=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/55.html,v retrieving revision 1.85 retrieving revision 1.86 diff -c -r1.85 -r1.86 *** www/55.html 2016/10/16 19:11:29 1.85 --- www/55.html 2017/06/26 17:18:57 1.86 *************** *** 38,44 ****
  • See a detailed log of changes between the 5.4 and 5.5 releases.

    !

  • signify(1) pubkeys for this release:
      base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
      fw:   RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
    --- 38,44 ----
      
  • See a detailed log of changes between the 5.4 and 5.5 releases.

    !

  • signify(1) pubkeys for this release:
      base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
      fw:   RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
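Review bot: the only `!` marker in this hunk is on the blank line above the signify(1) pubkeys item, and the rendered text of both revisions is identical, so the change is markup that does not survive this extraction (most likely a link target) and cannot be reviewed from the text alone. The two key lines (`base: RWRGy8gx...` and `fw: RWTdVOhd...`) carry no change marker on either side, which is the thing worth confirming here: the published signify keys of a release must stay identical across later edits of the page, because anyone verifying install55.iso or packages against them depends on that.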
    ***************
    *** 67,90 ****
          
  • From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC.
  • The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t.
  • Userland programs that were changed include ! arp(8), ! bgpd(8), ! calendar(8), ! cron(8), ! find(1), ! fsck_ffs(8), ! ifconfig(8), ! ksh(1), ! ld(1), ! ld.so(1), ! netstat(1), ! pfctl(8), ! ping(8), ! rtadvd(8), ! ssh(1), ! tar(1), ! tmux(1), ! top(1), and many others, including games!
  • Removed time_t from network, on-disk, and database formats.
  • Removed as many (time_t) casts as possible. --- 67,90 ----
  • From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC.
  • The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t.
  • Userland programs that were changed include ! arp(8), ! bgpd(8), ! calendar(8), ! cron(8), ! find(1), ! fsck_ffs(8), ! ifconfig(8), ! ksh(1), ! ld(1), ! ld.so(1), ! netstat(1), ! pfctl(8), ! ping(8), ! rtadvd(8), ! ssh(1), ! tar(1), ! tmux(1), ! top(1), and many others, including games!
  • Removed time_t from network, on-disk, and database formats.
  • Removed as many (time_t) casts as possible. *************** *** 96,122 ****

  • Releases and packages are now cryptographically signed with the ! signify(1) utility.
    • The installer will verify all sets before installing.
    • Installing without verification works, but is discouraged.
    • Users are advised to verify the installer (bsd.rd, install55.iso, etc.) ahead of time using the ! signify(1) tool if available. !
    • pkg_add(1) now only trusts signed packages by default.

  • Installer improvements:
    • The installer now supports a scriptable ! auto-installation method that enables unattended installation and upgrades using a response file.
    • Disk images which can be written to a USB flash drive (miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) are now provided for amd64 and i386.
    • Rewritten ! installboot(8) utility aiming for a unified implementation across platforms (currently used by amd64 and i386 only).
    • The installer now parses nwids with embedded blanks correctly. --- 96,122 ----

    • Releases and packages are now cryptographically signed with the ! signify(1) utility.
      • The installer will verify all sets before installing.
      • Installing without verification works, but is discouraged.
      • Users are advised to verify the installer (bsd.rd, install55.iso, etc.) ahead of time using the ! signify(1) tool if available. !
      • pkg_add(1) now only trusts signed packages by default.

    • Installer improvements:
      • The installer now supports a scriptable ! auto-installation method that enables unattended installation and upgrades using a response file.
      • Disk images which can be written to a USB flash drive (miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) are now provided for amd64 and i386.
      • Rewritten ! installboot(8) utility aiming for a unified implementation across platforms (currently used by amd64 and i386 only).
      • The installer now parses nwids with embedded blanks correctly. *************** *** 139,204 ****
      • Improved hardware support, including:
          !
        • New vmx(4) driver for VMware VMXNET3 Virtual Interface Controller devices. !
        • New vmwpvs(4) driver for VMware Paravirtual SCSI. !
        • New vioscsi(4) driver for VirtIO SCSI adapters. !
        • New viornd(4) driver for VirtIO random number devices. !
        • New ubcmtp(4) driver for Broadcom multi-touch trackpads found on newer Apple MacBook, MacBook Pro, and MacBook Air laptops. !
        • New ugold(4) driver for TEMPer gold HID thermometers. !
        • New ugl(4) driver for Genesys Logic based USB host-to-host adapters. !
        • New qle(4) driver for QLogic Fibre Channel HBAs. !
        • radeondrm(4) has been overhauled, including:
          • New port of the Radeon code in Linux 3.8.13.19.
          • Support for Kernel Mode Setting (KMS) including support for additional output types such as DisplayPort. !
          • wsdisplay(4) now attaches to ! radeondrm(4) and provides a framebuffer console.
          !
        • inteldrm(4) has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes.
        • Support for Intel 8 Series Ethernet with i217/i218 PHYs, and i210/i211/i354 has been added to ! em(4).
        • Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to ! iwn(4).
        • Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to ! arc(4). !
        • Support for Elantech v2 touchpads in pms(4) has been fixed. !
        • Support for 802.11a (5Ghz) has been added to wpi(4).
        • Workarounds for firmware stability issues have been added to ! wpi(4), ! iwi(4), and ! iwn(4).
        • Support for RT3572 chips has been added to the ! ral(4) driver.
        • Support for RTL8106E chips has been added to the ! re(4) driver. !
        • Support for RTS5229 card readers has been added to rtsx(4). !
        • Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver. !
        • Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
        • Further reliability improvements regarding suspend/resume and hibernation.
        • Enabled IPv6 transmit TCP/UDP checksum offload in ! jme(4).

      • Generic network stack improvements:
          !
        • Added vxlan(4), a virtual extensible local area network tunnel interface. !
        • pflow(4) now sends 64 bit time values for pflowproto 10. The changed templates / flows for pflowproto 10 are now parsable by existing receivers.
        • Continued improvement of the checksum offload framework to streamline --- 139,204 ----
        • Improved hardware support, including:
            !
          • New vmx(4) driver for VMware VMXNET3 Virtual Interface Controller devices. !
          • New vmwpvs(4) driver for VMware Paravirtual SCSI. !
          • New vioscsi(4) driver for VirtIO SCSI adapters. !
          • New viornd(4) driver for VirtIO random number devices. !
          • New ubcmtp(4) driver for Broadcom multi-touch trackpads found on newer Apple MacBook, MacBook Pro, and MacBook Air laptops. !
          • New ugold(4) driver for TEMPer gold HID thermometers. !
          • New ugl(4) driver for Genesys Logic based USB host-to-host adapters. !
          • New qle(4) driver for QLogic Fibre Channel HBAs. !
          • radeondrm(4) has been overhauled, including:
            • New port of the Radeon code in Linux 3.8.13.19.
            • Support for Kernel Mode Setting (KMS) including support for additional output types such as DisplayPort. !
            • wsdisplay(4) now attaches to ! radeondrm(4) and provides a framebuffer console.
            !
          • inteldrm(4) has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes.
          • Support for Intel 8 Series Ethernet with i217/i218 PHYs, and i210/i211/i354 has been added to ! em(4).
          • Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to ! iwn(4).
          • Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to ! arc(4). !
          • Support for Elantech v2 touchpads in pms(4) has been fixed. !
          • Support for 802.11a (5Ghz) has been added to wpi(4).
          • Workarounds for firmware stability issues have been added to ! wpi(4), ! iwi(4), and ! iwn(4).
          • Support for RT3572 chips has been added to the ! ral(4) driver.
          • Support for RTL8106E chips has been added to the ! re(4) driver. !
          • Support for RTS5229 card readers has been added to rtsx(4). !
          • Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver. !
          • Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
          • Further reliability improvements regarding suspend/resume and hibernation.
          • Enabled IPv6 transmit TCP/UDP checksum offload in ! jme(4).

        • Generic network stack improvements:
            !
          • Added vxlan(4), a virtual extensible local area network tunnel interface. !
          • pflow(4) now sends 64 bit time values for pflowproto 10. The changed templates / flows for pflowproto 10 are now parsable by existing receivers.
          • Continued improvement of the checksum offload framework to streamline *************** *** 210,249 ****
          • Routing daemons and other userland network improvements:
            • The popa3d POP3 server has been removed. !
            • Added ntpctl(8), a program to control the Network Time Protocol daemon. !
            • slowcgi(8) now works with a high number of concurrent connections.
            • The inetd-based identd has been replaced by a new libevent-based ! identd(8). !
            • tcpdump(8) can now detect bad ICMP and ICMPv6 checksums when used with the -v flag.
            • Added rdomain support to IPv6 configuration tools ! ndp(8), ! rtsold(8), ! ping6(8), and ! traceroute6(8).
            • Added SNMPv2 client support to ! snmpctl(8) ("get", "walk", and "bulkwalk"). !
            • relayd(8) now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default.

            !

          • pf(4) improvements:
            • New queueing system with new syntax.
            • The "received-on" parameter can now be used with the "any" keyword to match any existing interface except loopback ones. !
            • The block policy in the default pf.conf(5) is now "block return".

            !

          • dhcpd(8) and dhclient(8) improvements:
            • No longer create a route to the bound address via 127.0.0.1. !
            • The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
            • 'next-server' (a.k.a. siaddr) info now saved in lease files.
            • Fall back to broadcasting when unicast renewal fails, as specified in RFC 2131 and friends. --- 210,249 ----
            • Routing daemons and other userland network improvements:
              • The popa3d POP3 server has been removed. !
              • Added ntpctl(8), a program to control the Network Time Protocol daemon. !
              • slowcgi(8) now works with a high number of concurrent connections.
              • The inetd-based identd has been replaced by a new libevent-based ! identd(8). !
              • tcpdump(8) can now detect bad ICMP and ICMPv6 checksums when used with the -v flag.
              • Added rdomain support to IPv6 configuration tools ! ndp(8), ! rtsold(8), ! ping6(8), and ! traceroute6(8).
              • Added SNMPv2 client support to ! snmpctl(8) ("get", "walk", and "bulkwalk"). !
              • relayd(8) now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default.

              !

            • pf(4) improvements:
              • New queueing system with new syntax.
              • The "received-on" parameter can now be used with the "any" keyword to match any existing interface except loopback ones. !
              • The block policy in the default pf.conf(5) is now "block return".

              !

            • dhcpd(8) and dhclient(8) improvements:
              • No longer create a route to the bound address via 127.0.0.1. !
              • The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
              • 'next-server' (a.k.a. siaddr) info now saved in lease files.
              • Fall back to broadcasting when unicast renewal fails, as specified in RFC 2131 and friends. *************** *** 254,275 ****
              • Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields.
              • Fix handling of non-printable characters in lease file strings.
              • Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line. !
              • dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'. !
              • Fix parsing of dhclient.conf(5) statements 'fixed-address' and 'next-server'.
              • Log failures to fchmod() or fchown() files being written.
              • Create lease files with permissions 0640. !
              • Fix possible failure to write resolv.conf(5) when -L is used. !
              • 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.

              !

            • iked(8) improvements:
              • Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp URL".
              • Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys.
              • Support for DPD ("Dead Peer Detection") similar to the implementation in ! isakmpd(8).
              • Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address net/pool-prefix".
              • Initial support for IPComp.
              • Various improvements and a thorough audit of the network input path. --- 254,275 ----
              • Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields.
              • Fix handling of non-printable characters in lease file strings.
              • Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line. !
              • dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'. !
              • Fix parsing of dhclient.conf(5) statements 'fixed-address' and 'next-server'.
              • Log failures to fchmod() or fchown() files being written.
              • Create lease files with permissions 0640. !
              • Fix possible failure to write resolv.conf(5) when -L is used. !
              • 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.

              !

            • iked(8) improvements:
              • Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp URL".
              • Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys.
              • Support for DPD ("Dead Peer Detection") similar to the implementation in ! isakmpd(8).
              • Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address net/pool-prefix".
              • Initial support for IPComp.
              • Various improvements and a thorough audit of the network input path. *************** *** 289,295 ****
              • other processes now have an API to return more precise codes ...
              • ... which will be improved further with each version.
              !
            • Improved smtpctl(8):
              • sendmail mode now supports DSN parameters
              • Can now pause/resume a source address -> destination domain route. --- 289,295 ----
              • other processes now have an API to return more precise codes ...
              • ... which will be improved further with each version.
              !
            • Improved smtpctl(8):
              • sendmail mode now supports DSN parameters
              • Can now pause/resume a source address -> destination domain route. *************** *** 341,354 ****
            • Documentation:
                !
              • table(5) describes format for static, file and db backends.
              • sendmail(8) describes our "sendmail" interface.
            • Reduced memory usage in both general and stressed cases.
            • OpenSMTPD now automagically upgrades queue if the format changes!
            • Support Qmail-like "sticky home".
            • Support for authenticating users from a credentials table. !
            • Introduce passwd(5) table backend for user and credentials lookup.
            • Expansion variables in ~/.forward now support modifiers.
            • Much more efficient scheduler!
            • Many documentation fixes and improvements. --- 341,354 ----
          • Documentation:
              !
            • table(5) describes format for static, file and db backends.
            • sendmail(8) describes our "sendmail" interface.
          • Reduced memory usage in both general and stressed cases.
          • OpenSMTPD now automagically upgrades queue if the format changes!
          • Support Qmail-like "sticky home".
          • Support for authenticating users from a credentials table. !
          • Introduce passwd(5) table backend for user and credentials lookup.
          • Expansion variables in ~/.forward now support modifiers.
          • Much more efficient scheduler!
          • Many documentation fixes and improvements. *************** *** 359,372 ****
          • Security improvements:
            • Position-independent executables (PIE) are now used by default on i386. !
            • The arc4random(3) functions now use the ChaCha20 cipher.
            • The kernel random number system is initially seeded by the bootloader, providing better random very early.
            • Kernel stack protector is also seeded via the same mechanism, providing protection earlier.
            • -Wbounded is now enabled in GCC by default. !
            • Added explicit_bzero(3).

            --- 359,372 ----

          • Security improvements:
            • Position-independent executables (PIE) are now used by default on i386. !
            • The arc4random(3) functions now use the ChaCha20 cipher.
            • The kernel random number system is initially seeded by the bootloader, providing better random very early.
            • Kernel stack protector is also seeded via the same mechanism, providing protection earlier.
            • -Wbounded is now enabled in GCC by default. !
            • Added explicit_bzero(3).

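Review bot: wording in the kernel RNG bullet of this hunk: "providing better random very early" should read "providing better randomness very early"; the line is unchanged context, so the fix applies to both revisions. The `!` markers fall on the PIE and -Wbounded bullets, whose visible text is identical in both revisions, so those are link-target or markup edits only and nothing about the security claims themselves changed.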
            *************** *** 378,430 ****

          • Threading improvements:
              !
            • Interprocess semaphores via sem_open(3).
            • Running threaded processes under a debugger no longer causes panics.
            • SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered.
            • Thread stacks now have a random bias. !
            • fork(2) no longer changes the pthread_t of the forking thread in the child. !
            • Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).

          • Assorted improvements:
              !
            • New in-memory file system, tmpfs. !
            • Many fuse(4) improvements and stability fixes. !
            • Added POSIX-required nl(1) utility.
            • OpenBSD/vax has switched to GCC 3. !
            • Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
            • amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency.
            • Added support for CLOCK_UPTIME. !
            • Added tcgetsid(3).
            • clock_t is now a 64 bit type, so it no longer wraps around in only 248 days.
            • ino_t is now a 64 bit type, mostly to support large NFS filesystems.
            • Corrected handling of UTIME_OMIT. !
            • pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
            • Corrected handling of shared library destructors when libc is statically linked.
            • Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits. !
            • Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
            • All CIRCLEQ uses replaced with TAILQ.
            • Preserve and honour changes to the OpenBSD bounds in a disklabel. !
            • fdisk(8) now always writes a good signature when the MBR is written to disk. !
            • disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices. !
            • Fix athn(4) tick calculations to eliminate excessive timeouts. !
            • Allow disklabel(8) to set any partition, including 'C', to type UNUSED. !
            • New sha512(1) tool to calculate and verify the SHA-512 checksums of files. !
            • sha256(1) and related tools ! (cksum(1), ! md5(1), ! sha1(1), and ! sha512(1)) now support a new -h flag to place the checksum into a specified hash file instead of stdout. !
            • sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist. !
            • sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist. !
            • i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes. !
            • Allow softraid(4) to work with partitions larger than 2TB. !
            • Removed experimental RAID 4 support from softraid(4). !
            • Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
            • The uhts(4) driver has been merged into ! ums(4).
            • Many new checks were added to portcheck(1) utility; now it catches almost every popular mistake that observed in ports in last years.

            --- 378,430 ----

          • Threading improvements:
              !
            • Interprocess semaphores via sem_open(3).
            • Running threaded processes under a debugger no longer causes panics.
            • SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered.
            • Thread stacks now have a random bias. !
            • fork(2) no longer changes the pthread_t of the forking thread in the child. !
            • Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).

          • Assorted improvements:
              !
            • New in-memory file system, tmpfs. !
            • Many fuse(4) improvements and stability fixes. !
            • Added POSIX-required nl(1) utility.
            • OpenBSD/vax has switched to GCC 3. !
            • Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
            • amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency.
            • Added support for CLOCK_UPTIME. !
            • Added tcgetsid(3).
            • clock_t is now a 64 bit type, so it no longer wraps around in only 248 days.
            • ino_t is now a 64 bit type, mostly to support large NFS filesystems.
            • Corrected handling of UTIME_OMIT. !
            • pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
            • Corrected handling of shared library destructors when libc is statically linked.
            • Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits. !
            • Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
            • All CIRCLEQ uses replaced with TAILQ.
            • Preserve and honour changes to the OpenBSD bounds in a disklabel. !
            • fdisk(8) now always writes a good signature when the MBR is written to disk. !
            • disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices. !
            • Fix athn(4) tick calculations to eliminate excessive timeouts. !
            • Allow disklabel(8) to set any partition, including 'C', to type UNUSED. !
            • New sha512(1) tool to calculate and verify the SHA-512 checksums of files. !
            • sha256(1) and related tools ! (cksum(1), ! md5(1), ! sha1(1), and ! sha512(1)) now support a new -h flag to place the checksum into a specified hash file instead of stdout. !
            • sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist. !
            • sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist. !
            • i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes. !
            • Allow softraid(4) to work with partitions larger than 2TB. !
            • Removed experimental RAID 4 support from softraid(4). !
            • Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
            • The uhts(4) driver has been merged into ! ums(4).
            • Many new checks were added to portcheck(1) utility; now it catches almost every popular mistake that observed in ports in last years.

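Review bot: the portcheck(1) bullet at the end of this hunk is ungrammatical: "almost every popular mistake that observed in ports in last years" should be "almost every popular mistake observed in ports in recent years". Two bullets (disk drivers and growfs(8)) say "disk sizes greater than 32-bits", which should be "32 bits", and "2TB" in the softraid(4) bullet reads better as "2 TB". Every `!` marker in this hunk sits on a line whose text is unchanged between the revisions, so the diff itself is markup-only here.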
            *************** *** 433,454 ****

            • Security:
                !
              • sshd(8): when using environment passing with a ! sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character.
            • New/changed features:
                !
              • ssh(1), ! sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it. !
              • ssh(1), ! sshd(8): Add support for ED25519 as a public key type. ED25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for --- 433,454 ----
                • Security:
                    !
                  • sshd(8): when using environment passing with a ! sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character.
                • New/changed features:
                    !
                  • ssh(1), ! sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it. !
                  • ssh(1), ! sshd(8): Add support for ED25519 as a public key type. ED25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for *************** *** 457,622 **** protect keys at rest. This format is used unconditionally for ED25519 keys, but may be requested when generating or saving existing keys of other types via the -o ! ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file. !
                  • ssh(1), ! sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file. !
                  • ssh(1), ! sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. !
                  • ssh(1), ! sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation. !
                  • ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC 4419. !
                  • ssh(1), ! ssh-agent(1): Support PKCS#11 tokens that only provide X.509 certs instead of raw public keys. (requested as bz#1908) !
                  • ssh(1): Add a ! ssh_config(5) Match keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands. !
                  • ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ! ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names. !
                  • sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name. !
                  • sftp-server(8): Add a sftp "fsync@openssh.com" to support calling ! fsync(2) on an open file handle. !
                  • sshd(8): Add a ! ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option. !
                  • ssh(1): Add a ! ssh_config(5) ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ! ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data. !
                  • ssh(1), ! sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time. !
                  • ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match. !
                  • ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ! ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.
                • The following significant bugs have been fixed in this release:
                    !
                  • ssh(1), ! sshd(8): Fix potential stack exhaustion caused by nested certificates. !
                  • ssh(1): make BindAddress work with UsePrivilegedPort. (bz#1211) !
                  • sftp(1): fix the progress meter for resumed transfer. (bz#2137) !
                  • ssh-add(1): do not request smartcard PIN when removing keys from ! ssh-agent(1). (bz#2187) !
                  • sshd(8): fix re-exec fallback when original ! sshd(8) binary cannot be executed. (bz#2139) !
                  • ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time. !
                  • sshd(8): fix AuthorizedKeysCommand inside a Match block. (bz#2161) !
                  • sftp(1): symlinking a file would incorrectly canonicalise the target path. (bz#2129) !
                  • ssh-agent(1): fix a use-after-free in the PKCS#11 agent helper executable. (bz#2175) !
                  • sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any). !
                  • sshd(8): tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting. (bz#1297) !
                  • sshd(8): include report port in bad protocol banner message. (bz#2162) !
                  • sftp(1): fix memory leak in error path in do_readdir(). (bz#2163) !
                  • sftp(1): don't leak file descriptor on error. (bz#2171) !
                  • sshd(8): include the local address and port in "Connection from ..." message. (only shown at loglevel>=verbose) !
                  • ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. (bz#2200, debian#738692) !
                  • sshd(8): allow the ! shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. !
                  • ssh(1), ! sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. !
                  • sshd_config(5) clarify behaviour of a keyword that appears in multiple matching Match blocks. (bz#2184) !
                  • ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. (bz#2205) !
                  • sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107) !
                  • ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated. !
                  • ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified. !
                  • ssh(1), ! sshd(8): fix memory leak in ECDSA signature verification. !
                  • ssh(1): fix matching of 'Host' directives in ! ssh_config(5) files to be case-insensitive again. (regression in 6.5)
                --- 457,622 ---- protect keys at rest. This format is used unconditionally for ED25519 keys, but may be requested when generating or saving existing keys of other types via the -o ! ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file. !
              • ssh(1), ! sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file. !
              • ssh(1), ! sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. !
              • ssh(1), ! sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation. !
              • ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC 4419. !
              • ssh(1), ! ssh-agent(1): Support PKCS#11 tokens that only provide X.509 certs instead of raw public keys. (requested as bz#1908) !
              • ssh(1): Add a ! ssh_config(5) Match keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands. !
              • ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ! ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names. !
              • sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name. !
              • sftp-server(8): Add a sftp "fsync@openssh.com" to support calling ! fsync(2) on an open file handle. !
              • sshd(8): Add a ! ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option. !
              • ssh(1): Add a ! ssh_config(5) ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ! ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data. !
              • ssh(1), ! sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time. !
              • ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match. !
              • ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ! ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.
            • The following significant bugs have been fixed in this release:
                !
              • ssh(1), ! sshd(8): Fix potential stack exhaustion caused by nested certificates. !
              • ssh(1): make BindAddress work with UsePrivilegedPort. (bz#1211) !
              • sftp(1): fix the progress meter for resumed transfer. (bz#2137) !
              • ssh-add(1): do not request smartcard PIN when removing keys from ! ssh-agent(1). (bz#2187) !
              • sshd(8): fix re-exec fallback when original ! sshd(8) binary cannot be executed. (bz#2139) !
              • ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time. !
              • sshd(8): fix AuthorizedKeysCommand inside a Match block. (bz#2161) !
              • sftp(1): symlinking a file would incorrectly canonicalise the target path. (bz#2129) !
              • ssh-agent(1): fix a use-after-free in the PKCS#11 agent helper executable. (bz#2175) !
              • sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any). !
              • sshd(8): tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting. (bz#1297) !
              • sshd(8): include report port in bad protocol banner message. (bz#2162) !
              • sftp(1): fix memory leak in error path in do_readdir(). (bz#2163) !
              • sftp(1): don't leak file descriptor on error. (bz#2171) !
              • sshd(8): include the local address and port in "Connection from ..." message. (only shown at loglevel>=verbose) !
              • ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. (bz#2200, debian#738692) !
              • sshd(8): allow the ! shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. !
              • ssh(1), ! sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. !
              • sshd_config(5) clarify behaviour of a keyword that appears in multiple matching Match blocks. (bz#2184) !
              • ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. (bz#2205) !
              • sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107) !
              • ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated. !
              • ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified. !
              • ssh(1), ! sshd(8): fix memory leak in ECDSA signature verification. !
              • ssh(1): fix matching of 'Host' directives in ! ssh_config(5) files to be case-insensitive again. (regression in 6.5)
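Review bot: Every `!`-marked line in this hunk (the ssh(1), sshd(8), ssh_config(5), ssh-agent(1), sshd_config(5), fsync(2) and shutdown(2) references on both the old and new sides) reads identically here, so the change being made is confined to the link markup, which this rendered view does not show; please confirm that each rewritten manual-page link resolves before committing. Since these lines are being edited anyway, three text defects carried over unchanged could be fixed in the same commit: "skip 'exec' clauses other clauses predicates failed to match" is missing a word (e.g. "skip 'exec' clauses if the other predicates failed to match"), "fix unsigned overflow that in SSH protocol 1 bignum parsing" has a stray "that", and the "sshd(8): Add a ssh_config(5) PermitTTY" entry points at the wrong manual page, since PermitTTY is a sshd_config(5) keyword.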
            *************** *** 626,632 ****
            • Over 8,700 ports.
            • Major overhaul of the package tools, resulting in much better memory usage. !
            • pkg_add(1) now only trusts signed packages by default.
            • The build process now allows some limited capability for building conflicting packages, yielding KDE 4 packages as a result, along with KDE 3 ones. --- 626,632 ----
              • Over 8,700 ports.
              • Major overhaul of the package tools, resulting in much better memory usage. !
              • pkg_add(1) now only trusts signed packages by default.
              • The build process now allows some limited capability for building conflicting packages, yielding KDE 4 packages as a result, along with KDE 3 ones. *************** *** 814,822 **** To make a boot floppy under MS-DOS, use the "rawrite" utility located at CD1:5.5/tools/rawrite.exe. To make the boot floppy under a Unix OS, use the ! dd(1) utility. The following is an example usage of ! dd(1), where the device could be "floppy", "rfd0c", or "rfd0a". --- 814,822 ---- To make a boot floppy under MS-DOS, use the "rawrite" utility located at CD1:5.5/tools/rawrite.exe. To make the boot floppy under a Unix OS, use the ! dd(1) utility. The following is an example usage of ! dd(1), where the device could be "floppy", "rfd0c", or "rfd0a". *************** *** 1121,1127 **** OpenBSD ports system.

                The ports/ directory represents a CVS (see the manpage for ! cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via --- 1121,1127 ---- OpenBSD ports system.

                The ports/ directory represents a CVS (see the manpage for ! cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via
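Review bot: The three hunks that extraction ran together above (the ports summary at 626,632, the boot-floppy text at 814,822 and the ports-tree text at 1121,1127) likewise show no visible difference between old and new on their `!`-marked lines ("Major overhaul of the package tools", the two dd(1) mentions and the cvs(1) mention), so the same check applies: the only change is in the hidden link markup, and the updated manual-page links for dd(1) and cvs(1) should be verified to resolve. The "Major overhaul of the package tools" line carries a `!` but contains no manual-page reference at all; please confirm what actually changed on that line, since nothing in this view accounts for the marker.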