===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v
retrieving revision 1.836
retrieving revision 1.837
diff -u -r1.836 -r1.837
--- www/plus.html 2002/07/23 21:56:24 1.836
+++ www/plus.html 2002/07/31 22:56:49 1.837
@@ -48,31 +48,177 @@
We are working on OpenBSD-current.
-The following list sums up (almost) all the changes made up to July 16.
+The following list sums up (almost) all the changes made up to July 29.
-- Cardbus support for macppc.
-
- Fix graceful restarts of chrooted httpd(8).
+
- New 'PermitUserEnvironment' option for SSH. Off by default.
+
- Add 'with or without modification' clause to gprof(1) licensing.
+
- Sync with OpenSSL 0.9.6e-0.9.7 CHANGES file.
+
- SECURITY FIX: Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the ssl(8) library, as in the ASN.1 parser code in the crypto(3) library, all of them being potentially remotely exploitable.
+ A source code patch is available.
+ [Applied to stable]
+ - In pf(4), allow TCP flags to be specified in all rules that include TCP (before the rules had to be exclusively TCP.)
+
+
- Fix a buffer overflow in backgammon(6), and replace its gameplay algorithm.
+
- Kill a kernel tty memory leak.
+
- Super-cautious strcpy()->strlcpy() in exec*(3).
+
- Return failure if the parameters given to calloc(3) would cause an overflow of size_t.
+ [Applied to stable]
+ - Don't enable so many authentication methods by default in login.conf(5).
+
- SECURITY FIX: A buffer overflow can occur in the xdr_array(3) RPC code, leading to possible remote crash.
+ A source code patch is available.
+ [Applied to stable]
+ - Privilege drop in new X servers is disabled for now on x86 due to a problem with xf86OpenConsole().
+
- Support DMA for two more ServerWorks pciide(4) devices.
+
- SECURITY FIX: A race condition exists in the pppd(8) daemon which may cause it to alter the file permissions of an arbitrary file.
+ A source code patch is available.
+ [Applied to stable]
+ - mprotect(2) function pointers stored by atexit(3) to stop bad guys tweaking the exit handlers.
+
- "undrugs" gpr(4).
+
- Fix two off-by-one bugs in ext2fs.
+
- Add ld.so support for sparc.
+
- Lookup of ip6.arpa, then ip6.int for IPv6 reverse resolution. See RFC3152 for why.
+
- Small fix for GCC 3.1.1 in IPv4 checksum code.
+
+
- Apply the 'broken PCI burst-write' workaround to all hifn(4) 7811-based devices.
+
- Show uftdi(4) how to use hardware and software flow control.
+
- Fix a potential access-after-free() in kue(4).
+
+
- /tmp/.X11-unix and /tmp/.ICE-unix are created in rc, owned by root, removing the need for root privs later on.
+
- Again, this time in ld(1), map BSS non-executable.
+
- Rearrange the new XFree86 server so all tasks for which root privs are needed get done early in osinit(). Of course, revoke root right afterwards.
+
- Add Dell-specific PERC (right) product IDs so that aac(4) configures Dell PowerEdge 2650 RAID.
+
- Add leapsecond support to rdate(8)'s NTP client.
+
+
- The install/upgrade scripts no longer automatically mount NFS filesystems.
+
- Kernel a.out code now allocates (mostly) non-executable BSS.
+
- Miscellaneous fixes to several games.
+
- Lots of work on the sparc64 creator(4/sparc64) framebuffer driver.
+
- In pf(4) the order of the log and quick keywords is now irrelevant.
+
+
- Allow X servers to be built without DGA.
+
- At securelevel 2, stop an attacker from setting the clock forwards to within a year of the time it wraps around to zero.
+
- Allow altq(9) to work on pre-Pentium x86 machines that lack pentium_mhz stuff.
+
- Add a distrib note that due to major changes to the port, the sparc installer won't allow upgrades to 3.2
+
- Only include a single wscons(4) font when building with option SMALL_KERNEL.
+
- Add a few more RFC2142-suggested mailbox aliases.
+
- Improve mg(1)'s filename handling.
+
- More hifn(4) fixes.
+
- Fix comparison bug in IPv6 multicast routing MTU check.
+
+
- Correct bad sizeof() in kernel NFS code.
+
- Checks for snprintf(3) return values < 0.
+
- Improve systrace(1)'s uid/gid tracking.
+
- Fix the csh(1) large directory fix.
+
- In ssh(1), help avoid a potential man-in-the-middle attack by showing all known host keys for a host when we're warning about an unknown host key.
+
- Fix a TAILQ null deref in pmdb.
+
+
- Make the second parameter to r?index()/strr?chr() an int instead of a char.
+
- Stick a thread mutex around name lookups in getaddrinfo(3).
+
- Fix a systrace(1) double free().
+
- Cardbus support for macppc.
+
- Fix dc(4) cardbus reads.
+
- Remove a signedness bug in sshd(8)'s handling of utmp_len (-u option.)
+
- Fix some bugs in pool(9).
+
+
- More additions to GNU as(1), this time to make Ogle compile.
+
- Fix graceful restarts of chroot'ed httpd(8).
+
- Have SSH fall back to the standard path if setusercontext() can't set it.
+
+
- Add a sequence number to kernel messages for systrace(1).
+
- Teach pmdb about corefiles.
+
+
- noct(4) now works around NSP2000 PCI bridge brokenness. Fix a similar problem in hifn(4).
+
- Drop the requirement for commas in many pf(4) lists, useful when used in conjunction with the new variable concat feature.
+
- Implement string concatenation for variable declarations in pf(4).
+
- Big change to the way signal trampolines are stored and called.
- Add milter build support to sendmail(8), see the Makefile.
+
- Make sudo(8) and inetd(8) die if setusercontext() fails.
+
+
- Fix a disk masher bug in siop(4), a little too late for some.
+
- Don't install mk-amd-map(8) any more, we don't use it. And it's broken.
- Merge Apache 1.3.26 and mod_ssl 2.8.10.
-
- /etc/systrace directory added.
+
- Have SSH remove fatal cleanups after calling fork().
+
+
- /etc/systrace directory added along with policies for named(8) and lpd(8).
+
- Make OpenSSL use /bin/sh instead of $SHELL when running scripts. Not everyone uses a Bourne-like shell.
+
- String handling and other fixes to rogue(6).
+
+
- Fix pax(1) -s replacement string truncation.
+
- Fix a deref after free() in the kernel's routing socket code.
+
- Add 'fdcache' to Apache, part of the work to make graceful restart work properly under the chroot().
+
- The search for a shorter rulebase continues, pf(4) now recognises 'self' as an address, meaning all IPv4 and IPv6 addresses on all interfaces.
+
+
- Fix wayward string termination in rbootd(8).
+
- Fix a DIAGNOSTIC bug in ffs_softupdates(4), and also make panic() calls show the right type.
+
- Some mbuf Fixes to the hifn(4) driver, more fixes to come.
+
- Add DES and 3DES to noct(4) as well.
+
- Fix some broken memset() and lseek() calls.
+
+
- Work around some limitations of noct(4) hardware. Add MD5 and SHA1 support.
- Small additions to as(1) to make gnupg compile.
+
- Add some new users (names beginning with underscore) to replace user nobody for portmap, rstatd, identd, rusersd and fingerd.
- Fix csh(1) directory completion SIGSEGV with large directories.
- Make atrun(8) part of cron(8), removing the need for the atrun cronjob.
- More pf(4): accept !<interface> syntax. Oh yes.
- top(1) now has a BSD license.
- pf(4) parser spots more silly combinations (return-rst on non-TCP rules, keep-state on block rules.)
+
+
- Fix a double free in BSD authentication.
+
- Make ftpd(8) always use high port numbers for passive data connections (no more -h option.)
-
- The XFree86 3.3.x servers that are left now revoke their root privileges after getting I/O access.
-
- Teach MMX (not SSE) to as(1).
-
- Add support for AGP GART on i386 (see vga(4) and options(4),) and enable by default.
-
- Make xterm revoke its root privileges, and install it setgid(utmp).
+
+
- Add SIGALRM to the list of signals that can be sent (after uid/euid checks) to set[ug]id child processes.
+
- Enable list expansion for pf(4) NAT rules, broken since the pf.conf/nat.conf merge.
+
- The XFree86 3.3.x servers that are left now revoke their root privileges right after getting I/O access.
+
- Now that xterm(1) drops its root privileges, install it setgid(utmp) for utmp updates. Revoke setgid too if not needed.
+
- Fix at least one tcpdump(8) buffer overflow.
[Applied to stable]
+ - Teach MMX (not SSE) to as(1).
+
- Add radio(4) device attachment for bktr(4) and fms(4).
+
- Have pcibios(4) detect and ignore a too-short PCI IRQ routing table header.
+
- Changes to ld.so(1): Search order now always looks like a.out, destructors are called on dlclose(), move some libc-like functions into private namespace.
+
- Add support for AGP GART on some i386 AGP chipsets (see vga(4) and options(4).)
+
- Remove '\\' -> '\' translation in crontabs to keep the shell happy.
+
- Make xterm(1) revoke its root privileges.
+
- Remove a race and some other bugs from the mountpoint locking code.
+
- Add some flags to dohooks(8) and fix a time-honoured memory leak in hook_disestablish(9).
+
+
- New, hard-won firmware image for the txp(4) driver.
+
- Remove the www group's privileges to the mod_ssl mutex semaphore.
+
- Really remove SuperProbe from X.
- Create a skeleton UserDir tree under /var/www/users.
-
- Make httpd(8) chroot() and drop root privileges by default.
-
- pf(4) now accepts an interface in most of the places it can take an IP address, and picks up all the IPv4 and IPv6 addresses on that interface.
+
- Have Apache initialise OpenSSL (opening /dev/crypto) before chroot. No more /var/www/dev/crypto.
+
+
- Basic IPv6 fragment support (no normalisation yet) in pf(4).
+
- Correct a memcpy error in the kernel and ssh's Rijndael code.
+
- Make systrace(1) filename intercepts work with chroot().
+
- Try to make resetting of USB ports work better.
+
- Add fchmod translation support to systrace(1).
+
- Stop systrace(1) closing the std file descriptors when going daemon.
+
+
- Fix ni6_nametodns() pointer bug in icmp6; NetBSD PR17540.
+
- Add support in uftdi(4) for FT8U232AM-based USB serial adapters, likewise add more devices to uplcom(4).
+
- Fix miniroot typo that was breaking FTP installs.
+
- Fix sed(1)'s r command (PR2755.)
+
- Add a daemon mode to systrace(1).
+
- udbsr(4) driver for D-Link radio cards added.
+
- Add a timeout value to USB I/O calls, rather than having a systemwide timeout.
+
- Make httpd(8) chroot() and drop root privileges by default. A lot module chroot fixes to come.
+
- Add syscall aliasing to systrace(1) (e.g. stat/fstat/readlink/access/... become 'fsread'.)
+
- Some fixes to
- In umidi(4) and uscanner(4).
+
- Add SMC 2206 support to
- In aue(4).
+
- Fix a potential off-by-five error in systrace(1).
+
- pf(4) now accepts an interface in most of the places it can take an IP address, and picks up all the IPv4 and IPv6 addresses on that interface.
+
+
- Don't try to load a 32-bit quart into a 16-bit pint register in xl(4).
+
- Always load ELF binaries to the address at which they were linked.
+
- Rig opendir(3)'s sort so it can't fail due to lack of memory.
+
- Compatibility fixes for the ubsec(4) 582x series.
- Some updates to cron(8).
+
- Grab a security fix to bcopy/memcpy from FreeBSD. See their cvsweb entry for bcopy.S.
+
- Work around tl(4)'s broken multicast filter.
- Remove ab(1) from the Apache installation.
- Remove NTP support from the kernel.
- Don't attempt to resubmit a structure we just freed in ipsec(4) / ipcomp(4).
@@ -618,7 +764,7 @@
www@openbsd.org
-
$OpenBSD: plus.html,v 1.836 2002/07/23 21:56:24 deraadt Exp $
+
$OpenBSD: plus.html,v 1.837 2002/07/31 22:56:49 deraadt Exp $