Security Operating Systems BSD

OpenBSD 3.5 Released

pgilman writes "The word just hit the announce@openbsd.org mailing list: "We are pleased to announce the official release of OpenBSD 3.5. We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.5 provides significant improvements, including new features, in nearly all areas of the system" including security, hardware support, software ports, and lots more. Support the project if you can by ordering the cds, or grab it from the net (use a mirror!). Thanks to Theo and the whole team!"
This discussion has been archived. No new comments can be posted.

  • Amazingly, yes (Score:4, Informative)

    by Anonymous Coward on Saturday May 01, 2004 @01:03AM (#9025848)
    It does [gentoo.org].
  • What? (Score:1, Informative)

    by Anonymous Coward on Saturday May 01, 2004 @01:10AM (#9025880)
    "The word just hit the announce@openbsd.org mailing list..." You act as if this is big news. New versions are always released in May and Nov.
  • yea (Score:3, Informative)

    by Anonymous Coward on Saturday May 01, 2004 @01:11AM (#9025884)
    seems main ftp server is down. remember there are the mirrors if you guys want to get it. http://openbsd.org/ftp.html

    and OpenBSD Rocks!
  • Re:Excellent (Score:0, Informative)

    by gnuman99 ( 746007 ) on Saturday May 01, 2004 @01:17AM (#9025904)
    chroot in OpenBSD is a joke - under grsecurity you at least can't easily get out of it. chroot restrictions are essential for a secure system.

    well, this is at least my 2 cents

  • Mascot (Score:3, Informative)

    by Zardus ( 464755 ) <yans@yancomm.net> on Saturday May 01, 2004 @01:21AM (#9025916) Homepage Journal
    Isn't that the wrong mascot in the slashdot story?
  • Re:pfsync/CARP (Score:5, Informative)

    by PatJensen ( 170806 ) on Saturday May 01, 2004 @01:22AM (#9025921) Homepage
    When you can do the following, OpenBSD will be a Cisco IOS killer.
    • Configure, maintain and secure your routing protocols and interfaces in one easy to read and edit configuration file.
    • Store the configuration in solid-state flash memory.
    • Upgrade the entire OS by TFTP'ing a single file.
    • Provide support for many types of LAN and WAN interfaces (DSx, hardware accelerated ATM segmentation and reassembly, etc.)
    • Provide support for layer 2/3 QoS packet tagging in hardware (on ALL WAN interface types i.e. ATM, Frame, DSx) to reduce CPU load on distribution routers.
    • Handle IPv4 traffic routing in hardware, with the OS just maintaining flow state information.
    • Provide support for the plethora of legacy protocols that are on corporate networks (DLSw, X.25, etc.)
    When the only tool you have is a hammer, everything looks like a nail.

    -Pat

  • by Gogo Dodo ( 129808 ) on Saturday May 01, 2004 @01:35AM (#9025960)
    fxp [openbsd.org] is the driver for the Intel PRO/100 Ethernet adapters.
  • by cperciva ( 102828 ) on Saturday May 01, 2004 @01:41AM (#9025978) Homepage
    What was it?

    OpenSSH.
  • by Indy1 ( 99447 ) on Saturday May 01, 2004 @02:02AM (#9026032)
    It was a bug in OpenSSH, which if I remember correctly, would have been tricky to exploit in the first place.
  • Re:Argh (Score:3, Informative)

    by dhartmei ( 664843 ) <daniel@benzedrine.cx> on Saturday May 01, 2004 @02:15AM (#9026068) Homepage Journal
    There's an unofficial Bittorrent link [hewus.com], just make sure you verify MD5 checksums against those listed on the official ftp server [openbsd.org].
  • by b00m3rang ( 682108 ) on Saturday May 01, 2004 @02:35AM (#9026121)
    I've found that ftp.sunet.se does, however.
  • I'll bite too... (Score:5, Informative)

    by Anonymous Coward on Saturday May 01, 2004 @02:51AM (#9026171)
    Let's begin hacking this one apart :P

    1) Devry... nice.. :P not.
    2) A company capable of buying quad xeon hardware doesn't sound like the kind of company that needs to resort to running a workstation OS--XP Professional--on a server. Plus, Windows XP will only use 2 CPUs maximum.
    3) Like mentioned before, you'd never run OpenBSD on an SMP box in a production scenario
    4) What kind of password? The Windows XP password has nothing to do with Dell. If you mean the BIOS password, that has nothing to do with Windows.
    5) Microsoft's multi-user computing (read: NT Domains/Active Directory) is actually quite good.
    6) If your server had three years of uptime, there was probably (I'm sure there wasn't but I don't want to be wrong) no OpenBSD SMP support (not even beta) 3 years ago... I wonder how your boss feels about a server having 75% of its computing power being unused.

    There's more wrong with your post, but why bother...
  • Re:Excellent (Score:2, Informative)

    by klasikahl ( 627381 ) <klasikahl@gmai[ ]om ['l.c' in gap]> on Saturday May 01, 2004 @03:11AM (#9026226) Journal
    I think you're forgetting about the NSA funded SELinux project. It's also a kernel level MAC security patch. I prefer SELinux over GrSec for many reasons, one of which is the fact a team of well trained NSA kernel hackers coded SELinux. (As opposed to GrSec whose head coder and inventor is a punk who uses his security knowledge to keep his exploits as 0days. Sounds pretty fishy to me; I won't trust anything that has his name on it.) SELinux is in the official 2.6 kernel branch. Check it out here [nsa.gov].
  • Re:Excellent (Score:1, Informative)

    by Triumph The Insult C ( 586706 ) on Saturday May 01, 2004 @03:21AM (#9026255) Homepage Journal
    Another thing, if Linux's "iptables" interface to netfilter challenges you, then you have no business using computers at all.

    that is absolute bullshit. when software is easy to use, it leads to fewer mistakes

    hmm ... edit a text file (using a syntax that is almost like reading english) and tell the firewall software to re-read it, or, memorize a half-dozen of command line switches
  • One remote whole... (Score:4, Informative)

    by gnu-sucks ( 561404 ) on Saturday May 01, 2004 @03:44AM (#9026330) Journal

    We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install.

    I love OpenBSD as much as anyone serious about security, but this quote is completely full of shit.

    If you look at the release 3.4 [openbsd.org] errata list, there's at least three or four root exploits waiting to happen. And 3.3 [openbsd.org] and 3.2 [openbsd.org] aren't any better.

    And YES, sendmail was in the default install. As well as many programs based off the lately bad libc-6.

    OpenBSD is the most secure, and secure-oriented, but it's not perfect by any means.

    And yes, I run OpenBSD on a few servers, and one desktop!

  • Perfect Timing (Score:3, Informative)

    by alexhmit01 ( 104757 ) on Saturday May 01, 2004 @04:12AM (#9026401)
    Ironically, I just finished installing 2 OpenBSD machines in the past couple of days, just finished up one about 5 minutes ago. Unfortunately, while they get the software up on a mirror quickly, every time we buy the CDs they don't ship out for weeks after the downloaders grabbed them... makes it a bit discouraging to buy the CDs, which we used to do (several copies) each release...

    But now that OpenBSD is only on Firewalls, no webservers, it's less pressing.
  • Re:pfsync/CARP (Score:4, Informative)

    by pacman on prozac ( 448607 ) on Saturday May 01, 2004 @04:37AM (#9026468)
    IPv4 routing in Cisco is done by software not hardware.

    This already is a Cisco killer for one simple reason, VSRP is crap.
  • Re:Fast AES (Score:3, Informative)

    by leov211 ( 556266 ) on Saturday May 01, 2004 @05:07AM (#9026527)
    Yes, the new 600MHz version of Nehemiah runs fanless on the new CL6000 mini-itx server board.
  • by Anonymous Coward on Saturday May 01, 2004 @05:40AM (#9026596)
    - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
    - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
    - Same for every other resource such as sockets, etc...


    You mean like systrace? ;)
  • by Triumph The Insult C ( 586706 ) on Saturday May 01, 2004 @05:55AM (#9026624) Homepage Journal
    and in the default install, sendmail only listens on localhost ...
  • Re:Fast AES (Score:4, Informative)

    by mst76 ( 629405 ) on Saturday May 01, 2004 @05:58AM (#9026632)
    I believe the 600mhz fanless boards (ME 6000, CL 6000) also include the hardware AES accelerator.
  • Um, no..... (Score:2, Informative)

    by tomasdore ( 222625 ) <[ku.oc.oohay] [ta] [erodsamot]> on Saturday May 01, 2004 @06:02AM (#9026643) Homepage Journal

    From the netcraft FAQ [netcraft.com]
    "Operating systems that do not provide uptime information include;

    • NetBSD/OpenBSD"
  • by ninjaz ( 1202 ) on Saturday May 01, 2004 @07:36AM (#9026818)
    I picked up OpenBSD with version 2.3 and started using it seriously with version 2.5. During that time, it has gone from being an audited and secure (but otherwise fairly plain) OS to a compelling system with a wide range of complementary features.

    The ones that stand out for me are -

    Chrooting and dropping privileges for BIND by default (kept me feeling fairly safe through a few vulnerabilities, and without the extra work of maintaining my own bind built for chroot)

    Picking up ssh and releasing a good, free version

    Coming up with the nicest firewall I've used, taking it from nothing to ready for release within 6 months (That still amazes me!)

    spamd - After breaking 400 spam messages a day directed at my inbox, wiring Spamhaus SBL into the firewall and tarpitting a good portion of the traffic is a nice bonus. Noticing a week after setting that up that OpenBSD 3.5 has graylisting is a nice surprise.

    Propolice stack protection built into the OS and integrated for the long haul

    Now with CARP, I can feel comfortable getting all this in any environment - I think failover support really opens up a lot of possibilities for the future of OpenBSD.

    All in all, OpenBSD has all the attributes I like in an OS -

    regular 6 month releases (production quality doesn't have to mean stale),

    cohesiveness (no waiting for glibc to catch up to a new kernel feature, or vice-versa),

    a real commitment to free software (as demonstrated with OpenSSH, pf, and now CARP)

    really delivering - as opposed to various Linux security projects that I've seen integrated with mainstream distros, then apparently forgotten about or relegated to a special option marked with a warning label, OpenBSD is a real tested system.

    As a system, it can progress toward its goals through every aspect of the system (eg., the pervasive privilege separation), rather than a patchset to a mainstream distro, which has inherent lag time and may be working at cross-purposes to that distro or the numerous projects that make up the distro it's trying to secure. I've seen a few patchsets come and go over the years, too, while OpenBSD keeps adding to the foundation they've built.

    Thanks, OpenBSD team, for all the great releases... (and all the fish ;)

    Now I'm off to explore my new OpenBSD 3.5 system, where make build just finished. :-)
  • by lyberth ( 319170 ) on Saturday May 01, 2004 @08:32AM (#9026951) Homepage
    While I haven't run FreeBSD that much I have been running OpenBSD for a while. While not all freebsd programs will run on OpenBSD automatically, most will either by compiling it on OpenBSD or through the excellent binary emulation. So go try it out (all normal things like apache, perl, sendmail, postfix, samba kde, mozilla, joe, vi, emacs, and a lot more will run on openbsd). go go go
  • Re:Downloadable ISO? (Score:3, Informative)

    by roka ( 211127 ) on Saturday May 01, 2004 @08:53AM (#9026998)
    $ mkdir -p OpenBSD/3.5/i386
    $ cd OpenBSD/3.5/i386

    Then get the following files from a mirror:
    CKSUM
    MD5
    base35.tgz
    bsd
    bsd.rd
    bsd.rd-a.out
    cdrom35.fs
    comp35.tgz
    etc35.tgz
    game35.tgz
    man35.tgz
    misc35.tgz
    xbase35.tgz
    xfont35.tgz
    xserv35.tgz
    xshare35.tgz

    $ cd ..

    And optionally also fetch these files:

    ports.tar.gz
    src.tar.gz
    sys.tar.gz

    $ cd ..
    $ mkisofs -J -r -T -V "OpenBSD_3.5" -b 3.5/i386/cdrom35.fs -c boot.catalog -o ../OpenBSD-3.5.iso .
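
The MD5 check that dhartmei's comment recommends, applied to the file set roka lists before `mkisofs` is run, as an added example that is not part of either post. The function names `md5_of` and `verify_sets` and the script name are made up for illustration, and the `MD5 (name) = digest` line format of the release's `MD5` file is an assumption; the `MD5` file itself should come from the official server rather than from the same source as the sets.

```shell
#!/bin/sh
# Added example: check downloaded install sets against the release MD5 file.
# Assumed line format (BSD md5 style):  MD5 (base35.tgz) = <32 hex digits>

# md5_of FILE: print FILE's digest with whichever tool this system has.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1      # GNU coreutils
    else
        md5 -q "$1"                      # BSD md5(1)
    fi
}

# verify_sets DIR: compare every file listed in DIR/MD5 with its digest.
# Returns 0 if all match, 1 on any missing/mismatched file,
# 2 if the MD5 file is absent or contains no usable entries.
verify_sets() {
    dir=$1 bad=0 seen=0
    [ -r "$dir/MD5" ] || { echo "no readable MD5 file in $dir" >&2; return 2; }
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" |
            sed -n 's/^MD5 (\(.*\)) = [0-9a-f]\{32\}$/\1/p')
        want=${line##* = }
        [ -n "$name" ] || continue       # not a checksum line
        seen=$((seen + 1))
        case $name in
            */*) echo "REJECTED $name"; bad=1; continue ;;  # no paths
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1
        elif [ "$(md5_of "$dir/$name")" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done < "$dir/MD5"
    [ "$seen" -gt 0 ] || { echo "MD5 file has no entries" >&2; return 2; }
    return "$bad"
}

# Usage: sh verify.sh OpenBSD/3.5/i386
if [ "$#" -eq 1 ]; then
    verify_sets "$1"
fi
```

An empty or unparsable `MD5` file is treated as a failure rather than as "nothing to complain about", so a truncated download of the checksum list cannot pass silently.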
  • Upgrade Mini-FAQ (Score:4, Informative)

    by Mysteray ( 713473 ) on Saturday May 01, 2004 @10:52AM (#9027470)
    Upgrade Mini-FAQ [openbsd.org]
  • Re:Downloadable ISO? (Score:5, Informative)

    by incabulos ( 55835 ) on Saturday May 01, 2004 @10:52AM (#9027471)
    There are unofficial ISO compilations of OpenBSD available if you want to search around for a bit. Or you could buy the official 3 CD pack [openbsd.org] and support the project that way.

    I think the easiest way to do an installation ( I ran 3.5 up on an old p-166 this evening ) is to download the arch-specific install files ( ie everything under /i386 for run of the mill x86 cpus ), and set them up on a local web or ftp server. 'dd' the boot floppy image to a spare disk ( floppy35.fs will suit 90% of cases ), boot up with this on the system, and simply follow the prompts for the ftp/http install. Or you could simply do a ftp install from a local OpenBSD mirror across the internet.

    For detailed info on the install, see the FAQ [openbsd.org].

    The Errata [openbsd.org] page should be checked regularly too. Unlike the 3.4 release that had a number of bugfixes that needed to be applied as soon as it was officially released, 3.5 has no need for further patching at this point in time.
  • by Geekboy(Wizard) ( 87906 ) <[spambox] [at] [theapt.org]> on Saturday May 01, 2004 @10:53AM (#9027474) Homepage Journal
    - Program should declare what syscalls it uses, what libraries it needs, etc, and no other syscalls/libraries would be allowed.
    - Program should declare what kind of access it needs to the filesystem to function. No other parts of the "real" filesystem should be visible in the program's namespace at all.
    - Same for every other resource such as sockets, etc...


    systrace(1) [openbsd.org]
  • Re:Documentation (Score:3, Informative)

    by lemonjelo ( 157554 ) on Saturday May 01, 2004 @11:11AM (#9027529)

    What I really like about OpenBSD is that I don't have to google for a HOWTO on configuring pf and altq.

    I'd also throw in that the file system layout is very consistent with OpenBSD. There's even a hier(7) [openbsd.org] man page describing the layout. When I'm working on another OS I find myself digging around, even for configuration files, way too often.

  • by grub ( 11606 ) <slashdot@grub.net> on Saturday May 01, 2004 @11:40AM (#9027638) Homepage Journal

    I use OpenBSD on my desktop at work. There's a FreeBSD and Linux (among others) binary compatibility option which work great for me. I use the Linux Citrix client binary to connect to a Citrix server across the country just fine. I don't think I've ever run a FreeBSD binary but I install from ports usually so the port-meister of that particular software takes care of issues.

    OpenBSD supports a load of different architectures [openbsd.org], far more than FreeBSD. However I think you're really asking about supported hardware on i386. In that area FreeBSD is ahead but most stock hardware runs OpenBSD just fine.

    Jump in, the water's fine!
  • by Anonymous Coward on Saturday May 01, 2004 @11:44AM (#9027656)

    Does OpenBSD 3.5 break backward compatibility with all previous releases, like every other OpenBSD release does?

    That's utter bullshit. Read the upgrade mini-FAQ [openbsd.org], FOLLOW IT and nothing should break. I've updated remote machines that I've never been within 2000 KM from and have never had a problem.
  • by nocomment ( 239368 ) on Saturday May 01, 2004 @01:26PM (#9028243) Homepage Journal
    Since he doesn't allow direct downloads.... who has a torrent of the 'real thing'...

    Torrent [hewus.com], and Source torrent [hewus.com].
