The OpenBSD Community.
Early registration ends 2016-08-24 23:59 CEST, so get in now for discounted prices on great (Open)BSD talks and tutorials!
Joel Sing (jsing@) has added server-side Server Name Indication (SNI) support to libtls and, based on that, to httpd.
As a result of apparent lack of maintenance, Theo de Raadt has disabled tmpfs.
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2016/07/25 13:52:56

Modified files:
sys/conf : GENERIC

Log message:
disable tmpfs because it receives zero maintenance.
Our next report comes from Philip Guenther, who writes,
I don't actually do much hacking in the network stack. I've done some fixes and cleanup in the syscall/ioctl layers, but otherwise I stay out of sys/net*, so what was I doing at n2k16?
Our next report comes from Ken Westerback (krw@), who writes,
Surprise upgrade to Business! Yay! Bumped by a paying customer to a seat with a non-functional entertainment unit. Boo. Running the length of Frankfurt airport to meet Theo's flight in time. Yay! No Theo. Boo. I can still meet the ANZAC contingent in Prague to share trip downtown. Yay! They walk right past me even with my UQ hat on. Boo. Yet Another Hackathon Travel Adventure.
The EuroBSDCon 2016 talks and schedule have been released, and oh are we in for a treat! All three major BSDs have a "how we made the network go fast" talk, nearly every single timeslot has a networking-related talk, and most of the non-networking talks look fantastic as well. The OpenBSD-related talks are:
Pre-orders for the 6.0 CD sets have just been activated.
In addition, one of the six release songs has been released early.
This release has some of the coolest artwork yet.
The first report from the just-concluded n2k16 hackathon comes from Stefan Sperling, who writes:
Because this network hackathon was scheduled very close to the 6.0 release I focused my efforts on fixing bugs.
The first bug I encountered was that dhclient no longer works if DHCP return traffic has to pass through a bridge, and the member interface which receives the DHCP return traffic also has a dhclient instance running on it:
The facility for allowing non-root users to mount file systems has been removed from OpenBSD-current due to security concerns.
Specifically, the value of kern.usermount (as described in the mount(8) and sysctl(3) man pages) will be ignored in OpenBSD 6.0, and the kern.usermount system variable will be absent from later releases.
Theo de Raadt (deraadt@) committed the change:

CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2016/07/14 09:39:40

Modified files:
sys/kern : vfs_syscalls.c kern_sysctl.c

Log message:
kern.usermount=1 is unsafe for everyone, since it allows any non-pledged program to call the mount/umount system calls. There is no way any user can be expected to keep their system safe / reliable with this feature. Ignore setting to =1, and after release we'll delete the sysctl entirely.
ok lots of people
Now would be a good time to check http://www.openbsd.org/errata59.html as a number of patches related to reliability and security have been released as follows.
This appears to be in response to fuzz testing as documented further in this mailing list archive: http://marc.info/?l=oss-security&m=146853062403622&w=2
Tim Newsham and Jesse Hertz of NCC Group appear to have done most of the research related to these discoveries so far, and I know at least one of them has had patches committed to the OpenBSD project in the past, so it is nice to see continual collaboration from professional researchers contributing back to the project! Again, please check http://www.openbsd.org/errata59.html for links to source code patches to address these issues. Excerpted summaries of the issues discovered are below:
013: RELIABILITY FIX: July 14, 2016 All architectures Splicing sockets in a loop could cause a kernel spin.
014: RELIABILITY FIX: July 14, 2016 All architectures Multiple processes exiting with a fd-passing control message on a shared socket could crash the system.
015: RELIABILITY FIX: July 14, 2016 All architectures ufs_readdir failed to limit size of memory allocation, leading to panics.
016: SECURITY FIX: July 14, 2016 All architectures The mmap extension __MAP_NOFAULT could overcommit resources and crash the system.
017: RELIABILITY FIX: July 14, 2016 All architectures A race occurring in the unlocked ARP input path can lead to a kernel NULL dereference.
018: RELIABILITY FIX: July 14, 2016 All architectures Tick counting overflows could cause a kernel crash.
019: RELIABILITY FIX: July 14, 2016 All architectures Invalid file descriptor use with kevent(2) could lead to a kernel crash.
020: RELIABILITY FIX: July 14, 2016 All architectures Unchecked parameters and integer overflows in the amap allocation routines could cause malloc(9) to either not allocate enough memory, leading to memory corruption, or to trigger a "malloc: allocation too large" panic.
Ingo Schwarze wrote in about the new mandoc release,
From: Ingo Schwarze <firstname.lastname@example.org>
After more than a year of development since 1.13.3, this is a regular maintenance release, fixing many bugs. This release contains almost the same mandoc code as the upcoming OpenBSD 6.0 release. Upgrading is recommended for all downstream projects.
The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:
Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)
In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:
Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)
Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performances
Martin Pieuchot (mpi@) wrote in, saying
OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on.
Progress on the armv7 platform continues, and Jonathan Gray writes in to the arm@ mailing list with some promising news:
There is now a bootloader for armv7 thanks to kettenis@. Recent armv7 snapshots will configure disks to use efiboot and install device tree dtb files on a fat partition at the start of the disk.
u-boot kernel images are no longer part of the release but can still be built for the time being. We are going to start assuming the kernel has been loaded with a dtb file to describe the hardware sometime soon. Those doing new installs can ignore the details but here they are.
Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that's a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2016/05/27 13:45:04

Modified files:
lib/libc/sys : mmap.2 mount.2 mprotect.2
sbin/mount : mntopts.h mount.8 mount.c
sbin/mount_ffs : mount_ffs.c
sbin/mount_nfs : mount_nfs.c
sys/kern : kern_sysctl.c vfs_syscalls.c
sys/sys : mount.h sysctl.h
sys/uvm : uvm_mmap.c
usr.sbin/pstat : pstat.c

Log message:
W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation.
W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option.
One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs.
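The commit above describes the observable behaviour of the new policy: a request for a page that is both writable and executable fails, and mmap(2)/mprotect(2) return ENOTSUP. The following probe is an added example written for this page, not code from the OpenBSD tree, that an administrator can compile to check whether the kernel they are running on enforces that rule, on both paths the commit mentions (asking for W|X up front, and upgrading an RW page to RWX with mprotect). The enum names and function names are this example's own; the only kernel-facing assumption is the ENOTSUP error value stated in the commit message.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANONYMOUS */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS   /* older glibc spells it MAP_ANONYMOUS only */
#endif

/* Outcome of one attempt to obtain a W|X page (names are this example's own). */
enum wx_verdict {
    WX_PERMITTED = 0,    /* kernel handed out a writable+executable page */
    WX_BLOCKED = 1,      /* refused with ENOTSUP, as the OpenBSD commit describes */
    WX_OTHER_ERROR = 2   /* refused for some other reason (e.g. a MAC policy) */
};

/* Map the errno of a failed W|X request to a verdict.  0 means "it succeeded". */
enum wx_verdict wx_classify(int err)
{
    if (err == 0)
        return WX_PERMITTED;
    if (err == ENOTSUP)
        return WX_BLOCKED;
    return WX_OTHER_ERROR;
}

/* Probe both ways a program can end up with W|X memory.
 * Returns 0 on a completed probe, -1 if the baseline RW mapping itself failed. */
int wx_probe(enum wx_verdict *via_mmap, enum wx_verdict *via_mprotect)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p;

    /* Path 1: ask mmap(2) for a RWX anonymous page directly. */
    p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
             MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED) {
        *via_mmap = wx_classify(errno);
    } else {
        *via_mmap = WX_PERMITTED;
        munmap(p, len);
    }

    /* Path 2: take an ordinary RW page and try to add PROT_EXEC with mprotect(2). */
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED) {
        *via_mprotect = WX_OTHER_ERROR;
        return -1;
    }
    if (mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) == 0)
        *via_mprotect = WX_PERMITTED;
    else
        *via_mprotect = wx_classify(errno);
    munmap(p, len);
    return 0;
}

static const char *wx_name(enum wx_verdict v)
{
    switch (v) {
    case WX_PERMITTED:   return "permitted";
    case WX_BLOCKED:     return "blocked (ENOTSUP)";
    default:             return "refused for another reason";
    }
}

int main(void)
{
    enum wx_verdict m, mp;

    if (wx_probe(&m, &mp) != 0) {
        fprintf(stderr, "baseline RW mapping failed: %s\n", strerror(errno));
        return 1;
    }
    printf("mmap(RWX):           %s\n", wx_name(m));
    printf("mprotect(RW -> RWX): %s\n", wx_name(mp));
    return 0;
}
```

Two caveats follow directly from the commit text. If kern.wxabort is set, the kernel delivers SIGABRT instead of returning ENOTSUP, so the probe will die rather than print a verdict; run it with that sysctl at 0 (the default) when you only want the report. And because the exemption is per filesystem via the "wxallowed" mount option, where the binary lives matters: the same probe compiled into /usr/local on a wxallowed mount would report "permitted" there and "blocked" on a filesystem mounted without it, which is exactly the distinction an audit of a deployed system should record. On Linux without an execmem-style MAC policy both paths report "permitted".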
This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."
The next hackathon report comes from Paul Irofti, who writes:
This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for it.
My usual hackathon work flow is: waste 3-4 days trying to figure out how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer.
Our next report comes from Jasper Lievisse Adriaanse, who writes:
Hackathons have long since had two themes for me, gnomes and puppets. However this hackathon I actually didn't want to play with puppets for once, yet I ended up importing Puppet 4 after all. More on that later.
In a recent email, Theo de Raadt explains the SROP mitigation technique, a recent team effort.
This is the first demonstration of a mitigation against SROP.
Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomly placed per process, it is only known by directly returning from a signal handler.
As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!