===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/66.html,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- www/66.html 2019/09/29 10:15:00 1.20
+++ www/66.html 2019/09/29 18:44:10 1.21
@@ -17,14 +17,14 @@
-
-
+
+
|
Released XXX, 2019
Copyright 1997-2019, Theo de Raadt.
-Artwork by Hans Tseng, Efrain Farias, and Natasha Allegri.
+Artwork by XXX Y Z.
|
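Review bot: the added line "Artwork by XXX Y Z." replaces the named artists with a placeholder, and the unchanged "Released XXX, 2019" line above it is also still a placeholder. Both need real values before this revision is published; otherwise keep the previous credit line until the 6.6 artwork credits are known.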
@@ -76,77 +76,547 @@
+- General improvements and bugfixes::
+
+ - Fixed support for amd64 machines with greater than 1023GB
+ physical memory.
+
- drm(4) updates.
+
- The powerpc and octeon architectures are now build with
+ clang(1), in
+ addition to aarch64, amd64, arm, i386, mips64el, sparc64.
+
- Disabled gcc in
+ base on armv7 and i386.
+
- Prevented dhclient(8)
+ from repeatedly obtaining a new lease when the mtu is given in a
+ lease.
+
- Prevented more than one thread from opening a
+ wscons(4) device in
+ read/write mode.
+
- Allowed non-root users to become owner of the
+ drm(4) device when they are
+ the first to open it.
+
- Added regular expression support for the format search, match
+ and substitute modifiers in
+ tmux(1).
+
- Added a -v flag to source-file in
+ tmux(1) to show the commands
+ and line numbers.
+
- Added simple menus usable with mouse or keyboard in
+ tmux(1).
+ Introduced the command "display-menu" to show a menu bound to
+ the mouse on status line by default, and added menus in tree,
+ client and buffer modes.
+
- Changed the behavior of swap-window -d in
+ tmux(1) to match
+ swap-pane.
+
- Allow panes to be empty in
+ tmux(1), and
+ enabling output to be piped to them with split-window or
+ display-message -I.
+
- Adjusted tmux(1)
+ to automatically scroll when dragging to create a selection with
+ the mouse when the cursor reaches the top or bottom line.
+
- Fixed a tmux(1)
+ crash when killing the current window, and other bugfixes.
+
+
+ - SMP-Improvements, System call unlocking: ...
+
+
- Improved hardware support, including:
-
- - clang(1)
- is now provided on powerpc.
-
+
+ - Added support for ethernet on Lenovo USB-C docks.
+
- Implemented Linux compatibility
+ acpi(4)
+ interfaces and enabled the ACPI support code in
+ radeon(4) and
+ amdgpu(4).
+
- Implemented backlight control for
+ amdgpu(4), allowing setting
+ of the backlight using
+ wsconsctl(8).
+
- Speakers now work on the ThinkPad X1C7.
+
- Added amdgpu(4), an AMD
+ RADEON GPU video driver.
+
- Added TSC synchronization for multiprocessor machines and re-enabled TSC
+ as the default amd64 time source.
+
- Added support of Realtek ALC285 in
+ azalia(4).
+
- Added uvideo(4) support
+ for the KSMedia 8-bit IR format and for dual functions on integrated USB
+ cameras.
+
- Added the aplgpio(4)
+ driver for the gpio controllers on Intel's Apollo Lake SoC.
+
- Implemented MSI-X support on sparc64.
+
- Skipped PCI host bridges and devices not present with
+ acpi(1) when establishing
+ the mapping between ACPI device nodes and PCI devices.
+
- Added the ukspan(4)
+ driver for the Keyspan USA19HS USB serial adapter.
+
- Supported 64BIT DMA for io in
+ mpii(4).
+
- Fixed MSI/MSI-X on arm64 machines with
+ agintc(4).
+
- Added MSI-X support in
+ acpipci(4), pciecam,
+ dwpcie(4) and
+ rkpcie(4).
+
- Improved support for type4 devices in the
+ ubcmtp(4) multi-touch
+ trackpad driver.
+
- Support for virtio(4) 1.0
+ specification for PCI devices.
+
- Improved support for the AR9271 chipset
+ in athn(4) .
+
- Support for the trackpad and trackpoint of the Dell Precision 7520
+ laptop in the dwiic(4)
+ driver.
+
- Added the colemak keyboard layout.
+
- New fusbtc(4)
+ driver for the Fairchild FUSB302 USB Type-C controller.
+
- Added a fallback to
+ ehci(4)
+ which enables the USB ports on the RockPro64.
+
- Added support for more Intel 300 Series PCH devices to
+ ichiic(4).
+
- Added mcx(4) driver for
+ Mellanox ConnectX-4 (and later) Ethernet controllers.
+
- Added support for the cryptographic coprocessor found on newer
+ AMD Ryzen CPUs/APUs.
+
- Improved the envy(4) codec
+ API and used it on ESI Juli@ cards.
+
- Enabled EnvyHT-specific sample rates (above 96kHz) on the host
+ controller for envy(4)
+ devices.
+
- Added support for the USB serial adapter found in Juniper SRX 300 to
+ uslcom(4).
+
- Updated shared drm code,
+ inteldrm(4)
+ and radeondrm(4)
+ to linux 4.19.34. This adds support for Intel Broxton/Apollo
+ Lake, Amber Lake, Gemini Lake, Coffee Lake, Whiskey Lake, Cannon
+ Lake and Ice Lake hardware.
+
- Made startx(1) and
+ xinit(1) work again on
+ modern systems using
+ inteldrm(4),
+ radeondrm(4)
+ and amdgpu(4).
+
- Added mcprtc(4), a driver
+ for the Microchip MCP79400 RTC and similar.
+
- Added I2C clock gates to
+ mvclock(4).
+
- Added support for MSI-X to
+ bnxt(4).
+
- Added octpip(4), a driver
+ for the Octeon packet input processing unit.
+
- Added the octiic(4)
+ driver for OCTEON two-wire serial interfaces.
+
- Enabled nvme(4) on octeon.
+
- Added octpcie(4), a
+ driver for the PCIe controller found on OCTEON II and OCTEON III.
+
- Added the octiic(4)
+ driver for OCTEON two-wire serial interfaces.
+
- Fixed random kernel hangs on
+ some sparc64
+ machines by blocking interrupts while sending an IPI on sunv4
+ (as on sun4u).
+
+ - Improved arm64 hardware
+ support, including:
+
+ - Added support for Ampere eMAG CPU based systems.
+
- Added support to amlclock(4)
+ for obtaining CPU clock frequency.
+
- Enabled amlmmc(4), a
+ driver for the SD/MMC controller found on various Amlogic SoCs.
+
- Implemented setting the CPU clock for Allwinner A64 SoCs in
+ sxiccmu(4).
+
- Added amldwusb(4),
+ amlusbphy(4) and
+ amlpciephy(4), drivers
+ for the USB controller and PHYs on the Amlogic G12A/B SoCs.
+
- Added imxtmu(4), a driver
+ to upport the temperature sensors on i.MX8M SoCs.
+
- Added amlrng(4), a simple
+ random number generator driver for Amlogic SoCs.
+
- Added amclock(4),
+ a driver for the Amlogic SoC clocks.
+
- Added amluart(4), a
+ driver for the UARTs found on various Amlogic SoCs.
+
- Added support for the SMBus System Interfaces (SSIF) to
+ ipmi(4).
+
- PXE booting using U-Boot works now.
+
- Added clock support
+ to sxisyscon(4),
+ a driver for the system controller found on various Allwinner
+ SoCs.
+
- Implemented smbios(4)
+ support on arm64.
+
- Added ucrcom(4), a driver
+ for the serial console of chromebooks.
+
- Enabled mvmdio(4) and
+ mvneta(4) on arm64.
+
- Added pinctrl(4)
+ support for 'pinconf-single' devices and support for
+ bias and drive-strength properties, needed for HiSilicon SoCs.
+
- Added mvdog(4), a driver
+ to support the watchdog on the Armada 3700 SoC.
+
- Added support for the Allwinner H6 to
+ sxipio(4) and
+ sxiccmu(4).
+
- Enabled amlmmc(4), a
+ driverfor the SD/MMC controller found on various Amlogic SoCs.
+
- Added mviic(4), a driver
+ to support the I2C controller on the Armada 3700 SoC.
+
- Added mvuart(4) to
+ support the Armada 3720's serial console.
+
- Added support for the Armada 3720 clocks to
+ mvclock(4)
+ and added mvuart(4) to
+ support the serial console.
+
- Added support for the Armada 3720 pinctrl controller to
+ mvpinctrl(4). This
+ controller also includes GPIO controller functionality.
+
- Added the RK3328 and RK3399 GMAC clocks to
+ rkclock(4).
+
- Increased MAXCPUs to 32 in arm64, allowing use of all cores on the Ampere
+ eMAG.
+
- Added support for the Cortex-A65 CPU.
+
- Implemented interrupt controller functionality in
+ rkgpio(4),
+ allowing use of the
+ fusbtc(4)
+ interrupt on the RockPro64.
+
+
- IEEE 802.11 wireless stack improvements:
+ - Made net80211 expose reasons for association failures to have
+ ifconfig(8)
+ display them in "scan" output and on the
+ ieee80211(9)
+ status line.
+
- ure(4) now supports
+ RTL8153B devices.
+
- Added support for 802.11n Tx aggregation to net80211 and
+ iwm(4).
+
- ...
- Generic network stack improvements:
-
+
+ - Enabled TCP and UDP checksum offloading by default for
+ ix(4).
+
- Added tpmr(4), a 802.1Q
+ two-port MAC relay implementation.
+
- Added iavf(4) driver for
+ Intel SR-IOV Virtual Functions of Intel 700 series ethernet controllers.
+
- Added aggr(4), a
+ dedicated driver to implement 802.1AX link aggregration.
+
- Added port protection support
+ to switch(4). Domain
+ membership is checked for unicast, flooded (broadcast) and local
+ (host-network-bound, e.g. trunk) traffic.
+
- Disabled mobileip(4).
+
- Added support
+ to ifconfig(8)
+ for getting and setting rxprio, finishing support for RFC
+ 2983. Implemented configuring rxprio
+ in vlan(4),
+ gre(4),
+ mpw(4),
+ mpe(4),
+ mpip(4),
+ etherip(4)
+ and bpe(4) .
+
- Implemented tx mitigation by calling the hardware transmit
+ routine per several packets rather than for individual
+ packets. Defers calls to the transmit routine to a network taskq,
+ or until a backlog of packets has built up.
+
- Stopped using splnet(9) when
+ running the network stack now
+ that it is using the NET_LOCK for protection, reducing latency spikes.
+
- Added sfp(4), a driver
+ allowing communication with SFPs connected over
+ an I2C bus and reading pages over the SFP framework.
+
- Added SFP and I2C ofw frameworks.
+
- Installer improvements:
-
+
+ - Allowed quoted SSIDs in the installer, rather than ignoring
+ those containing whitespace.
+
- Introduced sysupgrade(8)
+ that can be used to upgrade OpenBSD from one release to the next
+ or from snapshot to snapshot without user input.
+
- Added octeon bootloader to files copied to the boot partition.
+ To use the bootloader, the firmware must be configured to load file "boot"
+ instead of "bsd."
+
- Included mount_nfs(8)
+ on the amd64 CD ramdisk.
+
- Added tee(1) to the ramdisk, and
+ display a moving progress bar
+ during auto upgrade/install.
+
- Repaired and improved v6 default route selection, fixing autoinstalls.
+
- Added sysupgrade(8)
+ support to the sparc64 bootloader.
+
- The dhcp configuration is now preserved when restarting an install.
+
- The installer now remembers 'autoconf' when restarting an install.
+
- Stopped prompting for disks that do not contain a root
+ partition during upgrades. This defaults to the correct disk
+ when full disk encryption is in use, and will be useful for
+ future unattended upgrades.
+
- Added octeon
+ bootloader to files copied to the boot partition. To use the
+ bootloader, the firmware must be configured to load file "boot"
+ instead of "bsd."
+
- Security improvements:
+ - unveil(2) is
+ now used in 77 userland programs to restrict filesystem
+ access.
+
- Various changes
+ in unveil(2)
+ to improve application behaiviour when encountering hidden
+ filesystem paths.
+
- ps(1) can now show
+ which processes have called unveil(2) to run with a restricted
+ filesystem view.
+
- Further and improved mittigations against Spectre side-channel
+ vulnerability in Intel CPUs built since 2012.
+
- Mitigations for Intel's Microarchitectural Data Sampling
+ vulnerability, using the new CPU VERW behavior if available or
+ by using the proper sequence from Intel's "Deep Dive" doc in the
+ return-to-userspace and enter-VMM-guest
+ paths. Updated vmm(4)
+ to pass through the MSR bits so that guests can apply the
+ optimal mitigation.
+
- Rewrote doas(1)
+ environment inheritance not to inherit, and instead reset to the
+ target user's values by default.
+
- Make
+ the amd64 BIOS
+ bootloader load a kernel at a random virtual address.
+
- Introduced
+ malloc_conceal(3)
+ and calloc_conceal(3),
+ which return memory in pages marked MAP_CONCEAL and call
+ freezero(3)
+ on free(3).
+
- Make 'systat pf' not require root permissions
+ (systat(8)).
+
- Added support for the EFI Random Number Generator Protocol,
+ using it to XOR random data into the buffer we feed the kernel for
+ amd64.
+
- Added information about system call memory write protection
+ and stack mappion violations to system
+ accounting. Now daily(8)
+ will print a list of affected processes
+ and lastcomm(1)
+ will flag violations with 'M'.
- Routing daemons and other userland network improvements:
-
- - The ntpd(8)
- daemon now gets and sets the clock in a secure way when booting
- even when a battery-backed clock is absent.
-
-
- - bgpd(8) improvements:
-
-
-
- Assorted improvements:
+ - The ntpd(8)
+ daemon now gets and sets the clock in a secure way when booting
+ even when a battery-backed clock is absent.
+
- slaacd(8) now
+ removes IPv6 addresses when it detects a link-state change but
+ no new router advertisement is received.
+
- ifconfig(8)
+ now reports SFP, SFP+ and QSFP module information.
+
- Imported snmp(1),
+ a new snmp client which aims to be netsnmp-compatible for
+ supported features, and
+ removed snmpctl(8).
+
- Improvements
+ in ntpd(8)s dns
+ resoving and constraints checking, especially during
+ startup. Unreliable ntp peers are removed them from the pool and
+ dns resolving is repeated to add replacements.
+
- Changed the bgpd(8)
+ Adj-RIB-Out to a per-peer set of RB trees, improving speed.
+
- Rewrote bgpd(8)
+ community matching and handling code and improved performance
+ for setups using many communities.
+
- Checked the type of a network statement when looking for
+ duplicates
+ in bgpd(8). This
+ fixes added network 0.0.0.0/0 after 'network inet static'.
+
- Made improvements
+ to bgpd(8) speed when
+ configuring many peers.
+
- Implemented bgpctl(8)
+ 'show mrt neighbors', to print the neighbor table of MRT
+ TABLE_DUMP_V2 dumps.
+
- Moved bgpd(8)
+ pfkey socket to the parent process. The refreshing of the keys
+ for MD5 and IPSEC is done whenever the session state changes to
+ IDLE or ACTIVE, which should behave better when reloading
+ configs with auth changes.
+
- In bgpd(8), fixed
+ reloading of network statements that have no fixed prefix
+ specification.
+
- Extended the maximum size of
+ the bgpd(8)
+ shutdown communication message to 255 bytes.
+
- Improvements
+ in pfctl(8), to
+ always check for namespace collisions on table
+ commands. Introduced 'pfctl -FR' to reset pfctl(8) settings to
+ defaults.
+
- Added support
+ to ifconfig(8)
+ and various network drivers to display SFP+, XFP, and d QSFP+
+ tranceiver information.
+
- Imported Kristaps Dzonsons' RPKI
+ validator, rpki-client(8).
+
- relayd(8) now supports
+ binary protocol health checking. See
+ relayd.conf(5).
+
- Added support for OCSP stapling
+ to relayd(8).
+
- Added relayd(8)
+ support for SNI with new 'tls keypair' option to load additional
+ certificates.
+
- Added support for 'from/to address[/prefix]'
+ in relayd(8) filter rules.
+
- Implemented RFC 8555 "Automatic Certificate Management
+ Environment (ACME)" to
+ enable acme-client(1)
+ to communicate with the v02 Let's Encrypt API. Read the
+ upgrade guide for more information.
+
- tcpdump(8)
+ support for '-T erspan' and
+ arbitrary gre(4)
+ protocols.
+
- Allowed specifying area by number as well as id
+ in ospf6d(8).
+
- ospfctl(8) now
+ accepts both address and number format for 'ospfctl show
+ database area XXX'.
+
- ospfd(8) reload
+ improvements.
+
- Added a check
+ to ospfd(8)
+ and ospf6d(8)
+ that any "depend on" interfaces are in the same rdomain.
+
- Make 'passive' (announce a network configured on an interface
+ as a stub network) work with P2P interfaces
+ in ospfd(8).
+
- Shutdown the service port when behind a captive portal
+ with unwind(8),
+ allowing bypass of captive portals that correctly answer SOA
+ queries for the root zone and return NXDOMAIN for the captive
+ portal redirect domain if edns0 is present.
+
- Implemented DNS block lists
+ in unwind(8).
+
- Added support for IKEv2 Message Fragmentation (RFC 7383)
+ to iked(8).
+
- Enabled switching between wireless and wired interfaces in
+ dhclient(8), setting the default route with the interface
+ address and allowing two default routes in the routing table. A
+ wired interface will be preferred when connected.
+
- Added consistent use of 'ifconfig $_if [-inet| -inet6]' to clear existing
+ configurations completely after restarting an install.
+
- Added 'forwarded' log format extending the 'combined' log
+ format in httpd(8).
+
+
+ - Assorted improvements:
+
+
- VMM/VMD improvements ...
+
+ - Added support for 'boot device'
+ to vm.conf(5)
+ grammar, the '-B device' counterpart
+ from vmctl(8).
+
- Emulated kvm pvclock
+ in vmm(4), compatible
+ with pvclock(4) in
+ OpenBSD.
+
- Enabled reporting of the vm state through use of
+ the vmctl(8)
+ 'status' command.
+
- Synced vm state
+ in vmd(8) when
+ (un)pausing a vm to ensure
+ both vmm(4)
+ and vmd(8) processes
+ know the vm is paused.
+
- Handled some unhandled instructions for SVM which led
+ to vmm(4) guest
+ termination, as well as RDTSCP and INVLPGA instructions.
+
- Modified vmm(4) to
+ flush guest TLB entries if the guest disables paging.
+
+
- OpenSMTPD 6.6.0
- New Features
- Introduced support for ECDSA certificates with an ECDSA privsep engine.
-
- Introduced builtin filters to allow basic filtering of incoming sessions in smtpd(8).
-
- Introduced option to deliver junk to a Junk folder in mail.maildir(8).
+
- Introduced builtin filters to allow basic filtering of incoming sessions
+ in smtpd(8).
+
- Introduced option to deliver junk to a Junk folder
+ in mail.maildir(8).
- Bug fixes
- - Fixed the smtp(1) client so it uses correct default port for SMTPS.
-
- Fixed an smtpd(8) crash on excessively large input.
+
- Fixed the smtp(1) client
+ so it uses correct default port for SMTPS.
+
- Fixed an smtpd(8) crash on
+ excessively large input.
- Ensured mail rejected by an LMTP server will stay queued rather than bouncing.
- Experimental Features
- - Introduced a filters API to allow writing standalone filters for smtpd(8),
+
- Introduced a filters API to allow writing standalone filters
+ for smtpd(8),
with multiple filters made available in ports.
-
- Introduced support for proxy-v2 protocol allowing smtpd(8) to operate behind proxy.
+
- Introduced support for proxy-v2 protocol
+ allowing smtpd(8) to
+ operate behind proxy.
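Review bot: several added entries in this hunk are duplicated and should be merged. The octiic(4) driver entry appears twice in the hardware list, "Enabled amlmmc(4)" appears twice in the arm64 list (the second time with the typo "driverfor"), the octeon bootloader entry appears twice under the installer, mvuart(4) for the Armada 3720 serial console is listed on its own and again inside the mvclock(4) entry, and SFP module reporting in ifconfig(8) is listed twice under the network daemons. In the security list, fix "behaiviour", "mittigations" and "stack mappion violations"; the last one obscures which violation lastcomm(1) flags with 'M'. Elsewhere, fix "now build with", "upport", "aggregration", "ntpd(8)s dns resoving", "are removed them from the pool" and "and d QSFP+ tranceiver". Check "amclock(4)" against the earlier "amlclock(4)", "acpi(1)" against the "acpi(4)" used a few entries above, and "sunv4" next to "sun4u". The "..." placeholders under SMP, the wireless stack and VMM/VMD still need content, and a few entries ("Make", "Allow panes", "Shutdown") break the past tense used by the rest of the list.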
@@ -156,8 +626,10 @@
- Completed the port of RSA_METHOD accessors from the
OpenSSL 1.1 API.
-
- Documented undescribed options and
- removed unfunctional options description in openssl(1) manual.
+
- Documented undescribed options and removed unfunctional
+ options description
+ in openssl(1)
+ manual.
- Compatibility Changes
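Review bot: the re-wrapped openssl(1) entry carries over the wording "removed unfunctional options description". Since these lines are being touched anyway, reword it, for example "removed descriptions of nonfunctional options from the openssl(1) manual".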
@@ -169,48 +641,88 @@
-
A plethora of small fixes due to regular oss-fuzz testing.
-
- Various side channels in DSA and ECDSA were addressed.
- These are some of the many issues found in an extensive systematic
- analysis of bignum usage by Samuel Weiser, David Schrammel et al.
+ Various side channels in DSA and ECDSA were addressed. These
+ are some of the many issues found in an extensive systematic
+ analysis of bignum usage by Samuel Weiser, David Schrammel et
+ al.
-
- Try to compute the cofactor if a nonsensical value was provided
- for ECC parameters.
- Fix from Billy Brumley.
+ Try to compute the cofactor if a nonsensical value was
+ provided for ECC parameters. Fix from Billy Brumley.
Internal Improvements
-
+
Portable Improvements
- - Enabled performance optimizations when building with Visual Studio on Windows.
+
- Enabled performance optimizations when building with Visual
+ Studio on Windows.
- Enabled openssl(1) speed subcommand on Windows platform.
Bug Fixes
- -
- Fixed issue where SRTP extension would not be sent by server.
-
-
- Fixed incorrect carry operation in 512 addition for Streebog.
+
- Fixed issue where SRTP extension would not be sent by
+ server.
+
- Fixed incorrect carry operation in 512 addition for
+ Streebog.
- Fixed -modulus option with openssl(1) dsa subcommand.
-
- Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
+
- Fixed PVK format output issue with openssl(1) dsa and rsa
+ subcommand.
OpenSSH 8.X
- - New Features
-
- Bugfixes
+
- New Features
+
+ - Added sshsig, a lightweight signature and verification
+ ability for OpenSSH,
+ to ssh-keygen(1).
+ Signatures can be made and verified using
ssh-keygen
+ -Y sign|verify
.
+ - Included SHA2-variant RSA key algorithms in KEX proposal,
+ allowing ssh-keyscan(1)
+ to harvest keys from servers that disable SHA1 ssh-rsa.
+
- Encrypted
+ private ssh(1)
+ keys that are not in use as protection against speculation
+ and memory sidechannel attacks like Spectre, Meltdown,
+ Rowhammer and Rambleed.
+
- Adjusted ssh(1)
+ to default to using the rsa-sha2-512 signature algorith when
+ signing certificates with an RSA key. This will render these
+ certificates incompatible with OpenSSH 7.1 and earlier,
+ unless the default is overridden by use of the (1) -t flag.
+
- Added logging
+ of ssh(1)
+ PermitOpen and PermitListen violations.
+
- Allowed prepending a list of algorithms to the default set in ssh(1) by
+ starting the list with the ^ character.
+
+ - Bugfixes
+
-
Mandoc XXX
+ - Provided a notification to stderr to indicate messages have been shown when
+ mandoc(1) output is printed without a pager, to indicate messages may have
+ preceded the output.
+
- Fixed a segfault
+ in mandoc(1) when
+ /tmp is not writable.
+
- Added mandoc(1)
+ support for 'prefers-color-scheme: dark'.
+
- Improved man(1)
+ matching for requests for a specific section.
Xenocara
Ports and packages:
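Review bot: the headings "OpenSSH 8.X" and "Mandoc XXX" remain placeholders, and the added OpenSSH "Bugfixes" item has no entries under it. In the rsa-sha2-512 entry, "algorith" is a typo and "use of the (1) -t flag" has lost the program name before "(1)". Signing certificates is an ssh-keygen(1) operation, so confirm that ssh(1) is the intended manual reference for that entry. The first mandoc(1) entry says "to indicate" twice and can be shortened to a single clause.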
@@ -231,13 +743,27 @@
Some highlights:
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
-
+
+ - ibexpat to 2.2.7
+
- unbound 1.9.3
+
- NSD 4.2.2.
+
- LLVM 8.0.0
+
- perl 5.28.2.
+
- Mesa 19.0.5.
+
- libdrm 2.4.98
+
- LLVM 8.0.1
+
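Review bot: in the added component list, "ibexpat to 2.2.7" looks like a typo for libexpat with a stray "to", and LLVM is listed twice with different versions (8.0.0 and 8.0.1); keep only the version that actually ships. Trailing periods are also inconsistent across the entries ("NSD 4.2.2." versus "unbound 1.9.3").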