Software-update: OpenBSD 5.2

Maandag is de nieuwe halfjaarlijkse release van OpenBSD uitgekomen. Op deze pagina is een uitgebreide lijst van ftp- en http-downloadlocaties te vinden. OpenBSD stamt af van de originele Berkeley Software Distribution en heeft als kenmerk dat de ontwikkelaars alleen opensourcesoftware willen gebruiken. Verder staat het besturingssysteem bekend om zijn uitstekende documentatie en veiligheid. Zoals gewoonlijk met een nieuwe versie van OpenBSD is er ook een nieuw thema rondom het besturingssysteem ontworpen, vergezeld van een heuse theme song en verkrijgbaar op audio-cd, als poster en als T-shirt. Als titel van het thema heeft men deze keer gekozen voor Aquarela do Linux. Hieronder is een uitgebreid overzicht van de doorgevoerde veranderingen in versie 5.2 te vinden.

pthreads(3) support:

• The most significant change in this release is the replacement of the user-level uthreads by kernel-level rthreads, allowing multithreaded programs to utilize multiple CPUs/cores.
• Use PTHREAD_MUTEX_STRICT_NP as default mutex type.
• Added pthread spinlock and barrier routines.
• Added pthread_mutex_timedlock(3) and sem_timedwait(3).
• Added pthread_condattr_setclock(3).
• Added support for live multi-threaded debugging in gdb(1).
• Improved handling for rusage totals and interval timers in threaded processes.
• Changed the RLIMIT_NPROC rlimit to count processes instead of threads.
• Added a new system limit kern.maxthread for the max number of threads.
• Closed race conditions in thread creation, and in fork(2) and open(2) in a threaded process.
• Improved handling of threaded processes in ps(1), top(1), and fstat(1).
• Changed the lock around dlopen() to be recursive, so that dl*() operations from atexit() handlers don't deadlock.
• Many fixes to pthread attribute and mutex error checking and cancellation handling.

Improved hardware support, including:

• Added hibernation support on i386. Currently only working on pciide(4) and wd(4) disks.
• Improved support for ALPS based touchpads in wsmouse(4) and the synaptics(4) X.Org input driver.
• Performance improvements with ix(4) Intel 10Gb Ethernet NICs.
• Support for i350 based devices in em(4).
• Flow control support for bnx(4).
• Hardware watchdog and HPET support for tcpcib(4) (Intel Atom E600) as found in some embedded x86 systems.
• urndis(4) supports additional Android devices.
• Support for Winbond W83627UHG has been added to wbsio(4).
• Support for the SMBus controller of the AMD CS5536 in glxpcib(4) and the NVIDIA MCP89 in nviic(4).
• Support for AX88772B based devices has been added to axe(4).
• Support for MCS7832 based devices has been added to mos(4).
• Support for the Roland UM-ONE has been added to umidi(4).
• Support for the AMD Hudson-2 chipset has been added to azalia(4) and piixpm(4).
• Support for NetMos NM9820 cardbus serial cards has been added to com(4).
• Support for Huawei Mobile E303 has been added to umsm(4).
• The sgi port now supports the R4000 Indigo (IP20), Indy (IP22), R4000 Indigo2 (IP24) and POWER Indigo2 R10000 (IP28) families.

Generic network stack improvements:

• Increased TCP initial window to 14600 bytes as proposed in draft-ietf-tcpm-initcwnd.
• Cleanup handling of sockaddrs in degenerate use cases.
• Improved handling of error and limit cases in file descriptor passing.
• Improved socketbuffer handling for AF_UNIX sockets.
• Fix yet another file descriptor leak in message passing.
• Improved error handling in socket splicing.
• IPv6 privacy addresses now appear alongside SLAAC addresses.
• Support for Extended Sequence Numbers has been added to the IPsec stack and iked(8).
• Bridging two IPv4 networks over an IPv6 link with gif(4) is now possible.

Routing daemons and other userland network improvements:

• sndiod(1), bgpd(8), dvmrpd(8), ftp-proxy(8), iked(8), iscsid(8), ldapd(8), ldpd(8), nsd(8), ospf6d(8), ospfd(8), relayd(8), ripd(8), snmpd(8), spamd(8), sshd(8), tcpbench(1) and tmux(1) now rate limit their accepting of new connections when experiencing file descriptor exhaustion.
• Allow route(8) destination/prefixlen syntax for IPv6 routes.
• ASCII packet dumping support in tcpdump(8).
• Better etherip and BGP protocol support in tcpdump(8).
• isakmpd(8) and tcpdump(8) now recognize additional Internet Key Exchange DH groups.
• Various improvements in iked(8) including support for retransmits.
• ipsecctl(8) now allows SA lifetimes to be specified in its ipsec.conf(5) file.
• Rewrote tftpd(8) as a persistent, non-blocking daemon.
• tftp(1) client now supports IPv6.
• snmpd(8) now supports PF-MIB, UCD-DISKIO-MIB, and additional OIDs in HOST-RESOURCES-MIB.
• bgpd(8) is now more robust to network instability.
• Adjust the bgpd(8) route decision code to cover checks needed due to route reflection.
• Various fixes to improve error reporting in bgpd(8) including support of RFC 6608.
• For debugging purposes bgpctl(8) can load MRT dumps into bgpd(8).
• Fixed distribution of MPLS VPN routes in bgpd(8).
• Introduced a new option "selected" to the bgpctl(8) "show rib" command to show only selected routes.
• Correctly support the LSA_TYPE_AREA_OPAQ and LSA_TYPE_AS_OPAQ types in ospfd(8).
• Make relayd(8) able to handle transactions larger than 2GB in size.
• Various bug fixes and better HTTP standard compliance in relayd(8).
• rtadvd(8) can now advertise DNS servers and search paths in router advertisements.
• rtadvd(8) can now send router advertisements with no prefix information using the noifprefix option.
• ftp(1) client now allows the source IP address of the connection to be specified.
• ypldap(8) now handles larger directories and is more tolerant when processing groups.
• Added support for AF_INET6 to inet_net_pton(3) and inet_net_ntop(3).

pf(4) improvements:

• pf(4) now ignores/preserves the lower 2 bits of the tos-header (used for Explicit Congestion Notification).
• Allow more than 16 pflog(4) interfaces.
• pf(4) now supports weighted least-states load balancing.
• The prio and tos options are now part of the "set { }" block. See pf.conf(5).
• Allow to set the tos on IPv6 packets.
• Better demotion handling in pfsync(4) to prevent failovers without having a full state table.
• Fixed printing of wildcard anchors in pfctl(8).

Assorted improvements:

• Added nginx(8), an HTTP server, reverse proxy server and mail proxy server.
• Added SQLite 3.7.13, a self-contained SQL database engine.
• libpcap has been updated with several core functions from tcpdump.org's libpcap-1.2.0 API, without the clutter.
• Disabled SSLv2 in OpenSSL.
• Moved libtool(1) into the base system. Much work remains to be done.
• Removed lint(1).
• Removed the raid(4) RAIDframe driver and its corresponding raidctl(8) utility. RAIDframe has been superseded by softraid(4).
• Added posix_spawn(3).
• Added mbsnrtowcs(3) and wcsnrtombs(3).
• Added getdelim(3) and getline(3).
• More configuration variables for sysconf(3) and pathconf(2).
• dirfd(3) is now a function instead of a macro.
• posix_memalign(3) supports arbitrarily large alignments.
• Improved realloc(3) performance.
• ld.so(1) recognizes the DF_1_NOOPEN flag and refuses to dlopen(3) shared objects linked with "-z nodlopen".
• Improved compliance and/or cleanliness of header files, particularly <dirent.h>, <time.h>, <sys/time.h>, <limits.h>, <arpa/inet.h>, <netinet/in.h>, and <sys/param.h>.
• Improved kernel uvm memory allocator.
• Added support for using AMT to provide console-over-Ethernet (c.f. the amtterm package).
• Improved support for amd64 systems with many memory extents.
• compat_linux(8) improvements: TLS-vs-clone and futex fixes, added support for statfs64(), tgkill(), gettid(), SOCK_CLOEXEC, and SOCK_NONBLOCK.
• kdump(1) improvements, including the ability to show thread IDs and dumping of timespec, timeval, sigaction, rlimit, sigset, clockid, and fdset arguments and results.
• Various improvements in smtpd(8): reliability fixes, new MTA client, new scheduler and improved queue logic, simplified smtpd.conf(5) syntax, better RFC compliance and several cosmetic changes.
• The mg(1) emacs-like editor now supports cscope functionality. Also, backup files can now be saved to a user's home directory in addition to the current working directory.
• Fixed operation of kvm_getfile2() (and therefore fstat(1) and pstat(8)) on kernel crash dumps.
• Improved emacs-style key bindings and handling of large arrays in ksh(1).
• halt(8) disables "suspend-on-lid-close" so that you don't accidentally suspend instead of shutting down.
• Improvements to parallel make(1): added the .CHEAP and .EXPENSIVE special targets and fixed glitches in already-rebuilt logic.
• The libusb package is able to access non-ugen(4) devices for some operations, allowing e.g. programming YubiKeys with a standard kernel.
• Various improvements in tmux(1): a new unified tree view to select sessions or windows, new move-pane and renumber-windows commands, a history of pane layouts, simple output rate limiting, and custom formats (-F) have been extended and are now accepted by more commands.
• fsck_msdos(8) now works on devices with non-512 byte sectors.
• quotacheck(8) now works with DUID based fstab(5) files.
• Numerous minor improvement to fdisk(8), including more sanity checking and better default partition sizing on large disks.
• dhclient(8) now discards trailing NULs in option data, and in general parses option data with more paranoia.
• Various improvements to dhclient(8) startup and timeout handling.
• disklabel(8) does a better job of calculating physical memory during partition auto-allocation of devices with non-512 byte sectors.
• SCSI errors are now correctly propagated to userland, e.g. mount(2) now reports specific errors such as trying to mount RW filesystems from RO media.
• Improved FAT media handling: autorecognize such media even if the 0x55aa signature is missing and prevent the writing of an OpenBSD disklabel over the FAT data structures.
• The MS-DOS FAT filesystem implementation gained a significant write speedup for large files (up to twice as fast).

OpenSSH 6.1 new features:

• sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
• sshd-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel.
• sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
• sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}.
• Add support for RFC6594 SSHFP DNS records for ECDSA key types. (bz#1978)
• sshd-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8.
• sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
• sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile.
• sshd-keyscan(1): Look for ECDSA keys by default. (bz#1971)
• sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.

OpenSSH 6.1 significant bugs have been fixed in this release:

• sshd(8) and ssh(1): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
• sshd(8) and ssh(1): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. (bz#2023)
• sshd(8): Handle long comments in config files better. (bz#2025)
• ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. (bz#1995)
• sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.

Over 7600 ports, major performance and stability improvements in the package build process:

• dpb got simpler and faster. Handles distfiles, works without any option.
• Simpler and less error-prone mechanisms for handling MD differences.
• dpb is now used for mirroring distfiles, to the great joy of ftp://ftp.openbsd.org/pub/OpenBSD/distfiles/
• full databases of all ports available as packages:
  • pkglocatedb - a locate(1) database of all files in all packages
  • sqlports - a sqlite3(1) database of all meta-info for all packages
  • ports-readmes - a tree of html files for browsing thru available packages

Some highlights:

• GNOME 3.4.2
• KDE 3.5.10
• Xfce 4.10
• MySQL 5.1.63
• PostgreSQL 9.1.4
• Postfix 2.9.3
• OpenLDAP 2.3.43 and 2.4.31
• Mozilla Firefox 3.5.19, 3.6.28 and 13.0.1
• Mozilla Thunderbird 13.0.1
• GHC 7.0.4
• LibreOffice 3.5.5.3
• Emacs 21.4, 22.3 and 23.4
• Vim 7.3.154
• PHP 5.2.17 and 5.3.14
• Python 2.5.4, 2.7.3 and 3.2.3
• Ruby 1.8.7.370 and 1.9.3.194
• Tcl/Tk 8.5.11
• Jdk 1.7
• Mono 2.10.9
• Chromium 20.0.1132.57
• Groff 1.21
• Go 1.0.2
• GCC 4.6.3 and 4.7.1
• LLVM/Clang 3.1
• Lua 5.1.5 and 5.2.1
• As usual, steady improvements in manual pages and other documentation.

The system includes the following major components from outside suppliers:

• Xenocara (based on X.Org 7.7 with xserver 1.12.2 + patches, freetype 2.4.10, fontconfig 2.8.0, Mesa 7.10.3, xterm 279, xkeyboard-config 2.6 and more)
• Gcc 4.2.1 (+patches) and 2.95.3 (+ patches)
• Perl 5.12.2 (+ patches)
• Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
• Nginx 1.2.2 (+ patches)
• OpenSSL 1.0.0f (+ patches)
• SQLite 3.7.13 (+ patches)
• Sendmail 8.14.5, with libmilter
• Bind 9.4.2-P2 (+ patches)
• NSD 3.2.11
• Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
• Sudo 1.7.2p8
• Ncurses 5.7
• Heimdal 0.7.2 (+ patches)
• Arla 0.35.7
• Binutils 2.15 (+ patches)
• Gdb 6.3 (+ patches)
• Less 444 (+ patches)
• Awk Aug 10, 2011 version