Annotation of www/75.html, Revision 1.25
1.1 benno 1: <!doctype html>
2: <html lang=en id=release>
3: <head>
4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.5</title>
7: <meta name="description" content="OpenBSD 7.5">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/75.html">
11: </head><body>
12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.5
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/XXX.jpg">
22: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
23: <td>
24: Released XXXMONTH DAY, 2024. (56th OpenBSD release)<br>
25: Copyright 1997-2024, Theo de Raadt.<br>
26: <br>
27: Artwork by XXX.
28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.5/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata75.html">the 7.5 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus75.html">detailed log of changes</a> between the
37: 7.4 and 7.5 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-75-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/openbsd-75-base.pub">
47: RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q
48: </a><tr><td>
49: openbsd-75-fw.pub:
50: <td>
51: RWQ6EsXr4NMYvyLICug3dLHfmbpXlVasF1jbt3GVNQsosgB5+PgaufBu
52: <tr><td>
53: openbsd-75-pkg.pub:
54: <td>
55: RWS/sEFDvf+rjUmS1WROzxH05pB1kB7JRRq76DUGUhCE0Ks8AdpjP5pD
56: <tr><td>
57: openbsd-75-syspatch.pub:
58: <td>
59: RWRAAZC5WcFgn+8b5msDR+yDVCx4ziLaSQI2sy7e4GFY42nFW9p7mP2t
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.5.
74: For a comprehensive list, see the <a href="plus75.html">changelog</a> leading <!-- plus? XXX -->
75: to 7.5.
76:
77: <ul>
78:
79: <!--
80: <li>New/extended platforms:
81: <ul>
82: <li>...
83: </ul>
84: -->
85:
86: <li>Various kernel improvements:
87: <ul>
88: <li>...
89: </ul>
90:
91: <li>SMP Improvements
92: <ul>
1.22 lteo 93: <li>Some network timers run without kernel lock.
1.19 bluhm 94: <li>TCP syn cache timer runs with shared net lock.
95: <li><a href="https://man.openbsd.org/bind.2">bind(2)</a>
96: and <a href="https://man.openbsd.org/connect.2">connect(2)</a>
97: system calls can run in parallel.
98: <li>Packet counters for the <a
99: href="https://man.openbsd.org/lo.4">lo(4)</a> loopback
100: interface are MP safe.
101: <li>Split protocol control block table for UDP into IPv4
102: and IPv6 tables to allow concurrent access.
103: <li>UDP packets can be sent in parallel by multiple threads.
1.1 benno 104: </ul>
105:
106: <li>Direct Rendering Manager and graphics drivers
107: <ul>
1.11 jsg 108: <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
109: to Linux 6.6.19.
110: <li>New <a href="https://man.openbsd.org/arm64/apldcp.4">apldcp(4)</a> and
111: <a href="https://man.openbsd.org/arm64/apldrm.4">apldrm(4)</a> drivers
112: for Apple display coprocessor.
1.1 benno 113: </ul>
114:
115: <li>VMM/VMD improvements
116: <ul>
1.15 dv 117: <li>Fixed IRQ storm caused by edge-triggered devices such as the uart.
118: <li>Fixed block size calculation for vioscsi devices.
119: <li>Added io instruction length to vm exit information, allowing
120: <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to perform validation
121: in userspace.
122: <li>Adopted new <a href="https://man.openbsd.org/imsg_init.3">imsg_get_*(3)</a>
123: API.
124: <li>Rewrote vionet devices to allow zero-copy data transfers between host and
125: guest.
126: <li>Improved error messages related to <a href="https://man.openbsd.org/getgrnam.3">
127: getgrnam(3)</a> usage and out of <a href="https://man.openbsd.org/tap.4">tap(4)
128: </a> device conditions.
129: <li>Fixed various things found by smatch static analyzer.
130: <li>Fixed various file descriptor lifecycle issues and leaks across
131: <a href="https://man.openbsd.org/fork.2">fork(2)</a>/
132: <a href="https://man.openbsd.org/execve.2">execve(2)</a> usage.
133: <li>Added multi-threading support to vionet device emulation, improving latency.
134: <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> instability on Intel
135: VMX hosts by updating GDTR & TR if vcpu moves host cpus.
136: <li>Added EPT flushing upon <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
137: enabling VMX mode.
138: <li>Added branch predictor flushing if IBPB is supported.
139: <li>Corrected restoring GDTR and IDTR limits upon VMX guest exit.
140: <li>Corrected handling of CPUID 0xd subleaves.
141: <li>Added additional use of VERW and register clobbering to mitigate RFDS
142: vulnerabilities on Intel Atom cores.
1.1 benno 143: </ul>
144:
145: <li>Various new userland features:
146: <ul>
147: <li>...
148: </ul>
149:
150: <li>Various bugfixes and tweaks in userland:
151: <ul>
152: <li>...
153: </ul>
154:
155: <li>Improved hardware support and driver bugfixes, including:
156: <ul>
1.23 jsg 157: <li>New <a href="https://man.openbsd.org/arm64/ampchwm.4">ampchwm(4)</a>
158: driver for Ampere Altra power telemetry.
159: <li>New <a href="https://man.openbsd.org/rkspi.4">rkspi(4)</a>
160: driver for Rockchip SPI controller.
161: <li>Support for RK806 PMIC in
162: <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>.
163: <li>Support for Allwinner H616 in
164: <a href="https://man.openbsd.org/sxisyscon.4">sxisyscon(4)</a>,
165: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
166: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
167: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
168: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
169: <li>Support for Allwinner D1 in
170: <a href="https://man.openbsd.org/sxidog.4">sxidog(4)</a>,
171: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
172: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
173: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
174: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
175: <li>Support for Aero and Sea SAS HBAs in
176: <a href="https://man.openbsd.org/mpii.4">mpii(4)</a>.
177: <li>Support for SAS3816 and SAS3916 in
178: <a href="https://man.openbsd.org/mfii.4">mfii(4)</a>.
1.1 benno 179: </ul>
180:
181: <li>New or improved network hardware support:
182: <ul>
1.20 jan 183: <li>Utilize full checksum offload capabilities of
184: <a href="https://man.openbsd.org/vio.4">vio(4)</a> and
185: <a href="https://man.openbsd.org/vmx.4">vmx(4)</a>.</li>
186: <li>TCP Send Offload (TSO) is also used in
187: <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> and
188: <a href="https://man.openbsd.org/em.4">em(4)</a>.</li>
189: <li>The Synopsys Ethernet Quality-of-Service Controller
190: (<a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>) is enabled for
191: amd64.</li>
1.23 jsg 192: <li>Support for AX88179A in
193: <a href="https://man.openbsd.org/axen.4">axen(4)</a>.
1.20 jan 194: <li>The Intel I225 and I226 Ethernet Controller
195: <a href="https://man.openbsd.org/igc.4">igc(4)</a> are enabled for
196: sparc64.</li>
197: <li>The Allwinner EMAC Ethernet Controller
198: <a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> is enabled for
199: riscv64.</li>
1.1 benno 200: <li>...
201: </ul>
202:
203: <li>Added or improved wireless network drivers:
204: <ul>
1.14 stsp 205: <li>Introduce <a href="https://man.openbsd.org/qwx.4">qwx(4)</a>,
206: a port of the Linux ath11k driver for QCNFA765 devices.
207: Available on the amd64 and arm64 platforms.
208: <li>Fix Tx rate selection for management frames in
209: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
210: <li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> loading the wrong
211: firmware image on some devices.
212: <li>Make <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> work with MAC
213: addresses set via ifconfig lladdr.
214: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> uses the
215: 80 MHz primary channel index announced in beacons.
216: <li>Avoid using MCS-9 in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
217: Tx rate selection if 40 MHz is disabled to prevent firmware errors.
218: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
219: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices announce VHT
220: capabilities in probe requests.
221: <li>Fix bug in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
222: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, and
223: <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> which could result
224: in some channels missing from scan results.
225: <li>Enable <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> on the
226: arm64 platform.
1.1 benno 227: </ul>
228:
229: <li>IEEE 802.11 wireless stack improvements and bugfixes:
230: <ul>
1.14 stsp 231: <li> Ignore 40/80 MHz wide channel configurations which do not appear
232: in the 802.11ac spec. This prevents device firmware errors which
233: occurred when an access point announced an invalid channel configuration.
1.1 benno 234: </ul>
235:
236: <li>Installer, upgrade and bootloader improvements:
237: <ul>
238: <li>...
239: </ul>
240:
241: <li>Security improvements:
242: <ul>
243: <li>...
244: </ul>
245:
246: <li>Changes in the network stack:
247: <ul>
1.19 bluhm 248: <li>Enable IPv6 support in <a
249: href="https://man.openbsd.org/ppp.4">ppp(4)</a>.
250: <li>Sockets with sequenced packet type and control messages
251: handle end of record correctly.
1.21 jsg 252: <li>The routing table has a generation number. That means
1.19 bluhm 253: cached routes at sockets will be invalidated when the routing
254: table changes. Especially with dynamic routing daemons,
255: local connections use the up-to-date route.
256: <li>Route cache hits and misses are printed in
257: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
258: statistics.
1.1 benno 259: </ul>
260:
261: <li>The following changes were made to the <a
262: href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
263: <ul>
1.25 ! benno 264: <li>tcpdump on <a
! 265: href="https://man.openbsd.org/pflog.4">pflog(4)</a> interface shows
! 266: packets dropped by the default rule with the "block" action. Although
! 267: the default rule is a "pass" rule, it blocks malformed packets. Now
! 268: this is correctly logged.
! 269: <li>Adjustments to keep the firewall aware of MP-related changes in
! 270: the network stack.
1.24 sashan 271: <li>Fix handling of multiple <code>-K</code>(<code>-k</code>) options in
1.25 ! benno 272: <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>, so behavior
! 273: matches what's described in the manual.
! 274: <li>Make <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> show
! 275: all tables in all anchors with <code>pfctl -a "*" -sT</code>.
1.1 benno 276: </ul>
277:
278: <li>Routing daemons and other userland network improvements:
279: <ul>
280:
281: <li>IPsec support was improved:
282: <ul>
1.18 denis 283: <li>...
1.1 benno 284: </ul>
285:
286: <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
287: <ul>
1.18 denis 288: <li>...
1.1 benno 289: </ul>
290:
1.2 benno 291: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw these and more changes:
1.1 benno 292: <ul>
1.2 benno 293: <li>Add ability to constrain an RPKI Trust Anchor's effective signing
294: authority to a limited set of Internet numbers. This allows Relying
295: Parties to enjoy the potential benefits of assuming trust, but within
296: a bounded scope.
297: <li>Following a 'failed fetch' (described in RFC 9286), emit a warning and
298: continue with a previously cached Manifest file.
299: <li>Emit a warning when the remote repository presents a Manifest with an
300: unexpected manifestNumber.
301: <li>Improved CRL extension checking.
302: <li>Experimental support for the P-256 signature algorithm.
303: <!-- 8.8. -->
304: <li>A failed manifest fetch could result in a NULL pointer dereference or
305: a use after free.
306: <li>Reject non-conforming RRDP delta elements that contain neither a publish
307: nor a withdraw element and fall back to the RRDP snapshot.
308: <li>Refactoring and minor bug fixes in the warning display functions.
309: <!-- 8.9 -->
310: <li>The handling of manifests fetched via rsync or RRDP was reworked to
311: fully conform to RFC 9286.
312: <li>Fix a race condition between closing an idle connection and scheduling a
313: new request on it.
314: <li>The evaluation time specified with -P now also applies to trust anchor
315: certificates.
316: <li>Check that the entire CMS eContent was consumed. Previously, trailing
317: data would be silently discarded on deserialization of products.
318: <li>In file mode do not consider overclaiming intermediate CA certificates
319: as invalid. OAA warning is still issued.
320: <li>Print the revocation time of certificates in file mode.
321: <li>Be more careful when converting OpenSSL numeric identifiers (NIDs)
322: to strings.
323: <!-- 9.0 -->
324: <li>Added support for RPKI Signed Prefix Lists.
325: <li>Added an -x flag to opt into parsing and evaluation of file types that are
326: still considered experimental.
327: <li>Added a metric to track the number of new files that were moved to the
328: validated cache.
329: <li>Ensure that the FileAndHashes list in a Manifest contains no duplicate
330: file names and no duplicate hashes.
1.1 benno 331: </ul>
332:
333: <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
334: <ul>
1.5 op 335: <li>Add <code>Message-Id</code> as needed for messages received on
336: the submission port.
337: <li>Added support for RFC 7505 "Null MX" handling and treat
338: an MX of "localhost" as if it were a "Null MX".
339: <li>Allow inline tables and filter listings in
340: <a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
341: to span over multiple lines.
342: <li>Enabled <abbr title="Delivery Status Notification">DSN</abbr>
343: for the implicit socket too.
344: <li>Added the
345: <a href="https://man.openbsd.org/smtpd.conf.5#no-dsn~2">no-dsn</a>
346: option for <code>listen on socket</code> too.
347: <li>Reject headers that start with a space or a tab.
348: <li>Fixed parsing of the <code>ORCPT</code> parameter.
349: <li>Fixed table lookups of IPv6 addresses.
350: <li>Fixed handling of escape characters in To, From and Cc headers.
351: <li>Run <abbr title="Local Mail Transfer Protocol">LMTP</abbr>
352: deliveries as the recipient user again.
353: <li>Disallow custom commands and file reading in root's
354: <code>.forward</code> file.
355: <li>Do not process other users' <code>.forward</code> files when
356: an alternate delivery user is provided in a dispatcher.
357: <li>Unify the <a href="https://man.openbsd.org/table.5">table(5)</a>
358: parser used in
359: <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> and
360: <a href="https://man.openbsd.org/makemap.8">makemap(8)</a>.
361: <li>Allow the use of <a href="https://man.openbsd.org/table.5">table(5)</a>
362: mappings on various match constraints.
1.1 benno 363: </ul>
364:
365: <li>Many other changes in various network programs and libraries:
366: <ul>
1.19 bluhm 367: <li>If a DNS name is configured as remote syslog server,
368: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
369: retries to resolve the name periodically until it succeeds.
370: UDP packets that get lost during that period are counted and
371: logged later.
1.1 benno 372: <li>...
373: </ul>
374: </ul>
375:
376: <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
377: <ul>
378: <li>...
379: </ul>
380:
1.3 tb 381: <li>LibreSSL version 3.9.0
1.1 benno 382: <ul>
1.3 tb 383: <li>Portable changes
1.1 benno 384: <ul>
1.3 tb 385: <li>libcrypto no longer exports compat symbols in cmake builds.
386: <li>Most compatibility symbols are prefixed with <code>libressl_</code>
387: to avoid symbol clashes in static links.
388: <li>Fixed various warnings on Windows.
389: <li>Removed assert pop-ups with Windows debug builds.
390: <li>Fixed crashes and hangs in Windows ARM64 builds.
391: <li>Improved control-flow enforcement (CET) support.
1.1 benno 392: </ul>
1.3 tb 393: <li>Internal improvements
1.1 benno 394: <ul>
1.3 tb 395: <li>Converted uses of <code>OBJ_bsearch_()</code> to standard
396: <a href="https://man.openbsd.org/bsearch">bsearch(3)</a>.
397: <li>Greatly simplified <code>by_file_ctrl()</code>.
398: <li>Simplified and cleaned up the OBJ_ API.
399: <li>Cleaned up the <a href="https://man.openbsd.org/EVP_CipherInit">EVP_Cipher{Init,Update,Final}(3)</a> implementations.
400: <li>Removed unused function pointers from X.509 stores and contexts.
401: <li>A lot of cleanup and reorganization in EVP.
402: <li>Removed all remaining <code>ENGINE</code> tentacles.
403: <li>Simplified internals of <code>X509_TRUST</code> handling.
404: <li>Made deletion from a <a href="https://man.openbsd.org/lh_delete">lhash</a>
405: doall callback safe.
406: <li>Rewrote <a href="https://man.openbsd.org/BIO_dump">BIO_dump*(3)</a> internals
407: to be less bad.
1.1 benno 408: </ul>
1.3 tb 409: <li>Documentation improvements
1.1 benno 410: <ul>
1.3 tb 411: <li><code>ENGINE</code> documentation was updated to reflect reality.
412: <li>Made EVP API documentation more accurate and less incoherent.
413: <li>Call out some shortcomings of the <code>EC_KEY_set_*</code> API explicitly.
1.1 benno 414: </ul>
1.3 tb 415: <li>Testing and proactive security
1.1 benno 416: <ul>
1.3 tb 417: <li>Bug fixes and simplifications in the Wycheproof tests.
1.1 benno 418: </ul>
1.3 tb 419: <li>Compatibility changes
1.1 benno 420: <ul>
1.3 tb 421: <li>Added ChaCha20 and chacha20 aliases for ChaCha.
422: <li><a href="https://man.openbsd.org/SSL_library_init">SSL_library_init(3)</a>
423: now has the same effect as OPENSSL_init_ssl().
424: <li><code>EVP_add_{cipher,digest}()</code> were removed. From the <code>OBJ_NAME</code> API,
425: only <a href="https://man.openbsd.org/OBJ_NAME_do_all">OBJ_NAME_do_all*()</a> remain.
426: In particular, it is no longer possible to add aliases for ciphers and digests.
427: <li>The thread unsafe global tables are no longer supported. It is no
428: longer possible to add aliases for ciphers and digests, custom ASN.1
429: strings table entries, ASN.1 methods, PKEY methods, digest methods,
430: CRL methods, purpose and trust identifiers, or X.509 extensions.
431: <li>Removed the _cb() and _fp() versions of
432: <a href="https://man.openbsd.org/BIO_dump">BIO_dump{,_indent}()</a>.
433: <li><code>BIO_set()</code> was removed.
434: <li><code>BIO_{sn,v,vsn}printf()</code> were removed.
435: <li>Turn the long dysfunctional
436: <a href="https://man.openbsd.org/openssl(1)">openssl(1)</a>
437: <code>s_client -pause</code> into a noop.
438: <li><a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> <code>x509</code>
439: now supports <code>-new</code>, <code>-force_pubkey</code>, <code>-multivalue-rdn</code>,
440: <code>-set_issuer</code>, <code>-set_subject</code>, and <code>-utf8</code>.
441: <li>Support ECDSA with SHA-3 signature algorithms.
442: <li>Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
443: <li>GOST and STREEBOG support was removed.
444: <li><code>CRYPTO_THREADID</code>, <code>_LHASH</code>, <code>_STACK</code> and
445: <code>X509_PURPOSE</code> are now opaque, <code>X509_CERT_AUX</code> and
446: <code>X509_TRUST</code> were removed from the public API.
447: <li><a href="https://man.openbsd.org/ASN1_STRING_TABLE_get()">ASN1_STRING_TABLE_get(3)</a>
448: and <a href="https://man.openbsd.org/X509_PURPOSE_get0">X509_PURPOSE_get0*(3)</a> now
449: return const pointers.
450: <li><code>EVP_{CIPHER,MD}_CTX_init()</code>'s signatures and semantics now match
451: OpenSSL's behavior.
452: <li><code>sk_find_ex()</code> and <code>OBJ_bsearch_()</code> were removed.
453: <li><a href="https://man.openbsd.org/CRYPTO_malloc">CRYPTO_malloc(3)</a> was fixed to use a
454: <code>size_t</code> argument. <code>CRYPTO_malloc()</code>
455: and <code>CRYPTO_free()</code> now accept file and line arguments.
456: <li>A lot of decrepit CRYPTO memory API was removed.
1.1 benno 457: </ul>
458: <li>Bug fixes
459: <ul>
1.3 tb 460: <li>Fixed aliasing issues in <code>BN_mod_exp_simple()</code> and <code>BN_mod_exp_recp()</code>.
461: <li>Fixed numerous misuses of
462: <a href="https://man.openbsd.org/X509_ALGOR_set0">X509_ALGOR_set0(3)</a>
463: resulting in leaks and potentially incorrect encodings.
464: <li>Fixed potential double free in
465: <a href="https://man.openbsd.org/X509v3_asid_add_id_or_range">X509v3_asid_add_id_or_range(3)</a>.
466: <li>Stopped using <code>ASN1_time_parse()</code> outside of libcrypto.
467: <li>Prepared <a href="https://man.openbsd.org/OPENSSL_gmtime">OPENSSL_gmtime(3)</a> and
468: <a href="https://man.openbsd.org/OPENSSL_timegm">OPENSSL_timegm(3)</a> as public API
469: wrappers of internal functions compatible with BoringSSL API.
470: <li>Removed <code>print_bin()</code> to avoid overwriting the stack with 5 bytes
471: of <code>" "</code> when ECPK parameters are printed with large
472: indentation.
473: <li>Avoid a <code>NULL</code> dereference after memory allocation failure during TLS
474: version downgrade.
475: <li>Fixed various bugs in CMAC internals.
476: <li>Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
477: <li>Fixed various NULL dereferences in PKCS #12 code due to mishandling
478: of OPTIONAL content in PKCS #7 ContentInfo.
479: <li>Aligned <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a>
480: behavior in TLSv1.3 with the legacy stack.
481: <li>Fixed the new X.509 verifier to find trust anchors in the trusted
482: stack.
1.1 benno 483: </ul>
484: </ul>
485:
1.16 djm 486: <li>OpenSSH 9.6 and OpenSSH 9.7
1.1 benno 487: <ul>
1.16 djm 488: <li>Security fixes
1.1 benno 489: <ul>
1.16 djm 490: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: implement protocol extensions to thwart the
491: so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
492: Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
493: limited break of the integrity of the early encrypted SSH transport
494: protocol by sending extra messages prior to the commencement of
495: encryption, and deleting an equal number of consecutive messages
496: immediately after encryption starts. A peer SSH client/server
497: would not be able to detect that messages were deleted.
498:
499: <br>While cryptographically novel, the security impact of this attack
500: is fortunately very limited as it only allows deletion of
501: consecutive messages, and deleting most messages at this stage of
1.17 gnezdo 502: the protocol prevents user authentication from proceeding and
1.16 djm 503: results in a stuck connection.
504:
505: <br>The most serious identified impact is that it lets a MITM
506: delete the SSH2_MSG_EXT_INFO message sent before authentication
507: starts, allowing the attacker to disable a subset of the keystroke
508: timing obfuscation features introduced in OpenSSH 9.5. There is no
509: other discernable impact to session secrecy or session integrity.
510:
511: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: when adding PKCS#11-hosted private keys while
512: specifying destination constraints, if the PKCS#11 token returned
513: multiple keys then only the first key had the constraints applied.
514: Use of regular private keys, FIDO tokens and unconstrained keys
515: are unaffected.
516:
517: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if an invalid user or hostname that contained shell
518: metacharacters was passed to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, and a ProxyCommand,
519: LocalCommand directive or "match exec" predicate referenced the
520: user or hostname via %u, %h or similar expansion token, then
521: an attacker who could supply arbitrary user/hostnames to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
522: could potentially perform command injection depending on what
523: quoting was present in the user-supplied <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> directive.
524:
525: <br>OpenSSH 9.6 now
526: bans most shell metacharacters from user and hostnames supplied
527: via the command-line. This countermeasure is not guaranteed to be
528: effective in all situations, as it is infeasible for <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> to
529: universally filter shell metacharacters potentially relevant to
530: user-supplied commands.
531:
532: <br>User/hostnames provided via <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> are not subject to these
533: restrictions, allowing configurations that use strange names to
534: continue to be used, under the assumption that the user knows what
535: they are doing in their own configuration files.
1.1 benno 536: </ul>
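The ssh(1) item above notes that the 9.6 filter cannot cover every case, so a script that receives user or host names from outside can apply its own allowlist before calling ssh(1). The shell functions below are an added example, not OpenSSH code and not part of the original page; the function names and the accepted character sets are assumptions and are deliberately stricter than "most shell metacharacters".

```shell
#!/bin/sh
# Added example (not OpenSSH code): allowlist check for user and host names
# that come from outside the script, applied before they reach ssh(1) and any
# ProxyCommand, LocalCommand or "match exec" line that expands %u or %h.
# Function names and accepted character sets are assumptions.

LC_ALL=C; export LC_ALL   # make A-Z, a-z and 0-9 mean exactly ASCII

# Host: DNS names, IPv4 and IPv6 literals. No leading '-', at most 253 bytes.
valid_ssh_host() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        -*) return 1 ;;                  # would be read as an option
        *[!A-Za-z0-9._:-]*) return 1 ;;  # anything outside the allowlist
    esac
    return 0
}

# User: letters, digits, '.', '_' and '-'. No leading '-'.
valid_ssh_user() {
    [ -n "$1" ] || return 1
    case $1 in
        -*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Accepts "host" or "user@host"; returns 0 only if every part passes.
check_ssh_target() {
    case $1 in
        *@*)
            # Split at the last '@'; a second '@' stays in the user part
            # and is rejected by the user allowlist.
            valid_ssh_user "${1%@*}" || return 1
            valid_ssh_host "${1##*@}"
            ;;
        *)
            valid_ssh_host "$1"
            ;;
    esac
}

# Wrapper: refuse the connection (exit status 64) instead of passing a
# suspicious name on. "--" ends option parsing before the target.
safe_ssh() {
    ssh_target=$1
    shift
    if ! check_ssh_target "$ssh_target"; then
        echo "safe_ssh: refusing target with characters outside the allowlist" >&2
        return 64
    fi
    ssh -- "$ssh_target" "$@"
}
```

Names written directly into ssh_config(5) are, as stated above, not filtered by ssh(1), so the check belongs where untrusted input enters the script.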
537: <li>New features
538: <ul>
1.16 djm 539: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add a "global" ChannelTimeout type that watches
540: all open channels and will close all open channels if there is no
541: traffic on any of them for the specified interval. This is in
542: addition to the existing per-channel timeouts added recently.
543: <br>This supports situations like having both session and x11
544: forwarding channels open where one may be idle for an extended
545: period but the other is actively used. The global timeout could
546: close both channels when both have been idle for too long.
547:
548: <li>All: make DSA key support compile-time optional, defaulting to on.
1.1 benno 549: </ul>
550: <li>Bugfixes
551: <ul>
1.16 djm 552: <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't append an unnecessary space to the end of subsystem
553: arguments (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3667'>bz3667</a>)
554:
555: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix the multiplexing "channel proxy" mode, broken when
556: keystroke timing obfuscation was added. (<a href='https://github.com/openssh/openssh-portable/pull/463'>GHPR#463</a>)
557:
558: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix spurious configuration parsing errors when
559: options that accept array arguments are overridden (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3657'>bz3657</a>).
560:
561: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: fix potential spin in signal handler (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3670'>bz3670</a>)
562:
563: <li>Many fixes to manual pages and other documentation, including
564: <a href='https://github.com/openssh/openssh-portable/pull/462'>GHPR#462</a>, <a href='https://github.com/openssh/openssh-portable/pull/454'>GHPR#454</a>, <a href='https://github.com/openssh/openssh-portable/pull/442'>GHPR#442</a> and <a href='https://github.com/openssh/openssh-portable/pull/441'>GHPR#441</a>.
565:
566: <li>Greatly improve interop testing against PuTTY.
1.1 benno 567: </ul>
568: </ul>
569:
570: <li>Ports and packages:
571: <p>Many pre-built packages for each architecture:
572: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
573: <ul style="column-count: 3">
1.7 sthen 574: <li>aarch64: 12145
1.6 naddy 575: <li>amd64: 12309
1.1 benno 576: <li>arm: XXX
1.7 sthen 577: <li>i386: 10830
1.1 benno 578: <li>mips64: XXX
579: <li>powerpc: XXX
1.10 sthen 580: <li>powerpc64: 8469
1.1 benno 581: <li>riscv64: XXX
1.8 sthen 582: <li>sparc64: 9432
1.1 benno 583: </ul>
584:
585: <p>Some highlights:
586: <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2024-03-02 -->
1.9 lteo 587: <li>Asterisk 16.30.1, 18.21.0 and 20.6.0
588: <li>Audacity 3.4.2
589: <li>CMake 3.28.3
590: <li>Chromium 122.0.6261.111
591: <li>Emacs 29.2
1.1 benno 592: <li>FFmpeg 4.4.4
593: <li>GCC 8.4.0 and 11.2.0
1.9 lteo 594: <li>GHC 9.6.4
595: <li>GNOME 45
596: <li>Go 1.22.1
597: <li>JDK 8u402, 11.0.22, 17.0.10 and 21.0.2
598: <li>KDE Applications 23.08.4
599: <li>KDE Frameworks 5.115.0
1.13 rsadowsk 600: <li>KDE Plasma 5.27.10
1.9 lteo 601: <li>Krita 5.2.2
602: <li>LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
603: <li>LibreOffice 24.2.1.2
1.1 benno 604: <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
1.9 lteo 605: <li>MariaDB 10.9.8
1.1 benno 606: <li>Mono 6.12.0.199
1.9 lteo 607: <li>Mozilla Firefox 123.0.1 and ESR 115.8.0
608: <li>Mozilla Thunderbird 115.8.1
609: <li>Mutt 2.2.13 and NeoMutt 20240201
610: <li>Node.js 18.19.1
611: <li>OCaml 4.14.1
612: <li>OpenLDAP 2.6.7
613: <li>PHP 7.4.33, 8.0.30, 8.1.27, 8.2.16 and 8.3.3
614: <li>Postfix 3.8.6
615: <li>PostgreSQL 16.2
616: <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.8
1.13 rsadowsk 617: <li>Qt 5.15.12 (+ kde patches) and 6.6.1
1.1 benno 618: <li>R 4.2.3
1.9 lteo 619: <li>Ruby 3.1.4, 3.2.3 and 3.3.0
620: <li>Rust 1.76.0
621: <li>SQLite 3.44.2
1.1 benno 622: <li>Shotcut 23.07.29
1.9 lteo 623: <li>Sudo 1.9.15.5
624: <li>Suricata 7.0.3
1.1 benno 625: <li>Tcl/Tk 8.5.19 and 8.6.13
1.9 lteo 626: <li>TeX Live 2023
627: <li>Vim 9.1.139 and Neovim 0.9.5
628: <li>Xfce 4.18.1
1.1 benno 629: </ul>
630: <p>
631:
632: <li>As usual, steady improvements in manual pages and other documentation.
633:
634: <li>The system includes the following major components from outside suppliers:
635: <ul><!-- XXX all need to be checked/updated 2024-03-02 -->
1.4 matthieu 636: <li>Xenocara (based on X.Org 7.7 with xserver 21.1.11 + patches,
637: freetype 2.13.0, fontconfig 2.14.2, Mesa 23.1.9, xterm 378,
638: xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
639: <li>LLVM/Clang 16.0.6 (+ patches)
1.1 benno 640: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.4 matthieu 641: <li>Perl 5.36.3 (+ patches)
642: <li>NSD 4.8.0
1.1 benno 643: <li>Unbound 1.18.0
644: <li>Ncurses 5.7
645: <li>Binutils 2.17 (+ patches)
646: <li>Gdb 6.3 (+ patches)
1.4 matthieu 647: <li>Awk January 22, 2024
648: <li>Expat 2.6.0
649: <li>zlib 1.3.1 (+ patches)
1.1 benno 650: </ul>
651:
652: </ul>
653: </section>
654:
655: <hr>
656:
657: <section id=install>
658: <h3>How to install</h3>
659: <p>
660: Please refer to the following files on the mirror site for
661: extensive details on how to install OpenBSD 7.5 on your machine:
662:
663: <ul>
664: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/alpha/INSTALL.alpha">
665: .../OpenBSD/7.5/alpha/INSTALL.alpha</a>
666: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/amd64/INSTALL.amd64">
667: .../OpenBSD/7.5/amd64/INSTALL.amd64</a>
668: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64">
669: .../OpenBSD/7.5/arm64/INSTALL.arm64</a>
670: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/armv7/INSTALL.armv7">
671: .../OpenBSD/7.5/armv7/INSTALL.armv7</a>
672: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/hppa/INSTALL.hppa">
673: .../OpenBSD/7.5/hppa/INSTALL.hppa</a>
674: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/i386/INSTALL.i386">
675: .../OpenBSD/7.5/i386/INSTALL.i386</a>
676: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/landisk/INSTALL.landisk">
677: .../OpenBSD/7.5/landisk/INSTALL.landisk</a>
678: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/loongson/INSTALL.loongson">
679: .../OpenBSD/7.5/loongson/INSTALL.loongson</a>
680: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/luna88k/INSTALL.luna88k">
681: .../OpenBSD/7.5/luna88k/INSTALL.luna88k</a>
682: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/macppc/INSTALL.macppc">
683: .../OpenBSD/7.5/macppc/INSTALL.macppc</a>
684: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/octeon/INSTALL.octeon">
685: .../OpenBSD/7.5/octeon/INSTALL.octeon</a>
686: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/powerpc64/INSTALL.powerpc64">
687: .../OpenBSD/7.5/powerpc64/INSTALL.powerpc64</a>
688: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/riscv64/INSTALL.riscv64">
689: .../OpenBSD/7.5/riscv64/INSTALL.riscv64</a>
690: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/sparc64/INSTALL.sparc64">
691: .../OpenBSD/7.5/sparc64/INSTALL.sparc64</a>
692: </ul>
693: </section>
694:
695: <hr>
696:
697: <section id=quickinstall>
698: <p>
699: Quick installer information for people familiar with OpenBSD, and the use of
700: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
701: If you are at all confused when installing OpenBSD, read the relevant
702: INSTALL.* file as listed above!
703:
704: <h3>OpenBSD/alpha:</h3>
705:
706: <p>
707: If your machine can boot from CD, you can write <i>install75.iso</i> or
708: <i>cd75.iso</i> to a CD and boot from it.
709: Refer to INSTALL.alpha for more details.
710:
711: <h3>OpenBSD/amd64:</h3>
712:
713: <p>
714: If your machine can boot from CD, you can write <i>install75.iso</i> or
715: <i>cd75.iso</i> to a CD and boot from it.
716: You may need to adjust your BIOS options first.
717:
718: <p>
719: If your machine can boot from USB, you can write <i>install75.img</i> or
720: <i>miniroot75.img</i> to a USB stick and boot from it.
721:
722: <p>
723: If you can't boot from a CD, floppy disk, or USB,
724: you can install across the network using PXE as described in the included
725: INSTALL.amd64 document.
726:
727: <p>
728: If you are planning to dual boot OpenBSD with another OS, you will need to
729: read INSTALL.amd64.
730:
731: <h3>OpenBSD/arm64:</h3>
732:
733: <p>
1.12 jsg 734: If your machine can boot from CD, you can write <i>install75.iso</i> or
735: <i>cd75.iso</i> to a CD and boot from it.
736:
737: <p>
738: To boot from disk, write <i>install75.img</i> or <i>miniroot75.img</i> to a
739: disk and boot from it after connecting to the serial console. Refer to
740: INSTALL.arm64 for more details.
1.1 benno 741:
742: <h3>OpenBSD/armv7:</h3>
743:
744: <p>
745: Write a system-specific miniroot to an SD card and boot from it after connecting
746: to the serial console. Refer to INSTALL.armv7 for more details.
747:
748: <h3>OpenBSD/hppa:</h3>
749:
750: <p>
751: Boot over the network by following the instructions in INSTALL.hppa or the
752: <a href="hppa.html#install">hppa platform page</a>.
753:
754: <h3>OpenBSD/i386:</h3>
755:
756: <p>
757: If your machine can boot from CD, you can write <i>install75.iso</i> or
758: <i>cd75.iso</i> to a CD and boot from it.
759: You may need to adjust your BIOS options first.
760:
761: <p>
762: If your machine can boot from USB, you can write <i>install75.img</i> or
763: <i>miniroot75.img</i> to a USB stick and boot from it.
764:
765: <p>
766: If you can't boot from a CD, floppy disk, or USB,
767: you can install across the network using PXE as described in
768: the included INSTALL.i386 document.
769:
770: <p>
771: If you are planning on dual booting OpenBSD with another OS, you will need to
772: read INSTALL.i386.
773:
774: <h3>OpenBSD/landisk:</h3>
775:
776: <p>
777: Write <i>miniroot75.img</i> to the start of the CF
778: or disk, and boot normally.
779:
780: <h3>OpenBSD/loongson:</h3>
781:
782: <p>
783: Write <i>miniroot75.img</i> to a USB stick and boot bsd.rd from it
784: or boot bsd.rd via tftp.
785: Refer to the instructions in INSTALL.loongson for more details.
786:
787: <h3>OpenBSD/luna88k:</h3>
788:
789: <p>
790: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
791: from the PROM, and then bsd.rd from the bootloader.
792: Refer to the instructions in INSTALL.luna88k for more details.
793:
794: <h3>OpenBSD/macppc:</h3>
795:
796: <p>
797: Burn the image from a mirror site to a CDROM, and power on your machine
798: while holding down the <i>C</i> key until the display turns on and
799: shows <i>OpenBSD/macppc boot</i>.
800:
801: <p>
802: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
803: /7.5/macppc/bsd.rd</i>
804:
805: <h3>OpenBSD/octeon:</h3>
806:
807: <p>
808: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
809: Refer to the instructions in INSTALL.octeon for more details.
810:
811: <h3>OpenBSD/powerpc64:</h3>
812:
813: <p>
814: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
815: USB stick, plug it into the machine and choose the <i>OpenBSD
816: install</i> menu item in Petitboot.
817: Refer to the instructions in INSTALL.powerpc64 for more details.
818:
819: <h3>OpenBSD/riscv64:</h3>
820:
821: <p>
822: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
823: USB stick, and boot with that drive plugged in.
824: Make sure you also have the microSD card plugged in that shipped with the
825: HiFive Unmatched board.
826: Refer to the instructions in INSTALL.riscv64 for more details.
827:
828: <h3>OpenBSD/sparc64:</h3>
829:
830: <p>
831: Burn the image from a mirror site to a CDROM, boot from it, and type
832: <i>boot cdrom</i>.
833:
834: <p>
835: If this doesn't work, or if you don't have a CDROM drive, you can write
836: <i>floppy75.img</i> or <i>floppyB75.img</i>
837: (depending on your machine) to a floppy and boot it with <i>boot
838: floppy</i>. Refer to INSTALL.sparc64 for details.
839:
840: <p>
841: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
842: will most likely fail.
843:
844: <p>
845: You can also write <i>miniroot75.img</i> to the swap partition on
846: the disk and boot with <i>boot disk:b</i>.
847:
848: <p>
849: If nothing works, you can boot over the network as described in INSTALL.sparc64.
850: </section>
851:
852: <hr>
853:
854: <section id=upgrade>
855: <h3>How to upgrade</h3>
856: <p>
857: If you already have an OpenBSD 7.4 system, and do not want to reinstall,
858: upgrade instructions and advice can be found in the
859: <a href="faq/upgrade75.html">Upgrade Guide</a>.
860: </section>
861:
862: <hr>
863:
864: <section id=sourcecode>
865: <h3>Notes about the source code</h3>
866: <p>
867: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
868: This file contains everything you need except for the kernel sources,
869: which are in a separate archive.
870: To extract:
871: <blockquote><pre>
872: # <kbd>mkdir -p /usr/src</kbd>
873: # <kbd>cd /usr/src</kbd>
874: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
875: </pre></blockquote>
876: <p>
877: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
878: This file contains all the kernel sources you need to rebuild kernels.
879: To extract:
880: <blockquote><pre>
881: # <kbd>mkdir -p /usr/src/sys</kbd>
882: # <kbd>cd /usr/src</kbd>
883: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
884: </pre></blockquote>
885: <p>
886: Both of these trees are regular CVS checkouts. Using these trees it
887: is possible to get a head-start on using the anoncvs servers as
888: described <a href="anoncvs.html">here</a>.
889: Using these files
890: results in a much faster initial CVS update than you could expect from
891: a fresh checkout of the full OpenBSD source tree.
892: </section>
893:
894: <hr>
895:
896: <section id=ports>
897: <h3>Ports Tree</h3>
898: <p>
899: A ports tree archive is also provided. To extract:
900: <blockquote><pre>
901: # <kbd>cd /usr</kbd>
902: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
903: </pre></blockquote>
904: <p>
905: Go read the <a href="faq/ports/index.html">ports</a> page
906: if you know nothing about ports
907: at this point. This text is not a manual of how to use ports.
908: Rather, it is a set of notes meant to kickstart the user on the
909: OpenBSD ports system.
910: <p>
911: The <i>ports/</i> directory represents a CVS checkout of our ports.
912: As with our complete source tree, our ports tree is available via
913: <a href="anoncvs.html">AnonCVS</a>.
914: So, in order to keep up to date with the -stable branch, you must make
915: the <i>ports/</i> tree available on a read-write medium and update the tree
916: with a command like:
917: <blockquote><pre>
918: # <kbd>cd /usr/ports</kbd>
919: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_5</kbd>
920: </pre></blockquote>
921: <p>
922: [Of course, you must replace the server name here with a nearby anoncvs
923: server.]
924: <p>
925: Note that most ports are available as packages on our mirrors. Updated
926: ports for the 7.5 release will be made available if problems arise.
927: <p>
928: If you're interested in seeing a port added, would like to help out, or just
929: would like to know more, the mailing list
930: <a href="mail.html">ports@openbsd.org</a> is a good place to start.
931: </section>
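The extraction steps for src.tar.gz, sys.tar.gz and ports.tar.gz above, with a signify(1) check placed first so that an unverified archive is never unpacked as root. This is an added example, not part of the release page: it assumes SHA256.sig from the same pub/OpenBSD/7.5/ directory was downloaded next to the archives and is signed with the base key, and the PUBKEY, SRCDIR and DESTROOT variables and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the release page): verify first, extract second.
# Assumptions: SHA256.sig sits beside the archives in $SRCDIR and is signed
# with the 7.5 base key; all variable and function names here are ours.
PUBKEY=${PUBKEY:-/etc/signify/openbsd-75-base.pub}
SRCDIR=${SRCDIR:-/tmp}     # directory holding the downloaded files
DESTROOT=${DESTROOT:-}     # empty = real system; set a scratch dir to rehearse

# Map an archive name to the directory the release notes extract it in.
dest_for() {
	case "$1" in
	src.tar.gz|sys.tar.gz) echo "$DESTROOT/usr/src" ;;
	ports.tar.gz)          echo "$DESTROOT/usr" ;;
	*) return 1 ;;
	esac
}

# Succeed only if signify(1) confirms the archive against SHA256.sig.
verify_archive() {
	command -v signify >/dev/null 2>&1 || {
		echo "signify not found" >&2; return 1; }
	[ -r "$PUBKEY" ] && [ -r "$SRCDIR/SHA256.sig" ] && [ -r "$SRCDIR/$1" ] || {
		echo "missing public key, SHA256.sig or $1" >&2; return 1; }
	# -C checks the signature on the list, then the checksum of the named file.
	(cd "$SRCDIR" && signify -C -q -p "$PUBKEY" -x SHA256.sig "$1")
}

# Extract only after verification; on failure nothing is created or written.
extract_verified() {
	dest=$(dest_for "$1") || { echo "unknown archive: $1" >&2; return 2; }
	verify_archive "$1" || { echo "refusing to extract $1" >&2; return 1; }
	mkdir -p "$dest" && (cd "$dest" && tar xzf "$SRCDIR/$1")
}

# On a real system, as root:
#   for a in src.tar.gz sys.tar.gz ports.tar.gz; do
#       extract_verified "$a" || break
#   done
```

Setting DESTROOT to a scratch directory lets you rehearse the whole sequence without touching /usr.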
932: </body>
933: </html>