===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v
retrieving revision 1.883
retrieving revision 1.884
diff -u -r1.883 -r1.884
--- www/plus.html 2003/08/17 21:37:40 1.883
+++ www/plus.html 2003/08/25 22:24:05 1.884
@@ -52,10 +52,228 @@
We are working on OpenBSD-current.
-The following list sums up (almost) all the changes made up to July 23.
+The following list sums up (almost) all the changes made up to August 24.
+
+- Fix static ssh(1) builds.
+
- Some 64-bit cleanup in the new ssh(1) GSSAPI code.
+
- Stop pfctl(8) rejecting perfectly legitimate nat-with-tables rules.
+
- When tables are used in pf(4) routing rules with address pools, only allow round-robin mode.
+
- Structure and defines for generic IEEE 802.11 framework.
+
- 'Implement' pread(2) and pwrite(2) under FreeBSD emulation (they're identical to the native calls.)
+
+
- In the installer, if an interface is configured using DHCP then assume that the default route is via DHCP also.
+
- Improvements to spamd(8):
+ - New -s option to specify the delay in seconds between each character sent.
+
- Shrink the TCP receive window to one byte, hurting the sender's stack.
+
- Keep the connection open until ten lines of mail body have been received.
+
- Better logging via syslog.
+
+ - Use the correct format for printing time values in spamd(8).
+
- Check the maximum size of an exec header after lkm(4) load or unload, since the module may just change it.
+
- Allow sysctl(8)-toggled emulations to be switched off after being switched on.
+
- Fix a bug in ksh(1) emacs-mode filename completion.
+
+
- Fix 64-bit breakage in pfctl(8) counters output.
+
- Build sendmail(8) with support for DSN-specific timeouts, so bounces can be timed out more quickly.
+
- Fix ksh(1)'s end-of-word detection.
+
- Remove ssh(1) and sshd(8) support for the kerberos-2@ssh.com authentication method, now obsoleted by GSSAPI.
+
- Add GSSAPI authentication support to ssh(1) and sshd(8).
+
- Don't age IPv6 non-gateway host routes. (NetBSD PR bin/22568.)
+
+
- New keywords @extra and @extraunexec for pkg_create(1), to specify 'extra' package files that are only undeleted with pkg_delete -c.
+
- tcpdump(8) can now show the operating system of TCP SYN packets with the -o option.
+
- Add passive OS fingerprinting capability to pf(4), via the 'os' keyword.
+
- Add pf.os(5) passive OS fingerprint database.
+
- Add kern.emul.* sysctl(8) toggles for the various OS emulations instead of compile-time options.
+
- Fix Apache bug #21737 (zombie suexec processes) by reverting to 1.3.27 behaviour.
+
- Merge in Apache 1.3.28 and mod_ssl 2.8.15.
+
- By default, use spamhaus instead of spews for spamd(8).
+
- In libcrypto, add bignum zero to bignum zero without corrupting the result.
+
- Backport a fix for an obscure g++(1) bug which propolice trips.
+
+
- RELIABILITY FIX: An improper bounds check in the semget(2) system call can allow a local user to cause a kernel panic.
+ A source code patch is available.
+ [Applied to stable]
+ - Queues that list themselves as a child queue are now disallowed by pfctl(8).
+
- Have pfctl(8) print a more helpful error messages for bad queue definitions and invalid CBQ priorities.
+
- Convert bootpd(8) from select(2) to poll(2).
+
+
- Increase the default FD_SETSIZE from 256 to 1024.
+
- Set the select(2) timeout properly for active mode FTP under faithd(8).
+
- Change ioctl(...SIOCFIGCONF...) to getifaddrs(3) in lots of places.
+
- Add dynamic select(2) fd_set handling to ypbind(8).
+
- Convert map-mbone(8), mrinfo(8), mtrace(8), pppctl(8) and timed(8) from select(2) to poll(2).
+
- Fix accidental fallthrough from SIOCSIFADDR to SIOCIFFLAGS for tl(4), tx(4) and wb(4).
+
- As well as recommending su(1) instead root logins, clearly and distinctly suggest the user read afterboot(8). If that doesn't work, banner(1) is available...
+
- Change /etc/mtree/4.4BSD.dist to reflect the move from /usr/include/ssl to /usr/include/openssl.
+
- New mtd(4) driver for Myson Technologies 3-in-1 Fast Ethernet boards. From NetBSD.
+
+
- New NOFONTS define for XF4, stops fonts being built. Oh yes.
+
- Handle target lookup using the shell PATH nicely in pmdb(1).
+
- Do a tzset(3) in syslogd(8) before doing the chroot.
+
- Don't treat PKG_PATH-built URL paths to pkg_info(1) as if they refer to local files.
+
- Make pkg_info(1)'s -a option look only at installed packages.
+
- Have pfctl(8) detect nonsensical max-mss > 65535 in scrub rules.
+
- Don't loop back a copy of a broadcast or multicast packet to a simplex interface if pf(4) routing is involved, preventing lockups.
+
- Enable the --initial-tab long option to diff(1) by spelling it correctly.
+
+
- Use only sysctl(3) to stir arc4random(3) using kernel arc4random(). No more messing with /dev/arandom.
+
+
- Add a bunch of emacs commands to mg(1) dired mode.
+
- Unbreak mg(1) dired mode directory listings.
+
- In the kernel, change arguments to suser(), and add new suser_ucred() for instances where caller doesn't have a process.
+
- New -S option to pkg_create(1), like -s only better.
+
+
- Zero out unused directory entry fields on FAT12 and FAT16 filesystems, to avoid breakage on Win2k and WinXP (PR#3400.)
+
- Add a bunch more syscall stubs and implement exit_group() under Linux emulation. Needed for newer glibc binaries.
+
- Fix wrongness, memory leakage and a panic on directory reads in other-OS emulation mode on some filesystems.
+
- Have ssh-keygen(1) exit nicely after screening candidate primes (-T option.)
+
- Much cleanup in the new safe(4) driver.
+
- Add the POSIX-mandated struct itimerspec to sys/time.h .
+
+
- Install the sendmail(8) TUNING guide.
+
- Better memory-use optimization for diff(1).
+
- Remove the very deprecated RhostsAuthentication feature from ssh(1).
+
- Use tcsendbreak(3) in sshd(8) instead of ioctl(...TIOCSBRK...), for portability.
+
+
- Convert rshd(8) to use poll(2) instead of select(2).
+
- Don't blindly pass FD_SETSIZE as the first argument to select(2), that's bad mmmkay?
+
- New driver, safe(4), for the SafeNet crypto accelerator. From FreeBSD.
+
- Remove a bunch of AFS stuff that isn't used by OpenBSD.
+
- Merge in xfs from the ARLA-current as of 20030805.
+
- Stop pkg_create(1) erasing the last checksum from CONTENTS.
+
+
- Kill a panic when creating a block device on a full filesystem (NetBSD PR#22419.)
+ [Applied to stable]
+ - ftp(1), rsh(1) and talk(1) now use poll(2) instead of select(2).
+
- Unbreak pf(4) DIOCCHANGEADDR.
+ [Applied to stable]
+ - Some nice robustness-in-the-face-of-spam tweaks to the example sendmail(8) config in cf/courtesan.mc.
+
- Do dynamic select(2) fd_set allocation in nfsd(8).
+
- Handle realloc(3) failure nicely in the libedit tokenizer.
+
- 3.3-current -> 3.4-beta.
+
- Implement CLOCK_MONOTONIC for clock_gettime(2). From NetBSD.
+
- Don't attach a le(4) device if the interrupt for it can't be established.
+
+
- Stop patch(1) adding an extraneous newline at the end of its output.
+
- Have patch(1) warn if a context or unified diff comes without a context, since this makes detection of a previously applied patch impossible.
+
- Remove uvm_useracc() from uvm(9).
+
+
- Fix an off-by-one in vacation(1).
+
- Allow tables to be used in pf(4) translation and routing rules.
+
+
- In diff(1), do the initial memory allocation using a guesstimate based on the file size.
+
- Fix a bunch of potential null derefs in isakmpd(8).
+
- Stop patch(1) scanning the input file twice.
+
- Disable a gcc(1) optimization, enabled by -fexpensive-optimizations and hence by -O2, on platforms where it was generating incorrect code.
+
+
- Fix some memory leaks in ed(1).
+
- Allow 192- and 256-bit AES in crypto(4).
+
- Use setusercontext(3) instead of roll-your-own in httpd(8), so that login.conf(5) values apply.
+
- Make pf(4) matching code handle 32-bit uid and gid values properly.
+
- Make the sysctl(3) toggle net.inet6.ip6.redirect work as expected.
+
- Fix a potential use-after-free in icmp6 redirect code.
+
+
- Fix the abnormal exit code in ohci(4).
+
- Plug memory leaks in modload(8), pkg_add(1) and usb(4).
+
- Add -h option to ls(1) for human-readable sizes.
+
- The gcc(1) -Wbounded checker can't handle variable-length arrays yet, so don't try.
+
- Stop gdb(1) crashing on 'set enum' without an argument.
+
+
- Now the information is actually copied into place, make mount(8) show procfs info.
+
- Have procfs copy its mount options into statfs.mount_info.
+
- Add a debugging lever that forces patch(1) to use plan B.
+
- In patch(1) plan A, use mmap(2) instead of read(2)/malloc(3).
+
- strlcpy() -> strncpy() in bos(8), un-busting the AFS wire protocol.
+
- Merge in ARLA -current, set version to 'arla-20030805'.
+
+
- systrace(1) updates from NetBSD and monkey.org.
+
- Add a missing close() in libsa's exec().
+
- Use strlcpy(3) to guarantee null termination of the coredump process name.
+
+
- Implement the WCONTINUED flag in wait*(2), as per POSIX. Adapted from FreeBSD.
+
- Fix Linux truncate64() emulation as well.
+
- Remove GNU gzip from the tree.
+
+
- New, BSD-licensed znew(1) script.
+
- Properly check the result of attempts to read from and write to processes in pmdb(1).
+
- Stop ksh(1)'s Emacs mode yank-pop command dumping core when run twice (PR#3384.)
+
- Correct emulation of Linux ftruncate64().
+
+
- SECURITY FIX: An off-by-one error exists in the C library function realpath(3). Since this same bug resulted in a root compromise in the wu-ftpd ftp server it is possible that this bug may allow an attacker to gain escalated privileges on OpenBSD.
+ A source code patch is available.
+ [Applied to stable]
+ - Back out the pthread itimer change (except when profiling) for compatibility reasons.
+
- Add __bounded__ attribute definitions (see gcc-local(1)) for many library functions.
+
- Don't print a pointless read-only warning message when running vi(1) in read-only mode.
+
- New -q flag for pkg_delete(1) that doesn't do a checksum before removing package files.
+
- Support for Marvell-based devices in sk(4).
+
+
- Make pf(4) table tickets per-ruleset instead of global.
+
- Remove undocumented '-p' == '-p0' behaviour from patch(1), like GNU patch and in accordance with POSIX.
+
- Repair patch(1)'s relative path handling by not nuking a parameter needed later in the function.
+
- Change the hash function used in the internals of diff(1) so it generates fewer collisions.
+
- Privilege separation for syslogd(8). Note new HUP behaviour.
+
- Have patch(1) complain about non-existent lines at most once per patch.
+
- Make sure pfctl(8) doesn't attempt to display no-longer-existent queues.
+
- In sshd(8), check that password authentication is enabled before trying to authenticate users using the 'none' method (i.e. a blank password.)
+
- Add a new, BSD-licensed gzexe(1).
+
- Fix diff(1) exit codes when comparing against stdin.
+
+
- Remove GNU diff from the tree.
+
- Add basic support for ftp:// package paths via the PKG_PATH environment variable.
+
- Make patch(1) prompting more POSIX, and add the POSIX -i option.
+
- Make ifconfig(8) die (instead of just complaining) when addition or deletion of an interface address fails.
+
+
- Use a sockaddr_storage instead of a sockaddr to avoid a stack smash in bpf(4).
+
- Remove a stray backslash and unbreak 'make release' for XF4.
+
- Save the interface associated with a pf(4) state table entry when the entry is first created, not when another packet matches the entry.
+
- When running fsck(8) as root, bump the data size resource limit up to unlimited (instead of up to the hard limit) to avoid problems with large filesystems.
+
- Better TMPDIR environment variable handling in patch(1).
+
- Improved test for output on stdout in compress(1).
+
- New ssh(1) progress meter implementation, with better licensing.
+
- Add 'pass on lo' to the temporary boottime pf.conf(5) (PR#3376.)
+
- Fix ftp-proxy(8)'s handling of multiline server responses (PR#3378.)
+
- Add a new, BSD-licensed zforce(1) script.
+
- Make compress(1) do the right thing when confronted with (e.g.) 'gzip -lN < foo.gz'.
+
- Another missing netinet byte-order fixup, this time in fragment reassembly code.
+
- Fix a printf(%s) off-by-one in isakmpd(8).
+
- Improvements to pf(4) skip-step calculation.
+
- More propolice fixes.
+
+
- Add growfs(8) from FreeBSD.
+
- Remove unlicensed MATH_EMULATE code (written by some guy named Torvalds) from the kernel, leaving only the GNU emulation code for the moment.
+
- Don't treat consecutive slashes as path components in patch(1), for POSIX reasons.
+
- Make patch(1)'s exit value consistent with POSIX and with diff(1).
+
- Add mbuf(9) markup (M_TUNNEL) for tunnel-mode IPsec connections so that gif(4) over IPsec can be detected and unencapsulated consistently (PR#3023.)
+
- ssh-keygen(1) can now generate the Diffie-Hellman groups as needed by moduli(5).
+
+
- If compress(1) detects that compressed output would be larger than the input, fail so that the .gz file gets removed.
+
- Fix a missing initialisation and cure a hang that could occur when diff(1)ing a directory.
+
- Try to bound memory and cpu usage of diff(1), old (unbounded) behaviour available with -d.
+
+
- Install ed(1) tutorial papers.
+
- Stop mtree(8)'s -s option enabling -t by mistake.
+
+
- More tweaks to compress(1).
+
- Fix an x86 DoS (reported by Michal Zalewski) by zeroing the SYSENTER registers at kernel boot time.
+ [Applied to stable]
+ - Remove some in-place IP header byte order changes in bridge(4), missed out before.
+
- Print the right error line number in newsyslog(8).
+
- Change references to the now non-existent kerberos(1) manpage to point at 'info heimdal.'
+
- Add sha2 support to isakmpd(8).
+
- A few *printf cleanups in sys/net/.
+
- New __kprintf__ format attribute for gcc(1) that groks kernel *printf(9) format arguments. See gcc-local(1) for details.
+
- Change patch(1)'s -b option to be POSIX ('save a backup') and give the old functionality (specify backup filename suffix) to the -z option like GNU patch. For now, -b is on by default.
+
+
- Fix IP packet length setting for IPsec tunnels, lost in recent byte order changes.
+
- Add sha2 support for IPsec.
+
- Add _syslogd user for, um, syslogd(8), soon to get the privsep treatment.
+
- Allow the kernel to build with inet enabled but ether disabled (PR#3356.)
+
- New APIWARN libc/Makefile define, disabled by default, which makes the linker complain whenever unsafe string functions are used.
- Move nasty SCSI utility code out of libutil and into scsi(8), the only place it's used.
- When detaching an interface, remove from software interrupt queues any packets pointing to that interface.
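Review bot: Two ioctl names in the added entries look misspelled: "ioctl(...SIOCFIGCONF...)" in the getifaddrs(3) entry should read SIOCGIFCONF, and "SIOCIFFLAGS" in the tl(4), tx(4) and wb(4) fallthrough entry should read SIOCSIFFLAGS. People grep this page for those names, so the exact spelling matters. Two wording slips in the same hunk are also worth fixing: "print a more helpful error messages" (drop the "a" or use the singular) and "recommending su(1) instead root logins" (missing "of"). Separately, the SYSENTER DoS entry is marked "[Applied to stable]" but has no "RELIABILITY FIX:" or "SECURITY FIX:" prefix, unlike the semget(2) and realpath(3) entries; consider labelling it the same way so it is found by anyone scanning for those prefixes.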
@@ -66,7 +284,8 @@
- Implement the sysinfo() system call under Linux emulation.
- Remove AFS code from sshd(8).
- Redo the 'invalid line number' fix for patch(1).
-
- Update CGI(3p) to version 2.98 to fix a cross-site scripting bug.
+
- Update CGI(3p) to version 2.98 to fix a cross-site scripting bug.
+ [Applied to stable]
- Use libc getopt_long(3) in patch(1) instead of a local version.
- POSIX tweaks to patch(1).
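Review bot: The CGI(3p) entry now carries "[Applied to stable]" but still has no "SECURITY FIX:" prefix, even though its text describes a cross-site scripting bug and the realpath(3) entry added in the first hunk uses that prefix. If the stable change was issued as an erratum, use the same prefix and "A source code patch is available." line here so the entry is consistent with the others and easy to find.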
@@ -551,7 +770,8 @@
- Apply some of the USB SCSI improvements to the FireWire code as well.
- Add string length bounds to an sscanf(3) in ssh(1)'s rhosts auth code.
- Pull in a fix for directory creation under systrace(1).
-
- Fix pf(4) rdr rules with address pools using bitmask and source-hash address selection.
+
- Fix pf(4) rdr rules with address pools using bitmask and source-hash address selection.
+ [Applied to stable]
- Allow inverse matching of pf(4) tags.
- Fix media handling for Intel dc(4) devices.
@@ -1023,7 +1243,7 @@
www@openbsd.org
-
$OpenBSD: plus.html,v 1.883 2003/08/17 21:37:40 deraadt Exp $
+
$OpenBSD: plus.html,v 1.884 2003/08/25 22:24:05 deraadt Exp $