=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/58.html,v retrieving revision 1.77 retrieving revision 1.78 diff -u -r1.77 -r1.78 --- www/58.html 2015/10/18 15:21:39 1.77 +++ www/58.html 2016/03/21 05:46:19 1.78 @@ -37,7 +37,7 @@
  • See a detailed log of changes between the 5.7 and 5.8 releases.

    -

  • signify(1) pubkeys for this release:
    +
  • signify(1) pubkeys for this release:
     base: RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60
 fw:   RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6
@@ -68,37 +68,37 @@
 
-    
  • autoinstall(8)
+    
  • autoinstall(8)
       has been extended to allow
       
      
       
    • hostname-mode.conf response file names.
       
    • response files to be placed in a subdir of the webserver's document root.
       
    • passing a template file to
-        disklabel(8)
+        disklabel(8)
         to automatically partition the disk.
       
    
-    
  • ntpd(8)
+    
  • ntpd(8)
       is now enabled by default at install time.
     
  • DUID support has improved enough that new installs now use them unconditionally.
     
  • Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present.
@@ -130,83 +130,83 @@
 
 
  • Routing daemons and other userland network improvements:
     
      
-    
    • Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
-    
    • bgpd(8) now allows rules to match on the peer AS number.
-    
    • For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
-    
    • ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
-    
    • Log messages in bgpd(8) and ospfd(8) have been made more specific.
-    
    • The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
-    
    • New radiusd(8),
+    
    • Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
+    
    • bgpd(8) now allows rules to match on the peer AS number.
+    
    • For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
+    
    • ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
+    
    • Log messages in bgpd(8) and ospfd(8) have been made more specific.
+    
    • The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
+    
    • New radiusd(8),
       Remote Authentication Dial In User Service (RADIUS) daemon.
     
    
 
    
 
 
  • Security improvements:
     
      
-    
    • sudo in base has been replaced with doas(1), sudo is available as a package.
-    
    • file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
-    
    • pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
+    
    • sudo in base has been replaced with doas(1), sudo is available as a package.
+    
    • file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
+    
    • pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
     
    • Static PIE support for sparc.
     
    • Alpha switched to secure PLT.
     
    • Improved kernel checks of ELF headers.
     
    • Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
     
    • Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit.
-    
    • Work started on a new process-containment facility called tame(2).
+    
    • Work started on a new process-containment facility called tame(2).
     
    
 
    
 
 
  • Assorted improvements:
     
      
-    
    • The worm(6)
+    
    • The worm(6)
     now grows at a rate proportional to terminal size.
-    
    • dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
-    
    • cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
-    
    • pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
-    
    • nm(1) now supports the -D option for displaying the dynamic symbol table.
-    
    • dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
-    
    • Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments.  iovec, msghdr, and cmsghdr structures are now dumped.
-    
    • sed(1) -i option added.
-    
    • New, much simpler man.conf(5) configuration file format
-	for man(1),
-	apropos(1),
-	and makewhatis(8).
-    
    • When using man(1)
-	with the less(1) pager,
+    
    • dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
+    
    • cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
+    
    • pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
+    
    • nm(1) now supports the -D option for displaying the dynamic symbol table.
+    
    • dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
+    
    • Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments.  iovec, msghdr, and cmsghdr structures are now dumped.
+    
    • sed(1) -i option added.
+    
    • New, much simpler man.conf(5) configuration file format
+	for man(1),
+	apropos(1),
+	and makewhatis(8).
+    
    • When using man(1)
+	with the less(1) pager,
 	support the :t internal command
 	to search for definitions of keywords similar to what
-	ctags(1) provides.
+	ctags(1) provides.
     
    • Improvements in checking of numeric option values in many utilities.
     
    • Upgraded to binutils version 2.17 with additional fixes.
-    
    • Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds.
-    
    • Restored reporting of closed sockets by netstat(1) and systat(1).
-    
    • fdisk(8) now zeros correct GPT sector at end of disk.
-    
    • fdisk(8) now accepts 'T' sizes for terabytes.
-    
    • fdisk(8) repaired to work on 4K sector disks again.
-    
    • dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present.
-    
    • dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
-    
    • dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit.
-    
    • dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
-    
    • Improvements to realloc(3) decrease system calls and increase efficiency.
+    
    • Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds.
+    
    • Restored reporting of closed sockets by netstat(1) and systat(1).
+    
    • fdisk(8) now zeros correct GPT sector at end of disk.
+    
    • fdisk(8) now accepts 'T' sizes for terabytes.
+    
    • fdisk(8) repaired to work on 4K sector disks again.
+    
    • dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present.
+    
    • dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
+    
    • dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit.
+    
    • dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
+    
    • Improvements to realloc(3) decrease system calls and increase efficiency.
     
    • The reaper now tears down dead processes without holding on to
     the kernel lock.  This greatly reduces latency and increases
     performance on multi-processor systems.
     
    
 
    
 
-
  • OpenBSD httpd(8):
+
  • OpenBSD httpd(8):
     
      
     
    • New features:
       
        
-      
      • Added support for matching and redirections with Lua patterns(7).
+      
      • Added support for matching and redirections with Lua patterns(7).
       
      • Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
       
      • Added byte-range support for range requests (RFC 7233).
       
      • Allowing to specify a global or per-location default media type instead of application/octet-stream.
       
      • Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
-      
      • Added initial regression test suite based on relayd(8)'s implementation.
+      
      • Added initial regression test suite based on relayd(8)'s implementation.
       
      
     
    • Fixes and improvements:
       
        
-      
      • TLS in httpd(8) and relayd(8) now defaults to TLSv1.2-only.
+      
      • TLS in httpd(8) and relayd(8) now defaults to TLSv1.2-only.
       
      • Fixed support for large TLS keys or certificate bundles with up to 16KB each.
       
      • Fixed the Content-Length header for files larger than 2 GB on 32-bit architectures.
       
      • Fixed translation of CGI environment variables in accordance with RFCs 7230 and 3875.
@@ -221,7 +221,7 @@
 
 
      • OpenSMTPD 5.4.4
     
          
-    
        • smtpd(8) reliability and bug fixes.
+    
        • smtpd(8) reliability and bug fixes.
     
        • NOTE:  Some security risks were discovered and fixed after the
 	OpenBSD 5.8 release.
         See 5.8 errata 004.
@@ -232,32 +232,32 @@
     
            
     
          • Security:
       
              
-      
            • ssh(1):
+      
            • ssh(1):
         when forwarding X11 connections with ForwardX11Trusted=no,
         connections made after ForwardX11Timeout expired could be
         permitted and no longer subject to XSECURITY restrictions because of
         an ineffective timeout check in
-        ssh(1)
+        ssh(1)
         coupled with "fail open" behaviour in the X11 server when clients
         attempted connections with expired credentials.
         This problem was reported by Jann Horn.
-      
            • ssh-agent(1):
+      
            • ssh-agent(1):
         fix weakness of agent locking (ssh-add -x) to
         password guessing by implementing an increasing failure delay,
         storing a salted hash of the password rather than the password
         itself and using a timing-safe comparison function for verifying
         unlock attempts.  This problem was reported by Ryan Castellucci.
-      
            • sshd(8):
+      
            • sshd(8):
         OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
         Local attackers may be able to write arbitrary messages to logged-in
         users, including terminal escape sequences.
-      
            • sshd(8):
+      
            • sshd(8):
         fix circumvention of MaxAuthTries using keyboard-interactive
         authentication.  By specifying a long, repeating keyboard-interactive
         "devices" string, an attacker could request the same authentication
         method be tried thousands of times in a single pass.  The
         LoginGraceTime timeout in
-        sshd(8)
+        sshd(8)
         and any authentication failure delays implemented by the authentication
         mechanism itself were still applied.
       
            
@@ -274,7 +274,7 @@
         http://www.openssh.com/legacy.html.
       
          • Support for the legacy v00 cert format has been removed.
       
          • The default for the
-        sshd_config(5)
+        sshd_config(5)
         PermitRootLogin option has changed from "yes" to
         "prohibit-password" (but the OpenBSD installer defaults to "no").
       
          • NOTE:  'PermitRootLogin prohibit-password' is subtly broken
@@ -283,38 +283,38 @@
       
          
     
        • New/changed features:
       
            
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         promote chacha20-poly1305@openssh.com to be the default
         cipher.
-      
          • sshd(8):
+      
          • sshd(8):
         support admin-specified arguments to AuthorizedKeysCommand.
         (bz#2081)
-      
          • sshd(8):
+      
          • sshd(8):
         add AuthorizedPrincipalsCommand that allows retrieving
         authorized principals information from a subprocess rather than a
         file.
-      
          • ssh(1),
-        ssh-add(1):
+      
          • ssh(1),
+        ssh-add(1):
         support PKCS#11 devices with external PIN entry devices.  (bz#2240)
-      
          • sshd(8):
+      
          • sshd(8):
         allow GSSAPI host credential check to be relaxed for multihomed
         hosts via GSSAPIStrictAcceptorCheck option.  (bz#928)
-      
          • ssh-keygen(1):
+      
          • ssh-keygen(1):
         support ssh-keygen -lF hostname to search known_hosts
         and print key hashes rather than full keys.
-      
          • ssh-agent(1):
+      
          • ssh-agent(1):
         add -D flag to leave
-        ssh-agent(1)
+        ssh-agent(1)
         in foreground without enabling debug mode.  (bz#2381)
-      
          • ssh_config(5):
+      
          • ssh_config(5):
         add PubkeyAcceptedKeyTypes option to control which public
         key types are available for user authentication.
-      
          • sshd_config(5):
+      
          • sshd_config(5):
         add HostKeyAlgorithms option to control which public key
         types are offered for host authentications.
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         extend Ciphers, MACs, KexAlgorithms,
         HostKeyAlgorithms, PubkeyAcceptedKeyTypes and
         HostbasedKeyTypes options to allow appending to the default
@@ -324,100 +324,100 @@
       
          
     
        • The following significant bugs have been fixed in this release:
       
            
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and
         do not try to use it against some 3rd-party SSH implementations that
         use it (older PuTTY, WinSCP).
       
          • Many fixes for problems caused by compile-time deactivation of
         SSH1 support.  (including bz#2369)
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         cap DH-GEX group size at 4Kbits for Cisco implementations as some
         would fail when attempting to use group sizes greater than 4K.
         (bz#2209)
-      
          • ssh(1):
+      
          • ssh(1):
         fix out-of-bound read in EscapeChar configuration option
         parsing.  (bz#2396)
-      
          • sshd(8):
+      
          • sshd(8):
         fix application of PermitTunnel, LoginGraceTime,
         AuthenticationMethods and StreamLocalBindMask
         options in Match blocks.
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         improve disconnection message on TCP reset.  (bz#2257)
-      
          • ssh(1):
+      
          • ssh(1):
         remove failed remote forwards established by multiplexing from the
         list of active forwards.  (bz#2363)
-      
          • sshd(8):
+      
          • sshd(8):
         make parsing of authorized_keys "environment="
         options independent of PermitUserEnv being enabled.  (bz#2329)
-      
          • sshd(8):
+      
          • sshd(8):
         fix post-auth crash with permitopen=none.  (bz#2355)
-      
          • ssh(1),
-        ssh-add(1),
-        ssh-keygen(1):
+      
          • ssh(1),
+        ssh-add(1),
+        ssh-keygen(1):
         allow new-format private keys to be encrypted with AEAD ciphers.
         (bz#2366)
-      
          • ssh(1):
+      
          • ssh(1):
         allow ListenAddress, Port and AddressFamily
         configuration options to appear in any order.  (bz#86)
-      
          • sshd(8):
+      
          • sshd(8):
         check for and reject missing arguments for VersionAddendum
         and ForceCommand.  (bz#2281)
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         don't treat unknown certificate extensions as fatal.  (bz#2387)
-      
          • ssh-keygen(1):
+      
          • ssh-keygen(1):
         make stdout and stderr output consistent.  (bz#2325)
-      
          • ssh(1):
+      
          • ssh(1):
         mention missing DISPLAY environment in debug log when X11
         forwarding requested.  (bz#1682)
-      
          • sshd(8):
+      
          • sshd(8):
         correctly record login when UseLogin is set.  (bz#378)
-      
          • sshd(8):
+      
          • sshd(8):
         add some missing options to sshd -T output and fix output
         of VersionAddendum and HostCertificate.  (bz#2346)
       
          • Document and improve consistency of options that accept a
         "none" argument: TrustedUserCAKeys,
         RevokedKeys (bz#2382), AuthorizedPrincipalsFile
         (bz#2288).
-      
          • ssh(1):
+      
          • ssh(1):
         include remote username in debug output.  (bz#2368)
-      
          • sshd(8):
+      
          • sshd(8):
         avoid compatibility problem with some versions of Tera Term, which
         would crash when they received the hostkeys notification message
         (hostkeys-00@openssh.com).
-      
          • sshd(8):
+      
          • sshd(8):
         mention ssh-keygen -E as useful when comparing legacy
         MD5 host key fingerprints.  (bz#2332)
-      
          • ssh(1):
+      
          • ssh(1):
         clarify pseudo-terminal request behaviour and use make manual language
         consistent.  (bz#1716)
-      
          • ssh(1):
+      
          • ssh(1):
         document that the TERM environment variable is not subject
         to SendEnv and AcceptEnv.  (bz#2386)
-      
          • ssh(1),
-        sshd(8):
+      
          • ssh(1),
+        sshd(8):
         add compatability workarounds for Cisco and more PuTTY versions.
         (bz#2424)
       
          • Fix some omissions and errors in the PROTOCOL and
         PROTCOL.mux documentation relating to Unix domain
         socket forwarding.  (bz#2421, bz#2422)
-      
          • ssh(1):
+      
          • ssh(1):
         Improve the
-        ssh(1)
+        ssh(1)
         manual page to include a better desciption of Unix domain socket
         forwarding.  (bz#2423)
-      
          • ssh(1),
-        ssh-agent(1):
+      
          • ssh(1),
+        ssh-agent(1):
         skip uninitialised PKCS#11 slots, fixing failures to load keys when
         they are present.  (bz#2427)
-      
          • ssh(1),
-        ssh-agent(1):
+      
          • ssh(1),
+        ssh-agent(1):
         do not ignore PKCS#11 hosted keys that wth empty CKA_ID.
         (bz#2429)
-      
          • sshd(8):
+      
          • sshd(8):
         clarify documentation for UseDNS option.  (bz#2045)
       
          
     
        
@@ -442,11 +442,11 @@
       
      • Fixed dozens of Coverity issues including dead code, memory leaks,
         logic errors and more.
       
      • Ensure that
-	openssl(1)
+	openssl(1)
         restores terminal echo state after reading a password.
       
      • Incorporated fix for OpenSSL issue #3683.
       
      • Removed SSLv3 support from
-	openssl(1).
+	openssl(1).
       
      • Modified tls_write in libtls to allow partial
         writes, clarified with examples in the documentation.
       
      • Removed RSAX engine.
@@ -471,19 +471,19 @@
       
      
     
    • Code improvements:
       
        
-      
      • Fix incorrect comparison function in openssl(1) certhash command.
+      
      • Fix incorrect comparison function in openssl(1) certhash command.
         Thanks to Christian Neukirchen / Void Linux.
       
      • Removal of OPENSSL_issetugid and all library getenv calls.
         Applications can and should no longer rely on environment variables
         for changing library behavior.
         OPENSSL_CONF and SSLEAY_CONF are still supported with the
-	openssl(1)
+	openssl(1)
         command, but note that $ENV:: is no longer supported in .cnf files.
       
      • libtls API and documentation additions.
       
      • Various bug fixes and simplifications to libssl and
         libcrypto.
       
      • Reworked
-	openssl(1)
+	openssl(1)
         option handling.
       
      • LibreSSL version define LIBRESSL_VERSION_NUMBER will now
         be bumped for each portable release.
@@ -496,18 +496,18 @@
 
      • Syslogd:
     
          
     
        • OpenBSD
-	syslogd(8)
+	syslogd(8)
 	can bind to explicitly given UDP or TCP sockets to receive messages.
 	TCP streams are accepted with the octet counting or the non
 	transparent framing method.
     
        • Blocks in
-	syslog.conf(5)
         started with +host process messages created by
         certain hosts specifically.
     
        • Handle situations when the file descriptor limit is exhausted
 	gracefully.
-    
        • Since libtls handles short writes smarter, syslogd(8) can use the
+    
        • Since libtls handles short writes smarter, syslogd(8) can use the
 	complete output buffer to save messages, coping with
         longer TLS server down times without losing messages.
     
        
@@ -947,7 +947,7 @@
 OpenBSD ports system.
 
        
 The ports/ directory represents a CVS (see the manpage for
-
+
 cvs(1) if
 you aren't familiar with CVS) checkout of our ports.  As with our complete
 source tree, our ports tree is available via