File: www/74.html

Revision 1.20, Wed Oct 11 13:39:03 2023 UTC (7 months, 2 weeks ago) by schwarze
Branch: MAIN
Changes since 1.19: +13 -5 lines

mention <uchar.h>, hw.battery, and hw.ucomnames;
drop empty mandoc(1) section

<!doctype html>
<html lang=en id=release>
<head>
<meta charset=utf-8>

<title>OpenBSD 7.4</title>
<meta name="description" content="OpenBSD 7.4">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/74.html">
</head><body>
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.4
</h2>

<table>
<tr>
<td>
<a href="images/XXX.png">
<img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
<td>
Released Oct XXX, 2023. (55th OpenBSD release)<br>
Copyright 1997-2023, Theo de Raadt.<br>
<br>
Artwork by Jessica Scott.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.4/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata74.html">the 7.4 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus74.html">detailed log of changes</a> between the
    7.3 and 7.4 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class=signify>
<tr><td>
openbsd-74-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/openbsd-74-base.pub">
RWRoyQmAD08ajTqgzK3UcWaVlwaJMckH9/CshU8Md5pN1GoIrcBdTF+c</a>
<tr><td>
openbsd-74-fw.pub:
<td>
RWTRA9KXRuZKunpXYK0ed5OxbE0K7rYWpDnTu+M8wZdqzRroFqed0U6I
<tr><td>
openbsd-74-pkg.pub:
<td>
RWR/h7gubZ9M/O46RNy3PzLTPevOCK24LGCPca41IHMwSH4YuVA+jnWO
<tr><td>
openbsd-74-syspatch.pub:
<td>
RWQqty2voy8V8afR9/v2RzuNr7r4y9cKwljABN7Tytd7JcPdBjnXg0Ue
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>

<hr>

<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.4.
For a comprehensive list, see the <a href="plus74.html">changelog</a> leading
to 7.4.

<ul>

<li>New/extended platforms:
  <ul>
  <li>On arm64, implement branch target protection using the branch
	target identification feature introduced in Armv8.5.  This provides
	"head-CFI" to complement the "tail-CFI" provided by retguard, and is
	supported on Apple M2.
  </ul>

<li>Various kernel improvements:
  <ul>
  <li>On amd64, identify IBT capability in cpu(4) dmesg lines.
  <li>On arm64, show BT and SBSS features in dmesg(8).
  <li>Map device tree read/write to unbreak root on softraid(4).
  </ul>

<li>SMP Improvements
  <ul>
  <li>Protect struct clockintr_queue with a mutex so that arbitrary CPUs
	can manipulate clock interrupts established on arbitrary CPU queues.
  </ul>

<li>Direct Rendering Manager and graphics drivers
  <ul>
  <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
      to Linux 6.1.55
  <li>Don't change end marker in sg_set_page().  Caused bad memory accesses
      when using page flipping on Alder Lake and Raptor Lake.
  </ul>

<li>VMM/VMD improvements
  <ul>
  <li>Avoid use of uninitialised memory in vmd(8).
  <li>Migrate vmd_vm.vm_ttyname to a char array, allowing a vmd_vm
	object to be transmitted over an IPC channel.
  </ul>

<li>Various new userland features:
  <ul>
  <li>New ISO C11 header <code>&lt;uchar.h&gt;</code> declaring the
      types <code>char32_t</code> and <code>char16_t</code> and the
      functions <a href="https://man.openbsd.org/c32rtomb.3">c32rtomb(3)</a>,
      <a href="https://man.openbsd.org/mbrtoc32.3">mbrtoc32(3)</a>,
      <a href="https://man.openbsd.org/c16rtomb.3">c16rtomb(3)</a>, and
      <a href="https://man.openbsd.org/mbrtoc16.3">mbrtoc16(3)</a>.
  <li>Update zoneinfo to tzdata2023c.
  </ul>

<li>Various bugfixes and tweaks in userland:
  <ul>
  <li>Refactoring and documenting of fdisk(8) code, to make the code
	easier to maintain.
  <li>In clang, allow out-of-class defaulting of comparison operators
	by backporting an upstream commit.
  <li>Improve the code of aucat(1) and fix spelling mistakes.
  <li>Improve the code quality of find(1).
  <li>Many changes in mg(1):
    <ul>
    <li>Improve the readability of the code of mg(1).
    <li>In mg(1), fall back to /bin/sh if $SHELL is undefined.
    <li>Fix parsing of tag files with duplicate entries in mg(1).
	Instead of erroring out, ignore duplicates. Fixes using
	/var/db/libc.tags again.
    <li>In mg(1), change tagvisit (aka visit-tag-table) to immediately
	load the tag file, and drop the lazy mechanics.
    <li>Remove useless global variable in mg(1).
    <li>Plug memory leak in mg(1).
    <li>Replace strncpy() with strlcpy() in mg(1).
    <li>Skip checking permissions of conffile with access(2).
    </ul>
  <li>On aarch64 architectures, improve how BTI control flow integrity
	enforcement is implemented in the executable entry point, and enable
	support for BTI control flow integrity checks in libc assembly
	functions.

  </ul>

<li>Improved hardware support and driver bugfixes, including:
  <ul>
  <li>New <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>
      nodes for battery management, <code>hw.battery.charge*</code>.
  <li>Define fixed names for
      <a href="https://man.openbsd.org/ucom.4">ucom(4)</a> USB serial
      ports, make them discoverable via the new <code>hw.ucomnames</code>
      <a href="https://man.openbsd.org/sysctl.2#HW_UCOMNAMES~2">sysctl(2)</a>,
      and support them in <a href="https://man.openbsd.org/cu.1">cu(1)</a>.
  <li>Add support for the RK3568 32k RTC clock in rkclock(4).
  <li>In dwpcie(4) attach Baikal-M PCIe.
  <li>In openfirmware, implement regulator notifiers which get called
	when the voltage/current for a regulator is changed or when the
	regulator gets initialized when it attaches for the first time. The
	latter makes it possible to register a notifier for a regulator that
	hasn't attached yet.
  <li>Add rkiovd(4), a driver for the IO voltage domains on Rockchip SoCs.
  <li>Add support for TEMPerGold 3.4 temperature sensor to ugold(4).
  <li>Ignore duplicate ACPI lid transitions as they can happen on Dell
	Precision 5510 systems.
  <li>Make RK3568 PCIe controllers run at the maximum possible speed
	by using dwpcie_link_config() when initializing.
  <li>In the Universal Flash Storage Host Controller Interface
	(ufshci(4)) enable Force Unit Access (FUA) for write commands.

  </ul>

<li>New or improved network hardware support:
  <ul>
  <li>Fix dwqe(4) on several boards that use rgephy(4) by configuring
	the RGMII interface before taking the PHY out of reset.
  <li>Document that Intel i226 adapters are supported by igc(4).
  <li>Add ngbe(4), a driver for WangXun WX1860 PCI Express 10/100/1Gb Ethernet devices.
  <li>Add rkusbphy(4), a driver for the usb2phy on Rockchip SoCs.
  <li>Add support for the RTL8211F-VD PHY in rgephy(4).
  <li>Enable rkusbphy(4) on arm64.
  <li>In openfirmware, add glue for network interfaces to be found by
	fdt/ofw node or phandle in order to support "switch chips" like the
	Marvell Link Street.
  <li>Add support for enabling both the usb2 and usb3 phys in xhci and ehci.
  </ul>

<li>Added or improved wireless network drivers:
  <ul>
  <li>Improve how Quectel LTE&amp;5G devices attach to umb(4).
  </ul>

<li>IEEE 802.11 wireless stack improvements and bugfixes:
  <ul>
  <li>...
  </ul>

<li>Installer, upgrade and bootloader improvements:
  <ul>
  <li>In the arm64 ramdisk, simplify Apple firmware copying to make it
	easier to add new firmware.
  <li>On armv7 and arm64, silence informational messages from dd(1)
	when zeroing a disk's first 1MB. Use character not block devices with
	dd(1) like on other architectures.
  <li>Refactor the code of md_installboot() on armv7 and arm64 to be
	more in line with other architectures.
  <li>Improve the dialogue of the installer without affecting
	autoinstall(8) files.
  <li>Enable ufshci(4) on arm64 install media.
  <li>Enable ngbe(4) on amd64 install media.
  <li>On arm64 pine64 boards, stop writing pine64 firmware to disk.
  <li>Make root on softraid(4) installations boot out of the box on
	Raspberry Pis (arm64).
  <li>Support installations with root on softraid on arm64, tested on
	Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.

  </ul>

<li>Security improvements:
  <ul>
  <li>Change malloc(3) chunk sizes to be fine grained. [needs better explanation]
  <li>In malloc(3), check all chunks in the delayed free list for write-after-free.
  </ul>

<li>Changes in the network stack:
  <ul>
  <li>In pf(4), when redirecting locally generated IP packets to
	userland with divert-packet rules, the packets may have no checksum
	due to hardware offloading.  Calculate the checksum in that case.
  <li>Sync the use of getuptime(9) in the Neighbour Discovery (ND) code with ARP.
  <li>In the IPv6 forwarding code, call getuptime(9) once for
	consistency with IPv4.

  </ul>

<li>Routing daemons and other userland network improvements:
  <ul>
  <li>IPsec support was improved:
  <ul>
	<li>In isakmpd(8), avoid a double free in ec_init() when using the OpenSSL API.
	<li>In iked(8), do not treat the return value of i2d_ECDSA_SIG() as
		length as it can be negative.
	<li>Prepare isakmpd(8) for a libcrypto library that is lacking binary field
		support.
	<li>In isakmpd(8), avoid a potential crash by adding a missing NULL check.

  </ul>
  <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
  <ul>
	<li>...
  </ul>
  <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
  <ul>
	<li>...
  </ul>

  <li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>,
  <ul>
	<li>...
  </ul>

  <li>Make dig(1) use less deprecated LibreSSL API.
  <li>In ypldap(8), reduce memory usage when updating larger directories.
  <li>Remove stylistic differences between arp(8) and ndp(8) delete()
	function.  This makes it easier to spot real changes in behavior.
  <li>Make ndp(8) not remove cloning routes when no neighbor entry is
	found with <code>ndp -d</code>.
  </ul>

<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
  <ul>
  <li>For passthrough, don't write to clients attached to different sessions.
  <li>Add a format to show if there are unseen changes while in a mode.
  </ul>

<li>LibreSSL version 3.8.2
  <ul>
  <li>Security fixes
    <ul>
    <li>Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer
      be selected for use.
    <li>BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than
      32 kbits for primality. This mitigates various DoS vectors.
    <li>Restricted the RFC 3779 code to IPv4 and IPv6. It was not written
      to be able to deal with anything else.
    </ul>
  <li>Portable changes
    <ul>
    <li>Extended the endian.h compat header with hto* and *toh macros.
    <li>Adapted more tests to the portable framework.
    <li>Internal tools are now statically linked.
    <li>Applications bundled as part of the LibreSSL package internally,
      nc(1) and openssl(1), now are linked statically if static libraries
      are built.
    <li>Internal compatibility function symbols are no longer exported from
      libcrypto. Instead, the libcompat library is linked to libcrypto,
      libssl, and libtls separately. This increases size a little, but
      ensures that the libraries are not exporting symbols to programs
      unintentionally.
    <li>Selective removal of CET implementation on platforms where it is
      not supported (macOS).
    <li>Integrated four more tests.
    <li>Added Windows ARM64 architecture to tested platforms.
    <li>Removed Solaris 10 support, fixed Solaris 11.
    <li>libtls no longer links statically to libcrypto / libssl unless
	    <code>--enable-libtls-only</code> is specified at configure time.
    <li>Improved Windows compatibility library, namely handling of files vs
      sockets, correcting an exception when operating on a closed socket.
    <li>CMake builds no longer hardcode <code>-O2</code> into the compiler flags,
      using flags from the CMake build type instead.
    <li>Set the CMake default build type to <code>Release</code>. This can be overridden
      during configuration.
    <li>Fixed broken ASM support with MinGW builds.
    </ul>
  <li>New features
    <ul>
    <li>Added support for truncated SHA-2 and for SHA-3.
    <li>The BPSW primality test performs additional Miller-Rabin rounds
      with random bases to reduce the likelihood of composites passing.
    <li>Allow testing of ciphers and digests using badly aligned buffers
      in openssl speed using -unalign.
    <li>Ed25519 certificates are now supported in openssl(1) ca and req.
      Prepared Ed25519 support in libssl.
    <li>Add branch target information (BTI) support to amd64 and arm64
      assembly.
    </ul>
  <li>Compatibility changes
    <ul>
    <li>Added a workaround for a poorly thought-out change in OpenSSL 3 that
      broke privilege separation support in libtls.
    <li>Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
    <li>Removed GF2m support: BIGNUM no longer supports binary extension
      field arithmetic and all binary elliptic builtin curves were removed.
    <li>Removed dangerous, "fast" NIST prime and elliptic curve implementations.
      In particular, EC_GFp_nist_method() is no longer available.
    <li>Removed most public symbols that were deprecated in OpenSSL 0.9.8.
    <li>Removed the public X9.31 API (RSA_X931_PADDING is still available).
    <li>Removed Cipher Text Stealing mode.
    <li>Removed ENGINE support, including ECDH_METHOD and ECDSA_METHOD.
    <li>Removed COMP, DSO, dynamic loading of conf modules and support for
      custom ex_data and error stacks.
    <li>Removed proxy certificate (RFC 3820) support.
    <li>Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the
      openssl(1) nseq command.
    <li>ENGINE support was removed and OPENSSL_NO_ENGINE is set. In spite
      of this, some stub functions are provided to avoid patching some
      applications that do not honor OPENSSL_NO_ENGINE.
    <li>The POLICY_TREE and its related structures and API were removed.
    <li>In X509_VERIFY_PARAM_inherit() copy hostflags independently of the
      host list.
    <li>Made CRYPTO_get_ex_new_index() not return 0 to allow applications
      to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside
      each other.
    <li>X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain
      valid UTF-8 without embedded NUL.
    <li>The explicitText user notice uses UTF8String instead of VisibleString
      to reduce the risk of emitting certificates with invalid DER-encoding.
    <li>Initial fixes for RSA-PSS support to make the TLSv1.3 stack more
      compliant with RFC 8446.
    <li>Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
      EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
    </ul>
  <li>Internal improvements
    <ul>
    <li>Improved sieve of Eratosthenes script used for generating a table
      of small primes.
    <li>Removed incomplete and dangerous BN_RECURSION code.
    <li>Imported RFC 5280 policy checking code from BoringSSL and used it
      to replace the old exponential time code.
    <li>Converted more of libcrypto to use CBB/CBS.
    <li>Started cleaning up and rewriting SHA internals.
    <li>Reduced the dependency of hash implementations on many layers of
      macros. This results in significant speedups since modern compilers
      are now less confused.
    <li>Improved BIGNUM internals and performance.
    <li>Significantly simplified the BN_BLINDING internals used in RSA.
    <li>Made BN_num_bits() independent of bn->top.
    <li>Rewrote and simplified bn_sqr().
    <li>Significantly improved Montgomery multiplication performance.
    <li>Rewrote and improved BN_exp() and BN_copy().
    <li>Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with
      Ed25519 and fixed a few bugs in there.
    <li>Lots of cleanup for DH, DSA, EC, RSA internals.  Plugged numerous
      memory leaks, fixed logic errors and inconsistencies.
    <li>Cleaned up and simplified various ECDH and ECDSA internals.
    <li>Removed EC_GROUP precomp machinery.
    <li>Fixed various issues with EVP_PKEY_CTX_{new,dup}().
    <li>Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
    <li>Improved X.509 certificate version checks.
    <li>Ensure no X.509v3 extensions appear more than once in certificates.
    <li>Replaced ASN1_bn_print with a cleaner internal implementation.
    <li>Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
    <li>Improved checks for commonName in libtls.
    <li>Fixed error check for X509_get_ext_d2i() failure in libtls.
    <li>Removed code guarded by #ifdef ZLIB.
    <li>Plug a potential memory leak in ASN1_TIME_normalize().
    <li>Fixed a use of uninitialized in i2r_IPAddrBlocks().
    <li>Rewrote CMS_SignerInfo_{sign,verify}().
    </ul>
  <li>Bug fixes
    <ul>
    <li>Correctly handle negative input to various BIGNUM functions.
    <li>Ensure ERR_load_ERR_strings() does not set errno unexpectedly.
    <li>Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
    <li>Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing of result
      and modulus in various BN_mod_* functions.
    <li>Fixed detection of extended operations (XOP) on AMD hardware.
    <li>Ensure Montgomery exponentiation is used for the initial RSA blinding.
    <li>Policy is always checked in X509 validation. Critical policy extensions
      are no longer silently ignored.
    <li>Fixed error handling in tls_check_common_name().
    <li>Add missing pointer invalidation in SSL_free().
    <li>Fixed X509err() and X509V3err() and their internal versions.
    <li>Ensure that OBJ_obj2txt() always returns a C string again.
    <li>Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
    <li>On socket errors in the poll loop, netcat could issue system calls
      on invalidated file descriptors.
    <li>Allow IP addresses to be specified in a URI.
    <li>Fixed a copy-paste error in ASN1_TIME_compare() that could lead
      to two UTCTimes or two GeneralizedTimes incorrectly being compared
      as equal.
    </ul>
  <li>Documentation improvements
    <ul>
    <li>Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3),
      BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3).
    <li>Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally
      undocumented.
    <li>Made it very explicit that the verify callback should not be used.
    <li>Called out that the CRL lastUpdate is standardized as thisUpdate.
    <li>Documented the RFC 3779 API and its shortcomings.
    </ul>
  <li>Testing and Proactive Security
    <ul>
    <li>Significantly improved test coverage of BN_mod_sqrt() and GCD.
    <li>As always, new test coverage is added as bugs are fixed and subsystems
      are cleaned up.
    </ul>
  </ul>

<li>OpenSSH 9.5 and OpenSSH 9.4
  <ul>
  <li>Potentially incompatible changes
    <ul>
    <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
        generate Ed25519 keys by default. Ed25519 public keys
        are very convenient due to their small size. Ed25519 keys are
        specified in RFC 8709 and OpenSSH has supported them since version 6.5
        (January 2014).
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        the Subsystem directive now accurately preserves quoting of
        subsystem commands and arguments. This may change behaviour for exotic
        configurations, but the most common subsystem configuration
        (sftp-server) is unlikely to be affected.
    <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
        PKCS#11 modules must now be specified by their full
        paths. Previously dlopen(3) could search for them in system
        library directories.
    </ul>
  <li>New features
    <ul>
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        add keystroke timing obfuscation to the client. This attempts
        to hide inter-keystroke timings by sending interactive traffic at
        fixed intervals (default: every 20ms) when there is only a small
        amount of data being sent. It also sends fake "chaff" keystrokes for
        a random interval after the last real keystroke. These are
        controlled by a new ssh_config ObscureKeystrokeTiming keyword.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        Introduce a transport-level ping facility. This adds
        a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
        implement a ping capability. These messages use numbers in the "local
        extensions" number space and are advertised using a "ping@openssh.com"
        ext-info message with a string version number of "0".
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        allow override of Subsystem directives in sshd Match blocks.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        allow forwarding Unix Domain sockets via ssh -W.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        add support for configuration tags to ssh(1).
        This adds a ssh_config(5) "Tag" directive and corresponding
        "Match tag" predicate that may be used to select blocks of
        configuration similar to the pf.conf(5) keywords of the same
        name.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
         add a "match localnetwork" predicate. This allows matching
         on the addresses of available network interfaces and may be used to
         vary the effective client configuration based on network location.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
        <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
        infrastructure support for KRL
        extensions.  This defines wire formats for optional KRL extensions
        and implements parsing of the new submessages. No actual extensions
        are supported at this point.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
        accept two additional %-expansion sequences: %D which expands to
        the routing domain of the connected session and %C which expands
        to the addresses and port numbers for the source and destination
        of the connection.
    <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
        increase the default work factor (rounds) for the
        bcrypt KDF used to derive symmetric encryption keys for passphrase
        protected key files by 50%.
    </ul>
  <li>Bugfixes
    <ul>
    <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
        fix scp in SFTP mode recursive upload and download of
        directories that contain symlinks to other directories. In scp mode,
        the links would be followed, but in SFTP mode they were not.
    <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
        handle cr+lf (instead of just cr) line endings in
        sshsig signature files.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        interactive mode for ControlPersist sessions if they
        originally requested a tty.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        make PerSourceMaxStartups first-match-wins.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        limit artificial login delay to a reasonable maximum (5s)
        and don't delay at all for the "none" authentication mechanism.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        Log errors in kex_exchange_identification() with level
        verbose instead of error to reduce preauth log spam. All of those
        get logged with a more generic error message by sshpkt_fatal().
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        correct math for ClientAliveInterval that caused the probes
        to be sent less frequently than configured.
    <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
        improve isolation between loaded PKCS#11 modules
        by running separate ssh-pkcs11-helpers for each loaded provider.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        make -f (fork after authentication) work correctly with
        multiplexed connections, including ControlPersist.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        make ConnectTimeout apply to multiplexing sockets and not
        just to network connections.
    <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
        <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        improve defences against invalid PKCS#11
        modules being loaded by checking that the requested module
        contains the required symbol before loading it.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
        fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
        appears before it in sshd_config. Since OpenSSH 8.7 the
        AuthorizedPrincipalsCommand directive was incorrectly ignored in
        this situation.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
        <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
        <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
        remove vestigial support for KRL
        signatures. When the KRL format was originally defined, it included
        support for signing of KRL objects. However, the code to sign KRLs
        and verify KRL signatures was never completed in OpenSSH. This
        release removes the partially-implemented code to verify KRLs.
        All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
        KRL files.
    <li>All: fix a number of memory leaks and unreachable/harmless integer
        overflows.
    <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
        <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        don't truncate strings logged from PKCS#11 modules.
    <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
        <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        better validate CASignatureAlgorithms in
        ssh_config and sshd_config. Previously this directive would accept
        certificate algorithm names, but these were unusable in practice as
        OpenSSH does not support CA chains.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        make <code>ssh -Q CASignatureAlgorithms</code> only list signature
        algorithms that are valid for CA signing. Previous behaviour was
        to list all signing algorithms, including certificate algorithms.
    <li><a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>:
        gracefully handle systems where rlimits or the
        maximum number of open files is larger than INT_MAX.
    <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
        fix "no comment" not showing when running
        <code>ssh-keygen -l</code> on multiple keys where one has a comment
        and other following keys do not.
    <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>,
        <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
        adjust ftruncate() logic to handle servers that
        reorder requests. Previously, if the server reordered requests then
        the resultant file would be erroneously truncated.
    <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
        don't incorrectly disable hostname canonicalization when
        CanonicalizeHostname=yes and ProxyJump was explicitly set to
        "none".
    <li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
        when copying local to remote, check that the source file
        exists before opening an SFTP connection to the server.
    </ul>
  </ul>

<li>Ports and packages:
  <p>Many pre-built packages for each architecture:
  <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
  <ul style="column-count: 3">
    <li>aarch64:    
    <li>amd64:      
    <li>arm:        
    <li>i386:       
    <li>mips64:     
    <li>powerpc:    
    <li>powerpc64:  
    <li>riscv64:    
    <li>sparc64:    
  </ul>

  <p>Some highlights:
  <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2023-03-04 -->
    <li>Asterisk 16.30.1, 18.19.0 and 20.4.0
    <li>Audacity 3.3.3
    <li>CMake 3.27.5
    <li>Chromium 117.0.5838.149
    <li>Emacs 29.1
    <li>FFmpeg 4.4.4
    <li>GCC 8.4.0 and 11.2.0
    <li>GHC 9.2.7
    <li>GNOME 44
    <li>Go 1.21.1
    <li>JDK 8u382, 11.0.20 and 17.0.8
    <li>KDE Applications 23.08.0
    <li>KDE Frameworks 5.98.0
    <li>Krita 5.1.5
    <li>LLVM/Clang 13.0.0 and 16.0.6
    <li>LibreOffice 7.6.2.1
    <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
    <li>MariaDB 10.9.6
    <li>Mono 6.12.0.199
    <li>Mozilla Firefox 118.0.1 and ESR 115.3.1
    <li>Mozilla Thunderbird 115.3.1
    <li>Mutt 2.2.12 and NeoMutt 20230517
    <li>Node.js 18.18.0
    <li>OCaml 4.12.1
    <li>OpenLDAP 2.6.6
    <li>PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
    <li>Postfix 3.7.3
    <li>PostgreSQL 15.4
    <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
    <li>Qt 5.15.10 and 6.5.2
    <li>R 4.2.3
    <li>Ruby 3.0.6, 3.1.4 and 3.2.2
    <li>Rust 1.72.1
    <li>SQLite 3.42.0
    <li>Shotcut 23.07.29
    <li>Sudo 1.9.14.2
    <li>Suricata 6.0.12
    <li>Tcl/Tk 8.5.19 and 8.6.13
    <li>TeX Live 2022
    <li>Vim 9.0.1897 and Neovim 0.9.1
    <li>Xfce 4.18
  </ul>
  <p>

<li>As usual, steady improvements in manual pages and other documentation.

<li>The system includes the following major components from outside suppliers:
  <ul><!-- XXX all need to be checked/updated 2023-03-04 -->
    <li>Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
        freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
        xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
    <li>LLVM/Clang 13.0.0 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.36.1 (+ patches)
    <li>NSD 4.7.0
    <li>Unbound 1.18.0
    <li>Ncurses 5.7
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk September 12, 2023
    <li>Expat 2.5.0
  </ul>

</ul>
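<p>
The delayed free list check from the malloc(3) item under "Security improvements" above, as an added example that is not OpenBSD's malloc(3) code: a simplified C model that compares validating only the evicted chunk with validating every chunk parked in the list. The ring size, chunk size, junk byte, the evict-only comparison mode and all function names are assumptions made for this illustration.

```c
/* Added illustration: a simplified model, not OpenBSD's malloc(3) code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DELAYED_SLOTS 8     /* assumed ring size for this model */
#define CHUNK_SIZE    32    /* one size class keeps the model short */
#define FREE_JUNK     0xdf  /* assumed fill byte written into freed chunks */

struct delayed_list {
    unsigned char *slot[DELAYED_SLOTS]; /* freed chunks not yet reusable */
    size_t next;                        /* slot recycled by the next free */
};

struct waf_report {
    int slot;     /* ring slot holding the modified chunk, -1 if none */
    long offset;  /* first byte that no longer holds FREE_JUNK */
};

/* Offset of the first byte overwritten since the chunk was freed, or -1. */
static long first_dirty_byte(const unsigned char *p)
{
    for (size_t i = 0; i < CHUNK_SIZE; i++)
        if (p[i] != FREE_JUNK)
            return (long)i;
    return -1;
}

/*
 * Free a chunk into the delayed list. With check_all set, every chunk still
 * parked in the list is validated; otherwise only the chunk being evicted
 * is. Returns 1 and fills *rep when a write-after-free is found.
 */
int model_free(struct delayed_list *dl, unsigned char *p, int check_all,
    struct waf_report *rep)
{
    unsigned char *victim = dl->slot[dl->next];
    int found = 0;

    rep->slot = -1;
    rep->offset = -1;
    memset(p, FREE_JUNK, CHUNK_SIZE);

    for (size_t i = 0; i < DELAYED_SLOTS && !found; i++) {
        unsigned char *c = dl->slot[i];
        if (c == NULL || (!check_all && c != victim))
            continue;
        long off = first_dirty_byte(c);
        if (off >= 0) {
            rep->slot = (int)i;
            rep->offset = off;
            found = 1;
        }
    }

    dl->slot[dl->next] = p;
    dl->next = (dl->next + 1) % DELAYED_SLOTS;
    free(victim);           /* only now does the memory become reusable */
    return found;
}

/*
 * Constructed scenario: free one chunk, write through the stale pointer,
 * then keep freeing fresh chunks. Returns how many later frees happen
 * before the stale write is noticed, or -1 if it never is.
 */
int frees_until_detected(int check_all, struct waf_report *rep)
{
    struct delayed_list dl = { {NULL}, 0 };
    unsigned char *stale = calloc(1, CHUNK_SIZE);
    int result = -1;

    if (stale == NULL)
        return -1;
    model_free(&dl, stale, check_all, rep);
    stale[5] = 'X';         /* the bug: write through a freed pointer */

    for (int n = 1; n <= 2 * DELAYED_SLOTS && result < 0; n++) {
        unsigned char *p = calloc(1, CHUNK_SIZE);
        if (p == NULL)
            break;
        if (model_free(&dl, p, check_all, rep))
            result = n;
    }
    for (size_t i = 0; i < DELAYED_SLOTS; i++)
        free(dl.slot[i]);
    return result;
}

int main(void)
{
    struct waf_report rep;
    int n = frees_until_detected(1, &rep);
    printf("check all chunks: found after %d free(s), slot %d offset %ld\n",
        n, rep.slot, rep.offset);
    n = frees_until_detected(0, &rep);
    printf("check evicted only: found after %d free(s), slot %d offset %ld\n",
        n, rep.slot, rep.offset);
    return 0;
}
```

In this model the stale write is reported on the very next free when the whole list is scanned, and only once the ring has wrapped around when just the evicted chunk is checked.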
</section>

<hr>

<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.4 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/alpha/INSTALL.alpha">
	.../OpenBSD/7.4/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/amd64/INSTALL.amd64">
	.../OpenBSD/7.4/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/arm64/INSTALL.arm64">
	.../OpenBSD/7.4/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/armv7/INSTALL.armv7">
	.../OpenBSD/7.4/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/hppa/INSTALL.hppa">
	.../OpenBSD/7.4/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/i386/INSTALL.i386">
	.../OpenBSD/7.4/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/landisk/INSTALL.landisk">
	.../OpenBSD/7.4/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/loongson/INSTALL.loongson">
	.../OpenBSD/7.4/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/luna88k/INSTALL.luna88k">
	.../OpenBSD/7.4/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/macppc/INSTALL.macppc">
	.../OpenBSD/7.4/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/octeon/INSTALL.octeon">
	.../OpenBSD/7.4/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/powerpc64/INSTALL.powerpc64">
	.../OpenBSD/7.4/powerpc64/INSTALL.powerpc64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/riscv64/INSTALL.riscv64">
	.../OpenBSD/7.4/riscv64/INSTALL.riscv64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/sparc64/INSTALL.sparc64">
	.../OpenBSD/7.4/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
If your machine can boot from CD, you can write <i>install74.iso</i> or
<i>cd74.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install74.iso</i> or
<i>cd74.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install74.img</i> or
<i>miniroot74.img</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
Write <i>install74.img</i> or <i>miniroot74.img</i> to a disk and boot from it
after connecting to the serial console.  Refer to INSTALL.arm64 for more
details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install74.iso</i> or
<i>cd74.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install74.img</i> or
<i>miniroot74.img</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot74.img</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot74.img</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/7.4/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/powerpc64:</h3>

<p>
To install, write <i>install74.img</i> or <i>miniroot74.img</i> to a
USB stick, plug it into the machine and choose the <i>OpenBSD
install</i> menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.

<h3>OpenBSD/riscv64:</h3>

<p>
To install, write <i>install74.img</i> or <i>miniroot74.img</i> to a
USB stick, and boot with that drive plugged in.
Make sure you also have the microSD card plugged in that shipped with the
HiFive Unmatched board.
Refer to the instructions in INSTALL.riscv64 for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy74.img</i> or <i>floppyB74.img</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot74.img</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 7.3 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade74.html">Upgrade Guide</a>.
</section>

<hr>

<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are regular CVS checkouts.  Using these trees, it
is possible to get a head start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_4</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 7.4 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to start.
</section>
</body>
</html>