Feed openbsd-journal OpenBSD Journal

OpenBSD Journal

Link http://undeadly.org/
Feed http://undeadly.org/cgi?action=rss
Updated 2023-03-30 17:45
Theo de Raadt at CanSecWest: Synthetic Memory Protections
We recentlyreportedthat Theo de Raadt (derradt@)was scheduled to present atCanSecWest.That's now happened, andslidesof Theo's presentation,Synthetic Memory Protections,can be found in theusual place.Video isavailableon the bird site.
OpenBGPD 7.9 released
Version 7.9 ofOpenBGPDhas beenreleased:
(Even more) Aggressive randomisation of stack location
In a late-stage addition prior to the release ofOpenBSD 7.3,Mark Kettenis (kettenis@) hascommitted[more] aggressive randomisation of the stack locationfor all 64-bit architectures except alpha:Read more…
rpki-client 8.3 released
One small but significant step for routing security on the Internet happened Sunday 19th of March 2023 with the release of version 8.3 of rpki-client.The announcement reads,
-current has moved to 7.3, ports commits restricted pending release
With the followingcommit,Theo de Raadt (deraadt@) moved -current to version 7.3:
OpenBGPD 7.8 released
OpenBGPD 7.8 has been released and the announcement may be read here.
LibreSSL 3.7.1 Released
With a message to openbsd-announce and other lists, Brent Cook (bcook@) announced the release of LibreSSL 3.7.1, with numerous improvements.It is worth noting that this is the final version to be released before the upcoming OpenBSD 7.3 release.The announcement reads,
OpenSSH 9.3/9.3p1 released
On 2023-03-15,the release ofversion 9.3ofOpenSSHwasannounced:Read more…
Theo de Raadt to be presenting at CanSecWest.
Dragos Ruiu recently announced that Theo de Raadt will be presenting at this year's CanSecWest, March 22-24 2023 in Vancouver, BC. Read more…
Game of Trees 0.86 released
Version 0.86ofGame of Treeshas been released (and the portupdated):Read more…
Bug fixing in wscons
Crystal Kolipe has written up more of her work on the console.This time, it regards bugs in the handling ofUTF-8:ExoticSilicon.com - fixing cringeworthy bugs in the OpenBSD console code.As Crystal pointed out in her email to Undeadly,Miod Vallat (miod@) hascommittedfixes.
Converting incoming emails on the fly with OpenSMTPD filters
Wladimir Palanthas written anarticleon use ofOpenSMTPDfilters, andprovided codeunder an MIT license for those who may wish to utilizethe techniques described therein.
Game of Trees 0.85 released
Version 0.85ofGame of Treeshas been released (and the portupdated):Read more…
Initial support for guided disk encryption in the installer
The OpenBSD installer now has basic support for configuring disk encryption during the regular installation process. Previously, disk encryption needed to be set up manually by dropping to the shellfrom the installer.Initial support, likely to be expanded upon, wascommittedby Klemens Nanni (kn@) onMarch 7, 2023.The commit reads,
Dynamic host configuration, please
Another piece from Florian Obser (florian@) just came out, titledDynamic host configuration, please.In the article, Florian details the steps to modern OpenBSDdynamic host configuration, including interface configuration, name resolution, routing and more.We also get an explanation of the various userland programs (most of them portable, some OpenBSD-specific) that make a modern OpenBSD laptop shine.You can read the full piece here, Dynamic host configuration, please.
OpenBSD -current is now 7.3-beta
It's that time of the year again. With this commit,Theo de Raadt (deraadt@) changed the version string for the development branch of OpenBSD to 7.3-beta.The commit reads,
OpenBSD in Canada
We all know the OpenBSD is lead from Canada, but what is the status in that country by and large? Bringing up the subject, Katie McMillan wrote in, saying
Game of Trees 0.84 released
Version 0.84ofGame of Treeshas been released (and the portupdated).Read more…
Theo de Raadt on pinsyscall(2)
Theo de Raadt (deraadt@)posted totech@a message entitledpinsyscall, execve, and rop pivots, etc.It explainspinsyscall(2),OpenBSD's latest securityinnovation.We reproduce the posting below with added links:Read more…
Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD
Florian Obser wrote an extensive piece with great attention to detail titled: Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD.
Using /bin/eject with USB flash drives
Following a wide-ranging thread onmisc@with the subjectSafely remove USB drive,Crystal Kolipe wrote anarticleabout howOpenBSDhandles removable media, centered around theeject(1) command,also known as mt(1).The article leads in,
Tunneling vxlan(4) over WireGuard wg(4)
Rob Turner writes in about a practical guide to runningvxlan(4)over a WireGuard(wg(4))connection.Rob writes,
Game of Trees Daemon - video and slides
At the recently-concludedFOSDEM 2023conference,Stefan Sperling (stsp@)presented a talk onGame of Trees.Videoandslidesof Stefan's presentation are now available.
LibreSSL 3.5.4 and 3.6.2 released
Hot on the heels ofsyspatches for OpenBSD 7.1 and 7.2,Brent Cook (bcook@)announcedthe release of versions 3.5.4 and 3.6.2 ofLibreSSL:
OpenSSH 9.2/9.2p1 released!
OpenSSH 9.2 was released on 2023-02-02. It is available from themirrors listed at https://www.openssh.com/.
Game of Trees 0.83 released
Version 0.83ofGame of Treeshas been released (and the portupdated):Read more…
Execute-only status report
Theo de Raadt (deraadt@) postedto tech@ astatus report(and 2test programs)regarding execute-only (xonly).The report begins:
Console screendumps
As part of her efforts in developing patches for the console(many of which have been committed recently),Crystal Kolipe created some patches for taking screenshots of theOpenBSD console.She wrote an in depth article,Coding new ioctls to produce screendumps from the console, about her work.We will look forward to further development and refinement on this.
Game of Trees 0.82 released.
Game of Trees 0.82 has been released (and the port updated).
amd64 execute-only committed to -current
Support for execute-only (xonly) code(on which wereported earlier)has been committed to -current by Theo de Raadt (deraadt@).The commitswere:Read more…
Game of Trees milestone
In atoot,Stefan Sperling (stsp@) announced:
sshd random relinking at boot
As with library order randomisation(libc.so/libcrypto/ld.so)at bootand kernel relinking at boot,boot time relinking ofsshd(8)is now implemented in -current.Theo de Raadt committed thechanges:Read more…
Game of Trees 0.80 released.
Game of Trees 0.80 has been released (and the port updated).Read more…
Testing wanted: execute-only on amd64
On thetech@ mailing list,Theo de Raadt (deraadt@)has issued arequest for testingof patch(es) for execute-only (xonly)binaries on amd64.The message is quite long, but well worth reading in its entiretyfor those interested.Selected highlights include:
retguard for amd64 system calls
Todd Mortimer (mortimer@) hascommitted(to -current)retguardfor amd64 system calls:
OpenBSD KDE Status Report 2022
The end of the year is rapidly approaching, and Rafael Sadowski (rsadowski@) has published the OpenBSD KDE Status Report 2022.The report leads in,
rpki-client 8.2 released
A new release of the OpenBSDrpki-client, a key component inBGP routing security is available.The announcement by Sebastian Benoit (benno@) reads,
LibreSSL 3.7.0 Released
A new development release of LibreSSL is out, and should be arriving on a mirror near you shortly.Brent Cook (bcook@)'s announcement reads,
BIOS Memory Map for vmd(8) Rewrite in Progress
A rewritten version of vmd(8)'s BIOS memory map handling could soon be appearing in -current. In a recent post to tech@ and supplemented by an accompanying post to ports@ since the changes touch on SeaBIOS, Dave Voutila (dv@) describes the changes and the motiviation for changing them, ie
Fuzzing ping(8) … and finding a 24 year old bug.
Following the recent discovery of asecurity issue in FreeBSD's ping(8),OpenBSD developer Florian Obser(florian@) wanted to know if something similar lurkedin the OpenBSD code as well.The result of his investigation can be found in the article calledFuzzing ping(8) … and finding a 24 year old bug., which leads in,
lladdr-tied interface config support has been committed
Support for lladdr-tied configuration of(network) interfaces[on which wereported earlier]has beencommitted.Andrew Fresh (afresh1@)made the commit:
OpenIKED 7.2 released
On December 1st, 2022 the OpenIKED project announced a new stable version, OpenIKED 7.2.Read more…
Help the OpenBSD Foundation Reach Its 2022 Funding Goal
The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000.At the time of writing, the amount raised in 2022 stands at a little over 50% of the stated goal.The Foundation needs your help to sustainably fund the project. Please head over to the Foundation's donations page, and make sure you drag your employer over there too!With about 30 days left in 2022, we know we can do it!
lladdr-tied Config Support May Soon Land in ifconfig(8) and netstart(8)
It started with a thread on misc@ with the subject"Locking network card configuration"where the problem description is, when two or more network interfaces are attached to the same USB bus, their numbering may not be entirely predictable.The question is, what workarounds are possible?The thread, where several developers offered their insights, and which soon migrated to tech@ with the subject switched to "lladdr support for netstart/hostname.if (was: Re: Locking network card configuration)" and later "lladdr support for netstart/hostname.if" turned up several suggestions, with several patches, and potential support for link level address (MAC address) tied configuration via a new hostname.MAC(5) file to supplement the more familiarhostname.if(5) config file, complete with correspondingifconfig(8) options.Please read the messages and patches, and if you have useful input for the developers on this, please chime in via tech@ or in comments here if you prefer.Once again, an interesting feature that may materialize for testing in snapshots in the near future.
Next steps toward mimmutable, from deraadt@
In a recent message to the tech mailing list, Theo de Raadt (deraadt@) summarized the state of the new memory protections work. The thread also includes a followup from Otto Moerbeek (otto@) on consequent changes to the memory allocation mechanisms.Theo writes,
Call for testing on updated Apple M1/M2 bootloader code
Tobias Heider (tobhe@) posted to tech@ asking people with access to the relevant hardware to test updates to the arm64 bootloader code:
Game of Trees 0.79 released.
Version 0.79ofGame of Treeshas been released (and the portupdated):
mmap(2), munmap(2), and mprotect(2) unlocked
Martin Pieuchot (mpi@) hascommitteda change unlocking themmap(2),munmap(2),andmprotect(2)system calls:
Game of Trees 0.78 released
Version 0.78ofGame of Treeshas been released (and the portupdated):
LibreSSL 3.6.1 released
Brent Cook (bcook@) hasannouncedthe release ofLibreSSLverion 3.6.1: