The OpenBSD folks are pleased to announce the official release of OpenBSD 3.4. This is their 14th release on CD-ROM (and 15th via FTP). They remain proud of OpenBSD’s record of seven years with only a single remote hole in the default install. As with previous releases, 3.4 provides significant improvements, including new features, in nearly all areas of the system:
– Ever-improving security (http://www.OpenBSD.org/security.html)
o W^X (pronounced: “W xor X”) improvements, especially on the i386
architecture. Native i386 binaries have their executable segments
rearranged to support isolating code from data, and the cpu CS limit
is used to impose a best effort limit on code execution.
o ld.so on ELF platforms now loads libraries in a randomized order.
Furthermore, on the i386 architecture, libraries and executable code
are mapped at random addresses. Together with W^X and ProPolice, these
changes increase the difficulty of successfully exploiting an
o A static bounds checker has been added to the system compiler, designed
to detect improper use of string and buffer manipulation functions.
Through use of this checker, hundreds of bugs of in the source and
ports trees were found and fixed.
o Privilege separation has been implemented for the syslog daemon, making
it much more robust against future errors. The child which listens to
network traffic now runs as a normal user and chroots itself, while
the parent process tracks the state of the child and performs privileged
operations on its behalf.
o Thousands of occurrences of unsafe library calls such as strcpy(),
strcat() and sprintf() have been changed to the safer alternatives
strlcpy(), strlcat(), and snprintf() or asprintf() in one of the most
intensive audits yet performed by the OpenBSD project. The kernel is
now completely free of these functions, as is most of the userland
o Many improvements and bug fixes in the ProPolice stack protector.
Several other code generation bugs for RISC architectures were also
found and fixed.
o The kernel is now also compiled with the ProPolice stack protector.
o Privilege separation has been implemented in the X server.
The privileged child process is responsible for the operations that
cannot be done after the main process has switched to a non-privileged
user. This greatly reduces the potential damage that could be caused
by malicious X clients, in case of bugs in the X server.
o Emulation support for binary compatibility is now controlled via
sysctl. Emulation is now disabled by default to limit exposure to
malicious binaries, and can be enabled in sysctl.conf(5).
o The ports tree now supports building programs with systrace(1),
reducing the risk of harm at compile time via trojaned configure
– Improved hardware support (http://www.OpenBSD.org/plat.html)
o Support for AES instruction on just released VIA C3 processors,
capable of 1.6Gbit/s AES128-CBC in openssl(1) speed tests.
o Kauai ATA controllers (Apple ATA100 wdc) enabling support for
Powerbook 12″ and 17″ models.
o Support for controlling LongRun registers on Transmeta CPUs.
o Many fixes to aac(4), ahc(4), osiop(4), siop(4) SCSI drivers.
o New it(4), lm(4) and viaenv(4) hardware monitor drivers.
o New safe(4) driver for SafeNet crypto accelerators.
o New mtd(4) driver for Myson Technologies network cards.
o More ethernet cards supported by sk(4), wi(4), fxp(4), and dc(4).
o Massive overhaul and sync with NetBSD of the entire usb(4) system.
o New and better support for various controllers in pciide(4), including
experimental support for Serial ATA controllers.
o New drivers to support mgx(4) and pninek(4) SPARC framebuffers.
The vigra(4) driver also supports more models.
o pcmcia(4) support for Tadpole SPARCBooks and SPARCs with pcmcia-sbus
– Major improvements in the pf packet filter, including:
o Packet tagging (e.g. filter on tags added by bridge based on MAC address)
o Stateful TCP normalization (prevent uptime calculation and NAT detection)
o Passive OS detection (filter or redirect connections based on source OS)
o SYN proxy (protect servers against SYN flood attacks)
o Adaptive state timeouts (prevent state table overflows under attack)
– New features and significant bug-fixes included with 3.4
o Symbol caching in ld.so reducing the start up time of large applications.
o More licenses fixes, including the removal of the advertising clause
for large parts of the source tree.
o Replacement of GNU diff/diff3, grep/egrep/fgrep/zgrep/zegrep/zfgrep,
and gzip/zcat/gunzip/gzcat/zcmp/zmore/zdiff/zforce/gzexe/znew with BSD
o Addition of read-only support for NTFS file systems.
o Reliability improvements to layered file systems, enabling NULLFS
to work again.
o Import of growfs(8) utility, allowing expansion of existing file systems.
o Improvements to the Linux emulator enabling more applications to run
with greater stability.
o Significant improvements to the pthread library.
o Replace many static fd_set uses, to instead use poll(2) or dynamic
o ANSIfication and stricter prototypes for a large portion of the source tree.
o Legacy KerberosIV support has been removed, and the remaining KerberosV
codebase has been restructured for easier management.
o USER_LDT option now controllable via sysctl.
o Many, many man page improvements.
– The “ports” tree is greatly improved (http://www.OpenBSD.org/ports.html)
o The 3.4 CD-ROMs ship with many pre-built packages for the common
architectures. The FTP site contains hundreds more packages
(for the important architectures) which we could not fit onto
the CD-ROMs (or which had prohibitive licenses).
– The system includes the following major components from outside suppliers:
o XFree86 4.3.0 (+ patches).
o gcc 2.95.3 (+ patches and ProPolice).
o Perl 5.8.0 (+ patches).
o Apache 1.3.28 and mod_ssl 2.8.15, DSO support (+ patches).
o OpenSSL 0.9.7b (+ patches).
o Groff 1.15.
o Sendmail 8.12.9.
o Bind 9.2.2 (+ patches).
o Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)
o Sudo 1.6.7p5.
o Ncurses 5.2.
o KAME-stable IPv6.
o Heimdal 0.6rc1 (+ patches)
o OpenSSH 3.7.1
If you’d like to see a list of what has changed between OpenBSD 3.3
and 3.4, look at
Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
– SECURITY AND ERRATA ————————————————–
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.4 FTP/CD-ROM binaries and the actual 3.4
release date, our team found and fixed some new reliability problems
(note: most are minor, and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems — and we always provide patches as soon as
possible. Therefore, we advise regular visits to
Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list. For information on OpenBSD mailing lists, please see:
– CD-ROM SALES ———————————————————-
OpenBSD 3.4 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track,
“The Legend of Puffy Hood.” Lyrics for the song may be found at:
Profits from CD sales are the primary income source for the OpenBSD
project — in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.
The OpenBSD 3.4 CD-ROMs are bootable on the following four platforms:
o sparc64 (UltraSPARC)
(Other platforms must boot from floppy, network, or other method).
For more information on ordering CD-ROMs, see:
The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:
or, for European orders:
All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are highly
appreciated, as described in more detail at:
– T-SHIRT SALES ——————————————————–
The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:
and for Europe:
The OpenBSD 3.4 and OpenSSH t-shirts are available now!
– FTP INSTALLS ———————————————————
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.
1) Read either of the following two files for a list of ftp
mirrors which provide OpenBSD, then choose one near you:
As of Nov 1, 2003, the following ftp sites have the 3.4 release:
ftp://ftp.ca.openbsd.org/pub/OpenBSD/3.4/ Alberta, Canada
(above is master site, please USE A MIRROR below)
ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.4/ Boulder, CO, USA
ftp://ftp7.usa.openbsd.org/pub/os/OpenBSD/3.4/ West Lafayette, IN, USA
ftp://openbsd.wiretapped.net/pub/OpenBSD/3.4/ Sydney, Australia
ftp://ftp.kd85.com/pub/OpenBSD/3.4/ Lovendegem, Belgium
ftp://ftp.calyx.nl/pub/OpenBSD/3.4/ Amsterdam, Netherlands
ftp://ftp.se.openbsd.org/pub/OpenBSD/3.4/ Stockholm, Sweden
Other mirrors will take a day or two to update.
2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/3.4/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT XF4.tar.gz mac68k/ sparc/
Changelogs/ alpha/ macppc/ sparc64/
HARDWARE ftplist mvme68k/ src.tar.gz
PACKAGES hp300/ packages/ sys.tar.gz
PORTS hppa/ ports.tar.gz tools/
README i386/ root.mail vax/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README – generic README
HARDWARE – list of hardware we support
PORTS – description of our “ports” tree
PACKAGES – description of pre-compiled packages
root.mail – a copy of root’s mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:
CKSUM INSTALL.os2br cdrom34.fs index.txt
INSTALL.ata INSTALL.pt comp34.tgz man34.tgz
INSTALL.chs MD5 etc34.tgz misc34.tgz
INSTALL.dbr base34.tgz floppy34.fs xbase34.tgz
INSTALL.i386 bsd floppyB34.fs xfont34.tgz
INSTALL.linux bsd.rd floppyC34.fs xserv34.tgz
INSTALL.mbr cd34.iso game34.tgz xshare34.tgz
If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs or cd34.iso file. Consult the
INSTALL.i386 file if you don’t know which of the floppy images
you need (or simply fetch all of them).
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
This is the page where we talk about the mistakes we made while
creating the 3.4 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
Note: If you end up needing to write a raw floppy using Windows,
you can use “fdimage.exe” located in the pub/OpenBSD/3.4/tools
directory to do so.
– XFree86 FOR MOST ARCHITECTURES —————————————
XFree86 has been integrated more closely into the system. This
release contains XFree86 4.3.0. Most of our architectures ship
with XFree86, including sparc, sparc64 and macppc. During installation,
you can install XFree86 quite easily. Be sure to try out xdm(1)
and see how we have customized it for OpenBSD.
On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by XFree86
4.3.0 or where XFree86 4.3.0 support is buggy. Please read the
/usr/X11R6/README file for post-installation information.
– PORTS TREE ———————————————————–
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.4 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.
Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
– BINARY PACKAGES WE PROVIDE ——————————————-
A large number of binary packages are provided. Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.4/PACKAGES) for more details.
– SYSTEM SOURCE CODE —————————————————
The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/3.4/README)
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.4/ directory:
XF4.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
– THANKS —————————————————————
OpenBSD 3.4 includes artwork and CD artistic layout by Ty Semaka,
who also wrote the lyrics and arranged an audio track on the OpenBSD
3.4 CD set. Ports tree and package building by Christian Weisgerber
and Peter Valchev. System builds by Theo de Raadt, Henning Brauer,
and Michael Shalayeff. ISO-9660 filesystem layout by Theo de Raadt.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.4 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.
Our developers are:
Aaron Campbell, Alexander Yurchenko, Andreas Gunnarsson,
Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,
Ben Lindstrom, Bjorn Sandell, Bob Beck, Brad Smith, Brandon Creighton,
Brian Caswell, Brian Somers, Bruno Rohee, Camiel Dobbelaar,
Can Erkin Acar, Cedric Berger, Chad Loder, Chris Cappuccio,
Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn,
Damien Couderc, Damien Miller, Dan Harnett, Daniel Hartmeier,
David B Terrell, David Krause, David Lebel, David Leonard, Dug Song,
Eric Jackson, Federico G. Schwindt, Grigoriy Orlov, Hakan Olsson,
Hans Insulander, Heikki Korpela, Henning Brauer, Henric Jungheim,
Hiroaki Etoh, Horacio Menezo Ganau, Hugh Graham, Ian Darwin,
Jakob Schlyter, Jan-Uwe Finck, Jason Ish, Jason McIntyre, Jason Peel,
Jason Wright, Jean-Baptiste Marchand, Jean-Francois Brousseau,
Jean-Jacques Bernard-Gundol, Jim Rees, Jolan Luff, Jose Nazario,
Joshua Stein, Jun-ichiro itojun Hagino, Kenjiro Cho,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,
Louis Bertrand, Magnus Holmberg, Marc Espie, Marc Matteo, Marco S Hyman,
Marcus Watts, Margarida Sequeira, Mark Grimes, Markus Friedl,
Mats O Jansson, Matt Behrens, Matt Smart, Matthew Jacob, Matthieu Herrb,
Michael Shalayeff, Michael T. Stolarchuk, Mike Frantzen, Mike Pechkin,
Miod Vallat, Nathan Binkert, Nick Holland, Niels Provos, Niklas Hallqvist,
Nikolay Sturm, Nils Nordman, Oleg Safiullin, Otto Moerbeek, Paul Janzen,
Peter Galbavy, Peter Stromberg, Peter Valchev, Philipp Buehler,
Reinhard J. Sammer, Rich Cannings, Ryan Thomas McBride,
Shell Hin-lik Hung, Steve Murphree, Ted Unangst, Theo de Raadt,
Thierry Deval, Thomas Nordin, Thorsten Lockert, Tobias Weingartner,
Todd C. Miller, Todd T. Fries, Vincent Labrecque, Wilbern Cobb,