| version 1.1, 2018/03/14 16:34:36 |
version 1.2, 2018/03/16 13:33:30 |
|
|
| |
|
| <li>Improved hardware support, including: |
<li>Improved hardware support, including: |
| <ul> |
<ul> |
| <li>arm: New <a href="https://man.openbsd.org/rkgrf.4">rkgrf(4)</a> driver |
<li>... |
| for the Rockchip RK3399/RK3288 register file. |
|
| <li>arm: New <a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> |
|
| driver for Rockchip RK3399/RK3288 clocks. |
|
| <li>arm: New <a href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a> |
|
| driver for controlling Rockchip RK3399/RK3288 pins. |
|
| <li>arm: New <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a> driver |
|
| for GPIO on Rockchip SoCs. |
|
| <li>arm: New <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a> driver |
|
| for Rockchip RK3399 temperature sensors. |
|
| <li>arm: New <a href="https://man.openbsd.org/rkiic.4">rkiic(4)</a> driver |
|
| for Rockchip RK3399 I2C controllers. |
|
| <li>arm: New <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a> driver |
|
| for the RK808 Power Management IC. |
|
| <li>arm: New <a href="https://man.openbsd.org/dwmmc.4">dwmmc(4)</a> driver |
|
| for Synopsis DesignWare SD/MMC controllers. |
|
| <li>arm: New <a href="https://man.openbsd.org/dwdog.4">dwdog(4)</a> driver |
|
| for the Synopsys DesignWare watchdog timer. |
|
| <li>arm: New <a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> driver |
|
| for the Synopsys DesignWare Ethernet controller. |
|
| <li>arm: New <a href="https://man.openbsd.org/sxitwi.4">sxitwi(4)</a> driver |
|
| for the two-wire bus on Allwinner SoCs. |
|
| <li>arm: New <a href="https://man.openbsd.org/axppmic.4">axppmic(4)</a> |
|
| driver for the AXP209 I2C PMIC. |
|
| <li>arm: New <a href="https://man.openbsd.org/bcmaux.4">bcmaux(4)</a> driver |
|
| for clocks and interrupts on the auxilliary UART on BCM2835 devices. |
|
| <li>arm: New <a href="https://man.openbsd.org/armv7/mvmpic.4">mvmpic(4)</a> |
|
| driver for an interrupt controller on Marvell ARMADA 38x. |
|
| <li>arm: New <a href="https://man.openbsd.org/armv7/mvpxa.4">mvpxa(4)</a> |
|
| driver for the SD Host Controller on Marvell ARMADA 38x. |
|
| <li>arm: New <a href="https://man.openbsd.org/mvpinctrl.4">mvpinctrl(4)</a> |
|
| driver to configure pins on Marvell ARMADA 38x. |
|
| <li>arm: New <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a> driver |
|
| the Ethernet controller on Marvell ARMADA 38x. |
|
| <li>arm: New <a |
|
| href="https://man.openbsd.org/armv7/amdisplay.4">amdisplay(4)</a> & |
|
| <a href="https://man.openbsd.org/armv7/nxphdmi.4">nxphdmi(4)</a> drivers |
|
| for the Texas Instruments AM335x LCD controller. |
|
| <li>octeon: New <a |
|
| href="https://man.openbsd.org/octeon/octcib.4">octcib(4)</a> driver for |
|
| the interrupt bus widget on CN70xx/CN71xx. |
|
| <li>octeon: New <a |
|
| href="https://man.openbsd.org/octeon/octcit.4">octcit(4)</a> driver for |
|
| the central interrupt unit version 3 on CN72xx/CN73xx/CN77xx/CN78xx. |
|
| <li>octeon: New <a |
|
| href="https://man.openbsd.org/octeon/octsctl.4">octsctl(4)</a> driver |
|
| for the OCTEON SATA controller bridge. |
|
| <li>octeon: New <a |
|
| href="https://man.openbsd.org/octeon/octxctl.4">octxctl(4)</a> driver |
|
| for the OCTEON USB3 controller bridge. |
|
| <li>octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks EdgeRouter 4 |
|
| and 6 are now supported. |
|
| <li>New <a href="https://man.openbsd.org/hvs.4">hvs(4)</a> driver for |
|
| Hyper-V storage. |
|
| <li>New <a href="https://man.openbsd.org/pcxrtc.4">pcxrtc(4)</a> driver for |
|
| the NXP PCF8563 Real Time Clock. |
|
| <li>New <a href="https://man.openbsd.org/urng.4">urng(4)</a> driver for USB |
|
| random number generator devices. |
|
| <li>Intel 8265 and 3168 support was added to the |
|
| <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver. |
|
| <li>RTL8192CE support was added to the |
|
| <a href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> driver. |
|
| <li>RT5360 support was added to the |
|
| <a href="https://man.openbsd.org/ral.4">ral(4)</a> driver. |
|
| <li>RTS525A support was added to the |
|
| <a href="https://man.openbsd.org/rtsx.4">rtsx(4)</a> driver. |
|
| <li>The <a href="https://man.openbsd.org/acpibat.4">acpibat(4)</a> driver |
|
| now supports _BIX entries from ACPI 4.0. |
|
| <li>ACPI hibernate support was added to the |
|
| <a href="https://man.openbsd.org/nvme.4">nvme(4)</a> driver. |
|
| <li>Substantially improved ACPI hibernate performance in the |
|
| <a href="https://man.openbsd.org/ahci.4">ahci(4)</a> driver. |
|
| <li>The <a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a> driver |
|
| was updated to code based on Linux 4.4.70 - it now supports Skylake, |
|
| Kaby Lake, and Cherryview devices and has better support for Broadwell |
|
| and Valleyview devices. |
|
| <li>The <a href="https://man.openbsd.org/puc.4">puc(4)</a> driver now |
|
| supports ASIX AX99100 devices. |
|
| <li>Xen platform support and the |
|
| <a href="https://man.openbsd.org/xbf.4">xbf(4)</a> driver in particular |
|
| have been substantially improved. |
|
| <li>The <a href="https://man.openbsd.org/nvme.4">nvme(4)</a> driver now reports |
|
| correct last sector address to SCSI, allowing a valid GPT to be created. |
|
| <li>Repair <a href="https://man.openbsd.org/ioapic.4">ioapic(4)</a> misconfigurations. |
|
| </ul> |
</ul> |
| |
|
| <p> |
<p> |
| <li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/ |
<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/ |
| <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> improvements: |
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> improvements: |
| <ul> |
<ul> |
| <li><a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports |
<li>... |
| paused VM migration and memory snapshotting using send and receive commands. |
|
| <li>VPID/ASID reuse/rollover in <a |
|
| href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>. |
|
| <li>SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to serial |
|
| console redirection). |
|
| <li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> resets the |
|
| guest VM RTC (real time clock) on host resume from suspend/hibernate |
|
| (OpenBSD guests only). |
|
| <li>Allow guest VMs access to AVX/AVX2 host CPU features. |
|
| <li>Support for AMD SVM/RVI hosts. |
|
| <li>Allow larger guest VM memory sizes (up to MAXDSIZ sized guests - e.g. |
|
| 32GB on amd64 hosts). |
|
| <li>Better handling of guest VM MONITOR/MWAIT and HLT instructions. |
|
| <li>Various device emulation improvements in <a |
|
| href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>. |
|
| <li>Increase the <a href="https://man.openbsd.org/virtio.4">virtio(4)</a> |
|
| queue size provided by <a |
|
| href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> from 64 to 128 entries, to increase performance. |
|
| <li>Many fixes to <a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> |
|
| and <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> error handling. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>IEEE 802.11 wireless stack improvements: |
<li>IEEE 802.11 wireless stack improvements: |
| <ul> |
<ul> |
| <li>MiRA 802.11n TX rate scaling now supports devices with unequal numbers |
<li>... |
| of Tx and Rx streams. Fixes 11n mode for some |
|
| <a href="https://man.openbsd.org/athn.8">athn(8)</a> devices. |
|
| <li>The <a href="https://man.openbsd.org/iwn.8">iwn(8)</a> and |
|
| <a href="https://man.openbsd.org/iwm.8">iwm(8)</a> drivers will now start |
|
| scanning for a new access point if they no longer receive beacons from |
|
| the current AP. |
|
| <li>Prefer the 5GHz band over the 2GHz band during access point selection. |
|
| <li>Improved debug output in |
|
| <a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a> when a wireless |
|
| interface is put into debug mode with |
|
| <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Generic network stack improvements: |
<li>Generic network stack improvements: |
| <ul> |
<ul> |
| <li>Incoming and forwarded IP packets are now processed without |
<li>... |
| KERNEL_LOCK, resulting in better performances and reduced latency. |
|
| <li>The kernel no longer handles IPv6 Stateless Address |
|
| Autoconfiguration (RFC 4862), allowing cleanup and simplification |
|
| of the IPv6 network stack. |
|
| <li>The kernel sends IPv6 router solicitations for link local addresses |
|
| with a link local source address. |
|
| <li>FQ-CoDel algorithm has been implemented for use with <a |
|
| href="https://man.openbsd.org/pf.conf#QUEUEING">pf(4) queueing</a>. |
|
| <li>Improved IPv6 checks for IPsec policies and made them consistent |
|
| with IPv4. |
|
| <li>Refactored local IP delivery to process IPsec packets in a flow and |
|
| avoid enqueueing a second time. |
|
| <li><a href="https://man.openbsd.org/pf.4">pf(4)</a> |
|
| now inspects AH packets and matches on the inner protocol. |
|
| This makes IPv4 authentication headers work like IPv6. |
|
| <li>The length of extension header chains in pf(4) is limited. |
|
| This prevents spending excessive CPU time on crafted packets. |
|
| <li>Block IPv6 packets in |
|
| <a href="https://man.openbsd.org/pf.4">pf(4)</a> |
|
| that have a hop-by-hop options header or a destination options header. |
|
| Such packets can be passed by adding "allow-opts" to the rule. |
|
| This makes IPv6 option handling consistent with IPv4. |
|
| <li>If the IPv4 ID gets reused too fast, pf(4) fragment reassembly |
|
| uses a smarter strategy to drop packets. |
|
| <li>Enabled the use of per-CPU caches in the network packet allocators. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Installer improvements: |
<li>Installer improvements: |
| <ul> |
<ul> |
| <li>The installer now uses the Allotment Routing Table (ART). |
<li>... |
| <li>A unique kernel is now created by the installer to boot from after |
|
| install/upgrade. |
|
| <li>On release installs of architectures supported by syspatch, |
|
| "syspatch -c" is now added to rc.firsttime. |
|
| <li>Backwards compatibility code to support the 'rtsol' keyword in |
|
| <a href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> |
|
| has been removed. |
|
| <li>The <tt>install.site</tt> and <tt>upgrade.site</tt> scripts are now |
|
| executed at the end of the install/upgrade process. |
|
| <li>More detailed information is shown to identify disks. |
|
| <li>The IPv6 default router selection has been fixed. |
|
| <li>On the amd64 platform, AES-NI is used if present. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
| <ul> |
<ul> |
| <li>A new daemon, <a |
<li>... |
| href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> handles IPv6 |
|
| Stateless Address Autoconfiguration (RFC 4862). |
|
| <li><a href="https://man.openbsd.org/rtadvd.8">rtadvd(8)</a> now supports |
|
| "Reducing Energy Consumption of Router Advertisements" (RFC 7772). |
|
| <li><a href="https://man.openbsd.org/rtadvd.8">rtadvd(8)</a> has |
|
| been fixed to quickly handle IPv6 prefix changes on the system. |
|
| <li><a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> |
|
| can now show SA bundles and the "bundle" keyword allows them to be |
|
| explicitly created. This avoids confusion as they were previously |
|
| used implicitly. |
|
| <li><a href="https://man.openbsd.org/nc.1">nc(1)</a> |
|
| now has a <tt>-W recvlimit</tt> option to terminate netcat after |
|
| receiving the specified number of packets. This allows for a UDP |
|
| request to be sent, a reply to be received and the result checked on |
|
| the command line. |
|
| <li><a href="https://man.openbsd.org/nc.1">nc(1)</a> |
|
| now has a <tt>-Z</tt> option, allowing the peer certificate and chain to be |
|
| saved to a file in PEM format. |
|
| <li>A new <tt>-T tlscompat</tt> option was added to |
|
| <a href="https://man.openbsd.org/nc.1">nc(1)</a>, which enables the use |
|
| of all TLS protocols and libtls "compat" ciphers. |
|
| <li>Various races have been fixed in |
|
| <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>, |
|
| expecially in HTTP chunked mode. |
|
| <li><a href="https://man.openbsd.org/ndp.8">ndp(8)</a> now shows the |
|
| relevant NDP information when run in a non-default routing |
|
| domain. |
|
| <li><a href="https://man.openbsd.org/ifstated.8">ifstated(8)</a> now |
|
| copes with interface departures/arrivals. |
|
| <li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> can now |
|
| be started multiple times in different |
|
| <a href="https://man.openbsd.org/rdomain.4">routing domains</a>, |
|
| this provides virtual router functionality. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Security improvements: |
<li>Security improvements: |
| <ul> |
<ul> |
| <li>A new function |
<li>... |
| <a href="https://man.openbsd.org/freezero.3">freezero(3)</a> |
|
| to easily clear and free memory holding sensitive data has been added. |
|
| <li>Double free detection has been improved when the F |
|
| <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> option is used. |
|
| The existing S option now includes F. |
|
| <li>The <a href="https://man.openbsd.org/tty.4#TIOCSTI">TIOCSTI</a> |
|
| tty ioctl has been removed. The I/O-loops in the last two consumers |
|
| <a href="https://man.openbsd.org/csh.1">csh(1)</a> and |
|
| <a href="https://man.openbsd.org/mail.1">mail(1)</a> |
|
| were rewritten to cope with the removal. |
|
| <li>Trapsleds, a new mitigation that significantly reduces the amount of |
|
| nops in the instruction stream, replacing them with trap instructions |
|
| or jump-over-trap sequences, thereby requiring greater accuracy for |
|
| targetting potential gadgets. |
|
| <li>Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o |
|
| files of the kernel to be relinked in a random order, creating a unique |
|
| kernel for each boot. /bsd is now non-readable to users, to try to |
|
| keep the secret. |
|
| <li>Like with libc previously, |
|
| <a href="https://man.openbsd.org/rc.8">rc(8)</a> re-links libcrypto on |
|
| startup, placing the objects in a random order. |
|
| <li>In addition to libcrypto, to deter code reuse exploits, |
|
| <a href="https://man.openbsd.org/rc.8">rc(8)</a> re-links |
|
| <a href="https://man.openbsd.org/ld.so.1">ld.so</a> on |
|
| startup, placing the objects in a random order. |
|
| <li>If process accounting is activated with |
|
| <a href="https://man.openbsd.org/accton.8">accton(8)</a>, |
|
| the daily mail shows pledge violations and program crashes. |
|
| <a href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> |
|
| uses the flags P and T for such processes. |
|
| <li><a href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> uses the |
|
| fork+exec model. |
|
| <li><a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> uses the |
|
| fork+exec model. |
|
| <li><a href="https://man.openbsd.org/ifstated.8">ifstated(8)</a> |
|
| uses <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>. |
|
| <li><a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> and |
|
| <a href="https://man.openbsd.org/snmpctl.8">snmpctl(8)</a> now use |
|
| <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>. |
|
| <li>Tighter pledge for <a href="https://man.openbsd.org/at.1">at(1)</a>. |
|
| <li>Fixed and simplified pledge logic for |
|
| <a href="https://man.openbsd.org/nc.1">nc(1)</a>. |
|
| <li>More application of |
|
| <a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a> |
|
| in userland, and tracked sizes to |
|
| <a href="https://man.openbsd.org/free.9">free(9)</a> in the kernel. |
|
| <li>Achieve higher levels of paranoia regarding structure packing, and |
|
| clear many kernel objects before passing to userland. |
|
| <li>Disable some optimizations in |
|
| <a href="https://man.openbsd.org/clang.1">clang(1)</a> |
|
| due to incompatibility with security. |
|
| <li>For instance, cope with |
|
| <a href="https://man.openbsd.org/clang.1">clang(1)</a>'s assumption |
|
| that static or const |
|
| objects placed in unknown sections (such as .openbsd.randomdata) |
|
| are surely always 0, and therefore such memory accesses can be |
|
| optimized away. |
|
| <li>In kernel, randomly bias down the top-of-stack per kthread. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/ |
<li><a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/ |
| <a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements: |
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements: |
| <ul> |
<ul> |
| <li>Add support for echo-client-id statement to |
<li>... |
| <a href="https://man.openbsd.org/dhcpd.conf.5">dhcpd.conf(5)</a>. |
|
| <li>Take greater care to process all data read, and only data read, from the |
|
| <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> |
|
| socket. |
|
| <li>Use /dev/bpf instead of /dev/bpf0. |
|
| <li>Handle DHCPINFORM messages from clients behind a DHCP relay. |
|
| <li>Fix handling of |
|
| <a href="https://man.openbsd.org/carp.4">carp(4)</a> |
|
| interfaces in |
|
| <a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a>. |
|
| <li>Don't stop |
|
| <a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> |
|
| logging to stderr when it is started with the -d option. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> improvements: |
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> improvements: |
| <ul> |
<ul> |
| <li>Log messages reworked and clarified, in particular by prefixing |
<li>... |
| the name of the relevant network interface. |
|
| <li>Treat SSID as 0 to 32 bytes of binary data, not a string. |
|
| <li>Use RTM_PROPOSAL to take control of an interface rather than flipping |
|
| interface down and up in the hope that other |
|
| <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> |
|
| instances notice. |
|
| <li>Reduce file operations needed by -L option by opening file at |
|
| startup and using it throughout process lifetime. |
|
| <li>Improve <a href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> |
|
| handling by reducing writes and more reliably determining which interface |
|
| has the current default route. |
|
| <li>Take greater care to process all data read, and only data read, from the |
|
| <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> |
|
| socket. |
|
| <li>Improve the determination of the link state of an interface. |
|
| <li>Decline inappropriate lease offers as soon as they are deemed |
|
| inappropriate. |
|
| <li>Drop support for the timestamp formats used in lease files created |
|
| more than four years ago. |
|
| <li>Accept an offer from the server that sent the first copy of |
|
| the offer, not the server that sent the last copy. |
|
| <li>Don't delete addresses and routes when exiting. |
|
| <li>Ensure IPv6 packets are not read from sockets. |
|
| <li>Don't silently ignore obsolete keywords in |
|
| <a href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a>. |
|
| <li>Reduce memory footprint by shrinking oversized static buffers. |
|
| <li>Eliminate repeated socket opens by opening the required sockets during |
|
| startup. |
|
| <li>Fix construction of unicast UDP packets, broken in 5.6. |
|
| <li>Improve determination of when a renewed lease requires interface |
|
| configuration changes. |
|
| <li>Don't exit when addresses are manually added or deleted from an |
|
| interface. |
|
| <li>Don't support option 33, classfull IP addresses. |
|
| <li>Fix configuration of default routes supplied by classless route options. |
|
| <li>Consider |
|
| <a href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> |
|
| contents when determining what MTU value to configure. |
|
| <li>Consider |
|
| <a href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> |
|
| contents when creating the content of |
|
| <a href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>. |
|
| <li>Delete direct routes when routes are flushed. |
|
| <li>Don't label routes with "DHCLIENT nnnn". |
|
| <li>Don't delete addresses or routes that will be immediately added back. |
|
| <li>Delete addresses and routes only when a renewal request is NAK'ed. |
|
| <li>Don't wait forever for requested information on the default route. |
|
| <li>Don't exit when an attempt to send a packet fails. |
|
| <li>Don't log a packet send when the send fails. |
|
| <li>Remove the -u option, broken since 2013 without complaints. |
|
| <li>Use /dev/bpf instead of /dev/bpf0. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>Assorted improvements: |
<li>Assorted improvements: |
| <ul> |
<ul> |
| <li>The <a href="https://www.openbsd.org/i386.html">i386</a> and |
<li>... |
| <a href="https://www.openbsd.org/amd64.html">amd64</a> |
|
| platforms have switched to using |
|
| <a href="https://man.openbsd.org/clang-local.1">clang(1)</a> |
|
| as the base system compiler. |
|
| <li>Improved UTF-8 line editing support for |
|
| <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> |
|
| Emacs and Vi input mode. |
|
| <li>The HISTFILE of <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> now uses |
|
| a plain text format. Support for the |
|
| <a href="https://man.openbsd.org/ksh#HISTCONTROL">HISTCONTROL</a> |
|
| environment variable was added. |
|
| <li>The performance of the memory deallocator used by |
|
| <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> has been fixed. |
|
| <li>The <tt>emacs-usemeta</tt> <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> |
|
| flag is no longer needed and is now deprecated. |
|
| <li>New <a href="https://man.openbsd.org/futex">futex(2)</a> syscall. |
|
| <li>New pthread |
|
| <a href="https://man.openbsd.org/pthread_mutex_init">mutex</a> and |
|
| <a href="https://man.openbsd.org/pthread_cond_init">condition |
|
| variable</a> implementations improving latency |
|
| of threaded applications. |
|
| <li>New POSIX <a href="https://man.openbsd.org/newlocale.3">xlocale</a> |
|
| implementation written from scratch, complete in the sense that |
|
| all POSIX *locale(3) and *_l(3) functions are included, but in |
|
| OpenBSD, we of course only really care about <code>LC_CTYPE</code> |
|
| and we only support ASCII and UTF-8. |
|
| <li>Automatic hibernation and suspend by |
|
| <a href="https://man.openbsd.org/apmd">apmd</a> |
|
| when battery is low. |
|
| <li>New <a href="https://man.openbsd.org/ctfdump">ctfdump(1)</a> and |
|
| <a href="https://man.openbsd.org/ctfconv">ctfconv(1)</a> |
|
| tools to manipulate CTF (Compact C Type Format). |
|
| <li>The error handling in |
|
| <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> |
|
| has been improved. |
|
| Even if internal errors occur, the daemon tries to keep |
|
| unaffected subsystems active. |
|
| So as many messages as possible are logged. |
|
| They can be filtered by severity and facility "syslog". |
|
| <li>syslogd(8) can now suppress "last message repeated" which is |
|
| useful for remote logging. |
|
| <li>syslogd(8) can listen on multiple TLS sockets. |
|
| <li>syslogd(8) closes the *.514 UDP sockets when they are not |
|
| needed. |
|
| <li>Truncate log messages at 8192 bytes everywhere. |
|
| <li><a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a> |
|
| now skips and logs invalid config lines. |
|
| <li>Nested mount points are umounted in correct order. |
|
| <li>Fix creation of |
|
| <a href="https://man.openbsd.org/softraid.4">softraid(4)</a> |
|
| CONCAT volumes. |
|
| <li>Include |
|
| <a href="https://man.openbsd.org/softraid.4">softraid(4)</a> |
|
| volume and backing disk information in i/o error messages. |
|
| <li>Make |
|
| <a href="https://man.openbsd.org/vioscsi.4">vioscsi(4)</a> |
|
| a normal |
|
| <a href="https://man.openbsd.org/scsi.4">scsi(4)</a> |
|
| device by eliminating its use of the obsolete XS_NO_CCB mechanism. |
|
| <li>Remove last vestiges of now unused XS_NO_CCB mechanism. |
|
| <li>Userspace can now get the address of the thread control block |
|
| without a system call on OCTEON II and later. |
|
| <li>FPU is enabled on OCTEON III. |
|
| <li>GENERIC kernels now include a .SUNW_ctf section containing CTF data. |
|
| <li>New <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> <tt>kill</tt> |
|
| command, send an uncatchable SIGABRT to a process. |
|
| <li>New <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> <tt>pprint</tt> |
|
| command, using CTF information to "pretty print" global symbols. |
|
| <li>New <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> |
|
| <tt>show struct</tt> command, using CTF information to display the content |
|
| of in memory C structures. |
|
| <li>x86: <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> uses CTF data |
|
| to display the correct number of function arguments in backtraces. |
|
| <li>Power off all codecs in |
|
| <a href="https://man.openbsd.org/azalia.4">azalia(4)</a> to avoid static |
|
| noise in speakers and headphones on reboot. |
|
| <li>Fix i386 boot regression seen on very old 486DX CPUs. |
|
| <li>New <a href="https://man.openbsd.org/witness.4">witness(4)</a> tool |
|
| for debugging lock order issues in the kernel. |
|
| The tool is not built in by default, and only amd64, hppa and i386 |
|
| are supported. |
|
| <li>Modernize some bizzare tty behaviours of getty(8). |
|
| <li>Some subtle changes to pledge(2) to satisfy requirements observed |
|
| in real life. |
|
| <li>Prefer use of waitpid(2) rather than wait(3) where possible, to |
|
| avoid problems with pre-existing children. |
|
| <li>Rewrite swaths of machine-dependent system call stub code in ld.so(1) |
|
| in a more portable fashion. |
|
| <li><a href="https://man.openbsd.org/pool_cache_init.9">Per-CPU |
|
| caches</a> implemented in pools. |
|
| <li><a href="https://man.openbsd.org/pthread_mutex_lock.3">Mutex</a>, |
|
| <a href="https://man.openbsd.org/pthread_cond_wait.3">condition-variable</a>, |
|
| <a href="https://man.openbsd.org/pthread_getspecific.3">thread-specific data</a>, |
|
| <a href="https://man.openbsd.org/pthread_once.3">pthread_once(3)</a>, |
|
| and <a href="https://man.openbsd.org/pthread_exit.3">pthread_exit(3)</a> |
|
| routines moved to libc from libpthread for ease of library |
|
| use and compatibility with other OSes. |
|
| <li>Added <a href="https://man.openbsd.org/openpty.3">getptmfd(3)</a>, |
|
| <a href="https://man.openbsd.org/openpty.3">fdopenpty(3)</a>, and |
|
| <a href="https://man.openbsd.org/openpty.3">fdforkpty(3)</a> |
|
| to simplify privilege separation and use of pledge(2). |
|
| <li>Improved computational complexity in various cases of |
|
| <a href="https://man.openbsd.org/strstr.3">strstr(3)</a>, |
|
| <a href="https://man.openbsd.org/qsort.3">qsort(3)</a>, |
|
| and <a href="https://man.openbsd.org/glob.3">glob(3)</a>. |
|
| <li>Added support for <tt>EV_RECEIPT</tt> and <tt>EV_DISPATCH</tt> to |
|
| <a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>. |
|
| <li>Added <a href="https://man.openbsd.org/ktrace.2">fktrace(2)</a>. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>OpenSMTPD 6.0.0 |
<li>OpenSMTPD 6.0.0 |
| <ul> |
<ul> |
| <li>Fix an off-by-one in the config parser that made 65535 an invalid port. |
<li>... |
| <li>Fix a fd leak in the session congestion mechanism. |
|
| <li>Fix a possible crash when relaying with smtps. |
|
| <li>Remove support for the "listen secure" syntax (expicitely define two listeners for tls and smtps instead). |
|
| <li>Remove experimental support for filters. |
|
| <li>Assorted code and documentation cleanups and improvements. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
|
|
| <ul> |
<ul> |
| <li>Security: |
<li>Security: |
| <ul> |
<ul> |
| <li>sftp-server(8): in read-only mode, sftp-server was incorrectly |
<li>... |
| permitting creation of zero-length files. |
|
| </ul> |
</ul> |
| <li>New/changed features: |
<li>New/changed features: |
| <ul> |
<ul> |
| <li>Add RemoteCommand option to specify a command in the |
<li>... |
| <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> |
|
| config file instead of giving it on the client's command |
|
| line. |
|
| The feature allows to automate tasks using ssh config. |
|
| <li>sshd(8): add ExposeAuthInfo option that enables writing details of |
|
| the authentication methods used (including public keys where |
|
| applicable) to a file that is exposed via a $SSH_USER_AUTH |
|
| environment variable in the subsequent session. |
|
| <li>ssh(1): add support for reverse dynamic forwarding. In this mode, |
|
| ssh will act as a SOCKS4/5 proxy and forward connections |
|
| to destinations requested by the remote SOCKS client. This mode |
|
| is requested using extended syntax for the -R and RemoteForward |
|
| options and, because it is implemented solely at the client, |
|
| does not require the server be updated to be supported. |
|
| <li>sshd(8): allow LogLevel directive in sshd_config Match blocks. |
|
| <li>ssh-keygen(1): allow inclusion of arbitrary string or flag |
|
| certificate extensions and critical options. |
|
| <li>ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as |
|
| a CA when signing certificates. |
|
| <li>ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit |
|
| ToS/DSCP value and just use the operating system default. |
|
| <li>ssh-add(1): added -q option to make ssh-add quiet on success. |
|
| <li>ssh(1): expand the StrictHostKeyChecking option with two new |
|
| settings. The first "accept-new" will automatically accept |
|
| hitherto-unseen keys but will refuse connections for changed or |
|
| invalid hostkeys. This is a safer subset of the current behaviour |
|
| of StrictHostKeyChecking=no. The second setting "off", is a synonym |
|
| for the current behaviour of StrictHostKeyChecking=no: accept new |
|
| host keys, and continue connection for hosts with incorrect |
|
| hostkeys. A future release will change the meaning of |
|
| StrictHostKeyChecking=no to the behaviour of "accept-new". |
|
| <li>ssh(1): add SyslogFacility option to ssh(1) matching the equivalent |
|
| option in sshd(8). |
|
| </ul> |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li>ssh(1): use HostKeyAlias if specified instead of hostname for |
<li>... |
| matching host certificate principal names. |
|
| <li>sftp(1): implement sorting for globbed ls. |
|
| <li>ssh(1): add a user@host prefix to client's "Permission denied" |
|
| messages, useful in particular when using "stacked" connections |
|
| (e.g. ssh -J) where it's not clear which host is denying. |
|
| <li>ssh(1): accept unknown EXT_INFO extension values that contain \0 |
|
| characters. These are legal, but would previously cause fatal |
|
| connection errors if received. |
|
| <li>ssh(1)/sshd(8): repair compression statistics printed at |
|
| connection exit. |
|
| <li>sftp(1): print '?' instead of incorrect link count (that the |
|
| protocol doesn't provide) for remote listings. |
|
| <li>ssh(1): return failure rather than fatal() for more cases during |
|
| session multiplexing negotiations. Causes the session to fall back |
|
| to a non-mux connection if they occur. |
|
| <li>ssh(1): mention that the server may send debug messages to explain |
|
| public key authentication problems under some circumstances. |
|
| <li>Translate OpenSSL error codes to better report incorrect passphrase |
|
| errors when loading private keys. |
|
| <li>sshd(8): adjust compatibility patterns for WinSCP to correctly |
|
| identify versions that implement only the legacy DH group exchange |
|
| scheme. |
|
| <li>ssh(1): print the "Killed by signal 1" message only at LogLevel |
|
| verbose so that it is not shown at the default level; prevents it |
|
| from appearing during ssh -J and equivalent ProxyCommand configs. |
|
| <li>ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber |
|
| existing keys if they exist but are zero length. zero-length keys |
|
| could previously be made if ssh-keygen failed or was interrupted part |
|
| way through generating them. |
|
| <li>ssh(1): fix pledge(2) violation in the escape sequence "~&" used to |
|
| place the current session in the background. |
|
| <li>ssh-keyscan(1): avoid double-close() on file descriptors. |
|
| <li>sshd(8): avoid reliance on shared use of pointers shared between |
|
| monitor and child sshd processes. |
|
| <li>sshd_config(8): document available AuthenticationMethods. |
|
| <li>ssh(1): avoid truncation in some login prompts. |
|
| <li>ssh(1): make "--" before the hostname terminate argument processing |
|
| after the hostname too. |
|
| <li>ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting |
|
| new-style private keys. Fixes problems related to private key |
|
| handling for no-OpenSSL builds. |
|
| <li>ssh(1): warn and do not attempt to use keys when the public and |
|
| private halves do not match. |
|
| <li>sftp(1): don't print verbose error message when ssh disconnects |
|
| from under sftp. |
|
| <li>sshd(8): fix keepalive scheduling problem: activity on a forwarded |
|
| port from preventing the keepalive from being sent. |
|
| <li>sshd(8): when started without root privileges, don't require the |
|
| privilege separation user or path to exist. Makes running the |
|
| regression tests easier without touching the filesystem. |
|
| <li>Make integrity.sh regression tests more robust against timeouts. |
|
| <li>ssh(1)/sshd(8): correctness fix for channels implementation: accept |
|
| channel IDs greater than 0x7FFFFFFF. |
|
| </ul> |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>LibreSSL 2.6.3 |
<li>LibreSSL 2.6.3 |
| <ul> |
<ul> |
| <li>Added support for providing CRLs to libtls - once a CRL is provided via |
<li>... |
| <a href="https://man.openbsd.org/tls_config_set_crl_file.3">tls_config_set_crl_file(3)</a> |
|
| or |
|
| <a href="https://man.openbsd.org/tls_config_set_crl_mem.3">tls_config_set_crl_mem(3)</a>, |
|
| CRL checking is enabled and required for the full certificate chain. |
|
| <li>Reworked TLS certificate name verification code to more strictly |
|
| follow RFC 6125. |
|
| <li>Cleaned up and simplified server key exchange EC point handling. |
|
| <li>Removed inconsistent IPv6 handling from BIO_get_accept_socket(), |
|
| simplified BIO_get_host_ip() and BIO_accept(). |
|
| <li>Added definitions for three OIDs used in EV certificates. |
|
| <li>Relaxed SNI validation to allow non-RFC-compliant clients using literal |
|
| IP addresses with SNI to connect to a libtls-based TLS server. |
|
| <li>Added tls_peer_cert_chain_pem() to libtls, useful in private certificate |
|
| validation callbacks such as those in relayd. |
|
| <li>Converted explicit clear/free sequences to use |
|
| <a href="https://man.openbsd.org/freezero.3">freezero(3)</a>. |
|
| <li>Fixed the |
|
| <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
|
| ca command so that it generates certificates with RFC 5280-conformant time. |
|
| <li>Added |
|
| <a href="https://man.openbsd.org/ASN1_TIME_set_tm.3">ASN1_TIME_set_tm(3)</a> |
|
| to set an ASN.1 time from a struct tm *. |
|
| <li>Added |
|
| <a href="https://man.openbsd.org/SSL_CTX_set_min_proto_version.3">SSL{,_CTX}_set_{min,max}_proto_version(3)</a> |
|
| functions. |
|
| <li>Imported HKDF (HMAC Key Derivation Function) from BoringSSL. |
|
| <li>Provided a |
|
| <a href="https://man.openbsd.org/tls_unload_file.3">tls_unload_file(3)</a> |
|
| function that frees the memory returned from a |
|
| <a href="https://man.openbsd.org/tls_load_file.3">tls_load_file(3)</a> |
|
| call, ensuring that the contents become inaccessible. |
|
| <li>Implemented reference counting for libtls tls_config, allowing |
|
| <a href="https://man.openbsd.org/tls_config_free.3">tls_config_free(3)</a> |
|
| to be called as soon as it has been passed to the final |
|
| <a href="https://man.openbsd.org/tls_configure.3">tls_configure(3)</a> |
|
| call, simplifying lifetime tracking for the application. |
|
| <li>Dropped cipher suites using DSS authentication. |
|
| <li>Removed support for DSS/DSA from libssl. |
|
| <li>Distinguish between self-issued certificates and self-signed |
|
| certificates. The certificate verification code has special cases |
|
| for self-signed certificates and without this change, self-issued |
|
| certificates (which it seems are common place with |
|
| openvpn/easyrsa) were also being included in this category. |
|
| <li>Added a new TLS extension handling framework and converted all |
|
| TLS extensions to use it. |
|
| <li>Improved and added many new manpages. Updated |
|
| <a href="https://man.openbsd.org/SSL_CTX_check_private_key.3">SSL_{CTX_,}check_private_key(3)</a> |
|
| manpages with additional cautions regarding their use. |
|
| <li>Cleaned up and simplified EC key/curve configuration handling. |
|
| <li>Added |
|
| <a href="https://man.openbsd.org/tls_config_set_ecdhecurves.3">tls_config_set_ecdhecurves(3)</a> |
|
| to libtls, which allows the names of the elliptical curves that may |
|
| be used during client and server key exchange to be specified. |
|
| <li>Converted more code paths to use CBB/CBS. |
|
| <li>Removed NPN support - NPN was never standardised and the last draft |
|
| expired in October 2012. |
|
| <li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken |
|
| CryptoPro clients. |
|
| <li>Removed support for the TLS padding extension, which was added as a |
|
| workaround for an old bug in F5's TLS termination. |
|
| <li>Added ability to clamp notafter values in certificates for systems |
|
| with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. |
|
| <li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites. |
|
| <li>Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. |
|
| <li>Provide a useful error with libtls if there are no OCSP URLs in a |
|
| peer certificate. |
|
| <li>Keep track of which keypair is in use by a TLS context, fixing a bug |
|
| where a TLS server with SNI would only return the OCSP staple for the |
|
| default keypair. |
|
| <li>If |
|
| <a href="https://man.openbsd.org/tls_config_parse_protocols.3">tls_config_parse_protocols(3)</a> |
|
| is called with a NULL pointer it now |
|
| returns the default protocols. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>mandoc 1.14.3 |
<li>mandoc 1.14.3 |
| <ul> |
<ul> |
| <li>Full <a href="https://man.openbsd.org/mandocdb.5">mandoc.db(5)</a> |
<li>... |
| databases are now enabled by default, allowing semantic searching |
|
| with <a href="https://man.openbsd.org/apropos.1">apropos(1)</a> |
|
| without any local configuration changes. |
|
| <li>Full integration of the former |
|
| <a href="https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress/usr.bin/mdoclint/">mdoclint(1)</a> |
|
| utility into <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> |
|
| <code>-Wall</code>, new <code>-Wstyle</code> and |
|
| <code>-Wopenbsd</code> message levels, and many new messages, |
|
| for example about typos in <code>.Sh</code> lines, |
|
| unknown <code>.Xr</code> targets, and links to self. |
|
| <li>Additional steps unifying the |
|
| <a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a>, |
|
| <a href="https://man.openbsd.org/man.7">man(7)</a>, and |
|
| <a href="https://man.openbsd.org/roff.7">roff(7)</a> parsers: |
|
| use one common data type and |
|
| <a href="https://man.openbsd.org/ohash_init.3">ohash_init(3)</a> |
|
| for all requests and macros and support creation of syntax tree |
|
| nodes in the roff(7) parser, allowing support for many new |
|
| low-level roff(7) features. |
|
| Only about 25 ports still need <code>USE_GROFF</code> now. |
|
| <li>Many improvements to |
|
| <a href="https://man.openbsd.org/tbl.7">tbl(7)</a> |
|
| parsing and formatting, |
|
| including automatic line wrapping inside table columns. |
|
| <li>Many improvements to |
|
| <a href="https://man.openbsd.org/eqn.7">eqn(7)</a> |
|
| parsing and formatting, including better font selection, |
|
| recognition of well-known mathematical function names, and writing |
|
| of <code><mn></code> and <code><mo></code> HTML tags. |
|
| <li>Intelligible rendering of mathematical symbols in |
|
| <code>-Tascii</code> output. |
|
| <li>Several parsing and rendering improvements for the |
|
| <a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a> |
|
| <code>.Lk</code> macro. |
|
| <li>Some CSS improvements in HTML output, in particular for the |
|
| <a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a> |
|
| <code>.Bl</code> macro. |
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to 63.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www