Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Announcements Operating Systems Software BSD

OpenBSD 3.4 Released 275

tedu writes "We just couldn't wait another 2 days, so now you can enjoy OpenBSD 3.4 a little early and protect yourself from ghosts and goblins. More details at the OpenBSD website and official announcement. Remember to please use a mirror."
This discussion has been archived. No new comments can be posted.

OpenBSD 3.4 Released

Comments Filter:
  • by Anonymous Coward on Saturday November 01, 2003 @04:55AM (#7365861)

    "Remember to please use a mirror [openbsd.org]."
  • by t0ny ( 590331 ) on Saturday November 01, 2003 @05:00AM (#7365873)
    Remember to please use a mirror

    Since when does Slashdot care about overloading webservers?

  • by jusdisgi ( 617863 ) on Saturday November 01, 2003 @05:04AM (#7365885)
    ...perfect code is irrelevant to security! Didn't you hear me?!

    -Bill
    • by Anonymous Coward
      The truth is, perfect code *should* be irrelevant to security.
      I've been working with IT-security for 6 years, and the thing is, it doesn't matter how good of a programmer you are, eventually, you will fuck up; that's why security should be in the design, not the code, mostly in the design of the OS.
      VMS is a good example of this, there where a lot of shoddy code in VMS, but it's really secure -- by design!

      First design, then langue, least important is, or if done properly at least, the code itself.

      • Man oh man would I hate to have you in my shop. Hopefully you have no intentions of pursuing your CISSP or something similar. Code should be the upmost since it is the foundation. Let's go into a different subject for analogy shall we... You build a 4 story house made of the toughest concrete money can buy. You use the strongest nails, wood through the walls, and to bind it all together. Foundation oh no don't worry let's use rubber bands, hell all that 'security' we used on the walls and ultra 31337 concre
        • I think a better analogy for you would be something like this:

          design of project : design of house

          programming language : materials of house

          coding : putting together the house

          the coding wouldn't be the foundation, it would be the putting together of the materials of the entire house. If you have a good design and materials, a slight mistake somewhere shouldn't bring down the whole house.
        • Hey, jackass...that was a JOKE! Didn't you read the story 4 hours before this one quoting Bill Gates as saying exactly what I just said? I mean, my name is not Bill. ...hence the +5 Funny.
      • Holy cow! Where have you been all of these years! Has anyone ever told you that you are a true-blue absolutely amazing genius!

        Code is the implementation of design, fucktard. No matter what your UML diagram says, one or more bugs in critical parts of a design can lead to a security breach...

  • by Anonymous Coward on Saturday November 01, 2003 @05:38AM (#7365955)
    How can anyone trust an operating system like OpenBSD when its insecure, come on it still has a root account, You obvoously haven't used Cryptech Radicacally Advanced PowerBSD. This operating system uses the "swallow the key" principle. Once installed, you are pernemently in a sandbox, with NO WAY to get root access becasue THERE IS NONE, For extra security the Installation CDROM has a built in Self destruct mechanism. Once It installs it scans a special diode embedded into the disk and destroys the CDROM. No one has managed to hack a Cryptech RAP BSD box, and I have ran one connected to the Internet on a high volume site (10,000,000 hits a month) which publishes controversail material. Noone out of the THOUSANDS of kiddies have manged to get in so far, and good riddance.
  • OpenBSD song (Score:5, Informative)

    by Malcolm Scott ( 567157 ) on Saturday November 01, 2003 @05:40AM (#7365960) Homepage
    And make sure you listen to the release song [openbsd.org] too. It's great :-)
  • Thoughts on security (Score:5, Interesting)

    by arvindn ( 542080 ) on Saturday November 01, 2003 @05:50AM (#7365974) Homepage Journal
    From the release notes:
    Thousands of occurrences of unsafe library calls such as strcpy(), strcat() and sprintf() have been changed to the safer alternatives strlcpy(), strlcat(), and snprintf() or asprintf() in one of the most intensive audits yet performed by the OpenBSD project. The kernel is now completely free of these functions, as is most of the userland source tree.
    That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are unsecure, and the manpage lists it a bug etc. Of course its a pain to keep track of the length of each string (making them fixed size is not always feasible), but I would have expected that in kernel level code convenience would take the back seat.

    Note: this is purely an academic question, it is not my intention to critisize anyone, but just to learn why these things happen, not being a very experienced programmer myself.

    • by __past__ ( 542467 ) on Saturday November 01, 2003 @06:50AM (#7366054)
      That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are unsecure, and the manpage lists it a bug etc.
      You realize that OpenBSD is not a clean-room reimplementation of Unix? Most of the code is probably simply ages old, probably older than strlcpy and friends, or the OpenBSD project itself. Obviously, there was a time where programmers thought gets would be a useful function...
      • by mindstrm ( 20013 )
        was more like
        "Given the ferocity with which the OpenBSD nazis fix things like this in their code wouldn't this sort of thing, in the kernel, be one of the first things they did?"

        Indeed, I thought this was done quite a while ago...
        • Maybe they were busy with their "security by repeated assertion" strategy before.
        • The quote was that "running it over the source and ports trees revealed over a hundred" uses. Now, you may be right to criticize the source tree occurrences--after all, what about that long, long time spent reviewing and auditing all the existing code (three years, if I remember right)--but the ports tree is specifically described as often unaudited and out of date. The ports tree is entirely third-party applications, and the OpenBSD project takes no responsibility for them. Things are hit or miss, and this
      • > Most of the code is probably simply ages old, probably older than strlcpy and friends, or the OpenBSD project itself.

        Considering that Todd Miller and Theo de Raadt implemented strl* in 1996 ( http://www.courtesan.com/todd/papers/strlcpy.html ) and OpenBSD was forked from NetBSD in '95 (which is quite old itself ( http://netbsd.org/Misc/history.html )) I'd say that that's an understatement...
    • by donhav ( 41208 )
      A openBSD release contains far, far more than just the kernel its all the userland as well. IE: things like grep and diff and csh. There are hundreds of these programs. The OpenBSd team puts a lot of effort into making the whole release secure not just the kernel.
    • by dmiller ( 581 ) <djm@mindro[ ]rg ['t.o' in gap]> on Saturday November 01, 2003 @08:04AM (#7366160) Homepage

      Note thst strcpy() and friends _can_ be used safely, and the usage of the ones in the tree before the removal had been audited at least once. For example, the following construct is safe (assuming you check the malloc return):

      len = strlen(foo) + 1;
      bar = malloc(len);
      strcpy(bar, foo);

      But is was easier to just banish them from the tree entirely, so that it is easier to grep for potentially unsafe ones when new code is imported.

      • by hey ( 83763 )
        I can't think of any way to use gets() safely.

        s = malloc(INFINITY);
        gets(s);
        • I can't think of any way to use gets() safely.

          You just have to ensure externally that stdin fulfils specific constraints (EOF or '\0' among the next N characters, for some known N). This may well be possible, for example if you've redirected stdin to a trusted file with known contents, or your program is at the receiving end of an internal pipe in a larger system of trusted interoperating programs you've all written yourself, so you know exactly how stdin looks.

    • what we're not supposed to use strcpy?
    • That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are unsecure, and the manpage lists it a bug etc.

      Two factors. First, there is a difference between "dangerous" and "unsafe". Explosives are dangerous but they are used safely on construction sites every day.

      Second, there is also danger in changing code that is known to work. I read a quote once from the IBM guy responsible for the core of IBM's MVS mainframe

      • Considering the times we live in now, where every little asshat is trying to get into your computer by any means possible, sometimes for no better reason than because they can, it is probably best to remove the old code that may be exploited.

        At least until they make hacking punishable by instant death.
    • Does the linux kernel still have those occurences of strcpy(), etc?
      • by ^BR ( 37824 )

        Too lazy (or too dumb) to use grep(1)?

        Yes there are (a lot of them). It does not means that there are security holes because of it it's just that's it's way easier to make a safety error using strcpy() than using strlcpy(). And in fact a systematic effort to eliminate those is the occasion to revisit some code long forgotten and to fix other things on the way...

        % grep -r -l strcpy linux-2.6.0-test9
        linux-2.6.0-test9/drivers/i2c/busses/i2c-ibm_iic. c
        linux-2.6.0-test9/drivers/net/8139too.c
        linux-2.6

        • by Anonymous Coward
          "Too lazy (or too dumb) to use grep(1)?"

          Figures that someone would be an asshole about this. Perhaps the guy doesn't use Linux and it's a pain in the ass to go download all the source, uncompress it, and then grep it out when there's someone that already knows the answer to this simple question?

          Sheesh, grow up.
          • Guess what... (Score:1, Flamebait)

            by ^BR ( 37824 )

            I don't use Linux, I use OpenBSD. And I took the pain of downloading the Linux kernel just to give an accurate answer to this guy...

            Like he could have done, unless he doesn't have broadband...

            • Thanks for being so understanding, I don't have broadband. I figure that it would be common knowledge whether linux used safe calls to these functions or not...I didn't ask you to go through the sources, btw. You put yourself through that.
  • Looks like the announcement has been delayed a little as I've had the OpenBSD3.4 CDs for over a week now, ordered from the OpenBSD online store!

    • Re:Why the delay? (Score:2, Informative)

      by Krunch ( 704330 )
      I think people who order the CD get it before it is availiable from FTP. The FTP release was set for November 1 but it was changed to October 30. http://deadly.org/article.php3?sid=20031030183459& mode=flat
    • Me too. I had pre-ordered 3.4 a month or so ago when the idiots were crowing about the OpenSSH patches, as a way to support the OpenBSD project. I think they showed up last weekend.

      Buy the CDs people, and support the project. Plus, you get the OpenBSD songs in full Redbook glory, and stickers!
  • by debilo ( 612116 ) on Saturday November 01, 2003 @06:48AM (#7366049)
    Remove unlicensed MATH_EMULATE code (written by some guy named Torvalds) from the kernel, leaving only the GNU emulation code for the moment.

    Gotta love that.
  • Unfortunately (Score:5, Informative)

    by Ryvar ( 122400 ) on Saturday November 01, 2003 @07:31AM (#7366115) Homepage
    Unlike 3.3, which made it months before a single security-related patch was issued, 3.4 LAUNCHES with 3 such patches.

    That said, it's such a huge release in terms of changes made (x86 Write or eXecute memory pages, for one) that it's more than worth the upgrade.

    As with most such fundamental updates to OBSD, though, I expect this release to be significantly patchier than the last couple.

    --Ryv
    • Re:Unfortunately (Score:2, Informative)

      by braddeicide ( 570889 )
      Its been released with patches cause its already a month old before its released onto ftp
    • I only see one security patch and two reliability patches. And all of these patches are for vulnerabilities affecting 3.3, which are so recent they simply had not been fixed in the 3.4 release. I don't see that as a very big deal. When you first install RedHat from CD, even if you just downloaded the ISO, you better well patch from the Internet.
  • by snake_dad ( 311844 ) on Saturday November 01, 2003 @07:39AM (#7366125) Homepage Journal
    Be careful when upgrading from older versions of OpenBSD, the upgrade procedure for i386 is a little bit more complicated than usual. As noted here [deadly.org] and here [deadly.org]. There's a document [graveland.net] describing a possible upgrade path available from 3.3 to 3.4.

    As I was lucky enough to run into this on a relatively new install I could just do a complete reinstall, but not reading the upgrade instructions can get you in a lot of trouble this time... :)

    • Well, unlike under Linux, OpenBSD had shared libs in a.out already so there was no ELF features that where really needed. The main reason for going to ELF was that binutils are only well maintained for ELF and the cost of the change was inferior to the cost of maintaining a.out in binutils. And ELF binaries made W^X way easier.
  • by Anonymous Coward
    Does anyone who runs a mirror care to describe the traffic hit that comes with the rush to download 3.4? I remember seeing the stats for the FreeBSD Walnut Creek server handling tons of traffic whenever the next version of something it was serving was released. Generally it was RedHat, ironically.

    While I order CDs to support the project, I run snapshots for many things, and being close to a mirror (OC-3 linking our sites), it takes minutes to install via ftp.
  • by awarnack ( 665425 ) on Saturday November 01, 2003 @09:22AM (#7366272) Homepage
    It's the DAEMONS you have to worry about... (it had to be said, right? RIGHT???)
  • Since everyone else is doing it now, why isn't there a *.torrent file for this release of OpenBSD?
    • by Anonymous Coward on Saturday November 01, 2003 @12:42PM (#7366947)
      Because OpenBSD does not offer any iso images for download. The official iso images are copyrighted by Theo and can only be gotten by buying the CD's or by pirating them. Or course you could make your own homebrew iso images, that's perfectly legal, and then distribute them as torrent files. But the OpenBSD project depends on CD sales to fund the continued development of the OS. Go buy the official CD's.
  • Via C3 support (Score:4, Interesting)

    by Gothmolly ( 148874 ) on Saturday November 01, 2003 @11:41AM (#7366728)
    1.6 Gbit/sec of AES-128? Damn, I gotta get me one of these!
  • C'mon OBSD!! (Score:4, Interesting)

    by devphaeton ( 695736 ) on Saturday November 01, 2003 @04:30PM (#7367941)
    Can't you hurry up? Look at the front page of bsd.slashdot.org....

    Freebsd released 4.9 before your 3.4!!!

    (j/k)

    On a side note, reading the 2nd or 3rd post about trojaned obsd ISOs floating around the web is really sad and upsetting. I love the open sharing of software and source code around the internet, but i always fear that someday it will be to a point that *everything* has been tampered with, essentially creating a need to look through more source code than anyone has time for. Sure we can solve this with technology (such as with MD5 Checksums) but as we create smarter verification, the internet will create smarter shitheads. I'd hate to think that it will eventually degrade into a win-some/lose-some cat-and-mouse game.

    I actually lost some sleep few months back when the GNU folks announced that their main ftp site got compromised. I realise that servers get cracked every day, but when it's gnu/linux/bsd/oss folks it feels personal.

    I'm not well acquainted with any $krYp+ KyddI3z, cr4x0rz or know what they use, but i'll be willing to bet that their OS and many of their tools are based on software from those they are attacking.

    Assholes.

C for yourself.

Working...