29 June 2015

Puffy

Undeadly :: Call for Testing: Valgrind on OpenBSD

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Maseo Uebayashi (uebayasi@) has given us a call for testing cleverly disguised as a quick how-to on using valgrind natively on OpenBSD:
  • Use the latest OpenBSD/amd64 and devel/valgrind (valgrind-3.10.1p5).
  • Dynamically link your target program.
    • Valgrind overrides some functions (alloc, free, string, memory) in libc using $LD_PRELOAD.
  • Embed symbols (cc -g).
    • Otherwise Valgrind reports problems using symbols.
Read more...

28 June 2015

Puffy

Undeadly :: Handling Leap Seconds the OpenBSD Way

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Christian Weisberger (naddy@) let us all know what we need to do to prepare for the impending leap second:

As you may have heard, a leap second will be upon us at 23:59:60
UTC on June 30.

The sky will fall, civilization will end, and dinosaurs will roam
the earth again.  Well, maybe not.

Neither the OpenBSD kernel nor OpenNTPD handle leap seconds in any
way.  So what will happen?
Read more...

19 June 2015

Puffy

Undeadly :: BSDCan 2015 Videos Online

The videos of the recently-concluded BSDCan are coming online at record speed. The OpenBSD videos online are:

  • Ted Unangst, "signify: Securing OpenBSD From Us To You" (video)
  • Ray Percival, "Networking with OpenBSD in a virtualized environment" (video)
  • Reyk Flöter, "Introducing OpenBSD’s new httpd" (video, part1, part2)
  • Peter Hessler, "Using routing domains / routing tables in a production network" (video)

Undeadly :: BSDNow Episode 094: Builder's Insurance

On this week's episode of BSDNow, Marc Espie (espie@) talks about dpb, OpenBSD's distributed package builder, which runs the binary package builds in Theo's basement. He talks about why it came about, the security measures built in, and the minimalistic and works-out-of-the-box configuration, among other things.

The hosts also talk about their experiences at the recent BSDCan, and, ss usual, they have the roundup of the news, big and small, in the world of all things BSD.

[ Video | HD Video | MP3 Audio | OGG Audio | Torrent ]

12 June 2015

Puffy

Undeadly :: Call for Testing: audio(4)

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Alexandre Ratchov (ratchov@) posted a call for testing of a new audio(4) driver:

This is a replacement for the audio(4) driver. It implements a
minimal and complete subset of the audio abi. The main goal is to
simplify the semantics and the code itself. Less code, less bugs,
hopefuly easier development.

To test this diff, simply run your regular audio stuff and let us
know if you notice any difference. I'd suggest to keep a copy of
the old kernel in order to be able to compare easily.

In case you notice a regression, you could build the kernel with
the AUDIO_DEBUG option, reboot, trigger the bug and send the
resulting dmesg and any related information.

thanks!

-- Alexandre

As always, testing is essential to maintaining the quality of OpenBSD!

11 June 2015

Puffy

Undeadly :: LibreSSL 2.1.7 and 2.2.0 Released

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Brent Cook (bcook@) has announced the latest LibreSSL releases, which contain fixes for several CVEs:

We have released LibreSSL 2.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is the first from the OpenBSD 5.8 development tree and
features mainly on build system improvements and new OS support.

We have also released LibreSSL 2.1.7, which contains additional security
fixes.

Of special note is the upcoming removal of SSLv3:

Note: This will likely be the last 2.2.x release with support for SSLv3,
as it will be removed entirely from the main LibreSSL tree.

03 June 2015

Puffy

Undeadly :: Microsoft Announces Support for SSH

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Windows admins rejoice! Microsoft's PowerShell Team announced future support for SSH, specifically OpenSSH:

[T]he PowerShell team realized the best option will be for our team to adopt an industry proven solution while providing tight integration with Windows; a solution that Microsoft will deliver in Windows while working closely with subject matter experts across the planet to build it. Based on these goals, I’m pleased to announce that the PowerShell team will support and contribute to the OpenSSH community - Very excited to work with the OpenSSH community to deliver the PowerShell and Windows SSH solution!

A follow up question the reader might have is When and How will the SSH support be available? The team is in the early planning phase, and there’re not exact days yet. However the PowerShell team will provide details in the near future on availability dates.

Emphasis in the original. Wider adoption of secure technologies can only benefit the community. Hopefully that future is actually near, both for deployment and 'support and contribution'.

31 May 2015

Puffy

Maxime DERCHE :: "The Book of PF", version française

PF_Eyrolles_couverture.jpg

Ça y est, ma traduction de l'excellent The Book of PF de Peter N.M. Hansteen (blog) vient d'être publiée, chez Eyrolles, sous le titre Le Livre de Packet Filter (collection Cahiers de l'Admin) !

Ce livre, basé sur le célèbre didacticiel que l'auteur avait rédigé comme support de conférence, est l'un des très rares ouvrages (le seul en français) à couvrir ce filtre de paquets développé par Daniel Hartmeier pour OpenBSD, puis repris et intégré par FreeBSD et NetBSD. Il intéressera les professionnels (administrateurs système et/ou réseau, etc.) désireux d'apprendre à se servir de ce petit bijou qu'est PF, ou de se perfectionner dans sa maîtrise, ainsi que les amateurs de bidouille réseau qui y trouveront largement de quoi s'amuser quelques temps.

Comme son titre l'indique, ce livre ambitionne de servir de support à l'apprentissage et à la maitrise de tous les aspects de Packet Filter.

Une fois les présentations terminées (qu'est-ce que PF, pourquoi c'est pas disponible dans le monde GNU/Linux, etc.), on enchaîne sur un premier chapitre qui sert d'introduction, présentant les grandes lignes de l'histoire du développement de PF et expliquant les bases de la terminologie employée (NAT, IPv4/IPv6, différences entre filtre réseau et pare-feu, etc.).

On en arrive alors, au deuxième chapitre, à la configuration basique de PF, de son activation à l'écriture d'un tout premier jeu de règle pour une machine seule et autonome ; tout est détaillé pour OpenBSD, FreeBSD et NetBSD. L'auteur touche également deux mots à propos des statistiques que peut nous donner pfctl(8) si on lui demande gentiment.

Les choses sérieuses commencent au troisième chapitre : on commence par la gestion de la NAT, avec une mention spéciale pour la gestion du protocole FTP dans un réseau NATé (ftp-sesame, pftpx et bien entendu ftp-proxy), on continue par le debugging réseau (protocole ICMP pour le ping, traceroute, et la MTU path discovery), et on termine par l'explication de pourquoi les tables c'est bien. Notez qu'à chaque fois, les détails sont donnés pour les implémentations de PF d'OpenBSD, de FreeBSD et de NetBSD.

Le chapitre 4 est tout entier consacré aux réseaux sans-fil (Wi-Fi) : généralités d'usage, configuration d'une interface Wi-Fi côté client et côté routeur (avec le morceau de script /etc/pf.conf qui va bien), et on termine bien entendu par la spécialité locale : la création d'une passerelle authentifiante grâce à authpf.

Au cinquième chapitre, l'auteur termine son tour des fonctionnalités basiques de PF, que tout administrateur ou passionné se doit de maitriser pour utiliser PF dans une vraie configuration : mise en place d'une DMZ (avec ou sans NAT), filtrage de service (accessibilité depuis l'extérieur et/ou depuis le LAN), répartition de charge avec hoststated, utilisation des tags (étiquettes) pour clarifier le jeu de règles de filtrage. L'auteur ajoute à cela la mise en place d'un pare-feu ponté (décrite pour OpenBSD, FreeBSD et NetBSD), et une petite astuce pour gérer le fait que les adresses IPv4 non routables ne devraient jamais ni envoyer ni recevoir de trafic par Internet.

Au chapitre 6 (mon préféré), l'auteur traite ce qui est peut-être LE sujet par excellence quand on touche à OpenBSD : la défense pro-active. C'est ainsi qu'il (re-)donne l'astuce qui a fait la célébrité de son didacticiel en ligne : la gestion des attaques par force brute grâce à une liste noire et à quelques options (max-src-conn, max-src-conn-rate, overload, et flush global). Ensuite, l'auteur explique en détail la mise en place d'une stratégie antispam grâce à spamd ; au menu : liste noire, liste grise (greylisting), greytrapping, et utilisation des outils associés que sont spamdb et spamlogd. Que l'on me permette d'insister : ce chapitre constitue la seule vraie documentation sur spamd existant en français à l'heure actuelle, alors ne boudons pas notre plaisir...

Quant au septième chapitre, il conviendra aux plus barbus : ALTQ est détaillé sur une vingtaine de pages, et le couple CARP/pfsync sur une dizaine. Au vu du faible nombre de documentations existant en français sur ces sujets, les connaisseurs apprécieront...

Enfin, le chapitre 8 est consacré à la journalisation et aux statistiques (pflog, syslog, labels pour les règles, pftop, pfstat, pfflowd), et le neuvième et dernier chapitre donne une référence aux options utiles mais non couvertes dans le reste du livre, notamment la normalisation de trafic (scrub).

Vous trouverez en outre deux annexes, qui donnent respectivement des références documentaires et des remarques de l'auteur concernant la prise en charge du matériel.

A noter que l'intégralité du livre a été mis à jour pour être en concordance avec les dernières modifications survenues dans PF entre la sortie de la dernière version en date (OpenBSD 4.5) et celle qui sortira le 1er novembre prochain (OpenBSD 4.6), je pense notamment à scrub. Vous savez sur qui taper en cas de problème. ;-)

Vous l'aurez compris, cet ouvrage est une mine d'or pour qui cherche à apprendre à se servir de Packet Filter, que ce soit dans un cadre professionnel ou amateur.

Et si vous voulez voir un peu ce que cela donne concrètement, sachez que, suite à mon travail de traduction, j'ai décidé de réécrire totalement le script de configuration pf (/etc/pf.conf) que j'utilise pour mon réseau personnel, et j'y ai inclus un grand nombre d'astuces que l'on trouve dans le livre.

J'aimerais terminer en remerciant les éditions Eyrolles pour m'avoir fait confiance sur ce projet que j'ai mis plus d'un an à voir aboutir, Rodrigo Osorio pour avoir bien gentiment accepté de traduire le texte Explaining BSD de Greg Lehey afin que je ne sois pas obligé de faire pointer mes lecteurs vers un texte anglais :), et le canal IRC #OpenBSD.fr pour m'avoir bien aidé quand j'en avais besoin.

Et, enfin, juste pour vous mettre l'eau à la bouche, voici la traduction du fameux haïku PF que Jason Dixon a publié sur la liste de diffusion de PF, le 20 mai 2004, et qui conclut l'Avant-propos du livre :

Comparé à iptables, PF est comme ce haïku :

A breath of fresh air,                   Un souffle d'air frais,
floating on white rose petals,   Flottant sur de blancs pétales,
eating strawberries.                    En mangeant des fraises.

Et voilà que je m’emporte :

Hartmeier codes now,                       Hartmeier développe,
Henning knows not why it fails,          Henning ne comprend pas
fails only for n00b.             Pourquoi les nuls n’y arrivent pas.

Tables load my lists,                Des tables chargent mes listes,
tarpit for the asshole spammer,      Punition pour les spammers.
death to his mail store.                  Mort à leur commerce !

CARP due to Cisco,                          CARP vient de Cisco,
redundant blessed packets,             Paquets redondants bénis,
licensed free for me.                        Sous licence libre.

Par Maxime DERCHE

19 May 2015

Puffy

Undeadly :: Heads Up: spamd(8) PF Rule Change

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

With a recent commit, Reyk Flöter (reyk@) flipped the switch on spamd(8)'s pf interfacement:

hange spamd to use divert-to instead of rdr-to.

divert-to has many advantages over rdr-to for proxies.  For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.

Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to.  spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.

Those of you running spamd setups looking to upgrade need to double-check your pf configurations to make sure they still work the way you expect.

15 May 2015

Puffy

Undeadly :: OpenBSD 5.7 CD 2 Incorrectly Pressed

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

OpenBSD project leader Theo de Raadt (deraadt@) outlined some issues with the CD plant, which led to an incorrectly-finished CD 2, some of which were, unfortunately, shipped prior to the issue being found.

Sadly, CD2 of the OpenBSD 5.7 shipped in a broken fashion due to errors at the manufacturing plant. Two mistakes were made.

In the rush after the first error, this error was not caught in time. Many people have received (or will soon receive) their package with this broken disc. Orders which have not yet shipped are being held back... because...

A repaired disc is on the way from the plant.

This will be shipped out to everyone, and will be inserted into the orders not yet shipped.

Undeadly :: BSDNow Episode 089: Exclusive Disjunction

On this week's episode of BSDNow, the hosts interview Mike Larkin (mlarkin@) about how he got started in OpenBSD, his recent

and upcoming work on W^X, and how that fits into the OpenBSD exploit mitigation ecosystem.

As always, they also have all the news and reviews in the world of all things BSD.

[ Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube ]

08 May 2015

Puffy

Undeadly :: OpenBSD 5.7 Shipping, First Pre-orders Arriving

After a delay due to unfortunate production problems (the first such delay in 20 years), the OpenBSD Store announced that all pre-orders had been shipped.

And it seemed like only moments later that Raf Czlonka was the first to report on the misc@ mailing list that his pre-ordered OpenBSD 5.7 CD set had arrived.

Even if you hadn't preordered, you still have a chance to order your CD set and other swag by visting the OpenBSD Store. If you want to support the project financially in other ways, the Donations page is, as always, a good place to start.

05 May 2015

Puffy

Undeadly :: New disklabel(8) templates make for a more flexible autoinstall

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } In a this commit, a first in a series, Henning Brauer (henning@) made disk allocations during automatic installs much more flexible via the introduction of diskablel templates. The matching installer bits came along via this commit by Robert Peichaer (rpe@).

Quoting the updated disklabel(8) man page,

A template for the automatic allocation can be passed to disklabel using -T option.

But the more exciting news is the template format:

Read more...

30 April 2015

Puffy

Undeadly :: OpenBSD 5.7 Released

May 1st, 2015, Calgary, AB, CA and elsewhere:

OpenBSD 5.7 has been released. The brand new 5.7 subdirectory should now be available and filled up on all relevant mirrors for those of you who have yet to receive your CD orders.

The release announcement, posted on project mailing lists earlier today, and the release home page both mention some highlights of the new release, while the complete changelog for the release is available on the OpenBSD website.

While you are too late to be the first to preorder a shiny OpenBSD release CD set, you can order one of your own, as well as a very cool 5.7-release poster.

29 April 2015

Puffy

Undeadly :: OpenBSD has accepted projects from Google Summer of Code 2015

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } The OpenBSD page for Google Summer of Code 2015 has been updated with the list of accepted projects for this year.
Asynchronous USB Transfers From Userland
ARM SD/MMC Driver & Controller Driver In libsa For OpenBSD
Port HAMMER2 to OpenBSD
Implement KMS Driver For Cirrus Cards
Improving USB Userland Tools And ioctl(2)
Automating Module Porting
Many thanks to those that responded, and we wish the best of luck on all projects!

27 April 2015

Puffy

Undeadly :: EU study recommends OpenBSD

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } In this European Parliament study: “EU should finance key open source tools” pointed out to us by Paul Irofti (pirofti@), and especially at study 2, they come to the conclusion that:
"[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."
Read more...

22 April 2015

Puffy

Undeadly :: CfP extended for EuroBSDCon 2015

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Due to overwhelming response, the deadline for submitting talks to EuroBSDCon has been extended:

Since there was a huge rush of submissions just on the very last day, we have decided to give a second chance for all of you that didn’t quite finish your talk or tutorial proposal in time for the deadline.

The new date is set to May 22nd, but you don’t have to wait until the very last moment. Send in your suggestions right away. We think there still is room for some more topics related to *BSD left to present.

For those of you who already have sent in yours, we are very happy to see so many good submissions. Don’t hesitate to add another topic to your submissions if you haven’t run out of good ideas yet.

If you've been sitting on that paper, now's the time to ship it!

20 April 2015

Puffy

Undeadly :: p2k15 Hackathon Report: schwarze@ on USE_GROFF

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Ingo Schwarze (schwarze@) writes in with our fourth report from the p2k15 ports hackathon:

When groff was removed from the OpenBSD base system in October 2010, Marc Espie@ marked more than 3000 ports with the USE_GROFF bsd.port.mk(5) variable, meaning that their manuals were formatted with groff at port build time and the preformatted versions included in the package. Over time, as mandoc(1) matured and learnt to handle more and more syntax, the number of ports having USE_GROFF gradually decreased.
Read more...

15 April 2015

Puffy

Undeadly :: Solaris Admins: For A Glimpse Of Your Networking Future, Install OpenBSD

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Undeadly's very own Peter Hansteen has written up some PF-on-Solaris-related email chatter:

Roughly a week ago, on April 5th, 2015, parts of Oracle's roadmap for upcoming releases of their Solaris operating system was leaked in a message to the public OpenBSD tech developer mailing list. This is notable for several reasons, one is that Solaris, then owned and developed by (the now defunct) Sun Microsystems, was the original development platform for Darren Reed's IP Filter, more commonly known as IPF, which in turn was the software PF was designed to replace.

As they say, read the whole thing!

13 April 2015

Puffy

Undeadly :: p2k15 Hackathon Report: stsp@ on wifi and games

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Stefan Sperling (stsp@) writes in with our third report from the p2k15 ports hackathon:

I spent the week before hackathon reviving a lingering work-in-progress implementation of a wireless driver for RTL8188CE devices. These are essentially urtwn(4) devices on the PCI bus instead of USB. The driver started out as a copy of urtwn(4) which I'm gradually moving over to PCI. With help from uwe@ I could clear some roadblocks that had prevented progress and got the driver up to the point where the firmware loading process completed successfully.
Read more...

Undeadly :: p2k15 Hackathon Report: krw@ on GPT support

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Ken Westerback (krw@) writes in with our second report from the p2k15 ports hackathon:

Never has a hackathon accomplished so much in the presence of so many fire doors. It appears that the University of Exeter is fire door mad, with every door labelled a fire door that must always be closed or locked.
Read more...

12 April 2015

Puffy

Undeadly :: softraid(4) - RAID 5 Call for Testing

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Joel Sing (jsing@) has put out a call for testing for RAID 5 on softraid(4):

For those not following source-changes@, I have just re-enabled the RAID 5 discipline for softraid(4).

During the last two hackathons in Dunedin, the RAID 5 implementation was largely rewritten. As far as I am aware, the last missing part was the lack of ability to resume a partial rebuild, which has been fixed - it now needs further testing and usage so that any remaining issues can be found.

Read more...

10 April 2015

Puffy

Undeadly :: p2k15 Hackathon Report: landry@ on mozilla and more

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Landry Breuil (landry@) writes in with our first report from the p2k15 ports hackathon:

This was a short hackathon for once, so I took the opportunity to visit london on the way couchsurfing for two days, then enjoyed a quiet train trip to exeter through the nice countryside of devon...

Had quite a bit of fun being the first one on-site at the university building, since the people at the desk weren't aware at all that an event was organized in their place - didnt know hackathons were such secret things :)

Read more...

25 March 2015

Puffy

Undeadly :: OpenNTPD 5.7p4 released

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

The OpenNTPD team has announced the availability of OpenNTPD 5.7p4, which adds

support for using HTTPS time constraints to validate NTP responses, in turn made possible by the LibreSSL supplied libtls

plus a number of important bug fixes.

You'll find the full text of the announcement after the fold:

Read more...

24 March 2015

Puffy

Undeadly :: SSH Protocol 1 Now Disabled at Compile Time

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

As Damien Miller (djm@) announced on tech@, support for SSH version 1 is now no longer being included in OpenBSD SSH:

Hi,

I just committed a change to src/usr.bin/ssh/Makefile.inc to compile- time disable SSH protocol 1. This protocol is old, unsafe and really, really shouldn't be used at all any more.

If you have need of it, then you can re-enable it for yourself using the knob in Makefile.inc.

If you run into bugs related to this change, please tell openssh@openssh.com and we'll fix them quickly. We're deliberately doing this change early in the release cycle to flush out bugs and find out how many people are still using this terrible old protocol.

-d

Like the man says, report any bugs found! And this might be a good time to offer the hand of friendship and understanding to any and all vendors/packagers who still support v1 to join the rest of us in deprecating the lesser protocols.

18 March 2015

Puffy

Undeadly :: EuroBSDCon 2015 Call for Papers Is Out

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } The EuroBSDCon 2015 conference organizers have announced the Call for Papers for the upcoming conference in Stockholm, Sweden.

Go to https://2015.eurobsdcon.org/call-for-papers/ for details; the full text of the announcement also follows after the fold.

Read more...

Undeadly :: libXfont Errata

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Patches are now available to fix buffer overflows in libXfont. This issue affects 5.5, 5.6, and the forthcoming 5.7 release.

For more details, refer to the X.org advisory:
http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/

5.5 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/023_libxfont.patch.sig

5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/019_libxfont.patch.sig

Read more...

17 March 2015

Puffy

Undeadly :: LibreSSL 2.1.5 Released

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

The LibreSSL team has released LibreSSL 2.1.5, which the team characterizes as

relatively small, focused on bug fixes before 2.2.x development begins along-side OpenBSD 5.8.

In what could be a useful test of the LibreSSL project's code cleanup operation, the team notes that

This or earlier LibreSSL releases may also address issues that are to be revealed by The OpenSSL Project Team on the 19th of March, 2015.

The LibreSSL team is not typically apprised of OpenSSL-related security issues in advance. We will address any previously-unknown issues that are found to affect LibreSSL in future releases.

You can read the full announcement here, and it also follows in full after the fold.

UPDATE 2015-03-17 16:20 CET: Bob Beck (beck@) now reports that the OpenSSL project has communicated details of the still-embargoed OpenSSL vulnerabilities to LibreSSL core developers.

Read more...

15 March 2015

Puffy

Undeadly :: OpenBSD @ AsiaBSDCon: httpd, PIE, and more

Slides from the AsiaBSDCon 2015 presentations are expected to appear on the OpenBSD web site (specifically the Presentations and Papers) page.

The first presentation to appear there was Reyk Floeter's OpenBSD's new httpd (slides), also with a paper version.

Other developers have been quite punctual too, publishing their presentations soon after their sessions at the conference:

Peter Hessler: The results of using BGP for realtime import and export of spam whitelist/blacklist entries
Ted Unangst: Pruning and Polishing: Keeping OpenBSD Modern
Henning Brauer: OpenBSD sucks
Pascal Stumpf: Converting OpenBSD to PIE (slides) plus paper

And finally, the OpenBSD Update from the work in progress session, given by Henning Brauer.

13 March 2015

Puffy

Undeadly :: OpenBSD 5.7 Preorders Started

Yes, you read that right!

Preorders of the upcoming OpenBSD 5.7 release have been enabled at the OpenBSD Store (based in the UK, ships worldwide).

The OpenBSD 5.7 release page is filling out nicely as we speak, and you can look up further details of what you have in store come May 1st by taking a peek at the detailed changelog page.

Now don't just stand there! Go ahead, order a CD set (or a few), or if you'll be downloading anyway, donate!

Update: The first copy has already been sold, just a few moments after the initial commit and before the actual announcement to misc@ (both by deraadt@) went out.

12 March 2015

Puffy

Undeadly :: FreeType Patches Available

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; }

Patches for bugs in the FreeType library are available:

FreeType 2.5.5 contained more fixes for malformed font buffer overflows. Thanks to David Coppa for extracting the necessary patches from the Ubuntu package.

Patches are available for OpenBSD 5.5 and 5.6. The forthcoming 5.7 release already includes FreeType 2.5.5.

Read more...

Undeadly :: LibSSL Patch Available

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Patches for the recently-announced FREAK attack are now available:

When CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA) was announced, it was labeled "Severity: Low". Our assessment at the time was that export ciphers had already been removed prior to the release of 5.6, and that the fix was not worth backporting to 5.5.

Then CVE-2015-0204 was renamed the FREAK attack. Now it has a fancy name so you know it's important.

Unfortunately, our original assessment was not entirely correct. Some of the features exploited by FREAK were not deleted until after 5.6, although this was not known until testing tools became available. We've corrected libssl by backporting the necessary changes to 5.6.

Read more...

07 March 2015

Puffy

Undeadly :: s2k15 Hackathon Report: tedu@ on UVM SMP

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Our fourth report from the s2k15 hackathon comes from Ted Unangst:

Since s2k15 was, at least for some people, the SMP hackathon, I started my first project in that area. We currently have a few system calls that work without requiring the kernel lock because they only touch isolated parts of the data, but they aren't very exciting. getpid(), for example. I wanted to speed up a system call that may have some noticable results in a workload I use every day: compiling.

Read more...

05 March 2015

Puffy

Undeadly :: s2k15 Hackathon Report: Jonathan Gray on X Graphic Acceleration Improvements, afl fuzzer

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Our third report from the s2k15 hackathon comes from Jonathan Gray (jsg@):

During the recent s2k15 hackathon in Brisbane I made another attempt to get acceleration working on newer Southern Islands/Graphics Core Next Radeon parts. As there is no traditional EXA acceleration provided by the xf86-video-ati driver for these the only option is glamor. Glamor used to be an external library but is now distributed as part of the Xorg X server. It works by creating an EGL context and provides OpenGL based 2D acceleration.

Read more...

04 March 2015

Puffy

Undeadly :: LibreSSL 2.1.4

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } Brent Cook (bcook@) posted:
We have released LibreSSL 2.1.4, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.

This release adds a number of new security features, makes building privilege-separated programs simpler, and improves the libtls API.
Read more...

Undeadly :: Errata for X Server Infoleak

td>p,td>ul,td>blockquote,td>font {margin-left:0.5ex;} a:visited {color:#303030!important;} p {margin-top:1ex;margin-bottom:0;} blockquote>p:first-child {margin-top:0;} blockquote>p:last-child {margin-bottom:0;} blockquote { background-color:#e0e0e0; padding:0.5ex 0.5ex 0.5ex 0.5ex; margin:0 0 0 3ex !important; } p+ul,p>ul {margin:0.5ex 0 0 0;} pre {margin:0;} tt {background-color:#f0f0f0; padding:0px; font-weight:500;} .bqcode { background-color: #ffffff; border:1px solid #999; padding: 0px; padding-left: 1em; } As reported by Ted Unangst (tedu@) on tech:

Patches are now available to fix an information leak in the XkbSetGeometry request of X servers. For more information, see the X.org advisory.

Read more...

03 March 2015

Puffy

Undeadly :: Summer of Code 2015 Project Ideas Announced

The OpenBSD foundation has published its Project Ideas List for this year's Google-sponsored Summer of Code. If you're a student with an appropriate background, this could be your chance to take a stab at contributing to the OpenBSD code base, with OpenBSD developers as your mentors.

The Foundation and the OpenBSD project do not guarantee that SOC projects are accepted into the OpenBSD code base, but it's worth trying, isn't it?

Check out the list and see if there's something there you want to spend most of the summer hacking on.