Contributed by
rueda
on
from the puffy-does-the-splits-again dept.
The work of improving ssh security by segregating functionality into separate binaries contiues, this time by introducing sshd-auth as a separate binary.
Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after thhe authentication phase completes.
Contributed by
rueda
on
from the delivered by Puffy dept.
Omar Polo (op@) has
announced
the release of version 7.6.0p0 of
OpenSMTPD.
The changes (including the table protocol change on which we
reported earlier)
are:
- Introduced a new K_AUTH service to allow offloading the credentials
to a proc table for non-crypt(3) authentication. Helps with use
cases like LDAP or custom auth.
- Implement report responses for proc-filters too.
- Changed the table protocol to a simpler text-based one. Existing
proc tables needs to be updated since old ones won't work. The new
protocol is documented in smtpd-tables(7).
- Fixed the parsing of IPv6 addresses in file-backed table(5)
- Document expected MDA behavior and the environment set by OpenSMTPD.
- Set ORIGINAL_RECIPIENT in the environment of MDA scripts for
compatibility with postfix.
- Updated the bundled libtls.
Options to penalize undesirable behavior [See earlier report]
support for a new hybrid post-quantum key exchange [See earlier report]
and of course there is the
full changelog
which details the changes made over this latest six month development cycle.
Installation Guide
details how to get the system up and running with a fresh install,
while those who already run earlier releases should follow the
Upgrade Guide,
in most cases using
sysupgrade(8)
to upgrade their systems.
Now please dive in and enjoy the new release, and while the installer runs, please do donate to the project to support further development and more future goodies for us all!
CVSROOT: /cvs
Module name: src
Changes by: florian@cvs.openbsd.org 2024/09/24 01:33:35
Modified files:
usr.sbin/sysupgrade: sysupgrade.8 sysupgrade.sh
Log message:
Remove -r toggle and generally be less smart.
The default is to install the next release. Snapshots are only
installed when invoked with -s.
Contributed by
rueda
on
from the snap-no-more dept.
Theo de Raadt (deraadt@)
updatedthe
version of
OpenBSD
-current to "7.6-current".
Those running the latest-and-greatest
[via a sufficiently new snapshot or built from source]
no longer need to use
"-D snap" with
pkg_add(1)
(and
pkg_info(1)).
Our favorite operating system is now changing the default shell (ksh) to enforce not allowing invalid NUL characters in input that will be parsed as parts of the script.
List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date: 2024-09-23 21:18:33
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/09/23 15:18:33
Modified files:
bin/ksh : shf.c
Log message:
If during parsing lines in the script, ksh finds a NUL byte on the
line, it should abort ("syntax error: NUL byte unexpected"). There
appears to be one piece of software which is misinterpreting guidance
of this, and trying to depend upon embedded NUL. During research,
every shell we tested has one or more cases where a NUL byte in the
input or inside variable contents will create divergent behaviour from
other shells. (ie. gets converted to a space, is silently skipped, or
aborts script parsing or later execution). All the shells are written
in C, and majority of them use C strings for everything, which means
they cannot embed a NUL, so this is not surprising. It is quite
unbelievable there are people trying to rewrite history on a lark, and
expecting the world to follow alone.
Contributed by
rueda
on
from the Sláinte, Puffy! dept.
EuroBSDCon 2024
[in Dublin, Ireland] has now ended,
and slides for many of the OpenBSD developer presentations
are now available in the
usual place.
Video of the individual presentations can be expected somewhat later.
In the meantime, OpenBSD-related presentations [including those from
non-developers] can be found in the
recordings
of the "Foyer B" streams.
In addition, there was a full day PF tutorial with some updates to the publicly available slides.
Contributed by
grey
on
from the now with post-quantum key exchange! dept.
In a fediverse post,
Damien Miller (djm@) announced the availability of the new
OpenSSH version 9.9:
OpenSSH 9.9 has just been released. New features include support for hybrid ML-KEM X25519 post-quantum key exchange (using a formally-verified ML-KEM implementation), improved controls to drop and penalise unwanted connections, faster NTRUPrime key exchange code and more.
We are constantly on the lookout for stories of how you put OpenBSD to work.
Please submit any informative articles on how OpenBSD is helping your company.
2024-09-17SECURITYAvoid possible mbuf double free in NFS client and server implementation. Do not use uninitialized variable in error handling of NFS server.