=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus33.html,v retrieving revision 1.58 retrieving revision 1.59 diff -c -r1.58 -r1.59 *** www/plus33.html 2018/03/25 03:02:09 1.58 --- www/plus33.html 2018/08/24 05:41:56 1.59 *************** *** 439,445 ****
  • Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
  • Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result. !
  • First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
  • isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
  • Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints. --- 439,445 ----
  • Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
  • Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result. !
  • First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
  • isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
  • Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints. *************** *** 463,469 ****
  • Check TCP, UDP, ICMP and ICMP6 checksums in pf(4), and make the sum isn't recalculated when the packet hits layer 4 in the kernel. Packets with invalid checksums are silently dropped, to avoid firewall detection by use of filter responses to bad packets.
  • Make pf(4)'s TCP state inspection RFC 763 compliant, and send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
  • Now that route(8) is no longer setuid root, check the effective uid instead of the real uid. !
  • Fix a number of filesystem locking issues, for details see the checkin comment.
  • Fix an ICMP mbuf leak.
    [Applied to stable] --- 463,469 ----
  • Check TCP, UDP, ICMP and ICMP6 checksums in pf(4), and make the sum isn't recalculated when the packet hits layer 4 in the kernel. Packets with invalid checksums are silently dropped, to avoid firewall detection by use of filter responses to bad packets.
  • Make pf(4)'s TCP state inspection RFC 763 compliant, and send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
  • Now that route(8) is no longer setuid root, check the effective uid instead of the real uid. !
  • Fix a number of filesystem locking issues, for details see the checkin comment.
  • Fix an ICMP mbuf leak.
    [Applied to stable] *************** *** 481,487 ****
  • Make the resolver code in libc more thread-safe.
  • Fix an fd_set overflow in telnetd(8). !
  • Improvements to pthreads signal handling. See the checkin comment for details.
  • For eg(4), el(4), ie(4/HPPA) and url(4) zero-pad frames smaller than the minimum frame length.
  • Update the termcap entry colours for wsvt25 to match reality.
  • If the -a option is given to pfctl(8) to specify an anchor, don't allow operations that have a global effect. --- 481,487 ----
  • Make the resolver code in libc more thread-safe.
  • Fix an fd_set overflow in telnetd(8). !
  • Improvements to pthreads signal handling. See the checkin comment for details.
  • For eg(4), el(4), ie(4/HPPA) and url(4) zero-pad frames smaller than the minimum frame length.
  • Update the termcap entry colours for wsvt25 to match reality.
  • If the -a option is given to pfctl(8) to specify an anchor, don't allow operations that have a global effect. *************** *** 535,541 ****
  • Have /etc/rc generate the BIND 9 rndc(8) shared secret if it doesn't exist.
  • Add BIND 9 configuration files.
  • Skip DNSSEC programs in BIND 9. !
  • Begin import of BIND 9.2.2rc1. (Local changes documented in README.OpenBSD.)
  • Fix some silly pastos in pfctl(8) table code.
  • Create /var/empty/dev/log for programs that chroot(2) to /var/empty.
  • Fix a typo in pf(4) DIOCRSETTFLAGS implmentation, so it doesn't look like changing a table flag created a table when in fact it deleted one. --- 535,541 ----
  • Have /etc/rc generate the BIND 9 rndc(8) shared secret if it doesn't exist.
  • Add BIND 9 configuration files.
  • Skip DNSSEC programs in BIND 9. !
  • Begin import of BIND 9.2.2rc1. (Local changes documented in README.OpenBSD.)
  • Fix some silly pastos in pfctl(8) table code.
  • Create /var/empty/dev/log for programs that chroot(2) to /var/empty.
  • Fix a typo in pf(4) DIOCRSETTFLAGS implmentation, so it doesn't look like changing a table flag created a table when in fact it deleted one. *************** *** 562,574 ****
  • Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
  • Enable the pfctl(8) 'static-port' keyword. !
  • Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
  • Add new output format option '-f' to ncheck_ffs(8).
  • ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
  • Fix a missing YYERROR in the pfctl(8) parser.
  • Deal with cd(4) drives that are picky about being asked to play the leadout track. !
  • Note with regret and sadness that the freely available PCI vendor and device list is no longer available.
  • Bring protocols(5) more into line with current reality.
  • More improvements and device additions to pciide(4). --- 562,574 ----
  • Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
  • Enable the pfctl(8) 'static-port' keyword. !
  • Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
  • Add new output format option '-f' to ncheck_ffs(8).
  • ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
  • Fix a missing YYERROR in the pfctl(8) parser.
  • Deal with cd(4) drives that are picky about being asked to play the leadout track. !
  • Note with regret and sadness that the freely available PCI vendor and device list is no longer available.
  • Bring protocols(5) more into line with current reality.
  • More improvements and device additions to pciide(4).
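Review bot: the line marked `!` in the 439,445 hunk ("First installment of improvements to threaded file descriptor handling ...") reads identically on the 1.58 and 1.59 sides, so the change must sit in markup that this rendering does not show. The `!` lines in the later hunks have the same property. The log message for 1.59 should say what was altered on those lines, so that the revision can be checked without reading the raw HTML.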
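Review bot: in the 463,469 hunk the context entry "make the sum isn't recalculated when the packet hits layer 4" is missing a word and is carried unchanged into 1.59; it should read "make sure the sum isn't recalculated". The next entry cites "RFC 763" for pf(4) TCP state inspection, but TCP is specified in RFC 793, so the number looks transposed and is worth confirming against the original commit while this block is being touched.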
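Review bot: in the 535,541 hunk the DIOCRSETTFLAGS entry spells "implmentation" on both the old and new sides; since the revision already edits this block, fix it to "implementation" in the same commit. The word "pastos" in the pfctl(8) entry above it appears deliberate and can stay.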