Annotation of www/74.html, Revision 1.15
1.1 deraadt 1: <!doctype html>
2: <html lang=en id=release>
3: <head>
4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.4</title>
7: <meta name="description" content="OpenBSD 7.4">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/74.html">
11: </head><body>
12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.4
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/XXX.png">
22: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
23: <td>
24: Released Oct XXX, 2023. (55th OpenBSD release)<br>
25: Copyright 1997-2023, Theo de Raadt.<br>
26: <br>
1.4 job 27: Artwork by Jessica Scott.
1.1 deraadt 28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.4/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata74.html">the 7.4 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus74.html">detailed log of changes</a> between the
37: 7.3 and 7.4 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-74-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/openbsd-74-base.pub">
47: RWRoyQmAD08ajTqgzK3UcWaVlwaJMckH9/CshU8Md5pN1GoIrcBdTF+c</a>
48: <tr><td>
49: openbsd-74-fw.pub:
50: <td>
51: RWTRA9KXRuZKunpXYK0ed5OxbE0K7rYWpDnTu+M8wZdqzRroFqed0U6I
52: <tr><td>
53: openbsd-74-pkg.pub:
54: <td>
55: RWR/h7gubZ9M/O46RNy3PzLTPevOCK24LGCPca41IHMwSH4YuVA+jnWO
56: <tr><td>
57: openbsd-74-syspatch.pub:
58: <td>
59: RWQqty2voy8V8afR9/v2RzuNr7r4y9cKwljABN7Tytd7JcPdBjnXg0Ue
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.4.
74: For a comprehensive list, see the <a href="plus74.html">changelog</a> leading
75: to 7.4.
76:
77: <ul>
78:
79: <li>New/extended platforms:
80: <ul>
1.11 benno 81: <li>On arm64, implement branch target protection using the branch
82: target identification feature introduced in Armv8.5. This provides
83: "head-CFI" to complement the "tail-CFI" provided by retguard, and is
84: supported on Apple M2.
1.1 deraadt 85: </ul>
86:
87: <li>Various kernel improvements:
88: <ul>
1.11 benno 89: <li>On amd64, identify IBT capability in cpu(4) dmesg lines.
90: <li>On arm64, show BT and SBSS features in dmesg(8).
91: <li>Map device tree read/write to unbreak root on softraid(4).
1.1 deraadt 92: </ul>
93:
94: <li>SMP Improvements
95: <ul>
1.15 ! benno 96: <li>Protect struct clockintr(9)_queue with a mutex so that arbitrary CPUs
! 97: can manipulate clock interrupts established on arbitrary CPU queues.
! 98: <li>
! 99:
1.1 deraadt 100: </ul>
101:
102: <li>Direct Rendering Manager and graphics drivers
103: <ul>
104: <li>...
105: </ul>
106:
107: <li>VMM/VMD improvements
108: <ul>
1.11 benno 109: <li>Avoid use of uninitialised memory in vmd(8).
1.15 ! benno 110: <li>Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm
! 111: object to be transmitted over an ipc channel.
1.1 deraadt 112: </ul>
113:
114: <li>Various new userland features:
115: <ul>
1.11 benno 116: <li>Update zoneinfo to tzdata2023c.
1.1 deraadt 117: </ul>
118:
119: <li>Various bugfixes and tweaks in userland:
120: <ul>
1.11 benno 121: <li>Refactoring and documenting of fdisk(8) code, to make the code
122: easier to maintain.
123: <li>In clang, allow out-of-class defaulting of comparison operators,
124: by ways of backporting an upstream commit.
125: <li>Improve the code of aucat(1) and fix spelling mistakes.
126: <li>Improve the code quality of find(1).
127: <li>Many changes in mg(1):
128: <ul>
129: <li>Improve the readability of the code of mg(1).
130: <li>In mg(1), fall back to /bin/sh if $SHELL is undefined.
131: <li>Fix parsing of tag files with duplicate entries in mg (1).
132: Instead of erroring out ignore duplicates. Fixes using
133: /var/db/libc.tags again.
134: <li>In mg(1), change tagvisit (aka visit-tag-table) to immediately
135: load the tag file, and drop the lazy mechanics.
136: <li>Remove useless global variable in mg(1).
137: <li>Plug memory leak in mg(1).
138: <li>Replace strncpy() with strlcpy() in mg(1).
139: <li>Skip checking permissions of conffile with access(2).
140: </ul>
141: <li>On aarch64 architectures improve how BTI control flow integretry
142: enforcement is implemented in the executable entry point and enable
143: support for BTI control flow integrety checks in libc assembly
144: functions.
145:
1.1 deraadt 146: </ul>
147:
148: <li>Improved hardware support and driver bugfixes, including:
149: <ul>
1.11 benno 150: <li>Add support for the RK3568 32k RTC clock in rkclock(4)
151: <li>In dwpcie(4) attach Baikal-M PCIe.
152: <li>In openfirmware, implement regulator notifiers which get called
153: when the voltage/current for a regulator is changed or when the
154: regulator gets initialized when it attaches for the first time. The
155: latter makes it possible to register a notifier for a regulator that
156: hasn't attached yet.
157: <li>Add rkiovd(4), a driver for the IO voltage domains on Rockchip SoCs.
1.15 ! benno 158: <li>Add support for TEMPerGold 3.4 temperature sensor to ugold(4).
! 159: <li>Ignore duplicate ACPI lid transitions as they can happen on Dell
! 160: Precision 5510 systems.
! 161: <li>Make RK3568 PCIe controllers run at the maximum possible speed
! 162: by using dwpcie_link_config() when initializing.
! 163: <li>In the Universal Flash Storage Host Controller Interface
! 164: (ufshci(4)) enable Force Unit Access (FUA) for write commands.
1.11 benno 165:
1.1 deraadt 166: </ul>
167:
168: <li>New or improved network hardware support:
169: <ul>
1.11 benno 170: <li>Fix dwqe(4) on several boards that use rgephy(4) by configuring
171: the RGMII interface before taking the PHY out of reset.
172: <li>Document that Intel i226 adapters are supported by igc(4).
173: <li>Add ngbe(4), a driver for WangXun WX1860 PCI Express 10/100/1Gb Ethernet devices.
1.15 ! benno 174: <li>Add rkusbphy(4), a driver for the usb2phy on Rockchip SoCs.
! 175: <li>Add support for the RTL8211F-VD PHY in rgephy(4).
! 176: <li>Enable rkusbphy(4) on arm64.
! 177: <li>In openfirmware, add glue for network interfaces to be found by
! 178: fdt/ofw node or phandle in order to support "switch chips" like the
! 179: marvell link street.
! 180: <li>Add support for enabling both the usb2 and usb3 phys in xhci and ehci.
1.1 deraadt 181: </ul>
182:
183: <li>Added or improved wireless network drivers:
184: <ul>
1.11 benno 185: <li>Improve how Quectel LTE&5G devices attach to umb(4).
1.1 deraadt 186: </ul>
187:
188: <li>IEEE 802.11 wireless stack improvements and bugfixes:
189: <ul>
190: <li>...
191: </ul>
192:
193: <li>Installer, upgrade and bootloader improvements:
194: <ul>
1.11 benno 195: <li>In the arm64 ramdisk, simplify apple firmware copying to make it
196: easier to add new firmware.
197: <li>On armv7 and arm64, silence informational messages from dd(1)
198: when zeroing a disk's first 1MB. Use character not block devices with
199: dd(1) like on other architectures.
200: <li>Refactor the code of md_installboot() on armv7 and arm64 to be
201: more in line with other architectures.
202: <li>Improve the dialogue of the installer without affecting
203: autoinstall(8) files.
1.15 ! benno 204: <li>Enable ufshci(4) on arm64 install media.
! 205: <li>Enable ngbe(4) on amd64 install media.
! 206: <li>On arm64 pine64 boards, stop writing pine64 firmware to disk.
! 207: <li>Make root on softraid(4) installations boot out of the box on
! 208: Raspberry Pis (arm64).
! 209: <li>Support installations with root on softraid on arm64, tested on
! 210: Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
1.11 benno 211:
1.1 deraadt 212: </ul>
213:
214: <li>Security improvements:
215: <ul>
1.11 benno 216: <li>Change malloc(3) chunk sizes to be fine grained. [needs better explaination]
217: <li>In malloc(3), check all chunks in the delayed free list for write-after-free.
1.1 deraadt 218: </ul>
219:
220: <li>Changes in the network stack:
221: <ul>
1.15 ! benno 222: <li>In pf(4), when redirecting locally generated IP packets to
! 223: userland with divert-packet rules, the packets may have no checksum
! 224: due to to hardware offloading. Calculate the checksum in that case.
! 225: <li>Sync the use of getuptime(9) in the Neighbour Discovery (ND) code with ARP.
! 226: <li>In the IPv6 forwarding code, call getuptime(9) once for
! 227: consistency with IPv4.
! 228:
1.1 deraadt 229: </ul>
230:
231: <li>Routing daemons and other userland network improvements:
232: <ul>
233: <li>IPsec support was improved:
234: <ul>
1.11 benno 235: <li>In isakmpd(8), avoid a double free in ec_init() when using the OpenSSL API.
236: <li>In iked(8), do not treat the return value of i2d_ECDSA_SIG() as
237: lenght as it can be negative.
238: <li>Prepare isakmpd(8) for a libcrypto library that is lacking binary field
239: support.
240: <li>In isakmpd(8), avoid a potential crash by addind a missing NULL check.
241:
1.1 deraadt 242: </ul>
243: <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
244: <ul>
245: <li>...
246: </ul>
247: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
248: <ul>
249: <li>...
250: </ul>
251:
252: <li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>,
253: <ul>
254: <li>...
255: </ul>
256:
1.11 benno 257: <li>Make dig(1) use less deprecated LibreSSL API.
258: <li>In ypldap(8), reduce memory usage when updating larger directories.
1.15 ! benno 259: <li>Remove stylistic differences between arp(8) and ndp(8) delete()
! 260: function. This makes it easier to spot real changes in behavior.
! 261: <li>Make ndp(8) not remove cloning routes when no neigbor entry is
! 262: found with <code>ndp -d</code>.
1.1 deraadt 263: </ul>
264:
265: <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
266: <ul>
1.11 benno 267: <li>For passthrough, don't write to clients attached to different sessions.
268: <li>Add a format to show if there are unseen changes while in a mode.
1.1 deraadt 269: </ul>
270:
1.7 tb 271: <li>LibreSSL version 3.8.2
1.1 deraadt 272: <ul>
1.7 tb 273: <li>Security fixes
274: <ul>
275: <li>Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
276: be selected for use.
277: <li>BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
278: 32 kbits for primality. This mitigates various DoS vectors.
279: <li>Restricted the RFC 3779 code to IPv4 and IPv6. It was not written
280: to be able to deal with anything else.
281: </ul>
282: <li>Portable changes
283: <ul>
284: <li>Extended the endian.h compat header with hto* and *toh macros.
285: <li>Adapted more tests to the portable framework.
286: <li>Internal tools are now statically linked.
287: <li>Applications bundled as part of the LibreSSL package internally,
288: nc(1) and openssl(1), now are linked statically if static libraries
289: are built.
290: <li>Internal compatibility function symbols are no longer exported from
291: libcrypto. Instead, the libcompat library is linked to libcrypto,
292: libssl, and libtls separately. This increases size a little, but
293: ensures that the libraries are not exporting symbols to programs
294: unintentionally.
295: <li>Selective removal of CET implementation on platforms where it is
296: not supported (macOS).
297: <li>Integrated four more tests.
298: <li>Added Windows ARM64 architecture to tested platforms.
299: <li>Removed Solaris 10 support, fixed Solaris 11.
300: <li>libtls no longer links statically to libcrypto / libssl unless
301: <code>--enable-libtls-only</code> is specified at configure time.
302: <li>Improved Windows compatibility library, namely handling of files vs
303: sockets, correcting an exception when operating on a closed socket.
304: <li>CMake builds no longer hardcode <code>-O2</code> into the compiler flags,
305: instead using flags from the CMake build type instead.
306: <li>Set the CMake default build type to <code>Release</code>. This can be overridden
307: during configuration.
308: <li>Fixed broken ASM support with MinGW builds.
309: </ul>
1.1 deraadt 310: <li>New features
311: <ul>
1.7 tb 312: <li>Added support for truncated SHA-2 and for SHA-3.
313: <li>The BPSW primality test performs additional Miller-Rabin rounds
314: with random bases to reduce the likelihood of composites passing.
315: <li>Allow testing of ciphers and digests using badly aligned buffers
316: in openssl speed using -unalign.
317: <li>Ed25519 certificates are now supported in openssl(1) ca and req.
318: Prepared Ed25519 support in libssl.
319: <li>Add branch target information (BTI) support to amd64 and arm64
320: assembly.
1.1 deraadt 321: </ul>
322: <li>Compatibility changes
323: <ul>
1.7 tb 324: <li>Added a workaround for a poorly thought-out change in OpenSSL 3 that
325: broke privilege separation support in libtls.
326: <li>Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
327: <li>Removed GF2m support: BIGNUM no longer supports binary extension
328: field arithmetic and all binary elliptic builtin curves were removed.
329: <li>Removed dangerous, "fast" NIST prime and elliptic curve implementations.
330: In particular, EC_GFp_nist_method() is no longer available.
331: <li>Removed most public symbols that were deprecated in OpenSSL 0.9.8.
332: <li>Removed the public X9.31 API (RSA_X931_PADDING is still available).
333: <li>Removed Cipher Text Stealing mode.
334: <li>Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD.
335: <li>Removed COMP, DSO, dynamic loading of conf modules and support for
336: custom ex_data and error stacks.
337: <li>Removed proxy certificate (RFC 3820) support.
338: <li>Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
1.8 tb 339: openssl(1) nseq command.
1.7 tb 340: <li>ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
341: of this, some stub functions are provided to avoid patching some
342: applications that do not honor OPENSSL_NO_ENGINE.
343: <li>The POLICY_TREE and its related structures and API were removed.
344: <li>In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
345: host list.
346: <li>Made CRYPTO_get_ex_new_index() not return 0 to allow applications
347: to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
348: each other.
349: <li>X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
350: valid UTF-8 without embedded NUL.
351: <li>The explicitText user notice uses UTF8String instead of VisibleString
352: to reduce the risk of emitting certificates with invalid DER-encoding.
353: <li>Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
354: compliant with RFC 8446.
355: <li>Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
356: EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
1.1 deraadt 357: </ul>
1.7 tb 358: <li>Internal improvements
1.1 deraadt 359: <ul>
1.7 tb 360: <li>Improved sieve of Eratosthenes script used for generating a table
361: of small primes.
362: <li>Removed incomplete and dangerous BN_RECURSION code.
363: <li>Imported RFC 5280 policy checking code from BoringSSL and used it
364: to replace the old exponential time code.
365: <li>Converted more of libcrypto to use CBB/CBS.
366: <li>Started cleaning up and rewriting SHA internals.
367: <li>Reduced the dependency of hash implementations on many layers of
368: macros. This results in significant speedups since modern compilers
369: are now less confused.
370: <li>Improved BIGNUM internals and performance.
371: <li>Significantly simplified the BN_BLINDING internals used in RSA.
372: <li>Made BN_num_bits() independent of bn->top.
373: <li>Rewrote and simplified bn_sqr().
374: <li>Significantly improved Montgomery multiplication performance.
375: <li>Rewrote and improved BN_exp() and BN_copy().
376: <li>Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
377: Ed25519 and fixed a few bugs in there.
378: <li>Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous
379: memory leaks, fixed logic errors and inconsistencies.
380: <li>Cleaned up and simplified various ECDH and ECDSA internals.
381: <li>Removed EC_GROUP precomp machinery.
382: <li>Fixed various issues with EVP_PKEY_CTX_{new,dup}().
383: <li>Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
384: <li>Improved X.509 certificate version checks.
385: <li>Ensure no X.509v3 extensions appear more than once in certificates.
386: <li>Replaced ASN1_bn_print with a cleaner internal implementation.
387: <li>Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
388: <li>Improved checks for commonName in libtls.
389: <li>Fixed error check for X509_get_ext_d2i() failure in libtls.
390: <li>Removed code guarded by #ifdef ZLIB.
391: <li>Plug a potential memory leak in ASN1_TIME_normalize().
392: <li>Fixed a use of uninitialized in i2r_IPAddrBlocks().
393: <li>Rewrote CMS_SignerInfo_{sign,verify}().
1.1 deraadt 394: </ul>
1.7 tb 395: <li>Bug fixes
1.1 deraadt 396: <ul>
1.7 tb 397: <li>Correctly handle negative input to various BIGNUM functions.
398: <li>Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
399: <li>Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
1.8 tb 400: <li>Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing of result
401: and modulus in various BN_mod_* functions.
1.7 tb 402: <li>Fixed detection of extended operations (XOP) on AMD hardware.
403: <li>Ensure Montgomery exponentiation is used for the initial RSA blinding.
404: <li>Policy is always checked in X509 validation. Critical policy extensions
405: are no longer silently ignored.
406: <li>Fixed error handling in tls_check_common_name().
407: <li>Add missing pointer invalidation in SSL_free().
408: <li>Fixed X509err() and X509V3err() and their internal versions.
409: <li>Ensure that OBJ_obj2txt() always returns a C string again.
410: <li>Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
411: <li>On socket errors in the poll loop, netcat could issue system calls
412: on invalidated file descriptors.
413: <li>Allow IP addresses to be specified in a URI.
414: <li>Fixed a copy-paste error in ASN1_TIME_compare() that could lead
415: to two UTCTimes or two GeneralizedTimes incorrectly being compared
416: as equal.
417: </ul>
418: <li>Documentation improvements
419: <ul>
420: <li>Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
421: BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
422: <li>Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
423: undocumented.
424: <li>Made it very explicit that the verify callback should not be used.
425: <li>Called out that the CRL lastUpdate is standardized as thisUpdate.
426: <li>Documented the RFC 3779 API and its shortcomings.
427: </ul>
428: <li>Testing and Proactive Security
429: <ul>
430: <li>Significantly improved test coverage of BN_mod_sqrt() and GCD.
431: <li>As always, new test coverage is added as bugs are fixed and subsystems
432: are cleaned up.
1.1 deraadt 433: </ul>
434: </ul>
435:
1.13 dtucker 436: <li>OpenSSH 9.5 and OpenSSH 9.4
1.1 deraadt 437: <ul>
1.12 dtucker 438: <li>Potentially incompatible changes
1.1 deraadt 439: <ul>
1.12 dtucker 440: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
441: generate Ed25519 keys by default. Ed25519 public keys
442: are very convenient due to their small size. Ed25519 keys are
443: specified in RFC 8709 and OpenSSH has supported them since version 6.5
444: (January 2014).
445: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
446: the Subsystem directive now accurately preserves quoting of
447: subsystem commands and arguments. This may change behaviour for exotic
448: configurations, but the most common subsystem configuration
449: (sftp-server) is unlikely to be affected.
1.13 dtucker 450: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
451: PKCS#11 modules must now be specified by their full
452: paths. Previously dlopen(3) could search for them in system
453: library directories.
1.1 deraadt 454: </ul>
1.12 dtucker 455: <li>New features
1.1 deraadt 456: <ul>
1.12 dtucker 457: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
458: add keystroke timing obfuscation to the client. This attempts
459: to hide inter-keystroke timings by sending interactive traffic at
460: fixed intervals (default: every 20ms) when there is only a small
461: amount of data being sent. It also sends fake "chaff" keystrokes for
462: a random interval after the last real keystroke. These are
463: controlled by a new ssh_config ObscureKeystrokeTiming keyword.
464: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
465: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
466: Introduce a transport-level ping facility. This adds
467: a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
468: implement a ping capability. These messages use numbers in the "local
469: extensions" number space and are advertised using a "ping@openssh.com"
470: ext-info message with a string version number of "0".
1.13 dtucker 471: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
472: allow override of Subsystem directives in sshd Match blocks.
473: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
474: allow forwarding Unix Domain sockets via ssh -W.
475: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
476: add support for configuration tags to ssh(1).
477: This adds a ssh_config(5) "Tag" directive and corresponding
478: "Match tag" predicate that may be used to select blocks of
479: configuration similar to the pf.conf(5) keywords of the same
480: name.
481: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
482: add a "match localnetwork" predicate. This allows matching
483: on the addresses of available network interfaces and may be used to
484: vary the effective client configuration based on network location.
485: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
486: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
487: <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
488: infrastructure support for KRL
489: extensions. This defines wire formats for optional KRL extensions
490: and implements parsing of the new submessages. No actual extensions
491: are supported at this point.
492: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
493: AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
494: accept two additional %-expansion sequences: %D which expands to
495: the routing domain of the connected session and %C which expands
496: to the addresses and port numbers for the source and destination
497: of the connection.
498: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
499: increase the default work factor (rounds) for the
500: bcrypt KDF used to derive symmetric encryption keys for passphrase
501: protected key files by 50%.
1.1 deraadt 502: </ul>
503: <li>Bugfixes
504: <ul>
1.12 dtucker 505: <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
506: fix scp in SFTP mode recursive upload and download of
507: directories that contain symlinks to other directories. In scp mode,
508: the links would be followed, but in SFTP mode they were not.
509: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
510: handle cr+lf (instead of just cr) line endings in
511: sshsig signature files.
512: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
513: interactive mode for ControlPersist sessions if they
514: originally requested a tty.
515: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
516: make PerSourceMaxStartups first-match-wins
517: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
518: limit artificial login delay to a reasonable maximum (5s)
519: and don't delay at all for the "none" authentication mechanism.
1.13 dtucker 520: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
521: Log errors in kex_exchange_identification() with level
1.12 dtucker 522: verbose instead of error to reduce preauth log spam. All of those
523: get logged with a more generic error message by sshpkt_fatal().
524: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
525: correct math for ClientAliveInterval that caused the probes
526: to be sent less frequently than configured.
1.13 dtucker 527: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
528: improve isolation between loaded PKCS#11 modules
529: by running separate ssh-pkcs11-helpers for each loaded provider.
530: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
531: make -f (fork after authentication) work correctly with
532: multiplexed connections, including ControlPersist.
533: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
534: make ConnectTimeout apply to multiplexing sockets and not
535: just to network connections.
536: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
537: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
538: improve defences against invalid PKCS#11
539: modules being loaded by checking that the requested module
540: contains the required symbol before loading it.
541: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
542: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
543: appears before it in sshd_config. Since OpenSSH 8.7 the
544: AuthorizedPrincipalsCommand directive was incorrectly ignored in
545: this situation.
546: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
547: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
548: <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
549: remove vestigal support for KRL
550: signatures When the KRL format was originally defined, it included
551: support for signing of KRL objects. However, the code to sign KRLs
552: and verify KRL signatues was never completed in OpenSSH. This
553: release removes the partially-implemented code to verify KRLs.
554: All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
555: KRL files.
556: <li>All: fix a number of memory leaks and unreachable/harmless integer
557: overflows.
558: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
559: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
560: don't truncate strings logged from PKCS#11 modules
561: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
562: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
563: better validate CASignatureAlgorithms in
564: ssh_config and sshd_config. Previously this directive would accept
565: certificate algorithm names, but these were unusable in practice as
566: OpenSSH does not support CA chains.
567: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
568: make <code>ssh -Q CASignatureAlgorithms</code> only list signature
569: algorithms that are valid for CA signing. Previous behaviour was
570: to list all signing algorithms, including certificate algorithms.
571: <li><a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>:
572: gracefully handle systems where rlimits or the
573: maximum number of open files is larger than INT_MAX
574: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
575: fix "no comment" not showing on when running
576: <code>ssh-keygen -l</code> on multiple keys where one has a comment
577: and other following keys do not.
578: <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>,
1.14 dtucker 579: <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
1.13 dtucker 580: adjust ftruncate() logic to handle servers that
581: reorder requests. Previously, if the server reordered requests then
582: the resultant file would be erroneously truncated.
583: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
584: don't incorrectly disable hostname canonicalization when
585: CanonicalizeHostname=yes and ProxyJump was expicitly set to
586: "none".
587: <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
588: when copying local to remote, check that the source file
589: exists before opening an SFTP connection to the server.
1.1 deraadt 590: </ul>
591: </ul>
592:
593: <li>mandoc XXX plus some new features and many bugfixes, including:
594: <ul>
595: <li>...
596: </ul>
597:
598: <li>Ports and packages:
599: <p>Many pre-built packages for each architecture:
600: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
601: <ul style="column-count: 3">
602: <li>aarch64:
603: <li>amd64:
604: <li>arm:
605: <li>i386:
606: <li>mips64:
607: <li>powerpc:
608: <li>powerpc64:
609: <li>riscv64:
610: <li>sparc64:
611: </ul>
612:
613: <p>Some highlights:
1.7 tb 614: <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2023-03-04 -->
1.6 matthieu 615: <li>Asterisk 16.30.1, 18.19.0 and 20.4.0
1.5 matthieu 616: <li>Audacity 3.3.3
617: <li>CMake 3.27.5
1.10 matthieu 618: <li>Chromium 117.0.5838.149
1.5 matthieu 619: <li>Emacs 29.1
620: <li>FFmpeg 4.4.4
1.1 deraadt 621: <li>GCC 8.4.0 and 11.2.0
1.5 matthieu 622: <li>GHC 9.2.7
623: <li>GNOME 44
624: <li>Go 1.21.1
625: <li>JDK 8u382, 11.0.20 and 17.0.8
626: <li>KDE Applications 23.08.0
1.1 deraadt 627: <li>KDE Frameworks 5.98.0
1.5 matthieu 628: <li>Krita 5.1.5
629: <li>LLVM/Clang 13.0.0 and 16.0.6
630: <li>LibreOffice 7.6.2.1
631: <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
632: <li>MariaDB 10.9.6
633: <li>Mono 6.12.0.199
634: <li>Mozilla Firefox 118.0.1 and ESR 115.3.1
635: <li>Mozilla Thunderbird 115.3.1
636: <li>Mutt 2.2.12 and NeoMutt 20230517
637: <li>Node.js 18.18.0
1.1 deraadt 638: <li>OCaml 4.12.1
1.5 matthieu 639: <li>OpenLDAP 2.6.6
640: <li>PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
641: <li>Postfix 3.7.3
642: <li>PostgreSQL 15.4
643: <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
644: <li>Qt 5.15.10 and 6.5.2
645: <li>R 4.2.3
646: <li>Ruby 3.0.6, 3.1.4 and 3.2.2
647: <li>Rust 1.72.1
1.9 lteo 648: <li>SQLite 3.42.0
1.5 matthieu 649: <li>Shotcut 23.07.29
650: <li>Sudo 1.9.14.2
651: <li>Suricata 6.0.12
652: <li>Tcl/Tk 8.5.19 and 8.6.13
653: <li>TeX Live 2022
654: <li>Vim 9.0.1897 and Neovim 0.9.1
655: <li>Xfce 4.18
1.1 deraadt 656: </ul>
657: <p>
658:
659: <li>As usual, steady improvements in manual pages and other documentation.
660:
661: <li>The system includes the following major components from outside suppliers:
1.7 tb 662: <ul><!-- XXX all need to be checked/updated 2023-03-04 -->
1.5 matthieu 663: <li>Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
664: freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
1.1 deraadt 665: xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
666: <li>LLVM/Clang 13.0.0 (+ patches)
667: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.5 matthieu 668: <li>Perl 5.36.1 (+ patches)
669: <li>NSD 4.7.0
670: <li>Unbound 1.18.0
1.1 deraadt 671: <li>Ncurses 5.7
672: <li>Binutils 2.17 (+ patches)
673: <li>Gdb 6.3 (+ patches)
1.5 matthieu 674: <li>Awk September 12, 2023
675: <li>Expat 2.5.0
1.1 deraadt 676: </ul>
677:
678: </ul>
679: </section>
680:
681: <hr>
682:
683: <section id=install>
684: <h3>How to install</h3>
685: <p>
686: Please refer to the following files on the mirror site for
687: extensive details on how to install OpenBSD 7.4 on your machine:
688:
689: <ul>
690: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/alpha/INSTALL.alpha">
1.2 jsg 691: .../OpenBSD/7.4/alpha/INSTALL.alpha</a>
1.1 deraadt 692: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/amd64/INSTALL.amd64">
1.2 jsg 693: .../OpenBSD/7.4/amd64/INSTALL.amd64</a>
1.1 deraadt 694: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/arm64/INSTALL.arm64">
1.2 jsg 695: .../OpenBSD/7.4/arm64/INSTALL.arm64</a>
1.1 deraadt 696: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/armv7/INSTALL.armv7">
1.2 jsg 697: .../OpenBSD/7.4/armv7/INSTALL.armv7</a>
1.1 deraadt 698: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/hppa/INSTALL.hppa">
1.2 jsg 699: .../OpenBSD/7.4/hppa/INSTALL.hppa</a>
1.1 deraadt 700: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/i386/INSTALL.i386">
1.2 jsg 701: .../OpenBSD/7.4/i386/INSTALL.i386</a>
1.1 deraadt 702: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/landisk/INSTALL.landisk">
1.2 jsg 703: .../OpenBSD/7.4/landisk/INSTALL.landisk</a>
1.1 deraadt 704: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/loongson/INSTALL.loongson">
1.2 jsg 705: .../OpenBSD/7.4/loongson/INSTALL.loongson</a>
1.1 deraadt 706: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/luna88k/INSTALL.luna88k">
1.2 jsg 707: .../OpenBSD/7.4/luna88k/INSTALL.luna88k</a>
1.1 deraadt 708: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/macppc/INSTALL.macppc">
1.2 jsg 709: .../OpenBSD/7.4/macppc/INSTALL.macppc</a>
1.1 deraadt 710: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/octeon/INSTALL.octeon">
1.2 jsg 711: .../OpenBSD/7.4/octeon/INSTALL.octeon</a>
1.1 deraadt 712: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/powerpc64/INSTALL.powerpc64">
1.2 jsg 713: .../OpenBSD/7.4/powerpc64/INSTALL.powerpc64</a>
1.1 deraadt 714: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/riscv64/INSTALL.riscv64">
1.2 jsg 715: .../OpenBSD/7.4/riscv64/INSTALL.riscv64</a>
1.1 deraadt 716: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/sparc64/INSTALL.sparc64">
1.2 jsg 717: .../OpenBSD/7.4/sparc64/INSTALL.sparc64</a>
1.1 deraadt 718: </ul>
719: </section>
720:
721: <hr>
722:
723: <section id=quickinstall>
724: <p>
725: Quick installer information for people familiar with OpenBSD, and the use of
726: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
727: If you are at all confused when installing OpenBSD, read the relevant
728: INSTALL.* file as listed above!
729:
730: <h3>OpenBSD/alpha:</h3>
731:
732: <p>
733: If your machine can boot from CD, you can write <i>install74.iso</i> or
734: <i>cd74.iso</i> to a CD and boot from it.
735: Refer to INSTALL.alpha for more details.
736:
737: <h3>OpenBSD/amd64:</h3>
738:
739: <p>
740: If your machine can boot from CD, you can write <i>install74.iso</i> or
741: <i>cd74.iso</i> to a CD and boot from it.
742: You may need to adjust your BIOS options first.
743:
744: <p>
745: If your machine can boot from USB, you can write <i>install74.img</i> or
746: <i>miniroot74.img</i> to a USB stick and boot from it.
747:
748: <p>
749: If you can't boot from a CD, floppy disk, or USB,
750: you can install across the network using PXE as described in the included
751: INSTALL.amd64 document.
752:
753: <p>
754: If you are planning to dual boot OpenBSD with another OS, you will need to
755: read INSTALL.amd64.
756:
757: <h3>OpenBSD/arm64:</h3>
758:
759: <p>
760: Write <i>install74.img</i> or <i>miniroot74.img</i> to a disk and boot from it
761: after connecting to the serial console. Refer to INSTALL.arm64 for more
762: details.
763:
764: <h3>OpenBSD/armv7:</h3>
765:
766: <p>
767: Write a system specific miniroot to an SD card and boot from it after connecting
768: to the serial console. Refer to INSTALL.armv7 for more details.
769:
770: <h3>OpenBSD/hppa:</h3>
771:
772: <p>
773: Boot over the network by following the instructions in INSTALL.hppa or the
774: <a href="hppa.html#install">hppa platform page</a>.
775:
776: <h3>OpenBSD/i386:</h3>
777:
778: <p>
779: If your machine can boot from CD, you can write <i>install74.iso</i> or
780: <i>cd74.iso</i> to a CD and boot from it.
781: You may need to adjust your BIOS options first.
782:
783: <p>
784: If your machine can boot from USB, you can write <i>install74.img</i> or
785: <i>miniroot74.img</i> to a USB stick and boot from it.
786:
787: <p>
788: If you can't boot from a CD, floppy disk, or USB,
789: you can install across the network using PXE as described in
790: the included INSTALL.i386 document.
791:
792: <p>
793: If you are planning on dual booting OpenBSD with another OS, you will need to
794: read INSTALL.i386.
795:
796: <h3>OpenBSD/landisk:</h3>
797:
798: <p>
799: Write <i>miniroot74.img</i> to the start of the CF
800: or disk, and boot normally.
801:
802: <h3>OpenBSD/loongson:</h3>
803:
804: <p>
805: Write <i>miniroot74.img</i> to a USB stick and boot bsd.rd from it
806: or boot bsd.rd via tftp.
807: Refer to the instructions in INSTALL.loongson for more details.
808:
809: <h3>OpenBSD/luna88k:</h3>
810:
811: <p>
812: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
813: from the PROM, and then bsd.rd from the bootloader.
814: Refer to the instructions in INSTALL.luna88k for more details.
815:
816: <h3>OpenBSD/macppc:</h3>
817:
818: <p>
819: Burn the image from a mirror site to a CDROM, and power on your machine
820: while holding down the <i>C</i> key until the display turns on and
821: shows <i>OpenBSD/macppc boot</i>.
822:
823: <p>
824: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1.2 jsg 825: /7.4/macppc/bsd.rd</i>
1.1 deraadt 826:
827: <h3>OpenBSD/octeon:</h3>
828:
829: <p>
830: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
831: Refer to the instructions in INSTALL.octeon for more details.
832:
833: <h3>OpenBSD/powerpc64:</h3>
834:
835: <p>
836: To install, write <i>install74.img</i> or <i>miniroot74.img</i> to a
837: USB stick, plug it into the machine and choose the <i>OpenBSD
838: install</i> menu item in Petitboot.
839: Refer to the instructions in INSTALL.powerpc64 for more details.
840:
841: <h3>OpenBSD/riscv64:</h3>
842:
843: <p>
844: To install, write <i>install74.img</i> or <i>miniroot74.img</i> to a
845: USB stick, and boot with that drive plugged in.
846: Make sure you also have the microSD card plugged in that shipped with the
847: HiFive Unmatched board.
848: Refer to the instructions in INSTALL.riscv64 for more details.
849:
850: <h3>OpenBSD/sparc64:</h3>
851:
852: <p>
853: Burn the image from a mirror site to a CDROM, boot from it, and type
854: <i>boot cdrom</i>.
855:
856: <p>
857: If this doesn't work, or if you don't have a CDROM drive, you can write
858: <i>floppy74.img</i> or <i>floppyB74.img</i>
859: (depending on your machine) to a floppy and boot it with <i>boot
860: floppy</i>. Refer to INSTALL.sparc64 for details.
861:
862: <p>
863: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
864: will most likely fail.
865:
866: <p>
867: You can also write <i>miniroot74.img</i> to the swap partition on
868: the disk and boot with <i>boot disk:b</i>.
869:
870: <p>
871: If nothing works, you can boot over the network as described in INSTALL.sparc64.
872: </section>
873:
874: <hr>
875:
876: <section id=upgrade>
877: <h3>How to upgrade</h3>
878: <p>
1.3 jsg 879: If you already have an OpenBSD 7.3 system, and do not want to reinstall,
1.1 deraadt 880: upgrade instructions and advice can be found in the
881: <a href="faq/upgrade74.html">Upgrade Guide</a>.
882: </section>
883:
884: <hr>
885:
886: <section id=sourcecode>
887: <h3>Notes about the source code</h3>
888: <p>
889: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
890: This file contains everything you need except for the kernel sources,
891: which are in a separate archive.
892: To extract:
893: <blockquote><pre>
894: # <kbd>mkdir -p /usr/src</kbd>
895: # <kbd>cd /usr/src</kbd>
896: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
897: </pre></blockquote>
898: <p>
899: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
900: This file contains all the kernel sources you need to rebuild kernels.
901: To extract:
902: <blockquote><pre>
903: # <kbd>mkdir -p /usr/src/sys</kbd>
904: # <kbd>cd /usr/src</kbd>
905: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
906: </pre></blockquote>
907: <p>
908: Both of these trees are a regular CVS checkout. Using these trees it
909: is possible to get a head-start on using the anoncvs servers as
910: described <a href="anoncvs.html">here</a>.
911: Using these files
912: results in a much faster initial CVS update than you could expect from
913: a fresh checkout of the full OpenBSD source tree.
914: </section>
915:
916: <hr>
917:
918: <section id=ports>
919: <h3>Ports Tree</h3>
920: <p>
921: A ports tree archive is also provided. To extract:
922: <blockquote><pre>
923: # <kbd>cd /usr</kbd>
924: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
925: </pre></blockquote>
926: <p>
927: Go read the <a href="faq/ports/index.html">ports</a> page
928: if you know nothing about ports
929: at this point. This text is not a manual of how to use ports.
930: Rather, it is a set of notes meant to kickstart the user on the
931: OpenBSD ports system.
932: <p>
933: The <i>ports/</i> directory represents a CVS checkout of our ports.
934: As with our complete source tree, our ports tree is available via
935: <a href="anoncvs.html">AnonCVS</a>.
936: So, in order to keep up to date with the -stable branch, you must make
937: the <i>ports/</i> tree available on a read-write medium and update the tree
938: with a command like:
939: <blockquote><pre>
940: # <kbd>cd /usr/ports</kbd>
1.2 jsg 941: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_4</kbd>
1.1 deraadt 942: </pre></blockquote>
943: <p>
944: [Of course, you must replace the server name here with a nearby anoncvs
945: server.]
946: <p>
947: Note that most ports are available as packages on our mirrors. Updated
948: ports for the 7.4 release will be made available if problems arise.
949: <p>
950: If you're interested in seeing a port added, would like to help out, or just
951: would like to know more, the mailing list
952: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
953: </section>
954: </body>
955: </html>