| version 1.73, 2016/10/16 19:11:29 |
version 1.74, 2017/06/26 17:18:57 |
|
|
| <li>See a <a href="plus60.html">detailed log of changes</a> between the |
<li>See a <a href="plus60.html">detailed log of changes</a> between the |
| 5.9 and 6.0 releases. |
5.9 and 6.0 releases. |
| <p> |
<p> |
| <li><a href="http://man.openbsd.org/signify.1">signify(1)</a> |
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a> |
| pubkeys for this release:<br> |
pubkeys for this release:<br> |
| <pre> |
<pre> |
| base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8 |
base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8 |
|
|
| |
|
| <li>Improved hardware support, including: |
<li>Improved hardware support, including: |
| <ul> |
<ul> |
| <li>New <a href="http://man.openbsd.org/?query=bytgpio">bytgpio(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=bytgpio">bytgpio(4)</a> |
| driver for the Intel Bay Trail GPIO controller. |
driver for the Intel Bay Trail GPIO controller. |
| <li>New <a href="http://man.openbsd.org/?query=chvgpio">chvgpio(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=chvgpio">chvgpio(4)</a> |
| driver for the Intel Cherry View GPIO controller. |
driver for the Intel Cherry View GPIO controller. |
| <li>New <a href="http://man.openbsd.org/?query=maxrtc">maxrtc(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=maxrtc">maxrtc(4)</a> |
| driver for the Maxim DS1307 real time clock. |
driver for the Maxim DS1307 real time clock. |
| <li>New <a href="http://man.openbsd.org/?query=nvme">nvme(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=nvme">nvme(4)</a> |
| driver for the Non-Volatile Memory Express (NVMe) host controller interface. |
driver for the Non-Volatile Memory Express (NVMe) host controller interface. |
| <li>New <a href="http://man.openbsd.org/?query=pcfrtc">pcfrtc(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=pcfrtc">pcfrtc(4)</a> |
| driver for the NXP PCF8523 real time clock. |
driver for the NXP PCF8523 real time clock. |
| <li>New <a href="http://man.openbsd.org/?query=umb">umb(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=umb">umb(4)</a> |
| driver for the Mobile Broadband Interface Model (MBIM). |
driver for the Mobile Broadband Interface Model (MBIM). |
| <li>New <a href="http://man.openbsd.org/?query=ure">ure(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=ure">ure(4)</a> |
| driver for RealTek RTL8152 based 10/100 USB Ethernet devices. |
driver for RealTek RTL8152 based 10/100 USB Ethernet devices. |
| <li>New <a href="http://man.openbsd.org/?query=utvfu">utvfu(4)</a> |
<li>New <a href="https://man.openbsd.org/?query=utvfu">utvfu(4)</a> |
| driver for audio/video capture devices based on the Fushicai USBTV007. |
driver for audio/video capture devices based on the Fushicai USBTV007. |
| <li>The <a href="http://man.openbsd.org/?query=iwm">iwm(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=iwm">iwm(4)</a> driver |
| now supports Intel Wireless 3165 and 8260 devices, and works more |
now supports Intel Wireless 3165 and 8260 devices, and works more |
| reliably in RAMDISK kernels. |
reliably in RAMDISK kernels. |
| <li>Support for I2C HID devices with GPIO signalled interrupts has |
<li>Support for I2C HID devices with GPIO signalled interrupts has |
| been added to <a href="http://man.openbsd.org/?query=dwiic">dwiic(4)</a>. |
been added to <a href="https://man.openbsd.org/?query=dwiic">dwiic(4)</a>. |
| <li>Support for larger bus widths, high speed modes, and DMA |
<li>Support for larger bus widths, high speed modes, and DMA |
| transfers has been added to |
transfers has been added to |
| <a href="http://man.openbsd.org/?query=sdmmc">sdmmc(4)</a>, |
<a href="https://man.openbsd.org/?query=sdmmc">sdmmc(4)</a>, |
| <a href="http://man.openbsd.org/?query=rtsx">rtsx(4)</a>, |
<a href="https://man.openbsd.org/?query=rtsx">rtsx(4)</a>, |
| <a href="http://man.openbsd.org/?query=sdhc">sdhc(4)</a>, and |
<a href="https://man.openbsd.org/?query=sdhc">sdhc(4)</a>, and |
| <a href="http://man.openbsd.org/?query=imxesdhc">imxesdhc(4)</a>. |
<a href="https://man.openbsd.org/?query=imxesdhc">imxesdhc(4)</a>. |
| <li>Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs. |
<li>Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs. |
| <li>Many USB device drivers have been enabled on OpenBSD/octeon. |
<li>Many USB device drivers have been enabled on OpenBSD/octeon. |
| <li>Improved support for hardware-reduced ACPI implementations. |
<li>Improved support for hardware-reduced ACPI implementations. |
|
|
| <li>AES-NI crypto is now done without holding the kernel lock. |
<li>AES-NI crypto is now done without holding the kernel lock. |
| <li>Improved AGP support on PowerPC G5 machines. |
<li>Improved AGP support on PowerPC G5 machines. |
| <li>Added support for the SD card slot in Intel Bay Trail SoCs. |
<li>Added support for the SD card slot in Intel Bay Trail SoCs. |
| <li>The <a href="http://man.openbsd.org/?query=ichiic">ichiic(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=ichiic">ichiic(4)</a> driver |
| now ignores the SMBALERT# interrupt to prevent an interrupt storm |
now ignores the SMBALERT# interrupt to prevent an interrupt storm |
| with buggy BIOS implementations. |
with buggy BIOS implementations. |
| <li>Device attachment problems with the |
<li>Device attachment problems with the |
| <a href="http://man.openbsd.org/?query=axen">axen(4)</a> driver have |
<a href="https://man.openbsd.org/?query=axen">axen(4)</a> driver have |
| been fixed. |
been fixed. |
| <li>The <a href="http://man.openbsd.org/?query=ral">ral(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=ral">ral(4)</a> driver |
| is more stable under load with RT2860 devices. |
is more stable under load with RT2860 devices. |
| <li>Problems with dead keyboards after resume have been fixed in the |
<li>Problems with dead keyboards after resume have been fixed in the |
| <a href="http://man.openbsd.org/?query=pckbd">pckbd(4)</a> driver. |
<a href="https://man.openbsd.org/?query=pckbd">pckbd(4)</a> driver. |
| <li>The <a href="http://man.openbsd.org/?query=rtsx">rtsx(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=rtsx">rtsx(4)</a> driver |
| now supports RTS522A devices. |
now supports RTS522A devices. |
| <li>Initial support for MSI-X has been added. |
<li>Initial support for MSI-X has been added. |
| <li>Support MSI-X in the |
<li>Support MSI-X in the |
| <a href="http://man.openbsd.org/?query=virtio">virtio(4)</a> driver. |
<a href="https://man.openbsd.org/?query=virtio">virtio(4)</a> driver. |
| <li>Added a workaround for hardware DMA overruns to the |
<li>Added a workaround for hardware DMA overruns to the |
| <a href="http://man.openbsd.org/man4/dc.4">dc(4)</a> driver. |
<a href="https://man.openbsd.org/man4/dc.4">dc(4)</a> driver. |
| <li>The <a href="http://man.openbsd.org/?query=acpitz">acpitz(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=acpitz">acpitz(4)</a> driver |
| now spins the fan down after cooling if ACPI uses hysteresis for |
now spins the fan down after cooling if ACPI uses hysteresis for |
| active cooling. |
active cooling. |
| <li>The <a href="http://man.openbsd.org/?query=xhci">xhci(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=xhci">xhci(4)</a> driver |
| now performs handoff from an xHCI-capable BIOS correctly. |
now performs handoff from an xHCI-capable BIOS correctly. |
| <li>Support for multi-touch input has been added to the |
<li>Support for multi-touch input has been added to the |
| <a href="http://man.openbsd.org/?query=wsmouse">wsmouse(4)</a> driver. |
<a href="https://man.openbsd.org/?query=wsmouse">wsmouse(4)</a> driver. |
| <li>The <a href="http://man.openbsd.org/?query=uslcom">uslcom(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=uslcom">uslcom(4)</a> driver |
| now supports the serial console of Aruba 7xxx wireless controllers. |
now supports the serial console of Aruba 7xxx wireless controllers. |
| <li>The <a href="http://man.openbsd.org/?query=re">re(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=re">re(4)</a> driver |
| now works around broken LED configurations in APU1 EEPROMs. |
now works around broken LED configurations in APU1 EEPROMs. |
| <li>The <a href="http://man.openbsd.org/?query=ehci">ehci(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=ehci">ehci(4)</a> driver |
| now works around problems with ATI USB controllers (e.g. SB700). |
now works around problems with ATI USB controllers (e.g. SB700). |
| <li>The <a href="http://man.openbsd.org/?query=xen">xen(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=xen">xen(4)</a> driver |
| now supports domU configuration under Qubes OS. |
now supports domU configuration under Qubes OS. |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| <ul> |
<ul> |
| <li>The HT block ack receive buffer logic follows the algorithm given |
<li>The HT block ack receive buffer logic follows the algorithm given |
| in the 802.11-2012 spec more closely. |
in the 802.11-2012 spec more closely. |
| <li>The <a href="http://man.openbsd.org/?query=iwn">iwn(4)</a> driver now |
<li>The <a href="https://man.openbsd.org/?query=iwn">iwn(4)</a> driver now |
| keeps track of HT protection changes while associated to an 11n AP. |
keeps track of HT protection changes while associated to an 11n AP. |
| <li>The wireless stack and several drivers make more aggressive use |
<li>The wireless stack and several drivers make more aggressive use |
| of RTS/CTS to avoid interference from legacy devices and hidden nodes. |
of RTS/CTS to avoid interference from legacy devices and hidden nodes. |
| <li>The <a href="http://man.openbsd.org/?query=netstat">netstat(1)</a> -W |
<li>The <a href="https://man.openbsd.org/?query=netstat">netstat(1)</a> -W |
| command now shows information about 802.11n events. |
command now shows information about 802.11n events. |
| <li>In hostap mode, do not reuse association IDs of nodes which are |
<li>In hostap mode, do not reuse association IDs of nodes which are |
| still cached. Fixes a problem where an access point using the |
still cached. Fixes a problem where an access point using the |
| <a href="http://man.openbsd.org/?query=ral">ral(4)</a> driver |
<a href="https://man.openbsd.org/?query=ral">ral(4)</a> driver |
| would get stuck at 1 Mbps because Tx rate accounting happened |
would get stuck at 1 Mbps because Tx rate accounting happened |
| on the wrong node object. |
on the wrong node object. |
| </ul> |
</ul> |
|
|
| forwarding path. |
forwarding path. |
| <li>The prio field on VLAN headers is now correctly set on each fragment |
<li>The prio field on VLAN headers is now correctly set on each fragment |
| of an IPv4 packet going out on a |
of an IPv4 packet going out on a |
| <a href="http://man.openbsd.org/vlan.4">vlan(4)</a> interface. |
<a href="https://man.openbsd.org/vlan.4">vlan(4)</a> interface. |
| <li>Enabled device cloning for |
<li>Enabled device cloning for |
| <a href="http://man.openbsd.org/bpf.4">bpf(4)</a>. |
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>. |
| This allows the system to have just one bpf device node in /dev |
This allows the system to have just one bpf device node in /dev |
| that services all bpf consumers (up to 1024). |
that services all bpf consumers (up to 1024). |
| <li>The Tx queue of the |
<li>The Tx queue of the |
| <a href="http://man.openbsd.org/?query=cnmac">cnmac(4)</a> |
<a href="https://man.openbsd.org/?query=cnmac">cnmac(4)</a> |
| driver can now be processed in parallel of the rest of the kernel. |
driver can now be processed in parallel of the rest of the kernel. |
| <li>Network input path is now run in thread context. |
<li>Network input path is now run in thread context. |
| </ul> |
</ul> |
|
|
| <ul> |
<ul> |
| <li>updated list of restricted usercodes |
<li>updated list of restricted usercodes |
| <li>install.sh and upgrade.sh merged into install.sub |
<li>install.sh and upgrade.sh merged into install.sub |
| <li>update automatically runs <a href="http://man.openbsd.org/sysmerge">sysmerge(8)</a> |
<li>update automatically runs <a href="https://man.openbsd.org/sysmerge">sysmerge(8)</a> |
| in batch mode before |
in batch mode before |
| <a href="http://man.openbsd.org/fw_update">fw_update(1)</a> |
<a href="https://man.openbsd.org/fw_update">fw_update(1)</a> |
| <li>questions and answers are logged in a format that can be used as a |
<li>questions and answers are logged in a format that can be used as a |
| response file for use by |
response file for use by |
| <a href="http://man.openbsd.org/autoinstall">autoinstall(8)</a> |
<a href="https://man.openbsd.org/autoinstall">autoinstall(8)</a> |
| <li><tt>/usr/local</tt> is set to <tt>wxallowed</tt> during install |
<li><tt>/usr/local</tt> is set to <tt>wxallowed</tt> during install |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| <li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
| <ul> |
<ul> |
| <li>Add routing table support to |
<li>Add routing table support to |
| <a href="http://man.openbsd.org/rc.d.8">rc.d(8)</a> and |
<a href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> and |
| <a href="http://man.openbsd.org/rcctl.8">rcctl(8)</a>. |
<a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>. |
| <li>Let <a href="http://man.openbsd.org/nc.1">nc(1)</a> |
<li>Let <a href="https://man.openbsd.org/nc.1">nc(1)</a> |
| support service names in addition to port numbers. |
support service names in addition to port numbers. |
| <li>Add <tt>-M</tt> and <tt>-m</tt> TTL flags to |
<li>Add <tt>-M</tt> and <tt>-m</tt> TTL flags to |
| <a href="http://man.openbsd.org/nc.1">nc(1)</a>. |
<a href="https://man.openbsd.org/nc.1">nc(1)</a>. |
| <li>Add <tt>AF_UNIX</tt> support to |
<li>Add <tt>AF_UNIX</tt> support to |
| <a href="http://man.openbsd.org/tcpbench.1">tcpbench(1)</a>. |
<a href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>. |
| <li>Fixed a regression in |
<li>Fixed a regression in |
| <a href="http://man.openbsd.org/rarpd.8">rarpd(8)</a>. |
<a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a>. |
| The daemon could hang if it was idle for a long time. |
The daemon could hang if it was idle for a long time. |
| <li>Added the <tt>llprio</tt> option in |
<li>Added the <tt>llprio</tt> option in |
| <a href="http://man.openbsd.org/ifconfig.8">ifconfig(8)</a>. |
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>. |
| <li>Multiple programs that use |
<li>Multiple programs that use |
| <a href="http://man.openbsd.org/bpf.4">bpf(4)</a> |
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a> |
| have been modified to take advantage of |
have been modified to take advantage of |
| <a href="http://man.openbsd.org/bpf.4">bpf(4)</a> |
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a> |
| device cloning by opening <tt>/dev/bpf0</tt> instead of looping |
device cloning by opening <tt>/dev/bpf0</tt> instead of looping |
| through <tt>/dev/bpf*</tt> devices. These programs include |
through <tt>/dev/bpf*</tt> devices. These programs include |
| <a href="http://man.openbsd.org/arp.8">arp(8)</a>, |
<a href="https://man.openbsd.org/arp.8">arp(8)</a>, |
| <a href="http://man.openbsd.org/dhclient.8">dhclient(8)</a>, |
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>, |
| <a href="http://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, |
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, |
| <a href="http://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>, |
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>, |
| <a href="http://man.openbsd.org/hostapd.8">hostapd(8)</a>, |
<a href="https://man.openbsd.org/hostapd.8">hostapd(8)</a>, |
| <a href="http://man.openbsd.org/mopd.8">mopd(8)</a>, |
<a href="https://man.openbsd.org/mopd.8">mopd(8)</a>, |
| <a href="http://man.openbsd.org/npppd.8">npppd(8)</a>, |
<a href="https://man.openbsd.org/npppd.8">npppd(8)</a>, |
| <a href="http://man.openbsd.org/rarpd.8">rarpd(8)</a>, |
<a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a>, |
| <a href="http://man.openbsd.org/rbootd.8">rbootd(8)</a>, and |
<a href="https://man.openbsd.org/rbootd.8">rbootd(8)</a>, and |
| <a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a>. |
<a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>. |
| The <a href="http://man.openbsd.org/pcap.3">libpcap</a> library |
The <a href="https://man.openbsd.org/pcap.3">libpcap</a> library |
| has also been modified accordingly. |
has also been modified accordingly. |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| a program can only violate it if the executable is marked with |
a program can only violate it if the executable is marked with |
| <tt>PT_OPENBSD_WXNEEDED</tt> and is located on a filesystem |
<tt>PT_OPENBSD_WXNEEDED</tt> and is located on a filesystem |
| mounted with the <tt>wxallowed</tt> |
mounted with the <tt>wxallowed</tt> |
| <a href="http://man.openbsd.org/mount.8">mount(8)</a> option. |
<a href="https://man.openbsd.org/mount.8">mount(8)</a> option. |
| Because there are still too many ports which violate W^X, the |
Because there are still too many ports which violate W^X, the |
| installer mounts the <tt>/usr/local</tt> filesystem with |
installer mounts the <tt>/usr/local</tt> filesystem with |
| <tt>wxallowed</tt>. This allows the base system to be more |
<tt>wxallowed</tt>. This allows the base system to be more |
| secure as long as <tt>/usr/local</tt> is a separate filesystem. |
secure as long as <tt>/usr/local</tt> is a separate filesystem. |
| If you use no W^X violating programs, consider manually |
If you use no W^X violating programs, consider manually |
| revoking that option. |
revoking that option. |
| <li>The <a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a> |
<li>The <a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a> |
| family of functions now apply XOR cookies to stack and return-address |
family of functions now apply XOR cookies to stack and return-address |
| values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc. |
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc. |
| <li>SROP mitigation: <a href="http://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
<li>SROP mitigation: <a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
| can now only be used by the kernel-provided signal trampoline, |
can now only be used by the kernel-provided signal trampoline, |
| with a cookie to detect attempts to reuse it. |
with a cookie to detect attempts to reuse it. |
| <li>To deter code reuse exploits, <a href="http://man.openbsd.org/rc.8">rc(8)</a> |
<li>To deter code reuse exploits, <a href="https://man.openbsd.org/rc.8">rc(8)</a> |
| re-links libc.so on startup, placing the objects in a random order. |
re-links libc.so on startup, placing the objects in a random order. |
| <li>In the <a href="http://man.openbsd.org/getpwnam.3">getpwnam(3)</a> |
<li>In the <a href="https://man.openbsd.org/getpwnam.3">getpwnam(3)</a> |
| family of functions, stop opening the shadow database by default. |
family of functions, stop opening the shadow database by default. |
| <li>Allow <a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a> |
<li>Allow <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> |
| <tt>-r</tt> to be started without root privileges. |
<tt>-r</tt> to be started without root privileges. |
| <li>Remove |
<li>Remove |
| <a href="http://man.openbsd.org/OpenBSD-5.9/systrace">systrace</a>. |
<a href="https://man.openbsd.org/OpenBSD-5.9/systrace">systrace</a>. |
| <li>Remove Linux emulation support. |
<li>Remove Linux emulation support. |
| <li>Remove support for the usermount option. |
<li>Remove support for the usermount option. |
| <li>The TCP SYN cache reseeds its random hash function from |
<li>The TCP SYN cache reseeds its random hash function from |
|
|
| of the hash function with a timing attack. |
of the hash function with a timing attack. |
| <li>To work against SYN flooding attacks the administrator can |
<li>To work against SYN flooding attacks the administrator can |
| change the size of the hash array now. |
change the size of the hash array now. |
| <a href="http://man.openbsd.org/netstat.1">netstat(1)</a> |
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a> |
| <tt>-s -p tcp</tt> shows the relevant information to tune |
<tt>-s -p tcp</tt> shows the relevant information to tune |
| the SYN cache with |
the SYN cache with |
| <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> |
| <tt>net.inet.tcp</tt>. |
<tt>net.inet.tcp</tt>. |
| <li>The administrator can require root privileges for binding to some TCP |
<li>The administrator can require root privileges for binding to some TCP |
| and UDP ports with |
and UDP ports with |
| <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> |
| <tt>net.inet.tcp.rootonly</tt> and |
<tt>net.inet.tcp.rootonly</tt> and |
| <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a> |
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> |
| <tt>net.inet.udp.rootonly</tt>. |
<tt>net.inet.udp.rootonly</tt>. |
| <li>Remove a function pointer from the |
<li>Remove a function pointer from the |
| <a href="http://man.openbsd.org/mbuf.9">mbuf(9)</a> data structure |
<a href="https://man.openbsd.org/mbuf.9">mbuf(9)</a> data structure |
| and use an index into an array of acceptable functions instead. |
and use an index into an array of acceptable functions instead. |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| <li>Improved symbol handling and standards compliance in libc. |
<li>Improved symbol handling and standards compliance in libc. |
| For example, defining an <tt>open()</tt> function will no longer |
For example, defining an <tt>open()</tt> function will no longer |
| interfere with the operation of |
interfere with the operation of |
| <a href="http://man.openbsd.org/fopen.3">fopen(3)</a>. |
<a href="https://man.openbsd.org/fopen.3">fopen(3)</a>. |
| <li><tt>PT_TLS</tt> sections are now supported in initially loaded object. |
<li><tt>PT_TLS</tt> sections are now supported in initially loaded object. |
| <li>Improved handling of "no paths" and "empty path" in |
<li>Improved handling of "no paths" and "empty path" in |
| <a href="http://man.openbsd.org/fts.3">fts(3)</a>. |
<a href="https://man.openbsd.org/fts.3">fts(3)</a>. |
| <li>In <a href="http://man.openbsd.org/pcap.3">pcap(3)</a>, |
<li>In <a href="https://man.openbsd.org/pcap.3">pcap(3)</a>, |
| provide the functions <tt>pcap_free_datalinks()</tt> |
provide the functions <tt>pcap_free_datalinks()</tt> |
| and <tt>pcap_offline_filter()</tt>. |
and <tt>pcap_offline_filter()</tt>. |
| <li>Many bugfixes and structural cleanup in the |
<li>Many bugfixes and structural cleanup in the |
| <a href="http://man.openbsd.org/editline">editline(3)</a> library. |
<a href="https://man.openbsd.org/editline">editline(3)</a> library. |
| <li>Remove ancient |
<li>Remove ancient |
| <a href="http://man.openbsd.org/OpenBSD-5.9/dbm.3">dbm(3)</a> |
<a href="https://man.openbsd.org/OpenBSD-5.9/dbm.3">dbm(3)</a> |
| functions; |
functions; |
| <a href="http://man.openbsd.org/ndbm.3">ndbm(3)</a> remains. |
<a href="https://man.openbsd.org/ndbm.3">ndbm(3)</a> remains. |
| <li>Add <tt>setenv</tt> keyword for more powerful environment handling in |
<li>Add <tt>setenv</tt> keyword for more powerful environment handling in |
| <a href="http://man.openbsd.org/doas.conf.5">doas.conf(5)</a>. |
<a href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a>. |
| <li>Add <tt>-g</tt> and <tt>-p</tt> options to |
<li>Add <tt>-g</tt> and <tt>-p</tt> options to |
| <a href="http://man.openbsd.org/aucat.1">aucat.1</a> |
<a href="https://man.openbsd.org/aucat.1">aucat.1</a> |
| for time positioning. |
for time positioning. |
| <li>Rewrite <a href="http://man.openbsd.org/audioctl.1">audioctl(1)</a> |
<li>Rewrite <a href="https://man.openbsd.org/audioctl.1">audioctl(1)</a> |
| with a simpler user interface. |
with a simpler user interface. |
| <li>Add <tt>-F</tt> option to |
<li>Add <tt>-F</tt> option to |
| <a href="http://man.openbsd.org/install.1">install(1)</a> |
<a href="https://man.openbsd.org/install.1">install(1)</a> |
| to <a href="http://man.openbsd.org/fsync.2">fsync(2)</a> |
to <a href="https://man.openbsd.org/fsync.2">fsync(2)</a> |
| the file before closing it. |
the file before closing it. |
| <li><a href="http://man.openbsd.org/kdump.1">kdump(1)</a> |
<li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a> |
| now dumps <tt>pollfd</tt> structures. |
now dumps <tt>pollfd</tt> structures. |
| <li>Improve various details of |
<li>Improve various details of |
| <a href="http://man.openbsd.org/ksh.1">ksh(1)</a> POSIX compliance. |
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> POSIX compliance. |
| <li><a href="http://man.openbsd.org/mknod.8">mknod(8)</a> rewritten in a |
<li><a href="https://man.openbsd.org/mknod.8">mknod(8)</a> rewritten in a |
| <a href="http://man.openbsd.org/pledge.2">pledge(2)</a>-friendly |
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>-friendly |
| style and to support creating multiple devices at once. |
style and to support creating multiple devices at once. |
| <li>Implement <a href="http://man.openbsd.org/rcctl.8">rcctl(8)</a> |
<li>Implement <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> |
| <tt>get all</tt> and <tt>getdef all</tt>. |
<tt>get all</tt> and <tt>getdef all</tt>. |
| <li>Implement the <a href="http://man.openbsd.org/rcs.1">rcs(1)</a> |
<li>Implement the <a href="https://man.openbsd.org/rcs.1">rcs(1)</a> |
| <tt>-I</tt> (interactive) flag. |
<tt>-I</tt> (interactive) flag. |
| <li>In <a href="http://man.openbsd.org/rcs.1">rcs(1)</a>, |
<li>In <a href="https://man.openbsd.org/rcs.1">rcs(1)</a>, |
| implement Mdocdate keyword substitution. |
implement Mdocdate keyword substitution. |
| <li>In <a href="http://man.openbsd.org/top.1">top(1)</a>, |
<li>In <a href="https://man.openbsd.org/top.1">top(1)</a>, |
| allow to filter process arguments if they are being displayed. |
allow to filter process arguments if they are being displayed. |
| <li>Added UTF-8 support to |
<li>Added UTF-8 support to |
| <a href="http://man.openbsd.org/fold.1">fold(1)</a> and |
<a href="https://man.openbsd.org/fold.1">fold(1)</a> and |
| <a href="http://man.openbsd.org/rev.1">rev(1)</a>. |
<a href="https://man.openbsd.org/rev.1">rev(1)</a>. |
| <li>Enable UTF-8 by default in |
<li>Enable UTF-8 by default in |
| <a href="http://man.openbsd.org/xterm.1">xterm(1)</a> and |
<a href="https://man.openbsd.org/xterm.1">xterm(1)</a> and |
| <a href="http://man.openbsd.org/pod2man.1">pod2man(1)</a>. |
<a href="https://man.openbsd.org/pod2man.1">pod2man(1)</a>. |
| <li>Filter out non-ASCII characters in |
<li>Filter out non-ASCII characters in |
| <a href="http://man.openbsd.org/wall.1">wall(1)</a>. |
<a href="https://man.openbsd.org/wall.1">wall(1)</a>. |
| <li>Handle the <a href="http://man.openbsd.org/?apropos=1&query=Ev%3DCOLUMNS">COLUMNS</a> |
<li>Handle the <a href="https://man.openbsd.org/?apropos=1&query=Ev%3DCOLUMNS">COLUMNS</a> |
| environment variable consistently across many programs. |
environment variable consistently across many programs. |
| <li>The options <tt>-c</tt> and <tt>-k</tt> allow to provide |
<li>The options <tt>-c</tt> and <tt>-k</tt> allow to provide |
| TLS client certificates for |
TLS client certificates for |
| <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a> |
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> |
| on the sending side. |
on the sending side. |
| With that the receiving side can verify log messages |
With that the receiving side can verify log messages |
| are authentic. |
are authentic. |
|
|
| message to show that some entries is missing. |
message to show that some entries is missing. |
| <li>On OpenBSD/octeon, CPU cache write buffering is enabled |
<li>On OpenBSD/octeon, CPU cache write buffering is enabled |
| to improve performance. |
to improve performance. |
| <li><a href="http://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and |
<li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and |
| <a href="http://man.openbsd.org/pkg_info.1">pkg_info(1)</a> now |
<a href="https://man.openbsd.org/pkg_info.1">pkg_info(1)</a> now |
| understand a notion of branch to ease selection of some popular |
understand a notion of branch to ease selection of some popular |
| packages such as python or php, e.g., say |
packages such as python or php, e.g., say |
| <tt>pkg_add python%3.4</tt> to select the <tt>3.4</tt> branch, |
<tt>pkg_add python%3.4</tt> to select the <tt>3.4</tt> branch, |
| and use <tt>pkg_info -zm</tt> to get a fuzzy listing with branch |
and use <tt>pkg_info -zm</tt> to get a fuzzy listing with branch |
| selection suitable for <tt>pkg_add -l</tt>. |
selection suitable for <tt>pkg_add -l</tt>. |
| <li><a href="http://man.openbsd.org/?query=fdisk">fdisk(8)</a> and |
<li><a href="https://man.openbsd.org/?query=fdisk">fdisk(8)</a> and |
| <a href="http://man.openbsd.org/?query=pdisk">pdisk(8)</a> |
<a href="https://man.openbsd.org/?query=pdisk">pdisk(8)</a> |
| immediately exit unless passed a character special device |
immediately exit unless passed a character special device |
| <li><a href="http://man.openbsd.org/?query=st">st(4)</a> |
<li><a href="https://man.openbsd.org/?query=st">st(4)</a> |
| correctly tracks the current block count for variable sized blocks |
correctly tracks the current block count for variable sized blocks |
| <li><a href="http://man.openbsd.org/?query=fsck_ext2fs">fsck_ext2fs(8)</a> |
<li><a href="https://man.openbsd.org/?query=fsck_ext2fs">fsck_ext2fs(8)</a> |
| works again |
works again |
| <li><a href="http://man.openbsd.org/?query=softraid">softraid(4)</a> volumes |
<li><a href="https://man.openbsd.org/?query=softraid">softraid(4)</a> volumes |
| can be constructed with disks that have a sector size other than 512 bytes |
can be constructed with disks that have a sector size other than 512 bytes |
| <li><a href="http://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
<li><a href="https://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
| DECLINE's and discards unused OFFER's. |
DECLINE's and discards unused OFFER's. |
| <li><a href="http://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
<li><a href="https://man.openbsd.org/?query=dhclient">dhclient(8)</a> |
| immediately exits if its interface (e.g. a |
immediately exits if its interface (e.g. a |
| <a href="http://man.openbsd.org/?query=bridge">bridge(4)</a>) |
<a href="https://man.openbsd.org/?query=bridge">bridge(4)</a>) |
| returns EAFNOSUPPORT when a packet is sent. |
returns EAFNOSUPPORT when a packet is sent. |
| <li><a href="http://man.openbsd.org/?query=httpd">httpd(8)</a> returns |
<li><a href="https://man.openbsd.org/?query=httpd">httpd(8)</a> returns |
| 400 Bad Request for HTTP v0.9 requests. |
400 Bad Request for HTTP v0.9 requests. |
| <li>ffs2's lazy node initialization avoids treating random disk data as |
<li>ffs2's lazy node initialization avoids treating random disk data as |
| an inode |
an inode |
| <li><a href="http://man.openbsd.org/?query=fcntl">fcntl(2)</a> invocations |
<li><a href="https://man.openbsd.org/?query=fcntl">fcntl(2)</a> invocations |
| in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0) |
in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0) |
| <li><a href="http://man.openbsd.org/?query=socket">socket(2)</a> and |
<li><a href="https://man.openbsd.org/?query=socket">socket(2)</a> and |
| <a href="http://man.openbsd.org/?query=accept4">accept4(2)</a> invocations |
<a href="https://man.openbsd.org/?query=accept4">accept4(2)</a> invocations |
| in base programs use SOCK_NONBLOCK to eliminate the need for a separate |
in base programs use SOCK_NONBLOCK to eliminate the need for a separate |
| <a href="http://man.openbsd.org/?query=fcntl">fcntl(2)</a>. |
<a href="https://man.openbsd.org/?query=fcntl">fcntl(2)</a>. |
| <li>tmpfs not enabled by default |
<li>tmpfs not enabled by default |
| <li>the in-kernel semantics of |
<li>the in-kernel semantics of |
| <a href="http://man.openbsd.org/pledge">pledge(2)</a> |
<a href="https://man.openbsd.org/pledge">pledge(2)</a> |
| were improved in numerous ways. |
were improved in numerous ways. |
| Highlights include: |
Highlights include: |
| a new <tt>chown</tt> promise that allows pledged programs to set |
a new <tt>chown</tt> promise that allows pledged programs to set |
| setugid attributes, |
setugid attributes, |
| a stricter enforcement of the <tt>recvfd</tt> promise and |
a stricter enforcement of the <tt>recvfd</tt> promise and |
| <a href="http://man.openbsd.org/chroot.2">chroot(2)</a> is no longer |
<a href="https://man.openbsd.org/chroot.2">chroot(2)</a> is no longer |
| allowed for pledged programs. |
allowed for pledged programs. |
| <li>a number of |
<li>a number of |
| <a href="http://man.openbsd.org/pledge">pledge(2)</a>-related bugs |
<a href="https://man.openbsd.org/pledge">pledge(2)</a>-related bugs |
| (missing promises, unintended changes of behavior, crashes) were fixed, |
(missing promises, unintended changes of behavior, crashes) were fixed, |
| notably in |
notably in |
| <a href="http://man.openbsd.org/gzip">gzip(1)</a>, |
<a href="https://man.openbsd.org/gzip">gzip(1)</a>, |
| <a href="http://man.openbsd.org/nc">nc(1)</a>, |
<a href="https://man.openbsd.org/nc">nc(1)</a>, |
| <a href="http://man.openbsd.org/sed">sed(1)</a>, |
<a href="https://man.openbsd.org/sed">sed(1)</a>, |
| <a href="http://man.openbsd.org/skeyinit">skeyinit(1)</a>, |
<a href="https://man.openbsd.org/skeyinit">skeyinit(1)</a>, |
| <a href="http://man.openbsd.org/stty">stty(1)</a>, |
<a href="https://man.openbsd.org/stty">stty(1)</a>, |
| and various disk-related utilities, such as |
and various disk-related utilities, such as |
| <a href="http://man.openbsd.org/disklabel">disklabel(8)</a> and |
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a> and |
| <a href="http://man.openbsd.org/fdisk">fdisk(8)</a>. |
<a href="https://man.openbsd.org/fdisk">fdisk(8)</a>. |
| <li>Block size calculation errors in the |
<li>Block size calculation errors in the |
| <a href="http://man.openbsd.org/?query=audio">audio(4)</a> driver |
<a href="https://man.openbsd.org/?query=audio">audio(4)</a> driver |
| have been fixed. |
have been fixed. |
| <li>The <a href="http://man.openbsd.org/?query=usb">usb(4)</a> driver |
<li>The <a href="https://man.openbsd.org/?query=usb">usb(4)</a> driver |
| now caches vendor and product IDs. Fixes an issue where |
now caches vendor and product IDs. Fixes an issue where |
| <a href="http://man.openbsd.org/?query=usbdevs">usbdevs(8)</a> called |
<a href="https://man.openbsd.org/?query=usbdevs">usbdevs(8)</a> called |
| in a loop would cause a USB mass storage device to halt operation. |
in a loop would cause a USB mass storage device to halt operation. |
| <li>The <a href="http://man.openbsd.org/?query=rsu">rsu(4)</a> and |
<li>The <a href="https://man.openbsd.org/?query=rsu">rsu(4)</a> and |
| <a href="http://man.openbsd.org/?query=ural">ural(4)</a> drivers |
<a href="https://man.openbsd.org/?query=ural">ural(4)</a> drivers |
| are now working again after they were accidentally broken in 5.9. |
are now working again after they were accidentally broken in 5.9. |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| <li>Security: |
<li>Security: |
| <ul> |
<ul> |
| <li>Implement the fork+exec pattern in |
<li>Implement the fork+exec pattern in |
| <a href="http://man.openbsd.org/smtpd">smtpd(8)</a>. |
<a href="https://man.openbsd.org/smtpd">smtpd(8)</a>. |
| <li>Fix a logic issue in the SMTP state machine that can lead to |
<li>Fix a logic issue in the SMTP state machine that can lead to |
| an invalid state and result in a crash. |
an invalid state and result in a crash. |
| <li>Plug a file-pointer leak that can lead to resource exhaustion |
<li>Plug a file-pointer leak that can lead to resource exhaustion |
|
|
| <li>The following improvements were brought in this release: |
<li>The following improvements were brought in this release: |
| <ul> |
<ul> |
| <li>Add the <tt>-r</tt> option to the |
<li>Add the <tt>-r</tt> option to the |
| <a href="http://man.openbsd.org/smtpd">smtpd(8)</a> |
<a href="https://man.openbsd.org/smtpd">smtpd(8)</a> |
| enqueuer for compatibility with mailx. |
enqueuer for compatibility with mailx. |
| <li>Add missing date or message-id when listening on the submit |
<li>Add missing date or message-id when listening on the submit |
| port. |
port. |
|
|
| <ul> |
<ul> |
| <li>Security: |
<li>Security: |
| <ul> |
<ul> |
| <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Mitigate a potential denial-of-service attack against the system's |
Mitigate a potential denial-of-service attack against the system's |
| <a href="http://man.openbsd.org/crypt.3">crypt(3)</a> |
<a href="https://man.openbsd.org/crypt.3">crypt(3)</a> |
| function via |
function via |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>. |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. |
| An attacker could send very long passwords that would cause |
An attacker could send very long passwords that would cause |
| excessive CPU use in |
excessive CPU use in |
| <a href="http://man.openbsd.org/crypt.3">crypt(3)</a>. |
<a href="https://man.openbsd.org/crypt.3">crypt(3)</a>. |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a> |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> |
| now refuses to accept password authentication requests of length |
now refuses to accept password authentication requests of length |
| greater than 1024 characters. |
greater than 1024 characters. |
| <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Mitigate timing differences in password authentication that could be |
Mitigate timing differences in password authentication that could be |
| used to discern valid from invalid account names when long passwords |
used to discern valid from invalid account names when long passwords |
| were sent and particular password hashing algorithms are in use on |
were sent and particular password hashing algorithms are in use on |
| the server. CVE-2016-6210. |
the server. CVE-2016-6210. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Fix observable timing weakness in the <i>CBC padding oracle |
Fix observable timing weakness in the <i>CBC padding oracle |
| countermeasures</i>. Note that CBC ciphers are disabled by default |
countermeasures</i>. Note that CBC ciphers are disabled by default |
| and only included for legacy compatibility. |
and only included for legacy compatibility. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Improve ordering of MAC verification for |
Improve ordering of MAC verification for |
| <i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to |
<i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to |
| verify the MAC before decrypting any ciphertext. This removes the |
verify the MAC before decrypting any ciphertext. This removes the |
|
|
| </ul> |
</ul> |
| <li>New/changed features: |
<li>New/changed features: |
| <ul> |
<ul> |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Add a <tt>ProxyJump</tt> option and corresponding <tt>-J</tt> |
Add a <tt>ProxyJump</tt> option and corresponding <tt>-J</tt> |
| command-line flag to allow simplified indirection through a one or |
command-line flag to allow simplified indirection through a one or |
| more SSH bastions or "jump hosts". |
more SSH bastions or "jump hosts". |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Add an <tt>IdentityAgent</tt> option to allow specifying specific |
Add an <tt>IdentityAgent</tt> option to allow specifying specific |
| agent sockets instead of accepting one from the environment. |
agent sockets instead of accepting one from the environment. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Allow <tt>ExitOnForwardFailure</tt> and <tt>ClearAllForwardings</tt> |
Allow <tt>ExitOnForwardFailure</tt> and <tt>ClearAllForwardings</tt> |
| to be optionally overridden when using <tt>ssh -W</tt>. (bz#2577) |
to be optionally overridden when using <tt>ssh -W</tt>. (bz#2577) |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Implement support for the IUTF8 terminal mode as per |
Implement support for the IUTF8 terminal mode as per |
| <i>draft-sgtatham-secsh-iutf8-00</i>. |
<i>draft-sgtatham-secsh-iutf8-00</i>. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i> |
Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i> |
| and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>. |
and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>. |
| <li><a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, |
| <a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| support SHA256 and SHA512 RSA signatures in certificates. |
support SHA256 and SHA512 RSA signatures in certificates. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Add an <tt>Include</tt> directive for |
Add an <tt>Include</tt> directive for |
| <a href="http://man.openbsd.org/ssh_config.5">ssh_config(5)</a> |
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> |
| files. |
files. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Permit UTF-8 characters in pre-authentication banners sent from the |
Permit UTF-8 characters in pre-authentication banners sent from the |
| server. (bz#2058) |
server. (bz#2058) |
| </ul> |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li>In <a href="http://man.openbsd.org/scp.1">scp(1)</a> |
<li>In <a href="https://man.openbsd.org/scp.1">scp(1)</a> |
| and <a href="http://man.openbsd.org/sftp.1">sftp(1)</a>, |
and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>, |
| prevent screwing up terminal settings by escaping bytes |
prevent screwing up terminal settings by escaping bytes |
| not forming ASCII or UTF-8 characters. |
not forming ASCII or UTF-8 characters. |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Reduce the syslog level of some relatively common protocol events |
Reduce the syslog level of some relatively common protocol events |
| from <tt>LOG_CRIT</tt>. (bz#2585) |
from <tt>LOG_CRIT</tt>. (bz#2585) |
| <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Refuse <tt>AuthenticationMethods=""</tt> in configurations and accept |
Refuse <tt>AuthenticationMethods=""</tt> in configurations and accept |
| <tt>AuthenticationMethods=any</tt> for the default behaviour of not |
<tt>AuthenticationMethods=any</tt> for the default behaviour of not |
| requiring multiple authentication. (bz#2398) |
requiring multiple authentication. (bz#2398) |
| <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Remove obsolete and misleading <tt>"POSSIBLE BREAK-IN ATTEMPT!"</tt> |
Remove obsolete and misleading <tt>"POSSIBLE BREAK-IN ATTEMPT!"</tt> |
| message when forward and reverse DNS don't match. (bz#2585) |
message when forward and reverse DNS don't match. (bz#2585) |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Close <tt>ControlPersist</tt> background process stderr except in |
Close <tt>ControlPersist</tt> background process stderr except in |
| debug mode or when logging to syslog. (bz#1988) |
debug mode or when logging to syslog. (bz#1988) |
| <li>misc: Make PROTOCOL description for |
<li>misc: Make PROTOCOL description for |
| <i>direct-streamlocal@openssh.com</i> channel open messages match |
<i>direct-streamlocal@openssh.com</i> channel open messages match |
| deployed code. (bz#2529) |
deployed code. (bz#2529) |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Deduplicate <tt>LocalForward</tt> and <tt>RemoteForward</tt> entries |
Deduplicate <tt>LocalForward</tt> and <tt>RemoteForward</tt> entries |
| to fix failures when both <tt>ExitOnForwardFailure</tt> and |
to fix failures when both <tt>ExitOnForwardFailure</tt> and |
| <tt>hostname</tt> canonicalisation are enabled. (bz#2562) |
<tt>hostname</tt> canonicalisation are enabled. (bz#2562) |
| <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Remove fallback from moduli to obsolete "primes" file that was |
Remove fallback from moduli to obsolete "primes" file that was |
| deprecated in 2001. (bz#2559) |
deprecated in 2001. (bz#2559) |
| <li><a href="http://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: |
<li><a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: |
| Correct description of <tt>UseDNS</tt>: it affects ssh hostname |
Correct description of <tt>UseDNS</tt>: it affects ssh hostname |
| processing for <tt>authorized_keys</tt>, not <tt>known_hosts</tt>. |
processing for <tt>authorized_keys</tt>, not <tt>known_hosts</tt>. |
| (bz#2554) |
(bz#2554) |
| <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| Fix authentication using lone certificate keys in an agent without |
Fix authentication using lone certificate keys in an agent without |
| corresponding private keys on the filesystem. (bz#2550) |
corresponding private keys on the filesystem. (bz#2550) |
| <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| Send <tt>ClientAliveInterval</tt> pings when a time-based |
Send <tt>ClientAliveInterval</tt> pings when a time-based |
| <tt>RekeyLimit</tt> is set; previously keepalive packets were not |
<tt>RekeyLimit</tt> is set; previously keepalive packets were not |
| being sent. (bz#2252) |
being sent. (bz#2252) |
|
|
| of NTP peers, avoid constant reconnections when there is a bad NTP |
of NTP peers, avoid constant reconnections when there is a bad NTP |
| peer. |
peer. |
| <li>Removed disabled |
<li>Removed disabled |
| <a href="http://man.openbsd.org/hotplug.4">hotplug(4)</a> |
<a href="https://man.openbsd.org/hotplug.4">hotplug(4)</a> |
| sensor support. |
sensor support. |
| <li>Added support for detecting crashes in constraint subprocesses. |
<li>Added support for detecting crashes in constraint subprocesses. |
| <li>Moved the execution of constraints from the ntp process to the |
<li>Moved the execution of constraints from the ntp process to the |
|
|
| <li>Set <tt>MOD_MAXERROR</tt> to avoid unsynced time status when using |
<li>Set <tt>MOD_MAXERROR</tt> to avoid unsynced time status when using |
| ntp_adjtime. |
ntp_adjtime. |
| <li>Fixed HTTP Timestamp header parsing to use |
<li>Fixed HTTP Timestamp header parsing to use |
| <a href="http://man.openbsd.org/strptime.3">strptime(3)</a> |
<a href="https://man.openbsd.org/strptime.3">strptime(3)</a> |
| in a more portable fashion. |
in a more portable fashion. |
| <li>Hardened TLS for |
<li>Hardened TLS for |
| <a href="http://man.openbsd.org/ntpd.8">ntpd(8)</a> |
<a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a> |
| constraints, enabling server name verification. |
constraints, enabling server name verification. |
| </ul> |
</ul> |
| <p> |
<p> |
|
|
| elements over 16k in size. |
elements over 16k in size. |
| <li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites. |
<li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites. |
| <li>Fixed password prompts from |
<li>Fixed password prompts from |
| <a href="http://man.openbsd.org/openssl.1">openssl(1)</a> |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
| to properly handle ^C. |
to properly handle ^C. |
| </ul> |
</ul> |
| <li>Code improvements: |
<li>Code improvements: |
|
|
| <li>Fixed an <i>nginx</i> compatibility issue by adding an |
<li>Fixed an <i>nginx</i> compatibility issue by adding an |
| '<tt>install_sw</tt>' build target. |
'<tt>install_sw</tt>' build target. |
| <li>Changed default |
<li>Changed default |
| <a href="http://man.openbsd.org/EVP_AEAD_CTX_init.3">EVP_aead_chacha20_poly1305(3)</a> |
<a href="https://man.openbsd.org/EVP_AEAD_CTX_init.3">EVP_aead_chacha20_poly1305(3)</a> |
| implementation to the IETF version, which is now the default. |
implementation to the IETF version, which is now the default. |
| <li>Reworked error handling in <tt>libtls</tt> so that configuration |
<li>Reworked error handling in <tt>libtls</tt> so that configuration |
| errors are more visible. |
errors are more visible. |
| <li>Added missing error handling around |
<li>Added missing error handling around |
| <a href="http://man.openbsd.org/bn_wexpand.3">bn_wexpand(3)</a> |
<a href="https://man.openbsd.org/bn_wexpand.3">bn_wexpand(3)</a> |
| calls. |
calls. |
| <li>Added |
<li>Added |
| <a href="http://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a> |
<a href="https://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a> |
| calls for freed ASN.1 objects. |
calls for freed ASN.1 objects. |
| <li>Fixed <tt>X509_*set_object</tt> functions to return 0 on allocation |
<li>Fixed <tt>X509_*set_object</tt> functions to return 0 on allocation |
| failure. |
failure. |
| <li>Deprecated internal use of |
<li>Deprecated internal use of |
| <a href="http://man.openbsd.org/EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>. |
<a href="https://man.openbsd.org/EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>. |
| <li>Fixed a problem that prevents the DSA signing algorithm from running |
<li>Fixed a problem that prevents the DSA signing algorithm from running |
| in constant time even if the flag <tt>BN_FLG_CONSTTIME</tt> is set. |
in constant time even if the flag <tt>BN_FLG_CONSTTIME</tt> is set. |
| <li>Fixed several issues in the OCSP code that could result in the |
<li>Fixed several issues in the OCSP code that could result in the |
|
|
| |
|
| <p> |
<p> |
| Quick installer information for people familiar with OpenBSD, and the use of |
Quick installer information for people familiar with OpenBSD, and the use of |
| the "<a href="http://man.openbsd.org/disklabel.8">disklabel</a> -E" command. |
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command. |
| If you are at all confused when installing OpenBSD, read the relevant |
If you are at all confused when installing OpenBSD, read the relevant |
| INSTALL.* file as listed above! |
INSTALL.* file as listed above! |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to 60.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www