The OpenBSD 3.4 Release:
Released Nov 1, 2003
Copyright 1997-2003, Theo de Raadt.
ISBN 0-9731791-2-0
What's New
How to install
How to use the ports tree
Ordering a CD set
To get the files for this release:
- Order a CDROM from our ordering system.
- See the information on The FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/3.4/ directory on
one of the mirror sites.
- Briefly read the rest of this document.
- Have a look at The 3.4 Errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
3.3 and 3.4 releases.
Note: All applicable copyrights and credits can be found
in the applicable file sources found in the files src.tar.gz, sys.tar.gz,
XF4.tar.gz, or in the files fetched via ports.tar.gz. The distribution
files used to build packages from the ports.tar.gz file are not included on
the CDROM because of lack of space.
What's New
This is a partial list of new features and systems included in OpenBSD 3.4.
For a comprehensive list, see the changelog leading
to 3.4.
- The i386 architecture has been switched to the ELF executable format so
i386 upgrades are not possible for this release.
- Further W^X improvements, including support for the i386 architecture.
Native i386 binaries have their executable segments rearranged to support
isolating code from data, and the cpu CS limit is used to impose a best
effort limit on code execution.
- ld.so on ELF platforms now loads libraries in a random order for
greater resistance to attacks. The i386 architecture also maps libraries
somewhat randomized addresses. Together with W^X and ProPolice, these
changes increase the difficulty of successfully exploiting an application
error, such as a buffer overflow.
- A static bounds checker has been added to the compiler to perform basic
checks on functions which accept buffers and sizes. The checker aims to
find common mistakes in the use of library functions such as
strlcpy(3)
or sscanf(3)
without emitting any false positives. Running it over the source and ports
trees revealed over a hundred real bugs, which were fixed and submitted back
to the original authors where possible.
- Privilege separation has been implemented for the syslog daemon, making
it much more robust against future errors. The child which listens to
network traffic now runs as a normal user and chroots itself, while the
parent process tracks the state of the child and performs privileged
operations on its behalf.
- Many unsafe string functions have been removed from the kernel and userland
utilities. This audit is one of the most comprehensive OpenBSD has ever
done, with thousands of occurrences of
strcpy(3),
strcat(3),
sprintf(3),
and
vsprintf(3)
being replaced with safer, bounded alternatives such as
strlcpy(3),
strlcat(3),
snprintf(3),
vsnprintf(3),
and
asprintf(3).
-
ProPolice stack protection has been enabled in the kernel as well.
- Privileged separation has been implemented in the X server. The privileged
child process is responsible for the operations that can't be done after the
main process has switched to a non-privileged user. This greatly reduces the
potential damage that could be caused by malicious X clients, in case of
bugs in the X server.
- Emulation support for binary compatibility is now controlled via sysctl.
- Manual pages have been greatly cleaned up and improved.
- The ports tree now supports building programs under
systrace(1), preventing the possibility of applications harming the
system at compile-time via trojaned configuration scripts or otherwise.
- More licenses fixes, including the removal of the advertising clause
for large parts of the source tree.
- Replacement of GNU diff/diff3, grep/egrep/fgrep/zgrep/zegrep/zfgrep,
and gzip/zcat/gunzip/gzcat/zcmp/zmore/zdiff/zforce/gzexe/znew
with BSD licensed equivalents.
- Addition of read-only support for NTFS file systems.
- Reliability improvements to layered file systems, enabling NULLFS to
work again.
- Improvements to the linux emulator enabling more applications to run.
- Significant improvements to the pthread library.
- Replace many static fd_set uses to poll() or dynamic allocation.
- Legacy KerberosIV support has been removed, and the remaining KerberosV
codebase has been restructured for easier management.
- Over 2400 ports, 2200 pre-built packages.
- A large number of bug fixes, changes, and optimizations to our packet filter
including:
- packet tagging (e.g. filter on tags added by bridge based on MAC address)
- stateful TCP normalization (prevent uptime calculation and NAT detection)
- passive OS detection (filter or redirect connections based on source OS)
- SYN proxy (protect servers against SYN flood attacks)
- adaptive state timeouts (prevent state table overflows under attack)
- Improved hardware support, including:
- Kauai ATA controllers (Apple ATA100 wdc) enabling support for
Powerbook 12" and 17" models.
- Support for controlling LongRun registers on Transmeta CPUs.
- Many fixes to aac(4), ahc(4), osiop(4), siop(4) SCSI drivers.
- New it(4), lm(4) and viaenv(4) hardware monitor drivers.
- New safe(4) driver for SafeNet crypto acclerators.
- New mtd(4) driver for Myson Technologies network cards.
- Massive overhaul and sync with NetBSD of the entire usb(4) support system.
- New and better support for various controllers in pciide(4).
- The system includes the following major components from outside suppliers:
- XFree86 4.3.0 (+ patches, and i386 contains 3.3.X servers also, thus
providing support for all chipsets)
- Gcc 2.95.3 (+ patches)
- Perl 5.8.0 (+ patches)
- Apache 1.3.28, mod_ssl 2.8.15, DSO support (+ patches)
- OpenSSL 0.9.7beta3 (+ patches)
- Groff 1.15
- Sendmail 8.12.9
- Bind 9.2.2 (+ patches)
- Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
- Sudo 1.6.7p5
- Ncurses 5.2
- Latest KAME IPv6
- Heimdal 0.6rc1 (+ patches)
- Arla-current
- OpenSSH 3.7 (now with GSSAPI support)
- Many improvements for security and reliability (look for the red
print in the complete changelog).
- and much more.
How to install
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an ftp (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
Please refer to the following files on the three CDROMs or ftp mirror for
extensive details on how to install OpenBSD 3.4 on your machine:
- CD1:3.4/i386/INSTALL.i386
- CD2:3.4/macppc/INSTALL.macppc
- CD2:3.4/vax/INSTALL.vax
- CD3:3.4/sparc/INSTALL.sparc
- CD3:3.4/sparc64/INSTALL.sparc64
- FTP:.../OpenBSD/3.4/alpha/INSTALL.alpha
- FTP:.../OpenBSD/3.4/hp300/INSTALL.hp300
- FTP:.../OpenBSD/3.4/hppa/INSTALL.hppa
- FTP:.../OpenBSD/3.4/mac68k/INSTALL.mac68k
- FTP:.../OpenBSD/3.4/mvme68k/INSTALL.mvme68k
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
OpenBSD/i386:
Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
release is on CD1. If your BIOS does not support booting from CD, you will need
to create a boot floppy to install from. To create a boot floppy write
CD1:3.4/i386/floppy34.fs to a floppy and boot via the floppy drive.
Use CD1:3.4/i386/floppyB34.fs instead for greater scsi controller
support, or CD1:3.4/i386/floppyC34.fs for better laptop support.
If you are planning on dual booting OpenBSD with another OS, you will need to
read the included INSTALL.i386 document.
To make a boot floppy under MS-DOS, use the "rawrite" utility located
at CD:/3.4/tools/rawrite.exe. To make the boot floppy under a Unix OS,
use the dd(1) utility. The following is an example usage of
dd(1)
, where the device could be "floppy", "rfd0c", or
"rfd0a".
# dd if=<file> of=/dev/<device> bs=32k
Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or
your install will most likely fail. For more information on creating a boot
floppy and installing OpenBSD/i386 please refer to
FAQ4.1.
OpenBSD/macppc:
Put the CD2 in your CDROM drive and poweron your machine while holding down the
C key until the display turns on and shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/3.4/macppc/bsd.rd
OpenBSD/vax:
Boot over the network via mopbooting as described in INSTALL.vax.
OpenBSD/sparc:
The 3.4 release of OpenBSD/sparc is located on CD3. To boot off of this CD you
can use one of the two commands listed below, depending on the version of your
ROM.
> boot cdrom 3.4/sparc/bsd.rd
or
> boot sd(0,6,0)3.4/sparc/bsd.rd
If your sparc does not have a CD drive, you can alternatively boot from floppy.
To do so you need to write "CD3:3.4/sparc/floppy34.fs" to a floppy.
For more information see FAQ4.1. To boot from
the floppy use one of the two commands listed below, depending on the version of
your ROM.
> boot floppy
or
> boot fd()
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
If your sparc doesn't have a floppy drive nor a CD drive, you can either
setup a bootable tape, or install via network, as told in the
INSTALL.sparc file.
OpenBSD/sparc64:
Put the CD3 in your CDROM drive and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write
CD3:3.4/sparc64/floppy34.fs to a floppy and boot it with boot
floppy.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
You can also write CD3:3.4/sparc64/miniroot34.fs to the swap partition on
the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64
OpenBSD/alpha:
Write FTP:3.4/alpha/floppy34.fs or
FTP:3.4/alpha/floppyB34.fs (depending on your machine) to a diskette and
enter boot dva0. Refer to INSTALL.alpha for more details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/hp300:
OpenBSD/hppa:
OpenBSD/mac68k:
Boot MacOS as normal and partition your disk with the appropriate A/UX
configurations. Then, extract the Macside utilities from
FTP:3.4/mac68k/utils onto your hard disk. Run Mkfs to create your
filesystems on the A/UX partitions you just made. Then, use the
"BSD/Mac68k Installer" to copy all the sets in FTP:3.4/mac68k/ onto your
partitions. Finally, you will be ready to configure the "BSD/Mac68k
Booter" with the location of your kernel and boot the system.
OpenBSD/mvme68k:
You can create a bootable installation tape or boot over the network.
The network boot requires a MVME68K BUG version that supports the NIOT
and NBO debugger commands. Follow the instructions in INSTALL.mvme68k
for more details.
Notes about the source code:
src.tar.gz contains a source archive starting at /usr/src. This file
contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
# cd ports
The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go
read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
Certainly, the OpenBSD ports system is not complete. It is doubtful it
will ever be. However, it is growing very fast and getting more stable.
Almost all ports provided with this release should build without problems
on most architectures (over 2400 packages build on i386, for instance).
The ports/ directory represents a CVS (see the manpage for
cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via anoncvs. So, in
order to keep current with it, you must make the ports/ tree
available on a read-write medium and update the tree with a command
like:
# cd [portsdir]/; cvs -d anoncvsserver.openbsd.org:/cvs update -Pd -rOPENBSD_3_4
[Of course, you must replace the local directory and server name here
with the location of your ports collection and a nearby anoncvs
server.]
Note that most ports are available as packages through ftp. Updated
packages for the 3.4 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list ports@openbsd.org is a good
place to know.
www@openbsd.org
$OpenBSD: 34.html,v 1.17 2003/09/04 21:51:35 david Exp $