missing parens so that rshd(8) errorhost gets properly initialised.
+
- Gave mlinks and keys tables a sqlite3(1) pageid index. Speeds basic apropos(1) searches by 30%.
+
- Make dhclient(8) -q even quieter.
+
- Removed programs from ssl(8) code which don't work with current openssl(1) releases.
+
- Fixed ssl(8) bugs listed at http://www.viva64.com/en/b/0250/.
+
- ssl(8) now ignores setting which allowed the connection to negotiate insecurely.
+
- Zero-pad ssl(8) "usec" format to handle values less than 100,000 correctly.
+
- Killed bogus "send an SSLv3/TLS hello in SSLv2 format" code from the ssl(8) client.
+
- Stubbed some functions in ssl(8) mem_dbg.c, to avoid all possibility of using them.
+
- Always return 1 in the ssl(8) arc4random(9) backend. Unbreaks lynx(1) and git.
+
- Added generic driver for "NEC PC-9801 extension board slot" on luna88k.
+
- Made directory ordering in our libtool stable.
+
- Closed memory leaks in snmpctl(8) client code.
+
+
- Removed md2, seed and jpake cyphers from ssl(8).
+
- Removed approx 30 unused makefiles and more vestiges of ssl2 support from ssl(8).
+
- In ssh(8) EC_POINT_invert(), check the correct function pointer before attempting to invoke it (openssl(1) RT #2569).
+
- RotIBM stream cipher (ebcdic), FIPS mode support and GOST engine removed from ssl(8).
+
- Replaced ssl(8) PRNG with arc4random_buf(), keeping existing RAND interfaces unchanged.
+
- Added -s (two-byte signed decimal display) to od(1), as mandated by POSIX.
+
- ssl(8) fixes: corrected cases where code occurred directly after goto/break/return; removed pentium specific benchmark code; removed more vms and windows specific code.
+
- Unbroke xcb-util-cursor.
+
- Made smtpd(8) reply with correct imsg when using non-system authentication.
- Stopped mandoc(1) crashing when processing macros in .Sh header lines, or having .Sm off or .Bk -words open.
- Stopped leaking socketpair file descriptors if tmux(1) fork(2) fails.
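Review bot: The added traceroute6(8) entry misspells the referenced page as "tracroute(8)"; it should read "traceroute(8)". Elsewhere in this hunk, the mandoc(1) entry has a stray space in "symlinks ." and the ucreds entry should read "Have each thread keep its own reference". The EC_POINT_invert() entry is attributed to ssh(8) although it cites an openssl(1) RT number and the neighbouring crypto library entries use ssl(8), so please confirm which page was intended. The curve25519-sha256@libssh.org entry appears twice, once as the 5.5 RELIABILITY FIX and once in the list, and "when the other party's connection will fail" does not say which peers are affected. Naming the condition would make it actionable, and the same goes for "ignores setting which allowed the connection to negotiate insecurely", which does not name the setting.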
***************
*** 365,368 ****
--- 462,466 ----