Annotation of www/69.html, Revision 1.38
1.1 deraadt 1: <!doctype html>
2: <html lang=en id=release>
3: <meta charset=utf-8>
4:
5: <title>OpenBSD 6.9</title>
6: <meta name="description" content="OpenBSD 6.9">
7: <meta name="viewport" content="width=device-width, initial-scale=1">
8: <link rel="stylesheet" type="text/css" href="openbsd.css">
9: <link rel="canonical" href="https://www.openbsd.org/69.html">
10:
11: <h2 id=OpenBSD>
12: <a href="index.html">
13: <i>Open</i><b>BSD</b></a>
14: 6.9
15: </h2>
16:
17: <table>
18: <tr>
19: <td>
20: <a href="images/XXX.png">
21: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
22: <td>
1.2 kn 23: Released May 1, 2021.<br>
24: Copyright 1997-2021, Theo de Raadt.<br>
1.1 deraadt 25: <br>
1.26 benno 26: This is the 50th OpenBSD release.<br>
27: <br>
1.1 deraadt 28: 6.9 Song:
29: <a href="lyrics.html#69">"XXX"</a>.
30: <br>
1.7 job 31: Artwork by Joy San.
1.1 deraadt 32: <br>
33: <ul>
34: <li>See the information on <a href="ftp.html">the FTP page</a> for
35: a list of mirror machines.
36: <li>Go to the <code class=reldir>pub/OpenBSD/6.9/</code> directory on
37: one of the mirror sites.
38: <li>Have a look at <a href="errata69.html">the 6.9 errata page</a> for a list
39: of bugs and workarounds.
40: <li>See a <a href="plus69.html">detailed log of changes</a> between the
41: 6.8 and 6.9 releases.
42: <p>
43: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
44: pubkeys for this release:<p>
45:
46: <table class=signify>
47: <tr><td>
48: openbsd-69-base.pub:
49: <td>
50: <a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/openbsd-69-base.pub">
51: RWQZj25CSG5R2oLo5735Hh6C48kkjFsj5rJDjW+fGZwyY+BkD5/zps8f</a>
52: <tr><td>
53: openbsd-69-fw.pub:
54: <td>
55: RWSYx4htNi/zavF8ZToMBDFz2xymRfFnnR1MEKV9csYbvnrTBwdkXhdy
56: <tr><td>
57: openbsd-69-pkg.pub:
58: <td>
59: RWQlDXyHx5KlPoEiz4yWRK/Gt/rvPwI8KEAt3utge/dBS7R+EscdzA5K
60: <tr><td>
61: openbsd-69-syspatch.pub:
62: <td>
63: RWRWuHkSV0U8PUX24vGa3ywrvKNQY6llV3PLvKEzDTiTVPfIRaXPfvzR
64: </table>
65: </ul>
66: <p>
67: All applicable copyrights and credits are in the src.tar.gz,
68: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
69: files fetched via <code>ports.tar.gz</code>.
70: </table>
71:
72: <hr>
73:
74: <section id=new>
75: <h3>What's New</h3>
76: <p>
77: This is a partial list of new features and systems included in OpenBSD 6.9.
78: For a comprehensive list, see the <a href="plus69.html">changelog</a> leading
79: to 6.9.
80:
81: <ul>
82:
83: <li>New/extended platforms:
84: <ul>
1.15 benno 85: <li>Support for the <a href="powerpc64.html">powerpc64</a> platform was improved:
86: <ul>
1.3 benno 87: <li>Added <a href="https://man.openbsd.org/astfb.4">astfb(4)</a>, a
88: driver for the framebuffer of the Aspeed BMC found on many POWER8 and
89: POWER9 systems.
90: <li>Added bsd.mp to powerpc64's installXX.{img,iso}.
91: <li>Added RETGUARD implementation for powerpc and powerpc64.
92: <li>Added powerpc64 retguard macros for setjmp/longjmp.
93: <li>Added retguard macros to powerpc64 locore functions.
94: <li>Added a workaround for PCIO devices that cannot address the full
95: 64-bit PCI address space to powerpc64. Needed for <a
96: href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> and <a
97: href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> since Radeon
98: GPUs only implement 36, 40, or 44 bits of address space.
99: <li>Added limited emulation of unaligned access in the powerpc64 kernel.
100: <li>Changed <a href="https://man.openbsd.org/astfb.4">astfb(4)</a> to
101: allow it to become the console on powerpc64.
102: <li>Added support for passing a bootmac command line argument to
103: RAMDISK on powerpc64.
1.5 benno 104: <li>Fixed booting on powerpc64 machines with memory banks higher in
105: physical address space, needing a larger TCE table.
106: <li>Introduced power-saving mode on POWER9 (ISA v3).
1.9 benno 107: <li>Enabled floating-point exceptions on powerpc64.
1.10 benno 108: <li>Added support for <a
109: href="https://man.openbsd.org/ipmi.4">ipmi(4)</a> on PowerNV systems.
1.15 benno 110: </ul>
111: <li>Support was added for devices using the Apple M1 SoC:
112: <ul>
1.10 benno 113: <li>Recognized Apple Icestorm cores on arm64.
114: <li>Added basic support for BCM4379, found on the Apple M1 SoCs, to
115: <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
116: <li>Added <a href="https://man.openbsd.org/exuart.4">exuart(4)</a>
1.28 fcambus 117: support for the UART found on the Apple M1 SoC.
1.10 benno 118: <li>Added <a href="https://man.openbsd.org/apldog.4">apldog(4)</a>, a
119: driver for the watchdog on Apple M1 SoCs, allowing reboot of the
120: machine.
121: <li>Added <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>,
122: a driver for the interrupt controller found on Apple M1 SoCs.
123: <li>Added <a href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a>,
124: a driver for the PCIe host bridge on Apple M1 SoCs.
1.35 patrick 125: <li>Added support for version 7 of the <a
126: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> PCIe interface,
127: as implemented in Apple M1's wifi.
1.10 benno 128: <li>Increased RX buffers available to the <a
129: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> chip to 256,
130: allowing use of the Apple M1's wifi.
131: <li>Added <a href="https://man.openbsd.org/apldart.4">apldart(4)</a>,
132: a driver for the IOMMU on Apple M1 SoCs.
1.15 benno 133: <li>Added an initial attempt to support 8-bit ASIDs such as those on
134: Apple's M1 SoC.
135: <li>Recognized Apple Firestorm cores on arm64.
136: <li>Added SMP support to <a
137: href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>, the interrupt
138: controller driver on Apple M1 SoCs.
139: </ul>
140: <li>The arm64 platform support was improved with the following changes:
141: <ul>
142: <li>Optimized arm64 <a
143: href="https://man.openbsd.org/copyin.9">copyin(9)</a>, <a
144: href="https://man.openbsd.org/copyout.9">copyout(9)</a> and <a
145: href="https://man.openbsd.org/kcopy.9">kcopy(9)</a> by doing 16-byte
146: copies if possible.
147: <li>Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
148: <li>Added clock support for i.MX8MP.
149: <li>Added support for the VF610 I2C controller to <a
150: href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
151: <li>Fixed a panic seen with mbuf chains on arm64.
152: <li>Added <a href="https://man.openbsd.org/dwgpio.4">dwgpio(4)</a>, a
153: driver for the Synopsys DesignWare GPIO controller.
154: <li>Added "amlogic,meson-g12a-dwmac" to <a
155: href="https://man.openbsd.org/dwge.4">dwge(4)</a>.
156: <li>Added <a
157: href="https://man.openbsd.org/amlpinctrl.4">amlpinctrl(4)</a> support
158: for the "Always On" GPIOs.
159: <li>Added PCIe clocks to <a
160: href="https://man.openbsd.org/amlclock.4">amlclock(4)</a>.
161: <li>Made large read and write transactions work in <a
162: href="https://man.openbsd.org/amliic.4">amliic(4)</a>.
163: <li>Added PCIe support to <a
164: href="https://man.openbsd.org/amlpciephy.4">amlpciephy(4)</a>.
165: <li>Added support to <a
166: href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> for the PCIe
167: controller found on Amlogic G12A/G12B/SM1 SoCs.
168: <li>Implemented intx support in <a
169: href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a>.
170: <li>Added <a href="https://man.openbsd.org/cryptox.4">cryptox(4)</a>,
171: a driver for armv8 cryptographic extensions.
172: <li>Added support for PCIe on the NanoPi R4S to <a
173: href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a>.
1.34 patrick 174: <li>Added <a href="https://man.openbsd.org/smmu.4">smmu(4)</a>, a
175: driver for the ARM System MMU.
176: <li>Introduced an IOVA early-allocation scheme in <a
177: href="https://man.openbsd.org/smmu.4">smmu(4)</a>, mitigating the
178: performance penalty of typical IOVA allocation designs.
179: <li>Introduced Guard Pages in <a
180: href="https://man.openbsd.org/smmu.4">smmu(4)</a>, to spot misuse
181: and misconfiguration of I/O devices more easily.
1.15 benno 182: <li>Added support for rk809 to <a
183: href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>, as seen on the
184: Rock Pi N10 with the rk3399pro.
185: <li>Added support for <a
186: href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> on the Raspberry Pi
187: in ACPI mode.
188: <li>Enabled <a href="https://man.openbsd.org/ixl.4">ixl(4)</a> on arm64.
189: <li>Updated device-tree bindings for <a
190: href="https://man.openbsd.org/cwfg.4">cwfg(4)</a> battery capacity
191: driver to correct attaching and account for monitoring interval
192: change, making cwfg(4) export values under hw.sensors as expected when
193: using a Pinebook Pro.
194: <li>Added ARMv8-5 instruction set related CPU features to arm64.
195: </ul>
196: </ul>
1.3 benno 197:
1.15 benno 198: <li>Various kernel improvements:
1.1 deraadt 199: <ul>
1.15 benno 200: <li>Added the RAID1C (encrypted raid1) <a
201: href="https://man.openbsd.org/softraid.4">softraid(4)</a> discipline,
202: encrypting data like the CRYPTO discipline and accepting multiple
203: chunks during creation and assembly like the RAID1 discipline.
204: <li>Corrected raidlevel verification specified by the -c option in <a
205: href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
206:
207: <li>Introduced kern.video.record for <a
208: href="https://man.openbsd.org/video.4">video(4)</a> devices, a privacy feature analog
209: to the kern.audio.record <a
210: href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> parameter for <a
211: href="https://man.openbsd.org/audio.4">audio(4)</a> devices. By
212: default, kern.video.record will be set to zero and blank all data
213: delivered by drivers attaching to <a
214: href="https://man.openbsd.org/video.4">video(4)</a>.
215: <li>Allowed a process to open a <a
216: href="https://man.openbsd.org/video.4">video(4)</a> device multiple
217: times. Fixes webcam usage with Firefox and BigBlueButton.
218: <li>Enabled multiple opens of a <a
219: href="https://man.openbsd.org/video.4">video(4)</a> device as
220: described in the V4L2 specification.
1.9 benno 221:
1.15 benno 222: <li>Added basic support for kclock timeouts to <a
223: href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
224: <li>Changed the <a href="https://man.openbsd.org/pool.9">pool(9)</a>
225: timeouts to use the system uptime instead of ticks.
1.9 benno 226: <li>Ensured <a href="https://man.openbsd.org/sleep.3">sleep(3)</a>
227: calls <a href="https://man.openbsd.org/nanosleep.2">nanosleep(2)</a>
228: if seconds is zero, now delegating all decisions about whether or not
229: to yield the CPU.
1.5 benno 230: <li>Added a top-level 'reboot' command to <a
231: href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
232: <li>Added <a href="https://man.openbsd.org/witness.4">witness(4)</a>
233: check for uninitialized (or zeroed) lock usage.
234: <li>Added fd close notification for kqueue-based <a
235: href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
236: href="https://man.openbsd.org/select.2">select(2)</a>.
237: <li>Added a global "nowake" channel for threads avoiding <a
238: href="https://man.openbsd.org/wakeup.9">wakeup(9)</a> to <a
239: href="https://man.openbsd.org/tsleep.9">tsleep(9)</a>.
1.15 benno 240:
1.5 benno 241: <li>Added trace points for <a
242: href="https://man.openbsd.org/malloc.9">malloc(9)</a> and <a
243: href="https://man.openbsd.org/free.9">free(9)</a>, making them
244: traceabe via <a href="https://man.openbsd.org/dt.4">dt(4)</a> and <a
245: href="https://man.openbsd.org/btrace.8">btrace(8)</a>.
1.15 benno 246: <li>Added <a href="https://man.openbsd.org/btrace.8">btrace(8)</a> -n
247: (no action) mode, which parses the program and then exits.
1.9 benno 248: <li>Fixed a boot-time crash on sparc64 due to mutex use during the
249: message buffer initialization.
1.15 benno 250: <li>Prevented a panic in some ACPI firmware that provided invalid
1.9 benno 251: memory regions in their reserved memory region reporting table.
252:
1.10 benno 253:
254: <li>Added a barrier between reading the cqe flags and the command ID
255: to prevent completion of the wrong scsi io for <a
256: href="https://man.openbsd.org/nvme.4">nvme(4)</a> drives.
257: <li>Prevent <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
258: attachment to devices with size zero.
1.9 benno 259: <li>Introduced new function <a
260: href="https://man.openbsd.org/if_unit.9">if_unit(9)</a>, returning a
261: pointer to the interface descriptor corresponding to the unique name.
1.10 benno 262: <li>Clear interrupts on luna88k processors more efficiently at boot
263: time.
264: <li>Added <a
265: href="https://man.openbsd.org/acpiiort.4">acpiiort(4)</a>, a driver
266: for the ACPI I/O Remapping Table.
1.15 benno 267: <li>Updated clock interrupt count atomically on mips64.
268: <li>Prevented an amd64 kernel crash with protection fault due to an
269: invalid offset when reading /dev/kmem.
270: <li>Permitted access to kern.somaxconn sysctl information when the
271: unix <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> is used,
272: allowing Go programs to use "unix" without also including "inet".
273: <li>Excluded the first page and added a guard page between I/O
274: virtual address space allocations on arm64.
1.20 benno 275: </ul>
1.22 benno 276:
1.20 benno 277: <li>SMP Improvements
278: <ul>
1.23 benno 279: <li>Introduced "if_cloners_lock" rwlock and used it to serialize
280: if_clone_{create,destroy}(), avoiding multiple race conditions.
1.20 benno 281: <li>Introduced a system-wide mutex that serializes msgbuf operations.
1.23 benno 282: <li>Made <a
283: href="https://man.openbsd.org/uvm_pagealloc.9">uvm_pagealloc(9)</a> of
284: the physical memory allocator mp-safe.
1.20 benno 285: <li>Unlocked <a href="https://man.openbsd.org/getppid.2">getppid(2)</a>.
286: <li>Introduced locking for amaps and anons, improving build performance.
1.23 benno 287: <li>Moved UNIX domain sockets out of the kernel lock, using the new
288: "unp_lock" <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> as
289: solock()'s backend to protect the whole layer.
1.20 benno 290: <li>Unlocked <a href="https://man.openbsd.org/sendsyslog.2">sendsyslog(2)</a>.
291: <li>Used per-CPU counter for fault and stats counters reached in uvm_fault().
292: </ul>
1.22 benno 293:
1.20 benno 294: <li>Direct Rendering Manager
295: <ul>
1.23 benno 296: <li>Implemented linux interval tree functions for <a
297: href="https://man.openbsd.org/drm.4">drm(4)</a>.
298: <li>Fixed <a
299: href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a> display
300: commands when using <a href="https://man.openbsd.org/drm.4">drm(4)</a>
301: drivers on macppc.
302: <li>Changed from <a
303: href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> to <a
304: href="https://man.openbsd.org/mutex.9">mutex(9)</a> for linux rwlocks.
305: <li>Fixed a panic associated with locks and <a
306: href="https://man.openbsd.org/drm.4">drm(4)</a> on macppc with
307: Powerbook5,6 and RV350.
308: <li>Revised the initialization of the <a
309: href="https://man.openbsd.org/drm.4">drm(4)</a> Linux emulation layer
310: to call it only when the first drm instance attaches.
311: <li>Fixed DRI3 support on <a
312: href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> and <a
313: href="https://man.openbsd.org/ati.4">ati(4)</a>.
314: <li>Created /dev/ drm nodes with the same names as linux to simplify
315: libdrm and negate the need for certain ports patches.
1.20 benno 316: </ul>
1.22 benno 317:
1.20 benno 318: <li>VMM/VMD improvements
319: <ul>
1.10 benno 320: <li>Prevented memory corruption or improper page access in <a
321: href="https://man.openbsd.org/vmm.4">vmm(4)</a> due to improper TLB
322: flushing for now by wiring the pages used by virtual machines.
1.15 benno 323: <li>Removed the ability of <a
324: href="https://man.openbsd.org/vmd.8">vmd(8)</a> to boot from kernels
325: in raw/qcow2 images.
326: <li>Made <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>
1.27 dv 327: properly indicate VMs are stopping instead of "running" with "vmctl
1.15 benno 328: status".
329: <li>Cleaned up events on <a
330: href="https://man.openbsd.org/vmd.8">vmd(8)</a> pause or resume and
331: fixed an issue leading to broken serial console by cleanly tearing
332: down and restoring emulated device state on vm send/receive.
333: <li>Propagated host-side <a
334: href="https://man.openbsd.org/tap.4">tap(4)</a> lladdr to guest vm
335: process to allow unicast dhcp and bootp renewals with <a
336: href="https://man.openbsd.org/vmd.8">vmd(8)</a>'s built-in dhcp
337: server.
1.27 dv 338: <li>Added <a href="https://man.openbsd.org/veb.4">veb(4)</a> to the
339: list of supported bridges for <a
340: href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
341: <li>Improved MSR exit handling in <a
342: href="https://man.openbsd.org/vmm.4">vmm(4)</a> on SVM and VMX
343: hosts preventing invalid reads and fixing support for 9front.
344: <li>Added ability to boot compressed ramdisks to <a
345: href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
1.1 deraadt 346: </ul>
347:
348: <li>Various new userland features:
349: <ul>
1.3 benno 350: <li>Added <a
351: href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a> "nolog"
352: option to avoid <a
353: href="https://man.openbsd.org/syslog.3">syslog(3)</a>.
354: <li>Allowed specific <a
355: href="https://man.openbsd.org/sndio.7">sndio(7)</a> devices to be used
356: for play-only and rec-only modes.
1.9 benno 357: <li>Use an 8th order FIR low-pass filter for resampling in <a
358: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> and for <a
359: href="https://man.openbsd.org/aucat.1">aucat(1)</a>, removing most of
360: the aliasing noise during resampling.
1.10 benno 361: <li>Disabled <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
362: autovolume by default and set the default volume to 127. Setting "-w
363: on" will replicate the previous behavior of automatically decreasing
364: playback volume when new programs start playing.
365: <li>Allowed mixing of alternative devices (-F) with different
366: capabilities in <a
367: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> by treating any
368: device as full-duplex.
1.15 benno 369: <li>Fixed visibility of <a
370: href="https://man.openbsd.org/sndioctl.1">sndioctl(1)</a> output when
371: used through a pipe.
372:
1.10 benno 373: <li>Enabled build and install of <a href="https://man.openbsd.org/lldb.1">lldb(1)</a>.
374: <li>Added <a href="https://man.openbsd.org/logger.1">logger(1)</a>
375: support to <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>, <a
376: href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a> and <a
377: href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> for daemons logging
378: to stdout/stderr.
379:
1.15 benno 380: <li>Added a configurable button mapping for tap gestures on touchpads
381: to <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>.
382: <li>Made <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>
383: touchpad tap detection less restrictive for multi-finger taps and
384: improved tap detection.
385: <li>Enable <a
386: href="https://man.openbsd.org/man4/arm64/apm.4">apm(4)</a> on arm64 to
387: display meaningful information about battery use and capacity.
1.1 deraadt 388: </ul>
389:
390: <li>Various bugfixes and tweaks in userland:
391: <ul>
1.3 benno 392: <li>Fixed a pledge violation in <a
393: href="https://man.openbsd.org/csh.1">csh(1)</a> where redirecting
394: input from a file containing ^T would cause csh(1) to perform a tty
395: ioctl operation against a non-tty.
1.14 tb 396: <li>Made <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a> work
397: again when fewer than 3 patches are available.
1.3 benno 398: <li>Stopped exempting file systems from <a
399: href="https://man.openbsd.org/security.8">security(8)</a> on the basis
400: of nodev and nosuid options, which may not be used for file systems
401: mounted beneath.
402: <li>Modified <a href="https://man.openbsd.org/daily.8">daily(8)</a>
403: to stop reporting disk status and networking statistics.
404: <li>Made <a
405: href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> specify
406: a version when it uses <a
407: href="https://man.openbsd.org/fw_update.1">fw_update(1)</a> to avoid
408: the situation where upgrading a pre-6.8 snapshot to 6.8 release with
409: "-r" would install firmware packages from snapshots.
410: <li>Increased speed of the dependency check pass for <a
411: href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
412:
413: <li>Prevented process exit in multithreaded programs from reporting
414: the wrong error code.
415:
1.5 benno 416: <li>Allowed booting of amd64/i386 from 4TB GPT formatted disks.
417:
418: <li>When using the <a href="https://man.openbsd.org/cat.1">cat(1)</a>
419: -n flag, correctly enumerate files with more than INT_MAX lines.
420: <li>Fixed a memory leak in ld.so's malloc.
1.15 benno 421:
1.9 benno 422: <li>Added a "xenodm" login class for <a
423: href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> and increased
424: openfiles to 512 to avoid running out of file descriptors with a busy
425: desktop.
1.15 benno 426: <li>Stopped <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
427: from adding authorizations for TCP connections by default and added
428: "listenTCP" to explicitly add authorizations for existing IP addresses
429: on startup.
430: <li>Skip <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
431: from adding the IPv6 link local addresses for TCP listener
432: authorizations, matching what is done by <a
433: href="https://man.openbsd.org/startx.1">startx(1)</a>.
434:
1.9 benno 435: <li>Fixed -s option for <a href="https://man.openbsd.org/cmp.1">cmp(1)</a>.
436: <li>Improve pledge in <a
437: href="https://man.openbsd.org/doas.1">doas(1)</a>, specifically added
438: pledge to the "-C" code path.
1.6 otto 439: <li>Inproved performance of <a
440: href="https://man.openbsd.org/malloc.3">malloc(3)</a>'s cache.
1.10 benno 441: <li>Made editing GPT in <a
442: href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> safer by
443: defaulting offset to the beginning of the largest free space and
444: preventing the creation of overlapping partitions.
445: <li>Fixed a crash that could occur in <a
446: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> when a usb
447: device is unplugged.
448: <li>Append .html suffixes to temporary files in <a
449: href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> to allow
450: recognition by browsers.
451: <li>Allow specification of a path to the <a
452: href="https://man.openbsd.org/mg.1">mg(1)</a> startup file on the
453: command line.
1.15 benno 454: <li>Added a "batch" mode to <a
455: href="https://man.openbsd.org/mg.1">mg(1)</a> via the "-b" command
456: line option which will initialize a pty, run the specified file of mg
457: commands and then exit.
458: <li>Inverted the <a href="https://man.openbsd.org/mg.1">mg(1)</a> "R"
459: indicator to mean that a "*" next to a file's name indicates that it
460: is read-only. Made the active buffer indicator more visible by
461: changing it to ">".
462:
463: <li>Fixed <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>
464: redrawing of a multiline PS1 prompt in vi mode and added support for
465: ^R (redraw) in insert mode.
466: <li>Used <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to
467: restrict filesystem access in <a
468: href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
469: <li>Removed the 30s minimum delay for <a
470: href="https://man.openbsd.org/xlock.1">xlock(1)</a> timeouts.
471: <li>Stopped deleting the control socket on exit in <a
472: href="https://man.openbsd.org/apmd.8">apmd(8)</a> exit, as deleting
473: the socket in process after calling <a
474: href="https://man.openbsd.org/unveil.2">unveil(2)</a> would cause a
475: unveil restriction violation,
1.1 deraadt 476: </ul>
477:
478: <li>Improved hardware support and driver bugfixes, including:
479: <ul>
1.15 benno 480: <li>Corrected accounting of zero length Transfer Descriptors in <a
481: href="https://man.openbsd.org/xhci.4">xhci(4)</a>, preventing running
482: out of free Transfer Ring Blocks.
1.3 benno 483: <li>Moved mfokclock(4) from loongson to make it available for other
484: platforms and renamed it to <a
485: href="https://man.openbsd.org/mfokrtc.4">mfokrtc(4)</a>.
486: <li>Fixed brightness setting on MacBooks.
487: <li>Added AMD Vi and Intel VTD IOMMU support. This creates separate
488: domains for each PCI device and can provide protection against invalid
489: memory access.
490: <li>Enabled brightness keys on powerbooks where the keyboard attaches
491: as <a href="https://man.openbsd.org/ukbd.4">ukbd(4)</a>.
492: <li>Set initial default display brightness on macppc via
493: of_setbrightness() to ensure <a
494: href="https://man.openbsd.org/wscons.4">wscons(4)</a> and ofw are in
495: sync.
496: <li>Added the ClearFog GT 8K to <a
497: href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>.
498: <li>Added support for the PL2303HXN series chips to <a
499: href="https://man.openbsd.org/uplcom.4">uplcom(4)</a>.
500: <li>Added support for the PCA9547 I2C mux to <a
501: href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>.
502: <li>Extended <a href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>
503: with ACPI support.
504: <li>Added <a href="https://man.openbsd.org/acpige.4">acpige(4)</a>, a
1.28 fcambus 505: driver for ACPI generic event devices, used on the HoneyComb LX2K to
1.3 benno 506: implement power button handling.
507: <li>Added <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>,
508: a driver for the GPIO controllers found on modern Intel PCHs.
509: <li>Added ACPI support to <a
510: href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
511: <li>Fixed panics on the HoneyComb LX2K with <a
512: href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a>.
513: <li>Fixed very old <a
514: href="https://man.openbsd.org/umass.4">umass(4)</a> devices where the
515: INQUIRY command succeeds but with a residue equal to the requested
516: bytes.
1.5 benno 517: <li>Added Gemini Lake I2C id to <a
518: href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>, making the
519: touchpad work on the Teclast F7 Plus laptop.
1.10 benno 520: <li>Introduced <a href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>, a
521: restricted subset of <a
522: href="https://man.openbsd.org/uhid.4">uhid(4)</a> for game controllers
523: which uses /dev/ujoy/* device nodes.
524: <li>Set up <a href="https://man.openbsd.org/ims.4">ims(4)</a> devices
525: in X11 to behave like touchpads.
526: <li>Stopped relying on USB devices to correctly present their
527: indices, instead searching for the correct interfaces. This fixes E+
528: Corp. DAC Audio devices.
529: <li>Introduced <a
530: href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>, a driver for
531: Logitech HID++ devices.
1.15 benno 532: <li>Separated reading of general and touchpad-specific <a
533: href="https://man.openbsd.org/wsmouse.4">wsmouse(4)</a> settings and
534: corrected identification of device type when reading touchpad
535: parameters fails.
536:
537: <li>Added support for 30-bit color modes to <a
538: href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>.
539: <li>Added <a href="https://man.openbsd.org/wsfb.4">wsfb(4)</a>
540: support for 30-bit color.
1.10 benno 541:
1.15 benno 542: <li>Made loongson kernels recognize Lynloong LM9002/9003 and LM9013 models.
543: <li>Use native display resolution 1368x768 for Lynloong all-in-one computers.
1.1 deraadt 544: </ul>
545:
546: <li>New or improved network hardware support:
547: <ul>
1.3 benno 548: <li>Fixed link state change behavior in 82598 <a
549: href="https://man.openbsd.org/ix.4">ix(4)</a> chips.
550: <li>Fixed issues with network stopping after the first down/up cycle
551: in <a href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> Marvel Armada
552: Ethernet device.
553: <li>Added SFP+ support to ofw, including support for direct attach cables.
554: <li>Added 10G media support to <a
555: href="https://man.openbsd.org/mvpp.4">mvpp(4)</a>.
556: <li>Added support for 1000base-x and 2500base-x connections to <a
557: href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>.
558: <li>Added <a href="https://man.openbsd.org/mvsw.4">mvsw(4)</a>, a
559: driver for Marvel "SOHO" switches.
1.5 benno 560: <li>Enabled auto-negotiation on the SerDes links, allowing
561: in-band-status to work between <a
562: href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> and <a
563: href="https://man.openbsd.org/mvsw.4">mvsw(4)</a> on the ClearFog GT
564: 8K.
565: <li>Added support for the i.MX8MP PCIe clocks, USB clocks and second
566: ethernet.
567: <li>Added Wake on LAN support to <a
568: href="https://man.openbsd.org/rge.4">rge(4)</a>.
569: <li>Enabled IPv4 and TCP/UDP checksum offload on transmission in <a
570: href="https://man.openbsd.org/ogx.4">ogx(4)</a>.
1.10 benno 571: <li>Raised the maximum number of queues/interrupts from 1 to 16 on <a
572: href="https://man.openbsd.org/mcx.4">mcx(4)</a> devices.
573: <li>Added support for the Netgear ProSecure UTM25 to octeon.
1.15 benno 574: <li>Added vid/pid table to <a
575: href="https://man.openbsd.org/umb.4">umb(4)</a> allowing matching to
576: alternate configurations.
1.1 deraadt 577: </ul>
578:
579: <li>Added or improved wireless network drivers:
580: <ul>
1.36 stsp 581: <li>Fixed the <a href="https://man.openbsd.org/athn.4">athn(4)</a> and
582: <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
583: in client mode against access points which use WPA1/TKIP as
584: the group cipher.
1.3 benno 585: <li>Added multicast support to <a
586: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> to allow IPv6.
587: <li>Fixed <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a>
588: repeated DEAUTH and loss/restoration of link.
1.5 benno 589: <li>Introduced a delay to work around an issue in <a
590: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> on the BCM43602 that
591: was triggering "unexpected pairwise key update" errors.
1.9 benno 592: <li>Enabled <a href="https://man.openbsd.org/athn.4">athn(4)</a> for arm64.
1.36 stsp 593: <li>Implemented a new 802.11n Tx rate adaptation algorithm ("RA") for
594: <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
595: <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>.
596: <li>Fixed association problems with the <a
597: href="https://man.openbsd.org/ipw.4">ipw(4)</a> driver.
1.15 benno 598: <li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> attach to
599: AX201 devices with PCI ID 0x34f0. Needs <a
600: href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
601: <li>Fixed a problem where <a
602: href="https://man.openbsd.org/iwn.4">iwn(4)</a> firmware would
603: generate bogus block ack requests and stall traffic.
1.1 deraadt 604: </ul>
605:
606: <li>IEEE 802.11 wireless stack improvements and bugfixes:
607: <ul>
1.36 stsp 608: <li>Fixed length calculations in <a
1.5 benno 609: href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
610: href="https://man.openbsd.org/iwx.4">iwx(4)</a> when there are
611: multiple MPDUs in one packet.
1.36 stsp 612: <li>Fixed 802.11n interoperability with access points that offer
613: management frame protection.
614: <li>Flush the A-MPDU reorder buffer after gap timeout to prevent
615: frames from remaining in the buffer until the next frame
616: is received.
617: <li>Avoid spurious "input packet decapsulations failed" errors in
1.5 benno 618: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a> -W with
619: A-MSDU enabled.
1.1 deraadt 620: </ul>
621:
622: <li>Generic network stack improvements and bugfixes:
623: <ul>
1.10 benno 624: <li>Removed the direct ACK on every other data segment. After
625: receiving a data segment, we were sending out two ACKs, the first one
626: in tcp_input() direct after receiving and the second ACK after the
627: userland or the sosplice task read some data out of the socket buffer.
628: This change removes the ACK in tcp_input(), saving processing time and
629: improving network performance.
630: <li>Removed the maxburst feature from tcp_output().
631: <li>Added a MONITOR feature to interfaces. Packets received on these
632: interfaces do not enter the network stack for further processing. This
633: can be used to watch traffic, for example with <a
634: href="https://man.openbsd.org/bpf.4">bpf(4)</a> without risk of the packets
635: interfering with the system.
636:
637: <li>Added etherbridge, the internals of a reusable learning bridge
638: interface providing common code reusable for other drivers needing a
639: mac learning bridge.
640: <li>Introduced <a href="https://man.openbsd.org/veb.4">veb(4)</a>, a
641: Virtual Ethernet Bridge driver.
1.3 benno 642:
1.15 benno 643: <li>Added the ability to force the selection of source IP address for
644: programs that do not specify a source IP, overriding the default
645: source IP selection algorithm. This is configurable via <a
646: href="https://man.openbsd.org/route.8">route(8)</a>
1.31 tb 647: <code>sourceaddr</code> command.
1.15 benno 648:
1.37 job 649: <li>Bring interfaces up when autoconfiguration for inet or inet6 is
1.15 benno 650: enabled (AUTOCONF4 or AUTOCONF6 flags).
651: <li>Adjust terminology in <a
652: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to refer to
653: "temporary address extensions" rather than the former "privacy
654: extensions," including the addition of an AUTOCONF6TEMP flag (to
655: replace the negative flag "INET6_NOPRIVACY"). The autoconfprivacy
656: option if <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
657: has been deprecated.
658: <li>Made it possible to disable the "autoconf" flag but keep
659: "temporary" enabled in <a
660: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
661: <li>For IPv6 addresses, added tracking of address proposal creation
662: times to be able to establish total lifetime. This information is used
663: to renew pltime/vltime of privacy addresse per RFC 4941.
1.3 benno 664:
1.15 benno 665: <li>Prevented kernel reuse of mbuf memory when generating the ICMP6
666: response to an IPv6 packet.
667: <li>Use the toeplitz hash algorithm to a flowid for tcp packets,
668: which in turn is used to choose the tx ring on network cards with
669: multiple rings.
670: <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> on macppc
671: by keeping track of allowed ips pointer correctly.
672: <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> ioctl to
673: handle multiple wgpeers.
674: <li>Fixed a race between tx/rx handshakes in <a
675: href="https://man.openbsd.org/wg.4">wg(4)</a>.
676: <li>Prevented a potential hang when trying to remove a <a
677: href="https://man.openbsd.org/tun.4">tun(4)</a> interface.
678: <li>Used the correct rdomain when adding and deleting routes with <a
679: href="https://man.openbsd.org/mpip.4">mpip(4)</a> and <a
680: href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
681: <li>Made <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
682: "-mplslabel" work with <a
683: href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
1.1 deraadt 684: </ul>
685:
1.15 benno 686: <li>Installer and upgrade improvements:
1.1 deraadt 687: <ul>
1.5 benno 688: <li>Prevented a race in <a
689: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> privsep
690: which could cause autoinstall to fail by calling <a
691: href="https://man.openbsd.org/ftp.1">ftp(1)</a> without a local
692: address.
693: <li>Fixed hangs on amd64 bsd.rd due to misreported core clock
694: frequency on newer Intel Comet Lake models.
1.15 benno 695: <li>Began distributing the gzip'd version of bsd.rd on all platforms
696: with boot methods supporting it.
697: <li>Fixed a problem which prevented use of <a
698: href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> when an
699: interface failed to come up and <a
700: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> didn't
701: notice link-timeout expiration.
702: <li>Prevented <a
703: href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> from
704: adjusting the swap 'b' partition size if physmem is zero to keep the
705: auto-allocate code from putting a filesystem on that partition.
706: <li>Emulate "[inet] autoconf" <a
707: href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> lines
708: with "dhcp" so users testing <a
709: href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> will
710: still be able to upgrade manually while the installer uses only <a
711: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
1.5 benno 712:
1.1 deraadt 713: </ul>
714:
715: <li>Security improvements:
716: <ul>
1.25 benno 717: <li>Added notices to syslog whenever the "%n" format string component
718: of <a href="https://man.openbsd.org/printf.3">printf(3)</a> is used.
719: <li>Removed workaround permitting Go executables to do syscalls
720: directly, forcing them to use shared libc like all other dynamic
721: binaries.
1.1 deraadt 722: </ul>
723:
724: <li>Routing daemons and other userland network improvements:
725: <ul>
1.15 benno 726: <li>The <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> daemon saw the following changes:
727: <ul>
1.3 benno 728: <li>Fixed a memory leak when parsing <a
729: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> roa-set lists.
730: <li>Stopped allowing configuration of the same neighbor multiple
731: times in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
1.5 benno 732: <li>When exporting prefixes from multiple sessions in <a
733: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> into the same <a
734: href="https://man.openbsd.org/pf.4">pf(4)</a> table, now prefixes are
735: only removed from the table when withdrawn from all sessions that
736: announced them.
737: <li>Introduced a send hold timer in <a
738: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> to detect stalls on
739: the sending side of a TCP connection, acting as a last resort to
740: detect faulty peers.
741: <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
742: "show sets" to display information about the roa-set, as-sets and
743: prefix-sets loaded into <a
744: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
1.10 benno 745: <li>Introduced the <a
746: href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> per
747: neighbor and global config option "reject as-set yes/no" to allow
748: rejection of received UPDATES with AS_SET segments. These rejected
749: prefixes can be viewed with <a
750: href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> "show rib in
751: error".
752: <li>Properly implemented "rde med compare strict" in <a
753: href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and ensured that the
754: order of prefixes is always correct.
755: <li>Added RTR support to <a href="https://man.openbsd.org/bgpd.8">OpenBGPD</a>.
756: <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
757: "show rtr" to display basic information about RTR sessions.
758: <li>Introduced <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
759: <code>rde evaluate all</code> to work around path hiding in IXP
760: route-server environments.
1.15 benno 761: </ul>
1.10 benno 762:
1.15 benno 763: <li>The <a
764: href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and <a
765: href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> routing
766: daemons saw various internal refactoring to keep the code similar to
767: changes in other routing daemons and improve maintainability.<br>
768: Additionally, support was added in <a
769: href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> for interfaces
770: that share the same IP.
1.10 benno 771:
1.15 benno 772: <li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and it's userland utility:
773: <ul>
774: <li>Relaxed checks in <a
775: href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> and <a
776: href="https://man.openbsd.org/pf.4">pf(4)</a> to accept any valid
777: routing domain, even if it does not yet exist.
778: <li>Made <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
779: detect and reject bogus ranges before loading the ruleset to prevent a
780: panic.
781: <li>Changed route-to in <a
782: href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> to send
783: packets to IPs instead of interfaces.
784: <li>Changed pf_route so <a
785: href="https://man.openbsd.org/pf.4">pf(4)</a> only runs when packets
786: enter and leave the stack. Running the same packet through pf multiple
787: times creates confusion for the state table. By default, pf states are
788: floating, meaning that packets are matched to states regardless of
789: which interface they're going over. This diff avoids multiple pf(4)
790: traversals of one packet causing confusion in the state table.
791: <li>Prevented the kernel from being stuck in an endless recursion
792: during TCP path MTU discovery when <a
793: href="https://man.openbsd.org/pf.4">pf(4)</a> changes the routing
794: table when sending packets.
795: <li>When cutting off the head of an overlapping fragment during <a
796: href="https://man.openbsd.org/pf.4">pf(4)</a> reassembly, reinserted
797: the fragment into the lookup table with the correct index.
798: </ul>
1.5 benno 799:
1.15 benno 800: <li>IPSEC support in the kernel and the <a href="https://man.openbsd.org/iked.8">iked(8)</a> userland daemon:
801: <ul>
1.3 benno 802: <li>Added support to request IP addresses as IKEv2 initiator to <a
803: href="https://man.openbsd.org/iked.8">iked(8)</a>. If 'request addr
804: 0.0.0.0' is configured, any address will be accepted.
805: <li>Make <a href="https://man.openbsd.org/iked.8">iked(8)</a> accept
806: ANY dynamic address with 'request addr 0.0.0.0'.
807: <li>Added 'dynamic' keyword to <a
808: href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> to allow
809: configuration of flows to dynamically assigned addresses.
810: <li>Added the 'any' keyword to <a
811: href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> for
812: requests to allow "request address any".
813: <li>Enabled <a href="https://man.openbsd.org/iked.8">iked(8)</a>
814: support for ASN1_DN ipsec identifiers.
815: <li>Implemented <a href="https://man.openbsd.org/iked.8">iked(8)</a>
816: "from dynamic," installing flows where "dynamic" is replaced by the
817: received dynamic IP address.
818: <li>Made sure not to replace 0.0.0.0 with a dynamic address in <a
819: href="https://man.openbsd.org/iked.8">iked(8)</a> if it is a network
820: address.
821: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -s
822: socket option to specify a control socket.
823: <li>Used a counter instead of random IV for AES-GCM in <a
824: href="https://man.openbsd.org/iked.8">iked(8)</a>, eliminating the
825: risk of random collisions.
826: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
827: support for multiple address pools.
828: <li>Added the <a href="https://man.openbsd.org/iked.8">iked(8)</a>
829: "set stickyaddress" option, which attempts to assign the same "config
830: address" when an IKESA is negotiated with the DSTID of an existing
831: IKESA.
832: <li>Ensured rekeying of every child SA in <a
833: href="https://man.openbsd.org/iked.8">iked(8)</a>.
1.5 benno 834: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> support
835: for RSASSA-PSS signature verification (RFC 7427).
836: <li>Corrected the first packet of an <a
837: href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> SA to have
838: sequence number 1.
839: <li>Accepted reject and blackhole routes for IPsec PMTU discovery.
840: <li>Prevented leaking of ipsec_hosts in <a
841: href="https://man.openbsd.org/iked.8">iked(8)</a> when building
842: hosts_list.
843: <li>Prevented initiation of new additional SAs for each policy upon
844: every <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> config
845: reload.
846: <li>Fixed "any" and "dynamic" keywords for flows in <a
847: href="https://man.openbsd.org/iked.8">iked(8)</a> and added proper
848: IPv6 support.
1.9 benno 849: <li>Created a path MTU host route for <a
850: href="https://man.openbsd.org/ipsec.4">IPsec(4)</a> over IPv6.
1.10 benno 851: <li>Added support for INVALID_KE_PAYLOAD in <a
852: href="https://man.openbsd.org/iked.8">iked(8)</a> CREATE_CHILD_SA
853: exchange.
854: <li>Added support for RSA-PSS PKCS1 signatures to <a
855: href="https://man.openbsd.org/iked.8">iked(8)</a>.
856: <li>Fixed path MTU discovery for ESP tunnels in IPv6.
857: <li>Upgraded to OpenSSL 1.1 compatible crypto API in <a
858: href="https://man.openbsd.org/iked.8">iked(8)</a>.
859: <li>Added an optional "group none" transform for child SAs in <a
860: href="https://man.openbsd.org/iked.8">iked(8)</a> to ensure the
861: ability to negotiate optional PFS.
862: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
863: dynamic address configuration for roadwarrior clients, with a new
864: "iface" config option which can be used to specify an interface for
865: the virtual addresses received from the peer.
1.15 benno 866: <li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
867: interop problem with strongswan if make-before-break is enabled.
868: </ul>
1.3 benno 869:
1.16 tb 870: <li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:
1.15 benno 871: <ul>
872: <li>Prevented a crash due to
873: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> listening on port
874: 443 with missing TLS certificates.
875: <li>Created a new "location (found|notfound)" option for
876: <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a> to allow
877: testing for resource path existence.
878: <li>Fixed detection of duplicate locations in <a
879: href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
880: <li>Fixed leak of access and error log filenames on config reload in
881: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
882: <li>Avoid leaking the log message in
883: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>'s
884: server_sendlog.
885: <li>Incorrect order of
886: <a href="https://man.openbsd.org/close.2">close(2)</a> and
887: <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
1.16 tb 888: together with a bug in libssl led to leaking memory in
1.15 benno 889: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
890: for each TLS connection.
891: <li>Fixed the <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
892: example configuration not to generate errors when running without TLS
893: keys already in place.
1.30 tb 894: <li>Optimized disk reads of
1.15 benno 895: <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
896: by using st_blocksize as high water mark instead of
897: the socket buffer size.
1.30 tb 898: <li>Do not compare TLS config params for non-TLS servers.
899: This allows using <code>listen on * port 80</code> and
900: <code>listen on * port 443</code> in the same server block in
901: <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>.
1.15 benno 902: </ul>
1.3 benno 903:
1.24 benno 904: <li><a
905: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
906: received the following new features and bugfixes:
1.15 benno 907: <ul>
908: <li>Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support
909: to <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
910: <li>Supported use of more than one URI in the TAL file for <a
911: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>,
912: sorting with a preference for https.
913: <li>Validated ghostbuster records (RFC 6493) in <a
914: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
915: <li>Fixed <a
916: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> checks
917: for the manifest validity interval.
918: <li>The connection is now killed when the rsync server stalls.
919: <li>Limited the URL embedded in .cer files in <a
920: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> to
921: alphanumeric characters and punctuation.
922: <li>Added <a
923: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> -V
924: option to show version.
925: <li>Included the default cert.pem file path in tls_load_file error
926: messages in <a
927: href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
928: </ul>
1.3 benno 929:
1.24 benno 930: <li>The <a href="https://man.openbsd.org/dig.1">dig(1)</a> DNS
931: utility received the following updates:
1.15 benno 932: <ul>
1.5 benno 933: <li>Implemented RFC 8914 Extended DNS Errors for <a
934: href="https://man.openbsd.org/dig.1">dig(1)</a>.
935: <li>Fixed <a href="https://man.openbsd.org/dig.1">dig(1)</a> EDNS
936: Client Subnet option (+subnet=).
937: <li>Fixed IPv6 link-local address handling for nameservers to talk to
938: and address to bind to in <a
939: href="https://man.openbsd.org/dig.1">dig(1)</a>.
1.15 benno 940: <li>Implemented ZONEMD (RFC 8976) in <a
941: href="https://man.openbsd.org/dig.1">dig(1)</a> to convey a message
942: digest of the content of a DNS zone.
943: </ul>
1.5 benno 944:
1.15 benno 945: <li>Changes to <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>:
946: <ul>
1.5 benno 947: <li>Fixed incorrect behavior when using <a
948: href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> to
949: change the lease renew/rebind/expiry timing.
950: <li>Allowed the provision of <a
951: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> options on
952: "dhcp" lines in <a
953: href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
1.15 benno 954: <li>Finished conversion of <a
955: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> timers to
956: allow monotonic accounting for the active lease.
957: </ul>
1.5 benno 958:
1.15 benno 959: <li>Two new daemons, <a
960: href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a
961: href="https://man.openbsd.org/resolvd.8">resolvd(8)</a> were added.
962: These work alongside with <a
963: href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> and <a
964: href="https://man.openbsd.org/unwind.8">unwind(8)</a> to provide a
1.28 fcambus 965: coherent and simple automatic configuration of network interfaces and
1.15 benno 966: DNS resolution.<br>
967: The two daemons are not enabled by default for now, but can be tested
1.28 fcambus 968: by enabling them with <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>.
1.15 benno 969: <ul>
970: <li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>
971: implements the DHCP protocol to acquire IPv4 address leases from
972: servers.
973: <li><a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>
974: manages the content of <a
975: href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> based
976: on nameserver proposals from dhcpleased(8) and slaacd(8).
977: </ul>
978: <li>Other userland network changes:
979: <ul>
980: <li>Fixed <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a> cert
981: and key path inference for absolute paths.
982: <li>Fixed incorrect cast in a
983: <a href="https://man.openbsd.org/vsnprintf(3)">vsnprintf(3)</a>
984: error check
985: in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
986: <li>Applied <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>
987: to <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
1.5 benno 988:
1.3 benno 989: <li>Changed <a href="https://man.openbsd.org/ping.8">ping(8)</a> to
990: drain the raw socket of packets received before we were fully setup to
991: avoid reporting ICMP responses intended for other instances of ping(8)
992: running in parallel.
1.10 benno 993: <li>Added <a href="https://man.openbsd.org/ping.8">ping(8)</a> -g
994: option to provide a visual display of packets received and lost.
1.3 benno 995:
996: <li>Changed <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>
997: Duplicate Address Detection (DAD) to only generate a new address if we
998: are using Semantically Opaque Interface Identifiers.
999: <li>Handled an autoconf interface changing its rdomain in <a
1000: href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.
1.15 benno 1001: <li>Completed <a
1002: href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> implementation
1003: of RFC 8981 temporary address extensions.
1004:
1.14 tb 1005: <li>Do not leak the domains listed in
1006: <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>'s
1007: blocklist file on each config reload.
1008: <li>Do not leak duplicate domain nodes when loading the
1009: <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>
1010: config.
1.3 benno 1011: <li>Fixed rare crashes of <a
1012: href="https://man.openbsd.org/unwind.8">unwind(8)</a> when DNS answers
1013: are larger than the maximum imsg size.
1.9 benno 1014: <li>Implemented <a
1015: href="https://man.openbsd.org/unwind.8">unwind(8)</a> listening on
1016: TCP.
1.10 benno 1017: <li>Implemented DNS64 synthesis in <a
1018: href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
1019: <li>Disabled logging to <a
1020: href="https://man.openbsd.org/syslog.3">syslog(3)</a> for libunbound
1021: with <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>. Does
1022: not prevent logging to stderr with "unwind -d".
1023:
1.3 benno 1024: <li>Removed the -L option from <a
1025: href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
1026: <li>Added a simple --timeout implementation to <a
1027: href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>.
1.15 benno 1028: <li>Added the <a href="https://man.openbsd.org/rsync.1">rsync(1)</a>
1029: option --no-motd to suppress the information output by the client at
1030: the start of a daemon transfer.
1.3 benno 1031: <li>Added support for the use of !command to <a
1032: href="https://man.openbsd.org/mygate.5">mygate(5)</a>, so that
1033: netstart has a late opportunity to perform network configuration.
1.5 benno 1034: <li>Make <a href="https://man.openbsd.org/rad.8">rad(8)</a> to handle
1035: multiple rdomains in a single daemon (instead of running it in
1036: multiple rdomains).
1037: <li>Added a specific headline to <a
1038: href="https://man.openbsd.org/netstat.1">netstat(1)</a> for TCP state
1039: and IP protocol.
1.9 benno 1040: <li>Handle permanent redirects (RFC 7538) in <a
1.5 benno 1041: href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch.
1.10 benno 1042: <li>Introduced <a href="https://man.openbsd.org/ftp.1">ftp(1)</a>
1043: support for sending the If-Modified-Since header while fetching over
1044: http or https. Switched to using the timestamps from the remote
1045: server's Last-Modified header if available when saving local files and
1046: introduced the ftp "-u" flag to disable this behavior.
1.15 benno 1047: <li>Made <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> set
1048: timestamps only on files.
1.10 benno 1049:
1.9 benno 1050: <li>Added requests for a new certificate without requiring -F when <a
1051: href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
1052: detects an added or removed SAN in the config file not reflected in
1053: the existing certificate on disk.
1054: <li>Print rewritten addresses in <a
1055: href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> logged with <a
1056: href="https://man.openbsd.org/pflog.4">pflog(4)</a> for rdr-to, nat-to
1057: and af-to rules.
1.10 benno 1058: <li>Removed the <a
1059: href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> traphandler
1060: process.
1061: <li>When calling <a
1062: href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> with
1063: AI_ADDRCONFIG, consider the routing domain when checking for available
1064: address families. This ensures that name resolution is only performed
1065: for the address families available in the rdomain.
1066: <li>Implemented the <a href="https://man.openbsd.org/nc.1">nc(1)</a>
1067: -D socket debug option in <a
1068: href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>, allowing
1069: analysis of TCP connections.
1.14 tb 1070: <li>Avoid leaking the help text in
1071: <a href="https://man.openbsd.org/tcpbench.1">systat(8)</a>.
1072: <li>Simplify argument parsing of
1.31 tb 1073: <code><a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> stop</code>
1.14 tb 1074: thereby avoiding a
1075: <a href="https://man.openbsd.org/printf.3">printf(3)</a> "%s" NULL,
1076: a use of uninitialized and a dead else branch.
1.15 benno 1077: <li>Increased the maximum length for CHAP challenges to 96 octets to
1078: ensure <a href="https://man.openbsd.org/npppd.8">npppd(8)</a> can
1079: handle longer challenges, such as those sent by Juniper.
1080: </ul>
1.1 deraadt 1081: </ul>
1082:
1083: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
1084: <ul>
1.5 benno 1085: <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
1.15 benno 1086: <li>Allowed use of ## and # in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> styles and added a "w" format modifier for width.
1087: <li>Added a -C flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> run-shell to use a tmux command rather than a shell command.
1088: <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -N flag to never start the server even if the command would normally do so.
1089: <li>Added the new <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -S flag to new-window to select the existing window if one with the given name already exists, rather than failing.
1090: <li>Added support for X11 color names and other variations for OSC 10/11 and added OSC 110 and 111 to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1091: <li>Removed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> support for popups where the content is provided directly to tmux.
1092: <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> "absolute-centre" alignment to use the center of the total space instead of the available space.
1093: <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> split-window -Z to start the pane zoomed.
1094: <li>Added client-detached notification in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> control mode.
1095: <li>Changed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> search-again with vi keys to work like <a href="https://man.openbsd.org/vi.1">vi(1)</a>.
1.1 deraadt 1096: </ul>
1097:
1098: <li>OpenSMTPD 6.9.0
1099: <ul>
1.5 benno 1100: <li>Introduced <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>
1101: -a to perform authentication before sending a message.
1102: <li>Fixed a memory leak in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> resolver.
1103: <li>Prevented a crash due to premature release of resources by the <a
1104: href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> filter state
1105: machine.
1.12 eric 1106: <li>Switch to libtls internally.
1107: <li>Change the way SNI works in <a href="https://man.openbsd.org/smtpd.conf.5#pki~2">smtpd.conf(5)</a>.
1108: TLS listeners may be configured with multiple certificates,
1109: the matching is based on the names included in these certificates.
1110: <li>Allow to specify tls protocols and ciphers per listener and relay action.
1.15 benno 1111: <li>Allowed <a
1112: href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
1113: specification of tls protocols and ciphers on relay actions.
1.5 benno 1114:
1.1 deraadt 1115: </ul>
1116:
1.15 benno 1117: <li>LibreSSL 3.2.5
1.1 deraadt 1118: <ul>
1119: <li>New Features
1120: <ul>
1.38 ! tb 1121: <li>Support for DTLSv1.2.
! 1122: <li>Continued rewrite of the record layer for the legacy stack.
! 1123: <li>Numerous bugs and interoperability issues were fixed in the new verifier.
! 1124: <li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
! 1125: </ul>
1.15 benno 1126:
1.38 ! tb 1127: <li>Portable Improvements
! 1128: <ul>
! 1129: <li>Added '--enable-libtls-only' build option, which builds and installs a
! 1130: statically-linked libtls, skipping libcrypto and libssl. This is useful
! 1131: for systems that ship with OpenSSL but wish to also package libtls.
1.3 benno 1132:
1.38 ! tb 1133: <li>Update getentropy on Windows to use Cryptography Next Generation
! 1134: (CNG). wincrypt is deprecated and no longer works with newer Windows
! 1135: environments, such as in Windows Store apps.
1.1 deraadt 1136: </ul>
1137:
1138: <li>API and Documentation Enhancements
1139: <ul>
1.38 ! tb 1140: <li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
! 1141: draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
! 1142:
! 1143: <li>Add support for SSL_get_shared_ciphers() with TLSv1.3.
! 1144:
! 1145: <li>Add DTLSv1.2 methods.
! 1146:
! 1147: <li>Implement SSL_is_dtls() and use it internally in place of the
! 1148: SSL_IS_DTLS macro.
! 1149:
! 1150: <li>Provide EVP_PKEY_new_CMAC_KEY(3).
! 1151:
! 1152: <li>Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
! 1153:
! 1154: <li>Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
! 1155: logging.
! 1156:
! 1157: <li>Provide SSL_use_certificate_chain_file(3).
! 1158:
! 1159: <li>Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
! 1160:
! 1161: <li>Provide various DTLSv1.2 specific functions and defines.
! 1162:
! 1163: <li>Document meaning of '*' in the genrsa output.
! 1164:
! 1165: <li>Updated documentation for SSL_get_shared_ciphers(3).
! 1166:
! 1167: <li>Add documentation for SSL_get_finished(3).
! 1168:
! 1169: <li>Document EVP_PKEY_new_CMAC_key(3)
! 1170:
! 1171: <li>Document SSL_use_certificate_chain_file(3).
! 1172:
! 1173: <li>Document SSL_set_hostflags(3) and SSL_get0_peername(3).
! 1174:
! 1175: <li>Update SSL_get_version.3 manual for DTLSv.1.2 support.
! 1176:
! 1177: <li>Make supported protocols and options for DHE params more prominent
! 1178: in tls_config_set_protocols.3.
! 1179:
! 1180: <li>Various documentation improvements around TLS methods.
1.1 deraadt 1181: </ul>
1182:
1183: <li>Compatibility Changes
1184: <ul>
1.38 ! tb 1185: <li>Make openssl(1) s_server ignore -4 and -6 for compatibility with
! 1186: OpenSSL.
! 1187:
! 1188: <li>Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
! 1189: command.
! 1190:
! 1191: <li>Send a host header with OCSP queries to make openssl(1) ocsp
! 1192: work with some widely used OCSP responders.
! 1193:
! 1194: <li>Add ability to ocspcheck(8) to parse a port in the specified
! 1195: OCSP URL.
! 1196:
! 1197: <li>Implement auto chain for the TLSv1.3 server since some software
! 1198: relies on this.
! 1199:
! 1200: <li>Implement key exporter for TLSv1.3.
! 1201: <li>Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
! 1202: that it never returned server ciphers, so now it will fail when
! 1203: called from the client side.
! 1204:
! 1205: <li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
! 1206:
! 1207: <li>Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
! 1208: zero if the minimum or maximum has been set to zero to match
! 1209: OpenSSL's behavior.
! 1210:
! 1211: <li>Add DTLSv1.2 support to openssl s_client/s_server.
1.1 deraadt 1212: </ul>
1213:
1214: <li>Testing and Proactive Security
1215: <ul>
1.38 ! tb 1216: <li>Malformed ASN.1 in a certificate revocation list or a timestamp
! 1217: response token can lead to a NULL pointer dereference.
! 1218:
! 1219: <li>Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
! 1220:
! 1221: <li>Use EXFLAG_INVALID to handle out of memory and parse errors in
! 1222: x509v3_cache_extensions().
! 1223:
! 1224: <li>Refactor and clean up ocspcheck(8) and add regression tests.
1.1 deraadt 1225: </ul>
1226:
1227: <li>Internal Improvements
1228: <ul>
1.38 ! tb 1229: <li>Further cleanup of the DTLS record handling.
! 1230:
! 1231: <li>Continue the replacement of the TLSv1.2 record layer by
! 1232: reimplementing the read side of the TLSv1.2 record handling.
! 1233:
! 1234: <li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
! 1235:
! 1236: <li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
! 1237:
! 1238: <li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
! 1239: .data.rel.ro and .rodata, respectively.
! 1240:
! 1241: <li>Add a const qualifier to srtp_known_profiles.
! 1242:
! 1243: <li>Simplify TLS method by removing the client and server specific
! 1244: methods internally.
! 1245:
! 1246: <li>Avoid casting away const in ssl_ctx_make_profiles().
! 1247:
! 1248: <li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
! 1249: the assert work for newer DTLS versions.
! 1250:
! 1251: <li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
! 1252:
! 1253: <li>Add a flag to mark DTLS methods as DTLS to have an easy way to
! 1254: recognize DTLS methods that avoids inspecting the version number.
! 1255:
! 1256: <li>Mark a few more internal static tables const.
! 1257:
! 1258: <li>Switch finish{,_peer}_md_len from an int to a size_t.
! 1259:
! 1260: <li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
! 1261: for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
! 1262: was a historical artefact.
! 1263:
! 1264: <li>Free struct members in tls13_record_layer_free() in their natural
! 1265: order for reviewability.
! 1266:
! 1267: <li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
! 1268:
! 1269: <li>Add tls13_secret_{init,cleanup}() and use them throughout the
! 1270: TLSv1.3 code base.
! 1271:
! 1272: <li>Move the read MAC key into the TLSv1.2 record layer.
! 1273:
! 1274: <li>Make tls12_record_layer_free() NULL safe.
! 1275:
! 1276: <li>Split the record protection from the TLSv1.2 record layer.
! 1277:
! 1278: <li>Clean up sequence number handling in the new TLSv1.2 record layer.
! 1279:
! 1280: <li>Clean up sequence number handling in DTLS.
! 1281:
! 1282: <li>Clean up dtls1_reset_seq_numbers().
! 1283:
! 1284: <li>Factor out code for explicit IV length, block size and MAC length
! 1285: from tls12_record_layer_open_record_protected_cipher().
! 1286:
! 1287: <li>Provide record layer overhead for DTLS.
! 1288:
! 1289: <li>Provide functions to determine if TLSv1.2 record protection is
! 1290: engaged.
! 1291:
! 1292: <li>Add code to handle change of cipher state in the new TLSv1.2 record
! 1293: layer.
! 1294:
! 1295: <li>Mop up now unused dtls1_build_sequence_numbers() function.
! 1296:
! 1297: <li>Allow setting a keypair on a tls context without specifying the
! 1298: private key, and fake it internally in libtls. This removes the
! 1299: need for privsep engines like relayd to use bogus keys.
! 1300:
! 1301: <li>Skip the private key check for fake private keys.
! 1302:
! 1303: <li>Move the private key setup from tls_configure_ssl_keypair() to a
! 1304: helper function with proper error checking.
! 1305:
! 1306: <li>Change the internal tls_configure_ssl_keypair() function to
! 1307: return -1 instead of 1 on failure.
! 1308:
! 1309: <li>Move sequence numbers into the new TLSv1.2 record layer.
! 1310:
! 1311: <li>Move AEAD handling into the new TLSv1.2 record layer.
! 1312:
! 1313: <li>Factor out legacy stack version checks.
! 1314:
! 1315: <li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
! 1316: were originally added with the default handshake MAC and PRF rather
! 1317: than the SHA256 handshake MAC and PRF.
! 1318:
! 1319: <li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
! 1320:
! 1321: <li>Use dtls1_record_retrieve_buffered_record() to load buffered
! 1322: application data.
! 1323:
! 1324: <li>Enforce read ahead with DTLS.
! 1325:
! 1326: <li>Remove bogus DTLS checks that disabled ECC and OCSP.
! 1327:
! 1328: <li>Clean up and simplify dtls1_get_cipher().
! 1329:
! 1330: <li>Group HelloVerifyRequest decoding and add missing check for trailing
! 1331: data.
! 1332:
! 1333: <li>Revise HelloVerifyRequest handling for DTLSv1.2.
! 1334:
! 1335: <li>Handle DTLS1_2_VERSION in various places.
! 1336:
! 1337: <li>Rename the "truncated" label into "decode_err" and the "f_err"
! 1338: label into "fatal_err".
! 1339:
! 1340: <li>Factor out and change some of the legacy client version code.
! 1341:
! 1342: <li>Simplify version checks in the TLSv1.3 client. Ensure that the
! 1343: server announced TLSv1.3 and nothing higher and check that the
! 1344: legacy_version is set to TLSv1.2 as required by RFC 8446.
! 1345:
! 1346: <li>Only use TLS versions internally rather than both TLS and DTLS
! 1347: versions since the latter are the one's complement of the human
! 1348: readable version numbers, which means that newer versions decrease
! 1349: in value.
! 1350:
! 1351: <li>Identify DTLS based on the version major value.
! 1352:
! 1353: <li>Move handling of cipher/hash based cipher suites into the new record
! 1354: layer.
! 1355:
! 1356: <li>Add tls12_record_protection_unused() and call it from CCS functions.
! 1357:
! 1358: <li>Move key/IV length checks closer to usage sites. Also add explicit
! 1359: checks against EVP_CIPHER_{iv,key}_length().
! 1360:
! 1361: <li>Replace two handrolled tls12_record_protection_engaged().
! 1362:
! 1363: <li>Improve internal version handling: add handshake fields for our
! 1364: minimum version, our maximum version and the TLS version negotiated
! 1365: during the handshake. Convert most of the internal code to use these
! 1366: version fields.
! 1367:
! 1368: <li>Guard against future internal use of TLS1_get_{client,}_version()
! 1369: macros.
! 1370:
! 1371: <li>Remove the internal ssl_downgrade_max_version() function which is no
! 1372: longer needed.
! 1373:
! 1374: <li>Add support for DTLSv1.2 version handling.
! 1375:
! 1376: <li>Remove no longer needed read ahead workarounds in the s_client and
! 1377: s_server.
! 1378:
! 1379: <li>Split TLSv1.3 record protection from record layer.
! 1380:
! 1381: <li>Move the TLSv1.3 handshake struct inside the shared handshake
! 1382: struct.
! 1383:
! 1384: <li>Fully initialize rrec in tls12_record_layer_open_record_protected()
! 1385: to avoid confusing some static analyzers.
! 1386:
! 1387: <li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
! 1388: does not set errno.
! 1389:
! 1390: <li>Convert openssl(1) x509 to new option handling and do the usual
! 1391: clean up that goes along with it.
! 1392:
! 1393: <li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
! 1394:
! 1395: <li>Rename new_cipher to cipher to align naming with keyblock or other
! 1396: parts of the handshake data.
! 1397:
! 1398: <li>Move the TLSv1.2 record number increment into the new record layer.
! 1399:
! 1400: <li>Move finished and peer finished into the handshake struct.
! 1401:
! 1402: <li>Remove pointless assignment in SSL_get0_alpn_selected().
! 1403:
! 1404: <li>Add some error checking to openssl(1) x509.
1.1 deraadt 1405: </ul>
1406:
1.38 ! tb 1407: <li>Bug Fixes
1.1 deraadt 1408: <ul>
1.38 ! tb 1409: <li>Move point-on-curve check to set_affine_coordinates to avoid
! 1410: verifying ECDSA signatures with unchecked public keys.
! 1411:
! 1412: <li>Fix SSL_is_server() to behave as documented by re-introducing the
! 1413: client-specific methods.
! 1414:
! 1415: <li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
! 1416:
! 1417: <li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
! 1418:
! 1419: <li>Correct the return value type from ERR_peek_error() to a long.
! 1420:
! 1421: <li>Avoid use of uninitialized in ASN1_time_parse() which could happen
! 1422: on parsing UTCTime if the caller did not initialise the passed
! 1423: struct tm.
! 1424:
! 1425: <li>Destroy the mutex in a tls_config object on tls_config_free().
! 1426:
! 1427: <li>Free alert_data and phh_data in tls13_record_layer_free()
! 1428: these could leak if SSL_shutdown() or tls_close() were called
! 1429: after closing the underlying socket().
! 1430:
! 1431: <li>Gracefully handle root certificates being both trusted and
! 1432: untrusted.
! 1433:
! 1434: <li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
! 1435: verifier.
! 1436:
! 1437: <li>Use the legacy verifier when building auto chains for TLS.
! 1438:
! 1439: <li>Search the intermediates only after searching the root certs in the
! 1440: new verifier to avoid problems with the legacy callback.
! 1441:
! 1442: <li>Bail out early after finding a single chain in the new verifier, if
! 1443: we have been called via the legacy verifier API.
! 1444:
! 1445: <li>Set (invalid and likely incomplete) chain on the xsc on chain build
! 1446: failure prior to calling the callback. This is required by various
! 1447: callers, including auto chain.
! 1448:
! 1449: <li>Remove direct assignment of aead_ctx to avoid a leak.
! 1450:
! 1451: <li>Fail early in legacy exporter if the master secret is not available
! 1452: to avoid a segfault if it is called when the handshake is not
! 1453: completed.
! 1454:
! 1455: <li>Only print the certificate file once on verification failure.
! 1456:
! 1457: <li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
! 1458: the new validator checks for EXFLAG_CRITICAL in
! 1459: x509_vfy_check_chain_extension() for all untrusted certs in the
! 1460: chain. Take into account that the root is not necessarily trusted.
! 1461:
! 1462: <li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
! 1463:
! 1464: <li>Fix two bugs in the legacy verifier that resulted from refactoring
! 1465: of X509_verify_cert() for the new verifier: a return value was
! 1466: incorrectly treated as boolean, making it insufficient to decide
! 1467: whether validation should carry on or not.
! 1468:
! 1469: <li>Fix checks for memory caps of constraints names. There are internal
! 1470: caps on the number of name constraints and other names, that the new
! 1471: name constraints code allocates per cert chain. These limits were
! 1472: checked too late, making them only partially effective.
! 1473:
! 1474: <li>Fix a copy-paste error - skid was confused with an akid when
! 1475: checking for EXFLAG_INVALID. This broke OCSP validation with
! 1476: certain mirrors.
! 1477:
! 1478: <li>Avoid a use-after-scope in tls13_cert_add().
! 1479:
! 1480: <li>Avoid mangled output in BIO_debug_callback().
! 1481:
! 1482: <li>Fix client initiated renegotiation by replacing use of s->internal-type
! 1483: with s->server.
! 1484:
! 1485: <li>Avoid transcript initialization when sending a TLS HelloRequest,
! 1486: fixing server initiated renegotiation.
! 1487:
! 1488: <li>Avoid leaking param->name in x509_verify_param_zero().
! 1489:
! 1490: <li>Avoid a leak in an error path in openssl(1) x509.
! 1491:
! 1492: <li>When sending an alert in TLSv1.3, only set its error code when no
! 1493: other error was set previously. Certain clients rely on specific
! 1494: SSL_R_ error codes to identify that they are dealing with a self
! 1495: signed cert.
! 1496:
! 1497: <li>When switching from the TLSv1.3 stack to the legacy stack include
! 1498: a TLS record header. This is necessary if there is more than one
! 1499: handshake message in the TLS plaintext record.
! 1500:
! 1501: <li>Fix resource handling on error in OCSP_request_add0_id().
! 1502:
! 1503: <li>Make sure there is enough room for stashing the handshake message
! 1504: when switching to the legacy TLS stack.
! 1505:
! 1506: <li>Fix a memory leak in the openssl(1) s_client.
! 1507:
! 1508: <li>Unbreak DTLS retransmissions for flights that include a CCS.
! 1509:
! 1510: <li>If x509_verify() fails, ensure that the error is set on both
! 1511: the x509_verify_ctx() and its store context to make some failures
! 1512: visible from SSL_get_verify_result().
! 1513:
! 1514: <li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
! 1515: verifier to fix hashed certificate directories.
! 1516:
! 1517: <li>Only check BIO_should_read() on read and BIO_should_write() on
! 1518: write. Previously, BIO_should_write() was also checked after read
! 1519: and BIO_should_read() after write which could cause stalls in
! 1520: software that uses the same BIO for read and write.
! 1521:
! 1522: <li>In openssl(1) verify, also check for error on the store context
! 1523: since the return value of X509_verify_cert() is unreliable in
! 1524: presence of a callback that returns 1 too often.
! 1525:
! 1526: <li>Handle additional certificate error cases in the new X.509 verifier.
! 1527: Keep track of the errors encountered if a verify callback tells the
! 1528: verifier to continue and report them back via the error on the store
! 1529: context. This mimics the behavior of the old verifier that would
! 1530: persist the first error encountered while building the chain.
! 1531:
! 1532: <li>Report specific failures for "self signed certificates" in a way
! 1533: compatible with the old verifier since software relies on the
! 1534: error code.
! 1535:
! 1536: <li>Plug a large memory leak in the new verifier caused by calling
! 1537: X509_policy_check() repeatedly.
1.1 deraadt 1538:
1.38 ! tb 1539: <li>Avoid leaking memory in x509_verify_chain_dup().
1.1 deraadt 1540: </ul>
1541: </ul>
1542:
1.15 benno 1543: <li>OpenSSH 8.5
1.1 deraadt 1544: <ul>
1.33 benno 1545: <li>Security fixes
1546: <ul>
1547: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1548: fixed a double-free memory corruption that was introduced in OpenSSH
1549: 8.2 . We treat all such memory faults as potentially exploitable. This
1550: bug could be reached by an attacker with access to the agent socket.<br>
1.3 benno 1551:
1.33 benno 1552: On modern operating systems where the OS can provide information
1553: about the user identity connected to a socket, OpenSSH ssh-agent and
1554: sshd limit agent socket access only to the originating user and root.
1555: Additional mitigation may be afforded by the system's
1556: malloc(3)/free(3) implementation, if it detects double-free
1557: conditions.<br>
1.3 benno 1558:
1.33 benno 1559: The most likely scenario for exploitation is a user forwarding an
1560: agent either to an account shared with a malicious user or to a host
1561: with an attacker holding root access.
1562: </ul>
1.1 deraadt 1563: <li>Potentially incompatible changes.
1564: <ul>
1.33 benno 1565: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1566: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release
1567: changes the first-preference signature algorithm from ECDSA to
1568: ED25519.
1569:
1570: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1571: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: set the TOS/DSCP
1572: specified in the configuration for interactive use prior to TCP
1573: connect. The connection phase of the SSH session is time-sensitive and
1574: often explicitly interactive. The ultimate interactive/bulk TOS/DSCP
1575: will be set after authentication completes.
1576:
1577: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1578: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove the
1579: pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias
1580: for aes256-cbc before it was standardized in RFC4253 (2006), has been
1581: deprecated and disabled by default since OpenSSH 7.2 (2016) and was
1582: only briefly documented in ssh.1 in 2001.
1583:
1584: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1585: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: update/replace the
1586: experimental post-quantum hybrid key exchange method based on
1587: Streamlined NTRU Prime coupled with X25519.<br>
1588:
1589: The previous sntrup4591761x25519-sha512@tinyssh.org method is
1590: replaced with sntrup761x25519-sha512@openssh.com. Per its designers,
1591: the sntrup4591761 algorithm was superseded almost two years ago by
1592: sntrup761.
1593: (note this both the updated method and the one that it replaced are
1594: disabled by default)
1595:
1596: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: disable
1597: CheckHostIP by default. It provides insignificant benefits while
1598: making key rotation significantly more difficult, especially for hosts
1599: behind IP-based load-balancers.
1.1 deraadt 1600: </ul>
1601: <li>New Features
1602: <ul>
1.33 benno 1603: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: this release
1604: enables UpdateHostkeys by default subject to some conservative
1605: preconditions:
1606: <ul>
1607: <li>The key was matched in the UserKnownHostsFile (and not in the
1608: GlobalKnownHostsFile).
1609: <li>The same key does not exist under another name.
1610: <li>A certificate host key is not in use.
1611: <li>known_hosts contains no matching wildcard hostname pattern.
1612: <li>VerifyHostKeyDNS is not enabled.
1613: <li>The default UserKnownHostsFile is in use.
1614: </ul>
1615: We expect some of these conditions will be modified or relaxed in
1616: future.
1617:
1618: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1619: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new
1620: LogVerbose configuration directive for that allows forcing maximum
1621: debug logging by file/function/line pattern-lists.
1622:
1623: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
1624: prompting the user to accept a new hostkey, display any other host
1625: names/addresses already associated with the key.
1626:
1627: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow
1628: UserKnownHostsFile=none to indicate that no known_hosts file should be
1629: used to identify host keys.
1630:
1631: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
1632: ssh_config KnownHostsCommand option that allows the client to obtain
1633: known_hosts data from a command in addition to the usual files.
1634:
1635: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
1636: ssh_config PermitRemoteOpen option that allows the client to restrict
1637: the destination when RemoteForward is used with SOCKS.
1638:
1639: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: for FIDO
1640: keys, if a signature operation fails with a "incorrect PIN" reason and
1641: no PIN was initially requested from the user, then request a PIN and
1642: retry the operation. This supports some biometric devices that fall
1643: back to requiring PIN when reading of the biometric failed, and
1644: devices that require PINs for all hosted credentials.
1645:
1646: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: implement
1647: client address-based rate-limiting via new <a
1648: href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
1649: PerSourceMaxStartups and PerSourceNetBlockSize directives that provide
1650: more fine-grained control on a per-origin address basis than the
1651: global MaxStartups limit.
1.1 deraadt 1652: </ul>
1653: <li>Bugfixes
1654: <ul>
1.33 benno 1655: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Prefix
1656: keyboard interactive prompts with "(user@host)" to make it easier to
1657: determine which connection they are associated with in cases like scp
1658: -3, ProxyJump, etc. bz#3224
1659:
1660: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix
1661: sshd_config SetEnv directives located inside Match blocks. GHPR#201
1662:
1663: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
1664: requesting a FIDO token touch on stderr, inform the user once the
1665: touch has been recorded.
1666:
1667: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prevent
1668: integer overflow when ridiculously large ConnectTimeout values are
1669: specified, capping the effective value (for most platforms) at 24
1670: days. bz#3229
1671:
1672: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: consider the
1673: ECDSA key subtype when ordering host key algorithms in the client.
1674:
1675: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1676: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: rename the
1677: PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The
1678: previous name incorrectly suggested that it control allowed key
1679: algorithms, when this option actually specifies the signature
1680: algorithms that are accepted. The previous name remains available as
1681: an alias. bz#3253
1682:
1683: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1684: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: similarly, rename
1685: HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
1686: HostbasedAcceptedAlgorithms.
1687:
1688: <li><a
1689: href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: add
1690: missing lsetstat@openssh.com documentation and advertisement in the
1691: server's SSH2_FXP_VERSION hello packet.
1692:
1693: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1694: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more strictly
1695: enforce KEX state-machine by banning packet types once they are
1696: received. Fixes memleak caused by duplicate
1697: SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
1698:
1699: <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the
1700: full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of
1701: being limited by LONG_MAX. bz#3206
1702:
1703: <li>Minor man page fixes (capitalization, commas, etc.) bz#3223
1704:
1705: <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: when doing
1706: an sftp recursive upload or download of a read-only directory, ensure
1707: that the directory is created with write and execute permissions in
1708: the interim so that the transfer can actually complete, then set the
1709: directory permission as the final step. bz#3222
1710:
1711: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1712: document the -Z, check the validity of its argument earlier and
1713: provide a better error message if it's not correct. bz#2879
1714:
1715: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ignore
1716: comments at the end of config lines in ssh_config, similar to what we
1717: already do for sshd_config. bz#2320
1718:
1719: <li><a
1720: href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
1721: mention that DisableForwarding is valid in a sshd_config Match block.
1722: bz3239
1723:
1724: <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix
1725: incorrect sorting of "ls -ltr" under some circumstances. bz3248.
1726:
1727: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1728: href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix potential
1729: integer truncation of (unlikely) timeout values. bz#3250
1730:
1731: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make
1732: hostbased authentication send the signature algorithm in its
1733: SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make
1734: HostbasedAcceptedAlgorithms do what it is supposed to - filter on
1735: signature algorithm and not key type.
1.1 deraadt 1736: </ul>
1737: </ul>
1738:
1739: <li>Ports and packages:
1740: <p>Many pre-built packages for each architecture:
1741: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
1742: <ul style="column-count: 3">
1743: <li>aarch64: XXX
1744: <li>amd64: XXX
1745: <li>arm: XXX
1746: <li>i386: XXX
1747: <li>mips64: XXX
1748: <li>mips64el: XXX
1749: <li>powerpc: XXX
1750: <li>powerpc64: XXX
1751: <li>sparc64: XXX
1752: </ul>
1753:
1754: <li>As usual, steady improvements in manual pages and other documentation.
1755:
1756: <li>The system includes the following major components from outside suppliers:
1757: <ul>
1.5 benno 1758:
1759: <li>Xenocara (based on X.Org 7.7 with xserver 1.20.10 + patches,
1.32 matthieu 1760: freetype 2.10.4, fontconfig 2.12.4, Mesa 20.0.8, xterm 367,
1.5 benno 1761: xkeyboard-config 2.20, fonttosfnt 1.2.1 and more)
1.1 deraadt 1762: <li>LLVM/Clang 10.0.1 (+ patches)
1763: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.10 benno 1764: <li>Perl 5.32.1 (+ patches)
1.8 florian 1765: <li>NSD 4.3.6
1766: <li>Unbound 1.13.1
1.1 deraadt 1767: <li>Ncurses 5.7
1768: <li>Binutils 2.17 (+ patches)
1769: <li>Gdb 6.3 (+ patches)
1.5 benno 1770: <li>Awk December 18, 2020 version
1771: <li>Expat 2.2.10
1.1 deraadt 1772: </ul>
1773:
1774: </ul>
1775: </section>
1776:
1777: <hr>
1778:
1779: <section id=install>
1780: <h3>How to install</h3>
1781: <p>
1782: Please refer to the following files on the mirror site for
1783: extensive details on how to install OpenBSD 6.9 on your machine:
1784:
1785: <ul>
1786: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/alpha/INSTALL.alpha">
1787: .../OpenBSD/6.9/alpha/INSTALL.alpha</a>
1788: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/amd64/INSTALL.amd64">
1789: .../OpenBSD/6.9/amd64/INSTALL.amd64</a>
1790: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/arm64/INSTALL.arm64">
1791: .../OpenBSD/6.9/arm64/INSTALL.arm64</a>
1792: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/armv7/INSTALL.armv7">
1793: .../OpenBSD/6.9/armv7/INSTALL.armv7</a>
1794: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/hppa/INSTALL.hppa">
1795: .../OpenBSD/6.9/hppa/INSTALL.hppa</a>
1796: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/i386/INSTALL.i386">
1797: .../OpenBSD/6.9/i386/INSTALL.i386</a>
1798: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/landisk/INSTALL.landisk">
1799: .../OpenBSD/6.9/landisk/INSTALL.landisk</a>
1800: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/loongson/INSTALL.loongson">
1801: .../OpenBSD/6.9/loongson/INSTALL.loongson</a>
1802: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/luna88k/INSTALL.luna88k">
1803: .../OpenBSD/6.9/luna88k/INSTALL.luna88k</a>
1804: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/macppc/INSTALL.macppc">
1805: .../OpenBSD/6.9/macppc/INSTALL.macppc</a>
1806: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/octeon/INSTALL.octeon">
1807: .../OpenBSD/6.9/octeon/INSTALL.octeon</a>
1808: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/powerpc64/INSTALL.powerpc64">
1.4 landry 1809: .../OpenBSD/6.9/powerpc64/INSTALL.powerpc64</a>
1.1 deraadt 1810: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sgi/INSTALL.sgi">
1811: .../OpenBSD/6.9/sgi/INSTALL.sgi</a>
1812: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sparc64/INSTALL.sparc64">
1813: .../OpenBSD/6.9/sparc64/INSTALL.sparc64</a>
1814: </ul>
1815: </section>
1816:
1817: <hr>
1818:
1819: <section id=quickinstall>
1820: <p>
1821: Quick installer information for people familiar with OpenBSD, and the use of
1822: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1823: If you are at all confused when installing OpenBSD, read the relevant
1824: INSTALL.* file as listed above!
1825:
1826: <h3>OpenBSD/alpha:</h3>
1827:
1828: <p>
1829: If your machine can boot from CD, you can write <i>install69.iso</i> or
1830: <i>cd69.iso</i> to a CD and boot from it.
1831: Refer to INSTALL.alpha for more details.
1832:
1833: <h3>OpenBSD/amd64:</h3>
1834:
1835: <p>
1836: If your machine can boot from CD, you can write <i>install69.iso</i> or
1837: <i>cd69.iso</i> to a CD and boot from it.
1838: You may need to adjust your BIOS options first.
1839:
1840: <p>
1841: If your machine can boot from USB, you can write <i>install69.img</i> or
1842: <i>miniroot69.img</i> to a USB stick and boot from it.
1843:
1844: <p>
1845: If you can't boot from a CD, floppy disk, or USB,
1846: you can install across the network using PXE as described in the included
1847: INSTALL.amd64 document.
1848:
1849: <p>
1850: If you are planning to dual boot OpenBSD with another OS, you will need to
1851: read INSTALL.amd64.
1852:
1853: <h3>OpenBSD/arm64:</h3>
1854:
1855: <p>
1856: Write <i>miniroot69.img</i> to a disk and boot from it after connecting
1857: to the serial console. Refer to INSTALL.arm64 for more details.
1858:
1859: <h3>OpenBSD/armv7:</h3>
1860:
1861: <p>
1862: Write a system specific miniroot to an SD card and boot from it after connecting
1863: to the serial console. Refer to INSTALL.armv7 for more details.
1864:
1865: <h3>OpenBSD/hppa:</h3>
1866:
1867: <p>
1868: Boot over the network by following the instructions in INSTALL.hppa or the
1869: <a href="hppa.html#install">hppa platform page</a>.
1870:
1871: <h3>OpenBSD/i386:</h3>
1872:
1873: <p>
1874: If your machine can boot from CD, you can write <i>install69.iso</i> or
1875: <i>cd69.iso</i> to a CD and boot from it.
1876: You may need to adjust your BIOS options first.
1877:
1878: <p>
1879: If your machine can boot from USB, you can write <i>install69.img</i> or
1880: <i>miniroot69.img</i> to a USB stick and boot from it.
1881:
1882: <p>
1883: If you can't boot from a CD, floppy disk, or USB,
1884: you can install across the network using PXE as described in
1885: the included INSTALL.i386 document.
1886:
1887: <p>
1888: If you are planning on dual booting OpenBSD with another OS, you will need to
1889: read INSTALL.i386.
1890:
1891: <h3>OpenBSD/landisk:</h3>
1892:
1893: <p>
1894: Write <i>miniroot69.img</i> to the start of the CF
1895: or disk, and boot normally.
1896:
1897: <h3>OpenBSD/loongson:</h3>
1898:
1899: <p>
1900: Write <i>miniroot69.img</i> to a USB stick and boot bsd.rd from it
1901: or boot bsd.rd via tftp.
1902: Refer to the instructions in INSTALL.loongson for more details.
1903:
1904: <h3>OpenBSD/luna88k:</h3>
1905:
1906: <p>
1907: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1908: from the PROM, and then bsd.rd from the bootloader.
1909: Refer to the instructions in INSTALL.luna88k for more details.
1910:
1911: <h3>OpenBSD/macppc:</h3>
1912:
1913: <p>
1914: Burn the image from a mirror site to a CDROM, and power on your machine
1915: while holding down the <i>C</i> key until the display turns on and
1916: shows <i>OpenBSD/macppc boot</i>.
1917:
1918: <p>
1919: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1920: /6.9/macppc/bsd.rd</i>
1921:
1922: <h3>OpenBSD/octeon:</h3>
1923:
1924: <p>
1925: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1926: Refer to the instructions in INSTALL.octeon for more details.
1927:
1928: <h3>OpenBSD/powerpc64:</h3>
1929:
1930: <p>
1931: To install, write <i>install69.img</i> or <i>miniroot69.img</i> to a
1932: USB stick, plug it into the machine and choose the <i>OpenBSD
1933: install</i> menu item in Petitboot.
1934: Refer to the instructions in INSTALL.powerpc64 for more details.
1935:
1936: <h3>OpenBSD/sgi:</h3>
1937:
1938: <p>
1939: To install, burn cd69.iso on a CD-R, put it in the CD drive of your
1940: machine and select <i>Install System Software</i> from the System Maintenance
1941: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
1942: CD-ROM, and need a proper invocation from the PROM prompt.
1943: Refer to the instructions in INSTALL.sgi for more details.
1944:
1945: <p>
1946: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
1947: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
1948: system type. Refer to the instructions in INSTALL.sgi for more details.
1949:
1950: <h3>OpenBSD/sparc64:</h3>
1951:
1952: <p>
1953: Burn the image from a mirror site to a CDROM, boot from it, and type
1954: <i>boot cdrom</i>.
1955:
1956: <p>
1957: If this doesn't work, or if you don't have a CDROM drive, you can write
1958: <i>floppy69.img</i> or <i>floppyB69.img</i>
1959: (depending on your machine) to a floppy and boot it with <i>boot
1960: floppy</i>. Refer to INSTALL.sparc64 for details.
1961:
1962: <p>
1963: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1964: will most likely fail.
1965:
1966: <p>
1967: You can also write <i>miniroot69.img</i> to the swap partition on
1968: the disk and boot with <i>boot disk:b</i>.
1969:
1970: <p>
1971: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1972: </section>
1973:
1974: <hr>
1975:
1976: <section id=upgrade>
1977: <h3>How to upgrade</h3>
1978: <p>
1.22 benno 1979: If you already have an OpenBSD 6.8 system, and do not want to reinstall,
1.1 deraadt 1980: upgrade instructions and advice can be found in the
1981: <a href="faq/upgrade69.html">Upgrade Guide</a>.
1982: </section>
1983:
1984: <hr>
1985:
1986: <section id=sourcecode>
1987: <h3>Notes about the source code</h3>
1988: <p>
1989: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1990: This file contains everything you need except for the kernel sources,
1991: which are in a separate archive.
1992: To extract:
1993: <blockquote><pre>
1994: # <kbd>mkdir -p /usr/src</kbd>
1995: # <kbd>cd /usr/src</kbd>
1996: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1997: </pre></blockquote>
1998: <p>
1999: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
2000: This file contains all the kernel sources you need to rebuild kernels.
2001: To extract:
2002: <blockquote><pre>
2003: # <kbd>mkdir -p /usr/src/sys</kbd>
2004: # <kbd>cd /usr/src</kbd>
2005: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
2006: </pre></blockquote>
2007: <p>
2008: Both of these trees are a regular CVS checkout. Using these trees it
2009: is possible to get a head-start on using the anoncvs servers as
2010: described <a href="anoncvs.html">here</a>.
2011: Using these files
2012: results in a much faster initial CVS update than you could expect from
2013: a fresh checkout of the full OpenBSD source tree.
2014: </section>
2015:
2016: <hr>
2017:
2018: <section id=ports>
2019: <h3>Ports Tree</h3>
2020: <p>
2021: A ports tree archive is also provided. To extract:
2022: <blockquote><pre>
2023: # <kbd>cd /usr</kbd>
2024: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
2025: </pre></blockquote>
2026: <p>
2027: Go read the <a href="faq/ports/index.html">ports</a> page
2028: if you know nothing about ports
2029: at this point. This text is not a manual of how to use ports.
2030: Rather, it is a set of notes meant to kickstart the user on the
2031: OpenBSD ports system.
2032: <p>
2033: The <i>ports/</i> directory represents a CVS checkout of our ports.
2034: As with our complete source tree, our ports tree is available via
2035: <a href="anoncvs.html">AnonCVS</a>.
2036: So, in order to keep up to date with the -stable branch, you must make
2037: the <i>ports/</i> tree available on a read-write medium and update the tree
2038: with a command like:
2039: <blockquote><pre>
2040: # <kbd>cd /usr/ports</kbd>
2041: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_9</kbd>
2042: </pre></blockquote>
2043: <p>
2044: [Of course, you must replace the server name here with a nearby anoncvs
2045: server.]
2046: <p>
2047: Note that most ports are available as packages on our mirrors. Updated
2048: ports for the 6.9 release will be made available if problems arise.
2049: <p>
2050: If you're interested in seeing a port added, would like to help out, or just
2051: would like to know more, the mailing list
2052: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
2053: </section>