| version 1.12, 2023/04/02 14:58:45 |
version 1.13, 2023/04/03 00:00:12 |
|
|
| |
|
| <li>Various kernel improvements: |
<li>Various kernel improvements: |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Removed copystr(9) from public API. |
| |
|
| |
<li>Made the USB ports work after a suspend/resume cycle on the x13s. |
| |
<li>Set the arm64 default for the machdep.lidaction <a |
| |
href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> to 1, making the |
| |
system suspend when the lid is closed. <a |
| |
href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> provides support |
| |
for the lid position sensor. |
| |
|
| |
<li>Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious |
| |
wakeups while other CPUs are still active. |
| |
<li>Added cursor back tab support to <a |
| |
href="https://man.openbsd.org/wscons.4">wscons(4)</a> VT100 |
| |
emulation.<br>Added aixterm bright color sequences (SGR 90-97 and |
| |
100-107). |
| |
<li>Added missing <a |
| |
href="https://man.openbsd.org/wscons.4">wscons(4)</a> bounds checks |
| |
when processing terminal escape sequences. |
| |
<li>Replaced broken UTF-8 logic in <a |
| |
href="https://man.openbsd.org/wscons.4">wscons(4)</a> with a better |
| |
one borrowed from Citrus. |
| |
<li>Added new <a href="https://man.openbsd.org/dt.4">dt(4)</a> ioctl |
| |
DTIOCARGS to get the type of probe arguments. |
| |
<li>Added a priority queue to <a |
| |
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
| |
|
| </ul> |
</ul> |
| |
|
| <li>SMP Improvements |
<li>SMP Improvements |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Made <a href="https://man.openbsd.org/tun.4">tun(4)</a> and <a |
| |
href="https://man.openbsd.org/tap.4">tap(4)</a> event filters MP-safe. |
| |
<li>Unlocked <a href="https://man.openbsd.org/utrace.2">utrace(2)</a>. |
| |
<li>Stopped holding the vm_map lock while flushing pages in <a |
| |
href="https://man.openbsd.org/msync.2">msync(2)</a> and <a |
| |
href="https://man.openbsd.org/madvise.2">madvise(2)</a>. Prevents a |
| |
3-thread deadlock between <a |
| |
href="https://man.openbsd.org/msync.2">msync(2)</a>, page-fault and <a |
| |
href="https://man.openbsd.org/mmap.2">mmap(2)</a>. |
| |
|
| |
<li>Unlocked <a |
| |
href="https://man.openbsd.org/select.2">select(2)</a>, <a |
| |
href="https://man.openbsd.org/pselect.2">pselect(2)</a>, <a |
| |
href="https://man.openbsd.org/poll.2">poll(2)</a>, and <a |
| |
href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>. |
| </ul> |
</ul> |
| |
|
| <li>Direct Rendering Manager and graphics drivers |
<li>Direct Rendering Manager and graphics drivers |
|
|
| Ryzen 7045 series "Dragon Range", |
Ryzen 7045 series "Dragon Range", |
| Radeon RX 7900 XT/XTX "Navi 31", |
Radeon RX 7900 XT/XTX "Navi 31", |
| Radeon RX 7600M (XT), 7700S, 7600S "Navi 33" |
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33" |
| <li>... |
|
| |
<!-- XXX maybe remove again? --> |
| |
<li>Fixed frame buffer corruption and additional bugs after wakeup |
| |
on Apple Silicon laptops and the Lenovo x13s. |
| |
<li>Matched unknown ATI display devices as amdgpu in <a |
| |
href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>. |
| |
<li>Fixed <a href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> |
| |
failing to init on Steam Deck after drm 6.1 update. |
| |
|
| </ul> |
</ul> |
| |
|
| <li>VMM/VMD improvements |
<li>VMM/VMD improvements |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Implemented zero-copy operations on virtqueues in <a |
| |
href="https://man.openbsd.org/vmd.8">vmd(8)</a>. |
| |
|
| |
<li>Provided a detailed e820 memory map when booting <a |
| |
href="https://man.openbsd.org/vmd.8">vmd(8)</a> guests with SeaBIOS. |
| |
When a vm initializes memory ranges, we now track what each range |
| |
represents. This information can be used to supply the e820 memory map |
| |
to SeaBIOS via the fw_cfg interface allowing it to properly |
| |
communicate memory ranges to a guest operating system. With this |
| |
special cases in ports can be removed. |
| |
|
| |
<li>Added thread names to vm processes in <a |
| |
href="https://man.openbsd.org/vmd.8">vmd(8)</a>, visible in <a |
| |
href="https://man.openbsd.org/ps.1">ps(1)</a>. |
| |
<li>Hid the WAITPKG cpu feature from <a |
| |
href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests, preventing |
| |
invalid instruction exceptions. Also added WAITPKG feature |
| |
identification to i386 and amd64. |
| |
|
| |
<li>Changed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to |
| |
only open /dev/vmm once, having the parent process send the fd to the |
| |
vmm child process. |
| |
<li>Restricted <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> exposed cpuid extended feature flags. |
| |
<li>Adjusted <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> error paths to avoid removal of configuration-defined (known) VMs on error. |
| |
<li>Stopped being paranoid about hypervisor correct PKU handling.<br> |
| |
Added saving and restoring guest PKRU to <a |
| |
href="https://man.openbsd.org/vmm.4">vmm(4)</a>. Expose the PKU cpuid |
| |
bit to the guest if in use on the host. |
| |
<li>Made <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> scan the pci bus to determine bootorder strings. |
| </ul> |
</ul> |
| |
|
| <li>Various new userland features: |
<li>Various new userland features: |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Added <a |
| |
href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting |
| |
for process kills due to <a |
| |
href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned |
| |
syscall address |
| |
|
| </ul> |
</ul> |
| |
|
| <li>Various bugfixes and tweaks in userland: |
<li>Various bugfixes and tweaks in userland: |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Added support for a personal <a |
| |
href="https://man.openbsd.org/units.1">units(1)</a> library by passing |
| |
-f multiple times. |
| |
|
| |
<li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> reorder |
| |
libraries in parallel to <a |
| |
href="https://man.openbsd.org/netstart.8">netstart(8)</a>, as this |
| |
does not depend on network access. |
| |
|
| |
<li>Implemented periodic display in <a |
| |
href="https://man.openbsd.org/iostat.8">iostat(8)</a>. |
| |
|
| |
<li>Changed <a href="https://man.openbsd.org/df.1">df(1)</a> to |
| |
round up fractional percentages. |
| |
|
| |
<li>Added the <a |
| |
href="https://man.openbsd.org/audioctl.8">audioctl(8)</a> -w option to |
| |
display variables periodically. |
| |
<li>Added short options for <a |
| |
href="https://man.openbsd.org/timeout.1">timeout(1)</a> --foreground |
| |
and --preserve-status.<br> |
| |
Added signal as a full argument name for <a |
| |
href="https://man.openbsd.org/timeout.1">timeout(1)</a> -s. |
| |
|
| |
<li>Fixed .wav files generated by <a |
| |
href="https://man.openbsd.org/aucat.1">aucat(1)</a> by using extended |
| |
header format. |
| |
<li>In <a |
| |
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>, use the |
| |
size of the largest chunk of free space, not the total of all such |
| |
chunks, when checking for sufficient space to add a partition. |
| |
<li>Fixed unbounded variable expansion in <a |
| |
href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>. |
| |
<li>Switched to use <a |
| |
href="https://man.openbsd.org/llvm-strip.1">llvm-strip(1)</a> on |
| |
architectures that use <a |
| |
href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a>. |
| |
<li>Extended <a |
| |
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template |
| |
parsing to allow "[mount point] *" as the specification for putting |
| |
the maximum available free space into a partition, and extended |
| |
command line parsing to allow "T-" as the specification to read the |
| |
template from stdin. |
| |
<li>Fixed a number of out of bounds reads in DNS response parsing. |
| |
|
| </ul> |
</ul> |
| |
|
| <li>Improved hardware support and driver bugfixes, including: |
<li>Improved hardware support and driver bugfixes, including: |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Enabled <a |
| |
href="https://man.openbsd.org/pcagpio.4">pcagpio(4)</a> and <a |
| |
href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>, making the SFP |
| |
port on the ClearFog Base (CN9130) work. |
| |
|
| |
<li>Added <a href="https://man.openbsd.org/uftdi.4">uftdi(4)</a> support for FTDI FT232R. |
| |
|
| |
<li>Hooked up the same USB device drivers on riscv64 as done in the |
| |
arm64 architecture kernel.<br>Enabled access to <a |
| |
href="https://man.openbsd.org/usb.4">usb(4)</a>, <a |
| |
href="https://man.openbsd.org/ugen.4">ugen(4)</a>, <a |
| |
href="https://man.openbsd.org/ulpt.4">ulpt(4)</a>, <a |
| |
href="https://man.openbsd.org/ucom.4">ucom(4)</a> and <a |
| |
href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>. |
| |
|
| |
<li>Enabled <a |
| |
href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a> power |
| |
management for PCI devices. |
| |
<li>Adopted a workaround for a bug in the ARM generic timer on the |
| |
A64, disabling userland timecounter support on affected hardware |
| |
pending a similar libc workaround. |
| |
<li>Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS). |
| |
<li>Implemented access to EFI variables ESRT through an <a |
| |
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> interface |
| |
compatible with what FreeBSD and NetBSD have.<br> |
| |
Created /dev/efi on amd64 and arm64. |
| |
<li>Added <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> support |
| |
for "enhanced descriptor" mode found on some variants of the Synopsys |
| |
DesignWare GMAC. |
| |
<li>Removed the <a |
| |
href="https://man.openbsd.org/OpenBSD-7.2/elansc.4">elansc(4)</a> |
| |
driver for AMD Elan SC520 System Controller. |
| |
<li>Made <a href="https://man.openbsd.org/ppb.4">ppb(4)</a> bus |
| |
range available after detaching, fixing unplugging and replugging |
| |
thunderbolt devices that were plugged in when the machine was booted. |
| |
<li>Improved <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a> RTC reliability. |
| |
<li>Reworked the arm64 architecture cpu_init_secondary() function to |
| |
allow use for both initial powerup and wakeup from deeper sleep |
| |
states. |
| |
<li>Added <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>, |
| |
a driver for Universal Flash Storage (UFS) Host Controllers. |
| |
<li>Set <a href="https://man.openbsd.org/sncodec.4">sncodec(4)</a> |
| |
and <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a> |
| |
default volume to -30dB instead of the hardware default of 0dB |
| |
(maximum). |
| |
<li>Added <a |
| |
href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>, a driver for |
| |
the TI SNO12776/TAS2764 digital amplifier. |
| |
<li>Added <a href="https://man.openbsd.org/scmi.4">scmi(4)</a>, a |
| |
driver for the ARM System Control and Management Interface. |
| |
<li>Added support for the Shenzhen Tangcheng Technology TCS4525 |
| |
voltage regulator to <a |
| |
href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>. |
| |
<li>Added <a href="https://man.openbsd.org/psci.4">psci(4)</a> (ARM |
| |
Power State Coordination Interface) support for available deep idle |
| |
states as advertised in device trees. |
| |
<li>Attached Apollo Lake HD Audio device to <a |
| |
href="https://man.openbsd.org/azalia.4">azalia(4)</a>, enabling audio. |
| |
<li>In <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a>, |
| |
handled different register layouts in modern Rockchip SoCs as seen in |
| |
the RK356x and RK3588. |
| |
<li>Added support for RK356x TSADC clocks to <a |
| |
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>. |
| |
<li>Added GMAC-related RK356x clocks to <a |
| |
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>. |
| |
<li>Added RK3588 support to <a |
| |
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and <a |
| |
href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>. |
| |
<li>Switched sparc64 to <a |
| |
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
| |
<li>Switched arm <a |
| |
href="https://man.openbsd.org/amptimer.4">amptimer(4)</a> and <a |
| |
href="https://man.openbsd.org/armv7/agtimer.4">agtimer(4/armv7)</a> to |
| |
<a href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
| |
<li>Switched armv7 <a |
| |
href="https://man.openbsd.org/dmtimer.4">dmtimer(4)</a> and <a |
| |
href="https://man.openbsd.org/sxitimer.4">sxitimer(4)</a> to <a |
| |
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
| |
<li>Switched armv7 <a |
| |
href="https://man.openbsd.org/gptimer.4">gptimer(4)</a> to <a |
| |
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
| |
<li>Added a kernel-facing API for <a |
| |
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
| |
<li>Added <a href="https://man.openbsd.org/mvortc.4">mvortc(4)</a>, |
| |
a driver for the RTC on the ARMADA 38x series. |
| |
<li>Added <a href="https://man.openbsd.org/mvodog.4">mvodog(4)</a>, |
| |
a driver for the watchdog on the ARMADA 38x series. |
| |
<li>Added <a href="https://man.openbsd.org/eephy.4">eephy(4)</a>, |
| |
found on the Turris Omnia WAN port, to armv7. |
| |
<li>Added polling to <a |
| |
href="https://man.openbsd.org/tipmic.4">tipmic(4)</a> driver when |
| |
starting from a cold boot, fixing a hang on boot. |
| |
<li>Implemented <a |
| |
href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a> support |
| |
for explicit routing to use alternative pin muxings. |
| |
<li>Added <a href="https://man.openbsd.org/ytphy.4">ytphy(4)</a>, a |
| |
driver for the MotorComm YT8511 PHY. |
| |
<li>Made <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a> |
| |
work on RK356x with U-Boot. |
| |
<li>Added initialization code for RK356x in <a |
| |
href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> to prevent |
| |
kernel hangs. |
| |
<li>Added a workaround for Intel Braswell/Cherry Trail mwait hang. |
| |
<li>Implemented setting the parent clock for RK356x in <a |
| |
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>. |
| |
<li>Added <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> |
| |
code to bring up the PCIe controller on the RK356x. |
| |
<li>Added <a |
| |
href="https://man.openbsd.org/rkpciephy.4">rkpciephy(4)</a>, a driver |
| |
for the PCIe 3.0 PHY found on the RK356x. |
| |
<li>Added <a |
| |
href="https://man.openbsd.org/rkcomphy.4">rkcomphy(4)</a>, a driver |
| |
for the "naneng" combo PHY found on the RK356x (and RK3588). Only |
| |
PCIe, SATA and USB3 support are implemented. |
| |
<li>Added the Armada 380 temperature sensor to <a |
| |
href="https://man.openbsd.org/mvtemp.4">mvtemp(4)</a> and enabled the |
| |
driver on armv7. |
| </ul> |
</ul> |
| |
|
| <li>New or improved network hardware support: |
<li>New or improved network hardware support: |
| <ul> |
<ul> |
| <li>... |
<li>Add <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>, a |
| |
driver for the Synopsis DesignWare Ethernet QoS controller used on the |
| |
NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake. |
| |
<li>Worked around an issue on the StarFive JH7100 SoC to make <a |
| |
href="https://man.openbsd.org/dwge.4">dwge(4)</a> ethernet work |
| |
reliably on the StarFive VisionFive 1 board. |
| |
<li>In <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>, |
| |
passed MII flags depending on the phy mode specified in the device |
| |
tree, making the WAN port work on the Turris Omnia. |
| </ul> |
</ul> |
| |
|
| <li>Added or improved wireless network drivers: |
<li>Added or improved wireless network drivers: |
| <ul> |
<ul> |
| <li>... |
<li>Fixed <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> issues with suspend/resume and possible firmware crashes on the M2 Macbook Air. |
| |
|
| |
|
| |
<li>Fixed a crash in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> when connecting to WEP networks via <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> join. |
| |
<li>Fixed an alignment issue in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx descriptors. |
| |
<li>Avoided trying to remove keys while doing crypto in hardware if the station is not active in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware, fixing a firmware panic. |
| |
<li>Prevented potential panics by disallowing the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> init task from running in parallel to wakeup code during resume. |
| |
<li>Switched all <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices to -77 firmware images. |
| |
<li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> get the primary channel number from AP beacon info, preventing problems on 40/80Mhz channels if there is a mismatch. |
| |
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> session protection event duration. |
| |
<li>Added support for the new <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> SCD_QUEUE_CONFIG command, required for adding/removing Tx queues on new firmware versions. |
| |
<li>Added support for the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> BAID allocation config command, required to set up Rx aggregation on new firmware. |
| |
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> RLC config command, IWX_STA_MAC_DATA_API_S_VER_2 API, and PHY context cmd version 4. |
| |
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> rate_n_flags API version 2 and removed fixed Tx rate support. |
| |
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> TLC config command v4. |
| |
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware alive response version 6. |
| </ul> |
</ul> |
| |
|
| <li>IEEE 802.11 wireless stack improvements and bugfixes: |
<li>IEEE 802.11 wireless stack improvements and bugfixes: |
| <ul> |
<ul> |
| <li>... |
|
| |
<li>Made net80211 drop beacons received on secondary HT/VHT |
| |
channels, preventing <a |
| |
href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware panics and |
| |
making association work with 11ac APs which transmit beacons on |
| |
channels other than their primary. |
| |
<li>Made WEP encryption work on <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>. |
| </ul> |
</ul> |
| |
|
| <li>Installer, upgrade and bootloader improvements: |
<li>Installer, upgrade and bootloader improvements: |
| <ul> |
<ul> |
| <li>... |
<li>In the installer, "!" now drops into a <a |
| |
href="https://man.openbsd.org/ksh.1">ksh(1)</a> environment rather |
| |
than the more limited <a href="https://man.openbsd.org/sh.1">sh(1)</a>. |
| |
<li>Made the installer skip interface configuration questions when no interfaces are available. |
| |
<li>Made it possible to set keyboard layout(s) in arm64's installer. |
| |
<li>Fixed resizing partitions on an auto-allocated disk that had a boot partition. |
| |
<li>Stopped the installer from asking to initialize disks that have |
| |
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks. |
| |
<li>Made efiboot fdt support device trees with NOPs in them (like the kernel version). |
| |
<li>Improved the default choice for the installer's install media |
| |
disk question to show the first disk (a) not the root disk and (b) not |
| |
a disk with softraid chunks (hosting the root disk, for example). |
| |
<li>Stopped offering WEP in the installer if not supported. |
| |
<li>Added initial support in the installer for guided disk |
| |
encryption for amd64, i386, riscv64 and sparc64. |
| |
|
| |
<!-- architecture specific --> |
| |
<li>Switched luna88k boot loader to MI boot code. |
| |
<li>Made <a href="https://man.openbsd.org/ls.1">ls(1)</a> work |
| |
correctly in the luna88k bootloader. |
| |
<li>Made <a href="https://man.openbsd.org/time.1">time(1)</a> work |
| |
correctly in the luna88k bootloader. |
| |
<li>Removed dangerous user-settable "addr" variable from MI |
| |
bootloader, only compiling tty-related code on platforms where it |
| |
makes sense for the bootloader to control it. |
| |
<li>Added "machine poweroff" command on luna88k bootloader. |
| |
<li>Switched alpha to machine-independent boot blocks. |
| |
<li>Switched loongson ramdisk to use <a |
| |
href="https://man.openbsd.org/installboot.8">installboot(8)</a> -p. |
| |
|
| </ul> |
</ul> |
| |
|
| <li>Security improvements: |
<li>Security improvements: |
| <ul> |
<ul> |
| <li>... |
<li>Add Synthetic Memory Protections. These provide |
| |
<ul> |
| |
<li>Immutable memory mappings whose permissions and size cannot be |
| |
changed anymore. A new system call <a |
| |
href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a> enables |
| |
this feature. |
| |
<li>Execute-Only permission on memory mappings. This uses hardware |
| |
support where possible and emulation where the hardware does not have |
| |
seperate execute only features. |
| |
<li>Stack permission on mappings: On every system call the stack |
| |
pointer is checked. It must point to a mapping that has MAP_STACK |
| |
permissions. |
| |
<li>Pinning of syscall entry to a unique specific memory regions from |
| |
which system calls can be made. |
| |
</ul><br> |
| |
The execute-only mappings are active on arm64, risc-v, hppa, |
| |
aarch64, mips64, sparc64, amd64, mips, and power-pc platforms. |
| |
<!-- XXX xonly checks on copyin(9) are not described yet --> |
| |
|
| |
<li>Implemented a --executable-only option in <a href="https://man.openbsd.org/ld.bfd.1">ld.bfd(1)</a>. |
| |
|
| |
<li>Added <a href="https://man.openbsd.org/execve.2">execve(2)</a> |
| |
violations of <a |
| |
href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a> policy |
| |
to the daily mail, available by setting rc.conf.local(5) |
| |
accounting=YES. |
| |
<li>Added retguard to amd64 syscalls. |
| |
|
| |
<li>Randomly relink and install <a |
| |
href="https://man.openbsd.org/sshd.8">sshd(8)</a> on boot, resulting |
| |
in a sshd with unknown address layout after every reboot. |
| |
|
| |
<li>Add another mitigation against classic BROP on systems without |
| |
execute-only mmu hardware-enforcement. A range-checking wrapper in |
| |
front of copyin() and copyinstr() ensures the userland source address |
| |
doesn't overlap the main program text and other text segments, thereby |
| |
making this address ranges unreadable to the kernel. No programs have |
| |
been discovered which require reading their own text segments with a |
| |
system call. |
| </ul> |
</ul> |
| |
|
| <li>Changes in the network stack: |
<li>Changes in the network stack: |
| <ul> |
<ul> |
| <li>... |
|
| </ul> |
|
| |
|
| |
<li>Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a |
| |
hash/flowid for <a href="https://man.openbsd.org/pf.4">pf(4)</a> state |
| |
keys. With this change, pf will hash traffic the same way that |
| |
hardware using a stoeplitz key will hash incoming traffic on rings. |
| |
stoeplitz is also used by the tcp stack to generate a flow id, which |
| |
is used to pick which transmit ring is used on nics with multiple |
| |
queues too. using the same algorithm throughout the stack encourages |
| |
affinity of packets to rings and softnet threads the whole way |
| |
through. |
| |
|
| |
<li>Prevented possible kernel crashes by dropping TCP packets with |
| |
destination port 0 in <a href="https://man.openbsd.org/pf.4">pf(4)</a> |
| |
and the stack. |
| |
|
| |
<li>Fixed a endian swap bug causing problems with <a |
| |
href="https://man.openbsd.org/vlan.4">vlans(4)</a> on <a |
| |
href="https://man.openbsd.org/em.4">em(4)</a> sparc64 systems. |
| |
<li>Denied "pipex no" tunnel setting for <a |
| |
href="https://man.openbsd.org/pppx.4">pppx(4)</a> interfaces. |
| |
<li>Fixed a panic in <a |
| |
href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there are |
| |
no data ready for bulk transfer. |
| |
<li>Turned off TCP Segmentation Offload (TSO) if interface is added |
| |
to layer 2 devices. |
| |
<li>Improved <a href="https://man.openbsd.org/vnet.4">vnet(4)</a> |
| |
to work better in busy conditions. |
| |
<li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout |
| |
(BIOCSWTIMEOUT) between capturing a packet and making the buffer |
| |
readable, preventing for example <a |
| |
href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every |
| |
half second even if there is nothing to read. By default this buffer |
| |
is infinite and must be filled to become readable. |
| |
<li>Avoided enabling TSO on interfaces which are already attached to a bridge. |
| |
|
| |
</ul> |
| |
|
| <li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
| <ul> |
<ul> |
| <li>IPsec support was improved: |
<li>IPsec support was improved: |
| <ul> |
<ul> |
| <li>... |
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> |
| |
support for configuring multiple name servers. |
| |
<li>Synced proc.c from <a |
| |
href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a |
| |
href="https://man.openbsd.org/iked.8">iked(8)</a> to enabled fork + |
| |
exec for all processes. This gives each process a fresh and unique |
| |
address space to further improve randomization of ASLR and stack |
| |
protector. |
| </ul> |
</ul> |
| <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, |
|
| <ul> |
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, <a |
| <li>... |
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a |
| |
href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>: |
| |
<ul> |
| |
<li>Improved performance by optimising the output filters |
| |
<li>Add Autonomous System Provider Authorization (ASPA) validaton |
| |
based on draft-ietf-sidrops-aspa-verification-12 |
| |
<li>Introduce avs (ASPA validation state) filter and bgpctl |
| |
filter argument |
| |
<li>Add ASPA support for the RTR protocol based on |
| |
draft-ietf-sidrops-8210bis-10 |
| |
<li>Improve open policy (RFC 9234) support and enable the capability |
| |
automatically if a role is specified for the peer |
| |
<li>Introduce a per neighbor 'role' configuration option to specify |
| |
the session role used by ASPA verification and the open policy |
| |
capability. The 'announce policy' statement was simplified at |
| |
the same time. |
| |
<li>Improve startup behaviour by introducing a small delay before |
| |
opening the connection to a new peer |
| |
<li>Support for aspa-set table config which can be provided by |
| |
<a |
| |
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> |
| |
<li>Make it possible to filter the RIB by invalid and leaked prefixes |
| |
in bgpctl and bgplgd |
| |
<li>Add OpenMetrics output to bgpctl for various BGP statistics and |
| |
add /metrics endpoint to bgplgd |
| |
<li>Fix of incorrect length checks that allowed an out-of-bounds |
| |
read in bgpd. |
| </ul> |
</ul> |
| <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes: |
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes: |
| <ul> |
<ul> |
| <li>... |
<li>Add a new '-H' command line option to create a shortlist of |
| |
repositories to synchronize to. For example, when invoking |
| |
"rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility |
| |
will not connect to any other hosts other than the two specified |
| |
through the -H option. |
| |
<li>Add support for validating Geofeed (RFC 9092) authenticators. To |
| |
see an example download https://sobornost.net/geofeed.csv and run |
| |
"rpki-client -f geofeed.csv" |
| |
<li>Add support for validating Trust Anchor Key (TAK) objects. TAK |
| |
objects can be used to produce new Trust Anchor Locators (TALs) signed |
| |
by and verified against the previous Trust Anchor. See |
| |
draft-ietf-sidrops-signed-tal for the full specification. |
| |
<li>Log lines related to RRDP/HTTPS connection problems now include the |
| |
IP address of the problematic endpoint (in brackets). |
| |
<li>Improve the error message when an invalid filename is encountered |
| |
in the rpkiManifest field in the Subject Access Information (SIA) |
| |
extension. |
| |
<li>Emit a warning when unexpected X.509 extensions are encountered. |
| |
<li>Restrict the ROA ipAddrBlocks field to only allow two |
| |
ROAIPAddressFamily structures (one per address family). See |
| |
draft-ietf-sidrops-rfc6482bis. |
| |
<li>Check the absence of the Path Length constraint in the Basic |
| |
Constraints extension. |
| |
<li>Restrict the SIA extension to only allow the signedObject and |
| |
rpkiNotify accessMethods. |
| |
<li>Check that the Signed Object access method is present in ROA, MFT, |
| |
ASPA, TAK, and GBR End-Entity certificates. |
| |
<li>In addition to the 'rsync://' scheme, also permit other schemes |
| |
(such as 'https://') in the SIA signedObject access method. |
| |
<li>Check that the KeyUsage extension is set to nothing but |
| |
digitalSignature on End-Entity certificates. |
| |
<li>Chect that the KeyUsage extension is set to nothing but keyCertSign |
| |
and CRLSign on CA certificates. |
| |
<li>Check that the ExtendedKeyUsage extension is absent on CA |
| |
certificates. |
| |
<li>Fix a bug in the handling of the port of http_proxy. |
| |
<li>The '-r' command line option has been deprecated. |
| |
<li>Filemode (-f) output is now presented as a text based table. |
| |
<li>The 'expires' key in the JSON/CSV/OpenBGPD output formats is now |
| |
calculated with more accuracy. The calculation takes into account the |
| |
nextUpdate value of all intermediate CRLs in the signature path |
| |
towards the trust anchor, in addition to the expiry moment of the |
| |
leaf-CRL and CAs. |
| |
<li>Handling of CRLs and Manifests in the face of inconsistent RRDP delta |
| |
publications has been improved. A copy of an alternative version of |
| |
the applicable CRL is kept in the staging area of the cache directory, |
| |
in order to increase the potential for establishing a complete |
| |
publication point, in cases where a single publication point update |
| |
was smeared across multiple RRDP delta files. |
| |
<li>The OpenBGPD configuration output now includes validated Autonomous |
| |
System Provider Authorization (ASPA) payloads as an 'aspa-set {}' |
| |
configuration block. |
| |
<li>When rpki-client is invoked with increased verbosity ('-v'), the |
| |
current RRDP Serial & Session ID are shown to aid debugging. |
| |
<li>Self-signed X.509 certificates (such as Trust Anchor certificates) |
| |
now are considered invalid if they contain an X.509 |
| |
AuthorityInfoAccess extension. |
| |
<li>Signed Objects where the CMS signing-time attribute contains a |
| |
timestamp later then the X.509 certificate's notAfter timestamp are |
| |
considered invalid. |
| |
<li>Manifests where the CMS signing-time attribute contains a timestamp |
| |
later then the Manifest eContent nextUpdate timestamp are considered |
| |
invalid. |
| |
<li>Any objects whose CRL Distribution Points extension contains a |
| |
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are |
| |
considered invalid in accordance with RFC 6487 section 4.8.6. |
| |
<li>For every X.509 certificate the SHA-1 of the Subject Public Key is |
| |
calculated and compared to the Subject Key Identifier (SKI), if a |
| |
mismatch is found the certificate is not trusted. |
| |
<li>Require the outside-TBS signature OID for every X.509 intermediate |
| |
CA certificate and CRL to be sha256WithRSAEncryption. |
| |
<li>Require the RSA key pair modulus and public exponent parameters to |
| |
strictly conform to the RFC 7935 profile. |
| |
<li>Ensure there is no trailing garbage present in Signed Objects beyond |
| |
the self-embedded length field. |
| |
<li>Require RRDP Session IDs to strictly be version 4 UUIDs. |
| |
<li>When decoding and validating an individual RPKI file using filemode |
| |
(rpki-client -f file), display the signature path towards the trust |
| |
anchor, and the timestamp when the signature path will expire. |
| |
<li>When decoding and validating an individual RPKI file using filemode |
| |
(rpki-client -f file), display the optional CMS signing-time, and |
| |
non-optional X.509 notBefore, and X.509 notAfter timestamps. |
| </ul> |
</ul> |
| |
|
| <li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>, |
<li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>, |
|
|
| </ul> |
</ul> |
| |
|
| <li>... |
<li>... |
| |
<!-- smtpd --> |
| |
<li>Prevented <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> |
| |
abort due to a connection from a local, scoped ipv6 address. |
| |
<li>Fixed a potential NULL dereference in the unpriv child expanding |
| |
%{mda} in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>. |
| |
|
| |
<li>Corrected the order of arguments for calls to <a |
| |
href="https://man.openbsd.org/shutdown.2">shutdown(2)</a> on the route |
| |
socket of <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, <a |
| |
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a |
| |
href="https://man.openbsd.org/unwind.8">unwind(8)</a>. |
| |
<li>Made <a href="https://man.openbsd.org/route.8">route(8)</a> |
| |
sourceaddr print the used addresses for inet and inet6, or "default" |
| |
if no sourceaddr is set and the default algorithm is used. |
| |
<li>Added -mpls option to the route(8) monitor command. It can be |
| |
used to restrict displayed route messages to the mpls address family. |
| |
<li>Fixed <a href="https://man.openbsd.org/openrsync.1">rsync(1)</a> |
| |
handling of port numbers in rsync://host[:port]/module URLS. |
| |
<li>Made <a href="https://man.openbsd.org/tcpdrop.8">tcpdrop(8)</a> |
| |
accept netstat-style address.port syntax. |
| |
<li>Ensured <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> |
| |
correctly adds addresses to the undefined/inactive table. |
| |
|
| </ul> |
</ul> |
| |
|
| <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes: |
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes: |
| <ul> |
<ul> |
| <li>... |
<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> tty-keys accept \007 as terminator to OSC 10 or 11. |
| |
<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside. |
| |
<li>Supported -1 without -N for list-keys in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>. |
| |
<li>Added a flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-menu to select the menu item chosen first. |
| |
<li>Added Backtab key support to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> |
| |
<li>Disallowed multiple consecutive line separators in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> menu. |
| |
<li>Extended display-message to work for control clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>. |
| |
<li>Added -f to list-clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>. |
| |
<li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> L modifier like P, W, S to loop over clients. |
| </ul> |
</ul> |
| |
|
| <li>LibreSSL version 3.7.2 |
<li>LibreSSL version 3.7.2 |
|
|
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
| <li>OpenSSH XXX.YYY |
<li>OpenSSH 9.3. |
| <ul> |
<ul> |
| <li>Security |
<li>Security |
| <ul> |
<ul> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 73.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www