OpenBSD Journal

Wladimir Palanthas written anarticleon use ofOpenSMTPDfilters, andprovided codeunder an MIT license for those who may wish to utilizethe techniques described therein.

Version 0.85ofGame of Treeshas been released (and the portupdated):Read more…

The OpenBSD installer now has basic support for configuring disk encryption during the regular installation process. Previously, disk encryption needed to be set up manually by dropping to the shellfrom the installer.Initial support, likely to be expanded upon, wascommittedby Klemens Nanni (kn@) onMarch 7, 2023.The commit reads,

Another piece from Florian Obser (florian@) just came out, titledDynamic host configuration, please.In the article, Florian details the steps to modern OpenBSDdynamic host configuration, including interface configuration, name resolution, routing and more.We also get an explanation of the various userland programs (most of them portable, some OpenBSD-specific) that make a modern OpenBSD laptop shine.You can read the full piece here, Dynamic host configuration, please.

It's that time of the year again. With this commit,Theo de Raadt (deraadt@) changed the version string for the development branch of OpenBSD to 7.3-beta.The commit reads,

We all know the OpenBSD is lead from Canada, but what is the status in that country by and large? Bringing up the subject, Katie McMillan wrote in, saying

Version 0.84ofGame of Treeshas been released (and the portupdated).Read more…

Theo de Raadt (deraadt@)posted totech@a message entitledpinsyscall, execve, and rop pivots, etc.It explainspinsyscall(2),OpenBSD's latest securityinnovation.We reproduce the posting below with added links:Read more…

Florian Obser wrote an extensive piece with great attention to detail titled: Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD.

Following a wide-ranging thread onmisc@with the subjectSafely remove USB drive,Crystal Kolipe wrote anarticleabout howOpenBSDhandles removable media, centered around theeject(1) command,also known as mt(1).The article leads in,

Rob Turner writes in about a practical guide to runningvxlan(4)over a WireGuard(wg(4))connection.Rob writes,

At the recently-concludedFOSDEM 2023conference,Stefan Sperling (stsp@)presented a talk onGame of Trees.Videoandslidesof Stefan's presentation are now available.

Hot on the heels ofsyspatches for OpenBSD 7.1 and 7.2,Brent Cook (bcook@)announcedthe release of versions 3.5.4 and 3.6.2 ofLibreSSL:

OpenSSH 9.2 was released on 2023-02-02. It is available from themirrors listed at https://www.openssh.com/.

Version 0.83ofGame of Treeshas been released (and the portupdated):Read more…

Theo de Raadt (deraadt@) postedto tech@ astatus report(and 2test programs)regarding execute-only (xonly).The report begins:

As part of her efforts in developing patches for the console(many of which have been committed recently),Crystal Kolipe created some patches for taking screenshots of theOpenBSD console.She wrote an in depth article,Coding new ioctls to produce screendumps from the console, about her work.We will look forward to further development and refinement on this.

Game of Trees 0.82 has been released (and the port updated).

Support for execute-only (xonly) code(on which wereported earlier)has been committed to -current by Theo de Raadt (deraadt@).The commitswere:Read more…

In atoot,Stefan Sperling (stsp@) announced:

As with library order randomisation(libc.so/libcrypto/ld.so)at bootand kernel relinking at boot,boot time relinking ofsshd(8)is now implemented in -current.Theo de Raadt committed thechanges:Read more…

Game of Trees 0.80 has been released (and the port updated).Read more…

On thetech@ mailing list,Theo de Raadt (deraadt@)has issued arequest for testingof patch(es) for execute-only (xonly)binaries on amd64.The message is quite long, but well worth reading in its entiretyfor those interested.Selected highlights include:

Todd Mortimer (mortimer@) hascommitted(to -current)retguardfor amd64 system calls:

The end of the year is rapidly approaching, and Rafael Sadowski (rsadowski@) has published the OpenBSD KDE Status Report 2022.The report leads in,

A new release of the OpenBSDrpki-client, a key component inBGP routing security is available.The announcement by Sebastian Benoit (benno@) reads,

A new development release of LibreSSL is out, and should be arriving on a mirror near you shortly.Brent Cook (bcook@)'s announcement reads,

A rewritten version of vmd(8)'s BIOS memory map handling could soon be appearing in -current. In a recent post to tech@ and supplemented by an accompanying post to ports@ since the changes touch on SeaBIOS, Dave Voutila (dv@) describes the changes and the motiviation for changing them, ie

Following the recent discovery of asecurity issue in FreeBSD's ping(8),OpenBSD developer Florian Obser(florian@) wanted to know if something similar lurkedin the OpenBSD code as well.The result of his investigation can be found in the article calledFuzzing ping(8) … and finding a 24 year old bug., which leads in,

Support for lladdr-tied configuration of(network) interfaces[on which wereported earlier]has beencommitted.Andrew Fresh (afresh1@)made the commit:

On December 1st, 2022 the OpenIKED project announced a new stable version, OpenIKED 7.2.Read more…

The OpenBSD Foundation, which is central to funding the OpenBSD project, needs your help to reach its 2022 Fundraising Goal of $300,000.At the time of writing, the amount raised in 2022 stands at a little over 50% of the stated goal.The Foundation needs your help to sustainably fund the project. Please head over to the Foundation's donations page, and make sure you drag your employer over there too!With about 30 days left in 2022, we know we can do it!

It started with a thread on misc@ with the subject"Locking network card configuration"where the problem description is, when two or more network interfaces are attached to the same USB bus, their numbering may not be entirely predictable.The question is, what workarounds are possible?The thread, where several developers offered their insights, and which soon migrated to tech@ with the subject switched to "lladdr support for netstart/hostname.if (was: Re: Locking network card configuration)" and later "lladdr support for netstart/hostname.if" turned up several suggestions, with several patches, and potential support for link level address (MAC address) tied configuration via a new hostname.MAC(5) file to supplement the more familiarhostname.if(5) config file, complete with correspondingifconfig(8) options.Please read the messages and patches, and if you have useful input for the developers on this, please chime in via tech@ or in comments here if you prefer.Once again, an interesting feature that may materialize for testing in snapshots in the near future.

In a recent message to the tech mailing list, Theo de Raadt (deraadt@) summarized the state of the new memory protections work. The thread also includes a followup from Otto Moerbeek (otto@) on consequent changes to the memory allocation mechanisms.Theo writes,

Tobias Heider (tobhe@) posted to tech@ asking people with access to the relevant hardware to test updates to the arm64 bootloader code:

Version 0.79ofGame of Treeshas been released (and the portupdated):

Martin Pieuchot (mpi@) hascommitteda change unlocking themmap(2),munmap(2),andmprotect(2)system calls:

Version 0.78ofGame of Treeshas been released (and the portupdated):

Brent Cook (bcook@) hasannouncedthe release ofLibreSSLverion 3.6.1:

We had previously reported on EuroBSDcon 2022. As of October 27th, 2022 the EuroBSDcon YouTube channel has been updated with a variety of OpenBSD related talk recordings for those who didn't catch the streams live, with the salient ones linked below:

Version 0.77ofGame of Treeshas been released (and the portupdated):

The OpenBSD project today announced the release of the most recent version of our favorite operating system, OpenBSD 7.2.This is the 53 release from the OpenBSD project. Highlights of the new release include:

In a long series of commits,Theo de Raadt (deraadt@)has added support for the immutable memory mappingson which wereported earlier.We see:

A new version of OpenBGPD, the OpenBSD and portable BGP daemon, has has been released.The announcement notes some key improvements in this release:

Signalling another turn of the seasons, Brent Cook (bcook@) announced that a new release of LibreSSL is out. The announcement reads:

OpenSSH 9.1has been released.It is primarily a bug-fix release.Version 9.1 will be part of theOpenBSD 7.2 release.

Another site for searching OpenBSD packages has appeared- OpenBSD.app.The site, which supports full text search,is run by Aaron Bieber (abieber@ when hisOpenBSD hat isn't askew).He commentedonLobsters.

An important message from Damien Miller (djm@) turned up on mailing lists and elsewhere, saying,

While recovering after EuroBSDCon and starting to gear up for the much anticipated next OpenBSD release, our co-editor Peter Hansteen found the time to do a remote Sunday lunch talk (slides) for SEMIBUG titled A Few of My Favorite Things About The OpenBSD Packet Filter Tools (full text, blog with trackers). The full text of the talk is also available here, without trackers.Topics covered: PF basics, state tracking tricks, greytrapping, traffic shaping, with pointers to further material.All good fun while we are waiting for the next bit thing.

Game of Trees 0.76 was released on September 23rd, 2022.