Two books specific to OpenBSD are now available, and although they first
appeared last July they have been a bit hard to get a hold of. The OpenBSD
ordering site has carried them for a few months, but supply was limited
and slow. They are both in good supply now.

Despite our great man pages, it is still a milestone in the maturation and
increasing credibility of OpenBSD to see specific books written for the
project. So if there is anyone out there that doesn't know it yet, and
who has a penchant for real tangible documentation, feel free to check
out:

"Absolute OpenBSD" by Michael W. Lucas
or
"Building Firewalls with OpenBSD and PF" by Jacek Artymiak
[now 2nd Edition]

Descriptions, links to tables of contents, and cover pictures can be found
at:

http://www.openbsd.org/books.html
and
http://www.openbsd.org/orders.html#books

They are available at the OpenBSD website, and your favorite bookstore (do
insist -- just give them the ISBN from one of the links above).

PS: Coming this Spring, expect an announcement about availability of
"OpenBSD Security -- the Complete Guide" to be published by Wiley.

A.Hook
Calgary
OpenSSH 3.9 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support to the project, especially those who contributed source and
bought T-shirts or posters.

We have a new design of T-shirt available, more info on
http://www.openbsd.org/tshirts.html#18

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 3.8:
============================

* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should
  use keys specified in ssh_config, rather than any keys in ssh-agent(1)

* Make sshd(8) re-execute itself on accepting a new connection. This security
  measure ensures that all execute-time randomisations are reapplied for each
  connection rather than once, for the master process' lifetime. This includes
  mmap and malloc mappings, shared library addressing, shared library mapping
  order, ProPolice and StackGhost cookies on systems that support such things

* Add strict permission and ownership checks to programs reading ~/.ssh/config
  NB ssh(1) will now exit instead of trying to process a config with poor
  ownership or permissions

* Implemented the ability to pass selected environment variables between the
  client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in
  ssh_config(5) for details

* Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum
  number of authentication attempts permitted per connection

* Added support for cancellation of active remote port forwarding sessions.
  This may be performed using the ~C escape character, see "Escape Characters"
  in ssh(1) for details

* Many sftp(1) interface improvements, including greatly enha...
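The ~/.ssh/config ownership and permission check described in the 3.9 announcement above is easy to audit ahead of an upgrade, so that users are not surprised by ssh(1) refusing to start. The following is an added example, not OpenSSH code: it applies the two conditions a user config has to meet (owned by the invoking user or by root, and not group- or world-writable) to every account's ~/.ssh/config. The function names are mine, and the uid/mode values used in the test are constructed. Like ssh(1), which fstat()s the file it opened, os.stat() here follows symlinks, so a config that is a symlink to a world-writable file is still reported.

```python
"""Audit ~/.ssh/config the way ssh(1) checks it since OpenSSH 3.9.

Added example, not OpenSSH's own code. A user config must be owned by
the invoking user or by root and must not be group- or world-writable;
anything else makes ssh(1) exit instead of reading the file.
"""
import os
import pwd
import stat

# Group-write and other-write bits; either one set means "poor permissions".
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # octal 022


def judge(st_uid, st_mode, caller_uid):
    """Pure decision on stat() fields. Returns (ok, reason)."""
    if st_uid not in (0, caller_uid):
        return False, "owned by uid %d, expected uid %d or root" % (st_uid, caller_uid)
    if st_mode & UNSAFE_WRITE_BITS:
        return False, "mode %04o is group- or world-writable" % stat.S_IMODE(st_mode)
    return True, "ok"


def audit_config(path, caller_uid=None):
    """Check one config file on disk. A missing file is fine: ssh has nothing to read."""
    if caller_uid is None:
        caller_uid = os.getuid()
    try:
        st = os.stat(path)  # follows symlinks, as ssh's fstat() on the opened file does
    except FileNotFoundError:
        return True, "no config"
    return judge(st.st_uid, st.st_mode, caller_uid)


def audit_all_users():
    """Walk the passwd database and list every ~/.ssh/config that ssh(1) would reject."""
    bad = []
    for pw in pwd.getpwall():
        path = os.path.join(pw.pw_dir, ".ssh", "config")
        ok, why = audit_config(path, pw.pw_uid)
        if not ok:
            bad.append((pw.pw_name, path, why))
    return bad


if __name__ == "__main__":
    # Run as root to see every account; as a normal user only readable homes show up.
    for name, path, why in audit_all_users():
        print("%s: %s: %s" % (name, path, why))
```

The fix for a reported file is chmod 644 (or 600) on the config and chown to the user; the check does not look at the ~/.ssh directory itself, only at the file.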
To ease the load on our FTP mirrors, I am happy to announce that we
are opening up the release before the weekend rather than after it.

Enjoy!

------------------------------------------------------------------------
- OpenBSD 3.6 RELEASED -------------------------------------------------

Oct 29, 2004.

We are pleased to announce the official release of OpenBSD 3.6.
This is our 16th release on CD-ROM (and 17th via FTP). We remain
proud of OpenBSD's record of eight years with only a single remote
hole in the default install. As in our previous releases, 3.6
provides significant improvements, including new features, in nearly
all areas of the system:

- New platform:
  o OpenBSD/luna88k
    Expanding the mvme88k porting effort by supporting Omron's
    line of 88100-based workstations.

- SMP support on OpenBSD/i386 and OpenBSD/amd64 platforms.

- New functionality:
  o A cleaned up DHCP server and client implementation,
    now featuring privilege separation and safe defaults.
  o A new NTP daemon written from scratch, which ought to fit
    the needs of most NTP users.
  o pfctl(8) now provides a rules optimizer to help improve
    filtering speed.
  o The packet filter, pf(4), now supports nested anchors.
  o tcpdrop(8), a command to drop TCP connections.
  o The NMBCLUSTERS option has been eliminated, replaced by a
    sysctl with higher default values on many platforms.
  o Added support for cksum (three flavours), md4, sha256, sha384
    and sha512 to the md5(1) command.
  o Memory file systems created by the mount_mfs(8) command
    now can be populated immediately after creation.
  o New hotplugd(8) daemon and hotplug(4) device that
    watch for newly attached devices.
  o isakmpd(8) now supports NAT-traversal and Dead Peer Detection
    (RFC 3706).
  o strtonum(3), a simple, robust and therefore safe function
    to convert strings to numbers, has been added.
  o On the OpenBSD/sparc platform, StackGhost buffer overflow
    exploit protection has been adde...
Hi,
The release announcement for OpenSSH 4.0p1 had an incorrect md5sum for the
portable tarball. The correct md5 is below, otherwise you may verify the
integrity of the release using the PGP signature, contained in the file
"openssh-4.0p1.tar.gz.sig" in the release directory.

MD5 (openssh-4.0p1.tar.gz) = 7b36f28fc16e1b7f4ba3c1dca191ac92

Apologies for any confusion,
Damien Miller
Hi,
The SHA1 checksum on the last announcement was incorrect for the portable
OpenSSH tarball. The correct checksums are:

SHA1 (openssh-4.1.tar.gz) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb
SHA1 (openssh-4.1p1.tar.gz) = e85d389da8ad8290f5031b8f9972e2623c674e46

Apologies for any inconvenience.
Regards,
Damien Miller
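Both correction mails above publish checksums in the BSD "ALGO (file) = hex" form that md5(1) and sha1(1) print. What follows is an added example, not OpenSSH or OpenBSD project code, of checking a downloaded tarball against such a line: it parses the line, recomputes the digest over the file, and compares in constant time. The function names are mine; the digests asserted in the test are the standard test vectors for the empty string and for "abc", and the file names in them are made up. Two caveats a practitioner should keep in mind: a checksum fetched from the same mirror as the tarball only detects transit corruption, since anyone who can replace the tarball can replace the checksum, so authenticity still rests on the PGP signature the first mail points to; and MD5 and SHA1 are no longer collision resistant, which is why current releases publish SHA256 sums.

```python
"""Verify a release tarball against an announced "ALGO (file) = hex" line.

Added example; not project code. Handles the MD5/SHA1/SHA256/SHA512
lines as printed by the BSD md5(1) family, including the lines in the
two correction mails.
"""
import hashlib
import hmac
import re

# e.g.  MD5 (openssh-4.0p1.tar.gz) = 7b36f28fc16e1b7f4ba3c1dca191ac92
_LINE = re.compile(r"^\s*(MD5|SHA1|SHA256|SHA512)\s*\((.+?)\)\s*=\s*([0-9A-Fa-f]+)\s*$")
_ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_checksum_line(line):
    """Return (algo, filename, lowercase hexdigest); reject malformed lines early."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("unrecognised checksum line: %r" % line)
    algo, filename, hexdigest = m.groups()
    want = hashlib.new(_ALGOS[algo]).digest_size * 2
    if len(hexdigest) != want:
        raise ValueError("%s digest must be %d hex characters, got %d" % (algo, want, len(hexdigest)))
    return algo, filename, hexdigest.lower()


def digest_hex(data, algo):
    """Hex digest of in-memory bytes with the named announcement algorithm."""
    h = hashlib.new(_ALGOS[algo])
    h.update(data)
    return h.hexdigest()


def verify_bytes(data, line):
    """True if data matches the digest in the checksum line."""
    algo, _, expected = parse_checksum_line(line)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(digest_hex(data, algo), expected)


def verify_file(path, line, chunk=1 << 20):
    """Same check for a file on disk, read in chunks so large tarballs fit."""
    algo, _, expected = parse_checksum_line(line)
    h = hashlib.new(_ALGOS[algo])
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    import sys
    # usage: verify.py <tarball> "<checksum line as published>"
    print("OK" if verify_file(sys.argv[1], sys.argv[2]) else "MISMATCH")
```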
Due to the release of OpenBSD 3.7, the 3.5-STABLE branch will be
out of regular maintenance. There will be NO MORE fixes committed
to this branch nor new patches.

People relying on 3.5-STABLE (or older releases even) are strongly
advised to upgrade to a more recent release (preferably 3.7)
as soon as possible.
The OpenBSD mailing list server will be down from 5am to 6pm MST
on Saturday, Jan 26th. Facilities needs to shut down the computer
room cooling system for some plumbing work, and they are scheduled
to finish by 6pm. If they finish earlier the list server will be
back sooner.

This also affects anoncvs3.usa.openbsd.org which resides in the
same machine room.

- todd
url: http://eusecwest.com
url: http://cansecwest.com
(CanSecWest Call For Papers attached below)

EUSecWest/core06 Conference
---------------------------

Announcing the final selection of papers for the
EUSecWest conference in London, U.K. on Feb. 20/21
at the Victoria Park Plaza Hotel. The following
topics will be covered:

Javier Burroni & Carlos Sarraute - Core Security Technologies
Analyzing OS fingerprints using Neural Networks and Statistical Machinery

van Hauser - thc
Attacking the IPv6 protocol suite

Yuji Ukai - eeye
Exploiting Real-Time OS Based Embedded Systems Using the JTAG Emulator

Nguyen Anh Quynh - Keio University
XEBEK: A Next Generation Honeypot Monitoring System

Fred Raynal - EADS
Malicious Crypto

Cesar Cerrudo - Argeniss
Windows Local Shellcode Injection

Andrew Cushman - Microsoft
Microsoft Security Fundamentals

Shreeraj Shahi - Net Square
Advanced Web Hacking - Attacks & Defense

Justin Clarke - Ernst & Young LLP
Practical Automated Web Application Attack Techniques

Andy Davis - IRM PLC
ColdFusion Security

Tim Hurman - Pentest Ltd.
ARMed combat: the fight for personal security

Raffael Marty - ArcSight
A Visual Approach to Security Event Management

Michael Boman - KPMG Singapore
Network Security Monitoring: Theory and Practice

Jim DeLeskie & Danny McPherson - Teleglobe, Arbor Networks
Protecting the Infrastructure

Andrea Barisani - Inverse Path
Lessons in Open Source Security: The Tale of a 0-Day Incident

We would also like to announce the final list of Security
Masters Dojo courses that will be offered on February 16th
and 17th at the Victoria Park Plaza Hotel. Seats are
available for all courses, but course registration is
limited to only ten students each. We are considering
adding additional course sessions on Feb 23/24 if
demand warrants it. The hands-on courses offered
will be:

Gerardo Richar...
Due to the release of OpenBSD 3.9, the 3.7-STABLE branch will be
out of regular maintenance. There will be NO MORE fixes committed
to this branch nor new patches.

People relying on 3.7-STABLE (or older releases even) are strongly
advised to upgrade to a more recent release (preferably 3.9)
as soon as possible.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are pleased to announce the official release of OpenBGPD 4.0.

OpenBGPD is a fairly complete implementation of the Border Gateway
Protocol, Version 4, as described in RFC 1771. BGP is a protocol used
by routers to exchange routing information, and is one of the core
protocols of the Internet.

Highlights include:
* full support for the BGP protocol as defined in RFC 1771
* full support for tcp md5 signatures (RFC 2385)
* full ipsec integration, with both static and dynamic keying supported
* pf and CARP integration
* communities support (RFC 1997)
* route refresh (RFC 2918)
* capabilities advertisement (RFC 3392)
* low memory footprint
* kernel routing table can be coupled and decoupled any time
* easy, straightforward configuration language
* very good performance
* easy to use bgpctl program, to control bgpd at runtime
* complete and accurate manpages

Improvements since OpenBGPD 3.9 include:
* new nexthop selection logic ignoring bgpd routes, helps in complex setups
  with ospfd
* add a "detailed" show rib view to bgpctl, including communities
* allow requesting a route refresh from a peer that supports it
* have bgpd always report back the result of an operation to bgpctl, so the
  operator can spot errors quicker
* allow bgpd to manipulate carp demotion counters based on session states,
  gives even greater failover support
* support restarting sessions that reached max-prefix after a given time
* bgpctl can now show all routes received from a neighbor before filters
  were applied, and routes sent to neighbors
* assorted fixes and improvements, as usual

OpenBGPD is in use in many production environments, with dozens to
hundreds of peers.

OpenBGPD 4.0 comes with OpenBSD 4.0, or can be downloaded separately
from one of the mirrors listed at http://www.openbgpd.org/.

OpenBGPD is developed as part of the OpenBSD project, which offers CDs,
T-Shirts and Posters. Sales of these items help funding OpenBGPD
dev...
The OpenBSD mailing lists will be down on Saturday April 5th from
4am MDT to 6pm MDT for machine room maintenance. This will also
affect anoncvs3.usa.openbsd.org and ftp.usa.openbsd.org which are
located in the same machine room.

- todd
OpenSSH Security Advisory: cbc.adv

Regarding the "Plaintext Recovery Attack Against SSH" reported as
CPNI-957037[1]:

The OpenSSH team has been made aware of an attack against the SSH
protocol version 2 by researchers at the University of London.
Unfortunately, due to the report lacking any detailed technical
description of the attack and CPNI's unwillingness to share necessary
information, we are unable to properly assess its impact.

Based on the description contained in the CPNI report and a slightly
more detailed description forwarded by CERT this issue appears to be
substantially similar to a known weakness in the SSH binary packet
protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
The new component seems to be an attack that can recover 14 bits of
plaintext with a success probability of 2^-14, though we suspect this
underestimates the work required by a practical attack.

For most SSH usage scenarios, this attack has a very low likelihood of
being carried out successfully - each attempt has a low probability
of success and each failure will cause connection termination with a
fatal error. It is therefore very unlikely for an interactive session
to be usefully attacked using this protocol weakness: an attacker would
expect around 32768 connection-killing attempts before they are likely
to succeed. This level of disruption would certainly be noticed and it
is highly unlikely that any user would retry the connection enough times
for the attack to succeed.

The usage pattern where the attack is most likely to succeed is where an
automated connection is configured to retry indefinitely in the event of
errors. In this case, it might be possible to recover as much as 14 bits
of plaintext per hour (assuming a very fast 10 connections per second).
Implementing a limit on the number of connection retries (e.g. 256) is
sufficient to render the attack infeasible for this case.

AES CTR mode and arcfour ciphers are not vulnerable to this attack at
all. These may b...
Many people have received their 4.6 CDs in the mail by now, and we
really don't want them to be without the full package repository.

------------------------------------------------------------------------
- OpenBSD 4.6 RELEASED -------------------------------------------------

Oct 18, 2009.

We are pleased to announce the official release of OpenBSD 4.6.
This is our 26th release on CD-ROM (and 27th via FTP). We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.6 provides significant improvements,
including new features, in nearly all areas of the system:

- New/extended platforms:
  o mvme88k
    o MVME141 and MVME165 boards are now supported.
  o sgi
    o SGI Octane, SGI Origin 200 and SGI Fuel systems are now supported.
    o Several bugs in interrupt handling have been fixed, resulting
      in significantly improved system response.
  o sparc
    o The bootblock load address has been moved so that larger kernels
      can be loaded.
  o sparc64
    o Acceleration support has been added for many of the PCI frame buffer
      drivers, such as the Sun PGX, PGX64 and XVR-100, and Tech Source
      Raptor GFX graphics cards.

- Improved hardware support, including:
  o Several new/improved drivers for sensors, including:
    o The ips(4) driver now has sensor support, complementing the bio support.
    o The acpithinkpad(4) driver now has temperature and fan sensor support.
    o New endrun(4) driver for the EndRun Technologies timedelta sensor.
    o The fins(4) driver now has support for F71806, F71862 and F71882 ICs.
    o The acpitz(4) driver now shows correct decimals for temperature.
  o Added radeonfb(4) to sparc64, an accelerated framebuffer for
    Sun XVR-100 boards.
  o Added support for RTL8103E and RTL8168DP devices in the re(4) driver.
  o Added support for BCM5709/BCM5716 devices in the bnx(4) driver.
  o Added support...
Daemon News is pleased to announce the winter quarter issue of the
print magazine.

As always, this issue delivers insightful BSD articles and exceptional
graphics which do not appear anywhere on the Internet, as well as
reprints from the FreeBSD Diary, BSD@Work, and Daemon News Ezine.

This issue is already on its way to current subscribers, and many of
you may have already received it. My copy arrived in the mail today!

Also new is the availability of a pdf of the entire issue. When
ordering on-line, a zipped PDF can be downloaded immediately; of course
a hardcopy will be mailed to you as well.

Table of Contents:
Getting to the source of Mac OS X
Scanning e-mail for viruses with Kaspersky
FreeBSD Diary: Upgrading Ports
OpenBSD PF How-To
Book Review: FreeBSD Unleashed
Dual Booting NetBSD and Mac OS X
Embedded BSD

You can order from:
http://www.bsdmall.com/magazines.html
Magazine Subscriptions are available here:
http://www.bsdmall.com/dnmagsub.html
Vendor pricing will be handled through cylogistics.com.

Chris Coleman Editor in Chief
Daemon News E-Zine http://www.daemonnews.org
Print Magazine http://magazine.daemonnews.org
BSDMall http://www.bsdmall.com
OpenSSH 3.2.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Changes:
=================

- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
  see UsePrivilegeSeparation in sshd(8) and
  http://www.citi.umich.edu/u/provos/ssh/privsep.html
  for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger

Other Changes:
==============

- improved smartcard support (including support for OpenSC, see www.opensc.org)
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from ssh.com software).
- client side support for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html and
  http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.
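The last item under "Security Changes" in the 3.2.2 announcement above, the refusal of RSA keys smaller than SSH_RSA_MINIMUM_MODULUS_SIZE (768 bits), is a check an administrator can run over authorized_keys files before rolling out the new sshd, to find keys that will stop working. The following is an added example, not OpenSSH's own code: it decodes the base64 "ssh-rsa" blob of a key line into the RFC 4251 wire fields (a length-prefixed string holding the key type, then the exponent e and the modulus n as mpints), takes the bit length of n, and applies the floor. The helper names are mine and the keys used in the test are constructed from a fixed exponent and a modulus of chosen bit length rather than generated key pairs, which is enough to exercise the size check. Note that current OpenSSH releases use a higher floor of 1024 bits; the constant below is the one from this announcement.

```python
"""Flag ssh-rsa public keys whose modulus is below a minimum size.

Added example, not OpenSSH code. The floor is the one quoted in the
OpenSSH 3.2.2 announcement; pass a different `minimum` for newer
releases.
"""
import base64
import struct

SSH_RSA_MINIMUM_MODULUS_SIZE = 768  # bits, as announced for 3.2.2


def ssh_string(b):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    """RFC 4251 'mpint' for a non-negative int: two's complement, big-endian,
    with a leading 0x00 byte when the top bit would otherwise read as a sign."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def encode_rsa_pubkey(e, n):
    """The blob that follows 'ssh-rsa ' in an authorized_keys / .pub line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def make_key_line(e, n, comment):
    """Constructed authorized_keys line for testing (not a usable key pair)."""
    return "ssh-rsa %s %s" % (base64.b64encode(encode_rsa_pubkey(e, n)).decode(), comment)


def _read_string(blob, off):
    """Read one length-prefixed string at offset; bounds-checked."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated string")
    return blob[off:off + length], off + length


def parse_rsa_pubkey(blob):
    """Return (e, n) from an ssh-rsa blob; ValueError on anything malformed."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after key")
    if n_bytes and n_bytes[0] & 0x80:
        raise ValueError("negative modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def modulus_bits(blob):
    """Bit length of the RSA modulus; the leading 0x00 of the mpint does not count."""
    _, n = parse_rsa_pubkey(blob)
    return n.bit_length()


def key_line_acceptable(line, minimum=SSH_RSA_MINIMUM_MODULUS_SIZE):
    """True if the line is an ssh-rsa key whose modulus meets the floor.
    Non-RSA key types and undecodable lines return False."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return False
    try:
        blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
        return modulus_bits(blob) >= minimum
    except ValueError:
        return False


if __name__ == "__main__":
    import sys
    # usage: rsa_size.py ~/.ssh/authorized_keys
    with open(sys.argv[1]) as f:
        for lineno, line in enumerate(f, 1):
            if line.startswith("ssh-rsa") and not key_line_acceptable(line):
                print("line %d: RSA key below %d bits" % (lineno, SSH_RSA_MINIMUM_MODULUS_SIZE))
```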
Sorry folks, CTM generated a monster delta of 160 MB. It contains only
trash, which will be removed by OpenBSD-cvs.2430.gz immediately.

Do not download OpenBSD-cvs.2429.gz, I'll make new deltas for both
OpenBSD-cvs.2429.gz and OpenBSD-cvs.2430.gz during this weekend. CTM
will remain shut down until this is done.

Sorry for the inconvenience.

-hgw
April 1, 2003, 10:50 AM MST
Sun Microsystems (Nasdaq: SUNW), in a surprise announcement, has
stated that it will offer the OpenBSD operating system as the default
operating system for its Intel-based workstations. The move came
shortly after Sun announced the death of its own Linux distribution,
internally known as "Mad Hatter Linux".

This new direction comes on the heels of a strategic partnership
between Intel and Fujitsu, long-time Sun partner and manufacturer
of Sparc chips, to build competing Linux-based servers and mainframe
computers.

"Our polling shows a strong demand for Sun-branded Intel workstations
running OpenBSD" said head of Open Source Solutions Brad S. Downey.
"Customers who wish to run Solaris generally do so on our
enterprise-strength UltraSparc-based machines. Anyone can sell a
PC running Linux, here at Sun we strive to differentiate ourselves
and produce a product with superior hardware and software. With
its dedication to industrial strength security OpenBSD allows us
to do just that." Both OpenBSD and Solaris have their roots in a
version of Unix developed at the University of California, Berkeley.
Downey stated "Sun engineers are more comfortable inside the OpenBSD
kernel than they are inside Linux. Furthermore, Sun has shipped
OpenSSH, an OpenBSD spin off project, for the past several releases
so we already have good contacts within the OpenBSD leadership."

When asked about the recent tiff between OpenBSD lead Theo de Raadt
and Sun regarding hardware documentation for the UltraSparc III
CPU, Downey said "We have a good rapport with the OpenBSD team.
Our assistance in gaining access to hardware documentation has been
invaluable to them regarding the continued development of their
UltraSparc port." When asked whether he was worried about OpenBSD
on the UltraSparc taking market share from Sun's one Solaris (tm)
operating system, Downey had the following to say: "We don't see
ourselves as being in direct competition. While it's true that we
both ...
The Swiss Unix Conference is taking place for the first time. It is
about education intended for open-minded individuals interested in
the Unix environment.

Friday 5th September 2003, Kongresshaus Zurich

See the conference website http://www.sucon.ch/ for more information
and registration.

We invited several experts in the area of Unix and Open Source
Development.

Key Talks

* Linux on iSeries
  Hans-Dieter Wehle, IBM Development Laboratory Germany

* Gnome Technology and Direction
  Michael Meeks, Novell Ximian Services

* Quality of Service under Linux: Theory and Use
  Bert Hubert, Author of the Linux Advanced Routing & Traffic Control
  HOWTO

* Design and Performance of the OpenBSD Stateful Packet Filter
  Daniel Hartmeier, Author of the OpenBSD Packet Filter

See http://www.sucon.ch/ for a complete list of talks.

Finally, SUCON offers the opportunity for informal discussions among
participants on both technical and non-technical topics. SUCON is a
place to learn and to have fun!

A big thank you to our sponsors IBM Switzerland and Sun Microsystems
Switzerland.

Contact <sucon@suug.ch> for questions concerning the conference.
We look forward to meeting you at SUCON.
Just back from my (hiking) trip, I am happy to announce the 4.2
song has been added to the lyrics page at
http://www.openbsd.org/lyrics.html

Yes, it is designed to sound like a mid-era Rush song, ie. something
from Grace Under Pressure or such. And there's a few easter eggs
hidden in the song as well. It also explains the inside sleeve
image...
