===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v
retrieving revision 1.877
retrieving revision 1.878
diff -u -r1.877 -r1.878
--- www/plus.html 2003/05/11 18:24:58 1.877
+++ www/plus.html 2003/05/28 02:50:24 1.878
@@ -52,14 +52,193 @@
We are working on OpenBSD-current.
-The following list sums up (almost) all the changes made up to May 10.
+The following list sums up (almost) all the changes made up to May 25.
-- Merge in Heimdal Kerberos V 0.6rc1.
+
+
- Fix xdm(1)'s XDMCP queries (XFree86 bug #277.)
+
- Unbreak pf(4) binat rules after recent netmask check changes.
+
+
- Improve pfctl(8)'s netmask validity check.
+
- Have pfctl(8) properly free buffers and initialise pointers when working on tables.
+
- Push ssh(1) syslog output through strnvis(3) first.
+
+
- Fix an fdset leak in ssh(1).
+
+
- Remove unsafe sprintf(9) and vsprintf() functions from the kernel.
+
+
- Ignore media changes for the first command issued to an sd(4) device. See the checkin comment for details.
+
- Match kernel vprintf(9) prototype to that of userland.
+
- Have getconf(1) return _POSIX_PATH_MAX instead of _POSIX_PIPE_MAX when asked for the former.
+
+
- Now that kernels are built with propolice, build modules with it too.
+
- New hardware monitoring sensors driver it(4).
+
- Fix endianness problems in dc(4) that caused multicast reception to fail when using Centaur chips.
+
- Add a missing initialisation in altq HFSC.
+
- Add read-only NTFS support, ported from NetBSD. Not enabled in GENERIC.
+
- Add a flag to reverse the stereo on auich(4).
+
+
- Limit the return value of nice(3) to -NZERO ≤ nice ≤ NZERO, where NZERO=20.
+
- Make pfctl(8) fail hard when fed invalid hostnames and netmasks.
+
- Many games fixes from NetBSD.
+
- Allow the i386 and hppa bootloaders to skip the interactive portion altogether.
+
- Fix a badly broken switch statement affecting SO_DEBUG in tcp_input.c.
+
- Stop lpr(1) from checking if the printed file is an executable. Leave this to lpd(8) filters.
+
- Use a decay filter to get better altq throughput statistics out of pfctl(8).
+
+
- In ssh(1)'s do_log(), use syslog_r(3) in code that can be called from a signal handler.
+
- Severely restrict the paths that privsep isakmpd(8) can read from and write to.
+
- Use sockaddr_storage instead of sockaddr in isakmpd(8) to fix interface rescanning.
+
- Keep X.509 private keys only in the privileged part of privsep isakmpd(8).
+
- When using the pf(4) SYN proxy, make sure ACKs are sent with the correct window size.
+
- Wait longer for slow USB devices to be ready for attachment.
+
+
- Don't build libperl in the libraries pass of 'make build', as we want Perl's configure to pick up details of the libraries that the build may be changing. Another leapfrog-in-waiting.
+
- Add regen target in libkrb5 to remove (again) the dependency on an up-to-date asn1_compile.
+
- Complain more consistently about a missing 80-wire IDE cable (for UDMA mode > 2.)
+
- In syslogd(8) don't use strlcpy(3) when printing strings out of struct utmp, since those strings aren't null terminated.
+
- Don't ARP for our IP address aliases, treat them as local.
+
- Merge in a number of USB SCSI device updates from NetBSD.
+
- Add experimental support for aes-ctr ssh(1) ciphers.
+
- Apply some of the USB SCSI improvements to the FireWire code as well.
+
- Add string length bounds to an sscanf(3) in ssh(1)'s rhosts auth code.
+
- Pull in a fix for directory creation under systrace(1).
+
- Fix pf(4) rdr rules with address pools using bitmask and source-hash address selection.
+
- Allow inverse matching of pf(4) tags.
+
- Fix media handling for Intel dc(4) devices.
+
+
- Use the right buffer in spamd(8)'s connection handler.
+
- Use mmap(2) instead of malloc(3) in vfprintf(3) when more memory is needed to store arguments. See the checkin comment for why.
+
- New Renegotiate-on-HUP option for the [general] section of isakmpd.conf(5) will cause all Phase 2 SAs to be renegotiated.
+
- Fix a couple of signedness nits in ksh(1).
+
- Improvements to USB SCSI support.
+
- Fix mg(1)'s up and down cursor movement.
+
- Have ksh(1) use the libc dup2(2) instead of its own.
+
- Fare thee well, Kerberos IV.
+
- Another big-bucks firewall feature performed by pf(4): TCP SYN proxy, enabled with 'synproxy state' (this implies modulate state.)
+
- New AddressFamily option for ssh(1) that works like the -4 and -6 command line options (portable OpenSSH bug 534.)
+
- Allow address comparison in wi(4) to work on sparc64.
+
- Prevent a spamd-setup(8) crash with a config file consisting of only invalid input.
+
+
- Don't assume that rt->rt_ifp is valid in IPv6 neighbour discovery.
+
- Add new ConnectTimeout option to ssh(1).
+
- Disable Kerberos options to ssh(1) programs if Kerberos isn't compiled in, and warn if they're used.
+
- Have 'ssh -V' print the OpenSSL version properly, instead of trying to %s on a long.
+
- Repair IPsec forwarding for IPv6, fixing PR#3231.
+
- Fix a hang in libwrap when the hosts_access(5) file has a line containing > 2048 characters. (NetBSD pr#15025.)
+
- Add multi-column output to the ls command of sftp(1).
+
- Wash untrusted input to mail(1) through vis(3) before display.
+
- In isakmpd(8), don't store the private key in data structures we pass around a lot.
+
- Fix a missing freerrset(3) in new ssh(1) dnsfp code.
+
- New fmt_scaled(3) and scan_scaled(3) functions in libutil, for writing and reading numbers with human-readable scales.
+
- Like for sysctl(8), add a -q option to shut mixerctl(1)'s -w option up.
+
- Preliminary privilege separation support for isakmpd(8), not enabled by default for now.
+
- Fix deregistration of per-authentication method handlers in ssh(1).
+
- In faithd(8) specify IPPROTO_TCP explicitly in anticipation of a day when getaddrinfo(3) supports sctp.
+
+
- Prepare to move all KerberosV libraries to /usr/lib.
+
- More TCP scrubbing: Modulate TCP timestamps to frustrate NAT detection and prevent remote uptime guesses. New scrub option 'reassemble tcp'.
+
- Kill more unwanted le(4) 'lost carrier' moans.
+
- Remove the rather short-lived kernel option LONGRUN, it's now standard except SMALL_KERNEL is defined.
+
- Enable pf(4) tagging support for rdr and binat rules.
+
- Add _isakmpd user and group for isakmpd(8) privsep.
+
- Allow ssh(1) clients to send a BREAK to the remote server if it supports it (SSHv2 only.)
+
- Add _kdc and _kadmin users and groups for the respective KerberosV kdc(8) and kadmind(8) daemons.
+
- On i386, support Transmeta LongRun power management (kernel option LONGRUN, enabled by default.)
+
- Add a pf(4) tag for each rule that matches, not just the last one.
+
- Remove gated stuff from /etc/rc and /etc/rc.conf.
+
- Add experimental support for ssh(1) host key fingerprint verification using DNS records (dnsfp.) Not built by default. See src/usr.bin/ssh/README.dns for details and build instructions.
+
- Unbreak malloc(3) map_pages() failure test on 64-bit architectures.
+
- Back out many recent isakmpd(8) changes until they're working right.
+
- Disable KerberosIV support in XFree.
+
- Make sure ssh(1) privsep children die when the monitor parent goes away (OpenSSH bug 560.)
+
- Upgrade pflogd(8) to use the new bpf(4) link type too.
+
- Teach tcpdump(8) and libpcap about the new pflog(4) link type in bpf(4).
+
- Upgrade bpf(4) support for the pflog(4) link type to the 'official' and more extensible version from the libpcap people.
+
- Start stripping out KerberosIV support from programs.
+
- When handling a numeric nodename in getaddrinfo(3), set the canonical hostname to the numeric address as per RFC3493.
+
- Make vis(3)'s VIS_SAFE behaviour match the manpage w.r.t isgraph(3).
+
- Allow tags to be specified for pf(4) block rules (which aren't allowed to keep state.)
+
- Allow the pf.conf(5) scrub keyword to take a protocol specifier again.
+
- Remove KerberosIV support from KerberosV code.
+
- Add packet tag support for pf(4) nat rules.
+
- Correct a string length problem and a missing null init in libreadline.
+
- Add kerberos-over-ssh2 support to ssh(1).
+
- Reapply the move of Ethernet definitions to <net/ethertypes.h>, but this time have <netinet/if_ether.h> read them in for compatibility reasons.
+
- New -q flag for sysctl(8) to suppress output from the -w option.
+
- Fix a circular dependency by removing libtelnet, instead compile the code directly into telnet(1), telnetd(8) and tn3270(1) from files in libexec/telnetd.
+
- Move contents of libkafs into libkrb5, leave libkafs as an empty dummy library.
+
- Fix a use-after-free in the new pf(4) tagging code in the kernel.
+
- Enable the increasingly popular em(4) driver by default on i386 RAMDISK* kernels.
+
- Sync rdist(1) with freerdist version 0.92, minus the compress option.
+
- Don't build KerberosIV programs. Libraries still built for the moment.
+
- Move blktochr() and chrtoblk() into kernel MI code.
+
- Add [bc]devsw_lookup() kernel convenience functions.
+
+
- In pfctl(8) make sure packet tagging is only used on stateful filter rules.
+
- Add NO_PROPOLICE kernel config(8) option to build the kernel without the stack protector. Handy for install media.
+
- Fix a string length off-by-one in libreadline.
+
- Add userland portion of pf(4) packet tagging support.
+
- Disable afs until it can be made to work sans KerberosIV.
+
- Force global 'time' structure to be quad_t aligned, unbreaking sparc microtime(9) and possibly other things too.
+
- Add support in kernel pf(4) for tagging packets, and filtering based on those tags.
+
- New mbuf(9) tag PACKET_TAG_PF_TAG.
+
- Make sure lndir(1) doesn't try to use -1 as an array index when reading a directory.
+
- On ELF architectures, support the blocking of thread switches during non-thread-safe dynamic loader operations.
+
- Sync ELF identification indexes with the System V ABI specs.
+
- Stop AM7990 (le(4)) devices emitting 'lost carrier' messages.
+
- Back out <netinet/if_ether.h> changes after they caused userland meltdown.
+
- Add propolice stack-smash protector support to the kernel, and build the kernel using it on architectures that support propolice.
+
- Re-enable NULLFS, UMAPFS and UNION in the GENERIC kernel.
+
- Move Ethernet definitions from <netinet/if_ether.h> to new <net/ethertypes.h>, like NetBSD.
+
- Disable Kerberos V-to-IV conversion in login_krb5(8) and login_krb5-or-pwd(8)
+
- Stop building login_krb4(8) and login_krb4-or-pwd(8).
+
- Remove references to krb4 from login.conf(5).
+
- Changes to the way protection fault traps are handled on i386, see the checkin comment for details and Intel abuse.
+
- Merge in Heimdal KerberosV 0.6.
+
- Stop user(8) from accepting usernames beginning with a slash.
+
- Don't report unsupported scsi(4) devices as offline.
+
+
- When testing TCP window sizes in pf(4), don't apply the window scaling factor for SYN packets. Do, however, apply the scaling factor when testing ACKs.
+
- Fix a bug in pkg_add(1) that was causing recursive dependency searches to fail.
+
- More isakmpd(8) definitions for NAT-T, IKEv2 and EAP.
+
- Locking and other fixes to unionfs.
+
- Add BLOCK_SIZE attribute to isakmpd(8), and rename AES ESP transform to AES_128_CBC.
+
- Add UDP encapsulation type definitions (not code) to isakmpd(8) with an eye to future NAT-T support.
+
- Adapt nullfs and umapfs to use common code from genfs.
+
- New genfs code for layered filesystem support.
+
- Wash print queue names through vis(3) before output.
+
- Teach ctags(1) to understand '//' comments, ignore declarations of function types, and accept __attribute__. From NetBSD.
+
- Correctly check for empty output from an at(1) command (PR#3252.)
+
- New ddb(4) command 'show proc' which, er, shows process information.
+
- Sync popa3d(8) to version 0.6.2.
+
- Improvements and bugfixes to the installer's handing of ftp and http downloads.
+
- Reorder pf(4) IPv6 address comparison to check the least-significant bits first, since these are more likely to differ.
+
- Make sure the state search trees are properly in initialised when attaching pf(4).
+
- Remove a number of KerberosV files that are not used by OpenBSD.
+
- When doing pubkey authentication in ssh(1), prefer agent-stored keys that are referred to in the config file. This can reduce the likelihood of the server disconnecting before it gets to a valid key when the agent is storing many keys.
+
- Start preparations to remove KerberosIV.
+
- Remove a number of redundant declarations in games/. From NetBSD.
+
- file(1) now recognises Ogg Vorbis audio files.
+
- Use the asn1_compile in src/usr.bin instead of that in src/kerberosV.
+
- More string fixes to libreadline, this time with no ABI changes.
+
- Fix a sign overflow in csh(1).
+
- Merge in OpenSSL 0.9.7b (without IDEA, MDC2 and RC5.)
+
- Implement adaptive state table timeouts in pf(4), reducing the state timeout value inversely with the number of states present.
+
+
- Break asn1_compile out from KerberosV into src/usr.bin.
+
- First phase of pf(4) stateful TCP scrubbing: Frustrate TTL-based NIDS evasion by determining on the fly the highest TTL, and enforcing it as the minimim TTL for all subsequent packets.
+
- In ssh(1), Do the xstrdup() of the remote_name inside channel_new() instead of making the caller do it.
+
- Start to fix the annoying asn1_compile leapfrog problem when upgrading KerberosV by putting the generated files into the tree.
+
- Make sure a hole at the end of a sparse file created by install(1) actually gets written on all filesystems.
+
- The installer now accepts absolutely absolute paths (relative to the installer's root directory, not the virtual mountpoint) for local sets.
+
- Make ssh-keygen(1)'s -e option fail gracefully if the user specifies an SSH1 key. (NetBSD pr#20550.)
+
- Avoid offence to Klingons by spelling 'Kang' correctly.
+
- Merge in Heimdal KerberosV 0.6rc1.
- Since mfs doesn't try to force an unmount on receipt of a signal, there's no need to try to fix up processes' working dirs - the unmount(2) will fail.
- Fix isakmpd(8)'s handling of the IPV6_ADDR ID-type.
-
- Remove an unnecessary ntohs(3) in pfctl(8), unbreaking 'nat ... -> $if port n' rules.
+
- Remove an unnecessary ntohs(3) in pfctl(8), unbreaking 'nat ... -> $if port n' rules.
- The pf(4) return keyword now generates an ICMP unreachable message for all protocols other than TCP (rather than just UDP and ICMP.)
- Have the compiler generate warnings if unsafe string functions are used in the kernel.
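Review bot: several of the added entries in this hunk carry wording slips that will ship on the public page. In the pf(4) stateful TCP scrubbing entry, "minimim TTL" should be "minimum TTL". In the pf(4) state search trees entry, "properly in initialised" should be "properly initialised". In the installer entry, "handing of ftp and http downloads" should be "handling". The LONGRUN removal entry reads "it's now standard except SMALL_KERNEL is defined", where "unless" is meant. The login_krb5(8) entry is the only added one without a closing full stop.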
@@ -117,7 +296,8 @@
- Use the right buffer size for getcwd(3) to avoid unnecessary truncation in at(1).
- Replace local (and wrong) basename logic in ln(1) with a call to the real basename(3).
-
- Don't leak an mbuf when dropping non-ARPHRD_ETHER arp packets.
+
- Don't leak an mbuf when dropping non-ARPHRD_ETHER arp packets.
+ [Applied to stable]
- Compatibility improvements to ossaudio(3), mostly from NetBSD.
- Ditch newfs(8)/mount_mfs(8)'s homespun malloc() in favour of mmap(2).
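Review bot: the "[Applied to stable]" marker added under the non-ARPHRD_ETHER arp mbuf leak entry names neither the branch nor the revision that carries the fix. Someone checking whether a given -stable tree has the fix cannot tell from this line alone, so consider naming the branch in the marker or linking it to the corresponding commit.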
@@ -137,8 +317,9 @@
- Keep trying to unbreak apachectl(8) restarts for shared modules when running under the chroot.
- Improve forward compatiblity of fsck_ffs(8) by comparing only what we understand instead of trying to ignore what we don't.
- Make the newly deprecated omsync() work under NetBSD emulation.
-
- Several strvis(3) -> strnvis(3) changes, all part of the continuing Battle for Safe String Functions.
-
- Fix some pthreads signal bugs that were causing MySQL to crash (PR#3178, PR#3238.)
+
- Several strvis(3) -> strnvis(3) changes, all part of the continuing Battle for Safe String Functions.
+
- Fix some pthreads signal bugs that were causing MySQL to crash (PR#3179, PR#3238.)
+ [Applied to stable]
- Allow pf(4) tables to be loaded into anchors. pfctl(8) table options except show and flush now honour -a.
- Have the dynamic linker stub functions in libc return -1 if called from a statically linked program.
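Review bot: the pthreads signal entry changes its reference from PR#3178 to PR#3179 in the same edit that adds "[Applied to stable]", while the strvis(3) entry next to it is re-added with identical text. If PR#3179 is a correction, say so in the commit message so the change is not mistaken for a typo. If it is not, restore PR#3178 so the entry keeps pointing at the right report.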
@@ -358,7 +539,7 @@
- Actually look for the lpr(1) -q option when calling getopt(3).
- Fix handling of -f and -h options to lpr(1).
- Improve error handling for invalid pf(4) cbq and priq flags.
-
- 3.3 -> 3.3-current.
+
- 3.3 -> 3.3-current.
@@ -392,7 +573,7 @@
www@openbsd.org
-
$OpenBSD: plus.html,v 1.877 2003/05/11 18:24:58 deraadt Exp $
+
$OpenBSD: plus.html,v 1.878 2003/05/28 02:50:24 deraadt Exp $