Annotation of www/71.html, Revision 1.51
1.1 deraadt 1: <!doctype html>
2: <html lang=en id=release>
1.24 benno 3: <head>
1.1 deraadt 4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.1</title>
7: <meta name="description" content="OpenBSD 7.1">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/71.html">
1.24 benno 11: </head><body>
1.1 deraadt 12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.1
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/xxx.png">
22: <img width="227" height="303" src="images/xxx-s.png" alt="xxx"></a>
23: <td>
1.6 tj 24: Released May ?, 2022. (52nd OpenBSD release)<br>
1.1 deraadt 25: Copyright 1997-2022, Theo de Raadt.<br>
26: <br>
1.3 job 27: Artwork by Luc Houweling.
1.1 deraadt 28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.1/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata71.html">the 7.1 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus71.html">detailed log of changes</a> between the
37: 7.0 and 7.1 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-71-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/openbsd-71-base.pub">
47: RWR2eHwZTOEiTWog354iy3StRj18VbZl87O9uZpa1M2jGLXEkco6vDT5</a>
48: <tr><td>
49: openbsd-71-fw.pub:
50: <td>
51: RWQCAJ4gBK3pbcm/Q5XYxu+hIY3Zvx9kwGv2uJphEN7kNl1DD4QRue6v
52: <tr><td>
53: openbsd-71-pkg.pub:
54: <td>
55: RWQgLTtHQtisyH9qc9imxVFsf+P24M75F1aNio5qJCfG/bO6gATAzC9V
56: <tr><td>
57: openbsd-71-syspatch.pub:
58: <td>
59: RWTVqN+z9ta+Z6Ri7W7Vlf+XgXE30rGXld8kO78L1GmE61U5Xvbr/zHM
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.1.
74: For a comprehensive list, see the <a href="plus71.html">changelog</a> leading
75: to 7.1.
76:
77: <ul>
78:
79: <li>New/extended platforms:
80: <ul>
1.16 benno 81: <li>Support for Apple Silicon Macs has improved and is ready for general use:
1.1 deraadt 82: <ul>
1.10 benno 83: <li>Added <a href="https://man.openbsd.org/aplspi.4">aplspi(4)</a>, a driver for the SPI controller found on the Apple M1 SoC.
84: <li>Added <a href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> support for the keyboard/touchpad on Apple M1 laptops.
1.31 jsg 85: <li>Introduced <a href="https://man.openbsd.org/aplpmgr.4">aplpmgr(4)</a>, a driver for the power management controller found on Apple SoCs.
1.11 benno 86: <li>Introduced <a href="https://man.openbsd.org/aplmbox.4">aplmbox(4)</a>, a driver for the mailbox that provides a communication channel with additional cores integrated on Apple SoCs.
1.31 jsg 87: <li>Introduced <a href="https://man.openbsd.org/apliic.4">apliic(4)</a>, a driver for the I2C controller found on Apple SoCs.
1.11 benno 88: <li>Added the chip ids used on Apple M1 Pro/Max and Apple T2 Macs to <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
89: <li>Rewrote arm64 kernel FPU handling code to fix the random crashes seen with SMP kernels on Apple M1.
90: <li>Restricted the <a href="https://man.openbsd.org/pci.4">pci(4)</a> ioctl interface to devices detected by the kernel, preventing Xorg PCI probes from breaking the WiFi chip on M1 Macs.
91: <li>Introduced <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>, a driver for the SMC found on Apple M1 SoCs.
92: <li>Introduced <a href="https://man.openbsd.org/aplnco.4">aplnco(4)</a>, a driver for the Numerically-controlled oscillator (NCO) clock which drives the audio clocks on Apple silicon.
93: <li>Introduced <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a>, a driver for the TI TAS2770/TAS5770 digital audio amplifier codec found on Apple M1 Macs.
1.14 benno 94: <li>Introduced <a href="https://man.openbsd.org/apldma.4">apldma(4)</a>, a driver for the DMA controller found on Apple SoCs.
1.15 benno 95: <li>Added support to explicitly power on some PCIe devices on the M1 and M1 Pro/Max through a GPIO controlled by the SMC.
96: <li>Added <a href="https://man.openbsd.org/aplcpu.4">aplcpu(4)</a>, a driver to control the CPU performance levels on Apple SoCs.
97: <li>Modified <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a> to support a newer interrupt controller, making OpenBSD run on M1 Pro/Max machines.
98: <li>Added nvmem support to <a href="https://man.openbsd.org/aplpmu.4">aplpmu(4)</a> and made it available on Apple SPMI PMUs.
99: <li>Added RTC support to <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
100: <li>Made the arm64 ramdisk installer fetch <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> firmware from the EFI System Partition on Apple Silicon devices for use during installation and addition to the newly installed system.
101: <li>Added support for controlling keyboard LEDs to <a
102: href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a>.
103: <li>Added basic GPIO support to <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
104: <li>Ensured <a href="https://man.openbsd.org/apldart.4">apldart(4)</a> keeps the DART enabled in front of the display controller to preserve its access to the framebuffer and continued display.
105: <li>Fixed reading motherboard time on Apple machines with old SMC firmware.
106: <li>Implemented reboot/powerdown support in <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
107: <li>Implemented <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a> support for multiple dies, making OpenBSD work on the M1 Ultra.
1.16 benno 108: </ul>
109: <li>Support for other <a href="arm64.html">arm64</a> architecture hardware was also improved with the following changes:
110: <ul>
1.10 benno 111: <li>Introduced <a
112: href="https://man.openbsd.org/gpiocharger.4">gpiocharger(4)</a>, a
113: driver providing support for battery chargers connected to GPIO pins,
114: such as those found on the Pinebook Pro.
115: <li>Introduced <a
116: href="https://man.openbsd.org/gpioleds.4">gpioleds(4)</a> for arm64, a
117: driver providing support for LEDs connected to GPIO pins, such as
118: those found on the Pinebook Pro.
119: <li>Added <a href="https://man.openbsd.org/gpiokeys.4">gpiokeys(4)</a>
120: for arm64, a driver which handles events triggered by GPIO keys such
121: as lid status and power button.
1.11 benno 122: <li>Added pclk clock used by <a
123: href="https://man.openbsd.org/dwdog.4">dwdog(4)</a> on RK3399 to <a
124: href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
1.23 benno 125: <li>Introduced <a
126: href="https://man.openbsd.org/mpfclock.4">mpfclock(4)</a>, a driver
127: for the PolarFire SoC MSS clock controller.
128: <li>Introduced <a
129: href="https://man.openbsd.org/cdsdhc.4">cdsdhc(4)</a>, a driver for
130: the Cadence SD/SDIO/eMMC host controller.
131: <li>Introduced <a
132: href="https://man.openbsd.org/mpfiic.4">mpfiic(4)</a>, a driver for
133: the PolarFire SoC MSS I2C controller.
134: <li>Introduced <a
135: href="https://man.openbsd.org/mpfgpio.4">mpfgpio(4)</a>, a driver for
136: the PolarFire SoC MSS GPIO controller.
137: <li>Enabled <a href="https://man.openbsd.org/cduart.4">cduart(4)</a>
138: on arm64.
139: <li>Added <a
140: href="https://man.openbsd.org/mvpinctrl.4">mvpinctrl(4)</a> support
141: for the CP115 block found on Marvell CN9K SoCs.
142: <li>Added <a href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>
143: support for the AP807 block found on Marvell CN9K SoCs.
1.1 deraadt 144: </ul>
145: <li>Changes on other architectures:
146: <ul>
1.23 benno 147: <li>Enabled <a href="https://man.openbsd.org/uhid.4">uhid(4)</a>/<a
148: href="https://man.openbsd.org/fido.4">fido(4)</a> on riscv64.
1.14 benno 149: <li>Allowed riscv64 installation on a disk with a GPT.
1.16 benno 150: <li>Added missing locking to <a
151: href="https://man.openbsd.org/pmap_extract.9">pmap_extract(9)</a> and
152: <a href="https://man.openbsd.org/pmap_unwire.9">pmap_unwire(9)</a> on
153: arm64 and riscv64.
154: <li>Improved stack unwinding on riscv64 in <a href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
155: <li>Fixed kernel stack alignment on riscv64.
156: <li>Fixed RISC-V lld link code when dealing with object files created with "ld -b".
157: <li>Made sure nothing can map address zero on RISC-V.
158: <li>Made sure armv7, arm64 and RISC-V FDT bootloader code does not write beyond the FDT data structure.
1.11 benno 159: <li>Fixed booting from an IDE block device on the Sun Blade 100.
160: <li>Fixed <a href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> console colors on sparc64.
1.23 benno 161: <li>Enabled <a href="https://man.openbsd.org/dt.4">dt(4)</a> on
162: macppc.
163: <li>Increased <a href="https://man.openbsd.org/ddb.1">ddb(1)</a>
164: access to registers on macppc and powerpc64.
1.16 benno 165: <li>Enabled enforcing of RLIMIT_MEMLOCK on powerpc64.
1.23 benno 166: <li>Allowed <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> trace
167: through interrupt on macppc.
1.1 deraadt 168: </ul>
169: </ul>
170:
171: <li>Various kernel improvements:
172: <ul>
1.16 benno 173: <li>Made futexes work in shared anonymous memory.
174: <li>Improved tracking of mbuf memory usage in the whole system.
175: <li>Switched to using long filenames by default with <a
1.31 jsg 176: href="https://man.openbsd.org/mount_msdos.8">mount_msdos(8)</a>.
1.7 benno 177: <li>Fixed memory leak in <a
178: href="https://man.openbsd.org/fuse.4">fuse(4)</a> when calling <a
179: href="https://man.openbsd.org/namei.9">namei(9)</a>.
1.26 benno 180:
181: <li>Fixed establishing legacy INTx interrupts on machines without a
182: (usable) MSI interrupt controller.
1.7 benno 183: <li>Cleaned up irrelevant uses of 3rd mode_t parameter for <a
184: href="https://man.openbsd.org/open.2">open(2)</a>/<a
185: href="https://man.openbsd.org/openat.2">openat(2)</a>, unused when not
186: creating files.
1.16 benno 187: <li>Reworked garbage collector for <a
188: href="https://man.openbsd.org/unix.4">unix(4)</a> sockets to prevent
189: potential kernel panics.
1.10 benno 190: <li>Changed the power management <a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
191: hw.perfpolicy to "auto" at startup, defaulting to 100%
192: performance with AC power connected and using the auto algorithm when
193: on battery.
1.26 benno 194: <li>Aligned memory allocation for USB device drivers and USB HC
195: drivers, enlarging the USB memory pool.
1.16 benno 196: <li>Prevented a panic in <a
197: href="https://man.openbsd.org/softraid.4">softraid(4)</a> while
198: rebooting if softraid has been disabled.
199:
1.11 benno 200: <li>Fixed hibernate setups where removal of a <a
201: href="https://man.openbsd.org/umass.4">umass(4)</a> device results in
202: a renumbered <a
203: href="https://man.openbsd.org/softraid.4">softraid(4)</a> boot device.
204: <li>Fixed hibernate on newer hardware by allowing more memory ranges.
1.26 benno 205: <li>If CPU sleep state S4 is not available, use S5 for the
206: ACPI-transitions in hibernate support.
207: <li>Added code to update hw.power whenever AC state changes on
208: resume.
1.22 benno 209: <li>Fixed a panic by prohibiting renames of tmpfs mount-points.
1.26 benno 210: <li>Fixed double free after allocation failure in <a
211: href="https://man.openbsd.org/bpf.4">bpf(4)</a>.
1.1 deraadt 212: </ul>
213:
214: <li>SMP Improvements
215: <ul>
1.7 benno 216: <li>Made pipe event filters MP-safe.
217: <li>Set klist lock for sockets to make socket event filters MP-safe.
218: <li>Implemented <a href="https://man.openbsd.org/poll.2">poll(2)</a>,
219: <a href="https://man.openbsd.org/select.2">select(2)</a>, <a
220: href="https://man.openbsd.org/ppoll.2">ppoll(2)</a> and <a
221: href="https://man.openbsd.org/pselect.2">pselect(2)</a> on top of
222: kqueue.
1.41 deraadt 223: <li>Unlocked top part of UVM fault handler on mips64.
1.10 benno 224: <li>Unlocked the <a href="https://man.openbsd.org/kevent.2">kevent(2)</a> system call.
225: <li>Made the kqread event filter MP-safe.
226: <li>Reduced the time overhead of <a
227: href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>-based <a
228: href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
229: href="https://man.openbsd.org/select.2">select(2)</a> system calls by
230: keeping knotes between the system calls.
1.11 benno 231: <li>Unlocked <a href="https://man.openbsd.org/accept.2">accept(2)</a>
232: and <a href="https://man.openbsd.org/accept4.2">accept4(2)</a>
233: syscalls.
234: <li>Prevented <a
235: href="https://man.openbsd.org/select.2">select(2)</a> from blocking if
236: registering found pending events.
237: <li>Protected <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a>
238: input and output with the kernel lock to allow forwarding of non-ipsec
239: traffic in parallel.
240: <li>Unlocked the bottom part of the uvm fault handler.
241: <li>Unlocked <a href="https://man.openbsd.org/getpeername.2">getpeername(2)</a>.
242: <li>Made <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> MP-safe.
1.14 benno 243: <li>Implemented the <a
244: href="https://man.openbsd.org/poll.2">poll(2)</a> system call on top
245: of the <a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>
246: subsystem, obsoleting the old, non-MP-safe poll backend.
1.15 benno 247: <li>Made <a href="https://man.openbsd.org/audio.4">audio(4)</a> event filters MP-safe.
248: <li>Unlocked <a href="https://man.openbsd.org/getsockname.2">getsockname(2)</a>.
249: <li>Added kernel interfaces for atomic load and store functions for int and long to be used in reference counted struct members.
1.1 deraadt 250: </ul>
251:
252: <li>Direct Rendering Manager
253: <ul>
1.5 jsg 254: <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
255: to Linux 5.15.26
256: <li><a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>:
257: support for Elkhart Lake, Jasper Lake, Rocket Lake
258: <li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>:
259: support for Van Gogh APU, Rembrandt "Yellow Carp" Ryzen 6000 APU,
260: Navi 22 "Navy Flounder", Navi 23 "Dimgrey Cavefish",
261: Navi 24 "Beige Goby"
1.16 benno 262: <li>Reinstated a <a href="https://man.openbsd.org/drm.4">drm(4)</a>
263: workaround to get framebuffer size from efifb, preventing fatal errors
264: for the BESSTAR TECH HM90 with Ryzen 9 4900H.
265:
1.1 deraadt 266: </ul>
267:
268: <li>VMM/VMD improvements
269: <ul>
1.8 dv 270: <li>Retired <a href="https://man.openbsd.org/OpenBSD-7.0/switch.4">
271: switch(4)</a> support in <a href="https://man.openbsd.org/vmd.8">
272: vmd(8)</a>.
273: <li>Fixed a bug where <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
274: would exit when requesting a new VM and hitting memory resource
275: limits.
276: <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> state
277: corruption on Intel hosts.
278: <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> cpuid leaf
279: clamping when the host has an invariant TSC.
280: <li>Added quiesce/wakeup hooks to <a href="https://man.openbsd.org/vmm.4">
281: vmm(4)</a> allowing Intel hosts to suspend and hibernate safely with
282: running guests.
283: <li>Added a new login class for <a href="https://man.openbsd.org/vmd.8">
284: vmd(8)</a> on amd64.
1.11 benno 285: <li>Fixed broken <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
286: "boot device cdrom" feature after a fix in seabios.
287: <li>Reintroduced support for <a
288: href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> <code>start -B net
289: -b bsd.rd</code>, which emulates a PXE boot and performs an
290: autoinstall.
1.16 benno 291: <li>Made <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> <a
292: href="https://man.openbsd.org/dt.4">dt(4)</a> tracepoints amd64-only.
1.1 deraadt 293: </ul>
294:
295: <li>Various new userland features:
296: <ul>
1.7 benno 297: <li>Added <a
298: href="https://man.openbsd.org/realpath.1">realpath(1)</a>, a wrapper
299: for <a href="https://man.openbsd.org/realpath.3">realpath(3)</a> for
300: use in ports.
301: <li>Added <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> "ls
302: rogue" to show daemons which are running but not set as "enabled" in
303: <a href="https://man.openbsd.org/rc.conf.local.8">rc.conf.local(8)</a>.
1.16 benno 304: <li>Implemented probe variables in BPFtrace (<a
305: href="https://man.openbsd.org/bt.5">bt(5)</a>).
1.7 benno 306: <li>Provided common <a
307: href="https://man.openbsd.org/btrace.8">btrace(8)</a> scripts
308: kprofile.bt (to save kernel stackframes and produce flamegraphs) and
309: runqlat.bt (to measure the latency of the scheduler runqueues).
1.16 benno 310: <li>DNSSEC support: Implemented RFC6840 (AD flag processing) in the libc resolver, if
1.11 benno 311: using trusted name servers specified with 'trust-ad' in <a
1.41 deraadt 312: href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>.
1.14 benno 313: <li>Enabled support for displaying an estimated battery recharge time
314: in <a href="https://man.openbsd.org/apm.8">apm(8)</a> and <a
315: href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
316: <li>Introduced support for storing capability databases in
317: /etc/login.conf.d, allowing easy addition of custom login classes from
1.16 benno 318: packages and made <a
319: href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> look for the login
320: class in both login.conf and login.conf.d/${class}.
321: <li>Added a <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
322: cache of regions between 128k and 2M to accommodate programs
323: allocating and deallocating regions of these sizes quickly.
324: <li>Added <a href="https://man.openbsd.org/pax.1">pax(1)</a> support
325: for mtime/atime/ctime extended headers (in not-SMALL builds).
326: <li>Added -k flag to <a
327: href="https://man.openbsd.org/gzip.1">gzip(1)</a> and <a
328: href="https://man.openbsd.org/gunzip.1">gunzip(1)</a> to retain
329: (de)compressed file.
1.22 benno 330: <li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> --compare-dest, allowing specification of additional directories to check for files to be available.
331: <li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> --max-size and --min-size.
1.1 deraadt 332: </ul>
333:
334: <li>Various bugfixes and tweaks in userland:
335: <ul>
1.16 benno 336: <li>Stopped <a
337: href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> from
338: communicating warnings starting with "XXX" which appeared to indicate
339: errors.
1.7 benno 340:
1.16 benno 341: <li>Enabled subpixel rendering in FreeType.
342: <li>Updated xorg-server to 21.1.3, leaving in place an earlier change
343: to compute the screen resolution from dimensions returned by the
344: screen, reverted by upstream.
345: <li>Allowed bare numbers for key and mouse bindings in <a
346: href="https://man.openbsd.org/cwm.1">cwm(1)</a>.
347: <li>Added a <a href="https://man.openbsd.org/cwm.1">cwm(1)</a>
348: "group-last" command that shows only the previously active group.
349: <li>Fixed glass console and <a href="https://man.openbsd.org/getty.8">getty(8)</a> interference with Xorg on arm64.
350:
351: <li>Fixed octal escape parsing in <a
352: href="https://man.openbsd.org/tr.1">tr(1)</a> backslash().
353: <li>Added <a href="https://man.openbsd.org/uniq.1">uniq(1)</a>
354: support for arbitrarily long input lines.
355: <li>Made <a href="https://man.openbsd.org/uniq.1">uniq(1)</a> ignore
356: trailing newlines when comparing lines.
357: <li>Made <a href="https://man.openbsd.org/uniq.1">uniq(1)</a> skip()
358: each input line only once, improving performance.
359: <li>Increased <a href="https://man.openbsd.org/tee.1">tee(1)</a> I/O
360: buffer size from 8KB to 64KB.
361: <li>Improved performance of <a
362: href="https://man.openbsd.org/rev.1">rev(1)</a>.
363: <li>Made <a href="https://man.openbsd.org/ed.1">ed(1)</a> flush all
364: stdio streams before running a shell command.
365: <li>Prevented a file descriptor leak in <a
366: href="https://man.openbsd.org/touch.1">touch(1)</a> after <a
367: href="https://man.openbsd.org/futimens.2">futimens(2)</a> failure.
368: <li>Added <a href="https://man.openbsd.org/seq.1">seq(1)</a>, a
369: command to print sequences of numbers.
370:
1.22 benno 371: <li>Set cpuspeed to 0 in <a
372: href="https://man.openbsd.org/apm.8">apm(8)</a> when hw.cpuspeed
373: cannot be retrieved.
1.16 benno 374:
375: <li>Copied the <a href="https://man.openbsd.org/cos.3">cos(3)</a>
376: cosine software implementation from FreeBSD-13, and disabled assembly
377: implementations of trig functions on x86 platforms.
378: <li>Added optimization for tiny x in <a
379: href="https://man.openbsd.org/cos.3">cos(3)</a> and <a
1.21 tj 380: href="https://man.openbsd.org/sin.3">sin(3)</a> trigonometry
381: functions.
1.16 benno 382:
383: <li>Switched <a href="https://man.openbsd.org/aucat.1">aucat(1)</a>
384: internal sample representation and default file encoding to 24-bit.
385: <li>Switched <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
386: internal sample representation to 24-bit fixed point.
387:
388: <li>Allowed passing a different signal than SIGTERM in the default
389: rc_stop() function in <a
390: href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>.
391: <li>Improved and simplified timer handling in <a
392: href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> "stop" and "reload".
393:
1.19 krw 394: <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
395: -b available on all architectures.
1.7 benno 396: <li>Removed the constraint that <a
1.19 krw 397: href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -b block
398: count and block offset must be greater than 63.
399: <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -b
400: partitions other than EFI System partitions DOSACTIVE.
401: <li>Switched to using <a
402: href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -b to create boot
403: partitions on multiple architectures.
1.16 benno 404: <li>Removed <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
405: "disk" editing command.
1.19 krw 406: <li>Prevented <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
407: from initializing an MBR to have overlapping partitions 0 and 3.
1.16 benno 408: <li>Allowed <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to
409: extend the default OpenBSD partition to the end of the disk, rather
410: than truncating at the end of the last full cylinder.
1.19 krw 411: <li>Corrected GPT checksums written by <a
1.16 benno 412: href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> on big-endian
413: architectures to be little-endian as per spec.
414: <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -A
415: preserve BIOS boot partition.
1.19 krw 416: <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -A
417: preserve the EFI System partition on GPT disks with Apple APFS partitions.
418: <li>Removed the builtin MBR from <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>.
419: <li>Removed the "rpath" and "wpath" pledges from <a
420: href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>.
421: <li>Ensured <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
422: creates the default OpenBSD MBR partition only when there is space for it.
423: <li>Ensured <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
424: does not set MBR DOSACTIVE flag on unused partitions when initializing MBR.
425: <li>Reduced the alignment space <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
426: inserts before the start of the default OpenBSD partition.
1.16 benno 427:
1.7 benno 428: <li>Merged bugfixes from upstream into <a
429: href="https://man.openbsd.org/less.1">less(1)</a> including fixes for
430: the prompt hiding feature (CTRL-P) and an integer overflow.
1.16 benno 431: <li>Fixed possible use after free with long lines in <a
432: href="https://man.openbsd.org/less.1">less(1)</a>.
1.7 benno 433: <li>Fixed file descriptor leak of /dev/tty on <a
434: href="https://man.openbsd.org/doas.1">doas(1)</a> auth failure.
435: <li>Replaced <a href="https://man.openbsd.org/lrint.3">lrint(3)</a>,
436: <a href="https://man.openbsd.org/lrintf.3">lrintf(3)</a>, <a
437: href="https://man.openbsd.org/llrint.3">llrint(3)</a> and <a
438: href="https://man.openbsd.org/llrintf.3">llrintf(3)</a>
439: implementations from NetBSD with the existing FreeBSD implementations
440: we were already using for <a
441: href="https://man.openbsd.org/lrintl.3">lrintl(3)</a> and <a
442: href="https://man.openbsd.org/llrintl.3">llrintl(3)</a>.
1.16 benno 443: <li>In various games, call <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
1.7 benno 444: later to prevent it from killing various games using ncurses when both
445: stdout and stderr are redirected to a non-tty.
1.16 benno 446: <li>Switched LLD_ARCHs (architectures using the LLVM <a
447: href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a> linker) to also
448: use the LLVM archiver <a
449: href="https://man.openbsd.org/llvm-ar.1">llvm-ar(1)</a>.
1.24 benno 450: <li>Added openvpn ports (udp/1194 & tcp/1194) to /etc/services.
1.16 benno 451: <li>Prevented an access to uninitialized memory in <a
452: href="https://man.openbsd.org/awk.1">awk(1)</a>.
453: <li>Fixed <a href="https://man.openbsd.org/vi.1">vi(1)</a> recovery
454: mode.
455: <li>Extended and reordered the process accounting information
456: structure <a href="https://man.openbsd.org/acct.5">acct(5)</a>. Flag
457: Day for the <a href="https://man.openbsd.org/acct.2">acct(2)</a> file
458: format.
459: <li>Fixed <a
460: href="https://man.openbsd.org/setusercontext.3">setusercontext(3)</a>
461: error when /etc/login.conf is not present.
1.1 deraadt 462: </ul>
463:
464: <li>Improved hardware support and driver bugfixes, including:
465: <ul>
1.7 benno 466: <li>Added support to <a
467: href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a> for Cannon
468: Lake H and Tiger Lake H platforms.
469: <li>Ensured use of the correct encoding in xenocara when /etc/kbdtype
470: is present with an attached <a
471: href="https://man.openbsd.org/ucc.4">ucc(4)</a> keyboard.
472: <li>Added support for tpm2 CRB interface to <a
473: href="https://man.openbsd.org/tpm.4">tpm(4)</a>, fixing recent S4
474: regressions on the Surface Go 2 caused by a firmware change.
475: <li>Ensured armv7 and arm64 efiboot allocate fresh memory for the
476: device tree with at least one page of free space to extend into. This
477: fixes booting on VMware Fusion.
1.10 benno 478: <li>Stopped binding audio devices exposed by <a
479: href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> to physical
480: devices. <!-- XXX check this -->
481: <li>Fixed handling of interrupts shared between multiple <a
482: href="https://man.openbsd.org/dwiic.4">dwiic(4)</a> devices.
1.11 benno 483: <li>Introduced <a
484: href="https://man.openbsd.org/iicmux.4">iicmux(4)</a>, a driver that
485: switches between I2C busses connected to a single I2C controller by
486: using the pin muxing facilities of an SoC.
487: <li>Introduced <a
488: href="https://man.openbsd.org/pcyrtc.4">pcyrtc(4)</a>, a driver for
489: the NXP PCF85063A/TP RTC chips.
490: <li>Fixed a panic when running <a
491: href="https://man.openbsd.org/utvfu.4">utvfu(4)</a> on <a
492: href="https://man.openbsd.org/xhci.4">xhci(4)</a>.
493: <li>Added <a href="https://man.openbsd.org/acpipci.4">acpipci(4)</a>
494: support for interrupts represented by ACPI PCI Interrupt Link Devices,
495: making PCI interrupts work on QEMU's SBSA target.
1.16 benno 496: <li>Added handling of multi-port controllers to <a
497: href="https://man.openbsd.org/uslcom.4">uslcom(4)</a>.
498: <li>Made <a href="https://man.openbsd.org/com.4">com(4)</a> attach
499: over <a href="https://man.openbsd.org/acpi.4">acpi(4)</a> on amd64.
500: <li>Added address locators for the ACPI "bus" and used these to fix
501: the order of the <a href="https://man.openbsd.org/com.4">com(4)</a>
502: devices to match the traditional order on the ISA bus.
503: <li>Added Intel Jasper Lake to the <a
504: href="https://man.openbsd.org/azalia.4">azalia(4)</a> audio driver.
505: <li>Ensured <a href="https://man.openbsd.org/azalia.4">azalia(4)</a>
506: matches on Intel 300 Series audio, fixing attaching on the Dell G3
507: 3590.
508: <li>Added Synopsys Designware UART support to <a
509: href="https://man.openbsd.org/com.4">com(4)</a>.
510: <li>Fixed an issue where <a
511: href="https://man.openbsd.org/com.4">com(4)</a> would attach for a
512: disabled serial port leading to misdirection of the hardware variant
513: and a subsequent hang when /etc/rc runs <a
514: href="https://man.openbsd.org/ttyflags.8">ttyflags(8)</a> -a.
515: <li>Fixed <a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> for
516: Jasper Lake eMMC.
517: <li>Improved how quirks are handled on <a
518: href="https://man.openbsd.org/sdhc.4">sdhc(4)</a>-compatible drivers.
519: <li>Enabled <a
520: href="https://man.openbsd.org/acpibat.4">acpibat(4)</a> use with the
521: Surface Go 3.
522: <li>Fixed suspend/resume issues with <a
523: href="https://man.openbsd.org/com.4">com(4)</a> at <a
524: href="https://man.openbsd.org/acpi.4">acpi(4)</a>.
525: <li>Correlated <a
526: href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> and <a
1.31 jsg 527: href="https://man.openbsd.org/ucc.4">ucc(4)</a> devices
528: to adjust the volume of the correct audio device
1.16 benno 529: rather than the first one attached.
1.31 jsg 530: <li>Enabled FIFO support in <a
1.16 benno 531: href="https://man.openbsd.org/pluart.4">pluart(4)</a>.
1.31 jsg 532: <li>Added support for Xbox One game controller.
1.16 benno 533: <li>Stopped suspending the <a
534: href="https://man.openbsd.org/tpm.4">tpm(4)</a> device upon
535: hibernation, preventing some systems from hanging when hibernating a
536: second time.
537: <li>Fixed <a href="https://man.openbsd.org/hilkbd.4">hilkbd(4)</a>
538: Swedish keyboard layout on non-PS/2 style keyboards.
1.1 deraadt 539: </ul>
540:
541: <li>New or improved network hardware support:
542: <ul>
1.16 benno 543: <li>Added support to <a
544: href="https://man.openbsd.org/umb.4">umb(4)</a> for SIMCom SIM7600.
1.7 benno 545: <li>Fixed an interrupt storm on <a
546: href="https://man.openbsd.org/dwge.4">dwge(4)</a> variants which
547: support Energy Efficient Ethernet when connected to a switch which
548: does so as well.
1.28 jmatthew 549: <li>Made <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> and <a
550: href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> MP-safe.</li>
1.10 benno 551: <li>Added <a href="https://man.openbsd.org/igc.4">igc(4)</a>, a
552: driver for the Intel 2.5Gb Ethernet controllers.
1.11 benno 553: <li>Implemented <a href="https://man.openbsd.org/em.4">em(4)</a>
554: support for selecting SGMII or SerDes mode depending on the plugged-in
555: SFP transceiver and for reading out transceiver information via <a
556: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
1.16 benno 557: <li>Enabled hardware vlan tagging for <a
558: href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
559: <li>Re-enabled <a href="https://man.openbsd.org/ixl.4">ixl(4)</a>
560: IPv4, TCP4/6 and UDP4/6 checksum offloading. <li>Enabled receive
561: checksum offloading on <a
562: href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
563: <li>Prevented a possible deadlock in <a
564: href="https://man.openbsd.org/cad.4">cad(4)</a>.
1.22 benno 565: <li>Prevented <a href="https://man.openbsd.org/aq.4">aq(4)</a> nics
566: from writing to mbufs taken off the ring when the interface was taken
567: down.
1.28 jmatthew 568: <li>Fixed receive filter handling and vlan packet reception in <a
1.16 benno 569: href="https://man.openbsd.org/aq.4">aq(4)</a>.
1.28 jmatthew 570: <li>Enabled vlan and checksum offloads in <a
1.16 benno 571: href="https://man.openbsd.org/aq.4">aq(4)</a>.
1.28 jmatthew 572: <li>Enabled interrupt moderation in <a
1.16 benno 573: href="https://man.openbsd.org/aq.4">aq(4)</a>, aiming at around 20k
574: per second.
575: <li>Fixed <a href="https://man.openbsd.org/ure.4">ure(4)</a> vlan
576: transmission with hw tagging.
1.28 jmatthew 577: <li>Added preliminary <a
578: href="https://man.openbsd.org/ure.4">ure(4)</a> support for RTL8156B
579: and bug fixes for RTL8153/RTL8156.
1.22 benno 580: <li>Reworked <a href="https://man.openbsd.org/ix.4">ix(4)</a>
581: checksum/vlan offloading and enabled it for IPv6.
582: <li>Enabled IP header checksum offloading in <a
583: href="https://man.openbsd.org/ix.4">ix(4)</a>.
1.30 jmatthew 584: <li>Fixed <a href="https://man.openbsd.org/msk.4">msk(4)</a> operation
585: after interface state changes.
1.35 dv 586: <li>Enabled <a href="https://man.openbsd.org/vmx.4">vmx(4)</a> on arm64.
1.1 deraadt 587: </ul>
588:
589: <li>Added or improved wireless network drivers:
590: <ul>
1.33 stsp 591: <li>Introduced <a href="https://man.openbsd.org/mtw.4">mtw(4)</a>, a
592: driver for MediaTek MT7601U USB wifi devices, enabled on amd64, i386, macppc, and arm64.
593: <li>Added 802.11n Tx aggregation support to the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> driver.
594: <li>Added support for 802.11n 40MHz channels, and 802.11ac 80MHz channels, to the <a
595: href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
596: href="https://man.openbsd.org/iwx.4">iwx(4)</a> drivers.
597: <li>Reset the Tx watchdog timer when a block ack notification is received by
1.7 benno 598: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> and <a
1.33 stsp 599: href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware to prevent spurious device timeouts.
600: <li>Prevent invalid net80211 state transitions in the
601: <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
602: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> drivers
603: to avoid a potential hang.
1.7 benno 604: <li>Fixed a panic when <a
605: href="https://man.openbsd.org/iwx.4">iwx(4)</a> cannot find firmware
606: at boot time.
607: <li>Fixed <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
608: performance drop after roaming between APs in 11n mode.
1.33 stsp 609: <li>When roaming with <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> or
610: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, keep the old BSSID available for use by firmware
611: commands which tear down device state before switching to the new AP.
612: <li>Fix race conditions in the <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
613: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> drivers while roaming between APs with
614: outstanding frames on transmit queues.
1.7 benno 615: <li>Reverted to use <a
616: href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware v17 on Intel
617: AC 7265, fixing instability issues on X1 Carbon gen3.
1.33 stsp 618: <li>Explicitly stop <a
619: href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx block ack sessions when
1.7 benno 620: roaming between access points.
1.11 benno 621: <li>Fixed monitor mode on <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
622: <li>Let <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> and <a
623: href="https://man.openbsd.org/iwm.4">iwm(4)</a> use per-Tx-queue
1.33 stsp 624: interface timers to ensure the Tx watchdog triggers if a particular Tx queue gets
1.11 benno 625: stuck.
1.33 stsp 626: <li>Switched <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> to new -67 firmware images, and updated <a
627: href="https://man.openbsd.org/iwm.4">iwm(4)</a> 9260 and 9560 firmware, to address INTEL-SA-00509.
1.11 benno 628: <li>Made <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> attach to PCI devices with product ID 0x31dc, part of the 9560 chip family.
1.33 stsp 629: <li>Fixed wrong pointer assignment causing the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
630: driver to read Rx block ack request information from the wrong offset.
631: <li>Fixed and reenabled use of probe requests during scans on <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
632: <li>Fixed attach of multiple <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> or <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> interfaces in the same machine.
633: <li>Fixed <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> with 4965 devices.
1.15 benno 634: <li>Improved roaming stability on <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, particularly with wpa_supplicant.
1.16 benno 635: <li>Added relicensed wireless firmwares from Realtek for <a
636: href="https://man.openbsd.org/rsu.4">rsu(4)</a>, <a
637: href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and <a
638: href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> devices, allowing
639: these devices to work without requiring a separate firmware download.
640: <li>Added a workaround for buggy <a
641: href="https://man.openbsd.org/athn.4">athn(4)</a> devices to prevent
642: filling up the node cache when used in hostap mode.
643: <li>Applied a workaround in <a
644: href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a> to fix an
645: external abort under load with <a
646: href="https://man.openbsd.org/athn.4">athn(4)</a>.
647: <li>Made <a href="https://man.openbsd.org/athn.4">athn(4)</a> attach
648: to the Sony UWA-BR100.
649: <li>Fixed "(null node)" panics on <a href="https://man.openbsd.org/run.4">run(4)</a>.
650: <li>Disabled minimum power consumption in <a
651: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> hostap mode,
652: improving connection reliability when used as an access point.
653: <li>Added support for the BCM4387 to <a
654: href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
655: <li>Improved TX performance on <a
656: href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> RTL8192EU devices.
657: <li>Fix TX rate used by <a
658: href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and <a
659: href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> for RTS frames.
1.1 deraadt 660: </ul>
661:
662: <li>IEEE 802.11 wireless stack improvements and bugfixes:
663: <ul>
1.7 benno 664: <li>Added an ADDBA_OFFLOAD capability for wifi devices to manage Tx block ack sessions entirely in firmware.
1.33 stsp 665: <li>Added support for 40MHz channels to net80211 Tx rate adaptation in 11n mode.
1.7 benno 666: <li>Added monitoring of 20/40MHz channel width changes in beacons sent by our access point, notifying drivers when the channel width has changed.
1.33 stsp 667: <li>Introduced an optional background-scan handler for wireless drivers, which drivers can use to take control of the device teardown sequence, ensuring that race conditions between firmware state and net80211 state are avoided.
668: <li>Taught the net80211 stack to remove corresponding frames from ic_pwrsaveq when a power-saving client decides to leave our hostap interface, preventing a panic in the <a
669: href="https://man.openbsd.org/athn.4">athn(4)</a> driver.
1.15 benno 670: <li>Added initial 802.11ac (VHT) support to the wifi stack.
1.33 stsp 671: <li>Made <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> show 802.11ac VHT capability and operation IEs with the IEEE802_11_RADIO data link type (-y) in verbose (-v) mode.
672: <li>Added 802.11ac/VHT TX rate adaptation support to net80211.
1.15 benno 673: <li>When choosing networks during SSID selection, give a higher score to 11ac and 11n access points, prioritizing 11ac.
1.33 stsp 674: <li>When choosing from a set of access points for a given SSID, prefer APs on 5GHz channels over APs on 2GHz channels. This was already supposed to happen in earlier OpenBSD releases but did not always work as intended.
1.1 deraadt 675: </ul>
676:
677: <li>Generic network stack improvements and bugfixes:
678: <ul>
1.7 benno 679: <li>Fixed <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> $nr incorrect macro expansion.
1.15 benno 680: <li>Fixed <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> rdr-to rules failing on certain port ranges when explicitly specified.
681: <li>Ensured the <a href="https://man.openbsd.org/pf.4">pf(4)</a> "set prio" values are checked consistently.
1.11 benno 682: <li>Made "set skip on ..." in <a
683: href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> dynamic; with
684: this, "set skip" can be used on interfaces that are not configured
685: yet.
1.22 benno 686: <li>Protected <a
687: href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> tdb flags and
688: lists with a mutex to prevent crashes involving pfsync, IPsec and
689: parallel forwarding.
690:
691: <li>Added support for PPP IPCP extensions for DNS to <a
692: href="https://man.openbsd.org/sppp.4">sppp(4)</a>.
693: <li>Added display of DNS information from <a
694: href="https://man.openbsd.org/sppp.4">sppp(4)</a> to <a
695: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
696: <li>Switched to calculating <a
697: href="https://man.openbsd.org/pppoe.4">pppoe(4)</a> session duration
698: using system uptime rather than UTC.
699:
700: <li>Fixed <a href="https://man.openbsd.org/veb.4">veb(4)</a> vport
701: handling to prevent improper drop of packets leaving a vport
702: interface.
703: <li>Prevented tweaks to <a
704: href="https://man.openbsd.org/tun.4">tun(4)</a> if_flags when the
705: NET_LOCK isn't held.
706: <li>Prevented reopening of <a
707: href="https://man.openbsd.org/tun.4">tun(4)</a>/<a
708: href="https://man.openbsd.org/tap.4">tap(4)</a> interfaces which are
709: being destroyed.
1.15 benno 710: <li>Rewrote <a href="https://man.openbsd.org/vxlan.4">vxlan(4)</a> to
711: operate independently of <a
712: href="https://man.openbsd.org/bridge.4">bridge(4)</a>, create and bind
713: udp sockets and prevent loops.
1.22 benno 714: <li>Stopped hiding the mtu on "bridge" interfaces which do handle l3
715: traffic in <a
716: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
717: <li>Added mbuf tags to prevent output loops in <a
718: href="https://man.openbsd.org/etherip.4">etherip(4)</a>.
719: <li>Added rtable capability to <a
720: href="https://man.openbsd.org/login.conf.5">login.conf(5)</a>,
721: allowing the rtable a process uses to be specified.
722: <li>Made <a href="https://man.openbsd.org/su.1">su(1)</a> honor the
723: login class routing table when doing a full login with su -l.
724: <li>Fix IP output routines on raw sockets so route sourceaddr can
725: take effect using <a
726: href="https://man.openbsd.org/sendto.2">sendto(2)</a> or similar.
727: <li>Ensured <a
728: href="https://man.openbsd.org/pcap_lookupdev.3">pcap_lookupdev(3)</a>
729: matches only on complete interface names.
1.1 deraadt 730: </ul>
731:
732: <li>Installer and upgrade improvements:
733: <ul>
1.22 benno 734: <li>Corrected installer to understand "inet autoconf" properly in <a
1.7 benno 735: href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
1.22 benno 736: <li>Stopped prompting whether to fall back to HTTP in the installer,
737: making the fallback automatic.
1.7 benno 738: <li>Used <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
739: "join" command by default in <a
740: href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files,
741: replacing the old "nwid".
1.22 benno 742: <li>Replace custom bootloader installation code with <a
743: href="https://man.openbsd.org/installboot.8">installboot(8)</a> on
744: riscv64 and armv7 architecture installations.
745: <li>New logic for <a
746: href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> to avoid
747: excessive moving of files during updates when possible.
748: <li>Documented OpenBSD installation and upgrade customization using the <a
749: href="https://man.openbsd.org/install.site.5">install.site(5)</a> file.
1.10 benno 750: <li>Corrected "!" escape handling in the installer when accepting WEP/WPA passphrase.
1.22 benno 751: <li>Prevented a potential race which could make <a
752: href="https://man.openbsd.org/umount.8">umount(8)</a> fail spuriously
753: in the installer.
754: <li>Made <a href="https://man.openbsd.org/config.8">config(8)</a> -e
755: work with ramdisk kernels.
1.11 benno 756: <li>Made <a href="https://man.openbsd.org/config.8">config(8)</a> -c
757: cmdfile use lines from the command file for all input, not just
758: commands. This allows complex actions like changing device parameters.
1.22 benno 759: <li>Ensured that an interrupted arm64 install from the ramdisk kernel
760: can be restarted.
1.41 deraadt 761: <li>Made redistributable firmwares available across all architectures.
1.11 benno 762: <li>Returned to a shell-script based <a
763: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>, written
764: to be usable by the install script, allowing earlier retrieval of
765: downloaded firmwares.
766: <li>Stopped <a
767: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> from
768: downloading SHA256.sig when not needed, to allow installing local
769: files without network access.
770: <li>Modified the installer to use <a
771: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> to install
772: non-free firmware files if present on the install media.
1.22 benno 773: <li>Made <a
774: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>
775: re-download existing files with failed checksums.
776: <li>Made <a
777: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> use the
778: /snapshots directory only on -current snapshot installations.
1.1 deraadt 779: </ul>
780:
781: <li>Security improvements:
782: <ul>
1.22 benno 783: <li>Clear the length of keys in <a href="https://man.openbsd.org/vnconfig.8">vnconfig(8)</a> alongside keys themselves.
1.7 benno 784: <li>Removed hifn(4), safe(4) and ubsec(4) crypto drivers.
785: <li>Added call to <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to restrict <a href="https://man.openbsd.org/stty.1">stty(1)</a> -f filesystem access.
1.10 benno 786: <li>Disabled <a href="https://man.openbsd.org/xterm.1">xterm(1)</a> mouse tracking by default.
1.22 benno 787: <li>On arm64 architectures, use "rng-seed" and "kaslr-seed" properties from the device tree to mix extra entropy into the random pool.
1.15 benno 788: <li>Made <a href="https://man.openbsd.org/apmd.8">apmd(8)</a> replace /etc/random.seed for hibernate-resumes.
1.11 benno 789: <li>Restricted <a
790: href="https://man.openbsd.org/usbhidctl.1">usbhidctl(1)</a> and <a
791: href="https://man.openbsd.org/usbhidaction.1">usbhidaction(1)</a> file
792: system access with <a
793: href="https://man.openbsd.org/unveil.2">unveil(2)</a>.
1.14 benno 794: <li>Added <a href="https://man.openbsd.org/ps.1">ps(1)</a> status flag "c" to indicate a process is chrooted.
1.15 benno 795: <li>In <a
796: href="https://man.openbsd.org/rpc.rusersd.8">rpc.rusersd(8)</a> <a
797: href="https://man.openbsd.org/unveil.2">unveil(2)</a> "/dev" read-only
798: instead of using <a
799: href="https://man.openbsd.org/chroot.2">chroot(2)</a>.
1.1 deraadt 800: </ul>
801:
802: <li>Routing daemons and other userland network improvements:
803: <ul>
1.40 benno 804:
805: <li><i>switchd(8)</i>, the software-defined networking (SDN) sflow
806: controller, was removed. While interesting, the OpenFlow implementation
807: never managed to really get into a usable state.
1.11 benno 808: <li>Switched <a href="https://man.openbsd.org/nsd.8">nsd(8)</a> to enable DNS cookies by default, matching behavior as released in OpenBSD 7.0.
1.7 benno 809: <li>Ensured enabled resolvers are honored by <a href="https://man.openbsd.org/unwind.8">unwind(8)</a> to keep unused forwarders disabled properly.
1.11 benno 810: <li>Installed missing scope identifiers for IPv6 link-local addresses for <a href="https://man.openbsd.org/unwind.8">unwind(8)</a> and <a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>.
811: <li>Allowed interface names as scope-id in IPv6 link-local addresses in <a href="https://man.openbsd.org/unbound.8">unbound(8)</a>.
1.15 benno 812: <li>Let <a href="https://man.openbsd.org/unwind.8">unwind(8)</a> probe for DNS64 presence with an absolute name, so asr doesn't add search domains and retry.
1.7 benno 813: <li>Stopped duplicating "Connection: close" headers in <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>, only adding it if it's not a websocket response.
1.11 benno 814: <li>Modified <a href="https://man.openbsd.org/syslog.conf.5">syslog.conf(5)</a> examples to use TLS rather than the plaintext protocols.
815: <li>Stopped ignoring <a href="https://man.openbsd.org/carp.4">carp(4)</a> interfaces in <a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>.
816: <li>Made the <a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> host name DHCP option configurable.
817: <li>Prevented a crash in <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> due to updating an interface which no longer exists.
1.15 benno 818: <li>Prevented a potential crash when <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> receives more than 7 nameservers.
819: <li>Fixed crash in <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> when receiving a negative length field for DNS labels.
1.11 benno 820: <li>Fix <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>; create permissions are required for databases.
821: <li>Made <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> start listening on interfaces in the 'down' state. Interfaces can come up later, at which point dhcpd(8) will start receiving packets.
822: <li>Added a basic printer for EAPOL packets to <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>.
1.15 benno 823: <li>Made <a href="https://man.openbsd.org/ping.8">ping(8)</a> print out the source address and sequence number when the signature on an icmp echo reply doesn't match.
824: <li>Rate limit <a href="https://man.openbsd.org/rad.8">rad(8)</a> router advertisements according to RFC 4861.
1.22 benno 825:
1.25 benno 826: <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
827: <ul>
1.29 jsg 828: <li>Stop verifying the cert or CA for a relay using opportunistic TLS.
1.25 benno 829: <li>Enabled TLS verify by default for outbound "smtps://" and "smtp+tls://", restoring documented <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> behavior.
830: </ul>
831:
1.22 benno 832: <li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> received new features and bugfixes:
833: <ul>
834: <li>Respond with 400 Bad Request when a client sends header lines without a colon.
835: <li>Added protocol version checking.
836: <li>Annotated an <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> 413 error with "request body too large" in the error log.
837: <li>Corrected <a
838: href="https://man.openbsd.org/httpd.8">httpd(8)</a> version string
839: checking, responding with 505 Version Not Supported rather than 400
840: Bad Request when the version format is incorrect.
841: <li>Stop sending content alongside responses to HEAD requests.
842: <li>Added support for custom error pages.
843: <li>Added a gzip-static option to <a
844: href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>,
845: allowing delivery of precompressed files with content-encoding gzip.
846: <li>Improved handling of static compressed gzip files.
847: </ul>
848:
1.29 jsg 849: <li>IPsec support was improved:
1.22 benno 850: <ul>
851: <li>Made <a href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> proto config option accept a list to allow specifying multiple protocols for a single policy.
852: <li>Fixed removal of SAs that could not be flushed with <a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> -F.
853: <li>Changed <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a> to log a warning when proto is NULL rather than dereferencing it.
854: <li>Fixed broken key exchange negotiation with matching proposals in <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
855: <li>Added <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> "show certinfo" to show trusted CAs and certificates.
856: <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -V to display the version.
857: <li>Fixed a bug where <a href="https://man.openbsd.org/iked.8">iked(8)</a> sent zero-prefixed NAT-T messages on port 500, causing parsing errors.
858: <li>Improved message fragment retransmissions for <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
859: <li>Make sure <a href="https://man.openbsd.org/iked.8">iked(8)</a> vroute messages are correctly aligned, fixes autoconfiguration of addresses on octeon.
860: </ul>
1.34 claudio 861: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> was
862: made more resilient regarding untrusted input. The following
863: bugfixes and improvements were made:
1.22 benno 864: <ul>
865: <li>Added support for validating BGPsec Router Public Keys.
866: <li>Fix issues with chunked transfer encoding in the RRDP HTTP client.
867: <li>Cleanup and improvement of how IO is handled.
868: <li>Improvements in the way X509 certificates are verified.
869: <li>Limit the number of concurrent rsync processes.
870: <li>Fix CRLF in tal files.
871: <li>Enforce the correct namespace of rrdp files.
872: <li>Fail certificate verification if a certificate contains unknown
873: critical extensions.
874: <li>Improve cleanup of rrdp directory contents.
875: <li>Introduce a validated cache which holds all the files that have
876: successfully been verified by rpki-client.
1.24 benno 877: <li>Add a new option '-f <file>' to validate a signed object in a file
1.22 benno 878: against the RPKI cache.
879: <li>Add various RFC 6488 compliance checks to improve the CMS parser.
880: <li>Improve RRDP replication through less aggressive cache cleanup.
881: <li>Add a check whether a given Manifest EE certificate is listed on the
882: applicable CRL.
883: <li>For forward compatibility permit ASPA object to appear on Manifests.
1.24 benno 884: <li>Various improvements to the '-f <file>' diagnostic option to
1.22 benno 885: now also validate files containing Trust Anchor certs and CRLs.
886: <li>Do not apply timezone offsets when converting X509 times. X509
887: times are in UTC and comparing them to times in different timezones
888: would cause validity problems.
889: </ul>
890: <li>In <a href="https://man.openbsd.org/bgpd.conf.5">bgpd(8)</a>,
891: <ul>
1.29 jsg 892: <li>The <a href="https://man.openbsd.org/bgpd.8">bgpd</a> login
1.22 benno 893: class datasize attribute (in <a
894: href="https://man.openbsd.org/login.conf.5">login.conf(5)</a>) was set
895: to either 16G or 1G, depending on architecture.
1.34 claudio 896: <li>Macro expansion in the config file was improved. It is now possible
897: to expand 'set large-community $myAS:$location:$transit'.
898: <li>Added a "port" option to "listen on" and the "neighbor" section
899: in <a href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> to make it
1.22 benno 900: possible to bind and connect to non-default ports.
1.34 claudio 901: <li>The RIB codebase was refactored in order to add multipath
902: support in an upcoming release.
1.22 benno 903: </ul>
1.1 deraadt 904: </ul>
905:
906: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
907: <ul>
1.7 benno 908: <li>Fixed a crash in <a
909: href="https://man.openbsd.org/tmux.1">tmux(1)</a> when a session with
910: multiple clients is destroyed but tmux does not close completely due
911: to other sessions.
912: <li>Fixed a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
913: redraw problem on automargin terminals.
914: <li>Fixed a problem with repeat in <a
915: href="https://man.openbsd.org/tmux.1">tmux(1)</a> copy mode.
916: <li>Added -T to set a popup title in <a
917: href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
918: <li>Added -s and -S to <a
919: href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-popup to set
920: popup and border style.
921: <li>Fixed application-set fg and bg in <a
922: href="https://man.openbsd.org/tmux.1">tmux(1)</a> panes.
923: <li>Added a way to force a color to RGB in <a
924: href="https://man.openbsd.org/tmux.1">tmux(1)</a> and a format to
925: display it.
1.10 benno 926: <li>Added a cursor-colour option to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
927: <li>Added a cursor-style option to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1.11 benno 928: <li>Added a pane-border-format pane option to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
929: <li>Added attempts to turn on less-capable mouse modes when <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> turns on more-capable ones, in case the terminal doesn't support the desired mode.
1.14 benno 930: <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> option to show arrows for the active pane indicator.
931: <li>Added a key in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> copy mode to toggle the position indicator.
1.15 benno 932: <li>Added an option in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> to set the character for unused areas of the terminal.
933: <li>Add <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> option to control if it scrolls into history on clear.
934: <li>Added OSC 7 capability to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> for setting titles.
1.1 deraadt 935: </ul>
936:
1.42 deraadt 937: <li>LibreSSL version 3.5.2
1.1 deraadt 938: <ul>
939: <li>New Features
940: <ul>
1.9 inoguchi 941: <li>The RFC 3779 API was ported from OpenSSL.<br>
942: Many bugs were fixed, regression tests were added and the code was cleaned up.
943: <li>Certificate Transparency was ported from OpenSSL.<br>
944: Many internal improvements were made, resulting in cleaner and safer code.<br>
945: Regress coverage was added. libssl does not yet make use of it.
1.1 deraadt 946: </ul>
947:
948: <li>Portable Improvements
949: <ul>
1.9 inoguchi 950: <li>Enabled ASAN CI on Linux platform.<br>
951: <li>Fixed various POSIX compliance and other portability issues<br>
952: found by the port to the Sortix operating system.
953: <li>Add libmd as platform specific libraries for Solaris.<br>
954: <li>Set IA-64 compiler flag only if it is HP-UX with IA-64.<br>
955: <li>Enabled and scheduled Coverity scan.<br>
1.1 deraadt 956: </ul>
957:
1.9 inoguchi 958: <li>Compatibility Changes
959: <ul>
960: <li>Most structs that were previously defined in the following headers
961: are now opaque as they are in OpenSSL 1.1:<br>
962: bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
963: x509.h, x509v3.h, x509_vfy.h
964: <li>Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_<br>
965: OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
966: of using something consistent with the previous naming.<br>
967: Various test suites expect these names (instead of checking for the much
968: more sensible cipher numbers).<br>
969: The old names are still accepted as aliases.
970: <li>Subject alternative names and name constraints are now validated
971: when they are added to certificates.<br>
972: Various interoperability problems with stacks that validate
973: certificates more strictly than OpenSSL can be avoided this way.
974: <li>Attempt to opportunistically use the host name for SNI in s_client
975: </ul>
976:
977: <li>Bug fixes
1.1 deraadt 978: <ul>
1.9 inoguchi 979: <li>Avoid infinite loop for custom curves of order 1.<br>
980: <li>Avoid infinite loop on parsing DSA private keys.<br>
981: <li>A malicious certificate can cause an infinite loop.<br>
982: <li>In some situations, the verifier would discard the error on an
983: unvalidated certificate chain.<br>
984: This would happen when the verification callback was in use,
985: instructing the verifier to continue unconditionally.<br>
986: This could lead to incorrect decisions being made in software.
987: <li>Avoid an infinite loop in SSL_shutdown()
988: <li>Fix another return 0 bug in SSL_shutdown()
989: <li>Handle zero byte reads/writes that trigger handshakes in the
990: TLSv1.3 stack
991: <li>A long standing memleak in libtls CRL handling was fixed
1.1 deraadt 992: </ul>
993:
1.9 inoguchi 994: <li>Internal Improvements
1.1 deraadt 995: <ul>
1.9 inoguchi 996: <li>Cache the SHA-512 hash instead of the SHA-1 hash and cache
997: notBefore and notAfter times when X.509 certificates are parsed.
998: <li>The X.509 lookup code has been simplified and cleaned up.
999: <li>Fixed numerous issues flagged by Coverity and the cryptofuzz project
1000: <li>Increased the number of Miller-Rabin checks in DH and DSA
1001: key/parameter generation
1002: <li>Started using the bytestring API in libcrypto for cleaner and
1003: safer code
1004: <li>Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
1005: ASN1
1.44 tb 1006: <li>Convert ASN1_OBJECT_new(), ASN1_STRING_type_new(), ASN1_PCTX_new(),
1007: and X509_CRL_METHOD_new() to using calloc() instead of malloc()
1.9 inoguchi 1008: <li>Rewrite ASN1_STRING_cmp()
1009: <li>Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a function
1010: <li>Consolidate {d2i,i2d}_{pr,pu}.c
1011: <li>Remove handling of a NULL BUF_MEM from asn1_collect()
1012: <li>Pull the recursion depth check up to the top of asn1_collect()
1013: <li>Inline collect_data() in asn1_collect()
1014: <li>Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
1015: <li>Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
1016: <li>Consolidate ASN.1 universal tag type data
1017: <li>Rewrite ASN.1 identifier/length parsing in CBS
1018: <li>Make OBJ_obj2nid() work correctly with NID_undef
1019: <li>tlsext_tick_lifetime_hint is now a uint32_t
1020: <li>Untangle ssl3_get_message() return values
1021: <li>Rename tls13_buffer to tls_buffer
1022: <li>Fold DTLS_STATE_INTERNAL into DTLS1_STATE
1023: <li>Provide a way to determine our maximum legacy version
1024: <li>Mop up enc_read_ctx and read_hash
1025: <li>Fold SSL_SESSION_INTERNAL into SSL_SESSION
1026: <li>Use ssl_force_want_read in the DTLS code
1027: <li>Add record processing limit to DTLS code
1028: <li>Add explicit CBS_contains_zero_byte() check in CBS_strdup()
1029: <li>Improve SNI hostname validation
1030: <li>Ensure SSL_set_tlsext_host_name() is given a valid hostname
1031: <li>Fix a strange check in the auto DH codepath
1032: <li>Factor out/rewrite DHE key exchange
1033: <li>Convert server serialisation of DHE parameters/public key to new
1034: functions
1035: <li>Check DH public key in ssl_kex_peer_public_dhe()
1036: <li>Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
1037: <li>Clean up and refactor server side DHE key exchange
1.44 tb 1038: <li>Provide CBS_get_last_u8(), CBS_get_u64(), CBS_add_u64() and various
1039: CBS_peek_* functions.
1.9 inoguchi 1040: <li>Use CBS_get_last_u8() to find the content type in TLSv1.3 records
1041: <li>unifdef TLS13_USE_LEGACY_CLIENT_AUTH
1042: <li>Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
1043: <li>Only allow zero length key shares when we know we're doing HRR
1044: <li>Pull key share group/length CBB code up from
1045: tls13_key_share_public()
1046: <li>Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
1047: validation
1048: <li>Return 0 on failure from send/get kex functions in the legacy
1049: stack
1050: <li>Rename tls13_key_share to tls_key_share
1051: <li>Allocate and free the EVP_AEAD_CTX struct in
1052: tls13_record_protection
1.44 tb 1053: <li>Convert legacy TLS client and server to tls_key_share
1.9 inoguchi 1054: <li>Stop attempting to duplicate the public and private key of dh_tmp
1055: <li>Rename dh_tmp to dhe_params
1056: <li>Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
1057: <li>Clean up pkey handling in ssl3_get_server_key_exchange()
1058: <li>Fix GOST skip certificate verify handling
1059: <li>Simplify tlsext_keyshare_server_parse()
1060: <li>Plumb decode errors through key share parsing code
1061: <li>Simplify SSL_get_peer_certificate()
1062: <li>Cleanup/simplify ssl_cert_type()
1063: <li>The S3I macro was removed
1064: <li>The openssl(1) cms, smime and ts subcommands option handling was
1065: converted and the C source was cleaned up.
1.1 deraadt 1066: </ul>
1067:
1.9 inoguchi 1068: <li>Documentation improvements
1.1 deraadt 1069: <ul>
1.9 inoguchi 1070: <li>45 new manual pages, most of which were written from scratch.<br>
1071: Documentation coverage of ASN.1 and X.509 code has been
1072: significantly improved.
1.1 deraadt 1073: </ul>
1074: </ul>
1075:
1.41 deraadt 1076: <li>OpenSSH version 9.0
1.1 deraadt 1077: <ul>
1078: <li>Security
1079: <ul>
1.47 dtucker 1080: <!-- OpenSSH 8.9 -->
1.50 dtucker 1081: <li>Near miss in <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1.47 dtucker 1082: fix an integer overflow in the user authentication path
1083: that, in conjunction with other logic errors, could have yielded
1084: unauthenticated access under difficult to exploit conditions.<br>
1085: This situation is not exploitable because of independent checks in
1086: the privilege separation monitor. Privilege separation has been
1.49 dtucker 1087: enabled by default since <a href="32.html">OpenBSD 3.2</a> (released in 2002) and
1088: has been mandatory since <a href="61.html">OpenBSD 6.1</a> (released in 2017).<br>
1.1 deraadt 1089: </ul>
1090: <li>Potentially incompatible changes
1091: <ul>
1.47 dtucker 1092: <!-- OpenSSH 8.9 -->
1093: <li>In OpenSSH 8.9 the FIDO security key middleware interface
1094: changed and increments SSH_SK_VERSION_MAJOR.
1.51 ! dtucker 1095: <!-- OpenSSH 9.0 -->
! 1096: <li>This release switches <a href=https://man.openbsd.org/scp.1>scp(1)</a>
! 1097: from using the legacy scp/rcp protocol
! 1098: to using the SFTP protocol by default.<br>
! 1099: Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
! 1100: "scp host:* .") through the remote shell. This has the side effect of
! 1101: requiring double quoting of shell meta-characters in file names
! 1102: included on <a href=https://man.openbsd.org/scp.1>scp(1)</a>
! 1103: command-lines, otherwise they could be interpreted
! 1104: as shell commands on the remote side.<br>
! 1105: This creates one area of potential incompatibility:
! 1106: <a href=https://man.openbsd.org/scp.1>scp(1)</a> when using
! 1107: the SFTP protocol no longer requires this finicky and brittle quoting,
! 1108: and attempts to use it may cause transfers to fail. We consider the
! 1109: removal of the need for double-quoting shell characters in file names
! 1110: to be a benefit and do not intend to introduce bug-compatibility for
! 1111: legacy scp/rcp in <a href=https://man.openbsd.org/scp.1>scp(1)</a>
! 1112: when using the SFTP protocol.<br>
! 1113: Another area of potential incompatibility relates to the use of remote
! 1114: paths relative to other users' home directories, for example -
! 1115: "scp host:~user/file /tmp". The SFTP protocol has no native way to
! 1116: expand a ~user path. However,
! 1117: <a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>
! 1118: in OpenSSH 8.7 and later supports a protocol extension
! 1119: "expand-path@openssh.com" to support this.<br>
! 1120: In case of incompatibility, the
! 1121: <a href=https://man.openbsd.org/scp.1>scp(1)</a> client may be instructed to use
! 1122: the legacy scp/rcp protocol using the -O flag.
1.1 deraadt 1123: </ul>
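The quoting difference described above, modelled locally as an added example (not code from this page or from OpenSSH): `legacy_remote_args` hands the path text to `sh -c` the way the legacy protocol hands it to the remote shell, while `sftp_remote_args` treats it as a protocol string. The function names, the temp directory and its file names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration, not OpenSSH code. The "remote host" is a local temp
# directory with constructed file names; no ssh or network is involved.

# Constructed remote directory: three files, two with awkward names.
make_remote_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/a.txt"
    : > "$d/my file.txt"
    : > "$d/report\$(echo _EXPANDED).txt"   # literal "$(...)" in the name
    printf '%s\n' "$d"
}

# Legacy scp/rcp model: the path text is pasted into a command line that the
# remote shell parses, so it is word-split, globbed and substituted there.
# $1 = remote directory, $2 = path text exactly as sent by the client
legacy_remote_args() {
    ( cd "$1" && sh -c "printf '%s\n' $2" )
}

# SFTP model: the path is a protocol string that no shell parses. Wildcards
# are still matched, modelled here by pathname expansion alone (IFS is empty,
# so there is no word splitting, and a variable's value is never re-parsed
# for quotes or command substitution).
sftp_remote_args() {
    ( cd "$1" && IFS='' && set -- $2 && printf '%s\n' "$@" )
}

# A transfer finds its source only if every name the remote side ends up
# with exists. $1 = legacy|sftp, $2 = remote directory, $3 = path text
transfer_ok() {
    "${1}_remote_args" "$2" "$3" | while IFS= read -r name; do
        [ -e "$2/$name" ] || exit 1
    done
}

demo() {
    dir=$(make_remote_dir) || return 1
    for path in '*.txt' 'my file.txt' "'my file.txt'" \
                'report$(echo _EXPANDED).txt'; do
        for mode in legacy sftp; do
            if transfer_ok "$mode" "$dir" "$path"; then
                result=found
            else
                result='not found'
            fi
            printf '%-6s %-30s -> %s\n' "$mode" "$path" "$result"
        done
    done
    rm -rf "$dir"
}

demo
```

The unquoted name with a space only works in the SFTP model, the name carrying an extra layer of quotes only works in the legacy model, and the `$(...)` name is run as a substitution by the legacy model but treated as plain text by the SFTP one.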
1124:
1125: <li>New features
1126: <ul>
1.47 dtucker 1127: <!-- OpenSSH 8.9 -->
1.50 dtucker 1128: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1129: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>,
1130: <a href=https://man.openbsd.org/ssh-add.1>ssh-add(1)</a>,
1131: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
1132: add a system for restricting forwarding and use of keys added to
1133: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>.
1.47 dtucker 1134: A detailed description of the feature is available at
1135: https://www.openssh.com/agent-restrict.html and the protocol
1136: extensions are documented in the PROTOCOL and PROTOCOL.agent
1137: files in the source release.
1.50 dtucker 1138: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1139: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1140: add the sntrup761x25519-sha512@openssh.com hybrid
1.47 dtucker 1141: ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
1142: default KEXAlgorithms list (after the ECDH methods but before the
1143: prime-group DH ones).
1.50 dtucker 1144: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1145: when downloading resident keys from a FIDO token,
1.47 dtucker 1146: pass back the user ID that was used when the key was created and
1147: append it to the filename the key is written to (if it is not the
1148: default). Avoids keys being clobbered if the user created multiple
1149: resident keys with the same application string but different user
1150: IDs.
1.50 dtucker 1151: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>,
1152: <a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1153: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
1154: better handling for FIDO keys
1.47 dtucker 1155: on tokens that provide user verification (UV) on the device itself,
1156: including biometric keys, avoiding unnecessary PIN prompts.
1.50 dtucker 1157: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: add "ssh-keygen -Y match-principals" operation to
1.47 dtucker 1158: perform matching of principal names against an allowed signers
1159: file. To be used towards a TOFU model for SSH signatures in git.
1.50 dtucker 1160: <li><a href=https://man.openbsd.org/ssh-add.1>ssh-add(1)</a>,
1161: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
1162: allow pin-required FIDO keys to be added
1163: to <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>.
1164: $SSH_ASKPASS will be used to request the PIN at authentication time.
1165: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1166: allow selection of hash at sshsig signing time
1.47 dtucker 1167: (either sha512 (default) or sha256).
1.50 dtucker 1168: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1169: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1170: read network data directly to the packet input
1.47 dtucker 1171: buffer instead of indirectly via a small stack buffer. Provides a
1172: modest performance improvement.
1.50 dtucker 1173: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1174: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1175: read data directly to the channel input buffer,
1.47 dtucker 1176: providing a similar modest performance improvement.
1.50 dtucker 1177: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
1178: extend the PubkeyAuthentication configuration directive to
1.47 dtucker 1179: accept yes|no|unbound|host-bound to allow control over one of the
1180: protocol extensions used to implement agent-restricted keys.
1181: <!-- OpenSSH 9.0 -->
1.50 dtucker 1182: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1183: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1184: use the hybrid Streamlined NTRU Prime + x25519 key
1.47 dtucker 1185: exchange method by default ("sntrup761x25519-sha512@openssh.com").
1186: The NTRU algorithm is believed to resist attacks enabled by future
1187: quantum computers and is paired with the X25519 ECDH key exchange
1188: (the previous default) as a backstop against any weaknesses in
1189: NTRU Prime that may be discovered in the future. The combination
1190: ensures that the hybrid exchange offers at least as good security
1191: as the status quo.<br>
1192: We are making this change now (i.e. ahead of
1193: cryptographically-relevant quantum computers) to prevent "capture now, decrypt
1194: later" attacks where an adversary who can record and store SSH
1195: session ciphertext would be able to decrypt it once a sufficiently
1196: advanced quantum computer is available.
1.50 dtucker 1197: <li><a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>:
1198: support the "copy-data" extension to allow
1.47 dtucker 1199: server-side copying of files/data, following the design in
1200: draft-ietf-secsh-filexfer-extensions-00.
1.50 dtucker 1201: <li><a href=https://man.openbsd.org/sftp.1>sftp(1)</a>:
1202: add a "cp" command to allow the sftp client to perform
1.47 dtucker 1203: server-side file copies.
1204: </ul>
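To check where the hybrid method sits in a given configuration, the `kexalgorithms` line printed by `ssh -G host` or `sshd -T` can be parsed. This added example (not part of the release notes or of OpenSSH) does so on constructed sample lines and applies the SSH negotiation rule that the first algorithm in the client's list that the server also supports is chosen. The function names and sample lines are assumptions.

```shell
#!/bin/sh
# Added illustration, not OpenSSH code. The sample lines are constructed to
# follow the two orderings the release notes describe.

HYBRID='sntrup761x25519-sha512@openssh.com'

# Constructed: hybrid first (the 9.0 default described above).
SAMPLE_90='port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
# Constructed: hybrid after the ECDH methods, before prime-group DH (8.9).
SAMPLE_89='kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256'
# Constructed: a configuration without the hybrid method at all.
SAMPLE_OLD='kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

# Extract the comma-separated list from a config dump ($1 = dump text).
kex_list() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Print the 1-based position of the hybrid method, or 0 if it is absent.
hybrid_position() {
    list=$(kex_list "$1")
    pos=0
    i=0
    old_ifs=$IFS
    IFS=,
    for alg in $list; do
        i=$((i + 1))
        if [ "$alg" = "$HYBRID" ]; then
            pos=$i
            break
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$pos"
}

# Print the method two peers would agree on: the first entry of the client's
# list that also appears in the server's list. Simplified: host key
# compatibility checks are not modelled. $1 = client dump, $2 = server dump
negotiated_kex() {
    client=$(kex_list "$1")
    server=$(kex_list "$2")
    old_ifs=$IFS
    IFS=,
    for c in $client; do
        for s in $server; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

demo() {
    printf 'hybrid position, 9.0 order: %s\n' "$(hybrid_position "$SAMPLE_90")"
    printf 'hybrid position, 8.9 order: %s\n' "$(hybrid_position "$SAMPLE_89")"
    printf 'hybrid position, old list:  %s\n' "$(hybrid_position "$SAMPLE_OLD")"
    printf '9.0 client, 8.9 server -> %s\n' \
        "$(negotiated_kex "$SAMPLE_90" "$SAMPLE_89")"
    printf '8.9 client, 9.0 server -> %s\n' \
        "$(negotiated_kex "$SAMPLE_89" "$SAMPLE_90")"
    printf '9.0 client, old server -> %s\n' \
        "$(negotiated_kex "$SAMPLE_90" "$SAMPLE_OLD")"
}

demo
```

Because the client's order decides, a client with the 8.9 ordering still agrees on curve25519-sha256 with a 9.0 server, so the session gets the hybrid exchange only once the client itself lists it first.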
1.51 ! dtucker 1205:
1.1 deraadt 1206: <li>Bugfixes
1207: <ul>
1.47 dtucker 1208: <!-- OpenSSH 8.9 -->
1.50 dtucker 1209: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1210: document that CASignatureAlgorithms, ExposeAuthInfo and
1.47 dtucker 1211: PubkeyAuthOptions can be used in a Match block.
1.50 dtucker 1212: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1213: fix possible string truncation when constructing paths to
1.47 dtucker 1214: .rhosts/.shosts files with very long user home directory names.
1215: <li>ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
1216: exchange hashes
1.50 dtucker 1217: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
1218: don't put the TTY into raw mode when SessionType=none,
1.47 dtucker 1219: avoids ^C being unable to kill such a session.
1.50 dtucker 1220: <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
1221: fix some corner-case bugs in SFTP-mode handling of
1.47 dtucker 1222: ~-prefixed paths.
1.50 dtucker 1223: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
1224: unbreak hostbased auth using RSA keys. Allow
1225: <a href=https://man.openbsd.org/ssh.1>ssh(1)</a> to
1.47 dtucker 1226: select RSA keys when only RSA/SHA2 signature algorithms are
1227: configured (this is the default case). Previously RSA keys were
1228: not being considered in the default case.
1229: <li>ssh-keysign(1): make ssh-keysign use the requested signature
1230: algorithm and not the default for the key type. Part of unbreaking
1231: hostbased auth for RSA/SHA2 keys.
1.50 dtucker 1232: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
1233: stricter UpdateHostkey signature verification logic on
1.47 dtucker 1234: the client side. Require RSA/SHA2 signatures for RSA hostkeys
1235: except when RSA/SHA1 was explicitly negotiated during initial
1236: KEX
1.50 dtucker 1237: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1238: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1239: fix signature algorithm selection logic for
1.47 dtucker 1240: UpdateHostkeys on the server side. The previous code tried to
1241: prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
1242: cases. This will use RSA/SHA2 signatures for RSA keys if the
1243: client proposed these algorithms in initial KEX.
1244: <li>All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
1.50 dtucker 1245: This includes the mainloops in
1246: <a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1247: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>,
1249: and <a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>,
1250: as well as the <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>
1251: listen loop and all
1.47 dtucker 1252: other FD read/writability checks. On platforms with missing or
1253: broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
1254: available.
1.50 dtucker 1255: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1256: the "-Y find-principals" command was verifying key
1.47 dtucker 1257: validity when using CA certs but not with simple key lifetimes
1258: within the allowed signers file.
1.50 dtucker 1259: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1260: make sshsig verify-time argument parsing optional
1261: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1262: fix truncation in rhosts/shosts path construction.
1263: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1264: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
1265: avoid xmalloc(0) for PKCS#11 keyid for ECDSA
1.47 dtucker 1266: keys (we already did this for RSA keys). Avoids fatal errors for
1267: PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
1268: "cryptoauthlib"
1.50 dtucker 1269: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1270: <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
1271: improve the testing of credentials against
1.47 dtucker 1272: inserted FIDO: ask the token whether a particular key belongs to
1273: it in cases where the token supports on-token user-verification
1274: (e.g. biometrics) rather than just assuming that it will accept it.<br>
1275: Will reduce spurious "Confirm user presence" notifications for key
1276: handles that relate to FIDO keys that are not currently inserted in at
1277: least some cases.
1.50 dtucker 1278: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1279: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1280: correct value for IPTOS_DSCP_LE. It needs to
1.47 dtucker 1281: allow for the preceding two ECN bits.
1.50 dtucker 1282: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1283: add missing -O option to usage() for the "-Y sign" option.
1284: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1285: fix a NULL deref when using the find-principals
1.47 dtucker 1286: function, when matching an allowed_signers line that contains a
1287: namespace restriction, but no restriction specified on the
1288: command-line
1.50 dtucker 1289: <li><a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
1290: fix memleak in process_extension(); oss-fuzz issue #42719
1291: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
1292: suppress "Connection to xxx closed" messages when LogLevel
1.47 dtucker 1293: is set to "error" or above.
1.50 dtucker 1294: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1295: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1296: use correct zlib flags when inflate(3)-ing compressed packet data.
1297: <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
1298: when recursively transferring files in SFTP mode, create the
1299: destination directory if it doesn't already exist to match
1300: <a href=https://man.openbsd.org/scp.1>scp(1)</a> in
1.47 dtucker 1301: legacy RCP mode behaviour.
1.50 dtucker 1302: <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
1303: many improvements in error message consistency between
1304: <a href=https://man.openbsd.org/scp.1>scp(1)</a>
1.47 dtucker 1305: in SFTP mode vs legacy RCP mode.
1.50 dtucker 1306: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1307: fix potential race in SIGTERM handling
1308: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1309: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1310: since DSA keys are deprecated, move them to the end of the default
1311: list of public keys so that they will be tried last.
1312: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1313: allow 'ssh-keygen -Y find-principals' to match
1.47 dtucker 1314: wildcard principals in allowed_signers files
1315: <!-- OpenSSH 9.0 -->
1.50 dtucker 1316: <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
1317: <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1318: fix poll(2) spin when a channel's output
1.47 dtucker 1319: fd closes without data in the channel buffer.
1.50 dtucker 1320: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1321: pack pollfd array in server listen/accept loop. Could
1.47 dtucker 1322: cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
1.50 dtucker 1323: <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
1324: avoid NULL deref via the find-principals and check-novalidate operations.
1325: <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
1326: fix a memory leak in argument processing.
1327: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1328: don't try to resolve ListenAddress directives in the sshd
1.47 dtucker 1329: re-exec path. They are unused after re-exec and parsing errors
1330: (possible for example if the host's network configuration changed)
1331: could prevent connections from being accepted.
1.50 dtucker 1332: <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
1333: when refusing a public key authentication request from a
1.47 dtucker 1334: client for using an unapproved or unsupported signature algorithm
1335: include the algorithm name in the log message to make debugging
1336: easier.
1.1 deraadt 1337: </ul>
1.47 dtucker 1338: </ul>
1.1 deraadt 1339:
1.13 schwarze 1340: <li>mandoc 1.14.6 plus several bugfixes, including:
1.1 deraadt 1341: <ul>
1.13 schwarze 1342: <li>Fixed <a href="https://man.openbsd.org/man.1">man(1)</a>
1343: to always read the configuration file and respect
1344: the other directives contained in it,
1345: even when the manpath is overridden by other means.
1346: <li>Fixed a memory leak in
1347: <a href="https://man.openbsd.org/man.1">man(1)</a>
1348: that mattered when many names were given on the command line.
1349: <li>Fixed a small memory leak in the
1350: <a href="https://man.openbsd.org/roff.7">roff(7)</a> parser
1351: that occurred each time a user-defined macro was called.
1352: <li>Fixed the width of the <code>\h</code> (horizontal motion)
1353: <a href="https://man.openbsd.org/roff.7">roff(7)</a>
1354: escape sequence in the PostScript and PDF output modes.
1.1 deraadt 1355: </ul>
1356:
1357: <li>Ports and packages:
1358: <p>Many pre-built packages for each architecture:
1359: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
1360: <ul style="column-count: 3">
1.36 naddy 1361: <li>aarch64: 11081
1.17 naddy 1362: <li>amd64: 11301
1.20 deraadt 1363: <li>arm: XXXX
1364: <li>i386: 10136
1.1 deraadt 1365: <li>mips64: XXXX
1366: <li>powerpc: XXXX
1.46 sthen 1367: <li>powerpc64: 9132
1.45 sthen 1368: <li>riscv64: 9108
1.39 naddy 1369: <li>sparc64: 9288
1.1 deraadt 1370: </ul>
1371:
1372: <p>Some highlights:
1373: <ul style="column-count: 3">
1.12 sthen 1374: <li>Asterisk 16.25.1, 18.11.1 and 19.3.1
1.1 deraadt 1375: <li>Audacity 2.4.2
1376: <li>CMake 3.20.3
1.5 jsg 1377: <li>Chromium 100.0.4896.75
1.1 deraadt 1378: <li>Emacs 27.2
1.5 jsg 1379: <li>FFmpeg 4.4.1
1.1 deraadt 1380: <li>GCC 8.4.0 and 11.2.0
1381: <li>GHC 8.10.6
1.5 jsg 1382: <li>GNOME 41.5
1383: <li>Go 1.17.7
1384: <li>JDK 8u322, 11.0.14 and 17.0.2
1385: <li>KDE Applications 21.12.2
1386: <li>KDE Frameworks 5.91.0
1387: <li>Krita 5.0.2
1388: <li>LLVM/Clang 13.0.0
1389: <li>LibreOffice 7.3.2.2
1.1 deraadt 1390: <li>Lua 5.1.5, 5.2.4 and 5.3.6
1.5 jsg 1391: <li>MariaDB 10.6.7
1.1 deraadt 1392: <li>Mono 6.12.0.122
1.5 jsg 1393: <li>Mozilla Firefox 99.0 and ESR 91.8.0
1394: <li>Mozilla Thunderbird 91.8.0
1395: <li>Mutt 2.2.2 and NeoMutt 20211029
1396: <li>Node.js 16.14.2
1397: <li>OCaml 4.12.1
1.1 deraadt 1398: <li>OpenLDAP 2.4.59
1.5 jsg 1399: <li>PHP 7.4.28, 8.0.17 and 8.1.4
1400: <li>Postfix 3.5.14
1401: <li>PostgreSQL 14.2
1402: <li>Python 2.7.18, 3.8.13, 3.9.12 and 3.10.4
1.1 deraadt 1403: <li>Qt 5.15.2 and 6.0.4
1.5 jsg 1404: <li>R 4.1.2
1405: <li>Ruby 2.7.5, 3.0.3 and 3.1.1
1406: <li>Rust 1.59.0
1407: <li>SQLite 2.8.17 and 3.38.2
1408: <li>Shotcut 21.10.31
1409: <li>Sudo 1.9.10
1410: <li>Suricata 6.0.4
1.1 deraadt 1411: <li>Tcl/Tk 8.5.19 and 8.6.8
1.5 jsg 1412: <li>TeX Live 2021
1413: <li>Vim 8.2.4600 and Neovim 0.6.1
1.1 deraadt 1414: <li>Xfce 4.16
1415: </ul>
1416: <p>
1417:
1418: <li>As usual, steady improvements in manual pages and other documentation.
1419:
1420: <li>The system includes the following major components from outside suppliers:
1421: <ul>
1.5 jsg 1422: <li>Xenocara (based on X.Org 7.7 with xserver 1.21.1.3 + patches,
1423: freetype 2.11.0, fontconfig 2.12.94, Mesa 21.3.7, xterm 369,
1.1 deraadt 1424: xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
1.5 jsg 1425: <li>LLVM/Clang 13.0.0 (+ patches)
1.1 deraadt 1426: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1427: <li>Perl 5.32.1 (+ patches)
1.5 jsg 1428: <li>NSD 4.4.0
1429: <li>Unbound 1.15.0
1.1 deraadt 1430: <li>Ncurses 5.7
1431: <li>Binutils 2.17 (+ patches)
1432: <li>Gdb 6.3 (+ patches)
1.10 benno 1433: <li>Awk October 12, 2021
1.5 jsg 1434: <li>Expat 2.4.7
1.1 deraadt 1435: </ul>
1436:
1437: </ul>
1438: </section>
1439:
1440: <hr>
1441:
1442: <section id=install>
1443: <h3>How to install</h3>
1444: <p>
1445: Please refer to the following files on the mirror site for
1446: extensive details on how to install OpenBSD 7.1 on your machine:
1447:
1448: <ul>
1449: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/alpha/INSTALL.alpha">
1450: .../OpenBSD/7.1/alpha/INSTALL.alpha</a>
1451: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/amd64/INSTALL.amd64">
1452: .../OpenBSD/7.1/amd64/INSTALL.amd64</a>
1453: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/arm64/INSTALL.arm64">
1454: .../OpenBSD/7.1/arm64/INSTALL.arm64</a>
1455: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/armv7/INSTALL.armv7">
1456: .../OpenBSD/7.1/armv7/INSTALL.armv7</a>
1457: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/hppa/INSTALL.hppa">
1458: .../OpenBSD/7.1/hppa/INSTALL.hppa</a>
1459: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/i386/INSTALL.i386">
1460: .../OpenBSD/7.1/i386/INSTALL.i386</a>
1461: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/landisk/INSTALL.landisk">
1462: .../OpenBSD/7.1/landisk/INSTALL.landisk</a>
1463: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/luna88k/INSTALL.luna88k">
1464: .../OpenBSD/7.1/luna88k/INSTALL.luna88k</a>
1465: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/macppc/INSTALL.macppc">
1466: .../OpenBSD/7.1/macppc/INSTALL.macppc</a>
1467: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/octeon/INSTALL.octeon">
1468: .../OpenBSD/7.1/octeon/INSTALL.octeon</a>
1469: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/powerpc64/INSTALL.powerpc64">
1470: .../OpenBSD/7.1/powerpc64/INSTALL.powerpc64</a>
1471: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/riscv64/INSTALL.riscv64">
1472: .../OpenBSD/7.1/riscv64/INSTALL.riscv64</a>
1473: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/sparc64/INSTALL.sparc64">
1474: .../OpenBSD/7.1/sparc64/INSTALL.sparc64</a>
1475: </ul>
1476: </section>
1477:
1478: <hr>
1479:
1480: <section id=quickinstall>
1481: <p>
1482: Quick installer information for people familiar with OpenBSD, and the use of
1483: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1484: If you are at all confused when installing OpenBSD, read the relevant
1485: INSTALL.* file as listed above!
1486:
1487: <h3>OpenBSD/alpha:</h3>
1488:
1489: <p>
1490: If your machine can boot from CD, you can write <i>install71.iso</i> or
1491: <i>cd71.iso</i> to a CD and boot from it.
1492: Refer to INSTALL.alpha for more details.
1493:
1494: <h3>OpenBSD/amd64:</h3>
1495:
1496: <p>
1497: If your machine can boot from CD, you can write <i>install71.iso</i> or
1498: <i>cd71.iso</i> to a CD and boot from it.
1499: You may need to adjust your BIOS options first.
1500:
1501: <p>
1502: If your machine can boot from USB, you can write <i>install71.img</i> or
1503: <i>miniroot71.img</i> to a USB stick and boot from it.
1504:
1505: <p>
1506: If you can't boot from a CD, floppy disk, or USB,
1507: you can install across the network using PXE as described in the included
1508: INSTALL.amd64 document.
1509:
1510: <p>
1511: If you are planning to dual boot OpenBSD with another OS, you will need to
1512: read INSTALL.amd64.
1513:
1514: <h3>OpenBSD/arm64:</h3>
1515:
1516: <p>
1517: Write <i>install71.img</i> or <i>miniroot71.img</i> to a disk and boot from it
1518: after connecting to the serial console. Refer to INSTALL.arm64 for more
1519: details.
1520:
1521: <h3>OpenBSD/armv7:</h3>
1522:
1523: <p>
1524: Write a system specific miniroot to an SD card and boot from it after connecting
1525: to the serial console. Refer to INSTALL.armv7 for more details.
1526:
1527: <h3>OpenBSD/hppa:</h3>
1528:
1529: <p>
1530: Boot over the network by following the instructions in INSTALL.hppa or the
1531: <a href="hppa.html#install">hppa platform page</a>.
1532:
1533: <h3>OpenBSD/i386:</h3>
1534:
1535: <p>
1536: If your machine can boot from CD, you can write <i>install71.iso</i> or
1537: <i>cd71.iso</i> to a CD and boot from it.
1538: You may need to adjust your BIOS options first.
1539:
1540: <p>
1541: If your machine can boot from USB, you can write <i>install71.img</i> or
1542: <i>miniroot71.img</i> to a USB stick and boot from it.
1543:
1544: <p>
1545: If you can't boot from a CD, floppy disk, or USB,
1546: you can install across the network using PXE as described in
1547: the included INSTALL.i386 document.
1548:
1549: <p>
1550: If you are planning on dual booting OpenBSD with another OS, you will need to
1551: read INSTALL.i386.
1552:
1553: <h3>OpenBSD/landisk:</h3>
1554:
1555: <p>
1556: Write <i>miniroot71.img</i> to the start of the CF
1557: or disk, and boot normally.
1558:
1559: <h3>OpenBSD/luna88k:</h3>
1560:
1561: <p>
1562: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1563: from the PROM, and then bsd.rd from the bootloader.
1564: Refer to the instructions in INSTALL.luna88k for more details.
1565:
1566: <h3>OpenBSD/macppc:</h3>
1567:
1568: <p>
1569: Burn the image from a mirror site to a CDROM, and power on your machine
1570: while holding down the <i>C</i> key until the display turns on and
1571: shows <i>OpenBSD/macppc boot</i>.
1572:
1573: <p>
1574: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1575: /7.1/macppc/bsd.rd</i>
1576:
1577: <h3>OpenBSD/octeon:</h3>
1578:
1579: <p>
1580: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1581: Refer to the instructions in INSTALL.octeon for more details.
1582:
1583: <h3>OpenBSD/powerpc64:</h3>
1584:
1585: <p>
1586: To install, write <i>install71.img</i> or <i>miniroot71.img</i> to a
1587: USB stick, plug it into the machine and choose the <i>OpenBSD
1588: install</i> menu item in Petitboot.
1589: Refer to the instructions in INSTALL.powerpc64 for more details.
1590:
1591: <h3>OpenBSD/riscv64:</h3>
1592:
1593: <p>
1594: To install, write <i>install71.img</i> or <i>miniroot71.img</i> to a
1595: USB stick, and boot with that drive plugged in.
1596: Make sure you also have the microSD card plugged in that shipped with the
1597: HiFive Unmatched board.
1598: Refer to the instructions in INSTALL.riscv64 for more details.
1599:
1600: <h3>OpenBSD/sparc64:</h3>
1601:
1602: <p>
1603: Burn the image from a mirror site to a CDROM, boot from it, and type
1604: <i>boot cdrom</i>.
1605:
1606: <p>
1607: If this doesn't work, or if you don't have a CDROM drive, you can write
1608: <i>floppy71.img</i> or <i>floppyB71.img</i>
1609: (depending on your machine) to a floppy and boot it with <i>boot
1610: floppy</i>. Refer to INSTALL.sparc64 for details.
1611:
1612: <p>
1613: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1614: will most likely fail.
1615:
1616: <p>
1617: You can also write <i>miniroot71.img</i> to the swap partition on
1618: the disk and boot with <i>boot disk:b</i>.
1619:
1620: <p>
1621: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1622: </section>
1623:
1624: <hr>
1625:
1626: <section id=upgrade>
1627: <h3>How to upgrade</h3>
1628: <p>
1.6 tj 1629: If you already have an OpenBSD 7.0 system, and do not want to reinstall,
1.1 deraadt 1630: upgrade instructions and advice can be found in the
1631: <a href="faq/upgrade71.html">Upgrade Guide</a>.
1632: </section>
1633:
1634: <hr>
1635:
1636: <section id=sourcecode>
1637: <h3>Notes about the source code</h3>
1638: <p>
1639: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1640: This file contains everything you need except for the kernel sources,
1641: which are in a separate archive.
1642: To extract:
1643: <blockquote><pre>
1644: # <kbd>mkdir -p /usr/src</kbd>
1645: # <kbd>cd /usr/src</kbd>
1646: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1647: </pre></blockquote>
1648: <p>
1649: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1650: This file contains all the kernel sources you need to rebuild kernels.
1651: To extract:
1652: <blockquote><pre>
1653: # <kbd>mkdir -p /usr/src/sys</kbd>
1654: # <kbd>cd /usr/src</kbd>
1655: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1656: </pre></blockquote>
1657: <p>
1658: Both of these trees are a regular CVS checkout. Using these trees it
1659: is possible to get a head-start on using the anoncvs servers as
1660: described <a href="anoncvs.html">here</a>.
1661: Using these files
1662: results in a much faster initial CVS update than you could expect from
1663: a fresh checkout of the full OpenBSD source tree.
1664: </section>
1665:
1666: <hr>
1667:
1668: <section id=ports>
1669: <h3>Ports Tree</h3>
1670: <p>
1671: A ports tree archive is also provided. To extract:
1672: <blockquote><pre>
1673: # <kbd>cd /usr</kbd>
1674: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1675: </pre></blockquote>
1676: <p>
1677: Go read the <a href="faq/ports/index.html">ports</a> page
1678: if you know nothing about ports
1679: at this point. This text is not a manual of how to use ports.
1680: Rather, it is a set of notes meant to kickstart the user on the
1681: OpenBSD ports system.
1682: <p>
1683: The <i>ports/</i> directory represents a CVS checkout of our ports.
1684: As with our complete source tree, our ports tree is available via
1685: <a href="anoncvs.html">AnonCVS</a>.
1686: So, in order to keep up to date with the -stable branch, you must make
1687: the <i>ports/</i> tree available on a read-write medium and update the tree
1688: with a command like:
1689: <blockquote><pre>
1690: # <kbd>cd /usr/ports</kbd>
1691: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_1</kbd>
1692: </pre></blockquote>
1693: <p>
1694: [Of course, you must replace the server name here with a nearby anoncvs
1695: server.]
1696: <p>
1697: Note that most ports are available as packages on our mirrors. Updated
1698: ports for the 7.1 release will be made available if problems arise.
1699: <p>
1700: If you're interested in seeing a port added, would like to help out, or just
1701: would like to know more, the mailing list
1702: <a href="mail.html">ports@openbsd.org</a> is a good place to start.
1703: </section>
1.24 benno 1704: </body>
1705: </html>