Release of OpenBSD 6.5

OpenBSD 6.5, a free, cross-platform UNIX-like operating system, has been released. The OpenBSD project was founded by Theo de Raadt in 1995 after a conflict with the NetBSD developers that ended with Theo being denied access to the NetBSD CVS repository. Theo de Raadt and a group of like-minded developers then created a new open operating system from the NetBSD source tree, with portability (13 hardware platforms are supported), standardization, correctness, proactive security and integrated cryptographic tools as its main development goals. The full installation ISO image of the OpenBSD 6.5 base system is 407 MB.

In addition to the operating system itself, the OpenBSD project is known for components that have spread to other systems and have proven to be among the most secure and well-engineered solutions available. Among them: LibreSSL (a fork of OpenSSL), OpenSSH, the PF packet filter, the OpenBGPD and OpenOSPFD routing daemons, the OpenNTPD NTP server, the OpenSMTPD mail server, the tmux text terminal multiplexer (similar to GNU screen), the identd daemon implementing the IDENT protocol, mandoc (a BSD-licensed alternative to the GNU groff package), the CARP (Common Address Redundancy Protocol) protocol for building fault-tolerant systems, the lightweight httpd web server, and the openrsync file synchronization utility.

Among the most notable changes: a portable version of bgpd adapted to run on other operating systems is introduced, root privileges have been dropped from Xenocara and tcpdump, the LLD linker is enabled by default for amd64 and i386, MPLS support is significantly improved, protection against return-oriented programming (ROP) exploits has been strengthened, a simple recursive DNS resolver called unwind has been added, an undefined behavior sanitizer has been integrated into the kernel, and OpenBSD's own implementation of the rsync utility has been introduced.

All improvements:

  • When building for the amd64 and i386 architectures, the LLD linker developed by the LLVM project is now used by default. For the mips64 architecture, support for building with Clang has been added;
  • New drivers: pvclock for the paravirtualized KVM clock and ixl for Intel Ethernet 700 series adapters. The uaudio driver has been replaced by a new implementation with USB Audio 2.0 support;
  • Improved performance of the bwfm, iwn, iwm and athn wireless drivers. Support for RTM_80211INFO messages has been added to the wireless stack to pass detailed interface state information to the dhclient and route commands. The default behavior when joining wireless networks has changed: if an auto-join list is configured, OpenBSD no longer joins unknown open networks (an empty network entry can be added to the list to restore the previous behavior);
  • The networking stack gains the new bpe (Backbone Provider Edge) and mpip (MPLS IP layer 2) pseudo-device drivers. Support for configuring alternative routing domains for MPLS interfaces has been added. The vlan driver now bypasses queue processing and transmits directly on the parent network interface. A txprio option has been added to ifconfig to control priority encoding in tunneled packet headers (supported by the vlan, gre, gif and etherip drivers);
  • The bpf filter implementation can now drop packets without capturing them. tcpdump uses this feature to filter packets at the earliest stage, as they arrive from the device;
  • The installer gains rdsetroot for embedding a disk image into the kernel's RAMDISK. Obsolete files from older releases are now removed during a system upgrade;
  • The unveil system call, which restricts a process's view of the file system, has been improved. The new version also matches relative paths resolved against the current process's working directory, and stat and access are no longer allowed on restricted components of file paths. The ospfd, ospf6d, rebound, getconf, kvm_mkdb, bdftopcf, Xserver, passwd, spamlogd, spamd, sensorsd, snmpd, htpasswd and ifstated programs are now protected with unveil;
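    As an added illustration of the unveil and pledge mechanisms mentioned above (example code, not part of the announcement or of OpenBSD itself), the program below exposes a single directory read-only, locks the unveil list, and then pledges only the promises it still needs. After that, opening a path outside the unveiled tree fails with ENOENT, as does stat or access on any component of such a path. The `restrict_fs` and `path_visible` helpers and the `/nonexistent-constructed-path` sample path are assumptions made for this example; on systems other than OpenBSD the two sandbox calls are compiled out as stubs so the file still builds there.

    ```c
    /* Added example, not from the OpenBSD 6.5 announcement: sandboxing a small
     * program with unveil(2) and pledge(2). Only the directory passed to
     * restrict_fs() stays visible (read-only); every other path lookup fails
     * with ENOENT. On non-OpenBSD systems the calls are stubbed so it compiles. */
    #include <errno.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    #ifndef __OpenBSD__
    /* Stubs for other systems: they neither hide nor restrict anything. */
    static int unveil(const char *path, const char *permissions)
    {
        (void)path; (void)permissions;
        return 0;
    }
    static int pledge(const char *promises, const char *execpromises)
    {
        (void)promises; (void)execpromises;
        return 0;
    }
    #endif

    /* unveil(2) permission strings consist only of the letters r, w, x and c.
     * Returns 1 for a valid non-empty string, 0 otherwise. */
    int unveil_perms_valid(const char *perms)
    {
        if (perms == NULL || *perms == '\0')
            return 0;
        for (; *perms != '\0'; perms++)
            if (strchr("rwxc", *perms) == NULL)
                return 0;
        return 1;
    }

    /* Expose only `dir` read-only, lock the unveil list with unveil(NULL, NULL),
     * then drop to the minimal pledge promises. Returns 0 on success, -1 on error. */
    int restrict_fs(const char *dir)
    {
        if (unveil(dir, "r") == -1) {
            perror("unveil");
            return -1;
        }
        if (unveil(NULL, NULL) == -1) {   /* no further unveil calls allowed */
            perror("unveil lock");
            return -1;
        }
        if (pledge("stdio rpath", NULL) == -1) {
            perror("pledge");
            return -1;
        }
        return 0;
    }

    /* Try to open `path` read-only. Returns 1 if it is reachable, 0 if the
     * kernel reports ENOENT (hidden or absent), -1 on any other error. */
    int path_visible(const char *path)
    {
        int fd = open(path, O_RDONLY);
        if (fd >= 0) {
            close(fd);
            return 1;
        }
        return (errno == ENOENT) ? 0 : -1;
    }

    int main(void)
    {
        if (restrict_fs("/etc") != 0)
            return 1;
        /* On OpenBSD the first line prints 1 and the second prints 0, because
         * /var lies outside the unveiled tree and is hidden with ENOENT. */
        printf("/etc/hosts visible: %d\n", path_visible("/etc/hosts"));
        printf("/var/log/messages visible: %d\n", path_visible("/var/log/messages"));
        return 0;
    }
    ```

    The order matters: unveil calls come first, `unveil(NULL, NULL)` locks the set so the process cannot widen its view later, and the final pledge omits the "unveil" promise, so even a compromised process cannot call unveil again.
    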
  • Clang's mitigations against return-oriented programming (ROP) have been improved, significantly reducing the number of polymorphic gadgets present in the resulting executables for the i386 and amd64 architectures;
  • Improved performance and security of Clang's RETGUARD protection mechanism, which is intended to make exploits based on code reuse and return-oriented programming harder to build. For speed, data is kept in registers rather than on the stack whenever possible, and the processor cache is used more efficiently on return. RETGUARD now also replaces the traditional stack protector on amd64 and arm64 systems;
  • Improved network stack utilities: pcap-filter gains support for filtering MPLS packets; ospfd, ospf6d and ripd can now set route priorities; ripd is now protected with pledge; sff and sffdump modes have been added to ifconfig to read diagnostic information from optical transceivers;
  • First release of the new unwind resolver, which handles recursive DNS queries and accepts connections only on the 127.0.0.1 interface. unwind is designed for client systems such as laptops that move between wireless networks. If it detects that DNS traffic is being blocked on the local network, unwind switches to the recursive DNS server address supplied via DHCP, but keeps periodically trying to resolve on its own, and as soon as direct queries get through again it returns to querying DNS servers independently;
  • bgpd memory consumption has been reduced; a simple rule optimizer has been added (it merges filter rules that differ only in their filter sets); the BGP MPLS VPN configuration process has changed; support for IPv6 BGP MPLS VPN has been added; "as-override" has been implemented to replace the neighbor's AS with the local AS in paths; multiple communities can now be matched in a single rule; the new match keywords "*", "local-as" and "neighbor-as" have been added; handling of large rule sets has been improved; new commands for working with neighbor groups have been added ("bgpctl neighbor group", "bgpctl show neighbor group", "bgpctl show rib neighbor group"); and bgpctl can now add networks to BGP VPN tables. For the first time, a portable version, OpenBGPD-portable, has been prepared that runs on systems other than OpenBSD;
  • The kubsan option has been added to detect undefined behavior in the OpenBSD kernel;
  • The tcpdump utility no longer uses root privileges at all;
  • Improved malloc performance in multi-threaded applications;
  • An initial version of openrsync, OpenBSD's own implementation of the rsync file synchronization utility, has been added to the base system;
  • The OpenSMTPD mail server has been updated: a new "from rdns" match criterion in smtpd.conf selects sessions based on reverse DNS resolution (looking up the host name by IP address), and table lookups can now use regular expressions;
  • The OpenSSH 8.0 package has been updated; a detailed overview of its improvements can be found here;
  • The LibreSSL package has been updated; a detailed overview of its improvements can be found in the 2.9.0 and 2.9.1 release announcements;
  • mandoc's HTML output has been greatly improved, table rendering has been improved, and an "-O" flag has been added to open a page at the definition of a given term;
  • Improvements to the Xenocara graphics stack: the X server no longer needs to be installed setuid to run. The radeonsi Mesa driver has hardware acceleration enabled for Southern Islands (Radeon HD 7000) and Sea Islands (Radeon HD 8000) GPUs;
  • C++ ports for architectures not supported by Clang are now built with GCC from ports. The number of ports is 10602 for amd64, 9654 for aarch64 and 10535 for i386. Notable applications in the ports collection include:
    • Asterisk 16.2.1
    • Audacity 2.3.1
    • CMake 3.10.2
    • Chromium 73.0.3683.86
    • ffmpeg 4.1.3
    • GCC 4.9.4 and 8.3.0
    • GNOME 3.30.2.1
    • Go 1.12.1
    • JDK 8u202 and 11.0.2+9-3
    • LLVM/Clang 7.0.1
    • LibreOffice 6.2.2.2
    • Lua 5.1.5, 5.2.4 and 5.3.5
    • MariaDB 10.0.38
    • Mono 5.18.1.0
    • Mozilla Firefox 66.0.2 and ESR 60.6.1
    • Mozilla Thunderbird 60.6.1
    • Node.js 10.15.0
    • OpenLDAP 2.3.43 and 2.4.47
    • PHP 7.1.28, 7.2.17 and 7.3.4
    • Postfix 3.3.3 and 3.4.20190106
    • PostgreSQL 11.2
    • Python 2.7.16 and 3.6.8
    • R 3.5.3
    • Ruby 2.4.6, 2.5.5 and 2.6.2
    • Rust 1.33.0
    • Sendmail 8.16.0.41
    • SQLite3 3.27.2
    • Suricata 4.1.3
    • Tcl/Tk 8.5.19 and 8.6.8
    • TeX Live 2018
    • Vim 8.1.1048 and Neovim 0.3.4
    • Xfce 4.12
  • Third party components included with OpenBSD 6.5:
    • Xenocara graphics stack based on X.Org server 1.19.7 with patches, freetype 2.9.1, fontconfig 2.12.4, Mesa 18.3.5, xterm 344, xkeyboard-config 2.20;
    • LLVM/Clang 7.0.1 (with patches)
    • GCC 4.2.1 (with patches) and 3.3.6 (with patches)
    • Perl 5.28.1 (with patches)
    • NSD 4.1.27
    • Unbound 1.9.1
    • Ncurses 5.7
    • Binutils 2.17 (with patches)
    • Gdb 6.3 (with patches)
    • Awk Aug 10, 2011
    • Expat 2.2.6

Source: opennet.ru
