OpenBSD Journal

Block spammers/abusive IPs with Pf-badhost in OpenBSD. A 'must have' security tool!

Contributed by Özgür Kazanççı & Jordan Geoghegan on from the blackhole-diversion-joy dept.

Introduction

Pf-badhost is a very practical, robust, stable and lightweight security script for network servers.

It's compatible with BSD-based operating systems such as {Open,Free,Net,Dragonfly}BSD and macOS. It blocks potentially bad IP addresses that could attack your servers (wasting your bandwidth and filling your logfiles) before they can contact your server, which lightens the load on your network and resources and makes the logs of the important services running on your server simpler, more readable and more useful.

Preliminary OpenBSD Support Added to OBS Studio

Contributed by Oliver Lowe on from the Puffy's broadcast broadside dept.

OpenBSD developer Vadim Zhukov (zhukov@) has added preliminary OpenBSD support to Open Broadcaster Software (OBS) Studio release 26.1.0 and later. The changes come as part of an ongoing collaboration between the upstream OBS project and OpenBSD developers.

Preliminary OpenBSD support was added in two commits. One introduced sndio(7) support: it adds a sndio plugin which, Zhukov advises, will provide more reliable, lower-latency audio mixing than the ffmpeg plugin for OpenBSD users. The other provides basic support, such as evaluating OpenBSD-specific filesystem paths.

A link to the release was posted on Reddit, with a title claiming full OpenBSD support. Bryan Steele (brynet@) was quick to provide helpful context in a comment:

Note that this is still a WIP and it hasn't been submitted to the ports mailing list or committed to the ports tree; zhuk@ and others have been working with the upstream. As I understand there are issues that still remain, so "full OpenBSD support" is a bit premature.

sysctl parameter kern.video.record added to -current

Contributed by rueda on from the i-spy-with-my-little-----oh! dept.

With the following commit, Marcus Glocker (mglocker@) added an enhanced privacy control for video recording:

CVSROOT:	/cvs
Module name:	src
Changes by:	mglocker@cvs.openbsd.org	2020/12/28 11:28:11

Modified files:
	sys/dev        : video.c 
	sys/kern       : kern_sysctl.c 
	sys/sys        : sysctl.h 

Log message:
Analog to the kern.audio.record sysctl parameter for audio(4)
devices, introduce kern.video.record for video(4) devices.  By default
kern.video.record will be set to zero, blanking all data delivered
by device drivers which attach to video(4).

The idea was initially proposed by
Laurence Tratt <laurie AT tratt DOT net>.

ok mpi@

This is analogous to kern.audio.record, which was first seen in OpenBSD 6.4.

OpenBSD and you, the 6.8 update

Contributed by Peter N. M. Hansteen on from the Puffy is good for you dept.

Undeadly.org co-editor Peter Hansteen writes in, saying,

On Saturday November 7th I participated remotely in OpenFest 2020 with an updated version of the OpenBSD and you talk.

Recordings will be released after the conference, but I was happy enough with my dry run or backup recording that I'm making that available too, along with the slides to follow along. I hope this will be useful in your advocacy or education on OpenBSD and why the project matters.

In case you were wondering, this is an update on a talk we covered previously, with updates to cover the more recent OpenBSD 6.8.

How the OpenBSD -stable packages are built

Contributed by rueda on from the who-says-i'm-stable? dept.

Solène Rapenne (solene@) has written a blog entry on the software system underlying the building of -stable packages:

In this long blog post, I will write about the technical details of the OpenBSD stable packages building infrastructure. I have set up the infrastructure with the help of Theo De Raadt, who provided me with the hardware in summer 2019; since then, OpenBSD users can upgrade their packages using pkg_add -u for critical updates that have been backported by the contributors. Many thanks to them, without their work there would be no packages to build.

(-stable packages have been the subject of earlier articles.)

Readers are reminded that they can express their gratitude to solene@ and others by donating!

OpenBSD 6.8 Released

Contributed by Peter N. M. Hansteen on from the hacker people, fun and friends dept.

On its 25th birthday, the OpenBSD project has released OpenBSD 6.8, the 49th release.

The new release comes with a large number of improvements and debuts a new architecture, OpenBSD/powerpc64, running on the POWER9 family of processors. The full list of changes can be found in the announcement and on the release page. Some highlights:

Those upgrading from 6.7 should consult the Upgrade Guide.

Thanks to the developers for all the good work that went into this excellent new release!

While your install sets download or your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation or buying T-shirts. Corporate entities may prefer sending some money in the direction of the OpenBSD Foundation, which is a Canadian non-profit corporation.

Cryptographic Signing using ssh-keygen(1) with a FIDO Authenticator

Contributed by rueda on from the token-effort dept.

Introduction

Hitherto, releases of the fwobac software (which underlies Undeadly) have been unsigned. This is overdue for change, so for the latest release [version 1.7], we are providing a digital signature. As signing is being performed manually, why not employ an additional [hardware] factor?

signify(1) does not support the use of FIDO authenticators. However, recent versions of OpenSSH do support signing using the [under-appreciated] -Y sign option of ssh-keygen(1), and with the recent addition of FIDO authenticator support to OpenSSH [as reported previously], we have a means (using tools in base OpenBSD) of using a hardware factor when signing files.

RETGUARD for powerpc and powerpc64 added to -current

Contributed by rueda on from the guard the power dept.

Todd Mortimer (mortimer@) has committed RETGUARD (see previous coverage) for the macppc (powerpc) and powerpc64 platforms:

CVSROOT:	/cvs
Module name:	src
Changes by:	mortimer@cvs.openbsd.org	2020/10/12 08:52:09

Modified files:
	gnu/llvm/clang/lib/Driver/ToolChains: Clang.cpp 
	gnu/llvm/llvm/lib/Target/PowerPC: CMakeLists.txt 
	                                  PPCAsmPrinter.cpp 
	                                  PPCFrameLowering.cpp 
	                                  PPCFrameLowering.h 
	                                  PPCInstrInfo.td 
	gnu/usr.bin/clang/libLLVMPowerPCCodeGen: Makefile 
Added files:
	gnu/llvm/llvm/lib/Target/PowerPC: PPCReturnProtectorLowering.cpp 
	                                  PPCReturnProtectorLowering.h 

Log message:
Add RETGUARD implementation for powerpc and powerpc64.

ok deraadt@ kettenis@

See the Innovations page for the full list of platforms on which RETGUARD is implemented.


OpenBSD Errata

OpenBSD 6.8

012 2021-01-13 RELIABILITY Use of bpf(4) on a carp interface could result in a use after free.
011 2021-01-11 RELIABILITY When an NDP entry is invalidated the associated layer 2 address is not invalidated.
010 2020-12-24 RELIABILITY smtpd's filter state machine can prematurely release resources leading to a crash.
009 2020-12-08 RELIABILITY Process exit in multithreaded programs could result in the wrong exit code being reported.
008 2020-12-08 SECURITY Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference.
007 2020-12-01 SECURITY Multiple input validation failures in the X server XKB extension can lead to out of bounds memory accesses for authorized clients.
