=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus33.html,v retrieving revision 1.38 retrieving revision 1.39 diff -c -r1.38 -r1.39 *** www/plus33.html 2014/03/28 03:37:31 1.38 --- www/plus33.html 2014/08/13 17:37:31 1.39 *************** *** 433,439 ****
  • Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
  • Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result. !
  • First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
  • isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
  • Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints. --- 433,439 ----
  • Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
  • Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result. !
  • First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
  • isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
  • Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints. *************** *** 457,463 ****
  • Check TCP, UDP, ICMP and ICMP6 checksums in pf(4), and make the sum isn't recalculated when the packet hits layer 4 in the kernel. Packets with invalid checksums are silently dropped, to avoid firewall detection by use of filter responses to bad packets.
  • Make pf(4)'s TCP state inspection RFC 763 compliant, and send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
  • Now that route(8) is no longer setuid root, check the effective uid instead of the real uid. !
  • Fix a number of filesystem locking issues, for details see the checkin comment.
  • Fix an ICMP mbuf leak.
    [Applied to stable] --- 457,463 ----
  • Check TCP, UDP, ICMP and ICMP6 checksums in pf(4), and make the sum isn't recalculated when the packet hits layer 4 in the kernel. Packets with invalid checksums are silently dropped, to avoid firewall detection by use of filter responses to bad packets.
  • Make pf(4)'s TCP state inspection RFC 763 compliant, and send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
  • Now that route(8) is no longer setuid root, check the effective uid instead of the real uid. !
  • Fix a number of filesystem locking issues, for details see the checkin comment.
  • Fix an ICMP mbuf leak.
    [Applied to stable] *************** *** 475,481 ****
  • Make the resolver code in libc more thread-safe.
  • Fix an fd_set overflow in telnetd(8). !
  • Improvements to pthreads signal handling. See the checkin comment for details.
  • For eg(4), el(4), ie(4/HPPA) and url(4) zero-pad frames smaller than the minimum frame length.
  • Update the termcap entry colours for wsvt25 to match reality.
  • If the -a option is given to pfctl(8) to specify an anchor, don't allow operations that have a global effect. --- 475,481 ----
  • Make the resolver code in libc more thread-safe.
  • Fix an fd_set overflow in telnetd(8). !
  • Improvements to pthreads signal handling. See the checkin comment for details.
  • For eg(4), el(4), ie(4/HPPA) and url(4) zero-pad frames smaller than the minimum frame length.
  • Update the termcap entry colours for wsvt25 to match reality.
  • If the -a option is given to pfctl(8) to specify an anchor, don't allow operations that have a global effect. *************** *** 529,535 ****
  • Have /etc/rc generate the BIND 9 rndc(8) shared secret if it doesn't exist.
  • Add BIND 9 configuration files.
  • Skip DNSSEC programs in BIND 9. !
  • Begin import of BIND 9.2.2rc1. (Local changes documented in README.OpenBSD.)
  • Fix some silly pastos in pfctl(8) table code.
  • Create /var/empty/dev/log for programs that chroot(2) to /var/empty.
  • Fix a typo in pf(4) DIOCRSETTFLAGS implmentation, so it doesn't look like changing a table flag created a table when in fact it deleted one. --- 529,535 ----
  • Have /etc/rc generate the BIND 9 rndc(8) shared secret if it doesn't exist.
  • Add BIND 9 configuration files.
  • Skip DNSSEC programs in BIND 9. !
  • Begin import of BIND 9.2.2rc1. (Local changes documented in README.OpenBSD.)
  • Fix some silly pastos in pfctl(8) table code.
  • Create /var/empty/dev/log for programs that chroot(2) to /var/empty.
  • Fix a typo in pf(4) DIOCRSETTFLAGS implmentation, so it doesn't look like changing a table flag created a table when in fact it deleted one. *************** *** 556,568 ****
  • Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
  • Enable the pfctl(8) 'static-port' keyword. !
  • Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
  • Add new output format option '-f' to ncheck_ffs(8).
  • ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
  • Fix a missing YYERROR in the pfctl(8) parser.
  • Deal with cd(4) drives that are picky about being asked to play the leadout track. !
  • Note with regret and sadness that the freely available PCI vendor and device list is no longer available.
  • Bring protocols(5) more into line with current reality.
  • More improvements and device additions to pciide(4). --- 556,568 ----
  • Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
  • Enable the pfctl(8) 'static-port' keyword. !
  • Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
  • Add new output format option '-f' to ncheck_ffs(8).
  • ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
  • Fix a missing YYERROR in the pfctl(8) parser.
  • Deal with cd(4) drives that are picky about being asked to play the leadout track. !
  • Note with regret and sadness that the freely available PCI vendor and device list is no longer available.
  • Bring protocols(5) more into line with current reality.
  • More improvements and device additions to pciide(4).
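Review bot: in the 457,463 hunk, the first context item reads "make the sum isn't recalculated", which is missing a word (presumably "make sure the sum isn't recalculated"), and the next item cites "RFC 763" for TCP state inspection, whereas the TCP specification is RFC 793. Both are carried unchanged into 1.39 and could be corrected while this block is being edited. The changed item, "Fix a number of filesystem locking issues, for details see the checkin comment.", is a comma splice; the parenthetical form used in the 433,439 hunk, "(see the checkin comment for details)", would keep the entries consistent.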
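Review bot: the last context item of the 529,535 hunk spells "implmentation" in the pf(4) DIOCRSETTFLAGS entry, and the typo is unchanged on the new side. Suggest correcting it to "implementation" in this revision, since the neighbouring BIND 9.2.2rc1 item in the same hunk is already being modified.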