[BACK]Return to 67.html CVS log [TXT][DIR] Up to [local] / www

File: [local] / www / 67.html (download) (as text)

Revision 1.8, Wed May 6 12:55:06 2020 UTC (4 years ago) by stsp
Branch: MAIN
Changes since 1.7: +3 -1 lines

mention iwm(4) firmware updates

<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>

<title>OpenBSD 6.7</title>
<meta name="description" content="OpenBSD 6.7">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/67.html">

<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.7
</h2>

<table>
<tr>
<td>
<a href="images/xxx.gif"><!-- XXX -->
<img alt="XXX image alt tag" width="227" height="343" src="images/xxx-s.gif"></a>
<td>
Released May 19, 2020<br><!-- XXX -->
Copyright 1997-2020, Theo de Raadt.<br>
<br>
<br>
Artwork by XXX.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.7/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata67.html">the 6.7 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus67.html">detailed log of changes</a> between the
    6.6 and 6.7 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class=signify>
<tr><td>
openbsd-67-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/openbsd-67-base.pub">
RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj</a>
<tr><td>
openbsd-67-fw.pub:
<td>
RWSOSlsdN/fgAY1SvEyFdbTkouV2cIsUBXdJhEIhRscq8TT3bz9iOYRL
<tr><td>
openbsd-67-pkg.pub:
<td>
RWTR60UGd2MbnaRg+upZbbBYO00ZhHJehXy7tH2ORHvCjGcDH2pZpsxv
<tr><td>
openbsd-67-syspatch.pub:
<td>
RWTLqtfkjXfBADZEVkBDwSU0EAhy45nb5ovn1xHtQmD3DcqUWe+CouTL
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>

<hr>

<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.7.
For a comprehensive list, see the <a href="plus67.html">changelog</a> leading
to 6.7.

<ul>

<li>General improvements and bugfixes:
  <ul>
    <li>Reduced the minimum allowed number of chunks in a CONCAT
	volume from 2 to 1, increasing the number of volumes which can be
	created on a single disk with <a
	href="https://man.openbsd.org/bioctl">bioctl(8)</a> from 7 to 15. This
	can be used to create more partitions than previously.
    <li>Rewrote the <a href="https://man.openbsd.org/cron">cron(8)</a>
	flag-parsing code to be getopt-like, allowing tight formations like
	-ns and flag repetition. Renamed the "options" field in <a
	href="https://man.openbsd.org/crontab">crontab(5)</a> to "flags".
    <li>Added <a
	href="https://man.openbsd.org/man5/crontab.5">crontab(5)</a> -s flag
	to the command field, indicating that only a single instance of the
	job should run concurrently.
    <li>Added <a href="https://man.openbsd.org/cron">cron(8)</a>
	support for random values using the ~ operator.
    <li>Allowed <a href="https://man.openbsd.org/cwm">cwm(1)</a>
	configuration of window size based on percentage of the master window
	during horizontal and vertical tiling actions.
    <li>Allowed use of window-htile and window-vtile with the "empty"
	group clients in <a href="https://man.openbsd.org/cwm">cwm(1)</a>.
    <li>Switched powerpc to a machine-independent mplock implementation,
	allowing use of <a href="https://man.openbsd.org/witness">
	witness(4)</a>.
    <li>Added <a href="https://man.openbsd.org/acpi">acpi(4)</a>
	support for the _CCA method, indicating whether DMA is cache-coherent.
    <li>Switched the default compiler on powerpc to clang.
    <li>Bumped <a href="https://man.openbsd.org/nvme">nvme(4)</a> max
	physio() i/o size to 128K.
    <li>Blocked <a href="https://man.openbsd.org/apmd">apmd(8)</a>
	autoaction for 60 seconds after resume, preventing spurious
	suspend/resume cycles.
    <li>Checked battery life against autoaction level on power change
	events in <a href="https://man.openbsd.org/apmd">apmd(8)</a>, making
	-z/-Z work with <a
	href="https://man.openbsd.org/acpibat">acpibat(4)</a>.
    <li>Prevented a kernel hang when no unlocked ffs_softdep worklist
	items could be processed.
    <li>Stopped counting pages mapped as PROT_NONE against the
	RLIMIT_DATA limit, helping code which reserves large chunks of address
	space but populates it sparsely.
    <li>Added the $REQUEST_SCHEME variable to <a
	href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a>, allowing
	preservation of the original connection type (http or https) for
	redirect locations
    <li>Implemented "strip" option in <a
	href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a> for
	fastcgi to be able to have multiple chroots under /var/www for FastCGI
	servers.
    <li>Changed <a href="https://man.openbsd.org/httpd">httpd(8)</a>
	to send a 408 response when a timeout happens while headers are being
	received, but close the connection if no request is received.
    <li>Updated en_US.UTF-8.src to Unicode 12.1.
    <li>Added a new __tmpfd <a
	href="https://man.openbsd.org/__syscall">__syscall(2)</a> that creates
	a new, unnamed file in /tmp, intended for shm/fd passing, but for
	programs that may otherwise like filesystem access
    <li>Imported <a href="https://man.openbsd.org/dt">dt(4)</a>, a
	driver and framework for Dynamic Profiling, and an accompanying bug
	tracer that speaks the <a href="https://man.openbsd.org/bt">bt(5)</a>
	language.
    <li>Added a human-readable mode (-h) to <a
	href="https://man.openbsd.org/systat">systat(1)</a>.
    <li>Implemented scrolling in <a
	href="https://man.openbsd.org/top">top(1)</a> using the 9 and 0 keys.
    <li>Added <a
	href="https://man.openbsd.org/timeout_set_flags">timeout_set_flags(9)</a>
	and TIMEOUT_INITIALIZER_FLAGS(9) to the timeout API, allowing the
	caller to initialize timeouts with arbitrary flags.
    <li>Introduced TIMEOUT_SCHEDULED flag and tos_scheduled statistic
	to <a href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
    <li>Switched to tickless backend in <a
	href="https://man.openbsd.org/timeout.9">timeout(9)</a>, adding new
	interface <a
	href="https://man.openbsd.org/timeout_at_ts">timeout_at_ts(9)</a> to
	avoid backwardly compatible behavior.
    <li>Added the system clock interface <a
	href="https://man.openbsd.org/nanoboottime">nanoboottime(9)</a>,
	returning the UTC time at which the system booted in seconds and
	nanoseconds.
    <li>Introduced efficient page freeing in reverse order from uvm,
	greatly improving cases of massive page freeing.
    <li>Added uvm_objfree to uvm to efficiently free all pages from a
	uvm object, used in the buffer cache for considerable speedup when
	freeing pages.
    <li>Modified buffer cache to use individual uvm_objs per buffer to
	speed page lookups.
    <li>Speed up <a href="https://man.openbsd.org/sort">sort(1)</a> by
	not performing a top-level sort when -c is used with a -k field.
    <li>Modified -z mode verification in <a
	href="https://man.openbsd.org/signify">signify(1)</a> to save the
	header and output it, so signify -zV >saved.tgz will keep the
	signature for later checks.
    <li>Enabled DNSSEC validation in <a
	href="https://man.openbsd.org/unbound">unbound(8)</a> by default.
    <li><a href="https://man.openbsd.org/ntpd">ntpd(8)</a> now does
	constraint validation against 9.9.9.9 and 2620:fe::fe by default.
    <li>Provide debug package information that can be installed
	alongside packages and used to provide better bug reports.
    <li>Added DEBUG_PKG_CACHE functionality to <a
	href="https://man.openbsd.org/pkg_add">pkg_add(1)</a>, fetching debug
	patches when packages are installed.<!-- XXX -->
    <li>Added a -d option to <a
	href="https://man.openbsd.org/pkg_add">pkg_add(1)</a> to add debug
	packages if present alongside intended updates or additions.
  </ul>

<!-- FFS2 -->
<li>The FFS2 filesystem, which uses 64bit timestamps and block numbers
	is now the default for new installs on nearly all architectures:
  <ul>
    <li>Enabled ffs2 in sgi bootblocks and ramdisks.
    <li>Made ffs2 the default filesystem type on installs except for landisk, luna88k and sgi.
    <li>Changed the sparc64 bootblocks to be able to read from ffs1, ffs2 and softraid, and enabled the ffs2 option for both floppies.
    <li>Enabled FFS2 on the landisk ramdisk.
    <li>Taught i386 boot(8), cdboot(8) and pxeboot(8) about ffs2.
    <li>Taught macppc boot(8) about ffs2.
    <li>Taught sparc64 boot(8) (but not the sparc64 bootblocks) about ffs2.
    <li>Allowed hppa <a href="https://man.openbsd.org/man8/hppa/boot.8">boot(8)</a>  to read from an ffs2 filesystem.
    <li>Allowed alpha boot(8) to read from an ffs2 filesystem and adapted its custom installboot to deal with ffs2. Also fixed the partition read code to deal with offsets greater than 2G.
    <li>Adapted <a href="https://man.openbsd.org/biosboot">biosboot(8)</a> so that it can read <a href="https://man.openbsd.org/boot.8">boot(8)</a> from an ffs2 filesystem.
    <li>Allowed amd64 <a href="https://man.openbsd.org/man8/amd64/boot.8">boot(8)</a> to read from an ffs2 filesystem. Enabled ffs2 for floppy.
    <li>Allowed loongson boot(8) to read from an ffs2 filesystem.
    <li>Allowed arm64 and armv7 efiboot(8) to read from an ffs2 filesystem.
  </ul>

<li>SMP-Improvements, System call unlocking:
  <ul>
    <li>Fixed absolute timeout checking in <a
	href="https://man.openbsd.org/__thrsleep">__thrsleep(2)</a>.
    <li>Introduced <a
	href="https://man.openbsd.org/tsleep_nsec">*sleep_nsec(9)</a> to allow
	sleeping for a specified minimum duration, allowing use at the syscall
	layer and elsewhere within the kernel where this minimum duration is
	required.
    <li>Added the MAXTSLP macro, the maximum sleep duration, to <a
	href="https://man.openbsd.org/tsleep_nsec">tsleep_nsec(9)</a>.
    <li>Unlocked the <a href="https://man.openbsd.org/flock">flock(2)</a>
	system call.
    <li>Reworked AMD smt/core/package detection, helping prevent cores
	being misidentified as threads.
    <li>Unlocked the <a href="https://man.openbsd.org/fcntl">fnctl(2)</a> system call.
    <li>Unlocked the <a
	href="https://man.openbsd.org/ioctl">ioctl(2)</a> system call.
    <li>Pushed the KERNEL_LOCK() inside pgsigio() and selwakeup(),
	allowing separate addressing of the three subsystems: signal,
	poll/select and kqueue.
    <li>Unlocked the <a href="https://man.openbsd.org/close">close(2)</a>
	and <a href="https://man.openbsd.org/dup">dup(2)</a> system calls.
    <li>Made <a
	href="https://man.openbsd.org/__thrsleep">__thrsleep(2)</a> and <a
	href="https://man.openbsd.org/__thrwakeup">__thrwakeup(2)</a> MP-safe.
    <li>Unlocked <a href="https://man.openbsd.org/kqueue">kqueue(2)</a>.
    <li>Unlocked <a href="https://man.openbsd.org/pipe">pipe(2)</a>
	and <a href="https://man.openbsd.org/pipe2">pipe2(2)</a>.
    <li>Avoided false positives in <a
	href="https://man.openbsd.org/witness">witness(4)</a> when detecting
	lock order reversals by using separate rwlock initializations for
	userland and kernel maps.
    <li>Reintroduced socket locking inside socket event filters.
    <li>Allowed sleeping inside kqueue event filters.
    <li>Made <a href="https://man.openbsd.org/vmx">vmx(4)</a> transmit mp-safe.
  </ul>

<li>Improved hardware support, including:
  <ul>
    <li>Improvements in the <a href="https://man.openbsd.org/em">em(4)</a> driver.
    <li>Added <a href="https://man.openbsd.org/dsxrtc">dsxrtc(4)</a>,
	a driver for the Maxim DS3231/DS3232 I2C RTC.
    <li>Enabled use of <a href="https://man.openbsd.org/em">em(4)</a> with MSI-X.
    <li>Added <a href="https://man.openbsd.org/ure">ure(4)</a> support
	for Lenovo OneLine Plus Dock Ethernet.
    <li>Improved <a href="https://man.openbsd.org/ucom">ucom(4)</a> to
	fix firmware upload on some microcontroller boards using DTR and RTS
	as signaling lines to reset the device and enter the bootloader.
    <li>Added a PCI attachment driver for <a
	href="https://man.openbsd.org/com">com(4)</a> to support memory-mapped
	PCI devices which are part of a Low Power Subsystem (LPSS).
    <li>Implemented microsecond resolution using <a
	href="https://man.openbsd.org/microuptime">microuptime(9)</a> to avoid
	a hard hang when starting X on Intel Cherry Trail Atom processors.
    <li>Added support for X553 controllers to <a
	href="https://man.openbsd.org/ix">ix(4)</a>.
    <li>Added <a href="https://man.openbsd.org/usb">usb(4)</a> device
	support for an AMD hub on the APU2 and a Synaptics vendor id and two
	fingerprint readers.
    <li>Prevented buffer overflows with <a
	href="https://man.openbsd.org/uthum">uthum(4)</a> by not assuming the
	report length given by the hardware is necessarily smaller than the
	length of the on-stack buffer.
    <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a>, a driver
	for the Realtek 8125 PCI Express 2.5Gb Ethernet devices.
    <li>Fixed cursor issues and suspend/resume on <a
	href="https://man.openbsd.org/amdgpu">amdgpu(4)</a> due to incomplete
	unmapping. This may help <a
	href="https://man.openbsd.org/radeondrm">radeondrm(4)</a> issues as
	well.
    <li>Enabled mmhub power gating on picasso within <a
	href="https://man.openbsd.org/amdgpu">amdgpu(4)</a>.
    <li>Fixed support for additional I2C busses in <a
	href="https://man.openbsd.org/piixpm">piixpm(4)</a> for older SB800
	SMBus controllers. Prevented sensors from attaching four times on old
	AMD machines.
    <li>Invalidated the <a
	href="https://man.openbsd.org/knote">knote(9)</a> list of <a
	href="https://man.openbsd.org/uhid">uhid(4)</a> after device detach,
	preventing a crash that can happen when kqueue still holds references
	to knotes pointing to the device.
    <li>Prevented a use-after-free causing crashes with <a
	href="https://man.openbsd.org/uhidev">uhidev(4)</a> devices.

    <li>Prevented <a href="https://man.openbsd.org/mcx">mcx(4)</a>
	interface lockups due to completion queue overflow.
    <li>Fixed brightness keys on the x395 and other thinkpads with AMD graphics.
    <li>Fixed brightness controls on certain machines where the
	initial brightness values are returned out of range.
    <li>Made <a
	href="https://man.openbsd.org/acpivout">acpivout(4)</a> stop calling
	ACPI methods directly to allow changing brightness other ways on
	certain machines, including the x395.
    <li>Set the default brightness level on attachment for <a
	href="https://man.openbsd.org/pwmbl">pwmbl(4)</a>.
    <li>Fixed <a
	href="https://man.openbsd.org/acpivout">acpivout(4)</a> screen
	brightness adjustment through function keys, better supporting
	machines using exponential brightness scaling.
    <li>Changed <a
	href="https://man.openbsd.org/acpivout">acpivout(4)</a> to increment
	and decrement screen brightness based only on brightness level changes
	of 5% or higher.
    <li>Added <a href="https://man.openbsd.org/amlsm">amlsm(4)</a>, a
	driver for the "secure monitor" firmware interface.
    <li>Fixed Etron EJ168 USB 3.0 Host Controllers via USB 2 devices.
    <li>Added support for the SIERRA MC7700 to <a
	href="https://man.openbsd.org/umsm">umsm(4)</a> UMTS and LTE modem device.
    <li>Fixed RAID volume WWIDs for <a
	href="https://man.openbsd.org/mpii">mpii(4)</a> LSI controllers on
	sparc64, allowing <a
	href="https://man.openbsd.org/autoconf">autoconf(9)</a> to identify
	the volume as the root device and boot off hardware RAID.
    <li>Populated logical disk port WWNs with their RAID volume's WWID
	in <a href="https://man.openbsd.org/mpii">mpii(4)</a>.
    <li>Added <a
	href="https://man.openbsd.org/amdgpio">amdgpio(4)</a>, a driver for
	the GPIO controller found on newer AMD SoC/chipsets.
    <li>Added <a href="https://man.openbsd.org/fido">fido(4)</a>, an
	HID driver for FIDO/U2F security keys.
    <li>Added parsing of DDR4 and LPDDDR3/4 SPD memories to <a
	href="https://man.openbsd.org/spdmem">spdmem(4)</a>.
    <li>Added support to <a
	href="https://man.openbsd.org/lm">lm(4)</a> for NCT6775F, NCT5104D,
	NCT6779D and NCT679[1235]D sensors.
    <li>Added AMD FCH (KERNCZ) to the list of supported devices in <a
	href="https://man.openbsd.org/piixpm">piixpm(4)</a>.
    <li>Updated <a href="https://man.openbsd.org/piixpm">piixpm(4)</a>
	to support newer AMD chips like Hudson-2 and KERNCZ and implemented
	multi-bus support for SB800, Hudson-2 and KERNCZ.
    <li>Extended the expected SPD types to include DDR4 and low-power DDR3/DDR4.
    <li>Enabled full use of jumbo frames on <a
	href="https://man.openbsd.org/bnx">bnx(4)</a> devices.
    <li>Fixed <a href="https://man.openbsd.org/scsi">scsi(8)</a>
	softraid crypto volumes on 4K-sector disks.
    <li>Faked disk info to match expected boot disk when EFI
	bootloader has been received via TFTP, fixing a hang during HP
	Elitebook UEFI boot.
    <li>Improved <a href="https://man.openbsd.org/ksmn">ksmn(4)</a>
	temperature conversion precision.
    <li>Added a quirk to handle Apollo Lake, Gemini Lake and 100
	Series Intel SD/MMC <a href="https://man.openbsd.org/sdhc">sdhc(4)</a>
	controllers which should not have voltages set to 0V.
    <li>Prevented a local user from causing the system to hang by
	reading specific registers when Intel Gen8/Gen9 graphics hardware is
	in a low power state.
    <li>Prevented writes to memory allowed by the Intel Gen9 graphics hardware.
    <li>Added support for buttons 2 and 3 to <a
	href="https://man.openbsd.org/imt">imt(4)</a>.
    <li>Added <a href="https://man.openbsd.org/ogx">ogx(4)</a>, a
	driver for the OCTEON III network processor.
    <li>Fixed endian swapping in <a
	href="https://man.openbsd.org/xhci">xhci(4)</a>, allowing it to work
	again on octeon and other big endian architectures.
    <li>Added <a href="https://man.openbsd.org/sxisid">sxisid(4)</a>,
	a driver to read the on-chip eFuses.
    <li>On newer ThinkPads reporting HKEY version > 1, allowed <a
	href="https://man.openbsd.org/acpivout">acpivout(4)</a> to claim
	backlight controls rather than <a
	href="https://man.openbsd.org/wscons">wscons(4)</a>, allowing use of
	the fine-grained backlight BCL steps defined in <a
	href="https://man.openbsd.org/acpi">acpi(4)</a>.
    <li>Implemented the "parallel boot" feature on compatible sparc64 firmware.
    <li>Introduced <a href="https://man.openbsd.org/iwx">iwx(4)</a>, a
	driver for Intel AX200 WiFi devices.
    <li>Added <a href="https://man.openbsd.org/iwm">iwm(4)</a> support
	for Intel 9260 and 9560 wifi devices.
    <li>Updated firmware for all devices supported by the
	<a href="https://man.openbsd.org/iwm">iwm(4)</a> driver.
    <li>Fixed <a href="https://man.openbsd.org/iwm">iwm(4)</a> support
	for Intel 3168 wifi devices.
    <li>Added support for the tp-link tl-wn823n to the <a
	href="https://man.openbsd.org/urtwn">urtwn(4)</a> driver.
  </ul>

<li>Removed hardware support
  <ul>
	<li>Removed sitaracm(4).
	<li>Removed the rtfps(4) driver.
	<li>Removed the sli(4) driver.
	<li>Removed the dpt(4) driver for DPT EATA SCSI RAID.
	<li>Removed gpr(4).
  </ul>

<li>Improvements in audio drivers and the
	<a href="https://man.openbsd.org/sndio">sndio(7)</a> framework:
  <ul>
    <li>Introduced the <a
	href="https://man.openbsd.org/sndioctl">sndioctl(1)</a> utility to
	control audio parameters exposed by <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Increased the default number of audio devices to 4.
    <li>Disabled access for regular users to /dev/audio* and
	/dev/rmidi*, creating these devices owned by root:_sndiod.
    <li>Added the <a href="https://man.openbsd.org/sndioctl">
	sndioctl(1)</a> -n option to suppress variable names in output and the
	-q option to suppress output when setting variables, as in <a
	href="https://man.openbsd.org/mixerctl">mixerctl(1)</a>.
    <li>Modified <a
	href="https://man.openbsd.org/mixerctl">mixerctl(1)</a> to use
	/dev/audioctlN instead of /dev/mixerN.
    <li>Made libossaudio use <a
	href="https://man.openbsd.org/sndio">sndio(7)</a> instead of the
	kernel <a href="https://man.openbsd.org/mixer">mixer(4)</a> interface.
    <li>Exposed the first 8 <a
	href="https://man.openbsd.org/midi">midi(4)</a> devices to <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a> clients if no -q
	options are used.
    <li>Corrected inappropriate rate selection in <a
	href="https://man.openbsd.org/uaudio">uaudio(4)</a> preventing
	recording on devices supporting fewer rates for recording than
	playback.
    <li>Introduced the <a
	href="https://man.openbsd.org/sndioctl">sndioctl(1)</a> utility to
	control audio parameters exposed by <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Fixed channel duplication (-j option) in <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Prevented an overflow due to <a
	href="https://man.openbsd.org/xen">xen(4)</a> failing to release the
	interrupt source when unmasking the interrupt.
    <li>Implemented a hexdump command in the bootloader, helping to
	inspect the memory layout created by the firmware and useful for UEFI
	debugging.
    <li>Allowed <a href="https://man.openbsd.org/rc.d">rc.d(8)</a>
	script to reload <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Added an <a
	href="https://man.openbsd.org/azalia">azalia(4)</a> quirk for the
	ALC285 on the X1C7 to avoid a clicking noise on the headphone output.
    <li>Disabled MSI for the AMD Hudson2 <a
	href="https://man.openbsd.org/azalia">azalia(4)</a> HDA to fix random lock ups.
  </ul>

<li>Improved <a href="https://www.openbsd.org/arm64.html">arm64</a>
and <a href="https://www.openbsd.org/armv7.html">armv7</a> hardware
support, including:
  <ul>
    <li>Better hardware support for the i.MX8MM platform.
    <li>Better support for Raspbery Pi 3 and 4
    <li>Added <a href="https://man.openbsd.org/bcmbsc">bcmbsc(4)</a>, a driver for the Broadcom Serial Control (BSC) controller.
    <li>Added <a href="https://man.openbsd.org/bcmgpio">bcmgpio(4)</a>, a driver for the Broadcom BCM283x GPIO controller.
    <li>Added <a href="https://man.openbsd.org/bcmsdhost">bcmsdhost(4)</a>, a driver for the Broadcom "sdhost" SD controller found on the Raspberry Pi.
    <li>Added <a href="https://man.openbsd.org/bcmdmac">bcmdmac(4)</a>, a driver for the DMA controller found on BCM283x SoCs.
    <li>Added support for the additional <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controller found on the Raspberry Pi.
    <li>Added quirks for the <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controller on the Raspberry Pi, providing microSD card or WiFi support depending on the firmware configuration.
    <li>Added support for hardware with <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controllers on busses only supporting 32-bit access.
    <li>Added <a href="https://man.openbsd.org/bcmirng">bcmirng(4)</a>, a driver for the RNG200 random number generator found on the Raspberry Pi 4.
    <li>Added <a href="https://man.openbsd.org/bcmclock">bcmclock(4)</a>, a driver for the BCM283X CPRMAN clock controller.
    <li>Added <a href="https://man.openbsd.org/bcmmbox">bcmmbox(4)</a>, a driver for the VideoCore messagebox interface on BCM283X.
    <li>Added <a href="https://man.openbsd.org/bcmpcie">bcmpcie(4)</a>, a driver for the PCIe controller found on the Raspberry Pi 4.
    <li>Added support for the Armada 3720 CPU clock to <a href="https://man.openbsd.org/mvclock">mvclock(4)</a>.
    <li>Added <a href="https://man.openbsd.org/bse">bse(4)</a>, a driver for the Broadcom GENET v5 network interface found on the Raspberry Pi 4.
    <li>Added <a href="https://man.openbsd.org/brgphy">brgphy(4)</a> support for the Broadcom BCM54210E.
    <li>Fixed <a href="https://man.openbsd.org/mvneta">mvneta(4)</a> on arm64.
    <li>Added <a href="https://man.openbsd.org/omcm">omcm(4)</a>, <a href="https://man.openbsd.org/omclock">omclock(4)</a> and <a href="https://man.openbsd.org/omsysc">omsysc(4)</a> drivers that support the new bus structure used in current mainline Linux device trees.
    <li>Added support for RK3328 Crypto/RNG clocks.
    <li>Added glass console support to <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a> in Rockchip SoCs.
    <li>Fixed the MAC address on Pandaboard-ES by increasing <a href="https://man.openbsd.org/smsc">smsc(4)</a> buffer size used to fetch device tree properties.
    <li>Added <a href="https://man.openbsd.org/omrng">omrng(4)</a>, a driver for the random number generator found on TI OMAP SoCs.
    <li>Restored enabling and setting the output tap delay in <a href="https://man.openbsd.org/rkemmcphy">rkemmcphy(4)</a>, fixing the eMMC module on the rockpro64.
    <li>Added <a href="https://man.openbsd.org/rkrng">rkrng(4)</a>, a driver for the random number generator found on various Rockchip SoCs.
    <li>Added support for additional Allwinner A80 clocks and resets in <a href="https://man.openbsd.org/sxiccmu">sxiccmu(4)</a>.
    <li>Added <a href="https://man.openbsd.org/imxpwm">imxpwm(4)</a>, a driver for the PWM controller found on various NXP i.MX SoCs.
    <li>Fixed CPU frequency scaling support on the Librem5 Devkit.
    <li>Fixed <a href="https://man.openbsd.org/amlpciephy">amlpciephy(4)</a> USB3 support when USB has not been initialized by U-Boot.
    <li>Enabled backlight control use on the Pinebook Pro via <a href="https://man.openbsd.org/wsconsctl">wsconsctl(8)</a>.
    <li>Fixed a crash when no device ports have been registered in ofw.
    <li>Added clock support for i.MX8MM.
    <li>Added <a href="https://man.openbsd.org/bdpmic">bdpmic(4)</a>, a driver for the ROHM BD71837 and BD71847 Power Management IC.
    <li>Added support for reading the i.MX8MM temperature sensors to <a href="https://man.openbsd.org/imxtmu">imxtmu(4)</a>.
    <li>Switched USB to use non-coherent buffers for data transfers, dramatically improving performance on some ARM SoCs where the USB controller is not coherent with the caches.
    <li>Added panel support to <a href="https://man.openbsd.org/rkanxdp">rkanxdp(4)</a>.
    <li>Resolved syscall speculation in armv7 cpus as in arm64, changing the system call ABI to skip two instructions and inserting speculation-blocking sequences.
    <li>Added /dev/drm[0-3] on arm64.
    <li>Fixed "ipmi0: sendcmd fails" errors when there is an <a href="https://man.openbsd.org/ipmi">ipmi(4)</a> sensor which is enumerated but has failed to be read.
    <li>Allowed <a href="https://man.openbsd.org/ipmi">ipmi(4)</a> to attach using mmio.
    <li>Enabled the Rockchip video drivers.
    <li>Implemented the page fault handler for CMA GEM buffers and made <a href="https://man.openbsd.org/drm">drm(4)</a> attach to <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a>, making KMS work on the RK3399 SoC.
    <li>Added <a href="https://man.openbsd.org/rkdwhdmi">rkdwhdmi(4)</a>, a driver for the HDMI transmitter found on the Rockchip RK3399 SoC.
    <li>Introduced VPLL clock frequency setting to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
    <li>Implemented support for read transfers larger than 32 bytes for <a href="https://man.openbsd.org/rkiic">rkiic(4)</a> controllers and registered the i2c bus, allowing future HDMI support.
    <li>Added <a href="https://man.openbsd.org/rkanxdp">rkanxdp(4)</a>, an attachment driver for <a href="https://man.openbsd.org/anxdp">anxdp(4)</a> on the RK3399.
    <li>Added <a href="https://man.openbsd.org/anxdp">anxdp(4)</a>, a driver for the Analogix Display Port controller.
    <li>Added <a href="https://man.openbsd.org/rkvop">rkvop(4)</a>, a driver for the RK3399's Video Output Processors.
    <li>Added <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a>, a driver providing kernel mode setting (KMS) functionality for the graphics hardware integrated on Rockchip SoCs.
    <li>Fixed the Pinebook Pro's trackpad by ensuring only hid_input items are accepted when walking the HID descriptor.
    <li>Added support for the RK3399's VOP clocks to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
    <li>Fixed <a href="https://man.openbsd.org/pwmbl">pwmbl(4)</a> attachment on the Pinebook Pro.
    <li>Added <a href="https://man.openbsd.org/simplepanel">simplepanel(4)</a>, a driver for simple display panels. This allows enabling of the Pinebook Pro display panel.
    <li>Enabled <a href="https://man.openbsd.org/umt">umt(4)</a> on arm64.
    <li>Recognized BCM4345 rev 9 as shipped with the Pinebook Pro as an AMPAK AP6256 module in <a href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
    <li>Improved <a href="https://man.openbsd.org/bwfm">bwfm(4)</a> on the Pinebook Pro by acking SDIO interrupts earlier on <a href="https://man.openbsd.org/dwmmc">dwmmc(4)</a>.
    <li>Added <a href="https://man.openbsd.org/amltemp">amltemp(4)</a>, a driver for the temperature sensors on various Amlogic SoCs.
    <li>Added the capability for armv7 boot from another block device than the one from which efiboot was loaded.
    <li>Added thermal sensor clocks to <a href="https://man.openbsd.org/amlclock">amlclock(4)</a>.
    <li>Added arm64 support for lldb.
    <li>Added support for gen2 negotiation to <a href="https://man.openbsd.org/rkpcie">rkpcie(4)</a> and enabled gen2 link state training when the dtb is configured with max-link-speed = 2.
    <li>Added <a href="https://man.openbsd.org/pwmfan">pwmfan(4)</a>, a driver for PWM-regulated fans.
    <li>Added <a href="https://man.openbsd.org/rkpwm">rkpwm(4)</a>, a driver for the RK3399's PWM controller.
    <li>Added support for the RK3399's PWM clock to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
    <li>Added <a href="https://man.openbsd.org/rkemmcphy">rkemmcphy(4)</a>, a driver for the RK3399's eMMC PHY.
    <li>Added support for the RK3399's eMMC clock to <a href="https://man.openbsd.org/rkclock">rkclock(4)</a>.
    <li>Allowed switching to framebuffer "glass" console on armv7, mirroring previous changes to arm64.
    <li>Added <a href="https://man.openbsd.org/sxipwm">sxipwm(4)</a> and <a href="https://man.openbsd.org/pwmbl">pwmbl(4)</a>, drivers which jointly add support for the backlight controller on the Pinebook.
    <li>Corrected cache flush operations on arm64 which were being incorrectly treated as write operations. This fixes a bug where cache flushing caused Firefox to abort.
  </ul>

<li>IEEE 802.11 wireless stack improvements and bugfixes:
  <ul>
    <li>Fixed a problem in <a href="https://man.openbsd.org/iwn">iwn(4)</a>
	where the link gets stuck since every CCMP encrypted frame is
	discarded by the AP as a replay.
    <li>Fixed an automatic Tx rate control issue in <a
	href="https://man.openbsd.org/iwn">iwn(4)</a>.
    <li>Fixed a bug where outstanding frames on the <a
	href="https://man.openbsd.org/iwn">iwn(4)</a> aggregation queue
	interfere with roaming to another AP.
    <li>Implemented a workaround for missing Tx completion interrupts
	in <a href="https://man.openbsd.org/iwm">iwm(4)</a> which could lead
	to failed decisions to roam to other APs.

    <li>Reenabled firmware-based Tx retries at lower rates for <a
	href="https://man.openbsd.org/iwm">iwm(4)</a>, reducing packet loss.
    <li>Enabled DQA mode for <a href="https://man.openbsd.org/iwm">iwm(4)</a>.
    <li>Added support for <a
	href="https://man.openbsd.org/iwm">iwm(4)</a> firmware paging,
	required for newer 8k device firmware.
    <li>Added support for MSI-X for <a
	href="https://man.openbsd.org/iwm">iwm(4)</a> devices.
    <li>Computed RSSI on 9k <a
	href="https://man.openbsd.org/iwm">iwm(4)</a> devices as for previous
	generations, fixing spurious signal strength values of over 100%.
    <li>Fixed an automatic Tx rate control issue in <a
	href="https://man.openbsd.org/iwm">iwm(4)</a> and <a
	href="https://man.openbsd.org/iwx">iwx(4)</a>.
    <li>Fixed MIMO rates with firmware-based rate scaling in <a
	href="https://man.openbsd.org/iwm">iwm(4)</a>.
    <li>Added support for dynamic queue allocation (DQA) to <a
	href="https://man.openbsd.org/iwm">iwm(4)</a>.
    <li>Worked around a race condition in <a
	href="https://man.openbsd.org/iwm">iwm(4)</a> interrupt handling, and
	synced the fix to <a href="https://man.openbsd.org/iwx">iwx(4)</a>.



    <li>Added support for active scan to <a
	href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
    <li>Increased throughput of the ifq pressure drop mechanism for <a
	href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
    <li>Improved error handling for <a
	href="https://man.openbsd.org/bwfm">bwfm(4)</a> connection attempts.

    <li>Fixed the <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> "media:" line
	for 11n wifi interfaces during and after a background scan.
    <li>Fixed an mbuf corruption issue in net80211 hostap mode when overlarge SSIDs are used.
    <li>Stopped switching to new APs found during background scans
	with RSSI levels which will also trigger background scans, helping to
	prevent repeated switching in areas where APs are tuned for low
	transmit range.
    <li>Increased the net80211 node cache size.
    <li>Reduced stalling with lossy wifi by improving net80211
	handling of the Rx block ack sequence number window and queue.
    <li>Prevented a crash in ieee80211_node2req() which could be
	triggered by an <a href="https://man.openbsd.org/ioctl">ioctl(2)</a>
	if the driver had not yet initialized the channel map.
    <li>Stopped connecting to available open wifi networks when an
	interface is marked up. This behavior must now be explicitly enabled
	with <code><a href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> join
	""</code>.
    <li>Fixed MiRA's sub-frame error rate computation.
    <li>Lowered the priority of APs which fail to connect in the <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> join list,
	allowing switching wifi networks by moving between them without having
	to down/up the interface or suspend/resume.
    <li>Triggered a background scan when root runs the <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> scan command,
	updating the list of cached APs for future scans and forcing a search
	for a better AP to roam to.
    <li>Raised net80211's "beacon miss" threshold to avoid frequent
	reconnects to APs suffering packet loss due to distance.
    <li>Made background scans less frequent when choosing the same AP.
  </ul>

<li>Generic network stack improvements and bugfixes:
  <ul>

    <li>Fixed a panic when using <a href="https://man.openbsd.org/pppac">
	pppac(4)</a> without <a href="https://man.openbsd.org/pipex">pipex(4)</a>.
    <li>Fixed a "route contains no arp information" bug where a kernel routing
	table entry was incorrectly deleted upon insertion of a new entry.
    <li>Stopped processing packets under non-exclusive netlock, preventing
	concurrency in the socket layer.
    <li>Prevented data corruption on UDP receive socket buffers by grabbing the
	exclusive NET_LOCK() in the softnet thread.
    <li>Fixed a kernel crash due to unlimited recursion caused by
	local outbound UDP broadcast/multicast packets sent by a spliced
	socket.
    <li>Added IPv6 support to <a href="https://man.openbsd.org/umb">umb(4)</a>.
    <li>Added support for very old firmware umsm devices with <a
	href="https://man.openbsd.org/umsm">umsm(4)</a> rather than <a
	href="https://man.openbsd.org/umb">umb(4)</a>.
    <li>Added <a href="https://man.openbsd.org/pppac">pppac(4)</a>
	code for a dedicated PPP Access Concentrator interface and switched <a
	href="https://man.openbsd.org/npppd.conf">npppd.conf(5)</a> to use <a
	href="https://man.openbsd.org/pppac">pppac(4)</a> instead of <a
	href="https://man.openbsd.org/tun">tun(4)</a>.
    <li>Added a check when IP forwarding is disabled to ensure packet
	destination address matches interface address.
    <li>Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ > 1.
    <li>Ensured proper kernel stack alignment on mips64, fixing a
	panic on octeon related to <a
	href="https://man.openbsd.org/pppoe">pppoe(4)</a>.
    <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a>, a new
	driver for Realtek 8125 PCI Express 2.5Gb ethernet devices.
    <li>Repaired the "set delay" option for <a
	href="https://man.openbsd.org/pf">pf(4)</a> to function as specified
	in <a href="https://man.openbsd.org/pf.conf">pf.conf(5)</a>.
    <li>Prevented non-root users from using <a
	href="https://man.openbsd.org/ioctl">ioctl(2)</a> to alter the address
	of a network interface.
    <li>Prevented non-root users from setting the parameters of <a
	href="https://man.openbsd.org/pppoe">pppoe(4)</a> interfaces.
    <li>Removed mobileip(4).
    <li>Stopped checking whether the IPv6 source address of a neighbor
	advertisement is from a neighbor's address, not required in accordance
	with RFC 4861.

  </ul>

<li>Installer improvements:
  <ul>
    <li>Simplified <a
	href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> directory
	check and creation (/home/_syspatch). It can now be a symlink.
    <li>Printed the URL when <a
	href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> fetches
	new sets.
    <li>Added an opportunistic run of <a
	href="https://man.openbsd.org/fw_update">fw_update(1)</a> to <a
	href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> before
	rebooting to run the upgrade.
  </ul>

<li>Security improvements:
  <ul>
    <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> is
      now used in 82 userland programs to redact filesystem access.
    <li>Used <a href="https://man.openbsd.org/unveil">unveil(2)</a> to
	reduce filesystem access in <a
	href="https://man.openbsd.org/vmstat">vmstat(8)</a>, <a
	href="https://man.openbsd.org/iostat">iostat(8)</a> and <a
	href="https://man.openbsd.org/systat">systat(1)</a>.
    <li><span style="color: red;">mention unveil in ports? Maybe under "Ports and packages" below?</span>

<!-- dig -->
    <li>Extracted <a href="https://man.openbsd.org/dig">dig(1)</a>, <a
	href="https://man.openbsd.org/host">host(1)</a> and <a
	href="https://man.openbsd.org/nslookup">nslookup(1)</a> from the
	bind(8) source code, cleanup the source code by removing not needed
	features and auditing it. The kernel API accessible to these
	programs is now restricted through <a
	href="https://man.openbsd.org/pledge">pledge(2)</a>.
    <li>System calls may now only be performed from selected code regions:
	the main program, <a href="https://man.openbsd.org/ld.so">ld.so(1)</a>,
	libc.so and the signal trampoline. A new system call
	<a href="https://man.openbsd.org/msyscall">msyscall(2)</a> indicates
	the libc range, and activates the locking.  This change hardens
	against some attack methods.
    <li>Prevented stack trace saving from inspecting untrusted data on
	amd64, arm64 and i386.
    <li>Used lfence in place of stac/clac on pre-SMAP CPUs to protect
	against Load-Value-Injection attacks against the kernel.
    <li>Prevented a panic due to missing <a
	href="https://man.openbsd.org/sysctl">sysctl(2)</a> input validation.
    <li>Injected failure to fetch entropy with an rdrand() timeout as
	an entropic event, along with an additional rdtsc measuring the vmexit
	latency.
    <li>Enforced that <a href="https://man.openbsd.org/ksh">ksh(1)</a>
	TMOUT is an integer literal to prevent command execution from the
	environment at shell initialization time.
    <li>Ensured the first 2MB page of the amd64 kernel is correctly
	mapped read-only in the direct map.
    <li>Addressed an arm64 speculative execution issue by changing the
	arm64 system call ABI to skip two instructions and inserting a barrier
	after each system call.
    <li>Fixed arm64 speculative execution of instructions after ERET,
	which had led to spectre-like effects on some processors.
    <li>Tightened permissions for USB device nodes.
    <li>Ensured that <a
	href="https://man.openbsd.org/ld.so">ld.so(1)</a> removed the
	LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID
	executables in low memory conditions.
    <li>Added support for RSA-PSS to <a
	href="https://man.openbsd.org/crypto">crypto(3)</a>.
    <li>Added retguard for octeon/mips64.

    <li>The following security bugs were addressed:
      <ul>
	<li>Reset the login class each time through the loop when using -L
	    (loop) mode with <a href="https://man.openbsd.org/su">su(1)</a>. Fixes
	    CVE-2019-19519.
	<li>Fixed insufficient username validation performed by libc's
	    authentication privilege separation layer and added additional
	    validation points, further validating in <a
	    href="https://man.openbsd.org/login">login(1)</a> and <a
	    href="https://man.openbsd.org/su">su(1)</a>.
	<li>Prevented escalation to the auth group in <a
	    href="https://man.openbsd.org/xlock">xlock(1)</a> through path-related
	    environment variables and disabled mesa and opengl functionality.
      </ul>
  </ul>

<li>Routing daemons and other userland network improvements:
  <ul>
<!-- bgpd -->
    <li>Store both IPv4 and IPv6 addresses with local-address in <a
	href="https://man.openbsd.org/bgpd">bgpd(8)</a>, allowing
	configuration of both an IPv4 and IPv6 local-address on a group with
	correct binding of neighbors. Introduced 'no local-address' to reset a
	previously-set local address back to zero. This helps to reduce
	repetition in the configuration.
    <li>Aggregated duplicate <a
	href="https://man.openbsd.org/bgpd">bgpd(8)</a> roa table
	prefix/source-as combos as a single entry with the longest maxlen
	length.
    <li>Extended <a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a>
	'show neighbor' to include the received and set prefix count, as well
	as the max-prefix out limit if set.
    <li>Implemented <a
	href="https://man.openbsd.org/bgpd.conf">bgpd.conf(5)</a>
	<code>max-prefix NUM out</code> to limit the number of announced
	prefixes, avoiding leaks of full tables to upstreams and peers.
    <li>Began marking stale prefixes in the Adj-RIB-out during
	graceful reload of <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
	and fixed prefix_withdraw to check the correct prefix flags before
	removing a prefix from the update or withdraw tree.
    <li>Fixed a bug with the fatal <a
	href="https://man.openbsd.org/bgpd">bgpd(8)</a> non-existing prefix
	call to ensure the missing prefix is inserted into the prefix tree.
    <li>Fixed <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
	crashes where the nexthop_runners tail queue was corrupted.
<!-- OSPF -->
    <li>Allowed configuration of the <a
	href="https://man.openbsd.org/ospfd">ospfd(8)</a> interface setting
	"type p2p" to be configured globally or per area.
    <li>Added point-to-point <a
	href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> support for
	broadcast interfaces.
<!-- iked -->
    <li>Added <a href="https://man.openbsd.org/iked">iked(8)</a>
	support for switching rdomain on <a
	href="https://man.openbsd.org/ipsec">ipsec(4)</a>
	encryption/decryption, configurable per policy with the new 'rdomain'
	option in <a
	href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
    <li>Added support for automatically moving traffic between
	rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a>
	encryption or decryption, reducing the attack surface for network
	sidechannel attacks.
    <li>Modified <a href="https://man.openbsd.org/iked">iked(8)</a> to
	always prefer generic signature authentication.
    <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
	pubkey leak in the CA process for ASN-DN IDs.
    <li>Reduced temporary address valid lifetime to 2 days in <a
	href="https://man.openbsd.org/slaacd">slaacd(8)</a>.
    <li>Fixed user database corruption resulting from use of the <a
	href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command.
    <li>Added the <a
	href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa" command
	to print information about the state of negotiated IKE SAs, their
	Child SAs and the resulting IPsec flows.
    <li>Added an <a
	href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id" command
	to reset all SAs from policies with matching destination IDs.
    <li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a>
	calculation of IPv6 address leases from small address pools.
    <li>Added a policy relookup to <a
	href="https://man.openbsd.org/iked">iked(8)</a> to replace the default
	policy based on a received cryptographic parameter proposal.
    <li>Added transport mode for child SAs to <a
	href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
    <li>Extended the <a
	href="https://man.openbsd.org/ipsecctl">ipsecctl(8)</a> parser to set
	the udpencap flag and port number of an SA.
    <li>Added a -p command line option to <a
	href="https://man.openbsd.org/iked">iked(8)</a> allowing configuration
	of the UDP encapsulation port.
    <li>Removed IPsec flow blocking unencrypted IPv6 traffic in <a
	href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a>
	IKE pcap file creation.
    <li>Enabled ESP UDP-encapsulation with the <a
	href="https://man.openbsd.org/iked">iked(8)</a> -t flag.
<!-- other daemons -->
    <li>Validated authentication lengths in <a
	href="https://man.openbsd.org/ripd">ripd(8)</a> before use to prevent
	crashes.
    <li>Fixed empty response packages sent out by <a
	href="https://man.openbsd.org/ripd">ripd(8)</a> when entries are
	skipped due to split-horizon simple.
    <li>Correctly parse "0/0" as the default route when specifying
	the classless-[ms-]static-routes options in <a
	href="https://man.openbsd.org/dhcpd.conf">dhcpd.conf(5)</a>.
    <li>Allowed <a
	href="https://man.openbsd.org/dhclient">dhclient(8)</a> configuration
	of <a href="https://man.openbsd.org/carp">carp(4)</a> interfaces.
    <li>Rejected leases in <a
	href="https://man.openbsd.org/dhclient">dhclient(8)</a> not providing
	a subnet mask for the address being provided.
    <li>Constrained and corrected the routes being deleted when
	applying a new lease in <a
	href="https://man.openbsd.org/dhclient">dhclient(8)</a> and corrected
	route comparison. This corrects a network failure with "arpresolve:
	... route contains no information".
    <li>Made <a href="https://man.openbsd.org/slaacd">slaacd(8)</a>
	honor the rdomain in which it runs when configuring the default route.
    <li>Withdrew all proposals on <a
	href="https://man.openbsd.org/slaacd">slaacd(8)</a> startup to prevent
	indefinite retention of nameservers on interfaces no longer flagged
	for autoconf.
    <li>Modified <a href="https://man.openbsd.org/ldpd">ldpd(8)</a> to
	lookup the adjacency by LSR id as well as source IP address, as the
	remote peer may change its LSR id.

<!-- other programs -->
    <li>Added support for printing RFC 2332 NBMA Next Hop Resolution Protocol
	(NHRP) to <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>.
    <li>Added <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
	support for printing RFC 8300 Network Service Header (NSH).
    <li>Added <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
	support for VXLAN-GPE.
    <li>Fixed a <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
	crash when printing the contents of a malformed packet where the
	packet length was smaller than the size of the usbpcap header.

    <li>Rewrote dhcpv6 parsing in <a
	href="https://man.openbsd.org/tcpdump">tcpdump(8)</a> to match the
	RFC, correctly handling dhcpv6 messages.
    <li>Accept netmask for IPv6 in <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> instead of
	ignoring it and using only the prefixlen argument.

    <li>Fixed <a href="https://man.openbsd.org/snmp">snmp(1)</a> agent
	address parsing to allow IPv6 addresses to be used based on format,
	allow those without brackets to skip the port if it results in a
	nonsensical address (allowing use of ::1), and try to connect to the
	address immediately.
    <li>Implemented a df subcommand for <a
	href="https://man.openbsd.org/snmp">snmp(1)</a> which outputs disk and
	memory information in a <a href="https://man.openbsd.org/df">df(1)</a>
	format.
    <li>Implemented a -Cs option in <a
	href="https://man.openbsd.org/snmp">snmp(1)</a> for snmp walk and
	bulkwalk, allowing subsections of a tree to be skipped.

    <li>Added retries and timeouts for test packets to <a
	href="https://man.openbsd.org/radiusctl">radiusctl(8)</a>.


    <li>Corrected http auth combined with proxy auth in <a
	href="https://man.openbsd.org/ftp">ftp(1)</a>.
    <li>Corrected <a href="https://man.openbsd.org/ftp">ftp(1)</a>
	access to an https server with user/password through the "http_proxy"
	environment variable.
    <li>Fixed <a href="https://man.openbsd.org/ftp">ftp(1)</a>
	tls_handshake() usage, which would break ftp if an handshake wasn't
	successfully completed in one try.
    <li>Prevented <a href="https://man.openbsd.org/ftp">ftp(1)</a>
	from following remote redirects to local files.
    <li>Implemented HTTP/1.1 in <a href="https://man.openbsd.org/ftp">ftp(1)</a>.
    <li>Added new -N name option to <a
	href="https://man.openbsd.org/ftp">ftp(1)</a>, allowing calling
	scripts to change the progname and produce better error messages.

    <li>Allowed <a href="https://man.openbsd.org/pfctl">pfctl(8)</a>
	to recursively flush rules and tables.
    <li>Ensured rdr-to with loopback destination will work even when
	IP forwarding is disabled.

<!-- rpki-client -->

    <li>Enabled <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>, a free,
	easy-to-use implementation of the Resource Public Key Infrastructure
	(RPKI) for Relying Parties (RP) to facilitate validation of the Route
	Origin of a BGP announcement. The program queries the RPKI repository
	system and outputs Validated ROA Payloads in the configuration format
	of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by
	other routing stacks.
    <li>Modified root's <a
	href="https://man.openbsd.org/crontab">crontab(1)</a> to run <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> and
	reload <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
	configuration, enabling RPKI ROA filtering.
    <li>Stopped hardcoding the cache directory for <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>. Cache
	and output directory will use defaults for root users and must be
	specified by non-root users.
    <li>Made <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> use
	with the existing cache and not exit if rsync(1) exits non-zero.
    <li>Fixed <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> -j
	option, which had not been producing any output.
    <li>Generated three different BIRD outputs with <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> -B: v1
	with IPv4 and IPv6 routes, and v2.
    <li>Rewrote the time validity check for mtfs in <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> to
	correctly account for the timezone.
    <li>Added <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> output
	formats for bird and CSV.

<!-- unwind -->

    <li>Implemented <a
	href="https://man.openbsd.org/unwindctl">unwindctl(8)</a> status
	memory to show cache memory usage.
    <li>Allowed forcing specific domains to be resolved by specific
	resolvers in <a
	href="https://man.openbsd.org/unwind.conf">unwind.conf(5)</a>,
	handling typical split-horizon setups.
    <li>Decayed the <a
	href="https://man.openbsd.org/unwind">unwind(8)</a> resolver histogram
	data over time to reflect strategy performance.
    <li>Measured performance of resolving strategies in <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>, sorting them and
	choosing the next best strategy when one fails.
    <li>Removed captive portal detection from <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>.
    <li>Added tracking of which interfaces have learned nameservers to
	<a href="https://man.openbsd.org/unwind">unwind(8)</a>.
    <li>Began resolving captive portal hosts internally in <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>.
    <li>Implemented DNS proposals in <a
	href="https://man.openbsd.org/unwind">unwind(8)</a> to learn
	nameservers from network autoconfiguration daemons.
    <li>Moved /usr and var remounting earlier to allow <a
	href="https://man.openbsd.org/unwind">unwind(8)</a> to start before <a
	href="https://man.openbsd.org/pf">pf(4)</a> is configured.
    <li>Added opportunistic DoT support to <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>.
    <li>Added an ASR resolver type to <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>, using the libc
	asynchronous resolver directly with DHCP-provided nameservers.
	Switched to the ASR resolver rather than DHCP when behind a captive
	portal.
  </ul>

<li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bugfixes:
  <ul>
    <li>Indicated the marked pane in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> choose mode in
	reverse, and added keys to set (m) and clear it (M), and to jump to
	the starting pane (H).
    <li>Allowed <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	main-pane-width and height to be specified as percentages.
    <li>Added a -f filter argument to the <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> list commands like
	choose-tree.
    <li>Added an -s flag to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> copy-mode to specify a
	different pane for the source content.
    <li>Added a W position to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> display-menu -y to use
	the line above or below the status line containing the window list.
    <li>Added a -T flag to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> resize-pane to trim
	lines below the cursor.
    <li>Added non-regex search variants to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a>.
    <li>Added support for <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> overlay popup boxes,
	created with the display-popup command.
    <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> -d
	flag to run-shell to wait for delay before running the command (or
	delay with no command).
    <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	copy-mode -H flag to hide the position marker in the top right.
    <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> C-g
	to cancel command prompt with <a
	href="https://man.openbsd.org/vi">vi(1)</a> keys as well as emacs, and
	q in command mode.
    <li>Modified <a href="https://man.openbsd.org/tmux">tmux(1)</a> -S
	server socket to be created with umask 177 rather than 117.
    <li>Introduced a <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> selection_active
	format for when the selection is present but not moving with the
	cursor.
    <li>Added -a to the list-keys command in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> to also list keys
	without notes with -N.
    <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> support
	for adding a note to a key binding with bind-key -N and using this to
	add descriptions to the default key binding. Using list-keys -N shows
	key bindings with notes. Changed the default ? binding to show a
	readable summary of keys.
    <li>Removed the <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	terminal type in favor of flags DECSLRM and DECFRA.
    <li>Added -Z to the default <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> switch-client command
	in tree mode.
    <li>Prevented read-only <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> clients from limiting
	the size.
    <li>Added support for regex searches in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> copy mode.
    <li>Modified <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	source-file to allow reading from stdin.
    <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> p
	format modifier for padding to width.
    <li>Added -f for full size to join-pane in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a>.
    <li>Changed <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	new-session -A to attach to the best existing session when a session
	name is not specified, rather than creating a new session.
    <li>Added an option to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> to set the key sent by
	backspace for systems using ^H.
    <li>Added -F flag to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> send-keys to expand
	formats in search-backward and forward copy mode commands.
    <li>Added support for percentage sizes to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> resize-pane ("-x 10%")
	and changed split-window and join-pane -l to accept similar
	percentages, deprecating the -p option.
  </ul>

<li>VMM/VMD improvements
  <ul>
    <li>Added <a href="https://man.openbsd.org/vmm">vmm(4)</a> IOCTL
	handler to set the access protections of the ept.
    <li>Added a check in <a
	href="https://man.openbsd.org/vmm">vmm(4)</a> for <a
	href="https://man.openbsd.org/pvclock">pvclock(4)</a> struct crossing
	of page boundaries, which could potentially corrupt host memory.
    <li>Tightened rdmsr on svm in <a href="https://man.openbsd.org/vmm">vmm(4)</a>.
    <li>Fixed an issue where a <a
	href="https://man.openbsd.org/vmm">vmm(4)</a> guest could write to
	host memory by passing bogus addresses in <a
	href="https://man.openbsd.org/pvclock">pvclock(4)</a>.
    <li>Run <a href="https://man.openbsd.org/cu">cu(1)</a> in
	restricted mode using -r in <a
	href="https://man.openbsd.org/vmctl">vmctl(8)</a> and <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>.
    <li>Started virtual machines defined in <a
	href="https://man.openbsd.org/vm.conf">vm.conf(5)</a> in a staggered
	fashion, helping prevent overload of the host and improper tsc
	calibration in guests.
    <li>Provided proper concurrency control when pausing a vm in <a
	href="https://man.openbsd.org/vmd">vmd(8)</a>.
    <li>Fixed a panic when tearing down vms with <a
	href="https://man.openbsd.org/vmm">vmm(4)</a>.
  </ul>


<li>ldom/sparc64 virtualization improvements
  <ul>
    <li>Added support for devaliases for vnet in <a
	href="https://man.openbsd.org/ldom.conf">ldom.conf(5)</a>.
    <li>Implemented <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> "panic -c" to
	panic a guest domain (and enter <a
	href="https://man.openbsd.org/ddb">ddb(4)</a>).
    <li>Implemented "start -c" in <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> to automatically
	connect to the console.
    <li>Introduced a -n option to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> to validate the
	configuration file and exit.
    <li>Added a create-vdisk command to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> analogous to
	amd64's <a href="https://man.openbsd.org/vmctl">vmctl(8)</a> create.
    <li>Added the "console" command to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> which executes
	<a href="https://man.openbsd.org/cu">cu(1)</a> on the domain's
	console.
    <li>Printed guest domain <a
	href="https://man.openbsd.org/vcctty">vcctty(4)</a> devices in status
	output in <a href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>.
    <li>Added list-io command to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>, listing the
	available PCIe devices to be used with the iodevice parameter in <a
	href="https://man.openbsd.org/ldom.conf">ldom.conf(5)</a>.
  </ul>

<li>OpenSMTPD 6.7.0
  <ul>
    <li>New Features
      <ul>

	<li>Allowed use of the <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> session username in
	    built-in filters when available.
	<li>Introduced option filter-pf-addresses to <a
	    href="https://man.openbsd.org/snmpd.conf">snmpd.conf(5)</a>, allowing
	    the OPENBSD-PF-MIB::pfTblAddrTable tree to be filtered out when many
	    prefixes are stored in pf tables, reducing CPU usage during bulk
	    walks.
	<li>Introduced a bypass keyword to <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> so that built-in
	    filters can bypass processing when a condition is met.
	<li>Allowed use of 'auth' as an origin in <a
	    href="https://man.openbsd.org/smtpd.conf">smtpd.conf(5)</a>.
	<li>Allowed use of mail-from and rctp-to as for and from parameters
	    in <a href="https://man.openbsd.org/smtpd.conf">smtpd.conf(5)</a>.
	<li>Stored <a href="https://man.openbsd.org/smtp">smtp(1)</a> session
	    usernames in an envelope, allowing the ruleset to match specific users
	    or mailing addresses.


      </ul>
    <li>Bug fixes
      <ul>
	<li>Ensured legacy <a href="https://man.openbsd.org/ssl">ssl(8)</a>
	    session ID is persistent during a client TLS session, fixing an issue
	    using TLSv1.3 with smtp.mail.yahoo.com.
	<li>Fixed security vulnerabilities in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a>. Corrected an
	    out-of-bounds read in smtpd allowing an attacker to inject arbitrary
	    commands into the envelope file to be executed as root, and ensured
	    privilege revocation in <a
	    href="https://man.openbsd.org/smtpctl">smtpctl(8)</a> to prevent
	    arbitrary commands from being run with the _smtpq group.
	<li>Allowed <a
	    href="https://man.openbsd.org/mail.local">mail.local(8)</a> to be run
	    as non-root, opening a pipe to <a
	    href="https://man.openbsd.org/lockspool">lockspool(1)</a> for file
	    locking.
	<li>Fixed a security vulnerability in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> which could lead to
	    a privilege escalation on mbox deliveries and unprivileged code
	    execution on lmtp deliveries.
	<li>Added support for CIDR in a: spf atoms in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a>.
	<li>Fixed a possible crash in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> when combining "from
	    rdns" with nested virtual aliases under a particular configuration.

      </ul>
    <li>Experimental Features
      <ul>
	<li>...
      </ul>
  </ul>

<li>LibreSSL 3.1.0
  <ul>
<!-- XXX remove these when adding the LibreSSL Changelog -->
<!--
    <li>Added a -groups option to the <a
	href="https://man.openbsd.org/openssl">openssl(1)</a> s_server,
	allowing EC groups to be configured.
    <li>Added <a href="https://man.openbsd.org/openssl">openssl(1)</a>
	s_client -tls1_3 and -notls1_3 options.
    <li>Added support for handling hello retry requests in the <a
	href="https://man.openbsd.org/ssl">ssl(8)</a> TLSv1.3 client.
    <li>Added support for legacy message callbacks, making <a
	href="https://man.openbsd.org/openssl">openssl(1)</a> s_client -msg
	work for handshake messages.
    <li>Completed the initial TLSv1.3 implementation.
    <li>Switched to encrypted records in the TLSv1.3 server.
    <li>Enabled processing and use of signature algorithms in TLSv1.3.
    <li>Added support for TLS 1.3 post handshake handshake messages
	and key updates to <a href="https://www.libressl.org/">LibreSSL</a>.
    <li>Added -keyopt option to <a
	href="https://man.openbsd.org/openssl">openssl(1)</a> cms subcommand,
	providing rsa_padding_mode:oaep for cms -encrypt and
	rsa_padding_mode:pss for cms -sign.
-->
    <li>API and Documentation Enhancements
    <ul>
      <li>...
    </ul>

    <li>Compatibility Changes
    <ul>
      <li>...
    </ul>

    <li>Testing and Proactive Security
    <ul>
      <li>...
    </ul>

    <li>Internal Improvements
      <ul>
      <li>...
      </ul>

    <li>Portable Improvements
    <ul>
      <li>...
    </ul>

    <li>Bug Fixes
    <ul>
      <li>...
    </ul>
  </ul>

<li>OpenSSH 8.1
  <ul>
    <li>New Features
      <ul>
	<li>Allowed use of the IgnoreRhosts directive anywhere in an <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> file,
	    not just before Match blocks, and made it a tri-state option.
	<li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and
	    RemoteForward when used for Unix domain socket forwarding.
	<li>Gave <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the
	    ability to dump the contents of a binary key revocation list with
	    <code>ssh-keygen -lQf /path</code>.
	<li>Added <a href="https://man.openbsd.org/ssh">ssh(1)</a> -Q key-sig
	    option for all key and signature types, teaching ssh -Q to accept <a
	    href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> and <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
	    algorithm keywords as an alias for the corresponding query.
	<li>Updated to libfido2 780ad3c25.
	<li>Added an <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
	    "Include" directive to allow inclusion of files.
	<li>Removed ssh-rsa (SHA1) from the list of allowed CA signature algorithms.
	<li>Removed diffie-hellman-group14-sha1 from the default <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> key exchange.
	<li>Renamed <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a>
	    -O to -K to load resident keys from a FIDO authenticator.
	<li>Added the ability to download FIDO2 resident keys from a token
	    via the <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>
	    -K option and save public/private keys into the current directory.
	<li>Implemented support for generating FIDO2 resident keys. "ssh-add
	    -O" will load resident keys from a FIDO2 token and add them to an
	    ssh-agent. Removed the -x option currently used for the
	    FIDO/U2F-specific key flags, now under -O.
	<li>Removed single letter flags for moduli generation in <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> and moved
	    all moduli generation options to under the -O flag. Breaks existing
	    ssh-keygen commandline syntax for moduli-related operations.
	<li>Allowed forwarding of a different agent socket to a specified
	    path in <a href="https://man.openbsd.org/ssh">ssh(1)</a>.
	<li>Allowed <a href="https://man.openbsd.org/ssh">ssh(1)</a> security
	    keys to act as host keys as well as user keys.
	<li>Used ssh-sk-helper for all security key signing operations and
	    security key enrollment. Most <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> tools no longer need to
	    link against libfido2 or interact with /dev/uhid* directly.
	<li>Added "no-touch-required" options to <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> and <a
	    href="https://man.openbsd.org/sshd">sshd(8)</a> to disable touch
	    requirement for authorized_keys and certificates.
	<li>Added an <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
	    PubkeyAuthOptions directive allowing specification of whether <a
	    href="https://man.openbsd.org/sshd">sshd(8)</a> should check whether
	    user presence was tested before a security key was made.
        <li>Added direct support for U2F/FIDO2 security keys in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.

        <li>Added initial infrastructure for U2F/FIDO support in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.

	<li>Notified the user via TTY or $SSH_ASKPASS when <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be
	    tapped/touched in order to perform a signature operation.
	<li>Enabled ed25519 support in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.


      </ul>
    <li>Bugfixes
      <ul>
	<li>Detected and prevented simple <a
		href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when
		using ProxyJump.
	<li>Fixed PIN entry bugs on FIDO <a
		href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>.
	<li>Fixed <a
		href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not
		displaying the authenticator touch prompt.
	<li>Prevented a timeout in <a
		href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't
		immediately send a banner, such as with multiplexers like sslh.
	<li>Adjusted on-wire signature encoding for ecdsh-sk <a
		href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match
		ec25519-sk keys.
	<li>Fixed a potential NULL dereference for revoked hostkeys in <a
		href="https://man.openbsd.org/ssh">ssh(1)</a>.
	</ul>
  </ul>

<li>Mandoc
  <ul>
    <li>Introduced <a
	href="https://man.openbsd.org/mandoc">mandoc(1)</a> nodes which are
	semantically transparent, skipped when looking for previous or
	following high-level macros.
    <li>Introduced a new <a
	href="https://man.openbsd.org/mdoc">mdoc(7)</a> macro .Tg ("tag") to
	explicitly mark a place as defining a term.
    <li>Added a Content-Security-Policy HTTP header to <a
	href="https://man.openbsd.org/mandoc">mandoc(1)</a> that allows only
	CSS.

  </ul>

<li><p>Ports and packages:
  <ul>
    <li>Added support for "alpha" suffixes in <a
	href="https://man.openbsd.org/packages-specs">packages-specs(7)</a>,
	removing the need for workarounds in certain ports distfiles.

  </ul>
  <p>Many pre-built packages for each architecture:
  <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
  <ul style="column-count: 3">
    <li>aarch64:      XXXX
    <li>amd64:        XXXX
    <li>arm:          XXXX
    <li>i386:         XXXX
    <li>mips64:       XXXX
    <li>mips64el:     XXXX
    <li>powerpc:      XXXX
    <li>sparc64:      XXXX
  </ul>

<li>As usual, steady improvements in manual pages and other documentation.

<li>The system includes the following major components from outside suppliers:
  <ul>
    <li>Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
        freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 344,
        xkeyboard-config 2.20 and more)<!-- remove XXX when updated -->
    <li>LLVM/Clang 8.0.1 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.30.2 (+ patches)
    <li>NSD 4.2.4
    <li>Unbound 1.10.0
    <li>Ncurses 5.7
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk Dec 20, 2012 version
    <li>Expat 2.2.8
  </ul>
</ul>
</section>

<hr>

<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.7 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/alpha/INSTALL.alpha">
	.../OpenBSD/6.7/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/amd64/INSTALL.amd64">
	.../OpenBSD/6.7/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/arm64/INSTALL.arm64">
	.../OpenBSD/6.7/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/armv7/INSTALL.armv7">
	.../OpenBSD/6.7/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/hppa/INSTALL.hppa">
	.../OpenBSD/6.7/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/i386/INSTALL.i386">
	.../OpenBSD/6.7/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/landisk/INSTALL.landisk">
	.../OpenBSD/6.7/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/loongson/INSTALL.loongson">
	.../OpenBSD/6.7/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/luna88k/INSTALL.luna88k">
	.../OpenBSD/6.7/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/macppc/INSTALL.macppc">
	.../OpenBSD/6.7/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/octeon/INSTALL.octeon">
	.../OpenBSD/6.7/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/sparc64/INSTALL.sparc64">
	.../OpenBSD/6.7/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
If your machine can boot from CD, you can write <i>install67.iso</i> or
<i>cd67.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install67.iso</i> or
<i>cd67.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install67.fs</i> or
<i>miniroot67.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
Write <i>miniroot67.fs</i> to a disk and boot from it after connecting
to the serial console.  Refer to INSTALL.arm64 for more details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install67.iso</i> or
<i>cd67.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install67.fs</i> or
<i>miniroot67.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot67.fs</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot67.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.7/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy67.fs</i> or <i>floppyB67.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot67.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.5 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade67.html">Upgrade Guide</a>.
</section>

<hr>

<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_7</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.7 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
</section>