OpenBSD Journal

mandoc-1.14.5 released

Contributed by Peter N. M. Hansteen on from the table of the man dept.

Ingo Schwarze wrote in with the announcement of a new mandoc release. Ingo writes,

I just released mandoc-1.14.5. This is a regular maintenance release. As structural changes are quite limited, i expect it to be very stable, so all downstream systems are encouraged to upgrade from any earlier version.

a2k19 Hackathon Report: Antoine Jacoutot on ports, syspatch(8), and more

Contributed by rueda on from the do devices hotplug counterclockwise down under dept.

We are delighted to have received an a2k19 hackathon report: Antoine Jacoutot (ajacoutot@) writes:

Better (very) late than never… here's my small report about my a2k19 hackathon slacking time in Wellington (NZ).

The "Antipodean" hackathon they call it. Indeed, it took me 28h to get there from Paris via Singapore! Fortunately, I met with phessler@ and cheloha@ right on arrival at the airport. From there we went directly into town to visit the different bars with mlarkin@ as our guide :-).
The challenge was to find a way to keep us awake (12h of jet lag for me), and going around 6 different bars did the trick :-)

Using a Yubikey as smartcard for SSH public key authentication

Contributed by Sebastian Benoit (benno@) on from the token dept.

SSH is an awesome tool. Logging into other machines securely is so pervasive to us sysadmins nowadays that few of us think about what's going on underneath. Even more so once you start using the more advanced features such as the ssh-agent, agent-forwarding and ProxyJump. When doing so, care must be taken in order to not compromise one's logins or ssh keys.

6.5-beta has been tagged

Contributed by Paul 'WEiRD' de Weerd on from the time flies dept.

It's that time of year again; Theo (deraadt@) has just tagged 6.5-beta. A good reminder for us all to run an extra test install and see if your favorite port still works as you expect.

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org 2019/02/26 15:24:41

Modified files:
        etc/root       : root.mail
        share/mk       : sys.mk
        sys/conf       : newvers.sh
        sys/sys        : ktrace.h param.h
        usr.bin/signify: signify.1
        sys/arch/macppc/stand/tbxidata: bsd.tbxi

Log message:
crank to 6.5-beta

New VPN FAQ

Contributed by rueda on from the Virtually Problematic Njetworks dept.

Landry Breuil (landry@) has committed a work-in-progress FAQ section "Virtual Private Networks (VPN)":

CVSROOT:	/cvs
Module name:	www
Changes by:	landry@cvs.openbsd.org	2019/02/22 15:07:05

Modified files:
	faq            : index.html 
Added files:
	faq            : faq17.html 

Log message:
Add a (wip!) VPN FAQ, because 'How do i VPN with OpenBSD?' seems to be a
frequently asked question, and IPSec is hard. Now is the time to polish
it in-tree.

With feedback from solene@, tj@, tb@ & sthen@, thanks!
ok tb@ tj@

Improvements to X86FixupGadgets pass of clang(1)

Contributed by rueda on from the all your returns are belong to us dept.

Todd Mortimer (mortimer@) has committed improvements to the anti-ROP "X86FixupGadgets" pass of clang(1) for amd64 and i386:

CVSROOT:	/cvs
Module name:	src
Changes by:	mortimer@cvs.openbsd.org	2019/02/22 08:28:43

Modified files:
	gnu/llvm/lib/Target/X86: X86FixupGadgets.cpp X86InstrCompiler.td 
	                         X86MCInstLower.cpp 
	gnu/llvm/tools/clang/include/clang/Driver: Options.td 
	gnu/llvm/tools/clang/lib/Driver/ToolChains: Clang.cpp 
	share/man/man1 : clang-local.1 

Log message:
Improve the X86FixupGadgets pass:
- Target all four kinds of return bytes (c2, c3, ca, cb)
- Fix up instructions using both ModR/M and SIB bytes
- Force alignment before instructions with return bytes in immediates
- Force alignment before instructions that have return bytes in their encoding
- Add a command line switch to toggle the functionality.

ok deraadt@ 

This extends the previous work to cover more cases in which a byte inside the encoding of an ordinary instruction (a ModR/M or SIB byte, an immediate, or another operand byte) could be reached by a branch into the middle of the instruction and decoded as a return instruction, giving an attacker a ROP gadget the compiler never intended to emit.
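To make the problem concrete, here is an added example; it is not code from OpenBSD or from the LLVM pass. It is a small C program with a hand-encoded x86-64 instruction sequence (constructed for this example) in which c3 or c2 appears as an immediate, a ModR/M byte, a SIB byte and a displacement. Since x86 instructions are variable length and the CPU imposes no alignment on branch targets, a jump into the middle of any of these re-decodes that byte as a return, which is exactly the tail a ROP gadget needs. The scanner counts such "unintended" return bytes and ignores the one genuine ret that sits at an instruction boundary. The field labels, the instruction table and the function names are assumptions of the example, not output of the pass.

```c
/*
 * Added example, not code from OpenBSD or LLVM.  It shows why the
 * X86FixupGadgets pass cares about bytes *inside* instructions: on x86 a
 * branch into the middle of an instruction re-decodes from that byte, so
 * c2/c3/ca/cb embedded in an encoding become ret / ret imm16 / retf.
 *
 * The instruction bytes below are hand-encoded x86-64 (constructed sample).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE 64

struct insn {
    const char *text;      /* Intel-syntax disassembly */
    uint8_t     bytes[8];
    size_t      len;
    const char *ret_field; /* encoding field holding a return byte, or NULL */
};

/* Constructed sample: each encoding was checked by hand against the
 * x86 opcode map (ModR/M c3 = mod 11, reg eax, r/m ebx; SIB c3 = rbx+rax*8). */
static const struct insn sample[] = {
    { "mov eax, 0xc3",        {0xb8, 0xc3, 0x00, 0x00, 0x00}, 5, "imm32"  },
    { "add ebx, eax",         {0x01, 0xc3},                   2, "ModR/M" },
    { "mov eax, [rbx+rax*8]", {0x8b, 0x04, 0xc3},             3, "SIB"    },
    { "mov eax, [rbx-0x3e]",  {0x8b, 0x43, 0xc2},             3, "disp8"  },
    { "xor eax, eax",         {0x31, 0xc0},                   2, NULL     },
    { "ret",                  {0xc3},                         1, "opcode" },
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* The four opcodes the pass targets: ret imm16, ret, retf imm16, retf. */
int is_return_byte(uint8_t b)
{
    return b == 0xc2 || b == 0xc3 || b == 0xca || b == 0xcb;
}

/* Concatenate the sample into a flat code buffer and record the offset at
 * which each instruction starts.  Returns the number of bytes written. */
size_t flatten(uint8_t *code, size_t cap, size_t *starts, size_t nstarts)
{
    size_t off = 0;
    for (size_t i = 0; i < NSAMPLE && i < nstarts; i++) {
        if (off + sample[i].len > cap)
            break;
        starts[i] = off;
        memcpy(code + off, sample[i].bytes, sample[i].len);
        off += sample[i].len;
    }
    return off;
}

/* Count return bytes that do NOT sit at an instruction boundary: each one
 * is a "ret" a gadget chain could branch into.  The intended return at a
 * boundary is not counted. */
size_t count_unintended_returns(const uint8_t *code, size_t len,
                                const size_t *starts, size_t nstarts)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        if (!is_return_byte(code[off]))
            continue;
        int at_boundary = 0;
        for (size_t i = 0; i < nstarts; i++)
            if (starts[i] == off) { at_boundary = 1; break; }
        if (!at_boundary)
            n++;
    }
    return n;
}

/* Run the scan over the whole constructed sample. */
size_t sample_unintended_returns(void)
{
    uint8_t code[MAX_CODE];
    size_t starts[NSAMPLE];
    size_t len = flatten(code, sizeof code, starts, NSAMPLE);
    return count_unintended_returns(code, len, starts, NSAMPLE);
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++) {
        printf("%-24s", sample[i].text);
        for (size_t j = 0; j < sample[i].len; j++)
            printf(" %02x", sample[i].bytes[j]);
        if (sample[i].ret_field)
            printf("   <- return byte in %s", sample[i].ret_field);
        putchar('\n');
    }
    printf("%zu unintended return byte(s) in the sample\n",
           sample_unintended_returns());
    return 0;
}
```

Of the five return bytes in the sample, four are unintended: the pass removes such cases either by choosing a different encoding (a different register turns ModR/M c3 into something harmless, for instance `add ecx, eax` is 01 c1) or, where the byte is part of an immediate or other operand that cannot be changed, by aligning the instruction as the commit message describes.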

Faster vlan(4) forwarding? - blog post by mpi@

Contributed by Peter N. M. Hansteen on from the ffwd all the vlans dept.

Hrvoje Popovski wrote in to alert us that Martin Pieuchot (mpi@) has written a new blog post entitled Faster vlan(4) forwarding?, which leads in with

Two years ago we observed that vlan(4) performances suffered from the locks added to the queueing API. At that time, the use of SRP was also pointed out as possibly responsible for the regression. Since dlg@ recently reworked if_enqueue() to allow pseudo-drivers to bypass the use of queues, and their associated locks, let's dive into vlan(4) performances again.

Read the whole thing here: Faster vlan(4) forwarding?

openrsync imported into the tree

Contributed by rueda on from the diving-into-base dept.

openrsync, a clean-room implementation of rsync, is being developed by Kristaps Dzonsons as part of the rpki-client(1) project [featured in an earlier article]. openrsync(1) has been imported into the tree (as "rsync") by Sebastian Benoit (benno@):

CVSROOT:	/cvs
Module name:	src
Changes by:	benno@cvs.openbsd.org	2019/02/10 16:18:28

Added files:
	usr.bin/rsync  : Makefile TODO.md blocks.c child.c client.c 
	                 downloader.c extern.h fargs.c flist.c hash.c 
	                 io.c log.c main.c md4.c md4.h mkpath.c 
	                 receiver.c rsync.1 rsync.5 rsyncd.5 sender.c 
	                 server.c session.c socket.c symlinks.c 
	                 uploader.c 

Log message:
Import Kristaps' openrsync into the tree.
OK deraadt@

The "Security" section on the GitHub site contains a description of openrsync's use of OpenBSD's security features.

At the time of writing, rsync is not yet linked to the build.

OpenBSD Errata

OpenBSD 6.4

015  2019-03-22  SECURITY     A state in pf could pass ICMP packets to a destination IP address that did not match the state.
014  2019-03-01  SECURITY     Fragmented IPv6 packets may be erroneously passed by pf or lead to a crash.
013  2019-01-27  SECURITY     The unveil() system call can leak memory.
012  2019-01-27  RELIABILITY  Missing length checks in the NFS server and client can lead to crashes and other errors.
011  2019-01-27  SECURITY     The mincore() system call can be used to observe memory access patterns of other processes.
010  2018-12-22  SECURITY     The setsockopt(2) system call could overflow mbuf cluster kernel memory by 4 bytes.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]