Release of OpenBSD 6.7

The release of OpenBSD 6.7, a free cross-platform UNIX-like operating system, has been published. The OpenBSD project was founded by Theo de Raadt in 1995 after a conflict with the NetBSD developers that ended with Theo being denied access to the NetBSD CVS repository. Theo de Raadt and a group of like-minded developers then created a new open operating system based on the NetBSD source tree, with portability (12 hardware platforms are supported), standardization, correct operation, proactive security and integrated cryptographic tools as the main development goals. The full installation ISO image of the OpenBSD 6.7 base system is 470 MB.

Besides the operating system itself, the OpenBSD project is known for components that have spread to other systems and have proven to be among the most secure and highest-quality solutions available. They include LibreSSL (a fork of OpenSSL), OpenSSH, the PF packet filter, the OpenBGPD and OpenOSPFD routing daemons, the OpenNTPD NTP server, the OpenSMTPD mail server, the tmux terminal multiplexer (similar to GNU screen), the identd daemon implementing the IDENT protocol, mandoc (a BSD-licensed alternative to the GNU groff package), CARP (Common Address Redundancy Protocol) for building fault-tolerant systems, the lightweight httpd web server and the openrsync file synchronization utility.

All improvements:

  • The FFS2 file system, which uses 64-bit time and block values, is enabled by default in new installations for almost all supported architectures instead of FFS (except landisk, luna88k, and sgi).
  • A new mechanism for validating system calls has been added, which further complicates the exploitation of vulnerabilities: a system call is allowed to proceed only if it is issued from previously registered memory regions. A new msyscall() system call is used to mark those regions and enable the protection.
  • The number of partitions that can be created on one disk has been increased from 7 to 15.
  • The cron option parsing code has been rewritten to support getopt-like syntax, such as combined flags ("-ns") and re-specifying the same flag. The "options" field in crontab has been renamed to "flags". A "-s" flag has been added to crontab so that only one instance of a job runs at a time. A "~" operator has been added to specify a random time value.
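As an added illustration that is not part of the original article, a constructed crontab fragment showing the new flags and the "~" operator described above; it assumes the OpenBSD 6.7 crontab(5) layout of time fields, then optional flags, then the command, and that "-n" suppresses the mail normally sent when a job succeeds (the program paths are placeholders):

```crontab
# Constructed example of OpenBSD 6.7 crontab(5) syntax (not from the article).
# Assumed field order: minute hour day-of-month month day-of-week [-flags] command
SHELL=/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin
MAILTO=root

# Before 6.7 a job like this ran at a fixed minute on every host, and any
# "only one copy at a time" guard had to be hand-rolled inside the job itself:
#
# 0 * * * * /usr/local/bin/sync-mirror
#
# With 6.7: "~" picks a random minute within the field's range, so a fleet of
# hosts does not hit the mirror at the same wall-clock minute; "-s" makes cron
# refuse to start a second instance while a slow run is still going (no
# overlapping runs on top of each other); "-n" (assumed) skips success mail.
~ * * * * -ns /usr/local/bin/sync-mirror

# The low~high form bounds the random value: a random minute between 5 and 25
# of a random hour between 1 and 4.
5~25 1~4 * * * -n /usr/local/bin/nightly-backup

# Flags may be combined or given separately; "-s -n" is equivalent to "-ns".
*/10 * * * * -s -n /usr/local/bin/check-queue
```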
  • The cwm window manager implements the ability to determine the window size as a percentage of the size of the primary window in a tiled layout.
  • The powerpc architecture has switched to Clang by default and now uses the architecture-independent mplock implementation.
  • apmd has improved support for automatic suspend and hibernation (-z/-Z): the daemon now reacts to battery-charge change messages sent by the power monitoring driver. The transition to sleep happens after a 60-second delay, giving the user time to intervene.
  • Added the $REQUEST_SCHEME configuration variable to the built-in HTTP server to preserve the original scheme (http or https) when redirecting, as well as a "strip" option that allows multiple chroots under /var/www for FastCGI servers.
  • The top utility now supports scrolling using the 9 and 0 keys.
  • A mechanism for freeing memory pages in reverse order has been introduced, which significantly improves efficiency when a large number of pages is freed at once.
  • The unbound DNS server has DNSSEC checking enabled by default.
  • The following system calls no longer require the global kernel lock: __thrsleep(2), __thrwakeup(2), close(2), closefrom(2), dup(2), dup2(2), dup3(2), flock(2), fcntl(2), kqueue(2), pipe(2), pipe2(2) and nanosleep(2), as well as the core part of ioctl(2).
  • Expanded hardware support. A new iwx driver has been added for Intel AX200 wireless chips, and the iwm driver has gained support for Intel 9260 and 9560 devices. The rge driver has been added for Realtek 8125 PCI Express 2.5Gb Ethernet controllers. Many new drivers have been added to improve arm64 and armv7 boards, including support for the Raspberry Pi 4 and improved support for the Raspberry Pi 2 and 3.
  • The sndio sound subsystem has been extended. The sioctl_open API and the sndioctl utility for controlling audio via sndiod have been added. /dev/mixer has been removed and all ports have been switched to sndio instead of the kernel mixer interface. sndiod makes use of hardware volume controls where available. For security, regular users are no longer permitted to access /dev/audio* and /dev/rmidi* directly.
  • The wireless stack no longer connects to any available Wi-Fi network that does not support encryption unless it is explicitly selected with "ifconfig join". A background scan of available networks is now started when "ifconfig scan" is run by the root user, and the cache of scan results has been enlarged. Added the "nwflag nomimo" flag, set via ifconfig, which avoids packet loss in 11n mode on devices with unconnected antenna connectors. Added active scanning support to the bwfm driver. Improved automatic switching between wireless networks by lowering the priority of networks that could not be joined.
  • A new pppac driver implementing the PPP Access Concentrator interface has been added to the network stack, and npppd.conf has been changed to use pppac instead of tun. When packet forwarding is disabled, a check has been added that the destination address of a received packet matches the address of the network interface. MobileIP support has been removed.
  • Non-root users are no longer permitted to use ioctl to change a network interface's address or to change the parameters of pppoe interfaces.
  • sysupgrade now runs fw_update to fetch firmware updates before rebooting into the upgrade.
  • The unveil system call, which restricts a process's file system access, has been improved. The number of base-system programs protected with unveil has grown to 82, now including vmstat, iostat and systat.
  • RSA-PSS support has been added to crypto(3).
  • DoT (DNS over TLS) support has been added to the unwind DNS resolver, along with an "unwindctl status memory" command.
  • The IPsec implementation has been significantly modernized. Added support for automatically moving traffic between rdomains during encryption and decryption to protect against side-channel attacks; iked can now change rdomain, and an 'rdomain' option has been added to iked.conf. The default level for iked and isakmpd is IPSEC_LEVEL_REQUIRE, which prevents processing of unencrypted packets that match a flow. The curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 algorithms have been added to the Diffie-Hellman group settings for the IKE SA. In iked, the default authentication method has been changed to digital signature authentication (RFC 7427). Added ESN settings to iked.conf. Added a "-p" option to select a non-standard UDP port number.
  • The capabilities of the tmux terminal multiplexer have been expanded and many new options have been added.
  • The OpenSMTPD mail server has been updated. The built-in filters gained a "bypass" keyword that skips further processing when the specified conditions match. The username of the current smtpd session can now be used in filters. In smtpd.conf, mail-from and rcpt-to can now be used in match parameters.
  • OpenSSH has been updated to version 8.2, which adds support for FIDO/U2F two-factor authentication tokens. A detailed overview of its improvements was published separately.
  • LibreSSL has been updated; its TLS 1.3 implementation, based on a new finite state machine and a new record-layer subsystem, is now complete. For now only the TLS 1.3 client side is enabled by default; the server side is planned to be enabled by default in a future release. Other changes are listed in the 3.1.0 and 3.1.1 release announcements.
  • The number of ports is 11268 for amd64, 10848 for aarch64 and 10715 for i386. Third-party components included in OpenBSD 6.7 have been updated:
    • Xenocara graphics stack based on X.Org 7.7 with xserver 1.20.8 + patches, freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 351, xkeyboard-config 2.20
    • LLVM/Clang 8.0.1 (with patches)
    • GCC 4.2.1 (with patches) and 3.3.6 (with patches)
    • Perl 5.30.2 (with patches)
    • NSD 4.2.4
    • Unbound 1.10.0
    • Ncurses 5.7
    • Binutils 2.17 (with patches)
    • Gdb 6.3 (with patches)
    • Awk (December 20, 2012 version)
    • Expat 2.2.8

    Source: opennet.ru