version 1.85, 2018/10/17 07:48:17 |
version 1.86, 2018/10/17 10:42:19 |
|
|
<li>New <a href="https://man.openbsd.org/acpipci.4">acpipci(4/arm64)</a> |
<li>New <a href="https://man.openbsd.org/acpipci.4">acpipci(4/arm64)</a> |
driver providing support for PCI host bridges |
driver providing support for PCI host bridges |
based on information provided by ACPI. |
based on information provided by ACPI. |
<li>New |
<li>New |
<a href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>, |
<a href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>, |
<a href="https://man.openbsd.org/mvgpio.4">mvgpio(4)</a>, |
<a href="https://man.openbsd.org/mvgpio.4">mvgpio(4)</a>, |
<a href="https://man.openbsd.org/mvicu.4">mvicu(4)</a>, |
<a href="https://man.openbsd.org/mvicu.4">mvicu(4)</a>, |
|
|
and in assembly files on amd64 and i386. |
and in assembly files on amd64 and i386. |
<li>Added SpectreRSB mitigation on amd64. |
<li>Added SpectreRSB mitigation on amd64. |
<li>Added Intel L1 Terminal Fault mitigation on amd64. |
<li>Added Intel L1 Terminal Fault mitigation on amd64. |
<li>When available, PCIDs are used on amd64 to separate user |
<li>When available, PCIDs are used on amd64 to separate user |
and kernel thread TLB entries. |
and kernel thread TLB entries. |
<li>Meltdown mitigation was added to i386. |
<li>Meltdown mitigation was added to i386. |
<li>amd64 now uses eager-FPU switching to prevent FPU state |
<li>amd64 now uses eager-FPU switching to prevent FPU state |
|
|
bound into an alternate routing domain. |
bound into an alternate routing domain. |
<li><a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> is |
<li><a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> is |
now pledged. |
now pledged. |
<li>Prevent <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and |
<li>Prevent <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and |
<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> from being |
<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> from being |
started more than once (in the same routing domain). |
started more than once (in the same routing domain). |
<li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> is now fully |
<li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> is now fully |
pledged. |
pledged. |
|
|
improved the rounding of partition offsets and |
improved the rounding of partition offsets and |
sizes to cylinder boundaries. |
sizes to cylinder boundaries. |
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> |
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> |
now range checks all user input. |
now range checks all user input. |
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> |
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> |
no longer allows FS_RAID partitions to be given a mount point. |
no longer allows FS_RAID partitions to be given a mount point. |
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> |
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> |
|
|
now handles terminfo colors greater than 256 correctly. |
now handles terminfo colors greater than 256 correctly. |
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> |
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> |
now supports client certificate authentication. |
now supports client certificate authentication. |
<li>Numerous improvements to the |
<li>Numerous improvements to the |
<a href="https://man.openbsd.org/fuse.4">fuse(4)</a> subsystem. |
<a href="https://man.openbsd.org/fuse.4">fuse(4)</a> subsystem. |
<li>Improvements to the way the kernel searches for available |
<li>Improvements to the way the kernel searches for available |
memory to satisfy anonymous |
memory to satisfy anonymous |
|
|
authentication log messages. |
authentication log messages. |
</ul> |
</ul> |
<li>Non-exhaustive list of bug fixes: |
<li>Non-exhaustive list of bug fixes: |
<ul> |
<ul> |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>: |
<a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
<a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
avoid spurious "invalid format" errors when attempting to load |
avoid spurious "invalid format" errors when attempting to load |
|
|
from OpenSSH <7.8. |
from OpenSSH <7.8. |
</ul> |
</ul> |
</ul> |
</ul> |
|
|
<p> |
<p> |
|
|
<li>LibreSSL 2.8.2 |
<li>LibreSSL 2.8.2 |
<ul> |
<ul> |
<li>X509 verification was made more strict so |
<li>API and Documentation Enhancements |
<a href="https://man.openbsd.org/X509_VERIFY_PARAM_set_flags.3">X509_VERIFY_PARAM</a> |
<ul> |
host, ip or email failure will cause future |
<li>X509 verification is now more strict so |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert</a> |
<a href="https://man.openbsd.org/X509_VERIFY_PARAM_set_flags.3">X509_VERIFY_PARAM</a> |
calls to fail. |
host, ip or email failure will cause future |
<li>Support for single DES cipher suites has been removed. |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert</a> |
<li>Support for RSASSA-PKCS1-v1_5 (RFC 8017) was added to |
calls to fail. |
<a href="https://man.openbsd.org/man3/RSA_sign.3">RSA_sign(3)</a> |
<li>Support for single DES cipher suites is removed. |
|
<li>Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to |
|
<a href="https://man.openbsd.org/man3/RSA_sign.3">RSA_sign(3)</a> |
|
<li>Modified signature of CRYPTO_mem_leaks_* to return -1. This function |
|
is a no-op in LibreSSL, so this function returns an error to not |
|
indicate the (non-)existence of memory leaks. |
|
<li>SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, |
|
X509_OBJECT_up_ref_count now return an int for error handling, |
|
matching OpenSSL. |
|
<li>Converted a number of #defines into proper functions, matching |
|
OpenSSL's ABI. |
|
<li>Added X509_get0_serialNumber from OpenSSL. |
|
<li>Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding |
|
PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching |
|
OpenSSL. |
|
<li>Removed broken pkcs8 formats from openssl(1). |
|
<li>Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. |
|
<li>Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be |
|
retrieved and set with appropriate validation. |
|
<li>Extensive documentation updates and additional API history. |
|
<li>Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. |
|
<li>Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers |
|
and matching OpenSSL behavior, rewrote ENGINE_* documentation. |
|
<li>Added const annotations to many existing APIs from OpenSSL, making |
|
interoperability easier for downstream applications. |
|
<li>Documented security pitfalls with BN_FLG_CONSTTIME and constant-time |
|
operation of BN_* functions. |
|
</ul> |
|
<li>Testing and Proactive Security |
|
<ul> |
|
<li>Added Wycheproof test support for ECDH, RSASSA-PSS, AES-GCM, |
|
AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and |
|
X25519 test vectors. Applied appropriate fixes for errors uncovered by |
|
tests. |
|
<li>Added more cipher tests, including all TLSv1.2 ciphers. |
|
<li>Added a blinding value when generating DSA and ECDSA signatures, in |
|
order to reduce the possibility of a side-channel attack leaking the |
|
private key. |
|
<li>Added timing-safe compares for checking results of signature |
|
verification. |
|
<li>Added ECC constant time scalar multiplication support. |
|
From Billy Brumley and his team at Tampere University of Technology. |
|
</ul> |
|
|
|
<li>Internal Improvements |
|
<ul> |
|
<li>Simplified key exchange signature generation and verification. |
|
<li>Converted more code paths to use CBB/CBS. All handshake messages are |
|
now created by CBB. RSA key exchange is simplified and uses dedicated |
|
buffers for secrets. |
|
<li>Simplified session ticket parsing and handling, inspired by |
|
BoringSSL. |
|
<li>Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the |
|
EVP_AEAD interface. |
|
<li>Stopped using composite EVP_CIPHER AEADs. |
|
<li>Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and |
|
SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. |
|
<li>Updated BN_clear to use explicit_bzero. |
|
<li>Cleaned up BN_* implementations following changes made in OpenSSL by |
|
Davide Galassi and others. |
|
<li>Revised the implementation of RSASSA-PKCS1-v1_5 to match the |
|
specification in RFC 8017. Based on an OpenSSL commit by David |
|
Benjamin. |
|
</ul> |
|
|
|
<li>Bug Fixes |
|
<ul> |
|
<li>Fixed a one-byte buffer overrun in callers of EVP_read_pw_string |
|
<li>Fixed various memory leaks found by Coverity. |
|
<li>Converted more functions in public API to use const arguments. |
|
<li>Correctly clear the current cipher state, when changing cipher state. |
|
This fixed an issue where renegotion of cipher suites would fail |
|
when switched from AEAD to non-AEAD or vice-versa. |
|
Issue reported by Bernard Spil. |
|
<li>Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry |
|
<li>Fixed a potential memory leak on failure in ASN1_item_digest |
|
<li>Fixed a potential memory alignment crash in asn1_item_combine_free |
|
<li>Fixed small timing side-channels in ecdsa_sign_setup and |
|
dsa_sign_setup. |
|
<li>Added a missing bounds check in c2i_ASN1_BIT_STRING. |
|
<li>Fixed a potential leak/incorrect return value in DSA signature |
|
generation. |
|
</ul> |
</ul> |
</ul> |
<p> |
<p> |
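Review bot: Two typos in the added LibreSSL 2.8.2 entries need fixing: under Internal Improvements, "Stopped handing AES-GCM in ssl_cipher_get_evp" should read "handling", and under Bug Fixes, "renegotion of cipher suites" should read "renegotiation". In the API list, "Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL" is missing "and" between the two function names. The three carried-over items were reworded to present tense ("is now more strict", "is removed", "is added") while every newly added item uses past tense ("Added", "Removed", "Fixed"); one tense throughout would read better. "Converted more functions in public API to use const arguments" is filed under Bug Fixes but overlaps the "Added const annotations to many existing APIs" item under API and Documentation Enhancements, so it could be merged there. The CRYPTO_mem_leaks_* item says "This function is a no-op in LibreSSL, so this function returns an error to not indicate the (non-)existence of memory leaks", which repeats "this function" and is hard to parse; a shorter wording would help. Several Bug Fixes items (EVP_read_pw_string, X509_NAME_add_entry, ASN1_item_digest, asn1_item_combine_free) end without the period the other items carry.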
|
|
|
|
<li><a href="https://man.openbsd.org/update-plist.1">update-plist(1)</a> |
<li><a href="https://man.openbsd.org/update-plist.1">update-plist(1)</a> |
has been entirely rewritten and now figures out MULTI_PACKAGES and |
has been entirely rewritten and now figures out MULTI_PACKAGES and |
variable substitution almost 100%. |
variable substitution almost 100%. |
<li>New packages now run maintenance database tools like |
<li>New packages now run maintenance database tools like |
update-desktop-database just once instead of after |
update-desktop-database just once instead of after |
every package addition/removal. |
every package addition/removal. |
</ul> |
</ul> |
<dl> |
<dl> |
|
|
<ul> |
<ul> |
<li>aarch64: 8319 |
<li>aarch64: 8319 |
<li>amd64: 10304 |
<li>amd64: 10304 |
<li>arm: |
<li>arm: |
</ul></td><td valign=top width="25%"><ul> |
</ul></td><td valign=top width="25%"><ul> |
<li>i386: 10230 |
<li>i386: 10230 |
<li>mips64: |
<li>mips64: |
<li>mips64el: |
<li>mips64el: |
</ul></td><td valign=top width="25%"><ul> |
</ul></td><td valign=top width="25%"><ul> |
<li>powerpc: |
<li>powerpc: |
<li>sparc64: |
<li>sparc64: |
</ul></td></tr></table> |
</ul></td></tr></table> |
<p> |
<p> |