OpenBSD Journal


Enable local-to-anchors tables in PF rules

Contributed by Peter N. M. Hansteen on from the table the anchors, friends dept.

In a recent post to tech@ titled "let's make pf(4) anchors and tables better friends" (possibly originating at the ongoing hackathon), Alexandr Nedvedicky (sashan@) introduced code to enable creating local tables inside anchors in pf(4) rulesets:

Date: Sat, 13 Jul 2024 14:32:21 +0200
From: Alexandr Nedvedicky <sashan () fastmail ! net>
To: tech@openbsd.org
Subject: let's make pf(4) anchors and tables better friends

Hello,

the change presented in the diff below allows the user to define a table
inside the anchor. Consider the rules here:


A practical guide to VPNs, IPv6, routing domains and IPSEC

Contributed by Peter N. M. Hansteen on from the networking with puffy to the sixes dept.

Crystal Kolipe writes in about a new article posted by the crew at Exotic Silicon on fun things to do with OpenBSD -- Implementing a self-managed, dual-stacked VPN.

Today we're showing you how to use iked to tunnel both IPv4 as well as IPv6 to a remote server for a self-managed VPN. We're doing all this with utilities from the OpenBSD base system so the setup is nice and sleek, completely avoiding the need to install countless programs from ports.

Not only that, but we'll also show you how to isolate the VPN traffic in its own routing domain so it can be used only when required (or if you're really clever like us, you can even configure more than one simultaneously).

Of course, the setup supports inbound connections too, so you can run servers from diverse physical locations whilst using the inbound address space and connectivity of the datacentre. Stuck without IPv6 or inbound connectivity at home? Not anymore! All this excitement and even more is right here waiting for you in setting up an IPv6 capable VPN. Read it today!

clang -fret-clean on the horizon for OpenBSD/arm64

Contributed by Peter N. M. Hansteen on from the clean my arm returns dept.

While we were busy with other things, Theo de Raadt (deraadt@) has continued the work on bringing the clang option that cleans return addresses off the stack, as reported earlier, to OpenBSD/arm64.

Theo posted an early version of the code to tech@, saying

List:       openbsd-tech
Subject:    arm64 -fret-clean attempt
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2024-07-02 5:50:45

I've been trying to write -fret-clean for arm64.

On a return-stack architecture like amd64, the callee has to clean up the
word on the stack upon return.

arm64, like some other risc architectures, is a link-register architecture.
In this case, the return address is saved in some temporary location by
the caller, who loads it into the link register before returning.  Before
that moment, the caller has to clean it up.


OpenSSH 9.8 released

Contributed by Peter N. M. Hansteen on from the SSH! listen to the sound of bugs fixed dept.

In a fediverse post, Damien Miller (djm@) announced the availability of the new OpenSSH version 9.8:
OpenSSH 9.8 has just been released. This release includes a fix for a critical race condition in sshd that could be exploited for remote code execution so you should definitely patch or upgrade. It also contains a fix for a minor issue in ssh that saw the recently-added ObscureKeystrokeTiming feature work the opposite way as intended.

There are some new features too. Please see the release notes at https://openssh.com/releasenotes.html for more details.

RIP dhclient(8)

Contributed by Peter N. M. Hansteen on from the addresses will be grabbed dept.

Friends, dhclient(8) in OpenBSD is no more, at least for those of us running -current.

For some of us it is basically in muscle memory to type doas dhclient $wifiinterface when visiting somewhere, but from this day forward we will rely on dhcpleased(8) to do its job, which in my own experience it does admirably.

In this commit, Theo de Raadt (deraadt@) executed the removal.

The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2024-06-30 17:30:54

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2024/06/30 11:30:54

Modified files:
	distrib/sets/lists/base: mi 
	distrib/sets/lists/man: mi 
	etc            : Makefile 
	sbin           : Makefile 
Removed files:
	etc/examples   : dhclient.conf 
	sbin/dhclient  : Makefile bpf.c clparse.c conflex.c dhclient.8 
	                 dhclient.c dhclient.conf.5 dhclient.leases.5 
	                 dhcp.h dhcpd.h dhctoken.h dispatch.c kroute.c 
	                 log.c log.h options.c packet.c parse.c 
	                 privsep.c privsep.h 


Initial playlist of 28 BSDCan Videos released

Contributed by Patrick McEvoy on from the Beastie! Pass Puffy the poutine! dept.

Patrick McEvoy aka BSDTV writes in,

We are releasing an initial playlist of 28 BSDCan Videos.

The OpenBSD focused: Why rewrite fw_update(8)? By: Andrew Hewus Fresh

We have 6 videos in need of additional work and expect them to be released in the coming month. We will also release to Peertube. I will update this post accordingly.

We now know how quite a few of us will spend the next few hours and possibly days, while we eagerly await the arrival of the final six.

OpenBGPD 8.5 released

Contributed by Peter N. M. Hansteen on from the Puffy routes with borders dept.

The OpenBGPD project announced that a new version of the Border Gateway Protocol daemon, OpenBGPD 8.5, has been released. The release comes with a number of new features and refinements, and marks another step in the development of secure and reliable routing management.

The announcement reads:

List:       openbsd-announce
Subject:    OpenBGPD 8.5 released
From:       Claudio Jeker <claudio () openbsd ! org>
Date:       2024-06-26 19:10:13

We have released OpenBGPD 8.5, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:



OpenBSD Errata

OpenBSD 7.5

004 2024-06-26 RELIABILITY Repair a withdraw desynchronization problem in bgpd(8).
003 2024-05-10 RELIABILITY A missing bounds check could lead to a crash in libcrypto.
002 2024-04-11 RELIABILITY Install media for the alpha architecture was broken due to a strip(1) bug.
001 2024-04-08 SECURITY Fix multiple heap buffer overreads and data leakage in the X11 server Xi extension and a use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083


OpenBSD 7.4

017 2024-06-26 RELIABILITY Repair a withdraw desynchronization problem in bgpd(8).
016 2024-04-08 SECURITY Fix multiple heap buffer overreads and data leakage in the X11 server Xi extension and a use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083
015 2024-03-18 SECURITY In libexpat, fix the billion laughs attack vulnerability CVE-2024-28757.
014 2024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
013 2024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
012 2024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]