3.7 is released!

From: Theo de Raadt (deraadt@cvs.openbsd.org)
Date: Thu May 19 2005 - 11:40:27 CDT


------------------------------------------------------------------------
May 19, 2005.

We are pleased to announce the official release of OpenBSD 3.7.
This is our 17th release on CD-ROM (and 18th via FTP). We remain
proud of OpenBSD's record of eight years with only a single remote
hole in the default install. As in our previous releases, 3.7
provides significant improvements, including new features, in nearly
all areas of the system:

- New platforms:
  o OpenBSD/zaurus
    Expanding the arm porting effort by supporting the
    Sharp Zaurus SL-C3000, bringing a secure ssh-capable machine
    to your pocket.
  o OpenBSD/sgi
    Starting out support with the SGI O2 machines.

- Support for a number of much faster 64-bit machines (in 32-bit
  mode) in the OpenBSD/hppa port.

- Many enhancements in the OpenBSD/mac68k port:
  o Switch to a bsd.rd-based install.
  o Improved interrupt system.
  o Create partitions with pdisk(8).
  o Add mc(4) support and enhance zsc(4) support.

- New tools:
  o ospfd(8), implementing the OSPFv2 routing protocol.
  o getcap(1), providing easy access to the capability database.

- New functionality:
  o Repaired mirroring mode in ccd(4).
  o Privilege separation for ftpd(8)
  o Bash-style prompt expansion and POSIX hex and octal constants
    in ksh(1).
  o Improved TCP send performance.
  o Reentrant getproto*_r(3) and getserv*_r(3) functions.
  o In-kernel pppoe(4) support.
  o pim(4) (Protocol Independent Multicast) support added.

- Improved hardware support, including:
  o New ath(4) driver for Atheros IEEE 802.11a/b/g wireless
    network adapters.
  o New iwi(4) driver for Intel PRO/Wireless 2200BG/2225BG/2915ABG
    IEEE 802.11a/b/g wireless network adapters.
  o New ipw(4) driver for Intel PRO/Wireless 2100 IEEE 802.11b
    wireless network adapters.
  o New atu(4) driver for Atmel AT76C50x USB IEEE 802.11b
    wireless network adapters.
  o New ral(4) and ural(4) [USB] drivers for Ralink Technology
    RT25x0 IEEE 802.11a/b/g wireless network adapters.
  o New rtw(4) driver for Realtek 8180 IEEE 802.11b wireless
    network adapters.
  o Added support to re(4) driver for Realtek 8169 CardBus
    Ethernet adapters.
  o New udav(4) driver for Davicom DM9601 USB Ethernet adapters.
  o New vge(4) driver for VIA Networking Technologies VT6122 PCI
    Gigabit Ethernet adapters.
  o New piixpm(4) driver for the Intel PIIX Power Management
    controller.
  o New ubt(4) driver for USB Bluetooth adapters.
 
- New functionality for bgpd(8), the Border Gateway Protocol Daemon:
  o Allow sessions to depend on a CARP interface's master/backup
    state, reducing failover times in redundant setups.
  o Lower latency for requests from other peers or bgpctl while
    under heavy load, e.g. initial table transfer when a session
    comes up.
  o Allow for the peer descriptions to be used in bgpctl commands
    where previously only their IPs were allowed.
  o Allow bgpd to not prepend its own AS number and to not modify
    the nexthop on updates sent out.
  o Show associated interfaces and their state on "show nexthop",
    to help pointing out why nexthops are invalid.
  o Allow for relative metrics modification, i.e. "set localpref
    +20".

- New functionality for ntpd(8), the Network Time Protocol Daemon:
  o ntpd can now set the time immediately on startup itself,
    eliminating the need to run rdate -n beforehand.
  o Use median instead of average when collapsing all the peers'
    offsets into one, greatly improving resistance against
    falsetickers.
  o Calculate rootdelay, stratum, and precision properly; include
    these in replies sent out in server mode.
  o Many logging improvements: ntpd is now almost completely
    silent in normal operation (unless in debug mode, of course).

- New functionality and improvements for pf(4), the packet filter:
  o Improved carp(4), new carpdev mode for IP-less interfaces.
  o Support limiting TCP connections by establishment rate,
    automatically adding flooding IP addresses to tables and
    flushing states (max-src-conn-rate, overload <table>, flush
    global).
  o Improved functionality of tags (tag and tagged for
    translation rules, tagging of all packets matching state
    entries).
  o Improved diagnostics (error messages and additional counters
    from pfctl -si).
  o New keyword "set skip on" to skip filtering on arbitrary
    interfaces, like loopback.
  o Filtering on route(8) labels.
  o Several bugfixes improving stability.

- New functionality and improvements for isakmpd(8), the Internet
  Security Association and Key Management Daemon:
  o Allow the Address, Network, or Netmask values of the
    "IPsec-ID" to be specified with an interface name or the
    keyword "default" (in which case the address is selected
    based on the default route).
  o Improved NAT-T and DPD stability and interoperability.

- New functionality and improvements for spamd(8), the Spamd Spam
  Deferral Daemon:
  o Allow the addition of spamtrap addresses to the spamd
    database using spamdb(8). Spamd will automatically blacklist
    hosts that attempt to deliver mail to a spamtrap address
    while greylisted.

- New functionality and improvements for the package tools:
  o Major overhaul of the package format, simplifying common
    tasks like user creation.
  o In-place updates of packages with pkg_add -r.
  o Progress meters, which make installing big packages a more
    pleasant experience.
  o Reliable dependencies on shared libraries, including the base
    system.
  o Many performance improvements.

- Over 3000 ports, 2800 pre-built packages.

- Many improvements for security and reliability. Cleaner source
  code for ksh(1), httpd(8), and many more programs.

- As usual, many improvements in manual pages and other documentation.

- OpenSSH 4.1:
  o Local, remote and dynamic port forwards may be configured to
    listen on specific IP addresses.
  o sshd_config(5) now understands "GatewayPorts clientspecified"
    to allow client-specified listen addresses in remote port
    forwards. The existing behaviour for "yes" and "no" is
    maintained.
  o known_hosts files may be hashed to provide privacy if they
    are later disclosed.
  o ssh-keygen(1) has additional modes to generate and manage
    hashed known_hosts files.
  o Users will be warned of impending password and account expiry.
  o Corrupt keys in authorized_keys are now handled gracefully.
  o sftp(1) has speed improvements for "ls" and now uses libedit
    for command line editing and history.
  o sshd(8) will now log the source of connections denied by
    AllowUsers, DenyUsers, AllowGroups and DenyGroups.
  o sshd_config(5) now has an AddressFamily option to provide
    global control of IPv4 and IPv6 usage by sshd(8).
  o ssh(1)'s multiplex (ControlMaster) mode has been improved and
    now provides additional capabilities such as checking if the
    master is alive, obtaining its process ID and requesting that
    it shut down.

- OpenBSD/i386 and OpenBSD/macppc now use gcc 3.3.5.

- OpenBSD/amd64, OpenBSD/cats, OpenBSD/macppc, OpenBSD/hppa,
  OpenBSD/sgi, OpenBSD/sparc64 and OpenBSD/zaurus now use DWARF2
  (C++) exception handling.

- This release of OpenBSD includes the following major components from
  outside suppliers:
  o X.Org 6.8.2 (+ patches, and i386 contains XFree86 3.3.6 servers (+ patches)
    for legacy chipsets not supported by X.Org)
  o Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
  o Perl 5.8.6 (+ patches)
  o Apache 1.3.29, mod_ssl 2.8.16, DSO support (+ patches)
  o OpenSSL 0.9.7d (+ patches)
  o Groff 1.15
  o Sendmail 8.13.3, with libmilter
  o Bind 9.3.0 (+ patches)
  o Lynx 2.8.5rel.2 with HTTPS and IPv6 support (+ patches)
  o Sudo 1.6.8p6
  o Ncurses 5.2
  o Latest KAME IPv6
  o Heimdal 0.6rc1 (+ patches)
  o Arla 0.35.7
  o Binutils 2.15
  o Gdb 6.3

If you'd like to see a list of what has changed between OpenBSD 3.6
and 3.7, look at

        http://www.OpenBSD.org/plus37.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

        Over the last 6 months, the OpenBSD developers have put
significant effort into pressuring wireless chipset vendors to release
their chip firmware binaries under a license which allows for drivers
to be included in free operating systems. This effort is very
important to ensure that future hardware you buy can be used without
requiring a piece of software you don't own. Some vendors have already
responded very positively to this activism, meaning their chips are
now supportable by all free operating systems.

        The vendors we wish to thank the most for being open in this
regard are RALink and Realtek, and secondly ATmel and Zydas.

        OpenBSD 3.7 ships with many new wireless device drivers
because of our successful activism. With more of your help, we can
make our future releases even better in this regard. Every few years
some large vendors collude to try to lock the free systems out of a
technology. A decade ago it was ethernet. This time it was wireless.
Next, it will be RAID. Don't let them do that. Help us help your
hardware run.

        Participation from the user community in this effort is very
important for its success. Please get active! Visit the articles
starting at:

http://undeadly.org/cgi?action=article&sid=20041026185704
http://undeadly.org/cgi?action=article&sid=20041027193425
http://undeadly.org/cgi?action=article&sid=20041028234237

        You should send professional, articulate e-mails to the
contacts at the companies in question telling them why this issue is
important to you. Tell them that their products must be supportable by
free operating systems for you to consider buying them, and that
non-free licenses for firmware binaries mean you will be looking for a
different product.

We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.7 FTP/CD-ROM binaries and the actual 3.7
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible. Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

OpenBSD 3.7 is also available on CD-ROM. The 3-CD set costs $45USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers is also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an audio track, a song entitled
"The Wizard of OS". Lyrics for the song may be found at:

    http://www.OpenBSD.org/lyrics.html#37

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 3.7 CD-ROMs are bootable on the following five platforms:

  o i386
  o amd64
  o macppc
  o sparc
  o sparc64 (UltraSPARC)

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

or, for European orders:

        https://https.OpenBSD.org/cgi-bin/order.eu

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:

        https://https.OpenBSD.org/cgi-bin/order

and for Europe:

        https://https.OpenBSD.org/cgi-bin/order.eu

The OpenBSD 3.7 t-shirts are available now. The new shirt for 3.7 is
an update of the classic wireframe shirt featuring a really cool looking
(and nice feeling) wireframe blowfish mascot. We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/3.7/ftplist

   As of May 19, 2005, the following ftp mirror sites have the 3.7 release:

        ftp://ftp.kd85.com/pub/OpenBSD/3.7/ Austria
        ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/3.7/ Germany
        ftp://muk.kd85.com/pub/OpenBSD/3.7/ Netherlands
        ftp://ftp.stacken.kth.se/pub/OpenBSD/3.7/ Sweden
        ftp://ftp2.usa.openbsd.org/pub/OpenBSD/3.7/ New York City, NY, USA
        ftp://ftp3.usa.openbsd.org/pub/OpenBSD/3.7/ Boulder, CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.7/ Redwood City, CA, USA
        ftp://rt.fm/pub/OpenBSD/3.7/ Lake in the Hills, IL, USA

        The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/3.7/ Alberta, Canada
        
        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/3.7/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT    alpha/          mac68k/         sparc/
        Changelogs/     amd64/          macppc/         sparc64/
        HARDWARE        cats/           mvme68k/        src.tar.gz
        PACKAGES        ftplist         mvme88k/        sys.tar.gz
        PORTS           hp300/          packages/       tools/
        README          hppa/           ports.tar.gz    vax/
        SIZES           i386/           root.mail       zaurus/
        XF4.tar.gz      luna88k/        sgi/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README      - generic README
        HARDWARE    - list of hardware we support
        PORTS       - description of our "ports" tree
        PACKAGES    - description of pre-compiled packages
        root.mail   - a copy of root's mail at initial login.
                      (This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386. This is a list of what you will see:

        CKSUM           bsd.rd          etc37.tgz       misc37.tgz
        INSTALL.i386    cd37.iso        floppy37.fs     pxeboot
        INSTALL.linux   cdboot          floppyB37.fs    xbase37.tgz
        MD5             cdbr            floppyC37.fs    xetc37.tgz
        base37.tgz      cdemu37.iso     game37.tgz      xfont37.tgz
        bsd             cdrom37.fs      index.txt       xserv37.tgz
        bsd.mp          comp37.tgz      man37.tgz       xshare37.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or cd37.iso file. Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386. INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 3.7 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.
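
Added example, not part of the original announcement: a Python check of
the files fetched in steps 4 and 5 against the MD5 file listed in the
architecture directory. It assumes that file holds BSD md5(1)-style lines
("MD5 (name) = digest"); the function names and the sample data in demo()
are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# BSD md5(1) line: "MD5 (name) = <32 hex>"; a "/" in the name is rejected (no path escape).
LINE_RE = re.compile(r"^MD5 \(([^()/]+)\) = ([0-9a-fA-F]{32})$")

def parse_md5_list(text):
    """Return {filename: lowercase hex digest}; raise ValueError on a malformed line."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an MD5 digest line: {line!r}")
        digests[m.group(1)] = m.group(2).lower()
    return digests

def file_md5(path, chunk=1 << 16):
    """Hash in chunks so large sets such as base37.tgz need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(directory, md5_text, wanted):
    """Map each wanted filename to 'ok', 'MISMATCH', 'missing' or 'unlisted'."""
    listed = parse_md5_list(md5_text)
    report = {}
    for name in wanted:
        path = os.path.join(directory, name)
        if name not in listed:
            report[name] = "unlisted"   # no digest to compare against
        elif not os.path.isfile(path):
            report[name] = "missing"    # listed but never fetched
        elif file_md5(path) == listed[name]:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"   # damaged or altered: fetch again
    return report

def demo():
    """Constructed sample: tiny stand-in files, one damaged after the list was made."""
    contents = {"INSTALL.i386": b"install notes\n", "bsd.rd": b"ramdisk kernel",
                "base37.tgz": b"base set"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        md5_text = "".join(f"MD5 ({n}) = {hashlib.md5(c).hexdigest()}\n"
                           for n, c in contents.items())
        md5_text += "MD5 (comp37.tgz) = " + hashlib.md5(b"compiler set").hexdigest() + "\n"
        with open(os.path.join(d, "base37.tgz"), "ab") as f:  # simulate a bad transfer
            f.write(b"junk")
        wanted = ["INSTALL.i386", "bsd.rd", "base37.tgz", "comp37.tgz", "cd37.iso"]
        return verify_downloads(d, md5_text, wanted)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A digest list fetched from the same mirror as the files only detects
damaged or incomplete transfers; comparing it with the copy from a second
mirror or from the CD-ROM is what exposes a mirror serving altered files.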

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/3.7/tools
      directory to do so.

X.Org has been integrated more closely into the system. This release
contains X.Org 6.8.2. Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc. During installation, you can install
X.Org quite easily. Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by X.Org
or where X.Org support is buggy. Please read the /usr/X11R6/README file
for post-installation information.

The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.7 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

A large number of binary packages is provided. Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.7/PACKAGES) for more details.

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.7/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.7/ directory:

        XF4.tar.gz ports.tar.gz src.tar.gz sys.tar.gz

OpenBSD 3.7 includes artwork and CD artistic layout by Ty Semaka,
who also arranged an audio track on the OpenBSD 3.7 CD set. Ports
tree and package building by Peter Valchev, Nikolay Sturm and
Christian Weisgerber. System builds by Theo de Raadt and Kenji Aoyama.
X11 builds by Todd Fries. ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.7 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Campbell, Alex Feldman, Alexander Guy, Aleksander Piotrowski,
    Alexander Yurchenko, Andreas Gunnarsson, Angelos D. Keromytis,
    Anil Madhavapeddy, Artur Grabowski, Ben Lindstrom, Bjorn Sandell,
    Bob Beck, Brad Smith, Brandon Creighton, Brian Caswell,
    Brian Somers, Bruno Rohee, Camiel Dobbelaar, Can Erkin Acar,
    Cedric Berger, Chad Loder, Chris Cappuccio, Christian Weisgerber,
    Christopher Pascoe, Claudio Jeker, Constantine Sapuntzakis,
    Dale Rahn, Damien Bergamini, Damien Couderc, Damien Miller,
    Dan Harnett, Daniel Hartmeier, Darren Tucker, David B Terrell,
    David Gwynne, David Krause, David Lebel, David Leonard, Don Stewart,
    Dug Song, Eric Jackson, Esben Norby, Federico G. Schwindt,
    Greg Taleck, Grigoriy Orlov, Hakan Olsson, Hans Insulander,
    Hans-Joerg Hoexer, Heikki Korpela, Henning Brauer, Henric Jungheim,
    Hiroaki Etoh, Horacio Menezo Ganau, Hugh Graham, Ian Darwin,
    Jakob Schlyter, Jan-Uwe Finck, Jared J. Yanovich, Jason Ish,
    Jason McIntyre, Jason Peel, Jason Wright, Jean-Baptiste Marchand,
    Jean-Francois Brousseau, Jean-Jacques Bernard-Gundol, Jim Rees,
    Joel Knight, Jolan Luff, Jonathan Gray, Joris Vink, Jose Nazario,
    Joshua Stein, Jun-ichiro itojun Hagino, Kenji Aoyama, Kenjiro Cho,
    Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,
    Kurt Miller, Louis Bertrand, Magnus Holmberg, Marc Balmer,
    Marc Espie, Marc Matteo, Marco Peereboom, Marco Pfatschbacher,
    Marco S Hyman, Marcus Watts, Margarida Sequeira, Marius Eriksen,
    Mark Grimes, Mark Kettenis, Markus Friedl, Martin Reindl,
    Mathieu Sauve-Frankel, Mats O Jansson, Matt Behrens, Matt Smart,
    Matthew Jacob, Matthieu Herrb, Michael Coulter, Michael Shalayeff,
    Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin, Miod Vallat,
    Moritz Jodeit, Nathan Binkert, Niall O'Higgins, Nick Holland,
    Niels Provos, Niklas Hallqvist, Nikolay Sturm, Nils Nordman,
    Oleg Safiullin, Otto Moerbeek, Paul Janzen, Pedro Martelletto,
    Peter Galbavy, Peter Stromberg, Peter Valchev, Philipp Buehler,
    Reinhard J. Sammer, Reyk Floeter, Rich Cannings, Robert Nagy,
    Ryan Thomas McBride, Saad Kadhi, Shell Hin-lik Hung,
    Stephen Kirkham, Steve Murphree, Ted Unangst, Theo de Raadt,
    Thierry Deval, Thomas Nordin, Thorsten Lockert,
    Tobias Weingartner, Todd C. Miller, Todd T. Fries,
    Tom Cosgrove, Uwe Stuehler, Vincent Labrecque, Wilbern Cobb,
    Wim Vandeputte, Xavier Santolaria.