OpenBSD Journal

Package updates for -stable branch now available for amd64, i386 soon

Contributed by Peter N. M. Hansteen on from the a stab at stability, packed dept.

In a very welcome development, Solene Rapenne (solene@) announced that binary package updates for the most popular platforms will be available for the latest OpenBSD release.

The announcement reads:

The OpenBSD base system has received binary updates for security and some other important problems in the base OS through syspatch(8) for the last few releases.

We are pleased to announce that we now also provide selected binary packages for the most recent release. These are built from the -stable ports tree which receives security and a few other important fixes:

-release: fixed point in time, no update (6.3, 6.4, 6.5, ...).
-stable: conservative updates only. For ports, only the most recent release is updated (currently 6.5).
-current: main development branch, receives bigger changes.

Read more…

6.6-beta has been tagged

Contributed by rueda on from the here-we-go-again dept.

Theo de Raadt (deraadt@) has just tagged 6.6-beta:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2019/08/09 21:56:02

Modified files:
	etc/root       : root.mail 
	share/mk       : sys.mk 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	sys/conf       : newvers.sh 
	sys/sys        : param.h 
	usr.bin/signify: signify.1 

Log message:
move to 6.6-beta

This serves as an excellent reminder to test both base and ports, and to report problems.

Game of Trees

Contributed by rueda on from the got-to-do-things-properly dept.

Stefan Sperling (stsp@) is developing a version control system, "Game of Trees". From <https://gameoftrees.org/>:

Game of Trees (Got) is a version control system which prioritizes ease of use and simplicity over flexibility.

Got is still under development; it is being developed exclusively on OpenBSD and its target audience are OpenBSD developers.

Got uses Git repositories to store versioned data. At present, Got supports local version control operations only. Git can be used for any functionality which has not yet been implemented in Got. It will always remain possible to work with both Got and Git on the same repository.

GoT has been added to the ports tree as devel/got.

It is the subject of a talk at EUROBSDCON 2019.

Stefan has been involved in the discussion on Lobste.rs.

snmp(1) added to -current

Contributed by rueda on from the manage me simply dept.

Martijn van Duren (martijn@) has committed a new Simple Network Management Protocol (SNMP) client, snmp(1):

CVSROOT:	/cvs
Module name:	src
Changes by:	martijn@cvs.openbsd.org	2019/08/09 00:17:59

Added files:
	usr.bin/snmp   : Makefile mib.c mib.h smi.c smi.h snmp.1 snmp.c 
	                 snmp.h snmpc.c 

Log message:
Import snmp(1), a new snmp client which aims to be netsnmp compatible for
supported features.  It only supports get, getnext, walk, bulkget, bulkwalk,
trap, mibtree, and is SNMPv1 and SNMPv2c for now.

This will shortly replace snmpctl entirely. People using snmpctl are encouraged
to test and migrate to this code as soon as possible.

Much help with the manpage from schwarze@ and jmc@
No objections from reyk@
"Roll it in" deraadt@

This should be appearing in snapshots shortly; if you use snmpctl much today, please do test and report back to Martijn about any unexpected behaviour or possibly even feature requests.

tpmr(4) driver added to -current

Contributed by rueda on from the help you step over trolls dept.

David Gwynne (dlg@) has committed to -current another new network driver - an 802.1Q Two-Port MAC Relay driver, tpmr(4). The main commit message explains the raison d'être:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2019/07/31 21:05:46

Added files:
	sys/net        : if_tpmr.c 

Log message:
add tpmr(4), a quick and dirty 802.1Q Two-Port MAC Relay implementation

a TPMR is a simplified bridge (as supported by bridge(4)). it only
supports two ports, and unconditionally forwards frames between
them. this is unlike a real bridge which can support an arbitrary
number of ports and implements a learning algorithm.

Read more…

OpenBGPD 6.5p1 released.

Contributed by Janne Johansson on from the patching up the intarwebs, one route at a time dept.

Claudio Jeker (claudio@) has announced the release of a new version of OpenBGPD:

We have released OpenBGPD 6.5p1, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.  This is
the first stable update for the 6.5 version.

Read more…

OpenBSD::Unveil(3p) added to -current

Contributed by rueda on from the OpenBSD::Pledge(3p)-makes-a-friend dept.

Andrew Fresh (afresh1@) has committed OpenBSD::Unveil(3p), a Perl interface to unveil(2):

CVSROOT:	/cvs
Module name:	src
Changes by:	afresh1@cvs.openbsd.org	2019/07/09 14:41:54

Added files:
	gnu/usr.bin/perl/cpan/OpenBSD-Unveil: Unveil.xs 
	gnu/usr.bin/perl/cpan/OpenBSD-Unveil/lib/OpenBSD: Unveil.pm 
	gnu/usr.bin/perl/cpan/OpenBSD-Unveil/t: OpenBSD-Unveil.t 

Log message:
Add OpenBSD::Unveil, a perl interface to unveil(2)

OK brynet@, bluhm@

This parallels OpenBSD::Pledge(3p) / pledge(2).

aggr(4) driver added to -current

Contributed by rueda on from the aggregating bonded trunks dept.

David Gwynne (dlg@) has committed to -current a dedicated Link Aggregation (IEEE 802.1AX) driver, aggr(4). The main commit message explains the raison d'être:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2019/07/04 19:35:58

Added files:
	sys/net        : if_aggr.c 

Log message:
add aggr(4), a dedicated driver that implements 802.1AX link aggregation

802.1AX (formerly known as 802.3ad) describes the Link Aggregation
Control Protocol (LACP) and how to use it in a bunch of different
state machines to control when to bundle interfaces into an
aggregation.

technically the trunk(4) driver already implements support for
802.1AX, but it had a couple of problems i struggled to deal with
as part of that driver. firstly, i couldn't easily make the output
path in trunk mpsafe without getting bogged down, and the state
machine handling had a few hard to diagnose edge cases that i couldn't
figure out.

the new driver has an mpsafe output path, and implements ifq bypass
like vlan(4) does. this means output with aggr(4) is up to twice
as fast as trunk(4). the implementation of the state machines as
per the standard means the driver behaves more correctly in edge
cases like when a physical link looks like it is up, but is logically
unidirectional.

the code has been good enough for me to use in production, but it
does need more work. that can happen in tree now instead of carrying
a large diff around.

some testing by ccardenas@, hrvoje popovski, and jmatthew@
ok deraadt@ ccardenas@ jmatthew@

OpenBSD Errata

OpenBSD 6.5

008 2019-08-09 SECURITY Intel CPUs have another cross privilege side-channel attack. (SWAPGS)
007 2019-08-02 RELIABILITY smtpd can crash on excessively large input, causing a denial of service.
006 2019-07-25 RELIABILITY By creating long chains of TCP SACK holes, an attacker could possibly slow down the system temporarily.
005 2019-06-10 RELIABILITY TLS handshakes fail if a client supporting TLS 1.3 tries to connect to an OpenBSD server and sends a key share extension that does not include X25519.
004 2019-06-10 RELIABILITY Several issues were corrected in bgpd: "network" statements with no fixed prefix were incorrectly removed when configuration was reloaded, "export default-route" did not work, and "network 0.0.0.0/0" could not be used in some cases.
003 2019-05-29 SECURITY Intel CPUs have a cross privilege side-channel attack (MDS).

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]