Annotation of www/67.html, Revision 1.49
1.1 benno 1: <!doctype html>
2: <html lang=en id=release>
3: <meta charset=utf-8>
4:
5: <title>OpenBSD 6.7</title>
6: <meta name="description" content="OpenBSD 6.7">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/67.html">
10:
11: <h2 id=OpenBSD>
12: <a href="index.html">
13: <i>Open</i><b>BSD</b></a>
14: 6.7
15: </h2>
16:
17: <table>
18: <tr>
19: <td>
20: <a href="images/xxx.gif"><!-- XXX -->
1.16 deraadt 21: <img width="227" height="343" src="images/xxx-s.gif" alt="XXX image alt tag"></a>
1.1 benno 22: <td>
23: Released May 19, 2020<br><!-- XXX -->
24: Copyright 1997-2020, Theo de Raadt.<br>
25: <br>
26: <br>
1.11 job 27: Artwork by Jonni Phillips.
1.1 benno 28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/6.7/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata67.html">the 6.7 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus67.html">detailed log of changes</a> between the
37: 6.6 and 6.7 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-67-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/openbsd-67-base.pub">
47: RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj</a>
48: <tr><td>
49: openbsd-67-fw.pub:
50: <td>
51: RWSOSlsdN/fgAY1SvEyFdbTkouV2cIsUBXdJhEIhRscq8TT3bz9iOYRL
52: <tr><td>
53: openbsd-67-pkg.pub:
54: <td>
55: RWTR60UGd2MbnaRg+upZbbBYO00ZhHJehXy7tH2ORHvCjGcDH2pZpsxv
56: <tr><td>
57: openbsd-67-syspatch.pub:
58: <td>
59: RWTLqtfkjXfBADZEVkBDwSU0EAhy45nb5ovn1xHtQmD3DcqUWe+CouTL
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 6.7.
74: For a comprehensive list, see the <a href="plus67.html">changelog</a> leading
75: to 6.7.
76:
77: <ul>
78:
79: <li>General improvements and bugfixes:
80: <ul>
81: <li>Reduced the minimum allowed number of chunks in a CONCAT
82: volume from 2 to 1, increasing the number of volumes which can be
83: created on a single disk with <a
84: href="https://man.openbsd.org/bioctl">bioctl(8)</a> from 7 to 15. This
85: can be used to create more partitions than previously.
86: <li>Rewrote the <a href="https://man.openbsd.org/cron">cron(8)</a>
87: flag-parsing code to be getopt-like, allowing tight formations like
88: -ns and flag repetition. Renamed the "options" field in <a
89: href="https://man.openbsd.org/crontab">crontab(5)</a> to "flags".
90: <li>Added <a
91: href="https://man.openbsd.org/man5/crontab.5">crontab(5)</a> -s flag
92: to the command field, indicating that only a single instance of the
93: job should run concurrently.
94: <li>Added <a href="https://man.openbsd.org/cron">cron(8)</a>
95: support for random values using the ~ operator.
96: <li>Allowed <a href="https://man.openbsd.org/cwm">cwm(1)</a>
97: configuration of window size based on percentage of the master window
98: during horizontal and vertical tiling actions.
99: <li>Allowed use of window-htile and window-vtile with the "empty"
100: group clients in <a href="https://man.openbsd.org/cwm">cwm(1)</a>.
101: <li>Switched powerpc to a machine-independent mplock implementation,
102: allowing use of <a href="https://man.openbsd.org/witness">
103: witness(4)</a>.
104: <li>Added <a href="https://man.openbsd.org/acpi">acpi(4)</a>
105: support for the _CCA method, indicating whether DMA is cache-coherent.
106: <li>Switched the default compiler on powerpc to clang.
107: <li>Bumped <a href="https://man.openbsd.org/nvme">nvme(4)</a> max
108: physio() i/o size to 128K.
109: <li>Blocked <a href="https://man.openbsd.org/apmd">apmd(8)</a>
110: autoaction for 60 seconds after resume, preventing spurious
111: suspend/resume cycles.
112: <li>Checked battery life against autoaction level on power change
113: events in <a href="https://man.openbsd.org/apmd">apmd(8)</a>, making
114: -z/-Z work with <a
115: href="https://man.openbsd.org/acpibat">acpibat(4)</a>.
116: <li>Prevented a kernel hang when no unlocked ffs_softdep worklist
117: items could be processed.
118: <li>Stopped counting pages mapped as PROT_NONE against the
119: RLIMIT_DATA limit, helping code which reserves large chunks of address
120: space but populates it sparsely.
121: <li>Added the $REQUEST_SCHEME variable to <a
122: href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a>, allowing
123: preservation of the original connection type (http or https) for
124: redirect locations
125: <li>Implemented "strip" option in <a
126: href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a> for
127: fastcgi to be able to have multiple chroots under /var/www for FastCGI
128: servers.
129: <li>Changed <a href="https://man.openbsd.org/httpd">httpd(8)</a>
130: to send a 408 response when a timeout happens while headers are being
131: received, but close the connection if no request is received.
132: <li>Updated en_US.UTF-8.src to Unicode 12.1.
1.19 deraadt 133: <li>Added a new __tmpfd system call which creates a new, unnamed file in
134: /tmp, intended for shm/fd passing, but in programs that may otherwise
135: lack filesystem access (due to restrictions imposed by
136: <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> or
137: <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>).
1.1 benno 138: <li>Imported <a href="https://man.openbsd.org/dt">dt(4)</a>, a
139: driver and framework for Dynamic Profiling, and an accompanying bug
140: tracer that speaks the <a href="https://man.openbsd.org/bt">bt(5)</a>
141: language.
142: <li>Added a human-readable mode (-h) to <a
143: href="https://man.openbsd.org/systat">systat(1)</a>.
144: <li>Implemented scrolling in <a
145: href="https://man.openbsd.org/top">top(1)</a> using the 9 and 0 keys.
146: <li>Added <a
147: href="https://man.openbsd.org/timeout_set_flags">timeout_set_flags(9)</a>
148: and TIMEOUT_INITIALIZER_FLAGS(9) to the timeout API, allowing the
149: caller to initialize timeouts with arbitrary flags.
150: <li>Introduced TIMEOUT_SCHEDULED flag and tos_scheduled statistic
151: to <a href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
152: <li>Switched to tickless backend in <a
153: href="https://man.openbsd.org/timeout.9">timeout(9)</a>, adding new
154: interface <a
155: href="https://man.openbsd.org/timeout_at_ts">timeout_at_ts(9)</a> to
156: avoid backwardly compatible behavior.
157: <li>Added the system clock interface <a
158: href="https://man.openbsd.org/nanoboottime">nanoboottime(9)</a>,
159: returning the UTC time at which the system booted in seconds and
160: nanoseconds.
161: <li>Introduced efficient page freeing in reverse order from uvm,
162: greatly improving cases of massive page freeing.
163: <li>Added uvm_objfree to uvm to efficiently free all pages from a
164: uvm object, used in the buffer cache for considerable speedup when
165: freeing pages.
166: <li>Modified buffer cache to use individual uvm_objs per buffer to
167: speed page lookups.
168: <li>Speed up <a href="https://man.openbsd.org/sort">sort(1)</a> by
169: not performing a top-level sort when -c is used with a -k field.
170: <li>Modified -z mode verification in <a
171: href="https://man.openbsd.org/signify">signify(1)</a> to save the
172: header and output it, so signify -zV >saved.tgz will keep the
173: signature for later checks.
174: <li>Enabled DNSSEC validation in <a
175: href="https://man.openbsd.org/unbound">unbound(8)</a> by default.
176: <li><a href="https://man.openbsd.org/ntpd">ntpd(8)</a> now does
177: constraint validation against 9.9.9.9 and 2620:fe::fe by default.
1.44 krw 178: <li>Fixed <a href="https://man.openbsd.org/arp.4">arp(4)</a>
179: issues created by <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
180: modifying existing routes.
181: <li>Fixed <a href="https://man.openbsd.org/resolv.conf.5">route.conf(5)</a>
182: handling by <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
183: when an interface loses link.
184: <li>Restored previous <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
185: behaviour of rejecting leases that lack a subnet mask.
186: <li>Enabled <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
187: to configure <a href="https://man.openbsd.org/carp.4">carp(4)</a>
188: interfaces.
189: <li>Fixed <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
190: releasing leases without a server identifier.
191: <li>Improved <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
192: NAK handling in various corner cases.
193: <li>Fixed <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
194: endlessly sending REQUEST messages when an ACK is never received.
1.45 krw 195: <li>Prevented
196: <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>
197: from referencing freed memory when releasing a lease with
198: an unusually long uid.
199: <li>Corrected parsing of classless static default route "0/0" in
200: <a href="https://man.openbsd.org/dhcpd.conf.5">dhcpd.conf(5)</a>.
1.46 krw 201: <li>Increased to 15 the number of
202: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
203: CONCAT volumes that can be created on a single disk.
204: <li>Fixed
205: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
206: CRYPTO volumes on 4K-sector disks.
1.1 benno 207: </ul>
208:
209: <!-- FFS2 -->
1.6 benno 210: <li>The FFS2 filesystem, which uses 64bit timestamps and block numbers
211: is now the default for new installs on nearly all architectures:
1.1 benno 212: <ul>
213: <li>Enabled ffs2 in sgi bootblocks and ramdisks.
214: <li>Made ffs2 the default filesystem type on installs except for landisk, luna88k and sgi.
215: <li>Changed the sparc64 bootblocks to be able to read from ffs1, ffs2 and softraid, and enabled the ffs2 option for both floppies.
216: <li>Enabled FFS2 on the landisk ramdisk.
217: <li>Taught i386 boot(8), cdboot(8) and pxeboot(8) about ffs2.
218: <li>Taught macppc boot(8) about ffs2.
219: <li>Taught sparc64 boot(8) (but not the sparc64 bootblocks) about ffs2.
220: <li>Allowed hppa <a href="https://man.openbsd.org/man8/hppa/boot.8">boot(8)</a> to read from an ffs2 filesystem.
221: <li>Allowed alpha boot(8) to read from an ffs2 filesystem and adapted its custom installboot to deal with ffs2. Also fixed the partition read code to deal with offsets greater than 2G.
222: <li>Adapted <a href="https://man.openbsd.org/biosboot">biosboot(8)</a> so that it can read <a href="https://man.openbsd.org/boot.8">boot(8)</a> from an ffs2 filesystem.
223: <li>Allowed amd64 <a href="https://man.openbsd.org/man8/amd64/boot.8">boot(8)</a> to read from an ffs2 filesystem. Enabled ffs2 for floppy.
224: <li>Allowed loongson boot(8) to read from an ffs2 filesystem.
225: <li>Allowed arm64 and armv7 efiboot(8) to read from an ffs2 filesystem.
226: </ul>
227:
1.36 mpi 228: <li>SMP-Improvements:
1.1 benno 229: <ul>
1.36 mpi 230: <li>
1.37 anton 231: <a href="https://man.openbsd.org/__thrsleep">__thrsleep(2)</a>,
232: <a href="https://man.openbsd.org/__thrwakeup">__thrwakeup(2)</a>,
1.36 mpi 233: <a href="https://man.openbsd.org/close">close(2)</a>,
234: <a href="https://man.openbsd.org/closefrom">closefrom(2)</a>,
235: <a href="https://man.openbsd.org/dup">dup(2)</a>,
236: <a href="https://man.openbsd.org/dup2">dup2(2)</a>,
237: <a href="https://man.openbsd.org/dup3">dup3(2)</a>,
238: <a href="https://man.openbsd.org/flock">flock(2)</a>,
1.37 anton 239: <a href="https://man.openbsd.org/fcntl">fcntl(2)</a>,
1.36 mpi 240: <a href="https://man.openbsd.org/kqueue">kqueue(2)</a>,
1.37 anton 241: <a href="https://man.openbsd.org/pipe">pipe(2)</a>,
242: <a href="https://man.openbsd.org/pipe2">pipe2(2)</a> and
1.36 mpi 243: <a href="https://man.openbsd.org/nanosleep">nanosleep(2)</a>
244: are run without KERNEL_LOCK.
245: <li>The generic part of <a href="https://man.openbsd.org/ioctl">ioctl(2)</a>
246: is run without KERNEL_LOCK.
247: <li>Reworked AMD smt/core/package detection, helping prevent cores being
248: misidentified as threads.
249: <li>Avoided false positives in
250: <a href="https://man.openbsd.org/witness">witness(4)</a> when detecting
251: lock order reversals by using separate rwlock initializations for
252: userland and kernel maps.
1.1 benno 253: <li>Allowed sleeping inside kqueue event filters.
1.36 mpi 254: <li>Made <a href="https://man.openbsd.org/vmx">vmx(4)</a> transmit MP-safe.
1.1 benno 255: </ul>
256:
257: <li>Improved hardware support, including:
258: <ul>
259: <li>Improvements in the <a href="https://man.openbsd.org/em">em(4)</a> driver.
260: <li>Added <a href="https://man.openbsd.org/dsxrtc">dsxrtc(4)</a>,
261: a driver for the Maxim DS3231/DS3232 I2C RTC.
262: <li>Enabled use of <a href="https://man.openbsd.org/em">em(4)</a> with MSI-X.
263: <li>Added <a href="https://man.openbsd.org/ure">ure(4)</a> support
264: for Lenovo OneLine Plus Dock Ethernet.
265: <li>Improved <a href="https://man.openbsd.org/ucom">ucom(4)</a> to
266: fix firmware upload on some microcontroller boards using DTR and RTS
267: as signaling lines to reset the device and enter the bootloader.
268: <li>Added a PCI attachment driver for <a
269: href="https://man.openbsd.org/com">com(4)</a> to support memory-mapped
270: PCI devices which are part of a Low Power Subsystem (LPSS).
271: <li>Implemented microsecond resolution using <a
272: href="https://man.openbsd.org/microuptime">microuptime(9)</a> to avoid
273: a hard hang when starting X on Intel Cherry Trail Atom processors.
274: <li>Added support for X553 controllers to <a
275: href="https://man.openbsd.org/ix">ix(4)</a>.
276: <li>Added <a href="https://man.openbsd.org/usb">usb(4)</a> device
277: support for an AMD hub on the APU2 and a Synaptics vendor id and two
278: fingerprint readers.
279: <li>Prevented buffer overflows with <a
280: href="https://man.openbsd.org/uthum">uthum(4)</a> by not assuming the
281: report length given by the hardware is necessarily smaller than the
282: length of the on-stack buffer.
283: <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a>, a driver
284: for the Realtek 8125 PCI Express 2.5Gb Ethernet devices.
285: <li>Fixed cursor issues and suspend/resume on <a
286: href="https://man.openbsd.org/amdgpu">amdgpu(4)</a> due to incomplete
287: unmapping. This may help <a
288: href="https://man.openbsd.org/radeondrm">radeondrm(4)</a> issues as
289: well.
290: <li>Enabled mmhub power gating on picasso within <a
291: href="https://man.openbsd.org/amdgpu">amdgpu(4)</a>.
292: <li>Fixed support for additional I2C busses in <a
293: href="https://man.openbsd.org/piixpm">piixpm(4)</a> for older SB800
294: SMBus controllers. Prevented sensors from attaching four times on old
295: AMD machines.
296: <li>Invalidated the <a
297: href="https://man.openbsd.org/knote">knote(9)</a> list of <a
298: href="https://man.openbsd.org/uhid">uhid(4)</a> after device detach,
299: preventing a crash that can happen when kqueue still holds references
300: to knotes pointing to the device.
301: <li>Prevented a use-after-free causing crashes with <a
302: href="https://man.openbsd.org/uhidev">uhidev(4)</a> devices.
303:
304: <li>Prevented <a href="https://man.openbsd.org/mcx">mcx(4)</a>
305: interface lockups due to completion queue overflow.
306: <li>Fixed brightness keys on the x395 and other thinkpads with AMD graphics.
307: <li>Fixed brightness controls on certain machines where the
308: initial brightness values are returned out of range.
309: <li>Made <a
310: href="https://man.openbsd.org/acpivout">acpivout(4)</a> stop calling
311: ACPI methods directly to allow changing brightness other ways on
312: certain machines, including the x395.
313: <li>Set the default brightness level on attachment for <a
314: href="https://man.openbsd.org/pwmbl">pwmbl(4)</a>.
315: <li>Fixed <a
316: href="https://man.openbsd.org/acpivout">acpivout(4)</a> screen
317: brightness adjustment through function keys, better supporting
318: machines using exponential brightness scaling.
319: <li>Changed <a
320: href="https://man.openbsd.org/acpivout">acpivout(4)</a> to increment
321: and decrement screen brightness based only on brightness level changes
322: of 5% or higher.
323: <li>Added <a href="https://man.openbsd.org/amlsm">amlsm(4)</a>, a
324: driver for the "secure monitor" firmware interface.
325: <li>Fixed Etron EJ168 USB 3.0 Host Controllers via USB 2 devices.
326: <li>Added support for the SIERRA MC7700 to <a
327: href="https://man.openbsd.org/umsm">umsm(4)</a> UMTS and LTE modem device.
328: <li>Fixed RAID volume WWIDs for <a
329: href="https://man.openbsd.org/mpii">mpii(4)</a> LSI controllers on
330: sparc64, allowing <a
331: href="https://man.openbsd.org/autoconf">autoconf(9)</a> to identify
332: the volume as the root device and boot off hardware RAID.
333: <li>Populated logical disk port WWNs with their RAID volume's WWID
334: in <a href="https://man.openbsd.org/mpii">mpii(4)</a>.
335: <li>Added <a
336: href="https://man.openbsd.org/amdgpio">amdgpio(4)</a>, a driver for
337: the GPIO controller found on newer AMD SoC/chipsets.
338: <li>Added <a href="https://man.openbsd.org/fido">fido(4)</a>, an
339: HID driver for FIDO/U2F security keys.
340: <li>Added parsing of DDR4 and LPDDDR3/4 SPD memories to <a
341: href="https://man.openbsd.org/spdmem">spdmem(4)</a>.
342: <li>Added support to <a
343: href="https://man.openbsd.org/lm">lm(4)</a> for NCT6775F, NCT5104D,
344: NCT6779D and NCT679[1235]D sensors.
345: <li>Added AMD FCH (KERNCZ) to the list of supported devices in <a
346: href="https://man.openbsd.org/piixpm">piixpm(4)</a>.
347: <li>Updated <a href="https://man.openbsd.org/piixpm">piixpm(4)</a>
348: to support newer AMD chips like Hudson-2 and KERNCZ and implemented
349: multi-bus support for SB800, Hudson-2 and KERNCZ.
350: <li>Extended the expected SPD types to include DDR4 and low-power DDR3/DDR4.
351: <li>Enabled full use of jumbo frames on <a
352: href="https://man.openbsd.org/bnx">bnx(4)</a> devices.
353: <li>Fixed <a href="https://man.openbsd.org/scsi">scsi(8)</a>
354: softraid crypto volumes on 4K-sector disks.
355: <li>Faked disk info to match expected boot disk when EFI
356: bootloader has been received via TFTP, fixing a hang during HP
357: Elitebook UEFI boot.
1.40 schwarze 358: <li>Implemented a hexdump command in the bootloader, helping to
359: inspect the memory layout created by the firmware and useful for UEFI
360: debugging.
1.1 benno 361: <li>Improved <a href="https://man.openbsd.org/ksmn">ksmn(4)</a>
362: temperature conversion precision.
363: <li>Added a quirk to handle Apollo Lake, Gemini Lake and 100
364: Series Intel SD/MMC <a href="https://man.openbsd.org/sdhc">sdhc(4)</a>
365: controllers which should not have voltages set to 0V.
366: <li>Prevented a local user from causing the system to hang by
367: reading specific registers when Intel Gen8/Gen9 graphics hardware is
368: in a low power state.
369: <li>Prevented writes to memory allowed by the Intel Gen9 graphics hardware.
370: <li>Added support for buttons 2 and 3 to <a
371: href="https://man.openbsd.org/imt">imt(4)</a>.
372: <li>Added <a href="https://man.openbsd.org/ogx">ogx(4)</a>, a
373: driver for the OCTEON III network processor.
374: <li>Fixed endian swapping in <a
375: href="https://man.openbsd.org/xhci">xhci(4)</a>, allowing it to work
376: again on octeon and other big endian architectures.
377: <li>Added <a href="https://man.openbsd.org/sxisid">sxisid(4)</a>,
378: a driver to read the on-chip eFuses.
379: <li>On newer ThinkPads reporting HKEY version > 1, allowed <a
380: href="https://man.openbsd.org/acpivout">acpivout(4)</a> to claim
381: backlight controls rather than <a
382: href="https://man.openbsd.org/wscons">wscons(4)</a>, allowing use of
383: the fine-grained backlight BCL steps defined in <a
384: href="https://man.openbsd.org/acpi">acpi(4)</a>.
385: <li>Implemented the "parallel boot" feature on compatible sparc64 firmware.
1.7 stsp 386: <li>Introduced <a href="https://man.openbsd.org/iwx">iwx(4)</a>, a
387: driver for Intel AX200 WiFi devices.
388: <li>Added <a href="https://man.openbsd.org/iwm">iwm(4)</a> support
389: for Intel 9260 and 9560 wifi devices.
1.8 stsp 390: <li>Updated firmware for all devices supported by the
391: <a href="https://man.openbsd.org/iwm">iwm(4)</a> driver.
1.7 stsp 392: <li>Fixed <a href="https://man.openbsd.org/iwm">iwm(4)</a> support
1.8 stsp 393: for Intel 3168 wifi devices.
1.7 stsp 394: <li>Added support for the tp-link tl-wn823n to the <a
395: href="https://man.openbsd.org/urtwn">urtwn(4)</a> driver.
1.24 stsp 396: <li>The <a href="https://man.openbsd.org/athn">athn(4)</a> driver
397: now offloads CCMP (WPA2) encryption and decryption to hardware.
1.40 schwarze 398: <li>Prevented an overflow due to <a
399: href="https://man.openbsd.org/xen">xen(4)</a> failing to release the
400: interrupt source when unmasking the interrupt.
1.47 krw 401: <li>Fixed <a href="https://man.openbsd.org/usb.4">usb(4)</a>
402: handling USB 2.0 devices on various USB 3.0 controllers.
403: <li>Fixed <a href="https://man.openbsd.org/usb.4">usb(4)</a>
404: handling of controllers that STALL to indicate a short read.
405: <li>Fixed <a href="https://man.openbsd.org/xhci.4">xhci(4)</a>
406: handling of i/o's that are exact multiples of the max packet size.
1.49 ! krw 407: <li>Bumped <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
! 408: maximum physio i/o size to 128K.
! 409: <li>Fixed probing of modern <a href="https://man.openbsd.org/scsi.4">scsi(4)</a>
! 410: devices to ignore the SYNC and WIDE flags used by parallel SCSI.
1.1 benno 411: </ul>
412:
413: <li>Removed hardware support
414: <ul>
1.13 benno 415: <li>Removed sitaracm(4), for the Sitara ARM control module device integrated in AM335X SoCs.
416: <li>Removed the rtfps(4) driver, a multiplexing serial communications interface for IBM RT PC boards
417: <li>Removed the sli(4), the Emulex LightPulse Fibre Channel SCSI interface driver.
1.1 benno 418: <li>Removed the dpt(4) driver for DPT EATA SCSI RAID.
1.13 benno 419: <li>Removed gpr(4), a driver for GemPlus GPR400 PCMCIA smartcard readers.
1.49 ! krw 420: <li>Removed mesh(4), a driver for old world Apple Power Macintosh SCSI cards.
1.1 benno 421: </ul>
422:
423: <li>Improvements in audio drivers and the
424: <a href="https://man.openbsd.org/sndio">sndio(7)</a> framework:
425: <ul>
426: <li>Introduced the <a
1.48 ratchov 427: href="https://man.openbsd.org/sioctl_open">sioctl_open(3)</a>
428: API to manipulate audio controls exposed by <a
429: href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
430: <li>Modified <a
431: href="https://man.openbsd.org/sndiod">sndiod(8)</a> to
432: use and expose hardware volume controls if available.
433: <li>Modified all ports manipulating audio controls to use <a
434: href="https://man.openbsd.org/sndio">sndio(7)</a> instead of the
435: kernel <a href="https://man.openbsd.org/mixer">mixer(4)</a> interface.
436: <li>Introduced the <a
1.1 benno 437: href="https://man.openbsd.org/sndioctl">sndioctl(1)</a> utility to
1.48 ratchov 438: manipulate audio controls exposed by <a
1.1 benno 439: href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
1.48 ratchov 440: <li>Exposed the first 4 <a
441: href="https://man.openbsd.org/audio">audio(4)</a> devices
442: and the first 8 <a
443: href="https://man.openbsd.org/midi">midi(4)</a> devices through <a
444: href="https://man.openbsd.org/sndiod">sndiod(8)</a> by default.
1.1 benno 445: <li>Disabled access for regular users to /dev/audio* and
1.48 ratchov 446: /dev/rmidi*, for improved security.
1.1 benno 447: <li>Modified <a
448: href="https://man.openbsd.org/mixerctl">mixerctl(1)</a> to use
1.48 ratchov 449: /dev/audioctl* instead of /dev/mixer*.
450: <li>Removed /dev/mixer*
1.1 benno 451: <li>Corrected inappropriate rate selection in <a
452: href="https://man.openbsd.org/uaudio">uaudio(4)</a> preventing
1.48 ratchov 453: operation of devices supporting fewer rates for recording than
1.1 benno 454: playback.
1.48 ratchov 455: <li>Fixed volume control of many <a
456: href="https://man.openbsd.org/uaudio">uaudio(4)</a>
457: devices.
1.1 benno 458: <li>Fixed channel duplication (-j option) in <a
459: href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
460: <li>Allowed <a href="https://man.openbsd.org/rc.d">rc.d(8)</a>
461: script to reload <a
462: href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
463: <li>Added an <a
464: href="https://man.openbsd.org/azalia">azalia(4)</a> quirk for the
465: ALC285 on the X1C7 to avoid a clicking noise on the headphone output.
466: <li>Disabled MSI for the AMD Hudson2 <a
467: href="https://man.openbsd.org/azalia">azalia(4)</a> HDA to fix random lock ups.
468: </ul>
469:
1.12 benno 470: <li>A large number of drivers were written to improve <a href="https://www.openbsd.org/arm64.html">arm64</a>
471: and <a href="https://www.openbsd.org/armv7.html">armv7</a> hardware support, including:
1.1 benno 472: <ul>
473: <li>Better hardware support for the i.MX8MM platform.
474: <li>Better support for Raspbery Pi 3 and 4
1.20 benno 475: <li>Better support for Rockchip based systems, especially the Pinebook Pro.
476: <li>Added arm64 support for lldb.
477: <li>Switched USB to use non-coherent buffers for data transfers, dramatically improving performance on some ARM SoCs where the USB controller is not coherent with the caches.
478: <li>Resolved syscall speculation in armv7 cpus as in arm64, changing the system call ABI to skip two instructions and inserting speculation-blocking sequences.
479: <li>Added /dev/drm[0-3] on arm64.
480: <li>Allowed switching to framebuffer "glass" console on armv7, mirroring previous changes to arm64.
481: <li>Corrected cache flush operations on arm64 which were being incorrectly treated as write operations. This fixes a bug where cache flushing caused Firefox to abort.
482: <li>Added the capability for armv7 boot from another block device than the one from which efiboot was loaded.
483: <li>Enabled <a href="https://man.openbsd.org/umt">umt(4)</a> (USB HID multitouch touchpad devices) on arm64.
484: <br><br>
485: Specifically the following device drivers were added or fixed:
1.1 benno 486: <li>Added <a href="https://man.openbsd.org/bcmbsc">bcmbsc(4)</a>, a driver for the Broadcom Serial Control (BSC) controller.
487: <li>Added <a href="https://man.openbsd.org/bcmgpio">bcmgpio(4)</a>, a driver for the Broadcom BCM283x GPIO controller.
488: <li>Added <a href="https://man.openbsd.org/bcmsdhost">bcmsdhost(4)</a>, a driver for the Broadcom "sdhost" SD controller found on the Raspberry Pi.
489: <li>Added <a href="https://man.openbsd.org/bcmdmac">bcmdmac(4)</a>, a driver for the DMA controller found on BCM283x SoCs.
490: <li>Added support for the additional <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controller found on the Raspberry Pi.
491: <li>Added quirks for the <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controller on the Raspberry Pi, providing microSD card or WiFi support depending on the firmware configuration.
492: <li>Added support for hardware with <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controllers on busses only supporting 32-bit access.
493: <li>Added <a href="https://man.openbsd.org/bcmirng">bcmirng(4)</a>, a driver for the RNG200 random number generator found on the Raspberry Pi 4.
494: <li>Added <a href="https://man.openbsd.org/bcmclock">bcmclock(4)</a>, a driver for the BCM283X CPRMAN clock controller.
495: <li>Added <a href="https://man.openbsd.org/bcmmbox">bcmmbox(4)</a>, a driver for the VideoCore messagebox interface on BCM283X.
496: <li>Added <a href="https://man.openbsd.org/bcmpcie">bcmpcie(4)</a>, a driver for the PCIe controller found on the Raspberry Pi 4.
1.20 benno 497:
498:
1.1 benno 499: <li>Added <a href="https://man.openbsd.org/bse">bse(4)</a>, a driver for the Broadcom GENET v5 network interface found on the Raspberry Pi 4.
500: <li>Added <a href="https://man.openbsd.org/brgphy">brgphy(4)</a> support for the Broadcom BCM54210E.
1.20 benno 501: <li>Added support for the Armada 3720 CPU clock to <a href="https://man.openbsd.org/mvclock">mvclock(4)</a>.
1.1 benno 502: <li>Fixed <a href="https://man.openbsd.org/mvneta">mvneta(4)</a> on arm64.
503: <li>Added <a href="https://man.openbsd.org/omcm">omcm(4)</a>, <a href="https://man.openbsd.org/omclock">omclock(4)</a> and <a href="https://man.openbsd.org/omsysc">omsysc(4)</a> drivers that support the new bus structure used in current mainline Linux device trees.
1.20 benno 504: <li>Added <a href="https://man.openbsd.org/omrng">omrng(4)</a>, a driver for the random number generator found on TI OMAP SoCs.
1.1 benno 505: <li>Fixed the MAC address on Pandaboard-ES by increasing <a href="https://man.openbsd.org/smsc">smsc(4)</a> buffer size used to fetch device tree properties.
506: <li>Added support for additional Allwinner A80 clocks and resets in <a href="https://man.openbsd.org/sxiccmu">sxiccmu(4)</a>.
507: <li>Fixed <a href="https://man.openbsd.org/amlpciephy">amlpciephy(4)</a> USB3 support when USB has not been initialized by U-Boot.
508: <li>Fixed a crash when no device ports have been registered in ofw.
509: <li>Added clock support for i.MX8MM.
1.20 benno 510: <li>Fixed CPU frequency scaling support on the Librem5 Devkit.
511: <li>Added <a href="https://man.openbsd.org/imxpwm">imxpwm(4)</a>, a driver for the PWM controller found on various NXP i.MX SoCs.
512: <li>Added support for reading the i.MX8MM temperature sensors to <a href="https://man.openbsd.org/imxtmu">imxtmu(4)</a>.
1.1 benno 513: <li>Added <a href="https://man.openbsd.org/bdpmic">bdpmic(4)</a>, a driver for the ROHM BD71837 and BD71847 Power Management IC.
514: <li>Fixed "ipmi0: sendcmd fails" errors when there is an <a href="https://man.openbsd.org/ipmi">ipmi(4)</a> sensor which is enumerated but has failed to be read.
515: <li>Allowed <a href="https://man.openbsd.org/ipmi">ipmi(4)</a> to attach using mmio.
1.20 benno 516:
517: <li>Added <a href="https://man.openbsd.org/rkrng">rkrng(4)</a>, a driver for the random number generator found on various Rockchip SoCs.
518: <li>Added glass console support to <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a> in Rockchip SoCs.
519: <li>Added <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a>, a driver providing kernel mode setting (KMS) functionality for the graphics hardware integrated on Rockchip SoCs.
520: <li>Added support for RK3328 Crypto/RNG clocks.
1.1 benno 521: <li>Implemented the page fault handler for CMA GEM buffers and made <a href="https://man.openbsd.org/drm">drm(4)</a> attach to <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a>, making KMS work on the RK3399 SoC.
522: <li>Added <a href="https://man.openbsd.org/rkdwhdmi">rkdwhdmi(4)</a>, a driver for the HDMI transmitter found on the Rockchip RK3399 SoC.
1.22 benno 523: <li>Added <a href="https://man.openbsd.org/rkanxdp">rkanxdp(4)</a>, an attachment driver for the Analogix Display Port on the RK3399.
1.20 benno 524: <li>Added <a href="https://man.openbsd.org/rkvop">rkvop(4)</a>, a driver for the RK3399's Video Output Processors.
525: <li>Added support for the RK3399's VOP clocks to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
526: <li>Added <a href="https://man.openbsd.org/rkpwm">rkpwm(4)</a>, a driver for the RK3399's PWM controller.
527: <li>Added support for the RK3399's PWM clock to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
528: <li>Added <a href="https://man.openbsd.org/rkemmcphy">rkemmcphy(4)</a>, a driver for the RK3399's eMMC PHY.
529: <li>Added support for the RK3399's eMMC clock to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
530: <li>Added support for gen2 negotiation to <a href="https://man.openbsd.org/rkpcie">rkpcie(4)</a> and enabled gen2 link state training when the dtb is configured with max-link-speed = 2.
531: <li>Added panel support to <a href="https://man.openbsd.org/rkanxdp">rkanxdp(4)</a>.
1.1 benno 532: <li>Introduced VPLL clock frequency setting to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
533: <li>Implemented support for read transfers larger than 32 bytes for <a href="https://man.openbsd.org/rkiic">rkiic(4)</a> controllers and registered the i2c bus, allowing future HDMI support.
1.20 benno 534: <li>Restored enabling and setting the output tap delay in <a href="https://man.openbsd.org/rkemmcphy">rkemmcphy(4)</a>, fixing the eMMC module on the rockpro64.
535:
536: <li>Enabled backlight control use on the Pinebook Pro via <a href="https://man.openbsd.org/wsconsctl">wsconsctl(8)</a>.
1.1 benno 537: <li>Fixed the Pinebook Pro's trackpad by ensuring only hid_input items are accepted when walking the HID descriptor.
538: <li>Fixed <a href="https://man.openbsd.org/pwmbl">pwmbl(4)</a> attachment on the Pinebook Pro.
539: <li>Added <a href="https://man.openbsd.org/simplepanel">simplepanel(4)</a>, a driver for simple display panels. This allows enabling of the Pinebook Pro display panel.
540: <li>Recognized BCM4345 rev 9 as shipped with the Pinebook Pro as an AMPAK AP6256 module in <a href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
541: <li>Improved <a href="https://man.openbsd.org/bwfm">bwfm(4)</a> on the Pinebook Pro by acking SDIO interrupts earlier on <a href="https://man.openbsd.org/dwmmc">dwmmc(4)</a>.
1.20 benno 542: <li>Added <a href="https://man.openbsd.org/sxipwm">sxipwm(4)</a> and <a href="https://man.openbsd.org/pwmbl">pwmbl(4)</a>, drivers which jointly add support for the backlight controller on the Pinebook.
543:
544: <li>Added <a href="https://man.openbsd.org/anxdp">anxdp(4)</a>, a driver for the Analogix Display Port controller.
1.1 benno 545: <li>Added <a href="https://man.openbsd.org/amltemp">amltemp(4)</a>, a driver for the temperature sensors on various Amlogic SoCs.
546: <li>Added thermal sensor clocks to <a href="https://man.openbsd.org/amlclock">amlclock(4)</a>.
547: <li>Added <a href="https://man.openbsd.org/pwmfan">pwmfan(4)</a>, a driver for PWM-regulated fans.
1.20 benno 548:
549:
1.1 benno 550: </ul>
551:
552: <li>IEEE 802.11 wireless stack improvements and bugfixes:
553: <ul>
1.17 stsp 554: <li>Stop connecting to any available unencrypted wifi networks when an
555: interface is marked up. This behavior must now be explicitly enabled
556: with <code><a href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> join
557: ""</code>.
558: <li>A background scan is now triggered when root runs the <a
559: href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> scan command.
560: This updates the list of cached APs displayed by the scan command and
561: forces a search for a better AP to roam to.
1.23 stsp 562: <li>Add <code>nwflag nomimo</code> which can be set with <a
563: href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> to work
564: around packet loss in 11n mode if the wireless network device has
565: unused antenna connectors.
1.17 stsp 566: <li>Increased the net80211 node cache size to allow more APs to be viewed during scans.
567: <li>Fixed the <a
568: href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> "media:" line
569: displayed during and after a background scan in 11n mode.
570: <li>Made background scans less frequent if they keep choosing the same AP.
571: <li>Fix kernel crashes in net802111 hostap mode due to mbuf corruption
572: which occurred if a relatively long SSID was configured.
1.14 stsp 573: <li>Added support for active scanning to <a
1.1 benno 574: href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
1.14 stsp 575: <li>Fix <a href="https://man.openbsd.org/bwfm">bwfm(4)</a> behavior which
576: could trigger the ifq pressure drop mechanism under moderate load.
1.1 benno 577: <li>Improved error handling for <a
578: href="https://man.openbsd.org/bwfm">bwfm(4)</a> connection attempts.
1.14 stsp 579: <li>Improved automatic switching between wifi networks by lowering the priority
580: of networks in the <a
581: href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> join list which
582: fail to connect.
1.27 stsp 583: <li>Avoid repeated switching between APs in areas where APs
1.17 stsp 584: are tuned for low transmit range.
1.1 benno 585: <li>Raised net80211's "beacon miss" threshold to avoid frequent
1.14 stsp 586: reconnects under conditions which cause loss of beacons.
1.17 stsp 587: <li>Reduced stalls on packet loss in 11n mode by improving net80211 handling
588: of the Rx block ack sequence number window and queue.
589: <li>Fixed a bug where outstanding frames on the <a
590: href="https://man.openbsd.org/iwn">iwn(4)</a> aggregation queue
591: interfered with roaming to another AP.
592: <li>Fixed a race condition in <a
593: href="https://man.openbsd.org/iwm">iwm(4)</a> Rx interrupt handling.
594: <li>Implemented a workaround for missing Tx completion interrupts
595: in <a href="https://man.openbsd.org/iwm">iwm(4)</a> which could lead
596: to failures when roaming to another AP.
597: <li>Re-enabled firmware-based Tx retries at lower rates for <a
598: href="https://man.openbsd.org/iwm">iwm(4)</a>, reducing packet loss.
599: <li>Fixed automatic Tx rate control issues in <a
600: href="https://man.openbsd.org/iwm">iwn(4)</a>, and <a
601: href="https://man.openbsd.org/iwm">iwm(4)</a>.
1.25 stsp 602: <li>Fixed a use-after-free that caused a kernel crash during <a
603: href="https://man.openbsd.org/zyd">zyd(4)</a> device detach.
1.1 benno 604: </ul>
605:
606: <li>Generic network stack improvements and bugfixes:
607: <ul>
608:
609: <li>Fixed a panic when using <a href="https://man.openbsd.org/pppac">
610: pppac(4)</a> without <a href="https://man.openbsd.org/pipex">pipex(4)</a>.
611: <li>Fixed a "route contains no arp information" bug where a kernel routing
612: table entry was incorrectly deleted upon insertion of a new entry.
613: <li>Stopped processing packets under non-exclusive netlock, preventing
614: concurrency in the socket layer.
615: <li>Prevented data corruption on UDP receive socket buffers by grabbing the
616: exclusive NET_LOCK() in the softnet thread.
617: <li>Fixed a kernel crash due to unlimited recursion caused by
618: local outbound UDP broadcast/multicast packets sent by a spliced
619: socket.
620: <li>Added IPv6 support to <a href="https://man.openbsd.org/umb">umb(4)</a>.
621: <li>Added support for very old firmware umsm devices with <a
622: href="https://man.openbsd.org/umsm">umsm(4)</a> rather than <a
623: href="https://man.openbsd.org/umb">umb(4)</a>.
624: <li>Added <a href="https://man.openbsd.org/pppac">pppac(4)</a>
625: code for a dedicated PPP Access Concentrator interface and switched <a
626: href="https://man.openbsd.org/npppd.conf">npppd.conf(5)</a> to use <a
627: href="https://man.openbsd.org/pppac">pppac(4)</a> instead of <a
628: href="https://man.openbsd.org/tun">tun(4)</a>.
629: <li>Added a check when IP forwarding is disabled to ensure packet
630: destination address matches interface address.
631: <li>Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ > 1.
632: <li>Ensured proper kernel stack alignment on mips64, fixing a
633: panic on octeon related to <a
634: href="https://man.openbsd.org/pppoe">pppoe(4)</a>.
635: <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a>, a new
636: driver for Realtek 8125 PCI Express 2.5Gb ethernet devices.
637: <li>Repaired the "set delay" option for <a
638: href="https://man.openbsd.org/pf">pf(4)</a> to function as specified
639: in <a href="https://man.openbsd.org/pf.conf">pf.conf(5)</a>.
640: <li>Prevented non-root users from using <a
641: href="https://man.openbsd.org/ioctl">ioctl(2)</a> to alter the address
642: of a network interface.
643: <li>Prevented non-root users from setting the parameters of <a
644: href="https://man.openbsd.org/pppoe">pppoe(4)</a> interfaces.
645: <li>Removed mobileip(4).
646: <li>Stopped checking whether the IPv6 source address of a neighbor
647: advertisement is from a neighbor's address, not required in accordance
648: with RFC 4861.
649:
650: </ul>
651:
652: <li>Installer improvements:
653: <ul>
654: <li>Simplified <a
655: href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> directory
656: check and creation (/home/_syspatch). It can now be a symlink.
657: <li>Printed the URL when <a
658: href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> fetches
659: new sets.
660: <li>Added an opportunistic run of <a
661: href="https://man.openbsd.org/fw_update">fw_update(1)</a> to <a
662: href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> before
663: rebooting to run the upgrade.
664: </ul>
665:
666: <li>Security improvements:
667: <ul>
668: <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> is
1.6 benno 669: now used in 82 userland programs to redact filesystem access.
1.1 benno 670: <li>Used <a href="https://man.openbsd.org/unveil">unveil(2)</a> to
671: reduce filesystem access in <a
672: href="https://man.openbsd.org/vmstat">vmstat(8)</a>, <a
673: href="https://man.openbsd.org/iostat">iostat(8)</a> and <a
674: href="https://man.openbsd.org/systat">systat(1)</a>.
675:
676: <!-- dig -->
677: <li>Extracted <a href="https://man.openbsd.org/dig">dig(1)</a>, <a
678: href="https://man.openbsd.org/host">host(1)</a> and <a
679: href="https://man.openbsd.org/nslookup">nslookup(1)</a> from the
680: bind(8) source code, cleanup the source code by removing not needed
681: features and auditing it. The kernel API accessible to these
682: programs is now restricted through <a
683: href="https://man.openbsd.org/pledge">pledge(2)</a>.
1.2 deraadt 684: <li>System calls may now only be performed from selected code regions:
685: the main program, <a href="https://man.openbsd.org/ld.so">ld.so(1)</a>,
686: libc.so and the signal trampoline. A new system call
687: <a href="https://man.openbsd.org/msyscall">msyscall(2)</a> indicates
1.5 deraadt 688: the libc range, and activates the locking. This change hardens
1.2 deraadt 689: against some attack methods.
1.1 benno 690: <li>Prevented stack trace saving from inspecting untrusted data on
691: amd64, arm64 and i386.
692: <li>Used lfence in place of stac/clac on pre-SMAP CPUs to protect
693: against Load-Value-Injection attacks against the kernel.
694: <li>Prevented a panic due to missing <a
695: href="https://man.openbsd.org/sysctl">sysctl(2)</a> input validation.
696: <li>Injected failure to fetch entropy with an rdrand() timeout as
697: an entropic event, along with an additional rdtsc measuring the vmexit
698: latency.
699: <li>Enforced that <a href="https://man.openbsd.org/ksh">ksh(1)</a>
700: TMOUT is an integer literal to prevent command execution from the
701: environment at shell initialization time.
702: <li>Ensured the first 2MB page of the amd64 kernel is correctly
703: mapped read-only in the direct map.
704: <li>Addressed an arm64 speculative execution issue by changing the
705: arm64 system call ABI to skip two instructions and inserting a barrier
706: after each system call.
707: <li>Fixed arm64 speculative execution of instructions after ERET,
708: which had led to spectre-like effects on some processors.
709: <li>Tightened permissions for USB device nodes.
710: <li>Ensured that <a
711: href="https://man.openbsd.org/ld.so">ld.so(1)</a> removed the
712: LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID
713: executables in low memory conditions.
714: <li>Added support for RSA-PSS to <a
715: href="https://man.openbsd.org/crypto">crypto(3)</a>.
716: <li>Added retguard for octeon/mips64.
717:
718: <li>The following security bugs were addressed:
719: <ul>
720: <li>Reset the login class each time through the loop when using -L
721: (loop) mode with <a href="https://man.openbsd.org/su">su(1)</a>. Fixes
722: CVE-2019-19519.
723: <li>Fixed insufficient username validation performed by libc's
724: authentication privilege separation layer and added additional
725: validation points, further validating in <a
726: href="https://man.openbsd.org/login">login(1)</a> and <a
727: href="https://man.openbsd.org/su">su(1)</a>.
728: <li>Prevented escalation to the auth group in <a
729: href="https://man.openbsd.org/xlock">xlock(1)</a> through path-related
730: environment variables and disabled mesa and opengl functionality.
731: </ul>
732: </ul>
733:
734: <li>Routing daemons and other userland network improvements:
735: <ul>
736: <!-- bgpd -->
737: <li>Store both IPv4 and IPv6 addresses with local-address in <a
738: href="https://man.openbsd.org/bgpd">bgpd(8)</a>, allowing
739: configuration of both an IPv4 and IPv6 local-address on a group with
740: correct binding of neighbors. Introduced 'no local-address' to reset a
741: previously-set local address back to zero. This helps to reduce
742: repetition in the configuration.
743: <li>Aggregated duplicate <a
744: href="https://man.openbsd.org/bgpd">bgpd(8)</a> roa table
745: prefix/source-as combos as a single entry with the longest maxlen
746: length.
747: <li>Extended <a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a>
748: 'show neighbor' to include the received and set prefix count, as well
749: as the max-prefix out limit if set.
750: <li>Implemented <a
751: href="https://man.openbsd.org/bgpd.conf">bgpd.conf(5)</a>
752: <code>max-prefix NUM out</code> to limit the number of announced
753: prefixes, avoiding leaks of full tables to upstreams and peers.
754: <li>Began marking stale prefixes in the Adj-RIB-out during
755: graceful reload of <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
756: and fixed prefix_withdraw to check the correct prefix flags before
757: removing a prefix from the update or withdraw tree.
758: <li>Fixed a bug with the fatal <a
759: href="https://man.openbsd.org/bgpd">bgpd(8)</a> non-existing prefix
760: call to ensure the missing prefix is inserted into the prefix tree.
761: <li>Fixed <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
762: crashes where the nexthop_runners tail queue was corrupted.
763: <!-- OSPF -->
764: <li>Allowed configuration of the <a
765: href="https://man.openbsd.org/ospfd">ospfd(8)</a> interface setting
766: "type p2p" to be configured globally or per area.
767: <li>Added point-to-point <a
768: href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> support for
769: broadcast interfaces.
1.39 tobhe 770: <!-- other daemons -->
1.1 benno 771: <li>Reduced temporary address valid lifetime to 2 days in <a
772: href="https://man.openbsd.org/slaacd">slaacd(8)</a>.
773: <li>Validated authentication lengths in <a
774: href="https://man.openbsd.org/ripd">ripd(8)</a> before use to prevent
775: crashes.
776: <li>Fixed empty response packages sent out by <a
777: href="https://man.openbsd.org/ripd">ripd(8)</a> when entries are
778: skipped due to split-horizon simple.
779: <li>Correctly parse "0/0" as the default route when specifying
780: the classless-[ms-]static-routes options in <a
781: href="https://man.openbsd.org/dhcpd.conf">dhcpd.conf(5)</a>.
782: <li>Allowed <a
783: href="https://man.openbsd.org/dhclient">dhclient(8)</a> configuration
784: of <a href="https://man.openbsd.org/carp">carp(4)</a> interfaces.
785: <li>Rejected leases in <a
786: href="https://man.openbsd.org/dhclient">dhclient(8)</a> not providing
787: a subnet mask for the address being provided.
788: <li>Constrained and corrected the routes being deleted when
789: applying a new lease in <a
790: href="https://man.openbsd.org/dhclient">dhclient(8)</a> and corrected
791: route comparison. This corrects a network failure with "arpresolve:
792: ... route contains no information".
793: <li>Made <a href="https://man.openbsd.org/slaacd">slaacd(8)</a>
794: honor the rdomain in which it runs when configuring the default route.
795: <li>Withdrew all proposals on <a
796: href="https://man.openbsd.org/slaacd">slaacd(8)</a> startup to prevent
797: indefinite retention of nameservers on interfaces no longer flagged
798: for autoconf.
799: <li>Modified <a href="https://man.openbsd.org/ldpd">ldpd(8)</a> to
800: lookup the adjacency by LSR id as well as source IP address, as the
801: remote peer may change its LSR id.
802:
803: <!-- other programs -->
804: <li>Added support for printing RFC 2332 NBMA Next Hop Resolution Protocol
805: (NHRP) to <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>.
806: <li>Added <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
807: support for printing RFC 8300 Network Service Header (NSH).
808: <li>Added <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
809: support for VXLAN-GPE.
810: <li>Fixed a <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
811: crash when printing the contents of a malformed packet where the
812: packet length was smaller than the size of the usbpcap header.
813:
814: <li>Rewrote dhcpv6 parsing in <a
815: href="https://man.openbsd.org/tcpdump">tcpdump(8)</a> to match the
816: RFC, correctly handling dhcpv6 messages.
817: <li>Accept netmask for IPv6 in <a
818: href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> instead of
819: ignoring it and using only the prefixlen argument.
820:
821: <li>Fixed <a href="https://man.openbsd.org/snmp">snmp(1)</a> agent
822: address parsing to allow IPv6 addresses to be used based on format,
823: allow those without brackets to skip the port if it results in a
824: nonsensical address (allowing use of ::1), and try to connect to the
825: address immediately.
826: <li>Implemented a df subcommand for <a
827: href="https://man.openbsd.org/snmp">snmp(1)</a> which outputs disk and
828: memory information in a <a href="https://man.openbsd.org/df">df(1)</a>
829: format.
830: <li>Implemented a -Cs option in <a
831: href="https://man.openbsd.org/snmp">snmp(1)</a> for snmp walk and
832: bulkwalk, allowing subsections of a tree to be skipped.
1.10 benno 833: <li>Introduced option filter-pf-addresses to <a
834: href="https://man.openbsd.org/snmpd.conf">snmpd.conf(5)</a>, allowing
835: the OPENBSD-PF-MIB::pfTblAddrTable tree to be filtered out when many
836: prefixes are stored in pf tables, reducing CPU usage during bulk
837: walks.
1.1 benno 838:
839: <li>Added retries and timeouts for test packets to <a
840: href="https://man.openbsd.org/radiusctl">radiusctl(8)</a>.
841:
842:
843: <li>Corrected http auth combined with proxy auth in <a
844: href="https://man.openbsd.org/ftp">ftp(1)</a>.
845: <li>Corrected <a href="https://man.openbsd.org/ftp">ftp(1)</a>
846: access to an https server with user/password through the "http_proxy"
847: environment variable.
848: <li>Fixed <a href="https://man.openbsd.org/ftp">ftp(1)</a>
849: tls_handshake() usage, which would break ftp if an handshake wasn't
850: successfully completed in one try.
851: <li>Prevented <a href="https://man.openbsd.org/ftp">ftp(1)</a>
852: from following remote redirects to local files.
853: <li>Implemented HTTP/1.1 in <a href="https://man.openbsd.org/ftp">ftp(1)</a>.
854: <li>Added new -N name option to <a
855: href="https://man.openbsd.org/ftp">ftp(1)</a>, allowing calling
856: scripts to change the progname and produce better error messages.
857:
858: <li>Allowed <a href="https://man.openbsd.org/pfctl">pfctl(8)</a>
859: to recursively flush rules and tables.
860: <li>Ensured rdr-to with loopback destination will work even when
861: IP forwarding is disabled.
862:
863: <!-- rpki-client -->
864:
865: <li>Enabled <a
866: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>, a free,
867: easy-to-use implementation of the Resource Public Key Infrastructure
868: (RPKI) for Relying Parties (RP) to facilitate validation of the Route
869: Origin of a BGP announcement. The program queries the RPKI repository
870: system and outputs Validated ROA Payloads in the configuration format
871: of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by
872: other routing stacks.
873: <li>Modified root's <a
874: href="https://man.openbsd.org/crontab">crontab(1)</a> to run <a
875: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> and
876: reload <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
877: configuration, enabling RPKI ROA filtering.
878: <li>Stopped hardcoding the cache directory for <a
879: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>. Cache
880: and output directory will use defaults for root users and must be
881: specified by non-root users.
882: <li>Made <a
883: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> use
884: with the existing cache and not exit if rsync(1) exits non-zero.
885: <li>Fixed <a
886: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> -j
887: option, which had not been producing any output.
888: <li>Generated three different BIRD outputs with <a
889: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> -B: v1
890: with IPv4 and IPv6 routes, and v2.
891: <li>Rewrote the time validity check for mtfs in <a
892: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> to
893: correctly account for the timezone.
894: <li>Added <a
895: href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> output
896: formats for bird and CSV.
1.41 florian 897: </ul>
1.1 benno 898:
1.41 florian 899: <li><a href="https://man.openbsd.org/unwind">unwind(8)</a> improvements:
900: <ul>
1.1 benno 901: <li>Implemented <a
902: href="https://man.openbsd.org/unwindctl">unwindctl(8)</a> status
903: memory to show cache memory usage.
904: <li>Allowed forcing specific domains to be resolved by specific
905: resolvers in <a
906: href="https://man.openbsd.org/unwind.conf">unwind.conf(5)</a>,
907: handling typical split-horizon setups.
908: <li>Measured performance of resolving strategies in <a
909: href="https://man.openbsd.org/unwind">unwind(8)</a>, sorting them and
1.41 florian 910: choosing the next best strategy when one fails.
911: Performance data decays over time.
912: <li>Switched captive portal detection from HTTP probing to DNS probing in <a
1.1 benno 913: href="https://man.openbsd.org/unwind">unwind(8)</a>.
914: <li>Implemented DNS proposals in <a
915: href="https://man.openbsd.org/unwind">unwind(8)</a> to learn
916: nameservers from network autoconfiguration daemons.
917: <li>Added opportunistic DoT support to <a
918: href="https://man.openbsd.org/unwind">unwind(8)</a>.
919: <li>Added an ASR resolver type to <a
920: href="https://man.openbsd.org/unwind">unwind(8)</a>, using the libc
1.41 florian 921: asynchronous resolver directly with DHCP-provided nameservers to work
922: around broken middle boxes.
1.39 tobhe 923: </ul>
924:
925: <li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> improvements and
926: bugfixes:
927: <ul>
928: <li>Added support for automatically moving traffic between
929: rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a>
930: encryption or decryption, reducing the attack surface for network
931: sidechannel attacks.
932: <li>Added <a href="https://man.openbsd.org/iked">iked(8)</a>
933: support for switching rdomain on <a
934: href="https://man.openbsd.org/ipsec">ipsec(4)</a>
935: encryption/decryption, configurable per policy with the new
936: 'rdomain' option in <a
937: href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
938: <li>Changed the default ipsec level set by <a
939: href="https://man.openbsd.org/iked">iked(8)</a> and <a
940: href="https://man.openbsd.org/isakmpd">isakmpd(8)</a> to
941: IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming
942: ipsec flows are no longer accepted by default.
943: <li>Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to
944: the default Diffie-Hellman group configuration for IKE SAs in
945: <a href="https://man.openbsd.org/iked">iked(8)</a>.
946: <li>Removed support for the insecure EC2N Diffie-Hellman groups in <a
947: href="https://man.openbsd.org/iked">iked(8)</a>.
948: <li>Changed the default authentication method in <a
949: href="https://man.openbsd.org/iked">iked(8)</a> to
950: generic signature authentication (RFC 7427).
951: <li>Added ESN configuration options for ikesa in <a
952: href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
953: <li>Added transport mode for child SAs to <a
954: href="https://man.openbsd.org/iked">iked(8)</a>.
955: <li>Added active probing for lost connection in <a
956: href="https://man.openbsd.org/iked">iked(8)</a> resulting in a
957: faster connection reset.
958: <li>Added a -p command line option to <a
959: href="https://man.openbsd.org/iked">iked(8)</a> allow configuration
960: of a non-standard UDP encapsulation port.
961: <li>Added support for multiple x509 extensions and multiple
962: subjectAltName fields in certificates used with <a
963: href="https://man.openbsd.org/iked">iked(8)</a>.
964: <li>Added support for certificates with uppercase subjectAltNames
965: in <a href="https://man.openbsd.org/iked">iked(8)</a>.
966: <li>Removed automatically installed <a
967: href="https://man.openbsd.org/ipsec">ipsec(4)</a> flow blocking
968: unencrypted IPv6 traffic in <a
969: href="https://man.openbsd.org/iked">iked(8)</a>.
970: <li>Reduced size of IKE_AUTH message by eliminating duplicate traffic
971: selectors in <a href="https://man.openbsd.org/iked">iked(8)</a>.
972: <li>Added an <a
973: href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa"
974: command to print information about the state of negotiated IKE SAs,
975: their child SAs and the resulting IPsec flows.
976: <li>Added an <a
977: href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id"
978: command to reset all SAs from policies with matching destination IDs.
979: <li>Added support for UDP encapsulation in manual SAs set up with <a
980: href="https://man.openbsd.org/ipsec.conf">ipsec.conf(5)</a>.
981: <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
982: bug that lead to connection loss after simultaneous rekeying.
983: <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
984: public key leak in the CA process for ASN-DN IDs.
985: <li>Fixed a bug that lead to a lost EAP ID after rekeying in <a
986: href="https://man.openbsd.org/iked">iked(8)</a>.
987: <li>Fixed EAP user database corruption resulting from use of the <a
988: href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command.
989: <li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a>
990: calculation of IPv6 address leases from small address pools.
991: <li>Fixed several bugs that could lead to <a
992: href="https://man.openbsd.org/iked">iked(8)</a> selecting a false policy
993: for incoming requests, resulting in a failed handshake.
994: <li>Fixed a bug that broke PSK authentication against Strongswan.
995: <li>Enabled UDP-encapsulation in Child SAs if <a
996: href="https://man.openbsd.org/iked">iked(8)</a> was started with -t.
997: <li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a>
998: IKE pcap file creation.
1.1 benno 999: </ul>
1000:
1.35 nicm 1001: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
1.1 benno 1002: <ul>
1003: <li>Indicated the marked pane in <a
1004: href="https://man.openbsd.org/tmux">tmux(1)</a> choose mode in
1005: reverse, and added keys to set (m) and clear it (M), and to jump to
1006: the starting pane (H).
1007: <li>Allowed <a href="https://man.openbsd.org/tmux">tmux(1)</a>
1008: main-pane-width and height to be specified as percentages.
1009: <li>Added a -f filter argument to the <a
1010: href="https://man.openbsd.org/tmux">tmux(1)</a> list commands like
1011: choose-tree.
1012: <li>Added an -s flag to <a
1013: href="https://man.openbsd.org/tmux">tmux(1)</a> copy-mode to specify a
1014: different pane for the source content.
1015: <li>Added a -T flag to <a
1016: href="https://man.openbsd.org/tmux">tmux(1)</a> resize-pane to trim
1017: lines below the cursor.
1018: <li>Added support for <a
1019: href="https://man.openbsd.org/tmux">tmux(1)</a> overlay popup boxes,
1020: created with the display-popup command.
1021: <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> -d
1022: flag to run-shell to wait for delay before running the command (or
1023: delay with no command).
1024: <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a>
1025: copy-mode -H flag to hide the position marker in the top right.
1026: <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> C-g
1027: to cancel command prompt with <a
1028: href="https://man.openbsd.org/vi">vi(1)</a> keys as well as emacs, and
1029: q in command mode.
1030: <li>Modified <a href="https://man.openbsd.org/tmux">tmux(1)</a> -S
1031: server socket to be created with umask 177 rather than 117.
1032: <li>Introduced a <a
1033: href="https://man.openbsd.org/tmux">tmux(1)</a> selection_active
1034: format for when the selection is present but not moving with the
1035: cursor.
1036: <li>Added -a to the list-keys command in <a
1037: href="https://man.openbsd.org/tmux">tmux(1)</a> to also list keys
1038: without notes with -N.
1039: <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> support
1040: for adding a note to a key binding with bind-key -N and using this to
1041: add descriptions to the default key binding. Using list-keys -N shows
1042: key bindings with notes. Changed the default ? binding to show a
1043: readable summary of keys.
1044: <li>Added -Z to the default <a
1045: href="https://man.openbsd.org/tmux">tmux(1)</a> switch-client command
1046: in tree mode.
1047: <li>Prevented read-only <a
1048: href="https://man.openbsd.org/tmux">tmux(1)</a> clients from limiting
1.35 nicm 1049: the size of other clients.
1.1 benno 1050: <li>Added support for regex searches in <a
1051: href="https://man.openbsd.org/tmux">tmux(1)</a> copy mode.
1052: <li>Modified <a href="https://man.openbsd.org/tmux">tmux(1)</a>
1053: source-file to allow reading from stdin.
1054: <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> p
1055: format modifier for padding to width.
1056: <li>Added -f for full size to join-pane in <a
1057: href="https://man.openbsd.org/tmux">tmux(1)</a>.
1058: <li>Changed <a href="https://man.openbsd.org/tmux">tmux(1)</a>
1059: new-session -A to attach to the best existing session when a session
1060: name is not specified, rather than creating a new session.
1061: <li>Added an option to <a
1062: href="https://man.openbsd.org/tmux">tmux(1)</a> to set the key sent by
1063: backspace for systems using ^H.
1064: <li>Added -F flag to <a
1065: href="https://man.openbsd.org/tmux">tmux(1)</a> send-keys to expand
1066: formats in search-backward and forward copy mode commands.
1067: <li>Added support for percentage sizes to <a
1068: href="https://man.openbsd.org/tmux">tmux(1)</a> resize-pane ("-x 10%")
1069: and changed split-window and join-pane -l to accept similar
1070: percentages, deprecating the -p option.
1071: </ul>
1072:
1073: <li>VMM/VMD improvements
1074: <ul>
1075: <li>Added <a href="https://man.openbsd.org/vmm">vmm(4)</a> IOCTL
1076: handler to set the access protections of the ept.
1077: <li>Added a check in <a
1078: href="https://man.openbsd.org/vmm">vmm(4)</a> for <a
1079: href="https://man.openbsd.org/pvclock">pvclock(4)</a> struct crossing
1080: of page boundaries, which could potentially corrupt host memory.
1081: <li>Tightened rdmsr on svm in <a href="https://man.openbsd.org/vmm">vmm(4)</a>.
1082: <li>Fixed an issue where a <a
1083: href="https://man.openbsd.org/vmm">vmm(4)</a> guest could write to
1084: host memory by passing bogus addresses in <a
1085: href="https://man.openbsd.org/pvclock">pvclock(4)</a>.
1086: <li>Run <a href="https://man.openbsd.org/cu">cu(1)</a> in
1087: restricted mode using -r in <a
1088: href="https://man.openbsd.org/vmctl">vmctl(8)</a> and <a
1089: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>.
1090: <li>Started virtual machines defined in <a
1091: href="https://man.openbsd.org/vm.conf">vm.conf(5)</a> in a staggered
1092: fashion, helping prevent overload of the host and improper tsc
1093: calibration in guests.
1094: <li>Provided proper concurrency control when pausing a vm in <a
1095: href="https://man.openbsd.org/vmd">vmd(8)</a>.
1096: <li>Fixed a panic when tearing down vms with <a
1097: href="https://man.openbsd.org/vmm">vmm(4)</a>.
1098: </ul>
1099:
1100:
1101: <li>ldom/sparc64 virtualization improvements
1102: <ul>
1103: <li>Added support for devaliases for vnet in <a
1104: href="https://man.openbsd.org/ldom.conf">ldom.conf(5)</a>.
1105: <li>Implemented <a
1106: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> "panic -c" to
1107: panic a guest domain (and enter <a
1108: href="https://man.openbsd.org/ddb">ddb(4)</a>).
1109: <li>Implemented "start -c" in <a
1110: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> to automatically
1111: connect to the console.
1112: <li>Introduced a -n option to <a
1113: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> to validate the
1114: configuration file and exit.
1115: <li>Added a create-vdisk command to <a
1116: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> analogous to
1117: amd64's <a href="https://man.openbsd.org/vmctl">vmctl(8)</a> create.
1118: <li>Added the "console" command to <a
1119: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> which executes
1120: <a href="https://man.openbsd.org/cu">cu(1)</a> on the domain's
1121: console.
1122: <li>Printed guest domain <a
1123: href="https://man.openbsd.org/vcctty">vcctty(4)</a> devices in status
1124: output in <a href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>.
1125: <li>Added list-io command to <a
1126: href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>, listing the
1127: available PCIe devices to be used with the iodevice parameter in <a
1128: href="https://man.openbsd.org/ldom.conf">ldom.conf(5)</a>.
1129: </ul>
1130:
1131: <li>OpenSMTPD 6.7.0
1132: <ul>
1133: <li>New Features
1134: <ul>
1135:
1136: <li>Allowed use of the <a
1137: href="https://man.openbsd.org/smtpd">smtpd(8)</a> session username in
1138: built-in filters when available.
1139: <li>Introduced a bypass keyword to <a
1140: href="https://man.openbsd.org/smtpd">smtpd(8)</a> so that built-in
1141: filters can bypass processing when a condition is met.
1142: <li>Allowed use of 'auth' as an origin in <a
1143: href="https://man.openbsd.org/smtpd.conf">smtpd.conf(5)</a>.
1144: <li>Allowed use of mail-from and rctp-to as for and from parameters
1145: in <a href="https://man.openbsd.org/smtpd.conf">smtpd.conf(5)</a>.
1146: <li>Stored <a href="https://man.openbsd.org/smtp">smtp(1)</a> session
1147: usernames in an envelope, allowing the ruleset to match specific users
1148: or mailing addresses.
1149:
1150:
1151: </ul>
1152: <li>Bug fixes
1153: <ul>
1154: <li>Ensured legacy <a href="https://man.openbsd.org/ssl">ssl(8)</a>
1155: session ID is persistent during a client TLS session, fixing an issue
1156: using TLSv1.3 with smtp.mail.yahoo.com.
1157: <li>Fixed security vulnerabilities in <a
1158: href="https://man.openbsd.org/smtpd">smtpd(8)</a>. Corrected an
1159: out-of-bounds read in smtpd allowing an attacker to inject arbitrary
1160: commands into the envelope file to be executed as root, and ensured
1161: privilege revocation in <a
1162: href="https://man.openbsd.org/smtpctl">smtpctl(8)</a> to prevent
1163: arbitrary commands from being run with the _smtpq group.
1164: <li>Allowed <a
1165: href="https://man.openbsd.org/mail.local">mail.local(8)</a> to be run
1166: as non-root, opening a pipe to <a
1167: href="https://man.openbsd.org/lockspool">lockspool(1)</a> for file
1168: locking.
1169: <li>Fixed a security vulnerability in <a
1170: href="https://man.openbsd.org/smtpd">smtpd(8)</a> which could lead to
1171: a privilege escalation on mbox deliveries and unprivileged code
1172: execution on lmtp deliveries.
1173: <li>Added support for CIDR in a: spf atoms in <a
1174: href="https://man.openbsd.org/smtpd">smtpd(8)</a>.
1175: <li>Fixed a possible crash in <a
1176: href="https://man.openbsd.org/smtpd">smtpd(8)</a> when combining "from
1177: rdns" with nested virtual aliases under a particular configuration.
1178:
1179: </ul>
1180: <li>Experimental Features
1181: <ul>
1182: <li>...
1183: </ul>
1184: </ul>
1185:
1.28 beck 1186: <li>LibreSSL 3.1.1
1.34 inoguchi 1187: <ul>
1.43 jsing 1188: <li>New Features
1.29 beck 1189: <ul>
1.34 inoguchi 1190: <li>Completed initial TLS 1.3 implementation with a completely new state
1.29 beck 1191: machine and record layer. TLS 1.3 is now enabled by default for the
1192: client side, with the server side to be enabled in a future release.
1193: Note that the OpenSSL TLS 1.3 API is not yet visible/available.
1.43 jsing 1194: <li>Improved cipher suite handling to automatically include TLSv1.3
1195: cipher suites when they are not explicitly referred to in the
1196: cipher string.
1.34 inoguchi 1197: <li>Provided TLSv1.3 cipher suite aliases to match the names used
1198: in RFC 8446.
1.43 jsing 1199: <li>Added cms subcommand to openssl(1).
1200: <li>Added -addext option to openssl(1) req subcommand.
1201: <li>Added -groups option to openssl(1) s_server subcommand.
1202: <li>Added TLSv1.3 extension types to openssl(1) -tlsextdebug.
1203: </ul>
1204:
1205: <li>API and Documentation Enhancements
1206: <ul>
1.34 inoguchi 1207: <li>Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
1208: <li>Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
1.29 beck 1209: 1.1.1 and enabled by default.
1.1 benno 1210: </ul>
1211:
1212: <li>Compatibility Changes
1213: <ul>
1.34 inoguchi 1214: <li>Improved compatibility by backporting functionality and documentation
1215: from OpenSSL 1.1.1.
1216: <li>Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.
1.1 benno 1217: </ul>
1218:
1219: <li>Testing and Proactive Security
1220: <ul>
1.34 inoguchi 1221: <li>Added many new additional crypto test vectors.
1.43 jsing 1222: <li>Fix to disallow setting the AES-GCM IV length to zero.
1.1 benno 1223: </ul>
1224:
1225: <li>Internal Improvements
1226: <ul>
1.34 inoguchi 1227: <li>Many more code cleanups, fixes, and improvements to memory handling
1228: and protocol parsing.
1.1 benno 1229: </ul>
1230:
1231: <li>Portable Improvements
1232: <ul>
1.34 inoguchi 1233: <li>Default CA bundle location is now configurable in portable builds.
1234: <li>Improved portable builds to support for use of static MSVC runtimes.
1235: <li>Fixed portable builds to avoid exporting a sleep() symbol.
1.1 benno 1236: </ul>
1237:
1238: <li>Bug Fixes
1239: <ul>
1.34 inoguchi 1240: <li>Fixed printing the serialNumber with X509_print_ex() fall back to
1241: the colon separated hex bytes in case greater than int value.
1.1 benno 1242: </ul>
1243: </ul>
1244:
1245: <li>OpenSSH 8.1
1246: <ul>
1247: <li>New Features
1248: <ul>
1249: <li>Allowed use of the IgnoreRhosts directive anywhere in an <a
1250: href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> file,
1251: not just before Match blocks, and made it a tri-state option.
1252: <li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a
1253: href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and
1254: RemoteForward when used for Unix domain socket forwarding.
1255: <li>Gave <a
1256: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the
1257: ability to dump the contents of a binary key revocation list with
1258: <code>ssh-keygen -lQf /path</code>.
1259: <li>Added <a href="https://man.openbsd.org/ssh">ssh(1)</a> -Q key-sig
1260: option for all key and signature types, teaching ssh -Q to accept <a
1261: href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> and <a
1262: href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
1263: algorithm keywords as an alias for the corresponding query.
1264: <li>Updated to libfido2 780ad3c25.
1265: <li>Added an <a
1266: href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
1267: "Include" directive to allow inclusion of files.
1268: <li>Removed ssh-rsa (SHA1) from the list of allowed CA signature algorithms.
1269: <li>Removed diffie-hellman-group14-sha1 from the default <a
1270: href="https://man.openbsd.org/ssh">ssh(1)</a> key exchange.
1271: <li>Renamed <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a>
1272: -O to -K to load resident keys from a FIDO authenticator.
1273: <li>Added the ability to download FIDO2 resident keys from a token
1274: via the <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>
1275: -K option and save public/private keys into the current directory.
1276: <li>Implemented support for generating FIDO2 resident keys. "ssh-add
1277: -O" will load resident keys from a FIDO2 token and add them to an
1278: ssh-agent. Removed the -x option currently used for the
1279: FIDO/U2F-specific key flags, now under -O.
1280: <li>Removed single letter flags for moduli generation in <a
1281: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> and moved
1282: all moduli generation options to under the -O flag. Breaks existing
1283: ssh-keygen commandline syntax for moduli-related operations.
1284: <li>Allowed forwarding of a different agent socket to a specified
1285: path in <a href="https://man.openbsd.org/ssh">ssh(1)</a>.
1286: <li>Allowed <a href="https://man.openbsd.org/ssh">ssh(1)</a> security
1287: keys to act as host keys as well as user keys.
1288: <li>Used ssh-sk-helper for all security key signing operations and
1289: security key enrollment. Most <a
1290: href="https://man.openbsd.org/ssh">ssh(1)</a> tools no longer need to
1291: link against libfido2 or interact with /dev/uhid* directly.
1292: <li>Added "no-touch-required" options to <a
1293: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> and <a
1294: href="https://man.openbsd.org/sshd">sshd(8)</a> to disable touch
1295: requirement for authorized_keys and certificates.
1296: <li>Added an <a
1297: href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
1298: PubkeyAuthOptions directive allowing specification of whether <a
1299: href="https://man.openbsd.org/sshd">sshd(8)</a> should check whether
1300: user presence was tested before a security key was made.
1301: <li>Added direct support for U2F/FIDO2 security keys in <a
1302: href="https://man.openbsd.org/ssh">ssh(1)</a>.
1303:
1304: <li>Added initial infrastructure for U2F/FIDO support in <a
1305: href="https://man.openbsd.org/ssh">ssh(1)</a>.
1306:
1307: <li>Notified the user via TTY or $SSH_ASKPASS when <a
1308: href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be
1309: tapped/touched in order to perform a signature operation.
1310: <li>Enabled ed25519 support in <a
1311: href="https://man.openbsd.org/ssh">ssh(1)</a>.
1312:
1313:
1314: </ul>
1315: <li>Bugfixes
1316: <ul>
1317: <li>Detected and prevented simple <a
1318: href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when
1319: using ProxyJump.
1320: <li>Fixed PIN entry bugs on FIDO <a
1321: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>.
1322: <li>Fixed <a
1323: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not
1324: displaying the authenticator touch prompt.
1325: <li>Prevented a timeout in <a
1326: href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't
1327: immediately send a banner, such as with multiplexers like sslh.
1328: <li>Adjusted on-wire signature encoding for ecdsh-sk <a
1329: href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match
1330: ec25519-sk keys.
1331: <li>Fixed a potential NULL dereference for revoked hostkeys in <a
1332: href="https://man.openbsd.org/ssh">ssh(1)</a>.
1333: </ul>
1334: </ul>
1335:
1.38 schwarze 1336: <li>Mandoc 1.14.6
1.1 benno 1337: <ul>
1338: <li>Introduced a new <a
1339: href="https://man.openbsd.org/mdoc">mdoc(7)</a> macro .Tg ("tag") to
1.38 schwarze 1340: explicitly mark a place as defining a term, and improved automatic
1341: tagging in various ways.
1342: <li>Print the manpath when the <a
1343: href="https://man.openbsd.org/man.1#w">man(1) -w</a> option
1344: is given without an argument, for compatibility with the man-1.6
1345: and man-db implementations.
1346: <li>Deleted support for the <a
1347: href="https://man.openbsd.org/OpenBSD-6.6/man.conf.5#_whatdb"
1348: >_whatdb</a> configuration directive from
1349: <a href="https://man.openbsd.org/man.conf.5">man.conf(5)</a>
1350: five years after it was declared obsolete; use <a
1351: href="https://man.openbsd.org/man.conf.5#manpath">manpath</a> instead.
1.1 benno 1352: <li>Added a Content-Security-Policy HTTP header to <a
1.38 schwarze 1353: href="https://man.openbsd.org/man.cgi.8">man.cgi(8)</a>
1354: that allows only CSS.
1355: <li>Provide a STYLE message when <a
1356: href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> knows the
1357: filename and the extension disagrees with the section number
1358: given in the .Dt or .TH macro.
1359: <li>When the <a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a> .Dd
1360: macro lacks an argument, use the empty string, and always
1361: concatenate all arguments, no matter their number.
1362: The same change was applied to groff.
1.1 benno 1363: </ul>
1364:
1.31 benno 1365: <li>Ports and packages:
1366: <p>The package system provides an easy way to install 3rd party software. New features include:
1.1 benno 1367: <ul>
1.18 benno 1368: <li>Provide debug package information that can be installed
1369: alongside packages and used to provide better bug reports.
1370: <li>Added DEBUG_PKG_CACHE functionality to <a
1371: href="https://man.openbsd.org/pkg_add">pkg_add(1)</a>, fetching debug
1372: patches when packages are installed.
1373: <li>Added a -d option to <a
1374: href="https://man.openbsd.org/pkg_add">pkg_add(1)</a> to add debug
1375: packages if present alongside intended updates or additions.
1.1 benno 1376: <li>Added support for "alpha" suffixes in <a
1377: href="https://man.openbsd.org/packages-specs">packages-specs(7)</a>,
1378: removing the need for workarounds in certain ports distfiles.
1.31 benno 1379: </ul>
1.1 benno 1380:
1381: <p>Many pre-built packages for each architecture:
1382: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
1383: <ul style="column-count: 3">
1384: <li>aarch64: XXXX
1385: <li>amd64: XXXX
1386: <li>arm: XXXX
1387: <li>i386: XXXX
1388: <li>mips64: XXXX
1389: <li>mips64el: XXXX
1390: <li>powerpc: XXXX
1391: <li>sparc64: XXXX
1392: </ul>
1393:
1394: <li>As usual, steady improvements in manual pages and other documentation.
1395:
1396: <li>The system includes the following major components from outside suppliers:
1397: <ul>
1398: <li>Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
1.30 matthieu 1399: freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 351,
1400: xkeyboard-config 2.20 and more)
1.1 benno 1401: <li>LLVM/Clang 8.0.1 (+ patches)
1402: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1403: <li>Perl 5.30.2 (+ patches)
1404: <li>NSD 4.2.4
1405: <li>Unbound 1.10.0
1406: <li>Ncurses 5.7
1407: <li>Binutils 2.17 (+ patches)
1408: <li>Gdb 6.3 (+ patches)
1409: <li>Awk Dec 20, 2012 version
1410: <li>Expat 2.2.8
1411: </ul>
1412: </ul>
1413: </section>
1414:
1415: <hr>
1416:
1417: <section id=install>
1418: <h3>How to install</h3>
1419: <p>
1420: Please refer to the following files on the mirror site for
1421: extensive details on how to install OpenBSD 6.7 on your machine:
1422:
1423: <ul>
1424: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/alpha/INSTALL.alpha">
1425: .../OpenBSD/6.7/alpha/INSTALL.alpha</a>
1426: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/amd64/INSTALL.amd64">
1427: .../OpenBSD/6.7/amd64/INSTALL.amd64</a>
1428: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/arm64/INSTALL.arm64">
1429: .../OpenBSD/6.7/arm64/INSTALL.arm64</a>
1430: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/armv7/INSTALL.armv7">
1431: .../OpenBSD/6.7/armv7/INSTALL.armv7</a>
1432: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/hppa/INSTALL.hppa">
1433: .../OpenBSD/6.7/hppa/INSTALL.hppa</a>
1434: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/i386/INSTALL.i386">
1435: .../OpenBSD/6.7/i386/INSTALL.i386</a>
1436: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/landisk/INSTALL.landisk">
1437: .../OpenBSD/6.7/landisk/INSTALL.landisk</a>
1438: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/loongson/INSTALL.loongson">
1439: .../OpenBSD/6.7/loongson/INSTALL.loongson</a>
1440: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/luna88k/INSTALL.luna88k">
1441: .../OpenBSD/6.7/luna88k/INSTALL.luna88k</a>
1442: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/macppc/INSTALL.macppc">
1443: .../OpenBSD/6.7/macppc/INSTALL.macppc</a>
1444: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/octeon/INSTALL.octeon">
1445: .../OpenBSD/6.7/octeon/INSTALL.octeon</a>
1446: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/sparc64/INSTALL.sparc64">
1447: .../OpenBSD/6.7/sparc64/INSTALL.sparc64</a>
1448: </ul>
1449: </section>
1450:
1451: <hr>
1452:
1453: <section id=quickinstall>
1454: <p>
1455: Quick installer information for people familiar with OpenBSD, and the use of
1456: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1457: If you are at all confused when installing OpenBSD, read the relevant
1458: INSTALL.* file as listed above!
1459:
1460: <h3>OpenBSD/alpha:</h3>
1461:
1462: <p>
1463: If your machine can boot from CD, you can write <i>install67.iso</i> or
1464: <i>cd67.iso</i> to a CD and boot from it.
1465: Refer to INSTALL.alpha for more details.
1466:
1467: <h3>OpenBSD/amd64:</h3>
1468:
1469: <p>
1470: If your machine can boot from CD, you can write <i>install67.iso</i> or
1471: <i>cd67.iso</i> to a CD and boot from it.
1472: You may need to adjust your BIOS options first.
1473:
1474: <p>
1475: If your machine can boot from USB, you can write <i>install67.fs</i> or
1476: <i>miniroot67.fs</i> to a USB stick and boot from it.
1477:
1478: <p>
1479: If you can't boot from a CD, floppy disk, or USB,
1480: you can install across the network using PXE as described in the included
1481: INSTALL.amd64 document.
1482:
1483: <p>
1484: If you are planning to dual boot OpenBSD with another OS, you will need to
1485: read INSTALL.amd64.
1486:
1487: <h3>OpenBSD/arm64:</h3>
1488:
1489: <p>
1490: Write <i>miniroot67.fs</i> to a disk and boot from it after connecting
1491: to the serial console. Refer to INSTALL.arm64 for more details.
1492:
1493: <h3>OpenBSD/armv7:</h3>
1494:
1495: <p>
1496: Write a system specific miniroot to an SD card and boot from it after connecting
1497: to the serial console. Refer to INSTALL.armv7 for more details.
1498:
1499: <h3>OpenBSD/hppa:</h3>
1500:
1501: <p>
1502: Boot over the network by following the instructions in INSTALL.hppa or the
1503: <a href="hppa.html#install">hppa platform page</a>.
1504:
1505: <h3>OpenBSD/i386:</h3>
1506:
1507: <p>
1508: If your machine can boot from CD, you can write <i>install67.iso</i> or
1509: <i>cd67.iso</i> to a CD and boot from it.
1510: You may need to adjust your BIOS options first.
1511:
1512: <p>
1513: If your machine can boot from USB, you can write <i>install67.fs</i> or
1514: <i>miniroot67.fs</i> to a USB stick and boot from it.
1515:
1516: <p>
1517: If you can't boot from a CD, floppy disk, or USB,
1518: you can install across the network using PXE as described in
1519: the included INSTALL.i386 document.
1520:
1521: <p>
1522: If you are planning on dual booting OpenBSD with another OS, you will need to
1523: read INSTALL.i386.
1524:
1525: <h3>OpenBSD/landisk:</h3>
1526:
1527: <p>
1528: Write <i>miniroot67.fs</i> to the start of the CF
1529: or disk, and boot normally.
1530:
1531: <h3>OpenBSD/loongson:</h3>
1532:
1533: <p>
1534: Write <i>miniroot67.fs</i> to a USB stick and boot bsd.rd from it
1535: or boot bsd.rd via tftp.
1536: Refer to the instructions in INSTALL.loongson for more details.
1537:
1538: <h3>OpenBSD/luna88k:</h3>
1539:
1540: <p>
1541: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1542: from the PROM, and then bsd.rd from the bootloader.
1543: Refer to the instructions in INSTALL.luna88k for more details.
1544:
1545: <h3>OpenBSD/macppc:</h3>
1546:
1547: <p>
1548: Burn the image from a mirror site to a CDROM, and power on your machine
1549: while holding down the <i>C</i> key until the display turns on and
1550: shows <i>OpenBSD/macppc boot</i>.
1551:
1552: <p>
1553: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1554: /6.7/macppc/bsd.rd</i>
1555:
1556: <h3>OpenBSD/octeon:</h3>
1557:
1558: <p>
1559: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1560: Refer to the instructions in INSTALL.octeon for more details.
1561:
1562: <h3>OpenBSD/sparc64:</h3>
1563:
1564: <p>
1565: Burn the image from a mirror site to a CDROM, boot from it, and type
1566: <i>boot cdrom</i>.
1567:
1568: <p>
1569: If this doesn't work, or if you don't have a CDROM drive, you can write
1570: <i>floppy67.fs</i> or <i>floppyB67.fs</i>
1571: (depending on your machine) to a floppy and boot it with <i>boot
1572: floppy</i>. Refer to INSTALL.sparc64 for details.
1573:
1574: <p>
1575: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1576: will most likely fail.
1577:
1578: <p>
1579: You can also write <i>miniroot67.fs</i> to the swap partition on
1580: the disk and boot with <i>boot disk:b</i>.
1581:
1582: <p>
1583: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1584: </section>
1585:
1586: <hr>
1587:
1588: <section id=upgrade>
1589: <h3>How to upgrade</h3>
1590: <p>
1.42 deraadt 1591: If you already have an OpenBSD 6.6 system, and do not want to reinstall,
1.1 benno 1592: upgrade instructions and advice can be found in the
1593: <a href="faq/upgrade67.html">Upgrade Guide</a>.
1594: </section>
1595:
1596: <hr>
1597:
1598: <section id=sourcecode>
1599: <h3>Notes about the source code</h3>
1600: <p>
1601: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1602: This file contains everything you need except for the kernel sources,
1603: which are in a separate archive.
1604: To extract:
1605: <blockquote><pre>
1606: # <kbd>mkdir -p /usr/src</kbd>
1607: # <kbd>cd /usr/src</kbd>
1608: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1609: </pre></blockquote>
1610: <p>
1611: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1612: This file contains all the kernel sources you need to rebuild kernels.
1613: To extract:
1614: <blockquote><pre>
1615: # <kbd>mkdir -p /usr/src/sys</kbd>
1616: # <kbd>cd /usr/src</kbd>
1617: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1618: </pre></blockquote>
1619: <p>
1620: Both of these trees are a regular CVS checkout. Using these trees it
1621: is possible to get a head-start on using the anoncvs servers as
1622: described <a href="anoncvs.html">here</a>.
1623: Using these files
1624: results in a much faster initial CVS update than you could expect from
1625: a fresh checkout of the full OpenBSD source tree.
1626: </section>
1627:
1628: <hr>
1629:
1630: <section id=ports>
1631: <h3>Ports Tree</h3>
1632: <p>
1633: A ports tree archive is also provided. To extract:
1634: <blockquote><pre>
1635: # <kbd>cd /usr</kbd>
1636: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1637: </pre></blockquote>
1638: <p>
1639: Go read the <a href="faq/ports/index.html">ports</a> page
1640: if you know nothing about ports
1641: at this point. This text is not a manual of how to use ports.
1642: Rather, it is a set of notes meant to kickstart the user on the
1643: OpenBSD ports system.
1644: <p>
1645: The <i>ports/</i> directory represents a CVS checkout of our ports.
1646: As with our complete source tree, our ports tree is available via
1647: <a href="anoncvs.html">AnonCVS</a>.
1648: So, in order to keep up to date with the -stable branch, you must make
1649: the <i>ports/</i> tree available on a read-write medium and update the tree
1650: with a command like:
1651: <blockquote><pre>
1652: # <kbd>cd /usr/ports</kbd>
1653: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_7</kbd>
1654: </pre></blockquote>
1655: <p>
1656: [Of course, you must replace the server name here with a nearby anoncvs
1657: server.]
1658: <p>
1659: Note that most ports are available as packages on our mirrors. Updated
1660: ports for the 6.7 release will be made available if problems arise.
1661: <p>
1662: If you're interested in seeing a port added, would like to help out, or just
1663: would like to know more, the mailing list
1664: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1665: </section>