OpenBSD Journal

Rafael Sadowski (rsadowski@)bloggedabout his participation inp2k23.Perhaps most notable is his work in portingKDEPlasma.Read all about it athttps://rsadowski.de/posts/2023-10-09-p2k23-dublin-openbsd-hackathon/.There is some further discussion of the work in a thread titled NEW: KDE Plasma (x11/kde-plasma) on the ports@ mailing list.

Version 8.6ofrpki-client, the FREE, easy-to-use implementation of the ResourcePublic Key Infrastructure (RPKI)for Relying Parties (RP),has beenreleased.This version includes new compliance checks,random shuffling of processing of Manifest entries,and [non-random!] code shuffling.See the announcement for more details.This is another hint that a new OpenBSDreleaseis about to happen, and soon.

Jay Eptinxa has published a detailed write-up,entitledE-mail Filters In C,of his work creating aspamd(8)-likegreylistingsmtpd(8)filter.Thanks to Crystal Kolipe for letting us know!

OpenSSH 9.5has beenreleased.This releases features the keystroke timing obfuscationon which we reportedearlier.

With a message from Claudio Jeker (claudio@), the OpenBSD project today announced the release of the OpenBSDBGP(Border Gateway Protocol) daemon OpenBGPD, version 8.2.The announcement reads,

ManyOpenBSDsysadminsfind thesysclean(8)portuseful for removing obsolete files following upgrades.Sebastien Marie (semarie@),theauthorof sysclean(8),has written apiecegiving an under-the-hoodlook at the operation of this handy utility.It's well worth reading for those interested in understandinghow it works!

With the followingcommit,Theo de Raadt (deraadt@) moved -current to version 7.4:

Theo de Raadt (deraadt@) posted totech@a detailedmessageexplaining the past and (potential) future ofanti-ROPmeasures in OpenBSD.It's well worth reading its entirety.Highlights include:

Frederic Cambus (fcambus@) wrote a blogpost about running OpenBSD on the arm64-based cloudservers provided by Hetzner. For now, only -current will work,because the new viogpu(4)driver[on which wereported earlier]is needed.Head on over to Frederic's blog for the full story!

EuroBSDCon 2023has now ended,and slides for many of the OpenBSD developer presentationsare now available in theusual place.Video of the presentations can be expected somewhat later.Slides from the tutorial"Network Management with the OpenBSD Packet Filter Toolset"arealso available.

Version 0.93 of Game of Trees has been released (and the port updated).Read more...

With the followingcommit(s),Theo de Raadt (deraadt@) moved -currentto version 7.4-beta:

We are pleased to have anotherp2k23report, this time from Volker Schlecht (volker@)who writes:

Can you really do 3D printing from OpenBSD? Cue suspenseful musicwhilst I formulate my answer, which is: Yes.If you aren't familiar with the 3D printing process, it's dividedinto several steps, vaguely analogous to writing, compiling and runninga program in a compiled language.Read more...

Next up in the series of p2k23 hackathon reports is this from Landry Breuil (landry@), who writes,

Next up in our reports from thep2k23 hackathonis one from Jeremy Evans (jeremy@).Jeremy writes:

The p2k23 OpenBSD packages hackathon just concluded, and Marc Espie (espie@) wrote in with this report:

Version 0.92of Game of Treeshas been released (and the portupdated):

Damien Miller (djm@) hascommittedsupport for keystroke timing obfuscation tossh(1):

As alluded to with the recent"Call for testing"message on the openssh-unix-devmailing list, OpenSSH 9.4 has been released!The complete release notes may be read here:https://www.openssh.com/releasenotes.html#9.4p1

The routed IPSec mode we reported on earlier has now been committed to -current by David Gwynne (dlg@), likely to be a prominent item for the upcoming OpenBSD 7.4 release.The main log message:

Version 8.5of rpki-client,OpenBSD'simplementation of the Resource Public Key Infrastructure (RPKI)for Relying Parties (RP),has been released.Features include:

The buzzword bug of the week is Zenbleed, which affects various AMD processors and is explained in more detail here. On OpenBSD, the latest -current snapshots already have the fixes, and errata patches will go out for the supported releases (7.2 and 7.3) shortly.In a post to the tech@ list, Theo de Raadt described the situation:

Thanks toaseriesofcommitsby Jonathan Gray (jsg@),-current now has support for microcode (updates)for AMD (amd64 and i386) processors:

Version 0.91of Game of Treeshas been released (and the portupdated):

As announced by Damien Miller: "We've just made an OpenSSH release to fix a remotely exploitable RCE vulnerability in ssh-agent's PKCS#11 support (CVE-2023-38408). Details at https://openssh.com/releasenotes.html#9.3p2Thanks to the Qualys Security Advisory Team for finding and reporting this bug."This appears to impact every version of OpenSSH's ssh-agent from 5.5 onwards.

Theo de Raadt (deraadt@)has updatedinnovations.htmlto include an item regarding the work which has been doneto enforce indirect branch target restriction(on theamd64[Intel]andarm64platforms).Thecommit messageprovides some detail:

Version 8.1 of OpenBGPD, the OpenBSD Border Gateway Protocol (BGP) routing daemon, has just been released.The announcement reads,

An anonymous submitter reminded us that Marc Espie (espie@) posted a summary of the state of OpenBSD packages in a message to the tech mailing list with the subject pkg_*: the road forward.Marc writes,

Matthieu Herrb (matthieu@) has written some noteson his work at the (recently-concluded)g2k23 hackathonin Tallinn, Estonia.His article,Wayland on OpenBSD,starts:

The majorpfsync(4)rewrite on which werecently reportedhas beencommittedto -current by David Gwynne (dlg@).As it says in the commit message

A low key leak from the ongoing g2k23 hackathon comes the news thatsoft updates(akasoftdep) will, for now, be a no-opon OpenBSD-current.The commit message by Bob Beck (beck@) reads,

A new tool for creating flexible, route based site to site virtual private networks (site-to-site VPNs) is entering its call for testing phase on OpenBSD-current.In a message to the tech@ mailing list on July 4th, 2023, David Gwynne (dlg@) presented a diff that adds a new virtual network interface dubbed sec(4). The message reads,

Version 0.90ofGame of Treeshas been released (and the portupdated):Read more...

A major rewrite of pfsync(4), the state table synchronization tool for redundant pf(4) setups is in the works.In a recent message to tech@, David Gwynne (dlg@) describes the multi-year process behind the diff contained in the message,

Theo de Raadt (deraadt@)committedchanges which result intheshutdown(8)andreboot(8)commands(in -current)requiring membership of the the (new) group"_shutdown".The commit message explains the rationale:Read more...

TheOpenBSD projecthas releasedversion 7.3.0p0of OpenSMTPD, the project'sSMTPserver.Theannouncementreads in part:

Version 0.89ofGame of Treeshas been released (and the portupdated):

TheLibreSSL projecthas announced the release of versions3.6.3 and3.7.3,and (development) version3.8.0of the software.Theannouncementfor versions 3.6.3 and 3.7.3 reads:

Thanks to the followingcommitby Todd Miller (millert@),cron(8)now supports random values in a rangewith a step value(i.e."<lo>~<hi>/<step>"incrontab(5) entries):

Thanks to the followingcommitby Todd Miller (millert@),cron(8)now supports random values in a rangewith a step value(i.e."<lo>~<hi>/<step>"incrontab(5) entries):

The OpenBSD project has released a new version ofOpenBGPD,the OpenBSD Border Gateway Protocol (BGP) routing daemon,version 8.0.Theannouncementreads,

The OpenBSD project has released a new version ofOpenBGPD,the OpenBSD Border Gateway Protocol (BGP) routing daemon,version 8.0.Theannouncementreads,

Version 8.4ofrpki-clienthas beenreleased, with a number of improvements and new features:

Version 8.4ofrpki-clienthas beenreleased, with a number of improvements and new features:

Version 0.88ofGame of Treeshas been released (and the portupdated):

Version 0.88ofGame of Treeshas been released (and the portupdated):

Dave Voutila (dv@)has addedanother feature to virtualisation on OpenBSD.Thanks to the followingcommit,it is now possible for the owners of virtual machinesto override the boot kernel:Read more...

Dave Voutila (dv@)has addedanother feature to virtualisation on OpenBSD.Thanks to the followingcommit,it is now possible for the owners of virtual machinesto override the boot kernel:Read more…

Dave Voutila (dv@)committeda change which brings a multi-process model tovmd(8),enhancing both security and performance: