OpenBSD Journal

OpenBSD Journal

Game of Trees 0.97 released

Contributed by rueda on from the again-and-again-and dept.

Version 0.97 of Game of Trees has been released (and the port updated).

* got 0.97; 2024-03-11
  see git repository history for per-change authorship information
- improve error messages shown upon execv failure 
- fix 'gotadmin pack' crash upon Ctrl-C due to invalid imsg_free()
- significantly speed up deltification of large files
- improve error handling in got_privsep_recv_imsg()

Just in time for the release of OpenBSD 7.5!

LibreSSL versions 3.8.3 and 3.9.0 released

Contributed by rueda on from the Just before a March new moon, new TLS library versions! dept.

The LibreSSL project has announced the release of version 3.8.3, and (development) version 3.9.0 of the software.

The announcement for version 3.8.3 reads:

WWe have released LibreSSL 3.8.3, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
second stable release for the 3.8.x branch.

It includes the following changes from LibreSSL 3.8.2

  * Portable changes
	  - Removed assert pop-ups with Windows debug builds.
	  - Fixed crashes and hangs in Windows ARM64 builds.
	  - Improved control-flow enforcement (CET) support.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

Read more…

OpenBGPD 8.4 released

Contributed by Peter N. M. Hansteen on from the routed in a route, bordering dept.

The OpenBSD Border Gateway Protocol (BGP) routing daemon OpenBGPD has a new version out, version 8.4.

The release announcement reads,

Subject:    OpenBGPD 8.4 released
From:       Claudio Jeker <claudio () openbsd ! org>
Date:       2024-03-07 13:12:51

We have released OpenBGPD 8.4, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

Read more…

rpki-client 9.0 released

Contributed by Peter N. M. Hansteen on from the key my route dept.

In what can only be called a great stride forward in routing security, Sebastian Benoit (benno@) announced the availability of rpki-client version 9.0.

The announcement reads,

Subject:    rpki-client 9.0 released
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2024-03-03 17:24:06

rpki-client 9.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

Read more…

OpenBSD -current drops -beta tag, goes to 7.5

Contributed by Peter N. M. Hansteen on from the puffing up the versions again dept.

A clear sign that the OpenBSD 7.5 release cycle is entering the final phases just emerged.

In this commit, Theo de Raadt (deraadt@) changed the version string to 7.5:

From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2024-02-29 17:05:10

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2024/02/29 10:05:10

Modified files:
	sys/conf       : newvers.sh 

Log message:
move from 7.5-beta to 7.5

Read more…

IPv6 for ppp(4) enabled in -current.

Contributed by Janne Johansson on from the upppgrading to the sixes dept.

In this commit, Denis Fondras (denis@) added code to allow IPv6 over PPP. The message reads,

Subject:    CVS: cvs.openbsd.org: src
From:       Denis Fondras <denis () cvs ! openbsd ! org>
Date:       2024-02-28 16:08:34

CVSROOT:	/cvs
Module name:	src
Changes by:	denis@cvs.openbsd.org	2024/02/28 09:08:34

Modified files:
	share/man/man4 : ppp.4 
	sys/net        : if_ppp.c if_pppvar.h 

Log message:
Enable IPv6 AF for ppp(4)

OK claudio@

With this one commit, the brave new world of IPv6 opens up to a whole chunk of traditional-style Internet users.

mwx(4), another new wi-fi driver, added to -current

Contributed by rueda on from the it's-raining-wi-fi-drivers dept.

Hot on the heels of qwx(4) [see earlier report], and soon after going -beta, -current has gained another new wi-fi driver - mwx(4). Claudio Jeker (claudio@) committed the import:

CVSROOT:	/cvs
Module name:	src
Changes by:	claudio@cvs.openbsd.org	2024/02/21 03:48:10

Modified files:
	sys/dev/pci    : files.pci 
Added files:
	sys/dev/pci    : if_mwx.c if_mwxreg.h 

Log message:
Import mwx(4) a driver for Mediatek MT7921 and MT7922 802.11ax devices

This is work in progress. Scan works, RX of packets is more or less there
but TX does not work yet. The packets are passed to the chip but get stuck
or ignored there. It is easy to hang the device or the system since device
reset is not quite right (like many other bits).

Also this is only for MT7921 right now since I have no access to a MT7922
device.

Lots of pushing from deraadt@ to commit this now.

So, WIP and MT7921-only [at this stage], but very promising.

New code for SIGILL faults help identify misbranches

Contributed by Janne Johansson on from the don't pee on the electric fence dept.

If you run recent OpenBSD on certain amd64 or aarch64 platforms, indirect branching to an "unexpected" location will crash your program, in order to prevent ROP attacks and similar ways to have your program execute code where it shouldn't.

The OpenBSD compiler will insert an extra instruction in all the places where a branch is supposed to land, and if it lands anywhere else, a CPU fault is raised and your program gets an "Illegal Instruction".

Previously, crashes of this kind have looked more or less like any other kind of fault where code is executing random data or from random locations, but since the kernel knows when this has happened, we can make it explicit that the fault is due to missing branch target instructions, which will help a lot when debugging.

Link to the commit here.

Donate!

Donate to OpenBSD

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

OpenBSD 7.4

0152024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
0142024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
0132024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
0122024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
0112023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.
0102023-12-14 SECURITY Fix out of bounds memory accesses in XRandR and XKB X server extensions. CVE-2023-6377 CVE-2023-6478

Unofficial RSS feed of OpenBSD errata

OpenBSD 7.3

0272024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
0262024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
0252024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
0242023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.
0232023-12-14 SECURITY Fix out of bounds memory accesses in XRandR and XKB X server extensions. CVE-2023-6377 CVE-2023-6478
0222023-12-10 RELIABILITY vmm(4) restored stale GDTR & TR values on vm exit which could lead to memory corruption or kernel deadlocks.

Unofficial RSS feed of OpenBSD errata

XML/RSS/RDF

Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]