www/58.html - diff

Return to 58.html CVS log

Up to [local] / www

Diff for /www/58.html between version 1.88 and 1.89

version 1.88, 2019/04/24 15:54:54

version 1.89, 2019/05/27 22:55:18

Line 1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<!doctype html>

<html>

<head>

<title>OpenBSD 5.8</title>

</head>

<h2>

5.8

</h2>

<table>

<tr>

<td>

<td>

Released Oct 18, 2015<br>

<br>

5.8 Songs: <a href="lyrics.html#58a">"20 years ago today"</a>,

<a href="lyrics.html#58b">"Fanza"</a>,

Line 33

Line 34

<ul>

<li>See the information on <a href="ftp.html">the FTP page</a> for

a list of mirror machines.

<li>Go to the <font color="#e00000">pub/OpenBSD/5.8/</font> directory on

<li>Go to the <code class=reldir>pub/OpenBSD/5.8/</code> directory on

one of the mirror sites.

<li>Have a look at <a href="errata58.html">the 5.8 errata page</a> for a list

of bugs and workarounds.

<li>See a <a href="plus58.html">detailed log of changes</a> between the

5.7 and 5.8 releases.

<p>

<li><a href="https://man.openbsd.org/?query=signify&sektion=1">signify(1)</a> pubkeys for this release:<p>

<li><a href="https://man.openbsd.org/signify.1">signify(1)</a> pubkeys for this release:<p>

<td>

openbsd-58-base.pub:

</td><td>

<td>

RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60

</td></tr><tr><td>

openbsd-58-fw.pub:

</td><td>

<td>

RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6

</td></tr><tr><td>

openbsd-58-pkg.pub:

</td><td>

<td>

RWRlkI2aFHvL/XGqD+lFerD/xUi/jnAXKwdFQwZDekYwDrEPSpSWgpI9

</td></tr>

</table>

<p>

Line 63

sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the

files fetched via ports.tar.gz.

</ul>

</table>

<br>

NOTE: The src.tar.gz file on the CD is incorrect; see

<a href="errata58.html#006_src">5.8 errata 006</a>.</b>

<p>

NOTE: The src.tar.gz file on the CD is incorrect; see

<a href="errata58.html#006_src">5.8 errata 006</a>.

<hr>

<p>

<p>

This is a partial list of new features and systems included in OpenBSD 5.8.

For a comprehensive list, see the <a href="plus58.html">changelog</a> leading

to 5.8.

<p>

<ul>

<li>Improved hardware support, including:

<ul>

<li>New <a href="https://man.openbsd.org/?query=rtwn&sec=4">rtwn(4)</a> driver for Realtek RTL8188CE wifi cards.

<li>New <a href="https://man.openbsd.org/rtwn&sec=4">rtwn(4)</a> driver for Realtek RTL8188CE wifi cards.

<li>New <a href="https://man.openbsd.org/?query=hpb&sec=4&arch=macppc">hpb(4)</a> driver for HyperTransport bridges as found in the IBM CPC945.

<li>New <a href="https://man.openbsd.org/hpb&sec=4&arch=macppc">hpb(4)</a> driver for HyperTransport bridges as found in the IBM CPC945.

<li>The <a href="https://man.openbsd.org/?query=ugold&sec=4">ugold(4)</a> driver now supports TEMPerHUMV1.x temperature and humidity sensors.

<li>The <a href="https://man.openbsd.org/ugold&sec=4">ugold(4)</a> driver now supports TEMPerHUMV1.x temperature and humidity sensors.

<li>Improved sensor support for the <a href="https://man.openbsd.org/?query=upd&sec=4">upd(4)</a> driver for USB Power Devices (UPS).

<li>Improved sensor support for the <a href="https://man.openbsd.org/upd&sec=4">upd(4)</a> driver for USB Power Devices (UPS).

<li>Support for jumbo frames on <a href="https://man.openbsd.org/?query=re&sec=4">re(4)</a> devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.

<li>Support for jumbo frames on <a href="https://man.openbsd.org/re&sec=4">re(4)</a> devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.

<li><a href="https://man.openbsd.org/?query=re&sec=4">re(4)</a> now works with newer devices e.g. RTL8111GU.

<li><a href="https://man.openbsd.org/re&sec=4">re(4)</a> now works with newer devices e.g. RTL8111GU.

<li>Partial support has been added for full-speed isochronous devices in <a href="https://man.openbsd.org/?query=ehci&sec=4">ehci(4)</a>, allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.

<li>Partial support has been added for full-speed isochronous devices in <a href="https://man.openbsd.org/ehci&sec=4">ehci(4)</a>, allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.

<li>Improved macppc stability and G5 performances with MP kernels.

<li><a href="https://man.openbsd.org/?query=acpicpu&sec=4">acpicpu(4)</a> uses ACPI C-state information to reduce power consumption of idle CPUs.

<li><a href="https://man.openbsd.org/acpicpu&sec=4">acpicpu(4)</a> uses ACPI C-state information to reduce power consumption of idle CPUs.

<li>Kernel supports x86 AVX instructions on CPUs that have them.

<li>Avoid assigning low address to PCI BARs, fixing various issues on machines whose BIOSes neglect to claim low memory.

<li><a href="https://man.openbsd.org/?query=wscons&sec=4">wscons(4)</a> works with even more odd trackpads.

<li><a href="https://man.openbsd.org/wscons&sec=4">wscons(4)</a> works with even more odd trackpads.

<li>Added <a href="https://man.openbsd.org/?query=pvbus&sec=4">pvbus(4)</a> paravirtual device tree root on virtual machines that are running on hypervisors.

<li>Added <a href="https://man.openbsd.org/pvbus&sec=4">pvbus(4)</a> paravirtual device tree root on virtual machines that are running on hypervisors.

<li>New octdwctwo(4) driver for USB support on OpenBSD/octeon.

<li>New <a href="https://man.openbsd.org/?query=amdcf&sec=4">amdcf(4)</a> driver for embedded flash on OpenBSD/octeon.

<li>New <a href="https://man.openbsd.org/amdcf&sec=4">amdcf(4)</a> driver for embedded flash on OpenBSD/octeon.

<li>Support for RTL8188EU devices was added to the <a href="https://man.openbsd.org/?query=urtwn&sec=4">urtwn(4)</a> driver.

<li>Support for RTL8188EU devices was added to the <a href="https://man.openbsd.org/urtwn&sec=4">urtwn(4)</a> driver.

</ul>

<p>

<li>Removed hardware support:

<ul>

<li>The <a href="https://man.openbsd.org/OpenBSD-5.7/man4/lmc.4?query=lmc&sec=4">lmc(4)</a> driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed.

<li>The <a href="https://man.openbsd.org/OpenBSD-5.7/man4/lmc.4">lmc(4)</a> driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed.

<li>The <a href="https://man.openbsd.org/OpenBSD-5.7/man4/san.4?query=san&sec=4">san(4)</a> driver for Sangoma Technologies AFT T1/E1 devices has been removed.

<li>The <a href="https://man.openbsd.org/OpenBSD-5.7/man4/san.4">san(4)</a> driver for Sangoma Technologies AFT T1/E1 devices has been removed.

</ul>

<p>

<li>Generic network stack improvements:

<ul>

<li>MTU of <a href="https://man.openbsd.org/?query=vlan&sektion=4">vlan(4)</a> devices can now be set independently from the parent interface's MTU.

<li>MTU of <a href="https://man.openbsd.org/vlan.4">vlan(4)</a> devices can now be set independently from the parent interface's MTU.

<li>The same network range can now be assigned to multiple interfaces, using interface priorities to choose between them.

<li>New MPLS pseudowire driver <a href="https://man.openbsd.org/?query=mpw&sektion=4">mpw(4)</a>.

<li>New MPLS pseudowire driver <a href="https://man.openbsd.org/mpw.4">mpw(4)</a>.

<li>Much preparatory work for MP unlocking of the network stack.

</ul>

<p>

Line 124

<li>The default answer is now 'no'.

<li>'prohibit-password' has been added to the list of possible answers.

</ul>

<li><a href="https://man.openbsd.org/?query=autoinstall&sec=8">autoinstall(8)</a>

<li><a href="https://man.openbsd.org/autoinstall&sec=8">autoinstall(8)</a>

has been extended to allow

<ul>

<li><tt>hostname-mode.conf</tt> response file names.

<li><code>hostname-mode.conf</code> response file names.

<li>response files to be placed in a subdir of the webserver's document root.

<li>passing a template file to

<a href="https://man.openbsd.org/?query=disklabel&sec=8">disklabel(8)</a>

<a href="https://man.openbsd.org/disklabel&sec=8">disklabel(8)</a>

to automatically partition the disk.

</ul>

is now enabled by default at install time.

<li>DUID support has improved enough that new installs now use them unconditionally.

<li>Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present.

Line 144

<li>Routing daemons and other userland network improvements:

<ul>

<li>Many improvements and simplifications in <a href="https://man.openbsd.org/?query=ldpd&sektion=8">ldpd(8)</a>, including configuration reload and support for <a href="https://man.openbsd.org/?query=mpw&sektion=4">mpw(4)</a> pseudowire interfaces.

<li>Many improvements and simplifications in <a href="https://man.openbsd.org/ldpd.8">ldpd(8)</a>, including configuration reload and support for <a href="https://man.openbsd.org/mpw.4">mpw(4)</a> pseudowire interfaces.

<li><a href="https://man.openbsd.org/?query=bgpd&sektion=8">bgpd(8)</a> now allows rules to match on the peer AS number.

<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now allows rules to match on the peer AS number.

<li>For terminated BGP sessions, <a href="https://man.openbsd.org/?query=bgpctl&sektion=8">bgpctl(8)</a> now displays the number of prefixes received on the last session.

<li>For terminated BGP sessions, <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> now displays the number of prefixes received on the last session.

<li><a href="https://man.openbsd.org/?query=ospfd&sektion=8">ospfd(8)</a> now correctly handles <a href="https://man.openbsd.org/?query=carp&sektion=4">carp(4)</a> interfaces in "backup" mode at startup.

<li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> now correctly handles <a href="https://man.openbsd.org/carp.4">carp(4)</a> interfaces in "backup" mode at startup.

<li>Log messages in <a href="https://man.openbsd.org/?query=bgpd&sektion=8">bgpd(8)</a> and <a href="https://man.openbsd.org/?query=ospfd&sektion=8">ospfd(8)</a> have been made more specific.

<li>Log messages in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> have been made more specific.

<li>The default Diffie-Hellman group for VPNs configured by <a href="https://man.openbsd.org/?query=ipsec.conf&sektion=5">ipsec.conf(5)</a> has been changed to modp3072.

<li>The default Diffie-Hellman group for VPNs configured by <a href="https://man.openbsd.org/ipsec.conf.5">ipsec.conf(5)</a> has been changed to modp3072.

<li>New <a href="https://man.openbsd.org/?query=radiusd&sektion=8">radiusd(8)</a>,

<li>New <a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>,

Remote Authentication Dial In User Service (RADIUS) daemon.

</ul>

<p>

<li>Security improvements:

<ul>

<li>sudo in base has been replaced with <a href="https://man.openbsd.org/?query=doas&sektion=1">doas(1)</a>, sudo is available as a package.

<li>sudo in base has been replaced with <a href="https://man.openbsd.org/doas.1">doas(1)</a>, sudo is available as a package.

<li><a href="https://man.openbsd.org/?query=file&sektion=1">file(1)</a> has been replaced with a new modern implementation, including sandbox and privilege separation.

<li><a href="https://man.openbsd.org/file.1">file(1)</a> has been replaced with a new modern implementation, including sandbox and privilege separation.

<li><a href="https://man.openbsd.org/?query=pax&sektion=1">pax(1)</a> (and <a href="https://man.openbsd.org/?query=tar&sektion=1">tar(1)</a> and <a href="https://man.openbsd.org/?query=cpio&sektion=1">cpio(1)</a>) now prevent archive extraction from escaping the current directory via symlinks; <a href="https://man.openbsd.org/?query=tar&sektion=1">tar(1)</a> without <tt>-P</tt> option now strips up through any "<tt>..</tt>" path components.

<li><a href="https://man.openbsd.org/pax.1">pax(1)</a> (and <a href="https://man.openbsd.org/tar.1">tar(1)</a> and <a href="https://man.openbsd.org/cpio.1">cpio(1)</a>) now prevent archive extraction from escaping the current directory via symlinks; <a href="https://man.openbsd.org/tar.1">tar(1)</a> without <code>-P</code> option now strips up through any "<code>..</code>" path components.

<li>Static PIE support for sparc.

<li>Alpha switched to secure PLT.

<li>Improved kernel checks of ELF headers.

<li>Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.

<li>Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit.

<li>Work started on a new process-containment facility called <a href="https://man.openbsd.org/?query=tame&sektion=2&manpath=OpenBSD-5.8">tame(2)</a>.

<li>Work started on a new process-containment facility called <a href="https://man.openbsd.org/OpenBSD-5.8/tame.2">tame(2)</a>.

</ul>

<p>

<li>Assorted improvements:

<ul>

now grows at a rate proportional to terminal size.

<li><a href="https://man.openbsd.org/?query=dlfcn&sektion=3">dlclose(3)</a> now unregisters handlers registered by a <a href="https://man.openbsd.org/?query=pthread_atfork&sektion=3">pthread_atfork(3)</a> call from the unloaded libraries.

<li><a href="https://man.openbsd.org/dlfcn.3">dlclose(3)</a> now unregisters handlers registered by a <a href="https://man.openbsd.org/pthread_atfork.3">pthread_atfork(3)</a> call from the unloaded libraries.

<li><a href="https://man.openbsd.org/?query=cp&sektion=1">cp(1)</a>, <a href="https://man.openbsd.org/?query=mv&sektion=1">mv(1)</a>, and <a href="https://man.openbsd.org/?query=pax&sektion=1">pax(1)</a> with the <tt>-rw</tt> option now preserve timestamps with full nanosecond precision.

<li><a href="https://man.openbsd.org/cp.1">cp(1)</a>, <a href="https://man.openbsd.org/mv.1">mv(1)</a>, and <a href="https://man.openbsd.org/pax.1">pax(1)</a> with the <code>-rw</code> option now preserve timestamps with full nanosecond precision.

<li><a href="https://man.openbsd.org/?query=pax&sektion=1">pax(1)</a> now detects failure to decompress an archive when reading it and errors out immediately.

<li><a href="https://man.openbsd.org/pax.1">pax(1)</a> now detects failure to decompress an archive when reading it and errors out immediately.

<li><a href="https://man.openbsd.org/?query=nm&sektion=1">nm(1)</a> now supports the <tt>-D</tt> option for displaying the dynamic symbol table.

<li><a href="https://man.openbsd.org/nm.1">nm(1)</a> now supports the <code>-D</code> option for displaying the dynamic symbol table.

<li><a href="https://man.openbsd.org/?query=dump&sektion=8">dump(8)</a> now uses DUIDs in <tt>/etc/dumpdates</tt> when present and the <tt>-U</tt> option has thus been removed.

<li><a href="https://man.openbsd.org/dump.8">dump(8)</a> now uses DUIDs in <code>/etc/dumpdates</code> when present and the <code>-U</code> option has thus been removed.

<li>Corrected <a href="https://man.openbsd.org/?query=kdump&sektion=1">kdump(1)</a> reporting of <a href="https://man.openbsd.org/?query=lseek&sektion=2">lseek(2)</a> return value on ILP32 archs and <a href="https://man.openbsd.org/?query=getsockopt&sektion=2">getsockopt/setsockopt(2)</a> level and optname arguments. <tt>iovec</tt>, <tt>msghdr</tt>, and <tt>cmsghdr</tt> structures are now dumped.

<li>Corrected <a href="https://man.openbsd.org/kdump.1">kdump(1)</a> reporting of <a href="https://man.openbsd.org/lseek.2">lseek(2)</a> return value on ILP32 archs and <a href="https://man.openbsd.org/getsockopt.2">getsockopt/setsockopt(2)</a> level and optname arguments. <code>iovec</code>, <code>msghdr</code>, and <code>cmsghdr</code> structures are now dumped.

<li><a href="https://man.openbsd.org/?query=sed&sektion=1">sed(1)</a> <tt>-i</tt> option added.

<li><a href="https://man.openbsd.org/sed.1">sed(1)</a> <code>-i</code> option added.

<li>New, much simpler <a href="https://man.openbsd.org/?query=man.conf&sektion=5">man.conf(5)</a> configuration file format

<li>New, much simpler <a href="https://man.openbsd.org/man.conf.5">man.conf(5)</a> configuration file format

for <a href="https://man.openbsd.org/?query=man&sektion=1">man(1)</a>,

for <a href="https://man.openbsd.org/man.1">man(1)</a>,

<a href="https://man.openbsd.org/?query=apropos&sektion=1">apropos(1)</a>,

<a href="https://man.openbsd.org/apropos.1">apropos(1)</a>,

and <a href="https://man.openbsd.org/?query=makewhatis&sektion=8">makewhatis(8)</a>.

and <a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>.

<li>When using <a href="https://man.openbsd.org/?query=man&sektion=1">man(1)</a>

<li>When using <a href="https://man.openbsd.org/man.1">man(1)</a>

with the <a href="https://man.openbsd.org/?query=less&sektion=1">less(1)</a> pager,

with the <a href="https://man.openbsd.org/less.1">less(1)</a> pager,

support the <tt>:t</tt> internal command

support the <code>:t</code> internal command

to search for definitions of keywords similar to what

<a href="https://man.openbsd.org/?query=ctags&sektion=1">ctags(1)</a> provides.

<a href="https://man.openbsd.org/ctags.1">ctags(1)</a> provides.

<li>Improvements in checking of numeric option values in <b>many</b> utilities.

<li>Upgraded to binutils version 2.17 with additional fixes.

<li>Improved correctness of <a href="https://man.openbsd.org/?query=poll&sektion=2">poll(2)</a> and <a href="https://man.openbsd.org/?query=poll&sektion=2">poll(2)</a> of <tt>O_RDONLY</tt> FIFO fds.

<li>Improved correctness of <a href="https://man.openbsd.org/poll.2">poll(2)</a> and <a href="https://man.openbsd.org/poll.2">poll(2)</a> of <code>O_RDONLY</code> FIFO fds.

<li>Restored reporting of closed sockets by <a href="https://man.openbsd.org/?query=netstat&sektion=1">netstat(1)</a> and <a href="https://man.openbsd.org/?query=systat&sektion=1">systat(1)</a>.

<li>Restored reporting of closed sockets by <a href="https://man.openbsd.org/netstat.1">netstat(1)</a> and <a href="https://man.openbsd.org/systat.1">systat(1)</a>.

<li><a href="https://man.openbsd.org/?query=fdisk&sektion=8">fdisk(8)</a> now zeros correct GPT sector at end of disk.

<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now zeros correct GPT sector at end of disk.

<li><a href="https://man.openbsd.org/?query=fdisk&sektion=8">fdisk(8)</a> now accepts 'T' sizes for terabytes.

<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now accepts 'T' sizes for terabytes.

<li><a href="https://man.openbsd.org/?query=fdisk&sektion=8">fdisk(8)</a> repaired to work on 4K sector disks again.

<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> repaired to work on 4K sector disks again.

<li><a href="https://man.openbsd.org/?query=dhcpd&sektion=8">dhcpd(8)</a> now logs correct giaddr and ciaddr information even when DHCP relays are present.

<li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> now logs correct giaddr and ciaddr information even when DHCP relays are present.

<li><a href="https://man.openbsd.org/?query=dhcpd&sektion=8">dhcpd(8)</a> now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.

<li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.

<li><a href="https://man.openbsd.org/?query=dhcpd&sektion=8">dhcpd(8)</a> and <a href="https://man.openbsd.org/?query=dhclient&sektion=8">dhclient(8)</a> now accept hostnames beginning with a digit.

<li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> and <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> now accept hostnames beginning with a digit.

<li><a href="https://man.openbsd.org/?query=dhclient&sektion=8">dhclient(8)</a> no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.

<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.

<li>Improvements to <a href="https://man.openbsd.org/?query=realloc&sektion=3">realloc(3)</a> decrease system calls and increase efficiency.

<li>Improvements to <a href="https://man.openbsd.org/realloc.3">realloc(3)</a> decrease system calls and increase efficiency.

<li>The reaper now tears down dead processes without holding on to

the kernel lock. This greatly reduces latency and increases

performance on multi-processor systems.

</ul>

<p>

<li>OpenBSD <a href="https://man.openbsd.org/?query=httpd&sektion=8">httpd(8)</a>:

<li>OpenBSD <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>:

<ul>

<li>New features:

<ul>

<li>Added support for matching and redirections with Lua <a href="https://man.openbsd.org/OpenBSD-current/man7/patterns.7">patterns(7)</a>.

<li>Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).

<li>Added byte-range support for range requests (RFC 7233).

<li>Allowing to specify a global or per-location default media type instead of <tt>application/octet-stream</tt>.

<li>Allowing to specify a global or per-location default media type instead of <code>application/octet-stream</code>.

<li>Added support for HTTP Strict Transport Security (HSTS; RFC 6797).

<li>Added initial regression test suite based on <a href="https://man.openbsd.org/OpenBSD-current/man8/relayd.8">relayd(8)</a>'s implementation.

</ul>

Line 235

<li>OpenSMTPD 5.4.4

<ul>

<li><a href="https://man.openbsd.org/?query=smtpd&sektion=8">smtpd(8)</a> reliability and bug fixes.

<li><a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> reliability and bug fixes.

<li><b>NOTE: Some security risks were discovered and fixed after the

OpenBSD 5.8 release.

See <a href="errata58.html#004_smtpd">5.8 errata 004</a>.</b>

Line 246

<ul>

<li>Security:

<ul>

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

when forwarding X11 connections with <tt>ForwardX11Trusted=no</tt>,

when forwarding X11 connections with <code>ForwardX11Trusted=no</code>,

connections made after <tt>ForwardX11Timeout</tt> expired could be

connections made after <code>ForwardX11Timeout</code> expired could be

permitted and no longer subject to XSECURITY restrictions because of

an ineffective timeout check in

coupled with "fail open" behaviour in the X11 server when clients

attempted connections with expired credentials.

This problem was reported by Jann Horn.

<li><a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>:

<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:

fix weakness of agent locking (<tt>ssh-add -x</tt>) to

fix weakness of agent locking (<code>ssh-add -x</code>) to

password guessing by implementing an increasing failure delay,

storing a salted hash of the password rather than the password

itself and using a timing-safe comparison function for verifying

unlock attempts. This problem was reported by Ryan Castellucci.

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.

Local attackers may be able to write arbitrary messages to logged-in

users, including terminal escape sequences.

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

fix circumvention of <tt>MaxAuthTries</tt> using keyboard-interactive

fix circumvention of <code>MaxAuthTries</code> using keyboard-interactive

authentication. By specifying a long, repeating keyboard-interactive

"devices" string, an attacker could request the same authentication

method be tried thousands of times in a single pass. The

<tt>LoginGraceTime</tt> timeout in

<code>LoginGraceTime</code> timeout in

and any authentication failure delays implemented by the authentication

mechanism itself were still applied.

</ul>

Line 281

default at compile time.

<li>Support for the 1024-bit diffie-hellman-group1-sha1 key exchange

is disabled by default at run-time. It may be re-enabled using

the instructions at <tt>https://www.openssh.com/legacy.html</tt>.

the instructions at <code>https://www.openssh.com/legacy.html</code>.

<li>Support for <tt>ssh-dss</tt>, <tt>ssh-dss-cert-*</tt> <i>host</i>

<li>Support for <code>ssh-dss</code>, <code>ssh-dss-cert-*</code> <i>host</i>

and <i>user</i> keys is disabled by default at run-time. These may

be re-enabled using the instructions at

<tt>https://www.openssh.com/legacy.html</tt>.

<code>https://www.openssh.com/legacy.html</code>.

<li>Support for the legacy <i>v00 cert format</i> has been removed.

<li>The default for the

<a href="https://man.openbsd.org/?query=sshd_config&sektion=5">sshd_config(5)</a>

<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>

<tt>PermitRootLogin</tt> option has changed from "yes" to

<code>PermitRootLogin</code> option has changed from "yes" to

"prohibit-password" (but the OpenBSD installer defaults to "no").

<li><b>NOTE: 'PermitRootLogin prohibit-password' is subtly broken

in the OpenBSD 5.8 / OpenSSH 7.0. See

Line 297

</ul>

<li>New/changed features:

<ul>

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

promote <tt>chacha20-poly1305@openssh.com</tt> to be the default

promote <code>chacha20-poly1305@openssh.com</code> to be the default

cipher.

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

support admin-specified arguments to <tt>AuthorizedKeysCommand</tt>.

support admin-specified arguments to <code>AuthorizedKeysCommand</code>.

(bz#2081)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

add <tt>AuthorizedPrincipalsCommand</tt> that allows retrieving

add <code>AuthorizedPrincipalsCommand</code> that allows retrieving

authorized principals information from a subprocess rather than a

file.

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=ssh-add&sektion=1">ssh-add(1)</a>:

<a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>:

support PKCS#11 devices with external PIN entry devices. (bz#2240)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

allow GSSAPI host credential check to be relaxed for multihomed

hosts via <tt>GSSAPIStrictAcceptorCheck</tt> option. (bz#928)

hosts via <code>GSSAPIStrictAcceptorCheck</code> option. (bz#928)

<li><a href="https://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:

<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:

support <tt>ssh-keygen -lF hostname</tt> to search <tt>known_hosts</tt>

support <code>ssh-keygen -lF hostname</code> to search <code>known_hosts</code>

and print key hashes rather than full keys.

<li><a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>:

<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:

add <tt>-D</tt> flag to leave

add <code>-D</code> flag to leave

<a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>

<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>

in foreground without enabling debug mode. (bz#2381)

<li><a href="https://man.openbsd.org/?query=ssh_config&sektion=5">ssh_config(5)</a>:

<li><a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>:

add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public

add <code>PubkeyAcceptedKeyTypes</code> option to control which public

key types are available for user authentication.

<li><a href="https://man.openbsd.org/?query=sshd_config&sektion=5">sshd_config(5)</a>:

<li><a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:

add <tt>HostKeyAlgorithms</tt> option to control which public key

add <code>HostKeyAlgorithms</code> option to control which public key

types are offered for host authentications.

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

extend <tt>Ciphers</tt>, <tt>MACs</tt>, <tt>KexAlgorithms</tt>,

extend <code>Ciphers</code>, <code>MACs</code>, <code>KexAlgorithms</code>,

<tt>HostKeyAlgorithms</tt>, <tt>PubkeyAcceptedKeyTypes</tt> and

<code>HostKeyAlgorithms</code>, <code>PubkeyAcceptedKeyTypes</code> and

<tt>HostbasedKeyTypes</tt> options to allow appending to the default

<code>HostbasedKeyTypes</code> options to allow appending to the default

set of algorithms instead of replacing it. Options may now be

prefixed with a <tt>+</tt> to append to the default, e.g.

prefixed with a <code>+</code> to append to the default, e.g.

"<tt>HostKeyAlgorithms=+ssh-dss</tt>".

"<code>HostKeyAlgorithms=+ssh-dss</code>".

</ul>

<li>The following significant bugs have been fixed in this release:

<ul>

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

deprecate legacy <tt>SSH2_MSG_KEX_DH_GEX_REQUEST_OLD</tt> message and

deprecate legacy <code>SSH2_MSG_KEX_DH_GEX_REQUEST_OLD</code> message and

do not try to use it against some 3rd-party SSH implementations that

use it (older PuTTY, WinSCP).

<li>Many fixes for problems caused by compile-time deactivation of

SSH1 support. (including bz#2369)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

cap DH-GEX group size at 4Kbits for Cisco implementations as some

would fail when attempting to use group sizes greater than 4K.

(bz#2209)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

fix out-of-bound read in <tt>EscapeChar</tt> configuration option

fix out-of-bound read in <code>EscapeChar</code> configuration option

parsing. (bz#2396)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

fix application of <tt>PermitTunnel</tt>, <tt>LoginGraceTime</tt>,

fix application of <code>PermitTunnel</code>, <code>LoginGraceTime</code>,

<tt>AuthenticationMethods</tt> and <tt>StreamLocalBindMask</tt>

<code>AuthenticationMethods</code> and <code>StreamLocalBindMask</code>

options in <tt>Match</tt> blocks.

options in <code>Match</code> blocks.

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

improve disconnection message on TCP reset. (bz#2257)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

remove failed remote forwards established by multiplexing from the

list of active forwards. (bz#2363)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

make parsing of <tt>authorized_keys</tt> "<tt>environment=</tt>"

make parsing of <code>authorized_keys</code> "<code>environment=</code>"

options independent of <tt>PermitUserEnv</tt> being enabled. (bz#2329)

options independent of <code>PermitUserEnv</code> being enabled. (bz#2329)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

fix post-auth crash with <tt>permitopen=none</tt>. (bz#2355)

fix post-auth crash with <code>permitopen=none</code>. (bz#2355)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=ssh-add&sektion=1">ssh-add(1)</a>,

<a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,

<a href="https://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:

<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:

allow new-format private keys to be encrypted with AEAD ciphers.

(bz#2366)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

allow <tt>ListenAddress</tt>, <tt>Port</tt> and <tt>AddressFamily</tt>

allow <code>ListenAddress</code>, <code>Port</code> and <code>AddressFamily</code>

configuration options to appear in any order. (bz#86)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

check for and reject missing arguments for <tt>VersionAddendum</tt>

check for and reject missing arguments for <code>VersionAddendum</code>

and <tt>ForceCommand</tt>. (bz#2281)

and <code>ForceCommand</code>. (bz#2281)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

don't treat unknown certificate extensions as fatal. (bz#2387)

<li><a href="https://man.openbsd.org/?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:

<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:

make <tt>stdout</tt> and <tt>stderr</tt> output consistent. (bz#2325)

make <code>stdout</code> and <code>stderr</code> output consistent. (bz#2325)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

mention missing <tt>DISPLAY</tt> environment in debug log when X11

mention missing <code>DISPLAY</code> environment in debug log when X11

forwarding requested. (bz#1682)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

correctly record login when <tt>UseLogin</tt> is set. (bz#378)

correctly record login when <code>UseLogin</code> is set. (bz#378)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

add some missing options to <tt>sshd -T</tt> output and fix output

add some missing options to <code>sshd -T</code> output and fix output

of <tt>VersionAddendum</tt> and <tt>HostCertificate</tt>. (bz#2346)

of <code>VersionAddendum</code> and <code>HostCertificate</code>. (bz#2346)

<li>Document and improve consistency of options that accept a

"<tt>none</tt>" argument: <tt>TrustedUserCAKeys</tt>,

"<code>none</code>" argument: <code>TrustedUserCAKeys</code>,

<tt>RevokedKeys</tt> (bz#2382), <tt>AuthorizedPrincipalsFile</tt>

<code>RevokedKeys</code> (bz#2382), <code>AuthorizedPrincipalsFile</code>

(bz#2288).

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

include remote username in debug output. (bz#2368)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

avoid compatibility problem with some versions of Tera Term, which

would crash when they received the hostkeys notification message

(<tt>hostkeys-00@openssh.com</tt>).

(<code>hostkeys-00@openssh.com</code>).

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

mention <tt>ssh-keygen -E</tt> as useful when comparing legacy

mention <code>ssh-keygen -E</code> as useful when comparing legacy

<i>MD5 host key fingerprints</i>. (bz#2332)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

clarify pseudo-terminal request behaviour and use make manual language

consistent. (bz#1716)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

document that the <tt>TERM</tt> environment variable is not subject

document that the <code>TERM</code> environment variable is not subject

to <tt>SendEnv</tt> and <tt>AcceptEnv</tt>. (bz#2386)

to <code>SendEnv</code> and <code>AcceptEnv</code>. (bz#2386)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

add compatability workarounds for Cisco and more PuTTY versions.

(bz#2424)

<li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and

<li>Fix some omissions and errors in the <code>PROTOCOL</code> and

<tt>PROTCOL.mux</tt> documentation relating to <i>Unix domain

<code>PROTCOL.mux</code> documentation relating to <i>Unix domain

socket</i> forwarding. (bz#2421, bz#2422)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>:

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:

Improve the

manual page to include a better desciption of Unix domain socket

forwarding. (bz#2423)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>:

<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:

skip uninitialised PKCS#11 slots, fixing failures to load keys when

they are present. (bz#2427)

<li><a href="https://man.openbsd.org/?query=ssh&sektion=1">ssh(1)</a>,

<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,

<a href="https://man.openbsd.org/?query=ssh-agent&sektion=1">ssh-agent(1)</a>:

<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:

do not ignore PKCS#11 hosted keys that wth empty <tt>CKA_ID</tt>.

do not ignore PKCS#11 hosted keys that wth empty <code>CKA_ID</code>.

(bz#2429)

<li><a href="https://man.openbsd.org/?query=sshd&sektion=8">sshd(8)</a>:

<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:

clarify documentation for <tt>UseDNS</tt> option. (bz#2045)

clarify documentation for <code>UseDNS</code> option. (bz#2045)

</ul>

<p>

Line 447

CVE-2015-1788, CVE-2015-1789, CVE-2015-1792.

<li>Protocol parsing conversions to BoringSSL's <i>CRYPTO ByteString</i>

(CBS) API.

<li>Added <tt>EC_curve_nid2nist</tt> and <tt>EC_curve_nist2nid</tt>

<li>Added <code>EC_curve_nid2nist</code> and <code>EC_curve_nist2nid</code>

from OpenSSL.

<li>Removed Dynamic Engine support.

<li>Removed MDC-2DES support.

<li>Switched <tt>openssl dhparam</tt> default from 512 to 2048 bits.

<li>Switched <code>openssl dhparam</code> default from 512 to 2048 bits.

<li>Fixed <tt>openssl pkeyutl -verify</tt> to exit with a 0 on success.

<li>Fixed <code>openssl pkeyutl -verify</code> to exit with a 0 on success.

<li>Fixed dozens of Coverity issues including dead code, memory leaks,

logic errors and more.

<li>Ensure that

<a href="https://man.openbsd.org/?query=openssl&sektion=1">openssl(1)</a>

<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>

restores terminal echo state after reading a password.

<li>Incorporated fix for OpenSSL issue #3683.

<li>Removed SSLv3 support from

<a href="https://man.openbsd.org/?query=openssl&sektion=1">openssl(1)</a>.

<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>.

<li>Modified <tt>tls_write</tt> in <tt>libtls</tt> to allow partial

<li>Modified <code>tls_write</code> in <code>libtls</code> to allow partial

writes, clarified with examples in the documentation.

<li>Removed RSAX engine.

<li>Tested SSLv3 removal with the OpenBSD ports tree and found several

applications that were not ready to build without SSLv3 yet.

For now, building a program that intentionally uses SSLv3 will

result in a linker warning.

<li>Added <tt>TLS_method</tt>, <tt>TLS_client_method</tt> and

<li>Added <code>TLS_method</code>, <code>TLS_client_method</code> and

<tt>TLS_server_method</tt> as a replacement for the

<code>TLS_server_method</code> as a replacement for the

<tt>SSLv23_*method</tt> calls.

<code>SSLv23_*method</code> calls.

<li>Default <tt>cert.pem</tt>, <tt>openssl.cnf</tt>, and

<li>Default <code>cert.pem</code>, <code>openssl.cnf</code>, and

<tt>x509v3.cnf</tt> files are now installed under

<code>x509v3.cnf</code> files are now installed under

<tt>$sysconfdir/ssl</tt> or the directory specified by

<code>$sysconfdir/ssl</code> or the directory specified by

<tt>--with-openssldir</tt>. Previous versions of LibreSSL left

<code>--with-openssldir</code>. Previous versions of LibreSSL left

these empty.

<li><b>NOTE: LibreSSL 2.2.2 in OpenBSD 5.8 incorrectly handles

ClientHello messages that do not include TLS extensions, resulting

Line 485

</ul>

<li>Code improvements:

<ul>

<li>Fix incorrect comparison function in <a href="https://man.openbsd.org/?query=openssl&sektion=1">openssl(1)</a> certhash command.

<li>Fix incorrect comparison function in <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> certhash command.

Thanks to Christian Neukirchen / Void Linux.

<li>Removal of <tt>OPENSSL_issetugid</tt> and all library getenv calls.

<li>Removal of <code>OPENSSL_issetugid</code> and all library getenv calls.

Applications can and should no longer rely on environment variables

for changing library behavior.

<tt>OPENSSL_CONF</tt> and <tt>SSLEAY_CONF</tt> are still supported with the

<code>OPENSSL_CONF</code> and <code>SSLEAY_CONF</code> are still supported with the

<a href="https://man.openbsd.org/?query=openssl&sektion=1">openssl(1)</a>

<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>

command, but note that $ENV:: is no longer supported in .cnf files.

<li><tt>libtls</tt> API and documentation additions.

<li><code>libtls</code> API and documentation additions.

<li>Various bug fixes and simplifications to <tt>libssl</tt> and

<li>Various bug fixes and simplifications to <code>libssl</code> and

<tt>libcrypto</tt>.

<code>libcrypto</code>.

<li>Reworked

<a href="https://man.openbsd.org/?query=openssl&sektion=1">openssl(1)</a>

<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>

option handling.

<li>LibreSSL version define <tt>LIBRESSL_VERSION_NUMBER</tt> will now

<li>LibreSSL version define <code>LIBRESSL_VERSION_NUMBER</code> will now

be bumped for each portable release.

<li>Removed workarounds for TLS client padding bugs.

<li>Removed IE 6 SSLv3 workarounds.

<li><tt>--with-enginesdir</tt> is removed as a configuration parameter.

<li><code>--with-enginesdir</code> is removed as a configuration parameter.

</ul>

<p>

<li>Syslogd:

<ul>

<li>OpenBSD

<a href="https://man.openbsd.org/?query=syslogd&sektion=8">syslogd(8)</a>

<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>

can bind to explicitly given UDP or TCP sockets to receive messages.

TCP streams are accepted with the octet counting or the non

transparent framing method.

<li>Blocks in

<a href="https://man.openbsd.org/?query=syslog.conf&se

<a href="https://man.openbsd.org/syslog.conf.5">syslog.conf(5)</a>

ktion=5">syslog.conf(5)</a>

started with <code>+host</code> process messages created by

certain hosts specifically.

<li>Handle situations when the file descriptor limit is exhausted

gracefully.

<li>Since libtls handles short writes smarter, <a href="https://man.openbsd.org/?query=syslogd&sektion=8">syslogd(8)</a> can use the

<li>Since libtls handles short writes smarter, <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> can use the

complete output buffer to save messages, coping with

longer TLS server down times without losing messages.

</ul>

<p>

<li>Ports and packages:

<li><p>Ports and packages:

<dl>

<dt>Many pre-built packages for each architecture:

<p>Many pre-built packages for each architecture:

<tr>

<ul>

<li>alpha: 7093

<li>amd64: 8866

<li>hppa: 5813

</ul></td><td valign=top width="25%"><ul>

<li>i386: 8839

<li>mips64: 4267

<li>mips64el: 5922

</ul></td><td valign=top width="25%"><ul>

<li>powerpc: 8114

<li>sh: 133

<li>sparc64: 7851

</ul></td><td valign=top width="25%"><ul>

<li>sparc: 3655

<li>vax: 1959

</ul></td></tr></table>

</ul>

<p>

<dt>Some highlights:

<p>Some highlights:

<tr>

<li>Chromium 44.0.2403.125

<li>Emacs 21.4 and 24.5

<li>GCC 4.8.4 and 4.9.3

Line 569

Line 559

<li>Mono 3.12.1

<li>Mozilla Firefox 38.1.1esr and 39.0.3

<li>Mozilla Thunderbird 38.1.0

</ul></td><td valign=top width="33%"><ul>

<li>Node.js 0.10.35

<li>OpenLDAP 2.3.43 and 2.4.41

<li>PHP 5.4.43, 5.5.27 and 5.6.11

Line 584

Line 573

<li>TeX Live 2014

<li>Vim 7.4.769

<li>Xfce 4.12

</ul></td><td valign=top width="34%">

</ul>

</td></tr></table>

<p>

<li>As usual, steady improvements in manual pages and other documentation.

<p>

<li>The system includes the following major components from outside suppliers:

<ul>

Line 607

Line 593

<li>Less 458 (+ patches)

<li>Awk Aug 10, 2011 version

</ul>

</section>

<hr>

<h3>How to install</h3>

<p>

<h3><font color="#0000e0">How to install</font></h3>

<p>

Following this are the instructions which you would have on a piece of

paper if you had purchased a CDROM set instead of doing an alternate

form of install. The instructions for doing an HTTP (or other style

Line 674

Line 661

</ul>

<hr>

<p>

Quick installer information for people familiar with OpenBSD, and the

use of the "disklabel -E" command. If you are at all confused when

installing OpenBSD, read the relevant INSTALL.* file as listed above!

<p>

<h3><font color="#e00000">OpenBSD/i386:</font></h3>

<h3>OpenBSD/i386:</h3>

<ul>

<p>

The OpenBSD/i386 release is on CD1.

Boot from the CD to begin the install - you may need to adjust

your BIOS options first.

Line 699

Line 687

If you are planning on dual booting OpenBSD with another OS, you will need to

read INSTALL.i386.

</ul>

<h3>OpenBSD/amd64:</h3>

<p>

<h3><font color="#e00000">OpenBSD/amd64:</font></h3>

<ul>

The OpenBSD/amd64 release is on CD2.

Boot from the CD to begin the install - you may need to adjust

your BIOS options first.

Line 720

Line 706

<p>

If you are planning to dual boot OpenBSD with another OS, you will need to

read INSTALL.amd64.

</ul>

<h3>OpenBSD/macppc:</h3>

<p>

<h3><font color="#e00000">OpenBSD/macppc:</font></h3>

<ul>

Burn the image from a mirror site to a CDROM, and power on your machine

while holding down the <i>C</i> key until the display turns on and

shows <i>OpenBSD/macppc boot</i>.

Line 732

Line 717

<p>

Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot

/5.8/macppc/bsd.rd</i>

</ul>

<h3>OpenBSD/sparc64:</h3>

<p>

<h3><font color="#e00000">OpenBSD/sparc64:</font></h3>

<ul>

Put CD3 in your CDROM drive and type <i>boot cdrom</i>.

<p>

Line 755

Line 739

<p>

If nothing works, you can boot over the network as described in INSTALL.sparc64.

</ul>

<h3>OpenBSD/alpha:</h3>

<p>

<h3><font color="#e00000">OpenBSD/alpha:</font></h3>

Write <i>FTP:5.8/alpha/floppy58.fs</i> or

<ul>

<p>Write <i>FTP:5.8/alpha/floppy58.fs</i> or

<i>FTP:5.8/alpha/floppyB58.fs</i> (depending on your machine) to a diskette and

enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.

Line 768

Line 751

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install

will most likely fail.

</ul>

<h3>OpenBSD/armish:</h3>

<p>

<h3><font color="#e00000">OpenBSD/armish:</font></h3>

<ul>

<p>

After connecting a serial port, Thecus can boot directly from the network

either tftp or http. Configure the network using fconfig, reset,

then load bsd.rd, see INSTALL.armish for specific details.

Line 781

Line 761

and copy 'boot' and bsd.rd into the first partition on wd0 (hda1)

then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition.

More details are available in INSTALL.armish.

</ul>

<h3>OpenBSD/hppa:</h3>

<p>

<h3><font color="#e00000">OpenBSD/hppa:</font></h3>

<ul>

<p>

Boot over the network by following the instructions in INSTALL.hppa or the

<a href="hppa.html#install">hppa platform page</a>.

</ul>

<h3>OpenBSD/landisk:</h3>

<p>

<h3><font color="#e00000">OpenBSD/landisk:</font></h3>

<ul>

<p>

Write <i>miniroot58.fs</i> to the start of the CF

or disk, and boot normally.

</ul>

<h3>OpenBSD/loongson:</h3>

<p>

<h3><font color="#e00000">OpenBSD/loongson:</font></h3>

<ul>

<p>

Write <i>miniroot58.fs</i> to a USB stick and boot bsd.rd from it

or boot bsd.rd via tftp.

Refer to the instructions in INSTALL.loongson for more details.

</ul>

<p>

<h3>OpenBSD/luna88k:</h3>

<p>

<h3><font color="#e00000">OpenBSD/luna88k:</font></h3>

Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader

<ul>

<p>

Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader

from the PROM, and then bsd.rd from the bootloader.

Refer to the instructions in INSTALL.luna88k for more details.

</ul>

<h3>OpenBSD/octeon:</h3>

<p>

<h3><font color="#e00000">OpenBSD/octeon:</font></h3>

<ul>

<p>

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.

Refer to the instructions in INSTALL.octeon for more details.

</ul>

<h3>OpenBSD/sgi:</h3>

<p>

<h3><font color="#e00000">OpenBSD/sgi:</font></h3>

<ul>

<p>

To install, burn cd58.iso on a CD-R, put it in the CD drive of your

machine and select <i>Install System Software</i> from the System Maintenance

menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from

Line 840

Line 807

If your machine doesn't have a CD drive, you can setup a DHCP/tftp network

server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your

system type. Refer to the instructions in INSTALL.sgi for more details.

</ul>

<h3>OpenBSD/socppc:</h3>

<p>

<h3><font color="#e00000">OpenBSD/socppc:</font></h3>

<ul>

<p>

After connecting a serial port, boot over the network via DHCP/tftp.

Refer to the instructions in INSTALL.socppc for more details.

</ul>

<h3>OpenBSD/sparc:</h3>

<p>

<h3><font color="#e00000">OpenBSD/sparc:</font></h3>

<ul>

Boot from one of the provided install ISO images, using one of the two

commands listed below, depending on the version of your ROM.

ok <strong>boot cdrom 5.8/sparc/bsd.rd</strong>

ok <kbd>boot cdrom 5.8/sparc/bsd.rd</kbd>

> <strong>b sd(0,6,0)5.8/sparc/bsd.rd</strong>

> <kbd>b sd(0,6,0)5.8/sparc/bsd.rd</kbd>

</pre></ul>

</pre>

<p>

If your SPARC system does not have a CD drive, you can alternatively boot from floppy.

Line 869

Line 833

To boot from the floppy use one of the two commands listed below,

depending on the version of your ROM.

ok <strong>boot floppy</strong>

ok <kbd>boot floppy</kbd>

> <strong>b fd()</strong>

> <kbd>b fd()</kbd></pre>

</pre></ul>

<p>

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install

Line 883

Line 846

If your SPARC system doesn't have a floppy drive nor a CD drive, you can either

setup a bootable tape, or install via network, as told in the

INSTALL.sparc file.

</ul>

<h3>OpenBSD/vax:</h3>

<p>

<h3><font color="#e00000">OpenBSD/vax:</font></h3>

<ul>

Boot over the network via mopbooting as described in INSTALL.vax.

</ul>

<h3>OpenBSD/zaurus:</h3>

<p>

<h3><font color="#e00000">OpenBSD/zaurus:</font></h3>

<ul>

<p>

Using the Linux built-in graphical ipkg installer, install the

openbsd58_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus

for a few important details.

</ul>

</section>

<hr>

<h3>How to upgrade</h3>

<p>

<h3><font color="#0000e0">How to upgrade</font></h3>

<p>

If you already have an OpenBSD 5.7 system, and do not want to reinstall,

upgrade instructions and advice can be found in the

<a href="faq/upgrade58.html">Upgrade Guide</a>.

</section>

<hr>

<h3>Notes about the source code</h3>

<p>

<h3><font color="#0000e0">Notes about the source code</font></h3>

<p>

src.tar.gz contains a source archive starting at /usr/src. This file

contains everything you need except for the kernel sources, which are

in a separate archive. To extract:

# <kbd>mkdir -p /usr/src</kbd>

# <kbd>cd /usr/src</kbd>

# <kbd>tar xvfz /tmp/src.tar.gz</kbd>

</pre></blockquote>

<p>

# <strong>mkdir -p /usr/src</strong>

# <strong>cd /usr/src</strong>

# <strong>tar xvfz /tmp/src.tar.gz</strong>

</pre></ul>

<p>

sys.tar.gz contains a source archive starting at /usr/src/sys.

This file contains all the kernel sources you need to rebuild kernels.

To extract:

<p>

# <kbd>mkdir -p /usr/src/sys</kbd>

# <strong>mkdir -p /usr/src/sys</strong>

# <kbd>cd /usr/src</kbd>

# <strong>cd /usr/src</strong>

# <strong>tar xvfz /tmp/sys.tar.gz</strong>

</pre></ul>

</pre></blockquote>

<p>

Both of these trees are a regular CVS checkout. Using these trees it

is possible to get a head-start on using the anoncvs servers as

Line 940

Line 900

Using these files

results in a much faster initial CVS update than you could expect from

a fresh checkout of the full OpenBSD source tree.

<p>

</section>

<hr>

<h3>Ports Tree</h3>

<p>

<h3><font color="#0000e0">Ports Tree</font></h3>

<p>

A ports tree archive is also provided. To extract:

# <kbd>cd /usr</kbd>

# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>

</pre></blockquote>

<p>

# <strong>cd /usr</strong>

# <strong>tar xvfz /tmp/ports.tar.gz</strong>

</pre></ul>

<p>

Go read the <a href="faq/ports/index.html">ports</a> page

if you know nothing about ports

at this point. This text is not a manual of how to use ports.

Line 961

Line 921

OpenBSD ports system.

<p>

The <i>ports/</i> directory represents a CVS (see the manpage for

cvs(1)</a> if

you aren't familiar with CVS) checkout of our ports. As with our complete

source tree, our ports tree is available via

Line 969

Line 929

So, in order to keep up to date with the -stable branch, you must make

the <i>ports/</i> tree available on a read-write medium and update the tree

with a command like:

<p>

# <strong>cd /usr/ports</strong>

# <strong>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_8</strong>

</pre></ul>

</pre></blockquote>

<p>

[Of course, you must replace the server name here with a nearby anoncvs

server.]

Line 984

Line 943

If you're interested in seeing a port added, would like to help out, or just

would like to know more, the mailing list

<a href="mail.html">ports@openbsd.org</a> is a good place to know.

<p>

</section>

</body>

</html>