===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/57.html,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -r1.96 -r1.97
--- www/57.html 2016/03/21 05:46:19 1.96
+++ www/57.html 2016/03/22 10:54:42 1.97
@@ -36,7 +36,7 @@
See a detailed log of changes between the
5.6 and 5.7 releases.
-
signify(1) pubkeys for this release:
+signify(1) pubkeys for this release:
base: RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM
fw: RWSuRBL44FVkb2QuvtlwOJmzS9UJtbKZd7GEYcol8HPXu4On/Ct1LoZr
@@ -123,13 +123,13 @@
bridge(4).
Traffic destinated to link-local IPv6 addresses can now be seen with
tcpdump(8).
- A carp(4) now needs to be configured with an explicit carpdev parent interface.
+ A carp(4) now needs to be configured with an explicit carpdev parent interface.
The
mbuf(9)
layer has been made mpsafe.
Introduce mbuf_list and mbuf_queue structures and APIs.
Support changing the IPv6 input queue length via
- sysctl(1) and net.inet6.ip6.ifq.
+ sysctl(1) and net.inet6.ip6.ifq.
@@ -154,7 +154,7 @@
Ignore hostname.if.* files when upgrading.
Configure all physical interfaces before any dynamic interface types (e.g. trunks, vlans) when upgrading.
- fdisk(8) now zeros out GPT signatures found when writing out an MBR that has been re-initialized and has no EFI or EFISYS partition.
+ fdisk(8) now zeros out GPT signatures found when writing out an MBR that has been re-initialized and has no EFI or EFISYS partition.
Fixed manipulation of 'ro' and 'rw' fstab options to avoid damage to other options that happen to contain 'ro' or 'rw'.
The ramdisk binary (one binary contains all the commands) is now compiled without optimization and security features. The benefit is a substantial saving in space, allowing more features in the future.
@@ -166,11 +166,11 @@
sliplogin has been removed.
Sendmail has been removed from base -- use the package if you need it.
IPv6 router solicitations are now sent by the kernel ("inet6 autoconf"); rtsol(8) and rtsold(8) are no longer necessary and have been removed.
- Enhancements and bugfixes in arp(8) and ndp(8)
- The effects of the AI_ADDRCONFIG flag on getaddrinfo(3) results are limited to DNS queries. This avoids erratic behavior with transient network problems, "raw" addresses and localhost entries in /etc/hosts.
- gethostbyname(3) now no longer fails when more than 16 addresses/aliases are returned. The original pre-asr limit of 35 has been restored, with additional results being truncated.
- tftp(1) now supports sending or receiving files larger than 65536 blocks in size.
- ntpd(8) now supports authenticated TLS constraints.
+ Enhancements and bugfixes in arp(8) and ndp(8)
+ The effects of the AI_ADDRCONFIG flag on getaddrinfo(3) results are limited to DNS queries. This avoids erratic behavior with transient network problems, "raw" addresses and localhost entries in /etc/hosts.
+ gethostbyname(3) now no longer fails when more than 16 addresses/aliases are returned. The original pre-asr limit of 35 has been restored, with additional results being truncated.
+ tftp(1) now supports sending or receiving files larger than 65536 blocks in size.
+ ntpd(8) now supports authenticated TLS constraints.
@@ -179,106 +179,106 @@
Stricter enforcement of W^X in the kernel address space, especially on architectures with the right featureset (amd64, in particular, has seen substantial improvements).
Support for loadable kernel modules has been removed.
procfs has been removed.
- Comprehensive audit of the tree to use the reallocarray(3) idiom throughout.
- Many conversions from select(2) to poll(2).
+ Comprehensive audit of the tree to use the reallocarray(3) idiom throughout.
+ Many conversions from select(2) to poll(2).
/var/tmp is now a symbolic link to /tmp, as a first step towards reducing the "fill it up" attack surface against the /var partition.
- memcpy(3) with overlapping arguments now aborts a program (with a syslog report), allowing these problems to be found. Overlapping copies should use memmove(3). Sometime after 5.7 release, having learned more about the situation and repairing instances that are discovered by users during release use, we will go back to the optimized version.
+ memcpy(3) with overlapping arguments now aborts a program (with a syslog report), allowing these problems to be found. Overlapping copies should use memmove(3). Sometime after 5.7 release, having learned more about the situation and repairing instances that are discovered by users during release use, we will go back to the optimized version.
Change
- rand(3),
- random(3),
- drand48(3),
- lrand48(3),
- mrand48(3),
- srand48(3)
+ rand(3),
+ random(3),
+ drand48(3),
+ lrand48(3),
+ mrand48(3),
+ srand48(3)
to return non-deterministic strong random values by default, sourced from
- arc4random(3).
+ arc4random(3).
New functions
- srand_deterministic(3),
- srandom_deterministic(3),
- seed48_deterministic(3) and
- lcong48_deterministic(3)
+ srand_deterministic(3),
+ srandom_deterministic(3),
+ seed48_deterministic(3) and
+ lcong48_deterministic(3)
are added for cases where determinism needs to be requested.
At resume (or unhibernate) time, use a variety of methods to reseed the random number generator. This also works on VMs which wake up (if a wakeup event is seen).
All architectures have been transitioned to static PIE, meaning the statically linked binaries in /bin and /sbin now have randomly located text segments.
Allow larger .openbsd.randomdata ELF segments.
- Sync kernel AES code and ssh(1) AES code to the one shipped with OpenSSL/LibreSSL.
- Removed passwd(1) support for all password ciphers except blowfish(3).
- Use sha512 instead of md5 for tcp(4) initial sequence number.
+ Sync kernel AES code and ssh(1) AES code to the one shipped with OpenSSL/LibreSSL.
+ Removed passwd(1) support for all password ciphers except blowfish(3).
+ Use sha512 instead of md5 for tcp(4) initial sequence number.
Use sha512 instead of md5 in the random number generator.
- Delete secret or secret-derived data in many base utilities with explicit_bzero(3).
+ Delete secret or secret-derived data in many base utilities with explicit_bzero(3).
Assorted improvements:
- - New rcctl(8) utility to control daemons.
-
- fw_update(1) has been rewritten to be faster and smarter.
-
- Cleanup libevent(3),
+
- New rcctl(8) utility to control daemons.
+
- fw_update(1) has been rewritten to be faster and smarter.
+
- Cleanup libevent(3),
the compatibility layer for other operating systems has been removed.
The API is still compatible with upstream libevent 1.4.15-stable.
-
- openssl(1)
+
- openssl(1)
s_client now supports a -proxy parameter for connecting over an HTTP proxy.
- gzsig has been removed.
- Switch to fast assembly versions of some libc functions on amd64.
-
- Frequency scaling has been moved from apmd(8) to the kernel with an improved algorithm.
+
- Frequency scaling has been moved from apmd(8) to the kernel with an improved algorithm.
- Switch last workq API uses to
- taskq API and remove all traces of workq.
+ taskq API and remove all traces of workq.
- Use
- services(5) names in the default pf rules in force during startup.
+ services(5) names in the default pf rules in force during startup.
-
- what(1) now correctly displays $OpenBSD$ expansions.
+ what(1) now correctly displays $OpenBSD$ expansions.
-
- dhcpd(8) now removes addresses from its pf table a single time when they expire, rather than at every timeout after the expiry.
+ dhcpd(8) now removes addresses from its pf table a single time when they expire, rather than at every timeout after the expiry.
-
- dhcpd(8) now ensures that the pf table process exits when the main process does.
+ dhcpd(8) now ensures that the pf table process exits when the main process does.
-
- dhcpd(8) has more informative log entries for DHCPACKs issued in response to DHCPINFORM messages.
+ dhcpd(8) has more informative log entries for DHCPACKs issued in response to DHCPINFORM messages.
- Added POSIX types blkcnt_t (int64) and blksize_t (int32), and used them for st_blocks (formerly int64_t) and st_blksize (formerly u_int32_t) in struct stat.
- Improved typography for
- banner(6).
-
- Allow hangman
+ banner(6).
+
- Allow hangman
to play against any ELF file.
-
- dhclient(8) adjusts MTU when the interface-mtu DHCP option is provided.
+ dhclient(8) adjusts MTU when the interface-mtu DHCP option is provided.
- Various memory leaks in
- dhclient(8) plugged, providing more stability for long running (in terms of time or renewals) instances.
+ dhclient(8) plugged, providing more stability for long running (in terms of time or renewals) instances.
- The
- dhclient(8)
+ dhclient(8)
command line options -q (quiet) and -d (don't daemonize) are now mutually exclusive.
- The communication between the privileged and unprivileged
- dhclient(8) processes was reworked to further minimize information sharing.
+ dhclient(8) processes was reworked to further minimize information sharing.
-
- dhclient(8) ensures lease timeouts (renew, rebind, expire) are sane and uses default values closer to RFC suggestions.
+ dhclient(8) ensures lease timeouts (renew, rebind, expire) are sane and uses default values closer to RFC suggestions.
-
- dhclient(8) no longer crashes when a lease expires and cannot be renewed or replaced.
+ dhclient(8) no longer crashes when a lease expires and cannot be renewed or replaced.
-
- dhclient(8) improved tracking network interface link states.
+ dhclient(8) improved tracking network interface link states.
- Improved network error tracking and accounting in
- dhclient(8).
+ dhclient(8).
- Private number conversion functions in
- dhclient(8) eliminated in favour of standard library functions.
+ dhclient(8) eliminated in favour of standard library functions.
- Further signal race cleanups in
- ftp(1).
+ ftp(1).
- BIND has been retired, encouraging use of
- nsd(8) and
- unbound(8).
+ nsd(8) and
+ unbound(8).
- Significant namespace cleanup in the /usr/include files, especially related to <sys/param.h> and <limits.h>.
-
- softraid(4) RAID1 and CRYPTO volumes are now bootable on the sparc64 platform.
-
- relayd(8) now uses "TLS" rather than "SSL" terminology to reflect the deprecation of the latter.
-
- relayd(8) now supports the random and source-hash modes with redirections.
-
- relayd(8) now supports the OPENBSD-RELAYD-MIB via agentx with snmpd(8).
-
- Added interfaces for setting the close-on-exec flag and/or non-blocking mode on new file descriptors: pipe2(2), dup3(2), accept4(2), mkostemp(3), mkostemps(3), the SOCK_CLOEXEC and SOCK_NONBLOCK flags for socket(2) and socketpair(2), and the MSG_CMSG_CLOEXEC flag for recvmsg(2). In addition, posix_spawn_file_actions_adddup2(3) now always clears the close-on-exec flag.
-
- Added interfaces for setting the close-on-exec flag on new FILE handles and for requesting exclusive creation via the the 'e' and 'x' mode letters for fopen(3), fdopen(3), freopen(3), and popen(3).
+
- softraid(4) RAID1 and CRYPTO volumes are now bootable on the sparc64 platform.
+
- relayd(8) now uses "TLS" rather than "SSL" terminology to reflect the deprecation of the latter.
+
- relayd(8) now supports the random and source-hash modes with redirections.
+
- relayd(8) now supports the OPENBSD-RELAYD-MIB via agentx with snmpd(8).
+
- Added interfaces for setting the close-on-exec flag and/or non-blocking mode on new file descriptors: pipe2(2), dup3(2), accept4(2), mkostemp(3), mkostemps(3), the SOCK_CLOEXEC and SOCK_NONBLOCK flags for socket(2) and socketpair(2), and the MSG_CMSG_CLOEXEC flag for recvmsg(2). In addition, posix_spawn_file_actions_adddup2(3) now always clears the close-on-exec flag.
+
- Added interfaces for setting the close-on-exec flag on new FILE handles and for requesting exclusive creation via the the 'e' and 'x' mode letters for fopen(3), fdopen(3), freopen(3), and popen(3).
- Many library functions and programs changed to use the above for safety or simplicity.
-
- Added chflagsat(2), sockatmark(3), and stravis(3).
-
- Merged performance and safety fixes for fts(3) from FreeBSD.
-
- Merged fixes for file descriptor leaks in various rpc(3) functions from NetBSD.
-
- Added a kern.global_ptrace sysctl(1) to disable, by default, the ability to ptrace(2) processes that aren't your descendent.
-
- kdump(1) now always displays both the numeric and the textual forms for users, groups, timestamps, and sysctl ids, eliminating the -r option. It also auto-selects between decimal and hex format for arguments, renders more types of flags, and is more robust when parsing corrupt ktrace files.
-
- chmod(1)/chgrp(1)/chown(8) now comply with POSIX's requirements when they encounter symlinks when the -R option is used, and are safe from race conditions when doing so.
-
- The dmesg(8) utility can now display the console message buffer in addition to the system message buffer.
-
- inetd(8) now uses libevent instead of
- select(3).
+
- Added chflagsat(2), sockatmark(3), and stravis(3).
+
- Merged performance and safety fixes for fts(3) from FreeBSD.
+
- Merged fixes for file descriptor leaks in various rpc(3) functions from NetBSD.
+
- Added a kern.global_ptrace sysctl(1) to disable, by default, the ability to ptrace(2) processes that aren't your descendent.
+
- kdump(1) now always displays both the numeric and the textual forms for users, groups, timestamps, and sysctl ids, eliminating the -r option. It also auto-selects between decimal and hex format for arguments, renders more types of flags, and is more robust when parsing corrupt ktrace files.
+
- chmod(1)/chgrp(1)/chown(8) now comply with POSIX's requirements when they encounter symlinks when the -R option is used, and are safe from race conditions when doing so.
+
- The dmesg(8) utility can now display the console message buffer in addition to the system message buffer.
+
- inetd(8) now uses libevent instead of
+ select(3).
- Reworking of the kernel
pool(9)
implementation to provide mpsafety and pave the way for performance improvements.
@@ -301,17 +301,17 @@
-
OpenBSD httpd(8):
+OpenBSD httpd(8):
- SSLv2/3 is not supported anymore; renamed all occurrences of "SSL" to "TLS".
- Various TLS improvements with better support for ECDHE/DHE forward secrecy.
- Improved support for virtual hosts by supporting name- and IP- based aliases.
-
- Added support for basic authentication by checking against files created with htpasswd(1).
+
- Added support for basic authentication by checking against files created with htpasswd(1).
- Added support for custom error codes, blocking and dropping of connections.
- Added support for redirections and macros in specified target URLs.
- Added the "root strip" option to sanitize PATH_INFO for some CGI scripts.
- Added an option to specify an alternative log directory instead of /var/www/logs.
-
- Various FastCGI improvements; httpd(8) is now compatible with many well-known web applications.
+
- Various FastCGI improvements; httpd(8) is now compatible with many well-known web applications.
- Various other fixes and improvements.
@@ -331,10 +331,10 @@
- Potentially-incompatible changes:
- - sshd(8):
+
- sshd(8):
UseDNS now defaults to 'no'. Configurations that match
against the client host name (via
- sshd_config(5)
+ sshd_config(5)
or authorized_keys) may need to re-enable it or convert to
matching against addresses.
@@ -344,16 +344,16 @@
library-like. These changes are mostly not user-visible, but
have greatly improved OpenSSH's testability and internal layout.
- Add FingerprintHash option to
- ssh(1)
+ ssh(1)
and
- sshd(8),
+ sshd(8),
and equivalent command-line flags to the other tools to control
algorithm used for key fingerprints. The default changes from MD5
to SHA256 and format from hex to base64. Fingerprints now have the
hash algorithm prepended. Please note that visual host keys will also
be different.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
Experimental host key rotation support. Add a protocol extension
for a server to inform a client of all its available host keys after
authentication has completed. The client may record the keys in
@@ -361,63 +361,63 @@
algorithms and a server to gracefully rotate its keys. The client
side of this is controlled by a UpdateHostkeys config option
(default off).
-
- ssh(1):
+
- ssh(1):
Add a
- ssh_config(5)
+ ssh_config(5)
HostbasedKeyType option to control which host public key types
are tried during host-based authentication.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
fix connection-killing host key mismatch errors when
- sshd(8)
+ sshd(8)
offers multiple ECDSA keys of different lengths.
-
- ssh(1):
+
- ssh(1):
when host name canonicalisation is enabled, try to parse host names
as addresses before looking them up for canonicalisation. Fixes
bz#2074 and avoiding needless DNS lookups in some cases.
-
- ssh-keygen(1),
- sshd(8):
+
- ssh-keygen(1),
+ sshd(8):
Key Revocation Lists (KRLs) no longer require OpenSSH to be
compiled with OpenSSL support.
-
- ssh(1),
- ssh-keysign(8):
+
- ssh(1),
+ ssh-keysign(8):
Make ed25519 keys work for host based authentication.
-
- sshd(8):
+
- sshd(8):
SSH protocol v.1 workaround for the Meyer, et al., Bleichenbacher
Side Channel Attack. Fake up a bignum key before RSA decryption.
-
- sshd(8):
+
- sshd(8):
Remember which public keys have been used for authentication and
refuse to accept previously-used keys. This allows
AuthenticationMethods=publickey,publickey to require that
users authenticate using two different public keys.
-
- sshd(8):
+
- sshd(8):
add
- sshd_config(5)
+ sshd_config(5)
HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow
- sshd(8)
+ sshd(8)
to control what public key types will be accepted. Currently defaults
to all.
-
- sshd(8):
+
- sshd(8):
Don't count partial authentication success as a failure against
MaxAuthTries.
-
- ssh(1):
+
- ssh(1):
Add RevokedHostKeys option for the client to allow text-file
or KRL-based revocation of host keys.
-
- ssh-keygen(1),
- sshd(8):
+
- ssh-keygen(1),
+ sshd(8):
Permit KRLs that revoke certificates by serial number or key ID without
scoping to a particular CA.
-
- ssh(1):
+
- ssh(1):
Add a "Match canonical" criteria that allows
- ssh_config(5)
+ ssh_config(5)
Match blocks to trigger only in the second config pass.
-
- ssh(1):
+
- ssh(1):
Add a -G option to
- ssh(1)
+ ssh(1)
that causes it to parse its configuration and dump the result to
stdout, similar to "sshd -T".
-
- ssh(1):
+
- ssh(1):
Allow Match criteria to be negated
(e.g. "Match !host").
- The regression test suite has been extended to cover more OpenSSH
@@ -426,30 +426,30 @@
The following significant bugs have been fixed in this release:
@@ -465,14 +465,14 @@
APIs.
Jettison DTLS over SCTP.
Move
- openssl(1)
+ openssl(1)
from /usr/sbin/openssl to /usr/bin/openssl.
Two important cipher suites, GOST and Camellia, have been reworked
or reenabled, providing better interoperability with systems around
the world.
libtls: New API for loading CA chains directly from memory instead
of a file, allowing verification with privilege separation in a
- chroot(8)
+ chroot(8)
without direct access to CA certificate files.
libtls: Ciphers default to TLSv1.2 with AEAD and PFS.
libtls: Improved error handling and message generation.
@@ -482,7 +482,7 @@
New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
using 'TLSv1.2+AEAD' as the cipher selection string.
New
- openssl(1)
+ openssl(1)
command 'certhash' replaces the c_rehash script.
Application-Layer Protocol Negotiation (ALPN) support.
@@ -513,33 +513,33 @@
mandoc 1.13.3:
- - man(1),
- apropos(1), and
- mandoc(1)
+
- man(1),
+ apropos(1), and
+ mandoc(1)
now have a unified user interface, all with the same options,
and are in fact all implemented by the same binary program.
-
- For man(1),
+
- For man(1),
this implies new options -l and -IKOTW,
and it now finds manual pages by the names in their NAME sections
even if they lack matching file names.
-
- For apropos(1),
+
- For apropos(1),
this implies new options -acfhklw and -IKOTW.
-
- For mandoc(1),
+
- For mandoc(1),
this implies new options -acfhkl.
-
- mandoc(1)
+
- mandoc(1)
now automatically detects and transparently accepts input encoded
in utf-8 and iso-8859-1, and provides a new option -K to explicitly
specify the input encoding.
-
- The mandoc(1)
+
- The mandoc(1)
default output mode now is -Tlocale rather than -Tascii.
-
- eqn(7)
+
- eqn(7)
now supports in-line equations,
and terminal rendering of equations is considerably improved.
-
- mandoc(1) -Thtml
+
- mandoc(1) -Thtml
now generates polyglot HTML5 and renders
- eqn(7)
+ eqn(7)
using MathML.
-
- mandoc(1)
+
- mandoc(1)
can no longer fail with fatal errors, no matter how broken the input
file may be, and the -Wfatal message level no longer has any effect.
A new diagnostic level -Wunsupp is provided. Besides, many
@@ -551,14 +551,14 @@
- Syslogd: