===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/55.html,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- www/55.html 2015/08/06 21:50:20 1.79
+++ www/55.html 2016/03/21 05:46:19 1.80
@@ -36,7 +36,7 @@
See a detailed log of changes between the
5.4 and 5.5 releases.
-
signify(1) pubkeys for this release:
+signify(1) pubkeys for this release:
base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
@@ -67,24 +67,24 @@
From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC.
The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t.
Userland programs that were changed include
- arp(8),
- bgpd(8),
- calendar(8),
- cron(8),
- find(1),
- fsck_ffs(8),
- ifconfig(8),
- ksh(1),
- ld(1),
- ld.so(1),
- netstat(1),
- pfctl(8),
- ping(8),
- rtadvd(8),
- ssh(1),
- tar(1),
- tmux(1),
- top(1),
+ arp(8),
+ bgpd(8),
+ calendar(8),
+ cron(8),
+ find(1),
+ fsck_ffs(8),
+ ifconfig(8),
+ ksh(1),
+ ld(1),
+ ld.so(1),
+ netstat(1),
+ pfctl(8),
+ ping(8),
+ rtadvd(8),
+ ssh(1),
+ tar(1),
+ tmux(1),
+ top(1),
and many others, including games!
Removed time_t from network, on-disk, and database formats.
Removed as many (time_t) casts as possible.
@@ -96,27 +96,27 @@
Releases and packages are now cryptographically signed with the
-signify(1) utility.
+signify(1) utility.
- The installer will verify all sets before installing.
- Installing without verification works, but is discouraged.
- Users are advised to verify the installer (bsd.rd, install55.iso, etc.)
ahead of time using the
- signify(1) tool if available.
-
- pkg_add(1) now only trusts signed packages by default.
+ signify(1) tool if available.
+
- pkg_add(1) now only trusts signed packages by default.
Installer improvements:
- The installer now supports a scriptable
- auto-installation
+ auto-installation
method that enables unattended installation and upgrades using a response file.
- Disk images which can be written to a USB flash drive
(miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets])
are now provided for amd64 and i386.
- Rewritten
- installboot(8)
+ installboot(8)
utility aiming for a unified implementation across platforms (currently
used by amd64 and i386 only).
- The installer now parses nwids with embedded blanks correctly.
@@ -139,66 +139,66 @@
- Improved hardware support, including:
- - New vmx(4)
+
- New vmx(4)
driver for VMware VMXNET3 Virtual Interface Controller devices.
-
- New vmwpvs(4)
+
- New vmwpvs(4)
driver for VMware Paravirtual SCSI.
-
- New vioscsi(4)
+
- New vioscsi(4)
driver for VirtIO SCSI adapters.
-
- New viornd(4)
+
- New viornd(4)
driver for VirtIO random number devices.
-
- New ubcmtp(4)
+
- New ubcmtp(4)
driver for Broadcom multi-touch trackpads found on newer Apple MacBook,
MacBook Pro, and MacBook Air laptops.
-
- New ugold(4)
+
- New ugold(4)
driver for TEMPer gold HID thermometers.
-
- New ugl(4)
+
- New ugl(4)
driver for Genesys Logic based USB host-to-host adapters.
-
- New qle(4) driver for QLogic Fibre Channel HBAs.
-
- radeondrm(4)
+
- New qle(4) driver for QLogic Fibre Channel HBAs.
+
- radeondrm(4)
has been overhauled, including:
- New port of the Radeon code in Linux 3.8.13.19.
- Support for Kernel Mode Setting (KMS) including support for
additional output types such as DisplayPort.
-
- wsdisplay(4)
+
- wsdisplay(4)
now attaches to
- radeondrm(4)
+ radeondrm(4)
and provides a framebuffer console.
- - inteldrm(4)
+
- inteldrm(4)
has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes.
- Support for Intel 8 Series Ethernet with i217/i218 PHYs, and
i210/i211/i354 has been added to
- em(4).
+ em(4).
- Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to
- iwn(4).
+ iwn(4).
- Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to
- arc(4).
-
- Support for Elantech v2 touchpads in pms(4) has been fixed.
-
- Support for 802.11a (5Ghz) has been added to wpi(4).
+ arc(4).
+
- Support for Elantech v2 touchpads in pms(4) has been fixed.
+
- Support for 802.11a (5Ghz) has been added to wpi(4).
- Workarounds for firmware stability issues have been added to
- wpi(4),
- iwi(4), and
- iwn(4).
+ wpi(4),
+ iwi(4), and
+ iwn(4).
- Support for RT3572 chips has been added to the
- ral(4) driver.
+ ral(4) driver.
- Support for RTL8106E chips has been added to the
- re(4) driver.
-
- Support for RTS5229 card readers has been added to rtsx(4).
-
- Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver.
-
- Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
+ re(4) driver.
+
- Support for RTS5229 card readers has been added to rtsx(4).
+
- Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver.
+
- Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
- Further reliability improvements regarding suspend/resume and hibernation.
- Enabled IPv6 transmit TCP/UDP checksum offload in
- jme(4).
+ jme(4).
- Generic network stack improvements:
- - Added vxlan(4),
+
- Added vxlan(4),
a virtual extensible local area network tunnel interface.
-
- pflow(4)
+
- pflow(4)
now sends 64 bit time values for pflowproto 10. The changed templates /
flows for pflowproto 10 are now parsable by existing receivers.
- Continued improvement of the checksum offload framework to streamline
@@ -210,40 +210,40 @@
- Routing daemons and other userland network improvements:
- The popa3d POP3 server has been removed.
-
- Added ntpctl(8),
+
- Added ntpctl(8),
a program to control the Network Time Protocol daemon.
-
- slowcgi(8)
+
- slowcgi(8)
now works with a high number of concurrent connections.
- The inetd-based identd has been replaced by a new libevent-based
- identd(8).
-
- tcpdump(8)
+ identd(8).
+
- tcpdump(8)
can now detect bad ICMP and ICMPv6 checksums when used with the -v flag.
- Added rdomain support to IPv6 configuration tools
- ndp(8),
- rtsold(8),
- ping6(8), and
- traceroute6(8).
+ ndp(8),
+ rtsold(8),
+ ping6(8), and
+ traceroute6(8).
- Added SNMPv2 client support to
- snmpctl(8)
+ snmpctl(8)
("get", "walk", and "bulkwalk").
-
- relayd(8)
+
- relayd(8)
now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default.
-
- pf(4) improvements:
+
- pf(4) improvements:
- New queueing system with new syntax.
- The "received-on" parameter can now be used with the "any" keyword to
match any existing interface except loopback ones.
-
- The block policy in the default pf.conf(5) is now "block return".
+
- The block policy in the default pf.conf(5) is now "block return".
-
- dhcpd(8) and dhclient(8) improvements:
+
- dhcpd(8) and dhclient(8) improvements:
- No longer create a route to the bound address via 127.0.0.1.
-
- The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
+
- The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
- 'next-server' (a.k.a. siaddr) info now saved in lease files.
- Fall back to broadcasting when unicast renewal fails, as specified in
RFC 2131 and friends.
@@ -254,22 +254,22 @@
- Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields.
- Fix handling of non-printable characters in lease file strings.
- Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line.
-
- dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'.
-
- Fix parsing of dhclient.conf(5) statements 'fixed-address' and
+
- dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'.
+
- Fix parsing of dhclient.conf(5) statements 'fixed-address' and
'next-server'.
- Log failures to fchmod() or fchown() files being written.
- Create lease files with permissions 0640.
-
- Fix possible failure to write resolv.conf(5) when -L is used.
-
- 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.
+
- Fix possible failure to write resolv.conf(5) when -L is used.
+
- 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.
-
- iked(8) improvements:
+
- iked(8) improvements:
- Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp URL".
- Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys.
- Support for DPD ("Dead Peer Detection") similar to the implementation in
- isakmpd(8).
+ isakmpd(8).
- Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address net/pool-prefix".
- Initial support for IPComp.
- Various improvements and a thorough audit of the network input path.
@@ -289,7 +289,7 @@
- other processes now have an API to return more precise codes ...
- ... which will be improved further with each version.
- - Improved smtpctl(8):
+
- Improved smtpctl(8):
- sendmail mode now supports DSN parameters
- Can now pause/resume a source address -> destination domain route.
@@ -341,14 +341,14 @@
- Documentation:
- - table(5) describes format for static, file and db backends.
+
- table(5) describes format for static, file and db backends.
- sendmail(8) describes our "sendmail" interface.
- Reduced memory usage in both general and stressed cases.
- OpenSMTPD now automagically upgrades queue if the format changes!
- Support Qmail-like "sticky home".
- Support for authenticating users from a credentials table.
-
- Introduce passwd(5) table backend for user and credentials lookup.
+
- Introduce passwd(5) table backend for user and credentials lookup.
- Expansion variables in ~/.forward now support modifiers.
- Much more efficient scheduler!
- Many documentation fixes and improvements.
@@ -359,14 +359,14 @@
- Security improvements:
- Position-independent executables (PIE) are now used by default on i386.
-
- The arc4random(3)
+
- The arc4random(3)
functions now use the ChaCha20 cipher.
- The kernel random number system is initially seeded by the bootloader,
providing better random very early.
- Kernel stack protector is also seeded via the same mechanism, providing
protection earlier.
- -Wbounded is now enabled in GCC by default.
-
- Added explicit_bzero(3).
+
- Added explicit_bzero(3).
@@ -378,53 +378,53 @@
- Threading improvements:
- - Interprocess semaphores via sem_open(3).
+
- Interprocess semaphores via sem_open(3).
- Running threaded processes under a debugger no longer causes panics.
- SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered.
- Thread stacks now have a random bias.
-
- fork(2) no longer changes the pthread_t of the forking thread in the child.
-
- Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).
+
- fork(2) no longer changes the pthread_t of the forking thread in the child.
+
- Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).
- Assorted improvements:
- - New in-memory file system, tmpfs.
-
- Many fuse(4) improvements and stability fixes.
-
- Added POSIX-required nl(1) utility.
+
- New in-memory file system, tmpfs.
+
- Many fuse(4) improvements and stability fixes.
+
- Added POSIX-required nl(1) utility.
- OpenBSD/vax has switched to GCC 3.
-
- Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
+
- Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
- amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency.
- Added support for CLOCK_UPTIME.
-
- Added tcgetsid(3).
+
- Added tcgetsid(3).
- clock_t is now a 64 bit type, so it no longer wraps around in only 248 days.
- ino_t is now a 64 bit type, mostly to support large NFS filesystems.
- Corrected handling of UTIME_OMIT.
-
- pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
+
- pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
- Corrected handling of shared library destructors when libc is statically linked.
- Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits.
-
- Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
+
- Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
- All CIRCLEQ uses replaced with TAILQ.
- Preserve and honour changes to the OpenBSD bounds in a disklabel.
-
- fdisk(8) now always writes a good signature when the MBR is written to disk.
-
- disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices.
-
- Fix athn(4) tick calculations to eliminate excessive timeouts.
-
- Allow disklabel(8) to set any partition, including 'C', to type UNUSED.
-
- New sha512(1) tool to calculate and verify the SHA-512 checksums of files.
-
- sha256(1) and related tools
- (cksum(1),
- md5(1),
- sha1(1), and
- sha512(1))
+
- fdisk(8) now always writes a good signature when the MBR is written to disk.
+
- disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices.
+
- Fix athn(4) tick calculations to eliminate excessive timeouts.
+
- Allow disklabel(8) to set any partition, including 'C', to type UNUSED.
+
- New sha512(1) tool to calculate and verify the SHA-512 checksums of files.
+
- sha256(1) and related tools
+ (cksum(1),
+ md5(1),
+ sha1(1), and
+ sha512(1))
now support a new -h flag to place the checksum into a specified hash file instead of stdout.
-
- sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist.
-
- sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist.
-
- i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes.
-
- Allow softraid(4) to work with partitions larger than 2TB.
-
- Removed experimental RAID 4 support from softraid(4).
-
- Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
+
- sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist.
+
- sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist.
+
- i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes.
+
- Allow softraid(4) to work with partitions larger than 2TB.
+
- Removed experimental RAID 4 support from softraid(4).
+
- Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
- The uhts(4) driver has been merged into
- ums(4).
+ ums(4).
- Many new checks were added to portcheck(1) utility; now it catches almost every popular mistake that observed in ports in last years.
@@ -433,22 +433,22 @@
- Security:
- - sshd(8):
+
- sshd(8):
when using environment passing with a
- sshd_config(5)
+ sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that contains the
characters before the wildcard character.
- New/changed features:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Add support for key exchange using elliptic-curve Diffie Hellman
in Daniel Bernstein's Curve25519. This key exchange method is
the default when both the client and server support it.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Add support for ED25519 as a public key type. ED25519 is
a elliptic curve signature scheme that offers better security than
ECDSA and DSA and good performance. It may be used for
@@ -457,166 +457,166 @@
protect keys at rest. This format is used unconditionally for
ED25519 keys, but may be requested when generating or saving
existing keys of other types via the -o
- ssh-keygen(1)
+ ssh-keygen(1)
option. We intend to make the new format the default in the near
future. Details of the new format are in the PROTOCOL.key
file.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Add a new transport cipher "chacha20-poly1305@openssh.com" that
combines Daniel Bernstein's ChaCha20 stream cipher and
Poly1305 MAC to build an authenticated encryption mode. Details
are in the PROTOCOL.chacha20poly1305 file.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Refuse RSA keys from old proprietary clients and servers that
use the obsolete RSA+MD5 signature scheme. It will still be
possible to connect with these clients/servers but only DSA keys
will be accepted, and OpenSSH will refuse connection entirely in a
future release.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Refuse old proprietary clients and servers that use a weaker key
exchange hash calculation.
-
- ssh(1):
+
- ssh(1):
Increase the size of the Diffie-Hellman groups requested for
each symmetric key size. New values from NIST Special Publication
800-57 with the upper limit specified by RFC 4419.
-
- ssh(1),
- ssh-agent(1):
+
- ssh(1),
+ ssh-agent(1):
Support PKCS#11 tokens that only provide X.509 certs
instead of raw public keys. (requested as bz#1908)
-
- ssh(1):
+
- ssh(1):
Add a
- ssh_config(5)
+ ssh_config(5)
Match keyword that allows conditional configuration to be
applied by matching on hostname, user and result of
arbitrary commands.
-
- ssh(1):
+
- ssh(1):
Add support for client-side hostname canonicalisation using a
set of DNS suffixes and rules in
- ssh_config(5).
+ ssh_config(5).
This allows unqualified names to be canonicalised to fully-qualified
domain names to eliminate ambiguity when looking up keys in
known_hosts or checking host certificate names.
-
- sftp-server(8):
+
- sftp-server(8):
Add the ability to whitelist and/or blacklist sftp protocol requests by
name.
-
- sftp-server(8):
+
- sftp-server(8):
Add a sftp "fsync@openssh.com" to support calling
- fsync(2)
+ fsync(2)
on an open file handle.
-
- sshd(8):
+
- sshd(8):
Add a
- ssh_config(5)
+ ssh_config(5)
PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option.
-
- ssh(1):
+
- ssh(1):
Add a
- ssh_config(5)
+ ssh_config(5)
ProxyUseFDPass option that supports the use of
ProxyCommands that establish a connection and then pass a
connected file descriptor back to
- ssh(1).
+ ssh(1).
This allows the ProxyCommand to exit rather than staying
around to transfer data.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
this release removes the J-PAKE authentication code. This code
was experimental, never enabled and had been unmaintained for some
time.
-
- ssh(1):
+
- ssh(1):
when processing Match blocks, skip 'exec' clauses
other clauses predicates failed to match.
-
- ssh(1):
+
- ssh(1):
if hostname canonicalisation is enabled and results in the destination
hostname being changed, then re-parse
- ssh_config(5)
+ ssh_config(5)
files using the new destination hostname. This gives 'Host'
and 'Match' directives that use the expanded hostname a chance
to be applied.
- The following significant bugs have been fixed in this release:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Fix potential stack exhaustion caused by nested certificates.
-
- ssh(1):
+
- ssh(1):
make BindAddress work with UsePrivilegedPort.
(bz#1211)
-
- sftp(1):
+
- sftp(1):
fix the progress meter for resumed transfer. (bz#2137)
-
- ssh-add(1):
+
- ssh-add(1):
do not request smartcard PIN when removing keys from
- ssh-agent(1).
+ ssh-agent(1).
(bz#2187)
-
- sshd(8):
+
- sshd(8):
fix re-exec fallback when original
- sshd(8)
+ sshd(8)
binary cannot be executed. (bz#2139)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
Make relative-specified certificate expiry times relative to current
time and not the validity start time.
-
- sshd(8):
+
- sshd(8):
fix AuthorizedKeysCommand inside a Match block.
(bz#2161)
-
- sftp(1):
+
- sftp(1):
symlinking a file would incorrectly canonicalise the target path.
(bz#2129)
-
- ssh-agent(1):
+
- ssh-agent(1):
fix a use-after-free in the PKCS#11 agent helper executable.
(bz#2175)
-
- sshd(8):
+
- sshd(8):
Improve logging of sessions to include the user name, remote
host and port, the session type (shell, command,
etc.) and allocated TTY (if any).
-
- sshd(8):
+
- sshd(8):
tell the client (via a debug message) when their preferred listen
address has been overridden by the server's GatewayPorts
setting. (bz#1297)
-
- sshd(8):
+
- sshd(8):
include report port in bad protocol banner message. (bz#2162)
-
- sftp(1):
+
- sftp(1):
fix memory leak in error path in do_readdir(). (bz#2163)
-
- sftp(1):
+
- sftp(1):
don't leak file descriptor on error. (bz#2171)
-
- sshd(8):
+
- sshd(8):
include the local address and port in "Connection
from ..." message. (only shown at loglevel>=verbose)
-
- ssh(1):
+
- ssh(1):
avoid spurious "getsockname failed: Bad file descriptor" in
ssh -W. (bz#2200, debian#738692)
-
- sshd(8):
+
- sshd(8):
allow the
- shutdown(2)
+ shutdown(2)
syscall in seccomp-bpf and systrace sandbox modes, as it is reachable
if the connection is terminated during the pre-auth phase.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix unsigned overflow that in SSH protocol 1 bignum parsing.
Minimum key length checks render this bug unexploitable to compromise
SSH 1 sessions.
-
- sshd_config(5)
+
- sshd_config(5)
clarify behaviour of a keyword that appears in multiple matching
Match blocks. (bz#2184)
-
- ssh(1):
+
- ssh(1):
avoid unnecessary hostname lookups when canonicalisation is disabled.
(bz#2205)
-
- sshd(8):
+
- sshd(8):
avoid sandbox violation crashes in GSSAPI code by caching the supported
list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107)
-
- ssh(1):
+
- ssh(1):
fix possible crashes in SOCKS4 parsing caused by assumption that the
SOCKS username is nul-terminated.
-
- ssh(1):
+
- ssh(1):
fix regression for UsePrivilegedPort=yes when
BindAddress is not specified.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix memory leak in ECDSA signature verification.
-
- ssh(1):
+
- ssh(1):
fix matching of 'Host' directives in
- ssh_config(5)
+ ssh_config(5)
files to be case-insensitive again. (regression in 6.5)
@@ -626,7 +626,7 @@