RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

OpenBSD

Product
Developers: The OpenBSD Foundation
Date of the premiere of the system: 2022/04/22
Last Release Date: 2023/03/10
Technology: OS

Content

2023: OpenBSD 7.3

On April 10, 2023, it became known that the release of the free UNIX-like operating system OpenBSD 7.3 was presented. The OpenBSD project was founded by Theo de Raadt in 1995 after a conflict with NetBSD developers that closed access to the CVS NetBSD repository for Teo. After that, Teo de Raadt and a group of like-minded people created an open operating system based on the NetBSD source tree, the main development goals of which were portability (13 hardware platforms are supported), standardization, correct operation, proactive security and integrated cryptographic tools. The size of the full installation ISO image of the basic OpenBSD 7.3 system is 620 MB.

OpenBSD 7.3

As reported, in addition to the operating system itself, the OpenBSD project is known for its components, which have become widespread in other systems and have proven themselves to be one of the most secure and high-quality solutions. Among them: LibreSSL (fork) OpenSSL ,, OpenSSH PF packet filter, OpenBGPD and OpenOSPFD routing daemons, OpenNTPD NTP server, OpenSMTPD mail server, text terminal multiplexer (analogue of GNU screen) tmux, identd daemon with IDENT protocol implementation, BSDL Link-resistant system alternative GNU GROP P httpserver files

Major changes:

  • System calls waitid (waiting for the process state to change), pinsyscall (to transfer information about the execve entry point for protection against ROP exploits), getthrname and setthrname (to get and set the thread name) are implemented.
  • All architectures use clockintr, a hardware-independent timer interrupt scheduler.
  • A sysctl kern.autoconf_serial has been added that can be used to track changes in device tree status in the kernel from user space.
  • Improved support for multiprocessor systems (SMP). Switched to mp-safe event filters for tun and tap devices. Freed from select, pselect, poll, ppoll, getsockopt, setsockopt, mmap, munmap, mprotect, sched_yield, minherit and utrace function locks, as well as ioctl SIOCGIFCONF, SIOCGIFGMEMB, SIOCGIFGATTR and SIOCGIFGLIST. Optimized work with locks in the pf batch filter. Optimized system and network stack performance on multi-core systems.
  • The implementation of the drm framework (Direct Rendering Manager) is synchronized with the Linux 6.1.15 kernel (in the previous release - 5.15.69). The amdgpu driver adds support for Ryzen 7000 "Raphael," Ryzen 7020 "Mendocino," Ryzen 7045 "Dragon Range," Radeon RX 7900 XT/XTX "Navi 31," Radeon RX 7600M (XT), 7700S and 7600S "Navi 33." Amdgpu has added support for backlight control and provides work g xbacklight when using the X.Org modesetting driver. Shader caching is enabled by default in Mesa.
  • Changes have been made to the VMM hypervisor.
  • The possibilities for additional protection of the memory of processes in the user's space are implemented: the system call mimmutable and the library function of the same name associated with it, which allows you to fix access rights when reflecting in memory (memory mappings). After the commit, the rights set for the memory area, for example, the write and execution prohibition, cannot be further changed through subsequent calls to the mmap (), mprotect () and munmap () functions, which, when the change is attempted, will produce an EPERM error.
  • On the AMD64 architecture, the RETGUARD protection mechanism is enabled for system calls, aimed at complicating the execution of exploits built using borrowing pieces of code and receiving return-oriented programming.
  • Exploitation protection is enabled, vulnerabilities based on random reassembly of the sshd executable at each system boot. The reassembly allows you to make the displacement of functions in sshd unremarkable, which will make it difficult to create exploits using return-oriented methods. programming
  • More aggressive randomization of stack location on 64-bit systems is provided.
  • Added protection against Specter-BHB vulnerability in microarchitectural processor structures.
  • The ARM64 processors for the user space and kernel use the DIT (Data Independent Timing) flag to block attacks on third-party channels that manipulate the dependence of the execution time of instructions on the data processed in these instructions.
  • Enabling lladdr to be used in defining network configurations. For example, in addition to binding to the interface name (hostname.fxp0), you can use binding to a MAC address (hostname.00: 00: 6e: 00:34: 8f).
  • Optimized sleep support for ARM64 architecture-based systems.
  • Support for ARM chips has been significantly expanded. Apple
  • Added support for additional hardware and included updated drivers.
  • The bwfm driver for wireless cards based on Broadcom and Cypress chips implements encryption support for WEP.
  • The installer optimizes work with software RAID and implements initial support for disk encryption (Guided Disk Encryption).
  • Added scroll-top and scroll-bottom commands in tmux ("terminal multiplexer") to scroll the cursor to the beginning and end * Updated LibreSSL and OpenSSH packages. A detailed overview of the changes can be found in the reviews of LibreSSL 3.7.0, OpenSSH 9.2 and OpenSSH 9.3.
  • The number of ports for the AMD64 architecture was 11,764 (was 11,451), for aarch64 - 11,561 (was 11,261), for i386 - 10,572 (was 10,225). Among the versions of applications on ports:
  • * Asterisk 16.30.0, 18.17.0 и 20.2.0
    • Audacity 3.2.5
    • CMake 3.25.2
    • Chromium 111.0.5563.110

  • * Emacs 28.2

    • FFmpeg 4.4.3
    • GCC 8.4.0 and 11.2.0
    • GHC 9.2.7

  • * GNOME 43.3

    • Go 1.20.1
    • JDK 8u362, 11.0.18 and 17.0.6
    • KDE Gears 22.12.3
    • KDE Frameworks 5.103.0
    • Krita 5.1.5
    • LLVM/Clang 13.0.0

  • * LibreOffice 7.5.1.2

    • Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.4

  • * MariaDB 10.9.4
  • * Mono 6.12.0.182
  • * Mozilla Firefox 111.0 и ESR 102.9.0
  • * Mozilla Thunderbird 102.9.0

    • Mutt 2.2.9 и NeoMutt 20220429
    • Node.js 18.15.0
    • OCaml 4.12.1
    • OpenLDAP 2.6.4
    • PHP 7.4.33, 8.0.28, 8.1.16 and 8.2.3
    • Postfix 3.5.17 и 3.7.3

  • * PostgreSQL 15.2
  • * Python 2.7.18, 3.9.16, 3.10.10 и 3.11.2

    • Qt 5.15.8 and 6.4.2
    • R 4.2.1
    • Ruby 3.0.5, 3.1.3 and 3.2.1

  • * Rust 1.68.0
  • * SQLite 2.8.17 и 3.41.0

    • Shotcut 22.12.21
    • Sudo 1.9.13.3

  • * Suricata 6.0.10

    • Tcl/Tk 8.5.19 and 8.6.13
    • TeX Live 2022
    • Vim 9.0.1388 и Neovim 0.8.3
    • Xfce 4.18

  • Updated third-party components included in OpenBSD 7.3:

    • Xenocara X.Org 7.7 graphics stack with xserver 1.21.6 + patches, freetype 2.12.1, fontconfig 2.14, Mesa 22.3.4, xterm 378, xkeyboard-config 2.20, fonttosfnt 1.2.2.
    • LLVM/Clang 13.0.0 (+ patches)
    • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    • Perl 5.36.1 (+ patches)
    • NSD 4.6.1
    • Unbound 1.17
    • Ncurses 5.7
    • Binutils 2.17 (+ patches)
    • Gdb 6.3 (+ patch)
    • Awk 12.9.2022
    • Expat 2.5.0[1].

2022

OpenBSD 7.1

On April 22, 2022, it became known that the release of a free cross-platform UNIX-like operating system OpenBSD 7.1 was presented.

Image:OpenBSD 7.1.png
OpenBSD 7.1

As reported, the main changes are:

  • Support for ARM-chip computers Mac Apple M1 (), Apple Silicon such as Apple M1 Pro/Max and Apple T2 Macs, has been announced ready for use. Added drivers for SPI, I2C, DMA controller,, keyboards touchpad, power and performance management. Support, GPIO Wi-Fi, framebuffer,, USB screen, NVMe drives are provided.
  • Optimized support for ARM64 architecture. Added gpiocharger, gpioleds and gpiokeys drivers, providing support for chargers, backlights and buttons connected to the GPIO (for example, this is what is done in Pinebook Pro). Добавлены драйверы: mpfclock (PolarFire SoC MSS clock controller), cdsdhc (Cadence SD/SDIO/eMMC host controller), mpfiic (PolarFire SoC MSS I2C controller) и mpfgpio (PolarFire SoC MSS GPIO).
  • Optimized support for RISC-V 64 architecture, for which uhid and fido drivers are enabled, support for installation on GPT disks is provided.
  • The mount_msdos utility enables the use of long file names by default.
  • Redesigned garbage collector code for unix sockets.
  • sysctl hw.perfpolicy is set to "auto" by default, which implies turning on full performance mode when connecting stationary power and using an adaptive algorithm when powering the battery.
  • Optimized support for multiprocessor systems (SMP). Switched to mp-safe event filters of unnamed pipes, kqread, sound and sockets, as well as the BPF mechanism. The system calls poll, select, ppoll and pselect are rewritten and are now implemented on top of kqueue. Kevent, getsockname, getpeername, accept and accept system calls are freed from locks. 4. The kernel interface for atomic load and store functions has been added, allowing the use of int and long types in elements of structures to which reference counting is applied.
  • The implementation of the drm framework (Direct Rendering Manager) is synchronized with the Linux kernel 5.15.26 (in the previous release - 5.10.65). The inteldrm driver adds support for Intel chips based on Elkhart Lake, Jasper Lake and Rocket Lake microarchitectures. The amdgpu driver supports APU/GPU Van Gogh, Rembrandt "Yellow Carp" Ryzen 6000, Navi 22 "Navy Flounder," Navi 23 "Dimgrey Cavefish" and Navi 24 "Beige Goby."
  • The FreeType library includes subpixel rendering of fonts.
  • The realpath utility has been added to display the absolute path to the file.
  • The rcctl utility has added the command "ls rogue" to show background processes that are running but not included in rc.conf.local.
  • BPFtrace supports variables for checks. Btrace has added kprofile.bt scripts to profile the kernel stack and runqlat.bt to detect delays in the scheduler.
  • libc has added support for a RFC6840 that specifies support for the AD flag and the 'trust-ad' settings for DNSSEC.
  • In apm and apmd, the display of the predicted battery recharge time is included.
  • Capability is provided storages DB in/etc/login.conf.d to optimize the addition of own account classes from packages.
  • Malloc provides caching of memory regions ranging in size from 128k to 2M.
  • The pax archiver supports extended headers with mtime, atime, and ctime data.
  • The "-k" option has been added to the gzip and gunzip utilities to save the source file.
  • The openrsync utility has added options: "--compare-dest" to check for files in additional directories; --max-size and --min-size to limit file size.
  • Added seq command to output sequences of numbers.
  • A universal software implementation of trigonometric functions has been transferred from FreeBSD 13 (assembly implementations * for x86 are disabled).
  • The implementation of the functions lrint, lrintf, llrint and llrintf was transferred from FreeBSD (the implementation from NetBSD was previously used).
  • The fdisk utility has noted numerous changes and fixes related to working with disk partitions.
  • Added support for updated hardware, including the Intel PCH GPIO controller (for Cannon Lake H and Tiger Lake H platforms), NXP PCF85063A/TP RTC, Synopsys Designware UART, Intel 2.5Gb Ethernet, SIMCom SIM7600, RTL8156B, MediaTek MT7601U USB wifi, BCM4387 wifi.
  • The composition includes relicensed firmware for Realtek wireless chips, which allows you to use the rsu, rtwn and urtwn drivers without manually loading the firmware.
  • ixl (Intel Ethernet 700), ix (Intel 82598/82599/X540/X550), and aq (Aquantia AQC1xx) drivers support VLAN tag hardware and checksum calculations/checks for IPv4, TCP4/6, and UDP4/6.
  • Added audio driver for Intel Jasper Lake chips. Added support for the XBox One game controller.
  • The IEEE wireless stack 802.11 implements support for 802.11n 40MHz channels and initial standard support (802.11ac VHT). An optional background scan handler has been added for drivers. When selecting an access point, the 5GHz points are now the priority, and only then the 2GHz points are selected.
  • The implementation of the vxlan driver has been rewritten, which now works independently of the bridge subsystem.
  • The installer has redesigned the logic of calling the pkg_add utility to reduce the intensity of file movements during the update process. The install.site file documents the setup and upgrade process. For all architectures, firmware has been added to the composition, the distribution of which is allowed in third-party products. The fw_update utility is used to install proprietary firmware available on the installation media.
  • In xterm, mouse tracking is disabled by default for security reasons.
  • usbhidctl and usbhidaction provide isolation of access to the file system using the unveil system call.
  • In dhcpd, by default, attachment is provided to network interfaces that are inactive (down) in order to ensure that packets are received immediately after the network interface is activated.
  • OpenSMTPD (smtpd) has TLS check enabled by default for outgoing connections "smtps ://" and" smtp + tls ://. "
  • Httpd implements protocol version verification, adds the ability to determine its own files with error texts and optimizes data processing in compressed form, including adding the gzip-static option to httpd.conf to deliver pre-compressed files with the gzip flag set in the content-encoding header.
  • In IPsec, the proto parameter from iked.conf allows you to specify a list of protocols. The "show certinfo" command has been added to the ikectl utility to show trustworthy certificate authorities and certificates. iked optimizes the processing of fragmented messages.
  • The rpki-client adds support for BGPsec Router open key validation and optimizes X509 certificate validation.
  • A cache of verified files has been added. Optimized compatibility with RFC 6488.
  • bgpd has added the parameter "port," which can be used in the sections "listen on" and "neighbor" to bind to a non-standard network port number. Code refactoring was carried out to work with RIB (Routing Information Base), made with an eye to providing multipath support in the future.
  • In the console window manager tmux ("terminal multiplexer"), the capabilities for color output are expanded. Added pane-border-format, cursor-color, and cursor-style commands.
  • LibreSSL ported from OpenSSL support RFC 3779 (X.509 extensions for IP addresses and autonomous systems) and the Certificate Transparency mechanism (an independent public log of all issued and revoked certificates, which makes it possible to independently audit all changes and actions of certification centers, and allows you to immediately track any attempts to secretly create fake records). Optimized compatibility with OpenSSL 1.1 and uses identical cipher names for TLSv1.3 with OpenSSL. Many functions have been switched to calloc (). A large portion of calls has been added to libssl and libcrypto.
  • The OpenSSH package has been updated. A detailed overview of the improvements can be found in the OpenSSH 8.9 and OpenSSH 9.0 reviews. The scp utility has been switched by default to using SFTP instead of the legacy SCP/RCP protocol.
  • The number of ports for the AMD64 architecture was 11301 (there were 11325), for aarch64 - 11081 (there were 11034), for i386 - 10136 (there were 10248). Among the versions of applications on ports:
    • Asterisk 16.25.1, 18.11.1 и 19.3.1
    • Audacity 2.4.2
    • CMake 3.20.3
    • Chromium 100.0.4896.75

  • * Emacs 27.2

    • FFmpeg 4.4.1
    • GCC 8.4.0 and 11.2.0

  • * GNOME 41.5

    • Go 1.17.7
    • JDK 8u322, 11.0.14 and 17.0.2
    • KDE Applications 21.12.2
    • KDE Frameworks 5.91.0
    • Krita 5.0.2
    • LLVM/Clang 13.0.0

  • * LibreOffice 7.3.2.2

    • Lua 5.1.5, 5.2.4 and 5.3.6

  • * MariaDB 10.6.7
  • * Mono 6.12.0.122
  • * Firefox 99.0 и ESR 91.8.0
  • * Thunderbird 91.8.0

    • Mutt 2.2.2 и NeoMutt 20211029
    • Node.js 16.14.2
    • OpenLDAP 2.4.59
    • PHP 7.4.28, 8.0.17 and 8.1.4
    • Postfix 3.5.14

  • * PostgreSQL 14.2
  • * Python 2.7.18, 3.8.13, 3.9.12 и 3.10.4

    • Qt 5.15.2 and 6.0.4
    • R 4.1.2
    • Ruby 2.7.5, 3.0.3 and 3.1.1

  • * Rust 1.59.0
  • * SQLite 2.8.17 и 3.38.2

    • Shotcut 21.10.31
    • Sudo 1.9.10

  • * Suricata 6.0.4

    • Tcl/Tk 8.5.19 and 8.6.8
    • TeX Live 2021
    • Vim 8.2.4600 и Neovim 0.6.1
    • Xfce 4.16

  • Updated third-party components included in OpenBSD 7.1:

    • Xenocara X.Org 7.7 graphics stack with xserver 1.21.1 + patches, freetype 2.11.0, fontconfig 2.12.94, Mesa 21.3.7, xterm 369, xkeyboard-config 2.20, fonttosfnt 1.2.2.
    • LLVM/Clang 13.0.0 (+ patches)
    • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    • Perl 5.32.1 (+ patches)
    • NSD 4.4.0
    • Unbound 1.15.0
    • Ncurses 5.7
    • Binutils 2.17 (+ patches)
    • Gdb 6.3 (+ patch)
    • Awk 12.10.2021
    • Expat 2.4.7[2]

Discovery of a vulnerability leading to a buffer overflow

In the background process of slavacd, which is responsible in OpenBSD for auto-configuration of addresses IPv6 (IPv6 Stateless Address Autoconfiguration, RFC 4862), a vulnerability was identified that leads to a buffer overflow when receiving a specially crafted router IPv6 announcement (RA, Router Advertisement). This became known on March 25, 2022.

Initially, the functionality of auto-configuring IPv6 addresses was implemented at the kernel level, but starting with OpenBSD 6.2, it was placed in a separate unprivileged process slavacd. The specified process is responsible for sending RS (Router Solicitation) messages and parsing RA (Router Advertisement) responses information with the router and network connection parameters.

In February, a bug was fixed in the slaacd that causes a crash if 7 servers are specified in the RDNSS (Recursive DNS Servers) list. A similar gaffe attracted the attention of independent researchers, who tried to study the code of laacd for other errors that occur when parsing fields in RA messages. The analysis showed that the code has another problem that manifests itself when processing the DNSSL (DNS Search List) field, which includes lists of domain names and host templates for DNS.

Each name in the DNSSL is encoded using a null separator and intermediate single-byte labels that determine the size of the following data. The vulnerability is caused by the fact that in the list parsing code a field with a size is copied to a variable with a signed type integer ("len = data [pos]"). Accordingly, if a value with the highest bit set is specified in the field, this value will be taken in the conditional operator as a negative number and checked for the maximum allowable size ("if (len > 63 || len + pos + 1 > datalen) {") will not work, which will lead to a memcpy call with a parameter that exceeds the size of the[3].

LibreSSL 3.5.0 Portable Edition Release

On March 4, 2022, it became known about the release by the OpenBSD project of a portable edition of the LibreSSL 3.5.0 package, within which the OpenSSL fork is developing, aimed at providing a higher level of security. Read more here.

2021: OpenBSD 7.0 with 64-bit RISC-V port

On October 14, 2021, OpenBSD 7.0 was released with a 64-bit RISC-V port and improved processors production support. Apple

This version contains numerous improvements:

  • Added support for a 64-bit RISC-V system with an initial riscv64 platform;
  • Improved stability on the ARM64 platform with updated Apple M1 processor drivers for USB, GPIO, SPMI and NVMe storage. OpenBSD 7.0 also added the ability to install on disk with GPT;
  • On AMD64, the base-gcc compiler was disabled;
  • Improved SMP stability;
  • The updated version no longer has target OpenBSD/SGI platforms;
  • The DRM kernel code now supports Linux 5.10.65 and improved Tiger Lake compatibility;
  • Added support for AMD GPU DRM for Navi 12, Navi 21, Arcturus and Cezanne;
  • Clang 11.1, Go 1.17, GCC 8.4.0/11.2, KDE Applications 21.08.1, Xfce 4.16 [4]

2019: OpenBSD 6.5

First, OpenBSD 6.5 introduced a portable version of bgpd, adapted to work in other operating systems. Secondly, Xenocara and tcpdump are now stripped of superuser privileges, and the default linker for amd64 and i386 is LLD. Mips64 architecture adds build support using the Clang translator[5].

In turn, Clang received improved attack blocking mechanisms using return-oriented programming (ROP). In addition, Clang has improved performance and safety with the RETGUARD security mechanism enabled. This mechanism is designed to complicate the process of executing exploits created using borrowed parts of code and ROP. RETGUARD is now also used as stack protection on amd64 and arm64.

Other significant changes in OpenBSD 6.5 include improving MPLS support, strengthening protection against cyber attacks using ROP, and adding a recursive unwind DNS server and its own implementation of the rsync utility. The OpenBSD kernel received an undefined behavior detector.

Among other things, the new version of the OS received an update for the OpenSMTPD mail server. In particular, smtpd.conf now has a new mapping criterion "from rdns." With its help, sessions can be selected based on the reverse DNS resolution.

2017: Core randomization function

In July 2017, information appeared that OpenBSD developers are testing a new function of the operating system, which will radically increase its protection against cyber attacks - a kernel randomization system.

The technology, called KARL (Kernel Address Randomized Link), implies that each reboot or update randomly generates a new kernel binary file based on the connection of object modules and runtime components. As a result, pointers between functions and kernel data turn out to be new every time, which means that the kernel itself turns out to be new.

OpenBSD randomization: At each OS boot, the kernel will be "new"

KARL technology is being developed by Theo de Raadt himself, founder of the OpenBSD project. KARL is significantly different from ASLR (address space randomization) technology, used in many modern operating systems as one of the means of protection against malware. When using ASLR, the address memory spaces change, so that, for example, exploits aimed at certain addresses in the machine's RAM cannot find them and, accordingly, are powerless.

In the case of KARL, the structure of the entire kernel, and not just memory, changes every time. This feature has been in development over the past two months, and is already available in test releases of OpenBSD 6.1, according to a July 4, 2017 release.

In Linux 4.12, the Kernel Address Space Layout Randomization (KASLR) system has been active by default since last week. A similar system has long been used in Windows.

The key difference between KARL and KASLR is that in the first case, different versions of the kernel binary file are loaded into the same memory area, and in the second case, the same kernel is loaded into a random memory area.

File:Aquote1.png
KARL looks like a more effective means of protecting the kernel than even KASRL, "said Georgy Lagoda, CEO of SEC Consult Services. - In this case, all the key functions of the OS are randomized and it will be much more difficult for cyberplayers and malware to determine the address of the "target" of interest to them - it will be different every time.
File:Aquote2.png

Whether the KARL technique will be implemented in future versions of Linux or Windows is still unknown. At the moment, it is not used anywhere except OpenBSD.

2016

OpenBSD 6.0

On September 1, 2016, an update to the free OpenBSD 6.0 OS was released.

OpenBSD 6.0 (2016) View

This version of OpenBSD has improved ARM7 support, discontinued support for the VAX architecture, and paid much attention to drivers and code cleaning. Improvements affected the network stack, security (W^X enabled by default, systrace eliminated and support for Linux emulation) [6]part of the work on Unicode, UTF-8 is included in XTerm by default. OpenSMTPD, OpenSSH, OpenNTPD and LibreSSL packages, which are also supported by the OpenBSD project, have received updates.

OpenBSD 5.9 Release

On March 29, 2016, the release of the OpenBSD 5.9 operating system was released. The size of the full installation ISO image of the base system OpenBSD 5.9 213 MB[7].

OpenBSD View 5.9 (2016)


In the blog, the developers said that this release is the latest OpenBSD with support for the VAX architecture. The lack of working equipment did not allow a full release to be prepared, so a few weeks ago it was decided to abandon this architecture that does not support shared libraries. The next for the same reason could probably be the 32-bit SPARC architecture.

Major Release Changes

  • A new Pledge system call isolation mechanism has been implemented, which makes security policies as easy as possible. Pledge requires special annotations to be made to applications, but instead of detailing at the level of individual system calls, it manipulates access classes. After building and running the modified application, the kernel takes over the work of monitoring compliance with the specified rules. Currently, about 70% of the base system applications have been transferred to protection using Pledge (453 out of 707);
  • Support for boot on UEFI systems;
  • Significantly improved GPT (GUID Partition Table) support. The installer has added support for installation on GPT partitions. The possibility of using GPT partitions has been added to softraid. Disks with a sector size of not 512 are broken by default using GPT;
  • A new implementation of the less utility, based on a fork supported by Garrett D'Amore, the leader of the Illumos project. Fork differs from the original less by cleaning the code base, switching from termcap to terminfo, stricter POSIX compatibility, and optimization for use on POSIX SUSv3 systems.
  • The composition includes Xen domU components that provide operation as a guest system under the control of the Xen hypervisor. Xen support is only enabled for the AMD64 architecture and allows OpenBSD to be used on Xen-based cloud systems without the need to reassemble from source code. Included are viocon drivers (virtio-based console), xen (Xen domU initialization and PVHVM mode support), xspd (XenSource Platform Device), xnf (paravirtualized network interface);
  • The network stack is one step closer to completely getting rid of global blocking, which prevents parallelization of operations on multi-core systems. Incoming network packets are now processed in multiple parallel streams. Parallelization is added for carp (4), trunk (4) and vlan (4) interfaces, Ethernet frames processing, ARP and MPLS, BPF filter mapping, Rx and Tx driver queues ix (4), myx (4), em (4), bge (4), bnx (4), vmx (4), gem (4), re (4) and cas (4);
  • New pseudo-device pair for creating connected virtual Ethernet interfaces;
  • New eigrpd routing daemon with Enhanced Interior Gateway Routing Protocol (EIGRP) implementation;
  • Support for authenticated Chacha20-Poly1305 encryption has been added to the IPsec stack for ESP;
  • Support for all locales has been removed, with the exception of UTF-8 and C. Single-byte locales such as ISO-8859-1, CP1251 and KOI-8 are no longer part of the base system. This step is compromising evidence, which made it possible to provide full and high-quality support for universal UTF-8 encoding, at the cost of excluding outdated single-byte encodings. The "C" locale is implemented by emulation via UTF-8. UTF-8 support is added to the calendar (1), colrm (1), cut (1), fmt (1), ls (1), ps (1), rs (1), ul (1), uniq (1), and wc (1) utilities.
  • In libc, a large cleaning was carried out, more than 100 internal and outdated interfaces were removed, NLS (Native language support) support was removed. Local links are used to call internal functions in libc, which led to faster binding;
  • In the kernel address space on i386 systems W^X the default mode is activated in which memory pages cannot be simultaneously available for writing and execution;
  • The inteldrm driver with initial support for the Intel Broadwell GPU and Bay Trail is ported from the Linux 3.14.52 kernel;
  • New drivers: asmc (Apple System Management Controller), pchtemp (temperature sensors (Intel X99, C610, 9. 100), uonerng (Moonbase Otago OneRNG), dwiic (Synopsys DesignWare I2C controller), ikbd, ims and imt (keyboards, mice and touchpads HID-over-i2c), efifb (EFI frame buffer);
  • Support for WiFi 802.11n has been added to iwm and iwn drivers;
  • Updated the version of the mail server OpenSMTPD 5.9.1, which carried out work to strengthen security, added experimental API support for external filters located on ports, provided the installation of the Message-Id header;
  • Updated the implementation of the NTP server OpenNTPD 5.9;
  • Updated OpenSSH 7.2 package, a detailed overview of the improvements can be found here;
  • The LibreSSL 2.3.2 package has been updated, a detailed overview of the improvements can be found in the announcements of releases 2.3.0, 2.3.1 and 2.3.2;
  • The number of ports for the AMD64 architecture was 9295, for i386 - 9290. Of the applications located in the ports, the following are noted:
    • Chromium 48.0.2564.116
    • Emacs 21.4, 24.5
    • GCC 4.9.3
    • GNOME 3.18.2
    • Go 1.5.3
    • JDK 7u80 and 8u72
    • KDE 3.5.10 and 4.14.3
    • LLVM/Clang 3.5 (20140228)

  • * LibreOffice 5.0.4.2
  • * MariaDB 10.0.23

    • Mono 4.2.1.102

  • * Mozilla Firefox 38.6.1esr и 44.0.2
  • Mozilla Thunderbird * 38.6.0

    • Node.js 4.3.0
    • OpenLDAP 2.3.43 и 2.4.43
    • PHP 5.4.45, 5.5.32 and 5.6.18
    • Postfix 3.0.3

  • * PostgreSQL 9.4.6

    • Python 2.7.11, 3.4.4 и 3.5.1
    • R 3.2.3
    • Ruby 1.8.7.374, 2.0.0.648, 2.1.8, 2.2.4 and 2.3.0
    • Rust 1.6.0
    • Sendmail 8.15.2
    • Sudo 1.8.15
    • Tcl/Tk 8.5.18 and 8.6.4
    • Vim 7.4.900
    • Xfce 4.12
    • Third-party components included in OpenBSD 5.9:
    • Xenocara X.Org server 1.17.4 graphics stack with patches, freetype 2.6.2, fontconfig 2.11.1, Mesa 11.0.9, xterm 322, xkeyboard-config 2.17, etc.)
    • Gcc 4.2.1 (with patches) and 3.3.6 (with patches)
    • Perl 5.20.2 (with patches)
    • SQLite 3.9.2 (with patches)
    • NSD 4.1.7
    • Unbound 1.5.7
    • Ncurses 5.7
    • Binutils 2.17 (with patches)
    • Gdb 6.3 (with patches)
    • Awk in the August 10, 2011 version.

Xen support enabled

On January 14, 2016, the OpenBSD developer community announced the connection of Xen hypervisor support to OpenBSD for AMD 64 architecture[8].

The current OpenBSD branch includes components that provide operation as a guest system under the control of a hypervisor. Xen Support Xen is only enabled for the AMD 64 architecture and allows OpenBSD to be used in cloud-based systems Xen without the need for source code resampling.

2015: OpenBSD 5.7 release released

On May 1, 2015, the release of the OpenBSD 5.7 operating system was released. When developing OpenBSD, attention is paid to portability (21 hardware platforms are supported), standardization, correct operation, active security and integrated cryptographic tools. The size of the full installation ISO image of the base system is 208 MB[9].

In addition to the operating system itself, the OpenBSD project is known for its components, which have become widespread in other systems and have proven themselves to be one of the most secure and high-quality solutions. Among them: LibreSSL (OpenSSL fork), OpenSSH, PF packet filter, OpenBGPD and OpenOSPFD routing daemons, OpenNTPD NTP server, OpenSMTPD mail server, text terminal multiplexer (analogue of GNU screen) tmux, identd daemon with implementation of the IDENT Database Application Protocol, GPBBBR protocol


Main additions

  • Security enhancement:
    • The W^X memory protection mode (Write XOR Execute) is applied to the address space of the kernel, in which memory pages cannot be available for both writing and executing code (or writing or executing, but not simultaneously);
    • Removed code to support downloadable kernel and procfs modules;
    • A detailed audit of subsystems was carried out to switch to the use of the system call reallocarray, which allows allocating memory for several objects that differ in size without additional memory cleaning costs, but with the preservation of means to combat integer overflows;
    • Work was carried out to replace select calls with poll;
    • As a first step to minimize the possibility of an attack on the/var partition, the/var/tmp directory is transformed into a symbolic link to/tmp;
    • The memcpy implementation has added protection against overlapping memory areas, if the fact of such overlapping is detected, then the program is forcibly terminated with a corresponding warning in syslog. If you want to overlap areas, use memmove;
    • Calls rand, random, drand48, lrand48, mrand48 and srand48 have been converted to using the arc4random generator. To obtain deterministic random numbers, new functions srand_deterministic, srandom_deterministic, seed48_deterministic and lcong48_deterministic have been introduced;
    • When returning from sleep and standby modes, when waking up virtual machines, various methods are used to reset the random number generator;
    • All architectures are converted to static PIE format, i.e. all statically assembled executables in/bin and/sbin now contain randomly located "text" segments;
    • Kernel code and ssh for working with AES is synchronized with code from OpenSSL/LibreSSL.

The passwd utility has discontinued support for all hashing methods except blowfish;

    • In the random number generator and when generating sequence start numbers in TCP, instead of MD5, the SHA512 is involved;

  • Added xhci driver to support XHCI (eXtensible Host Controller Interface) compliant USB 3.0 devices. Significantly expanded support for network devices, including the new iwm driver for Intel 7260, 7265 and 3160 wireless cards;
  • To manage background processes and system services, a new rcctl utility is presented;
  • nginx and sendmail have been removed from the base system, instead of which an in-house http server and OpenSMTPD are offered. Support for the BIND DNS server has been discontinued, instead of which it is recommended to use nsd and unbound. Nginx, bind and sendmail can be installed from ports.
  • Improvements in the network stack: Most IP address operations are translated into routing tables, replacing RB trees and IPv4 address lists. The SipHash algorithm is used for hashing in the PF packet filter, network bridges, trunk interfaces and PCB. Configuring CARP now requires explicitly creating a parent carpdev interface. The mbuf layer is spared global blocking and recognized as mpsafe. New mbuf_list and mbuf_queue structures are presented, as well as APIs for working with them;
  • Improvements in the installer: Sets etc and xetc, including the rc and rc.conf files, are no longer supplied separately, but are included in the base and xbase sets. The definition of a file with an automated installation script has been improved if there is a/ auto_install.conf file or/ auto_upgrade.conf installer now immediately starts automatic mode.
  • Syslogd and inetd systems are translated from select to libevent. Syslogd has added support for sending and receiving messages over UDP, TCP and TLS, despite the fact that TCP and TLS have implemented means of automatic connection recovery after a link break;
  • Tftp removed the limit on the size of received and sent files, which previously could not exceed 65536 bytes;
  • In the implementation of a number of libc functions for the amd64 architecture, fast assembler optimizations are involved;
  • Enhanced the capabilities of the http server from the OpenBSD project. SSLv2/3 support has been discontinued, ECDHE/DHE support in TLS has been improved. It is easier to create virtual hosts based on the definition of aliases by IP and host names. Added support for basic authentication, defining their return codes, redirection and macros for URLs. Added the "root strip" option to clear the start of the path for CGI scripts. It is possible to create a log in a directory other than/var/www/logs. The implementation of FastCGI has been brought to compatibility with many well-known web applications.

  • The new version of the OpenSMTPD mail server has discontinued SSLv3 support, added support for new message and header parsers, added the append-domain option, and provided the ability to send messages to a local user without defining a domain.
  • Updated OpenSSH 6.8 package, a detailed overview of the improvements can be found here;
  • The LibreSSL 2.1.5 package has been updated, a detailed overview of the improvements can be found in the announcements of issues 2.1.0, 2.1.2, 2.1.4 and 2.1.5.

  • The number of ports exceeded 9,000 (six months ago it was 8,800). Of the applications located in the ports, the following are noted:
    • Chromium 40.0.2214.115
    • Emacs 21.4 and 24.4
    • GCC 4.8.4 and 4.9.2
    • GHC 7.8.4
    • GNOME 3.14.2
    • Go 1.4.1
    • Groff 1.22.3
    • JDK 1.7.0.71
    • KDE 3.5.10 and 4.14.3
    • LLVM/Clang 3.5 (20140228)

  • * LibreOffice 4.3.5.2

    • MariaDB 10.0.16
    • Mono 3.12.0

  • * Mozilla Firefox 31.4.0esr и 35.0.1
  • * Mozilla Thunderbird 31.4.0

    • Node.js 0.10.35
    • OpenLDAP 2.3.43 и 2.4.40
    • PHP 5.3.29, 5.4.38, 5.5.22 and 5.6.5
    • Postfix 2.11.4

  • * PostgreSQL 9.4.1

    • Python 2.7.9 и 3.4.2
    • R 3.1.2
    • Ruby 1.8.7.374, 1.9.3.551, 2.0.0.598, 2.1.5 and 2.2.0
    • Sendmail 8.15.1
    • Tcl/Tk 8.5.16 and 8.6.2
    • TeX Live 2013
    • Vim 7.4.475
    • Xfce 4.10

Third-party components included in OpenBSD 5.7:

    • Xenocara based on X.Org 7.7 with xserver 1.16.4 + patches, freetype 2.5.5, fontconfig 2.11.1, Mesa 10.2.9, xterm 314, xkeyboard-config 2.13;
    • GCC 4.2.1 (with patches) and 3.3.6 (with patches);
    • Perl 5.20.1 (with patches)
    • SQLite 3.8.6 (with patches)
    • Unbound 1.5.2
    • NSD 4.1.1
    • Sudo 1.7.2p8
    • Ncurses 5.7
    • Binutils 2.15 (with patches)
    • Gdb 6.3 (with patches)
    • Less 458 (with patches)
    • Awk in the August 10, 2011 version.

2011: OpenBSD 5.0

On November 1, 2011, version 5.0 operating system of OpenBSD was released, positioned as the safest operating system among existing operating systems. The new version of the system added: support for over 4 GB of RAM in all possible architectures; ACPI driver for acpitoshiba laptops Toshiba (4); fw_update utility (1) for installing and updating closed firmware, which is running, including when the installed system is first started; Wake on LAN support by the system network infrastructure and xl (4), re (4) and vr (4) drivers; full support for the so-called Disklabel Unique Identifiers (DUID), which allows you to access partitions without specifying device names.

The base system includes the previously released OpenSSH 5.9 (open secure shell - a set of programs that provide encryption of communication sessions over computer networks using the SSH protocol). As before, amd64, i386, macppc and sparc64 architectures support booting and installing the OS from CD. More than 7200 ports have been prepared for the system, including KDE 3.5.10, Gnome 2.32.2, Xfce 4.8.0, LibreOffice 3.4.1.3, Chromium 12.0.742.122, etc. The supplied Xorg build called Xenocara is based on X.Org 7.6 (xserver 1.9 with patches, freetype 2.4.5, fontconfig 2.8.0, Mesa 7.8.2, xterm 270, xkeyboard-config 2.3, etc.). The system is available for download on official mirrors, including Russian.

Notes