OpenBSD Journal

OpenBSD Journal

LibreSSL update

Contributed by rueda on from the incremental obfuscation dept.

A long list of recent LibreSSL commits by Theo Buehler (tb@) culminated in bumps to library versions:

Module name:	src
Changes by:	2022/01/14 02:15:08

Modified files:
	lib/libcrypto  : shlib_version 
	lib/libssl     : shlib_version 
	lib/libtls     : shlib_version 

Log message:
bump libcrypto, libssl, libtls majors after struct visibility changes
and Symbol addition and removal in libcrypto.

Undeadly reached out to Theo asking whether he would share with readers an explanation of the changes. He kindly responded:

Today's commits were nothing super exciting, just a lot of work, most of it boring and mechanical…

Read more…

DRM updated

Contributed by rueda on from the DRM me up before you go-go dept.

Johathan Gray (jsg@) has updated DRM to Linux 5.15.14 (with support for several additional chips):

Module name:	src
Changes by:	2022/01/13 23:53:17

Modified files:
	sys/dev/fdt    : rkdrm.c rkvop.c 
	sys/dev/ic     : anxdp.c 
	sys/dev/pci/drm: dma-resv.c drm_agpsupport.c drm_atomic.c 
Log message:
update drm to linux 5.15.14

new hardware support includes

ehl/Elkhart Lake (embedded)
jsl/Jasper Lake (atom)
rkl/Rocket Lake (desktop)

van gogh APU (gfx1033)
yellow carp / rembrandt APU (gfx1035?)
Ryzen 6000 APU
navy flounder / navi 22 (gfx1031)
RX 6700, RX 6700 XT, RX 6700M, RX 6800M, RX 6850M XT
dimgrey cavefish / navi 23 (gfx1032)
Pro W6600, Pro W6600M, RX 6600, RX 6600 XT, RX 6600M,
RX 6600S, RX 6650M, RX 6650M XT, RX 6700S, RX 6800S
beige goby / navi 24 (gfx1034)
RX 6500 XT, RX 6400, RX 6500M, RX 6300M

Thanks to the OpenBSD Foundation for sponsoring this work
niklas@ for helping with ttm and amdgpu and patrick@ for adapting
rockchip drm.

Make sure to test the new DRM code on your machines (old and new) as this will be part of the 7.1 release in a few months.

Catchup 2021-11-03

Contributed by rueda on from the onwards, onwards dept.

Interesting developments (in -current) since OpenBSD 7.0 include:

OpenBSD 7.0 released

Contributed by rueda on from the Undeadly-SYNs dept.

The OpenBSD project has released OpenBSD 7.0, the project's 51st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to:

  • Support has been added for a new hardware platform, riscv64, for 64-bit RISC-V systems. [See earlier reports.]
  • /etc/ was introduced, providing a mechanism to make config(8)-modified GENERIC kernels compatible with KARL.
  • Hibernate time has been reduced. [See earlier report.]
  • The timeout(1) utility was imported from NetBSD. [See earlier report.]
  • openrsync(1) now has include and exclude options. [See earlier report.]
  • doas(1) will now retry up to 3 times on password authentication failure.
  • ucc(4), a driver for USB HID Consumer Control keyboards, was added. This exposes volume, audio, and application launch keys.
  • xterm(1) is now unveiled. [See earlier report.]
  • printf(3) and friends now log an error and abort when confronted with format %n.
  • iked(8) now has client-side support for DNS configuration. [See earlier report.]
  • traceroute(8) speed has been boosted through asynchronous handling of probe packets and DNS. [See earlier report.]
  • dhcpleased(8) and resolvd(8) are both enabled by default and provide the standard mechanism for configuring IPv4 addresses by DHCP. [See previous reports.] The combination also makes nameserver information gathered via slaacd usable in dynamic configurations. dhclient(8) remains available for special cases. A "nameserver" command was added to route(8), allowing sending DNS nameserver prooposals to resolvd(8) over the routing socket.
  • In LibreSSL 3.4.1, support has been added for the OpenSSL 1.1.1 TLSv3 APIs. The "new" X.509 validator is enabled, allowing verification of modern certificate chains.
  • In OpenSSH 8.8, the RSA/SHA1 signature type [not RSA ("ssh-rsa") keys - see previous report] is disabled by default. scp(1) supports optional use of the SFTP protocol. [Since our previous report, the default has reverted to using the original scp/rcp protocol by default.]

Those upgrading from the 6.9 release (or earlier) should consult the Upgrade Guide.

While your install sets download or when your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. Corporate entities may prefer to send money to The OpenBSD Foundation, a Canadian non-profit corporation. You can also get merchandise and help OpenBSD visibility. Also, don't forget to listen to the release song (mp3 or ogg) and check out the lyrics.

Thanks to the developers for all the excellent work that has gone into this great new release!

Catchup 2021-10-08

Contributed by rueda on from the sundry puffyisms dept.

In the run-up to the OpenBSD 7.0 release, we note several recent interesting things previously unreported:

September 30th, 2021 syspatches: some assembly might be required

Contributed by Peter N. M. Hansteen on from the intermediate solutions for intermediate problems dept.

Did you just run syspatch(8) and see it fail?

Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed.

The syspatches (for OpenBSD 6.8, 032, for OpenBSD 6.9, 018) mitigate the unfortunate situation.

However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.

Read more…


Donate to OpenBSD


We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

OpenBSD 7.0

0082021-12-16 SECURITY If multicast routing is used, kernel memory is leaked to userland.
0072021-12-14 SECURITY Multiple input validation failures in the X server request parsing code can lead to out of bounds memory accesses for authorized clients.
0062021-11-26 SECURITY In some situations the X.509 verifier would discard an error on an unverified certificate chain, resulting in an authentication bypass.
0052021-11-26 RELIABILITY An unprivileged user could crash the kernel by using UNIX-domain sockets in multiple threads.
0042021-11-09 SECURITY rpki-client(8) should handle CA misbehaviours as soft-errors.
0032021-10-31 SECURITY The kernel could leak memory when closing unix sockets.

Unofficial RSS feed of OpenBSD errata


Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]