=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/plus34.html,v retrieving revision 1.4 retrieving revision 1.5 diff -c -r1.4 -r1.5 *** www/plus34.html 2004/02/19 03:30:52 1.4 --- www/plus34.html 2004/03/28 09:44:05 1.5 *************** *** 81,87 ****

Allocate enough space for sysctl(3) in pstat(8).

Fix the endianness of tcpdump(8)'s icmp echo output. !

Match up kernel and userland ioctls for AFS, allowing afsd(8) to turn on kernel debugging (PR#3442.)

Mirror the crypto(9) sha2 context fix in libc sha2(3).

Make an invalid '-<num>' option to diff(1) give an error. --- 81,87 ----

Allocate enough space for sysctl(3) in pstat(8).

Fix the endianness of tcpdump(8)'s icmp echo output. !

Match up kernel and userland ioctls for AFS, allowing afsd(8) to turn on kernel debugging (PR#3442).

Mirror the crypto(9) sha2 context fix in libc sha2(3).

Make an invalid '-<num>' option to diff(1) give an error. *************** *** 89,96 ****

Resurrect the -u<num> unified context length syntax for diff(1).

Use more bytes of the file when testing for binary in grep(1).

Test more than just the first character of the input file for ASCIIness in diff(1). !

Stop pppctl(8) coredumping (PR#3454.) !

Fix i386 hang on 'boot -a' (PR#2122, PR#3437.)

Have the upgrader script perform the ssl -> openssl includes dir change, both in /usr/include and /usr/libdata/perl5/site_perl/*-openbsd.

Make strxfrm(3) standards-compliant. --- 89,96 ----

Resurrect the -u<num> unified context length syntax for diff(1).

Use more bytes of the file when testing for binary in grep(1).

Test more than just the first character of the input file for ASCIIness in diff(1). !

Stop pppctl(8) coredumping (PR#3454). !

Fix i386 hang on 'boot -a' (PR#2122, PR#3437).

Have the upgrader script perform the ssl -> openssl includes dir change, both in /usr/include and /usr/libdata/perl5/site_perl/*-openbsd.

Make strxfrm(3) standards-compliant. *************** *** 98,120 ****

Add a wi_detach() function for, uh, wi(4) and use it to shut down PC cards properly.

Sync pf.os(5) database with p0f 2.0 release. !

Allow compress(1) to read from a symlink when writing to stdout (PR#3409.)

Only trigger the gcc(1) bounds checker warning if the bounds length is less than zero, since some legal code uses the zero case. !

Fix some bugs in the pkg_* tools (PR#3414.)

Don't leak a socket in the isakmpd(8) setsockopt error path.

Add a SMALL define in compress(1) that leaves out bits not needed by the installer.

Add a null compressor to compress(1) so gzcat and friends can work on uncompressed files.

Fix a FILE* leak in sup(1). !

Fix a crasher in netstat(1) by adding descriptions for icmp types up to ICMP_MAXTYPE (PR#3439.)

Correct some ld.so(1) logic so that the GOT and PLT always get W^X applied.

Add a GOT symbol lookup cache to ld.so(1).

A few more bzero(sizeof pointer) fixes.

Temp file security fixes for sup(1).

Add dummy syscalls under Linux emulation for *xattr(), all returning ENOATTR. !

Make the small window size feature of spamd(8) optional (see PR#3435.) !

Plug memory leaks in lpd(8) and lpq(1) (PR#3425.)

Fix sizeof(pointer) bzero(3) args in crypto(9) sha2 code.

Add Broadcom BC5823 crypto accelerator support to ubsec(4). --- 98,120 ----

Add a wi_detach() function for, uh, wi(4) and use it to shut down PC cards properly.

Sync pf.os(5) database with p0f 2.0 release. !

Allow compress(1) to read from a symlink when writing to stdout (PR#3409).

Only trigger the gcc(1) bounds checker warning if the bounds length is less than zero, since some legal code uses the zero case. !

Fix some bugs in the pkg_* tools (PR#3414).

Don't leak a socket in the isakmpd(8) setsockopt error path.

Add a SMALL define in compress(1) that leaves out bits not needed by the installer.

Add a null compressor to compress(1) so gzcat and friends can work on uncompressed files.

Fix a FILE* leak in sup(1). !

Fix a crasher in netstat(1) by adding descriptions for icmp types up to ICMP_MAXTYPE (PR#3439).

Correct some ld.so(1) logic so that the GOT and PLT always get W^X applied.

Add a GOT symbol lookup cache to ld.so(1).

A few more bzero(sizeof pointer) fixes.

Temp file security fixes for sup(1).

Add dummy syscalls under Linux emulation for *xattr(), all returning ENOATTR. !

Make the small window size feature of spamd(8) optional (see PR#3435). !

Plug memory leaks in lpd(8) and lpq(1) (PR#3425).

Fix sizeof(pointer) bzero(3) args in crypto(9) sha2 code.

Add Broadcom BC5823 crypto accelerator support to ubsec(4). *************** *** 135,141 ****

Fix a use-after-free in libutil check_expire(3).

Bump OpenSSH version to 3.7.
[Applied to stable] !

Fix symbol lookup in objects opened with dlopen(3) (PR#3371.)

Add Solaris-compatible RTLD_* defines in <dlfch.h>.

Fix a memory leak in sshd(8) GSSAPI authentication. --- 135,141 ----

Fix a use-after-free in libutil check_expire(3).

Bump OpenSSH version to 3.7.
[Applied to stable] !

Fix symbol lookup in objects opened with dlopen(3) (PR#3371).

Add Solaris-compatible RTLD_* defines in <dlfch.h>.

Fix a memory leak in sshd(8) GSSAPI authentication. *************** *** 179,185 ****

Fix afsd(8) crashes on alignment-sensitive architectures.

Do a dummy password calculation for nonexistent usernames in sshd(8), to prevent username discovery by timing.

Add new route(4) flag RTF_CLONED (displayed with a 'c' in netstat(1),) set for cloned routes and used to delete such routes when the parent goes away. !

Don't insert the full gcc(1) string into objects by default (see -findent in gcc-local(1).)

Have pfctl(8) disallow return-rst ttl values greater than 255.

Add an interface init routine to struct ifnet, required for 802.11 support. --- 179,185 ----

Fix afsd(8) crashes on alignment-sensitive architectures.

Do a dummy password calculation for nonexistent usernames in sshd(8), to prevent username discovery by timing.

Add new route(4) flag RTF_CLONED (displayed with a 'c' in netstat(1),) set for cloned routes and used to delete such routes when the parent goes away. !

Don't insert the full gcc(1) string into objects by default (see -findent in gcc-local(1)).

Have pfctl(8) disallow return-rst ttl values greater than 255.

Add an interface init routine to struct ifnet, required for 802.11 support. *************** *** 190,196 ****

Stop pfctl(8) rejecting perfectly legitimate nat-with-tables rules.

When tables are used in pf(4) routing rules with address pools, only allow round-robin mode.

Structure and defines for generic IEEE 802.11 framework. !

'Implement' pread(2) and pwrite(2) under FreeBSD emulation (they're identical to the native calls.)

In the installer, if an interface is configured using DHCP then assume that the default route is via DHCP also.

Improvements to spamd(8):

Stop pfctl(8) rejecting perfectly legitimate nat-with-tables rules.
When tables are used in pf(4) routing rules with address pools, only allow round-robin mode.
Structure and defines for generic IEEE 802.11 framework. !
'Implement' pread(2) and pwrite(2) under FreeBSD emulation (they're identical to the native calls).
In the installer, if an interface is configured using DHCP then assume that the default route is via DHCP also.
Improvements to spamd(8):
- In the kernel, change arguments to suser(), and add new suser_ucred() for instances where caller doesn't have a process.
- New -S option to pkg_create(1), like -s only better. !
- Zero out unused directory entry fields on FAT12 and FAT16 filesystems, to avoid breakage on Win2k and WinXP (PR#3400.)
- Add a bunch more syscall stubs and implement exit_group() under Linux emulation. Needed for newer glibc binaries.
- Fix wrongness, memory leakage and a panic on directory reads in other-OS emulation mode on some filesystems. !
- Have ssh-keygen(1) exit nicely after screening candidate primes (-T option.)
- Much cleanup in the new safe(4) driver.
- Add the POSIX-mandated struct itimerspec to sys/time.h . --- 255,264 ----
- In the kernel, change arguments to suser(), and add new suser_ucred() for instances where caller doesn't have a process.
- New -S option to pkg_create(1), like -s only better. !
- Zero out unused directory entry fields on FAT12 and FAT16 filesystems, to avoid breakage on Win2k and WinXP (PR#3400).
- Add a bunch more syscall stubs and implement exit_group() under Linux emulation. Needed for newer glibc binaries.
- Fix wrongness, memory leakage and a panic on directory reads in other-OS emulation mode on some filesystems. !
- Have ssh-keygen(1) exit nicely after screening candidate primes (-T option).
- Much cleanup in the new safe(4) driver.
- Add the POSIX-mandated struct itimerspec to sys/time.h . *************** *** 274,280 ****
- Merge in xfs from the ARLA-current as of 20030805.
- Stop pkg_create(1) erasing the last checksum from CONTENTS. !
- Kill a panic when creating a block device on a full filesystem (NetBSD PR#22419.)
  [Applied to stable]
- ftp(1), rsh(1) and talk(1) now use poll(2) instead of select(2).
- Unbreak pf(4) DIOCCHANGEADDR.
  --- 274,280 ----
- Merge in xfs from the ARLA-current as of 20030805.
- Stop pkg_create(1) erasing the last checksum from CONTENTS. !
- Kill a panic when creating a block device on a full filesystem (NetBSD PR#22419).
  [Applied to stable]
- ftp(1), rsh(1) and talk(1) now use poll(2) instead of select(2).
- Unbreak pf(4) DIOCCHANGEADDR.
  *************** *** 328,334 ****
- New, BSD-licensed znew(1) script.
- Properly check the result of attempts to read from and write to processes in pmdb(1). !
- Stop ksh(1)'s Emacs mode yank-pop command dumping core when run twice (PR#3384.)
- Correct emulation of Linux ftruncate64().
- SECURITY FIX: An off-by-one error exists in the C library function realpath(3). Since this same bug resulted in a root compromise in the wu-ftpd ftp server it is possible that this bug may allow an attacker to gain escalated privileges on OpenBSD.
  --- 328,334 ----
- New, BSD-licensed znew(1) script.
- Properly check the result of attempts to read from and write to processes in pmdb(1). !
- Stop ksh(1)'s Emacs mode yank-pop command dumping core when run twice (PR#3384).
- Correct emulation of Linux ftruncate64().
- SECURITY FIX: An off-by-one error exists in the C library function realpath(3). Since this same bug resulted in a root compromise in the wu-ftpd ftp server it is possible that this bug may allow an attacker to gain escalated privileges on OpenBSD.
  *************** *** 347,353 ****
- Privilege separation for syslogd(8). Note new HUP behaviour.
- Have patch(1) complain about non-existent lines at most once per patch.
- Make sure pfctl(8) doesn't attempt to display no-longer-existent queues. !
- In sshd(8), check that password authentication is enabled before trying to authenticate users using the 'none' method (i.e. a blank password.)
- Add a new, BSD-licensed gzexe(1).
- Fix diff(1) exit codes when comparing against stdin. --- 347,353 ----
- Privilege separation for syslogd(8). Note new HUP behaviour.
- Have patch(1) complain about non-existent lines at most once per patch.
- Make sure pfctl(8) doesn't attempt to display no-longer-existent queues. !
- In sshd(8), check that password authentication is enabled before trying to authenticate users using the 'none' method (i.e. a blank password).
- Add a new, BSD-licensed gzexe(1).
- Fix diff(1) exit codes when comparing against stdin. *************** *** 363,372 ****
- Better TMPDIR environment variable handling in patch(1).
- Improved test for output on stdout in compress(1).
- New ssh(1) progress meter implementation, with better licensing. !
- Add 'pass on lo' to the temporary boottime pf.conf(5) (PR#3376.) !
- Fix ftp-proxy(8)'s handling of multiline server responses (PR#3378.)
- Add a new, BSD-licensed zforce(1) script. !
- Make compress(1) do the right thing when confronted with (e.g.) 'gzip -lN < foo.gz'.
- Another missing netinet byte-order fixup, this time in fragment reassembly code.
- Fix a printf(%s) off-by-one in isakmpd(8).
- Improvements to pf(4) skip-step calculation. --- 363,372 ----
- Better TMPDIR environment variable handling in patch(1).
- Improved test for output on stdout in compress(1).
- New ssh(1) progress meter implementation, with better licensing. !
- Add 'pass on lo' to the temporary boottime pf.conf(5) (PR#3376). !
- Fix ftp-proxy(8)'s handling of multiline server responses (PR#3378).
- Add a new, BSD-licensed zforce(1) script. !
- Make compress(1) do the right thing when confronted with (e.g). 'gzip -lN < foo.gz'.
- Another missing netinet byte-order fixup, this time in fragment reassembly code.
- Fix a printf(%s) off-by-one in isakmpd(8).
- Improvements to pf(4) skip-step calculation. *************** *** 376,382 ****
- Remove unlicensed MATH_EMULATE code (written by some guy named Torvalds) from the kernel, leaving only the GNU emulation code for the moment.
- Don't treat consecutive slashes as path components in patch(1), for POSIX reasons.
- Make patch(1)'s exit value consistent with POSIX and with diff(1). !
- Add mbuf(9) markup (M_TUNNEL) for tunnel-mode IPsec connections so that gif(4) over IPsec can be detected and unencapsulated consistently (PR#3023.)
- ssh-keygen(1) can now generate the Diffie-Hellman groups as needed by moduli(5).
- If compress(1) detects that compressed output would be larger than the input, fail so that the .gz file gets removed. --- 376,382 ----
- Remove unlicensed MATH_EMULATE code (written by some guy named Torvalds) from the kernel, leaving only the GNU emulation code for the moment.
- Don't treat consecutive slashes as path components in patch(1), for POSIX reasons.
- Make patch(1)'s exit value consistent with POSIX and with diff(1). !
- Add mbuf(9) markup (M_TUNNEL) for tunnel-mode IPsec connections so that gif(4) over IPsec can be detected and unencapsulated consistently (PR#3023).
- ssh-keygen(1) can now generate the Diffie-Hellman groups as needed by moduli(5).
- If compress(1) detects that compressed output would be larger than the input, fail so that the .gz file gets removed. *************** *** 400,406 ****
- Fix IP packet length setting for IPsec tunnels, lost in recent byte order changes.
- Add sha2 support for IPsec.
- Add _syslogd user for, um, syslogd(8), soon to get the privsep treatment. !
- Allow the kernel to build with inet enabled but ether disabled (PR#3356.)
- New APIWARN libc/Makefile define, disabled by default, which makes the linker complain whenever unsafe string functions are used.
- Move nasty SCSI utility code out of libutil and into scsi(8), the only place it's used. --- 400,406 ----
- Fix IP packet length setting for IPsec tunnels, lost in recent byte order changes.
- Add sha2 support for IPsec.
- Add _syslogd user for, um, syslogd(8), soon to get the privsep treatment. !
- Allow the kernel to build with inet enabled but ether disabled (PR#3356).
- New APIWARN libc/Makefile define, disabled by default, which makes the linker complain whenever unsafe string functions are used.
- Move nasty SCSI utility code out of libutil and into scsi(8), the only place it's used. *************** *** 429,445 ****
- Add ftw(3) and nftw(3) functions, implemented using fts(3), for XPG compliance.
- Dynamically grow diff(1)'s array of changes as required.
- Fix a redraw bug in vi(1) that could cause endless recursion. !
- Compile modload(8) with the -Z option to ld(1) (disabling W^X.)
- Fix a typo in md5(1) that created an array of ints instead of chars.
- Allow uhid(4) devices to be used as 'mice' for the X server.
- In wd(4) only use LBA48 when absolutely necessary, to cut down on register-writing overhead.
- Have ac(8) ignore entries that go back in time. !
- Fix a bug causing a segfault in grep(1) (PR#3358.)
- With MALLOC_EXTRA_SANITY defined, have malloc(3) just warn instead of dying on mmap(2)/brk(2) errors.
- Updates to systrace(1): Bug fixes and new 'ask' action. !
- Fix sftp filename parsing for arguments with escaped quotes (OpenSSH bug #517.)
- Don't flip compress(1) into 'zcat' mode if the -o option is given.
- Check that the mountpoint of the descriptor passed to fstatfs(2) is non-NULL. --- 429,445 ----
- Add ftw(3) and nftw(3) functions, implemented using fts(3), for XPG compliance.
- Dynamically grow diff(1)'s array of changes as required.
- Fix a redraw bug in vi(1) that could cause endless recursion. !
- Compile modload(8) with the -Z option to ld(1) (disabling W^X).
- Fix a typo in md5(1) that created an array of ints instead of chars.
- Allow uhid(4) devices to be used as 'mice' for the X server.
- In wd(4) only use LBA48 when absolutely necessary, to cut down on register-writing overhead.
- Have ac(8) ignore entries that go back in time. !
- Fix a bug causing a segfault in grep(1) (PR#3358).
- With MALLOC_EXTRA_SANITY defined, have malloc(3) just warn instead of dying on mmap(2)/brk(2) errors.
- Updates to systrace(1): Bug fixes and new 'ask' action. !
- Fix sftp filename parsing for arguments with escaped quotes (OpenSSH bug #517).
- Don't flip compress(1) into 'zcat' mode if the -o option is given.
- Check that the mountpoint of the descriptor passed to fstatfs(2) is non-NULL. *************** *** 447,457 ****
- GNU diff compatibility and many other fixes and cleanups to diff(1).
- Fix pf(4) scrub rule fragment reassembly after the netinet byte order changes. !
- Add ESP decryption support to tcpdump(8) (-E option.)
- Make diff(1)'s no-newline-at-end-of-file handling consistent with GNU diff, now that patch(1) is expecting this.
- Fix a sizeof(wrongthing) bug in grep(1). !
- Teach patch(1) how to deal with "\ No newline at end of file" as produced by GNU diff (and soon OpenBSD diff(1) as well.) From NetBSD.
- In newfs(8), remove the ffs default limit of 16 cylinders per group, and simply set to match other parameters. Change the default frag size to 2048, which bumps the block size to 16k. (From FreeBSD newfs.c late 2001.)
- React rationally to bogus line numbers in input to patch(1).
- Don't store Kerberos credentials in the privileged sshd(8) process. --- 447,457 ----
- GNU diff compatibility and many other fixes and cleanups to diff(1).
- Fix pf(4) scrub rule fragment reassembly after the netinet byte order changes. !
- Add ESP decryption support to tcpdump(8) (-E option).
- Make diff(1)'s no-newline-at-end-of-file handling consistent with GNU diff, now that patch(1) is expecting this.
- Fix a sizeof(wrongthing) bug in grep(1). !
- Teach patch(1) how to deal with "\ No newline at end of file" as produced by GNU diff (and soon OpenBSD diff(1) as well). From NetBSD.
- In newfs(8), remove the ffs default limit of 16 cylinders per group, and simply set to match other parameters. Change the default frag size to 2048, which bumps the block size to 16k. (From FreeBSD newfs.c late 2001.)
- React rationally to bogus line numbers in input to patch(1).
- Don't store Kerberos credentials in the privileged sshd(8) process. *************** *** 468,474 ****
- Range-check numeric arguments to grep(1) against INT_MAX.
- Un-swap the sec and usec uptime stats in an(4).
- Fix file suffix handling code in compress(1). !
- Allow compress(1) to accept -t and an implied -c when we're taking piped input (normally -t and -c are mutually exclusive.)
- Enable build of KerberosV libraries under lib/.
- More manpage cleanup.
- Remove undocumented sshd(8) option '-V'. --- 468,474 ----
- Range-check numeric arguments to grep(1) against INT_MAX.
- Un-swap the sec and usec uptime stats in an(4).
- Fix file suffix handling code in compress(1). !
- Allow compress(1) to accept -t and an implied -c when we're taking piped input (normally -t and -c are mutually exclusive).
- Enable build of KerberosV libraries under lib/.
- More manpage cleanup.
- Remove undocumented sshd(8) option '-V'. *************** *** 485,491 ****
- Make sure an unlock message gets sent when handing NFS receive errors.
- Add a cast to 64 bits to prevent a statfs(2) overflow on large disks. !
- Fix grep(1)'s -v semantics (print if no match of any pattern.)
- LBA48 support and compatibility tweaks for atactl(8).
- Set the correct return code when grep(1) dies due to an error.
- Fix parsing of -<num> (context) option to grep(1). --- 485,491 ----
- Make sure an unlock message gets sent when handing NFS receive errors.
- Add a cast to 64 bits to prevent a statfs(2) overflow on large disks. !
- Fix grep(1)'s -v semantics (print if no match of any pattern).
- LBA48 support and compatibility tweaks for atactl(8).
- Set the correct return code when grep(1) dies due to an error.
- Fix parsing of -<num> (context) option to grep(1). *************** *** 507,513 ****
- Give gem(4) a performance boost on sparc64 and macppc.
- Merge in libevent 0.7a.
- New 'remove manpage' option -u to makewhatis(8). !
- Fix a dangling pointer when deleting multicast router virtual interfaces (option MROUTING required.)
- Fix some PHY problems in sis(4).
- Better temp file handling in diff(1).
- diff(1)'s -l (paginate) option works again. --- 507,513 ----
- Give gem(4) a performance boost on sparc64 and macppc.
- Merge in libevent 0.7a.
- New 'remove manpage' option -u to makewhatis(8). !
- Fix a dangling pointer when deleting multicast router virtual interfaces (option MROUTING required).
- Fix some PHY problems in sis(4).
- Better temp file handling in diff(1).
- diff(1)'s -l (paginate) option works again. *************** *** 528,534 ****
- Pass the right length to readlink(2) in rdistd(1).
- When given a unix domain socket name that's too long, nc(1) gives a helpful error instead of silently truncating the name.
- Implement the cpuid() function for generic i386, not just for longrun. !
- Print dump(8) times correctly (PR#3296.)
- raidctl(8) dies noisily instead of silently truncating overlong command line options.
- mount_nfs(8) now gives a helpful message when the hostname is too long. --- 528,534 ----
- Pass the right length to readlink(2) in rdistd(1).
- When given a unix domain socket name that's too long, nc(1) gives a helpful error instead of silently truncating the name.
- Implement the cpuid() function for generic i386, not just for longrun. !
- Print dump(8) times correctly (PR#3296).
- raidctl(8) dies noisily instead of silently truncating overlong command line options.
- mount_nfs(8) now gives a helpful message when the hostname is too long. *************** *** 570,576 ****
- Under-the-hood improvements to speed up m4(1).
- Add some buffer management functions for pf(4) tables.
- unifdef(1) fixes from FreeBSD. !
- Reset pf(4) interface statistics when the loginterface is changed (PR#3332.)
- Properly purge pf(4) tags when flushing bridge(4) filter rules.
- Don't generate an icmp6 redirect if pf(4) rewrote the destination address.
- Improve compress(1)'s gzip compatibility with silly configure scripts that expect 'gzip -h' to return success. --- 570,576 ----
- Under-the-hood improvements to speed up m4(1).
- Add some buffer management functions for pf(4) tables.
- unifdef(1) fixes from FreeBSD. !
- Reset pf(4) interface statistics when the loginterface is changed (PR#3332).
- Properly purge pf(4) tags when flushing bridge(4) filter rules.
- Don't generate an icmp6 redirect if pf(4) rewrote the destination address.
- Improve compress(1)'s gzip compatibility with silly configure scripts that expect 'gzip -h' to return success. *************** *** 642,648 ****
- Don't use getopt(3) in printf(1) since this causes formats beginning with a hyphen to be interpreted as flags.
- Add a simple zmore(1) script using compress(1).
- Add pcmcia(4) and wi(4) support for sparc. !
- Install a host route for a point-to-point interface even if a connected net route via a broadcast interface exists (NetBSD PR 21903.)
- Check for nfds<0 in poll(2).
- Better temp file handling in XFree's gccmakedep(1).
- Temporarily work around a tables-related use-after-free in pf(4). --- 642,648 ----
- Don't use getopt(3) in printf(1) since this causes formats beginning with a hyphen to be interpreted as flags.
- Add a simple zmore(1) script using compress(1).
- Add pcmcia(4) and wi(4) support for sparc. !
- Install a host route for a point-to-point interface even if a connected net route via a broadcast interface exists (NetBSD PR 21903).
- Check for nfds<0 in poll(2).
- Better temp file handling in XFree's gccmakedep(1).
- Temporarily work around a tables-related use-after-free in pf(4). *************** *** 672,681 ****
- rpcgen(1) now generates much prettier ANSI C code.
- Back out the recent xdm(1) '-nolisten tcp' change.
- Plug some memory leaks in popa3d(8) and systrace(1). !
- Strip the newline from user input when requesting a continuation filename in restore(8) (PR#3324.)
- Fix a bug that condemned fortune(6) to be always inoffensive. !
- Have bpf(4) return ENOBUFS on malloc(9) failure instead of causing a panic (PR#2235,PR#2236,PR#2640.)
- Make m4(1)'s handling of builtin and user macros more consistent, and allow pushdef to work for builtins.
- xdm(1) now passes '-nolisten tcp' to Xserver(1) by default for local display :0.
- Re-enable UDMA mode 5 for HPT370A pciide(4) devices, now that timing and interrupt problems are fixed. --- 672,681 ----
- rpcgen(1) now generates much prettier ANSI C code.
- Back out the recent xdm(1) '-nolisten tcp' change.
- Plug some memory leaks in popa3d(8) and systrace(1). !
- Strip the newline from user input when requesting a continuation filename in restore(8) (PR#3324).
- Fix a bug that condemned fortune(6) to be always inoffensive. !
- Have bpf(4) return ENOBUFS on malloc(9) failure instead of causing a panic (PR#2235,PR#2236,PR#2640).
- Make m4(1)'s handling of builtin and user macros more consistent, and allow pushdef to work for builtins.
- xdm(1) now passes '-nolisten tcp' to Xserver(1) by default for local display :0.
- Re-enable UDMA mode 5 for HPT370A pciide(4) devices, now that timing and interrupt problems are fixed. *************** *** 684,700 ****
- Properly display no-route addresses when expanding label macros in pfctl(8).
- Back out the recent ssh(1) smartcard key fix, it violates PKCS#1.
- When the expansion of the $srcaddr or $dstaddr label macro is a table, have pfctl(8) print the table name instead of garbage. !
- Unbreak vmstat(8) on diskless machines (PR#3322.)
- Relax rtadvd.conf(5) syntax, removing the need for the addrs option.
- Use getifaddrs(3) in amd(8), fixing the 'wire' location selector.
- Return the correct error message if the user tries to kill a non-existent process from top(1). !
- Add a few missing dead-key composition entries (PR#3295, with an entry for cedilla as well as for double-quote.) !
- Avoid a null deref in cnkqfilter() (/dev/console kqueue(2) crash, PR#3317.)
- Fix a logic bug in mtree(8) that was making -U return an error just like -u.
- Make ssh-add(1) redisplay the key comment when prompting after a bad passphrase. !
- Fix "bad decrypted len" errors in ssh(1) when using smartcard-stored public keys (OpenSSH bug 592.)
- Updates for systrace(1), support freeing of old policies and escaping of special characters.
- Better byte-swapping behaviour in dc(4), fixing mac address reads on big-endian architectures.
- Make dhclient-script(8) fix up resolv.conf(5)'s permissions. --- 684,700 ----
- Properly display no-route addresses when expanding label macros in pfctl(8).
- Back out the recent ssh(1) smartcard key fix, it violates PKCS#1.
- When the expansion of the $srcaddr or $dstaddr label macro is a table, have pfctl(8) print the table name instead of garbage. !
- Unbreak vmstat(8) on diskless machines (PR#3322).
- Relax rtadvd.conf(5) syntax, removing the need for the addrs option.
- Use getifaddrs(3) in amd(8), fixing the 'wire' location selector.
- Return the correct error message if the user tries to kill a non-existent process from top(1). !
- Add a few missing dead-key composition entries (PR#3295, with an entry for cedilla as well as for double-quote). !
- Avoid a null deref in cnkqfilter() (/dev/console kqueue(2) crash, PR#3317).
- Fix a logic bug in mtree(8) that was making -U return an error just like -u.
- Make ssh-add(1) redisplay the key comment when prompting after a bad passphrase. !
- Fix "bad decrypted len" errors in ssh(1) when using smartcard-stored public keys (OpenSSH bug 592).
- Updates for systrace(1), support freeing of old policies and escaping of special characters.
- Better byte-swapping behaviour in dc(4), fixing mac address reads on big-endian architectures.
- Make dhclient-script(8) fix up resolv.conf(5)'s permissions. *************** *** 702,708 ****
- Stop isakmpd(8) losing ID information when rekeying.
- Add new '-c class' option to encrypt(1), which will use the login class to select the password cipher. !
- Fix kqueue(2) on ptys (PR#3209.)
- In user(8), only check login class validity when the login class is set.
- Fix some sizeof oopses in top(1).
- Allocate cleared memory for isakmpd(8) payload buffers. --- 702,708 ----
- Stop isakmpd(8) losing ID information when rekeying.
- Add new '-c class' option to encrypt(1), which will use the login class to select the password cipher. !
- Fix kqueue(2) on ptys (PR#3209).
- In user(8), only check login class validity when the login class is set.
- Fix some sizeof oopses in top(1).
- Allocate cleared memory for isakmpd(8) payload buffers. *************** *** 711,717 ****
- Add __LP64__ and _LP64 cpp(1) predefined macros for alpha and sparc.
- Sync em(4) with FreeBSD updates and enable on sparc64. !
- Add -0 (zero) flag to pax(1) allowing the filename separator to be a NUL instead of a newline (PR#3310.)
- In xargs(1), don't close the descriptor we just created with dup2(2).
- security(8) allows dots in usernames consistent with user(8) changes.
- pfctl(8)'s show anchor command now respects the 'quiet' flag. --- 711,717 ----
- Add __LP64__ and _LP64 cpp(1) predefined macros for alpha and sparc.
- Sync em(4) with FreeBSD updates and enable on sparc64. !
- Add -0 (zero) flag to pax(1) allowing the filename separator to be a NUL instead of a newline (PR#3310).
- In xargs(1), don't close the descriptor we just created with dup2(2).
- security(8) allows dots in usernames consistent with user(8) changes.
- pfctl(8)'s show anchor command now respects the 'quiet' flag. *************** *** 743,750 ****
- Add login class support (-class option) to adduser(8).
- rmail(8) now tells sendmail to deliver in the foreground.
- Make rmail(8) pass the -G flag to sendmail(8) as expected. !
- Install rcs2log(1) properly (PR#3298.) !
- In user(8) check that a login class exists before using it (PR#2699.)
- user(8) changes from NetBSD:
  - useradd(8) and usermod(8) now check that the encrypted password length is correct. --- 743,750 ----
  - Add login class support (-class option) to adduser(8).
  - rmail(8) now tells sendmail to deliver in the foreground.
  - Make rmail(8) pass the -G flag to sendmail(8) as expected. !
  - Install rcs2log(1) properly (PR#3298). !
  - In user(8) check that a login class exists before using it (PR#2699).
  - user(8) changes from NetBSD:
    - useradd(8) and usermod(8) now check that the encrypted password length is correct. *************** *** 789,798 ****
    - Teach distrib/special/more how to handle arbitrarily long lines and \r\n line endings.
    - Set rusers(1)' column width to 80 if stdout isn't a tty. !
    - Add generic '-fno-builtin-<function>' option to gcc(1) (see gcc-local(1).) !
    - Kill the parent ssh(1) process when scp(1) or sftp(1) receive a signal (OpenSSH bug 241.)
    - Only drop setgid privileges the once in sshd(8). !
    - Disable ssh(1) challenge/response and keyboard-interactive authentication methods if there's a host key mismatch, to reduce the likelihood of MiTM attacks catching out ignorant users (OpenSSH bug 580.)
    - Make less(1)'s --More-- prompt more --less--, less More, and more POSIX.
    - Fix distrib/special/more on machines with unsigned chars.
    - Simply and fix tty handing in /distrib/special/more. --- 789,798 ----
    - Teach distrib/special/more how to handle arbitrarily long lines and \r\n line endings.
    - Set rusers(1)' column width to 80 if stdout isn't a tty. !
    - Add generic '-fno-builtin-<function>' option to gcc(1) (see gcc-local(1)). !
    - Kill the parent ssh(1) process when scp(1) or sftp(1) receive a signal (OpenSSH bug 241).
    - Only drop setgid privileges the once in sshd(8). !
    - Disable ssh(1) challenge/response and keyboard-interactive authentication methods if there's a host key mismatch, to reduce the likelihood of MiTM attacks catching out ignorant users (OpenSSH bug 580).
    - Make less(1)'s --More-- prompt more --less--, less More, and more POSIX.
    - Fix distrib/special/more on machines with unsigned chars.
    - Simply and fix tty handing in /distrib/special/more. *************** *** 806,812 ****
    - Huge license cleanup all over the tree.
    - Fix random lockups of cac(4) devices.
      [Applied to stable] !
    - Deprecate the dangerous VerifyReverseMapping sshd(8) option, and replace with new UseDNS option (enabled by default.)
    - Install OpenSSL include files in /usr/include/openssl instead of ../ssl.
    - Remove the advertising clause from many license statements.
    - Use getopt_long(3) for getopt(3), instead of the old implementation. --- 806,812 ----
    - Huge license cleanup all over the tree.
    - Fix random lockups of cac(4) devices.
      [Applied to stable] !
    - Deprecate the dangerous VerifyReverseMapping sshd(8) option, and replace with new UseDNS option (enabled by default).
    - Install OpenSSL include files in /usr/include/openssl instead of ../ssl.
    - Remove the advertising clause from many license statements.
    - Use getopt_long(3) for getopt(3), instead of the old implementation. *************** *** 851,857 ****
    - Install the mod_ssl headers under /usr/lib/apache/include/
    - Add IPv6 support to trpt(8). !
    - Fix xdm(1)'s XDMCP queries (XFree86 bug #277.)
    - Unbreak pf(4) binat rules after recent netmask check changes.
    - Improve pfctl(8)'s netmask validity check. --- 851,857 ----
    - Install the mod_ssl headers under /usr/lib/apache/include/
    - Add IPv6 support to trpt(8). !
    - Fix xdm(1)'s XDMCP queries (XFree86 bug #277).
    - Unbreak pf(4) binat rules after recent netmask check changes.
    - Improve pfctl(8)'s netmask validity check. *************** *** 890,896 ****
    - Don't build libperl in the libraries pass of 'make build', as we want Perl's configure to pick up details of the libraries that the build may be changing. Another leapfrog-in-waiting.
    - Add regen target in libkrb5 to remove (again) the dependency on an up-to-date asn1_compile. !
    - Complain more consistently about a missing 80-wire IDE cable (for UDMA mode > 2.)
    - In syslogd(8) don't use strlcpy(3) when printing strings out of struct utmp, since those strings aren't null terminated.
    - Don't ARP for our IP address aliases, treat them as local.
    - Merge in a number of USB SCSI device updates from NetBSD. --- 890,896 ----
    - Don't build libperl in the libraries pass of 'make build', as we want Perl's configure to pick up details of the libraries that the build may be changing. Another leapfrog-in-waiting.
    - Add regen target in libkrb5 to remove (again) the dependency on an up-to-date asn1_compile. !
    - Complain more consistently about a missing 80-wire IDE cable (for UDMA mode > 2).
    - In syslogd(8) don't use strlcpy(3) when printing strings out of struct utmp, since those strings aren't null terminated.
    - Don't ARP for our IP address aliases, treat them as local.
    - Merge in a number of USB SCSI device updates from NetBSD. *************** *** 911,918 ****
    - Fix mg(1)'s up and down cursor movement.
    - Have ksh(1) use the libc dup2(2) instead of its own.
    - Fare thee well, Kerberos IV. !
    - Another big-bucks firewall feature performed by pf(4): TCP SYN proxy, enabled with 'synproxy state' (this implies modulate state.) !
    - New AddressFamily option for ssh(1) that works like the -4 and -6 command line options (portable OpenSSH bug 534.)
    - Allow address comparison in wi(4) to work on sparc64.
    - Prevent a spamd-setup(8) crash with a config file consisting of only invalid input. --- 911,918 ----
    - Fix mg(1)'s up and down cursor movement.
    - Have ksh(1) use the libc dup2(2) instead of its own.
    - Fare thee well, Kerberos IV. !
    - Another big-bucks firewall feature performed by pf(4): TCP SYN proxy, enabled with 'synproxy state' (this implies modulate state). !
    - New AddressFamily option for ssh(1) that works like the -4 and -6 command line options (portable OpenSSH bug 534).
    - Allow address comparison in wi(4) to work on sparc64.
    - Prevent a spamd-setup(8) crash with a config file consisting of only invalid input. *************** *** 938,960 ****
    - Remove the rather short-lived kernel option LONGRUN, it's now standard except SMALL_KERNEL is defined.
    - Enable pf(4) tagging support for rdr and binat rules.
    - Add _isakmpd user and group for isakmpd(8) privsep. !
    - Allow ssh(1) clients to send a BREAK to the remote server if it supports it (SSHv2 only.)
    - Add _kdc and _kadmin users and groups for the respective KerberosV kdc(8) and kadmind(8) daemons. !
    - On i386, support Transmeta LongRun power management (kernel option LONGRUN, enabled by default.)
    - Add a pf(4) tag for each rule that matches, not just the last one.
    - Remove gated stuff from /etc/rc and /etc/rc.conf. !
    - Add experimental support for ssh(1) host key fingerprint verification using DNS records (dnsfp.) Not built by default. See src/usr.bin/ssh/README.dns for details and build instructions.
    - Unbreak malloc(3) map_pages() failure test on 64-bit architectures.
    - Back out many recent isakmpd(8) changes until they're working right.
    - Disable KerberosIV support in XFree. !
    - Make sure ssh(1) privsep children die when the monitor parent goes away (OpenSSH bug 560.)
    - Upgrade pflogd(8) to use the new bpf(4) link type too.
    - Teach tcpdump(8) and libpcap about the new pflog(4) link type in bpf(4).
    - Upgrade bpf(4) support for the pflog(4) link type to the 'official' and more extensible version from the libpcap people.
    - Start stripping out KerberosIV support from programs.
    - When handling a numeric nodename in getaddrinfo(3), set the canonical hostname to the numeric address as per RFC3493.
    - Make vis(3)'s VIS_SAFE behaviour match the manpage w.r.t isgraph(3). !
    - Allow tags to be specified for pf(4) block rules (which aren't allowed to keep state.)
    - Allow the pf.conf(5) scrub keyword to take a protocol specifier again.
    - Remove KerberosIV support from KerberosV code.
    - Add packet tag support for pf(4) nat rules. --- 938,960 ----
    - Remove the rather short-lived kernel option LONGRUN, it's now standard except SMALL_KERNEL is defined.
    - Enable pf(4) tagging support for rdr and binat rules.
    - Add _isakmpd user and group for isakmpd(8) privsep. !
    - Allow ssh(1) clients to send a BREAK to the remote server if it supports it (SSHv2 only).
    - Add _kdc and _kadmin users and groups for the respective KerberosV kdc(8) and kadmind(8) daemons. !
    - On i386, support Transmeta LongRun power management (kernel option LONGRUN, enabled by default).
    - Add a pf(4) tag for each rule that matches, not just the last one.
    - Remove gated stuff from /etc/rc and /etc/rc.conf. !
    - Add experimental support for ssh(1) host key fingerprint verification using DNS records (dnsfp). Not built by default. See src/usr.bin/ssh/README.dns for details and build instructions.
    - Unbreak malloc(3) map_pages() failure test on 64-bit architectures.
    - Back out many recent isakmpd(8) changes until they're working right.
    - Disable KerberosIV support in XFree. !
    - Make sure ssh(1) privsep children die when the monitor parent goes away (OpenSSH bug 560).
    - Upgrade pflogd(8) to use the new bpf(4) link type too.
    - Teach tcpdump(8) and libpcap about the new pflog(4) link type in bpf(4).
    - Upgrade bpf(4) support for the pflog(4) link type to the 'official' and more extensible version from the libpcap people.
    - Start stripping out KerberosIV support from programs.
    - When handling a numeric nodename in getaddrinfo(3), set the canonical hostname to the numeric address as per RFC3493.
    - Make vis(3)'s VIS_SAFE behaviour match the manpage w.r.t isgraph(3). !
    - Allow tags to be specified for pf(4) block rules (which aren't allowed to keep state).
    - Allow the pf.conf(5) scrub keyword to take a protocol specifier again.
    - Remove KerberosIV support from KerberosV code.
    - Add packet tag support for pf(4) nat rules. *************** *** 1005,1011 ****
    - New genfs code for layered filesystem support.
    - Wash print queue names through vis(3) before output.
    - Teach ctags(1) to understand '//' comments, ignore declarations of function types, and accept __attribute__. From NetBSD. !
    - Correctly check for empty output from an at(1) command (PR#3252.)
    - New ddb(4) command 'show proc' which, er, shows process information.
    - Sync popa3d(8) to version 0.6.2.
    - Improvements and bugfixes to the installer's handing of ftp and http downloads. --- 1005,1011 ----
    - New genfs code for layered filesystem support.
    - Wash print queue names through vis(3) before output.
    - Teach ctags(1) to understand '//' comments, ignore declarations of function types, and accept __attribute__. From NetBSD. !
    - Correctly check for empty output from an at(1) command (PR#3252).
    - New ddb(4) command 'show proc' which, er, shows process information.
    - Sync popa3d(8) to version 0.6.2.
    - Improvements and bugfixes to the installer's handing of ftp and http downloads. *************** *** 1019,1025 ****
    - Use the asn1_compile in src/usr.bin instead of that in src/kerberosV.
    - More string fixes to libreadline, this time with no ABI changes.
    - Fix a sign overflow in csh(1). !
    - Merge in OpenSSL 0.9.7b (without IDEA, MDC2 and RC5.)
    - Implement adaptive state table timeouts in pf(4), reducing the state timeout value inversely with the number of states present.
    - Break asn1_compile out from KerberosV into src/usr.bin. --- 1019,1025 ----
    - Use the asn1_compile in src/usr.bin instead of that in src/kerberosV.
    - More string fixes to libreadline, this time with no ABI changes.
    - Fix a sign overflow in csh(1). !
    - Merge in OpenSSL 0.9.7b (without IDEA, MDC2 and RC5).
    - Implement adaptive state table timeouts in pf(4), reducing the state timeout value inversely with the number of states present.
    - Break asn1_compile out from KerberosV into src/usr.bin. *************** *** 1035,1041 ****
    - Fix isakmpd(8)'s handling of the IPV6_ADDR ID-type.
    - Remove an unnecessary ntohs(3) in pfctl(8), unbreaking 'nat ... -> $if port n' rules. !
    - The pf(4) return keyword now generates an ICMP unreachable message for all protocols other than TCP (rather than just UDP and ICMP.)
    - Have the compiler generate warnings if unsafe string functions are used in the kernel.
    - Back out libreadline string fixes until static build works.
    - Consign swapon(2) to COMPAT_25 in favour of swapctl(2). --- 1035,1041 ----
    - Fix isakmpd(8)'s handling of the IPV6_ADDR ID-type.
    - Remove an unnecessary ntohs(3) in pfctl(8), unbreaking 'nat ... -> $if port n' rules. !
    - The pf(4) return keyword now generates an ICMP unreachable message for all protocols other than TCP (rather than just UDP and ICMP).
    - Have the compiler generate warnings if unsafe string functions are used in the kernel.
    - Back out libreadline string fixes until static build works.
    - Consign swapon(2) to COMPAT_25 in favour of swapctl(2). *************** *** 1087,1093 ****
    - Add backquote to the list of characters escaped in ksh(1)'s vi-{esc,tab}complete mode.
    - Fix a couple of sscanf(3) off-by-ones in afs and makeinfo(1).
    - Write the correct amount of data when disconnecting tip(1) on biz22. !
    - Another memory layout change on i386 to allow a larger MAXDSIZ (see the tech@ archive for details.)
    - Add a mail mode to mg(1) that does proper line wrapping, and add the '-f' command line option to set the mode.
    - Properly restore the syncer vnode if unmount(2) fails. --- 1087,1093 ----
    - Add backquote to the list of characters escaped in ksh(1)'s vi-{esc,tab}complete mode.
    - Fix a couple of sscanf(3) off-by-ones in afs and makeinfo(1).
    - Write the correct amount of data when disconnecting tip(1) on biz22. !
    - Another memory layout change on i386 to allow a larger MAXDSIZ (see the tech@ archive for details).
    - Add a mail mode to mg(1) that does proper line wrapping, and add the '-f' command line option to set the mode.
    - Properly restore the syncer vnode if unmount(2) fails. *************** *** 1115,1121 ****
    - Improve forward compatibility of fsck_ffs(8) by comparing only what we understand instead of trying to ignore what we don't.
    - Make the newly deprecated omsync() work under NetBSD emulation.
    - Several strvis(3) -> strnvis(3) changes, all part of the continuing Battle for Safe String Functions. !
    - Fix some pthreads signal bugs that were causing MySQL to crash (PR#3179, PR#3238.)
      [Applied to stable]
    - Allow pf(4) tables to be loaded into anchors. pfctl(8) table options except show and flush now honour -a. --- 1115,1121 ----
    - Improve forward compatibility of fsck_ffs(8) by comparing only what we understand instead of trying to ignore what we don't.
    - Make the newly deprecated omsync() work under NetBSD emulation.
    - Several strvis(3) -> strnvis(3) changes, all part of the continuing Battle for Safe String Functions. !
    - Fix some pthreads signal bugs that were causing MySQL to crash (PR#3179, PR#3238).
      [Applied to stable]
    - Allow pf(4) tables to be loaded into anchors. pfctl(8) table options except show and flush now honour -a. *************** *** 1123,1129 ****
    - Only build shared libXv if the target arch supports shared libraries.
    - Consign the omsync() system call to COMPAT_25 obscurity.
    - Fix parsing of the noac option to mount_nfs(8). !
    - In netinet/tcp_input.c, correct a long-standing typo made when applying a deadlock-avoidance bug fix (TCP/IP Illustrated volume 2 fig. 28.30.)
    - Fix a crasher in lkm(4), tripped when loading a module twice.
    - Make ELF dlfcn(3) calls thread-safe. --- 1123,1129 ----
    - Only build shared libXv if the target arch supports shared libraries.
    - Consign the omsync() system call to COMPAT_25 obscurity.
    - Fix parsing of the noac option to mount_nfs(8). !
    - In netinet/tcp_input.c, correct a long-standing typo made when applying a deadlock-avoidance bug fix (TCP/IP Illustrated volume 2 fig. 28.30).
    - Fix a crasher in lkm(4), tripped when loading a module twice.
    - Make ELF dlfcn(3) calls thread-safe. *************** *** 1138,1144 ****
    - Remove a potential double-free in the XFree wsfb driver.
    - Prepare pf(4) table structures for anchor support.
    - Much string cleanup in sys/dev. !
    - Fix the isakmpd(8) fifo 'C set' command (PR#3148.)
    - Use strdup(3) and asprintf(3) to eliminate some string length guesswork in rpcgen(1).
    - Allocate enough space for a *printf() %u in rpc.yppasswdd(8). --- 1138,1144 ----
    - Remove a potential double-free in the XFree wsfb driver.
    - Prepare pf(4) table structures for anchor support.
    - Much string cleanup in sys/dev. !
    - Fix the isakmpd(8) fifo 'C set' command (PR#3148).
    - Use strdup(3) and asprintf(3) to eliminate some string length guesswork in rpcgen(1).
    - Allocate enough space for a *printf() %u in rpc.yppasswdd(8). *************** *** 1146,1156 ****
    - Fix fat32 filesystem corruption when renaming directories.
    - New lm(4) (National Semiconductor LM78, LM79 and compatible) and viaenv(4) (VT82C686A South Bridge) hardware monitor drivers, adapted from NetBSD to use the new sysctl hw.sensor interface. !
    - Make funopen(3)'s declaration match its prototype (PR#3236.)
    - Back out the recent mquery(2)-uses-mmap() API change.
    - Add new sysctl(3) node hw.sensors for, er, hardware monitoring sensors.
    - Don't assume that asprintf(3) failures won't clobber the tempfile name in mktemp(1). !
    - In the IPv4 case of inet_net_pton(3), infer the netmask the same way for all address classes (i.e. don't assume multicast networks are always */4.)
    - Be more portable and check the asprintf(3) return value against -1 in pfctl(8).
    - Add size bounds to sscanf(3) strings in edquota(8) and tn3270(1).
    - Match mquery(2)'s function signature to that of mmap(2). --- 1146,1156 ----
    - Fix fat32 filesystem corruption when renaming directories.
    - New lm(4) (National Semiconductor LM78, LM79 and compatible) and viaenv(4) (VT82C686A South Bridge) hardware monitor drivers, adapted from NetBSD to use the new sysctl hw.sensor interface. !
    - Make funopen(3)'s declaration match its prototype (PR#3236).
    - Back out the recent mquery(2)-uses-mmap() API change.
    - Add new sysctl(3) node hw.sensors for, er, hardware monitoring sensors.
    - Don't assume that asprintf(3) failures won't clobber the tempfile name in mktemp(1). !
    - In the IPv4 case of inet_net_pton(3), infer the netmask the same way for all address classes (i.e. don't assume multicast networks are always */4).
    - Be more portable and check the asprintf(3) return value against -1 in pfctl(8).
    - Add size bounds to sscanf(3) strings in edquota(8) and tn3270(1).
    - Match mquery(2)'s function signature to that of mmap(2). *************** *** 1158,1164 **** [Applied to stable]
    - If one is given, properly copy the second port of a nat proxy spec in pfctl(8). !
    - Fix a bad strlcpy(3) bound in the AFS library (PR#3228.)
    - Use asprintf(3) to fix some buffer length problems in pdisk(8/MAC68K)
    - When handling the packet size option in traceroute(8), bounds check the right variable.
    - Properly detect EOF when generating policy interactively. --- 1158,1164 ---- [Applied to stable]
    - If one is given, properly copy the second port of a nat proxy spec in pfctl(8). !
    - Fix a bad strlcpy(3) bound in the AFS library (PR#3228).
    - Use asprintf(3) to fix some buffer length problems in pdisk(8/MAC68K)
    - When handling the packet size option in traceroute(8), bounds check the right variable.
    - Properly detect EOF when generating policy interactively. *************** *** 1177,1183 ****
    - Copy the null at the end of the name when adding a realm in Kerberos V. !
    - Make authpf(8) die the way it should when authpf.conf is missing (PR#3217.)
    - Fix ubsec(4) output statistics.
    - Sync sudo(8) with its CVS and bump the version to 1.6.7p4.
    - Some typedef perfectionism in libwrap. --- 1177,1183 ----
    - Copy the null at the end of the name when adding a realm in Kerberos V. !
    - Make authpf(8) die the way it should when authpf.conf is missing (PR#3217).
    - Fix ubsec(4) output statistics.
    - Sync sudo(8) with its CVS and bump the version to 1.6.7p4.
    - Some typedef perfectionism in libwrap. *************** *** 1198,1204 ****
    - Use the new mquery(2) syscall in ld.so(1), i386 only for now.
    - Avoid teeth-gnashing delays by making the installer use 'route -n show' instead of 'route show'.
    - In the kernel ELF loader, use the uvm(9) to make sure that ld.so(1) doesn't overwrite an area that's already in use. !
    - Fix a buffer overflow that was causing a crash in mg(1) (PR#3090.)
    - apachectl(8) now honours $httpd_flags from rc.conf(8).
    - Remove a race condition in mount_mfs(8). --- 1198,1204 ----
    - Use the new mquery(2) syscall in ld.so(1), i386 only for now.
    - Avoid teeth-gnashing delays by making the installer use 'route -n show' instead of 'route show'.
    - In the kernel ELF loader, use the uvm(9) to make sure that ld.so(1) doesn't overwrite an area that's already in use. !
    - Fix a buffer overflow that was causing a crash in mg(1) (PR#3090).
    - apachectl(8) now honours $httpd_flags from rc.conf(8).
    - Remove a race condition in mount_mfs(8). *************** *** 1207,1213 ****
    - Uncomment the line that unloads httpd(8) shared modules on a server shutdown or restart.
    - Many string fixes to named(8), more to come.
    - pfctl(8) can now display basic HFSC stats. !
    - Much cleanup in elf2ecoff(1) (not installed by default.)
    - Allocate the right getaddrinfo(3) buffer size in rip6query(8) and route6d(8).
    - In audioctl(1), size(1) and spamd(8), don't use snprintf(3)'s return value for pointer arithmetic. --- 1207,1213 ----
    - Uncomment the line that unloads httpd(8) shared modules on a server shutdown or restart.
    - Many string fixes to named(8), more to come.
    - pfctl(8) can now display basic HFSC stats. !
    - Much cleanup in elf2ecoff(1) (not installed by default).
    - Allocate the right getaddrinfo(3) buffer size in rip6query(8) and route6d(8).
    - In audioctl(1), size(1) and spamd(8), don't use snprintf(3)'s return value for pointer arithmetic. *************** *** 1219,1225 ****
    - Include the at(1) job number in the process title.
    - Put less(1)'s help text back into a separate file, and allow a reduced-size build for the boot floppies.
    - Stop using hardcoded SOCK_* types when creating sockets in ssh(1), to facilitate ssh-over-sctp. !
    - Have isakmpd(8) unlink its fifo and pid file on a clean shutdown (PR#3199.)
    - Allow ping(8) to send zero-length packets with the -s0 option.
    - Some snprintf(3) buffer length fixes in isakmpd(8). --- 1219,1225 ----
    - Include the at(1) job number in the process title.
    - Put less(1)'s help text back into a separate file, and allow a reduced-size build for the boot floppies.
    - Stop using hardcoded SOCK_* types when creating sockets in ssh(1), to facilitate ssh-over-sctp. !
    - Have isakmpd(8) unlink its fifo and pid file on a clean shutdown (PR#3199).
    - Allow ping(8) to send zero-length packets with the -s0 option.
    - Some snprintf(3) buffer length fixes in isakmpd(8). *************** *** 1242,1258 ****
    - Back out the earlier fix for PR#2230, which is a no-op since zombies aren't on the allproc list being scanned.
    - De-allocate bus space on wi(4) device failures. !
    - Only print the less(1) -d prompt if there's enough space left on the status line (PR#3189.)
    - When fixing up process root and working directories after a filesystem mount, leave zombies well alone. (PR#2230.)
    - Fix an off-by-one in kernel malloc(9) diagnostic code.
    - Correctly initialise xkb memory in the X server. !
    - Plug some file descriptor leaks in xman(1) (PR#3186.)
    - Fix a broken sizeof() in gcc(1) when allocating a new sentinel_info.
    - Demote the isakmpd(8) 'missing CRL dir' moan to a debug message.
    - The kernel pf_state structure now points to both a rule and an anchor, so states created on anchors can use rule options properly.
    - Create the /etc/isakmpd/crls directory from 4.4BSD.dist to stop isakmpd(8) complaining about its absence. !
    - Strip trailing whitespace before parsing ssh(1) options (OpenSSH bug 528.)
    - Disable ssh(1)'s Kerberos IV support.
    - Fix spamd(8)'s select(2) error handling. --- 1242,1258 ----
    - Back out the earlier fix for PR#2230, which is a no-op since zombies aren't on the allproc list being scanned.
    - De-allocate bus space on wi(4) device failures. !
    - Only print the less(1) -d prompt if there's enough space left on the status line (PR#3189).
    - When fixing up process root and working directories after a filesystem mount, leave zombies well alone. (PR#2230.)
    - Fix an off-by-one in kernel malloc(9) diagnostic code.
    - Correctly initialise xkb memory in the X server. !
    - Plug some file descriptor leaks in xman(1) (PR#3186).
    - Fix a broken sizeof() in gcc(1) when allocating a new sentinel_info.
    - Demote the isakmpd(8) 'missing CRL dir' moan to a debug message.
    - The kernel pf_state structure now points to both a rule and an anchor, so states created on anchors can use rule options properly.
    - Create the /etc/isakmpd/crls directory from 4.4BSD.dist to stop isakmpd(8) complaining about its absence. !
    - Strip trailing whitespace before parsing ssh(1) options (OpenSSH bug 528).
    - Disable ssh(1)'s Kerberos IV support.
    - Fix spamd(8)'s select(2) error handling. *************** *** 1267,1273 ****
    - Improvements to string handling (not str[ln]* for once) in adventure(6).
    - Add fake package information so ports can check for XF4 installation.
    - Use ksh(1) instead of csh(1) for XFree distrib scripts. !
    - Make pfctl(8) reject invalid ICMP types (>40) and codes (>255.)
    - Fix a typo in the new ssh(1) rekeying code that was causing the wrong packet state counter to be fetched.
    - Update sudo(8) to 1.6.7p3. --- 1267,1273 ----
    - Improvements to string handling (not str[ln]* for once) in adventure(6).
    - Add fake package information so ports can check for XF4 installation.
    - Use ksh(1) instead of csh(1) for XFree distrib scripts. !
    - Make pfctl(8) reject invalid ICMP types (>40) and codes (>255).
    - Fix a typo in the new ssh(1) rekeying code that was causing the wrong packet state counter to be fetched.
    - Update sudo(8) to 1.6.7p3. *************** *** 1291,1306 ****
    - Update sectok_fmt_fid(3) to take a string length parameter, and crank libsectok's major version for the new API.
    - With the XFree86 4.3.0 merge, add an additional definition so that ports libs end up in /usr/local/lib/X11.
    - Update sudo(8) to 1.6.7p2. !
    - Fix user(8)'s empty group test (PR#3178.)
    - Improve PRIQ queue id assignment, so same-priority queues on different interfaces work properly.
    - Use realloc(3) instead of leaking memory in tcpdump(8).
    - Some cleanup in ipcomp(4) and ipsec(4). !
    - Add a missing initialisation in ssh(1) (OpenSSH bug #526.)
    - When an interface doesn't support altq(9), have pfctl(8) print the interface name in the error message.
    - Add automatic ssh(1) rekeying in accordance with the current secsh newmodes draft, and fix some rekeying bugs. !
    - Fix kqueue(2) notification of immediate-mode bpf(4) events (PR#3175.)
    - Merge in XFree86 4.3.0.
    - Update sudo(8) to version 1.6.7p1, to fix some overzealous paranoia.
    - Bump OpenSSH version to 3.6.1.
      --- 1291,1306 ----
    - Update sectok_fmt_fid(3) to take a string length parameter, and crank libsectok's major version for the new API.
    - With the XFree86 4.3.0 merge, add an additional definition so that ports libs end up in /usr/local/lib/X11.
    - Update sudo(8) to 1.6.7p2. !
    - Fix user(8)'s empty group test (PR#3178).
    - Improve PRIQ queue id assignment, so same-priority queues on different interfaces work properly.
    - Use realloc(3) instead of leaking memory in tcpdump(8).
    - Some cleanup in ipcomp(4) and ipsec(4). !
    - Add a missing initialisation in ssh(1) (OpenSSH bug #526).
    - When an interface doesn't support altq(9), have pfctl(8) print the interface name in the error message.
    - Add automatic ssh(1) rekeying in accordance with the current secsh newmodes draft, and fix some rekeying bugs. !
    - Fix kqueue(2) notification of immediate-mode bpf(4) events (PR#3175).
    - Merge in XFree86 4.3.0.
    - Update sudo(8) to version 1.6.7p1, to fix some overzealous paranoia.
    - Bump OpenSSH version to 3.6.1.
      *************** *** 1372,1378 ****
      www@openbsd.org !
      $OpenBSD: plus34.html,v 1.4 2004/02/19 03:30:52 nick Exp $ --- 1372,1378 ----
      www@openbsd.org !
      $OpenBSD: plus34.html,v 1.5 2004/03/28 09:44:05 deraadt Exp $