OpenBSD Journal

3.2 Release!

Contributed by jose on from the finally-here dept.

Todd Fries and Todd Miller happily send along notice that OpenBSD 3.2 has been released. It's available by FTP, CDROMs are shipping, and is CVS if you want to source upgrade.

This is a big release for OpenBSD with many substantial changes. Many users will want to reinstall from scratch and not upgrade, as architecture changes on some platforms as well as enhanced security features are best taken advantage of that way. Read on for the release notes.

------------------------------------------------------------------------
- OpenBSD 3.2 RELEASED -------------------------------------------------

Nov 1, 2002.

It is our pleasure to officially announce the release of OpenBSD
3.2.  This is our 12th release on CD-ROM (and 13th via FTP).  We
remain proud of OpenBSD's record of six years with only a single
remote hole in the default install.  As in our previous releases,
3.2 provides significant improvements, including new features, in
nearly all areas of the system:

- Improved hardware support             (http://www.OpenBSD.org/plat.html)

  o Asymmetric and symmetric hardware encryption support is enabled
    by default if a supported crypto accelerator is present.

  o Improved frame buffer and X Window System performance on the sparc,
    sparc64, and alpha platforms.

  o Builtin AGP-based video on i386 machines using ALI, AMD, Intel, SiS,
    and VIA chipsets is now supported and usable by the X Window System.

  o Intel Gigabit Ethernet adapters are now supported by the em(4)
    driver which replaces the gx(4) driver.  The em(4) driver supports
    more models and has better performance than the old gx(4) driver.

  o Fixed a stability problem with the twe(4) driver and some UDMA drives.

  o Added support for more PCI-based Cyclades serial boards.

  o IDE disks larger than 128GB and UDMA133 are now supported.

  o Updated isp(4) and siop(4) SCSI drivers.

  o Added support for sbus-PCMCIA bridges on the sparc64 platform.

  o The wi(4) driver (Wavelan, Prism, and Symbol 802.11b) now works
    on the sparc64 platform.

  o DMA handling in the hme(4) driver has been fixed.

- Major improvements in the pf packet filter, including:

  o New "antispoof" keyword: spoofing protection made easy.

  o Much simplified filter rule language.

  o Extended filtering capabilities.

  o All known bugs with filtering bridged interfaces have been fixed.

  o It is now possible to control state table entries with a per-rule
    granularity.

  o Support for dynamic interface expansion.  There is no longer a need
    to reload the ruleset due to IP address changes.  This is useful
    for interfaces where the address is dynamically assigned (PPP
    and DHCP).

- Ever-improving security            (http://www.OpenBSD.org/security.html)

  o Non-executable stack on i386, sparc (sun4m only), sparc64,
    alpha, and macppc platforms.  Non-executable data and bss on
    sparc (sun4m only), sparc64 and alpha.  This makes the system
    more resistent to buffer overflow attacks.

  o OpenBSD 3.2 ships with fewer setuid root binaries than ever before.
    Many of the remaining root setuid binaries drop root privileges
    early in their execution.  The use of setuid in the ports subsystem
    has also been reduced.

  o Privilege separation is now the default in sshd.

  o The Apache web server now runs in a chroot jail by default.
    The new "-u" option can be used to disable this.

  o Several other security issues fixed throughout the system, many
    of which were identified by members of the OpenBSD team themselves.
    Please see http://www.OpenBSD.org/errata31.html for more details
    on what was fixed.

- New subsystems included with 3.2

  o A new tool, systrace, enables the user to specify policy for an
    executable at the system call level.

  o The sparc platform now uses ELF binaries.

- Many other bugs fixed                 (http://www.OpenBSD.org/plus32.html)

- The "ports" tree is greatly improved  (http://www.OpenBSD.org/ports.html)

  o The 3.2 CD-ROMs ship with many pre-built packages for the common
    architectures.  The FTP site contains hundreds more packages
    (for the important architectures) which we could not fit onto
    the CD-ROMs (or which had prohibitive licenses).

- Many subsystems improved and updated since the last release:

  o XFree86 updated to 4.2.1.

  o Sendmail updated to 8.12.6.

  o Apache 1.3.26 and mod_ssl 2.8.10.

  o OpenSSL 0.9.7beta3 (+ patches)

  o Latest KAME IPv6

  o OpenSSH 3.5

  o The atrun command has been incorporated into the cron(8) daemon.

  o The vlan(4) driver now supports multicast.

If you'd like to see a list of what has changed between OpenBSD 3.1
and 3.2, look at

        http://www.OpenBSD.org/plus32.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

This is our thirteenth OpenBSD release, and the twelfth release
which is available on CD-ROM.  Our releases have been spaced six
months apart, and we plan to continue this timing.

- CD-ROM SALES ----------------------------------------------------------

OpenBSD 3.2 is also available on CD-ROM.  The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world.  The set includes a colorful booklet
which carefully explains the installation of OpenBSD.  A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol).  As an
added bonus, the second CD contains an exclusive audio track,
"Goldflipper".  Lyrics for the song may be found at:
    http://www.OpenBSD.org/lyrics.html#32

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 3.2 CD-ROMs are bootable on the following six platforms:
  o i386
  o alpha
  o sparc
  o sparc64 (UltraSPARC)
  o macppc
  o hp300*

* The m68k-based platforms, including hp300, are located on a fourth
  CD that is not included in the official CD-ROM package.  You can
  download the ISO-9660 image for the fourth CD as described below.

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html
Thanks to all developers and users who assisted in making this release a success!

(Comments are closed)


Comments
  1. By Shane () on http://ytivarg.org/

    Yay!

    On a related note, what is the best way to set up an OpenBSD ftp mirror (or any mirror for that matter)? I grabbed the i386 stuff with wget --mirror (and some other switches). Is there a better approach?

    Comments
  2. By zil0g () zil0g@rst-ack.net on mailto:zil0g@rst-ack.net

    Go team go! :)

    I will order a set on monday when I've got the dough for it.

    *waiting eagerly for the new stickers*

    Comments
    1. By Anonymous Coward () on

      *waiting eagerly for the new stickers*


      They're nice.

      The CD arrived in the mail here today, November 1st. Hyper shipping department.

  3. By Anonymous Coward () on

    This is great news, where are the ISO disks?

    Comments
    1. By po () on

      http://www.OpenBSD.org/orders.html

      or make one yourself.

    2. By anders () on

      lol

    3. By Gimlet () on

      I got mine in the mail today, and I do believe they're ISO 9660. Go buy your own. :-P

    4. By Anonymous Coward () on

      ftp://ftp.netbsd.org/pub/NetBSD/iso/1.6

    5. By Anonymous Coward () on www.google.com

      Here:

      ftp://ftp.eunet.cz/pub/os/OpenBSD/iso/
      http://www.roundsparrow.com/Comp/OpenBSD/

      ?

  4. By jb () on

    The Kerberos implementation used in OpenBSD had a very serious security hole some weeks ago, which fixed in version 0.51. The announcement above mentions "0.4e + patches".

    I would like the following simple question clarified: if I install OpenBSD 3.2 out-of-the-box as a KDC, would it be vulnerable?

    Thanks for any help!

    Comments
    1. By Noob () on

      I don't really know since I'm a noob, but I did have a look in the CVSWeb thing, and looked at the file src/kerberosV/src/kadmin/version4.c

      With the OPENBSD_3_2_BASE tag it looked like it wasn't updated.

      I wasn't going to mention anything and just assume everything was ok, until you just mentioned the same thing that was on my mind as well. Also the date for the binary files for the install seemed to be from 2002 10 05. Does that mean they were compiled on October 5?

      Can anyone correct me if I'm wrong on this information?

      I'm happy to have the new release out regardless!
      And on a weekend too :-)

      Comments
      1. By James () on

        Well I went and grabbed 016 from bsd 3.1 and applied it to the 3.2 source tree just fine. So for anyone who thinks they should apply the patch to their 3.2 box you can do so w/o incident and then stop worrying if you are safe due to the nonexecutable stack or not.

      2. By Anonymous Coward () on

        You are using the wrong CVS tag anyway, all fixes go into OPENBSD_3_2

        Comments
        1. By Noob () on

          Actually, I wanted to use the BASE tag since that would match the release. Which was what the original question was regarding. But thanks for the tip ;-)

        2. By Anonymous Coward () on

          Ah, no. The fix is in 3_0, 3_1 and HEAD, but not in 3_2, which is a bit weird. Take a look at this page:

          http://www.openbsd.org/cgi-bin/cvsweb/src/kerberosV/src/kadmin/version4.c?only_with_tag=

          Comments
          1. By Noob () on

            I was checking to see if the code was added to the 3.2 out-of-box release source code.

            OPENBSD_3_2_BASE is the tag for the release source code for OpenBSD 3.2 is it not?

            The original question asked if OpenBSD 3.2 out-of-box was vulnerable to the errata:

            A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.

            You seem to not understand what I am doing, but that's ok ;-)

            Comments
            1. By Anonymous Coward () on

              The the page sould be updated to say at least the following: "Two remote holes in the default install, in nearly 6 years!"

              D'oh i forgot apache so it should be: "Three remote holes in the default install, in nearly 6 years!"

              :(

              Comments
              1. By Noob () on

                No doubt, it does kinda scare me sometimes when I see this kind of stuff.

                Comments
                1. By Anonymous Coward () on

                  This confirmes that the claim "One remote hole in the default install, in nearly 6 years!" is just some bullshit to shell more cds.

    2. By Noob () on

      I just looked in the /pub/OpenBSD/3.2/src.tar.gz
      source code file and looked at the version4.c file.

      The code which was included/added in the 016_kadmin_patch for OpenBSD 3.1 wasn't included in the version4.c file above.

      Wow could they really have released OpenBSD 3.2 without applying that fix?

      Hmmm I'm just a Noob, what do I know. :-(

      Comments
      1. By art () on

        It takes a long time to do the final builds, make the CD masters, finalize the artwork, start CD production, etc.
        The final release was built almost a month ago.

    3. By Stan Williams () stanwilliams90@hotmail.com on mailto:stanwilliams90@hotmail.com

      Maybe the new features save you from exploitation?

      - Ever-improving security
      Non-executable stack on i386, sparc (sun4m only), sparc64, alpha, and macppc platforms. Non-executable data and bss on sparc (sun4m only), sparc64 and alpha. This makes the system more resistent to buffer overflow attacks.

    4. By RC () on

      I was wondering this myself...

      If you checked:
      ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/

      you would see that there are no patches for 3.2 (yet). Now, that would imply that either the OpenBSD team is not on the ball, or it's not an issue. I would have to assume the latter is true.

      Comments
      1. By Anonymous Coward () on

        I will assume the worst - the OpenBSD team is not on the ball - untill otherwise I have seen prove that this is not the case!

      2. By anders () on

        i have a great deal of respect for the obsd team, however they are all human, except maybe theo. lol.

        so if under inspection of the necessary code it seems that the patch has not been applied, then it probably hasnt, even if there is no errata to support it yet.

        solution: apply the patch. if it turns out later you are wrong, just resync your source and build world again. better safe than sorry.

        Comments
        1. By Anonymous Coward () on

          This might be useful information from the CVS logs.

          "Do not build kf and kfd because of security issues in them and heimdal 0.5 will not be merged in 3.2."

          Sound to me like they know what is going on.

  5. By RC () on

    I was waiting for 3.2 since I heard that it was going to have MPlayer in the ports... I tried a snapshot a while back, and it failed miserably, so I was waiting patiently for 3.2 to be released.

    Now, in 3.2 MPlayer refuses to compile from the ports. For one thing, it checks for pthreads & binutils... If a newer binutils is installed, it can't detect pth, and it needs the newer binutils to work. I removed the pthread & the binutils check, tried with 3 versions of binutils, all failed miserably. Of course, this is after I installed the packages of all it's dependencies.

    Why packages and not from ports, you ask? Simply because each and every last one failed miserably (I believe, because of the newer binutils). Of course I could install the mplayer package right? Well it looks like someone neglected to make a package of it... you can install packages that depend on MPlayer, but MPlayer is mysteriously absent.

    In fact, with binutils installed, Mozilla couldn't even detect that gtk+ was installed...

    I like OpenBSD a lot, but this kind of stuff continues to convince me that OpenBSD is just not ready for the desktop.

    Comments
    1. By Anonymous Coward () on

      I've been using MPlayer on 3.1-current for quite a few months now, without any problems (built from ports)
      When I get my 3.2 cd's in the mail (anytime now :) ), we'll see what it does ;)

    2. By jolan () on

      Well it looks like someone neglected to make a package of it...

      It's not mysteriously absent:

      PERMIT_PACKAGE_CDROM= "patents"
      PERMIT_PACKAGE_FTP= "patents"
      PERMIT_DISTFILES_CDROM= Yes
      PERMIT_DISTFILES_FTP= Yes

      Anyway, it works fine for all the people I have talked to. Perhaps you could filter out the whining from your post and submit a quality bug report?

      Mozilla works fine when binutils is installed. You must have seriously botched your system.

      Comments
      1. By RC () on

        There's nothing I could possibly have botched... This is a completely fresh install.

        The only thing I did before attempting to install MPlayer is to install XFce (which also installs glib, gtk, libjpeg, libpng, etc).


        As for the 'whining' as you put it, that is because this is typical of my experience with the Ports system & OpenBSD. If this was an isolated incident, I would not mind it much.

        As for filing bug reports, I've done it in the past, only to watch as it is completely ignored... If it doesn't particularly interest one of the developers, you aren't going to see it fixed.

        That said, I appreciate hearing that it is working fine for others... That narrows down the possibilities. Perhaps OpenBSD just doesn't like something about my test system? Although I can't imagine why that might be the case.

        Comments
        1. By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org

          submit a real complete bug-report.

          I'm reasonably sure you are doing something utterly stupid or unsupported, or both.

          Because mplayer works.

          In fact, over 99% of the ports tree routinely compiles without failure on my system...

          Comments
          1. By zil0g () on

            Yeah, 99.999% of the ports compiles for me too :)

            although I have problems _running_ some ports, nessus fi - it hardlocks my poor laptop when starting the scan :(

            will try it again on 3.2

          2. By RC () on

            > I'm reasonably sure you are doing something utterly stupid or unsupported, or both.

            Since when is "make && make install" utterly stupid or unsupported?

            I was a completely fresh install, and the only thing I'd installed before it was XFce (from the ports).

            That said, I've just submitted the bug report... From past experience, I don't expect much.

            Comments
            1. By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org

              where and how did you submit a bug-report ?
              I see exactly zilch in our bug reports database...

              Comments
              1. By RC () on

                As instructed on http://openbsd.org/report.html, I've e-mailed it to bugs@openbsd.org.

                This forum isn't exactly suited to long discussions. You can e-mail me (within the next 72 hours) at rc@spamhole.com ...

    3. By Not Really Anonymous () on

      _quote_
      I like OpenBSD a lot, but this kind of stuff continues to convince me that OpenBSD is just not ready for the desktop.
      _quote_

      Well, OpenBSD is not focusing on the desktop.

  6. By Dom De Vitto () dom@devitto.com on mailto:dom@devitto.com

    Don't forget to upgrade Apache to 1.3.27

    :-(

    Dom

    Comments
    1. By Anonymous Coward () on

      Stupid question maybe, but why upgrade?

      Comments
      1. By Anonymous Coward () on

        Because there was an ugly security hole in 1.3.26. Look at http://httpd.apache.org/ for references.
        But I wonder whether the patch to fix this hole was included in 3.2 anyway? I would seem strange to me if a security-conscious operating system/distribution like OpenBSD shipped a release with a bug which is known for some weeks already...

        Comments
        1. By Anonymous Coward () on

          One more remote hole in the default install :(

          But it doesn't count since apache isn't started - the user have to enable it, this sux!

          I can accept that the holes in the ports collection isn't countede, but since apache comes with I think that holes in it should be counted as well.

          Apache comes with OpenBSD and there have only been 1 remote hole in nearly 6 years and that wasn't apache so my apache installation is OK - THIS IS NOT TRUE!

          Comments
          1. By Anonymous Coward () on

            You got a good point there!

          2. By zil0g () on

            "But it doesn't count since apache isn't started - the user have to enable it, this sux!"

            the way I understood "default install" was that every service - started or not - was counted, I mean it would be kinda silly otherwise... And like uhm, think it was Theo himself, said "the whole point of a server is to have SERVICES and they should be usable (secure)" (not his exact words, but something to that extent).
            so IF a-patch-e really IS vulnerable, then that's a shame, but such is life, like Art said - it takes a while to get the release ready.

            and just how many here are running generic, unpatched releases on your "server farms" humm?

            Comments
            1. By Anonymous Coward () on

              If this is the case, then "One remote hole in the default install, in nearly 6 years!" itn't true.

              As I understood "default install" then only services that was started was counted. So services that was not started can still be Woundable without counting in regards to that statement.

            2. By Noob () on

              That secure by default thing I think is something a lot of people view differently. They define what it means I think at http://www.openbsd.org/security.html Sounds like it is what you mentioned, this "secure by default" only means that novice people can't blindly install this thing and have it be 100% vulnerable right away. Turning on an exploitable process excludes you from the "secure by default". I'm thinking only basic stuff like firewalls and such would account for a secure by default kind of situation. What a wonderful marketing phrase ;-) I wonder how many people enable older exploitable options thinking there safe because of the "secure by default"

              Comments
              1. By Anonymous Coward () on

                Excactly, if this claim isn't updated the I gues it must be some marketing bullshit to sell more cds and get new people to use OpenBSD with a false impression of security.

    2. By Dr. Noah Body () on

      This may have been left out because the "default" install of apache on OBSD may not be a problem. When I investigated the three vulnerabilities that are fixed by 1.3.27, it looked like the default 1.3.26 install was not affected. I have to care about this stuff because I always run a custom httpd, and not the one blessed by OBSD.

      * CAN-2002-0839 (cve.mitre.org): Affects installs where System V shared memory based scoreboards. AFAIK, the default OBSD apache does not use System V shared memory

      * CAN-2002-0840 (cve.mitre.org): Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present.

      Again, AFAIK, the default install has UseCanonicalName set to "On". Not sure about the DNS reference, but all DNS on OBSD is handled by the resolver, and not Apache (by default)

      * CAN-2002-0843 (cve.mitre.org): Local exploit in "ab", not httpd. This is not a real remote exploit, but one where an unsuspecting user of ab could contact a malicious server that could do bad things.

      My point is that these problems are not so dire, and probably do not affect a default install.

      My other point is that we know that the OBSD team does not bump up the Apache version for things like this. They usually check in a patch, but the version remains the same (as it should). This is much safer than slurping in the next release of Apache.

      Has anyone checked the diffs to see if Apache has been patched in 3.2?

  7. By Iain Kyte () ikyte@yah00.com on mailto:ikyte@yah00.com

    What are the plans for the next two releases? It would be nice to have a time line so we who follow the Current stream and are interested in other enhancements know what is planned.

    So, any plans to develop SMP?
    Do we want a single Kernel or one for single and another for multiple processor systems?

    Upgrade the Compiler to GCC 3.2?

    Use or replace OpenSSL?

    Any other design, ideas and projects?

    Also would be nice to have a request for donation page for Hardware requests and offers on the main site. Else reply with URL to this comment.

    Iain

    Comments
    1. By Anonymous Coward () on

      it's the second link down on the left..

      put yer specs on grand dad :]

    2. By Anonymous Coward () on

      On the donations page:
      * Intel i82586/i82596-based Ethernet cards (i.e., BusLogic Bt763E EISA, Intel Flash32 EISA, Cogent eMaster EM935/EM932 EISA, AT&T StarLAN 10, AT&T EN100)

      I emailed Theo offering a couple of Flash32 cards a year ago, he never sent a reply. I emailed again two weeks later, again no reply. I tossed them out, he obviously didn't want them.

      Comments
      1. By Anonymous Coward () on

        Yes, he does that sometimes...
        Try emailing the developer, who usually works on that stuff, directly next time - might just have a better luck with such approach.

      2. By ~Theo () on

        I'm sure he gets a lot of email, and some of it not so nice. I know I don't answer all my email anymore.

  8. By Anonymous Coward () on

    When is the upgrade-mini-faq going to be upgraded then?
    Canīt wait to upgrade my box :)
    It should not be any problem to upgrade through cvsup?

    Comments
    1. By zil0g () on

      yes it should - search through the latest misc@ -advice is pretty straight forward.

  9. By Anonymous Coward () on

    Many users will want to reinstall from scratch and not upgrade, as architecture changes on some platforms as well as enhanced security features are best taken advantage of that way.

    I run an OpenBSD web server on i386. I would really like to avoid reinstalling from scratch, if I could. What security features would I be not taking advantage of by simply upgrading?

    Comments
    1. By Too lazy to reinstall () on

      Good question, and one that I thought did not need to be asked. I thought and upgrade was the same, albeit with a lot of mucking about in /etc to get your system back to normal.

      If I'm going to freshly install, I'm probably going to want bigger hardware, as my little home network has grown into several supported client nodes, all requiring DHCP, DNS and a few other acronyms that clients always want. That, and I'm hosting more than one web site now, most of which is on MySQL.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]