OpenBSD Journal

Theo de Raadt on Zenbleed

2 years 1 month ago
The buzzword bug of the week is Zenbleed, which affects various AMD processors and is explained in more detail here.

On OpenBSD, the latest -current snapshots already have the fixes, and errata patches will go out for the supported releases (7.2 and 7.3) shortly.

In a post to the tech@ list, Theo de Raadt described the situation:

List:       openbsd-tech
Subject:    Zenbleed
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2023-07-24 16:11:45

Zenbleed errata for 7.2 and 7.3 will come out soon.

sysupgrade of the -current snapshot already contains a fix.


Game of Trees 0.91 released

2 years 1 month ago

Version 0.91 of Game of Trees has been released (and the port updated):

* got 0.91; 2023-07-19
  see git repository history for per-change authorship information
  - use _POSIX_HOST_NAME_MAX from <limits.h> for portability
  - add merge -M option which tells 'got merge' not to fast-forward a reference
  - make gitwrapper ignore "permission denied" errors for repository paths
  - add cvg(1), a CVS-like Git client; still WIP and not installed by default yet
  - add initial implementation of 'gotadmin dump' which creates Git bundle files
  - add initial implementation of 'gotadmin load' which loads Git bundle files
  - gotadmin cleanup: consider object reachability while cleaning packfiles
  - gotadmin cleanup: don't delete pack files that are too young
  - prevent useless EEXIST errors filling up the global custom error array
  - abort histedit if the user quits the editor without saving the script
  - fix double-free in tog blame view error path
  - add support for keywords as <commit> arguments to got and tog

Also of note is that the Game of Trees web site now includes a Comparison to other version control systems.

Mandatory enforcement of indirect branch targets

2 years 1 month ago

Theo de Raadt (deraadt@) has updated innovations.html to include an item regarding the work which has been done to enforce indirect branch target restriction (on the amd64 [Intel] and arm64 platforms).

The commit message provides some detail:

CVSROOT:        /cvs
Module name:    www
Changes by:     deraadt@cvs.openbsd.org 2023/07/13 08:02:00

Modified files:
        .              : innovations.html

Log message:
Over the last 6 months we've worked on adding arm64 BTI & Intel IBT support
in the kernels and all userland binaries. We have been fixing all the
applications along the way. Many developers were involved.


pkg_*: the road forward

2 years 1 month ago
An anonymous submitter reminded us that Marc Espie (espie@) posted a summary of the state of OpenBSD packages in a message to the tech mailing list with the subject pkg_*: the road forward.

Marc writes,

Subject:    pkg_*: the road forward
From:       Marc Espie <marc.espie.openbsd () gmail ! com>
Date:       2023-07-10 19:04:04

I spent some time during the last hackathon, talking to various people over where we're going.

Read on below the fold or take in the whole thing here (including any followups).


Wayland on OpenBSD

2 years 1 month ago

Matthieu Herrb (matthieu@) has written some notes on his work at the (recently-concluded) g2k23 hackathon in Tallinn, Estonia. His article, Wayland on OpenBSD, starts:

These are my notes from experimenting with building Wayland bits on OpenBSD during g2k23 in Tallinn… Thanks to the OpenBSD foundation for organizing this event.

This is still far from a complete running system as there are many issues on the road, but it’s a good start and it shows that it’s definitely not impossible to get Wayland running on OpenBSD.

Read the rest of Wayland on OpenBSD by following the link.

Soft updates (softdep) disabled for future VFS work

2 years 1 month ago

In a low-key leak from the ongoing g2k23 hackathon comes the news that soft updates (aka softdep) will, for now, be a no-op on OpenBSD-current.

The commit message by Bob Beck (beck@) reads,

From:       Bob Beck <beck () cvs ! openbsd ! org>
Date:       2023-07-05 15:13:28

CVSROOT:        /cvs
Module name:    src
Changes by:     beck@cvs.openbsd.org    2023/07/05 09:13:28

Modified files:
        sys/kern       : vfs_syscalls.c
        sys/sys        : mount.h
        sys/ufs/ffs    : ffs_softdep.c ffs_vfsops.c

Log message:
Make softdep mounts a no-op

Softdep is a significant impediment to progressing in the vfs layer
so we plan to get it out of the way. It is too clever for us to
continue maintaining as it is.

ok kettenis@ kn@ tobhe@ and most of the g2k23 room except bluhm@

We look forward to further work and explanation of the motivation behind this change, sure to follow.

[CFT] sec(4) for Route Based IPSec VPNs

2 years 1 month ago

A new tool for creating flexible, route-based site-to-site virtual private networks (site-to-site VPNs) is entering its call for testing phase on OpenBSD-current.

In a message to the tech@ mailing list on July 4th, 2023, David Gwynne (dlg@) presented a diff that adds a new virtual network interface dubbed sec(4). The message reads,

Subject:    sec(4): route based ipsec vpns
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2023-07-04 5:26:30

tl;dr: this adds sec(4) p2p ip interfaces. Traffic in and out of these
interfaces is protected by IPsec security associations (SAs), but there's
no flows (security policy database (SPD) entries) associated with these
SAs. The policy for using the sec(4) interfaces and their SAs is
route-based instead.

Longer version:

I was going to use "make ipsec great again^W" as the subject line, but
thought better of it.

The reason I started on this was to better interoperate with
"site-to-site" vpns, in particular AWS Site-to-Site VPNs, and the
Auto-Discovery VPN (ADVPN) stuff on fortinet fortigate appliances. Both
of these negotiate IPsec tunnels that can carry any traffic at the IPsec
level, but use BGP and routes to direct traffic into those tunnels.


[CFT] Major pfsync(4) Rewrite on the Horizon

2 years 2 months ago

A major rewrite of pfsync(4), the state table synchronization tool for redundant pf(4) setups, is in the works.

In a recent message to tech@, David Gwynne (dlg@) describes the multi-year process behind the diff contained in the message,

moving pf forward has been a real struggle, and pfsync has been a constant source of pain. we have been papering over the problems for a while now, but it reached the point that it needed a fundamental restructure, which is what this diff is. i started rewriting pfsync (again) during h2k22 last year, and it's only been in the last couple of months that i got all the existing functionality working again, and it's only been the last three weeks in particular that it's been solid. this is the first time since about openbsd 6.9 that i've been able to upgrade my production firewalls without them falling over.

which means there may still be rough edges, but testing by brave souls is encouraged. There are huge potential performance gains to be found if this works out right.

You can read the entire message (with the diff) here, or just take in the rest of the text after the fold.


OpenSMTPD 7.3.0p0 released

2 years 2 months ago

The OpenBSD project has released version 7.3.0p0 of OpenSMTPD, the project's SMTP server. The announcement reads in part:

Changes in this release:
========================

Includes the following security fixes:

- OpenBSD 7.2 errata 20 "smtpd(8) could abort due to a connection from a
  local, scoped ipv6 address"
- OpenBSD 7.2 errata 22 "Out of bounds accesses in libc resolver"

Configuration changes:

- The certificate to use is now selected by looking at the names found in
  the certificates themselves rather than the `pki` name. The set of
  certificates for a TLS listener must be defined explicitly by using the
  `pki` listener option multiple times.

Game of Trees 0.89 released

2 years 2 months ago

Version 0.89 of Game of Trees has been released (and the port updated):

* got 0.89; 2023-06-05
  see git repository history for per-change authorship information
  - gotd: return early after disconnect on auth event error instead of crashing
  - make 'got patch' display statistics about files with conflicts and rejects
  - make 'got diff' not treat \r\n line endings as special
  - fix test failures in test_blame_lines_shifted_skip on certain times of day
  - show reference labels next to commit messages in tog log view
  - some gotwebd refactoring related to handling of file descriptors
  - gotwebd: lower log priority of unexpected disconnections
  - gotwebd: avoid needless double fseek()
  - fix the size of gotwebd's tempfiles array; exposed by errors from ftruncate()
  - simplify ancestry checks in checkout, update, rebase, and merge commands
  - make gitwrapper not fail if programs it wants to run do not exist on disk
  - stop showing backup references in the tog log and diff views
  - consistently use ten Xs in mkstemp(3) templates
  - only delete empty directories which appear in arguments to 'got rm'
  - simplify parsing of host names and IP addresses in gotwebd's parse.y
  - make 'got merge' refuse to run if a merge is in progress
  - make 'got merge -c' fail even if new changes only affect unrelated paths

New versions of LibreSSL released

2 years 3 months ago

The LibreSSL project has announced the release of versions 3.6.3 and 3.7.3, and (development) version 3.8.0 of the software.

The announcement for versions 3.6.3 and 3.7.3 reads:

We have released LibreSSL 3.6.3 and 3.7.3, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

They include the following fixes:

 * Bug fix
   - Hostflags in the verify parameters would not propagate from an
     SSL_CTX to newly created SSL.

 * Reliability fix
   - A double free or use after free could occur after SSL_clear(3).

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

The announcement for version 3.8.0 reads:


cron(8) now supports random ranges with steps

2 years 3 months ago

Thanks to the following commit by Todd Miller (millert@), cron(8) now supports random values in a range with a step value (i.e. "<lo>~<hi>/<step>" in crontab(5) entries):

CVSROOT:        /cvs
Module name:    src
Changes by:     millert@cvs.openbsd.org 2023/05/06 17:06:27

Modified files:
        usr.sbin/cron  : crontab.5 entry.c macros.h

Log message:
Support random offsets when using ranges with a step value in cron.

This extends the random range syntax to support step values. Instead
of choosing a random number between the high and low values, the field
is treated as a range with a random offset less than the step value.
This can be used to avoid thundering herd problems where multiple
machines contact a server all at the same time via cron jobs.

The syntax is similar to the existing range/step syntax but uses a
random range. For example, instead of "0-59/10" in the minutes field,
"0~59/10" can be used to run a command every 10 minutes where the first
command starts at a random offset in the range [0,9]. The high and low
numbers are optional, "~/10" can be used instead.

Requested by job@, OK phessler@
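To make the semantics of the new syntax concrete, here is an added example (not cron's own entry.c code) that expands a single crontab(5) field under both the fixed "lo-hi/step" and the random "lo~hi/step" rules described in the commit message. The field-bound defaults and the rng parameter are assumptions of this example; the random offset for "0~59/10" lands in [0,9] exactly as the log message states.

```python
import random
import re

# Matches "<lo><sep><hi>[/<step>]" where sep is "-" (fixed range) or "~" (random
# range); lo and hi may be omitted, as in "~/10". Constructed for this example.
FIELD_RE = re.compile(r"^(\d*)([-~])(\d*)(?:/(\d+))?$")


def expand_range_field(field, lo_default, hi_default, rng=random):
    """Return the sorted list of values a crontab field fires on.

    "lo-hi/step": every step-th value from lo, starting at lo (offset 0).
    "lo~hi":      a single random value in [lo, hi] (pre-existing syntax).
    "lo~hi/step": every step-th value from lo + offset, where offset is a
                  random value less than step, so each host gets its own slot.
    """
    m = FIELD_RE.match(field)
    if not m:
        raise ValueError(f"not a range field: {field!r}")
    lo_s, sep, hi_s, step_s = m.groups()
    lo = int(lo_s) if lo_s else lo_default      # "~/10" means the whole field
    hi = int(hi_s) if hi_s else hi_default
    if lo > hi:
        raise ValueError("low bound exceeds high bound")
    step = int(step_s) if step_s else None
    if step is not None and step <= 0:
        raise ValueError("step must be positive")

    if sep == "-":
        return list(range(lo, hi + 1, step or 1))

    if step is None:
        return [rng.randint(lo, hi)]            # old behaviour: one random value

    offset = rng.randint(0, step - 1)           # random offset less than the step
    return list(range(lo + offset, hi + 1, step))


if __name__ == "__main__":
    # Two hosts evaluating the same "0~59/10" minutes field get different slots.
    for host, seed in (("host-a", 1), ("host-b", 2)):
        print(host, expand_range_field("0~59/10", 0, 59, random.Random(seed)))
```

Note that the values still cover the whole range at the requested interval; only the phase is randomised, which is what spreads the load on the server the jobs contact.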
