===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/63.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- www/63.html 2018/03/14 16:34:36 1.1
+++ www/63.html 2018/03/16 13:33:30 1.2
@@ -63,488 +63,69 @@
Improved hardware support, including:
- - arm: New rkgrf(4) driver
- for the Rockchip RK3399/RK3288 register file.
-
- arm: New rkclock(4)
- driver for Rockchip RK3399/RK3288 clocks.
-
- arm: New rkpinctrl(4)
- driver for controlling Rockchip RK3399/RK3288 pins.
-
- arm: New rkgpio(4) driver
- for GPIO on Rockchip SoCs.
-
- arm: New rktemp(4) driver
- for Rockchip RK3399 temperature sensors.
-
- arm: New rkiic(4) driver
- for Rockchip RK3399 I2C controllers.
-
- arm: New rkpmic(4) driver
- for the RK808 Power Management IC.
-
- arm: New dwmmc(4) driver
- for Synopsis DesignWare SD/MMC controllers.
-
- arm: New dwdog(4) driver
- for the Synopsys DesignWare watchdog timer.
-
- arm: New dwxe(4) driver
- for the Synopsys DesignWare Ethernet controller.
-
- arm: New sxitwi(4) driver
- for the two-wire bus on Allwinner SoCs.
-
- arm: New axppmic(4)
- driver for the AXP209 I2C PMIC.
-
- arm: New bcmaux(4) driver
- for clocks and interrupts on the auxilliary UART on BCM2835 devices.
-
- arm: New mvmpic(4)
- driver for an interrupt controller on Marvell ARMADA 38x.
-
- arm: New mvpxa(4)
- driver for the SD Host Controller on Marvell ARMADA 38x.
-
- arm: New mvpinctrl(4)
- driver to configure pins on Marvell ARMADA 38x.
-
- arm: New mvneta(4) driver
- the Ethernet controller on Marvell ARMADA 38x.
-
- arm: New amdisplay(4) &
- nxphdmi(4) drivers
- for the Texas Instruments AM335x LCD controller.
-
- octeon: New octcib(4) driver for
- the interrupt bus widget on CN70xx/CN71xx.
-
- octeon: New octcit(4) driver for
- the central interrupt unit version 3 on CN72xx/CN73xx/CN77xx/CN78xx.
-
- octeon: New octsctl(4) driver
- for the OCTEON SATA controller bridge.
-
- octeon: New octxctl(4) driver
- for the OCTEON USB3 controller bridge.
-
- octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks EdgeRouter 4
- and 6 are now supported.
-
- New hvs(4) driver for
- Hyper-V storage.
-
- New pcxrtc(4) driver for
- the NXP PCF8563 Real Time Clock.
-
- New urng(4) driver for USB
- random number generator devices.
-
- Intel 8265 and 3168 support was added to the
- iwm(4) driver.
-
- RTL8192CE support was added to the
- rtwn(4) driver.
-
- RT5360 support was added to the
- ral(4) driver.
-
- RTS525A support was added to the
- rtsx(4) driver.
-
- The acpibat(4) driver
- now supports _BIX entries from ACPI 4.0.
-
- ACPI hibernate support was added to the
- nvme(4) driver.
-
- Substantially improved ACPI hibernate performance in the
- ahci(4) driver.
-
- The inteldrm(4) driver
- was updated to code based on Linux 4.4.70 - it now supports Skylake,
- Kaby Lake, and Cherryview devices and has better support for Broadwell
- and Valleyview devices.
-
- The puc(4) driver now
- supports ASIX AX99100 devices.
-
- Xen platform support and the
- xbf(4) driver in particular
- have been substantially improved.
-
- The nvme(4) driver now reports
- correct last sector address to SCSI, allowing a valid GPT to be created.
-
- Repair ioapic(4) misconfigurations.
+
- ...
vmm(4)/
vmd(8) improvements:
- - vmctl(8) supports
- paused VM migration and memory snapshotting using send and receive commands.
-
- VPID/ASID reuse/rollover in vmm(4).
-
- SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to serial
- console redirection).
-
- vmd(8) resets the
- guest VM RTC (real time clock) on host resume from suspend/hibernate
- (OpenBSD guests only).
-
- Allow guest VMs access to AVX/AVX2 host CPU features.
-
- Support for AMD SVM/RVI hosts.
-
- Allow larger guest VM memory sizes (up to MAXDSIZ sized guests - e.g.
- 32GB on amd64 hosts).
-
- Better handling of guest VM MONITOR/MWAIT and HLT instructions.
-
- Various device emulation improvements in vmd(8).
-
- Increase the virtio(4)
- queue size provided by vmd(8) from 64 to 128 entries, to increase performance.
-
- Many fixes to vmctl(8)
- and vmd(8) error handling.
+
- ...
IEEE 802.11 wireless stack improvements:
- - MiRA 802.11n TX rate scaling now supports devices with unequal numbers
- of Tx and Rx streams. Fixes 11n mode for some
- athn(8) devices.
-
- The iwn(8) and
- iwm(8) drivers will now start
- scanning for a new access point if they no longer receive beacons from
- the current AP.
-
- Prefer the 5GHz band over the 2GHz band during access point selection.
-
- Improved debug output in
- dmesg(8) when a wireless
- interface is put into debug mode with
- ifconfig(8).
+
- ...
Generic network stack improvements:
- - Incoming and forwarded IP packets are now processed without
- KERNEL_LOCK, resulting in better performances and reduced latency.
-
- The kernel no longer handles IPv6 Stateless Address
- Autoconfiguration (RFC 4862), allowing cleanup and simplification
- of the IPv6 network stack.
-
- The kernel sends IPv6 router solicitations for link local addresses
- with a link local source address.
-
- FQ-CoDel algorithm has been implemented for use with pf(4) queueing.
-
- Improved IPv6 checks for IPsec policies and made them consistent
- with IPv4.
-
- Refactored local IP delivery to process IPsec packets in a flow and
- avoid enqueueing a second time.
-
- pf(4)
- now inspects AH packets and matches on the inner protocol.
- This makes IPv4 authentication headers work like IPv6.
-
- The length of extension header chains in pf(4) is limited.
- This prevents spending excessive CPU time on crafted packets.
-
- Block IPv6 packets in
- pf(4)
- that have a hop-by-hop options header or a destination options header.
- Such packets can be passed by adding "allow-opts" to the rule.
- This makes IPv6 option handling consistent with IPv4.
-
- If the IPv4 ID gets reused too fast, pf(4) fragment reassembly
- uses a smarter strategy to drop packets.
-
- Enabled the use of per-CPU caches in the network packet allocators.
+
- ...
Installer improvements:
- - The installer now uses the Allotment Routing Table (ART).
-
- A unique kernel is now created by the installer to boot from after
- install/upgrade.
-
- On release installs of architectures supported by syspatch,
- "syspatch -c" is now added to rc.firsttime.
-
- Backwards compatibility code to support the 'rtsol' keyword in
- hostname.if(5)
- has been removed.
-
- The install.site and upgrade.site scripts are now
- executed at the end of the install/upgrade process.
-
- More detailed information is shown to identify disks.
-
- The IPv6 default router selection has been fixed.
-
- On the amd64 platform, AES-NI is used if present.
+
- ...
Routing daemons and other userland network improvements:
- - A new daemon, slaacd(8) handles IPv6
- Stateless Address Autoconfiguration (RFC 4862).
-
- rtadvd(8) now supports
- "Reducing Energy Consumption of Router Advertisements" (RFC 7772).
-
- rtadvd(8) has
- been fixed to quickly handle IPv6 prefix changes on the system.
-
- ipsecctl(8)
- can now show SA bundles and the "bundle" keyword allows them to be
- explicitly created. This avoids confusion as they were previously
- used implicitly.
-
- nc(1)
- now has a -W recvlimit option to terminate netcat after
- receiving the specified number of packets. This allows for a UDP
- request to be sent, a reply to be received and the result checked on
- the command line.
-
- nc(1)
- now has a -Z option, allowing the peer certificate and chain to be
- saved to a file in PEM format.
-
- A new -T tlscompat option was added to
- nc(1), which enables the use
- of all TLS protocols and libtls "compat" ciphers.
-
- Various races have been fixed in
- relayd(8),
- expecially in HTTP chunked mode.
-
- ndp(8) now shows the
- relevant NDP information when run in a non-default routing
- domain.
-
- ifstated(8) now
- copes with interface departures/arrivals.
-
- bgpd(8) can now
- be started multiple times in different
- routing domains,
- this provides virtual router functionality.
+
- ...
Security improvements:
- - A new function
- freezero(3)
- to easily clear and free memory holding sensitive data has been added.
-
- Double free detection has been improved when the F
- malloc(3) option is used.
- The existing S option now includes F.
-
- The TIOCSTI
- tty ioctl has been removed. The I/O-loops in the last two consumers
- csh(1) and
- mail(1)
- were rewritten to cope with the removal.
-
- Trapsleds, a new mitigation that significantly reduces the amount of
- nops in the instruction stream, replacing them with trap instructions
- or jump-over-trap sequences, thereby requiring greater accuracy for
- targetting potential gadgets.
-
- Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o
- files of the kernel to be relinked in a random order, creating a unique
- kernel for each boot. /bsd is now non-readable to users, to try to
- keep the secret.
-
- Like with libc previously,
- rc(8) re-links libcrypto on
- startup, placing the objects in a random order.
-
- In addition to libcrypto, to deter code reuse exploits,
- rc(8) re-links
- ld.so on
- startup, placing the objects in a random order.
-
- If process accounting is activated with
- accton(8),
- the daily mail shows pledge violations and program crashes.
- lastcomm(1)
- uses the flags P and T for such processes.
-
- pflogd(8) uses the
- fork+exec model.
-
- tcpdump(8) uses the
- fork+exec model.
-
- ifstated(8)
- uses pledge(2).
-
- snmpd(8) and
- snmpctl(8) now use
- pledge(2).
-
- Tighter pledge for at(1).
-
- Fixed and simplified pledge logic for
- nc(1).
-
- More application of
- recallocarray(3)
- in userland, and tracked sizes to
- free(9) in the kernel.
-
- Achieve higher levels of paranoia regarding structure packing, and
- clear many kernel objects before passing to userland.
-
- Disable some optimizations in
- clang(1)
- due to incompatibility with security.
-
- For instance, cope with
- clang(1)'s assumption
- that static or const
- objects placed in unknown sections (such as .openbsd.randomdata)
- are surely always 0, and therefore such memory accesses can be
- optimized away.
-
- In kernel, randomly bias down the top-of-stack per kthread.
+
- ...
dhcpd(8)/
dhcrelay(8) improvements:
- - Add support for echo-client-id statement to
- dhcpd.conf(5).
-
- Take greater care to process all data read, and only data read, from the
- bpf(4)
- socket.
-
- Use /dev/bpf instead of /dev/bpf0.
-
- Handle DHCPINFORM messages from clients behind a DHCP relay.
-
- Fix handling of
- carp(4)
- interfaces in
- dhcrelay(8).
-
- Don't stop
- dhcrelay(8)
- logging to stderr when it is started with the -d option.
+
- ...
dhclient(8) improvements:
- - Log messages reworked and clarified, in particular by prefixing
- the name of the relevant network interface.
-
- Treat SSID as 0 to 32 bytes of binary data, not a string.
-
- Use RTM_PROPOSAL to take control of an interface rather than flipping
- interface down and up in the hope that other
- dhclient(8)
- instances notice.
-
- Reduce file operations needed by -L option by opening file at
- startup and using it throughout process lifetime.
-
- Improve resolv.conf(5)
- handling by reducing writes and more reliably determining which interface
- has the current default route.
-
- Take greater care to process all data read, and only data read, from the
- bpf(4)
- socket.
-
- Improve the determination of the link state of an interface.
-
- Decline inappropriate lease offers as soon as they are deemed
- inappropriate.
-
- Drop support for the timestamp formats used in lease files created
- more than four years ago.
-
- Accept an offer from the server that sent the first copy of
- the offer, not the server that sent the last copy.
-
- Don't delete addresses and routes when exiting.
-
- Ensure IPv6 packets are not read from sockets.
-
- Don't silently ignore obsolete keywords in
- dhclient.conf(5).
-
- Reduce memory footprint by shrinking oversized static buffers.
-
- Eliminate repeated socket opens by opening the required sockets during
- startup.
-
- Fix construction of unicast UDP packets, broken in 5.6.
-
- Improve determination of when a renewed lease requires interface
- configuration changes.
-
- Don't exit when addresses are manually added or deleted from an
- interface.
-
- Don't support option 33, classfull IP addresses.
-
- Fix configuration of default routes supplied by classless route options.
-
- Consider
- dhclient.conf(5)
- contents when determining what MTU value to configure.
-
- Consider
- dhclient.conf(5)
- contents when creating the content of
- resolv.conf(5).
-
- Delete direct routes when routes are flushed.
-
- Don't label routes with "DHCLIENT nnnn".
-
- Don't delete addresses or routes that will be immediately added back.
-
- Delete addresses and routes only when a renewal request is NAK'ed.
-
- Don't wait forever for requested information on the default route.
-
- Don't exit when an attempt to send a packet fails.
-
- Don't log a packet send when the send fails.
-
- Remove the -u option, broken since 2013 without complaints.
-
- Use /dev/bpf instead of /dev/bpf0.
+
- ...
Assorted improvements:
- - The i386 and
- amd64
- platforms have switched to using
- clang(1)
- as the base system compiler.
-
- Improved UTF-8 line editing support for
- ksh(1)
- Emacs and Vi input mode.
-
- The HISTFILE of ksh(1) now uses
- a plain text format. Support for the
- HISTCONTROL
- environment variable was added.
-
- The performance of the memory deallocator used by
- ksh(1) has been fixed.
-
- The emacs-usemeta ksh(1)
- flag is no longer needed and is now deprecated.
-
- New futex(2) syscall.
-
- New pthread
- mutex and
- condition
- variable implementations improving latency
- of threaded applications.
-
- New POSIX xlocale
- implementation written from scratch, complete in the sense that
- all POSIX *locale(3) and *_l(3) functions are included, but in
- OpenBSD, we of course only really care about
LC_CTYPE
- and we only support ASCII and UTF-8.
- - Automatic hibernation and suspend by
- apmd
- when battery is low.
-
- New ctfdump(1) and
- ctfconv(1)
- tools to manipulate CTF (Compact C Type Format).
-
- The error handling in
- syslogd(8)
- has been improved.
- Even if internal errors occur, the daemon tries to keep
- unaffected subsystems active.
- So as many messages as possible are logged.
- They can be filtered by severity and facility "syslog".
-
- syslogd(8) can now suppress "last message repeated" which is
- useful for remote logging.
-
- syslogd(8) can listen on multiple TLS sockets.
-
- syslogd(8) closes the *.514 UDP sockets when they are not
- needed.
-
- Truncate log messages at 8192 bytes everywhere.
-
- newsyslog(8)
- now skips and logs invalid config lines.
-
- Nested mount points are umounted in correct order.
-
- Fix creation of
- softraid(4)
- CONCAT volumes.
-
- Include
- softraid(4)
- volume and backing disk information in i/o error messages.
-
- Make
- vioscsi(4)
- a normal
- scsi(4)
- device by eliminating its use of the obsolete XS_NO_CCB mechanism.
-
- Remove last vestiges of now unused XS_NO_CCB mechanism.
-
- Userspace can now get the address of the thread control block
- without a system call on OCTEON II and later.
-
- FPU is enabled on OCTEON III.
-
- GENERIC kernels now include a .SUNW_ctf section containing CTF data.
-
- New ddb(4) kill
- command, send an uncatchable SIGABRT to a process.
-
- New ddb(4) pprint
- command, using CTF information to "pretty print" global symbols.
-
- New ddb(4)
- show struct command, using CTF information to display the content
- of in memory C structures.
-
- x86: ddb(4) uses CTF data
- to display the correct number of function arguments in backtraces.
-
- Power off all codecs in
- azalia(4) to avoid static
- noise in speakers and headphones on reboot.
-
- Fix i386 boot regression seen on very old 486DX CPUs.
-
- New witness(4) tool
- for debugging lock order issues in the kernel.
- The tool is not built in by default, and only amd64, hppa and i386
- are supported.
-
- Modernize some bizzare tty behaviours of getty(8).
-
- Some subtle changes to pledge(2) to satisfy requirements observed
- in real life.
-
- Prefer use of waitpid(2) rather than wait(3) where possible, to
- avoid problems with pre-existing children.
-
- Rewrite swaths of machine-dependent system call stub code in ld.so(1)
- in a more portable fashion.
-
- Per-CPU
- caches implemented in pools.
-
- Mutex,
- condition-variable,
- thread-specific data,
- pthread_once(3),
- and pthread_exit(3)
- routines moved to libc from libpthread for ease of library
- use and compatibility with other OSes.
-
- Added getptmfd(3),
- fdopenpty(3), and
- fdforkpty(3)
- to simplify privilege separation and use of pledge(2).
-
- Improved computational complexity in various cases of
- strstr(3),
- qsort(3),
- and glob(3).
-
- Added support for EV_RECEIPT and EV_DISPATCH to
- kqueue(2).
-
- Added fktrace(2).
+
- ...
OpenSMTPD 6.0.0
- - Fix an off-by-one in the config parser that made 65535 an invalid port.
-
- Fix a fd leak in the session congestion mechanism.
-
- Fix a possible crash when relaying with smtps.
-
- Remove support for the "listen secure" syntax (expicitely define two listeners for tls and smtps instead).
-
- Remove experimental support for filters.
-
- Assorted code and documentation cleanups and improvements.
+
- ...
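Review bot: Several unchanged context lines in this hunk are fragments of sentences whose other lines are deleted, so the new revision will carry orphaned text; the clearest case is "LC_CTYPE", which stays as context between the removed xlocale item and the removed "Automatic hibernation and suspend by apmd" item under "Assorted improvements:", and will render as a stray word between the "- ..." placeholder and the next heading. Either drop it with the rest of that paragraph or keep the whole item. Two smaller points in the same hunk: the component heading "OpenSMTPD 6.0.0" is kept as context while its list is stubbed out, so it still shows the previous release's version and will need updating together with the list; and the placeholder markup differs between sections (after "Improved hardware support, including:" the addition reads as a blank "+" line followed by "- ...", whereas the final OpenSMTPD placeholder is added as "+ - ..."), so please check that every stubbed section ends up with the same list markup.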
@@ -552,225 +133,28 @@
- Security:
- - sftp-server(8): in read-only mode, sftp-server was incorrectly
- permitting creation of zero-length files.
+
- ...
- New/changed features:
- - Add RemoteCommand option to specify a command in the
- ssh(1)
- config file instead of giving it on the client's command
- line.
- The feature allows to automate tasks using ssh config.
-
- sshd(8): add ExposeAuthInfo option that enables writing details of
- the authentication methods used (including public keys where
- applicable) to a file that is exposed via a $SSH_USER_AUTH
- environment variable in the subsequent session.
-
- ssh(1): add support for reverse dynamic forwarding. In this mode,
- ssh will act as a SOCKS4/5 proxy and forward connections
- to destinations requested by the remote SOCKS client. This mode
- is requested using extended syntax for the -R and RemoteForward
- options and, because it is implemented solely at the client,
- does not require the server be updated to be supported.
-
- sshd(8): allow LogLevel directive in sshd_config Match blocks.
-
- ssh-keygen(1): allow inclusion of arbitrary string or flag
- certificate extensions and critical options.
-
- ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
- a CA when signing certificates.
-
- ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
- ToS/DSCP value and just use the operating system default.
-
- ssh-add(1): added -q option to make ssh-add quiet on success.
-
- ssh(1): expand the StrictHostKeyChecking option with two new
- settings. The first "accept-new" will automatically accept
- hitherto-unseen keys but will refuse connections for changed or
- invalid hostkeys. This is a safer subset of the current behaviour
- of StrictHostKeyChecking=no. The second setting "off", is a synonym
- for the current behaviour of StrictHostKeyChecking=no: accept new
- host keys, and continue connection for hosts with incorrect
- hostkeys. A future release will change the meaning of
- StrictHostKeyChecking=no to the behaviour of "accept-new".
-
- ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
- option in sshd(8).
+
- ...
- The following significant bugs have been fixed in this release:
- - ssh(1): use HostKeyAlias if specified instead of hostname for
- matching host certificate principal names.
-
- sftp(1): implement sorting for globbed ls.
-
- ssh(1): add a user@host prefix to client's "Permission denied"
- messages, useful in particular when using "stacked" connections
- (e.g. ssh -J) where it's not clear which host is denying.
-
- ssh(1): accept unknown EXT_INFO extension values that contain \0
- characters. These are legal, but would previously cause fatal
- connection errors if received.
-
- ssh(1)/sshd(8): repair compression statistics printed at
- connection exit.
-
- sftp(1): print '?' instead of incorrect link count (that the
- protocol doesn't provide) for remote listings.
-
- ssh(1): return failure rather than fatal() for more cases during
- session multiplexing negotiations. Causes the session to fall back
- to a non-mux connection if they occur.
-
- ssh(1): mention that the server may send debug messages to explain
- public key authentication problems under some circumstances.
-
- Translate OpenSSL error codes to better report incorrect passphrase
- errors when loading private keys.
-
- sshd(8): adjust compatibility patterns for WinSCP to correctly
- identify versions that implement only the legacy DH group exchange
- scheme.
-
- ssh(1): print the "Killed by signal 1" message only at LogLevel
- verbose so that it is not shown at the default level; prevents it
- from appearing during ssh -J and equivalent ProxyCommand configs.
-
- ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
- existing keys if they exist but are zero length. zero-length keys
- could previously be made if ssh-keygen failed or was interrupted part
- way through generating them.
-
- ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
- place the current session in the background.
-
- ssh-keyscan(1): avoid double-close() on file descriptors.
-
- sshd(8): avoid reliance on shared use of pointers shared between
- monitor and child sshd processes.
-
- sshd_config(8): document available AuthenticationMethods.
-
- ssh(1): avoid truncation in some login prompts.
-
- ssh(1): make "--" before the hostname terminate argument processing
- after the hostname too.
-
- ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
- new-style private keys. Fixes problems related to private key
- handling for no-OpenSSL builds.
-
- ssh(1): warn and do not attempt to use keys when the public and
- private halves do not match.
-
- sftp(1): don't print verbose error message when ssh disconnects
- from under sftp.
-
- sshd(8): fix keepalive scheduling problem: activity on a forwarded
- port from preventing the keepalive from being sent.
-
- sshd(8): when started without root privileges, don't require the
- privilege separation user or path to exist. Makes running the
- regression tests easier without touching the filesystem.
-
- Make integrity.sh regression tests more robust against timeouts.
-
- ssh(1)/sshd(8): correctness fix for channels implementation: accept
- channel IDs greater than 0x7FFFFFFF.
+
- ...
LibreSSL 2.6.3
- - Added support for providing CRLs to libtls - once a CRL is provided via
- tls_config_set_crl_file(3)
- or
- tls_config_set_crl_mem(3),
- CRL checking is enabled and required for the full certificate chain.
-
- Reworked TLS certificate name verification code to more strictly
- follow RFC 6125.
-
- Cleaned up and simplified server key exchange EC point handling.
-
- Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
- simplified BIO_get_host_ip() and BIO_accept().
-
- Added definitions for three OIDs used in EV certificates.
-
- Relaxed SNI validation to allow non-RFC-compliant clients using literal
- IP addresses with SNI to connect to a libtls-based TLS server.
-
- Added tls_peer_cert_chain_pem() to libtls, useful in private certificate
- validation callbacks such as those in relayd.
-
- Converted explicit clear/free sequences to use
- freezero(3).
-
- Fixed the
- openssl(1)
- ca command so that it generates certificates with RFC 5280-conformant time.
-
- Added
- ASN1_TIME_set_tm(3)
- to set an ASN.1 time from a struct tm *.
-
- Added
- SSL{,_CTX}_set_{min,max}_proto_version(3)
- functions.
-
- Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
-
- Provided a
- tls_unload_file(3)
- function that frees the memory returned from a
- tls_load_file(3)
- call, ensuring that the contents become inaccessible.
-
- Implemented reference counting for libtls tls_config, allowing
- tls_config_free(3)
- to be called as soon as it has been passed to the final
- tls_configure(3)
- call, simplifying lifetime tracking for the application.
-
- Dropped cipher suites using DSS authentication.
-
- Removed support for DSS/DSA from libssl.
-
- Distinguish between self-issued certificates and self-signed
- certificates. The certificate verification code has special cases
- for self-signed certificates and without this change, self-issued
- certificates (which it seems are common place with
- openvpn/easyrsa) were also being included in this category.
-
- Added a new TLS extension handling framework and converted all
- TLS extensions to use it.
-
- Improved and added many new manpages. Updated
- SSL_{CTX_,}check_private_key(3)
- manpages with additional cautions regarding their use.
-
- Cleaned up and simplified EC key/curve configuration handling.
-
- Added
- tls_config_set_ecdhecurves(3)
- to libtls, which allows the names of the elliptical curves that may
- be used during client and server key exchange to be specified.
-
- Converted more code paths to use CBB/CBS.
-
- Removed NPN support - NPN was never standardised and the last draft
- expired in October 2012.
-
- Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
- CryptoPro clients.
-
- Removed support for the TLS padding extension, which was added as a
- workaround for an old bug in F5's TLS termination.
-
- Added ability to clamp notafter values in certificates for systems
- with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
-
- Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
-
- Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
-
- Provide a useful error with libtls if there are no OCSP URLs in a
- peer certificate.
-
- Keep track of which keypair is in use by a TLS context, fixing a bug
- where a TLS server with SNI would only return the OCSP staple for the
- default keypair.
-
- If
- tls_config_parse_protocols(3)
- is called with a NULL pointer it now
- returns the default protocols.
+
- ...
mandoc 1.14.3
- - Full mandoc.db(5)
- databases are now enabled by default, allowing semantic searching
- with apropos(1)
- without any local configuration changes.
-
- Full integration of the former
- mdoclint(1)
- utility into mandoc(1)
-
-Wall
, new -Wstyle
and
- -Wopenbsd
message levels, and many new messages,
- for example about typos in .Sh
lines,
- unknown .Xr
targets, and links to self.
- - Additional steps unifying the
- mdoc(7),
- man(7), and
- roff(7) parsers:
- use one common data type and
- ohash_init(3)
- for all requests and macros and support creation of syntax tree
- nodes in the roff(7) parser, allowing support for many new
- low-level roff(7) features.
- Only about 25 ports still need
USE_GROFF
now.
- - Many improvements to
- tbl(7)
- parsing and formatting,
- including automatic line wrapping inside table columns.
-
- Many improvements to
- eqn(7)
- parsing and formatting, including better font selection,
- recognition of well-known mathematical function names, and writing
- of
<mn>
and <mo>
HTML tags.
- - Intelligible rendering of mathematical symbols in
-
-Tascii
output.
- - Several parsing and rendering improvements for the
- mdoc(7)
-
.Lk
macro.
- - Some CSS improvements in HTML output, in particular for the
- mdoc(7)
-
.Bl
macro.
+ - ...
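Review bot: The mandoc 1.14.3 block leaves a run of orphaned context lines in the new revision: "-Wall", ", new -Wstyle", "and", "message levels, and many new messages,", "lines,", "targets, and links to self.", "USE_GROFF", "now.", "<mn>", "and <mo>", "HTML tags.", "-Tascii", "output.", ".Lk", "macro.", ".Bl" and "macro." are all unchanged while the sentences around them are deleted, so the stubbed list will render with these fragments interleaved between the "- ..." placeholders. Remove them together with their items, or restore the items whole. Also note that the hunk drops the OpenSSH sub-headings "Security:", "New/changed features:" and "The following significant bugs have been fixed in this release:" outright, while every other section in this patch keeps its heading as context and stubs only the list, and that the version headings "LibreSSL 2.6.3" and "mandoc 1.14.3" are carried over unchanged and will need updating for the new release alongside their lists; the final "+ - ..." placeholder also lacks the blank "+" line the other placeholders get, so the last list will be formatted differently from the rest.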