Annotation of www/61.html, Revision 1.79
1.1 deraadt 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2: <html>
3: <head>
4: <title>OpenBSD 6.1</title>
5: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
6: <meta name="description" content="OpenBSD 6.1">
7: <meta name="copyright" content="This document copyright 2016 by OpenBSD.">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/61.html">
11: </head>
12:
13: <body bgcolor="#ffffff" text="#000000" link="#24248E">
14:
15: <h2>
16: <a href="index.html">
17: <i><font color="#0000ff">Open</font></i><font color="#000084">BSD</font></a>
18: <font color="#e00000">6.1</font>
19: </h2>
20:
1.5 deraadt 21: <a href="images/XXX.jpg">
22: <img alt="XXX" align="left" width="227" height="343" hspace="24" src="images/XXX.jpg"></a>
1.24 tb 23: To be released somewhere around May 1, 2017 plus or minus a couple months<br>
1.1 deraadt 24: Copyright 1997-2017, Theo de Raadt.<br>
25: <br>
26: <br>
27: 6.1 Song:
28: <a href="lyrics.html#61">"xxx"</a>.
29:
30: <br>
31: <ul>
32: <li>See the information on <a href="ftp.html">the FTP page</a> for
33: a list of mirror machines.
34: <li>Go to the <font color="#e00000">pub/OpenBSD/6.1/</font> directory on
35: one of the mirror sites.
36: <li>Have a look at <a href="errata61.html">the 6.1 errata page</a> for a list
37: of bugs and workarounds.
38: <li>See a <a href="plus61.html">detailed log of changes</a> between the
39: 6.0 and 6.1 releases.
40: <p>
41: <li><a href="http://man.openbsd.org/signify.1">signify(1)</a>
42: pubkeys for this release:<br>
43: <pre>
1.5 deraadt 44: base: RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
45: fw: RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
46: pkg: RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
1.1 deraadt 47: </pre>
48: <p>
49: All applicable copyrights and credits are in the src.tar.gz,
50: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
51: files fetched via ports.tar.gz.
52: </ul>
53: <br clear=all>
54:
55: <hr>
56:
57: <h3 id="new"><font color="#0000e0">What's New</font></h3>
58:
59: This is a partial list of new features and systems included in OpenBSD 6.1.
60: For a comprehensive list, see the <a href="plus61.html">changelog</a> leading
61: to 6.1.
62:
63: <ul>
64: <li>New/extended platforms:
65: <ul>
1.21 schwarze 66: <li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> platform,
67: using <a href="http://man.openbsd.org/clang-local.1">clang(1)</a>
68: as the base system compiler.
1.52 visa 69: <li>The <a href="https://www.openbsd.org/loongson.html">loongson</a>
70: platform now supports systems with Loongson 3A CPU and RS780E chipset.
1.14 schwarze 71: <li>The following platforms were retired:
1.21 schwarze 72: <a href="https://www.openbsd.org/armish.html">armish</a>,
1.14 schwarze 73: <a href="https://www.openbsd.org/sparc.html">sparc</a>,
1.71 tb 74: <a href="https://www.openbsd.org/zaurus.html">zaurus</a>.
1.1 deraadt 75: </ul>
76: <p>
77:
78: <li>Improved hardware support, including:
79: <ul>
1.21 schwarze 80: <li>New <a href="http://man.openbsd.org/acpials.4">acpials(4)</a>
81: driver for ACPI ambient light sensor devices.
82: <li>New <a href="http://man.openbsd.org/acpihve.4">acpihve(4)</a>
83: driver for feeding Hyper-V entropy into the kernel pool.
1.62 jcs 84: <li>New <a href="http://man.openbsd.org/acpisbs.4">acpisbs(4)</a>
85: driver for ACPI Smart Battery devices.
1.23 jsg 86: <li>New <a href="http://man.openbsd.org/dwge.4">dwge(4)</a>
87: driver for Designware GMAC 10/100/Gigabit Ethernet devices.
1.21 schwarze 88: <li>New <a href="http://man.openbsd.org/loongson/htb.4">htb(4)</a>
89: driver for Loongson 3A PCI host bridges.
90: <li>New <a href="http://man.openbsd.org/hvn.4">hvn(4)</a>
91: driver for Hyper-V networking interfaces.
92: <li>New <a href="http://man.openbsd.org/hyperv.4">hyperv(4)</a>
93: driver for the Hyper-V guest nexus device.
94: <li>New <a href="http://man.openbsd.org/iatp.4">iatp(4)</a>
95: driver for the Atmel maXTouch touchpad and touchscreen.
96: <li>New <a href="http://man.openbsd.org/armv7/imxtemp.4">imxtemp(4)</a>
97: driver for Freescale i.MX6 temperature sensors.
98: <li>New <a href="http://man.openbsd.org/loongson/leioc.4">leioc(4)</a>
99: driver for the Loongson 3A low-end IO controller.
100: <li>New <a href="http://man.openbsd.org/octeon/octmmc.4">octmmc(4)</a>
1.4 visa 101: driver for the OCTEON MMC host controller.
1.21 schwarze 102: <li>New <a href="http://man.openbsd.org/armv7/ompinmux.4">ompinmux(4)</a>
103: driver for OMAP pin multiplexing.
104: <li>New <a href="http://man.openbsd.org/armv7/omwugen.4">omwugen(4)</a>
105: driver for OMAP wake-up generators.
106: <li>New <a href="http://man.openbsd.org/armv7/psci.4">psci(4)</a>
107: driver for the ARM Power State Coordination Interface.
108: <li>New <a href="http://man.openbsd.org/simplefb.4">simplefb(4)</a>
109: driver for the simple frame buffer on systems
1.23 jsg 110: using a device tree.
111: <li>New <a href="http://man.openbsd.org/armv7/sximmc.4">sximmc(4)</a>
112: driver for Allwinner A1X/A20 MMC/SD/SDIO controllers.
113: <li>New <a href="http://man.openbsd.org/tpm.4">tpm(4)</a>
114: driver for Trusted Platform Module devices.
1.21 schwarze 115: <li>New <a href="http://man.openbsd.org/uwacom.4">uwacom(4)</a>
116: driver for Wacom USB tablets.
117: <li>New <a href="http://man.openbsd.org/vmmci.4">vmmci(4)</a>
118: VMM control interface.
119: <li>New <a href="http://man.openbsd.org/xbf.4">xbf(4)</a>
120: driver for Xen Blkfront virtual disks.
121: <li>New <a href="http://man.openbsd.org/luna88k/xp.4">xp(4)</a>
122: driver for the LUNA-88K HD647180X I/O processor.
1.58 jsg 123: <li>Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs
124: has been added to the
125: <a href="http://man.openbsd.org/?query=em">em(4)</a> driver.
126: <li>Support for RTL8153 USB 3.0 Gigabit Ethernet based devices
127: has been added to the
128: <a href="http://man.openbsd.org/?query=ure">ure(4)</a> driver.
1.62 jcs 129: <li>Improved ACPI support for modern Apple hardware, including S3 suspend
130: and resume.
1.69 mikeb 131: <li>Support for X550 family of 10 Gigabit Ethernet based devices
132: has been added to the
133: <a href="http://man.openbsd.org/?query=ix">ix(4)</a> driver.
1.1 deraadt 134: </ul>
1.71 tb 135:
136: <p>
137: <li>New <a href="http://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
138: <a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a>:
139: <ul>
140: <li>Support for amd64 and i386 hosts.
141: <li>BIOS payload provided via vmm-firmware, delivered via
1.76 tb 142: <a href="http://man.openbsd.org/fw_update.1">fw_update(1)</a>.
1.71 tb 143: <li>Support for Linux guest VMs.
1.76 tb 144: <li>Better interrupt handling and legacy device emulation.
1.71 tb 145: <li><a href="http://man.openbsd.org/amd64/vmm.4">vmm(4)</a> no longer
146: requires VMX unrestricted guest capability (Nehalem and later CPUs
147: are sufficient).
148: <li>Removed bounce buffers previously used by
149: <a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a> for
150: <a href="http://man.openbsd.org/vio.4">vio(4)</a> and
151: <a href="http://man.openbsd.org/vioblk.4">vioblk(4)</a> devices.
152: <li>Support VMs with > 2GB RAM.
153: <li><a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a> uses
154: <a href="http://man.openbsd.org/pledge.2">pledge(2)</a> and the
155: fork+exec model.
156: <li><a href="http://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
157: expanded to include VM ownership rules (uid/gid).
158: <li><a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a>/
159: <a href="http://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
160: supports automatic
161: <a href="http://man.openbsd.org/bridge.4">bridge(4)</a> and
162: <a href="http://man.openbsd.org/switch.4">switch(4)</a> configuration
163: for VM network interfaces.
164: <li><a href="http://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
165: graceful VM shutdown via
166: <a href="http://man.openbsd.org/amd64/vmmci.4">vmmci(4)</a>.
167: </ul>
1.1 deraadt 168: <p>
169:
170: <li>IEEE 802.11 wireless stack improvements:
171: <ul>
1.28 stsp 172: <li>The <a href="http://man.openbsd.org/ral.4">ral(4)</a> driver
173: now supports Ralink RT3900E (RT5390, RT3292) devices.
174: <li>The <a href="http://man.openbsd.org/iwm.4">iwm(4)</a> and
175: <a href="http://man.openbsd.org/iwn.4">iwn(4)</a> drivers
176: now support the short guard interval (SGI) in 11n mode.
177: <li>Added a new implementation of MiRa, a rate adapation algorithm
178: designed for 802.11n.
179: <li>The <a href="http://man.openbsd.org/iwm.4">iwm(4)</a> driver
180: now supports 802.11n MIMO (MCS 0-15).
181: <li>The <a href="http://man.openbsd.org/athn.4">athn(4)</a> driver
182: now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode.
183: <li>The <a href="http://man.openbsd.org/iwn.4">iwn(4)</a> driver
184: now receives MIMO frames in monitor mode.
185: <li>The <a href="http://man.openbsd.org/rtwn.4">rtwn(4)</a> and
186: <a href="http://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
187: now use AMRR rate adaptation (8188EU and 8188CE devices only).
188: <li>TKIP/WPA1 was disabled by default because of inherent weaknesses
189: in this protocol.
1.1 deraadt 190: </ul>
191: <p>
192:
193: <li>Generic network stack improvements:
194: <ul>
1.14 schwarze 195: <li>New <a href="http://man.openbsd.org/switch.4">switch(4)</a>
196: pseudo-device together with new
197: <a href="http://man.openbsd.org/switchd.8">switchd(8)</a> and
198: <a href="http://man.openbsd.org/switchctl.8">switchctl(8)</a>
199: programs.
1.21 schwarze 200: <li>New <a href="http://man.openbsd.org/mobileip.4">mobileip(4)</a>
201: operation mode for the
202: <a href="http://man.openbsd.org/gre.4">gre(4)</a>
203: pseudo-device.
204: <li>Multipoint-to-multipoint mode in
205: <a href="http://man.openbsd.org/vxlan.4">vxlan(4)</a>.
1.18 bluhm 206: <li><a href="http://man.openbsd.org/route.8">route(8)</a>
207: and netstat -r display all routing flags correctly and they
208: are completely documented in the
209: <a href="http://man.openbsd.org/netstat.1">netstat(1)</a>
210: man page.
211: <li>When sending TCP streams they are locally stored in large
212: mbuf clusters to improve memory management.
213: The maximum TCP send and receive buffer size has been
1.67 claudio 214: increased from 256KB to 2MB.
1.18 bluhm 215: Note that this results in a different
216: <a href="http://man.openbsd.org/pf.4">pf(4)</a>
217: OS fingerprint for OpenBSD.
218: The default limit for mbuf clusters has been increased.
219: You can check the values with
220: <a href="http://man.openbsd.org/netstat.1">netstat(1)</a>
221: -m and adjust them with
222: <a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a>
223: kern.maxclusters.
224: <li>Make the TCP_NOPUSH flag work for
225: <a href="http://man.openbsd.org/listen.2">listen(2)</a>
226: sockets.
227: It is inherited by the socket returned from
228: <a href="http://man.openbsd.org/accept.2">accept(2)</a>.
229: <li>A lot of code has been removed or simplified to make the
230: transition to multi-processor easier.
231: Redesign the interrupt and multi-processor locks in the
232: network stack.
233: <li>When passing packets from the network stack to the
234: interface layer, make sure that they have no pointers to
235: <a href="http://man.openbsd.org/pf.4">pf(4)</a>
236: which could result in a memory free operation at the wrong
237: protection level.
238: <li>Fix checksum calculation in
239: <a href="http://man.openbsd.org/pf.4">pf(4)</a>
240: af-to ICMP packet conversions.
241: Simplify af-to processing in and fix path MTU discovery in
242: some corner cases.
243: <li>Improve IPv6 fragment processing.
244: Drop empty atomic fragments early.
245: Be more paranoid when IPv6 hop-by-hop headers appear after
246: fragment headers.
247: Follow RFC 5722 "Handling of Overlapping IPv6 Fragments"
248: more strictly in
249: <a href="http://man.openbsd.org/pf.4">pf(4)</a>.
250: RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates
251: generating atomic fragments, so do not send them anymore.
252: <li>Depending on the addresses,
253: <a href="http://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
254: may automatically group SA bundles together.
255: To make clear what is going on, the kernel provides this
256: information and ipsecctl -s sa prints IPsec SA bundles.
1.51 krw 257: <li>A new routing socket message type, RTM_PROPOSAL, was added to
258: facilitate future improvements to the network configuration process.
1.1 deraadt 259: </ul>
260: <p>
261:
262: <li>Installer improvements:
263: <ul>
1.45 tj 264: <li>The installer now uses privilege separation for fetching and
265: verifying the install sets.
266: <li>Install sets are now fetched over an HTTPS connection by default
267: when using a <a href="ftp.html">mirror</a> that supports it.
1.50 krw 268: <li>The installer now considers all of the DHCP information in filename,
269: bootfile-name, server-name, tftp-server-name, and next-server when
270: attempting to do automatic installs or upgrades.
271: <li>The installer no longer adds a route to an alias IP via 127.0.0.1, due
272: to improvements in the kernel routing components.
1.1 deraadt 273: </ul>
274: <p>
275:
276: <li>Routing daemons and other userland network improvements:
277: <ul>
1.10 florian 278: <li><a href="http://man.openbsd.org/ping.8">ping(8)</a> and
279: <a href="http://man.openbsd.org/ping6.8">ping6(8)</a> are now the same
280: binary and share the engine.
1.15 jca 281: <li><a href="http://man.openbsd.org/ripd.8">ripd(8)</a> now supports
282: p2p links with addresses in different subnets.
1.17 jca 283: <li>UDP speakers can specify an IPv4 source address using
284: <tt>IP_SENDSRCADDR</tt>.
285: <a href="http://man.openbsd.org/iked.8">iked(8)</a>
286: and <a href="http://man.openbsd.org/snmpd.8">snmpd(8)</a> now
287: use the proper source address when sending replies.
1.74 reyk 288: <li><a href="http://man.openbsd.org/iked.8">iked(8)</a> now
289: supports ECDSA and RFC 7427 signatures for authentication.
1.75 reyk 290: <li><a href="http://man.openbsd.org/iked.8">iked(8)</a> now
1.74 reyk 291: supports replying to IKEv2 responder cookies.
292: <li>Many fixes and improvements for
293: <a href="http://man.openbsd.org/iked.8">iked(8)</a> and
294: <a href="http://man.openbsd.org/ikectl.8">ikectl(8)</a>, including
295: various fixes for rekeying.
1.15 jca 296: <li><a href="http://man.openbsd.org/ospfd.8">ospfd(8)</a> and
297: <a href="http://man.openbsd.org/ospf6d.8">ospf6d(8)</a> now cope
298: with interface MTU change at runtime.
1.44 sthen 299: <li><a href="http://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
300: BGP Large Communities
301: (<a href="https://www.rfc-editor.org/rfc/rfc8092.txt">RFC 8092</a>).
302: <li><a href="http://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
303: BGP Administrative Shutdown Communication
304: (<a href="https://www.ietf.org/id/draft-ietf-idr-shutdown.txt">draft-ietf-idr-shutdown</a>).
1.1 deraadt 305: </ul>
306: <p>
307:
308: <li>Security improvements:
309: <ul>
1.3 visa 310: <li>Enforcement of userland W^X on OCTEON Plus and later.
1.32 guenther 311: <li>All shared libraries, all dynamic and static-PIE executables, and
312: <a href="http://man.openbsd.org/ld.so.1">ld.so(1)</a> itself use
1.29 guenther 313: the RELRO ("read-only after relocation") design such that
1.32 guenther 314: more of the initial data is protected as read-only.
1.3 visa 315: <li>The size of user virtual address space has been increased
316: from 2GB to 1TB on mips64.
1.73 tj 317: <li>PIE and -static -pie on arm.
1.17 jca 318: <li><a href="http://man.openbsd.org/route6d.8">route6d(8)</a> now
319: runs with fewer privileges.
1.18 bluhm 320: <li>For incoming TLS connections
321: <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
322: can validate client certificates with a given CA file.
1.24 tb 323: <li>The privileged parent process of
1.18 bluhm 324: <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
325: calls
326: <a href="http://man.openbsd.org/execve.2">exec(2)</a>
327: to reshuffle its random memory layout.
1.21 schwarze 328: <li>New function
329: <a href="http://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
330: to reduce the risk of incorrect clearing of memory before and after
1.27 schwarze 331: <a href="http://man.openbsd.org/reallocarray.3">reallocarray(3)</a>.
1.31 guenther 332: <li><a href="http://man.openbsd.org/sha2.3">SHA512_256</a> family
1.30 guenther 333: of functions added to libc.
1.34 guenther 334: <li>arm added to the list of archs where the
1.30 guenther 335: <a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a>
336: family of functions apply XOR cookies to stack and return-address
1.34 guenther 337: values in the jmpbuf.
1.30 guenther 338: <li><a href="http://man.openbsd.org/printf.3">printf(3)</a> family
339: of formatting functions now report to syslog when the %s
340: format is used with a NULL pointer.
1.36 otto 341: <li>Heap buffer overflow detection has been improved when the C
1.37 otto 342: <a href="http://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
343: The existing S option now includes C.
1.33 guenther 344: <li>Support for permitting non-root users to
345: <a href="http://man.openbsd.org/mount.8">mount(8)</a> filesystems
346: has been removed.
1.1 deraadt 347: </ul>
348: <p>
349:
1.49 krw 350: <li><a href="http://man.openbsd.org/dhclient.8">dhclient(8)</a>/
351: <a href="http://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
352: <a href="http://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
353: <ul>
354: <li>Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default.
355: <li>Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies).
356: <li>Stop leaking option data received on the udp socket.
357: <li>Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
358: <li>Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease.
359: <li>Use only leases from no SSID or the current SSID when restarting.
360: <li>Reduce default values for various timeouts to something more
361: appropriate to modern networks.
362: <li>Fix issues with redundant dhcpd servers and CARP'd interfaces.
363: <li>Switch to standard logging functions
1.59 krw 364: <li>Fix vis/unvis of strings in
365: <a href="http://man.openbsd.org/dhclient.8">dhclient(8)</a> leases files.
1.49 krw 366: </ul>
1.71 tb 367: <p>
1.44 sthen 368:
1.1 deraadt 369: <li>Assorted improvements:
370: <ul>
1.46 tj 371: <li>New <a href="http://man.openbsd.org/syspatch.8">syspatch(8)</a>
372: utility for security and reliability binary updates to the base
373: system.
1.24 tb 374: <li><a href="http://man.openbsd.org/acme-client.1">acme-client(1)</a>, a
375: privilege separated Automatic Certificate Management Environment
1.9 florian 376: (ACME) client written by Kristaps Dzonsons has been imported.
1.14 schwarze 377: <li>New, simplified
378: <a href="http://man.openbsd.org/xenodm.1">xenodm(1)</a>
379: X11 display manager forked from
380: <a href="http://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>.
1.13 schwarze 381: <li>Unicode version 8 character properties in the C library.
382: <li>Partial UTF-8 line editing support for
383: <a href="http://man.openbsd.org/ksh.1">ksh(1)</a> Vi input mode.
384: <li>UTF-8 support in
385: <a href="http://man.openbsd.org/column.1">column(1)</a>.
1.35 otto 386: <li>The performance and concurrency of the
387: <a href="http://man.openbsd.org/malloc.3">malloc(3)</a> family
388: in multi-threaded processes has been improved.
1.17 jca 389: <li>Estonian keyboard support.
390: <li><a href="http://man.openbsd.org/read.2">read(2)</a> on
391: directories now fails instead of returning 0.
392: <li>Support for the <tt>RES_USE_EDNS0</tt> and <tt>RES_USE_DNSSEC</tt>
393: flags has been added to the
394: <a href="http://man.openbsd.org/resolver.3">resolver(3)</a>
395: implementation.
1.18 bluhm 396: <li><a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
1.76 tb 397: limits the socket buffer for TCP and TLS connections to 64K
1.18 bluhm 398: to avoid wasting kernel memory.
399: <li><a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
400: supports the option -Z to print the timestamp in RFC 5424
401: ISO format.
402: This logs everything in UTC including the year, timezone
403: and fractions of seconds.
404: The default is still RFC 3164 BSD syslog time format.
1.72 bluhm 405: <li>When log files are rotated,
406: <a href="http://man.openbsd.org/newsyslog.8">newsyslog(8)</a>
407: writes the creation time in UTC ISO format into the first line.
1.18 bluhm 408: <li>The
409: <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
410: options -a, -T, and -U can be given more than once to specify
411: multiple input sources.
412: <li>Improve the
413: <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
414: output and diagnostics in case the klog buffer
415: overflows.
416: <li>Make SIGHUP handling in
417: <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
418: more reliable.
1.72 bluhm 419: <li>Let <a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
420: tolerate most errors on startup.
421: Keep running and receive messages from all working subsystems,
422: but do not die.
423: <li>The <a href="http://man.openbsd.org/syslog.3">syslog(3)</a>
424: priority of fatal and warning messages of various daemons
425: has been adjusted.
1.18 bluhm 426: <li>An NMI sends the amd64 kernel into
427: <a href="http://man.openbsd.org/ddb.4">ddb(4)</a>
428: more reliably.
1.32 guenther 429: <li><a href="http://man.openbsd.org/ld.so.1">ld.so(1)</a> now
430: supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS,
431: and DT_RUNPATH dynamic tags.
1.33 guenther 432: <li><a href="http://man.openbsd.org/kdump.1">kdump(1)</a>
1.44 sthen 433: now dumps the fds returned by
1.33 guenther 434: <a href="http://man.openbsd.org/pipe.2">pipe(2)</a> and
435: <a href="http://man.openbsd.org/socketpair.2">socketpair(2)</a>.
436: <li>Added support to <a href="http://man.openbsd.org/doas.1">doas(1)</a>
437: for session-locked persistent authentication.
1.34 guenther 438: <li>Use a hardware register for the thread pointer on arm for improved
439: performance in multi-threaded processes.
1.43 visa 440: <li>SGI boot blocks now consult the OpenBSD
441: <a href="http://man.openbsd.org/disklabel.5">disklabel(5)</a>
442: to locate the root filesystem.
443: This reduces constraints on disk partitioning.
444: <li><a href="http://man.openbsd.org/iec.4">iec(4)</a>
445: no longer hangs when its transmit ring gets full.
446: <li><a href="http://man.openbsd.org/sq.4">sq(4)</a>
447: has been fixed to accept broadcast frames in non-promiscuous mode
448: when no IP address is configured.
449: This lets the interface work with DHCP.
450: <li>Multiprocessor-safe PCI interrupt handlers are run
451: without the kernel lock on OpenBSD/sgi.
1.50 krw 452: <li><a href="http://man.openbsd.org/fdisk.8">fdisk(8)</a> now unconditionally
453: sets the size of the protective MBR's EFI GPT partition to UINT32_MAX.
454: <li><a href="http://man.openbsd.org/fdisk.8">fdisk(8)</a> now respects the
455: current MBR or GPT format when initializing a disk.
456: <li><a href="http://man.openbsd.org/softraid.4">softraid(4)</a> now uses
457: sufficient parallel i/o's to efficiently rebuild RAID5 volumes.
458: <li><a href="http://man.openbsd.org/asr_run.3">asr</a> now accepts UDP
459: packets of up to 4096 bytes to account for broken DNS servers.
460: <li><a href="http://man.openbsd.org/umass.4">umass(4)</a> no longer assumes
461: that ATAPI or UFI devices have only 1 LUN.
462: <li><a href="http://man.openbsd.org/scsi.4">scsi(4)</a> now correctly
463: detects end of tape on LTO5 devices.
1.63 beck 464: <li><a href="http://man.openbsd.org/httpd.8">httpd(8)</a> supports
465: SNI
466: via <a href="http://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
467: to allow for multiple https sites on a single IP address.
468: <li><a href="http://man.openbsd.org/ocspcheck.8">ocspheck(8)</a>
469: has been added, and can be used to check the OCSP status of
1.64 beck 470: certificates. The corresponding responses can be saved for later use in OCSP stapling.
1.63 beck 471: <li><a href="http://man.openbsd.org/httpd.8">httpd(8)</a> supports
472: OCSP stapling
473: via <a href="http://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
474: to permit OCSP responses to be stapled to the tls handshake
475: <li><a href="http://man.openbsd.org/nc.1">nc(1)</a> now also
476: supports OCSP stapling server side, and will show the stapling information
477: client side.
1.68 claudio 478: <li>Both <a href="http://man.openbsd.org/relayd.8">relayd(8)</a> and
479: <a href="http://man.openbsd.org/httpd.8">httpd(8)</a> support now
480: TLS session resumption using TLS session tickets.
481: See the respective configuration man page for more information.
1.72 bluhm 482: <li>With the -f option
483: <a href="http://man.openbsd.org/sensorsd.8">sensorsd(8)</a>
484: can use an alternative config file.
1.1 deraadt 485: </ul>
486: <p>
487:
488: <li>OpenSMTPD 6.0.0
489: <ul>
1.78 gilles 490: <li>Added support for providing an alternate subaddressing delimiter
491: <li>Made the daemon less verbose in logs when exiting
492: <li>Improved the io layer to simplify code accross the daemon
493: <li>Added support for matching authenticated sessions in the ruleset
494: <li>Assorted code and documentation cleanups
1.1 deraadt 495: </ul>
496: <p>
497:
1.12 matthieu 498: <li>OpenSSH 7.4
1.1 deraadt 499: <ul>
1.79 ! deraadt 500: <li>Security:
! 501: <ul>
! 502: <li>ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
! 503: outside a trusted whitelist (run-time configurable). Requests to
! 504: load modules could be passed via agent forwarding and an attacker
! 505: could attempt to load a hostile PKCS#11 module across the forwarded
! 506: agent channel: PKCS#11 modules are shared libraries, so this would
! 507: result in code execution on the system running the ssh-agent if the
! 508: attacker has control of the forwarded agent-socket (on the host
! 509: running the sshd server) and the ability to write to the filesystem
! 510: of the host running ssh-agent (usually the host running the ssh
! 511: client).
! 512: <li>sshd(8): When privilege separation is disabled, forwarded Unix-
! 513: domain sockets would be created by sshd(8) with the privileges of
! 514: 'root' instead of the authenticated user. This release refuses
! 515: Unix-domain socket forwarding when privilege separation is disabled
! 516: (Privilege separation has been enabled by default for 14 years).
! 517: <li>sshd(8): Avoid theoretical leak of host private key material to
! 518: privilege-separated child processes via realloc() when reading
! 519: keys. No such leak was observed in practice for normal-sized keys,
! 520: nor does a leak to the child processes directly expose key material
! 521: to unprivileged users.
! 522: <li>sshd(8): The shared memory manager used by pre-authentication
! 523: compression support had a bounds checks that could be elided by
! 524: some optimising compilers. Additionally, this memory manager was
! 525: incorrectly accessible when pre-authentication compression was
! 526: disabled. This could potentially allow attacks against the
! 527: privileged monitor process from the sandboxed privilege-separation
! 528: process (a compromise of the latter would be required first).
! 529: This release removes support for pre-authentication compression
! 530: from sshd(8).
! 531: <li>sshd(8): Fix denial-of-service condition where an attacker who
! 532: sends multiple KEXINIT messages may consume up to 128MB per
! 533: connection.
! 534: <li>sshd(8): Validate address ranges for AllowUser and DenyUsers
! 535: directives at configuration load time and refuse to accept invalid
! 536: ones. It was previously possible to specify invalid CIDR address
! 537: ranges (e.g. user@127.1.2.3/55) and these would always match,
! 538: possibly resulting in granting access where it was not intended.
! 539: <li>ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
! 540: that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
! 541: <li>sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
! 542: a recursive file transfer could be maniuplated by a hostile server to
! 543: perform a path-traversal attack. creating or modifying files outside
! 544: of the intended target directory.
! 545: </ul>
! 546: <li>New/changed features:
! 547: <ul>
! 548: <li>Server support for the SSH v.1 protocol has been removed.
! 549: <li>ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
! 550: block ciphers are not safe in 2016 and we don't want to wait until
! 551: attacks like SWEET32 are extended to SSH. As 3des-cbc was the
! 552: only mandatory cipher in the SSH RFCs, this may cause problems
! 553: connecting to older devices using the default configuration,
! 554: but it's highly likely that such devices already need explicit
! 555: configuration for key exchange and hostkey algorithms already
! 556: anyway.
! 557: <li>sshd(8): Remove support for pre-authentication compression.
! 558: Doing compression early in the protocol probably seemed reasonable
! 559: in the 1990s, but today it's clearly a bad idea in terms of both
! 560: cryptography (cf. multiple compression oracle attacks in TLS) and
! 561: attack surface. Pre-auth compression support has been disabled by
! 562: default for >10 years. Support remains in the client.
! 563: <li>ssh-agent will refuse to load PKCS#11 modules outside a whitelist
! 564: of trusted paths by default. The path whitelist may be specified
! 565: at run-time.
! 566: <li>sshd(8): When a forced-command appears in both a certificate and
! 567: an authorized keys/principals command= restriction, sshd will now
! 568: refuse to accept the certificate unless they are identical.
! 569: The previous (documented) behaviour of having the certificate
! 570: forced-command override the other could be a bit confusing and
! 571: error-prone.
! 572: <li>sshd(8): Remove the UseLogin configuration directive and support
! 573: for having /bin/login manage login sessions.
! 574: <li>ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
! 575: version in PuTTY by Simon Tatham. This allows a multiplexing
! 576: client to communicate with the master process using a subset of
! 577: the SSH packet and channels protocol over a Unix-domain socket,
! 578: with the main process acting as a proxy that translates channel
! 579: IDs, etc. This allows multiplexing mode to run on systems that
! 580: lack file- descriptor passing (used by current multiplexing
! 581: code) and potentially, in conjunction with Unix-domain socket
! 582: forwarding, with the client and multiplexing master process on
! 583: different machines. Multiplexing proxy mode may be invoked using
! 584: "ssh -O proxy ..."
! 585: <li>sshd(8): Add a sshd_config DisableForwarding option that disables
! 586: X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
! 587: as anything else we might implement in the future. Like the
! 588: 'restrict' authorized_keys flag, this is intended to be a simple
! 589: and future-proof way of restricting an account.
! 590: <li>sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
! 591: method. This is identical to the currently-supported method named
! 592: "curve25519-sha256@libssh.org".
! 593: <li>sshd(8): Improve handling of SIGHUP by checking to see if sshd is
! 594: already daemonised at startup and skipping the call to daemon(3)
! 595: if it is. This ensures that a SIGHUP restart of sshd(8) will
! 596: retain the same process-ID as the initial execution. sshd(8) will
! 597: also now unlink the PidFile prior to SIGHUP restart and re-create
! 598: it after a successful restart, rather than leaving a stale file in
! 599: the case of a configuration error.
! 600: <li>sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
! 601: directives to appear in sshd_config Match blocks.
! 602: <li>sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
! 603: those supported by AuthorizedKeysCommand (key, key type,
! 604: fingerprint, etc.) and a few more to provide access to the
! 605: contents of the certificate being offered.
! 606: <li>Added regression tests for string matching, address matching and
! 607: string sanitisation functions.
! 608: <li>Improved the key exchange fuzzer harness.
! 609: <li>Deprecate the sshd_config UsePrivilegeSeparation
! 610: option, thereby making privilege separation mandatory. Privilege
! 611: separation has been on by default for almost 15 years and
! 612: sandboxing has been on by default for almost the last five.
! 613: <li>ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
! 614: algorithm lists, e.g. Ciphers=-*cbc.
! 615: </ul>
! 616: <li>The following significant bugs have been fixed in this release:
! 617: <ul>
! 618: <li>ssh(1): Allow IdentityFile to successfully load and use
! 619: certificates that have no corresponding bare public key.
! 620: certificate id_rsa-cert.pub (and no id_rsa.pub).
! 621: <li>ssh(1): Fix public key authentication when multiple
! 622: authentication is in use and publickey is not just the first
! 623: method attempted.
! 624: <li>ssh-agent(1), ssh(1): improve reporting when attempting to load
! 625: keys from PKCS#11 tokens with fewer useless log messages and more
! 626: detail in debug messages.
! 627: <li>ssh(1): When tearing down ControlMaster connections, don't
! 628: pollute stderr when LogLevel=quiet.
! 629: <li>sftp(1): On ^Z wait for underlying ssh(1) to suspend before
! 630: suspending sftp(1) to ensure that ssh(1) restores the terminal mode
! 631: correctly if suspended during a password prompt.
! 632: <li>ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
! 633: prompt.
! 634: <li>ssh(1), sshd(8): Correctly report errors during sending of ext-
! 635: info messages.
! 636: <li>sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
! 637: sequence NEWKEYS message.
! 638: <li>sshd(8): Correct list of supported signature algorithms sent in
! 639: the server-sig-algs extension.
! 640: <li>sshd(8): Fix sending ext_info message if privsep is disabled.
! 641: <li>sshd(8): more strictly enforce the expected ordering of privilege
! 642: separation monitor calls used for authentication and allow them
! 643: only when their respective authentication methods are enabled
! 644: in the configuration
! 645: <li>sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
! 646: on Unix/BSD but potentially crashy on Cygwin.
! 647: <li>Fix false positive reports caused by explicit_bzero(3) not being
! 648: recognised as a memory initialiser when compiled with
! 649: -fsanitize-memory.
! 650: <li>sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
! 651: configuration examples.
! 652: <li>sshd(1): Fix NULL dereference crash when key exchange start
! 653: messages are sent out of sequence.
! 654: <li>ssh(1), sshd(8): Allow form-feed characters to appear in
! 655: configuration files.
! 656: <li>sshd(8): Fix regression in OpenSSH 7.4 support for the
! 657: server-sig-algs extension, where SHA2 RSA signature methods were
! 658: not being correctly advertised.
! 659: <li>ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
! 660: known_hosts processing.
! 661: <li>ssh(1): Allow ssh to use certificates accompanied by a private key
! 662: file but no corresponding plain *.pub public key.
! 663: <li>ssh(1): When updating hostkeys using the UpdateHostKeys option,
! 664: accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
! 665: Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
! 666: methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
! 667: method.
! 668: <li>ssh(1): Detect and report excessively long configuration file
! 669: lines.
! 670: <li>Merge a number of fixes found by Coverity and reported via Redhat
! 671: and FreeBSD. Includes fixes for some memory and file descriptor
! 672: leaks in error paths.
! 673: <li>ssh-keyscan(1): Correctly hash hosts with a port number.
! 674: <li>ssh(1), sshd(8): When logging long messages to stderr, don't truncate
! 675: "\r\n" if the length of the message exceeds the buffer.
! 676: <li>ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
! 677: line; avoid confusion over IPv6 addresses and shells that treat
! 678: square bracket characters specially.
! 679: <li>ssh-keygen(1): Fix corruption of known_hosts when running
! 680: "ssh-keygen -H" on a known_hosts containing already-hashed entries.
! 681: <li>Fix various fallout and sharp edges caused by removing SSH protocol
! 682: 1 support from the server, including the server banner string being
! 683: incorrectly terminated with only \n (instead of \r\n), confusing
! 684: error messages from ssh-keyscan a segfault in sshd
! 685: if protocol v.1 was enabled for the client and sshd_config
! 686: contained references to legacy keys.
! 687: <li>ssh(1), sshd(8): Free fd_set on connection timeout.
! 688: <li>sshd(8): Fix Unix domain socket forwarding for root (regression in
! 689: OpenSSH 7.4).
! 690: <li>sftp(1): Fix division by zero crash in "df" output when server
! 691: returns zero total filesystem blocks/inodes.
! 692: <li>ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
! 693: encountered during key loading to more meaningful error codes.
! 694: <li>ssh-keygen(1): Sanitise escape sequences in key comments sent to
! 695: printf but preserve valid UTF-8 when the locale supports it.
! 696: <li>ssh(1), sshd(8): Return reason for port forwarding failures where
! 697: feasible rather than always "administratively prohibited".
! 698: <li>sshd(8): Fix deadlock when AuthorizedKeysCommand or
! 699: AuthorizedPrincipalsCommand produces a lot of output and a key is
! 700: matched early.
! 701: <li>ssh(1): Fix typo in ~C error message for bad port forward
! 702: cancellation.
! 703: <li>ssh(1): Show a useful error message when included config files
! 704: can't be opened.
! 705: <li>sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
! 706: (previously incorrectly) advertised.
! 707: <li>sshd_config(5): Repair accidentally-deleted mention of %k token
! 708: in AuthorizedKeysCommand.
! 709: <li>sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
! 710: <li>ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
! 711: common 32-bit compatibility library directories.
! 712: <li>sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
! 713: response handling.
! 714: <li>ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
! 715: keys. It was not possible to delete them except by specifying
! 716: their full physical path.
! 717: </ul>
1.1 deraadt 718: </ul>
719: <p>
720:
1.61 beck 721: <li>LibreSSL 2.5.3
722: <ul>
723:
724: <li> libtls now supports ALPN and SNI
725:
726: <li> libtls adds a new callback interface for integrating custom IO
727: functions. Thanks to Tobias Pape.
728:
729: <li> libtls now handles 4 cipher suite groups:
730: <Ul>
731: <li> "secure" (TLSv1.2+AEAD+PFS)
732: <li> "compat" (HIGH:!aNULL)
733: <li> "legacy" (HIGH:MEDIUM:!aNULL)
734: <li> "insecure" (ALL:!aNULL:!eNULL)
735: </ul>
736: This allows for flexibility and finer grained control, rather than
737: having two extremes (an issue raised by Marko Kreen some time ago).
738:
739: <li> Tightened error handling for tls_config_set_ciphers().
740:
741: <li> libtls now always loads CA, key and certificate files at the time the
742: configuration function is called. This simplifies code and results in
743: a single memory based code path being used to provide data to libssl.
744:
745: <li> Add support for OCSP intermediate certificates.
746:
747: <li> Added functions used by stunnel and exim from BoringSSL - this
748: brings in X509_check_host, X509_check_email, X509_check_ip, and
749: X509_check_ip_asc.
750:
751: <li> Added initial support for iOS, thanks to Jacob Berkman.
752:
753: <li> Improved behavior of arc4random on Windows when using memory leak
754: analysis software.
755:
756: <li> Correctly handle an EOF that occurs prior to the TLS handshake
757: completing. Reported by Vasily Kolobkov, based on a diff from Marko
758: Kreen.
759:
760: <li> Limit the support of the "backward compatible" ssl2 handshake to
761: only be used if TLS 1.0 is enabled.
762:
763: <li> Fix incorrect results in certain cases on 64-bit systems when
764: BN_mod_word() can return incorrect results. BN_mod_word() now can
765: return an error condition. Thanks to Brian Smith.
766:
767: <li> Added constant-time updates to address CVE-2016-0702
768:
769: <li> Fixed undefined behavior in BN_GF2m_mod_arr()
770:
771: <li> Removed unused Cryptographic Message Support (CMS)
772:
773: <li> More conversions of long long idioms to time_t
774:
775: <li> Improved compatibility by avoiding printing NULL strings with
776: printf.
777:
778: <li> Reverted change that cleans up the EVP cipher context in
779: EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
780: previous behaviour.
781:
782: <li> Avoid unbounded memory growth in libssl, which can be triggered
783: by a TLS client repeatedly renegotiating and sending OCSP Status
784: Request TLS extensions.
785:
786: <li> Avoid falling back to a weak digest for (EC)DH when using SNI
787: with libssl.
788:
789: <li> X509_cmp_time() now passes a malformed GeneralizedTime field as
790: an error. Reported by Theofilos Petsios.
791:
792: <li> Detect zero-length encrypted session data early, instead of when
793: malloc(0) fails or the HMAC check fails. Noted independently by
794: jsing@ and Kurt Cancemi.
795:
796: <li> Check for and handle failure of HMAC_{Update,Final} or
797: EVP_DecryptUpdate().
798:
799: <li> Massive update and normalization of manpages, conversion to
800: mandoc format. Many pages were rewritten for clarity and accuracy.
801: Portable doc links are up-to-date with a new conversion tool.
802:
803: <li> Curve25519 Key Exchange support.
804:
805: <li> Support for alternate chains for certificate verification.
806:
807: <li> Code cleanups, CBB conversions, further unification of DTLS/SSL
808: handshake code, further ASN1 macro expansion and removal.
809:
1.64 beck 810: <li> Private symbols are now hidden in libssl and libcrypto.
1.61 beck 811:
812: <li> Friendly certificate verification error messages in libtls, peer
813: verification is now always enabled.
814:
1.64 beck 815: <li> Added OCSP stapling support to libtls and nc.
1.61 beck 816:
817: <li> Added ocspcheck utility to validate a certificate against its OCSP
818: responder and save the reply for stapling
819:
820: <li> Enhanced regression tests and error handling for libtls.
821:
822: <li> Added explicit constant and non-constant time BN functions,
823: defaulting to constant time wherever possible.
824:
825: <li> Moved many leaked implementation details in public structs behind
826: opaque pointers.
827:
828: <li> Added ticket support to libtls.
829:
830: <li> Added support for setting the supported EC curves via
831: SSL{_CTX}_set1_groups{_list}() - also provide defines for the
832: previous SSL{_CTX}_set1_curves{_list} names. This also changes
833: the default list of curves to be X25519, P-256 and P-384. All
834: other curves must be manually enabled.
835:
836: <li> Added -groups option to openssl(1) s_client for specifying the
837: curves to be used in a colon-separated list.
838:
839: <li> Merged client/server version negotiation code paths into one,
840: reducing much duplicate code.
841:
842: <li> Removed error function codes from libssl and libcrypto.
843:
844: <li> Fixed an issue where a truncated packet could crash via an OOB
845: read.
846:
847: <li> Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
848: client-initiated renegotiation. This is the default for libtls
849: servers.
850:
851: <li> Avoid a side-channel cache-timing attack that can leak the ECDSA
852: private keys when signing. This is due to BN_mod_inverse() being
853: used without the constant time flag being set. Reported by Cesar
854: Pereida Garcia and Billy Brumley (Tampere University of
855: Technology). The fix was developed by Cesar Pereida Garcia.
856:
857: <li> iOS and MacOS compatibility updates from Simone Basso and Jacob
858: Berkman.
859:
860: <li> Added the recallocarray(3) memory allocation function, and
861: converted various places in the library to use it, such as CBB
862: and BUF_MEM_grow. recallocarray(3) is similar to
863: reallocarray. Newly allocated memory is cleared similar to
864: calloc(3). Memory that becomes unallocated while shrinking or
865: moving existing allocations is explicitly discarded by unmapping
866: or clearing to 0.
867:
868: <li> Added new root CAs from SECOM Trust Systems / Security
869: Communication of Japan.
870:
871: <li> Added EVP interface for MD5+SHA1 hashes.
872:
873: <li> Fixed DTLS client failures when the server sends a certificate
874: request.
875:
876: <li> Correct handling of padding when upgrading an SSLv2 challenge
877: into an SSLv3/TLS connection.
878:
879: <li> Allow protocols and ciphers to be set on a TLS config object in
880: libtls.
881:
882: <li> Improved nc(1) TLS handshake CPU usage and server-side error
1.65 beck 883: reporting.
884:
885: <li> Add a constant time version of BN_gcd and use it default for
886: BN_gcd to avoid the possibility of sidechannel timing attacks
887: against RSA private key generation - Thanks to Alejandro
888: Cabrera <aldaya@gmail.com>
889:
1.61 beck 890: </ul>
1.1 deraadt 891: <p>
892:
1.13 schwarze 893: <li>mandoc 1.14.1
894: <ul>
895: <li>New <a href="http://man.openbsd.org/mandoc.db.5">mandoc.db(5)</a>
896: file format: <a href="http://man.openbsd.org/man.1">man(1)</a>,
897: <a href="http://man.openbsd.org/apropos.1">apropos(1)</a>, and
898: <a href="http://man.openbsd.org/makewhatis.8">makewhatis(8)</a>
899: no longer need SQLite3.
900: <li>Much improved HTML output and CSS.
901: <li>In <a href="http://man.openbsd.org/man.1">man(1)</a>, internal
902: searching with <a href="http://man.openbsd.org/less.1">less(1)</a>
903: <code>:t</code> has been improved.
1.25 schwarze 904: <li>New <a href="http://man.openbsd.org/mandoc.1">mandoc(1)</a>
905: <code>-mdoc -T markdown</code> output mode
906: (already a post-1.14.1 feature).
1.13 schwarze 907: </ul>
908: <p>
909:
1.1 deraadt 910: <li>Ports and packages:
911: <dl>
912: <dt>Many pre-built packages for each architecture:
913: </dl>
914: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
915: <table border=0 cellspacing=0 cellpadding=2 width="95%">
916: <tr>
917: <td valign="top" width="25%">
918: <ul>
1.77 deraadt 919: <li>alpha: 7413
920: <li>amd64: 9714
921: <li>arm: 7867
1.1 deraadt 922: </ul></td><td valign=top width="25%"><ul>
1.77 deraadt 923: <li>hppa: 6353
924: <li>i386: 9697
925: <li>mips64: 8072
1.1 deraadt 926: </ul></td><td valign=top width="25%"><ul>
1.77 deraadt 927: <li>mips64el: 6880
928: <li>powerpc: 7703
929: <li>sparc64: 8606
1.1 deraadt 930: </ul></td></tr></table>
931: <p>
932:
933: <dl>
934: <dt>Some highlights:
935: </dl>
936: <table border=0 cellspacing=0 cellpadding=2 width="95%">
937: <tr>
938: <td valign="top" width="50%"><ul>
1.39 jsg 939: <li>AFL 2.39b
1.55 jsg 940: <li>Chromium 57.0.2987.133
1.26 lteo 941: <li>Emacs 21.4 and 25.1
942: <li>GCC 4.9.4
1.1 deraadt 943: <li>GHC 7.10.3
1.12 matthieu 944: <li>Gimp 2.8.18
1.26 lteo 945: <li>GNOME 3.22.2
1.12 matthieu 946: <li>Go 1.8
1.1 deraadt 947: <li>Groff 1.22.3
1.12 matthieu 948: <li>JDK 7u80 and 8u121
1.1 deraadt 949: <li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
1.39 jsg 950: <li>LLVM/Clang 4.0.0
1.12 matthieu 951: <li>LibreOffice 5.2.4.2
952: <li>Lua 5.1.5, 5.2.4, and 5.3.4
1.40 sthen 953: <li>MariaDB 10.0.30
1.12 matthieu 954: <li>Mono 4.6.2.6
1.55 jsg 955: <li>Mozilla Firefox 52.0.2esr and 52.0.2
1.26 lteo 956: <li>Mozilla Thunderbird 45.8.0
1.1 deraadt 957: </ul></td><td valign=top width="50%"><ul>
1.12 matthieu 958: <li>Mutt 1.8.0
1.57 lteo 959: <li>Node.js 6.10.1
1.26 lteo 960: <li>Ocaml 4.03.0
1.1 deraadt 961: <li>OpenLDAP 2.3.43 and 2.4.44
1.12 matthieu 962: <li>PHP 5.5.38, 5.6.30, and 7.0.16
963: <li>Postfix 3.2.0 and 3.3-20170218
964: <li>PostgreSQL 9.6.2
965: <li>Python 2.7.13, 3.4.5, 3.5.2 and 3.6.0
1.42 tb 966: <li>R 3.3.3
1.57 lteo 967: <li>Ruby 1.8.7.374, 2.1.9, 2.2.6, 2.3.3 and 2.4.1
1.48 danj 968: <li>Rust 1.16.0
1.1 deraadt 969: <li>Sendmail 8.15.2
1.13 schwarze 970: <li>SQLite3 3.17.0
1.12 matthieu 971: <li>Sudo 1.8.19.2
1.1 deraadt 972: <li>Tcl/Tk 8.5.18 and 8.6.4
973: <li>TeX Live 2015
1.12 matthieu 974: <li>Vim 8.0.0388
1.1 deraadt 975: <li>Xfce 4.12
976: </ul></td></tr></table>
977: <p>
978:
979: <li>As usual, steady improvements in manual pages and other documentation.
980: <p>
981:
982: <li>The system includes the following major components from outside suppliers:
983: <ul>
984: <li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
1.47 jsg 985: freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
1.12 matthieu 986: xkeyboard-config 2.20 and more)
1.55 jsg 987: <li>LLVM/Clang 4.0.0 (+ patches)
1.1 deraadt 988: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.8 florian 989: <li>Perl 5.24.1 (+ patches)
1.6 florian 990: <li>NSD 4.1.15
991: <li>Unbound 1.6.1
1.1 deraadt 992: <li>Ncurses 5.7
993: <li>Binutils 2.17 (+ patches)
994: <li>Gdb 6.3 (+ patches)
995: <li>Awk Aug 10, 2011 version
996: <li>Expat 2.1.1
997: </ul>
998: </ul>
999:
1000: <hr>
1001:
1002: <h3 id="install"><font color="#0000e0">How to install</font></h3>
1003:
1.20 tj 1004: Please refer to the following files on the mirror site for
1.1 deraadt 1005: extensive details on how to install OpenBSD 6.1 on your machine:
1006:
1007: <ul>
1008: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/alpha/INSTALL.alpha">
1.20 tj 1009: .../OpenBSD/6.1/alpha/INSTALL.alpha</a>
1.1 deraadt 1010: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/amd64/INSTALL.amd64">
1.20 tj 1011: .../OpenBSD/6.1/amd64/INSTALL.amd64</a>
1.54 jsg 1012: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/arm64/INSTALL.arm64">
1.56 jsg 1013: .../OpenBSD/6.1/arm64/INSTALL.arm64</a>
1.1 deraadt 1014: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/armv7/INSTALL.armv7">
1015: .../OpenBSD/6.1/armv7/INSTALL.armv7</a>
1016: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/hppa/INSTALL.hppa">
1017: .../OpenBSD/6.1/hppa/INSTALL.hppa</a>
1.41 tb 1018: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/i386/INSTALL.i386">
1019: .../OpenBSD/6.1/i386/INSTALL.i386</a>
1.1 deraadt 1020: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/landisk/INSTALL.landisk">
1021: .../OpenBSD/6.1/landisk/INSTALL.landisk</a>
1022: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/loongson/INSTALL.loongson">
1023: .../OpenBSD/6.1/loongson/INSTALL.loongson</a>
1024: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/luna88k/INSTALL.luna88k">
1025: .../OpenBSD/6.1/luna88k/INSTALL.luna88k</a>
1.41 tb 1026: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/macppc/INSTALL.macppc">
1027: .../OpenBSD/6.1/macppc/INSTALL.macppc</a>
1.1 deraadt 1028: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/octeon/INSTALL.octeon">
1029: .../OpenBSD/6.1/octeon/INSTALL.octeon</a>
1030: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sgi/INSTALL.sgi">
1031: .../OpenBSD/6.1/sgi/INSTALL.sgi</a>
1.41 tb 1032: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sparc64/INSTALL.sparc64">
1033: .../OpenBSD/6.1/sparc64/INSTALL.sparc64</a>
1.1 deraadt 1034: </ul>
1035:
1036: <hr>
1037:
1038: <p>
1039: Quick installer information for people familiar with OpenBSD, and the use of
1040: the "<a href="http://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1041: If you are at all confused when installing OpenBSD, read the relevant
1042: INSTALL.* file as listed above!
1043:
1.41 tb 1044: <h3><font color="#e00000">OpenBSD/alpha:</font></h3>
1.1 deraadt 1045:
1046: <ul style="list-style-type: none">
1047: <li>
1.41 tb 1048: Write <i>floppy61.fs</i> or <i>floppyB61.fs</i> (depending on your machine)
1049: to a diskette and enter <i>boot dva0</i>.
1050: Refer to INSTALL.alpha for more details.
1.1 deraadt 1051: <p>
1052: <li>
1.41 tb 1053: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1054: will most likely fail.
1.1 deraadt 1055: </ul>
1056:
1057: <h3><font color="#e00000">OpenBSD/amd64:</font></h3>
1058:
1059: <ul style="list-style-type: none">
1060: <li>
1.20 tj 1061: If your machine can boot from CD, you can write <i>install61.iso</i> or
1062: <i>cd61.iso</i> to a CD and boot from it.
1063: You may need to adjust your BIOS options first.
1.1 deraadt 1064: <p>
1065: <li>
1.11 tb 1066: If your machine can boot from USB, you can write <i>install61.fs</i> or
1067: <i>miniroot61.fs</i> to a USB stick and boot from it.
1.1 deraadt 1068: <p>
1069: <li>
1070: If you can't boot from a CD, floppy disk, or USB,
1071: you can install across the network using PXE as described in the included
1072: INSTALL.amd64 document.
1073: <p>
1074: <li>
1075: If you are planning to dual boot OpenBSD with another OS, you will need to
1076: read INSTALL.amd64.
1.54 jsg 1077: </ul>
1078:
1079: <h3><font color="#e00000">OpenBSD/arm64:</font></h3>
1080:
1081: <ul style="list-style-type: none">
1082: <li>
1083: Write <i>miniroot61.fs</i> to a disk and boot from it after connecting
1084: to the serial console. Refer to INSTALL.arm64 for more details.
1085: <p>
1.1 deraadt 1086: </ul>
1087:
1.41 tb 1088: <h3><font color="#e00000">OpenBSD/armv7:</font></h3>
1.1 deraadt 1089:
1090: <ul style="list-style-type: none">
1091: <li>
1.41 tb 1092: Write a system specific miniroot to an SD card and boot from it after connecting
1093: to the serial console. Refer to INSTALL.armv7 for more details.
1.1 deraadt 1094: <p>
1095: </ul>
1096:
1.41 tb 1097: <h3><font color="#e00000">OpenBSD/hppa:</font></h3>
1.1 deraadt 1098:
1099: <ul style="list-style-type: none">
1100: <li>
1.41 tb 1101: Boot over the network by following the instructions in INSTALL.hppa or the
1102: <a href="hppa.html#install">hppa platform page</a>.
1.1 deraadt 1103: </ul>
1104:
1.41 tb 1105: <h3><font color="#e00000">OpenBSD/i386:</font></h3>
1.1 deraadt 1106:
1107: <ul style="list-style-type: none">
1108: <li>
1.41 tb 1109: If your machine can boot from CD, you can write <i>install61.iso</i> or
1110: <i>cd61.iso</i> to a CD and boot from it.
1111: You may need to adjust your BIOS options first.
1.1 deraadt 1112: <p>
1113: <li>
1.41 tb 1114: If your machine can boot from USB, you can write <i>install61.fs</i> or
1115: <i>miniroot61.fs</i> to a USB stick and boot from it.
1116: <p>
1.1 deraadt 1117: <li>
1.41 tb 1118: If you can't boot from a CD, floppy disk, or USB,
1119: you can install across the network using PXE as described in
1120: the included INSTALL.i386 document.
1.1 deraadt 1121: <p>
1122: <li>
1.41 tb 1123: If you are planning on dual booting OpenBSD with another OS, you will need to
1124: read INSTALL.i386.
1.1 deraadt 1125: </ul>
1126:
1127: <h3><font color="#e00000">OpenBSD/landisk:</font></h3>
1128:
1129: <ul style="list-style-type: none">
1130: <li>
1.11 tb 1131: Write <i>miniroot61.fs</i> to the start of the CF
1.1 deraadt 1132: or disk, and boot normally.
1133: </ul>
1134:
1135: <h3><font color="#e00000">OpenBSD/loongson:</font></h3>
1136:
1137: <ul style="list-style-type: none">
1138: <li>
1.11 tb 1139: Write <i>miniroot61.fs</i> to a USB stick and boot bsd.rd from it
1.1 deraadt 1140: or boot bsd.rd via tftp.
1141: Refer to the instructions in INSTALL.loongson for more details.
1142: </ul>
1143:
1144: <h3><font color="#e00000">OpenBSD/luna88k:</font></h3>
1145:
1146: <ul style="list-style-type: none">
1147: <li>
1148: Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1149: from the PROM, and then bsd.rd from the bootloader.
1150: Refer to the instructions in INSTALL.luna88k for more details.
1151: </ul>
1152:
1.41 tb 1153: <h3><font color="#e00000">OpenBSD/macppc:</font></h3>
1154:
1155: <ul style="list-style-type: none">
1156: <li>
1157: Burn the image from a mirror site to a CDROM, and power on your machine
1158: while holding down the <i>C</i> key until the display turns on and
1159: shows <i>OpenBSD/macppc boot</i>.
1160: <p>
1161: <li>
1162: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1163: /6.1/macppc/bsd.rd</i>
1164: </ul>
1165:
1.1 deraadt 1166: <h3><font color="#e00000">OpenBSD/octeon:</font></h3>
1167:
1168: <ul style="list-style-type: none">
1169: <li>
1170: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1171: Refer to the instructions in INSTALL.octeon for more details.
1172: </ul>
1173:
1174: <h3><font color="#e00000">OpenBSD/sgi:</font></h3>
1175:
1176: <ul style="list-style-type: none">
1177: <li>
1.11 tb 1178: To install, burn cd61.iso on a CD-R, put it in the CD drive of your
1.1 deraadt 1179: machine and select <i>Install System Software</i> from the System Maintenance
1180: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
1181: CD-ROM, and need a proper invocation from the PROM prompt.
1182: Refer to the instructions in INSTALL.sgi for more details.
1183:
1184: <p>
1185: <li>
1186: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
1187: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
1188: system type. Refer to the instructions in INSTALL.sgi for more details.
1.41 tb 1189: </ul>
1190:
1191: <h3><font color="#e00000">OpenBSD/sparc64:</font></h3>
1192:
1193: <ul style="list-style-type: none">
1194: <li>
1195: Burn the image from a mirror site to a CDROM, boot from it, and type
1196: <i>boot cdrom</i>.
1197: <p>
1198: <li>
1199: If this doesn't work, or if you don't have a CDROM drive, you can write
1200: <i>floppy61.fs</i> or <i>floppyB61.fs</i>
1201: (depending on your machine) to a floppy and boot it with <i>boot
1202: floppy</i>. Refer to INSTALL.sparc64 for details.
1203: <p>
1204: <li>
1205: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1206: will most likely fail.
1207: <p>
1208: <li>
1209: You can also write <i>miniroot61.fs</i> to the swap partition on
1210: the disk and boot with <i>boot disk:b</i>.
1211: <p>
1212: <li>
1213: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1.1 deraadt 1214: </ul>
1215:
1216: <hr>
1217:
1218: <h3 id="upgrade"><font color="#0000e0">How to upgrade</font></h3>
1219:
1.11 tb 1220: If you already have an OpenBSD 6.0 system, and do not want to reinstall,
1.1 deraadt 1221: upgrade instructions and advice can be found in the
1.11 tb 1222: <a href="faq/upgrade61.html">Upgrade Guide</a>.
1.1 deraadt 1223: <p>
1224:
1225: <hr>
1226:
1227: <h3 id="sourcecode"><font color="#0000e0">Notes about the source code</font></h3>
1228:
1229: <tt>src.tar.gz</tt> contains a source archive starting at <tt>/usr/src</tt>.
1230: This file contains everything you need except for the kernel sources,
1231: which are in a separate archive.
1232: To extract:
1233:
1234: <blockquote><pre>
1235: # <b>mkdir -p /usr/src</b>
1236: # <b>cd /usr/src</b>
1237: # <b>tar xvfz /tmp/src.tar.gz</b>
1238: </pre></blockquote>
1239:
1240: <tt>sys.tar.gz</tt> contains a source archive starting at <tt>/usr/src/sys</tt>.
1241: This file contains all the kernel sources you need to rebuild kernels.
1242: To extract:
1243:
1244: <blockquote><pre>
1245: # <b>mkdir -p /usr/src/sys</b>
1246: # <b>cd /usr/src</b>
1247: # <b>tar xvfz /tmp/sys.tar.gz</b>
1248: </pre></blockquote>
1249:
1250: Both of these trees are a regular CVS checkout. Using these trees it
1251: is possible to get a head-start on using the anoncvs servers as
1252: described <a href="anoncvs.html">here</a>.
1253: Using these files
1254: results in a much faster initial CVS update than you could expect from
1255: a fresh checkout of the full OpenBSD source tree.
1256: <p>
1257:
1258: <hr>
1259:
1260: <h3 id="ports"><font color="#0000e0">Ports Tree</font></h3>
1261:
1262: A ports tree archive is also provided. To extract:
1263:
1264: <blockquote><pre>
1265: # <b>cd /usr</b>
1266: # <b>tar xvfz /tmp/ports.tar.gz</b>
1267: </pre></blockquote>
1268:
1269: Go read the <a href="faq/ports/index.html">ports</a> page
1270: if you know nothing about ports
1271: at this point. This text is not a manual of how to use ports.
1272: Rather, it is a set of notes meant to kickstart the user on the
1273: OpenBSD ports system.
1274: <p>
1275: The <i>ports/</i> directory represents a CVS checkout of our ports.
1276: As with our complete source tree, our ports tree is available via
1277: <a href="anoncvs.html">AnonCVS</a>.
1278: So, in order to keep up to date with the <i>-stable</i> branch, you must make
1279: the <i>ports/</i> tree available on a read-write medium and update the tree
1280: with a command like:
1281:
1282: <blockquote><pre>
1283: # <b>cd /usr/ports</b>
1284: # <b>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_1</b>
1285: </pre></blockquote>
1286:
1287: [Of course, you must replace the server name here with a nearby anoncvs
1288: server.]
1289: <p>
1290: Note that most ports are available as packages on our mirrors. Updated
1291: ports for the 6.1 release will be made available if problems arise.
1292: <p>
1293: If you're interested in seeing a port added, would like to help out, or just
1294: would like to know more, the mailing list
1295: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1296: <p>
1297: </body>
1298: </html>