Changes made between OpenBSD 3.1 and OpenBSD-current
This is a partial list of the major machine-independent changes
(i.e., these are the changes people ask about most often). Port
specific changes have also been made, and are sometimes mentioned
in the pages for the specific platforms.
Changes to the ports collection are documented
here.
Note: Problems for which patches exist are marked in red.
This file is lagging some way behind -current at the moment, but we
are trying to catch up. Honest.
We are working on OpenBSD-current.
The following list sums up (almost) all the changes made up to May 24th.
- SECURITY FIX: A buffer overflow can
occur during the interpretation of chunked encoding in httpd(8), leading to possible remote crash.
A source code patch is available.
[Applied to stable]
- ...
- Add
-t
key lifetime option to ssh-add(1).
- Use IPv4/IPv6 addresses in
/etc/inetd.conf
instead of 'localhost' to avoid DNS lookups.
- Add predicate suffixes to systrace(1).
- Add
-x
and -X
options to respectively lock and unlock ssh-agent(1).
- Compatibility tweaks to
getpid()
, getuid()
and getgid()
under Linux emulation.
- Start work on new debugger, pmdb.
- Additional check (#ifdef DIAGNOSTIC) for duplicate uvm(9) map entries.
- If syslog(3) fails with ENOBUFS when sending to
/dev/log
, it now waits a millisecond and retries.
- syslogd(8) doubles the socket receive buffer size.
- Automatic policy generation for systrace(1).
- lynx(1) now defaults to passive FTP.
- Remove
[gs]etprogname()
from KerberosV.
- New
-a <bind_address>
option to ssh-agent(1) so user can specify the agent's UNIX domain socket.
- Make tbrconfig(8) statically linked.
- Make sure the IPv6 MTU isn't set too high because of a high layer 2 MTU (e.g. FDDI or ARCnet.)
- Use the same byte-order kung fu as the kernel in atactl(8).
- Don't automagically set -prefixlen 128 on IPv6 host route.
- rasops instead of rcons for vgafb(4/SPARC64).
- Add xsystrace(1) [no manpage yet] UI for systrace(1).
- Add sbus bwtwo(4) mono framebuffer support (untested, undocumented.)
- PrivSep'd ssh monitor processes check each authentication method is enabled before use.
- systrace(1) userland import.
- Use arc4random(3) for rtadvd(8).
- Make nice(3) standards compliant.
- More wi(4) tweaks for Symbol cards.
- Recognise VIA VT8233 PCI-ISA bridge.
- Fix sparc64 64-bit relocation masks in ld.so(1).
- Merge in Sendmail 8.12.4.
- Detect stereo radio reception in fms(4).
- Compatibility tweaks to creator(4/SPARC64).
- Replace mr(4) radio driver with new gtp(4) driver, which is better tested.
- '
pfctl -s all
' now prints labels as well.
- Add
volatile
to sig_atomic_t
. Stand well back.
- Use rasops instead of rcons in cgthree(4/SPARC) and cgsix(4/SPARC).
- Stop IPv6 making assumptions about interface MTU, use the actual interface values.
- Stop maintaining 2.9-stable.
- Bump 2.9-stable to OpenSSH version 3.2.3.
- Bump 3.0-stable to OpenSSH version 3.2.3.
- Implement PMAP_CANFAIL flag for m68k pmap.
- Enable console blanking on cgthree(4/SPARC).
- Make sure some
struct sockaddr
are cleared before use.
- Start work on NetOctave NSP2000 driver.
- Apply BSD Airtools 0.2 patches.
- Teach ECN flags to pf(4).
- Dump mkisofs in favor of mkhybrid.
- Fix
fd_set
overrun in rtsold(8).
- Clue in inetd(8) to IPv6 FTP bounce attacks.
- Fix
/etc/ptmp
deletion bug that occurred if rmuser(8) was aborted.
- IBSS mode for Symbol cards (firmware >= 2.5) using the wi(4) driver.
- Add leading-zero padding to RSA signatures in ssh.
- Tweak altq(4) options(4) so the kernel compiles on i[34]86.
- Add support in the fxp(4) driver for more Intel PRO/100 VM cards.
- For those that do metric but refuse to work in meters and kilograms, kayser conversion has been added to units(1).
- Fix signal races in ping(8).
- Now that the Dungeon Master dm(1) has gone into well-earned retirement, make those games that need to save high scores, etc. run setgid
games
.
- Per-socket ipsec(4) policies and options!
- Stop a potential ipsec(4) DoS where an attacker could falsely advance the replay counter and so force valid traffic to be discarded.
- Add German keyboard map for Apple iBook.
- On ELF platforms, allow gcc(1) to link Fortran code with other languages.
- Pull ldconfig(8)
strlcpy()
fix into -stable.
- Make sure every PCI interrupt is recorded, so ISA doesn't step on one of them later.
- Attach radio(4) devices properly.
- Fix VIA8233 support in auvia(4).
- Make nc(1) timeouts behave more like
netcat
.
- Make sure user's shell is
/usr/sbin/authpf
before running authpf(8) to prevent $SSH_CLIENT shenanigans.
- In ssh, use OpenSSL's AES implementation instead of our own.
- Add
-[46]
options to ftp(1).
- Warn if IPv6 neighbor discovery tries to set the link MTU too small.
- Make tip(1) query the driver with the user's baud rate setting rather than only accepting a compiled-in list.
- Support Sun type 5 keyboards, as helpfully some key mappings are switched around from type 4.
- Cleanup and small fixes to skeyaudit(8).
- Fixes to fms(4).
- Various fixes and enhancements to mg(1).
- sshd(8) no longer starts in privilege-separated mode unless the PrivSep user
sshd
and chroot(2) dir /var/empty
are both present.
- Recognise Intel 830 (laptop Celery support) and 312 southbridge.
- Fix potential time overflow in dd(1).
- Make bridge(4) refragment IP packets that are too large for the outgoing interface.
- Remove
libdl
, support is now in libc
.
- Recognise Nokia C110 and C111 PC cards as wi(4) devices.
- Really sanitize ld.so(1)'s environment as promised in the manpage when running set[ug]id, and test for set[ug]id earlier.
- Don't allow mktemp(3) to back up past the beginning of its input buffer.
- Use the correct string buffer size for printing port numbers in pfctl(8).
- Remove
arc4random_8()
.
struct ifnet
now has an array of pointers to data for each address family. Move per-interface IPv6 state and neighbor discovery stuff here.
- netstat(8) cleanup.
- ping6(8) and traceroute6(8) updates from KAME.
unsigned
-> unsigned int
cleanup.
pid_t
type cleanup.
- Fix big snprintf(3)
parameter typo in strftime(3).
- Don't use execlp(3) when invoking ssh-keysign(8).
- Fix kill(2) parameter brainfade in amd(8) and KerberosIV's rlogin.
- vax: Add board type for VXT2000+.
- More IANA interface type values, including IFT_BRIDGE.
- Split XFree86
bsd_video.c
into architecture-specific files.
- Add sysctl(8) toggle
net.inet.icmp.tstamprepl
(default: 1) for ICMP timestamp replies.
- Yet more safe string function fixes.
- In XFree86 build, honour COPTS variable when building third-party apps.
- Add
LIBS
option for crunchgen
so custom libraries can be added to boot images.
- Run rpc.rstatd(8) and rpc.rusersd(8) as user
nobody
(boo!) from inetd(8).
- From ld.so(1), remove tests that have no license, and for the same reason replace parts of ld(1) and ldconfig(8).
- Remove unnecessary instruction cache flushes on sparc64.
- Many cleanups in ld.so(1).
- Fix disklabel(8) warnings on a SCSI
cd(4) with no data track.
- Allow incoming ssh(1) connections in the temporary pf(4) ruleset installed by /etc/rc, just in case the real rulebase fails to load later on.
- Support mixed IPv4/IPv6 address lists in pfctl(8).
- Add ssh-keysign(8).
- Remove obsolete dm(8).
- Hunt for biodone() calls not made at splbio() spl(9), and fix them.
- Improve cd9660(8) filesystem read-ahead performance.
- Support software brightness and backlight control on various macppc models.
- Allow wsconsctl(8) to control brightness and backlight on displays which
support this.
- New libc IEEE floating-point code and libm routines for hppa.
- splassert (spl(9)) on i386.
- More steps toward the death of unsafe string functions.
- splassert (spl(9)) on sparc64.
- Add a creator(4) driver for sparc64 Creator and Creator3D cards.
- Jumbo lpr(1) changes including IPv6 support, new features, and bugfixes.
- Still more hppa memory management and low-level code fixes.
- Simple pmap optimization on macppc.
- Did we mention the cleaning of the installation scripts, adding functionality yet reducing size?
- Allow ddb(4) to do a stack trace into the kernel message buffer.
- isp(4) fixes.
- SECURITY FIX: Fix incorrect ACL check when using BSD authentication in sshd(8).
A source code patch is available.
[Applied to stable]
- Fix a memory leak in mg(1).
- New systrace facility.
- Better Cyrix cpu support.
- ECN support.
- Support SNTP in rdate(8).
- Fix infinite SIGFPE loop situations on vax.
- Remove unnecessary setuid bit from binaries that either do not need it or
whose functionality requiring root privileges should only be invoked by root
anyways, or which can be changed into a setgid bit for a specific group.
- Switch skey(1) management to per-user directories instead of a flat file and drop setuid bit on related tools.
- Lots of ppp(8) goodies.
- New splassert (see spl(9)) debug functionality on sparc.
- Enable Altivec instructions in macppc kernels.
- Support more Hifn cards (7814, 7851, 7854) via the nofn(4) driver.
- OpenSSL 0.9.7.
- Completely rework at(1) and related binaries, and make them POSIX-compliant.
- More use of hardware crypto cards functionality via ubsec(4).
- More hppa memory management fixes.
- binutils 2.11.2.
- Add per-gid filtering to pf(4).
- Switch at(1) to be setgid crontab as well.
- Handle host names resolving in several addresses in pfctl(8).
- Fix compilation warnings for various userland programs.
- Add a new user, crontab, and change cron(8) from being setuid root to being setgid crontab.
- Add per-uid filtering to pf(4).
- More usb(4) support updates.
- More ubsec(4)
hackery to get it to do more crypto operations, and hack
hifn(4)
and
lofn(4)
to work with this.
- Your average extensive cleaning of the installation scripts, adding functionality yet reducing size.
- Fix adb(4) french keyboard layout on macppc.
- Switch ELF platforms to the native gprof(1).
- Obtain a better licence for the hppa spmath routines.
- Add an url(4) driver for Realtek RTL8150L-based USB cards.
- mvme88k pmap bugfixes.
- Various usb(4) driver updates.
- Remove rlogin(1),
rlogind(8) and
rexecd(8).
- Fix several wrong computations in newfs(8).
- Workaround ghost pcibus detection in pchb(4).
- Add a tuner driver for the fms(4) radio cards.
- Allow userland to know which pf(4) rule created a specific state.
- Prevent a 3.0 wsmoused(8) binary from panic'ing the kernel.
- Enable privsep by default in sshd(8).
- Fix find(1)'s -anewer and -cnewer options behaviour.
- Sprinkle ptrdiff_t and size_t types instead of int all over the tree.
- Support LBA48 addressing in wdc(4).
- Bring back TURBOchannel alpha hardware support.
- Fix a slightly incorrect behaviour of the device cloning in UKC (boot_config(8)).
- SECURITY FIX: cause the exec(3) to fail if we are unable to allocate resources when dup-ing /dev/null(4) to fd(4)'s 0-2 for setuid programs.
A source code patch is available.
[Applied to stable]
- Extended Attributes code updates.
- Improve PS/2 mouse port detection in pckbc(4).
- Better hifn(4) initialization and memory usage.
- Extensive cleaning of the installation scripts, adding functionality yet reducing size. No, you're not having a deja vu.
- Fix ethernet interrupt level on sparc, and rework the sparc interrupt framework.
- Better color depth detection in Xwsfb.
- 64-bit fixes in vmstat(8).
- Improve dma processing in bge(4).
- RELIABILITY FIX: constrain readdirplus request count in the nfs(8) filesystem.
[Applied to stable]
- Switch macppc console from the rcons engine to the rasops engine.
- Extensive cleaning of the installation scripts, adding functionality yet reducing size. Yes, once again.
- Add IEEE754 floating point completion code on alpha.
- Improve dma processing in gx(4).
- Build the XFree86 GLX extension on sparc64.
- Hunt for outdated prototypes for character devices entry points and fix them.
- Switch mvme88k to the new MAKEDEV(8) generation framework.
- Implement the -s option in m4(1), for it to be POSIX-compliant.
- Kill all mvme68k kernel compilation warnings.
- Assorted mac68k code cleanups.
- Shared key support in hostap mode in wi(4).
- Make Xwsfb support tga(4) cards on alpha.
- Fix a lock leak in ami(4).
- SECURITY FIX: update sudo(8) to sudo 1.6.6.
A source code patch is available.
[Applied to stable]
- RELIABILITY FIX: avoid buffer overrun on PASV from a malicious server in ftp(1).
[Applied to stable]
- Add a Soundforte radio driver, sfr(4).
- Add dynamic interface -> address translation in pf(4).
- Add kernel hooks on ethernet interfaces, triggered by address changes.
- Extended Attributes code updates.
- Enable the Freetype library on sparc64.
- Add queueing in the kernel crypto framework.
- Make the system includes C++ friendly.
- Allow explicit filtering of non-reassembled fragments in pf(4).
- Support more hardware and fix stability issues in the mac68k sn(4) network driver.
- Improved Lithuanian keyboard map for wscons(4).
- SECURITY FIX: fix a buffer overflow in AFS/Kerberos token handling in sshd(8), and send a complete ticket.
A source code patch is available.
[Applied to stable]
- Fix a memory leak in mg(1).
- Assorted hppa memory management fixes.
- Allow fractional delays in top(1).
- Enable upgrade functionality again on alpha installation media.
- Extensive cleaning of the installation scripts, adding functionality yet reducing size.
- Make cvs(1) create the .cvspass file on a login operation if it does not exist, rather than failing.
- Extend mac68k disklabels to 16 partitions, like all the other platforms.
- Add cddb support to cdio(1).
- Support more network cards with the dc(4) driver.
- Improve sparc pmap behaviour in some low memory conditions.
- sendmail 8.13.
- Switch mvme68k to the new MAKEDEV(8) generation framework.
- Improve the library logic in ld(1) to increase speed and decrease memory usage on a.out platforms.
- New mvme68k installation media.
- Change fpu probe routine on mac68k.
- Fix an obscure bug in sed(1).
- Support more wireless cards with the wi(4) driver, and fix a few issues within.
- Fix 64-bit issues in pfctl(8).
- Remove the wx(4) driver,
which had been deprecated in favor of the gx(4) driver.
This list mentions mostly platform-independent changes. For a list of changes
made in a particular platform, please check the page for that platform. If you
find them not listed there, the changes are either (1) not being documented or
(2) are documented here.
www@openbsd.org
$OpenBSD: plus.html,v 1.830 2002/07/02 01:20:25 deraadt Exp $