www/59.html - diff

Return to 59.html CVS log

Up to [local] / www

Diff for /www/59.html between version 1.74 and 1.75

version 1.74, 2016/03/19 03:27:36

version 1.75, 2016/03/21 05:46:19

Line 35

<li>See a <a href="plus59.html">detailed log of changes</a> between the

5.8 and 5.9 releases.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=signify">signify(1)</a>

<li><a href="http://man.openbsd.org?query=signify">signify(1)</a>

pubkeys for this release:

<pre>

base: RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn

Line 67

<li>Improved hardware support, including:

<ul>

driver for the Apple System Management Controller.

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchtemp">pchtemp(4)</a>

<li>New <a href="http://man.openbsd.org?query=pchtemp">pchtemp(4)</a>

driver for the thermal sensor found on Intel X99, C610 series, 9 series

and 100 series PCH.

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=uonerng">uonerng(4)</a>

<li>New <a href="http://man.openbsd.org?query=uonerng">uonerng(4)</a>

driver for the Moonbase Otago OneRNG.

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dwiic">dwiic(4)</a>

<li>New <a href="http://man.openbsd.org?query=dwiic">dwiic(4)</a>

driver for the Synopsys DesignWare I2C controller.

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ikbd">ikbd(4)</a>,

<li>New <a href="http://man.openbsd.org?query=ikbd">ikbd(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ims">ims(4)</a>, and

<a href="http://man.openbsd.org?query=ims">ims(4)</a>, and

drivers for HID-over-i2c keyboards, mice and multitouch touchpads.

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=efifb">efifb(4)</a>

<li>New <a href="http://man.openbsd.org?query=efifb">efifb(4)</a>

driver for EFI frame buffer.

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=viocon">viocon(4)</a>

<li>New <a href="http://man.openbsd.org?query=viocon">viocon(4)</a>

driver for the

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=virtio">virtio(4)</a>

<a href="http://man.openbsd.org?query=virtio">virtio(4)</a>

console interface provided by KVM, QEMU, and others.

driver implementing Xen domU initialization and PVHVM device attachment.

driver for the XenSource Platform Device providing guests with additional

capabilities.

driver for Xen paravirtualized networking interface.

<li>amd64 can now boot from 32 bit and 64 bit EFI.

<li>Initial support for hardware reduced ACPI added to

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=acpi">acpi(4)</a>.

<a href="http://man.openbsd.org?query=acpi">acpi(4)</a>.

<li>Support for ACPI configured SD host controllers has been added to

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sdhc">sdhc(4)</a>.

<a href="http://man.openbsd.org?query=sdhc">sdhc(4)</a>.

driver now supports Moxa CP-168U, Perle Speed8 LE and QEMU PCI serial devices.

<li>Intel 100 Series PCH Ethernet MAC with i219 PHY support has been added to the

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em">em(4)</a> driver.

<a href="http://man.openbsd.org?query=em">em(4)</a> driver.

<li>RTL8168H/RTL8111H support has been added to

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re&sec=4">re(4)</a>.

<a href="http://man.openbsd.org?query=re&sec=4">re(4)</a>.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=inteldrm">inteldrm(4)</a>

<li><a href="http://man.openbsd.org?query=inteldrm">inteldrm(4)</a>

has been updated to Linux 3.14.52 adding initial support for Bay Trail

and Broadwell graphics.

<li>Support for audio in Thinkpad docks has been added to the

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=azalia">azalia(4)</a>

<a href="http://man.openbsd.org?query=azalia">azalia(4)</a>

driver.

<li>Support for Synaptic touchpads without W mode has been added to the

driver.

<li>Support for tap-and-drag detection with ALPS touchpads in the

driver has been improved.

<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sdmmc">sdmmc(4)</a>

<li>The <a href="http://man.openbsd.org?query=sdmmc">sdmmc(4)</a>

driver now supports sector mode for eMMC devices, such as those found on

some BeagleBone Black boards.

<li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac">cnmac(4)</a>

<li>The <a href="http://man.openbsd.org?query=cnmac">cnmac(4)</a>

driver now supports checksum offloading.

driver now supports OpenIPMI compatible character device.

<li>...

</ul>

Line 134

</ul>

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a>

<li><a href="http://man.openbsd.org?query=pledge">pledge(2)</a>

support integrated:

<ul>

<li>The tame(2) system call was renamed to pledge(2).

Line 153

<ul>

support for HOSTALIASES</a> in the

resolver</a>.

support for <tt>lookup yp</tt></a>

resolv.conf(5)</a>.

setuid-preserving code</a>

Line 166

<li>handling of

ed-style diffs</a> via proc/exec in

patch(1)</a>.

</ul>

<li>Userland programs were audited so that they could be properly annotated

Line 177

addition of

privilege separation</a> to

rdate(8)</a>,

<li>

addition of

privilege separation</a> to

sndiod(8)</a>,

<li>or the introduction of the <tt>SOCK_DNS</tt>

socket(2)</a> flag that makes an <tt>SS_DNS</tt> tagged socket

conceptually different from a plain socket.

</ul>

<li>pledge(2) is also used to constrain programs that handle untrusted data

to a very limited subset of POSIX.

For example,

strings(1)</a> or

objdump(1)</a> from the <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/objdump.c?rev=1.2&content-type=text/x-cvsweb-markup">

binutils</a> or the <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ca.c?rev=1.15&content-type=text/x-cvsweb-markup">

RSA-privsep process</a> in

smtpd(8)</a>.

</ul>

Line 209

<li>The task processing incoming packets can now run mostly in parallel

of the rest of the kernel, this include:

<ul>

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=carp">carp(4)</a>,

<li><a href="http://man.openbsd.org?query=carp">carp(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=trunk">trunk(4)</a>,

<a href="http://man.openbsd.org?query=trunk">trunk(4)</a>,

and other pseudo-driver with the exception of

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bridge">bridge(4)</a>.

<a href="http://man.openbsd.org?query=bridge">bridge(4)</a>.

<li>Ethernet decapsulation, ARP processing and MPLS forwarding path.

filter matching.

</ul>

<li>The Rx and Tx rings of the

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ix">ix(4)</a>,

<a href="http://man.openbsd.org?query=ix">ix(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=myx">myx(4)</a>,

<a href="http://man.openbsd.org?query=myx">myx(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em">em(4)</a>,

<a href="http://man.openbsd.org?query=em">em(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bge">bge(4)</a>,

<a href="http://man.openbsd.org?query=bge">bge(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bnx">bnx(4)</a>,

<a href="http://man.openbsd.org?query=bnx">bnx(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vmx">vmx(4)</a>,

<a href="http://man.openbsd.org?query=vmx">vmx(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=gem">gem(4)</a>,

<a href="http://man.openbsd.org?query=gem">gem(4)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re">re(4)</a> and

<a href="http://man.openbsd.org?query=re">re(4)</a> and

drivers can now be processed in parallel of the rest of the kernel.

<li>The Rx ring of the

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac">cnmac(4)</a>

<a href="http://man.openbsd.org?query=cnmac">cnmac(4)</a>

driver can now be processed in parallel of the rest of the kernel.

</ul>

<li>Initial IEEE 802.11n wireless support:

<ul>

subsystem now supports HT data rates up to 65 Mbit/s (802.11n MCS 0-7).

<li>The input path of

now supports receiving A-MPDU and A-MSDU aggregated frames.

and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwn">iwn(4)</a>

and <a href="http://man.openbsd.org?query=iwn">iwn(4)</a>

drivers make use of the above features.

<li>802.11n mode is used by default if supported by the OpenBSD wireless

driver and the access point.

Operation in 802.11a, 802.11b, and 802.11g modes can be forced with

the new <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig">ifconfig(8)</a>

the new <a href="http://man.openbsd.org?query=ifconfig">ifconfig(8)</a>

<tt>mode</tt> subcommand.

</ul>

<li>Generic network stack improvements:

<ul>

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=etherip">etherip(4)</a>

<li>New <a href="http://man.openbsd.org?query=etherip">etherip(4)</a>

pseudo-device for tunnelling Ethernet frames across IP[46] networks

using RFC 3378 EtherIP encapsulation.

pseudo-device for creating paired virtual Ethernet interfaces.

pseudo-device splitted up from

providing a layer 3 interface with userland.

<li>Remove support for obsolete IPv6 socket options.

driver now passes IEEE 802.11 control frames in monitor mode, allowing

full capture of traffic on a particular wireless channel.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pflow">pflow(4)</a>

<li><a href="http://man.openbsd.org?query=pflow">pflow(4)</a>

now supports IPv6 for transport.

<li>...

</ul>

Line 280

<li>Installing to a disk partitioned with a GPT is now supported (amd64 only).

<li>When initializing a GPT the required EFI System partition is automatically created.

<li>When installing to a GPT disk

installboot(8)</a>

now formats the EFI System partition, creates the appropriate directory

structure and copies the required UEFI boot files into place.

Line 290

<li>Routing daemons and other userland network improvements:

<ul>

<li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=eigrpd">eigrpd(8)</a>

<li>New <a href="http://man.openbsd.org?query=eigrpd">eigrpd(8)</a>

routing daemon for the Enhanced Interior Gateway Routing Protocol.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

now supports multiple domain names provided via DHCP option 15 (Domain Name).

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

now supports search domains provided via DHCP option 119 (Domain Search).

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

no longer continually checks for a change to the routing domain of the

interface it controls. It now relies on the appropriate routing socket

messages.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

now issues DHCP DECLINE responses to lease offers found to be inadequate,

and restarts the DISCOVER/RENEW process rather than waiting indefinitely

for a better lease to appear.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

no longer exits if a desired route cannot be added. It now just reports

the fact.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

now takes a much more careful approach to received packets to ensure

only received data is used to process the packet.

Packets with incorrect length information or lacking appropriate header

information are now dropped.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient">dhclient(8)</a>

<li><a href="http://man.openbsd.org?query=dhclient">dhclient(8)</a>

again disables pending timeouts if the interface link is lost,

preventing endless retries at obtaining a lease.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd">dhcpd(8)</a>

<li><a href="http://man.openbsd.org?query=dhcpd">dhcpd(8)</a>

again properly utilizes default-lease-time, max-lease-time and

bootp-lease-time options.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump">tcpdump(8)</a>

<li><a href="http://man.openbsd.org?query=tcpdump">tcpdump(8)</a>

now displays more information about IEEE 802.11 frames when run with

the -y IEEE802_11_RADIO and -v options.

<li>Several interoperability issues in

have been fixed, including EAP auth with OS X El Capitan.

<li>...

</ul>

Line 335

IPsec stack for the ESP protocol.

<li>Support for looking up hosts via YP has been removed from libc.

The 'yp' lookup method in

resolv.conf</a>

is no longer available.

<li>Support for the HOSTALIASES environment variable has been removed from libc.

Line 344

<li>Assorted improvements:

<ul>

is a little friendlier to use.

<li>Updated

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=flex">flex(1)</a>.

<a href="http://man.openbsd.org?query=flex">flex(1)</a>.

<li>Forked <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=less">less(1)</a>

<li>Forked <a href="http://man.openbsd.org?query=less">less(1)</a>

from upstream, then proceeded to clean it up substantially.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pdisk">pdisk(8)</a>

<li><a href="http://man.openbsd.org?query=pdisk">pdisk(8)</a>

was largely rewritten and pledged.

<li>Renaming files in the root directory of a MSDOS filesystem was fixed.

<li>Many obsolete

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=disktab">disktab(5)</a>

<a href="http://man.openbsd.org?query=disktab">disktab(5)</a>

attributes and entries were removed.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=softraid">softraid(4)</a>

<li><a href="http://man.openbsd.org?query=softraid">softraid(4)</a>

volumes now correctly look for the disklabel in the first OpenBSD disk

partition, not the last.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=softraid">softraid(4)</a>

<li><a href="http://man.openbsd.org?query=softraid">softraid(4)</a>

volumes can now be partitioned with a GPT.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a>

<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a>

now creates a default GPT as well as the protective MBR when the '-g'

flag is used.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a>

<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a>

now has a '-b' flag that specifies the size of the EFI System partition

to create.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a>

<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a>

now has a '-v' flag that causes a verbose display of both MBR and GPT

information.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a>

<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a>

now provides full interactive GPT editing.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk">fdisk(8)</a>

<li><a href="http://man.openbsd.org?query=fdisk">fdisk(8)</a>

was pledged.

<li>Disks with sector sizes other than 512 bytes can now be partitioned with

a GPT.

Line 380

and GENERIC derived kernels.

<li>Many improvements were made to the GPT kernel support to ensure safe and

reliable operation of GPT and MBR processing.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=disklabel">disklabel(8)</a>

<li><a href="http://man.openbsd.org?query=disklabel">disklabel(8)</a>

no longer supports boot code installation, with the -B and -b flags

being removed.

The associated fields in the disklabel were also removed.

These functions are now all performed by

installboot(8)</a>.

<li>PowerPC converted to secure-PLT ABI variant.

<li>Perform lazy binding updates in

using

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kbind">kbind(2)</a>

<a href="http://man.openbsd.org?query=kbind">kbind(2)</a>

to improve security and reduce overhead in threaded processes.

<li>Over 100 internal or obsolete interfaces have been deleted or are no

longer exported by libc, reducing symbol conflicts and process size.

Line 400

symbol overriding, improve standards compliance, increase speed,

and reduce dynamic linking overhead.

<li>Handle intra-thread kills via new

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=thrkill">thrkill(2)</a>

<a href="http://man.openbsd.org?query=thrkill">thrkill(2)</a>

system call to tighten

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a>

<a href="http://man.openbsd.org?query=pledge">pledge(2)</a>

restrictions and improve

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_kill">pthread_kill(3)</a>

<a href="http://man.openbsd.org?query=pthread_kill">pthread_kill(3)</a>

and

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_cancel">pthread_cancel(3)</a>

<a href="http://man.openbsd.org?query=pthread_cancel">pthread_cancel(3)</a>

compliance.

<li>Added <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam_shadow">

<li>Added <a href="http://man.openbsd.org?query=getpwnam_shadow">

getpwnam_shadow(3)</a>

and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getpwuid_shadow">

and <a href="http://man.openbsd.org?query=getpwuid_shadow">

getpwuid_shadow(3)</a>

to permit tighter

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a>

<a href="http://man.openbsd.org?query=pledge">pledge(2)</a>

restrictions.

<li>Added support to

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace">ktrace(1)</a>

<a href="http://man.openbsd.org?query=ktrace">ktrace(1)</a>

the arguments to

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=execve">execve(2)</a>

<a href="http://man.openbsd.org?query=execve">execve(2)</a>

and

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge">pledge(2)</a>.

<a href="http://man.openbsd.org?query=pledge">pledge(2)</a>.

Removed support for tracing context switch points.

<tt>kevent</tt> structures are now dumped.

<li>Disabled support for loading locales other than UTF-8.

<li>UTF-8 character locale data has been updated to Unicode 7.0.0.

<li>Added UTF-8 support to several utilities, including

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=calendar">calendar(1)</a>,

<a href="http://man.openbsd.org?query=calendar">calendar(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=colrm">colrm(1)</a>,

<a href="http://man.openbsd.org?query=colrm">colrm(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cut">cut(1)</a>,

<a href="http://man.openbsd.org?query=cut">cut(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fmt">fmt(1)</a>,

<a href="http://man.openbsd.org?query=fmt">fmt(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ls">ls(1)</a>,

<a href="http://man.openbsd.org?query=ls">ls(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ps">ps(1)</a>,

<a href="http://man.openbsd.org?query=ps">ps(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rs">rs(1)</a>,

<a href="http://man.openbsd.org?query=rs">rs(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ul">ul(1)</a>,

<a href="http://man.openbsd.org?query=ul">ul(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=uniq">uniq(1)</a>,

<a href="http://man.openbsd.org?query=uniq">uniq(1)</a>,

and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wc">wc(1)</a>.

and <a href="http://man.openbsd.org?query=wc">wc(1)</a>.

<li>Partial support for inserting and deleting UTF-8 characters in

emacs command line editing mode.

<li>Native language support (NLS) has been removed from libc.

now automatically shows a stack trace upon panic.

<li>...

</ul>

<li>OpenBSD <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd">httpd(8)</a>:

<li>OpenBSD <a href="http://man.openbsd.org?query=httpd">httpd(8)</a>:

<ul>

<li>...

</ul>

Line 457

<li>Security:

<ul>

<li>Both

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd">smtpd(8)</a>

<a href="http://man.openbsd.org?query=smtpd">smtpd(8)</a>

and

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpctl">smtpctl(8)</a>

<a href="http://man.openbsd.org?query=smtpctl">smtpctl(8)</a>

have been pledged.

<li>The offline enqueue mode of

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpctl">smtpctl(8)</a>

<a href="http://man.openbsd.org?query=smtpctl">smtpctl(8)</a>

has been redesigned to remove the need for a publicly writable directory

which was a vector of multiple attacks in the Qualys Security audit.

</ul>

Line 483

<li>Security:

<ul>

<li>Qualys Security identified vulnerabilities in the

client experimental support for resuming SSH-connections (roaming).

In the default configuration, this could potentially leak client keys

to a hostile server. The authentication of the server host key

prevents exploitation by a man-in-the-middle, so this information leak

is restricted to connections to malicious or compromised servers.

This feature has been disabled in the

client, and it has been removed from the source tree. The matching

server code has never been shipped.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

OpenSSH 7.0 contained a logic error in

<tt>PermitRootLogin=prohibit-password/without-password</tt> that could,

depending on compile-time configuration, permit password authentication

to root while preventing other forms of authentication.

<li>Fix an out of-bound read access in the packet handling code.

<li>Further use of

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero">explicit_bzero(3)</a>

<a href="http://man.openbsd.org?query=bzero">explicit_bzero(3)</a>

has been added in various buffer handling code paths to guard against

compilers aggressively doing dead-store removal.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

remove unfinished and unused roaming code.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

eliminate fallback from untrusted X11 forwarding to trusted forwarding

when the X server disables the <tt>SECURITY</tt> extension.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

increase the minimum modulus size supported for

<tt>diffie-hellman-group-exchange</tt> to 2048 bits.

</ul>

Line 518

<ul>

<li>This release disables a number of legacy cryptographic algorithms

by default in

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

<ul>

<li>Several ciphers: <tt>blowfish-cbc</tt>, <tt>cast128-cbc</tt>,

all <tt>arcfour</tt> variants and the <tt>rijndael-cbc</tt> aliases

Line 531

<li>all: add support for RSA signatures using SHA-256/512 hash algorithms

based on <tt>draft-rsa-dsa-sha2-256-03.txt</tt> and

<tt>draft-ssh-ext-info-04.txt</tt>.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

add an <tt>AddKeysToAgent</tt> client option which can be set to

<tt>yes</tt>, <tt>no</tt>, <tt>ask</tt>, or <tt>confirm</tt>, and

defaults to <tt>no</tt>. When enabled, a private key that is used

during authentication will be added to

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>

<a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>

if it is running (with confirmation enabled if set to <tt>confirm</tt>).

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

add a new <tt>authorized_keys</tt> option <tt>restrict</tt> that

includes all current and future key restrictions

(<tt>no-*-forwarding</tt>, etc.).

Line 546

<tt>no-pty</tt> -> <tt>pty</tt>. This simplifies the task of setting up

restricted keys and ensures they are maximally-restricted,

regardless of any permissions we might implement in the future.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

add

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config">ssh_config(5)</a>

<a href="http://man.openbsd.org?query=ssh_config">ssh_config(5)</a>

CertificateFile option to explicitly list certificates. (bz#2436)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>:

allow

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>

<a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>

to change the key comment for all supported formats.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>:

allow fingerprinting from standard input, e.g. "ssh-keygen -lf -".

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>:

allow fingerprinting multiple public keys in a file, e.g.

<tt>ssh-keygen -lf ~/.ssh/authorized_keys</tt>. (bz#1319)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

support <tt>none</tt> as an argument for

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config">sshd_config(5)</a>

<a href="http://man.openbsd.org?query=sshd_config">sshd_config(5)</a>

<tt>Foreground</tt> and <tt>ChrootDirectory</tt>. Useful inside

<tt>Match</tt> blocks to override a global default. (bz#2486)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>:

support multiple certificates (one per line) and reading from standard

input (using "<tt>-f -</tt>") for <tt>ssh-keygen -L</tt>.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan">ssh-keyscan(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keyscan">ssh-keyscan(1)</a>:

add <tt>ssh-keyscan -c ...</tt> flag to allow fetching certificates

instead of plain keys.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

better handle anchored FQDNs (e.g. <tt>cvs.openbsd.org.</tt>) in

hostname canonicalisation - treat them as already canonical and

trailing '<tt>.</tt>' before matching

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config">ssh_config(5)</a>.

<a href="http://man.openbsd.org?query=ssh_config">ssh_config(5)</a>.

</ul>

<li>The following significant bugs have been fixed in this release:

<ul>

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

add compatibility workarounds for FuTTY.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

refine compatibility workarounds for WinSCP.

<li>Fix a number of memory faults (double-free, free of uninitialised

memory, etc.) in

and

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>.

<a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>.

<li>Correctly interpret the <tt>first_kex_follows</tt> option during the

initial key exchange.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp">sftp(1)</a>:

<li><a href="http://man.openbsd.org?query=sftp">sftp(1)</a>:

existing destination directories should not terminate recursive uploads

(regression in openssh 6.8). (bz#2528)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

correctly send back <tt>SSH2_MSG_UNIMPLEMENTED</tt> replies to

unexpected messages during key exchange. (bz#2949)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

refuse attempts to set <tt>ConnectionAttempts=0</tt>, which does not

make sense and would cause ssh to print an uninitialised stack

variable. (bz#2500)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

fix errors when attempting to connect to scoped IPv6 addresses with

hostname canonicalisation enabled.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config">sshd_config(5)</a>:

<li><a href="http://man.openbsd.org?query=sshd_config">sshd_config(5)</a>:

list a couple more options usable in <tt>Match</tt> blocks. (bz#2489)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

fix <tt>PubkeyAcceptedKeyTypes +...</tt> inside a <tt>Match</tt> block.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

expand tilde characters in filenames passed to <tt>-i</tt> options

before checking whether or not the identity file exists. Avoids

confusion for cases where shell doesn't expand (e.g.

<tt>-i ~/file</tt> vs. <tt>-i~/file</tt>). (bz#2481)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

do not prepend "exec" to the shell command run by <tt>Match exec</tt>

in a config file, which could cause some commands to fail in certain

environments. (bz#2471)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan">ssh-keyscan(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keyscan">ssh-keyscan(1)</a>:

fix output for multiple hosts/addrs on one line when host hashing or

a non standard port is in use. (bz#2479)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

skip "Could not chdir to home directory" message when

<tt>ChrootDirectory</tt> is active. (bz#2485)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

include <tt>PubkeyAcceptedKeyTypes</tt> in <tt>ssh -G</tt> config dump.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

avoid changing <tt>TunnelForwarding</tt> device flags if they are

already what is needed; makes it possible to use

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun">tun(4)</a>/

<a href="http://man.openbsd.org?query=tun">tun(4)</a>/

networking as non-root user if device permissions and interface flags

are pre-established.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

<tt>RekeyLimits</tt> could be exceeded by one packet. (bz#2521)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

fix multiplexing master failure to notice client exit.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>:

<a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>:

avoid <tt>fatal()</tt> for PKCS11 tokens that present empty key IDs.

(bz#1773)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

avoid

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=printf&sec=3">printf(3)</a>

<a href="http://man.openbsd.org?query=printf&sec=3">printf(3)</a>

of NULL argument. (bz#2535)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

allow <tt>RekeyLimits</tt> larger than 4GB. (bz#2521)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

fix several bugs in (unused) KRL signature support.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

fix connections with peers that use the key exchange guess feature of

the protocol. (bz#2515)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

include remote port number in log messages. (bz#2503)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

don't try to load SSHv1 private key when compiled without SSHv1

support. (bz#2505)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent">ssh-agent(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh-agent">ssh-agent(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

fix incorrect error messages during key loading and signing errors.

(bz#2507)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen">ssh-keygen(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh-keygen">ssh-keygen(1)</a>:

don't leave empty temporary files when performing <tt>known_hosts</tt>

file edits when <tt>known_hosts</tt> doesn't exist.

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<li><a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

correct packet format for tcpip-forward replies for requests that

don't allocate a port. (bz#2509)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

fix possible hang on closed output. (bz#2469)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

expand <tt>%i</tt> in <tt>ControlPath</tt> to UID. (bz#2449)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

fix return type of <tt>openssh_RSA_verify</tt>. (bz#2460)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>,

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd">sshd(8)</a>:

<a href="http://man.openbsd.org?query=sshd">sshd(8)</a>:

fix some option parsing memory leaks. (bz#2182)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

add some debug output before DNS resolution; it's a place where

ssh could previously silently stall in cases of unresponsive DNS

servers. (bz#2433)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

remove spurious newline in visual hostkey. (bz#2686)

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

fix printing (<tt>ssh -G ...</tt>) of <tt>HostKeyAlgorithms=+...</tt>

<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh">ssh(1)</a>:

<li><a href="http://man.openbsd.org?query=ssh">ssh(1)</a>:

fix expansion of <tt>HostkeyAlgorithms=+...</tt>

</ul>

Line 711

<li>Removed support for <tt>DTLS_BAD_VER</tt>. Pre-DTLSv1 implementations

are no longer supported.

<li>The engine command and parameters are removed from

openssl(1)</a>.

Previous releases removed dynamic and built-in engine support already.

<li>SHA-0 is removed, which was withdrawn shortly after publication

Line 719

<li>Added <tt>Certplus CA</tt> root certificate to the default

<tt>cert.pem</tt> file.

<li>Fixed a leak in

SSL_new(3)</a>

in the error path.

<li>Fixed a memory leak and out-of-bounds access in

OBJ_obj2txt(3)</a>.

<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of

<tt>sizeof(RC4_CHUNK)</tt>.

<li>Added

EVP_aead_chacha20_poly1305_ietf(3)</a>

which matches the

<tt>AEAD</tt> construction introduced in RFC 7539, which is different

than that already used in TLS with

EVP_aead_chacha20_poly1305(3)</a>.

<li>More man pages converted from pod to

format.

<li>Added <tt>COMODO RSA Certification Authority</tt> and

<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>.

Line 745

(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)

root certificate from <tt>cert.pem</tt>.

<li>Fixed incorrect TLS certificate loading by

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc">nc(1)</a>.

<a href="http://man.openbsd.org?query=nc">nc(1)</a>.

<li>The following CVEs had been fixed:

<ul>

<li><tt>CVE-2015-3194</tt>—NULL pointer dereference in client

Line 770

<li>The <tt>libtls</tt> API is changed from the 2.2.x series:

<ul>

<li>The

tls_read(3)</a>

and

tls_write(3)</a>

functions now work better with external event libraries.

<li>Client-side verification is now supported, with the client

supplying the certificate to the server.

<li>Also, when using

tls_connect_fds(3)</a>,

tls_connect_socket(3)</a> or

tls_accept_fds(3)</a>,

<tt>libtls</tt> no longer implicitly closes the passed in sockets.

The caller is responsible for closing them in this case.

Line 795

<tt>ssize_t</tt> to <tt>size_t</tt>.

<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS.

<li>Converted

to use <tt>libtls</tt> for client and server operations; it is

included in the libressl-portable distribution as an example of how

to use the <tt>libtls</tt> library. This is intended to be a simpler

Line 809

<tt>libtls</tt>.

<li>Added ability to check certificate validity times with

<tt>libtls</tt>,

tls_peer_cert_notbefore(3)</a>

and

tls_peer_cert_notafter(3)</a>.

<li>Changed

tls_connect_servername(3)</a>

to use the first address that resolves with

getaddrinfo(3)</a>.

<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code

(non-functional since initial commit in 2004).

<li>Reject too small bits value in

BN_generate_prime(3)</a>,

so that it does not risk becoming negative in

<tt>probable_prime_dh_safe()</tt>.

Line 1216

OpenBSD ports system.

The ports/ directory represents a CVS (see the manpage for

cvs(1)</a> if

you aren't familiar with CVS) checkout of our ports. As with our complete

source tree, our ports tree is available via