===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/58.html,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -r1.77 -r1.78
--- www/58.html 2015/10/18 15:21:39 1.77
+++ www/58.html 2016/03/21 05:46:19 1.78
@@ -37,7 +37,7 @@
See a detailed log of changes between the
5.7 and 5.8 releases.
-
signify(1) pubkeys for this release:
+signify(1) pubkeys for this release:
base: RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60
fw: RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6
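Review bot: the only visible change around the signify(1) pubkeys is the dropped blank `-` line and the re-emitted "signify(1) pubkeys for this release:" line; the base and fw key strings themselves are unchanged context lines. Because these two keys are the trust anchor users verify the 5.8 sets and firmware against, confirm on the rendered page after commit that both key lines still appear verbatim and that the markup change did not merge them into the preceding paragraph.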
@@ -68,37 +68,37 @@
- Improved hardware support, including:
- - New rtwn(4) driver for Realtek RTL8188CE wifi cards.
-
- New hpb(4) driver for HyperTransport bridges as found in the IBM CPC945.
-
- The ugold(4) driver now supports TEMPerHUMV1.x temperature and humidity sensors.
-
- Improved sensor support for the upd(4) driver for USB Power Devices (UPS).
-
- Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.
-
- re(4) now works with newer devices e.g. RTL8111GU.
-
- Partial support has been added for full-speed isochronous devices in ehci(4), allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.
+
- New rtwn(4) driver for Realtek RTL8188CE wifi cards.
+
- New hpb(4) driver for HyperTransport bridges as found in the IBM CPC945.
+
- The ugold(4) driver now supports TEMPerHUMV1.x temperature and humidity sensors.
+
- Improved sensor support for the upd(4) driver for USB Power Devices (UPS).
+
- Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.
+
- re(4) now works with newer devices e.g. RTL8111GU.
+
- Partial support has been added for full-speed isochronous devices in ehci(4), allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.
- Improved macppc stability and G5 performances with MP kernels.
-
- acpicpu(4) uses ACPI C-state information to reduce power consumption of idle CPUs.
+
- acpicpu(4) uses ACPI C-state information to reduce power consumption of idle CPUs.
- Kernel supports x86 AVX instructions on CPUs that have them.
- Avoid assigning low address to PCI BARs, fixing various issues on machines whose BIOSes neglect to claim low memory.
-
- wscons(4) works with even more odd trackpads.
-
- Added pvbus(4) paravirtual device tree root on virtual machines that are running on hypervisors.
+
- wscons(4) works with even more odd trackpads.
+
- Added pvbus(4) paravirtual device tree root on virtual machines that are running on hypervisors.
- New octdwctwo(4) driver for USB support on OpenBSD/octeon.
-
- New amdcf(4) driver for embedded flash on OpenBSD/octeon.
-
- Support for RTL8188EU devices was added to the urtwn(4) driver.
+
- New amdcf(4) driver for embedded flash on OpenBSD/octeon.
+
- Support for RTL8188EU devices was added to the urtwn(4) driver.
- Removed hardware support:
- - The lmc(4) driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed.
-
- The san(4) driver for Sangoma Technologies AFT T1/E1 devices has been removed.
+
- The lmc(4) driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed.
+
- The san(4) driver for Sangoma Technologies AFT T1/E1 devices has been removed.
- Generic network stack improvements:
- - MTU of vlan(4) devices can now be set independently from the parent interface's MTU.
+
- MTU of vlan(4) devices can now be set independently from the parent interface's MTU.
- The same network range can now be assigned to multiple interfaces, using interface priorities to choose between them.
-
- New MPLS pseudowire driver mpw(4).
+
- New MPLS pseudowire driver mpw(4).
- Much preparatory work for MP unlocking of the network stack.
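Review bot: no wording changes in this hunk, every removed item reappears verbatim with only leading whitespace differing (the rtwn(4) through ehci(4) items, acpicpu(4), wscons(4) and pvbus(4), amdcf(4) and urtwn(4), the lmc(4) and san(4) removals, the vlan(4) MTU and mpw(4) items). Since this and the following hunks are reindentation of a long list, review them with `cvs diff -w` so that any real text change, or an accidentally dropped item, would stand out instead of being buried in whitespace noise.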
@@ -110,16 +110,16 @@
- The default answer is now 'no'.
- 'prohibit-password' has been added to the list of possible answers.
- autoinstall(8)
+ autoinstall(8)
has been extended to allow
- hostname-mode.conf response file names.
- response files to be placed in a subdir of the webserver's document root.
- passing a template file to
- disklabel(8)
+ disklabel(8)
to automatically partition the disk.
- ntpd(8)
+ ntpd(8)
is now enabled by default at install time.
DUID support has improved enough that new installs now use them unconditionally.
Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present.
@@ -130,83 +130,83 @@
Routing daemons and other userland network improvements:
- - Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
-
- bgpd(8) now allows rules to match on the peer AS number.
-
- For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
-
- ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
-
- Log messages in bgpd(8) and ospfd(8) have been made more specific.
-
- The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
-
- New radiusd(8),
+
- Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
+
- bgpd(8) now allows rules to match on the peer AS number.
+
- For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
+
- ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
+
- Log messages in bgpd(8) and ospfd(8) have been made more specific.
+
- The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
+
- New radiusd(8),
Remote Authentication Dial In User Service (RADIUS) daemon.
Security improvements:
- - sudo in base has been replaced with doas(1), sudo is available as a package.
-
- file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
-
- pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
+
- sudo in base has been replaced with doas(1), sudo is available as a package.
+
- file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
+
- pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without -P option now strips up through any ".." path components.
- Static PIE support for sparc.
- Alpha switched to secure PLT.
- Improved kernel checks of ELF headers.
- Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
- Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit.
-
- Work started on a new process-containment facility called tame(2).
+
- Work started on a new process-containment facility called tame(2).
Assorted improvements:
- - The worm(6)
+
- The worm(6)
now grows at a rate proportional to terminal size.
-
- dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
-
- cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
-
- pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
-
- nm(1) now supports the -D option for displaying the dynamic symbol table.
-
- dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
-
- Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped.
-
- sed(1) -i option added.
-
- New, much simpler man.conf(5) configuration file format
- for man(1),
- apropos(1),
- and makewhatis(8).
-
- When using man(1)
- with the less(1) pager,
+
- dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
+
- cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
+
- pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
+
- nm(1) now supports the -D option for displaying the dynamic symbol table.
+
- dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
+
- Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped.
+
- sed(1) -i option added.
+
- New, much simpler man.conf(5) configuration file format
+ for man(1),
+ apropos(1),
+ and makewhatis(8).
+
- When using man(1)
+ with the less(1) pager,
support the :t internal command
to search for definitions of keywords similar to what
- ctags(1) provides.
+ ctags(1) provides.
- Improvements in checking of numeric option values in many utilities.
- Upgraded to binutils version 2.17 with additional fixes.
-
- Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds.
-
- Restored reporting of closed sockets by netstat(1) and systat(1).
-
- fdisk(8) now zeros correct GPT sector at end of disk.
-
- fdisk(8) now accepts 'T' sizes for terabytes.
-
- fdisk(8) repaired to work on 4K sector disks again.
-
- dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present.
-
- dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
-
- dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit.
-
- dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
-
- Improvements to realloc(3) decrease system calls and increase efficiency.
+
- Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds.
+
- Restored reporting of closed sockets by netstat(1) and systat(1).
+
- fdisk(8) now zeros correct GPT sector at end of disk.
+
- fdisk(8) now accepts 'T' sizes for terabytes.
+
- fdisk(8) repaired to work on 4K sector disks again.
+
- dhcpd(8) now logs correct giaddr and ciaddr information even when DHCP relays are present.
+
- dhcpd(8) now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
+
- dhcpd(8) and dhclient(8) now accept hostnames beginning with a digit.
+
- dhclient(8) no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
+
- Improvements to realloc(3) decrease system calls and increase efficiency.
- The reaper now tears down dead processes without holding on to
the kernel lock. This greatly reduces latency and increases
performance on multi-processor systems.
-
OpenBSD httpd(8):
+OpenBSD httpd(8):
- New features:
- - Added support for matching and redirections with Lua patterns(7).
+
- Added support for matching and redirections with Lua patterns(7).
- Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
- Added byte-range support for range requests (RFC 7233).
- Allowing to specify a global or per-location default media type instead of application/octet-stream.
- Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
-
- Added initial regression test suite based on relayd(8)'s implementation.
+
- Added initial regression test suite based on relayd(8)'s implementation.
- Fixes and improvements:
- - TLS in httpd(8) and relayd(8) now defaults to TLSv1.2-only.
+
- TLS in httpd(8) and relayd(8) now defaults to TLSv1.2-only.
- Fixed support for large TLS keys or certificate bundles with up to 16KB each.
- Fixed the Content-Length header for files larger than 2 GB on 32-bit architectures.
- Fixed translation of CGI environment variables in accordance with RFCs 7230 and 3875.
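Review bot: the re-added line "Improved correctness of poll(2) and poll(2) of O_RDONLY FIFO fds." names poll(2) twice, which reads like a duplicated word; since the line is being rewritten in this hunk anyway, check the commit log for which system call was intended for the first mention and fix it here. Otherwise the hunk is whitespace-only; the security items (doas(1) replacing sudo, the sandboxed file(1), the pax(1)/tar(1)/cpio(1) symlink escape and ".." stripping fix, NX and W^X on i386, tame(2)) and the httpd(8) entries reappear unchanged.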
@@ -221,7 +221,7 @@
- OpenSMTPD 5.4.4
- - smtpd(8) reliability and bug fixes.
+
- smtpd(8) reliability and bug fixes.
- NOTE: Some security risks were discovered and fixed after the
OpenBSD 5.8 release.
See 5.8 errata 004.
@@ -232,32 +232,32 @@
- Security:
- - ssh(1):
+
- ssh(1):
when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be
permitted and no longer subject to XSECURITY restrictions because of
an ineffective timeout check in
- ssh(1)
+ ssh(1)
coupled with "fail open" behaviour in the X11 server when clients
attempted connections with expired credentials.
This problem was reported by Jann Horn.
-
- ssh-agent(1):
+
- ssh-agent(1):
fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
-
- sshd(8):
+
- sshd(8):
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to logged-in
users, including terminal escape sequences.
-
- sshd(8):
+
- sshd(8):
fix circumvention of MaxAuthTries using keyboard-interactive
authentication. By specifying a long, repeating keyboard-interactive
"devices" string, an attacker could request the same authentication
method be tried thousands of times in a single pass. The
LoginGraceTime timeout in
- sshd(8)
+ sshd(8)
and any authentication failure delays implemented by the authentication
mechanism itself were still applied.
@@ -274,7 +274,7 @@
http://www.openssh.com/legacy.html.
- Support for the legacy v00 cert format has been removed.
- The default for the
- sshd_config(5)
+ sshd_config(5)
PermitRootLogin option has changed from "yes" to
"prohibit-password" (but the OpenBSD installer defaults to "no").
- NOTE: 'PermitRootLogin prohibit-password' is subtly broken
@@ -283,38 +283,38 @@
- New/changed features:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
promote chacha20-poly1305@openssh.com to be the default
cipher.
-
- sshd(8):
+
- sshd(8):
support admin-specified arguments to AuthorizedKeysCommand.
(bz#2081)
-
- sshd(8):
+
- sshd(8):
add AuthorizedPrincipalsCommand that allows retrieving
authorized principals information from a subprocess rather than a
file.
-
- ssh(1),
- ssh-add(1):
+
- ssh(1),
+ ssh-add(1):
support PKCS#11 devices with external PIN entry devices. (bz#2240)
-
- sshd(8):
+
- sshd(8):
allow GSSAPI host credential check to be relaxed for multihomed
hosts via GSSAPIStrictAcceptorCheck option. (bz#928)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
support ssh-keygen -lF hostname to search known_hosts
and print key hashes rather than full keys.
-
- ssh-agent(1):
+
- ssh-agent(1):
add -D flag to leave
- ssh-agent(1)
+ ssh-agent(1)
in foreground without enabling debug mode. (bz#2381)
-
- ssh_config(5):
+
- ssh_config(5):
add PubkeyAcceptedKeyTypes option to control which public
key types are available for user authentication.
-
- sshd_config(5):
+
- sshd_config(5):
add HostKeyAlgorithms option to control which public key
types are offered for host authentications.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and
HostbasedKeyTypes options to allow appending to the default
@@ -324,100 +324,100 @@
- The following significant bugs have been fixed in this release:
- - ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and
do not try to use it against some 3rd-party SSH implementations that
use it (older PuTTY, WinSCP).
- Many fixes for problems caused by compile-time deactivation of
SSH1 support. (including bz#2369)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
cap DH-GEX group size at 4Kbits for Cisco implementations as some
would fail when attempting to use group sizes greater than 4K.
(bz#2209)
-
- ssh(1):
+
- ssh(1):
fix out-of-bound read in EscapeChar configuration option
parsing. (bz#2396)
-
- sshd(8):
+
- sshd(8):
fix application of PermitTunnel, LoginGraceTime,
AuthenticationMethods and StreamLocalBindMask
options in Match blocks.
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
improve disconnection message on TCP reset. (bz#2257)
-
- ssh(1):
+
- ssh(1):
remove failed remote forwards established by multiplexing from the
list of active forwards. (bz#2363)
-
- sshd(8):
+
- sshd(8):
make parsing of authorized_keys "environment="
options independent of PermitUserEnv being enabled. (bz#2329)
-
- sshd(8):
+
- sshd(8):
fix post-auth crash with permitopen=none. (bz#2355)
-
- ssh(1),
- ssh-add(1),
- ssh-keygen(1):
+
- ssh(1),
+ ssh-add(1),
+ ssh-keygen(1):
allow new-format private keys to be encrypted with AEAD ciphers.
(bz#2366)
-
- ssh(1):
+
- ssh(1):
allow ListenAddress, Port and AddressFamily
configuration options to appear in any order. (bz#86)
-
- sshd(8):
+
- sshd(8):
check for and reject missing arguments for VersionAddendum
and ForceCommand. (bz#2281)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
don't treat unknown certificate extensions as fatal. (bz#2387)
-
- ssh-keygen(1):
+
- ssh-keygen(1):
make stdout and stderr output consistent. (bz#2325)
-
- ssh(1):
+
- ssh(1):
mention missing DISPLAY environment in debug log when X11
forwarding requested. (bz#1682)
-
- sshd(8):
+
- sshd(8):
correctly record login when UseLogin is set. (bz#378)
-
- sshd(8):
+
- sshd(8):
add some missing options to sshd -T output and fix output
of VersionAddendum and HostCertificate. (bz#2346)
- Document and improve consistency of options that accept a
"none" argument: TrustedUserCAKeys,
RevokedKeys (bz#2382), AuthorizedPrincipalsFile
(bz#2288).
-
- ssh(1):
+
- ssh(1):
include remote username in debug output. (bz#2368)
-
- sshd(8):
+
- sshd(8):
avoid compatibility problem with some versions of Tera Term, which
would crash when they received the hostkeys notification message
(hostkeys-00@openssh.com).
-
- sshd(8):
+
- sshd(8):
mention ssh-keygen -E as useful when comparing legacy
MD5 host key fingerprints. (bz#2332)
-
- ssh(1):
+
- ssh(1):
clarify pseudo-terminal request behaviour and use make manual language
consistent. (bz#1716)
-
- ssh(1):
+
- ssh(1):
document that the TERM environment variable is not subject
to SendEnv and AcceptEnv. (bz#2386)
-
- ssh(1),
- sshd(8):
+
- ssh(1),
+ sshd(8):
add compatability workarounds for Cisco and more PuTTY versions.
(bz#2424)
- Fix some omissions and errors in the PROTOCOL and
PROTCOL.mux documentation relating to Unix domain
socket forwarding. (bz#2421, bz#2422)
-
- ssh(1):
+
- ssh(1):
Improve the
- ssh(1)
+ ssh(1)
manual page to include a better desciption of Unix domain socket
forwarding. (bz#2423)
-
- ssh(1),
- ssh-agent(1):
+
- ssh(1),
+ ssh-agent(1):
skip uninitialised PKCS#11 slots, fixing failures to load keys when
they are present. (bz#2427)
-
- ssh(1),
- ssh-agent(1):
+
- ssh(1),
+ ssh-agent(1):
do not ignore PKCS#11 hosted keys that wth empty CKA_ID.
(bz#2429)
-
- sshd(8):
+
- sshd(8):
clarify documentation for UseDNS option. (bz#2045)
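Review bot: while this hunk rewrites the whole OpenSSH bug-fix list, fix the typos carried in its unchanged lines: "compatability workarounds" should be "compatibility workarounds", "PROTCOL.mux" should be "PROTOCOL.mux", "better desciption of Unix domain socket" should be "better description", "hosted keys that wth empty CKA_ID" should be "hosted keys with empty CKA_ID", and "behaviour and use make manual language consistent" has a stray "use". The change itself is reindentation only; each removed `ssh(1)`/`sshd(8)` lead line comes back verbatim.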
@@ -442,11 +442,11 @@
- Fixed dozens of Coverity issues including dead code, memory leaks,
logic errors and more.
- Ensure that
- openssl(1)
+ openssl(1)
restores terminal echo state after reading a password.
- Incorporated fix for OpenSSL issue #3683.
- Removed SSLv3 support from
- openssl(1).
+ openssl(1).
- Modified tls_write in libtls to allow partial
writes, clarified with examples in the documentation.
- Removed RSAX engine.
@@ -471,19 +471,19 @@
- Code improvements: