Annotation of www/59.html, Revision 1.55
1.1 deraadt 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2: <html>
3: <head>
4: <title>OpenBSD 5.9</title>
5: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
6: <meta name="description" content="OpenBSD 5.9">
7: <meta name="copyright" content="This document copyright 2015 by OpenBSD.">
8: <link rel="canonical" href="http://www.openbsd.org/59.html">
9: </head>
10:
11: <body bgcolor="#ffffff" text="#000000" link="#24248E">
12:
13: <a href="index.html">
14: <img alt="[OpenBSD]" height="30" width="141" hspace="24" src="images/smalltitle.gif" border="0"></a>
15: <p>
16:
1.53 deraadt 17: <a href="images/drwxorx.jpg">
18: <img align="left" width="227" height="343" hspace="24" vspace="10" src="images/drwxorx.jpg"></a>
1.1 deraadt 19: <h2><font color="#0000e0">OpenBSD 5.9</font></h2>
20: <p>
1.11 tedu 21: To be released May 1, 2016<br>
1.1 deraadt 22: Copyright 1997-2016, Theo de Raadt.<br>
23: <font color="#e00000">ISBN 978-0-9881561-7-3</font>
24: <br>
25: 5.9 Songs: <a href="lyrics.html#59a">"xxx"</a>,
26: <a href="lyrics.html#59b">"xxx"</a>
27: <ul>
28: <li>Order a CDROM from our <a href="https://openbsdstore.com">ordering system</a>.
29: <li>See the information on <a href="ftp.html">the FTP page</a> for
30: a list of mirror machines.
31: <li>Go to the <font color="#e00000">pub/OpenBSD/5.9/</font> directory on
32: one of the mirror sites.
33: <li>Have a look at <a href="errata59.html">the 5.9 errata page</a> for a list
34: of bugs and workarounds.
35: <li>See a <a href="plus59.html">detailed log of changes</a> between the
36: 5.8 and 5.9 releases.
37: <p>
38: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1">signify(1)</a> pubkeys for this release:<br>
39: <pre>
1.4 jsg 40: base: RWQJVNompF3pwfIqbg+5sxfpxmZMa3tTBaW4qbUhWje/H/M7glrA6oVn
41: fw: RWSdmaNkytzh6BApmPSNSDLNg26ZaXlY8g/879UvLdo3rjbsby76Eda1
42: pkg: RWSLRYDCTJeWLIScncqwGuXK6JVXDcIyRT0q+0m30MXXG4W2xWS4NZBP
1.1 deraadt 43: </pre>
44: </ul>
45: <br clear=all>
46: All applicable copyrights and credits can be found in the applicable
47: file sources found in the files src.tar.gz, sys.tar.gz,
48: xenocara.tar.gz, or in the files fetched via ports.tar.gz. The
49: distribution files used to build packages from the ports.tar.gz file
50: are not included on the CDROM because of lack of space.
51: <p>
52:
53: <a name="new"></a>
54: <hr>
55: <p>
56: <h3><font color="#0000e0">What's New</font></h3>
57: <p>
58: This is a partial list of new features and systems included in OpenBSD 5.9.
59: For a comprehensive list, see the <a href="plus59.html">changelog</a> leading
60: to 5.9.
61: <p>
62:
63: <ul>
1.51 deraadt 64: <li>Processor support, including:
65: <ul>
66: <li>W^X policy enforced in the i386 kernel address space.
67: </ul>
68: <p>
1.1 deraadt 69: <li>Improved hardware support, including:
70: <ul>
1.33 jsg 71: <li>amd64 can now boot from 32 bit and 64 bit EFI.
72: <li>Initial support for hardware reduced ACPI added to
73: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=acpi&sektion=4">acpi(4)</a>.
74: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=efifb&sektion=4;arch=amd64">efifb(4)</a> driver for EFI frame buffer.
75: <li>Support for ACPI configured SD host controllers has been added to
76: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sdhc&sektion=4">sdhc(4)</a>.
77: <li>Xen domU support <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xen&sektion=4">xen(4)</a>,
1.37 sobrado 78: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xspd&sektion=4">xspd(4)</a>.
1.33 jsg 79: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xnf&sektion=4">xnf(4)</a> driver for Xen Netfront network interfaces.
1.30 kirby 80: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=puc&sektion=4">puc(4)</a> driver now supports Moxa CP-168U, Perle Speed8 LE and QEMU PCI serial devices.
1.33 jsg 81: <li>Intel 100 Series PCH Ethernet MAC with i219 PHY support has been added to the
82: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em&sektion=4">em(4)</a> driver.
1.48 stsp 83: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bge&sektion=4">bge(4)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=em&sektion=4">em(4)</a> drivers now process packets without the kernel lock held.
84: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=oce&sektion=4">oce(4)</a> driver now processes received packets without the kernel lock held.
1.33 jsg 85: <li>RTL8168H/RTL8111H support has been added to
86: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re&sektion=4">re(4)</a>.
1.47 matthieu 87: <li>Initial IEEE 802.11n support in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwm&sektion=4">iwm(4)</a>
88: and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwn&sektion=4">iwn(4)</a> drivers.
1.31 kirby 89: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=asmc&sektion=4">asmc(4)</a> driver for the Apple System Management Controller.
1.33 jsg 90: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchtemp&sektion=4">pchtemp(4)</a> driver for the thermal sensor found on Intel X99, C610 series, 9 series and 100 series PCH.
1.31 kirby 91: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=uonerng&sektion=4">uonerng(4)</a> driver for the Moonbase Otago OneRNG.
1.33 jsg 92: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dwiic&sektion=4">dwiic(4)</a> driver for the Synopsys DesignWare I2C controller.
93: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ikbd&sektion=4">ikbd(4)</a>,
94: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ims&sektion=4">ims(4)</a>, and
95: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=imt&sektion=4">imt(4)</a>
96: drivers for HID-over-i2c keyboards, mice and multitouch touchpads.
97: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=inteldrm&sektion=4">inteldrm(4)</a>
98: has been updated to Linux 3.14.52 adding initial support for Bay Trail and Broadwell graphics.
1.32 kirby 99: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=viocon&sektion=4">viocon(4)</a> driver for the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=virtio&sektion=4">virtio(4)</a> console interface provided by KVM, QEMU, and others.
1.46 stsp 100: <li>Support for audio in Thinkpad docks has been added to the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=azalia&sektion=4">azalia(4)</a> driver.
101: <li>Support for Synaptic touchpads without W mode has been added to the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pms&sektion=4">pms(4)</a> driver.
102: <li>Support for tap-and-drag detection with ALPS touchpads in the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pms&sektion=4">pms(4)</a> driver has been improved.
1.48 stsp 103: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sdmmc&sektion=4">sdmmc(4)</a> driver now supports sector mode for eMMC devices, such as those found on some BeagleBone Black boards.
104: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac&sektion=4">cnmac(4)</a> driver now supports checksum offloading and receives packets without the kernel lock held.
105: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=xhci&sektion=4">xhci(4)</a> driver is now enabled for macppc machines.
1.55 ! uebayasi 106: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipmi&sektion=4">ipmi(4)</a> driver now supports OpenIPMI compatible character device.
1.1 deraadt 107: <li>...
108: </ul>
109: <p>
110:
111: <li>Removed hardware support:
112: <ul>
1.24 krw 113: <li>ST-506 disks are no longer supported.
1.1 deraadt 114: <li>...
115: </ul>
116: <p>
117:
1.34 deraadt 118: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge&sektion=2">pledge(2)</a> support integrated:
119: <ul>
120: <li>tame(2) system call renamed to pledge(2).
1.51 deraadt 121: <li>Many behaviours/semantics extended and refined.
1.35 deraadt 122: <li>453 out of 707 base system binaries adapted to use pledge.
1.36 deraadt 123: <li>14 ports adapted to use pledge (some decompression tools, mutt,
124: some pdf tools, chromium/iridium, and the i3 window manager).
1.43 guenther 125: <li>Several bugs exposed by pledge(2) have been corrected, for example in <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bgpd/bgpd.c?rev=1.181&content-type=text/x-cvsweb-markup">bgpd(8)</a>, <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/config.c?rev=1.40&content-type=text/x-cvsweb-markup">iked(8)</a>, <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ldapd/control.c?rev=1.13&content-type=text/x-cvsweb-markup">ldapd(8)</a>, <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c?rev=1.25&content-type=text/x-cvsweb-markup">ntpd(8)</a>, and <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/syslogd/syslogd.c?rev=1.200&content-type=text/x-cvsweb-markup">syslogd(8)</a>,
126: <li>Several misguided "features" have been removed, such as <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/asr/asr.c?rev=1.50&content-type=text/x-cvsweb-markup">support for HOSTALIASES from the resolver</a>, <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/asr/asr.c?rev=1.49&content-type=text/x-cvsweb-markup">support for "lookup yp" in /etc/resolv.conf</a>, <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/rename.c?rev=1.2&content-type=text/x-cvsweb-markup">setuid-preserving code in binutils tools</a> or <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/ed.c?rev=1.1&content-type=text/x-cvsweb-markup">ed-style diffs via proc/exec in patch(1)</a>.
127: <li>A somewhat intensive audit of userland program so that they could be properly annotated with pledge(2) was done, resulting in some design changes such as in <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/rdate/rdate.c?rev=1.33&content-type=text/x-cvsweb-markup">rdate(1)</a>, <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sndiod/sndiod.c?rev=1.18&content-type=text/x-cvsweb-markup">sndiod(8)</a> or the introduction of <tt>SOCK_DNS</tt> <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=socket&sektion=2">socket(2)</a> flag that makes an <tt>SS_DNS</tt> tagged socket conceptually different from a plain socket.
128: <li>It also has been used to constrain programs to a more limited POSIX subset, such as some <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/binutils/objdump.c?rev=1.2&content-type=text/x-cvsweb-markup">binutils</a> tools that handle untrusted data (<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=strings&sektion=1">strings(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=objdump&sektion=1">objdump(1)</a>, ...), or the RSA-privsep process in <a href="http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ca.c?rev=1.15&content-type=text/x-cvsweb-markup">smtpd(1)</a>.
1.34 deraadt 129: </ul>
130: <p>
131:
1.1 deraadt 132: <li>Generic network stack improvements:
133: <ul>
1.28 sobrado 134: <li>Remove support for obsolete IPv6 socket options.
1.33 jsg 135: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=etherip&sektion=4">etherip(4)</a>
1.39 tj 136: pseudo-device for tunnelling Ethernet frames across IP[46] networks using RFC 3378 EtherIP encapsulation.
1.46 stsp 137: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pair&sektion=4">pair(4)</a> pseudo-device for creating paired virtual Ethernet interfaces.
138: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bpf&sektion=4">bpf(4)</a> now runs without the kernel lock.
1.48 stsp 139: <li>Split up the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4">tun(4)</a>
140: pseudo-device into <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4">tun(4)</a>
141: (for layer 3) and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tap&sektion=4">tap(4)</a> (for layer 2) pseudo-devices. As a result, the link0 flag has no effect on <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4">tun(4)</a> interfaces anymore.
142: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iwn&sektion=4">iwn(4)</a> driver now passes IEEE 802.11 control frames in monitor mode, allowing full capture of traffic on a particular wireless channel.
143: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pflow&sektion=4">pflow(4)</a> now supports IPv6 for transport.
144: <li>Several interoperability issues in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=iked&sektion=8">iked(4)</a> have been fixed, including EAP auth with OS X El Capitan.
1.1 deraadt 145: <li>...
146: </ul>
147: <p>
148:
149: <li>Installer improvements:
150: <ul>
1.24 krw 151: <li>Inappropriate user choices from a list of options are more reliably rejected.
152: <li>Installing to a disk partitioned with a GPT is now supported (amd64 only).
153: <li>When initializing a GPT the required EFI System partition is automatically created.
154: <li>When installing to a GPT disk <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=installboot&sektion=8">installboot(8)</a> now formats the EFI System partition, creates the appropriate directory structure and copies the required UEFI boot files into place.
1.1 deraadt 155: <li>...
156: </ul>
157: <p>
158:
159: <li>Routing daemons and other userland network improvements:
160: <ul>
1.48 stsp 161: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=eigrpd&sektion=8">eigrpd(8)</a> routing daemon for the Enhanced Interior Gateway Routing Protocol.
1.23 krw 162: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> now supports multiple domain names provided via DHCP option 15 (Domain Name).
163: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> now supports search domains provided via DHCP option 119 (Domain Search).
164: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> no longer continually checks for a change to the routing domain of the interface it controls. It now relies on the appropriate routing socket messages.
165: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> now issues DHCP DECLINE responses to lease offers found to be inadequate, and restarts the DISCOVER/RENEW process rather than waiting indefinitely for a better lease to appear.
166: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> no longer exits if a desired route cannot be added. It now just reports the fact.
167: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> now takes a much more careful approach to received packets to ensure only received data is used to process the packet. Packets with incorrect length information or lacking appropriate header information are now dropped.
168: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> again disables pending timeouts if the interface link is lost, preventing endless retries at obtaining a lease.
169: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> was pledged.
170: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> again properly utilizes default-lease-time, max-lease-time and bootp-lease-time options.
171: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> was pledged.
1.49 stsp 172: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&sektion=1">tcpdump(1)</a> now displays more information about IEEE 802.11 frames when run with the -y IEEE802_11_RADIO and -v options.</li>
1.1 deraadt 173: <li>...
174: </ul>
175: <p>
176:
177: <li>Security improvements:
178: <ul>
179: <li>...
1.10 tedu 180: <li>Support for looking up hosts via YP has been removed from libc.
181: The 'yp' lookup method in
182: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=resolv.conf&sektion=5">resolv.conf</a>
183: is no longer available.
184: <li>Support for the HOSTALIASES environment variable has been removed from libc.
1.1 deraadt 185: </ul>
186: <p>
187:
188: <li>Assorted improvements:
189: <ul>
1.29 sobrado 190: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=doas&sektion=1">doas(1)</a>
191: is a little friendlier to use.
1.28 sobrado 192: <li>Updated
193: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=flex&sektion=1">flex(1)</a>.
1.52 deraadt 194: <li>Forked <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=less&sektion=1">less(1)</a> from upstream, then proceeeded to clean it up substantially.
1.24 krw 195: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/macppc/pdisk.8?query=pdisk">pdisk(8)</a> was largely rewritten and pledged.
196: <li>Renaming files in the root directory of a MSDOS filesystem was fixed.
197: <li>Many obsolete <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/disktab.5?query=disktab">disktab(5)</a> attributes and entries were removed.
198: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/softraid.4?query=softraid">softraid(4)</a> volumes now correctly look for the disklabel in the first OpenBSD disk partition, not the last.
199: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/softraid.4?query=softraid">softraid(4)</a> volumes can now be partitioned with a GPT.
1.25 krw 200: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=9">fdisk(8)</a> now creates a default GPT as well as the protective MBR when the '-g' flag is used.
201: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> now has a '-b' flag that specifies the size of the EFI System partition to create.
202: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> now has a '-v' flag that causes a verbose display of both MBR and GPT information.
203: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> now provides full interactive GPT editing.
204: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> was pledged.
205: <li>Disks with sector sizes other than 512 bytes can now be partitioned with a GPT.
206: <li>The GPT kernel option was removed and GPT support is part of all GENERIC and GENERIC derived kernels.
207: <li>Many improvements were made to the GPT kernel support to ensure safe and reliable operation of GPT and MBR processing.
208: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=disklabel&sec=8">disklabel(8)</a> no longer supports boot code installation, with the -B and -b flags being removed. The associated fields in the disklabel were also removed. These functions are now all performed by
209: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=installboot&sektion=8">installboot(8)</a>.
1.43 guenther 210: <li>PowerPC converted to secure-PLT ABI variant.
211: <li>Perform lazy binding updates in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so&sektion=1">ld.so(1)</a> using <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kbind&sektion=2">kbind(2)</a> to improve security and reduce overhead in threaded processes.
212: <li>Over 100 internal or obsolete interfaces have been deleted or are no longer exported by libc, reducing symbol conflicts and process size. <!-- List stuff? YP and XDR APIs, mpool_*, bcrypt_autorounds, link_addr -->
213: <li>libc now uses local references for most of its own functions to avoid symbol overriding, improve standards compliance, increase speed, and reduce dynamic linking overhead.
214: <li>Handle intra-thread kills via new <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=thrkill&sektion=2">thrkill(2)</a> system call to tighten pledge(2) restrictions and improve pthread_kill(3) and pthread_cancel(3) compliance.
215: <li>Added <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam_shadow&sektion=3">getpwnam_shadow(3)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getpwuid_shadow&sektion=3">getpwuid_shadow(3)</a> to permit tighter pledge(2) restrictions.
216: <li>Added support to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&sektion=1">ktrace(1)</a> the arguments to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=execve&sektion=2">execve(2)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pledge&sektion=2">pledge(2)</a>. Removed support for tracing context switch points. <tt>kevent</tt> structures are now dumped.
1.46 stsp 217: <li>Disabled support for loading locales other than UTF-8.
218: <li>UTF-8 character locale data has been updated to Unicode 7.0.0.
1.48 stsp 219: <li>Added UTF-8 support to several utilities, including <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=calendar&sektion=1">calendar(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=colrm&sektion=1">colrm(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cut&sektion=1">cut(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fmt&sektion=1">fmt(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ls&sektion=1">ls(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ps&sektion=1">ps(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rs&sektion=1">rs(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ul&sektion=1">ul(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=uniq&sektion=1">uniq(1)</a>, and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wc&sektion=1">wc(1)</a>.
1.46 stsp 220: <li>Native language support (NLS) has been removed from libc.
1.48 stsp 221: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ddb&sektion=4">ddb(4)</a> now automatically shows a stack trace upon panic.
1.1 deraadt 222: <li>...
223: </ul>
224: <p>
225:
226: <li>OpenBSD <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&sektion=8">httpd(8)</a>:
227: <ul>
228: <li>...
229: </ul>
230: <p>
231:
1.38 gilles 232: <li>OpenSMTPD 5.9.1
233: <ul>
234: <li>Security:
235: <ul>
236: <li>Both
237: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sektion=8">smtpd(8)</a>
238: and
239: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpctl&sektion=8">smtpctl(8)</a>
240: have been pledged.
241: <li>The offline enqueue mode of
242: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpctl&sektion=8">smtpctl(8)</a>
1.39 tj 243: has been redesigned to remove the need for a publicly writable directory which was a vector of multiple attacks in the Qualys Security audit.
1.38 gilles 244: </ul>
245: <li>The following improvements were brought in this release:
246: <ul>
247: <li>Experimental support for filters API is now available with several filters available in ports.
248: <li>Add Message-Id header if necessary.
249: <li>Removed the kick mechanism which was misbehaving.
1.39 tj 250: <li>Increased the length of acceptable headers lines.
1.38 gilles 251: <li>Assume messages are 8-bit bytes by default.
252: </ul>
1.1 deraadt 253: </ul>
254: <p>
255:
1.41 jsg 256: <li>OpenSSH 7.2
1.1 deraadt 257: <ul>
258: <li>Security:
259: <ul>
1.16 sobrado 260: <li>Qualys Security identified vulnerabilities in the
261: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
1.18 sobrado 262: client experimental support for resuming SSH-connections (roaming).
1.16 sobrado 263: In the default configuration, this could potentially leak client keys
264: to a hostile server. The authentication of the server host key
265: prevents exploitation by a man-in-the-middle, so this information leak
266: is restricted to connections to malicious or compromised servers.
267: This feature has been disabled in the
268: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
269: client, and it has been removed from the source tree. The matching
270: server code has never been shipped.
271: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
272: OpenSSH 7.0 contained a logic error in
273: <tt>PermitRootLogin=prohibit-password/without-password</tt> that could,
274: depending on compile-time configuration, permit password authentication
275: to root while preventing other forms of authentication.
276: <li>Fix an out of-bound read access in the packet handling code.
1.18 sobrado 277: <li>Further use of
278: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero&sektion=3">explicit_bzero(3)</a>
279: has been added in various buffer handling code paths to guard against
280: compilers aggressively doing dead-store removal.
1.45 sobrado 281: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
282: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
283: remove unfinished and unused roaming code.
284: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
285: eliminate fallback from untrusted X11 forwarding to trusted forwarding
286: when the X server disables the <tt>SECURITY</tt> extension.
287: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
288: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
289: increase the minimum modulus size supported for
290: <tt>diffie-hellman-group-exchange</tt> to 2048 bits.
291: </ul>
292: <li>Potentially-incompatible changes:
293: <ul>
294: <li>This release disables a number of legacy cryptographic algorithms
295: by default in
296: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
297: <ul>
298: <li>Several ciphers: <tt>blowfish-cbc</tt>, <tt>cast128-cbc</tt>,
299: all <tt>arcfour</tt> variants and the <tt>rijndael-cbc</tt> aliases
300: for AES.
301: <li>MD5-based and truncated HMAC algorithms.
302: </ul>
303: </ul>
304: <li>New/changed features:
305: <ul>
306: <li>all: add support for RSA signatures using SHA-256/512 hash algorithms
307: based on <tt>draft-rsa-dsa-sha2-256-03.txt</tt> and
308: <tt>draft-ssh-ext-info-04.txt</tt>.
309: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
310: Add an <tt>AddKeysToAgent</tt> client option which can be set to
311: <tt>yes</tt>, <tt>no</tt>, <tt>ask</tt>, or <tt>confirm</tt>, and
312: defaults to <tt>no</tt>. When enabled, a private key that is used
313: during authentication will be added to
314: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>
315: if it is running (with confirmation enabled if set to <tt>confirm</tt>).
316: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
317: add a new <tt>authorized_keys</tt> option <tt>restrict</tt> that
318: includes all current and future key restrictions
319: (<tt>no-*-forwarding</tt>, etc.).
320: Also add permissive versions of the existing restrictions, e.g.
321: <tt>no-pty</tt> -> <tt>pty</tt>. This simplifies the task of setting up
322: restricted keys and ensures they are maximally-restricted,
323: regardless of any permissions we might implement in the future.
324: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
325: add
326: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
327: CertificateFile option to explicitly list certificates. (bz#2436)
328: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
329: allow
330: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
331: to change the key comment for all supported formats.
332: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
333: allow fingerprinting from standard input, e.g. "ssh-keygen -lf -".
334: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
335: allow fingerprinting multiple public keys in a file, e.g.
336: <tt>ssh-keygen -lf ~/.ssh/authorized_keys</tt>. (bz#1319)
337: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
338: support <tt>none</tt> as an argument for
339: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
340: <tt>Foreground</tt> and <tt>ChrootDirectory</tt>. Useful inside
341: <tt>Match</tt> blocks to override a global default. (bz#2486)
342: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
343: support multiple certificates (one per line) and reading from standard
344: input (using "<tt>-f -</tt>") for <tt>ssh-keygen -L</tt>.
345: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>:
346: add <tt>ssh-keyscan -c ...</tt> flag to allow fetching certificates
347: instead of plain keys.
348: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
349: better handle anchored FQDNs (e.g. <tt>cvs.openbsd.org.</tt>) in
350: hostname canonicalisation - treat them as already canonical and
351: trailing '<tt>.</tt>' before matching
352: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>.
1.1 deraadt 353: </ul>
354: <li>The following significant bugs have been fixed in this release:
355: <ul>
1.16 sobrado 356: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
357: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
1.18 sobrado 358: add compatibility workarounds for FuTTY.
1.16 sobrado 359: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
360: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
1.18 sobrado 361: refine compatibility workarounds for WinSCP.
1.16 sobrado 362: <li>Fix a number of memory faults (double-free, free of uninitialised
363: memory, etc) in
364: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
365: and
366: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>.
1.18 sobrado 367: <li>Correctly interpret the <tt>first_kex_follows</tt> option during the
368: initial key exchange.
1.45 sobrado 369: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
370: existing destination directories should not terminate recursive uploads
371: (regression in openssh 6.8). (bz#2528)
372: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
373: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
374: correctly send back <tt>SSH2_MSG_UNIMPLEMENTED</tt> replies to
375: unexpected messages during key exchange. (bz#2949)
376: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
377: refuse attempts to set <tt>ConnectionAttempts=0</tt>, which does not
378: make sense and would cause ssh to print an uninitialised stack
379: variable. (bz#2500)
380: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
381: fix errors when attempting to connect to scoped IPv6 addresses with
382: hostname canonicalisation enabled.
383: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>:
384: list a couple more options usable in <tt>Match</tt> blocks. (bz#2489)
385: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
386: fix <tt>PubkeyAcceptedKeyTypes +...</tt> inside a <tt>Match</tt> block.
387: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
388: expand tilde characters in filenames passed to <tt>-i</tt> options
389: before checking whether or not the identity file exists. Avoids
390: confusion for cases where shell doesn't expand (e.g.
391: <tt>-i ~/file</tt> vs. <tt>-i~/file</tt>). (bz#2481)
392: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
393: do not prepend "exec" to the shell command run by <tt>Match exec</tt>
394: in a config file, which could cause some commands to fail in certain
395: environments. (bz#2471)
396: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>:
397: fix output for multiple hosts/addrs on one line when host hashing or
398: a non standard port is in use. (bz#2479)
399: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
400: skip "Could not chdir to home directory" message when
401: <tt>ChrootDirectory</tt> is active. (bz#2485)
402: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
403: include <tt>PubkeyAcceptedKeyTypes</tt> in <tt>ssh -G</tt> config dump.
404: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
405: avoid changing <tt>TunnelForwarding</tt> device flags if they are
406: already what is needed; makes it possible to use
407: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4">tun(4)</a>/
408: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tap&sektion=4">tap(4)</a>
409: networking as non-root user if device permissions and interface flags
410: are pre-established.
411: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
412: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
413: <tt>RekeyLimits</tt> could be exceeded by one packet. (bz#2521)
414: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
415: fix multiplexing master failure to notice client exit.
416: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
417: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
418: avoid <tt>fatal()</tt> for PKCS11 tokens that present empty key IDs.
419: (bz#1773)
420: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
421: avoid
422: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=printf&sektion=3">printf(3)</a>
423: of NULL argument. (bz#2535)
424: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
425: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
426: allow <tt>RekeyLimits</tt> larger than 4GB. (bz#2521)
427: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>,
428: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
429: fix several bugs in (unused) KRL signature support.
430: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
431: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
432: fix connections with peers that use the key exchange guess feature of
433: the protocol. (bz#2515)
434: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
435: include remote port number in log messages. (bz#2503)
436: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
437: don't try to load SSHv1 private key when compiled without SSHv1
438: support. (bz#2505)
439: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>,
440: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
441: fix incorrect error messages during key loading and signing errors.
442: (bz#2507)
443: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
444: don't leave empty temporary files when performing <tt>known_hosts</tt>
445: file edits when <tt>known_hosts</tt> doesn't exist.
446: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
447: correct packet format for tcpip-forward replies for requests that
448: don't allocate a port. (bz#2509)
449: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
450: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
451: fix possible hang on closed output. (bz#2469)
452: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
453: expand <tt>%i</tt> in <tt>ControlPath</tt> to UID. (bz#2449)
454: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
455: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
456: fix return type of <tt>openssh_RSA_verify</tt>. (bz#2460)
457: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
458: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
459: fix some option parsing memory leaks. (bz#2182)
460: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
461: add a some debug output before DNS resolution; it's a place where
462: ssh could previously silently stall in cases of unresponsive DNS
463: servers. (bz#2433)
464: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
465: remove spurious newline in visual hostkey. (bz#2686)
466: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
467: fix printing (<tt>ssh -G ...</tt>) of <tt>HostKeyAlgorithms=+...</tt>
468: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
469: fix expansion of <tt>HostkeyAlgorithms=+...</tt>
1.1 deraadt 470: </ul>
471: </ul>
472: <p>
1.17 sobrado 473: <li>LibreSSL 2.3.2
1.1 deraadt 474: <ul>
475: <li>User-visible features:
476: <ul>
1.17 sobrado 477: <li>This release corrects the handling of <tt>ClientHello</tt> messages
478: that do not include TLS extensions, resulting in such handshakes being
479: aborted.
1.39 tj 480: <li>When loading a DSA key from a raw (without DH parameters) ASN.1
1.17 sobrado 481: serialization, perform some consistency checks on its `p' and `q'
482: values, and return an error if the checks failed.
483: <li>Fixed a bug in <tt>ECDH_compute_key</tt> that can lead to silent
484: truncation of the result key without error. A coding error could cause
485: software to use much shorter keys than intended.
486: <li>Removed support for <tt>DTLS_BAD_VER</tt>. Pre-DTLSv1 implementations
487: are no longer supported.
488: <li>The engine command and parameters are removed from
489: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>.
1.39 tj 490: Previous releases removed dynamic and built-in engine support already.
1.17 sobrado 491: <li>SHA-0 is removed, which was withdrawn shortly after publication
492: twenty years ago.
493: <li>Added <tt>Certplus CA</tt> root certificate to the default
494: <tt>cert.pem</tt> file.
1.19 sobrado 495: <li>Fixed a leak in
1.28 sobrado 496: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=SSL_new&sektion=3">SSL_new(3)</a>
1.19 sobrado 497: in the error path.
1.28 sobrado 498: <li>Fixed a memory leak and out-of-bounds access in
499: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=OBJ_nid2obj&sektion=3">OBJ_obj2txt(3)</a>.
1.17 sobrado 500: <li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
501: <tt>sizeof(RC4_CHUNK)</tt>.
1.19 sobrado 502: <li>Added
1.50 doug 503: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305_ietf(3)</a>
1.19 sobrado 504: which matches the
1.18 sobrado 505: <tt>AEAD</tt> construction introduced in RFC 7539, which is different
506: than that already used in TLS with
1.28 sobrado 507: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305(3)</a>.
1.18 sobrado 508: <li>More man pages converted from pod to
1.28 sobrado 509: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mdoc&sektion=7">mdoc(7)</a>
1.18 sobrado 510: format.
1.17 sobrado 511: <li>Added <tt>COMODO RSA Certification Authority</tt> and
512: <tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>.
513: <li>Removed Remhve "<tt>C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
514: Certification Authority</tt>"
515: (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
516: root certificate from <tt>cert.pem</tt>.
517: <li>Fixed incorrect TLS certificate loading by
1.28 sobrado 518: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a>.
1.17 sobrado 519: <li>The following CVEs had been fixed:
520: <ul>
1.28 sobrado 521: <li><tt>CVE-2015-3194</tt>—NULL pointer dereference in client
522: side certificate validation.
523: <li><tt>CVE-2015-3195</tt>—memory leak in PKCS7, not reachable
524: from TLS/SSL.
1.17 sobrado 525: </ul>
526: <li>Note: The following OpenSSL CVEs did not apply to LibreSSL:
527: <ul>
1.28 sobrado 528: <li><tt>CVE-2015-3193</tt>—carry propagating bug in the x86_64
529: Montgomery squaring procedure.
530: <li><tt>CVE-2015-3196</tt>—double free race condition of the
531: identify hint data.
1.17 sobrado 532: </ul>
1.1 deraadt 533: </ul>
534: <li>Code improvements:
535: <ul>
1.17 sobrado 536: <li>Added install target for <tt>cmake</tt> builds.
537: <li>Updated <tt>pkgconfig</tt> files to correctly report the release
538: version number, not the individual library ABI version numbers.
539: <li>SSLv3 is now permanently removed from the tree.
540: <li>The <tt>libtls</tt> API is changed from the 2.2.x series:
541: <ul>
1.28 sobrado 542: <li>The
543: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_read(3)</a>
544: and
545: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_write(3)</a>
546: functions now work better with external event libraries.
547: <li>Client-side verification is now supported, with the client
548: supplying the certificate to the server.
549: <li>Also, when using
550: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_fds(3)</a>,
551: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_socket(3)</a>
552: or
553: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_accept_fds(3)</a>,
554: <tt>libtls</tt> no longer implicitly closes the passed in sockets.
555: The caller is responsible for closing them in this case.
1.17 sobrado 556: </ul>
557: <li>New interface <tt>OPENSSL_cpu_caps</tt> is provided that does not
558: allow software to inadvertently modify cpu capability flags.
559: <tt>OPENSSL_ia32cap</tt> and <tt>OPENSSL_ia32cap_loc</tt> are removed.
1.18 sobrado 560: <li>The <tt>out_len</tt> argument of <tt>AEAD</tt> changed from
561: <tt>ssize_t</tt> to <tt>size_t</tt>.
1.17 sobrado 562: <li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS.
563: <li>Converted
1.28 sobrado 564: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a>
1.17 sobrado 565: to use <tt>libtls</tt> for client and server operations; it is
566: included in the libressl-portable distribution as an example of how
567: to use the <tt>libtls</tt> library. This is intended to be a simpler
568: and more robust replacement for <tt>openssl s_client</tt> and
569: <tt>openssl s_server</tt> for day-to-day operations.
570: <li>ASN.1 cleanups and RFC5280 compliance fixes.
571: <li>Time representations switched from <tt>unsigned long</tt> to
572: <tt>time_t</tt>. LibreSSL now checks if the host OS supports 64-bit
573: <tt>time_t</tt>.
574: <li>Support always extracting the peer cipher and version with
575: <tt>libtls</tt>.
576: <li>Added ability to check certificate validity times with
1.19 sobrado 577: <tt>libtls</tt>,
1.28 sobrado 578: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notbefore(3)</a>
1.19 sobrado 579: and
1.28 sobrado 580: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notafter(3)</a>.
1.19 sobrado 581: <li>Changed
1.28 sobrado 582: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_servername(3)</a>
1.19 sobrado 583: to use the first address that resolves with
1.28 sobrado 584: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getaddrinfo&sektion=3">getaddrinfo(3)</a>.
1.17 sobrado 585: <li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code
586: (non-functional since initial commit in 2004).
1.19 sobrado 587: <li>Reject too small bits value in
1.28 sobrado 588: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=BN_generate_prime&sektion=3">BN_generate_prime_ex(3)</a>,
1.17 sobrado 589: so that it does not risk becoming negative in
590: <tt>probable_prime_dh_safe()</tt>.
1.18 sobrado 591: <li>Changed format of <tt>LIBRESSL_VERSION_NUMBER</tt> to match that of
1.17 sobrado 592: <tt>OPENSSL_VERSION_NUMBER</tt>.
593: <li>Avoid a potential undefined C99+ behavior due to shift overflow in
594: <tt>AES_decrypt</tt>.
595: <li>Deprecated the <tt>SSL_OP_SINGLE_DH_USE</tt> flag.
1.1 deraadt 596: </ul>
597: </ul>
598: <p>
599: <li>Syslogd:
600: <ul>
601: <li>...
602: </ul>
603: <p>
604: <li>Ports and packages:
605: <dl>
606: <dt>Many pre-built packages for each architecture:
607: <table border=0 cellspacing=0 cellpadding=2 width="95%">
608: <tr>
609: <td valign="top" width="25%">
610: <ul>
611: <li>alpha: xxxx
1.54 deraadt 612: <li>amd64: 9295
1.1 deraadt 613: <li>hppa: xxxx
614: </ul></td><td valign=top width="25%"><ul>
1.54 deraadt 615: <li>i386: 9290
1.1 deraadt 616: <li>mips64: xxxx
617: <li>mips64el: xxxx
618: </ul></td><td valign=top width="25%"><ul>
619: <li>powerpc: xxxx
620: <li>sh: xxxx
621: <li>sparc64: xxxx
622: </ul></td><td valign=top width="25%"><ul>
623: <li>vax: xxxx
624: </ul></td></tr></table>
625: <p>
626:
627: <dt>Some highlights:
628: <table border=0 cellspacing=0 cellpadding=2 width="95%">
629: <tr>
630: <td valign="top" width="33%"><ul>
1.40 sthen 631: <li>Chromium 48.0.2564.116
1.1 deraadt 632: <li>Emacs 21.4 and 24.5
1.3 jsg 633: <li>GCC 4.9.3
634: <li>GHC 7.10.3
635: <li>GNOME 3.18.2
1.5 sthen 636: <li>Go 1.5.3
1.1 deraadt 637: <li>Groff 1.22.3
1.40 sthen 638: <li>JDK 7u80 and 8u72
1.1 deraadt 639: <li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
640: <li>LLVM/Clang 3.5 (20140228)
1.3 jsg 641: <li>LibreOffice 5.0.4.2
642: <li>MariaDB 10.0.23
643: <li>Mono 4.2.1.102
1.26 lteo 644: <li>Mozilla Firefox 38.6.1esr and 44.0.2
645: <li>Mozilla Thunderbird 38.6.0
1.1 deraadt 646: </ul></td><td valign=top width="33%"><ul>
1.22 abieber 647: <li>Node.js 4.3.0
1.3 jsg 648: <li>OpenLDAP 2.3.43 and 2.4.43
1.26 lteo 649: <li>PHP 5.4.45, 5.5.32 and 5.6.18
1.3 jsg 650: <li>Postfix 3.0.3
1.26 lteo 651: <li>PostgreSQL 9.4.6
1.3 jsg 652: <li>Python 2.7.11, 3.4.4 and 3.5.1
653: <li>R 3.2.3
654: <li>Ruby 1.8.7.374, 2.0.0.648, 2.1.8, 2.2.4 and 2.3.0
1.15 lteo 655: <li>Rust 1.6.0
1.1 deraadt 656: <li>Sendmail 8.15.2
1.3 jsg 657: <li>Sudo 1.8.15
1.1 deraadt 658: <li>Tcl/Tk 8.5.18 and 8.6.4
659: <li>TeX Live 2014
1.3 jsg 660: <li>Vim 7.4.900
1.1 deraadt 661: <li>Xfce 4.12
662: </ul></td><td valign=top width="34%">
663: </td></tr></table>
664: <p>
665:
666: <li>As usual, steady improvements in manual pages and other documentation.
667: <p>
668:
669: <li>The system includes the following major components from outside suppliers:
670: <ul>
1.3 jsg 671: <li>Xenocara (based on X.Org 7.7 with xserver 1.17.4 + patches,
1.8 jsg 672: freetype 2.6.2, fontconfig 2.11.1, Mesa 11.0.9, xterm 322,
1.21 matthieu 673: xkeyboard-config 2.17 and more)
1.1 deraadt 674: <li>Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
675: <li>Perl 5.20.2 (+ patches)
1.3 jsg 676: <li>SQLite 3.9.2 (+ patches)
677: <li>NSD 4.1.7
678: <li>Unbound 1.5.7
1.1 deraadt 679: <li>Ncurses 5.7
680: <li>Binutils 2.17 (+ patches)
681: <li>Gdb 6.3 (+ patches)
682: <li>Awk Aug 10, 2011 version
683: </ul>
684:
685: </ul>
686:
687: <a name="install"></a>
688: <hr>
689: <p>
690: <h3><font color="#0000e0">How to install</font></h3>
691: <p>
692: Following this are the instructions which you would have on a piece of
693: paper if you had purchased a CDROM set instead of doing an alternate
694: form of install. The instructions for doing an HTTP (or other style
695: of) install are very similar; the CDROM instructions are left intact
696: so that you can see how much easier it would have been if you had
697: purchased a CDROM instead.
698: <p>
699:
700: <hr>
701: Please refer to the following files on the three CDROMs or mirror site for
702: extensive details on how to install OpenBSD 5.9 on your machine:
703: <p>
704: <ul>
705: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/alpha/INSTALL.alpha">
706: .../OpenBSD/5.9/alpha/INSTALL.alpha (on CD1)</a>
707: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/i386/INSTALL.i386">
708: .../OpenBSD/5.9/i386/INSTALL.i386 (on CD1)</a>
709: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/hppa/INSTALL.hppa">
710: .../OpenBSD/5.9/hppa/INSTALL.hppa (on CD1)</a>
711: <p>
712: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/amd64/INSTALL.amd64">
713: .../OpenBSD/5.9/amd64/INSTALL.amd64 (on CD2)</a>
714: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/macppc/INSTALL.macppc">
715: .../OpenBSD/5.9/macppc/INSTALL.macppc (on CD2)</a>
716: <p>
717: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/sparc64/INSTALL.sparc64">
718: .../OpenBSD/5.9/sparc64/INSTALL.sparc64 (on CD3)</a>
719: <p>
720: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/alpha/INSTALL.alpha">
721: .../OpenBSD/5.9/alpha/INSTALL.alpha</a>
722: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/hppa/INSTALL.hppa">
723: .../OpenBSD/5.9/hppa/INSTALL.hppa</a>
724: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/landisk/INSTALL.landisk">
725: .../OpenBSD/5.9/landisk/INSTALL.landisk</a>
726: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/loongson/INSTALL.loongson">
727: .../OpenBSD/5.9/loongson/INSTALL.loongson</a>
728: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/luna88k/INSTALL.luna88k">
729: .../OpenBSD/5.9/luna88k/INSTALL.luna88k</a>
730: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/macppc/INSTALL.macppc">
731: .../OpenBSD/5.9/macppc/INSTALL.macppc</a>
732: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/octeon/INSTALL.octeon">
733: .../OpenBSD/5.9/octeon/INSTALL.octeon</a>
734: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/sgi/INSTALL.sgi">
735: .../OpenBSD/5.9/sgi/INSTALL.sgi</a>
736: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/socppc/INSTALL.socppc">
737: .../OpenBSD/5.9/socppc/INSTALL.socppc</a>
738: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/vax/INSTALL.vax">
739: .../OpenBSD/5.9/vax/INSTALL.vax</a>
740: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.9/zaurus/INSTALL.zaurus">
741: .../OpenBSD/5.9/zaurus/INSTALL.zaurus</a>
742: </ul>
743: <hr>
744:
745: <p>
746: Quick installer information for people familiar with OpenBSD, and the
747: use of the "disklabel -E" command. If you are at all confused when
748: installing OpenBSD, read the relevant INSTALL.* file as listed above!
749: <p>
750:
751: <h3><font color="#e00000">OpenBSD/i386:</font></h3>
752: <ul>
753: The OpenBSD/i386 release is on CD1.
754: Boot from the CD to begin the install - you may need to adjust
755: your BIOS options first.
756:
757: <p>
758: If your machine can boot from USB, you can write <i>install59.fs</i> or
759: <i>miniroot59.fs</i> to a USB stick and boot from it.
760:
761: <p>
762: If you can't boot from a CD, floppy disk, or USB,
763: you can install across the network using PXE as described in
764: the included INSTALL.i386 document.
765:
766: <p>
767: If you are planning on dual booting OpenBSD with another OS, you will need to
768: read INSTALL.i386.
769:
770: </ul>
771:
772: <p>
773: <h3><font color="#e00000">OpenBSD/amd64:</font></h3>
774: <ul>
775: The OpenBSD/amd64 release is on CD2.
776: Boot from the CD to begin the install - you may need to adjust
777: your BIOS options first.
778:
779: <p>
780: If your machine can boot from USB, you can write <i>install59.fs</i> or
781: <i>miniroot59.fs</i> to a USB stick and boot from it.
782:
783: <p>
784: If you can't boot from a CD, floppy disk, or USB,
785: you can install across the network using PXE as described in the included
786: INSTALL.amd64 document.
787:
788: <p>
789: If you are planning to dual boot OpenBSD with another OS, you will need to
790: read INSTALL.amd64.
791: </ul>
792:
793: <p>
794: <h3><font color="#e00000">OpenBSD/macppc:</font></h3>
795: <ul>
796: Burn the image from a mirror site to a CDROM, and power on your machine
797: while holding down the <i>C</i> key until the display turns on and
798: shows <i>OpenBSD/macppc boot</i>.
799:
800: <p>
801: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
802: /5.9/macppc/bsd.rd</i>
803: </ul>
804:
805: <p>
806: <h3><font color="#e00000">OpenBSD/sparc64:</font></h3>
807: <ul>
808: Put CD3 in your CDROM drive and type <i>boot cdrom</i>.
809:
810: <p>
811: If this doesn't work, or if you don't have a CDROM drive, you can write
812: <i>CD3:5.9/sparc64/floppy59.fs</i> or <i>CD3:5.9/sparc64/floppyB59.fs</i>
813: (depending on your machine) to a floppy and boot it with <i>boot
814: floppy</i>. Refer to INSTALL.sparc64 for details.
815:
816: <p>
817: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
818: will most likely fail.
819:
820: <p>
821: You can also write <i>CD3:5.9/sparc64/miniroot59.fs</i> to the swap partition on
822: the disk and boot with <i>boot disk:b</i>.
823:
824: <p>
825: If nothing works, you can boot over the network as described in INSTALL.sparc64.
826: </ul>
827:
828: <p>
829: <h3><font color="#e00000">OpenBSD/alpha:</font></h3>
830: <ul>
831: <p>Write <i>FTP:5.9/alpha/floppy59.fs</i> or
832: <i>FTP:5.9/alpha/floppyB59.fs</i> (depending on your machine) to a diskette and
833: enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
834:
835: <p>
836: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
837: will most likely fail.
838:
839: </ul>
840:
841: <p>
842: <h3><font color="#e00000">OpenBSD/hppa:</font></h3>
843: <ul>
844: <p>
845: Boot over the network by following the instructions in INSTALL.hppa or the
846: <a href="hppa.html#install">hppa platform page</a>.
847: </ul>
848:
849: <p>
850: <h3><font color="#e00000">OpenBSD/landisk:</font></h3>
851: <ul>
852: <p>
853: Write <i>miniroot59.fs</i> to the start of the CF
854: or disk, and boot normally.
855: </ul>
856:
857: <p>
858: <h3><font color="#e00000">OpenBSD/loongson:</font></h3>
859: <ul>
860: <p>
861: Write <i>miniroot59.fs</i> to a USB stick and boot bsd.rd from it
862: or boot bsd.rd via tftp.
863: Refer to the instructions in INSTALL.loongson for more details.
864: </ul>
865: <p>
866:
867: <p>
868: <h3><font color="#e00000">OpenBSD/luna88k:</font></h3>
869: <ul>
870: <p>
871: Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
872: from the PROM, and then bsd.rd from the bootloader.
873: Refer to the instructions in INSTALL.luna88k for more details.
874: </ul>
875:
876: <p>
877: <h3><font color="#e00000">OpenBSD/octeon:</font></h3>
878: <ul>
879: <p>
880: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
881: Refer to the instructions in INSTALL.octeon for more details.
882: </ul>
883:
884: <p>
885: <h3><font color="#e00000">OpenBSD/sgi:</font></h3>
886: <ul>
887: <p>
888: To install, burn cd59.iso on a CD-R, put it in the CD drive of your
889: machine and select <i>Install System Software</i> from the System Maintenance
890: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
891: CD-ROM, and need a proper invocation from the PROM prompt.
892: Refer to the instructions in INSTALL.sgi for more details.
893:
894: <p>
895: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
896: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
897: system type. Refer to the instructions in INSTALL.sgi for more details.
898: </ul>
899:
900: <p>
901: <h3><font color="#e00000">OpenBSD/socppc:</font></h3>
902: <ul>
903: <p>
904: After connecting a serial port, boot over the network via DHCP/tftp.
905: Refer to the instructions in INSTALL.socppc for more details.
906: </ul>
907:
908: <p>
909: <h3><font color="#e00000">OpenBSD/vax:</font></h3>
910: <ul>
911: Boot over the network via mopbooting as described in INSTALL.vax.
912: </ul>
913:
914: <p>
915: <h3><font color="#e00000">OpenBSD/zaurus:</font></h3>
916: <ul>
917: <p>
918: Using the Linux built-in graphical ipkg installer, install the
919: openbsd59_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
920: for a few important details.
921: </ul>
922:
923: <a name="upgrade"></a>
924: <hr>
925: <p>
926: <h3><font color="#0000e0">How to upgrade</font></h3>
927: <p>
1.6 tj 928: If you already have an OpenBSD 5.8 system, and do not want to reinstall,
1.1 deraadt 929: upgrade instructions and advice can be found in the
930: <a href="faq/upgrade59.html">Upgrade Guide</a>.
931:
932: <a name="sourcecode"></a>
933: <hr>
934: <p>
935: <h3><font color="#0000e0">Notes about the source code</font></h3>
936: <p>
937: src.tar.gz contains a source archive starting at /usr/src. This file
938: contains everything you need except for the kernel sources, which are
939: in a separate archive. To extract:
940: <p>
941: <ul><pre>
942: # <strong>mkdir -p /usr/src</strong>
943: # <strong>cd /usr/src</strong>
944: # <strong>tar xvfz /tmp/src.tar.gz</strong>
945: </pre></ul>
946: <p>
947: sys.tar.gz contains a source archive starting at /usr/src/sys.
948: This file contains all the kernel sources you need to rebuild kernels.
949: To extract:
950: <p>
951: <ul><pre>
952: # <strong>mkdir -p /usr/src/sys</strong>
953: # <strong>cd /usr/src</strong>
954: # <strong>tar xvfz /tmp/sys.tar.gz</strong>
955: </pre></ul>
956: <p>
957: Both of these trees are a regular CVS checkout. Using these trees it
958: is possible to get a head-start on using the anoncvs servers as
959: described <a href="anoncvs.html">here</a>.
960: Using these files
961: results in a much faster initial CVS update than you could expect from
962: a fresh checkout of the full OpenBSD source tree.
963: <p>
964:
965: <a name="ports"></a>
966: <hr>
967: <p>
968: <h3><font color="#0000e0">Ports Tree</font></h3>
969: <p>
970: A ports tree archive is also provided. To extract:
971: <p>
972: <ul><pre>
973: # <strong>cd /usr</strong>
974: # <strong>tar xvfz /tmp/ports.tar.gz</strong>
975: </pre></ul>
976: <p>
977: Go read the <a href="faq/ports/index.html">ports</a> page
978: if you know nothing about ports
979: at this point. This text is not a manual of how to use ports.
980: Rather, it is a set of notes meant to kickstart the user on the
981: OpenBSD ports system.
982: <p>
983: The <i>ports/</i> directory represents a CVS (see the manpage for
984: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1&arch=i386">
985: cvs(1)</a> if
986: you aren't familiar with CVS) checkout of our ports. As with our complete
987: source tree, our ports tree is available via
988: <a href="anoncvs.html">AnonCVS</a>.
989: So, in order to keep up to date with the <i>-stable</i> branch, you must make
990: the <i>ports/</i> tree available on a read-write medium and update the tree
991: with a command like:
992: <p>
993: <ul><pre>
994: # <strong>cd /usr/ports</strong>
995: # <strong>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_9</strong>
996: </pre></ul>
997: <p>
998: [Of course, you must replace the server name here with a nearby anoncvs
999: server.]
1000: <p>
1001: Note that most ports are available as packages on our mirrors. Updated
1002: ports for the 5.9 release will be made available if problems arise.
1003: <p>
1004: If you're interested in seeing a port added, would like to help out, or just
1005: would like to know more, the mailing list
1006: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1007: <p>
1008: </body>
1009: </html>