Contributed by jose on from the w00t dept.
I said buy a cd/shirt/poster! What the @#$* are you waiting for???? When i was your age, we bought 5 of every item, and then we had to walk through 4 feet of snow 6 miles, just to get to school. You lazy gen-x'er!" Read on for the full announcement from Todd Miller for 3.3's release.
May 1, 2003.
We are pleased to announce the official release of OpenBSD 3.3. This is our 13th release on CD-ROM (and 14th via FTP). We remain proud of OpenBSD's record of seven years with only a single remote hole in the default install. As in our previous releases, 3.3 provides significant improvements, including new features, in nearly all areas of the system:
Ever-improving security (http://www.OpenBSD.org/security.html)
- Integration of the ProPolice stack protection technology, by Hiroaki Etoh, into the system compiler. This protection is enabled by default. With this change, function prologues are modified to rearrange the stack: a random canary is placed before the return address, and buffer variables are moved closer to the canary so that regular variables are below, and harder to smash. The function epilogue then checks if the canary is still intact. If it is not, the process is terminated. This change makes it very hard for an attacker to modify the return address used when returning from a function.
- W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU (sparc, sparc64, alpha, hppa). This is a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs can not be executable at the same time and vice versa. This raises the bar on potential buffer overflows and other attacks: as a result, an attacker is unable to write code anywhere in memory where it can be executed. (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current already supports it on i386, and both these processors are expected to support this change in 3.4.)
- Further reduction of the number of setuid and setgid binaries and more use of chroot(2) throughout the system. While some programs are still setuid or setgid, most allocate a resource and then quickly revoke privilege.
- The X window server and xconsole now use privilege separation, for better security. Also, xterm has been modified to do privilege revocation. xdm runs as a special user and group, to further constrain what might go wrong.
- RSA blinding is now on by default in OpenSSL.
- Many occurrences of strcpy(), strcat() and sprintf() have been changed to strlcpy(), strlcat(), and snprintf() or asprintf().
- A process will now have the P_SUGIDEXEC flag set if any of the real, effective, or saved uid/gid are mismatched. Previously only the real and effective uid/gid were checked.
- ptrace(2) is now disabled for processes with the P_SUGIDEXEC flag set.
- The xl(4), sis(4) and vr(4) ethernet drivers are more robust.
- The ahc(4) and bktr(4) drivers now work on macppc.
- Vlan tagging now works properly in the ti(4) driver.
- The cac(4) driver is now more stable.
- Media handling has been improved in the hme(4) driver.
- Bugs have been fixed in the gem(4) driver to make it more stable on the sparc64 platform.
- Several fixes for the ami(4) driver.
- New LZS compression support for the hifn(4) driver.
- Support for new IDE controllers from Promise, VIA, NVIDIA and ServerWorks.
- siop(4) driver improvements.
- The sparc64 platform is now supported on several more models and is much more stable.
- pf now supports altq-style queueing via the new "queue" directive. Packets are assigned to queues based on filter rules. This allows for very flexible queue settings, including quality of service bandwidth shaping.
- New support for "anchors," which allows the use of sub-rulesets which can be loaded and modified independently.
- A new "table" facility provides a mechanism for increasing the performance and flexibility of rules with large numbers of source or destination addresses.
- Address pools, redirect/NAT to multiple addresses and thus load balancing.
- The scrub option 'no-df' has been changed to better handle fragments with DF set, such as those sent by Linux NFS.
- There is a new 'random-id' option for the scrub rules. This randomizes outbound IP IDs and helps defeat NAT detection.
- TCP state inspection is now RFC 763 compliant; we now send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
- TCP window scaling support.
- Full support for CIDR addresses.
- Early checksum verification return on invalid packets.
- The configuration language has been made much more flexible.
- Large rulesets now load much more quickly.
- spamd, a spam deferral daemon, can be used to tie up resources on a spammer's machine. spamd uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or DIPS.
- OpenBSD 3.3 includes the hppa port for HP PA-RISC machines. This should be considered a work in progress; users are advised to install the most recent snapshot instead of the formal 3.3 hppa release.
- The 3.3 CD-ROMs ship with many pre-built packages for the common architectures. The FTP site contains hundreds more packages (for the important architectures) which we could not fit onto the CD-ROMs (or which had prohibitive licenses).
- XFree86 4.2.1 (+ patches).
- gcc 2.95.3 (+ patches and ProPolice).
- Sendmail 8.12.9.
- Apache 1.3.27 and mod_ssl 2.8.12, DSO support (+ patches).
- OpenSSL 0.9.7beta3 (+ patches).
- Stable version of KAME IPv6.
- OpenSSH 3.6 (now 100% compliant with the secsh drafts).
- Bind 9.2.2 (+ patches).
- Perl 5.8.0
- Sudo 1.6.7.
- Latest ISC cron (+ patches and atrun integration).
- Improved vlan(4) robustness.
- FreeBSD emulation now recognizes newer FreeBSD ELF binaries.
- Significant improvements to the pthread library.
- Many, many man page improvements.
(Comments are closed)