After many years of being the default DNS server, BIND has been disabled in OpenBSD base:
This week the hosts set up SSL on nginx and feature an interview about the FreeBSD community and its use in the commercial server space, along with the week's BSD-world odds and ends.
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2014/08/21 11:00:34

Modified files:
	usr.sbin/syslogd: privsep.c syslogd.c

Log message:
Send and receive UDP syslog packets on the IPv6 socket.
OK henning@
Google EMEA Women in Tech Conference and Travel grants for female computer scientists
As part of Google's ongoing commitment to encourage women to excel in computing and technology, Google is pleased to offer Women in Tech Travel and Conference Grants to attend the EuroBSDcon 2014 conference.
Five grants are offered, which include:
- Free registration for the conference
- Up to 1000 EUR towards travel costs (to be paid after the conference)
Antoine Jacoutot (ajacoutot@) has just committed a tool for managing rc.conf.local(8), in order to make it simpler for automated management systems such as Puppet or Ansible to interface with the operating system configuration:
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2014/08/19 08:08:20

Added files:
	usr.sbin/rcctl : Makefile rcctl.8 rcctl.sh

Log message:
Introduce rcctl(8), a simple utility for maintaining rc.conf.local(8).

# rcctl
usage: rcctl enable|disable|status|action [service [flags [...]]]

Lots of man page improvement from the usual suspects (jmc@ and schwarze@)
not hooked up yet but committing now so work can continue in-tree
agreed by several
After more than seven months of active development including two hackathons, I have just released mandoc = mdocml 1.13.1 on <http://mdocml.bsd.lv/>.
Finally a hackathon where I did not have to spend 90% of my time under ports/x11/gnome \o/ (but of course, I had to cd into it anyway...). Besides some regular tweaks and updates in there, I worked on the gnome.port.mk MODULE to make it more generic and allow non-GNOME ports to benefit from some of its goodies (like xdg triggers and such) without ending up with unneeded build dependencies or things being only relevant to GNOME.
We have released LibreSSL 2.0.5, which should be arriving in the LibreSSL directory of an OpenBSD mirror near you. This version forward-ports security fixes from OpenSSL 1.0.1i, including fixes for the following CVEs:
- CVE-2014-3506
- CVE-2014-3508 (partially vulnerable)
LibreSSL 2.0.4 was not found vulnerable to the following CVEs:
- CVE-2014-5139
We welcome feedback and support from the community as we continue to work on LibreSSL. Thank you, Brent
With the g2k14 hackathon starting on Tuesday, I saw the commits and chatter from the hackathon. Sadly, my original plan was to stay at work mostly since I am out of vacation days for the year. Thursday morning, I saw that not only were a few more hackathon shirts being printed for attendees that wanted more, but also last-minute flights to Ljubljana were actually affordable. I nudged claudio@, who works at the desk next to me: "hey, want to go to the hackathon for the weekend?"
Christian Weisgerber wrote in with this report from g2k14:
I updated the gettext port, of course. What'd you think I'd do at a hackathon?
The most interesting thing I worked on at g2k14 started out with a question: Why exactly do we run the fake step as root? (Hint: FreeBSD's corresponding stage infrastructure does not.)
On this week's episode, the BSDNow crew gabs about the BSD tribe, continues the recursive Undeadly mentions, interviews LibreSSL portable maintainer Brent Cook (bcook@), and Bob Beck (beck@) writes in to let the hosts know about arc4random-related FreeBSD porting issues.
It's possible to misuse NAT to load balance outbound traffic across multiple internet connections from different service providers; see the Load Balance Outgoing Traffic section of the PF FAQ.
The shortfall of this configuration is that when it is implemented alongside unstable links, forwarding will continue to be attempted over the links which are down, causing issues such as long hangs for users behind the NAT while connections time out. To mitigate this, ifstated can be used to smooth things over.
Read the rest at geeklan.co.uk, Sevan's blog site.
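As an added illustration of the approach described above (this is example configuration, not taken from Sevan's post or the PF FAQ), the fragments below show a pf anchor that ifstated reloads as each uplink comes and goes. Interface names (em0 inside, em1/em2 uplinks), the gateway addresses 203.0.113.1 and 198.51.100.1, the LAN prefix and the anchor file paths are all assumed. Each probe pings the directly connected gateway so the test cannot be answered over the other link.

```conf
# /etc/pf.conf (excerpt, added example)
int_if  = "em0"
ext_if1 = "em1"
ext_if2 = "em2"
lan_net = "192.168.1.0/24"

match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)
pass in on $int_if from $lan_net to any
# route-to rules are loaded into this anchor by ifstated; last match wins,
# so the anchor sits after the plain pass rule.
anchor "lb"

# /etc/pf.lb-both (added example): spread new connections over both uplinks
int_if  = "em0"
lan_net = "192.168.1.0/24"
pass in on $int_if route-to { (em1 203.0.113.1), (em2 198.51.100.1) } round-robin from $lan_net to any

# /etc/pf.lb-em1 (added example): only the first uplink is usable
int_if  = "em0"
lan_net = "192.168.1.0/24"
pass in on $int_if route-to (em1 203.0.113.1) from $lan_net to any

# /etc/pf.lb-em2 (added example): only the second uplink is usable
int_if  = "em0"
lan_net = "192.168.1.0/24"
pass in on $int_if route-to (em2 198.51.100.1) from $lan_net to any

# /etc/ifstated.conf (added example)
init-state both

# An "every" test runs the command periodically; the condition is true
# when the command exits 0, i.e. when the gateway answered.
link1 = '( "ping -q -c 1 -w 1 203.0.113.1 > /dev/null" every 10 )'
link2 = '( "ping -q -c 1 -w 1 198.51.100.1 > /dev/null" every 10 )'

state both {
	init {
		run "pfctl -a lb -f /etc/pf.lb-both"
	}
	if ! $link1
		set-state em2only
	if ! $link2
		set-state em1only
}

state em1only {
	init {
		run "pfctl -a lb -f /etc/pf.lb-em1"
	}
	if $link1 && $link2
		set-state both
	if ! $link1
		set-state down
}

state em2only {
	init {
		run "pfctl -a lb -f /etc/pf.lb-em2"
	}
	if $link1 && $link2
		set-state both
	if ! $link2
		set-state down
}

state down {
	init {
		# No usable uplink: drop the route-to rules so traffic falls back
		# to the default route instead of being steered at a dead gateway.
		run "pfctl -a lb -F rules"
	}
	if $link1
		set-state em1only
	if $link2
		set-state em2only
}
```

Reloading the anchor only affects new connections: pf states that were already bound to the failed gateway keep their route-to target until they expire, which is the source of the hangs the post describes. Lowering the relevant state timeouts, or flushing the affected states from the `init` block, shortens that window at the cost of resetting those connections.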
I'm looking for a few people to test some additional radeondrm fixes from the recently released Linux 188.8.131.52: https://lkml.org/lkml/2014/7/25/621
In particular on newer asics with displayport/eDP as I can only test on r100/lvds at the moment.
Despite being in the same room as many other LibreSSL developers for the first time (since the beginning of LibreSSL at least), I didn't do too much work on that front. I did remove the compression feature (as made famous by the CRIME attack; not all protocols or deployments are vulnerable, but we're also aiming for a simpler feature set overall) and made a few other cleanups. While it's very helpful to be in the same room as other hackers to exchange ideas, having everyone pounding on the source at the same time is a little troublesome so I elected to stay out of the way.
The latest episode of BSDTalk involves our very own Ingo Schwarze (schwarze@):
bsdtalk243 - mandoc with Ingo Schwarze
Interview about mandoc with Ingo Schwarze. The project webpage describes mandoc as "a suite of tools compiling mdoc, the roff macro language of choice for BSD manual pages, and man, the predominant historical language for UNIX manuals."
Recorded at BSDCan 2014.
As is now a habit, I had made zero plans for this hackathon; I had some unfinished stuff lying around, and no real big task ahead. Firefox 31 betas were already working for me, and only needed actual testing.
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2014/07/22 11:37:16

Modified files:
	usr.sbin : Makefile
	etc : Makefile changelist rc.conf
Added files:
	etc/rc.d : httpd

Log message:
Enable httpd(8) in the builds to get more testing, feedback and improvements.
It is not "finished" but serves static files.
ok deraadt@
Undeadly was able to get a few minutes of time with Brent Cook (bcook@), who worked on the official LibreSSL port:
Undeadly: Tell us about yourself; who are you, and how did you get involved with the LibreSSL porting effort?
bcook@: My name is Brent Cook. I'm a generalist programmer by day, mostly working on low-level system stuff. I'm also a code performance junky, and I also play piano and saxophone, gigging occasionally around Austin, TX.
Matthieu Herrb (matthieu@), who is the mad Frenchman who maintains Xenocara, writes in to share his g2k14 experience:
My main projects (multitouch, dhcpv6) didn't make any progress as I was distracted into X sets tweaks at the request of a few other hackers.
We have released an update, LibreSSL 2.0.3 - which should be arriving in the LibreSSL directory of an OpenBSD mirror near you very soon. This release includes a number of portability fixes based on the feedback we have received from the community. It also includes some improvements to the fork detection support. As noted before, we welcome feedback from the broader community. Enjoy, -Bob
Having missed Ljubljana 1, I looked forward to Ljubljana 2 with great expectations. I was not disappointed! Mitja ran a great hackathon with a nice site and an excellent city around it.
I spent most of this hackathon looking at problems in wifi drivers.
I wasn't exactly sure in advance which problems I wanted to work on. So I packed a bunch of hardware, including several USB wifi adapters, (rsu(4), 2x run(4), rum(4), urtwn(4), zyd(4)), some miniPCIe cards (an unsupported cousin of urtwn(4) named Realtek 8188CE, unsupported athn(4) AR9485, bwi(4)), two laptops, and an access point. This left me with more than enough toys for a week.
I arrived in Ljubljana somewhat tired so I started the first day off with some light ping(8) and ping6(8) hacking. Some unifdef(1) application for #ifdef FEATURE_THAT_EXISTS_SINCE_FOREVER_BUT_MAYBE_WE_DONT_HAVE_IT and some cleanup by hand. The idea is to have ping(8) and ping6(8) be the same binary like traceroute(8) and traceroute6(8).
In the week right before the hackathon, I have done quite a bit of work cleaning up mandoc(1) warning and error messages. The goal is to provide more, more precise, and more readily understandable information to the user, in particular mentioning in the messages which section titles, macro names, and arguments each individual message is related to, and which workaround or fallback mandoc(1) has chosen, if any.
For me the hackathon started before arriving in Ljubljana. On my trip I noticed that there was something wrong with my ssh connections: some did not work. So I started debugging in Munich Airport and the result was a quick fix for a recent bug in ssh-add.
This hackathon started out for me with my usual routine of fixing some bugs in Puppet, adding more facts to Facter and digging into pkg-config.
One of the first things I did at g2k14 was import the Mesa update I've been working on for some time now. I've been tracking the Mesa git for a few months and submitting patches to reduce the amount of pain involved and given the local diff isn't too large anymore it seemed like a decent time to update. Shortly before the hackathon I ran into a problem getting Mesa to build on i386 however. It turns out there is an i386 only codepath that does a sysctl to check if SSE is enabled. This turned out to be a problem because sysctl.h pulls in uvm_extern.h which then pulls in a bunch of kernel headers including mutex.h which meant that Mesa's mtx_init() collided with the kernel's mtx_init(). Theo spent some time cleaning up the sysctl and uvm headers so they wouldn't include anywhere near as many definitions, and that work had already been committed when I arrived at the hackathon.
I came to the hackathon with a single goal: working on the driver for the USB host controller interface found on the octeon machines.
As unusual as it sounds for someone working with the OpenBSD project, I'm not primarily an OpenBSD user. I actually use a Mac and Linux equally, and even do fair amount of Windows development. Some might say my involvement was more of a survival of the fittest.
There are two kinds of hackathons.
Those where you pack your headphones, and don't use them. And those where you forget to pack them, and wish you hadn't.
As a veteran hackathon attendee, I packed my headphones, of course. And I was more than happy to keep them packed, as the pace of the hackathon was so hectic it was better to relax by talking to people than to relax by listening to music.
In the two weeks leading up to Slovenia I worked with Bob Beck on the replacement functions that would be needed to emulate getentropy(2). During the start of the hackathon there was a final bit of work to ensure Bob and Brent Cook were on their way with that.
My initial plan was to bring our base to a state where LLVM's libcpp could be compiled, giving us C++11 support. After I read up on the latest POSIX locale additions, other developers made it clear that more library version cranks will be necessary in order not to break ports. After the first diff was ready, I set up a base system build to check if it breaks. And then my life has changed...
I came to the hackathon with a short but heavy TODO list:
1. Finish KDE 4.13.2 and prepare 4.13.3 (official announce to be done Jul 15);
2. Import at least some stuff from semi-official openbsd-wip ports repository to official CVS;
3. Fix the long-standing issue with kded4 constantly eating CPU;
4. Continue hacking on Samba 4.x;
5. Enable ext2fs in RAMDISK_CD for amd64.
6. Put in CVS some stuff under ports/infrastructure/ I've developed for last months.
7. Put in CVS the man-pages-posix port.
First time in Slovenia. Took a few hours off to see the city, managing to escape the thunderstorms. Somewhat interesting mix; never seen that mixture of Eastern European, Southern European, and tourist places.
Our second g2k14 report comes from Henning Brauer (henning@), who writes:
g2k14 has been weird: I, for the most part, wrote IPv6 code. No, that doesn't mean I'd suddenly think inet6 is any good. But let's start from the beginning.
Bob Beck (beck@) was the first developer to submit a report from the just concluded g2k14 hackathon:
Well, this was certainly not the hackathon I would have predicted several months ago for me. Had you asked me in January what I'd be doing here it would have been wading into uvm, kernel lock, buffer cache, and other such things in the kernel.
Then LibreSSL happened.
Bob Beck (beck@) announced the second release of LibreSSL-portable:
We have released an update, LibreSSL 2.0.1. This release includes a number of portability fixes based on the initial feedback we have received from the community. This includes among other things two new configure options to set OPENSSLDIR and ENGINESDIR. We have removed a few hardcoded compiler options that were problematic on some systems as well as -Werror. We have also re-synced with the latest OpenBSD sources as a number of issues were fixed upstream. This release also includes pkg-config support. As noted before, we welcome feedback from the broader community. Enjoy, -Bob

Bob also writes:
Also starting with this release the directory includes SHA256 signatures which are signed using signify. The signify public key for libressl is:

untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
Bob Beck (beck@) announced the release of LibreSSL-portable:
The first release of LibreSSL portable has been released. LibreSSL can be found in the LibreSSL directory of your favorite OpenBSD mirror. http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors will soon. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD. This is intended as an initial release to allow the community to start using and providing feedback. We will be adding support for other platforms as time and resources permit. As always, donations (http://www.openbsdfoundation.org/donations.html) are appreciated to assist in our efforts. Enjoy, -Bob
The commit by Reyk Floeter (reyk@) has a CVS log message that reads:
Author Peter Hansteen comments, "It's good to see that the thing is still widely read and referenced. I'll keep working on that and the book for as long as it makes sense.", and continues, "But please do remember that I would have had nothing to write about without a vital OpenBSD project producing high quality stuff. Please remember to not just buy the book, but also donate to the project to help keep it running."
You heard the man, now go ahead, read and donate!
The vulnerability known as CVE-2014-3956 could allow local users to interfere with open SMTP connections, and it is strongly advised that any sendmail users out there patch their systems without undue delay.
ld.so has a very basic malloc. This diff changes it to use a (somewhat stripped) libc malloc with all the randomization and other goodness.
A bit late ourselves on a late announcement, but Theo de Raadt (deraadt@) and Bob Beck (beck@) will be giving a presentation in Calgary:
I'm sorry for the late public announcement...
Tomorrow (Tuesday) Bob Beck will be hurtling down the Highway from Edmonton to Calgary.
Then in the evening, he and I will present at the local Calgary Unix group meeting about recent changes in LibreSSL, OpenBSD, and how the OpenBSD Foundation fits into this.
Anyone in the area who is able to attend probably should.
An Anonymous Coward writes in to tell us about sightings of secrets-related privsep in the wild:
The developer known by the pseudonym insane coder, who authored the popular pro-LibreSSL review LibreSSL: The good and the bad, has presented a solution for preventing common coding mistakes resulting in another Heartbleed:
To protect against exploiting such bugs, one should ensure that buffer overflows do not have access to memory containing private data. The memory containing private keys and similar kinds of data should be protected, meaning nothing should be allowed to read from them, not even the web server itself.
He then talks about using memory protection and process separation to isolate a server's private keys from anything which can be exploited to send them over the network.
This technique has already been utilized in an stunnel-like server, and it remains to be seen when others will follow.
Thanks for the tip, Anonymous Coward!
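The memory-protection half of the idea above can be shown in a few dozen lines. The following is an added example, not code from the post or from the insane coder article: a secret is copied onto its own anonymous page which is kept PROT_NONE except for the short window in which a callback uses it, so a stray over-read from a neighbouring buffer (the Heartbleed pattern) faults instead of returning key bytes. The struct and function names, the XOR "checksum" standing in for a real signing operation, and the 4-byte secret are all constructed for the demonstration.

```c
/* Keep a secret on its own page that is unreadable except while in use.
 * Added example; not code from the post or from the insane coder article. */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct guarded_secret {
	unsigned char *page;	/* mmap'd page holding the secret, PROT_NONE at rest */
	size_t pagesz;
	size_t len;
};

/* Copy `len` bytes of `secret` onto a fresh anonymous page and lock it down.
 * Returns 0 on success, -1 on failure. */
int
guarded_secret_init(struct guarded_secret *g, const unsigned char *secret, size_t len)
{
	long pg = sysconf(_SC_PAGESIZE);
	if (pg <= 0 || len > (size_t)pg)
		return -1;
	g->page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (g->page == MAP_FAILED)
		return -1;
	g->pagesz = pg;
	g->len = len;
	memcpy(g->page, secret, len);
	/* From here on any read of the page, including an over-read that
	 * runs off a neighbouring buffer, faults instead of leaking bytes. */
	return mprotect(g->page, pg, PROT_NONE);
}

/* Run fn() with read access to the secret, then lock the page again.
 * Returns fn()'s result, or -1 if the page could not be unlocked. */
int
guarded_secret_use(struct guarded_secret *g,
    int (*fn)(const unsigned char *, size_t, void *), void *arg)
{
	int r;
	if (mprotect(g->page, g->pagesz, PROT_READ) == -1)
		return -1;
	r = fn(g->page, g->len, arg);
	mprotect(g->page, g->pagesz, PROT_NONE);
	return r;
}

/* Wipe and release the page. */
void
guarded_secret_free(struct guarded_secret *g)
{
	if (mprotect(g->page, g->pagesz, PROT_READ | PROT_WRITE) == 0)
		memset(g->page, 0, g->pagesz);
	munmap(g->page, g->pagesz);
	g->page = NULL;
}

/* Toy "key use": XOR every secret byte into a checksum. Stands in for the
 * signing or decryption a real server would do inside the protected window. */
static int
xor_checksum(const unsigned char *key, size_t len, void *arg)
{
	unsigned char acc = 0;
	size_t i;
	for (i = 0; i < len; i++)
		acc ^= key[i];
	*(unsigned char *)arg = acc;
	return 0;
}

/* Demo: install a constructed 4-byte secret and compute its checksum through
 * the guarded interface. Returns the checksum (0x0f for these bytes) or -1. */
int
demo_guarded_checksum(void)
{
	static const unsigned char secret[] = { 0x01, 0x02, 0x04, 0x08 }; /* constructed */
	struct guarded_secret g;
	unsigned char sum = 0;
	if (guarded_secret_init(&g, secret, sizeof(secret)) == -1)
		return -1;
	if (guarded_secret_use(&g, xor_checksum, &sum) == -1) {
		guarded_secret_free(&g);
		return -1;
	}
	guarded_secret_free(&g);
	return sum;
}
```

The page is unreadable only while no callback is running, so the window of exposure is the duration of the key operation itself; the article's stronger remedy, moving that operation into a separate process that the network-facing code can only talk to over a socket, closes even that window and is what the stunnel-like server mentioned above does.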
Check out the build details after the break.

X Font Service Protocol & Font metadata file handling issues in libXfont

CVE-2014-0209: integer overflow of allocations in font metadata file parsing
CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
CVE-2014-0211: integer overflows calculating memory needs for xfs replies

Please see the advisory for more information.
http://lists.x.org/archives/xorg-announce/2014-May/002431.html
I'll be doing a webcast on O'Reilly's community site called "Beyond Security: OpenBSD's Real Purpose." This will go out live on Tuesday, 27 May, 1PM EDT. I'll take questions at the end.
The talk will focus on OpenBSD as a pressure cooker to change the world. If only I had a really good example of this whole "pressure cooker" idea from, say, the last month or so, then the talk would feel really current and attract a lot of interest from the outside world.
If only, indeed!
Another BSDCan has come and gone, and for those of you who missed the fun, the OpenBSD presentations are now online:
BSDCan started for me with a long flight over from Europe. 9 hours before I collected one of my favourite souvenirs from a trip (the passport stamp), pop into Tim Hortons to grab a coffee (North American drip coffee is just that. Drip.) before running to bounce up to Ottawa.
There is also a lunchtime OpenBSD, libressl and stuff BOF session that may produce interesting results.
Recently, Ted Unangst (tedu@) committed a tweak for malloc(3) freelists:
CVSROOT: /cvs Module name: src Changes by: firstname.lastname@example.org 2014/05/12 13:02:20 Modified files: lib/libc/stdlib: malloc.c Log message: change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
These changes make it much harder for bugs which require the immediate recycling of freed memory, an example of which was famously unearthed during the heartbleed fallout, to go undiscovered.
Book of PF author and Undeadly editor Peter Hansteen asks the following question:
Does enforced password change at set intervals actually enhance security?
Given the increasing sophistication of password cracking techniques, and potentially insecure methods for two-factor authentication, what can administrators do to strike the balance between utility and security?
BSDNow Episode 36 is out, with the titular segment featuring RAID setups on both FreeBSD and OpenBSD.
It also features an overview of the April issue of BSDMag, an interview with FreeBSD developer David Chisnall, using FreeBSD in the cloud, a new episode of BSDTalk, and a weekly update from PCBSD.
Although much internet hand wringing has been performed in the service of "Won't someone think of the child^H^H^H^H^Hportability!", the OpenBSD devs are making changes in OpenBSD itself which will make the upcoming release of LibreSSL more easily portable to other operating systems:
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2014/05/08 15:43:49

Modified files:
	lib/libc/stdlib: Makefile.inc malloc.c
Added files:
	lib/libc/stdlib: reallocarray.c

Log message:
move reallocarray() to a separate file so that -portable applications
can avoid reinventing the wheel
ok guenther schwarze
reallocarray(3) was added to address issues found in the OpenSSL source, and now exists as a single, freely-licensed, easily-included file for any and all who require it to make LibreSSL work on their system, as long as that system isn't Irix running Visual C 1.5.2.
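The defect reallocarray(3) exists to prevent is an unchecked nmemb * size multiplication: once the product wraps, realloc() succeeds with a tiny buffer that the caller then indexes as if it were huge. The block below is an added example, a portable re-implementation of that overflow check rather than the OpenBSD libc source; the function names and the uint32_t array are constructed for the demonstration.

```c
/* Overflow-checked array allocation in the style of reallocarray(3).
 * Added example: a portable re-implementation of the check, not OpenBSD's
 * reallocarray.c. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What a naive caller computes: the product silently wraps modulo SIZE_MAX+1.
 * Returns the wrapped byte count so the effect can be observed. */
size_t
naive_byte_count(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Like realloc(ptr, nmemb * size), but fails with ENOMEM when the product
 * would overflow instead of returning a buffer far smaller than requested. */
void *
checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
	if (nmemb != 0 && size > SIZE_MAX / nmemb) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(ptr, nmemb * size);
}

/* Grow a uint32_t array to `want` elements in place. Returns 1 on success,
 * 0 on failure (the old array is left untouched and still owned by caller). */
int
grow_u32_array(uint32_t **arr, size_t want)
{
	void *p = checked_reallocarray(*arr, want, sizeof(uint32_t));
	if (p == NULL)
		return 0;
	*arr = p;
	return 1;
}

/* Demo returning 1 when the checks behave as expected, 0 otherwise. */
int
demo_reallocarray(void)
{
	size_t huge = SIZE_MAX / 2 + 1;	/* huge * sizeof(uint32_t) wraps to 0 */
	uint32_t *a = NULL;
	int ok = 1;

	/* A wrapped product would make realloc() hand back a 0-byte buffer
	 * that the caller then indexes as if it held `huge` elements. */
	if (naive_byte_count(huge, sizeof(uint32_t)) != 0)
		ok = 0;
	/* The checked version refuses the request outright. */
	if (grow_u32_array(&a, huge) != 0 || errno != ENOMEM)
		ok = 0;
	/* A sane request still works, and all 16 elements really exist. */
	if (!grow_u32_array(&a, 16))
		ok = 0;
	else
		a[15] = 42;
	free(a);
	return ok;
}

int
main(void)
{
	printf("reallocarray demo %s\n", demo_reallocarray() ? "ok" : "FAILED");
	return 0;
}
```

The division-based check is the portable form; OpenBSD's own implementation short-circuits it when both operands are below 2^32, which is the common case, so the cost on the fast path is a single comparison.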
Over at Servicevirtualization.com, Bob Beck (beck@) was interviewed for a piece called Dead Code Walking: What Companies Can Do to Mitigate Old, Bad Code about the Heartbleed bug and the subsequent LibreSSL fork. A favorite quote:
ServiceVirtualization: What can organizations do to ensure they are building applications using high-quality, open-source components?
Beck: This is not an open source problem. It's a problem with any codebase you incorporate or reuse. Examine where they come from, have competent developers look at what they are bringing in, and know what the motivations are of the organization that is developing them. OpenBSD can stand well on its own track record. We are security-focused developers.
Martynas Venckus (martynas@) has committed a pair of security-related enhancements to OpenBSD's gcc(1), improving the bug- and exploit-resistance of the entire system.
The first, a new -fstack-shuffle option, hopes to find bugs that were slipping through due to the ordering of variables on the stack.
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2014/05/06 17:22:33

Modified files:
	gnu/gcc/gcc : cfgexpand.c common.opt

Log message:
Introduce -fstack-shuffle, which randomizes local stack variables.
This will make the environment more hostile and help detect bugs that
depend on overrunning one variable into another, with almost no
performance cost. Discussed with Theo at m2k14 hackathon.
"oh god yes" tedu@, "oh nice" djm@
I maintain Android's C library which, as you may know, contains a lot of OpenBSD code. I've been working to clean up our mess and get us back in sync with upstream, and currently have 173 files that are exactly the same as current upstream OpenBSD. (more than we have from the other two BSDs put together.)
There's more after the fold: Read more...
OpenBSD users and developers know to appreciate that our favorite operating system is a sanely constructed, modern Unix with a well deserved reputation for an emphasis on security. That is perhaps one of the reasons why the LibreSSL initiative has caused so much excitement, to the point where several people have independently started efforts to port the OpenBSD project's work in progress LibreSSL code to other platforms.
The main takeaway is:
OpenBSD functions may be more secure than counterparts elsewhere
Starting today, we're going to try sending patches out via email so you don't miss them.
Several previous errata have also been recently published for OpenBSD 5.4 and 5.5. We won't be mailing them out individually since they aren't new, but you should check the web site for details.
Refer to http://www.openbsd.org/errata55.html and errata54.html.
(Also note that OpenBSD 5.3 is officially end of life and will not be receiving any more patches.)
When I arrived in Morocco I had a few small things I wanted to look at, which I naturally ended up spending most of my time on. While Puppet generally works great on OpenBSD, the port itself was in dire need of some cleaning and pushing patches upstream. While working on the port I finally sat down to iron out some (the last?) bugs in the "ensure => latest" patch we have to update packages to their latest version. Moving Puppet and all the related components of the stack to use Ruby 2.0 (instead of 1.9) concludes my work on Puppet for m2k14.
Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 "unprepared" about what I was going to do.
On the menu of new features for this release:
the install sets and packages are now signed with signify(1). Yes, it really is 2014.
a scripted installation mode is available in the installer, and iso images to dump onto USB keys are provided. It was already possible to install OpenBSD from a USB key; now it is even simpler!
on the hardware side, multiprocessor support on alpha, OpenBSD/vax moved to GCC3, a number of new drivers were added (ubcmtp(4), qla(4)...) for hardware support as well as virtualization support: vmx(4), vmwpvs(4), vioscsi(4)... who said OpenBSD had poor support for running as a virtualization guest?
an impressive list of changes in iked(8) (OCSP support, RSA key authentication, IP allocation to clients from an address pool) and smtpd(8) (partial support for DSN and ENHANCEDSTATUSCODES, SNI support, lots of improvements in smtpctl(8))
the random number generator is now seeded from boot, for extra paranoia!
In ports/packages: GNOME 3.10.2, KDE 4.11.5 (FINALLY \o/), still Xfce 4.10, Firefox 26, Chromium 32, 4 different versions of ruby, 2 of python, 2 of php.. everything you need to build a desktop, or a dev/web server.
And finally, a multitude of other changes in OpenSSH, but I'll let you go and read the list yourselves like grown-ups.
Of course, an upgrade guide is provided; pay special attention because of the ABI change caused by time_t..
Stay tuned for 5.6, which is going to rock hard with things like smtpd and nginx by default, libressl, nsd/unbound, and plenty of other shiny stuff!
Looking at the release announcement and other sources such as the release page, it's easy to see that there are numerous goodies in store for you: A whole new traffic shaping system to replace ALTQ, 64-bit time_t, cryptographically signed base sets and packages, automatic installation features, improved hardware support, and more.
And if you haven't already, a good way to say a big thank you to Theo and the other developers is to go to the orders site and buy CD sets, T-shirts and other items. Direct donations are welcome too, of course.
One more data point for why OpenBSD 5.6 will be, for lack of a better word, awesome.
Hi there. I'm trying to find somebody who is actually using either Kerberos or SRP support in libssl. I'm inclined to remove support for them. While the bulk of the code sits off to the side, the integration requires adding several additional cases to some of the most critical paths.
For reference, OpenBSD hasn't ever compiled support for either of these features and I haven't seen many complaints. The code has all the hallmarks of something that somebody needed once, threw over the fence, and has been barely maintained on life support ever since. That said, we'd rather not be too hasty in deleting it because unbeknownst to us, it could be useful.
We're looking for somebody to stand up and say "Not only do I need SRP support, but I'm sufficiently invested that I'd like to help maintain it."
Note that I'm not looking for negative responses. You don't need to tell me you think it's ok to delete these features. I already think that.
Also note that I'm not really interested in rumors or whispers. You don't need to tell me that it's possible somebody else uses Kerberos. I know it's possible, that's why I'm asking. I'd like to know who.
If you or one of your loved ones has a need for this, speak now or resurrect the code from the attic.
The OpenBSD Foundation is very pleased to announce that Google has granted us five student slots for GSOC 2014.
The five projects that we will be undertaking as a result are:
- Proper YACC parsers for dhcpd and dhclient.
- Systemd-like support for ports.
- GPT and UEFI.
- Improved dhcpd.
Kudos to the winning students and the generous volunteers who will serve as mentors for the projects.
We're looking forward to seeing the results of the students' work, mentored by notable OpenBSD developers!