OpenBSD 5.8

What's New

This is a partial list of new features and systems included in OpenBSD 5.8. For a comprehensive list, see the changelog leading to 5.8.

Improved hardware support, including:
- New rtwn(4) driver for Realtek RTL8188CE wifi cards. !
- New hpb(4) driver for HyperTransport bridges as found in the IBM CPC945. !
- The ugold(4) driver now supports TEMPerHUMV1.x temperature and humidity sensors. !
- Improved sensor support for the upd(4) driver for USB Power Devices (UPS). !
- Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU. !
- re(4) now works with newer devices e.g. RTL8111GU. !
- Partial support has been added for full-speed isochronous devices in ehci(4), allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.
- Improved macppc stability and G5 performances with MP kernels. !
- acpicpu(4) uses ACPI C-state information to reduce power consumption of idle CPUs.
- Kernel supports x86 AVX instructions on CPUs that have them.
- Avoid assigning low address to PCI BARs, fixing various issues on machines whose BIOSes neglect to claim low memory. !
- wscons(4) works with even more odd trackpads. !
- Added pvbus(4) paravirtual device tree root on virtual machines that are running on hypervisors.
- New octdwctwo(4) driver for USB support on OpenBSD/octeon. !
- New amdcf(4) driver for embedded flash on OpenBSD/octeon. !
- Support for RTL8188EU devices was added to the urtwn(4) driver.
Removed hardware support:
- The lmc(4) driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed. !
- The san(4) driver for Sangoma Technologies AFT T1/E1 devices has been removed.
Generic network stack improvements:
- MTU of vlan(4) devices can now be set independently from the parent interface's MTU.
- The same network range can now be assigned to multiple interfaces, using interface priorities to choose between them. !
- New MPLS pseudowire driver mpw(4).
- Much preparatory work for MP unlocking of the network stack.
*************** *** 124,139 ****
The default answer is now 'no'.
'prohibit-password' has been added to the list of possible answers.

autoinstall(8) has been extended to allow

hostname-mode.conf response file names.
response files to be placed in a subdir of the webserver's document root.
passing a template file to ! disklabel(8) to automatically partition the disk.

ntpd(8) is now enabled by default at install time.

DUID support has improved enough that new installs now use them unconditionally.

Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present. --- 124,139 ----

The default answer is now 'no'.

'prohibit-password' has been added to the list of possible answers. !

autoinstall(8) has been extended to allow

hostname-mode.conf response file names.
response files to be placed in a subdir of the webserver's document root.
passing a template file to ! disklabel(8) to automatically partition the disk.

ntpd(8) is now enabled by default at install time.

DUID support has improved enough that new installs now use them unconditionally.

Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present. *************** *** 144,220 ****

Routing daemons and other userland network improvements:

Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces. !
bgpd(8) now allows rules to match on the peer AS number. !
For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session. !
ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup. !
Log messages in bgpd(8) and ospfd(8) have been made more specific. !
The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072. !
New radiusd(8), Remote Authentication Dial In User Service (RADIUS) daemon.

Security improvements:

sudo in base has been replaced with doas(1), sudo is available as a package. !
file(1) has been replaced with a new modern implementation, including sandbox and privilege separation. !
pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
Static PIE support for sparc.
Alpha switched to secure PLT.
Improved kernel checks of ELF headers.
Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit. !
Work started on a new process-containment facility called tame(2).

Assorted improvements:

The worm(6) now grows at a rate proportional to terminal size. !
dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries. !
cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision. !
pax(1) now detects failure to decompress an archive when reading it and errors out immediately. !
nm(1) now supports the -D option for displaying the dynamic symbol table. !
dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed. !
Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped. !
sed(1) -i option added. !
New, much simpler man.conf(5) configuration file format ! for man(1), ! apropos(1), ! and makewhatis(8). !
When using man(1) ! with the less(1) pager, ! support the :t internal command to search for definitions of keywords similar to what ! ctags(1) provides.
Improvements in checking of numeric option values in many utilities.
Upgraded to binutils version 2.17 with additional fixes. !
Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds. !
Restored reporting of closed sockets by netstat(1) and systat(1). !
fdisk(8) now zeros correct GPT sector at end of disk. !
fdisk(8) now accepts 'T' sizes for terabytes. !
fdisk(8) repaired to work on 4K sector disks again. !
dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present. !
dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent. !
dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit. !
dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works. !
Improvements to realloc(3) decrease system calls and increase efficiency.
The reaper now tears down dead processes without holding on to the kernel lock. This greatly reduces latency and increases performance on multi-processor systems.

OpenBSD httpd(8):

New features:
- Added support for matching and redirections with Lua patterns(7).
- Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
- Added byte-range support for range requests (RFC 7233). !
- Allowing to specify a global or per-location default media type instead of application/octet-stream.
- Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
- Added initial regression test suite based on relayd(8)'s implementation.
--- 144,220 ----
Routing daemons and other userland network improvements:
- Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces. !
- bgpd(8) now allows rules to match on the peer AS number. !
- For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session. !
- ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup. !
- Log messages in bgpd(8) and ospfd(8) have been made more specific. !
- The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072. !
- New radiusd(8), Remote Authentication Dial In User Service (RADIUS) daemon.
Security improvements:
- sudo in base has been replaced with doas(1), sudo is available as a package. !
- file(1) has been replaced with a new modern implementation, including sandbox and privilege separation. !
- pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
- Static PIE support for sparc.
- Alpha switched to secure PLT.
- Improved kernel checks of ELF headers.
- Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
- Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit. !
- Work started on a new process-containment facility called tame(2).
Assorted improvements:
- The worm(6) now grows at a rate proportional to terminal size. !
- dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries. !
- cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision. !
- pax(1) now detects failure to decompress an archive when reading it and errors out immediately. !
- nm(1) now supports the -D option for displaying the dynamic symbol table. !
- dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed. !
- Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped. !
- sed(1) -i option added. !
- New, much simpler man.conf(5) configuration file format ! for man(1), ! apropos(1), ! and makewhatis(8). !
- When using man(1) ! with the less(1) pager, ! support the :t internal command to search for definitions of keywords similar to what ! ctags(1) provides.
- Improvements in checking of numeric option values in many utilities.
- Upgraded to binutils version 2.17 with additional fixes. !
- Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds. !
- Restored reporting of closed sockets by netstat(1) and systat(1). !
- fdisk(8) now zeros correct GPT sector at end of disk. !
- fdisk(8) now accepts 'T' sizes for terabytes. !
- fdisk(8) repaired to work on 4K sector disks again. !
- dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present. !
- dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent. !
- dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit. !
- dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works. !
- Improvements to realloc(3) decrease system calls and increase efficiency.
- The reaper now tears down dead processes without holding on to the kernel lock. This greatly reduces latency and increases performance on multi-processor systems.
!
OpenBSD httpd(8):
- New features:
  - Added support for matching and redirections with Lua patterns(7).
  - Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
  - Added byte-range support for range requests (RFC 7233). !
  - Allowing to specify a global or per-location default media type instead of application/octet-stream.
  - Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
  - Added initial regression test suite based on relayd(8)'s implementation.
  *************** *** 235,241 ****
- OpenSMTPD 5.4.4
  - smtpd(8) reliability and bug fixes.
  - NOTE: Some security risks were discovered and fixed after the OpenBSD 5.8 release. See 5.8 errata 004. --- 235,241 ----
  - OpenSMTPD 5.4.4
    - smtpd(8) reliability and bug fixes.
    - NOTE: Some security risks were discovered and fixed after the OpenBSD 5.8 release. See 5.8 errata 004. *************** *** 246,277 ****
      - Security:
        !
        ssh(1): ! when forwarding X11 connections with ForwardX11Trusted=no, ! connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ! ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. !
        ssh-agent(1): ! fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. !
        sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. !
        sshd(8): ! fix circumvention of MaxAuthTries using keyboard-interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The ! LoginGraceTime timeout in ! sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied.
        --- 246,277 ----
        
        Security:
        !
        ssh(1): ! when forwarding X11 connections with ForwardX11Trusted=no, ! connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ! ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. !
        ssh-agent(1): ! fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. !
        sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. !
        sshd(8): ! fix circumvention of MaxAuthTries using keyboard-interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The ! LoginGraceTime timeout in ! sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied.
        *************** *** 281,295 **** default at compile time.
        Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using ! the instructions at https://www.openssh.com/legacy.html. !
        Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at ! https://www.openssh.com/legacy.html.
        Support for the legacy v00 cert format has been removed.
        The default for the ! sshd_config(5) ! PermitRootLogin option has changed from "yes" to "prohibit-password" (but the OpenBSD installer defaults to "no").
        NOTE: 'PermitRootLogin prohibit-password' is subtly broken in the OpenBSD 5.8 / OpenSSH 7.0. See --- 281,295 ---- default at compile time.
        Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using ! the instructions at https://www.openssh.com/legacy.html. !
        Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at ! https://www.openssh.com/legacy.html.
        Support for the legacy v00 cert format has been removed.
        The default for the ! sshd_config(5) ! PermitRootLogin option has changed from "yes" to "prohibit-password" (but the OpenBSD installer defaults to "no").
        NOTE: 'PermitRootLogin prohibit-password' is subtly broken in the OpenBSD 5.8 / OpenSSH 7.0. See *************** *** 297,438 ****
      - New/changed features:
        !
        ssh(1), ! sshd(8): ! promote chacha20-poly1305@openssh.com to be the default cipher. !
        sshd(8): ! support admin-specified arguments to AuthorizedKeysCommand. (bz#2081) !
        sshd(8): ! add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file. !
        ssh(1), ! ssh-add(1): support PKCS#11 devices with external PIN entry devices. (bz#2240) !
        sshd(8): allow GSSAPI host credential check to be relaxed for multihomed ! hosts via GSSAPIStrictAcceptorCheck option. (bz#928) !
        ssh-keygen(1): ! support ssh-keygen -lF hostname to search known_hosts and print key hashes rather than full keys. !
        ssh-agent(1): ! add -D flag to leave ! ssh-agent(1) in foreground without enabling debug mode. (bz#2381) !
        ssh_config(5): ! add PubkeyAcceptedKeyTypes option to control which public key types are available for user authentication. !
        sshd_config(5): ! add HostKeyAlgorithms option to control which public key types are offered for host authentications. !
        ssh(1), ! sshd(8): ! extend Ciphers, MACs, KexAlgorithms, ! HostKeyAlgorithms, PubkeyAcceptedKeyTypes and ! HostbasedKeyTypes options to allow appending to the default set of algorithms instead of replacing it. Options may now be ! prefixed with a + to append to the default, e.g. ! "HostKeyAlgorithms=+ssh-dss".
      - The following significant bugs have been fixed in this release:
        !
        ssh(1), ! sshd(8): ! deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP).
        Many fixes for problems caused by compile-time deactivation of SSH1 support. (including bz#2369) !
        ssh(1), ! sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes greater than 4K. (bz#2209) !
        ssh(1): ! fix out-of-bound read in EscapeChar configuration option parsing. (bz#2396) !
        sshd(8): ! fix application of PermitTunnel, LoginGraceTime, ! AuthenticationMethods and StreamLocalBindMask ! options in Match blocks. !
        ssh(1), ! sshd(8): improve disconnection message on TCP reset. (bz#2257) !
        ssh(1): remove failed remote forwards established by multiplexing from the list of active forwards. (bz#2363) !
        sshd(8): ! make parsing of authorized_keys "environment=" ! options independent of PermitUserEnv being enabled. (bz#2329) !
        sshd(8): ! fix post-auth crash with permitopen=none. (bz#2355) !
        ssh(1), ! ssh-add(1), ! ssh-keygen(1): allow new-format private keys to be encrypted with AEAD ciphers. (bz#2366) !
        ssh(1): ! allow ListenAddress, Port and AddressFamily configuration options to appear in any order. (bz#86) !
        sshd(8): ! check for and reject missing arguments for VersionAddendum ! and ForceCommand. (bz#2281) !
        ssh(1), ! sshd(8): don't treat unknown certificate extensions as fatal. (bz#2387) !
        ssh-keygen(1): ! make stdout and stderr output consistent. (bz#2325) !
        ssh(1): ! mention missing DISPLAY environment in debug log when X11 forwarding requested. (bz#1682) !
        sshd(8): ! correctly record login when UseLogin is set. (bz#378) !
        sshd(8): ! add some missing options to sshd -T output and fix output ! of VersionAddendum and HostCertificate. (bz#2346)
        Document and improve consistency of options that accept a ! "none" argument: TrustedUserCAKeys, ! RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288). !
        ssh(1): include remote username in debug output. (bz#2368) !
        sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message ! (hostkeys-00@openssh.com). !
        sshd(8): ! mention ssh-keygen -E as useful when comparing legacy MD5 host key fingerprints. (bz#2332) !
        ssh(1): clarify pseudo-terminal request behaviour and use make manual language consistent. (bz#1716) !
        ssh(1): ! document that the TERM environment variable is not subject ! to SendEnv and AcceptEnv. (bz#2386) !
        ssh(1), ! sshd(8): add compatability workarounds for Cisco and more PuTTY versions. (bz#2424) !
        Fix some omissions and errors in the PROTOCOL and ! PROTCOL.mux documentation relating to Unix domain socket forwarding. (bz#2421, bz#2422) !
        ssh(1): Improve the ! ssh(1) manual page to include a better desciption of Unix domain socket forwarding. (bz#2423) !
        ssh(1), ! ssh-agent(1): skip uninitialised PKCS#11 slots, fixing failures to load keys when they are present. (bz#2427) !
        ssh(1), ! ssh-agent(1): ! do not ignore PKCS#11 hosted keys that wth empty CKA_ID. (bz#2429) !
        sshd(8): ! clarify documentation for UseDNS option. (bz#2045)
      --- 297,438 ----
  - New/changed features:
    !
    ssh(1), ! sshd(8): ! promote chacha20-poly1305@openssh.com to be the default cipher. !
    sshd(8): ! support admin-specified arguments to AuthorizedKeysCommand. (bz#2081) !
    sshd(8): ! add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file. !
    ssh(1), ! ssh-add(1): support PKCS#11 devices with external PIN entry devices. (bz#2240) !
    sshd(8): allow GSSAPI host credential check to be relaxed for multihomed ! hosts via GSSAPIStrictAcceptorCheck option. (bz#928) !
    ssh-keygen(1): ! support ssh-keygen -lF hostname to search known_hosts and print key hashes rather than full keys. !
    ssh-agent(1): ! add -D flag to leave ! ssh-agent(1) in foreground without enabling debug mode. (bz#2381) !
    ssh_config(5): ! add PubkeyAcceptedKeyTypes option to control which public key types are available for user authentication. !
    sshd_config(5): ! add HostKeyAlgorithms option to control which public key types are offered for host authentications. !
    ssh(1), ! sshd(8): ! extend Ciphers, MACs, KexAlgorithms, ! HostKeyAlgorithms, PubkeyAcceptedKeyTypes and ! HostbasedKeyTypes options to allow appending to the default set of algorithms instead of replacing it. Options may now be ! prefixed with a + to append to the default, e.g. ! "HostKeyAlgorithms=+ssh-dss".
  - The following significant bugs have been fixed in this release:
    !
    ssh(1), ! sshd(8): ! deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP).
    Many fixes for problems caused by compile-time deactivation of SSH1 support. (including bz#2369) !
    ssh(1), ! sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes greater than 4K. (bz#2209) !
    ssh(1): ! fix out-of-bound read in EscapeChar configuration option parsing. (bz#2396) !
    sshd(8): ! fix application of PermitTunnel, LoginGraceTime, ! AuthenticationMethods and StreamLocalBindMask ! options in Match blocks. !
    ssh(1), ! sshd(8): improve disconnection message on TCP reset. (bz#2257) !
    ssh(1): remove failed remote forwards established by multiplexing from the list of active forwards. (bz#2363) !
    sshd(8): ! make parsing of authorized_keys "environment=" ! options independent of PermitUserEnv being enabled. (bz#2329) !
    sshd(8): ! fix post-auth crash with permitopen=none. (bz#2355) !
    ssh(1), ! ssh-add(1), ! ssh-keygen(1): allow new-format private keys to be encrypted with AEAD ciphers. (bz#2366) !
    ssh(1): ! allow ListenAddress, Port and AddressFamily configuration options to appear in any order. (bz#86) !
    sshd(8): ! check for and reject missing arguments for VersionAddendum ! and ForceCommand. (bz#2281) !
    ssh(1), ! sshd(8): don't treat unknown certificate extensions as fatal. (bz#2387) !
    ssh-keygen(1): ! make stdout and stderr output consistent. (bz#2325) !
    ssh(1): ! mention missing DISPLAY environment in debug log when X11 forwarding requested. (bz#1682) !
    sshd(8): ! correctly record login when UseLogin is set. (bz#378) !
    sshd(8): ! add some missing options to sshd -T output and fix output ! of VersionAddendum and HostCertificate. (bz#2346)
    Document and improve consistency of options that accept a ! "none" argument: TrustedUserCAKeys, ! RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288). !
    ssh(1): include remote username in debug output. (bz#2368) !
    sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message ! (hostkeys-00@openssh.com). !
    sshd(8): ! mention ssh-keygen -E as useful when comparing legacy MD5 host key fingerprints. (bz#2332) !
    ssh(1): clarify pseudo-terminal request behaviour and use make manual language consistent. (bz#1716) !
    ssh(1): ! document that the TERM environment variable is not subject ! to SendEnv and AcceptEnv. (bz#2386) !
    ssh(1), ! sshd(8): add compatability workarounds for Cisco and more PuTTY versions. (bz#2424) !
    Fix some omissions and errors in the PROTOCOL and ! PROTCOL.mux documentation relating to Unix domain socket forwarding. (bz#2421, bz#2422) !
    ssh(1): Improve the ! ssh(1) manual page to include a better desciption of Unix domain socket forwarding. (bz#2423) !
    ssh(1), ! ssh-agent(1): skip uninitialised PKCS#11 slots, fixing failures to load keys when they are present. (bz#2427) !
    ssh(1), ! ssh-agent(1): ! do not ignore PKCS#11 hosted keys that wth empty CKA_ID. (bz#2429) !
    sshd(8): ! clarify documentation for UseDNS option. (bz#2045)
  *************** *** 447,480 **** CVE-2015-1788, CVE-2015-1789, CVE-2015-1792.
- Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API. !
- Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL.
- Removed Dynamic Engine support.
- Removed MDC-2DES support. !
- Switched openssl dhparam default from 512 to 2048 bits. !
- Fixed openssl pkeyutl -verify to exit with a 0 on success.
- Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.
- Ensure that ! openssl(1) restores terminal echo state after reading a password.
- Incorporated fix for OpenSSL issue #3683.
- Removed SSLv3 support from ! openssl(1). !
- Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation.
- Removed RSAX engine.
- Tested SSLv3 removal with the OpenBSD ports tree and found several applications that were not ready to build without SSLv3 yet. For now, building a program that intentionally uses SSLv3 will result in a linker warning. !
- Added TLS_method, TLS_client_method and ! TLS_server_method as a replacement for the ! SSLv23_*method calls. !
- Default cert.pem, openssl.cnf, and ! x509v3.cnf files are now installed under ! $sysconfdir/ssl or the directory specified by ! --with-openssldir. Previous versions of LibreSSL left these empty.
- NOTE: LibreSSL 2.2.2 in OpenBSD 5.8 incorrectly handles ClientHello messages that do not include TLS extensions, resulting --- 447,480 ---- CVE-2015-1788, CVE-2015-1789, CVE-2015-1792.
- Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API. !
- Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL.
- Removed Dynamic Engine support.
- Removed MDC-2DES support. !
- Switched openssl dhparam default from 512 to 2048 bits. !
- Fixed openssl pkeyutl -verify to exit with a 0 on success.
- Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.
- Ensure that ! openssl(1) restores terminal echo state after reading a password.
- Incorporated fix for OpenSSL issue #3683.
- Removed SSLv3 support from ! openssl(1). !
- Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation.
- Removed RSAX engine.
- Tested SSLv3 removal with the OpenBSD ports tree and found several applications that were not ready to build without SSLv3 yet. For now, building a program that intentionally uses SSLv3 will result in a linker warning. !
- Added TLS_method, TLS_client_method and ! TLS_server_method as a replacement for the ! SSLv23_*method calls. !
- Default cert.pem, openssl.cnf, and ! x509v3.cnf files are now installed under ! $sysconfdir/ssl or the directory specified by ! --with-openssldir. Previous versions of LibreSSL left these empty.
- NOTE: LibreSSL 2.2.2 in OpenBSD 5.8 incorrectly handles ClientHello messages that do not include TLS extensions, resulting *************** *** 485,559 ****
Code improvements:
!
Fix incorrect comparison function in openssl(1) certhash command. Thanks to Christian Neukirchen / Void Linux. !
Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. ! OPENSSL_CONF and SSLEAY_CONF are still supported with the ! openssl(1) command, but note that $ENV:: is no longer supported in .cnf files. !
libtls API and documentation additions. !
Various bug fixes and simplifications to libssl and ! libcrypto.
Reworked ! openssl(1) option handling. !
LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped for each portable release.
Removed workarounds for TLS client padding bugs.
Removed IE 6 SSLv3 workarounds. !
--with-enginesdir is removed as a configuration parameter.

Syslogd:

OpenBSD ! syslogd(8) can bind to explicitly given UDP or TCP sockets to receive messages. TCP streams are accepted with the octet counting or the non transparent framing method.
Blocks in ! syslog.conf(5) started with +host process messages created by certain hosts specifically.
Handle situations when the file descriptor limit is exhausted gracefully. !
Since libtls handles short writes smarter, syslogd(8) can use the complete output buffer to save messages, coping with longer TLS server down times without losing messages.

!

Ports and packages: !
!
Many pre-built packages for each architecture: ! ! !
!

alpha: 7093
amd64: 8866
hppa: 5813 -

i386: 8839
mips64: 4267
mips64el: 5922 -

powerpc: 8114
sh: 133
sparc64: 7851 -

sparc: 3655
vax: 1959 !
!
!
Some highlights: ! ! !

Chromium 44.0.2403.125
Emacs 21.4 and 24.5
GCC 4.8.4 and 4.9.3 --- 485,549 ----

Code improvements:
!
Fix incorrect comparison function in openssl(1) certhash command. Thanks to Christian Neukirchen / Void Linux. !
Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. ! OPENSSL_CONF and SSLEAY_CONF are still supported with the ! openssl(1) command, but note that $ENV:: is no longer supported in .cnf files. !
libtls API and documentation additions. !
Various bug fixes and simplifications to libssl and ! libcrypto.
Reworked ! openssl(1) option handling. !
LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped for each portable release.
Removed workarounds for TLS client padding bugs.
Removed IE 6 SSLv3 workarounds. !
--with-enginesdir is removed as a configuration parameter.

Syslogd:

OpenBSD ! syslogd(8) can bind to explicitly given UDP or TCP sockets to receive messages. TCP streams are accepted with the octet counting or the non transparent framing method.
Blocks in ! syslog.conf(5) started with +host process messages created by certain hosts specifically.
Handle situations when the file descriptor limit is exhausted gracefully. !
Since libtls handles short writes smarter, syslogd(8) can use the complete output buffer to save messages, coping with longer TLS server down times without losing messages.

!
Ports and packages: ! !
Many pre-built packages for each architecture: !

alpha: 7093
amd64: 8866
hppa: 5813
i386: 8839
mips64: 4267
mips64el: 5922
powerpc: 8114
sh: 133
sparc64: 7851
sparc: 3655
vax: 1959 !
!
Some highlights: !

Chromium 44.0.2403.125
Emacs 21.4 and 24.5
GCC 4.8.4 and 4.9.3 *************** *** 569,575 ****
Mono 3.12.1
Mozilla Firefox 38.1.1esr and 39.0.3
Mozilla Thunderbird 38.1.0 -

Node.js 0.10.35
OpenLDAP 2.3.43 and 2.4.41
PHP 5.4.43, 5.5.27 and 5.6.11 --- 559,564 ---- *************** *** 584,595 ****
TeX Live 2014
Vim 7.4.769
Xfce 4.12 !
!
!

As usual, steady improvements in manual pages and other documentation. -

The system includes the following major components from outside suppliers:
--- 573,581 ----
TeX Live 2014
Vim 7.4.769
Xfce 4.12 !

As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
*************** *** 607,620 ****
Less 458 (+ patches)
Awk Aug 10, 2011 version
- -

-
How to install
-
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style --- 593,607 ----
Less 458 (+ patches)
Awk Aug 10, 2011 version +

How to install

Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style *************** *** 674,687 ****

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above! -

OpenBSD/i386:

The OpenBSD/i386 release is on CD1. Boot from the CD to begin the install - you may need to adjust your BIOS options first. --- 661,675 ----

OpenBSD/i386:

! !

The OpenBSD/i386 release is on CD1. Boot from the CD to begin the install - you may need to adjust your BIOS options first. *************** *** 699,709 **** If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386. !

OpenBSD/amd64:

The OpenBSD/amd64 release is on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first. *************** *** 720,730 ****

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64. -

OpenBSD/macppc:

OpenBSD/macppc boot

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64. +

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot. *************** *** 732,742 ****

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /5.8/macppc/bsd.rd -

OpenBSD/sparc64:

boot cdrom

--- 717,726 ----

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /5.8/macppc/bsd.rd +

OpenBSD/sparc64:

Put CD3 in your CDROM drive and type boot cdrom.

*************** *** 755,766 ****

If nothing works, you can boot over the network as described in INSTALL.sparc64. -

OpenBSD/alpha:

Write FTP:5.8/alpha/floppy58.fs or FTP:5.8/alpha/floppyB58.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details. --- 739,749 ----

If nothing works, you can boot over the network as described in INSTALL.sparc64. +

OpenBSD/alpha:

! Write FTP:5.8/alpha/floppy58.fs or FTP:5.8/alpha/floppyB58.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details. *************** *** 768,779 **** Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail. !

OpenBSD/armish:

After connecting a serial port, Thecus can boot directly from the network either tftp or http. Configure the network using fconfig, reset, then load bsd.rd, see INSTALL.armish for specific details. --- 751,759 ---- Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail. !

OpenBSD/armish:

After connecting a serial port, Thecus can boot directly from the network either tftp or http. Configure the network using fconfig, reset, then load bsd.rd, see INSTALL.armish for specific details. *************** *** 781,835 **** and copy 'boot' and bsd.rd into the first partition on wd0 (hda1) then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition. More details are available in INSTALL.armish. -

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page. -

OpenBSD/landisk:

Write miniroot58.fs to the start of the CF or disk, and boot normally. -

OpenBSD/loongson:

Write miniroot58.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details. -

OpenBSD/luna88k:

! Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details. -

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details. -

OpenBSD/sgi:

To install, burn cd58.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from --- 761,802 ---- and copy 'boot' and bsd.rd into the first partition on wd0 (hda1) then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition. More details are available in INSTALL.armish. +

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page. +

OpenBSD/landisk:

Write miniroot58.fs to the start of the CF or disk, and boot normally. +

OpenBSD/loongson:

Write miniroot58.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details. +

OpenBSD/luna88k:

! Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details. +

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details. +

OpenBSD/sgi:

To install, burn cd58.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from *************** *** 840,866 **** If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details. -

OpenBSD/socppc:

After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details. -

OpenBSD/sparc:

! ok boot cdrom 5.8/sparc/bsd.rd
  or
! > b sd(0,6,0)5.8/sparc/bsd.rd
!

If your SPARC system does not have a CD drive, you can alternatively boot from floppy. --- 807,830 ---- If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details. +

OpenBSD/socppc:

After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details. +

OpenBSD/sparc:

Boot from one of the provided install ISO images, using one of the two commands listed below, depending on the version of your ROM. !

! ok boot cdrom 5.8/sparc/bsd.rd
  or
! > b sd(0,6,0)5.8/sparc/bsd.rd
!

If your SPARC system does not have a CD drive, you can alternatively boot from floppy. *************** *** 869,879 **** To boot from the floppy use one of the two commands listed below, depending on the version of your ROM. !

! ok boot floppy
  or
! > b fd()
!

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install --- 833,842 ---- To boot from the floppy use one of the two commands listed below, depending on the version of your ROM. !

! ok boot floppy
  or
! > b fd()

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install *************** *** 883,938 **** If your SPARC system doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file. -

OpenBSD/vax:

Boot over the network via mopbooting as described in INSTALL.vax. -

OpenBSD/zaurus:

Using the Linux built-in graphical ipkg installer, install the openbsd58_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details. -

How to upgrade

If you already have an OpenBSD 5.7 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide. -

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

- # mkdir -p /usr/src
- # cd /usr/src
- # tar xvfz /tmp/src.tar.gz
-

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract: !

! # mkdir -p /usr/src/sys
! # cd /usr/src
  # tar xvfz /tmp/sys.tar.gz
!

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as --- 846,898 ---- If your SPARC system doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file. +

OpenBSD/vax:

Boot over the network via mopbooting as described in INSTALL.vax. +

OpenBSD/zaurus:

Using the Linux built-in graphical ipkg installer, install the openbsd58_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details. !

+ +

How to upgrade

If you already have an OpenBSD 5.7 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide. +

+ +

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract: +

+ # mkdir -p /usr/src
+ # cd /usr/src
+ # tar xvfz /tmp/src.tar.gz
+

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract: !

! # mkdir -p /usr/src/sys
! # cd /usr/src
  # tar xvfz /tmp/sys.tar.gz
!

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as *************** *** 940,959 **** Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree. !

Ports Tree

A ports tree archive is also provided. To extract:

- # cd /usr
- # tar xvfz /tmp/ports.tar.gz
-

Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. --- 900,919 ---- Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree. !

! OpenBSD ! 5.8

! OpenBSD ! 5.8

What's New

What's New

How to install

How to install

OpenBSD/i386:

OpenBSD/i386:

OpenBSD/amd64:

OpenBSD/amd64:

OpenBSD/macppc:

OpenBSD/macppc:

OpenBSD/sparc64:

OpenBSD/sparc64:

OpenBSD/alpha:

OpenBSD/alpha:

OpenBSD/armish:

OpenBSD/armish:

OpenBSD/hppa:

OpenBSD/landisk:

OpenBSD/loongson:

OpenBSD/luna88k:

OpenBSD/octeon:

OpenBSD/sgi:

OpenBSD/hppa:

OpenBSD/landisk:

OpenBSD/loongson:

OpenBSD/luna88k:

OpenBSD/octeon:

OpenBSD/sgi:

OpenBSD/socppc:

OpenBSD/sparc:

OpenBSD/socppc:

OpenBSD/sparc:

OpenBSD/vax:

OpenBSD/zaurus:

How to upgrade

Notes about the source code

OpenBSD/vax:

OpenBSD/zaurus:

How to upgrade

Notes about the source code

Ports Tree

Ports Tree