OpenBSD Journal

OpenSSH introduces options to penalize undesirable behavior

Contributed by Peter N. M. Hansteen from the sshd to carry a big stick dept.

In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configuration options PerSourcePenalties and PerSourcePenaltyExemptList, which provide a built-in facility in sshd(8) itself to penalize undesirable behavior and to shield specific clients from penalty, respectively.

The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2024-06-06 17:15:26

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2024/06/06 11:15:26

Modified files:
	usr.bin/ssh    : misc.c misc.h monitor.c monitor_wrap.c 
	                 servconf.c servconf.h srclimit.c srclimit.h 
	                 sshd-session.c sshd.c sshd_config.5 

Log message:
Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

Read more…

DHCPv6-PD - First steps by florian@

Contributed by Peter N. M. Hansteen from the fix the prefix dept.

As noted earlier, OpenBSD-current now has IPv6 prefix delegation available via the new dhcp6leased(8) daemon.

Before he committed the code, Florian Obser (florian@) wrote a blog post on the process of developing the new program, titled DHCPv6-PD - First steps.

The prologue leads in,

The single most requested feature missing in OpenBSD base directed at me is DHCPv6-PD. Recently I got a working setup at home using dhcpcd from ports and a donated Fritz!Box 6660 Cable. Time to hack on this.

He follows up with details on how the ideas and the code developed. Read the whole thing at DHCPv6-PD - First steps.

dhcp6leased(8) imported to -current

Contributed by rueda from the the-missing-link6 dept.

Florian Obser (florian@) has committed (to -current) dhcp6leased(8), a DHCPv6 client for handling Prefix Delegation (PD):

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2024/06/02 06:28:05

Added files:
	sbin/dhcp6leased: Makefile control.c control.h dhcp6leased.8 
	                  dhcp6leased.c dhcp6leased.conf.5 dhcp6leased.h 
	                  engine.c engine.h frontend.c frontend.h log.c 
	                  log.h parse.y printconf.c 

Log message:
Import dhcp6leased(8)

dhcp6leased is a daemon to manage IPv6 prefix delegations. It requests
a prefix from an upstream DHCPv6 server and configures downstream
network interfaces. rad(8) can be used to advertise available prefixes
to clients.

Read more…

clang option -fret-clean committed

Contributed by rueda from the well-cleaned-stacks dept.

Theo de Raadt (deraadt@) has committed -fret-clean for clang:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2024/06/02 09:40:43

Modified files:
	gnu/llvm/clang/include/clang/Driver: Options.td 
	gnu/llvm/clang/lib/Driver/ToolChains: Clang.cpp 
	gnu/llvm/llvm/lib/Target/X86: X86.h X86TargetMachine.cpp 
	gnu/usr.bin/clang/libLLVMX86CodeGen: Makefile 
	share/man/man1 : clang-local.1 

Log message:
add -fret-clean option (amd64 and i386 only at first), defaulting to off.
This causes the caller to clean the return address off the stack after
a callq completes.  The option is best used in low-level libraries (such as
libc), because libc contains low-level system call stubs.  The option
reduces hints (found on the stale parts of the stack) about libc.so's mapping
location, and together with random-relinking, relro got/pic, and xonly
makes some exploit methods more difficult.
ok mortimer, mlarkin, much discussion with kettenis, in snaps for 2 weeks.

See our earlier article for more discussion.

For now, this is only for amd64 and i386.

clang -fret-clean: cleaning return addresses off stack (by deraadt@)

Contributed by Peter N. M. Hansteen from the Puffy cleans your stack dept.

Future versions of OpenBSD may include core system libraries and binaries built with logic to clean return addresses off the stack. With this in place, whole classes of bugs would be harder to exploit.

In a message to the tech@ mailing list titled clang -fret-clean: cleaning return addresses off stack, Theo de Raadt (deraadt@) explains how this would work and includes code to implement the feature for the X86 architecture only:

List:       openbsd-tech
Subject:    clang -fret-clean: cleaning return addresses off stack
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2024-05-25 6:18:59

There are many address space mitigations in play now which make standard
control-flow methods and ROP-style methods more difficult than ever before.
None of them are a silver bullet; added up they are a big deal, but no one
is saying they are a comprehensive solution.

One thing I've worried about for a while is that program bugs being
exercised tend to happen in the main program, or in some large library.
But many types of attack methodology require reaching system calls via
libc, in as direct and simple fashion as possible.  ASLR location of
libc has made that a bit harder, boot-time random relinking of libc
makes it even more difficult.  But there's a few things which do hint at
where libc is mapped.

Read more…

Important message for Apple Silicon OpenBSD/arm64 users

Contributed by Peter N. M. Hansteen from the well armed pufffies dept.

As you may be aware, OpenBSD runs on Apple Silicon M series processors, thanks to the efforts of the OpenBSD/arm64 developers.

For those running our favorite operating system alongside the Apple product, sometimes special measures are needed, though.

Mark Kettenis (kettenis@) sent a message titled Important message for Apple Silicon OpenBSD/arm64 users to the misc@ and arm@ mailing lists, warning about possible firmware issues:

Subject:    Important message for Apple Silicon OpenBSD/arm64 users
From:       Mark Kettenis <mark.kettenis () xs4all ! nl>
Date:       2024-05-21 20:54:21

As indicated here:

  https://social.treehouse.systems/@AsahiLinux/112449204541186432

The system firmware that comes with macOS Sonoma 14.5 triggers a bug
in the m1n1 bootloader that is used to boot OpenBSD on these machines.
The bug will prevent OpenBSD from booting on some machines after the
macOS update has been installed.  The recommended fix is to update the
"stage1" m1n1 by booting into macOS and running:

Read more…

KDE 6 landed in OpenBSD-current

Contributed by Peter N. M. Hansteen from the plasmatic puffy dept.

YES! KDE6 landed in OpenBSD -current

Rafael Sadowski (rsadowski@) writes in his most recent blog entry on KDE6 on OpenBSD, and goes on to say

We are currently in an excellent phase ahead of the upcoming OpenBSD release 7.6, which gives us plenty of time to thoroughly test KDE Plasma 6. My goal is to make sure it works well and is stable for everyone.

Also worth noting is some work still in progress,

Stay tuned for more updates as we progress towards the integration of KDE Plasma 6 into OpenBSD 7.6.

But don't just take our word for it, read the whole thing, KDE6 on OpenBSD over at Rafael's blog. There you will find detailed descriptions of how to perform the upgrade, and a video of the important points.

sshd(8) split into multiple binaries

Contributed by rueda from the puffy-does-the-splits dept.

With the following commit, Damien Miller (djm@) commenced the process of splitting sshd(8) into multiple binaries:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2024/05/16 18:30:24

Modified files:
	usr.bin/ssh    : Makefile Makefile.inc auth-rhosts.c auth.c 
	                 auth.h auth2-gss.c auth2-hostbased.c 
	                 auth2-kbdint.c auth2-none.c auth2-passwd.c 
	                 auth2-pubkey.c auth2.c channels.c kex.c kex.h 
	                 kexgexs.c misc.c misc.h monitor.c monitor.h 
	                 monitor_wrap.c monitor_wrap.h msg.c packet.c 
	                 packet.h pathnames.h servconf.c servconf.h 
	                 serverloop.c session.c ssh_api.c sshd.c 
	usr.bin/ssh/sshd: Makefile 
Added files:
	usr.bin/ssh    : sshd-session.c 
	usr.bin/ssh/sshd-session: Makefile 

Log message:
Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

Read more…

OpenBSD Errata

OpenBSD 7.5

003 2024-05-10 RELIABILITY A missing bounds check could lead to a crash in libcrypto.
002 2024-04-11 RELIABILITY Install media for alpha architecture was broken due to strip(1) bug.
001 2024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083

OpenBSD 7.4

016 2024-04-08 SECURITY Fix multiple heap buffer overread and data leakage in the X11 server Xi extension and use after free in the Render extension. CVE-2024-31080 CVE-2024-31081 CVE-2024-31083
015 2024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
014 2024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
013 2024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
012 2024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
011 2023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]