===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v
retrieving revision 1.12
retrieving revision 1.13
diff -c -r1.12 -r1.13
*** www/73.html 2023/04/02 14:58:45 1.12
--- www/73.html 2023/04/03 00:00:12 1.13
***************
*** 83,94 ****
Various kernel improvements:
SMP Improvements
Direct Rendering Manager and graphics drivers
--- 83,135 ----
Various kernel improvements:
!
! - Removed copystr(9) from public API.
!
!
- Made the USB ports work after a suspend/resume cycle on the x13s.
!
- Set the arm64 default for the machdep.lidaction sysctl(8) to 1, making the
! system suspend when the lid is closed. aplsmc(4) provides support
! for the lid position sensor.
!
!
- Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious
! wakeups while other CPUs are still active.
!
- Added cursor back tab support to wscons(4) VT100
! emulation.
Added aixterm bright color sequences (SGR 90-97 and
! 100-107).
! - Added missing wscons(4) bounds checks
! when processing terminal escape sequences.
!
- Replaced broken UTF-8 logic in wscons(4) with a better
! one borrowed from Citrus.
!
- Added new dt(4) ioctl
! DTIOCARGS to get the type of probe arguments.
!
- Added a priority queue to clockintr(9).
!
SMP Improvements
Direct Rendering Manager and graphics drivers
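Review bot: the line "Added aixterm bright color sequences (SGR 90-97 and 100-107)." has no leading "- ", so it renders as a continuation of the cursor back tab entry instead of its own item; give it its own bullet, or merge it into the back-tab sentence deliberately. Consider also cross-referencing "Added missing wscons(4) bounds checks when processing terminal escape sequences." from the Security improvements section, since a bounds-check fix in escape sequence parsing is what readers of that section look for.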
***************
*** 100,171 ****
Ryzen 7045 series "Dragon Range",
Radeon RX 7900 XT/XTX "Navi 31",
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33"
! ...
VMM/VMD improvements
Various new userland features:
Various bugfixes and tweaks in userland:
Improved hardware support and driver bugfixes, including:
New or improved network hardware support:
Added or improved wireless network drivers:
IEEE 802.11 wireless stack improvements and bugfixes:
Installer, upgrade and bootloader improvements:
Security improvements:
Changes in the network stack:
Routing daemons and other userland network improvements:
- IPsec support was improved:
!
- In bgpd(8),
!
- rpki-client(8) saw some changes:
- In snmpd(8),
--- 141,661 ----
Ryzen 7045 series "Dragon Range",
Radeon RX 7900 XT/XTX "Navi 31",
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33"
!
!
!
- Fixed frame buffer corruption and additional bugs after wakeup
! on Apple Silicon laptops and the Lenovo x13s.
!
- Matched unknown ATI display devices as amdgpu in fw_update(8).
!
- Fixed amdgpu(4)
! failing to init on Steam Deck after drm 6.1 update.
!
VMM/VMD improvements
!
! - Implemented zero-copy operations on virtqueues in vmd(8).
!
!
- Provided a detailed e820 memory map when booting vmd(8) guests with SeaBIOS.
! When a vm initializes memory ranges, we now track what each range
! represents. This information can be used to supply the e820 memory map
! to SeaBIOS via the fw_cfg interface allowing it to properly
! communicate memory ranges to a guest operating system. With this
! special cases in ports can be removed.
!
!
- Added thread names to vm processes in vmd(8), visible in ps(1).
!
- Hid the WAITPKG cpu feature from vmm(4) guests, preventing
! invalid instruction exceptions. Also added WAITPKG feature
! identification to i386 and amd64.
!
!
- Changed vmd(8) to
! only open /dev/vmm once, having the parent process send the fd to the
! vmm child process.
!
- Restricted vmm(4) exposed cpuid extended feature flags.
!
- Adjusted vmd(8) error paths to avoid removal of configuration-defined (known) VMs on error.
!
- Stopped being paranoid about hypervisor correct PKU handling.
! Added saving and restoring guest PKRU to vmm(4). Expose the PKU cpuid
! bit to the guest if in use on the host.
! - Made vmd(8) scan the pci bus to determine bootorder strings.
Various new userland features:
!
! - Added lastcomm(1) reporting
! for process kills due to execve(2) from non-pinned
! syscall address
!
Various bugfixes and tweaks in userland:
!
! - Added support for a personal units(1) library by passing
! -f multiple times.
!
!
- Made rc(8) reorder
! libraries in parallel to netstart(8), as this
! does not depend on network access.
!
!
- Implemented periodic display in iostat(8).
!
!
- Changed df(1) to
! round up fractional percentages.
!
!
- Added the audioctl(8) -w option to
! display variables periodically.
!
- Added short options for timeout(1) --foreground
! and --preserve-status.
! Added signal as a full argument name for timeout(1) -s.
!
! - Fixed .wav files generated by aucat(1) by using extended
! header format.
!
- In disklabel(8), use the
! size of the largest chunk of free space, not the total of all such
! chunks, when checking for sufficient space to add a partition.
!
- Fixed unbounded variable expansion in pkg-config(1).
!
- Switched to use llvm-strip(1) on
! architectures that use ld.lld(1).
!
- Extended disklabel(8) template
! parsing to allow "[mount point] *" as the specification for putting
! the maximum available free space into a partition, and extended
! command line parsing to allow "T-" as the specification to read the
! template from stdin.
!
- Fixed a number of out of bounds reads in DNS response parsing.
!
Improved hardware support and driver bugfixes, including:
!
! - Enabled pcagpio(4) and pcamux(4), making the SFP
! port on the ClearFog Base (CN9130) work.
!
!
- Added uftdi(4) support for FTDI FT232R.
!
!
- Hooked up the same USB device drivers on riscv64 as done in the
! arm64 architecture kernel.
Enabled access to usb(4), ugen(4), ulpt(4), ucom(4) and ujoy(4).
!
! - Enabled aplpcie(4) power
! management for PCI devices.
!
- Adopted a workaround for a bug in the ARM generic timer on the
! A64, disabling userland timecounter support on affected hardware
! pending a similar libc workaround.
!
- Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS).
!
- Implemented access to EFI variables ESRT through an ioctl(2) interface
! compatible with what FreeBSD and NetBSD have.
! Created /dev/efi on amd64 and arm64.
! - Added dwge(4) support
! for "enhanced descriptor" mode found on some variants of the Synopsys
! DesignWare GMAC.
!
- Removed the elansc(4)
! driver for AMD Elan SC520 System Controller.
!
- Made ppb(4) bus
! range available after detaching, fixing unplugging and replugging
! thunderbolt devices that were plugged in when the machine was booted.
!
- Improved qcrtc(4) RTC reliability.
!
- Reworked the arm64 architecture cpu_init_secondary() function to
! allow use for both initial powerup and wakeup from deeper sleep
! states.
!
- Added ufshci(4),
! a driver for Universal Flash Storage (UFS) Host Controllers.
!
- Set sncodec(4)
! and tascodec(4)
! default volume to -30dB instead of the hardware default of 0dB
! (maximum).
!
- Added sncodec(4), a driver for
! the TI SNO12776/TAS2764 digital amplifier.
!
- Added scmi(4), a
! driver for the ARM System Control and Management Interface.
!
- Added support for the Shenzhen Tangcheng Technology TCS4525
! voltage regulator to fanpwr(4).
!
- Added psci(4) (ARM
! Power State Coordination Interface) support for available deep idle
! states as advertised in device trees.
!
- Attached Apollo Lake HD Audio device to azalia(4), enabling audio.
!
- In rkgpio(4),
! handled different register layouts in modern Rockchip SoCs as seen in
! the RK356x and RK3588.
!
- Added support for RK356x TSADC clocks to rkclock(4).
!
- Added GMAC-related RK356x clocks to rkclock(4).
!
- Added RK3588 support to rkclock(4) and rkpinctrl(4).
!
- Switched sparc64 to clockintr(9).
!
- Switched arm amptimer(4) and agtimer(4/armv7) to
! clockintr(9).
!
- Switched armv7 dmtimer(4) and sxitimer(4) to clockintr(9).
!
- Switched armv7 gptimer(4) to clockintr(9).
!
- Added a kernel-facing API for clockintr(9).
!
- Added mvortc(4),
! a driver for the RTC on the ARMADA 38x series.
!
- Added mvodog(4),
! a driver for the watchdog on the ARMADA 38x series.
!
- Added eephy(4),
! found on the Turris Omnia WAN port, to armv7.
!
- Added polling to tipmic(4) driver when
! starting from a cold boot, fixing a hang on boot.
!
- Implemented rkpinctrl(4) support
! for explicit routing to use alternative pin muxings.
!
- Added ytphy(4), a
! driver for the MotorComm YT8511 PHY.
!
- Made rktemp(4)
! work on RK356x with U-Boot.
!
- Added initialization code for RK356x in dwpcie(4) to prevent
! kernel hangs.
!
- Added a workaround for Intel Braswell/Cherry Trail mwait hang.
!
- Implemented setting the parent clock for RK356x in rkclock(4).
!
- Added dwpcie(4)
! code to bring up the PCIe controller on the RK356x.
!
- Added rkpciephy(4), a driver
! for the PCIe 3.0 PHY found on the RK356x.
!
- Added rkcomphy(4), a driver
! for the "naneng" combo PHY found on the RK356x (and RK3588). Only
! PCIe, SATA and USB3 support are implemented.
!
- Added the Armada 380 temperature sensor to mvtemp(4) and enabled the
! driver on armv7.
New or improved network hardware support:
! - Add dwqe(4), a
! driver for the Synopsis DesignWare Ethernet QoS controller used on the
! NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake.
!
- Worked around an issue on the StarFive JH7100 SoC to make dwge(4) ethernet work
! reliably on the StarFive VisionFive 1 board.
!
- In mvneta(4),
! passed MII flags depending on the phy mode specified in the device
! tree, making the WAN port work on the Turris Omnia.
Added or improved wireless network drivers:
! - Fixed bwfm(4) issues with suspend/resume and possible firmware crashes on the M2 Macbook Air.
!
!
!
- Fixed a crash in iwx(4) when connecting to WEP networks via ifconfig(8) join.
!
- Fixed an alignment issue in iwx(4) Rx descriptors.
!
- Avoided trying to remove keys while doing crypto in hardware if the station is not active in iwx(4) firmware, fixing a firmware panic.
!
- Prevented potential panics by disallowing the iwx(4) init task from running in parallel to wakeup code during resume.
!
- Switched all iwx(4) devices to -77 firmware images.
!
- Made iwx(4) get the primary channel number from AP beacon info, preventing problems on 40/80Mhz channels if there is a mismatch.
!
- Fixed iwx(4) session protection event duration.
!
- Added support for the new iwx(4) SCD_QUEUE_CONFIG command, required for adding/removing Tx queues on new firmware versions.
!
- Added support for the iwx(4) BAID allocation config command, required to set up Rx aggregation on new firmware.
!
- Added support for iwx(4) RLC config command, IWX_STA_MAC_DATA_API_S_VER_2 API, and PHY context cmd version 4.
!
- Added support for iwx(4) rate_n_flags API version 2 and removed fixed Tx rate support.
!
- Added support for iwx(4) TLC config command v4.
!
- Added support for iwx(4) firmware alive response version 6.
IEEE 802.11 wireless stack improvements and bugfixes:
!
! - Made net80211 drop beacons received on secondary HT/VHT
! channels, preventing iwm(4) firmware panics and
! making association work with 11ac APs which transmit beacons on
! channels other than their primary.
!
- Made WEP encryption work on bwfm(4).
Installer, upgrade and bootloader improvements:
! - In the installer, "!" now drops into a ksh(1) environment rather
! than the more limited sh(1).
!
- Made the installer skip interface configuration questions when no interfaces are available.
!
- Made it possible to set keyboard layout(s) in arm64's installer.
!
- Fixed resizing partitions on an auto-allocated disk that had a boot partition.
!
- Stopped the installer from asking to initialize disks that have
! softraid(4) chunks.
!
- Made efiboot fdt support device trees with NOPs in them (like the kernel version).
!
- Improved the default choice for the installer's install media
! disk question to show the first disk (a) not the root disk and (b) not
! a disk with softraid chunks (hosting the root disk, for example).
!
- Stopped offering WEP in the installer if not supported.
!
- Added initial support in the installer for guided disk
! encryption for amd64, i386, riscv64 and sparc64.
!
!
!
- Switched luna88k boot loader to MI boot code.
!
- Made ls(1) work
! correctly in the luna88k bootloader.
!
- Made time(1) work
! correctly in the luna88k bootloader.
!
- Removed dangerous user-settable "addr" variable from MI
! bootloader, only compiling tty-related code on platforms where it
! makes sense for the bootloader to control it.
!
- Added "machine poweroff" command on luna88k bootloader.
!
- Switched alpha to machine-independent boot blocks.
!
- Switched loongson ramdisk to use installboot(8) -p.
!
Security improvements:
! - Add Synthetic Memory Protections. These provide
!
! - Immutable memory mappings whose permissions and size cannot be
! changed anymore. A new system call mimmutable(2) enables
! this feature.
!
- Execute-Only permission on memory mappings. This uses hardware
! support where possible and emulation where the hardware does not have
! seperate execute only features.
!
- Stack permission on mappings: On every system call the stack
! pointer is checked. It must point to a mapping that has MAP_STACK
! permissions.
!
- Pinning of syscall entry to a unique specific memory regions from
! which system calls can be made.
!
! The execute-only mappings are active on arm64, risc-v, hppa,
! aarch64, mips64, sparc64, amd64, mips, and power-pc platforms.
!
!
! - Implemented a --executable-only option in ld.bfd(1).
!
!
- Added execve(2)
! violations of pinsyscall(2) policy
! to the daily mail, available by setting rc.conf.local(5)
! accounting=YES.
!
- Added retguard to amd64 syscalls.
!
!
- Randomly relink and install sshd(8) on boot, resulting
! in a sshd with unknown address layout after every reboot.
!
!
- Add another mitigation against classic BROP on systems without
! execute-only mmu hardware-enforcement. A range-checking wrapper in
! front of copyin() and copyinstr() ensures the userland source address
! doesn't overlap the main program text and other text segments, thereby
! making this address ranges unreadable to the kernel. No programs have
! been discovered which require reading their own text segments with a
! system call.
Changes in the network stack:
+ - Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
+ hash/flowid for pf(4) state
+ keys. With this change, pf will hash traffic the same way that
+ hardware using a stoeplitz key will hash incoming traffic on rings.
+ stoeplitz is also used by the tcp stack to generate a flow id, which
+ is used to pick which transmit ring is used on nics with multiple
+ queues too. using the same algorithm throughout the stack encourages
+ affinity of packets to rings and softnet threads the whole way
+ through.
+
+
- Prevented possible kernel crashes by dropping TCP packets with
+ destination port 0 in pf(4)
+ and the stack.
+
+
- Fixed a endian swap bug causing problems with vlans(4) on em(4) sparc64 systems.
+
- Denied "pipex no" tunnel setting for pppx(4) interfaces.
+
- Fixed a panic in pfsync(4) when there are
+ no data ready for bulk transfer.
+
- Turned off TCP Segmentation Offload (TSO) if interface is added
+ to layer 2 devices.
+
- Improved vnet(4)
+ to work better in busy conditions.
+
- Added a bpf(4) timeout
+ (BIOCSWTIMEOUT) between capturing a packet and making the buffer
+ readable, preventing for example pflogd(8) waking every
+ half second even if there is nothing to read. By default this buffer
+ is infinite and must be filled to become readable.
+
- Avoided enabling TSO on interfaces which are already attached to a bridge.
+
+
+
Routing daemons and other userland network improvements:
- IPsec support was improved:
! - Added iked(8)
! support for configuring multiple name servers.
!
- Synced proc.c from vmd(8) to iked(8) to enabled fork +
! exec for all processes. This gives each process a fresh and unique
! address space to further improve randomization of ASLR and stack
! protector.
!
! - In bgpd(8), bgpctl(8) and bgplgd(8):
!
! - Improved performance by optimising the output filters
!
- Add Autonomous System Provider Authorization (ASPA) validaton
! based on draft-ietf-sidrops-aspa-verification-12
!
- Introduce avs (ASPA validation state) filter and bgpctl
! filter argument
!
- Add ASPA support for the RTR protocol based on
! draft-ietf-sidrops-8210bis-10
!
- Improve open policy (RFC 9234) support and enable the capability
! automatically if a role is specified for the peer
!
- Introduce a per neighbor 'role' configuration option to specify
! the session role used by ASPA verification and the open policy
! capability. The 'announce policy' statement was simplified at
! the same time.
!
- Improve startup behaviour by introducing a small delay before
! opening the connection to a new peer
!
- Support for aspa-set table config which can be provided by
! rpki-client(8)
!
- Make it possible to filter the RIB by invalid and leaked prefixes
! in bgpctl and bgplgd
!
- Add OpenMetrics output to bgpctl for various BGP statistics and
! add /metrics endpoint to bgplgd
!
- Fix of incorrect length checks that allowed an out-of-bounds
! read in bgpd.
- rpki-client(8) saw some changes:
! - Add a new '-H' command line option to create a shortlist of
! repositories to synchronize to. For example, when invoking
! "rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility
! will not connect to any other hosts other than the two specified
! through the -H option.
!
- Add support for validating Geofeed (RFC 9092) authenticators. To
! see an example download https://sobornost.net/geofeed.csv and run
! "rpki-client -f geofeed.csv"
!
- Add support for validating Trust Anchor Key (TAK) objects. TAK
! objects can be used to produce new Trust Anchor Locators (TALs) signed
! by and verified against the previous Trust Anchor. See
! draft-ietf-sidrops-signed-tal for the full specification.
!
- Log lines related to RRDP/HTTPS connection problems now include the
! IP address of the problematic endpoint (in brackets).
!
- Improve the error message when an invalid filename is encountered
! in the rpkiManifest field in the Subject Access Information (SIA)
! extension.
!
- Emit a warning when unexpected X.509 extensions are encountered.
!
- Restrict the ROA ipAddrBlocks field to only allow two
! ROAIPAddressFamily structures (one per address family). See
! draft-ietf-sidrops-rfc6482bis.
!
- Check the absence of the Path Length constraint in the Basic
! Constraints extension.
!
- Restrict the SIA extension to only allow the signedObject and
! rpkiNotify accessMethods.
!
- Check that the Signed Object access method is present in ROA, MFT,
! ASPA, TAK, and GBR End-Entity certificates.
!
- In addition to the 'rsync://' scheme, also permit other schemes
! (such as 'https://') in the SIA signedObject access method.
!
- Check that the KeyUsage extension is set to nothing but
! digitalSignature on End-Entity certificates.
!
- Chect that the KeyUsage extension is set to nothing but keyCertSign
! and CRLSign on CA certificates.
!
- Check that the ExtendedKeyUsage extension is absent on CA
! certificates.
!
- Fix a bug in the handling of the port of http_proxy.
!
- The '-r' command line option has been deprecated.
!
- Filemode (-f) output is now presented as a text based table.
!
- The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
! calculated with more accuracy. The calculation takes into account the
! nextUpdate value of all intermediate CRLs in the signature path
! towards the trust anchor, in addition to the expiry moment of the
! leaf-CRL and CAs.
!
- Handling of CRLs and Manifests in the face of inconsistent RRDP delta
! publications has been improved. A copy of an alternative version of
! the applicable CRL is kept in the staging area of the cache directory,
! in order to increase the potential for establishing a complete
! publication point, in cases where a single publication point update
! was smeared across multiple RRDP delta files.
!
- The OpenBGPD configuration output now includes validated Autonomous
! System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
! configuration block.
!
- When rpki-client is invoked with increased verbosity ('-v'), the
! current RRDP Serial & Session ID are shown to aid debugging.
!
- Self-signed X.509 certificates (such as Trust Anchor certificates)
! now are considered invalid if they contain an X.509
! AuthorityInfoAccess extension.
!
- Signed Objects where the CMS signing-time attribute contains a
! timestamp later then the X.509 certificate's notAfter timestamp are
! considered invalid.
!
- Manifests where the CMS signing-time attribute contains a timestamp
! later then the Manifest eContent nextUpdate timestamp are considered
! invalid.
!
- Any objects whose CRL Distribution Points extension contains a
! CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
! considered invalid in accordance with RFC 6487 section 4.8.6.
!
- For every X.509 certificate the SHA-1 of the Subject Public Key is
! calculated and compared to the Subject Key Identifier (SKI), if a
! mismatch is found the certificate is not trusted.
!
- Require the outside-TBS signature OID for every X.509 intermediate
! CA certificate and CRL to be sha256WithRSAEncryption.
!
- Require the RSA key pair modulus and public exponent parameters to
! strictly conform to the RFC 7935 profile.
!
- Ensure there is no trailing garbage present in Signed Objects beyond
! the self-embedded length field.
!
- Require RRDP Session IDs to strictly be version 4 UUIDs.
!
- When decoding and validating an individual RPKI file using filemode
! (rpki-client -f file), display the signature path towards the trust
! anchor, and the timestamp when the signature path will expire.
!
- When decoding and validating an individual RPKI file using filemode
! (rpki-client -f file), display the optional CMS signing-time, and
! non-optional X.509 notBefore, and X.509 notAfter timestamps.
- In snmpd(8),
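Review bot: in the Security improvements list, "Pinning of syscall entry to a unique specific memory regions from which system calls can be made." never names the system call, yet the later bullet "Added execve(2) violations of pinsyscall(2) policy to the daily mail" and the lastcomm(1) item in the userland section refer to pinsyscall(2) as if it had already been introduced; name pinsyscall(2) in the pinning bullet the same way mimmutable(2) is named in the immutable-mappings bullet, and fix "a unique specific memory regions" (singular versus plural). The execute-only platform list "arm64, risc-v, hppa, aarch64, mips64, sparc64, amd64, mips, and power-pc" names arm64 and aarch64 separately although they are the same architecture, and spells risc-v differently from the "riscv64" used in the installer section; use one name per platform. Remaining typos in the hunk: "seperate" (execute-only bullet), "making this address ranges unreadable" (copyin/copyinstr bullet), "validaton" (ASPA bullet), "Chect that the KeyUsage extension" (rpki-client), "later then" twice in the signing-time bullets, "Fixed a endian swap bug" and "vlans(4)" (should read "an endian" and "vlan(4)"), "to enabled fork + exec" (iked), "Synopsis DesignWare" in the dwqe(4) entry where the dwge(4) entry above spells it "Synopsys", "40/80Mhz" (MHz), and "With this special cases in ports can be removed." needs a comma after "this". Several new entries also open with "Add"/"Fix"/"Improve" while the rest of the page uses past tense ("Added", "Fixed").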
***************
*** 174,184 ****
...
tmux(1) improvements and bug fixes:
LibreSSL version 3.7.2
--- 664,705 ----
...
+
+ Prevented smtpd(8)
+ abort due to a connection from a local, scoped ipv6 address.
+ Fixed a potential NULL dereference in the unpriv child expanding
+ %{mda} in smtpd(8).
+
+ Corrected the order of arguments for calls to shutdown(2) on the route
+ socket of slaacd(8), dhcpleased(8) and unwind(8).
+ Made route(8)
+ sourceaddr print the used addresses for inet and inet6, or "default"
+ if no sourceaddr is set and the default algorithm is used.
+ Added -mpls option to the route(8) monitor command. It can be
+ used to restrict displayed route messages to the mpls address family.
+ Fixed rsync(1)
+ handling of port numbers in rsync://host[:port]/module URLS.
+ Made tcpdrop(8)
+ accept netstat-style address.port syntax.
+ Ensured pfctl(8)
+ correctly adds addresses to the undefined/inactive table.
+
tmux(1) improvements and bug fixes:
! - Made tmux(1) tty-keys accept \007 as terminator to OSC 10 or 11.
!
- Made tmux(1) recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside.
!
- Supported -1 without -N for list-keys in tmux(1).
!
- Added a flag to tmux(1) display-menu to select the menu item chosen first.
!
- Added Backtab key support to tmux(1)
!
- Disallowed multiple consecutive line separators in tmux(1) menu.
!
- Extended display-message to work for control clients in tmux(1).
!
- Added -f to list-clients in tmux(1).
!
- Added a tmux(1) L modifier like P, W, S to loop over clients.
LibreSSL version 3.7.2
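Review bot: the userland entries added between the "..." marker and the tmux heading (smtpd(8), shutdown(2) argument order, route(8) sourceaddr, route(8) -mpls, rsync(1), tcpdrop(8), pfctl(8)) carry no "- " bullet marker, unlike every other list on the page including the tmux list directly below; add the markers so they render as separate items rather than one run-on paragraph. Also "rsync://host[:port]/module URLS" should read "URLs", and "Added Backtab key support to tmux(1)" is missing its terminating period.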
***************
*** 273,279 ****
! OpenSSH XXX.YYY
! OpenSSH 9.3.
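Review bot: the old side of this hunk still carries the placeholder "OpenSSH XXX.YYY" next to "OpenSSH 9.3.", and the new side of the hunk is cut off here, so it is not visible whether the placeholder was replaced or merely reworded; confirm that no "XXX.YYY" string survives in the final page text.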