OpenBSD 3.4 Released

The OpenBSD folks are pleased to announce the official release of OpenBSD 3.4. This is their 14th release on CD-ROM (and 15th via FTP). They remain proud of OpenBSD’s record of seven years with only a single remote hole in the default install. As with previous releases, 3.4 provides significant improvements, including new features, in nearly all areas of the system:

– Ever-improving security            (http://www.OpenBSD.org/security.html)

  o W^X (pronounced: “W xor X”) improvements, especially on the i386

    architecture.  Native i386 binaries have their executable segments

    rearranged to support isolating code from data, and the cpu CS limit

    is used to impose a best effort limit on code execution. 
  o ld.so on ELF platforms now loads libraries in a randomized order.

    Furthermore, on the i386 architecture, libraries and executable code

    are mapped at random addresses.  Together with W^X and ProPolice, these

    changes increase the difficulty of successfully exploiting an

    application error.
  o A static bounds checker has been added to the system compiler, designed

    to detect improper use of string and buffer manipulation functions.

    Through use of this checker, hundreds of bugs of in the source and

    ports trees were found and fixed.
  o Privilege separation has been implemented for the syslog daemon, making

    it much more robust against future errors. The child which listens to

    network traffic now runs as a normal user and chroots itself, while

    the parent process tracks the state of the child and performs privileged

    operations on its behalf.
  o Thousands of occurrences of unsafe library calls such as strcpy(),

    strcat() and sprintf() have been changed to the safer alternatives

    strlcpy(), strlcat(), and snprintf() or asprintf() in one of the most

    intensive audits yet performed by the OpenBSD project.  The kernel is

    now completely free of these functions, as is most of the userland

    source tree.
  o Many improvements and bug fixes in the ProPolice stack protector.

    Several other code generation bugs for RISC architectures were also

    found and fixed.
  o The kernel is now also compiled with the ProPolice stack protector.
  o Privilege separation has been implemented in the X server.

    The privileged child process is responsible for the operations that

    cannot be done after the main process has switched to a non-privileged

    user.  This greatly reduces the potential damage that could be caused

    by malicious X clients, in case of bugs in the X server.
  o Emulation support for binary compatibility is now controlled via

    sysctl.  Emulation is now disabled by default to limit exposure to

    malicious binaries, and can be enabled in sysctl.conf(5). 
  o The ports tree now supports building programs with systrace(1),

    reducing the risk of harm at compile time via trojaned configure

    scripts.
– Improved hardware support             (http://www.OpenBSD.org/plat.html)
  o Support for AES instruction on just released VIA C3 processors,

    capable of 1.6Gbit/s AES128-CBC in openssl(1) speed tests.
  o Kauai ATA controllers (Apple ATA100 wdc) enabling support for

    Powerbook 12″ and 17″ models.
  o Support for controlling LongRun registers on Transmeta CPUs.
  o Many fixes to aac(4), ahc(4), osiop(4), siop(4) SCSI drivers.
  o New it(4), lm(4) and viaenv(4) hardware monitor drivers.
  o New safe(4) driver for SafeNet crypto accelerators.
  o New mtd(4) driver for Myson Technologies network cards.
  o More ethernet cards supported by sk(4), wi(4), fxp(4), and dc(4).
  o Massive overhaul and sync with NetBSD of the entire usb(4) system.
  o New and better support for various controllers in pciide(4), including

    experimental support for Serial ATA controllers.
  o New drivers to support mgx(4) and pninek(4) SPARC framebuffers.

    The vigra(4) driver also supports more models.
  o pcmcia(4) support for Tadpole SPARCBooks and SPARCs with pcmcia-sbus

    bridges. 
– Major improvements in the pf packet filter, including:
  o Packet tagging (e.g. filter on tags added by bridge based on MAC address)
  o Stateful TCP normalization (prevent uptime calculation and NAT detection)
  o Passive OS detection (filter or redirect connections based on source OS)
  o SYN proxy (protect servers against SYN flood attacks)
  o Adaptive state timeouts (prevent state table overflows under attack)
– New features and significant bug-fixes included with 3.4
  o Symbol caching in ld.so reducing the start up time of large applications.
  o More licenses fixes, including the removal of the advertising clause

    for large parts of the source tree.
  o Replacement of GNU diff/diff3, grep/egrep/fgrep/zgrep/zegrep/zfgrep,

    and gzip/zcat/gunzip/gzcat/zcmp/zmore/zdiff/zforce/gzexe/znew with BSD

    licensed equivalents.
  o Addition of read-only support for NTFS file systems.
  o Reliability improvements to layered file systems, enabling NULLFS

    to work again.
  o Import of growfs(8) utility, allowing expansion of existing file systems.
  o Improvements to the Linux emulator enabling more applications to run

    with greater stability.
  o Significant improvements to the pthread library.
  o Replace many static fd_set uses, to instead use poll(2) or dynamic

    allocation.
  o ANSIfication and stricter prototypes for a large portion of the source tree.
  o Legacy KerberosIV support has been removed, and the remaining KerberosV

    codebase has been restructured for easier management.
  o USER_LDT option now controllable via sysctl.
  o Many, many man page improvements.
– The “ports” tree is greatly improved  (http://www.OpenBSD.org/ports.html)
  o The 3.4 CD-ROMs ship with many pre-built packages for the common

    architectures.  The FTP site contains hundreds more packages

    (for the important architectures) which we could not fit onto

    the CD-ROMs (or which had prohibitive licenses).
– The system includes the following major components from outside suppliers:
  o XFree86 4.3.0 (+ patches).
  o gcc 2.95.3 (+ patches and ProPolice).
  o Perl 5.8.0 (+ patches).
  o Apache 1.3.28 and mod_ssl 2.8.15, DSO support (+ patches).
  o OpenSSL 0.9.7b (+ patches).
  o Groff 1.15.
  o Sendmail 8.12.9.
  o Bind 9.2.2 (+ patches).
  o Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
  o Sudo 1.6.7p5.
  o Ncurses 5.2.
  o KAME-stable IPv6.
  o Heimdal 0.6rc1 (+ patches)
  o Arla-current
  o OpenSSH 3.7.1
If you’d like to see a list of what has changed between OpenBSD 3.3

and 3.4, look at
        http://www.OpenBSD.org/plus34.html
Even though the list is a summary of the most important changes

made to OpenBSD, it still is a very very long list.
————————————————————————

– SECURITY AND ERRATA ————————————————–
We provide patches for known security threats and other important

issues discovered after each CD release.  As usual, between the

creation of the OpenBSD 3.4 FTP/CD-ROM binaries and the actual 3.4

release date, our team found and fixed some new reliability problems

(note: most are minor, and in subsystems that are not enabled by

default).  Our continued research into security means we will find

new security problems — and we always provide patches as soon as

possible.  Therefore, we advise regular visits to
        http://www.OpenBSD.org/security.html

and

http://www.OpenBSD.org/errata.html
Security patch announcements are sent to the [email protected]

mailing list.  For information on OpenBSD mailing lists, please see:
http://www.OpenBSD.org/mail.html
————————————————————————

– CD-ROM SALES ———————————————————-
OpenBSD 3.4 is also available on CD-ROM.  The 3-CD set costs $40USD

(EUR 45) and is available via mail order and from a number of

contacts around the world.  The set includes a colorful booklet

which carefully explains the installation of OpenBSD.  A new set

of cute little stickers are also included (sorry, but our FTP mirror

sites do not support STP, the Sticker Transfer Protocol).  As an

added bonus, the second CD contains an exclusive audio track,

“The Legend of Puffy Hood.”  Lyrics for the song may be found at:

    http://www.OpenBSD.org/lyrics.html#34
Profits from CD sales are the primary income source for the OpenBSD

project — in essence selling these CD-ROM units ensures that OpenBSD

will continue to make another release six months from now.
The OpenBSD 3.4 CD-ROMs are bootable on the following four platforms:

  o i386

  o macppc

  o sparc

  o sparc64 (UltraSPARC)
(Other platforms must boot from floppy, network, or other method).
For more information on ordering CD-ROMs, see:
        http://www.OpenBSD.org/orders.html
The above web page lists a number of places where OpenBSD CD-ROMs

can be purchased from.  For our default mail order, go directly to:
        https://https.OpenBSD.org/cgi-bin/order
or, for European orders:
https://https.OpenBSD.org/cgi-bin/order.eu
All of our developers strongly urge you to buy a CD-ROM and support

our future efforts.  Additionally, donations to the project are highly

appreciated, as described in more detail at:
        http://www.OpenBSD.org/goals.html#funding
————————————————————————

– T-SHIRT SALES ——————————————————–
The project continues to expand its funding base by selling t-shirts

and polo shirts.  And our users like them too.  We have a variety

of shirts available, with the new and old designs, from our web

ordering system at:
        https://https.OpenBSD.org/cgi-bin/order
and for Europe:
https://https.OpenBSD.org/cgi-bin/order.eu
The OpenBSD 3.4 and OpenSSH t-shirts are available now!
————————————————————————

– FTP INSTALLS ———————————————————
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily

installed via FTP.  Typically you need a single small piece of boot

media (e.g., a boot floppy) and then the rest of the files can be

installed from a number of locations, including directly off the

Internet.  Follow this simple set of instructions to ensure that

you find all of the documentation you will need while performing

an install via FTP.  With the CD-ROMs, the necessary documentation

is easier to find.
1) Read either of the following two files for a list of ftp

   mirrors which provide OpenBSD, then choose one near you:
        http://www.OpenBSD.org/ftp.html

        ftp://ftp.OpenBSD.org/pub/OpenBSD/3.4/ftplist
   As of Nov 1, 2003, the following ftp sites have the 3.4 release:
ftp://ftp.ca.openbsd.org/pub/OpenBSD/3.4/ Alberta, Canada

(above is master site, please USE A MIRROR below)

ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.4/ Boulder, CO, USA

ftp://ftp7.usa.openbsd.org/pub/os/OpenBSD/3.4/ West Lafayette, IN, USA

ftp://openbsd.wiretapped.net/pub/OpenBSD/3.4/ Sydney, Australia

ftp://ftp.kd85.com/pub/OpenBSD/3.4/ Lovendegem, Belgium

ftp://ftp.calyx.nl/pub/OpenBSD/3.4/ Amsterdam, Netherlands

ftp://ftp.se.openbsd.org/pub/OpenBSD/3.4/ Stockholm, Sweden

ftp://ftp.linux.org.tr/pub/OpenBSD/3.4/ Turkey
   Other mirrors will take a day or two to update.
2) Connect to that ftp mirror site and go into the directory

   pub/OpenBSD/3.4/ which contains these files and directories.

   This is a list of what you will see:
ANNOUNCEMENT   XF4.tar.gz     mac68k/        sparc/

Changelogs/    alpha/         macppc/        sparc64/

HARDWARE       ftplist        mvme68k/       src.tar.gz

PACKAGES       hp300/         packages/      sys.tar.gz

PORTS          hppa/          ports.tar.gz   tools/

README         i386/          root.mail      vax/
   It is quite likely that you will want at LEAST the following

   files which apply to all the architectures OpenBSD supports.
        README          – generic README

        HARDWARE        – list of hardware we support

        PORTS           – description of our “ports” tree

        PACKAGES        – description of pre-compiled packages

        root.mail       – a copy of root’s mail at initial login.

  (This is really worthwhile reading).
3) Read the README file.  It is short, and a quick read will make

   sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,

   for example, i386.  This is a list of what you will see:
CKSUM          INSTALL.os2br  cdrom34.fs     index.txt

INSTALL.ata    INSTALL.pt     comp34.tgz     man34.tgz

INSTALL.chs    MD5            etc34.tgz      misc34.tgz

INSTALL.dbr    base34.tgz     floppy34.fs    xbase34.tgz

INSTALL.i386   bsd            floppyB34.fs   xfont34.tgz

INSTALL.linux  bsd.rd         floppyC34.fs   xserv34.tgz

INSTALL.mbr    cd34.iso       game34.tgz     xshare34.tgz
   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386

   and the appropriate floppy*.fs or cd34.iso file.  Consult the

   INSTALL.i386 file if you don’t know which of the floppy images

   you need (or simply fetch all of them).
5) If you are an expert, follow the instructions in the file called

   README; otherwise, use the more complete instructions in the

   file called INSTALL.i386.  INSTALL.i386 may tell you that you

   need to fetch other files.
6) Just in case, take a peek at:
        http://www.OpenBSD.org/errata.html
   This is the page where we talk about the mistakes we made while

   creating the 3.4 release, or the significant bugs we fixed

   post-release which we think our users should have fixes for.

   Patches and workarounds are clearly described there.
Note: If you end up needing to write a raw floppy using Windows,

      you can use “fdimage.exe” located in the pub/OpenBSD/3.4/tools

      directory to do so.
————————————————————————

– XFree86 FOR MOST ARCHITECTURES —————————————
XFree86 has been integrated more closely into the system.  This

release contains XFree86 4.3.0.  Most of our architectures ship

with XFree86, including sparc, sparc64 and macppc.  During installation,

you can install XFree86 quite easily.  Be sure to try out xdm(1)

and see how we have customized it for OpenBSD.
On the i386 platform a few older X servers are included from XFree86

3.3.6.  These can be used for cards that are not supported by XFree86

4.3.0 or where XFree86 4.3.0 support is buggy.  Please read the

/usr/X11R6/README file for post-installation information.
————————————————————————

– PORTS TREE ———————————————————–
The OpenBSD ports tree contains automated instructions for building

third party software.  The software has been verified to build and

run on the various OpenBSD architectures.  The 3.4 ports collection,

including many of the distribution files, is included on the 3-CD

set.  Please see the PORTS file for more information.
Note: some of the most popular ports, e.g., the Apache web server

and several X applications, come standard with OpenBSD.  Also, many

popular ports have been pre-compiled for those who do not desire

to build their own binaries (see BINARY PACKAGES, below).
————————————————————————

– BINARY PACKAGES WE PROVIDE ——————————————-
A large number of binary packages are provided.  Please see the PACKAGES

file (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.4/PACKAGES) for more details.
————————————————————————

– SYSTEM SOURCE CODE —————————————————
The CD-ROMs contain source code for all the subsystems explained

above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.4/README)

file explains how to deal with these source files.  For those who

are doing an FTP install, the source code for all four subsystems

can be found in the pub/OpenBSD/3.4/ directory:
        XF4.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz
————————————————————————

– THANKS —————————————————————
OpenBSD 3.4 includes artwork and CD artistic layout by Ty Semaka,

who also wrote the lyrics and arranged an audio track on the OpenBSD

3.4 CD set.  Ports tree and package building by Christian Weisgerber

and Peter Valchev.  System builds by Theo de Raadt, Henning Brauer,

and Michael Shalayeff.  ISO-9660 filesystem layout by Theo de Raadt.
We would like to thank all of the people who sent in bug reports, bug

fixes, donation cheques, and hardware that we use.  We would also like

to thank those who pre-ordered the 3.4 CD-ROM or bought our previous

CD-ROMs.  Those who did not support us financially have still helped

us with our goal of improving the quality of the software.
Our developers are:
    Aaron Campbell, Alexander Yurchenko, Andreas Gunnarsson,

    Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,

    Ben Lindstrom, Bjorn Sandell, Bob Beck, Brad Smith, Brandon Creighton,

    Brian Caswell, Brian Somers, Bruno Rohee, Camiel Dobbelaar,

    Can Erkin Acar, Cedric Berger, Chad Loder, Chris Cappuccio,

    Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn,

    Damien Couderc, Damien Miller, Dan Harnett, Daniel Hartmeier,

    David B Terrell, David Krause, David Lebel, David Leonard, Dug Song,

    Eric Jackson, Federico G. Schwindt, Grigoriy Orlov, Hakan Olsson,

    Hans Insulander, Heikki Korpela, Henning Brauer, Henric Jungheim,

    Hiroaki Etoh, Horacio Menezo Ganau, Hugh Graham, Ian Darwin,

    Jakob Schlyter, Jan-Uwe Finck, Jason Ish, Jason McIntyre, Jason Peel,

    Jason Wright, Jean-Baptiste Marchand, Jean-Francois Brousseau,

    Jean-Jacques Bernard-Gundol, Jim Rees, Jolan Luff, Jose Nazario,

    Joshua Stein, Jun-ichiro itojun Hagino, Kenjiro Cho,

    Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,

    Louis Bertrand, Magnus Holmberg, Marc Espie, Marc Matteo, Marco S Hyman,

    Marcus Watts, Margarida Sequeira, Mark Grimes, Markus Friedl,

    Mats O Jansson, Matt Behrens, Matt Smart, Matthew Jacob, Matthieu Herrb,

    Michael Shalayeff, Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin,

    Miod Vallat, Nathan Binkert, Nick Holland, Niels Provos, Niklas Hallqvist,

    Nikolay Sturm, Nils Nordman, Oleg Safiullin, Otto Moerbeek, Paul Janzen,

    Peter Galbavy, Peter Stromberg, Peter Valchev, Philipp Buehler,

    Reinhard J. Sammer, Rich Cannings, Ryan Thomas McBride,

    Shell Hin-lik Hung, Steve Murphree, Ted Unangst, Theo de Raadt,

    Thierry Deval, Thomas Nordin, Thorsten Lockert, Tobias Weingartner,

    Todd C. Miller, Todd T. Fries, Vincent Labrecque, Wilbern Cobb,

    Wim Vandeputte.