OpenBSD Journal
Contributed by rueda on from the cheap, fast, reliable: pick any tw^H^H - oh, crap! dept.
There have been more developments in the continuing work mitigating against (Intel®, and potentially other) CPU vulnerabilities…
Philip Guenther (guenther@) committed the following:
Contributed by rueda on from the ldapd-gets-a-friend dept.
Reyk Floeter (reyk@) has committed a simple LDAP client to -current:
CVSROOT: /cvs
Module name: src
Changes by: reyk@cvs.openbsd.org 2018/06/13 09:45:58
Log message:
Import ldap(1), a simple ldap search client.
Contributed by rueda on from the speculation-no-more dept.
Earlier this month, Philip Guenther (guenther@) committed (to amd64 -current) a change from lazy to semi-eager FPU switching to mitigate against rumored FPU state leakage in Intel® CPUs.
Theo de Raadt (deraadt@) discussed this in his BSDCan 2018 session.
Using information disclosed in Theo's talk, Colin Percival developed a proof-of-concept exploit in around 5 hours. This seems to have prompted an early end to an embargo (in which OpenBSD was not involved), and the official announcement of the vulnerability.
Contributed by rueda on from the all-present-and-correct dept.
BSDCan 2018 has concluded, and materials for (some of) the OpenBSD-related tutorials and talks can be found in the usual place.
Highlights include
the unveiling of unveil(),
hinted at by Bob Beck (beck@) in his
p2k18 report,
and
"Speculating about Intel", by Theo de Raadt (deraadt@). [An unofficial video of the latter presentation is
available.]
At the time of writing, official video recordings are not yet available.
Contributed by rueda on from the d(e)ropping-the-gadgets dept.
Todd Mortimer (mortimer@) has committed "RETGUARD" for clang (for amd64).
This is a new anti-ROP security mechanism, which uses random per-function cookies to protect return addresses on the stack.
Contributed by rueda on from the continuing-sane-innovation dept.
Joel Sing (jsing@) has committed Crypto Simplified Interface (CSI) to -current:
CVSROOT: /cvs Module name: src Changes by: jsing@cvs.openbsd.org 2018/06/02 11:40:33 Added files: lib/libcsi : Makefile Symbols.list csi.c csi.h csi_dh.c csi_dh_groups.c csi_internal.h csi_util.c shlib_version Log message: Initial version of Crypto Simplified Interface (CSI). This is a code base that intends on providing a simplified interface for mid-level cryptographic operations. In due course various applications and libraries will be able to benefit from a clean and robust API, rather than using libcrypto or other similar APIs directly. Discussed at length with deraadt@, djm@, markus@, beck@ and others.
This parallels the addition of libtls.
Contributed by rueda on from the match from gilles@ new grammar action "report" dept.
Gilles Chehade (gilles@) has committed (to -current) the new smtpd.conf grammar discussed in his p2k18 hackathon report.
Contributed by Paul 'WEiRD' de Weerd on from the gnomes-and-hobbits dept.
Next up in the stream of p2k18 reports is one from Antoine Jacoutot (ajacoutot@):
Because there was yet another national railroad strike, I decided not to take any chance and arrived on the eve of the hackathon. I figured it would be a good excuse for a pajama party at gilles@'s. It turned out to be a great achievement… thank you mead :-)
Contributed by Peter N. M. Hansteen on from the Puffy, pass the wifi semaphores dept.
I joined the hackathon with plenty on my todo list and to my surprise managed to finish or at least narrow down a plan for most items.
Donate to OpenBSD
We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.
OpenBSD 6.3
| 010 | 2018-06-17 SECURITY Intel CPUs speculatively access FPU registers even when the FPU is disabled, so data (including AES keys) from previous contexts could be discovered if using the lazy-save approach. |
| 009 | 2018-06-14 SECURITY DSA and ECDSA signature generation can potentially leak secret information to a timing side-channel attack. |
| 008 | 2018-05-17 RELIABILITY A malicious packet can cause a kernel crash when using IPsec over IPv6. |
| 007 | 2018-05-08 RELIABILITY Incorrect checks in libcrypto can prevent Diffie-Hellman Exchange operations from working. |
| 006 | 2018-05-08 RELIABILITY Incorrect handling of fragmented IPsec packets could result in a system crash. |
| 005 | 2018-04-21 RELIABILITY httpd can leak file descriptors when servicing range requests. |
Users wishing RSS/RDF summary files of OpenBSD Journal
can retrieve:
Options are available.
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]