
File: [local] / www / 63.html

Revision 1.88, Wed May 6 13:34:47 2020 UTC (4 years ago) by deraadt
Branch: MAIN
CVS Tags: HEAD
Changes since 1.87: +1 -1 lines

be less different from other similar files

<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>

<title>OpenBSD 6.3</title>
<meta name="description" content="OpenBSD 6.3">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/63.html">

<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.3
</h2>

<table>
<tr>
<td>
<a href="images/Harry.gif">
<img width="227" height="343" src="images/Harry.gif" alt="Harry"></a>
<td>
Released Apr 15, 2018<br>
Copyright 1997-2018, Theo de Raadt.<br>
<br>
<br>
Artwork by Sam Hester.<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.3/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata63.html">the 6.3 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus63.html">detailed log of changes</a> between the
    6.2 and 6.3 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class=signify>
<tr><td>
openbsd-63-base.pub:
<td>
RWRxzbLwAd76ZZxHU7wuIFUOVGwl6SjNNzanKWTql8w+hui7WLE/72mW
<tr><td>
openbsd-63-fw.pub:
<td>
RWT3tdmiAc+DH/CJOxPFT10kUM90/UcLTgSEUEKzhKm9QEhy+UD4CWPy
<tr><td>
openbsd-63-pkg.pub:
<td>
RWT58k1AWz/zZO9DHcPHXiHhDNP6hdwGjxNkyMoc/sh4O5NI8Zz1R1lD
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
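<p>An added example, not part of the original page or of OpenBSD's own tooling: the sketch below decodes the three signify(1) public keys listed above and reports which of them a signature header claims to have been made with. It assumes the signify key layout (2-byte algorithm tag, 8-byte key number, 32-byte Ed25519 key); the function names and the sample signature are constructed for illustration, and the signature itself is still verified only by signify(1).</p>

```python
import base64
from dataclasses import dataclass

# Release keys exactly as printed on this page.
RELEASE_KEYS = {
    "openbsd-63-base.pub": "RWRxzbLwAd76ZZxHU7wuIFUOVGwl6SjNNzanKWTql8w+hui7WLE/72mW",
    "openbsd-63-fw.pub": "RWT3tdmiAc+DH/CJOxPFT10kUM90/UcLTgSEUEKzhKm9QEhy+UD4CWPy",
    "openbsd-63-pkg.pub": "RWT58k1AWz/zZO9DHcPHXiHhDNP6hdwGjxNkyMoc/sh4O5NI8Zz1R1lD",
}

PKALG = b"Ed"      # algorithm tag signify uses for Ed25519
KEYNUM_LEN = 8     # random key number shared by a key pair
PUBKEY_LEN = 32    # Ed25519 public key
SIG_LEN = 64       # Ed25519 signature


@dataclass(frozen=True)
class PubKey:
    keynum: bytes
    key: bytes


def _payload(text):
    """Decode the base64 line of a signify file, or a bare base64 string."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("untrusted comment:"):
        lines = lines[1:]
    if not lines:
        raise ValueError("no base64 payload found")
    # validate=True rejects characters outside the base64 alphabet,
    # which catches most transcription mistakes.
    return base64.b64decode(lines[0], validate=True)


def parse_pubkey(text):
    """Parse a signify public key and check its structure."""
    raw = _payload(text)
    if len(raw) != len(PKALG) + KEYNUM_LEN + PUBKEY_LEN:
        raise ValueError("unexpected public key length: %d" % len(raw))
    if raw[:2] != PKALG:
        raise ValueError("unsupported algorithm tag: %r" % raw[:2])
    return PubKey(keynum=raw[2:10], key=raw[10:])


def sig_keynum(text):
    """Return the key number recorded in a signify signature header."""
    raw = _payload(text)
    if len(raw) != len(PKALG) + KEYNUM_LEN + SIG_LEN:
        raise ValueError("unexpected signature length: %d" % len(raw))
    if raw[:2] != PKALG:
        raise ValueError("unsupported algorithm tag: %r" % raw[:2])
    return raw[2:10]


def key_for_signature(sig_text, keys=RELEASE_KEYS):
    """Name of the release key whose key number matches the signature, or None.

    A match only says which key to hand to signify(1); it proves nothing
    about the signature being valid.
    """
    num = sig_keynum(sig_text)
    for name, b64 in keys.items():
        if parse_pubkey(b64).keynum == num:
            return name
    return None


def constructed_sig(keynum):
    """Constructed sample: a signature header with an all-zero signature body."""
    blob = PKALG + keynum + bytes(SIG_LEN)
    return ("untrusted comment: constructed sample\n"
            + base64.b64encode(blob).decode("ascii") + "\n")


if __name__ == "__main__":
    for name, b64 in RELEASE_KEYS.items():
        print(name, "key number", parse_pubkey(b64).keynum.hex())
    fw = parse_pubkey(RELEASE_KEYS["openbsd-63-fw.pub"])
    print("sample signature claims:", key_for_signature(constructed_sig(fw.keynum)))
```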

<hr>

<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.3.
For a comprehensive list, see the <a href="plus63.html">changelog</a> leading
to 6.3.

<ul>

<li>Improved hardware support, including:
    <ul>
    <li>SMP support on OpenBSD/arm64 platforms.
    <li>VFP and NEON support on OpenBSD/armv7 platforms.
    <li>New <a href="https://man.openbsd.org/acrtc.4">acrtc(4)</a> driver
       for X-Powers AC100 audio codec and Real Time Clock.
    <li>New <a href="https://man.openbsd.org/axppmic.4">axppmic(4)</a> driver
       for X-Powers AXP Power Management ICs.
    <li>New <a href="https://man.openbsd.org/bcmrng.4">bcmrng(4)</a> driver
       for Broadcom BCM2835/BCM2836/BCM2837 random number generator.
    <li>New <a href="https://man.openbsd.org/bcmtemp.4">bcmtemp(4)</a> driver
       for Broadcom BCM2835/BCM2836/BCM2837 temperature monitor.
    <li>New <a href="https://man.openbsd.org/bgw.4">bgw(4)</a> driver
       for Bosch motion sensor.
    <li>New <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> driver
       for Broadcom and Cypress FullMAC 802.11 devices (still experimental and not compiled into the kernel by default).
    <li>New <a href="https://man.openbsd.org/efi.4">efi(4)</a> driver
       for EFI runtime services.
    <li>New <a href="https://man.openbsd.org/imxanatop.4">imxanatop(4)</a> driver
       for i.MX6 integrated regulator.
    <li>New <a href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a> driver
       for Rockchip RK3399 Host/PCIe bridge.
    <li>New <a href="https://man.openbsd.org/sxirsb.4">sxirsb(4)</a> driver
       for Allwinner Reduced Serial Bus controller.
    <li>New <a href="https://man.openbsd.org/sxitemp.4">sxitemp(4)</a> driver
       for Allwinner temperature monitor.
    <li>New <a href="https://man.openbsd.org/sxits.4">sxits(4)</a> driver
       for temperature sensor on Allwinner A10/A20 touchpad controller.
    <li>New <a href="https://man.openbsd.org/sxitwi.4">sxitwi(4)</a> driver
       for two-wire bus found on several Allwinner SoCs.
    <li>New <a href="https://man.openbsd.org/sypwr.4">sypwr(4)</a> driver
       for the Silergy SY8106A regulator.
    <li>Support for Rockchip RK3328 SoCs has been added to the
        <a href="https://man.openbsd.org/dwge.4">dwge(4)</a>,
        <a href="https://man.openbsd.org/rkgrf.4">rkgrf(4)</a>,
	<a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and
	<a href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>
	drivers.
    <li>Support for Rockchip RK3288/RK3328 SoCs has been added to the
        <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a>
	driver.
    <li>Support for Allwinner A10/A20, A23/A33, A80 and R40/V40
        SoCs has been added to the
	<a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a> driver.
    <li>Support for Allwinner A33, GR8 and R40/V40 SoCs has been
        added to the
	<a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a> driver.
    <li>Support for SAS3.5 MegaRAIDs has been added to the
        <a href="https://man.openbsd.org/mfii.4">mfii(4)</a> driver.
    <li>Support for Intel Cannon Lake and Ice Lake integrated Ethernet
        has been added to the
        <a href="https://man.openbsd.org/em.4">em(4)</a> driver.
    <li><a href="https://man.openbsd.org/cnmac.4">cnmac(4)</a> ports are now
        assigned to different CPU cores for distributed interrupt processing.
    <li>The <a href="https://man.openbsd.org/pms.4">pms(4)</a> driver now
        detects and handles reset announcements.
    <li>On amd64, Intel CPU microcode is loaded on boot and installed/updated by
        <a href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
    <li>Support the sun4v hypervisor interrupt cookie API, adding support
        for SPARC T7-1/2/4 machines.
    <li>Hibernate support has been added for SD/MMC storage attached to
        <a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> controllers.
    <li><a href="https://man.openbsd.org/clang.1">clang(1)</a>
        is now used as the system compiler on armv7,
        and it is also provided on sparc64.
    </ul>

<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
    <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> improvements:
    <ul>
    <li>Add CD-ROM/DVD ISO support to <a
        href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> via <a
	href="https://man.openbsd.org/vioscsi.4">vioscsi(4)</a>.
    <li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> no longer
	creates an underlying bridge interface for virtual switches defined in
	<a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>.
    <li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> receives
	switch information (rdomain, etc.) from the underlying switch interface in
	conjunction with settings in <a
	href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>.
    <li>Time Stamp Counter (TSC) support in guest VMs.
    <li>Support ukvm/Solo5 unikernels in
        <a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>.
    <li>Handle valid (but uncommon) instruction encodings better.
    <li>Better PAE paging support for 32-bit Linux guest VMs.
    <li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> now allows up
        to four network interfaces in each VM.
    <li>Add paused migration and snapshotting support to <a
        href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a> for AMD SVM/RVI
        hosts.
    <li>BREAK commands sent over a
     <a href="https://man.openbsd.org/pty.4">pty(4)</a> are now understood by
     <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
    <li>Many fixes to <a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a>
        and <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> error handling.
    </ul>

<li>IEEE 802.11 wireless stack improvements:
    <ul>
    <li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
	<a href="https://man.openbsd.org/iwn.4">iwn(4)</a> drivers will
	automatically roam between access points which share an ESSID.
        Forcing a particular AP's MAC address with ifconfig's <b>bssid</b>
        command disables roaming.
    <li>Automatically clear configured WEP/WPA keys when a new network ESSID
	is configured.
    <li>Removed the ability for userland to read configured WEP/WPA keys back
	from the kernel.
    <li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver can now
	connect to networks with a hidden SSID.
    <li>USB devices supported by the
	<a href="https://man.openbsd.org/athn.4">athn(4)</a> driver
        now use an open source firmware, and hostap mode now works with
	these devices.
    </ul>

<li>Generic network stack improvements:
    <ul>
    <li>The network stack no longer runs with the KERNEL_LOCK() when IPsec is
        enabled.
    <li>Processing of incoming TCP/UDP packets is now done without
        KERNEL_LOCK().
    <li>The socket splicing task runs without KERNEL_LOCK().
    <li>Cleanup and removal of code in sys/netinet6 since autoconfiguration
        runs in userland now.
    <li><a href="https://man.openbsd.org/bridge.4">bridge(4)</a> members can
        now be prevented from talking to each other with the new <b>protected</b>
        option.
    <li>The pf divert-packet feature has been simplified.
	The IP_DIVERTFL socket option has been removed from <a
	href="https://man.openbsd.org/divert.4">divert(4)</a>.
    <li>Various corner cases of pf divert-to and divert-reply are
	more consistent now.
    <li>Enforce in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
	that all neighbor discovery packets have 255 in their IPv6
	header hop limit field.
    <li>New <code>set syncookies</code> option in
        <a href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a>.
    <li>Support for GRE over IPv6.
    <li>New <a href="https://man.openbsd.org/egre.4">egre(4)</a>
        driver for Ethernet over GRE tunnels.
    <li>Support for the optional GRE key header and GRE key entropy in
        <a href="https://man.openbsd.org/gre.4">gre(4)</a> and
        <a href="https://man.openbsd.org/egre.4">egre(4)</a>.
    <li>New <a href="https://man.openbsd.org/nvgre.4">nvgre(4)</a>
        driver for Network Virtualization using Generic Routing Encapsulation.
    <li>Support for configuring the Don't Fragment flag on packets encapsulated
        by tunnel interfaces.
    </ul>

<li>Installer improvements:
    <ul>
    <li>if install.site or upgrade.site fails, notify the user and error out
      after storing rand.seed.
    <li>allow CIDR notation when entering IPv4 and IPv6 addresses.
    <li>repair selection of an HTTP mirror from the list of mirrors.
    <li>allow '-' in usernames.
    <li>ask a question at the end of the install/upgrade process so
      carriage return causes the appropriate action, e.g. reboot.
    <li>display the mode (install or upgrade) in shell prompts as
      long as no hostname is known.
    <li>correctly detect which interface has the default route and if it was
      configured via DHCP.
    <li>ensure sets can be read from the prefetch area.
    <li>ensure URL redirection is effective for entire install/upgrade.
    <li>add the HTTP proxy used when fetching sets to rc.firsttime, where
      fw_update and syspatch can find and use it.
    <li>add logic to support RFC 7217 with SLAAC.
    <li>ensure that IPv6 is configured for dynamically created network
      interfaces like <a href="https://man.openbsd.org/vlan.4">vlan(4)</a>.
    <li>create correct hostname when both domain-name and
      domain-search options are provided in the DHCP lease.
    </ul>

<li>Routing daemons and other userland network improvements:
    <ul>
    <li><a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> has a new
        <b>ssv</b> option which outputs rib entries as a single semicolon-separated
        line for selection before output.
    <li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> generates
        random but stable IPv6 stateless autoconfiguration addresses according
        to RFC 7217.
        These are enabled by default in accordance with RFC 8064.
    <li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> follows
        RFC 4862 by removing an artificial limitation on /64 sized prefixes
        using RFC 7217 (random but stable) and RFC 4941 (privacy) style
        stateless autoconfiguration addresses.
    <li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> can now set the
        metric for a route depending on the status of an interface.
    <li><a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> has a new
        <b>staticarp</b> option to make interfaces reply to ARP requests only.
    <li><a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> can now
        collapse flow outputs having the same source or destination.
    <li>The <code>-n</code> option in
        <a href="https://man.openbsd.org/netstart.8">netstart(8)</a> no longer
        messes with the default route.
        It is now documented as well.
    </ul>

<li>Security improvements:
    <ul>
    <li>Use even more trap-sleds on various architectures.
    <li>More use of .rodata for constant variables in assembly source.
    <li>Stop using x86 "repz ret" in dusty corners of the tree.
    <li>Introduce "execpromises" in
        <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
    <li>The elfrdsetroot utility used to build ramdisks and the
        <a href="https://man.openbsd.org/rebound">rebound(8)</a>
        monitoring process now use
        <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
    <li>Prepare for the introduction of <b>MAP_STACK</b> to
        <a href="https://man.openbsd.org/mmap.2">mmap(2)</a> after 6.3.
    <li>Push a small piece of KARL-linked kernel text into the random
        number generator as entropy at startup.
    <li>Put a small random gap at the top of thread stacks, so that attackers
        have yet another calculation to perform for their ROP work.
    <li>Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs.
    <li>OpenBSD/arm64 now uses kernel page table isolation to mitigate
        Spectre variant 3 (Meltdown) attacks.
    <li>OpenBSD/armv7 and OpenBSD/arm64 now flush the Branch Target Buffer
        (BTB) on processors that do speculative execution to
        mitigate Spectre variant 2 attacks.
    <li><a href="https://man.openbsd.org/pool_get.9">pool_get(9)</a> perturbs
        the order of items on newly allocated pages, making the kernel heap
        layout harder to predict.
    <li>The
        <a href="https://man.openbsd.org/OpenBSD-6.2/ktrace.2">fktrace(2)</a>
        system call was deleted.
    </ul>

<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> improvements:
    <ul>
      <li>Parsing <a href="https://man.openbsd.org/dhclient.conf.5">
	dhclient.conf(5)</a> no longer leaks SSID strings, strings that are
	too long for the parsing buffer or repeated string options and commands.
      <li>Storing leases in <a href="https://man.openbsd.org/dhclient.conf.5">
	  dhclient.conf(5)</a> is no longer supported.
      <li>'DENY' is no longer valid in <a href="https://man.openbsd.org/dhclient.conf.5">
	  dhclient.conf(5)</a>.
      <li><a href="https://man.openbsd.org/dhclient.conf.5">
	  dhclient.conf(5)</a> and
	<a href="https://man.openbsd.org/dhclient.leases.5">
	  dhclient.leases(5)</a>
	parsing error messages have been simplified and clarified, with
	improved behaviour in the presence of unexpected semicolons.
      <li>More care is taken to only use configuration information that was
	successfully parsed.
      <li>'-n' has been added, which causes
	<a href="https://man.openbsd.org/dhclient.8">
	  dhclient(8)</a> to exit after parsing
	<a href="https://man.openbsd.org/dhclient.conf.5">
	  dhclient.conf(5)</a>.
      <li>Default routes in options classless-static-routes (121) and
	classless-ms-static-routes (249) are now correctly represented in
	<a href="https://man.openbsd.org/dhclient.leases.5">
	  dhclient.leases(5)</a> files.
    <li>Overwrite the file specified with '-L' rather than appending to it.
    <li>Leases in <a href="https://man.openbsd.org/dhclient.leases.5">
	dhclient.leases(5)</a> now contain an 'epoch' attribute recording
      the time the lease was accepted, which is used to calculate correct
      renewal, rebinding and expiry times.
    <li>No longer nag about underscores in names violating RFC 952.
    <li>Unconditionally send host-name information when
      requesting a lease, eliminating the need for
	<a href="https://man.openbsd.org/dhclient.conf.5">
	  dhclient.conf(5)</a> in the default installation.
    <li>Be quiet by default. '-q' has been removed and '-v' added to
      enable verbose logging.
    <li>Decline duplicate offers for the requested address.
    <li>Unconditionally go into the background after link-timeout seconds.
    <li>Significantly reduce logging when being quiet, but make '-v' log
      all debug information without needing to compile a custom executable.
    <li>Ignore 'interface' statements in
	<a href="https://man.openbsd.org/dhclient.leases.5">
	  dhclient.leases(5)</a> and assume all leases in the file are
	for the interface being configured.
    <li>Display the source of the lease bound to the interface.
    <li>'ignore', 'request' and 'require' declarations in
	<a href="https://man.openbsd.org/dhclient.conf.5">
	  dhclient.conf(5)</a> now add the specified options to the relevant
	list rather than replacing the list.
    <li>Eliminate a startup race that could result in
	<a href="https://man.openbsd.org/dhclient.8">
	dhclient(8)</a> exiting without configuring the interface.
    </ul>

<li>Assorted improvements:
    <ul>
    <li>Code reorganization and other improvements to
        <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
	and friends to make them more efficient.
    <li>When performing suspend or hibernate operations, ensure all filesystems
        are properly synchronized and marked clean, or if they cannot be
        put into perfectly clean state on disk (due to open+unlinked files)
        then mark them dirty, so that a failed resume/unhibernate is guaranteed
	to perform <a href="https://man.openbsd.org/fsck.8">fsck(8)</a>.
    <li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
        autodetects the agreement URL and follows 30x HTTP redirects.
    <li>Added __cxa_thread_atexit() to support modern C++ tool chains.
    <li>Added EVFILT_DEVICE support to
	<a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a> for
	monitoring changes to
	<a href="https://man.openbsd.org/drm.4">drm(4)</a> devices.
    <li><a href="https://man.openbsd.org/ldexp.3">ldexp(3)</a> now handles
      the sign of denormal numbers correctly on mips64.
    <li>New <a href="https://man.openbsd.org/sincos.3">sincos(3)</a>
        functions in libm.
    <li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now ensures the
      validity of MBR partition offsets entered while editing.
    <li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now ensures that
      default values lie within the valid range.
    <li><a href="https://man.openbsd.org/less.1">less(1)</a> now splits only
      the environment variable LESS on '$'.
    <li><a href="https://man.openbsd.org/less.1">less(1)</a> no longer creates
      a spurious file when encountering '$' in the initial command.
    <li><a href="https://man.openbsd.org/softraid.4">softraid(4)</a> now validates
      the number of chunks when assembling a volume, ensuring the on-disk
      and in-memory metadata are in sync.
    <li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
      always offers to edit an FFS partition's fragment size before offering to
      edit the blocksize.
    <li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
      allows editing the cylinders/group (cpg) attribute whenever the partition
      blocksize can be edited.
    <li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
      detects ^D and invalid input during (R)esize commands.
    <li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
      detects underflows and overflows when -/+ operators are used.
    <li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
      avoids an off-by-one when calculating the number of cylinders in a free
      chunk.
    <li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
      validates the requested partition size against the size of the largest free
      chunk instead of the total free space.
    <li>Support for dumping USB transfers via
        <a href="https://man.openbsd.org/bpf.4">bpf(4)</a>.
    <li><a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> can now
        understand dumps of USB transfers in the
        <a href="http://desowin.org/usbpcap/captureformat.html">USBPcap</a>
        format.
    <li>The default prompts of <a href="https://man.openbsd.org/csh.1">csh(1)</a>,
        <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> and
        <a href="https://man.openbsd.org/sh.1">sh(1)</a> now include the hostname.
    <li>Memory allocation in
        <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> was switched from
        <a href="https://man.openbsd.org/calloc.3">calloc(3)</a> back to
        <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>,
        making it easier to recognize uninitialized memory.
        As a result, a history-related bug in emacs editing mode was discovered
        and fixed.
    <li>New <a href="https://man.openbsd.org/script.1">script(1)</a>
        <code>-c</code> option to run a command instead of a shell.
    <li>New <a href="https://man.openbsd.org/grep.1">grep(1)</a>
        <code>-m</code> option to limit the number of matches.
    <li>New <a href="https://man.openbsd.org/uniq.1">uniq(1)</a>
        <code>-i</code> option for case-insensitive comparison.
    <li>The <a href="https://man.openbsd.org/printf.3">printf(3)</a> format
        string is no longer validated when looking for <code>%</code> formats.
        Based on a commit by Android and following most other operating systems.
    <li>Improved error checking in
        <a href="https://man.openbsd.org/vfwprintf.3">vfwprintf(3)</a>.
    <li>Many base programs have been audited and fixed for stale file descriptors,
        including
        <a href="https://man.openbsd.org/cron.8">cron(8)</a>,
        <a href="https://man.openbsd.org/ftp.1">ftp(1)</a>,
        <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>,
        <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>,
        <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and
        <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
    <li>Various bug fixes and improvements in
        <a href="https://man.openbsd.org/jot.1">jot(1)</a>:
        <ul>
          <li>Arbitrary length limits for the arguments for the
              <code>-b</code>, <code>-s</code>, <code>-w</code> options were removed.
          <li>The <code>%F</code> format specifier is now supported and a bug
              in the <code>%D</code> format was fixed.
          <li>Better code coverage in regression tests.
          <li>Several buffer overruns were fixed.
        </ul>
    <li>The <a href="https://man.openbsd.org/patch.1">patch(1)</a> utility now
        copes better with git diffs that create or delete files.
    <li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>
	now has improved support for HTTP(S) redirectors such as
	<i>cdn.openbsd.org</i>.
    <li><a href="https://man.openbsd.org/ftp.1">ftp(1)</a> and
	<a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>
	now support HTTPS session resumption for improved speed.
    <li><a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
        <code>-T ps</code> output file size reduced by more than 50%.
    <li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
	logs if there were warnings during startup.
    <li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
	previously stopped logging to files in a full filesystem.  Now it
	writes a warning and continues after space has been made
	available.
    <li><a href="https://man.openbsd.org/vmt.4">vmt(4)</a> now allows cloning and
      taking disk-only snapshots of running guests.
    </ul>

<li>OpenSMTPD 6.0.4
    <ul>
    <li>Add <b>spf walk</b> option to
      <a href="https://man.openbsd.org/smtpctl.8">smtpctl(8)</a>.
    <li>Assorted cleanups and improvements.
    <li>Numerous manual page fixes and improvements.
    </ul>

<li>OpenSSH 7.7
    <ul>
    <li>New/changed features:
      <ul>
      <li>All: Add experimental support for PQC XMSS keys (Extended
          Hash-Based Signatures) based on the algorithm described in
          draft-irtf-cfrg-xmss-hash-based-signatures-12
          (https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12).
          The XMSS signature code is experimental and not compiled in by
          default.
      <li>sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword
          to allow conditional configuration that depends on which routing
          domain a connection was received on (currently supported on OpenBSD
          and Linux).
      <li>sshd_config(5): Add an optional rdomain qualifier to the
          ListenAddress directive to allow listening on different routing
          domains. This is supported only on OpenBSD and Linux at present.
      <li>sshd_config(5): Add RDomain directive to allow the authenticated
          session to be placed in an explicit routing domain. This is only
          supported on OpenBSD at present.
      <li>sshd(8): Add "expiry-time" option for authorized_keys files to
          allow for expiring keys.
      <li>ssh(1): Add a BindInterface option to allow binding the outgoing
          connection to an interface's address (basically a more usable
          BindAddress).
      <li>ssh(1): Expose device allocated for tun/tap forwarding via a new
          %T expansion for LocalCommand. This allows LocalCommand to be used
          to prepare the interface.
      <li>sshd(8): Expose the device allocated for tun/tap forwarding via a
          new SSH_TUNNEL environment variable. This allows automatic setup of
          the interface and surrounding network configuration on the server.
      <li>ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
          ssh://user@host or sftp://user@host/path.  Additional connection
          parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
          implemented since the ssh fingerprint format in the draft uses the
          deprecated MD5 hash with no way to specify any other algorithm.
      <li>ssh-keygen(1): Allow certificate validity intervals that specify
          only a start or stop time (instead of both or neither).
      <li>sftp(1): Allow "cd" and "lcd" commands with no explicit path
          argument. lcd will change to the local user's home directory as
          usual. cd will change to the starting directory for the session (because
          the protocol offers no way to obtain the remote user's home
          directory). bz#2760
      <li>sshd(8): When doing a config test with sshd -T, only require the
          attributes that are actually used in Match criteria rather than (an
          incomplete list of) all criteria.
      </ul>
    <li>The following significant bugs have been fixed in this release:
      <ul>
      <li>ssh(1)/sshd(8): More strictly check signature types during key
          exchange against what was negotiated. Prevents downgrade of RSA
          signatures made with SHA-256/512 to SHA-1.
      <li>sshd(8): Fix support for clients that advertise a protocol version
          of "1.99" (indicating that they are prepared to accept both SSHv1 and
          SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
          support. bz#2810
      <li>ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
          a rsa-sha2-256/512 signature was requested. This condition is possible
          when an old or non-OpenSSH agent is in use. bz#2799
      <li>ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
          to fatally exit if presented an invalid signature request message.
      <li>sshd_config(5): Accept yes/no flag options case-insensitively, as
          has been the case in ssh_config(5) for a long time. bz#2664
      <li>ssh(1): Improve error reporting for failures during connection.
          Under some circumstances misleading errors were being shown. bz#2814
      <li>ssh-keyscan(1): Add -D option to allow printing of results directly
          in SSHFP format. bz#2821
      <li>regress tests: fix PuTTY interop test broken in last release's SSHv1
          removal. bz#2823
      <li>ssh(1): Compatibility fix for some servers that erroneously drop the
          connection when the IUTF8 (RFC8160) option is sent.
      <li>scp(1): Disable RemoteCommand and RequestTTY in the ssh session
          started by scp (sftp was already doing this.)
      <li>ssh-keygen(1): Refuse to create a certificate with an unusable
          number of principals.
      <li>ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
          public key during key generation. Previously it would silently
          ignore errors writing the comment and terminating newline.
      <li>ssh(1): Do not modify hostname arguments that are addresses by
          automatically forcing them to lower-case. Instead canonicalise them
          to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
          against known_hosts. bz#2763
      <li>ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
          prompts. bz#2803
      <li>sftp(1): Have sftp print a warning about shell cleanliness when
          decoding the first packet fails, which is usually caused by shells
          polluting stdout of non-interactive startups. bz#2800
      <li>ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
          time to monotonic time, allowing the packet layer to better function
          over a clock step and avoiding possible integer overflows during
          steps.
      <li>Numerous manual page fixes and improvements.
      </ul>
    </ul>
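<p>An added example, not part of the original release notes or of OpenSSH: an audit of an authorized_keys file for the "expiry-time" option introduced above. It assumes the time formats documented in sshd(8) (YYYYMMDD or YYYYMMDDHHMM[SS], in the system time zone); the function names are hypothetical and the sample file, including its placeholder key blobs, is constructed.</p>

```python
from datetime import datetime

KEYTYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
EXPIRY_FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3placeholder1 alice@example
expiry-time="20180601" ssh-ed25519 AAAAC3placeholder2 contractor@example
command="/usr/bin/backup, nightly",expiry-time="201812312359" ssh-rsa AAAAB3placeholder3 backup@example
expiry-time="2018-06-01",no-pty ssh-ed25519 AAAAC3placeholder4 typo@example
'''


def split_options(line):
    """Split one authorized_keys line into (options dict, remainder).

    Options are comma-separated; spaces and commas are only allowed inside
    double quotes. If an option repeats, this sketch keeps the last value.
    """
    line = line.strip()
    if line.startswith(KEYTYPE_PREFIXES):
        return {}, line                      # no options field present
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and line[i + 1:i + 2] == '"':
            buf.append('"')                  # escaped quote inside a value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(buf))
            buf = []
        elif c in " \t" and not in_quote:
            break                            # end of the options field
        else:
            buf.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in options")
    opts.append("".join(buf))
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value         # option names are case-insensitive
    return parsed, line[i:].strip()


def parse_expiry(spec):
    """Parse an expiry-time value into a naive local datetime."""
    fmt = EXPIRY_FORMATS.get(len(spec))
    if fmt is None or not spec.isdigit():
        raise ValueError("unrecognised expiry-time: %r" % spec)
    return datetime.strptime(spec, fmt)


def audit(text, now):
    """Return (line number, status, comment) for every key line.

    status is one of: no-expiry, valid, expired, bad-expiry, malformed.
    A key is treated as expired once its expiry time has passed.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            opts, rest = split_options(line)
        except ValueError:
            findings.append((lineno, "malformed", ""))
            continue
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        spec = opts.get("expiry-time")
        if spec is None:
            status = "no-expiry"
        else:
            try:
                status = "expired" if parse_expiry(spec) < now else "valid"
            except ValueError:
                status = "bad-expiry"
        findings.append((lineno, status, comment))
    return findings


if __name__ == "__main__":
    for lineno, status, comment in audit(SAMPLE, datetime(2018, 7, 1)):
        print("line %d: %-10s %s" % (lineno, status, comment))
```

<p>Lines reported as no-expiry or bad-expiry are the ones to review by hand: the first never lapses, and the second carries a value that is not in either documented format.</p>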

<li>LibreSSL 2.7.2
   <ul>
   <li> Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
   observations of real-world usage in applications. These are
   implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
   changes have not been made to existing structs, allowing code written
   for older OpenSSL APIs to continue working.
   <li> Extensive corrections, improvements, and additions to the
   API documentation, including new public APIs from OpenSSL that had
   no pre-existing documentation.
   <li> Added support for automatic library initialization in libcrypto,
   libssl, and libtls. Support for pthread_once or a compatible
   equivalent is now required of the target operating system. As a
   side-effect, minimum Windows support is Vista or higher.
   <li> Converted more packet handling methods to CBB, which improves
   resiliency when generating TLS messages.
   <li> Completed TLS extension handling rewrite, improving consistency of
   checks for malformed and duplicate extensions.
   <li>Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
   This removes the last remaining use of the old M_ASN1_* macros
   (asn1_mac.h) from API that needs to continue to exist.
   <li> Added support for client-side session resumption in libtls.
   A libtls client can specify a session file descriptor (a regular
   file with appropriate ownership and permissions) and libtls will
   manage reading and writing of session data across TLS handshakes.
   <li> Improved support for strict alignment on ARMv7 architectures,
   conditionally enabling assembly in those cases.
   <li> Fixed a memory leak in libtls when reusing a tls_config.
   <li> Merged more DTLS support into the regular TLS code path, removing
   duplicated code.
   </ul>
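   <p>An added example, not LibreSSL code, for the client-side session
   resumption item above: a pre-flight check a libtls client could run on its
   session file before passing the descriptor to
   <code>tls_config_set_session_fd()</code>. It does not link against libtls;
   the helper names, the default file name and the reading of "appropriate
   permissions" as exactly mode 0600 are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Check an open descriptor against the properties the release note asks of a
 * session file. Returns 0 if acceptable, -1 otherwise. Requiring exactly
 * mode 0600 is this example's assumption of "appropriate permissions". */
static int session_fd_ok(int fd)
{
    struct stat sb;

    if (fstat(fd, &sb) == -1)
        return -1;
    if (!S_ISREG(sb.st_mode))           /* no FIFOs, devices, directories */
        return -1;
    if (sb.st_uid != getuid())          /* must belong to the calling user */
        return -1;
    if ((sb.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) != (S_IRUSR | S_IWUSR))
        return -1;                      /* group/other access or odd user bits */
    return 0;
}

/* Open (creating if needed) a per-user session file and vet it. O_NOFOLLOW
 * refuses a symlink planted at the path. Returns the descriptor or -1. */
static int open_session_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);

    if (fd != -1 && session_fd_ok(fd) == -1) {
        close(fd);
        fd = -1;
    }
    return fd;   /* on success, pass to tls_config_set_session_fd(config, fd) */
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "tls-session.bin"; /* hypothetical */
    int fd = open_session_file(path);

    printf("%s: %s\n", path, fd == -1 ? "rejected" : "usable as session fd");
    return fd == -1;
}
```

   <p>Session data lets a peer resume a TLS session, so a file that other
   users can read or replace should be rejected rather than repaired in place.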

<li><p>Ports and packages:
    <ul>
      <li><a href="https://man.openbsd.org/dpb.1">dpb(1)</a> and normal
	  <a href="https://man.openbsd.org/ports.7">ports(7)</a> can
	  now enjoy the same privilege-separated model by setting
	  <code>PORTS_PRIVSEP=Yes</code>.
    </ul>

    <p>Many pre-built packages for each architecture:
    <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
    <ul style="column-count: 4">
      <li>aarch64:    7990
      <li>alpha:         1
      <li>amd64:      9912
      <li>arm:        6582
      <li>i386:       9861
      <li>mips64:     8149
      <li>mips64el:   8254
      <li>powerpc:    8809
      <li>sh:            1
      <li>sparc64:    8401
    </ul>

    <p>Some highlights:
    <ul style="column-count: 2">
	<li>AFL 2.52b
	<li>CMake 3.10.2
	<li>Chromium 65.0.3325.181
	<li>Emacs 21.4 and 25.3
	<li>GCC 4.9.4
	<li>GHC 8.2.2
	<li>Gimp 2.8.22
	<li>GNOME 3.26.2
	<li>Go 1.10
	<li>Groff 1.22.3
	<li>JDK 8u144
	<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
	<li>LLVM/Clang 5.0.1
	<li>LibreOffice 6.0.2.1
	<li>Lua 5.1.5, 5.2.4 and 5.3.4
	<li>MariaDB 10.0.34
	<li>Mozilla Firefox 52.7.3esr and 59.0.2
	<li>Mozilla Thunderbird 52.7.0
	<li>Mutt 1.9.4 and NeoMutt 20180223
	<li>Node.js 8.9.4
	<li>OCaml 4.03.0
	<li>OpenLDAP 2.3.43 and 2.4.45
	<li>PHP 5.6.34 and 7.0.28
	<li>Postfix 3.3.0 and 3.4-20180203
	<li>PostgreSQL 10.3
	<li>Python 2.7.14 and 3.6.4
	<li>R 3.4.4
	<li>Ruby 2.3.6, 2.4.3 and 2.5.0
	<li>Rust 1.24.0
	<li>Sendmail 8.16.0.21
	<li>SQLite3 3.22.0
	<li>Sudo 1.8.22
	<li>Tcl/Tk 8.5.19 and 8.6.8
	<li>TeX Live 2017
	<li>Vim 8.0.1589
	<li>Xfce 4.12
    </ul>

<li>As usual, steady improvements in manual pages and other documentation.

<li>The system includes the following major components from outside suppliers:
    <ul>
    <li>Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches,
      freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
      xkeyboard-config 2.20 and more)
    <li>LLVM/Clang 5.0.1 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.24.3 (+ patches)
    <li>NSD 4.1.20
    <li>Unbound 1.6.8
    <li>Ncurses 5.7
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk Aug 10, 2011 version
    <li>Expat 2.2.5
    </ul>
</ul>
</section>

<hr>

<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.3 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/alpha/INSTALL.alpha">
	.../OpenBSD/6.3/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/INSTALL.amd64">
	.../OpenBSD/6.3/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/arm64/INSTALL.arm64">
	.../OpenBSD/6.3/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/armv7/INSTALL.armv7">
	.../OpenBSD/6.3/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/hppa/INSTALL.hppa">
	.../OpenBSD/6.3/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/i386/INSTALL.i386">
	.../OpenBSD/6.3/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/landisk/INSTALL.landisk">
	.../OpenBSD/6.3/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/loongson/INSTALL.loongson">
	.../OpenBSD/6.3/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/luna88k/INSTALL.luna88k">
	.../OpenBSD/6.3/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/macppc/INSTALL.macppc">
	.../OpenBSD/6.3/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/octeon/INSTALL.octeon">
	.../OpenBSD/6.3/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/sgi/INSTALL.sgi">
	.../OpenBSD/6.3/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/sparc64/INSTALL.sparc64">
	.../OpenBSD/6.3/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
Write <i>floppy63.fs</i> or <i>floppyB63.fs</i> (depending on your machine)
to a diskette and enter <i>boot dva0</i>.
Refer to INSTALL.alpha for more details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install63.iso</i> or
<i>cd63.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install63.fs</i> or
<i>miniroot63.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
Write <i>miniroot63.fs</i> to a disk and boot from it after connecting
to the serial console.  Refer to INSTALL.arm64 for more details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install63.iso</i> or
<i>cd63.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install63.fs</i> or
<i>miniroot63.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot63.fs</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot63.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.3/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/sgi:</h3>

<p>
To install, burn cd63.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.

<p>
If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy63.fs</i> or <i>floppyB63.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot63.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.2 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade63.html">Upgrade Guide</a>.
</section>

<hr>

<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are regular CVS checkouts.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_3</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.3 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know about.
</section>