Annotation of www/61.html, Revision 1.101
1.95 bentley 1: <!doctype html>
2: <html lang=en id=release>
3: <meta charset=utf-8>
4:
1.1 deraadt 5: <title>OpenBSD 6.1</title>
6: <meta name="description" content="OpenBSD 6.1">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/61.html">
10:
1.95 bentley 11: <h2 id=OpenBSD>
1.1 deraadt 12: <a href="index.html">
1.95 bentley 13: <i>Open</i><b>BSD</b></a>
14: 6.1
1.1 deraadt 15: </h2>
16:
1.95 bentley 17: <table>
18: <tr>
19: <td>
1.90 deraadt 20: <a href="images/Fugu.gif">
1.100 deraadt 21: <img width="227" height="343" src="images/Fugu.gif" alt="Fugu"></a>
1.95 bentley 22: <td>
1.90 deraadt 23: Released April 11, 2017<br>
1.1 deraadt 24: Copyright 1997-2017, Theo de Raadt.<br>
25: <br>
26: 6.1 Song:
1.90 deraadt 27: <a href="lyrics.html#61">"Winter of 95"</a>.
1.94 deraadt 28: <br>
1.1 deraadt 29: <br>
30: <ul>
31: <li>See the information on <a href="ftp.html">the FTP page</a> for
32: a list of mirror machines.
1.95 bentley 33: <li>Go to the <code class=reldir>pub/OpenBSD/6.1/</code> directory on
1.1 deraadt 34: one of the mirror sites.
35: <li>Have a look at <a href="errata61.html">the 6.1 errata page</a> for a list
36: of bugs and workarounds.
37: <li>See a <a href="plus61.html">detailed log of changes</a> between the
38: 6.0 and 6.1 releases.
39: <p>
1.91 tb 40: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
1.93 deraadt 41: pubkeys for this release:<p>
42:
1.95 bentley 43: <table class=signify>
44: <tr><td>
45: openbsd-61-base.pub:
1.93 deraadt 46: <td>
47: RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
1.95 bentley 48: <tr><td>
1.93 deraadt 49: openbsd-61-fw.pub:
1.95 bentley 50: <td>
1.93 deraadt 51: RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
1.95 bentley 52: <tr><td>
1.93 deraadt 53: openbsd-61-pkg.pub:
1.95 bentley 54: <td>
1.93 deraadt 55: RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
56: </table>
1.96 deraadt 57: </ul>
1.1 deraadt 58: <p>
59: All applicable copyrights and credits are in the src.tar.gz,
60: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
1.98 deraadt 61: files fetched via <code>ports.tar.gz</code>.
1.95 bentley 62: </table>
1.1 deraadt 63:
64: <hr>
65:
1.95 bentley 66: <section id=new>
67: <h3>What's New</h3>
68: <p>
1.1 deraadt 69: This is a partial list of new features and systems included in OpenBSD 6.1.
70: For a comprehensive list, see the <a href="plus61.html">changelog</a> leading
71: to 6.1.
72:
73: <ul>
74: <li>New/extended platforms:
75: <ul>
1.21 schwarze 76: <li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> platform,
1.91 tb 77: using <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
1.21 schwarze 78: as the base system compiler.
1.88 kettenis 79: <li>The <a href="https://www.openbsd.org/armv7.html">armv7</a> platform
80: has seen some major improvements, including a switch to EABI and
81: support for a lot more hardware.
1.52 visa 82: <li>The <a href="https://www.openbsd.org/loongson.html">loongson</a>
83: platform now supports systems with Loongson 3A CPU and RS780E chipset.
1.14 schwarze 84: <li>The following platforms were retired:
1.21 schwarze 85: <a href="https://www.openbsd.org/armish.html">armish</a>,
1.14 schwarze 86: <a href="https://www.openbsd.org/sparc.html">sparc</a>,
1.71 tb 87: <a href="https://www.openbsd.org/zaurus.html">zaurus</a>.
1.1 deraadt 88: </ul>
89: <p>
90:
91: <li>Improved hardware support, including:
92: <ul>
1.91 tb 93: <li>New <a href="https://man.openbsd.org/acpials.4">acpials(4)</a>
1.21 schwarze 94: driver for ACPI ambient light sensor devices.
1.91 tb 95: <li>New <a href="https://man.openbsd.org/acpihve.4">acpihve(4)</a>
1.21 schwarze 96: driver for feeding Hyper-V entropy into the kernel pool.
1.91 tb 97: <li>New <a href="https://man.openbsd.org/acpisbs.4">acpisbs(4)</a>
1.62 jcs 98: driver for ACPI Smart Battery devices.
1.91 tb 99: <li>New <a href="https://man.openbsd.org/dwge.4">dwge(4)</a>
1.23 jsg 100: driver for Designware GMAC 10/100/Gigabit Ethernet devices.
1.91 tb 101: <li>New <a href="https://man.openbsd.org/loongson/htb.4">htb(4)</a>
1.21 schwarze 102: driver for Loongson 3A PCI host bridges.
1.91 tb 103: <li>New <a href="https://man.openbsd.org/hvn.4">hvn(4)</a>
1.21 schwarze 104: driver for Hyper-V networking interfaces.
1.91 tb 105: <li>New <a href="https://man.openbsd.org/hyperv.4">hyperv(4)</a>
1.21 schwarze 106: driver for the Hyper-V guest nexus device.
1.91 tb 107: <li>New <a href="https://man.openbsd.org/iatp.4">iatp(4)</a>
1.21 schwarze 108: driver for the Atmel maXTouch touchpad and touchscreen.
1.91 tb 109: <li>New <a href="https://man.openbsd.org/armv7/imxtemp.4">imxtemp(4)</a>
1.21 schwarze 110: driver for Freescale i.MX6 temperature sensors.
1.91 tb 111: <li>New <a href="https://man.openbsd.org/loongson/leioc.4">leioc(4)</a>
1.21 schwarze 112: driver for the Loongson 3A low-end IO controller.
1.91 tb 113: <li>New <a href="https://man.openbsd.org/octeon/octmmc.4">octmmc(4)</a>
1.4 visa 114: driver for the OCTEON MMC host controller.
1.91 tb 115: <li>New <a href="https://man.openbsd.org/armv7/ompinmux.4">ompinmux(4)</a>
1.21 schwarze 116: driver for OMAP pin multiplexing.
1.91 tb 117: <li>New <a href="https://man.openbsd.org/armv7/omwugen.4">omwugen(4)</a>
1.21 schwarze 118: driver for OMAP wake-up generators.
1.91 tb 119: <li>New <a href="https://man.openbsd.org/armv7/psci.4">psci(4)</a>
1.21 schwarze 120: driver for the ARM Power State Coordination Interface.
1.91 tb 121: <li>New <a href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
1.21 schwarze 122: driver for the simple frame buffer on systems
1.23 jsg 123: using a device tree.
1.91 tb 124: <li>New <a href="https://man.openbsd.org/armv7/sximmc.4">sximmc(4)</a>
1.23 jsg 125: driver for Allwinner A1X/A20 MMC/SD/SDIO controllers.
1.91 tb 126: <li>New <a href="https://man.openbsd.org/tpm.4">tpm(4)</a>
1.23 jsg 127: driver for Trusted Platform Module devices.
1.91 tb 128: <li>New <a href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>
1.21 schwarze 129: driver for Wacom USB tablets.
1.91 tb 130: <li>New <a href="https://man.openbsd.org/vmmci.4">vmmci(4)</a>
1.21 schwarze 131: VMM control interface.
1.91 tb 132: <li>New <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>
1.21 schwarze 133: driver for Xen Blkfront virtual disks.
1.91 tb 134: <li>New <a href="https://man.openbsd.org/luna88k/xp.4">xp(4)</a>
1.21 schwarze 135: driver for the LUNA-88K HD647180X I/O processor.
1.58 jsg 136: <li>Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs
137: has been added to the
1.95 bentley 138: <a href="https://man.openbsd.org/em">em(4)</a> driver.
1.58 jsg 139: <li>Support for RTL8153 USB 3.0 Gigabit Ethernet based devices
140: has been added to the
1.95 bentley 141: <a href="https://man.openbsd.org/ure">ure(4)</a> driver.
1.62 jcs 142: <li>Improved ACPI support for modern Apple hardware, including S3 suspend
143: and resume.
1.69 mikeb 144: <li>Support for X550 family of 10 Gigabit Ethernet based devices
145: has been added to the
1.95 bentley 146: <a href="https://man.openbsd.org/ix">ix(4)</a> driver.
1.1 deraadt 147: </ul>
1.71 tb 148:
149: <p>
1.91 tb 150: <li>New <a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
151: <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>:
1.71 tb 152: <ul>
1.81 deraadt 153: <li>Support was partially integrated in 6.0, but disabled.
1.71 tb 154: <li>Support for amd64 and i386 hosts.
155: <li>BIOS payload provided via vmm-firmware, delivered via
1.91 tb 156: <a href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
1.71 tb 157: <li>Support for Linux guest VMs.
1.76 tb 158: <li>Better interrupt handling and legacy device emulation.
1.91 tb 159: <li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a> no longer
1.71 tb 160: requires VMX unrestricted guest capability (Nehalem and later CPUs
161: are sufficient).
162: <li>Removed bounce buffers previously used by
1.91 tb 163: <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> for
164: <a href="https://man.openbsd.org/vio.4">vio(4)</a> and
165: <a href="https://man.openbsd.org/vioblk.4">vioblk(4)</a> devices.
1.71 tb 166: <li>Support VMs with > 2GB RAM.
1.91 tb 167: <li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> uses
168: <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> and the
1.71 tb 169: fork+exec model.
1.91 tb 170: <li><a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
1.71 tb 171: expanded to include VM ownership rules (uid/gid).
1.91 tb 172: <li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>/
173: <a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
1.71 tb 174: supports automatic
1.91 tb 175: <a href="https://man.openbsd.org/bridge.4">bridge(4)</a> and
176: <a href="https://man.openbsd.org/switch.4">switch(4)</a> configuration
1.71 tb 177: for VM network interfaces.
1.91 tb 178: <li><a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
1.71 tb 179: graceful VM shutdown via
1.91 tb 180: <a href="https://man.openbsd.org/amd64/vmmci.4">vmmci(4)</a>.
1.71 tb 181: </ul>
1.1 deraadt 182: <p>
183:
184: <li>IEEE 802.11 wireless stack improvements:
185: <ul>
1.91 tb 186: <li>The <a href="https://man.openbsd.org/ral.4">ral(4)</a> driver
1.28 stsp 187: now supports Ralink RT3900E (RT5390, RT3292) devices.
1.91 tb 188: <li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
189: <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> drivers
1.28 stsp 190: now support the short guard interval (SGI) in 11n mode.
191: <li>Added a new implementation of MiRa, a rate adapation algorithm
192: designed for 802.11n.
1.91 tb 193: <li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver
1.28 stsp 194: now supports 802.11n MIMO (MCS 0-15).
1.91 tb 195: <li>The <a href="https://man.openbsd.org/athn.4">athn(4)</a> driver
1.28 stsp 196: now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode.
1.91 tb 197: <li>The <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> driver
1.28 stsp 198: now receives MIMO frames in monitor mode.
1.91 tb 199: <li>The <a href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and
200: <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
1.28 stsp 201: now use AMRR rate adaptation (8188EU and 8188CE devices only).
202: <li>TKIP/WPA1 was disabled by default because of inherent weaknesses
203: in this protocol.
1.1 deraadt 204: </ul>
205: <p>
206:
207: <li>Generic network stack improvements:
208: <ul>
1.91 tb 209: <li>New <a href="https://man.openbsd.org/switch.4">switch(4)</a>
1.14 schwarze 210: pseudo-device together with new
1.91 tb 211: <a href="https://man.openbsd.org/switchd.8">switchd(8)</a> and
212: <a href="https://man.openbsd.org/switchctl.8">switchctl(8)</a>
1.14 schwarze 213: programs.
1.91 tb 214: <li>New <a href="https://man.openbsd.org/mobileip.4">mobileip(4)</a>
1.21 schwarze 215: operation mode for the
1.91 tb 216: <a href="https://man.openbsd.org/gre.4">gre(4)</a>
1.21 schwarze 217: pseudo-device.
218: <li>Multipoint-to-multipoint mode in
1.91 tb 219: <a href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
220: <li><a href="https://man.openbsd.org/route.8">route(8)</a>
1.18 bluhm 221: and netstat -r display all routing flags correctly and they
222: are completely documented in the
1.91 tb 223: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
1.18 bluhm 224: man page.
225: <li>When sending TCP streams they are locally stored in large
226: mbuf clusters to improve memory management.
227: The maximum TCP send and receive buffer size has been
1.67 claudio 228: increased from 256KB to 2MB.
1.18 bluhm 229: Note that this results in a different
1.91 tb 230: <a href="https://man.openbsd.org/pf.4">pf(4)</a>
1.18 bluhm 231: OS fingerprint for OpenBSD.
232: The default limit for mbuf clusters has been increased.
233: You can check the values with
1.91 tb 234: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
1.18 bluhm 235: -m and adjust them with
1.91 tb 236: <a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
1.18 bluhm 237: kern.maxclusters.
238: <li>Make the TCP_NOPUSH flag work for
1.91 tb 239: <a href="https://man.openbsd.org/listen.2">listen(2)</a>
1.18 bluhm 240: sockets.
241: It is inherited by the socket returned from
1.91 tb 242: <a href="https://man.openbsd.org/accept.2">accept(2)</a>.
1.18 bluhm 243: <li>A lot of code has been removed or simplified to make the
244: transition to multi-processor easier.
245: Redesign the interrupt and multi-processor locks in the
246: network stack.
247: <li>When passing packets from the network stack to the
248: interface layer, make sure that they have no pointers to
1.91 tb 249: <a href="https://man.openbsd.org/pf.4">pf(4)</a>
1.18 bluhm 250: which could result in a memory free operation at the wrong
251: protection level.
252: <li>Fix checksum calculation in
1.91 tb 253: <a href="https://man.openbsd.org/pf.4">pf(4)</a>
1.18 bluhm 254: af-to ICMP packet conversions.
255: Simplify af-to processing in and fix path MTU discovery in
256: some corner cases.
257: <li>Improve IPv6 fragment processing.
258: Drop empty atomic fragments early.
259: Be more paranoid when IPv6 hop-by-hop headers appear after
260: fragment headers.
261: Follow RFC 5722 "Handling of Overlapping IPv6 Fragments"
262: more strictly in
1.91 tb 263: <a href="https://man.openbsd.org/pf.4">pf(4)</a>.
1.18 bluhm 264: RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates
265: generating atomic fragments, so do not send them anymore.
266: <li>Depending on the addresses,
1.91 tb 267: <a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
1.18 bluhm 268: may automatically group SA bundles together.
269: To make clear what is going on, the kernel provides this
270: information and ipsecctl -s sa prints IPsec SA bundles.
1.51 krw 271: <li>A new routing socket message type, RTM_PROPOSAL, was added to
272: facilitate future improvements to the network configuration process.
1.1 deraadt 273: </ul>
274: <p>
275:
276: <li>Installer improvements:
277: <ul>
1.45 tj 278: <li>The installer now uses privilege separation for fetching and
279: verifying the install sets.
280: <li>Install sets are now fetched over an HTTPS connection by default
281: when using a <a href="ftp.html">mirror</a> that supports it.
1.50 krw 282: <li>The installer now considers all of the DHCP information in filename,
283: bootfile-name, server-name, tftp-server-name, and next-server when
284: attempting to do automatic installs or upgrades.
285: <li>The installer no longer adds a route to an alias IP via 127.0.0.1, due
286: to improvements in the kernel routing components.
1.1 deraadt 287: </ul>
288: <p>
289:
290: <li>Routing daemons and other userland network improvements:
291: <ul>
1.91 tb 292: <li><a href="https://man.openbsd.org/ping.8">ping(8)</a> and
293: <a href="https://man.openbsd.org/ping6.8">ping6(8)</a> are now the same
1.10 florian 294: binary and share the engine.
1.91 tb 295: <li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a> now supports
1.15 jca 296: p2p links with addresses in different subnets.
1.17 jca 297: <li>UDP speakers can specify an IPv4 source address using
1.95 bentley 298: <code>IP_SENDSRCADDR</code>.
1.91 tb 299: <a href="https://man.openbsd.org/iked.8">iked(8)</a>
300: and <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> now
1.17 jca 301: use the proper source address when sending replies.
1.91 tb 302: <li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
1.74 reyk 303: supports ECDSA and RFC 7427 signatures for authentication.
1.91 tb 304: <li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
1.74 reyk 305: supports replying to IKEv2 responder cookies.
306: <li>Many fixes and improvements for
1.91 tb 307: <a href="https://man.openbsd.org/iked.8">iked(8)</a> and
308: <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a>, including
1.74 reyk 309: various fixes for rekeying.
1.91 tb 310: <li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and
311: <a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> now cope
1.15 jca 312: with interface MTU change at runtime.
1.91 tb 313: <li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
1.44 sthen 314: BGP Large Communities
315: (<a href="https://www.rfc-editor.org/rfc/rfc8092.txt">RFC 8092</a>).
1.91 tb 316: <li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
1.44 sthen 317: BGP Administrative Shutdown Communication
318: (<a href="https://www.ietf.org/id/draft-ietf-idr-shutdown.txt">draft-ietf-idr-shutdown</a>).
1.1 deraadt 319: </ul>
320: <p>
321:
322: <li>Security improvements:
323: <ul>
1.3 visa 324: <li>Enforcement of userland W^X on OCTEON Plus and later.
1.32 guenther 325: <li>All shared libraries, all dynamic and static-PIE executables, and
1.91 tb 326: <a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> itself use
1.29 guenther 327: the RELRO ("read-only after relocation") design such that
1.32 guenther 328: more of the initial data is protected as read-only.
1.3 visa 329: <li>The size of user virtual address space has been increased
330: from 2GB to 1TB on mips64.
1.73 tj 331: <li>PIE and -static -pie on arm.
1.91 tb 332: <li><a href="https://man.openbsd.org/route6d.8">route6d(8)</a> now
1.17 jca 333: runs with fewer privileges.
1.18 bluhm 334: <li>For incoming TLS connections
1.91 tb 335: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.18 bluhm 336: can validate client certificates with a given CA file.
1.24 tb 337: <li>The privileged parent process of
1.91 tb 338: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.18 bluhm 339: calls
1.91 tb 340: <a href="https://man.openbsd.org/execve.2">exec(2)</a>
1.18 bluhm 341: to reshuffle its random memory layout.
1.21 schwarze 342: <li>New function
1.91 tb 343: <a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
1.21 schwarze 344: to reduce the risk of incorrect clearing of memory before and after
1.91 tb 345: <a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>.
346: <li><a href="https://man.openbsd.org/sha2.3">SHA512_256</a> family
1.30 guenther 347: of functions added to libc.
1.34 guenther 348: <li>arm added to the list of archs where the
1.91 tb 349: <a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a>
1.30 guenther 350: family of functions apply XOR cookies to stack and return-address
1.34 guenther 351: values in the jmpbuf.
1.91 tb 352: <li><a href="https://man.openbsd.org/printf.3">printf(3)</a> family
1.30 guenther 353: of formatting functions now report to syslog when the %s
354: format is used with a NULL pointer.
1.36 otto 355: <li>Heap buffer overflow detection has been improved when the C
1.91 tb 356: <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
1.37 otto 357: The existing S option now includes C.
1.33 guenther 358: <li>Support for permitting non-root users to
1.91 tb 359: <a href="https://man.openbsd.org/mount.8">mount(8)</a> filesystems
1.33 guenther 360: has been removed.
1.91 tb 361: <li><a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> now uses
362: <a href="https://man.openbsd.org/bcrypt_pbkdf.3">bcrypt PBKDF</a> to
1.86 jsing 363: derive keys for
1.91 tb 364: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a> crypto
1.85 jsing 365: volumes.
1.1 deraadt 366: </ul>
367: <p>
368:
1.91 tb 369: <li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>/
370: <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
371: <a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
1.49 krw 372: <ul>
373: <li>Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default.
374: <li>Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies).
375: <li>Stop leaking option data received on the udp socket.
376: <li>Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
377: <li>Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease.
378: <li>Use only leases from no SSID or the current SSID when restarting.
379: <li>Reduce default values for various timeouts to something more
380: appropriate to modern networks.
381: <li>Fix issues with redundant dhcpd servers and CARP'd interfaces.
382: <li>Switch to standard logging functions
1.59 krw 383: <li>Fix vis/unvis of strings in
1.91 tb 384: <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> leases files.
1.49 krw 385: </ul>
1.80 deraadt 386: <p>
1.44 sthen 387:
1.1 deraadt 388: <li>Assorted improvements:
389: <ul>
1.91 tb 390: <li>New <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a>
1.46 tj 391: utility for security and reliability binary updates to the base
392: system.
1.91 tb 393: <li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>, a
1.24 tb 394: privilege separated Automatic Certificate Management Environment
1.9 florian 395: (ACME) client written by Kristaps Dzonsons has been imported.
1.14 schwarze 396: <li>New, simplified
1.91 tb 397: <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
1.14 schwarze 398: X11 display manager forked from
1.91 tb 399: <a href="https://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>.
1.13 schwarze 400: <li>Unicode version 8 character properties in the C library.
401: <li>Partial UTF-8 line editing support for
1.91 tb 402: <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> Vi input mode.
1.13 schwarze 403: <li>UTF-8 support in
1.91 tb 404: <a href="https://man.openbsd.org/column.1">column(1)</a>.
1.35 otto 405: <li>The performance and concurrency of the
1.91 tb 406: <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> family
1.35 otto 407: in multi-threaded processes has been improved.
1.17 jca 408: <li>Estonian keyboard support.
1.91 tb 409: <li><a href="https://man.openbsd.org/read.2">read(2)</a> on
1.17 jca 410: directories now fails instead of returning 0.
1.95 bentley 411: <li>Support for the <code>RES_USE_EDNS0</code> and <code>RES_USE_DNSSEC</code>
1.17 jca 412: flags has been added to the
1.91 tb 413: <a href="https://man.openbsd.org/resolver.3">resolver(3)</a>
1.17 jca 414: implementation.
1.91 tb 415: <li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.76 tb 416: limits the socket buffer for TCP and TLS connections to 64K
1.18 bluhm 417: to avoid wasting kernel memory.
1.91 tb 418: <li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.18 bluhm 419: supports the option -Z to print the timestamp in RFC 5424
420: ISO format.
421: This logs everything in UTC including the year, timezone
422: and fractions of seconds.
423: The default is still RFC 3164 BSD syslog time format.
1.72 bluhm 424: <li>When log files are rotated,
1.91 tb 425: <a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a>
1.72 bluhm 426: writes the creation time in UTC ISO format into the first line.
1.18 bluhm 427: <li>The
1.91 tb 428: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.18 bluhm 429: options -a, -T, and -U can be given more than once to specify
430: multiple input sources.
431: <li>Improve the
1.91 tb 432: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.18 bluhm 433: output and diagnostics in case the klog buffer
434: overflows.
435: <li>Make SIGHUP handling in
1.91 tb 436: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.18 bluhm 437: more reliable.
1.91 tb 438: <li>Let <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.72 bluhm 439: tolerate most errors on startup.
440: Keep running and receive messages from all working subsystems,
441: but do not die.
1.91 tb 442: <li>The <a href="https://man.openbsd.org/syslog.3">syslog(3)</a>
1.72 bluhm 443: priority of fatal and warning messages of various daemons
444: has been adjusted.
1.18 bluhm 445: <li>An NMI sends the amd64 kernel into
1.91 tb 446: <a href="https://man.openbsd.org/ddb.4">ddb(4)</a>
1.18 bluhm 447: more reliably.
1.91 tb 448: <li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> now
1.32 guenther 449: supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS,
450: and DT_RUNPATH dynamic tags.
1.91 tb 451: <li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
1.44 sthen 452: now dumps the fds returned by
1.91 tb 453: <a href="https://man.openbsd.org/pipe.2">pipe(2)</a> and
454: <a href="https://man.openbsd.org/socketpair.2">socketpair(2)</a>.
455: <li>Added support to <a href="https://man.openbsd.org/doas.1">doas(1)</a>
1.33 guenther 456: for session-locked persistent authentication.
1.34 guenther 457: <li>Use a hardware register for the thread pointer on arm for improved
458: performance in multi-threaded processes.
1.43 visa 459: <li>SGI boot blocks now consult the OpenBSD
1.91 tb 460: <a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>
1.43 visa 461: to locate the root filesystem.
462: This reduces constraints on disk partitioning.
1.91 tb 463: <li><a href="https://man.openbsd.org/iec.4">iec(4)</a>
1.43 visa 464: no longer hangs when its transmit ring gets full.
1.91 tb 465: <li><a href="https://man.openbsd.org/sq.4">sq(4)</a>
1.43 visa 466: has been fixed to accept broadcast frames in non-promiscuous mode
467: when no IP address is configured.
468: This lets the interface work with DHCP.
469: <li>Multiprocessor-safe PCI interrupt handlers are run
470: without the kernel lock on OpenBSD/sgi.
1.91 tb 471: <li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now unconditionally
1.50 krw 472: sets the size of the protective MBR's EFI GPT partition to UINT32_MAX.
1.91 tb 473: <li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now respects the
1.50 krw 474: current MBR or GPT format when initializing a disk.
1.91 tb 475: <li><a href="https://man.openbsd.org/softraid.4">softraid(4)</a> now uses
1.50 krw 476: sufficient parallel i/o's to efficiently rebuild RAID5 volumes.
1.91 tb 477: <li><a href="https://man.openbsd.org/asr_run.3">asr</a> now accepts UDP
1.50 krw 478: packets of up to 4096 bytes to account for broken DNS servers.
1.91 tb 479: <li><a href="https://man.openbsd.org/umass.4">umass(4)</a> no longer assumes
1.50 krw 480: that ATAPI or UFI devices have only 1 LUN.
1.91 tb 481: <li><a href="https://man.openbsd.org/scsi.4">scsi(4)</a> now correctly
1.50 krw 482: detects end of tape on LTO5 devices.
1.91 tb 483: <li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
1.63 beck 484: SNI
1.91 tb 485: via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
1.63 beck 486: to allow for multiple https sites on a single IP address.
1.91 tb 487: <li><a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
1.63 beck 488: has been added, and can be used to check the OCSP status of
1.64 beck 489: certificates. The corresponding responses can be saved for later use in OCSP stapling.
1.91 tb 490: <li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
1.63 beck 491: OCSP stapling
1.91 tb 492: via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
1.63 beck 493: to permit OCSP responses to be stapled to the tls handshake
1.91 tb 494: <li><a href="https://man.openbsd.org/nc.1">nc(1)</a> now also
1.63 beck 495: supports OCSP stapling server side, and will show the stapling information
1.80 deraadt 496: client side.
1.91 tb 497: <li>Both <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> and
498: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> support now
1.68 claudio 499: TLS session resumption using TLS session tickets.
500: See the respective configuration man page for more information.
1.72 bluhm 501: <li>With the -f option
1.91 tb 502: <a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a>
1.72 bluhm 503: can use an alternative config file.
1.1 deraadt 504: </ul>
505: <p>
506:
507: <li>OpenSMTPD 6.0.0
508: <ul>
1.78 gilles 509: <li>Added support for providing an alternate subaddressing delimiter
510: <li>Made the daemon less verbose in logs when exiting
1.101 ! jsg 511: <li>Improved the io layer to simplify code across the daemon
1.78 gilles 512: <li>Added support for matching authenticated sessions in the ruleset
513: <li>Assorted code and documentation cleanups
1.1 deraadt 514: </ul>
515: <p>
516:
1.12 matthieu 517: <li>OpenSSH 7.4
1.1 deraadt 518: <ul>
1.79 deraadt 519: <li>Security:
520: <ul>
521: <li>ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
522: outside a trusted whitelist (run-time configurable). Requests to
523: load modules could be passed via agent forwarding and an attacker
524: could attempt to load a hostile PKCS#11 module across the forwarded
525: agent channel: PKCS#11 modules are shared libraries, so this would
526: result in code execution on the system running the ssh-agent if the
527: attacker has control of the forwarded agent-socket (on the host
528: running the sshd server) and the ability to write to the filesystem
529: of the host running ssh-agent (usually the host running the ssh
530: client).
531: <li>sshd(8): When privilege separation is disabled, forwarded Unix-
532: domain sockets would be created by sshd(8) with the privileges of
533: 'root' instead of the authenticated user. This release refuses
534: Unix-domain socket forwarding when privilege separation is disabled
535: (Privilege separation has been enabled by default for 14 years).
536: <li>sshd(8): Avoid theoretical leak of host private key material to
537: privilege-separated child processes via realloc() when reading
538: keys. No such leak was observed in practice for normal-sized keys,
539: nor does a leak to the child processes directly expose key material
540: to unprivileged users.
541: <li>sshd(8): The shared memory manager used by pre-authentication
542: compression support had a bounds checks that could be elided by
543: some optimising compilers. Additionally, this memory manager was
544: incorrectly accessible when pre-authentication compression was
545: disabled. This could potentially allow attacks against the
546: privileged monitor process from the sandboxed privilege-separation
547: process (a compromise of the latter would be required first).
548: This release removes support for pre-authentication compression
549: from sshd(8).
550: <li>sshd(8): Fix denial-of-service condition where an attacker who
551: sends multiple KEXINIT messages may consume up to 128MB per
552: connection.
553: <li>sshd(8): Validate address ranges for AllowUser and DenyUsers
554: directives at configuration load time and refuse to accept invalid
555: ones. It was previously possible to specify invalid CIDR address
556: ranges (e.g. user@127.1.2.3/55) and these would always match,
557: possibly resulting in granting access where it was not intended.
558: <li>ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
559: that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
560: </ul>
561: <li>New/changed features:
562: <ul>
563: <li>Server support for the SSH v.1 protocol has been removed.
564: <li>ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
565: block ciphers are not safe in 2016 and we don't want to wait until
566: attacks like SWEET32 are extended to SSH. As 3des-cbc was the
567: only mandatory cipher in the SSH RFCs, this may cause problems
568: connecting to older devices using the default configuration,
569: but it's highly likely that such devices already need explicit
570: configuration for key exchange and hostkey algorithms already
571: anyway.
572: <li>sshd(8): Remove support for pre-authentication compression.
573: Doing compression early in the protocol probably seemed reasonable
574: in the 1990s, but today it's clearly a bad idea in terms of both
575: cryptography (cf. multiple compression oracle attacks in TLS) and
576: attack surface. Pre-auth compression support has been disabled by
577: default for >10 years. Support remains in the client.
578: <li>ssh-agent will refuse to load PKCS#11 modules outside a whitelist
579: of trusted paths by default. The path whitelist may be specified
580: at run-time.
581: <li>sshd(8): When a forced-command appears in both a certificate and
582: an authorized keys/principals command= restriction, sshd will now
583: refuse to accept the certificate unless they are identical.
584: The previous (documented) behaviour of having the certificate
585: forced-command override the other could be a bit confusing and
586: error-prone.
587: <li>sshd(8): Remove the UseLogin configuration directive and support
588: for having /bin/login manage login sessions.
589: <li>ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
590: version in PuTTY by Simon Tatham. This allows a multiplexing
591: client to communicate with the master process using a subset of
592: the SSH packet and channels protocol over a Unix-domain socket,
593: with the main process acting as a proxy that translates channel
594: IDs, etc. This allows multiplexing mode to run on systems that
595: lack file- descriptor passing (used by current multiplexing
596: code) and potentially, in conjunction with Unix-domain socket
597: forwarding, with the client and multiplexing master process on
598: different machines. Multiplexing proxy mode may be invoked using
599: "ssh -O proxy ..."
600: <li>sshd(8): Add a sshd_config DisableForwarding option that disables
601: X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
602: as anything else we might implement in the future. Like the
603: 'restrict' authorized_keys flag, this is intended to be a simple
604: and future-proof way of restricting an account.
605: <li>sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
606: method. This is identical to the currently-supported method named
607: "curve25519-sha256@libssh.org".
608: <li>sshd(8): Improve handling of SIGHUP by checking to see if sshd is
609: already daemonised at startup and skipping the call to daemon(3)
610: if it is. This ensures that a SIGHUP restart of sshd(8) will
611: retain the same process-ID as the initial execution. sshd(8) will
612: also now unlink the PidFile prior to SIGHUP restart and re-create
613: it after a successful restart, rather than leaving a stale file in
614: the case of a configuration error.
615: <li>sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
616: directives to appear in sshd_config Match blocks.
617: <li>sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
618: those supported by AuthorizedKeysCommand (key, key type,
619: fingerprint, etc.) and a few more to provide access to the
620: contents of the certificate being offered.
621: <li>Added regression tests for string matching, address matching and
622: string sanitisation functions.
623: <li>Improved the key exchange fuzzer harness.
624: <li>Deprecate the sshd_config UsePrivilegeSeparation
625: option, thereby making privilege separation mandatory. Privilege
626: separation has been on by default for almost 15 years and
627: sandboxing has been on by default for almost the last five.
628: <li>ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
629: algorithm lists, e.g. Ciphers=-*cbc.
630: </ul>
631: <li>The following significant bugs have been fixed in this release:
632: <ul>
633: <li>ssh(1): Allow IdentityFile to successfully load and use
634: certificates that have no corresponding bare public key.
635: certificate id_rsa-cert.pub (and no id_rsa.pub).
636: <li>ssh(1): Fix public key authentication when multiple
637: authentication is in use and publickey is not just the first
638: method attempted.
639: <li>ssh-agent(1), ssh(1): improve reporting when attempting to load
640: keys from PKCS#11 tokens with fewer useless log messages and more
641: detail in debug messages.
642: <li>ssh(1): When tearing down ControlMaster connections, don't
643: pollute stderr when LogLevel=quiet.
644: <li>sftp(1): On ^Z wait for underlying ssh(1) to suspend before
645: suspending sftp(1) to ensure that ssh(1) restores the terminal mode
646: correctly if suspended during a password prompt.
647: <li>ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
648: prompt.
649: <li>ssh(1), sshd(8): Correctly report errors during sending of ext-
650: info messages.
651: <li>sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
652: sequence NEWKEYS message.
653: <li>sshd(8): Correct list of supported signature algorithms sent in
654: the server-sig-algs extension.
655: <li>sshd(8): Fix sending ext_info message if privsep is disabled.
656: <li>sshd(8): more strictly enforce the expected ordering of privilege
657: separation monitor calls used for authentication and allow them
658: only when their respective authentication methods are enabled
659: in the configuration
660: <li>sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
661: on Unix/BSD but potentially crashy on Cygwin.
662: <li>Fix false positive reports caused by explicit_bzero(3) not being
663: recognised as a memory initialiser when compiled with
664: -fsanitize-memory.
665: <li>sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
666: configuration examples.
667: <li>sshd(1): Fix NULL dereference crash when key exchange start
668: messages are sent out of sequence.
669: <li>ssh(1), sshd(8): Allow form-feed characters to appear in
670: configuration files.
671: <li>sshd(8): Fix regression in OpenSSH 7.4 support for the
672: server-sig-algs extension, where SHA2 RSA signature methods were
673: not being correctly advertised.
674: <li>ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
675: known_hosts processing.
676: <li>ssh(1): Allow ssh to use certificates accompanied by a private key
677: file but no corresponding plain *.pub public key.
678: <li>ssh(1): When updating hostkeys using the UpdateHostKeys option,
679: accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
680: Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
681: methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
682: method.
683: <li>ssh(1): Detect and report excessively long configuration file
684: lines.
685: <li>Merge a number of fixes found by Coverity and reported via Redhat
686: and FreeBSD. Includes fixes for some memory and file descriptor
687: leaks in error paths.
688: <li>ssh-keyscan(1): Correctly hash hosts with a port number.
689: <li>ssh(1), sshd(8): When logging long messages to stderr, don't truncate
690: "\r\n" if the length of the message exceeds the buffer.
691: <li>ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
692: line; avoid confusion over IPv6 addresses and shells that treat
693: square bracket characters specially.
694: <li>ssh-keygen(1): Fix corruption of known_hosts when running
695: "ssh-keygen -H" on a known_hosts containing already-hashed entries.
696: <li>Fix various fallout and sharp edges caused by removing SSH protocol
697: 1 support from the server, including the server banner string being
698: incorrectly terminated with only \n (instead of \r\n), confusing
699: error messages from ssh-keyscan a segfault in sshd
700: if protocol v.1 was enabled for the client and sshd_config
701: contained references to legacy keys.
702: <li>ssh(1), sshd(8): Free fd_set on connection timeout.
703: <li>sshd(8): Fix Unix domain socket forwarding for root (regression in
704: OpenSSH 7.4).
705: <li>sftp(1): Fix division by zero crash in "df" output when server
706: returns zero total filesystem blocks/inodes.
707: <li>ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
708: encountered during key loading to more meaningful error codes.
709: <li>ssh-keygen(1): Sanitise escape sequences in key comments sent to
710: printf but preserve valid UTF-8 when the locale supports it.
711: <li>ssh(1), sshd(8): Return reason for port forwarding failures where
712: feasible rather than always "administratively prohibited".
713: <li>sshd(8): Fix deadlock when AuthorizedKeysCommand or
714: AuthorizedPrincipalsCommand produces a lot of output and a key is
715: matched early.
716: <li>ssh(1): Fix typo in ~C error message for bad port forward
717: cancellation.
718: <li>ssh(1): Show a useful error message when included config files
719: can't be opened.
720: <li>sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
721: (previously incorrectly) advertised.
722: <li>sshd_config(5): Repair accidentally-deleted mention of %k token
723: in AuthorizedKeysCommand.
724: <li>sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
725: <li>ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
726: common 32-bit compatibility library directories.
727: <li>sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
728: response handling.
729: <li>ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
730: keys. It was not possible to delete them except by specifying
731: their full physical path.
732: </ul>
1.1 deraadt 733: </ul>
734: <p>
735:
1.61 beck 736: <li>LibreSSL 2.5.3
1.80 deraadt 737: <ul>
738: <li>libtls now supports ALPN and SNI
739: <li>libtls adds a new callback interface for integrating custom IO
740: functions. Thanks to Tobias Pape.
741: <li>libtls now handles 4 cipher suite groups:
742: <ul>
743: <li>"secure" (TLSv1.2+AEAD+PFS)
744: <li>"compat" (HIGH:!aNULL)
745: <li>"legacy" (HIGH:MEDIUM:!aNULL)
746: <li>"insecure" (ALL:!aNULL:!eNULL)
747: </ul>
748: This allows for flexibility and finer grained control, rather than
749: having two extremes (an issue raised by Marko Kreen some time ago).
750: <li>Tightened error handling for tls_config_set_ciphers().
751: <li>libtls now always loads CA, key and certificate files at the time the
752: configuration function is called. This simplifies code and results in
753: a single memory based code path being used to provide data to libssl.
1.84 jsing 754: <li>Added support for OCSP intermediate certificates.
755: <li>Added X509_check_host(), X509_check_email(), X509_check_ip(), and
756: X509_check_ip_asc() functions, via BoringSSL.
1.80 deraadt 757: <li>Added initial support for iOS, thanks to Jacob Berkman.
758: <li>Improved behavior of arc4random on Windows when using memory leak
759: analysis software.
760: <li>Correctly handle an EOF that occurs prior to the TLS handshake
761: completing. Reported by Vasily Kolobkov, based on a diff from Marko
762: Kreen.
1.84 jsing 763: <li>Limit the support of the "backward compatible" SSLv2 handshake to
1.80 deraadt 764: only be used if TLS 1.0 is enabled.
765: <li>Fix incorrect results in certain cases on 64-bit systems when
766: BN_mod_word() can return incorrect results. BN_mod_word() now can
767: return an error condition. Thanks to Brian Smith.
1.84 jsing 768: <li>Added constant-time updates to address CVE-2016-0702.
769: <li>Fixed undefined behavior in BN_GF2m_mod_arr().
770: <li>Removed unused Cryptographic Message Support (CMS).
771: <li>More conversions of long long idioms to time_t.
1.80 deraadt 772: <li>Improved compatibility by avoiding printing NULL strings with
773: printf.
774: <li>Reverted change that cleans up the EVP cipher context in
1.84 jsing 775: EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
776: previous behaviour.
1.80 deraadt 777: <li>Avoid unbounded memory growth in libssl, which can be triggered
778: by a TLS client repeatedly renegotiating and sending OCSP Status
779: Request TLS extensions.
780: <li>Avoid falling back to a weak digest for (EC)DH when using SNI
781: with libssl.
782: <li>X509_cmp_time() now passes a malformed GeneralizedTime field as
783: an error. Reported by Theofilos Petsios.
784: <li>Check for and handle failure of HMAC_{Update,Final} or
785: EVP_DecryptUpdate().
786: <li>Massive update and normalization of manpages, conversion to
787: mandoc format. Many pages were rewritten for clarity and accuracy.
788: Portable doc links are up-to-date with a new conversion tool.
1.82 jsing 789: <li>Curve25519 and TLS X25519 Key Exchange support.
1.80 deraadt 790: <li>Support for alternate chains for certificate verification.
791: <li>Code cleanups, CBB conversions, further unification of DTLS/SSL
792: handshake code, further ASN1 macro expansion and removal.
793: <li>Private symbols are now hidden in libssl and libcrypto.
794: <li>Friendly certificate verification error messages in libtls, peer
795: verification is now always enabled.
796: <li>Added OCSP stapling support to libtls and nc.
797: <li>Added ocspcheck utility to validate a certificate against its OCSP
798: responder and save the reply for stapling
799: <li>Enhanced regression tests and error handling for libtls.
800: <li>Added explicit constant and non-constant time BN functions,
801: defaulting to constant time wherever possible.
802: <li>Moved many leaked implementation details in public structs behind
803: opaque pointers.
804: <li>Added ticket support to libtls.
805: <li>Added support for setting the supported EC curves via
806: SSL{_CTX}_set1_groups{_list}() - also provide defines for the
807: previous SSL{_CTX}_set1_curves{_list} names. This also changes
808: the default list of curves to be X25519, P-256 and P-384. All
809: other curves must be manually enabled.
810: <li>Added -groups option to openssl(1) s_client for specifying the
811: curves to be used in a colon-separated list.
812: <li>Merged client/server version negotiation code paths into one,
813: reducing much duplicate code.
814: <li>Removed error function codes from libssl and libcrypto.
815: <li>Fixed an issue where a truncated packet could crash via an OOB
816: read.
817: <li>Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
818: client-initiated renegotiation. This is the default for libtls
819: servers.
820: <li>Avoid a side-channel cache-timing attack that can leak the ECDSA
821: private keys when signing. This is due to BN_mod_inverse() being
822: used without the constant time flag being set. Reported by Cesar
823: Pereida Garcia and Billy Brumley (Tampere University of
824: Technology). The fix was developed by Cesar Pereida Garcia.
825: <li>iOS and MacOS compatibility updates from Simone Basso and Jacob
826: Berkman.
827: <li>Added the recallocarray(3) memory allocation function, and
828: converted various places in the library to use it, such as CBB
829: and BUF_MEM_grow. recallocarray(3) is similar to
830: reallocarray. Newly allocated memory is cleared similar to
831: calloc(3). Memory that becomes unallocated while shrinking or
832: moving existing allocations is explicitly discarded by unmapping
833: or clearing to 0.
834: <li>Added new root CAs from SECOM Trust Systems / Security
835: Communication of Japan.
836: <li>Added EVP interface for MD5+SHA1 hashes.
837: <li>Improved nc(1) TLS handshake CPU usage and server-side error
838: reporting.
1.84 jsing 839: <li>Added a constant time version of BN_gcd and use it default for
1.80 deraadt 840: BN_gcd to avoid the possibility of sidechannel timing attacks
841: against RSA private key generation - Thanks to Alejandro
1.95 bentley 842: Cabrera <aldaya@gmail.com>
1.80 deraadt 843: </ul>
1.1 deraadt 844: <p>
845:
1.13 schwarze 846: <li>mandoc 1.14.1
847: <ul>
1.91 tb 848: <li>New <a href="https://man.openbsd.org/mandoc.db.5">mandoc.db(5)</a>
849: file format: <a href="https://man.openbsd.org/man.1">man(1)</a>,
850: <a href="https://man.openbsd.org/apropos.1">apropos(1)</a>, and
851: <a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>
1.80 deraadt 852: no longer need SQLite3.
1.13 schwarze 853: <li>Much improved HTML output and CSS.
1.91 tb 854: <li>In <a href="https://man.openbsd.org/man.1">man(1)</a>, internal
855: searching with <a href="https://man.openbsd.org/less.1">less(1)</a>
1.80 deraadt 856: <code>:t</code> has been improved.
1.91 tb 857: <li>New <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
1.80 deraadt 858: <code>-mdoc -T markdown</code> output mode
859: (already a post-1.14.1 feature).
1.13 schwarze 860: </ul>
861: <p>
862:
1.95 bentley 863: <li><p>Ports and packages:
864: <p>Many pre-built packages for each architecture:
1.1 deraadt 865: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
1.95 bentley 866: <ul style="column-count: 3">
1.77 deraadt 867: <li>alpha: 7413
868: <li>amd64: 9714
1.87 deraadt 869: <li>arm: 7501
870: <li>hppa: 6422
1.77 deraadt 871: <li>i386: 9697
872: <li>mips64: 8072
873: <li>mips64el: 6880
874: <li>powerpc: 7703
875: <li>sparc64: 8606
1.95 bentley 876: </ul>
877: <p>Some highlights:
878: <ul style="column-count: 2">
1.39 jsg 879: <li>AFL 2.39b
1.55 jsg 880: <li>Chromium 57.0.2987.133
1.26 lteo 881: <li>Emacs 21.4 and 25.1
882: <li>GCC 4.9.4
1.1 deraadt 883: <li>GHC 7.10.3
1.12 matthieu 884: <li>Gimp 2.8.18
1.26 lteo 885: <li>GNOME 3.22.2
1.12 matthieu 886: <li>Go 1.8
1.1 deraadt 887: <li>Groff 1.22.3
1.12 matthieu 888: <li>JDK 7u80 and 8u121
1.1 deraadt 889: <li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
1.39 jsg 890: <li>LLVM/Clang 4.0.0
1.12 matthieu 891: <li>LibreOffice 5.2.4.2
892: <li>Lua 5.1.5, 5.2.4, and 5.3.4
1.40 sthen 893: <li>MariaDB 10.0.30
1.12 matthieu 894: <li>Mono 4.6.2.6
1.55 jsg 895: <li>Mozilla Firefox 52.0.2esr and 52.0.2
1.26 lteo 896: <li>Mozilla Thunderbird 45.8.0
1.12 matthieu 897: <li>Mutt 1.8.0
1.57 lteo 898: <li>Node.js 6.10.1
1.26 lteo 899: <li>Ocaml 4.03.0
1.1 deraadt 900: <li>OpenLDAP 2.3.43 and 2.4.44
1.12 matthieu 901: <li>PHP 5.5.38, 5.6.30, and 7.0.16
902: <li>Postfix 3.2.0 and 3.3-20170218
903: <li>PostgreSQL 9.6.2
904: <li>Python 2.7.13, 3.4.5, 3.5.2 and 3.6.0
1.42 tb 905: <li>R 3.3.3
1.57 lteo 906: <li>Ruby 1.8.7.374, 2.1.9, 2.2.6, 2.3.3 and 2.4.1
1.48 danj 907: <li>Rust 1.16.0
1.1 deraadt 908: <li>Sendmail 8.15.2
1.13 schwarze 909: <li>SQLite3 3.17.0
1.12 matthieu 910: <li>Sudo 1.8.19.2
1.1 deraadt 911: <li>Tcl/Tk 8.5.18 and 8.6.4
912: <li>TeX Live 2015
1.12 matthieu 913: <li>Vim 8.0.0388
1.1 deraadt 914: <li>Xfce 4.12
1.95 bentley 915: </ul>
1.1 deraadt 916: <p>
917:
918: <li>As usual, steady improvements in manual pages and other documentation.
919: <p>
920:
921: <li>The system includes the following major components from outside suppliers:
922: <ul>
923: <li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
1.47 jsg 924: freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
1.12 matthieu 925: xkeyboard-config 2.20 and more)
1.55 jsg 926: <li>LLVM/Clang 4.0.0 (+ patches)
1.1 deraadt 927: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.8 florian 928: <li>Perl 5.24.1 (+ patches)
1.6 florian 929: <li>NSD 4.1.15
930: <li>Unbound 1.6.1
1.1 deraadt 931: <li>Ncurses 5.7
932: <li>Binutils 2.17 (+ patches)
933: <li>Gdb 6.3 (+ patches)
934: <li>Awk Aug 10, 2011 version
935: <li>Expat 2.1.1
936: </ul>
937: </ul>
1.95 bentley 938: </section>
1.1 deraadt 939:
940: <hr>
941:
1.95 bentley 942: <section id=install>
943: <h3>How to install</h3>
1.96 deraadt 944: <p>
1.20 tj 945: Please refer to the following files on the mirror site for
1.1 deraadt 946: extensive details on how to install OpenBSD 6.1 on your machine:
947:
948: <ul>
949: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/alpha/INSTALL.alpha">
1.20 tj 950: .../OpenBSD/6.1/alpha/INSTALL.alpha</a>
1.1 deraadt 951: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/amd64/INSTALL.amd64">
1.20 tj 952: .../OpenBSD/6.1/amd64/INSTALL.amd64</a>
1.54 jsg 953: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/arm64/INSTALL.arm64">
1.56 jsg 954: .../OpenBSD/6.1/arm64/INSTALL.arm64</a>
1.1 deraadt 955: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/armv7/INSTALL.armv7">
956: .../OpenBSD/6.1/armv7/INSTALL.armv7</a>
957: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/hppa/INSTALL.hppa">
958: .../OpenBSD/6.1/hppa/INSTALL.hppa</a>
1.41 tb 959: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/i386/INSTALL.i386">
960: .../OpenBSD/6.1/i386/INSTALL.i386</a>
1.1 deraadt 961: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/landisk/INSTALL.landisk">
962: .../OpenBSD/6.1/landisk/INSTALL.landisk</a>
963: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/loongson/INSTALL.loongson">
964: .../OpenBSD/6.1/loongson/INSTALL.loongson</a>
965: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/luna88k/INSTALL.luna88k">
966: .../OpenBSD/6.1/luna88k/INSTALL.luna88k</a>
1.41 tb 967: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/macppc/INSTALL.macppc">
968: .../OpenBSD/6.1/macppc/INSTALL.macppc</a>
1.1 deraadt 969: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/octeon/INSTALL.octeon">
970: .../OpenBSD/6.1/octeon/INSTALL.octeon</a>
971: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sgi/INSTALL.sgi">
972: .../OpenBSD/6.1/sgi/INSTALL.sgi</a>
1.41 tb 973: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sparc64/INSTALL.sparc64">
974: .../OpenBSD/6.1/sparc64/INSTALL.sparc64</a>
1.1 deraadt 975: </ul>
1.96 deraadt 976: </section>
1.1 deraadt 977:
978: <hr>
979:
1.95 bentley 980: <section id=quickinstall>
1.1 deraadt 981: <p>
982: Quick installer information for people familiar with OpenBSD, and the use of
1.91 tb 983: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1.1 deraadt 984: If you are at all confused when installing OpenBSD, read the relevant
985: INSTALL.* file as listed above!
986:
1.95 bentley 987: <h3>OpenBSD/alpha:</h3>
1.1 deraadt 988:
1.95 bentley 989: <p>
1.41 tb 990: Write <i>floppy61.fs</i> or <i>floppyB61.fs</i> (depending on your machine)
991: to a diskette and enter <i>boot dva0</i>.
992: Refer to INSTALL.alpha for more details.
1.95 bentley 993:
1.1 deraadt 994: <p>
1.41 tb 995: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
996: will most likely fail.
1.1 deraadt 997:
1.95 bentley 998: <h3>OpenBSD/amd64:</h3>
1.1 deraadt 999:
1.95 bentley 1000: <p>
1.20 tj 1001: If your machine can boot from CD, you can write <i>install61.iso</i> or
1002: <i>cd61.iso</i> to a CD and boot from it.
1003: You may need to adjust your BIOS options first.
1.95 bentley 1004:
1.1 deraadt 1005: <p>
1.11 tb 1006: If your machine can boot from USB, you can write <i>install61.fs</i> or
1007: <i>miniroot61.fs</i> to a USB stick and boot from it.
1.95 bentley 1008:
1.1 deraadt 1009: <p>
1010: If you can't boot from a CD, floppy disk, or USB,
1011: you can install across the network using PXE as described in the included
1012: INSTALL.amd64 document.
1.95 bentley 1013:
1.1 deraadt 1014: <p>
1015: If you are planning to dual boot OpenBSD with another OS, you will need to
1016: read INSTALL.amd64.
1.54 jsg 1017:
1.95 bentley 1018: <h3>OpenBSD/arm64:</h3>
1.54 jsg 1019:
1.95 bentley 1020: <p>
1.54 jsg 1021: Write <i>miniroot61.fs</i> to a disk and boot from it after connecting
1022: to the serial console. Refer to INSTALL.arm64 for more details.
1.1 deraadt 1023:
1.95 bentley 1024: <h3>OpenBSD/armv7:</h3>
1.1 deraadt 1025:
1.95 bentley 1026: <p>
1.41 tb 1027: Write a system specific miniroot to an SD card and boot from it after connecting
1028: to the serial console. Refer to INSTALL.armv7 for more details.
1.1 deraadt 1029:
1.95 bentley 1030: <h3>OpenBSD/hppa:</h3>
1.1 deraadt 1031:
1.95 bentley 1032: <p>
1.41 tb 1033: Boot over the network by following the instructions in INSTALL.hppa or the
1034: <a href="hppa.html#install">hppa platform page</a>.
1.1 deraadt 1035:
1.95 bentley 1036: <h3>OpenBSD/i386:</h3>
1.1 deraadt 1037:
1.95 bentley 1038: <p>
1.41 tb 1039: If your machine can boot from CD, you can write <i>install61.iso</i> or
1040: <i>cd61.iso</i> to a CD and boot from it.
1041: You may need to adjust your BIOS options first.
1.95 bentley 1042:
1.1 deraadt 1043: <p>
1.41 tb 1044: If your machine can boot from USB, you can write <i>install61.fs</i> or
1045: <i>miniroot61.fs</i> to a USB stick and boot from it.
1.95 bentley 1046:
1.41 tb 1047: <p>
1048: If you can't boot from a CD, floppy disk, or USB,
1049: you can install across the network using PXE as described in
1050: the included INSTALL.i386 document.
1.95 bentley 1051:
1.1 deraadt 1052: <p>
1.41 tb 1053: If you are planning on dual booting OpenBSD with another OS, you will need to
1054: read INSTALL.i386.
1.1 deraadt 1055:
1.95 bentley 1056: <h3>OpenBSD/landisk:</h3>
1.1 deraadt 1057:
1.95 bentley 1058: <p>
1.11 tb 1059: Write <i>miniroot61.fs</i> to the start of the CF
1.1 deraadt 1060: or disk, and boot normally.
1061:
1.95 bentley 1062: <h3>OpenBSD/loongson:</h3>
1.1 deraadt 1063:
1.95 bentley 1064: <p>
1.11 tb 1065: Write <i>miniroot61.fs</i> to a USB stick and boot bsd.rd from it
1.1 deraadt 1066: or boot bsd.rd via tftp.
1067: Refer to the instructions in INSTALL.loongson for more details.
1068:
1.95 bentley 1069: <h3>OpenBSD/luna88k:</h3>
1.1 deraadt 1070:
1.95 bentley 1071: <p>
1072: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1.1 deraadt 1073: from the PROM, and then bsd.rd from the bootloader.
1074: Refer to the instructions in INSTALL.luna88k for more details.
1075:
1.95 bentley 1076: <h3>OpenBSD/macppc:</h3>
1.41 tb 1077:
1.95 bentley 1078: <p>
1.41 tb 1079: Burn the image from a mirror site to a CDROM, and power on your machine
1080: while holding down the <i>C</i> key until the display turns on and
1081: shows <i>OpenBSD/macppc boot</i>.
1.95 bentley 1082:
1.41 tb 1083: <p>
1084: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1085: /6.1/macppc/bsd.rd</i>
1086:
1.95 bentley 1087: <h3>OpenBSD/octeon:</h3>
1.1 deraadt 1088:
1.95 bentley 1089: <p>
1.1 deraadt 1090: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1091: Refer to the instructions in INSTALL.octeon for more details.
1092:
1.95 bentley 1093: <h3>OpenBSD/sgi:</h3>
1.1 deraadt 1094:
1.95 bentley 1095: <p>
1.11 tb 1096: To install, burn cd61.iso on a CD-R, put it in the CD drive of your
1.1 deraadt 1097: machine and select <i>Install System Software</i> from the System Maintenance
1098: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
1099: CD-ROM, and need a proper invocation from the PROM prompt.
1100: Refer to the instructions in INSTALL.sgi for more details.
1101:
1102: <p>
1103: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
1104: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
1105: system type. Refer to the instructions in INSTALL.sgi for more details.
1.41 tb 1106:
1.95 bentley 1107: <h3>OpenBSD/sparc64:</h3>
1.41 tb 1108:
1.95 bentley 1109: <p>
1.41 tb 1110: Burn the image from a mirror site to a CDROM, boot from it, and type
1111: <i>boot cdrom</i>.
1.95 bentley 1112:
1.41 tb 1113: <p>
1114: If this doesn't work, or if you don't have a CDROM drive, you can write
1115: <i>floppy61.fs</i> or <i>floppyB61.fs</i>
1116: (depending on your machine) to a floppy and boot it with <i>boot
1117: floppy</i>. Refer to INSTALL.sparc64 for details.
1.95 bentley 1118:
1.41 tb 1119: <p>
1120: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1121: will most likely fail.
1.95 bentley 1122:
1.41 tb 1123: <p>
1124: You can also write <i>miniroot61.fs</i> to the swap partition on
1125: the disk and boot with <i>boot disk:b</i>.
1.95 bentley 1126:
1.41 tb 1127: <p>
1128: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1.95 bentley 1129: </section>
1.1 deraadt 1130:
1131: <hr>
1132:
1.95 bentley 1133: <section id=upgrade>
1134: <h3>How to upgrade</h3>
1.97 bentley 1135: <p>
1.11 tb 1136: If you already have an OpenBSD 6.0 system, and do not want to reinstall,
1.1 deraadt 1137: upgrade instructions and advice can be found in the
1.11 tb 1138: <a href="faq/upgrade61.html">Upgrade Guide</a>.
1.95 bentley 1139: </section>
1.1 deraadt 1140:
1141: <hr>
1142:
1.95 bentley 1143: <section id=sourcecode>
1144: <h3>Notes about the source code</h3>
1.97 bentley 1145: <p>
1.95 bentley 1146: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1.1 deraadt 1147: This file contains everything you need except for the kernel sources,
1148: which are in a separate archive.
1149: To extract:
1150: <blockquote><pre>
1.96 deraadt 1151: # <kbd>mkdir -p /usr/src</kbd>
1152: # <kbd>cd /usr/src</kbd>
1153: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1.1 deraadt 1154: </pre></blockquote>
1.97 bentley 1155: <p>
1.95 bentley 1156: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1.1 deraadt 1157: This file contains all the kernel sources you need to rebuild kernels.
1158: To extract:
1159: <blockquote><pre>
1.96 deraadt 1160: # <kbd>mkdir -p /usr/src/sys</kbd>
1161: # <kbd>cd /usr/src</kbd>
1162: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1.1 deraadt 1163: </pre></blockquote>
1.97 bentley 1164: <p>
1.1 deraadt 1165: Both of these trees are a regular CVS checkout. Using these trees it
1166: is possible to get a head-start on using the anoncvs servers as
1167: described <a href="anoncvs.html">here</a>.
1168: Using these files
1169: results in a much faster initial CVS update than you could expect from
1170: a fresh checkout of the full OpenBSD source tree.
1.95 bentley 1171: </section>
1.1 deraadt 1172:
1173: <hr>
1174:
1.95 bentley 1175: <section id=ports>
1176: <h3>Ports Tree</h3>
1.96 deraadt 1177: <p>
1.1 deraadt 1178: A ports tree archive is also provided. To extract:
1179: <blockquote><pre>
1.96 deraadt 1180: # <kbd>cd /usr</kbd>
1181: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1.1 deraadt 1182: </pre></blockquote>
1.97 bentley 1183: <p>
1.1 deraadt 1184: Go read the <a href="faq/ports/index.html">ports</a> page
1185: if you know nothing about ports
1186: at this point. This text is not a manual of how to use ports.
1187: Rather, it is a set of notes meant to kickstart the user on the
1188: OpenBSD ports system.
1189: <p>
1190: The <i>ports/</i> directory represents a CVS checkout of our ports.
1191: As with our complete source tree, our ports tree is available via
1192: <a href="anoncvs.html">AnonCVS</a>.
1.92 tj 1193: So, in order to keep up to date with the -stable branch, you must make
1.1 deraadt 1194: the <i>ports/</i> tree available on a read-write medium and update the tree
1195: with a command like:
1196: <blockquote><pre>
1.96 deraadt 1197: # <kbd>cd /usr/ports</kbd>
1198: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_1</kbd>
1.1 deraadt 1199: </pre></blockquote>
1.97 bentley 1200: <p>
1.1 deraadt 1201: [Of course, you must replace the server name here with a nearby anoncvs
1202: server.]
1203: <p>
1204: Note that most ports are available as packages on our mirrors. Updated
1205: ports for the 6.1 release will be made available if problems arise.
1206: <p>
1207: If you're interested in seeing a port added, would like to help out, or just
1208: would like to know more, the mailing list
1209: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1.95 bentley 1210: </section>