OpenBSD Journal

Syndicated content from OpenBSD Journal
The OpenBSD Community.

EuroBSDCon 2016 schedule has been released

Thu, 2016-07-28 11:45
The EuroBSDCon 2016 talks and schedule have been released, and oh are we in for a treat!

All three major BSDs have a "how we made the network go fast" talk, nearly every single timeslot has a networking-related talk, and most of the non-networking talks look fantastic as well.

The OpenBSD-related talks are:

  • Embracing the BSD routing table - mpi@
  • rc.d(8) on OpenBSD - ajacoutot@
  • OpenBSD meets 802.11n - stsp@
  • OpenBSD: pf+rdomains create splendid multi-tenancy firewalls - Philipp Buehler (formerly known as pb@)
  • Dropping in 80Gbits (hopefully) of stateful firewalling capacity with PF and OpenOSPFd - Gareth Llewellyn
  • What we learnt from natively building packages on exotic archs - landry@
  • Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD - phessler@
  • Retrofitting privsep into ports tools - espie@
  • Why and how you ought to keep multibyte character support simple - ingo@

And an OpenBSD-related tutorial is:

  • OpenBSD: Building a test-environment for multi-tenancy firewalls - Philipp Buehler

We're very excited about this year's EuroBSDCon; it looks to be a fantastic one. Register Now!

Categories: *BSD

    OpenBSD 6.0 pre-orders up

    Wed, 2016-07-27 15:42
    Pre-orders for the 6.0 CD sets have just been activated.

    In addition, one of the six release songs has been released early.
    There will be another compilation CD titled "The songs 5.2 - 6.0" alongside the release.

    Head on over to the OpenBSD Store to pick up your CD set, poster, or both!

    This release has some of the coolest artwork yet.

    Categories: *BSD

    OpenBSD 6.0 to be released September 1, 2016

    Mon, 2016-07-25 12:08

    Theo de Raadt (deraadt@) has updated the (in-progress) OpenBSD 6.0 release page to indicate that release will occur earlier than is usual:

    CVSROOT: /cvs
    Module name: www
    Changes by: deraadt@cvs.openbsd.org 2016/07/23 08:18:28

    Modified files:
        . : 60.html

    Log message:
    the 6.0 release date will come as a surprise

    Categories: *BSD

    n2k16 hackathon report: Stefan Sperling on dhclient bugs, iwm(4) issues

    Mon, 2016-07-25 11:51
    The first report from the just-concluded n2k16 hackathon comes from Stefan Sperling, who writes:

    Because this network hackathon was scheduled very close to the 6.0 release I focused my efforts on fixing bugs.

    The first bug I encountered was that dhclient no longer works if DHCP return traffic has to pass through a bridge, and the member interface which receives the DHCP return traffic also has a dhclient instance running on it: Read more...

    Categories: *BSD

    usermount being removed from OpenBSD

    Fri, 2016-07-15 14:37

    The facility for allowing non-root users to mount file systems has been removed from OpenBSD-current due to security concerns.

    Specifically, the value of kern.usermount (as described in the mount(8) and sysctl(3) man pages) will be ignored in OpenBSD 6.0, and the kern.usermount system variable will be absent from later releases.

    Theo de Raadt (deraadt@) committed the change:

    CVSROOT: /cvs
    Module name: src
    Changes by: deraadt@cvs.openbsd.org 2016/07/14 09:39:40

    Modified files:
        sys/kern : vfs_syscalls.c kern_sysctl.c

    Log message:
    kern.usermount=1 is unsafe for everyone, since it allows any non-pledged program to call the mount/umount system calls. There is no way any user can be expected to keep their system safe / reliable with this feature. Ignore setting to =1, and after release we'll delete the sysctl entirely.
    ok lots of people

    Read more...

    Categories: *BSD

    Errata and patches released!

    Fri, 2016-07-15 09:56
    Now would be a good time to check http://www.openbsd.org/errata59.html as a number of patches related to reliability and security have been released as follows.

    This appears to be in response to fuzz testing as documented further in this mailing list archive: http://marc.info/?l=oss-security&m=146853062403622&w=2

    Tim Newsham and Jesse Hertz of NCC Group appear to have done most of the research related to these discoveries so far, and I know at least one of them has had patches committed to the OpenBSD project in the past, so it is nice to see continual collaboration from professional researchers contributing back to the project! Again, please check http://www.openbsd.org/errata59.html for links to source code patches to address these issues. Excerpted summaries of the issues discovered below:

    013: RELIABILITY FIX: July 14, 2016 All architectures Splicing sockets in a loop could cause a kernel spin.

    014: RELIABILITY FIX: July 14, 2016 All architectures Multiple processes exiting with a fd-passing control message on a shared socket could crash the system.

    015: RELIABILITY FIX: July 14, 2016 All architectures ufs_readdir failed to limit size of memory allocation, leading to panics.

    016: SECURITY FIX: July 14, 2016 All architectures The mmap extension __MAP_NOFAULT could overcommit resources and crash the system.

    017: RELIABILITY FIX: July 14, 2016 All architectures A race occurring in the unlocked ARP input path can lead to a kernel NULL dereference.

    018: RELIABILITY FIX: July 14, 2016 All architectures Tick counting overflows could cause a kernel crash.

    019: RELIABILITY FIX: July 14, 2016 All architectures Invalid file descriptor use with kevent(2) could lead to a kernel crash.

    020: RELIABILITY FIX: July 14, 2016 All architectures Unchecked parameters and integer overflows in the amap allocation routines could cause malloc(9) to either not allocate enough memory, leading to memory corruption, or to trigger a "malloc: allocation too large" panic.

    Categories: *BSD

    mandoc-1.13.4 released

    Thu, 2016-07-14 19:23
    Ingo Schwarze wrote in about the new mandoc release,

    From: Ingo Schwarze <schwarze@usta.de>
    Date: Thu, 14 Jul 2016 16:48:20 +0200
    To: discuss@mdocml.bsd.lv
    Subject: mandoc-1.13.4 released

    Hello,

    mandoc = mdocml 1.13.4 is now publicly available from <http://mdocml.bsd.lv/>.

    After more than a year of development since 1.13.3, this is a regular maintenance release, fixing many bugs. This release contains almost the same mandoc code as the upcoming OpenBSD 6.0 release. Upgrading is recommended for all downstream projects.

    Read more...

    Categories: *BSD

    BSDCan 2016 Presentations Online

    Fri, 2016-06-17 15:57
    The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:

    Reyk Flöter: An OpenFlow implementation for OpenBSD - Introducing switchd(8) and more about SDN (slides)

    Henning Brauer: Running an ISP on OpenBSD - Why OpenBSD and several uncommon uses of it (slides)

    Peter Hessler: Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD. Or: A new protocol actually did improve our routing. (slides)

    Mike Belopuhov: Implementation of Xen PVHVM drivers in OpenBSD (slides)

    Antoine Jacoutot: OpenBSD rc.d(8) (slides)

    Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)

    In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:

    Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)

    Aaron Poffenberger: OpenSMTPD for the Real World (slides)

    Categories: *BSD

    Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performances

    Fri, 2016-06-17 15:53
    Martin Pieuchot (mpi@) wrote in, saying

    OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on. Read more...

    Categories: *BSD

    ARMv7 now has a bootloader

    Sun, 2016-05-29 17:41
    Progress on the armv7 platform continues, and Jonathan Gray writes in to the arm@ mailing list with some promising news:

    There is now a bootloader for armv7 thanks to kettenis@. Recent armv7 snapshots will configure disks to use efiboot and install device tree dtb files on a fat partition at the start of the disk.

    u-boot kernel images are no longer part of the release but can still be built for the time being. We are going to start assuming the kernel has been loaded with a dtb file to describe the hardware sometime soon. Those doing new installs can ignore the details but here they are. Read more...

    Categories: *BSD

    W^X now mandatory in OpenBSD

    Sat, 2016-05-28 00:27
    Traditional Unix has allowed memory to be mapped W | X. Everyone now knows that’s a bad practice from a security standpoint, but the software ecosystem hasn't made much progress in this area. Theo de Raadt has just committed a change to begin blocking W^X violations in OpenBSD.

    CVSROOT: /cvs
    Module name: src
    Changes by: deraadt@cvs.openbsd.org 2016/05/27 13:45:04

    Modified files:
        lib/libc/sys : mmap.2 mount.2 mprotect.2
        sbin/mount : mntopts.h mount.8 mount.c
        sbin/mount_ffs : mount_ffs.c
        sbin/mount_nfs : mount_nfs.c
        sys/kern : kern_sysctl.c vfs_syscalls.c
        sys/sys : mount.h sysctl.h
        sys/uvm : uvm_mmap.c
        usr.sbin/pstat : pstat.c

    Log message:
    W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation. W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs.

    Read more...

    Categories: *BSD

    Privilege Separation and Pledge (video)

    Wed, 2016-05-25 15:34
    This year's dotSecurity conference featured a presentation from OpenBSD founder Theo de Raadt, titled "Privilege Separation and Pledge."

    The video is now available here, in addition to the slides.

    Categories: *BSD

    p2k16 Hackathon Report: pirofti@ on octeon and TPM

    Thu, 2016-05-19 13:27
    The next hackathon report comes from Paul Irofti, who writes:

    This was probably the shortest hackathon I attended. The 4 days flew by and I realised we have to pack and go with nothing to show for.

    My usual hackathon work flow is: waste 3-4 days trying to figure how some device works, and then polish the driver(s) for the remaining days while congratulating myself with coffee, Günther and beer. Read more...

    Categories: *BSD

    p2k16 Hackathon Report: jasper@ on gnome, puppet and more

    Tue, 2016-05-17 14:37
    Our next report comes from Jasper Lievisse Adriaanse, who writes:

    Hackathons have long since had two themes for me, gnomes and puppets. However this hackathon I actually didn't want to play with puppets for once, yet I ended up importing Puppet 4 after all. More on that later. Read more...

    Categories: *BSD

    SROP mitigation committed

    Thu, 2016-05-12 05:28
    In a recent email, Theo de Raadt explains the SROP mitigation technique, a recent team effort.

    This is the first demonstration of a mitigation against SROP.

    Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomly placed per process, it is only known by directly returning from a signal handler.

    As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context. That part is similar to the LWN discussion mentioned above. I came to the same conclusion semi-independently as a result of Antoine's ports builds, which identified all the parts of the application software ecosystem I had to study. Woe is me!

    Read more...

    Categories: *BSD

    p2k16 Hackathon Report: krw@ on pdisk, softraid and more

    Wed, 2016-05-11 18:31
    The next hackathon report comes from Ken Westerback, who writes:

    I arrived at CDG, got on my train and arrived in Nantes just before a national train strike started. Whew. Did a pleasant walk paralleling the tram tracks to the appropriate tram stop and consulted the documentation. "Hackroom is nearby." Hmmm. Wandered around for a while without stumbling across it, and finally noticed the large neon sign for the hotel. From which I *did* have directions. Got to the hackroom building and found that the doors had been locked early. A few frantic texts later I got in and the normal hackathon routine took hold. Read more...

    Categories: *BSD

    p2k16 Hackathon Report: ajacoutot@ on Gnome, rc and rcctl improvements

    Sun, 2016-05-08 16:09
    Our next p2k16 report comes from Antoine Jacoutot, who writes:

    First of all I'd like to give a big thanks to gilles@, Epitech Nantes and the OpenBSD Foundation for making this event a real blast. The hackroom accommodation was very nice and so was the location.

    Disclaimer: I have a goldfish memory so I am probably forgetting a lot of small things I did during this week, next time I should probably start writing what I'm doing as I go. Read more...

    Categories: *BSD

    p2k16 Hackathon Report: landry@ on mozilla ports

    Tue, 2016-05-03 20:49
    The next report in our p2k16 series is from Landry Breuil, who writes:

    For once we had a hackathon in France, so travel should be simple... turns out, at the last minute the past week I had engaged myself in a motorbike rally race, taking place in Corsica on the weekend right before the hackathon. Driving to south of France on Thursday, night boat to Corsica, two days racing, then boat back to the mainland, then driving all night to come back to my place, change backpack, sleep 1h, and hop on the cheap bus from my place to Nantes. Arrived there at 21h, I was of course totally destroyed from the 30h trip and after meeting the others for a heavy meal, I crashed early to bed... Read more...

    Categories: *BSD

    p2k16 Hackathon Report: naddy@ on graphics libs progress (yes, packages!)

    Tue, 2016-05-03 18:07
    Fresh from the p2k16 hackathon comes this report from Christian Weisgerber, who writes:

    Coming to p2k16, I had only vague plans what to work on. The last few hackathons I had tackled some projects that didn't quite result into something committable, so this time I decided to keep it basic. The idea was to update some ports and maybe make a dent in the use of the obsolete libiconv and gettext modules. Read more...

    Categories: *BSD

    OpenBSD Foundation Announces Gold Sponsor

    Tue, 2016-05-03 17:35
    OpenBSD Foundation director Ken Westerback (krw@) writes in with some great news:

    The OpenBSD Foundation is happy to announce that DuckDuckGo has become the first Gold level contributor to the 2016 fundraising campaign.

    This donation is part of DuckDuckGo's annual initiative to help fund free and open source projects based on nominations from their community.

    Not only is it great to hear that companies are giving back to the project, but also that OpenBSD was nominated by DDG users. A big thanks to them and their community!

    Donations to the OpenBSD Foundation can be made on the donations page, and they can be contacted regarding corporate sponsorship at fundraising@openbsdfoundation.org.

    Categories: *BSD