OpenBSD 3.4 released..

novice's picture

I visited openbsd.org today and saw that version 3.4 is out.

Heh.. in 3.4, Mr. Pufferfish has turned into Robin Hood :)

See the homepage for details.. http://openbsd.org

What's New

This is a partial list of new features and systems included in OpenBSD 3.4. For a comprehensive list, see the changelog leading to 3.4.

* The i386 architecture has been switched to the ELF executable format.

* Further W^X improvements, including support for the i386 architecture. Native i386 binaries have their executable segments rearranged to support isolating code from data, and the cpu CS limit is used to impose a best effort limit on code execution.

* ld.so(1) on ELF platforms now loads libraries in a random order for greater resistance to attacks. The i386 architecture also maps libraries into somewhat randomized addresses. Together with W^X and ProPolice, these changes increase the difficulty of successfully exploiting an application error, such as a buffer overflow.

* A static bounds checker has been added to the compiler to perform basic checks on functions which accept buffers and sizes. The checker aims to find common mistakes in the use of library functions such as strlcpy(3) or sscanf(3) without emitting any false positives. Running it over the source and ports trees revealed over a hundred real bugs, which were fixed and submitted back to the original authors where possible.

* Privilege separation has been implemented for the syslogd(8) daemon, making it much more robust against future errors. The child which listens to network traffic now runs as a normal user and chroots itself, while the parent process tracks the state of the child and performs privileged operations on its behalf.

* Many unsafe string functions have been removed from the kernel and userland utilities. This audit is one of the most comprehensive OpenBSD has ever done, with thousands of occurrences of strcpy(3), strcat(3), sprintf(3), and vsprintf(3) being replaced with safer, bounded alternatives such as strlcpy(3), strlcat(3), snprintf(3), vsnprintf(3), and asprintf(3).

* Many improvements to and bugs fixed in the ProPolice stack protector. Several other code generation bugs for RISC architectures fixed.

* ProPolice stack protection has been enabled in the kernel as well.

* Privilege separation has been implemented in the X server. The privileged child process is responsible for the operations that can't be done after the main process has switched to a non-privileged user. This greatly reduces the potential damage that could be caused by malicious X clients, in case of bugs in the X server.

* Emulation support for binary compatibility is now controlled via sysctl(8). Emulation is now disabled by default to limit exposure to malicious binaries, and can be enabled in sysctl.conf(5).

* Manual pages have been greatly cleaned up and improved.

* The ports tree now supports building programs under systrace(1), preventing the possibility of applications harming the system at compile-time via trojaned configuration scripts or otherwise.

* Symbol caching in ld.so(1) reduces the startup time of large applications.

* More license fixes, including the removal of the advertising clause for large parts of the source tree.

* Replacement of GNU diff(1), diff3(1), grep(1), egrep(1), fgrep(1), zgrep(1), zegrep(1), zfgrep(1), gzip(1), zcat(1), gunzip(1), gzcat(1), zcmp(1), zmore(1), zdiff(1), zforce(1), gzexe(1), and znew(1) commands with BSD licensed equivalents.

* Addition of read-only support for NTFS file systems.

* Reliability improvements to layered file systems, enabling NULLFS to work again.

* Import of growfs(8) utility, allowing expansion of existing file systems.

* Improvements to linux emulation enabling more applications to run.

* Significant improvements to the pthreads(3) library.

* Replace many static fd_set uses, to instead use poll(2) or dynamic allocation.

* ANSIfication and stricter prototypes for a large portion of the source tree.

* Legacy KerberosIV support has been removed, and the remaining KerberosV codebase has been restructured for easier management.

* Over 2400 ports, 2200 pre-built packages.

* A large number of bug fixes, changes, and optimizations to our packet filter pf(4) including:
o packet tagging (e.g. filter on tags added by bridge based on MAC address)
o stateful TCP normalization (prevent uptime calculation and NAT detection)
o passive OS detection (filter or redirect connections based on source OS)
o SYN proxy (protect servers against SYN flood attacks)
o adaptive state timeouts (prevent state table overflows under attack)

* Improved hardware support, including:
o Kauai ATA controllers (Apple ATA100 wdc) kauaiata(4) enabling support for Powerbook 12" and 17" models.
o Support for controlling LongRun registers on Transmeta CPUs.
o Many fixes to aac(4), ahc(4), osiop(4), and siop(4) SCSI drivers.
o New it(4), lm(4), and viaenv(4) hardware monitor drivers.
o New safe(4) driver for SafeNet crypto accelerators.
o New mtd(4) driver for Myson Technologies network cards.
o More ethernet cards supported by sk(4), wi(4), fxp(4), and dc(4).
o Massive overhaul and sync with NetBSD of the entire usb(4) support system.
o New and better support for various controllers in pciide(4), including experimental support for Serial ATA.
o New drivers to support mgx(4) and pninek(4) SPARC framebuffers. The vigra(4) driver also supports more models.
o pcmcia(4) support for Tadpole SPARCBooks and SPARCs with pcmcia-sbus bridges.
o Watchdog support for elansc(4) and geodesc(4) as used on Soekris boards.

* The system includes the following major components from outside suppliers:
o XFree86 4.3.0 (+ patches, and i386 contains 3.3.X servers also, thus providing support for all chipsets)
o Gcc 2.95.3 (+ patches)
o Perl 5.8.0 (+ patches)
o Apache 1.3.28, mod_ssl 2.8.15, DSO support (+ patches)
o OpenSSL 0.9.7b (+ patches)
o Groff 1.15
o Sendmail 8.12.9 (+ parse8.359.2.8 security patch)
o Bind 9.2.2 (+ patches)
o Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
o Sudo 1.6.7p5
o Ncurses 5.2
o Latest KAME IPv6
o Heimdal 0.6rc1 (+ patches)
o Arla-current
o OpenSSH 3.7.1 (now with GSSAPI support)

* Many improvements for security and reliability (look for the red print in the complete changelog).

* and much more.
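
The release notes above mention replacing strcpy(3), strcat(3) and sprintf(3) with bounded alternatives. The following is an added example, not code from the post or from OpenBSD, showing that change on a path join: the unbounded form beside a bounded form that treats truncation as an error. `bounded_copy` and `bounded_cat` are hypothetical local stand-ins written to follow strlcpy(3)/strlcat(3) return semantics, so the block also builds on a libc that lacks those functions.

```c
#include <stddef.h>
#include <string.h>

/* BEFORE: the pattern the audit removed. Nothing relates the input lengths
   to the size of dst, so a long name writes past the end of the buffer. */
void join_unbounded(char *dst, const char *dir, const char *name) {
    strcpy(dst, dir);
    strcat(dst, "/");
    strcat(dst, name);
}

/* Hypothetical stand-in with strlcpy(3) semantics: always NUL-terminates
   (when size > 0) and returns the length of src, not the bytes copied. */
static size_t bounded_copy(char *dst, const char *src, size_t size) {
    size_t len = strlen(src);
    if (size != 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Hypothetical stand-in with strlcat(3) semantics: returns the length the
   full concatenation would have had, so ">= size" means truncation. */
static size_t bounded_cat(char *dst, const char *src, size_t size) {
    size_t used = 0;
    while (used < size && dst[used] != '\0')   /* never scan past the buffer */
        used++;
    if (used == size)
        return size + strlen(src);
    return used + bounded_copy(dst + used, src, size - used);
}

/* AFTER: every step is bounded, and truncation is an error, not a result.
   Returns 0 on success, -1 if "dir/name" does not fit in size bytes. */
int join_bounded(char *dst, size_t size, const char *dir, const char *name) {
    if (bounded_copy(dst, dir, size) >= size ||
        bounded_cat(dst, "/", size) >= size ||
        bounded_cat(dst, name, size) >= size) {
        if (size != 0)
            dst[0] = '\0';                     /* do not hand back a partial path */
        return -1;
    }
    return 0;
}
```

Checking the return value is the part that matters: a silently truncated path can name a different file than the caller intended.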

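maddie's picture

OpenBSD is an OS I'd like to try too, but...

Does this version have any Korean support? -_-

I installed it once and was completely thrown by the lack of Korean support...

The sorrow of the powerless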