Release 3.5
 

OpenBSD 3.5 was released on May 1.
Announcement and information here:
http://www.openbsd.org/35.html
http://www.openbsd.org

From their site:

What's New

This is a partial list of new features and systems included in OpenBSD 3.5. For a comprehensive list, see the changelog leading to 3.5.

* New platforms:
o OpenBSD/amd64
Supporting the AMD64 architecture natively, with full 64-bit support, 8 extra registers in the architecture to significantly increase performance, and a memory management Non-Executable bit that permits full W^X support.
(Note: The upcoming Intel "ia32e" AMD64-compatible cpus have also been tested, and work, even though they lack the NX bit).
o OpenBSD/cats
Our first entry in the ARM-cpu landscape. We intend to use this as a development platform for something else we plan for the future...
o OpenBSD/mvme88k
Supporting an older, but very cool cpu architecture, perhaps the most pure RISC cpu ever.

* Replacement of the GNU bc(1), dc(1), nm(1) and size(1) commands with BSD licensed equivalents.

* A large number of bug fixes, changes, and optimizations to our packet filter pf(4) including:
o Atomic commits of ruleset changes (reduce the chance of ending up in an inconsistent state).
o A 30% reduction in the size of state table entries.
o Source-tracking (limit number of clients and states per client).
o Sticky-address (the flexibility of round-robin with the benefits of source-hash).
o Invert the socket match order when redirecting to localhost (prevents the potential security problem of remote connections being identified as local).
o Significant improvements to interface handling.

* New tools for filtering gateway failover:
o CARP (the Common Address Redundancy Protocol) carp(4) allows multiple machines to share responsibility for a given IP address or addresses. If the owner of the address fails, another member of the group will take over for it. A discussion of the history of CARP can be found here.
o Additions to the pfsync(4) interface allow it to synchronise state table entries between two or more firewalls which are operating in parallel, allowing stateful connections to cross any of the firewalls regardless of where the state was initially created.

* New functionality:
o pty(4) devices are now allocated on demand, up to a configurable limit.
o New ptm device (see pty(4)) that allows non-privileged processes to allocate a properly-permissioned pty.
As a result any process can now open a pty easily, meaning xterm(1) and xconsole(1) are no longer setuid root. (In 3.4 they were setuid root, but privilege revoking).
o The closefrom(2) system call has been added.
o TCP MD5 signatures (used by nc(1) and bgpd(8)).
o Network boot support for i386 and amd64, using pxeboot(8).
o The i386 8GB boot loader limitation has been removed.
o spamd(8) gains greylisting support. This allows greylisting (a very powerful spam reduction technique) to be done on a firewall for many mail hosts, no matter what MTA is being used.
o Interface 'cloning', accessed by ifconfig(8) commands create and destroy. E.g. `ifconfig vlan100 create'.
o ifconfig(8) can now be used with a generic interface name, for listing all such configured interfaces. E.g. `ifconfig carp'.
o The MAKEDEV(8) manual pages are now generated, and hence, accurate.
o Complete rewrite of package tools in perl.
o syslogd(8) now supports logging to memory buffers, to be read using syslogc(8). This is useful for diskless or flash-based computers.
o IPsec ESP in UDP encapsulation.
o malloc(3) chunk randomization and guard pages. This helps to detect out-of-bounds reads and writes.
o authpf(8) now tags traffic in pflog(4) so that users may be associated with traffic through a NAT setup.
o hw.setperf sysctl allows controlling the speed of many new i386 cpus, great for prolonged battery life.
o XFS has been added to the GENERIC kernels so that afsd(8) may be started easily, eliminating the need to recompile the kernel to use AFS.
AFS can now be used anonymously by enabling it in rc.conf(8) with no further configuration.
o The ps, top and w utilities no longer break when changes are made in kernel structures.
o A poll interface has been added to the rpc routines in the standard C library. Use of poll over select can result in better performance for programs with a large number of open file descriptors.
o dhclient(8) now detects when the interface it configured is modified and gracefully exits. e.g. repeatedly running it against the same interface leaves only the last instance active.

* Privilege separation added to allow complex operations to occur in an untrusted, unprivileged process, resulting in much greater security for the following processes:
o isakmpd(8)
o named(8) (Previously privilege revoking, but this had a small breakage).
o pflogd(8)
o tcpdump(8)

* New tools:
o sensorsd(8), monitoring hardware sensors.
o procmap(1), to examine a process' memory map.
o bgpd(8), implementing the BGP-4 routing protocol.
o pkill(1) and pgrep(1), finding or signalling processes by name.

* Performance improvements:
o Improved connection/socket lookup - about 100 times faster at 10000 sockets than 3.4.
o TCP SYN cache. Greatly reduces the memory cost of half-open TCP connections.
o Implemented TCP adjustments recommended by RFC3390, controllable via sysctl.
o OpenSSL speedup on i386, up to 100% improvement for md5, sha1, blowfish, des, 3des, rsa, dsa and bn.
o OpenSSL now directly uses the new AES instructions some VIA C3 processors provide, increasing AES to 780MBytes/second (so you get to see a fan-less cpu performing AES more than 10x faster than the fastest cpu currently sold).
o Directory hashing makes lookups in large directories much faster.
o Zeroing pages with SSE. Faster operation, and avoids clobbering the cache.

* SCSI(4) improvements:
o Bus probe made faster by skipping non-existent LUNs.
o Bus probe made saner by elimination of spurious commands.
o Bus probe made safer by having INQUIRY commands ask only for available data.
o Eliminated a race that, e.g., caused problems burning CDs at high speeds.
o SCSIDEBUG output can now be restricted to specified buses.
o ASC/ASCQ diagnostic messages updated to SCSI-3 standards.
o Better error handling.

* Improved hardware support, including:
o The hppa architecture gets support for many PCI based machines w/ addition of dino(4) GSC-PCI bridge.
o New oosiop(4) driver for NCR 53C700 SCSI host adapters.
o Major improvements to ahc(4), bringing support for many new models.
o New bce(4) driver, supporting the Broadcom BCM4401 FastEthernet chipset.
o New mpt(4) driver for LSI Fusion-MPT SCSI and FibreChannel host adapters.
o New snapper(4) audio driver for recent iBook (since May 02) and PowerBook (since Apr 02) models.
o Improved stability of the wi(4) driver as well as support for USB-based adapters and software WEP.
o wi(4) in HostAP mode now supports SSID hiding and newer prism firmware revisions.
o Fixed several firmware incompatibility issues in an(4).
o Improved ATA and SATA support.
o Support for i835 AGP GART in vga(4).
o Improved Gigabit Ethernet support for em(4), sk(4) & bge(4).
o Several fixes for apm(4).
o Support for Intel 852/855/865 AGP chipsets.
o Many more USB Flash and other umass(4) devices work as a result of SCSI improvements.

* This release ships with Firefox for all major architectures.

* Major improvements in pthreads(3).

* Over 2500 ports, 2300 pre-built packages.

* Many improvements for security and reliability (look for the red print in the complete changelog).

* Many improvements in manual pages and other documentation.

* Gcc 3.3.2, including local additions like ProPolice support, for the OpenBSD/amd64, OpenBSD/cats and OpenBSD/sparc64 platforms. Other architectures still use gcc 2.95.3 with the same local additions.

* OpenSSH 3.8.1:
o sshd(8) now supports forced changes of expired passwords via passwd(1).
o ssh(1) now uses untrusted cookies for X11-Forwarding. Some X11 applications might need full access to the X11 server, see ForwardX11Trusted in ssh_config(5) and xauth(1).
o ssh(1) now supports sending application layer keep-alive messages to the server. See ServerAliveInterval in ssh_config(5).
o Improved sftp(1) batch file support.
o New KerberosGetAFSToken option for sshd(8).
o Updated /etc/moduli file and improved performance for protocol version 2.
o Support for host keys in DNS.
o The experimental "gssapi" support has been replaced with the "gssapi-with-mic" to fix possible MITM attacks. The two versions are not compatible.

* The system includes the following major components from outside suppliers:
o XFree86 4.4.0 unencumbered (+ patches, and i386 contains 3.3.X servers also, thus providing support for all chipsets)
o Gcc 2.95.3 (+ patches) and 3.3.2 (+ patches)
o Perl 5.8.2 (+ patches)
o Apache 1.3.29, mod_ssl 2.8.16, DSO support (+ patches)
o OpenSSL 0.9.7c (+ patches)
o Groff 1.15
o Sendmail 8.12.11
o Bind 9.2.3 (+ patches)
o Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
o Sudo 1.6.7p5
o Ncurses 5.2
o Latest KAME IPv6
o Heimdal 0.6rc1 (+ patches)
o Arla-current




-kwag