===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- www/73.html 2023/04/02 14:58:45 1.12
+++ www/73.html 2023/04/03 00:00:12 1.13
@@ -83,12 +83,53 @@
Various kernel improvements:
- - ...
+
+
- Removed copystr(9) from public API.
+
+
- Made the USB ports work after a suspend/resume cycle on the x13s.
+
- Set the arm64 default for the machdep.lidaction sysctl(8) to 1, making the
+ system suspend when the lid is closed. aplsmc(4) provides support
+ for the lid position sensor.
+
+
- Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious
+ wakeups while other CPUs are still active.
+
- Added cursor back tab support to wscons(4) VT100
+ emulation.
Added aixterm bright color sequences (SGR 90-97 and
+ 100-107).
+ - Added missing wscons(4) bounds checks
+ when processing terminal escape sequences.
+
- Replaced broken UTF-8 logic in wscons(4) with a better
+ one borrowed from Citrus.
+
- Added new dt(4) ioctl
+ DTIOCARGS to get the type of probe arguments.
+
- Added a priority queue to clockintr(9).
+
SMP Improvements
Direct Rendering Manager and graphics drivers
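Review bot: the wscons(4) bounds-check item ("- Added missing wscons(4) bounds checks" / "when processing terminal escape sequences.") is a memory-safety fix for input parsed from arbitrary program output and deserves a cross-reference from the Security improvements section, where readers scanning only that section would otherwise miss it. A smaller point in the same hunk: the line "Added aixterm bright color sequences (SGR 90-97 and" appears to lack the leading list marker that the surrounding items ("- Added cursor back tab support", "- Added missing wscons(4) bounds checks") carry, so it is unclear whether it is its own item or a continuation of the back-tab item; give it the same marker as its siblings if it is a separate change.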
@@ -100,72 +141,521 @@
Ryzen 7045 series "Dragon Range",
Radeon RX 7900 XT/XTX "Navi 31",
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33"
- ...
+
+
+ Fixed frame buffer corruption and additional bugs after wakeup
+ on Apple Silicon laptops and the Lenovo x13s.
+ Matched unknown ATI display devices as amdgpu in fw_update(8).
+ Fixed amdgpu(4)
+ failing to init on Steam Deck after drm 6.1 update.
+
VMM/VMD improvements
- - ...
+
+
- Implemented zero-copy operations on virtqueues in vmd(8).
+
+
- Provided a detailed e820 memory map when booting vmd(8) guests with SeaBIOS.
+ When a vm initializes memory ranges, we now track what each range
+ represents. This information can be used to supply the e820 memory map
+ to SeaBIOS via the fw_cfg interface allowing it to properly
+ communicate memory ranges to a guest operating system. With this
+ special cases in ports can be removed.
+
+
- Added thread names to vm processes in vmd(8), visible in ps(1).
+
- Hid the WAITPKG cpu feature from vmm(4) guests, preventing
+ invalid instruction exceptions. Also added WAITPKG feature
+ identification to i386 and amd64.
+
+
- Changed vmd(8) to
+ only open /dev/vmm once, having the parent process send the fd to the
+ vmm child process.
+
- Restricted vmm(4) exposed cpuid extended feature flags.
+
- Adjusted vmd(8) error paths to avoid removal of configuration-defined (known) VMs on error.
+
- Stopped being paranoid about hypervisor correct PKU handling.
+ Added saving and restoring guest PKRU to vmm(4). Expose the PKU cpuid
+ bit to the guest if in use on the host.
+ - Made vmd(8) scan the pci bus to determine bootorder strings.
Various new userland features:
- - ...
+
+
- Added lastcomm(1) reporting
+ for process kills due to execve(2) from non-pinned
+ syscall address
+
Various bugfixes and tweaks in userland:
- - ...
+
+
- Added support for a personal units(1) library by passing
+ -f multiple times.
+
+
- Made rc(8) reorder
+ libraries in parallel to netstart(8), as this
+ does not depend on network access.
+
+
- Implemented periodic display in iostat(8).
+
+
- Changed df(1) to
+ round up fractional percentages.
+
+
- Added the audioctl(8) -w option to
+ display variables periodically.
+
- Added short options for timeout(1) --foreground
+ and --preserve-status.
+ Added signal as a full argument name for timeout(1) -s.
+
+ - Fixed .wav files generated by aucat(1) by using extended
+ header format.
+
- In disklabel(8), use the
+ size of the largest chunk of free space, not the total of all such
+ chunks, when checking for sufficient space to add a partition.
+
- Fixed unbounded variable expansion in pkg-config(1).
+
- Switched to use llvm-strip(1) on
+ architectures that use ld.lld(1).
+
- Extended disklabel(8) template
+ parsing to allow "[mount point] *" as the specification for putting
+ the maximum available free space into a partition, and extended
+ command line parsing to allow "T-" as the specification to read the
+ template from stdin.
+
- Fixed a number of out of bounds reads in DNS response parsing.
+
Improved hardware support and driver bugfixes, including:
- - ...
+
+
- Enabled pcagpio(4) and pcamux(4), making the SFP
+ port on the ClearFog Base (CN9130) work.
+
+
- Added uftdi(4) support for FTDI FT232R.
+
+
- Hooked up the same USB device drivers on riscv64 as done in the
+ arm64 architecture kernel.
Enabled access to usb(4), ugen(4), ulpt(4), ucom(4) and ujoy(4).
+
+ - Enabled aplpcie(4) power
+ management for PCI devices.
+
- Adopted a workaround for a bug in the ARM generic timer on the
+ A64, disabling userland timecounter support on affected hardware
+ pending a similar libc workaround.
+
- Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS).
+
- Implemented access to EFI variables ESRT through an ioctl(2) interface
+ compatible with what FreeBSD and NetBSD have.
+ Created /dev/efi on amd64 and arm64.
+ - Added dwge(4) support
+ for "enhanced descriptor" mode found on some variants of the Synopsys
+ DesignWare GMAC.
+
- Removed the elansc(4)
+ driver for AMD Elan SC520 System Controller.
+
- Made ppb(4) bus
+ range available after detaching, fixing unplugging and replugging
+ thunderbolt devices that were plugged in when the machine was booted.
+
- Improved qcrtc(4) RTC reliability.
+
- Reworked the arm64 architecture cpu_init_secondary() function to
+ allow use for both initial powerup and wakeup from deeper sleep
+ states.
+
- Added ufshci(4),
+ a driver for Universal Flash Storage (UFS) Host Controllers.
+
- Set sncodec(4)
+ and tascodec(4)
+ default volume to -30dB instead of the hardware default of 0dB
+ (maximum).
+
- Added sncodec(4), a driver for
+ the TI SNO12776/TAS2764 digital amplifier.
+
- Added scmi(4), a
+ driver for the ARM System Control and Management Interface.
+
- Added support for the Shenzhen Tangcheng Technology TCS4525
+ voltage regulator to fanpwr(4).
+
- Added psci(4) (ARM
+ Power State Coordination Interface) support for available deep idle
+ states as advertised in device trees.
+
- Attached Apollo Lake HD Audio device to azalia(4), enabling audio.
+
- In rkgpio(4),
+ handled different register layouts in modern Rockchip SoCs as seen in
+ the RK356x and RK3588.
+
- Added support for RK356x TSADC clocks to rkclock(4).
+
- Added GMAC-related RK356x clocks to rkclock(4).
+
- Added RK3588 support to rkclock(4) and rkpinctrl(4).
+
- Switched sparc64 to clockintr(9).
+
- Switched arm amptimer(4) and agtimer(4/armv7) to
+ clockintr(9).
+
- Switched armv7 dmtimer(4) and sxitimer(4) to clockintr(9).
+
- Switched armv7 gptimer(4) to clockintr(9).
+
- Added a kernel-facing API for clockintr(9).
+
- Added mvortc(4),
+ a driver for the RTC on the ARMADA 38x series.
+
- Added mvodog(4),
+ a driver for the watchdog on the ARMADA 38x series.
+
- Added eephy(4),
+ found on the Turris Omnia WAN port, to armv7.
+
- Added polling to tipmic(4) driver when
+ starting from a cold boot, fixing a hang on boot.
+
- Implemented rkpinctrl(4) support
+ for explicit routing to use alternative pin muxings.
+
- Added ytphy(4), a
+ driver for the MotorComm YT8511 PHY.
+
- Made rktemp(4)
+ work on RK356x with U-Boot.
+
- Added initialization code for RK356x in dwpcie(4) to prevent
+ kernel hangs.
+
- Added a workaround for Intel Braswell/Cherry Trail mwait hang.
+
- Implemented setting the parent clock for RK356x in rkclock(4).
+
- Added dwpcie(4)
+ code to bring up the PCIe controller on the RK356x.
+
- Added rkpciephy(4), a driver
+ for the PCIe 3.0 PHY found on the RK356x.
+
- Added rkcomphy(4), a driver
+ for the "naneng" combo PHY found on the RK356x (and RK3588). Only
+ PCIe, SATA and USB3 support are implemented.
+
- Added the Armada 380 temperature sensor to mvtemp(4) and enabled the
+ driver on armv7.
New or improved network hardware support:
- - ...
+
- Add dwqe(4), a
+ driver for the Synopsis DesignWare Ethernet QoS controller used on the
+ NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake.
+
- Worked around an issue on the StarFive JH7100 SoC to make dwge(4) ethernet work
+ reliably on the StarFive VisionFive 1 board.
+
- In mvneta(4),
+ passed MII flags depending on the phy mode specified in the device
+ tree, making the WAN port work on the Turris Omnia.
Added or improved wireless network drivers:
- - ...
+
- Fixed bwfm(4) issues with suspend/resume and possible firmware crashes on the M2 Macbook Air.
+
+
+
- Fixed a crash in iwx(4) when connecting to WEP networks via ifconfig(8) join.
+
- Fixed an alignment issue in iwx(4) Rx descriptors.
+
- Avoided trying to remove keys while doing crypto in hardware if the station is not active in iwx(4) firmware, fixing a firmware panic.
+
- Prevented potential panics by disallowing the iwx(4) init task from running in parallel to wakeup code during resume.
+
- Switched all iwx(4) devices to -77 firmware images.
+
- Made iwx(4) get the primary channel number from AP beacon info, preventing problems on 40/80Mhz channels if there is a mismatch.
+
- Fixed iwx(4) session protection event duration.
+
- Added support for the new iwx(4) SCD_QUEUE_CONFIG command, required for adding/removing Tx queues on new firmware versions.
+
- Added support for the iwx(4) BAID allocation config command, required to set up Rx aggregation on new firmware.
+
- Added support for iwx(4) RLC config command, IWX_STA_MAC_DATA_API_S_VER_2 API, and PHY context cmd version 4.
+
- Added support for iwx(4) rate_n_flags API version 2 and removed fixed Tx rate support.
+
- Added support for iwx(4) TLC config command v4.
+
- Added support for iwx(4) firmware alive response version 6.
IEEE 802.11 wireless stack improvements and bugfixes:
- - ...
+
+
- Made net80211 drop beacons received on secondary HT/VHT
+ channels, preventing iwm(4) firmware panics and
+ making association work with 11ac APs which transmit beacons on
+ channels other than their primary.
+
- Made WEP encryption work on bwfm(4).
Installer, upgrade and bootloader improvements:
- - ...
+
- In the installer, "!" now drops into a ksh(1) environment rather
+ than the more limited sh(1).
+
- Made the installer skip interface configuration questions when no interfaces are available.
+
- Made it possible to set keyboard layout(s) in arm64's installer.
+
- Fixed resizing partitions on an auto-allocated disk that had a boot partition.
+
- Stopped the installer from asking to initialize disks that have
+ softraid(4) chunks.
+
- Made efiboot fdt support device trees with NOPs in them (like the kernel version).
+
- Improved the default choice for the installer's install media
+ disk question to show the first disk (a) not the root disk and (b) not
+ a disk with softraid chunks (hosting the root disk, for example).
+
- Stopped offering WEP in the installer if not supported.
+
- Added initial support in the installer for guided disk
+ encryption for amd64, i386, riscv64 and sparc64.
+
+
+
- Switched luna88k boot loader to MI boot code.
+
- Made ls(1) work
+ correctly in the luna88k bootloader.
+
- Made time(1) work
+ correctly in the luna88k bootloader.
+
- Removed dangerous user-settable "addr" variable from MI
+ bootloader, only compiling tty-related code on platforms where it
+ makes sense for the bootloader to control it.
+
- Added "machine poweroff" command on luna88k bootloader.
+
- Switched alpha to machine-independent boot blocks.
+
- Switched loongson ramdisk to use installboot(8) -p.
+
Security improvements:
- - ...
+
- Add Synthetic Memory Protections. These provide
+
+ - Immutable memory mappings whose permissions and size cannot be
+ changed anymore. A new system call mimmutable(2) enables
+ this feature.
+
- Execute-Only permission on memory mappings. This uses hardware
+ support where possible and emulation where the hardware does not have
+ seperate execute only features.
+
- Stack permission on mappings: On every system call the stack
+ pointer is checked. It must point to a mapping that has MAP_STACK
+ permissions.
+
- Pinning of syscall entry to a unique specific memory regions from
+ which system calls can be made.
+
+ The execute-only mappings are active on arm64, risc-v, hppa,
+ aarch64, mips64, sparc64, amd64, mips, and power-pc platforms.
+
+
+ - Implemented a --executable-only option in ld.bfd(1).
+
+
- Added execve(2)
+ violations of pinsyscall(2) policy
+ to the daily mail, available by setting rc.conf.local(5)
+ accounting=YES.
+
- Added retguard to amd64 syscalls.
+
+
- Randomly relink and install sshd(8) on boot, resulting
+ in a sshd with unknown address layout after every reboot.
+
+
- Add another mitigation against classic BROP on systems without
+ execute-only mmu hardware-enforcement. A range-checking wrapper in
+ front of copyin() and copyinstr() ensures the userland source address
+ doesn't overlap the main program text and other text segments, thereby
+ making this address ranges unreadable to the kernel. No programs have
+ been discovered which require reading their own text segments with a
+ system call.
Changes in the network stack:
+ Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
+ hash/flowid for pf(4) state
+ keys. With this change, pf will hash traffic the same way that
+ hardware using a stoeplitz key will hash incoming traffic on rings.
+ stoeplitz is also used by the tcp stack to generate a flow id, which
+ is used to pick which transmit ring is used on nics with multiple
+ queues too. using the same algorithm throughout the stack encourages
+ affinity of packets to rings and softnet threads the whole way
+ through.
+
+ Prevented possible kernel crashes by dropping TCP packets with
+ destination port 0 in pf(4)
+ and the stack.
+
+ Fixed a endian swap bug causing problems with vlans(4) on em(4) sparc64 systems.
+ Denied "pipex no" tunnel setting for pppx(4) interfaces.
+ Fixed a panic in pfsync(4) when there are
+ no data ready for bulk transfer.
+ Turned off TCP Segmentation Offload (TSO) if interface is added
+ to layer 2 devices.
+ Improved vnet(4)
+ to work better in busy conditions.
+ Added a bpf(4) timeout
+ (BIOCSWTIMEOUT) between capturing a packet and making the buffer
+ readable, preventing for example pflogd(8) waking every
+ half second even if there is nothing to read. By default this buffer
+ is infinite and must be filled to become readable.
+ Avoided enabling TSO on interfaces which are already attached to a bridge.
+
+
+
Routing daemons and other userland network improvements:
- IPsec support was improved:
- - ...
+
- Added iked(8)
+ support for configuring multiple name servers.
+
- Synced proc.c from vmd(8) to iked(8) to enabled fork +
+ exec for all processes. This gives each process a fresh and unique
+ address space to further improve randomization of ASLR and stack
+ protector.
- - In bgpd(8),
-
- - ...
+
+
- In bgpd(8), bgpctl(8) and bgplgd(8):
+
+ - Improved performance by optimising the output filters
+
- Add Autonomous System Provider Authorization (ASPA) validaton
+ based on draft-ietf-sidrops-aspa-verification-12
+
- Introduce avs (ASPA validation state) filter and bgpctl
+ filter argument
+
- Add ASPA support for the RTR protocol based on
+ draft-ietf-sidrops-8210bis-10
+
- Improve open policy (RFC 9234) support and enable the capability
+ automatically if a role is specified for the peer
+
- Introduce a per neighbor 'role' configuration option to specify
+ the session role used by ASPA verification and the open policy
+ capability. The 'announce policy' statement was simplified at
+ the same time.
+
- Improve startup behaviour by introducing a small delay before
+ opening the connection to a new peer
+
- Support for aspa-set table config which can be provided by
+ rpki-client(8)
+
- Make it possible to filter the RIB by invalid and leaked prefixes
+ in bgpctl and bgplgd
+
- Add OpenMetrics output to bgpctl for various BGP statistics and
+ add /metrics endpoint to bgplgd
+
- Fix of incorrect length checks that allowed an out-of-bounds
+ read in bgpd.
- rpki-client(8) saw some changes:
- - ...
+
- Add a new '-H' command line option to create a shortlist of
+ repositories to synchronize to. For example, when invoking
+ "rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility
+ will not connect to any other hosts other than the two specified
+ through the -H option.
+
- Add support for validating Geofeed (RFC 9092) authenticators. To
+ see an example download https://sobornost.net/geofeed.csv and run
+ "rpki-client -f geofeed.csv"
+
- Add support for validating Trust Anchor Key (TAK) objects. TAK
+ objects can be used to produce new Trust Anchor Locators (TALs) signed
+ by and verified against the previous Trust Anchor. See
+ draft-ietf-sidrops-signed-tal for the full specification.
+
- Log lines related to RRDP/HTTPS connection problems now include the
+ IP address of the problematic endpoint (in brackets).
+
- Improve the error message when an invalid filename is encountered
+ in the rpkiManifest field in the Subject Access Information (SIA)
+ extension.
+
- Emit a warning when unexpected X.509 extensions are encountered.
+
- Restrict the ROA ipAddrBlocks field to only allow two
+ ROAIPAddressFamily structures (one per address family). See
+ draft-ietf-sidrops-rfc6482bis.
+
- Check the absence of the Path Length constraint in the Basic
+ Constraints extension.
+
- Restrict the SIA extension to only allow the signedObject and
+ rpkiNotify accessMethods.
+
- Check that the Signed Object access method is present in ROA, MFT,
+ ASPA, TAK, and GBR End-Entity certificates.
+
- In addition to the 'rsync://' scheme, also permit other schemes
+ (such as 'https://') in the SIA signedObject access method.
+
- Check that the KeyUsage extension is set to nothing but
+ digitalSignature on End-Entity certificates.
+
- Chect that the KeyUsage extension is set to nothing but keyCertSign
+ and CRLSign on CA certificates.
+
- Check that the ExtendedKeyUsage extension is absent on CA
+ certificates.
+
- Fix a bug in the handling of the port of http_proxy.
+
- The '-r' command line option has been deprecated.
+
- Filemode (-f) output is now presented as a text based table.
+
- The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
+ calculated with more accuracy. The calculation takes into account the
+ nextUpdate value of all intermediate CRLs in the signature path
+ towards the trust anchor, in addition to the expiry moment of the
+ leaf-CRL and CAs.
+
- Handling of CRLs and Manifests in the face of inconsistent RRDP delta
+ publications has been improved. A copy of an alternative version of
+ the applicable CRL is kept in the staging area of the cache directory,
+ in order to increase the potential for establishing a complete
+ publication point, in cases where a single publication point update
+ was smeared across multiple RRDP delta files.
+
- The OpenBGPD configuration output now includes validated Autonomous
+ System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
+ configuration block.
+
- When rpki-client is invoked with increased verbosity ('-v'), the
+ current RRDP Serial & Session ID are shown to aid debugging.
+
- Self-signed X.509 certificates (such as Trust Anchor certificates)
+ now are considered invalid if they contain an X.509
+ AuthorityInfoAccess extension.
+
- Signed Objects where the CMS signing-time attribute contains a
+ timestamp later then the X.509 certificate's notAfter timestamp are
+ considered invalid.
+
- Manifests where the CMS signing-time attribute contains a timestamp
+ later then the Manifest eContent nextUpdate timestamp are considered
+ invalid.
+
- Any objects whose CRL Distribution Points extension contains a
+ CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
+ considered invalid in accordance with RFC 6487 section 4.8.6.
+
- For every X.509 certificate the SHA-1 of the Subject Public Key is
+ calculated and compared to the Subject Key Identifier (SKI), if a
+ mismatch is found the certificate is not trusted.
+
- Require the outside-TBS signature OID for every X.509 intermediate
+ CA certificate and CRL to be sha256WithRSAEncryption.
+
- Require the RSA key pair modulus and public exponent parameters to
+ strictly conform to the RFC 7935 profile.
+
- Ensure there is no trailing garbage present in Signed Objects beyond
+ the self-embedded length field.
+
- Require RRDP Session IDs to strictly be version 4 UUIDs.
+
- When decoding and validating an individual RPKI file using filemode
+ (rpki-client -f file), display the signature path towards the trust
+ anchor, and the timestamp when the signature path will expire.
+
- When decoding and validating an individual RPKI file using filemode
+ (rpki-client -f file), display the optional CMS signing-time, and
+ non-optional X.509 notBefore, and X.509 notAfter timestamps.
- In snmpd(8),
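Review bot: the execute-only platform list in the Security improvements block ("The execute-only mappings are active on arm64, risc-v, hppa," / "aarch64, mips64, sparc64, amd64, mips, and power-pc platforms.") names arm64 and aarch64 as two entries although they denote the same architecture, and "risc-v" and "power-pc" do not match the platform spellings used elsewhere in this hunk (the guided disk encryption item writes "riscv64"), so the list should be reduced to one entry per platform in the page's own naming. Spelling and grammar in the same hunk: "seperate" in the execute-only item, "validaton" in the bgpd ASPA item, "Chect" in the rpki-client CA KeyUsage item, "later then" in both rpki-client signing-time items, "a endian swap bug" in the vlan(4)/em(4) item, "Synopsis DesignWare" in the dwqe(4) item (the dwge(4) item spells it "Synopsys"), "to enabled fork + exec" in the iked(8) proc.c item, and "making this address ranges unreadable" in the BROP mitigation item all need correcting, and the stoeplitz paragraph starts two sentences in lowercase ("stoeplitz is also used", "using the same algorithm"). The bgpd and rpki-client sub-lists, the dwqe(4) item and the two "Add ..." security items use the imperative mood while the rest of the page uses the past tense ("Added ..."); either is fine, but the page should pick one. Finally, two memory-safety fixes sit outside the Security improvements section, the DNS response parsing out-of-bounds reads and the bgpd length-check fix that "allowed an out-of-bounds read"; a cross-reference from the security section would help readers who only scan that list.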
@@ -174,11 +664,42 @@
- ...
+
+
- Prevented smtpd(8)
+ abort due to a connection from a local, scoped ipv6 address.
+
- Fixed a potential NULL dereference in the unpriv child expanding
+ %{mda} in smtpd(8).
+
+
- Corrected the order of arguments for calls to shutdown(2) on the route
+ socket of slaacd(8), dhcpleased(8) and unwind(8).
+
- Made route(8)
+ sourceaddr print the used addresses for inet and inet6, or "default"
+ if no sourceaddr is set and the default algorithm is used.
+
- Added -mpls option to the route(8) monitor command. It can be
+ used to restrict displayed route messages to the mpls address family.
+
- Fixed rsync(1)
+ handling of port numbers in rsync://host[:port]/module URLS.
+
- Made tcpdrop(8)
+ accept netstat-style address.port syntax.
+
- Ensured pfctl(8)
+ correctly adds addresses to the undefined/inactive table.
+
tmux(1) improvements and bug fixes:
- - ...
+
- Made tmux(1) tty-keys accept \007 as terminator to OSC 10 or 11.
+
- Made tmux(1) recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside.
+
- Supported -1 without -N for list-keys in tmux(1).
+
- Added a flag to tmux(1) display-menu to select the menu item chosen first.
+
- Added Backtab key support to tmux(1)
+
- Disallowed multiple consecutive line separators in tmux(1) menu.
+
- Extended display-message to work for control clients in tmux(1).
+
- Added -f to list-clients in tmux(1).
+
- Added a tmux(1) L modifier like P, W, S to loop over clients.
LibreSSL version 3.7.2
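Review bot: "URLS" in the rsync(1) item ("handling of port numbers in rsync://host[:port]/module URLS.") should be "URLs", and the item "Added Backtab key support to tmux(1)" lacks the terminating period that every sibling item in the tmux(1) list carries.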
@@ -273,7 +794,7 @@
-OpenSSH XXX.YYY
+OpenSSH 9.3.
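Review bot: the replacement line "OpenSSH 9.3." ends with a period while the neighbouring entry "LibreSSL version 3.7.2" (visible as context in the previous hunk) does not, and the two entries also differ in whether the word "version" appears; align the two entries to one form.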