===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/plus33.html,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- www/plus33.html 2003/10/24 22:12:41 1.8
+++ www/plus33.html 2004/03/28 09:44:05 1.9
@@ -157,7 +157,7 @@
Always set a bpf(4) filter in pflogd(8), since bpf will otherwise grab full-length packets.
strcpy->strlcpy in mount_portal(8), quotacheck(8), route(8) and routed(8).
Make pf(4) queue code drop illegal non-PKTHDR mbufs, and whine loudly so any problem will get noticed and fixed.
-Allow st(4) tape density codes up to 0xff (the old limit was 0x45.)
+Allow st(4) tape density codes up to 0xff (the old limit was 0x45).
Continued assault on manpage errors, omissions and bad English.
Fix a typo from pre-3.1 days that was stopping inode quotas from working.
Stop spamd-setup(8) always returning an error code.
@@ -314,7 +314,7 @@
pfctl(8) rejects non-existent interfaces in rules using dynamic interface syntax.
Move /var/at files into /var/cron since at(1) is now a part of cron(8).
-Fix support for pf(4) syntax (if)/24 (dynamic interface name translation with a network prefix.)
+Fix support for pf(4) syntax (if)/24 (dynamic interface name translation with a network prefix).
SECURITY FIX: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes in memory allocation routines.
A source code patch is available.
[Applied to stable]
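Review bot: the SECURITY FIX entry in the trailing context of this hunk is a comma splice, and as worded it reads as though performing the MAC computation is what causes the timing leak, when "this is a countermeasure" refers to that computation. Since this commit is already a wording cleanup of the page, split the entry into two sentences so the leak (via timing, when incorrect block cipher padding has been found) and the countermeasure (the MAC computation is performed even then) are stated separately.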
@@ -386,7 +386,7 @@
More fixes to pf(4) routing.
Don't ever send ICMP redirects for pf(4)-redirected packets .
Allow definition of pf(4) macros on the command line. Oh yes.
-Remove sinful abbreviation of the unit of frequency as 'hz' (it's 'Hz', don't you know.)
+Remove sinful abbreviation of the unit of frequency as 'hz' (it's 'Hz', don't you know).
tcpdump(8) now displays the DF flag for IP fragments.
Have spamd(8) pass sensible parameters to memset().
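Review bot: the context line "Don't ever send ICMP redirects for pf(4)-redirected packets ." at the top of this hunk has a stray space before its final period, the same kind of punctuation slip the changed line two entries below corrects. Drop the space in the same pass.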
@@ -413,7 +413,7 @@
Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result.
-First installment of improvements to threaded file descriptor handling (see the checkin comment for details.)
+First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints.
@@ -536,7 +536,7 @@
Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
Enable the pfctl(8) 'static-port' keyword.
-Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details.)
+Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
Add new output format option '-f' to ncheck_ffs(8).
ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
Fix a missing YYERROR in the pfctl(8) parser.
@@ -579,7 +579,7 @@
Remove fetch(9) and store(9) from the kernel, and replace calls to them with their copy(9) descendants.
Various strl* return value checks in pfctl(8).
-Initial support for queue statistics display for pfctl(8) (-vsq option.)
+Initial support for queue statistics display for pfctl(8) (-vsq option).
'Default-Phase-1-Configuration' -> 'Default-phase-1-configuration', 'Default-Phase-2-Suites' -> 'Default-phase-2-suites' in isakmpd(8).
New table manipulation syntax for pf.conf(5), and a corresponding new -Tl option for pfctl(8).
Add support for active/inactive pf(4) tablesets in the kernel
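Review bot: the last context line of this hunk, "Add support for active/inactive pf(4) tablesets in the kernel", has no terminating period, unlike the entries around it. Since the commit normalizes sentence-final punctuation on this page, add the period here as well.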
@@ -637,7 +637,7 @@
Have tcpdump(8) display all pf(4) rule types instead of just pass/block rules.
Make the pf(4) table code handle duplicate table names and/or duplicate addresses in a single ioctl(2) call.
-Remove the pf(4) skip-step for rule action (scrub or no-scrub.)
+Remove the pf(4) skip-step for rule action (scrub or no-scrub).
Properly update pf(4) scrub rule statistics.
Put pf(4) scrub rules into a ruleset separate to filter rules.
Implement policy suggestions in xsystrace(1).
@@ -653,7 +653,7 @@
Avoid a null deref when parsing the command line of make(1).
Allocate memory for connections to spamd(8) based on the -c command line option.
Make cd(4) try more often than other scsi devices, and don't ignore 'not ready' status from the bus.
-Add a parameter for the number of retries when waiting for a scsi device to come ready (scsi_test_unit_ready().)
+Add a parameter for the number of retries when waiting for a scsi device to come ready (scsi_test_unit_ready()).
If semop(2) has to do a tsleep(9), wake it back up at a much lower priority.
Wait until a semaphore undo structure can be allocated if one isn't available immediately, and check that another hasn't been allocated to our process while we were waiting.
Properly check SOCKS connection return code in nc(1).
@@ -731,7 +731,7 @@
Make SysV shared memory and semaphore limits configurable via sysctl(8). Oh yes.
whois(1) no longer barfs totally if just one of its query list is not found.
Add PRIQ scheduler support to pfctl(8).
-su(1) only calls setlogin(2) if it's the session leader (as noted in the setlogin manpage.)
+su(1) only calls setlogin(2) if it's the session leader (as noted in the setlogin manpage).
More compress(1)-works-like-gzip(1): Add -r (recurse) option, and make it truncate existing files when extracting.
Since pf(4) rule comparison is now done in userland, remove unused pf_compare* functions from the kernel.
pf(4) DIOCCHANGE* ioctls now require a ticket, to prevent races.
@@ -745,7 +745,7 @@
Convert altq(9) disciplines HFSC, PRIQ and RIO to pf(4)-based (CDNR and RED to come,) and remove other queuing disciplines.
iostat(8), systat(1) and vmstat(8) now update their disk stats automatically when a device is detached.
-Enable login failure recording by default, by installing a blank /var/log/failedlogin (see login(1).)
+Enable login failure recording by default, by installing a blank /var/log/failedlogin (see login(1)).
Fix some problems with the new inlined <ctype.h> functions on 64-bit architectures.
Make cdio(1) deal properly with multiline CDDB responses.
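Review bot: the first context line of this hunk still has punctuation inside the closing parenthesis, "(CDNR and RED to come,)", which is the comma variant of the pattern this commit fixes for periods. Move the comma outside so it reads "(CDNR and RED to come), and remove other queuing disciplines."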
@@ -771,7 +771,7 @@
Fix a potential (non-exploitable) buffer overrun in the httpd(8) macro FIX_PRECISION.
Add missing snprintf(3) error check to config(8).
-When mounting the root partition via NFS, call inittodr(9) with the root filesystem's atime rather than its mtime (since it's likely to be read-only and pretty static.)
+When mounting the root partition via NFS, call inittodr(9) with the root filesystem's atime rather than its mtime (since it's likely to be read-only and pretty static).
Renumber some (debug only) tun(4) ioctls so they don't clash with ppp(4).
Make sure user(8) cleans up properly on failure by calling pw_abort(3).
Check the interface is running first to avoid doing unnecessary STP processing in bridge(4).
@@ -836,7 +836,7 @@
Crank all (system) library major numbers now that propolice is in.
Make a copy of rather than just refer to a string in ld(1). Cures some ports linking problems.
Allow options at the end of pf(4) pass and block rules to come in any order.
-Make the bandwidth specifier optional in altq rules (as well as queue rules.) As a side effect, the altq rules can now have "bandwidth xx%" where the percentage is taken w.r.t. the interface bandwidth.
+Make the bandwidth specifier optional in altq rules (as well as queue rules). As a side effect, the altq rules can now have "bandwidth xx%" where the percentage is taken w.r.t. the interface bandwidth.
Implement legacy functions ecvt(3), fcvt(3) and gcvt(3) for standards compliance.
Add propolice stack attack protection into gcc(1).
Updated unifdef(1).
@@ -982,7 +982,7 @@
Add a cast to handle properly size_t larger than u_int in ssh(1).
Fix some problems gzip(1) had displaying information on files > 2GB.
-Serve pf(4) a strong draught of CIDR (e.g. can use 10/8 now instead of 10.0.0.0/8.)
+Serve pf(4) a strong draught of CIDR (e.g. can use 10/8 now instead of 10.0.0.0/8).
-STABLE branch created for 3.2. smrsh, pfbridge and kadmind errata fixes applied to it.
When checking a filename in ssh(1), don't fail when realpath(3) for the user's home directory - this happens legitimately when using AFS.
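Review bot: the ssh(1) entry in the trailing context of this hunk is missing a verb: "don't fail when realpath(3) for the user's home directory" does not say what realpath(3) does. Presumably "fails" was intended after realpath(3); worth confirming against the checkin comment and fixing alongside the punctuation change, since the entry describes when a filename check is allowed to proceed.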
@@ -1177,7 +1177,7 @@
www@openbsd.org
-
$OpenBSD: plus33.html,v 1.8 2003/10/24 22:12:41 david Exp $
+
$OpenBSD: plus33.html,v 1.9 2004/03/28 09:44:05 deraadt Exp $