File: [local] / www / 69.html (download) (as text)
Revision 1.43, Thu Apr 15 20:55:53 2021 UTC (3 years, 1 month ago) by benno
Branch: MAIN
Changes since 1.42: +8 -17 lines
* don't mention rpki-client(8) on each line in a block that is
exclusively about rpki-client.
* change the wording a bit to use present tense when stating current facts.
<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 6.9</title>
<meta name="description" content="OpenBSD 6.9">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/69.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.9
</h2>
<table>
<tr>
<td>
<a href="images/XXX.png">
<img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
<td>
Released May 1, 2021.<br>
Copyright 1997-2021, Theo de Raadt.<br>
<br>
This is the 50th OpenBSD release.<br>
<br>
6.9 Song:
<a href="lyrics.html#69">"XXX"</a>.
<br>
Artwork by Joy San.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.9/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata69.html">the 6.9 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus69.html">detailed log of changes</a> between the
6.8 and 6.9 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-69-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/openbsd-69-base.pub">
RWQZj25CSG5R2oLo5735Hh6C48kkjFsj5rJDjW+fGZwyY+BkD5/zps8f</a>
<tr><td>
openbsd-69-fw.pub:
<td>
RWSYx4htNi/zavF8ZToMBDFz2xymRfFnnR1MEKV9csYbvnrTBwdkXhdy
<tr><td>
openbsd-69-pkg.pub:
<td>
RWQlDXyHx5KlPoEiz4yWRK/Gt/rvPwI8KEAt3utge/dBS7R+EscdzA5K
<tr><td>
openbsd-69-syspatch.pub:
<td>
RWRWuHkSV0U8PUX24vGa3ywrvKNQY6llV3PLvKEzDTiTVPfIRaXPfvzR
</table>
</ul>
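<p>
The four keys above are what <a href="https://man.openbsd.org/signify.1">signify(1)</a>
checks the release sets, packages, firmware and syspatches against. What follows is an
added example, not code from this page or from OpenBSD's signify source: a
standard-library Python parser for the signify public key and signature encodings
(the 2-byte algorithm tag "Ed", an 8-byte key number, then the 32-byte Ed25519 public
key or the 64-byte Ed25519 signature, base64-encoded on the line after
"untrusted comment: "). It decodes the four 6.9 keys listed above and performs the
key-number pairing check that signify runs before the Ed25519 verification proper, the
check behind its "verification failed: checked against wrong key" error. The
constructed signature line in the block carries placeholder signature bytes and exists
only to exercise that pairing check; the Ed25519 verification itself is left to
<code>signify -C</code> / <code>signify -V</code> against files fetched from a mirror.

```python
"""Parse signify(1) public keys and signatures with the standard library only.

Added example; not code from the OpenBSD release page or from signify itself.
Layout, following signify's on-disk structs: a public key is the 2-byte tag "Ed",
an 8-byte key number, then the 32-byte Ed25519 public key; a signature is "Ed",
the same 8-byte key number, then the 64-byte Ed25519 signature.  Both are
base64-encoded on the line after the "untrusted comment: " line.
"""
import base64
from dataclasses import dataclass
from typing import Dict, Tuple

KEYNUMLEN = 8
PUBLICBYTES = 32
SIGBYTES = 64
COMMENTHDR = "untrusted comment: "

# The four OpenBSD 6.9 public keys exactly as listed on the release page.
OPENBSD_69_PUBKEYS = {
    "openbsd-69-base.pub": "RWQZj25CSG5R2oLo5735Hh6C48kkjFsj5rJDjW+fGZwyY+BkD5/zps8f",
    "openbsd-69-fw.pub": "RWSYx4htNi/zavF8ZToMBDFz2xymRfFnnR1MEKV9csYbvnrTBwdkXhdy",
    "openbsd-69-pkg.pub": "RWQlDXyHx5KlPoEiz4yWRK/Gt/rvPwI8KEAt3utge/dBS7R+EscdzA5K",
    "openbsd-69-syspatch.pub": "RWRWuHkSV0U8PUX24vGa3ywrvKNQY6llV3PLvKEzDTiTVPfIRaXPfvzR",
}


@dataclass(frozen=True)
class SignifyKey:
    keynum: bytes   # 8-byte identifier signify uses to pair keys with signatures
    pubkey: bytes   # 32-byte Ed25519 public key


@dataclass(frozen=True)
class SignifySig:
    keynum: bytes
    sig: bytes      # 64-byte Ed25519 signature (not verified in this example)


def _payload(text: str) -> bytes:
    """Decode the base64 body of a .pub/.sig file.

    Accepts the full two-line file (comment line, then base64) or a bare
    base64 string as printed on the release page.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) >= 2:
        if not lines[0].startswith(COMMENTHDR):
            raise ValueError("invalid comment; must start with %r" % COMMENTHDR)
        b64 = lines[1]
    elif len(lines) == 1:
        b64 = lines[0]
    else:
        raise ValueError("empty signify file")
    return base64.b64decode(b64, validate=True)


def _split(raw: bytes, bodylen: int) -> Tuple[bytes, bytes]:
    """Check the "Ed" tag and total length; return (keynum, body)."""
    if len(raw) != 2 + KEYNUMLEN + bodylen:
        raise ValueError("unexpected length %d" % len(raw))
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm %r" % raw[:2])
    return raw[2:2 + KEYNUMLEN], raw[2 + KEYNUMLEN:]


def parse_pubkey(text: str) -> SignifyKey:
    keynum, pub = _split(_payload(text), PUBLICBYTES)
    return SignifyKey(keynum, pub)


def parse_signature(text: str) -> SignifySig:
    keynum, sig = _split(_payload(text), SIGBYTES)
    return SignifySig(keynum, sig)


def keynum_matches(key: SignifyKey, sig: SignifySig) -> bool:
    """The pairing check signify performs before Ed25519 verification.

    A signature made with a different key (say, the fw key where the base key
    was expected) fails here; signify reports that as
    "verification failed: checked against wrong key".
    """
    return key.keynum == sig.keynum


def constructed_sig_file(key: SignifyKey, sig: bytes = bytes(SIGBYTES)) -> str:
    """Build a constructed .sig body carrying this key's key number.

    The 64 signature bytes default to zeros, so the result only exercises the
    key-number check and can never pass real Ed25519 verification.
    """
    payload = base64.b64encode(b"Ed" + key.keynum + sig).decode("ascii")
    return "%sconstructed test signature\n%s\n" % (COMMENTHDR, payload)


def load_release_keys() -> Dict[str, SignifyKey]:
    """Decode the four 6.9 keys and confirm each carries a distinct key number."""
    keys = {name: parse_pubkey(b64) for name, b64 in OPENBSD_69_PUBKEYS.items()}
    if len({k.keynum for k in keys.values()}) != len(keys):
        raise ValueError("two release keys share a key number")
    return keys


if __name__ == "__main__":
    keys = load_release_keys()
    for name, key in keys.items():
        print("%-24s keynum=%s" % (name, key.keynum.hex()))
    base, fw = keys["openbsd-69-base.pub"], keys["openbsd-69-fw.pub"]
    sig = parse_signature(constructed_sig_file(base))
    print("base key pairs with base-signed file:", keynum_matches(base, sig))
    print("fw key pairs with base-signed file:  ", keynum_matches(fw, sig))
```

The point of the key-number check is practical: a <code>SHA256.sig</code> that was
signed with the packages or firmware key is rejected before any Ed25519 work is done when
checked against the base key, so "wrong key" and "tampered file" are distinguishable
failures. The comment line is deliberately called "untrusted": it is not covered by the
signature, so nothing in it should influence which key a verifier picks.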
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.9.
For a comprehensive list, see the <a href="plus69.html">changelog</a> leading
to 6.9.
<ul>
<li>New/extended platforms:
<ul>
<li>Support for the <a href="powerpc64.html">powerpc64</a> platform was improved:
<ul>
<li>Added <a href="https://man.openbsd.org/astfb.4">astfb(4)</a>, a
driver for the framebuffer of the Aspeed BMC found on many POWER8 and
POWER9 systems.
<li>Added bsd.mp to powerpc64's installXX.{img,iso}.
<li>Added RETGUARD implementation for powerpc and powerpc64.
<li>Added a workaround for PCI devices that cannot address the full
64-bit PCI address space to powerpc64. Needed for <a
href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> and <a
href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> since Radeon
GPUs only implement 36, 40, or 44 bits of address space.
<li>Added limited emulation of unaligned access in the powerpc64 kernel.
<li>Added support for netbooting to the powerpc64 RAMDISK kernel.
<li>Fixed booting on powerpc64 machines with memory banks higher in
physical address space, needing a larger TCE table.
<li>Introduced power-saving mode on POWER9 CPUs.
<li>Enabled floating-point exceptions on powerpc64.
<li>Added support for <a
href="https://man.openbsd.org/ipmi.4">ipmi(4)</a> on PowerNV systems.
</ul>
<li>Preliminary support was added for devices using the Apple M1 SoC:
<ul>
<li>Recognized Apple Icestorm/Firestorm cores on arm64.
<li>Added support for BCM4378 chips, as found on the Apple M1 SoCs, to
<a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
<li>Added <a href="https://man.openbsd.org/exuart.4">exuart(4)</a>
support for the UART found on the Apple M1 SoC.
<li>Added <a href="https://man.openbsd.org/apldog.4">apldog(4)</a>, a
driver for the watchdog on Apple M1 SoCs, allowing reboot of the
machine.
<li>Added <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>,
a driver for the interrupt controller found on Apple M1 SoCs.
<li>Added <a href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a>,
a driver for the PCIe host bridge on Apple M1 SoCs.
<li>Added <a href="https://man.openbsd.org/apldart.4">apldart(4)</a>,
a driver for the IOMMU on Apple M1 SoCs.
<li>Added support for CPUs with 8-bit ASIDs such as those on
Apple's M1 SoC.
</ul>
<li>The arm64 platform support was improved with the following changes:
<ul>
<li>Optimized arm64 <a
href="https://man.openbsd.org/copyin.9">copyin(9)</a>, <a
href="https://man.openbsd.org/copyout.9">copyout(9)</a> and <a
href="https://man.openbsd.org/kcopy.9">kcopy(9)</a> by doing 16-byte
copies if possible.
<li>Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
<li>Added clock support for i.MX8MP SoCs.
<li>Added support for the VF610 I2C controller to <a
href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
<li>Added <a href="https://man.openbsd.org/dwgpio.4">dwgpio(4)</a>, a
driver for the Synopsys DesignWare GPIO controller.
<li>Added <a
href="https://man.openbsd.org/amlpinctrl.4">amlpinctrl(4)</a> support
for the "Always On" GPIOs.
<li>Made large read and write transactions work in <a
href="https://man.openbsd.org/amliic.4">amliic(4)</a>.
<li>Added support for the PCIe controller found on Amlogic
G12A/G12B/SM1 SoCs to <a
href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
<li>Implemented legacy interrupt support to <a
href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a>.
<li>Added <a href="https://man.openbsd.org/cryptox.4">cryptox(4)</a>,
a driver for armv8 cryptographic extensions.
<li>Added support for PCIe on the NanoPi R4S to <a
href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a>.
<li>Added <a href="https://man.openbsd.org/smmu.4">smmu(4)</a>, a
driver for the ARM System MMU.
<li>Introduced an IOVA early-allocation scheme in <a
href="https://man.openbsd.org/smmu.4">smmu(4)</a>, mitigating the
performance penalty of typical IOVA allocation designs.
<li>Introduced Guard Pages in <a
href="https://man.openbsd.org/smmu.4">smmu(4)</a>, to spot misuse
and misconfiguration of I/O devices more easily.
<li>Added support for RK809 to <a
href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>, as seen on the
Rock Pi N10 with the rk3399pro.
<li>Added support for <a
href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> on the Raspberry Pi
in ACPI mode.
<li>Enabled <a href="https://man.openbsd.org/ixl.4">ixl(4)</a> on arm64.
<li>Updated device-tree bindings for <a
href="https://man.openbsd.org/cwfg.4">cwfg(4)</a> battery capacity
driver to correct attaching and account for monitoring interval
change, making cwfg(4) export values under hw.sensors as expected when
using a Pinebook Pro.
<li>Added ARMv8-5 instruction set related CPU features to arm64.
</ul>
</ul>
<li>Various kernel improvements:
<ul>
<li>Added the RAID1C (encrypted raid1) <a
href="https://man.openbsd.org/softraid.4">softraid(4)</a> discipline,
encrypting data like the CRYPTO discipline and accepting multiple
chunks during creation and assembly like the RAID1 discipline.
<li>Corrected verification of the RAID level specified by the -c option in <a
href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
<li>Introduced kern.video.record for <a
href="https://man.openbsd.org/video.4">video(4)</a> devices, a privacy feature analog
to the kern.audio.record <a
href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> parameter for <a
href="https://man.openbsd.org/audio.4">audio(4)</a> devices. By
default, kern.video.record will be set to zero and blank all data
delivered by drivers attaching to <a
href="https://man.openbsd.org/video.4">video(4)</a>.
<li>Allowed a process to open a <a
href="https://man.openbsd.org/video.4">video(4)</a> device multiple
times. Fixes webcam usage with Firefox and BigBlueButton.
<li>Enabled multiple opens of a <a
href="https://man.openbsd.org/video.4">video(4)</a> device as
described in the V4L2 specification.
<li>Added basic support for kclock timeouts to <a
href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
<li>Changed the <a href="https://man.openbsd.org/pool.9">pool(9)</a>
timeouts to use the system uptime instead of ticks.
<li>Ensured <a href="https://man.openbsd.org/sleep.3">sleep(3)</a>
calls <a href="https://man.openbsd.org/nanosleep.2">nanosleep(2)</a>
even when seconds is zero, delegating to nanosleep(2) all decisions about
whether or not to yield the CPU.
<li>Added a top-level 'reboot' command to <a
href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
<li>Added <a href="https://man.openbsd.org/witness.4">witness(4)</a>
check for uninitialized (or zeroed) lock usage.
<li>Added fd close notification for kqueue-based <a
href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
href="https://man.openbsd.org/select.2">select(2)</a>.
<li>Added a global "nowake" channel for threads avoiding <a
href="https://man.openbsd.org/wakeup.9">wakeup(9)</a> to <a
href="https://man.openbsd.org/tsleep.9">tsleep(9)</a>.
<li>Added trace points for <a
href="https://man.openbsd.org/malloc.9">malloc(9)</a> and <a
href="https://man.openbsd.org/free.9">free(9)</a>, making them
traceable via <a href="https://man.openbsd.org/dt.4">dt(4)</a> and <a
href="https://man.openbsd.org/btrace.8">btrace(8)</a>.
<li>Added <a href="https://man.openbsd.org/btrace.8">btrace(8)</a> -n
(no action) mode, which parses the program and then exits.
<li>Fixed a boot-time crash on sparc64 due to mutex use during the
message buffer initialization.
<li>Prevented a panic on systems whose ACPI firmware provides invalid
memory regions in its reserved memory region reporting table.
<li>Added a barrier between reading the cqe flags and the command ID
to prevent completion of the wrong scsi io for <a
href="https://man.openbsd.org/nvme.4">nvme(4)</a> drives.
<li>Prevented <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
attachment to devices with size zero.
<li>Introduced new function <a
href="https://man.openbsd.org/if_unit.9">if_unit(9)</a>, returning a
pointer to the interface descriptor corresponding to the unique name.
<li>Cleared interrupts on luna88k processors more efficiently at boot
time.
<li>Added <a
href="https://man.openbsd.org/acpiiort.4">acpiiort(4)</a>, a driver
for the ACPI I/O Remapping Table.
<li>Updated clock interrupt count atomically on mips64.
<li>Prevented an amd64 kernel crash with protection fault due to an
invalid offset when reading /dev/kmem.
<li>Permitted access to kern.somaxconn sysctl information when the
unix <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> is used,
allowing Go programs to use "unix" without also including "inet".
<li>Excluded the first page and added a guard page between I/O
virtual address space allocations on arm64.
</ul>
<li>SMP Improvements
<ul>
<li>Introduced "if_cloners_lock" rwlock and used it to serialize
if_clone_{create,destroy}(), avoiding multiple race conditions.
<li>Introduced a system-wide mutex that serializes msgbuf operations.
<li>Made <a
href="https://man.openbsd.org/uvm_pagealloc.9">uvm_pagealloc(9)</a> of
the physical memory allocator mp-safe.
<li>Unlocked <a href="https://man.openbsd.org/getppid.2">getppid(2)</a>.
<li>Introduced locking for amaps and anons, improving build performance.
<li>Moved UNIX domain sockets out of the kernel lock, using the new
"unp_lock" <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> as
solock()'s backend to protect the whole layer.
<li>Unlocked <a href="https://man.openbsd.org/sendsyslog.2">sendsyslog(2)</a>.
<li>Used per-CPU counters for the fault and statistics counters updated in uvm_fault().
</ul>
<li>Direct Rendering Manager
<ul>
<li>Implemented linux interval tree functions for <a
href="https://man.openbsd.org/drm.4">drm(4)</a>.
<li>Fixed <a
href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a> display
commands when using <a href="https://man.openbsd.org/drm.4">drm(4)</a>
drivers on macppc.
<li>Changed from <a
href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> to <a
href="https://man.openbsd.org/mutex.9">mutex(9)</a> for linux rwlocks.
<li>Fixed a panic associated with locks and <a
href="https://man.openbsd.org/drm.4">drm(4)</a> on macppc with
Powerbook5,6 and RV350.
<li>Revised the initialization of the <a
href="https://man.openbsd.org/drm.4">drm(4)</a> Linux emulation layer
to call it only when the first drm instance attaches.
<li>Fixed DRI3 support on <a
href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> and <a
href="https://man.openbsd.org/ati.4">ati(4)</a>.
<li>Created drm nodes in /dev/ with the same names as Linux to simplify
libdrm and negate the need for certain ports patches.
</ul>
<li>VMM/VMD improvements
<ul>
<li>Prevented memory corruption or improper page access in <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a> due to improper TLB
flushing by, for now, wiring the pages used by virtual machines.
<li>Removed the ability of <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a> to boot from kernels
in raw/qcow2 images.
<li>Made <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>
properly indicate VMs are stopping instead of "running" with "vmctl
status".
<li>Cleaned up events on <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a> pause or resume and
fixed an issue leading to broken serial console by cleanly tearing
down and restoring emulated device state on vm send/receive.
<li>Propagated host-side <a
href="https://man.openbsd.org/tap.4">tap(4)</a> lladdr to guest vm
process to allow unicast dhcp and bootp renewals with <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>'s built-in dhcp
server.
<li>Added <a href="https://man.openbsd.org/veb.4">veb(4)</a> to the
list of supported bridges for <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Improved MSR exit handling in <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a> on SVM and VMX
hosts preventing invalid reads and fixing support for 9front.
<li>Added ability to boot compressed ramdisks to <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
</ul>
<li>Various new userland features:
<ul>
<li>Added <a
href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a> "nolog"
option to avoid <a
href="https://man.openbsd.org/syslog.3">syslog(3)</a>.
<li>Allowed specific <a
href="https://man.openbsd.org/sndio.7">sndio(7)</a> devices to be used
for play-only and rec-only modes.
<li>Used an 8th order FIR low-pass filter for resampling in <a
href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> and for <a
href="https://man.openbsd.org/aucat.1">aucat(1)</a>, removing most of
the aliasing noise during resampling.
<li>Disabled <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
autovolume by default and set the default volume to 127. Setting "-w
on" will replicate the previous behavior of automatically decreasing
playback volume when new programs start playing.
<li>Allowed mixing of alternative devices (-F) with different
capabilities in <a
href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> by treating any
device as full-duplex.
<li>Fixed visibility of <a
href="https://man.openbsd.org/sndioctl.1">sndioctl(1)</a> output when
used through a pipe.
<li>Enabled build and install of <a href="https://man.openbsd.org/lldb.1">lldb(1)</a>.
<li>Added <a href="https://man.openbsd.org/logger.1">logger(1)</a>
support to <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>, <a
href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a> and <a
href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> for daemons logging
to stdout/stderr.
<li>Added a configurable button mapping for tap gestures on touchpads
to <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>.
<li>Made <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>
touchpad tap detection less restrictive for multi-finger taps and
improved tap detection.
<li>Enabled <a
href="https://man.openbsd.org/man4/arm64/apm.4">apm(4)</a> on arm64 to
display meaningful information about battery use and capacity.
</ul>
<li>Various bugfixes and tweaks in userland:
<ul>
<li>Fixed a pledge violation in <a
href="https://man.openbsd.org/csh.1">csh(1)</a> where redirecting
input from a file containing ^T would cause csh(1) to perform a tty
ioctl operation against a non-tty.
<li>Made <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a> work
again when fewer than 3 patches are available.
<li>Stopped exempting file systems from <a
href="https://man.openbsd.org/security.8">security(8)</a> on the basis
of nodev and nosuid options, which may not be used for file systems
mounted beneath.
<li>Modified <a href="https://man.openbsd.org/daily.8">daily(8)</a>
to stop reporting disk status and networking statistics.
<li>Made <a
href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> specify
a version when it uses <a
href="https://man.openbsd.org/fw_update.1">fw_update(1)</a> to avoid
the situation where upgrading a pre-6.8 snapshot to 6.8 release with
"-r" would install firmware packages from snapshots.
<li>Increased speed of the dependency check pass for <a
href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
<li>Prevented process exit in multithreaded programs from reporting
the wrong error code.
<li>Allowed booting of amd64/i386 from 4TB GPT formatted disks.
<li>Made the <a href="https://man.openbsd.org/cat.1">cat(1)</a>
-n flag correctly number files with more than INT_MAX lines.
<li>Fixed a memory leak in ld.so's malloc.
<li>Added a "xenodm" login class for <a
href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> and increased
openfiles to 512 to avoid running out of file descriptors with a busy
desktop.
<li>Stopped <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
from adding authorizations for TCP connections by default and added
"listenTCP" to explicitly add authorizations for existing IP addresses
on startup.
<li>Stopped <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
from adding the IPv6 link-local addresses to the TCP listener
authorizations, matching what is done by <a
href="https://man.openbsd.org/startx.1">startx(1)</a>.
<li>Fixed -s option for <a href="https://man.openbsd.org/cmp.1">cmp(1)</a>.
<li>Improved <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> use in <a
href="https://man.openbsd.org/doas.1">doas(1)</a>, specifically adding a
pledge to the "-C" code path.
<li>Improved performance of <a
href="https://man.openbsd.org/malloc.3">malloc(3)</a>'s cache.
<li>Made editing GPT in <a
href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> safer by
defaulting offset to the beginning of the largest free space and
preventing the creation of overlapping partitions.
<li>Fixed a crash that could occur in <a
href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> when a usb
device is unplugged.
<li>Appended .html suffixes to temporary files in <a
href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> to allow
recognition by browsers.
<li>Allowed specification of a path to the <a
href="https://man.openbsd.org/mg.1">mg(1)</a> startup file on the
command line.
<li>Added a "batch" mode to <a
href="https://man.openbsd.org/mg.1">mg(1)</a> via the "-b" command
line option which will initialize a pty, run the specified file of mg
commands and then exit.
<li>Inverted the <a href="https://man.openbsd.org/mg.1">mg(1)</a> "R"
indicator to mean that a "*" next to a file's name indicates that it
is read-only. Made the active buffer indicator more visible by
changing it to ">".
<li>Fixed <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>
redrawing of a multiline PS1 prompt in vi mode and added support for
^R (redraw) in insert mode.
<li>Used <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to
restrict filesystem access in <a
href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
<li>Removed the 30s minimum delay for <a
href="https://man.openbsd.org/xlock.1">xlock(1)</a> timeouts.
<li>Stopped <a href="https://man.openbsd.org/apmd.8">apmd(8)</a> from
deleting its control socket on exit, as deleting the socket after
calling <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> would
cause an unveil restriction violation.
</ul>
<li>Improved hardware support and driver bugfixes, including:
<ul>
<li>Corrected accounting of zero length Transfer Descriptors in <a
href="https://man.openbsd.org/xhci.4">xhci(4)</a>, preventing running
out of free Transfer Ring Blocks.
<li>Moved mfokclock(4) from loongson to make it available for other
platforms and renamed it to <a
href="https://man.openbsd.org/mfokrtc.4">mfokrtc(4)</a>.
<li>Fixed brightness setting on MacBooks.
<li>Added AMD Vi and Intel VTD IOMMU support. This creates separate
domains for each PCI device and can provide protection against invalid
memory access.
<li>Enabled brightness keys on powerbooks where the keyboard attaches
as <a href="https://man.openbsd.org/ukbd.4">ukbd(4)</a>.
<li>Set initial default display brightness on macppc via
of_setbrightness() to ensure <a
href="https://man.openbsd.org/wscons.4">wscons(4)</a> and ofw are in
sync.
<li>Added support for the PL2303HXN series chips to <a
href="https://man.openbsd.org/uplcom.4">uplcom(4)</a>.
<li>Added support for the PCA9547 I2C mux to <a
href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>.
<li>Extended <a href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>
with ACPI support.
<li>Added <a href="https://man.openbsd.org/acpige.4">acpige(4)</a>, a
driver for ACPI generic event devices, used on various
systems to implement power button handling.
<li>Added <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>,
a driver for the GPIO controllers found on modern Intel PCHs.
<li>Added ACPI support to <a
href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
<li>Fixed panics on the HoneyComb LX2K with <a
href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a>.
<li>Fixed very old <a
href="https://man.openbsd.org/umass.4">umass(4)</a> devices where the
INQUIRY command succeeds but with a residue equal to the requested
bytes.
<li>Added Gemini Lake I2C id to <a
href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>, making the
touchpad work on the Teclast F7 Plus laptop.
<li>Introduced <a href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>, a
restricted subset of <a
href="https://man.openbsd.org/uhid.4">uhid(4)</a> for game controllers
which uses /dev/ujoy/* device nodes.
<li>Set up <a href="https://man.openbsd.org/ims.4">ims(4)</a> devices
in X11 to behave like touchpads.
<li>Stopped relying on USB devices to correctly present their
indices, instead searching for the correct interfaces. This fixes E+
Corp. DAC Audio devices.
<li>Introduced <a
href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>, a driver for
Logitech HID++ devices.
<li>Separated reading of general and touchpad-specific <a
href="https://man.openbsd.org/wsmouse.4">wsmouse(4)</a> settings and
corrected identification of device type when reading touchpad
parameters fails.
<li>Added support for 30-bit color modes to <a
href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
and <a href="https://man.openbsd.org/wsfb.4">wsfb(4)</a>.
<li>Made loongson kernels recognize Lynloong LM9002/9003 and LM9013 models.
<li>Used native display resolution 1368x768 for Lynloong all-in-one computers.
</ul>
<li>New or improved network hardware support:
<ul>
<li>Fixed link state change behavior in 82598 <a
href="https://man.openbsd.org/ix.4">ix(4)</a> chips.
<li>Fixed issues with network stopping after the first down/up cycle
in <a href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> Marvell Armada
Ethernet device.
<li>Added SFP+ support to ofw, including support for direct attach cables.
<li>Added 10G media support to <a
href="https://man.openbsd.org/mvpp.4">mvpp(4)</a>.
<li>Added support for 1000base-x and 2500base-x connections to <a
href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>.
<li>Added <a href="https://man.openbsd.org/mvsw.4">mvsw(4)</a>, a
driver for Marvell "SOHO" switches.
<li>Enabled auto-negotiation on the SerDes links, allowing
in-band-status to work between <a
href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> and <a
href="https://man.openbsd.org/mvsw.4">mvsw(4)</a> on the ClearFog GT
8K.
<li>Added support for the i.MX8MP PCIe clocks, USB clocks and second
ethernet.
<li>Added Wake on LAN support to <a
href="https://man.openbsd.org/rge.4">rge(4)</a>.
<li>Enabled IPv4 and TCP/UDP checksum offload on transmission in <a
href="https://man.openbsd.org/ogx.4">ogx(4)</a>.
<li>Raised the maximum number of queues/interrupts from 1 to 16 on <a
href="https://man.openbsd.org/mcx.4">mcx(4)</a> devices.
<li>Added support for the Netgear ProSecure UTM25 to octeon.
<li>Added vid/pid table to <a
href="https://man.openbsd.org/umb.4">umb(4)</a> allowing matching to
alternate configurations.
</ul>
<li>Added or improved wireless network drivers:
<ul>
<li>Fixed the <a href="https://man.openbsd.org/athn.4">athn(4)</a> and
<a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
in client mode against access points which use WPA1/TKIP as
the group cipher.
<li>Added multicast support to <a
href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> to allow IPv6.
<li>Fixed <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a>
repeated DEAUTH and loss/restoration of link.
<li>Introduced a delay to work around an issue in <a
href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> on the BCM43602 that
was triggering "unexpected pairwise key update" errors.
<li>Enabled <a href="https://man.openbsd.org/athn.4">athn(4)</a> for arm64.
<li>Implemented a new 802.11n Tx rate adaptation algorithm ("RA") for
<a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
<a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, and
<a href="https://man.openbsd.org/athn.4">athn(4)</a>.
<li>Fixed association problems with the <a
href="https://man.openbsd.org/ipw.4">ipw(4)</a> and <a
href="https://man.openbsd.org/iwi.4">iwi(4)</a> drivers.
<li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> attach to
AX201 devices with PCI ID 0x34f0. Needs <a
href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
<li>Fixed a problem where <a
href="https://man.openbsd.org/iwn.4">iwn(4)</a> firmware would
generate bogus block ack requests and stall traffic.
<li>Fixed automatic channel selection in the <a
href="https://man.openbsd.org/athn.4">athn(4)</a> driver
when running in hostap or monitor mode.
</ul>
<li>IEEE 802.11 wireless stack improvements and bugfixes:
<ul>
<li>Fixed length calculations in <a
href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> when there are
multiple MPDUs in one packet.
<li>Fixed 802.11n interoperability with access points that offer
management frame protection.
<li>Flushed the A-MPDU reorder buffer after gap timeout to prevent
frames from remaining in the buffer until the next frame
is received.
<li>Avoided spurious "input packet decapsulations failed" errors in
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a> -W with
A-MSDU enabled.
<li>Fixed automatic selection of the 11a/b/g/n/ac operating mode when
operating as an access point.
</ul>
<li>Generic network stack improvements and bugfixes:
<ul>
<li>Removed the direct ACK on every other data segment. After
receiving a data segment, we were sending out two ACKs, the first one
in tcp_input() direct after receiving and the second ACK after the
userland or the sosplice task read some data out of the socket buffer.
This change removes the ACK in tcp_input(), saving processing time and
improving network performance.
<li>Removed the maxburst feature from tcp_output().
<li>Added a MONITOR feature to interfaces. Packets received on these
interfaces do not enter the network stack for further processing. This
can be used to watch traffic, for example with <a
href="https://man.openbsd.org/bpf.4">bpf(4)</a> without risk of the packets
interfering with the system.
<li>Added etherbridge, the internals of a reusable learning bridge
interface providing common code reusable for other drivers needing a
mac learning bridge.
<li>Introduced <a href="https://man.openbsd.org/veb.4">veb(4)</a>, a
Virtual Ethernet Bridge driver.
<li>Added the ability to force the selection of source IP address for
programs that do not specify a source IP, overriding the default
source IP selection algorithm. This is configurable via <a
href="https://man.openbsd.org/route.8">route(8)</a>
<code>sourceaddr</code> command.
<li>Brought interfaces up when autoconfiguration for inet or inet6 is
enabled (AUTOCONF4 or AUTOCONF6 flags).
<li>Adjusted terminology in <a
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to refer to
"temporary address extensions" rather than the former "privacy
extensions," including the addition of an AUTOCONF6TEMP flag (to
replace the negative flag "INET6_NOPRIVACY"). The autoconfprivacy
option of <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
has been deprecated.
<li>Made it possible to disable the "autoconf" flag but keep
"temporary" enabled in <a
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
<li>For IPv6 addresses, added tracking of address proposal creation
times to be able to establish total lifetime. This information is used
to renew pltime/vltime of privacy addresses per RFC 4941.
<li>Prevented kernel reuse of mbuf memory when generating the ICMP6
response to an IPv6 packet.
<li>Used the Toeplitz hash algorithm to compute a flowid for TCP packets,
which in turn is used to choose the transmit ring on network cards with
multiple rings.
<li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> on macppc
by keeping track of allowed ips pointer correctly.
<li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> ioctl to
handle multiple wgpeers.
<li>Fixed a race between tx/rx handshakes in <a
href="https://man.openbsd.org/wg.4">wg(4)</a>.
<li>Prevented a potential hang when trying to remove a <a
href="https://man.openbsd.org/tun.4">tun(4)</a> interface.
<li>Used the correct rdomain when adding and deleting routes with <a
href="https://man.openbsd.org/mpip.4">mpip(4)</a> and <a
href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
<li>Made <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
"-mplslabel" work with <a
href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
</ul>
<li>Installer and upgrade improvements:
<ul>
<li>Prevented a race in <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> privsep
which could cause autoinstall to fail by calling <a
href="https://man.openbsd.org/ftp.1">ftp(1)</a> without a local
address.
<li>Fixed hangs on amd64 bsd.rd due to misreported core clock
frequency on newer Intel Comet Lake models.
<li>Began distributing the gzip'd version of bsd.rd on all platforms
with boot methods supporting it.
<li>Fixed a problem which prevented use of <a
href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> when an
interface failed to come up and <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> didn't
notice link-timeout expiration.
<li>Prevented <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> from
adjusting the swap 'b' partition size if physmem is zero to keep the
auto-allocate code from putting a filesystem on that partition.
<li>Emulate "[inet] autoconf" <a
href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> lines
with "dhcp" so users testing <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> will
still be able to upgrade manually while the installer uses only <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
</ul>
<li>Security improvements:
<ul>
<li>Added notices to syslog whenever the "%n" format string component
of <a href="https://man.openbsd.org/printf.3">printf(3)</a> is used.
<li>Removed workaround permitting Go executables to do syscalls
directly, forcing them to use shared libc like all other dynamic
binaries.
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>The <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> daemon saw the following changes:
<ul>
<li>Fixed a memory leak when parsing <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> roa-set lists.
<li>Stopped allowing configuration of the same neighbor multiple
times in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
<li>When exporting prefixes from multiple sessions in <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> into the same <a
href="https://man.openbsd.org/pf.4">pf(4)</a> table, now prefixes are
only removed from the table when withdrawn from all sessions that
announced them.
<li>Introduced a send hold timer in <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> to detect stalls on
the sending side of a TCP connection, acting as a last resort to
detect faulty peers.
<li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
"show sets" to display information about the roa-set, as-sets and
prefix-sets loaded into <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
<li>Introduced the <a
href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> per
neighbor and global config option "reject as-set yes/no" to allow
rejection of received UPDATES with AS_SET segments. These rejected
prefixes can be viewed with <a
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> "show rib in
error".
<li>Properly implemented "rde med compare strict" in <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and ensured that the
order of prefixes is always correct.
<li>Added RTR support to <a href="https://man.openbsd.org/bgpd.8">OpenBGPD</a>.
<li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
"show rtr" to display basic information about RTR sessions.
<li>Introduced <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
<code>rde evaluate all</code> to work around path hiding in IXP
route-server environments.
</ul>
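<p>
The new options above fit together in one small configuration. The
following <a href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a>
fragment is an added example and not taken from the release or from the
OpenBGPD project: the AS numbers, addresses and descriptions are made-up
documentation values, and the exact shape of the <code>rtr</code> block and
the <code>roa-set</code> entries is assumed from bgpd.conf(5) rather than
copied from it.

```conf
# Added example bgpd.conf(5) fragment; AS numbers and addresses are
# made-up documentation values (RFC 5737 / RFC 5398 ranges).
AS 64496
router-id 192.0.2.2

# Evaluate every path instead of only the overall best one, so that a
# route server does not hide paths from clients that filter the best path.
rde evaluate all

# Globally reject received UPDATEs that carry AS_SET segments; the rejected
# prefixes remain inspectable with "bgpctl show rib in error".
reject as-set yes

# Static ROA entries used for origin validation; "bgpctl show sets"
# reports what was loaded (roa-set, as-sets and prefix-sets).
roa-set {
	192.0.2.0/24 source-as 64496
	2001:db8::/32 maxlen 48 source-as 64496
}

# RTR session to a local RPKI validator (assumed block syntax);
# "bgpctl show rtr" shows the session state.
rtr 192.0.2.10 {
	descr "local-rpki-validator"
}

neighbor 192.0.2.1 {
	remote-as 64497
	descr "upstream"
	# per-neighbor override of the global reject as-set setting
	reject as-set no
}

# Deny everything by default, then admit only prefixes whose origin
# validation state is valid or not-found; invalid stays denied.
deny from any
allow from any ovs valid
allow from any ovs not-found
```

With this loaded, <code>bgpctl show sets</code>, <code>bgpctl show rtr</code>
and <code>bgpctl show rib in error</code> are the three commands from the
list above that expose, respectively, the loaded sets, the RTR session and
the UPDATEs rejected because of AS_SET segments.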
<li>The <a
href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and <a
href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> routing
daemons saw various internal refactoring to keep the code similar to
changes in other routing daemons and improve maintainability.<br>
Additionally, support was added in <a
href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> for interfaces
that share the same IP.
<li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility:
<ul>
<li>Relaxed checks in <a
href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> and <a
href="https://man.openbsd.org/pf.4">pf(4)</a> to accept any valid
routing domain, even if it does not yet exist.
<li>Made <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
detect and reject bogus ranges before loading the ruleset to prevent a
panic.
<li>Changed route-to in <a
href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> to send
packets to IPs instead of interfaces.
<li>Changed pf_route so <a
href="https://man.openbsd.org/pf.4">pf(4)</a> only runs when packets
enter and leave the stack. By default, pf states are floating, meaning
that packets are matched to states regardless of which interface they're
going over, so running the same packet through pf several times confuses
the state table. This change avoids multiple pf(4) traversals of one
packet.
<li>Prevented the kernel from being stuck in an endless recursion
during TCP path MTU discovery when <a
href="https://man.openbsd.org/pf.4">pf(4)</a> changes the routing
table when sending packets.
<li>When cutting off the head of an overlapping fragment during <a
href="https://man.openbsd.org/pf.4">pf(4)</a> reassembly, reinserted
the fragment into the lookup table with the correct index.
</ul>
<li>IPSEC support in the kernel and the <a href="https://man.openbsd.org/iked.8">iked(8)</a> userland daemon:
<ul>
<li>Added support to request IP addresses as IKEv2 initiator to <a
href="https://man.openbsd.org/iked.8">iked(8)</a>. If 'request addr
0.0.0.0' is configured, any address will be accepted.
<li>Make <a href="https://man.openbsd.org/iked.8">iked(8)</a> accept
ANY dynamic address with 'request addr 0.0.0.0'.
<li>Added 'dynamic' keyword to <a
href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> to allow
configuration of flows to dynamically assigned addresses.
<li>Added the 'any' keyword to <a
href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> for
requests to allow "request address any".
<li>Enabled <a href="https://man.openbsd.org/iked.8">iked(8)</a>
support for ASN1_DN ipsec identifiers.
<li>Implemented <a href="https://man.openbsd.org/iked.8">iked(8)</a>
"from dynamic," installing flows where "dynamic" is replaced by the
received dynamic IP address.
<li>Made sure not to replace 0.0.0.0 with a dynamic address in <a
href="https://man.openbsd.org/iked.8">iked(8)</a> if it is a network
address.
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -s
socket option to specify a control socket.
<li>Used a counter instead of random IV for AES-GCM in <a
href="https://man.openbsd.org/iked.8">iked(8)</a>, eliminating the
risk of random collisions.
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
support for multiple address pools.
<li>Added the <a href="https://man.openbsd.org/iked.8">iked(8)</a>
"set stickyaddress" option, which attempts to assign the same "config
address" when an IKESA is negotiated with the DSTID of an existing
IKESA.
<li>Ensured rekeying of every child SA in <a
href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> support
for RSASSA-PSS signature verification (RFC 7427).
<li>Corrected the first packet of an <a
href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> SA to have
sequence number 1.
<li>Accepted reject and blackhole routes for IPsec PMTU discovery.
<li>Prevented leaking of ipsec_hosts in <a
href="https://man.openbsd.org/iked.8">iked(8)</a> when building
hosts_list.
<li>Prevented initiation of new additional SAs for each policy upon
every <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> config
reload.
<li>Fixed "any" and "dynamic" keywords for flows in <a
href="https://man.openbsd.org/iked.8">iked(8)</a> and added proper
IPv6 support.
<li>Created a path MTU host route for <a
href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> over IPv6.
<li>Added support for INVALID_KE_PAYLOAD in <a
href="https://man.openbsd.org/iked.8">iked(8)</a> CREATE_CHILD_SA
exchange.
<li>Added support for RSA-PSS PKCS1 signatures to <a
href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Fixed path MTU discovery for ESP tunnels in IPv6.
<li>Upgraded to OpenSSL 1.1 compatible crypto API in <a
href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Added an optional "group none" transform for child SAs in <a
href="https://man.openbsd.org/iked.8">iked(8)</a> to ensure the
ability to negotiate optional PFS.
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
dynamic address configuration for roadwarrior clients, with a new
"iface" config option which can be used to specify an interface for
the virtual addresses received from the peer.
<li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
interop problem with strongswan if make-before-break is enabled.
</ul>
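<p>
To show how the roadwarrior-related options in this list combine, here is
an added <a href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a>
example for a client that obtains its tunnel address from a gateway, with
the matching gateway side. It is not configuration from the release or from
the iked project: the addresses, identities, pool and interface names are
made-up values, and the keyword spellings (<code>request address any</code>,
<code>iface</code>, <code>set stickyaddress</code>) are assumed from
iked.conf(5) as described above.

```conf
# Added example iked.conf(5); two separate hosts' files are shown here in
# one block. All names, addresses and the pool are made-up values.

# --- client (initiator) side --------------------------------------------
# "from dynamic" is replaced by the address the gateway assigns; "request
# address any" accepts whatever address the gateway hands out, and "iface"
# names the interface on which that virtual address is installed.
ikev2 "roadwarrior" active esp \
	from dynamic to 0.0.0.0/0 \
	peer 192.0.2.1 \
	srcid "client1@example.org" \
	dstid "vpn.example.org" \
	request address any \
	iface vether0

# --- gateway (responder) side -------------------------------------------
# Keep handing the same config address to a returning client whose DSTID
# matches an existing IKE SA.
set stickyaddress

# "to dynamic" on the responder installs a flow per assigned address;
# the pool below is what clients draw their address from.
ikev2 "gateway" passive esp \
	from 0.0.0.0/0 to dynamic \
	local 192.0.2.1 peer any \
	srcid "vpn.example.org" \
	config address 10.8.0.0/24 \
	config name-server 10.8.0.1
```

The client side illustrates the "from dynamic", "request address any" and
"iface" items; the gateway side illustrates address pools and
"set stickyaddress". Authentication (certificates or PSK) is left at the
iked defaults and would be added to each policy in a real deployment.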
<li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:
<ul>
<li>Prevented a crash due to
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a> listening on port
443 with missing TLS certificates.
<li>Created a new "location (found|notfound)" option for
<a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a> to allow
testing for resource path existence.
<li>Fixed detection of duplicate locations in <a
href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
<li>Fixed leak of access and error log filenames on config reload in
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
<li>Avoid leaking the log message in
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a>'s
server_sendlog.
<li>Fixed a memory leak in
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a> for each TLS
connection, caused by an incorrect order of
<a href="https://man.openbsd.org/close.2">close(2)</a> and
<a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
together with a bug in libssl.
<li>Fixed the <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
example configuration not to generate errors when running without TLS
keys already in place.
<li>Optimized disk reads of
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
by using st_blocksize as high water mark instead of
the socket buffer size.
<li>Do not compare TLS config params for non-TLS servers.
This allows using <code>listen on * port 80</code> and
<code>listen on * port 443</code> in the same server block in
<a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>.
</ul>
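<p>
The two <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>
changes above, the "location found / not found" test and plain and TLS
listeners in one server block, are shown together in this added example.
It is not configuration from the release or from the httpd project: the
host name and certificate paths are made-up values, and the two-word
spelling <code>location not found</code> and the use of
<code>request rewrite</code> inside it are assumed from httpd.conf(5).

```conf
# Added example httpd.conf(5); host name and file paths are made-up values.
server "www.example.org" {
	# Plain and TLS listeners in one block: the tls settings below are
	# no longer compared against the non-TLS listener on port 80.
	listen on * port 80
	listen on * port 443 tls
	tls {
		certificate "/etc/ssl/www.example.org.fullchain.pem"
		key "/etc/ssl/private/www.example.org.key"
	}

	# Paths that exist on disk are served as-is (matched by "found");
	# every other request is rewritten to a single entry document, the
	# usual pattern for client-side routed applications.
	location found "/*" {
		directory no index
	}
	location not found "/*" {
		request rewrite "/index.html"
	}
}
```

The "found" block is optional and only shows that both forms can coexist;
the "not found" block is what turns a missing resource into a rewrite
instead of a 404 response.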
<li><a
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
received the following new features and bugfixes:
<ul>
<li>Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support.
<li>Support the use of more than one URI in the TAL file,
sorting with a preference for https.
<li>Validation of ghostbuster records (RFC 6493).
<li>Fixed checks of the manifest validity interval.
<li>The rsync connection is now killed when the rsync server stalls.
<li>Limited the URL embedded in .cer files to
alphanumeric characters and punctuation.
<li>Added a "-V" option to show version.
<li>Included the default cert.pem file path in tls_load_file error
messages.
</ul>
<li>The <a href="https://man.openbsd.org/dig.1">dig(1)</a> DNS
utility received the following updates:
<ul>
<li>Implemented RFC 8914 Extended DNS Errors for <a
href="https://man.openbsd.org/dig.1">dig(1)</a>.
<li>Fixed <a href="https://man.openbsd.org/dig.1">dig(1)</a> EDNS
Client Subnet option (+subnet=).
<li>Fixed IPv6 link-local address handling for nameservers to talk to
and address to bind to in <a
href="https://man.openbsd.org/dig.1">dig(1)</a>.
<li>Implemented ZONEMD (RFC 8976) in <a
href="https://man.openbsd.org/dig.1">dig(1)</a> to convey a message
digest of the content of a DNS zone.
</ul>
<li>Changes to <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>:
<ul>
<li>Fixed incorrect behavior when using <a
href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> to
change the lease renew/rebind/expiry timing.
<li>Allowed the provision of <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> options on
"dhcp" lines in <a
href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
<li>Finished conversion of <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> timers to
allow monotonic accounting for the active lease.
</ul>
<li>Two new daemons, <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a> were added.
These work alongside with <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> and <a
href="https://man.openbsd.org/unwind.8">unwind(8)</a> to provide a
coherent and simple automatic configuration of network interfaces and
DNS resolution.<br>
The two daemons are not enabled by default for now, but can be tested
by enabling them with <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>.
<ul>
<li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>
implements the DHCP protocol to acquire IPv4 address leases from
servers.
<li><a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>
manages the content of <a
href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> based
on nameserver proposals from dhcpleased(8) and slaacd(8).
</ul>
<li>Other userland network changes:
<ul>
<li>Fixed <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a> cert
and key path inference for absolute paths.
<li>Fixed an incorrect cast in a
<a href="https://man.openbsd.org/vsnprintf.3">vsnprintf(3)</a>
error check
in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
<li>Applied <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>
to <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
<li>Changed <a href="https://man.openbsd.org/ping.8">ping(8)</a> to
drain the raw socket of packets received before it was fully set up, to
avoid reporting ICMP responses intended for other instances of ping(8)
running in parallel.
<li>Added <a href="https://man.openbsd.org/ping.8">ping(8)</a> -g
option to provide a visual display of packets received and lost.
<li>Changed <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>
Duplicate Address Detection (DAD) to only generate a new address if we
are using Semantically Opaque Interface Identifiers.
<li>Handled an autoconf interface changing its rdomain in <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.
<li>Completed <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> implementation
of RFC 8981 temporary address extensions.
<li>Do not leak the domains listed in
<a href="https://man.openbsd.org/unwind.8">unwind(8)</a>'s
blocklist file on each config reload.
<li>Do not leak duplicate domain nodes when loading the
<a href="https://man.openbsd.org/unwind.8">unwind(8)</a>
config.
<li>Fixed rare crashes of <a
href="https://man.openbsd.org/unwind.8">unwind(8)</a> when DNS answers
are larger than the maximum imsg size.
<li>Implemented <a
href="https://man.openbsd.org/unwind.8">unwind(8)</a> listening on
TCP.
<li>Implemented DNS64 synthesis in <a
href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
<li>Disabled logging to <a
href="https://man.openbsd.org/syslog.3">syslog(3)</a> for libunbound
with <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>. Does
not prevent logging to stderr with "unwind -d".
<li>Removed the -L option from <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
<li>Added a simple --timeout implementation to <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>.
<li>Added the <a href="https://man.openbsd.org/rsync.1">rsync(1)</a>
option --no-motd to suppress the information output by the client at
the start of a daemon transfer.
<li>Added support for the use of !command to <a
href="https://man.openbsd.org/mygate.5">mygate(5)</a>, so that
netstart has a late opportunity to perform network configuration.
<li>Made <a href="https://man.openbsd.org/rad.8">rad(8)</a> handle
multiple rdomains in a single daemon (instead of running one daemon per
rdomain).
<li>Added a specific headline to <a
href="https://man.openbsd.org/netstat.1">netstat(1)</a> for TCP state
and IP protocol.
<li>Handle permanent redirects (RFC 7538) in <a
href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch.
<li>Introduced <a href="https://man.openbsd.org/ftp.1">ftp(1)</a>
support for sending the If-Modified-Since header while fetching over
http or https. Switched to using the timestamps from the remote
server's Last-Modified header if available when saving local files and
introduced the ftp "-u" flag to disable this behavior.
<li>Made <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> set
timestamps only on files.
<li>Added requests for a new certificate without requiring -F when <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
detects an added or removed SAN in the config file not reflected in
the existing certificate on disk.
<li>Print rewritten addresses in <a
href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> logged with <a
href="https://man.openbsd.org/pflog.4">pflog(4)</a> for rdr-to, nat-to
and af-to rules.
<li>Removed the <a
href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> traphandler
process.
<li>When calling <a
href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> with
AI_ADDRCONFIG, consider the routing domain when checking for available
address families. This ensures that name resolution is only performed
for the address families available in the rdomain.
<li>Implemented the <a href="https://man.openbsd.org/nc.1">nc(1)</a>
-D socket debug option in <a
href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>, allowing
analysis of TCP connections.
<li>Avoid leaking the help text in
<a href="https://man.openbsd.org/systat.8">systat(8)</a>.
<li>Simplify argument parsing of
<code><a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> stop</code>,
thereby avoiding a
<a href="https://man.openbsd.org/printf.3">printf(3)</a> "%s" with a NULL
argument, a use of an uninitialized variable and a dead else branch.
<li>Increased the maximum length for CHAP challenges to 96 octets to
ensure <a href="https://man.openbsd.org/npppd.8">npppd(8)</a> can
handle longer challenges, such as those sent by Juniper.
</ul>
</ul>
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
<ul>
<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
<li>Allowed use of ## and # in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> styles and added a "w" format modifier for width.
<li>Added a -C flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> run-shell to use a tmux command rather than a shell command.
<li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -N flag to never start the server even if the command would normally do so.
<li>Added the new <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -S flag to new-window to select the existing window if one with the given name already exists, rather than failing.
<li>Added support for X11 color names and other variations for OSC 10/11 and added OSC 110 and 111 to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
<li>Removed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> support for popups where the content is provided directly to tmux.
<li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> "absolute-centre" alignment to use the center of the total space instead of the available space.
<li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> split-window -Z to start the pane zoomed.
<li>Added client-detached notification in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> control mode.
<li>Changed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> search-again with vi keys to work like <a href="https://man.openbsd.org/vi.1">vi(1)</a>.
</ul>
<li>OpenSMTPD 6.9.0
<ul>
<li>Introduced <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>
-a to perform authentication before sending a message.
<li>Fixed a memory leak in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> resolver.
<li>Prevented a crash due to premature release of resources by the <a
href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> filter state
machine.
<li>Switch to libtls internally.
<li>Change the way SNI works in <a href="https://man.openbsd.org/smtpd.conf.5#pki~2">smtpd.conf(5)</a>.
TLS listeners may be configured with multiple certificates; the matching
is based on the names included in these certificates.
<li>Allowed specifying TLS protocols and ciphers per listener and relay action.
<li>Allowed <a
href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
specification of tls protocols and ciphers on relay actions.
</ul>
<li>LibreSSL 3.3.3
<ul>
<li>New Features
<ul>
<li>Support for DTLSv1.2.
<li>Continued rewrite of the record layer for the legacy stack.
<li>Numerous bugs and interoperability issues were fixed in the new verifier.
A few bugs and incompatibilities remain, so this release uses the old
verifier by default.
<li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
</ul>
<li>Portable Improvements
<ul>
<li>Added '--enable-libtls-only' build option, which builds and installs a
statically-linked libtls, skipping libcrypto and libssl. This is useful
for systems that ship with OpenSSL but wish to also package libtls.
<li>Update getentropy on Windows to use Cryptography Next Generation
(CNG). wincrypt is deprecated and no longer works with newer Windows
environments, such as in Windows Store apps.
</ul>
<li>API and Documentation Enhancements
<ul>
<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
<li>Add support for
<a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>
with TLSv1.3.
<li>Add DTLSv1.2 methods.
<li>Implement SSL_is_dtls(3) and use it internally in place of the
SSL_IS_DTLS macro.
<li>Provide
<a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_KEY.3">EVP_PKEY_new_CMAC_KEY(3)</a>.
<li>Add missing prototype for
<a href="https://man.openbsd.org/d2i_DSAPrivateKey_fp.3">d2i_DSAPrivateKey_fp(3)</a>
to x509.h.
<li>Add DTLSv1.2 to
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
s_server and s_client protocol message logging.
<li>Provide
<a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>.
<li>Provide
<a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a>
and
<a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>.
<li>Provide various DTLSv1.2 specific functions and defines.
<li>Document meaning of '*' in the genrsa output.
<li>Updated documentation for
<a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>.
<li>Add documentation for
<a href="https://man.openbsd.org/SSL_get_finished.3">SSL_get_finished(3)</a>.
<li>Document
<a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>.
<li>Document
<a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>.
<li>Document
<a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a>
and
<a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>.
<li>Update
<a href="https://man.openbsd.org/SSL_get_version.3">SSL_get_version(3)</a>
manual for DTLSv1.2 support.
<li>Make supported protocols and options for DHE params more prominent
in <a href="https://man.openbsd.org/tls_config_set_protocols.3">tls_config_set_protocols(3)</a>.
<li>Various documentation improvements around TLS methods.
</ul>
<li>Compatibility Changes
<ul>
<li>Make <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_server
ignore -4 and -6 for compatibility with OpenSSL.
<li>Set SO_REUSEADDR on the server socket in the
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp command.
<li>Send a host header with OCSP queries to make
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp
work with some widely used OCSP responders.
<li>Add ability to
<a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
to parse a port in the specified OCSP URL.
<li>Implement auto chain for the TLSv1.3 server since some software
relies on this.
<li>Implement key exporter for TLSv1.3.
<li>Align <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>
with OpenSSL. This takes into account that it never returned server
ciphers, so now it will fail when called from the client side.
<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
<li>Make
<a href="https://man.openbsd.org/SSL_CTX_get_min_proto_version.3">SSL{_CTX,}_get_{min,max}_proto_version(3)</a>
return a version of zero if the minimum or maximum has been set to
zero to match OpenSSL's behavior.
<li>Add DTLSv1.2 support to
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_client/s_server.
</ul>
<li>Testing and Proactive Security
<ul>
<li>Fixed a NULL pointer dereference that malformed ASN.1 in a certificate
revocation list or a timestamp response token could trigger.
<li>Pull in fix for
<a href="https://man.openbsd.org/EVP_CipherUpdate.3">EVP_CipherUpdate(3)</a>
overflow from OpenSSL.
<li>Use EXFLAG_INVALID to handle out of memory and parse errors in
x509v3_cache_extensions().
<li>Refactor and clean up
<a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
and add regression tests.
</ul>
<li>Internal Improvements
<ul>
<li>Further cleanup of the DTLS record handling.
<li>Continue the replacement of the TLSv1.2 record layer by
reimplementing the read side of the TLSv1.2 record handling.
<li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
<li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
<li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
.data.rel.ro and .rodata, respectively.
<li>Add a const qualifier to srtp_known_profiles.
<li>Simplify TLS method by removing the client and server specific
methods internally.
<li>Avoid casting away const in ssl_ctx_make_profiles().
<li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
the assert work for newer DTLS versions.
<li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
<li>Add a flag to mark DTLS methods as DTLS to have an easy way to
recognize DTLS methods that avoids inspecting the version number.
<li>Mark a few more internal static tables const.
<li>Switch finish{,_peer}_md_len from an int to a size_t.
<li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
was a historical artefact.
<li>Free struct members in tls13_record_layer_free() in their natural
order for reviewability.
<li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
<li>Add tls13_secret_{init,cleanup}() and use them throughout the
TLSv1.3 code base.
<li>Move the read MAC key into the TLSv1.2 record layer.
<li>Make tls12_record_layer_free() NULL safe.
<li>Split the record protection from the TLSv1.2 record layer.
<li>Clean up sequence number handling in the new TLSv1.2 record layer.
<li>Clean up sequence number handling in DTLS.
<li>Clean up dtls1_reset_seq_numbers().
<li>Factor out code for explicit IV length, block size and MAC length
from tls12_record_layer_open_record_protected_cipher().
<li>Provide record layer overhead for DTLS.
<li>Provide functions to determine if TLSv1.2 record protection is
engaged.
<li>Add code to handle change of cipher state in the new TLSv1.2 record
layer.
<li>Mop up now unused dtls1_build_sequence_numbers() function.
<li>Allow setting a keypair on a tls context without specifying the
private key, and fake it internally in libtls. This removes the
need for privsep engines like relayd to use bogus keys.
<li>Skip the private key check for fake private keys.
<li>Move the private key setup from tls_configure_ssl_keypair() to a
helper function with proper error checking.
<li>Change the internal tls_configure_ssl_keypair() function to
return -1 instead of 1 on failure.
<li>Move sequence numbers into the new TLSv1.2 record layer.
<li>Move AEAD handling into the new TLSv1.2 record layer.
<li>Factor out legacy stack version checks.
<li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
were originally added with the default handshake MAC and PRF rather
than the SHA256 handshake MAC and PRF.
<li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
<li>Use dtls1_record_retrieve_buffered_record() to load buffered
application data.
<li>Enforce read ahead with DTLS.
<li>Remove bogus DTLS checks that disabled ECC and OCSP.
<li>Clean up and simplify dtls1_get_cipher().
<li>Group HelloVerifyRequest decoding and add missing check for trailing
data.
<li>Revise HelloVerifyRequest handling for DTLSv1.2.
<li>Handle DTLS1_2_VERSION in various places.
<li>Rename the "truncated" label into "decode_err" and the "f_err"
label into "fatal_err".
<li>Factor out and change some of the legacy client version code.
<li>Simplify version checks in the TLSv1.3 client. Ensure that the
server announced TLSv1.3 and nothing higher and check that the
legacy_version is set to TLSv1.2 as required by RFC 8446.
<li>Only use TLS versions internally rather than both TLS and DTLS
versions since the latter are the one's complement of the human
readable version numbers, which means that newer versions decrease
in value.
<li>Identify DTLS based on the version major value.
<li>Move handling of cipher/hash based cipher suites into the new record
layer.
<li>Add tls12_record_protection_unused() and call it from CCS functions.
<li>Move key/IV length checks closer to usage sites. Also add explicit
checks against
<a href="https://man.openbsd.org/EVP_CIPHER_iv_length.3">EVP_CIPHER_{iv,key}_length()</a>.
<li>Replace two handrolled copies of the check with tls12_record_protection_engaged().
<li>Improve internal version handling: add handshake fields for our
minimum version, our maximum version and the TLS version negotiated
during the handshake. Convert most of the internal code to use these
version fields.
<li>Guard against future internal use of TLS1_get_{client,}_version()
macros.
<li>Remove the internal ssl_downgrade_max_version() function which is no
longer needed.
<li>Add support for DTLSv1.2 version handling.
<li>Remove no longer needed read ahead workarounds in the s_client and
s_server.
<li>Split TLSv1.3 record protection from record layer.
<li>Move the TLSv1.3 handshake struct inside the shared handshake
struct.
<li>Fully initialize rrec in tls12_record_layer_open_record_protected()
to avoid confusing some static analyzers.
<li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
does not set errno.
<li>Convert openssl(1) x509 to new option handling and do the usual
clean up that goes along with it.
<li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
<li>Rename new_cipher to cipher to align naming with keyblock or other
parts of the handshake data.
<li>Move the TLSv1.2 record number increment into the new record layer.
<li>Move finished and peer finished into the handshake struct.
<li>Remove pointless assignment in SSL_get0_alpn_selected().
<li>Add some error checking to openssl(1) x509.
</ul>
<li>Bug Fixes
<ul>
<li>Move point-on-curve check to set_affine_coordinates to avoid
verifying ECDSA signatures with unchecked public keys.
<li>Fix
<a href="https://man.openbsd.org/SSL_is_server.3">SSL_is_server(3)</a>
to behave as documented by re-introducing the client-specific
methods.
<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
<li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
<li>Correct the return value type from ERR_peek_error() to a long.
<li>Avoid use of uninitialized in ASN1_time_parse() which could happen
on parsing UTCTime if the caller did not initialise the passed
struct tm.
<li>Destroy the mutex in a tls_config object on tls_config_free().
<li>Free alert_data and phh_data in tls13_record_layer_free();
these could leak if
<a href="https://man.openbsd.org/SSL_shutdown.3">SSL_shutdown(3)</a>
or <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
were called after closing the underlying socket.
<li>Gracefully handle root certificates being both trusted and
untrusted.
<li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
verifier.
<li>Use the legacy verifier when building auto chains for TLS.
<li>Search the intermediates only after searching the root certs in the
new verifier to avoid problems with the legacy callback.
<li>Bail out early after finding a single chain in the new verifier, if
we have been called via the legacy verifier API.
<li>Set (invalid and likely incomplete) chain on the xsc on chain build
failure prior to calling the callback. This is required by various
callers, including auto chain.
<li>Remove direct assignment of aead_ctx to avoid a leak.
<li>Fail early in legacy exporter if the master secret is not available
to avoid a segfault if it is called when the handshake is not
completed.
<li>Only print the certificate file once on verification failure.
<li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
the new validator checks for EXFLAG_CRITICAL in
x509_vfy_check_chain_extension() for all untrusted certs in the
chain. Take into account that the root is not necessarily trusted.
<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
<li>Fix two bugs in the legacy verifier that resulted from refactoring
of
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a>
for the new verifier: a return value was incorrectly treated as
boolean, making it insufficient to decide whether validation should
carry on or not.
<li>Fix checks for memory caps of constraints names. There are internal
caps on the number of name constraints and other names, that the new
name constraints code allocates per cert chain. These limits were
checked too late, making them only partially effective.
<li>Fix a copy-paste error: skid was confused with an akid when
checking for EXFLAG_INVALID. This broke OCSP validation with
certain mirrors.
<li>Avoid a use-after-scope in tls13_cert_add().
<li>Avoid mangled output in BIO_debug_callback().
<li>Fix client initiated renegotiation by replacing use of s->internal->type
with s->server.
<li>Avoid transcript initialization when sending a TLS HelloRequest,
fixing server initiated renegotiation.
<li>Avoid leaking param->name in x509_verify_param_zero().
<li>Avoid a leak in an error path in openssl(1) x509.
<li>When sending an alert in TLSv1.3, only set its error code when no
other error was set previously. Certain clients rely on specific
SSL_R_ error codes to identify that they are dealing with a self
signed cert.
<li>When switching from the TLSv1.3 stack to the legacy stack include
a TLS record header. This is necessary if there is more than one
handshake message in the TLS plaintext record.
<li>Fix resource handling on error in OCSP_request_add0_id().
<li>Make sure there is enough room for stashing the handshake message
when switching to the legacy TLS stack.
<li>Fix a memory leak in the openssl(1) s_client.
<li>Unbreak DTLS retransmissions for flights that include a CCS.
<li>If x509_verify() fails, ensure that the error is set on both
the x509_verify_ctx() and its store context to make some failures
visible from SSL_get_verify_result().
<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
verifier to fix hashed certificate directories.
<li>Only check
<a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a>
on read and
<a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a>
on write. Previously,
<a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a>
was also checked after read and
<a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a>
after write which could cause stalls in software that uses the same
BIO for read and write.
<li>In <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
verify, also check for error on the store context since the return
value of
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a>
is unreliable in the presence of a callback that returns 1 too often.
<li>Handle additional certificate error cases in the new X.509 verifier.
Keep track of the errors encountered if a verify callback tells the
verifier to continue and report them back via the error on the store
context. This mimics the behavior of the old verifier that would
persist the first error encountered while building the chain.
<li>Report specific failures for "self signed certificates" in a way
compatible with the old verifier since software relies on the
error code.
<li>Plug a large memory leak in the new verifier caused by calling
X509_policy_check(3) repeatedly.
<li>Avoid leaking memory in x509_verify_chain_dup().
</ul>
</ul>
<li>OpenSSH 8.5
<ul>
<li>Security fixes
<ul>
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
fixed a double-free memory corruption that was introduced in OpenSSH
8.2. We treat all such memory faults as potentially exploitable. This
bug could be reached by an attacker with access to the agent socket.<br>
On modern operating systems where the OS can provide information
about the user identity connected to a socket, OpenSSH ssh-agent and
sshd limit agent socket access only to the originating user and root.
Additional mitigation may be afforded by the system's
malloc(3)/free(3) implementation, if it detects double-free
conditions.<br>
The most likely scenario for exploitation is a user forwarding an
agent either to an account shared with a malicious user or to a host
with an attacker holding root access.
</ul>
<li>Potentially incompatible changes.
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release
changes the first-preference signature algorithm from ECDSA to
ED25519.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: set the TOS/DSCP
specified in the configuration for interactive use prior to TCP
connect. The connection phase of the SSH session is time-sensitive and
often explicitly interactive. The ultimate interactive/bulk TOS/DSCP
will be set after authentication completes.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove the
pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias
for aes256-cbc before it was standardized in RFC4253 (2006), has been
deprecated and disabled by default since OpenSSH 7.2 (2016) and was
only briefly documented in ssh.1 in 2001.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: update/replace the
experimental post-quantum hybrid key exchange method based on
Streamlined NTRU Prime coupled with X25519.<br>
The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per its designers,
the sntrup4591761 algorithm was superseded almost two years ago by
sntrup761.
(Note that both the updated method and the one it replaced are
disabled by default.)
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: disable
CheckHostIP by default. It provides insignificant benefits while
making key rotation significantly more difficult, especially for hosts
behind IP-based load-balancers.
</ul>
<li>New Features
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: this release
enables UpdateHostkeys by default subject to some conservative
preconditions:
<ul>
<li>The key was matched in the UserKnownHostsFile (and not in the
GlobalKnownHostsFile).
<li>The same key does not exist under another name.
<li>A certificate host key is not in use.
<li>known_hosts contains no matching wildcard hostname pattern.
<li>VerifyHostKeyDNS is not enabled.
<li>The default UserKnownHostsFile is in use.
</ul>
We expect some of these conditions will be modified or relaxed in
future.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new
LogVerbose configuration directive that allows forcing maximum
debug logging by file/function/line pattern-lists.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
prompting the user to accept a new hostkey, display any other host
names/addresses already associated with the key.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow
UserKnownHostsFile=none to indicate that no known_hosts file should be
used to identify host keys.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
ssh_config KnownHostsCommand option that allows the client to obtain
known_hosts data from a command in addition to the usual files.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
ssh_config PermitRemoteOpen option that allows the client to restrict
the destination when RemoteForward is used with SOCKS.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: for FIDO
keys, if a signature operation fails with an "incorrect PIN" reason and
no PIN was initially requested from the user, then request a PIN and
retry the operation. This supports some biometric devices that fall
back to requiring PIN when reading of the biometric failed, and
devices that require PINs for all hosted credentials.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: implement
client address-based rate-limiting via new <a
href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
PerSourceMaxStartups and PerSourceNetBlockSize directives that provide
more fine-grained control on a per-origin address basis than the
global MaxStartups limit.
</ul>
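The UpdateHostkeys preconditions listed above are, for the most part, questions about the contents of known_hosts: did the host match a plain entry rather than a wildcard pattern, is the entry a certificate authority, and is the same key stored under another name. The following is an added example written for this page, not OpenSSH code and not a reimplementation of its exact logic, that applies those checks to a constructed known_hosts file (the key blobs are placeholders) and reports which preconditions would keep UpdateHostkeys disabled for a given host. The two preconditions that depend on ssh_config rather than the file (VerifyHostKeyDNS, the default UserKnownHostsFile) are passed in as flags. Hashed hostname entries are handled the way OpenSSH writes them (HMAC-SHA1 over the hostname with a base64 salt); the `@cert-authority` marker is the certificate case.

```python
"""Which UpdateHostkeys preconditions does a known_hosts file satisfy?
Added example for this page; assumptions: placeholder key blobs, a
constructed salt, and simplified (not OpenSSH's exact) matching rules."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass
class Entry:
    marker: str    # "" or a leading marker such as "@cert-authority"
    hosts: str     # host pattern field exactly as written in the file
    keytype: str
    key: str       # base64 key blob, compared as an opaque string


def parse_known_hosts(text):
    """Parse known_hosts lines; blank, comment and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        entries.append(Entry(marker, fields[0], fields[1], fields[2]))
    return entries


def hash_hostname(hostname, salt):
    """Produce the '|1|salt|hash' form OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _hashed_match(field, name):
    _, _, salt_b64, hash_b64 = field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64decode(hash_b64), actual)


def _glob_match(pattern, name):
    """ssh-style pattern: only '*' and '?' are metacharacters, case-insensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name, re.IGNORECASE) is not None


def host_matches(field, name):
    """Return (matched, via_wildcard) for one known_hosts host field."""
    if field.startswith("|1|"):
        return _hashed_match(field, name), False
    matched = via_wildcard = False
    for pat in field.split(","):
        negated = pat.startswith("!")
        pat = pat[1:] if negated else pat
        if not _glob_match(pat, name):
            continue
        if negated:
            return False, False   # a negated match excludes the whole line
        matched = True
        via_wildcard = via_wildcard or any(c in pat for c in "*?")
    return matched, via_wildcard


def update_hostkeys_blockers(user_text, hostname, port=22, global_text="",
                             verify_host_key_dns=False, default_user_file=True):
    """List the preconditions that would keep UpdateHostkeys off for hostname.
    An empty list means every precondition checked here is satisfied."""
    name = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    user_entries = parse_known_hosts(user_text)
    matched = []
    for e in user_entries:
        ok, wild = host_matches(e.hosts, name)
        if ok:
            matched.append((e, wild))
    if not matched:
        return ["no entry for %s in UserKnownHostsFile" % name]
    blockers = set()
    for e, wild in matched:
        if wild:
            blockers.add("host matched via wildcard pattern %r" % e.hosts)
        if e.marker == "@cert-authority":
            blockers.add("certificate host key in use (%s)" % e.hosts)
        for other in user_entries:   # same key stored under another name?
            if other is not e and other.key == e.key \
                    and not host_matches(other.hosts, name)[0]:
                blockers.add("key also stored under %r" % other.hosts)
        for g in parse_known_hosts(global_text):
            if g.key == e.key and host_matches(g.hosts, name)[0]:
                blockers.add("key also matched in GlobalKnownHostsFile")
    if verify_host_key_dns:
        blockers.add("VerifyHostKeyDNS is enabled")
    if not default_user_file:
        blockers.add("a non-default UserKnownHostsFile is configured")
    return sorted(blockers)


_SALT = bytes(range(20))   # constructed salt; OpenSSH uses 20 random bytes
SAMPLE_USER_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts; key blobs are placeholders, not real keys",
    "web1.example.org ssh-ed25519 AAAAC3PLACEHOLDER-WEB1",
    "*.lab.example.org ssh-ed25519 AAAAC3PLACEHOLDER-LAB",
    "@cert-authority *.corp.example.org ssh-ed25519 AAAAC3PLACEHOLDER-CA",
    hash_hostname("git.example.org", _SALT) + " ssh-ed25519 AAAAC3PLACEHOLDER-GIT",
    "mirror.example.org ssh-ed25519 AAAAC3PLACEHOLDER-GIT",
    "[bastion.example.org]:2222 ssh-ed25519 AAAAC3PLACEHOLDER-BASTION",
])

if __name__ == "__main__":
    for host, port in [("web1.example.org", 22), ("db.lab.example.org", 22),
                       ("git.example.org", 22), ("bastion.example.org", 2222)]:
        print(host, port, update_hostkeys_blockers(SAMPLE_USER_KNOWN_HOSTS, host, port))
```

Run against the sample, `web1.example.org` and `bastion.example.org` on port 2222 come back with no blockers, while `db.lab.example.org` is held back by the wildcard pattern, `git.example.org` by the same key appearing under `mirror.example.org`, and anything under `*.corp.example.org` by both the wildcard and the certificate authority marker. Matching here is simplified (no `[`-class handling, no `@revoked` processing), so treat the output as a diagnostic aid rather than a statement of what a particular ssh(1) build will decide.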
<li>Bugfixes
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Prefix
keyboard interactive prompts with "(user@host)" to make it easier to
determine which connection they are associated with in cases like scp
-3, ProxyJump, etc. bz#3224
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix
sshd_config SetEnv directives located inside Match blocks. GHPR#201
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
requesting a FIDO token touch on stderr, inform the user once the
touch has been recorded.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prevent
integer overflow when ridiculously large ConnectTimeout values are
specified, capping the effective value (for most platforms) at 24
days. bz#3229
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: consider the
ECDSA key subtype when ordering host key algorithms in the client.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: rename the
PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The
previous name incorrectly suggested that it controlled allowed key
algorithms, when this option actually specifies the signature
algorithms that are accepted. The previous name remains available as
an alias. bz#3253
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: similarly, rename
HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms.
<li><a
href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: add
missing lsetstat@openssh.com documentation and advertisement in the
server's SSH2_FXP_VERSION hello packet.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more strictly
enforce KEX state-machine by banning packet types once they are
received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
<li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the
full range of UIDs/GIDs for chown/chgrp on 32-bit platforms instead of
being limited by LONG_MAX. bz#3206
<li>Minor man page fixes (capitalization, commas, etc.) bz#3223
<li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: when doing
an sftp recursive upload or download of a read-only directory, ensure
that the directory is created with write and execute permissions in
the interim so that the transfer can actually complete, then set the
directory permission as the final step. bz#3222
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
document the -Z option, check the validity of its argument earlier and
provide a better error message if it's not correct. bz#2879
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ignore
comments at the end of config lines in ssh_config, similar to what we
already do for sshd_config. bz#2320
<li><a
href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
mention that DisableForwarding is valid in an sshd_config Match block.
bz#3239
<li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix
incorrect sorting of "ls -ltr" under some circumstances. bz#3248
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix potential
integer truncation of (unlikely) timeout values. bz#3250
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make
hostbased authentication send the signature algorithm in its
SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This makes
HostbasedAcceptedAlgorithms do what it is supposed to: filter on
signature algorithm and not key type.
</ul>
</ul>
<li>Ports and packages:
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 3">
<li>aarch64: XXX
<li>amd64: XXX
<li>arm: XXX
<li>i386: XXX
<li>mips64: XXX
<li>mips64el: XXX
<li>powerpc: XXX
<li>powerpc64: XXX
<li>sparc64: XXX
</ul>
<p>Some highlights:
<ul style="column-count: 3">
<li>Asterisk 18.3.0
<li>Audacity 2.4.2
<li>CMake 3.19.4
<li>Chromium 89.0.4389.128
<li>Emacs 27.2
<li>FFmpeg 4.3.2
<li>GCC 8.4.0
<li>GHC 8.10.3
<li>GNOME 3.38
<li>Go 1.16.2
<li>JDK 8u282 and 11.0.10
<li>KDE Applications 20.12.3
<li>KDE Frameworks 5.80.0
<li>Krita 4.4.3
<li>LLVM/Clang/Clang extra tools 10.0.0
<li>LibreOffice 7.0.5.2
<li>Lua 5.1.5, 5.2.4 and 5.3.6
<li>MariaDB 10.5.9
<li>Mono 6.12.0.122
<li>Mozilla Firefox 87.0 and ESR 78.9.0
<li>Mozilla Thunderbird 78.9.1
<li>Mutt 2.0.6 and NeoMutt 20210205
<li>Node.js 12.16.1
<li>OCaml 4.10.0
<li>OpenLDAP 2.3.43 and 2.4.58
<li>PHP 7.2.34, 7.3.27, 7.4.16 (default) and 8.0.3
<li>Postfix 3.5.10 and 3.6-20200627
<li>PostgreSQL 13.2
<li>Python 2.7.18, 3.8.8 and 3.9.2
<li>Qt 5.15.2
<li>R 4.0.5
<li>Ruby 2.6.7, 2.7.3 and 3.0.1
<li>Rust 1.51.0
<li>SQLite3 3.34.1
<li>Shotcut 21.01.29
<li>Sudo 1.9.6p1
<li>Suricata 6.0.1
<li>Tcl/Tk 8.5.19 and 8.6.8
<li>TeX Live 2020
<li>Vim 8.2.2580 and Neovim 0.4.4
<li>Xfce 4.16
</ul>
<p>
<li>As usual, steady improvements in manual pages and other documentation.
<li>The system includes the following major components from outside suppliers:
<ul>
<li>Xenocara (based on X.Org 7.7 with xserver 1.20.10 + patches,
freetype 2.10.4, fontconfig 2.12.4, Mesa 20.0.8, xterm 367,
xkeyboard-config 2.20, fonttosfnt 1.2.1 and more)
<li>LLVM/Clang 10.0.1 (+ patches)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.32.1 (+ patches)
<li>NSD 4.3.6
<li>Unbound 1.13.1
<li>Ncurses 5.7
<li>Binutils 2.17 (+ patches)
<li>Gdb 6.3 (+ patches)
<li>Awk December 18, 2020 version
<li>Expat 2.2.10
</ul>
</ul>
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.9 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/alpha/INSTALL.alpha">
.../OpenBSD/6.9/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/amd64/INSTALL.amd64">
.../OpenBSD/6.9/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/arm64/INSTALL.arm64">
.../OpenBSD/6.9/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/armv7/INSTALL.armv7">
.../OpenBSD/6.9/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/hppa/INSTALL.hppa">
.../OpenBSD/6.9/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/i386/INSTALL.i386">
.../OpenBSD/6.9/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/landisk/INSTALL.landisk">
.../OpenBSD/6.9/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/loongson/INSTALL.loongson">
.../OpenBSD/6.9/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/luna88k/INSTALL.luna88k">
.../OpenBSD/6.9/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/macppc/INSTALL.macppc">
.../OpenBSD/6.9/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/octeon/INSTALL.octeon">
.../OpenBSD/6.9/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/powerpc64/INSTALL.powerpc64">
.../OpenBSD/6.9/powerpc64/INSTALL.powerpc64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sgi/INSTALL.sgi">
.../OpenBSD/6.9/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sparc64/INSTALL.sparc64">
.../OpenBSD/6.9/sparc64/INSTALL.sparc64</a>
</ul>
</section>
<hr>
<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
<h3>OpenBSD/alpha:</h3>
<p>
If your machine can boot from CD, you can write <i>install69.iso</i> or
<i>cd69.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.
<h3>OpenBSD/amd64:</h3>
<p>
If your machine can boot from CD, you can write <i>install69.iso</i> or
<i>cd69.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install69.img</i> or
<i>miniroot69.img</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
<h3>OpenBSD/arm64:</h3>
<p>
Write <i>miniroot69.img</i> to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.
<h3>OpenBSD/armv7:</h3>
<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
<h3>OpenBSD/hppa:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.
<h3>OpenBSD/i386:</h3>
<p>
If your machine can boot from CD, you can write <i>install69.iso</i> or
<i>cd69.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install69.img</i> or
<i>miniroot69.img</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
<h3>OpenBSD/landisk:</h3>
<p>
Write <i>miniroot69.img</i> to the start of the CF
or disk, and boot normally.
<h3>OpenBSD/loongson:</h3>
<p>
Write <i>miniroot69.img</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
<h3>OpenBSD/luna88k:</h3>
<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
<h3>OpenBSD/macppc:</h3>
<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.
<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.9/macppc/bsd.rd</i>
<h3>OpenBSD/octeon:</h3>
<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
<h3>OpenBSD/powerpc64:</h3>
<p>
To install, write <i>install69.img</i> or <i>miniroot69.img</i> to a
USB stick, plug it into the machine and choose the <i>OpenBSD
install</i> menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.
<h3>OpenBSD/sgi:</h3>
<p>
To install, burn cd69.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
<p>
If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
<h3>OpenBSD/sparc64:</h3>
<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.
<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy69.img</i> or <i>floppyB69.img</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<p>
You can also write <i>miniroot69.img</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>
<hr>
<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.8 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade69.html">Upgrade Guide</a>.
</section>
<hr>
<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>
<hr>
<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided. To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_9</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.9 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to ask.
</section>