Annotation of www/68.html, Revision 1.29
1.1 benno 1: <!doctype html>
2: <html lang=en id=release>
3: <meta charset=utf-8>
4:
5: <title>OpenBSD 6.8</title>
6: <meta name="description" content="OpenBSD 6.8">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/68.html">
10:
11: <h2 id=OpenBSD>
12: <a href="index.html">
13: <i>Open</i><b>BSD</b></a>
14: 6.8
15: </h2>
16:
17: <table>
18: <tr>
19: <td>
20: <a href="images/XXX.gif">
21: <img width="227" height="343" src="images/XXX-s.gif" alt="XXX"></a>
22: <td>
23: Released Oct XXX, 2020<br>
24: Copyright 1997-2020, Theo de Raadt.<br>
25: <br>
26: <br>
27: Artwork by XXX.
28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/6.8/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata68.html">the 6.8 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus68.html">detailed log of changes</a> between the
37: 6.7 and 6.8 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-68-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/openbsd-68-base.pub">
47: RWQZj25CSG5R2oLo5735Hh6C48kkjFsj5rJDjW+fGZwyY+BkD5/zps8f</a>
48: <tr><td>
49: openbsd-68-fw.pub:
50: <td>
51: RWSYx4htNi/zavF8ZToMBDFz2xymRfFnnR1MEKV9csYbvnrTBwdkXhdy
52: <tr><td>
53: openbsd-68-pkg.pub:
54: <td>
55: RWQlDXyHx5KlPoEiz4yWRK/Gt/rvPwI8KEAt3utge/dBS7R+EscdzA5K
56: <tr><td>
57: openbsd-68-syspatch.pub:
58: <td>
59: RWRWuHkSV0U8PUX24vGa3ywrvKNQY6llV3PLvKEzDTiTVPfIRaXPfvzR
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 6.8.
74: For a comprehensive list, see the <a href="plus68.html">changelog</a> leading
75: to 6.8.
76:
77: <ul>
78:
1.17 kettenis 79: <li>New/extended platforms:
80: <ul>
81: <li>New <a href="https://www.openbsd.org/powerpc64.html">powerpc64</a>
82: platform, supporting PowerNV (non-virtualized) systems with
83: POWER8 and POWER9 CPUs, such as Raptor Computing Systems Talos
84: II and Blackbird systems. POWER8 support has not been tested
85: on real hardware yet.
86: </ul>
87:
1.1 benno 88: <li>General improvements and bugfixes:
89: <ul>
1.3 benno 90: <li>Added support in the kernel and libc for timecounting in
91: userland, eliminating the need for a context switch every time a
92: process requests the current time, thereby improving speed and
93: responsiveness in programs which make many <a
94: href="https://man.openbsd.org/gettimeofday">gettimeofday(2)</a> calls,
95: especially browsers and office software.<br>The userland timecounters
96: are enabled on the amd64, arm64, macppc, octeon and sparc64
1.18 kettenis 97: architectures.
1.3 benno 98:
1.1 benno 99: <li>Set <a href="https://man.openbsd.org/ddb">ddb(4)</a> "/t" to show a trace via TID on all architectures.
100: <li>Restored VGA fonts on VT switch, preventing an unusable screen when switching to a VT with a custom VGA font from X.
101: <li>Fixed the <a href="https://man.openbsd.org/ksh">ksh(1)</a> exit code when evaluating a || compound list to prevent termination of the shell when running under -e.
102: <li>Relaxed filename checks in <a href="https://man.openbsd.org/syspatch">syspatch(8)</a> to allow use of hyphens.
103: <li>Rewrote m88k mutex code as a slight variation of the MI mutex code, potentially improving stability and rendering mutex spinning time visible in <a href="https://man.openbsd.org/top">top(1)</a>.
104: <li>Corrected <a href="https://man.openbsd.org/getopt_long">getopt_long(3)</a> parsing of a trailing dash in an option group, which was being incorrectly returned as an argument.
105: <li>Enabled building <a href="https://man.openbsd.org/wsmoused">wsmoused(8)</a> and <a href="https://man.openbsd.org/wsfontload">wsfontload(8)</a> on arm64 and armv7.
106: <li>Added a new column to <a href="https://man.openbsd.org/wsfontload">wsfontload(8)</a> -l output to report the number of characters contained in a loaded font.
107: <li>Prevented callers inspecting unrelated fields in the libc resolver function asr_run().
108: <li>Prevented <a href="https://man.openbsd.org/rcs">rcs(1)</a> removal of locked revisions with rcs -orange, avoiding leaving behind a lock for a revision which no longer exists.
109: <li>Provided an optimized implementation of <a href="https://man.openbsd.org/ffs">ffs(3)</a> in the kernel on arm64/powerpc/powerpc64.
110: <li>Improved CPU frequency scaling in automatic performance mode by removing accounting for offline CPUs.
111: <li>Fixed <a href="https://man.openbsd.org/sndiod">sndiod(8)</a> crashes when USB devices are disconnected.
112: <li>Fixed the initial <a href="https://man.openbsd.org/sndiod">sndiod(8)</a> alternate device number, preventing device number 1 from being skipped on first use.
113: <li>Allowed switching between alternate devices (-F) with <a href="https://man.openbsd.org/sndioctl">sndioctl(1)</a>.
114: <li>Implemented the gensub(), systime() and strftime() functions for <a href="https://man.openbsd.org/awk">awk(1)</a>.
115: <li>Stopped incrementing openclass for a literal "[" in <a href="https://man.openbsd.org/awk">awk(1)</a>, allowing parsing of expressions such as "/[[/[]/".
116: <li>Added <a href="https://man.openbsd.org/intrmap_create">intrmap</a>, an interrupt to CPU mapping API that is used by hardware drivers to use multiple CPUs for interrupt handling.
117: <li>Added an ioctl PCIOCGETVPD allowing userland to access read-only support information about pci devices via the vpd register.
118: <li>Introduced <a href="https://man.openbsd.org/gettime">gettime(9)</a> and <a href="https://man.openbsd.org/getuptime">getuptime(9)</a> and substituted these for time_second(9) and time_uptime(9) throughout the kernel to prevent split-read problems on 32-bit platforms.
119: <li>Fixed merging of files that lack newlines for <a href="https://man.openbsd.org/diff3">diff3(1)</a>, OpenRCS and OpenCVS.
120: <li>Switched the default CDDB database for <a href="https://man.openbsd.org/cdio">cdio(1)</a> to gnudb.gnudb.org:8880.
121: <li>Introduced a darker <a href="https://man.openbsd.org/xenodm">xenodm(1)</a> login widget and a lower contrast default background.
122: <li>Prevented creation of bogus <a href="https://man.openbsd.org/sd">sd(4)</a> devices for <a href="https://man.openbsd.org/nvme">nvme(4)</a> namespaces which are configured but have size 0.
123: <li>Initialized v4l2_requestbuffers for libv4l compatibility, allowing view of video encodings not directly supported by <a href="https://man.openbsd.org/video">video(1)</a>.
124: <li>Added <a href="https://man.openbsd.org/video">video(1)</a> white balance temperature control through w/W keys.
125: <li>Added the ability to set and display <a href="https://man.openbsd.org/video">video(1)</a> control values directly on the CLI.
126: <li>Allowed the combination of <a href="https://man.openbsd.org/video">video(1)</a> "-dc" options, reset and display control values.
127: <li>Added control for backlight compensation to <a href="https://man.openbsd.org/video">video(4)</a>.
128: <li>Used an LFENCE instruction everywhere RDTSC is used for a time measurement, reducing the jitter in TSC skew measurements.
129: <li>Prevented a core dump in <a href="https://man.openbsd.org/ftp">ftp(1)</a> during fetch abort.
130: <li>Allowed specification of supported TLS protocols in <a href="https://man.openbsd.org/ftp">ftp(1)</a> "-S protocols".
131: <li>Fixed an <a href="https://man.openbsd.org/xconsole">xconsole(1)</a> crash by starting it after setting the background.
132: <li>Fixed <a href="https://man.openbsd.org/ls">ls(1)</a> -R mode to not display subdirectories of a directory beginning with '.' and ensure directory names are always displayed.
133: <li>Introduced <a href="https://man.openbsd.org/kstat">kstat(1)</a>, a subsystem to allow the kernel to expose statistics to userland (and <a href="https://man.openbsd.org/kstat">kstat(8)</a>, the userland side).
134: <li>Added <a href="https://man.openbsd.org/kstat">kstat(1)</a> -w option, allowing update and printing of stats at a specified wait interval.
135: <li>Added kstat to <a href="https://man.openbsd.org/cnmac">cnmac(4)</a>.
136: <li>Added tsc_delay(), a <a href="https://man.openbsd.org/delay">delay(9)</a> implementation based on the TSC, to amd64.
137: <li>Synchronized each core's CP0 cycle counter using the IO clock counter on mips64 and octeon, making the cycle counter usable as timecounter.
138: <li>Added support for set -o pipefail to <a href="https://man.openbsd.org/ksh">ksh(1)</a>, potentially helping error checking.
139: <li>Taught <a href="https://man.openbsd.org/su">su(1)</a> -l -f to start a regular shell for non-csh shells rather than a login shell.
140: <li>Enabled spleen16x32 and spleen32x64 fonts on armv7 for GENERIC kernels.
141: <li>Implemented linear and power-of-two histograms in btrace(5).
142: <li>Added <a href="https://man.openbsd.org/btrace">btrace(8)</a> -p flag to filter all actions by PID.
1.28 kn 143: <li>Enabled <a href="https://man.openbsd.org/btrace">btrace(8)</a> (<a href="https://man.openbsd.org/dt">dt(4)</a> not yet enabled in GENERIC, though).
1.1 benno 144: <li>Added support for "&" and "|" operators in btrace scripts.
145: <li>Used <a href="https://man.openbsd.org/su">su(1)</a> -fl to avoid sourcing the target user's .profile in <a href="https://man.openbsd.org/rc.d">rc.d(8)</a>/<a href="https://man.openbsd.org/rcctl">rcctl(8)</a>.
146: <li>Added a <a href="https://man.openbsd.org/ktrace">ktrace(1)</a> -T option to make time-related system calls more prominent.
1.12 schwarze 147: <li>Switched the default <a href="https://man.openbsd.org/man.1">man(1)</a> pager from "<a href="https://man.openbsd.org/more.1">more(1)</a> -s" to <a href="https://man.openbsd.org/less.1">less(1)</a>.
148: <li>Supported -T html -O tag in <a href="https://man.openbsd.org/man.1">man(1)</a> by passing a file:// URI to the pager.
1.1 benno 149: <li>Ensured only pseudo-terminal devices use reprint delays.
150: <li>Prevented <a href="https://man.openbsd.org/mg">mg(1)</a> from running out of memory or segfaulting with <code>query-replace-regex ^</code>.
151: <li>Prevented an <a href="https://man.openbsd.org/unveil">unveil(2)</a> failure with chdir / on <a href="https://man.openbsd.org/sensorsd">sensorsd(8)</a>.
152: <li>Ported NetBSD's arm64 disassembler for <a href="https://man.openbsd.org/ddb">ddb(4)</a>.
153: <li>Added / as an alias for g (grep) in <a href="https://man.openbsd.org/top">top(1)</a>.
154: <li>Added support for remote coverage to <a href="https://man.openbsd.org/kcov">kcov(4)</a>.
155: <li>Avoided reading one byte before the path buffer in <a href="https://man.openbsd.org/mountd">mountd(8)</a>.
156: <li>Added the ability to filter which <a href="https://man.openbsd.org/kstat">kstat(1)</a> entries are displayed.
157: <li>Moved <a href="https://man.openbsd.org/sysctl">sysctl(2)</a> CTL_DEBUG from DEBUG to the new DEBUG_SYSCTL.
158: <li>Added <a href="https://man.openbsd.org/fstat">fstat(1)</a> support for looking up unix domain sockets by file name.
159: <li>Fixed <a href="https://man.openbsd.org/make">make(1)</a> :S with anchors and replacement.
160: <li>Imported <a href="https://man.openbsd.org/login_ldap">login_ldap(8)</a>, using <a href="https://man.openbsd.org/ldap">ldap(1)</a> rather than openldap.
161: <li>Used READ(16)/WRITE(16) commands for disks large enough to require them to access the last sectors, fixing large 512E devices plugged into USB to ATA/ATAPI bridges which mistakenly use 4K sector addresses/sizes.
162: <li>Fixed "$@" splitting with empty IFS in <a href="https://man.openbsd.org/ksh">ksh(1)</a>.
163: <li>Prevented improper disabling of the backlight in <a href="https://man.openbsd.org/umstc">umstc(4)</a> when brightness is adjusted to 0.
1.7 jsg 164: <li>Stopped <a href="https://man.openbsd.org/syslogd">syslogd(8)</a> from closing UDP sockets for sending messages when DNS lookup of a UDP loghost fails, allowing them to be used to send if DNS is working during the next SIGHUP.
1.1 benno 165: <li>Prevented established TCP and TLS sockets of <a href="https://man.openbsd.org/syslogd">syslogd(8)</a> from staying open forever if a client aborted the connection silently.
166: <li>Provided a naptime variable for userspace via <a href="https://man.openbsd.org/kvm_read">kvm_read(3)</a>, usable by <a href="https://man.openbsd.org/vmstat">vmstat(8)</a>.
167: <li>Cleared the screen in <a href="https://man.openbsd.org/ksh">ksh(1)</a>'s vi editing mode before redrawing the line with ^L.
168: <li>Made <a href="https://man.openbsd.org/apmd">apmd(8)</a> always ask the kernel about current hw.perfpolicy rather than maintaining state.
169: <li>Reworked kernel loading with <a href="https://man.openbsd.org/octboot">octboot(4)</a>, which now does not rely on a mounted filesystem.
170: <li>Converted macppc, octeon and loongson to use machine-independent installboot.
171: <li>Forced long-names on msdos filenames for installboot on most 32-bit architectures.
172: <!-- FFS2 -->
173: <li>Improvements in the FFS2 filesystem:
174: <ul>
175: <li>Made FFS2 the default for <a href="https://man.openbsd.org/newfs">newfs(8)</a>, except for mfs.
176: <li>Enabled the FFS2 option on the luna88k ramdisk.
177: <li>Made FFS2 the default for non-root filesystems on landisk, sgi and luna88k.
178: </ul>
179: </ul>
180:
181: <li>Improved hardware support and driver bugfixes, including:
182: <ul>
183: <li>Enabled scrollback in <a href="https://man.openbsd.org/simplefb">simplefb(4)</a>.
184: <li>Fixed display glitches on smaller screens or with larger fonts in <a href="https://man.openbsd.org/efifb">efifb(4)</a> associated with remapping and attaching.
185: <li>Improved reporting of remaining power with batteries of different capacities in <a href="https://man.openbsd.org/acpi">acpi(4)</a>.
186: <li>Fixed bogus frame sizes being returned by <a href="https://man.openbsd.org/xhci">xhci(4)</a>.
187: <li>Added <a href="https://man.openbsd.org/wsmoused">wsmoused(8)</a> support to <a href="https://man.openbsd.org/efifb">efifb(4)</a>.
188: <li>Added <a href="https://man.openbsd.org/umstc">umstc(4)</a>, a driver for Microsoft Surface Type Cover keyboards.
189: <li>Introduced <a href="https://man.openbsd.org/acpihid">acpihid(4)</a> for ACPI HID event and 5-button array devices.
190: <li>Moved Powerbook5,4 audio from <a href="https://man.openbsd.org/aoa">aoa(4)</a> to <a href="https://man.openbsd.org/snapper">snapper(4)</a>, adding the missing TAS3004 volume control.
191: <li>Fixed broken HID descriptors of Elecom trackballs with 6 or 8 buttons.
192: <li>Added RK3328 PWM, also found in the RK3308, to <a href="https://man.openbsd.org/rkpwm">rkpwm(4)</a>.
193: <li>Added RK3308 temperature sensors to <a href="https://man.openbsd.org/rktemp">rktemp(4)</a>.
194: <li>Added <a href="https://man.openbsd.org/pcamux">pcamux(4)</a>, a driver for the PCA8548 I2C switch.
1.6 jsg 195: <li>Introduced a framework for digital audio interfaces, and added <a href="https://man.openbsd.org/simpleaudio">simpleaudio(4)</a>, a driver for "simple audio cards." This is a wrapper connecting the I2S controller, the codec and some aux devices, and <a href="https://man.openbsd.org/simpleamp">simpleamp(4)</a>, a driver for "simple audio amplifier," one of the aux devices for <a href="https://man.openbsd.org/simpleaudio">simpleaudio(4)</a>.
1.1 benno 196: <li>Enabled <a href="https://man.openbsd.org/nvme">nvme(4)</a> on i386.
197: <li>Added support for the Ericsson F5521gw Mobile Broadband Modem.
198: <li>Ensured the STOP command sent by <a href="https://man.openbsd.org/sd">sd(4)</a> on powerdown will not result in hanging the machine if commands to the USB mass storage fail.
199: <li>Fixed intermittently failing <a href="https://man.openbsd.org/pms">pms(4)</a> device initialization seen on some Synaptics devices.
200: <li>Corrected trackstick/button attachment of Windows Precision Touchpad <a href="https://man.openbsd.org/imt">imt(4)</a> devices, fixing behavior on certain Dell Latitude laptops.
201: <li>Improved speed of scrolling by optimizing <a href="https://man.openbsd.org/rasops">rasops(9)</a> write-only framebuffer console.
202: <li>Modified <a href="https://man.openbsd.org/uvideo">uvideo(4)</a> to fix webcam detection in Firefox 78.
203: <li>Added a SENSOR_ENERGY sensor type to the <a href="https://man.openbsd.org/sensor_attach">sensors framework API</a> which uses microjoules.
204: <li>Added support for the AMDI0010 touchpad on the Inspiron 5505.
205: <li>Avoided nvram lock timeout on sparc64 systems with onboard BCM5704 <a href="https://man.openbsd.org/bge">bge(4)</a> instances that come without a fitted EEPROM/NVRAM.
206: <li>Added <a href="https://man.openbsd.org/pms">pms(4)</a> support for the Elantech v1 touchpad with firmware version 0x20022.
207: <li>Added <a href="https://man.openbsd.org/sdmmc">sdmmc(4)</a> support for eMMC HS200 mode.
208: <li>Added Exar XR17V35x serial port support.
209: <li>Properly implemented <a href="https://man.openbsd.org/amlmmc">amlmmc(4)</a> setting of signal voltage.
210: <li>Implemented UHS-I support in the <a href="https://man.openbsd.org/sdmmc">sdmmc(4)</a> midlayer and enabled it in <a href="https://man.openbsd.org/amlmmc">amlmmc(4)</a>.
211: <li>Introduced <a href="https://man.openbsd.org/abl">abl(4)</a>, a new driver to control the backlight brightness on Intel-based Apple machines, and allowed it to be controlled through <a href="https://man.openbsd.org/wsconsctl">wsconsctl(8)</a>.
212: <li>Disabled <a href="https://man.openbsd.org/acpivout">acpivout(4)</a> brightness control on machines aware of Windows 8, enabling inteldrm to handle brightness ioctls.
213: <li>Fixed <a href="https://man.openbsd.org/eeprom">eeprom(8)</a> error when setting variables on macppc.
1.4 jsg 214: <li>Updated <a href="https://man.openbsd.org/drm">drm(4)</a> to Linux 5.7.19.
1.1 benno 215: </ul>
216: <li>New or improved network hardware support:
217: <ul>
218: <li>Enabled multiple queues on <a href="https://man.openbsd.org/vmx">vmx(4)</a>, VMware VMXNET3 Virtual Interface Controller.
1.29 ! jsg 219: <li>Enabled multiple queues on <a href="https://man.openbsd.org/ix">ix(4)</a>.
! 220: <li>Added support for hardware VLAN tagging to <a href="https://man.openbsd.org/mcx">mcx(4)</a>.
1.1 benno 221: <li>Fixed a crash in <a href="https://man.openbsd.org/re">re(4)</a>.
1.7 jsg 222: <li>Added <a href="https://man.openbsd.org/bge">bge(4)</a> support for the BCM5719 A1 Ethernet controller.
1.1 benno 223: <li>Handled AGL interfaces on octeon, making management network ports usable on some machines.
1.29 ! jsg 224: <li>Implemented RSS/Toeplitz support for <a href="https://man.openbsd.org/ixl">ixl(4)</a> 710 chips.
1.1 benno 225: <li>Added support for the <a href="https://man.openbsd.org/mcx">mcx(4)</a> ConnectX-6 Dx.
226: <li>Fixed a potential crash when bringing down an <a href="https://man.openbsd.org/mcx">mcx(4)</a> interface.
227: <li>Increased the <a href="https://man.openbsd.org/mcx">mcx(4)</a> event queue size, preventing a potential interrupt storm on the ConnectX-4.
228: <li>Fixed outbound <a href="https://man.openbsd.org/bpf">bpf(4)</a> tap on <a href="https://man.openbsd.org/ogx">ogx(4)</a> interfaces.
1.29 ! jsg 229: <li>Improved <a href="https://man.openbsd.org/ure">ure(4)</a> performance by combining multiple sent packets into one transfer.
! 230: <li>Added support for RK3308 Ethernet to <a href="https://man.openbsd.org/dwge">dwge(4)</a>.
1.1 benno 231: </ul>
232: <li>Added or improved wireless network drivers:
233: <ul>
234: <li>Added support to <a href="https://man.openbsd.org/urtwn">urtwn(4)</a> for TP-Link TL-WN822N-EU v5 (and v4).
235: <li>Added WPA2 (CCMP) crypto offload support to <a href="https://man.openbsd.org/iwx">iwx(4)</a>.
236: <li>Fixed a fatal firmware error at run-time on <a href="https://man.openbsd.org/iwx">iwx(4)</a>.
237: <li>Added <a href="https://man.openbsd.org/bwfm">bwfm(4)</a> support for BCM4359 SDIO variants such as the AP6359SA module found on the RockPro64 WiFi module.
238: <li>Enabled critical temperature detection in <a href="https://man.openbsd.org/iwx">iwx(4)</a> firmware.
239: <li>Fixed mbuf leak in <a href="https://man.openbsd.org/urtwn">urtwn(4)</a> with frames CCMP-encrypted by hardware.
240: <li>Added support for the D-Link DWA-121 rev B1 <a href="https://man.openbsd.org/urtwn">urtwn(4)</a> device.
241: <li>Repaired <a href="https://man.openbsd.org/athn">athn(4)</a> in client mode against WPA2 access points.
242: <li>Switched <a href="https://man.openbsd.org/iwx">iwx(4)</a> from -46 to -48 firmware.
243: <li>Fixed <a href="https://man.openbsd.org/athn">athn(4)</a> use with WPA2 APs.
244: <li>Enabled background scanning on <a href="https://man.openbsd.org/iwx">iwx(4)</a> devices.
245: <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a> support for newer RTL8125 chipset (RTL8125B).
246: <li>Fixed gain calibration for some <a href="https://man.openbsd.org/iwn">iwn(4)</a> devices (5000 and up).
247: <li>Added support for AX201 devices to <a href="https://man.openbsd.org/iwx">iwx(4)</a>.
248: </ul>
249:
250: <li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> and <a
251: href="https://www.openbsd.org/armv7.html">armv7</a> hardware support
252: and bugfixes, including:
253: <ul>
254: <li>Added <a href="https://man.openbsd.org/amlpwrc">amlpwrc(4)</a>, a driver for the power domain controller found on Amlogic SoCs.
1.7 jsg 255: <li>Made OpenBSD boot on the ODROID-C4 with power domain in <a href="https://man.openbsd.org/amldwusb">amldwusb(4)</a>.
1.1 benno 256: <li>Added support for the SD card detect pins on the Turris Mox.
1.29 ! jsg 257: <li>Added support for the Marvell Xenon SDHC, used as storage on the Armada 3700 and 8040 SoCs.
1.7 jsg 258: <li>Opened up a 4GB memory bus window for <a href="https://man.openbsd.org/mvneta">mvneta(4)</a> on the Marvell Armada 3700, making the second Ethernet controller/port work on the Turris Mox.
1.1 benno 259: <li>Added <a href="https://man.openbsd.org/mvkpcie">mvkpcie(4)</a>, a driver for the Aardvark PCIe controller found on the Armada 3700 SoC.
260: <li>Adjusted <a href="https://man.openbsd.org/dwpcie">dwpcie(4)</a> timing to improve likelihood of a successful PCIe link on the i.MX8MM. Avoids a failure to detect <a href="https://man.openbsd.org/em">em(4)</a> on the HummingBoard Pulse.
261: <li>Added <a href="https://man.openbsd.org/cwfg">cwfg(4)</a>, a driver for the Cellwise CW201x fuel gauge on the Pinebook Pro.
262: <li>Populated a list of 256 brightness levels as a fallback when the device tree does not specify a list, making the Pinebook Pro display work with the dtb from Linux 5.7.
263: <li>Added <a href="https://man.openbsd.org/escodec">escodec(4)</a>, a driver for the Everest ES8316 audio codec used on the Pinebook Pro.
1.6 jsg 264: <li>Added <a href="https://man.openbsd.org/rkiis">rkiis(4)</a>, a driver for the I2S controller found on the Rockchip RK3399.
1.1 benno 265: <li>Added <a href="https://man.openbsd.org/bcmtmon">bcmtmon(4)</a>, a driver for the temperature sensor on the Raspberry Pi 4.
266: <li>Introduced <a href="https://man.openbsd.org/mvpp">mvpp(4)</a>, a driver for the Marvell Packet Processor v2 as used on the Armada 7K and 8K SoCs.
267: <li>Improved PLL1(CPU_PLL) stability for the Allwinner H3/H2+.
268: </ul>
269:
270: <li>IEEE 802.11 wireless stack improvements and bugfixes:
271: <ul>
272: <li>Fixed CCMP replay checks with 11n Rx aggregation and CCMP hardware offloading.
273: <li>Offloaded CCMP (WPA2) encryption and decryption to <a href="https://man.openbsd.org/iwm">iwm(4)</a> hardware, reducing CPU load during traffic bursts.
274: <li>Adjusted to complete group key renewal immediately if no station is associated when ieee80211_proto.c runs.
275: <li>Improved processing of lost frames during 802.11 Rx aggregation.
276: <li>Allowed passage of unencrypted 802.11 frames during hardware decryption post-processing, fixing failure of some <a href="https://man.openbsd.org/ral">ral(4)</a> devices to receive packets on encrypted networks.
277: <li>Prevented a fatal <a href="https://man.openbsd.org/iwx">iwx(4)</a> firmware error when the driver moves out of AUTH state.
278: <li>Prevented a panic where <a href="https://man.openbsd.org/athn">athn(4)</a> attempted to transmit old, unencryptable frames after switching to a new group key in hostap mode.
279: <li>Prevented a use-after-free when a wireless device is detached.
280: </ul>
281:
282: <li>Generic network stack improvements and bugfixes:
283: <ul>
284: <!-- carp and pf -->
285: <li>Implemented a <a href="https://man.openbsd.org/carp">carp(4)</a> transmit bypassing the ifq on output, enqueuing the packet directly on the parent interface.
286: <li>Fixed <a href="https://man.openbsd.org/pf.conf">pf.conf(5)</a> "route-to TABLE least-states" in an anchor.
287: <li>Allowed <a href="https://man.openbsd.org/pf">pf(4)</a> to divert packets from <a href="https://man.openbsd.org/bridge">bridge(4)</a> to local socket.
288: <li>Rehashed main <a href="https://man.openbsd.org/pf">pf(4)</a> rulesets after rule expiration.
289: <li>Added a check for <a href="https://man.openbsd.org/pfctl">pfctl(8)</a> that an rtable exists when parsing the config.
1.24 kn 290: <li>Corrected ruleset checksum calculation to allow <a href="https://man.openbsd.org/pfsync">pfsync(4)</a> to verify rulesets are identical on all nodes.
1.1 benno 291: <!-- wg -->
1.7 jsg 292: <li>Added <a href="https://man.openbsd.org/wg">wg(4)</a>, an in-kernel driver for WireGuard VPN communication.
1.1 benno 293: <!-- network pseudo drivers and other kernel network internals -->
294: <li>Protected the whole <a href="https://man.openbsd.org/pipex">pipex(4)</a> layer by NET_LOCK().
295: <li>Stopped creation of non-existent <a href="https://man.openbsd.org/bridge">bridge(4)</a> interfaces.
296: <li>Added a symmetric toeplitz implementation with integration for nics, usable through the <a href="https://man.openbsd.org/stoeplitz_to_key">stoeplitz_to_key(9)</a> hash algorithm API.
297: <li>Changed <a href="https://man.openbsd.org/tpmr">tpmr(4)</a> from ifconfig [-]trunkport to add|del synopsis.
298: <li>Filtered vlan and svlan packets by default for <a href="https://man.openbsd.org/tpmr">tpmr(4)</a>.
299: <li>Implemented IPv6 source address selection as outlined in RFC 6724 section 5.
300: <li>Set IPv6 source address selection to prefer the address with the highest preferred lifetime in case of a tie.
301: <li>Stopped preventing TCP connections to IPv6 anycast addresses.
302: <li>Added the <a href="https://man.openbsd.org/pcap-filter">pcap-filter(5)</a> "sample NUM" primitive to allow capture of 1/NUM packets.
303: <li>Added a <a href="https://man.openbsd.org/man4/route.4">ROUTE_FLAGFILTER</a> socket option for routing sockets, allowing routing daemons to opt out of receiving messages for L2 and broadcast route entries.
304: <li>Allowed SIOCSWGDPID and SIOCSWGMAXFLOW ioctls for non-root, preventing <a href="https://man.openbsd.org/switch">switch(4)</a> interfaces from appearing partially as <a href="https://man.openbsd.org/bridge">bridge(4)</a> devices for unprivileged users running <a href="https://man.openbsd.org/ifconfig">ifconfig(8)</a>.
305: <li>Modified <a href="https://man.openbsd.org/trunk">trunk(4)</a> to keep port interfaces UP on removal, matching <a href="https://man.openbsd.org/aggr">aggr(4)</a> behavior.
1.25 kn 306: <li>Fixed <a href="https://man.openbsd.org/rdomain">rdomain(4)</a> handling for IPv6.
307: <li>Fixed <a href="https://man.openbsd.org/rtable">rtable(4)</a> separation of raw sockets for IPv6.
308: <li>Documented <a href="https://man.openbsd.org/rtable">rtable(4)</a> removal semantics.
1.1 benno 309: </ul>
310:
311: <li>Installer improvements:
312: <ul>
1.16 benno 313: <li>sysupgrade(8) can now be used on systems with multiple installations and boot disks.
1.1 benno 314: <li>Ensured <a href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> on systems with multiple root disks will proceed on the disk with auto_upgrade.conf present.
315: <li>Changed install images called *.fs to *.img to accommodate some UEFI bootloaders.
316: </ul>
317:
318: <li>Security improvements:
319: <ul>
320: <li>Added RB_GOODRANDOM passed from bootloader to kernel in boothowto, indicating confidence a "great seed" was loaded.
321: <li>Passed boothowto from the sparc64 bootloader to the kernel using .openbsd.bootdata.
322: <li>Introduced detection of /etc/random.seed reuse.
323: <li>Rewrote the entropy enqueue ring to collect damage asynchronously and adapted the dequeue to mix a selection of "best" ring entries, exponentially backing off the dequeue timeout, to compensate rapidly for weak seeding in unidentifiable conditions and ensure quality to arc4random() calls early in boot.
324: <li>Enabled PAN (Privileged Access Never) on arm64 CPUs supporting it.
325: <li>Skipped scanning file systems which are both nodev and nosuid for SUID, SGID and device files with <a href="https://man.openbsd.org/security">security(8)</a>.
326:
327:
328: <li>The following security bugs were addressed:
329: <ul>
330: <li>Fixed two out-of-bounds array accesses in ioctl code pathways in
331: <a href="https://man.openbsd.org/wscons">wscons(4)</a>.
332: <li>Fixed information leak in semctl SEM_GET.
333: <li>Prevented root from freezing the UTC clock with <a href="https://man.openbsd.org/settimeofday">settimeofday(2)</a> at securelevel 2.
334: <li>Fixed performance problems relating to tty subsystem abuse.<!-- tty.c,v 1.158 2020/07/14 14:33:03 deraadt -->
335: <li>Fixed heap corruption in the X input method client in libX11.
336: <li>Fixed potential information leak via X server pixel data uninitialized memory.
337: <li>Fixed a race condition for isoc devices during device close.
338: <li>Fixed an integer overflow in libX11 which could lead to a double free.
339: <li>Corrected multiple input validation deficits in X server extensions.
340: </ul>
341: </ul>
342:
343: <li>Routing daemons and other userland network improvements:
344: <ul>
345: <!-- bgpd -->
346: <li>In <a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a>, the
347: "reload" command now takes a 'reason' argument to use as
1.7 jsg 348: Administrative Shutdown Communication to its neighbors.
1.1 benno 349: <li>Added <a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a>
350: support for VPNv6 in the family option of the "show rib" command.
351: <!-- OSPF -->
352: <li>Improved performance of <a href="https://man.openbsd.org/ospfd">ospfd(8)</a> and <a href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> by using the ROUTE_FLAGFILTER setsockopt to filter out routing socket messages
353: for L2 and broadcast routes.
354: <!-- ldap -->
355: <li>Modified <a href="https://man.openbsd.org/ldapd">ldapd(8)</a> use of "ldaps" and "tls" keywords to enable only the libtls defaults for protocols and ciphers. The new "legacy" keyword can be used before these keywords in <a href="https://man.openbsd.org/ldapd.conf">ldapd.conf(5)</a> to enable them all.
356: <li>Added a bsd.schema to <a href="https://man.openbsd.org/ldapd">ldapd(8)</a> including a shadowPassword and an sshPublicKey attribute which can be used to extend existing LDAP users with the additional bsdAccount objectclass.
357: <!-- snmpd -->
358: <li>Removed support for the socket keyword in <a href="https://man.openbsd.org/snmpd.conf">snmpd.conf(5)</a>.
359: <li>Allowed <a href="https://man.openbsd.org/snmp">snmp(1)</a> mibtree to take one or more arguments to be converted to a chosen output format.
360: <!-- httpd and relayd -->
361: <li>Introduced a "dark mode" for directory listings and error pages in <a href="https://man.openbsd.org/httpd">httpd(8)</a>.
362: <li>Allowed specifying -d multiple times in <a href="https://man.openbsd.org/slowcgi">slowcgi(8)</a>.
363: <li>Added <a href="https://man.openbsd.org/unveil">unveil(2)</a> to the main process of <a href="https://man.openbsd.org/relayd">relayd(8)</a>.
364: <li>Added support for non-localhost fastcgi sockets to <a href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a>.
365: <!-- rpki-client -->
366: <li>Fixed a hang in <a href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> by properly waiting for exiting <a href="https://man.openbsd.org/openrsync">openrsync(1)</a> processes.
367: <li>Removed the -f (force) option in <a href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>.
1.7 jsg 368: <li>Fixed <a href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> return value check for OpenSSL API used during pubkey validation.
1.1 benno 369: <li>Released <a href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> 6.7p1 including OpenBSD 6.7 Errata 015.
370: <li>Changed <a href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> -n behavior to automatically validate the repo.
371: <li>Added a "-s timeout" feature to <a href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> with a one hour default, allowing fresh attempts with <a href="https://man.openbsd.org/cron">cron(8)</a> if rpki-client gets stuck.
372: <!-- other userland -->
373: <li>Added an optional "domain name" <a href="https://man.openbsd.org/acme-client.conf">acme-client.conf(5)</a> option allowing use of multiple domain sections with the same name and creation of an rsa and an ecdsa key for the same domain name.
374: <li>Added <a href="https://man.openbsd.org/netstat">netstat(1)</a> -R to show a summary of rdomains with associated interfaces and tables.
375: <li>Defaulted to showing full IPv6 address entries in the routing tables displayed by <a href="https://man.openbsd.org/route">route(8)</a> show and <a href="https://man.openbsd.org/netstat">netstat(1)</a> -r.
1.27 kn 376: <li>Fixed <a href="https://man.openbsd.org/pcap-filters">pcap-filters(5)</a> on DLT_LOOP links, e.g. <a href="https://man.openbsd.org/lo">lo(4)</a>, <a href="https://man.openbsd.org/gre">gre(4)</a>, <a href="https://man.openbsd.org/wg">wg(4)</a>, etc.
1.1 benno 377: <li>Fixed <a href="https://man.openbsd.org/dhclient">dhclient(8)</a> domain-search option processing.
378: <li>Corrected <a href="https://man.openbsd.org/route">route(8)</a> handling of ::/0 and "route add -inet 0.0.0.0 -prefixlen 0 (gateway)".
1.27 kn 379: <li>Fixed integer underflow in <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a> due to tiny snaplen causing bogus hexdumps.
1.1 benno 380: <li>Added initial <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a> support for handling geneve packets.
381: <li>Added <a href="https://man.openbsd.org/top">top(1)</a> "t" to toggle the display of routing tables.
382: <li>Added filtering by routing table to <a href="https://man.openbsd.org/top">top(1)</a>.
383: <li>Moved <a href="https://man.openbsd.org/ntpd">ntpd(8)</a> to unsynced mode if no replies are received for a while due to connectivity issues.
384: <li>Made <a href="https://man.openbsd.org/slaacd">slaacd(8)</a> handle IPv6 address configuration in all rdomains in a single daemon, instead of running one daemon per rdomain.
385: <li>Added an explanation for <a href="https://man.openbsd.org/acme-client">acme-client(1)</a> account creation failure.
386: </ul>
387:
388: <li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> (and related userland programs) improvements and
389: bugfixes:
390: <ul>
391: <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a> policy lookup edge case for simultaneous transport and tunnel mode SAs.
392: <li>Added AES-GCM mode ciphers for IKEv2, configurable in <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a> with the new "ikesa enc" options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
393: <li>Fixed <a href="https://man.openbsd.org/iked">iked(8)</a> public key authentication interoperability with *swan and other IKEv2 implementations by making CERT and CERTREQ payloads optional.
394: <li>Prioritized incoming certificate requests by the order of CERTREQ payloads in the received message in <a href="https://man.openbsd.org/iked">iked(8)</a>.
395: <li>Added optional <a href="https://man.openbsd.org/iked">iked(8)</a> time-stamp validation for OCSP.
396: <li>Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in <a href="https://man.openbsd.org/iked">iked(8)</a>.
397: <li>Added the new <a href="https://man.openbsd.org/iked">iked(8)</a> configuration option "set enforcesingleikesa" to limit the number of connections for each peer.
398: <li>Added a dpd_check_interval configuration option to <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
399: <li>Allowed disabling of <a href="https://man.openbsd.org/iked">iked(8)</a> DPD liveness checks by setting dpd_check_interval to 0 in <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
400: <li>Added a 30 second timeout for OCSP requests in <a href="https://man.openbsd.org/iked">iked(8)</a>.
401: <li>Added a new "set cert_partial_chain" config option to <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a> to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca.
1.24 kn 402: <li>Fixed a dst/src <a href="https://man.openbsd.org/iked">iked(8)</a> port configuration bug with multiple flows.
403: <li>Handled <a href="https://man.openbsd.org/iked">iked(8)</a> TEMPORARY_FAILURE notification on IKESA rekeying.
1.1 benno 404: </ul>
405:
406: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
407: <ul>
408: <li>Added -W and -T flags to command-prompt to only complete a window and a target.
409: <li>Added the 'e' key in buffer mode to open the buffer in an editor.
410: <li>Added -e for new-session to set environment variables.
411: <li>Changed refresh-client -F to -f and added -f flags to attach-session and switch-client.
412: <li>Added M-+ and M-- to expand and collapse all items in tree mode.
413: <li>Added a customize mode (C) where keys and options can be browsed and changed.
414: <li>Added a -D flag to run in non-daemonized mode.
415: <li>Added a client flag 'active-pane' which stores the active pane in the client and allows it to be changed independently from the real active pane stored in the window.
416: <li>Added an option to set the pane border lines style as single lines, double or heavy, simple or number (the pane numbers).
417: <li>Added support for pausing a <a href="https://man.openbsd.org/tmux">tmux(1)</a> pane when the output buffered for a control mode client is too far behind, controllable with refresh-client -f and -A.
418: <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> -A option to pause a pane manually.
419: <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> -b flags to insert a window before (like the existing -a for after) to break-pane, move-window and new-window.
420: <li>Added d and D keys to <a href="https://man.openbsd.org/tmux">tmux(1)</a> customize mode to reset to defaults.
421: <li>Corrected handling of padding cells while searching in <a href="https://man.openbsd.org/tmux">tmux(1)</a>.
422: <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> -d option to display-message to set delay.
423: <li>Changed <a href="https://man.openbsd.org/tmux">tmux(1)</a> searching to behave more like emacs and prevented regex searching from overlapping when searching forward.
424: <li>Added the <a href="https://man.openbsd.org/tmux">tmux(1)</a> n: modifier to get the length of a format.
425: <li>Allowed a-z keys for <a href="https://man.openbsd.org/tmux">tmux(1)</a> display-panes to jump to higher-numbered panes.
426: <li>Allowed use of -N without a command to change or add a note to an existing key in <a href="https://man.openbsd.org/tmux">tmux(1)</a>.
427: </ul>
428:
429: <li>VMM/VMD and ldom/sparc64 virtualization improvements:
430: <ul>
1.24 kn 431: <li>Fixed <a href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> "init-system" with multiple PCIe root complexes (Oracle SPARC T4-2 machines).
432: <li>Made <a href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> reject vdisk, vnet and iodevice parameters for primary domain.
1.1 benno 433: <li>Made <a href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> "init-system -n" check vcpu and memory constraints.
434: <li>Increased the default number of ldom and ttyV devices for sparc64 from eight to sixteen.
435: <li>Fixed <a href="https://man.openbsd.org/vmd">vmd(8)</a> ns8250 lockup due to a race condition, helping to prevent linux vm crashes when the return key is held on boot.
436: <li>Prevented possible libevent state corruption in <a href="https://man.openbsd.org/vmd">vmd(8)</a>.
437: </ul>
438:
439: <li>OpenSMTPD 6.8.0
440: <ul>
441: <li>Fixed an uninitialized variable and potential stack overflow with IPv6 connections in <a href="https://man.openbsd.org/smtpd">smtpd(8)</a>.
442: <li>Fixed <a href="https://man.openbsd.org/smtpd">smtpd(8)</a> handling of user names containing "@" symbols.
443: <li>Allowed handling of long lines in an <a href="https://man.openbsd.org/smtpd">smtpd(8)</a> aliases table.
444: <li>Removed <a href="https://man.openbsd.org/mail.local">mail.local(8)</a> support for world-writable mail spools.
445: </ul>
446:
447: <li>LibreSSL 3.1.1 XXX <span style="color:red;">Temporary List, replace with LibreSSL ChangeLog:</span>
448: <ul>
449: <li>Enabled the TLSv1.3 server in <a href="https://man.openbsd.org/openssl">openssl(1)</a>.
450: <li>Added -tls1_3 and -no_tls1_3 options to <a href="https://man.openbsd.org/openssl">openssl(1)</a> s_server.
451: <li>Enabled TLSv1.3 support in <a href="https://man.openbsd.org/relayd">relayd(8)</a>.
452: <li>Added a decode error alert when a TLS server provides an empty certificate list.
1.7 jsg 453: <li>Added support for TLS 1.3 server to send certificate status messages with OCSP staples.
1.1 benno 454: <li>Began looking for non-expired certificates first when building a chain, making certificate validation possible for various sites that are serving expired AddTrust certificates.
455: <li>Improved TLSv1.3 client certificate selection to allow use of EC certificates.
456: <li>Added <a href="https://man.openbsd.org/ssl">ssl(8)</a> support for additional GOST curves and aliases for 256-bit GOST curves.
457: <li>Enabled TLSv1.3 for the generic TLS_method().
458: <li>Fixed potential use-after-free and double-free issues in <a href="https://man.openbsd.org/PEM_X509_INFO_read_bio">PEM_X509_INFO_read_bio(3)</a>.
459: <li>Corrected <a href="https://man.openbsd.org/ssl">ssl(8)</a> handling of server requests for an OCSP response.
460: <li>Added P-521 to the list of curves supported by default for TLS.
461: <li>Released <a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt">LibreSSL 3.1.4</a>.
462: <li>Released <a href="https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.1-relnotes.txt">LibreSSL 3.2.1</a>.
463: <li>Fixed a memory leak in x509_constraints_extract_names.
464: </ul>
465: <ul>
466: <li>New Features
467: <ul>
468: <li>...
469: </ul>
470:
471: <li>API and Documentation Enhancements
472: <ul>
473: <li>...
474: </ul>
475:
476: <li>Compatibility Changes
477: <ul>
478: <li>...
479: </ul>
480:
481: <li>Testing and Proactive Security
482: <ul>
483: <li>...
484: </ul>
485:
486: <li>Internal Improvements
487: <ul>
488: <li>...
489: </ul>
490:
491: <li>Portable Improvements
492: <ul>
493: <li>...
494: </ul>
495:
496: <li>Bug Fixes
497: <ul>
498: <li>...
499: </ul>
500: </ul>
501:
1.14 benno 502: <li>OpenSSH 8.4
1.1 benno 503: <ul>
504: <li>Potentially incompatible changes.
1.14 benno 505: <ul>
506:
507: <li>For FIDO/U2F support, OpenSSH recommends the use of libfido2
508: 1.5.0 or greater. Older libraries have limited support at the expense
509: of disabling particular features. These include resident keys, PIN-
510: required keys and multiple attached tokens.
511:
512: <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
513: the format of the attestation information optionally recorded when a
514: FIDO key is generated has changed. It now includes the authenticator
515: data needed to validate attestation signatures.
516:
517: <li>The API between OpenSSH and the FIDO token middleware has
518: changed and the SSH_SK_VERSION_MAJOR version has been incremented as a
519: result. Third-party middleware libraries must support the current API
520: version (7) to work with OpenSSH 8.4.
521:
522: <li>The portable OpenSSH distribution now requires automake to
523: rebuild the configure script and supporting files. This is not
524: required when simply building portable OpenSSH from a release tar
525: file.
526:
527: </ul>
1.1 benno 528: <li>New Features
1.14 benno 529: <ul>
530:
531: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
532: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
533: support for FIDO keys that require a PIN for each use. These keys may
534: be generated using ssh-keygen using a new "verify-required" option.
535: When a PIN-required key is used, the user will be prompted for a PIN
536: to complete the signature operation.
537:
538: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>:
539: authorized_keys now supports a new "verify-required" option to require
540: FIDO signatures to assert that the token verified that the user was
541: present before making the signature. The FIDO protocol supports
542: multiple methods for user-verification, but currently OpenSSH only
543: supports PIN verification.
544:
545: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>, <a
546: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: add
547: support for verifying FIDO webauthn signatures. Webauthn is a standard
548: for using FIDO keys in web browsers. These signatures are a slightly
549: different format to plain FIDO signatures and thus require explicit
550: support.
551:
552: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow some
553: keywords to expand shell-style ${ENV} environment variables. The
554: supported keywords are CertificateFile, ControlPath, IdentityAgent and
555: IdentityFile, plus LocalForward and RemoteForward when used for Unix
556: domain socket paths.
557:
558: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
559: href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: allow some
560: additional control over the use of ssh-askpass via a new
561: $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling
562: and disabling its use.
563:
564: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow <a
565: href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>'s
566: AddKeysToAgent keyword to accept a time limit for keys in addition to its
567: current flag options. Time-limited keys will automatically be removed
568: from ssh-agent after their expiry time has passed.
569:
570: <li><a href="https://man.openbsd.org/scp">scp(1)</a>, <a
571: href="https://man.openbsd.org/sftp">sftp(1)</a>: allow the -A flag to
572: explicitly enable agent forwarding in scp and sftp. The default
573: remains to not forward an agent, even when ssh_config enables it.
574:
575: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add a '%k'
576: TOKEN that expands to the effective HostKey of the destination. This
577: allows, e.g., keeping host keys in individual files using
578: "UserKnownHostsFile ~/.ssh/known_hosts.d/%k".
579:
580: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add %-TOKEN,
581: environment variable and tilde expansion to the UserKnownHostsFile
582: directive, allowing the path to be completed by the configuration.
583:
584: <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
585: allow "ssh-add -d -" to read keys to be deleted from stdin.
586:
587: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: improve
588: logging for MaxStartups connection throttling. sshd will now log when
589: it starts and stops throttling and periodically while in this state.
590:
591:
592: </ul>
1.1 benno 593: <li>Bugfixes
1.14 benno 594: <ul>
595:
596: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
597: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: better
598: support for multiple attached FIDO tokens. In cases where OpenSSH
599: cannot unambiguously determine which token to direct a request to, the
600: user is now required to select a token by touching it. In cases of
601: operations that require a PIN to be verified, this avoids sending the
602: wrong PIN to the wrong token and incrementing the token's PIN failure
603: counter (tokens effectively erase their keys after too many PIN
604: failures).
605:
606: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix Include
607: before Match in <a
608: href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>.
609:
610: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: close
611: stdin/out/error when forking after authentication completes ("ssh -f
612: ...").
613:
614: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
615: href="https://man.openbsd.org/sshd">sshd(8)</a>: limit the amount of
616: channel input data buffered, avoiding peers that advertise large
617: windows but are slow to read from causing high memory consumption.
618:
619: <li><a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>:
620: handle multiple requests sent in a single write() to the agent.
621:
622: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: allow <a
623: href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k.
624:
625: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: avoid
626: spurious "Unable to load host key" message when sshd loads a private
627: key but no public counterpart.
628:
629: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: prefer the
630: default hostkey algorithm list whenever we have a hostkey that matches
631: its best-preference algorithm.
632:
633: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: when
634: ordering the hostkey algorithms to request from a server, prefer
635: certificate types if the known_hosts files contain a key marked as a
636: @cert-authority.
637:
638: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: perform host
639: key fingerprint comparisons for the "Are you sure you want to continue
640: connecting (yes/no/[fingerprint])?" prompt with case sensitivity.
641:
642: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: ensure that
643: address/masklen mismatches in sshd_config yield fatal errors at daemon
644: start time rather than later when they are evaluated.
645:
646: <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
647: ensure that certificate extensions are lexically sorted. Previously if
648: the user specified a custom extension then everything would be in
649: order except the custom ones.
650:
651: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: also compare
652: username when checking for JumpHost loops.
653:
654: <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
655: preserve group/world read permission on known_hosts files across runs
656: of "ssh-keygen -Rf /path". The old behaviour was to remove all rights
657: for group/other.
658:
659: <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
660: Mention the [-a rounds] flag in the ssh-keygen manual page and
661: usage().
662:
663: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: explicitly construct path to ~/.ssh/rc rather than
664: relying on it being relative to the current directory, so that it
665: can still be found if the shell startup changes its directory.
666:
667: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: when
668: redirecting sshd's log output to a file, undo this redirection after
669: the session child process is forked(). Fixes missing log messages when
670: using this feature under some circumstances.
671:
672: <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: start
673: ClientAliveInterval bookkeeping before first pass through select()
674: loop; fixed theoretical case where busy sshd may ignore timeouts from
675: client.
676:
677: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: only reset the
678: ServerAliveInterval check when we receive traffic from the server and
679: ignore traffic from a port forwarding client, preventing a client from
680: keeping a connection alive when it should be terminated.
681:
682: <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
683: avoid spurious error message when ssh-keygen creates files outside
684: ~/.ssh
685:
686: <li><a
687: href="https://man.openbsd.org/sftp-client">sftp-client(1)</a>: fix
688: off-by-one error that caused sftp downloads to make one more
689: concurrent request than desired. This prevented using <a
690: href="https://man.openbsd.org/sftp">sftp(1)</a> in unpipelined
691: request/response mode, which is useful when debugging.
692:
693: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
694: href="https://man.openbsd.org/sshd">sshd(8)</a>: handle EINTR in
695: waitfd() and timeout_connect() helpers.
696:
697: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
698: href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: defer
699: creation of ~/.ssh until we attempt to write to it so we don't leave
700: an empty .ssh directory when it's not needed.
701:
702: <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
703: href="https://man.openbsd.org/sshd">sshd(8)</a>: fix multiplier when
704: parsing time specifications when handling seconds after other units.
705:
706: </ul>
1.1 benno 707: </ul>
708:
709: <li>Ports and packages:
710: <p>The package system provides an easy way to install 3rd party software. New features include:
711: <ul>
712: <li>...
713: </ul>
714:
715: <p>Many pre-built packages for each architecture:
716: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
717: <ul style="column-count: 3">
718: <li>aarch64: XXX
1.11 sthen 719: <li>amd64: 11234
1.1 benno 720: <li>arm: XXX
1.11 sthen 721: <li>i386: 10548
1.1 benno 722: <li>mips64: XXX
723: <li>mips64el: XXX
724: <li>powerpc: XXX
1.15 deraadt 725: <li>powerpc64: XXX
1.1 benno 726: <li>sparc64: XXX
727: </ul>
728:
729: <li>As usual, steady improvements in manual pages and other documentation.
730:
731: <li>The system includes the following major components from outside suppliers: XXX
732: <ul><span style="color:red;">this list needs checking</span>
733: <li>Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
1.4 jsg 734: freetype 2.10.2, fontconfig 2.12.4, Mesa 20.0.8, xterm 351,
1.1 benno 735: xkeyboard-config 2.20 and more)
736: <li>LLVM/Clang 10.0.1 (+ patches)
737: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
738: <li>Perl 5.30.3 (+ patches)
739: <li>NSD 4.3.2
740: <li>Unbound 1.11.0
741: <li>Ncurses 5.7
742: <li>Binutils 2.17 (+ patches)
743: <li>Gdb 6.3 (+ patches)
744: <li>Awk August 7, 2020 version
745: <li>Expat 2.2.8
746: </ul>
747:
748: <ul><span style="color:red;">XXX. We did not list these before, I got them from plus.html. Do we want them here? libfido2 version looks funny.</span>
749: <li>Updated libpcap to 9.0.
750: <li>Updated Spleen kernel fonts to version 1.8.2.
751: <li>Updated libcbor to v0.7.0.
752: <li>Updated <a href="https://man.openbsd.org/xkbcomp">xkbcomp(1)</a> to 1.4.3.
753: <li>Updated to libfido2 46710ac06.
754: </ul>
755:
756:
757: </ul>
758: </section>
759:
760: <hr>
761:
762: <section id=install>
763: <h3>How to install</h3>
764: <p>
765: Please refer to the following files on the mirror site for
766: extensive details on how to install OpenBSD 6.8 on your machine:
767:
768: <ul>
769: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/alpha/INSTALL.alpha">
770: .../OpenBSD/6.8/alpha/INSTALL.alpha</a>
771: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/amd64/INSTALL.amd64">
772: .../OpenBSD/6.8/amd64/INSTALL.amd64</a>
773: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/arm64/INSTALL.arm64">
774: .../OpenBSD/6.8/arm64/INSTALL.arm64</a>
775: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/armv7/INSTALL.armv7">
776: .../OpenBSD/6.8/armv7/INSTALL.armv7</a>
777: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/hppa/INSTALL.hppa">
778: .../OpenBSD/6.8/hppa/INSTALL.hppa</a>
779: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/i386/INSTALL.i386">
780: .../OpenBSD/6.8/i386/INSTALL.i386</a>
781: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/landisk/INSTALL.landisk">
782: .../OpenBSD/6.8/landisk/INSTALL.landisk</a>
783: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/loongson/INSTALL.loongson">
784: .../OpenBSD/6.8/loongson/INSTALL.loongson</a>
785: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/luna88k/INSTALL.luna88k">
786: .../OpenBSD/6.8/luna88k/INSTALL.luna88k</a>
787: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/macppc/INSTALL.macppc">
788: .../OpenBSD/6.8/macppc/INSTALL.macppc</a>
789: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/octeon/INSTALL.octeon">
790: .../OpenBSD/6.8/octeon/INSTALL.octeon</a>
791: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/powerpc64/INSTALL.powerpc64">
792: .../OpenBSD/6.8/powerpc64/INSTALL.powerpc64</a>
793: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/sgi/INSTALL.sgi">
794: .../OpenBSD/6.8/sgi/INSTALL.sgi</a>
795: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.8/sparc64/INSTALL.sparc64">
796: .../OpenBSD/6.8/sparc64/INSTALL.sparc64</a>
797: </ul>
798: </section>
799:
800: <hr>
801:
802: <section id=quickinstall>
803: <p>
804: Quick installer information for people familiar with OpenBSD, and the use of
805: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
806: If you are at all confused when installing OpenBSD, read the relevant
807: INSTALL.* file as listed above!
808:
809: <h3>OpenBSD/alpha:</h3>
810:
811: <p>
812: If your machine can boot from CD, you can write <i>install68.iso</i> or
813: <i>cd68.iso</i> to a CD and boot from it.
814: Refer to INSTALL.alpha for more details.
815:
816: <h3>OpenBSD/amd64:</h3>
817:
818: <p>
819: If your machine can boot from CD, you can write <i>install68.iso</i> or
820: <i>cd68.iso</i> to a CD and boot from it.
821: You may need to adjust your BIOS options first.
822:
823: <p>
1.23 kettenis 824: If your machine can boot from USB, you can write <i>install68.img</i> or
825: <i>miniroot68.img</i> to a USB stick and boot from it.
1.1 benno 826:
827: <p>
828: If you can't boot from a CD, floppy disk, or USB,
829: you can install across the network using PXE as described in the included
830: INSTALL.amd64 document.
831:
832: <p>
833: If you are planning to dual boot OpenBSD with another OS, you will need to
834: read INSTALL.amd64.
835:
836: <h3>OpenBSD/arm64:</h3>
837:
838: <p>
1.23 kettenis 839: Write <i>miniroot68.img</i> to a disk and boot from it after connecting
1.1 benno 840: to the serial console. Refer to INSTALL.arm64 for more details.
841:
842: <h3>OpenBSD/armv7:</h3>
843:
844: <p>
845: Write a system specific miniroot to an SD card and boot from it after connecting
846: to the serial console. Refer to INSTALL.armv7 for more details.
847:
848: <h3>OpenBSD/hppa:</h3>
849:
850: <p>
851: Boot over the network by following the instructions in INSTALL.hppa or the
852: <a href="hppa.html#install">hppa platform page</a>.
853:
854: <h3>OpenBSD/i386:</h3>
855:
856: <p>
857: If your machine can boot from CD, you can write <i>install68.iso</i> or
858: <i>cd68.iso</i> to a CD and boot from it.
859: You may need to adjust your BIOS options first.
860:
861: <p>
1.23 kettenis 862: If your machine can boot from USB, you can write <i>install68.img</i> or
863: <i>miniroot68.img</i> to a USB stick and boot from it.
1.1 benno 864:
865: <p>
866: If you can't boot from a CD, floppy disk, or USB,
867: you can install across the network using PXE as described in
868: the included INSTALL.i386 document.
869:
870: <p>
871: If you are planning on dual booting OpenBSD with another OS, you will need to
872: read INSTALL.i386.
873:
874: <h3>OpenBSD/landisk:</h3>
875:
876: <p>
1.23 kettenis 877: Write <i>miniroot68.img</i> to the start of the CF
1.1 benno 878: or disk, and boot normally.
879:
880: <h3>OpenBSD/loongson:</h3>
881:
882: <p>
1.23 kettenis 883: Write <i>miniroot68.img</i> to a USB stick and boot bsd.rd from it
1.1 benno 884: or boot bsd.rd via tftp.
885: Refer to the instructions in INSTALL.loongson for more details.
886:
887: <h3>OpenBSD/luna88k:</h3>
888:
889: <p>
890: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
891: from the PROM, and then bsd.rd from the bootloader.
892: Refer to the instructions in INSTALL.luna88k for more details.
893:
894: <h3>OpenBSD/macppc:</h3>
895:
896: <p>
897: Burn the image from a mirror site to a CDROM, and power on your machine
898: while holding down the <i>C</i> key until the display turns on and
899: shows <i>OpenBSD/macppc boot</i>.
900:
901: <p>
902: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
903: /6.8/macppc/bsd.rd</i>
904:
905: <h3>OpenBSD/octeon:</h3>
906:
907: <p>
908: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
909: Refer to the instructions in INSTALL.octeon for more details.
910:
911: <h3>OpenBSD/powerpc64:</h3>
912:
913: <p>
1.23 kettenis 914: To install, write <i>install68.img</i> or <i>miniroot68.img</i> to a
915: USB stick, plug it into the machine and choose the <i>OpenBSD
916: install</i> menu item in Petitboot.
1.1 benno 917: Refer to the instructions in INSTALL.powerpc64 for more details.
918:
919: <h3>OpenBSD/sgi:</h3>
920:
921: <p>
922: To install, burn cd68.iso on a CD-R, put it in the CD drive of your
923: machine and select <i>Install System Software</i> from the System Maintenance
924: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
925: CD-ROM, and need a proper invocation from the PROM prompt.
926: Refer to the instructions in INSTALL.sgi for more details.
927:
928: <p>
929: If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
930: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
931: system type. Refer to the instructions in INSTALL.sgi for more details.
932:
933: <h3>OpenBSD/sparc64:</h3>
934:
935: <p>
936: Burn the image from a mirror site to a CDROM, boot from it, and type
937: <i>boot cdrom</i>.
938:
939: <p>
940: If this doesn't work, or if you don't have a CDROM drive, you can write
1.23 kettenis 941: <i>floppy68.img</i> or <i>floppyB68.img</i>
1.1 benno 942: (depending on your machine) to a floppy and boot it with <i>boot
943: floppy</i>. Refer to INSTALL.sparc64 for details.
944:
945: <p>
946: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
947: will most likely fail.
948:
949: <p>
1.23 kettenis 950: You can also write <i>miniroot68.img</i> to the swap partition on
1.1 benno 951: the disk and boot with <i>boot disk:b</i>.
952:
953: <p>
954: If nothing works, you can boot over the network as described in INSTALL.sparc64.
955: </section>
956:
957: <hr>
958:
959: <section id=upgrade>
960: <h3>How to upgrade</h3>
961: <p>
1.2 benno 962: If you already have an OpenBSD 6.7 system, and do not want to reinstall,
1.1 benno 963: upgrade instructions and advice can be found in the
964: <a href="faq/upgrade68.html">Upgrade Guide</a>.
965: </section>
966:
967: <hr>
968:
969: <section id=sourcecode>
970: <h3>Notes about the source code</h3>
971: <p>
972: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
973: This file contains everything you need except for the kernel sources,
974: which are in a separate archive.
975: To extract:
976: <blockquote><pre>
977: # <kbd>mkdir -p /usr/src</kbd>
978: # <kbd>cd /usr/src</kbd>
979: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
980: </pre></blockquote>
981: <p>
982: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
983: This file contains all the kernel sources you need to rebuild kernels.
984: To extract:
985: <blockquote><pre>
986: # <kbd>mkdir -p /usr/src/sys</kbd>
987: # <kbd>cd /usr/src</kbd>
988: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
989: </pre></blockquote>
990: <p>
991: Both of these trees are a regular CVS checkout. Using these trees it
992: is possible to get a head-start on using the anoncvs servers as
993: described <a href="anoncvs.html">here</a>.
994: Using these files
995: results in a much faster initial CVS update than you could expect from
996: a fresh checkout of the full OpenBSD source tree.
997: </section>
998:
999: <hr>
1000:
1001: <section id=ports>
1002: <h3>Ports Tree</h3>
1003: <p>
1004: A ports tree archive is also provided. To extract:
1005: <blockquote><pre>
1006: # <kbd>cd /usr</kbd>
1007: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1008: </pre></blockquote>
1009: <p>
1010: Go read the <a href="faq/ports/index.html">ports</a> page
1011: if you know nothing about ports
1012: at this point. This text is not a manual of how to use ports.
1013: Rather, it is a set of notes meant to kickstart the user on the
1014: OpenBSD ports system.
1015: <p>
1016: The <i>ports/</i> directory represents a CVS checkout of our ports.
1017: As with our complete source tree, our ports tree is available via
1018: <a href="anoncvs.html">AnonCVS</a>.
1019: So, in order to keep up to date with the -stable branch, you must make
1020: the <i>ports/</i> tree available on a read-write medium and update the tree
1021: with a command like:
1022: <blockquote><pre>
1023: # <kbd>cd /usr/ports</kbd>
1024: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_8</kbd>
1025: </pre></blockquote>
1026: <p>
1027: [Of course, you must replace the server name here with a nearby anoncvs
1028: server.]
1029: <p>
1030: Note that most ports are available as packages on our mirrors. Updated
1031: ports for the 6.8 release will be made available if problems arise.
1032: <p>
1033: If you're interested in seeing a port added, would like to help out, or just
1034: would like to know more, the mailing list
1035: <a href="mail.html">ports@openbsd.org</a> is a good place to start.
1036: </section>