version 1.45, 2023/04/07 01:08:06 |
version 1.46, 2023/04/07 06:58:29 |
|
|
<ul> |
<ul> |
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a> |
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a> |
to Linux 6.1.15 |
to Linux 6.1.15 |
<li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>: |
<li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>: Added |
support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino", |
support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino", |
Ryzen 7045 series "Dragon Range", |
Ryzen 7045 series "Dragon Range", |
Radeon RX 7900 XT/XTX "Navi 31", |
Radeon RX 7900 XT/XTX "Navi 31", |
Radeon RX 7600M (XT), 7700S, 7600S "Navi 33" |
Radeon RX 7600M (XT), 7700S, and 7600S "Navi 33." |
<li>Fixed frame buffer corruption and additional bugs after wakeup |
<li>Fixed frame buffer corruption and additional bugs after wakeup |
on Apple Silicon laptops and the Lenovo x13s. |
on Apple Silicon laptops and the Lenovo x13s. |
<li>Added support for the backlight connector property to <a |
<li>Added support for the backlight connector property to <a |
|
|
href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting |
href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting |
for process kills due to <a |
for process kills due to <a |
href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned |
href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned |
syscall address |
syscall address. |
</ul> |
</ul> |
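Review bot: the amdgpu(4) entry (`<li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>`) links to drm.4 instead of the driver's own amdgpu.4 page, unlike the other driver entries on this page, which link to their own manual page (aplhidev.4, aplns.4). In the same item the new right-hand text ends the codename list with `"Navi 33."` (period inside the quotes) while the other codenames keep punctuation outside the quotes (`"Raphael",`); move the period outside for consistency.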
|
|
<li>Various bugfixes and tweaks in userland: |
<li>Various bugfixes and tweaks in userland: |
|
|
<li>Extended <a |
<li>Extended <a |
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template |
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template |
parsing to allow "[mount point] *" as the specification for putting |
parsing to allow "[mount point] *" as the specification for putting |
the maximum available free space into a partition, and extended |
the maximum available free space into a partition. Extended |
command line parsing to allow "T-" as the specification to read the |
command line parsing to allow "T-" as the specification to read the |
template from stdin. |
template from stdin. |
<li>Repaired <a |
<li>Repaired <a |
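Review bot: `"[mount point] *"` and `"T-"` in the disklabel(8) item are literal template and command-line syntax; elsewhere on this page such tokens are marked with `<code>` (`<code>-p</code>`, `<code>map</code>`), so wrapping them the same way instead of quoting them would be consistent.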
|
|
<!-- Apple --> |
<!-- Apple --> |
<li>Made <a |
<li>Made <a |
href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> recognize M1 |
href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> recognize M1 |
laptops with touchbars and Translated Fn+(1-10,-,=) keys to F1-F12 on |
laptops with touchbars and translated Fn+(1-10,-,=) keys to F1-F12 on |
these systems. |
these systems. |
<li>Added suspend/resume support to <a |
<li>Added suspend/resume support to <a |
href="https://man.openbsd.org/aplns.4">aplns(4)</a>. |
href="https://man.openbsd.org/aplns.4">aplns(4)</a>. |
|
|
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks. |
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks. |
<li>Made efiboot fdt support device trees with NOPs in them (like the kernel version). |
<li>Made efiboot fdt support device trees with NOPs in them (like the kernel version). |
<li>Improved the default choice for the installer's install media |
<li>Improved the default choice for the installer's install media |
disk question to show the first disk (a) not the root disk and (b) not |
disk question to show the first disk that (a) is not the root disk and (b) |
a disk with softraid chunks (hosting the root disk, for example). |
is not a disk with softraid chunks (hosting the root disk, for example). |
<li>Stopped offering WEP in the installer if not supported. |
<li>Stopped offering WEP in the installer if not supported. |
<li>Fixed lock file error on installer exit/abort. |
<li>Fixed lock file error on installer exit/abort. |
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code> |
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code> |
support <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>. |
support <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>. |
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> silently skip |
<li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> silently skip |
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>. keydisks. |
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> keydisks. |
<li>Fixed passing explicit stages files to |
<li>Fixed passing explicit stages files to |
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a>. |
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a>. |
<!-- architecture specific --> |
<!-- architecture specific --> |
|
|
makes sense for the bootloader to control it. |
makes sense for the bootloader to control it. |
<li>Added "machine poweroff" command on luna88k bootloader. |
<li>Added "machine poweroff" command on luna88k bootloader. |
<li>Switched alpha to machine-independent boot blocks. |
<li>Switched alpha to machine-independent boot blocks. |
<li>Switched all architectures (except alpha and luna88k) ramdisks to use |
<li>Switched all architectures' ramdisks (except alpha's and luna88k's) to use |
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>. |
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>. |
<li>Fixed ofwboot OpenFirmware <code>map</code> call to unbreak boot on some machines. |
<li>Fixed ofwboot OpenFirmware <code>map</code> call to unbreak boot on some machines. |
<li>Reduced ofwboot.net size after libz update to unbreak netboot on some machines. |
<li>Reduced ofwboot.net size after libz update to unbreak netboot on some machines. |
|
|
|
|
<li>Security improvements: |
<li>Security improvements: |
<ul> |
<ul> |
<li>Permissions (RWX, MAP_STACK, etc) on address space regions can |
<li>Permissions (RWX, MAP_STACK, etc.) on address space regions can |
be made <a href="https://man.openbsd.org/mimmutable.2">immutable</a>, |
be made <a href="https://man.openbsd.org/mimmutable.2">immutable</a>, |
so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a |
so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a |
href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or <a |
href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or <a |
|
|
userland code had to be repaired to allow this. The <a |
userland code had to be repaired to allow this. The <a |
href="https://man.openbsd.org/ld.lld.1">linker (ld.lld(1))</a> option |
href="https://man.openbsd.org/ld.lld.1">linker (ld.lld(1))</a> option |
--execute-only is enabled by default. In order of development: arm64, |
--execute-only is enabled by default. In order of development: arm64, |
riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon. sparc64 |
riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64 |
(sun4u only, unfinished). |
(sun4u only; unfinished). |
<li>On all architectures which lack hardware-enforcement of xonly, |
<li>On all architectures which lack hardware-enforcement of xonly, |
system calls are now prevented from reading (via <a |
system calls are now prevented from reading (via <a |
href="https://man.openbsd.org/copyin.9">copyin(9)</a>/copyinst) |
href="https://man.openbsd.org/copyin.9">copyin(9)</a>/copyinst) |
inside the program's main text, ld.so text, sigtramp text, or libc.so |
inside the program's main text, ld.so text, sigtramp text, or libc.so |
text. |
text. |
<li>can still benefit from switching to --execute-only binaries if the |
<li>These can still benefit from switching to --execute-only binaries if the |
cpu generates different traps for instruction-fetch versus data-fetch. |
cpu generates different traps for instruction-fetch versus data-fetch. |
The VM system will not allow memory to be read before it was executed |
The VM system will not allow memory to be read before it was executed |
which is valuable together with library relinking. Architectures |
which is valuable together with library relinking. Architectures |
|
|
front of <a href="https://man.openbsd.org/copyin.9">copyin(9)</a> and |
front of <a href="https://man.openbsd.org/copyin.9">copyin(9)</a> and |
<a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a> ensures |
<a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a> ensures |
the userland source address doesn't overlap the main program text and |
the userland source address doesn't overlap the main program text and |
other text segments, thereby making this address ranges unreadable to |
other text segments, thereby making these address ranges unreadable to |
the kernel. No programs have been discovered which require reading |
the kernel. No programs have been discovered which require reading |
their own text segments with a system call. |
their own text segments with a system call. |
<li>On arm64, introduce mitigation of the Spectre-BHB (Branch |
<li>On arm64, introduce mitigation of the Spectre-BHB (Branch |
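Review bot: `copyinst` on the line `copyin(9)</a>/copyinst)` looks like a truncation of copyinstr(9), which is spelled out and linked a few lines later as `<a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a>`; use the full name and the same link here. The new text `<li>These can still benefit from switching to --execute-only binaries` opens a fresh list item with "These", but its antecedent (the architectures that lack hardware enforcement of xonly, from the previous item) is not in this item; naming them explicitly, e.g. `Architectures without hardware xonly enforcement can still benefit ...`, lets the item read on its own.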
|
|
hardware using a stoeplitz key will hash incoming traffic on rings. |
hardware using a stoeplitz key will hash incoming traffic on rings. |
stoeplitz is also used by the TCP stack to generate a flow id, which |
stoeplitz is also used by the TCP stack to generate a flow id, which |
is used to pick which transmit ring is used on nics with multiple |
is used to pick which transmit ring is used on nics with multiple |
queues too. using the same algorithm throughout the stack encourages |
queues, too. Using the same algorithm throughout the stack encourages |
affinity of packets to rings and softnet threads the whole way |
affinity of packets to rings and softnet threads the whole way |
through. |
through. |
<li>Prevented possible kernel crashes by dropping TCP packets with |
<li>Prevented possible kernel crashes by dropping TCP packets with |
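Review bot: `stoeplitz` stays lowercase at the start of a sentence (`stoeplitz is also used by the TCP stack`) while the same edit capitalises `Using` in the following sentence; if the lowercase is deliberate because it names the kernel's stoeplitz interface, linking it like the other manual page references on this page (stoeplitz(9)) would make that clear, otherwise capitalise it. `nics` should be `NICs`.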
|
|
<li>Fixed <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> |
<li>Fixed <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> |
crashing on pf_state_key removal. |
crashing on pf_state_key removal. |
<li>Fixed a panic in <a |
<li>Fixed a panic in <a |
href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there are |
href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there is |
no data ready for bulk transfer. |
no data ready for bulk transfer. |
<li>Turned off TCP Segmentation Offload (TSO) if interface is added |
<li>Turned off TCP Segmentation Offload (TSO) if interface is added |
to layer 2 devices. |
to layer 2 devices. |
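Review bot: `Turned off TCP Segmentation Offload (TSO) if interface is added to layer 2 devices` is missing an article and mixes singular and plural; suggest `if an interface is added to a layer 2 device`.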
|
|
to work better in busy conditions. |
to work better in busy conditions. |
<li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout |
<li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout |
(BIOCSWTIMEOUT) between capturing a packet and making the buffer |
(BIOCSWTIMEOUT) between capturing a packet and making the buffer |
readable, preventing for example <a |
readable, preventing, for example, <a |
href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every |
href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every |
half second even if there is nothing to read. By default this buffer |
half second even if there is nothing to read. By default this buffer |
is infinite and must be filled to become readable. |
is infinite and must be filled to become readable. |
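Review bot: `By default this buffer is infinite and must be filled to become readable` attaches "infinite" to the buffer, but what is unbounded by default is the new BIOCSWTIMEOUT timeout introduced at the top of the item; suggest `By default the timeout is infinite, so the buffer must be filled before it becomes readable.`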
|
|
support for configuring multiple name servers. |
support for configuring multiple name servers. |
<li>Synced proc.c from <a |
<li>Synced proc.c from <a |
href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a |
href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a |
href="https://man.openbsd.org/iked.8">iked(8)</a> to enabled fork + |
href="https://man.openbsd.org/iked.8">iked(8)</a> to enable fork + |
exec for all processes. This gives each process a fresh and unique |
exec for all processes. This gives each process a fresh and unique |
address space to further improve randomization of ASLR and stack |
address space to further improve randomization of ASLR and stack |
protector. |
protector. |
|
|
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a |
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a |
href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>: |
href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>: |
<ul> |
<ul> |
<li>Improved performance by optimising the output filters |
<li>Improved performance by optimising the output filters. |
<li>Add Autonomous System Provider Authorization (ASPA) validation |
<li>Add Autonomous System Provider Authorization (ASPA) validation |
based on draft-ietf-sidrops-aspa-verification-12 |
based on draft-ietf-sidrops-aspa-verification-12 |
<li>Introduce avs (ASPA validation state) filter and bgpctl |
<li>Introduce avs (ASPA validation state) filter and bgpctl |
filter argument |
filter argument. |
<li>Add ASPA support for the RTR protocol based on |
<li>Add ASPA support for the RTR protocol based on |
draft-ietf-sidrops-8210bis-10 |
draft-ietf-sidrops-8210bis-10. |
<li>Improve open policy (RFC 9234) support and enable the capability |
<li>Improve open policy (RFC 9234) support and enable the capability |
automatically if a role is specified for the peer |
automatically if a role is specified for the peer. |
<li>Introduce a per neighbor 'role' configuration option to specify |
<li>Introduce a per-neighbor 'role' configuration option to specify |
the session role used by ASPA verification and the open policy |
the session role used by ASPA verification and the open policy |
capability. The 'announce policy' statement was simplified at |
capability. The 'announce policy' statement was simplified at |
the same time. |
the same time. |
<li>Improve startup behaviour by introducing a small delay before |
<li>Improve startup behaviour by introducing a small delay before |
opening the connection to a new peer |
opening the connection to a new peer. |
<li>Support for aspa-set table config which can be provided by |
<li>Support for aspa-set table config which can be provided by |
<a |
<a |
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> |
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>. |
<li>Make it possible to filter the RIB by invalid and leaked prefixes |
<li>Make it possible to filter the RIB by invalid and leaked prefixes |
in bgpctl and bgplgd |
in bgpctl and bgplgd. |
<li>Add OpenMetrics output to bgpctl for various BGP statistics and |
<li>Add OpenMetrics output to bgpctl for various BGP statistics and |
add /metrics endpoint to bgplgd |
add /metrics endpoint to bgplgd. |
<li>Fix of incorrect length checks that allowed an out-of-bounds |
<li>Fix of incorrect length checks that allowed an out-of-bounds |
read in bgpd. |
read in bgpd. |
</ul> |
</ul> |
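Review bot: the bgpd(8) sub-list mixes imperative and noun forms (`Add ASPA support`, `Introduce avs`, `Support for aspa-set table config`, `Fix of incorrect length checks`) while the rest of the page uses the past tense (`Fixed`, `Added`, `Improved performance`); `Fix of incorrect length checks that allowed an out-of-bounds read in bgpd` in particular reads better as `Fixed incorrect length checks ...`. The new edit also adds trailing periods to most items but leaves `based on draft-ietf-sidrops-aspa-verification-12` without one.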
|
|
System Provider Authorization (ASPA) payloads as an 'aspa-set {}' |
System Provider Authorization (ASPA) payloads as an 'aspa-set {}' |
configuration block. |
configuration block. |
<li>When rpki-client is invoked with increased verbosity ('-v'), the |
<li>When rpki-client is invoked with increased verbosity ('-v'), the |
current RRDP Serial & Session ID are shown to aid debugging. |
current RRDP Serial and Session ID are shown to aid debugging. |
<li>Self-signed X.509 certificates (such as Trust Anchor certificates) |
<li>Self-signed X.509 certificates (such as Trust Anchor certificates) |
now are considered invalid if they contain an X.509 |
now are considered invalid if they contain an X.509 |
AuthorityInfoAccess extension. |
AuthorityInfoAccess extension. |
|
|
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are |
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are |
considered invalid in accordance with RFC 6487 section 4.8.6. |
considered invalid in accordance with RFC 6487 section 4.8.6. |
<li>For every X.509 certificate the SHA-1 of the Subject Public Key is |
<li>For every X.509 certificate the SHA-1 of the Subject Public Key is |
calculated and compared to the Subject Key Identifier (SKI), if a |
calculated and compared to the Subject Key Identifier (SKI). If a |
mismatch is found the certificate is not trusted. |
mismatch is found the certificate is not trusted. |
<li>Require the outside-TBS signature OID for every X.509 intermediate |
<li>Require the outside-TBS signature OID for every X.509 intermediate |
CA certificate and CRL to be sha256WithRSAEncryption. |
CA certificate and CRL to be sha256WithRSAEncryption. |
|
|
<li>Require RRDP Session IDs to strictly be version 4 UUIDs. |
<li>Require RRDP Session IDs to strictly be version 4 UUIDs. |
<li>When decoding and validating an individual RPKI file using filemode |
<li>When decoding and validating an individual RPKI file using filemode |
(rpki-client -f file), display the signature path towards the trust |
(rpki-client -f file), display the signature path towards the trust |
anchor, and the timestamp when the signature path will expire. |
anchor and the timestamp when the signature path will expire. |
<li>When decoding and validating an individual RPKI file using filemode |
<li>When decoding and validating an individual RPKI file using filemode |
(rpki-client -f file), display the optional CMS signing-time, and |
(rpki-client -f file), display the optional CMS signing-time, |
non-optional X.509 notBefore, and X.509 notAfter timestamps. |
non-optional X.509 notBefore timestamp and non-optional X.509 |
|
notAfter timestamp. |
</ul> |
</ul> |
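Review bot: the new right-hand wording `display the optional CMS signing-time, non-optional X.509 notBefore timestamp and non-optional X.509 notAfter timestamp` repeats `non-optional X.509`; `the optional CMS signing-time and the non-optional X.509 notBefore and notAfter timestamps` says the same thing more compactly. The two filemode items both open with the identical `When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display` and could be merged into a single item listing everything filemode now displays.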
|
|
<li>Updated zlib to 1.2.13. |
<li>Updated zlib to 1.2.13. |
|
|
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>. |
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>. |
<li>Restrict the characters allowed in the hostname argument of <a |
<li>Restrict the characters allowed in the hostname argument of <a |
href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> to the |
href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> to the |
set [A-z0-9-_.]. Additionally two consecutive dots ('.') are not |
set [A-z0-9-_.]. Additionally, two consecutive dots ('.') are not |
allowed nor can the string start with - or '.'. This removes |
allowed nor can the string start with - or '.'. This removes |
characters like '$', '`', '\n' or '*' that can traverse the DNS |
characters like '$', '`', '\n' or '*' that can traverse the DNS |
without problems, but have special meaning, for example a shell. |
without problems but have special meaning as in a shell. |
<li>Fixed a number of out of bounds reads in DNS response parsing of |
<li>Fixed a number of out of bounds reads in DNS response parsing of |
the async DNS resolver in libc. |
the async DNS resolver in libc. |
<li>Added <a |
<li>Added <a |
|
|
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to when |
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to when |
either a wireguard interface is specified or the flag "-A" is used. |
either a wireguard interface is specified or the flag "-A" is used. |
<li>Implemented the RFC 8781 PREF64 router advertisement option in |
<li>Implemented the RFC 8781 PREF64 router advertisement option in |
<a href="https://man.openbsd.org/rad.8">rad(8)</a> which is used to o |
<a href="https://man.openbsd.org/rad.8">rad(8)</a> which is used to |
communicate NAT64 prefixes to hosts. |
communicate NAT64 prefixes to hosts. |
<li>Moved the documentation of flag mappings displayed by "route show" from the <a |
<li>Moved the documentation of flag mappings displayed by "route show" from the <a |
href="https://man.openbsd.org/netstat.1">netstat(1)</a> manpage to <a |
href="https://man.openbsd.org/netstat.1">netstat(1)</a> manpage to <a |
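Review bot: `[A-z0-9-_.]` in the getaddrinfo(3) item is misleading if read as a character class: the range `A-z` spans ASCII 0x41 to 0x7a and so also covers `[`, `\`, `]`, `^` and the backtick, one of the very characters the next sentence says is removed, and the `-` between `9` and `_` is ambiguous between a literal hyphen and a range. Write it as `[A-Za-z0-9_.-]` (hyphen last, so it is literal) or spell out letters, digits, '-', '_' and '.'. The closing clause `but have special meaning as in a shell` would be clearer as `but have special meaning in other contexts, such as a shell`.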
|
|
<li>Stop claiming connection success in UDP mode unless true. |
<li>Stop claiming connection success in UDP mode unless true. |
<li>Do not test the connection in non-interactive mode. The test |
<li>Do not test the connection in non-interactive mode. The test |
writes characters to the socket which can corrupt data that is |
writes characters to the socket which can corrupt data that is |
possible piped into nc. |
possibly piped into nc. |
<li>Some refactoring and code cleanup. |
<li>Some refactoring and code cleanup. |
</ul> |
</ul> |
|
|
|
|
provide it, for use by the VerifyHostKeyDNS feature. A |
provide it, for use by the VerifyHostKeyDNS feature. A |
specifically crafted DNS response could cause this function to |
specifically crafted DNS response could cause this function to |
perform an out-of-bounds read of adjacent stack data, but this |
perform an out-of-bounds read of adjacent stack data, but this |
condition does not appear to be exploitable beyond denial-of- |
condition does not appear to be exploitable beyond denial-of-service |
service to the ssh(1) client.<br> |
to the ssh(1) client.<br> |
The getrrsetbyname(3) replacement is only included if the system's |
The getrrsetbyname(3) replacement is only included if the system's |
standard library lacks this function and portable OpenSSH was not |
standard library lacks this function and portable OpenSSH was not |
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is |
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is |