Annotation of www/60.html, Revision 1.39
1.1 deraadt 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2: <html>
3: <head>
4: <title>OpenBSD 6.0</title>
5: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
6: <meta name="description" content="OpenBSD 6.0">
7: <meta name="copyright" content="This document copyright 2016 by OpenBSD.">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
1.2 deraadt 10: <link rel="canonical" href="http://www.openbsd.org/60.html">
1.1 deraadt 11: </head>
12:
13: <body bgcolor="#ffffff" text="#000000" link="#24248E">
14:
15: <h2>
16: <a href="index.html">
17: <i><font color="#0000ff">Open</font></i><font color="#000084">BSD</font></a>
18: <font color="#e00000">6.0</font>
19: </h2>
20:
21: <a href="images/puff.jpg">
22: <img alt="Puff" align="left" width="227" height="343" hspace="24" src="images/puff.jpg"></a>
1.24 deraadt 23: To be released Sep 1, 2016<br>
1.1 deraadt 24: Copyright 1997-2016, Theo de Raadt.<br>
25: <font color="#e00000">ISBN 978-0-9881561-8-0</font>
26: <br>
1.34 deraadt 27: 6.0 Songs:
28: <a href="lyrics.html#60a">"Another Smash of the Stack"</a>
29: (plus 5 more...)
1.1 deraadt 30:
31: <ul>
32: <li>Order a CDROM from our <a href="https://openbsdstore.com">ordering system</a>.
33: <li>See the information on <a href="ftp.html">the FTP page</a> for
34: a list of mirror machines.
35: <li>Go to the <font color="#e00000">pub/OpenBSD/6.0/</font> directory on
36: one of the mirror sites.
37: <li>Have a look at <a href="errata60.html">the 6.0 errata page</a> for a list
38: of bugs and workarounds.
39: <li>See a <a href="plus60.html">detailed log of changes</a> between the
40: 5.9 and 6.0 releases.
41: <p>
1.6 schwarze 42: <li><a href="http://man.openbsd.org/signify.1">signify(1)</a>
1.1 deraadt 43: pubkeys for this release:<br>
44: <pre>
45: base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
46: fw: RWRWf7GJKFvJTWEMIaw9wld0DujiqL1mlrC6HisE6i78C+2SRArV1Iyo
47: pkg: RWQHIajRlT2mX7tmRgb6oN6mfJu3AgQ/TU38acrWABO8lz90dR3rNmey
48: </pre>
49: <p>
50: All applicable copyrights and credits are in the src.tar.gz,
51: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
52: files fetched via ports.tar.gz.
53: </ul>
54: <br clear=all>
55:
56: <hr>
57:
58: <h3 id="new"><font color="#0000e0">What's New</font></h3>
59:
60: This is a partial list of new features and systems included in OpenBSD 6.0.
61: For a comprehensive list, see the <a href="plus60.html">changelog</a> leading
62: to 6.0.
63:
64: <ul>
1.27 jsg 65: <li>New/extended platforms:
66: <ul>
1.28 deraadt 67: <li><a href="armv7.html">armv7</a>:
1.27 jsg 68: <ul>
69: <li>EFI bootloader added, kernels are now loaded from FFS instead
70: of FAT or EXT filesystems, without U-Boot headers.
71: <li>A single kernel and ramdisk are now used for all SoCs.
72: <li>Hardware is dynamically enumerated via Flattened Device
73: Tree (FDT) instead of via static tables based on board id numbers.
74: <li>Miniroot installer images include U-Boot 2016.07 with support for
75: EFI payloads.
76: </ul>
1.28 deraadt 77: <li><a href="vax.html">vax</a>:
78: <ul>
79: <li>Removed.
80: </ul>
1.27 jsg 81: </ul>
82: <p>
83:
1.1 deraadt 84: <li>Improved hardware support, including:
85: <ul>
1.25 jsg 86: <li>New <a href="http://man.openbsd.org/?query=bytgpio">bytgpio(4)</a>
87: driver for the Intel Bay Trail GPIO controller.
88: <li>New <a href="http://man.openbsd.org/?query=chvgpio">chvgpio(4)</a>
89: driver for the Intel Cherry View GPIO controller.
90: <li>New <a href="http://man.openbsd.org/?query=maxrtc">maxrtc(4)</a>
91: driver for the Maxim DS1307 real time clock.
92: <li>New <a href="http://man.openbsd.org/?query=nvme">nvme(4)</a>
93: driver for the Non-Volatile Memory Express (NVMe) host controller interface.
94: <li>New <a href="http://man.openbsd.org/?query=pcfrtc">pcfrtc(4)</a>
95: driver for the NXP PCF8523 real time clock.
96: <li>New <a href="http://man.openbsd.org/?query=umb">umb(4)</a>
97: driver for the Mobile Broadband Interface Model (MBIM).
98: <li>New <a href="http://man.openbsd.org/?query=ure">ure(4)</a>
99: driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
100: <li>New <a href="http://man.openbsd.org/?query=utvfu">utvfu(4)</a>
101: driver for audio/video capture devices based on the Fushicai USBTV007.
102: <li>The <a href="http://man.openbsd.org/?query=iwm">iwm(4)</a> driver
103: supports more models, notably the Intel Wireless 3165 and 8260.
104: <li>Support for I2C HID devices with GPIO signalled interrupts has
105: been added to <a href="http://man.openbsd.org/?query=dwiic">dwiic(4)</a>.
1.26 jsg 106: <li>Support for larger bus widths, high speed modes, and DMA
107: transfers has been added to
108: <a href="http://man.openbsd.org/?query=sdmmc">sdmmc(4)</a>,
109: <a href="http://man.openbsd.org/?query=sdhc">sdhc(4)</a>, and
110: <a href="http://man.openbsd.org/?query=imxesdhc&sektion=4&arch=armv7">imxesdhc(4)</a>.
1.31 visa 111: <li>Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
112: <li>Many USB device drivers have been enabled on OpenBSD/octeon.
1.1 deraadt 113: <li>...
114: </ul>
115: <p>
116:
117: <li>SMP network stack improvements:
118: <ul>
1.31 visa 119: <li>The Tx queue of the
120: <a href="http://man.openbsd.org/?query=cnmac">cnmac(4)</a>
121: driver can now be processed in parallel of the rest of the kernel.
1.1 deraadt 122: <li>...
123: </ul>
124: <p>
125:
1.30 stsp 126: <li>IEEE 802.11 wireless stack improvements:
1.1 deraadt 127: <ul>
1.30 stsp 128: <li>The HT block ack receive buffer logic follows the algorithm given
129: in the 802.11-2012 spec more closely.
130: <li>The <a href="http://man.openbsd.org/?query=iwn">iwn(4)</a> driver now
131: keeps track of HT protection changes while associated to an 11n AP.
132: <li>The wireless stack and several drivers make more aggressive use
133: of RTS/CTS to avoid interference from legacy devices and hidden nodes.
1.1 deraadt 134: </ul>
135: <p>
136:
137: <li>Generic network stack improvements:
138: <ul>
1.33 vgross 139: <li>The prio field on VLAN headers is now correctly set
140: on each fragment of an IPv4 packet going out on a
141: <a href="http://man.openbsd.org/vlan.4">vlan(4)</a>
142: interface.
1.1 deraadt 143: <li>...
144: </ul>
145: <p>
146:
147: <li>Installer improvements:
148: <ul>
149: <li>...
150: </ul>
151: <p>
152:
153: <li>Routing daemons and other userland network improvements:
154: <ul>
1.11 schwarze 155: <li>Add routing table support to
156: <a href="http://man.openbsd.org/rc.d.8">rc.d(8)</a> and
157: <a href="http://man.openbsd.org/rcctl.8">rcctl(8)</a>.
1.12 schwarze 158: <li>Let <a href="http://man.openbsd.org/nc.1">nc(1)</a>
159: support service names in addition to port numbers.
160: <li>Add <tt>-M</tt> and <tt>-m</tt> TTL flags to
161: <a href="http://man.openbsd.org/nc.1">nc(1)</a>.
162: <li>Add <tt>AF_UNIX</tt> support to
1.13 schwarze 163: <a href="http://man.openbsd.org/tcpbench.1">tcpbench(1)</a>.
1.32 visa 164: <li>Fixed a regression in
165: <a href="http://man.openbsd.org/rarpd.8">rarpd(8)</a>.
166: The daemon could hang if it was idle for a long time.
1.33 vgross 167: <li>Added the <tt>llprio</tt> option in
168: <a href="http://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
1.1 deraadt 169: <li>...
170: </ul>
171: <p>
172:
173: <li>Security improvements:
174: <ul>
1.3 guenther 175: <li><tt>W^X</tt> is now strictly enforced by default;
176: a program can only violate it if the executable is marked with
1.38 tb 177: <tt>PT_OPENBSD_WXNEEDED</tt> and is located on a filesystem
1.6 schwarze 178: mounted with the <tt>wxallowed</tt>
179: <a href="http://man.openbsd.org/mount.8">mount(8)</a> option.
1.36 deraadt 180: Because there are still too many ports which violate W^X, the
181: installer mounts the <tt>/usr/local</tt> filesystem with
182: <tt>wxallowed</tt>. This allows the base system to be more
1.37 tb 183: secure as long as <tt>/usr/local</tt> is a separate filesystem.
1.36 deraadt 184: If you use no W^X violating programs, consider manually
185: revoking that option.
1.6 schwarze 186: <li>The <a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a>
1.3 guenther 187: family of functions now apply XOR cookies to stack and return-address
188: values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
1.28 deraadt 189: <li>SROP mitigation: <a href="http://man.openbsd.org/sigreturn.2">sigreturn(2)</a>
1.3 guenther 190: can now only be used by the kernel-provided signal trampoline,
191: with a cookie to detect attempts to reuse it.
1.22 tom 192: <li>To deter code reuse exploits, <a href="http://man.openbsd.org/rc.8">rc(8)</a>
193: re-links libc.so on startup, placing the objects in a random order.
1.11 schwarze 194: <li>In the <a href="http://man.openbsd.org/getpwnam.3">getpwnam(3)</a>
195: family of functions, stop opening the shadow database by default.
1.12 schwarze 196: <li>Allow <a href="http://man.openbsd.org/tcpdump.8">tcpdump(8)</a>
197: <tt>-r</tt> to be started without root privileges.
1.11 schwarze 198: <li>Remove
199: <a href="http://man.openbsd.org/OpenBSD-5.9/systrace">systrace</a>.
200: <li>Remove Linux emulation support.
1.17 tedu 201: <li>Remove support for the usermount option.
1.19 tedu 202: <li>The TCP SYN cache reseeds its random hash function from
1.14 bluhm 203: time to time.
1.19 tedu 204: This prevents an attacker from calculating the distribution
1.14 bluhm 205: of the hash function with a timing attack.
206: <li>To work against SYN flooding attacks the administrator can
207: change the size of the hash array now.
1.16 schwarze 208: <a href="http://man.openbsd.org/netstat.1">netstat(1)</a>
1.14 bluhm 209: <tt>-s -p tcp</tt> shows the relevant information to tune
1.15 bluhm 210: the SYN cache with
1.16 schwarze 211: <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a>
1.15 bluhm 212: <tt>net.inet.tcp</tt>.
1.33 vgross 213: <li>The administrator can require root privileges for binding to some TCP
214: and UDP ports with
215: <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a>
216: <tt>net.inet.tcp.rootonly</tt> and
217: <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a>
218: <tt>net.inet.udp.rootonly</tt>.
1.1 deraadt 219: <li>...
220: </ul>
221: <p>
222:
223: <li>Assorted improvements:
224: <ul>
1.3 guenther 225: <li>The thread library can now be loaded into a single-threaded process.
226: <li>Improved symbol handling and standards compliance in libc.
227: For example, defining an <tt>open()</tt> function will no longer
228: interfere with the operation of
1.6 schwarze 229: <a href="http://man.openbsd.org/fopen.3">fopen(3)</a>.
1.3 guenther 230: <li><tt>PT_TLS</tt> sections are now supported in initially loaded object.
231: <li>Improved handling of "no paths" and "empty path" in
1.6 schwarze 232: <a href="http://man.openbsd.org/fts.3">fts(3)</a>.
1.12 schwarze 233: <li>In <a href="http://man.openbsd.org/pcap.3">pcap(3)</a>,
234: provide the functions <tt>pcap_free_datalinks()</tt>
235: and <tt>pcap_offline_filter()</tt>.
236: <li>Many bugfixes and structural cleanup in the
237: <a href="http://man.openbsd.org/editline">editline(3)</a> library.
238: <li>Remove ancient
239: <a href="http://man.openbsd.org/OpenBSD-5.9/dbm.3">dbm(3)</a>
240: functions;
241: <a href="http://man.openbsd.org/ndbm.3">ndbm(3)</a> remains.
1.17 tedu 242: <li>Add <tt>setenv</tt> keyword for more powerful environment handling in
1.12 schwarze 243: <a href="http://man.openbsd.org/doas.conf.5">doas.conf(5)</a>.
244: <li>Add <tt>-g</tt> and <tt>-p</tt> options to
245: <a href="http://man.openbsd.org/aucat.1">aucat.1</a>
246: for time positioning.
247: <li>Rewrite <a href="http://man.openbsd.org/audioctl.1">audioctl(1)</a>
248: with a simpler user interface.
249: <li>Add <tt>-F</tt> option to
250: <a href="http://man.openbsd.org/install.1">install(1)</a>
251: to <a href="http://man.openbsd.org/fsync.2">fsync(2)</a>
252: the file before closing it.
1.6 schwarze 253: <li><a href="http://man.openbsd.org/kdump.1">kdump(1)</a>
254: now dumps <tt>pollfd</tt> structures.
1.12 schwarze 255: <li>Improve various details of
256: <a href="http://man.openbsd.org/ksh.1">ksh(1)</a> POSIX compliance.
257: <li><a href="http://man.openbsd.org/mknod.8">mknod(8)</a> rewritten in a
258: <a href="http://man.openbsd.org/pledge.2">pledge(2)</a>-friendly
259: style and to support creating multiple devices at once.
260: <li>Implement <a href="http://man.openbsd.org/rcctl.8">rcctl(8)</a>
261: <tt>get all</tt> and <tt>getdef all</tt>.
262: <li>Implement the <a href="http://man.openbsd.org/rcs.1">rcs(1)</a>
263: <tt>-I</tt> (interactive) flag.
1.11 schwarze 264: <li>In <a href="http://man.openbsd.org/rcs.1">rcs(1)</a>,
265: implement Mdocdate keyword substitution.
266: <li>In <a href="http://man.openbsd.org/top.1">top(1)</a>,
267: allow to filter process arguments if they are being displayed.
268: <li>Added UTF-8 support to
269: <a href="http://man.openbsd.org/fold.1">fold(1)</a> and
270: <a href="http://man.openbsd.org/rev.1">rev(1)</a>.
271: <li>Enable UTF-8 by default in
272: <a href="http://man.openbsd.org/xterm.1">xterm(1)</a> and
273: <a href="http://man.openbsd.org/pod2man.1">pod2man(1)</a>.
274: <li>Filter out non-ASCII characters in
275: <a href="http://man.openbsd.org/wall.1">wall(1)</a>.
1.12 schwarze 276: <li>Handle the <a href="http://man.openbsd.org/?apropos=1&query=Ev%3DCOLUMNS">COLUMNS</a>
277: environment variable consistently across many programs.
1.14 bluhm 278: <li>The options <tt>-c</tt> and <tt>-k</tt> allow to provide
279: TLS client certificates for
280: <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
281: on the sending side.
1.18 tedu 282: With that the receiving side can verify log messages
1.14 bluhm 283: are authentic.
284: Note that syslogd does not have this check feature yet.
285: <li>When the klog buffer overflows, syslogd will write a log
286: message to show that some entries is missing.
1.31 visa 287: <li>On OpenBSD/octeon, CPU cache write buffering is enabled
288: to improve performance.
1.35 espie 289: <li><a href="http://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and
290: <a href="http://man.openbsd.org/pkg_info.1">pkg_info(1)</a> now
291: understand a notion of branch to ease selection of some popular
292: packages such as python or php, e.g., say
293: <tt>pkg_add python%3.4</tt> to select the <tt>3.4</tt> branch,
294: and use <tt>pkg_info -zm</tt> to get a fuzzy listing with branch
295: selection suitable for <tt>pkg_add -l</tt>.
1.1 deraadt 296: </ul>
297: <p>
298:
1.28 deraadt 299: <li>OpenSMTPD 5.9.1
1.1 deraadt 300: <ul>
301: <li>...
302: </ul>
303: <p>
304:
1.28 deraadt 305: <li>OpenSSH 7.3
1.1 deraadt 306: <ul>
307: <li>Security:
308: <ul>
1.39 ! sobrado 309: <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 310: Mitigate a potential denial-of-service attack against the system's
! 311: <a href="http://man.openbsd.org/crypt.3">crypt(3)</a>
! 312: function via
! 313: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>.
! 314: An attacker could send very long passwords that would cause
! 315: excessive CPU use in
! 316: <a href="http://man.openbsd.org/crypt.3">crypt(3)</a>.
! 317: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>
! 318: now refuses to accept password authentication requests of length
! 319: greater than 1024 characters.
! 320: <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 321: Mitigate timing differences in password authentication that could be
! 322: used to discern valid from invalid account names when long passwords
! 323: were sent and particular password hashing algorithms are in use on
! 324: the server. CVE-2016-6210.
! 325: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
! 326: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 327: Fix observable timing weakness in the <i>CBC padding oracle
! 328: countermeasures</i>. Note that CBC ciphers are disabled by default
! 329: and only included for legacy compatibility.
! 330: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
! 331: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 332: Improve ordering ordering of MAC verification for
! 333: <i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to
! 334: verify the MAC before decrypting any ciphertext. This removes the
! 335: possibility of timing differences leaking facts about the plaintext,
! 336: though no such leakage is known.
1.1 deraadt 337: </ul>
338: <li>New/changed features:
339: <ul>
1.39 ! sobrado 340: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 341: Add a <tt>ProxyJump</tt> option and corresponding <tt>-J</tt>
! 342: command-line flag to allow simplified indirection through a one or
! 343: more SSH bastions or "jump hosts".
! 344: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 345: Add an <tt>IdentityAgent</tt> option to allow specifying specific
! 346: agent sockets instead of accepting one from the environment.
! 347: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 348: Allow <tt>ExitOnForwardFailure</tt> and <tt>ClearAllForwardings</tt>
! 349: to be optionally overridden when using <tt>ssh -W</tt>. (bz#2577)
! 350: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
! 351: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 352: Implement support for the IUTF8 terminal mode as per
! 353: <i>draft-sgtatham-secsh-iutf8-00</i>.
! 354: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
! 355: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 356: Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i>
! 357: and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>.
! 358: <li><a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
! 359: <a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
! 360: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 361: support SHA256 and SHA512 RSA signatures in certificates.
! 362: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 363: Add an <tt>Include</tt> directive for
! 364: <a href="http://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
! 365: files.
! 366: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 367: Permit UTF-8 characters in pre-authentication banners sent from the
! 368: server. (bz#2058)
1.1 deraadt 369: </ul>
370: <li>The following significant bugs have been fixed in this release:
371: <ul>
1.11 schwarze 372: <li>In <a href="http://man.openbsd.org/scp.1">scp(1)</a>
1.39 ! sobrado 373: and <a href="http://man.openbsd.org/sftp.1">sftp(1)</a>,
! 374: prevent screwing up terminal settings by escaping bytes
! 375: not forming ASCII or UTF-8 characters.
! 376: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>,
! 377: <a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 378: Reduce the syslog level of some relatively common protocol events
! 379: from <tt>LOG_CRIT</tt>. (bz#2585)
! 380: <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 381: Refuse <tt>AuthenticationMethods=""</tt> in configurations and accept
! 382: <tt>AuthenticationMethods=any</tt> for the default behaviour of not
! 383: requiring multiple authentication. (bz#2398)
! 384: <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 385: Remove obsolete and misleading <tt>"POSSIBLE BREAK-IN ATTEMPT!"</tt>
! 386: message when forward and reverse DNS don't match. (bz#2585)
! 387: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 388: Close <tt>ControlPersist</tt> background process stderr except in
! 389: debug mode or when logging to syslog. (bz#1988)
! 390: <li>misc: Make PROTOCOL description for
! 391: <i>direct-streamlocal@openssh.com</i> channel open messages match
! 392: deployed code. (bz#2529)
! 393: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 394: Deduplicate <tt>LocalForward</tt> and <tt>RemoteForward</tt> entries
! 395: to fix failures when both <tt>ExitOnForwardFailure</tt> and
! 396: <tt>hostname</tt> canonicalisation are enabled. (bz#2562)
! 397: <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 398: Remove fallback from moduli to obsolete "primes" file that was
! 399: deprecated in 2001. (bz#2559)
! 400: <li><a href="http://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
! 401: Correct description of <tt>UseDNS</tt>: it affects ssh hostname
! 402: processing for <tt>authorized_keys</tt>, not <tt>known_hosts</tt>.
! 403: (bz#2554)
! 404: <li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:
! 405: Fix authentication using lone certificate keys in an agent without
! 406: corresponding private keys on the filesystem. (bz#2550)
! 407: <li><a href="http://man.openbsd.org/sshd.8">sshd(8)</a>:
! 408: Send <tt>ClientAliveInterval</tt> pings when a time-based
! 409: <tt>RekeyLimit</tt> is set; previously keepalive packets were not
! 410: being sent. (bz#2252)
1.1 deraadt 411: </ul>
412: </ul>
413: <p>
1.5 sobrado 414:
415: <li>OpenNTPD 6.0
416: <ul>
417: <li>When a single "constraint" is specified, try all returned addresses
418: until one succeeds, rather than the first returned address.
419: <li>Relaxed the constraint error margin to be proportional to the number
420: of NTP peers, avoid constant reconnections when there is a bad NTP
421: peer.
422: <li>Removed disabled
1.6 schwarze 423: <a href="http://man.openbsd.org/hotplug.4">hotplug(4)</a>
1.5 sobrado 424: sensor support.
425: <li>Added support for detecting crashes in constraint subprocesses.
426: <li>Moved the execution of constraints from the ntp process to the
427: parent process, allowing for better privilege separation since the
428: ntp process can be further restricted.
429: <li>Added
1.6 schwarze 430: <a href="http://man.openbsd.org/pledge.2">pledge(2)</a>
1.5 sobrado 431: support.
432: <li>Fixed high CPU usage when the network is down.
433: <li>Fixed various memory leaks.
434: <li>Switched to RMS for jitter calculations.
435: <li>Unified logging functions with other OpenBSD base programs.
436: <li>Set <tt>MOD_MAXERROR</tt> to avoid unsynced time status when using
437: ntp_adjtime.
438: <li>Fixed HTTP Timestamp header parsing to use
1.6 schwarze 439: <a href="http://man.openbsd.org/strptime.3">strptime(3)</a>
1.5 sobrado 440: in a more portable fashion.
441: <li>Hardened TLS for
1.6 schwarze 442: <a href="http://man.openbsd.org/ntpd.8">ntpd(8)</a>
1.5 sobrado 443: constraints, enabling server name verification.
444: </ul>
445: <p>
446:
1.4 sobrado 447: <li>LibreSSL 2.4.2
1.1 deraadt 448: <ul>
449: <li>User-visible features:
450: <ul>
1.4 sobrado 451: <li>Fixed some broken manpage links in the install target.
452: <li><tt>cert.pem</tt> has been reorganized and synced with Mozilla's
453: certificate store.
454: <li>Reliability fix, correcting an error when parsing certain ASN.1
455: elements over 16k in size.
456: <li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites.
457: <li>Fixed password prompts from
1.6 schwarze 458: <a href="http://man.openbsd.org/openssl.1">openssl(1)</a>
1.4 sobrado 459: to properly handle ^C.
1.1 deraadt 460: </ul>
461: <li>Code improvements:
462: <ul>
1.4 sobrado 463: <li>Fixed an <i>nginx</i> compatibility issue by adding an
464: '<tt>install_sw</tt>' build target.
465: <li>Changed default
1.6 schwarze 466: <a href="http://man.openbsd.org/EVP_AEAD_CTX_init.3">EVP_aead_chacha20_poly1305(3)</a>
1.4 sobrado 467: implementation to the IETF version, which is now the default.
468: <li>Reworked error handling in <tt>libtls</tt> so that configuration
469: errors are more visible.
470: <li>Added missing error handling around
1.6 schwarze 471: <a href="http://man.openbsd.org/bn_wexpand.3">bn_wexpand(3)</a>
1.4 sobrado 472: calls.
473: <li>Added
1.6 schwarze 474: <a href="http://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a>
1.4 sobrado 475: calls for freed ASN.1 objects.
476: <li>Fixed <tt>X509_*set_object</tt> functions to return 0 on allocation
477: failure.
478: <li>Deprecated internal use of
1.6 schwarze 479: <a href="http://man.openbsd.org/EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>.
1.4 sobrado 480: <li>Fixed a problem that prevents the DSA signing algorithm from running
481: in constant time even if the flag <tt>BN_FLG_CONSTTIME</tt> is set.
482: <li>Fixed several issues in the OCSP code that could result in the
483: incorrect generation and parsing of OCSP requests. This remediates
484: a lack of error checking on time parsing in these functions, and
485: ensures that only <tt>GENERALIZEDTIME</tt> formats are accepted for
486: OCSP, as per <i>RFC 6960</i>.
487: </ul>
1.22 tom 488: <li>The following CVEs have been fixed:
1.4 sobrado 489: <ul>
490: <li><tt>CVE-2016-2105</tt>—EVP_EncodeUpdate overflow.
491: <li><tt>CVE-2016-2106</tt>—EVP_EncryptUpdate overflow.
492: <li><tt>CVE-2016-2107</tt>—padding oracle in AES-NI CBC MAC check.
493: <li><tt>CVE-2016-2108</tt>—memory corruption in the ASN.1 encoder.
494: <li><tt>CVE-2016-2109</tt>—ASN.1 BIO excessive memory allocation.
1.1 deraadt 495: </ul>
496: </ul>
497: <p>
498:
499: <li>Ports and packages:
1.35 espie 500: <dl>
501: <dt>New proot(1) tool in the ports tree for building packages in a chroot.
502: </dl>
1.1 deraadt 503: <dl>
504: <dt>Many pre-built packages for each architecture:
505: </dl>
506: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
507: <table border=0 cellspacing=0 cellpadding=2 width="95%">
508: <tr>
509: <td valign="top" width="25%">
510: <ul>
511: <li>alpha: xxxx
512: <li>amd64: xxxx
513: <li>hppa: xxxx
514: </ul></td><td valign=top width="25%"><ul>
515: <li>i386: xxxx
516: <li>mips64: xxxx
517: <li>mips64el: xxxx
518: </ul></td><td valign=top width="25%"><ul>
519: <li>powerpc: xxxx
520: <li>sparc64: xxxx
521: </ul></td></tr></table>
522: <p>
523:
524: <dl>
525: <dt>Some highlights:
526: </dl>
527: <table border=0 cellspacing=0 cellpadding=2 width="95%">
528: <tr>
1.7 schwarze 529: <td valign="top" width="50%"><ul>
530: <li>Afl 2.19b
531: <li>Chromium 51.0.2704.106
532: <li>Emacs 21.4 and 24.5
533: <li>GCC 4.9.3
534: <li>GHC 7.10.3
535: <li>Gimp 2.8.16
1.9 jasper 536: <li>GNOME 3.20.2
1.7 schwarze 537: <li>Go 1.6.3
538: <li>Groff 1.22.3
539: <li>JDK 7u80 and 8u72
1.9 jasper 540: <li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
1.7 schwarze 541: <li>LLVM/Clang 3.8.0
542: <li>LibreOffice 5.1.4.2
543: <li>Lua 5.1.5, 5.2.4, and 5.3.3
544: <li>MariaDB 10.0.25
545: <li>Mono 4.4.0.182
546: <li>Mozilla Firefox 45.2.0esr and 47.0.1
547: </ul></td><td valign=top width="50%"><ul>
548: <li>Mozilla Thunderbird 45.2.0
549: <li>Mutt 1.6.2
550: <li>Node.js 4.4.5
551: <li>OpenLDAP 2.3.43 and 2.4.44
552: <li>PHP 5.5.37, 5.6.23, and 7.0.8
553: <li>Postfix 3.1.1 and 3.2-20160515
554: <li>PostgreSQL 9.5.3
555: <li>Python 2.7.12, 3.4.5, and 3.5.2
556: <li>R 3.3.1
557: <li>Ruby 1.8.7.374, 2.0.0.648, 2.1.9, 2.2.5, and 2.3.1
558: <li>Rust 1.9.0-20160608
559: <li>Sendmail 8.15.2
560: <li>Sudo 1.8.17.1
561: <li>Tcl/Tk 8.5.18 and 8.6.4
562: <li>TeX Live 2015
563: <li>Vim 7.4.1467
564: <li>Xfce 4.12
565: </ul></td></tr></table>
1.1 deraadt 566: <p>
567:
568: <li>As usual, steady improvements in manual pages and other documentation.
569: <p>
570:
571: <li>The system includes the following major components from outside suppliers:
572: <ul>
1.8 schwarze 573: <li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
574: freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322,
575: xkeyboard-config 2.18 and more)
1.34 deraadt 576: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.8 schwarze 577: <li>Perl 5.20.3 (+ patches)
578: <li>SQLite 3.9.2 (+ patches)
579: <li>NSD 4.1.10
580: <li>Unbound 1.5.9
581: <li>Ncurses 5.7
582: <li>Binutils 2.17 (+ patches)
583: <li>Gdb 6.3 (+ patches)
584: <li>Awk Aug 10, 2011 version
1.12 schwarze 585: <li>Expat 2.1.1
1.1 deraadt 586: </ul>
587: </ul>
588:
589: <hr>
590:
591: <h3 id="install"><font color="#0000e0">How to install</font></h3>
592:
593: Following this are the instructions which you would have on a piece of
594: paper if you had purchased a CDROM set instead of doing an alternate
595: form of install. The instructions for doing an HTTP (or other style
596: of) install are very similar; the CDROM instructions are left intact
597: so that you can see how much easier it would have been if you had
598: purchased a CDROM instead.
599: <p>
600:
601: <hr>
602: <p>
603: Please refer to the following files on the three CDROMs or mirror site for
604: extensive details on how to install OpenBSD 6.0 on your machine:
605:
606: <ul>
607: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/alpha/INSTALL.alpha">
608: .../OpenBSD/6.0/alpha/INSTALL.alpha (on CD1)</a>
609: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/i386/INSTALL.i386">
610: .../OpenBSD/6.0/i386/INSTALL.i386 (on CD1)</a>
611: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/hppa/INSTALL.hppa">
612: .../OpenBSD/6.0/hppa/INSTALL.hppa (on CD1)</a>
613: <p>
614: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/amd64/INSTALL.amd64">
615: .../OpenBSD/6.0/amd64/INSTALL.amd64 (on CD2)</a>
616: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/macppc/INSTALL.macppc">
617: .../OpenBSD/6.0/macppc/INSTALL.macppc (on CD2)</a>
618: <p>
619: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/sparc64/INSTALL.sparc64">
620: .../OpenBSD/6.0/sparc64/INSTALL.sparc64 (on CD3)</a>
621: <p>
622: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/armv7/INSTALL.armv7">
623: .../OpenBSD/6.0/armv7/INSTALL.armv7</a>
624: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/hppa/INSTALL.hppa">
625: .../OpenBSD/6.0/hppa/INSTALL.hppa</a>
626: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/landisk/INSTALL.landisk">
627: .../OpenBSD/6.0/landisk/INSTALL.landisk</a>
628: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/loongson/INSTALL.loongson">
629: .../OpenBSD/6.0/loongson/INSTALL.loongson</a>
630: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/luna88k/INSTALL.luna88k">
631: .../OpenBSD/6.0/luna88k/INSTALL.luna88k</a>
632: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/octeon/INSTALL.octeon">
633: .../OpenBSD/6.0/octeon/INSTALL.octeon</a>
634: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/sgi/INSTALL.sgi">
635: .../OpenBSD/6.0/sgi/INSTALL.sgi</a>
636: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/socppc/INSTALL.socppc">
637: .../OpenBSD/6.0/socppc/INSTALL.socppc</a>
638: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/6.0/zaurus/INSTALL.zaurus">
639: .../OpenBSD/6.0/zaurus/INSTALL.zaurus</a>
640: </ul>
641:
642:
643: <hr>
644:
645: <p>
1.6 schwarze 646: Quick installer information for people familiar with OpenBSD, and the use of
647: the "<a href="http://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
648: If you are at all confused when installing OpenBSD, read the relevant
649: INSTALL.* file as listed above!
1.1 deraadt 650:
651: <h3><font color="#e00000">OpenBSD/i386:</font></h3>
652:
653: <ul style="list-style-type: none">
654: <li>
655: The OpenBSD/i386 release is on CD1.
656: Boot from the CD to begin the install - you may need to adjust
657: your BIOS options first.
658: <p>
659: <li>
660: If your machine can boot from USB, you can write <i>install60.fs</i> or
661: <i>miniroot60.fs</i> to a USB stick and boot from it.
662: <p>
663: <li>
664: If you can't boot from a CD, floppy disk, or USB,
665: you can install across the network using PXE as described in
666: the included INSTALL.i386 document.
667: <p>
668: <li>
669: If you are planning on dual booting OpenBSD with another OS, you will need to
670: read INSTALL.i386.
671: </ul>
672:
673: <h3><font color="#e00000">OpenBSD/amd64:</font></h3>
674:
675: <ul style="list-style-type: none">
676: <li>
677: The OpenBSD/amd64 release is on CD2.
678: Boot from the CD to begin the install - you may need to adjust
679: your BIOS options first.
680: <p>
681: <li>
682: If your machine can boot from USB, you can write <i>install60.fs</i> or
683: <i>miniroot60.fs</i> to a USB stick and boot from it.
684: <p>
685: <li>
686: If you can't boot from a CD, floppy disk, or USB,
687: you can install across the network using PXE as described in the included
688: INSTALL.amd64 document.
689: <p>
690: <li>
691: If you are planning to dual boot OpenBSD with another OS, you will need to
692: read INSTALL.amd64.
693: </ul>
694:
695: <h3><font color="#e00000">OpenBSD/macppc:</font></h3>
696:
697: <ul style="list-style-type: none">
698: <li>
699: Burn the image from a mirror site to a CDROM, and power on your machine
700: while holding down the <i>C</i> key until the display turns on and
701: shows <i>OpenBSD/macppc boot</i>.
702: <p>
703: <li>
704: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
705: /6.0/macppc/bsd.rd</i>
706: </ul>
707:
708: <h3><font color="#e00000">OpenBSD/sparc64:</font></h3>
709:
710: <ul style="list-style-type: none">
711: <li>
712: Put CD3 in your CDROM drive and type <i>boot cdrom</i>.
713: <p>
714: <li>
715: If this doesn't work, or if you don't have a CDROM drive, you can write
716: <i>CD3:6.0/sparc64/floppy60.fs</i> or <i>CD3:6.0/sparc64/floppyB60.fs</i>
717: (depending on your machine) to a floppy and boot it with <i>boot
718: floppy</i>. Refer to INSTALL.sparc64 for details.
719: <p>
720: <li>
721: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
722: will most likely fail.
723: <p>
724: <li>
725: You can also write <i>CD3:6.0/sparc64/miniroot60.fs</i> to the swap partition on
726: the disk and boot with <i>boot disk:b</i>.
727: <p>
728: <li>
729: If nothing works, you can boot over the network as described in INSTALL.sparc64.
730: </ul>
731:
732: <h3><font color="#e00000">OpenBSD/alpha:</font></h3>
733:
734: <ul style="list-style-type: none">
735: <li>
736: Write <i>FTP:6.0/alpha/floppy60.fs</i> or
737: <i>FTP:6.0/alpha/floppyB60.fs</i> (depending on your machine) to a diskette and
738: enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
739: <p>
740: <li>
741: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
742: will most likely fail.
743: </ul>
744:
745: <h3><font color="#e00000">OpenBSD/armv7:</font></h3>
746:
747: <ul style="list-style-type: none">
748: <li>
1.29 jsg 749: Write a system specific miniroot to an SD card and boot from it after connecting
750: to the serial console. Refer to INSTALL.armv7 for more details.
1.1 deraadt 751: <p>
752: </ul>
753:
754: <h3><font color="#e00000">OpenBSD/hppa:</font></h3>
755:
756: <ul style="list-style-type: none">
757: <li>
758: Boot over the network by following the instructions in INSTALL.hppa or the
759: <a href="hppa.html#install">hppa platform page</a>.
760: </ul>
761:
762: <h3><font color="#e00000">OpenBSD/landisk:</font></h3>
763:
764: <ul style="list-style-type: none">
765: <li>
766: Write <i>miniroot60.fs</i> to the start of the CF
767: or disk, and boot normally.
768: </ul>
769:
770: <h3><font color="#e00000">OpenBSD/loongson:</font></h3>
771:
772: <ul style="list-style-type: none">
773: <li>
774: Write <i>miniroot60.fs</i> to a USB stick and boot bsd.rd from it
775: or boot bsd.rd via tftp.
776: Refer to the instructions in INSTALL.loongson for more details.
777: </ul>
778:
779: <h3><font color="#e00000">OpenBSD/luna88k:</font></h3>
780:
781: <ul style="list-style-type: none">
782: <li>
783: Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
784: from the PROM, and then bsd.rd from the bootloader.
785: Refer to the instructions in INSTALL.luna88k for more details.
786: </ul>
787:
788: <h3><font color="#e00000">OpenBSD/octeon:</font></h3>
789:
790: <ul style="list-style-type: none">
791: <li>
792: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
793: Refer to the instructions in INSTALL.octeon for more details.
794: </ul>
795:
796: <h3><font color="#e00000">OpenBSD/sgi:</font></h3>
797:
798: <ul style="list-style-type: none">
799: <li>
800: To install, burn cd60.iso on a CD-R, put it in the CD drive of your
801: machine and select <i>Install System Software</i> from the System Maintenance
802: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
803: CD-ROM, and need a proper invocation from the PROM prompt.
804: Refer to the instructions in INSTALL.sgi for more details.
805:
806: <p>
807: <li>
808: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
809: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
810: system type. Refer to the instructions in INSTALL.sgi for more details.
811: </ul>
812:
813: <h3><font color="#e00000">OpenBSD/socppc:</font></h3>
814:
815: <ul style="list-style-type: none">
816: <li>
817: After connecting a serial port, boot over the network via DHCP/tftp.
818: Refer to the instructions in INSTALL.socppc for more details.
819: </ul>
820:
821: <h3><font color="#e00000">OpenBSD/zaurus:</font></h3>
822:
823: <ul style="list-style-type: none">
824: <li>
825: Using the Linux built-in graphical ipkg installer, install the
826: openbsd60_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
827: for a few important details.
828: </ul>
829:
830: <hr>
831:
832: <h3 id="upgrade"><font color="#0000e0">How to upgrade</font></h3>
833:
834: If you already have an OpenBSD 5.9 system, and do not want to reinstall,
835: upgrade instructions and advice can be found in the
836: <a href="faq/upgrade60.html">Upgrade Guide</a>.
837: <p>
838:
839: <hr>
840:
841: <h3 id="sourcecode"><font color="#0000e0">Notes about the source code</font></h3>
842:
1.6 schwarze 843: <tt>src.tar.gz</tt> contains a source archive starting at <tt>/usr/src</tt>.
844: This file contains everything you need except for the kernel sources,
845: which are in a separate archive.
846: To extract:
1.1 deraadt 847:
848: <blockquote><pre>
849: # <b>mkdir -p /usr/src</b>
850: # <b>cd /usr/src</b>
851: # <b>tar xvfz /tmp/src.tar.gz</b>
852: </pre></blockquote>
853:
1.6 schwarze 854: <tt>sys.tar.gz</tt> contains a source archive starting at <tt>/usr/src/sys</tt>.
1.1 deraadt 855: This file contains all the kernel sources you need to rebuild kernels.
856: To extract:
857:
858: <blockquote><pre>
859: # <b>mkdir -p /usr/src/sys</b>
860: # <b>cd /usr/src</b>
861: # <b>tar xvfz /tmp/sys.tar.gz</b>
862: </pre></blockquote>
863:
864: Both of these trees are a regular CVS checkout. Using these trees it
865: is possible to get a head-start on using the anoncvs servers as
866: described <a href="anoncvs.html">here</a>.
867: Using these files
868: results in a much faster initial CVS update than you could expect from
869: a fresh checkout of the full OpenBSD source tree.
870: <p>
871:
872: <hr>
873:
874: <h3 id="ports"><font color="#0000e0">Ports Tree</font></h3>
875:
876: A ports tree archive is also provided. To extract:
877:
878: <blockquote><pre>
879: # <b>cd /usr</b>
880: # <b>tar xvfz /tmp/ports.tar.gz</b>
881: </pre></blockquote>
882:
883: Go read the <a href="faq/ports/index.html">ports</a> page
884: if you know nothing about ports
885: at this point. This text is not a manual of how to use ports.
886: Rather, it is a set of notes meant to kickstart the user on the
887: OpenBSD ports system.
888: <p>
1.6 schwarze 889: The <i>ports/</i> directory represents a CVS checkout of our ports.
890: As with our complete source tree, our ports tree is available via
1.1 deraadt 891: <a href="anoncvs.html">AnonCVS</a>.
892: So, in order to keep up to date with the <i>-stable</i> branch, you must make
893: the <i>ports/</i> tree available on a read-write medium and update the tree
894: with a command like:
895:
896: <blockquote><pre>
897: # <b>cd /usr/ports</b>
898: # <b>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_0</b>
899: </pre></blockquote>
900:
901: [Of course, you must replace the server name here with a nearby anoncvs
902: server.]
903: <p>
904: Note that most ports are available as packages on our mirrors. Updated
905: ports for the 6.0 release will be made available if problems arise.
906: <p>
907: If you're interested in seeing a port added, would like to help out, or just
908: would like to know more, the mailing list
909: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
910: <p>
911: </body>
912: </html>