www/plus.html - diff

Return to plus.html CVS log

Up to [local] / www

Diff for /www/plus.html between version 1.849 and 1.850

-version 1.849, 2002/11/13 21:26:19
+version 1.850, 2002/12/09 01:48:36
 Line 50
 Line 50
 Line 50
  <p>
  <h3><font color=#0000e0>We are working on OpenBSD-current.</font></h3><p>
- The following list sums up (almost) all the changes made up to November 2.
+ The following list sums up (almost) all the changes made up to December 7.
  <p>
  <ul>
+ <li>strncpy -> strlcpy in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a>.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=compress&sektion=1">compress(1)</a> accept most of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzip&sektion=1">gzip(1)</a>'s long options. Some cleanup also.
+ <li>Continuing compatibility tweaks to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getopt_long&sektion=3">getopt_long(3)</a>.
+ <!-- ^ 20021208 -->
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> queue options can now be in any order. The 'scheduler' keyword is no longer used.
+ <li>More rule shrinkage: The 'fromto' part of a <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> is now optional and defaults to 'all', so e.g. 'block' == 'block all' == 'block from any to any'. <!-- Another uncommented feature, r1.244 -->
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> anchor rules now support parameters, so 'anchor name proto tcp from any to any port smtp' works.
+ <li>Remove support for the '-a otp' flag from <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnetd&sektion=8">telnetd(8)</a>. Use <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=login.conf&sektion=5">login.conf(5)</a> instead.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=su&sektion=1">su(1)</a>'s -a flag work again.
+ <li>'pfctl -s' now prints out addresses in rules in the order they are entered.
+ <li>When <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnet&sektion=1">telnet(1)</a> receives a SIGPIPE when writing to the terminal, treat it like a user SIGQUIT.
+ <li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> use the actual interface MTU instead of assuming 1500.
+ <li>Convert string key hashes in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> to network byte order.
+ <li>Fix a bug in Xaw that reads the wrong error return from <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=open&sektion=2">open(2)</a>.
+ <!-- ^ 20021207 -->
+ <li>All the games set up the RNG with <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=srandomdev&sektion=3">srandomdev(3)</a> instead of by lesser means.
+ <li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> set the transform from the Default-Phase-1-Configuration.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=srandomdev&sektion=3">srandomdev(3)</a> fall back to using sysctl if it can't open /dev/arandom.
+ <li>Make the libc <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getopt_long&sektion=3">getopt_long(3)</a> more compatible with GNU.
+ <li>Output from 'pfctl -v' is now valid input to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a>.
+ <li>Make section and tag comparisons in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> case-insensitive.
+ <!-- ^ 20021206 -->
+ <li>Allow a null direction in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> rules, so e.g. 'block all' is now valid. <!-- Oh yes. Uncommented effect of r1.237 that introduced anchor rules. -->
+ <li>Add named rulesets support to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>, invoked from 'anchor' rules in the main ruleset.
+ <li>Kernel memory allocation debugging can now be used anywhere - if the debugging pool is not yet initialised, it just does nothing.
+ <li>Fixes to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getopt_long&sektion=3">getopt_long(3)</a>.
+ <li>Rule numbers are no longer output by 'pfctl -v'. Use '-v -v' to get them back.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> handle systems with odd block sizes better.
+ <!-- ^ 20021205 -->
+ <li>Drop unnecessary altq devices from the kernel.
+ <li>Pass correct sizes to memset in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ping6&sektion=8">ping6(8)</a>.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bridge&sektion=4">bridge(4)</a> behave better when running spanning tree: Flush the dynamic MAC cache when the forwarding/blocking state changes, and only forward packets while in the forwarding state.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> accept ACQUIRE requests with a null EXT_ADDRESS_SRC.
+ <li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>, apply a netmask consistently.
+ <!-- ^ 20021204 -->
+ <li>Crank the major version numbers of the X libraries.
+ <li>Continuing cleanup and shrinkage of the installer scripts.
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=arp&sektion=8">arp(8)</a> now prints the interface name with which an address is associated.
+ <li>Big cleanup up <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mixerctl&sektion=1">mixerctl(1)</a>.
+ <li>Import a GNUish <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getopt_long&sektion=3">getopt_long(3)</a> from NetBSD.
+ <li>Add -4 and -6 command line options to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> to select the address family to use.
+ <li>Better MTU setting for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4">pfsync(4)</a>.
+ <li>Correct a missed initialiser in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=raid&sektion=4">raid(4)</a>.
+ <li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> play nice and shut down its sockets when it's done.
+ <!-- ^ 20021203 -->
+ <li>Crank all (system) library major numbers now that propolice is in.
+ <li>Make a copy of rather than just refer to a string in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld&sektion=1">ld(1)</a>. Cures some ports linking problems.
+ <li>Allow options at the end of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> pass and block rules to come in any order.
+ <li>Make the bandwidth specifier optional in altq rules (as well as queue rules.) As a side effect, the altq rules can now have "bandwidth xx%" where the percentage is taken w.r.t. the interface bandwidth.
+ <li>Implement legacy functions <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ecvt&sektion=3">ecvt(3)</a>, fcvt(3) and gcvt(3) for standards compliance.
+ <li>Add <a href="http://www.trl.ibm.com/projects/security/ssp">propolice</a> stack attack protection into <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gcc&sektion=1">gcc(1)</a>.
+ <li>Updated <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=unifdef&sektion=1">unifdef(1)</a>.
+ <!-- ^ 20021202 -->
+ <li>Don't have the X server drop privileges if started by root and from a non-standard config path.
+ <li>Tweaks and fixes to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>'s ioctl code.
+ <!-- ^ 20021201 -->
+ <!-- ^ 20021130 -->
+ <li>Teach <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a> about <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4">pfsync(4)</a>.
+ <li>Add new pseudo-device <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4">pfsync(4)</a>, exposing changes to the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> state table.
+ <li>Kill a null deref in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>.
+ <li>Wrap some noisy altq printf()s with #ifdef ALTQ_DEBUG.
+ <!-- ^ 20021129 -->
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=file&sektion=1">file(1)</a> gets a new option, -b, which supresses the output of the pathname.
+ <li>Allow a qlimit to be specified in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> altq rules as well as in queue rules.
+ <li>Use a custom hash function (based on that in if_bridge.c) for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> source-hash nat pools instead of MD5.
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=8">tcpdump(8)</a> checks for invalid icmp6 option length.
+ <!-- ^ 20021128 -->
+ <li>page_dir update fixed in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=realloc&sektion=3">realloc(3)</a>. MALLOC_OPTIONS=J is now honoured in realloc() as well.
+ <li>'fc -e' now works when <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ksh&sektion=1">ksh(1)</a> is invoked in 'sh' mode.
+ <li>Allow usernames given to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> to contain '@' characters, i.e. the hostname follows the last '@'.
+ <li>Tweaks to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> altq rules display.
+ <li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=daemon&sektion=3">daemon(3)</a> closing descriptors that <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a> needs.
+ <li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> read correctly the tbrsize spec.
+ <li>Fix underflow and wraparound in socket timeout calculation.
+ <li>Make IPv6 work in Linux emulation mode, though not for IPv4-mapped addresses.
+ <!-- ^ 20021127 -->
+ <li>The bandwidth statement in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> queue rules is now optional.
+ <li>Change <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5">pf.conf(5)</a> ordering so translation is now after queue...
+ <li>Parse more include files so that <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kdump&sektion=1">kdump(1)</a> knows about more ioctls.
+ <li>Pass in the right structure to DIOCCHANGEADDR.
+ <!-- ^ 20021126 -->
+ <li>Fix 'pfctl -Fq' so <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=altq&sektion=9">altq(9)</a> gets flushed and reset properly.
+ <li>setuid() -> seteuid() in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a>.
+ <li>Tweak <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>'s handling of address families in rules.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> fetch the address properly for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lo&sektion=4">lo(4)</a> with LINK1 set.
+ <li>Use 1KB = 1000B instead of 1024B when dealing with bandwidth in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>.
+ <li>Fix URL CRLF injection bug in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lynx&sektion=1">lynx(1)</a>.
+  <!-- Applied to 3.2-stable -->
+ <li>Add a missing check for snprintf errors in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=identd&sektion=8">identd(8)</a>.
+ <li>Protect arc4_getbyte() with an splhigh().
+ <li>Some cleanup in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=talkd&sektion=8">talkd(8)</a>.
+ <!-- ^ 20021125 -->
+ <li>When <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=malloc&sektion=3">malloc(3)</a> stats dumps are enabled, warn if <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=atexit&sektion=3">atexit(3)</a> fails.
+ <li>Enforce new <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5">pf.conf(5)</a> ordering: options, normalization, translation, queue, filter.
+ <li>Copy TAILQs properly in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a>.
+ <!-- ^ 20021124 -->
+ <li>Remove a potential access-after-free in libc's syslog code.
+ <li>New manual page <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gcc-local&sektion=1">gcc-local(1)</a> documenting OpenBSD-specific changes to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gcc&sektion=1">gcc(1)</a>.
+ <li>So farewell, then, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=altqd&sektion=8&release=OpenBSD+3.2">altqd(8)</a> and friends.
+ <li>Better <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> altq rule error checking.
+ <li>Fix a potential null deref in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a>'s parser, and some general cleanup.
+ <li>Make sure <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8">authpf(8)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> don't try to issue ioctls when running with -n.
+ <!-- ^ 20021123 -->
+ <li>Implement 'nat pools' in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>, allow redirection using (nat, rdr, route-to, dup-to and reply-to) to multiple addresses.
+ <li>Improvements to the ELF loader.
+ <li>Some snprintf paranoia in BSD auth, also some extra initialisation.
+ <li>Added new example dir /usr/share/pf, and example queue rulebase /usr/share/pf/queue1 to show how cool pf+altq is.
+ <li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8">authpf(8)</a> accepting non-interactive sessions.
+ <li>'pfctl -v' displays altq and queue lines, including child queue assignment.
+ <li>Match the queue to the return type (icmp-unreach or RST) for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> block rules.
+ <li>Use a quad_t instead of an int, and fix rlimit sizing for >2GB machines.
+ <!-- ^ 20021122 -->
+ <li>Fix some <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strncpy&sektion=3">strncpy(3)</a> lengths in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=telnetd&sektion=8">telnetd(8)</a>.
+ <li>Add _tokenadm and _radius groups so their respective login programs can be setgid instead of setuid(root).
+ <li>Add _shadow group and change group and mode of /etc/spwd.db to match
+ <li>Add <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=atoll&sektion=3">atoll(3)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strerror&sektion=3">strerror_r(3)</a> to libc.
+ <li>Add simple multiple-card load balancing to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypto&sektion=9">crypto(9)</a> and add a simplified driver registration API.
+ <li>Some int -> unsigned int in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>.
+ <li>New -n option for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=syslogd&sektion=8">syslogd(8)</a> to disable DNS lookups.
+ <!-- ^ 20021121 -->
+ <li>Correct a format string bug in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=routed&sektion=8">routed(8)</a>'s, er, Makefile.
+ <li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=at&sektion=1">at(1)</a> breakage when two jobs are set for the same time.
+ <li>Correct a use-before-init in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xterm&sektion=1">xterm(1)</a>.
+ <!-- ^ 20021120 -->
+ <li>Create a simple lookup table mechanism [dev/pci/pci.c:pci_matchbyid()] to match PCI device IDs, and have several drivers use it.
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vi&sektion=1">vi(1)</a> catalog updates: Fix Russian, add Polish and Ukrainian.
+ <li>Fix an off-by-one when reading ICMP types and codes by name in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a>.
+ <!-- ^ 20021119 -->
+ <li>Merge of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=altq&sektion=9">altq(9)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>, still some work left to do.
+ <li>Don't overwrite SIG{INT,QUIT,TERM} handlers in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> if they're set to ignore. This mirrors <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rsh&sektion=1">rsh(1)</a> behaviour.
+ <!-- ^ 20021118 -->
+ <!-- ^ 20021117 -->
+ <li>Make sure <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=skey&sektion=1">skey(1)</a> issues a fake challenge for a user without an S/Key file.
+ <!-- ^ 20021116 -->
+ <li>Enable the pthread library, but install it as libnpthreads so autoconf scripts don't pick it up and use it with -lpthread as well as using -pthread.
+ <li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a>, prohibit user id changes once logged in, and run more stuff as the logged-in user.
+ <li>Add 'Default-Phase-1-Configuration' to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>.
+ <li>Be more careful when loading RSA1 key files in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>.
+ <!-- ^ 20021115 -->
+ <li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>'s handling of multiple values and continuation lines.
+ <li>Improvements to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so&sektion=1">ld.so(1)</a> symbol lookup failure messages.
+ <li>Allow DNS queries from the initial rulebase loaded by /etc/rc, so <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a> can load at boot-time rulebases containing DNS entries.
+ <!-- ^ 20021114 -->
+ <li><font color="#e00000"><strong>SECURITY FIX: A buffer overflow in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=named&sektion=8">named(8)</a> could allow an attacker to execute code with the privileges of named. On OpenBSD, named runs as a non-root user in a chrooted environment which mitigates the effects of this bug.</strong></font><br>
+     <a href="errata.html#named">A source code patch is available</a>.<br>
+     <a href="stable.html"><font color=#00b000>[Applied to stable]</font></a>
+ <li>Create links from <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=curses&sektion=3">curses(3)</a> libs to ncurses, to satisfy autoconfiguration scripts that expect the latter instead of checking properly.
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> scrub rules now are subject to the same list expansion as other rules.
+ <li>Add label macro '$if' to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5">pf.conf(5)</a>, now we can have interfaces in expansion lists.
+ <li>Add some missing pointer initialisations in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8">pfctl(8)</a>.
+ <!-- ^ 20021113 -->
+ <li>Add a null transform to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypto&sektion=4">crypto(4)</a>, enabled via sysctl kern.cryptodevallowsoft=1.
+ <li>Fix <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1">systrace(1)</a>'s determination of the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=execve&sektion=2">execve(2)</a> filename.
+ <li>Kernel IPsec code checks for short IP headers.
+ <!-- ^ 20021112 -->
+ <!-- ^ 20021111 -->
+ <!-- ^ 20021110 -->
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1">systrace(1)</a> checks for invalid system call numbers.
+ <!-- ^ 20021109 -->
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=su&sektion=1">su(1)</a>'s login emultation mode work even more like <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=login&sektion=1">login(1)</a>.
+ <li>Avoid a possible reference count leak in kernel file descriptor code.
+ <li>Remove bogus operations on the not-yet-existent file descriptor table in libc_r.
+ <!-- ^ 20021108 -->
+ <li>Implement simple vnodeops inheritance for specfs and fifofs,
+ <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&sektion=1">ftp(1)</a> can now follow HTTP redirects.
+ <li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> properly reflect check the exit status of its <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> process if an error occurs.
+ <li>Fix some invalid pointers in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>'s <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ioctl&sektion=2">ioctl(2)</a> handler.
+ <li>Stop <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=makewhatis&sektion=8">makewhatis(8)</a> moaning about non-existent directories.
+ <li>Don't use the HostbasedAuthentication switch to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a>; instead, add new option EnableSSHKeysign to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>.
+  <!-- XXX not added to ssh_config manpage though -->
+ <li>Have <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=groupdel&sektion=8">groupdel(8)</a> check that the named group exists.
+ <li>Allow '$' as the last character of a username, to appease Samba.
+ <li>Make <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>'s -e option (log to stderr) work.
+ <li>Make the minimum file rotation size 512 bytes instead of 512Kbytes...
+ <li>Rearrange payload length check for ESP packets so packets with NULL encryption are tested also.
+  <!-- Applied to 3.2-stable -->
+ <li>Don't allow a simple non-existent server to crash <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=altqstat&sektion=1">altqstat(1)</a>.
+ <!-- ^ 20021107 -->
+ <li>Solve problems static linking with -lpthread. (-static -pthread still broken.)
+ <li>Stop up a couple of memory leaks in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd&sektion=8">isakmpd(8)</a>.
+ <li>Fix a few bugs in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mount&sektion=8">mount(8)</a>, and make its command line arguments handling more consistent.
+ <li>Keep a correct reference count to the file referenced by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ioctl&sektion=2">ioctl(2)</a> under SVR4 emulation.
+     <!-- Applied to 3.2-stable -->
+ <!-- ^ 20021106 -->
+ <li>Gracefully handle broken firewalls that block ECN-enabled TCP sessions by falling back to non-ECN.
+ <li>Some thread-safety fixes to libc.
+ <li>Add a cast to handle properly size_t larger than u_int in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>.
+ <li>Fix some problems <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gzip&sektion=1">gzip(1)</a> had displaying information on files > 2GB.
+ <!-- ^ 20021105 -->
+ <li>Serve <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> a strong draught of CIDR (e.g. can use 10/8 now instead of 10.0.0.0/8.)
+ <li>-STABLE branch created for 3.2. <a href="errata.html#smrsh">smrsh</a>, <a href="errata.html#pfpridge">pfbridge</a> and <a href="errata.html#kadmind">kadmind</a> errata fixes applied to it.<br>
+ <li>When checking a filename in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, don't fail when <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=realpath&sektion=3">realpath(3)</a> for the user's home directory - this happens legitimately when using AFS.
+ <!-- ^ 20021104 -->
+ <!-- ^ 20021103 -->
  <li>Do a better job when comparing dynamic addresses in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>.
  <li>In <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> AF macros, operate on the whole address (all 128 bits) unless AF_INET is set.
  <!-- ^ 20021102 -->
-Line 74
+Line 268
 Line 74
 Line 268
  <!-- ^ 20021029 -->
  <li>Remove a bogus test in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dd&sektion=1">dd(1)</a> that stopped a perfectly legal seek on a character device.
  <li>Merge OpenSSL 2.2.18, fixing a cross-site scripting bug and two off-by-ones.
+  <!-- Applied to 3.2-stable -->
  <li>Add a missing break statement in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1">systrace(1)</a>'s arguments parsing code.
  <!-- ^ 20021028 -->
  <li>Add getdents64() support under Linux emulation.
-Line 107
+Line 302
 Line 107
 Line 302
  <li>Fix a null deref in libc_r.
  <li>Make sure the user process tally is right when kernel stack space can't be allocated for the new proc.
  <li>Correctly count the total number of processes in the system.
- <li>Fix a remotely exploitable buffer overflow in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kadmind&sektion=8">kadmind(8)</a>.<br>
+ <li><font color="#e00000"><strong>SECURITY FIX: A buffer overflow can occur in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kadmind&sektion=8">kadmind(8)</a> daemon, leading to possible remote crash or exploit.</strong></font><br>
+     <a href="errata.html#kadmin">A source code patch is available</a>.<br>
      <a href="stable.html"><font color=#00b000>[Applied to stable]</font></a>
  <!-- ^ 20021021 -->
  <li>Add partial support for the 21145 chip to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dc&sektion=4">dc(4)</a>.
-Line 148
+Line 344
 Line 148
 Line 344
  <!-- ^ 20021015 -->
  <li>In the X server, work around problems caused by certain MTRR configurations whose details are only available under NDA.
  <li>Kernel tweaks and hacks in preparation for GCC 3.x (kern/subr_prf.c)
- <li>Some fixes in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pool&sektion=9">pool(9)</a>.
+ <li><font color="#e00000"><strong>A logic error in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pool&sektion=9">pool(9)</a> kernel memory allocator could cause memory corruption in low-memory situations, causing the system to crash.</strong></font><br>
+     <a href="errata.html#pool">A source code patch is available</a>.<br>
+     <a href="stable.html"><font color=#00b000>[Applied to stable]</font></a>
  <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> can now binat a whole netblock with one rule.
  <!-- ^ 20021014 -->
  <li>Remove a potential null pointer deref in BSD authentication code.
-Line 162
+Line 360
 Line 162
 Line 360
  <li>Catch some endianness nits and add zero-padding of keys in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wi&sektion=4">wi(4)</a>.
  <li>Teach ALTQ CBQ the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> API. The old API remains for now.
  <!-- ^ 20021011 -->
- <li>Fix memory corruption that could cause panics in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bridge&sektion=4">bridge(4)</a>d systems with scrub enabled.
+ <li><font color="#e00000"><strong>RELIABILITY FIX: Network bridges running pf with scrubbing enabled could cause mbuf corruption, causing the system to crash.</strong></font><br>
+     <a href="errata.html#pfbridge">A source code patch is available</a>.<br>
+     <a href="stable.html"><font color=#00b000>[Applied to stable]</font></a>
  <li>Fix a bug in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mbuf_tags&sektion=9">m_tag_copy_chain()</a>.
  <!-- ^ 20021010 -->
  <li>Hush up noisy IPv6 neighbor discovery. Can be made loud again using sysctl net.inet6.icmp6.nd6_debug.
  <!-- ^ 20021009 -->
- <li>In Sendmail, fix a potential bypass of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smrsh&sektion=8">smrsh(8)</a> (see the Sendmail.org <a href="http://www.sendmail.org/smrsh.adv.txt">advisory</a>.)
+ <li><font color="#e00000"><strong>SECURITY FIX: An attacker can bypass the restrictions imposed by sendmail's restricted shell, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smrsh&sektion=8">smrsh(8)</a>, and execute arbitrary commands with the privileges of his own account.</strong></font><br>
+     <a href="errata.html#smrsh">A source code patch is available</a>.<br>
+     <a href="stable.html"><font color=#00b000>[Applied to stable]</font></a>
  <li>Make predicates part of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1">systrace(1)</a>'s grammar.
  <!-- ^ 20021008 -->
  <li>Start work on a merge of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=altq&sektion=9">altq(9)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a> functionality. Oh yes.
-Line 195
+Line 397
 Line 195
 Line 397
  <li>Give <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=window&sektion=1">window(1)</a> the stdarg treatment.
  <li>When routing via <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&sektion=4">pf(4)</a>, use the outgoing interface as decided by the normal routing code, not the interface to which the rule applies.
  <li>Fix cross-site scripting vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840">CAN-2002-0840</a>) in the default error page of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&sektion=8">httpd(8)</a>. Only applies under specific (and non-OpenBSD default) conditions.
+     <a href="stable.html"><font color=#00b000>[Applied to stable]</font></a>
  <!-- ^ 20021004 -->
  <li>In kernel IP processing, block interrupts with <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=splsoftnet&sektion=9">splsoftnet(9)</a> around interface address routing table manipulations.
  <li>Make sure <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wi&sektion=4">wi(4)</a> doesn't accept out-of-range TX keys.