File: [local] / www / 60.html (download) (as text)
Revision 1.86, Wed May 6 13:34:47 2020 UTC (4 years ago) by deraadt
Branch: MAIN
CVS Tags: HEAD
Changes since 1.85: +1 -1 lines
be less different from other similar files
|
<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 6.0</title>
<meta name="description" content="OpenBSD 6.0">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/60.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.0
</h2>
<table>
<tr>
<td>
<a href="images/puff.jpg">
<img width="227" height="343" src="images/puff.jpg" alt="Puff"></a>
<td>
Released Sep 1, 2016<br>
Copyright 1997-2016, Theo de Raadt.<br>
<cite class=isbn>ISBN 978-0-9881561-8-0</cite>
<br>
6.0 Songs:
<a href="lyrics.html#60a">"Another Smash of the Stack"</a>,
<a href="lyrics.html#60b">"Black Hat"</a>,
<a href="lyrics.html#60c">"Money"</a><br>
<a href="lyrics.html#60d">"Comfortably Dumb (the misc song)"</a>,
<a href="lyrics.html#60e">"Mother"</a>,
<a href="lyrics.html#60f">"Goodbye"</a>.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.0/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata60.html">the 6.0 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus60.html">detailed log of changes</a> between the
5.9 and 6.0 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-60-base.pub:
<td>
RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
<tr><td>
openbsd-60-fw.pub:
<td>
RWRWf7GJKFvJTWEMIaw9wld0DujiqL1mlrC6HisE6i78C+2SRArV1Iyo
<tr><td>
openbsd-60-pkg.pub:
<td>
RWQHIajRlT2mX7tmRgb6oN6mfJu3AgQ/TU38acrWABO8lz90dR3rNmey
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.0.
For a comprehensive list, see the <a href="plus60.html">changelog</a> leading
to 6.0.
<ul>
<li>New/extended platforms:
<ul>
<li><a href="armv7.html">armv7</a>:
<ul>
<li>EFI bootloader added, kernels are now loaded from FFS instead
of FAT or EXT filesystems, without U-Boot headers.
<li>A single kernel and ramdisk are now used for all SoCs.
<li>Hardware is dynamically enumerated via Flattened Device
Tree (FDT) instead of via static tables based on board id numbers.
<li>Miniroot installer images include U-Boot 2016.07 with support for
EFI payloads.
</ul>
<li><a href="vax.html">vax</a>:
<ul>
<li>Removed.
</ul>
</ul>
<li>Improved hardware support, including:
<ul>
<li>New <a href="https://man.openbsd.org/bytgpio">bytgpio(4)</a>
driver for the Intel Bay Trail GPIO controller.
<li>New <a href="https://man.openbsd.org/chvgpio">chvgpio(4)</a>
driver for the Intel Cherry View GPIO controller.
<li>New <a href="https://man.openbsd.org/maxrtc">maxrtc(4)</a>
driver for the Maxim DS1307 real time clock.
<li>New <a href="https://man.openbsd.org/nvme">nvme(4)</a>
driver for the Non-Volatile Memory Express (NVMe) host controller interface.
<li>New <a href="https://man.openbsd.org/pcfrtc">pcfrtc(4)</a>
driver for the NXP PCF8523 real time clock.
<li>New <a href="https://man.openbsd.org/umb">umb(4)</a>
driver for the Mobile Broadband Interface Model (MBIM).
<li>New <a href="https://man.openbsd.org/ure">ure(4)</a>
driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
<li>New <a href="https://man.openbsd.org/utvfu">utvfu(4)</a>
driver for audio/video capture devices based on the Fushicai USBTV007.
<li>The <a href="https://man.openbsd.org/iwm">iwm(4)</a> driver
now supports Intel Wireless 3165 and 8260 devices, and works more
reliably in RAMDISK kernels.
<li>Support for I2C HID devices with GPIO signalled interrupts has
been added to <a href="https://man.openbsd.org/dwiic">dwiic(4)</a>.
<li>Support for larger bus widths, high speed modes, and DMA
transfers has been added to
<a href="https://man.openbsd.org/sdmmc">sdmmc(4)</a>,
<a href="https://man.openbsd.org/rtsx">rtsx(4)</a>,
<a href="https://man.openbsd.org/sdhc">sdhc(4)</a>, and
<a href="https://man.openbsd.org/imxesdhc">imxesdhc(4)</a>.
<li>Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
<li>Many USB device drivers have been enabled on OpenBSD/octeon.
<li>Improved support for hardware-reduced ACPI implementations.
<li>Improved support for ACPI 5.0 implementations.
<li>AES-NI crypto is now done without holding the kernel lock.
<li>Improved AGP support on PowerPC G5 machines.
<li>Added support for the SD card slot in Intel Bay Trail SoCs.
<li>The <a href="https://man.openbsd.org/ichiic">ichiic(4)</a> driver
now ignores the SMBALERT# interrupt to prevent an interrupt storm
with buggy BIOS implementations.
<li>Device attachment problems with the
<a href="https://man.openbsd.org/axen">axen(4)</a> driver have
been fixed.
<li>The <a href="https://man.openbsd.org/ral">ral(4)</a> driver
is more stable under load with RT2860 devices.
<li>Problems with dead keyboards after resume have been fixed in the
<a href="https://man.openbsd.org/pckbd">pckbd(4)</a> driver.
<li>The <a href="https://man.openbsd.org/rtsx">rtsx(4)</a> driver
now supports RTS522A devices.
<li>Initial support for MSI-X has been added.
<li>Support MSI-X in the
<a href="https://man.openbsd.org/virtio">virtio(4)</a> driver.
<li>Added a workaround for hardware DMA overruns to the
<a href="https://man.openbsd.org/man4/dc.4">dc(4)</a> driver.
<li>The <a href="https://man.openbsd.org/acpitz">acpitz(4)</a> driver
now spins the fan down after cooling if ACPI uses hysteresis for
active cooling.
<li>The <a href="https://man.openbsd.org/xhci">xhci(4)</a> driver
now performs handoff from an xHCI-capable BIOS correctly.
<li>Support for multi-touch input has been added to the
<a href="https://man.openbsd.org/wsmouse">wsmouse(4)</a> driver.
<li>The <a href="https://man.openbsd.org/uslcom">uslcom(4)</a> driver
now supports the serial console of Aruba 7xxx wireless controllers.
<li>The <a href="https://man.openbsd.org/re">re(4)</a> driver
now works around broken LED configurations in APU1 EEPROMs.
<li>The <a href="https://man.openbsd.org/ehci">ehci(4)</a> driver
now works around problems with ATI USB controllers (e.g. SB700).
<li>The <a href="https://man.openbsd.org/xen">xen(4)</a> driver
now supports domU configuration under Qubes OS.
</ul>
<li>IEEE 802.11 wireless stack improvements:
<ul>
<li>The HT block ack receive buffer logic follows the algorithm given
in the 802.11-2012 spec more closely.
<li>The <a href="https://man.openbsd.org/iwn">iwn(4)</a> driver now
keeps track of HT protection changes while associated to an 11n AP.
<li>The wireless stack and several drivers make more aggressive use
of RTS/CTS to avoid interference from legacy devices and hidden nodes.
<li>The <a href="https://man.openbsd.org/netstat">netstat(1)</a> -W
command now shows information about 802.11n events.
<li>In hostap mode, do not reuse association IDs of nodes which are
still cached. Fixes a problem where an access point using the
<a href="https://man.openbsd.org/ral">ral(4)</a> driver
would get stuck at 1 Mbps because Tx rate accounting happened
on the wrong node object.
</ul>
<li>Generic network stack improvements:
<ul>
<li>The routing table is now based on
<a href="http://www.hariguchi.org/art/art.pdf">ART</a> offering a
faster lookup.
<li>The number of route lookup per packet has been reduced to 1 in the
forwarding path.
<li>The prio field on VLAN headers is now correctly set on each fragment
of an IPv4 packet going out on a
<a href="https://man.openbsd.org/vlan.4">vlan(4)</a> interface.
<li>Enabled device cloning for
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>.
This allows the system to have just one bpf device node in /dev
that services all bpf consumers (up to 1024).
<li>The Tx queue of the
<a href="https://man.openbsd.org/cnmac">cnmac(4)</a>
driver can now be processed in parallel of the rest of the kernel.
<li>Network input path is now run in thread context.
</ul>
<li>Installer improvements:
<ul>
<li>updated list of restricted usercodes
<li>install.sh and upgrade.sh merged into install.sub
<li>update automatically runs <a href="https://man.openbsd.org/sysmerge">sysmerge(8)</a>
in batch mode before
<a href="https://man.openbsd.org/fw_update">fw_update(1)</a>
<li>questions and answers are logged in a format that can be used as a
response file for use by
<a href="https://man.openbsd.org/autoinstall">autoinstall(8)</a>
<li><code>/usr/local</code> is set to <code>wxallowed</code> during install
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>Add routing table support to
<a href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> and
<a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>.
<li>Let <a href="https://man.openbsd.org/nc.1">nc(1)</a>
support service names in addition to port numbers.
<li>Add <code>-M</code> and <code>-m</code> TTL flags to
<a href="https://man.openbsd.org/nc.1">nc(1)</a>.
<li>Add <code>AF_UNIX</code> support to
<a href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>.
<li>Fixed a regression in
<a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a>.
The daemon could hang if it was idle for a long time.
<li>Added the <code>llprio</code> option in
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
<li>Multiple programs that use
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>
have been modified to take advantage of
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>
device cloning by opening <code>/dev/bpf0</code> instead of looping
through <code>/dev/bpf*</code> devices. These programs include
<a href="https://man.openbsd.org/arp.8">arp(8)</a>,
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>,
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>,
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>,
<a href="https://man.openbsd.org/hostapd.8">hostapd(8)</a>,
<a href="https://man.openbsd.org/mopd.8">mopd(8)</a>,
<a href="https://man.openbsd.org/npppd.8">npppd(8)</a>,
<a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a>,
<a href="https://man.openbsd.org/rbootd.8">rbootd(8)</a>, and
<a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>.
The <a href="https://man.openbsd.org/pcap.3">libpcap</a> library
has also been modified accordingly.
</ul>
<li>Security improvements:
<ul>
<li><code>W^X</code> is now strictly enforced by default;
a program can only violate it if the executable is marked with
<code>PT_OPENBSD_WXNEEDED</code> and is located on a filesystem
mounted with the <code>wxallowed</code>
<a href="https://man.openbsd.org/mount.8">mount(8)</a> option.
Because there are still too many ports which violate W^X, the
installer mounts the <code>/usr/local</code> filesystem with
<code>wxallowed</code>. This allows the base system to be more
secure as long as <code>/usr/local</code> is a separate filesystem.
If you use no W^X violating programs, consider manually
revoking that option.
<li>The <a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a>
family of functions now apply XOR cookies to stack and return-address
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
<li>SROP mitigation: <a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a>
can now only be used by the kernel-provided signal trampoline,
with a cookie to detect attempts to reuse it.
<li>To deter code reuse exploits, <a href="https://man.openbsd.org/rc.8">rc(8)</a>
re-links libc.so on startup, placing the objects in a random order.
<li>In the <a href="https://man.openbsd.org/getpwnam.3">getpwnam(3)</a>
family of functions, stop opening the shadow database by default.
<li>Allow <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>
<code>-r</code> to be started without root privileges.
<li>Remove
<a href="https://man.openbsd.org/OpenBSD-5.9/systrace">systrace</a>.
<li>Remove Linux emulation support.
<li>Remove support for the usermount option.
<li>The TCP SYN cache reseeds its random hash function from
time to time.
This prevents an attacker from calculating the distribution
of the hash function with a timing attack.
<li>To work against SYN flooding attacks the administrator can
change the size of the hash array now.
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
<code>-s -p tcp</code> shows the relevant information to tune
the SYN cache with
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
<code>net.inet.tcp</code>.
<li>The administrator can require root privileges for binding to some TCP
and UDP ports with
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
<code>net.inet.tcp.rootonly</code> and
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
<code>net.inet.udp.rootonly</code>.
<li>Remove a function pointer from the
<a href="https://man.openbsd.org/mbuf.9">mbuf(9)</a> data structure
and use an index into an array of acceptable functions instead.
</ul>
<li>Assorted improvements:
<ul>
<li>The thread library can now be loaded into a single-threaded process.
<li>Improved symbol handling and standards compliance in libc.
For example, defining an <code>open()</code> function will no longer
interfere with the operation of
<a href="https://man.openbsd.org/fopen.3">fopen(3)</a>.
<li><code>PT_TLS</code> sections are now supported in initially loaded object.
<li>Improved handling of "no paths" and "empty path" in
<a href="https://man.openbsd.org/fts.3">fts(3)</a>.
<li>In <a href="https://man.openbsd.org/pcap.3">pcap(3)</a>,
provide the functions <code>pcap_free_datalinks()</code>
and <code>pcap_offline_filter()</code>.
<li>Many bugfixes and structural cleanup in the
<a href="https://man.openbsd.org/editline">editline(3)</a> library.
<li>Remove ancient
<a href="https://man.openbsd.org/OpenBSD-5.9/dbm.3">dbm(3)</a>
functions;
<a href="https://man.openbsd.org/ndbm.3">ndbm(3)</a> remains.
<li>Add <code>setenv</code> keyword for more powerful environment handling in
<a href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a>.
<li>Add <code>-g</code> and <code>-p</code> options to
<a href="https://man.openbsd.org/aucat.1">aucat.1</a>
for time positioning.
<li>Rewrite <a href="https://man.openbsd.org/audioctl.1">audioctl(1)</a>
with a simpler user interface.
<li>Add <code>-F</code> option to
<a href="https://man.openbsd.org/install.1">install(1)</a>
to <a href="https://man.openbsd.org/fsync.2">fsync(2)</a>
the file before closing it.
<li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
now dumps <code>pollfd</code> structures.
<li>Improve various details of
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> POSIX compliance.
<li><a href="https://man.openbsd.org/mknod.8">mknod(8)</a> rewritten in a
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>-friendly
style and to support creating multiple devices at once.
<li>Implement <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>
<code>get all</code> and <code>getdef all</code>.
<li>Implement the <a href="https://man.openbsd.org/rcs.1">rcs(1)</a>
<code>-I</code> (interactive) flag.
<li>In <a href="https://man.openbsd.org/rcs.1">rcs(1)</a>,
implement Mdocdate keyword substitution.
<li>In <a href="https://man.openbsd.org/top.1">top(1)</a>,
allow to filter process arguments if they are being displayed.
<li>Added UTF-8 support to
<a href="https://man.openbsd.org/fold.1">fold(1)</a> and
<a href="https://man.openbsd.org/rev.1">rev(1)</a>.
<li>Enable UTF-8 by default in
<a href="https://man.openbsd.org/xterm.1">xterm(1)</a> and
<a href="https://man.openbsd.org/pod2man.1">pod2man(1)</a>.
<li>Filter out non-ASCII characters in
<a href="https://man.openbsd.org/wall.1">wall(1)</a>.
<li>Handle the <a href="https://man.openbsd.org/?apropos=1&query=Ev%3DCOLUMNS">COLUMNS</a>
environment variable consistently across many programs.
<li>The options <code>-c</code> and <code>-k</code> allow to provide
TLS client certificates for
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
on the sending side.
With that the receiving side can verify log messages
are authentic.
Note that syslogd does not have this check feature yet.
<li>When the klog buffer overflows, syslogd will write a log
message to show that some entries is missing.
<li>On OpenBSD/octeon, CPU cache write buffering is enabled
to improve performance.
<li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and
<a href="https://man.openbsd.org/pkg_info.1">pkg_info(1)</a> now
understand a notion of branch to ease selection of some popular
packages such as python or php, e.g., say
<code>pkg_add python%3.4</code> to select the <code>3.4</code> branch,
and use <code>pkg_info -zm</code> to get a fuzzy listing with branch
selection suitable for <code>pkg_add -l</code>.
<li><a href="https://man.openbsd.org/fdisk">fdisk(8)</a> and
<a href="https://man.openbsd.org/pdisk">pdisk(8)</a>
immediately exit unless passed a character special device
<li><a href="https://man.openbsd.org/st">st(4)</a>
correctly tracks the current block count for variable sized blocks
<li><a href="https://man.openbsd.org/fsck_ext2fs">fsck_ext2fs(8)</a>
works again
<li><a href="https://man.openbsd.org/softraid">softraid(4)</a> volumes
can be constructed with disks that have a sector size other than 512 bytes
<li><a href="https://man.openbsd.org/dhclient">dhclient(8)</a>
DECLINE's and discards unused OFFER's.
<li><a href="https://man.openbsd.org/dhclient">dhclient(8)</a>
immediately exits if its interface (e.g. a
<a href="https://man.openbsd.org/bridge">bridge(4)</a>)
returns EAFNOSUPPORT when a packet is sent.
<li><a href="https://man.openbsd.org/httpd">httpd(8)</a> returns
400 Bad Request for HTTP v0.9 requests.
<li>ffs2's lazy node initialization avoids treating random disk data as
an inode
<li><a href="https://man.openbsd.org/fcntl">fcntl(2)</a> invocations
in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
<li><a href="https://man.openbsd.org/socket">socket(2)</a> and
<a href="https://man.openbsd.org/accept4">accept4(2)</a> invocations
in base programs use SOCK_NONBLOCK to eliminate the need for a separate
<a href="https://man.openbsd.org/fcntl">fcntl(2)</a>.
<li>tmpfs not enabled by default
<li>the in-kernel semantics of
<a href="https://man.openbsd.org/pledge">pledge(2)</a>
were improved in numerous ways.
Highlights include:
a new <code>chown</code> promise that allows pledged programs to set
setugid attributes,
a stricter enforcement of the <code>recvfd</code> promise and
<a href="https://man.openbsd.org/chroot.2">chroot(2)</a> is no longer
allowed for pledged programs.
<li>a number of
<a href="https://man.openbsd.org/pledge">pledge(2)</a>-related bugs
(missing promises, unintended changes of behavior, crashes) were fixed,
notably in
<a href="https://man.openbsd.org/gzip">gzip(1)</a>,
<a href="https://man.openbsd.org/nc">nc(1)</a>,
<a href="https://man.openbsd.org/sed">sed(1)</a>,
<a href="https://man.openbsd.org/skeyinit">skeyinit(1)</a>,
<a href="https://man.openbsd.org/stty">stty(1)</a>,
and various disk-related utilities, such as
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a> and
<a href="https://man.openbsd.org/fdisk">fdisk(8)</a>.
<li>Block size calculation errors in the
<a href="https://man.openbsd.org/audio">audio(4)</a> driver
have been fixed.
<li>The <a href="https://man.openbsd.org/usb">usb(4)</a> driver
now caches vendor and product IDs. Fixes an issue where
<a href="https://man.openbsd.org/usbdevs">usbdevs(8)</a> called
in a loop would cause a USB mass storage device to halt operation.
<li>The <a href="https://man.openbsd.org/rsu">rsu(4)</a> and
<a href="https://man.openbsd.org/ural">ural(4)</a> drivers
are now working again after they were accidentally broken in 5.9.
</ul>
<li>OpenSMTPD 6.0.0
<ul>
<li>Security:
<ul>
<li>Implement the fork+exec pattern in
<a href="https://man.openbsd.org/smtpd">smtpd(8)</a>.
<li>Fix a logic issue in the SMTP state machine that can lead to
an invalid state and result in a crash.
<li>Plug a file-pointer leak that can lead to resource exhaustion
and result in a crash.
<li>Use automatic DH parameters instead of fixed ones.
<li>Disable DHE by default since it is computationally expensive
and a potential DoS vector.
</ul>
<li>The following improvements were brought in this release:
<ul>
<li>Add the <code>-r</code> option to the
<a href="https://man.openbsd.org/smtpd">smtpd(8)</a>
enqueuer for compatibility with mailx.
<li>Add missing date or message-id when listening on the submit
port.
<li>Fix "smtpctl show queue" reporting "invalid" envelope state.
<li>Rework the format of the "Received" header so that the TLS
part does not violate the RFC.
<li>Increase the number of connections a local address is
allowed to establish, and decrease the delay between
transactions in the same session.
<li>Fix LMTP delivery to servers returning continuation lines.
<li>Further improve the still experimental filter API and fix
various related issues.
<li>Start improving and unifying the format of log messages.
<li>Fix several documentation discrepancies and typos in the man
pages.
</ul>
</ul>
<li>OpenSSH 7.3
<ul>
<li>Security:
<ul>
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Mitigate a potential denial-of-service attack against the system's
<a href="https://man.openbsd.org/crypt.3">crypt(3)</a>
function via
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
An attacker could send very long passwords that would cause
excessive CPU use in
<a href="https://man.openbsd.org/crypt.3">crypt(3)</a>.
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
now refuses to accept password authentication requests of length
greater than 1024 characters.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Mitigate timing differences in password authentication that could be
used to discern valid from invalid account names when long passwords
were sent and particular password hashing algorithms are in use on
the server. CVE-2016-6210.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Fix observable timing weakness in the <i>CBC padding oracle
countermeasures</i>. Note that CBC ciphers are disabled by default
and only included for legacy compatibility.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Improve ordering of MAC verification for
<i>Encrypt-then-MAC</i> (EtM) mode transport MAC algorithms to
verify the MAC before decrypting any ciphertext. This removes the
possibility of timing differences leaking facts about the plaintext,
though no such leakage is known.
</ul>
<li>New/changed features:
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Add a <code>ProxyJump</code> option and corresponding <code>-J</code>
command-line flag to allow simplified indirection through a one or
more SSH bastions or "jump hosts".
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Add an <code>IdentityAgent</code> option to allow specifying specific
agent sockets instead of accepting one from the environment.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Allow <code>ExitOnForwardFailure</code> and <code>ClearAllForwardings</code>
to be optionally overridden when using <code>ssh -W</code>. (bz#2577)
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Implement support for the IUTF8 terminal mode as per
<i>draft-sgtatham-secsh-iutf8-00</i>.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Add support for additional <i>fixed Diffie-Hellman 2K</i>, <i>4K</i>
and <i>8K</i> groups from <i>draft-ietf-curdle-ssh-kex-sha2-03</i>.
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
support SHA256 and SHA512 RSA signatures in certificates.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Add an <code>Include</code> directive for
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
files.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Permit UTF-8 characters in pre-authentication banners sent from the
server. (bz#2058)
</ul>
<li>The following significant bugs have been fixed in this release:
<ul>
<li>In <a href="https://man.openbsd.org/scp.1">scp(1)</a>
and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>,
prevent screwing up terminal settings by escaping bytes
not forming ASCII or UTF-8 characters.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Reduce the syslog level of some relatively common protocol events
from <code>LOG_CRIT</code>. (bz#2585)
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Refuse <code>AuthenticationMethods=""</code> in configurations and accept
<code>AuthenticationMethods=any</code> for the default behaviour of not
requiring multiple authentication. (bz#2398)
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Remove obsolete and misleading <code>"POSSIBLE BREAK-IN ATTEMPT!"</code>
message when forward and reverse DNS don't match. (bz#2585)
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Close <code>ControlPersist</code> background process stderr except in
debug mode or when logging to syslog. (bz#1988)
<li>misc: Make PROTOCOL description for
<i>direct-streamlocal@openssh.com</i> channel open messages match
deployed code. (bz#2529)
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Deduplicate <code>LocalForward</code> and <code>RemoteForward</code> entries
to fix failures when both <code>ExitOnForwardFailure</code> and
<code>hostname</code> canonicalisation are enabled. (bz#2562)
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Remove fallback from moduli to obsolete "primes" file that was
deprecated in 2001. (bz#2559)
<li><a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
Correct description of <code>UseDNS</code>: it affects ssh hostname
processing for <code>authorized_keys</code>, not <code>known_hosts</code>.
(bz#2554)
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
Fix authentication using lone certificate keys in an agent without
corresponding private keys on the filesystem. (bz#2550)
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Send <code>ClientAliveInterval</code> pings when a time-based
<code>RekeyLimit</code> is set; previously keepalive packets were not
being sent. (bz#2252)
</ul>
</ul>
<li>OpenNTPD 6.0
<ul>
<li>When a single "constraint" is specified, try all returned addresses
until one succeeds, rather than the first returned address.
<li>Relaxed the constraint error margin to be proportional to the number
of NTP peers, avoid constant reconnections when there is a bad NTP
peer.
<li>Removed disabled
<a href="https://man.openbsd.org/hotplug.4">hotplug(4)</a>
sensor support.
<li>Added support for detecting crashes in constraint subprocesses.
<li>Moved the execution of constraints from the ntp process to the
parent process, allowing for better privilege separation since the
ntp process can be further restricted.
<li>Fixed high CPU usage when the network is down.
<li>Fixed various memory leaks.
<li>Switched to RMS for jitter calculations.
<li>Unified logging functions with other OpenBSD base programs.
<li>Set <code>MOD_MAXERROR</code> to avoid unsynced time status when using
ntp_adjtime.
<li>Fixed HTTP Timestamp header parsing to use
<a href="https://man.openbsd.org/strptime.3">strptime(3)</a>
in a more portable fashion.
<li>Hardened TLS for
<a href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>
constraints, enabling server name verification.
</ul>
<li>LibreSSL 2.4.2
<ul>
<li>User-visible features:
<ul>
<li>Fixed some broken manpage links in the install target.
<li><code>cert.pem</code> has been reorganized and synced with Mozilla's
certificate store.
<li>Reliability fix, correcting an error when parsing certain ASN.1
elements over 16k in size.
<li>Implemented the IETF <i>ChaCha20-Poly1305</i> cipher suites.
<li>Fixed password prompts from
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
to properly handle ^C.
</ul>
<li>Code improvements:
<ul>
<li>Fixed an <i>nginx</i> compatibility issue by adding an
'<code>install_sw</code>' build target.
<li>Changed default
<a href="https://man.openbsd.org/EVP_AEAD_CTX_init.3">EVP_aead_chacha20_poly1305(3)</a>
implementation to the IETF version, which is now the default.
<li>Reworked error handling in <code>libtls</code> so that configuration
errors are more visible.
<li>Added missing error handling around
<a href="https://man.openbsd.org/bn_wexpand.3">bn_wexpand(3)</a>
calls.
<li>Added
<a href="https://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a>
calls for freed ASN.1 objects.
<li>Fixed <code>X509_*set_object</code> functions to return 0 on allocation
failure.
<li>Deprecated internal use of
<a href="https://man.openbsd.org/EVP_EncryptInit">EVP_[Cipher|Encrypt|Decrypt]_Final</a>.
<li>Fixed a problem that prevents the DSA signing algorithm from running
in constant time even if the flag <code>BN_FLG_CONSTTIME</code> is set.
<li>Fixed several issues in the OCSP code that could result in the
incorrect generation and parsing of OCSP requests. This remediates
a lack of error checking on time parsing in these functions, and
ensures that only <code>GENERALIZEDTIME</code> formats are accepted for
OCSP, as per <i>RFC 6960</i>.
</ul>
<li>The following CVEs have been fixed:
<ul>
<li><code>CVE-2016-2105</code>—EVP_EncodeUpdate overflow.
<li><code>CVE-2016-2106</code>—EVP_EncryptUpdate overflow.
<li><code>CVE-2016-2107</code>—padding oracle in AES-NI CBC MAC check.
<li><code>CVE-2016-2108</code>—memory corruption in the ASN.1 encoder.
<li><code>CVE-2016-2109</code>—ASN.1 BIO excessive memory allocation.
</ul>
</ul>
<li><p>Ports and packages:
<p>New proot(1) tool in the ports tree for building packages in a chroot.
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 3">
<li>alpha: 7422
<li>amd64: 9433
<li>hppa: 6346
<li>i386: 9394
<li>mips64: 7921
<li>mips64el: 7767
<li>powerpc: 8318
<li>sparc64: 8570
</ul>
<p>Some highlights:
<ul style="column-count: 2">
<li>Afl 2.19b
<li>Chromium 51.0.2704.106
<li>Emacs 21.4 and 24.5
<li>GCC 4.9.3
<li>GHC 7.10.3
<li>Gimp 2.8.16
<li>GNOME 3.20.2
<li>Go 1.6.3
<li>Groff 1.22.3
<li>JDK 7u80 and 8u72
<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
<li>LLVM/Clang 3.8.0
<li>LibreOffice 5.1.4.2
<li>Lua 5.1.5, 5.2.4, and 5.3.3
<li>MariaDB 10.0.25
<li>Mono 4.4.0.182
<li>Mozilla Firefox 45.2.0esr and 47.0.1
<li>Mozilla Thunderbird 45.2.0
<li>Mutt 1.6.2
<li>Node.js 4.4.5
<li>Ocaml 4.3.0
<li>OpenLDAP 2.3.43 and 2.4.44
<li>PHP 5.5.37, 5.6.23, and 7.0.8
<li>Postfix 3.1.1 and 3.2-20160515
<li>PostgreSQL 9.5.3
<li>Python 2.7.12, 3.4.5, and 3.5.2
<li>R 3.3.1
<li>Ruby 1.8.7.374, 2.0.0.648, 2.1.9, 2.2.5, and 2.3.1
<li>Rust 1.9.0-20160608
<li>Sendmail 8.15.2
<li>Sudo 1.8.17.1
<li>Tcl/Tk 8.5.18 and 8.6.4
<li>TeX Live 2015
<li>Vim 7.4.1467
<li>Xfce 4.12
</ul>
<li>As usual, steady improvements in manual pages and other documentation.
<li>The system includes the following major components from outside suppliers:
<ul>
<li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322,
xkeyboard-config 2.18 and more)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.20.3 (+ patches)
<li>SQLite 3.9.2 (+ patches)
<li>NSD 4.1.10
<li>Unbound 1.5.9
<li>Ncurses 5.7
<li>Binutils 2.17 (+ patches)
<li>Gdb 6.3 (+ patches)
<li>Awk Aug 10, 2011 version
<li>Expat 2.1.1
</ul>
</ul>
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an HTTP (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
<hr>
<p>
Please refer to the following files on the three CDROMs or mirror site for
extensive details on how to install OpenBSD 6.0 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/alpha/INSTALL.alpha">
.../OpenBSD/6.0/alpha/INSTALL.alpha (on CD1)</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/i386/INSTALL.i386">
.../OpenBSD/6.0/i386/INSTALL.i386 (on CD1)</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/hppa/INSTALL.hppa">
.../OpenBSD/6.0/hppa/INSTALL.hppa (on CD1)</a>
<p>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/amd64/INSTALL.amd64">
.../OpenBSD/6.0/amd64/INSTALL.amd64 (on CD2)</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/macppc/INSTALL.macppc">
.../OpenBSD/6.0/macppc/INSTALL.macppc (on CD2)</a>
<p>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/sparc64/INSTALL.sparc64">
.../OpenBSD/6.0/sparc64/INSTALL.sparc64 (on CD3)</a>
<p>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/armv7/INSTALL.armv7">
.../OpenBSD/6.0/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/hppa/INSTALL.hppa">
.../OpenBSD/6.0/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/landisk/INSTALL.landisk">
.../OpenBSD/6.0/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/loongson/INSTALL.loongson">
.../OpenBSD/6.0/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/luna88k/INSTALL.luna88k">
.../OpenBSD/6.0/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/octeon/INSTALL.octeon">
.../OpenBSD/6.0/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/sgi/INSTALL.sgi">
.../OpenBSD/6.0/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/socppc/INSTALL.socppc">
.../OpenBSD/6.0/socppc/INSTALL.socppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.0/zaurus/INSTALL.zaurus">
.../OpenBSD/6.0/zaurus/INSTALL.zaurus</a>
</ul>
</section>
<hr>
<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
<h3>OpenBSD/i386:</h3>
<p>
The OpenBSD/i386 release is on CD1.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install60.fs</i> or
<i>miniroot60.fs</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
<h3>OpenBSD/amd64:</h3>
<p>
The OpenBSD/amd64 release is on CD2.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install60.fs</i> or
<i>miniroot60.fs</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
<h3>OpenBSD/macppc:</h3>
<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.
<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.0/macppc/bsd.rd</i>
<h3>OpenBSD/sparc64:</h3>
<p>
Put CD3 in your CDROM drive and type <i>boot cdrom</i>.
<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>CD3:6.0/sparc64/floppy60.fs</i> or <i>CD3:6.0/sparc64/floppyB60.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<p>
You can also write <i>CD3:6.0/sparc64/miniroot60.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
<h3>OpenBSD/alpha:</h3>
<p>
Write <i>6.0/alpha/floppy60.fs</i> or
<i>6.0/alpha/floppyB60.fs</i> (depending on your machine) to a diskette and
enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<h3>OpenBSD/armv7:</h3>
<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
<h3>OpenBSD/hppa:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.
<h3>OpenBSD/landisk:</h3>
<p>
Write <i>miniroot60.fs</i> to the start of the CF
or disk, and boot normally.
<h3>OpenBSD/loongson:</h3>
<p>
Write <i>miniroot60.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
<h3>OpenBSD/luna88k:</h3>
<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
<h3>OpenBSD/octeon:</h3>
<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
<h3>OpenBSD/sgi:</h3>
<p>
To install, burn cd60.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
<p>
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
<h3>OpenBSD/socppc:</h3>
<p>
After connecting a serial port, boot over the network via DHCP/tftp.
Refer to the instructions in INSTALL.socppc for more details.
<h3>OpenBSD/zaurus:</h3>
<p>
Using the Linux built-in graphical ipkg installer, install the
openbsd60_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
for a few important details.
</section>
<hr>
<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 5.9 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade60.html">Upgrade Guide</a>.
</section>
<hr>
<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>
<hr>
<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided. To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_0</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.0 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
</section>
![[BACK]](/icons/back.gif){kind=icon}
Return to 60.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www