OpenBSD 3.3 changes

OpenBSD 3.3 released (May 1, 2003)

This is a partial list of the major machine-independent changes (i.e., these are the changes people ask about most often). Machine specific changes have also been made, and are sometimes mentioned in the pages for the specific platforms.

Changes to the ports collection are documented here.

Note: Problems for which patches exist are marked in red.

For changes in other releases, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.4, 3.5, 3.6, 3.7,
3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3, 5.4,
5.5, current.

Changes made between OpenBSD 3.2 and 3.3

3.3 release branch created.
SECURITY FIX: A buffer overflow in the address parsing in sendmail(8) may allow an attacker to gain root privileges.
A source code patch is available.
[Applied to stable]
Fix the sftp-server(8) race fix so that renames of symlinks and directories work again.
Have lpr(1) and lprm(1) do a better fake setuid(daemon), so that files to be printed no longer need to be world-readable.
Some robustness fixes to vlan(4).
Set splimp() before resetting xl(4) to prevent interrupts before we're ready to handle them.
Recognise (and ignore) the --soname argument to ld(1).
Add a missing return statement when dumping the state table in pfctl(8).
When adding hfsc queues in the kernel, return the correct value when unable to allocate memory, and add some missing error cleanup.
Fix ssh(1) rekeying when running in privsep mode.
Add some extra quoting paranoia to /etc/rc.
Don't close stdin in md5(1).
Stop sendbug(1) reporting spurious errors.
Restore ac97(4) state after an apm(4) resume.
Make the syslogd(8) default facility LOG_USER instead of (due to a bug) LOG_UUCP.
Make netstat(1) -m output of mbuf cluster stats much more useful.
Fix memory use percentage output of ps(1).
Some endianness fixes to ahc(4), making it works on macppc.
Fix some problems with pf(4) table statistics.
Disable by default (and add a switch to enable) cross-realm authentication from Kerberos IV realms in Kerberos V kdc(8). This addresses a recently found vulnerability.
[Applied to stable]
Disable the Kerberos IV kdc(8), since all its functionality is available in the Kerberos V kdc.
Enquote $lpd_flags in /etc/rc.
Fix a logic error in sudo(8)'s SIGCHLD handler.
SECURITY FIX: OpenSSL is vulnerable to an extension of the `Bleichenbacher' attack designed by Czech researchers Klima, Pokorny and Rosa.
A source code patch is available.
[Applied to stable]
Tweak pfctl(8) host address parsing to catch exceptional cases.
Fix parsing of the dhcpd(8) leases file.
Add a missing return statement in mkhybrid(8).
Restore bootable tape functionality for sparc.
Longword-align struct sockaddrs passed to the kernel by arp(8).
An RFC 2553 compliance tweak to getaddrinfo(3).
Change perl(1)'s config hints file to reflect the promotion of setre[ug]id(2) to real system calls.
Some (v)sprintf -> (v)snprintf in libcurses and libcurses++.
Bump ssh(1) version to 3.6.
[Applied to stable]
Fix a bad string length when checking options to login_passwd(8).
Add a nicely free license to hack(6).
Fix a bogus string initialisation when printing IPv6 addresses that was causing a segfault in netstat(1).
More string function sanity in the 4.3BSD compat library, crypto(3) and sudo(8).
Fix a string under-allocation in mountd(8).
Update to sudo(8) 1.6.7.
SECURITY FIX: Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.
An `RSA blinding' source code patch is available.
[Applied to stable]
Add a missing chroot path correction when creating the SSL mutex file in httpd(8).
Another fix in the gcc(1) stack protector.
More strcpy -> strlcpy, in cron(8) this time.
After all the hard work making the X server run as a non-root user, stop the scheduler lowering non-root processes' priority if they've had more than ten minutes of CPU time.
Check the length of all fixed-length IPv6 neighbor discovery options.
Enable RSA blinding in keynote(3).
Remove the redundant -t option from mt(1).
Fix a bug in pf(4) tables that could cause table-based filtering of packets with a source or destination address of 0.0.0.0 (e.g. DHCP) to corrupt the kernel.
Enable RSA blinding for mod_ssl private key operations.
Fix a bug that caused all jobs displayed by atq(1) to appear to be owned by the owner of the last job in the queue.
[Applied to stable]
Require spamd(8) control connections to originate from a reserved port.
Plug a pf(4) tables memory leak.
Scale the altq(9) RED thresholds to 10% (min) and 30% (max) of the queue limit.
Fix a one-byte underflow in raidctl(8).
Switch RSA blinding on for isakmpd(8), ssh-agent(1) and ssh-keysign(8).
Still more sprintf -> snprintf and strcpy -> strlcpy in many, many places.
More strcpy -> strlcpy, this time in badsect(8), restore(8) and scsi(8).
Fix a missing initialisation in pckbc(4) when the ps/2 keyboard is not the system console. Avoids a panic on alpha.
Remove sbin/photurisd from the tree.
(v)sprintf -> (v)snprintf in mrouted(8).
Add -c option to md5(1), for compatibility with GNU md5sum.
Set IFCAP_VLAN_MTU for sk(4).
Add a missing endianness fixup to bktr(4).
Hack compat_freebsd(8) to pick up recent FreeBSD binaries such as Opera.
Make cron(8)'s parser detect many more syntax errors.
Allow bridge(4) to send unfragmented full-length 802.1q packets on interfaces with IFCAP_VLAN_MTU set.
Make sure that pf(4) queues have a queue ID that is unique across all interfaces.
When acting on an anchor, make pfctl(8)'s -F option traverse all subrulesets in the anchor.
Remove larn(6) until some license issues are resolved.
Yet more gcc(1) stack-smash protector fixes.
Many spelling and double-word fixes.
Install lpr(1) and lprm(1) setuid root instead of setuid daemon (the latter is more risky) and setuid to daemon early on.
Add a missing getnameinfo(3) error check to ftp(1).
Always set a bpf(4) filter in pflogd(8), since bpf will otherwise grab full-length packets.
strcpy->strlcpy in mount_portal(8), quotacheck(8), route(8) and routed(8).
Make pf(4) queue code drop illegal non-PKTHDR mbufs, and whine loudly so any problem will get noticed and fixed.
Allow st(4) tape density codes up to 0xff (the old limit was 0x45).
Continued assault on manpage errors, omissions and bad English.
Fix a typo from pre-3.1 days that was stopping inode quotas from working.
Stop spamd-setup(8) always returning an error code.
Log that cron(8) has started after detaching from the controlling terminal, rather than before.
Make cron(8) show the correct error line number when the command is missing.
Make pfctl(8) give a helpful error message when multiple same-named queues are added to an interface.
Fix a problem in sis(4), found with a few DP83815 devices, where a cable length of less than 30m caused excessive receive errors.
Tighten pf(4) tcp state code in relation to a FIN received before any server response.
Add spamd and spamd-cfg tcp ports to services(5), and have spamd(8) obtain the port numbers from there.
Fix some problems adding pf(4) child queues.
Prise the correct line number for errors out of cron(8).
Warn about garbage lines before the EOF in crontab(1).
Fix a panic in ppp(4) by making sure the first mbuf in a chain contains a packet header.
Disable ptrace(2) for P_SUGIDEXEC as well as P_SUGID.
Make the kernel's P_SUGIDEXEC flag semantics match those for issetugid(2).
Make clear that mailwrapper(8) error and warning messages are not from the wrapped program but from the wrapper itself.
In mountd(8) only write to the pidfile if we've opened it.
Honour the :sh: printcap(5) flag for remote printers, instead of requiring -h to be given to lpr(1).
Add spamd.conf(5), configuration for spamd-setup(8).
Since spamd-setup(8) is no longer a Perl script, remove the Net::Netmask module.
Re-re-implement spamd-setup(8), this time in C.
Tweak queue rule expansion to fix problems when a queue spans multiple interfaces.
Base pfctl(8)'s 'bandwidth too small' whine on interface-specific calculations rather than always using '6Kb'.
Have a separate flag (-g) for pfctl(8) debugging output, instead of overloading -vv.
Fix a signedness bug (KAME PR 469) in the libc resolver.
Set some missing flags and fix ti(4)'s vlan tagging support.
Stability fixes to cac(4).
A huge number of manpage cross-reference fixes.
In kernel main(), configure devices later when process 0 is more fully initialised.
Avoid a null derefence in isakmpd(8) when converting text addresses to a sockaddr.
Fix pf(4) queue assignments when an interface is not specified.
For IPv6 etherip packets, set the next protocol field in the header.
Pass IP proto 97 (Ethernet-in-IP) packets up to bpf(4).
In the installer, delete the FTP password when no sets are found, so it doesn't get displayed in the URL.
Add a boot image ISO for alpha.
New images; the last X update before the release.
Fix a number of memory leaks in ssh(1) and its related programs.
Add a monolithic openssl(1) manpage, covering all the tool commands.
Media handling fixes to hme(4).
Set the right address family for IPv6 addresses in a pf(4) table.
Update named(8) to BIND 9.2.2-release.
Only have /etc/rc generate the rndc(8) key if named(8) is to be started.
named(8) always does setuid(named) and chroots to /var/named, so remove the variables for those actions from /etc/rc.
Turn off the stack protector when building lkm(4)s.
Don't install mrinfo(8) and mtrace(8) setuid root.
Recreate the rndc(8) key if /etc/rndc.key and /var/named/etc/rndc.key are not identical, or if either is absent.
3.3-beta -> 3.3
Fix user and group keywords with IPv6 pf(4) rules.
Create a baby ISO for i386, with just the CD boot image on it.
Move the spamd(8) configuration channel from the spamd listener port the next port up.
Add to file(1) support for additional image formats and a first pass at reading jpeg size.
strncpy->strlcpy in libc resolver code.
Upgrade file(1) to 3.41, to fix a buffer overflow. Get improved 64-bit ELF support as well.
[Applied to stable]
In the libc stack smash handler, straight away block all signal handlers from running.
More fixes and improvements to isp(4).
Sendmail updated to 8.12.8.
SECURITY FIX: A buffer overflow in the envelope comments processing in sendmail(8) may allow an attacker to gain root privileges.
A source code patch is available.
[Applied to stable]
Fix some nits in m_pulldown(9).
Return a meaningful partition size from rd(4).
Fix pfctl(8) display of altq bandwidth figures.
Fix a missing configuration message validity check in spamd(8).
Remove spamd-setup.sh script.
Add a configuration channel in spamd(8) so spamd-setup.pl can talk to it.
New spamd-setup.pl script to set up spamd(8), with support for multiple blacklists configured via spamd.conf(5).
Add perl module Net::Netmask for new spamd(8) setup perl script.
Remove the redundant 'control' keyword from altq CBQ.
Tag no-payload tcp ACK packets for priority queuing, see /usr/share/pf/ackpri for more information and an example.
Guarantee that two pf(4) queues with the same name on different interfaces have the same internal queue id.
Prevent gem(4) removing DMA mappings that are still in use, which causes faults on sparc64.
Stop the installer mistakenly deleting a default route that an FTP install may need to use.
Add a bootable CD iso image for sparc64.
Fix a few bad printf format specifiers in pflogd(8).
Disable GNU mmalloc on all architectures.
Update all disktab(5) files to show support for 16 partitions, and fix a few other glitches.
Finally, mrouted(8) and fellows have proper licensing and are now built by default.
Make sure the error value is set properly on SA expiry for AH and ESP.
Fix a Kerberos (IV and V) resolver overflow found by propolice.
Make libc random(3) and related functions use u_int32_t internally instead of long.
Update the isp(4) firmware images.
Increase the ata IDENTIFY command timeout from one to three seconds.
Use a bss copy of basename(argv[0]) for __progname, so even when there is real stack carnage a propolice stack-smash report has the right program name.
Add a missing splsoftnet() in pf(4) tables code.
Add WANT_LIBMILTER, WANT_SASL and WANT_LDAP mk.conf hooks for sendmail(8).
Add -trace-ctors-dtors option to gcc(1)'s collect2. See gcc-local(1).
Make rndc(8) die properly on errors.
In libz, check snprintf(3) return value to detect truncation.
[Applied to stable]
Stop syslog(3) always logging to the console when LOG_CONS is enabled.
Have updatedb(8) use /var/tmp instead of /tmp, and include ext2fs volumes in the database.
Handle invalid step sizes properly in cron(8).
Add IPv6 packet classification support for pf(4) queues.
Fix pf(4) tables' IPv6 support.
Correctly set the priority queue when expanding pf(4) rules.
Some cleanup in ti(4).
Make libz use snprintf(3) instead of sprintf(), since we're at it.
[Applied to stable]
Fix a bug in bind's isc_print_vsnprintf(), even though it's not used in OpenBSD.
Have named(8) listen on IPv6 interfaces by default.
More gcc(1) stack protector fixes.
Add 'show' and 'monitor' commands to ipsecadm(8).
Update xterm(1) to fix CAN-2003-0063 and CAN-2003-0071.
Fix pf(4) binat rule matching.
Clean up pfctl(8) binat rule parsing.
More bounds check fixes, in Linux compat and gdt(4).
Correct two off-by-ones in ami(4).
Fix a bad bounds check in midi(4).
Revert to the old pf(4) macro redefinition code, to stop a bad next pointer causing an endless loop.
Fix a crasher in the pfkeyv2 debugging code.
Add LZS compression support to hifn(4). Only usable by IPComp for now.
Set the portal filesystem file change time properly.
Remove tcfs due to licensing problems.
Fix a bogus vmstat(8) warning message.
Make libz use vsnprintf(3) instead of vsprintf().
[Applied to stable]
Add privilege separation to the old X servers too.
In the X server, open the keyboard and framebuffer drivers using privsep.
Plug a couple of mbuf leaks on errors in bridge(4).
Pull in from FreeBSD a better environment variable parser for cron(8).
Repair httpd(8) restarts, broken by the ETag inode leak fix. (The etags-state file wasn't readable after dropping privileges.)
Don't try to allocate < 0 bytes of memory in libcrypto.
[Applied to stable]
Re-enable 'set loginterface none' option in pfctl(8).
Fix a bad sizeof in ssh(1) auth_krb4.
Send BIND 4 to the attic. named(8) is now BIND 9.
Still more fixes to the gcc(1) stack protector.
Have tcpdump(8) check AH and ESP packets are of valid length before dumping their contents.
Teach tcpdump(8) to print IPComp packets.
Fix a crasher in systrace(1) by reparing some locking code in the kernel, and removing a null deref in userland.
Sync cron(8) with ISC cron -current, keeping the OpenBSD-specific at(1) integration.
Make xconsole(1) run as user _x11 instead of root (like the X server,) and use privilege separation for the parts that need root.
Add an empty cron.deny file, since POSIX requires that in the absence of cron.allow and cron.deny files, only root may run crontab(1).
Fix a null deref triggered by ipcomp(4).
pfctl(8) rejects non-existent interfaces in rules using dynamic interface syntax.
Move /var/at files into /var/cron since at(1) is now a part of cron(8).
Fix support for pf(4) syntax (if)/24 (dynamic interface name translation with a network prefix).
SECURITY FIX: In ssl(8) an information leak can occur via timing by performing a MAC computation even if incorrect block cipher padding has been found, this is a countermeasure. Also, check for negative sizes in memory allocation routines.
A source code patch is available.
[Applied to stable]
Add a counter for netstat(1) showing how often ipcomp(4) was skipped because the packet size was below the compression threshold.
Fix a buffer overflow in pfctl(8) on 64-bit platforms.
Stability updates to vr(4).
LFS is not supported, so remove support for it from df(1).
More niggly fixes to newly-added LZS support.
Don't load pf.conf(5) options when one of pfctl(8)'s load switches (-A, -N, -R) is in force.
Write the stack to core files properly for upward-growing stack architectures.
Enable LZS support in ipcomp(4), missed when LZS was added earlier.
Turn of BIND 9's logging of lame servers; some people never learn, and we don't want to know about them.
Make min-ttl and random-id operate on inbound as well as outbound pf(4) scrub rules.
Many missing copyright notices added to manpages.
Add privilege separation support to the X server. Fixes a lot of problems.
Fix a double-free in ftp(1).
Add -n 'no daemon' option to cron(8).
Enqueue the copy and not the original mbuf that's free four lines later, and so stop bridge(4) crashing the kernel.
Improve default route setup in the installer.
Fix ssh(1) forced commands with 'PermitRootLogin forced-commands-only' set.
Some RFC-compliance fixes to the httpd(8) multipart MIME pid leak fix.
Clean up pf(4) macro parsing.
Fix format string bugs in grep(1) and nohup(1).
strcpy -> strlcpy in rpc.pcnfsd(8).
Add support framework for LZS compression to crypto(9) and ipsec(4).
More write protection paranoia in ld.so(1).
Make bsd.rd an install/upgrade target.
SECURITY FIX: httpd(8) leaks file inode numbers via ETag header as well as child PIDs in multipart MIME boundary generation. This could lead, for example, to NFS exploitation because it uses inode numbers as part of the file handle.
A source code patch is available.
[Applied to stable]
Increase the size of the rates buffer in wi(4) hostap so 802.11g stations can associate.
When outputting raw IP and generating the header manually, make sure the packet is large enough for a full IP header.
[Applied to stable]
Fix an mbuf leak in IPv6 TCP. [Applied to stable]
Now that pf(4) tables spring into existence on demand, remove the unnecessary '-T create' option.
Have arc4random(3) stir the pool when the caller's pid changes.
Add 'scrub in all no-df' to the initial pf.conf(5) installed by /etc/rc. This helps diskless booters using Linux NFS servers.
Allow pf(4) redirect to loopback interfaces again, now that looping can't occur.
Fix an fd locking bug in libpthread.
Have spamd(8) use tables instead of regular rules on an anchor.
Improvements to ATAPI PIO mode selection.
Fix an mbuf leak in wi(4).
SECURITY FIX: A fix for an lprm(1) bug made in 1996 contains an error that could lead to privilege escalation. For OpenBSD 3.2 the impact is limited since lprm(1) is setuid daemon, not setuid root.
A source code patch is available.
[Applied to stable]
Finish nForce support in pciide(4).
When pfctl(8) complains about an illegal netmask, have it show the offending article.
Fix busted ypxfr(8), the key and values are no longer swapped around. Which is nice.
Add libedit line editing support to cdio(1).
Teach disklabel(8) to use units other than sectors on the command line.
3.2-current -> 3.3-beta.
Replace ssh(1)'s and wi(4)'s crc32 code with BSD-licensed versions.
Change pf(4) scrub option 'no-df' to better handle fragments with DF set, such as those sent by Linux NFS.
When in async mode, signal the process group instead of the process from WSEVENT_WAKEUP in wscons(4).
In newsyslog.conf(5), users can separated from groups now with ':' as well as '.'.
newsyslog(8) can now rotate files at a specific time.
Better bind(2) error checking in isakmpd(8).
Be consistent with ntohs() in pf(4) translation code.
Some consolidation and tidyup in pfctl(8)'s rule parsing code.
More fixes to pf(4) routing.
Don't ever send ICMP redirects for pf(4)-redirected packets .
Allow definition of pf(4) macros on the command line. Oh yes.
Remove sinful abbreviation of the unit of frequency as 'hz' (it's 'Hz', don't you know).
tcpdump(8) now displays the DF flag for IP fragments.
Have spamd(8) pass sensible parameters to memset().
Allow IPv6 addresses in yp(8) host maps.
More pf(4) rule compression: 'from' and 'to' keywords are optional if 'any' is one of the addresses, and 'any' itself is optional when a port is specified.
Change chroot(8)'s -u and -g options' semantics (-u is now what -U used to be, unless -g overrides it,) and remove -U and -G.
Sync up the spell(1) dictionaries with FreeBSD and NetBSD changes.
Add new 'random-id' option for pf(4) scrub rules. This randomises outbound IP IDs and defeats NAT detection and OS fingerprinting.
Stop a number of scripts that use mktemp(1) from leaving dead tempfiles around in failure cases.
A little extra paranoia in chpass(1), check that the temp file is owned by our real uid.
Don't burp syslog(3) output to the console unless syslogd(8) was not contactable.
Stop sshd(8) leaking information when PermitRootLogin is set to 'no'.
Install pf.conf(5) mode 0600 by default.
Fix races in the rename and symlink commands of sftp-server(8).
Allow 'ProxyCommand none' in ssh(1).
Hack around a tools bug in disklabel(8).
Improve handling of invalid pf(4) redirections.
Tidy up ssh(1) ProxyCommand option parsing.
Last part of the threaded fd improvements, fixing some bugs from stage one on the way.
Set an all-ones mask when doing pf(4) routing, since round-robin on the whole address space is unlikely to be the desired result.
First installment of improvements to threaded file descriptor handling (see the checkin comment for details).
isakmpd(8) now sets the Default-Phase-1-Configuration transform to 3DES-SHA-RSA_SIG, the same as OpenBSD 3.2.
Don't load a signed int into the ssh(1) buffer when doing BSD auth; the buffer type only supports unsigned ints.
Note in the documentation that snprintf(3) and syslog_r(3) are safe (with caveats) for use in signal handlers.
Stop pf(4) {dup,reply,route}-to rules using a loopback interface as the target - currently this can create loops.
Don't have pfctl(8) expand altq rules (and so check for parent queues etc.) unless altq rules are actually being loaded.
More gcc(1) stack protector fixes and tweaks.
Stop pfctl(8) closing a file it hasn't opened.
Make chpass(1) more paranoid when opening its temp file.
Make iostat(8)'s disk throughput bar smarter.
Implement key exchange guesses as per the secsh standard in ssh(1).
Relax parsing of usernames in scp(1).
Make pf(4) build without IPv6.
Fix an mbuf leak in the ESP code.
Correct a bad array index in netstat(1).
Fix multicast problems with vlan(4), and also remove some unnecessary Ethernet-specificity from the driver.
Really fix combination of pf(4) translation and route-to/reply-to.
Check TCP, UDP, ICMP and ICMP6 checksums in pf(4), and make the sum isn't recalculated when the packet hits layer 4 in the kernel. Packets with invalid checksums are silently dropped, to avoid firewall detection by use of filter responses to bad packets.
Make pf(4)'s TCP state inspection RFC 763 compliant, and send a reset when presented with SYN-cookie schemes that send out-of-window ACKs during the TCP handshake.
Now that route(8) is no longer setuid root, check the effective uid instead of the real uid.
Fix a number of filesystem locking issues, for details see the checkin comment.
Fix an ICMP mbuf leak.
[Applied to stable]
Create a fake siginfo_t for pthread_kill(3).
Stop dhcpd(8) and dhcrelay(8) trying to use dead interfaces.
For ELF images, put .rodata in a separate section to the program text, so the read-only data is no longer executable.
New pf.conf(5) interface modifiers: <if>:network for the interface's connected network(s) and <if>:broadcast for the interface's broadcast address(es).
Have spamd(8) revoke privileges earlier so it can bind to a priviliged port if desired.
Mirror the a.out initialise-dependent-libraries-first change for ELF.
For POSIX reasons, make setre[ug]id(2) real system calls again (albeit still implemented using setres[ug]id()) instead of 4.3BSD compatibility library calls.
authpf(8) sets the process title to '<user>@<ip>'.
Add a missing ntohs in tcpdump(8) so that pf(4) actions get printed correctly.
Make the resolver code in libc more thread-safe.
Fix an fd_set overflow in telnetd(8).
Improvements to pthreads signal handling. See the checkin comment for details.
For eg(4), el(4), ie(4/HPPA) and url(4) zero-pad frames smaller than the minimum frame length.
Update the termcap entry colours for wsvt25 to match reality.
If the -a option is given to pfctl(8) to specify an anchor, don't allow operations that have a global effect.
Make sure tcpdump(8) correctly exits from the loop that prints IPv6 option headers.
Use record instead of play parameters to calculate the record high watermark in audio(4).
Don't have ftp-proxy(8) remove leading spaces, this can break multiline commands.
Further cleanups and shrinkage of the installer scripts.
Correct operation of pf(4) rdr rules involving port ranges. Now the from- and to-range sizes can differ.
Stop bogus packet drops during pf(4) normalisation when an offset went negative.
Fix pfctl(8) -n option operation with table statements.
Allow pf(4) tables to be initialised from a file listed in pf.conf(5).
Better checking and error reporting for illegal table-related constructs in pf(4) rules.
Improve TCP performance by sending segments of no more than half the send buffer space limit. This means that (if enough data is available to be sent) there will always be at least two segments sent. A BSD receiver-TCP will turn off delayed ACKs with more than one un-ACK'd packet on a socket.
Improvements to newsyslog(8) monitor mode.
Plug a potential memory leak in spamd(8).
Make sure xinit(1) never leaks the MIT_MAGIC_COOKIE via the command line.
Fix vipw(8)'s use of timestamps to detect changes to the temp file.
Make sure a thread's signal handlers aren't run until the thread is made current.
Save the fpu state when switching threads on i386 and sparc64, floating-point preemption regression tests now pass on these architectures.
Fix ndc(8)'s reading of the rc.conf(8) variable NAMED_FLAGS.
Fixes to pf(4)'s TCP window scaling support.
pfctl -vvsq display (altq stats) gets more useful, showing bandwidth and packet rate stats for CBQ and PRIQ.
Install nslookup(8) along with BIND 9, and don't print the irritating deprecation warning.
ftp-proxy(8) now honours the TCP_WRAPPERS setting in mk.conf.
Allow cvs(1) Checkin-Prog and Update-prog to be disabled with the new CVSROOT/config option "DisableXProg"
Always use splimp(9) in wi(4), fixing some transmission failures.
Add -1 and -2 options to scp(1) to force SSH protocol 1 or 2 respectively.
New -l bandwidth-limiter option for scp(1).
New -c option to ssh-add(1), that forces ssh-agent(1) to pop up a dialog requesting confirmation of the use of a stored key.
Don't have pf(4) crash the kernel when translating icmp6 packets.
More updates to unifdef(1).
strcpy -> strlcpy in ftp(1) macro expansion.
pf(4) tables automatically spring into existence when referred to by pfctl(8) add or replace commands.
Add RFC 1323 TCP window scaling support to pf(4).
Improvements to wi(4) hostap timeouts.
Add new ssh-agent(1) -t option to set the default key lifetime.
Add a generic watchdog interface and sysctl(8) kern.watchdog.
Shrink wi(4) and save some space on the install floppies by removing hostap code when compiled with -DSMALL_KERNEL.
Use the right variable type when traceroute6(8) fetches the default hop limit via sysctl(3).
Tweak compat_linux(8) socket syscall emulation. Improves emulation of programs using UDP.
Fix an incorrect argument length passed to setsockopt(2) by traceroute6(8).
bzero() after malloc(9) in siop(4).
[Applied to stable]
Have /etc/rc generate the BIND 9 rndc(8) shared secret if it doesn't exist.
Add BIND 9 configuration files.
Skip DNSSEC programs in BIND 9.
Begin import of BIND 9.2.2rc1. (Local changes documented in README.OpenBSD.)
Fix some silly pastos in pfctl(8) table code.
Create /var/empty/dev/log for programs that chroot(2) to /var/empty.
Fix a typo in pf(4) DIOCRSETTFLAGS implmentation, so it doesn't look like changing a table flag created a table when in fact it deleted one.
Stop syslog(3) from reconnecting to /dev/log on an ENOBUFS as this doesn't help, and it hurts chroot(2)'ed processes.
[Applied to stable]
Change chroot(2)'ed daemons portmap(8), rstatd(8) and rusersd(8) to use openlog(3) with LOG_NDELAY.
Implement sigaltstack(2) under pthreads.
Copy the thread sources (including CVS history) from lib/libc_r to lib/pthread, and move libc_r into the Attic.
Make pfctl(8) show more information with -vvs[rn] for rules containing tables.
SECURITY FIX: A double free in cvs(1) could allow an attacker to execute code with the privileges of the user running cvs. This is only an issue when the cvs command is being run on a user's behalf as a different user. This means that, in most cases, the issue only exists for cvs configurations that use the pserver client/server connection method.
A source code patch is available.
[Applied to stable]
Add an invalid ioctl sanity check to gif(4).
Bring perl(1)'s build into line with the libc_r -> pthread move.
Big improvements to a.out library dependency handling.
Make select(2) a thread cancellation point as per the standard.
Fix some locking-related raidctl(8) panics.
Updates to unifdef(1).
Fix a null deref in pfctl(8) when processing the -k option.
Big cleanup of host() in the pfctl(8) parser.
When running pfctl(8) with insufficient privileges to open /dev/pf, make the -n option work as a syntax checker for table commands.
Unbreak pf(4) nat random source port assignment. Now a rule has to actually ask for static-port in order to get it.
Enable the pfctl(8) 'static-port' keyword.
Extensive ld(1) changes to better protect ELF executables from tampering (see the checkin comment for details).
Add new output format option '-f' to ncheck_ffs(8).
ncheck_ffs(8) no longer reports when the set[ug]id bits are set on directories, since these are meaningless in OpenBSD.
Fix a missing YYERROR in the pfctl(8) parser.
Deal with cd(4) drives that are picky about being asked to play the leadout track.
Note with regret and sadness that the freely available PCI vendor and device list is no longer available.
Bring protocols(5) more into line with current reality.
More improvements and device additions to pciide(4).
Explicity use the first path found by glob(3) instead of indexing with an uninitialised variable in sftp(1).
Small fixes to whois(1).
Create PIC archives for a number of X libs, useful for ports that create shared libraries.
Stop nfsstat(1) displaying info for the no-longer-supported NQNFS protocol.
Fix nfsstat(1)'s filesystem id lookup, and a minor buffer overrun.
Fix some minor bugs in pf(4) table creation.
Have pfctl(8) recognise the '-T load' option like it used to.
Plug a memory leak in the pf(4) table code when using PFR_FLAG_DUMMY.
For the benefit of dhclient(8), allow outbound pings from the initial pf(4) rulebase installed by rc(8).
Pull all the IP address parsing code of pfctl(8) into one place.
Goodbye libc_r and libnpthread, hello libpthread.
Check for and report read errors in md5(1).
Stop sftp(1) uploading or downloading non-regular files.
/etc/weekly is now built (by default) in /var/tmp rather than /tmp.
Add an extra sanity check in malloc(3) to prevent size_t overflows.
Better input checking and error handling in the pf(4) table code.
Begin converting vmstat(8) with the -i option to use sysctl(3) instead of kvm.
Start work on NVIDIA nForce support.
pfctl(8) now supports CIDR-notation IPv4 addresses when manipulating tables.
Some command-line fixes and tweaks to rusers(1).
Stop rm(1) with the -P option from overwriting files with multiple links.
Fix handling of addition and subtraction of negated addresses to tables in pfctl(8).
In ssh(1) only show the socket(2) error for the last address to which one tries to connect.
Don't fill files full of holes with ftruncate(2) after a write error in rcp(1) and scp(1).
Add a progress meter to the sftp(1) client.
Remove fetch(9) and store(9) from the kernel, and replace calls to them with their copy(9) descendants.
Various strl* return value checks in pfctl(8).
Initial support for queue statistics display for pfctl(8) (-vsq option).
'Default-Phase-1-Configuration' -> 'Default-phase-1-configuration', 'Default-Phase-2-Suites' -> 'Default-phase-2-suites' in isakmpd(8).
New table manipulation syntax for pf.conf(5), and a corresponding new -Tl option for pfctl(8).
Add support for active/inactive pf(4) tablesets in the kernel
Enable SET/ACK in isakmpd(8) when acting as an ike-mode-cfg responder.
[Applied to stable]
Improvements and fixes to batch mode sftp(1).
Big strlcpy/strlcat(3) makeover for csh(1).
Stop compress(1) from clobbering an existing output file if the input can't be opened.
gcc(1) attribute(sentinel) improvements.
Improvements to whois(1): Can specify port with -p; recursive IP lookup; INICHOST (-i) is now netsol.
Remove old altq packet-classifier code from the kernel now that pf(4) does its job instead.
pfctl(8)'s string parser can handle strings beginning with an underscore, useful for all those new daemon usernames.
Have authpf(8) clean up after failed previous incarnations of itself.
Don't allow s[eh]mmni to be set (via the newish sysctl(8) interface) greater than 0xffff, to prevent id collisions due to wraparound.
pf(4) tables now spring into and out of existence on demand.
Fix the sudoers(5) parser's handling of EOF not preceded by newline.
Stop sftp(1) from always adding u+w permissions to files pulled by get -p.
Values set in sysctl.conf(5) can contain spaces when quoted as for sh.
shmctl(2) can now operate on segments marked for removal.
In compress(1), don't trip the 'may not mix -o, -c or -t' warning by mistake, and don't choke on stdin when compressing.
Add mg(1) the +number option, which moves the point to the given line of each file.
Correct a couple of {dup,reply,route}-to problems related to nat pools.
Create a new group, _lkm, and install modstat(8) setgid to it instead of to kmem.
pstat(8) now only does kvm_openfiles(3) for the -v option, the rest is obtained using sysctl(3).
cp(1) sets permissions later, so -R works when copying directories with no write access.
Fix a null deref in dlsym(3).
Avoid a rare division-by-zero in ps(1) that could occur on non-IEEE systems like the vax.
Remove the endianness from bktr(4). Enable on macppc.
Make sure we don't try to free a null pointer in whois(1).
Change 'no-route' implementation from a flag in the pf(4) rule address to an address type.
Make pf(4) skip-step calculation honour the 'no-route' keyword.
Remove code in ld(1) to force linking against a specific library version.
[Applied to stable]
Add console support for Polish and Turkish keyboard layouts.
Add the userland support for pf(4) tables to pfctl(8) and authpf(8).
Remove reference to the now obsolete screenblank from /etc/rc.
Fix dig(1) time display on 64-bit big-endian targets.
Do a bridge(4) routing update if the source interface is in the LEARNING state, not the destination interface.
ftp(1) does a better job of detecting a failed cd command.
Have syslog(3) parse '%%m' correctly.
Fix a null deref in at(1).
Require a direction for pf(4) rules that do routing.
When combining (route|reply)-to and translation in pf(4) rules, make sure a state table insertion is only attempted once.
Update to sendmail 8.12.7.
Have tcpdump(8) display all pf(4) rule types instead of just pass/block rules.
Make the pf(4) table code handle duplicate table names and/or duplicate addresses in a single ioctl(2) call.
Remove the pf(4) skip-step for rule action (scrub or no-scrub).
Properly update pf(4) scrub rule statistics.
Put pf(4) scrub rules into a ruleset separate to filter rules.
Implement policy suggestions in xsystrace(1).
Adios amiga and sun3 platforms.
Don't overrun the buffer when listing route entries via sysctl(3).
Fix strtok_r(3) breakage in libwrap that was causing EXCEPT rules to fail.
Add a missing exit(3) in pfctl(8).
Correctly ignore the case where a directory with the desired executable name appears in one of the paths searched by exec[vl]p(3).
Set a default pf(4) state table size of 10000 entries.
In pf.conf(5), change keyword 'ipv6-icmp-type' to 'icmp6-type' and instead of 'proto ipv6-icmp' allow 'icmp6'
Fix a C++ compiler problem with Kerberos IV's krb.h, similar to the cdefs.h fix earlier.
Avoid a null deref when parsing the command line of make(1).
Allocate memory for connections to spamd(8) based on the -c command line option.
Make cd(4) try more often than other scsi devices, and don't ignore 'not ready' status from the bus.
Add a parameter for the number of retries when waiting for a scsi device to come ready (scsi_test_unit_ready()).
If semop(2) has to do a tsleep(9), wake it back up at a much lower priority.
Wait until a semaphore undo structure can be allocated if one isn't available immediately, and check that another hasn't been allocated to our process while we were waiting.
Properly check SOCKS connection return code in nc(1).
More firewire fixes. Concurrent devices support on the way.
Remove outdated references to NFS as an installation source from the install notes.
Fix HOSTAP_FLAG_BITS in wi(4).
Make 'pfctl -a name -s[rn]' show all rules or nats in all rulesets on anchor 'name'.
In authpf(8), set the macro '$user_id' to the username.
Fix a couple of missed semaphore counter updates.
Add kernel portion of pf(4) support for efficient tables of addresses (currently implemented as radix tables similar to the kernel routing table).
Remove an extraneous semicolon in <sys/cdefs.h> that broke some C++ compilers.
Fix an amusingly incorrect calloc(3) size in nc(1).
Allow the log keyword in pf(4) scrub rules.
Some fixes to pf(4) ioctl handling.
When pf(4) is routing a stateful connection, use the correct pool address.
Fix kernel pf(4)'s ability to match binat-anchor rules.
Add a missing initialisation that was causing a crash in pf(4).
Add spamd(8) support to rc(8). rc.conf and root's crontab.
More paranoia checks in kernel pf(4) routing.
Unbreak spamd(8)'s connection timeout.
Honour the -R and -N flags to pfctl(8).
Tweak gcc(1)'s handling of inline functions w.r.t. the stack protector.
New _spamd user and group for, uh, spamd(8).
Fix pfctl(8)'s display of 'control' keyword for CBQ rules.
Make libc/md/md5c.c compile again for big-endian machines.
Avoid a null deref in pppd(8).
Remove a couple of extra ntohs(3) calls in pfsync(4).
Cleanup of atactl(8).
Fix device attachment bug in siop(4).
[Applied to stable]
Update Perl's Safe(3p) module to 2.09, fixing a security hole.
[Applied to stable]
newsyslog(8) error messages now contain the line number.
Have 'chroot -U' do a setlogin(2) if the caller is, or can be made into, the session leader.
Make chroot(8) check for $SHELL defined as null as well as for undef.
Increase the receive buffer length of the correct socket in syslogd(8).
Fix pfctl(8)'s display of binat rules that use nat pools.
authpf(8) rules are now managed in their own anchor instead of at the end of the main rulebase. New *anchor rules are needed to activate authpf.
Make sure the queue identifier returned by msgget(2) is greater than zero.
Correctly display pf(4) rdr rules with no proxy port.
Fix a missing initialisation in pfctl(8).
Add spamd(8), which uses new pf(4) features to stop spammers even hitting the mail server.
Fix an Alpha-specific crash in pfsync(4) by using bcopy() instead of structure assignment.
Fix a use-after-free() in mailwrapper(8).
Add a new kernel pool(9) flag, PR_DEBUG, the use of which causes pool memory to be malloc(9)'d using M_DEBUG.
Add new kernel malloc(9) type M_DEBUG.
Also support CORENIC handles in whois(1).
Add dsiz and ssiz keywords to ps(1) to show data size and stack size respectively.
Update awk(1) to 'one true awk' version 20021213 (Friday 13th ed.)
Add the -6 and -c registry shortcuts to whois(1), and deal with VNIC handles starting with '!'.
Better resolver error checking, a few fixes and a lot of message cleanup in ftp-proxy(8).
Stop '-k' being used as an abbreviation for '--keep-locals' in GNU as(1).
Optimise pf(4) skip-step calculation to O(n) from O(n-squared).
Fix pf(4) 'no {binat,nat,rdr}' evaluation.
Allow pfctl(8) (with the -vsn) option to display translation statistics as -vsr does for rules.
When logging pf(4) rules from anchored rules, display the *anchor rule number, not the rule number within the anchored rules. (Hopefully both will be displayed sometime soon.)
Make sure that state table entry display doesn't try to print rules that are no longer in place.
Prevent changes to different rule types overwriting pf(4) DIOCCHANGE* tickets.
Support a single destination port in pf(4) rdr-anchor rules.
Match pf(4) {binat,nat,rdr}-anchor parsing to what is actually supported.
Always compile in PRIQ and HFSC schedulers if ALTQ is included in the kernel.
Make SysV shared memory and semaphore limits configurable via sysctl(8). Oh yes.
whois(1) no longer barfs totally if just one of its query list is not found.
Add PRIQ scheduler support to pfctl(8).
su(1) only calls setlogin(2) if it's the session leader (as noted in the setlogin manpage).
More compress(1)-works-like-gzip(1): Add -r (recurse) option, and make it truncate existing files when extracting.
Since pf(4) rule comparison is now done in userland, remove unused pf_compare* functions from the kernel.
pf(4) DIOCCHANGE* ioctls now require a ticket, to prevent races.
Merge pf(4) nat, binat and rdr structures and pools into pf_rule.
Fix the signedness of wsconsctl(8) variable display.focus, so a test against -1 now makes sense.
Teach imake(1) how to detect automagically the gcc(1) stack protector.
Now pf(4) supports other queue types, only try to create a root queue for CBQ.
For some peculiar reason, support decoding in ppt(6).
Make linux emultation *stat64() work again.
Convert altq(9) disciplines HFSC, PRIQ and RIO to pf(4)-based (CDNR and RED to come,) and remove other queuing disciplines.
iostat(8), systat(1) and vmstat(8) now update their disk stats automatically when a device is detached.
Enable login failure recording by default, by installing a blank /var/log/failedlogin (see login(1)).
Fix some problems with the new inlined <ctype.h> functions on 64-bit architectures.
Make cdio(1) deal properly with multiline CDDB responses.
Add a second 'priority' queue to be specified in a pf(rule), currently used for low-delay ToS packets. Great for ToS-savvy programs like ssh(1).
Revert nc(1) to the old behaviour, so it exits when the read descriptor is closed instead of requiring both read and write to close.
Cosmetic fixes to scp(1).
Allow some ordering freedom for pf(4) scrub rules.
Lots of firewire fixes. Add SCSI-over-FireWire support
Compare all the bytes of a pf(4) nat pools key, instead of comparing the first byte four times.
Fix a linkage problem that stopped 'make build' working with DESTDIR set.
Remove setgid(kmem) from trpt(8).
pstat(8) can now get the tty list using sysctl(3) insteam of kvm_read(3).
Fix systrace(1) logging so it works for non-translated calls too.
Stop close(2) clobbering errno in ld(1).
Convert <ctype.h> macros into functions so they are consistent with those in libc.
Change XDR.x_handy from int to u_int to avoid sign bugs.
Make ar(1) work more like its GNU and Solaris counterparts and not require an archive for the d,m,q and r operations.
Fix an mbuf-related panic in kernel PF_KEY v2 code.
More ANSIfication in /sbin.
Fix a potential (non-exploitable) buffer overrun in the httpd(8) macro FIX_PRECISION.
Add missing snprintf(3) error check to config(8).
When mounting the root partition via NFS, call inittodr(9) with the root filesystem's atime rather than its mtime (since it's likely to be read-only and pretty static).
Renumber some (debug only) tun(4) ioctls so they don't clash with ppp(4).
Make sure user(8) cleans up properly on failure by calling pw_abort(3).
Check the interface is running first to avoid doing unnecessary STP processing in bridge(4).
Before login_getcapstr(3) destroys the information, check that the value of $SHELL given to ssh(1) is the same as the user's real shell.
Remember to take the address of the structure on which we're using bzero(3) in the libc stack protector code.
Hack setsockopt(2) under linux emulation so that SO_REUSEADDR works as expected.
Use libc's getopt_long(3) instead of the private version found in a number of GNU programs.
Fix a typo in bridge(4) so that pf(4) actually gets applied to outbound frames...
Yet more string function paranoia in pfctl(8).
Allow bridge(4) to set the STP path cost.
Add support for regular expression matches in systrace(1) filters.
In systrace(1), don't allow 'permit' to be used on aliases.
Now that options to pf(4) rules can mostly be in any order, check for and disallow repeated options.
Handle '-' as stdin or stdout appropriately in uniq(1).
strncpy -> strlcpy in pfctl(8).
Make compress(1) accept most of gzip(1)'s long options. Some cleanup also.
Continuing compatibility tweaks to getopt_long(3).
pf(4) queue options can now be in any order. The 'scheduler' keyword is no longer used.
More rule shrinkage: The 'fromto' part of a pf(4) is now optional and defaults to 'all', so e.g. 'block' == 'block all' == 'block from any to any'.
pf(4) anchor rules now support parameters, so 'anchor name proto tcp from any to any port smtp' works.
Remove support for the '-a otp' flag from telnetd(8). Use login.conf(5) instead.
Make su(1)'s -a flag work again.
'pfctl -s' now prints out addresses in rules in the order they are entered.
When telnet(1) receives a SIGPIPE when writing to the terminal, treat it like a user SIGQUIT.
Have pfctl(8) use the actual interface MTU instead of assuming 1500.
Convert string key hashes in pfctl(8) to network byte order.
Fix a bug in Xaw that reads the wrong error return from open(2).
All the games set up the RNG with srandomdev(3) instead of by lesser means.
Have isakmpd(8) set the transform from the Default-Phase-1-Configuration.
Make srandomdev(3) fall back to using sysctl if it can't open /dev/arandom.
Make the libc getopt_long(3) more compatible with GNU.
Output from 'pfctl -v' is now valid input to pfctl(8).
Make section and tag comparisons in isakmpd(8) case-insensitive.
Allow a null direction in pf(4) rules, so e.g. 'block all' is now valid.
Add named rulesets support to pf(4), invoked from 'anchor' rules in the main ruleset.
Kernel memory allocation debugging can now be used anywhere - if the debugging pool is not yet initialised, it just does nothing.
Fixes to getopt_long(3).
Rule numbers are no longer output by 'pfctl -v'. Use '-v -v' to get them back.
Make scp(1) handle systems with odd block sizes better.
Drop unnecessary altq devices from the kernel.
Pass correct sizes to memset in ping6(8).
Make bridge(4) behave better when running spanning tree: Flush the dynamic MAC cache when the forwarding/blocking state changes, and only forward packets while in the forwarding state.
Make isakmpd(8) accept ACQUIRE requests with a null EXT_ADDRESS_SRC.
In pf(4), apply a netmask consistently.
Crank the major version numbers of the X libraries.
Continuing cleanup and shrinkage of the installer scripts.
arp(8) now prints the interface name with which an address is associated.
Big cleanup up mixerctl(1).
Import a GNUish getopt_long(3) from NetBSD.
Add -4 and -6 command line options to isakmpd(8) to select the address family to use.
Better MTU setting for pfsync(4).
Correct a missed initialiser in raid(4).
Have pfctl(8) play nice and shut down its sockets when it's done.
Crank all (system) library major numbers now that propolice is in.
Make a copy of rather than just refer to a string in ld(1). Cures some ports linking problems.
Allow options at the end of pf(4) pass and block rules to come in any order.
Make the bandwidth specifier optional in altq rules (as well as queue rules). As a side effect, the altq rules can now have "bandwidth xx%" where the percentage is taken w.r.t. the interface bandwidth.
Implement legacy functions ecvt(3), fcvt(3) and gcvt(3) for standards compliance.
Add propolice stack attack protection into gcc(1).
Updated unifdef(1).
Make a copy of the return value of basename() before recording it in the bfd, fixes the "NEEDED crtend.o" problem that many ports had to work around. [Applied to stable]
Don't have the X server drop privileges if started by root and from a non-standard config path.
Tweaks and fixes to pf(4)'s ioctl code.
Teach tcpdump(8) about pfsync(4).
Add new pseudo-device pfsync(4), exposing changes to the pf(4) state table.
Kill a null deref in pf(4).
Wrap some noisy altq printf()s with #ifdef ALTQ_DEBUG.
file(1) gets a new option, -b, which supresses the output of the pathname.
Allow a qlimit to be specified in pf(4) altq rules as well as in queue rules.
Use a custom hash function (based on that in if_bridge.c) for pf(4) source-hash nat pools instead of MD5.
tcpdump(8) checks for invalid icmp6 option length.
page_dir update fixed in realloc(3). MALLOC_OPTIONS=J is now honoured in realloc() as well.
'fc -e' now works when ksh(1) is invoked in 'sh' mode.
Allow usernames given to ssh(1) to contain '@' characters, i.e. the hostname follows the last '@'.
Tweaks to pf(4) altq rules display.
Stop daemon(3) closing descriptors that isakmpd(8) needs.
Have pfctl(8) read correctly the tbrsize spec.
Fix underflow and wraparound in socket timeout calculation.
Make IPv6 work in Linux emulation mode, though not for IPv4-mapped addresses.
The bandwidth statement in pf(4) queue rules is now optional.
Change pf.conf(5) ordering so translation is now after queue...
Parse more include files so that kdump(1) knows about more ioctls.
Pass in the right structure to DIOCCHANGEADDR.
Fix 'pfctl -Fq' so altq(9) gets flushed and reset properly.
setuid() -> seteuid() in ftpd(8).
Tweak pf(4)'s handling of address families in rules.
Make pfctl(8) fetch the address properly for lo(4) with LINK1 set.
Use 1KB = 1000B instead of 1024B when dealing with bandwidth in pf(4).
Fix URL CRLF injection bug in lynx(1).
[Applied to stable]
Add a missing check for snprintf errors in identd(8).
Protect arc4_getbyte() with an splhigh().
Some cleanup in talkd(8).
When malloc(3) stats dumps are enabled, warn if atexit(3) fails.
Enforce new pf.conf(5) ordering: options, normalization, translation, queue, filter.
Copy TAILQs properly in pfctl(8).
Remove a potential access-after-free in libc's syslog code.
New manual page gcc-local(1) documenting OpenBSD-specific changes to gcc(1).
So farewell, then, altqd(8) and friends.
Better pfctl(8) altq rule error checking.
Fix a potential null deref in pfctl(8)'s parser, and some general cleanup.
Make sure authpf(8) and pfctl(8) don't try to issue ioctls when running with -n.
Implement 'nat pools' in pf(4), allow redirection using (nat, rdr, route-to, dup-to and reply-to) to multiple addresses.
Improvements to the ELF loader.
Some snprintf paranoia in BSD auth, also some extra initialisation.
Added new example dir /usr/share/pf, and example queue rulebase /usr/share/pf/queue1 to show how cool pf+altq is.
Stop authpf(8) accepting non-interactive sessions.
'pfctl -v' displays altq and queue lines, including child queue assignment.
Match the queue to the return type (icmp-unreach or RST) for pf(4) block rules.
Use a quad_t instead of an int, and fix rlimit sizing for >2GB machines.
Fix some strncpy(3) lengths in telnetd(8).
Add _tokenadm and _radius groups so their respective login programs can be setgid instead of setuid(root).
Add _shadow group and change group and mode of /etc/spwd.db to match
Add atoll(3) and strerror_r(3) to libc.
Add simple multiple-card load balancing to crypto(9) and add a simplified driver registration API.
Some int -> unsigned int in isakmpd(8).
New -n option for syslogd(8) to disable DNS lookups.
Correct a format string bug in routed(8)'s, er, Makefile.
Fix at(1) breakage when two jobs are set for the same time.
[Applied to stable]
Correct a use-before-init in xterm(1).
Create a simple lookup table mechanism [dev/pci/pci.c:pci_matchbyid()] to match PCI device IDs, and have several drivers use it.
vi(1) catalog updates: Fix Russian, add Polish and Ukrainian.
Fix an off-by-one when reading ICMP types and codes by name in pfctl(8).
Merge of altq(9) and pf(4), still some work left to do.
Don't overwrite SIG{INT,QUIT,TERM} handlers in ssh(1) if they're set to ignore. This mirrors rsh(1) behaviour.
Make sure skey(1) issues a fake challenge for a user without an S/Key file.
Enable the pthread library, but install it as libnpthreads so autoconf scripts don't pick it up and use it with -lpthread as well as using -pthread.
In ftpd(8), prohibit user id changes once logged in, and run more stuff as the logged-in user.
Add 'Default-Phase-1-Configuration' to isakmpd(8).
Be more careful when loading RSA1 key files in ssh(1).
Fix isakmpd(8)'s handling of multiple values and continuation lines.
Improvements to ld.so(1) symbol lookup failure messages.
Allow DNS queries from the initial rulebase loaded by /etc/rc, so pfctl(8) can load at boot-time rulebases containing DNS entries.
SECURITY FIX: A buffer overflow in named(8) could allow an attacker to execute code with the privileges of named. On OpenBSD, named runs as a non-root user in a chrooted environment which mitigates the effects of this bug.
A source code patch is available.
[Applied to stable]
Create links from curses(3) libs to ncurses, to satisfy autoconfiguration scripts that expect the latter instead of checking properly.
pf(4) scrub rules now are subject to the same list expansion as other rules.
Add label macro '$if' to pf.conf(5), now we can have interfaces in expansion lists.
Add some missing pointer initialisations in pfctl(8).
Add a null transform to crypto(4), enabled via sysctl kern.cryptodevallowsoft=1.
Fix systrace(1)'s determination of the execve(2) filename.
Kernel IPsec code checks for short IP headers.
[Applied to stable]
systrace(1) checks for invalid system call numbers.
Make su(1)'s login emultation mode work even more like login(1).
Avoid a possible reference count leak in kernel file descriptor code.
Remove bogus operations on the not-yet-existent file descriptor table in libc_r.
Implement simple vnodeops inheritance for specfs and fifofs,
ftp(1) can now follow HTTP redirects.
Have scp(1) properly reflect check the exit status of its ssh(1) process if an error occurs.
Fix some invalid pointers in pf(4)'s ioctl(2) handler.
Stop makewhatis(8) moaning about non-existent directories.
Don't use the HostbasedAuthentication switch to ssh-keysign(8); instead, add new option EnableSSHKeysign to ssh_config(5).
Have groupdel(8) check that the named group exists.
Allow '$' as the last character of a username, to appease Samba.
Make sshd(8)'s -e option (log to stderr) work.
Make the minimum file rotation size 512 bytes instead of 512Kbytes...
Rearrange payload length check for ESP packets so packets with NULL encryption are tested also.
[Applied to stable]
Don't allow a simple non-existent server to crash altqstat(1).
Solve problems static linking with -lpthread. (-static -pthread still broken.)
Stop up a couple of memory leaks in isakmpd(8).
Fix a few bugs in mount(8), and make its command line arguments handling more consistent.
Keep a correct reference count to the file referenced by ioctl(2) under SVR4 emulation.
Gracefully handle broken firewalls that block ECN-enabled TCP sessions by falling back to non-ECN.
[Applied to stable]
Some thread-safety fixes to libc.
Add a cast to handle properly size_t larger than u_int in ssh(1).
Fix some problems gzip(1) had displaying information on files > 2GB.
Serve pf(4) a strong draught of CIDR (e.g. can use 10/8 now instead of 10.0.0.0/8).
-STABLE branch created for 3.2. smrsh, pfbridge and kadmind errata fixes applied to it.
When checking a filename in ssh(1), don't fail when realpath(3) for the user's home directory - this happens legitimately when using AFS.
Do a better job when comparing dynamic addresses in pf(4).
In pf(4) AF macros, operate on the whole address (all 128 bits) unless AF_INET is set.
Fix perl(1)'s MakeMaker so manpages get installed the way we like.
Plug a memory leak in IPv6 (ip6_output.c)
Make sure processes aren't added to the process list until they're completely initialised.
Implement some 4.3BSD emulation functions in terms of setresuid() etc.
Use the new setresuid() etc. calls for FreeBSD, HP-UX and Linux emulation of the same calls.
Implement [gs]etres[gu]id(2) system calls. Minor version bump for libc and libc_r.
Many fixes to signal and fd handing under threads.
Fix pf(4) interface expansion.
Better GRE output from tcpdump(8).
New -U option to chroot(8) that sets the uid, gid and group vector from the password database.
To a chorus of approval, add the 'set require-order [yes|no]' option to pf.conf(5).
Remove a bogus test in dd(1) that stopped a perfectly legal seek on a character device.
Merge mod_ssl 2.8.12, fixing a cross-site scripting bug and two off-by-ones.
[Applied to stable]
Add a missing break statement in systrace(1)'s arguments parsing code.
Add getdents64() support under Linux emulation.
Merge in Perl 5.8.0.
Have pool elements' sizes rounded up to the alignment passed to pool_init(9) instead of relying on the architecture's ALIGNBYTES value.
wi(4) can now do pointless-but-common WEP encryption in software for Prism and Symbol cards. Useful if your card doesn't do weak IV avoidance (or if you trust your BSD more than your hardware manufacturer,) and also serves as a framework for better wireless crypto protocols.
The installer unpacks siteXX.{tgz,tar.gz} files last so that site-specific tarballs always overwrite standard files.
Remove the error-prone and robustness-principle-defying 'flags X' (as opposed to 'flags X/Y') syntax from pf(4)
Be a little less 32-bit-centric in libcrypto.
Have route6d(8) and rtsold(8) use poll(2) instead of select(2) as well.
Change atoi(3) to strtoul(3) in route6d(8).
Change a number of header files so NULL is now defined as 0L instead of 0, and so is the same size as a pointer.
Add to chroot(8) the ability to set the uid, gid and group vector after doing the chroot(2) call.
Some additional paranoia added to authpf(8).
Have pf(4) test rule labels as well when comparing rules.
Fix a few instances where %ul was used instead of %lu.
Use poll(2) instead of select(2) in ping6(8)
More picky argument parsing in traceroute6(8) and ping6(8).
A couple of tmpnam(3)s become mkstemp(3) in httpd(8).
Lots of int -> u_long in traceroute6(8).
Correct an off-by-one in wi(4).
Fix a printf format string typo in pfctl(8).
Make pfctl(8) apply the netmask to addresses right away, so bogus netmasks show up as munges network numbers in -v output.
Correct a couple of typos in pf(4)'s ioctl() code.
Fix a null deref in libc_r.
Make sure the user process tally is right when kernel stack space can't be allocated for the new proc.
Correctly count the total number of processes in the system.
SECURITY FIX: A buffer overflow can occur in the kadmind(8) daemon, leading to possible remote crash or exploit.
A source code patch is available.
[Applied to stable]
Add partial support for the 21145 chip to dc(4).
Have xconsole(1) get a pseudoterminal using openpty(3) instead of going all #ifdef.
More NULL -> (void *)NULL, this time in XFree, to make sure varargs sentinel is pointer-width.
pax(1) now honours @LongLink, and has a new option to stop the next volume prompt.
Improved media support and a boundary check fix for wi(4).
Have route(8) correctly interpret -prefixlen 32 (or 128 for IPv6) network as a host route.
Enable uvm_tree_sanity() check #ifdef DEBUG.
Fix a potential null deref in route(8)'s arguments parser.
Renumber ch(4) CHIO* ioctls. Old definitions renamed to OCHIO*, binary backwards compatibility will be left in intact until post-3.3.
Teach kdump(1) to print AUDIO_* ioctls, and add a few missing syscall defines.
Support fxp(4) on big-endian architectures.
pf(4) allows protocols to be specified by a (valid) protocol number.
Add a missing free() in pflogd(8).
Treat manually- and auto-configured IPv6 address prefixes the same way.
For positively POSIX reasons, implement isfdtype(3).
Bring pax(1)'s date handling code back into sync with that in date(1). Four digit years parse now.
Start to break out machine-dependent parts of MAKEDEV(8) into separate files.
Send ksh.kshrc label() and ilabel() output to /dev/tty insted of stdout, so command output streams doesn't get messed up.
systrace(1) supports system call-granularity privilege elevation!
Correct a typo in systrace(1) that was causing group predicates to be evaluated incorrectly.
Range-check values given to atactl(8).
Better mask comparison for pf(4) binat.
Remove the setuid bit from login(1). If run with a non-root euid, it invokes su(1) with the new -L flag.
Add '-L' flag to su(1) to make it work like login(1).
Enable the META key in ksh(1) for 7-bit locales.
Make sure some varargs end-of-list sentinel NULLs are pointer-width.
Fix a subtle dangling pointer bug in BSD auth.
Sync Brazil's Daylight Savings Time handling with new reality.
[Applied to stable]
Stop makewhatis(8) grumbling about having Perl 5.8.x instead of 5.6.x.
In the X server, work around problems caused by certain MTRR configurations whose details are only available under NDA.
Kernel tweaks and hacks in preparation for GCC 3.x (kern/subr_prf.c)
A logic error in the pool(9) kernel memory allocator could cause memory corruption in low-memory situations, causing the system to crash.
A source code patch is available.
[Applied to stable]
pf(4) can now binat a whole netblock with one rule.
Remove a potential null pointer deref in BSD authentication code.
Fix a bad printf format string in ftpd(8). Non-critical because it's only ever fed by parts of the authentication system which sanitise the input first.
[Applied to stable]
Do some more unsigned checks to system call parameters, as with the setitimer(2) erratum.
[Applied to stable]
Prepare the GNU floating-point emulation code on i386 for ELF.
Update stable to OpenSSH 3.5.
Catch some endianness nits and add zero-padding of keys in wi(4).
Teach ALTQ CBQ the pf(4) API. The old API remains for now.
RELIABILITY FIX: Network bridges running pf with scrubbing enabled could cause mbuf corruption, causing the system to crash.
A source code patch is available.
[Applied to stable]
Fix a bug in m_tag_copy_chain().
Hush up noisy IPv6 neighbor discovery. Can be made loud again using sysctl net.inet6.icmp6.nd6_debug.
SECURITY FIX: An attacker can bypass the restrictions imposed by sendmail's restricted shell, smrsh(8), and execute arbitrary commands with the privileges of his own account.
A source code patch is available.
[Applied to stable]
Make predicates part of systrace(1)'s grammar.
Start work on a merge of altq(9) and pf(4) functionality. Oh yes.
Add a missing htons() in talkd(8).
In pmdb, fix a crash that occurred when an attempt to set a breakpoint failed.
Support SA_RESETHAND support to libc_r, in preparation for SA_SIGINFO support.
Merge in Apache 1.3.27 and mod_ssl 2.8.11.
New block-policy option to set the default response to a block rule.
More rulebase reduction: "block return ..." now does The Right Thing, RST for TCP, ICMP for UDP, silent block otherwise.
pf(4) support for icmpv6 returns in response to block rules.
New reply-to rule option for pf(4), works like route-to but applies to reply packets in a stateful connection.
httpd(8) restarts work even when srm.conf is not present.
Have the X server complain less about unknown scancodes.
Initialise the uvm_pglistalloc result list in the function, instead of requiring the caller to do it.
syslog(3) and syslog_r(3) now take the new __syslog__ format attribute.
Make the default httpd(8) config files use php4 instead of php3.
pfctl(8) expands lists left-to-right instead of right-to-left.
Teach pf(4) how to filter on the IP TOS field.
Fix list handling problem in ALTQ CBQ that showed up with three or more CBQ instances.
smtpd(8) has left the building.
By default, add the -H option to the sort(1) invoked by locate.updatedb(8).
Give window(1) the stdarg treatment.
When routing via pf(4), use the outgoing interface as decided by the normal routing code, not the interface to which the rule applies.
Fix cross-site scripting vulnerability (CAN-2002-0840) in the default error page of httpd(8). Only applies under specific (and non-OpenBSD default) conditions. [Applied to stable]
In kernel IP processing, block interrupts with splsoftnet(9) around interface address routing table manipulations.
Make sure wi(4) doesn't accept out-of-range TX keys.
Stop ami(4) matching I2O-configured devices.
3.2 -> 3.2-current.