OpenBSD 4.9 released

greed

Theo de Raadt has announced the release of OpenBSD 4.9, a BSD-based operating system specialising in high-security solutions through thorough code review. What's new?

• New/extended platforms:
  • OpenBSD/amd64        and OpenBSD/i386:
    • Enabled NTFS by default (read-only) on GENERIC kernels.
    • Enabled the vmt(4) driver by default for VMWare tools support as a guest.
    • SMP kernels can now boot on machines with up to 64 cores.
    • Maximum allocation size for i386 bumped to 2G.
    • Handle >16 disks when searching for kernel boot device.
    • Added support for AES-NI instructions found in recent Intel            processors.
    • Further improvements in suspend and resume.
    • Processes are now switched to TSS per cpu on the            amd64 platform,            resulting in removal of the old limit of ~4000 processes.
       
  • OpenBSD/hppa:
    • Multiprocessor support.
       
  • OpenBSD/loongson        and OpenBSD/sgi:
    • All MIPS64 based platforms now use MI softfloat code, which            implements all MIPS IV specified floating point operations.
       
  • OpenBSD/sparc64:
    • The vdsp(4) driver now supports the vDisk 1.1            protocol, allowing Solaris to run on top of an OpenBSD            control domain.
       
• Improved hardware support, including:
  • New vte(4)    driver for RDC R6040 10/100 Ethernet devices.
  • New rdcphy(4)    driver for RDC Semiconductor R6040 10/100 Ethernet PHY.
  • New rsu(4)    driver for Realtek RTL8188SU/RTL8191SU/RTL8192SU USB IEEE 802.11b/g/n wireless devices.
  • New urtwn(4)    driver for Realtek RTL8188CU/RTL8192CU USB IEEE 802.11b/g/n wireless devices.
  • New utwitch(4)    driver for YUREX USB twitch/jiggle of knee sensor.
  • Support for AR9271, AR9280+AR7010 and AR9287+AR7010 USB IEEE 802.11a/g/n wireless        adapters has been added to athn(4).
  • Support for 82583V        has been added to em(4).
  • Support for Yukon 88E8059        has been added to msk(4).
  • Support for SiS191        has been added to se(4).
  • Support for SAS2004        has been added to mpii(4).
  • Support for NVIDIA MCP89 SATA        has been added to pciide(4).
  • Support for Mobility Radeon HD 4200        has been added to radeondrm(4).
  • pms(4) support has been significantly reworked and expanded.
  • MCLGETI support has been added to xl(4).
  • Support for low latency interrupt modulation has been added to    ix(4).
  • Port multiplier support has been added to    ahci(4) and    sili(4).
  • Support for Sun XVR-300 graphics has been added to radeonfb(4).
  • Added workaround for BCM5906 A0/1/2 controller silicon bug in    bge(4).
  • ugen(4)    can now be attached along with other drivers to multifunction devices.
  • umodem(4)    now supports more devices.
  • umsm(4)    now supports more mobile broadband devices.
  • Support for more image processing controls was added to    uvideo(4).
• Generic network stack improvements:
  • Reworking of the MCLGETI livelock algorithm to improve    forwarding and host performance under high network load.
  • Added support for socket splicing; sockets can be temporarily connected so that the kernel moves data without userland intervention.  This will be used by relayd(8) in the next release.
  • Added AES-GCM support for IPsec.
  • Added automatic send and receive buffer scaling for TCP.
  • Added wpakey option to ifconfig(8) replacing wpa-psk(8).
  • TCP acknowledgments are no longer delayed on the loopback interface.
  • Network livelock counters are now exported via sysctl(3).
  • A radix tree sorting bug was fixed, which results in significant    improvements to IPsec performance under certain conditions.
  • tcpdump(8) now decodes Multicast DNS (mDNS) traffic.
  • Wake on Lan support has been added to arp(8).
  • Enabled MPLS and mpe(4) by default on GENERIC kernels.
  • Added a mpls option to ifconfig(8) to enable MPLS on a per interface basis replacing the global sysctl knob.
• OpenBGPD, OpenOSPFD and other routing daemon improvements:
  • bgpd(8) handles various message encoding errors more gracefully now.
  • Notification messages are now logged in bgpd(8).
  • ospfd(8) will now correctly redistribute overlapping routes.
  • ospfctl(8) now prints the LSDB checksum in the show summary output for quick verification that two LSDBs are in sync.
  • Fixed ldpd(8)'s message parser to work on all architectures and more LDP messages are now implemented.
  • Various improvements in ospf6d(8).
• pf(4) improvements:
  • The logging subsystem has been largely rewritten, now logging the        translated addresses again instead of the original ones.
  • match log rules cause a log on the fly, showing the packet exactly        as pf(4) sees it at the moment of evaluating that rule. A packet can also        be logged more than once now.
  • match log(matches) rules allow the further rule matching to be traced.
  • pflog(4)    now includes the original addresses and ports for packets that have been    rewritten. This is also displayed by    tcpdump(8).
• IPsec stack audit was performed, resulting in:
  • Several potential security problems have been identified and fixed.
  • ARC4 based PRNG code was audited and revamped.
  • New explicit_bzero kernel function was introduced to prevent a compiler    from optimizing    bzero    calls away.
• SCSI improvements:
  • Improved safety when detaching SCSI devices by waiting for        the completion of pending commands.
  • Improved hotplug support on mpi(4) and        mpii(4).
  • Continued iopoolification of SCSI drivers, notably on        umass(4) which improves the        reliability and performance of multi-LUN devices.
  • Added vscsi(4), a driver for        userland handling of SCSI device commands.
  • Added iscsid(8), an iSCSI initiator.
  • Forcibly restrict devices incapable of tagged I/O to executing one command at a time.
  • Discover and honour read-only status of sd(4) devices.
  • Improve st(4) handling of I/O residual information.
  • sd(4) devices that can only execute one command at a time (e.g. USB) will now be allowed to spin up if necessary.
  • cd(4) will now attach CDROM devices identified as non-removable.
  
  

greed

• Assorted improvements:
  • Enabled wide character support in ncurses(3).
  • Added nsd(8), an authoritative name server implementation.
  • Disklabel UID support improved and added to more utilities.
  • rarpd(8) now accepts a list of interfaces to listen on.
  • dhclient(8) now accepts 'egress' as an interface name, meaning whichever interface is marked as being in the 'egress' group.
  • dhcpd(8) no longer listens on interfaces without a broadcast address (e.g. pflog(4)).
  • who(1) now displays as much of the hostname as fits on the line.
  • tcpdump(8) now correctly handles 'net' primitives when processing pflog(4) traffic.
  • fdisk(8) now respects failure to read the MBR.
  • fdisk(8) will no longer infinitely loop when encountering an improperly constructed EBR.
  • disklabel(8) no longer reuses information from a failed partition addition on the next addition of the same partition.
  • Many unused and obsolete disktab(5) entries removed.
  • Enabled X11 autoconfiguration on sparc and sparc64.
  • Implement attribute syntax from RFC4517 and support bsdauth in ldapd(8).
  • New video(1) utility which can record or display images from video(4).
  • httpd(8) mod_headers now handles apache2 style RequestHeader directives.
  • UNIX-domain datagram socket support has been added to nc(1) (-uU option).
  • Added support for terabyte units in disklabel(8).
  • loongson and    sgi platforms have been    switched over to gcc4.
  • ddb cpu support was added to the    sgi platform.
  • Fast path TLB miss handling was added to the    landisk platform,    resulting in a 44-50% gain in performance.
  • PCIe extended configuration space can now be viewed using    pcidump(8) (-xxx option).
  • The number of spurious IPIs has been decreased on the    amd64 platform,    resulting in improved performance.
  • Numerous improvements and bug fixes to    tmux(1).
  • Considerable robustness and interoperability improvements in the IKEv2    daemon    iked(8).
  • Skipjack and libdes were retired from the system.    CAST-128 implementation was also removed from libc.
  • Removed some races in the USB subsystem, substantially increasing    reliability.
  • Added a few more     compat_linux(8)     system calls to make it possible for newer versions of applications,    such as Skype, to execute.
  • OpenBSD-specific package documentation is now centralised in    /usr/local/share/doc/pkg-readmes.
• OpenSSH 5.8:
  • New features:
    • Implement Elliptic Curve Cryptography modes for key exchange (ECDH)            and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA            offer better performance than plain DH and DSA at the same            equivalent symmetric key length, as well as much shorter keys.
    • sftp(1)            and            sftp-server(8):            add a protocol extension to support a hard link operation. It is            available through the "ln" command in the client. The old "ln"            behaviour of creating a symlink is available using its "-s" option            or through the preexisting "symlink" command.
    • scp(1):            Add a new -3 option to scp: Copies between two remote hosts are            transferred through the local host. Without this option the data is            copied directly between the two remote hosts.
    • ssh(1):            automatically order the hostkeys requested by the client based on            which hostkeys are already recorded in known_hosts. This avoids            hostkey warnings when connecting to servers with new ECDSA keys,            since these are now preferred when learning hostkeys for the first            time.
    • ssh(1)            and            sshd(8):            add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values            instead of hardcoding lowdelay/throughput. (bz#1733)
    • sftp(1):            the sftp client is now significantly faster at performing directory            listings, using OpenBSD glob(3) extensions to preserve the results            of stat(3) operations performed in the course of its execution            rather than performing expensive round trips to fetch them again            afterwards.
    • ssh(1):            "atomically" create the listening mux socket by binding it on a            temporary name and then linking it into position after listen() has            succeeded. This allows the mux clients to determine that the server            socket is either ready or stale without races. Stale server sockets            are now automatically removed. (also fixes bz#1711)
    • ssh(1)            and            sshd(8):            add a KexAlgorithms knob to the client and server            configuration to allow selection of which key exchange methods are            used by            ssh(1)            and            sshd(8)            and their order of preference.
    • sftp(1)            and            scp(1):            factor out bandwidth limiting code from            scp(1)            into a generic bandwidth limiter that can be attached using the            atomicio callback mechanism and use it to add a bandwidth            limit option to            sftp(1).            (bz#1147)
       
  • The following significant bugs have been fixed in this release:
    • ssh(1)            and            ssh-agent(1):            honour $TMPDIR for client xauth and ssh-agent temporary            directories. (bz#1809)
    • ssh(1):            avoid NULL deref on receiving a channel request on an            unknown or invalid channel. (bz#1842)
    • sshd(8):            remove a debug() that pollutes stderr on client connecting            to a server in debug mode. (bz#1719)
    • scp(1):            pass through ssh command-line flags and options when doing            remote-remote transfers, e.g. to enable agent forwarding which is            particularly useful in this case. (bz#1837)
    • sftp-server(8):            umask should be parsed as octal.
    • sftp(1):            escape '[' in filename tab-completion.
    • ssh(1):            Typo in confirmation message. (bz#1827)
    • sshd(8):            prevent free() of string in .rodata when            overriding AuthorizedKeys in a Match block.
    • sshd(8):            Use default shell /bin/sh if $SHELL is "".
    • ssh(1):            kill proxy command on fatal() (we already killed it on            clean exit).
    • ssh(1):            install a SIGCHLD handler to reap expired child process.            (bz#1812)
    • Support building against openssl-1.0.0a
    • Fix vulnerability in legacy certificate signing introduced in            OpenSSH-5.6 and found by Mateusz Kocielski.
       
• Mandoc 1.10.9:
  • New integrated tbl(7) parser and renderer.
  • Support the roff(7) .de, .rm, and .so requests.
  • Support all roff code used in the standard pod2man(1) preamble.
  • Fully support roff quoting in man(7) documents.
  • Mandoc now copes with most formatting errors that used to be fatal.
  • Much simplified and improved reporting of errors and warnings.
  • Significantly improved -Thtml output quality.
  • The ports tree now allows ports to use either mandoc or groff      to render manuals.
• Over 6,800 ports, major robustness and speed improvements in package tools.
• Many pre-built packages for each architecture:   

  i386:       6620 sparc64:    6225 alpha:      6000

  sh:         3656 amd64:      6570 powerpc:    6272

  sparc:      4184 arm:        5679 hppa:       5838

  vax:        1068 mips64:     5492 mips64el:   5499

  Some highlights:   
  • Gnome 2.32.1.
  • KDE 3.5.10.
  • Xfce 4.8.0.
  • MySQL 5.1.54.
  • PostgreSQL 9.0.3.
  • Postfix 2.7.2.
  • OpenLDAP 2.3.43 and 2.4.23.
  • Mozilla Firefox 3.5.16 and 3.6.13.
  • Mozilla Thunderbird 3.1.7.
  • OpenOffice.org 3.3.0rc9.
  • LibreOffice 3.3.0.4.
  • Emacs 21.4 and 22.3.
  • Vim 7.3.3.
  • PHP 5.2.16.
  • Python 2.4.6, 2.5.4 and 2.6.6.
  • Ruby 1.8.7.330 and 1.9.2.136.
  • Mono 2.8.2.
  • Chromium 9.0.597.94.
• The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.6 with xserver 1.9 + patches,        freetype 2.4.4,        fontconfig 2.8.0, Mesa 7.8.2, xterm 267 and more)
  • Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+ patches)
  • Perl 5.12.2 (+ patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS        and DSO support
  • OpenSSL 1.0.0a (+ patches)
  • Sendmail 8.14.3, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Heimdal 0.7.2 (+ patches)
  • Arla 0.35.7
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)

ericlgq

没用过OPEN BSD。
我觉得SOLARIS不错，可惜不知道还有没有下一个版本。。。

greed

原帖由 ericlgq 于 2011-5-3 23:29 发表
没用过OPEN BSD。
我觉得SOLARIS不错，可惜不知道还有没有下一个版本。。。

那要看oracle有没有野心了。近几年solaris在sun手里是江河日下，市场份额不断被蚕食，如果oralce嫌麻烦，估计也就不会费心去重整它了。solaris的技术验证项目openSolaris已经被oralce关掉了，这个不知是不是一个信号。unix说是两大血统，但最后商业版本大多已经混血了。