version 1.74, 2016/03/19 03:27:36 |
version 1.75, 2016/03/21 05:46:19 |
|
|
<li>See a <a href="plus59.html">detailed log of changes</a> between the |
<li>See a <a href="plus59.html">detailed log of changes</a> between the |
5.8 and 5.9 releases. |
5.8 and 5.9 releases. |
<p> |
<p> |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=signify">signify(1)</a> |
<li><a href="http://man.openbsd.org?query=signify">signify(1)</a> |
pubkeys for this release:<br> |
pubkeys for this release:<br> |
<pre> |
<pre> |
base: RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn |
base: RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn |
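Review bot: the new signify(1) href puts the query string directly after the host (`http://man.openbsd.org?query=signify`), leaving the path empty. That is a valid URI, but it relies on every client and link checker normalising the empty path to `/`; writing `http://man.openbsd.org/?query=signify` makes the request target explicit. Since every man link is rewritten in this revision anyway, it is also the natural place to decide whether the scheme should stay on plain http.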
|
|
<p> |
<p> |
<li>Improved hardware support, including: |
<li>Improved hardware support, including: |
<ul> |
<ul> |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=asmc">asmc(4)</a> |
<li>New <a href="http://man.openbsd.org?query=asmc">asmc(4)</a> |
driver for the Apple System Management Controller. |
driver for the Apple System Management Controller. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchtemp">pchtemp(4)</a> |
<li>New <a href="http://man.openbsd.org?query=pchtemp">pchtemp(4)</a> |
driver for the thermal sensor found on Intel X99, C610 series, 9 series |
driver for the thermal sensor found on Intel X99, C610 series, 9 series |
and 100 series PCH. |
and 100 series PCH. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=uonerng">uonerng(4)</a> |
<li>New <a href="http://man.openbsd.org?query=uonerng">uonerng(4)</a> |
driver for the Moonbase Otago OneRNG. |
driver for the Moonbase Otago OneRNG. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dwiic">dwiic(4)</a> |
<li>New <a href="http://man.openbsd.org?query=dwiic">dwiic(4)</a> |
driver for the Synopsys DesignWare I2C controller. |
driver for the Synopsys DesignWare I2C controller. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ikbd">ikbd(4)</a>, |
<li>New <a href="http://man.openbsd.org?query=ikbd">ikbd(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ims">ims(4)</a>, and |
<a href="http://man.openbsd.org?query=ims">ims(4)</a>, and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=imt">imt(4)</a> |
<a href="http://man.openbsd.org?query=imt">imt(4)</a> |
drivers for HID-over-i2c keyboards, mice and multitouch touchpads. |
drivers for HID-over-i2c keyboards, mice and multitouch touchpads. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=efifb">efifb(4)</a> |
<li>New <a href="http://man.openbsd.org?query=efifb">efifb(4)</a> |
driver for EFI frame buffer. |
driver for EFI frame buffer. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=viocon">viocon(4)</a> |
<li>New <a href="http://man.openbsd.org?query=viocon">viocon(4)</a> |
driver for the |
driver for the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=virtio">virtio(4)</a> |
<a href="http://man.openbsd.org?query=virtio">virtio(4)</a> |
console interface provided by KVM, QEMU, and others. |
console interface provided by KVM, QEMU, and others. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xen">xen(4)</a> |
<li>New <a href="http://man.openbsd.org?query=xen">xen(4)</a> |
driver implementing Xen domU initialization and PVHVM device attachment. |
driver implementing Xen domU initialization and PVHVM device attachment. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xspd">xspd(4)</a> |
<li>New <a href="http://man.openbsd.org?query=xspd">xspd(4)</a> |
driver for the XenSource Platform Device providing guests with additional |
driver for the XenSource Platform Device providing guests with additional |
capabilities. |
capabilities. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xnf">xnf(4)</a> |
<li>New <a href="http://man.openbsd.org?query=xnf">xnf(4)</a> |
driver for Xen paravirtualized networking interface. |
driver for Xen paravirtualized networking interface. |
<li>amd64 can now boot from 32 bit and 64 bit EFI. |
<li>amd64 can now boot from 32 bit and 64 bit EFI. |
<li>Initial support for hardware reduced ACPI added to |
<li>Initial support for hardware reduced ACPI added to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=acpi">acpi(4)</a>. |
<a href="http://man.openbsd.org?query=acpi">acpi(4)</a>. |
<li>Support for ACPI configured SD host controllers has been added to |
<li>Support for ACPI configured SD host controllers has been added to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sdhc">sdhc(4)</a>. |
<a href="http://man.openbsd.org?query=sdhc">sdhc(4)</a>. |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=puc">puc(4)</a> |
<li>The <a href="http://man.openbsd.org?query=puc">puc(4)</a> |
driver now supports Moxa CP-168U, Perle Speed8 LE and QEMU PCI serial devices. |
driver now supports Moxa CP-168U, Perle Speed8 LE and QEMU PCI serial devices. |
<li>Intel 100 Series PCH Ethernet MAC with i219 PHY support has been added to the |
<li>Intel 100 Series PCH Ethernet MAC with i219 PHY support has been added to the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em">em(4)</a> driver. |
<a href="http://man.openbsd.org?query=em">em(4)</a> driver. |
<li>RTL8168H/RTL8111H support has been added to |
<li>RTL8168H/RTL8111H support has been added to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re&sec=4">re(4)</a>. |
<a href="http://man.openbsd.org?query=re&sec=4">re(4)</a>. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=inteldrm">inteldrm(4)</a> |
<li><a href="http://man.openbsd.org?query=inteldrm">inteldrm(4)</a> |
has been updated to Linux 3.14.52 adding initial support for Bay Trail |
has been updated to Linux 3.14.52 adding initial support for Bay Trail |
and Broadwell graphics. |
and Broadwell graphics. |
<li>Support for audio in Thinkpad docks has been added to the |
<li>Support for audio in Thinkpad docks has been added to the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=azalia">azalia(4)</a> |
<a href="http://man.openbsd.org?query=azalia">azalia(4)</a> |
driver. |
driver. |
<li>Support for Synaptic touchpads without W mode has been added to the |
<li>Support for Synaptic touchpads without W mode has been added to the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pms">pms(4)</a> |
<a href="http://man.openbsd.org?query=pms">pms(4)</a> |
driver. |
driver. |
<li>Support for tap-and-drag detection with ALPS touchpads in the |
<li>Support for tap-and-drag detection with ALPS touchpads in the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pms">pms(4)</a> |
<a href="http://man.openbsd.org?query=pms">pms(4)</a> |
driver has been improved. |
driver has been improved. |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sdmmc">sdmmc(4)</a> |
<li>The <a href="http://man.openbsd.org?query=sdmmc">sdmmc(4)</a> |
driver now supports sector mode for eMMC devices, such as those found on |
driver now supports sector mode for eMMC devices, such as those found on |
some BeagleBone Black boards. |
some BeagleBone Black boards. |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac">cnmac(4)</a> |
<li>The <a href="http://man.openbsd.org?query=cnmac">cnmac(4)</a> |
driver now supports checksum offloading. |
driver now supports checksum offloading. |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipmi">ipmi(4)</a> |
<li>The <a href="http://man.openbsd.org?query=ipmi">ipmi(4)</a> |
driver now supports OpenIPMI compatible character device. |
driver now supports OpenIPMI compatible character device. |
<li>... |
<li>... |
</ul> |
</ul> |
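Review bot: the re(4) href in the hardware list still carries a bare ampersand on the new side (`query=re&sec=4`). Inside an HTML attribute the separator should be written `&amp;`, and since the line is being touched for the host change it can be fixed in the same edit: `query=re&amp;sec=4`.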
|
|
</ul> |
</ul> |
<p> |
<p> |
|
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a> |
<li><a href="http://man.openbsd.org?query=pledge">pledge(2)</a> |
support integrated: |
support integrated: |
<ul> |
<ul> |
<li>The tame(2) system call was renamed to pledge(2). |
<li>The tame(2) system call was renamed to pledge(2). |
|
|
<ul> |
<ul> |
<li><a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/asr/asr.c?rev=1.50&content-type=text/x-cvsweb-markup"> |
<li><a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/asr/asr.c?rev=1.50&content-type=text/x-cvsweb-markup"> |
support for HOSTALIASES</a> in the |
support for HOSTALIASES</a> in the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=asr_run"> |
<a href="http://man.openbsd.org?query=asr_run"> |
resolver</a>. |
resolver</a>. |
<li><a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/asr/asr.c?rev=1.49&content-type=text/x-cvsweb-markup"> |
<li><a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/asr/asr.c?rev=1.49&content-type=text/x-cvsweb-markup"> |
support for <tt>lookup yp</tt></a> |
support for <tt>lookup yp</tt></a> |
in |
in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=resolv.conf"> |
<a href="http://man.openbsd.org?query=resolv.conf"> |
resolv.conf(5)</a>. |
resolv.conf(5)</a>. |
<li><a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/rename.c?rev=1.2&content-type=text/x-cvsweb-markup"> |
<li><a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/rename.c?rev=1.2&content-type=text/x-cvsweb-markup"> |
setuid-preserving code</a> |
setuid-preserving code</a> |
|
|
<li>handling of |
<li>handling of |
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/ed.c?rev=1.1&content-type=text/x-cvsweb-markup"> |
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/ed.c?rev=1.1&content-type=text/x-cvsweb-markup"> |
ed-style diffs</a> via proc/exec in |
ed-style diffs</a> via proc/exec in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=patch"> |
<a href="http://man.openbsd.org?query=patch"> |
patch(1)</a>. |
patch(1)</a>. |
</ul> |
</ul> |
<li>Userland programs were audited so that they could be properly annotated |
<li>Userland programs were audited so that they could be properly annotated |
|
|
addition of |
addition of |
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/rdate/rdate.c?rev=1.33&content-type=text/x-cvsweb-markup"> |
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/rdate/rdate.c?rev=1.33&content-type=text/x-cvsweb-markup"> |
privilege separation</a> to |
privilege separation</a> to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rdate"> |
<a href="http://man.openbsd.org?query=rdate"> |
rdate(8)</a>, |
rdate(8)</a>, |
<li> |
<li> |
addition of |
addition of |
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sndiod/sndiod.c?rev=1.18&content-type=text/x-cvsweb-markup"> |
<a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sndiod/sndiod.c?rev=1.18&content-type=text/x-cvsweb-markup"> |
privilege separation</a> to |
privilege separation</a> to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sndiod"> |
<a href="http://man.openbsd.org?query=sndiod"> |
sndiod(8)</a>, |
sndiod(8)</a>, |
<li>or the introduction of the <tt>SOCK_DNS</tt> |
<li>or the introduction of the <tt>SOCK_DNS</tt> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=socket"> |
<a href="http://man.openbsd.org?query=socket"> |
socket(2)</a> flag that makes an <tt>SS_DNS</tt> tagged socket |
socket(2)</a> flag that makes an <tt>SS_DNS</tt> tagged socket |
conceptually different from a plain socket. |
conceptually different from a plain socket. |
</ul> |
</ul> |
<li>pledge(2) is also used to constrain programs that handle untrusted data |
<li>pledge(2) is also used to constrain programs that handle untrusted data |
to a very limited subset of POSIX. |
to a very limited subset of POSIX. |
For example, |
For example, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strings"> |
<a href="http://man.openbsd.org?query=strings"> |
strings(1)</a> or |
strings(1)</a> or |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=objdump"> |
<a href="http://man.openbsd.org?query=objdump"> |
objdump(1)</a> from the <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/objdump.c?rev=1.2&content-type=text/x-cvsweb-markup"> |
objdump(1)</a> from the <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/objdump.c?rev=1.2&content-type=text/x-cvsweb-markup"> |
binutils</a> or the <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ca.c?rev=1.15&content-type=text/x-cvsweb-markup"> |
binutils</a> or the <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ca.c?rev=1.15&content-type=text/x-cvsweb-markup"> |
RSA-privsep process</a> in |
RSA-privsep process</a> in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd"> |
<a href="http://man.openbsd.org?query=smtpd"> |
smtpd(8)</a>. |
smtpd(8)</a>. |
</ul> |
</ul> |
<p> |
<p> |
|
|
<li>The task processing incoming packets can now run mostly in parallel |
<li>The task processing incoming packets can now run mostly in parallel |
of the rest of the kernel, this include: |
of the rest of the kernel, this include: |
<ul> |
<ul> |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=carp">carp(4)</a>, |
<li><a href="http://man.openbsd.org?query=carp">carp(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=trunk">trunk(4)</a>, |
<a href="http://man.openbsd.org?query=trunk">trunk(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vlan">vlan(4)</a> |
<a href="http://man.openbsd.org?query=vlan">vlan(4)</a> |
and other pseudo-driver with the exception of |
and other pseudo-driver with the exception of |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bridge">bridge(4)</a>. |
<a href="http://man.openbsd.org?query=bridge">bridge(4)</a>. |
<li>Ethernet decapsulation, ARP processing and MPLS forwarding path. |
<li>Ethernet decapsulation, ARP processing and MPLS forwarding path. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bpf">bpf(4)</a> |
<li><a href="http://man.openbsd.org?query=bpf">bpf(4)</a> |
filter matching. |
filter matching. |
</ul> |
</ul> |
<li>The Rx and Tx rings of the |
<li>The Rx and Tx rings of the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ix">ix(4)</a>, |
<a href="http://man.openbsd.org?query=ix">ix(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=myx">myx(4)</a>, |
<a href="http://man.openbsd.org?query=myx">myx(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em">em(4)</a>, |
<a href="http://man.openbsd.org?query=em">em(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bge">bge(4)</a>, |
<a href="http://man.openbsd.org?query=bge">bge(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bnx">bnx(4)</a>, |
<a href="http://man.openbsd.org?query=bnx">bnx(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vmx">vmx(4)</a>, |
<a href="http://man.openbsd.org?query=vmx">vmx(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gem">gem(4)</a>, |
<a href="http://man.openbsd.org?query=gem">gem(4)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re">re(4)</a> and |
<a href="http://man.openbsd.org?query=re">re(4)</a> and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cas">cas(4)</a> |
<a href="http://man.openbsd.org?query=cas">cas(4)</a> |
drivers can now be processed in parallel of the rest of the kernel. |
drivers can now be processed in parallel of the rest of the kernel. |
<li>The Rx ring of the |
<li>The Rx ring of the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac">cnmac(4)</a> |
<a href="http://man.openbsd.org?query=cnmac">cnmac(4)</a> |
driver can now be processed in parallel of the rest of the kernel. |
driver can now be processed in parallel of the rest of the kernel. |
</ul> |
</ul> |
<p> |
<p> |
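Review bot: the re(4) entry in the Rx/Tx ring list is rewritten to `http://man.openbsd.org?query=re` with no section, while the re(4) entry in the hardware support list uses `query=re&sec=4`. The two links to the same page should agree; carrying the `sec=4` parameter over here keeps the target pinned to the driver page instead of depending on the server's default section lookup.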
|
|
<li>Initial IEEE 802.11n wireless support: |
<li>Initial IEEE 802.11n wireless support: |
<ul> |
<ul> |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ieee80211">ieee80211(9)</a> |
<li>The <a href="http://man.openbsd.org?query=ieee80211">ieee80211(9)</a> |
subsystem now supports HT data rates up to 65 Mbit/s (802.11n MCS 0-7). |
subsystem now supports HT data rates up to 65 Mbit/s (802.11n MCS 0-7). |
<li>The input path of |
<li>The input path of |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ieee80211">ieee80211(9)</a> |
<a href="http://man.openbsd.org?query=ieee80211">ieee80211(9)</a> |
now supports receiving A-MPDU and A-MSDU aggregated frames. |
now supports receiving A-MPDU and A-MSDU aggregated frames. |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwm">iwm(4)</a> |
<li>The <a href="http://man.openbsd.org?query=iwm">iwm(4)</a> |
and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwn">iwn(4)</a> |
and <a href="http://man.openbsd.org?query=iwn">iwn(4)</a> |
drivers make use of the above features. |
drivers make use of the above features. |
<li>802.11n mode is used by default if supported by the OpenBSD wireless |
<li>802.11n mode is used by default if supported by the OpenBSD wireless |
driver and the access point. |
driver and the access point. |
Operation in 802.11a, 802.11b, and 802.11g modes can be forced with |
Operation in 802.11a, 802.11b, and 802.11g modes can be forced with |
the new <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig">ifconfig(8)</a> |
the new <a href="http://man.openbsd.org?query=ifconfig">ifconfig(8)</a> |
<tt>mode</tt> subcommand. |
<tt>mode</tt> subcommand. |
</ul> |
</ul> |
<p> |
<p> |
|
|
<li>Generic network stack improvements: |
<li>Generic network stack improvements: |
<ul> |
<ul> |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=etherip">etherip(4)</a> |
<li>New <a href="http://man.openbsd.org?query=etherip">etherip(4)</a> |
pseudo-device for tunnelling Ethernet frames across IP[46] networks |
pseudo-device for tunnelling Ethernet frames across IP[46] networks |
using RFC 3378 EtherIP encapsulation. |
using RFC 3378 EtherIP encapsulation. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pair">pair(4)</a> |
<li>New <a href="http://man.openbsd.org?query=pair">pair(4)</a> |
pseudo-device for creating paired virtual Ethernet interfaces. |
pseudo-device for creating paired virtual Ethernet interfaces. |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tap">tap(4)</a> |
<li>New <a href="http://man.openbsd.org?query=tap">tap(4)</a> |
pseudo-device splitted up from |
pseudo-device splitted up from |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun">tun(4)</a> |
<a href="http://man.openbsd.org?query=tun">tun(4)</a> |
providing a layer 3 interface with userland. |
providing a layer 3 interface with userland. |
<li>Remove support for obsolete IPv6 socket options. |
<li>Remove support for obsolete IPv6 socket options. |
<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwn">iwn(4)</a> |
<li>The <a href="http://man.openbsd.org?query=iwn">iwn(4)</a> |
driver now passes IEEE 802.11 control frames in monitor mode, allowing |
driver now passes IEEE 802.11 control frames in monitor mode, allowing |
full capture of traffic on a particular wireless channel. |
full capture of traffic on a particular wireless channel. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pflow">pflow(4)</a> |
<li><a href="http://man.openbsd.org?query=pflow">pflow(4)</a> |
now supports IPv6 for transport. |
now supports IPv6 for transport. |
<li>... |
<li>... |
</ul> |
</ul> |
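Review bot: the tap(4) item keeps "pseudo-device splitted up from" on both sides of the diff. The links on the neighbouring lines are already being edited, so the wording can be corrected to "split off from" in the same pass. The trailing clause "providing a layer 3 interface with userland" follows the tun(4) link, and it would read more clearly if the sentence said outright which of the two devices it describes.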
|
|
<li>Installing to a disk partitioned with a GPT is now supported (amd64 only). |
<li>Installing to a disk partitioned with a GPT is now supported (amd64 only). |
<li>When initializing a GPT the required EFI System partition is automatically created. |
<li>When initializing a GPT the required EFI System partition is automatically created. |
<li>When installing to a GPT disk |
<li>When installing to a GPT disk |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=installboot"> |
<a href="http://man.openbsd.org?query=installboot"> |
installboot(8)</a> |
installboot(8)</a> |
now formats the EFI System partition, creates the appropriate directory |
now formats the EFI System partition, creates the appropriate directory |
structure and copies the required UEFI boot files into place. |
structure and copies the required UEFI boot files into place. |
|
|
|
|
<li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
<ul> |
<ul> |
<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=eigrpd">eigrpd(8)</a> |
<li>New <a href="http://man.openbsd.org?query=eigrpd">eigrpd(8)</a> |
routing daemon for the Enhanced Interior Gateway Routing Protocol. |
routing daemon for the Enhanced Interior Gateway Routing Protocol. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
now supports multiple domain names provided via DHCP option 15 (Domain Name). |
now supports multiple domain names provided via DHCP option 15 (Domain Name). |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
now supports search domains provided via DHCP option 119 (Domain Search). |
now supports search domains provided via DHCP option 119 (Domain Search). |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
no longer continually checks for a change to the routing domain of the |
no longer continually checks for a change to the routing domain of the |
interface it controls. It now relies on the appropriate routing socket |
interface it controls. It now relies on the appropriate routing socket |
messages. |
messages. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
now issues DHCP DECLINE responses to lease offers found to be inadequate, |
now issues DHCP DECLINE responses to lease offers found to be inadequate, |
and restarts the DISCOVER/RENEW process rather than waiting indefinitely |
and restarts the DISCOVER/RENEW process rather than waiting indefinitely |
for a better lease to appear. |
for a better lease to appear. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
no longer exits if a desired route cannot be added. It now just reports |
no longer exits if a desired route cannot be added. It now just reports |
the fact. |
the fact. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
now takes a much more careful approach to received packets to ensure |
now takes a much more careful approach to received packets to ensure |
only received data is used to process the packet. |
only received data is used to process the packet. |
Packets with incorrect length information or lacking appropriate header |
Packets with incorrect length information or lacking appropriate header |
information are now dropped. |
information are now dropped. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a> |
<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a> |
again disables pending timeouts if the interface link is lost, |
again disables pending timeouts if the interface link is lost, |
preventing endless retries at obtaining a lease. |
preventing endless retries at obtaining a lease. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd">dhcpd(8)</a> |
<li><a href="http://man.openbsd.org?query=dhcpd">dhcpd(8)</a> |
again properly utilizes default-lease-time, max-lease-time and |
again properly utilizes default-lease-time, max-lease-time and |
bootp-lease-time options. |
bootp-lease-time options. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump">tcpdump(8)</a> |
<li><a href="http://man.openbsd.org?query=tcpdump">tcpdump(8)</a> |
now displays more information about IEEE 802.11 frames when run with |
now displays more information about IEEE 802.11 frames when run with |
the -y IEEE802_11_RADIO and -v options. |
the -y IEEE802_11_RADIO and -v options. |
<li>Several interoperability issues in |
<li>Several interoperability issues in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iked">iked(8)</a> |
<a href="http://man.openbsd.org?query=iked">iked(8)</a> |
have been fixed, including EAP auth with OS X El Capitan. |
have been fixed, including EAP auth with OS X El Capitan. |
<li>... |
<li>... |
</ul> |
</ul> |
|
|
IPsec stack for the ESP protocol. |
IPsec stack for the ESP protocol. |
<li>Support for looking up hosts via YP has been removed from libc. |
<li>Support for looking up hosts via YP has been removed from libc. |
The 'yp' lookup method in |
The 'yp' lookup method in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=resolv.conf"> |
<a href="http://man.openbsd.org?query=resolv.conf"> |
resolv.conf</a> |
resolv.conf</a> |
is no longer available. |
is no longer available. |
<li>Support for the HOSTALIASES environment variable has been removed from libc. |
<li>Support for the HOSTALIASES environment variable has been removed from libc. |
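Review bot: the link text for the YP removal item is `resolv.conf` without a section number, while the pledge list earlier on the page writes the same link as `resolv.conf(5)`. Using `resolv.conf(5)` here as well keeps the man page references consistent across the page.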
|
|
|
|
<li>Assorted improvements: |
<li>Assorted improvements: |
<ul> |
<ul> |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=doas">doas(1)</a> |
<li><a href="http://man.openbsd.org?query=doas">doas(1)</a> |
is a little friendlier to use. |
is a little friendlier to use. |
<li>Updated |
<li>Updated |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=flex">flex(1)</a>. |
<a href="http://man.openbsd.org?query=flex">flex(1)</a>. |
<li>Forked <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=less">less(1)</a> |
<li>Forked <a href="http://man.openbsd.org?query=less">less(1)</a> |
from upstream, then proceeded to clean it up substantially. |
from upstream, then proceeded to clean it up substantially. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pdisk">pdisk(8)</a> |
<li><a href="http://man.openbsd.org?query=pdisk">pdisk(8)</a> |
was largely rewritten and pledged. |
was largely rewritten and pledged. |
<li>Renaming files in the root directory of a MSDOS filesystem was fixed. |
<li>Renaming files in the root directory of a MSDOS filesystem was fixed. |
<li>Many obsolete |
<li>Many obsolete |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=disktab">disktab(5)</a> |
<a href="http://man.openbsd.org?query=disktab">disktab(5)</a> |
attributes and entries were removed. |
attributes and entries were removed. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=softraid">softraid(4)</a> |
<li><a href="http://man.openbsd.org?query=softraid">softraid(4)</a> |
volumes now correctly look for the disklabel in the first OpenBSD disk |
volumes now correctly look for the disklabel in the first OpenBSD disk |
partition, not the last. |
partition, not the last. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=softraid">softraid(4)</a> |
<li><a href="http://man.openbsd.org?query=softraid">softraid(4)</a> |
volumes can now be partitioned with a GPT. |
volumes can now be partitioned with a GPT. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a> |
<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a> |
now creates a default GPT as well as the protective MBR when the '-g' |
now creates a default GPT as well as the protective MBR when the '-g' |
flag is used. |
flag is used. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a> |
<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a> |
now has a '-b' flag that specifies the size of the EFI System partition |
now has a '-b' flag that specifies the size of the EFI System partition |
to create. |
to create. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a> |
<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a> |
now has a '-v' flag that causes a verbose display of both MBR and GPT |
now has a '-v' flag that causes a verbose display of both MBR and GPT |
information. |
information. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a> |
<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a> |
now provides full interactive GPT editing. |
now provides full interactive GPT editing. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a> |
<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a> |
was pledged. |
was pledged. |
<li>Disks with sector sizes other than 512 bytes can now be partitioned with |
<li>Disks with sector sizes other than 512 bytes can now be partitioned with |
a GPT. |
a GPT. |
|
|
and GENERIC derived kernels. |
and GENERIC derived kernels. |
<li>Many improvements were made to the GPT kernel support to ensure safe and |
<li>Many improvements were made to the GPT kernel support to ensure safe and |
reliable operation of GPT and MBR processing. |
reliable operation of GPT and MBR processing. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=disklabel">disklabel(8)</a> |
<li><a href="http://man.openbsd.org?query=disklabel">disklabel(8)</a> |
no longer supports boot code installation, with the -B and -b flags |
no longer supports boot code installation, with the -B and -b flags |
being removed. |
being removed. |
The associated fields in the disklabel were also removed. |
The associated fields in the disklabel were also removed. |
These functions are now all performed by |
These functions are now all performed by |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=installboot"> |
<a href="http://man.openbsd.org?query=installboot"> |
installboot(8)</a>. |
installboot(8)</a>. |
<li>PowerPC converted to secure-PLT ABI variant. |
<li>PowerPC converted to secure-PLT ABI variant. |
<li>Perform lazy binding updates in |
<li>Perform lazy binding updates in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so">ld.so(1)</a> |
<a href="http://man.openbsd.org?query=ld.so">ld.so(1)</a> |
using |
using |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kbind">kbind(2)</a> |
<a href="http://man.openbsd.org?query=kbind">kbind(2)</a> |
to improve security and reduce overhead in threaded processes. |
to improve security and reduce overhead in threaded processes. |
<li>Over 100 internal or obsolete interfaces have been deleted or are no |
<li>Over 100 internal or obsolete interfaces have been deleted or are no |
longer exported by libc, reducing symbol conflicts and process size. |
longer exported by libc, reducing symbol conflicts and process size. |
|
|
symbol overriding, improve standards compliance, increase speed, |
symbol overriding, improve standards compliance, increase speed, |
and reduce dynamic linking overhead. |
and reduce dynamic linking overhead. |
<li>Handle intra-thread kills via new |
<li>Handle intra-thread kills via new |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=thrkill">thrkill(2)</a> |
<a href="http://man.openbsd.org?query=thrkill">thrkill(2)</a> |
system call to tighten |
system call to tighten |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a> |
<a href="http://man.openbsd.org?query=pledge">pledge(2)</a> |
restrictions and improve |
restrictions and improve |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_kill">pthread_kill(3)</a> |
<a href="http://man.openbsd.org?query=pthread_kill">pthread_kill(3)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_cancel">pthread_cancel(3)</a> |
<a href="http://man.openbsd.org?query=pthread_cancel">pthread_cancel(3)</a> |
compliance. |
compliance. |
<li>Added <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam_shadow"> |
<li>Added <a href="http://man.openbsd.org?query=getpwnam_shadow"> |
getpwnam_shadow(3)</a> |
getpwnam_shadow(3)</a> |
and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getpwuid_shadow"> |
and <a href="http://man.openbsd.org?query=getpwuid_shadow"> |
getpwuid_shadow(3)</a> |
getpwuid_shadow(3)</a> |
to permit tighter |
to permit tighter |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a> |
<a href="http://man.openbsd.org?query=pledge">pledge(2)</a> |
restrictions. |
restrictions. |
<li>Added support to |
<li>Added support to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace">ktrace(1)</a> |
<a href="http://man.openbsd.org?query=ktrace">ktrace(1)</a> |
the arguments to |
the arguments to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=execve">execve(2)</a> |
<a href="http://man.openbsd.org?query=execve">execve(2)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a>. |
<a href="http://man.openbsd.org?query=pledge">pledge(2)</a>. |
Removed support for tracing context switch points. |
Removed support for tracing context switch points. |
<tt>kevent</tt> structures are now dumped. |
<tt>kevent</tt> structures are now dumped. |
<li>Disabled support for loading locales other than UTF-8. |
<li>Disabled support for loading locales other than UTF-8. |
<li>UTF-8 character locale data has been updated to Unicode 7.0.0. |
<li>UTF-8 character locale data has been updated to Unicode 7.0.0. |
<li>Added UTF-8 support to several utilities, including |
<li>Added UTF-8 support to several utilities, including |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=calendar">calendar(1)</a>, |
<a href="http://man.openbsd.org?query=calendar">calendar(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=colrm">colrm(1)</a>, |
<a href="http://man.openbsd.org?query=colrm">colrm(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cut">cut(1)</a>, |
<a href="http://man.openbsd.org?query=cut">cut(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fmt">fmt(1)</a>, |
<a href="http://man.openbsd.org?query=fmt">fmt(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ls">ls(1)</a>, |
<a href="http://man.openbsd.org?query=ls">ls(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ps">ps(1)</a>, |
<a href="http://man.openbsd.org?query=ps">ps(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rs">rs(1)</a>, |
<a href="http://man.openbsd.org?query=rs">rs(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ul">ul(1)</a>, |
<a href="http://man.openbsd.org?query=ul">ul(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=uniq">uniq(1)</a>, |
<a href="http://man.openbsd.org?query=uniq">uniq(1)</a>, |
and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wc">wc(1)</a>. |
and <a href="http://man.openbsd.org?query=wc">wc(1)</a>. |
<li>Partial support for inserting and deleting UTF-8 characters in |
<li>Partial support for inserting and deleting UTF-8 characters in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ksh">ksh(1)</a> |
<a href="http://man.openbsd.org?query=ksh">ksh(1)</a> |
emacs command line editing mode. |
emacs command line editing mode. |
<li>Native language support (NLS) has been removed from libc. |
<li>Native language support (NLS) has been removed from libc. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ddb">ddb(4)</a> |
<li><a href="http://man.openbsd.org?query=ddb">ddb(4)</a> |
now automatically shows a stack trace upon panic. |
now automatically shows a stack trace upon panic. |
<li>... |
<li>... |
</ul> |
</ul> |
<p> |
<p> |
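Review bot: The ktrace(1) item reads "Added support to ktrace(1) the arguments to execve(2) and pledge(2)", which is missing its verb. Since its links are being touched anyway, wording such as "Added support to ktrace(1) for dumping the arguments to ..." would make it parse and would match the "kevent structures are now dumped" sentence that follows. The list also still ends in a literal "<li>..." placeholder.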
|
|
<li>OpenBSD <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd">httpd(8)</a>: |
<li>OpenBSD <a href="http://man.openbsd.org?query=httpd">httpd(8)</a>: |
<ul> |
<ul> |
<li>... |
<li>... |
</ul> |
</ul> |
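Review bot: The httpd(8) entry's only list item is the placeholder "<li>...", so the section has a heading and no content. Either fill in the changes or drop the entry before this revision is published.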
|
|
<li>Security: |
<li>Security: |
<ul> |
<ul> |
<li>Both |
<li>Both |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd">smtpd(8)</a> |
<a href="http://man.openbsd.org?query=smtpd">smtpd(8)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpctl">smtpctl(8)</a> |
<a href="http://man.openbsd.org?query=smtpctl">smtpctl(8)</a> |
have been pledged. |
have been pledged. |
<li>The offline enqueue mode of |
<li>The offline enqueue mode of |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpctl">smtpctl(8)</a> |
<a href="http://man.openbsd.org?query=smtpctl">smtpctl(8)</a> |
has been redesigned to remove the need for a publicly writable directory |
has been redesigned to remove the need for a publicly writable directory |
which was a vector of multiple attacks in the Qualys Security audit. |
which was a vector of multiple attacks in the Qualys Security audit. |
</ul> |
</ul> |
|
|
<li>Security: |
<li>Security: |
<ul> |
<ul> |
<li>Qualys Security identified vulnerabilities in the |
<li>Qualys Security identified vulnerabilities in the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a> |
<a href="http://man.openbsd.org?query=ssh">ssh(1)</a> |
client experimental support for resuming SSH-connections (roaming). |
client experimental support for resuming SSH-connections (roaming). |
In the default configuration, this could potentially leak client keys |
In the default configuration, this could potentially leak client keys |
to a hostile server. The authentication of the server host key |
to a hostile server. The authentication of the server host key |
prevents exploitation by a man-in-the-middle, so this information leak |
prevents exploitation by a man-in-the-middle, so this information leak |
is restricted to connections to malicious or compromised servers. |
is restricted to connections to malicious or compromised servers. |
This feature has been disabled in the |
This feature has been disabled in the |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a> |
<a href="http://man.openbsd.org?query=ssh">ssh(1)</a> |
client, and it has been removed from the source tree. The matching |
client, and it has been removed from the source tree. The matching |
server code has never been shipped. |
server code has never been shipped. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
OpenSSH 7.0 contained a logic error in |
OpenSSH 7.0 contained a logic error in |
<tt>PermitRootLogin=prohibit-password/without-password</tt> that could, |
<tt>PermitRootLogin=prohibit-password/without-password</tt> that could, |
depending on compile-time configuration, permit password authentication |
depending on compile-time configuration, permit password authentication |
to root while preventing other forms of authentication. |
to root while preventing other forms of authentication. |
<li>Fix an out of-bound read access in the packet handling code. |
<li>Fix an out of-bound read access in the packet handling code. |
<li>Further use of |
<li>Further use of |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero">explicit_bzero(3)</a> |
<a href="http://man.openbsd.org?query=bzero">explicit_bzero(3)</a> |
has been added in various buffer handling code paths to guard against |
has been added in various buffer handling code paths to guard against |
compilers aggressively doing dead-store removal. |
compilers aggressively doing dead-store removal. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
remove unfinished and unused roaming code. |
remove unfinished and unused roaming code. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
eliminate fallback from untrusted X11 forwarding to trusted forwarding |
eliminate fallback from untrusted X11 forwarding to trusted forwarding |
when the X server disables the <tt>SECURITY</tt> extension. |
when the X server disables the <tt>SECURITY</tt> extension. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
increase the minimum modulus size supported for |
increase the minimum modulus size supported for |
<tt>diffie-hellman-group-exchange</tt> to 2048 bits. |
<tt>diffie-hellman-group-exchange</tt> to 2048 bits. |
</ul> |
</ul> |
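Review bot: The first ssh(1) item, on the roaming code, describes a possible client key leak to a hostile server but cites no advisory or CVE identifier, whereas the CVE list further down the page names its entries. Adding the reference here would let readers match the note against their own patch tracking. In the same list, "Fix an out of-bound read access" should read "out-of-bounds read access".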
|
|
<ul> |
<ul> |
<li>This release disables a number of legacy cryptographic algorithms |
<li>This release disables a number of legacy cryptographic algorithms |
by default in |
by default in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
<ul> |
<ul> |
<li>Several ciphers: <tt>blowfish-cbc</tt>, <tt>cast128-cbc</tt>, |
<li>Several ciphers: <tt>blowfish-cbc</tt>, <tt>cast128-cbc</tt>, |
all <tt>arcfour</tt> variants and the <tt>rijndael-cbc</tt> aliases |
all <tt>arcfour</tt> variants and the <tt>rijndael-cbc</tt> aliases |
|
|
<li>all: add support for RSA signatures using SHA-256/512 hash algorithms |
<li>all: add support for RSA signatures using SHA-256/512 hash algorithms |
based on <tt>draft-rsa-dsa-sha2-256-03.txt</tt> and |
based on <tt>draft-rsa-dsa-sha2-256-03.txt</tt> and |
<tt>draft-ssh-ext-info-04.txt</tt>. |
<tt>draft-ssh-ext-info-04.txt</tt>. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
add an <tt>AddKeysToAgent</tt> client option which can be set to |
add an <tt>AddKeysToAgent</tt> client option which can be set to |
<tt>yes</tt>, <tt>no</tt>, <tt>ask</tt>, or <tt>confirm</tt>, and |
<tt>yes</tt>, <tt>no</tt>, <tt>ask</tt>, or <tt>confirm</tt>, and |
defaults to <tt>no</tt>. When enabled, a private key that is used |
defaults to <tt>no</tt>. When enabled, a private key that is used |
during authentication will be added to |
during authentication will be added to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a> |
<a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a> |
if it is running (with confirmation enabled if set to <tt>confirm</tt>). |
if it is running (with confirmation enabled if set to <tt>confirm</tt>). |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
add a new <tt>authorized_keys</tt> option <tt>restrict</tt> that |
add a new <tt>authorized_keys</tt> option <tt>restrict</tt> that |
includes all current and future key restrictions |
includes all current and future key restrictions |
(<tt>no-*-forwarding</tt>, etc.). |
(<tt>no-*-forwarding</tt>, etc.). |
|
|
<tt>no-pty</tt> -> <tt>pty</tt>. This simplifies the task of setting up |
<tt>no-pty</tt> -> <tt>pty</tt>. This simplifies the task of setting up |
restricted keys and ensures they are maximally-restricted, |
restricted keys and ensures they are maximally-restricted, |
regardless of any permissions we might implement in the future. |
regardless of any permissions we might implement in the future. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
add |
add |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config">ssh_config(5)</a> |
<a href="http://man.openbsd.org?query=ssh_config">ssh_config(5)</a> |
CertificateFile option to explicitly list certificates. (bz#2436) |
CertificateFile option to explicitly list certificates. (bz#2436) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>: |
allow |
allow |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a> |
<a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a> |
to change the key comment for all supported formats. |
to change the key comment for all supported formats. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>: |
allow fingerprinting from standard input, e.g. "ssh-keygen -lf -". |
allow fingerprinting from standard input, e.g. "ssh-keygen -lf -". |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>: |
allow fingerprinting multiple public keys in a file, e.g. |
allow fingerprinting multiple public keys in a file, e.g. |
<tt>ssh-keygen -lf ~/.ssh/authorized_keys</tt>. (bz#1319) |
<tt>ssh-keygen -lf ~/.ssh/authorized_keys</tt>. (bz#1319) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
support <tt>none</tt> as an argument for |
support <tt>none</tt> as an argument for |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config">sshd_config(5)</a> |
<a href="http://man.openbsd.org?query=sshd_config">sshd_config(5)</a> |
<tt>Foreground</tt> and <tt>ChrootDirectory</tt>. Useful inside |
<tt>Foreground</tt> and <tt>ChrootDirectory</tt>. Useful inside |
<tt>Match</tt> blocks to override a global default. (bz#2486) |
<tt>Match</tt> blocks to override a global default. (bz#2486) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>: |
support multiple certificates (one per line) and reading from standard |
support multiple certificates (one per line) and reading from standard |
input (using "<tt>-f -</tt>") for <tt>ssh-keygen -L</tt>. |
input (using "<tt>-f -</tt>") for <tt>ssh-keygen -L</tt>. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan">ssh-keyscan(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keyscan">ssh-keyscan(1)</a>: |
add <tt>ssh-keyscan -c ...</tt> flag to allow fetching certificates |
add <tt>ssh-keyscan -c ...</tt> flag to allow fetching certificates |
instead of plain keys. |
instead of plain keys. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
better handle anchored FQDNs (e.g. <tt>cvs.openbsd.org.</tt>) in |
better handle anchored FQDNs (e.g. <tt>cvs.openbsd.org.</tt>) in |
hostname canonicalisation - treat them as already canonical and |
hostname canonicalisation - treat them as already canonical and |
trailing '<tt>.</tt>' before matching |
trailing '<tt>.</tt>' before matching |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config">ssh_config(5)</a>. |
<a href="http://man.openbsd.org?query=ssh_config">ssh_config(5)</a>. |
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
add compatibility workarounds for FuTTY. |
add compatibility workarounds for FuTTY. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
refine compatibility workarounds for WinSCP. |
refine compatibility workarounds for WinSCP. |
<li>Fix a number of memory faults (double-free, free of uninitialised |
<li>Fix a number of memory faults (double-free, free of uninitialised |
memory, etc.) in |
memory, etc.) in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a> |
<a href="http://man.openbsd.org?query=ssh">ssh(1)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>. |
<a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>. |
<li>Correctly interpret the <tt>first_kex_follows</tt> option during the |
<li>Correctly interpret the <tt>first_kex_follows</tt> option during the |
initial key exchange. |
initial key exchange. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp">sftp(1)</a>: |
<li><a href="http://man.openbsd.org?query=sftp">sftp(1)</a>: |
existing destination directories should not terminate recursive uploads |
existing destination directories should not terminate recursive uploads |
(regression in openssh 6.8). (bz#2528) |
(regression in openssh 6.8). (bz#2528) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
correctly send back <tt>SSH2_MSG_UNIMPLEMENTED</tt> replies to |
correctly send back <tt>SSH2_MSG_UNIMPLEMENTED</tt> replies to |
unexpected messages during key exchange. (bz#2949) |
unexpected messages during key exchange. (bz#2949) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
refuse attempts to set <tt>ConnectionAttempts=0</tt>, which does not |
refuse attempts to set <tt>ConnectionAttempts=0</tt>, which does not |
make sense and would cause ssh to print an uninitialised stack |
make sense and would cause ssh to print an uninitialised stack |
variable. (bz#2500) |
variable. (bz#2500) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
fix errors when attempting to connect to scoped IPv6 addresses with |
fix errors when attempting to connect to scoped IPv6 addresses with |
hostname canonicalisation enabled. |
hostname canonicalisation enabled. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config">sshd_config(5)</a>: |
<li><a href="http://man.openbsd.org?query=sshd_config">sshd_config(5)</a>: |
list a couple more options usable in <tt>Match</tt> blocks. (bz#2489) |
list a couple more options usable in <tt>Match</tt> blocks. (bz#2489) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
fix <tt>PubkeyAcceptedKeyTypes +...</tt> inside a <tt>Match</tt> block. |
fix <tt>PubkeyAcceptedKeyTypes +...</tt> inside a <tt>Match</tt> block. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
expand tilde characters in filenames passed to <tt>-i</tt> options |
expand tilde characters in filenames passed to <tt>-i</tt> options |
before checking whether or not the identity file exists. Avoids |
before checking whether or not the identity file exists. Avoids |
confusion for cases where shell doesn't expand (e.g. |
confusion for cases where shell doesn't expand (e.g. |
<tt>-i ~/file</tt> vs. <tt>-i~/file</tt>). (bz#2481) |
<tt>-i ~/file</tt> vs. <tt>-i~/file</tt>). (bz#2481) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
do not prepend "exec" to the shell command run by <tt>Match exec</tt> |
do not prepend "exec" to the shell command run by <tt>Match exec</tt> |
in a config file, which could cause some commands to fail in certain |
in a config file, which could cause some commands to fail in certain |
environments. (bz#2471) |
environments. (bz#2471) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan">ssh-keyscan(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keyscan">ssh-keyscan(1)</a>: |
fix output for multiple hosts/addrs on one line when host hashing or |
fix output for multiple hosts/addrs on one line when host hashing or |
a non standard port is in use. (bz#2479) |
a non standard port is in use. (bz#2479) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
skip "Could not chdir to home directory" message when |
skip "Could not chdir to home directory" message when |
<tt>ChrootDirectory</tt> is active. (bz#2485) |
<tt>ChrootDirectory</tt> is active. (bz#2485) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
include <tt>PubkeyAcceptedKeyTypes</tt> in <tt>ssh -G</tt> config dump. |
include <tt>PubkeyAcceptedKeyTypes</tt> in <tt>ssh -G</tt> config dump. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
avoid changing <tt>TunnelForwarding</tt> device flags if they are |
avoid changing <tt>TunnelForwarding</tt> device flags if they are |
already what is needed; makes it possible to use |
already what is needed; makes it possible to use |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun">tun(4)</a>/ |
<a href="http://man.openbsd.org?query=tun">tun(4)</a>/ |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tap">tap(4)</a> |
<a href="http://man.openbsd.org?query=tap">tap(4)</a> |
networking as non-root user if device permissions and interface flags |
networking as non-root user if device permissions and interface flags |
are pre-established. |
are pre-established. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
<tt>RekeyLimits</tt> could be exceeded by one packet. (bz#2521) |
<tt>RekeyLimits</tt> could be exceeded by one packet. (bz#2521) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
fix multiplexing master failure to notice client exit. |
fix multiplexing master failure to notice client exit. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>: |
<a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>: |
avoid <tt>fatal()</tt> for PKCS11 tokens that present empty key IDs. |
avoid <tt>fatal()</tt> for PKCS11 tokens that present empty key IDs. |
(bz#1773) |
(bz#1773) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
avoid |
avoid |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=printf&sec=3">printf(3)</a> |
<a href="http://man.openbsd.org?query=printf&sec=3">printf(3)</a> |
of NULL argument. (bz#2535) |
of NULL argument. (bz#2535) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
allow <tt>RekeyLimits</tt> larger than 4GB. (bz#2521) |
allow <tt>RekeyLimits</tt> larger than 4GB. (bz#2521) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
fix several bugs in (unused) KRL signature support. |
fix several bugs in (unused) KRL signature support. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
fix connections with peers that use the key exchange guess feature of |
fix connections with peers that use the key exchange guess feature of |
the protocol. (bz#2515) |
the protocol. (bz#2515) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
include remote port number in log messages. (bz#2503) |
include remote port number in log messages. (bz#2503) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
don't try to load SSHv1 private key when compiled without SSHv1 |
don't try to load SSHv1 private key when compiled without SSHv1 |
support. (bz#2505) |
support. (bz#2505) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
fix incorrect error messages during key loading and signing errors. |
fix incorrect error messages during key loading and signing errors. |
(bz#2507) |
(bz#2507) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>: |
don't leave empty temporary files when performing <tt>known_hosts</tt> |
don't leave empty temporary files when performing <tt>known_hosts</tt> |
file edits when <tt>known_hosts</tt> doesn't exist. |
file edits when <tt>known_hosts</tt> doesn't exist. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
correct packet format for tcpip-forward replies for requests that |
correct packet format for tcpip-forward replies for requests that |
don't allocate a port. (bz#2509) |
don't allocate a port. (bz#2509) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
fix possible hang on closed output. (bz#2469) |
fix possible hang on closed output. (bz#2469) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
expand <tt>%i</tt> in <tt>ControlPath</tt> to UID. (bz#2449) |
expand <tt>%i</tt> in <tt>ControlPath</tt> to UID. (bz#2449) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
fix return type of <tt>openssh_RSA_verify</tt>. (bz#2460) |
fix return type of <tt>openssh_RSA_verify</tt>. (bz#2460) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>, |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>: |
<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>: |
fix some option parsing memory leaks. (bz#2182) |
fix some option parsing memory leaks. (bz#2182) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
add some debug output before DNS resolution; it's a place where |
add some debug output before DNS resolution; it's a place where |
ssh could previously silently stall in cases of unresponsive DNS |
ssh could previously silently stall in cases of unresponsive DNS |
servers. (bz#2433) |
servers. (bz#2433) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
remove spurious newline in visual hostkey. (bz#2686) |
remove spurious newline in visual hostkey. (bz#2686) |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
fix printing (<tt>ssh -G ...</tt>) of <tt>HostKeyAlgorithms=+...</tt> |
fix printing (<tt>ssh -G ...</tt>) of <tt>HostKeyAlgorithms=+...</tt> |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>: |
<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>: |
fix expansion of <tt>HostkeyAlgorithms=+...</tt> |
fix expansion of <tt>HostkeyAlgorithms=+...</tt> |
</ul> |
</ul> |
</ul> |
</ul> |
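Review bot: The hostname canonicalisation item near the top of this hunk reads "treat them as already canonical and trailing '.' before matching ssh_config(5)", which has lost a verb (presumably "remove the trailing '.'"). Fix the sentence while the link under it is being rewritten. Further down, the two closing items spell the option HostKeyAlgorithms and HostkeyAlgorithms, and the first lacks its final period. The printf(3) href should carry its separator as &amp;sec=3 if the bare & shown here is what the source contains.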
|
|
<li>Removed support for <tt>DTLS_BAD_VER</tt>. Pre-DTLSv1 implementations |
<li>Removed support for <tt>DTLS_BAD_VER</tt>. Pre-DTLSv1 implementations |
are no longer supported. |
are no longer supported. |
<li>The engine command and parameters are removed from |
<li>The engine command and parameters are removed from |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl"> |
<a href="http://man.openbsd.org?query=openssl"> |
openssl(1)</a>. |
openssl(1)</a>. |
Previous releases removed dynamic and built-in engine support already. |
Previous releases removed dynamic and built-in engine support already. |
<li>SHA-0 is removed, which was withdrawn shortly after publication |
<li>SHA-0 is removed, which was withdrawn shortly after publication |
|
|
<li>Added <tt>Certplus CA</tt> root certificate to the default |
<li>Added <tt>Certplus CA</tt> root certificate to the default |
<tt>cert.pem</tt> file. |
<tt>cert.pem</tt> file. |
<li>Fixed a leak in |
<li>Fixed a leak in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=SSL_new"> |
<a href="http://man.openbsd.org?query=SSL_new"> |
SSL_new(3)</a> |
SSL_new(3)</a> |
in the error path. |
in the error path. |
<li>Fixed a memory leak and out-of-bounds access in |
<li>Fixed a memory leak and out-of-bounds access in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=OBJ_nid2obj"> |
<a href="http://man.openbsd.org?query=OBJ_nid2obj"> |
OBJ_obj2txt(3)</a>. |
OBJ_obj2txt(3)</a>. |
<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of |
<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of |
<tt>sizeof(RC4_CHUNK)</tt>. |
<tt>sizeof(RC4_CHUNK)</tt>. |
<li>Added |
<li>Added |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init"> |
<a href="http://man.openbsd.org?query=EVP_AEAD_CTX_init"> |
EVP_aead_chacha20_poly1305_ietf(3)</a> |
EVP_aead_chacha20_poly1305_ietf(3)</a> |
which matches the |
which matches the |
<tt>AEAD</tt> construction introduced in RFC 7539, which is different |
<tt>AEAD</tt> construction introduced in RFC 7539, which is different |
than that already used in TLS with |
than that already used in TLS with |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init"> |
<a href="http://man.openbsd.org?query=EVP_AEAD_CTX_init"> |
EVP_aead_chacha20_poly1305(3)</a>. |
EVP_aead_chacha20_poly1305(3)</a>. |
<li>More man pages converted from pod to |
<li>More man pages converted from pod to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mdoc">mdoc(7)</a> |
<a href="http://man.openbsd.org?query=mdoc">mdoc(7)</a> |
format. |
format. |
<li>Added <tt>COMODO RSA Certification Authority</tt> and |
<li>Added <tt>COMODO RSA Certification Authority</tt> and |
<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>. |
<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>. |
|
|
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) |
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) |
root certificate from <tt>cert.pem</tt>. |
root certificate from <tt>cert.pem</tt>. |
<li>Fixed incorrect TLS certificate loading by |
<li>Fixed incorrect TLS certificate loading by |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc">nc(1)</a>. |
<a href="http://man.openbsd.org?query=nc">nc(1)</a>. |
<li>The following CVEs had been fixed: |
<li>The following CVEs had been fixed: |
<ul> |
<ul> |
<li><tt>CVE-2015-3194</tt>—NULL pointer dereference in client |
<li><tt>CVE-2015-3194</tt>—NULL pointer dereference in client |
|
|
<li>The <tt>libtls</tt> API is changed from the 2.2.x series: |
<li>The <tt>libtls</tt> API is changed from the 2.2.x series: |
<ul> |
<ul> |
<li>The |
<li>The |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_read(3)</a> |
tls_read(3)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_write(3)</a> |
tls_write(3)</a> |
functions now work better with external event libraries. |
functions now work better with external event libraries. |
<li>Client-side verification is now supported, with the client |
<li>Client-side verification is now supported, with the client |
supplying the certificate to the server. |
supplying the certificate to the server. |
<li>Also, when using |
<li>Also, when using |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_connect_fds(3)</a>, |
tls_connect_fds(3)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_connect_socket(3)</a> or |
tls_connect_socket(3)</a> or |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_accept_fds(3)</a>, |
tls_accept_fds(3)</a>, |
<tt>libtls</tt> no longer implicitly closes the passed in sockets. |
<tt>libtls</tt> no longer implicitly closes the passed in sockets. |
The caller is responsible for closing them in this case. |
The caller is responsible for closing them in this case. |
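Review bot: All five rewritten links in this hunk keep `query=tls_init`, while their labels are tls_read(3), tls_write(3), tls_connect_fds(3), tls_connect_socket(3) and tls_accept_fds(3). Because the host changes here, it is worth confirming that the new server answers `query=tls_init` with the manual page itself rather than a list of matches, so that a reader who clicks tls_read(3) lands on text that documents it.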
|
|
<tt>ssize_t</tt> to <tt>size_t</tt>. |
<tt>ssize_t</tt> to <tt>size_t</tt>. |
<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS. |
<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS. |
<li>Converted |
<li>Converted |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc">nc(1)</a> |
<a href="http://man.openbsd.org?query=nc">nc(1)</a> |
to use <tt>libtls</tt> for client and server operations; it is |
to use <tt>libtls</tt> for client and server operations; it is |
included in the libressl-portable distribution as an example of how |
included in the libressl-portable distribution as an example of how |
to use the <tt>libtls</tt> library. This is intended to be a simpler |
to use the <tt>libtls</tt> library. This is intended to be a simpler |
|
|
<tt>libtls</tt>. |
<tt>libtls</tt>. |
<li>Added ability to check certificate validity times with |
<li>Added ability to check certificate validity times with |
<tt>libtls</tt>, |
<tt>libtls</tt>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_peer_cert_notbefore(3)</a> |
tls_peer_cert_notbefore(3)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_peer_cert_notafter(3)</a>. |
tls_peer_cert_notafter(3)</a>. |
<li>Changed |
<li>Changed |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init"> |
<a href="http://man.openbsd.org?query=tls_init"> |
tls_connect_servername(3)</a> |
tls_connect_servername(3)</a> |
to use the first address that resolves with |
to use the first address that resolves with |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getaddrinfo"> |
<a href="http://man.openbsd.org?query=getaddrinfo"> |
getaddrinfo(3)</a>. |
getaddrinfo(3)</a>. |
<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code |
<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code |
(non-functional since initial commit in 2004). |
(non-functional since initial commit in 2004). |
<li>Reject too small bits value in |
<li>Reject too small bits value in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=BN_generate_prime"> |
<a href="http://man.openbsd.org?query=BN_generate_prime"> |
BN_generate_prime(3)</a>, |
BN_generate_prime(3)</a>, |
so that it does not risk becoming negative in |
so that it does not risk becoming negative in |
<tt>probable_prime_dh_safe()</tt>. |
<tt>probable_prime_dh_safe()</tt>. |
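Review bot: The replacement URLs in this hunk, for example the getaddrinfo(3) and BN_generate_prime(3) links, stay on plain `http://`. The change already rewrites every manual link in view, so if man.openbsd.org is served over TLS, switching the scheme in the same pass would avoid a second mechanical edit and keep the references from the LibreSSL fix list from being fetched in cleartext.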
|
|
OpenBSD ports system. |
OpenBSD ports system. |
<p> |
<p> |
The <i>ports/</i> directory represents a CVS (see the manpage for |
The <i>ports/</i> directory represents a CVS (see the manpage for |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs"> |
<a href="http://man.openbsd.org?query=cvs"> |
cvs(1)</a> if |
cvs(1)</a> if |
you aren't familiar with CVS) checkout of our ports. As with our complete |
you aren't familiar with CVS) checkout of our ports. As with our complete |
source tree, our ports tree is available via |
source tree, our ports tree is available via |