File: [local] / www / 61.html (download) (as text)
Revision 1.101, Mon Mar 15 10:18:42 2021 UTC (3 years, 1 month ago) by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.100: +1 -1 lines
spelling
|
<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 6.1</title>
<meta name="description" content="OpenBSD 6.1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/61.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.1
</h2>
<table>
<tr>
<td>
<a href="images/Fugu.gif">
<img width="227" height="343" src="images/Fugu.gif" alt="Fugu"></a>
<td>
Released April 11, 2017<br>
Copyright 1997-2017, Theo de Raadt.<br>
<br>
6.1 Song:
<a href="lyrics.html#61">"Winter of 95"</a>.
<br>
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.1/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata61.html">the 6.1 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus61.html">detailed log of changes</a> between the
6.0 and 6.1 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-61-base.pub:
<td>
RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
<tr><td>
openbsd-61-fw.pub:
<td>
RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
<tr><td>
openbsd-61-pkg.pub:
<td>
RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.1.
For a comprehensive list, see the <a href="plus61.html">changelog</a> leading
to 6.1.
<ul>
<li>New/extended platforms:
<ul>
<li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> platform,
using <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
as the base system compiler.
<li>The <a href="https://www.openbsd.org/armv7.html">armv7</a> platform
has seen some major improvements, including a switch to EABI and
support for a lot more hardware.
<li>The <a href="https://www.openbsd.org/loongson.html">loongson</a>
platform now supports systems with Loongson 3A CPU and RS780E chipset.
<li>The following platforms were retired:
<a href="https://www.openbsd.org/armish.html">armish</a>,
<a href="https://www.openbsd.org/sparc.html">sparc</a>,
<a href="https://www.openbsd.org/zaurus.html">zaurus</a>.
</ul>
<p>
<li>Improved hardware support, including:
<ul>
<li>New <a href="https://man.openbsd.org/acpials.4">acpials(4)</a>
driver for ACPI ambient light sensor devices.
<li>New <a href="https://man.openbsd.org/acpihve.4">acpihve(4)</a>
driver for feeding Hyper-V entropy into the kernel pool.
<li>New <a href="https://man.openbsd.org/acpisbs.4">acpisbs(4)</a>
driver for ACPI Smart Battery devices.
<li>New <a href="https://man.openbsd.org/dwge.4">dwge(4)</a>
driver for Designware GMAC 10/100/Gigabit Ethernet devices.
<li>New <a href="https://man.openbsd.org/loongson/htb.4">htb(4)</a>
driver for Loongson 3A PCI host bridges.
<li>New <a href="https://man.openbsd.org/hvn.4">hvn(4)</a>
driver for Hyper-V networking interfaces.
<li>New <a href="https://man.openbsd.org/hyperv.4">hyperv(4)</a>
driver for the Hyper-V guest nexus device.
<li>New <a href="https://man.openbsd.org/iatp.4">iatp(4)</a>
driver for the Atmel maXTouch touchpad and touchscreen.
<li>New <a href="https://man.openbsd.org/armv7/imxtemp.4">imxtemp(4)</a>
driver for Freescale i.MX6 temperature sensors.
<li>New <a href="https://man.openbsd.org/loongson/leioc.4">leioc(4)</a>
driver for the Loongson 3A low-end IO controller.
<li>New <a href="https://man.openbsd.org/octeon/octmmc.4">octmmc(4)</a>
driver for the OCTEON MMC host controller.
<li>New <a href="https://man.openbsd.org/armv7/ompinmux.4">ompinmux(4)</a>
driver for OMAP pin multiplexing.
<li>New <a href="https://man.openbsd.org/armv7/omwugen.4">omwugen(4)</a>
driver for OMAP wake-up generators.
<li>New <a href="https://man.openbsd.org/armv7/psci.4">psci(4)</a>
driver for the ARM Power State Coordination Interface.
<li>New <a href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
driver for the simple frame buffer on systems
using a device tree.
<li>New <a href="https://man.openbsd.org/armv7/sximmc.4">sximmc(4)</a>
driver for Allwinner A1X/A20 MMC/SD/SDIO controllers.
<li>New <a href="https://man.openbsd.org/tpm.4">tpm(4)</a>
driver for Trusted Platform Module devices.
<li>New <a href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>
driver for Wacom USB tablets.
<li>New <a href="https://man.openbsd.org/vmmci.4">vmmci(4)</a>
VMM control interface.
<li>New <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>
driver for Xen Blkfront virtual disks.
<li>New <a href="https://man.openbsd.org/luna88k/xp.4">xp(4)</a>
driver for the LUNA-88K HD647180X I/O processor.
<li>Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs
has been added to the
<a href="https://man.openbsd.org/em">em(4)</a> driver.
<li>Support for RTL8153 USB 3.0 Gigabit Ethernet based devices
has been added to the
<a href="https://man.openbsd.org/ure">ure(4)</a> driver.
<li>Improved ACPI support for modern Apple hardware, including S3 suspend
and resume.
<li>Support for X550 family of 10 Gigabit Ethernet based devices
has been added to the
<a href="https://man.openbsd.org/ix">ix(4)</a> driver.
</ul>
<p>
<li>New <a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>:
<ul>
<li>Support was partially integrated in 6.0, but disabled.
<li>Support for amd64 and i386 hosts.
<li>BIOS payload provided via vmm-firmware, delivered via
<a href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
<li>Support for Linux guest VMs.
<li>Better interrupt handling and legacy device emulation.
<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a> no longer
requires VMX unrestricted guest capability (Nehalem and later CPUs
are sufficient).
<li>Removed bounce buffers previously used by
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> for
<a href="https://man.openbsd.org/vio.4">vio(4)</a> and
<a href="https://man.openbsd.org/vioblk.4">vioblk(4)</a> devices.
<li>Support VMs with > 2GB RAM.
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> uses
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a> and the
fork+exec model.
<li><a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
expanded to include VM ownership rules (uid/gid).
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>/
<a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
supports automatic
<a href="https://man.openbsd.org/bridge.4">bridge(4)</a> and
<a href="https://man.openbsd.org/switch.4">switch(4)</a> configuration
for VM network interfaces.
<li><a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
graceful VM shutdown via
<a href="https://man.openbsd.org/amd64/vmmci.4">vmmci(4)</a>.
</ul>
<p>
<li>IEEE 802.11 wireless stack improvements:
<ul>
<li>The <a href="https://man.openbsd.org/ral.4">ral(4)</a> driver
now supports Ralink RT3900E (RT5390, RT3292) devices.
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
<a href="https://man.openbsd.org/iwn.4">iwn(4)</a> drivers
now support the short guard interval (SGI) in 11n mode.
<li>Added a new implementation of MiRa, a rate adapation algorithm
designed for 802.11n.
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver
now supports 802.11n MIMO (MCS 0-15).
<li>The <a href="https://man.openbsd.org/athn.4">athn(4)</a> driver
now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode.
<li>The <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> driver
now receives MIMO frames in monitor mode.
<li>The <a href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and
<a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
now use AMRR rate adaptation (8188EU and 8188CE devices only).
<li>TKIP/WPA1 was disabled by default because of inherent weaknesses
in this protocol.
</ul>
<p>
<li>Generic network stack improvements:
<ul>
<li>New <a href="https://man.openbsd.org/switch.4">switch(4)</a>
pseudo-device together with new
<a href="https://man.openbsd.org/switchd.8">switchd(8)</a> and
<a href="https://man.openbsd.org/switchctl.8">switchctl(8)</a>
programs.
<li>New <a href="https://man.openbsd.org/mobileip.4">mobileip(4)</a>
operation mode for the
<a href="https://man.openbsd.org/gre.4">gre(4)</a>
pseudo-device.
<li>Multipoint-to-multipoint mode in
<a href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
<li><a href="https://man.openbsd.org/route.8">route(8)</a>
and netstat -r display all routing flags correctly and they
are completely documented in the
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
man page.
<li>When sending TCP streams they are locally stored in large
mbuf clusters to improve memory management.
The maximum TCP send and receive buffer size has been
increased from 256KB to 2MB.
Note that this results in a different
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
OS fingerprint for OpenBSD.
The default limit for mbuf clusters has been increased.
You can check the values with
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
-m and adjust them with
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
kern.maxclusters.
<li>Make the TCP_NOPUSH flag work for
<a href="https://man.openbsd.org/listen.2">listen(2)</a>
sockets.
It is inherited by the socket returned from
<a href="https://man.openbsd.org/accept.2">accept(2)</a>.
<li>A lot of code has been removed or simplified to make the
transition to multi-processor easier.
Redesign the interrupt and multi-processor locks in the
network stack.
<li>When passing packets from the network stack to the
interface layer, make sure that they have no pointers to
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
which could result in a memory free operation at the wrong
protection level.
<li>Fix checksum calculation in
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
af-to ICMP packet conversions.
Simplify af-to processing in and fix path MTU discovery in
some corner cases.
<li>Improve IPv6 fragment processing.
Drop empty atomic fragments early.
Be more paranoid when IPv6 hop-by-hop headers appear after
fragment headers.
Follow RFC 5722 "Handling of Overlapping IPv6 Fragments"
more strictly in
<a href="https://man.openbsd.org/pf.4">pf(4)</a>.
RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates
generating atomic fragments, so do not send them anymore.
<li>Depending on the addresses,
<a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
may automatically group SA bundles together.
To make clear what is going on, the kernel provides this
information and ipsecctl -s sa prints IPsec SA bundles.
<li>A new routing socket message type, RTM_PROPOSAL, was added to
facilitate future improvements to the network configuration process.
</ul>
<p>
<li>Installer improvements:
<ul>
<li>The installer now uses privilege separation for fetching and
verifying the install sets.
<li>Install sets are now fetched over an HTTPS connection by default
when using a <a href="ftp.html">mirror</a> that supports it.
<li>The installer now considers all of the DHCP information in filename,
bootfile-name, server-name, tftp-server-name, and next-server when
attempting to do automatic installs or upgrades.
<li>The installer no longer adds a route to an alias IP via 127.0.0.1, due
to improvements in the kernel routing components.
</ul>
<p>
<li>Routing daemons and other userland network improvements:
<ul>
<li><a href="https://man.openbsd.org/ping.8">ping(8)</a> and
<a href="https://man.openbsd.org/ping6.8">ping6(8)</a> are now the same
binary and share the engine.
<li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a> now supports
p2p links with addresses in different subnets.
<li>UDP speakers can specify an IPv4 source address using
<code>IP_SENDSRCADDR</code>.
<a href="https://man.openbsd.org/iked.8">iked(8)</a>
and <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> now
use the proper source address when sending replies.
<li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
supports ECDSA and RFC 7427 signatures for authentication.
<li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
supports replying to IKEv2 responder cookies.
<li>Many fixes and improvements for
<a href="https://man.openbsd.org/iked.8">iked(8)</a> and
<a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a>, including
various fixes for rekeying.
<li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and
<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> now cope
with interface MTU change at runtime.
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
BGP Large Communities
(<a href="https://www.rfc-editor.org/rfc/rfc8092.txt">RFC 8092</a>).
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
BGP Administrative Shutdown Communication
(<a href="https://www.ietf.org/id/draft-ietf-idr-shutdown.txt">draft-ietf-idr-shutdown</a>).
</ul>
<p>
<li>Security improvements:
<ul>
<li>Enforcement of userland W^X on OCTEON Plus and later.
<li>All shared libraries, all dynamic and static-PIE executables, and
<a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> itself use
the RELRO ("read-only after relocation") design such that
more of the initial data is protected as read-only.
<li>The size of user virtual address space has been increased
from 2GB to 1TB on mips64.
<li>PIE and -static -pie on arm.
<li><a href="https://man.openbsd.org/route6d.8">route6d(8)</a> now
runs with fewer privileges.
<li>For incoming TLS connections
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
can validate client certificates with a given CA file.
<li>The privileged parent process of
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
calls
<a href="https://man.openbsd.org/execve.2">exec(2)</a>
to reshuffle its random memory layout.
<li>New function
<a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
to reduce the risk of incorrect clearing of memory before and after
<a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>.
<li><a href="https://man.openbsd.org/sha2.3">SHA512_256</a> family
of functions added to libc.
<li>arm added to the list of archs where the
<a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a>
family of functions apply XOR cookies to stack and return-address
values in the jmpbuf.
<li><a href="https://man.openbsd.org/printf.3">printf(3)</a> family
of formatting functions now report to syslog when the %s
format is used with a NULL pointer.
<li>Heap buffer overflow detection has been improved when the C
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
The existing S option now includes C.
<li>Support for permitting non-root users to
<a href="https://man.openbsd.org/mount.8">mount(8)</a> filesystems
has been removed.
<li><a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> now uses
<a href="https://man.openbsd.org/bcrypt_pbkdf.3">bcrypt PBKDF</a> to
derive keys for
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> crypto
volumes.
</ul>
<p>
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>/
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
<ul>
<li>Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default.
<li>Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies).
<li>Stop leaking option data received on the udp socket.
<li>Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
<li>Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease.
<li>Use only leases from no SSID or the current SSID when restarting.
<li>Reduce default values for various timeouts to something more
appropriate to modern networks.
<li>Fix issues with redundant dhcpd servers and CARP'd interfaces.
<li>Switch to standard logging functions
<li>Fix vis/unvis of strings in
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> leases files.
</ul>
<p>
<li>Assorted improvements:
<ul>
<li>New <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a>
utility for security and reliability binary updates to the base
system.
<li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>, a
privilege separated Automatic Certificate Management Environment
(ACME) client written by Kristaps Dzonsons has been imported.
<li>New, simplified
<a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
X11 display manager forked from
<a href="https://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>.
<li>Unicode version 8 character properties in the C library.
<li>Partial UTF-8 line editing support for
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> Vi input mode.
<li>UTF-8 support in
<a href="https://man.openbsd.org/column.1">column(1)</a>.
<li>The performance and concurrency of the
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> family
in multi-threaded processes has been improved.
<li>Estonian keyboard support.
<li><a href="https://man.openbsd.org/read.2">read(2)</a> on
directories now fails instead of returning 0.
<li>Support for the <code>RES_USE_EDNS0</code> and <code>RES_USE_DNSSEC</code>
flags has been added to the
<a href="https://man.openbsd.org/resolver.3">resolver(3)</a>
implementation.
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
limits the socket buffer for TCP and TLS connections to 64K
to avoid wasting kernel memory.
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
supports the option -Z to print the timestamp in RFC 5424
ISO format.
This logs everything in UTC including the year, timezone
and fractions of seconds.
The default is still RFC 3164 BSD syslog time format.
<li>When log files are rotated,
<a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a>
writes the creation time in UTC ISO format into the first line.
<li>The
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
options -a, -T, and -U can be given more than once to specify
multiple input sources.
<li>Improve the
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
output and diagnostics in case the klog buffer
overflows.
<li>Make SIGHUP handling in
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
more reliable.
<li>Let <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
tolerate most errors on startup.
Keep running and receive messages from all working subsystems,
but do not die.
<li>The <a href="https://man.openbsd.org/syslog.3">syslog(3)</a>
priority of fatal and warning messages of various daemons
has been adjusted.
<li>An NMI sends the amd64 kernel into
<a href="https://man.openbsd.org/ddb.4">ddb(4)</a>
more reliably.
<li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> now
supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS,
and DT_RUNPATH dynamic tags.
<li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
now dumps the fds returned by
<a href="https://man.openbsd.org/pipe.2">pipe(2)</a> and
<a href="https://man.openbsd.org/socketpair.2">socketpair(2)</a>.
<li>Added support to <a href="https://man.openbsd.org/doas.1">doas(1)</a>
for session-locked persistent authentication.
<li>Use a hardware register for the thread pointer on arm for improved
performance in multi-threaded processes.
<li>SGI boot blocks now consult the OpenBSD
<a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>
to locate the root filesystem.
This reduces constraints on disk partitioning.
<li><a href="https://man.openbsd.org/iec.4">iec(4)</a>
no longer hangs when its transmit ring gets full.
<li><a href="https://man.openbsd.org/sq.4">sq(4)</a>
has been fixed to accept broadcast frames in non-promiscuous mode
when no IP address is configured.
This lets the interface work with DHCP.
<li>Multiprocessor-safe PCI interrupt handlers are run
without the kernel lock on OpenBSD/sgi.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now unconditionally
sets the size of the protective MBR's EFI GPT partition to UINT32_MAX.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now respects the
current MBR or GPT format when initializing a disk.
<li><a href="https://man.openbsd.org/softraid.4">softraid(4)</a> now uses
sufficient parallel i/o's to efficiently rebuild RAID5 volumes.
<li><a href="https://man.openbsd.org/asr_run.3">asr</a> now accepts UDP
packets of up to 4096 bytes to account for broken DNS servers.
<li><a href="https://man.openbsd.org/umass.4">umass(4)</a> no longer assumes
that ATAPI or UFI devices have only 1 LUN.
<li><a href="https://man.openbsd.org/scsi.4">scsi(4)</a> now correctly
detects end of tape on LTO5 devices.
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
SNI
via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
to allow for multiple https sites on a single IP address.
<li><a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
has been added, and can be used to check the OCSP status of
certificates. The corresponding responses can be saved for later use in OCSP stapling.
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
OCSP stapling
via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
to permit OCSP responses to be stapled to the tls handshake
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a> now also
supports OCSP stapling server side, and will show the stapling information
client side.
<li>Both <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> and
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a> support now
TLS session resumption using TLS session tickets.
See the respective configuration man page for more information.
<li>With the -f option
<a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a>
can use an alternative config file.
</ul>
<p>
<li>OpenSMTPD 6.0.0
<ul>
<li>Added support for providing an alternate subaddressing delimiter
<li>Made the daemon less verbose in logs when exiting
<li>Improved the io layer to simplify code across the daemon
<li>Added support for matching authenticated sessions in the ruleset
<li>Assorted code and documentation cleanups
</ul>
<p>
<li>OpenSSH 7.4
<ul>
<li>Security:
<ul>
<li>ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
outside a trusted whitelist (run-time configurable). Requests to
load modules could be passed via agent forwarding and an attacker
could attempt to load a hostile PKCS#11 module across the forwarded
agent channel: PKCS#11 modules are shared libraries, so this would
result in code execution on the system running the ssh-agent if the
attacker has control of the forwarded agent-socket (on the host
running the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the ssh
client).
<li>sshd(8): When privilege separation is disabled, forwarded Unix-
domain sockets would be created by sshd(8) with the privileges of
'root' instead of the authenticated user. This release refuses
Unix-domain socket forwarding when privilege separation is disabled
(Privilege separation has been enabled by default for 14 years).
<li>sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc() when reading
keys. No such leak was observed in practice for normal-sized keys,
nor does a leak to the child processes directly expose key material
to unprivileged users.
<li>sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds checks that could be elided by
some optimising compilers. Additionally, this memory manager was
incorrectly accessible when pre-authentication compression was
disabled. This could potentially allow attacks against the
privileged monitor process from the sandboxed privilege-separation
process (a compromise of the latter would be required first).
This release removes support for pre-authentication compression
from sshd(8).
<li>sshd(8): Fix denial-of-service condition where an attacker who
sends multiple KEXINIT messages may consume up to 128MB per
connection.
<li>sshd(8): Validate address ranges for AllowUser and DenyUsers
directives at configuration load time and refuse to accept invalid
ones. It was previously possible to specify invalid CIDR address
ranges (e.g. user@127.1.2.3/55) and these would always match,
possibly resulting in granting access where it was not intended.
<li>ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
</ul>
<li>New/changed features:
<ul>
<li>Server support for the SSH v.1 protocol has been removed.
<li>ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms already
anyway.
<li>sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
<li>ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
at run-time.
<li>sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
error-prone.
<li>sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.
<li>ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
version in PuTTY by Simon Tatham. This allows a multiplexing
client to communicate with the master process using a subset of
the SSH packet and channels protocol over a Unix-domain socket,
with the main process acting as a proxy that translates channel
IDs, etc. This allows multiplexing mode to run on systems that
lack file- descriptor passing (used by current multiplexing
code) and potentially, in conjunction with Unix-domain socket
forwarding, with the client and multiplexing master process on
different machines. Multiplexing proxy mode may be invoked using
"ssh -O proxy ..."
<li>sshd(8): Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
as anything else we might implement in the future. Like the
'restrict' authorized_keys flag, this is intended to be a simple
and future-proof way of restricting an account.
<li>sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method named
"curve25519-sha256@libssh.org".
<li>sshd(8): Improve handling of SIGHUP by checking to see if sshd is
already daemonised at startup and skipping the call to daemon(3)
if it is. This ensures that a SIGHUP restart of sshd(8) will
retain the same process-ID as the initial execution. sshd(8) will
also now unlink the PidFile prior to SIGHUP restart and re-create
it after a successful restart, rather than leaving a stale file in
the case of a configuration error.
<li>sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
<li>sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
those supported by AuthorizedKeysCommand (key, key type,
fingerprint, etc.) and a few more to provide access to the
contents of the certificate being offered.
<li>Added regression tests for string matching, address matching and
string sanitisation functions.
<li>Improved the key exchange fuzzer harness.
<li>Deprecate the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
<li>ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
algorithm lists, e.g. Ciphers=-*cbc.
</ul>
<li>The following significant bugs have been fixed in this release:
<ul>
<li>ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key.
certificate id_rsa-cert.pub (and no id_rsa.pub).
<li>ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted.
<li>ssh-agent(1), ssh(1): improve reporting when attempting to load
keys from PKCS#11 tokens with fewer useless log messages and more
detail in debug messages.
<li>ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
<li>sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the terminal mode
correctly if suspended during a password prompt.
<li>ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
prompt.
<li>ssh(1), sshd(8): Correctly report errors during sending of ext-
info messages.
<li>sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
sequence NEWKEYS message.
<li>sshd(8): Correct list of supported signature algorithms sent in
the server-sig-algs extension.
<li>sshd(8): Fix sending ext_info message if privsep is disabled.
<li>sshd(8): more strictly enforce the expected ordering of privilege
separation monitor calls used for authentication and allow them
only when their respective authentication methods are enabled
in the configuration
<li>sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
on Unix/BSD but potentially crashy on Cygwin.
<li>Fix false positive reports caused by explicit_bzero(3) not being
recognised as a memory initialiser when compiled with
-fsanitize-memory.
<li>sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
configuration examples.
<li>sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
<li>ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
<li>sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods were
not being correctly advertised.
<li>ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
known_hosts processing.
<li>ssh(1): Allow ssh to use certificates accompanied by a private key
file but no corresponding plain *.pub public key.
<li>ssh(1): When updating hostkeys using the UpdateHostKeys option,
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
method.
<li>ssh(1): Detect and report excessively long configuration file
lines.
<li>Merge a number of fixes found by Coverity and reported via Redhat
and FreeBSD. Includes fixes for some memory and file descriptor
leaks in error paths.
<li>ssh-keyscan(1): Correctly hash hosts with a port number.
<li>ssh(1), sshd(8): When logging long messages to stderr, don't truncate
"\r\n" if the length of the message exceeds the buffer.
<li>ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
line; avoid confusion over IPv6 addresses and shells that treat
square bracket characters specially.
<li>ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
<li>Fix various fallout and sharp edges caused by removing SSH protocol
1 support from the server, including the server banner string being
incorrectly terminated with only \n (instead of \r\n), confusing
error messages from ssh-keyscan a segfault in sshd
if protocol v.1 was enabled for the client and sshd_config
contained references to legacy keys.
<li>ssh(1), sshd(8): Free fd_set on connection timeout.
<li>sshd(8): Fix Unix domain socket forwarding for root (regression in
OpenSSH 7.4).
<li>sftp(1): Fix division by zero crash in "df" output when server
returns zero total filesystem blocks/inodes.
<li>ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
encountered during key loading to more meaningful error codes.
<li>ssh-keygen(1): Sanitise escape sequences in key comments sent to
printf but preserve valid UTF-8 when the locale supports it.
<li>ssh(1), sshd(8): Return reason for port forwarding failures where
feasible rather than always "administratively prohibited".
<li>sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a key is
matched early.
<li>ssh(1): Fix typo in ~C error message for bad port forward
cancellation.
<li>ssh(1): Show a useful error message when included config files
can't be opened.
<li>sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
(previously incorrectly) advertised.
<li>sshd_config(5): Repair accidentally-deleted mention of %k token
in AuthorizedKeysCommand.
<li>sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
<li>ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
<li>sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
response handling.
<li>ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
keys. It was not possible to delete them except by specifying
their full physical path.
</ul>
</ul>
<p>
<li>LibreSSL 2.5.3
<ul>
<li>libtls now supports ALPN and SNI
<li>libtls adds a new callback interface for integrating custom IO
functions. Thanks to Tobias Pape.
<li>libtls now handles 4 cipher suite groups:
<ul>
<li>"secure" (TLSv1.2+AEAD+PFS)
<li>"compat" (HIGH:!aNULL)
<li>"legacy" (HIGH:MEDIUM:!aNULL)
<li>"insecure" (ALL:!aNULL:!eNULL)
</ul>
This allows for flexibility and finer grained control, rather than
having two extremes (an issue raised by Marko Kreen some time ago).
<li>Tightened error handling for tls_config_set_ciphers().
<li>libtls now always loads CA, key and certificate files at the time the
configuration function is called. This simplifies code and results in
a single memory based code path being used to provide data to libssl.
<li>Added support for OCSP intermediate certificates.
<li>Added X509_check_host(), X509_check_email(), X509_check_ip(), and
X509_check_ip_asc() functions, via BoringSSL.
<li>Added initial support for iOS, thanks to Jacob Berkman.
<li>Improved behavior of arc4random on Windows when using memory leak
analysis software.
<li>Correctly handle an EOF that occurs prior to the TLS handshake
completing. Reported by Vasily Kolobkov, based on a diff from Marko
Kreen.
<li>Limit the support of the "backward compatible" SSLv2 handshake to
only be used if TLS 1.0 is enabled.
<li>Fix incorrect results in certain cases on 64-bit systems when
BN_mod_word() can return incorrect results. BN_mod_word() now can
return an error condition. Thanks to Brian Smith.
<li>Added constant-time updates to address CVE-2016-0702.
<li>Fixed undefined behavior in BN_GF2m_mod_arr().
<li>Removed unused Cryptographic Message Support (CMS).
<li>More conversions of long long idioms to time_t.
<li>Improved compatibility by avoiding printing NULL strings with
printf.
<li>Reverted change that cleans up the EVP cipher context in
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
previous behaviour.
<li>Avoid unbounded memory growth in libssl, which can be triggered
by a TLS client repeatedly renegotiating and sending OCSP Status
Request TLS extensions.
<li>Avoid falling back to a weak digest for (EC)DH when using SNI
with libssl.
<li>X509_cmp_time() now passes a malformed GeneralizedTime field as
an error. Reported by Theofilos Petsios.
<li>Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate().
<li>Massive update and normalization of manpages, conversion to
mandoc format. Many pages were rewritten for clarity and accuracy.
Portable doc links are up-to-date with a new conversion tool.
<li>Curve25519 and TLS X25519 Key Exchange support.
<li>Support for alternate chains for certificate verification.
<li>Code cleanups, CBB conversions, further unification of DTLS/SSL
handshake code, further ASN1 macro expansion and removal.
<li>Private symbols are now hidden in libssl and libcrypto.
<li>Friendly certificate verification error messages in libtls, peer
verification is now always enabled.
<li>Added OCSP stapling support to libtls and nc.
<li>Added ocspcheck utility to validate a certificate against its OCSP
responder and save the reply for stapling
<li>Enhanced regression tests and error handling for libtls.
<li>Added explicit constant and non-constant time BN functions,
defaulting to constant time wherever possible.
<li>Moved many leaked implementation details in public structs behind
opaque pointers.
<li>Added ticket support to libtls.
<li>Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the
previous SSL{_CTX}_set1_curves{_list} names. This also changes
the default list of curves to be X25519, P-256 and P-384. All
other curves must be manually enabled.
<li>Added -groups option to openssl(1) s_client for specifying the
curves to be used in a colon-separated list.
<li>Merged client/server version negotiation code paths into one,
reducing much duplicate code.
<li>Removed error function codes from libssl and libcrypto.
<li>Fixed an issue where a truncated packet could crash via an OOB
read.
<li>Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
client-initiated renegotiation. This is the default for libtls
servers.
<li>Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set. Reported by Cesar
Pereida Garcia and Billy Brumley (Tampere University of
Technology). The fix was developed by Cesar Pereida Garcia.
<li>iOS and MacOS compatibility updates from Simone Basso and Jacob
Berkman.
<li>Added the recallocarray(3) memory allocation function, and
converted various places in the library to use it, such as CBB
and BUF_MEM_grow. recallocarray(3) is similar to
reallocarray. Newly allocated memory is cleared similar to
calloc(3). Memory that becomes unallocated while shrinking or
moving existing allocations is explicitly discarded by unmapping
or clearing to 0.
<li>Added new root CAs from SECOM Trust Systems / Security
Communication of Japan.
<li>Added EVP interface for MD5+SHA1 hashes.
<li>Improved nc(1) TLS handshake CPU usage and server-side error
reporting.
<li>Added a constant time version of BN_gcd and use it default for
BN_gcd to avoid the possibility of sidechannel timing attacks
against RSA private key generation - Thanks to Alejandro
Cabrera <aldaya@gmail.com>
</ul>
<p>
<li>mandoc 1.14.1
<ul>
<li>New <a href="https://man.openbsd.org/mandoc.db.5">mandoc.db(5)</a>
file format: <a href="https://man.openbsd.org/man.1">man(1)</a>,
<a href="https://man.openbsd.org/apropos.1">apropos(1)</a>, and
<a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>
no longer need SQLite3.
<li>Much improved HTML output and CSS.
<li>In <a href="https://man.openbsd.org/man.1">man(1)</a>, internal
searching with <a href="https://man.openbsd.org/less.1">less(1)</a>
<code>:t</code> has been improved.
<li>New <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
<code>-mdoc -T markdown</code> output mode
(already a post-1.14.1 feature).
</ul>
<p>
<li><p>Ports and packages:
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 3">
<li>alpha: 7413
<li>amd64: 9714
<li>arm: 7501
<li>hppa: 6422
<li>i386: 9697
<li>mips64: 8072
<li>mips64el: 6880
<li>powerpc: 7703
<li>sparc64: 8606
</ul>
<p>Some highlights:
<ul style="column-count: 2">
<li>AFL 2.39b
<li>Chromium 57.0.2987.133
<li>Emacs 21.4 and 25.1
<li>GCC 4.9.4
<li>GHC 7.10.3
<li>Gimp 2.8.18
<li>GNOME 3.22.2
<li>Go 1.8
<li>Groff 1.22.3
<li>JDK 7u80 and 8u121
<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
<li>LLVM/Clang 4.0.0
<li>LibreOffice 5.2.4.2
<li>Lua 5.1.5, 5.2.4, and 5.3.4
<li>MariaDB 10.0.30
<li>Mono 4.6.2.6
<li>Mozilla Firefox 52.0.2esr and 52.0.2
<li>Mozilla Thunderbird 45.8.0
<li>Mutt 1.8.0
<li>Node.js 6.10.1
<li>Ocaml 4.03.0
<li>OpenLDAP 2.3.43 and 2.4.44
<li>PHP 5.5.38, 5.6.30, and 7.0.16
<li>Postfix 3.2.0 and 3.3-20170218
<li>PostgreSQL 9.6.2
<li>Python 2.7.13, 3.4.5, 3.5.2 and 3.6.0
<li>R 3.3.3
<li>Ruby 1.8.7.374, 2.1.9, 2.2.6, 2.3.3 and 2.4.1
<li>Rust 1.16.0
<li>Sendmail 8.15.2
<li>SQLite3 3.17.0
<li>Sudo 1.8.19.2
<li>Tcl/Tk 8.5.18 and 8.6.4
<li>TeX Live 2015
<li>Vim 8.0.0388
<li>Xfce 4.12
</ul>
<p>
<li>As usual, steady improvements in manual pages and other documentation.
<p>
<li>The system includes the following major components from outside suppliers:
<ul>
<li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
xkeyboard-config 2.20 and more)
<li>LLVM/Clang 4.0.0 (+ patches)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.24.1 (+ patches)
<li>NSD 4.1.15
<li>Unbound 1.6.1
<li>Ncurses 5.7
<li>Binutils 2.17 (+ patches)
<li>Gdb 6.3 (+ patches)
<li>Awk Aug 10, 2011 version
<li>Expat 2.1.1
</ul>
</ul>
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.1 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/alpha/INSTALL.alpha">
.../OpenBSD/6.1/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/amd64/INSTALL.amd64">
.../OpenBSD/6.1/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/arm64/INSTALL.arm64">
.../OpenBSD/6.1/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/armv7/INSTALL.armv7">
.../OpenBSD/6.1/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/hppa/INSTALL.hppa">
.../OpenBSD/6.1/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/i386/INSTALL.i386">
.../OpenBSD/6.1/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/landisk/INSTALL.landisk">
.../OpenBSD/6.1/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/loongson/INSTALL.loongson">
.../OpenBSD/6.1/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/luna88k/INSTALL.luna88k">
.../OpenBSD/6.1/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/macppc/INSTALL.macppc">
.../OpenBSD/6.1/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/octeon/INSTALL.octeon">
.../OpenBSD/6.1/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sgi/INSTALL.sgi">
.../OpenBSD/6.1/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sparc64/INSTALL.sparc64">
.../OpenBSD/6.1/sparc64/INSTALL.sparc64</a>
</ul>
</section>
<hr>
<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
<h3>OpenBSD/alpha:</h3>
<p>
Write <i>floppy61.fs</i> or <i>floppyB61.fs</i> (depending on your machine)
to a diskette and enter <i>boot dva0</i>.
Refer to INSTALL.alpha for more details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<h3>OpenBSD/amd64:</h3>
<p>
If your machine can boot from CD, you can write <i>install61.iso</i> or
<i>cd61.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install61.fs</i> or
<i>miniroot61.fs</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
<h3>OpenBSD/arm64:</h3>
<p>
Write <i>miniroot61.fs</i> to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.
<h3>OpenBSD/armv7:</h3>
<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
<h3>OpenBSD/hppa:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.
<h3>OpenBSD/i386:</h3>
<p>
If your machine can boot from CD, you can write <i>install61.iso</i> or
<i>cd61.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install61.fs</i> or
<i>miniroot61.fs</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
<h3>OpenBSD/landisk:</h3>
<p>
Write <i>miniroot61.fs</i> to the start of the CF
or disk, and boot normally.
<h3>OpenBSD/loongson:</h3>
<p>
Write <i>miniroot61.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
<h3>OpenBSD/luna88k:</h3>
<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
<h3>OpenBSD/macppc:</h3>
<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.
<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.1/macppc/bsd.rd</i>
<h3>OpenBSD/octeon:</h3>
<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
<h3>OpenBSD/sgi:</h3>
<p>
To install, burn cd61.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
<p>
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
<h3>OpenBSD/sparc64:</h3>
<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.
<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy61.fs</i> or <i>floppyB61.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<p>
You can also write <i>miniroot61.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>
<hr>
<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.0 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade61.html">Upgrade Guide</a>.
</section>
<hr>
<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>
<hr>
<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided. To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_1</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.1 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
</section>
![[BACK]](/icons/back.gif){kind=icon}
Return to 61.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www