Annotation of www/75.html, Revision 1.23
1.1 benno 1: <!doctype html>
2: <html lang=en id=release>
3: <head>
4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.5</title>
7: <meta name="description" content="OpenBSD 7.5">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/75.html">
11: </head><body>
12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.5
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/XXX.jpg">
22: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
23: <td>
24: Released XXXMONTH DAY, 2024. (56th OpenBSD release)<br>
25: Copyright 1997-2024, Theo de Raadt.<br>
26: <br>
27: Artwork by XXX.
28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.5/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata75.html">the 7.5 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus75.html">detailed log of changes</a> between the
37: 7.4 and 7.5 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-75-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/openbsd-75-base.pub">
47: RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q
48: </a><tr><td>
49: openbsd-75-fw.pub:
50: <td>
51: RWQ6EsXr4NMYvyLICug3dLHfmbpXlVasF1jbt3GVNQsosgB5+PgaufBu
52: <tr><td>
53: openbsd-75-pkg.pub:
54: <td>
55: RWS/sEFDvf+rjUmS1WROzxH05pB1kB7JRRq76DUGUhCE0Ks8AdpjP5pD
56: <tr><td>
57: openbsd-75-syspatch.pub:
58: <td>
59: RWRAAZC5WcFgn+8b5msDR+yDVCx4ziLaSQI2sy7e4GFY42nFW9p7mP2t
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.5.
74: For a comprehensive list, see the <a href="plus75.html">changelog</a> leading <!-- plus? XXX -->
75: to 7.5.
76:
77: <ul>
78:
79: <!--
80: <li>New/extended platforms:
81: <ul>
82: <li>...
83: </ul>
84: -->
85:
86: <li>Various kernel improvements:
87: <ul>
88: <li>...
89: </ul>
90:
91: <li>SMP Improvements
92: <ul>
1.22 lteo 93: <li>Some network timers run without kernel lock.
1.19 bluhm 94: <li>TCP syn cache timer runs with shared net lock.
95: <li><a href="https://man.openbsd.org/bind.2">bind(2)</a>
96: and <a href="https://man.openbsd.org/connect.2">connect(2)</a>
97: system calls can run in parallel.
98: <li>Packet counter for <a
99: href="https://man.openbsd.org/lo.4">lo(4)</a> loopback
100: interface are MP safe.
101: <li>Split protocol control block table for UDP into IPv4
102: and IPv6 tables to allow concurrent access.
103: <li>UDP packets can be sent in parallel by multiple threads.
1.1 benno 104: </ul>
105:
106: <li>Direct Rendering Manager and graphics drivers
107: <ul>
1.11 jsg 108: <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
109: to Linux 6.6.19.
110: <li>New <a href="https://man.openbsd.org/arm64/apldcp.4">apldcp(4)</a> and
111: <a href="https://man.openbsd.org/arm64/apldrm.4">apldrm(4)</a> drivers
112: for Apple display coprocessor.
1.1 benno 113: </ul>
114:
115: <li>VMM/VMD improvements
116: <ul>
1.15 dv 117: <li>Fixed IRQ storm caused by edge-triggered devices such as the uart.
118: <li>Fixed block size calculation for vioscsi devices.
119: <li>Added io instruction length to vm exit information, allowing
120: <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to perform validation
121: in userspace.
122: <li>Adopted new <a href="https://man.openbsd.org/imsg_init.3">imsg_get_*(3)</a>
123: api.
124: <li>Rewrote vionet devices to allow zero-copy data transfers between host and
125: guest.
126: <li>Improved error messages related to <a href="https://man.openbsd.org/getgrnam.3">
127: getgrnam(3)</a> usage and out of <a href="https://man.openbsd.org/tap.4">tap(4)
128: </a> device conditions.
129: <li>Fixed various things found by smatch static analyzer.
130: <li>Fixed various file descriptor lifecycle issues and leaks across
131: <a href="https://man.openbsd.org/fork.2">fork(2)</a>/
132: <a href="https://man.openbsd.org/execve.2">execve(2)</a> usage.
133: <li>Added multi-threading support to vionet device emulation, improving latency.
134: <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> instability on Intel
135: VMX hosts by updating GDTR & TR if vcpu moves host cpus.
136: <li>Added EPT flushing upon <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
137: enabling VMX mode.
138: <li>Added branch predictor flushing if IBPB is supported.
139: <li>Corrected restoring GDTR and IDTR limits upon VMX guest exit.
140: <li>Corrected handling of CPUID 0xd subleaves
141: <li>Added additional use of VERW and register clobbering to mitigate RFDS
142: vulnerabilities on Intel Atom cores.
1.1 benno 143: </ul>
144:
145: <li>Various new userland features:
146: <ul>
147: <li>...
148: </ul>
149:
150: <li>Various bugfixes and tweaks in userland:
151: <ul>
152: <li>...
153: </ul>
154:
155: <li>Improved hardware support and driver bugfixes, including:
156: <ul>
1.23 ! jsg 157: <li>New <a href="https://man.openbsd.org/arm64/ampchwm.4">ampchwm(4)</a>
! 158: driver for Ampere Altra power telemetry.
! 159: <li>New <a href="https://man.openbsd.org/rkspi.4">rkspi(4)</a>
! 160: driver for Rockchip SPI controller.
! 161: <li>Support for RK806 PMIC in
! 162: <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>.
! 163: <li>Support for Allwinner H616 in
! 164: <a href="https://man.openbsd.org/sxisyscon.4">sxisyscon(4)</a>,
! 165: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
! 166: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
! 167: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
! 168: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
! 169: <li>Support for Allwinner D1 in
! 170: <a href="https://man.openbsd.org/sxidog.4">sxidog(4)</a>,
! 171: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
! 172: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
! 173: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
! 174: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
! 175: <li>Support for Aero and Sea SAS HBAs in
! 176: <a href="https://man.openbsd.org/mpii.4">mpii(4)</a>.
! 177: <li>Support for SAS3816 and SAS3916 in
! 178: <a href="https://man.openbsd.org/mfii.4">mfii(4)</a>.
1.1 benno 179: </ul>
180:
181: <li>New or improved network hardware support:
182: <ul>
1.20 jan 183: <li>Utilize full checksum offload capabilities of
184: <a href="https://man.openbsd.org/vio.4">vio(4)</a> and
185: <a href="https://man.openbsd.org/vmx.4">vmx(4)</a>.</li>
186: <li>TCP Send Offload (TSO) is also used in
187: <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> and
188: <a href="https://man.openbsd.org/em.4">em(4)</a>.</li>
189: <li>The Synopsys Ethernet Quality-of-Service Controller
190: (<a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>) is enabled for
191: amd64.</li>
1.23 ! jsg 192: <li>Support for AX88179A in
! 193: <a href="https://man.openbsd.org/axen.4">axen(4)</a>.
1.20 jan 194: <li>The Intel I225 and I226 Ethernet Controller
195: <a href="https://man.openbsd.org/igc.4">igc(4)</a> are enabled for
196: sparc64.</li>
197: <li>The Allwinner EMAC Ethernet Controller
198: <a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> is enabled for
199: riscv64.</li>
1.1 benno 200: <li>...
201: </ul>
202:
203: <li>Added or improved wireless network drivers:
204: <ul>
1.14 stsp 205: <li>Introduce <a href="https://man.openbsd.org/qwx.4">qwx(4)</a>,
206: a port of the Linux ath11k driver for QCNFA765 devices.
207: Available on the amd64 and arm64 platforms.
208: <li>Fix Tx rate selection for management frames in
209: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
210: <li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> loading the wrong
211: firmware image on some devices.
212: <li>Make <a href="https://man.openbsd.org/bfwm.4">bwfm(4)</a> work with MAC
213: addresses set via ifconfig lladdr.
214: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> uses the
215: 80MHz primary channel index announced in beacons.
216: <li>Avoid using MCS-9 in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
217: Tx rate selection if 40 MHz is disabled to prevent firmware errors.
218: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
219: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices announce VHT
220: capabilities in probe requests.
221: <li>Fix bug in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
222: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, and
223: <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> which could result
224: in some channels missing from scan results.
225: <li>Enable <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> on the
226: arm64 platform.
1.1 benno 227: </ul>
228:
229: <li>IEEE 802.11 wireless stack improvements and bugfixes:
230: <ul>
1.14 stsp 231: <li> Ignore 40/80 MHz wide channel configurations which do not appear
232: in the 802.11ac spec. This prevents device firmware errors which
233: occurred when an access point announced an invalid channel configuration.
1.1 benno 234: </ul>
235:
236: <li>Installer, upgrade and bootloader improvements:
237: <ul>
238: <li>...
239: </ul>
240:
241: <li>Security improvements:
242: <ul>
243: <li>...
244: </ul>
245:
246: <li>Changes in the network stack:
247: <ul>
1.19 bluhm 248: <li>Enable IPv6 support in <a
249: href="https://man.openbsd.org/ppp.4">ppp(4)</a>
250: <li>Socket with sequenced packet type and control messages
251: handle end of record correctly.
1.21 jsg 252: <li>The routing table has a generation number. That means
1.19 bluhm 253: cached routes at sockets will be invalidated when the routing
254: table changes. Especially with dynamic routing daemons
255: local connections use the up to date route.
256: <li>Route cache hits an misses are printed in
257: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
258: statistics.
1.1 benno 259: </ul>
260:
261: <li>The following changes were made to the <a
262: href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
263: <ul>
1.19 bluhm 264: <li>tcpdump on <a
265: href="https://man.openbsd.org/pflog.4">pflog(4)</a> interface
266: shows packets dropped by the default rule with the "block"
267: action. Although the default rules is a "pass" rule, it
268: blocks malformed packets. Now this is correctly logged.
1.1 benno 269: </ul>
270:
271: <li>Routing daemons and other userland network improvements:
272: <ul>
273:
274: <li>IPsec support was improved:
275: <ul>
1.18 denis 276: <li>...
1.1 benno 277: </ul>
278:
279: <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
280: <ul>
1.18 denis 281: <li>...
1.1 benno 282: </ul>
283:
1.2 benno 284: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw these and more changes:
1.1 benno 285: <ul>
1.2 benno 286: <li>Add ability to constrain an RPKI Trust Anchor's effective signing
287: authority to a limited set of Internet numbers. This allows Relying
288: Parties to enjoy the potential benefits of assuming trust, but within
289: a bounded scope.
290: <li>Following a 'failed fetch' (described in RFC 9286), emit a warning and
291: continue with a previously cached Manifest file.
292: <li>Emit a warning when the remote repository presents a Manifest with an
293: unexpected manifestNumber.
294: <li>Improved CRL extension checking.
295: <li>Experimental support for the P-256 signature algorithm.
296: <!-- 8.8. -->
297: <li>A failed manifest fetch could result in a NULL pointer dereference or
298: a use after free.
299: <li>Reject non-conforming RRDP delta elements that contain neither publish
300: nor a withdraw element and fall back to the RRDP snapshot.
301: <li>Refactoring and minor bug fixes in the warning display functions.
302: <!-- 8.9 -->
303: <li>The handling of manifests fetched via rsync or RRDP was reworked to
304: fully conform to RFC 9286.
305: <li>Fix a race condition between closing an idle connection and scheduling a
306: new request on it.
307: <li>The evaluation time specified with -P now also applies to trust anchor
308: certificates.
309: <li>Check that the entire CMS eContent was consumed. Previously, trailing
310: data would be silently discarded on deserialization of products.
311: <li>In file mode do not consider overclaiming intermediate CA certificates
312: as invalid. OAA warning is still issued.
313: <li>Print the revocation time of certificates in file mode.
314: <li>Be more careful when converting OpenSSL numeric identifiers (NIDs)
315: to strings.
316: <!-- 9.0 -->
317: <li>Added support for RPKI Signed Prefix Lists.
318: <li>Added an -x flag to opt into parsing and evaluation of file types that are
319: still considered experimental.
320: <li>Added a metric to track the number of new files that were moved to the
321: validated cache.
322: <li>Ensure that the FileAndHashes list in a Manifest contains no duplicate
323: file names and no duplicate hashes.
1.1 benno 324: </ul>
325:
326: <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
327: <ul>
1.5 op 328: <li>Add <code>Message-Id</code> as needed for messages received on
329: the submission port.
330: <li>Added support for RFC 7505 "Null MX" handling and treat
331: an MX of "localhost" as it were a "Null MX".
332: <li>Allow inline tables and filter listings in
333: <a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
334: to span over multiple lines.
335: <li>Enabled <abbr title="Delivery Status Notification">DSN</abbr>
336: for the implicit socket too.
337: <li>Added the
338: <a href="https://man.openbsd.org/smtpd.conf.5#no-dsn~2">no-dsn</a>
339: option for <code>listen on socket</code> too.
340: <li>Reject headers that start with a space or a tab.
341: <li>Fixed parsing of the <code>ORCPT</code> parameter.
342: <li>Fixed table lookups of IPv6 addresses.
343: <li>Fixed handling of escape characters in To, From and Cc headers.
344: <li>Run <abbr title="Local Mail Transfer Protocol">LMTP</abbr>
345: deliveries as the recipient user again.
346: <li>Disallow custom commands and file reading in root's
347: <code>.forward</code> file.
348: <li>Do not process other users <code>.forward</code> files when
349: an alternate delivery user is provided in a dispatcher.
350: <li>Unify the <a href="https://man.openbsd.org/table.5">table(5)</a>
351: parser used in
352: <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> and
353: <a href="https://man.openbsd.org/makemap.8">makemap(8)</a>.
354: <li>Allow to use <a href="https://man.openbsd.org/table.5">table(5)</a>
355: mappings on various match constraints.
1.1 benno 356: </ul>
357:
358: <li>Many other changes in various network programs and libraries:
359: <ul>
1.19 bluhm 360: <li>If a DNS name is configured as remote syslog server,
361: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
362: retries to resolve the name periodically until it succeeds.
363: UDP packets that get lost during that period are counted and
364: logged later.
1.1 benno 365: <li>...
366: </ul>
367: </ul>
368:
369: <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
370: <ul>
371: <li>...
372: </ul>
373:
1.3 tb 374: <li>LibreSSL version 3.9.0
1.1 benno 375: <ul>
1.3 tb 376: <li>Portable changes
1.1 benno 377: <ul>
1.3 tb 378: <li>libcrypto no longer exports compat symbols in cmake builds.
379: <li>Most compatibility symbols are prefixed with <code>libressl_</code>
380: to avoid symbol clashes in static links.
381: <li>Fixed various warnings on Windows.
382: <li>Removed assert pop-ups with Windows debug builds.
383: <li>Fixed crashes and hangs in Windows ARM64 builds.
384: <li>Improved control-flow enforcement (CET) support.
1.1 benno 385: </ul>
1.3 tb 386: <li>Internal improvements
1.1 benno 387: <ul>
1.3 tb 388: <li>Converted uses of <code>OBJ_bsearch_()</code> to standard
389: <a href="https://man.openbsd.org/bsearch">bsearch(3)</a>.
390: <li>Greatly simplified <code>by_file_ctrl()</code>.
391: <li>Simplified and cleaned up the OBJ_ API.
392: <li>Cleaned up the <a href="https://man.openbsd.org/EVP_CipherInit">EVP_Cipher{Init,Update,Final}(3)</a> implementations.
393: <li>Removed unused function pointers from X.509 stores and contexts.
394: <li>A lot of cleanup and reorganization in EVP.
395: <li>Removed all remaining <code>ENGINE</code> tentacles.
396: <li>Simplified internals of <code>X509_TRUST</code> handling.
397: <li>Made deletion from a <a href="https://man.openbsd.org/lh_delete">lhash</a>
398: doall callback safe.
399: <li>Rewrote <a href="https://man.openbsd.org/BIO_dump">BIO_dump*(3)</a> internals
400: to be less bad.
1.1 benno 401: </ul>
1.3 tb 402: <li>Documentation improvements
1.1 benno 403: <ul>
1.3 tb 404: <li><code>ENGINE</code> documentation was updated to reflect reality.
405: <li>Made EVP API documentation more accurate and less incoherent.
406: <li>Call out some shortcomings of the <code>EC_KEY_set_*</code> API explicitly.
1.1 benno 407: </ul>
1.3 tb 408: <li>Testing and proactive security
1.1 benno 409: <ul>
1.3 tb 410: <li>Bug fixes and simplifications in the Wycheproof tests.
1.1 benno 411: </ul>
1.3 tb 412: <li>Compatibility changes
1.1 benno 413: <ul>
1.3 tb 414: <li>Added ChaCha20 and chacha20 aliases for ChaCha.
415: <li><a href="https://man.openbsd.org/SSL_library_init">SSL_library_init(3)</a>
416: now has the same effect as OPENSSL_init_ssl().
417: <li><code>EVP_add_{cipher,digest}()</code> were removed. From the <code>OBJ_NAME</code> API,
418: only <a href="https://man.openbsd.org/OBJ_NAME_do_all">OBJ_NAME_do_all*()</a> remain.
419: In particular, it is no longer possible to add aliases for ciphers and digests.
420: <li>The thread unsafe global tables are no longer supported. It is no
421: longer possible to add aliases for ciphers and digests, custom ASN.1
422: strings table entries, ASN.1 methods, PKEY methods, digest methods,
423: CRL methods, purpose and trust identifiers, or X.509 extensions.
424: <li>Removed the _cb() and _fp() versions of
425: <a href="https://man.openbsd.org/BIO_dump">BIO_dump{,_indent}()</a>.
426: <li><code>BIO_set()</code> was removed.
427: <li><code>BIO_{sn,v,vsn}printf()</code> were removed.
428: <li>Turn the long dysfunctional
429: <a href="https://man.openbsd.org/openssl(1)">openssl(1)</a>
430: <code>s_client -pause</code> into a noop.
431: <li><a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> <code>x509</code>
432: now supports <code>-new</code>, <code>-force_pubkey</code>, <code>-multivalue-rdn</code>,
433: <code>-set_issuer</code> <code>-set_subject</code>, and <code>-utf8</code>.
434: <li>Support ECDSA with SHA-3 signature algorithms.
435: <li>Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
436: <li>GOST and STREEBOG support was removed.
437: <li><code>CRYPTO_THREADID</code>, <code>_LHASH</code>, <code>_STACK</code> and
438: <code>X509_PURPOSE</code> are now opaque, <code>X509_CERT_AUX</code> and
439: <code>X509_TRUST</code> were removed from the public API.
440: <li><a href="https://man.openbsd.org/ASN1_STRING_TABLE_get()">ASN1_STRING_TABLE_get(3)</a>
441: and <a href="https://man.openbsd.org/X509_PURPOSE_get0">X509_PURPOSE_get0*(3)</a> now
442: return const pointers.
443: <li><code>EVP_{CIPHER,MD}_CTX_init()</code>'s signatures and semantics now match
444: OpenSSL's behavior.
445: <li><code>sk_find_ex()</code> and <code>OBJ_bsearch_()</code> were removed.
446: <li><a href="https://man.openbsd.org/CRYPTO_malloc">CRYPTO_malloc(3)</a> was fixed to use
447: <code>size_t</code> argument. <code>CRYPTO_malloc()</code>
448: and <code>CRYPTO_free()</code> now accept file and line arguments.
449: <li>A lot of decrepit CRYPTO memory API was removed.
1.1 benno 450: </ul>
451: <li>Bug fixes
452: <ul>
1.3 tb 453: <li>Fixed aliasing issues in <code>BN_mod_exp_simple()</code> and <code>BN_mod_exp_recp()</code>.
454: <li>Fixed numerous misuses of
455: <a href="https://man.openbsd.org/X509_ALGOR_set0">X509_ALGOR_set0(3)</a>
456: resulting in leaks and potentially incorrect encodings.
457: <li>Fixed potential double free in
458: <a href="https://man.openbsd.org/X509v3_asid_add_id_or_range">X509v3_asid_add_id_or_range(3)</a>.
459: <li>Stopped using <code>ASN1_time_parse()</code> outside of libcrypto.
460: <li>Prepared <a href="https://man.openbsd.org/OPENSSL_gmtime">OPENSSL_gmtime(3)</a> and
461: <a href="https://man.openbsd.org/OPENSSL_timegm">OPENSSL_timegm(3)</a> as public API
462: wrappers of internal functions compatible with BoringSSL API.
463: <li>Removed <code>print_bin()</code> to avoid overwriting the stack with 5 bytes
464: of <code>" "</code> when ECPK parameters are printed with large
465: indentation.
466: <li>Avoid a <code>NULL</code> dereference after memory allocation failure during TLS
467: version downgrade.
468: <li>Fixed various bugs in CMAC internals.
469: <li>Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
470: <li>Fixed various NULL dereferences in PKCS #12 code due to mishandling
471: of OPTIONAL content in PKCS #7 ContentInfo.
472: <li>Aligned <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a>
473: behavior in TLSv1.3 with the legacy stack.
474: <li>Fixed the new X.509 verifier to find trust anchors in the trusted
475: stack.
1.1 benno 476: </ul>
477: </ul>
478:
1.16 djm 479: <li>OpenSSH 9.6 and OpenSSH 9.7
1.1 benno 480: <ul>
1.16 djm 481: <li>Security fixes
1.1 benno 482: <ul>
1.16 djm 483: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: implement protocol extensions to thwart the
484: so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
485: Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
486: limited break of the integrity of the early encrypted SSH transport
487: protocol by sending extra messages prior to the commencement of
488: encryption, and deleting an equal number of consecutive messages
489: immediately after encryption starts. A peer SSH client/server
490: would not be able to detect that messages were deleted.
491:
492: <br>While cryptographically novel, the security impact of this attack
493: is fortunately very limited as it only allows deletion of
494: consecutive messages, and deleting most messages at this stage of
1.17 gnezdo 495: the protocol prevents user authentication from proceeding and
1.16 djm 496: results in a stuck connection.
497:
498: <br>The most serious identified impact is that it lets a MITM to
499: delete the SSH2_MSG_EXT_INFO message sent before authentication
500: starts, allowing the attacker to disable a subset of the keystroke
501: timing obfuscation features introduced in OpenSSH 9.5. There is no
502: other discernable impact to session secrecy or session integrity.
503:
504: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: when adding PKCS#11-hosted private keys while
505: specifying destination constraints, if the PKCS#11 token returned
506: multiple keys then only the first key had the constraints applied.
507: Use of regular private keys, FIDO tokens and unconstrained keys
508: are unaffected.
509:
510: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if an invalid user or hostname that contained shell
511: metacharacters was passed to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, and a ProxyCommand,
512: LocalCommand directive or "match exec" predicate referenced the
513: user or hostname via %u, %h or similar expansion token, then
514: an attacker who could supply arbitrary user/hostnames to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
515: could potentially perform command injection depending on what
516: quoting was present in the user-supplied <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> directive.
517:
518: <br>OpenSSH 9.6 now
519: bans most shell metacharacters from user and hostnames supplied
520: via the command-line. This countermeasure is not guaranteed to be
521: effective in all situations, as it is infeasible for <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> to
522: universally filter shell metacharacters potentially relevant to
523: user-supplied commands.
524:
525: <br>User/hostnames provided via <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> are not subject to these
526: restrictions, allowing configurations that use strange names to
527: continue to be used, under the assumption that the user knows what
528: they are doing in their own configuration files.
1.1 benno 529: </ul>
530: <li>New features
531: <ul>
1.16 djm 532: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add a "global" ChannelTimeout type that watches
533: all open channels and will close all open channels if there is no
534: traffic on any of them for the specified interval. This is in
535: addition to the existing per-channel timeouts added recently.
536: <br>This supports situations like having both session and x11
537: forwarding channels open where one may be idle for an extended
538: period but the other is actively used. The global timeout could
539: close both channels when both have been idle for too long.
540:
541: <li>All: make DSA key support compile-time optional, defaulting to on.
1.1 benno 542: </ul>
543: <li>Bugfixes
544: <ul>
1.16 djm 545: <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't append an unnecessary space to the end of subsystem
546: arguments (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3667'>bz3667</a>)
547:
548: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix the multiplexing "channel proxy" mode, broken when
549: keystroke timing obfuscation was added. (<a href='https://github.com/openssh/openssh-portable/pull/463'>GHPR#463</a>)
550:
551: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix spurious configuration parsing errors when
552: options that accept array arguments are overridden (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3657'>bz3657</a>).
553:
554: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: fix potential spin in signal handler (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3670'>bz3670</a>)
555:
556: <li>Many fixes to manual pages and other documentation, including
557: <a href='https://github.com/openssh/openssh-portable/pull/462'>GHPR#462</a>, <a href='https://github.com/openssh/openssh-portable/pull/454'>GHPR#454</a>, <a href='https://github.com/openssh/openssh-portable/pull/442'>GHPR#442</a> and <a href='https://github.com/openssh/openssh-portable/pull/441'>GHPR#441</a>.
558:
559: <li>Greatly improve interop testing against PuTTY.
1.1 benno 560: </ul>
561: </ul>
562:
563: <li>Ports and packages:
564: <p>Many pre-built packages for each architecture:
565: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
566: <ul style="column-count: 3">
1.7 sthen 567: <li>aarch64: 12145
1.6 naddy 568: <li>amd64: 12309
1.1 benno 569: <li>arm: XXX
1.7 sthen 570: <li>i386: 10830
1.1 benno 571: <li>mips64: XXX
572: <li>powerpc: XXX
1.10 sthen 573: <li>powerpc64: 8469
1.1 benno 574: <li>riscv64: XXX
1.8 sthen 575: <li>sparc64: 9432
1.1 benno 576: </ul>
577:
578: <p>Some highlights:
579: <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2024-03-02 -->
1.9 lteo 580: <li>Asterisk 16.30.1, 18.21.0 and 20.6.0
581: <li>Audacity 3.4.2
582: <li>CMake 3.28.3
583: <li>Chromium 122.0.6261.111
584: <li>Emacs 29.2
1.1 benno 585: <li>FFmpeg 4.4.4
586: <li>GCC 8.4.0 and 11.2.0
1.9 lteo 587: <li>GHC 9.6.4
588: <li>GNOME 45
589: <li>Go 1.22.1
590: <li>JDK 8u402, 11.0.22, 17.0.10 and 21.0.2
591: <li>KDE Applications 23.08.4
592: <li>KDE Frameworks 5.115.0
1.13 rsadowsk 593: <li>KDE Plasma 5.27.10
1.9 lteo 594: <li>Krita 5.2.2
595: <li>LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
596: <li>LibreOffice 24.2.1.2
1.1 benno 597: <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
1.9 lteo 598: <li>MariaDB 10.9.8
1.1 benno 599: <li>Mono 6.12.0.199
1.9 lteo 600: <li>Mozilla Firefox 123.0.1 and ESR 115.8.0
601: <li>Mozilla Thunderbird 115.8.1
602: <li>Mutt 2.2.13 and NeoMutt 20240201
603: <li>Node.js 18.19.1
604: <li>OCaml 4.14.1
605: <li>OpenLDAP 2.6.7
606: <li>PHP 7.4.33, 8.0.30, 8.1.27, 8.2.16 and 8.3.3
607: <li>Postfix 3.8.6
608: <li>PostgreSQL 16.2
609: <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.8
1.13 rsadowsk 610: <li>Qt 5.15.12 (+ kde patches) and 6.6.1
1.1 benno 611: <li>R 4.2.3
1.9 lteo 612: <li>Ruby 3.1.4, 3.2.3 and 3.3.0
613: <li>Rust 1.76.0
614: <li>SQLite 3.44.2
1.1 benno 615: <li>Shotcut 23.07.29
1.9 lteo 616: <li>Sudo 1.9.15.5
617: <li>Suricata 7.0.3
1.1 benno 618: <li>Tcl/Tk 8.5.19 and 8.6.13
1.9 lteo 619: <li>TeX Live 2023
620: <li>Vim 9.1.139 and Neovim 0.9.5
621: <li>Xfce 4.18.1
1.1 benno 622: </ul>
623: <p>
624:
625: <li>As usual, steady improvements in manual pages and other documentation.
626:
627: <li>The system includes the following major components from outside suppliers:
628: <ul><!-- XXX all need to be checked/updated 2024-03-02 -->
1.4 matthieu 629: <li>Xenocara (based on X.Org 7.7 with xserver 21.1.11 + patches,
630: freetype 2.13.0, fontconfig 2.14.2, Mesa 23.1.9, xterm 378,
631: xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
632: <li>LLVM/Clang 16.0.6 (+ patches)
1.1 benno 633: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.4 matthieu 634: <li>Perl 5.36.3 (+ patches)
635: <li>NSD 4.8.0
1.1 benno 636: <li>Unbound 1.18.0
637: <li>Ncurses 5.7
638: <li>Binutils 2.17 (+ patches)
639: <li>Gdb 6.3 (+ patches)
1.4 matthieu 640: <li>Awk January 22, 2024
641: <li>Expat 2.6.0
642: <li>zlib 1.3.1 (+ patches)
1.1 benno 643: </ul>
644:
645: </ul>
646: </section>
647:
648: <hr>
649:
650: <section id=install>
651: <h3>How to install</h3>
652: <p>
653: Please refer to the following files on the mirror site for
654: extensive details on how to install OpenBSD 7.5 on your machine:
655:
656: <ul>
657: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/alpha/INSTALL.alpha">
658: .../OpenBSD/7.5/alpha/INSTALL.alpha</a>
659: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/amd64/INSTALL.amd64">
660: .../OpenBSD/7.5/amd64/INSTALL.amd64</a>
661: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64">
662: .../OpenBSD/7.5/arm64/INSTALL.arm64</a>
663: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/armv7/INSTALL.armv7">
664: .../OpenBSD/7.5/armv7/INSTALL.armv7</a>
665: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/hppa/INSTALL.hppa">
666: .../OpenBSD/7.5/hppa/INSTALL.hppa</a>
667: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/i386/INSTALL.i386">
668: .../OpenBSD/7.5/i386/INSTALL.i386</a>
669: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/landisk/INSTALL.landisk">
670: .../OpenBSD/7.5/landisk/INSTALL.landisk</a>
671: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/loongson/INSTALL.loongson">
672: .../OpenBSD/7.5/loongson/INSTALL.loongson</a>
673: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/luna88k/INSTALL.luna88k">
674: .../OpenBSD/7.5/luna88k/INSTALL.luna88k</a>
675: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/macppc/INSTALL.macppc">
676: .../OpenBSD/7.5/macppc/INSTALL.macppc</a>
677: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/octeon/INSTALL.octeon">
678: .../OpenBSD/7.5/octeon/INSTALL.octeon</a>
679: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/powerpc64/INSTALL.powerpc64">
680: .../OpenBSD/7.5/powerpc64/INSTALL.powerpc64</a>
681: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/riscv64/INSTALL.riscv64">
682: .../OpenBSD/7.5/riscv64/INSTALL.riscv64</a>
683: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/sparc64/INSTALL.sparc64">
684: .../OpenBSD/7.5/sparc64/INSTALL.sparc64</a>
685: </ul>
686: </section>
687:
688: <hr>
689:
690: <section id=quickinstall>
691: <p>
692: Quick installer information for people familiar with OpenBSD, and the use of
693: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
694: If you are at all confused when installing OpenBSD, read the relevant
695: INSTALL.* file as listed above!
696:
697: <h3>OpenBSD/alpha:</h3>
698:
699: <p>
700: If your machine can boot from CD, you can write <i>install75.iso</i> or
701: <i>cd75.iso</i> to a CD and boot from it.
702: Refer to INSTALL.alpha for more details.
703:
704: <h3>OpenBSD/amd64:</h3>
705:
706: <p>
707: If your machine can boot from CD, you can write <i>install75.iso</i> or
708: <i>cd75.iso</i> to a CD and boot from it.
709: You may need to adjust your BIOS options first.
710:
711: <p>
712: If your machine can boot from USB, you can write <i>install75.img</i> or
713: <i>miniroot75.img</i> to a USB stick and boot from it.
714:
715: <p>
716: If you can't boot from a CD, floppy disk, or USB,
717: you can install across the network using PXE as described in the included
718: INSTALL.amd64 document.
719:
720: <p>
721: If you are planning to dual boot OpenBSD with another OS, you will need to
722: read INSTALL.amd64.
723:
724: <h3>OpenBSD/arm64:</h3>
725:
726: <p>
1.12 jsg 727: If your machine can boot from CD, you can write <i>install75.iso</i> or
728: <i>cd75.iso</i> to a CD and boot from it.
729:
730: <p>
731: To boot from disk, write <i>install75.img</i> or <i>miniroot75.img</i> to a
732: disk and boot from it after connecting to the serial console. Refer to
733: INSTALL.arm64 for more details.
1.1 benno 734:
735: <h3>OpenBSD/armv7:</h3>
736:
737: <p>
738: Write a system specific miniroot to an SD card and boot from it after connecting
739: to the serial console. Refer to INSTALL.armv7 for more details.
740:
741: <h3>OpenBSD/hppa:</h3>
742:
743: <p>
744: Boot over the network by following the instructions in INSTALL.hppa or the
745: <a href="hppa.html#install">hppa platform page</a>.
746:
747: <h3>OpenBSD/i386:</h3>
748:
749: <p>
750: If your machine can boot from CD, you can write <i>install75.iso</i> or
751: <i>cd75.iso</i> to a CD and boot from it.
752: You may need to adjust your BIOS options first.
753:
754: <p>
755: If your machine can boot from USB, you can write <i>install75.img</i> or
756: <i>miniroot75.img</i> to a USB stick and boot from it.
757:
758: <p>
759: If you can't boot from a CD, floppy disk, or USB,
760: you can install across the network using PXE as described in
761: the included INSTALL.i386 document.
762:
763: <p>
764: If you are planning on dual booting OpenBSD with another OS, you will need to
765: read INSTALL.i386.
766:
767: <h3>OpenBSD/landisk:</h3>
768:
769: <p>
770: Write <i>miniroot75.img</i> to the start of the CF
771: or disk, and boot normally.
772:
773: <h3>OpenBSD/loongson:</h3>
774:
775: <p>
776: Write <i>miniroot75.img</i> to a USB stick and boot bsd.rd from it
777: or boot bsd.rd via tftp.
778: Refer to the instructions in INSTALL.loongson for more details.
779:
780: <h3>OpenBSD/luna88k:</h3>
781:
782: <p>
783: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
784: from the PROM, and then bsd.rd from the bootloader.
785: Refer to the instructions in INSTALL.luna88k for more details.
786:
787: <h3>OpenBSD/macppc:</h3>
788:
789: <p>
790: Burn the image from a mirror site to a CDROM, and power on your machine
791: while holding down the <i>C</i> key until the display turns on and
792: shows <i>OpenBSD/macppc boot</i>.
793:
794: <p>
795: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
796: /7.5/macppc/bsd.rd</i>
797:
798: <h3>OpenBSD/octeon:</h3>
799:
800: <p>
801: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
802: Refer to the instructions in INSTALL.octeon for more details.
803:
804: <h3>OpenBSD/powerpc64:</h3>
805:
806: <p>
807: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
808: USB stick, plug it into the machine and choose the <i>OpenBSD
809: install</i> menu item in Petitboot.
810: Refer to the instructions in INSTALL.powerpc64 for more details.
811:
812: <h3>OpenBSD/riscv64:</h3>
813:
814: <p>
815: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
816: USB stick, and boot with that drive plugged in.
817: Make sure you also have the microSD card plugged in that shipped with the
818: HiFive Unmatched board.
819: Refer to the instructions in INSTALL.riscv64 for more details.
820:
821: <h3>OpenBSD/sparc64:</h3>
822:
823: <p>
824: Burn the image from a mirror site to a CDROM, boot from it, and type
825: <i>boot cdrom</i>.
826:
827: <p>
828: If this doesn't work, or if you don't have a CDROM drive, you can write
829: <i>floppy75.img</i> or <i>floppyB75.img</i>
830: (depending on your machine) to a floppy and boot it with <i>boot
831: floppy</i>. Refer to INSTALL.sparc64 for details.
832:
833: <p>
834: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
835: will most likely fail.
836:
837: <p>
838: You can also write <i>miniroot75.img</i> to the swap partition on
839: the disk and boot with <i>boot disk:b</i>.
840:
841: <p>
842: If nothing works, you can boot over the network as described in INSTALL.sparc64.
843: </section>
844:
845: <hr>
846:
847: <section id=upgrade>
848: <h3>How to upgrade</h3>
849: <p>
850: If you already have an OpenBSD 7.4 system, and do not want to reinstall,
851: upgrade instructions and advice can be found in the
852: <a href="faq/upgrade75.html">Upgrade Guide</a>.
853: </section>
854:
855: <hr>
856:
857: <section id=sourcecode>
858: <h3>Notes about the source code</h3>
859: <p>
860: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
861: This file contains everything you need except for the kernel sources,
862: which are in a separate archive.
863: To extract:
864: <blockquote><pre>
865: # <kbd>mkdir -p /usr/src</kbd>
866: # <kbd>cd /usr/src</kbd>
867: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
868: </pre></blockquote>
869: <p>
870: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
871: This file contains all the kernel sources you need to rebuild kernels.
872: To extract:
873: <blockquote><pre>
874: # <kbd>mkdir -p /usr/src/sys</kbd>
875: # <kbd>cd /usr/src</kbd>
876: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
877: </pre></blockquote>
878: <p>
879: Both of these trees are a regular CVS checkout. Using these trees it
880: is possible to get a head-start on using the anoncvs servers as
881: described <a href="anoncvs.html">here</a>.
882: Using these files
883: results in a much faster initial CVS update than you could expect from
884: a fresh checkout of the full OpenBSD source tree.
885: </section>
886:
887: <hr>
888:
889: <section id=ports>
890: <h3>Ports Tree</h3>
891: <p>
892: A ports tree archive is also provided. To extract:
893: <blockquote><pre>
894: # <kbd>cd /usr</kbd>
895: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
896: </pre></blockquote>
897: <p>
898: Go read the <a href="faq/ports/index.html">ports</a> page
899: if you know nothing about ports
900: at this point. This text is not a manual of how to use ports.
901: Rather, it is a set of notes meant to kickstart the user on the
902: OpenBSD ports system.
903: <p>
904: The <i>ports/</i> directory represents a CVS checkout of our ports.
905: As with our complete source tree, our ports tree is available via
906: <a href="anoncvs.html">AnonCVS</a>.
907: So, in order to keep up to date with the -stable branch, you must make
908: the <i>ports/</i> tree available on a read-write medium and update the tree
909: with a command like:
910: <blockquote><pre>
911: # <kbd>cd /usr/ports</kbd>
912: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_5</kbd>
913: </pre></blockquote>
914: <p>
915: [Of course, you must replace the server name here with a nearby anoncvs
916: server.]
917: <p>
918: Note that most ports are available as packages on our mirrors. Updated
919: ports for the 7.5 release will be made available if problems arise.
920: <p>
921: If you're interested in seeing a port added, would like to help out, or just
922: would like to know more, the mailing list
923: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
924: </section>
925: </body>
926: </html>
![[BACK]](/icons/back.gif){kind=icon}
Return to 75.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www