OpenBSD

Discussion about OpenBSD.

OpenBSD: Firewall Failover with pfsync and CARP

Submitted by dhartmei
on March 30, 2004 - 4:04am

OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP.

CARP (Common Address Redundancy Protocol) [story] is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes.

The combination allows replacing single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow sharing a single IP address among multiple servers, transparently balancing load among them and adapting to servers failing.
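As an added configuration example (not from Ryan's article or the OpenBSD project; the interface names fxp0/fxp1/fxp2, the addresses, the vhid and the CARP password are assumed), here is the minimal set of OpenBSD 3.5-era files for a two-node cluster. Both nodes carry the same carp0, pfsync0 and pf.conf setup; only advskew differs, and that is what decides the election: the node advertising with the lowest skew becomes master, and with preempt enabled it takes the shared address back when it returns.

```conf
# /etc/hostname.carp0 on the primary node (assumed addresses; 10.0.0.1 is
# the shared address clients use as their gateway). vhid 1 identifies the
# virtual host, "pass" is the key for the HMAC-SHA1 on advertisements,
# advskew 0 makes this node the preferred master.
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass mekmitasdigoat carpdev fxp0 advskew 0

# /etc/hostname.carp0 on the backup node: identical except for a higher
# advskew, so it only wins the election when the primary stops advertising.
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass mekmitasdigoat carpdev fxp0 advskew 100

# /etc/hostname.pfsync0 on both nodes: state updates go out fxp2, a
# dedicated crossover link (3.5 calls the option syncif; later releases
# spell it syncdev). pfsync is unauthenticated, so this link must not be
# reachable from anything but the other firewall.
up syncif fxp2

# /etc/sysctl.conf on both nodes: let the lower-skew node reclaim master
# when it comes back.
net.inet.carp.preempt=1

# /etc/pf.conf fragment on both nodes (assumed interface names; a default
# "block all" is assumed to exist elsewhere in the ruleset).
ext_if="fxp0"
int_if="fxp1"
sync_if="fxp2"
# pfsync (IP protocol 240) only on the private sync link
pass quick on $sync_if proto pfsync keep state
# CARP advertisements (IP protocol 112) on every interface carrying a shared address
pass on { $ext_if, $int_if } proto carp keep state
```

To check the result, ifconfig carp0 on each node reports "carp: MASTER" or "carp: BACKUP", and pfctl -s state on the backup should list the same connections as the master. Pull the primary's external cable: the backup should take over within about three advertisement intervals, and existing TCP sessions through the cluster should survive because their states were already replicated.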

I don't think this is an appropriate category

Submitted by Anonymous
on March 28, 2004 - 5:27pm
OpenBSD

Now I have been involved in open source development for a number of years, myself being a computer science student representative at a local college and an active OpenBSD user for over 3 years now. I can say that I have never met anyone who has flamed OpenBSD in any way.
There have been some suggestions for improvement, but never ever have I heard anything negative towards this system.

From my experience OpenBSD is:

OpenBSD: SMP, Privsep and PXE

Submitted by njc
on March 19, 2004 - 10:18am
OpenBSD

SMP development in OpenBSD has been refreshed by Nick Hallqvist, a funded developer who has been committing various SMP related changes to -current:
Post to openbsd-tech

Additionally, privilege separation has been added to named:
CVS commit to openbsd-cvs

xmms will not load file

Submitted by Anonymous
on February 29, 2004 - 12:08am
OpenBSD

I am using OpenBSD 3.4 and xmms-1.2.7.
I also pkg_delete'd xmms-1.2.7 and installed xmms-1.2.10.
After ./configure; make; and make install, I saw no binary for xmms in /usr/local/bin?
The xmms load-file window opens (xmms-1.2.7), but when I select the mp3 file I get no sound. The load-file program does not load.
I installed the OSS software and compiled a new kernel correctly to run the soundon command.

startx works in root but not in user

Submitted by Anonymous
on February 1, 2004 - 2:31pm
OpenBSD

After creating an administrative user account (group 'wheel') I tried to use the startx command with no results. I can 'startx' in root account but not in any user accounts.
Help appreciated!

OpenBSD: Tracking Stateful Connections By Source IP

Submitted by Jeremy
on December 14, 2003 - 8:48pm
OpenBSD

Ryan McBride announced that he has committed code to PF, OpenBSD's stateful packet filter, adding support for tracking stateful connections based on the source IP address. Ryan explains that this allows a firewall administrator to "ensure that clients get a consistent IP mapping with load-balanced translation/routing rules, limit the number of simultaneous connections a client can make, [and] limit the number of clients which can connect through a rule".

Read on for Ryan's announcement which includes examples of how to configure this new functionality.
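The page does not reproduce Ryan's examples, so as an added illustration (not his announcement's text; the interface name, addresses and limits are assumed) here is a pf.conf fragment using the source-tracking options this commit introduced: sticky-address to keep a client on one back end, and source-track with max-src-nodes and max-src-states to cap the number of clients and the states each may hold.

```conf
ext_if="fxp0"                                            # assumed
ext_addr="203.0.113.1"                                   # assumed public address
web_pool="{ 192.168.1.10, 192.168.1.11, 192.168.1.12 }"  # assumed back ends

# Load-balance port 80 across the pool, but keep each client on the back
# end it was first mapped to (a consistent IP mapping per source).
rdr on $ext_if proto tcp from any to $ext_addr port 80 \
    -> $web_pool round-robin sticky-address

# Per-rule tracking: at most 100 distinct client addresses may hold
# states created by this rule, and no single client may hold more than 10.
pass in on $ext_if proto tcp from any to $web_pool port 80 \
    flags S/SA keep state (source-track rule, max-src-nodes 100, max-src-states 10)

# Global tracking: states from every rule marked "source-track global"
# count against one per-source total, so an ssh client is capped at 5
# states no matter how many such rules it matches.
pass in on $ext_if proto tcp from any to $ext_addr port ssh \
    flags S/SA keep state (source-track global, max-src-states 5)
```

pfctl -s sources lists the tracked source addresses with their current state counts; a client that has reached its limit cannot create further states through that rule until some of its existing ones expire. The limits are per source address, so many clients behind one NAT share a single budget, which is worth remembering before choosing max-src-states.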

amd64

Submitted by Anonymous
on November 19, 2003 - 11:56pm
OpenBSD

How close is OpenBSD to a stable amd64 arch port?

OpenBSD: 3.2 End Of Life

Submitted by Jeremy
on November 5, 2003 - 6:10am
OpenBSD

Margarida Sequeira announced that OpenBSD 3.2 [story] has reached its end of life, "There will be NO MORE fixes committed to this branch nor new patches." The OpenBSD project always supports the two latest releases, which at this time are 3.3 [story] and 3.4 [story].

OpenBSD: 3.4 Released

Submitted by Jeremy
on October 30, 2003 - 6:43pm
OpenBSD

Ted Unangst announced the release of OpenBSD 3.4 a couple of days early, referring to Halloween by saying, "We just couldn't wait another 2 days, so now you can enjoy OpenBSD 3.4 a little early and protect yourself from ghosts and goblins." OpenBSD 3.4 is the 14th release of OpenBSD on CD-ROM, and the 15th release by FTP. Ted adds, "We remain proud of OpenBSD's record of seven years with only a single remote hole in the default install. As in our previous releases, 3.4 provides significant improvements, including new features, in nearly all areas of the system".

Highlights of the 3.4 release include W^X improvements, randomized order in loading of libraries, loading of libraries into somewhat random memory locations, privilege separation implemented in syslog, reimplementation of thousands of occurrences of unsafe library calls, the kernel being compiled with ProPolice, improved hardware support, a massive overhaul and sync with NetBSD of the USB code, and an improved ports tree. Users of PF, OpenBSD's stateful packet filter, will be able to utilize the introduction of packet tagging, stateful TCP normalization (effectively preventing uptime calculation and NAT detection), passive OS detection, a SYN proxy to protect from SYN flood attacks and adaptive state timeouts to better handle attacks.
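As an added illustration of the 3.4 pf features listed above (not from the release announcement; interface names, addresses and the timeout values are assumed), here is a pf.conf fragment that exercises each of them. Sections appear in the order pfctl requires: macros, options, normalization, translation, filtering.

```conf
ext_if="fxp0"              # assumed
int_if="fxp1"              # assumed
webserver="192.168.1.10"   # assumed

# Adaptive state timeouts: once more than 6000 states exist, timeouts
# shrink linearly, reaching zero at 12000 states, so a flood that fills
# the table ages out faster instead of starving legitimate connections.
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Stateful TCP normalization: reassemble out-of-order segments and
# rewrite TCP timestamps so a host behind the firewall does not reveal
# its uptime or that it sits behind NAT. random-id hides IP ID patterns.
scrub in all reassemble tcp
scrub out on $ext_if all random-id

block log all

# SYN proxy: pf completes the three-way handshake with the client itself
# and only then opens the connection to the server, so a SYN flood never
# consumes the server's backlog.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state

# Passive OS detection: the fingerprint names come from /etc/pf.os.
# Only hosts whose SYN looks like OpenBSD may reach ssh on the firewall.
pass in on $ext_if proto tcp from any os "OpenBSD" to $ext_if port ssh \
    flags S/SA keep state

# Packet tagging: mark traffic admitted on the internal interface and
# match the tag, rather than re-listing addresses, on the way out.
pass in on $int_if from $int_if:network to any tag INTERNAL keep state
pass out on $ext_if tagged INTERNAL keep state
```

Two caveats a practitioner would want: a fingerprint is a heuristic, so os rules are a convenience filter rather than an access control (a client can tune its stack to look like whatever it likes), and reassemble tcp keeps per-connection state that costs memory, so on a busy firewall watch pfctl -s info for the state count relative to the adaptive thresholds you chose.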

OpenBSD: Theo To Speak At pacsec

Submitted by Jeremy
on October 11, 2003 - 7:45pm
OpenBSD

OpenBSD creator Theo de Raadt [interview] will be speaking at pacsec in Japan in November. He explains:

"I'll be talking about the various tweaks that can be made to the environment that processes live in... tweaks that make attacking the system much, much more difficult, while at the same time ensuring that everything else still operates properly. This includes the propolice, W^X, random allocations, atexit and stdio cleanup vector protection, and even the guard page ideas that are being worked on. I will try to explain the subtle concept of why sometimes one or other of these is not as comprehensive as one might like, because it affects some software, and must be tuned back... to cope with reality."

RELIABILITY FIX: October 1, 2003: ARP-based denial of service attack

Submitted by Jeremy
on October 6, 2003 - 8:06pm
OpenBSD

Under certain circumstances, an attacker may be able to mount a denial of service attack against a machine by flooding it with bogus ARP requests. This can lead to resource starvation, ultimately resulting in a kernel panic.

SECURITY FIX: October 1, 2003: DoS bugs in OpenSSL

Submitted by Jeremy
on October 4, 2003 - 9:21am
OpenBSD

Todd C. Miller announced some denial of service bugs affecting OpenSSL in OpenBSD 3.2 and 3.3:

"The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH."

OpenBSD: 3.4 Song Available

Submitted by Jeremy
on September 30, 2003 - 7:32pm
OpenBSD

OpenBSD creator Theo de Raadt [interview] announced on the OpenBSD -misc mailing list that the song for the upcoming OpenBSD 3.4 release [forum] is already available for download. The new song is titled, "The Legend of Puffy Hood", based on a familiar and true story (go here and scroll down to April, 2003 if you missed all the excitement). The synopsis begins, "Join Puffy Hood and his Funny Fish as they take on the Sheriff (an unelected leader) and other evil forces of the draconian government!" The page notes that the song is allegorical of recent happenings, this time in response to DARPA suddenly pulling OpenBSD funds last April. The song's chorus goes:

"They called it "BSD"! And "Open" because it's always free So raise up your glass and three cheers to the Funny Fish for never running and making something good! And here's to Puffy Hood!"

The 3.4 song is now available for download in mp3 and ogg format. The 3.4 CD will begin shipping on November 1st [story].

OpenBSD: 100,000 Commits and OpenSSH Turns 4

Submitted by Jeremy
on September 25, 2003 - 2:01am
OpenBSD

OpenBSD creator Theo de Raadt [interview] announced, "Sometime in the last 24 hours I think we crossed a line in the project I've been waiting for ... a while. 100,000 commits to the OpenBSD cvs trees."

Theo went on to note, "Markus Friedl has also noted that OpenSSH's birthday is near: Sep 26 OpenSSH born, Sunday 11:56 MST, 1999".

OpenSSH 3.7.1p2

Submitted by Jeremy
on September 23, 2003 - 6:23am
OpenBSD

Damien Miller announced the release of OpenSSH 3.7.1p2, noting security changes:

"Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not exist in OpenBSD's releases of OpenSSH."