===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v
retrieving revision 1.866
retrieving revision 1.867
diff -u -r1.866 -r1.867
--- www/plus.html 2003/03/14 19:11:24 1.866
+++ www/plus.html 2003/03/24 08:36:57 1.867
@@ -51,10 +51,130 @@
We are working on OpenBSD-current.
-The following list sums up (almost) all the changes made up to March 5.
+The following list sums up (almost) all the changes made up to March 21.
+
+- Stop sendbug(1) reporting spurious errors.
+
- Restore ac97(4) state after an apm(4) resume.
+
- Make the syslogd(8) default facility LOG_USER instead of (due to a bug) LOG_UUCP.
+
- Make netstat(8) -m output of mbuf cluster stats much more useful.
+
- Fix memory use percentage output of ps(1).
+
- Some endianness fixes to ahc(4), making it works on macppc.
+
- Fix some problems with pf(4) table statistics.
+
- Disable by default (and add a switch to enable) cross-realm authentication from Kerberos IV realms in Kerberos V kdc(8). This addresses a recently found vulnerability.
+ [Applied to stable]
+ - Disable the Kerberos IV kdc(8), since all its functionality is available in the Kerberos V kdc.
+
+
- Enquote $lpd_flags in /etc/rc.
+
+
- Fix a logic error in sudo(1)'s SIGCHLD handler.
+
- SECURITY FIX: OpenSSL is vulnerable to an extension of the `Bleichenbacher' attack designed by Czech researchers Klima, Pokorny and Rosa.
+ A source code patch is available.
+ [Applied to stable]
+ - Tweak pfctl(8) host address parsing to catch exceptional cases.
+
- Fix parsing of the dhcpd(8) leases file.
+
+
- Add a missing return statement in mkhybrid(8).
+
+
- Restore bootable tape functionality for sparc.
+
- Longword-align struct sockaddrs passed to the kernel by arp(8).
+
- An RFC 2553 compliance tweak to getaddrinfo(3).
+
- Change perl(1)'s config hints file to reflect the promotion of setre[ug]id(2) to real system calls.
+
- Some (v)sprintf -> (v)snprintf in libcurses and libcurses++.
+
- Bump ssh(1) version to 3.6.
+
+
- Fix a bad string length when checking options to login_passwd(8).
+
- Add a nicely free license to hack(6).
+
- Fix a bogus string initialisation when printing IPv6 addresses that was causing a segfault in netstat(8).
+
+
- More string function sanity in the 4.3BSD compat library, crypto(3) and sudo(1).
+
- Fix a string under-allocation in mountd(8).
+
- Update to sudo(1) 1.6.7.
+
- SECURITY FIX: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
+ An `RSA blinding' source code patch is available.
+ [Applied to stable]
+ - Add a missing chroot path correction when creating the SSL mutex file in httpd(8).
+
+
- Another fix in the gcc(1) stack protector.
+
- More strcpy -> strlcpy, in cron(8) this time.
+
- After all the hard work making the X server run as a non-root user, stop the scheduler lowering non-root processes' priority if they've had more than ten minutes of CPU time.
+
- Check the length of all fixed-length IPv6 neighbor discovery options.
+
- Enable RSA blinding in keynote(3).
+
- Remove the redundant -t option from mt(1).
+
- Fix a bug in pf(4) tables that could cause table-based filtering of packets with a source or destination address of 0.0.0.0 (e.g. DHCP) to corrupt the kernel.
+
- Enable RSA blinding for mod_ssl private key operations.
+
+
- Fix a bug that caused all jobs displayed by atq(1) to appear to be owned by the owner of the last job in the queue.
+ [Applied to stable]
+ - Require spamd(8) control connections to originate from a reserved port.
+
- Plug a pf(4) tables memory leak.
+
- Scale the altq(4) RED thresholds to 10% (min) and 30% (max) of the queue limit.
+
- Fix a one-byte underflow in raidctl(8).
+
- Switch RSA blinding on for isakmpd(8), ssh-agent(1) and ssk-keysign(8).
+
- Still more sprintf -> snprintf and strcpy -> strlcpy in many, many places.
+
+
- More strcpy -> strlcpy, this time in badsect(8), restore(8) and scsi(8).
+
- Fix a missing initialisation in pckbc(4) when the ps/2 keyboard is not the system console. Avoids a panic on alpha.
+
- Remove sbin/photurisd from the tree.
+
- (v)sprintf -> (v)snprintf in mrouted(8).
+
- Add -c option to md5(1), for compatibility with GNU md5sum.
+
- Set IFCAP_VLAN_MTU for sk(4).
+
+
- Add a missing endianness fixup to bktr(4).
+
- Hack compat_freebsd(8) to pick up recent FreeBSD binaries such as Opera.
+
- Make cron(8)'s parser detect many more syntax errors.
+
- Allow bridge(4) to send unfragmented full-length 802.1q packets on interfaces with IFCAP_VLAN_MTU set.
+
- Make sure that pf(4) queues have a queue ID that is unique across all interfaces.
+
- When acting on an anchor, make pfctl(8)'s -F option traverse all subrulesets in the anchor.
+
- Remove larn(6) until some license issues are resolved.
+
+
- Yet more gcc(1) stack-smash protector fixes.
+
- Many spelling and double-word fixes.
+
- Install lpr(1) and lprm(1) setuid root instead of setuid daemon (the latter is more risky) and setuid to daemon early on.
+
- Add a missing getnameinfo(3) error check to ftp(1).
+
- Always set a bpf(4) filter in pflogd(8), since bpf will otherwise grab full-length packets.
+
- strcpy->strlcpy in mount_portal(8), quotacheck(8), route(8) and routed(8).
+
- Make pf(4) queue code drop illegal non-PKTHDR mbufs, and whine loudly so any problem will get noticed and fixed.
+
- Allow st(4) tape density codes up to 0xff (the old limit was 0x45.)
+
- Continued assault on manpage errors, omissions and bad English.
+
- Fix a typo from pre-3.1 days that was stopping inode quotas from working.
+
- Stop spamd-setup(8) always returning an error code.
+
- Log that cron(8) has started after detaching from the controlling terminal, rather than before.
+
- Make cron(8) show the correct error line number when the command is missing.
+
- Make pfctl(8) give a helpful error message when multiple same-named queues are added to an interface.
+
- Fix a problem in sis(4), found with a few DP83815 devices, where a cable length of less than 30m caused excessive receive errors.
+
+
- Tighten pf(4) tcp state code in relation to a FIN received before any server response.
+
- Add spamd and spamd-cfg tcp ports to services(5), and have spamd(8) obtain the port numbers from there.
+
- Fix some problems adding pf(4) child queues.
+
- Prise the correct line number for errors out of cron(8).
+
- Warn about garbage lines before the EOF in crontab(1).
+
- Fix a panic in ppp(4) by making sure the first mbuf in a chain contains a packet header.
+
+
- Disable ptrace(2) for P_SUGIDEXEC as well as P_SUGID.
+
- Make the kernel's P_SUGIDEXEC flag semantics match those for issetugid(2).
+
- Make clear that mailwrapper(8) error and warning messages are not from the wrapped program but from the wrapper itself.
+
- In mountd(8) only write to the pidfile if we've opened it.
+
- Honour the :sh: printcap(5) flag for remote printers, instead of requiring -h to be given to lpr(1).
+
- Add spamd.conf(5), configuration for spamd-setup(8).
+
- Since spamd-setup(8) is no longer a Perl script, remove the Net::Netmask module.
+
- Re-re-implement spamd-setup(8), this time in C.
+
- Tweak queue rule expansion to fix problems when a queue spans multiple interfaces.
+
- Base pfctl(8)'s 'bandwidth too small' whine on interface-specific calculations rather than always using '6Kb'.
+
+
- Have a separate flag (-g) for pfctl(8) debugging output, instead of overloading -vv.
+
- Fix a signedness bug (KAME PR 469) in the libc resolver.
+
+
- Set some missing flags and fix ti(4)'s vlan tagging support.
+
- Stability fixes to cac(4).
+
- A huge number of manpage cross-reference fixes.
+
- In kernel main(), configure devices later when process 0 is more fully initialised.
+
- Avoid a null derefence in isakmpd(8) when converting text addresses to a sockaddr.
+
- Fix pf(4) queue assignments when an interface is not specified.
+
- For IPv6 etherip packets, set the next protocol field in the header.
+
- Pass IP proto 97 (Ethernet-in-IP) packets up to bpf(4).
- In the installer, delete the FTP password when no sets are found, so it doesn't get displayed in the URL.
- Add a boot image ISO for alpha.
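Review bot: the Kerberos V kdc(8) entry near the top of this hunk says it "addresses a recently found vulnerability" and is tagged [Applied to stable], but it lacks the "SECURITY FIX:" prefix that the two OpenSSL entries in the same hunk carry. Prefix it the same way, and point to the patch if one has been published, so readers scanning the list for security fixes do not miss it. Three added entries also have typos that will appear on the public page: "making it works on macppc" in the ahc(4) entry should read "making it work", "ssk-keysign(8)" in the RSA blinding entry should read "ssh-keysign(8)", and "null derefence" in the isakmpd(8) entry should read "null dereference". The two cron(8) entries about the correct error line number read as near-duplicates. Merge them or word the second so the difference is visible.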
@@ -77,7 +197,8 @@
- Move the spamd(8) configuration channel from the spamd listener port the next port up.
- Add to file(1) support for additional image formats and a first pass at reading jpeg size.
- strncpy->strlcpy in libc resolver code.
-
- Upgrade file(1) to 3.41, to fix a buffer overflow. Get improved 64-bit ELF support as well.
+
- Upgrade file(1) to 3.41, to fix a buffer overflow. Get improved 64-bit ELF support as well.
+ [Applied to stable]
- In the libc stack smash handler, straight away block all signal handlers from running.
- More fixes and improvements to isp(4).
- Sendmail updated to 8.12.8.
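Review bot: the file(1) entry being tagged [Applied to stable] here describes a buffer overflow fix, but it is not marked "SECURITY FIX:" the way the OpenSSL entries are. Since the line is being rewritten anyway, either add the prefix or state in the entry why the overflow is not considered security relevant. The spamd(8) context line at the top of the hunk also reads "from the spamd listener port the next port up", which is missing a "to" before "the next port up".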
@@ -209,7 +330,8 @@
A source code patch is available.
[Applied to stable]
- Increase the size of the rates buffer in wi(4) hostap so 802.11g stations can associate.
-
- When outputting raw IP and generating the header manually, make sure the packet is large enough for a full IP header.
+
- When outputting raw IP and generating the header manually, make sure the packet is large enough for a full IP header.
+ [Applied to stable]
- Fix an mbuf leak in IPv6 TCP.
[Applied to stable]
@@ -371,7 +493,8 @@
- Fix some silly pastos in pfctl(8) table code.
- Create /var/empty/dev/log for programs that chroot(2) to /var/empty.
- Fix a typo in pf(4) DIOCRSETTFLAGS implmentation, so it doesn't look like changing a table flag created a table when in fact it deleted one.
-
- Stop syslog(3) from reconnecting to /dev/log on an ENOBUFS as this doesn't help, and it hurts chroot(2)'ed processes.
+
- Stop syslog(3) from reconnecting to /dev/log on an ENOBUFS as this doesn't help, and it hurts chroot(2)'ed processes.
+ [Applied to stable]
- Change chroot(2)'ed daemons portmap(8), rstatd(8) and rusersd(8) to use openlog(3) with LOG_NDELAY.
- Implement sigaltstack(2) under pthreads.
- Copy the thread sources (including CVS history) from lib/libc_r to lib/pthread, and move libc_r into the Attic.
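Review bot: the pf(4) context line directly above the changed syslog(3) entry still reads "DIOCRSETTFLAGS implmentation". Correct it to "implementation" while this block is being edited.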
@@ -441,7 +564,8 @@
- New table manipulation syntax for pf.conf(5), and a corresponding new -Tl option for pfctl(8).
- Add support for active/inactive pf(4) tablesets in the kernel
-
- Enable SET/ACK in isakmpd(8) when acting as an ike-mode-cfg responder.
+
- Enable SET/ACK in isakmpd(8) when acting as an ike-mode-cfg responder.
+ [Applied to stable]
- Improvements and fixes to batch mode sftp(1).
- Big strlcpy/strlcat(3) makeover for csh(1).
@@ -473,7 +597,8 @@
- Make sure we don't try to free a null pointer in whois(1).
- Change 'no-route' implementation from a flag in the pf(4) rule address to an address type.
- Make pf(4) skip-step calculation honour the 'no-route' keyword.
-
- Remove code in ld(1) to force linking against a specific library version.
+
- Remove code in ld(1) to force linking against a specific library version.
+ [Applied to stable]
- Add console support for Polish and Turkish keyboard layouts.
- Add the userland support for pf(4) tables to pfctl(8) and authpf(8).
@@ -766,7 +891,8 @@
- New -n option for syslogd(8) to disable DNS lookups.
- Correct a format string bug in routed(8)'s, er, Makefile.
-
- Fix at(1) breakage when two jobs are set for the same time.
+
- Fix at(1) breakage when two jobs are set for the same time.
+ [Applied to stable]
- Correct a use-before-init in xterm(1).
- Create a simple lookup table mechanism [dev/pci/pci.c:pci_matchbyid()] to match PCI device IDs, and have several drivers use it.
@@ -798,7 +924,8 @@
- Add a null transform to crypto(4), enabled via sysctl kern.cryptodevallowsoft=1.
- Fix systrace(1)'s determination of the execve(2) filename.
-
- Kernel IPsec code checks for short IP headers.
+
- Kernel IPsec code checks for short IP headers.
+ [Applied to stable]
@@ -1028,7 +1155,7 @@
www@openbsd.org
-
$OpenBSD: plus.html,v 1.866 2003/03/14 19:11:24 deraadt Exp $
+
$OpenBSD: plus.html,v 1.867 2003/03/24 08:36:57 deraadt Exp $