OpenBSD Journal

Meltdown fix committed by guenther@

Contributed by Paul 'WEiRD' de Weerd from the so-hot-off-the-press-it-melts-your-cpu dept.

Meltdown mitigation is coming to OpenBSD. Philip Guenther (guenther@) has just committed a diff that implements a new mitigation technique in OpenBSD: separation of the page tables used by the kernel and by userland, so that kernel memory is not mapped while user code runs. This mitigates Meltdown, which affects most Intel CPUs. Both Philip and Mike Larkin (mlarkin@) spent a lot of time implementing this solution and talking to people from other projects about the best approaches.

In the commit message, Philip briefly describes the implementation:

Read more…

a2k18 Hackathon preview: Syncookies coming to PF

Contributed by Peter N. M. Hansteen from the puffies-or-cookies-for-you dept.

As you may have heard, the a2k18 hackathon is in progress. As can be seen from the commit messages, several items of goodness are being worked on.

One eagerly anticipated item is the arrival of TCP syncookies (read: another important tool in your anti-DDoS toolset) in PF. Henning Brauer (henning@) added the code in a series of commits on February 6th, 2018, with this one containing the explanation:

Read more…
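The property that makes SYN cookies an anti-DDoS tool can be shown in a few dozen lines. The block below is an added illustration of the generic scheme described in RFC 4987; it is not PF's code, and PF's cookie layout, MSS table and secret handling differ. The constants MSS_TABLE, COOKIE_LIFETIME_TICKS and SECRET, the listener class and the flood scenario are assumptions made for this example. A server answering SYNs this way keeps no half-open state: the initial sequence number it sends back is a keyed MAC over the connection 4-tuple plus a coarse timestamp, and state is allocated only when a matching ACK comes back within the cookie lifetime.

```python
"""Stateless TCP SYN cookies, the RFC 4987 idea in miniature.

Added example, not PF's implementation: PF's encoding, MSS table and
validation differ. The ISN we send in the SYN-ACK is a MAC over the 4-tuple
and a coarse tick, so no half-open entry is needed and a SYN flood costs
CPU rather than memory.
"""
import hashlib
import hmac
import struct

# Assumed parameters for this illustration, not values taken from PF.
MSS_TABLE = (536, 1300, 1440, 1460)   # 2-bit index of the MSS we may echo back
COOKIE_LIFETIME_TICKS = 2             # accept cookies up to ~128 s old
SECRET = b"constructed per-boot secret; random and rotated in practice"


def _tick(now):
    """Coarse clock: 64-second ticks."""
    return int(now) >> 6


def _mac(saddr, sport, daddr, dport, tick):
    """24-bit keyed MAC over the 4-tuple and the full tick value."""
    data = saddr + daddr + struct.pack("!HHQ", sport, dport, tick)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, now):
    """Build the 32-bit ISN: 5 bits of tick, 2 bits of MSS index, 24 bits of MAC."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):     # largest table entry not above the peer's MSS
        if m <= mss:
            idx = i
    tick = _tick(now)
    return ((tick & 0x1F) << 27) | (idx << 24) | _mac(saddr, sport, daddr, dport, tick)


def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Return the MSS encoded in a valid cookie, else None. ack is the peer's ACK number."""
    cookie = (ack - 1) & 0xFFFFFFFF                   # the client ACKs our ISN + 1
    t5, idx, mac = cookie >> 27, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    for age in range(COOKIE_LIFETIME_TICKS + 1):
        tick = _tick(now) - age
        if (tick & 0x1F) != t5:
            continue
        expected = _mac(saddr, sport, daddr, dport, tick)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
        return None                                   # tick matched, MAC did not: forged
    return None                                       # too old, or tick from the future


class SyncookieListener:
    """Server side of the handshake; stores nothing until an ACK validates."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}          # (saddr, sport) -> negotiated MSS

    def on_syn(self, saddr, sport, mss, now):
        # No half-open entry is created; everything lives in the ISN we send back.
        return make_cookie(saddr, sport, self.addr, self.port, mss, now)

    def on_ack(self, saddr, sport, ack, now):
        mss = check_cookie(saddr, sport, self.addr, self.port, ack, now)
        if mss is None:
            return False               # forged, replayed or stale: drop, still no state
        self.established[(saddr, sport)] = mss
        return True


def flood_then_connect(n_spoofed, now):
    """Constructed scenario: n spoofed SYNs that never complete, then one real
    handshake. Returns (table size after the flood, MSS of the real connection)."""
    srv = SyncookieListener(bytes([198, 51, 100, 1]), 25)
    for i in range(n_spoofed):         # attacker: spoofed 192.0.2.x sources, no ACKs
        srv.on_syn(struct.pack("!I", 0xC0000200 + (i % 256)), 1024 + i % 60000, 1460, now)
    size_after_flood = len(srv.established)       # no per-SYN state exists, so still 0
    client = (bytes([203, 0, 113, 5]), 51515)
    isn = srv.on_syn(*client, 1440, now)
    srv.on_ack(*client, (isn + 1) & 0xFFFFFFFF, now + 10)
    return size_after_flood, srv.established.get(client)
```

The cost of the scheme is visible too: the MSS has to be squeezed into two bits, and a cookie that arrives after COOKIE_LIFETIME_TICKS ticks is rejected even if it was genuine, which is why stateless cookies are typically only switched on under flood conditions.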

Remi Locherer's EuroBSDcon 2017 Talk

Contributed by rueda from the connecting the dots dept.

Remi Locherer wrote in:

Last September I gave a talk at EuroBSDcon in Paris. It was about the VPN setup for connecting the branch offices of my employer.
https://2017.eurobsdcon.org/talk-speakers/#RemiLocherer

It was not my first EuroBSDcon but the first time I delivered a talk! I feared that only a few people would show up to my talk, since Michael W. Lucas had his talk at the same time and it also covered an OpenBSD topic. But the room was full and my talk was well received.

After the talk I received a nice gift from the EuroBSDcon organizers: a cartoonist had made drawings of the presenters during their talks!

Read more…

CPU microcode update code for amd64

Contributed by Paul 'WEiRD' de Weerd from the not-very-firm-ware dept.

Patrick Wildt (patrick@) recently committed code that updates the microcode on many Intel CPUs, a diff initially written by Stefan Fritsch (sf@). A CPU's microcode is essentially firmware running inside the processor: it implements parts of the instruction set as sequences of so-called microinstructions, and updating it is how the vendor fixes bugs in silicon that has already shipped. The new code depends, of course, on the corresponding firmware package, ported by Patrick, which can be installed using a very recent fw_update(1). All of this ties into the recently revealed problems in Intel (and other) CPUs, Meltdown and Spectre.

Read more…

Handling of CPU bugs disclosure 'incredibly bad': OpenBSD's de Raadt

Contributed by rueda from the we-are-not-amused dept.

ITWire has published an article regarding Theo de Raadt's (deraadt@) reaction to the Meltdown/Spectre disclosures.

One choice quote reads:

Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies – so it is hard to believe they ignored the risky aspects.

OpenBSD-current now has 'smtpctl spf walk'

Contributed by Peter N. M. Hansteen from the check-my-senders dept.

If you run a mail service, you probably want to have greylisting in place, via spamd(8) or similar means. However, some sites simply do not play well with greylisting, and for those it is useful to extract their SPF records to identify their legitimate outgoing SMTP hosts, which can then be whitelisted.

OpenBSD now offers a straightforward mechanism to do that and fill your nospamd table, right from the smtpctl utility, via the subcommand spf walk. Gilles Chehade (gilles@) describes how in a recent blog post titled spfwalk.

This feature is still in need of testing, so please grab a snapshot and test!
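What an SPF walk actually has to do is worth seeing in code: follow the ip4:, ip6:, include:, redirect=, a and mx mechanisms of a domain's v=spf1 record until nothing but addresses is left, while coping with include: loops and the RFC 7208 lookup limit. The block below is an added example, not OpenBSD's smtpctl(8) implementation; the DNS table, the domain names and the 12-deep include: chain are constructed so that it runs offline, and the output format (one network per line) matches what a pf table file such as /etc/mail/nospamd expects.

```python
"""Walk a domain's SPF records down to the addresses allowed to send its mail.

Added example, not OpenBSD's smtpctl(8) code: it shows the idea of "spf walk"
(follow ip4:/ip6:/include:/redirect=/a/mx until only addresses remain) over a
constructed in-memory DNS so it runs offline.
"""
import ipaddress

# Constructed DNS data standing in for live TXT/A/AAAA/MX lookups.
DNS = {
    "TXT": {
        "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example mx -all"],
        # This record includes itself: a loop the walker has to terminate.
        "_spf.mail.example": ["v=spf1 ip6:2001:db8::/32 a:relay.mail.example "
                              "include:_spf.mail.example ~all"],
        "relay-only.example": ["v=spf1 redirect=_spf.mail.example"],
        "nospf.example": ["just some unrelated TXT record"],
    },
    "A": {"relay.mail.example": ["198.51.100.7"],
          "mx1.example.org": ["203.0.113.10", "203.0.113.11"]},
    "AAAA": {"relay.mail.example": ["2001:db8:1::7"]},
    "MX": {"example.org": ["mx1.example.org"]},
}
# A 12-deep include: chain, constructed to exercise the lookup-limit failure mode.
for i in range(12):
    DNS["TXT"][f"chain{i}.example"] = [f"v=spf1 include:chain{i + 1}.example -all"]

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check


def lookup(rrtype, name):
    return DNS.get(rrtype, {}).get(name, [])


def spf_record(domain):
    """The single v=spf1 TXT record of domain, or None (none or several means no SPF)."""
    recs = [r for r in lookup("TXT", domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def spf_walk(domain):
    """Return (set of ip_network objects, lookup_limit_hit) for domain's sending hosts."""
    nets, seen, state = set(), set(), {"lookups": 0, "limit_hit": False}

    def charge():
        """Spend one DNS-lookup credit; False once the RFC budget is exhausted."""
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            state["limit_hit"] = True
            return False
        return True

    def add_host(host, plen4):
        # Dual-CIDR notation (a//64) is ignored here; IPv6 hosts are taken as /128.
        for rr, plen in (("A", plen4), ("AAAA", 128)):
            for addr in lookup(rr, host):
                nets.add(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def walk(name):
        if name in seen:                 # include:/redirect= loop, seen in the wild
            return
        seen.add(name)
        rec = spf_record(name)
        if rec is None:
            return
        for term in rec.split()[1:]:
            mech = term.lstrip("+-~?")   # qualifiers do not matter for host collection
            if mech.startswith(("ip4:", "ip6:")):
                nets.add(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith("include:"):
                if charge():
                    walk(mech[len("include:"):])
            elif mech.startswith("redirect="):
                if charge():
                    walk(mech[len("redirect="):])
            elif mech == "all" or "=" in mech:
                continue                 # terminal "all" or a modifier such as exp=
            else:
                # a[:domain][/prefix] and mx[:domain][/prefix]; ptr/exists yield no hosts.
                kind, _, arg = mech.partition(":")
                kind, _, plen = kind.partition("/")
                if kind not in ("a", "mx"):
                    continue
                target, _, plen2 = arg.partition("/")
                plen = plen2 or plen
                target = target or name
                if not charge():
                    continue
                hosts = [target] if kind == "a" else lookup("MX", target)
                for host in hosts:
                    add_host(host, int(plen) if plen else 32)

    walk(domain)
    return nets, state["limit_hit"]


def pf_table_lines(domain):
    """Sorted address lines for a pf table file such as /etc/mail/nospamd."""
    nets, _ = spf_walk(domain)
    order = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(nets, key=order)]


if __name__ == "__main__":
    for line in pf_table_lines("example.org"):
        print(line)
```

Two details matter in practice: the seen set is what stops a record that includes itself (or a pair of records that include each other) from looping forever, and a walk that hits the lookup limit should be treated as incomplete rather than silently written to the table, which is why spf_walk reports the limit separately.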

Response to the "Meltdown" Vulnerability

Contributed by rueda from the moronoculture dept.

A message to tech@ from Philip Guenther (guenther@) provides the first public information from developers regarding the OpenBSD response to the recently announced CPU vulnerabilities:

So, yes, we the OpenBSD developers are not totally asleep and a handful of
us are working out how to deal with Intel's fuck-up aka the Meltdown
attack.  While we have the advantage of less complexity in this area (e.g.,
no 32bit-on-64bit compat), there's still a pile of details to work through
about what has to be *always* in the page tables vs what can/should/must be
hidden.

Read it and weep…

BSDCAN2017 Interview with Peter Hessler, Reyk Floeter, and Henning Brauer

Contributed by rueda from the Oxford comma dept.

In a message to misc@, Tom Smyth wrote (in part):

While attending BSDCAN2017 in Ottawa I met many OpenBSD Developers,
and I was fortunate to grab a few moments and video an interview
with Peter Hessler, Henning Brauer and Reyk Floeter and talk to
them about OpenBSD generally.
I really appreciate the guys' generosity in their time on the
interview.
I have posted the video here:
https://www.youtube.com/watch?v=e-Xim3_rJns&feature=youtu.be

Nice work, Tom!


OpenBSD Errata

OpenBSD 6.2

008 2018-02-08 SECURITY A flaw was found in the way unbound validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or to trick unbound into accepting a NODATA proof.
007 2018-02-02 SECURITY If the EtherIP tunnel protocol was disabled, IPv6 packets were not discarded properly. This causes a double free in the kernel.
006 2018-02-02 RELIABILITY Processing IPv6 fragments could incorrectly access memory of an mbuf chain that is not within an mbuf. This may crash the kernel.
005 2018-02-02 RELIABILITY Specially crafted IPsec AH packets with IP options or IPv6 extension headers could crash or hang the kernel.
004 2018-01-14 RELIABILITY An incorrect TLS extensions block is generated when no extensions are present, which can result in handshake failures.
003 2017-12-10 RELIABILITY A number of bugs were discovered in the MPLS stack that can be used to remotely trigger kernel crashes.


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]