Kenneth R Westerback | 25 Feb 18:19 2015

OpenBSD Foundation 2014/2015 News & Fund Raising


2014 was the most successful year to date for the OpenBSD Foundation,
both in the amount of money we raised and in the support we provided
for the OpenBSD and related projects. We are extremely grateful for
the support shown by our contributors large and small.

A detailed summary of the Foundation's activities in 2014 can be seen at

http://www.openbsdfoundation.org/activities.html

But here are some high points.

We received $397,000 in new donations and paid out $129,000 to support the
activities of the OpenBSD and related projects.

Some of the things the $129,000 made happen were higher speed network
links to the project's machine room; new servers, UPSs, network
switches, serial consoles and network monitoring equipment for the
machine room; development machines for several developers; participation
in GSOC 2014; and hackathons in Ljubljana, Dunedin, Berlin, and
Marrakesh.

As you can see, 2014 was a very good year for the Foundation. This
can be attributed to a number of unique events. A very public
financial crisis at the start of the year generated extensive
community support, and the releases of LibreSSL generated significant
interest and support.

But it is important for us not to rely on one time events for our
success.
(Continue reading)

Brent Cook | 28 Jan 15:32 2015

OpenNTPD 5.7p3 released

OpenNTPD 5.7p3 has just been released. It will be available from the mirrors
listed at http://www.openntpd.org/ shortly.

OpenNTPD is a FREE, secure, and easy to use implementation of the Network Time
Protocol. It provides the ability to sync the local clock to remote NTP servers
and can act as NTP server itself, redistributing the local clock.

Because it uses isolated, unprivileged processes for DNS and NTP operations,
OpenNTPD is especially well-hardened against bugs such as CVE-2015-0235.

Changes since OpenNTPD 5.7p2
============================
 * Fixed issue resolving hostnames when the network is initially unavailable.
 * Fixed process name logging on Linux and OS X.
 * Fixed adjfreq failures on Solaris due to uninitialized struct timex.
 * Support building on Linux musl libc.
 * Default suggested privilege separation directory changed from /var/empty/ntp
   to /var/empty. This directory may be in a different location, depending on
   your operating system's packaging scheme. Please ensure that the ntp
   user's home directory is empty, owned by root, and has no write privileges
   for other users.

Changes since OpenNTPD 5.7p1
============================
 * Switched the drift file from an unscaled frequency offset to ppm.
   The latter format is compatible with the NTP daemon from ntp.org.
   No forward migration steps are necessary.
 * Fixed a memory leak in DNS handler.
 * Added support for setting the process title on Linux and OS X.
 * Added NetBSD support.
(Continue reading)

Brent Cook | 22 Jan 02:26 2015

LibreSSL 2.1.3 released

We have released LibreSSL 2.1.3, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release enhances security, OS and software compatibility,
including:

* Fixes for various memory leaks in DTLS, including those for
  CVE-2015-0206.

* Application-Layer Protocol Negotiation (ALPN) support.

* Simplified and refactored SSL/DTLS handshake code.

* SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

* Earlier libtls support for non-blocking sockets and randomized
  session ID contexts. Work is ongoing with this library - feedback
  and potential use-cases are welcome.

* Support building Windows DLLs.  Thanks to Jan Engelhard.

* Packaged config wrapper for better compatibility with OpenSSL-based
  build systems.  Thanks to @technion from GitHub.

* Ensure the stack is marked non-executable for assembly sections.
  Thanks to Anthony G. Basile.

* Extra compiler hardening flags are enabled by default where
  applicable.  Thanks to Jim Barlow.

(Continue reading)

Alexander Bluhm | 13 Jan 22:02 2015

libevent errata

Patches are now available for 5.5 and 5.6 which fix libevent.

5.5 errata 20 and 5.6 errata 15:
Fix CVE-2014-6272 in libevent 1.4 event buffer handling.  OpenBSD
base uses it for the programs: cu tmux ftp-proxy httpd ldapd relayd
tftp-proxy tftpd

Links:

http://www.openbsd.org/errata55.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/020_libevent.patch.sig

and

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/015_libevent.patch.sig

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhpu5mEMdLuZ056ynwx+qvxaVbodk7LsWqC0UCch3P2Ll0uGzfyJl/FSN9KH7tQgwwjbPwyss35EQNAlUAULiYgU=

OpenBSD 5.6 errata 15, Jan 8, 2015

Fix CVE-2014-6272 in libevent 1.4 event buffer handling.  OpenBSD
base uses it for the programs: cu tmux ftp-proxy httpd ldapd relayd
tftp-proxy tftpd

A defect in the Libevent evbuffer API leaves some programs that
pass insanely large inputs to evbuffers open to a possible heap
overflow or infinite loop.

(Continue reading)

Brent Cook | 8 Jan 15:51 2015

OpenNTPD 5.7p1 Released

OpenNTPD 5.7p1 has just been released. It will be available from the mirrors
listed at http://www.openntpd.org/ shortly.

OpenNTPD is a FREE, secure, and easy to use implementation of the Network Time
Protocol. It provides the ability to sync the local clock to remote NTP servers
and can act as NTP server itself, redistributing the local clock.

Changes since OpenNTPD 3.9p1
===========================

After a long hiatus, the latest version of OpenNTPD is available once again in
a portable release.

 * Support for a new build infrastructure based on the LibreSSL framework.
   Source code is integrated directly from the OpenBSD tree with few manual
   changes, easing maintenance.
 * Removed support for several OSes pending test reports and updated
   portability code.
 * Supports the Simple Network Time Protocol version 4 as described in RFC 5905.
 * Added route virtualization (rdomain) support.
 * Added ntpctl(8), which allows for querying ntpd(8) at runtime.
 * Finer-grained clock adjustment via adjfreq / ntp_adjtime where available.
 * Improved latency on heavily-loaded machines.

For detailed changes, see either the OpenBSD CVS repository:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/

or the GitHub mirror:

(Continue reading)

Ted Unangst | 10 Dec 21:36 2014

three December 10 errata

Three new errata to announce.

Malicious DNS servers could cause a denial of service with an endless
series of delegations. This affects named (BIND) and unbound. There is
a patch for unbound in 5.6. (unbound wasn't built in 5.5.) We don't have
patches for BIND at this time.

Missing memory barriers (and other bugs) made virtio devices unreliable.
Patches available for 5.5 and 5.6.

Lots and lots of security bugs in the X server have finally been fixed.
http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
Patches are available for 5.5 and 5.6.

For 5.6: http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/012_unbound.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/013_virtio.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/014_xserver.patch.sig

For 5.5: http://www.openbsd.org/errata55.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/018_virtio.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/019_xserver.patch.sig

Brent Cook | 9 Dec 02:43 2014

LibreSSL 2.1.2 released

We have released LibreSSL 2.1.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release greatly improves performance, interoperability and portability,
while continuing to be easy to build and integrate into your software projects.

This release includes:

 * Two important cipher suites, GOST and Camellia, have been reworked or
   reenabled, providing better interoperability with systems around the world.

 * A preview version of the libtls library, a modern and simplified interface
   for secure client and server communications, is now packaged and can be
   built optionally for testing. Feedback welcome.

 * Initial support for Microsoft Windows 32-bit and 64-bit flavors
   has been added for mingw-w64 targets. This can be used to generate native
   libraries that are usable in other Windows development environments as
   well.

 * Assembly acceleration of various algorithms for ELF (Linux, BSD, Solaris)
   and OS X systems are enabled for x86_64 CPUs. More optimizations may be
   enabled in later releases. These optimizations are disabled with the
   --disable-asm configure flag.

 * The arc4random_buf(3) calls on FreeBSD and OS X are now replaced with
   the OpenBSD versions. This fixes current problems with seeding and fork
   safety until these OSes' built-in implementations can be improved.
   See these code commits for details:

(Continue reading)

Ted Unangst | 5 Dec 04:15 2014

two new kernel errata

Patches are now available for 5.5 and 5.6 which fix two kernel errata.

5.5 errata 16 and 5.6 errata 10:
Several bugs were fixed that allowed a crash from remote when an active
pipex session exists.

5.5 errata 17 and 5.6 errata 11:
An incorrect memcpy call would result in corrupted MAC addresses when
using PPPOE.

Users who don't use PPPOE or PIPEX are not affected, but can
still apply the patches.

Links:

http://www.openbsd.org/errata55.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/016_pipex.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/017_pppoe.patch.sig

and

http://www.openbsd.org/errata56.html
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/010_pipex.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/011_pppoe.patch.sig

Reyk Floeter | 19 Nov 20:59 2014

httpd errata

Many people want to test the new httpd in OpenBSD 5.6; so we decided
to provide various improvements from -current for 5.6.
See the description below for more details.


untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhn3Gnfk2/2x+xII6do92zreKp/t5zOwfkVgsQAI4ZCPkWAazbbnWNV7Ptkle876f/kb6C2KuvnTqvwUItsyvogA=

OpenBSD 5.6 errata 9, Nov 18, 2014:  httpd was developed very rapidly
in the weeks before 5.6 release, and it has a few flaws.  It would be
nice to get these flaws fully remediated before the next release, and
that requires the community to want to use it.  Therefore here is a
"jumbo" patch that brings in the most important fixes.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 009_httpd.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install httpd:

    cd /usr/src/usr.sbin/httpd
    make obj
    make
    make install

Index: usr.sbin/httpd/config.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.21
(Continue reading)

Ted Unangst | 17 Nov 21:20 2014

gethostbyname errata

Due to a bug in the libc asr resolver, querying an invalid hostname can
cause a crash. Patches are available for 5.5 and 5.6.

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhl31oIXbJYtUWXNHHNzHGhJ+v2XZAAlwH5TwYDkTp2NHqjhnrJayp37glapQejDsm/LDGm1M5bnpkmHh7FGNGQ4=

OpenBSD 5.6 errata 8, Nov 17, 2014:  Querying an invalid hostname with
gethostbyname(3) could cause a NULL deref.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 008_asr.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install libc

    cd /usr/src/lib/libc
    make obj
    make depend
    make
    make install

Also recompile any statically-linked binaries:

    cd /usr/src/bin
    make obj
    make depend
    make
    make install

(Continue reading)

Stuart Henderson | 17 Nov 21:16 2014

pfctl errata Nov 17

Patches are now available for 5.5 and 5.6 to fix an issue with pfctl
and certain rules combining IPv4 and IPv6 addresses (in that order) with
a dynamic interface address using the "(interface)" format. The patch
for 5.6 follows.

This problem can be worked around by reversing the order of addresses
(listing IPv6 first, then IPv4).

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhlxzEl3gBOqqoVrDRpZgSYhTqFK031hbFJ9tX84ZYqS72CcubFWty11KDc7YCvei+VSQu1PdYPo/MU/nReUdBQU=

OpenBSD 5.6 errata 7, Nov 17, 2014:  A PF rule using an IPv4 address
followed by an IPv6 address and then a dynamic address, e.g. "pass
from {192.0.2.1 2001:db8::1} to (pppoe0)", will have an incorrect /32
mask applied to the dynamic address.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 007.pfctl.patch.sig \
        -m - | (cd /usr/src && patch -p0)

Then build and install pfctl:

    cd /usr/src/sbin/pfctl
    make obj
    make
    make install

Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
(Continue reading)