<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>OpenBSD Pour Tous 🐡</title>
<link>https://openbsd.fr.eu.org/</link>
<description>OBSD4*: website of the French-speaking community around OpenBSD.</description>
<generator>Hugo 0.80.0 https://gohugo.io/</generator>
<language>fr</language>
<managingEditor>puffy@openbsd.fr.eu.org (OBSD4a)</managingEditor>
<webMaster>puffy@openbsd.fr.eu.org (OBSD4a)</webMaster>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<lastBuildDate>Wed, 02 Jun 2021 03:44:41 +0200</lastBuildDate>
<atom:link rel="self" type="application/rss+xml" href="https://openbsd.fr.eu.org/rss.xml" />
<item>
<title>Channel change on IRC, Jabber and Matrix</title>
<link>https://openbsd.fr.eu.org/posts/2021/06/01/changement-irc-matrix-xmpp/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/06/01/changement-irc-matrix-xmpp/</guid>
<pubDate>Tue, 01 Jun 2021 23:22:31 +0200</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="description">Description</h2>
<p>A short official announcement about the change of our discussion channels:</p>
<ul>
<li>IRC channel: #obsd4a / irc.geeknode.org</li>
<li>Matrix room: <a href="https://matrix.to/#/#obsd4a:matrix.fdn.fr">#obsd4a:matrix.fdn.fr</a>
<ul>
<li><em>the community is &ldquo;visible&rdquo; in its <a href="https://matrix.to/#/+obsd4a:matrix.org">Matrix community space</a></em></li>
</ul>
</li>
<li>Jabber (XMPP) room: #obsd4a%irc.geeknode.org@irc.automario.eu</li>
</ul>
<p>It is up to you to switch to these new official discussion channels!</p>
<p>Thank you for taking note…</p>
<hr>
</description>
</item>
<item>
<title>Syspatch: pmapglobal (2021/05/22)</title>
<link>https://openbsd.fr.eu.org/posts/2021/05/23/syspatch-pmapglobal-6.8-6.9/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/23/syspatch-pmapglobal-6.8-6.9/</guid>
<pubDate>Sun, 23 May 2021 23:55:15 +0200</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="correctifs-de-fiabilité-pmapglobal">pmapglobal reliability fixes</h2>
<p><strong>Recent Intel machines could crash or hang because global mappings were not flushed from the TLB</strong>.</p>
<ul>
<li>Affected architecture: amd64.</li>
</ul>
<hr>
<p><em><strong>Note</strong>: the TLB is a processor cache memory.</em></p>
<hr>
<h2 id="syspatch">Syspatch</h2>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
</code></pre></td></tr></table>
</div>
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/05/23/syspatch-pmapglobal-6.8-6.9/#restart">reboot</a> the machine, because this fix affects the kernel!</p>
<h2 id="restart">Restart</h2>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># reboot</span>
</code></pre></td></tr></table>
</div>
</div><hr>
<h2 id="documentations">Documentation</h2>
<p>⇒ More information on the Errata pages for <a href="https://openbsd.org/errata69.html">6.9</a> and <a href="https://openbsd.org/errata68.html">6.8</a>… <br>
<em>and their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata69">6.9 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a>.</em></p>
<p>⇒ Wikipedia article about the TLB: <a href="https://fr.wikipedia.org/wiki/Translation_lookaside_buffer">FR</a>, <a href="https://en.wikipedia.org/wiki/Translation_lookaside_buffer">EN</a></p>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/pmapglobal/">pmapglobal</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
<category domain="https://openbsd.fr.eu.org/tags/6.9/">6.9</category>
</item>
<item>
<title>Syspatch: net80211 (2021/05/20)</title>
<link>https://openbsd.fr.eu.org/posts/2021/05/20/syspatch-net82011-6.8-6.9/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/20/syspatch-net82011-6.8-6.9/</guid>
<pubDate>Thu, 20 May 2021 21:25:29 +0200</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="correctif-de-sécurité">Security fix</h2>
<p><strong>Insufficient validation of A-MSDUs and fragmented 802.11 frames could be abused to inject arbitrary frames</strong>.</p>
<ul>
<li>Affected architectures: all those supported by the OpenBSD project.</li>
</ul>
<hr>
<p>For all supported architectures:</p>
<ul>
<li>amd64, arm64, i386 via <code>syspatch</code></li>
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/05/20/syspatch-net82011-6.8-6.9/#recompilation">recompilation</a></li>
</ul>
<hr>
<h2 id="syspatch">Syspatch</h2>
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
</code></pre></td></tr></table>
</div>
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/05/20/syspatch-net82011-6.8-6.9/#restart">reboot</a> the machine, because this fix affects the kernel!</p>
<h2 id="recompilation">Recompilation</h2>
<p>For any other architecture supported by the OpenBSD project, here are the necessary recompilation steps:</p>
<p>After downloading the patch, verify it and apply it:</p>
<ul>
<li>for 6.9</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.9/common/004_net80211.patch.sig</span>
<span class="c1"># signify -Vep /etc/signify/openbsd-69-base.pub -x 004_net80211.patch.sig \</span>
    -m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
</code></pre></td></tr></table>
</div>
</div><ul>
<li>for 6.8</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/021_net80211.patch.sig</span>
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 021_net80211.patch.sig \</span>
    -m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
</code></pre></td></tr></table>
</div>
</div><ul>
<li>the recompilation phase:</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nv">KK</span><span class="o">=</span><span class="sb">`</span>sysctl -n kern.osversion <span class="p">|</span> cut -d# -f1<span class="sb">`</span>
$ <span class="nb">cd</span> /usr/src/sys/arch/<span class="sb">`</span>machine<span class="sb">`</span>/compile/<span class="nv">$KK</span>
<span class="c1"># make obj</span>
<span class="c1"># make config</span>
<span class="c1"># make</span>
<span class="c1"># make install</span>
</code></pre></td></tr></table>
</div>
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/05/20/syspatch-net82011-6.8-6.9/#restart">reboot</a> the machine, because this fix affects the kernel!</p>
<h2 id="restart">Restart</h2>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># reboot</span>
</code></pre></td></tr></table>
</div>
</div><hr>
<p>More information on the Errata pages for <a href="https://openbsd.org/errata69.html">6.9</a> and <a href="https://openbsd.org/errata68.html">6.8</a>… <br>
<em>and their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata69">6.9 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a>.</em></p>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/net80211/">net80211</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
<category domain="https://openbsd.fr.eu.org/tags/6.9/">6.9</category>
</item>
<item>
<title>OpenIKED 6.9.0; rpki-client 7.1</title>
<link>https://openbsd.fr.eu.org/posts/2021/05/18/openiked-6.9-rpki-client-7.1/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/18/openiked-6.9-rpki-client-7.1/</guid>
<pubDate>Tue, 18 May 2021 18:49:57 +0200</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="description">Description</h2>
<p>The OpenBSD team has released new versions of two of its flagship products:</p>
<ul>
<li>OpenIKED v6.9.0</li>
<li>rpki-client v7.1</li>
</ul>
<h2 id="openiked">OpenIKED</h2>
<p>This free implementation of IKEv2, part of the OpenBSD project, is based on the OpenBSD 6.9 version.</p>
<hr>
<p>The team is taking the opportunity to completely overhaul the portable version, which is known to work on:</p>
<ul>
<li>some Linux distributions, such as Arch Linux and Debian 10</li>
<li>and on some BSDs: FreeBSD 12, FreeBSD 13 and NetBSD 9.</li>
</ul>
<hr>
<p>As a reminder, the portable version can be downloaded from the
<a href="https://www.openbsd.org/ftp.html">OpenBSD project mirrors</a>, under
the directory: <code>/pub/OpenBSD/OpenIKED</code>.</p>
<hr>
<p>Those who want to report bugs can do so at:</p>
<ul>
<li><strong><a href="mailto:bugs@openbsd.org">bugs@openbsd.org</a></strong>: for bugs in general</li>
<li><strong><a href="https://github.com/openiked/openiked-portable">https://github.com/openiked/openiked-portable</a></strong>, for those specific to the portable version</li>
</ul>
<h2 id="rpki-client">rpki-client</h2>
<p>This new version 7.1 includes the following changes:</p>
<pre><code> * Add keep-alive support to the HTTP client code for RRDP,
 * Reference-count and delete unused files synced via RRDP, as far as
   possible,
 * In the JSON output, change the AS Number from a string (&quot;AS123&quot;) to
   an integer (&quot;123&quot;) to make processing of the output easier,
 * Add an 'expires' column to CSV &amp; JSON output, based on certificate
   and CRL validity times. The 'expires' value can be used to avoid route
   selection based on stale data when generating VRP sets, when faced
   with loss of communication between consumer and validator, or
   validator and CA repository,
 * Make the runtime timeout (-s option) also trigger in
   child processes.
 * Improved RRDP support, we encourage testing of RRDP with the -r
   option so that RRDP can be enabled by default in a future release.
   Please report any issues found.
</code></pre><p>As for the portable version:</p>
<pre><code> * Improve support for older libressl versions (although the latest
   stable release is recommended),
 * Add missing compat headers in release packages so they build on
   Alpine Linux and macOS.
</code></pre><hr>
<p>As a reminder, rpki-client is known to work on the following operating systems:</p>
<ul>
<li>Alpine 3.12, Debian 9, 10, Fedora 31, 32, 33, macOS, RHEL/CentOS 7, 8,
Windows Subsystem for Linux 2, and OpenBSD.</li>
</ul>
<hr>
<p>The portable version can be downloaded from:</p>
<ul>
<li><a href="https://www.rpki-client.org/portable.html">https://www.rpki-client.org/portable.html</a></li>
</ul>
<hr>
<p>If you want to report bugs, do so at:</p>
<ul>
<li><strong><a href="mailto:tech@openbsd.org">tech@openbsd.org</a></strong> for general bugs</li>
<li><strong><a href="https://github.com/rpki-client/rpki-client-portable">https://github.com/rpki-client/rpki-client-portable</a></strong> for those relating to the portable version</li>
</ul>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/openiked/">OpenIKED</category>
<category domain="https://openbsd.fr.eu.org/categories/rpki-client/">rpki-client</category>
<category domain="https://openbsd.fr.eu.org/tags/openiked/">OpenIKED</category>
<category domain="https://openbsd.fr.eu.org/tags/rpki-client/">rpki-client</category>
<category domain="https://openbsd.fr.eu.org/tags/6.9/">6.9</category>
<category domain="https://openbsd.fr.eu.org/tags/7.1/">7.1</category>
</item>
<item>
<title>Syspatch: libX11, vmd (2021/05/18)</title>
<link>https://openbsd.fr.eu.org/posts/2021/05/18/syspatch-libx11-vmd-6.8-6.9/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/18/syspatch-libx11-vmd-6.8-6.9/</guid>
<pubDate>Tue, 18 May 2021 18:18:12 +0200</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="correctifs-de-sécurité">Security fixes</h2>
<p>1/ for libX11:</p>
<p><strong>Request length checks were missing in the libX11 library.</strong></p>
<ul>
<li>Affected architectures: all those supported by the OpenBSD project.</li>
</ul>
<p>2/ for vmd:</p>
<p><strong>vmd guest virtio drivers could cause stack overflows by crafting invalid virtio descriptor lengths.</strong></p>
<ul>
<li>Affected architecture: amd64.</li>
</ul>
<hr>
<p>For all supported architectures:</p>
<ul>
<li>amd64, arm64, i386 via <code>syspatch</code></li>
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/05/18/syspatch-libx11-vmd-6.8-6.9/#recompilation">recompilation</a></li>
</ul>
<hr>
<h2 id="syspatch">Syspatch</h2>
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
</code></pre></td></tr></table>
</div>
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/05/18/syspatch-libx11-vmd-6.8-6.9/#restart">restart</a> the service, <em>if in use</em>!</p>
<h2 id="recompilation">Recompilation</h2>
<p>For any other architecture supported by the OpenBSD project, here are the necessary recompilation steps:</p>
<p>After downloading the patch, verify it and apply it:</p>
<p>⇒ For libX11:</p>
<ul>
<li>for 6.9</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.9/common/002_libx11.patch.sig</span>
<span class="c1"># signify -Vep /etc/signify/openbsd-69-base.pub -x 002_libx11.patch.sig \</span>
    -m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/xenocara <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
</code></pre></td></tr></table>
</div>
</div><ul>
<li>for 6.8</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/019_libx11.patch.sig</span>
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 019_libx11.patch.sig \</span>
    -m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/xenocara <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
</code></pre></td></tr></table>
</div>
</div><ul>
<li>the recompilation phase:</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nb">cd</span> /usr/xenocara/lib/libX11
<span class="c1"># make -f Makefile.bsd-wrapper obj</span>
<span class="c1"># make -f Makefile.bsd-wrapper build</span>
</code></pre></td></tr></table>
</div>
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/05/18/syspatch-libx11-vmd-6.8-6.9/#restart">restart</a> the <strong>xenodm</strong> service, <em>if in use</em>!</p>
<p>⇒ for vmd, simply use <code>syspatch</code>…</p>
<p>Then <a href="https://openbsd.fr.eu.org/posts/2021/05/18/syspatch-libx11-vmd-6.8-6.9/#restart">restart</a> the <strong>vmd</strong> service, and the VMs as well, <em>if in use</em>!</p>
<h2 id="restart">Restart</h2>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart vmd xenodm</span>
</code></pre></td></tr></table>
</div>
</div><hr>
<p>More information on the Errata pages for <a href="https://openbsd.org/errata69.html">6.9</a> and <a href="https://openbsd.org/errata68.html">6.8</a>… <br>
<em>and their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata69">6.9 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a>.</em></p>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/libx11/">libX11</category>
<category domain="https://openbsd.fr.eu.org/tags/vmd/">vmd</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
<category domain="https://openbsd.fr.eu.org/tags/6.9/">6.9</category>
</item>
<item>
<title>LibreSSL: 3.3.3</title>
<link>https://openbsd.fr.eu.org/posts/2021/05/04/libressl-3.3.3/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/04/libressl-3.3.3/</guid>
<pubDate>Tue, 04 May 2021 12:36:47 +0200</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="description">Description</h2>
<p>The OpenBSD team has released the new stable version of LibreSSL, based
on OpenBSD 6.9.</p>
<p>This release includes the following changes:</p>
<p>⇒ New features:</p>
<pre><code>* Support for DTLSv1.2.
* Continued rewrite of the record layer for the legacy stack.
* Numerous bugs and interoperability issues were fixed in the new verifier. A
  few bugs and incompatibilities remain, so this release uses the old verifier
  by default.
* The OpenSSL 1.1 TLSv1.3 API is not yet available.
</code></pre><p>⇒ Improvements to the portable version:</p>
<pre><code>* Added '--enable-libtls-only' build option, which builds and installs a
  statically-linked libtls, skipping libcrypto and libssl. This is useful for
  systems that ship with OpenSSL but wish to also package libtls.
* Update getentropy on Windows to use Cryptography Next Generation (CNG).
  wincrypt is deprecated and no longer works with newer Windows environments,
  such as in Windows Store apps.
</code></pre><p>⇒ API and documentation improvements:</p>
<pre><code>* Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
* Add support for SSL_get_shared_ciphers(3) with TLSv1.3.
* Add DTLSv1.2 methods.
* Implement SSL_is_dtls(3) and use it internally in place of the SSL_IS_DTLS
  macro.
* Provide EVP_PKEY_new_CMAC_KEY(3).
* Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
* Add DTLSv1.2 to openssl(1) s_server and s_client protocol message logging.
* Provide SSL_use_certificate_chain_file(3).
* Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
* Provide various DTLSv1.2 specific functions and defines.
* Document meaning of '*' in the genrsa output.
* Updated documentation for SSL_get_shared_ciphers(3).
* Add documentation for SSL_get_finished(3).
* Document EVP_PKEY_new_CMAC_key(3).
* Document SSL_use_certificate_chain_file(3).
* Document SSL_set_hostflags(3) and SSL_get0_peername(3).
* Update SSL_get_version(3) manual for DTLSv1.2 support.
* Make supported protocols and options for DHE params more prominent in
  tls_config_set_protocols(3).
* Various documentation improvements around TLS methods.
</code></pre><p>⇒ Compatibility changes:</p>
<pre><code>* Make openssl(1) s_server ignore -4 and -6 for compatibility with OpenSSL.
|
|
* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp command.
|
|
* Send a host header with OCSP queries to make openssl(1) ocsp work with some
|
|
widely used OCSP responders.
|
|
* Add ability to ocspcheck(8) to parse a port in the specified OCSP URL.
|
|
* Implement auto chain for the TLSv1.3 server since some software relies on
|
|
this.
|
|
* Implement key exporter for TLSv1.3.
|
|
* Align SSL_get_shared_ciphers(3) with OpenSSL. This takes into account that
|
|
it never returned server ciphers, so now it will fail when called from the
|
|
client side.
|
|
* Sync cert.pem with Mozilla NSS root CAs except &quot;GeoTrust Global CA&quot;.
|
|
* Make SSL{_CTX,}_get_{min,max}_proto_version(3) return a version of zero if
|
|
the minimum or maximum has been set to zero to match OpenSSL's behavior.
|
|
* Add DTLSv1.2 support to openssl(1) s_client/s_server.
|
|
* Testing and Proactive Security
|
|
* Malformed ASN.1 in a certificate revocation list or a timestamp response
|
|
token can lead to a NULL pointer dereference.
|
|
* Pull in fix for EVP_CipherUpdate(3) overflow from OpenSSL.
|
|
* Use EXFLAG_INVALID to handle out of memory and parse errors in
|
|
x509v3_cache_extensions().
|
|
* Refactor and clean up ocspcheck(8) and add regression tests.
|
|
* Internal Improvements
|
|
* Further cleanup of the DTLS record handling.
|
|
* Continue the replacement of the TLSv1.2 record layer by reimplementing the
|
|
read side of the TLSv1.2 record handling.
|
|
* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
|
|
* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
|
|
* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
|
|
.data.rel.ro and .rodata, respectively.
|
|
* Add a const qualifier to srtp_known_profiles.
|
|
* Simplify TLS method by removing the client and server specific methods
|
|
internally.
|
|
* Avoid casting away const in ssl_ctx_make_profiles().
|
|
* Avoid explicitly conditioning an assert on DTLS1_VERSION to make the assert
|
|
work for newer DTLS versions.
|
|
* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
|
|
* Add a flag to mark DTLS methods as DTLS to have an easy way to recognize
|
|
DTLS methods that avoids inspecting the version number.
|
|
* Mark a few more internal static tables const.
|
|
* Switch finish{,_peer}_md_len from an int to a size_t.
|
|
* Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size for
|
|
cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2 was a
|
|
historical artefact.
|
|
* Free struct members in tls13_record_layer_free() in their natural order for
|
|
reviewability.
|
|
* Use consistent names in tls13_{client,server}_finished_{recv,send}().
|
|
* Add tls13_secret_{init,cleanup}() and use them throughout the TLSv1.3 code
|
|
base.
|
|
* Move the read MAC key into the TLSv1.2 record layer.
|
|
* Make tls12_record_layer_free() NULL safe.
|
|
* Split the record protection from the TLSv1.2 record layer.
|
|
* Clean up sequence number handling in the new TLSv1.2 record layer.
|
|
* Clean up sequence number handling in DTLS.
|
|
* Clean up dtls1_reset_seq_numbers().
|
|
* Factor out code for explicit IV length, block size and MAC length from
|
|
tls12_record_layer_open_record_protected_cipher().
|
|
* Provide record layer overhead for DTLS.
|
|
* Provide functions to determine if TLSv1.2 record protection is engaged.
|
|
* Add code to handle change of cipher state in the new TLSv1.2 record layer.
|
|
* Mop up now unused dtls1_build_sequence_numbers() function.
|
|
* Allow setting a keypair on a tls context without specifying the private key,
|
|
and fake it internally in libtls. This removes the need for privsep engines
|
|
like relayd to use bogus keys.
|
|
* Skip the private key check for fake private keys.
|
|
* Move the private key setup from tls_configure_ssl_keypair() to a helper
|
|
function with proper error checking.
|
|
* Change the internal tls_configure_ssl_keypair() function to return -1
|
|
instead of 1 on failure.
|
|
* Move sequence numbers into the new TLSv1.2 record layer.
|
|
* Move AEAD handling into the new TLSv1.2 record layer.
|
|
* Factor out legacy stack version checks.
|
|
* Correct handshake MAC/PRF for various TLSv1.2 cipher suites which were
|
|
originally added with the default handshake MAC and PRF rather than the
|
|
SHA256 handshake MAC and PRF.
|
|
* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
|
|
* Use dtls1_record_retrieve_buffered_record() to load buffered application
|
|
data.
|
|
* Enforce read ahead with DTLS.
|
|
* Remove bogus DTLS checks that disabled ECC and OCSP.
|
|
* Clean up and simplify dtls1_get_cipher().
|
|
* Group HelloVerifyRequest decoding and add missing check for trailing data.
|
|
* Revise HelloVerifyRequest handling for DTLSv1.2.
|
|
* Handle DTLS1_2_VERSION in various places.
|
|
* Rename the &quot;truncated&quot; label into &quot;decode_err&quot; and the &quot;f_err&quot; label into
|
|
&quot;fatal_err&quot;.
|
|
* Factor out and change some of the legacy client version code.
|
|
* Simplify version checks in the TLSv1.3 client. Ensure that the server
|
|
announced TLSv1.3 and nothing higher and check that the legacy_version is
|
|
set to TLSv1.2 as required by RFC 8446.
|
|
* Only use TLS versions internally rather than both TLS and DTLS versions
|
|
since the latter are the one's complement of the human readable version
|
|
numbers, which means that newer versions decrease in value.
|
|
* Identify DTLS based on the version major value.
|
|
* Move handling of cipher/hash based cipher suites into the new record layer.
|
|
* Add tls12_record_protection_unused() and call it from CCS functions.
|
|
* Move key/IV length checks closer to usage sites. Also add explicit checks
|
|
against EVP_CIPHER_{iv,key}_length().
|
|
* Replace two handrolled tls12_record_protection_engaged().
|
|
* Improve internal version handling: add handshake fields for our minimum
|
|
version, our maximum version and the TLS version negotiated during the
|
|
handshake. Convert most of the internal code to use these version fields.
|
|
* Guard against future internal use of TLS1_get_{client,}_version() macros.
|
|
* Remove the internal ssl_downgrade_max_version() function which is no longer
|
|
needed.
|
|
* Add support for DTLSv1.2 version handling.
|
|
* Remove no longer needed read ahead workarounds in the s_client and s_server.
|
|
* Split TLSv1.3 record protection from record layer.
|
|
* Move the TLSv1.3 handshake struct inside the shared handshake struct.
|
|
* Fully initialize rrec in tls12_record_layer_open_record_protected() to avoid
|
|
confusing some static analyzers.
|
|
* Use tls_set_errorx() on OCSP_basic_verify() failure since the latter does
|
|
not set errno.
|
|
* Convert openssl(1) x509 to new option handling and do the usual clean up
|
|
that goes along with it.
|
|
* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
|
|
* Rename new_cipher to cipher to align naming with keyblock or other parts of
|
|
the handshake data.
|
|
* Move the TLSv1.2 record number increment into the new record layer.
|
|
* Move finished and peer finished into the handshake struct.
|
|
* Remove pointless assignment in SSL_get0_alpn_selected().
|
|
* Add some error checking to openssl(1) x509.
|
|
</code></pre><p>⇒ Bug fixes:</p>
|
|
<pre><code>* Move point-on-curve check to set_affine_coordinates to avoid verifying ECDSA
|
|
signatures with unchecked public keys.
|
|
* Fix SSL_is_server(3) to behave as documented by re-introducing the
|
|
client-specific methods.
|
|
* Avoid undefined behavior due to memcpy(NULL, NULL, 0).
|
|
* Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
|
|
* Correct the return value type from ERR_peek_error() to a long.
|
|
* Avoid use of uninitialized in ASN1_time_parse() which could happen on
|
|
parsing UTCTime if the caller did not initialize the passed struct tm.
|
|
* Destroy the mutex in a tls_config object on tls_config_free().
|
|
* Free alert_data and phh_data in tls13_record_layer_free(). These could leak
|
|
if SSL_shutdown(3) or tls_close(3) were called after closing the underlying
|
|
socket().
|
|
* Gracefully handle root certificates being both trusted and untrusted.
|
|
* Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new verifier.
|
|
* Use the legacy verifier when building auto chains for TLS.
|
|
* Search the intermediates only after searching the root certs in the new
|
|
verifier to avoid problems with the legacy callback.
|
|
* Bail out early after finding a single chain in the new verifier, if we have
|
|
been called via the legacy verifier API.
|
|
* Set (invalid and likely incomplete) chain on the xsc on chain build failure
|
|
prior to calling the callback. This is required by various callers, including
|
|
auto chain.
|
|
* Remove direct assignment of aead_ctx to avoid a leak.
|
|
* Fail early in legacy exporter if the master secret is not available to avoid
|
|
a segfault if it is called when the handshake is not completed.
|
|
* Only print the certificate file once on verification failure.
|
|
* Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that the new
|
|
validator checks for EXFLAG_CRITICAL in x509_vfy_check_chain_extension() for
|
|
all untrusted certs in the chain. Take into account that the root is not
|
|
necessarily trusted.
|
|
* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
|
|
* Fix two bugs in the legacy verifier that resulted from refactoring of
|
|
X509_verify_cert(3) for the new verifier: a return value was incorrectly
|
|
treated as boolean, making it insufficient to decide whether validation
|
|
should carry on or not.
|
|
* Fix checks for memory caps of constraints names. There are internal caps on
|
|
the number of name constraints and other names, that the new name constraints
|
|
code allocates per cert chain. These limits were checked too late, making
|
|
them only partially effective.
|
|
* Fix a copy-paste error - skid was confused with an akid when checking for
|
|
EXFLAG_INVALID. This broke OCSP validation with certain mirrors.
|
|
* Avoid a use-after-scope in tls13_cert_add().
|
|
* Avoid mangled output in BIO_debug_callback().
|
|
* Fix client initiated renegotiation by replacing use of s-&gt;internal-type with
|
|
s-&gt;server.
|
|
* Avoid transcript initialization when sending a TLS HelloRequest, fixing
|
|
server initiated renegotiation.
|
|
* Avoid leaking param-&gt;name in x509_verify_param_zero().
|
|
* Avoid a leak in an error path in openssl(1) x509.
|
|
* When sending an alert in TLSv1.3, only set its error code when no other
|
|
error was set previously. Certain clients rely on specific SSL_R_ error
|
|
codes to identify that they are dealing with a self signed cert.
|
|
* When switching from the TLSv1.3 stack to the legacy stack include a TLS
|
|
record header. This is necessary if there is more than one handshake message
|
|
in the TLS plaintext record.
|
|
* Fix resource handling on error in OCSP_request_add0_id().
|
|
* Make sure there is enough room for stashing the handshake message when
|
|
switching to the legacy TLS stack.
|
|
* Fix a memory leak in the openssl(1) s_client.
|
|
* Unbreak DTLS retransmissions for flights that include a CCS.
|
|
* If x509_verify() fails, ensure that the error is set on both the
|
|
x509_verify_ctx() and its store context to make some failures visible from
|
|
SSL_get_verify_result().
|
|
* Use the X509_STORE_CTX get_issuer() callback from the new X.509 verifier to
|
|
fix hashed certificate directories.
|
|
* Only check BIO_should_read(3) on read and BIO_should_write(3) on write.
|
|
Previously, BIO_should_write(3) was also checked after read and
|
|
BIO_should_read(3) after write which could cause stalls in software that
|
|
uses the same BIO for read and write.
|
|
* In openssl(1) verify, also check for error on the store context since the
|
|
return value of X509_verify_cert(3) is unreliable in presence of a callback
|
|
that returns 1 too often.
|
|
* Handle additional certificate error cases in the new X.509 verifier. Keep
|
|
track of the errors encountered if a verify callback tells the verifier to
|
|
continue and report them back via the error on the store context. This
|
|
mimics the behavior of the old verifier that would persist the first error
|
|
encountered while building the chain.
|
|
* Report specific failures for &quot;self signed certificates&quot; in a way compatible
|
|
with the old verifier since software relies on the error code.
|
|
* Plug a large memory leak in the new verifier caused by calling
|
|
X509_policy_check(3) repeatedly.
|
|
* Avoid leaking memory in x509_verify_chain_dup().
|
|
</code></pre><hr>
|
|
<p>See the release notes:</p>
|
|
<ul>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt">3.3.3</a></li>
|
|
</ul>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/libressl/">LibreSSL</category>
<category domain="https://openbsd.fr.eu.org/tags/libressl/">LibreSSL</category>
<category domain="https://openbsd.fr.eu.org/tags/3.3/">3.3</category>
</item>
|
|
|
|
<item>
|
|
<title>Syspatch: vmd (2021/05/04)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/05/04/syspatch-vmd-6.9/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/04/syspatch-vmd-6.9/</guid>
|
|
<pubDate>Tue, 04 May 2021 12:26:10 +0200</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-fiabilité--vmd">Reliability fix: vmd</h2>
|
|
<p><strong>vmd guest VMs can trigger excessive log messages on the host by sending certain network packets.</strong></p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64 via <code>syspatch</code> or by <a href="https://openbsd.fr.eu.org/posts/2021/05/04/syspatch-vmd-6.9/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then, preferably <a href="https://openbsd.fr.eu.org/posts/2021/05/04/syspatch-vmd-6.9/#restart">restart</a> the service and your VMs.</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>Here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.9/common/001_vmd.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-69-base.pub -x 001_vmd.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nb">cd</span> /usr/src/usr.sbin/vmd
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then, preferably <a href="https://openbsd.fr.eu.org/posts/2021/05/04/syspatch-vmd-6.9/#restart">restart</a> the service and your VMs.</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart vmd</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information on the <a href="https://openbsd.org/errata69.html">6.9</a> Errata page… <br>
<em>and its French version: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata69">6.9 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/vmd/">vmd</category>
<category domain="https://openbsd.fr.eu.org/tags/6.9/">6.9</category>
</item>
|
|
|
|
<item>
|
|
<title>OpenBSD 6.9</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/05/01/openbsd-6.9/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/05/01/openbsd-6.9/</guid>
|
|
<pubDate>Sat, 01 May 2021 00:00:00 +0200</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="description">Description</h2>
|
|
<p>The OpenBSD team has released version <strong>6.9</strong> of <strong>OpenBSD</strong>.</p>
|
|
<p>This is the 50<sup>th</sup> release of the operating system.</p>
|
|
<p>The team is proud to announce that in more than 20 years it has had only two remote security holes in the base installation.</p>
|
|
<p><img src="https://openbsd.fr.eu.org/images/puffy69.png" alt="OpenBSD 6.9 banner"></p>
|
|
<h2 id="changelog">Changelog</h2>
|
|
<p>⇒ Many changes and improvements have been made:</p>
|
|
<ul>
|
|
<li>initial support for the Apple M1 SoC</li>
|
|
<li>improved support for the arm64 and PowerPC64 platforms</li>
|
|
<li>kernel improvements, the most notable being:
|
|
<ul>
|
|
<li>RAID1C: encryption support for RAID1</li>
|
|
<li>video(4): introduction of the kern.video.record sysctl parameter, disabled by default, in the context of privacy policy; and the ability to enable several devices at the same time.</li>
|
|
</ul>
|
|
</li>
|
|
<li>improvements to SMP (<em>multiple processors</em>)</li>
|
|
<li>improvements to VMD/VMM virtualization, mainly:
|
|
<ul>
|
|
<li>added the veb(4) device as a bridge supported by vmd(8).</li>
|
|
<li>added the ability to boot from compressed ramdisks</li>
|
|
</ul>
|
|
</li>
|
|
<li>new features in &ldquo;user space&rdquo;:
|
|
<ul>
|
|
<li>doas.conf: added the &ldquo;nolog&rdquo; option so that nothing is recorded in syslog(3).</li>
|
|
<li>sndio(7) and sndiod(8): autovolume disabled by default, and default volume set to 127</li>
|
|
<li>logger(1) for rcctl(8), rc.subr(8) and rc.d(8)</li>
|
|
<li>wsconsctl(8): better handling of touchpad movements and other touch gestures</li>
|
|
<li>apm(4) enabled for the arm64 architecture.</li>
|
|
</ul>
|
|
</li>
|
|
<li>many improvements and additions for various hardware and network devices, including Wi-Fi</li>
|
|
<li>notable changes in PF, IPSec, httpd, and tools such as rpki-client, dig and dhclient, including:
|
|
<ul>
|
|
<li>two new daemons, dhcpleased(8) and resolvd(8), have been added; they are disabled by default and can be managed with rcctl, in order to provide simple and consistent configuration of network interfaces and DNS resolution.</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<p>and, of course, many other changes, fixes and additions, which can be read in English in the official <a href="https://ftp.fr.openbsd.org/pub/OpenBSD/6.9/ANNOUNCEMENT">announcement</a>.</p>
|
|
<p>⇒ The new versions of software included in OpenBSD 6.9 are, among others:</p>
|
|
<ul>
|
|
<li>LibreSSL 3.3.2</li>
|
|
<li>OpenSSH 8.5</li>
|
|
<li>OpenSMTPD 6.9.0</li>
|
|
</ul>
|
|
<h2 id="guide-de-migration">Migration Guide</h2>
|
|
<p>See the <strong>6.8 → 6.9 Migration Guide</strong>, which explains:</p>
|
|
<ol>
|
|
<li>what to do <strong>before using the upgrade method</strong></li>
|
|
<li>how to choose your <strong>upgrade method</strong>, including the <strong>unattended upgrade method</strong> using sysupgrade(8).</li>
|
|
<li>what needs to be done <strong>after the upgrade</strong></li>
|
|
<li>and, afterwards, how to handle the <strong>configuration and syntax changes</strong>, the <strong>files to delete</strong>, and how to check certain <strong>specific packages</strong>.</li>
|
|
</ol>
|
|
<ul>
|
|
<li>the official EN version of the guide: <a href="https://www.openbsd.org/faq/upgrade69.html">https://www.openbsd.org/faq/upgrade69.html</a></li>
|
|
<li>our unofficial EN → FR translation: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/faq/upgrade69">https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/faq/upgrade69</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="art">Art</h2>
|
|
<p>⇒ Here is the poster:</p>
|
|
<p><a href="https://www.openbsd.org/images/nice.png"><img src="https://openbsd.fr.eu.org/images/OpenBSD-6.9-Poster.png" alt="OpenBSD 6.9 poster"></a></p>
|
|
<p>⇒ Check out the new song, titled &ldquo;Vetera Novis&rdquo;.</p>
|
|
<ul>
|
|
<li><a href="https://www.OpenBSD.org/lyrics.html#69">https://www.OpenBSD.org/lyrics.html#69</a></li>
|
|
</ul>
|
|
<h2 id="vente">Merchandise</h2>
|
|
<p>⇒ And here is the official sale of clothing branded <strong>OpenBSD 6.9</strong>:</p>
|
|
<ul>
|
|
<li><a href="https://openbsd.creator-spring.com/search?searchterm=6.9">https://openbsd.creator-spring.com/search?searchterm=6.9</a></li>
|
|
</ul>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/openbsd/">OpenBSD</category>
<category domain="https://openbsd.fr.eu.org/tags/openbsd/">OpenBSD</category>
<category domain="https://openbsd.fr.eu.org/tags/6.9/">6.9</category>
</item>
|
|
|
|
<item>
|
|
<title>Syspatch: XInput (2021/04/13)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/04/13/syspatch-xi-6.7-6.8/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/04/13/syspatch-xi-6.7-6.8/</guid>
|
|
<pubDate>Tue, 13 Apr 2021 17:23:58 +0200</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-sécurité-xinput">XInput security fix</h2>
|
|
<p><strong>Input validation failures in the XInput extensions of the X server may allow privilege escalation for authorized clients.</strong></p>
|
|
<p>It is best to <strong>restart the X service</strong> after applying the patch!
<br><em>(or the X clients in use)</em></p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 by <a href="https://openbsd.fr.eu.org/posts/2021/04/13/syspatch-xi-6.7-6.8/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/04/13/syspatch-xi-6.7-6.8/#restart">restart</a> the service!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/018_xi.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 018_xi.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><ul>
|
|
<li>For 6.7:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/038_xi.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-67-base.pub -x 038_xi.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nb">cd</span> /usr/xenocara/xserver
|
|
<span class="c1"># make -f Makefile.bsd-wrapper obj</span>
|
|
<span class="c1"># make -f Makefile.bsd-wrapper build</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Finally, <a href="https://openbsd.fr.eu.org/posts/2021/04/13/syspatch-xi-6.7-6.8/#restart">restart</a> the service!</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart xenodm</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information on the <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a> Errata pages… <br>
<em>and their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/xinput/">XInput</category>
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
</item>
|
|
|
|
<item>
|
|
<title>LibreSSL: 3.2.5</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/03/17/libressl-3.2.5/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/03/17/libressl-3.2.5/</guid>
|
|
<pubDate>Wed, 17 Mar 2021 08:45:49 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="description">Description</h2>
|
|
<p>Following the <a href="https://openbsd.fr.eu.org/posts/2021/03/15/syspatch-libssl-6.8/">libressl</a> patch, the OpenBSD team has released a new version of LibreSSL.</p>
|
|
<p>It includes the following fix:</p>
|
|
<pre><code>* A TLS client using session resumption may cause a use-after-free.
|
|
</code></pre><hr>
|
|
<p>See the release notes:</p>
|
|
<ul>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt">3.2.5</a></li>
|
|
</ul>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/libressl/">LibreSSL</category>
<category domain="https://openbsd.fr.eu.org/tags/libressl/">LibreSSL</category>
<category domain="https://openbsd.fr.eu.org/tags/3.2/">3.2</category>
</item>
|
|
|
|
<item>
|
|
<title>Syspatch: libssl (2021/03/15)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/03/15/syspatch-libssl-6.8/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/03/15/syspatch-libssl-6.8/</guid>
|
|
<pubDate>Mon, 15 Mar 2021 18:08:33 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-sécurité">Security fix</h2>
|
|
<p><strong>A TLS client using session resumption may cause a use-after-free.</strong></p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 by <a href="https://openbsd.fr.eu.org/posts/2021/03/15/syspatch-libssl-6.8/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/03/15/syspatch-libssl-6.8/#restart">restart</a> the <strong>unwind</strong> service, <em>if you use it</em>!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/017_libssl.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 017_libssl.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nb">cd</span> /usr/src/lib/libssl
|
|
<span class="c1"># make obj </span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
$ <span class="nb">cd</span> /usr/src/sbin/unwind
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/03/15/syspatch-libssl-6.8/#restart">restart</a> the <strong>unwind</strong> service, <em>if you use it</em>!</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart unwind</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information on the <a href="https://openbsd.org/errata68.html">6.8</a> Errata page… <br>
<em>and its French version: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/libssl/">libssl</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
</item>
|
|
|
|
<item>
|
|
<title>Syspatch: npppd (2021/03/09)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/03/09/syspatch-npppd-6.7-6.8/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/03/09/syspatch-npppd-6.7-6.8/</guid>
|
|
<pubDate>Tue, 09 Mar 2021 12:14:49 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-sécurité-npppd">npppd security fix</h2>
|
|
<p><strong>The PPTP protocol handler can cause a heap over-read, which may lead to a crash.</strong></p>
|
|
<p>You must <strong>restart the service</strong> after applying the patch!</p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 by <a href="https://openbsd.fr.eu.org/posts/2021/03/09/syspatch-npppd-6.7-6.8/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/03/09/syspatch-npppd-6.7-6.8/#restart">restart</a> the service, <em>if used</em>!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/016_npppd.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 016_npppd.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><ul>
|
|
<li>For 6.7:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/037_npppd.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-67-base.pub -x 037_npppd.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span><span class="lnt">4
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nb">cd</span> /usr/src/usr.sbin/npppd
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/03/09/syspatch-npppd-6.7-6.8/#restart">restart</a> the service, <em>if it is in use</em>!</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart npppd</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information is available on the Errata pages for <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a>… <br>
<em>and in their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/npppd/">npppd</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
|
|
|
|
|
|
|
|
|
|
|
|
</item>
|
|
|
|
<item>
|
|
<title>Syspatch : ssh-agent (2021/03/03)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/03/03/syspatch-ssh-agent-6.7-6.8/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/03/03/syspatch-ssh-agent-6.7-6.8/</guid>
|
|
<pubDate>Wed, 03 Mar 2021 23:12:34 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-sécurité-ssh-agent">ssh-agent security fix</h2>
|
|
<p><strong>Double free (of memory) in ssh-agent(1)</strong></p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/03/03/syspatch-ssh-agent-6.7-6.8/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then restart your ssh-agent client!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 015_sshagent.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><ul>
|
|
<li>For 6.7:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/036_sshagent.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-67-base.pub -x 036_sshagent.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span><span class="lnt">4
|
|
</span><span class="lnt">5
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh">$ <span class="nb">cd</span> /usr/src/usr.bin/ssh
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make clean</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then restart your ssh-agent client!</p>
|
|
<hr>
|
|
<p>More information is available on the Errata pages for <a href="https://openbsd.org/errata68">6.8</a> and <a href="https://openbsd.org/errata67">6.7</a>… <br>
<em>and in their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/ssh/">ssh</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
|
|
|
|
|
|
|
|
|
|
|
|
</item>
|
|
|
|
<item>
|
|
<title>Syspatch : pffrag (2021/02/24)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/02/24/syspatch-pffrag-6.7-6.8/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/02/24/syspatch-pffrag-6.7-6.8/</guid>
|
|
<pubDate>Wed, 24 Feb 2021 18:52:52 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-sécurité-pffrag">pffrag security fix</h2>
|
|
<p><strong>A sequence of overlapping IPv4 fragments could crash the kernel in pf because of an assertion.</strong></p>
|
|
<p>The kernel must be restarted!</p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/02/24/syspatch-pffrag-6.7-6.8/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/02/24/syspatch-pffrag-6.7-6.8/#restart">reboot</a> the machine!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/014_pffrag.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 014_pffrag.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><ul>
|
|
<li>For 6.7:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/035_pffrag.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-67-base.pub -x 035_pffrag.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span><span class="lnt">4
|
|
</span><span class="lnt">5
|
|
</span><span class="lnt">6
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># KK=`sysctl -n kern.osversion | cut -d# -f1`</span>
|
|
<span class="c1"># cd /usr/src/sys/arch/`machine`/compile/$KK</span>
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make config</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Finally, <a href="https://openbsd.fr.eu.org/posts/2021/02/24/syspatch-pffrag-6.7-6.8/#restart">reboot</a> the machine!</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># reboot</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information is available on the Errata pages for <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a>… <br>
<em>and in their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/pf/">PF</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
|
|
|
|
|
|
|
|
|
|
|
|
</item>
|
|
|
|
<item>
|
|
<title>LibreSSL : 3.2.4</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/02/13/libressl-3.2.4/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/02/13/libressl-3.2.4/</guid>
|
|
<pubDate>Sat, 13 Feb 2021 06:32:39 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="description">Description</h2>
|
|
<p>Following the <a href="https://openbsd.fr.eu.org/posts/2021/02/03/syspatch-libressl-6.8/">libressl</a> patch, the OpenBSD team has released a new version of LibreSSL.</p>
|
|
<p>It includes the following bug and interoperability fixes:</p>
|
|
<pre><code>* Switch back to certificate verification code from LibreSSL 3.1.x. The
|
|
new verifier is not bug compatible with the old verifier causing issues
|
|
with applications expecting behavior of the old verifier.
|
|
|
|
* Unbreak DTLS retransmissions for flights that include a CCS
|
|
|
|
* Only check BIO_should_read() on read and BIO_should_write() on write
|
|
|
|
* Implement autochain for the TLSv1.3 server
|
|
|
|
* Use the legacy verifier for autochain
|
|
|
|
* Implement exporter for TLSv1.3
|
|
|
|
* Free alert_data and phh_data in tls13_record_layer_free()
|
|
|
|
* Plug leak in x509_verify_chain_dup()
|
|
|
|
* Free the policy tree in x509_vfy_check_policy()
|
|
</code></pre><hr>
|
|
<p>See the release notes:</p>
|
|
<ul>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.4-relnotes.txt">3.2.4</a></li>
|
|
</ul>
|
|
<hr>
|
|
</description>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/categories/libressl/">LibreSSL</category>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/libressl/">LibreSSL</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/3.2/">3.2</category>
|
|
|
|
|
|
|
|
|
|
|
|
</item>
|
|
|
|
<item>
|
|
<title>Syspatch : libressl (2021/02/02)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/02/03/syspatch-libressl-6.8/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/02/03/syspatch-libressl-6.8/</guid>
|
|
<pubDate>Wed, 03 Feb 2021 07:14:19 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-fiabilité-libressl">libressl reliability fix</h2>
|
|
<p><strong>Numerous interoperability problems and memory flaws were discovered in the libcrypto and libssl libraries.</strong></p>
|
|
<p>It may be necessary to restart some services, such as isakmpd and unwind.</p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/02/03/syspatch-libressl-6.8/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/02/03/syspatch-libressl-6.8/#restart">restart</a> the affected services, if you use them!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/013_libressl.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 013_libressl.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt"> 1
|
|
</span><span class="lnt"> 2
|
|
</span><span class="lnt"> 3
|
|
</span><span class="lnt"> 4
|
|
</span><span class="lnt"> 5
|
|
</span><span class="lnt"> 6
|
|
</span><span class="lnt"> 7
|
|
</span><span class="lnt"> 8
|
|
</span><span class="lnt"> 9
|
|
</span><span class="lnt">10
|
|
</span><span class="lnt">11
|
|
</span><span class="lnt">12
|
|
</span><span class="lnt">13
|
|
</span><span class="lnt">14
|
|
</span><span class="lnt">15
|
|
</span><span class="lnt">16
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="nb">cd</span> /usr/src/lib/libcrypto
|
|
make obj
|
|
make
|
|
make install
|
|
<span class="nb">cd</span> /usr/src/lib/libssl
|
|
make obj
|
|
make
|
|
make install
|
|
<span class="nb">cd</span> /usr/src/sbin/isakmpd
|
|
make obj
|
|
make
|
|
make install
|
|
<span class="nb">cd</span> /usr/src/sbin/unwind
|
|
make obj
|
|
make
|
|
make install
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Finally, <a href="https://openbsd.fr.eu.org/posts/2021/02/03/syspatch-libressl-6.8/#restart">restart</a> the services, if they are in use.</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart isakmpd unwind</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information is available on the Errata page for <a href="https://openbsd.org/errata68.html">6.8</a>… <br>
<em>and in the corresponding French version: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/libressl/">LibreSSL</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
|
|
|
|
|
|
|
|
|
|
|
|
</item>
|
|
|
|
<item>
|
|
<title>Syspatch : carp (2021/01/13)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/01/13/syspatch-carp-bpf/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/01/13/syspatch-carp-bpf/</guid>
|
|
<pubDate>Wed, 13 Jan 2021 20:02:39 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-fiabilité-carp">carp reliability fix</h2>
|
|
<p><strong>Using bpf(4) on a CARP interface could lead to a use-after-free error</strong>.</p>
|
|
<p>You must <strong>reboot the machine</strong> because this patch affects the kernel.</p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/01/13/syspatch-carp-bpf/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/01/13/syspatch-carp-bpf/#restart">reboot</a> the machine!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/012_carp.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 012_carp.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span><span class="lnt">4
|
|
</span><span class="lnt">5
|
|
</span><span class="lnt">6
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># KK=`sysctl -n kern.osversion | cut -d# -f1`</span>
|
|
<span class="c1"># cd /usr/src/sys/arch/`machine`/compile/$KK</span>
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make config</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Finally, <a href="https://openbsd.fr.eu.org/posts/2021/01/13/syspatch-carp-bpf/#restart">reboot</a> the machine!</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># reboot</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information is available on the Errata pages for <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a>… <br>
<em>and in their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/carp/">carp</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/bpf/">bpf</category>
|
|
|
|
|
|
|
|
|
|
|
|
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
|
|
|
|
|
|
|
|
|
|
|
|
</item>
|
|
|
|
<item>
|
|
<title>Syspatch : NDP - IPv6 (2021/01/11)</title>
|
|
<link>https://openbsd.fr.eu.org/posts/2021/01/11/syspatch-nd6/</link>
|
|
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2021/01/11/syspatch-nd6/</guid>
|
|
<pubDate>Mon, 11 Jan 2021 15:05:12 +0100</pubDate>
|
|
|
|
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
|
|
|
|
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
|
|
|
|
<description><h2 id="correctif-de-fiabilité--nd6">nd6 reliability fix</h2>
|
|
<p><strong>When an NDP entry is invalid at layer 2, it is not invalidated.</strong></p>
|
|
<p>You must <strong>reboot the machine</strong> because this patch affects the kernel.</p>
|
|
<p>For all supported architectures:</p>
|
|
<ul>
|
|
<li>amd64, arm64, i386 via <code>syspatch</code></li>
|
|
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2021/01/11/syspatch-nd6/#recompilation">recompilation</a></li>
|
|
</ul>
|
|
<hr>
|
|
<h2 id="syspatch">Syspatch</h2>
|
|
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2021/01/11/syspatch-nd6/#restart">reboot</a> the machine!</p>
|
|
<h2 id="recompilation">Recompilation</h2>
|
|
<p>For any other architecture supported by the OpenBSD project, here are the required recompilation steps:</p>
|
|
<p>⇒ After downloading the patch, verify it and apply it:</p>
|
|
<ul>
|
|
<li>For 6.8:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/011_nd6.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 011_nd6.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><ul>
|
|
<li>For 6.7:</li>
|
|
</ul>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/034_nd6.patch.sig</span>
|
|
<span class="c1"># signify -Vep /etc/signify/openbsd-67-base.pub -x 034_nd6.patch.sig \</span>
|
|
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>⇒ The recompilation phase:</p>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span><span class="lnt">2
|
|
</span><span class="lnt">3
|
|
</span><span class="lnt">4
|
|
</span><span class="lnt">5
|
|
</span><span class="lnt">6
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># KK=`sysctl -n kern.osversion | cut -d# -f1`</span>
|
|
<span class="c1"># cd /usr/src/sys/arch/`machine`/compile/$KK</span>
|
|
<span class="c1"># make obj</span>
|
|
<span class="c1"># make config</span>
|
|
<span class="c1"># make</span>
|
|
<span class="c1"># make install</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><p>Finally, <a href="https://openbsd.fr.eu.org/posts/2021/01/11/syspatch-nd6/#restart">reboot</a> the machine!</p>
|
|
<h2 id="restart">Restart</h2>
|
|
<div class="highlight"><div class="chroma">
|
|
<table class="lntable"><tr><td class="lntd">
|
|
<pre class="chroma"><code><span class="lnt">1
|
|
</span></code></pre></td>
|
|
<td class="lntd">
|
|
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># reboot</span>
|
|
</code></pre></td></tr></table>
|
|
</div>
|
|
</div><hr>
|
|
<p>More information is available on the Errata pages for <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a>… <br>
<em>and in their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
|
|
<hr>
|
|
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/ndp/">NDP</category>
<category domain="https://openbsd.fr.eu.org/tags/ipv6/">IPv6</category>
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
</item>
<item>
<title>Syspatch: smtpd (2020/12/23)</title>
<link>https://openbsd.fr.eu.org/posts/2020/12/24/syspatch-smptd-6.7-6.8/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2020/12/24/syspatch-smptd-6.7-6.8/</guid>
<pubDate>Thu, 24 Dec 2020 15:05:12 +0100</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="correctif-de-fiabilité-smtpd">smtpd reliability fix</h2>
<p><strong>smtpd&rsquo;s filter state machine can prematurely release
resources, leading to a crash</strong>.</p>
<p>The <strong>service must be restarted</strong> after applying the patch!</p>
<p>For all supported architectures:</p>
<ul>
<li>amd64, arm64, i386 via <code>syspatch</code></li>
<li>armv7, hppa, landisk, loongson, luna88k, macppc, sparc64 via <a href="https://openbsd.fr.eu.org/posts/2020/12/24/syspatch-smptd-6.7-6.8/#recompilation">recompilation</a></li>
</ul>
<hr>
<h2 id="syspatch">Syspatch</h2>
<p>This step applies only to the amd64, arm64 and i386 architectures!</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># syspatch</span>
</code></pre></td></tr></table>
</div>
</div><p>Then <a href="https://openbsd.fr.eu.org/posts/2020/12/24/syspatch-smptd-6.7-6.8/#restart">restart</a> the service!</p>
<h2 id="recompilation">Recompilation</h2>
<p>For any other architecture supported by the OpenBSD project, here are
the required recompilation steps:</p>
<p>⇒ After downloading the patch, verify it and apply it:</p>
<ul>
<li>For 6.8:</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/010_smtpd.patch.sig</span>
<span class="c1"># signify -Vep /etc/signify/openbsd-68-base.pub -x 010_smtpd.patch.sig \</span>
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
</code></pre></td></tr></table>
</div>
</div><ul>
<li>For 6.7:</li>
</ul>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># wget https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/033_smtpd.patch.sig</span>
<span class="c1"># signify -Vep /etc/signify/openbsd-67-base.pub -x 033_smtpd.patch.sig \</span>
-m - <span class="p">|</span> <span class="o">(</span><span class="nb">cd</span> /usr/src <span class="o">&amp;&amp;</span> patch -p0<span class="o">)</span>
</code></pre></td></tr></table>
</div>
</div><p>⇒ The recompilation phase:</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span><span class="lnt">2
</span><span class="lnt">3
</span><span class="lnt">4
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># cd /usr/src/usr.sbin/smtpd</span>
<span class="c1"># make obj</span>
<span class="c1"># make</span>
<span class="c1"># make install</span>
</code></pre></td></tr></table>
</div>
</div><p>Finally, <a href="https://openbsd.fr.eu.org/posts/2020/12/24/syspatch-smptd-6.7-6.8/#restart">restart</a> the service!</p>
<h2 id="restart">Restart</h2>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ksh" data-lang="ksh"><span class="c1"># rcctl restart smtpd</span>
</code></pre></td></tr></table>
</div>
</div><hr>
<p>More information on the Errata pages for <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a>… <br>
<em>and their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/smtpd/">smtpd</category>
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
</item>
<item>
<title>LibreSSL: 3.3.1, 3.2.3, 3.1.5</title>
<link>https://openbsd.fr.eu.org/posts/2020/12/09/libressl-3.3.1-3.2.3-3.1.5/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2020/12/09/libressl-3.3.1-3.2.3-3.1.5/</guid>
<pubDate>Wed, 09 Dec 2020 13:23:17 +0100</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="description">Description</h2>
<p>Following the <a href="https://openbsd.fr.eu.org/posts/2020/12/09/syspatch-asn1-exit/#correctif-de-s%C3%A9curit%C3%A9-asn1">security fix concerning asn.1</a>, the OpenBSD team
is releasing three new versions of LibreSSL.</p>
<p>The release notes for each of these three versions:</p>
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.1-relnotes.txt">3.3.1</a></li>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt">3.2.3</a></li>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt">3.1.5</a></li>
</ul>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/libressl/">LibreSSL</category>
<category domain="https://openbsd.fr.eu.org/tags/libressl/">LibreSSL</category>
<category domain="https://openbsd.fr.eu.org/tags/3.3/">3.3</category>
<category domain="https://openbsd.fr.eu.org/tags/3.2/">3.2</category>
<category domain="https://openbsd.fr.eu.org/tags/3.1/">3.1</category>
</item>
<item>
<title>OpenNTPD 6.8p1</title>
<link>https://openbsd.fr.eu.org/posts/2020/12/09/openntpd-6.8p1/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2020/12/09/openntpd-6.8p1/</guid>
<pubDate>Wed, 09 Dec 2020 13:13:58 +0100</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="description">Description</h2>
<p>The OpenBSD team has released a new version of OpenNTPD, <strong>6.8p1</strong>.</p>
<p><em>it has been a few years since the last major release, 6.2p3</em></p>
<h2 id="changelog">Changelog</h2>
<ul>
<li>
<p>The ntpd daemon now gets and sets the clock in a secure way when booting
even when a battery-backed clock is absent.</p>
</li>
<li>
<p>Improvements in DNS resolving and constraints checking, especially during
startup. Unreliable NTP peers are removed from the pool and DNS resolving
is repeated to add replacements.</p>
</li>
<li>
<p>Improved reliability and security of TLS constraint checking.</p>
</li>
<li>
<p>Improved logging of failure cases.</p>
</li>
<li>
<p>Prevent the case of multiple ntpds running at once by checking presence
of the local control socket.</p>
</li>
<li>
<p>TLS certificates are now searched in TLS_CA_CERT_FILE.</p>
</li>
<li>
<p>The default ntpd.conf configuration file now uses 9.9.9.9 and
2620:fe::fe, in addition to google.com, when performing time constraint
validation.</p>
</li>
<li>
<p>Improved handling of unsynched mode when there are no replies from an NTP
server, such as when there are network connectivity issues.</p>
</li>
<li>
<p>To build OpenNTPD with time constraint support, libtls from LibreSSL
3.2.2 or later is recommended.</p>
</li>
</ul>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/openntpd/">OpenNTPD</category>
<category domain="https://openbsd.fr.eu.org/tags/openntpd/">OpenNTPD</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
</item>
<item>
<title>Syspatch: asn.1, exit (2020/12/08)</title>
<link>https://openbsd.fr.eu.org/posts/2020/12/09/syspatch-asn1-exit/</link>
<guid isPermaLink="true">https://openbsd.fr.eu.org/posts/2020/12/09/syspatch-asn1-exit/</guid>
<pubDate>Wed, 09 Dec 2020 12:51:50 +0100</pubDate>
<author>puffy@openbsd.fr.eu.org (OBSD4a)</author>
<copyright>[CC 0](https://creativecommons.org/publicdomain/zero/1.0/deed.fr)</copyright>
<description><h2 id="correctif-de-sécurité-asn1">asn.1 security fix</h2>
<p>Concerning LibreSSL, <strong>malformed ASN.1 in a certificate
revocation list or a timestamp response can lead to a
NULL pointer dereference</strong></p>
<ul>
<li>the fix affects the OpenBSD 6.7 and 6.8 kernel and requires rebooting
the machine</li>
</ul>
<h2 id="correctif-de-fiabilité-exit">exit reliability fix</h2>
<p><strong>During process exit in multithreaded programs, a wrong
exit code can be reported</strong>.</p>
<hr>
<p>More information on the Errata pages for <a href="https://openbsd.org/errata68.html">6.8</a> and <a href="https://openbsd.org/errata67.html">6.7</a>… <br>
<em>and their respective French versions: <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata68">6.8 FR</a> and <a href="https://wiki.openbsd.fr.eu.org/doku.php/openbsd.org/errata67">6.7 FR</a>.</em></p>
<hr>
</description>
<category domain="https://openbsd.fr.eu.org/categories/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/syspatch/">Syspatch</category>
<category domain="https://openbsd.fr.eu.org/tags/asn.1/">asn.1</category>
<category domain="https://openbsd.fr.eu.org/tags/exit/">exit</category>
<category domain="https://openbsd.fr.eu.org/tags/6.7/">6.7</category>
<category domain="https://openbsd.fr.eu.org/tags/6.8/">6.8</category>
</item>
</channel>
</rss>