version 1.73, 2016/10/16 19:11:29 |
version 1.74, 2017/06/26 17:18:57 |
|
|
<li>See a <a href="plus60.html">detailed log of changes</a> between the |
<li>See a <a href="plus60.html">detailed log of changes</a> between the |
5.9 and 6.0 releases. |
5.9 and 6.0 releases. |
<p> |
<p> |
<li><a href="http://man.openbsd.org/signify.1">signify(1)</a> |
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a> |
pubkeys for this release:<br> |
pubkeys for this release:<br> |
<pre> |
<pre> |
base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8 |
base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8 |
|
|
|
|
<li>Improved hardware support, including: |
<li>Improved hardware support, including: |
<ul> |
<ul> |
<li>New <a href="http://man.openbsd.org/?query=bytgpio">bytgpio(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=bytgpio">bytgpio(4)</a> |
driver for the Intel Bay Trail GPIO controller. |
driver for the Intel Bay Trail GPIO controller. |
<li>New <a href="http://man.openbsd.org/?query=chvgpio">chvgpio(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=chvgpio">chvgpio(4)</a> |
driver for the Intel Cherry View GPIO controller. |
driver for the Intel Cherry View GPIO controller. |
<li>New <a href="http://man.openbsd.org/?query=maxrtc">maxrtc(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=maxrtc">maxrtc(4)</a> |
driver for the Maxim DS1307 real time clock. |
driver for the Maxim DS1307 real time clock. |
<li>New <a href="http://man.openbsd.org/?query=nvme">nvme(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=nvme">nvme(4)</a> |
driver for the Non-Volatile Memory Express (NVMe) host controller interface. |
driver for the Non-Volatile Memory Express (NVMe) host controller interface. |
<li>New <a href="http://man.openbsd.org/?query=pcfrtc">pcfrtc(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=pcfrtc">pcfrtc(4)</a> |
driver for the NXP PCF8523 real time clock. |
driver for the NXP PCF8523 real time clock. |
<li>New <a href="http://man.openbsd.org/?query=umb">umb(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=umb">umb(4)</a> |
driver for the Mobile Broadband Interface Model (MBIM). |
driver for the Mobile Broadband Interface Model (MBIM). |
<li>New <a href="http://man.openbsd.org/?query=ure">ure(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=ure">ure(4)</a> |
driver for RealTek RTL8152 based 10/100 USB Ethernet devices. |
driver for RealTek RTL8152 based 10/100 USB Ethernet devices. |
<li>New <a href="http://man.openbsd.org/?query=utvfu">utvfu(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=utvfu">utvfu(4)</a> |
driver for audio/video capture devices based on the Fushicai USBTV007. |
driver for audio/video capture devices based on the Fushicai USBTV007. |
<li>The <a href="http://man.openbsd.org/?query=iwm">iwm(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=iwm">iwm(4)</a> driver |
now supports Intel Wireless 3165 and 8260 devices, and works more |
now supports Intel Wireless 3165 and 8260 devices, and works more |
reliably in RAMDISK kernels. |
reliably in RAMDISK kernels. |
<li>Support for I2C HID devices with GPIO signalled interrupts has |
<li>Support for I2C HID devices with GPIO signalled interrupts has |
been added to <a href="http://man.openbsd.org/?query=dwiic">dwiic(4)</a>. |
been added to <a href="https://man.openbsd.org/?query=dwiic">dwiic(4)</a>. |
<li>Support for larger bus widths, high speed modes, and DMA |
<li>Support for larger bus widths, high speed modes, and DMA |
transfers has been added to |
transfers has been added to |
<a href="http://man.openbsd.org/?query=sdmmc">sdmmc(4)</a>, |
<a href="https://man.openbsd.org/?query=sdmmc">sdmmc(4)</a>, |
<a href="http://man.openbsd.org/?query=rtsx">rtsx(4)</a>, |
<a href="https://man.openbsd.org/?query=rtsx">rtsx(4)</a>, |
<a href="http://man.openbsd.org/?query=sdhc">sdhc(4)</a>, and |
<a href="https://man.openbsd.org/?query=sdhc">sdhc(4)</a>, and |
<a href="http://man.openbsd.org/?query=imxesdhc">imxesdhc(4)</a>. |
<a href="https://man.openbsd.org/?query=imxesdhc">imxesdhc(4)</a>. |
<li>Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs. |
<li>Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs. |
<li>Many USB device drivers have been enabled on OpenBSD/octeon. |
<li>Many USB device drivers have been enabled on OpenBSD/octeon. |
<li>Improved support for hardware-reduced ACPI implementations. |
<li>Improved support for hardware-reduced ACPI implementations. |
|
|
<li>AES-NI crypto is now done without holding the kernel lock. |
<li>AES-NI crypto is now done without holding the kernel lock. |
<li>Improved AGP support on PowerPC G5 machines. |
<li>Improved AGP support on PowerPC G5 machines. |
<li>Added support for the SD card slot in Intel Bay Trail SoCs. |
<li>Added support for the SD card slot in Intel Bay Trail SoCs. |
<li>The <a href="http://man.openbsd.org/?query=ichiic">ichiic(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=ichiic">ichiic(4)</a> driver |
now ignores the SMBALERT# interrupt to prevent an interrupt storm |
now ignores the SMBALERT# interrupt to prevent an interrupt storm |
with buggy BIOS implementations. |
with buggy BIOS implementations. |
<li>Device attachment problems with the |
<li>Device attachment problems with the |
<a href="http://man.openbsd.org/?query=axen">axen(4)</a> driver have |
<a href="https://man.openbsd.org/?query=axen">axen(4)</a> driver have |
been fixed. |
been fixed. |
<li>The <a href="http://man.openbsd.org/?query=ral">ral(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=ral">ral(4)</a> driver |
is more stable under load with RT2860 devices. |
is more stable under load with RT2860 devices. |
<li>Problems with dead keyboards after resume have been fixed in the |
<li>Problems with dead keyboards after resume have been fixed in the |
<a href="http://man.openbsd.org/?query=pckbd">pckbd(4)</a> driver. |
<a href="https://man.openbsd.org/?query=pckbd">pckbd(4)</a> driver. |
<li>The <a href="http://man.openbsd.org/?query=rtsx">rtsx(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=rtsx">rtsx(4)</a> driver |
now supports RTS522A devices. |
now supports RTS522A devices. |
<li>Initial support for MSI-X has been added. |
<li>Initial support for MSI-X has been added. |
<li>Support MSI-X in the |
<li>Support MSI-X in the |
<a href="http://man.openbsd.org/?query=virtio">virtio(4)</a> driver. |
<a href="https://man.openbsd.org/?query=virtio">virtio(4)</a> driver. |
<li>Added a workaround for hardware DMA overruns to the |
<li>Added a workaround for hardware DMA overruns to the |
<a href="http://man.openbsd.org/man4/dc.4">dc(4)</a> driver. |
<a href="https://man.openbsd.org/man4/dc.4">dc(4)</a> driver. |
<li>The <a href="http://man.openbsd.org/?query=acpitz">acpitz(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=acpitz">acpitz(4)</a> driver |
now spins the fan down after cooling if ACPI uses hysteresis for |
now spins the fan down after cooling if ACPI uses hysteresis for |
active cooling. |
active cooling. |
<li>The <a href="http://man.openbsd.org/?query=xhci">xhci(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=xhci">xhci(4)</a> driver |
now performs handoff from an xHCI-capable BIOS correctly. |
now performs handoff from an xHCI-capable BIOS correctly. |
<li>Support for multi-touch input has been added to the |
<li>Support for multi-touch input has been added to the |
<a href="http://man.openbsd.org/?query=wsmouse">wsmouse(4)</a> driver. |
<a href="https://man.openbsd.org/?query=wsmouse">wsmouse(4)</a> driver. |
<li>The <a href="http://man.openbsd.org/?query=uslcom">uslcom(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=uslcom">uslcom(4)</a> driver |
now supports the serial console of Aruba 7xxx wireless controllers. |
now supports the serial console of Aruba 7xxx wireless controllers. |
<li>The <a href="http://man.openbsd.org/?query=re">re(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=re">re(4)</a> driver |
now works around broken LED configurations in APU1 EEPROMs. |
now works around broken LED configurations in APU1 EEPROMs. |
<li>The <a href="http://man.openbsd.org/?query=ehci">ehci(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=ehci">ehci(4)</a> driver |
now works around problems with ATI USB controllers (e.g. SB700). |
now works around problems with ATI USB controllers (e.g. SB700). |
<li>The <a href="http://man.openbsd.org/?query=xen">xen(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=xen">xen(4)</a> driver |
now supports domU configuration under Qubes OS. |
now supports domU configuration under Qubes OS. |
</ul> |
</ul> |
<p> |
<p> |
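Review bot: the dc(4) entry in this hunk keeps the path form `man4/dc.4` after the scheme change, while every other link in the list uses `?query=name`, so the page now carries two URL styles for the same kind of reference. Since the line is rewritten anyway, suggest bringing it in line with its neighbours (or with the `name.section` form used for vlan(4) and bpf(4) further down), so that a later bulk edit of these links does not miss it.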
|
|
<ul> |
<ul> |
<li>The HT block ack receive buffer logic follows the algorithm given |
<li>The HT block ack receive buffer logic follows the algorithm given |
in the 802.11-2012 spec more closely. |
in the 802.11-2012 spec more closely. |
<li>The <a href="http://man.openbsd.org/?query=iwn">iwn(4)</a> driver now |
<li>The <a href="https://man.openbsd.org/?query=iwn">iwn(4)</a> driver now |
keeps track of HT protection changes while associated to an 11n AP. |
keeps track of HT protection changes while associated to an 11n AP. |
<li>The wireless stack and several drivers make more aggressive use |
<li>The wireless stack and several drivers make more aggressive use |
of RTS/CTS to avoid interference from legacy devices and hidden nodes. |
of RTS/CTS to avoid interference from legacy devices and hidden nodes. |
<li>The <a href="http://man.openbsd.org/?query=netstat">netstat(1)</a> -W |
<li>The <a href="https://man.openbsd.org/?query=netstat">netstat(1)</a> -W |
command now shows information about 802.11n events. |
command now shows information about 802.11n events. |
<li>In hostap mode, do not reuse association IDs of nodes which are |
<li>In hostap mode, do not reuse association IDs of nodes which are |
still cached. Fixes a problem where an access point using the |
still cached. Fixes a problem where an access point using the |
<a href="http://man.openbsd.org/?query=ral">ral(4)</a> driver |
<a href="https://man.openbsd.org/?query=ral">ral(4)</a> driver |
would get stuck at 1 Mbps because Tx rate accounting happened |
would get stuck at 1 Mbps because Tx rate accounting happened |
on the wrong node object. |
on the wrong node object. |
</ul> |
</ul> |
|
|
forwarding path. |
forwarding path. |
<li>The prio field on VLAN headers is now correctly set on each fragment |
<li>The prio field on VLAN headers is now correctly set on each fragment |
of an IPv4 packet going out on a |
of an IPv4 packet going out on a |
<a href="http://man.openbsd.org/vlan.4">vlan(4)</a> interface. |
<a href="https://man.openbsd.org/vlan.4">vlan(4)</a> interface. |
<li>Enabled device cloning for |
<li>Enabled device cloning for |
<a href="http://man.openbsd.org/bpf.4">bpf(4)</a>. |
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>. |
This allows the system to have just one bpf device node in /dev |
This allows the system to have just one bpf device node in /dev |
that services all bpf consumers (up to 1024). |
that services all bpf consumers (up to 1024). |
<li>The Tx queue of the |
<li>The Tx queue of the |
<a href="http://man.openbsd.org/?query=cnmac">cnmac(4)</a> |
<a href="https://man.openbsd.org/?query=cnmac">cnmac(4)</a> |
driver can now be processed in parallel of the rest of the kernel. |
driver can now be processed in parallel of the rest of the kernel. |
<li>Network input path is now run in thread context. |
<li>Network input path is now run in thread context. |
</ul> |
</ul> |
|
|
<ul> |
<ul> |
<li>updated list of restricted usercodes |
<li>updated list of restricted usercodes |
<li>install.sh and upgrade.sh merged into install.sub |
<li>install.sh and upgrade.sh merged into install.sub |
<li>update automatically runs <a href="http://man.openbsd.org/sysmerge">sysmerge(8)</a> |
<li>update automatically runs <a href="https://man.openbsd.org/sysmerge">sysmerge(8)</a> |
in batch mode before |
in batch mode before |
<a href="http://man.openbsd.org/fw_update">fw_update(1)</a> |
<a href="https://man.openbsd.org/fw_update">fw_update(1)</a> |
<li>questions and answers are logged in a format that can be used as a |
<li>questions and answers are logged in a format that can be used as a |
response file for use by |
response file for use by |
<a href="http://man.openbsd.org/autoinstall">autoinstall(8)</a> |
<a href="https://man.openbsd.org/autoinstall">autoinstall(8)</a> |
<li><tt>/usr/local</tt> is set to <tt>wxallowed</tt> during install |
<li><tt>/usr/local</tt> is set to <tt>wxallowed</tt> during install |
</ul> |
</ul> |
<p> |
<p> |
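Review bot: the sysmerge, fw_update and autoinstall hrefs in this hunk name no manual section (`https://man.openbsd.org/sysmerge`), although the link text gives one: sysmerge(8), fw_update(1), autoinstall(8). The next list on the page already uses the explicit form (`rc.d.8`, `rcctl.8`), so suggest `sysmerge.8`, `fw_update.1` and `autoinstall.8` here, which makes the target unambiguous and keeps the two lists consistent.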
|
|
<li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
<ul> |
<ul> |
<li>Add routing table support to |
<li>Add routing table support to |
<a href="http://man.openbsd.org/rc.d.8">rc.d(8)</a> and |
<a href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> and |
<a href="http://man.openbsd.org/rcctl.8">rcctl(8)</a>. |
<a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>. |
<li>Let <a href="http://man.openbsd.org/nc.1">nc(1)</a> |
<li>Let <a href="https://man.openbsd.org/nc.1">nc(1)</a> |
support service names in addition to port numbers. |
support service names in addition to port numbers. |
<li>Add <tt>-M</tt> and <tt>-m</tt> TTL flags to |
<li>Add <tt>-M</tt> and <tt>-m</tt> TTL flags to |
<a href="http://man.openbsd.org/nc.1">nc(1)</a>. |
<a href="https://man.openbsd.org/nc.1">nc(1)</a>. |
<li>Add <tt>AF_UNIX</tt> support to |
<li>Add <tt>AF_UNIX</tt> support to |
<a href="http://man.openbsd.org/tcpbench.1">tcpbench(1)</a>. |
<a href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>. |
<li>Fixed a regression in |
<li>Fixed a regression in |
<a href="http://man.openbsd.org/rarpd.8">rarpd(8)</a>. |
<a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a>. |
The daemon could hang if it was idle for a long time. |
The daemon could hang if it was idle for a long time. |
<li>Added the <tt>llprio</tt> option in |
<li>Added the <tt>llprio</tt> option in |
<a href="http://man.openbsd.org/ifconfig.8">ifconfig(8)</a>. |
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>. |
<li>Multiple programs that use |
<li>Multiple programs that use |
<a href="http://man.openbsd.org/bpf.4">bpf(4)</a> |
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a> |
have been modified to take advantage of |
have been modified to take advantage of |
<a href="http://man.openbsd.org/bpf.4">bpf(4)</a> |
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a> |
device cloning by opening <tt>/dev/bpf0</tt> instead of looping |
device cloning by opening <tt>/dev/bpf0</tt> instead of looping |
through <tt>/dev/bpf*</tt> devices. These programs include |
through <tt>/dev/bpf*</tt> devices. These programs include |
<a href="http://man.openbsd.org/arp.8">arp(8)</a>, |
<a href="https://man.openbsd.org/arp.8">arp(8)</a>, |
<a href="http://man.openbsd.org/dhclient.8">dhclient(8)</a>, |
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>, |
<a href="http://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, |
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, |
<a href="http://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>, |
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>, |
<a href="http://man.openbsd.org/hostapd.8">hostapd(8)</a>, |
<a href="https://man.openbsd.org/hostapd.8">hostapd(8)</a>, |
<a href="http://man.openbsd.org/mopd.8">mopd(8)</a>, |
<a href="https://man.openbsd.org/mopd.8">mopd(8)</a>, |
<a href="http://man.openbsd.org/npppd.8">npppd(8)</a>, |
<a href="https://man.openbsd.org/npppd.8">npppd(8)</a>, |
<a href="http://man.openbsd.org/rarpd.8">rarpd(8)</a>, |
<a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a>, |
<a href="http://man.openbsd.org/rbootd.8">rbootd(8)</a>, and |
<a href="https://man.openbsd.org/rbootd.8">rbootd(8)</a>, and |
<a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a>. |
<a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>. |
The <a href="http://man.openbsd.org/pcap.3">libpcap</a> library |
The <a href="https://man.openbsd.org/pcap.3">libpcap</a> library |
has also been modified accordingly. |
has also been modified accordingly. |
</ul> |
</ul> |
<p> |
<p> |
|
|
a program can only violate it if the executable is marked with |
a program can only violate it if the executable is marked with |
<tt>PT_OPENBSD_WXNEEDED</tt> and is located on a filesystem |
<tt>PT_OPENBSD_WXNEEDED</tt> and is located on a filesystem |
mounted with the <tt>wxallowed</tt> |
mounted with the <tt>wxallowed</tt> |
<a href="http://man.openbsd.org/mount.8">mount(8)</a> option. |
<a href="https://man.openbsd.org/mount.8">mount(8)</a> option. |
Because there are still too many ports which violate W^X, the |
Because there are still too many ports which violate W^X, the |
installer mounts the <tt>/usr/local</tt> filesystem with |
installer mounts the <tt>/usr/local</tt> filesystem with |
<tt>wxallowed</tt>. This allows the base system to be more |
<tt>wxallowed</tt>. This allows the base system to be more |
secure as long as <tt>/usr/local</tt> is a separate filesystem. |
secure as long as <tt>/usr/local</tt> is a separate filesystem. |
If you use no W^X violating programs, consider manually |
If you use no W^X violating programs, consider manually |
revoking that option. |
revoking that option. |
<li>The <a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a> |
<li>The <a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a> |
family of functions now apply XOR cookies to stack and return-address |
family of functions now apply XOR cookies to stack and return-address |
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc. |
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc. |
<li>SROP mitigation: <a href="http://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
<li>SROP mitigation: <a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
can now only be used by the kernel-provided signal trampoline, |
can now only be used by the kernel-provided signal trampoline, |
with a cookie to detect attempts to reuse it. |
with a cookie to detect attempts to reuse it. |
<li>To deter code reuse exploits, <a href="http://man.openbsd.org/rc.8">rc(8)</a> |
<li>To deter code reuse exploits, <a href="https://man.openbsd.org/rc.8">rc(8)</a> |
re-links libc.so on startup, placing the objects in a random order. |
re-links libc.so on startup, placing the objects in a random order. |
<li>In the <a href="http://man.openbsd.org/getpwnam.3">getpwnam(3)</a> |
<li>In the <a href="https://man.openbsd.org/getpwnam.3">getpwnam(3)</a> |
family of functions, stop opening the shadow database by default. |
family of functions, stop opening the shadow database by default. |
<li>Allow <a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a> |
<li>Allow <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> |
<tt>-r</tt> to be started without root privileges. |
<tt>-r</tt> to be started without root privileges. |
<li>Remove |
<li>Remove |
<a href="http://man.openbsd.org/OpenBSD-5.9/systrace">systrace</a>. |
<a href="https://man.openbsd.org/OpenBSD-5.9/systrace">systrace</a>. |
<li>Remove Linux emulation support. |
<li>Remove Linux emulation support. |
<li>Remove support for the usermount option. |
<li>Remove support for the usermount option. |
<li>The TCP SYN cache reseeds its random hash function from |
<li>The TCP SYN cache reseeds its random hash function from |
|
|
of the hash function with a timing attack. |
of the hash function with a timing attack. |
<li>To work against SYN flooding attacks the administrator can |
<li>To work against SYN flooding attacks the administrator can |
change the size of the hash array now. |
change the size of the hash array now. |
<a href="http://man.openbsd.org/netstat.1">netstat(1)</a> |
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a> |
<tt>-s -p tcp</tt> shows the relevant information to tune |
<tt>-s -p tcp</tt> shows the relevant information to tune |
the SYN cache with |
the SYN cache with |
<a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<tt>net.inet.tcp</tt>. |
<tt>net.inet.tcp</tt>. |
<li>The administrator can require root privileges for binding to some TCP |
<li>The administrator can require root privileges for binding to some TCP |
and UDP ports with |
and UDP ports with |
<a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<tt>net.inet.tcp.rootonly</tt> and |
<tt>net.inet.tcp.rootonly</tt> and |
<a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<tt>net.inet.udp.rootonly</tt>. |
<tt>net.inet.udp.rootonly</tt>. |
<li>Remove a function pointer from the |
<li>Remove a function pointer from the |
<a href="http://man.openbsd.org/mbuf.9">mbuf(9)</a> data structure |
<a href="https://man.openbsd.org/mbuf.9">mbuf(9)</a> data structure |
and use an index into an array of acceptable functions instead. |
and use an index into an array of acceptable functions instead. |
</ul> |
</ul> |
<p> |
<p> |
|
|
<li>Improved symbol handling and standards compliance in libc. |
<li>Improved symbol handling and standards compliance in libc. |
For example, defining an <tt>open()</tt> function will no longer |
For example, defining an <tt>open()</tt> function will no longer |
interfere with the operation of |
interfere with the operation of |
<a href="http://man.openbsd.org/fopen.3">fopen(3)</a>. |
<a href="https://man.openbsd.org/fopen.3">fopen(3)</a>. |
<li><tt>PT_TLS</tt> sections are now supported in initially loaded object. |
<li><tt>PT_TLS</tt> sections are now supported in initially loaded object. |
<li>Improved handling of "no paths" and "empty path" in |
<li>Improved handling of "no paths" and "empty path" in |
<a href="http://man.openbsd.org/fts.3">fts(3)</a>. |
<a href="https://man.openbsd.org/fts.3">fts(3)</a>. |
<li>In <a href="http://man.openbsd.org/pcap.3">pcap(3)</a>, |
<li>In <a href="https://man.openbsd.org/pcap.3">pcap(3)</a>, |
provide the functions <tt>pcap_free_datalinks()</tt> |
provide the functions <tt>pcap_free_datalinks()</tt> |
and <tt>pcap_offline_filter()</tt>. |
and <tt>pcap_offline_filter()</tt>. |
<li>Many bugfixes and structural cleanup in the |
<li>Many bugfixes and structural cleanup in the |
<a href="http://man.openbsd.org/editline">editline(3)</a> library. |
<a href="https://man.openbsd.org/editline">editline(3)</a> library. |
<li>Remove ancient |
<li>Remove ancient |
<a href="http://man.openbsd.org/OpenBSD-5.9/dbm.3">dbm(3)</a> |
<a href="https://man.openbsd.org/OpenBSD-5.9/dbm.3">dbm(3)</a> |
functions; |
functions; |
<a href="http://man.openbsd.org/ndbm.3">ndbm(3)</a> remains. |
<a href="https://man.openbsd.org/ndbm.3">ndbm(3)</a> remains. |
<li>Add <tt>setenv</tt> keyword for more powerful environment handling in |
<li>Add <tt>setenv</tt> keyword for more powerful environment handling in |
<a href="http://man.openbsd.org/doas.conf.5">doas.conf(5)</a>. |
<a href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a>. |
<li>Add <tt>-g</tt> and <tt>-p</tt> options to |
<li>Add <tt>-g</tt> and <tt>-p</tt> options to |
<a href="http://man.openbsd.org/aucat.1">aucat.1</a> |
<a href="https://man.openbsd.org/aucat.1">aucat.1</a> |
for time positioning. |
for time positioning. |
<li>Rewrite <a href="http://man.openbsd.org/audioctl.1">audioctl(1)</a> |
<li>Rewrite <a href="https://man.openbsd.org/audioctl.1">audioctl(1)</a> |
with a simpler user interface. |
with a simpler user interface. |
<li>Add <tt>-F</tt> option to |
<li>Add <tt>-F</tt> option to |
<a href="http://man.openbsd.org/install.1">install(1)</a> |
<a href="https://man.openbsd.org/install.1">install(1)</a> |
to <a href="http://man.openbsd.org/fsync.2">fsync(2)</a> |
to <a href="https://man.openbsd.org/fsync.2">fsync(2)</a> |
the file before closing it. |
the file before closing it. |
<li><a href="http://man.openbsd.org/kdump.1">kdump(1)</a> |
<li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a> |
now dumps <tt>pollfd</tt> structures. |
now dumps <tt>pollfd</tt> structures. |
<li>Improve various details of |
<li>Improve various details of |
<a href="http://man.openbsd.org/ksh.1">ksh(1)</a> POSIX compliance. |
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> POSIX compliance. |
<li><a href="http://man.openbsd.org/mknod.8">mknod(8)</a> rewritten in a |
<li><a href="https://man.openbsd.org/mknod.8">mknod(8)</a> rewritten in a |
<a href="http://man.openbsd.org/pledge.2">pledge(2)</a>-friendly |
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>-friendly |
style and to support creating multiple devices at once. |
style and to support creating multiple devices at once. |
<li>Implement <a href="http://man.openbsd.org/rcctl.8">rcctl(8)</a> |
<li>Implement <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> |
<tt>get all</tt> and <tt>getdef all</tt>. |
<tt>get all</tt> and <tt>getdef all</tt>. |
<li>Implement the <a href="http://man.openbsd.org/rcs.1">rcs(1)</a> |
<li>Implement the <a href="https://man.openbsd.org/rcs.1">rcs(1)</a> |
<tt>-I</tt> (interactive) flag. |
<tt>-I</tt> (interactive) flag. |
<li>In <a href="http://man.openbsd.org/rcs.1">rcs(1)</a>, |
<li>In <a href="https://man.openbsd.org/rcs.1">rcs(1)</a>, |
implement Mdocdate keyword substitution. |
implement Mdocdate keyword substitution. |
<li>In <a href="http://man.openbsd.org/top.1">top(1)</a>, |
<li>In <a href="https://man.openbsd.org/top.1">top(1)</a>, |
allow to filter process arguments if they are being displayed. |
allow to filter process arguments if they are being displayed. |
<li>Added UTF-8 support to |
<li>Added UTF-8 support to |
<a href="http://man.openbsd.org/fold.1">fold(1)</a> and |
<a href="https://man.openbsd.org/fold.1">fold(1)</a> and |
<a href="http://man.openbsd.org/rev.1">rev(1)</a>. |
<a href="https://man.openbsd.org/rev.1">rev(1)</a>. |
<li>Enable UTF-8 by default in |
<li>Enable UTF-8 by default in |
<a href="http://man.openbsd.org/xterm.1">xterm(1)</a> and |
<a href="https://man.openbsd.org/xterm.1">xterm(1)</a> and |
<a href="http://man.openbsd.org/pod2man.1">pod2man(1)</a>. |
<a href="https://man.openbsd.org/pod2man.1">pod2man(1)</a>. |
<li>Filter out non-ASCII characters in |
<li>Filter out non-ASCII characters in |
<a href="http://man.openbsd.org/wall.1">wall(1)</a>. |
<a href="https://man.openbsd.org/wall.1">wall(1)</a>. |
<li>Handle the <a href="http://man.openbsd.org/?apropos=1&query=Ev%3DCOLUMNS">COLUMNS</a> |
<li>Handle the <a href="https://man.openbsd.org/?apropos=1&query=Ev%3DCOLUMNS">COLUMNS</a> |
environment variable consistently across many programs. |
environment variable consistently across many programs. |
<li>The options <tt>-c</tt> and <tt>-k</tt> allow to provide |
<li>The options <tt>-c</tt> and <tt>-k</tt> allow to provide |
TLS client certificates for |
TLS client certificates for |
<a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a> |
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> |
on the sending side. |
on the sending side. |
With that the receiving side can verify log messages |
With that the receiving side can verify log messages |
are authentic. |
are authentic. |
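Review bot: the aucat entry in this hunk uses the URL tail as its link text, `<a href="https://man.openbsd.org/aucat.1">aucat.1</a>`, where every other entry renders as name(section); it should read aucat(1), and since the line is touched by this change it can be fixed in the same commit. In the same hunk the COLUMNS href contains a raw ampersand, `?apropos=1&query=Ev%3DCOLUMNS`; inside an HTML attribute that should be written as `&amp;`.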
|
|
message to show that some entries is missing. |
message to show that some entries is missing. |
<li>On OpenBSD/octeon, CPU cache write buffering is enabled |
<li>On OpenBSD/octeon, CPU cache write buffering is enabled |
to improve performance. |
to improve performance. |
<li><a href="http://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and |
<li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and |
<a href="http://man.openbsd.org/pkg_info.1">pkg_info(1)</a> now |
<a href="https://man.openbsd.org/pkg_info.1">pkg_info(1)</a> now |
understand a notion of branch to ease selection of some popular |
understand a notion of branch to ease selection of some popular |
packages such as python or php, e.g., say |
packages such as python or php, e.g., say |
<tt>pkg_add python%3.4</tt> to select the <tt>3.4</tt> branch, |
<tt>pkg_add python%3.4</tt> to select the <tt>3.4</tt> branch, |
and use <tt>pkg_info -zm</tt> to get a fuzzy listing with branch |
and use <tt>pkg_info -zm</tt> to get a fuzzy listing with branch |
selection suitable for <tt>pkg_add -l</tt>. |
selection suitable for <tt>pkg_add -l</tt>. |
<li><a href="http://man.openbsd.org/?query=fdisk">fdisk(8)</a> and |
<li><a href="https://man.openbsd.org/?query=fdisk">fdisk(8)</a> and |
<a href="http://man.openbsd.org/?query=pdisk">pdisk(8)</a> |
<a href="https://man.openbsd.org/?query=pdisk">pdisk(8)</a> |
immediately exit unless passed a character special device |
immediately exit unless passed a character special device |
<li><a href="http://man.openbsd.org/?query=st">st(4)</a> |
<li><a href="https://man.openbsd.org/?query=st">st(4)</a> |
correctly tracks the current block count for variable sized blocks |
correctly tracks the current block count for variable sized blocks |
<li><a href="http://man.openbsd.org/?query=fsck_ext2fs">fsck_ext2fs(8)</a> |
<li><a href="https://man.openbsd.org/?query=fsck_ext2fs">fsck_ext2fs(8)</a> |
works again |
works again |
<li><a href="http://man.openbsd.org/?query=softraid">softraid(4)</a> volumes |
<li><a href="https://man.openbsd.org/?query=softraid">softraid(4)</a> volumes |
can be constructed with disks that have a sector size other than 512 bytes |
can be constructed with disks that have a sector size other than 512 bytes |
<li><a href="http://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
<li><a href="https://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
DECLINE's and discards unused OFFER's. |
DECLINE's and discards unused OFFER's. |
<li><a href="http://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
<li><a href="https://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
immediately exits if its interface (e.g. a |
immediately exits if its interface (e.g. a |
<a href="http://man.openbsd.org/?query=bridge">bridge(4)</a>) |
<a href="https://man.openbsd.org/?query=bridge">bridge(4)</a>) |
returns EAFNOSUPPORT when a packet is sent. |
returns EAFNOSUPPORT when a packet is sent. |
<li><a href="http://man.openbsd.org/?query=httpd">httpd(8)</a> returns |
<li><a href="https://man.openbsd.org/?query=httpd">httpd(8)</a> returns |
400 Bad Request for HTTP v0.9 requests. |
400 Bad Request for HTTP v0.9 requests. |
<li>ffs2's lazy node initialization avoids treating random disk data as |
<li>ffs2's lazy node initialization avoids treating random disk data as |
an inode |
an inode |
<li><a href="http://man.openbsd.org/?query=fcntl">fcntl(2)</a> invocations |
<li><a href="https://man.openbsd.org/?query=fcntl">fcntl(2)</a> invocations |
in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0) |
in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0) |
<li><a href="http://man.openbsd.org/?query=socket">socket(2)</a> and |
<li><a href="https://man.openbsd.org/?query=socket">socket(2)</a> and |
<a href="http://man.openbsd.org/?query=accept4">accept4(2)</a> invocations |
<a href="https://man.openbsd.org/?query=accept4">accept4(2)</a> invocations |
in base programs use SOCK_NONBLOCK to eliminate the need for a separate |
in base programs use SOCK_NONBLOCK to eliminate the need for a separate |
<a href="http://man.openbsd.org/?query=fcntl">fcntl(2)</a>. |
<a href="https://man.openbsd.org/?query=fcntl">fcntl(2)</a>. |
<li>tmpfs not enabled by default |
<li>tmpfs not enabled by default |
<li>the in-kernel semantics of |
<li>the in-kernel semantics of |
<a href="http://man.openbsd.org/pledge">pledge(2)</a> |
<a href="https://man.openbsd.org/pledge">pledge(2)</a> |
were improved in numerous ways. |
were improved in numerous ways. |
Highlights include: |
Highlights include: |
a new <tt>chown</tt> promise that allows pledged programs to set |
a new <tt>chown</tt> promise that allows pledged programs to set |
setugid attributes, |
setugid attributes, |
a stricter enforcement of the <tt>recvfd</tt> promise and |
a stricter enforcement of the <tt>recvfd</tt> promise and |
<a href="http://man.openbsd.org/chroot.2">chroot(2)</a> is no longer |
<a href="https://man.openbsd.org/chroot.2">chroot(2)</a> is no longer |
allowed for pledged programs. |
allowed for pledged programs. |
<li>a number of |
<li>a number of |
<a href="http://man.openbsd.org/pledge">pledge(2)</a>-related bugs |
<a href="https://man.openbsd.org/pledge">pledge(2)</a>-related bugs |
(missing promises, unintended changes of behavior, crashes) were fixed, |
(missing promises, unintended changes of behavior, crashes) were fixed, |
notably in |
notably in |
<a href="http://man.openbsd.org/gzip">gzip(1)</a>, |
<a href="https://man.openbsd.org/gzip">gzip(1)</a>, |
<a href="http://man.openbsd.org/nc">nc(1)</a>, |
<a href="https://man.openbsd.org/nc">nc(1)</a>, |
<a href="http://man.openbsd.org/sed">sed(1)</a>, |
<a href="https://man.openbsd.org/sed">sed(1)</a>, |
<a href="http://man.openbsd.org/skeyinit">skeyinit(1)</a>, |
<a href="https://man.openbsd.org/skeyinit">skeyinit(1)</a>, |
<a href="http://man.openbsd.org/stty">stty(1)</a>, |
<a href="https://man.openbsd.org/stty">stty(1)</a>, |
and various disk-related utilities, such as |
and various disk-related utilities, such as |
<a href="http://man.openbsd.org/disklabel">disklabel(8)</a> and |
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a> and |
<a href="http://man.openbsd.org/fdisk">fdisk(8)</a>. |
<a href="https://man.openbsd.org/fdisk">fdisk(8)</a>. |
<li>Block size calculation errors in the |
<li>Block size calculation errors in the |
<a href="http://man.openbsd.org/?query=audio">audio(4)</a> driver |
<a href="https://man.openbsd.org/?query=audio">audio(4)</a> driver |
have been fixed. |
have been fixed. |
<li>The <a href="http://man.openbsd.org/?query=usb">usb(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=usb">usb(4)</a> driver |
now caches vendor and product IDs. Fixes an issue where |
now caches vendor and product IDs. Fixes an issue where |
<a href="http://man.openbsd.org/?query=usbdevs">usbdevs(8)</a> called |
<a href="https://man.openbsd.org/?query=usbdevs">usbdevs(8)</a> called |
in a loop would cause a USB mass storage device to halt operation. |
in a loop would cause a USB mass storage device to halt operation. |
<li>The <a href="http://man.openbsd.org/?query=rsu">rsu(4)</a> and |
<li>The <a href="https://man.openbsd.org/?query=rsu">rsu(4)</a> and |
<a href="http://man.openbsd.org/?query=ural">ural(4)</a> drivers |
<a href="https://man.openbsd.org/?query=ural">ural(4)</a> drivers |
are now working again after they were accidentally broken in 5.9. |
are now working again after they were accidentally broken in 5.9. |
</ul> |
</ul> |
<p> |
<p> |
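Review bot: the hrefs switched to https in this hunk still mix two URL shapes, and most of them do not pin the manual section that the link text names. `?query=fcntl` is labelled fcntl(2), `?query=audio` is labelled audio(4), and `/pledge`, `/gzip` and `/nc` carry no section either, while `/chroot.2` in the same list does. Since every one of these lines is being touched anyway, consider moving them to the section-qualified form already used for chroot(2), for example `https://man.openbsd.org/fcntl.2`, so that each href states the same section as its link text.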
|
|
<li>Security: |
<li>Security: |
<ul> |
<ul> |
<li>Implement the fork+exec pattern in |
<li>Implement the fork+exec pattern in |
<a href="http://man.openbsd.org/smtpd">smtpd(8)</a>. |
<a href="https://man.openbsd.org/smtpd">smtpd(8)</a>. |
<li>Fix a logic issue in the SMTP state machine that can lead to |
<li>Fix a logic issue in the SMTP state machine that can lead to |
an invalid state and result in a crash. |
an invalid state and result in a crash. |
<li>Plug a file-pointer leak that can lead to resource exhaustion |
<li>Plug a file-pointer leak that can lead to resource exhaustion |
|
|
<li>The following improvements were brought in this release: |
<li>The following improvements were brought in this release: |
<ul> |
<ul> |
<li>Add the <tt>-r</tt> option to the |
<li>Add the <tt>-r</tt> option to the |
<a href="http://man.openbsd.org/smtpd">smtpd(8)</a> |
<a href="https://man.openbsd.org/smtpd">smtpd(8)</a> |
enqueuer for compatibility with mailx. |
enqueuer for compatibility with mailx. |
<li>Add missing date or message-id when listening on the submit |
<li>Add missing date or message-id when listening on the submit |
port. |
port. |
|
|
<ul> |
<ul> |
<li>Security: |
<li>Security: |
<ul> |
<ul> |
<li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Mitigate a potential denial-of-service attack against the system's |
Mitigate a potential denial-of-service attack against the system's |
<a href="http://man.openbsd.org/crypt.3">crypt(3)</a> |
<a href="https://man.openbsd.org/crypt.3">crypt(3)</a> |
function via |
function via |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>. |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. |
An attacker could send very long passwords that would cause |
An attacker could send very long passwords that would cause |
excessive CPU use in |
excessive CPU use in |
<a href="http://man.openbsd.org/crypt.3">crypt(3)</a>. |
<a href="https://man.openbsd.org/crypt.3">crypt(3)</a>. |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a> |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> |
now refuses to accept password authentication requests of length |
now refuses to accept password authentication requests of length |
greater than 1024 characters. |
greater than 1024 characters. |
<li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Mitigate timing differences in password authentication that could be |
Mitigate timing differences in password authentication that could be |
used to discern valid from invalid account names when long passwords |
used to discern valid from invalid account names when long passwords |
were sent and particular password hashing algorithms are in use on |
were sent and particular password hashing algorithms are in use on |
the server. CVE-2016-6210. |
the server. CVE-2016-6210. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Fix observable timing weakness in the <i>CBC padding oracle |
Fix observable timing weakness in the <i>CBC padding oracle |
countermeasures</i>. Note that CBC ciphers are disabled by default |
countermeasures</i>. Note that CBC ciphers are disabled by default |
and only included for legacy compatibility. |
and only included for legacy compatibility. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Improve ordering of MAC verification for |
Improve ordering of MAC verification for |
<i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to |
<i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to |
verify the MAC before decrypting any ciphertext. This removes the |
verify the MAC before decrypting any ciphertext. This removes the |
|
|
</ul> |
</ul> |
<li>New/changed features: |
<li>New/changed features: |
<ul> |
<ul> |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Add a <tt>ProxyJump</tt> option and corresponding <tt>-J</tt> |
Add a <tt>ProxyJump</tt> option and corresponding <tt>-J</tt> |
command-line flag to allow simplified indirection through a one or |
command-line flag to allow simplified indirection through a one or |
more SSH bastions or "jump hosts". |
more SSH bastions or "jump hosts". |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Add an <tt>IdentityAgent</tt> option to allow specifying specific |
Add an <tt>IdentityAgent</tt> option to allow specifying specific |
agent sockets instead of accepting one from the environment. |
agent sockets instead of accepting one from the environment. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Allow <tt>ExitOnForwardFailure</tt> and <tt>ClearAllForwardings</tt> |
Allow <tt>ExitOnForwardFailure</tt> and <tt>ClearAllForwardings</tt> |
to be optionally overridden when using <tt>ssh -W</tt>. (bz#2577) |
to be optionally overridden when using <tt>ssh -W</tt>. (bz#2577) |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Implement support for the IUTF8 terminal mode as per |
Implement support for the IUTF8 terminal mode as per |
<i>draft-sgtatham-secsh-iutf8-00</i>. |
<i>draft-sgtatham-secsh-iutf8-00</i>. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i> |
Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i> |
and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>. |
and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>. |
<li><a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, |
<a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
support SHA256 and SHA512 RSA signatures in certificates. |
support SHA256 and SHA512 RSA signatures in certificates. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Add an <tt>Include</tt> directive for |
Add an <tt>Include</tt> directive for |
<a href="http://man.openbsd.org/ssh_config.5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> |
files. |
files. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Permit UTF-8 characters in pre-authentication banners sent from the |
Permit UTF-8 characters in pre-authentication banners sent from the |
server. (bz#2058) |
server. (bz#2058) |
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
<li>In <a href="http://man.openbsd.org/scp.1">scp(1)</a> |
<li>In <a href="https://man.openbsd.org/scp.1">scp(1)</a> |
and <a href="http://man.openbsd.org/sftp.1">sftp(1)</a>, |
and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>, |
prevent screwing up terminal settings by escaping bytes |
prevent screwing up terminal settings by escaping bytes |
not forming ASCII or UTF-8 characters. |
not forming ASCII or UTF-8 characters. |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Reduce the syslog level of some relatively common protocol events |
Reduce the syslog level of some relatively common protocol events |
from <tt>LOG_CRIT</tt>. (bz#2585) |
from <tt>LOG_CRIT</tt>. (bz#2585) |
<li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Refuse <tt>AuthenticationMethods=""</tt> in configurations and accept |
Refuse <tt>AuthenticationMethods=""</tt> in configurations and accept |
<tt>AuthenticationMethods=any</tt> for the default behaviour of not |
<tt>AuthenticationMethods=any</tt> for the default behaviour of not |
requiring multiple authentication. (bz#2398) |
requiring multiple authentication. (bz#2398) |
<li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Remove obsolete and misleading <tt>"POSSIBLE BREAK-IN ATTEMPT!"</tt> |
Remove obsolete and misleading <tt>"POSSIBLE BREAK-IN ATTEMPT!"</tt> |
message when forward and reverse DNS don't match. (bz#2585) |
message when forward and reverse DNS don't match. (bz#2585) |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Close <tt>ControlPersist</tt> background process stderr except in |
Close <tt>ControlPersist</tt> background process stderr except in |
debug mode or when logging to syslog. (bz#1988) |
debug mode or when logging to syslog. (bz#1988) |
<li>misc: Make PROTOCOL description for |
<li>misc: Make PROTOCOL description for |
<i>direct-streamlocal@openssh.com</i> channel open messages match |
<i>direct-streamlocal@openssh.com</i> channel open messages match |
deployed code. (bz#2529) |
deployed code. (bz#2529) |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Deduplicate <tt>LocalForward</tt> and <tt>RemoteForward</tt> entries |
Deduplicate <tt>LocalForward</tt> and <tt>RemoteForward</tt> entries |
to fix failures when both <tt>ExitOnForwardFailure</tt> and |
to fix failures when both <tt>ExitOnForwardFailure</tt> and |
<tt>hostname</tt> canonicalisation are enabled. (bz#2562) |
<tt>hostname</tt> canonicalisation are enabled. (bz#2562) |
<li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Remove fallback from moduli to obsolete "primes" file that was |
Remove fallback from moduli to obsolete "primes" file that was |
deprecated in 2001. (bz#2559) |
deprecated in 2001. (bz#2559) |
<li><a href="http://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: |
<li><a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: |
Correct description of <tt>UseDNS</tt>: it affects ssh hostname |
Correct description of <tt>UseDNS</tt>: it affects ssh hostname |
processing for <tt>authorized_keys</tt>, not <tt>known_hosts</tt>. |
processing for <tt>authorized_keys</tt>, not <tt>known_hosts</tt>. |
(bz#2554) |
(bz#2554) |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
Fix authentication using lone certificate keys in an agent without |
Fix authentication using lone certificate keys in an agent without |
corresponding private keys on the filesystem. (bz#2550) |
corresponding private keys on the filesystem. (bz#2550) |
<li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
Send <tt>ClientAliveInterval</tt> pings when a time-based |
Send <tt>ClientAliveInterval</tt> pings when a time-based |
<tt>RekeyLimit</tt> is set; previously keepalive packets were not |
<tt>RekeyLimit</tt> is set; previously keepalive packets were not |
being sent. (bz#2252) |
being sent. (bz#2252) |
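Review bot: the ProxyJump entry in the unchanged context under "New/changed features" reads "through a one or more SSH bastions"; the stray "a" could be dropped in the same commit, since the adjacent ssh(1) link line is already being edited. The href changes themselves are consistent in this hunk: every ssh(1), sshd(8), ssh-keygen(1), ssh_config(5) and sshd_config(5) target keeps its section suffix.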
|
|
of NTP peers, avoid constant reconnections when there is a bad NTP |
of NTP peers, avoid constant reconnections when there is a bad NTP |
peer. |
peer. |
<li>Removed disabled |
<li>Removed disabled |
<a href="http://man.openbsd.org/hotplug.4">hotplug(4)</a> |
<a href="https://man.openbsd.org/hotplug.4">hotplug(4)</a> |
sensor support. |
sensor support. |
<li>Added support for detecting crashes in constraint subprocesses. |
<li>Added support for detecting crashes in constraint subprocesses. |
<li>Moved the execution of constraints from the ntp process to the |
<li>Moved the execution of constraints from the ntp process to the |
|
|
<li>Set <tt>MOD_MAXERROR</tt> to avoid unsynced time status when using |
<li>Set <tt>MOD_MAXERROR</tt> to avoid unsynced time status when using |
ntp_adjtime. |
ntp_adjtime. |
<li>Fixed HTTP Timestamp header parsing to use |
<li>Fixed HTTP Timestamp header parsing to use |
<a href="http://man.openbsd.org/strptime.3">strptime(3)</a> |
<a href="https://man.openbsd.org/strptime.3">strptime(3)</a> |
in a more portable fashion. |
in a more portable fashion. |
<li>Hardened TLS for |
<li>Hardened TLS for |
<a href="http://man.openbsd.org/ntpd.8">ntpd(8)</a> |
<a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a> |
constraints, enabling server name verification. |
constraints, enabling server name verification. |
</ul> |
</ul> |
<p> |
<p> |
|
|
elements over 16k in size. |
elements over 16k in size. |
<li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites. |
<li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites. |
<li>Fixed password prompts from |
<li>Fixed password prompts from |
<a href="http://man.openbsd.org/openssl.1">openssl(1)</a> |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
to properly handle ^C. |
to properly handle ^C. |
</ul> |
</ul> |
<li>Code improvements: |
<li>Code improvements: |
|
|
<li>Fixed an <i>nginx</i> compatibility issue by adding an |
<li>Fixed an <i>nginx</i> compatibility issue by adding an |
'<tt>install_sw</tt>' build target. |
'<tt>install_sw</tt>' build target. |
<li>Changed default |
<li>Changed default |
<a href="http://man.openbsd.org/EVP_AEAD_CTX_init.3">EVP_aead_chacha20_poly1305(3)</a> |
<a href="https://man.openbsd.org/EVP_AEAD_CTX_init.3">EVP_aead_chacha20_poly1305(3)</a> |
implementation to the IETF version, which is now the default. |
implementation to the IETF version, which is now the default. |
<li>Reworked error handling in <tt>libtls</tt> so that configuration |
<li>Reworked error handling in <tt>libtls</tt> so that configuration |
errors are more visible. |
errors are more visible. |
<li>Added missing error handling around |
<li>Added missing error handling around |
<a href="http://man.openbsd.org/bn_wexpand.3">bn_wexpand(3)</a> |
<a href="https://man.openbsd.org/bn_wexpand.3">bn_wexpand(3)</a> |
calls. |
calls. |
<li>Added |
<li>Added |
<a href="http://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a> |
<a href="https://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a> |
calls for freed ASN.1 objects. |
calls for freed ASN.1 objects. |
<li>Fixed <tt>X509_*set_object</tt> functions to return 0 on allocation |
<li>Fixed <tt>X509_*set_object</tt> functions to return 0 on allocation |
failure. |
failure. |
<li>Deprecated internal use of |
<li>Deprecated internal use of |
<a href="http://man.openbsd.org/EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>. |
<a href="https://man.openbsd.org/EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>. |
<li>Fixed a problem that prevents the DSA signing algorithm from running |
<li>Fixed a problem that prevents the DSA signing algorithm from running |
in constant time even if the flag <tt>BN_FLG_CONSTTIME</tt> is set. |
in constant time even if the flag <tt>BN_FLG_CONSTTIME</tt> is set. |
<li>Fixed several issues in the OCSP code that could result in the |
<li>Fixed several issues in the OCSP code that could result in the |
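Review bot: the EVP_[Cipher|Encrypt|Decrypt]_Final link now points at `https://man.openbsd.org/EVP_EncryptInit` with no section suffix, unlike the `.3` targets on the neighbouring lines (`EVP_AEAD_CTX_init.3`, `bn_wexpand.3`, `explicit_bzero.3`); suggest `EVP_EncryptInit.3` for consistency. The entry above it also reads "Changed default ... implementation to the IETF version, which is now the default", which states the default twice and could lose the trailing clause.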
|
|
|
|
<p> |
<p> |
Quick installer information for people familiar with OpenBSD, and the use of |
Quick installer information for people familiar with OpenBSD, and the use of |
the "<a href="http://man.openbsd.org/disklabel.8">disklabel</a> -E" command. |
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command. |
If you are at all confused when installing OpenBSD, read the relevant |
If you are at all confused when installing OpenBSD, read the relevant |
INSTALL.* file as listed above! |
INSTALL.* file as listed above! |
|
|