<li>Improved hardware support, including:
<ul>
<li>arm: New <a href="https://man.openbsd.org/rkgrf.4">rkgrf(4)</a> driver
for the Rockchip RK3399/RK3288 register file.
<li>arm: New <a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>
driver for Rockchip RK3399/RK3288 clocks.
<li>arm: New <a href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>
driver for controlling Rockchip RK3399/RK3288 pins.
<li>arm: New <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a> driver
for GPIO on Rockchip SoCs.
<li>arm: New <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a> driver
for Rockchip RK3399 temperature sensors.
<li>arm: New <a href="https://man.openbsd.org/rkiic.4">rkiic(4)</a> driver
for Rockchip RK3399 I2C controllers.
<li>arm: New <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a> driver
for the RK808 Power Management IC.
<li>arm: New <a href="https://man.openbsd.org/dwmmc.4">dwmmc(4)</a> driver
for Synopsys DesignWare SD/MMC controllers.
<li>arm: New <a href="https://man.openbsd.org/dwdog.4">dwdog(4)</a> driver
for the Synopsys DesignWare watchdog timer.
<li>arm: New <a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> driver
for the Synopsys DesignWare Ethernet controller.
<li>arm: New <a href="https://man.openbsd.org/sxitwi.4">sxitwi(4)</a> driver
for the two-wire bus on Allwinner SoCs.
<li>arm: New <a href="https://man.openbsd.org/axppmic.4">axppmic(4)</a>
driver for the AXP209 I2C PMIC.
<li>arm: New <a href="https://man.openbsd.org/bcmaux.4">bcmaux(4)</a> driver
for clocks and interrupts on the auxiliary UART on BCM2835 devices.
<li>arm: New <a href="https://man.openbsd.org/armv7/mvmpic.4">mvmpic(4)</a>
driver for an interrupt controller on Marvell ARMADA 38x.
<li>arm: New <a href="https://man.openbsd.org/armv7/mvpxa.4">mvpxa(4)</a>
driver for the SD Host Controller on Marvell ARMADA 38x.
<li>arm: New <a href="https://man.openbsd.org/mvpinctrl.4">mvpinctrl(4)</a>
driver to configure pins on Marvell ARMADA 38x.
<li>arm: New <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a> driver
for the Ethernet controller on Marvell ARMADA 38x.
<li>arm: New <a href="https://man.openbsd.org/armv7/amdisplay.4">amdisplay(4)</a> &amp;
<a href="https://man.openbsd.org/armv7/nxphdmi.4">nxphdmi(4)</a> drivers
for the Texas Instruments AM335x LCD controller.
<li>octeon: New <a href="https://man.openbsd.org/octeon/octcib.4">octcib(4)</a>
driver for the interrupt bus widget on CN70xx/CN71xx.
<li>octeon: New <a href="https://man.openbsd.org/octeon/octcit.4">octcit(4)</a>
driver for the central interrupt unit version 3 on CN72xx/CN73xx/CN77xx/CN78xx.
<li>octeon: New <a href="https://man.openbsd.org/octeon/octsctl.4">octsctl(4)</a>
driver for the OCTEON SATA controller bridge.
<li>octeon: New <a href="https://man.openbsd.org/octeon/octxctl.4">octxctl(4)</a>
driver for the OCTEON USB3 controller bridge.
<li>octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks EdgeRouter 4
and 6 are now supported.
<li>New <a href="https://man.openbsd.org/hvs.4">hvs(4)</a> driver for
Hyper-V storage.
<li>New <a href="https://man.openbsd.org/pcxrtc.4">pcxrtc(4)</a> driver for
the NXP PCF8563 Real Time Clock.
<li>New <a href="https://man.openbsd.org/urng.4">urng(4)</a> driver for USB
random number generator devices.
<li>Intel 8265 and 3168 support was added to the
<a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver.
<li>RTL8192CE support was added to the
<a href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> driver.
<li>RT5360 support was added to the
<a href="https://man.openbsd.org/ral.4">ral(4)</a> driver.
<li>RTS525A support was added to the
<a href="https://man.openbsd.org/rtsx.4">rtsx(4)</a> driver.
<li>The <a href="https://man.openbsd.org/acpibat.4">acpibat(4)</a> driver
now supports _BIX entries from ACPI 4.0.
<li>ACPI hibernate support was added to the
<a href="https://man.openbsd.org/nvme.4">nvme(4)</a> driver.
<li>Substantially improved ACPI hibernate performance in the
<a href="https://man.openbsd.org/ahci.4">ahci(4)</a> driver.
<li>The <a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a> driver
was updated to code based on Linux 4.4.70; it now supports Skylake,
Kaby Lake, and Cherryview devices and has better support for Broadwell
and Valleyview devices.
<li>The <a href="https://man.openbsd.org/puc.4">puc(4)</a> driver now
supports ASIX AX99100 devices.
<li>Xen platform support and the
<a href="https://man.openbsd.org/xbf.4">xbf(4)</a> driver in particular
have been substantially improved.
<li>The <a href="https://man.openbsd.org/nvme.4">nvme(4)</a> driver now reports
the correct last sector address to SCSI, allowing a valid GPT to be created.
<li>Repair <a href="https://man.openbsd.org/ioapic.4">ioapic(4)</a> misconfigurations.
</ul>
<p>
<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> improvements:
<ul>
<li><a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
paused VM migration and memory snapshotting using send and receive commands.
<li>VPID/ASID reuse/rollover in
<a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>.
<li>SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to serial
console redirection).
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> resets the
guest VM RTC (real time clock) on host resume from suspend/hibernate
(OpenBSD guests only).
<li>Allow guest VMs access to AVX/AVX2 host CPU features.
<li>Support for AMD SVM/RVI hosts.
<li>Allow larger guest VM memory sizes (up to MAXDSIZ sized guests - e.g.
32GB on amd64 hosts).
<li>Better handling of guest VM MONITOR/MWAIT and HLT instructions.
<li>Various device emulation improvements in
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>.
<li>Increase the <a href="https://man.openbsd.org/virtio.4">virtio(4)</a>
queue size provided by
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> from 64 to 128 entries, to increase performance.
<li>Many fixes to <a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a>
and <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> error handling.
</ul>
<p>
<li>IEEE 802.11 wireless stack improvements:
<ul>
<li>MiRA 802.11n TX rate scaling now supports devices with unequal numbers
of Tx and Rx streams. Fixes 11n mode for some
<a href="https://man.openbsd.org/athn.8">athn(8)</a> devices.
<li>The <a href="https://man.openbsd.org/iwn.8">iwn(8)</a> and
<a href="https://man.openbsd.org/iwm.8">iwm(8)</a> drivers will now start
scanning for a new access point if they no longer receive beacons from
the current AP.
<li>Prefer the 5GHz band over the 2GHz band during access point selection.
<li>Improved debug output in
<a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a> when a wireless
interface is put into debug mode with
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
</ul>
<p>
<li>Generic network stack improvements:
<ul>
<li>Incoming and forwarded IP packets are now processed without
KERNEL_LOCK, resulting in better performance and reduced latency.
<li>The kernel no longer handles IPv6 Stateless Address
Autoconfiguration (RFC 4862), allowing cleanup and simplification
of the IPv6 network stack.
<li>The kernel sends IPv6 router solicitations for link local addresses
with a link local source address.
<li>The FQ-CoDel algorithm has been implemented for use with
<a href="https://man.openbsd.org/pf.conf#QUEUEING">pf(4) queueing</a>.
<li>Improved IPv6 checks for IPsec policies and made them consistent
with IPv4.
<li>Refactored local IP delivery to process IPsec packets in a flow and
avoid enqueueing a second time.
<li><a href="https://man.openbsd.org/pf.4">pf(4)</a>
now inspects AH packets and matches on the inner protocol.
This makes IPv4 authentication headers work like IPv6.
<li>The length of extension header chains in pf(4) is limited.
This prevents spending excessive CPU time on crafted packets.
<li>Block IPv6 packets in
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
that have a hop-by-hop options header or a destination options header.
Such packets can be passed by adding "allow-opts" to the rule.
This makes IPv6 option handling consistent with IPv4.
<li>If the IPv4 ID gets reused too fast, pf(4) fragment reassembly
uses a smarter strategy to drop packets.
<li>Enabled the use of per-CPU caches in the network packet allocators.
</ul>
<p>
<li>Installer improvements:
<ul>
<li>The installer now uses the Allotment Routing Table (ART).
<li>A unique kernel is now created by the installer to boot from after
install/upgrade.
<li>On release installs of architectures supported by syspatch,
"syspatch -c" is now added to rc.firsttime.
<li>Backwards compatibility code to support the 'rtsol' keyword in
<a href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a>
has been removed.
<li>The <tt>install.site</tt> and <tt>upgrade.site</tt> scripts are now
executed at the end of the install/upgrade process.
<li>More detailed information is shown to identify disks.
<li>The IPv6 default router selection has been fixed.
<li>On the amd64 platform, AES-NI is used if present.
</ul>
<p>
<li>Routing daemons and other userland network improvements:
<ul>
<li>A new daemon,
<a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, handles IPv6
Stateless Address Autoconfiguration (RFC 4862).
<li><a href="https://man.openbsd.org/rtadvd.8">rtadvd(8)</a> now supports
"Reducing Energy Consumption of Router Advertisements" (RFC 7772).
<li><a href="https://man.openbsd.org/rtadvd.8">rtadvd(8)</a> has
been fixed to quickly handle IPv6 prefix changes on the system.
<li><a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
can now show SA bundles and the "bundle" keyword allows them to be
explicitly created. This avoids confusion as they were previously
used implicitly.
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a>
now has a <tt>-W recvlimit</tt> option to terminate netcat after
receiving the specified number of packets. This allows for a UDP
request to be sent, a reply to be received and the result checked on
the command line.
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a>
now has a <tt>-Z</tt> option, allowing the peer certificate and chain to be
saved to a file in PEM format.
<li>A new <tt>-T tlscompat</tt> option was added to
<a href="https://man.openbsd.org/nc.1">nc(1)</a>, which enables the use
of all TLS protocols and libtls "compat" ciphers.
<li>Various races have been fixed in
<a href="https://man.openbsd.org/relayd.8">relayd(8)</a>,
especially in HTTP chunked mode.
<li><a href="https://man.openbsd.org/ndp.8">ndp(8)</a> now shows the
relevant NDP information when run in a non-default routing
domain.
<li><a href="https://man.openbsd.org/ifstated.8">ifstated(8)</a> now
copes with interface departures/arrivals.
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> can now
be started multiple times in different
<a href="https://man.openbsd.org/rdomain.4">routing domains</a>,
which provides virtual router functionality.
</ul>
<p>
<li>Security improvements:
<ul>
<li>A new function
<a href="https://man.openbsd.org/freezero.3">freezero(3)</a>
to easily clear and free memory holding sensitive data has been added.
<li>Double free detection has been improved when the F
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
The existing S option now includes F.
<li>The <a href="https://man.openbsd.org/tty.4#TIOCSTI">TIOCSTI</a>
tty ioctl has been removed. The I/O loops in the last two consumers,
<a href="https://man.openbsd.org/csh.1">csh(1)</a> and
<a href="https://man.openbsd.org/mail.1">mail(1)</a>,
were rewritten to cope with the removal.
<li>Trapsleds, a new mitigation that significantly reduces the amount of
nops in the instruction stream, replacing them with trap instructions
or jump-over-trap sequences, thereby requiring greater accuracy for
targeting potential gadgets.
<li>Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o
files of the kernel to be relinked in a random order, creating a unique
kernel for each boot. /bsd is now non-readable to users, to try to
keep the secret.
<li>Like with libc previously,
<a href="https://man.openbsd.org/rc.8">rc(8)</a> re-links libcrypto on
startup, placing the objects in a random order.
<li>In addition to libcrypto, to deter code reuse exploits,
<a href="https://man.openbsd.org/rc.8">rc(8)</a> re-links
<a href="https://man.openbsd.org/ld.so.1">ld.so</a> on
startup, placing the objects in a random order.
<li>If process accounting is activated with
<a href="https://man.openbsd.org/accton.8">accton(8)</a>,
the daily mail shows pledge violations and program crashes.
<a href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a>
uses the flags P and T for such processes.
<li><a href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> uses the
fork+exec model.
<li><a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> uses the
fork+exec model.
<li><a href="https://man.openbsd.org/ifstated.8">ifstated(8)</a>
uses <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
<li><a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> and
<a href="https://man.openbsd.org/snmpctl.8">snmpctl(8)</a> now use
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
<li>Tighter pledge for <a href="https://man.openbsd.org/at.1">at(1)</a>.
<li>Fixed and simplified pledge logic for
<a href="https://man.openbsd.org/nc.1">nc(1)</a>.
<li>More application of
<a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
in userland, and tracked sizes to
<a href="https://man.openbsd.org/free.9">free(9)</a> in the kernel.
<li>Achieve higher levels of paranoia regarding structure packing, and
clear many kernel objects before passing to userland.
<li>Disable some optimizations in
<a href="https://man.openbsd.org/clang.1">clang(1)</a>
due to incompatibility with security.
<li>For instance, cope with
<a href="https://man.openbsd.org/clang.1">clang(1)</a>'s assumption
that static or const
objects placed in unknown sections (such as .openbsd.randomdata)
are surely always 0, and therefore such memory accesses can be
optimized away.
<li>In kernel, randomly bias down the top-of-stack per kthread.
</ul>
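As an added illustration (not code from the release notes or from OpenBSD), this is the pattern that freezero(3) packages up: clear a heap buffer that held secret material before handing it back to the allocator. On OpenBSD the wrapper below is freezero(3) itself; the portable fallback, an assumption for systems that lack it, zeroes through a volatile pointer so the compiler cannot drop the clearing as a dead store ahead of free().

```c
/*
 * Added example, not part of the OpenBSD release notes.  secure_free()
 * has freezero(3) semantics: NULL is a no-op, otherwise the n bytes at p
 * are cleared and the block is freed.  On OpenBSD it is freezero(3);
 * elsewhere (an assumption) the fallback below is used.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite n bytes at p with zeros through a volatile pointer, so the
 * optimizer must keep the stores even though the buffer is freed next. */
void
wipe(void *p, size_t n)
{
	volatile unsigned char *vp = p;

	while (n-- > 0)
		*vp++ = 0;
}

/* Count non-zero bytes; used to check that a buffer really was wiped. */
size_t
count_nonzero(const unsigned char *p, size_t n)
{
	size_t k = 0, i;

	for (i = 0; i < n; i++)
		if (p[i] != 0)
			k++;
	return k;
}

#ifdef __OpenBSD__
#define secure_free(p, n)	freezero((p), (n))
#else
void
secure_free(void *p, size_t n)
{
	if (p == NULL)
		return;
	wipe(p, n);
	free(p);
}
#endif

/* Typical use: a copy of a passphrase lives on the heap only as long as
 * it is needed and is cleared before the block returns to the free list. */
int
handle_secret(const char *passphrase)
{
	size_t len = strlen(passphrase) + 1;
	char *copy = malloc(len);

	if (copy == NULL)
		return -1;
	memcpy(copy, passphrase, len);
	/* ... derive a key from copy here ... */
	secure_free(copy, len);
	return 0;
}

int
main(void)
{
	unsigned char *buf = malloc(16);	/* constructed sample buffer */

	if (buf == NULL)
		return 1;
	memset(buf, 0xAA, 16);
	printf("before wipe: %zu non-zero bytes\n", count_nonzero(buf, 16));
	wipe(buf, 16);
	printf("after wipe:  %zu non-zero bytes\n", count_nonzero(buf, 16));
	free(buf);
	return handle_secret("constructed sample passphrase") == 0 ? 0 : 1;
}
```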
<p>
<li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
<ul>
<li>Add support for the echo-client-id statement to
<a href="https://man.openbsd.org/dhcpd.conf.5">dhcpd.conf(5)</a>.
<li>Take greater care to process all data read, and only data read, from the
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>
socket.
<li>Use /dev/bpf instead of /dev/bpf0.
<li>Handle DHCPINFORM messages from clients behind a DHCP relay.
<li>Fix handling of
<a href="https://man.openbsd.org/carp.4">carp(4)</a>
interfaces in
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>.
<li>Don't stop
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>
logging to stderr when it is started with the -d option.
</ul>
<p>
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> improvements:
<ul>
<li>Log messages reworked and clarified, in particular by prefixing
the name of the relevant network interface.
<li>Treat SSID as 0 to 32 bytes of binary data, not a string.
<li>Use RTM_PROPOSAL to take control of an interface rather than flipping
the interface down and up in the hope that other
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
instances notice.
<li>Reduce file operations needed by the -L option by opening the file at
startup and using it throughout the process lifetime.
<li>Improve <a href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>
handling by reducing writes and more reliably determining which interface
has the current default route.
<li>Take greater care to process all data read, and only data read, from the
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>
socket.
<li>Improve the determination of the link state of an interface.
<li>Decline inappropriate lease offers as soon as they are deemed
inappropriate.
<li>Drop support for the timestamp formats used in lease files created
more than four years ago.
<li>Accept an offer from the server that sent the first copy of
the offer, not the server that sent the last copy.
<li>Don't delete addresses and routes when exiting.
<li>Ensure IPv6 packets are not read from sockets.
<li>Don't silently ignore obsolete keywords in
<a href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a>.
<li>Reduce memory footprint by shrinking oversized static buffers.
<li>Eliminate repeated socket opens by opening the required sockets during
startup.
<li>Fix construction of unicast UDP packets, broken in 5.6.
<li>Improve determination of when a renewed lease requires interface
configuration changes.
<li>Don't exit when addresses are manually added to or deleted from an
interface.
<li>Don't support option 33, classful IP addresses.
<li>Fix configuration of default routes supplied by classless route options.
<li>Consider
<a href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a>
contents when determining what MTU value to configure.
<li>Consider
<a href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a>
contents when creating the content of
<a href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>.
<li>Delete direct routes when routes are flushed.
<li>Don't label routes with "DHCLIENT nnnn".
<li>Don't delete addresses or routes that will be immediately added back.
<li>Delete addresses and routes only when a renewal request is NAK'ed.
<li>Don't wait forever for requested information on the default route.
<li>Don't exit when an attempt to send a packet fails.
<li>Don't log a packet send when the send fails.
<li>Remove the -u option, broken since 2013 without complaints.
<li>Use /dev/bpf instead of /dev/bpf0.
</ul>
<p>
<li>Assorted improvements:
<ul>
<li>The <a href="https://www.openbsd.org/i386.html">i386</a> and
<a href="https://www.openbsd.org/amd64.html">amd64</a>
platforms have switched to using
<a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
as the base system compiler.
<li>Improved UTF-8 line editing support for
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a>
Emacs and Vi input mode.
<li>The HISTFILE of <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> now uses
a plain text format. Support for the
<a href="https://man.openbsd.org/ksh#HISTCONTROL">HISTCONTROL</a>
environment variable was added.
<li>The performance of the memory deallocator used by
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> has been fixed.
<li>The <tt>emacs-usemeta</tt> <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>
flag is no longer needed and is now deprecated.
<li>New <a href="https://man.openbsd.org/futex">futex(2)</a> syscall.
<li>New pthread
<a href="https://man.openbsd.org/pthread_mutex_init">mutex</a> and
<a href="https://man.openbsd.org/pthread_cond_init">condition
variable</a> implementations improving latency
of threaded applications.
<li>New POSIX <a href="https://man.openbsd.org/newlocale.3">xlocale</a>
implementation written from scratch, complete in the sense that
all POSIX *locale(3) and *_l(3) functions are included, but in
OpenBSD, we of course only really care about <code>LC_CTYPE</code>
and we only support ASCII and UTF-8.
<li>Automatic hibernation and suspend by
<a href="https://man.openbsd.org/apmd">apmd</a>
when the battery is low.
<li>New <a href="https://man.openbsd.org/ctfdump">ctfdump(1)</a> and
<a href="https://man.openbsd.org/ctfconv">ctfconv(1)</a>
tools to manipulate CTF (Compact C Type Format).
<li>The error handling in
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
has been improved.
Even if internal errors occur, the daemon tries to keep
unaffected subsystems active,
so that as many messages as possible are logged.
They can be filtered by severity and facility "syslog".
<li>syslogd(8) can now suppress "last message repeated", which is
useful for remote logging.
<li>syslogd(8) can listen on multiple TLS sockets.
<li>syslogd(8) closes the *.514 UDP sockets when they are not
needed.
<li>Truncate log messages at 8192 bytes everywhere.
<li><a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a>
now skips and logs invalid config lines.
<li>Nested mount points are unmounted in the correct order.
<li>Fix creation of
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
CONCAT volumes.
<li>Include
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
volume and backing disk information in I/O error messages.
<li>Make
<a href="https://man.openbsd.org/vioscsi.4">vioscsi(4)</a>
a normal
<a href="https://man.openbsd.org/scsi.4">scsi(4)</a>
device by eliminating its use of the obsolete XS_NO_CCB mechanism.
<li>Remove the last vestiges of the now unused XS_NO_CCB mechanism.
<li>Userspace can now get the address of the thread control block
without a system call on OCTEON II and later.
<li>The FPU is enabled on OCTEON III.
<li>GENERIC kernels now include a .SUNW_ctf section containing CTF data.
<li>New <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> <tt>kill</tt>
command, which sends an uncatchable SIGABRT to a process.
<li>New <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> <tt>pprint</tt>
command, using CTF information to "pretty print" global symbols.
<li>New <a href="https://man.openbsd.org/ddb.4">ddb(4)</a>
<tt>show struct</tt> command, using CTF information to display the content
of in-memory C structures.
<li>x86: <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> uses CTF data
to display the correct number of function arguments in backtraces.
<li>Power off all codecs in
<a href="https://man.openbsd.org/azalia.4">azalia(4)</a> to avoid static
noise in speakers and headphones on reboot.
<li>Fix i386 boot regression seen on very old 486DX CPUs.
<li>New <a href="https://man.openbsd.org/witness.4">witness(4)</a> tool
for debugging lock order issues in the kernel.
The tool is not built in by default, and only amd64, hppa and i386
are supported.
<li>Modernize some bizarre tty behaviours of getty(8).
<li>Some subtle changes to pledge(2) to satisfy requirements observed
in real life.
<li>Prefer use of waitpid(2) rather than wait(3) where possible, to
avoid problems with pre-existing children.
<li>Rewrite swaths of machine-dependent system call stub code in ld.so(1)
in a more portable fashion.
<li><a href="https://man.openbsd.org/pool_cache_init.9">Per-CPU
caches</a> implemented in pools.
<li><a href="https://man.openbsd.org/pthread_mutex_lock.3">Mutex</a>,
<a href="https://man.openbsd.org/pthread_cond_wait.3">condition-variable</a>,
<a href="https://man.openbsd.org/pthread_getspecific.3">thread-specific data</a>,
<a href="https://man.openbsd.org/pthread_once.3">pthread_once(3)</a>,
and <a href="https://man.openbsd.org/pthread_exit.3">pthread_exit(3)</a>
routines moved to libc from libpthread for ease of library
use and compatibility with other OSes.
<li>Added <a href="https://man.openbsd.org/openpty.3">getptmfd(3)</a>,
<a href="https://man.openbsd.org/openpty.3">fdopenpty(3)</a>, and
<a href="https://man.openbsd.org/openpty.3">fdforkpty(3)</a>
to simplify privilege separation and use of pledge(2).
<li>Improved computational complexity in various cases of
<a href="https://man.openbsd.org/strstr.3">strstr(3)</a>,
<a href="https://man.openbsd.org/qsort.3">qsort(3)</a>,
and <a href="https://man.openbsd.org/glob.3">glob(3)</a>.
<li>Added support for <tt>EV_RECEIPT</tt> and <tt>EV_DISPATCH</tt> to
<a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>.
<li>Added <a href="https://man.openbsd.org/ktrace.2">fktrace(2)</a>.
</ul>
<p>
<li>OpenSMTPD 6.0.0
<ul>
<li>Fix an off-by-one in the config parser that made 65535 an invalid port.
<li>Fix a fd leak in the session congestion mechanism.
<li>Fix a possible crash when relaying with smtps.
<li>Remove support for the "listen secure" syntax (explicitly define two listeners for tls and smtps instead).
<li>Remove experimental support for filters.
<li>Assorted code and documentation cleanups and improvements.
</ul>
<p>
<ul> |
<ul> |
<li>Security: |
<li>Security: |
<ul> |
<ul> |
<li>sftp-server(8): in read-only mode, sftp-server was incorrectly |
<li>... |
permitting creation of zero-length files. |
|
</ul> |
</ul> |
<li>New/changed features: |
<li>New/changed features: |
<ul> |
<ul> |
<li>Add RemoteCommand option to specify a command in the |
<li>... |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a> |
|
config file instead of giving it on the client's command |
|
line. |
|
The feature allows to automate tasks using ssh config. |
|
<li>sshd(8): add ExposeAuthInfo option that enables writing details of |
|
the authentication methods used (including public keys where |
|
applicable) to a file that is exposed via a $SSH_USER_AUTH |
|
environment variable in the subsequent session. |
|
<li>ssh(1): add support for reverse dynamic forwarding. In this mode, |
|
ssh will act as a SOCKS4/5 proxy and forward connections |
|
to destinations requested by the remote SOCKS client. This mode |
|
is requested using extended syntax for the -R and RemoteForward |
|
options and, because it is implemented solely at the client, |
|
does not require the server be updated to be supported. |
|
<li>sshd(8): allow LogLevel directive in sshd_config Match blocks. |
|
<li>ssh-keygen(1): allow inclusion of arbitrary string or flag |
|
certificate extensions and critical options. |
|
<li>ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as |
|
a CA when signing certificates. |
|
<li>ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit |
|
ToS/DSCP value and just use the operating system default. |
|
<li>ssh-add(1): added -q option to make ssh-add quiet on success. |
|
<li>ssh(1): expand the StrictHostKeyChecking option with two new |
|
settings. The first "accept-new" will automatically accept |
|
hitherto-unseen keys but will refuse connections for changed or |
|
invalid hostkeys. This is a safer subset of the current behaviour |
|
of StrictHostKeyChecking=no. The second setting "off", is a synonym |
|
for the current behaviour of StrictHostKeyChecking=no: accept new |
|
host keys, and continue connection for hosts with incorrect |
|
hostkeys. A future release will change the meaning of |
|
StrictHostKeyChecking=no to the behaviour of "accept-new". |
|
<li>ssh(1): add SyslogFacility option to ssh(1) matching the equivalent |
|
option in sshd(8). |
|
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
<li>ssh(1): use HostKeyAlias if specified instead of hostname for |
<li>... |
matching host certificate principal names. |
|
<li>sftp(1): implement sorting for globbed ls. |
|
<li>ssh(1): add a user@host prefix to client's "Permission denied" |
|
messages, useful in particular when using "stacked" connections |
|
(e.g. ssh -J) where it's not clear which host is denying. |
|
<li>ssh(1): accept unknown EXT_INFO extension values that contain \0 |
|
characters. These are legal, but would previously cause fatal |
|
connection errors if received. |
|
<li>ssh(1)/sshd(8): repair compression statistics printed at
connection exit.
<li>sftp(1): print '?' instead of an incorrect link count (which the
protocol doesn't provide) for remote listings.
<li>ssh(1): return failure rather than fatal() for more cases during
session multiplexing negotiations. Causes the session to fall back
to a non-mux connection if they occur.
<li>ssh(1): mention that the server may send debug messages to explain
public key authentication problems under some circumstances.
<li>Translate OpenSSL error codes to better report incorrect passphrase
errors when loading private keys.
<li>sshd(8): adjust compatibility patterns for WinSCP to correctly
identify versions that implement only the legacy DH group exchange
scheme.
<li>ssh(1): print the "Killed by signal 1" message only at LogLevel
verbose so that it is not shown at the default level; prevents it
from appearing during ssh -J and equivalent ProxyCommand configs.
<li>ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. Zero-length keys
could previously be made if ssh-keygen failed or was interrupted part
way through generating them.
<li>ssh(1): fix pledge(2) violation in the escape sequence "~&amp;" used to
place the current session in the background.
<li>ssh-keyscan(1): avoid double-close() on file descriptors.
<li>sshd(8): avoid relying on pointers shared between the monitor and
child sshd processes.
<li>sshd_config(8): document available AuthenticationMethods.
<li>ssh(1): avoid truncation in some login prompts.
<li>ssh(1): make "--" before the hostname terminate argument processing
after the hostname too.
<li>ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
new-style private keys. Fixes problems related to private key
handling for no-OpenSSL builds.
<li>ssh(1): warn and do not attempt to use keys when the public and
private halves do not match.
<li>sftp(1): don't print a verbose error message when ssh disconnects
from under sftp.
<li>sshd(8): fix a keepalive scheduling problem: activity on a forwarded
port was preventing the keepalive from being sent.
<li>sshd(8): when started without root privileges, don't require the
privilege separation user or path to exist. Makes running the
regression tests easier without touching the filesystem.
<li>Make integrity.sh regression tests more robust against timeouts.
<li>ssh(1)/sshd(8): correctness fix for the channels implementation: accept
channel IDs greater than 0x7FFFFFFF.
</ul>
</ul>
<p>

<li>LibreSSL 2.6.3
<ul>
<li>Added support for providing CRLs to libtls - once a CRL is provided via
<a href="https://man.openbsd.org/tls_config_set_crl_file.3">tls_config_set_crl_file(3)</a>
or
<a href="https://man.openbsd.org/tls_config_set_crl_mem.3">tls_config_set_crl_mem(3)</a>,
CRL checking is enabled and required for the full certificate chain.
<li>Reworked the TLS certificate name verification code to more strictly
follow RFC 6125.
<li>Cleaned up and simplified server key exchange EC point handling.
<li>Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
simplified BIO_get_host_ip() and BIO_accept().
<li>Added definitions for three OIDs used in EV certificates.
<li>Relaxed SNI validation to allow non-RFC-compliant clients that send literal
IP addresses in SNI to connect to a libtls-based TLS server.
<li>Added tls_peer_cert_chain_pem() to libtls, useful in private certificate
validation callbacks such as those in relayd.
<li>Converted explicit clear/free sequences to use
<a href="https://man.openbsd.org/freezero.3">freezero(3)</a>.
<li>Fixed the
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
ca command so that it generates certificates with RFC 5280-conformant times.
<li>Added
<a href="https://man.openbsd.org/ASN1_TIME_set_tm.3">ASN1_TIME_set_tm(3)</a>
to set an ASN.1 time from a struct tm *.
<li>Added
<a href="https://man.openbsd.org/SSL_CTX_set_min_proto_version.3">SSL{,_CTX}_set_{min,max}_proto_version(3)</a>
functions.
<li>Imported HKDF (the HMAC-based extract-and-expand key derivation function
of RFC 5869) from BoringSSL.
<li>Provided a
<a href="https://man.openbsd.org/tls_unload_file.3">tls_unload_file(3)</a>
function that frees the memory returned from a
<a href="https://man.openbsd.org/tls_load_file.3">tls_load_file(3)</a>
call, ensuring that the contents become inaccessible.
<li>Implemented reference counting for libtls tls_config, allowing
<a href="https://man.openbsd.org/tls_config_free.3">tls_config_free(3)</a>
to be called as soon as it has been passed to the final
<a href="https://man.openbsd.org/tls_configure.3">tls_configure(3)</a>
call, simplifying lifetime tracking for the application.
<li>Dropped cipher suites using DSS authentication.
<li>Removed support for DSS/DSA from libssl.
<li>Distinguish between self-issued certificates and self-signed
certificates. The certificate verification code has special cases
for self-signed certificates, and without this change self-issued
certificates (issuer and subject names match, without the certificate
necessarily being signed by its own key; these seem to be commonplace
with openvpn/easyrsa) were also being included in this category.
<li>Added a new TLS extension handling framework and converted all
TLS extensions to use it.
<li>Improved and added many new manpages. Updated the
<a href="https://man.openbsd.org/SSL_CTX_check_private_key.3">SSL_{CTX_,}check_private_key(3)</a>
manpages with additional cautions regarding their use.
<li>Cleaned up and simplified EC key/curve configuration handling.
<li>Added
<a href="https://man.openbsd.org/tls_config_set_ecdhecurves.3">tls_config_set_ecdhecurves(3)</a>
to libtls, which allows the names of the elliptic curves that may
be used during client and server key exchange to be specified.
<li>Converted more code paths to use CBB/CBS.
<li>Removed NPN support - NPN was never standardised and the last draft
expired in October 2012.
<li>Removed the SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
CryptoPro clients.
<li>Removed support for the TLS padding extension, which was added as a
workaround for an old bug in F5's TLS termination.
<li>Added the ability to clamp notAfter values in certificates for systems
with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
<li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
<li>Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
<li>Provide a useful error with libtls if there are no OCSP URLs in a
peer certificate.
<li>Keep track of which keypair is in use by a TLS context, fixing a bug
where a TLS server with SNI would only return the OCSP staple for the
default keypair.
<li>If
<a href="https://man.openbsd.org/tls_config_parse_protocols.3">tls_config_parse_protocols(3)</a>
is called with a NULL pointer, it now
returns the default protocols.
</ul>
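<p>
The RFC 6125 rework and the relaxed SNI handling above both come down to how
a reference identifier (the host name or IP literal the client intended to
reach) is matched against the identifiers a certificate presents. The
following Python is an added example of that matching written for this page;
it is not LibreSSL's verification code, and its wildcard policy (only a whole
left-most <code>*</code> label, at least two labels after it, matching
exactly one label of the reference) is this example's own choice, stricter
than the optional rules in RFC 6125 section 6.4.3. The
<code>SAMPLE_SAN</code> list and the certificate it stands in for are
constructed; an IP literal is matched only against an iPAddress entry, never
against a dNSName.

```python
"""Reference-identifier matching in the spirit of RFC 6125 (added example)."""
import ipaddress

# Characters permitted in a host-name label (letters, digits, hyphen).
# Underscores are rejected on purpose: they are not legal in host names.
# Internationalised names are expected to arrive already as A-labels.
_LABEL_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def parse_ip(text):
    """Return an ipaddress object if text is an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def host_labels(name):
    """Lower-case and validate a DNS host name; return its labels or None."""
    name = name.lower()
    if name.endswith("."):          # a single trailing dot marks a FQDN
        name = name[:-1]
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:
            return None
        if label[0] == "-" or label[-1] == "-":
            return None
        if not set(label) <= _LABEL_CHARS:
            return None
    return labels


def match_dns_id(presented, reference):
    """Match one dNSName from the certificate against the reference host name.

    Wildcard policy (this example's choice, stricter than RFC 6125's MAYs):
    '*' must be the entire left-most label, at least two labels must follow
    it, and it matches exactly one reference label, never zero or several.
    An IP-address literal never matches a dNSName.
    """
    if parse_ip(reference) is not None:
        return False
    ref = host_labels(reference)
    if ref is None:
        return False
    pres = presented.lower()
    if pres.endswith("."):
        pres = pres[:-1]
    if "*" not in pres:
        return host_labels(pres) == ref
    plabels = pres.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False
    if len(plabels) < 3:                 # "*.com" would match every domain
        return False
    suffix = host_labels(".".join(plabels[1:]))
    if suffix is None:
        return False
    return len(ref) == len(plabels) and ref[1:] == suffix


def verify_hostname(san_entries, reference):
    """True if a subjectAltName entry matches reference.

    Entries are ("dns", str) or ("ip", bytes) tuples as they would be pulled
    from the certificate. Only the SAN is consulted: once a certificate
    carries a SAN, the CN is not a fallback (RFC 6125 section 6.4.4).
    """
    ref_ip = parse_ip(reference)
    for kind, value in san_entries:
        if kind == "ip" and ref_ip is not None and ref_ip.packed == value:
            return True
        if kind == "dns" and ref_ip is None and match_dns_id(value, reference):
            return True
    return False


# Constructed SAN contents of a hypothetical server certificate
# (192.0.2.0/24 and 2001:db8::/32 are the RFC documentation ranges).
SAMPLE_SAN = [
    ("dns", "*.example.com"),
    ("dns", "example.com"),
    ("ip", ipaddress.ip_address("192.0.2.10").packed),
    ("ip", ipaddress.ip_address("2001:db8::1").packed),
]

if __name__ == "__main__":
    for ref in ("www.example.com", "WWW.Example.COM.", "example.com",
                "a.b.example.com", "192.0.2.10", "[2001:DB8::1]", "192.0.2.11"):
        print(f"{ref:20} -> {verify_hostname(SAMPLE_SAN, ref)}")
```

<p>
Running it shows <code>a.b.example.com</code> failing against
<code>*.example.com</code>, <code>*.com</code> being rejected outright, and
<code>192.0.2.10</code> matching only through the iPAddress entry; that
strictness is the kind of behaviour the rework is about, and a relaxed
server-side SNI check does not change what a client should accept.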
<p>
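<p>
HKDF is the extract-and-expand construction of RFC 5869: HMAC over the input
keying material with an optional salt yields a fixed-length pseudorandom key,
and HMAC again, chained with a context string and a one-byte counter, expands
that key into as much output as is needed. As an added example (not the
BoringSSL code LibreSSL imported, and not its API), the following Python
reproduces both steps with the standard library and checks them against RFC
5869 test case 1. <code>derive_session_keys</code>, its inputs and its labels
are hypothetical, shown only to illustrate domain separation through the
<code>info</code> parameter.

```python
"""HKDF (RFC 5869) extract-and-expand, as an added example."""
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).
    RFC 5869 section 2.2 treats a missing salt as HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """HKDF-Expand: OKM = first `length` bytes of T(1) | T(2) | ..., where
    T(i) = HMAC-Hash(PRK, T(i-1) | info | i) and T(0) is empty (section 2.3)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("HKDF output length must be 1..255*HashLen octets")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt, ikm, info, length, hash_name="sha256"):
    """Full HKDF: extract, then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_session_keys(shared_secret, transcript_hash, key_len=32):
    """Hypothetical use: split one key-exchange secret into directional keys.
    Distinct 'info' labels give domain separation, so the two outputs are
    independent even though they come from the same PRK."""
    prk = hkdf_extract(transcript_hash, shared_secret)
    return {
        "client_write": hkdf_expand(prk, b"example client write key", key_len),
        "server_write": hkdf_expand(prk, b"example server write key", key_len),
    }


# RFC 5869 Appendix A, test case 1 (SHA-256).
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
           "34007208d5b887185865",
}


def self_test():
    """Return True if the implementation reproduces RFC 5869 test case 1."""
    v = RFC5869_TC1
    prk = hkdf_extract(v["salt"], v["ikm"])
    okm = hkdf_expand(prk, v["info"], v["length"])
    return prk.hex() == v["prk"] and okm.hex() == v["okm"]


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "ok" if self_test() else "FAILED")
```

<p>
HKDF assumes the input keying material already carries entropy (a key-exchange
shared secret, a pre-shared key); it is not a password hash and does no
stretching, so a user password must not be fed to it directly.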
<li>mandoc 1.14.3
<ul>
<li>Full <a href="https://man.openbsd.org/mandocdb.5">mandoc.db(5)</a>
databases are now enabled by default, allowing semantic searching
with <a href="https://man.openbsd.org/apropos.1">apropos(1)</a>
without any local configuration changes.
<li>Full integration of the former
<a href="https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress/usr.bin/mdoclint/">mdoclint(1)</a>
utility into <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
<code>-Wall</code>, new <code>-Wstyle</code> and
<code>-Wopenbsd</code> message levels, and many new messages,
for example about typos in <code>.Sh</code> lines,
unknown <code>.Xr</code> targets, and links to self.
<li>Additional steps unifying the
<a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a>,
<a href="https://man.openbsd.org/man.7">man(7)</a>, and
<a href="https://man.openbsd.org/roff.7">roff(7)</a> parsers:
use one common data type and
<a href="https://man.openbsd.org/ohash_init.3">ohash_init(3)</a>
for all requests and macros, and support creation of syntax tree
nodes in the roff(7) parser, allowing support for many new
low-level roff(7) features.
Only about 25 ports still need <code>USE_GROFF</code> now.
<li>Many improvements to
<a href="https://man.openbsd.org/tbl.7">tbl(7)</a>
parsing and formatting,
including automatic line wrapping inside table columns.
<li>Many improvements to
<a href="https://man.openbsd.org/eqn.7">eqn(7)</a>
parsing and formatting, including better font selection,
recognition of well-known mathematical function names, and writing
of <code>&lt;mn&gt;</code> and <code>&lt;mo&gt;</code> HTML tags.
<li>Intelligible rendering of mathematical symbols in
<code>-Tascii</code> output.
<li>Several parsing and rendering improvements for the
<a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a>
<code>.Lk</code> macro.
<li>Some CSS improvements in HTML output, in particular for the
<a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a>
<code>.Bl</code> macro.
</ul>
<p>
