The OpenBSD Community.
The EuroBSDCon 2016 talks and schedule have been released, and oh are we in for a treat! All three major BSDs have a "how we made the network go fast" talk, nearly every single timeslot has a networking-related talk, and most of the non-networking talks look fantastic as well. The OpenBSD-related talks are:
Pre-orders for the 6.0 CD sets have just been activated.
In addition, one of the six release songs has been released early.
This release has some of the coolest artwork yet.
The first report from the just-concluded n2k16 hackathon comes from Stefan Sperling, who writes:
Because this network hackathon was scheduled very close to the 6.0 release, I focused my efforts on fixing bugs.
The first bug I encountered was that dhclient no longer works if DHCP return traffic has to pass through a bridge, and the member interface which receives the DHCP return traffic also has a dhclient instance running on it: Read more...
The facility for allowing non-root users to mount file systems has been removed from OpenBSD-current due to security concerns.
Specifically, the value of kern.usermount (as described in the mount(8) and sysctl(3) man pages) is ignored in OpenBSD 6.0, and the kern.usermount sysctl variable will be absent from later releases.
Theo de Raadt (deraadt@) committed the change:

CVSROOT:	/cvs
Module name:	src
Changes by:	firstname.lastname@example.org	2016/07/14 09:39:40

Modified files:
	sys/kern : vfs_syscalls.c kern_sysctl.c

Log message:
kern.usermount=1 is unsafe for everyone, since it allows any non-pledged
program to call the mount/umount system calls. There is no way any user
can be expected to keep their system safe / reliable with this feature.
Ignore setting to =1, and after release we'll delete the sysctl entirely.
ok lots of people

Read more...
Now would be a good time to check http://www.openbsd.org/errata59.html, as a number of reliability and security patches have just been released.
This appears to be in response to fuzz testing, as documented further in this oss-security thread: http://marc.info/?l=oss-security&m=146853062403622&w=2
Tim Newsham and Jesse Hertz of NCC Group appear to have done most of the research behind these discoveries so far, and I know at least one of them has had patches committed to the OpenBSD project in the past, so it is nice to see professional researchers continuing to collaborate with and contribute back to the project! Again, please check http://www.openbsd.org/errata59.html for links to the source code patches that address these issues. Excerpted summaries of the issues discovered follow:
013: RELIABILITY FIX: July 14, 2016. All architectures. Splicing sockets in a loop could cause a kernel spin.
014: RELIABILITY FIX: July 14, 2016. All architectures. Multiple processes exiting with a fd-passing control message on a shared socket could crash the system.
015: RELIABILITY FIX: July 14, 2016. All architectures. ufs_readdir failed to limit the size of a memory allocation, leading to panics.
016: SECURITY FIX: July 14, 2016. All architectures. The mmap extension __MAP_NOFAULT could overcommit resources and crash the system.
017: RELIABILITY FIX: July 14, 2016. All architectures. A race occurring in the unlocked ARP input path can lead to a kernel NULL dereference.
018: RELIABILITY FIX: July 14, 2016. All architectures. Tick counting overflows could cause a kernel crash.
019: RELIABILITY FIX: July 14, 2016. All architectures. Invalid file descriptor use with kevent(2) could lead to a kernel crash.
020: RELIABILITY FIX: July 14, 2016. All architectures. Unchecked parameters and integer overflows in the amap allocation routines could cause malloc(9) to either not allocate enough memory, leading to memory corruption, or to trigger a "malloc: allocation too large" panic.
Ingo Schwarze wrote in about the new mandoc release,
From: Ingo Schwarze <email@example.com>
After more than a year of development since 1.13.3, this is a regular maintenance release, fixing many bugs. This release contains almost the same mandoc code as the upcoming OpenBSD 6.0 release. Upgrading is recommended for all downstream projects.
The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:
Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)
In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:
Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)
Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performances
Martin Pieuchot (mpi@) wrote in, saying
OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on. Read more...
Progress on the armv7 platform continues, and Jonathan Gray writes in to the arm@ mailing list with some promising news:
There is now a bootloader for armv7 thanks to kettenis@. Recent armv7 snapshots will configure disks to use efiboot and install device tree dtb files on a FAT partition at the start of the disk.
u-boot kernel images are no longer part of the release but can still be built for the time being. We are going to start assuming the kernel has been loaded with a dtb file to describe the hardware sometime soon. Those doing new installs can ignore the details but here they are. Read more...
Traditional Unix has allowed memory to be mapped W|X, that is, writable and executable at the same time. Everyone now knows that's a bad practice from a security standpoint, since a single memory-corruption bug then lets an attacker write code and run it, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.
CVSROOT:	/cvs
Module name:	src
Changes by:	firstname.lastname@example.org	2016/05/27 13:45:04

Modified files:
	lib/libc/sys   : mmap.2 mount.2 mprotect.2
	sbin/mount     : mntopts.h mount.8 mount.c
	sbin/mount_ffs : mount_ffs.c
	sbin/mount_nfs : mount_nfs.c
	sys/kern       : kern_sysctl.c vfs_syscalls.c
	sys/sys        : mount.h sysctl.h
	sys/uvm        : uvm_mmap.c
	usr.sbin/pstat : pstat.c

Log message:
W^X violations are no longer permitted by default. A kernel log message
is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or
coredump creation.

W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option. One day far in the future upstream
software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright. Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem. At least your other
filesystems don't permit such programs.

Read more...
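As an added illustration (this is example code written for this page, not code from the OpenBSD commit or from the project), the following C program exercises both halves of the behaviour the commit message describes: a request for a page that is writable and executable at once, which OpenBSD 6.0 and later refuse with ENOTSUP unless the binary lives on a filesystem mounted with wxallowed, and the W^X-compliant alternative of mapping read-write, writing the code, then flipping the page to read-execute with mprotect(2). The machine-code bytes, the page handling and the function names are this example's own assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* OpenBSD spells it MAP_ANON; both exist there */
#endif

/* Ask for a page that is writable and executable at the same time.
 * On OpenBSD 6.0+ this is a W^X violation: mmap(2) logs a kernel message
 * and fails with ENOTSUP (or the process gets SIGABRT if kern.wxabort=1),
 * unless the executable sits on a filesystem mounted "wxallowed".
 * Other systems usually grant it. Returns 0 if granted, else errno. */
int try_wx_mapping(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* The W^X-compatible way to emit code at run time: map RW, write the
 * bytes, then drop W and add X in one mprotect(2) call before executing.
 * The two permissions never coexist, so the policy permits it.
 * Returns what the generated function returns (42), or -1 on failure or
 * on an architecture this demo carries no encoding for. */
int run_generated_code(void)
{
    /* Constructed machine code for "return 42" on two common targets. */
#if defined(__x86_64__)
    static const uint8_t code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                    0xc3 };                        /* ret */
    const int have_encoding = 1;
#elif defined(__aarch64__)
    static const uint8_t code[] = { 0x40, 0x05, 0x80, 0x52,        /* movz w0, #42 */
                                    0xc0, 0x03, 0x5f, 0xd6 };      /* ret */
    const int have_encoding = 1;
#else
    static const uint8_t code[] = { 0 };
    const int have_encoding = 0;
#endif
    if (!have_encoding)
        return -1;

    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, sizeof code);

    /* RW -> RX: W and X are never held together on this page. */
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return -1;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof code);

    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* object pointer to function pointer without a cast */
    int r = fn();
    munmap(p, len);
    return r;
}

int main(void)
{
    int e = try_wx_mapping();
    if (e == 0)
        printf("W|X mapping granted: this kernel (or this mount) still permits W^X violations\n");
    else
        printf("W|X mapping refused: %s\n", strerror(e));
    printf("W^X-compliant generated code returned %d\n", run_generated_code());
    return 0;
}
```

On a Linux host, or on OpenBSD before this commit, the first call succeeds, which is exactly the permissiveness the change removes; on OpenBSD 6.0 it fails with ENOTSUP and the kernel logs the violation, or with kern.wxabort=1 the process is killed with SIGABRT so the offending call site can be located in gdb or a core dump. The same refusal applies to an mprotect(2) that adds PROT_EXEC to a mapping that is still writable. The second path works under the new policy everywhere because the page is never writable and executable simultaneously; software that cannot be fixed this way has to be confined to a filesystem mounted with the wxallowed option, as the commit message recommends for /usr/local.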
This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."
The next hackathon report comes from Paul Irofti, who writes:
This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for.
My usual hackathon work flow is: waste 3-4 days trying to figure how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer. Read more...
Our next report comes from Jasper Lievisse Adriaanse, who writes:
Hackathons have long since had two themes for me, gnomes and puppets. However this hackathon I actually didn't want to play with puppets for once, yet I ended up importing Puppet 4 after all. More on that later. Read more...
In a recent email, Theo de Raadt explains OpenBSD's new mitigation against SROP (sigreturn-oriented programming, in which an attacker forges a signal frame on the stack and has the kernel restore it via sigreturn(2)), a recent team effort.
This is the first demonstration of a mitigation against SROP.
Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomly placed per process, it is only known by directly returning from a signal handler.
As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!
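To make the two checks in the email concrete, here is an added C model of them (example code written for this page; it is not OpenBSD's implementation, whose real logic lives in the per-architecture sendsig()/sys_sigreturn() code, and all struct, field and function names below are invented). It mimics signal delivery, which stores a cookie derived from the per-process secret XOR the frame's own address, and sigreturn(2), which first insists that the syscall was issued from the sigreturn instruction in the randomized trampoline and then verifies the cookie against the frame's actual address. The process state and addresses are constructed constants; a real kernel draws them from its RNG at exec time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Invented names: what the kernel needs to remember per process. */
struct proc_model {
    uintptr_t sigcookie;    /* per-process secret chosen at exec */
    uintptr_t sigcoderet;   /* address of the sigreturn(2) instruction inside the
                             * per-process randomized signal trampoline page */
};

/* Invented names: the sigcontext the kernel writes onto the user stack. */
struct sigctx_model {
    uintptr_t pc;           /* register state to be restored on return */
    uintptr_t sp;
    uintptr_t cookie;       /* sigcookie XOR the address of this very frame */
};

enum sigret_result { SIGRET_OK, SIGRET_BAD_CALLER, SIGRET_BAD_COOKIE };

/* Signal delivery: the frame is bound to the address it is written at. */
void deliver_signal(const struct proc_model *p, struct sigctx_model *frame,
                    uintptr_t pc, uintptr_t sp)
{
    frame->pc = pc;
    frame->sp = sp;
    frame->cookie = p->sigcookie ^ (uintptr_t)frame;
}

/* sigreturn(2): caller_pc is the user PC that executed the syscall
 * instruction; frame is the sigcontext pointer passed as its argument. */
enum sigret_result sys_sigreturn_model(const struct proc_model *p,
                                       uintptr_t caller_pc,
                                       const struct sigctx_model *frame)
{
    /* Check 1 (the kbind(2) trick): only the trampoline may call sigreturn. */
    if (caller_pc != p->sigcoderet)
        return SIGRET_BAD_CALLER;
    /* Check 2: the cookie must match this frame at this address. */
    if (frame->cookie != (p->sigcookie ^ (uintptr_t)frame))
        return SIGRET_BAD_COOKIE;
    return SIGRET_OK;
}

/* Constructed process state for the demo. */
static const struct proc_model demo_proc = {
    .sigcookie  = (uintptr_t)0x9e3779b97f4a7c15ULL,
    .sigcoderet = (uintptr_t)0x7f3a1c004e08ULL,
};
static const uintptr_t demo_gadget_pc = 0x4011a2;  /* a "syscall; ret" gadget in the binary */

/* Case 1: a handler returns normally through the trampoline. */
enum sigret_result case_legitimate(void)
{
    struct sigctx_model frame;
    deliver_signal(&demo_proc, &frame, 0x401000, 0x7ffd1000);
    return sys_sigreturn_model(&demo_proc, demo_proc.sigcoderet, &frame);
}

/* Case 2: the attacker replays a genuine frame from a different stack
 * address with an attacker-chosen PC, still entering via the trampoline. */
enum sigret_result case_relocated_frame(void)
{
    struct sigctx_model genuine, forged;
    deliver_signal(&demo_proc, &genuine, 0x401000, 0x7ffd1000);
    memcpy(&forged, &genuine, sizeof forged);
    forged.pc = 0x401234;
    return sys_sigreturn_model(&demo_proc, demo_proc.sigcoderet, &forged);
}

/* Case 3: the attacker issues the syscall from a gadget elsewhere in the
 * binary because the randomized trampoline address is unknown. */
enum sigret_result case_gadget_caller(void)
{
    struct sigctx_model frame = { .pc = 0x401234, .sp = 0x7ffd2000, .cookie = 0 };
    return sys_sigreturn_model(&demo_proc, demo_gadget_pc, &frame);
}

int main(void)
{
    printf("legitimate return : %d (0 = accepted)\n", case_legitimate());
    printf("relocated frame   : %d (2 = bad cookie)\n", case_relocated_frame());
    printf("gadget as caller  : %d (1 = bad caller)\n", case_gadget_caller());
    return 0;
}
```

The two checks are independent layers. The cookie alone is weak against an attacker who can read a genuine frame together with its stack address, since XORing the two recovers the secret; the PC check does not depend on any secret the attacker can read from memory, only on the trampoline's randomized location, which is why the email leads with it.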
The next hackathon report comes from Ken Westerback, who writes:
I arrived at CDG, got on my train and arrived in Nantes just before a national train strike started. Whew. Did a pleasant walk paralleling the tram tracks to the appropriate tram stop and consulted the documentation. "Hackroom is nearby." Hmmm. Wandered around for a while without stumbling across it, and finally noticed the large neon sign for the hotel. From which I *did* have directions. Got to the hackroom building and found that the doors had been locked early. A few frantic texts later I got in and the normal hackathon routine took hold. Read more...
Our next p2k16 report comes from Antoine Jacoutot, who writes:
First of all I'd like to give a big thanks to gilles@, Epitech Nantes and the OpenBSD Foundation for making this event a real blast. The hackroom accommodation was very nice and so was the location.
Disclaimer: I have a goldfish memory so I am probably forgetting a lot of small things I did during this week, next time I should probably start writing what I'm doing as I go. Read more...
The next report in our p2k16 series is from Landry Breuil, who writes:
For once we had a hackathon in France, so travel should be simple... turns out, at the last minute the past week I had engaged myself in a motorbike rally race, taking place in Corsica on the weekend right before the hackathon. Driving to the south of France on Thursday, night boat to Corsica, two days racing, then boat back to the mainland, then driving all night to come back to my place, change backpack, sleep 1h, and hop on the cheap bus from my place to Nantes. Arrived there at 21h, I was of course totally destroyed from the 30h trip and after meeting the others for a heavy meal, I crashed early to bed... Read more...
Fresh from the p2k16 hackathon comes this report from Christian Weisgerber, who writes:
Coming to p2k16, I had only vague plans what to work on. The last few hackathons I had tackled some projects that didn't quite result in something committable, so this time I decided to keep it basic. The idea was to update some ports and maybe make a dent in the use of the obsolete libiconv and gettext modules. Read more...
OpenBSD Foundation director Ken Westerback (krw@) writes in with some great news:
This donation is part of DuckDuckGo's annual initiative to help fund free and open source projects based on nominations from their community.
Not only is it great to hear that companies are giving back to the project, but also that OpenBSD was nominated by DDG users. A big thanks to them and their community!