Annotation of www/74.html, Revision 1.28
1.1 deraadt 1: <!doctype html>
2: <html lang=en id=release>
3: <head>
4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.4</title>
7: <meta name="description" content="OpenBSD 7.4">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/74.html">
11: </head><body>
12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.4
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/XXX.png">
22: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
23: <td>
24: Released Oct XXX, 2023. (55th OpenBSD release)<br>
25: Copyright 1997-2023, Theo de Raadt.<br>
26: <br>
1.4 job 27: Artwork by Jessica Scott.
1.1 deraadt 28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.4/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata74.html">the 7.4 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus74.html">detailed log of changes</a> between the
37: 7.3 and 7.4 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-74-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/openbsd-74-base.pub">
47: RWRoyQmAD08ajTqgzK3UcWaVlwaJMckH9/CshU8Md5pN1GoIrcBdTF+c</a>
48: <tr><td>
49: openbsd-74-fw.pub:
50: <td>
51: RWTRA9KXRuZKunpXYK0ed5OxbE0K7rYWpDnTu+M8wZdqzRroFqed0U6I
52: <tr><td>
53: openbsd-74-pkg.pub:
54: <td>
55: RWR/h7gubZ9M/O46RNy3PzLTPevOCK24LGCPca41IHMwSH4YuVA+jnWO
56: <tr><td>
57: openbsd-74-syspatch.pub:
58: <td>
59: RWQqty2voy8V8afR9/v2RzuNr7r4y9cKwljABN7Tytd7JcPdBjnXg0Ue
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.4.
74: For a comprehensive list, see the <a href="plus74.html">changelog</a> leading
75: to 7.4.
76:
77: <ul>
78:
79: <li>New/extended platforms:
80: <ul>
1.11 benno 81: <li>On arm64, implement branch target protection using the branch
82: target identification feature introduced in Armv8.5. This provides
83: "head-CFI" to complement the "tail-CFI" provided by retguard, and is
84: supported on Apple M2.
1.1 deraadt 85: </ul>
86:
87: <li>Various kernel improvements:
88: <ul>
1.21 schwarze 89: <li>On amd64, identify IBT capability in
90: <a href="https://man.openbsd.org/amd64/cpu.4">cpu(4)</a> dmesg lines.
1.26 kn 91: <li>On arm64, show BTI and SBSS features in
1.21 schwarze 92: <a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a>.
93: <li>Map device tree read/write to unbreak root on
94: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
1.1 deraadt 95: </ul>
96:
97: <li>SMP Improvements
98: <ul>
1.15 benno 99: <li>Protect struct clockintr(9)_queue with a mutex so that arbitrary CPUs
100: can manipulate clock interrupts established on arbitrary CPU queues.
1.28 ! benno 101: <li>Pushed kernel lock into nd6_resolve().
! 102: <li>Removed kernel locks from the ARP input path.
! 103: <li>Pulled MP-safe arprequest() out of kernel lock.
1.1 deraadt 104: </ul>
105:
106: <li>Direct Rendering Manager and graphics drivers
107: <ul>
1.18 jsg 108: <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
109: to Linux 6.1.55
110: <li>Don't change end marker in sg_set_page(). Caused bad memory accesses
111: when using page flipping on Alder Lake and Raptor Lake.
1.1 deraadt 112: </ul>
113:
114: <li>VMM/VMD improvements
115: <ul>
1.21 schwarze 116: <li>Avoid use of uninitialised memory in
117: <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
1.15 benno 118: <li>Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm
119: object to be transmitted over an ipc channel.
1.1 deraadt 120: </ul>
121:
122: <li>Various new userland features:
123: <ul>
1.20 schwarze 124: <li>New ISO C11 header <code><uchar.h></code> declaring the
125: types <code>char32_t</code> and <code>char16_t</code> and the
126: functions <a href="https://man.openbsd.org/c32rtomb.3">c32rtomb(3)</a>,
127: <a href="https://man.openbsd.org/mbrtoc32.3">mbrtoc32(3)</a>,
128: <a href="https://man.openbsd.org/c16rtomb.3">c16rtomb(3)</a>, and
129: <a href="https://man.openbsd.org/mbrtoc16.3">mbrtoc16(3)</a>.
1.24 otto 130: <li><a href="https://man.openbsd.org/malloc.3">malloc(3)</a> gains built-in leak detection.
1.11 benno 131: <li>Update zoneinfo to tzdata2023c.
1.28 ! benno 132: <li>Improve the manpage documentation of <a href="https://man.openbsd.org/event.3">libevent</a> in manpages.
1.1 deraadt 133: </ul>
134:
135: <li>Various bugfixes and tweaks in userland:
136: <ul>
1.21 schwarze 137: <li>Refactoring and documenting of
138: <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> code,
139: to make it easier to maintain.
140: <li>In <a href="https://man.openbsd.org/clang.1">clang(1)</a>,
141: allow out-of-class defaulting of comparison operators,
1.11 benno 142: by ways of backporting an upstream commit.
1.21 schwarze 143: <li>Improve the code of
144: <a href="https://man.openbsd.org/aucat.1">aucat(1)</a>
145: and fix spelling mistakes.
1.11 benno 146: <li>Improve the code quality of find(1).
1.21 schwarze 147: <li>Many changes in <a href="https://man.openbsd.org/mg.1">mg(1)</a>:
1.11 benno 148: <ul>
1.21 schwarze 149: <li>Improve the readability of the code.
150: <li>Fall back to /bin/sh if $SHELL is undefined.
151: <li>Fix parsing of tag files with duplicate entries.
1.11 benno 152: Instead of erroring out ignore duplicates. Fixes using
153: /var/db/libc.tags again.
1.21 schwarze 154: <li>Change tagvisit (aka visit-tag-table) to immediately
1.11 benno 155: load the tag file, and drop the lazy mechanics.
1.21 schwarze 156: <li>Remove useless global variable.
157: <li>Plug memory leak.
158: <li>Replace strncpy() with strlcpy().
1.11 benno 159: <li>Skip checking permissions of conffile with access(2).
160: </ul>
1.16 jsg 161: <li>On aarch64 architectures improve how BTI control flow integrity
1.11 benno 162: enforcement is implemented in the executable entry point and enable
1.16 jsg 163: support for BTI control flow integrity checks in libc assembly
1.11 benno 164: functions.
1.28 ! benno 165: <li>In <a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> treat
! 166: symlinks in $ORIGIN determination the same way as other OS linkers do.
1.1 deraadt 167: </ul>
168:
169: <li>Improved hardware support and driver bugfixes, including:
170: <ul>
1.20 schwarze 171: <li>New <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>
172: nodes for battery management, <code>hw.battery.charge*</code>.
173: <li>Define fixed names for
174: <a href="https://man.openbsd.org/ucom.4">ucom(4)</a> USB serial
175: ports, make them discoverable via the new <code>hw.ucomnames</code>
176: <a href="https://man.openbsd.org/sysctl.2#HW_UCOMNAMES~2">sysctl(2)</a>,
177: and support them in <a href="https://man.openbsd.org/cu.1">cu(1)</a>.
1.28 ! benno 178: <li>Add support for the RK3568 32k RTC and other clocks in
1.21 schwarze 179: <a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
180: <li>In <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>,
181: attach Baikal-M PCIe.
1.11 benno 182: <li>In openfirmware, implement regulator notifiers which get called
183: when the voltage/current for a regulator is changed or when the
184: regulator gets initialized when it attaches for the first time. The
185: latter makes it possible to register a notifier for a regulator that
186: hasn't attached yet.
1.21 schwarze 187: <li>Add <a href="https://man.openbsd.org/rkiovd.4">rkiovd(4)</a>,
188: a driver for the I/O voltage domains on Rockchip SoCs.
189: <li>Add support for TEMPerGold 3.4 temperature sensor to
190: <a href="https://man.openbsd.org/ugold.4">ugold(4)</a>.
1.15 benno 191: <li>Ignore duplicate ACPI lid transitions as they can happen on Dell
192: Precision 5510 systems.
193: <li>Make RK3568 PCIe controllers run at the maximum possible speed
194: by using dwpcie_link_config() when initializing.
195: <li>In the Universal Flash Storage Host Controller Interface
1.21 schwarze 196: (<a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>),
197: enable Force Unit Access (FUA) for write commands.
1.28 ! benno 198: <li>Make SATA (<a href="https://man.openbsd.org/ahci.4">ahci(4)</a>)
! 199: work on a Banana Pi BPI-R2 Pro.
! 200: <li>In <a href="https://man.openbsd.org/umcs.4">umcs(4)</a>, set
! 201: parity bits correctly.
! 202: <li>Enable the caps lock LED on modern Apple laptop keyboards.
1.1 deraadt 203: </ul>
204:
205: <li>New or improved network hardware support:
206: <ul>
1.21 schwarze 207: <li>Fix <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>
208: on several boards that use
209: <a href="https://man.openbsd.org/rgephy.4">rgephy(4)</a> by configuring
1.11 benno 210: the RGMII interface before taking the PHY out of reset.
1.28 ! benno 211: <li>Improve <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a> and
! 212: determine PHY mode and pass the appropriate flags down to the PHY when
! 213: we attach it.
! 214: <li>Report in dmesg(8) on which gmac the dwqe driver is attaching to.
1.21 schwarze 215: <li>Document that Intel i226 adapters are supported by
216: <a href="https://man.openbsd.org/igc.4">igc(4)</a>.
217: <li>Add <a href="https://man.openbsd.org/ngbe.4">ngbe(4)</a>,
218: a driver for WangXun WX1860 PCI Express 10/100/1Gb Ethernet devices.
219: Also support it on amd64 install media.
220: <li>Add <a href="https://man.openbsd.org/rkusbphy.4">rkusbphy(4)</a>,
221: a driver for the usb2phy on Rockchip SoCs, and enable it on arm64.
222: <li>Add support for the RTL8211F-VD PHY in
223: <a href="https://man.openbsd.org/rgephy.4">rgephy(4)</a>.
1.15 benno 224: <li>In openfirmware, add glue for network interfaces to be found by
225: fdt/ofw node or phandle in order to support "switch chips" like the
226: marvell link street.
227: <li>Add support for enabling both the usb2 and usb3 phys in xhci and ehci.
1.1 deraadt 228: </ul>
229:
230: <li>Added or improved wireless network drivers:
231: <ul>
1.21 schwarze 232: <li>Improve how Quectel LTE&5G devices attach to
233: <a href="https://man.openbsd.org/umb.4">umb(4)</a>.
1.1 deraadt 234: </ul>
235:
236: <li>IEEE 802.11 wireless stack improvements and bugfixes:
237: <ul>
1.27 stsp 238: <li> Add support for RTL8188FTV devices to the
239: <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> driver.
240: <li>Attach Intel wireless devices with PCI product ID 0x51f1 to
241: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
242: <li>Fix a bug where <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
243: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> background
244: scan tasks were added to the wrong task queue.
245: <li>Fix a firmware error that occurred when an
246: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> interface
247: was brought down.
248: <li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware errors
249: triggered during background scans.
250: <li>Fix a crash in the <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
251: driver when userland attempts to inject frames via bpf in monitor mode.
1.1 deraadt 252: </ul>
253:
254: <li>Installer, upgrade and bootloader improvements:
255: <ul>
1.11 benno 256: <li>In the arm64 ramdisk, simplify apple firmware copying to make it
257: easier to add new firmware.
1.21 schwarze 258: <li>On armv7 and arm64, silence informational messages from
259: <a href="https://man.openbsd.org/dd.1">dd(1)</a>
1.11 benno 260: when zeroing a disk's first 1MB. Use character not block devices with
261: dd(1) like on other architectures.
262: <li>Refactor the code of md_installboot() on armv7 and arm64 to be
263: more in line with other architectures.
264: <li>Improve the dialogue of the installer without affecting
1.21 schwarze 265: <a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>
266: files.
267: <li>Enable <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>
268: on arm64 install media.
1.15 benno 269: <li>On arm64 pine64 boards, stop writing pine64 firmware to disk.
1.21 schwarze 270: <li>Make root on
271: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
272: installations boot out of the box on Raspberry Pis (arm64).
1.28 ! benno 273: <li>Support installations with root on
! 274: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
! 275: on arm64, tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
! 276: <li>When installing on encrypted
! 277: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>, determine
! 278: the disk for placing the root device automatically and make it default
! 279: as it is the only legit choice.
1.26 kn 280: <li>Add arm64 to the list of architectures with support for guided disk
281: encryption.
282: <li>Retain existing EFI System partitions on systems with APFSISC
283: partitions (arm64 Apple M1/M2) during installation with root on
284: <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
1.1 deraadt 285: </ul>
286:
287: <li>Security improvements:
288: <ul>
1.21 schwarze 289: <li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
1.24 otto 290: chunk sizes to be fine grained: chunk sizes are closer to the
291: requested allocation size.
1.21 schwarze 292: <li>In <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>,
293: check all chunks in the delayed free list for write-after-free.
1.1 deraadt 294: </ul>
295:
296: <li>Changes in the network stack:
297: <ul>
1.21 schwarze 298: <li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>,
299: when redirecting locally generated IP packets to
1.15 benno 300: userland with divert-packet rules, the packets may have no checksum
1.17 jsg 301: due to hardware offloading. Calculate the checksum in that case.
1.21 schwarze 302: <li>Sync the use of
303: <a href="https://man.openbsd.org/getuptime.9">getuptime(9)</a>
304: in the Neighbour Discovery (ND) code with ARP.
305: <li>In the IPv6 forwarding code, call
306: <a href="https://man.openbsd.org/getuptime.9">getuptime(9)</a>
307: once for consistency with IPv4.
1.28 ! benno 308: <li>ARP has a queue of packets that should be sent after name
! 309: resolution. Neighbor discovery (ND6) did only hold a single packet.
! 310: Unified the code, added a queue to ND6 and made the code MP safe.
! 311: <li>Implemented new sysctl net.inet6.icmp6.nd6_queued to show he
! 312: number of packets waiting for an ND6 response, analog to ARP.
! 313:
1.15 benno 314:
1.1 deraadt 315: </ul>
316:
317: <li>Routing daemons and other userland network improvements:
318: <ul>
319: <li>IPsec support was improved:
320: <ul>
1.21 schwarze 321: <li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>,
322: avoid a double free in ec_init() when using the OpenSSL API.
323: <li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>,
324: do not treat the return value of
325: <a href="https://man.openbsd.org/i2d_ECDSA_SIG.3"
326: >i2d_ECDSA_SIG(3)</a> as a length as it can be negative.
327: <li>Prepare <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>
328: for a libcrypto library that is lacking binary field support.
329: <li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>,
330: avoid a potential crash by adding a missing NULL check.
1.11 benno 331:
1.1 deraadt 332: </ul>
333: <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
334: <ul>
1.22 claudio 335: <li>Add first version of flowspec support. Right now only announcement
336: of flowspec rules is possible.
337: <li>Update ASPA support to follow draft-ietf-sidrops-aspa-verification-16
338: and draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup
339: tables AFI-agnostic.
340: <li>Rework UPDATE message generation to use the new ibuf API instead
341: of the hand-rolled solution before.
342: <li>Fix <code>ext-community * *</code> matching which also affects
343: filters removing all ext-commuinites.
344: <li>Improve and extend the bgpctl parser to handle commands like
345: <code>bgpctl show rib 192.0.2.0/24 detail</code>.
346: Also add various flowspec specific commands.
347: <li>Introduce a semaphore to protect intermittent RTR session data
348: from being published to the RDE.
349: <li>Limit the socket buffer size to 64k for all sessions.
350: Limiting the buffer size to a reasonable size ensures that not
351: too many updates end up queued in the TCP stack.
352: <li>Adjusted example <code>GRACEFUL_SHUTDOWN</code> filter rule in
353: the example config to only match on ebgp sessions.
1.1 deraadt 354: </ul>
355: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
356: <ul>
1.23 claudio 357: <li>A 30%-50% performance improvement was achieved through libcrypto's
358: partial chains certificate validation feature. Already validated
359: non-inheriting CA certificates are now marked as trusted roots. This
360: way it can be ensured that a leaf's delegated resources are properly
361: covered, and at the same time most validation paths are
362: significantly shortened.
363: <li>Support for gzip and deflate HTTP Content-Encoding compression was
364: added. This allows web servers to send RRDP XML in compressed form,
365: saving around 50% of bandwidth.
366: <li>ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
367: As part of supporting AFI-agnostic ASPAs, the JSON syntax for
368: Validated ASPA Payloads changed in both filemode and normal output.
369: <li>In filemode (-f option) the applicable manifests are now shown as
370: part of the signature path.
371: <li>A new -P option was added to manually specify a moment in time
372: to use when parsing the validity window of certificates. Useful
373: for regression testing. Default is invocation time of rpki-client.
374: <li>The -A option will now also exclude ASPA data from the JSON output.
375: <li>The synchronisation protocol used to sync the repository is now
376: included in the OpenMetrics output.
377: <li>Improved accounting by tracking objects both by repo and tal.
378: <li>Check whether products listed on a manifest were issued by the same
379: authority as the manifest itself.
380: <li>File modification timestamps of objects retrieved via RRDP are now
381: deterministically set to prepare the on-disk cache for seamless
382: failovers from RRDP to RSYNC.
383: <li>Improved detection of RRDP session desynchronization: a check was
384: added to compare whether the delta hashes associated to previously
385: seen serials are different in newly fetched notification files.
386: <li>Improved handling of RRDP deltas in which objects are published,
387: withdrawn, and published again.
388: <li>Disallow X.509 v2 issuer and subject unique identifiers in certs.
389: RPKI CAs will never issue certificates with V2 unique identifiers.
390: <li>A check to disallow duplicate X.509 certificate extensions was
391: added.
392: <li>A check to disallow empty sets of IP Addresses or AS numbers in RFC
393: 3779 extensions was added.
394: <li>A warning is printed when the CMS signing-time attribute in a Signed
395: Object is missing.
396: <li>Warnings about unrecoverable message digest mismatches now include
397: the manifestNumber to aid debugging the cause.
398: <li>A check was added to disallow multiple RRDP publish elements for the
399: same file in RRDP snapshots. If this error condition is encountered,
400: the RRDP transfer is failed and the RP falls back to rsync.
401: <li>A compliance check for the proper X.509 Certificate version and CRL
402: version was added.
403: <li>A compliance check was added to ensure CMS Signed Objects contain
404: SignedData, in accordance to RFC 6488 section 3 checklist item 1a.
405: <li>Compliance checks were added for the version, KeyUsage, and
406: ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
407: Objects.
408: <li>A CMS signing-time value being after the X.509 notAfter timestamp
409: was downgraded from an error to a warning.
410: <li>A bug was fixed in the handling of CA certificates which inherit IP
411: resources.
412: <li>A compliance check was added to ensure the X.509 Subject only
413: contains commonName and optionally serialNumber.
414: <li>A compliance check was added to ensure the CMS SignedData and
415: SignerInfo versions to be 3.
416: <li>Fisher-Yates shuffle the order in which Manifest entries are
417: processed. Previously, work items were enqueued in the order the CA
418: intended them to appear on a Manifest. However, there is no obvious
419: benefit to third parties deciding the order in which things are
420: processed.
1.1 deraadt 421: </ul>
422:
423: <li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>,
424: <ul>
425: <li>...
426: </ul>
427:
1.21 schwarze 428: <li>Make <a href="https://man.openbsd.org/dig.1">dig(1)</a>
429: use less deprecated LibreSSL API.
430: <li>In <a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>,
431: reduce memory usage when updating larger directories.
432: <li>Remove stylistic differences between
433: <a href="https://man.openbsd.org/arp.8">arp(8)</a> and
434: <a href="https://man.openbsd.org/ndp.8">ndp(8)</a> delete()
1.15 benno 435: function. This makes it easier to spot real changes in behavior.
1.21 schwarze 436: <li>Make <a href="https://man.openbsd.org/ndp.8">ndp(8)</a>
437: not remove cloning routes when no neighbor entry is
1.15 benno 438: found with <code>ndp -d</code>.
1.1 deraadt 439: </ul>
440:
441: <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
442: <ul>
1.11 benno 443: <li>For passthrough, don't write to clients attached to different sessions.
444: <li>Add a format to show if there are unseen changes while in a mode.
1.1 deraadt 445: </ul>
446:
1.7 tb 447: <li>LibreSSL version 3.8.2
1.1 deraadt 448: <ul>
1.7 tb 449: <li>Security fixes
450: <ul>
451: <li>Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
452: be selected for use.
453: <li>BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
454: 32 kbits for primality. This mitigates various DoS vectors.
455: <li>Restricted the RFC 3779 code to IPv4 and IPv6. It was not written
456: to be able to deal with anything else.
457: </ul>
458: <li>Portable changes
459: <ul>
460: <li>Extended the endian.h compat header with hto* and *toh macros.
461: <li>Adapted more tests to the portable framework.
462: <li>Internal tools are now statically linked.
463: <li>Applications bundled as part of the LibreSSL package internally,
464: nc(1) and openssl(1), now are linked statically if static libraries
465: are built.
466: <li>Internal compatibility function symbols are no longer exported from
467: libcrypto. Instead, the libcompat library is linked to libcrypto,
468: libssl, and libtls separately. This increases size a little, but
469: ensures that the libraries are not exporting symbols to programs
470: unintentionally.
471: <li>Selective removal of CET implementation on platforms where it is
472: not supported (macOS).
473: <li>Integrated four more tests.
474: <li>Added Windows ARM64 architecture to tested platforms.
475: <li>Removed Solaris 10 support, fixed Solaris 11.
476: <li>libtls no longer links statically to libcrypto / libssl unless
477: <code>--enable-libtls-only</code> is specified at configure time.
478: <li>Improved Windows compatibility library, namely handling of files vs
479: sockets, correcting an exception when operating on a closed socket.
480: <li>CMake builds no longer hardcode <code>-O2</code> into the compiler flags,
481: instead using flags from the CMake build type instead.
482: <li>Set the CMake default build type to <code>Release</code>. This can be overridden
483: during configuration.
484: <li>Fixed broken ASM support with MinGW builds.
485: </ul>
1.1 deraadt 486: <li>New features
487: <ul>
1.7 tb 488: <li>Added support for truncated SHA-2 and for SHA-3.
489: <li>The BPSW primality test performs additional Miller-Rabin rounds
490: with random bases to reduce the likelihood of composites passing.
491: <li>Allow testing of ciphers and digests using badly aligned buffers
492: in openssl speed using -unalign.
493: <li>Ed25519 certificates are now supported in openssl(1) ca and req.
494: Prepared Ed25519 support in libssl.
495: <li>Add branch target information (BTI) support to amd64 and arm64
496: assembly.
1.1 deraadt 497: </ul>
498: <li>Compatibility changes
499: <ul>
1.7 tb 500: <li>Added a workaround for a poorly thought-out change in OpenSSL 3 that
501: broke privilege separation support in libtls.
502: <li>Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
503: <li>Removed GF2m support: BIGNUM no longer supports binary extension
504: field arithmetic and all binary elliptic builtin curves were removed.
505: <li>Removed dangerous, "fast" NIST prime and elliptic curve implementations.
506: In particular, EC_GFp_nist_method() is no longer available.
507: <li>Removed most public symbols that were deprecated in OpenSSL 0.9.8.
508: <li>Removed the public X9.31 API (RSA_X931_PADDING is still available).
509: <li>Removed Cipher Text Stealing mode.
510: <li>Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD.
511: <li>Removed COMP, DSO, dynamic loading of conf modules and support for
512: custom ex_data and error stacks.
513: <li>Removed proxy certificate (RFC 3820) support.
514: <li>Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
1.8 tb 515: openssl(1) nseq command.
1.7 tb 516: <li>ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
517: of this, some stub functions are provided to avoid patching some
518: applications that do not honor OPENSSL_NO_ENGINE.
519: <li>The POLICY_TREE and its related structures and API were removed.
520: <li>In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
521: host list.
522: <li>Made CRYPTO_get_ex_new_index() not return 0 to allow applications
523: to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
524: each other.
525: <li>X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
526: valid UTF-8 without embedded NUL.
527: <li>The explicitText user notice uses UTF8String instead of VisibleString
528: to reduce the risk of emitting certificates with invalid DER-encoding.
529: <li>Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
530: compliant with RFC 8446.
531: <li>Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
532: EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
1.1 deraadt 533: </ul>
1.7 tb 534: <li>Internal improvements
1.1 deraadt 535: <ul>
1.7 tb 536: <li>Improved sieve of Eratosthenes script used for generating a table
537: of small primes.
538: <li>Removed incomplete and dangerous BN_RECURSION code.
539: <li>Imported RFC 5280 policy checking code from BoringSSL and used it
540: to replace the old exponential time code.
541: <li>Converted more of libcrypto to use CBB/CBS.
542: <li>Started cleaning up and rewriting SHA internals.
543: <li>Reduced the dependency of hash implementations on many layers of
544: macros. This results in significant speedups since modern compilers
545: are now less confused.
546: <li>Improved BIGNUM internals and performance.
547: <li>Significantly simplified the BN_BLINDING internals used in RSA.
548: <li>Made BN_num_bits() independent of bn->top.
549: <li>Rewrote and simplified bn_sqr().
550: <li>Significantly improved Montgomery multiplication performance.
551: <li>Rewrote and improved BN_exp() and BN_copy().
552: <li>Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
553: Ed25519 and fixed a few bugs in there.
554: <li>Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous
555: memory leaks, fixed logic errors and inconsistencies.
556: <li>Cleaned up and simplified various ECDH and ECDSA internals.
557: <li>Removed EC_GROUP precomp machinery.
558: <li>Fixed various issues with EVP_PKEY_CTX_{new,dup}().
559: <li>Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
560: <li>Improved X.509 certificate version checks.
561: <li>Ensure no X.509v3 extensions appear more than once in certificates.
562: <li>Replaced ASN1_bn_print with a cleaner internal implementation.
563: <li>Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
564: <li>Improved checks for commonName in libtls.
565: <li>Fixed error check for X509_get_ext_d2i() failure in libtls.
566: <li>Removed code guarded by #ifdef ZLIB.
567: <li>Plug a potential memory leak in ASN1_TIME_normalize().
568: <li>Fixed a use of uninitialized in i2r_IPAddrBlocks().
569: <li>Rewrote CMS_SignerInfo_{sign,verify}().
1.1 deraadt 570: </ul>
1.7 tb 571: <li>Bug fixes
1.1 deraadt 572: <ul>
1.7 tb 573: <li>Correctly handle negative input to various BIGNUM functions.
574: <li>Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
575: <li>Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
1.8 tb 576: <li>Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing of result
577: and modulus in various BN_mod_* functions.
1.7 tb 578: <li>Fixed detection of extended operations (XOP) on AMD hardware.
579: <li>Ensure Montgomery exponentiation is used for the initial RSA blinding.
580: <li>Policy is always checked in X509 validation. Critical policy extensions
581: are no longer silently ignored.
582: <li>Fixed error handling in tls_check_common_name().
583: <li>Add missing pointer invalidation in SSL_free().
584: <li>Fixed X509err() and X509V3err() and their internal versions.
585: <li>Ensure that OBJ_obj2txt() always returns a C string again.
586: <li>Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
587: <li>On socket errors in the poll loop, netcat could issue system calls
588: on invalidated file descriptors.
589: <li>Allow IP addresses to be specified in a URI.
590: <li>Fixed a copy-paste error in ASN1_TIME_compare() that could lead
591: to two UTCTimes or two GeneralizedTimes incorrectly being compared
592: as equal.
593: </ul>
594: <li>Documentation improvements
595: <ul>
596: <li>Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
597: BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
598: <li>Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
599: undocumented.
600: <li>Made it very explicit that the verify callback should not be used.
601: <li>Called out that the CRL lastUpdate is standardized as thisUpdate.
602: <li>Documented the RFC 3779 API and its shortcomings.
603: </ul>
604: <li>Testing and Proactive Security
605: <ul>
606: <li>Significantly improved test coverage of BN_mod_sqrt() and GCD.
607: <li>As always, new test coverage is added as bugs are fixed and subsystems
608: are cleaned up.
1.1 deraadt 609: </ul>
610: </ul>
611:
1.13 dtucker 612: <li>OpenSSH 9.5 and OpenSSH 9.4
1.1 deraadt 613: <ul>
1.12 dtucker 614: <li>Potentially incompatible changes
1.1 deraadt 615: <ul>
1.12 dtucker 616: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
617: generate Ed25519 keys by default. Ed25519 public keys
618: are very convenient due to their small size. Ed25519 keys are
619: specified in RFC 8709 and OpenSSH has supported them since version 6.5
620: (January 2014).
621: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
622: the Subsystem directive now accurately preserves quoting of
623: subsystem commands and arguments. This may change behaviour for exotic
624: configurations, but the most common subsystem configuration
625: (sftp-server) is unlikely to be affected.
1.13 dtucker 626: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
627: PKCS#11 modules must now be specified by their full
628: paths. Previously dlopen(3) could search for them in system
629: library directories.
1.1 deraadt 630: </ul>
1.12 dtucker 631: <li>New features
1.1 deraadt 632: <ul>
1.12 dtucker 633: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
634: add keystroke timing obfuscation to the client. This attempts
635: to hide inter-keystroke timings by sending interactive traffic at
636: fixed intervals (default: every 20ms) when there is only a small
637: amount of data being sent. It also sends fake "chaff" keystrokes for
638: a random interval after the last real keystroke. These are
639: controlled by a new ssh_config ObscureKeystrokeTiming keyword.
640: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
641: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
642: Introduce a transport-level ping facility. This adds
643: a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
644: implement a ping capability. These messages use numbers in the "local
645: extensions" number space and are advertised using a "ping@openssh.com"
646: ext-info message with a string version number of "0".
1.13 dtucker 647: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
648: allow override of Subsystem directives in sshd Match blocks.
649: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
650: allow forwarding Unix Domain sockets via ssh -W.
651: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
652: add support for configuration tags to ssh(1).
653: This adds a ssh_config(5) "Tag" directive and corresponding
654: "Match tag" predicate that may be used to select blocks of
655: configuration similar to the pf.conf(5) keywords of the same
656: name.
657: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
658: add a "match localnetwork" predicate. This allows matching
659: on the addresses of available network interfaces and may be used to
660: vary the effective client configuration based on network location.
661: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
662: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
663: <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
664: infrastructure support for KRL
665: extensions. This defines wire formats for optional KRL extensions
666: and implements parsing of the new submessages. No actual extensions
667: are supported at this point.
668: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
669: AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
670: accept two additional %-expansion sequences: %D which expands to
671: the routing domain of the connected session and %C which expands
672: to the addresses and port numbers for the source and destination
673: of the connection.
674: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
675: increase the default work factor (rounds) for the
676: bcrypt KDF used to derive symmetric encryption keys for passphrase
677: protected key files by 50%.
1.1 deraadt 678: </ul>
679: <li>Bugfixes
680: <ul>
1.12 dtucker 681: <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
682: fix scp in SFTP mode recursive upload and download of
683: directories that contain symlinks to other directories. In scp mode,
684: the links would be followed, but in SFTP mode they were not.
685: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
686: handle cr+lf (instead of just cr) line endings in
687: sshsig signature files.
688: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
689: interactive mode for ControlPersist sessions if they
690: originally requested a tty.
691: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
692: make PerSourceMaxStartups first-match-wins
693: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
694: limit artificial login delay to a reasonable maximum (5s)
695: and don't delay at all for the "none" authentication mechanism.
1.13 dtucker 696: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
697: Log errors in kex_exchange_identification() with level
1.12 dtucker 698: verbose instead of error to reduce preauth log spam. All of those
699: get logged with a more generic error message by sshpkt_fatal().
700: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
701: correct math for ClientAliveInterval that caused the probes
702: to be sent less frequently than configured.
1.13 dtucker 703: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
704: improve isolation between loaded PKCS#11 modules
705: by running separate ssh-pkcs11-helpers for each loaded provider.
706: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
707: make -f (fork after authentication) work correctly with
708: multiplexed connections, including ControlPersist.
709: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
710: make ConnectTimeout apply to multiplexing sockets and not
711: just to network connections.
712: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
713: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
714: improve defences against invalid PKCS#11
715: modules being loaded by checking that the requested module
716: contains the required symbol before loading it.
717: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
718: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
719: appears before it in sshd_config. Since OpenSSH 8.7 the
720: AuthorizedPrincipalsCommand directive was incorrectly ignored in
721: this situation.
722: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
723: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
724: <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1.16 jsg 725: remove vestigial support for KRL
1.13 dtucker 726: signatures When the KRL format was originally defined, it included
727: support for signing of KRL objects. However, the code to sign KRLs
1.16 jsg 728: and verify KRL signatures was never completed in OpenSSH. This
1.13 dtucker 729: release removes the partially-implemented code to verify KRLs.
730: All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
731: KRL files.
732: <li>All: fix a number of memory leaks and unreachable/harmless integer
733: overflows.
734: <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
735: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
736: don't truncate strings logged from PKCS#11 modules
737: <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
738: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
739: better validate CASignatureAlgorithms in
740: ssh_config and sshd_config. Previously this directive would accept
741: certificate algorithm names, but these were unusable in practice as
742: OpenSSH does not support CA chains.
743: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
744: make <code>ssh -Q CASignatureAlgorithms</code> only list signature
745: algorithms that are valid for CA signing. Previous behaviour was
746: to list all signing algorithms, including certificate algorithms.
747: <li><a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>:
748: gracefully handle systems where rlimits or the
749: maximum number of open files is larger than INT_MAX
750: <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
751: fix "no comment" not showing on when running
752: <code>ssh-keygen -l</code> on multiple keys where one has a comment
753: and other following keys do not.
754: <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>,
1.14 dtucker 755: <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
1.13 dtucker 756: adjust ftruncate() logic to handle servers that
757: reorder requests. Previously, if the server reordered requests then
758: the resultant file would be erroneously truncated.
759: <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
760: don't incorrectly disable hostname canonicalization when
1.16 jsg 761: CanonicalizeHostname=yes and ProxyJump was explicitly set to
1.13 dtucker 762: "none".
763: <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
764: when copying local to remote, check that the source file
765: exists before opening an SFTP connection to the server.
1.1 deraadt 766: </ul>
767: </ul>
768:
769: <li>Ports and packages:
770: <p>Many pre-built packages for each architecture:
771: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
772: <ul style="column-count: 3">
1.25 naddy 773: <li>aarch64: 11508
774: <li>amd64: 11845
1.1 deraadt 775: <li>arm:
1.25 naddy 776: <li>i386: 10603
1.1 deraadt 777: <li>mips64:
778: <li>powerpc:
779: <li>powerpc64:
780: <li>riscv64:
781: <li>sparc64:
782: </ul>
783:
784: <p>Some highlights:
1.7 tb 785: <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2023-03-04 -->
1.6 matthieu 786: <li>Asterisk 16.30.1, 18.19.0 and 20.4.0
1.5 matthieu 787: <li>Audacity 3.3.3
788: <li>CMake 3.27.5
1.10 matthieu 789: <li>Chromium 117.0.5838.149
1.5 matthieu 790: <li>Emacs 29.1
791: <li>FFmpeg 4.4.4
1.1 deraadt 792: <li>GCC 8.4.0 and 11.2.0
1.5 matthieu 793: <li>GHC 9.2.7
794: <li>GNOME 44
795: <li>Go 1.21.1
796: <li>JDK 8u382, 11.0.20 and 17.0.8
797: <li>KDE Applications 23.08.0
1.1 deraadt 798: <li>KDE Frameworks 5.98.0
1.5 matthieu 799: <li>Krita 5.1.5
800: <li>LLVM/Clang 13.0.0 and 16.0.6
801: <li>LibreOffice 7.6.2.1
802: <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
803: <li>MariaDB 10.9.6
804: <li>Mono 6.12.0.199
805: <li>Mozilla Firefox 118.0.1 and ESR 115.3.1
806: <li>Mozilla Thunderbird 115.3.1
807: <li>Mutt 2.2.12 and NeoMutt 20230517
808: <li>Node.js 18.18.0
1.1 deraadt 809: <li>OCaml 4.12.1
1.5 matthieu 810: <li>OpenLDAP 2.6.6
811: <li>PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
812: <li>Postfix 3.7.3
813: <li>PostgreSQL 15.4
814: <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
815: <li>Qt 5.15.10 and 6.5.2
816: <li>R 4.2.3
817: <li>Ruby 3.0.6, 3.1.4 and 3.2.2
818: <li>Rust 1.72.1
1.9 lteo 819: <li>SQLite 3.42.0
1.5 matthieu 820: <li>Shotcut 23.07.29
821: <li>Sudo 1.9.14.2
822: <li>Suricata 6.0.12
823: <li>Tcl/Tk 8.5.19 and 8.6.13
824: <li>TeX Live 2022
825: <li>Vim 9.0.1897 and Neovim 0.9.1
826: <li>Xfce 4.18
1.1 deraadt 827: </ul>
828: <p>
829:
830: <li>As usual, steady improvements in manual pages and other documentation.
831:
832: <li>The system includes the following major components from outside suppliers:
1.7 tb 833: <ul><!-- XXX all need to be checked/updated 2023-03-04 -->
1.5 matthieu 834: <li>Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
835: freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
1.1 deraadt 836: xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
837: <li>LLVM/Clang 13.0.0 (+ patches)
838: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.5 matthieu 839: <li>Perl 5.36.1 (+ patches)
840: <li>NSD 4.7.0
841: <li>Unbound 1.18.0
1.1 deraadt 842: <li>Ncurses 5.7
843: <li>Binutils 2.17 (+ patches)
844: <li>Gdb 6.3 (+ patches)
1.5 matthieu 845: <li>Awk September 12, 2023
846: <li>Expat 2.5.0
1.1 deraadt 847: </ul>
848:
849: </ul>
850: </section>
851:
852: <hr>
853:
854: <section id=install>
855: <h3>How to install</h3>
856: <p>
857: Please refer to the following files on the mirror site for
858: extensive details on how to install OpenBSD 7.4 on your machine:
859:
860: <ul>
861: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/alpha/INSTALL.alpha">
1.2 jsg 862: .../OpenBSD/7.4/alpha/INSTALL.alpha</a>
1.1 deraadt 863: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/amd64/INSTALL.amd64">
1.2 jsg 864: .../OpenBSD/7.4/amd64/INSTALL.amd64</a>
1.1 deraadt 865: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/arm64/INSTALL.arm64">
1.2 jsg 866: .../OpenBSD/7.4/arm64/INSTALL.arm64</a>
1.1 deraadt 867: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/armv7/INSTALL.armv7">
1.2 jsg 868: .../OpenBSD/7.4/armv7/INSTALL.armv7</a>
1.1 deraadt 869: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/hppa/INSTALL.hppa">
1.2 jsg 870: .../OpenBSD/7.4/hppa/INSTALL.hppa</a>
1.1 deraadt 871: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/i386/INSTALL.i386">
1.2 jsg 872: .../OpenBSD/7.4/i386/INSTALL.i386</a>
1.1 deraadt 873: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/landisk/INSTALL.landisk">
1.2 jsg 874: .../OpenBSD/7.4/landisk/INSTALL.landisk</a>
1.1 deraadt 875: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/loongson/INSTALL.loongson">
1.2 jsg 876: .../OpenBSD/7.4/loongson/INSTALL.loongson</a>
1.1 deraadt 877: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/luna88k/INSTALL.luna88k">
1.2 jsg 878: .../OpenBSD/7.4/luna88k/INSTALL.luna88k</a>
1.1 deraadt 879: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/macppc/INSTALL.macppc">
1.2 jsg 880: .../OpenBSD/7.4/macppc/INSTALL.macppc</a>
1.1 deraadt 881: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/octeon/INSTALL.octeon">
1.2 jsg 882: .../OpenBSD/7.4/octeon/INSTALL.octeon</a>
1.1 deraadt 883: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/powerpc64/INSTALL.powerpc64">
1.2 jsg 884: .../OpenBSD/7.4/powerpc64/INSTALL.powerpc64</a>
1.1 deraadt 885: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/riscv64/INSTALL.riscv64">
1.2 jsg 886: .../OpenBSD/7.4/riscv64/INSTALL.riscv64</a>
1.1 deraadt 887: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/sparc64/INSTALL.sparc64">
1.2 jsg 888: .../OpenBSD/7.4/sparc64/INSTALL.sparc64</a>
1.1 deraadt 889: </ul>
890: </section>
891:
892: <hr>
893:
894: <section id=quickinstall>
895: <p>
896: Quick installer information for people familiar with OpenBSD, and the use of
897: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
898: If you are at all confused when installing OpenBSD, read the relevant
899: INSTALL.* file as listed above!
900:
901: <h3>OpenBSD/alpha:</h3>
902:
903: <p>
904: If your machine can boot from CD, you can write <i>install74.iso</i> or
905: <i>cd74.iso</i> to a CD and boot from it.
906: Refer to INSTALL.alpha for more details.
907:
908: <h3>OpenBSD/amd64:</h3>
909:
910: <p>
911: If your machine can boot from CD, you can write <i>install74.iso</i> or
912: <i>cd74.iso</i> to a CD and boot from it.
913: You may need to adjust your BIOS options first.
914:
915: <p>
916: If your machine can boot from USB, you can write <i>install74.img</i> or
917: <i>miniroot74.img</i> to a USB stick and boot from it.
918:
919: <p>
920: If you can't boot from a CD, floppy disk, or USB,
921: you can install across the network using PXE as described in the included
922: INSTALL.amd64 document.
923:
924: <p>
925: If you are planning to dual boot OpenBSD with another OS, you will need to
926: read INSTALL.amd64.
927:
928: <h3>OpenBSD/arm64:</h3>
929:
930: <p>
931: Write <i>install74.img</i> or <i>miniroot74.img</i> to a disk and boot from it
932: after connecting to the serial console. Refer to INSTALL.arm64 for more
933: details.
934:
935: <h3>OpenBSD/armv7:</h3>
936:
937: <p>
938: Write a system specific miniroot to an SD card and boot from it after connecting
939: to the serial console. Refer to INSTALL.armv7 for more details.
940:
941: <h3>OpenBSD/hppa:</h3>
942:
943: <p>
944: Boot over the network by following the instructions in INSTALL.hppa or the
945: <a href="hppa.html#install">hppa platform page</a>.
946:
947: <h3>OpenBSD/i386:</h3>
948:
949: <p>
950: If your machine can boot from CD, you can write <i>install74.iso</i> or
951: <i>cd74.iso</i> to a CD and boot from it.
952: You may need to adjust your BIOS options first.
953:
954: <p>
955: If your machine can boot from USB, you can write <i>install74.img</i> or
956: <i>miniroot74.img</i> to a USB stick and boot from it.
957:
958: <p>
959: If you can't boot from a CD, floppy disk, or USB,
960: you can install across the network using PXE as described in
961: the included INSTALL.i386 document.
962:
963: <p>
964: If you are planning on dual booting OpenBSD with another OS, you will need to
965: read INSTALL.i386.
966:
967: <h3>OpenBSD/landisk:</h3>
968:
969: <p>
970: Write <i>miniroot74.img</i> to the start of the CF
971: or disk, and boot normally.
972:
973: <h3>OpenBSD/loongson:</h3>
974:
975: <p>
976: Write <i>miniroot74.img</i> to a USB stick and boot bsd.rd from it
977: or boot bsd.rd via tftp.
978: Refer to the instructions in INSTALL.loongson for more details.
979:
980: <h3>OpenBSD/luna88k:</h3>
981:
982: <p>
983: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
984: from the PROM, and then bsd.rd from the bootloader.
985: Refer to the instructions in INSTALL.luna88k for more details.
986:
987: <h3>OpenBSD/macppc:</h3>
988:
989: <p>
990: Burn the image from a mirror site to a CDROM, and power on your machine
991: while holding down the <i>C</i> key until the display turns on and
992: shows <i>OpenBSD/macppc boot</i>.
993:
994: <p>
995: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1.2 jsg 996: /7.4/macppc/bsd.rd</i>
1.1 deraadt 997:
998: <h3>OpenBSD/octeon:</h3>
999:
1000: <p>
1001: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1002: Refer to the instructions in INSTALL.octeon for more details.
1003:
1004: <h3>OpenBSD/powerpc64:</h3>
1005:
1006: <p>
1007: To install, write <i>install74.img</i> or <i>miniroot74.img</i> to a
1008: USB stick, plug it into the machine and choose the <i>OpenBSD
1009: install</i> menu item in Petitboot.
1010: Refer to the instructions in INSTALL.powerpc64 for more details.
1011:
1012: <h3>OpenBSD/riscv64:</h3>
1013:
1014: <p>
1015: To install, write <i>install74.img</i> or <i>miniroot74.img</i> to a
1016: USB stick, and boot with that drive plugged in.
1017: Make sure you also have the microSD card plugged in that shipped with the
1018: HiFive Unmatched board.
1019: Refer to the instructions in INSTALL.riscv64 for more details.
1020:
1021: <h3>OpenBSD/sparc64:</h3>
1022:
1023: <p>
1024: Burn the image from a mirror site to a CDROM, boot from it, and type
1025: <i>boot cdrom</i>.
1026:
1027: <p>
1028: If this doesn't work, or if you don't have a CDROM drive, you can write
1029: <i>floppy74.img</i> or <i>floppyB74.img</i>
1030: (depending on your machine) to a floppy and boot it with <i>boot
1031: floppy</i>. Refer to INSTALL.sparc64 for details.
1032:
1033: <p>
1034: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1035: will most likely fail.
1036:
1037: <p>
1038: You can also write <i>miniroot74.img</i> to the swap partition on
1039: the disk and boot with <i>boot disk:b</i>.
1040:
1041: <p>
1042: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1043: </section>
1044:
1045: <hr>
1046:
1047: <section id=upgrade>
1048: <h3>How to upgrade</h3>
1049: <p>
1.3 jsg 1050: If you already have an OpenBSD 7.3 system, and do not want to reinstall,
1.1 deraadt 1051: upgrade instructions and advice can be found in the
1052: <a href="faq/upgrade74.html">Upgrade Guide</a>.
1053: </section>
1054:
1055: <hr>
1056:
1057: <section id=sourcecode>
1058: <h3>Notes about the source code</h3>
1059: <p>
1060: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1061: This file contains everything you need except for the kernel sources,
1062: which are in a separate archive.
1063: To extract:
1064: <blockquote><pre>
1065: # <kbd>mkdir -p /usr/src</kbd>
1066: # <kbd>cd /usr/src</kbd>
1067: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1068: </pre></blockquote>
1069: <p>
1070: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1071: This file contains all the kernel sources you need to rebuild kernels.
1072: To extract:
1073: <blockquote><pre>
1074: # <kbd>mkdir -p /usr/src/sys</kbd>
1075: # <kbd>cd /usr/src</kbd>
1076: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1077: </pre></blockquote>
1078: <p>
1079: Both of these trees are a regular CVS checkout. Using these trees it
1080: is possible to get a head-start on using the anoncvs servers as
1081: described <a href="anoncvs.html">here</a>.
1082: Using these files
1083: results in a much faster initial CVS update than you could expect from
1084: a fresh checkout of the full OpenBSD source tree.
1085: </section>
1086:
1087: <hr>
1088:
1089: <section id=ports>
1090: <h3>Ports Tree</h3>
1091: <p>
1092: A ports tree archive is also provided. To extract:
1093: <blockquote><pre>
1094: # <kbd>cd /usr</kbd>
1095: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1096: </pre></blockquote>
1097: <p>
1098: Go read the <a href="faq/ports/index.html">ports</a> page
1099: if you know nothing about ports
1100: at this point. This text is not a manual of how to use ports.
1101: Rather, it is a set of notes meant to kickstart the user on the
1102: OpenBSD ports system.
1103: <p>
1104: The <i>ports/</i> directory represents a CVS checkout of our ports.
1105: As with our complete source tree, our ports tree is available via
1106: <a href="anoncvs.html">AnonCVS</a>.
1107: So, in order to keep up to date with the -stable branch, you must make
1108: the <i>ports/</i> tree available on a read-write medium and update the tree
1109: with a command like:
1110: <blockquote><pre>
1111: # <kbd>cd /usr/ports</kbd>
1.2 jsg 1112: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_4</kbd>
1.1 deraadt 1113: </pre></blockquote>
1114: <p>
1115: [Of course, you must replace the server name here with a nearby anoncvs
1116: server.]
1117: <p>
1118: Note that most ports are available as packages on our mirrors. Updated
1119: ports for the 7.4 release will be made available if problems arise.
1120: <p>
1121: If you're interested in seeing a port added, would like to help out, or just
1122: would like to know more, the mailing list
1123: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1124: </section>
1125: </body>
1126: </html>