===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus.html,v
retrieving revision 1.924
retrieving revision 1.925
diff -u -r1.924 -r1.925
--- www/plus.html 2004/05/17 13:36:36 1.924
+++ www/plus.html 2004/05/30 16:23:12 1.925
@@ -54,17 +54,148 @@
We are working on OpenBSD-current.
-The following list sums up (almost) all the changes made up to May 15.
+The following list sums up (almost) all the changes made up to May 29.
+
+- Fix bge(4) multicast reception.
+
- Add a description field for network interfaces, accessible via ifconfig(8) command 'description' and ioctl(2)s SIOC[GS]IFDESCR.
+
- Use library CRC32 routines instead of a local implementation in sk(4).
+
- Fix a memory leak in ccdconfig(8).
+
- Remove multicast addresses and disable promiscuous mode when destroying a carp(4) interface.
+
- Make ifconfig(8) up and down commands work as expected for carp(4) devices.
+
- Create a few more USB devices by default in MAKEDEV(8).
+
+
- Clean up scsi(4) sense error logic and display. Based on NetBSD.
+
- Allow machine-dependent filesystem options to be passed for the root filesystem in src/distrib/miniroot.
+
- Remove the old package tools (src/usr.sbin/pkg_install) from the tree.
+
- Have bgpd(8) detect the absence of ipsec(4) and tcpmd5 capabilities at runtime.
+
- More helpful boot-time display for aac(4).
+
- Fix a typo in umapfs' unmount(2) implementation.
+
- Backwards compatibility fixes in the hash functions, unbreaking skey(1) with sha1.
+
- Make bpf(4) devices clonable.
+
- Make AFS flock(2)/fcntl(2) locks work on the local system.
+
+
- Make accounting optional, with the new config(8) option (wait for it) ACCOUNTING.
+
- Allow login names longer than eight characters in uucpd(8).
+
- Fix a memory leak in a pfctl(8) error path.
+
- When shutting the system down, finalise accounting before the VFS to avoid panic(9)s.
+
- Fix TCP corruption on rl(4) cards.
+
- Much better rulefile parsing for brconfig(8).
+
- Pool efficiency improvements:
+
+ - Lower the default high watermark from UINT_MAX to 8 pages.
+
- Modify uvm_km_getpage() to take a waitok flag and use it instead of uvm_km_alloc_poolpage1() for both the default and nointr pool allocators.
+
- Use the default allocator for the mbuf and mbuf cluster pools.
+
+
+ - Correct a missing freeaddrinfo(3) in ssh(1).
+
- Fix a NetBSD merge error in the TCP syncache, allowing IPv6 to use it.
+
- Fix fd leaks in a few isakmpd(8) error paths.
+
- Call ld.so(1) contructors after setting up the debugger, similar to recent destructor changes.
+
- In cu(1)/tip(1), if one process dies then kill the other ourselves.
+
- In rdate(8) NTP mode, send a 64-bit random number as the 'current time' field, which the server copies back in its response. This avoids sending out the current system time, and makes it slightly harder for an attacker to send spoof replies on behalf of the real server.
+
- Use _exit(2) instead of exit(3) in the sftp(1) child process.
+
+
- Include the hostname in syslogd(8) memory-buffered entries.
+
- Since the per-arch _dl_bcopy() in ld.so(1) is in all cases a simple for loop and painstakingly optimised assembler, just use a single machine-independent version.
+
- Allow ld.so(1) _dl_find_symbol() to return a pointer to the container object.
+
- Handle interface removals gracefully in dhcpd(8), now that poll(2) wakes it up on interface detach.
+
- Wake up any poll(2)ing process when a bpf(4) descriptor is closed.
+
- If a bpf(4)-monitored interface is detached, send any buffered packets up to userland.
+
- Scale the bge(4) timeout value correctly.
+
- Since ULLONG_MAX+1 == 0 mod ULLONG_MAX+1, let the carp(4) sc_counter wrap around all by itself.
+
+
- bktr(4) fixes from NetBSD and FreeBSD.
+
- Move the addition of atexit destructors right to the end of ld.so(1) setup (after the gdb(1) helper code) so they can be debugged.
+
- If ld.so(1) is running under ldd(1), exit earlier before a whole bunch of unnecessary setup gets done.
+
- Check ifp is valid before using it in carp_setroute(), avoiding a panic(9).
+
- Helpfully, use the right function names in isakmpd(8) error messages.
+
- Fix multicast problems with sk(4).
+
- Don't leak a socket in ndp(8).
+
- Back out the recent fork1(9) change due to compatibility problems.
+
+
- New MaxAuthTries option for sshd_config(5).
+
- Allow the retval parameter to fork1(9) to be NULL (as the manpage says) without causing a panic(9).
+
- strtonum(3)ify pflogd(8).
+
- Add gscsio(4) and lmtemp(4) I2C drivers.
+
- Add I2C framework (iic(4), iic(9)) based on that in NetBSD and enable on i386.
+
- Fix a stat(2)-then-open(2) race in isakmpd(8) when checking the policy file for root-only permissions.
+
- Let ipsecadm(8) delete tcpmd5 SAs.
+
- Fix ipsecadm(8) so that ipcomp(4) can be used.
+
- SECURITY FIX: With the introduction of IPv6 code in xdm(1), one test on the 'requestPort' resource was deleted by accident. This makes xdm create the chooser socket even if XDMCP is disabled in xdm-config, by setting requestPort to 0. See XFree86 bugzilla for details.
+ A source code patch is available.
+ [Applied to stable]
+ - Fix a boot-time crasher in ahd(4).
+
- Add (to i386 and amd64) ehci(4), a USB Enhanced Host Controller Interface driver, for USB 2.0 support.
+
- Finally implement StackGhost buffer overflow exploit protection on sparc.
+
- Correct a missing splx(9) in an igmp_joingroup() error path.
+
- Fix VFS corruption (due to gcc(1)) on i386 by out-of-lining the spl(9) functions.
+
+
- Fix size_t != off_t truncation in ahd(4).
+
- Make vmstat(8)'s disk columns wide enough to show transfer numbers for modern disks without writing into the next column.
+
+
- Change the pf(4) anchor path component separator from ':' to '/'. pfctl(8) now requires any anchor spec containing the separator to be in quotes.
+
- Make /root/.klogin optional in /etc/mtree/special.
+
- Import and merge gdb(1) version 6.1.
+
- Support RFC2796 Route Reflection in bgpd(8), removing the need for an IBGP mesh.
+
- Add support for dynamic network announcements in bgpd(8) and bgpctl(8).
+
- Don't rely on ifp's validity when setting a floor on the TCP MSS in ip_input.c.
+
- Allow an ssh(1) user to cancel a port forward (OpenSSH bugzilla #756).
+
- Do a better job of copying pf(4) relative anchor paths out to userland.
+
- Use the new DLT_PPP_ETHER datalink type to print pppoe(8) frames in tcpdump(8).
+
+
- Use the right buffer size for strlcpy(3) in libreadline.
+
- Zero the ifreq structure before use when fetching interface info in pfctl(8).
+
- Fix a missing strdup(3) error check in bgpd(8).
+
- Start work on adding the ahd(4) Adaptec PCI/PCI-X Ultra320 SCSI driver from FreeBSD.
+
+
- Enable the fancy new i386 pagezero code by not resetting it to its old value after setting it up.
+
- Allow anchors within anchors in pf(4). More work to come.
+
- Don't recursively call nd6_output() when route allocation fails, just return a host unreachable error.
+
- SECURITY FIX: A heap overflow in the cvs(1) server has been discovered that can be exploted by clients sending malformed requests. These clients can then run arbitrary code with the same privileges as the CVS server program.
+ A source code patch is available.
+ [Applied to stable]
+ - Allow symbolic service- and protocol names in isakmpd(8), so e.g. "Protocol=tcp" now works.
+
- Fix a cross-realm trust vulnerability in Kerberos V. Adapted from FreeBSD.
+ [Applied to stable]
+ - Add word boundary tests to the regexes that find @-commands in pkg_add(1) etc. packing lists.
+
- Fix SIGINT handling in sftp(1).
+
- Upgrade file(1) to version 4.09.
+
- Updates to aic79xx code from FreeBSD in preparation for the upcoming ahd(4) driver.
+
+
- Stop some fxp(4) devices creating PCI errors in 10Mbps mode by disabling 'dynamic standby mode' in the EEPROM. From NetBSD.
+
- Handle CRC errors in fxp(4).
+
- Fix a ssize_t != int overflow in rdate(8)'s NTP code.
+
- Generate /etc/ttys(5) entries for all available pty(4) devices, now that more are available.
+
- Fix a missing initialisation in ISA ie(4).
+
- Remove trailer encapsulation support from ifconfig(8).
+
- Fix a reference counting bug in pf(4) DIOCCHANGERULE.
+
- Fix a buffer overrun in ip_output() (FreeBSD PR#66386).
+
- Don't leak a mount structure when handling mount errors in nullfs.
+
- ANSIfy src/libc/gen/*.
+
+
- Merge new binutils, fix local differences, and enable on arm.
+
- Import GNU binutils 2.14, minus testsuites, infodocs and I18N files.
+
- Bump the default data size to 75MB from 64MB, so that XF4 can be built on amd64 with the imminent binutils upgrade without changing login.conf(5).
+
- Teach file(1) about the b.out (i960) binary format. From NetBSD.
+
- In pfsync(4), make sure the return code gets initialised (pfsync_request_update()).
+
- Add basic COMMUNITIES attribute support in bgpd(8)'s filter language.
+
- Update libiberty's floatformat.[ch] to those from gdb(1) 6.1.
+
+
- Use arc4random(3) instead of rand(3) in httpd(8) mod_rewrite and mod_ssl, cleaning up surrounding code in the latter on the way.
+
- Remove the now-unused dhclient(8) pidfile stuff from /etc/rc(8).
+
- Add a separate link type, DLT_PPP_ETHER, for pppoe(8) frames. From NetBSD.
+
- Don't skip the graceful shutdown of carp(4) just because the system is being powered down.
- When carp(4) backs off because of physical interface problems, advertise this fact immediately instead of waiting for the next scheduled announcement.
- Add a workaround in ppp(8) for the recent multipath routing changes.
- Fix a two-byte buffer overflow when printing sockaddr structs of unknown type in route(8).
- Correct error output for bad limit modifiers in csh(1).
-
- Fix a reference-counting bug in fifofs that could cause certain non-blocking FIFO users (e.g. qmail) to consume 100% cpu.
+
- Fix a reference-counting bug in fifofs that could cause certain non-blocking FIFO users (e.g. qmail) to consume 100% cpu.
+ [Applied to stable]
- Interpret ipsecadm(8) cpi and spi parameters as hex even if not preceded by '0x'.
- Unbreak pppoe(8) server mode by not doing the chroot(8).
- Use a nointr pool(9) instead of generic malloc(9) for pathname storage when doing name-to-inode lookups.
@@ -107,7 +238,8 @@
- When user(8) adds a new group, place it before the first '+' entry if one exists (part of a fix for PR#3727).
- strtonum(3)-ify ipsecadm(8) and add some more integer value checks.
-
- Properly initialise carp(4) advskew for values greater than 240.
+
- Properly initialise carp(4) advskew for values greater than 240.
+ [Applied to stable]
- Remove unused variables in several programs on lint(1)'s say-so.
- Use the freshly-generated MD5 digest for the SSH1 session ID instead of random stack garbage.
- Fix a null deref panic in the pf(4) TCP normaliser.
@@ -405,6 +537,8 @@
- Use daemon(3) and getopt(3) instead of DIY.
Huge cleanup of mopd(8).
+Drop very old TCP ACK packets.
+ [Applied to stable]
Implement a rate limit for TCP ACKs of 100pps, and use this more general mechanism for in-window SYN handling too.
Safely handle aborts in malloc(3) etc. without tripping the recursive call handler by mistake.
RELIABILITY FIX: Under load "recent model" gdt(4) controllers will lock up.
@@ -559,7 +693,7 @@
www@openbsd.org
-
$OpenBSD: plus.html,v 1.924 2004/05/17 13:36:36 deraadt Exp $
+
$OpenBSD: plus.html,v 1.925 2004/05/30 16:23:12 deraadt Exp $