Posted almost 5 years ago
Ted Unangst (tedu@) posted to the tech@ mailing list regarding recent changes to environment handling in doas (in -current):
[...]
After some reflection, I've been convinced that it's unlikely everybody reads
the manuals, or that the manuals are even correct or complete. So the new doas
behavior moving forward is to reset most everything to the target user's
environment.
Your action items, as we like to say in the biz, are:
1. Check existing configs for "restricted root" rules and verify that they are
run with the correct environment.
2. When updating, check for rules that intentionally use inherited environment
variables. They may need to be explicitly passed using setenv in doas.conf.
Readers are encouraged to read the entire message.
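As an added illustration of the two action items above (not code from the post or from doas itself), the following script parses a doas.conf and lists permit rules that carry neither keepenv nor a setenv list, i.e. rules whose commands may have relied on variables doas no longer inherits. The sample configuration and user names are constructed, and the heuristic assumes rules already using keepenv or setenv were written with the environment in mind.

```python
# Hypothetical doas.conf audit helper; grammar follows doas.conf(5):
#   permit|deny [nopass|nolog|persist|keepenv|setenv {...}] identity
#               [as target] [cmd command [args ...]]
import re
import shlex

SETENV_RE = re.compile(r"setenv\s*\{([^}]*)\}")
FLAG_OPTS = ("nopass", "nolog", "persist", "keepenv")

def parse_rule(line):
    """Parse one doas.conf line; returns None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    setenv = None
    m = SETENV_RE.search(line)          # pull out "setenv { ... }" first
    if m:
        setenv = m.group(1).split()
        line = line[:m.start()] + line[m.end():]
    tok = shlex.split(line)
    action = tok.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("not a doas rule: " + line)
    opts = set()
    while tok and tok[0] in FLAG_OPTS:
        opts.add(tok.pop(0))
    identity = tok.pop(0)
    target, cmd, args = "root", None, []    # doas targets root by default
    if tok and tok[0] == "as":
        target, tok = tok[1], tok[2:]
    if tok and tok[0] == "cmd":
        cmd = tok[1]
        args = tok[3:] if len(tok) > 2 and tok[2] == "args" else []
    return {"action": action, "opts": opts, "setenv": setenv,
            "identity": identity, "target": target, "cmd": cmd, "args": args}

def rules_needing_review(config):
    """Permit rules with neither keepenv nor setenv: their commands now run
    with the target user's reset environment."""
    rules = filter(None, (parse_rule(ln) for ln in config.splitlines()))
    return [r for r in rules
            if r["action"] == "permit"
            and "keepenv" not in r["opts"] and not r["setenv"]]

SAMPLE_CONF = """\
# constructed sample doas.conf (not from any real host)
permit persist :wheel
permit nopass keepenv alice as root cmd /usr/sbin/rcctl
permit nopass setenv { HOME PATH=/bin } bob cmd /usr/local/bin/backup
deny carol
permit nopass dave as operator cmd /sbin/shutdown args -p now
"""
```

Running rules_needing_review(SAMPLE_CONF) returns the :wheel and dave rules; an empty setenv { } is treated as passing nothing and is flagged as well.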
Posted almost 5 years ago
Damien Miller (djm@) has just committed a new feature for SSH that should help protect against all the various memory side channel attacks that have surfaced recently.
Add protection for private keys at rest in RAM against speculation
and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and
Rambleed. This change encrypts private keys when they are not in use
with a symmetric key that is derived from a relatively large "prekey"
consisting of random data (currently 16KB).
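The shielding scheme as an added model written for this page, not OpenSSH's own code: it keeps the 16 KB random prekey and derives the at-rest key by hashing it, but substitutes SHA-512 key derivation and a SHAKE256 keystream for OpenSSH's actual cipher so that it runs with only the Python standard library. The flip_bit helper is hypothetical and exists only to show why an attacker must recover the whole prekey bit-exact to get the key.

```python
import hashlib
import os

PREKEY_BYTES = 16 * 1024          # prekey size quoted in the commit message

def derive_key(prekey: bytes) -> bytes:
    """Compress the large prekey into a 256-bit symmetric key.  A single
    wrong bit in the prekey yields an unrelated key."""
    return hashlib.sha512(prekey).digest()[:32]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher built from the SHAKE256 XOF (stand-in for AES-CTR)."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def shield(secret: bytes):
    """Encrypt a private key for storage in RAM.  Returns (prekey, nonce,
    ciphertext); the caller keeps these and wipes the plaintext copy."""
    prekey = os.urandom(PREKEY_BYTES)
    nonce = os.urandom(16)
    return prekey, nonce, keystream_xor(derive_key(prekey), nonce, secret)

def unshield(prekey: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Recover the plaintext for the brief time the key is in use.  There is
    no integrity tag here; a real implementation validates what it parses."""
    return keystream_xor(derive_key(prekey), nonce, ciphertext)

def flip_bit(buf: bytes, bit: int) -> bytes:
    """Hypothetical helper: simulate one bit of the prekey being read wrong
    (e.g. an error-prone side-channel leak)."""
    out = bytearray(buf)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)
```

With an AES-CTR key of 32 bytes, an attacker leaking RAM must instead extract all 16 KB of prekey without a single error, which is what makes noisy side channels impractical against the shielded key.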
Posted almost 5 years ago
Otto Moerbeek (otto@) has written an update on his recent ntpd(8) work to the tech@ mailing list:
Hi,
I have been working on a nice feature that improves startup behaviour of ntpd.
Summary: make sure you have at least one constraint source configured
and use no options. ntpd will set the clock if needed, even if your
machine has no battery backed up clock and is running a DNSSEC
validating resolver.
Posted almost 5 years ago
Job Snijders (job@) has imported Kristaps Dzonsons' rpki-client (discussed previously) into the tree:
And here is the commit message:
Import Kristaps Dzonsons' RPKI validator into the tree
rpki-client(1) is an implementation of the Resource Public Key
Infrastructure (RPKI), specified by RFC 6480. The client is responsible
for downloading, validating and converting Route Origin Authorisations
(ROAs) into Validated ROA Payloads (VRPs). The client's output (VRPs)
can be used by bgpd(8) to perform BGP Origin Validation (RFC 6811).
The current rpki-client(1) version depends on the CMS functions in
OpenSSL; this of course needs to be addressed urgently.
Thanks to NetNod, IIS.SE, SUNET & 6connect for supporting this effort!
OK deraadt@
On Mon, Jun 17, 2019 at 08:31:31AM -0600, Job Snijders wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: [email protected] 2019/06/17 08:31:31
>
> Log message:
> ../../../logmessage
>
> Status:
>
> Vendor Tag: job
> Release Tags: job_20190617
>
> N src/usr.sbin/rpki-client/LICENSE.md
> N src/usr.sbin/rpki-client/Makefile
> N src/usr.sbin/rpki-client/README.md
> N src/usr.sbin/rpki-client/TODO.md
> N src/usr.sbin/rpki-client/as.c
> N src/usr.sbin/rpki-client/cert.c
> N src/usr.sbin/rpki-client/cms.c
> N src/usr.sbin/rpki-client/crl.c
> N src/usr.sbin/rpki-client/extern.h
> N src/usr.sbin/rpki-client/io.c
> N src/usr.sbin/rpki-client/ip.c
> N src/usr.sbin/rpki-client/log.c
> N src/usr.sbin/rpki-client/main.c
> N src/usr.sbin/rpki-client/mft.c
> N src/usr.sbin/rpki-client/roa.c
> N src/usr.sbin/rpki-client/rpki-client.1
> N src/usr.sbin/rpki-client/rsync.c
> N src/usr.sbin/rpki-client/tal.c
> N src/usr.sbin/rpki-client/test-cert.c
> N src/usr.sbin/rpki-client/test-ip.c
> N src/usr.sbin/rpki-client/test-mft.c
> N src/usr.sbin/rpki-client/test-roa.c
> N src/usr.sbin/rpki-client/test-tal.c
> N src/usr.sbin/rpki-client/compats.c
> N src/usr.sbin/rpki-client/configure
> N src/usr.sbin/rpki-client/tests.c
> N src/usr.sbin/rpki-client/output-bgpd.c
> N src/usr.sbin/rpki-client/validate.c
> N src/usr.sbin/rpki-client/x509.c
> N src/usr.sbin/rpki-client/tals/afrinic.tal
> N src/usr.sbin/rpki-client/tals/apnic.tal
> N src/usr.sbin/rpki-client/tals/lacnic.tal
> N src/usr.sbin/rpki-client/tals/ripe.tal
>
> No conflicts created by this import
>
At the time of writing, it is not linked to the build, but work continues apace.
Posted almost 5 years ago
Videos of presentations at BSDCan 2019 are now (becoming) available from the YouTube channel.
Links to the videos can now also be found in the usual place.
Posted almost 5 years ago
Our next hackathon report comes from Stefan Sperling (stsp@):
My goal for g2k19 was to work on Tx aggregation support in the wifi stack.
But of course I didn't even get to start working on that before I was back home.
Posted almost 5 years ago
Florian Obser (florian@) has committed the changes required to move acme-client(1) in -current to the RFC 8555 protocol used by the Let's Encrypt v02 API:
CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2019/06/07 02:07:52
Modified files:
usr.sbin/acme-client: acctproc.c acme-client.1 certproc.c
extern.h http.c http.h json.c main.c
netproc.c
Log message:
Implement RFC 8555 "Automatic Certificate Management Environment
(ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01
API. Users must change the api url in /etc/acme-client.conf to
https://acme-v02.api.letsencrypt.org/directory
Existing accounts (and certs of course) stay valid and after the url
change acme-client will be able to renew certs.
Tested by Renaud Allard and benno
Input & OK benno
Let's Encrypt has already announced its "End of Life Plan for ACMEv1".
Posted almost 5 years ago
Introduction
There have been some recent security innovations previously unreported here:
New flag "MAP_CONCEAL" for mmap(2) allocations
No syscalls from pages where PROT_WRITE is still enabled
Posted almost 5 years ago
Ken Westerback of The OpenBSD Foundation wrote in with some excellent news on the 2019 fundraising campaign:
The OpenBSD Foundation is excited to announce that it has received its
largest ever donation. Smartisan has topped its own previous record
donation with a 2019 donation of CDN$380,000.00.
This makes Smartisan the first Iridium level donor of 2019.
Smartisan has donated tickets sales from its new product launch events
to the open source community since 2014. This year Smartisan chose to
donate some of the proceeds to the OpenBSD Foundation.
We thank Smartisan for its very generous support! This donation
will allow the Foundation to fund many exciting initiatives in
OpenBSD and related projects over the next few years.
As we've noted before, this donation does not preclude others from contributing!
Posted almost 5 years ago
Next up with a report from g2k19 is Andrew Hewus Fresh (afresh1@):
This year I had been thinking of ideas for things to work on in the
weeks before the hackathon and the top thing on my list was to improve
portgen(1) so that I could switch from tools I wrote to something
everyone was more likely to use. Surprisingly, although I didn't really
get to any of the other things on my list done, I did spend most of the
hackathon on improving portgen(1) which is the first time I've ever
actually worked on something from my TODO list rather than having
something else come up.