| version 1.13, 1996/12/24 03:04:44 |
version 1.14, 1996/12/24 08:37:33 |
|
|
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
|
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN"> |
| <html>
|
<html> |
| <head>
|
<head> |
| <title>OpenBSD changes</title>
|
<title>OpenBSD changes</title> |
| <link rev=made href=mailto:www@openbsd.org>
|
<link rev=made href=mailto:www@openbsd.org> |
| <meta name="resource-type" content="document">
|
<meta name="resource-type" content="document"> |
| <meta name="description" content="the main OpenBSD page">
|
<meta name="description" content="the main OpenBSD page"> |
| <meta name="keywords" content="openbsd,main">
|
<meta name="keywords" content="openbsd,main"> |
| <meta name="distribution" content="global">
|
<meta name="distribution" content="global"> |
| <meta name="copyright" content="This document copyright 1996 by OpenBSD, Inc.">
|
<meta name="copyright" content="This document copyright 1996 by OpenBSD, Inc."> |
| </head>
|
</head> |
|
|
|
| <body>
|
<body> |
|
|
|
| <h1>OpenBSD</h1>
|
<h1>OpenBSD</h1> |
| <hr>
|
<hr> |
| <h3>Changes Relative to other *BSD's.</h3>
|
<h3>Changes Relative to other *BSD's.</h3> |
|
|
|
| <p>
|
<p> |
| OpenBSD looks a lot like NetBSD (from which it is derived, following
|
OpenBSD looks a lot like NetBSD (from which it is derived, following |
| the 4.4BSD roots), but is now being developed seperately. Good changes
|
the 4.4BSD roots), but is now being developed seperately. Good changes |
| from other free operating systems will be merged in (of course, depending
|
from other free operating systems will be merged in (of course, depending |
| on various factors like developer time for example.) OpenBSD tracks
|
on various factors like developer time for example.) OpenBSD tracks |
| NetBSD changes very closely; say anywhere between 2 to 10 days
|
NetBSD changes very closely; say anywhere between 2 to 10 days |
| behind the state of NetBSD-current all the time. Hence you can truly
|
behind the state of NetBSD-current all the time. Hence you can truly |
| say that OpenBSD is NetBSD <b>PLUS MORE STUFF</b>.
|
say that OpenBSD is NetBSD <b>PLUS MORE STUFF</b>. |
|
|
|
| <p>
|
<p> |
| Compared to NetBSD, various additions have been made. This is a
|
Compared to NetBSD, various additions have been made. This is a |
| partial list of the major machine independent changes (ie. these are the
|
partial list of the major machine independent changes (ie. these are the |
| changes people ask about most often). Check the page of the specific port
|
changes people ask about most often). Check the page of the specific port |
| you are interested in for further port-specific details. Note that many ports
|
you are interested in for further port-specific details. Note that many ports |
| have had architecture-specific enhancements.
|
have had architecture-specific enhancements. |
|
|
|
| <ul>
|
<ul> |
| <li>Many many NetBSD PR's fixed (which NetBSD has not yet fixed)
|
<li>Many many NetBSD PR's fixed (which NetBSD has not yet fixed) |
| <li>New curses library, including libform, libpanel and libmenu.
|
<li>New curses library, including libform, libpanel and libmenu. |
| <li>a termlib library which understands termcap.db, needed for new curses.
|
<li>a termlib library which understands termcap.db, needed for new curses. |
| <li>The FreeBSD ports subsystem was integrated and is usable by you!
|
<li>The FreeBSD ports subsystem was integrated and is usable by you! |
| <li>ipfilter for filtering dangerous packets
|
<li>ipfilter for filtering dangerous packets |
| <li>better ELF support
|
<li>better ELF support |
| <li>nlist() that understands ELF, ECOFF, and a.out, allowing non-a.out ports
|
<li>nlist() that understands ELF, ECOFF, and a.out, allowing non-a.out ports |
| to use kvm utilies
|
to use kvm utilies |
| <li>Verbatim integration of the GNU tools (using a wrapper Makefile)
|
<li>Verbatim integration of the GNU tools (using a wrapper Makefile) |
| <li>All the pieces needed for cross compilation are in the source tree.
|
<li>All the pieces needed for cross compilation are in the source tree. |
| <li>Some LKM support in the tree.
|
<li>Some LKM support in the tree. |
| <li>ATAPI support (should work on all ISA busses)
|
<li>ATAPI support (should work on all ISA busses) |
| <li>new scsi, md5, pkg_* commands
|
<li>new scsi, md5, pkg_* commands |
| <li>Numerous security related fixes
|
<li>Numerous security related fixes |
| <li>Kerberos and other crypto in the source tree that is exportable
|
<li>Kerberos and other crypto in the source tree that is exportable |
| <li>Solid YP master, server, and client capabilities.
|
<li>Solid YP master, server, and client capabilities. |
| <li>/dev/*random -- a device driver providing some kinds of random data
|
<li>/dev/*random -- a device driver providing some kinds of random data |
| <li>In-kernel update(8) with an adaptive algorithm
|
<li>In-kernel update(8) with an adaptive algorithm |
| <li>Some ddb improvements and extensions
|
<li>Some ddb improvements and extensions |
| <li>Numerous scsi fixes
|
<li>Numerous scsi fixes |
| <li>ncheck utility for ffs
|
<li>ncheck utility for ffs |
| <li>/sbin/init now deals with non-existant ttys, no longer spins gettys madly.
|
<li>/sbin/init now deals with non-existant ttys, no longer spins gettys madly. |
| <li>new system calls: rfork(), minherit(), poll().
|
<li>new system calls: rfork(), minherit(), poll(). |
| <li>select() that can handle any amount of file descriptors.
|
<li>select() that can handle any amount of file descriptors. |
| <li>kernfs extensions
|
<li>kernfs extensions |
| <li>ATM support (support for one company's sparc & i386 cards available)
|
<li>ATM support (support for one company's sparc & i386 cards available) |
| <li>Boot kernels with "-c" to edit/enable/disable device configuration tables
|
<li>Boot kernels with "-c" to edit/enable/disable device configuration tables |
| <li>pax as tar, gnutar is toast
|
<li>pax as tar, gnutar is toast |
| <li>using AT&T awk, gawk is toast
|
<li>using AT&T awk, gawk is toast |
| <li>Even more security fixes.
|
<li>Even more security fixes. |
| <li>Accepts FreeBSD MD5 passwords in password maps, soon will be able to
|
<li>Accepts FreeBSD MD5 passwords in password maps, soon will be able to |
| generate them too
|
generate them too |
| <li>Linux ext2fs and BSD4.4 LFS support being worked on.
|
<li>Linux ext2fs and BSD4.4 LFS support being worked on. |
| <li>Working ATAPI audio support for multiple architectures.
|
<li>Working ATAPI audio support for multiple architectures. |
| <li>terminfo database support.
|
<li>terminfo database support. |
| <li>Fortran in the tree.
|
<li>Fortran in the tree. |
| <li>The most secure rdist support anywhere.
|
<li>The most secure rdist support anywhere. |
| <li>randomized port allocation in bind(), bindresvport(), and rresvport() --
|
<li>randomized port allocation in bind(), bindresvport(), and rresvport() -- |
| security via unpredictability.
|
security via unpredictability. |
| <li>Protection from the udp spamming and ftp bounce attacks.
|
<li>Protection from the udp spamming and ftp bounce attacks. |
| <li>Significantly improved ftp daemon.
|
<li>Significantly improved ftp daemon. |
| <li>Numerous more security policy and implimentation improvements (OpenBSD
|
<li>Numerous more security policy and implimentation improvements (OpenBSD |
| defaults to installing in a very secure mode)
|
defaults to installing in a very secure mode) |
| <li>zlib (non-GPL'd gzip-compatible library)
|
<li>zlib (non-GPL'd gzip-compatible library) |
| <li>Newest version of pppd.
|
<li>Newest version of pppd. |
| <li>_POSIX_SAVED_IDS behaviour with permitted BSD extensions.
|
<li>_POSIX_SAVED_IDS behaviour with permitted BSD extensions. |
| <li>Fixed long-standing vm swap-leak.
|
<li>Fixed long-standing vm swap-leak. |
| <li>FreeBSD malloc() that uses mmap() and is able to free unused memory.
|
<li>FreeBSD malloc() that uses mmap() and is able to free unused memory. |
| <li>Numerous FreeBSD userland fixes and improvements incorporated.
|
<li>Numerous FreeBSD userland fixes and improvements incorporated. |
| <li>new rdisc Router Discovery daemon
|
<li>new rdisc Router Discovery daemon |
| <li>generic protection against the bind() takeover problem.
|
<li>generic protection against the bind() takeover problem. |
| <li>at -f security fix.
|
<li>at -f security fix. |
| <li>20 or so more security fixes
|
<li>20 or so more security fixes |
| <li>install now supports -C, -p, and -S flags.
|
<li>install now supports -C, -p, and -S flags. |
| <li>a real adduser program, which can even be used uninteractively.
|
<li>a real adduser program, which can even be used uninteractively. |
| <li>POSIX & C2 requirement; lose setuid/setgid bits if owner/group changed
|
<li>POSIX & C2 requirement; lose setuid/setgid bits if owner/group changed |
| by chown(). This can be turned off with sysctl.
|
by chown(). This can be turned off with sysctl. |
| <li>partial protection against tcp SYN attacks.
|
<li>partial protection against tcp SYN attacks. |
| <li>added /etc/fbtab support to login & init.
|
<li>added /etc/fbtab support to login & init. |
| <li>RCS version 5.7
|
<li>RCS version 5.7 |
| <li>much newer join command (4.4lite2 with other fixes)
|
<li>much newer join command (4.4lite2 with other fixes) |
| <li>scsi subsystem security fix
|
<li>scsi subsystem security fix |
| <li>Kerberos is much more silent if not configured
|
<li>Kerberos is much more silent if not configured |
| <li>arc4-based random support in kernel
|
<li>arc4-based random support in kernel |
| <li>ncr53cXXX scsi scripts assembler
|
<li>ncr53cXXX scsi scripts assembler |
| <li>Numerous ftpd improvements and fixes, including multihomed and skey support.
|
<li>Numerous ftpd improvements and fixes, including multihomed and skey support. |
| <li>`lsof'-style features in fstat.
|
<li>`lsof'-style features in fstat. |
| <li>rudimentary support for ISA Plug-and-Play cards
|
<li>rudimentary support for ISA Plug-and-Play cards |
| <li>Fixed timeout support in RPC library, and also fixed it to support more
|
<li>Fixed timeout support in RPC library, and also fixed it to support more |
| than FD_SETSIZE file descriptors.
|
than FD_SETSIZE file descriptors. |
| <li>improved locate command
|
<li>improved locate command |
| <li>a good start at NETIPX support
|
<li>a good start at NETIPX support |
| <li>vim version 4.5
|
<li>vim version 4.5 |
| <li>gcc 2.7.2.1 (to get closer to native alpha support ar gcc
|
<li>gcc 2.7.2.1 (to get closer to native alpha support ar gcc |
| bugs).
|
bugs). |
| <li>latest version of perl, and a lndir command.
|
<li>latest version of perl, and a lndir command. |
| <li>Even more security fixes.
|
<li>Even more security fixes. |
| <li>cdio command for using CD audio.
|
<li>cdio command for using CD audio. |
| <li>Kernel warns f /dev/ces not ebooting ated /de<li>libgis gone; our malloc() is better.
|
<li>Kernel warns f /dev/ces not ebooting ated /de<li>libgis gone; our malloc() is better. |
| <li>FreeBSD pipe() system call; quite a bit faster.
|
<li>FreeBSD pipe() system call; quite a bit faster. |
| <li>Some serial driver support for /dev/cuaXX devices to support transparent
|
<li>Some serial driver support for /dev/cuaXX devices to support transparent |
| out+dial
|
out+dial |
| <li>DDcess symrom LKM es
|
<li>DDcess symrom LKM es |
| <li>Say goodbye to dump, restore, and mt security holes: They are no longer
|
<li>Say goodbye to dump, restore, and mt security holes: They are no longer |
| setuid.
|
setuid. |
| <li>*Hobbit*'s netcat utility. The crackers use it, so should you.
|
<li>*Hobbit*'s netcat utility. The crackers use it, so should you. |
| <li>New routed from SGI.
|
<li>New routed from SGI. |
| <li>Complete in-tree development for MIPS/Alpha systems (ie. binutils).
|
<li>Complete in-tree development for MIPS/Alpha systems (ie. binutils). |
| <li>ftp command modified for easily scripted ftp & http downloads.
|
<li>ftp command modified for easily scripted ftp & http downloads. |
| <li>And of course... more security related bugfixes... (ie. dump,
|
<li>And of course... more security related bugfixes... (ie. dump, |
| restore, mt).
|
restore, mt). |
| <li>vim is replacing nvi, since nvi does not have a pure BSD license, and vim
|
<li>vim is replacing nvi, since nvi does not have a pure BSD license, and vim |
| also works better.
|
also works better. |
| <li>16 partitions working on sparc and i386 (yipee!)
|
<li>16 partitions working on sparc and i386 (yipee!) |
| <li>Nice sample files in /etc
|
<li>Nice sample files in /etc |
| <li>sendmail gecos hole fixed (in a number of ways; other programs in the
|
<li>sendmail gecos hole fixed (in a number of ways; other programs in the |
| source tree were also vulnerable.)
|
source tree were also vulnerable.) |
| <li>secure multicast tools against possible security problems.
|
<li>secure multicast tools against possible security problems. |
| <li>latest GNU groff, incorporated in a clean wrapperized form.
|
<li>latest GNU groff, incorporated in a clean wrapperized form. |
| <li>mopd for networking booting Digital machines
|
<li>mopd for networking booting Digital machines |
| <li>less version 2.90
|
<li>less version 2.90 |
| <li>deal with the SYN bomb problem (denial of service attack) as well known.
|
<li>deal with the SYN bomb problem (denial of service attack) as well known. |
| <li>Sendmail 8.8.4 with smrsh
|
<li>Another kerberos security fix. |
| <li>Another kerberos security fix.
|
<li>Almost a hundred more security fixes, including /tmp races because of strncpy. |
| <li>Almost a hundred more security fixes, including /tmp races because of strncpy.
|
<li>Compile time option to compile the source tree almost completely dynamic. |
| <li>Compile time option to compile the source tree almost completely dynamic.
|
<li>A 7% reduction in size of static binaries. |
| <li>A 7% reduction in size of static binaries.
|
<li>FreeBSD's adduser(8) command. Also an rmuser(8) command. |
| <li>FreeBSD's adduser(8) command. Also an rmuser(8) command.
|
<li>We have completed security reviews of almost all userland programs and |
| <li>We have completed security reviews of almost all userland programs and
|
libraries except for the gnu stuff (where, based on preliminary |
| libraries except for the gnu stuff (where, based on preliminary
|
inspection there is poor handling of temp files). |
| inspection there is poor handling of temp files).
|
<li>Working Linux ext2fs. |
| <li>Working Linux ext2fs.
|
<li>Added sudo (which is maintained by one of our developers) |
| <li>Added sudo (which is maintained by one of our developers)
|
<li>CTM is now a supported way of obtaining OpenBSD source code. |
| <li>CTM is now a supported way of obtaining OpenBSD source code.
|
<li>The NIST Posix test suite became free. As a result we have been correcting |
| <li>The NIST Posix test suite became free. As a result we have been correcting
|
numerous problems in the source tree, and expect to be completely |
| numerous problems in the source tree, and expect to be completely
|
POSIX compliant very soon. |
| POSIX compliant very soon.
|
<li>upgrade to CVS version 1.9. |
| <li>upgrade to CVS version 1.9.
|
<li>A number of security fixes to the way coredumping works. |
| <li>Added -C option to pax/tar. Also made -z support compressed files too.
|
<li>The /dev/*random devices are now default on all architectures. |
| <li>Updated md4 and md5 headers to use bittypes so they work on 64-bit machines.
|
<li>Add stack tracebacks to Arc port's kernel debugger. |
| <li>Added secure hashing-- nearing RFC 1938 compliance.
|
<li>Skey revamped into full OTP (RFC1938) support, including sha1 and |
| <li>Fix for PCI etherlink3 packet-receive bug.
|
md5 support. |
| <li>sleep will "return time unslept" if interrupted.
|
<li>GPL i387 emulator added. |
| <li>yp and bootparam warns about security problems. ypserv will not allow operations if not operating on reserved port.
|
<li>Crank kvm space on the i386 port, also limit buffer cache useage |
| <li>config now supports pmax
|
so that 512MB machines may work (untested :-) |
| <li>pdksh version is now 5.2.11
|
<li>Numerous fixes to the lpr suite, including security. |
| <li>documentation added/updated for various architectures
|
<li>More ftpd raging paranoia security fixes. |
| <li>/dev/ttyv series is now useable
|
<li>The NIST suite showed numerous errors in libraries and the kernel. |
| <li>Security fixes to sysctl, default to prevent users from using mount syscall
|
Only a few small errors remain now, mostly regarding serial |
| <li>Cleaned up Amiga's Makefile's and documentation
|
ports. |
| <li>Added more ATAPI CD-ROM sipport
|
<li>In numerous utilities: prefer $LOGNAME, but also accept $USER. |
| <li>Multiple updates for legacy GNU software
|
<li>OLF binary type added. This is like ELF, but includes an OS-dependent |
| <li>Many man pages cleaned up
|
tag. elf2olf(1) converts an elf binary to a tagged OLF binary which |
| <li>updates to installation floppy disks for many ports.
|
the kernel can recognize correctly. |
| <li>fsck now checks for holes in directories.
|
<li>Beware $HOME overflows throughout the source tree. |
| <li>updated default console drivers on Mac 68k port. Dropping to system debugger from a serial console is now an option, not the default.
|
<li>Integration of the pmax port. |
| <li>ftpd security fix-- will not write passwords if core dumps. ALL suid/root process will dump to a mode 600 file
|
<li>Import of ctm. |
| <li>Stack traceback support added to arc port.
|
<li>Various repairs to the scsi scanner support. |
| <li>Fixed prevalent poor "C" syntax strcpy() strlen() in many sources
|
<li>Numerous more difficult-to-exploit-but-possible-if-someone-really-wanted-to |
| <li>cd fix so that `cp kernel /' works with all shells
|
buffer overflows found in system utilities.. |
| <li>SCSI subsystem updates: updated scanner and unknown device routines
|
<li>Memory leak paranoia in cron. |
| <li>lpr/lpd/lp fixes (security, POSIX/ANSI compliance)
|
<li>Make login get more consistantly upset about failed logins, and tell user |
| <li>IDE Hard Disk driver fix reduces chance of NULL pointers
|
about these failures at the next successfull login. |
| <li>binutils is now 961112 release from CYGNUS
|
<li>pdksh version is now 5.2.11 |
| <li>includes and system dependancies now work on explicit 16- and 32-bit quantities-- not the machine dependent "short" and "long" integer.
|
<li>New bsd.*.mk feature: DEBUG=-g. Try it, you'll like it. |
| <br><br>
|
<li>The Arc port family has a new member: The rPC44 works! |
|
|
<li>lpt driver is now bus-independent. |
| This list only mentions platform-independent changes. For a list of changes
|
<li>com driver is now bus-independent. |
| made in a particular platform, please check the page for that platform.<br><br>
|
<li>Numerous small security fixes again... |
|
|
<li>Use pdksh as our /bin/sh. This provides excellent POSIX compliance. |
| <hr>
|
<li>Prevent generic users from mounting filesystems by default. |
| <a href="index.html"><img src=back.gif border=0 alt=OpenBSD></a>
|
<li>Added -C option to pax/tar. Also made -z support compressed files too. |
| <a href=mailto:www@openbsd.org>www@openbsd.org</a>
|
<li>Increased compatibility in the pccons driver with BSDi features. |
| <br><small>$OpenBSD$</small>
|
<li>Imported FreeBSD's calendar. |
|
|
<li>GNU gdb works on the mips-based platforms. |
| </body>
|
<li>Add FreeBSD md5 diffs to mtree(8). This can be used to implement a |
| </html>
|
tripwire-like system. |
| |
<li>Some YP and bootparamd security changes. |
| |
<li>Hundreds of little fixes all over the place. |
| |
<li>Multiple updates for GNU software |
| |
<li>Add disklabels to the floppy device drivers. |
| |
<li>At boottime, have (*mountroot)() look at the root device's disklabel |
| |
to determine which filesystem type is to be mounted. |
| |
<li>If disklabel reading code discovers an ISOFS filesystem underlying, |
| |
spoof a nice disklabel (enough to fool mountroot). |
| |
<li>tcpdump 3.3 |
| |
<li>Fix information gathering attack in ping(8). |
| |
<li>Add NetBSD's "route show" implementation, and at the samet time fix |
| |
the new buffer overflows that this provided. |
| |
<li>Fix a few setgroups() related security holes. |
| |
<li>sendmail 8.8.4 |
| |
<li>texinfo 3.9 |
| |
<li>f77 0.5.19 |
| |
<li>Repair some more KerberosIV buffer overflows. Hard to believe this is |
| |
supposed to be security software. |
| |
<li>Add XCASE/IUCLC/OLCUC/OCRNL/ONOCR/ONLRET tty subsystem flags for |
| |
backwards compatibility. |
| |
<li>Permit NFS attribute cache to be configured on a per-mount basis. |
| |
|
| |
<li>Properly split fsck, mount, and newfs into multiple pieces. Use |
| |
disklabel information if it is available. |
| |
<li>Add disklabels to the vnd device driver. |
| |
<li>Change the games to be run setgid games, not setuid games. This closes |
| |
a whole slew of fascinating security holes. |
| |
<li>Import of the powerpc port. |
| |
<li>Properly use _POSIX_SAVED_IDS throughout the source tree. |
| |
<li>Permit building of kernels without a.out support. |
| |
<li>ppp 2.3b3 |
| |
<li>libcrypt goes away. We do not need this stub library anymore. Do not link |
| |
against it on OpenBSD, all the pieces you need are in libc. |
| |
</ul> |
| |
<br> |
| |
|
| |
This list only mentions platform-independent changes. For a list of changes |
| |
made in a particular platform, please check the page for that platform.<br><br> |
| |
|
| |
<hr> |
| |
<a href="index.html"><img src=back.gif border=0 alt=OpenBSD></a> |
| |
<a href=mailto:www@openbsd.org>www@openbsd.org</a> |
| |
<br><small>$OpenBSD$</small> |
| |
|
| |
</body> |
| |
</html> |
![[BACK]](/icons/back.gif){kind=icon}
Return to plus.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www