Release of OpenBSD 7.4

OpenBSD 7.4, a new release of the free UNIX-like operating system, has been published. The OpenBSD project was founded by Theo de Raadt in 1995 after a conflict with the NetBSD developers, who had revoked Theo's access to the NetBSD CVS repository. Theo de Raadt and a group of like-minded developers then created a new open operating system from the NetBSD source tree; its main development goals were portability (13 hardware platforms are supported), standards compliance, correctness, proactive security and integrated cryptographic tools. The full installation ISO image of the OpenBSD 7.4 base system is 630 MB.

Besides the operating system itself, the OpenBSD project is known for components that have spread to other systems and have proven to be among the most secure and highest-quality implementations available. Among them are LibreSSL (a fork of OpenSSL), OpenSSH, the PF packet filter, the OpenBGPD and OpenOSPFD routing daemons, the OpenNTPD NTP server, the OpenSMTPD mail server, the tmux terminal multiplexer (similar to GNU screen), an identd daemon implementing the IDENT protocol, mandoc (a BSD-licensed alternative to the GNU groff package), the CARP (Common Address Redundancy Protocol) protocol for building fault-tolerant systems, a lightweight HTTP server, and the openrsync file synchronization utility.

Main improvements:

  • For the amd64 and i386 architectures, components for updating the microcode of AMD processors have been added. New microcode versions are installed automatically once downloaded. The port ports/sysutils/firmware/amd has been prepared for distributing the binary microcode files, and the microcode is installed with the standard fw_update utility. Similar microcode update support for Intel processors was implemented in 2018 and shipped in the OpenBSD 6.3 release.
  • For the kernel and user space, the IBT (Indirect Branch Tracking, amd64) and BTI (Branch Target Identification, arm64) protection mechanisms are enabled to block control-flow hijacking by exploits that modify function pointers stored in memory (the protection does not allow such code to jump into the middle of a function).
  • On arm64 systems, Pointer Authentication is enabled to protect user space. It uses dedicated ARM64 instructions to verify return addresses against a signature (a pointer authentication code) stored in the otherwise unused upper bits of the pointer itself.
  • The settings of the system clang compiler, as well as of clang and gcc from the ports, have been changed to use the protection mechanisms above, which significantly strengthens all base applications and most applications from the ports against exploits that use return-oriented programming (ROP). With ROP, an attacker does not try to place their own code in memory but instead reuses fragments of machine code already present in loaded libraries that end with a return instruction (typically the tails of library functions). The exploit then amounts to chaining such fragments ("gadgets") together to obtain the desired behaviour.
  • Added a new system call, kqueue1, which differs from kqueue in accepting a flags argument. Currently kqueue1 supports only the O_CLOEXEC (close-on-exec) flag, which marks the returned descriptor to be closed automatically when the process calls exec(), so that a child process does not pass it on to the program it executes.
  • For the amd64 and i386 architectures, support for the dt pseudo-device has been implemented for dynamic tracing of the kernel and applications. The utrace system call has been added for inserting user-defined records into the ktrace log.
  • Fixes have been ported from FreeBSD to address undefined behavior when working with MS-DOS file systems.
  • The softdep mount option (soft dependencies, which defer and batch metadata writes) has been disabled.
  • Programs restricted with the unveil system call are now allowed to write core dumps to the current working directory.
  • On ARM64, the deep idle states available in Apple M1/M2 chips are used to save power and to implement suspend.
  • Added a workaround for the Zenbleed vulnerability in AMD processors.
  • Improved support for multiprocessor (SMP) systems: the arprequest() function, the processing of incoming ARP packets, and the neighbor discovery implementation in the IPv6 stack have been freed from the kernel lock.
  • The pfsync packet filter table synchronization interface has been rewritten to improve handling of locks and compatibility with future work on parallelization of the network stack.
  • The implementation of the drm (Direct Rendering Manager) framework is synchronized with the Linux kernel 6.1.55 (6.1.15 in the previous release). Improved performance on systems with Intel processors based on Alder Lake and Raptor Lake microarchitectures.
  • Improvements to the VMM hypervisor: vmd now uses a multi-process model for virtio block and network devices; the virtio block device gained vectored I/O in zero-copy mode; guest access to AMD processor p-states has been restricted; and virtual machine owners may now override the boot kernel via vmctl.
  • Added a new header file, uchar.h, providing the char32_t and char16_t types and the c32rtomb(), mbrtoc32(), c16rtomb() and mbrtoc16() functions defined in the C11 standard.
  • Added the "D" malloc option for detecting memory leaks with ktrace ("MALLOC_OPTIONS=D ktrace -tu program") and kdump ("kdump -u malloc ...").
  • The make utility has added support for the ${.VARIABLES} variable to display the names of all set global variables.
  • Added the "-u" option to the kdump utility to select utrace records by the given label.
  • Added "--size-only" and "--ignore-times" options to the openrsync utility.
  • cron and crontab now support random offsets when a range of values is specified with a step, which avoids simultaneous requests to a shared resource from different machines that carry the same cron rules. For example, "0~59/30" or "~/30" in the minute field runs the command twice per hour at a randomly chosen offset.
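The random-offset syntax above, worked through in an added Python example (this is not cron's own code, which is written in C): expand_cron_field expands a crontab field as I read the 7.4 feature, drawing one random offset inside the first step-wide window for "A~B/S" and "~/S" and then repeating every S values; that reading, and the seed parameter that makes the draw reproducible, are assumptions of this example and not something the page states. peak_concurrency then simulates a fleet of hosts sharing one crontab line to show why the random offset matters for the simultaneous-request problem the item describes.

```python
import random


def expand_cron_field(spec: str, lo: int, hi: int, seed=None) -> list:
    """Expand one crontab time field into the sorted list of values it matches.

    Forms handled (and comma-separated lists of them):
      *       every value in [lo, hi]
      */S     every S-th value starting at lo
      N       a single value
      A-B     every value from A to B
      A-B/S   every S-th value from A to B
      A~B     one value drawn at random from [A, B]
      A~B/S   a random offset inside the first S-wide window, then every S-th value
      ~/S     the same over the whole field range (A and B default to lo and hi)

    The `seed` parameter is a test hook and an assumption of this example; cron
    itself draws the random value once, when the crontab file is parsed.
    """
    rng = random.Random(seed)
    values = set()
    for item in spec.split(","):
        step = None
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be positive: {step_text!r}")
        randomized = False
        if item == "*":
            a, b = lo, hi
        elif "~" in item:
            a_text, b_text = item.split("~", 1)
            a = int(a_text) if a_text else lo
            b = int(b_text) if b_text else hi
            randomized = True
        elif "-" in item:
            a_text, b_text = item.split("-", 1)
            a, b = int(a_text), int(b_text)
        else:
            a = b = int(item)
        if not lo <= a <= b <= hi:
            raise ValueError(f"{item!r} is not a valid range within {lo}..{hi}")
        if randomized and step is None:
            # Plain A~B: a single random value anywhere in the range.
            values.add(rng.randint(a, b))
            continue
        # With a step, draw the offset within the first window [a, a+step-1]
        # (clipped to b) and then repeat every `step` values up to b.
        start = rng.randint(a, min(a + step - 1, b)) if randomized else a
        values.update(range(start, b + 1, step or 1))
    return sorted(values)


def peak_concurrency(minute_spec: str, hosts: int, seed: int = 0) -> int:
    """Simulate `hosts` machines sharing the same minute field and return the
    largest number of them whose job fires in the same minute of the hour."""
    fleet = random.Random(seed)
    per_minute = [0] * 60
    for _ in range(hosts):
        for minute in expand_cron_field(minute_spec, 0, 59, seed=fleet.getrandbits(32)):
            per_minute[minute] += 1
    return max(per_minute)


if __name__ == "__main__":
    print("0-59/30 ->", expand_cron_field("0-59/30", 0, 59))
    print("0~59/30 ->", expand_cron_field("0~59/30", 0, 59))
    print("~/30    ->", expand_cron_field("~/30", 0, 59))
    # 1000 constructed hosts with "*/30" all hit the resource at minutes 0 and 30;
    # with "~/30" the same 1000 jobs are spread across each 30-minute window.
    print("peak, */30:", peak_concurrency("*/30", 1000))
    print("peak, ~/30:", peak_concurrency("~/30", 1000))
```

Running the script shows the fixed schedule producing a peak equal to the fleet size, while the random-offset schedule keeps the same two runs per hour per host but spreads the fleet over the window.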
  • The wsconsctl utility can now map two- and three-finger presses on a clickpad to buttons.
  • Added support for new hardware and included new drivers.
  • Improved installation on systems with armv7 and arm64 processors.
  • Added support for loading files from the EFI System Partition.
  • The installer's support for software RAID (softraid) has been improved: the root partition can now be placed on softraid on riscv64 and arm64 systems, softraid has been added to the powerpc64 ramdisk, and Guided Disk Encryption is available on arm64.
  • malloc now checks every block on the delayed-free list to detect writes into freed memory.
  • The shutdown command now requires the user to be a member of the "_shutdown" group, which separates the right to shut the system down from the right to read disk devices directly.
  • The patch utility is now restricted with the unveil system call to the current directory, the directory holding its temporary files, and the files named on the command line.
  • Added the sysctl net.inet6.icmp6.nd6_queued, which shows the number of packets waiting for an ND6 (IPv6 neighbor discovery, the counterpart of ARP) reply.
  • When setting an IPv6 address on a network interface, an announcement is sent to neighboring routers using a multicast address.
  • Added initial support for TSO (TCP Segmentation Offload) and LRO (TCP Large Receive Offload) for segment processing and packet aggregation on the NIC side.
  • Retrieving pf packet filter rules from the kernel with the pfctl utility has been sped up. Processing of the "keep state" and "nat-to" actions has been enabled for error messages returned via ICMP.
  • Disabled calculation of IP, TCP and UDP checksums for loopback interfaces.
  • Added initial support for route-based IPsec VPNs.
  • Flowspec support has been added to bgpd (RFC 5575; currently only advertising flowspec rules is supported). The ASPA (Autonomous System Provider Authorization) implementation has been brought into line with the draft-ietf-sidrops-aspa-verification-16 and draft-ietf-sidrops-aspa-profile-16 specifications and converted to use AFI (Address Family Identifier) independent lookup tables.
  • The performance of rpki-client has been increased by 30-50%. Added support for gzip and deflate compression.
  • The LibreSSL and OpenSSH packages have been updated; for details, see the reviews of LibreSSL 3.8.0, OpenSSH 9.4 and OpenSSH 9.5.
  • The number of ports is 11845 for amd64 (up from 11764), 11508 for aarch64 (down from 11561) and 10603 for i386 (up from 10572). Application versions in the ports include:
    • Asterisk 16.30.1, 18.19.0b, 20.4.0
    • Audacity 3.3.3
    • CMake 3.27.5
    • Chromium 117.0.5938.149
    • Emacs 29.1
    • ffmpeg 4.4.4
    • GCC 8.4.0 and 11.2.0
    • GHC 9.2.7
    • GNOME 44
    • Go 1.21.1
    • JDK 8u382, 11.0.20 and 17.0.8
    • KDE Applications 23.08.0
    • KDE Framework 5.110.0
    • Krita 5.1.5
    • LLVM/Clang 13.0.0 and 16.0.6
    • LibreOffice 7.6.2.1
    • Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
    • MariaDB 10.9.6
    • Mono 6.12.0.199
    • Mozilla Firefox 118.0.1 and ESR 115.3.1
    • Mozilla Thunderbird 115.3.1
    • Mutt 2.2.12 and NeoMutt 20230517
    • Node.js 18.18.0
    • OpenLDAP 2.6.6
    • PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
    • Postfix 3.7.3
    • PostgreSQL 15.4
    • Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
    • Qt 5.15.10 and 6.5.2
    • R 4.2.3
    • Ruby 3.0.6, 3.1.4 and 3.2.2
    • Rust 1.72.1
    • SQLite 3.42.0
    • Shotcut 23.07.29
    • Sudo 1.9.14.2
    • Suricata 6.0.12
    • Tcl/Tk 8.5.19 and 8.6.13
    • TeX Live 2022
    • Vim 9.0.1897 and Neovim 0.9.1
    • Xfce 4.18
  • Third-party components included in the release have been updated to:
    • Xenocara graphics stack based on X.Org 7.7 with xserver 21.1.8 + patches, freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378, xkeyboard-config 2.20, fonttosfnt 1.2.2.
    • LLVM/Clang 13.0.0 (+ patches)
    • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    • Perl 5.36.1 (+ patches)
    • NSD 4.7.0
    • Unbound 1.18
    • Ncurses 5.7
    • Binutils 2.17 (+ patches)
    • Gdb 6.3 (+ patch)
    • Awk (12 September 2023 version)
    • Expat 2.5.0.

Source: opennet.ru