OpenBSD Version 6.0 -

OpenBSD Version 6.0

Die offizielle CD-Ausgabe

Theo de Raadt, OpenBSD.org (Herausgeber)

CD-ROM (Software)
2016 | 12. Auflage
OpenBSD.org (Hersteller)
978-0-9881561-8-0 (ISBN)
49,95 inkl. MwSt
  • Titel ist leider vergriffen;
    keine Neuauflage
  • Artikel merken
Ab der Version 6.1 ist nur noch ein Download möglich bei openbsd.org

  • Three CDROMs in a regular size soft-shell DVD case.
  • The complete install components for FOUR architectures: i386, amd64, macppc, sparc64.
  • Several pre-built binary packages for the most common architectures, which are very easy to install directly off the CDROM.

OpenBSD 6.0 ist ein vollständiges BSD-basiertes Betriebssystem (BSD=Berkeley Software Distribution) und wird allgemein als sehr sicher eingeschätzt dank proaktiven Security-Features und integrierter Kryptographie.

Es wird ausschließlich von Freiwilligen entwickelt. Das Projekt finanziert die nötige Entwicklungsumgebung und Veranstaltungen für Entwickler mit dem Verkauf von CDs und durch die Annahme von Spenden von Organisationen und Privatpersonen. Diese Geldmittel stellen sicher, dass OpenBSD auch weiterhin existiert, und frei für jeden und jegliche Benutzung bleibt.

This is a partial list of new features and systems included in OpenBSD 6.0. For a comprehensive list, see the changelog leading to 6.0.

New/extended platforms:
armv7:
  • EFI bootloader added, kernels are now loaded from FFS instead of FAT or EXT filesystems, without U-Boot headers.
  • A single kernel and ramdisk are now used for all SoCs.
  • Hardware is dynamically enumerated via Flattened Device Tree (FDT) instead of via static tables based on board id numbers.
  • Miniroot installer images include U-Boot 2016.07 with support for EFI payloads.
vax:
  • Removed.

Improved hardware support, including:
  • New bytgpio(4) driver for the Intel Bay Trail GPIO controller.
  • New chvgpio(4) driver for the Intel Cherry View GPIO controller.
  • New maxrtc(4) driver for the Maxim DS1307 real time clock.
  • New nvme(4) driver for the Non-Volatile Memory Express (NVMe) host controller interface.
  • New pcfrtc(4) driver for the NXP PCF8523 real time clock.
  • New umb(4) driver for the Mobile Broadband Interface Model (MBIM).
  • New ure(4) driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
  • New utvfu(4) driver for audio/video capture devices based on the Fushicai USBTV007.
  • The iwm(4) driver supports more models, notably the Intel Wireless 3165 and 8260.
  • Support for I2C HID devices with GPIO signalled interrupts has been added to dwiic(4).
  • Support for larger bus widths, high speed modes, and DMA transfers has been added to sdmmc(4), rtsx(4), sdhc(4), and imxesdhc(4).
  • Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
  • Many USB device drivers have been enabled on OpenBSD/octeon.
  • Improved support for hardware-reduced ACPI implementations.
  • AES-NI crypto is now down without holding the kernel lock.
  • Improved AGP support on PowerPC G5 machines.
  • Added support for the SD card slot in Intel Bay Trail SoCs.
  • The ichiic(4) driver now ignores the SMBALERT# interrupt to prevent an interrupt storm.
  • Device attachment problems with the axen(4) driver have been fixed.
  • The ral(4) driver is more stable under load with RT2860 devices.
  • Problems with dead keyboards after resume have been fixed in the pckbd(4) driver.
  • The rtsx(4) driver now supports RTS522A devices.
  • Initial support for MSI-X has been added.
  • Support for MSI-X has been added to the virtio(4) driver.
  • Added a workaround for hardware DMA overruns to the dc(4) driver.
  • The acpitz(4) driver now spins the fan down after cooling if ACPI uses hysteresis for active cooling.
  • The xhci(4) driver now performs handoff from an xHCI-capable BIOS correctly.

SMP network stack improvements:
  • The Tx queue of the cnmac(4) driver can now be processed in parallel of the rest of the kernel.
  • Network input path is now run in thread context.

IEEE 802.11 wireless stack improvements:
  • The HT block ack receive buffer logic follows the algorithm given in the 802.11-2012 spec more closely.
  • The iwn(4) driver now keeps track of HT protection changes while associated to an 11n AP.
  • The wireless stack and several drivers make more aggressive use of RTS/CTS to avoid interference from legacy devices and hidden nodes.

Generic network stack improvements:
  • The routing table is now based on ART offering a faster lookup.
  • The number of route lookup per packet has been reduced to 1 in the forwarding path.
  • The prio field on VLAN headers is now correctly set on each fragment of an IPv4 packet going out on a vlan(4)interface.
  • Enabled device cloning for bpf(4). This allows the system to have just one bpf device node in /dev that services all bpf consumers (up to 1024).

Installer improvements:
  • updated list of restricted usercodes
  • install.sh and upgrade.sh merged into install.sub
  • update automatically runs sysmerge(8) in batch mode before fw_update(1)
  • questions and answers are logged in a format that can be used as a response file for use by autoinstall(8)
  • /usr/local is set to wxallowed during install

Routing daemons and other userland network improvements:
  • Add routing table support to rc.d(8) and rcctl(8).
  • Let nc(1) support service names in addition to port numbers.
  • Add -M and -m TTL flags to nc(1).
  • Add AF_UNIX support to tcpbench(1).
  • Fixed a regression in rarpd(8). The daemon could hang if it was idle for a long time.
  • Added the llprio option in ifconfig(8).
  • Multiple programs that use bpf(4) have been modified to take advantage of bpf(4) device cloning by opening /dev/bpf0 instead of looping through /dev/bpf* devices. These programs include arp(8), dhclient(8), dhcpd(8), dhcrelay(8), hostapd(8), mopd(8), npppd(8), rarpd(8), rbootd(8), and tcpdump(8). The libpcap library has also been modified accordingly.

Security improvements:
  • W^X is now strictly enforced by default; a program can only violate it if the executable is marked with PT_OPENBSD_WXNEEDED and is located on a filesystem mounted with the wxallowed mount(8) option. Because there are still too many ports which violate W^X, the installer mounts the /usr/local filesystem with wxallowed. This allows the base system to be more secure as long as /usr/local is a separate filesystem. If you use no W^X violating programs, consider manually revoking that option.
  • The setjmp(3) family of functions now apply XOR cookies to stack and return-address values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
  • SROP mitigation: sigreturn(2) can now only be used by the kernel-provided signal trampoline, with a cookie to detect attempts to reuse it.
  • To deter code reuse exploits, rc(8) re-links libc.so on startup, placing the objects in a random order.
  • In the getpwnam(3) family of functions, stop opening the shadow database by default.
  • Allow tcpdump(8) -r to be started without root privileges.
  • Remove systrace.
  • Remove Linux emulation support.
  • Remove support for the usermount option.
  • The TCP SYN cache reseeds its random hash function from time to time. This prevents an attacker from calculating the distribution of the hash function with a timing attack.
  • To work against SYN flooding attacks the administrator can change the size of the hash array now. netstat(1) -s -p tcp shows the relevant information to tune the SYN cache with sysctl(8) net.inet.tcp.
  • The administrator can require root privileges for binding to some TCP and UDP ports with sysctl(8) net.inet.tcp.rootonly and sysctl(8) net.inet.udp.rootonly.

Assorted improvements:
  • The thread library can now be loaded into a single-threaded process.
  • Improved symbol handling and standards compliance in libc. For example, defining an open() function will no longer interfere with the operation of fopen(3).
  • PT_TLS sections are now supported in initially loaded object.
  • Improved handling of "no paths" and "empty path" in fts(3).
  • In pcap(3), provide the functions pcap_free_datalinks() and pcap_offline_filter().
  • Many bugfixes and structural cleanup in the editline(3) library.
  • Remove ancient dbm(3) functions; ndbm(3) remains.
  • Add setenv keyword for more powerful environment handling in doas.conf(5).
  • Add -g and -p options to aucat.1 for time positioning.
  • Rewrite audioctl(1) with a simpler user interface.
  • Add -F option to install(1) to fsync(2) the file before closing it.
  • kdump(1) now dumps pollfd structures.
  • Improve various details of ksh(1) POSIX compliance.
  • mknod(8) rewritten in a pledge(2)-friendly style and to support creating multiple devices at once.
  • Implement rcctl(8) get all and getdef all.
  • Implement the rcs(1) -I (interactive) flag.
  • In rcs(1), implement Mdocdate keyword substitution.
  • In top(1), allow to filter process arguments if they are being displayed.
  • Added UTF-8 support to fold(1) and rev(1).
  • Enable UTF-8 by default in xterm(1) and pod2man(1).
  • Filter out non-ASCII characters in wall(1).
  • Handle the COLUMNS environment variable consistently across many programs.
  • The options -c and -k allow to provide TLS client certificates for syslogd(8) on the sending side. With that the receiving side can verify log messages are authentic. Note that syslogd does not have this check feature yet.
  • When the klog buffer overflows, syslogd will write a log message to show that some entries is missing.
  • On OpenBSD/octeon, CPU cache write buffering is enabled to improve performance.
  • pkg_add(1) and pkg_info(1) now understand a notion of branch to ease selection of some popular packages such as python or php, e.g., say pkg_add python%3.4 to select the 3.4 branch, and use pkg_info -zm to get a fuzzy listing with branch selection suitable for pkg_add -l.
  • fdisk(8) and pdisk(8) immediately exit unless passed a character special device
  • st(4) correctly tracks the current block count for variable sized blocks
  • fsck_ext2fs(8) works again
  • softraid(4) volumes can be constructed with disks that have a sector size other than 512 bytes
  • dhclient(8) DECLINE's and discards unused OFFER's.
  • dhclient(8) immediately exits if its interface (e.g. a bridge(4)) returns EAFNOSUPPORT when a packet is sent.
  • httpd(8) returns 400 Bad Request for HTTP v0.9 requests.
  • ffs2's lazy node initialization avoids treating random disk data as an inode
  • fcntl(2) invocations in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
  • socket(2) and accept4(2) invocations in base programs use SOCK_NONBLOCK to eliminate the need for a separate fcntl(2).
  • tmpfs not enabled by default
  • the in-kernel semantics of pledge(2) were improved in numerous ways. Highlights include: a new chown promise that allows pledged programs to set setugid attributes, a stricter enforcement of the recvfd promise and chroot(2) is no longer allowed for pledged programs.
  • a number of pledge(2)-related bugs (missing promises, unintended changes of behavior, crashes) were fixed, notably in gzip(1), nc(1), sed(1), skeyinit(1), stty(1), and various disk-related utilities, such as disklabel(8) and fdisk(8).

OpenSMTPD 6.0.0
Security:
  • Implement the fork+exec pattern in smtpd(8).
  • Fix a logic issue in the SMTP state machine that can lead to an invalid state and result in a crash.
  • Plug a file-pointer leak that can lead to resource exhaustion and result in a crash.
  • Use automatic DH parameters instead of fixed ones.
  • Disable DHE by default since it is computationally expensive and a potential DoS vector.
The following improvements were brought in this release:
  • Add the -r option to the smtpd(8) enqueuer for compatibility with mailx.
  • Explicitly enclose SMTP transactions between BEGIN and COMMIT/ROLLBACK filter events.
  • Add missing date or message-id when listening on the submit port.
  • Fix "smtpctl show queue" reporting "invalid" envelope state.
  • Rework the format of the "Received" header so that the TLS part does not violate the RFC.
  • Increase the number of connections a local address is allowed to establish, and decrease the delay between transactions in the same session.
  • Properly reset the transaction when a filter rejects a message.
  • Deal with LMTP servers returning continuation lines.

OpenSSH 7.3
Security:
  • sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters.
  • sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210.
  • ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
  • ssh(1), sshd(8): Improve ordering ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage is known.
New/changed features:
  • ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
  • ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
  • ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. (bz#2577)
  • ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00.
  • ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
  • ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates.
  • ssh(1): Add an Include directive for ssh_config(5) files.
  • ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. (bz#2058)
The following significant bugs have been fixed in this release:
  • In scp(1) and sftp(1), prevent screwing up terminal settings by escaping bytes not forming ASCII or UTF-8 characters.
  • ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. (bz#2585)
  • sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. (bz#2398)
  • sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. (bz#2585)
  • ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. (bz#1988)
  • misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. (bz#2529)
  • ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. (bz#2562)
  • sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. (bz#2559)
  • sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts. (bz#2554)
  • ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. (bz#2550)
  • sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. (bz#2252)

OpenNTPD 6.0
  • When a single "constraint" is specified, try all returned addresses until one succeeds, rather than the first returned address.
  • Relaxed the constraint error margin to be proportional to the number of NTP peers, avoid constant reconnections when there is a bad NTP peer.
  • Removed disabled hotplug(4) sensor support.
  • Added support for detecting crashes in constraint subprocesses.
  • Moved the execution of constraints from the ntp process to the parent process, allowing for better privilege separation since the ntp process can be further restricted.
  • Added pledge(2) support.
  • Fixed high CPU usage when the network is down.
  • Fixed various memory leaks.
  • Switched to RMS for jitter calculations.
  • Unified logging functions with other OpenBSD base programs.
  • Set MOD_MAXERROR to avoid unsynced time status when using ntp_adjtime.
  • Fixed HTTP Timestamp header parsing to use strptime(3) in a more portable fashion.
  • Hardened TLS for ntpd(8) constraints, enabling server name verification.

LibreSSL 2.4.2
User-visible features:
  • Fixed some broken manpage links in the install target.
  • cert.pem has been reorganized and synced with Mozilla's certificate store.
  • Reliability fix, correcting an error when parsing certain ASN.1 elements over 16k in size.
  • Implemented the IETF ChaCha20-Poly1305 cipher suites.
  • Fixed password prompts from openssl(1) to properly handle ^C.

Code improvements:
  • Fixed an nginx compatibility issue by adding an 'install_sw' build target.
  • Changed default EVP_aead_chacha20_poly1305(3) implementation to the IETF version, which is now the default.
  • Reworked error handling in libtls so that configuration errors are more visible.
  • Added missing error handling around bn_wexpand(3) calls.
  • Added explicit_bzero(3) calls for freed ASN.1 objects.
  • Fixed X509_*set_object functions to return 0 on allocation failure.
  • Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
  • Fixed a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.
  • Fixed several issues in the OCSP code that could result in the incorrect generation and parsing of OCSP requests. This remediates a lack of error checking on time parsing in these functions, and ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
The following CVEs have been fixed:
  • CVE-2016-2105—EVP_EncodeUpdate overflow.
  • CVE-2016-2106—EVP_EncryptUpdate overflow.
  • CVE-2016-2107—padding oracle in AES-NI CBC MAC check.
  • CVE-2016-2108—memory corruption in the ASN.1 encoder.
  • CVE-2016-2109—ASN.1 BIO excessive memory allocation.

Ports and packages:
  • New proot(1) tool in the ports tree for building packages in a chroot.

Many pre-built packages for each architecture:
  • alpha: 7422
  • amd64: 9433
  • hppa: 6346
  • i386: 9394
  • mips64: xxxx
  • mips64el: xxxx
  • powerpc: xxxx
  • sparc64: 8570

Some highlights:
  • Afl 2.19b
  • Chromium 51.0.2704.106
  • Emacs 21.4 and 24.5
  • GCC 4.9.3
  • GHC 7.10.3
  • Gimp 2.8.16
  • GNOME 3.20.2
  • Go 1.6.3
  • Groff 1.22.3
  • JDK 7u80 and 8u72
  • KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
  • LLVM/Clang 3.8.0
  • LibreOffice 5.1.4.2
  • Lua 5.1.5, 5.2.4, and 5.3.3
  • MariaDB 10.0.25
  • Mono 4.4.0.182
  • Mozilla Firefox 45.2.0esr and 47.0.1
  • Mozilla Thunderbird 45.2.0
  • Mutt 1.6.2
  • Node.js 4.4.5
  • Ocaml 4.3.0
  • OpenLDAP 2.3.43 and 2.4.44
  • PHP 5.5.37, 5.6.23, and 7.0.8
  • Postfix 3.1.1 and 3.2-20160515
  • PostgreSQL 9.5.3
  • Python 2.7.12, 3.4.5, and 3.5.2
  • R 3.3.1
  • Ruby 1.8.7.374, 2.0.0.648, 2.1.9, 2.2.5, and 2.3.1
  • Rust 1.9.0-20160608
  • Sendmail 8.15.2
  • Sudo 1.8.17.1
  • Tcl/Tk 8.5.18 and 8.6.4
  • TeX Live 2015
  • Vim 7.4.1467
  • Xfce 4.12

As usual, steady improvements in manual pages and other documentation.

The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches, freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322, xkeyboard-config 2.18 and more)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.20.3 (+ patches)
  • SQLite 3.9.2 (+ patches)
  • NSD 4.1.10
  • Unbound 1.5.9
  • Ncurses 5.7
  • Binutils 2.17 (+ patches)
  • Gdb 6.3 (+ patches)
  • Awk Aug 10, 2011 version
  • Expat 2.1.1

OpenBSD wird ausschließlich von Freiwilligen entwickelt. Das Projekt finanziert die nötige Entwicklungsumgebung und Veranstaltungen für Entwickler mit dem Verkauf von CDs und durch die Annahme von Spenden von Organisationen und Privatpersonen. Diese Geldmittel stellen sicher, dass OpenBSD auch weiterhin existiert, und frei für jeden und jegliche Benutzung bleibt.

Sprache englisch
Einbandart DVD-Box
Themenwelt Informatik Betriebssysteme / Server Unix / Linux
Informatik Netzwerke Sicherheit / Firewall
Informatik Theorie / Studium Kryptologie
Schlagworte Betriebssysteme / Linux, UNIX • BSD • BSD Unix • Open BSD
ISBN-10 0-9881561-8-0 / 0988156180
ISBN-13 978-0-9881561-8-0 / 9780988156180
Zustand Neuware
Haben Sie eine Frage zum Produkt?