
Annotation of www/71.html, Revision 1.65

1.1       deraadt     1: <!doctype html>
                      2: <html lang=en id=release>
1.24      benno       3: <head>
1.1       deraadt     4: <meta charset=utf-8>
                      5:
                      6: <title>OpenBSD 7.1</title>
                      7: <meta name="description" content="OpenBSD 7.1">
                      8: <meta name="viewport" content="width=device-width, initial-scale=1">
                      9: <link rel="stylesheet" type="text/css" href="openbsd.css">
                     10: <link rel="canonical" href="https://www.openbsd.org/71.html">
1.24      benno      11: </head><body>
1.1       deraadt    12: <h2 id=OpenBSD>
                     13: <a href="index.html">
                     14: <i>Open</i><b>BSD</b></a>
                     15: 7.1
                     16: </h2>
                     17:
                     18: <table>
                     19: <tr>
                     20: <td>
1.60      job        21: <a href="images/TheGreatWaveOffCalgary.png">
                     22: <img width="227" height="303" src="images/TheGreatWaveOffCalgary-s.gif" alt="The Great Wave off Calgary"></a>
1.1       deraadt    23: <td>
1.60      job        24: Released Apr 21, 2022. (52nd OpenBSD release)<br>
1.1       deraadt    25: Copyright 1997-2022, Theo de Raadt.<br>
                     26: <br>
1.3       job        27: Artwork by Luc Houweling.
1.1       deraadt    28: <br>
                     29: <ul>
                     30: <li>See the information on <a href="ftp.html">the FTP page</a> for
                     31:     a list of mirror machines.
                     32: <li>Go to the <code class=reldir>pub/OpenBSD/7.1/</code> directory on
                     33:     one of the mirror sites.
                     34: <li>Have a look at <a href="errata71.html">the 7.1 errata page</a> for a list
                     35:     of bugs and workarounds.
                     36: <li>See a <a href="plus71.html">detailed log of changes</a> between the
                     37:     7.0 and 7.1 releases.
                     38: <p>
                     39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
                     40:     pubkeys for this release:<p>
                     41:
                     42: <table class=signify>
                     43: <tr><td>
                     44: openbsd-71-base.pub:
                     45: <td>
                     46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/openbsd-71-base.pub">
                     47: RWR2eHwZTOEiTWog354iy3StRj18VbZl87O9uZpa1M2jGLXEkco6vDT5</a>
                     48: <tr><td>
                     49: openbsd-71-fw.pub:
                     50: <td>
                     51: RWQCAJ4gBK3pbcm/Q5XYxu+hIY3Zvx9kwGv2uJphEN7kNl1DD4QRue6v
                     52: <tr><td>
                     53: openbsd-71-pkg.pub:
                     54: <td>
                     55: RWQgLTtHQtisyH9qc9imxVFsf+P24M75F1aNio5qJCfG/bO6gATAzC9V
                     56: <tr><td>
                     57: openbsd-71-syspatch.pub:
                     58: <td>
                     59: RWTVqN+z9ta+Z6Ri7W7Vlf+XgXE30rGXld8kO78L1GmE61U5Xvbr/zHM
                     60: </table>
                     61: </ul>
                     62: <p>
                     63: All applicable copyrights and credits are in the src.tar.gz,
                     64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
                     65: files fetched via <code>ports.tar.gz</code>.
                     66: </table>
                     67:
                     68: <hr>
                     69:
                     70: <section id=new>
                     71: <h3>What's New</h3>
                     72: <p>
                     73: This is a partial list of new features and systems included in OpenBSD 7.1.
                     74: For a comprehensive list, see the <a href="plus71.html">changelog</a> leading
                     75: to 7.1.
                     76:
                     77: <ul>
                     78:
                     79: <li>New/extended platforms:
                     80:   <ul>
1.16      benno      81:     <li>Support for Apple Silicon Macs has improved and is ready for general use:
1.1       deraadt    82:     <ul>
1.10      benno      83:            <li>Added <a href="https://man.openbsd.org/aplspi.4">aplspi(4)</a>, a driver for the SPI controller found on the Apple M1 SoC.
                     84:            <li>Added <a href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> support for the keyboard/touchpad on Apple M1 laptops.
1.31      jsg        85:            <li>Introduced <a href="https://man.openbsd.org/aplpmgr.4">aplpmgr(4)</a>, a driver for the power management controller found on Apple SoCs.
1.11      benno      86:            <li>Introduced <a href="https://man.openbsd.org/aplmbox.4">aplmbox(4)</a>, a driver for the mailbox that provides a communication channel with additional cores integrated on Apple SoCs.
1.31      jsg        87:            <li>Introduced <a href="https://man.openbsd.org/apliic.4">apliic(4)</a>, a driver for the I2C controller found on Apple SoCs.
1.11      benno      88:            <li>Added the chip ids used on Apple M1 Pro/Max and Apple T2 Macs to <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
                     89:            <li>Rewrote arm64 kernel FPU handling code to fix the random crashes seen with SMP kernels on Apple M1.
                     90:            <li>Restricted the <a href="https://man.openbsd.org/pci.4">pci(4)</a> ioctl interface to devices detected by the kernel, preventing Xorg PCI probes from breaking the WiFi chip on M1 Macs.
                     91:            <li>Introduced <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>, a driver for the SMC found on Apple M1 SoCs.
                     92:            <li>Introduced <a href="https://man.openbsd.org/aplnco.4">aplnco(4)</a>, a driver for the Numerically-controlled oscillator (NCO) clock which drives the audio clocks on Apple silicon.
                     93:            <li>Introduced <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a>, a driver for the TI TAS2770/TAS5770 digital audio amplifier codec found on Apple M1 Macs.
1.14      benno      94:            <li>Introduced <a href="https://man.openbsd.org/apldma.4">apldma(4)</a>, a driver for the DMA controller found on Apple SoCs.
1.15      benno      95:            <li>Added support to explicitly power on some PCIe devices on the M1 and M1 Pro/Max through a GPIO controlled by the SMC.
                     96:            <li>Added <a href="https://man.openbsd.org/aplcpu.4">aplcpu(4)</a>, a driver to control the CPU performance levels on Apple SoCs.
                     97:            <li>Modified <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a> to support a newer interrupt controller, making OpenBSD run on M1 Pro/Max machines.
                     98:            <li>Added nvmem support to <a href="https://man.openbsd.org/aplpmu.4">aplpmu(4)</a> and made it available on Apple SPMI PMUs.
                     99:            <li>Added RTC support to <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
                    100:            <li>Made the arm64 ramdisk installer fetch <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> firmware from the EFI System Partition on Apple Silicon devices for use during installation and addition to the newly installed system.
                    101:            <li>Added support for controlling keyboard LEDs to <a
                    102:                href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a>.
                    103:            <li>Added basic GPIO support to <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
                    104:            <li>Ensured <a href="https://man.openbsd.org/apldart.4">apldart(4)</a> keeps the DART enabled in front of the display controller to preserve its access to the framebuffer and continued display.
                    105:            <li>Fixed reading motherboard time on Apple machines with old SMC firmware.
                    106:            <li>Implemented reboot/powerdown support in <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
                    107:            <li>Implemented <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a> support for multiple dies, making OpenBSD work on the M1 Ultra.
1.16      benno     108:     </ul>
                    109:     <li>Support for other <a href="arm64.html">arm64</a> architecture hardware was also improved with the following changes:
                    110:     <ul>
1.10      benno     111:        <li>Introduced <a
                    112:                href="https://man.openbsd.org/gpiocharger.4">gpiocharger(4)</a>, a
                    113:                driver providing support for battery chargers connected to GPIO pins,
                    114:                such as those found on the Pinebook Pro.
                    115:        <li>Introduced <a
                    116:                href="https://man.openbsd.org/gpioleds.4">gpioleds(4)</a> for arm64, a
                    117:                driver providing support for LEDs connected to GPIO pins, such as
                    118:                those found on the Pinebook Pro.
                    119:        <li>Added <a href="https://man.openbsd.org/gpiokeys.4">gpiokeys(4)</a>
                    120:                for arm64, a driver which handles events triggered by GPIO keys such
                    121:                as lid status and power button.
1.11      benno     122:        <li>Added pclk clock used by <a
                    123:                href="https://man.openbsd.org/dwdog.4">dwdog(4)</a> on RK3399 to <a
                    124:                href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
1.23      benno     125:        <li>Introduced <a
                    126:                href="https://man.openbsd.org/mpfclock.4">mpfclock(4)</a>, a driver
                    127:                for the PolarFire SoC MSS clock controller.
                    128:        <li>Introduced <a
                    129:                href="https://man.openbsd.org/cdsdhc.4">cdsdhc(4)</a>, a driver for
                    130:                the Cadence SD/SDIO/eMMC host controller.
                    131:        <li>Introduced <a
                    132:                href="https://man.openbsd.org/mpfiic.4">mpfiic(4)</a>, a driver for
                    133:                the PolarFire SoC MSS I2C controller.
                    134:        <li>Introduced <a
                    135:                href="https://man.openbsd.org/mpfgpio.4">mpfgpio(4)</a>, a driver for
                    136:                the PolarFire SoC MSS GPIO controller.
                    137:        <li>Enabled <a href="https://man.openbsd.org/cduart.4">cduart(4)</a>
                    138:                on arm64.
                    139:        <li>Added <a
                    140:                href="https://man.openbsd.org/mvpinctrl.4">mvpinctrl(4)</a> support
                    141:                for the CP115 block found on Marvell CN9K SoCs.
                    142:        <li>Added <a href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>
                    143:                support for the AP807 block found on Marvell CN9K SoCs.
1.1       deraadt   144:     </ul>
                    145:     <li>Changes on other architectures:
                    146:     <ul>
1.23      benno     147:        <li>Enabled <a href="https://man.openbsd.org/uhid.4">uhid(4)</a>/<a
                    148:                href="https://man.openbsd.org/fido.4">fido(4)</a> on riscv64.
1.14      benno     149:        <li>Allowed riscv64 installation on a disk with a GPT.
1.16      benno     150:        <li>Added missing locking to <a
                    151:                href="https://man.openbsd.org/pmap_extract.9">pmap_extract(9)</a> and
                    152:                <a href="https://man.openbsd.org/pmap_unwire.9">pmap_unwire(9)</a> on
                    153:                arm64 and riscv64.
                    154:        <li>Improved stack unwinding on riscv64 in <a href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
                    155:        <li>Fixed kernel stack alignment on riscv64.
                    156:        <li>Fixed RISC-V lld link code when dealing with object files created with "ld -b".
                    157:        <li>Made sure nothing can map address zero on RISC-V.
                    158:        <li>Made sure armv7, arm64 and RISC-V FDT bootloader code does not write beyond the FDT data structure.
1.11      benno     159:        <li>Fixed booting from an IDE block device on the Sun Blade 100.
                    160:        <li>Fixed <a href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> console colors on sparc64.
1.23      benno     161:        <li>Enabled <a href="https://man.openbsd.org/dt.4">dt(4)</a> on
                    162:                macppc.
                    163:        <li>Increased <a href="https://man.openbsd.org/ddb.1">ddb(1)</a>
                    164:                access to registers on macppc and powerpc64.
1.16      benno     165:        <li>Enabled enforcing of RLIMIT_MEMLOCK on powerpc64.
1.23      benno     166:        <li>Allowed <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> trace
                    167:                through interrupt on macppc.
1.1       deraadt   168:   </ul>
                    169: </ul>
                    170:
                    171: <li>Various kernel improvements:
                    172:   <ul>
1.16      benno     173:        <li>Made futexes work in shared anonymous memory.
                    174:        <li>Improved tracking of mbuf memory usage in the whole system.
                    175:        <li>Switched to using long filenames by default with <a
1.31      jsg       176:                href="https://man.openbsd.org/mount_msdos.8">mount_msdos(8)</a>.
1.7       benno     177:        <li>Fixed memory leak in <a
                    178:                href="https://man.openbsd.org/fuse.4">fuse(4)</a> when calling <a
                    179:                href="https://man.openbsd.org/namei.9">namei(9)</a>.
1.26      benno     180:
                    181:        <li>Fixed establishing legacy INTx interrupts on machines without a
                    182:                (usable) MSI interrupt controller.
1.7       benno     183:        <li>Cleaned up irrelevant uses of 3rd mode_t parameter for <a
                    184:                href="https://man.openbsd.org/open.2">open(2)</a>/<a
                    185:                href="https://man.openbsd.org/openat.2">openat(2)</a>, unused when not
                    186:                creating files.
1.16      benno     187:        <li>Reworked garbage collector for <a
                    188:                href="https://man.openbsd.org/unix.4">unix(4)</a> sockets to prevent
                    189:                potential kernel panics.
1.10      benno     190:        <li>Changed the power management <a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
                    191:                hw.perfpolicy to "auto" at startup, defaulting to 100%
                    192:                performance with AC power connected and using the auto algorithm when
                    193:                on battery.
1.26      benno     194:        <li>Aligned memory allocation for USB device drivers and USB HC
                    195:                drivers, enlarging the USB memory pool.
1.16      benno     196:        <li>Prevented a panic in <a
                    197:                href="https://man.openbsd.org/softraid.4">softraid(4)</a> while
                    198:                rebooting if softraid has been disabled.
                    199:
1.11      benno     200:        <li>Fixed hibernate setups where removal of a <a
                    201:                href="https://man.openbsd.org/umass.4">umass(4)</a> device results in
                    202:                a renumbered <a
                    203:                href="https://man.openbsd.org/softraid.4">softraid(4)</a> boot device.
                    204:        <li>Fixed hibernate on newer hardware by allowing more memory ranges.
1.26      benno     205:        <li>If CPU sleep state S4 is not available, use S5 for the
                    206:                ACPI-transitions in hibernate support.
                    207:        <li>Added code to update hw.power whenever AC state changes on
                    208:                resume.
1.22      benno     209:        <li>Fixed a panic by prohibiting renames of tmpfs mount-points.
1.26      benno     210:        <li>Fixed double free after allocation failure in <a
                    211:                href="https://man.openbsd.org/bpf.4">bpf(4)</a>.
1.1       deraadt   212:   </ul>
                    213:
                    214: <li>SMP Improvements
                    215:   <ul>
1.7       benno     216:        <li>Made pipe event filters MP-safe.
                    217:        <li>Set klist lock for sockets to make socket event filters MP-safe.
                    218:        <li>Implemented <a href="https://man.openbsd.org/poll.2">poll(2)</a>,
                    219:                <a href="https://man.openbsd.org/select.2">select(2)</a>, <a
                    220:                href="https://man.openbsd.org/ppoll.2">ppoll(2)</a> and <a
                    221:                href="https://man.openbsd.org/pselect.2">pselect(2)</a> on top of
                    222:                kqueue.
1.41      deraadt   223:        <li>Unlocked top part of UVM fault handler on mips64.
1.10      benno     224:        <li>Unlocked the <a href="https://man.openbsd.org/kevent.2">kevent(2)</a> system call.
                    225:        <li>Made the kqread event filter MP-safe.
                    226:        <li>Reduced the time overhead of <a
                    227:                href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>-based <a
                    228:                href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
                    229:                href="https://man.openbsd.org/select.2">select(2)</a> system calls by
                    230:                keeping knotes between the system calls.
1.11      benno     231:        <li>Unlocked <a href="https://man.openbsd.org/accept.2">accept(2)</a>
                    232:                and <a href="https://man.openbsd.org/accept4.2">accept4(2)</a>
                    233:                syscalls.
                    234:        <li>Prevented <a
                    235:                href="https://man.openbsd.org/select.2">select(2)</a> from blocking if
                    236:                registering found pending events.
                    237:        <li>Protected <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a>
                    238:                input and output with the kernel lock to allow forwarding of non-ipsec
                    239:                traffic in parallel.
                    240:        <li>Unlocked the bottom part of the uvm fault handler.
                    241:        <li>Unlocked <a href="https://man.openbsd.org/getpeername.2">getpeername(2)</a>.
                    242:        <li>Made <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> MP-safe.
1.14      benno     243:        <li>Implemented the <a
                    244:                href="https://man.openbsd.org/poll.2">poll(2)</a> system call on top
                    245:                of the <a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>
                    246:                subsystem, obsoleting the old, non-MP-safe poll backend.
1.15      benno     247:        <li>Made <a href="https://man.openbsd.org/audio.4">audio(4)</a> event filters MP-safe.
                    248:        <li>Unlocked <a href="https://man.openbsd.org/getsockname.2">getsockname(2)</a>.
                    249:        <li>Added kernel interfaces for atomic load and store functions for int and long to be used in reference counted struct members.
1.1       deraadt   250:   </ul>
                    251:
                    252: <li>Direct Rendering Manager
                    253:   <ul>
1.5       jsg       254:        <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
                    255:            to Linux 5.15.26
                    256:        <li><a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>:
                    257:            support for Elkhart Lake, Jasper Lake, Rocket Lake
                    258:        <li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>:
                    259:            support for Van Gogh APU, Rembrandt "Yellow Carp" Ryzen 6000 APU,
                    260:            Navi 22 "Navy Flounder", Navi 23 "Dimgrey Cavefish",
                    261:            Navi 24 "Beige Goby"
1.1       deraadt   262:   </ul>
                    263:
                    264: <li>VMM/VMD improvements
                    265:   <ul>
1.8       dv        266:        <li>Retired <a href="https://man.openbsd.org/OpenBSD-7.0/switch.4">
                    267:            switch(4)</a> support in <a href="https://man.openbsd.org/vmd.8">
                    268:            vmd(8)</a>.
                    269:        <li>Fixed a bug where <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
                    270:            would exit when requesting a new VM and hitting memory resource
                    271:            limits.
                    272:        <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> state
                    273:            corruption on Intel hosts.
                    274:        <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> cpuid leaf
                    275:            clamping when the host has an invariant TSC.
                    276:        <li>Added quiesce/wakeup hooks to <a href="https://man.openbsd.org/vmm.4">
                    277:            vmm(4)</a> allowing Intel hosts to suspend and hibernate safely with
                    278:            running guests.
                    279:        <li>Added a new login class for <a href="https://man.openbsd.org/vmd.8">
                    280:            vmd(8)</a> on amd64.
1.11      benno     281:        <li>Fixed broken <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
                    282:                "boot device cdrom" feature after a fix in seabios.
                    283:        <li>Reintroduced support for <a
                    284:                href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> <code>start -B net
                    285:                -b bsd.rd</code>, which emulates a PXE boot and performs an
                    286:                autoinstall.
1.16      benno     287:        <li>Made <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> <a
                    288:                href="https://man.openbsd.org/dt.4">dt(4)</a> tracepoints amd64-only.
1.1       deraadt   289:   </ul>
                    290:
                    291: <li>Various new userland features:
                    292:   <ul>
1.7       benno     293:        <li>Added <a
                    294:                href="https://man.openbsd.org/realpath.1">realpath(1)</a>, a wrapper
                    295:                for <a href="https://man.openbsd.org/realpath.3">realpath(3)</a> for
                    296:                use in ports.
                    297:        <li>Added <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> "ls
                    298:                rogue" to show daemons which are running but not set as "enabled" in
                    299:                <a href="https://man.openbsd.org/rc.conf.local.8">rc.conf.local(8)</a>.
1.16      benno     300:        <li>Implemented probe variables in BPFtrace (<a
                    301:                href="https://man.openbsd.org/bt.5">bt(5)</a>).
1.7       benno     302:        <li>Provided common <a
                    303:                href="https://man.openbsd.org/btrace.8">btrace(8)</a> scripts
                    304:                kprofile.bt (to save kernel stackframes and produce flamegraphs) and
                    305:                runqlat.bt (to measure the latency of the scheduler runqueues).
1.16      benno     306:        <li>DNSSEC support: Implemented RFC6840 (AD flag processing) in the libc resolver, if
1.11      benno     307:                using trusted name servers specified with 'trust-ad' in <a
1.41      deraadt   308:                href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>
1.14      benno     309:        <li>Enabled support for displaying an estimated battery recharge time
                    310:                in <a href="https://man.openbsd.org/apm.8">apm(8)</a> and <a
                    311:                href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
                    312:        <li>Introduced support for storing capability databases in
                    313:                /etc/login.conf.d, allowing easy addition of custom login classes from
1.16      benno     314:                packages and made <a
                    315:                href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> look for the login
                    316:                class in both login.conf and login.conf.d/${class}.
                    317:        <li>Added a <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
                    318:                cache of regions between 128k and 2M to accommodate programs
                    319:                allocating and deallocating regions of these sizes quickly.
1.65    ! tb        320:        <li>Added <a href="https://man.openbsd.org/pax.1">pax(1)</a> support
1.16      benno     321:                for mtime/atime/ctime extended headers (in not-SMALL builds).
                    322:        <li>Added -k flag to <a
                    323:                href="https://man.openbsd.org/gzip.1">gzip(1)</a> and <a
                    324:                href="https://man.openbsd.org/gunzip.1">gunzip(1)</a> to retain
                    325:                (de)compressed file.
1.22      benno     326:        <li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> --compare-dest, allowing specification of additional directories to check for files to be available.
                    327:        <li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> --max-size and --min-size.
1.1       deraadt   328:   </ul>
                    329:
                    330: <li>Various bugfixes and tweaks in userland:
                    331:   <ul>
1.62      espie     332:        <li>Reliability and performance of
                    333:                <a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>:
                    334:                fixed a bug which resulted in a "XXX" warning for
                    335:                "shouldn't ever happen" situations in a scenario that
                    336:                was actually harmless.
                    337:                Also massively improved performance in scenarios like
                    338:                texlive updates, by reducing filesystem name churn when
                    339:                updated files didn't change.
1.16      benno     340:        <li>Enabled subpixel rendering in FreeType.
                    341:        <li>Updated xorg-server to 21.1.3, leaving in place an earlier change
                    342:                to compute the screen resolution from dimensions returned by the
                    343:                screen, reverted by upstream.
                    344:        <li>Allowed bare numbers for key and mouse bindings in <a
                    345:                href="https://man.openbsd.org/cwm.1">cwm(1)</a>.
                    346:        <li>Added a <a href="https://man.openbsd.org/cwm.1">cwm(1)</a>
                    347:                "group-last" command that shows only the previously active group.
                    348:        <li>Fixed glass console and <a href="https://man.openbsd.org/getty.8">getty(8)</a> interference with Xorg on arm64.
                    349:
                    350:        <li>Fixed octal escape parsing in <a
                    351:                href="https://man.openbsd.org/tr.1">tr(1)</a> backslash().
                    352:        <li>Added <a href="https://man.openbsd.org/uniq.1">uniq(1)</a>
                    353:                support for arbitrarily long input lines.
                    354:        <li>Made <a href="https://man.openbsd.org/uniq.1">uniq(1)</a> ignore
                    355:                trailing newlines when comparing lines.
                    356:        <li>Made <a href="https://man.openbsd.org/uniq.1">uniq(1)</a> skip()
                    357:                each input line only once, improving performance.
                    358:        <li>Increased <a href="https://man.openbsd.org/tee.1">tee(1)</a> I/O
1.56      tj        359:                buffer size from 8KB to 64KB.
1.16      benno     360:        <li>Improved performance of <a
                    361:                href="https://man.openbsd.org/rev.1">rev(1)</a>.
                    362:        <li>Made <a href="https://man.openbsd.org/ed.1">ed(1)</a> flush all
                    363:                stdio streams before running a shell command.
                    364:        <li>Prevented a file descriptor leak in <a
                    365:                href="https://man.openbsd.org/touch.1">touch(1)</a> after <a
                    366:                href="https://man.openbsd.org/futimens.2">futimens(2)</a> failure.
                    367:        <li>Added <a href="https://man.openbsd.org/seq.1">seq(1)</a>, a
                    368:                command to print sequences of numbers.
                    369:
1.22      benno     370:        <li>Set cpuspeed to 0 in <a
                    371:                href="https://man.openbsd.org/apm.8">apm(8)</a> when hw.cpuspeed
                    372:                cannot be retrieved.
1.16      benno     373:
                    374:        <li>Copied the <a href="https://man.openbsd.org/cos.3">cos(3)</a>
                    375:                cosine software implementation from FreeBSD-13, and disabled assembly
                    376:                implementations of trig functions on x86 platforms.
                    377:        <li>Added optimization for tiny x in <a
                    378:                href="https://man.openbsd.org/cos.3">cos(3)</a> and <a
1.21      tj        379:                href="https://man.openbsd.org/sin.3">sin(3)</a> trigonometry
                    380:                functions.
1.16      benno     381:
                    382:        <li>Switched <a href="https://man.openbsd.org/aucat.1">aucat(1)</a>
                    383:                internal sample representation and default file encoding to 24-bit.
                    384:        <li>Switched <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
                    385:                internal sample representation to 24-bit fixed point.
                    386:
                    387:        <li>Allowed passing a different signal than SIGTERM in the default
                    388:                rc_stop() function in <a
                    389:                href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>.
                    390:        <li>Improved and simplified timer handling in <a
                    391:                href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> "stop" and "reload".
                    392:
1.19      krw       393:        <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
                    394:                -b available on all architectures.
1.7       benno     395:        <li>Removed the constraint that <a
1.19      krw       396:                href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -b block
                    397:                count and block offset must be greater than 63.
                    398:        <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -b
                    399:                partitions other than EFI System partitions DOSACTIVE.
                    400:        <li>Switched to using <a
                    401:                href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -b to create boot
                    402:                partitions on multiple architectures.
1.16      benno     403:        <li>Removed <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
                    404:                "disk" editing command.
1.19      krw       405:        <li>Prevented <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
                    406:                from initializing an MBR to have overlapping partitions 0 and 3.
1.16      benno     407:        <li>Allowed <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to
                    408:                extend the default OpenBSD partition to the end of the disk, rather
                    409:                than truncating at the end of the last full cylinder.
1.19      krw       410:        <li>Corrected GPT checksums written by <a
1.16      benno     411:                href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> on big-endian
                    412:                architectures to be little-endian as per spec.
                    413:        <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -A
                    414:                preserve BIOS boot partition.
1.19      krw       415:        <li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -A
                    416:                preserve the EFI System partition on GPT disks with Apple APFS partitions.
                    417:        <li>Removed the builtin MBR from <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>.
                    418:        <li>Removed the "rpath" and "wpath" pledges from <a
                    419:                href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>.
                    420:        <li>Ensured <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
                    421:                creates the default OpenBSD MBR partition only when there is space for it.
                    422:        <li>Ensured <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
                    423:                does not set MBR DOSACTIVE flag on unused partitions when initializing MBR.
                    424:        <li>Reduced the alignment space <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
                    425:                inserts before the start of the default OpenBSD partition.
1.16      benno     426:
1.7       benno     427:        <li>Merged bugfixes from upstream into <a
                    428:                href="https://man.openbsd.org/less.1">less(1)</a> including fixes for
                    429:                the prompt hiding feature (CTRL-P) and an integer overflow.
1.16      benno     430:        <li>Fixed possible use after free with long lines in <a
                    431:                href="https://man.openbsd.org/less.1">less(1)</a>.
1.7       benno     432:        <li>Fixed file descriptor leak of /dev/tty on <a
                    433:                href="https://man.openbsd.org/doas.1">doas(1)</a> auth failure.
                    434:        <li>Replaced <a href="https://man.openbsd.org/lrint.3">lrint(3)</a>,
                    435:                <a href="https://man.openbsd.org/lrintf.3">lrintf(3)</a>, <a
                    436:                href="https://man.openbsd.org/llrint.3">llrint(3)</a> and <a
                    437:                href="https://man.openbsd.org/llrintf.3">llrintf(3)</a>
                    438:                implementations from NetBSD with the existing FreeBSD implementations
                    439:                we were already using for <a
                    440:                href="https://man.openbsd.org/lrintl.3">lrintl(3)</a> and <a
                    441:                href="https://man.openbsd.org/llrintl.3">llrintl(3)</a>.
1.16      benno     442:        <li>In various games, call <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
1.7       benno     443:                later to prevent it from killing various games using ncurses when both
                    444:                stdout and stderr are redirected to a non-tty.
1.16      benno     445:        <li>Switched LLD_ARCHs (architectures using the LLVM <a
                    446:                href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a> linker) to also
                    447:                use the LLVM archiver <a
                    448:                href="https://man.openbsd.org/llvm-ar.1">llvm-ar(1)</a>.
1.24      benno     449:        <li>Added openvpn ports (udp/1194 &amp; tcp/1194) to /etc/services.
1.16      benno     450:        <li>Prevented an access to uninitialized memory in <a
                    451:                href="https://man.openbsd.org/awk.1">awk(1)</a>.
                    452:        <li>Fixed <a href="https://man.openbsd.org/vi.1">vi(1)</a> recovery
                    453:                mode.
                    454:        <li>Extended and reordered the process accounting information
                    455:                structure <a href="https://man.openbsd.org/acct.5">acct(5)</a>. Flag
                    456:                Day for the <a href="https://man.openbsd.org/acct.2">acct(2)</a> file
                    457:                format.
                    458:        <li>Fixed <a
                    459:                href="https://man.openbsd.org/setusercontext.3">setusercontext(3)</a>
                    460:                error when /etc/login.conf is not present.
1.1       deraadt   461:   </ul>
                    462:
                    463: <li>Improved hardware support and driver bugfixes, including:
                    464:   <ul>
1.7       benno     465:        <li>Added support to <a
                    466:                href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a> for Cannon
                    467:                Lake H and Tiger Lake H platforms.
                    468:        <li>Ensured use of the correct encoding in xenocara when /etc/kbdtype
                    469:                is present with an attached <a
                    470:                href="https://man.openbsd.org/ucc.4">ucc(4)</a> keyboard.
                    471:        <li>Added support for tpm2 CRB interface to <a
                    472:                href="https://man.openbsd.org/tpm.4">tpm(4)</a>, fixing recent S4
                    473:                regressions on the Surface Go 2 caused by a firmware change.
1.65    ! tb        474:        <li>Ensured armv7 and arm64 efiboot allocate fresh memory for the
1.7       benno     475:                device tree with at least one page of free space to extend into. This
                    476:                fixes booting on VMware Fusion.
1.10      benno     477:        <li>Stopped binding audio devices exposed by <a
                    478:                href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> to physical
                    479:                devices. <!-- XXX check this -->
                    480:        <li>Fixed handling of interrupts shared between multiple <a
                    481:                href="https://man.openbsd.org/dwiic.4">dwiic(4)</a> devices.
1.11      benno     482:        <li>Introduced <a
                    483:                href="https://man.openbsd.org/iicmux.4">iicmux(4)</a>, a driver that
                    484:                switches between I2C busses connected to a single I2C controller by
                    485:                using the pin muxing facilities of an SoC.
                    486:        <li>Introduced <a
                    487:                href="https://man.openbsd.org/pcyrtc.4">pcyrtc(4)</a>, a driver for
                    488:                the NXP PCF85063A/TP RTC chips.
                    489:        <li>Fixed a panic when running <a
                    490:                href="https://man.openbsd.org/utvfu.4">utvfu(4)</a> on <a
                    491:                href="https://man.openbsd.org/xhci.4">xhci(4)</a>.
                    492:        <li>Added <a href="https://man.openbsd.org/acpipci.4">acpipci(4)</a>
                    493:                support for interrupts represented by ACPI PCI Interrupt Link Devices,
                    494:                making PCI interrupts work on QEMU's SBSA target.
1.16      benno     495:        <li>Added handling of multi-port controllers to <a
                    496:                href="https://man.openbsd.org/uslcom.4">uslcom(4)</a>.
                    497:        <li>Made <a href="https://man.openbsd.org/com.4">com(4)</a> attach
                    498:                over <a href="https://man.openbsd.org/acpi.4">acpi(4)</a> on amd64.
                    499:        <li>Added address locators for the ACPI "bus" and used these to fix
                    500:                the order of the <a href="https://man.openbsd.org/com.4">com(4)</a>
                    501:                devices to match the traditional order on the ISA bus.
                    502:        <li>Added Intel Jasper Lake to the <a
                    503:                href="https://man.openbsd.org/azalia.4">azalia(4)</a> audio driver.
                    504:        <li>Ensured <a href="https://man.openbsd.org/azalia.4">azalia(4)</a>
                    505:                matches on Intel 300 Series audio, fixing attaching on the Dell G3
                    506:                3590.
                    507:        <li>Added Synopsys Designware UART support to <a
                    508:                href="https://man.openbsd.org/com.4">com(4)</a>.
                    509:        <li>Fixed an issue where <a
                    510:                href="https://man.openbsd.org/com.4">com(4)</a> would attach for a
                    511:                disabled serial port leading to misdirection of the hardware variant
                    512:                and a subsequent hang when /etc/rc runs <a
                    513:                href="https://man.openbsd.org/ttyflags.8">ttyflags(8)</a> -a.
                    514:        <li>Fixed <a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> for
                    515:                Jasper Lake eMMC.
                    516:        <li>Improved how quirks are handled on <a
                    517:                href="https://man.openbsd.org/sdhc.4">sdhc(4)</a>-compatible drivers.
                    518:        <li>Enabled <a
                    519:                href="https://man.openbsd.org/acpibat.4">acpibat(4)</a> use with the
                    520:                Surface Go 3.
                    521:        <li>Fixed suspend/resume issues with <a
                    522:                href="https://man.openbsd.org/com.4">com(4)</a> at <a
                    523:                href="https://man.openbsd.org/acpi.4">acpi(4)</a>.
                    524:        <li>Correlated <a
                    525:                href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> and <a
1.31      jsg       526:                href="https://man.openbsd.org/ucc.4">ucc(4)</a> devices
                    527:                to adjust the volume of the correct audio device
1.16      benno     528:                rather than the first one attached.
1.31      jsg       529:        <li>Enabled FIFO support in <a
1.16      benno     530:                href="https://man.openbsd.org/pluart.4">pluart(4)</a>.
1.31      jsg       531:        <li>Added support for Xbox One game controller.
1.16      benno     532:        <li>Stopped suspending the <a
                    533:                href="https://man.openbsd.org/tpm.4">tpm(4)</a> device upon
                    534:                hibernation, preventing some systems from hanging when hibernating a
                    535:                second time.
                    536:        <li>Fixed <a href="https://man.openbsd.org/hilkbd.4">hilkbd(4)</a>
                    537:                Swedish keyboard layout on non-PS/2 style keyboards.
1.1       deraadt   538:   </ul>
                    539:
                    540: <li>New or improved network hardware support:
                    541:   <ul>
1.16      benno     542:        <li>Added support to <a
                    543:                href="https://man.openbsd.org/umb.4">umb(4)</a> for SIMCom SIM7600.
1.7       benno     544:        <li>Fixed an interrupt storm on <a
                    545:                href="https://man.openbsd.org/dwge.4">dwge(4)</a> variants which
                    546:                support Energy Efficient Ethernet when connected to a switch which
                    547:                does so as well.
1.28      jmatthew  548:        <li>Made <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> and <a
                    549:                href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> MP-safe.</li>
1.10      benno     550:        <li>Added <a href="https://man.openbsd.org/igc.4">igc(4)</a>, a
                    551:                driver for the Intel 2.5Gb Ethernet controllers.
1.11      benno     552:        <li>Implemented <a href="https://man.openbsd.org/em.4">em(4)</a>
                    553:                support for selecting SGMII or SerDes mode depending on the plugged-in
                    554:                SFP transceiver and for reading out transceiver information via <a
                    555:                href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
1.16      benno     556:        <li>Enabled hardware vlan tagging for <a
                    557:                href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
                    558:        <li>Re-enabled <a href="https://man.openbsd.org/ixl.4">ixl(4)</a>
                    559:                IPv4, TCP4/6 and UDP4/6 checksum offloading. <li>Enabled receive
                    560:                checksum offloading on <a
                    561:                href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
                    562:        <li>Prevented a possible deadlock in <a
                    563:                href="https://man.openbsd.org/cad.4">cad(4)</a>.
1.22      benno     564:        <li>Prevented <a href="https://man.openbsd.org/aq.4">aq(4)</a> NICs
                    565:                from writing to mbufs taken off the ring when the interface was taken
                    566:                down.
1.28      jmatthew  567:        <li>Fixed receive filter handling and vlan packet reception in <a
1.16      benno     568:                href="https://man.openbsd.org/aq.4">aq(4)</a>.
1.28      jmatthew  569:        <li>Enabled vlan and checksum offloads in <a
1.16      benno     570:                href="https://man.openbsd.org/aq.4">aq(4)</a>.
1.28      jmatthew  571:        <li>Enabled interrupt moderation in <a
1.16      benno     572:                href="https://man.openbsd.org/aq.4">aq(4)</a>, aiming at around 20k
                    573:                per second.
                    574:        <li>Fixed <a href="https://man.openbsd.org/ure.4">ure(4)</a> vlan
                    575:                transmission with hw tagging.
1.28      jmatthew  576:        <li>Added preliminary <a
                    577:                href="https://man.openbsd.org/ure.4">ure(4)</a> support for RTL8156B
                    578:                and bug fixes for RTL8153/RTL8156.
1.22      benno     579:        <li>Reworked <a href="https://man.openbsd.org/ix.4">ix(4)</a>
                    580:                checksum/vlan offloading and enabled it for IPv6.
                    581:        <li>Enabled IP header checksum offloading in <a
                    582:                href="https://man.openbsd.org/ix.4">ix(4)</a>.
1.30      jmatthew  583:        <li>Fixed <a href="https://man.openbsd.org/msk.4">msk(4)</a> operation
                    584:                after interface state changes.
1.35      dv        585:        <li>Enabled <a href="https://man.openbsd.org/vmx.4">vmx(4)</a> on arm64.
1.1       deraadt   586:   </ul>
                    587:
                    588: <li>Added or improved wireless network drivers:
                    589:   <ul>
1.33      stsp      590:        <li>Introduced <a href="https://man.openbsd.org/mtw.4">mtw(4)</a>, a
                    591:                driver for MediaTek MT7601U USB wifi devices, enabled on amd64, i386, macppc, and arm64.
                    592:        <li>Added 802.11n Tx aggregation support to the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> driver.
                    593:        <li>Added support for 802.11n 40MHz channels, and 802.11ac 80MHz channels, to the <a
                    594:                href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
                    595:                href="https://man.openbsd.org/iwx.4">iwx(4)</a> drivers.
                    596:        <li>Reset the Tx watchdog timer when a block ack notification is received by
1.7       benno     597:                <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> and <a
1.64      jsg       598:                href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware to prevent spurious device timeouts.
1.33      stsp      599:        <li>Prevented invalid net80211 state transitions in the
                    600:                <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
                    601:                <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> drivers
                    602:                to avoid a potential hang.
1.7       benno     603:        <li>Fixed a panic when <a
                    604:                href="https://man.openbsd.org/iwx.4">iwx(4)</a> cannot find firmware
                    605:                at boot time.
                    606:        <li>Fixed <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
                    607:                performance drop after roaming between APs in 11n mode.
1.33      stsp      608:        <li>When roaming with <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> or
                    609:           <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, keep the old BSSID available for use by firmware
                    610:           commands which tear down device state before switching to the new AP.
                    611:        <li>Fixed race conditions in the <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
                    612:           <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> drivers while roaming between APs with
                    613:           outstanding frames on transmit queues.
1.7       benno     614:        <li>Reverted to use <a
                    615:                href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware v17 on Intel
                    616:                AC 7265, fixing instability issues on X1 Carbon gen3.
1.33      stsp      617:        <li>Explicitly stopped <a
                    618:                href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx block ack sessions when
1.7       benno     619:                roaming between access points.
1.11      benno     620:        <li>Fixed monitor mode on <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
                    621:        <li>Let <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> and <a
                    622:                href="https://man.openbsd.org/iwm.4">iwm(4)</a> use per-Tx-queue
1.33      stsp      623:                interface timers to ensure the Tx watchdog triggers if a particular Tx queue gets
1.11      benno     624:                stuck.
1.33      stsp      625:        <li>Switched <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> to new -67 firmware images, and updated <a
                    626:            href="https://man.openbsd.org/iwm.4">iwm(4)</a> 9260 and 9560 firmware, to address INTEL-SA-00509.
1.11      benno     627:        <li>Made <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> attach to PCI devices with product ID 0x31dc, part of the 9560 chip family.
1.33      stsp      628:        <li>Fixed wrong pointer assignment causing the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
                    629:        driver to read Rx block ack request information from the wrong offset.
                    630:        <li>Fixed and reenabled use of probe requests during scans on <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
                    631:        <li>Fixed attach of multiple <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> or <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> interfaces in the same machine.
                    632:        <li>Fixed <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> with 4965 devices.
1.15      benno     633:        <li>Improved roaming stability on <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, particularly with wpa_supplicant.
1.16      benno     634:        <li>Added relicensed wireless firmwares from Realtek for <a
                    635:                href="https://man.openbsd.org/rsu.4">rsu(4)</a>, <a
                    636:                href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and <a
                    637:                href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> devices, allowing
                    638:                these devices to work without requiring a separate firmware download.
                    639:        <li>Added a workaround for buggy <a
                    640:                href="https://man.openbsd.org/athn.4">athn(4)</a> devices to prevent
                    641:                filling up the node cache when used in hostap mode.
                    642:        <li>Applied a workaround in <a
                    643:                href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a> to fix an
                    644:                external abort under load with <a
                    645:                href="https://man.openbsd.org/athn.4">athn(4)</a>.
                    646:        <li>Made <a href="https://man.openbsd.org/athn.4">athn(4)</a> attach
                    647:                to the Sony UWA-BR100.
                    648:        <li>Fixed "(null node)" panics on <a href="https://man.openbsd.org/run.4">run(4)</a>.
                    649:        <li>Disabled minimum power consumption in <a
                    650:                href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> hostap mode,
                    651:                improving connection reliability when used as an access point.
                    652:        <li>Added support for the BCM4387 to <a
                    653:                href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
                    654:        <li>Improved TX performance on <a
                    655:                href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> RTL8192EU devices.
                    656:        <li>Fixed TX rate used by <a
                    657:                href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and <a
                    658:                        href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> for RTS frames.
1.1       deraadt   659:   </ul>
                    660:
                    661: <li>IEEE 802.11 wireless stack improvements and bugfixes:
                    662:   <ul>
1.7       benno     663:        <li>Added an ADDBA_OFFLOAD capability for wifi devices to manage Tx block ack sessions entirely in firmware.
1.33      stsp      664:        <li>Added support for 40MHz channels to net80211 Tx rate adaptation in 11n mode.
1.7       benno     665:        <li>Added monitoring of 20/40MHz channel width changes in beacons sent by our access point, notifying drivers when the channel width has changed.
1.33      stsp      666:        <li>Introduced an optional background-scan handler for wireless drivers, which drivers can use to take control of the device teardown sequence, ensuring that race conditions between firmware state and net80211 state are avoided.
                    667:        <li>Taught the net80211 stack to remove corresponding frames from ic_pwrsaveq when a power-saving client decides to leave our hostap interface, preventing a panic in the <a
                    668:                href="https://man.openbsd.org/athn.4">athn(4)</a> driver.
1.15      benno     669:        <li>Added initial 802.11ac (VHT) support to the wifi stack.
1.33      stsp      670:        <li>Made <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> show 802.11ac VHT capability and operation IEs with the IEEE802_11_RADIO data link type (-y) in verbose (-v) mode.
                    671:        <li>Added 802.11ac/VHT TX rate adaptation support to net80211.
1.15      benno     672:        <li>When choosing networks during SSID selection, give a higher score to 11ac and 11n access points, prioritizing 11ac.
1.33      stsp      673:        <li>When choosing from a set of access points for a given SSID, prefer APs on 5GHz channels over APs on 2GHz channels. This was already supposed to happen in earlier OpenBSD releases but did not always work as intended.
1.1       deraadt   674:   </ul>
                    675:
                    676: <li>Generic network stack improvements and bugfixes:
                    677:   <ul>
1.7       benno     678:        <li>Fixed <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> $nr incorrect macro expansion.
1.15      benno     679:        <li>Fixed <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> rdr-to rules failing on certain port ranges when explicitly specified.
                    680:        <li>Ensured the <a href="https://man.openbsd.org/pf.4">pf(4)</a> "set prio" values are checked consistently.
1.11      benno     681:        <li>Made "set skip on ..." in <a
                    682:                href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> dynamic; with
                    683:                this, "set skip" can be used on interfaces that are not configured
                    684:                yet.
1.22      benno     685:        <li>Protected <a
                    686:                href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> tdb flags and
                    687:                lists with a mutex to prevent crashes involving pfsync, IPsec and
                    688:                parallel forwarding.
                    689:
                    690:        <li>Added support for PPP IPCP extensions for DNS to <a
                    691:                href="https://man.openbsd.org/sppp.4">sppp(4)</a>.
                    692:        <li>Added display of DNS information from <a
                    693:                href="https://man.openbsd.org/sppp.4">sppp(4)</a> to <a
                    694:                href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
                    695:        <li>Switched to calculating <a
                    696:                href="https://man.openbsd.org/pppoe.4">pppoe(4)</a> session duration
                    697:                using system uptime rather than UTC.
                    698:
                    699:        <li>Fixed <a href="https://man.openbsd.org/veb.4">veb(4)</a> vport
                    700:                handling to prevent improper drop of packets leaving a vport
                    701:                interface.
                    702:        <li>Prevented tweaks to <a
                    703:                href="https://man.openbsd.org/tun.4">tun(4)</a> if_flags when the
                    704:                NET_LOCK isn't held.
                    705:        <li>Prevented reopening of <a
                    706:                href="https://man.openbsd.org/tun.4">tun(4)</a>/<a
                    707:                href="https://man.openbsd.org/tap.4">tap(4)</a> interfaces which are
                    708:                being destroyed.
1.15      benno     709:        <li>Rewrote <a href="https://man.openbsd.org/vxlan.4">vxlan(4)</a> to
                    710:                operate independently of <a
                    711:                href="https://man.openbsd.org/bridge.4">bridge(4)</a>, create and bind
                    712:                udp sockets and prevent loops.
1.22      benno     713:        <li>Stopped hiding the mtu on "bridge" interfaces which do handle l3
                    714:                traffic in <a
                    715:                href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
                    716:        <li>Added mbuf tags to prevent output loops in <a
                    717:                href="https://man.openbsd.org/etherip.4">etherip(4)</a>.
                    718:        <li>Added rtable capability to <a
                    719:                href="https://man.openbsd.org/login.conf.5">login.conf(5)</a>,
                    720:                allowing the rtable a process uses to be specified.
                    721:        <li>Made <a href="https://man.openbsd.org/su.1">su(1)</a> honor the
                    722:                login class routing table when doing a full login with su -l.
                    723:        <li>Fixed IP output routines on raw sockets so route sourceaddr can
                    724:                take effect using <a
                    725:                href="https://man.openbsd.org/sendto.2">sendto(2)</a> or similar.
                    726:        <li>Ensured <a
                    727:                href="https://man.openbsd.org/pcap_lookupdev.3">pcap_lookupdev(3)</a>
                    728:                matches only on complete interface names.
1.1       deraadt   729:   </ul>
                    730:
                    731: <li>Installer and upgrade improvements:
                    732:   <ul>
1.22      benno     733:        <li>Corrected installer to understand "inet autoconf" properly in <a
1.7       benno     734:                href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
1.22      benno     735:        <li>Stopped prompting whether to fall back to HTTP in the installer,
                    736:                making the fallback automatic.
1.7       benno     737:        <li>Used <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
                    738:                "join" command by default in <a
                    739:                href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files,
                    740:                replacing the old "nwid".
1.22      benno     741:        <li>Replaced custom bootloader installation code with <a
                    742:                href="https://man.openbsd.org/installboot.8">installboot(8)</a> on
                    743:                riscv64 and armv7 architecture installations.
                    744:        <li>New logic for <a
                    745:                href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> to avoid
                    746:                excessive moving of files during updates when possible.
                    747:        <li>Documented OpenBSD installation and upgrade customization using the <a
                    748:                href="https://man.openbsd.org/install.site.5">install.site(5)</a> file.
1.10      benno     749:        <li>Corrected "!" escape handling in the installer when accepting WEP/WPA passphrase.
1.22      benno     750:        <li>Prevented a potential race which could make <a
                    751:                href="https://man.openbsd.org/umount.8">umount(8)</a> fail spuriously
                    752:                in the installer.
                    753:        <li>Made <a href="https://man.openbsd.org/config.8">config(8)</a> -e
                    754:                work with ramdisk kernels.
1.11      benno     755:        <li>Made <a href="https://man.openbsd.org/config.8">config(8)</a> -c
                    756:                cmdfile use lines from the command file for all input, not just
                    757:                commands. This allows complex actions like changing device parameters.
1.22      benno     758:        <li>Ensured that an interrupted arm64 install from the ramdisk kernel
                    759:                can be restarted.
1.41      deraadt   760:        <li>Made redistributable firmwares available across all architectures.
1.11      benno     761:        <li>Returned to a shell-script based <a
                    762:                href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>, written
                    763:                to be usable by the install script, allowing earlier retrieval of
                    764:                downloaded firmwares.
                    765:        <li>Stopped <a
                    766:                href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> from
                    767:                downloading SHA256.sig when not needed, to allow installing local
                    768:                files without network access.
                    769:        <li>Modified the installer to use <a
                    770:                href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> to install
                    771:                non-free firmware files if present on the install media.
1.22      benno     772:        <li>Made <a
                    773:                href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>
                    774:                re-download existing files with failed checksums.
                    775:        <li>Made <a
                    776:                href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> use the
                    777:                /snapshots directory only on -current snapshot installations.
1.1       deraadt   778:   </ul>
                    779:
                    780: <li>Security improvements:
                    781:   <ul>
1.22      benno     782:        <li>Clear the length of keys in <a href="https://man.openbsd.org/vnconfig.8">vnconfig(8)</a> alongside keys themselves.
1.7       benno     783:        <li>Removed hifn(4), safe(4) and ubsec(4) crypto drivers.
                    784:        <li>Added call to <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to restrict <a href="https://man.openbsd.org/stty.1">stty(1)</a> -f filesystem access.
1.10      benno     785:        <li>Disabled <a href="https://man.openbsd.org/xterm.1">xterm(1)</a> mouse tracking by default.
1.22      benno     786:        <li>On arm64 architectures, use "rng-seed" and "kaslr-seed" properties from the device tree to mix extra entropy into the random pool.
1.15      benno     787:        <li>Made <a href="https://man.openbsd.org/apmd.8">apmd(8)</a> replace /etc/random.seed for hibernate-resumes.
1.11      benno     788:        <li>Restricted <a
                    789:                href="https://man.openbsd.org/usbhidctl.1">usbhidctl(1)</a> and <a
                    790:                href="https://man.openbsd.org/usbhidaction.1">usbhidaction(1)</a> file
                    791:                system access with <a
                    792:                href="https://man.openbsd.org/unveil.2">unveil(2)</a>.
1.14      benno     793:        <li>Added <a href="https://man.openbsd.org/ps.1">ps(1)</a> status flag "c" to indicate a process is chrooted.
1.15      benno     794:        <li>In <a
                    795:                href="https://man.openbsd.org/rpc.rusersd.8">rpc.rusersd(8)</a> <a
                    796:                href="https://man.openbsd.org/unveil.2">unveil(2)</a> "/dev" read-only
                    797:                instead of using <a
                    798:                href="https://man.openbsd.org/chroot.2">chroot(2)</a>.
1.1       deraadt   799:   </ul>
                    800:
                    801: <li>Routing daemons and other userland network improvements:
                    802:   <ul>
1.40      benno     803:
                    804:        <li><i>switchd(8)</i>, the software-defined networking (SDN) sflow
                    805:                controller, was removed. While interesting, the OpenFlow implementation
                    806:                never managed to really get into a usable state.
1.11      benno     807:        <li>Switched <a href="https://man.openbsd.org/nsd.8">nsd(8)</a> to enable DNS cookies by default, matching the behavior as released in OpenBSD 7.0.
1.7       benno     808:        <li>Ensured enabled resolvers are honored by <a href="https://man.openbsd.org/unwind.8">unwind(8)</a> to keep unused forwarders disabled properly.
1.11      benno     809:        <li>Installed missing scope identifiers for IPv6 link-local addresses for <a href="https://man.openbsd.org/unwind.8">unwind(8)</a> and <a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>.
                    810:        <li>Allowed interface names as scope-id in IPv6 link-local addresses in <a href="https://man.openbsd.org/unbound.8">unbound(8)</a>.
1.15      benno     811:        <li>Let <a href="https://man.openbsd.org/unwind.8">unwind(8)</a> probe for DNS64 presence with an absolute name, so asr doesn't add search domains and retry.
1.7       benno     812:        <li>Stopped duplicating "Connection: close" headers in <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>, only adding it if it's not a websocket response.
1.11      benno     813:        <li>Modified <a href="https://man.openbsd.org/syslog.conf.5">syslog.conf(5)</a> examples to use TLS rather than the plaintext protocols.
                    814:        <li>Stopped ignoring <a href="https://man.openbsd.org/carp.4">carp(4)</a> interfaces in <a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>.
                    815:        <li>Made the <a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> host name DHCP option configurable.
                    816:        <li>Prevented a crash in <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> due to updating an interface which no longer exists.
1.15      benno     817:        <li>Prevented a potential crash when <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> receives more than 7 nameservers.
                    818:        <li>Fixed crash in <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> when receiving a negative length field for DNS labels.
1.11      benno     819:        <li>Fixed <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>; create permissions are required for databases.
                    820:        <li>Made <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> start listening on interfaces in the 'down' state. Interfaces can come up later, at which point dhcpd(8) will start receiving packets.
                    821:        <li>Added a basic printer for EAPOL packets to <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>.
1.15      benno     822:        <li>Made <a href="https://man.openbsd.org/ping.8">ping(8)</a> print out the source address and sequence number when the signature on an icmp echo reply doesn't match.
                    823:        <li>Rate limit <a href="https://man.openbsd.org/rad.8">rad(8)</a> router advertisements according to RFC 4861.
1.22      benno     824:
1.25      benno     825:        <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
                    826:        <ul>
1.29      jsg       827:            <li>Stop verifying the cert or CA for a relay using opportunistic TLS.
1.25      benno     828:            <li>Enabled TLS verify by default for outbound "smtps://" and "smtp+tls://", restoring documented <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> behavior.
                    829:        </ul>
                    830:
1.22      benno     831:        <li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> received new features and bugfixes:
                    832:        <ul>
                    833:            <li>Respond with 400 Bad Request when a client sends header lines without a colon.
                    834:            <li>Added protocol version checking.
                    835:            <li>Annotated an <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> 413 error with "request body too large" in the error log.
                    836:            <li>Corrected <a
                    837:                href="https://man.openbsd.org/httpd.8">httpd(8)</a> version string
                    838:                checking, responding with 505 Version Not Supported rather than 400
                    839:                Bad Request when the version format is incorrect.
                    840:            <li>Stop sending content alongside responses to HEAD requests.
                    841:            <li>Added support for custom error pages.
                    842:            <li>Added a gzip-static option to <a
                    843:                href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>,
                    844:                allowing delivery of precompressed files with content-encoding gzip.
                    845:            <li>Improved handling of static compressed gzip files.
                    846:        </ul>
                    847:
1.29      jsg       848:        <li>IPsec support was improved:
1.22      benno     849:        <ul>
                    850:            <li>Made <a href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> proto config option accept a list to allow specifying multiple protocols for a single policy.
                    851:            <li>Fixed removal of SAs that could not be flushed with <a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> -F.
                    852:            <li>Changed <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a> to log a warning when proto is NULL rather than dereferencing it.
                    853:            <li>Fixed broken key exchange negotiation with matching proposals in <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
                    854:            <li>Added <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> "show certinfo" to show trusted CAs and certificates.
                    855:            <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -V to display the version.
                    856:            <li>Fixed a bug where <a href="https://man.openbsd.org/iked.8">iked(8)</a> sent zero-prefixed NAT-T messages on port 500, causing parsing errors.
                    857:            <li>Improved message fragment retransmissions for <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
                    858:            <li>Made sure <a href="https://man.openbsd.org/iked.8">iked(8)</a> vroute messages are correctly aligned, which fixes autoconfiguration of addresses on octeon.
                    859:        </ul>
1.34      claudio   860:        <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> was
                    861:                made more resilient regarding untrusted input. The following
                    862:                bugfixes and improvements were made:
1.22      benno     863:        <ul>
                    864:            <li>Added support for validating BGPsec Router Public Keys.
                    865:            <li>Fix issues with chunked transfer encoding in the RRDP HTTP client.
                    866:            <li>Cleanup and improvement of how IO is handled.
                    867:            <li>Improvements in the way X509 certificates are verified.
                    868:            <li>Limit the number of concurrent rsync processes.
                    869:            <li>Fix CRLF in tal files.
                    870:            <li>Enforce the correct namespace of rrdp files.
                    871:            <li>Fail certificate verification if a certificate contains unknown
                    872:                critical extensions.
                    873:            <li>Improve cleanup of rrdp directory contents.
                    874:            <li>Introduce a validated cache which holds all the files that have
                    875:                successfully been verified by rpki-client.
1.24      benno     876:            <li>Add a new option '-f &lt;file&gt;' to validate a signed object in a file
1.22      benno     877:                against the RPKI cache.
                    878:            <li>Add various RFC 6488 compliance checks to improve the CMS parser.
                    879:            <li>Improve RRDP replication through less aggressive cache cleanup.
                    880:            <li>Add a check whether a given Manifest EE certificate is listed on the
                    881:                applicable CRL.
                    882:            <li>For forward compatibility permit ASPA object to appear on Manifests.
1.24      benno     883:            <li>Various improvements to the '-f &lt;file&gt;' diagnostic option to
1.22      benno     884:                now also validate files containing Trust Anchor certs and CRLs.
                    885:            <li>Do not apply timezone offsets when converting X509 times.  X509
                    886:                times are in UTC and comparing them to times in different timezones
                    887:                would cause validity problems.
                    888:        </ul>
                    889:        <li>In <a href="https://man.openbsd.org/bgpd.conf.5">bgpd(8)</a>,
                    890:        <ul>
1.29      jsg       891:            <li>The <a href="https://man.openbsd.org/bgpd.8">bgpd</a> login
1.22      benno     892:                class datasize attribute (in <a
                    893:                href="https://man.openbsd.org/login.conf.5">login.conf(5)</a>) was set
                    894:                to either 16G or 1G, depending on architecture.
1.34      claudio   895:            <li>Macro expansion in the config file was improved. It is now possible
                    896:                to expand 'set large-community $myAS:$location:$transit'.
                    897:            <li>Added a "port" option to "listen on" and the "neighbor" section
                    898:                in <a href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> to make it
1.22      benno     899:                possible to bind and connect to non-default ports.
1.34      claudio   900:            <li>The RIB codebase was refactored in order to add multipath
                    901:                support in an upcoming release.
1.22      benno     902:        </ul>
1.1       deraadt   903:   </ul>
                    904:
                    905: <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
                    906:   <ul>
1.7       benno     907:        <li>Fixed a crash in <a
                    908:                href="https://man.openbsd.org/tmux.1">tmux(1)</a> when a session with
                    909:                multiple clients is destroyed but tmux does not close completely due
                    910:                to other sessions.
                    911:        <li>Fixed a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
                    912:                redraw problem on automargin terminals.
                    913:        <li>Fixed a problem with repeat in <a
                    914:                href="https://man.openbsd.org/tmux.1">tmux(1)</a> copy mode.
                    915:        <li>Added -T to set a popup title in <a
                    916:                href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
                    917:        <li>Added -s and -S to <a
                    918:                href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-popup to set
                    919:                popup and border style.
                    920:        <li>Fixed application-set fg and bg in <a
                    921:                href="https://man.openbsd.org/tmux.1">tmux(1)</a> panes.
                    922:        <li>Added a way to force a color to RGB in <a
                    923:                href="https://man.openbsd.org/tmux.1">tmux(1)</a> and a format to
                    924:                display it.
1.10      benno     925:        <li>Added a cursor-colour option to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
                    926:        <li>Added a cursor-style option to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1.11      benno     927:        <li>Added a pane-border-format pane option to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
                    928:        <li>Added attempts to turn on less-capable mouse modes when <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> turns on more-capable ones, in case the terminal doesn't support the desired mode.
1.14      benno     929:        <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> option to show arrows for the active pane indicator.
                    930:        <li>Added a key in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> copy mode to toggle the position indicator.
1.15      benno     931:        <li>Added an option in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> to set the character for unused areas of the terminal.
                    932:        <li>Add <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> option to control if it scrolls into history on clear.
                    933:        <li>Added OSC 7 capability to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> for setting titles.
1.1       deraadt   934:   </ul>
                    935:
1.42      deraadt   936: <li>LibreSSL version 3.5.2
1.1       deraadt   937:   <ul>
                    938:     <li>New Features
                    939:     <ul>
1.9       inoguchi  940:       <li>The RFC 3779 API was ported from OpenSSL.<br>
                    941:          Many bugs were fixed, regression tests were added and the code was cleaned up.
                    942:       <li>Certificate Transparency was ported from OpenSSL.<br>
                    943:           Many internal improvements were made, resulting in cleaner and safer code.<br>
                    944:           Regress coverage was added. libssl does not yet make use of it.
1.1       deraadt   945:     </ul>
                    946:
                    947:     <li>Portable Improvements
                    948:     <ul>
1.9       inoguchi  949:       <li>Enabled ASAN CI on Linux platform.<br>
                    950:       <li>Fixed various POSIX compliance and other portability issues<br>
                    951:           found by the port to the Sortix operating system.
                    952:       <li>Add libmd as platform specific libraries for Solaris.<br>
                    953:       <li>Set IA-64 compiler flag only if it is HP-UX with IA-64.<br>
1.58      jsing     954:       <li>Enabled and scheduled Coverity scans.<br>
1.1       deraadt   955:     </ul>
                    956:
1.9       inoguchi  957:     <li>Compatibility Changes
                    958:     <ul>
                    959:       <li>Most structs that were previously defined in the following headers
                    960:           are now opaque as they are in OpenSSL 1.1:<br>
                    961:           bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
                    962:           x509.h, x509v3.h, x509_vfy.h
                    963:       <li>Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_<br>
                    964:           OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
                    965:           of using something consistent with the previous naming.<br>
                    966:           Various test suites expect these names (instead of checking for the much
                    967:           more sensible cipher numbers).<br>
                    968:           The old names are still accepted as aliases.
                    969:       <li>Subject alternative names and name constraints are now validated
                    970:           when they are added to certificates.<br>
                    971:           Various interoperability problems with stacks that validate
                    972:           certificates more strictly than OpenSSL can be avoided this way.
                    973:       <li>Attempt to opportunistically use the host name for SNI in s_client
1.57      jsing     974:       <li>Allow non-standard name constraints of the form @domain.com.
1.9       inoguchi  975:     </ul>
                    976:
                    977:     <li>Bug fixes
1.1       deraadt   978:     <ul>
1.9       inoguchi  979:       <li>Avoid infinite loop for custom curves of order 1.<br>
                    980:       <li>Avoid infinite loop on parsing DSA private keys.<br>
1.58      jsing     981:       <li>Prevent a malicious certificate from causing an infinite loop.<br>
1.9       inoguchi  982:       <li>In some situations, the verifier would discard the error on an
                    983:           unvalidated certificate chain.<br>
                    984:           This would happen when the verification callback was in use,
                    985:           instructing the verifier to continue unconditionally.<br>
                    986:           This could lead to incorrect decisions being made in software.
                    987:       <li>Avoid an infinite loop in SSL_shutdown()
                    988:       <li>Handle zero byte reads/writes that trigger handshakes in the
1.58      jsing     989:           TLSv1.3 stack.
1.9       inoguchi  990:       <li>A long standing memleak in libtls CRL handling was fixed
1.57      jsing     991:       <li>Allow name constraints with a leading dot.
                    992:       <li>Fix NULL dereferences in openssl(1) cms option parsing.
                    993:       <li>Do not zero the computed cofactor on ec_guess_cofactor() success.
                    994:       <li>Bound cofactor in EC_GROUP_set_generator() to reduce the number of
                    995:           bogus groups that can be described with nonsensical parameters.
                    996:       <li>Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
                    997:           memory conditions.
1.1       deraadt   998:     </ul>
                    999:
1.9       inoguchi 1000:     <li>Internal Improvements
1.1       deraadt  1001:     <ul>
1.9       inoguchi 1002:       <li>Cache the SHA-512 hash instead of the SHA-1 hash and cache
                   1003:           notBefore and notAfter times when X.509 certificates are parsed.
                   1004:       <li>The X.509 lookup code has been simplified and cleaned up.
1.58      jsing    1005:       <li>Fixed numerous issues flagged by coverity and the cryptofuzz project.
1.9       inoguchi 1006:       <li>Increased the number of Miller-Rabin checks in DH and DSA
1.58      jsing    1007:           key/parameter generation.
1.9       inoguchi 1008:       <li>Started using the bytestring API in libcrypto for cleaner and
1.58      jsing    1009:           safer code.
1.9       inoguchi 1010:       <li>Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
                   1011:       <li>Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
                   1012:       <li>Consolidate ASN.1 universal tag type data
                   1013:       <li>Rewrite ASN.1 identifier/length parsing in CBS
                   1014:       <li>Make OBJ_obj2nid() work correctly with NID_undef
                   1015:       <li>Untangle ssl3_get_message() return values
                   1016:       <li>Provide a way to determine our maximum legacy version
                   1017:       <li>Add explicit CBS_contains_zero_byte() check in CBS_strdup()
                   1018:       <li>Improve SNI hostname validation
                   1019:       <li>Ensure SSL_set_tlsext_host_name() is given a valid hostname
                   1020:       <li>Factor out/rewrite DHE key exchange
                   1021:       <li>Convert server serialisation of DHE parameters/public key to new
                   1022:           functions
1.44      tb       1023:       <li>Provide CBS_get_last_u8(), CBS_get_u64(), CBS_add_u64() and various
                   1024:           CBS_peek_* functions.
1.9       inoguchi 1025:       <li>Use CBS_get_last_u8() to find the content type in TLSv1.3 records
                   1026:       <li>Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
                   1027:       <li>Only allow zero length key shares when we know we're doing HRR
                   1028:       <li>Pull key share group/length CBB code up from
                   1029:           tls13_key_share_public()
                   1030:       <li>Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
1.58      jsing    1031:           validation.
1.9       inoguchi 1032:       <li>Allocate and free the EVP_AEAD_CTX struct in
1.58      jsing    1033:           tls13_record_protection.
1.44      tb       1034:       <li>Convert legacy TLS client and server to tls_key_share
1.9       inoguchi 1035:       <li>Clean up pkey handling in ssl3_get_server_key_exchange()
                   1036:       <li>Fix GOST skip certificate verify handling
                   1037:       <li>Simplify SSL_get_peer_certificate()
                   1038:       <li>Cleanup/simplify ssl_cert_type()
                   1039:       <li>The openssl(1) cms, smime and ts subcommands option handling was
                   1040:           converted and the C source was cleaned up.
1.57      jsing    1041:       <li>Limit OID text conversion to 64 bits per arc.
                   1042:       <li>Clean up and simplify memory BIO code.
                   1043:       <li>Reduce number of memmove() calls in memory BIOs.
                   1044:       <li>Factor out alert handling code in the legacy stack.
                   1045:       <li>Add sanity checks on p and q in old_dsa_priv_decode()
                   1046:       <li>Cache the SHA-512 hash instead of the SHA-1 for CRLs.
                   1047:       <li>Suppress various compiler warnings for old gcc versions.
                   1048:       <li>Rework ASN1_STRING_set().
                   1049:       <li>Clean up and simplify ssl3_renegotiate{,_check}().
                   1050:       <li>Rewrite legacy TLS and DTLS unexpected handshake message handling.
                   1051:       <li>Simplify SSL_do_handshake().
                   1052:       <li>Rewrite ASCII/text to ASN.1 object conversion.
                   1053:       <li>Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
                   1054:       <li>Clean up {dtls1,ssl3}_read_bytes().
                   1055:       <li>Be more careful with embedded and terminating NULs in the new
1.58      jsing    1056:           name constraints code.
1.57      jsing    1057:       <li>Various minor code cleanup in openssl(1) pkcs12.
                   1058:       <li>Simplify priv_key handling in d2i_ECPrivateKey().
1.1       deraadt  1059:     </ul>
                   1060:
1.9       inoguchi 1061:     <li>Documentation improvements
1.1       deraadt  1062:     <ul>
1.9       inoguchi 1063:       <li>45 new manual pages, most of which were written from scratch.<br>
                   1064:           Documentation coverage of ASN.1 and X.509 code has been
                   1065:           significantly improved.
1.57      jsing    1066:       <li>Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
                   1067:           refactoring and bug fixes.
                   1068:       <li>Fixed numerous minor grammar, spelling, wording, and punctuation
                   1069:           issues.
1.1       deraadt  1070:     </ul>
                   1071:   </ul>
                   1072:
1.54      dtucker  1073: <li>OpenSSH 9.0
1.1       deraadt  1074:  <ul>
                   1075:   <li>Security
                   1076:   <ul>
1.47      dtucker  1077:     <!-- OpenSSH 8.9 -->
1.65    ! tb       1078:     <li>Near miss in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.47      dtucker  1079:         fix an integer overflow in the user authentication path
                   1080:         that, in conjunction with other logic errors, could have yielded
                   1081:         unauthenticated access under difficult to exploit conditions.<br>
                   1082:         This situation is not exploitable because of independent checks in
                   1083:         the privilege separation monitor. Privilege separation has been
1.49      dtucker  1084:         enabled by default since <a href="32.html">OpenBSD 3.2</a> (released in 2002) and
                   1085:         has been mandatory since <a href="61.html">OpenBSD 6.1</a> (released in 2017).<br>
1.1       deraadt  1086:   </ul>
                   1087:   <li>Potentially incompatible changes
                   1088:   <ul>
1.47      dtucker  1089:     <!-- OpenSSH 8.9 -->
                   1090:     <li>In OpenSSH 8.9 the FIDO security key middleware interface
                   1091:         changed and increments SSH_SK_VERSION_MAJOR.
1.51      dtucker  1092:     <!-- OpenSSH 9.0 -->
1.65    ! tb       1093:     <li>This release switches <a href="https://man.openbsd.org/scp.1">scp(1)</a>
1.51      dtucker  1094:         from using the legacy scp/rcp protocol
                   1095:         to using the SFTP protocol by default.<br>
                   1096:         Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
                   1097:         "scp host:* .") through the remote shell. This has the side effect of
                   1098:         requiring double quoting of shell meta-characters in file names
1.65    ! tb       1099:         included on <a href="https://man.openbsd.org/scp.1">scp(1)</a>
1.51      dtucker  1100:         command-lines, otherwise they could be interpreted
                   1101:         as shell commands on the remote side.<br>
                   1102:         This creates one area of potential incompatibility:
1.65    ! tb       1103:         <a href="https://man.openbsd.org/scp.1">scp(1)</a> when using
1.51      dtucker  1104:         the SFTP protocol no longer requires this finicky and brittle quoting,
                   1105:         and attempts to use it may cause transfers to fail. We consider the
                   1106:         removal of the need for double-quoting shell characters in file names
                   1107:         to be a benefit and do not intend to introduce bug-compatibility for
1.65    ! tb       1108:         legacy scp/rcp in <a href="https://man.openbsd.org/scp.1">scp(1)</a>
1.51      dtucker  1109:         when using the SFTP protocol.<br>
                   1110:         Another area of potential incompatibility relates to the use of remote
                   1111:         paths relative to other users' home directories, for example -
                   1112:         "scp host:~user/file /tmp". The SFTP protocol has no native way to
                   1113:         expand a ~user path. However,
1.65    ! tb       1114:         <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>
1.51      dtucker  1115:         in OpenSSH 8.7 and later supports a protocol extension
                   1116:         "expand-path@openssh.com" to support this.<br>
                   1117:         In case of incompatibility, the
1.65    ! tb       1118:         <a href="https://man.openbsd.org/scp.1">scp(1)</a> client may be instructed to use
1.51      dtucker  1119:         the legacy scp/rcp using the -O flag.
1.1       deraadt  1120:   </ul>
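The quoting difference described above, as an added local simulation in shell (not OpenSSH code and not part of the release notes). `legacy_names` models the legacy protocol, where the remote shell parses the path; `sftp_names` models a path that is glob-matched but never parsed by a shell. The function names and the temporary directory standing in for the remote host are assumptions, and no scp or network connection is involved.

```shell
#!/bin/sh
# Added illustration: a local simulation, not OpenSSH code. No network, no scp.
# The "remote host" is a temporary directory holding constructed file names.

make_remote() {
    REMOTE=$(mktemp -d) || return 1
    : > "$REMOTE/notes.txt"
    : > "$REMOTE/data.txt"
    : > "$REMOTE/my report.txt"
}

# Legacy scp/rcp model: the path travels inside a command line that the remote
# login shell parses, so it is word-split, glob-expanded and unquoted there.
# eval stands in for that remote shell, which is also why unquoted
# metacharacters in file names were risky in legacy mode.
legacy_names() {
    (
        cd "$REMOTE" || exit 1
        eval "set -- $1"
        for f in "$@"; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
        :
    )
}

# SFTP model (simplified assumption): the path is matched as a glob pattern
# against directory entries. No shell parses it, so spaces need no extra
# quoting and quote characters are literal bytes of the name.
sftp_names() {
    for f in "$REMOTE"/*; do
        name=${f##*/}
        case $name in
            $1) printf '%s\n' "$name" ;;
        esac
    done
}

# Print what each model resolves for the same path argument.
demo() {
    make_remote || return 1
    for p in '*.txt' 'my report.txt' '"my report.txt"'; do
        printf 'path argument: %s\n' "$p"
        printf '  legacy: %s\n' "$(legacy_names "$p" | tr '\n' ',')"
        printf '  sftp:   %s\n' "$(sftp_names "$p" | tr '\n' ',')"
    done
    rm -rf "$REMOTE"
}

demo
```

The remote-quoted form `"my report.txt"` is the only spelling that works in the legacy model and the only one that fails in the SFTP model, which is the incompatibility the note describes.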
                   1121:
                   1122:   <li>New features
                   1123:   <ul>
1.47      dtucker  1124:     <!-- OpenSSH 8.9 -->
1.65    ! tb       1125:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1126:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
        !          1127:         <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,
        !          1128:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1.50      dtucker  1129:         add a system for restricting forwarding and use of keys added to
1.65    ! tb       1130:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>.
1.47      dtucker  1131:         A detailed description of the feature is available at
                   1132:         https://www.openssh.com/agent-restrict.html and the protocol
1.53      dtucker  1133:         extensions are documented in the
                   1134:         <a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=OPENBSD_7_1"
                   1135:         >PROTOCOL</a> and
                   1136:         <a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.agent?annotate=OPENBSD_7_1"
                   1137:         >PROTOCOL.agent</a> files in the source release.
1.65    ! tb       1138:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1139:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1140:         add the sntrup761x25519-sha512@openssh.com hybrid
1.47      dtucker  1141:         ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
                   1142:         default KEXAlgorithms list (after the ECDH methods but before the
                   1143:         prime-group DH ones).
1.65    ! tb       1144:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1145:         when downloading resident keys from a FIDO token,
1.47      dtucker  1146:         pass back the user ID that was used when the key was created and
                   1147:         append it to the filename the key is written to (if it is not the
                   1148:         default). Avoids keys being clobbered if the user created multiple
                   1149:         resident keys with the same application string but different user
                   1150:         IDs.
1.65    ! tb       1151:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
        !          1152:         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1153:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1.50      dtucker  1154:         better handling for FIDO keys
1.47      dtucker  1155:         on tokens that provide user verification (UV) on the device itself,
                   1156:         including biometric keys, avoiding unnecessary PIN prompts.
1.65    ! tb       1157:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add "ssh-keygen -Y match-principals" operation to
1.47      dtucker  1158:         perform matching of principals names against an allowed signers
                   1159:         file. To be used towards a TOFU model for SSH signatures in git.
1.65    ! tb       1160:     <li><a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,
        !          1161:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1.50      dtucker  1162:         allow pin-required FIDO keys to be added
1.65    ! tb       1163:         to <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>.
1.50      dtucker  1164:         $SSH_ASKPASS will be used to request the PIN at authentication time.
1.65    ! tb       1165:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1166:         allow selection of hash at sshsig signing time
1.47      dtucker  1167:         (either sha512 (default) or sha256).
1.65    ! tb       1168:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1169:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1170:         read network data directly to the packet input
1.47      dtucker  1171:         buffer instead of indirectly via a small stack buffer. Provides a
                   1172:         modest performance improvement.
1.65    ! tb       1173:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1174:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1175:         read data directly to the channel input buffer,
1.47      dtucker  1176:         providing a similar modest performance improvement.
1.65    ! tb       1177:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
1.50      dtucker  1178:         extend the PubkeyAuthentication configuration directive to
1.47      dtucker  1179:         accept yes|no|unbound|host-bound to allow control over one of the
                   1180:         protocol extensions used to implement agent-restricted keys.
                   1181:     <!-- OpenSSH 9.0 -->
1.65    ! tb       1182:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1183:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1184:         use the hybrid Streamlined NTRU Prime + x25519 key
1.47      dtucker  1185:         exchange method by default ("sntrup761x25519-sha512@openssh.com").
                   1186:         The NTRU algorithm is believed to resist attacks enabled by future
                   1187:         quantum computers and is paired with the X25519 ECDH key exchange
                   1188:         (the previous default) as a backstop against any weaknesses in
                   1189:         NTRU Prime that may be discovered in the future. The combination
                   1190:         ensures that the hybrid exchange offers at least as good security
                   1191:         as the status quo.<br>
                   1192:         We are making this change now (i.e. ahead of cryptographically-
                   1193:         relevant quantum computers) to prevent "capture now, decrypt
                   1194:         later" attacks where an adversary who can record and store SSH
                   1195:         session ciphertext would be able to decrypt it once a sufficiently
                   1196:         advanced quantum computer is available.
1.65    ! tb       1197:     <li><a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>:
1.50      dtucker  1198:         support the "copy-data" extension to allow server-
1.47      dtucker  1199:         side copying of files/data, following the design in
                   1200:         draft-ietf-secsh-filexfer-extensions-00.
1.65    ! tb       1201:     <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
1.50      dtucker  1202:         add a "cp" command to allow the sftp client to perform
1.47      dtucker  1203:         server-side file copies.
                   1204:   </ul>
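One way to audit where the hybrid key exchange sits in a client's effective preference order, as an added example (not from the release notes or the OpenSSH source). `kex_status` reads `ssh -G <host>` style output on stdin; the function names are assumptions and the three sample configurations are constructed, shortened lists.

```shell
#!/bin/sh
# Added illustration: classify where the hybrid post-quantum KEX sits in the
# effective client configuration. Feed it the output of `ssh -G <host>`.

HYBRID='sntrup761x25519-sha512@openssh.com'

# Prints one of: preferred | offered-not-first | missing | no-kex-line
kex_status() {
    awk -v want="$HYBRID" '
        tolower($1) == "kexalgorithms" {
            seen = 1
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++)
                if (alg[i] == want) pos = i
        }
        END {
            if (!seen)         print "no-kex-line"
            else if (pos == 1) print "preferred"
            else if (pos > 1)  print "offered-not-first"
            else               print "missing"
        }'
}

# Constructed samples in `ssh -G` format (lists shortened for readability).
sample_hybrid_first() {    # ordering described for OpenSSH 9.0
    printf 'hostname host.example\n'
    printf 'kexalgorithms %s,curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group16-sha512\n' "$HYBRID"
}
sample_hybrid_after_ecdh() {    # ordering described for OpenSSH 8.9
    printf 'hostname host.example\n'
    printf 'kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,%s,diffie-hellman-group16-sha512\n' "$HYBRID"
}
sample_classical_only() {    # hybrid method not offered at all
    printf 'hostname host.example\n'
    printf 'kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group16-sha512\n'
}

for s in sample_hybrid_first sample_hybrid_after_ecdh sample_classical_only; do
    printf '%-26s %s\n' "$s" "$($s | kex_status)"
done
```

Against a real client, run `ssh -G host | kex_status`; a result other than `preferred` means the hybrid method is not the client's first choice for that host, for example because of a local `KexAlgorithms` override.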
1.51      dtucker  1205:
1.1       deraadt  1206:   <li>Bugfixes
                   1207:   <ul>
1.47      dtucker  1208:     <!-- OpenSSH 8.9 -->
1.65    ! tb       1209:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1210:         document that CASignatureAlgorithms, ExposeAuthInfo and
1.47      dtucker  1211:         PubkeyAuthOptions can be used in a Match block.
1.65    ! tb       1212:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1213:         fix possible string truncation when constructing paths to
1.47      dtucker  1214:         .rhosts/.shosts files with very long user home directory names.
                   1215:     <li>ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
                   1216:         exchange hashes
1.65    ! tb       1217:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
1.50      dtucker  1218:         don't put the TTY into raw mode when SessionType=none,
1.47      dtucker  1219:         avoids ^C being unable to kill such a session.
1.65    ! tb       1220:     <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
1.50      dtucker  1221:         fix some corner-case bugs in SFTP-mode handling of
1.47      dtucker  1222:         ~-prefixed paths.
1.65    ! tb       1223:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
1.50      dtucker  1224:         unbreak hostbased auth using RSA keys. Allow
1.65    ! tb       1225:         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to
1.47      dtucker  1226:         select RSA keys when only RSA/SHA2 signature algorithms are
                   1227:         configured (this is the default case). Previously RSA keys were
                   1228:         not being considered in the default case.
                   1229:     <li>ssh-keysign(1): make ssh-keysign use the requested signature
                   1230:         algorithm and not the default for the key type. Part of unbreaking
                   1231:         hostbased auth for RSA/SHA2 keys.
1.65    ! tb       1232:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
1.50      dtucker  1233:         stricter UpdateHostkey signature verification logic on
1.47      dtucker  1234:         the client side. Require RSA/SHA2 signatures for RSA hostkeys
                   1235:         except when RSA/SHA1 was explicitly negotiated during initial
                   1236:         KEX
1.65    ! tb       1237:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1238:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1239:         fix signature algorithm selection logic for
1.47      dtucker  1240:         UpdateHostkeys on the server side. The previous code tried to
                   1241:         prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
                   1242:         cases. This will use RSA/SHA2 signatures for RSA keys if the
                   1243:         client proposed these algorithms in initial KEX.
1.52      dtucker  1244:     <li>All: convert all uses of
1.65    ! tb       1245:         <a href="https://man.openbsd.org/select.2">select(2)</a>/
        !          1246:         <a href="https://man.openbsd.org/pselect.2">pselect(2)</a> to
        !          1247:         <a href="https://man.openbsd.org/poll.2">poll(2)</a>/
        !          1248:         <a href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>.
1.50      dtucker  1249:         This includes the mainloops in
1.65    ! tb       1250:         <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1251:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
        !          1253:         and <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>,
        !          1254:         as well as the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
1.52      dtucker  1255:         listen loop and all other FD read/writability checks.
1.65    ! tb       1256:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1257:         the "-Y find-principals" command was verifying key
1.47      dtucker  1258:         validity when using ca certs but not with simple key lifetimes
                   1259:         within the allowed signers file.
1.65    ! tb       1260:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1261:         make sshsig verify-time argument parsing optional
1.65    ! tb       1262:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1263:         fix truncation in rhosts/shosts path construction.
1.65    ! tb       1264:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1265:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1.50      dtucker  1266:         avoid xmalloc(0) for PKCS#11 keyid for ECDSA
1.47      dtucker  1267:         keys (we already did this for RSA keys). Avoids fatal errors for
                   1268:         PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
                   1269:         "cryptoauthlib"
1.65    ! tb       1270:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1271:         <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1.50      dtucker  1272:         improve the testing of credentials against
1.47      dtucker  1273:         inserted FIDO: ask the token whether a particular key belongs to
                   1274:         it in cases where the token supports on-token user-verification
                   1275:         (e.g. biometrics) rather than just assuming that it will accept it.<br>
                   1276:         Will reduce spurious "Confirm user presence" notifications for key
                   1277:         handles that relate to FIDO keys that are not currently inserted in at
                   1278:         least some cases.
1.65    ! tb       1279:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1280:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1281:         correct value for IPTOS_DSCP_LE. It needs to
1.47      dtucker  1282:         allow for the preceding two ECN bits.
1.65    ! tb       1283:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1284:         add missing -O option to usage() for the "-Y sign" option.
1.65    ! tb       1285:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1286:         fix a NULL deref when using the find-principals
1.47      dtucker  1287:         function, when matching an allowed_signers line that contains a
                   1288:         namespace restriction, but no restriction specified on the
                   1289:         command-line
1.65    ! tb       1290:     <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1.50      dtucker  1291:         fix memleak in process_extension(); oss-fuzz issue #42719
1.65    ! tb       1292:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
1.50      dtucker  1293:         suppress "Connection to xxx closed" messages when LogLevel
1.47      dtucker  1294:         is set to "error" or above.
1.65    ! tb       1295:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1296:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1297:         use correct zlib flags when inflate(3)-ing compressed packet data.
1.65    ! tb       1298:     <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
1.50      dtucker  1299:         when recursively transferring files in SFTP mode, create the
                   1300:         destination directory if it doesn't already exist to match
1.65    ! tb       1301:         <a href="https://man.openbsd.org/scp.1">scp(1)</a> in
1.47      dtucker  1302:         legacy RCP mode behaviour.
1.65    ! tb       1303:     <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
1.50      dtucker  1304:         many improvements in error message consistency between
1.65    ! tb       1305:         <a href="https://man.openbsd.org/scp.1">scp(1)</a>
1.47      dtucker  1306:         in SFTP mode vs legacy RCP mode.
1.65    ! tb       1307:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1308:         fix potential race in SIGTERM handling
1.65    ! tb       1309:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1310:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1311:         since DSA keys are deprecated, move them to the end of the default
                   1312:         list of public keys so that they will be tried last.
1.65    ! tb       1313:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1314:         allow 'ssh-keygen -Y find-principals' to match
1.47      dtucker  1315:         wildcard principals in allowed_signers files
                   1316:     <!-- OpenSSH 9.0 -->
1.65    ! tb       1317:     <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        !          1318:         <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.52      dtucker  1319:         fix
1.65    ! tb       1320:         <a href="https://man.openbsd.org/poll.2">poll(2)</a> spin when a
1.52      dtucker  1321:         channel's output fd closes without data in the channel buffer.
1.65    ! tb       1322:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1323:         pack pollfd array in server listen/accept loop. Could
1.47      dtucker  1324:         cause the server to hang/spin when MaxStartups &gt; RLIMIT_NOFILE
1.65    ! tb       1325:     <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.50      dtucker  1326:         avoid NULL deref via the find-principals and check-novalidate operations.
1.65    ! tb       1327:     <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
1.50      dtucker  1328:         fix a memory leak in argument processing.
1.65    ! tb       1329:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1330:         don't try to resolve ListenAddress directives in the sshd
1.47      dtucker  1331:         re-exec path. They are unused after re-exec and parsing errors
                   1332:         (possible for example if the host's network configuration changed)
                   1333:         could prevent connections from being accepted.
1.65    ! tb       1334:     <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
1.50      dtucker  1335:         when refusing a public key authentication request from a
1.47      dtucker  1336:         client for using an unapproved or unsupported signature algorithm
                   1337:         include the algorithm name in the log message to make debugging
                   1338:         easier.
1.1       deraadt  1339:   </ul>
1.47      dtucker  1340: </ul>
1.1       deraadt  1341:
1.13      schwarze 1342: <li>mandoc 1.14.6 plus several bugfixes, including:
1.1       deraadt  1343:     <ul>
1.13      schwarze 1344:        <li>Fixed <a href="https://man.openbsd.org/man.1">man(1)</a>
                   1345:                to always read the configuration file and respect
                   1346:                the other directives contained in it,
                   1347:                even when the manpath is overridden by other means.
                   1348:        <li>Fixed a memory leak in
                   1349:                <a href="https://man.openbsd.org/man.1">man(1)</a>
                   1350:                that mattered when many names were given on the command line.
                   1351:        <li>Fixed a small memory leak in the
                   1352:                <a href="https://man.openbsd.org/roff.7">roff(7)</a> parser
                   1353:                that occurred each time a user-defined macro was called.
                   1354:         <li>Fixed the width of the <code>\h</code> (horizontal motion)
                   1355:                <a href="https://man.openbsd.org/roff.7">roff(7)</a>
                   1356:                escape sequence in the PostScript and PDF output modes.
1.1       deraadt  1357:     </ul>
                   1358:
                   1359: <li>Ports and packages:
                   1360:   <p>Many pre-built packages for each architecture:
                   1361:   <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
                   1362:   <ul style="column-count: 3">
1.36      naddy    1363:     <li>aarch64:    11081
1.17      naddy    1364:     <li>amd64:      11301
1.63      naddy    1365:     <li>arm:         8372
1.20      deraadt  1366:     <li>i386:       10136
1.55      visa     1367:     <li>mips64:      8708
1.61      naddy    1368:     <li>powerpc:     9290
1.46      sthen    1369:     <li>powerpc64:   9132
1.45      sthen    1370:     <li>riscv64:     9108
1.39      naddy    1371:     <li>sparc64:     9288
1.1       deraadt  1372:   </ul>
                   1373:
                   1374:   <p>Some highlights:
                   1375:   <ul style="column-count: 3">
1.12      sthen    1376:     <li>Asterisk 16.25.1, 18.11.1 and 19.3.1
1.1       deraadt  1377:     <li>Audacity 2.4.2
                   1378:     <li>CMake 3.20.3
1.5       jsg      1379:     <li>Chromium 100.0.4896.75
1.1       deraadt  1380:     <li>Emacs 27.2
1.5       jsg      1381:     <li>FFmpeg 4.4.1
1.1       deraadt  1382:     <li>GCC 8.4.0 and 11.2.0
                   1383:     <li>GHC 8.10.6
1.5       jsg      1384:     <li>GNOME 41.5
                   1385:     <li>Go 1.17.7
                   1386:     <li>JDK 8u322, 11.0.14 and 17.0.2
                   1387:     <li>KDE Applications 21.12.2
                   1388:     <li>KDE Frameworks 5.91.0
                   1389:     <li>Krita 5.0.2
                   1390:     <li>LLVM/Clang 13.0.0
                   1391:     <li>LibreOffice 7.3.2.2
1.1       deraadt  1392:     <li>Lua 5.1.5, 5.2.4 and 5.3.6
1.5       jsg      1393:     <li>MariaDB 10.6.7
1.1       deraadt  1394:     <li>Mono 6.12.0.122
1.5       jsg      1395:     <li>Mozilla Firefox 99.0 and ESR 91.8.0
                   1396:     <li>Mozilla Thunderbird 91.8.0
                   1397:     <li>Mutt 2.2.2 and NeoMutt 20211029
                   1398:     <li>Node.js 16.14.2
                   1399:     <li>OCaml 4.12.1
1.1       deraadt  1400:     <li>OpenLDAP 2.4.59
1.5       jsg      1401:     <li>PHP 7.4.28, 8.0.17 and 8.1.4
                   1402:     <li>Postfix 3.5.14
                   1403:     <li>PostgreSQL 14.2
                   1404:     <li>Python 2.7.18, 3.8.13, 3.9.12 and 3.10.4
1.1       deraadt  1405:     <li>Qt 5.15.2 and 6.0.4
1.5       jsg      1406:     <li>R 4.1.2
                   1407:     <li>Ruby 2.7.5, 3.0.3 and 3.1.1
                   1408:     <li>Rust 1.59.0
                   1409:     <li>SQLite 2.8.17 and 3.38.2
                   1410:     <li>Shotcut 21.10.31
                   1411:     <li>Sudo 1.9.10
                   1412:     <li>Suricata 6.0.4
1.1       deraadt  1413:     <li>Tcl/Tk 8.5.19 and 8.6.8
1.5       jsg      1414:     <li>TeX Live 2021
                   1415:     <li>Vim 8.2.4600 and Neovim 0.6.1
1.1       deraadt  1416:     <li>Xfce 4.16
                   1417:   </ul>
                   1418:   <p>
                   1419:
                   1420: <li>As usual, steady improvements in manual pages and other documentation.
                   1421:
                   1422: <li>The system includes the following major components from outside suppliers:
                   1423:   <ul>
1.5       jsg      1424:     <li>Xenocara (based on X.Org 7.7 with xserver 1.21.1.3 + patches,
                   1425:         freetype 2.11.0, fontconfig 2.12.94, Mesa 21.3.7, xterm 369,
1.1       deraadt  1426:         xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
1.5       jsg      1427:     <li>LLVM/Clang 13.0.0 (+ patches)
1.1       deraadt  1428:     <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
                   1429:     <li>Perl 5.32.1 (+ patches)
1.5       jsg      1430:     <li>NSD 4.4.0
                   1431:     <li>Unbound 1.15.0
1.1       deraadt  1432:     <li>Ncurses 5.7
                   1433:     <li>Binutils 2.17 (+ patches)
                   1434:     <li>Gdb 6.3 (+ patches)
1.10      benno    1435:     <li>Awk October 12, 2021
1.5       jsg      1436:     <li>Expat 2.4.7
1.1       deraadt  1437:   </ul>
                   1438:
                   1439: </ul>
                   1440: </section>
                   1441:
                   1442: <hr>
                   1443:
                   1444: <section id=install>
                   1445: <h3>How to install</h3>
                   1446: <p>
                   1447: Please refer to the following files on the mirror site for
                   1448: extensive details on how to install OpenBSD 7.1 on your machine:
                   1449:
                   1450: <ul>
                   1451: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/alpha/INSTALL.alpha">
                   1452:        .../OpenBSD/7.1/alpha/INSTALL.alpha</a>
                   1453: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/amd64/INSTALL.amd64">
                   1454:        .../OpenBSD/7.1/amd64/INSTALL.amd64</a>
                   1455: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/arm64/INSTALL.arm64">
                   1456:        .../OpenBSD/7.1/arm64/INSTALL.arm64</a>
                   1457: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/armv7/INSTALL.armv7">
                   1458:        .../OpenBSD/7.1/armv7/INSTALL.armv7</a>
                   1459: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/hppa/INSTALL.hppa">
                   1460:        .../OpenBSD/7.1/hppa/INSTALL.hppa</a>
                   1461: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/i386/INSTALL.i386">
                   1462:        .../OpenBSD/7.1/i386/INSTALL.i386</a>
                   1463: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/landisk/INSTALL.landisk">
                   1464:        .../OpenBSD/7.1/landisk/INSTALL.landisk</a>
                   1465: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/luna88k/INSTALL.luna88k">
                   1466:        .../OpenBSD/7.1/luna88k/INSTALL.luna88k</a>
                   1467: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/macppc/INSTALL.macppc">
                   1468:        .../OpenBSD/7.1/macppc/INSTALL.macppc</a>
                   1469: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/octeon/INSTALL.octeon">
                   1470:        .../OpenBSD/7.1/octeon/INSTALL.octeon</a>
                   1471: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/powerpc64/INSTALL.powerpc64">
                   1472:        .../OpenBSD/7.1/powerpc64/INSTALL.powerpc64</a>
                   1473: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/riscv64/INSTALL.riscv64">
                   1474:        .../OpenBSD/7.1/riscv64/INSTALL.riscv64</a>
                   1475: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.1/sparc64/INSTALL.sparc64">
                   1476:        .../OpenBSD/7.1/sparc64/INSTALL.sparc64</a>
                   1477: </ul>
                   1478: </section>
                   1479:
                   1480: <hr>
                   1481:
                   1482: <section id=quickinstall>
                   1483: <p>
                   1484: Quick installer information for people familiar with OpenBSD, and the use of
                   1485: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
                   1486: If you are at all confused when installing OpenBSD, read the relevant
                   1487: INSTALL.* file as listed above!
                   1488:
                   1489: <h3>OpenBSD/alpha:</h3>
                   1490:
                   1491: <p>
                   1492: If your machine can boot from CD, you can write <i>install71.iso</i> or
                   1493: <i>cd71.iso</i> to a CD and boot from it.
                   1494: Refer to INSTALL.alpha for more details.
                   1495:
                   1496: <h3>OpenBSD/amd64:</h3>
                   1497:
                   1498: <p>
                   1499: If your machine can boot from CD, you can write <i>install71.iso</i> or
                   1500: <i>cd71.iso</i> to a CD and boot from it.
                   1501: You may need to adjust your BIOS options first.
                   1502:
                   1503: <p>
                   1504: If your machine can boot from USB, you can write <i>install71.img</i> or
                   1505: <i>miniroot71.img</i> to a USB stick and boot from it.
                   1506:
                   1507: <p>
                   1508: If you can't boot from a CD, floppy disk, or USB,
                   1509: you can install across the network using PXE as described in the included
                   1510: INSTALL.amd64 document.
                   1511:
                   1512: <p>
                   1513: If you are planning to dual boot OpenBSD with another OS, you will need to
                   1514: read INSTALL.amd64.
                   1515:
                   1516: <h3>OpenBSD/arm64:</h3>
                   1517:
                   1518: <p>
                   1519: Write <i>install71.img</i> or <i>miniroot71.img</i> to a disk and boot from it
                   1520: after connecting to the serial console.  Refer to INSTALL.arm64 for more
                   1521: details.
                   1522:
                   1523: <h3>OpenBSD/armv7:</h3>
                   1524:
                   1525: <p>
                   1526: Write a system specific miniroot to an SD card and boot from it after connecting
                   1527: to the serial console.  Refer to INSTALL.armv7 for more details.
                   1528:
                   1529: <h3>OpenBSD/hppa:</h3>
                   1530:
                   1531: <p>
                   1532: Boot over the network by following the instructions in INSTALL.hppa or the
                   1533: <a href="hppa.html#install">hppa platform page</a>.
                   1534:
                   1535: <h3>OpenBSD/i386:</h3>
                   1536:
                   1537: <p>
                   1538: If your machine can boot from CD, you can write <i>install71.iso</i> or
                   1539: <i>cd71.iso</i> to a CD and boot from it.
                   1540: You may need to adjust your BIOS options first.
                   1541:
                   1542: <p>
                   1543: If your machine can boot from USB, you can write <i>install71.img</i> or
                   1544: <i>miniroot71.img</i> to a USB stick and boot from it.
                   1545:
                   1546: <p>
                   1547: If you can't boot from a CD, floppy disk, or USB,
                   1548: you can install across the network using PXE as described in
                   1549: the included INSTALL.i386 document.
                   1550:
                   1551: <p>
                   1552: If you are planning on dual booting OpenBSD with another OS, you will need to
                   1553: read INSTALL.i386.
                   1554:
                   1555: <h3>OpenBSD/landisk:</h3>
                   1556:
                   1557: <p>
                   1558: Write <i>miniroot71.img</i> to the start of the CF
                   1559: or disk, and boot normally.
                   1560:
                   1561: <h3>OpenBSD/luna88k:</h3>
                   1562:
                   1563: <p>
                   1564: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
                   1565: from the PROM, and then bsd.rd from the bootloader.
                   1566: Refer to the instructions in INSTALL.luna88k for more details.
                   1567:
                   1568: <h3>OpenBSD/macppc:</h3>
                   1569:
                   1570: <p>
                   1571: Burn the image from a mirror site to a CDROM, and power on your machine
                   1572: while holding down the <i>C</i> key until the display turns on and
                   1573: shows <i>OpenBSD/macppc boot</i>.
                   1574:
                   1575: <p>
                   1576: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
                   1577: /7.1/macppc/bsd.rd</i>
                   1578:
                   1579: <h3>OpenBSD/octeon:</h3>
                   1580:
                   1581: <p>
                   1582: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
                   1583: Refer to the instructions in INSTALL.octeon for more details.
                   1584:
                   1585: <h3>OpenBSD/powerpc64:</h3>
                   1586:
                   1587: <p>
                   1588: To install, write <i>install71.img</i> or <i>miniroot71.img</i> to a
                   1589: USB stick, plug it into the machine and choose the <i>OpenBSD
                   1590: install</i> menu item in Petitboot.
                   1591: Refer to the instructions in INSTALL.powerpc64 for more details.
                   1592:
                   1593: <h3>OpenBSD/riscv64:</h3>
                   1594:
                   1595: <p>
                   1596: To install, write <i>install71.img</i> or <i>miniroot71.img</i> to a
                   1597: USB stick, and boot with that drive plugged in.
                   1598: Make sure you also have the microSD card plugged in that shipped with the
                   1599: HiFive Unmatched board.
                   1600: Refer to the instructions in INSTALL.riscv64 for more details.
                   1601:
                   1602: <h3>OpenBSD/sparc64:</h3>
                   1603:
                   1604: <p>
                   1605: Burn the image from a mirror site to a CDROM, boot from it, and type
                   1606: <i>boot cdrom</i>.
                   1607:
                   1608: <p>
                   1609: If this doesn't work, or if you don't have a CDROM drive, you can write
                   1610: <i>floppy71.img</i> or <i>floppyB71.img</i>
                   1611: (depending on your machine) to a floppy and boot it with <i>boot
                   1612: floppy</i>. Refer to INSTALL.sparc64 for details.
                   1613:
                   1614: <p>
                   1615: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
                   1616: will most likely fail.
                   1617:
                   1618: <p>
                   1619: You can also write <i>miniroot71.img</i> to the swap partition on
                   1620: the disk and boot with <i>boot disk:b</i>.
                   1621:
                   1622: <p>
                   1623: If nothing works, you can boot over the network as described in INSTALL.sparc64.
                   1624: </section>
                   1625:
                   1626: <hr>
                   1627:
                   1628: <section id=upgrade>
                   1629: <h3>How to upgrade</h3>
                   1630: <p>
1.6       tj       1631: If you already have an OpenBSD 7.0 system, and do not want to reinstall,
1.1       deraadt  1632: upgrade instructions and advice can be found in the
                   1633: <a href="faq/upgrade71.html">Upgrade Guide</a>.
                   1634: </section>
                   1635:
                   1636: <hr>
                   1637:
                   1638: <section id=sourcecode>
                   1639: <h3>Notes about the source code</h3>
                   1640: <p>
                   1641: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
                   1642: This file contains everything you need except for the kernel sources,
                   1643: which are in a separate archive.
                   1644: To extract:
                   1645: <blockquote><pre>
                   1646: # <kbd>mkdir -p /usr/src</kbd>
                   1647: # <kbd>cd /usr/src</kbd>
                   1648: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
                   1649: </pre></blockquote>
                   1650: <p>
                   1651: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
                   1652: This file contains all the kernel sources you need to rebuild kernels.
                   1653: To extract:
                   1654: <blockquote><pre>
                   1655: # <kbd>mkdir -p /usr/src/sys</kbd>
                   1656: # <kbd>cd /usr/src</kbd>
                   1657: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
                   1658: </pre></blockquote>
                   1659: <p>
                   1660: Both of these trees are regular CVS checkouts.  Using these trees it
                   1661: is possible to get a head-start on using the anoncvs servers as
                   1662: described <a href="anoncvs.html">here</a>.
                   1663: Using these files
                   1664: results in a much faster initial CVS update than you could expect from
                   1665: a fresh checkout of the full OpenBSD source tree.
                   1666: </section>
                   1667:
                   1668: <hr>
                   1669:
                   1670: <section id=ports>
                   1671: <h3>Ports Tree</h3>
                   1672: <p>
                   1673: A ports tree archive is also provided.  To extract:
                   1674: <blockquote><pre>
                   1675: # <kbd>cd /usr</kbd>
                   1676: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
                   1677: </pre></blockquote>
                   1678: <p>
                   1679: Go read the <a href="faq/ports/index.html">ports</a> page
                   1680: if you know nothing about ports
                   1681: at this point.  This text is not a manual on how to use ports.
                   1682: Rather, it is a set of notes meant to kickstart the user on the
                   1683: OpenBSD ports system.
                   1684: <p>
                   1685: The <i>ports/</i> directory represents a CVS checkout of our ports.
                   1686: As with our complete source tree, our ports tree is available via
                   1687: <a href="anoncvs.html">AnonCVS</a>.
                   1688: So, in order to keep up to date with the -stable branch, you must make
                   1689: the <i>ports/</i> tree available on a read-write medium and update the tree
                   1690: with a command like:
                   1691: <blockquote><pre>
                   1692: # <kbd>cd /usr/ports</kbd>
                   1693: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_1</kbd>
                   1694: </pre></blockquote>
                   1695: <p>
                   1696: [Of course, you must replace the server name here with a nearby anoncvs
                   1697: server.]
                   1698: <p>
                   1699: Note that most ports are available as packages on our mirrors. Updated
                   1700: ports for the 7.1 release will be made available if problems arise.
                   1701: <p>
                   1702: If you're interested in seeing a port added, would like to help out, or just
                   1703: would like to know more, the mailing list
                   1704: <a href="mail.html">ports@openbsd.org</a> is a good place to start.
                   1705: </section>
1.24      benno    1706: </body>
                   1707: </html>