OpenBSD Journal

tis' finally arrived

Contributed by jose on from the w00t dept.

Josh writes: "3.3 is released. Buy a cd/shirt/poster.

I said buy a cd/shirt/poster! What the @#$* are you waiting for???? When i was your age, we bought 5 of every item, and then we had to walk through 4 feet of snow 6 miles, just to get to school. You lazy gen-x'er!" Read on for the full announcement from Todd Miller for 3.3's release.

May 1, 2003.

We are pleased to announce the official release of OpenBSD 3.3. This is our 13th release on CD-ROM (and 14th via FTP). We remain proud of OpenBSD's record of seven years with only a single remote hole in the default install. As in our previous releases, 3.3 provides significant improvements, including new features, in nearly all areas of the system:

  • Ever-improving security (
    • Integration of the ProPolice stack protection technology, by Hiroaki Etoh, into the system compiler. This protection is enabled by default. With this change, function prologues are modified to rearrange the stack: a random canary is placed before the return address, and buffer variables are moved closer to the canary so that regular variables are below, and harder to smash. The function epilogue then checks if the canary is still intact. If it is not, the process is terminated. This change makes it very hard for an attacker to modify the return address used when returning from a function.
    • W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU (sparc, sparc64, alpha, hppa). This is a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs can not be executable at the same time and vice versa. This raises the bar on potential buffer overflows and other attacks: as a result, an attacker is unable to write code anywhere in memory where it can be executed. (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current already supports it on i386, and both these processors are expected to support this change in 3.4.)
    • Further reduction of the number of setuid and setgid binaries and more use of chroot(2) throughout the system. While some programs are still setuid or setgid, most allocate a resource and then quickly revoke privilege.
    • The X window server and xconsole now use privilege separation, for better security. Also, xterm has been modified to do privilege revocation. xdm runs as a special user and group, to further constrain what might go wrong.
    • RSA blinding is now on by default in OpenSSL.
    • Many occurrences of strcpy(), strcat() and sprintf() have been changed to strlcpy(), strlcat(), and snprintf() or asprintf().
    • A process will now have the P_SUGIDEXEC flag set if any of the real, effective, or saved uid/gid are mismatched. Previously only the real and effective uid/gid were checked.
    • ptrace(2) is now disabled for processes with the P_SUGIDEXEC flag set.
  • Improved hardware support (
    • The xl(4), sis(4) and vr(4) ethernet drivers are more robust.
    • The ahc(4) and bktr(4) drivers now work on macppc.
    • Vlan tagging now works properly in the ti(4) driver.
    • The cac(4) driver is now more stable.
    • Media handling has been improved in the hme(4) driver.
    • Bugs have been fixed in the gem(4) driver to make it more stable on the sparc64 platform.
    • Several fixes for the ami(4) driver.
    • New LZS compression support for the hifn(4) driver.
    • Support for new IDE controllers from Promise, VIA, NVIDIA and ServerWorks.
    • siop(4) driver improvements.
    • The sparc64 platform is now supported on several more models and is much more stable.
  • Major improvements in the pf packet filter, including:
    • pf now supports altq-style queueing via the new "queue" directive. Packets are assigned to queues based on filter rules. This allows for very flexible queue settings, including quality of service bandwidth shaping.
    • New support for "anchors," which allows the use of sub-rulesets which can be loaded and modified independently.
    • A new "table" facility provides a mechanism for increasing the performance and flexibility of rules with large numbers of source or destination addresses.
    • Address pools, redirect/NAT to multiple addresses and thus load balancing.
    • The scrub option 'no-df' has been changed to better handle fragments with DF set, such as those sent by Linux NFS.
    • There is a new 'random-id' option for the scrub rules. This randomizes outbound IP IDs and helps defeat NAT detection.
    • TCP state inspection is now RFC 763 compliant; we now send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
    • TCP window scaling support.
    • Full support for CIDR addresses.
    • Early checksum verification return on invalid packets.
    • The configuration language has been made much more flexible.
    • Large rulesets now load much more quickly.
  • New subsystems included with 3.3
    • spamd, a spam deferral daemon, can be used to tie up resources on a spammer's machine. spamd uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or DIPS.
    • OpenBSD 3.3 includes the hppa port for HP PA-RISC machines. This should be considered a work in progress; users are advised to install the most recent snapshot instead of the formal 3.3 hppa release.
  • Many other bugs fixed
  • The "ports" tree is greatly improved (
    • The 3.3 CD-ROMs ship with many pre-built packages for the common architectures. The FTP site contains hundreds more packages (for the important architectures) which we could not fit onto the CD-ROMs (or which had prohibitive licenses).
  • Many subsystems improved and updated since the last release:
    • XFree86 4.2.1 (+ patches).
    • gcc 2.95.3 (+ patches and ProPolice).
    • Sendmail 8.12.9.
    • Apache 1.3.27 and mod_ssl 2.8.12, DSO support (+ patches).
    • OpenSSL 0.9.7beta3 (+ patches).
    • Stable version of KAME IPv6.
    • OpenSSH 3.6 (now 100% compliant with the secsh drafts).
    • Bind 9.2.2 (+ patches).
    • Perl 5.8.0
    • Sudo 1.6.7.
    • Latest ISC cron (+ patches and atrun integration).
    • Improved vlan(4) robustness.
    • FreeBSD emulation now recognizes newer FreeBSD ELF binaries.
    • Significant improvements to the pthread library.
    • Many, many man page improvements.
If you'd like to see a list of what has changed between OpenBSD 3.2 and 3.3, look at
Even though the list is a summary of the most important changes made to OpenBSD, it still is a very very long list.

(Comments are closed)

  1. By Anonymous Coward () on


    1. By Anonymous Coward () on

      Just downloaded 3.3. Installed it and started playing around. Besides the usual great work on security, PF is great !!! I tried a few games, falconseye looks really cool. So what if its not $40 master blaster , its on OpenBSD.
      Try before you buy. But be sure to buy the CDs.
      Thanks guys. You have done it again.

  2. By Kolchak () kolchak at wdg dot com dot au on mailto:kolchak at wdg dot com dot au

    Gimme gimme gimme ;) Got a 3.0 firewall, a mail server and some nameservers that are definiately being up'd tonite! Bring on the cola!!!

    1. By Anonymous Coward () on

      i know you mean they'll be upgraded in a day or two when your CDs show up, right? =)


  3. By deekayen () on

    I ordered a CD set the first day the order form went up, but I still dont't have my CDs. Maybe tomorrow.

  4. By Anonymous Coward () on

    Do cd's ship today or did they ship last week to arrive today? I remember reading somewhere that they often arrive about 2 weeks after the release date, but am not positive.

    I want to play with the new release but don't want to add to the slashdotting of the mirrors.

    1. By Anonymous Coward () on

      I ordered my 3.3 CD's a while ago, and my credit card got charged on tuesday. If they charge the card when they ship, then the CD's were shipping on tuesday (4/29/03). (shipping from Canada to California)


  5. By Anonymous Coward () on

    I'm changing my gateway box from slackware to OpenBSD. People say it will be worth it.

    1. By Clay Dowling () on

      You should be in for a pleasant suprise. If your UNIX skills are up to snuff & you can read a man page, you'll find no system easier to install and maintain.

      1. By Martijn () on

        I can totally agree on this. I have had an Debian GNU/Linux router for 1.5 years, but switched to OpenBSD a few months ago. I think I will never switch back to Debian!

    2. By Ben () on

      I couldn't believe how much more straight forward OpenBSD was to install and configure when I switched over to it from Linux a few years ago ... 2.5 days IIRC. I got a lot of mileage from the FAQ and the man pages. You can figure out how to do most everything from just those two resources alone.

    3. By Anonymous Coward () on

      people lie.

    4. By cc () maxentropic at hotmail dot com on mailto:maxentropic at hotmail dot com

      It took me all of 20 minutes to go from 3.2 to a 3.3-current snapshot on my home firewall (I did order a CD, though). It is truly the easiest OS for a specific-function box I've ever installed -- well, maybe a little harder than DOS :)

      If you have any kind of Linux experience, you can swing it. While I still run Slackware (funny you should mention that) on my laptop, I find OpenBSD's differences enlightening and very well suited to the applications I use it for.


    5. By revdiablo () on

      Others have mentioned, but I thought it was worth reiterating, that the OpenBSD FAQ and man pages are excellent. I've been using OBSD for a firewall/nat box for several years now, and I've never had a problem that wasn't resolved by reading the appropriate man page, or resorting to the FAQ as a last resort. OBSD's documentation is simply excellent, especially compared to that of a standard linux distro.

    6. By Artur () on

      The diference beetwin(help, is that right?), Slack and OpenBSD is very small (comparing with Red Hat or SuSE). I make the oposite move and today I love both: Slack and OpenBSD.
      Good Luck!

  6. By Jason () on

    Lots of cool new features, but 3.2 is working just fine for my home NAT. Besides, I only upgrade home machines during the xmas holidays. ;-)

    1. By ac () on

      Same with me. Waiting for 3.4.
      Like the even ones....


  7. By Darren () on

    I've ordered my OpenBSD 3.3 CD's from Belgium, guess i'll have to wait a few days ...

  8. By brian () on

    Is anyone else having trouble with converting bind from v4 to v9? The documentation says there should be a script for converting the named.boot, etc. But I'm basically finding this portion of the upgrade woefully inadequate. Any suggestions?

  9. By Anonymous Coward () on

    I just ordered the cd's the other day, but i did a net install this morning, other than my pf rules had to be changed, its a kick ass realease :)

  10. By Lazy Coward () on

    I wonder how easy an "upgrade" install from a seriously customized 3.1 box will go...

    Most of of the core stuff is standard, or standard via ports/packages, but I do have a custom Apache. The trick will be recalling all my customized bits and remembering to move them out of the way, at least so that can serve as references.

    Might be a good time to finally upgrade the hardware, as well.

    1. By rabbit () on

      If you tend to do a lot of customizations to your boxes, it might be a good idea to keep some kind of 'changelog' on each of them, describing all the changes you made.

      1. By Matt () on

        I've just started doing this. I've made little bitty scripts that configure and enable dhcpd with the settings I like, auto install of djbdns, things like that.

        I find it very useful to build these scripts on a test box and make sure i understand whats going on before i then run the script on my firewall and production systems.

    2. By Anonymous Coward () on

      Maybe it's time to learn CVS?

      1. By Anonymous Coward () on

        An exactly how will this help?

  11. By Anonymous Coward () on

    I am interested in trying OpenBSD...

    However, I still want linux and windows, and refuse to use something like vmware.

    I plan on making a 500mb partition at the start for openbsd(has to be i think, because of stupid 8gb limit), then a 2gb linux partition and then win2k.

    Can anyone forsee any problems with this plan?

    P.S. something I did not understand..maybe I should look more deeply into documentation, but coming from linux background, I am a tad confused looking at disklabel install part(I looked at some other docs on installing openbsd), it seems to use drive letters from alphabet, same as windows?

    Is ths not more windows than unix like?

    Maybe I am very wrong..but it seemed to have c: drive etc

    Many thanks in advance, and sorry for bad english.

    1. By rabbit () on

      The partitioning scheme you suggest will work; youcould even make the OpenBSD and Linux partitions a bit bigger too, but that's up to you. Though you can get a fully functional OpenBSD system in 500mb, you may want to get some more space to be able to comfortably install some extra programs.
      To give you an idea: my main workstation uses about 2gb of disk (without user data), and has quite some applications installed.

      About the disklabel part: The FAQ does a pretty good job explaining how it works. And no, the letters aren't the same as windows drive letters. ;-)

      And no, OpenBSD is definately not more windows-like that unix-like. On the contrary; imho OpenBSD catches more of the real UNIX-way than linux does...

    2. By Ross () on

      I don't think you will have any problems. When I first tried OpenBSD, I wasn't willing to give any of my old OS's up either, so I had a tribooting system with Win98, RedHat and OpenBSD. Everything worked just fine.

      You'll have to use lilo or grub as your bootloader, because to my knowledge linux can't boot from something like OSBS. Check out the INSTALL.Linux document for more about dual booting between linux and openbsd. You can find it in the /pub/OpenBSD/3.3/i386 directory on one of the anonymous FTP sites.

  12. By Martin () on

    I am experiencing download problems of those files:
    xserv33.tgz and
    Anyone else having the same problem?

  13. By Rob () on

    I noticed there is a cd33.iso file on the ftp site instead of a bootable CD in the set. Does anyone have details on how to combine it with the .tgz and other files from the ftp site onto a single CD to make CD installs viable again?

    1. By Zokleet () on

      I think they really would prefer you to buy one... That's why they only provide this :o) Then on, I must admit my answer may sound stoopid, and maybe I didnt get it at all :o)

      1. By Anonymous Coward () on

        alpha isnt on the cd set anymore, thats why he is asking.

        1. By Rob () on

          Yep, that's exactly why. FWIW, I pre-ordered the CD set a couple of weeks ago anyway, even though I won't end up using it.

    2. By tedu () on

      look in src/distrib/alpha/cdfs. that's the makefile to build just the mini-iso. you can either add the tgz files to the objdir, or cut and paste the mkhybird commands to create your own cd.

      1. By Rob () on

        Sweet! Thanks, I'll give it a go.

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]