OpenSSH 9.7/9.7p1 released!
The complete release notes may be found here: https://www.openssh.com/releasenotes.html#9.7p1
Version 0.97 of Game of Trees has been released (and the port updated).
* got 0.97; 2024-03-11
see git repository history for per-change authorship information
- improve error messages shown upon execv failure
- fix 'gotadmin pack' crash upon Ctrl-C due to invalid imsg_free()
- significantly speed up deltification of large files
- improve error handling in got_privsep_recv_imsg()
Just in time for the release of OpenBSD 7.5!
The LibreSSL project has announced the release of version 3.8.3, and (development) version 3.9.0 of the software.
The announcement for version 3.8.3 reads:
We have released LibreSSL 3.8.3, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the second stable release for the 3.8.x branch. It includes the following changes from LibreSSL 3.8.2:
* Portable changes
- Removed assert pop-ups with Windows debug builds.
- Fixed crashes and hangs in Windows ARM64 builds.
- Improved control-flow enforcement (CET) support.
The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.
The release announcement reads,
Subject: OpenBGPD 8.4 released
From: Claudio Jeker <claudio () openbsd ! org>
Date: 2024-03-07 13:12:51
We have released OpenBGPD 8.4, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.
In what can only be called a great stride forward in routing security, Sebastian Benoit (benno@) announced the availability of rpki-client version 9.0.
The announcement reads,
Subject: rpki-client 9.0 released
From: Sebastian Benoit <benno () openbsd ! org>
Date: 2024-03-03 17:24:06
rpki-client 9.0 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users update to this version for improved reliability.
rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.
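The announcement mentions that rpki-client emits validated ROA payloads for OpenBGPD, BIRD and other routing stacks. What a router then does with them is Route Origin Validation (RFC 6811). The following is an added example, not code from the rpki-client project: it parses a small ROA table (the CSV column layout, the prefixes, the AS numbers and the trust anchor name are all constructed for the example) and classifies BGP announcements as valid, invalid or notfound, including the AS0 case that forces a covered prefix to invalid.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of ROA payloads.

Added example, not part of rpki-client, OpenBGPD or BIRD. It consumes records of
the kind rpki-client emits (origin ASN, prefix, max length) and classifies a BGP
announcement the way a router policy would. Everything in SAMPLE_CSV is made up.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    asn: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int


def parse_roa_csv(text: str) -> list[Roa]:
    """Parse rows with 'ASN', 'IP Prefix' and 'Max Length' columns (assumed layout;
    a header line comes first and extra columns are ignored)."""
    roas = []
    for row in csv.DictReader(io.StringIO(text)):
        asn_field = row["ASN"].strip()
        asn = int(asn_field[2:] if asn_field.upper().startswith("AS") else asn_field)
        prefix = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        maxlen = int(row["Max Length"])
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"bad maxLength {maxlen} for {prefix}")
        roas.append(Roa(asn, prefix, maxlen))
    return roas


def validate_origin(roas: list[Roa], prefix: str, origin_as: int) -> str:
    """RFC 6811 outcome for one announcement:
    notfound - no ROA covers the announced prefix;
    valid    - a covering ROA names this origin AS and its maxLength admits the length;
    invalid  - covered, but no ROA matches (wrong AS, too-long prefix, or an AS0 ROA)."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        # AS0 is reserved and never a real origin, so an AS0 ROA only ever produces "invalid".
        if r.asn == origin_as and origin_as != 0 and route.prefixlen <= r.maxlen:
            return "valid"
    return "invalid"


# Constructed table in the column layout assumed above (not real RPKI data).
SAMPLE_CSV = """ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64500,192.0.2.0/24,24,example-ta,1700000000
AS64500,2001:db8::/32,48,example-ta,1700000000
AS64501,198.51.100.0/22,24,example-ta,1700000000
AS0,203.0.113.0/24,24,example-ta,1700000000
"""

if __name__ == "__main__":
    table = parse_roa_csv(SAMPLE_CSV)
    for announced, origin in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                              ("198.51.100.0/23", 64501), ("203.0.113.0/24", 64500),
                              ("10.0.0.0/8", 64500)]:
        print(f"{announced:20} AS{origin}: {validate_origin(table, announced, origin)}")
```

Note the maxLength semantics: a ROA for 198.51.100.0/22 with maxLength 24 authorises the /22, /23 and /24 announcements from that AS, but a /25 from the same AS is invalid, not notfound, because the ROA still covers it.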
A clear sign that the OpenBSD 7.5 release cycle is entering the final phases just emerged.
In this commit, Theo de Raadt (deraadt@) changed the version string to 7.5:
From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date: 2024-02-29 17:05:10
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/02/29 10:05:10
Modified files:
sys/conf : newvers.sh
Log message:
move from 7.5-beta to 7.5
In this commit, Denis Fondras (denis@) added code to allow IPv6 over PPP. The message reads,
Subject: CVS: cvs.openbsd.org: src
From: Denis Fondras <denis () cvs ! openbsd ! org>
Date: 2024-02-28 16:08:34
CVSROOT: /cvs
Module name: src
Changes by: denis@cvs.openbsd.org 2024/02/28 09:08:34
Modified files:
share/man/man4 : ppp.4
sys/net : if_ppp.c if_pppvar.h
Log message:
Enable IPv6 AF for ppp(4)
OK claudio@
With this one commit, the brave new world of IPv6 opens up to a whole chunk of traditional-style Internet users.
Hot on the heels of qwx(4) [see earlier report], and soon after going -beta, -current has gained another new wi-fi driver - mwx(4). Claudio Jeker (claudio@) committed the import:
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2024/02/21 03:48:10
Modified files:
sys/dev/pci : files.pci
Added files:
sys/dev/pci : if_mwx.c if_mwxreg.h
Log message:
Import mwx(4) a driver for Mediatek MT7921 and MT7922 802.11ax devices
This is work in progress. Scan works, RX of packets is more or less there but TX does not work yet. The packets are passed to the chip but get stuck or ignored there. It is easy to hang the device or the system since device reset is not quite right (like many other bits). Also this is only for MT7921 right now since I have no access to a MT7922 device.
Lots of pushing from deraadt@ to commit this now.
So, WIP and MT7921-only [at this stage], but very promising.
If you run recent OpenBSD on certain amd64 or aarch64 platforms, indirect branching to an "unexpected" location will crash your program, in order to prevent ROP attacks and similar ways to have your program execute code where it shouldn't.
The OpenBSD compiler will insert an extra instruction in all the places where a branch is supposed to land, and if it lands anywhere else, a CPU fault is raised and your program gets an "Illegal Instruction".
Previously, crashes of this kind looked more or less like any other fault where code executes random data or from a random location. Since the kernel knows when this has happened, it can now state explicitly that the fault is due to a missing branch target instruction, which will help a lot when debugging.
Link to the commit here.
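Because the compiler places a landing instruction wherever an indirect branch is allowed to arrive, a quick way to see whether a binary was built for this protection is to look at its function entry points. The following is an added example, not code from the OpenBSD commit or toolchain: it parses `objdump -d` text and flags functions whose first instruction is not a landing pad. The instruction names (`endbr64` for Intel IBT on amd64; `bti c`, `bti jc` and `paciasp`, which also acts as a landing pad, for ARM BTI on arm64), the tab-separated line layout, and both disassembly snippets are assumptions or constructed for the example.

```python
"""Check that function entry points carry an indirect-branch landing instruction.

Added example, not part of the OpenBSD commit discussed above. It reads text of
the form `objdump -d` prints and reports, per function label, whether the entry
instruction is a landing pad. The line layout and the samples are constructed.
"""
from __future__ import annotations

import re

# "0000000000001139 <helper>:" opens a function's disassembly
SYMBOL_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# "    1139:<tab>f3 0f 1e fa  <tab>endbr64"  or  "     714:<tab>d503245f <tab>bti<tab>c"
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\t[0-9a-f ]+\t(\S+)(?:\s+(.*))?$")


def is_landing_pad(arch: str, mnemonic: str, operands: str | None) -> bool:
    """Assumed landing-pad instructions per architecture (see lead-in)."""
    if arch == "amd64":
        return mnemonic == "endbr64"
    if arch == "arm64":
        return mnemonic == "paciasp" or (mnemonic == "bti" and operands in ("c", "jc"))
    raise ValueError(f"unsupported arch: {arch}")


def check_landing_pads(disasm: str, arch: str) -> dict[str, bool]:
    """Map each function symbol to whether its first instruction is a landing pad."""
    result: dict[str, bool] = {}
    current = None
    for line in disasm.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = INSN_RE.match(line)
        if m:
            operands = m.group(2).strip() if m.group(2) else None
            result[current] = is_landing_pad(arch, m.group(1), operands)
            current = None  # only the entry instruction of each function matters
    return result


def missing_landing_pads(disasm: str, arch: str) -> list[str]:
    """Functions an indirect call or jump could not legally land on."""
    return sorted(sym for sym, ok in check_landing_pads(disasm, arch).items() if not ok)


# Constructed snippets in objdump's layout; "legacy_cb" and "old_handler" lack a pad.
AMD64_SAMPLE = """
0000000000001139 <helper>:
    1139:\tf3 0f 1e fa          \tendbr64
    113d:\t55                   \tpush   %rbp

0000000000001150 <legacy_cb>:
    1150:\t55                   \tpush   %rbp
    1151:\t48 89 e5             \tmov    %rsp,%rbp
"""

ARM64_SAMPLE = """
0000000000000714 <handler>:
     714:\td503245f \tbti\tc
     718:\ta9bf7bfd \tstp\tx29, x30, [sp, #-16]!

0000000000000740 <old_handler>:
     740:\ta9bf7bfd \tstp\tx29, x30, [sp, #-16]!
"""

if __name__ == "__main__":
    print("amd64 missing:", missing_landing_pads(AMD64_SAMPLE, "amd64"))
    print("arm64 missing:", missing_landing_pads(ARM64_SAMPLE, "arm64"))
```

To use it on a real object, feed it the output of `objdump -d` for the binary and the matching architecture name. A function without a pad is not necessarily a bug (the compiler omits pads for functions whose address is never taken), but any such function that is reached through a function pointer is exactly the case that now produces the explicit "Illegal Instruction" described above.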
It's that time of the year again. With this commit, Theo de Raadt (deraadt@) changed the version string for the OpenBSD development branch (i.e. -current) to 7.5-beta:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/02/17 09:13:24
Modified files:
sys/sys : param.h
etc/root : root.mail
sys/conf : newvers.sh
sys/arch/macppc/stand/tbxidata: bsd.tbxi
share/mk : sys.mk
usr.bin/signify: signify.1
Log message:
move to 7.5-beta
With the upcoming release expected to appear in May, testing is particularly welcome.
7.5-beta snapshots are already appearing on the mirrors.
Stefan Sperling (stsp@) tooted regarding the addition of qwx(4) to -current:
The next set of #OpenBSD amd64/arm64 snapshots will start shipping the qwx driver for #ath11k QCNFA765 wifi devices.
My part-time effort on this driver started about a year ago, with much help from mpi@, @bluerise, kettenis@, and claudio@
https://marc.info/?l=openbsd-cvs&m=170801475321249&w=2
Edit: And I should mention that the OpenBSD Foundation supports this effort. Thanks to everyone who donated!
The QCNFA765 is found in some laptops.
The driver currently supports only 11a/b/g modes.
Thanks to Stefan, his helpers, and The OpenBSD Foundation!
Sebastian Benoit (benno@) announced the release of version 8.9 of rpki-client.
Updating is recommended for "improved reliability".
Support for soft updates (softdep), disabled since before the 7.4 release [see earlier report], has been removed from -current by Bob Beck (beck@):
CVSROOT: /cvs
Module name: src
Changes by: beck@cvs.openbsd.org 2024/02/03 11:51:59
Modified files:
bin/ps : ps.1
sbin/dump : traverse.c
sbin/dumpfs : dumpfs.c
sbin/fsck_ffs : dir.c fsck.h main.c pass1.c pass2.c pass5.c setup.c
sbin/growfs : growfs.c
sbin/quotacheck: quotacheck.c
share/man/man5 : fs.5
sys/conf : files
sys/ddb : db_interface.h
sys/dev : softraid.c
sys/kern : kern_physio.c spec_vnops.c vfs_bio.c vfs_subr.c vfs_sync.c vfs_syscalls.c
sys/sys : buf.h mount.h proc.h vnode.h
sys/ufs/ffs : ffs_alloc.c ffs_balloc.c ffs_extern.h ffs_inode.c ffs_softdep.c ffs_softdep_stub.c ffs_vfsops.c ffs_vnops.c fs.h softdep.h
sys/ufs/ufs : inode.h ufs_extern.h ufs_inode.c ufs_lookup.c ufs_vnops.c
sys/uvm : uvm_swap.c
Log message:
Remove Softdep.
Softdep has been a no-op for some time now, this removes it to get it out of the way.
Flensing mostly done in Tallinn, with some help from krw@
ok deraadt@
In a post to tech@, Theo de Raadt (deraadt@) summarizes the multi-year effort to make certain attack vectors unavailable on OpenBSD:
Subject: pinsyscalls(2)
From: "Theo de Raadt" <deraadt () openbsd ! org>
Date: 2024-01-28 20:20:59
pinsyscalls(2) has gone into the tree without too much difficulty, and no issues are currently known. None of this could have been possible without help from a few groups of people.
Mark Kettenis (kettenis@) committed support for Kernel Mode-Setting (KMS) on Apple silicon (arm64) machines:
CVSROOT: /cvs
Module name: src
Changes by: kettenis@cvs.openbsd.org 2024/01/22 11:54:01
Modified files:
sys/arch/arm64/conf: GENERIC
sys/dev/pci/drm: files.drm
sys/dev/pci/drm/include/generated: autoconf.h
Added files:
sys/dev/pci/drm/apple: afk.c afk.h apldcp.c apldrm.c apple_drv.c dcp-internal.h dcp.c dcp.h dcp_backlight.c dptxep.c dptxep.h ibootep.c iomfb.c iomfb.h iomfb_internal.h iomfb_template.c iomfb_template.h iomfb_v12_3.c iomfb_v12_3.h iomfb_v13_3.c iomfb_v13_3.h parser.c parser.h systemep.c trace.c trace.h version_utils.h
sys/dev/pci/drm/include/linux: apple-mailbox.h args.h
sys/dev/pci/drm/include/linux/soc/apple: rtkit.h
Log message:
Add apldcp(4) and apldrm(4). Together these drivers provide KMS functionality on Apple Silicon machines. At this point the drivers provide significant power savings when the display is blanked (and during suspend) and backlight control. Some support for HDMI output is also included, but for now only when HDMI is used as the primary output. In the future this should also provide displayport support.
This is a port of the Asahi Linux drivers which can be found at https://github.com/AsahiLinux/linux/tree/asahi-wip Note that this branch gets rebased from time to time.
These drivers do *not* bring us GPU accelerated graphics. But there are reports that things run "smoother".
There are some known bugs with backlight control: the backlight level may not be restored properly after the display has been blanked, and changing the backlight quickly in succession may break the backlight control.
ok jsg@
Theo de Raadt (deraadt@) has committed (to -current) the remaining parts required to get pinsyscalls(2) working in anger.
The commits were:
This means, once again, that if you feel up to it, it is time to grab the most recent snapshot and test intensively, reporting back any problems or oddities you may encounter.
Rafael Sadowski (rsadowski@) has added a new post to his Shut up and hack series, titled Effortless OpenBSD Audio and Desktop Screen Recording Guide, where he takes the reader through the steps needed to configure an OpenBSD system for audio and video recording. The post even includes a YouTube video in which he demonstrates recording while putting the final touches on the blog post.
You can take in the blog post here: Effortless OpenBSD Audio and Desktop Screen Recording Guide.
The OpenSSH project has announced the timeline for the removal of DSA support from OpenSSH:
[…] OpenSSH plans to remove support for DSA keys in the near future. This message describes our rationale, process and proposed timeline.
Rationale
---------
DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is <=80 bits symmetric equivalent[1][2]. OpenSSH has disabled DSA keys by default since 2015 but has retained optional support for them. DSA is the only mandatory-to-implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was designed and specified.
[…]
In summary:
2024/01 - this announcement
2024/03 (estimated) - DSA compile-time optional, enabled by default
2024/06 (estimated) - DSA compile-time optional, *disabled* by default
2025/01 (estimated) - DSA is removed from OpenSSH
Please read the announcement message for full details.
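The practical follow-up to this timeline is an inventory: any DSA key still present in an authorized_keys file or known_hosts will simply stop working once support is gone. The following is an added example, not code from the OpenSSH project: it parses authorized_keys-style lines (including a leading options field with quoted spaces), decodes each base64 key blob and reads the blob's first SSH wire-format string, which is the key type, so that a DSA key is found even when the line's declared type says otherwise. The sample entries are constructed with dummy key material, not real keys.

```python
"""Find DSA ("ssh-dss") keys in authorized_keys-style input ahead of OpenSSH's removal.

Added example, not from the OpenSSH project. The sample lines are constructed
and carry dummy key material, not real keys.
"""
from __future__ import annotations

import base64
import struct
from dataclasses import dataclass

# Key-type tokens an authorized_keys line may start with when it has no options field
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass(frozen=True)
class KeyEntry:
    declared: str   # type as written on the line
    encoded: str    # type string found inside the blob
    comment: str
    options: str


def _ssh_string(data: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", data, off)
    end = off + 4 + n
    if end > len(data):
        raise ValueError("truncated SSH string")
    return data[off + 4:end], end


def blob_key_type(b64: str) -> str:
    """The key type is always the first string in a public-key blob."""
    raw = base64.b64decode(b64, validate=True)
    kind, _ = _ssh_string(raw, 0)
    return kind.decode("ascii")


def _split_options(line: str) -> tuple[str, str]:
    """Split a leading options field from the rest; options may contain quoted spaces."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        try:
            encoded = blob_key_type(parts[1])
        except (ValueError, struct.error, UnicodeDecodeError):
            encoded = "<undecodable>"
        entries.append(KeyEntry(parts[0], encoded, parts[2] if len(parts) > 2 else "", options))
    return entries


def find_dsa_keys(text: str) -> list[KeyEntry]:
    """Entries that are DSA by declared type or by the type encoded in the blob."""
    return [e for e in parse_authorized_keys(text) if "ssh-dss" in (e.declared, e.encoded)]


def _fake_blob(key_type: str) -> str:
    """Constructed blob: the type string followed by one dummy field; not a usable key."""
    body = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", 1) + b"\x02"
    return base64.b64encode(body).decode("ascii")


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} alice@example",
    f"ssh-dss {_fake_blob('ssh-dss')} legacy-host",
    f'command="/bin/ls -l",no-pty ssh-dss {_fake_blob("ssh-dss")} backup-job',
    f"ssh-rsa {_fake_blob('ssh-dss')} mislabeled",
    "ssh-rsa not-base64!! broken",
])

if __name__ == "__main__":
    for entry in find_dsa_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"DSA key: declared={entry.declared} encoded={entry.encoded} comment={entry.comment!r}")
```

The same parser works on the key column of known_hosts (drop the leading host field first). Since DSA has been disabled by default since 2015, any key this finds is either unused or relies on an explicit opt-in that the timeline above will eventually invalidate, so replacing it now is cheaper than being locked out later.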
It's a useful collection of things you could do to secure your environment and customize your setup to best fill your needs.
Enjoy!