Annotation of www/69.html, Revision 1.75

1.1       deraadt     1: <!doctype html>
                      2: <html lang=en id=release>
                      3: <meta charset=utf-8>
                      4:
                      5: <title>OpenBSD 6.9</title>
                      6: <meta name="description" content="OpenBSD 6.9">
                      7: <meta name="viewport" content="width=device-width, initial-scale=1">
                      8: <link rel="stylesheet" type="text/css" href="openbsd.css">
                      9: <link rel="canonical" href="https://www.openbsd.org/69.html">
                     10:
                     11: <h2 id=OpenBSD>
                     12: <a href="index.html">
                     13: <i>Open</i><b>BSD</b></a>
                     14: 6.9
                     15: </h2>
                     16:
                     17: <table>
                     18: <tr>
                     19: <td>
1.75    ! deraadt    20: <a href="images/nice.png">
        !            21: <img width="227" height="303" src="images/nice-s.gif" alt="Nice"></a>
1.1       deraadt    22: <td>
1.71      deraadt    23: Released May 1, 2021. (50th OpenBSD release)<br>
1.2       kn         24: Copyright 1997-2021, Theo de Raadt.<br>
1.26      benno      25: <br>
1.1       deraadt    26: 6.9 Song:
1.70      deraadt    27: <a href="lyrics.html#69">"Vetera Novis"</a>.
1.1       deraadt    28: <br>
1.7       job        29: Artwork by Joy San.
1.1       deraadt    30: <br>
                     31: <ul>
                     32: <li>See the information on <a href="ftp.html">the FTP page</a> for
                     33:     a list of mirror machines.
                     34: <li>Go to the <code class=reldir>pub/OpenBSD/6.9/</code> directory on
                     35:     one of the mirror sites.
                     36: <li>Have a look at <a href="errata69.html">the 6.9 errata page</a> for a list
                     37:     of bugs and workarounds.
                     38: <li>See a <a href="plus69.html">detailed log of changes</a> between the
                     39:     6.8 and 6.9 releases.
                     40: <p>
                     41: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
                     42:     pubkeys for this release:<p>
                     43:
                     44: <table class=signify>
                     45: <tr><td>
                     46: openbsd-69-base.pub:
                     47: <td>
                     48: <a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/openbsd-69-base.pub">
                     49: RWQZj25CSG5R2oLo5735Hh6C48kkjFsj5rJDjW+fGZwyY+BkD5/zps8f</a>
                     50: <tr><td>
                     51: openbsd-69-fw.pub:
                     52: <td>
                     53: RWSYx4htNi/zavF8ZToMBDFz2xymRfFnnR1MEKV9csYbvnrTBwdkXhdy
                     54: <tr><td>
                     55: openbsd-69-pkg.pub:
                     56: <td>
                     57: RWQlDXyHx5KlPoEiz4yWRK/Gt/rvPwI8KEAt3utge/dBS7R+EscdzA5K
                     58: <tr><td>
                     59: openbsd-69-syspatch.pub:
                     60: <td>
                     61: RWRWuHkSV0U8PUX24vGa3ywrvKNQY6llV3PLvKEzDTiTVPfIRaXPfvzR
                     62: </table>
                     63: </ul>
                     64: <p>
                     65: All applicable copyrights and credits are in the src.tar.gz,
                     66: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
                     67: files fetched via <code>ports.tar.gz</code>.
                     68: </table>
                     69:
                     70: <hr>
                     71:
                     72: <section id=new>
                     73: <h3>What's New</h3>
                     74: <p>
                     75: This is a partial list of new features and systems included in OpenBSD 6.9.
                     76: For a comprehensive list, see the <a href="plus69.html">changelog</a> leading
                     77: to 6.9.
                     78:
                     79: <ul>
                     80:
                     81: <li>New/extended platforms:
                     82:   <ul>
1.15      benno      83:     <li>Support for the <a href="powerpc64.html">powerpc64</a> platform was improved:
                     84:     <ul>
1.3       benno      85:        <li>Added <a href="https://man.openbsd.org/astfb.4">astfb(4)</a>, a
                     86:                driver for the framebuffer of the Aspeed BMC found on many POWER8 and
                     87:                POWER9 systems.
                     88:        <li>Added bsd.mp to powerpc64's installXX.{img,iso}.
                     89:        <li>Added RETGUARD implementation for powerpc and powerpc64.
                     90:        <li>Added a workaround for PCIO devices that cannot address the full
                     91:                64-bit PCI address space to powerpc64. Needed for <a
                     92:                href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> and <a
                     93:                href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> since Radeon
                     94:                GPUs only implement 36, 40, or 44 bits of address space.
                     95:        <li>Added limited emulation of unaligned access in the powerpc64 kernel.
1.41      kettenis   96:        <li>Added support for netbooting to the powerpc64 RAMDISK kernel.
1.5       benno      97:        <li>Fixed booting on powerpc64 machines with memory banks higher in
                     98:                physical address space, needing a larger TCE table.
1.41      kettenis   99:        <li>Introduced power-saving mode on POWER9 CPUs.
1.9       benno     100:        <li>Enabled floating-point exceptions on powerpc64.
1.10      benno     101:        <li>Added support for <a
                    102:                href="https://man.openbsd.org/ipmi.4">ipmi(4)</a> on PowerNV systems.
1.15      benno     103:     </ul>
1.41      kettenis  104:     <li>Preliminary support was added for devices using the Apple M1 SoC:
1.15      benno     105:     <ul>
1.41      kettenis  106:        <li>Recognized Apple Icestorm/Firestorm cores on arm64.
                    107:        <li>Added support for BCM4378 chips, as found on the Apple M1 SoCs, to
1.10      benno     108:                <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
                    109:        <li>Added <a href="https://man.openbsd.org/exuart.4">exuart(4)</a>
1.28      fcambus   110:                support for the UART found on the Apple M1 SoC.
1.10      benno     111:        <li>Added <a href="https://man.openbsd.org/apldog.4">apldog(4)</a>, a
                    112:                driver for the watchdog on Apple M1 SoCs, allowing reboot of the
                    113:                machine.
                    114:        <li>Added <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>,
                    115:                a driver for the interrupt controller found on Apple M1 SoCs.
                    116:        <li>Added <a href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a>,
                    117:                a driver for the PCIe host bridge on Apple M1 SoCs.
                    118:        <li>Added <a href="https://man.openbsd.org/apldart.4">apldart(4)</a>,
                    119:                a driver for the IOMMU on Apple M1 SoCs.
1.41      kettenis  120:        <li>Added support for CPUs with 8-bit ASIDs such as those on
1.15      benno     121:                Apple's M1 SoC.
                    122:     </ul>
                    123:     <li>The arm64 platform support was improved with the following changes:
                    124:     <ul>
                    125:        <li>Optimized arm64 <a
                    126:                href="https://man.openbsd.org/copyin.9">copyin(9)</a>, <a
                    127:                href="https://man.openbsd.org/copyout.9">copyout(9)</a> and <a
                    128:                href="https://man.openbsd.org/kcopy.9">kcopy(9)</a> by doing 16-byte
                    129:                copies if possible.
                    130:        <li>Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
1.41      kettenis  131:        <li>Added clock support for i.MX8MP SoCs.
1.15      benno     132:        <li>Added support for the VF610 I2C controller to <a
                    133:                href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
                    134:        <li>Added <a href="https://man.openbsd.org/dwgpio.4">dwgpio(4)</a>, a
                    135:                driver for the Synopsys DesignWare GPIO controller.
                    136:        <li>Added <a
                    137:                href="https://man.openbsd.org/amlpinctrl.4">amlpinctrl(4)</a> support
                    138:                for the "Always On" GPIOs.
                    139:        <li>Made large read and write transactions work in <a
                    140:                href="https://man.openbsd.org/amliic.4">amliic(4)</a>.
1.41      kettenis  141:        <li>Added support for the PCIe controller found on Amlogic
                    142:                G12A/G12B/SM1 SoCs to <a
                    143:                href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
                    144:        <li>Implemented legacy interrupt support to <a
1.15      benno     145:                href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a>.
                    146:        <li>Added <a href="https://man.openbsd.org/cryptox.4">cryptox(4)</a>,
                    147:                a driver for armv8 cryptographic extensions.
                    148:        <li>Added support for PCIe on the NanoPi R4S to <a
                    149:                href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a>.
1.34      patrick   150:        <li>Added <a href="https://man.openbsd.org/smmu.4">smmu(4)</a>, a
                    151:                driver for the ARM System MMU.
                    152:        <li>Introduced an IOVA early-allocation scheme in <a
                    153:                href="https://man.openbsd.org/smmu.4">smmu(4)</a>, mitigating the
                    154:                performance penalty of typical IOVA allocation designs.
                    155:        <li>Introduced Guard Pages in <a
                    156:                href="https://man.openbsd.org/smmu.4">smmu(4)</a>, to spot misuse
                    157:                and misconfiguration of I/O devices more easily.
1.41      kettenis  158:        <li>Added support for RK809 to <a
1.15      benno     159:                href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>, as seen on the
                    160:                Rock Pi N10 with the rk3399pro.
                    161:        <li>Added support for <a
                    162:                href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> on the Raspberry Pi
                    163:                in ACPI mode.
                    164:        <li>Enabled <a href="https://man.openbsd.org/ixl.4">ixl(4)</a> on arm64.
                    165:        <li>Updated device-tree bindings for <a
                    166:                href="https://man.openbsd.org/cwfg.4">cwfg(4)</a> battery capacity
                    167:                driver to correct attaching and account for monitoring interval
                    168:                change, making cwfg(4) export values under hw.sensors as expected when
                    169:                using a Pinebook Pro.
                    170:        <li>Added ARMv8-5 instruction set related CPU features to arm64.
                    171:     </ul>
                    172:   </ul>
1.3       benno     173:
1.15      benno     174: <li>Various kernel improvements:
1.1       deraadt   175:   <ul>
1.15      benno     176:        <li>Added the RAID1C (encrypted raid1) <a
                    177:                href="https://man.openbsd.org/softraid.4">softraid(4)</a> discipline,
                    178:                encrypting data like the CRYPTO discipline and accepting multiple
                    179:                chunks during creation and assembly like the RAID1 discipline.
                    180:        <li>Corrected raidlevel verification specified by the -c option in <a
                    181:                href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
                    182:
                    183:        <li>Introduced kern.video.record for <a
                    184:                href="https://man.openbsd.org/video.4">video(4)</a> devices, a privacy feature analogous
                    185:                to the kern.audio.record <a
                    186:                href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> parameter for <a
                    187:                href="https://man.openbsd.org/audio.4">audio(4)</a> devices. By
                    188:                default, kern.video.record will be set to zero and blank all data
                    189:                delivered by drivers attaching to <a
                    190:                href="https://man.openbsd.org/video.4">video(4)</a>.
                    191:        <li>Allowed a process to open a <a
                    192:                href="https://man.openbsd.org/video.4">video(4)</a> device multiple
                    193:                times. Fixes webcam usage with Firefox and BigBlueButton.
                    194:        <li>Enabled multiple opens of a <a
                    195:                href="https://man.openbsd.org/video.4">video(4)</a> device as
                    196:                described in the V4L2 specification.
1.9       benno     197:
1.15      benno     198:        <li>Added basic support for kclock timeouts to <a
                    199:                href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
                    200:        <li>Changed the <a href="https://man.openbsd.org/pool.9">pool(9)</a>
                    201:                timeouts to use the system uptime instead of ticks.
1.9       benno     202:        <li>Ensured <a href="https://man.openbsd.org/sleep.3">sleep(3)</a>
                    203:                calls <a href="https://man.openbsd.org/nanosleep.2">nanosleep(2)</a>
                    204:                if seconds is zero, now delegating all decisions about whether or not
                    205:                to yield the CPU.
1.5       benno     206:        <li>Added a top-level 'reboot' command to <a
                    207:                href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
                    208:        <li>Added <a href="https://man.openbsd.org/witness.4">witness(4)</a>
                    209:                check for uninitialized (or zeroed) lock usage.
                    210:        <li>Added fd close notification for kqueue-based <a
                    211:                href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
                    212:                href="https://man.openbsd.org/select.2">select(2)</a>.
                    213:        <li>Added a global "nowake" channel for threads avoiding <a
                    214:                href="https://man.openbsd.org/wakeup.9">wakeup(9)</a> to <a
                    215:                href="https://man.openbsd.org/tsleep.9">tsleep(9)</a>.
1.15      benno     216:
1.5       benno     217:        <li>Added trace points for <a
                    218:                href="https://man.openbsd.org/malloc.9">malloc(9)</a> and <a
                    219:                href="https://man.openbsd.org/free.9">free(9)</a>, making them
1.73      namn      220:                traceable via <a href="https://man.openbsd.org/dt.4">dt(4)</a> and <a
1.5       benno     221:                href="https://man.openbsd.org/btrace.8">btrace(8)</a>.
1.15      benno     222:                <li>Added <a href="https://man.openbsd.org/btrace.8">btrace(8)</a> -n
                    223:                (no action) mode, which parses the program and then exits.
1.9       benno     224:        <li>Fixed a boot-time crash on sparc64 due to mutex use during the
                    225:                message buffer initialization.
1.15      benno     226:        <li>Prevented a panic in some ACPI firmware that provided invalid
1.9       benno     227:                memory regions in their reserved memory region reporting table.
                    228:
1.10      benno     229:
                    230:        <li>Added a barrier between reading the cqe flags and the command ID
1.73      namn      231:                to prevent completion of the wrong SCSI I/O for <a
1.10      benno     232:                href="https://man.openbsd.org/nvme.4">nvme(4)</a> drives.
1.52      krw       233:        <li>Prevented attachment of <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
                    234:                devices of zero size.
1.9       benno     235:        <li>Introduced new function <a
                    236:                href="https://man.openbsd.org/if_unit.9">if_unit(9)</a>, returning a
                    237:                pointer to the interface descriptor corresponding to the unique name.
1.10      benno     238:        <li>Clear interrupts on luna88k processors more efficiently at boot
                    239:                time.
                    240:        <li>Added <a
                    241:                href="https://man.openbsd.org/acpiiort.4">acpiiort(4)</a>, a driver
                    242:                for the ACPI I/O Remapping Table.
1.15      benno     243:        <li>Updated clock interrupt count atomically on mips64.
                    244:        <li>Prevented an amd64 kernel crash with protection fault due to an
                    245:                invalid offset when reading /dev/kmem.
                    246:        <li>Permitted access to kern.somaxconn sysctl information when the
                    247:                unix <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> is used,
                    248:                allowing Go programs to use "unix" without also including "inet".
                    249:        <li>Excluded the first page and added a guard page between I/O
                    250:                virtual address space allocations on arm64.
1.52      krw       251:
                    252:        <li>Prevented attachment of SCSI devices that fail to provide
                    253:                adequate INQUIRY data.
1.20      benno     254:   </ul>
1.22      benno     255:
1.20      benno     256: <li>SMP Improvements
                    257:   <ul>
1.23      benno     258:        <li>Introduced "if_cloners_lock" rwlock and used it to serialize
                    259:                if_clone_{create,destroy}(), avoiding multiple race conditions.
1.20      benno     260:        <li>Introduced a system-wide mutex that serializes msgbuf operations.
1.23      benno     261:        <li>Made <a
                    262:                href="https://man.openbsd.org/uvm_pagealloc.9">uvm_pagealloc(9)</a> of
                    263:                the physical memory allocator mp-safe.
1.20      benno     264:        <li>Unlocked <a href="https://man.openbsd.org/getppid.2">getppid(2)</a>.
                    265:        <li>Introduced locking for amaps and anons, improving build performance.
1.23      benno     266:        <li>Moved UNIX domain sockets out of the kernel lock, using the new
                    267:                "unp_lock" <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> as
                    268:                solock()'s backend to protect the whole layer.
1.20      benno     269:        <li>Unlocked <a href="https://man.openbsd.org/sendsyslog.2">sendsyslog(2)</a>.
                    270:        <li>Used per-CPU counter for fault and stats counters reached in uvm_fault().
                    271:   </ul>
1.22      benno     272:
1.20      benno     273: <li>Direct Rendering Manager
                    274:   <ul>
1.23      benno     275:        <li>Fixed <a
1.55      jsg       276:                href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>
                    277:                backlight commands when using
                    278:                <a href="https://man.openbsd.org/drm.4">drm(4)</a> drivers on
                    279:                macppc.
                    280:        <li>Fixed a <a
                    281:                href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a>
                    282:                panic on macppc with Powerbook5,6 and RV350.
1.23      benno     283:        <li>Fixed DRI3 support on <a
                    284:                href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> and <a
                    285:                href="https://man.openbsd.org/ati.4">ati(4)</a>.
1.55      jsg       286:        <li>/dev/dri/ device nodes are created to be more compatible with Linux.
1.20      benno     287:   </ul>
1.22      benno     288:
1.20      benno     289: <li>VMM/VMD improvements
                    290:   <ul>
1.10      benno     291:        <li>Prevented memory corruption or improper page access in <a
                    292:                href="https://man.openbsd.org/vmm.4">vmm(4)</a> due to improper TLB
                    293:                flushing for now by wiring the pages used by virtual machines.
1.15      benno     294:        <li>Removed the ability of <a
                    295:                href="https://man.openbsd.org/vmd.8">vmd(8)</a> to boot from kernels
                    296:                in raw/qcow2 images.
                    297:        <li>Made <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>
1.27      dv        298:                properly indicate VMs are stopping instead of "running" with "vmctl
1.15      benno     299:                status".
1.56      jsg       300:        <li>Simplify argument parsing of
                    301:                <code><a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> stop</code>
                    302:                thereby avoiding a
                    303:                <a href="https://man.openbsd.org/printf.3">printf(3)</a> "%s" NULL,
                    304:                a use of uninitialized and a dead else branch.
1.15      benno     305:        <li>Cleaned up events on <a
                    306:                href="https://man.openbsd.org/vmd.8">vmd(8)</a> pause or resume and
                    307:                fixed an issue leading to broken serial console by cleanly tearing
                    308:                down and restoring emulated device state on vm send/receive.
                    309:        <li>Propagated host-side <a
                    310:                href="https://man.openbsd.org/tap.4">tap(4)</a> lladdr to guest vm
                    311:                process to allow unicast dhcp and bootp renewals with <a
                    312:                href="https://man.openbsd.org/vmd.8">vmd(8)</a>'s built-in dhcp
                    313:                server.
1.27      dv        314:        <li>Added <a href="https://man.openbsd.org/veb.4">veb(4)</a> to the
                    315:                list of supported bridges for <a
                    316:                href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
                    317:        <li>Improved MSR exit handling in <a
                    318:                href="https://man.openbsd.org/vmm.4">vmm(4)</a> on SVM and VMX
                    319:                hosts preventing invalid reads and fixing support for 9front.
                    320:        <li>Added ability to boot compressed ramdisks to <a
                    321:                href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
1.1       deraadt   322:   </ul>
                    323:
                    324: <li>Various new userland features:
                    325:   <ul>
1.3       benno     326:        <li>Added <a
                    327:                href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a> "nolog"
                    328:                option to avoid <a
                    329:                href="https://man.openbsd.org/syslog.3">syslog(3)</a>.
                    330:        <li>Allowed specific <a
                    331:                href="https://man.openbsd.org/sndio.7">sndio(7)</a> devices to be used
                    332:                for play-only and rec-only modes.
1.9       benno     333:        <li>Use an 8th order FIR low-pass filter for resampling in <a
                    334:                href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> and for <a
                    335:                href="https://man.openbsd.org/aucat.1">aucat(1)</a>, removing most of
                    336:                the aliasing noise during resampling.
1.10      benno     337:        <li>Disabled <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
                    338:                autovolume by default and set the default volume to 127. Setting "-w
                    339:                on" will replicate the previous behavior of automatically decreasing
                    340:                playback volume when new programs start playing.
                    341:        <li>Allowed mixing of alternative devices (-F) with different
                    342:                capabilities in <a
                    343:                href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> by treating any
                    344:                device as full-duplex.
1.15      benno     345:        <li>Fixed visibility of <a
                    346:                href="https://man.openbsd.org/sndioctl.1">sndioctl(1)</a> output when
                    347:                used through a pipe.
                    348:
1.10      benno     349:        <li>Enabled build and install of <a href="https://man.openbsd.org/lldb.1">lldb(1)</a>.
                    350:        <li>Added <a href="https://man.openbsd.org/logger.1">logger(1)</a>
                    351:                support to <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>, <a
                    352:                href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a> and <a
                    353:                href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> for daemons logging
                    354:                to stdout/stderr.
                    355:
1.15      benno     356:        <li>Added a configurable button mapping for tap gestures on touchpads
                    357:                to <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>.
                    358:        <li>Made <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>
                    359:                touchpad tap detection less restrictive for multi-finger taps and
                    360:                improved tap detection.
                    361:        <li>Enable <a
                    362:                href="https://man.openbsd.org/man4/arm64/apm.4">apm(4)</a> on arm64 to
                    363:                display meaningful information about battery use and capacity.
1.1       deraadt   364:   </ul>
                    365:
                    366: <li>Various bugfixes and tweaks in userland:
                    367:   <ul>
1.3       benno     368:        <li>Fixed a pledge violation in <a
                    369:                href="https://man.openbsd.org/csh.1">csh(1)</a> where redirecting
                    370:                input from a file containing ^T would cause csh(1) to perform a tty
                    371:                ioctl operation against a non-tty.
1.14      tb        372:        <li>Made <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a> work
                    373:                again when fewer than 3 patches are available.
1.3       benno     374:        <li>Stopped exempting file systems from <a
                    375:                href="https://man.openbsd.org/security.8">security(8)</a> on the basis
                    376:                of nodev and nosuid options, which may not be used for file systems
                    377:                mounted beneath.
                    378:        <li>Modified <a href="https://man.openbsd.org/daily.8">daily(8)</a>
                    379:                to stop reporting disk status and networking statistics.
                    380:        <li>Made <a
                    381:                href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> specify
                    382:                a version when it uses <a
                    383:                href="https://man.openbsd.org/fw_update.1">fw_update(1)</a> to avoid
                    384:                the situation where upgrading a pre-6.8 snapshot to 6.8 release with
                    385:                "-r" would install firmware packages from snapshots.
                    386:        <li>Increased speed of the dependency check pass for <a
                    387:                href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
                    388:
                    389:        <li>Prevented process exit in multithreaded programs from reporting
                    390:                the wrong error code.
                    391:
1.52      krw       392:        <li>Allowed booting of amd64/i386 from GPT formatted disks larger than 4TB.
1.5       benno     393:
                    394:        <li>When using the <a href="https://man.openbsd.org/cat.1">cat(1)</a>
                    395:                -n flag, correctly enumerate files with more than INT_MAX lines.
                    396:        <li>Fixed a memory leak in ld.so's malloc.
1.15      benno     397:
1.9       benno     398:        <li>Added a "xenodm" login class for <a
                    399:                href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> and increased
                    400:                openfiles to 512 to avoid running out of file descriptors with a busy
                    401:                desktop.
1.15      benno     402:        <li>Stopped <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
                    403:                from adding authorizations for TCP connections by default and added
                    404:                "listenTCP" to explicitly add authorizations for existing IP addresses
                    405:                on startup.
1.73      namn      406:        <li>Skip adding the IPv6 link local addresses for TCP listener
                    407:                authorizations in <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>,
                    408:                matching what is done by
                    409:                <a href="https://man.openbsd.org/startx.1">startx(1)</a>.
1.15      benno     410:
1.9       benno     411:        <li>Fixed -s option for <a href="https://man.openbsd.org/cmp.1">cmp(1)</a>.
                    412:        <li>Improve pledge in <a
                    413:                href="https://man.openbsd.org/doas.1">doas(1)</a>, specifically added
                    414:                pledge to the "-C" code path.
1.73      namn      415:        <li>Improved performance of <a
1.6       otto      416:                href="https://man.openbsd.org/malloc.3">malloc(3)</a>'s cache.
1.10      benno     417:        <li>Made editing GPT in <a
                    418:                href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> safer by
                    419:                defaulting offset to the beginning of the largest free space and
                    420:                preventing the creation of overlapping partitions.
                    421:        <li>Fixed a crash that could occur in <a
1.58      jsg       422:                href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> when a USB
1.10      benno     423:                device is unplugged.
                    424:        <li>Append .html suffixes to temporary files in <a
                    425:                href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> to allow
                    426:                recognition by browsers.
                    427:        <li>Allow specification of a path to the <a
                    428:                href="https://man.openbsd.org/mg.1">mg(1)</a> startup file on the
                    429:                command line.
1.15      benno     430:        <li>Added a "batch" mode to <a
                    431:                href="https://man.openbsd.org/mg.1">mg(1)</a> via the "-b" command
1.73      namn      432:                line option, which will initialize a pty, run the specified file of mg
1.15      benno     433:                commands and then exit.
                    434:        <li>Inverted the <a href="https://man.openbsd.org/mg.1">mg(1)</a> "R"
                    435:                indicator to mean that a "*" next to a file's name indicates that it
                    436:                is read-only. Made the active buffer indicator more visible by
                    437:                changing it to ">".
                    438:
                    439:        <li>Fixed <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>
                    440:                redrawing of a multiline PS1 prompt in vi mode and added support for
                    441:                ^R (redraw) in insert mode.
                    442:        <li>Used <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to
                    443:                restrict filesystem access in <a
                    444:                href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
                    445:        <li>Removed the 30s minimum delay for <a
                    446:                href="https://man.openbsd.org/xlock.1">xlock(1)</a> timeouts.
                    447:        <li>Stopped deleting the control socket on exit in <a
1.59      jsg       448:                href="https://man.openbsd.org/apmd.8">apmd(8)</a>, as deleting
                    449:                the socket after calling <a
                    450:                href="https://man.openbsd.org/unveil.2">unveil(2)</a> would cause an
                    451:                unveil violation.
1.1       deraadt   452:   </ul>
                    453:
                    454: <li>Improved hardware support and driver bugfixes, including:
                    455:   <ul>
1.15      benno     456:        <li>Corrected accounting of zero length Transfer Descriptors in <a
                    457:                href="https://man.openbsd.org/xhci.4">xhci(4)</a>, preventing running
                    458:                out of free Transfer Ring Blocks.
1.3       benno     459:        <li>Moved mfokclock(4) from loongson to make it available for other
                    460:                platforms and renamed it to <a
                    461:                href="https://man.openbsd.org/mfokrtc.4">mfokrtc(4)</a>.
                    462:        <li>Fixed brightness setting on MacBooks.
                    463:        <li>Added AMD Vi and Intel VTD IOMMU support. This creates separate
                    464:                domains for each PCI device and can provide protection against invalid
                    465:                memory access.
                    466:        <li>Enabled brightness keys on powerbooks where the keyboard attaches
                    467:                as <a href="https://man.openbsd.org/ukbd.4">ukbd(4)</a>.
                    468:        <li>Set initial default display brightness on macppc via
                    469:                of_setbrightness() to ensure <a
                    470:                href="https://man.openbsd.org/wscons.4">wscons(4)</a> and ofw are in
                    471:                sync.
                    472:        <li>Added support for the PL2303HXN series chips to <a
                    473:                href="https://man.openbsd.org/uplcom.4">uplcom(4)</a>.
                    474:        <li>Added support for the PCA9547 I2C mux to <a
                    475:                href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>.
                    476:        <li>Extended <a href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>
                    477:                with ACPI support.
                    478:        <li>Added <a href="https://man.openbsd.org/acpige.4">acpige(4)</a>, a
1.41      kettenis  479:                driver for ACPI generic event devices, used on various
1.54      jsg       480:                systems to implement power button handling.
1.3       benno     481:        <li>Added <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>,
                    482:                a driver for the GPIO controllers found on modern Intel PCHs.
                    483:        <li>Added ACPI support to <a
                    484:                href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
                    485:        <li>Fixed panics on the HoneyComb LX2K with <a
                    486:                href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a>.
                    487:        <li>Fixed very old <a
                    488:                href="https://man.openbsd.org/umass.4">umass(4)</a> devices where the
                    489:                INQUIRY command succeeds but with a residue equal to the requested
                    490:                bytes.
1.5       benno     491:        <li>Added Gemini Lake I2C id to <a
                    492:                href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>, making the
                    493:                touchpad work on the Teclast F7 Plus laptop.
1.10      benno     494:        <li>Introduced <a href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>, a
                    495:                restricted subset of <a
                    496:                href="https://man.openbsd.org/uhid.4">uhid(4)</a> for game controllers
                    497:                which uses /dev/ujoy/* device nodes.
                    498:        <li>Set up <a href="https://man.openbsd.org/ims.4">ims(4)</a> devices
                    499:                in X11 to behave like touchpads.
                    500:        <li>Stopped relying on USB devices to correctly present their
                    501:                indices, instead searching for the correct interfaces. This fixes E+
                    502:                Corp. DAC Audio devices.
                    503:        <li>Introduced <a
                    504:                href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>, a driver for
                    505:                Logitech HID++ devices.
1.15      benno     506:        <li>Separated reading of general and touchpad-specific <a
                    507:                href="https://man.openbsd.org/wsmouse.4">wsmouse(4)</a> settings and
                    508:                corrected identification of device type when reading touchpad
                    509:                parameters fails.
                    510:
                    511:        <li>Added support for 30-bit color modes to <a
1.41      kettenis  512:                href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
                    513:                and <a href="https://man.openbsd.org/wsfb.4">wsfb(4)</a>.
1.10      benno     514:
1.15      benno     515:        <li>Made loongson kernels recognize Lynloong LM9002/9003 and LM9013 models.
                    516:        <li>Use native display resolution 1368x768 for Lynloong all-in-one computers.
1.1       deraadt   517:   </ul>
                    518:
                    519: <li>New or improved network hardware support:
                    520:   <ul>
1.3       benno     521:        <li>Fixed link state change behavior in 82598 <a
                    522:                href="https://man.openbsd.org/ix.4">ix(4)</a> chips.
                    523:        <li>Fixed issues with network stopping after the first down/up cycle
                    524:                in <a href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> Marvell Armada
                    525:                Ethernet device.
                    526:        <li>Added SFP+ support to ofw, including support for direct attach cables.
                    527:        <li>Added 10G media support to <a
                    528:                href="https://man.openbsd.org/mvpp.4">mvpp(4)</a>.
                    529:        <li>Added support for 1000base-x and 2500base-x connections to <a
                    530:                href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>.
                    531:        <li>Added <a href="https://man.openbsd.org/mvsw.4">mvsw(4)</a>, a
                    532:                driver for Marvell "SOHO" switches.
1.5       benno     533:        <li>Enabled auto-negotiation on the SerDes links, allowing
                    534:                in-band-status to work between <a
                    535:                href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> and <a
                    536:                href="https://man.openbsd.org/mvsw.4">mvsw(4)</a> on the ClearFog GT
                    537:                8K.
                    538:        <li>Added support for the i.MX8MP PCIe clocks, USB clocks and second
                    539:                ethernet.
                    540:        <li>Added Wake on LAN support to <a
                    541:                href="https://man.openbsd.org/rge.4">rge(4)</a>.
                    542:        <li>Enabled IPv4 and TCP/UDP checksum offload on transmission in <a
                    543:                href="https://man.openbsd.org/ogx.4">ogx(4)</a>.
1.10      benno     544:        <li>Raised the maximum number of queues/interrupts from 1 to 16 on <a
                    545:                href="https://man.openbsd.org/mcx.4">mcx(4)</a> devices.
                    546:        <li>Added support for the Netgear ProSecure UTM25 to octeon.
1.15      benno     547:        <li>Added vid/pid table to <a
                    548:                href="https://man.openbsd.org/umb.4">umb(4)</a> allowing matching to
                    549:                alternate configurations.
1.1       deraadt   550:   </ul>
                    551:
                    552: <li>Added or improved wireless network drivers:
                    553:   <ul>
1.36      stsp      554:        <li>Fixed the <a href="https://man.openbsd.org/athn.4">athn(4)</a> and
                    555:                <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
                    556:                in client mode against access points which use WPA1/TKIP as
                    557:                the group cipher.
1.3       benno     558:        <li>Added multicast support to <a
                    559:                href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> to allow IPv6.
                    560:        <li>Fixed <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a>
                    561:                repeated DEAUTH and loss/restoration of link.
1.5       benno     562:        <li>Introduced a delay to work around an issue in <a
                    563:                href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> on the BCM43602 that
                    564:                was triggering "unexpected pairwise key update" errors.
1.9       benno     565:        <li>Enabled <a href="https://man.openbsd.org/athn.4">athn(4)</a> for arm64.
1.36      stsp      566:        <li>Implemented a new 802.11n Tx rate adaptation algorithm ("RA") for
1.42      stsp      567:                <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
                    568:                <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, and
                    569:                <a href="https://man.openbsd.org/athn.4">athn(4)</a>.
1.36      stsp      570:        <li>Fixed association problems with the <a
1.42      stsp      571:                href="https://man.openbsd.org/ipw.4">ipw(4)</a> and <a
                    572:                href="https://man.openbsd.org/iwi.4">iwi(4)</a> drivers.
1.15      benno     573:        <li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> attach to
1.48      stsp      574:                AX201 devices with PCI IDs 0x34f0 and 0x06f0. Needs <a
1.15      benno     575:                href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
                    576:        <li>Fixed a problem where <a
                    577:                href="https://man.openbsd.org/iwn.4">iwn(4)</a> firmware would
                    578:                generate bogus block ack requests and stall traffic.
1.42      stsp      579:        <li>Fixed automatic channel selection in the <a
                    580:                href="https://man.openbsd.org/athn.4">athn(4)</a> driver
                    581:                when running in hostap or monitor mode.
1.1       deraadt   582:   </ul>
                    583:
                    584: <li>IEEE 802.11 wireless stack improvements and bugfixes:
                    585:   <ul>
1.36      stsp      586:        <li>Fixed length calculations in <a
1.5       benno     587:                href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
                    588:                href="https://man.openbsd.org/iwx.4">iwx(4)</a> when there are
                    589:                multiple MPDUs in one packet.
1.36      stsp      590:        <li>Fixed 802.11n interoperability with access points that offer
                    591:                management frame protection.
                    592:        <li>Flush the A-MPDU reorder buffer after gap timeout to prevent
                    593:                frames from remaining in the buffer until the next frame
                    594:                is received.
                    595:        <li>Avoid spurious "input packet decapsulations failed" errors in
1.5       benno     596:                <a href="https://man.openbsd.org/netstat.1">netstat(1)</a> -W with
                    597:                A-MSDU enabled.
1.42      stsp      598:        <li>Fixed automatic selection of the 11a/b/g/n/ac operating mode when
1.53      stsp      599:                the interface is running as an access point.
1.52      krw       600:        <li>Ensured crypto keys are installed before the link is brought up.
1.1       deraadt   601:   </ul>
                    602:
                    603: <li>Generic network stack improvements and bugfixes:
                    604:   <ul>
1.10      benno     605:        <li>Removed the maxburst feature from tcp_output().
1.51      bluhm     606:                Sending out TCP segments was limited to 4 packets per burst.
1.54      jsg       607:                This did not scale well on high bandwidth, high latency links.
1.51      bluhm     608:                Especially when the receiving side delays ACK packets
                    609:                aggressively, the maxburst limitation could seriously reduce
                    610:                TCP throughput per connection.
1.10      benno     611:        <li>Added a MONITOR feature to interfaces. Packets received on these
                    612:                interfaces do not enter the network stack for further processing. This
                    613:                can be used to watch traffic, for example with <a
                    614:                href="https://man.openbsd.org/bpf.4">bpf(4)</a> without risk of the packets
                    615:                interfering with the system.
                    616:
                    617:        <li>Added etherbridge, the internals of a reusable learning bridge
                    618:                interface providing common code reusable for other drivers needing a
                    619:                mac learning bridge.
                    620:        <li>Introduced <a href="https://man.openbsd.org/veb.4">veb(4)</a>, a
                    621:                Virtual Ethernet Bridge driver.
1.3       benno     622:
1.15      benno     623:        <li>Added the ability to force the selection of source IP address for
                    624:                programs that do not specify a source IP, overriding the default
                    625:                source IP selection algorithm. This is configurable via <a
                    626:                href="https://man.openbsd.org/route.8">route(8)</a>
1.31      tb        627:                <code>sourceaddr</code> command.
1.15      benno     628:
1.37      job       629:        <li>Bring interfaces up when autoconfiguration for inet or inet6 is
1.15      benno     630:                enabled (AUTOCONF4 or AUTOCONF6 flags).
                    631:        <li>Adjust terminology in <a
                    632:                href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to refer to
                    633:                "temporary address extensions" rather than the former "privacy
                    634:                extensions," including the addition of an AUTOCONF6TEMP flag (to
1.73      namn      635:                replace the negative flag "INET6_NOPRIVACY"). The autoconfprivacy
                    636:                option in <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
1.15      benno     637:                has been deprecated.
                    638:        <li>Made it possible to disable the "autoconf" flag but keep
                    639:                "temporary" enabled in <a
                    640:                href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
                    641:        <li>For IPv6 addresses, added tracking of address proposal creation
                    642:                times to be able to establish total lifetime. This information is used
                    643:                to renew pltime/vltime of privacy addresses per RFC 4941.
1.3       benno     644:
1.15      benno     645:        <li>Prevented kernel reuse of mbuf memory when generating the ICMP6
                    646:                response to an IPv6 packet.
1.73      namn      647:        <li>Use the Toeplitz hash algorithm to set a flowid for TCP packets,
1.15      benno     648:                which in turn is used to choose the tx ring on network cards with
                    649:                multiple rings.
                    650:        <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> on macppc
                    651:                by keeping track of allowed ips pointer correctly.
                    652:        <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> ioctl to
                    653:                handle multiple wgpeers.
                    654:        <li>Fixed a race between tx/rx handshakes in <a
                    655:                href="https://man.openbsd.org/wg.4">wg(4)</a>.
                    656:        <li>Prevented a potential hang when trying to remove a <a
                    657:                href="https://man.openbsd.org/tun.4">tun(4)</a> interface.
                    658:        <li>Used the correct rdomain when adding and deleting routes with <a
                    659:                href="https://man.openbsd.org/mpip.4">mpip(4)</a> and <a
                    660:                href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
                    661:        <li>Made <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
                    662:                "-mplslabel" work with <a
                    663:                href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
1.1       deraadt   664:   </ul>
                    665:
1.15      benno     666: <li>Installer and upgrade improvements:
1.1       deraadt   667:   <ul>
1.5       benno     668:        <li>Prevented a race in <a
                    669:                href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> privsep
                    670:                which could cause autoinstall to fail by calling <a
                    671:                href="https://man.openbsd.org/ftp.1">ftp(1)</a> without a local
                    672:                address.
                    673:        <li>Fixed hangs on amd64 bsd.rd due to misreported core clock
                    674:                frequency on newer Intel Comet Lake models.
1.15      benno     675:        <li>Began distributing the gzip'd version of bsd.rd on all platforms
                    676:                with boot methods supporting it.
                    677:        <li>Fixed a problem which prevented use of <a
                    678:                href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> when an
                    679:                interface failed to come up and <a
                    680:                href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> didn't
                    681:                notice link-timeout expiration.
                    682:        <li>Prevented <a
                    683:                href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> from
                    684:                adjusting the swap 'b' partition size if physmem is zero to keep the
                    685:                auto-allocate code from putting a filesystem on that partition.
                    686:        <li>Emulate "[inet] autoconf" <a
                    687:                href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> lines
                    688:                with "dhcp" so users testing <a
                    689:                href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> will
                    690:                still be able to upgrade manually while the installer uses only <a
                    691:                href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
1.52      krw       692:        <li>Restored <a
                    693:                href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a>
                    694:                to the group of network configuration files used during upgrades.
1.5       benno     695:
1.1       deraadt   696:  </ul>
                    697:
                    698: <li>Security improvements:
                    699:   <ul>
1.25      benno     700:        <li>Added notices to syslog whenever the "%n" format string component
                    701:                of <a href="https://man.openbsd.org/printf.3">printf(3)</a> is used.
                    702:        <li>Removed workaround permitting Go executables to do syscalls
                    703:                directly, forcing them to use shared libc like all other dynamic
                    704:                binaries.
1.1       deraadt   705:   </ul>
                    706:
                    707: <li>Routing daemons and other userland network improvements:
                    708:   <ul>
1.15      benno     709:     <li>The <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> daemon saw the following changes:
                    710:     <ul>
1.66      claudio   711:        <li>Introduced <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
                    712:                <code>rde evaluate all</code> to reduce path hiding in IXP
                    713:                route-server environments.
                    714:        <li>Added RTR support to <a href="https://man.openbsd.org/bgpd.8">OpenBGPD</a>.
                    715:        <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
                    716:                "show rtr" to display basic information about RTR sessions.
                    717:        <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
                    718:                "show sets" to display information about the roa-set, as-sets and
                    719:                prefix-sets loaded into <a
                    720:                href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
                    721:        <li>Properly implemented "rde med compare strict" in <a
                    722:                href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and ensured that the
                    723:                order of prefixes is always correct.
1.5       benno     724:        <li>Introduced a send hold timer in <a
                    725:                href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> to detect stalls on
                    726:                the sending side of a TCP connection, acting as a last resort to
                    727:                detect faulty peers.
1.10      benno     728:        <li>Introduced the <a
                    729:                href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> per
                    730:                neighbor and global config option "reject as-set yes/no" to allow
                    731:                rejection of received UPDATES with AS_SET segments. These rejected
                    732:                prefixes can be viewed with <a
                    733:                href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> "show rib in
                    734:                error".
1.66      claudio   735:        <li>No longer allow configuration of the same neighbor multiple
                    736:                times in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
1.73      namn      737:        <li><a href="https://man.openbsd.org/pf.4">pf(4)</a> tables now track
1.66      claudio   738:                prefixes correctly even when received by multiple sessions.
                    739:        <li>Fixed a memory leak when parsing <a
                    740:                href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> roa-set lists.
1.15      benno     741:     </ul>
1.10      benno     742:
1.15      benno     743:     <li>The <a
                    744:        href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and <a
1.73      namn      745:        href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> routing
                    746:        daemons were refactored to keep the code similar to
                    747:        changes in other routing daemons and to improve maintainability.<br>
1.67      claudio   748:        Additionally, support for point-to-point interfaces in <a
1.73      namn      749:        href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> was fixed and <a
1.67      claudio   750:        href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> now works with
                    751:        point-to-point interfaces which use a common IP address.
1.10      benno     752:
1.57      jsg       753:     <li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility:
1.15      benno     754:     <ul>
                    755:        <li>Relaxed checks in <a
                    756:                href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> and <a
                    757:                href="https://man.openbsd.org/pf.4">pf(4)</a> to accept any valid
                    758:                routing domain, even if it does not yet exist.
                    759:        <li>Made <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
                    760:                detect and reject bogus ranges before loading the ruleset to prevent a
                    761:                panic.
                    762:        <li>Changed route-to in <a
                    763:                href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> to send
                    764:                packets to IPs instead of interfaces.
                    765:        <li>Changed pf_route so <a
                    766:                href="https://man.openbsd.org/pf.4">pf(4)</a> only runs when packets
                    767:                enter and leave the stack. Running the same packet through pf multiple
                    768:                times creates confusion for the state table. By default, pf states are
                    769:                floating, meaning that packets are matched to states regardless of
                    770:                which interface they're going over. This diff avoids multiple pf(4)
                    771:                traversals of one packet causing confusion in the state table.
                    772:        <li>Prevented the kernel from being stuck in an endless recursion
                    773:                during TCP path MTU discovery when <a
                    774:                href="https://man.openbsd.org/pf.4">pf(4)</a> changes the routing
                    775:                table when sending packets.
                    776:        <li>When cutting off the head of an overlapping fragment during <a
                    777:                href="https://man.openbsd.org/pf.4">pf(4)</a> reassembly, reinserted
                    778:                the fragment into the lookup table with the correct index.
1.52      krw       779:
                    780:        <li>Improved
                    781:                <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> logging to report the reasons
                    782:                a transfer failed.
                    783:
1.15      benno     784:     </ul>
1.5       benno     785:
1.15      benno     786:     <li>IPSEC support in the kernel and the <a href="https://man.openbsd.org/iked.8">iked(8)</a> userland daemon:
                    787:     <ul>
1.3       benno     788:        <li>Added support to request IP addresses as IKEv2 initiator to <a
                    789:                href="https://man.openbsd.org/iked.8">iked(8)</a>. If 'request addr
                    790:                0.0.0.0' is configured, any address will be accepted.
                    791:        <li>Make <a href="https://man.openbsd.org/iked.8">iked(8)</a> accept
                    792:                ANY dynamic address with 'request addr 0.0.0.0'.
                    793:        <li>Added 'dynamic' keyword to <a
                    794:                href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> to allow
                    795:                configuration of flows to dynamically assigned addresses.
                    796:        <li>Added the 'any' keyword to <a
                    797:                href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> for
                    798:                requests to allow "request address any".
                    799:        <li>Enabled <a href="https://man.openbsd.org/iked.8">iked(8)</a>
                    800:                support for ASN1_DN ipsec identifiers.
                    801:        <li>Implemented <a href="https://man.openbsd.org/iked.8">iked(8)</a>
                    802:                "from dynamic," installing flows where "dynamic" is replaced by the
                    803:                received dynamic IP address.
                    804:        <li>Made sure not to replace 0.0.0.0 with a dynamic address in <a
                    805:                href="https://man.openbsd.org/iked.8">iked(8)</a> if it is a network
                    806:                address.
                    807:        <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -s
                    808:                socket option to specify a control socket.
                    809:        <li>Used a counter instead of random IV for AES-GCM in <a
                    810:                href="https://man.openbsd.org/iked.8">iked(8)</a>, eliminating the
                    811:                risk of random collisions.
                    812:        <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
                    813:                support for multiple address pools.
                    814:        <li>Added the <a href="https://man.openbsd.org/iked.8">iked(8)</a>
                    815:                "set stickyaddress" option, which attempts to assign the same "config
                    816:                address" when an IKESA is negotiated with the DSTID of an existing
                    817:                IKESA.
                    818:        <li>Ensured rekeying of every child SA in <a
                    819:                href="https://man.openbsd.org/iked.8">iked(8)</a>.
1.5       benno     820:        <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> support
                    821:                for RSASSA-PSS signature verification (RFC 7427).
                    822:        <li>Corrected the first packet of an <a
                    823:                href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> SA to have
                    824:                sequence number 1.
                    825:        <li>Accepted reject and blackhole routes for IPsec PMTU discovery.
                    826:        <li>Prevented leaking of ipsec_hosts in <a
                    827:                href="https://man.openbsd.org/iked.8">iked(8)</a> when building
                    828:                hosts_list.
                    829:        <li>Prevented initiation of new additional SAs for each policy upon
                    830:                every <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> config
                    831:                reload.
                    832:        <li>Fixed "any" and "dynamic" keywords for flows in <a
                    833:                href="https://man.openbsd.org/iked.8">iked(8)</a> and added proper
                    834:                IPv6 support.
1.9       benno     835:        <li>Created a path MTU host route for <a
                    836:                href="https://man.openbsd.org/ipsec.4">IPsec(4)</a> over IPv6.
1.10      benno     837:        <li>Added support for INVALID_KE_PAYLOAD in <a
                    838:                href="https://man.openbsd.org/iked.8">iked(8)</a> CREATE_CHILD_SA
                    839:                exchange.
                    840:        <li>Added support for RSA-PSS PKCS1 signatures to <a
                    841:                href="https://man.openbsd.org/iked.8">iked(8)</a>.
                    842:        <li>Fixed path MTU discovery for ESP tunnels in IPv6.
                    843:        <li>Upgraded to OpenSSL 1.1 compatible crypto API in <a
                    844:                href="https://man.openbsd.org/iked.8">iked(8)</a>.
                    845:        <li>Added an optional "group none" transform for child SAs in <a
                    846:                href="https://man.openbsd.org/iked.8">iked(8)</a> to ensure the
                    847:                ability to negotiate optional PFS.
                    848:        <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
                    849:                dynamic address configuration for roadwarrior clients, with a new
                    850:                "iface" config option which can be used to specify an interface for
                    851:                the virtual addresses received from the peer.
1.15      benno     852:        <li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
                    853:                interop problem with strongswan if make-before-break is enabled.
                    854:     </ul>
1.3       benno     855:
1.16      tb        856:     <li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:
1.15      benno     857:     <ul>
                    858:        <li>Prevented a crash due to
                    859:                <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> listening on port
                    860:                443 with missing TLS certificates.
                    861:        <li>Created a new "location (found|notfound)" option for
                    862:                <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a> to allow
                    863:                testing for resource path existence.
                    864:        <li>Fixed detection of duplicate locations in <a
                    865:                href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
                    866:        <li>Fixed leak of access and error log filenames on config reload in
                    867:                <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
                    868:        <li>Avoid leaking the log message in
                    869:                <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>'s
                    870:                server_sendlog.
                    871:        <li>Incorrect order of
                    872:                <a href="https://man.openbsd.org/close.2">close(2)</a> and
                    873:                <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
1.16      tb        874:                together with a bug in libssl led to leaking memory in
1.15      benno     875:                <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
                    876:                for each TLS connection.
                    877:        <li>Fixed the <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
                    878:                example configuration not to generate errors when running without TLS
                    879:                keys already in place.
1.30      tb        880:        <li>Optimized disk reads of
1.15      benno     881:                <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
                    882:                by using st_blocksize as high water mark instead of
                    883:                the socket buffer size.
1.30      tb        884:        <li>Do not compare TLS config params for non-TLS servers.
                    885:                This allows using <code>listen on * port 80</code> and
                    886:                <code>listen on * port 443</code> in the same server block in
                    887:                <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>.
1.15      benno     888:     </ul>
1.3       benno     889:
1.24      benno     890:     <li><a
                    891:        href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
                    892:        received the following new features and bugfixes:
1.15      benno     893:     <ul>
1.47      benno     894:        <li>Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support
                    895:                as a 'technology preview'. Enable it with the "-r" flag.
1.43      benno     896:        <li>Support the use of more than one URI in the TAL file,
1.15      benno     897:                sorting with a preference for https.
1.43      benno     898:        <li>Validation of ghostbuster records (RFC 6493).
                    899:        <li>Fixed checks of the manifest validity interval.
                    900:        <li>The rsync connection is now killed when the rsync server stalls.
                    901:        <li>Limited the URL embedded in .cer files to
1.15      benno     902:                alphanumeric characters and punctuation.
1.43      benno     903:        <li>Added a "-V" option to show version.
1.15      benno     904:        <li>Included the default cert.pem file path in tls_load_file error
1.43      benno     905:                messages.
1.15      benno     906:     </ul>
1.3       benno     907:
1.24      benno     908:     <li>The <a href="https://man.openbsd.org/dig.1">dig(1)</a> DNS
                    909:        utility received the following updates:
1.15      benno     910:     <ul>
1.5       benno     911:        <li>Implemented RFC 8914 Extended DNS Errors for <a
                    912:                href="https://man.openbsd.org/dig.1">dig(1)</a>.
                    913:        <li>Fixed <a href="https://man.openbsd.org/dig.1">dig(1)</a> EDNS
                    914:                Client Subnet option (+subnet=).
                    915:        <li>Fixed IPv6 link-local address handling for nameservers to talk to
1.73      namn      916:                and for address to bind to in <a
1.5       benno     917:                href="https://man.openbsd.org/dig.1">dig(1)</a>.
1.15      benno     918:        <li>Implemented ZONEMD (RFC 8976) in <a
                    919:                href="https://man.openbsd.org/dig.1">dig(1)</a> to convey a message
                    920:                digest of the content of a DNS zone.
                    921:     </ul>
1.5       benno     922:
1.15      benno     923:     <li>Changes to <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>:
                    924:     <ul>
1.5       benno     925:        <li>Fixed incorrect behavior when using <a
                    926:                href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> to
                    927:                change the lease renew/rebind/expiry timing.
                    928:        <li>Allowed the provision of <a
                    929:                href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> options on
                    930:                "dhcp" lines in <a
                    931:                href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
1.52      krw       932:        <li>Converted all timers from
                    933:                <a
                    934:                        href="https://man.openbsd.org/time.3">time(3)</a> values
                    935:                to <a
                    936:                        href="https://man.openbsd.org/clock_gettime.2">clock_gettime(2)</a>
                    937:                CLOCK_MONOTONIC values.
                    938:        <li>Removed -L command line option.
                    939:        <li>Improved debug output.
                    940:        <li>Improved re-acquisition of a previous address by immediately
                    941:                accepting any OFFER for the address, rather than waiting for
                    942:                'select-timeout' to expire.
1.54      jsg       943:        <li>Exit immediately if the -c option specifies a non-existent file.
1.52      krw       944:        <li>Exit immediately if the -i option contains invalid information.
                    945:        </ul>
1.5       benno     946:
1.15      benno     947:     <li>Two new daemons, <a
                    948:        href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a
                    949:        href="https://man.openbsd.org/resolvd.8">resolvd(8)</a> were added.
                    950:        These work alongside <a
                    951:        href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> and <a
                    952:        href="https://man.openbsd.org/unwind.8">unwind(8)</a> to provide a
1.28      fcambus   953:        coherent and simple automatic configuration of network interfaces and
1.15      benno     954:        DNS resolution.<br>
                    955:        The two daemons are not enabled by default for now, but can be tested
1.28      fcambus   956:        by enabling them with <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>.
1.15      benno     957:     <ul>
                    958:        <li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>
                    959:                implements the DHCP protocol to acquire IPv4 address leases from
                    960:                servers.
                    961:        <li><a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>
                    962:                manages the content of <a
                    963:                href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> based
1.49      deraadt   964:                on nameserver proposals from
                    965:                <a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>,
                    966:                <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, and
                    967:                drivers like <a href="https://man.openbsd.org/umb.4">umb(4)</a>.
1.15      benno     968:     </ul>
1.44      martijn   969:
                    970:     <li>Changes to snmp related tools:
                    971:     <ul>
                    972:        <li><a href="https://man.openbsd.org/agentx.3">libagentx(3)</a> moved its
                    973:                API prefix from subagentx_ to agentx_.
                    974:        <li><a href="https://man.openbsd.org/agentx.3">agentx_varbind_integer(3)</a>
                    975:                now accepts an int32_t as per SMI/RFC 2578.
                    976:        <li><a href="https://man.openbsd.org/agentx.3">agentx_varbind_unsigned32(3)</a>
                    977:                has been added as an alias for
                    978:                <a href="https://man.openbsd.org/agentx.3">agentx_varbind_gauge32(3)</a>.
                    979:        <li><a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a> no
                    980:                longer accepts the old <code>listen on address [tcp|udp]</code>
                    981:                syntax. Only the new <code>listen on [tcp|udp] address</code>
1.73      namn      982:                syntax is now supported.
1.44      martijn   983:        <li><a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> now fully
1.73      namn      984:                implements RFC3584 Trapv1 to Trapv2 conversion for the
                    985:                <code>trap handle</code>.
1.44      martijn   986:        <li>sysUpTime and snmpTrapOID now respect
1.73      namn      987:                <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>'s -N flag,
                    988:                similar to the other values sent by the <code>trap handle</code>.
1.44      martijn   989:        <li><a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a> now
                    990:                accepts the <code>read</code>, <code>write</code>, and
1.73      namn      991:                <code>notify</code> keywords. This allows for request type
1.44      martijn   992:                filtering per <code>listen on</code> statement and custom
1.73      namn      993:                <code>trap handle</code> ports.
1.44      martijn   994:        <li><a href="https://man.openbsd.org/snmp.1">snmp(1)</a> now has initial
                    995:                support for SMI enums. For now only TruthValue is implemented
                    996:                on ifPromiscuousMode and ifConnectorPresent.
                    997:        <li><a href="https://man.openbsd.org/snmp.1">snmp(1)</a> now interprets
                    998:                the "u" data type as unsigned integer.
                    999:     </ul>
                   1000:
1.15      benno    1001:     <li>Other userland network changes:
                   1002:     <ul>
                   1003:        <li>Fixed <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a> cert
                   1004:                and key path inference for absolute paths.
                   1005:        <li>Fixed incorrect cast in a
                   1006:                <a href="https://man.openbsd.org/vsnprintf.3">vsnprintf(3)</a>
                   1007:                error check
                   1008:                in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
                   1009:        <li>Applied <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>
                   1010:                to <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
1.5       benno    1011:
1.3       benno    1012:        <li>Changed <a href="https://man.openbsd.org/ping.8">ping(8)</a> to
1.73      namn     1013:                drain the raw socket of packets received before it is fully set up to
1.3       benno    1014:                avoid reporting ICMP responses intended for other instances of ping(8)
                   1015:                running in parallel.
1.10      benno    1016:        <li>Added <a href="https://man.openbsd.org/ping.8">ping(8)</a> -g
                   1017:                option to provide a visual display of packets received and lost.
1.3       benno    1018:
                   1019:        <li>Changed <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>
                   1020:                Duplicate Address Detection (DAD) to only generate a new address if we
                   1021:                are using Semantically Opaque Interface Identifiers.
                   1022:        <li>Handled an autoconf interface changing its rdomain in <a
                   1023:                href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.
1.15      benno    1024:        <li>Completed <a
                   1025:                href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> implementation
                   1026:                of RFC 8981 temporary address extensions.
                   1027:
1.14      tb       1028:        <li>Do not leak the domains listed in
                   1029:                <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>'s
                   1030:                blocklist file on each config reload.
                   1031:        <li>Do not leak duplicate domain nodes when loading the
                   1032:                <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>
                   1033:                config.
1.3       benno    1034:        <li>Fixed rare crashes of <a
                   1035:                href="https://man.openbsd.org/unwind.8">unwind(8)</a> when DNS answers
                   1036:                are larger than the maximum imsg size.
1.9       benno    1037:        <li>Implemented <a
                   1038:                href="https://man.openbsd.org/unwind.8">unwind(8)</a> listening on
                   1039:                TCP.
1.10      benno    1040:        <li>Implemented DNS64 synthesis in <a
                   1041:                href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
                   1042:        <li>Disabled logging to <a
                   1043:                href="https://man.openbsd.org/syslog.3">syslog(3)</a> for libunbound
                   1044:                with <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>. Does
                   1045:                not prevent logging to stderr with "unwind -d".
                   1046:
1.3       benno    1047:        <li>Added a simple --timeout implementation to <a
                   1048:                href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>.
1.15      benno    1049:        <li>Added the <a href="https://man.openbsd.org/rsync.1">rsync(1)</a>
                   1050:                option --no-motd to suppress the information output by the client at
                   1051:                the start of a daemon transfer.
1.3       benno    1052:        <li>Added support for the use of !command to <a
                   1053:                href="https://man.openbsd.org/mygate.5">mygate(5)</a>, so that
                   1054:                netstart has a late opportunity to perform network configuration.
1.5       benno    1055:        <li>Made <a href="https://man.openbsd.org/rad.8">rad(8)</a> handle
                   1056:                multiple rdomains in a single daemon (instead of running it in
                   1057:                multiple rdomains).
                   1058:        <li>Added a specific headline to <a
                   1059:                href="https://man.openbsd.org/netstat.1">netstat(1)</a> for TCP state
                   1060:                and IP protocol.
1.9       benno    1061:        <li>Handle permanent redirects (RFC 7538) in <a
1.5       benno    1062:                href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch.
1.10      benno    1063:        <li>Introduced <a href="https://man.openbsd.org/ftp.1">ftp(1)</a>
                   1064:                support for sending the If-Modified-Since header while fetching over
                   1065:                http or https. Switched to using the timestamps from the remote
                   1066:                server's Last-Modified header if available when saving local files and
                   1067:                introduced the ftp "-u" flag to disable this behavior.
1.15      benno    1068:        <li>Made <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> set
                   1069:                timestamps only on files.
1.10      benno    1070:
1.9       benno    1071:        <li>Added requests for a new certificate without requiring -F when <a
                   1072:                href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
                   1073:                detects an added or removed SAN in the config file not reflected in
                   1074:                the existing certificate on disk.
                   1075:        <li>Print rewritten addresses in <a
                   1076:                href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> logged with <a
                   1077:                href="https://man.openbsd.org/pflog.4">pflog(4)</a> for rdr-to, nat-to
                   1078:                and af-to rules.
1.10      benno    1079:        <li>When calling <a
                   1080:                href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> with
                   1081:                AI_ADDRCONFIG, consider the routing domain when checking for available
                   1082:                address families. This ensures that name resolution is only performed
                   1083:                for the address families available in the rdomain.
                   1084:        <li>Implemented the <a href="https://man.openbsd.org/nc.1">nc(1)</a>
                   1085:                -D socket debug option in <a
                   1086:                href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>, allowing
                   1087:                analysis of TCP connections.
1.14      tb       1088:        <li>Avoid leaking the help text in
                   1089:                <a href="https://man.openbsd.org/tcpbench.1">systat(8)</a>.
1.15      benno    1090:        <li>Increased the maximum length for CHAP challenges to 96 octets to
                   1091:                ensure <a href="https://man.openbsd.org/npppd.8">npppd(8)</a> can
                   1092:                handle longer challenges, such as those sent by Juniper.
                   1093:     </ul>
1.1       deraadt  1094:   </ul>
                   1095:
                   1096: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
                   1097:   <ul>
1.5       benno    1098:        <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
1.15      benno    1099:        <li>Allowed use of ## and # in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> styles and added a "w" format modifier for width.
                   1100:        <li>Added a -C flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> run-shell to use a tmux command rather than a shell command.
                   1101:        <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -N flag to never start the server even if the command would normally do so.
                   1102:        <li>Added the new <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -S flag to new-window to select the existing window if one with the given name already exists, rather than failing.
                   1103:        <li>Added support for X11 color names and other variations for OSC 10/11 and added OSC 110 and 111 to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
                   1104:        <li>Removed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> support for popups where the content is provided directly to tmux.
                   1105:        <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> "absolute-centre" alignment to use the center of the total space instead of the available space.
                   1106:        <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> split-window -Z to start the pane zoomed.
                   1107:        <li>Added client-detached notification in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> control mode.
                   1108:        <li>Changed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> search-again with vi keys to work like <a href="https://man.openbsd.org/vi.1">vi(1)</a>.
1.1       deraadt  1109:   </ul>
                   1110:
                   1111: <li>OpenSMTPD 6.9.0
                   1112:   <ul>
1.5       benno    1113:        <li>Introduced <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>
                   1114:                -a to perform authentication before sending a message.
                   1115:        <li>Fixed a memory leak in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> resolver.
                   1116:        <li>Prevented a crash due to premature release of resources by the <a
                   1117:                href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> filter state
                   1118:                machine.
1.12      eric     1119:        <li>Switch to libtls internally.
                   1120:        <li>Change the way SNI works in <a href="https://man.openbsd.org/smtpd.conf.5#pki~2">smtpd.conf(5)</a>.
1.73      namn     1121:                TLS listeners may be configured with multiple certificates.
                   1122:                The matching is based on the names included in these certificates.
1.12      eric     1123:        <li>Allow specifying TLS protocols and ciphers per listener and relay action.
1.1       deraadt  1124:   </ul>
                   1125:
1.65      tb       1126: <li>LibreSSL 3.3.2
1.1       deraadt  1127:   <ul>
                   1128:     <li>New Features
                   1129:     <ul>
1.38      tb       1130:        <li>Support for DTLSv1.2.
                   1131:        <li>Continued rewrite of the record layer for the legacy stack.
                   1132:        <li>Numerous bugs and interoperability issues were fixed in the new verifier.
1.39      tb       1133:            A few bugs and incompatibilities remain, so this release uses the old
                   1134:            verifier by default.
1.38      tb       1135:        <li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
                   1136:     </ul>
1.15      benno    1137:
1.38      tb       1138:     <li>Portable Improvements
                   1139:     <ul>
                   1140:        <li>Added '--enable-libtls-only' build option, which builds and installs a
                   1141:            statically-linked libtls, skipping libcrypto and libssl. This is useful
                   1142:            for systems that ship with OpenSSL but wish to also package libtls.
1.3       benno    1143:
1.38      tb       1144:        <li>Update getentropy on Windows to use Cryptography Next Generation
                   1145:            (CNG). wincrypt is deprecated and no longer works with newer Windows
                   1146:            environments, such as in Windows Store apps.
1.1       deraadt  1147:     </ul>
                   1148:
                   1149:     <li>API and Documentation Enhancements
                   1150:     <ul>
1.38      tb       1151:        <li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
                   1152:            draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
                   1153:
1.39      tb       1154:        <li>Add support for
                   1155:            <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>
                   1156:            with TLSv1.3.
1.38      tb       1157:
                   1158:        <li>Add DTLSv1.2 methods.
                   1159:
1.39      tb       1160:        <li>Implement SSL_is_dtls(3) and use it internally in place of the
1.38      tb       1161:            SSL_IS_DTLS macro.
                   1162:
1.39      tb       1163:        <li>Provide
                   1164:            <a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>.
                   1165:        <li>Add missing prototype for
                   1166:            <a href="https://man.openbsd.org/d2i_DSAPrivateKey_fp.3">d2i_DSAPrivateKey_fp(3)</a>
                   1167:            to x509.h.
                   1168:
                   1169:        <li>Add DTLSv1.2 to
                   1170:            <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
                   1171:            s_server and s_client protocol message logging.
                   1172:
                   1173:        <li>Provide
                   1174:            <a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>.
                   1175:
                   1176:        <li>Provide
                   1177:            <a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a>
                   1178:            and
                   1179:             <a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>.
1.38      tb       1180:
                   1181:        <li>Provide various DTLSv1.2 specific functions and defines.
                   1182:
                   1183:        <li>Document meaning of '*' in the genrsa output.
                   1184:
1.39      tb       1185:        <li>Updated documentation for
                   1186:            <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>.
                   1187:
                   1188:        <li>Add documentation for
                   1189:            <a href="https://man.openbsd.org/SSL_get_finished.3">SSL_get_finished(3)</a>.
1.38      tb       1190:
1.39      tb       1191:        <li>Document
                   1192:            <a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>.
1.38      tb       1193:
                   1194:
1.39      tb       1195:        <li>Document
                   1196:            <a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>.
1.38      tb       1197:
1.39      tb       1198:        <li>Document
                   1199:            <a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a>
                   1200:            and
                   1201:            <a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>.
1.38      tb       1202:
1.39      tb       1203:        <li>Update
                   1204:            <a href="https://man.openbsd.org/SSL_get_version.3">SSL_get_version(3)</a>
                   1205:            manual for DTLSv1.2 support.
1.38      tb       1206:
                   1207:        <li>Make supported protocols and options for DHE params more prominent
1.39      tb       1208:            in <a href="https://man.openbsd.org/tls_config_set_protocols.3">tls_config_set_protocols(3)</a>.
1.38      tb       1209:
                   1210:        <li>Various documentation improvements around TLS methods.
1.1       deraadt  1211:     </ul>
                   1212:
                   1213:     <li>Compatibility Changes
                   1214:     <ul>
1.39      tb       1215:        <li>Make <a href="https://man.openbsd.org/openssl.3">openssl(1)</a> s_server
                   1216:            ignore -4 and -6 for compatibility with OpenSSL.
1.38      tb       1217:
1.39      tb       1218:        <li>Set SO_REUSEADDR on the server socket in the
                   1219:            <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp command.
1.38      tb       1220:
1.39      tb       1221:        <li>Send a host header with OCSP queries to make
                   1222:            <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp
1.38      tb       1223:            work with some widely used OCSP responders.
                   1224:
1.39      tb       1225:        <li>Add ability to
                   1226:            <a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
                   1227:            to parse a port in the specified OCSP URL.
1.38      tb       1228:
                   1229:        <li>Implement auto chain for the TLSv1.3 server since some software
                   1230:            relies on this.
                   1231:
                   1232:        <li>Implement key exporter for TLSv1.3.
1.39      tb       1233:        <li>Align <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>
                   1234:            with OpenSSL. This takes into account that it never returned server
                   1235:            ciphers, so now it will fail when called from the client side.
1.38      tb       1236:
                   1237:        <li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
                   1238:
1.39      tb       1239:        <li>Make
                   1240:            <a href="https://man.openbsd.org/SSL_CTX_get_min_proto_version.3">SSL{_CTX,}_get_{min,max}_proto_version(3)</a>
                   1241:            return a version of zero if the minimum or maximum has been set to
                   1242:            zero to match OpenSSL's behavior.
1.38      tb       1243:
1.39      tb       1244:        <li>Add DTLSv1.2 support to
                   1245:            <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_client/s_server.
1.1       deraadt  1246:     </ul>
                   1247:
                   1248:     <li>Testing and Proactive Security
                   1249:     <ul>
1.38      tb       1250:        <li>Malformed ASN.1 in a certificate revocation list or a timestamp
                   1251:            response token can lead to a NULL pointer dereference.
                   1252:
1.39      tb       1253:        <li>Pull in fix for
                   1254:            <a href="https://man.openbsd.org/EVP_CipherUpdate.3">EVP_CipherUpdate(3)</a>
                   1255:            overflow from OpenSSL.
1.38      tb       1256:
                   1257:        <li>Use EXFLAG_INVALID to handle out of memory and parse errors in
                   1258:            x509v3_cache_extensions().
                   1259:
1.39      tb       1260:        <li>Refactor and clean up
                   1261:            <a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
                   1262:            and add regression tests.
1.1       deraadt  1263:     </ul>
                   1264:
                   1265:     <li>Internal Improvements
                   1266:       <ul>
1.38      tb       1267:        <li>Further cleanup of the DTLS record handling.
                   1268:
                   1269:        <li>Continue the replacement of the TLSv1.2 record layer by
                   1270:            reimplementing the read side of the TLSv1.2 record handling.
                   1271:
                   1272:        <li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
                   1273:
                   1274:        <li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
                   1275:
                   1276:        <li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
                   1277:            .data.rel.ro and .rodata, respectively.
                   1278:
                   1279:        <li>Add a const qualifier to srtp_known_profiles.
                   1280:
                   1281:        <li>Simplify TLS method by removing the client and server specific
                   1282:            methods internally.
                   1283:
                   1284:        <li>Avoid casting away const in ssl_ctx_make_profiles().
                   1285:
                   1286:        <li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
                   1287:            the assert work for newer DTLS versions.
                   1288:
                   1289:        <li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
                   1290:
                   1291:        <li>Add a flag to mark DTLS methods as DTLS to have an easy way to
                   1292:            recognize DTLS methods that avoids inspecting the version number.
                   1293:
                   1294:        <li>Mark a few more internal static tables const.
                   1295:
                   1296:        <li>Switch finish{,_peer}_md_len from an int to a size_t.
                   1297:
                   1298:        <li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
                   1299:            for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
                   1300:            was a historical artefact.
                   1301:
                   1302:        <li>Free struct members in tls13_record_layer_free() in their natural
                   1303:            order for reviewability.
                   1304:
                   1305:        <li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
                   1306:
                   1307:        <li>Add tls13_secret_{init,cleanup}() and use them throughout the
                   1308:            TLSv1.3 code base.
                   1309:
                   1310:        <li>Move the read MAC key into the TLSv1.2 record layer.
                   1311:
                   1312:        <li>Make tls12_record_layer_free() NULL safe.
                   1313:
                   1314:        <li>Split the record protection from the TLSv1.2 record layer.
                   1315:
                   1316:        <li>Clean up sequence number handling in the new TLSv1.2 record layer.
                   1317:
                   1318:        <li>Clean up sequence number handling in DTLS.
                   1319:
                   1320:        <li>Clean up dtls1_reset_seq_numbers().
                   1321:
                   1322:        <li>Factor out code for explicit IV length, block size and MAC length
                   1323:            from tls12_record_layer_open_record_protected_cipher().
                   1324:
                   1325:        <li>Provide record layer overhead for DTLS.
                   1326:
                   1327:        <li>Provide functions to determine if TLSv1.2 record protection is
                   1328:            engaged.
                   1329:
                   1330:        <li>Add code to handle change of cipher state in the new TLSv1.2 record
                   1331:            layer.
                   1332:
                   1333:        <li>Mop up now unused dtls1_build_sequence_numbers() function.
                   1334:
                   1335:        <li>Allow setting a keypair on a tls context without specifying the
                   1336:            private key, and fake it internally in libtls. This removes the
                   1337:            need for privsep engines like relayd to use bogus keys.
                   1338:
                   1339:        <li>Skip the private key check for fake private keys.
                   1340:
                   1341:        <li>Move the private key setup from tls_configure_ssl_keypair() to a
                   1342:            helper function with proper error checking.
                   1343:
                   1344:        <li>Change the internal tls_configure_ssl_keypair() function to
                   1345:            return -1 instead of 1 on failure.
                   1346:
                   1347:        <li>Move sequence numbers into the new TLSv1.2 record layer.
                   1348:
                   1349:        <li>Move AEAD handling into the new TLSv1.2 record layer.
                   1350:
                   1351:        <li>Factor out legacy stack version checks.
                   1352:
                   1353:        <li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
                   1354:            were originally added with the default handshake MAC and PRF rather
                   1355:            than the SHA256 handshake MAC and PRF.
                   1356:
                   1357:        <li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
                   1358:
                   1359:        <li>Use dtls1_record_retrieve_buffered_record() to load buffered
                   1360:            application data.
                   1361:
                   1362:        <li>Enforce read ahead with DTLS.
                   1363:
                   1364:        <li>Remove bogus DTLS checks that disabled ECC and OCSP.
                   1365:
                   1366:        <li>Clean up and simplify dtls1_get_cipher().
                   1367:
                   1368:        <li>Group HelloVerifyRequest decoding and add missing check for trailing
                   1369:            data.
                   1370:
                   1371:        <li>Revise HelloVerifyRequest handling for DTLSv1.2.
                   1372:
                   1373:        <li>Handle DTLS1_2_VERSION in various places.
                   1374:
                   1375:        <li>Rename the "truncated" label into "decode_err" and the "f_err"
                   1376:            label into "fatal_err".
                   1377:
                   1378:        <li>Factor out and change some of the legacy client version code.
                   1379:
                   1380:        <li>Simplify version checks in the TLSv1.3 client. Ensure that the
                   1381:            server announced TLSv1.3 and nothing higher and check that the
                   1382:            legacy_version is set to TLSv1.2 as required by RFC 8446.
                   1383:
                   1384:        <li>Only use TLS versions internally rather than both TLS and DTLS
                   1385:            versions since the latter are the one's complement of the human
                   1386:            readable version numbers, which means that newer versions decrease
                   1387:            in value.
                   1388:
                   1389:        <li>Identify DTLS based on the version major value.
                   1390:
                   1391:        <li>Move handling of cipher/hash based cipher suites into the new record
                   1392:            layer.
                   1393:
                   1394:        <li>Add tls12_record_protection_unused() and call it from CCS functions.
                   1395:
                   1396:        <li>Move key/IV length checks closer to usage sites. Also add explicit
1.39      tb       1397:            checks against
                   1398:            <a href="https://man.openbsd.org/EVP_CIPHER_iv_length.3">EVP_CIPHER_{iv,key}_length()</a>.
1.38      tb       1399:
                   1400:        <li>Replace two handrolled tls12_record_protection_engaged().
                   1401:
                   1402:        <li>Improve internal version handling: add handshake fields for our
                   1403:            minimum version, our maximum version and the TLS version negotiated
                   1404:            during the handshake. Convert most of the internal code to use these
                   1405:            version fields.
                   1406:
                   1407:        <li>Guard against future internal use of TLS1_get_{client,}_version()
                   1408:            macros.
                   1409:
                   1410:        <li>Remove the internal ssl_downgrade_max_version() function which is no
                   1411:            longer needed.
                   1412:
                   1413:        <li>Add support for DTLSv1.2 version handling.
                   1414:
                   1415:        <li>Remove no longer needed read ahead workarounds in the s_client and
                   1416:            s_server.
                   1417:
                   1418:        <li>Split TLSv1.3 record protection from record layer.
                   1419:
                   1420:        <li>Move the TLSv1.3 handshake struct inside the shared handshake
                   1421:            struct.
                   1422:
                   1423:        <li>Fully initialize rrec in tls12_record_layer_open_record_protected()
                   1424:            to avoid confusing some static analyzers.
                   1425:
                   1426:        <li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
                   1427:            does not set errno.
                   1428:
                   1429:        <li>Convert openssl(1) x509 to new option handling and do the usual
                   1430:            clean up that goes along with it.
                   1431:
                   1432:        <li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
                   1433:
                   1434:        <li>Rename new_cipher to cipher to align naming with keyblock or other
                   1435:            parts of the handshake data.
                   1436:
                   1437:        <li>Move the TLSv1.2 record number increment into the new record layer.
                   1438:
                   1439:        <li>Move finished and peer finished into the handshake struct.
                   1440:
                   1441:        <li>Remove pointless assignment in SSL_get0_alpn_selected().
                   1442:
                   1443:        <li>Add some error checking to openssl(1) x509.
1.1       deraadt  1444:       </ul>
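
The DTLS version items in the list above (DTLS versions are the one's complement of the human readable numbers, and DTLS is identified by the version major value) can be seen in a short C program. This is an added example, not LibreSSL code: the wire constants are the standard protocol values, while the helper names and the mapping of DTLS 1.0 to TLS 1.1 and DTLS 1.2 to TLS 1.2 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire values of the protocol version field (standard TLS/DTLS values). */
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define DTLS1_VERSION    0xFEFF   /* DTLS 1.0 */
#define DTLS1_2_VERSION  0xFEFD   /* DTLS 1.2 */
#define DTLS_MAJOR       0xFE

/* Hypothetical helper: recognise DTLS from the major byte alone. */
static int
wire_is_dtls(uint16_t wire)
{
	return (wire >> 8) == DTLS_MAJOR;
}

/* Hypothetical helper: undo the one's complement to get 1.0 or 1.2. */
static void
dtls_human_version(uint16_t wire, unsigned *major, unsigned *minor)
{
	*major = (uint8_t)~(wire >> 8);
	*minor = (uint8_t)~(wire & 0xff);
}

/*
 * Hypothetical helper: map a wire version onto the TLS version it is
 * derived from (assumed here: DTLS 1.0 -> TLS 1.1, DTLS 1.2 -> TLS 1.2),
 * so that a larger number always means a newer protocol.
 * Returns 0 for a version this example does not know.
 */
static uint16_t
wire_to_tls_version(uint16_t wire)
{
	switch (wire) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	case TLS1_1_VERSION:
	case TLS1_2_VERSION:
		return wire;
	default:
		return 0;
	}
}

/* Naive minimum-version check on raw wire values: inverted for DTLS. */
static int
naive_at_least(uint16_t negotiated, uint16_t minimum)
{
	return negotiated >= minimum;
}

/* Check on normalised values; refuses unknown versions and TLS/DTLS mixes. */
static int
version_at_least(uint16_t negotiated, uint16_t minimum)
{
	uint16_t n = wire_to_tls_version(negotiated);
	uint16_t m = wire_to_tls_version(minimum);

	if (n == 0 || m == 0)
		return 0;
	if (wire_is_dtls(negotiated) != wire_is_dtls(minimum))
		return 0;
	return n >= m;
}

int
main(void)
{
	unsigned major, minor;

	dtls_human_version(DTLS1_2_VERSION, &major, &minor);
	printf("0x%04X is DTLS %u.%u\n", (unsigned)DTLS1_2_VERSION,
	    major, minor);
	printf("naive:      DTLS 1.0 meets a DTLS 1.2 minimum? %d\n",
	    naive_at_least(DTLS1_VERSION, DTLS1_2_VERSION));
	printf("normalised: DTLS 1.0 meets a DTLS 1.2 minimum? %d\n",
	    version_at_least(DTLS1_VERSION, DTLS1_2_VERSION));
	return 0;
}
```

The naive comparison accepts DTLS 1.0 against a DTLS 1.2 minimum and rejects DTLS 1.2 against a DTLS 1.0 minimum, which is the ordering hazard that a single internal version scale removes.
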
                   1445:
1.38      tb       1446:     <li>Bug Fixes
1.1       deraadt  1447:     <ul>
1.38      tb       1448:        <li>Move point-on-curve check to set_affine_coordinates to avoid
                   1449:            verifying ECDSA signatures with unchecked public keys.
                   1450:
1.39      tb       1451:        <li>Fix
                   1452:            <a href="https://man.openbsd.org/SSL_is_server.3">SSL_is_server(3)</a>
                   1453:            to behave as documented by re-introducing the client-specific
                   1454:            methods.
1.38      tb       1455:
                   1456:        <li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
                   1457:
                   1458:        <li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
                   1459:
                   1460:        <li>Correct the return value type from ERR_peek_error() to a long.
                   1461:
                   1462:        <li>Avoid use of uninitialized memory in ASN1_time_parse() which could happen
1.61      tb       1463:            on parsing UTCTime if the caller did not initialize the passed
1.38      tb       1464:            struct tm.
                   1465:
                   1466:        <li>Destroy the mutex in a tls_config object on tls_config_free().
                   1467:
1.73      namn     1468:        <li>Free alert_data and phh_data in tls13_record_layer_free().
                   1469:            These could leak if
1.39      tb       1470:            <a href="https://man.openbsd.org/SSL_shutdown.3">SSL_shutdown(3)</a>
                   1471:            or <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
                   1472:             were called after closing the underlying socket().
1.38      tb       1473:
                   1474:        <li>Gracefully handle root certificates being both trusted and
                   1475:            untrusted.
                   1476:
                   1477:        <li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
                   1478:            verifier.
                   1479:
                   1480:        <li>Use the legacy verifier when building auto chains for TLS.
                   1481:
                   1482:        <li>Search the intermediates only after searching the root certs in the
                   1483:            new verifier to avoid problems with the legacy callback.
                   1484:
                   1485:        <li>Bail out early after finding a single chain in the new verifier, if
                   1486:            we have been called via the legacy verifier API.
                   1487:
                   1488:        <li>Set (invalid and likely incomplete) chain on the xsc on chain build
                   1489:            failure prior to calling the callback. This is required by various
                   1490:            callers, including auto chain.
                   1491:
                   1492:        <li>Remove direct assignment of aead_ctx to avoid a leak.
                   1493:
                   1494:        <li>Fail early in legacy exporter if the master secret is not available
                   1495:            to avoid a segfault if it is called when the handshake is not
                   1496:            completed.
                   1497:
                   1498:        <li>Only print the certificate file once on verification failure.
                   1499:
                   1500:        <li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
                   1501:            the new validator checks for EXFLAG_CRITICAL in
                   1502:            x509_vfy_check_chain_extension() for all untrusted certs in the
                   1503:            chain. Take into account that the root is not necessarily trusted.
                   1504:
                   1505:        <li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
                   1506:
                   1507:        <li>Fix two bugs in the legacy verifier that resulted from refactoring
1.39      tb       1508:            of
                   1509:            <a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a>
                   1510:            for the new verifier: a return value was incorrectly treated as
                   1511:            boolean, making it insufficient to decide whether validation should
                   1512:            carry on or not.
1.38      tb       1513:
                   1514:        <li>Fix checks for memory caps of constraints names. There are internal
                   1515:            caps on the number of name constraints and other names, that the new
                   1516:            name constraints code allocates per cert chain. These limits were
                   1517:            checked too late, making them only partially effective.
                   1518:
                   1519:        <li>Fix a copy-paste error - skid was confused with an akid when
                   1520:            checking for EXFLAG_INVALID. This broke OCSP validation with
                   1521:            certain mirrors.
                   1522:
                   1523:        <li>Avoid a use-after-scope in tls13_cert_add().
                   1524:
                   1525:        <li>Avoid mangled output in BIO_debug_callback().
                   1526:
                   1527:        <li>Fix client initiated renegotiation by replacing use of s->internal->type
                   1528:            with s->server.
                   1529:
                   1530:        <li>Avoid transcript initialization when sending a TLS HelloRequest,
                   1531:            fixing server initiated renegotiation.
                   1532:
                   1533:        <li>Avoid leaking param->name in x509_verify_param_zero().
                   1534:
                   1535:        <li>Avoid a leak in an error path in openssl(1) x509.
                   1536:
                   1537:        <li>When sending an alert in TLSv1.3, only set its error code when no
                   1538:            other error was set previously. Certain clients rely on specific
                   1539:            SSL_R_ error codes to identify that they are dealing with a self
                   1540:            signed cert.
                   1541:
                   1542:        <li>When switching from the TLSv1.3 stack to the legacy stack include
                   1543:            a TLS record header. This is necessary if there is more than one
                   1544:            handshake message in the TLS plaintext record.
                   1545:
                   1546:        <li>Fix resource handling on error in OCSP_request_add0_id().
                   1547:
                   1548:        <li>Make sure there is enough room for stashing the handshake message
                   1549:            when switching to the legacy TLS stack.
                   1550:
                   1551:        <li>Fix a memory leak in the openssl(1) s_client.
                   1552:
                   1553:        <li>Unbreak DTLS retransmissions for flights that include a CCS.
                   1554:
                   1555:        <li>If x509_verify() fails, ensure that the error is set on both
                   1556:            the x509_verify_ctx() and its store context to make some failures
                   1557:            visible from SSL_get_verify_result().
                   1558:
                   1559:        <li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
                   1560:            verifier to fix hashed certificate directories.
                   1561:
1.39      tb       1562:        <li>Only check
                   1563:            <a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a>
                   1564:            on read and
                   1565:            <a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a>
                   1566:            on write.  Previously,
                   1567:            <a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a>
                   1568:            was also checked after read and
                   1569:            <a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a>
                   1570:            after write which could cause stalls in software that uses the same
                   1571:            BIO for read and write.
                   1572:
                   1573:        <li>In <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
                   1574:            verify, also check for error on the store context since the return
                   1575:            value of
                   1576:            <a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a>
                   1577:            is unreliable in presence of a callback that returns 1 too often.
1.38      tb       1578:
                   1579:        <li>Handle additional certificate error cases in the new X.509 verifier.
                   1580:            Keep track of the errors encountered if a verify callback tells the
                   1581:            verifier to continue and report them back via the error on the store
                   1582:            context. This mimics the behavior of the old verifier that would
                   1583:            persist the first error encountered while building the chain.
                   1584:
                   1585:        <li>Report specific failures for "self signed certificates" in a way
                   1586:            compatible with the old verifier since software relies on the
                   1587:            error code.
                   1588:
                   1589:        <li>Plug a large memory leak in the new verifier caused by calling
1.39      tb       1590:            X509_policy_check(3) repeatedly.
1.1       deraadt  1591:
1.38      tb       1592:        <li>Avoid leaking memory in x509_verify_chain_dup().
1.1       deraadt  1593:     </ul>
                   1594:   </ul>
                   1595:
1.15      benno    1596: <li>OpenSSH 8.5
1.1       deraadt  1597:   <ul>
1.33      benno    1598:     <li>Security fixes
                   1599:     <ul>
                   1600:        <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
                   1601:        fixed a double-free memory corruption that was introduced in OpenSSH
                   1602:        8.2. We treat all such memory faults as potentially exploitable. This
                   1603:        bug could be reached by an attacker with access to the agent socket.<br>
1.3       benno    1604:
1.33      benno    1605:        On modern operating systems where the OS can provide information
                   1606:        about the user identity connected to a socket, OpenSSH ssh-agent and
                   1607:        sshd limit agent socket access only to the originating user and root.
                   1608:        Additional mitigation may be afforded by the system's
                   1609:        malloc(3)/free(3) implementation, if it detects double-free
                   1610:        conditions.<br>
1.3       benno    1611:
1.33      benno    1612:        The most likely scenario for exploitation is a user forwarding an
                   1613:        agent either to an account shared with a malicious user or to a host
                   1614:        with an attacker holding root access.
                   1615:     </ul>
1.63      benno    1616:     <li>Potentially incompatible changes
1.1       deraadt  1617:     <ul>
1.33      benno    1618:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1619:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release
                   1620:        changes the first-preference signature algorithm from ECDSA to
                   1621:        ED25519.
                   1622:
                   1623:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1624:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: set the TOS/DSCP
                   1625:        specified in the configuration for interactive use prior to TCP
                   1626:        connect. The connection phase of the SSH session is time-sensitive and
                   1627:        often explicitly interactive.  The ultimate interactive/bulk TOS/DSCP
                   1628:        will be set after authentication completes.
                   1629:
                   1630:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1631:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove the
                   1632:        pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias
                   1633:        for aes256-cbc before it was standardized in RFC4253 (2006), has been
                   1634:        deprecated and disabled by default since OpenSSH 7.2 (2016) and was
                   1635:        only briefly documented in ssh.1 in 2001.
                   1636:
                   1637:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1638:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: update/replace the
                   1639:        experimental post-quantum hybrid key exchange method based on
                   1640:        Streamlined NTRU Prime coupled with X25519.<br>
                   1641:
                   1642:        The previous sntrup4591761x25519-sha512@tinyssh.org method is
                   1643:        replaced with sntrup761x25519-sha512@openssh.com. Per its designers,
                   1644:        the sntrup4591761 algorithm was superseded almost two years ago by
                   1645:        sntrup761.
1.63      benno    1646:        (Note that both the updated method and the one that it replaced are
                   1647:        disabled by default.)
1.33      benno    1648:
                   1649:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: disable
                   1650:        CheckHostIP by default. It provides insignificant benefits while
                   1651:        making key rotation significantly more difficult, especially for hosts
                   1652:        behind IP-based load-balancers.
1.1       deraadt  1653:     </ul>
                   1654:     <li>New Features
                   1655:     <ul>
1.33      benno    1656:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: this release
                   1657:        enables UpdateHostkeys by default subject to some conservative
                   1658:        preconditions:
                   1659:        <ul>
                   1660:            <li>The key was matched in the UserKnownHostsFile (and not in the
                   1661:              GlobalKnownHostsFile).
                   1662:            <li>The same key does not exist under another name.
                   1663:            <li>A certificate host key is not in use.
                   1664:            <li>known_hosts contains no matching wildcard hostname pattern.
                   1665:            <li>VerifyHostKeyDNS is not enabled.
                   1666:            <li>The default UserKnownHostsFile is in use.
                   1667:        </ul>
                   1668:        We expect some of these conditions will be modified or relaxed in
                   1669:        future.
                   1670:
                   1671:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1672:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new
                   1673:        LogVerbose configuration directive that allows forcing maximum
                   1674:        debug logging by file/function/line pattern-lists.
                   1675:
                   1676:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
                   1677:        prompting the user to accept a new hostkey, display any other host
                   1678:        names/addresses already associated with the key.
                   1679:
                   1680:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow
                   1681:        UserKnownHostsFile=none to indicate that no known_hosts file should be
                   1682:        used to identify host keys.
                   1683:
                   1684:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
                   1685:        ssh_config KnownHostsCommand option that allows the client to obtain
                   1686:        known_hosts data from a command in addition to the usual files.
                   1687:
                   1688:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
                   1689:        ssh_config PermitRemoteOpen option that allows the client to restrict
                   1690:        the destination when RemoteForward is used with SOCKS.
                   1691:
                   1692:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: for FIDO
                   1693:        keys, if a signature operation fails with an "incorrect PIN" reason and
                   1694:        no PIN was initially requested from the user, then request a PIN and
                   1695:        retry the operation. This supports some biometric devices that fall
                   1696:        back to requiring PIN when reading of the biometric failed, and
                   1697:        devices that require PINs for all hosted credentials.
                   1698:
                   1699:        <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: implement
                   1700:        client address-based rate-limiting via new <a
                   1701:        href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
                   1702:        PerSourceMaxStartups and PerSourceNetBlockSize directives that provide
                   1703:        more fine-grained control on a per-origin address basis than the
                   1704:        global MaxStartups limit.
1.1       deraadt  1705:     </ul>
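The per-source limit in the last item above, shown as a small model. This is an added example, not OpenSSH code: the struct and function names, the table size and the sample addresses are assumptions, and releasing a counter when a connection authenticates or closes is left out.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_BLOCKS 64

/* Hypothetical model: one counter per source netblock. */
struct netblock {
    int af;                  /* AF_INET or AF_INET6 */
    unsigned char net[16];   /* source address with host bits cleared */
    int count;               /* unauthenticated connections in progress */
};

struct limiter {
    int per_source_max;      /* models PerSourceMaxStartups */
    int v4_bits, v6_bits;    /* models PerSourceNetBlockSize v4:v6 */
    struct netblock blocks[MAX_BLOCKS];
    int nblocks;
};

/* Keep the first `bits` bits of addr and clear the rest. */
static void mask_addr(unsigned char *addr, int len, int bits)
{
    for (int i = 0; i < len; i++) {
        if (bits >= 8) {
            bits -= 8;
        } else {
            addr[i] &= (unsigned char)(0xff << (8 - bits));
            bits = 0;
        }
    }
}

/* Returns 1 if admitted, 0 if over the limit, -1 for an unparsable address. */
int limiter_admit(struct limiter *l, const char *src)
{
    unsigned char a[16] = {0};
    int af, len, bits;

    if (inet_pton(AF_INET, src, a) == 1) {
        af = AF_INET; len = 4; bits = l->v4_bits;
    } else if (inet_pton(AF_INET6, src, a) == 1) {
        af = AF_INET6; len = 16; bits = l->v6_bits;
    } else {
        return -1;
    }
    mask_addr(a, len, bits);

    for (int i = 0; i < l->nblocks; i++) {
        struct netblock *b = &l->blocks[i];
        if (b->af == af && memcmp(b->net, a, sizeof(a)) == 0) {
            if (b->count >= l->per_source_max)
                return 0;    /* this netblock already holds its share */
            b->count++;
            return 1;
        }
    }
    if (l->nblocks == MAX_BLOCKS || l->per_source_max < 1)
        return 0;            /* fail closed when the table is full */
    struct netblock *b = &l->blocks[l->nblocks++];
    b->af = af;
    memcpy(b->net, a, sizeof(a));
    b->count = 1;
    return 1;
}

/* Constructed sample: documentation-range sources, none authenticated yet. */
static const char *SAMPLE[] = {
    "192.0.2.10", "192.0.2.77", "192.0.2.200", "198.51.100.5",
    "2001:db8:0:1::a", "2001:db8:0:1::b", "2001:db8:0:1:ffff::1",
    "2001:db8:0:2::1",
};

/* How many sample connections get in with a limit of 2 per netblock. */
int demo_admitted(int v4_bits, int v6_bits)
{
    struct limiter l = { .per_source_max = 2,
                         .v4_bits = v4_bits, .v6_bits = v6_bits };
    int admitted = 0;

    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        if (limiter_admit(&l, SAMPLE[i]) == 1)
            admitted++;
    return admitted;
}

int main(void)
{
    /* 32:128 counts every address on its own; 24:64 groups neighbours. */
    printf("32:128 admits %d of 8\n", demo_admitted(32, 128));
    printf("24:64  admits %d of 8\n", demo_admitted(24, 64));
    return 0;
}
```

With 32:128 each address is its own block, so a client that controls a whole IPv6 /64 is never counted twice; 24:64 makes the same sources share one counter.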
                   1706:     <li>Bugfixes
                   1707:     <ul>
1.33      benno    1708:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Prefix
                   1709:        keyboard interactive prompts with "(user@host)" to make it easier to
                   1710:        determine which connection they are associated with in cases like scp
                   1711:        -3, ProxyJump, etc. bz#3224
                   1712:
                   1713:        <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix
                   1714:        sshd_config SetEnv directives located inside Match blocks. GHPR#201
                   1715:
                   1716:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
                   1717:        requesting a FIDO token touch on stderr, inform the user once the
                   1718:        touch has been recorded.
                   1719:
                   1720:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prevent
                   1721:        integer overflow when ridiculously large ConnectTimeout values are
                   1722:        specified, capping the effective value (for most platforms) at 24
                   1723:        days. bz#3229
                   1724:
                   1725:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: consider the
                   1726:        ECDSA key subtype when ordering host key algorithms in the client.
                   1727:
                   1728:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1729:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: rename the
                   1730:        PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The
                   1731:        previous name incorrectly suggested that it controlled allowed key
                   1732:        algorithms, when this option actually specifies the signature
                   1733:        algorithms that are accepted. The previous name remains available as
                   1734:        an alias. bz#3253
                   1735:
                   1736:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1737:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: similarly, rename
                   1738:        HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
                   1739:        HostbasedAcceptedAlgorithms.
                   1740:
                   1741:        <li><a
                   1742:        href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: add
                   1743:        missing lsetstat@openssh.com documentation and advertisement in the
                   1744:        server's SSH2_FXP_VERSION hello packet.
                   1745:
                   1746:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1747:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more strictly
                   1748:        enforce KEX state-machine by banning packet types once they are
                   1749:        received. Fixes memleak caused by duplicate
                   1750:        SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
                   1751:
                   1752:        <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the
                   1753:        full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of
                   1754:        being limited by LONG_MAX. bz#3206
                   1755:
                   1756:        <li>Minor man page fixes (capitalization, commas, etc.) bz#3223
                   1757:
                   1758:        <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: when doing
                   1759:        an sftp recursive upload or download of a read-only directory, ensure
                   1760:        that the directory is created with write and execute permissions in
                   1761:        the interim so that the transfer can actually complete, then set the
                   1762:        directory permission as the final step. bz#3222
                   1763:
                   1764:        <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
                   1765:        document the -Z option, check the validity of its argument earlier and
                   1766:        provide a better error message if it's not correct.  bz#2879
                   1767:
                   1768:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ignore
                   1769:        comments at the end of config lines in ssh_config, similar to what we
                   1770:        already do for sshd_config. bz#2320
                   1771:
                   1772:        <li><a
                   1773:        href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
                   1774:        mention that DisableForwarding is valid in a sshd_config Match block.
                   1775:        bz#3239
                   1776:
                   1777:        <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix
                   1778:        incorrect sorting of "ls -ltr" under some circumstances. bz#3248.
                   1779:
                   1780:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
                   1781:        href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix potential
                   1782:        integer truncation of (unlikely) timeout values. bz#3250
                   1783:
                   1784:        <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make
                   1785:        hostbased authentication send the signature algorithm in its
1.73      namn     1786:        SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This makes
1.33      benno    1787:        HostbasedAcceptedAlgorithms do what it is supposed to - filter on
                   1788:        signature algorithm and not key type.
1.1       deraadt  1789:     </ul>
                   1790:   </ul>
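A simplified model of the KEX state-machine fix listed under Bugfixes above, where a packet type is banned once it has been received. This is an added illustration, not OpenSSH code: the session struct, the handler names and the allocation counter are hypothetical, and only the message numbers come from RFC 4419.

```c
#include <stdio.h>

/* DH group-exchange message numbers (RFC 4419). */
#define SSH2_MSG_KEX_DH_GEX_INIT    32
#define SSH2_MSG_KEX_DH_GEX_REQUEST 34
#define NTYPES 256

struct session;
typedef int (*handler_fn)(struct session *, int);

/* Hypothetical, simplified server-side KEX session. */
struct session {
    handler_fn dispatch[NTYPES];
    int strict;      /* 1 = ban each packet type once it has been received */
    int have_group;  /* session currently points at a DH group object */
    int live;        /* outstanding allocations (stands in for the heap) */
};

static int protocol_error(struct session *s, int type)
{
    (void)s; (void)type;
    return -1;       /* caller tears the connection down */
}

static int handle_gex_init(struct session *s, int type)
{
    if (s->strict)
        s->dispatch[type] = protocol_error;
    if (s->have_group) {          /* key exchange done: free the group */
        s->have_group = 0;
        s->live--;
    }
    return 0;
}

static int handle_gex_request(struct session *s, int type)
{
    if (s->strict)
        s->dispatch[type] = protocol_error;   /* one-shot handler */
    /* Allocate a group; a previous one is overwritten, not freed. */
    s->have_group = 1;
    s->live++;
    s->dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = handle_gex_init;
    return 0;
}

/* Feed packet types to a fresh session. Returns the index of the first
 * rejected packet, or -1 if all were accepted. *leaked receives the
 * allocations still outstanding after normal teardown. */
int run_exchange(int strict, const int *types, int n, int *leaked)
{
    struct session s = {0};
    int rejected = -1;

    for (int i = 0; i < NTYPES; i++)
        s.dispatch[i] = protocol_error;
    s.dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = handle_gex_request;
    s.strict = strict;

    for (int i = 0; i < n; i++) {
        int t = types[i];
        if (t < 0 || t >= NTYPES || s.dispatch[t](&s, t) != 0) {
            rejected = i;
            break;
        }
    }
    /* Teardown frees only the group the session still points at. */
    if (s.have_group) {
        s.have_group = 0;
        s.live--;
    }
    *leaked = s.live;
    return rejected;
}

/* Constructed packet sequence: the request arrives twice. */
static const int DUP_REQUEST[] = {
    SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_MSG_KEX_DH_GEX_REQUEST,
    SSH2_MSG_KEX_DH_GEX_INIT,
};

int leaked_after(int strict)
{
    int leaked;
    run_exchange(strict, DUP_REQUEST, 3, &leaked);
    return leaked;
}

int rejected_at(int strict)
{
    int leaked;
    return run_exchange(strict, DUP_REQUEST, 3, &leaked);
}

int main(void)
{
    printf("lax:    leaked=%d rejected_at=%d\n", leaked_after(0), rejected_at(0));
    printf("strict: leaked=%d rejected_at=%d\n", leaked_after(1), rejected_at(1));
    return 0;
}
```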
                   1791:
                   1792: <li>Ports and packages:
                   1793:   <p>Many pre-built packages for each architecture:
                   1794:   <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
                   1795:   <ul style="column-count: 3">
1.69      sthen    1796:     <li>aarch64:     10943
1.68      sthen    1797:     <li>amd64:       11310
1.75    ! deraadt  1798:     <li>arm:         (still building)
1.68      sthen    1799:     <li>i386:        10468
1.72      visa     1800:     <li>mips64:      8182
1.75    ! deraadt  1801:     <li>mips64el:    (still building)
        !          1802:     <li>powerpc:     (still building)
1.74      sthen    1803:     <li>powerpc64:   9341
1.69      sthen    1804:     <li>sparc64:     9642
1.1       deraadt  1805:   </ul>
                   1806:
1.40      rsadowsk 1807:   <p>Some highlights:
                   1808:   <ul style="column-count: 3">
                   1809:     <li>Asterisk 18.3.0
                   1810:     <li>Audacity 2.4.2
                   1811:     <li>CMake 3.19.4
1.50      lteo     1812:     <li>Chromium 90.0.4430.72
1.40      rsadowsk 1813:     <li>Emacs 27.2
                   1814:     <li>FFmpeg 4.3.2
                   1815:     <li>GCC 8.4.0
                   1816:     <li>GHC 8.10.3
                   1817:     <li>GNOME 3.38
                   1818:     <li>Go 1.16.2
                   1819:     <li>JDK 8u282 and 11.0.10
                   1820:     <li>KDE Applications 20.12.3
                   1821:     <li>KDE Frameworks 5.80.0
                   1822:     <li>Krita 4.4.3
1.46      sthen    1823:     <li>LLVM/Clang 10.0.1
1.40      rsadowsk 1824:     <li>LibreOffice 7.0.5.2
                   1825:     <li>Lua 5.1.5, 5.2.4 and 5.3.6
                   1826:     <li>MariaDB 10.5.9
                   1827:     <li>Mono 6.12.0.122
1.64      naddy    1828:     <li>Mozilla Firefox 88.0 and ESR 78.10.0
                   1829:     <li>Mozilla Thunderbird 78.10.0
1.40      rsadowsk 1830:     <li>Mutt 2.0.6 and NeoMutt 20210205
                   1831:     <li>Node.js 12.16.1
                   1832:     <li>OCaml 4.10.0
1.45      sthen    1833:     <li>OpenLDAP 2.4.58
                   1834:     <li>PHP 7.2.34, 7.3.27, 7.4.16 and 8.0.3
                   1835:     <li>Postfix 3.5.10
1.40      rsadowsk 1836:     <li>PostgreSQL 13.2
                   1837:     <li>Python 2.7.18, 3.8.8 and 3.9.2
                   1838:     <li>Qt 5.15.2
                   1839:     <li>R 4.0.5
                   1840:     <li>Ruby 2.6.7, 2.7.3 and 3.0.1
                   1841:     <li>Rust 1.51.0
1.45      sthen    1842:     <li>SQLite 3.34.1
1.40      rsadowsk 1843:     <li>Shotcut 21.01.29
                   1844:     <li>Sudo 1.9.6p1
                   1845:     <li>Suricata 6.0.1
                   1846:     <li>Tcl/Tk 8.5.19 and 8.6.8
                   1847:     <li>TeX Live 2020
                   1848:     <li>Vim 8.2.2580 and Neovim 0.4.4
                   1849:     <li>Xfce 4.16
                   1850:   </ul>
                   1851:   <p>
                   1852:
1.1       deraadt  1853: <li>As usual, steady improvements in manual pages and other documentation.
                   1854:
                   1855: <li>The system includes the following major components from outside suppliers:
                   1856:   <ul>
1.5       benno    1857:
                   1858:     <li>Xenocara (based on X.Org 7.7 with xserver 1.20.10 + patches,
1.32      matthieu 1859:         freetype 2.10.4, fontconfig 2.12.4, Mesa 20.0.8, xterm 367,
1.5       benno    1860:         xkeyboard-config 2.20, fonttosfnt 1.2.1 and more)
1.1       deraadt  1861:     <li>LLVM/Clang 10.0.1 (+ patches)
                   1862:     <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.10      benno    1863:     <li>Perl 5.32.1 (+ patches)
1.8       florian  1864:     <li>NSD 4.3.6
                   1865:     <li>Unbound 1.13.1
1.1       deraadt  1866:     <li>Ncurses 5.7
                   1867:     <li>Binutils 2.17 (+ patches)
                   1868:     <li>Gdb 6.3 (+ patches)
1.5       benno    1869:     <li>Awk December 18, 2020 version
                   1870:     <li>Expat 2.2.10
1.1       deraadt  1871:   </ul>
                   1872:
                   1873: </ul>
                   1874: </section>
                   1875:
                   1876: <hr>
                   1877:
                   1878: <section id=install>
                   1879: <h3>How to install</h3>
                   1880: <p>
                   1881: Please refer to the following files on the mirror site for
                   1882: extensive details on how to install OpenBSD 6.9 on your machine:
                   1883:
                   1884: <ul>
                   1885: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/alpha/INSTALL.alpha">
                   1886:        .../OpenBSD/6.9/alpha/INSTALL.alpha</a>
                   1887: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/amd64/INSTALL.amd64">
                   1888:        .../OpenBSD/6.9/amd64/INSTALL.amd64</a>
                   1889: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/arm64/INSTALL.arm64">
                   1890:        .../OpenBSD/6.9/arm64/INSTALL.arm64</a>
                   1891: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/armv7/INSTALL.armv7">
                   1892:        .../OpenBSD/6.9/armv7/INSTALL.armv7</a>
                   1893: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/hppa/INSTALL.hppa">
                   1894:        .../OpenBSD/6.9/hppa/INSTALL.hppa</a>
                   1895: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/i386/INSTALL.i386">
                   1896:        .../OpenBSD/6.9/i386/INSTALL.i386</a>
                   1897: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/landisk/INSTALL.landisk">
                   1898:        .../OpenBSD/6.9/landisk/INSTALL.landisk</a>
                   1899: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/loongson/INSTALL.loongson">
                   1900:        .../OpenBSD/6.9/loongson/INSTALL.loongson</a>
                   1901: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/luna88k/INSTALL.luna88k">
                   1902:        .../OpenBSD/6.9/luna88k/INSTALL.luna88k</a>
                   1903: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/macppc/INSTALL.macppc">
                   1904:        .../OpenBSD/6.9/macppc/INSTALL.macppc</a>
                   1905: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/octeon/INSTALL.octeon">
                   1906:        .../OpenBSD/6.9/octeon/INSTALL.octeon</a>
                   1907: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/powerpc64/INSTALL.powerpc64">
1.4       landry   1908:        .../OpenBSD/6.9/powerpc64/INSTALL.powerpc64</a>
1.1       deraadt  1909: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sgi/INSTALL.sgi">
                   1910:        .../OpenBSD/6.9/sgi/INSTALL.sgi</a>
                   1911: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sparc64/INSTALL.sparc64">
                   1912:        .../OpenBSD/6.9/sparc64/INSTALL.sparc64</a>
                   1913: </ul>
                   1914: </section>
                   1915:
                   1916: <hr>
                   1917:
                   1918: <section id=quickinstall>
                   1919: <p>
                   1920: Quick installer information for people familiar with OpenBSD, and the use of
                   1921: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
                   1922: If you are at all confused when installing OpenBSD, read the relevant
                   1923: INSTALL.* file as listed above!
                   1924:
                   1925: <h3>OpenBSD/alpha:</h3>
                   1926:
                   1927: <p>
                   1928: If your machine can boot from CD, you can write <i>install69.iso</i> or
                   1929: <i>cd69.iso</i> to a CD and boot from it.
                   1930: Refer to INSTALL.alpha for more details.
                   1931:
                   1932: <h3>OpenBSD/amd64:</h3>
                   1933:
                   1934: <p>
                   1935: If your machine can boot from CD, you can write <i>install69.iso</i> or
                   1936: <i>cd69.iso</i> to a CD and boot from it.
                   1937: You may need to adjust your BIOS options first.
                   1938:
                   1939: <p>
                   1940: If your machine can boot from USB, you can write <i>install69.img</i> or
                   1941: <i>miniroot69.img</i> to a USB stick and boot from it.
                   1942:
                   1943: <p>
                   1944: If you can't boot from a CD, floppy disk, or USB,
                   1945: you can install across the network using PXE as described in the included
                   1946: INSTALL.amd64 document.
                   1947:
                   1948: <p>
                   1949: If you are planning to dual boot OpenBSD with another OS, you will need to
                   1950: read INSTALL.amd64.
                   1951:
                   1952: <h3>OpenBSD/arm64:</h3>
                   1953:
                   1954: <p>
1.60      jsg      1955: Write <i>install69.img</i> or <i>miniroot69.img</i> to a disk and boot from it
                   1956: after connecting to the serial console.  Refer to INSTALL.arm64 for more
                   1957: details.
1.1       deraadt  1958:
                   1959: <h3>OpenBSD/armv7:</h3>
                   1960:
                   1961: <p>
                   1962: Write a system specific miniroot to an SD card and boot from it after connecting
                   1963: to the serial console.  Refer to INSTALL.armv7 for more details.
                   1964:
                   1965: <h3>OpenBSD/hppa:</h3>
                   1966:
                   1967: <p>
                   1968: Boot over the network by following the instructions in INSTALL.hppa or the
                   1969: <a href="hppa.html#install">hppa platform page</a>.
                   1970:
                   1971: <h3>OpenBSD/i386:</h3>
                   1972:
                   1973: <p>
                   1974: If your machine can boot from CD, you can write <i>install69.iso</i> or
                   1975: <i>cd69.iso</i> to a CD and boot from it.
                   1976: You may need to adjust your BIOS options first.
                   1977:
                   1978: <p>
                   1979: If your machine can boot from USB, you can write <i>install69.img</i> or
                   1980: <i>miniroot69.img</i> to a USB stick and boot from it.
                   1981:
                   1982: <p>
                   1983: If you can't boot from a CD, floppy disk, or USB,
                   1984: you can install across the network using PXE as described in
                   1985: the included INSTALL.i386 document.
                   1986:
                   1987: <p>
                   1988: If you are planning on dual booting OpenBSD with another OS, you will need to
                   1989: read INSTALL.i386.
                   1990:
                   1991: <h3>OpenBSD/landisk:</h3>
                   1992:
                   1993: <p>
                   1994: Write <i>miniroot69.img</i> to the start of the CF
                   1995: or disk, and boot normally.
                   1996:
                   1997: <h3>OpenBSD/loongson:</h3>
                   1998:
                   1999: <p>
                   2000: Write <i>miniroot69.img</i> to a USB stick and boot bsd.rd from it
                   2001: or boot bsd.rd via tftp.
                   2002: Refer to the instructions in INSTALL.loongson for more details.
                   2003:
                   2004: <h3>OpenBSD/luna88k:</h3>
                   2005:
                   2006: <p>
                   2007: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
                   2008: from the PROM, and then bsd.rd from the bootloader.
                   2009: Refer to the instructions in INSTALL.luna88k for more details.
                   2010:
                   2011: <h3>OpenBSD/macppc:</h3>
                   2012:
                   2013: <p>
                   2014: Burn the image from a mirror site to a CDROM, and power on your machine
                   2015: while holding down the <i>C</i> key until the display turns on and
                   2016: shows <i>OpenBSD/macppc boot</i>.
                   2017:
                   2018: <p>
                   2019: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
                   2020: /6.9/macppc/bsd.rd</i>
                   2021:
                   2022: <h3>OpenBSD/octeon:</h3>
                   2023:
                   2024: <p>
                   2025: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
                   2026: Refer to the instructions in INSTALL.octeon for more details.
                   2027:
                   2028: <h3>OpenBSD/powerpc64:</h3>
                   2029:
                   2030: <p>
                   2031: To install, write <i>install69.img</i> or <i>miniroot69.img</i> to a
                   2032: USB stick, plug it into the machine and choose the <i>OpenBSD
                   2033: install</i> menu item in Petitboot.
                   2034: Refer to the instructions in INSTALL.powerpc64 for more details.
                   2035:
                   2036: <h3>OpenBSD/sgi:</h3>
                   2037:
                   2038: <p>
                   2039: To install, burn cd69.iso on a CD-R, put it in the CD drive of your
                   2040: machine and select <i>Install System Software</i> from the System Maintenance
                   2041: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
                   2042: CD-ROM, and need a proper invocation from the PROM prompt.
                   2043: Refer to the instructions in INSTALL.sgi for more details.
                   2044:
                   2045: <p>
                   2046: If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
                   2047: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
                   2048: system type. Refer to the instructions in INSTALL.sgi for more details.
                   2049:
                   2050: <h3>OpenBSD/sparc64:</h3>
                   2051:
                   2052: <p>
                   2053: Burn the image from a mirror site to a CDROM, boot from it, and type
                   2054: <i>boot cdrom</i>.
                   2055:
                   2056: <p>
                   2057: If this doesn't work, or if you don't have a CDROM drive, you can write
                   2058: <i>floppy69.img</i> or <i>floppyB69.img</i>
                   2059: (depending on your machine) to a floppy and boot it with <i>boot
                   2060: floppy</i>. Refer to INSTALL.sparc64 for details.
                   2061:
                   2062: <p>
                   2063: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
                   2064: will most likely fail.
                   2065:
                   2066: <p>
                   2067: You can also write <i>miniroot69.img</i> to the swap partition on
                   2068: the disk and boot with <i>boot disk:b</i>.
                   2069:
                   2070: <p>
                   2071: If nothing works, you can boot over the network as described in INSTALL.sparc64.
                   2072: </section>
                   2073:
                   2074: <hr>
                   2075:
                   2076: <section id=upgrade>
                   2077: <h3>How to upgrade</h3>
                   2078: <p>
1.22      benno    2079: If you already have an OpenBSD 6.8 system, and do not want to reinstall,
1.1       deraadt  2080: upgrade instructions and advice can be found in the
                   2081: <a href="faq/upgrade69.html">Upgrade Guide</a>.
                   2082: </section>
                   2083:
                   2084: <hr>
                   2085:
                   2086: <section id=sourcecode>
                   2087: <h3>Notes about the source code</h3>
                   2088: <p>
                   2089: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
                   2090: This file contains everything you need except for the kernel sources,
                   2091: which are in a separate archive.
                   2092: To extract:
                   2093: <blockquote><pre>
                   2094: # <kbd>mkdir -p /usr/src</kbd>
                   2095: # <kbd>cd /usr/src</kbd>
                   2096: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
                   2097: </pre></blockquote>
                   2098: <p>
                   2099: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
                   2100: This file contains all the kernel sources you need to rebuild kernels.
                   2101: To extract:
                   2102: <blockquote><pre>
                   2103: # <kbd>mkdir -p /usr/src/sys</kbd>
                   2104: # <kbd>cd /usr/src</kbd>
                   2105: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
                   2106: </pre></blockquote>
                   2107: <p>
                   2108: Both of these trees are a regular CVS checkout.  Using these trees it
                   2109: is possible to get a head-start on using the anoncvs servers as
                   2110: described <a href="anoncvs.html">here</a>.
                   2111: Using these files
                   2112: results in a much faster initial CVS update than you could expect from
                   2113: a fresh checkout of the full OpenBSD source tree.
                   2114: </section>
                   2115:
                   2116: <hr>
                   2117:
                   2118: <section id=ports>
                   2119: <h3>Ports Tree</h3>
                   2120: <p>
                   2121: A ports tree archive is also provided.  To extract:
                   2122: <blockquote><pre>
                   2123: # <kbd>cd /usr</kbd>
                   2124: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
                   2125: </pre></blockquote>
                   2126: <p>
                   2127: Go read the <a href="faq/ports/index.html">ports</a> page
                   2128: if you know nothing about ports
                   2129: at this point.  This text is not a manual of how to use ports.
                   2130: Rather, it is a set of notes meant to kickstart the user on the
                   2131: OpenBSD ports system.
                   2132: <p>
                   2133: The <i>ports/</i> directory represents a CVS checkout of our ports.
                   2134: As with our complete source tree, our ports tree is available via
                   2135: <a href="anoncvs.html">AnonCVS</a>.
                   2136: So, in order to keep up to date with the -stable branch, you must make
                   2137: the <i>ports/</i> tree available on a read-write medium and update the tree
                   2138: with a command like:
                   2139: <blockquote><pre>
                   2140: # <kbd>cd /usr/ports</kbd>
                   2141: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_9</kbd>
                   2142: </pre></blockquote>
                   2143: <p>
                   2144: [Of course, you must replace the server name here with a nearby anoncvs
                   2145: server.]
                   2146: <p>
                   2147: Note that most ports are available as packages on our mirrors. Updated
                   2148: ports for the 6.9 release will be made available if problems arise.
                   2149: <p>
                   2150: If you're interested in seeing a port added, would like to help out, or just
                   2151: would like to know more, the mailing list
                   2152: <a href="mail.html">ports@openbsd.org</a> is a good place to start.
                   2153: </section>