Contributed by jose on from the w00t dept.
I said buy a cd/shirt/poster! What the @#$* are you waiting for???? When i was your age, we bought 5 of every item, and then we had to walk through 4 feet of snow 6 miles, just to get to school. You lazy gen-x'er!" Read on for the full announcement from Todd Miller for 3.3's release.
May 1, 2003.
We are pleased to announce the official release of OpenBSD 3.3. This is our 13th release on CD-ROM (and 14th via FTP). We remain proud of OpenBSD's record of seven years with only a single remote hole in the default install. As in our previous releases, 3.3 provides significant improvements, including new features, in nearly all areas of the system:
-
Ever-improving security (http://www.OpenBSD.org/security.html)
- Integration of the ProPolice stack protection technology, by Hiroaki Etoh, into the system compiler. This protection is enabled by default. With this change, function prologues are modified to rearrange the stack: a random canary is placed before the return address, and buffer variables are moved closer to the canary so that regular variables are below, and harder to smash. The function epilogue then checks if the canary is still intact. If it is not, the process is terminated. This change makes it very hard for an attacker to modify the return address used when returning from a function.
- W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU (sparc, sparc64, alpha, hppa). This is a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs can not be executable at the same time and vice versa. This raises the bar on potential buffer overflows and other attacks: as a result, an attacker is unable to write code anywhere in memory where it can be executed. (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current already supports it on i386, and both these processors are expected to support this change in 3.4.)
- Further reduction of the number of setuid and setgid binaries and more use of chroot(2) throughout the system. While some programs are still setuid or setgid, most allocate a resource and then quickly revoke privilege.
- The X window server and xconsole now use privilege separation, for better security. Also, xterm has been modified to do privilege revocation. xdm runs as a special user and group, to further constrain what might go wrong.
- RSA blinding is now on by default in OpenSSL.
- Many occurrences of strcpy(), strcat() and sprintf() have been changed to strlcpy(), strlcat(), and snprintf() or asprintf().
- A process will now have the P_SUGIDEXEC flag set if any of the real, effective, or saved uid/gid are mismatched. Previously only the real and effective uid/gid were checked.
- ptrace(2) is now disabled for processes with the P_SUGIDEXEC flag set.
- The xl(4), sis(4) and vr(4) ethernet drivers are more robust.
- The ahc(4) and bktr(4) drivers now work on macppc.
- Vlan tagging now works properly in the ti(4) driver.
- The cac(4) driver is now more stable.
- Media handling has been improved in the hme(4) driver.
- Bugs have been fixed in the gem(4) driver to make it more stable on the sparc64 platform.
- Several fixes for the ami(4) driver.
- New LZS compression support for the hifn(4) driver.
- Support for new IDE controllers from Promise, VIA, NVIDIA and ServerWorks.
- siop(4) driver improvements.
- The sparc64 platform is now supported on several more models and is much more stable.
- pf now supports altq-style queueing via the new "queue" directive. Packets are assigned to queues based on filter rules. This allows for very flexible queue settings, including quality of service bandwidth shaping.
- New support for "anchors," which allows the use of sub-rulesets which can be loaded and modified independently.
- A new "table" facility provides a mechanism for increasing the performance and flexibility of rules with large numbers of source or destination addresses.
- Address pools, redirect/NAT to multiple addresses and thus load balancing.
- The scrub option 'no-df' has been changed to better handle fragments with DF set, such as those sent by Linux NFS.
- There is a new 'random-id' option for the scrub rules. This randomizes outbound IP IDs and helps defeat NAT detection.
- TCP state inspection is now RFC 763 compliant; we now send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
- TCP window scaling support.
- Full support for CIDR addresses.
- Early checksum verification return on invalid packets.
- The configuration language has been made much more flexible.
- Large rulesets now load much more quickly.
- spamd, a spam deferral daemon, can be used to tie up resources on a spammer's machine. spamd uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or DIPS.
- OpenBSD 3.3 includes the hppa port for HP PA-RISC machines. This should be considered a work in progress; users are advised to install the most recent snapshot instead of the formal 3.3 hppa release.
- The 3.3 CD-ROMs ship with many pre-built packages for the common architectures. The FTP site contains hundreds more packages (for the important architectures) which we could not fit onto the CD-ROMs (or which had prohibitive licenses).
- XFree86 4.2.1 (+ patches).
- gcc 2.95.3 (+ patches and ProPolice).
- Sendmail 8.12.9.
- Apache 1.3.27 and mod_ssl 2.8.12, DSO support (+ patches).
- OpenSSL 0.9.7beta3 (+ patches).
- Stable version of KAME IPv6.
- OpenSSH 3.6 (now 100% compliant with the secsh drafts).
- Bind 9.2.2 (+ patches).
- Perl 5.8.0
- Sudo 1.6.7.
- Latest ISC cron (+ patches and atrun integration).
- Improved vlan(4) robustness.
- FreeBSD emulation now recognizes newer FreeBSD ELF binaries.
- Significant improvements to the pthread library.
- Many, many man page improvements.
http://www.OpenBSD.org/plus33.htmlEven though the list is a summary of the most important changes made to OpenBSD, it still is a very very long list.
(Comments are closed)
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Try before you buy. But be sure to buy the CDs.
Thanks guys. You have done it again.
By Kolchak () kolchak at wdg dot com dot au on mailto:kolchak at wdg dot com dot au
Comments
By Anonymous Coward () on
marco
By deekayen () on http://openbsddiary.org
By Anonymous Coward () on
I want to play with the new release but don't want to add to the slashdotting of the mirrors.
Comments
By Anonymous Coward () on
M
By Anonymous Coward () on
Comments
By Clay Dowling () clay@lazarusid.com on http://www.lazarusid.com
Comments
By Martijn () martijn@bunix.org on http://martijn.bunix.org
By Ben () on
By Anonymous Coward () on
By cc () maxentropic at hotmail dot com on mailto:maxentropic at hotmail dot com
If you have any kind of Linux experience, you can swing it. While I still run Slackware (funny you should mention that) on my laptop, I find OpenBSD's differences enlightening and very well suited to the applications I use it for.
cc
By revdiablo () revdiablo@wd39.com on mailto:revdiablo@wd39.com
By Artur () on
Good Luck!
By Jason () on
Comments
By ac () on
Like the even ones....
:-)
By Darren () on
By brian () on
By Anonymous Coward () on
By Lazy Coward () on
I wonder how easy an "upgrade" install from a seriously customized 3.1 box will go...
Most of of the core stuff is standard, or standard via ports/packages, but I do have a custom Apache. The trick will be recalling all my customized bits and remembering to move them out of the way, at least so that can serve as references.
Might be a good time to finally upgrade the hardware, as well.
Comments
By rabbit () rabbit@ulyssis.org on http://ace.ulyssis.org/rabbit
Comments
By Matt () on
I find it very useful to build these scripts on a test box and make sure i understand whats going on before i then run the script on my firewall and production systems.
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Anonymous Coward () on
However, I still want linux and windows, and refuse to use something like vmware.
I plan on making a 500mb partition at the start for openbsd(has to be i think, because of stupid 8gb limit), then a 2gb linux partition and then win2k.
Can anyone forsee any problems with this plan?
P.S. something I did not understand..maybe I should look more deeply into documentation, but coming from linux background, I am a tad confused looking at disklabel install part(I looked at some other docs on installing openbsd), it seems to use drive letters from alphabet, same as windows?
Is ths not more windows than unix like?
Maybe I am very wrong..but it seemed to have c: drive etc
Many thanks in advance, and sorry for bad english.
Comments
By rabbit () rabbit@ulyssis.org on http://ace.ulyssis.org/rabbit
To give you an idea: my main workstation uses about 2gb of disk (without user data), and has quite some applications installed.
About the disklabel part: The FAQ does a pretty good job explaining how it works. And no, the letters aren't the same as windows drive letters. ;-)
And no, OpenBSD is definately not more windows-like that unix-like. On the contrary; imho OpenBSD catches more of the real UNIX-way than linux does...
By Ross () on
You'll have to use lilo or grub as your bootloader, because to my knowledge linux can't boot from something like OSBS. Check out the INSTALL.Linux document for more about dual booting between linux and openbsd. You can find it in the /pub/OpenBSD/3.3/i386 directory on one of the anonymous FTP sites.
By Martin () tb.303@gmx.de on mailto:tb.303@gmx.de
xfonts33.tgz
xserv33.tgz and
xshare33.tgz
Anyone else having the same problem?
By Rob () on
Comments
By Zokleet () zokleet@altern.org on mailto:zokleet@altern.org
Comments
By Anonymous Coward () on
Comments
By Rob () on
By tedu () on
Comments
By Rob () on