| version 1.85, 2016/10/16 19:11:29 |
version 1.86, 2017/06/26 17:18:57 |
|
|
| <li>See a <a href="plus55.html">detailed log of changes</a> between the |
<li>See a <a href="plus55.html">detailed log of changes</a> between the |
| 5.4 and 5.5 releases. |
5.4 and 5.5 releases. |
| <p> |
<p> |
| <li><a href="http://man.openbsd.org/?query=signify&sektion=1">signify(1)</a> pubkeys for this release:<br> |
<li><a href="https://man.openbsd.org/?query=signify&sektion=1">signify(1)</a> pubkeys for this release:<br> |
| <pre> |
<pre> |
| base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h |
base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h |
| fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO |
fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO |
|
|
| <li>From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC. |
<li>From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC. |
| <li>The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t. |
<li>The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t. |
| <li>Userland programs that were changed include |
<li>Userland programs that were changed include |
| <a href="http://man.openbsd.org/?query=arp&sektion=8">arp(8)</a>, |
<a href="https://man.openbsd.org/?query=arp&sektion=8">arp(8)</a>, |
| <a href="http://man.openbsd.org/?query=bgpd&sektion=8">bgpd(8)</a>, |
<a href="https://man.openbsd.org/?query=bgpd&sektion=8">bgpd(8)</a>, |
| <a href="http://man.openbsd.org/?query=calendar&sektion=8">calendar(8)</a>, |
<a href="https://man.openbsd.org/?query=calendar&sektion=8">calendar(8)</a>, |
| <a href="http://man.openbsd.org/?query=cron&sektion=8">cron(8)</a>, |
<a href="https://man.openbsd.org/?query=cron&sektion=8">cron(8)</a>, |
| <a href="http://man.openbsd.org/?query=find&sektion=1">find(1)</a>, |
<a href="https://man.openbsd.org/?query=find&sektion=1">find(1)</a>, |
| <a href="http://man.openbsd.org/?query=fsck_ffs&sektion=8">fsck_ffs(8)</a>, |
<a href="https://man.openbsd.org/?query=fsck_ffs&sektion=8">fsck_ffs(8)</a>, |
| <a href="http://man.openbsd.org/?query=ifconfig&sektion=8">ifconfig(8)</a>, |
<a href="https://man.openbsd.org/?query=ifconfig&sektion=8">ifconfig(8)</a>, |
| <a href="http://man.openbsd.org/?query=ksh&sektion=1">ksh(1)</a>, |
<a href="https://man.openbsd.org/?query=ksh&sektion=1">ksh(1)</a>, |
| <a href="http://man.openbsd.org/?query=ld&sektion=1">ld(1)</a>, |
<a href="https://man.openbsd.org/?query=ld&sektion=1">ld(1)</a>, |
| <a href="http://man.openbsd.org/?query=ld.so&sektion=1">ld.so(1)</a>, |
<a href="https://man.openbsd.org/?query=ld.so&sektion=1">ld.so(1)</a>, |
| <a href="http://man.openbsd.org/?query=netstat&sektion=1">netstat(1)</a>, |
<a href="https://man.openbsd.org/?query=netstat&sektion=1">netstat(1)</a>, |
| <a href="http://man.openbsd.org/?query=pfctl&sektion=8">pfctl(8)</a>, |
<a href="https://man.openbsd.org/?query=pfctl&sektion=8">pfctl(8)</a>, |
| <a href="http://man.openbsd.org/?query=ping&sektion=8">ping(8)</a>, |
<a href="https://man.openbsd.org/?query=ping&sektion=8">ping(8)</a>, |
| <a href="http://man.openbsd.org/?query=rtadvd&sektion=8">rtadvd(8)</a>, |
<a href="https://man.openbsd.org/?query=rtadvd&sektion=8">rtadvd(8)</a>, |
| <a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=tar&sektion=1">tar(1)</a>, |
<a href="https://man.openbsd.org/?query=tar&sektion=1">tar(1)</a>, |
| <a href="http://man.openbsd.org/?query=tmux&sektion=1">tmux(1)</a>, |
<a href="https://man.openbsd.org/?query=tmux&sektion=1">tmux(1)</a>, |
| <a href="http://man.openbsd.org/?query=top&sektion=1">top(1)</a>, |
<a href="https://man.openbsd.org/?query=top&sektion=1">top(1)</a>, |
| and many others, including games! |
and many others, including games! |
| <li>Removed time_t from network, on-disk, and database formats. |
<li>Removed time_t from network, on-disk, and database formats. |
| <li>Removed as many (time_t) casts as possible. |
<li>Removed as many (time_t) casts as possible. |
|
|
| <p> |
<p> |
| |
|
| <li>Releases and packages are now cryptographically signed with the |
<li>Releases and packages are now cryptographically signed with the |
| <a href="http://man.openbsd.org/?query=signify&sektion=1">signify(1)</a> utility. |
<a href="https://man.openbsd.org/?query=signify&sektion=1">signify(1)</a> utility. |
| <ul> |
<ul> |
| <li>The installer will verify all sets before installing. |
<li>The installer will verify all sets before installing. |
| <li>Installing without verification works, but is discouraged. |
<li>Installing without verification works, but is discouraged. |
| <li>Users are advised to verify the installer (bsd.rd, install55.iso, etc.) |
<li>Users are advised to verify the installer (bsd.rd, install55.iso, etc.) |
| ahead of time using the |
ahead of time using the |
| <a href="http://man.openbsd.org/?query=signify&sektion=1#end">signify(1)</a> tool if available. |
<a href="https://man.openbsd.org/?query=signify&sektion=1#end">signify(1)</a> tool if available. |
| <li><a href="http://man.openbsd.org/?query=pkg_add&sektion=1">pkg_add(1)</a> now only trusts signed packages by default. |
<li><a href="https://man.openbsd.org/?query=pkg_add&sektion=1">pkg_add(1)</a> now only trusts signed packages by default. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Installer improvements: |
<li>Installer improvements: |
| <ul> |
<ul> |
| <li>The installer now supports a scriptable |
<li>The installer now supports a scriptable |
| <a href="http://man.openbsd.org/?query=autoinstall&sektion=8">auto-installation</a> |
<a href="https://man.openbsd.org/?query=autoinstall&sektion=8">auto-installation</a> |
| method that enables unattended installation and upgrades using a response file. |
method that enables unattended installation and upgrades using a response file. |
| <li>Disk images which can be written to a USB flash drive |
<li>Disk images which can be written to a USB flash drive |
| (miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) |
(miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) |
| are now provided for amd64 and i386. |
are now provided for amd64 and i386. |
| <li>Rewritten |
<li>Rewritten |
| <a href="http://man.openbsd.org/?query=installboot&sektion=8">installboot(8)</a> |
<a href="https://man.openbsd.org/?query=installboot&sektion=8">installboot(8)</a> |
| utility aiming for a unified implementation across platforms (currently |
utility aiming for a unified implementation across platforms (currently |
| used by amd64 and i386 only). |
used by amd64 and i386 only). |
| <li>The installer now parses nwids with embedded blanks correctly. |
<li>The installer now parses nwids with embedded blanks correctly. |
|
|
| |
|
| <li>Improved hardware support, including: |
<li>Improved hardware support, including: |
| <ul> |
<ul> |
| <li>New <a href="http://man.openbsd.org/?query=vmx&sektion=4">vmx(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=vmx&sektion=4">vmx(4)</a> |
| driver for VMware VMXNET3 Virtual Interface Controller devices. |
driver for VMware VMXNET3 Virtual Interface Controller devices. |
| <li>New <a href="http://man.openbsd.org/?query=vmwpvs&sektion=4">vmwpvs(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=vmwpvs&sektion=4">vmwpvs(4)</a> |
| driver for VMware Paravirtual SCSI. |
driver for VMware Paravirtual SCSI. |
| <li>New <a href="http://man.openbsd.org/?query=vioscsi&sektion=4">vioscsi(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=vioscsi&sektion=4">vioscsi(4)</a> |
| driver for VirtIO SCSI adapters. |
driver for VirtIO SCSI adapters. |
| <li>New <a href="http://man.openbsd.org/?query=viornd&sektion=4">viornd(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=viornd&sektion=4">viornd(4)</a> |
| driver for VirtIO random number devices. |
driver for VirtIO random number devices. |
| <li>New <a href="http://man.openbsd.org/?query=ubcmtp&sektion=4">ubcmtp(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=ubcmtp&sektion=4">ubcmtp(4)</a> |
| driver for Broadcom multi-touch trackpads found on newer Apple MacBook, |
driver for Broadcom multi-touch trackpads found on newer Apple MacBook, |
| MacBook Pro, and MacBook Air laptops. |
MacBook Pro, and MacBook Air laptops. |
| <li>New <a href="http://man.openbsd.org/?query=ugold&sektion=4">ugold(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=ugold&sektion=4">ugold(4)</a> |
| driver for TEMPer gold HID thermometers. |
driver for TEMPer gold HID thermometers. |
| <li>New <a href="http://man.openbsd.org/?query=ugl&sektion=4">ugl(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=ugl&sektion=4">ugl(4)</a> |
| driver for Genesys Logic based USB host-to-host adapters. |
driver for Genesys Logic based USB host-to-host adapters. |
| <li> New <a href="http://man.openbsd.org/?query=qle&sektion=4">qle(4)</a> driver for QLogic Fibre Channel HBAs. |
<li> New <a href="https://man.openbsd.org/?query=qle&sektion=4">qle(4)</a> driver for QLogic Fibre Channel HBAs. |
| <li><a href="http://man.openbsd.org/?query=radeondrm&sektion=4">radeondrm(4)</a> |
<li><a href="https://man.openbsd.org/?query=radeondrm&sektion=4">radeondrm(4)</a> |
| has been overhauled, including: |
has been overhauled, including: |
| <ul> |
<ul> |
| <li>New port of the Radeon code in Linux 3.8.13.19. |
<li>New port of the Radeon code in Linux 3.8.13.19. |
| <li>Support for Kernel Mode Setting (KMS) including support for |
<li>Support for Kernel Mode Setting (KMS) including support for |
| additional output types such as DisplayPort. |
additional output types such as DisplayPort. |
| <li><a href="http://man.openbsd.org/?query=wsdisplay&sektion=4">wsdisplay(4)</a> |
<li><a href="https://man.openbsd.org/?query=wsdisplay&sektion=4">wsdisplay(4)</a> |
| now attaches to |
now attaches to |
| <a href="http://man.openbsd.org/?query=radeondrm&sektion=4">radeondrm(4)</a> |
<a href="https://man.openbsd.org/?query=radeondrm&sektion=4">radeondrm(4)</a> |
| and provides a framebuffer console. |
and provides a framebuffer console. |
| </ul> |
</ul> |
| <li><a href="http://man.openbsd.org/?query=inteldrm&sektion=4">inteldrm(4)</a> |
<li><a href="https://man.openbsd.org/?query=inteldrm&sektion=4">inteldrm(4)</a> |
| has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes. |
has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes. |
| <li>Support for Intel 8 Series Ethernet with i217/i218 PHYs, and |
<li>Support for Intel 8 Series Ethernet with i217/i218 PHYs, and |
| i210/i211/i354 has been added to |
i210/i211/i354 has been added to |
| <a href="http://man.openbsd.org/?query=em&sektion=4">em(4)</a>. |
<a href="https://man.openbsd.org/?query=em&sektion=4">em(4)</a>. |
| <li>Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to |
<li>Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to |
| <a href="http://man.openbsd.org/?query=iwn&sektion=4">iwn(4)</a>. |
<a href="https://man.openbsd.org/?query=iwn&sektion=4">iwn(4)</a>. |
| <li>Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to |
<li>Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to |
| <a href="http://man.openbsd.org/?query=arc&sektion=4">arc(4)</a>. |
<a href="https://man.openbsd.org/?query=arc&sektion=4">arc(4)</a>. |
| <li>Support for Elantech v2 touchpads in <a href="http://man.openbsd.org/?query=pms&sektion=4">pms(4)</a> has been fixed. |
<li>Support for Elantech v2 touchpads in <a href="https://man.openbsd.org/?query=pms&sektion=4">pms(4)</a> has been fixed. |
| <li>Support for 802.11a (5Ghz) has been added to <a href="http://man.openbsd.org/?query=wpi&sektion=4">wpi(4)</a>. |
<li>Support for 802.11a (5Ghz) has been added to <a href="https://man.openbsd.org/?query=wpi&sektion=4">wpi(4)</a>. |
| <li>Workarounds for firmware stability issues have been added to |
<li>Workarounds for firmware stability issues have been added to |
| <a href="http://man.openbsd.org/?query=wpi&sektion=4">wpi(4)</a>, |
<a href="https://man.openbsd.org/?query=wpi&sektion=4">wpi(4)</a>, |
| <a href="http://man.openbsd.org/?query=iwi&sektion=4">iwi(4)</a>, and |
<a href="https://man.openbsd.org/?query=iwi&sektion=4">iwi(4)</a>, and |
| <a href="http://man.openbsd.org/?query=iwn&sektion=4">iwn(4)</a>. |
<a href="https://man.openbsd.org/?query=iwn&sektion=4">iwn(4)</a>. |
| <li>Support for RT3572 chips has been added to the |
<li>Support for RT3572 chips has been added to the |
| <a href="http://man.openbsd.org/?query=ral&sektion=4">ral(4)</a> driver. |
<a href="https://man.openbsd.org/?query=ral&sektion=4">ral(4)</a> driver. |
| <li>Support for RTL8106E chips has been added to the |
<li>Support for RTL8106E chips has been added to the |
| <a href="http://man.openbsd.org/?query=re&sektion=4">re(4)</a> driver. |
<a href="https://man.openbsd.org/?query=re&sektion=4">re(4)</a> driver. |
| <li>Support for RTS5229 card readers has been added to <a href="http://man.openbsd.org/?query=rtsx&sektion=4">rtsx(4)</a>. |
<li>Support for RTS5229 card readers has been added to <a href="https://man.openbsd.org/?query=rtsx&sektion=4">rtsx(4)</a>. |
| <li>Support for Microsoft XBox 360 controllers has been added to the <a href="http://man.openbsd.org/?query=uhid&sektion=4">uhid(4)</a> driver. |
<li>Support for Microsoft XBox 360 controllers has been added to the <a href="https://man.openbsd.org/?query=uhid&sektion=4">uhid(4)</a> driver. |
| <li>Support for CoreChip RD9700 USB Ethernet devices has been added to the <a href="http://man.openbsd.org/?query=udav&sektion=4">udav(4)</a> driver. |
<li>Support for CoreChip RD9700 USB Ethernet devices has been added to the <a href="https://man.openbsd.org/?query=udav&sektion=4">udav(4)</a> driver. |
| <li>Further reliability improvements regarding suspend/resume and hibernation. |
<li>Further reliability improvements regarding suspend/resume and hibernation. |
| <li>Enabled IPv6 transmit TCP/UDP checksum offload in |
<li>Enabled IPv6 transmit TCP/UDP checksum offload in |
| <a href="http://man.openbsd.org/?query=jme&sektion=4">jme(4)</a>. |
<a href="https://man.openbsd.org/?query=jme&sektion=4">jme(4)</a>. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Generic network stack improvements: |
<li>Generic network stack improvements: |
| <ul> |
<ul> |
| <li>Added <a href="http://man.openbsd.org/?query=vxlan&sektion=4">vxlan(4)</a>, |
<li>Added <a href="https://man.openbsd.org/?query=vxlan&sektion=4">vxlan(4)</a>, |
| a virtual extensible local area network tunnel interface. |
a virtual extensible local area network tunnel interface. |
| <li><a href="http://man.openbsd.org/?query=pflow&sektion=4">pflow(4)</a> |
<li><a href="https://man.openbsd.org/?query=pflow&sektion=4">pflow(4)</a> |
| now sends 64 bit time values for pflowproto 10. The changed templates / |
now sends 64 bit time values for pflowproto 10. The changed templates / |
| flows for pflowproto 10 are now parsable by existing receivers. |
flows for pflowproto 10 are now parsable by existing receivers. |
| <li>Continued improvement of the checksum offload framework to streamline |
<li>Continued improvement of the checksum offload framework to streamline |
|
|
| <li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
| <ul> |
<ul> |
| <li>The popa3d POP3 server has been removed. |
<li>The popa3d POP3 server has been removed. |
| <li>Added <a href="http://man.openbsd.org/?query=ntpctl&sektion=8">ntpctl(8)</a>, |
<li>Added <a href="https://man.openbsd.org/?query=ntpctl&sektion=8">ntpctl(8)</a>, |
| a program to control the Network Time Protocol daemon. |
a program to control the Network Time Protocol daemon. |
| <li><a href="http://man.openbsd.org/?query=slowcgi&sektion=8">slowcgi(8)</a> |
<li><a href="https://man.openbsd.org/?query=slowcgi&sektion=8">slowcgi(8)</a> |
| now works with a high number of concurrent connections. |
now works with a high number of concurrent connections. |
| <li>The inetd-based identd has been replaced by a new libevent-based |
<li>The inetd-based identd has been replaced by a new libevent-based |
| <a href="http://man.openbsd.org/?query=identd&sektion=8">identd(8)</a>. |
<a href="https://man.openbsd.org/?query=identd&sektion=8">identd(8)</a>. |
| <li><a href="http://man.openbsd.org/?query=tcpdump&sektion=8">tcpdump(8)</a> |
<li><a href="https://man.openbsd.org/?query=tcpdump&sektion=8">tcpdump(8)</a> |
| can now detect bad ICMP and ICMPv6 checksums when used with the -v flag. |
can now detect bad ICMP and ICMPv6 checksums when used with the -v flag. |
| <li>Added rdomain support to IPv6 configuration tools |
<li>Added rdomain support to IPv6 configuration tools |
| <a href="http://man.openbsd.org/?query=ndp&sektion=8">ndp(8)</a>, |
<a href="https://man.openbsd.org/?query=ndp&sektion=8">ndp(8)</a>, |
| <a href="http://man.openbsd.org/?query=rtsold&sektion=8">rtsold(8)</a>, |
<a href="https://man.openbsd.org/?query=rtsold&sektion=8">rtsold(8)</a>, |
| <a href="http://man.openbsd.org/?query=ping6&sektion=8">ping6(8)</a>, and |
<a href="https://man.openbsd.org/?query=ping6&sektion=8">ping6(8)</a>, and |
| <a href="http://man.openbsd.org/?query=traceroute6&sektion=8">traceroute6(8)</a>. |
<a href="https://man.openbsd.org/?query=traceroute6&sektion=8">traceroute6(8)</a>. |
| <li>Added SNMPv2 client support to |
<li>Added SNMPv2 client support to |
| <a href="http://man.openbsd.org/?query=snmpctl&sektion=8">snmpctl(8)</a> |
<a href="https://man.openbsd.org/?query=snmpctl&sektion=8">snmpctl(8)</a> |
| ("get", "walk", and "bulkwalk"). |
("get", "walk", and "bulkwalk"). |
| <li><a href="http://man.openbsd.org/?query=relayd&sektion=8">relayd(8)</a> |
<li><a href="https://man.openbsd.org/?query=relayd&sektion=8">relayd(8)</a> |
| now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default. |
now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li><a href="http://man.openbsd.org/?query=pf&sektion=4">pf(4)</a> improvements: |
<li><a href="https://man.openbsd.org/?query=pf&sektion=4">pf(4)</a> improvements: |
| <ul> |
<ul> |
| <li>New queueing system with new syntax. |
<li>New queueing system with new syntax. |
| <li>The "received-on" parameter can now be used with the "any" keyword to |
<li>The "received-on" parameter can now be used with the "any" keyword to |
| match any existing interface except loopback ones. |
match any existing interface except loopback ones. |
| <li>The block policy in the default <a href="http://man.openbsd.org/?query=pf.conf&sektion=5">pf.conf(5)</a> is now "block return". |
<li>The block policy in the default <a href="https://man.openbsd.org/?query=pf.conf&sektion=5">pf.conf(5)</a> is now "block return". |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li><a href="http://man.openbsd.org/?query=dhcpd&sektion=8">dhcpd(8)</a> and <a href="http://man.openbsd.org/?query=dhclient&sektion=8">dhclient(8)</a> improvements: |
<li><a href="https://man.openbsd.org/?query=dhcpd&sektion=8">dhcpd(8)</a> and <a href="https://man.openbsd.org/?query=dhclient&sektion=8">dhclient(8)</a> improvements: |
| <ul> |
<ul> |
| <li>No longer create a route to the bound address via 127.0.0.1. |
<li>No longer create a route to the bound address via 127.0.0.1. |
| <li>The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in <a href="http://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a>. |
<li>The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in <a href="https://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a>. |
| <li>'next-server' (a.k.a. siaddr) info now saved in lease files. |
<li>'next-server' (a.k.a. siaddr) info now saved in lease files. |
| <li>Fall back to broadcasting when unicast renewal fails, as specified in |
<li>Fall back to broadcasting when unicast renewal fails, as specified in |
| RFC 2131 and friends. |
RFC 2131 and friends. |
|
|
| <li>Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields. |
<li>Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields. |
| <li>Fix handling of non-printable characters in lease file strings. |
<li>Fix handling of non-printable characters in lease file strings. |
| <li>Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line. |
<li>Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line. |
| <li><a href="http://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a> can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'. |
<li><a href="https://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a> can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'. |
| <li>Fix parsing of <a href="http://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a> statements 'fixed-address' and |
<li>Fix parsing of <a href="https://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a> statements 'fixed-address' and |
| 'next-server'. |
'next-server'. |
| <li>Log failures to fchmod() or fchown() files being written. |
<li>Log failures to fchmod() or fchown() files being written. |
| <li>Create lease files with permissions 0640. |
<li>Create lease files with permissions 0640. |
| <li>Fix possible failure to write <a href="http://man.openbsd.org/?query=resolv.conf&sektion=5">resolv.conf(5)</a> when -L is used. |
<li>Fix possible failure to write <a href="https://man.openbsd.org/?query=resolv.conf&sektion=5">resolv.conf(5)</a> when -L is used. |
| <li>'send dhcp-client-identifier "";' in <a href="http://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a> will result in no 'dhcp-client-identifier' (option 61) being sent. |
<li>'send dhcp-client-identifier "";' in <a href="https://man.openbsd.org/?query=dhclient.conf&sektion=5">dhclient.conf(5)</a> will result in no 'dhcp-client-identifier' (option 61) being sent. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li><a href="http://man.openbsd.org/?query=iked&sektion=8">iked(8)</a> improvements: |
<li><a href="https://man.openbsd.org/?query=iked&sektion=8">iked(8)</a> improvements: |
| <ul> |
<ul> |
| <li>Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp <em>URL</em>". |
<li>Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp <em>URL</em>". |
| <li>Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys. |
<li>Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys. |
| <li>Support for DPD ("Dead Peer Detection") similar to the implementation in |
<li>Support for DPD ("Dead Peer Detection") similar to the implementation in |
| <a href="http://man.openbsd.org/?query=isakmpd&sektion=8">isakmpd(8)</a>. |
<a href="https://man.openbsd.org/?query=isakmpd&sektion=8">isakmpd(8)</a>. |
| <li>Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address <em>net/pool-prefix</em>". |
<li>Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address <em>net/pool-prefix</em>". |
| <li>Initial support for IPComp. |
<li>Initial support for IPComp. |
| <li>Various improvements and a thorough audit of the network input path. |
<li>Various improvements and a thorough audit of the network input path. |
|
|
| <li>other processes now have an API to return more precise codes ... |
<li>other processes now have an API to return more precise codes ... |
| <li>... which will be improved further with each version. |
<li>... which will be improved further with each version. |
| </ul> |
</ul> |
| <li>Improved <a href="http://man.openbsd.org/?query=smtpctl&sektion=8">smtpctl(8)</a>: |
<li>Improved <a href="https://man.openbsd.org/?query=smtpctl&sektion=8">smtpctl(8)</a>: |
| <ul> |
<ul> |
| <li>sendmail mode now supports DSN parameters |
<li>sendmail mode now supports DSN parameters |
| <li>Can now pause/resume a source address -> destination domain route. |
<li>Can now pause/resume a source address -> destination domain route. |
|
|
| </ul> |
</ul> |
| <li>Documentation: |
<li>Documentation: |
| <ul> |
<ul> |
| <li><a href="http://man.openbsd.org/?query=table&sektion=5">table(5)</a> describes format for static, file and db backends. |
<li><a href="https://man.openbsd.org/?query=table&sektion=5">table(5)</a> describes format for static, file and db backends. |
| <li>sendmail(8) describes our "sendmail" interface. |
<li>sendmail(8) describes our "sendmail" interface. |
| </ul> |
</ul> |
| <li>Reduced memory usage in both general and stressed cases. |
<li>Reduced memory usage in both general and stressed cases. |
| <li>OpenSMTPD now automagically upgrades queue if the format changes! |
<li>OpenSMTPD now automagically upgrades queue if the format changes! |
| <li>Support Qmail-like "sticky home". |
<li>Support Qmail-like "sticky home". |
| <li>Support for authenticating users from a credentials table. |
<li>Support for authenticating users from a credentials table. |
| <li>Introduce <a href="http://man.openbsd.org/?query=passwd&sektion=5">passwd(5)</a> table backend for user and credentials lookup. |
<li>Introduce <a href="https://man.openbsd.org/?query=passwd&sektion=5">passwd(5)</a> table backend for user and credentials lookup. |
| <li>Expansion variables in ~/.forward now support modifiers. |
<li>Expansion variables in ~/.forward now support modifiers. |
| <li>Much more efficient scheduler! |
<li>Much more efficient scheduler! |
| <li>Many documentation fixes and improvements. |
<li>Many documentation fixes and improvements. |
|
|
| <li>Security improvements: |
<li>Security improvements: |
| <ul> |
<ul> |
| <li>Position-independent executables (PIE) are now used by default on i386. |
<li>Position-independent executables (PIE) are now used by default on i386. |
| <li>The <a href="http://man.openbsd.org/?query=arc4random&sektion=3">arc4random(3)</a> |
<li>The <a href="https://man.openbsd.org/?query=arc4random&sektion=3">arc4random(3)</a> |
| functions now use the ChaCha20 cipher. |
functions now use the ChaCha20 cipher. |
| <li>The kernel random number system is initially seeded by the bootloader, |
<li>The kernel random number system is initially seeded by the bootloader, |
| providing better random very early. |
providing better random very early. |
| <li>Kernel stack protector is also seeded via the same mechanism, providing |
<li>Kernel stack protector is also seeded via the same mechanism, providing |
| protection earlier. |
protection earlier. |
| <li>-Wbounded is now enabled in GCC by default. |
<li>-Wbounded is now enabled in GCC by default. |
| <li>Added <a href="http://man.openbsd.org/?query=explicit_bzero&sektion=3">explicit_bzero(3)</a>. |
<li>Added <a href="https://man.openbsd.org/?query=explicit_bzero&sektion=3">explicit_bzero(3)</a>. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
|
|
| |
|
| <li>Threading improvements: |
<li>Threading improvements: |
| <ul> |
<ul> |
| <li>Interprocess semaphores via <a href="http://man.openbsd.org/?query=sem_open&sektion=3">sem_open(3)</a>. |
<li>Interprocess semaphores via <a href="https://man.openbsd.org/?query=sem_open&sektion=3">sem_open(3)</a>. |
| <li>Running threaded processes under a debugger no longer causes panics. |
<li>Running threaded processes under a debugger no longer causes panics. |
| <li>SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered. |
<li>SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered. |
| <li>Thread stacks now have a random bias. |
<li>Thread stacks now have a random bias. |
| <li><a href="http://man.openbsd.org/?query=fork&sektion=2">fork(2)</a> no longer changes the pthread_t of the forking thread in the child. |
<li><a href="https://man.openbsd.org/?query=fork&sektion=2">fork(2)</a> no longer changes the pthread_t of the forking thread in the child. |
| <li>Signaling races eliminated from <a href="http://man.openbsd.org/?query=pthread_kill&sektion=3">pthread_kill(3)</a> and <a href="http://man.openbsd.org/?query=pthread_cancel&sektion=3">pthread_cancel(3)</a>. |
<li>Signaling races eliminated from <a href="https://man.openbsd.org/?query=pthread_kill&sektion=3">pthread_kill(3)</a> and <a href="https://man.openbsd.org/?query=pthread_cancel&sektion=3">pthread_cancel(3)</a>. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Assorted improvements: |
<li>Assorted improvements: |
| <ul> |
<ul> |
| <li>New in-memory file system, <a href="http://man.openbsd.org/?query=mount_tmpfs&sektion=8">tmpfs</a>. |
<li>New in-memory file system, <a href="https://man.openbsd.org/?query=mount_tmpfs&sektion=8">tmpfs</a>. |
| <li>Many <a href="http://man.openbsd.org/?query=fuse&sektion=4">fuse(4)</a> improvements and stability fixes. |
<li>Many <a href="https://man.openbsd.org/?query=fuse&sektion=4">fuse(4)</a> improvements and stability fixes. |
| <li>Added POSIX-required <a href="http://man.openbsd.org/?query=nl&sektion=1">nl(1)</a> utility. |
<li>Added POSIX-required <a href="https://man.openbsd.org/?query=nl&sektion=1">nl(1)</a> utility. |
| <li>OpenBSD/vax has switched to GCC 3. |
<li>OpenBSD/vax has switched to GCC 3. |
| <li>Replaced <a href="http://man.openbsd.org/?query=getdirentries&sektion=2&manpath=OpenBSD+5.4">getdirentries(2)</a> with <a href="http://man.openbsd.org/?query=getdents&sektion=2">getdents(2)</a>, vastly improving the performance and memory usage of <a href="http://man.openbsd.org/?query=telldir&sektion=3">telldir(3)</a>. |
<li>Replaced <a href="https://man.openbsd.org/?query=getdirentries&sektion=2&manpath=OpenBSD+5.4">getdirentries(2)</a> with <a href="https://man.openbsd.org/?query=getdents&sektion=2">getdents(2)</a>, vastly improving the performance and memory usage of <a href="https://man.openbsd.org/?query=telldir&sektion=3">telldir(3)</a>. |
| <li>amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency. |
<li>amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency. |
| <li>Added support for CLOCK_UPTIME. |
<li>Added support for CLOCK_UPTIME. |
| <li>Added <a href="http://man.openbsd.org/?query=tcgetsid&sektion=3">tcgetsid(3)</a>. |
<li>Added <a href="https://man.openbsd.org/?query=tcgetsid&sektion=3">tcgetsid(3)</a>. |
| <li>clock_t is now a 64 bit type, so it no longer wraps around in only 248 days. |
<li>clock_t is now a 64 bit type, so it no longer wraps around in only 248 days. |
| <li>ino_t is now a 64 bit type, mostly to support large NFS filesystems. |
<li>ino_t is now a 64 bit type, mostly to support large NFS filesystems. |
| <li>Corrected handling of UTIME_OMIT. |
<li>Corrected handling of UTIME_OMIT. |
| <li><a href="http://man.openbsd.org/?query=pax&sektion=1">pax(1)</a> now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested. |
<li><a href="https://man.openbsd.org/?query=pax&sektion=1">pax(1)</a> now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested. |
| <li>Corrected handling of shared library destructors when libc is statically linked. |
<li>Corrected handling of shared library destructors when libc is statically linked. |
| <li>Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits. |
<li>Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits. |
| <li>Corrected <a href="http://man.openbsd.org/?query=growfs&sektion=8">growfs(8)</a> to handle non-512-byte sectors and disk sizes greater than 32-bits. |
<li>Corrected <a href="https://man.openbsd.org/?query=growfs&sektion=8">growfs(8)</a> to handle non-512-byte sectors and disk sizes greater than 32-bits. |
| <li>All CIRCLEQ uses replaced with TAILQ. |
<li>All CIRCLEQ uses replaced with TAILQ. |
| <li>Preserve and honour changes to the OpenBSD bounds in a disklabel. |
<li>Preserve and honour changes to the OpenBSD bounds in a disklabel. |
| <li><a href="http://man.openbsd.org/?query=fdisk&sektion=8">fdisk(8)</a> now always writes a good signature when the MBR is written to disk. |
<li><a href="https://man.openbsd.org/?query=fdisk&sektion=8">fdisk(8)</a> now always writes a good signature when the MBR is written to disk. |
| <li><a href="http://man.openbsd.org/?query=disklabel&sektion=8">disklabel(8)</a> now writes the disklabel to the correct location on non-512-byte sector devices. |
<li><a href="https://man.openbsd.org/?query=disklabel&sektion=8">disklabel(8)</a> now writes the disklabel to the correct location on non-512-byte sector devices. |
| <li>Fix <a href="http://man.openbsd.org/?query=athn&sektion=4">athn(4)</a> tick calculations to eliminate excessive timeouts. |
<li>Fix <a href="https://man.openbsd.org/?query=athn&sektion=4">athn(4)</a> tick calculations to eliminate excessive timeouts. |
| <li>Allow <a href="http://man.openbsd.org/?query=disklabel&sektion=8">disklabel(8)</a> to set any partition, including 'C', to type UNUSED. |
<li>Allow <a href="https://man.openbsd.org/?query=disklabel&sektion=8">disklabel(8)</a> to set any partition, including 'C', to type UNUSED. |
| <li>New <a href="http://man.openbsd.org/?query=sha512&sektion=1">sha512(1)</a> tool to calculate and verify the SHA-512 checksums of files. |
<li>New <a href="https://man.openbsd.org/?query=sha512&sektion=1">sha512(1)</a> tool to calculate and verify the SHA-512 checksums of files. |
| <li><a href="http://man.openbsd.org/?query=sha256&sektion=1">sha256(1)</a> and related tools |
<li><a href="https://man.openbsd.org/?query=sha256&sektion=1">sha256(1)</a> and related tools |
| (<a href="http://man.openbsd.org/?query=cksum&sektion=1">cksum(1)</a>, |
(<a href="https://man.openbsd.org/?query=cksum&sektion=1">cksum(1)</a>, |
| <a href="http://man.openbsd.org/?query=md5&sektion=1">md5(1)</a>, |
<a href="https://man.openbsd.org/?query=md5&sektion=1">md5(1)</a>, |
| <a href="http://man.openbsd.org/?query=sha1&sektion=1">sha1(1)</a>, and |
<a href="https://man.openbsd.org/?query=sha1&sektion=1">sha1(1)</a>, and |
| <a href="http://man.openbsd.org/?query=sha512&sektion=1">sha512(1)</a>) |
<a href="https://man.openbsd.org/?query=sha512&sektion=1">sha512(1)</a>) |
| now support a new -h flag to place the checksum into a specified hash file instead of stdout. |
now support a new -h flag to place the checksum into a specified hash file instead of stdout. |
| <li><a href="http://man.openbsd.org/?query=sha256&sektion=1">sha256(1)</a> and related tools now support a new -C flag that allows the verification of selected files in a checklist. |
<li><a href="https://man.openbsd.org/?query=sha256&sektion=1">sha256(1)</a> and related tools now support a new -C flag that allows the verification of selected files in a checklist. |
| <li><a href="http://man.openbsd.org/?query=sha256&sektion=1">sha256(1)</a> and related tools will now print MISSING if they encounter non-existent files in a checklist. |
<li><a href="https://man.openbsd.org/?query=sha256&sektion=1">sha256(1)</a> and related tools will now print MISSING if they encounter non-existent files in a checklist. |
| <li>i386 and amd64 platforms can now boot from keydisk-based <a href="http://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a> crypto volumes. |
<li>i386 and amd64 platforms can now boot from keydisk-based <a href="https://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a> crypto volumes. |
| <li>Allow <a href="http://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a> to work with partitions larger than 2TB. |
<li>Allow <a href="https://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a> to work with partitions larger than 2TB. |
| <li>Removed experimental RAID 4 support from <a href="http://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a>. |
<li>Removed experimental RAID 4 support from <a href="https://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a>. |
| <li>Added experimental support for rebuilding RAID 5 <a href="http://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a> volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. <a href="http://man.openbsd.org/?query=bioctl&sektion=8">bioctl(8)</a> refuses to create RAID 5 volumes unless recompiled with -DRAID5. |
<li>Added experimental support for rebuilding RAID 5 <a href="https://man.openbsd.org/?query=softraid&sektion=4">softraid(4)</a> volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. <a href="https://man.openbsd.org/?query=bioctl&sektion=8">bioctl(8)</a> refuses to create RAID 5 volumes unless recompiled with -DRAID5. |
| <li>The uhts(4) driver has been merged into |
<li>The uhts(4) driver has been merged into |
| <a href="http://man.openbsd.org/?query=ums&sektion=4">ums(4)</a>. |
<a href="https://man.openbsd.org/?query=ums&sektion=4">ums(4)</a>. |
| <li>Many new checks were added to portcheck(1) <!-- no href to man.cgi due to the fact it doesn't show stuff under /usr/ports/infrastructure/man --> utility; now it catches almost every popular mistake that observed in ports in last years. |
<li>Many new checks were added to portcheck(1) <!-- no href to man.cgi due to the fact it doesn't show stuff under /usr/ports/infrastructure/man --> utility; now it catches almost every popular mistake that observed in ports in last years. |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| <ul> |
<ul> |
| <li>Security: |
<li>Security: |
| <ul> |
<ul> |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| when using environment passing with a |
when using environment passing with a |
| <a href="http://man.openbsd.org/?query=sshd_config&sektion=5">sshd_config(5)</a> |
<a href="https://man.openbsd.org/?query=sshd_config&sektion=5">sshd_config(5)</a> |
| <tt>AcceptEnv</tt> pattern with a wildcard. OpenSSH prior to 6.6 could |
<tt>AcceptEnv</tt> pattern with a wildcard. OpenSSH prior to 6.6 could |
| be tricked into accepting any enviornment variable that contains the |
be tricked into accepting any enviornment variable that contains the |
| characters before the wildcard character. |
characters before the wildcard character. |
| </ul> |
</ul> |
| <li>New/changed features: |
<li>New/changed features: |
| <ul> |
<ul> |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Add support for key exchange using <i>elliptic-curve Diffie Hellman</i> |
Add support for key exchange using <i>elliptic-curve Diffie Hellman</i> |
| in Daniel Bernstein's <i>Curve25519</i>. This key exchange method is |
in Daniel Bernstein's <i>Curve25519</i>. This key exchange method is |
| the default when both the client and server support it. |
the default when both the client and server support it. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Add support for <i>ED25519</i> as a public key type. ED25519 is |
Add support for <i>ED25519</i> as a public key type. ED25519 is |
| a elliptic curve signature scheme that offers better security than |
a elliptic curve signature scheme that offers better security than |
| <i>ECDSA</i> and <i>DSA</i> and good performance. It may be used for |
<i>ECDSA</i> and <i>DSA</i> and good performance. It may be used for |
|
|
| protect keys at rest. This format is used unconditionally for |
protect keys at rest. This format is used unconditionally for |
| ED25519 keys, but may be requested when generating or saving |
ED25519 keys, but may be requested when generating or saving |
| existing keys of other types via the <tt>-o</tt> |
existing keys of other types via the <tt>-o</tt> |
| <a href="http://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> |
<a href="https://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> |
| option. We intend to make the new format the default in the near |
option. We intend to make the new format the default in the near |
| future. Details of the new format are in the <tt>PROTOCOL.key</tt> |
future. Details of the new format are in the <tt>PROTOCOL.key</tt> |
| file. |
file. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Add a new transport cipher "chacha20-poly1305@openssh.com" that |
Add a new transport cipher "chacha20-poly1305@openssh.com" that |
| combines Daniel Bernstein's <i>ChaCha20</i> stream cipher and |
combines Daniel Bernstein's <i>ChaCha20</i> stream cipher and |
| <i>Poly1305 MAC</i> to build an authenticated encryption mode. Details |
<i>Poly1305 MAC</i> to build an authenticated encryption mode. Details |
| are in the <tt>PROTOCOL.chacha20poly1305</tt> file. |
are in the <tt>PROTOCOL.chacha20poly1305</tt> file. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Refuse <i>RSA</i> keys from old proprietary clients and servers that |
Refuse <i>RSA</i> keys from old proprietary clients and servers that |
| use the obsolete <i>RSA+MD5</i> signature scheme. It will still be |
use the obsolete <i>RSA+MD5</i> signature scheme. It will still be |
| possible to connect with these clients/servers but <b>only DSA keys |
possible to connect with these clients/servers but <b>only DSA keys |
| will be accepted, and OpenSSH will refuse connection entirely in a |
will be accepted, and OpenSSH will refuse connection entirely in a |
| future release</b>. |
future release</b>. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Refuse old proprietary clients and servers that use a weaker key |
Refuse old proprietary clients and servers that use a weaker key |
| exchange hash calculation. |
exchange hash calculation. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| Increase the size of the <i>Diffie-Hellman groups</i> requested for |
Increase the size of the <i>Diffie-Hellman groups</i> requested for |
| each symmetric key size. New values from <i>NIST Special Publication |
each symmetric key size. New values from <i>NIST Special Publication |
| 800-57</i> with the upper limit specified by <i>RFC 4419</i>. |
800-57</i> with the upper limit specified by <i>RFC 4419</i>. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
<a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| Support <i>PKCS#11</i> tokens that only provide <i>X.509</i> certs |
Support <i>PKCS#11</i> tokens that only provide <i>X.509</i> certs |
| instead of raw public keys. (requested as bz#1908) |
instead of raw public keys. (requested as bz#1908) |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| Add a |
Add a |
| <a href="http://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
| <tt>Match</tt> keyword that allows conditional configuration to be |
<tt>Match</tt> keyword that allows conditional configuration to be |
| applied by matching on <i>hostname</i>, <i>user</i> and <i>result of |
applied by matching on <i>hostname</i>, <i>user</i> and <i>result of |
| arbitrary commands</i>. |
arbitrary commands</i>. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| Add support for <i>client-side hostname canonicalisation</i> using a |
Add support for <i>client-side hostname canonicalisation</i> using a |
| set of <i>DNS suffixes</i> and rules in |
set of <i>DNS suffixes</i> and rules in |
| <a href="http://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a>. |
<a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a>. |
| This allows unqualified names to be canonicalised to fully-qualified |
This allows unqualified names to be canonicalised to fully-qualified |
| domain names to eliminate ambiguity when looking up keys in |
domain names to eliminate ambiguity when looking up keys in |
| <tt>known_hosts</tt> or checking host certificate names. |
<tt>known_hosts</tt> or checking host certificate names. |
| <li><a href="http://man.openbsd.org/?query=sftp-server&sektion=8">sftp-server(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sftp-server&sektion=8">sftp-server(8)</a>: |
| Add the ability to whitelist and/or blacklist sftp protocol requests by |
Add the ability to whitelist and/or blacklist sftp protocol requests by |
| name. |
name. |
| <li><a href="http://man.openbsd.org/?query=sftp-server&sektion=8">sftp-server(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sftp-server&sektion=8">sftp-server(8)</a>: |
| Add a sftp "fsync@openssh.com" to support calling |
Add a sftp "fsync@openssh.com" to support calling |
| <a href="http://man.openbsd.org/?query=fsync&sektion=2">fsync(2)</a> |
<a href="https://man.openbsd.org/?query=fsync&sektion=2">fsync(2)</a> |
| on an open file handle. |
on an open file handle. |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Add a |
Add a |
| <a href="http://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
| <tt>PermitTTY</tt> to disallow <i>TTY</i> allocation, mirroring the |
<tt>PermitTTY</tt> to disallow <i>TTY</i> allocation, mirroring the |
| longstanding <tt>no-pty</tt> <tt>authorized_keys</tt> option. |
longstanding <tt>no-pty</tt> <tt>authorized_keys</tt> option. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| Add a |
Add a |
| <a href="http://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
| <tt>ProxyUseFDPass</tt> option that supports the use of |
<tt>ProxyUseFDPass</tt> option that supports the use of |
| <tt>ProxyCommands</tt> that establish a connection and then pass a |
<tt>ProxyCommands</tt> that establish a connection and then pass a |
| connected file descriptor back to |
connected file descriptor back to |
| <a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>. |
<a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>. |
| This allows the <tt>ProxyCommand</tt> to exit rather than staying |
This allows the <tt>ProxyCommand</tt> to exit rather than staying |
| around to transfer data. |
around to transfer data. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| this release removes the <i>J-PAKE</i> authentication code. This code |
this release removes the <i>J-PAKE</i> authentication code. This code |
| was experimental, never enabled and had been unmaintained for some |
was experimental, never enabled and had been unmaintained for some |
| time. |
time. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| when processing <tt>Match</tt> blocks, skip '<tt>exec</tt>' clauses |
when processing <tt>Match</tt> blocks, skip '<tt>exec</tt>' clauses |
| other clauses predicates failed to match. |
other clauses predicates failed to match. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| if hostname canonicalisation is enabled and results in the destination |
if hostname canonicalisation is enabled and results in the destination |
| hostname being changed, then re-parse |
hostname being changed, then re-parse |
| <a href="http://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
| files using the new destination hostname. This gives '<tt>Host</tt>' |
files using the new destination hostname. This gives '<tt>Host</tt>' |
| and '<tt>Match</tt>' directives that use the expanded hostname a chance |
and '<tt>Match</tt>' directives that use the expanded hostname a chance |
| to be applied. |
to be applied. |
| </ul> |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Fix potential stack exhaustion caused by nested certificates. |
Fix potential stack exhaustion caused by nested certificates. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| make <tt>BindAddress</tt> work with <tt>UsePrivilegedPort</tt>. |
make <tt>BindAddress</tt> work with <tt>UsePrivilegedPort</tt>. |
| (bz#1211) |
(bz#1211) |
| <li><a href="http://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
<li><a href="https://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
| fix the progress meter for resumed transfer. (bz#2137) |
fix the progress meter for resumed transfer. (bz#2137) |
| <li><a href="http://man.openbsd.org/?query=ssh-add&sektion=1">ssh-add(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh-add&sektion=1">ssh-add(1)</a>: |
| do not request smartcard PIN when removing keys from |
do not request smartcard PIN when removing keys from |
| <a href="http://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>. |
<a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>. |
| (bz#2187) |
(bz#2187) |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| fix re-exec fallback when original |
fix re-exec fallback when original |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a> |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a> |
| binary cannot be executed. (bz#2139) |
binary cannot be executed. (bz#2139) |
| <li><a href="http://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| Make relative-specified certificate expiry times relative to current |
Make relative-specified certificate expiry times relative to current |
| time and not the validity start time. |
time and not the validity start time. |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| fix <tt>AuthorizedKeysCommand</tt> inside a <tt>Match</tt> block. |
fix <tt>AuthorizedKeysCommand</tt> inside a <tt>Match</tt> block. |
| (bz#2161) |
(bz#2161) |
| <li><a href="http://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
<li><a href="https://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
| symlinking a file would incorrectly canonicalise the target path. |
symlinking a file would incorrectly canonicalise the target path. |
| (bz#2129) |
(bz#2129) |
| <li><a href="http://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| fix a use-after-free in the PKCS#11 agent helper executable. |
fix a use-after-free in the PKCS#11 agent helper executable. |
| (bz#2175) |
(bz#2175) |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| Improve logging of sessions to include the <i>user name</i>, <i>remote |
Improve logging of sessions to include the <i>user name</i>, <i>remote |
| host</i> and <i>port</i>, the <i>session type</i> (shell, command, |
host</i> and <i>port</i>, the <i>session type</i> (shell, command, |
| etc.) and <i>allocated TTY</i> (if any). |
etc.) and <i>allocated TTY</i> (if any). |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| tell the client (via a debug message) when their preferred listen |
tell the client (via a debug message) when their preferred listen |
| address has been overridden by the server's <tt>GatewayPorts</tt> |
address has been overridden by the server's <tt>GatewayPorts</tt> |
| setting. (bz#1297) |
setting. (bz#1297) |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| include report port in bad protocol banner message. (bz#2162) |
include report port in bad protocol banner message. (bz#2162) |
| <li><a href="http://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
<li><a href="https://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
| fix memory leak in error path in <i>do_readdir()</i>. (bz#2163) |
fix memory leak in error path in <i>do_readdir()</i>. (bz#2163) |
| <li><a href="http://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
<li><a href="https://man.openbsd.org/?query=sftp&sektion=1">sftp(1)</a>: |
| don't leak file descriptor on error. (bz#2171) |
don't leak file descriptor on error. (bz#2171) |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| include the <i>local address</i> and <i>port</i> in "<tt>Connection |
include the <i>local address</i> and <i>port</i> in "<tt>Connection |
| from ...</tt>" message. (only shown at <i>loglevel>=verbose</i>) |
from ...</tt>" message. (only shown at <i>loglevel>=verbose</i>) |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| avoid spurious "<tt>getsockname failed: Bad file descriptor</tt>" in |
avoid spurious "<tt>getsockname failed: Bad file descriptor</tt>" in |
| <tt>ssh -W</tt>. (bz#2200, debian#738692) |
<tt>ssh -W</tt>. (bz#2200, debian#738692) |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| allow the |
allow the |
| <a href="http://man.openbsd.org/?query=shutdown&sektion=2">shutdown(2)</a> |
<a href="https://man.openbsd.org/?query=shutdown&sektion=2">shutdown(2)</a> |
| syscall in seccomp-bpf and systrace sandbox modes, as it is reachable |
syscall in seccomp-bpf and systrace sandbox modes, as it is reachable |
| if the connection is terminated during the pre-auth phase. |
if the connection is terminated during the pre-auth phase. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| fix unsigned overflow that in <i>SSH protocol 1 bignum parsing</i>. |
fix unsigned overflow that in <i>SSH protocol 1 bignum parsing</i>. |
| Minimum key length checks render this bug unexploitable to compromise |
Minimum key length checks render this bug unexploitable to compromise |
| SSH 1 sessions. |
SSH 1 sessions. |
| <li><a href="http://man.openbsd.org/?query=sshd_config&sektion=5">sshd_config(5)</a> |
<li><a href="https://man.openbsd.org/?query=sshd_config&sektion=5">sshd_config(5)</a> |
| clarify behaviour of a keyword that appears in multiple matching |
clarify behaviour of a keyword that appears in multiple matching |
| <tt>Match</tt> blocks. (bz#2184) |
<tt>Match</tt> blocks. (bz#2184) |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| avoid unnecessary hostname lookups when canonicalisation is disabled. |
avoid unnecessary hostname lookups when canonicalisation is disabled. |
| (bz#2205) |
(bz#2205) |
| <li><a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| avoid sandbox violation crashes in GSSAPI code by caching the supported |
avoid sandbox violation crashes in GSSAPI code by caching the supported |
| list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107) |
list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107) |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| fix possible crashes in SOCKS4 parsing caused by assumption that the |
fix possible crashes in SOCKS4 parsing caused by assumption that the |
| SOCKS username is nul-terminated. |
SOCKS username is nul-terminated. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| fix regression for <tt>UsePrivilegedPort=yes</tt> when |
fix regression for <tt>UsePrivilegedPort=yes</tt> when |
| <tt>BindAddress</tt> is not specified. |
<tt>BindAddress</tt> is not specified. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>: |
| fix memory leak in ECDSA signature verification. |
fix memory leak in ECDSA signature verification. |
| <li><a href="http://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>: |
| fix matching of '<tt>Host</tt>' directives in |
fix matching of '<tt>Host</tt>' directives in |
| <a href="http://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a> |
| files to be case-insensitive again. (regression in 6.5) |
files to be case-insensitive again. (regression in 6.5) |
| </ul> |
</ul> |
| </ul> |
</ul> |
|
|
| <ul> |
<ul> |
| <li>Over 8,700 ports. |
<li>Over 8,700 ports. |
| <li>Major overhaul of the package tools, resulting in much better memory usage. |
<li>Major overhaul of the package tools, resulting in much better memory usage. |
| <li><a href="http://man.openbsd.org/?query=pkg_add&sektion=1">pkg_add(1)</a> now only trusts signed packages by default. |
<li><a href="https://man.openbsd.org/?query=pkg_add&sektion=1">pkg_add(1)</a> now only trusts signed packages by default. |
| <li>The build process now allows some limited capability for building |
<li>The build process now allows some limited capability for building |
| conflicting packages, yielding KDE 4 packages as a result, along |
conflicting packages, yielding KDE 4 packages as a result, along |
| with KDE 3 ones. |
with KDE 3 ones. |
|
|
| To make a boot floppy under MS-DOS, use the "rawrite" utility located |
To make a boot floppy under MS-DOS, use the "rawrite" utility located |
| at <i>CD1:5.5/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS, |
at <i>CD1:5.5/tools/rawrite.exe</i>. To make the boot floppy under a Unix OS, |
| use the |
use the |
| <a href="http://man.openbsd.org/?query=dd&sektion=1">dd(1)</a> |
<a href="https://man.openbsd.org/?query=dd&sektion=1">dd(1)</a> |
| utility. The following is an example usage of |
utility. The following is an example usage of |
| <a href="http://man.openbsd.org/?query=dd&sektion=1">dd(1)</a>, |
<a href="https://man.openbsd.org/?query=dd&sektion=1">dd(1)</a>, |
| where the device could be "floppy", "rfd0c", or |
where the device could be "floppy", "rfd0c", or |
| "rfd0a". |
"rfd0a". |
| |
|
|
|
| OpenBSD ports system. |
OpenBSD ports system. |
| <p> |
<p> |
| The <i>ports/</i> directory represents a CVS (see the manpage for |
The <i>ports/</i> directory represents a CVS (see the manpage for |
| <a href="http://man.openbsd.org/?query=cvs&sektion=1&arch=i386"> |
<a href="https://man.openbsd.org/?query=cvs&sektion=1&arch=i386"> |
| cvs(1)</a> if |
cvs(1)</a> if |
| you aren't familiar with CVS) checkout of our ports. As with our complete |
you aren't familiar with CVS) checkout of our ports. As with our complete |
| source tree, our ports tree is available via |
source tree, our ports tree is available via |
![[BACK]](/icons/back.gif){kind=icon}
Return to 55.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www