Contributed by jose from the finally-here dept.
This is a big release for OpenBSD with many substantial changes. Many users will want to reinstall from scratch and not upgrade, as architecture changes on some platforms as well as enhanced security features are best taken advantage of that way. Read on for the release notes.
------------------------------------------------------------------------
- OpenBSD 3.2 RELEASED -------------------------------------------------
Nov 1, 2002.
It is our pleasure to officially announce the release of OpenBSD
3.2. This is our 12th release on CD-ROM (and 13th via FTP). We
remain proud of OpenBSD's record of six years with only a single
remote hole in the default install. As in our previous releases,
3.2 provides significant improvements, including new features, in
nearly all areas of the system:
- Improved hardware support (http://www.OpenBSD.org/plat.html)
o Asymmetric and symmetric hardware encryption support is enabled
by default if a supported crypto accelerator is present.
o Improved frame buffer and X Window System performance on the sparc,
sparc64, and alpha platforms.
o Builtin AGP-based video on i386 machines using ALI, AMD, Intel, SiS,
and VIA chipsets is now supported and usable by the X Window System.
o Intel Gigabit Ethernet adapters are now supported by the em(4)
driver which replaces the gx(4) driver. The em(4) driver supports
more models and has better performance than the old gx(4) driver.
o Fixed a stability problem with the twe(4) driver and some UDMA drives.
o Added support for more PCI-based Cyclades serial boards.
o IDE disks larger than 128GB and UDMA133 are now supported.
o Updated isp(4) and siop(4) SCSI drivers.
o Added support for sbus-PCMCIA bridges on the sparc64 platform.
o The wi(4) driver (Wavelan, Prism, and Symbol 802.11b) now works
on the sparc64 platform.
o DMA handling in the hme(4) driver has been fixed.
- Major improvements in the pf packet filter, including:
o New "antispoof" keyword: spoofing protection made easy.
o Much simplified filter rule language.
o Extended filtering capabilities.
o All known bugs with filtering bridged interfaces have been fixed.
o It is now possible to control state table entries with a per-rule
granularity.
o Support for dynamic interface expansion. There is no longer a need
to reload the ruleset due to IP address changes. This is useful
for interfaces where the address is dynamically assigned (PPP
and DHCP).
- Ever-improving security (http://www.OpenBSD.org/security.html)
o Non-executable stack on i386, sparc (sun4m only), sparc64,
alpha, and macppc platforms. Non-executable data and bss on
sparc (sun4m only), sparc64 and alpha. This makes the system
more resistant to buffer overflow attacks.
o OpenBSD 3.2 ships with fewer setuid root binaries than ever before.
Many of the remaining root setuid binaries drop root privileges
early in their execution. The use of setuid in the ports subsystem
has also been reduced.
o Privilege separation is now the default in sshd.
o The Apache web server now runs in a chroot jail by default.
The new "-u" option can be used to disable this.
o Several other security issues fixed throughout the system, many
of which were identified by members of the OpenBSD team themselves.
Please see http://www.OpenBSD.org/errata31.html for more details
on what was fixed.
- New subsystems included with 3.2
o A new tool, systrace, enables the user to specify policy for an
executable at the system call level.
o The sparc platform now uses ELF binaries.
- Many other bugs fixed (http://www.OpenBSD.org/plus32.html)
- The "ports" tree is greatly improved (http://www.OpenBSD.org/ports.html)
o The 3.2 CD-ROMs ship with many pre-built packages for the common
architectures. The FTP site contains hundreds more packages
(for the important architectures) which we could not fit onto
the CD-ROMs (or which had prohibitive licenses).
- Many subsystems improved and updated since the last release:
o XFree86 updated to 4.2.1.
o Sendmail updated to 8.12.6.
o Apache 1.3.26 and mod_ssl 2.8.10.
o OpenSSL 0.9.7beta3 (+ patches)
o Latest KAME IPv6
o OpenSSH 3.5
o The atrun command has been incorporated into the cron(8) daemon.
o The vlan(4) driver now supports multicast.
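The pf items above (the antispoof keyword and dynamic interface expansion) pulled together into a small gateway ruleset. This is an added example for this page, not part of the release announcement or the OpenBSD source tree. The interface names fxp0 and xl0, the internal network 192.168.1.0/24 and the choice of exposing only ssh are assumptions; the syntax follows pf.conf(5) as of 3.2, where translation rules precede filter rules and an interface name in parentheses is looked up when the rule is evaluated rather than when the ruleset is loaded.

```pf
# Added example (not from the announcement): minimal OpenBSD 3.2 pf.conf
# for a gateway whose external address is assigned by DHCP or PPP.
# Interface names and the internal network below are assumptions.
ext_if  = "fxp0"              # external, address changes with the lease
int_if  = "xl0"               # internal, static address
int_net = "192.168.1.0/24"

# Normalize incoming packets before they reach the filter rules.
scrub in all

# Translation rules come before filter rules in 3.2. The parentheses make
# pf use whatever address $ext_if has at the time, so a new lease does not
# require a ruleset reload.
nat on $ext_if from $int_net to any -> ($ext_if)

# Loopback is trusted; everything else is denied inbound by default
# and logged so that dropped traffic shows up on pflog0.
pass quick on lo0 all
block in log all

# antispoof: drop packets that arrive on an interface claiming a source
# address belonging to another interface's network (or to loopback).
antispoof log for lo0
antispoof log for $int_if inet

# The gateway itself may talk outward; replies return via the state entry.
pass out on $ext_if keep state
pass out on $int_if keep state

# Only ssh to the gateway's own, dynamically assigned address is accepted
# from outside; flags S/SA restricts state creation to the initial SYN.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# Internal clients may reach the gateway and, via NAT above, the outside.
pass in on $int_if inet from $int_net to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the antispoof expansion with `pfctl -sr`, which prints the generated block rules for each address on lo0 and the internal interface. Note that antispoof rules are expanded from the interface addresses at load time, which is why the example applies it to the statically addressed interfaces and uses the dynamic `($ext_if)` form only where the rule refers to the external address.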
If you'd like to see a list of what has changed between OpenBSD 3.1
and 3.2, look at
http://www.OpenBSD.org/plus32.html
Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
This is our thirteenth OpenBSD release, and the twelfth release
which is available on CD-ROM. Our releases have been spaced six
months apart, and we plan to continue this timing.
- CD-ROM SALES ----------------------------------------------------------
OpenBSD 3.2 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track,
"Goldflipper". Lyrics for the song may be found at:
http://www.OpenBSD.org/lyrics.html#32
Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.
The OpenBSD 3.2 CD-ROMs are bootable on the following six platforms:
o i386
o alpha
o sparc
o sparc64 (UltraSPARC)
o macppc
o hp300*
* The m68k-based platforms, including hp300, are located on a fourth
CD that is not included in the official CD-ROM package. You can
download the ISO-9660 image for the fourth CD as described below.
(Other platforms must boot from floppy, network, or other method).
For more information on ordering CD-ROMs, see:
http://www.OpenBSD.org/orders.html
Thanks to all developers and users who assisted in making this release a success!
By Shane () on http://ytivarg.org/
On a related note, what is the best way to set up an OpenBSD ftp mirror (or any mirror for that matter)? I grabbed the i386 stuff with wget --mirror (and some other switches). Is there a better approach?
By GB () on http://www.wiretapped.net/
http://www.wiretapped.net/mirroring.html Hope this helps, GB@Wiretapped
By zil0g () zil0g@rst-ack.net on mailto:zil0g@rst-ack.net
I will order a set on Monday when I've got the dough for it.
*waiting eagerly for the new stickers*
By Anonymous Coward () on
They're nice.
The CD arrived in the mail here today, November 1st. Hyper shipping department.
By po () on
or make one yourself.
By Anonymous Coward () on www.google.com
ftp://ftp.eunet.cz/pub/os/OpenBSD/iso/
http://www.roundsparrow.com/Comp/OpenBSD/
?
By jb () on
I would like the following simple question clarified: if I install OpenBSD 3.2 out-of-the-box as a KDC, would it be vulnerable?
Thanks for any help!
By Noob () on
With the OPENBSD_3_2_BASE tag it looked like it wasn't updated.
I wasn't going to mention anything and just assume everything was ok, until you just mentioned the same thing that was on my mind as well. Also the date for the binary files for the install seemed to be from 2002 10 05. Does that mean they were compiled on October 5?
Can anyone correct me if I'm wrong on this information?
I'm happy to have the new release out regardless!
And on a weekend too :-)
By Anonymous Coward () on
http://www.openbsd.org/cgi-bin/cvsweb/src/kerberosV/src/kadmin/version4.c?only_with_tag=
By Noob () on
OPENBSD_3_2_BASE is the tag for the release source code for OpenBSD 3.2 is it not?
The original question asked if OpenBSD 3.2 out-of-box was vulnerable to the errata:
A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.
You seem to not understand what I am doing, but that's ok ;-)
By Anonymous Coward () on
D'oh i forgot apache so it should be: "Three remote holes in the default install, in nearly 6 years!"
:(
By Noob () on
source code file and looked at the version4.c file.
The code which was included/added in the 016_kadmin_patch for OpenBSD 3.1 wasn't included in the version4.c file above.
Wow could they really have released OpenBSD 3.2 without applying that fix?
Hmmm I'm just a Noob, what do I know. :-(
By art () on
The final release was built almost a month ago.
By Stan Williams () stanwilliams90@hotmail.com on mailto:stanwilliams90@hotmail.com
- Ever-improving security
Non-executable stack on i386, sparc (sun4m only), sparc64, alpha, and macppc platforms. Non-executable data and bss on sparc (sun4m only), sparc64 and alpha. This makes the system more resistant to buffer overflow attacks.
By RC () on
If you checked:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/
you would see that there are no patches for 3.2 (yet). Now, that would imply that either the OpenBSD team is not on the ball, or it's not an issue. I would have to assume the latter is true.
By anders () on
so if under inspection of the necessary code it seems that the patch has not been applied, then it probably hasn't, even if there is no errata to support it yet.
solution: apply the patch. if it turns out later you are wrong, just resync your source and build world again. better safe than sorry.
By Anonymous Coward () on
"Do not build kf and kfd because of security issues in them and heimdal 0.5 will not be merged in 3.2."
Sounds to me like they know what is going on.
By RC () on
Now, in 3.2 MPlayer refuses to compile from the ports. For one thing, it checks for pthreads & binutils... If a newer binutils is installed, it can't detect pth, and it needs the newer binutils to work. I removed the pthread & the binutils check, tried with 3 versions of binutils, all failed miserably. Of course, this is after I installed the packages of all its dependencies.
Why packages and not from ports, you ask? Simply because each and every last one failed miserably (I believe, because of the newer binutils). Of course I could install the mplayer package right? Well it looks like someone neglected to make a package of it... you can install packages that depend on MPlayer, but MPlayer is mysteriously absent.
In fact, with binutils installed, Mozilla couldn't even detect that gtk+ was installed...
I like OpenBSD a lot, but this kind of stuff continues to convince me that OpenBSD is just not ready for the desktop.
By Anonymous Coward () on
When I get my 3.2 cd's in the mail (anytime now :) ), we'll see what it does ;)
By jolan () on
It's not mysteriously absent:
PERMIT_PACKAGE_CDROM= "patents"
PERMIT_PACKAGE_FTP= "patents"
PERMIT_DISTFILES_CDROM= Yes
PERMIT_DISTFILES_FTP= Yes
Anyway, it works fine for all the people I have talked to. Perhaps you could filter out the whining from your post and submit a quality bug report?
Mozilla works fine when binutils is installed. You must have seriously botched your system.
By RC () on
The only thing I did before attempting to install MPlayer is to install XFce (which also installs glib, gtk, libjpeg, libpng, etc).
As for the 'whining' as you put it, that is because this is typical of my experience with the Ports system & OpenBSD. If this was an isolated incident, I would not mind it much.
As for filing bug reports, I've done it in the past, only to watch as it is completely ignored... If it doesn't particularly interest one of the developers, you aren't going to see it fixed.
That said, I appreciate hearing that it is working fine for others... That narrows down the possibilities. Perhaps OpenBSD just doesn't like something about my test system? Although I can't imagine why that might be the case.
By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org
I'm reasonably sure you are doing something utterly stupid or unsupported, or both.
Because mplayer works.
In fact, over 99% of the ports tree routinely compiles without failure on my system...
By zil0g () on
although I have problems _running_ some ports, nessus fi - it hardlocks my poor laptop when starting the scan :(
will try it again on 3.2
By RC () on
Since when is "make && make install" utterly stupid or unsupported?
It was a completely fresh install, and the only thing I'd installed before it was XFce (from the ports).
That said, I've just submitted the bug report... From past experience, I don't expect much.
By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org
I see exactly zilch in our bug reports database...
By RC () on
This forum isn't exactly suited to long discussions. You can e-mail me (within the next 72 hours) at rc@spamhole.com ...
By Not Really Anonymous () on
I like OpenBSD a lot, but this kind of stuff continues to convince me that OpenBSD is just not ready for the desktop.
_quote_
Well, OpenBSD is not focusing on the desktop.
By Dom De Vitto () dom@devitto.com on mailto:dom@devitto.com
:-(
Dom
By Anonymous Coward () on
But I wonder whether the patch to fix this hole was included in 3.2 anyway? It would seem strange to me if a security-conscious operating system/distribution like OpenBSD shipped a release with a bug which has been known for some weeks already...
By Anonymous Coward () on
But it doesn't count since apache isn't started - the user has to enable it, this sux!
I can accept that the holes in the ports collection aren't counted, but since apache comes with it I think that holes in it should be counted as well.
Apache comes with OpenBSD and there has only been 1 remote hole in nearly 6 years and that wasn't apache so my apache installation is OK - THIS IS NOT TRUE!
By zil0g () on
the way I understood "default install" was that every service - started or not - was counted, I mean it would be kinda silly otherwise... And like uhm, think it was Theo himself, said "the whole point of a server is to have SERVICES and they should be usable (secure)" (not his exact words, but something to that extent).
so IF a-patch-e really IS vulnerable, then that's a shame, but such is life, like Art said - it takes a while to get the release ready.
and just how many here are running generic, unpatched releases on your "server farms" humm?
By Anonymous Coward () on
As I understood "default install", only services that were started were counted. So services that were not started can still be vulnerable without counting in regards to that statement.
By Dr. Noah Body () on
* CAN-2002-0839 (cve.mitre.org): Affects installs where System V shared memory based scoreboards are used. AFAIK, the default OBSD apache does not use System V shared memory
* CAN-2002-0840 (cve.mitre.org): Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present.
Again, AFAIK, the default install has UseCanonicalName set to "On". Not sure about the DNS reference, but all DNS on OBSD is handled by the resolver, and not Apache (by default)
* CAN-2002-0843 (cve.mitre.org): Local exploit in "ab", not httpd. This is not a real remote exploit, but one where an unsuspecting user of ab could contact a malicious server that could do bad things.
My point is that these problems are not so dire, and probably do not affect a default install.
My other point is that we know that the OBSD team does not bump up the Apache version for things like this. They usually check in a patch, but the version remains the same (as it should). This is much safer than slurping in the next release of Apache.
Has anyone checked the diffs to see if Apache has been patched in 3.2?
By Iain Kyte () ikyte@yah00.com on mailto:ikyte@yah00.com
So, any plans to develop SMP?
Do we want a single Kernel or one for single and another for multiple processor systems?
Upgrade the Compiler to GCC 3.2?
Use or replace OpenSSL?
Any other design, ideas and projects?
Also would be nice to have a request for donation page for Hardware requests and offers on the main site. Else reply with URL to this comment.
Iain
By Anonymous Coward () on
put yer specs on grand dad :]
By Anonymous Coward () on
* Intel i82586/i82596-based Ethernet cards (i.e., BusLogic Bt763E EISA, Intel Flash32 EISA, Cogent eMaster EM935/EM932 EISA, AT&T StarLAN 10, AT&T EN100)
I emailed Theo offering a couple of Flash32 cards a year ago, he never sent a reply. I emailed again two weeks later, again no reply. I tossed them out, he obviously didn't want them.
By Anonymous Coward () on
Try emailing the developer who usually works on that stuff directly next time - you might just have better luck with such an approach.
By Anonymous Coward () on
Can't wait to upgrade my box :)
It should not be any problem to upgrade through cvsup?
By Anonymous Coward () on
Many users will want to reinstall from scratch and not upgrade, as architecture changes on some platforms as well as enhanced security features are best taken advantage of that way.
I run an OpenBSD web server on i386. I would really like to avoid reinstalling from scratch, if I could. What security features would I be not taking advantage of by simply upgrading?
By Too lazy to reinstall () on
If I'm going to freshly install, I'm probably going to want bigger hardware, as my little home network has grown into several supported client nodes, all requiring DHCP, DNS and a few other acronyms that clients always want. That, and I'm hosting more than one web site now, most of which is on MySQL.