===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/60.html,v
retrieving revision 1.73
retrieving revision 1.74
diff -c -r1.73 -r1.74
*** www/60.html 2016/10/16 19:11:29 1.73
--- www/60.html 2017/06/26 17:18:57 1.74
***************
*** 46,52 ****
See a detailed log of changes between the
5.9 and 6.0 releases.
!
signify(1)
pubkeys for this release:
base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
--- 46,52 ----
See a detailed log of changes between the
5.9 and 6.0 releases.
!
signify(1)
pubkeys for this release:
base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
***************
*** 90,122 ****
Improved hardware support, including:
! - New bytgpio(4)
driver for the Intel Bay Trail GPIO controller.
!
- New chvgpio(4)
driver for the Intel Cherry View GPIO controller.
!
- New maxrtc(4)
driver for the Maxim DS1307 real time clock.
!
- New nvme(4)
driver for the Non-Volatile Memory Express (NVMe) host controller interface.
!
- New pcfrtc(4)
driver for the NXP PCF8523 real time clock.
!
- New umb(4)
driver for the Mobile Broadband Interface Model (MBIM).
!
- New ure(4)
driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
!
- New utvfu(4)
driver for audio/video capture devices based on the Fushicai USBTV007.
!
- The iwm(4) driver
now supports Intel Wireless 3165 and 8260 devices, and works more
reliably in RAMDISK kernels.
- Support for I2C HID devices with GPIO signalled interrupts has
! been added to dwiic(4).
- Support for larger bus widths, high speed modes, and DMA
transfers has been added to
! sdmmc(4),
! rtsx(4),
! sdhc(4), and
! imxesdhc(4).
- Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
- Many USB device drivers have been enabled on OpenBSD/octeon.
- Improved support for hardware-reduced ACPI implementations.
--- 90,122 ----
- Improved hardware support, including:
! - New bytgpio(4)
driver for the Intel Bay Trail GPIO controller.
!
- New chvgpio(4)
driver for the Intel Cherry View GPIO controller.
!
- New maxrtc(4)
driver for the Maxim DS1307 real time clock.
!
- New nvme(4)
driver for the Non-Volatile Memory Express (NVMe) host controller interface.
!
- New pcfrtc(4)
driver for the NXP PCF8523 real time clock.
!
- New umb(4)
driver for the Mobile Broadband Interface Model (MBIM).
!
- New ure(4)
driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
!
- New utvfu(4)
driver for audio/video capture devices based on the Fushicai USBTV007.
!
- The iwm(4) driver
now supports Intel Wireless 3165 and 8260 devices, and works more
reliably in RAMDISK kernels.
- Support for I2C HID devices with GPIO signalled interrupts has
! been added to dwiic(4).
- Support for larger bus widths, high speed modes, and DMA
transfers has been added to
! sdmmc(4),
! rtsx(4),
! sdhc(4), and
! imxesdhc(4).
- Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
- Many USB device drivers have been enabled on OpenBSD/octeon.
- Improved support for hardware-reduced ACPI implementations.
***************
*** 124,160 ****
- AES-NI crypto is now done without holding the kernel lock.
- Improved AGP support on PowerPC G5 machines.
- Added support for the SD card slot in Intel Bay Trail SoCs.
!
- The ichiic(4) driver
now ignores the SMBALERT# interrupt to prevent an interrupt storm
with buggy BIOS implementations.
- Device attachment problems with the
! axen(4) driver have
been fixed.
!
- The ral(4) driver
is more stable under load with RT2860 devices.
- Problems with dead keyboards after resume have been fixed in the
! pckbd(4) driver.
!
- The rtsx(4) driver
now supports RTS522A devices.
- Initial support for MSI-X has been added.
- Support MSI-X in the
! virtio(4) driver.
- Added a workaround for hardware DMA overruns to the
! dc(4) driver.
!
- The acpitz(4) driver
now spins the fan down after cooling if ACPI uses hysteresis for
active cooling.
!
- The xhci(4) driver
now performs handoff from an xHCI-capable BIOS correctly.
- Support for multi-touch input has been added to the
! wsmouse(4) driver.
!
- The uslcom(4) driver
now supports the serial console of Aruba 7xxx wireless controllers.
!
- The re(4) driver
now works around broken LED configurations in APU1 EEPROMs.
!
- The ehci(4) driver
now works around problems with ATI USB controllers (e.g. SB700).
!
- The xen(4) driver
now supports domU configuration under Qubes OS.
--- 124,160 ----
- AES-NI crypto is now done without holding the kernel lock.
- Improved AGP support on PowerPC G5 machines.
- Added support for the SD card slot in Intel Bay Trail SoCs.
!
- The ichiic(4) driver
now ignores the SMBALERT# interrupt to prevent an interrupt storm
with buggy BIOS implementations.
- Device attachment problems with the
! axen(4) driver have
been fixed.
!
- The ral(4) driver
is more stable under load with RT2860 devices.
- Problems with dead keyboards after resume have been fixed in the
! pckbd(4) driver.
!
- The rtsx(4) driver
now supports RTS522A devices.
- Initial support for MSI-X has been added.
- Support MSI-X in the
! virtio(4) driver.
- Added a workaround for hardware DMA overruns to the
! dc(4) driver.
!
- The acpitz(4) driver
now spins the fan down after cooling if ACPI uses hysteresis for
active cooling.
!
- The xhci(4) driver
now performs handoff from an xHCI-capable BIOS correctly.
- Support for multi-touch input has been added to the
! wsmouse(4) driver.
!
- The uslcom(4) driver
now supports the serial console of Aruba 7xxx wireless controllers.
!
- The re(4) driver
now works around broken LED configurations in APU1 EEPROMs.
!
- The ehci(4) driver
now works around problems with ATI USB controllers (e.g. SB700).
!
- The xen(4) driver
now supports domU configuration under Qubes OS.
***************
*** 163,177 ****
- The HT block ack receive buffer logic follows the algorithm given
in the 802.11-2012 spec more closely.
!
- The iwn(4) driver now
keeps track of HT protection changes while associated to an 11n AP.
- The wireless stack and several drivers make more aggressive use
of RTS/CTS to avoid interference from legacy devices and hidden nodes.
!
- The netstat(1) -W
command now shows information about 802.11n events.
- In hostap mode, do not reuse association IDs of nodes which are
still cached. Fixes a problem where an access point using the
! ral(4) driver
would get stuck at 1 Mbps because Tx rate accounting happened
on the wrong node object.
--- 163,177 ----
- The HT block ack receive buffer logic follows the algorithm given
in the 802.11-2012 spec more closely.
!
- The iwn(4) driver now
keeps track of HT protection changes while associated to an 11n AP.
- The wireless stack and several drivers make more aggressive use
of RTS/CTS to avoid interference from legacy devices and hidden nodes.
!
- The netstat(1) -W
command now shows information about 802.11n events.
- In hostap mode, do not reuse association IDs of nodes which are
still cached. Fixes a problem where an access point using the
! ral(4) driver
would get stuck at 1 Mbps because Tx rate accounting happened
on the wrong node object.
***************
*** 186,198 ****
forwarding path.
The prio field on VLAN headers is now correctly set on each fragment
of an IPv4 packet going out on a
! vlan(4) interface.
Enabled device cloning for
! bpf(4).
This allows the system to have just one bpf device node in /dev
that services all bpf consumers (up to 1024).
The Tx queue of the
! cnmac(4)
driver can now be processed in parallel of the rest of the kernel.
Network input path is now run in thread context.
--- 186,198 ----
forwarding path.
The prio field on VLAN headers is now correctly set on each fragment
of an IPv4 packet going out on a
! vlan(4) interface.
Enabled device cloning for
! bpf(4).
This allows the system to have just one bpf device node in /dev
that services all bpf consumers (up to 1024).
The Tx queue of the
! cnmac(4)
driver can now be processed in parallel of the rest of the kernel.
Network input path is now run in thread context.
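Review bot: the cnmac(4) entry reads "can now be processed in parallel of the rest of the kernel"; the idiom is "in parallel with". The closing context line "Network input path is now run in thread context" would also read better with an article ("The network input path").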
***************
*** 202,213 ****
- updated list of restricted usercodes
- install.sh and upgrade.sh merged into install.sub
!
- update automatically runs sysmerge(8)
in batch mode before
! fw_update(1)
- questions and answers are logged in a format that can be used as a
response file for use by
! autoinstall(8)
- /usr/local is set to wxallowed during install
--- 202,213 ----
- updated list of restricted usercodes
- install.sh and upgrade.sh merged into install.sub
!
- update automatically runs sysmerge(8)
in batch mode before
! fw_update(1)
- questions and answers are logged in a format that can be used as a
response file for use by
! autoinstall(8)
- /usr/local is set to wxallowed during install
***************
*** 215,250 ****
Routing daemons and other userland network improvements:
--- 215,250 ----
Routing daemons and other userland network improvements:
***************
*** 255,281 ****
a program can only violate it if the executable is marked with
PT_OPENBSD_WXNEEDED and is located on a filesystem
mounted with the wxallowed
! mount(8) option.
Because there are still too many ports which violate W^X, the
installer mounts the /usr/local filesystem with
wxallowed. This allows the base system to be more
secure as long as /usr/local is a separate filesystem.
If you use no W^X violating programs, consider manually
revoking that option.
!
The setjmp(3)
family of functions now apply XOR cookies to stack and return-address
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
! SROP mitigation: sigreturn(2)
can now only be used by the kernel-provided signal trampoline,
with a cookie to detect attempts to reuse it.
! To deter code reuse exploits, rc(8)
re-links libc.so on startup, placing the objects in a random order.
! In the getpwnam(3)
family of functions, stop opening the shadow database by default.
! Allow tcpdump(8)
-r to be started without root privileges.
Remove
! systrace.
Remove Linux emulation support.
Remove support for the usermount option.
The TCP SYN cache reseeds its random hash function from
--- 255,281 ----
a program can only violate it if the executable is marked with
PT_OPENBSD_WXNEEDED and is located on a filesystem
mounted with the wxallowed
! mount(8) option.
Because there are still too many ports which violate W^X, the
installer mounts the /usr/local filesystem with
wxallowed. This allows the base system to be more
secure as long as /usr/local is a separate filesystem.
If you use no W^X violating programs, consider manually
revoking that option.
! The setjmp(3)
family of functions now apply XOR cookies to stack and return-address
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
! SROP mitigation: sigreturn(2)
can now only be used by the kernel-provided signal trampoline,
with a cookie to detect attempts to reuse it.
! To deter code reuse exploits, rc(8)
re-links libc.so on startup, placing the objects in a random order.
! In the getpwnam(3)
family of functions, stop opening the shadow database by default.
! Allow tcpdump(8)
-r to be started without root privileges.
Remove
! systrace.
Remove Linux emulation support.
Remove support for the usermount option.
The TCP SYN cache reseeds its random hash function from
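Review bot: the changed line "systrace." is the only reference in this hunk given without a manual section, while the other changed lines use the name(section) form (mount(8), sigreturn(2), tcpdump(8)). systrace had both a systrace(1) utility and a systrace(4) device, so say which one the "Remove" entry covers, or name both. Separately, "The setjmp(3) family of functions now apply" should be "now applies", since the subject is "family".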
***************
*** 284,302 ****
of the hash function with a timing attack.
To work against SYN flooding attacks the administrator can
change the size of the hash array now.
! netstat(1)
-s -p tcp shows the relevant information to tune
the SYN cache with
! sysctl(8)
net.inet.tcp.
The administrator can require root privileges for binding to some TCP
and UDP ports with
! sysctl(8)
net.inet.tcp.rootonly and
! sysctl(8)
net.inet.udp.rootonly.
Remove a function pointer from the
! mbuf(9) data structure
and use an index into an array of acceptable functions instead.
--- 284,302 ----
of the hash function with a timing attack.
To work against SYN flooding attacks the administrator can
change the size of the hash array now.
! netstat(1)
-s -p tcp shows the relevant information to tune
the SYN cache with
! sysctl(8)
net.inet.tcp.
The administrator can require root privileges for binding to some TCP
and UDP ports with
! sysctl(8)
net.inet.tcp.rootonly and
! sysctl(8)
net.inet.udp.rootonly.
Remove a function pointer from the
! mbuf(9) data structure
and use an index into an array of acceptable functions instead.
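Review bot: in the SYN cache entry, "sysctl(8) net.inet.tcp." stops at the subtree name with a trailing dot, so the reader is not told which variables tune the cache. The next entry names net.inet.tcp.rootonly and net.inet.udp.rootonly in full. Either list the specific SYN cache variables or reword to "the net.inet.tcp subtree". The preceding sentence "the administrator can change the size of the hash array now" reads better as "can now change the size of the hash array".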
***************
*** 307,364 ****
Improved symbol handling and standards compliance in libc.
For example, defining an open() function will no longer
interfere with the operation of
! fopen(3).
PT_TLS sections are now supported in initially loaded object.
Improved handling of "no paths" and "empty path" in
! fts(3).
! In pcap(3),
provide the functions pcap_free_datalinks()
and pcap_offline_filter().
Many bugfixes and structural cleanup in the
! editline(3) library.
Remove ancient
! dbm(3)
functions;
! ndbm(3) remains.
Add setenv keyword for more powerful environment handling in
! doas.conf(5).
Add -g and -p options to
! aucat.1
for time positioning.
! Rewrite audioctl(1)
with a simpler user interface.
Add -F option to
! install(1)
! to fsync(2)
the file before closing it.
! kdump(1)
now dumps pollfd structures.
Improve various details of
! ksh(1) POSIX compliance.
! mknod(8) rewritten in a
! pledge(2)-friendly
style and to support creating multiple devices at once.
! Implement rcctl(8)
get all and getdef all.
! Implement the rcs(1)
-I (interactive) flag.
! In rcs(1),
implement Mdocdate keyword substitution.
! In top(1),
allow to filter process arguments if they are being displayed.
Added UTF-8 support to
! fold(1) and
! rev(1).
Enable UTF-8 by default in
! xterm(1) and
! pod2man(1).
Filter out non-ASCII characters in
! wall(1).
! Handle the COLUMNS
environment variable consistently across many programs.
The options -c and -k allow to provide
TLS client certificates for
! syslogd(8)
on the sending side.
With that the receiving side can verify log messages
are authentic.
--- 307,364 ----
Improved symbol handling and standards compliance in libc.
For example, defining an open() function will no longer
interfere with the operation of
! fopen(3).
PT_TLS sections are now supported in initially loaded object.
Improved handling of "no paths" and "empty path" in
! fts(3).
! In pcap(3),
provide the functions pcap_free_datalinks()
and pcap_offline_filter().
Many bugfixes and structural cleanup in the
! editline(3) library.
Remove ancient
! dbm(3)
functions;
! ndbm(3) remains.
Add setenv keyword for more powerful environment handling in
! doas.conf(5).
Add -g and -p options to
! aucat.1
for time positioning.
! Rewrite audioctl(1)
with a simpler user interface.
Add -F option to
! install(1)
! to fsync(2)
the file before closing it.
! kdump(1)
now dumps pollfd structures.
Improve various details of
! ksh(1) POSIX compliance.
! mknod(8) rewritten in a
! pledge(2)-friendly
style and to support creating multiple devices at once.
! Implement rcctl(8)
get all and getdef all.
! Implement the rcs(1)
-I (interactive) flag.
! In rcs(1),
implement Mdocdate keyword substitution.
! In top(1),
allow to filter process arguments if they are being displayed.
Added UTF-8 support to
! fold(1) and
! rev(1).
Enable UTF-8 by default in
! xterm(1) and
! pod2man(1).
Filter out non-ASCII characters in
! wall(1).
! Handle the COLUMNS
environment variable consistently across many programs.
The options -c and -k allow to provide
TLS client certificates for
! syslogd(8)
on the sending side.
With that the receiving side can verify log messages
are authentic.
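Review bot: the changed line "aucat.1" breaks the name(section) convention that every other reference in this hunk follows (audioctl(1), install(1), kdump(1)); it should read aucat(1). In the top(1) and syslogd(8) entries, "allow to filter" and "allow to provide" are missing an object; "allow filtering of process arguments" and "allow TLS client certificates to be provided" would fix both.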
***************
*** 367,435 ****
message to show that some entries is missing.
On OpenBSD/octeon, CPU cache write buffering is enabled
to improve performance.
! pkg_add(1) and
! pkg_info(1) now
understand a notion of branch to ease selection of some popular
packages such as python or php, e.g., say
pkg_add python%3.4 to select the 3.4 branch,
and use pkg_info -zm to get a fuzzy listing with branch
selection suitable for pkg_add -l.
! fdisk(8) and
! pdisk(8)
immediately exit unless passed a character special device
! st(4)
correctly tracks the current block count for variable sized blocks
! fsck_ext2fs(8)
works again
! softraid(4) volumes
can be constructed with disks that have a sector size other than 512 bytes
! dhclient(8)
DECLINE's and discards unused OFFER's.
! dhclient(8)
immediately exits if its interface (e.g. a
! bridge(4))
returns EAFNOSUPPORT when a packet is sent.
! httpd(8) returns
400 Bad Request for HTTP v0.9 requests.
ffs2's lazy node initialization avoids treating random disk data as
an inode
! fcntl(2) invocations
in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
! socket(2) and
! accept4(2) invocations
in base programs use SOCK_NONBLOCK to eliminate the need for a separate
! fcntl(2).
tmpfs not enabled by default
the in-kernel semantics of
! pledge(2)
were improved in numerous ways.
Highlights include:
a new chown promise that allows pledged programs to set
setugid attributes,
a stricter enforcement of the recvfd promise and
! chroot(2) is no longer
allowed for pledged programs.
a number of
! pledge(2)-related bugs
(missing promises, unintended changes of behavior, crashes) were fixed,
notably in
! gzip(1),
! nc(1),
! sed(1),
! skeyinit(1),
! stty(1),
and various disk-related utilities, such as
! disklabel(8) and
! fdisk(8).
Block size calculation errors in the
! audio(4) driver
have been fixed.
! The usb(4) driver
now caches vendor and product IDs. Fixes an issue where
! usbdevs(8) called
in a loop would cause a USB mass storage device to halt operation.
! The rsu(4) and
! ural(4) drivers
are now working again after they were accidentally broken in 5.9.
--- 367,435 ----
message to show that some entries is missing.
On OpenBSD/octeon, CPU cache write buffering is enabled
to improve performance.
! pkg_add(1) and
! pkg_info(1) now
understand a notion of branch to ease selection of some popular
packages such as python or php, e.g., say
pkg_add python%3.4 to select the 3.4 branch,
and use pkg_info -zm to get a fuzzy listing with branch
selection suitable for pkg_add -l.
! fdisk(8) and
! pdisk(8)
immediately exit unless passed a character special device
! st(4)
correctly tracks the current block count for variable sized blocks
! fsck_ext2fs(8)
works again
! softraid(4) volumes
can be constructed with disks that have a sector size other than 512 bytes
! dhclient(8)
DECLINE's and discards unused OFFER's.
! dhclient(8)
immediately exits if its interface (e.g. a
! bridge(4))
returns EAFNOSUPPORT when a packet is sent.
! httpd(8) returns
400 Bad Request for HTTP v0.9 requests.
ffs2's lazy node initialization avoids treating random disk data as
an inode
! fcntl(2) invocations
in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
! socket(2) and
! accept4(2) invocations
in base programs use SOCK_NONBLOCK to eliminate the need for a separate
! fcntl(2).
tmpfs not enabled by default
the in-kernel semantics of
! pledge(2)
were improved in numerous ways.
Highlights include:
a new chown promise that allows pledged programs to set
setugid attributes,
a stricter enforcement of the recvfd promise and
! chroot(2) is no longer
allowed for pledged programs.
a number of
! pledge(2)-related bugs
(missing promises, unintended changes of behavior, crashes) were fixed,
notably in
! gzip(1),
! nc(1),
! sed(1),
! skeyinit(1),
! stty(1),
and various disk-related utilities, such as
! disklabel(8) and
! fdisk(8).
Block size calculation errors in the
! audio(4) driver
have been fixed.
! The usb(4) driver
now caches vendor and product IDs. Fixes an issue where
! usbdevs(8) called
in a loop would cause a USB mass storage device to halt operation.
! The rsu(4) and
! ural(4) drivers
are now working again after they were accidentally broken in 5.9.
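Review bot: the pledge(2) highlights are not parallel. "a new chown promise ..." and "a stricter enforcement of the recvfd promise" are noun phrases, but the third item, "chroot(2) is no longer allowed for pledged programs", is a full clause joined by "and", which hides a behaviour change that callers need to notice. Break the three highlights into separate items, or reword the last as "a ban on chroot(2) in pledged programs". In the context lines of the same hunk, "some entries is missing" should be "are missing", and "DECLINE's" and "OFFER's" should lose the apostrophes.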
***************
*** 439,445 ****
Security:
- Implement the fork+exec pattern in
! smtpd(8).
- Fix a logic issue in the SMTP state machine that can lead to
an invalid state and result in a crash.
- Plug a file-pointer leak that can lead to resource exhaustion
--- 439,445 ----
- Security:
- Implement the fork+exec pattern in
! smtpd(8).
- Fix a logic issue in the SMTP state machine that can lead to
an invalid state and result in a crash.
- Plug a file-pointer leak that can lead to resource exhaustion
***************
*** 451,457 ****
- The following improvements were brought in this release:
- Add the -r option to the
! smtpd(8)
enqueuer for compatibility with mailx.
- Add missing date or message-id when listening on the submit
port.
--- 451,457 ----
- The following improvements were brought in this release:
- Add the -r option to the
! smtpd(8)
enqueuer for compatibility with mailx.
- Add missing date or message-id when listening on the submit
port.
***************
*** 475,503 ****
- Security:
- Code improvements:
--- 621,627 ----
elements over 16k in size.
- Implemented the IETF ChaCha20-Poly1305 cipher suites.
- Fixed password prompts from
! openssl(1)
to properly handle ^C.
- Code improvements:
***************
*** 629,648 ****
- Fixed an nginx compatibility issue by adding an
'install_sw' build target.
- Changed default
! EVP_aead_chacha20_poly1305(3)
implementation to the IETF version, which is now the default.
- Reworked error handling in libtls so that configuration
errors are more visible.
- Added missing error handling around
! bn_wexpand(3)
calls.
- Added
! explicit_bzero(3)
calls for freed ASN.1 objects.
- Fixed X509_*set_object functions to return 0 on allocation
failure.
- Deprecated internal use of
! EVP_[Cipher|Encrypt|Decrypt]_Final.
- Fixed a problem that prevents the DSA signing algorithm from running
in constant time even if the flag BN_FLG_CONSTTIME is set.
- Fixed several issues in the OCSP code that could result in the
--- 629,648 ----
- Fixed an nginx compatibility issue by adding an
'install_sw' build target.
- Changed default
! EVP_aead_chacha20_poly1305(3)
implementation to the IETF version, which is now the default.
- Reworked error handling in libtls so that configuration
errors are more visible.
- Added missing error handling around
! bn_wexpand(3)
calls.
- Added
! explicit_bzero(3)
calls for freed ASN.1 objects.
- Fixed X509_*set_object functions to return 0 on allocation
failure.
- Deprecated internal use of
! EVP_[Cipher|Encrypt|Decrypt]_Final.
- Fixed a problem that prevents the DSA signing algorithm from running
in constant time even if the flag BN_FLG_CONSTTIME is set.
- Fixed several issues in the OCSP code that could result in the
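Review bot: the changed line "EVP_[Cipher|Encrypt|Decrypt]_Final." is bracket shorthand rather than an identifier, so it cannot be searched for or resolved the way EVP_aead_chacha20_poly1305(3), bn_wexpand(3) and explicit_bzero(3) in this hunk can. Spell out EVP_CipherFinal, EVP_EncryptFinal and EVP_DecryptFinal. The ChaCha20-Poly1305 entry also says "default" twice ("Changed default ... implementation to the IETF version, which is now the default"); drop the trailing clause.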
***************
*** 811,817 ****
Quick installer information for people familiar with OpenBSD, and the use of
! the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
--- 811,817 ----
Quick installer information for people familiar with OpenBSD, and the use of
! the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!