17 May 2013

OpenBSD Errata :: 003 RELIABILITY

A problem exists in nginx(8) if proxy_pass is used with untrusted HTTP backend servers. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server. This issue was assigned CVE-2013-2070.

OpenBSD Errata :: 004 RELIABILITY

As discovered by Peter Philipp, it is possible for an unprivileged user process to trigger deleting the undeletable RNF_ROOT route, resulting in a kernel panic.

15 May 2013

Undeadly :: Interview with William Allaire

Undeadly spoke with Bill Allaire, winner of the Absolute OpenBSD 2nd Edition auction started by author Michael W. Lucas and reported on by us last month. Bill ended up with the winning bid of $1,145.00 US. Read more...

10 May 2013

Undeadly :: Reduce gray-listing pain by seeding white-list with SPF records.

Longtime Undeadly contributor sean writes in with tips and tools for improving your spamd(8) experience:

I have been using gray-listing to thwart spamming for what feels like a very long time. I started using it around the release of OpenBSD 3.5. It was an amazing change from a constant storm of spam and just enabling it got rid of 80% of the spam almost immediately. That amazing improvement didn't come without a cost. Some mail services and servers don't work so well with it. Especially large mailing systems that pass around messages and don't necessarily guarantee the next delivery attempt will come from the same IP or network. Microsoft Exchange was also known to be 'usually' configured in such a way to not work with gray-listing as well.

Read more...

07 May 2013

Undeadly :: You've Installed It. Now What? -stable packages!

Jasper Lievisse Adriaanse writes in about his (and M:tier's) -stable packaging work:

Introduction

A short while ago an article was published here on Undeadly, which explained how to use the ports and packages framework. While it was a good read, it focused on -current.

This article will show how to keep your -stable system up to date, without building anything yourself!

Up to date packages....on -stable?

OpenBSD is continuously working on providing snapshots for all architectures and to provide the packages that go with it. Read more...

Frederic Bezies :: Quick and free odds and ends :)

While the next two days are public holidays (8 May and Pentecost Thursday), I'm taking the opportunity to post a quick, free odds-and-ends roundup, since I don't plan to post anything until Friday ;)

Enjoy the holidays and see you on Friday 10 May :)

By Frederic Bezies

05 May 2013

OpenBSD Errata :: 002 RELIABILITY

A flaw exists in the vr(4) driver that may cause it to not recover from some error conditions.

02 May 2013

Undeadly :: Introducing ports.su — ports-readmes mirror and ports search

Constantine Murenin writes in about his new ports database site, ports.su

Taking on espie's dated call on doing something cool with databases/sqlports port, and with his own initial work through databases/ports-readmes port, I've decided to fork ports-readmes, and create some very simple web-site to mirror the content generated.

Introducing http://ports.su/ .

The web-site is completely static, and all the pages get regenerated daily by downloading a fresh copy of the sqlports package from the snapshots, and running the forked ports-readmes.

Read more...

01 May 2013

Undeadly :: OpenBSD 5.3 Released!

May 1st 2013, Calgary, AB, CA and elsewhere:

The OpenBSD project today formally released OpenBSD 5.3, the project's 34th release on the steady six monthly release cycle.

Notable news in the present release includes a production-ready release of OpenSMTPD, a much-renovated dhclient(8), a slew of new drivers for various hardware, OpenSSH release 6.2 as well as numerous improvements in all parts of the system. The OpenBSD 5.3 release page has more information, with further details given at the changelog page.

The new release is available as an inexpensive CD set and as a free download from mirror sites in several countries worldwide.

Frederic Bezies :: Let's play around with OpenBSD 5.3… Office work with Xfce, anyone?

As it does every 6 months, OpenBSD is offering its new version. On this first of May, it is version 5.3 that welcomes the curious.

The official song of version 5.3, a big nod to Ridley Scott's masterpiece "Blade Runner", accompanies a version that offers some interesting little things, apart from new versions of the OpenSSH and OpenSSL technologies, among others:

  • Gnome 3.6.2
  • Xfce 4.10.2
  • Mozilla Firefox 3.6.28 and 18.0.2
  • Chromium 24.0.1312.68
  • Libreoffice 3.6.5
  • Mozilla Thunderbird 17.0.2

A fairly recent software collection, all things considered. So I fetched the AMD64 installation ISO with my beloved wget.

[fred@fredo-arch ISO à tester]$ wget -c http://ftp.fr.openbsd.org/pub/OpenBSD/5.3/amd64/install53.iso
–2013-05-01 15:02:04– http://ftp.fr.openbsd.org/pub/OpenBSD/5.3/amd64/install53.iso
Résolution de ftp.fr.openbsd.org (ftp.fr.openbsd.org)… 145.238.209.46
Connexion vers ftp.fr.openbsd.org (ftp.fr.openbsd.org)|145.238.209.46|:80…connecté.
requête HTTP transmise, en attente de la réponse…200 OK
Longueur: 238057472 (227M) [application/octet-stream]
Sauvegarde en : «install53.iso»

100%[======================================>] 238 057 472 1,05MB/s ds 2m 50s

2013-05-01 15:04:54 (1,34 MB/s) – «install53.iso» sauvegardé [238057472/238057472]

Unlike in last October's article, I replaced gnome 3.6.2 with Xfce 4.10.2.

The installer is still the same, a text-mode one that does its job, and that is just fine. I added network time support.

After booting, I logged in as root and added this to the .profile file using vi:

PKG_PATH=ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.3/packages/amd64/
export PKG_PATH

Installing Xfce is done with a simple: pkg_add -v xfce xfce-extras

For Xfce, I stayed within the lines by adding Midori in place of Mozilla Firefox and Claws Mail in place of Mozilla Thunderbird. Audio files? Exaile, of course ;)

Four or five times I had to answer a package choice prompt. I didn't overthink it, I kept the default option ;)

I took the opportunity to add cups. And to be safe, I added dbus_daemon and cupsd to the pkg_scripts line of the /etc/rc.conf file

Adding libreoffice? pkg_add -v libreoffice-i18n-fr

To switch the Xfce interface to French, you need to add this to the ~/.profile file:

LANG=fr_FR.UTF-8
MM_CHARSET=UTF-8
LC_ALL=fr_FR.UTF-8
LC_COLLATE=POSIX
export LANG MM_CHARSET LC_ALL LC_COLLATE

To handle graphical login, I chose slim, and added slim to the pkg_scripts line of the /etc/rc.conf file.

Before that, don't forget to put in the user's home directory a .xinitrc file containing: exec startxfce4

Apart from the interface being partly in Franglais, the whole thing is getting close to something really usable day to day for office use.

So much progress made over the past few years; soon we'll be able to do office work on a security-oriented OS like OpenBSD without any headaches ;)

By Frederic Bezies

Frederic Bezies :: Quick and more or less free odds and ends.

On this Labour Day, a small, more or less free odds-and-ends post.

By Frederic Bezies

29 April 2013

GCU OpenBSD :: “No really, I've got a friend on the inside”

Aaaah, how you'd love to show off with OpenSSH 6.2's AuthorizedKeysCommand and hook up any external program to supply public keys… but there you go, your fleet is riddled with Debian, and there's not even a trace of 6.2p1 in experimental.

But we are benevolent, so, after gaston went ahead as a scout and taunted me with his openssh-server_6.2p1-3_amd64.deb, I too went to war, and on top of that, I documented it for you.

Go on, fire up the builds.

By iMil

22 April 2013

Undeadly :: You've Installed It. Now What? Packages!

Once you've installed your OpenBSD system, packages are there to make your life easier. A works for me/life is good guide for your weekend reading.

Installing OpenBSD is easy, and takes you maybe 20 minutes. Most articles and guides you find out there will urge you to take a look at the files in /etc/ and explore the man pages to make the system do what you want. With a modern BSD, the base system is full featured enough that you can in fact get a lot done right away just by editing the relevant files and perhaps starting or restarting one or more services. If all you want to do is set up something like a gateway for your network with basic-to-advanced packet filtering, everything you need is already there in the basic install.

Then again, all the world is not a firewall, and it is likely you will want to use, for example, a web browser other than the venerable lynx or editing tools that are not vi or mg. That's where packages and package systems come in. I'll skip a little ahead of myself and make a confession: The machine I'm writing this piece on reports that it has some 381 packages installed.
Read more...

17 April 2013

Undeadly :: OpenBSD Foundation benefit Auction / Absolute OpenBSD 2nd Ed.

Author Michael Lucas has kindly donated a signed copy of the very first production copy of Absolute OpenBSD, 2nd Edition to an auction benefitting the OpenBSD Foundation:

OpenBSD Foundation benefit Auction:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200913454300

A special auction has been arranged with Michael Lucas and No Starch Press to raise funds for the OpenBSD Foundation. See the link above.

This will be an auction of the guaranteed first copy off the press of Michael Lucas's Absolute OpenBSD, 2nd edition, which is due before the end of this month. This copy will be personally signed by the author, and accompanied with a certificate of authenticity. A DRM free digital version will also be made available to the winner.

The auction is handled by Computer Shop of Calgary. 100% of the proceeds will be donated to the OpenBSD Foundation.

Auction says Credit Cards or PayPal is accepted, but I am sure we could arrange alternate methods. Hey, the OpenBSD crowd is clever enough to each have a stash of BitCoins, no? Cost you nothing, right? Just a tiny handful would do wonders!

Enjoy the fun!

Austin Hook

OpenBSD project leader Theo de Raadt added:

I would like to thank Michael for coming up with this idea.

For those who missed the fine print, this will go to the OpenBSD Foundation. The donations the Foundation receives go exclusively towards funding OpenBSD project costs.

This will join donations that fund approximately 90% of our hackathon costs (where much of our development happens), and around 90% of our network costs.

The other people who donate don't get an item like this (unless they are bidding against you and win).

This is the perfect chance to grab a unique piece of OpenBSD history, and support the project while you're at it.

Update: The auction is over, and has raised $1,145.00 US for the OpenBSD Foundation! Congratulations to the winning bidder, and another round of thanks to Michael Lucas for making this happen.

04 April 2013

Undeadly :: BXR.SU, OpenGrok service for BSDs in publicly private (IPv6-only) beta

Constantine A. Murenin writes in about his new BSD source code search engine:

Publicly private beta? Instead of devising a new scheme on handing out invitations for a new and improved OpenGrok for the BSDs, why not require IPv6 for the beta?

Welcome BXR.SU — Super User's BSD Cross Reference, which is launched 2013-04-01 as an IPv6-only OpenGrok service for FreeBSD, OpenBSD, NetBSD and DragonFly BSD.

Read more...

01 April 2013

Undeadly :: LOLCODE Scripting Added to OpenBSD Kernel

Given the need for constant feature implementation, and the difficulty normal users have altering their running kernels, the OpenBSD project, after nearly a year of testing and rejecting candidates, is proud to announce the selection of LOLCODE as the in-kernel scripting language.

Example code implementing a basic firewall function is found below:

KAN HAZ INTERNETZ?

BTW Filter packets based on source address
HOW DUZ I SOURCEFILTER YR MBUF

    I HAZ A IPHDR ITZ mtod(MBUF, (IPHDR *))

    IZ IPHDR->srcip "192.168.1.1"?
        YARLY
            BTW Have matched a blacklisted address; drop packet
            m_freem(MBUF)
        NOWAI
            BTW Just pass the packet
    KTHX

IF U SAY SO

One of the factors driving the adoption of LOLCODE was the unparalleled ability for writing interpreters for other languages, meaning that your options for kernel hacking are virtually limitless.

LOLCODE scripts are loaded/unloaded through the new lolctl(8) command, which accesses the new lol(4) device.

This should be currently available in snapshots; as always, widespread testing is key to a quality release!

20 March 2013

Undeadly :: KMS for Intel GPUs has landed in -current

Jonathan Gray (jsg@) just committed KMS support for inteldrm(4):
Significantly increase the wordlist for ddb hangman, and update our device independent DRM code and the Intel DRM code to be mostly in sync with Linux 3.8.3. Among other things this brings support for kernel modesetting and enables use of the rings on gen6+ Intel hardware. Based on some earlier work from matthieu@ with some hints from FreeBSD and with lots of help from kettenis@ (including a beautiful accelerated wscons framebuffer console!) Thanks to M:Tier and the OpenBSD Foundation for sponsoring this work.
Read more...

19 March 2013

Undeadly :: OpenSMTPD 5.3 released

At AsiaBSDCon, Eric Faurot (eric@) has announced the release of OpenSMTPD 5.3 which is the first stable and production-ready release of OpenSMTPD.

It will also be shipping with OpenBSD 5.3.

We would like to thank the OpenBSD/OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems. Read more...

Undeadly :: AsiaBSDCon 2013 wrap-up

AsiaBSDCon 2013 wrapped up on Sunday, and many of the attendees are traveling back to their home countries or extending their time with a holiday in the beautiful country of Japan.

There was a substantial OpenBSD presence at the conference, with 5 talks (including all talks in room 'B' on Sunday).

Read more...

17 March 2013

Undeadly :: OpenBSD 5.3 Pre-Orders Have Started

It's the sure sign of (Northern hemisphere) spring that we've all been waiting for:

Pre-orders of the upcoming OpenBSD 5.3 release are now accepted via the project's Orders page.
Read more...

GCU OpenBSD :: a new postmaster arises

gilles@ took up his finest pen (under threat) to produce this for us (as a zomg-world-exclusive):

Recently, a big pile of commits was made to OpenSMTPD in the OpenBSD repository. In the wake of that, a dedicated section appeared on the page summarizing the good things to expect from the next OpenBSD release.
This section began with: “New features: code is now considered stable and suitable for use in production. [...]”

It was during his talk “OpenSMTPD: we deliver” at AsiaBSDCon that Eric Faurot (eric@) announced the release of OpenSMTPD.
It is far from being the first stable release, but it is the first to be officially considered “production-ready”.
It is already available on the official site in OpenBSD and portable versions.
The OpenBSD version is the one that will ship in OpenBSD 5.3.

Editor's note: As a reminder, undeadly had already covered it in the past. Oh, and enjoy the pf-like config file syntax, as well as its buddy smtpctl for controlling it.

Sendmail had better watch out…

By gaston

15 March 2013

OpenBSD Errata :: 001 RELIABILITY

A rare condition during session startup may cause bgpd to replace an active session leading to unknown consequences. Bug found by inspection (we do not know how to reproduce it, consider that a challenge).

26 February 2013

Undeadly :: Donation Request: New xserve G4 for ports builds

Antoine Jacoutot (ajacoutot@) wrote to the misc@ mailing list outlining the project's need for another xserve G4 for macppc builds:

We are looking for a second xserve G4 for the OpenBSD ports building infrastructure. Currently, only one machine is doing all the work and a bulk can last up to 1 month which makes it very hard to stay in sync with snapshots. We are also low on RAM on this machine (only 512M) which makes the build even longer and prevents building some ports.
If anyone could donate and ship such a machine and/or compliant RAM (1G would be nice), please contact me. The machine will be hosted in Alberta, Canada.
Thank you

If any of our readers can help, please contact Antoine with any offers of appropriate hardware you may have lying around.

Editor's note: Specific developers and various parts of the project tend to make their hardware needs known via the Hardware Wanted page. And if you know of hardware that might be useful (also items that are not specifically listed on that page), please follow the instructions on that page for contacting the donations coordinator.

21 February 2013

Undeadly :: BSDCan 2013 Program Announced

The BSDCan 2013 program has been announced, with a nice sampling of OpenBSD related talks.

Read on for further details, registration is expected to open soon.

Read more...

10 February 2013

Undeadly :: Love the new dhclient changes - and so I was inspired...

Bob Beck (beck@) writes in with news of the refreshed dhclient(8):

This is a fan letter for my fellow developer Ken Westerback (krw@). Ken is currently partway through the thankless job of modernizing dhclient - it's already much better, and I think it will be really good for 5.3 and will probably take on new life afterwards with more improvements.

If you're like me, and run around with an OpenBSD laptop, dhclient has been the bane of my existence.
Read more...

06 February 2013

Undeadly :: AsiaBSDCon 2013: Strong set of OpenBSD talks

The AsiaBSDCon 2013 timetable has been released. The program shows a fairly strong OpenBSD component.

The conference takes place in Tokyo, Japan on 14-17 March, 2013. Read on for details, registration will be opening soon. Read more...

05 February 2013

Undeadly :: n2k13 update: Paul Irofti Talks Loongson and ACPI

Paul Irofti (pirofti@) tells us about the work he did at n2k13:
The n2k13 hackathon was mainly a Loongson hackathon for me. My main goal was to add CPU throttling support. A few things related to clocks needed to be implemented before being able to deal with the actual CPU scaling bits.
Read more...

04 February 2013

Undeadly :: Absolute OpenBSD, 2nd Edition is available for pre-order

Several correspondents wrote in to alert us to the fact that a new, improved OpenBSD book is soon to be released:

No Starch Press is now accepting pre-orders for Absolute OpenBSD 2nd edition by Michael W. Lucas. A discount is available if you use the promo code from Michael's Blog.

The book is listed with an April 2013 release date, and it will be up to date with the upcoming OpenBSD 5.3 release.

01 February 2013

Undeadly :: 5.3 -beta tagged, it's snapshots testing time again!

At Thu, 31 Jan 2013 16:30:40 MST, Miod Vallat (miod@) changed the -current version string to 5.3-beta:

CVSROOT:	/cvs
Module name:	src
Changes by:	miod@cvs.openbsd.org	2013/01/31 16:30:40

Modified files:
	etc/root       : root.mail 
	share/mk       : sys.mk 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	sys/conf       : GENERIC newvers.sh 
	sys/sys        : param.h 

Log message:
welcome to 5.3-BETA
Read more...

Undeadly :: OpenBSD at FOSDEM 2013

This weekend Feb 2-3 at the picturesque ULB Campus Solbosch in Brussels, Belgium, the annual FOSDEM conference will be held.

OpenBSD developers Mike Belopuhov (mikeb@) will give a talk about IPsec improvements in OpenBSD and Matthieu Herrb (matthieu@) will give a talk about X.Org on non-Linux systems.

Undeadly :: n2k13 update: Hardware VLAN tagging/stripping and performance enhancements for vr(4)

Darren Tucker (dtucker@) writes in with a n2k13 hackathon report with details on his vr(4) driver work:

I intended to start the hackathon by finishing off a diff to add hardware VLAN tagging/stripping support for VT6105M chips in vr(4) then moving on to something else. Although I'm not a kernel or hardware hacker, I already had some mostly working code, the data sheet and a test device. How long could this take?
Read more...

31 January 2013

Undeadly :: Back from n2k13 new zealand.

The first report from n2k13 in New Zealand comes from Bob Beck (beck@):

Having now returned from n2k13 in New Zealand, I thought I'd share a little bit here. We had a very productive time in Dunedin at the University of Otago - where we were provided with some very nice accommodation and a great hacking room organized by Jim Cheetham (Thanks Jim!).
Read more...

30 January 2013

Undeadly :: OpenSMTPD: more features, more cleanup, more more

Gilles Chehade (gilles@) has written about the updates to OpenSMTPD that he, Eric Faurot (eric@), and Charles Longeau (chl@) have recently committed to OpenBSD. Read more...

28 January 2013

Undeadly :: WPA Enterprise mode for OpenBSD

After seeing discussions on misc@ about where wpa_supplicant would and would not work, Mark Kettenis (kettenis@) decided to take a look at wpa2-enterprise mode for wifi.

This is what he wrote:
Read more...

21 January 2013

Undeadly :: Hibernate on amd64

Mike Larkin (mlarkin@) writes to let us know that basic hibernation support is in the tree for amd64 machines. Read more...