=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus33.html,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- www/plus33.html 2003/10/24 22:12:41 1.8 +++ www/plus33.html 2004/03/28 09:44:05 1.9 @@ -157,7 +157,7 @@
  • Always set a bpf(4) filter in pflogd(8), since bpf will otherwise grab full-length packets.
  • strcpy->strlcpy in mount_portal(8), quotacheck(8), route(8) and routed(8).
  • Make pf(4) queue code drop illegal non-PKTHDR mbufs, and whine loudly so any problem will get noticed and fixed. -
  • Allow st(4) tape density codes up to 0xff (the old limit was 0x45.) +
  • Allow st(4) tape density codes up to 0xff (the old limit was 0x45).
  • Continued assault on manpage errors, omissions and bad English.
  • Fix a typo from pre-3.1 days that was stopping inode quotas from working.
  • Stop spamd-setup(8) always returning an error code. @@ -314,7 +314,7 @@
  • pfctl(8) rejects non-existent interfaces in rules using dynamic interface syntax.
  • Move /var/at files into /var/cron since at(1) is now a part of cron(8). -
  • Fix support for pf(4) syntax (if)/24 (dynamic interface name translation with a network prefix.) +
  • Fix support for pf(4) syntax (if)/24 (dynamic interface name translation with a network prefix).
  • SECURITY FIX: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes in memory allocation routines.
    A source code patch is available.
    [Applied to stable] @@ -386,7 +386,7 @@
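Review bot: the SECURITY FIX entry in the context of the hunk ending at "[Applied to stable]" is left with a comma splice that makes the ssl(8) item ambiguous: "by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure" can be read as the MAC computation causing the timing leak. Since this commit is a punctuation cleanup of the same list, consider splitting that entry into two sentences, one stating that an information leak can occur via timing and one stating that performing the MAC computation even when the padding is incorrect is the countermeasure.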
  • More fixes to pf(4) routing.
  • Don't ever send ICMP redirects for pf(4)-redirected packets .
  • Allow definition of pf(4) macros on the command line. Oh yes. -
  • Remove sinful abbreviation of the unit of frequency as 'hz' (it's 'Hz', don't you know.) +
  • Remove sinful abbreviation of the unit of frequency as 'hz' (it's 'Hz', don't you know).
  • tcpdump(8) now displays the DF flag for IP fragments.
  • Have spamd(8) pass sensible parameters to memset(). @@ -413,7 +413,7 @@
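Review bot: the context line "Don't ever send ICMP redirects for pf(4)-redirected packets ." in the hunk ending at the spamd(8) memset() entry still shows a space before the full stop. It is the same kind of punctuation slip this commit fixes two entries further down, so it could be folded into the same change by closing the entry as "packets."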
  • Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
  • Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result. -
  • First installment of improvements to threaded file descriptor handling (see the checkin comment for details.) +
  • First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
  • isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
  • Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints. @@ -536,7 +536,7 @@
  • Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
  • Enable the pfctl(8) 'static-port' keyword. -
  • Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details.) +
  • Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
  • Add new output format option '-f' to ncheck_ffs(8).
  • ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
  • Fix a missing YYERROR in the pfctl(8) parser. @@ -579,7 +579,7 @@
  • Remove fetch(9) and store(9) from the kernel, and replace calls to them with their copy(9) descendants.
  • Various strl* return value checks in pfctl(8). -
  • Initial support for queue statistics display for pfctl(8) (-vsq option.) +
  • Initial support for queue statistics display for pfctl(8) (-vsq option).
  • 'Default-Phase-1-Configuration' -> 'Default-phase-1-configuration', 'Default-Phase-2-Suites' -> 'Default-phase-2-suites' in isakmpd(8).
  • New table manipulation syntax for pf.conf(5), and a corresponding new -Tl option for pfctl(8).
  • Add support for active/inactive pf(4) tablesets in the kernel @@ -637,7 +637,7 @@
  • Have tcpdump(8) display all pf(4) rule types instead of just pass/block rules.
  • Make the pf(4) table code handle duplicate table names and/or duplicate addresses in a single ioctl(2) call. -
  • Remove the pf(4) skip-step for rule action (scrub or no-scrub.) +
  • Remove the pf(4) skip-step for rule action (scrub or no-scrub).
  • Properly update pf(4) scrub rule statistics.
  • Put pf(4) scrub rules into a ruleset separate to filter rules.
  • Implement policy suggestions in xsystrace(1). @@ -653,7 +653,7 @@
  • Avoid a null deref when parsing the command line of make(1).
  • Allocate memory for connections to spamd(8) based on the -c command line option.
  • Make cd(4) try more often than other scsi devices, and don't ignore 'not ready' status from the bus. -
  • Add a parameter for the number of retries when waiting for a scsi device to come ready (scsi_test_unit_ready().) +
  • Add a parameter for the number of retries when waiting for a scsi device to come ready (scsi_test_unit_ready()).
  • If semop(2) has to do a tsleep(9), wake it back up at a much lower priority.
  • Wait until a semaphore undo structure can be allocated if one isn't available immediately, and check that another hasn't been allocated to our process while we were waiting.
  • Properly check SOCKS connection return code in nc(1). @@ -731,7 +731,7 @@
  • Make SysV shared memory and semaphore limits configurable via sysctl(8). Oh yes.
  • whois(1) no longer barfs totally if just one of its query list is not found.
  • Add PRIQ scheduler support to pfctl(8). -
  • su(1) only calls setlogin(2) if it's the session leader (as noted in the setlogin manpage.) +
  • su(1) only calls setlogin(2) if it's the session leader (as noted in the setlogin manpage).
  • More compress(1)-works-like-gzip(1): Add -r (recurse) option, and make it truncate existing files when extracting.
  • Since pf(4) rule comparison is now done in userland, remove unused pf_compare* functions from the kernel.
  • pf(4) DIOCCHANGE* ioctls now require a ticket, to prevent races. @@ -745,7 +745,7 @@
  • Convert altq(9) disciplines HFSC, PRIQ and RIO to pf(4)-based (CDNR and RED to come,) and remove other queuing disciplines.
  • iostat(8), systat(1) and vmstat(8) now update their disk stats automatically when a device is detached. -
  • Enable login failure recording by default, by installing a blank /var/log/failedlogin (see login(1).) +
  • Enable login failure recording by default, by installing a blank /var/log/failedlogin (see login(1)).
  • Fix some problems with the new inlined <ctype.h> functions on 64-bit architectures.
  • Make cdio(1) deal properly with multiline CDDB responses. @@ -771,7 +771,7 @@
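Review bot: the first context line of the hunk ending at the cdio(1) entry keeps punctuation inside the parenthesis, in "(CDNR and RED to come,) and remove other queuing disciplines", while the change below it moves the full stop out of "(see login(1).)". For consistency with the rest of this commit the comma should move outside as well, giving "(CDNR and RED to come), and remove other queuing disciplines".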
  • Fix a potential (non-exploitable) buffer overrun in the httpd(8) macro FIX_PRECISION.
  • Add missing snprintf(3) error check to config(8). -
  • When mounting the root partition via NFS, call inittodr(9) with the root filesystem's atime rather than its mtime (since it's likely to be read-only and pretty static.) +
  • When mounting the root partition via NFS, call inittodr(9) with the root filesystem's atime rather than its mtime (since it's likely to be read-only and pretty static).
  • Renumber some (debug only) tun(4) ioctls so they don't clash with ppp(4).
  • Make sure user(8) cleans up properly on failure by calling pw_abort(3).
  • Check the interface is running first to avoid doing unnecessary STP processing in bridge(4). @@ -836,7 +836,7 @@
  • Crank all (system) library major numbers now that propolice is in.
  • Make a copy of rather than just refer to a string in ld(1). Cures some ports linking problems.
  • Allow options at the end of pf(4) pass and block rules to come in any order. -
  • Make the bandwidth specifier optional in altq rules (as well as queue rules.) As a side effect, the altq rules can now have "bandwidth xx%" where the percentage is taken w.r.t. the interface bandwidth. +
  • Make the bandwidth specifier optional in altq rules (as well as queue rules). As a side effect, the altq rules can now have "bandwidth xx%" where the percentage is taken w.r.t. the interface bandwidth.
  • Implement legacy functions ecvt(3), fcvt(3) and gcvt(3) for standards compliance.
  • Add propolice stack attack protection into gcc(1).
  • Updated unifdef(1). @@ -982,7 +982,7 @@
  • Add a cast to handle properly size_t larger than u_int in ssh(1).
  • Fix some problems gzip(1) had displaying information on files > 2GB. -
  • Serve pf(4) a strong draught of CIDR (e.g. can use 10/8 now instead of 10.0.0.0/8.) +
  • Serve pf(4) a strong draught of CIDR (e.g. can use 10/8 now instead of 10.0.0.0/8).
  • -STABLE branch created for 3.2. smrsh, pfbridge and kadmind errata fixes applied to it.
  • When checking a filename in ssh(1), don't fail when realpath(3) for the user's home directory - this happens legitimately when using AFS. @@ -1177,7 +1177,7 @@
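Review bot: the last context line of the hunk ending at the ssh(1) realpath(3) entry is missing a verb: "don't fail when realpath(3) for the user's home directory" does not say what realpath(3) does. As this commit is already correcting the wording of neighbouring entries, consider completing the clause, for example "don't fail when realpath(3) fails for the user's home directory", if that is the intended meaning.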
    OpenBSD www@openbsd.org -
    $OpenBSD: plus33.html,v 1.8 2003/10/24 22:12:41 david Exp $ +
    $OpenBSD: plus33.html,v 1.9 2004/03/28 09:44:05 deraadt Exp $