OpenBSD 6.0

What's New

This is a partial list of new features and systems included in OpenBSD 6.0. For a comprehensive list, see the changelog leading to 6.0. *************** *** 97,133 ****

Removed. -

Improved hardware support, including:

New bytgpio(4) driver for the Intel Bay Trail GPIO controller. !
New chvgpio(4) driver for the Intel Cherry View GPIO controller. !
New maxrtc(4) driver for the Maxim DS1307 real time clock. !
New nvme(4) driver for the Non-Volatile Memory Express (NVMe) host controller interface. !
New pcfrtc(4) driver for the NXP PCF8523 real time clock. !
New umb(4) driver for the Mobile Broadband Interface Model (MBIM). !
New ure(4) driver for RealTek RTL8152 based 10/100 USB Ethernet devices. !
New utvfu(4) driver for audio/video capture devices based on the Fushicai USBTV007. !
The iwm(4) driver now supports Intel Wireless 3165 and 8260 devices, and works more reliably in RAMDISK kernels.
Support for I2C HID devices with GPIO signalled interrupts has ! been added to dwiic(4).
Support for larger bus widths, high speed modes, and DMA transfers has been added to ! sdmmc(4), ! rtsx(4), ! sdhc(4), and ! imxesdhc(4).
Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
Many USB device drivers have been enabled on OpenBSD/octeon.
Improved support for hardware-reduced ACPI implementations. --- 99,134 ----
Removed.

Improved hardware support, including:

New bytgpio(4) driver for the Intel Bay Trail GPIO controller. !
New chvgpio(4) driver for the Intel Cherry View GPIO controller. !
New maxrtc(4) driver for the Maxim DS1307 real time clock. !
New nvme(4) driver for the Non-Volatile Memory Express (NVMe) host controller interface. !
New pcfrtc(4) driver for the NXP PCF8523 real time clock. !
New umb(4) driver for the Mobile Broadband Interface Model (MBIM). !
New ure(4) driver for RealTek RTL8152 based 10/100 USB Ethernet devices. !
New utvfu(4) driver for audio/video capture devices based on the Fushicai USBTV007. !
The iwm(4) driver now supports Intel Wireless 3165 and 8260 devices, and works more reliably in RAMDISK kernels.
Support for I2C HID devices with GPIO signalled interrupts has ! been added to dwiic(4).
Support for larger bus widths, high speed modes, and DMA transfers has been added to ! sdmmc(4), ! rtsx(4), ! sdhc(4), and ! imxesdhc(4).
Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
Many USB device drivers have been enabled on OpenBSD/octeon.
Improved support for hardware-reduced ACPI implementations. *************** *** 135,192 ****
AES-NI crypto is now done without holding the kernel lock.
Improved AGP support on PowerPC G5 machines.
Added support for the SD card slot in Intel Bay Trail SoCs. !
The ichiic(4) driver now ignores the SMBALERT# interrupt to prevent an interrupt storm with buggy BIOS implementations.
Device attachment problems with the ! axen(4) driver have been fixed. !
The ral(4) driver is more stable under load with RT2860 devices.
Problems with dead keyboards after resume have been fixed in the ! pckbd(4) driver. !
The rtsx(4) driver now supports RTS522A devices.
Initial support for MSI-X has been added.
Support MSI-X in the ! virtio(4) driver.
Added a workaround for hardware DMA overruns to the dc(4) driver. !
The acpitz(4) driver now spins the fan down after cooling if ACPI uses hysteresis for active cooling. !
The xhci(4) driver now performs handoff from an xHCI-capable BIOS correctly.
Support for multi-touch input has been added to the ! wsmouse(4) driver. !
The uslcom(4) driver now supports the serial console of Aruba 7xxx wireless controllers. !
The re(4) driver now works around broken LED configurations in APU1 EEPROMs. !
The ehci(4) driver now works around problems with ATI USB controllers (e.g. SB700). !
The xen(4) driver now supports domU configuration under Qubes OS.

IEEE 802.11 wireless stack improvements:

The HT block ack receive buffer logic follows the algorithm given in the 802.11-2012 spec more closely. !
The iwn(4) driver now keeps track of HT protection changes while associated to an 11n AP.
The wireless stack and several drivers make more aggressive use of RTS/CTS to avoid interference from legacy devices and hidden nodes. !
The netstat(1) -W command now shows information about 802.11n events.
In hostap mode, do not reuse association IDs of nodes which are still cached. Fixes a problem where an access point using the ! ral(4) driver would get stuck at 1 Mbps because Tx rate accounting happened on the wrong node object.

Generic network stack improvements:

AES-NI crypto is now done without holding the kernel lock.
Improved AGP support on PowerPC G5 machines.
Added support for the SD card slot in Intel Bay Trail SoCs. !
The ichiic(4) driver now ignores the SMBALERT# interrupt to prevent an interrupt storm with buggy BIOS implementations.
Device attachment problems with the ! axen(4) driver have been fixed. !
The ral(4) driver is more stable under load with RT2860 devices.
Problems with dead keyboards after resume have been fixed in the ! pckbd(4) driver. !
The rtsx(4) driver now supports RTS522A devices.
Initial support for MSI-X has been added.
Support MSI-X in the ! virtio(4) driver.
Added a workaround for hardware DMA overruns to the dc(4) driver. !
The acpitz(4) driver now spins the fan down after cooling if ACPI uses hysteresis for active cooling. !
The xhci(4) driver now performs handoff from an xHCI-capable BIOS correctly.
Support for multi-touch input has been added to the ! wsmouse(4) driver. !
The uslcom(4) driver now supports the serial console of Aruba 7xxx wireless controllers. !
The re(4) driver now works around broken LED configurations in APU1 EEPROMs. !
The ehci(4) driver now works around problems with ATI USB controllers (e.g. SB700). !
The xen(4) driver now supports domU configuration under Qubes OS.

IEEE 802.11 wireless stack improvements:

The HT block ack receive buffer logic follows the algorithm given in the 802.11-2012 spec more closely. !
The iwn(4) driver now keeps track of HT protection changes while associated to an 11n AP.
The wireless stack and several drivers make more aggressive use of RTS/CTS to avoid interference from legacy devices and hidden nodes. !
The netstat(1) -W command now shows information about 802.11n events.
In hostap mode, do not reuse association IDs of nodes which are still cached. Fixes a problem where an access point using the ! ral(4) driver would get stuck at 1 Mbps because Tx rate accounting happened on the wrong node object.

Generic network stack improvements:

The Tx queue of the ! cnmac(4) driver can now be processed in parallel of the rest of the kernel.
Network input path is now run in thread context.

Installer improvements:

The Tx queue of the ! cnmac(4) driver can now be processed in parallel of the rest of the kernel.
Network input path is now run in thread context.

Installer improvements:

questions and answers are logged in a format that can be used as a response file for use by autoinstall(8) !
/usr/local is set to wxallowed during install

Routing daemons and other userland network improvements:

questions and answers are logged in a format that can be used as a response file for use by autoinstall(8) !
/usr/local is set to wxallowed during install

Routing daemons and other userland network improvements:

rcctl(8)

Let nc(1) support service names in addition to port numbers. !
Add -M and -m TTL flags to nc(1). !
Add AF_UNIX support to tcpbench(1).
Fixed a regression in rarpd(8). The daemon could hang if it was idle for a long time. !
Added the llprio option in ifconfig(8).
Multiple programs that use bpf(4) have been modified to take advantage of bpf(4) ! device cloning by opening /dev/bpf0 instead of looping ! through /dev/bpf* devices. These programs include arp(8), dhclient(8), dhcpd(8), --- 227,247 ---- rcctl(8).
Let nc(1) support service names in addition to port numbers. !
Add -M and -m TTL flags to nc(1). !
Add AF_UNIX support to tcpbench(1).
Fixed a regression in rarpd(8). The daemon could hang if it was idle for a long time. !
Added the llprio option in ifconfig(8).
Multiple programs that use bpf(4) have been modified to take advantage of bpf(4) ! device cloning by opening /dev/bpf0 instead of looping ! through /dev/bpf* devices. These programs include arp(8), dhclient(8), dhcpd(8), *************** *** 258,276 **** The libpcap library has also been modified accordingly.

Security improvements:

W^X is now strictly enforced by default; a program can only violate it if the executable is marked with ! PT_OPENBSD_WXNEEDED and is located on a filesystem ! mounted with the wxallowed mount(8) option. Because there are still too many ports which violate W^X, the ! installer mounts the /usr/local filesystem with ! wxallowed. This allows the base system to be more ! secure as long as /usr/local is a separate filesystem. If you use no W^X violating programs, consider manually revoking that option.
The setjmp(3) --- 255,272 ---- The libpcap library has also been modified accordingly.

Security improvements:

W^X is now strictly enforced by default; a program can only violate it if the executable is marked with ! PT_OPENBSD_WXNEEDED and is located on a filesystem ! mounted with the wxallowed mount(8) option. Because there are still too many ports which violate W^X, the ! installer mounts the /usr/local filesystem with ! wxallowed. This allows the base system to be more ! secure as long as /usr/local is a separate filesystem. If you use no W^X violating programs, consider manually revoking that option.
The setjmp(3) *************** *** 284,290 ****
In the getpwnam(3) family of functions, stop opening the shadow database by default.
Allow tcpdump(8) ! -r to be started without root privileges.
Remove systrace.
Remove Linux emulation support. --- 280,286 ----
In the getpwnam(3) family of functions, stop opening the shadow database by default.
Allow tcpdump(8) ! -r to be started without root privileges.
Remove systrace.
Remove Linux emulation support. *************** *** 296,358 ****
To work against SYN flooding attacks the administrator can change the size of the hash array now. netstat(1) ! -s -p tcp shows the relevant information to tune the SYN cache with sysctl(8) ! net.inet.tcp.
The administrator can require root privileges for binding to some TCP and UDP ports with sysctl(8) ! net.inet.tcp.rootonly and sysctl(8) ! net.inet.udp.rootonly.
Remove a function pointer from the mbuf(9) data structure and use an index into an array of acceptable functions instead.

Assorted improvements:

The thread library can now be loaded into a single-threaded process.
Improved symbol handling and standards compliance in libc. ! For example, defining an open() function will no longer interfere with the operation of fopen(3). !
PT_TLS sections are now supported in initially loaded object.
Improved handling of "no paths" and "empty path" in fts(3).
In pcap(3), ! provide the functions pcap_free_datalinks() ! and pcap_offline_filter().
Many bugfixes and structural cleanup in the editline(3) library.
Remove ancient dbm(3) functions; ndbm(3) remains. !
Add setenv keyword for more powerful environment handling in doas.conf(5). !
Add -g and -p options to aucat.1 for time positioning.
Rewrite audioctl(1) with a simpler user interface. !
Add -F option to install(1) to fsync(2) the file before closing it.
kdump(1) ! now dumps pollfd structures.
Improve various details of ksh(1) POSIX compliance.
mknod(8) rewritten in a pledge(2)-friendly style and to support creating multiple devices at once.
Implement rcctl(8) ! get all and getdef all.
Implement the rcs(1) ! -I (interactive) flag.
In rcs(1), implement Mdocdate keyword substitution.
In top(1), --- 292,353 ----
To work against SYN flooding attacks the administrator can change the size of the hash array now. netstat(1) ! -s -p tcp shows the relevant information to tune the SYN cache with sysctl(8) ! net.inet.tcp.
The administrator can require root privileges for binding to some TCP and UDP ports with sysctl(8) ! net.inet.tcp.rootonly and sysctl(8) ! net.inet.udp.rootonly.
Remove a function pointer from the mbuf(9) data structure and use an index into an array of acceptable functions instead.

Assorted improvements:

The thread library can now be loaded into a single-threaded process.
Improved symbol handling and standards compliance in libc. ! For example, defining an open() function will no longer interfere with the operation of fopen(3). !
PT_TLS sections are now supported in initially loaded object.
Improved handling of "no paths" and "empty path" in fts(3).
In pcap(3), ! provide the functions pcap_free_datalinks() ! and pcap_offline_filter().
Many bugfixes and structural cleanup in the editline(3) library.
Remove ancient dbm(3) functions; ndbm(3) remains. !
Add setenv keyword for more powerful environment handling in doas.conf(5). !
Add -g and -p options to aucat.1 for time positioning.
Rewrite audioctl(1) with a simpler user interface. !
Add -F option to install(1) to fsync(2) the file before closing it.
kdump(1) ! now dumps pollfd structures.
Improve various details of ksh(1) POSIX compliance.
mknod(8) rewritten in a pledge(2)-friendly style and to support creating multiple devices at once.
Implement rcctl(8) ! get all and getdef all.
Implement the rcs(1) ! -I (interactive) flag.
In rcs(1), implement Mdocdate keyword substitution.
In top(1), *************** *** 367,373 **** wall(1).
Handle the COLUMNS environment variable consistently across many programs. !
The options -c and -k allow to provide TLS client certificates for syslogd(8) on the sending side. --- 362,368 ---- wall(1).
Handle the COLUMNS environment variable consistently across many programs. !
The options -c and -k allow to provide TLS client certificates for syslogd(8) on the sending side. *************** *** 382,423 **** pkg_info(1) now understand a notion of branch to ease selection of some popular packages such as python or php, e.g., say ! pkg_add python%3.4 to select the 3.4 branch, ! and use pkg_info -zm to get a fuzzy listing with branch ! selection suitable for pkg_add -l. !
fdisk(8) and ! pdisk(8) immediately exit unless passed a character special device !
st(4) correctly tracks the current block count for variable sized blocks !
fsck_ext2fs(8) works again !
softraid(4) volumes can be constructed with disks that have a sector size other than 512 bytes !
dhclient(8) DECLINE's and discards unused OFFER's. !
dhclient(8) immediately exits if its interface (e.g. a ! bridge(4)) returns EAFNOSUPPORT when a packet is sent. !
httpd(8) returns 400 Bad Request for HTTP v0.9 requests.
ffs2's lazy node initialization avoids treating random disk data as an inode !
fcntl(2) invocations in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0) !
socket(2) and ! accept4(2) invocations in base programs use SOCK_NONBLOCK to eliminate the need for a separate ! fcntl(2).
tmpfs not enabled by default
the in-kernel semantics of pledge(2) were improved in numerous ways. Highlights include: ! a new chown promise that allows pledged programs to set setugid attributes, ! a stricter enforcement of the recvfd promise and chroot(2) is no longer allowed for pledged programs.
a number of --- 377,418 ---- pkg_info(1) now understand a notion of branch to ease selection of some popular packages such as python or php, e.g., say ! pkg_add python%3.4 to select the 3.4 branch, ! and use pkg_info -zm to get a fuzzy listing with branch ! selection suitable for pkg_add -l. !
fdisk(8) and ! pdisk(8) immediately exit unless passed a character special device !
st(4) correctly tracks the current block count for variable sized blocks !
fsck_ext2fs(8) works again !
softraid(4) volumes can be constructed with disks that have a sector size other than 512 bytes !
dhclient(8) DECLINE's and discards unused OFFER's. !
dhclient(8) immediately exits if its interface (e.g. a ! bridge(4)) returns EAFNOSUPPORT when a packet is sent. !
httpd(8) returns 400 Bad Request for HTTP v0.9 requests.
ffs2's lazy node initialization avoids treating random disk data as an inode !
fcntl(2) invocations in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0) !
socket(2) and ! accept4(2) invocations in base programs use SOCK_NONBLOCK to eliminate the need for a separate ! fcntl(2).
tmpfs not enabled by default
the in-kernel semantics of pledge(2) were improved in numerous ways. Highlights include: ! a new chown promise that allows pledged programs to set setugid attributes, ! a stricter enforcement of the recvfd promise and chroot(2) is no longer allowed for pledged programs.
a number of *************** *** 433,449 **** disklabel(8) and fdisk(8).
Block size calculation errors in the ! audio(4) driver have been fixed. !
The usb(4) driver now caches vendor and product IDs. Fixes an issue where ! usbdevs(8) called in a loop would cause a USB mass storage device to halt operation. !
The rsu(4) and ! ural(4) drivers are now working again after they were accidentally broken in 5.9.

OpenSMTPD 6.0.0

disklabel(8)

fdisk(8)

Block size calculation errors in the ! audio(4) driver have been fixed. !
The usb(4) driver now caches vendor and product IDs. Fixes an issue where ! usbdevs(8) called in a loop would cause a USB mass storage device to halt operation. !
The rsu(4) and ! ural(4) drivers are now working again after they were accidentally broken in 5.9.

OpenSMTPD 6.0.0

*************** *** 461,467 ****

The following improvements were brought in this release:

Add the -r option to the smtpd(8) enqueuer for compatibility with mailx.
Add missing date or message-id when listening on the submit --- 455,461 ----

The following improvements were brought in this release:

Add the -r option to the smtpd(8) enqueuer for compatibility with mailx.
Add missing date or message-id when listening on the submit *************** *** 480,486 **** pages.

OpenSSH 7.3

New/changed features:
- ssh(1): ! Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
- ssh(1): ! Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
- ssh(1): ! Allow ExitOnForwardFailure and ClearAllForwardings ! to be optionally overridden when using ssh -W. (bz#2577)
- ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per --- 511,525 ----
- New/changed features:
  - ssh(1): ! Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
  - ssh(1): ! Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
  - ssh(1): ! Allow ExitOnForwardFailure and ClearAllForwardings ! to be optionally overridden when using ssh -W. (bz#2577)
  - ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per *************** *** 540,546 **** sshd(8): support SHA256 and SHA512 RSA signatures in certificates.
  - ssh(1): ! Add an Include directive for ssh_config(5) files.
  - ssh(1): --- 533,539 ---- sshd(8): support SHA256 and SHA512 RSA signatures in certificates.
  - ssh(1): ! Add an Include directive for ssh_config(5) files.
  - ssh(1): *************** *** 556,596 ****
  - ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events ! from LOG_CRIT. (bz#2585)
  - sshd(8): ! Refuse AuthenticationMethods="" in configurations and accept ! AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. (bz#2398)
  - sshd(8): ! Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. (bz#2585)
  - ssh(1): ! Close ControlPersist background process stderr except in debug mode or when logging to syslog. (bz#1988)
  - misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. (bz#2529)
  - ssh(1): ! Deduplicate LocalForward and RemoteForward entries ! to fix failures when both ExitOnForwardFailure and ! hostname canonicalisation are enabled. (bz#2562)
  - sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. (bz#2559)
  - sshd_config(5): ! Correct description of UseDNS: it affects ssh hostname ! processing for authorized_keys, not known_hosts. (bz#2554)
  - ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. (bz#2550)
  - sshd(8): ! Send ClientAliveInterval pings when a time-based ! RekeyLimit is set; previously keepalive packets were not being sent. (bz#2252)
-
OpenNTPD 6.0
- ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events ! from LOG_CRIT. (bz#2585)
- sshd(8): ! Refuse AuthenticationMethods="" in configurations and accept ! AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. (bz#2398)
- sshd(8): ! Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. (bz#2585)
- ssh(1): ! Close ControlPersist background process stderr except in debug mode or when logging to syslog. (bz#1988)
- misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. (bz#2529)
- ssh(1): ! Deduplicate LocalForward and RemoteForward entries ! to fix failures when both ExitOnForwardFailure and ! hostname canonicalisation are enabled. (bz#2562)
- sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. (bz#2559)
- sshd_config(5): ! Correct description of UseDNS: it affects ssh hostname ! processing for authorized_keys, not known_hosts. (bz#2554)
- ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. (bz#2550)
- sshd(8): ! Send ClientAliveInterval pings when a time-based ! RekeyLimit is set; previously keepalive packets were not being sent. (bz#2252)

OpenNTPD 6.0

Fixed various memory leaks.
Switched to RMS for jitter calculations.
Unified logging functions with other OpenBSD base programs. !
Set MOD_MAXERROR to avoid unsynced time status when using ntp_adjtime.
Fixed HTTP Timestamp header parsing to use strptime(3) --- 602,608 ----
Fixed various memory leaks.
Switched to RMS for jitter calculations.
Unified logging functions with other OpenBSD base programs. !
Set MOD_MAXERROR to avoid unsynced time status when using ntp_adjtime.
Fixed HTTP Timestamp header parsing to use strptime(3) *************** *** 619,632 **** ntpd(8) constraints, enabling server name verification.

LibreSSL 2.4.2

User-visible features:
- Fixed some broken manpage links in the install target. !
- cert.pem has been reorganized and synced with Mozilla's certificate store.
- Reliability fix, correcting an error when parsing certain ASN.1 elements over 16k in size. --- 611,623 ---- ntpd(8) constraints, enabling server name verification.

LibreSSL 2.4.2

User-visible features:

Fixed some broken manpage links in the install target. !
cert.pem has been reorganized and synced with Mozilla's certificate store.
Reliability fix, correcting an error when parsing certain ASN.1 elements over 16k in size. *************** *** 638,648 ****
Code improvements:
- Fixed an nginx compatibility issue by adding an ! 'install_sw' build target.
- Changed default EVP_aead_chacha20_poly1305(3) implementation to the IETF version, which is now the default. !
- Reworked error handling in libtls so that configuration errors are more visible.
- Added missing error handling around bn_wexpand(3) --- 629,639 ----
- Code improvements:
  - Fixed an nginx compatibility issue by adding an ! 'install_sw' build target.
  - Changed default EVP_aead_chacha20_poly1305(3) implementation to the IETF version, which is now the default. !
  - Reworked error handling in libtls so that configuration errors are more visible.
  - Added missing error handling around bn_wexpand(3) *************** *** 650,709 ****
  - Added explicit_bzero(3) calls for freed ASN.1 objects. !
  - Fixed X509_*set_object functions to return 0 on allocation failure.
  - Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
  - Fixed a problem that prevents the DSA signing algorithm from running ! in constant time even if the flag BN_FLG_CONSTTIME is set.
  - Fixed several issues in the OCSP code that could result in the incorrect generation and parsing of OCSP requests. This remediates a lack of error checking on time parsing in these functions, and ! ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
- The following CVEs have been fixed:
  - CVE-2016-2105—EVP_EncodeUpdate overflow. !
  - CVE-2016-2106—EVP_EncryptUpdate overflow. !
  - CVE-2016-2107—padding oracle in AES-NI CBC MAC check. !
  - CVE-2016-2108—memory corruption in the ASN.1 encoder. !
  - CVE-2016-2109—ASN.1 BIO excessive memory allocation.
-
!

Ports and packages: !

New proot(1) tool in the ports tree for building packages in a chroot. !

Many pre-built packages for each architecture: !

! ! !

alpha: 7422
amd64: 9433
hppa: 6346 -

i386: 9394
mips64: 7921
mips64el: 7767 -

powerpc: 8318
sparc64: 8570 !

Some highlights: !

! ! !

Afl 2.19b
Chromium 51.0.2704.106
Emacs 21.4 and 24.5 --- 641,685 ----
Added explicit_bzero(3) calls for freed ASN.1 objects. !
Fixed X509_*set_object functions to return 0 on allocation failure.
Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
Fixed a problem that prevents the DSA signing algorithm from running ! in constant time even if the flag BN_FLG_CONSTTIME is set.
Fixed several issues in the OCSP code that could result in the incorrect generation and parsing of OCSP requests. This remediates a lack of error checking on time parsing in these functions, and ! ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.

The following CVEs have been fixed:

CVE-2016-2105—EVP_EncodeUpdate overflow. !
CVE-2016-2106—EVP_EncryptUpdate overflow. !
CVE-2016-2107—padding oracle in AES-NI CBC MAC check. !
CVE-2016-2108—memory corruption in the ASN.1 encoder. !
CVE-2016-2109—ASN.1 BIO excessive memory allocation.

Ports and packages: !

New proot(1) tool in the ports tree for building packages in a chroot. !

Many pre-built packages for each architecture: !

alpha: 7422
amd64: 9433
hppa: 6346
i386: 9394
mips64: 7921
mips64el: 7767
powerpc: 8318
sparc64: 8570 !

Some highlights: !

Afl 2.19b
Chromium 51.0.2704.106
Emacs 21.4 and 24.5 *************** *** 721,727 ****
MariaDB 10.0.25
Mono 4.4.0.182
Mozilla Firefox 45.2.0esr and 47.0.1 -

Mozilla Thunderbird 45.2.0
Mutt 1.6.2
Node.js 4.4.5 --- 697,702 ---- *************** *** 740,750 ****
TeX Live 2015
Vim 7.4.1467
Xfce 4.12 !

As usual, steady improvements in manual pages and other documentation. -
The system includes the following major components from outside suppliers:
- TeX Live 2015
- Vim 7.4.1467
- Xfce 4.12 !
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
- Expat 2.1.1

How to install

Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate --- 736,747 ----

Expat 2.1.1

How to install

Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate *************** *** 820,980 ****

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above! !

OpenBSD/i386:

The OpenBSD/i386 release is on CD1. Boot from the CD to begin the install - you may need to adjust your BIOS options first.
-
If your machine can boot from USB, you can write install60.fs or miniroot60.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.
-
If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386. -

OpenBSD/amd64:

The OpenBSD/amd64 release is on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first.
-
If your machine can boot from USB, you can write install60.fs or miniroot60.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.
-
If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64. -

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.
-
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /6.0/macppc/bsd.rd -

OpenBSD/sparc64:

Put CD3 in your CDROM drive and type boot cdrom.
-
If this doesn't work, or if you don't have a CDROM drive, you can write CD3:6.0/sparc64/floppy60.fs or CD3:6.0/sparc64/floppyB60.fs (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
-
You can also write CD3:6.0/sparc64/miniroot60.fs to the swap partition on the disk and boot with boot disk:b.
-
If nothing works, you can boot over the network as described in INSTALL.sparc64. -

OpenBSD/alpha:

Write FTP:6.0/alpha/floppy60.fs or FTP:6.0/alpha/floppyB60.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail. -

OpenBSD/armv7:

Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details. -
-

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page. -

OpenBSD/landisk:

Write miniroot60.fs to the start of the CF or disk, and boot normally. -

OpenBSD/loongson:

Write miniroot60.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details. -

OpenBSD/luna88k:

! Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details. -

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details. -

OpenBSD/sgi:

To install, burn cd60.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from --- 795,932 ----
+

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above! !
OpenBSD/i386:
!
The OpenBSD/i386 release is on CD1. Boot from the CD to begin the install - you may need to adjust your BIOS options first. +
If your machine can boot from USB, you can write install60.fs or miniroot60.fs to a USB stick and boot from it. +
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document. +
If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386. !
OpenBSD/amd64:
!
The OpenBSD/amd64 release is on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first. +
If your machine can boot from USB, you can write install60.fs or miniroot60.fs to a USB stick and boot from it. +
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document. +
If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64. !
OpenBSD/macppc:
!
Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot. +
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /6.0/macppc/bsd.rd !
OpenBSD/sparc64:
!
Put CD3 in your CDROM drive and type boot cdrom. +
If this doesn't work, or if you don't have a CDROM drive, you can write CD3:6.0/sparc64/floppy60.fs or CD3:6.0/sparc64/floppyB60.fs (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details. +
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail. +
You can also write CD3:6.0/sparc64/miniroot60.fs to the swap partition on the disk and boot with boot disk:b. +
If nothing works, you can boot over the network as described in INSTALL.sparc64. !
OpenBSD/alpha:
!
Write FTP:6.0/alpha/floppy60.fs or FTP:6.0/alpha/floppyB60.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details. +
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail. !
OpenBSD/armv7:
!
Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details. !
OpenBSD/hppa:
!
Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page. !
OpenBSD/landisk:
!
Write miniroot60.fs to the start of the CF or disk, and boot normally. !
OpenBSD/loongson:
!
Write miniroot60.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details. !
OpenBSD/luna88k:
!
! Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details. !
OpenBSD/octeon:
!
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details. !
OpenBSD/sgi:
!
To install, burn cd60.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from *************** *** 982,1024 **** Refer to the instructions in INSTALL.sgi for more details.
-
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details. -

OpenBSD/socppc:

After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details. -

OpenBSD/zaurus:

Using the Linux built-in graphical ipkg installer, install the openbsd60_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details. -

How to upgrade

If you already have an OpenBSD 5.9 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide. !

Notes about the source code

! src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract: --- 934,974 ---- Refer to the instructions in INSTALL.sgi for more details.

If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details. !

OpenBSD/socppc:

After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details. !

OpenBSD/zaurus:

Using the Linux built-in graphical ipkg installer, install the openbsd60_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details. +

! OpenBSD ! 6.0

! OpenBSD ! 6.0

What's New

What's New

How to install

How to install

OpenBSD/i386:

OpenBSD/amd64:

OpenBSD/macppc:

OpenBSD/sparc64:

OpenBSD/alpha:

OpenBSD/armv7:

OpenBSD/hppa:

OpenBSD/landisk:

OpenBSD/loongson:

OpenBSD/luna88k:

OpenBSD/octeon:

OpenBSD/sgi:

OpenBSD/i386:

OpenBSD/amd64:

OpenBSD/macppc:

OpenBSD/sparc64:

OpenBSD/alpha:

OpenBSD/armv7:

OpenBSD/hppa:

OpenBSD/landisk:

OpenBSD/loongson:

OpenBSD/luna88k:

OpenBSD/octeon:

OpenBSD/sgi:

OpenBSD/socppc:

OpenBSD/zaurus:

How to upgrade

Notes about the source code

OpenBSD/socppc:

OpenBSD/zaurus:

How to upgrade

Notes about the source code

Ports Tree

Ports Tree