OpenSSH 9.7/9.7p1 released!
Contributed by grey on from the now with more bug fixes dept.
The complete release notes may be found here: https://www.openssh.com/releasenotes.html#9.7p1
OpenBSD Journal
Contributed by rueda on from the again-and-again-and dept.
Version 0.97 of Game of Trees has been released (and the port updated).
* got 0.97; 2024-03-11
  see git repository history for per-change authorship information
- improve error messages shown upon execv failure
- fix 'gotadmin pack' crash upon Ctrl-C due to invalid imsg_free()
- significantly speed up deltification of large files
- improve error handling in got_privsep_recv_imsg()
Just in time for the release of OpenBSD 7.5!
Contributed by rueda on from the Just before a March new moon, new TLS library versions! dept.
The LibreSSL project has announced the release of version 3.8.3, and (development) version 3.9.0 of the software.
The announcement for version 3.8.3 reads:
We have released LibreSSL 3.8.3, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the second stable release for the 3.8.x branch.

It includes the following changes from LibreSSL 3.8.2

* Portable changes
  - Removed assert pop-ups with Windows debug builds.
  - Fixed crashes and hangs in Windows ARM64 builds.
  - Improved control-flow enforcement (CET) support.

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.
Contributed by Peter N. M. Hansteen on from the routed in a route, bordering dept.
The release announcement reads,
Subject: OpenBGPD 8.4 released
From: Claudio Jeker <claudio () openbsd ! org>
Date: 2024-03-07 13:12:51

We have released OpenBGPD 8.4, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.
Contributed by Peter N. M. Hansteen on from the key my route dept.
In what can only be called a great stride forward in routing security, Sebastian Benoit (benno@) announced the availability of rpki-client version 9.0.
The announcement reads,
Subject: rpki-client 9.0 released
From: Sebastian Benoit <benno () openbsd ! org>
Date: 2024-03-03 17:24:06

rpki-client 9.0 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.
Contributed by Peter N. M. Hansteen on from the puffing up the versions again dept.
A clear sign that the OpenBSD 7.5 release cycle is entering the final phases just emerged.
In this commit, Theo de Raadt (deraadt@) changed the version string to 7.5:
From: Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date: 2024-02-29 17:05:10

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2024/02/29 10:05:10

Modified files:
  sys/conf : newvers.sh

Log message:
move from 7.5-beta to 7.5
ppp(4) enabled in -current.
Contributed by Janne Johansson on from the upppgrading to the sixes dept.
In this commit, Denis Fondras (denis@) added code to allow IPv6 over PPP.
The message reads,
Subject: CVS: cvs.openbsd.org: src
From: Denis Fondras <denis () cvs ! openbsd ! org>
Date: 2024-02-28 16:08:34

CVSROOT: /cvs
Module name: src
Changes by: denis@cvs.openbsd.org 2024/02/28 09:08:34

Modified files:
  share/man/man4 : ppp.4
  sys/net : if_ppp.c if_pppvar.h

Log message:
Enable IPv6 AF for ppp(4)
OK claudio@
With this one commit, the brave new world of IPv6 opens up to a whole chunk of traditional-style Internet users.
mwx(4), another new wi-fi driver, added to -current
Contributed by rueda on from the it's-raining-wi-fi-drivers dept.
Hot on the heels of qwx(4) [see earlier report], and soon after going -beta, -current has gained another new wi-fi driver - mwx(4). Claudio Jeker (claudio@) committed the import:
CVSROOT: /cvs
Module name: src
Changes by: claudio@cvs.openbsd.org 2024/02/21 03:48:10

Modified files:
  sys/dev/pci : files.pci
Added files:
  sys/dev/pci : if_mwx.c if_mwxreg.h

Log message:
Import mwx(4) a driver for Mediatek MT7921 and MT7922 802.11ax devices

This is work in progress. Scan works, RX of packets is more or less there but TX does not work yet. The packets are passed to the chip but get stuck or ignored there. It is easy to hang the device or the system since device reset is not quite right (like many other bits). Also this is only for MT7921 right now since I have no access to a MT7922 device. Lots of pushing from deraadt@ to commit this now.
So, WIP and MT7921-only [at this stage], but very promising.
Contributed by Janne Johansson on from the don't pee on the electric fence dept.
If you run recent OpenBSD on certain amd64 or aarch64 platforms, indirect branching to an "unexpected" location will crash your program, in order to prevent ROP attacks and similar ways to have your program execute code where it shouldn't.
The OpenBSD compiler will insert an extra instruction in all the places where a branch is supposed to land, and if it lands anywhere else, a CPU fault is raised and your program gets an "Illegal Instruction".
Previously, crashes of this kind have looked more or less like any other kind of fault where code is executing random data or from random locations, but since the kernel knows when this has happened, we can make it explicit that the fault is due to missing branch target instructions, which will help a lot when debugging.
Link to the commit here.
OpenBSD 7.4
015 | 2024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
014 | 2024-02-29 SECURITY vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
013 | 2024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
012 | 2024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
011 | 2023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.
010 | 2023-12-14 SECURITY Fix out of bounds memory accesses in XRandR and XKB X server extensions. CVE-2023-6377 CVE-2023-6478
OpenBSD 7.3
027 | 2024-03-18 SECURITY In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
026 | 2024-02-13 SECURITY DNSSEC protocol vulnerabilities have been discovered that render various DNSSEC validators victims of Denial Of Service while trying to validate specially crafted DNSSEC responses. Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
025 | 2024-01-16 SECURITY Fix multiple xserver heap buffer overflows, out of bounds memory accesses and memory corruption. CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409
024 | 2023-12-18 SECURITY An SSH protocol weakness (the Terrapin Attack) exists that allows an on-path adversary to disable keystroke timing obfuscation.
023 | 2023-12-14 SECURITY Fix out of bounds memory accesses in XRandR and XKB X server extensions. CVE-2023-6377 CVE-2023-6478
022 | 2023-12-10 RELIABILITY vmm(4) restored stale GDTR & TR values on vm exit which could lead to memory corruption or kernel deadlocks.
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]