Annotation of www/69.html, Revision 1.14
1.1 deraadt 1: <!doctype html>
2: <html lang=en id=release>
3: <meta charset=utf-8>
4:
5: <title>OpenBSD 6.9</title>
6: <meta name="description" content="OpenBSD 6.9">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/69.html">
10:
11: <h2 id=OpenBSD>
12: <a href="index.html">
13: <i>Open</i><b>BSD</b></a>
14: 6.9
15: </h2>
16:
17: <table>
18: <tr>
19: <td>
20: <a href="images/XXX.png">
21: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
22: <td>
1.2 kn 23: Released May 1, 2021.<br>
24: Copyright 1997-2021, Theo de Raadt.<br>
1.1 deraadt 25: <br>
26: 6.9 Song:
27: <a href="lyrics.html#69">"XXX"</a>.
28: <br>
1.7 job 29: Artwork by Joy San.
1.1 deraadt 30: <br>
31: <ul>
32: <li>See the information on <a href="ftp.html">the FTP page</a> for
33: a list of mirror machines.
34: <li>Go to the <code class=reldir>pub/OpenBSD/6.9/</code> directory on
35: one of the mirror sites.
36: <li>Have a look at <a href="errata69.html">the 6.9 errata page</a> for a list
37: of bugs and workarounds.
38: <li>See a <a href="plus69.html">detailed log of changes</a> between the
39: 6.8 and 6.9 releases.
40: <p>
41: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
42: pubkeys for this release:<p>
43:
44: <table class=signify>
45: <tr><td>
46: openbsd-69-base.pub:
47: <td>
48: <a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/openbsd-69-base.pub">
49: RWQZj25CSG5R2oLo5735Hh6C48kkjFsj5rJDjW+fGZwyY+BkD5/zps8f</a>
50: <tr><td>
51: openbsd-69-fw.pub:
52: <td>
53: RWSYx4htNi/zavF8ZToMBDFz2xymRfFnnR1MEKV9csYbvnrTBwdkXhdy
54: <tr><td>
55: openbsd-69-pkg.pub:
56: <td>
57: RWQlDXyHx5KlPoEiz4yWRK/Gt/rvPwI8KEAt3utge/dBS7R+EscdzA5K
58: <tr><td>
59: openbsd-69-syspatch.pub:
60: <td>
61: RWRWuHkSV0U8PUX24vGa3ywrvKNQY6llV3PLvKEzDTiTVPfIRaXPfvzR
62: </table>
63: </ul>
64: <p>
65: All applicable copyrights and credits are in the src.tar.gz,
66: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
67: files fetched via <code>ports.tar.gz</code>.
68: </table>
69:
70: <hr>
71:
72: <section id=new>
73: <h3>What's New</h3>
74: <p>
75: This is a partial list of new features and systems included in OpenBSD 6.9.
76: For a comprehensive list, see the <a href="plus69.html">changelog</a> leading
77: to 6.9.
78:
79: <ul>
80:
81: <li>New/extended platforms:
82: <ul>
1.3 benno 83: <li>Added <a href="https://man.openbsd.org/astfb.4">astfb(4)</a>, a
84: driver for the framebuffer of the Aspeed BMC found on many POWER8 and
85: POWER9 systems.
86: <li>Added bsd.mp to powerpc64's installXX.{img,iso}.
87: <li>Added RETGUARD implementation for powerpc and powerpc64.
88: <li>Added powerpc64 retguard macros for setjmp/longjmp.
89: <li>Added retguard macros to powerpc64 locore functions.
90: <li>Added a workaround for PCIO devices that cannot address the full
91: 64-bit PCI address space to powerpc64. Needed for <a
92: href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> and <a
93: href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> since Radeon
94: GPUs only implement 36, 40, or 44 bits of address space.
95: <li>Added limited emulation of unaligned access in the powerpc64 kernel.
96: <li>Changed <a href="https://man.openbsd.org/astfb.4">astfb(4)</a> to
97: allow it to become the console on powerpc64.
98: <li>Added support for passing a bootmac command line argument to
99: RAMDISK on powerpc64.
1.5 benno 100: <li>Fixed booting on powerpc64 machines with memory banks higher in
101: physical address space, needing a larger TCE table.
102: <li>Introduced power-saving mode on POWER9 (ISA v3).
1.9 benno 103: <li>Enabled floating-point exceptions on powerpc64.
1.10 benno 104: <li>Added support for <a
105: href="https://man.openbsd.org/ipmi.4">ipmi(4)</a> on PowerNV systems.
106:
107: <!-- ARM64 on Apple M1 -->
108: <li>Recognized Apple Icestorm cores on arm64.
109: <li>Added basic support for BCM4379, found on the Apple M1 SoCs, to
110: <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
111: <li>Added <a href="https://man.openbsd.org/exuart.4">exuart(4)</a>
112: support for hte UART found on the Apple M1 SoC.
113: <li>Added <a href="https://man.openbsd.org/apldog.4">apldog(4)</a>, a
114: driver for the watchdog on Apple M1 SoCs, allowing reboot of the
115: machine.
116: <li>Added <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>,
117: a driver for the interrupt controller found on Apple M1 SoCs.
118: <li>Added <a href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a>,
119: a driver for the PCIe host bridge on Apple M1 SoCs.
120: <li>Increased RX buffers available to the <a
121: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> chip to 256,
122: allowing use of the Apple M1's wifi.
123: <li>Added <a href="https://man.openbsd.org/apldart.4">apldart(4)</a>,
124: a driver for the IOMMU on Apple M1 SoCs.
125: <li>Added <a href="https://man.openbsd.org/smmu.4">smmu(4)</a>, a
126: driver for the ARM System MMU.
1.9 benno 127:
128:
129:
130: <!-- loongson -->
131: <li>Made loongson kernels recognize Lynloong LM9002/9003 and LM9013.
132: <li>Use native display resolution 1368x768 for Lynloong all-in-one computers.
133:
134: <li>Disabled base-gcc on loongson and octeon.
1.3 benno 135:
136:
1.1 deraadt 137: </ul>
138:
139: <li>Improvements to time measurements, mostly in the kernel:
140: <ul>
1.9 benno 141: <li>Changed the <a href="https://man.openbsd.org/pool.9">pool(9)</a> timeouts to use the system uptime instead of ticks.
142:
143: <li>Ensured <a href="https://man.openbsd.org/sleep.3">sleep(3)</a>
144: calls <a href="https://man.openbsd.org/nanosleep.2">nanosleep(2)</a>
145: if seconds is zero, now delegating all decisions about whether or not
146: to yield the CPU.
147:
1.1 deraadt 148: </ul>
149:
150: <li>Various kernel improvements:
151: <ul>
1.5 benno 152: <li>Added basic support for kclock timeouts to <a
153: href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
154: <li>Added a top-level 'reboot' command to <a
155: href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
156: <li>Fixed the "entry point at 0x10010000" hang reported on amd64
157: machines by using a 64MB block to load the kernel.
158: <li>Added <a href="https://man.openbsd.org/witness.4">witness(4)</a>
159: check for uninitialized (or zeroed) lock usage.
160: <li>Added fd close notification for kqueue-based <a
161: href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
162: href="https://man.openbsd.org/select.2">select(2)</a>.
163: <li>Added a global "nowake" channel for threads avoiding <a
164: href="https://man.openbsd.org/wakeup.9">wakeup(9)</a> to <a
165: href="https://man.openbsd.org/tsleep.9">tsleep(9)</a>.
166: <li>Corrected accounting of zero length Transfer Descriptors in <a
167: href="https://man.openbsd.org/xhci.4">xhci(4)</a>, preventing running
168: out of free Transfer Ring Blocks.
169: <li>Used per-CPU counter for fault and stats counters reached in uvm_fault().
170: <li>Introduced kern.video.record for <a
171: href="https://man.openbsd.org/video.4">video(4)</a> devices, an analog
172: to the kern.audio.record <a
173: href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> parameter for <a
174: href="https://man.openbsd.org/audio.4">audio(4)</a> devices. By
175: default, kern.video.record will be set to zero and blank all data
176: delivered by drivers attaching to <a
177: href="https://man.openbsd.org/video.4">video(4)</a>.
1.9 benno 178: <li>Allowed a process to open a <a
179: href="https://man.openbsd.org/video.4">video(4)</a> device multiple
180: times. Fixes webcam usage with Firefox and BigBlueButton.
1.10 benno 181: <li>Enabled multiple opens of a <a
182: href="https://man.openbsd.org/video.4">video(4)</a> device as
183: described in the V4L2 specification.
1.5 benno 184: <li>Added trace points for <a
185: href="https://man.openbsd.org/malloc.9">malloc(9)</a> and <a
186: href="https://man.openbsd.org/free.9">free(9)</a>, making them
187: traceabe via <a href="https://man.openbsd.org/dt.4">dt(4)</a> and <a
188: href="https://man.openbsd.org/btrace.8">btrace(8)</a>.
1.9 benno 189: <li>Fixed a boot-time crash on sparc64 due to mutex use during the
190: message buffer initialization.
191: <li>Prevented a panic in some acpi firmware that provided invalid
192: memory regions in their reserved memory region reporting table.
193: <li>Disabled <a href="https://man.openbsd.org/com.4">com(4)</a> on
194: sparc64 for m3000s. Console i/o should fall back to ofw routines.
195:
1.10 benno 196: <li>In softraid(4), added the RAID1C (raid1 + crypto) <a
197: href="https://man.openbsd.org/softraid.4">softraid(4)</a> discipline,
198: encrypting data like the CRYPTO discipline and accepting multiple
199: chunks during creation and assembly like the RAID1 discipline.
200: <li>Corrected raidlevel verification specified by the -c option in <a
201: href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
202:
203: <li>Added a barrier between reading the cqe flags and the command ID
204: to prevent completion of the wrong scsi io for <a
205: href="https://man.openbsd.org/nvme.4">nvme(4)</a> drives.
206: <li>Prevent <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
207: attachment to devices with size zero.
1.9 benno 208: <li>Introduced new function <a
209: href="https://man.openbsd.org/if_unit.9">if_unit(9)</a>, returning a
210: pointer to the interface descriptor corresponding to the unique name.
1.10 benno 211: <li>Clear interrupts on luna88k processors more efficiently at boot
212: time.
213: <li>Added <a
214: href="https://man.openbsd.org/acpiiort.4">acpiiort(4)</a>, a driver
215: for the ACPI I/O Remapping Table.
1.5 benno 216:
1.3 benno 217:
218: <!-- SMP -->
219: <li>Introduced "if_cloners_lock" rwlock and used it to serialize if_clone_{create,destroy}(), avoiding multiple race conditions.
220: <li>Introduced a system-wide mutex that serializes msgbuf operations.
1.5 benno 221: <li>Made <a href="https://man.openbsd.org/uvm_pagealloc.9">uvm_pagealloc(9)</a> of the physical memory allocator mp-safe.
1.9 benno 222: <li>Unlocked <a href="https://man.openbsd.org/getppid.2">getppid(2)</a>.
223: <li>Introduced locking for amaps and anons, improving build performance.
1.10 benno 224: <li>Moved UNIX domain sockets out of the kernel lock, using the new "unp_lock" <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> as solock()'s backend to protect the whole layer.
225:
1.3 benno 226:
227: <!-- DRM -->
228: <li>Implemented linux interval tree functions for <a href="https://man.openbsd.org/drm.4">drm(4)</a>.
229: <li>Fixed <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a> display commands when using <a href="https://man.openbsd.org/drm.4">drm(4)</a> drivers on macppc.
230: <li>Changed from <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> to <a href="https://man.openbsd.org/mutex.9">mutex(9)</a> for linux rwlocks.
231: <li>Fixed a panic associated with locks and <a href="https://man.openbsd.org/drm.4">drm(4)</a> on macppc with Powerbook5,6 and RV350.
232: <li>Revised the initialization of the <a href="https://man.openbsd.org/drm.4">drm(4)</a> Linux emulation layer to call it only when the first drm instance attaches.
1.5 benno 233: <li>Fixed DRI3 support on <a href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> and <a href="https://man.openbsd.org/ati.4">ati(4)</a>.
1.10 benno 234: <li>Created /dev/ drm nodes with the same names as linux to simplify libdrm and negate the need for certain ports patches.
235:
236:
237: <!-- VMM -->
238:
239: <li>Prevented memory corruption or improper page access in <a
240: href="https://man.openbsd.org/vmm.4">vmm(4)</a> due to improper TLB
241: flushing for now by wiring the pages used by virtual machines.
1.3 benno 242:
243:
1.1 deraadt 244: </ul>
245:
246: <li>Various new userland features:
247: <ul>
1.3 benno 248: <li>Added <a
249: href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a> "nolog"
250: option to avoid <a
251: href="https://man.openbsd.org/syslog.3">syslog(3)</a>.
252: <li>Allowed specific <a
253: href="https://man.openbsd.org/sndio.7">sndio(7)</a> devices to be used
254: for play-only and rec-only modes.
1.9 benno 255: <li>Use an 8th order FIR low-pass filter for resampling in <a
256: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> and for <a
257: href="https://man.openbsd.org/aucat.1">aucat(1)</a>, removing most of
258: the aliasing noise during resampling.
1.10 benno 259: <li>Disabled <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
260: autovolume by default and set the default volume to 127. Setting "-w
261: on" will replicate the previous behavior of automatically decreasing
262: playback volume when new programs start playing.
263: <li>Allowed mixing of alternative devices (-F) with different
264: capabilities in <a
265: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> by treating any
266: device as full-duplex.
267: <li>Enabled build and install of <a href="https://man.openbsd.org/lldb.1">lldb(1)</a>.
268: <li>Added <a href="https://man.openbsd.org/logger.1">logger(1)</a>
269: support to <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>, <a
270: href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a> and <a
271: href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> for daemons logging
272: to stdout/stderr.
273:
274:
275: <!-- XXX own heading and introductory text ? -->
276: <li>Introduced <a
277: href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>, a dhcp
278: daemon to acquire IPv4 address leases from servers.
279: <li>Added <a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>,
280: a daemon to rewrite <a
281: href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>.
282:
283:
284:
1.3 benno 285:
1.1 deraadt 286: </ul>
287:
288: <li>Various bugfixes and tweaks in userland:
289: <ul>
1.3 benno 290: <li>Fixed a pledge violation in <a
291: href="https://man.openbsd.org/csh.1">csh(1)</a> where redirecting
292: input from a file containing ^T would cause csh(1) to perform a tty
293: ioctl operation against a non-tty.
1.14 ! tb 294: <li>Made <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a> work
! 295: again when fewer than 3 patches are available.
1.3 benno 296: <li>Stopped exempting file systems from <a
297: href="https://man.openbsd.org/security.8">security(8)</a> on the basis
298: of nodev and nosuid options, which may not be used for file systems
299: mounted beneath.
300: <li>Modified <a href="https://man.openbsd.org/daily.8">daily(8)</a>
301: to stop reporting disk status and networking statistics.
302: <li>Made <a
303: href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> specify
304: a version when it uses <a
305: href="https://man.openbsd.org/fw_update.1">fw_update(1)</a> to avoid
306: the situation where upgrading a pre-6.8 snapshot to 6.8 release with
307: "-r" would install firmware packages from snapshots.
308: <li>Increased speed of the dependency check pass for <a
309: href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
310:
311: <li>Prevented process exit in multithreaded programs from reporting
312: the wrong error code.
313:
1.5 benno 314: <li>Allowed booting of amd64/i386 from 4TB GPT formatted disks.
315:
316: <li>When using the <a href="https://man.openbsd.org/cat.1">cat(1)</a>
317: -n flag, correctly enumerate files with more than INT_MAX lines.
318: <li>Fixed a memory leak in ld.so's malloc.
1.9 benno 319: <li>Added a "xenodm" login class for <a
320: href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> and increased
321: openfiles to 512 to avoid running out of file descriptors with a busy
322: desktop.
323: <li>Fixed -s option for <a href="https://man.openbsd.org/cmp.1">cmp(1)</a>.
324: <li>Improve pledge in <a
325: href="https://man.openbsd.org/doas.1">doas(1)</a>, specifically added
326: pledge to the "-C" code path.
1.6 otto 327: <li>Inproved performance of <a
328: href="https://man.openbsd.org/malloc.3">malloc(3)</a>'s cache.
1.10 benno 329: <li>Made editing GPT in <a
330: href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> safer by
331: defaulting offset to the beginning of the largest free space and
332: preventing the creation of overlapping partitions.
333: <li>Fixed a crash that could occur in <a
334: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> when a usb
335: device is unplugged.
336: <li>Append .html suffixes to temporary files in <a
337: href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> to allow
338: recognition by browsers.
339: <li>Allow specification of a path to the <a
340: href="https://man.openbsd.org/mg.1">mg(1)</a> startup file on the
341: command line.
342:
343:
1.1 deraadt 344: </ul>
345:
346: <li>Improved hardware support and driver bugfixes, including:
347: <ul>
1.3 benno 348:
349: <li>Moved mfokclock(4) from loongson to make it available for other
350: platforms and renamed it to <a
351: href="https://man.openbsd.org/mfokrtc.4">mfokrtc(4)</a>.
352: <li>Fixed brightness setting on MacBooks.
353: <li>Added AMD Vi and Intel VTD IOMMU support. This creates separate
354: domains for each PCI device and can provide protection against invalid
355: memory access.
356: <li>Enabled brightness keys on powerbooks where the keyboard attaches
357: as <a href="https://man.openbsd.org/ukbd.4">ukbd(4)</a>.
358: <li>Set initial default display brightness on macppc via
359: of_setbrightness() to ensure <a
360: href="https://man.openbsd.org/wscons.4">wscons(4)</a> and ofw are in
361: sync.
362: <li>Added the ClearFog GT 8K to <a
363: href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>.
364: <li>Added support for the PL2303HXN series chips to <a
365: href="https://man.openbsd.org/uplcom.4">uplcom(4)</a>.
366: <li>Added support for the PCA9547 I2C mux to <a
367: href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>.
368: <li>Extended <a href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>
369: with ACPI support.
370: <li>Added <a href="https://man.openbsd.org/acpige.4">acpige(4)</a>, a
371: driver for ACPI generic event devices, used on te HoneyComb LX2K to
372: implement power button handling.
373: <li>Added <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>,
374: a driver for the GPIO controllers found on modern Intel PCHs.
375: <li>Added ACPI support to <a
376: href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
377: <li>Fixed panics on the HoneyComb LX2K with <a
378: href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a>.
379: <li>Fixed very old <a
380: href="https://man.openbsd.org/umass.4">umass(4)</a> devices where the
381: INQUIRY command succeeds but with a residue equal to the requested
382: bytes.
1.5 benno 383: <li>Added Gemini Lake I2C id to <a
384: href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>, making the
385: touchpad work on the Teclast F7 Plus laptop.
1.10 benno 386: <li>Introduced <a href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>, a
387: restricted subset of <a
388: href="https://man.openbsd.org/uhid.4">uhid(4)</a> for game controllers
389: which uses /dev/ujoy/* device nodes.
390: <li>Set up <a href="https://man.openbsd.org/ims.4">ims(4)</a> devices
391: in X11 to behave like touchpads.
392: <li>Stopped relying on USB devices to correctly present their
393: indices, instead searching for the correct interfaces. This fixes E+
394: Corp. DAC Audio devices.
395: <li>Introduced <a
396: href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>, a driver for
397: Logitech HID++ devices.
398:
399:
1.3 benno 400:
401: <!-- ARM64 -->
402: <li>Optimized arm64 <a
403: href="https://man.openbsd.org/copyin.9">copyin(9)</a>, <a
404: href="https://man.openbsd.org/copyout.9">copyout(9)</a> and <a
405: href="https://man.openbsd.org/kcopy.9">kcopy(9)</a> by doing 16-byte
406: copies if possible.
407: <li>Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
408: <li>Added clock support for i.MX8MP.
409: <li>Added support for the VF610 I2C controller to <a
410: href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
411: <li>Fixed a panic seen with mbuf chains on arm64.
1.5 benno 412: <li>Added <a href="https://man.openbsd.org/dwgpio.4">dwgpio(4)</a>, a
413: driver for the Synopsys DesignWare GPIO controller.
414: <li>Added "amlogic,meson-g12a-dwmac" to <a
415: href="https://man.openbsd.org/dwge.4">dwge(4)</a>.
416: <li>Added <a
417: href="https://man.openbsd.org/amlpinctrl.4">amlpinctrl(4)</a> support
418: for the "Always On" GPIOs.
419: <li>Added PCIe clocks to <a
420: href="https://man.openbsd.org/amlclock.4">amlclock(4)</a>.
421: <li>Made large read and write transactions work in <a
422: href="https://man.openbsd.org/amliic.4">amliic(4)</a>.
1.9 benno 423: <li>Added PCIe support to <a
424: href="https://man.openbsd.org/amlpciephy.4">amlpciephy(4)</a>.
425: <li>Added support to <a
426: href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> for the PCIe
427: controller found on Amlogic G12A/G12B/SM1 SoCs.
428: <li>Implemented intx support in <a
429: href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a>.
1.10 benno 430: <li>Added <a href="https://man.openbsd.org/cryptox.4">cryptox(4)</a>,
431: a driver for armv8 cryptographic extensions.
432: <li>Added support for PCIe on the NanoPi R4S to <a
433: href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a>.
1.3 benno 434:
435:
1.1 deraadt 436: </ul>
437:
438: <li>New or improved network hardware support:
439: <ul>
1.3 benno 440: <li>Fixed link state change behavior in 82598 <a
441: href="https://man.openbsd.org/ix.4">ix(4)</a> chips.
442: <li>Fixed issues with network stopping after the first down/up cycle
443: in <a href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> Marvel Armada
444: Ethernet device.
445: <li>Added SFP+ support to ofw, including support for direct attach cables.
446: <li>Added 10G media support to <a
447: href="https://man.openbsd.org/mvpp.4">mvpp(4)</a>.
448: <li>Added support for 1000base-x and 2500base-x connections to <a
449: href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>.
450: <li>Added <a href="https://man.openbsd.org/mvsw.4">mvsw(4)</a>, a
451: driver for Marvel "SOHO" switches.
452:
1.5 benno 453: <li>Enabled auto-negotiation on the SerDes links, allowing
454: in-band-status to work between <a
455: href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> and <a
456: href="https://man.openbsd.org/mvsw.4">mvsw(4)</a> on the ClearFog GT
457: 8K.
458: <li>Added support for the i.MX8MP PCIe clocks, USB clocks and second
459: ethernet.
460: <li>Added Wake on LAN support to <a
461: href="https://man.openbsd.org/rge.4">rge(4)</a>.
462: <li>Enabled IPv4 and TCP/UDP checksum offload on transmission in <a
463: href="https://man.openbsd.org/ogx.4">ogx(4)</a>.
1.10 benno 464: <li>Raised the maximum number of queues/interrupts from 1 to 16 on <a
465: href="https://man.openbsd.org/mcx.4">mcx(4)</a> devices.
466: <li>Added support for the Netgear ProSecure UTM25 to octeon.
1.5 benno 467:
468:
1.1 deraadt 469: </ul>
470:
471: <li>Added or improved wireless network drivers:
472: <ul>
1.3 benno 473: <li>Fixed <a href="https://man.openbsd.org/athn.4">athn(4)</a> in
474: client mode against APs that use WPA1/TKIP as the group cipher.
475: <li>Fixed <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a>
476: against access points using WPA1/TKIP as the group cipher.
477: <li>Added multicast support to <a
478: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> to allow IPv6.
479: <li>Fixed <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a>
480: repeated DEAUTH and loss/restoration of link.
1.5 benno 481: <li>Introduced a delay to work around an issue in <a
482: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> on the BCM43602 that
483: was triggering "unexpected pairwise key update" errors.
1.9 benno 484: <li>Enabled <a href="https://man.openbsd.org/athn.4">athn(4)</a> for arm64.
1.10 benno 485: <li>Added support for version 7 of the <a
486: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> PCIe interface.
1.3 benno 487:
1.1 deraadt 488: </ul>
489:
490: <li>IEEE 802.11 wireless stack improvements and bugfixes:
491: <ul>
1.5 benno 492: <li>Fixed the calculation of "maxlen" in <a
493: href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
494: href="https://man.openbsd.org/iwx.4">iwx(4)</a> when there are
495: multiple MPDUs in one packet.
496: <li>Fixed 802.11 RSN capabilities announced to peers.
497: <li>Flushed the reorder buffer after gap timeout to prevent frames
498: from remaining in the buffer until the next frame is received.
499: <li>Avoided spurious "input packet decapsulations failed" errors in
500: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a> -W with
501: A-MSDU enabled.
502:
503:
1.1 deraadt 504: </ul>
505:
506: <li>Generic network stack improvements and bugfixes:
507: <ul>
1.3 benno 508: <li>Prevented kernel reuse of mbuf memory when generating the ICMP6
509: response to an IPv6 packet.
510: <li>Added the ability to force the selection of source IP address for
511: programs that do not specify a source IP, configurable via <a
512: href="https://man.openbsd.org/route.8">route(8)</a>.
513: <li>For IPv6 addresses, added tracking of address proposal creation
514: times to be able to establish total lifetime. This information is used
515: to renew pltime/vltime of privacy addresse per RFC 4941.
516: <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> on macppc
517: by keeping track of allowed ips pointer correctly.
1.10 benno 518: <li>Use the toeplitz hash algorithm to a flowid for tcp packets,
519: which in turn is used to choose the tx ring on network cards with
520: multiple rings.
521: <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> ioctl to
522: handle multiple wgpeers.
523: <li>Removed the direct ACK on every other data segment. After
524: receiving a data segment, we were sending out two ACKs, the first one
525: in tcp_input() direct after receiving and the second ACK after the
526: userland or the sosplice task read some data out of the socket buffer.
527: This change removes the ACK in tcp_input(), saving processing time and
528: improving network performance.
529: <li>Removed the maxburst feature from tcp_output().
530: <li>Added a MONITOR feature to interfaces. Packets received on these
531: interfaces do not enter the network stack for further processing. This
532: can be used to watch traffic, for example with <a
533: href="https://man.openbsd.org/bpf.4">bpf(4)</a> without risk of the packets
534: interfering with the system.
535:
536: <li>Added etherbridge, the internals of a reusable learning bridge
537: interface providing common code reusable for other drivers needing a
538: mac learning bridge.
539: <li>Introduced <a href="https://man.openbsd.org/veb.4">veb(4)</a>, a
540: Virtual Ethernet Bridge driver.
541: <li>Added support for adding and deleting mac addr entries on <a
542: href="https://man.openbsd.org/nvgre.4">nvgre(4)</a>.
543: <li>Added support for adding and deleting address table entries to <a
544: href="https://man.openbsd.org/bpe.4">bpe(4)</a>, <a
545: href="https://man.openbsd.org/veb.4">veb(4)</a> and etherbridge.
546:
547:
1.3 benno 548:
549:
1.1 deraadt 550: </ul>
551:
552: <li>Installer improvements:
553: <ul>
1.5 benno 554: <li>Prevented a race in <a
555: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> privsep
556: which could cause autoinstall to fail by calling <a
557: href="https://man.openbsd.org/ftp.1">ftp(1)</a> without a local
558: address.
559: <li>Fixed hangs on amd64 bsd.rd due to misreported core clock
560: frequency on newer Intel Comet Lake models.
1.9 benno 561: <li>Began distributing the gzip'd version of bsd.rd on all platforms with boot methods supporting it.
1.5 benno 562:
1.1 deraadt 563: </ul>
564:
565: <li>Security improvements:
566: <ul>
1.3 benno 567: <li>Added notices to syslog whenever the "%n" format string component of <a href="https://man.openbsd.org/printf.3">printf(3)</a> is used.
1.1 deraadt 568: </ul>
569:
570: <li>Routing daemons and other userland network improvements:
571: <ul>
1.3 benno 572: <!-- BGP -->
573: <li>Fixed a memory leak when parsing <a
574: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> roa-set lists.
575: <li>Stopped allowing configuration of the same neighbor multiple
576: times in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
1.5 benno 577: <li>When exporting prefixes from multiple sessions in <a
578: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> into the same <a
579: href="https://man.openbsd.org/pf.4">pf(4)</a> table, now prefixes are
580: only removed from the table when withdrawn from all sessions that
581: announced them.
582: <li>Introduced a send hold timer in <a
583: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> to detect stalls on
584: the sending side of a TCP connection, acting as a last resort to
585: detect faulty peers.
586: <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
587: "show sets" to display information about the roa-set, as-sets and
588: prefix-sets loaded into <a
589: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
1.10 benno 590: <li>Introduced the <a
591: href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> per
592: neighbor and global config option "reject as-set yes/no" to allow
593: rejection of received UPDATES with AS_SET segments. These rejected
594: prefixes can be viewed with <a
595: href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> "show rib in
596: error".
597: <li>Properly implemented "rde med compare strict" in <a
598: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and ensured that the
599: order of prefixes is always correct.
600: <li>Added RTR support to <a href="https://man.openbsd.org/bgpd.8">OpenBGPD</a>.
601: <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
602: "show rtr" to display basic information about RTR sessions.
603: <li>Introduced <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
604: <code>rde evaluate all</code> to work around path hiding in IXP
605: route-server environments.
606:
607:
1.5 benno 608:
1.9 benno 609: <li>Allowed use of <a
610: href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> on interfaces that
611: share the same IP.
1.5 benno 612:
1.3 benno 613: <!-- HTTPD -->
1.13 tb 614: <li>Prevented a crash due to
615: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> listening on port
616: 443 with missing TLS certificates.
617: <li>Created a new "location (found|notfound)" option for
618: <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a> to allow
1.3 benno 619: testing for resource path existence.
620: <li>Added a directive to <a
621: href="https://man.openbsd.org/httpd.8">httpd(8)</a> to check if a path
622: is accessible.
623: <li>Fixed detection of duplicate locations in <a
624: href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
1.13 tb 625: <li>Fixed leak of access and error log filenames on config reload in
626: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
627: <li>Avoid leaking the log message in
628: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>'s
629: server_sendlog.
630: <li>Incorrect order of
631: <a href="https://man.openbsd.org/close.2">close(2)</a> and
632: <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
633: together with a bug in LibSSL led to leaking memory in
634: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
635: for each TLS connection.
1.9 benno 636: <li>Fixed the <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
637: example configuration not to generate errors when running without TLS
638: keys already in place.
1.13 tb 639: <li>Optimize disk reads of
640: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
641: by using st_blocksize as high water mark instead of
642: the socket buffer size.
1.3 benno 643:
644:
645: <!-- IKE/IPSEC -->
646: <li>Added support to request IP addresses as IKEv2 initiator to <a
647: href="https://man.openbsd.org/iked.8">iked(8)</a>. If 'request addr
648: 0.0.0.0' is configured, any address will be accepted.
649: <li>Make <a href="https://man.openbsd.org/iked.8">iked(8)</a> accept
650: ANY dynamic address with 'request addr 0.0.0.0'.
651: <li>Added 'dynamic' keyword to <a
652: href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> to allow
653: configuration of flows to dynamically assigned addresses.
654: <li>Added the 'any' keyword to <a
655: href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> for
656: requests to allow "request address any".
657: <li>Enabled <a href="https://man.openbsd.org/iked.8">iked(8)</a>
658: support for ASN1_DN ipsec identifiers.
659: <li>Implemented <a href="https://man.openbsd.org/iked.8">iked(8)</a>
660: "from dynamic," installing flows where "dynamic" is replaced by the
661: received dynamic IP address.
662: <li>Made sure not to replace 0.0.0.0 with a dynamic address in <a
663: href="https://man.openbsd.org/iked.8">iked(8)</a> if it is a network
664: address.
665: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -s
666: socket option to specify a control socket.
667: <li>Used a counter instead of random IV for AES-GCM in <a
668: href="https://man.openbsd.org/iked.8">iked(8)</a>, eliminating the
669: risk of random collisions.
670: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
671: support for multiple address pools.
672: <li>Added the <a href="https://man.openbsd.org/iked.8">iked(8)</a>
673: "set stickyaddress" option, which attempts to assign the same "config
674: address" when an IKESA is negotiated with the DSTID of an existing
675: IKESA.
676: <li>Ensured rekeying of every child SA in <a
677: href="https://man.openbsd.org/iked.8">iked(8)</a>.
1.5 benno 678: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> support
679: for RSASSA-PSS signature verification (RFC 7427).
680: <li>Corrected the first packet of an <a
681: href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> SA to have
682: sequence number 1.
683: <li>Accepted reject and blackhole routes for IPsec PMTU discovery.
684: <li>Prevented leaking of ipsec_hosts in <a
685: href="https://man.openbsd.org/iked.8">iked(8)</a> when building
686: hosts_list.
687: <li>Prevented initiation of new additional SAs for each policy upon
688: every <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> config
689: reload.
690: <li>Fixed "any" and "dynamic" keywords for flows in <a
691: href="https://man.openbsd.org/iked.8">iked(8)</a> and added proper
692: IPv6 support.
1.9 benno 693: <li>Created a path MTU host route for <a
694: href="https://man.openbsd.org/ipsec.4">IPsec(4)</a> over IPv6.
1.10 benno 695: <li>Added support for INVALID_KE_PAYLOAD in <a
696: href="https://man.openbsd.org/iked.8">iked(8)</a> CREATE_CHILD_SA
697: exchange.
698: <li>Added support for RSA-PSS PKCS1 signatures to <a
699: href="https://man.openbsd.org/iked.8">iked(8)</a>.
700: <li>Fixed path MTU discovery for ESP tunnels in IPv6.
701: <li>Upgraded to OpenSSL 1.1 compatible crypto API in <a
702: href="https://man.openbsd.org/iked.8">iked(8)</a>.
703: <li>Added an optional "group none" transform for child SAs in <a
704: href="https://man.openbsd.org/iked.8">iked(8)</a> to ensure the
705: ability to negotiate optional PFS.
706: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
707: dynamic address configuration for roadwarrior clients, with a new
708: "iface" config option which can be used to specify an interface for
709: the virtual addresses received from the peer.
1.3 benno 710:
711:
712: <!-- LDAP -->
713: <li>Fixed <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a> cert
714: and key path inference for absolute paths.
1.14 ! tb 715: <li>Fixed incorrect cast in a
! 716: <a href="https://man.openbsd.org/vsnprintf(3)">vsnprintf(3)</a>
! 717: error check
! 718: in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
1.10 benno 719: <li>Applied <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>
720: to <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
1.3 benno 721:
722:
723: <!-- PF -->
724: <li>Relaxed checks in <a
725: href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> and <a
726: href="https://man.openbsd.org/pf.4">pf(4)</a> to accept any valid
727: routing domain, even if it does not yet exist.
1.5 benno 728: <li>Made <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
729: detect and reject bogus ranges before loading the ruleset to prevent a
730: panic.
1.10 benno 731: <li>Changed route-to in <a
732: href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> to send
733: packets to IPs instead of interfaces.
734: <li>Changed pf_route so <a
735: href="https://man.openbsd.org/pf.4">pf(4)</a> only runs when packets
736: enter and leave the stack. Running the same packet through pf multiple
737: times creates confusion for the state table. By default, pf states are
738: floating, meaning that packets are matched to states regardless of
739: which interface they're going over. This diff avoids multiple pf(4)
740: traversals of one packet causing confusion in the state table.
741: <li>Prevented the kernel from being stuck in an endless recursion
742: during TCP path MTU discovery when <a
743: href="https://man.openbsd.org/pf.4">pf(4)</a> changes the routing
744: table when sending packets.
745: <li>When cutting off the head of an overlapping fragment during <a
746: href="https://man.openbsd.org/pf.4">pf(4)</a> reassembly, reinserted
747: the fragment into the lookup table with the correct index.
1.5 benno 748:
1.3 benno 749:
1.5 benno 750: <!-- dig -->
751: <li>Implemented RFC 8914 Extended DNS Errors for <a
752: href="https://man.openbsd.org/dig.1">dig(1)</a>.
753: <li>Fixed <a href="https://man.openbsd.org/dig.1">dig(1)</a> EDNS
754: Client Subnet option (+subnet=).
755: <li>Fixed IPv6 link-local address handling for nameservers to talk to
756: and address to bind to in <a
757: href="https://man.openbsd.org/dig.1">dig(1)</a>.
758:
759: <!-- dhclient -->
760: <li>Fixed incorrect behavior when using <a
761: href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> to
762: change the lease renew/rebind/expiry timing.
763: <li>Allowed the provision of <a
764: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> options on
765: "dhcp" lines in <a
766: href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
767:
768:
769: <!-- other -->
1.3 benno 770: <li>Changed <a href="https://man.openbsd.org/ping.8">ping(8)</a> to
771: drain the raw socket of packets received before we were fully setup to
772: avoid reporting ICMP responses intended for other instances of ping(8)
773: running in parallel.
1.10 benno 774: <li>Added <a href="https://man.openbsd.org/ping.8">ping(8)</a> -g
775: option to provide a visual display of packets received and lost.
1.3 benno 776:
777: <li>Changed <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>
778: Duplicate Address Detection (DAD) to only generate a new address if we
779: are using Semantically Opaque Interface Identifiers.
780: <li>Handled an autoconf interface changing its rdomain in <a
781: href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.
1.14 ! tb 782: <li>Do not leak the domains listed in
! 783: <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>'s
! 784: blocklist file on each config reload.
! 785: <li>Do not leak duplicate domain nodes when loading the
! 786: <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>
! 787: config.
1.3 benno 788: <li>Fixed rare crashes of <a
789: href="https://man.openbsd.org/unwind.8">unwind(8)</a> when DNS answers
790: are larger than the maximum imsg size.
1.9 benno 791: <li>Implemented <a
792: href="https://man.openbsd.org/unwind.8">unwind(8)</a> listening on
793: TCP.
1.10 benno 794: <li>Implemented DNS64 synthesis in <a
795: href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
796: <li>Disabled logging to <a
797: href="https://man.openbsd.org/syslog.3">syslog(3)</a> for libunbound
798: with <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>. Does
799: not prevent logging to stderr with "unwind -d".
800:
1.3 benno 801: <li>Removed the -L option from <a
802: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
803: <li>Added a simple --timeout implementation to <a
804: href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>.
805: <li>Added support for the use of !command to <a
806: href="https://man.openbsd.org/mygate.5">mygate(5)</a>, so that
807: netstart has a late opportunity to perform network configuration.
1.5 benno 808: <li>Make <a href="https://man.openbsd.org/rad.8">rad(8)</a> to handle
809: multiple rdomains in a single daemon (instead of running it in
810: multiple rdomains).
811: <li>Added a specific headline to <a
812: href="https://man.openbsd.org/netstat.1">netstat(1)</a> for TCP state
813: and IP protocol.
1.9 benno 814: <li>Handle permanent redirects (RFC 7538) in <a
1.5 benno 815: href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch.
1.10 benno 816: <li>Introduced <a href="https://man.openbsd.org/ftp.1">ftp(1)</a>
817: support for sending the If-Modified-Since header while fetching over
818: http or https. Switched to using the timestamps from the remote
819: server's Last-Modified header if available when saving local files and
820: introduced the ftp "-u" flag to disable this behavior.
821:
1.9 benno 822: <li>Added requests for a new certificate without requiring -F when <a
823: href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
824: detects an added or removed SAN in the config file not reflected in
825: the existing certificate on disk.
826: <li>Print rewritten addresses in <a
827: href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> logged with <a
828: href="https://man.openbsd.org/pflog.4">pflog(4)</a> for rdr-to, nat-to
829: and af-to rules.
1.10 benno 830: <li>Removed the <a
831: href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> traphandler
832: process.
833: <li>When calling <a
834: href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> with
835: AI_ADDRCONFIG, consider the routing domain when checking for available
836: address families. This ensures that name resolution is only performed
837: for the address families available in the rdomain.
838: <li>Implemented the <a href="https://man.openbsd.org/nc.1">nc(1)</a>
839: -D socket debug option in <a
840: href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>, allowing
841: analysis of TCP connections.
1.14 ! tb 842: <li>Avoid leaking the help text in
! 843: <a href="https://man.openbsd.org/tcpbench.1">systat(8)</a>.
! 844: <li>Simplify argument parsing of
! 845: <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> stop
! 846: thereby avoiding a
! 847: <a href="https://man.openbsd.org/printf.3">printf(3)</a> "%s" NULL,
! 848: a use of uninitialized and a dead else branch.
1.10 benno 849:
1.9 benno 850:
1.3 benno 851:
1.1 deraadt 852: </ul>
853:
854: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
855: <ul>
1.5 benno 856: <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
1.1 deraadt 857: </ul>
858:
859: <li>OpenSMTPD 6.9.0
860: <ul>
1.5 benno 861: <li>Introduced <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>
862: -a to perform authentication before sending a message.
863: <li>Fixed a memory leak in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> resolver.
864: <li>Prevented a crash due to premature release of resources by the <a
865: href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> filter state
866: machine.
1.12 eric 867: <li>Switch to libtls internally.
868: <li>Change the way SNI works in <a href="https://man.openbsd.org/smtpd.conf.5#pki~2">smtpd.conf(5)</a>.
869: TLS listeners may be configured with multiple certificates,
870: the matching is based on the names included in these certificates.
871: <li>Allow to specify tls protocols and ciphers per listener and relay action.
1.5 benno 872:
1.1 deraadt 873: </ul>
874:
875: <li>LibreSSL 3.2.2
876: <ul>
877: <li>New Features
878: <ul>
1.11 benno 879: <!-- taken from plus.html, not sorted into categories:
1.3 benno 880: <li>Added a -legacy_verify flag to <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> to force use of the old validator.
881: <li>Changed <a href="https://man.openbsd.org/crypto.3">crypto(3)</a>
882: to call its get_issuer() callback to try and find a suitable
883: certificate in cases where it has failed to find a print certificate
884: from the supplied roots and intermediates.
885: <li>Corrected an issue where <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> verify might not error on expired certificates.
886: <li>Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
887: <li>Implemented auto chain for the TLSv1.3 server.
888: <li>Implemented the key material exporter for TLSv1.3.
1.9 benno 889: <li>Fixed problems which could arise with software such as bacula and icinga when a root certificate was specified as both a trusted and an untrusted certificate.
890: <li>Added support for <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> in TLSv1.3 and fixed to correctly return ciphers shared by the client and the server.
1.11 benno 891: -->
1.3 benno 892:
1.1 deraadt 893: </ul>
894:
895: <li>API and Documentation Enhancements
896: <ul>
897: <li>...
898: </ul>
899:
900: <li>Compatibility Changes
901: <ul>
902: <li>...
903: </ul>
904:
905: <li>Testing and Proactive Security
906: <ul>
907: <li>...
908: </ul>
909:
910: <li>Internal Improvements
911: <ul>
912: <li>...
913: </ul>
914:
915: <li>Portable Improvements
916: <ul>
917: <li>...
918: </ul>
919:
920: <li>Bug Fixes
921: <ul>
922: <li>...
923: </ul>
924: </ul>
925:
926: <li>OpenSSH 8.4
1.3 benno 927:
1.1 deraadt 928: <ul>
1.3 benno 929:
1.11 benno 930: <!-- XXX taken from plus.html, not sorted into categories yet
1.3 benno 931: <li>Preferred ed25519 signature algorithm variants over ECDSA in <a
932: href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> and <a
933: href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
934: <li>Enabled <a
935: href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
936: UpdateHostkeys by default when the configuration has not overridden
937: UserKnownHostFile.
938: <li>Prefixed <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
939: keyboard interactive prompts with "user@host" for easier
940: identification of connections.
941: <li>Displayed any other hostnames/addresses associated with a new
942: hostkey when <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
943: prompts the user to accept it.
944: <li>When doing an <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>
945: recursive upload or download of a read-only directory, ensured that
946: the directory was created with write and execute permissions in the
947: interim to allow the transfer.
948: <li>Set the specified TOS/DSCP for interactive use prior to TCP
949: connect in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>.
950: <li>CLeaned up passing of struct passwd from monitor to preauth
951: privsep process in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>.
1.5 benno 952: <li>Added an <a
953: href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
954: KnownHostsCommand that allows the client to obtain known_hosts data
955: from a command in addition to the usual files.
1.9 benno 956: <li>Made CheckHostIP default to "no" in <a
957: href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>.
958: <li>Added PerSourceMaxStartups and PerSourceNetBlockSize options to
959: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
1.10 benno 960: <li>Renamed the PubkeyAcceptedKeyTypes keyword to
961: PubkeyAcceptedAlgorithms in <a
962: href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> and <a
963: href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
964: <li>Renamed the HostbasedKeyTypes keyword in <a
965: href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> and the
966: HostbasedAcceptedKeyTypes keyword in <a
967: href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> to
968: HostbasedAcceptedAlgorithms.
969: <li>Added PermitRemoteOpen to <a
970: href="https://man.openbsd.org/ssh.1">ssh(1)</a> for remote dynamic
971: forwarding with SOCKS.
1.11 benno 972: -->
1.3 benno 973:
1.1 deraadt 974: <li>Potentially incompatible changes.
975: <ul>
976: <li>...
977: </ul>
978: <li>New Features
979: <ul>
980: <li>...
981: </ul>
982: <li>Bugfixes
983: <ul>
984: <li>...
985: </ul>
986: </ul>
987:
988: <li>Ports and packages:
989: <p>Many pre-built packages for each architecture:
990: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
991: <ul style="column-count: 3">
992: <li>aarch64: XXX
993: <li>amd64: XXX
994: <li>arm: XXX
995: <li>i386: XXX
996: <li>mips64: XXX
997: <li>mips64el: XXX
998: <li>powerpc: XXX
999: <li>powerpc64: XXX
1000: <li>sparc64: XXX
1001: </ul>
1002:
1003: <li>As usual, steady improvements in manual pages and other documentation.
1004:
1005: <li>The system includes the following major components from outside suppliers:
1006: <ul>
1.5 benno 1007:
1008: <li>Xenocara (based on X.Org 7.7 with xserver 1.20.10 + patches,
1.10 benno 1009: freetype 2.10.4, fontconfig 2.12.4, Mesa 20.0.8, xterm 366,
1.5 benno 1010: xkeyboard-config 2.20, fonttosfnt 1.2.1 and more)
1.1 deraadt 1011: <li>LLVM/Clang 10.0.1 (+ patches)
1012: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.10 benno 1013: <li>Perl 5.32.1 (+ patches)
1.8 florian 1014: <li>NSD 4.3.6
1015: <li>Unbound 1.13.1
1.1 deraadt 1016: <li>Ncurses 5.7
1017: <li>Binutils 2.17 (+ patches)
1018: <li>Gdb 6.3 (+ patches)
1.5 benno 1019: <li>Awk December 18, 2020 version
1020: <li>Expat 2.2.10
1.1 deraadt 1021: </ul>
1022:
1023: </ul>
1024: </section>
1025:
1026: <hr>
1027:
1028: <section id=install>
1029: <h3>How to install</h3>
1030: <p>
1031: Please refer to the following files on the mirror site for
1032: extensive details on how to install OpenBSD 6.9 on your machine:
1033:
1034: <ul>
1035: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/alpha/INSTALL.alpha">
1036: .../OpenBSD/6.9/alpha/INSTALL.alpha</a>
1037: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/amd64/INSTALL.amd64">
1038: .../OpenBSD/6.9/amd64/INSTALL.amd64</a>
1039: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/arm64/INSTALL.arm64">
1040: .../OpenBSD/6.9/arm64/INSTALL.arm64</a>
1041: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/armv7/INSTALL.armv7">
1042: .../OpenBSD/6.9/armv7/INSTALL.armv7</a>
1043: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/hppa/INSTALL.hppa">
1044: .../OpenBSD/6.9/hppa/INSTALL.hppa</a>
1045: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/i386/INSTALL.i386">
1046: .../OpenBSD/6.9/i386/INSTALL.i386</a>
1047: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/landisk/INSTALL.landisk">
1048: .../OpenBSD/6.9/landisk/INSTALL.landisk</a>
1049: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/loongson/INSTALL.loongson">
1050: .../OpenBSD/6.9/loongson/INSTALL.loongson</a>
1051: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/luna88k/INSTALL.luna88k">
1052: .../OpenBSD/6.9/luna88k/INSTALL.luna88k</a>
1053: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/macppc/INSTALL.macppc">
1054: .../OpenBSD/6.9/macppc/INSTALL.macppc</a>
1055: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/octeon/INSTALL.octeon">
1056: .../OpenBSD/6.9/octeon/INSTALL.octeon</a>
1057: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/powerpc64/INSTALL.powerpc64">
1.4 landry 1058: .../OpenBSD/6.9/powerpc64/INSTALL.powerpc64</a>
1.1 deraadt 1059: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sgi/INSTALL.sgi">
1060: .../OpenBSD/6.9/sgi/INSTALL.sgi</a>
1061: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sparc64/INSTALL.sparc64">
1062: .../OpenBSD/6.9/sparc64/INSTALL.sparc64</a>
1063: </ul>
1064: </section>
1065:
1066: <hr>
1067:
1068: <section id=quickinstall>
1069: <p>
1070: Quick installer information for people familiar with OpenBSD, and the use of
1071: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1072: If you are at all confused when installing OpenBSD, read the relevant
1073: INSTALL.* file as listed above!
1074:
1075: <h3>OpenBSD/alpha:</h3>
1076:
1077: <p>
1078: If your machine can boot from CD, you can write <i>install69.iso</i> or
1079: <i>cd69.iso</i> to a CD and boot from it.
1080: Refer to INSTALL.alpha for more details.
1081:
1082: <h3>OpenBSD/amd64:</h3>
1083:
1084: <p>
1085: If your machine can boot from CD, you can write <i>install69.iso</i> or
1086: <i>cd69.iso</i> to a CD and boot from it.
1087: You may need to adjust your BIOS options first.
1088:
1089: <p>
1090: If your machine can boot from USB, you can write <i>install69.img</i> or
1091: <i>miniroot69.img</i> to a USB stick and boot from it.
1092:
1093: <p>
1094: If you can't boot from a CD, floppy disk, or USB,
1095: you can install across the network using PXE as described in the included
1096: INSTALL.amd64 document.
1097:
1098: <p>
1099: If you are planning to dual boot OpenBSD with another OS, you will need to
1100: read INSTALL.amd64.
1101:
1102: <h3>OpenBSD/arm64:</h3>
1103:
1104: <p>
1105: Write <i>miniroot69.img</i> to a disk and boot from it after connecting
1106: to the serial console. Refer to INSTALL.arm64 for more details.
1107:
1108: <h3>OpenBSD/armv7:</h3>
1109:
1110: <p>
1111: Write a system specific miniroot to an SD card and boot from it after connecting
1112: to the serial console. Refer to INSTALL.armv7 for more details.
1113:
1114: <h3>OpenBSD/hppa:</h3>
1115:
1116: <p>
1117: Boot over the network by following the instructions in INSTALL.hppa or the
1118: <a href="hppa.html#install">hppa platform page</a>.
1119:
1120: <h3>OpenBSD/i386:</h3>
1121:
1122: <p>
1123: If your machine can boot from CD, you can write <i>install69.iso</i> or
1124: <i>cd69.iso</i> to a CD and boot from it.
1125: You may need to adjust your BIOS options first.
1126:
1127: <p>
1128: If your machine can boot from USB, you can write <i>install69.img</i> or
1129: <i>miniroot69.img</i> to a USB stick and boot from it.
1130:
1131: <p>
1132: If you can't boot from a CD, floppy disk, or USB,
1133: you can install across the network using PXE as described in
1134: the included INSTALL.i386 document.
1135:
1136: <p>
1137: If you are planning on dual booting OpenBSD with another OS, you will need to
1138: read INSTALL.i386.
1139:
1140: <h3>OpenBSD/landisk:</h3>
1141:
1142: <p>
1143: Write <i>miniroot69.img</i> to the start of the CF
1144: or disk, and boot normally.
1145:
1146: <h3>OpenBSD/loongson:</h3>
1147:
1148: <p>
1149: Write <i>miniroot69.img</i> to a USB stick and boot bsd.rd from it
1150: or boot bsd.rd via tftp.
1151: Refer to the instructions in INSTALL.loongson for more details.
1152:
1153: <h3>OpenBSD/luna88k:</h3>
1154:
1155: <p>
1156: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1157: from the PROM, and then bsd.rd from the bootloader.
1158: Refer to the instructions in INSTALL.luna88k for more details.
1159:
1160: <h3>OpenBSD/macppc:</h3>
1161:
1162: <p>
1163: Burn the image from a mirror site to a CDROM, and power on your machine
1164: while holding down the <i>C</i> key until the display turns on and
1165: shows <i>OpenBSD/macppc boot</i>.
1166:
1167: <p>
1168: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1169: /6.9/macppc/bsd.rd</i>
1170:
1171: <h3>OpenBSD/octeon:</h3>
1172:
1173: <p>
1174: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1175: Refer to the instructions in INSTALL.octeon for more details.
1176:
1177: <h3>OpenBSD/powerpc64:</h3>
1178:
1179: <p>
1180: To install, write <i>install69.img</i> or <i>miniroot69.img</i> to a
1181: USB stick, plug it into the machine and choose the <i>OpenBSD
1182: install</i> menu item in Petitboot.
1183: Refer to the instructions in INSTALL.powerpc64 for more details.
1184:
1185: <h3>OpenBSD/sgi:</h3>
1186:
1187: <p>
1188: To install, burn cd69.iso on a CD-R, put it in the CD drive of your
1189: machine and select <i>Install System Software</i> from the System Maintenance
1190: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
1191: CD-ROM, and need a proper invocation from the PROM prompt.
1192: Refer to the instructions in INSTALL.sgi for more details.
1193:
1194: <p>
1195: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
1196: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
1197: system type. Refer to the instructions in INSTALL.sgi for more details.
1198:
1199: <h3>OpenBSD/sparc64:</h3>
1200:
1201: <p>
1202: Burn the image from a mirror site to a CDROM, boot from it, and type
1203: <i>boot cdrom</i>.
1204:
1205: <p>
1206: If this doesn't work, or if you don't have a CDROM drive, you can write
1207: <i>floppy69.img</i> or <i>floppyB69.img</i>
1208: (depending on your machine) to a floppy and boot it with <i>boot
1209: floppy</i>. Refer to INSTALL.sparc64 for details.
1210:
1211: <p>
1212: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1213: will most likely fail.
1214:
1215: <p>
1216: You can also write <i>miniroot69.img</i> to the swap partition on
1217: the disk and boot with <i>boot disk:b</i>.
1218:
1219: <p>
1220: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1221: </section>
1222:
1223: <hr>
1224:
1225: <section id=upgrade>
1226: <h3>How to upgrade</h3>
1227: <p>
1228: If you already have an OpenBSD 6.7 system, and do not want to reinstall,
1229: upgrade instructions and advice can be found in the
1230: <a href="faq/upgrade69.html">Upgrade Guide</a>.
1231: </section>
1232:
1233: <hr>
1234:
1235: <section id=sourcecode>
1236: <h3>Notes about the source code</h3>
1237: <p>
1238: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1239: This file contains everything you need except for the kernel sources,
1240: which are in a separate archive.
1241: To extract:
1242: <blockquote><pre>
1243: # <kbd>mkdir -p /usr/src</kbd>
1244: # <kbd>cd /usr/src</kbd>
1245: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1246: </pre></blockquote>
1247: <p>
1248: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1249: This file contains all the kernel sources you need to rebuild kernels.
1250: To extract:
1251: <blockquote><pre>
1252: # <kbd>mkdir -p /usr/src/sys</kbd>
1253: # <kbd>cd /usr/src</kbd>
1254: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1255: </pre></blockquote>
1256: <p>
1257: Both of these trees are a regular CVS checkout. Using these trees it
1258: is possible to get a head-start on using the anoncvs servers as
1259: described <a href="anoncvs.html">here</a>.
1260: Using these files
1261: results in a much faster initial CVS update than you could expect from
1262: a fresh checkout of the full OpenBSD source tree.
1263: </section>
1264:
1265: <hr>
1266:
1267: <section id=ports>
1268: <h3>Ports Tree</h3>
1269: <p>
1270: A ports tree archive is also provided. To extract:
1271: <blockquote><pre>
1272: # <kbd>cd /usr</kbd>
1273: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1274: </pre></blockquote>
1275: <p>
1276: Go read the <a href="faq/ports/index.html">ports</a> page
1277: if you know nothing about ports
1278: at this point. This text is not a manual of how to use ports.
1279: Rather, it is a set of notes meant to kickstart the user on the
1280: OpenBSD ports system.
1281: <p>
1282: The <i>ports/</i> directory represents a CVS checkout of our ports.
1283: As with our complete source tree, our ports tree is available via
1284: <a href="anoncvs.html">AnonCVS</a>.
1285: So, in order to keep up to date with the -stable branch, you must make
1286: the <i>ports/</i> tree available on a read-write medium and update the tree
1287: with a command like:
1288: <blockquote><pre>
1289: # <kbd>cd /usr/ports</kbd>
1290: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_9</kbd>
1291: </pre></blockquote>
1292: <p>
1293: [Of course, you must replace the server name here with a nearby anoncvs
1294: server.]
1295: <p>
1296: Note that most ports are available as packages on our mirrors. Updated
1297: ports for the 6.9 release will be made available if problems arise.
1298: <p>
1299: If you're interested in seeing a port added, would like to help out, or just
1300: would like to know more, the mailing list
1301: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1302: </section>