+
-
+
+ |
Released May 1, 2014
Copyright 1997-2014, Theo de Raadt.
-ISBN 978-0-9881561-3-5
+ISBN 978-0-9881561-3-5
5.5 Song: "Wrap in Time"
@@ -30,29 +43,28 @@
- See the information on the FTP page for
a list of mirror machines.
-
- Go to the pub/OpenBSD/5.5/ directory on
+
- Go to the
pub/OpenBSD/5.5/ directory on
one of the mirror sites.
- Have a look at the 5.5 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
5.4 and 5.5 releases.
- - signify(1) pubkeys for this release:
+ - signify(1) pubkeys for this release:
-
-
+
+
openbsd-55-base.pub:
- |
+ |
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
- |
+ |
openbsd-55-fw.pub:
- |
+ |
RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
- |
+ |
openbsd-55-pkg.pub:
- |
+ |
RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
- |
@@ -60,17 +72,17 @@
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
-
+ |
-
-What's New
+
+What's New
+
This is a partial list of new features and systems included in OpenBSD 5.5.
For a comprehensive list, see the changelog leading
to 5.5.
-
- time_t is now 64 bits on all platforms.
@@ -78,24 +90,24 @@
- From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC.
- The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t.
- Userland programs that were changed include
- arp(8),
- bgpd(8),
- calendar(8),
- cron(8),
- find(1),
- fsck_ffs(8),
- ifconfig(8),
- ksh(1),
- ld(1),
- ld.so(1),
- netstat(1),
- pfctl(8),
- ping(8),
- rtadvd(8),
- ssh(1),
- tar(1),
- tmux(1),
- top(1),
+ arp(8),
+ bgpd(8),
+ calendar(8),
+ cron(8),
+ find(1),
+ fsck_ffs(8),
+ ifconfig(8),
+ ksh(1),
+ ld(1),
+ ld.so(1),
+ netstat(1),
+ pfctl(8),
+ ping(8),
+ rtadvd(8),
+ ssh(1),
+ tar(1),
+ tmux(1),
+ top(1),
and many others, including games!
- Removed time_t from network, on-disk, and database formats.
- Removed as many (time_t) casts as possible.
@@ -107,27 +119,27 @@
- Releases and packages are now cryptographically signed with the
-signify(1) utility.
+signify(1) utility.
- The installer will verify all sets before installing.
- Installing without verification works, but is discouraged.
- Users are advised to verify the installer (bsd.rd, install55.iso, etc.)
ahead of time using the
- signify(1) tool if available.
-
- pkg_add(1) now only trusts signed packages by default.
+ signify(1) tool if available.
+
- pkg_add(1) now only trusts signed packages by default.
- Installer improvements:
- The installer now supports a scriptable
- auto-installation
+ auto-installation
method that enables unattended installation and upgrades using a response file.
- Disk images which can be written to a USB flash drive
(miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets])
are now provided for amd64 and i386.
- Rewritten
- installboot(8)
+ installboot(8)
utility aiming for a unified implementation across platforms (currently
used by amd64 and i386 only).
- The installer now parses nwids with embedded blanks correctly.
@@ -150,66 +162,66 @@
- Improved hardware support, including:
- - New vmx(4)
+
- New vmx(4)
driver for VMware VMXNET3 Virtual Interface Controller devices.
-
- New vmwpvs(4)
+
- New vmwpvs(4)
driver for VMware Paravirtual SCSI.
-
- New vioscsi(4)
+
- New vioscsi(4)
driver for VirtIO SCSI adapters.
-
- New viornd(4)
+
- New viornd(4)
driver for VirtIO random number devices.
-
- New ubcmtp(4)
+
- New ubcmtp(4)
driver for Broadcom multi-touch trackpads found on newer Apple MacBook,
MacBook Pro, and MacBook Air laptops.
-
- New ugold(4)
+
- New ugold(4)
driver for TEMPer gold HID thermometers.
-
- New ugl(4)
+
- New ugl(4)
driver for Genesys Logic based USB host-to-host adapters.
-
- New qle(4) driver for QLogic Fibre Channel HBAs.
-
- radeondrm(4)
+
- New qle(4) driver for QLogic Fibre Channel HBAs.
+
- radeondrm(4)
has been overhauled, including:
- New port of the Radeon code in Linux 3.8.13.19.
- Support for Kernel Mode Setting (KMS) including support for
additional output types such as DisplayPort.
-
- wsdisplay(4)
+
- wsdisplay(4)
now attaches to
- radeondrm(4)
+ radeondrm(4)
and provides a framebuffer console.
- - inteldrm(4)
+
- inteldrm(4)
has been updated to Linux 3.8.13.19 notably bringing Haswell stability fixes.
- Support for Intel 8 Series Ethernet with i217/i218 PHYs, and
i210/i211/i354 has been added to
- em(4).
+ em(4).
- Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to
- iwn(4).
+ iwn(4).
- Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to
- arc(4).
-
- Support for Elantech v2 touchpads in pms(4) has been fixed.
-
- Support for 802.11a (5Ghz) has been added to wpi(4).
+ arc(4).
+
- Support for Elantech v2 touchpads in pms(4) has been fixed.
+
- Support for 802.11a (5Ghz) has been added to wpi(4).
- Workarounds for firmware stability issues have been added to
- wpi(4),
- iwi(4), and
- iwn(4).
+ wpi(4),
+ iwi(4), and
+ iwn(4).
- Support for RT3572 chips has been added to the
- ral(4) driver.
+ ral(4) driver.
- Support for RTL8106E chips has been added to the
- re(4) driver.
-
- Support for RTS5229 card readers has been added to rtsx(4).
-
- Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver.
-
- Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
+ re(4) driver.
+
- Support for RTS5229 card readers has been added to rtsx(4).
+
- Support for Microsoft XBox 360 controllers has been added to the uhid(4) driver.
+
- Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
- Further reliability improvements regarding suspend/resume and hibernation.
- Enabled IPv6 transmit TCP/UDP checksum offload in
- jme(4).
+ jme(4).
- Generic network stack improvements:
- - Added vxlan(4),
+
- Added vxlan(4),
a virtual extensible local area network tunnel interface.
-
- pflow(4)
+
- pflow(4)
now sends 64 bit time values for pflowproto 10. The changed templates /
flows for pflowproto 10 are now parsable by existing receivers.
- Continued improvement of the checksum offload framework to streamline
@@ -221,40 +233,40 @@
- Routing daemons and other userland network improvements:
- The popa3d POP3 server has been removed.
-
- Added ntpctl(8),
+
- Added ntpctl(8),
a program to control the Network Time Protocol daemon.
-
- slowcgi(8)
+
- slowcgi(8)
now works with a high number of concurrent connections.
- The inetd-based identd has been replaced by a new libevent-based
- identd(8).
-
- tcpdump(8)
+ identd(8).
+
- tcpdump(8)
can now detect bad ICMP and ICMPv6 checksums when used with the -v flag.
- Added rdomain support to IPv6 configuration tools
- ndp(8),
- rtsold(8),
- ping6(8), and
- traceroute6(8).
+ ndp(8),
+ rtsold(8),
+ ping6(8), and
+ traceroute6(8).
- Added SNMPv2 client support to
- snmpctl(8)
+ snmpctl(8)
("get", "walk", and "bulkwalk").
-
- relayd(8)
+
- relayd(8)
now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default.
- - pf(4) improvements:
+
- pf(4) improvements:
- New queueing system with new syntax.
- The "received-on" parameter can now be used with the "any" keyword to
match any existing interface except loopback ones.
-
- The block policy in the default pf.conf(5) is now "block return".
+
- The block policy in the default pf.conf(5) is now "block return".
- - dhcpd(8) and dhclient(8) improvements:
+
- dhcpd(8) and dhclient(8) improvements:
- No longer create a route to the bound address via 127.0.0.1.
-
- The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
+
- The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
- 'next-server' (a.k.a. siaddr) info now saved in lease files.
- Fall back to broadcasting when unicast renewal fails, as specified in
RFC 2131 and friends.
@@ -265,22 +277,22 @@
- Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields.
- Fix handling of non-printable characters in lease file strings.
- Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line.
-
- dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'.
-
- Fix parsing of dhclient.conf(5) statements 'fixed-address' and
+
- dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'.
+
- Fix parsing of dhclient.conf(5) statements 'fixed-address' and
'next-server'.
- Log failures to fchmod() or fchown() files being written.
- Create lease files with permissions 0640.
-
- Fix possible failure to write resolv.conf(5) when -L is used.
-
- 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.
+
- Fix possible failure to write resolv.conf(5) when -L is used.
+
- 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.
- - iked(8) improvements:
+
- iked(8) improvements:
- Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp URL".
- Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys.
- Support for DPD ("Dead Peer Detection") similar to the implementation in
- isakmpd(8).
+ isakmpd(8).
- Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address net/pool-prefix".
- Initial support for IPComp.
- Various improvements and a thorough audit of the network input path.
@@ -300,7 +312,7 @@
- other processes now have an API to return more precise codes ...
- ... which will be improved further with each version.
- - Improved smtpctl(8):
+
- Improved smtpctl(8):
- sendmail mode now supports DSN parameters
- Can now pause/resume a source address -> destination domain route.
@@ -352,14 +364,14 @@
- Documentation:
- - table(5) describes format for static, file and db backends.
+
- table(5) describes format for static, file and db backends.
- sendmail(8) describes our "sendmail" interface.
- Reduced memory usage in both general and stressed cases.
- OpenSMTPD now automagically upgrades queue if the format changes!
- Support Qmail-like "sticky home".
- Support for authenticating users from a credentials table.
-
- Introduce passwd(5) table backend for user and credentials lookup.
+
- Introduce passwd(5) table backend for user and credentials lookup.
- Expansion variables in ~/.forward now support modifiers.
- Much more efficient scheduler!
- Many documentation fixes and improvements.
@@ -370,14 +382,14 @@
- Security improvements:
- Position-independent executables (PIE) are now used by default on i386.
-
- The arc4random(3)
+
- The arc4random(3)
functions now use the ChaCha20 cipher.
- The kernel random number system is initially seeded by the bootloader,
providing better random very early.
- Kernel stack protector is also seeded via the same mechanism, providing
protection earlier.
- -Wbounded is now enabled in GCC by default.
-
- Added explicit_bzero(3).
+
- Added explicit_bzero(3).
@@ -389,53 +401,53 @@
- Threading improvements:
- - Interprocess semaphores via sem_open(3).
+
- Interprocess semaphores via sem_open(3).
- Running threaded processes under a debugger no longer causes panics.
- SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered.
- Thread stacks now have a random bias.
-
- fork(2) no longer changes the pthread_t of the forking thread in the child.
-
- Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).
+
- fork(2) no longer changes the pthread_t of the forking thread in the child.
+
- Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).
- Assorted improvements:
- - New in-memory file system, tmpfs.
-
- Many fuse(4) improvements and stability fixes.
-
- Added POSIX-required nl(1) utility.
+
- New in-memory file system, tmpfs.
+
- Many fuse(4) improvements and stability fixes.
+
- Added POSIX-required nl(1) utility.
- OpenBSD/vax has switched to GCC 3.
-
- Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
+
- Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
- amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency.
- Added support for CLOCK_UPTIME.
-
- Added tcgetsid(3).
+
- Added tcgetsid(3).
- clock_t is now a 64 bit type, so it no longer wraps around in only 248 days.
- ino_t is now a 64 bit type, mostly to support large NFS filesystems.
- Corrected handling of UTIME_OMIT.
-
- pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
+
- pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
- Corrected handling of shared library destructors when libc is statically linked.
- Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits.
-
- Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
+
- Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
- All CIRCLEQ uses replaced with TAILQ.
- Preserve and honour changes to the OpenBSD bounds in a disklabel.
-
- fdisk(8) now always writes a good signature when the MBR is written to disk.
-
- disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices.
-
- Fix athn(4) tick calculations to eliminate excessive timeouts.
-
- Allow disklabel(8) to set any partition, including 'C', to type UNUSED.
-
- New sha512(1) tool to calculate and verify the SHA-512 checksums of files.
-
- sha256(1) and related tools
- (cksum(1),
- md5(1),
- sha1(1), and
- sha512(1))
+
- fdisk(8) now always writes a good signature when the MBR is written to disk.
+
- disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices.
+
- Fix athn(4) tick calculations to eliminate excessive timeouts.
+
- Allow disklabel(8) to set any partition, including 'C', to type UNUSED.
+
- New sha512(1) tool to calculate and verify the SHA-512 checksums of files.
+
- sha256(1) and related tools
+ (cksum(1),
+ md5(1),
+ sha1(1), and
+ sha512(1))
now support a new -h flag to place the checksum into a specified hash file instead of stdout.
-
- sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist.
-
- sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist.
-
- i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes.
-
- Allow softraid(4) to work with partitions larger than 2TB.
-
- Removed experimental RAID 4 support from softraid(4).
-
- Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
+
- sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist.
+
- sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist.
+
- i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes.
+
- Allow softraid(4) to work with partitions larger than 2TB.
+
- Removed experimental RAID 4 support from softraid(4).
+
- Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
- The uhts(4) driver has been merged into
- ums(4).
+ ums(4).
- Many new checks were added to portcheck(1) utility; now it catches almost every popular mistake that observed in ports in last years.
@@ -444,22 +456,22 @@
- Security:
- - sshd(8):
+
- sshd(8):
when using environment passing with a
- sshd_config(5)
- AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
+ sshd_config(5)
+
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that contains the
characters before the wildcard character.
- New/changed features:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Add support for key exchange using elliptic-curve Diffie Hellman
in Daniel Bernstein's Curve25519. This key exchange method is
the default when both the client and server support it.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Add support for ED25519 as a public key type. ED25519 is
a elliptic curve signature scheme that offers better security than
ECDSA and DSA and good performance. It may be used for
@@ -467,168 +479,168 @@
- Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. This format is used unconditionally for
ED25519 keys, but may be requested when generating or saving
- existing keys of other types via the -o
- ssh-keygen(1)
+ existing keys of other types via the
-o
+ ssh-keygen(1)
option. We intend to make the new format the default in the near
- future. Details of the new format are in the PROTOCOL.key
+ future. Details of the new format are in the PROTOCOL.key
file.
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Add a new transport cipher "chacha20-poly1305@openssh.com" that
combines Daniel Bernstein's ChaCha20 stream cipher and
Poly1305 MAC to build an authenticated encryption mode. Details
- are in the PROTOCOL.chacha20poly1305 file.
-
- ssh(1),
- sshd(8):
+ are in the
PROTOCOL.chacha20poly1305 file.
+ - ssh(1),
+ sshd(8):
Refuse RSA keys from old proprietary clients and servers that
use the obsolete RSA+MD5 signature scheme. It will still be
possible to connect with these clients/servers but only DSA keys
will be accepted, and OpenSSH will refuse connection entirely in a
future release.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Refuse old proprietary clients and servers that use a weaker key
exchange hash calculation.
-
- ssh(1):
+
- ssh(1):
Increase the size of the Diffie-Hellman groups requested for
each symmetric key size. New values from NIST Special Publication
800-57 with the upper limit specified by RFC 4419.
-
- ssh(1),
- ssh-agent(1):
+
- ssh(1),
+ ssh-agent(1):
Support PKCS#11 tokens that only provide X.509 certs
instead of raw public keys. (requested as bz#1908)
-
- ssh(1):
+
- ssh(1):
Add a
- ssh_config(5)
- Match keyword that allows conditional configuration to be
+ ssh_config(5)
+
Match keyword that allows conditional configuration to be
applied by matching on hostname, user and result of
arbitrary commands.
- - ssh(1):
+
- ssh(1):
Add support for client-side hostname canonicalisation using a
set of DNS suffixes and rules in
- ssh_config(5).
+ ssh_config(5).
This allows unqualified names to be canonicalised to fully-qualified
domain names to eliminate ambiguity when looking up keys in
- known_hosts or checking host certificate names.
-
- sftp-server(8):
+
known_hosts or checking host certificate names.
+ - sftp-server(8):
Add the ability to whitelist and/or blacklist sftp protocol requests by
name.
-
- sftp-server(8):
+
- sftp-server(8):
Add a sftp "fsync@openssh.com" to support calling
- fsync(2)
+ fsync(2)
on an open file handle.
-
- sshd(8):
+
- sshd(8):
Add a
- ssh_config(5)
- PermitTTY to disallow TTY allocation, mirroring the
- longstanding no-pty authorized_keys option.
-
- ssh(1):
+ ssh_config(5)
+
PermitTTY to disallow TTY allocation, mirroring the
+ longstanding no-pty authorized_keys option.
+ - ssh(1):
Add a
- ssh_config(5)
- ProxyUseFDPass option that supports the use of
- ProxyCommands that establish a connection and then pass a
+ ssh_config(5)
+
ProxyUseFDPass option that supports the use of
+ ProxyCommands that establish a connection and then pass a
connected file descriptor back to
- ssh(1).
- This allows the ProxyCommand to exit rather than staying
+ ssh(1).
+ This allows the ProxyCommand to exit rather than staying
around to transfer data.
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
this release removes the J-PAKE authentication code. This code
was experimental, never enabled and had been unmaintained for some
time.
-
- ssh(1):
- when processing Match blocks, skip 'exec' clauses
+
- ssh(1):
+ when processing
Match blocks, skip 'exec ' clauses
other clauses predicates failed to match.
- - ssh(1):
+
- ssh(1):
if hostname canonicalisation is enabled and results in the destination
hostname being changed, then re-parse
- ssh_config(5)
- files using the new destination hostname. This gives 'Host'
- and 'Match' directives that use the expanded hostname a chance
+ ssh_config(5)
+ files using the new destination hostname. This gives '
Host '
+ and 'Match ' directives that use the expanded hostname a chance
to be applied.
- The following significant bugs have been fixed in this release:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Fix potential stack exhaustion caused by nested certificates.
-
- ssh(1):
- make BindAddress work with UsePrivilegedPort.
+
- ssh(1):
+ make
BindAddress work with UsePrivilegedPort .
(bz#1211)
- - sftp(1):
+
- sftp(1):
fix the progress meter for resumed transfer. (bz#2137)
-
- ssh-add(1):
+
- ssh-add(1):
do not request smartcard PIN when removing keys from
- ssh-agent(1).
+ ssh-agent(1).
(bz#2187)
-
- sshd(8):
+
- sshd(8):
fix re-exec fallback when original
- sshd(8)
+ sshd(8)
binary cannot be executed. (bz#2139)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
Make relative-specified certificate expiry times relative to current
time and not the validity start time.
-
- sshd(8):
- fix AuthorizedKeysCommand inside a Match block.
+
- sshd(8):
+ fix
AuthorizedKeysCommand inside a Match block.
(bz#2161)
- - sftp(1):
+
- sftp(1):
symlinking a file would incorrectly canonicalise the target path.
(bz#2129)
-
- ssh-agent(1):
+
- ssh-agent(1):
fix a use-after-free in the PKCS#11 agent helper executable.
(bz#2175)
-
- sshd(8):
+
- sshd(8):
Improve logging of sessions to include the user name, remote
host and port, the session type (shell, command,
etc.) and allocated TTY (if any).
-
- sshd(8):
+
- sshd(8):
tell the client (via a debug message) when their preferred listen
- address has been overridden by the server's GatewayPorts
+ address has been overridden by the server's
GatewayPorts
setting. (bz#1297)
- - sshd(8):
+
- sshd(8):
include report port in bad protocol banner message. (bz#2162)
-
- sftp(1):
+
- sftp(1):
fix memory leak in error path in do_readdir(). (bz#2163)
-
- sftp(1):
+
- sftp(1):
don't leak file descriptor on error. (bz#2171)
-
- sshd(8):
+
- sshd(8):
include the local address and port in
- "Connection from ..." message.
+ "
Connection from ... " message.
(only shown at loglevel>=verbose)
- - ssh(1):
- avoid spurious "getsockname failed: Bad file descriptor" in
- ssh -W. (bz#2200, debian#738692)
-
- sshd(8):
+
- ssh(1):
+ avoid spurious "
getsockname failed: Bad file descriptor " in
+ ssh -W . (bz#2200, debian#738692)
+ - sshd(8):
allow the
- shutdown(2)
+ shutdown(2)
syscall in seccomp-bpf and systrace sandbox modes, as it is reachable
if the connection is terminated during the pre-auth phase.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix unsigned overflow that in SSH protocol 1 bignum parsing.
Minimum key length checks render this bug unexploitable to compromise
SSH 1 sessions.
-
- sshd_config(5)
+
- sshd_config(5)
clarify behaviour of a keyword that appears in multiple matching
- Match blocks. (bz#2184)
-
- ssh(1):
+
Match blocks. (bz#2184)
+ - ssh(1):
avoid unnecessary hostname lookups when canonicalisation is disabled.
(bz#2205)
-
- sshd(8):
+
- sshd(8):
avoid sandbox violation crashes in GSSAPI code by caching the supported
list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107)
-
- ssh(1):
+
- ssh(1):
fix possible crashes in SOCKS4 parsing caused by assumption that the
SOCKS username is nul-terminated.
-
- ssh(1):
- fix regression for UsePrivilegedPort=yes when
- BindAddress is not specified.
-
- ssh(1),
- sshd(8):
+
- ssh(1):
+ fix regression for
UsePrivilegedPort=yes when
+ BindAddress is not specified.
+ - ssh(1),
+ sshd(8):
fix memory leak in ECDSA signature verification.
-
- ssh(1):
- fix matching of 'Host' directives in
- ssh_config(5)
+
- ssh(1):
+ fix matching of '
Host ' directives in
+ ssh_config(5)
files to be case-insensitive again. (regression in 6.5)
@@ -638,35 +650,29 @@
- Over 8,700 ports.
- Major overhaul of the package tools, resulting in much better memory usage.
-
- pkg_add(1) now only trusts signed packages by default.
+
- pkg_add(1) now only trusts signed packages by default.
- The build process now allows some limited capability for building
conflicting packages, yielding KDE 4 packages as a result, along
with KDE 3 ones.
- Many pre-built packages for each architecture:
-
-
-
-
+
- i386: 8468
- sparc64: 7969
- alpha: 6199
- m68k: 3270
-
|
- sh: 345
- amd64: 8534
- powerpc: 8057
- m88k: 1258
-
|
- sparc: 4681
- arm: 6181
- hppa: 6549
-
|
- vax: 1007
- mips64: 4726
- mips64el: 6730
-
|
+
- Some highlights:
@@ -715,14 +721,15 @@
- Less 444 (+ patches)
- Awk Aug 10, 2011 version
-
+
-
+
+
+How to install
+
- How to install
-
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an FTP (or other style
@@ -792,14 +799,16 @@
+
+
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
-
- OpenBSD/i386:
-
+OpenBSD/i386:
+
+
Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
release is on CD1. If your BIOS does not support booting from CD, you will need
to create a boot floppy to install from. To create a boot floppy write
@@ -826,26 +835,25 @@
To make a boot floppy under MS-DOS, use the "rawrite" utility located
at CD1:5.5/tools/rawrite.exe. To make the boot floppy under a Unix OS,
use the
-dd(1)
+dd(1)
utility. The following is an example usage of
-dd(1),
+dd(1),
where the device could be "floppy", "rfd0c", or
"rfd0a".
-
+
# dd if=<file> of=/dev/<device> bs=32k
-
+
Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or
your install will most likely fail. For more information on creating a boot
floppy and installing OpenBSD/i386 please refer to
this page.
-
+ OpenBSD/amd64:
+
- OpenBSD/amd64:
-
The 5.5 release of OpenBSD/amd64 is located on CD2.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
@@ -865,11 +873,10 @@
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
-
+OpenBSD/macppc:
+
- OpenBSD/macppc:
-
Burn the image from the FTP site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
@@ -877,11 +884,10 @@
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/5.5/macppc/bsd.rd
-
+OpenBSD/sparc64:
+
- OpenBSD/sparc64:
-
Put CD3 in your CDROM drive and type boot cdrom.
@@ -900,12 +906,11 @@
If nothing works, you can boot over the network as described in INSTALL.sparc64.
-
+OpenBSD/alpha:
+
- OpenBSD/alpha:
-
-Write FTP:5.5/alpha/floppy55.fs or
+Write FTP:5.5/alpha/floppy55.fs or
FTP:5.5/alpha/floppyB55.fs (depending on your machine) to a diskette and
enter boot dva0. Refer to INSTALL.alpha for more details.
@@ -913,12 +918,9 @@
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
-
+OpenBSD/armish:
- OpenBSD/armish:
-
-
After connecting a serial port, Thecus can boot directly from the network
either tftp or http. Configure the network using fconfig, reset,
then load bsd.rd, see INSTALL.armish for specific details.
@@ -926,82 +928,63 @@
and copy 'boot' and bsd.rd into the first partition on wd0 (hda1)
then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition.
More details are available in INSTALL.armish.
-
+OpenBSD/hp300:
+
- OpenBSD/hp300:
-
+OpenBSD/hppa:
+
- OpenBSD/hppa:
-
+OpenBSD/landisk:
+
- OpenBSD/landisk:
-
-
Write miniroot55.fs to the start of the CF
or disk, and boot normally.
-
+OpenBSD/loongson:
+
- OpenBSD/loongson:
-
-
Write miniroot55.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
-
-
+ OpenBSD/luna88k:
+
- OpenBSD/luna88k:
-
-
-Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
+Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and the bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
-
+OpenBSD/mvme68k:
+
- OpenBSD/mvme68k:
-
-
You can create a bootable installation tape or boot over the network.
The network boot requires a MVME68K BUG version that supports the NIOT
and NBO debugger commands. Follow the instructions in INSTALL.mvme68k
for more details.
-
+OpenBSD/mvme88k:
+
- OpenBSD/mvme88k:
-
-
You can create a bootable installation tape or boot over the network.
The network boot requires a MVME88K BUG version that supports the NIOT
and NBO debugger commands. Follow the instructions in INSTALL.mvme88k
for more details.
-
+OpenBSD/octeon:
+
- OpenBSD/octeon:
-
-
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
-
+OpenBSD/sgi:
+
- OpenBSD/sgi:
-
-
To install, burn cd55.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
@@ -1012,27 +995,24 @@
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
-
+OpenBSD/socppc:
+
- OpenBSD/socppc:
-
-
After connecting a serial port, boot over the network via DHCP/tftp.
Refer to the instructions in INSTALL.socppc for more details.
-
+OpenBSD/sparc:
+
- OpenBSD/sparc:
-
Boot from one of the provided install ISO images, using one of the two
commands listed below, depending on the version of your ROM.
-
-ok boot cdrom 5.5/sparc/bsd.rd
+
+ok boot cdrom 5.5/sparc/bsd.rd
or
-> b sd(0,6,0)5.5/sparc/bsd.rd
-
+> b sd(0,6,0)5.5/sparc/bsd.rd
+
If your SPARC system does not have a CD drive, you can alternatively boot from floppy.
@@ -1041,11 +1021,11 @@
To boot from the floppy use one of the two commands listed below,
depending on the version of your ROM.
-
-ok boot floppy
+
+ok boot floppy
or
-> b fd()
-
+> b fd()
+
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
@@ -1055,45 +1035,46 @@
If your SPARC system doesn't have a floppy drive nor a CD drive, you can either
setup a bootable tape, or install via network, as told in the
INSTALL.sparc file.
-
+ OpenBSD/vax:
+
- OpenBSD/vax:
-
Boot over the network via mopbooting as described in INSTALL.vax.
-
+OpenBSD/zaurus:
+
- OpenBSD/zaurus:
-
-
Using the Linux built-in graphical ipkg installer, install the
openbsd55_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
for a few important details.
-
+
+
+
+Notes about the source code:
+
- Notes about the source code:
-
-# mkdir -p /usr/src
-# cd /usr/src
-# tar xvfz /tmp/src.tar.gz
-
-
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
-
-
-# mkdir -p /usr/src/sys
-# cd /usr/src
+
+
+# mkdir -p /usr/src/sys
+# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
-
+
+
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
@@ -1101,29 +1082,31 @@
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
-
-
-
+
+
+
+
+
+How to upgrade
- How to upgrade
-
If you already have an OpenBSD 5.4 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
+
-
+
+
+Ports Tree
- Ports Tree
-
A ports tree archive is also provided. To extract:
-
-# cd /usr
-# tar xvfz /tmp/ports.tar.gz
-
+
+# cd /usr
+# tar xvfz /tmp/ports.tar.gz
+
The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go
read the ports page
@@ -1133,7 +1116,7 @@
OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for
-
+
cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via
@@ -1142,10 +1125,10 @@
available on a read-write medium and update the tree with a command
like:
-
+
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_5
-
+
[Of course, you must replace the server name here with a nearby anoncvs
server.]
@@ -1156,6 +1139,4 @@
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.
-
-
-
+
|