OpenBSD Journal
OpenNTPD 5.7p4 released
Contributed by pitrh on Wed Mar 25 18:12:52 2015 (GMT)
from the time is real this time dept.

The OpenNTPD team has announced the availability of OpenNTPD 5.7p4, which adds support for using HTTPS time constraints to validate NTP responses, in turn made possible by the LibreSSL-supplied libtls, plus a number of important bug fixes.

You'll find the full text of the announcement after the fold:


SSH Protocol 1 Now Disabled at Compile Time
Contributed by pitrh on Tue Mar 24 16:34:18 2015 (GMT)
from the two-versions-enter-one-version-leaves dept.

As Damien Miller (djm@) announced on tech@, support for SSH version 1 is now no longer being included in OpenBSD SSH:


I just committed a change to src/usr.bin/ssh/ to compile-time disable SSH protocol 1. This protocol is old, unsafe and really, really shouldn't be used at all any more.

If you have need of it, then you can re-enable it for yourself using the knob in

If you run into bugs related to this change, please tell and we'll fix them quickly. We're deliberately doing this change early in the release cycle to flush out bugs and find out how many people are still using this terrible old protocol.


Like the man says, report any bugs found! And this might be a good time to offer the hand of friendship and understanding to any and all vendors/packagers who still support v1 to join the rest of us in deprecating the lesser protocols.


EuroBSDCon 2015 Call for Papers Is Out
Contributed by pitrh on Wed Mar 18 13:32:01 2015 (GMT)
from the Puffy craves plankstek dept.

The EuroBSDCon 2015 conference organizers have announced the Call for Papers for the upcoming conference in Stockholm, Sweden.

Go to for details; the full text of the announcement also follows after the fold.


Donation request for network SMP development
Contributed by tj on Fri Mar 20 20:38:13 2015 (GMT)
from the needs-dragon-taming-gear dept.

Martin Pieuchot (mpi@) writes in about what's needed for further SMP improvements in the network stack:

If you've been following my contributions to OpenBSD's kernel, you already know that in the past years I've been working on the Network Stack to make it more SMP friendly.

All the network hackers present at s2k15 agreed to volunteer me to work on the next step: properly integrate the pseudo-drivers (carp(4), vlan(4), trunk(4)...) in order to take ether_input() out of the kernel lock.


OpenSSH 6.8 Released
Contributed by pitrh on Fri Mar 20 13:07:47 2015 (GMT)
from the yes, toys inside dept.

This week has been full of other exciting news, so it may have been easy to miss that the OpenSSH team has released OpenSSH 6.8. The new release is billed as

This is a major release, containing a number of new features as well as a large internal re-factoring.

This is the OpenSSH version that will be in OpenBSD 5.7, with lots of goodies as well as some potentially backward-incompatible features. The full announcement is at, or look after the fold.


OpenSSL 2015-03-19 Security Advisories - LibreSSL Largely Unaffected
Contributed by pitrh on Thu Mar 19 15:05:46 2015 (GMT)
from the may contain dangerous toys dept.

The response to today's much-anticipated unveiling of newly discovered OpenSSL vulnerabilities has been varied and loud, as expected. However, the impact on the OpenBSD-initiated LibreSSL project's code -- which has undergone extensive cleanup since LibreSSL forked off OpenSSL's code base in 2014 -- appears to be limited. Out of a total of 13 CVEs in OpenSSL's announcement, only five (CVE-2015-0207, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289 and CVE-2015-0209) still applied to LibreSSL's code.

The main takeaway from the announcement appears to be that the cleanup has been effective; however, these 'crash-inducing' issues have now been fixed in LibreSSL:

CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

The OpenSSL project provided information and patches to the LibreSSL project in advance of the announcements.

More, including information about OpenBSD 5.7, 5.6 and 5.5, after the fold.


libXfont Errata
Contributed by tbert on Wed Mar 18 08:51:24 2015 (GMT)
from the tell-X-where-you-marked-the-spot dept.

Patches are now available to fix buffer overflows in libXfont. This issue affects 5.5, 5.6, and the forthcoming 5.7 release.

For more details, refer to the advisory:

5.5 patch:

5.6 patch:


LibreSSL 2.1.5 Released
Contributed by pitrh on Tue Mar 17 16:04:29 2015 (GMT)
from the liberal yak shaving dept.

The LibreSSL team has released LibreSSL 2.1.5, which the team characterizes as

relatively small, focused on bug fixes before 2.2.x development begins along-side OpenBSD 5.8.

In what could be a useful test of the LibreSSL project's code cleanup operation, the team notes that

This or earlier LibreSSL releases may also address issues that are to be revealed by The OpenSSL Project Team on the 19th of March, 2015.

The LibreSSL team is not typically apprised of OpenSSL-related security issues in advance. We will address any previously-unknown issues that are found to affect LibreSSL in future releases.

You can read the full announcement here, and it also follows in full after the fold.

UPDATE 2015-03-17 16:20 CET: Bob Beck (beck@) now reports that the OpenSSL project has communicated details of the still-embargoed OpenSSL vulnerabilities to LibreSSL core developers.


OpenBSD @ AsiaBSDCon: httpd, PIE, and more
Contributed by jj on Sun Mar 15 19:30:43 2015 (GMT)
from the how to make sushi out of puffer fish dept.

Slides from the AsiaBSDCon 2015 presentations are expected to appear on the OpenBSD web site (specifically the Presentations and Papers page).

The first presentation to appear there was Reyk Floeter's OpenBSD's new httpd (slides), also with a paper version.

Other developers have been quite punctual too, publishing their presentations soon after their sessions at the conference:

Peter Hessler: The results of using BGP for realtime import and export of spam whitelist/blacklist entries
Ted Unangst: Pruning and Polishing: Keeping OpenBSD Modern
Henning Brauer: OpenBSD sucks
Pascal Stumpf: Converting OpenBSD to PIE (slides) plus paper

And finally, the OpenBSD Update from the work in progress session, given by Henning Brauer.



Copyright © 2004-2009 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with thttpd (plus patches) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]