October 30th, 2003, 19:08
We just couldn't wait another 2 days, so now you can enjoy OpenBSD 3.4
little early and protect yourself from ghosts and goblins.


Nov 1, 2003.

We are pleased to announce the official release of OpenBSD 3.4.
This is our 14th release on CD-ROM (and 15th via FTP). We remain
proud of OpenBSD's record of seven years with only a single remote
hole in the default install. As in our previous releases, 3.4
provides significant improvements, including new features, in nearly
all areas of the system:

- Ever-improving security

o W^X (pronounced: "W xor X") improvements, especially on the i386
architecture. Native i386 binaries have their executable segments
rearranged to support isolating code from data, and the cpu CS
is used to impose a best effort limit on code execution.

o on ELF platforms now loads libraries in a randomized order.
Furthermore, on the i386 architecture, libraries and executable
are mapped at random addresses. Together with W^X and ProPolice,
changes increase the difficulty of successfully exploiting an
application error.

o A static bounds checker has been added to the system compiler,
to detect improper use of string and buffer manipulation functions.
Through use of this checker, hundreds of bugs of in the source and
ports trees were found and fixed.

o Privilege separation has been implemented for the syslog daemon,
it much more robust against future errors. The child which listens
network traffic now runs as a normal user and chroots itself, while
the parent process tracks the state of the child and performs
operations on its behalf.

o Thousands of occurrences of unsafe library calls such as strcpy(),
strcat() and sprintf() have been changed to the safer alternatives
strlcpy(), strlcat(), and snprintf() or asprintf() in one of the
intensive audits yet performed by the OpenBSD project. The kernel
now completely free of these functions, as is most of the userland
source tree.

o Many improvements and bug fixes in the ProPolice stack protector.
Several other code generation bugs for RISC architectures were also
found and fixed.

o The kernel is now also compiled with the ProPolice stack protector.

o Privilege separation has been implemented in the X server.
The privileged child process is responsible for the operations that
cannot be done after the main process has switched to a
user. This greatly reduces the potential damage that could be
by malicious X clients, in case of bugs in the X server.

o Emulation support for binary compatibility is now controlled via
sysctl. Emulation is now disabled by default to limit exposure to
malicious binaries, and can be enabled in sysctl.conf(5).

o The ports tree now supports building programs with systrace(1),
reducing the risk of harm at compile time via trojaned configure

- Improved hardware support

o Support for AES instruction on just released VIA C3 processors,
capable of 1.6Gbit/s AES128-CBC in openssl(1) speed tests.

o Kauai ATA controllers (Apple ATA100 wdc) enabling support for
Powerbook 12" and 17" models.

o Support for controlling LongRun registers on Transmeta CPUs.

o Many fixes to aac(4), ahc(4), osiop(4), siop(4) SCSI drivers.

o New it(4), lm(4) and viaenv(4) hardware monitor drivers.

o New safe(4) driver for SafeNet crypto accelerators.

o New mtd(4) driver for Myson Technologies network cards.

o More ethernet cards supported by sk(4), wi(4), fxp(4), and dc(4).

o Massive overhaul and sync with NetBSD of the entire usb(4) system.

o New and better support for various controllers in pciide(4),
experimental support for Serial ATA controllers.

o New drivers to support mgx(4) and pninek(4) SPARC framebuffers.
The vigra(4) driver also supports more models.

o pcmcia(4) support for Tadpole SPARCBooks and SPARCs with

- Major improvements in the pf packet filter, including:

o Packet tagging (e.g. filter on tags added by bridge based on MAC

o Stateful TCP normalization (prevent uptime calculation and NAT

o Passive OS detection (filter or redirect connections based on
source OS)

o SYN proxy (protect servers against SYN flood attacks)

o Adaptive state timeouts (prevent state table overflows under

- New features and significant bug-fixes included with 3.4

o Symbol caching in reducing the start up time of large

o More licenses fixes, including the removal of the advertising
for large parts of the source tree.

o Replacement of GNU diff/diff3,
and gzip/zcat/gunzip/gzcat/zcmp/zmore/zdiff/zforce/gzexe/znew with
licensed equivalents.

o Addition of read-only support for NTFS file systems.

o Reliability improvements to layered file systems, enabling NULLFS
to work again.

o Import of growfs(8) utility, allowing expansion of existing file

o Improvements to the Linux emulator enabling more applications to
with greater stability.

o Significant improvements to the pthread library.

o Replace many static fd_set uses, to instead use poll(2) or dynamic

o ANSIfication and stricter prototypes for a large portion of the
source tree.

o Legacy KerberosIV support has been removed, and the remaining
codebase has been restructured for easier management.

o USER_LDT option now controllable via sysctl.

o Many, many man page improvements.

- The "ports" tree is greatly improved

o The 3.4 CD-ROMs ship with many pre-built packages for the common
architectures. The FTP site contains hundreds more packages
(for the important architectures) which we could not fit onto
the CD-ROMs (or which had prohibitive licenses).

- The system includes the following major components from outside

o XFree86 4.3.0 (+ patches).

o gcc 2.95.3 (+ patches and ProPolice).

o Perl 5.8.0 (+ patches).

o Apache 1.3.28 and mod_ssl 2.8.15, DSO support (+ patches).

o OpenSSL 0.9.7b (+ patches).

o Groff 1.15.

o Sendmail 8.12.9.

o Bind 9.2.2 (+ patches).

o Lynx 2.8.4rel.1 with HTTPS and IPv6 support (+ patches)

o Sudo 1.6.7p5.

o Ncurses 5.2.

o KAME-stable IPv6.

o Heimdal 0.6rc1 (+ patches)

o Arla-current

o OpenSSH 3.7.1

If you'd like to see a list of what has changed between OpenBSD 3.3
and 3.4, look at

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.


We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 3.4 FTP/CD-ROM binaries and the actual 3.4
release date, our team found and fixed some new reliability problems
(note: most are minor, and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible. Therefore, we advise regular visits to

Security patch announcements are sent to the
mailing list. For information on OpenBSD mailing lists, please see:


OpenBSD 3.4 is also available on CD-ROM. The 3-CD set costs $40USD
(EUR 45) and is available via mail order and from a number of
contacts around the world. The set includes a colorful booklet
which carefully explains the installation of OpenBSD. A new set
of cute little stickers are also included (sorry, but our FTP mirror
sites do not support STP, the Sticker Transfer Protocol). As an
added bonus, the second CD contains an exclusive audio track,
"The Legend of Puffy Hood." Lyrics for the song may be found at:

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 3.4 CD-ROMs are bootable on the following four platforms:
o i386
o macppc
o sparc
o sparc64 (UltraSPARC)

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:

or, for European orders:

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are highly
appreciated, as described in more detail at:


The project continues to expand its funding base by selling t-shirts
and polo shirts. And our users like them too. We have a variety
of shirts available, with the new and old designs, from our web
ordering system at:

and for Europe:

The OpenBSD 3.4 and OpenSSH t-shirts are available now!


If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP. Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet. Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP. With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
mirrors which provide OpenBSD, then choose one near you:

As of Nov 1, 2003, the following ftp sites have the 3.4 release: Alberta, Canada
(above is master site, please USE A MIRROR below) Boulder, CO, USA West Lafayette, IN, USA Sydney, Australia Lovendegem, Belgium Amsterdam, Netherlands Stockholm, Sweden Turkey

Other mirrors will take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/3.4/ which contains these files and directories.
This is a list of what you will see:

ANNOUNCEMENT XF4.tar.gz mac68k/ sparc/
Changelogs/ alpha/ macppc/ sparc64/
HARDWARE ftplist mvme68k/ src.tar.gz
PACKAGES hp300/ packages/ sys.tar.gz
PORTS hppa/ ports.tar.gz tools/
README i386/ root.mail vax/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

HARDWARE - list of hardware we support
PORTS - description of our "ports" tree
PACKAGES - description of pre-compiled packages
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:

CKSUM INSTALL.os2br cdrom34.fs index.txt
INSTALL.ata comp34.tgz man34.tgz
INSTALL.chs MD5 etc34.tgz misc34.tgz
INSTALL.dbr base34.tgz floppy34.fs xbase34.tgz
INSTALL.i386 bsd floppyB34.fs xfont34.tgz
INSTALL.linux bsd.rd floppyC34.fs xserv34.tgz
INSTALL.mbr cd34.iso game34.tgz xshare34.tgz

If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs or cd34.iso file. Consult the
INSTALL.i386 file if you don't know which of the floppy images
you need (or simply fetch all of them).

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

This is the page where we talk about the mistakes we made while
creating the 3.4 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
you can use "fdimage.exe" located in the pub/OpenBSD/3.4/tools
directory to do so.


XFree86 has been integrated more closely into the system. This
release contains XFree86 4.3.0. Most of our architectures ship
with XFree86, including sparc, sparc64 and macppc. During
you can install XFree86 quite easily. Be sure to try out xdm(1)
and see how we have customized it for OpenBSD.

On the i386 platform a few older X servers are included from XFree86
3.3.6. These can be used for cards that are not supported by XFree86
4.3.0 or where XFree86 4.3.0 support is buggy. Please read the
/usr/X11R6/README file for post-installation information.


The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 3.4 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).


A large number of binary packages are provided. Please see the
file ( for more details.


The CD-ROMs contain source code for all the subsystems explained
above, and the README (
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/3.4/ directory:

XF4.tar.gz ports.tar.gz src.tar.gz sys.tar.gz


OpenBSD 3.4 includes artwork and CD artistic layout by Ty Semaka,
who also wrote the lyrics and arranged an audio track on the OpenBSD
3.4 CD set. Ports tree and package building by Christian Weisgerber
and Peter Valchev. System builds by Theo de Raadt, Henning Brauer,
and Michael Shalayeff. ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 3.4 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Aaron Campbell, Alexander Yurchenko, Andreas Gunnarsson,
Angelos D. Keromytis, Anil Madhavapeddy, Artur Grabowski,
Ben Lindstrom, Bjorn Sandell, Bob Beck, Brad Smith, Brandon
Brian Caswell, Brian Somers, Bruno Rohee, Camiel Dobbelaar,
Can Erkin Acar, Cedric Berger, Chad Loder, Chris Cappuccio,
Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn,
Damien Couderc, Damien Miller, Dan Harnett, Daniel Hartmeier,
David B Terrell, David Krause, David Lebel, David Leonard, Dug
Eric Jackson, Federico G. Schwindt, Grigoriy Orlov, Hakan Olsson,
Hans Insulander, Heikki Korpela, Henning Brauer, Henric Jungheim,
Hiroaki Etoh, Horacio Menezo Ganau, Hugh Graham, Ian Darwin,
Jakob Schlyter, Jan-Uwe Finck, Jason Ish, Jason McIntyre, Jason
Jason Wright, Jean-Baptiste Marchand, Jean-Francois Brousseau,
Jean-Jacques Bernard-Gundol, Jim Rees, Jolan Luff, Jose Nazario,
Joshua Stein, Jun-ichiro itojun Hagino, Kenjiro Cho,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,
Louis Bertrand, Magnus Holmberg, Marc Espie, Marc Matteo, Marco S
Marcus Watts, Margarida Sequeira, Mark Grimes, Markus Friedl,
Mats O Jansson, Matt Behrens, Matt Smart, Matthew Jacob, Matthieu
Michael Shalayeff, Michael T. Stolarchuk, Mike Frantzen, Mike
Miod Vallat, Nathan Binkert, Nick Holland, Niels Provos, Niklas
Nikolay Sturm, Nils Nordman, Oleg Safiullin, Otto Moerbeek, Paul
Peter Galbavy, Peter Stromberg, Peter Valchev, Philipp Buehler,
Reinhard J. Sammer, Rich Cannings, Ryan Thomas McBride,
Shell Hin-lik Hung, Steve Murphree, Ted Unangst, Theo de Raadt,
Thierry Deval, Thomas Nordin, Thorsten Lockert, Tobias Weingartner,
Todd C. Miller, Todd T. Fries, Vincent Labrecque, Wilbern Cobb,
Wim Vandeputte.

October 31st, 2003, 02:55
There have already been a number of updates to 3.4 including 5 source patches according to

I also noticed that there have been about 10 or so commits put into -stable within the last 16 hours of this posting. Fire up CVS and get updating.

Former Member
October 31st, 2003, 05:46
Along with this:
# 004: RELIABILITY FIX: October 29, 2003
A user with write permission to httpd.conf or a .htaccess file can crash httpd(8) or potentially run arbitrary code as the user www (although it is believed that ProPolice will prevent code execution).
A source code patch exists which remedies the problem.

The date being October 29th, meaning all the cd's purchased up to this date (I presume) are _possibly_ open to this and do need patching.

On the funnier side of things:

001: DOCUMENTATION FIX: November 1, 2003
The CD insert documentation has an incorrect example for package installation.
Where it is written:

# pkg_add

It should instead read:

# pkg_add

The extra / at the end is important. We do not make patch files available for things printed on paper.

Somehow, that recieved a chuckle..

October 31st, 2003, 09:23
This is probably a stupid question but installing over ftp should give me the most current patched version of 3.4, right?

October 31st, 2003, 10:43
This is probably a stupid question but installing over ftp should give me the most current patched version of 3.4, right?

If you install via ftp and grab packages from /pub/OpenBSD/3.4/ (or /3.3/, /3.2/, /3.1, etc) then you get what is on the cd for that release set.

If you install via ftp and grab packages from /pub/OpenBSD/snapshots/ then you get binaries from a recent version of the current source tree. This is different than any official release and should be considered beta software.

To get to 3.4-stable or 3.4 with patches, you will need to patch (or grab via cvs) your src tree and compile/install the new binaries. There are no official release sets of any -stable or any patched binaries.

October 31st, 2003, 12:26
I'll tell ya, each time OpenBSD puts out a new release, it truly does just keep getting better and better. Finally, someone implementing security from the foundation up using tools like systrace, proprolice, W^X, etc. Not to mention the recent overhaul of all the str* function changes.

I for one can't wait to get this release. I haven't been able to buy the releases of recent, but now that I scored a huge contract job, I'm definitely going to purchase this release. :D

November 3rd, 2003, 12:03
Yea, I recently install Obsd, and its been damn cool. It just keeps getting better, and I love the "down and dirty" approach. I love seeing functions in man pages, and the low level code changes, it seems much more hacker friendly that just abou anything else I've tried.

I understand there are major binary updates in this release, would it be smart just to do a clean install, or is updating from 3.3 still jivin'

November 3rd, 2003, 18:39
Yeah, a.out to ELF switch, You could do a binary update and I remember some links being posted here and on IRC, truely I'm just gonna follow snapshot from now on for the ports :lol:

Former Member
November 4th, 2003, 04:41
Your meant to so they say, unless of course there is a compatibility issue. You can either spend a few minutes writing a cron job to cvs up the ports or just pokg_add from your local ftp, I prefer the latter as it saves on bandwidth.