version 1.12, 2023/04/02 14:58:45 |
version 1.13, 2023/04/03 00:00:12 |
|
|
|
|
<li>Various kernel improvements: |
<li>Various kernel improvements: |
<ul> |
<ul> |
<li>... |
|
|
<li>Removed copystr(9) from public API. |
|
|
|
<li>Made the USB ports work after a suspend/resume cycle on the x13s. |
|
<li>Set the arm64 default for the machdep.lidaction <a |
|
href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> to 1, making the |
|
system suspend when the lid is closed. <a |
|
href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> provides support |
|
for the lid position sensor. |
|
|
|
<li>Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious |
|
wakeups while other CPUs are still active. |
|
<li>Added cursor back tab support to <a |
|
href="https://man.openbsd.org/wscons.4">wscons(4)</a> VT100 |
|
emulation.<br>Added aixterm bright color sequences (SGR 90-97 and |
|
100-107). |
|
<li>Added missing <a |
|
href="https://man.openbsd.org/wscons.4">wscons(4)</a> bounds checks |
|
when processing terminal escape sequences. |
|
<li>Replaced broken UTF-8 logic in <a |
|
href="https://man.openbsd.org/wscons.4">wscons(4)</a> with a better |
|
one borrowed from Citrus. |
|
<li>Added new <a href="https://man.openbsd.org/dt.4">dt(4)</a> ioctl |
|
DTIOCARGS to get the type of probe arguments. |
|
<li>Added a priority queue to <a |
|
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
|
|
</ul> |
</ul> |
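Review bot: the wscons(4) VT100 item folds two unrelated changes into one entry with a line break: "emulation.<br>Added aixterm bright color sequences (SGR 90-97 and 100-107)." The cursor back-tab support and the bright-colour SGR sequences are independent features and would read better as two separate list items, matching how the rest of this list is structured.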
|
|
<li>SMP Improvements |
<li>SMP Improvements |
<ul> |
<ul> |
<li>... |
|
|
<li>Made <a href="https://man.openbsd.org/tun.4">tun(4)</a> and <a |
|
href="https://man.openbsd.org/tap.4">tap(4)</a> event filters MP-safe. |
|
<li>Unlocked <a href="https://man.openbsd.org/utrace.2">utrace(2)</a>. |
|
<li>Stopped holding the vm_map lock while flushing pages in <a |
|
href="https://man.openbsd.org/msync.2">msync(2)</a> and <a |
|
href="https://man.openbsd.org/madvise.2">madvise(2)</a>. Prevents a |
|
3-thread deadlock between <a |
|
href="https://man.openbsd.org/msync.2">msync(2)</a>, page-fault and <a |
|
href="https://man.openbsd.org/mmap.2">mmap(2)</a>. |
|
|
|
<li>Unlocked <a |
|
href="https://man.openbsd.org/select.2">select(2)</a>, <a |
|
href="https://man.openbsd.org/pselect.2">pselect(2)</a>, <a |
|
href="https://man.openbsd.org/poll.2">poll(2)</a>, and <a |
|
href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>. |
</ul> |
</ul> |
|
|
<li>Direct Rendering Manager and graphics drivers |
<li>Direct Rendering Manager and graphics drivers |
|
|
Ryzen 7045 series "Dragon Range", |
Ryzen 7045 series "Dragon Range", |
Radeon RX 7900 XT/XTX "Navi 31", |
Radeon RX 7900 XT/XTX "Navi 31", |
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33" |
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33" |
<li>... |
|
|
<!-- XXX maybe remove again? --> |
|
<li>Fixed frame buffer corruption and additional bugs after wakeup |
|
on Apple Silicon laptops and the Lenovo x13s. |
|
<li>Matched unknown ATI display devices as amdgpu in <a |
|
href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>. |
|
<li>Fixed <a href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> |
|
failing to init on Steam Deck after drm 6.1 update. |
|
|
</ul> |
</ul> |
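Review bot: an unresolved "XXX maybe remove again?" comment is left in front of the "Fixed frame buffer corruption and additional bugs after wakeup on Apple Silicon laptops and the Lenovo x13s." item. Decide whether that entry stays and drop the comment before this page ships; release notes should not carry open XXX markers. The "Ryzen 7045 series", "Navi 31" and "Navi 33" lines at the top of this section also appear without a list item of their own in the diff, so check that they still sit inside the item that introduces the new hardware.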
|
|
<li>VMM/VMD improvements |
<li>VMM/VMD improvements |
<ul> |
<ul> |
<li>... |
|
|
<li>Implemented zero-copy operations on virtqueues in <a |
|
href="https://man.openbsd.org/vmd.8">vmd(8)</a>. |
|
|
|
<li>Provided a detailed e820 memory map when booting <a |
|
href="https://man.openbsd.org/vmd.8">vmd(8)</a> guests with SeaBIOS. |
|
When a vm initializes memory ranges, we now track what each range |
|
represents. This information can be used to supply the e820 memory map |
|
to SeaBIOS via the fw_cfg interface allowing it to properly |
|
communicate memory ranges to a guest operating system. With this |
|
special cases in ports can be removed. |
|
|
|
<li>Added thread names to vm processes in <a |
|
href="https://man.openbsd.org/vmd.8">vmd(8)</a>, visible in <a |
|
href="https://man.openbsd.org/ps.1">ps(1)</a>. |
|
<li>Hid the WAITPKG cpu feature from <a |
|
href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests, preventing |
|
invalid instruction exceptions. Also added WAITPKG feature |
|
identification to i386 and amd64. |
|
|
|
<li>Changed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to |
|
only open /dev/vmm once, having the parent process send the fd to the |
|
vmm child process. |
|
<li>Restricted <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> exposed cpuid extended feature flags. |
|
<li>Adjusted <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> error paths to avoid removal of configuration-defined (known) VMs on error. |
|
<li>Stopped being paranoid about hypervisor correct PKU handling.<br> |
|
Added saving and restoring guest PKRU to <a |
|
href="https://man.openbsd.org/vmm.4">vmm(4)</a>. Expose the PKU cpuid |
|
bit to the guest if in use on the host. |
|
<li>Made <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> scan the pci bus to determine bootorder strings. |
</ul> |
</ul> |
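Review bot: the e820 item has a grammar slip and the PKU item switches tense mid-entry. "With this special cases in ports can be removed." needs a comma after "this" or a rephrase such as "This allows special cases in ports to be removed."; and "Expose the PKU cpuid bit to the guest if in use on the host." should be "Exposed ..." to match "Added saving and restoring guest PKRU" in the same entry. The opening clause "Stopped being paranoid about hypervisor correct PKU handling." reads like a commit-log remark rather than a release note; saying plainly what check was relaxed would serve readers better.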
|
|
<li>Various new userland features: |
<li>Various new userland features: |
<ul> |
<ul> |
<li>... |
|
|
<li>Added <a |
|
href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting |
|
for process kills due to <a |
|
href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned |
|
syscall address |
|
|
</ul> |
</ul> |
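Review bot: the lastcomm(1) entry ends without a full stop ("from non-pinned syscall address"), unlike every other item on the page; add the period. Since the entry reports kills caused by the syscall pinning mechanism described under "Security improvements", a reference to pinsyscall(2) here would tell readers why such kills occur.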
|
|
<li>Various bugfixes and tweaks in userland: |
<li>Various bugfixes and tweaks in userland: |
<ul> |
<ul> |
<li>... |
|
|
<li>Added support for a personal <a |
|
href="https://man.openbsd.org/units.1">units(1)</a> library by passing |
|
-f multiple times. |
|
|
|
<li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> reorder |
|
libraries in parallel to <a |
|
href="https://man.openbsd.org/netstart.8">netstart(8)</a>, as this |
|
does not depend on network access. |
|
|
|
<li>Implemented periodic display in <a |
|
href="https://man.openbsd.org/iostat.8">iostat(8)</a>. |
|
|
|
<li>Changed <a href="https://man.openbsd.org/df.1">df(1)</a> to |
|
round up fractional percentages. |
|
|
|
<li>Added the <a |
|
href="https://man.openbsd.org/audioctl.8">audioctl(8)</a> -w option to |
|
display variables periodically. |
|
<li>Added short options for <a |
|
href="https://man.openbsd.org/timeout.1">timeout(1)</a> --foreground |
|
and --preserve-status.<br> |
|
Added signal as a full argument name for <a |
|
href="https://man.openbsd.org/timeout.1">timeout(1)</a> -s. |
|
|
|
<li>Fixed .wav files generated by <a |
|
href="https://man.openbsd.org/aucat.1">aucat(1)</a> by using extended |
|
header format. |
|
<li>In <a |
|
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>, use the |
|
size of the largest chunk of free space, not the total of all such |
|
chunks, when checking for sufficient space to add a partition. |
|
<li>Fixed unbounded variable expansion in <a |
|
href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>. |
|
<li>Switched to use <a |
|
href="https://man.openbsd.org/llvm-strip.1">llvm-strip(1)</a> on |
|
architectures that use <a |
|
href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a>. |
|
<li>Extended <a |
|
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template |
|
parsing to allow "[mount point] *" as the specification for putting |
|
the maximum available free space into a partition, and extended |
|
command line parsing to allow "T-" as the specification to read the |
|
template from stdin. |
|
<li>Fixed a number of out of bounds reads in DNS response parsing. |
|
|
</ul> |
</ul> |
|
|
<li>Improved hardware support and driver bugfixes, including: |
<li>Improved hardware support and driver bugfixes, including: |
<ul> |
<ul> |
<li>... |
|
|
<li>Enabled <a |
|
href="https://man.openbsd.org/pcagpio.4">pcagpio(4)</a> and <a |
|
href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>, making the SFP |
|
port on the ClearFog Base (CN9130) work. |
|
|
|
<li>Added <a href="https://man.openbsd.org/uftdi.4">uftdi(4)</a> support for FTDI FT232R. |
|
|
|
<li>Hooked up the same USB device drivers on riscv64 as done in the |
|
arm64 architecture kernel.<br>Enabled access to <a |
|
href="https://man.openbsd.org/usb.4">usb(4)</a>, <a |
|
href="https://man.openbsd.org/ugen.4">ugen(4)</a>, <a |
|
href="https://man.openbsd.org/ulpt.4">ulpt(4)</a>, <a |
|
href="https://man.openbsd.org/ucom.4">ucom(4)</a> and <a |
|
href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>. |
|
|
|
<li>Enabled <a |
|
href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a> power |
|
management for PCI devices. |
|
<li>Adopted a workaround for a bug in the ARM generic timer on the |
|
A64, disabling userland timecounter support on affected hardware |
|
pending a similar libc workaround. |
|
<li>Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS). |
|
<li>Implemented access to EFI variables ESRT through an <a |
|
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> interface |
|
compatible with what FreeBSD and NetBSD have.<br> |
|
Created /dev/efi on amd64 and arm64. |
|
<li>Added <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> support |
|
for "enhanced descriptor" mode found on some variants of the Synopsys |
|
DesignWare GMAC. |
|
<li>Removed the <a |
|
href="https://man.openbsd.org/OpenBSD-7.2/elansc.4">elansc(4)</a> |
|
driver for AMD Elan SC520 System Controller. |
|
<li>Made <a href="https://man.openbsd.org/ppb.4">ppb(4)</a> bus |
|
range available after detaching, fixing unplugging and replugging |
|
thunderbolt devices that were plugged in when the machine was booted. |
|
<li>Improved <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a> RTC reliability. |
|
<li>Reworked the arm64 architecture cpu_init_secondary() function to |
|
allow use for both initial powerup and wakeup from deeper sleep |
|
states. |
|
<li>Added <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>, |
|
a driver for Universal Flash Storage (UFS) Host Controllers. |
|
<li>Set <a href="https://man.openbsd.org/sncodec.4">sncodec(4)</a> |
|
and <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a> |
|
default volume to -30dB instead of the hardware default of 0dB |
|
(maximum). |
|
<li>Added <a |
|
href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>, a driver for |
|
the TI SNO12776/TAS2764 digital amplifier. |
|
<li>Added <a href="https://man.openbsd.org/scmi.4">scmi(4)</a>, a |
|
driver for the ARM System Control and Management Interface. |
|
<li>Added support for the Shenzhen Tangcheng Technology TCS4525 |
|
voltage regulator to <a |
|
href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>. |
|
<li>Added <a href="https://man.openbsd.org/psci.4">psci(4)</a> (ARM |
|
Power State Coordination Interface) support for available deep idle |
|
states as advertised in device trees. |
|
<li>Attached Apollo Lake HD Audio device to <a |
|
href="https://man.openbsd.org/azalia.4">azalia(4)</a>, enabling audio. |
|
<li>In <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a>, |
|
handled different register layouts in modern Rockchip SoCs as seen in |
|
the RK356x and RK3588. |
|
<li>Added support for RK356x TSADC clocks to <a |
|
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>. |
|
<li>Added GMAC-related RK356x clocks to <a |
|
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>. |
|
<li>Added RK3588 support to <a |
|
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and <a |
|
href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>. |
|
<li>Switched sparc64 to <a |
|
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
|
<li>Switched arm <a |
|
href="https://man.openbsd.org/amptimer.4">amptimer(4)</a> and <a |
|
href="https://man.openbsd.org/armv7/agtimer.4">agtimer(4/armv7)</a> to |
|
<a href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
|
<li>Switched armv7 <a |
|
href="https://man.openbsd.org/dmtimer.4">dmtimer(4)</a> and <a |
|
href="https://man.openbsd.org/sxitimer.4">sxitimer(4)</a> to <a |
|
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
|
<li>Switched armv7 <a |
|
href="https://man.openbsd.org/gptimer.4">gptimer(4)</a> to <a |
|
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
|
<li>Added a kernel-facing API for <a |
|
href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>. |
|
<li>Added <a href="https://man.openbsd.org/mvortc.4">mvortc(4)</a>, |
|
a driver for the RTC on the ARMADA 38x series. |
|
<li>Added <a href="https://man.openbsd.org/mvodog.4">mvodog(4)</a>, |
|
a driver for the watchdog on the ARMADA 38x series. |
|
<li>Added <a href="https://man.openbsd.org/eephy.4">eephy(4)</a>, |
|
found on the Turris Omnia WAN port, to armv7. |
|
<li>Added polling to <a |
|
href="https://man.openbsd.org/tipmic.4">tipmic(4)</a> driver when |
|
starting from a cold boot, fixing a hang on boot. |
|
<li>Implemented <a |
|
href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a> support |
|
for explicit routing to use alternative pin muxings. |
|
<li>Added <a href="https://man.openbsd.org/ytphy.4">ytphy(4)</a>, a |
|
driver for the MotorComm YT8511 PHY. |
|
<li>Made <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a> |
|
work on RK356x with U-Boot. |
|
<li>Added initialization code for RK356x in <a |
|
href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> to prevent |
|
kernel hangs. |
|
<li>Added a workaround for Intel Braswell/Cherry Trail mwait hang. |
|
<li>Implemented setting the parent clock for RK356x in <a |
|
href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>. |
|
<li>Added <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> |
|
code to bring up the PCIe controller on the RK356x. |
|
<li>Added <a |
|
href="https://man.openbsd.org/rkpciephy.4">rkpciephy(4)</a>, a driver |
|
for the PCIe 3.0 PHY found on the RK356x. |
|
<li>Added <a |
|
href="https://man.openbsd.org/rkcomphy.4">rkcomphy(4)</a>, a driver |
|
for the "naneng" combo PHY found on the RK356x (and RK3588). Only |
|
PCIe, SATA and USB3 support are implemented. |
|
<li>Added the Armada 380 temperature sensor to <a |
|
href="https://man.openbsd.org/mvtemp.4">mvtemp(4)</a> and enabled the |
|
driver on armv7. |
</ul> |
</ul> |
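Review bot: the part number in the sncodec(4) entry, "the TI SNO12776/TAS2764 digital amplifier", is spelled with the letter O; the TI part is SN012776 with a zero, so please correct it. The same driver is also referenced two entries earlier ("Set sncodec(4) and tascodec(4) default volume to -30dB") before the entry that introduces it ("Added sncodec(4), a driver for ..."); swapping the two items introduces the driver before its tuning change.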
|
|
<li>New or improved network hardware support: |
<li>New or improved network hardware support: |
<ul> |
<ul> |
<li>... |
<li>Add <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>, a |
|
driver for the Synopsis DesignWare Ethernet QoS controller used on the |
|
NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake. |
|
<li>Worked around an issue on the StarFive JH7100 SoC to make <a |
|
href="https://man.openbsd.org/dwge.4">dwge(4)</a> ethernet work |
|
reliably on the StarFive VisionFive 1 board. |
|
<li>In <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>, |
|
passed MII flags depending on the phy mode specified in the device |
|
tree, making the WAN port work on the Turris Omnia. |
</ul> |
</ul> |
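Review bot: the dwqe(4) entry misspells the vendor: "driver for the Synopsis DesignWare Ethernet QoS controller" should read "Synopsys", matching the dwge(4) entry above ("Synopsys DesignWare GMAC"). The same entry opens with "Add dwqe(4)" while the neighbouring items use past tense ("Worked around", "passed"); "Added" keeps the list consistent.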
|
|
<li>Added or improved wireless network drivers: |
<li>Added or improved wireless network drivers: |
<ul> |
<ul> |
<li>... |
<li>Fixed <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> issues with suspend/resume and possible firmware crashes on the M2 Macbook Air. |
|
|
|
|
|
<li>Fixed a crash in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> when connecting to WEP networks via <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> join. |
|
<li>Fixed an alignment issue in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx descriptors. |
|
<li>Avoided trying to remove keys while doing crypto in hardware if the station is not active in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware, fixing a firmware panic. |
|
<li>Prevented potential panics by disallowing the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> init task from running in parallel to wakeup code during resume. |
|
<li>Switched all <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices to -77 firmware images. |
|
<li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> get the primary channel number from AP beacon info, preventing problems on 40/80Mhz channels if there is a mismatch. |
|
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> session protection event duration. |
|
<li>Added support for the new <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> SCD_QUEUE_CONFIG command, required for adding/removing Tx queues on new firmware versions. |
|
<li>Added support for the <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> BAID allocation config command, required to set up Rx aggregation on new firmware. |
|
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> RLC config command, IWX_STA_MAC_DATA_API_S_VER_2 API, and PHY context cmd version 4. |
|
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> rate_n_flags API version 2 and removed fixed Tx rate support. |
|
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> TLC config command v4. |
|
<li>Added support for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware alive response version 6. |
</ul> |
</ul> |
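Review bot: two small corrections in this list: "M2 Macbook Air" should be "MacBook Air", and "40/80Mhz channels" should be "40/80 MHz channels". The run of iwx(4) firmware API items (SCD_QUEUE_CONFIG, BAID allocation config, RLC config, TLC config command v4, alive response version 6) each say they are required by new firmware, while the item that actually switches the firmware ("Switched all iwx(4) devices to -77 firmware images.") sits in the middle of them; moving the firmware-switch item first and grouping the command-support items after it would make the dependency obvious.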
|
|
<li>IEEE 802.11 wireless stack improvements and bugfixes: |
<li>IEEE 802.11 wireless stack improvements and bugfixes: |
<ul> |
<ul> |
<li>... |
|
|
<li>Made net80211 drop beacons received on secondary HT/VHT |
|
channels, preventing <a |
|
href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware panics and |
|
making association work with 11ac APs which transmit beacons on |
|
channels other than their primary. |
|
<li>Made WEP encryption work on <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>. |
</ul> |
</ul> |
|
|
<li>Installer, upgrade and bootloader improvements: |
<li>Installer, upgrade and bootloader improvements: |
<ul> |
<ul> |
<li>... |
<li>In the installer, "!" now drops into a <a |
|
href="https://man.openbsd.org/ksh.1">ksh(1)</a> environment rather |
|
than the more limited <a href="https://man.openbsd.org/sh.1">sh(1)</a>. |
|
<li>Made the installer skip interface configuration questions when no interfaces are available. |
|
<li>Made it possible to set keyboard layout(s) in arm64's installer. |
|
<li>Fixed resizing partitions on an auto-allocated disk that had a boot partition. |
|
<li>Stopped the installer from asking to initialize disks that have |
|
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks. |
|
<li>Made efiboot fdt support device trees with NOPs in them (like the kernel version). |
|
<li>Improved the default choice for the installer's install media |
|
disk question to show the first disk (a) not the root disk and (b) not |
|
a disk with softraid chunks (hosting the root disk, for example). |
|
<li>Stopped offering WEP in the installer if not supported. |
|
<li>Added initial support in the installer for guided disk |
|
encryption for amd64, i386, riscv64 and sparc64. |
|
|
|
<!-- architecture specific --> |
|
<li>Switched luna88k boot loader to MI boot code. |
|
<li>Made <a href="https://man.openbsd.org/ls.1">ls(1)</a> work |
|
correctly in the luna88k bootloader. |
|
<li>Made <a href="https://man.openbsd.org/time.1">time(1)</a> work |
|
correctly in the luna88k bootloader. |
|
<li>Removed dangerous user-settable "addr" variable from MI |
|
bootloader, only compiling tty-related code on platforms where it |
|
makes sense for the bootloader to control it. |
|
<li>Added "machine poweroff" command on luna88k bootloader. |
|
<li>Switched alpha to machine-independent boot blocks. |
|
<li>Switched loongson ramdisk to use <a |
|
href="https://man.openbsd.org/installboot.8">installboot(8)</a> -p. |
|
|
</ul> |
</ul> |
|
|
<li>Security improvements: |
<li>Security improvements: |
<ul> |
<ul> |
<li>... |
<li>Add Synthetic Memory Protections. These provide |
|
<ul> |
|
<li>Immutable memory mappings whose permissions and size cannot be |
|
changed anymore. A new system call <a |
|
href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a> enables |
|
this feature. |
|
<li>Execute-Only permission on memory mappings. This uses hardware |
|
support where possible and emulation where the hardware does not have |
|
seperate execute only features. |
|
<li>Stack permission on mappings: On every system call the stack |
|
pointer is checked. It must point to a mapping that has MAP_STACK |
|
permissions. |
|
<li>Pinning of syscall entry to a unique specific memory regions from |
|
which system calls can be made. |
|
</ul><br> |
|
The execute-only mappings are active on arm64, risc-v, hppa, |
|
aarch64, mips64, sparc64, amd64, mips, and power-pc platforms. |
|
<!-- XXX xonly checks on copyin(9) are not described yet --> |
|
|
|
<li>Implemented a --executable-only option in <a href="https://man.openbsd.org/ld.bfd.1">ld.bfd(1)</a>. |
|
|
|
<li>Added <a href="https://man.openbsd.org/execve.2">execve(2)</a> |
|
violations of <a |
|
href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a> policy |
|
to the daily mail, available by setting rc.conf.local(5) |
|
accounting=YES. |
|
<li>Added retguard to amd64 syscalls. |
|
|
|
<li>Randomly relink and install <a |
|
href="https://man.openbsd.org/sshd.8">sshd(8)</a> on boot, resulting |
|
in a sshd with unknown address layout after every reboot. |
|
|
|
<li>Add another mitigation against classic BROP on systems without |
|
execute-only mmu hardware-enforcement. A range-checking wrapper in |
|
front of copyin() and copyinstr() ensures the userland source address |
|
doesn't overlap the main program text and other text segments, thereby |
|
making this address ranges unreadable to the kernel. No programs have |
|
been discovered which require reading their own text segments with a |
|
system call. |
</ul> |
</ul> |
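Review bot: several wording problems in the Synthetic Memory Protections entry, plus a stale marker. "seperate execute only features" should be "separate execute-only features"; "Pinning of syscall entry to a unique specific memory regions" mixes singular and plural ("a unique memory region"); and the platform list "arm64, risc-v, hppa, aarch64, mips64, sparc64, amd64, mips, and power-pc" names arm64 twice (aarch64 is the same architecture) and should use the platform names used elsewhere on the page (riscv64 rather than risc-v). The comment "XXX xonly checks on copyin(9) are not described yet" is now outdated, because the last item in this section ("A range-checking wrapper in front of copyin() and copyinstr() ensures the userland source address doesn't overlap the main program text ...") describes exactly that; drop the comment. In that same item, "making this address ranges unreadable" should be "these address ranges", and "Add another mitigation" should be "Added" for tense consistency. Finally, "rc.conf.local(5)" in the pinsyscall(2) accounting item is the only manual reference in the section without a man.openbsd.org link.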
|
|
<li>Changes in the network stack: |
<li>Changes in the network stack: |
<ul> |
<ul> |
<li>... |
|
</ul> |
|
|
|
|
<li>Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a |
|
hash/flowid for <a href="https://man.openbsd.org/pf.4">pf(4)</a> state |
|
keys. With this change, pf will hash traffic the same way that |
|
hardware using a stoeplitz key will hash incoming traffic on rings. |
|
stoeplitz is also used by the tcp stack to generate a flow id, which |
|
is used to pick which transmit ring is used on nics with multiple |
|
queues too. using the same algorithm throughout the stack encourages |
|
affinity of packets to rings and softnet threads the whole way |
|
through. |
|
|
|
<li>Prevented possible kernel crashes by dropping TCP packets with |
|
destination port 0 in <a href="https://man.openbsd.org/pf.4">pf(4)</a> |
|
and the stack. |
|
|
|
<li>Fixed a endian swap bug causing problems with <a |
|
href="https://man.openbsd.org/vlan.4">vlans(4)</a> on <a |
|
href="https://man.openbsd.org/em.4">em(4)</a> sparc64 systems. |
|
<li>Denied "pipex no" tunnel setting for <a |
|
href="https://man.openbsd.org/pppx.4">pppx(4)</a> interfaces. |
|
<li>Fixed a panic in <a |
|
href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there are |
|
no data ready for bulk transfer. |
|
<li>Turned off TCP Segmentation Offload (TSO) if interface is added |
|
to layer 2 devices. |
|
<li>Improved <a href="https://man.openbsd.org/vnet.4">vnet(4)</a> |
|
to work better in busy conditions. |
|
<li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout |
|
(BIOCSWTIMEOUT) between capturing a packet and making the buffer |
|
readable, preventing for example <a |
|
href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every |
|
half second even if there is nothing to read. By default this buffer |
|
is infinite and must be filled to become readable. |
|
<li>Avoided enabling TSO on interfaces which are already attached to a bridge. |
|
|
|
</ul> |
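Review bot: the stoeplitz entry needs capitalisation work and two TSO items look like duplicates. The sentences beginning "stoeplitz is also used by the tcp stack" and "using the same algorithm throughout the stack" need capitals, "tcp" should be "TCP", "nics" should be "NICs", and "pf" should be written as pf(4) on first use as it is in the preceding sentence. "Turned off TCP Segmentation Offload (TSO) if interface is added to layer 2 devices." and "Avoided enabling TSO on interfaces which are already attached to a bridge." describe the two directions of the same rule; consider merging them into one item. Also, "Fixed a endian swap bug" should be "an endian swap bug", the link text "vlans(4)" should match the manual name "vlan(4)", and in the bpf(4) item the sentence "By default this buffer is infinite and must be filled to become readable." reads as if the buffer were unbounded; if the intended meaning is that the new timeout defaults to infinite so the buffer only becomes readable once it is full, say so explicitly.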
|
|
<li>Routing daemons and other userland network improvements: |
<li>Routing daemons and other userland network improvements: |
<ul> |
<ul> |
<li>IPsec support was improved: |
<li>IPsec support was improved: |
<ul> |
<ul> |
<li>... |
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> |
|
support for configuring multiple name servers. |
|
<li>Synced proc.c from <a |
|
href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a |
|
href="https://man.openbsd.org/iked.8">iked(8)</a> to enabled fork + |
|
exec for all processes. This gives each process a fresh and unique |
|
address space to further improve randomization of ASLR and stack |
|
protector. |
</ul> |
</ul> |
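Review bot: "to enabled fork + exec for all processes" in the iked(8) proc.c item should be "to enable fork + exec for all processes".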
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, |
|
<ul> |
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, <a |
<li>... |
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a |
|
href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>: |
|
<ul> |
|
<li>Improved performance by optimising the output filters |
|
<li>Add Autonomous System Provider Authorization (ASPA) validaton |
|
based on draft-ietf-sidrops-aspa-verification-12 |
|
<li>Introduce avs (ASPA validation state) filter and bgpctl |
|
filter argument |
|
<li>Add ASPA support for the RTR protocol based on |
|
draft-ietf-sidrops-8210bis-10 |
|
<li>Improve open policy (RFC 9234) support and enable the capability |
|
automatically if a role is specified for the peer |
|
<li>Introduce a per neighbor 'role' configuration option to specify |
|
the session role used by ASPA verification and the open policy |
|
capability. The 'announce policy' statement was simplified at |
|
the same time. |
|
<li>Improve startup behaviour by introducing a small delay before |
|
opening the connection to a new peer |
|
<li>Support for aspa-set table config which can be provided by |
|
<a |
|
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> |
|
<li>Make it possible to filter the RIB by invalid and leaked prefixes |
|
in bgpctl and bgplgd |
|
<li>Add OpenMetrics output to bgpctl for various BGP statistics and |
|
add /metrics endpoint to bgplgd |
|
<li>Fix of incorrect length checks that allowed an out-of-bounds |
|
read in bgpd. |
</ul> |
</ul> |
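Review bot: the restructured heading for this list is hard to follow in the diff: the old line "In bgpd(8)," with its ul opener sits next to the new "In bgpd(8), bgpctl(8) and bgplgd(8):" with its own ul opener, so verify that exactly one list is opened in the committed file. Within the list, "validaton" should be "validation", and the items switch between imperative ("Add", "Introduce", "Improve", "Make") and the past tense used everywhere else on the page ("Improved performance"); the final item, "Fix of incorrect length checks that allowed an out-of-bounds read in bgpd.", is also the only one with a trailing period. Since that item is a memory-safety fix, naming the code path the checks guard (if it can be stated) would help operators judge their exposure.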
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes: |
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes: |
<ul> |
<ul> |
<li>... |
<li>Add a new '-H' command line option to create a shortlist of |
|
repositories to synchronize to. For example, when invoking |
|
"rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility |
|
will not connect to any other hosts other than the two specified |
|
through the -H option. |
|
<li>Add support for validating Geofeed (RFC 9092) authenticators. To |
|
see an example download https://sobornost.net/geofeed.csv and run |
|
"rpki-client -f geofeed.csv" |
|
<li>Add support for validating Trust Anchor Key (TAK) objects. TAK |
|
objects can be used to produce new Trust Anchor Locators (TALs) signed |
|
by and verified against the previous Trust Anchor. See |
|
draft-ietf-sidrops-signed-tal for the full specification. |
|
<li>Log lines related to RRDP/HTTPS connection problems now include the |
|
IP address of the problematic endpoint (in brackets). |
|
<li>Improve the error message when an invalid filename is encountered |
|
in the rpkiManifest field in the Subject Access Information (SIA) |
|
extension. |
|
<li>Emit a warning when unexpected X.509 extensions are encountered. |
|
<li>Restrict the ROA ipAddrBlocks field to only allow two |
|
ROAIPAddressFamily structures (one per address family). See |
|
draft-ietf-sidrops-rfc6482bis. |
|
<li>Check the absence of the Path Length constraint in the Basic |
|
Constraints extension. |
|
<li>Restrict the SIA extension to only allow the signedObject and |
|
rpkiNotify accessMethods. |
|
<li>Check that the Signed Object access method is present in ROA, MFT, |
|
ASPA, TAK, and GBR End-Entity certificates. |
|
<li>In addition to the 'rsync://' scheme, also permit other schemes |
|
(such as 'https://') in the SIA signedObject access method. |
|
<li>Check that the KeyUsage extension is set to nothing but |
|
digitalSignature on End-Entity certificates. |
|
<li>Chect that the KeyUsage extension is set to nothing but keyCertSign |
|
and CRLSign on CA certificates. |
|
<li>Check that the ExtendedKeyUsage extension is absent on CA |
|
certificates. |
|
<li>Fix a bug in the handling of the port of http_proxy. |
|
<li>The '-r' command line option has been deprecated. |
|
<li>Filemode (-f) output is now presented as a text based table. |
|
<li>The 'expires' key in the JSON/CSV/OpenBGPD output formats is now |
|
calculated with more accuracy. The calculation takes into account the |
|
nextUpdate value of all intermediate CRLs in the signature path |
|
towards the trust anchor, in addition to the expiry moment of the |
|
leaf-CRL and CAs. |
|
<li>Handling of CRLs and Manifests in the face of inconsistent RRDP delta |
|
publications has been improved. A copy of an alternative version of |
|
the applicable CRL is kept in the staging area of the cache directory, |
|
in order to increase the potential for establishing a complete |
|
publication point, in cases where a single publication point update |
|
was smeared across multiple RRDP delta files. |
|
<li>The OpenBGPD configuration output now includes validated Autonomous |
|
System Provider Authorization (ASPA) payloads as an 'aspa-set {}' |
|
configuration block. |
|
<li>When rpki-client is invoked with increased verbosity ('-v'), the |
|
current RRDP Serial & Session ID are shown to aid debugging. |
|
<li>Self-signed X.509 certificates (such as Trust Anchor certificates) |
|
now are considered invalid if they contain an X.509 |
|
AuthorityInfoAccess extension. |
|
<li>Signed Objects where the CMS signing-time attribute contains a |
|
timestamp later then the X.509 certificate's notAfter timestamp are |
|
considered invalid. |
|
<li>Manifests where the CMS signing-time attribute contains a timestamp |
|
later then the Manifest eContent nextUpdate timestamp are considered |
|
invalid. |
|
<li>Any objects whose CRL Distribution Points extension contains a |
|
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are |
|
considered invalid in accordance with RFC 6487 section 4.8.6. |
|
<li>For every X.509 certificate the SHA-1 of the Subject Public Key is |
|
calculated and compared to the Subject Key Identifier (SKI), if a |
|
mismatch is found the certificate is not trusted. |
|
<li>Require the outside-TBS signature OID for every X.509 intermediate |
|
CA certificate and CRL to be sha256WithRSAEncryption. |
|
<li>Require the RSA key pair modulus and public exponent parameters to |
|
strictly conform to the RFC 7935 profile. |
|
<li>Ensure there is no trailing garbage present in Signed Objects beyond |
|
the self-embedded length field. |
|
<li>Require RRDP Session IDs to strictly be version 4 UUIDs. |
|
<li>When decoding and validating an individual RPKI file using filemode |
|
(rpki-client -f file), display the signature path towards the trust |
|
anchor, and the timestamp when the signature path will expire. |
|
<li>When decoding and validating an individual RPKI file using filemode |
|
(rpki-client -f file), display the optional CMS signing-time, and |
|
non-optional X.509 notBefore, and X.509 notAfter timestamps. |
</ul> |
</ul> |
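Review bot: a few typos and one imprecise description in the rpki-client(8) list. "Chect that the KeyUsage extension" should be "Check"; "a timestamp later then the X.509 certificate's notAfter" and "later then the Manifest eContent nextUpdate" should be "later than"; and "Subject Access Information (SIA)" should be "Subject Information Access (SIA)", the RFC 5280 name. The SKI item, "the SHA-1 of the Subject Public Key is calculated and compared to the Subject Key Identifier (SKI), if a mismatch is found the certificate is not trusted", is a comma splice and leaves the hash input vague: RFC 6487 section 4.8.2 defines the key identifier as the SHA-1 hash of the value of the DER-encoded subjectPublicKey BIT STRING (excluding tag, length and the unused-bits octet), so stating that and splitting the sentence after "(SKI)" makes the check reproducible. Also, "will not connect to any other hosts other than the two specified" in the -H item is doubled; "to any hosts other than" suffices.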
|
|
<li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>, |
<li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>, |
|
|
</ul> |
</ul> |
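Review bot: the entry "In snmpd(8)," is followed by nothing but closing ul tags, so it renders as an empty bullet; either fill in the snmpd(8) changes or remove the entry.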
|
|
<li>... |
<li>... |
|
<!-- smtpd --> |
|
<li>Prevented <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> |
|
abort due to a connection from a local, scoped ipv6 address. |
|
<li>Fixed a potential NULL dereference in the unpriv child expanding |
|
%{mda} in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>. |
|
|
|
<li>Corrected the order of arguments for calls to <a |
|
href="https://man.openbsd.org/shutdown.2">shutdown(2)</a> on the route |
|
socket of <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, <a |
|
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a |
|
href="https://man.openbsd.org/unwind.8">unwind(8)</a>. |
|
<li>Made <a href="https://man.openbsd.org/route.8">route(8)</a> |
|
sourceaddr print the used addresses for inet and inet6, or "default" |
|
if no sourceaddr is set and the default algorithm is used. |
|
<li>Added -mpls option to the route(8) monitor command. It can be |
|
used to restrict displayed route messages to the mpls address family. |
|
<li>Fixed <a href="https://man.openbsd.org/openrsync.1">rsync(1)</a> |
|
handling of port numbers in rsync://host[:port]/module URLS. |
|
<li>Made <a href="https://man.openbsd.org/tcpdrop.8">tcpdrop(8)</a> |
|
accept netstat-style address.port syntax. |
|
<li>Ensured <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> |
|
correctly adds addresses to the undefined/inactive table. |
|
|
</ul> |
</ul> |
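Review bot: link text and spelling in the remaining network userland items. The openrsync entry reads "Fixed rsync(1) handling of port numbers in rsync://host[:port]/module URLS" but links to openrsync.1, so the visible name should be "openrsync(1)", and "URLS" should be "URLs". The "-mpls" item ("Added -mpls option to the route(8) monitor command.") leaves route(8) unlinked while the item directly above links it; link it here too.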
|
|
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes: |
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes: |
<ul> |
<ul> |
<li>... |
<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> tty-keys accept \007 as terminator to OSC 10 or 11. |
|
<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside. |
|
<li>Supported -1 without -N for list-keys in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>. |
|
<li>Added a flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-menu to select the menu item chosen first. |
|
<li>Added Backtab key support to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> |
|
<li>Disallowed multiple consecutive line separators in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> menu. |
|
<li>Extended display-message to work for control clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>. |
|
<li>Added -f to list-clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>. |
|
<li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> L modifier like P, W, S to loop over clients. |
</ul> |
</ul> |
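Review bot: "Added Backtab key support to tmux(1)" is missing its trailing period, and "recognize pasted texts wrapped in bracket paste sequences" should be "pasted text".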
|
|
<li>LibreSSL version 3.7.2 |
<li>LibreSSL version 3.7.2 |
|
|
</ul> |
</ul> |
</ul> |
</ul> |
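Review bot: "LibreSSL version 3.7.2" has no trailing period while the new "OpenSSH 9.3." line does; pick one style for the version entries. The "XXX.YYY" placeholder being replaced here is the right fix, but the four closing ul tags that follow the LibreSSL line are worth double-checking against the list nesting, since the LibreSSL entry carries no sub-list of its own in the visible diff.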
|
|
<li>OpenSSH XXX.YYY |
<li>OpenSSH 9.3. |
<ul> |
<ul> |
<li>Security |
<li>Security |
<ul> |
<ul> |