Annotation of www/75.html, Revision 1.35
1.1 benno 1: <!doctype html>
2: <html lang=en id=release>
3: <head>
4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.5</title>
7: <meta name="description" content="OpenBSD 7.5">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/75.html">
11: </head><body>
12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.5
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/XXX.jpg">
22: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
23: <td>
24: Released XXXMONTH DAY, 2024. (56th OpenBSD release)<br>
25: Copyright 1997-2024, Theo de Raadt.<br>
26: <br>
27: Artwork by XXX.
28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.5/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata75.html">the 7.5 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus75.html">detailed log of changes</a> between the
37: 7.4 and 7.5 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-75-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/openbsd-75-base.pub">
47: RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q
48: </a><tr><td>
49: openbsd-75-fw.pub:
50: <td>
51: RWQ6EsXr4NMYvyLICug3dLHfmbpXlVasF1jbt3GVNQsosgB5+PgaufBu
52: <tr><td>
53: openbsd-75-pkg.pub:
54: <td>
55: RWS/sEFDvf+rjUmS1WROzxH05pB1kB7JRRq76DUGUhCE0Ks8AdpjP5pD
56: <tr><td>
57: openbsd-75-syspatch.pub:
58: <td>
59: RWRAAZC5WcFgn+8b5msDR+yDVCx4ziLaSQI2sy7e4GFY42nFW9p7mP2t
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.5.
74: For a comprehensive list, see the <a href="plus75.html">changelog</a> leading <!-- plus? XXX -->
75: to 7.5.
76:
77: <ul>
78:
79: <!--
80: <li>New/extended platforms:
81: <ul>
82: <li>...
83: </ul>
84: -->
85:
86: <li>Various kernel improvements:
87: <ul>
1.26 benno 88: <li>Added <a href="https://man.openbsd.org/bt.5">bt(5)</a> and <a
89: href="https://man.openbsd.org/btrace.8">btrace(8)</a> support for
90: binary modulo operator ('%').
91: <li>Added a TIMEOUT_MPSAFE flag to <a
92: href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
93: <li>Added IBM encoded version of the "Spleen 8x16" font, usable as console font.
94: <li>Cleanup and machine-independent refactoring of three context
95: switch paths outside of mi_switch(): when a process forks and the new
96: proc needs to be scheduled by proc_trampoline, cpu_hatch: when booting
97: APs, and sched_exit: when a proc exits.
98: <li>Made <a href="https://man.openbsd.org/vscsi.4">vscsi(4)</a>
99: 'vscsi_filtops' mpsafe and extended the 'sc_state_mtx' <a
100: href="https://man.openbsd.org/mutex.9">mutex(9)</a> to protect
101: 'sc_klist' knotes list.
102: <li>Made out-of-swap checking more robust, preventing potential deadlocks.
103: <li>Eliminated the ioctl whitelist that <a
104: href="https://man.openbsd.org/bio.4">bio(4)</a> will tunnel for other
105: devices, allowing bio to be used with other (non-raid) related
106: devices.
1.30 benno 107: <li>On msdos filesystems, ensure that a complete struct fsinfo is read
108: even if the filesystem sectors are smaller.
109: <li>Implemented per-CPU caching for the page table page (vp) pool and
110: the PTE descriptor (pted) pool in the arm64 pmap implementation. This
111: significantly reduces the side-effects of lock contention on the
112: kernel map lock and leads to significant speedups on machines with
1.33 otto 113: many CPU cores.
1.34 benno 114: <li>Implemented <a href="https://man.openbsd.org/acpi.4">acpi(4)</a>
115: RootPathString support in the LoadTable() AML function, fixing OpenBSD
116: boot on an older version of Hyper-V.
117: <li>Fixed Linux NFS clients freezing after five minutes of inactivity.
118: <li>Fixed core file writing when a file mapped into memory has later been
119: truncated to be smaller than the mapping.
120: <li>Disallow <a
121: href="https://man.openbsd.org/madvise.2">madvise(2)</a> and <a
122: href="https://man.openbsd.org/msync.2">msync(2)</a> memory/mapping
123: destructive operations on immutable memory regions. Instead return EPERM.
124: <li>Added new amd64-only sysctl machdep.retpoline which says whether
125: the cpu requires the retpoline branch target injection mitigation.
126: <li>Added new accounting flag ABTCFI to <a
127: href="https://man.openbsd.org/acct.5">acct(5)</a> to indicate SIGILL +
128: code ILL_BTCFI has occurred in the process.
1.1 benno 129: </ul>
130:
131: <li>SMP Improvements
132: <ul>
1.30 benno 133: <li>Some network timers run without kernel lock.
134: <li>TCP syn cache timer runs with shared net lock.
135: <li><a href="https://man.openbsd.org/bind.2">bind(2)</a>
136: and <a href="https://man.openbsd.org/connect.2">connect(2)</a>
137: system calls can run in parallel.
138: <li>Packet counters for <a
139: href="https://man.openbsd.org/lo.4">lo(4)</a> loopback
140: interface are MP safe.
141: <li>Split protocol control block table for UDP into IPv4
142: and IPv6 tables to allow concurrent access.
143: <li>UDP packets can be sent in parallel by multiple threads.
1.1 benno 144: </ul>
145:
146: <li>Direct Rendering Manager and graphics drivers
147: <ul>
1.11 jsg 148: <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
149: to Linux 6.6.19.
150: <li>New <a href="https://man.openbsd.org/arm64/apldcp.4">apldcp(4)</a> and
151: <a href="https://man.openbsd.org/arm64/apldrm.4">apldrm(4)</a> drivers
152: for Apple display coprocessor.
1.1 benno 153: </ul>
154:
155: <li>VMM/VMD improvements
156: <ul>
1.31 jsg 157: <li>Fixed IRQ storm caused by edge-triggered devices such as the UART.
1.15 dv 158: <li>Fixed block size calculation for vioscsi devices.
159: <li>Added io instruction length to vm exit information, allowing
160: <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to perform validation
161: in userspace.
162: <li>Adopted new <a href="https://man.openbsd.org/imsg_init.3">imsg_get_*(3)</a>
163: api.
164: <li>Rewrote vionet devices to allow zero-copy data transfers between host and
165: guest.
166: <li>Improved error messages related to <a href="https://man.openbsd.org/getgrnam.3">
167: getgrnam(3)</a> usage and out of <a href="https://man.openbsd.org/tap.4">tap(4)
168: </a> device conditions.
169: <li>Fixed various things found by smatch static analyzer.
170: <li>Fixed various file descriptor lifecycle issues and leaks across
171: <a href="https://man.openbsd.org/fork.2">fork(2)</a>/
172: <a href="https://man.openbsd.org/execve.2">execve(2)</a> usage.
173: <li>Added multi-threading support to vionet device emulation, improving latency.
174: <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> instability on Intel
175: VMX hosts by updating GDTR & TR if vcpu moves host cpus.
176: <li>Added EPT flushing upon <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
177: enabling VMX mode.
178: <li>Added branch predictor flushing if IBPB is supported.
179: <li>Corrected restoring GDTR and IDTR limits upon VMX guest exit.
180: <li>Corrected handling of CPUID 0xd subleaves.
181: <li>Added additional use of VERW and register clobbering to mitigate RFDS
182: vulnerabilities on Intel Atom cores.
1.1 benno 183: </ul>
184:
185: <li>Various new userland features:
186: <ul>
1.32 otto 187: <li>Made <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> save
188: backtraces to show in leak dump with depth of backtrace set via malloc
189: option D (aka 1), 2, 3 or 4.
1.26 benno 190: <li>Added support for <a
191: href="https://man.openbsd.org/cksum.1">cksum(1)</a> -c checking base64
192: digests in reverse mode.
193: <li>Added <a href="https://man.openbsd.org/kdump.1">kdump(1)</a> [-p
194: program] to filter dumps by basename.
195: <li>Made <a href="https://man.openbsd.org/ps.1">ps(1)</a> accept numerical user IDs.
1.30 benno 196: <li>Build and provide the tzdata.zi and leap-seconds.list files from
197: zoneinfo. Some third-party software now expects these files to be
1.34 benno 198: installed. Provide the zonenow.tab file, a table where each row
199: stands for a timezone where civil timestamps are predicted to agree
200: from now on.
1.30 benno 201: <li>Added basic write support for <a
202: href="https://man.openbsd.org/pax.1">pax(1)</a> format archives.
203: <li>Added 'pax' format support for files over 8GB to <a
204: href="https://man.openbsd.org/tar.1">tar(1)</a>.
205: <li>Added 'pax' format support for mtime and atime to <a
206: href="https://man.openbsd.org/tar.1">tar(1)</a>.
207: <li>Extended <a href="https://man.openbsd.org/imsg_init.3">imsg</a>
208: and the <a href="https://man.openbsd.org/ibuf_add.3">ibuf</a> buffer
1.34 benno 209: manipulation API with useful getter methods. Unified file descriptor
210: passing in all imsg using programs with the use of the imsg_get_fd()
211: function.
212: <li>Added <a
213: href="https://man.openbsd.org/mkdtemps.3">mkdtemps(3)</a>, identical
214: to <a href="https://man.openbsd.org/mkdtemp.3">mkdtemp(3)</a> except
215: that it permits a suffix to exist in the template.
216: <li>Added <a href="https://man.openbsd.org/mktemp.1">mktemp(1)</a>
217: suffix support for compatibility with the GNU version. It is now
218: possible to use templates where the Xs are not at the end.
1.1 benno 219: </ul>
220:
221: <li>Various bugfixes and tweaks in userland:
222: <ul>
1.26 benno 223: <li>Silenced list of specific firmware not needing update in <a
224: href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
225: <li>Improved <a href="https://man.openbsd.org/ls.1">ls(1)</a> horizontal alignment in long format.
226: <li>Added <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> retry on empty passphrase.
227: <li>Fixed <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in
228: <a href="https://man.openbsd.org/patch.1">patch(1)</a> with explicit
229: patchfile.
230: <li>Made gnu99 the default for gcc 3.3.6 and 4.2.1 rather than defaulting to gnu89.
231: <!-- fdisk -->
232: <li>Enhanced <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> 'flag' to accept hex values.
233: <li>Prevented <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
234: 'flag' from altering other GPT partition attributes when flagging a
235: partition as the only bootable partition.
1.34 benno 236: <li>Allow <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to
237: add GPT partitions of protected types, making it possible to provision
238: virtual machine images that need a "BIOS Boot" partition.
239:
1.26 benno 240: <li>Added group handling matching <a
241: href="https://man.openbsd.org/fbtab.5">fbtab(5)</a> to xenodm.
1.30 benno 242: <li>Made <a href="https://man.openbsd.org/grep.1">grep(1)</a> -m behavior match GNU grep.
243: <li>Tweaked the default memory limits in /etc/login.conf on several
1.31 jsg 244: architectures to account for increased memory requirements, for
1.30 benno 245: example when compiling or linking under user pbuild.
246: <li>Initialize all terminals with "tset -I", thereby avoiding extra
247: newlines to be printed.
248: <li>Added <a href="https://man.openbsd.org/mkhybrid.8">mkhybrid(8)</a>
249: '-e' (-eltorito-boot-efi) option for writing an EFI eltorito boot
250: image, in addition to or instead of the x86 boot image, to the output
251: file.
252: <li>Added <a
253: href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
254: --omit-dir-times (-O) to omit directories from --times, as well as
255: --no-O and --no-omit-dir-times options for compatibility.
256: <li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
257: --omit-link-times (-J) option to omit symlinks from --times.
258: <li>Added accounting flag and <a
259: href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> report for
260: <a href="https://man.openbsd.org/pinsyscalls.2">syscall pinning</a> violations.
261: <li>Added <a href="https://man.openbsd.org/ktrace.1">ktrace(1)</a> and
262: <a href="https://man.openbsd.org/kdump.1">kdump(1)</a> support to
263: observe <a
264: href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>
265: violations.
266: <li>Changed <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> to
267: avoid use of the interactive shell if -o is given.
268: <li>Moved non-daemon services to run in a different <a
269: href="https://man.openbsd.org/rc.8">rc(8)</a> process group to avoid
270: SIGHUP at boot.
1.34 benno 271: <li>Changed <a
272: href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> to only load the first requested libc version encountered
273: and substitute it for all further loads, ensuring that the
274: libc version requested by an executable itself is the one loaded.
275: <li>Significantly (for small programs) reduce the size of statically
276: linked binaries by splitting several libc internal functions into
277: separate compilation and thus linkage units. Specifically <a
278: href="https://man.openbsd.org/getpwnam.3">getpwnam(3)</a> does not
279: need the full YP socket setup and does not use all possible <a
280: href="https://man.openbsd.org/dbopen.3">dbopen(3)</a> database
281: backends.
282: <li>Added <a href="https://man.openbsd.org/vi.1">vi(1)</a>
283: showfilename set option to display the file name in the lower left
284: corner.
285: <li>Added backup of disklabel for <a
286: href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks to <a
287: href="https://man.openbsd.org/security.8">security(8)</a>.
1.1 benno 288: </ul>
289:
290: <li>Improved hardware support and driver bugfixes, including:
291: <ul>
1.23 jsg 292: <li>New <a href="https://man.openbsd.org/arm64/ampchwm.4">ampchwm(4)</a>
293: driver for Ampere Altra power telemetry.
294: <li>New <a href="https://man.openbsd.org/rkspi.4">rkspi(4)</a>
295: driver for Rockchip SPI controller.
296: <li>Support for RK806 PMIC in
297: <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>.
298: <li>Support for Allwinner H616 in
299: <a href="https://man.openbsd.org/sxisyscon.4">sxisyscon(4)</a>,
300: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
301: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
302: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
303: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
304: <li>Support for Allwinner D1 in
305: <a href="https://man.openbsd.org/sxidog.4">sxidog(4)</a>,
306: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
307: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
308: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
309: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
310: <li>Support for Aero and Sea SAS HBAs in
311: <a href="https://man.openbsd.org/mpii.4">mpii(4)</a>.
312: <li>Support for SAS3816 and SAS3916 in
313: <a href="https://man.openbsd.org/mfii.4">mfii(4)</a>.
1.26 benno 314: <li>In <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>, allowed Xen
315: to use backing store devices with 4K-byte sectors.
316: <li>Added <a href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>
317: support for the Rockchip RK8602 and RK8603 voltage regulators.
1.30 benno 318: <li>Support keyboard backlights on Apple Powerbooks.
319: <li>Added operating performance point info about each arm64 cpu and
320: expose the states of thermal zones as <a
321: href="https://man.openbsd.org/kstat.1">kstats(1)</a>.
322: <li>Overhauled <a
323: href="https://man.openbsd.org/ugold.4">ugold(4)</a> temperature sensor
324: identification logic and added support for additional devices.
325: <li>Made <a href="https://man.openbsd.org/uthum.4">uthum(4)</a>
326: TEMPer{1,2} devices display negative degC.
327: <li>Improve support for audio devices that attach via multiple <a
328: href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> drivers.
1.1 benno 329: </ul>
330:
331: <li>New or improved network hardware support:
332: <ul>
1.20 jan 333: <li>Utilize full checksum offload capabilities of
334: <a href="https://man.openbsd.org/vio.4">vio(4)</a> and
1.29 jan 335: <a href="https://man.openbsd.org/vmx.4">vmx(4)</a>.
336: <li>TCP Segmentation Offload (TSO) is also used in
1.20 jan 337: <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> and
1.29 jan 338: <a href="https://man.openbsd.org/em.4">em(4)</a>.
1.30 benno 339: <li>Enabled TCP Segmentation Offload (TSO) in <a
340: href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
1.20 jan 341: <li>The Synopsys Ethernet Quality-of-Service Controller
342: (<a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>) is enabled for
1.29 jan 343: amd64.
1.31 jsg 344: <li>Added initial support for Elkhart Lake Ethernet to <a
1.26 benno 345: href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>.
1.23 jsg 346: <li>Support for AX88179A in
347: <a href="https://man.openbsd.org/axen.4">axen(4)</a>.
1.29 jan 348: <li>Intel I225 and I226 Ethernet Controller
349: <a href="https://man.openbsd.org/igc.4">igc(4)</a> enabled for
350: sparc64.
351: <li>Allwinner EMAC Ethernet Controller
352: <a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> enabled for
353: riscv64.
1.26 benno 354: <li>Corrected wrong register offset macros for <a
355: href="https://man.openbsd.org/dwqe.4">dwqe(4)</a> DMA burst length.
1.30 benno 356: <li>Fixed Tx watchdog trigger and freeze in <a
357: href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>.
358: <li>Updated <a href="https://man.openbsd.org/rge.4">rge(4)</a>
359: microcode, initialization and reset behavior.
1.34 benno 360: <li>Prevented a potential <a
361: href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> crash after failure
362: to bring up a queue.
1.1 benno 363: </ul>
364:
365: <li>Added or improved wireless network drivers:
366: <ul>
1.14 stsp 367: <li>Introduce <a href="https://man.openbsd.org/qwx.4">qwx(4)</a>,
368: a port of the Linux ath11k driver for QCNFA765 devices.
369: Available on the amd64 and arm64 platforms.
370: <li>Fix Tx rate selection for management frames in
371: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
372: <li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> loading the wrong
373: firmware image on some devices.
374: <li>Make <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> work with MAC
375: addresses set via ifconfig lladdr.
376: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> uses the
377: 80MHz primary channel index announced in beacons.
378: <li>Avoid using MCS-9 in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
379: Tx rate selection if 40 MHz is disabled to prevent firmware errors.
380: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
381: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices announce VHT
382: capabilities in probe requests.
383: <li>Fix bug in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
384: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, and
385: <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> which could result
386: in some channels missing from scan results.
387: <li>Enable <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> on the
388: arm64 platform.
1.1 benno 389: </ul>
390:
391: <li>IEEE 802.11 wireless stack improvements and bugfixes:
392: <ul>
1.14 stsp 393: <li> Ignore 40/80 MHz wide channel configurations which do not appear
394: in the 802.11ac spec. This prevents device firmware errors which
395: occurred when an access point announced an invalid channel configuration.
1.1 benno 396: </ul>
397:
398: <li>Installer, upgrade and bootloader improvements:
399: <ul>
1.34 benno 400: <li>Add support for disk encryption in unattended installations with
401: <a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>,
402: either with a plaintext passphrase or a keydisk.
1.26 benno 403: <li>Removed default sets answer in <a
404: href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>
405: response file such that it now populates only with non-defaults.
406: <li>Made <a
407: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> verify but
408: not overwrite SHA256.sig.
1.30 benno 409: <li>Improved <a
410: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> output on
411: errors and improved ftp error handling.
1.26 benno 412: <li>Added support in the installer to encrypt the root disk with a key disk.
413: <li>Prevent re-starting the automatic upgrade on octeon and
414: powerpc64, as is already done on other platforms.
1.34 benno 415: <li>Added CD install images to arm64.
1.30 benno 416: <li>Make the amd64 cdXX.iso and installXX.iso CD images bootable in
417: EFI mode (by creating an EFI system partition containing the EFI boot
418: loaders to be installed as an El Torito boot image).
1.1 benno 419: </ul>
420:
421: <li>Security improvements:
422: <ul>
1.35 ! benno 423: <li>Introduce pinsyscalls(2): The kernel and <a
! 424: href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> register the
! 425: precise entry location of every system call used by a program, as
! 426: described in the new ELF section .openbsd.syscalls inside ld.so and
! 427: libc.so. ld.so uses the new syscall <a
! 428: href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> to
! 429: tell the kernel the precise entry location of system calls in
! 430: libc.so.<br>
! 431: Attempting to use a different system call entry instruction to
! 432: perform a non-corresponding system call operation will fail and the
! 433: process will be terminated with signal SIGABRT.
! 434: <li>Removed support for <a
! 435: href="https://man.openbsd.org/syscall.2">syscall(2)</a>, the
! 436: "indirection system call," a dangerous alternative entry point for all
! 437: system calls.<br>
! 438: Together with <a
! 439: href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> this
! 440: change makes it impossible to perform system calls through any other
! 441: way than the libc system call wrapper functions.<br>
! 442: Users of syscall(2), such as Perl and the Go programming
! 443: language, were converted to use the libc functions.
1.26 benno 444: <li>Added <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
445: stdio before parsing pfkey messages to <a
446: href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> -m and -s.
1.35 ! benno 447: <li>Tightened the <a
! 448: href="https://man.openbsd.org/pledge.2">pledge(2)</a> in <a
! 449: href="https://man.openbsd.org/pax.1">pax(1)</a> in List and Append
! 450: modes.
! 451: <li>Created __OpenBSD versions of llvm cxa guard implementation
! 452: using <a href="https://man.openbsd.org/futex.2">futex(2)</a> with the
! 453: correct number of arguments and without using <a
1.26 benno 454: href="https://man.openbsd.org/syscall.2">syscall(2)</a>.
1.35 ! benno 455: <li>Improvements in Pointer Authentication (PAC) and Branch Target
! 456: Identification (BTI) on arm64.
1.1 benno 457: </ul>
458:
459: <li>Changes in the network stack:
460: <ul>
1.26 benno 461: <li>Enable IPv6 support in <a
1.19 bluhm 462: href="https://man.openbsd.org/ppp.4">ppp(4)</a>
1.26 benno 463: <li>Socket with sequenced packet type and control messages
1.19 bluhm 464: handle end of record correctly.
1.26 benno 465: <li>The routing table has a generation number. That means
1.19 bluhm 466: cached routes at sockets will be invalidated when the routing
467: table changes. Especially with dynamic routing daemons
468: local connections use the up to date route.
1.26 benno 469: <li>Route cache hits and misses are printed in
1.19 bluhm 470: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
1.26 benno 471: statistics.
472: <li>Prevented <a href="https://man.openbsd.org/wg.4">wg(4)</a>
473: getting stuck on peer destruction.
474: <li>Made <a href="https://man.openbsd.org/umb.4">umb(4)</a> delete any
475: existing v4 address before setting a new one, allowing keeping of a
476: working default route when the address changes.
477: <li>Forwarded TCP LRO disabling to parent devices and disabled TCP LRO
478: on bridged <a href="https://man.openbsd.org/vlan.4">vlan(4)</a> and
479: default for <a href="https://man.openbsd.org/bpe.4">bpe(4)</a>, <a
480: href="https://man.openbsd.org/nvgre.4">nvgre(4)</a> and <a
481: href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
1.30 benno 482: <li>Fixed race between <a
483: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> destroy of
484: an interface and the ARP timer.
1.34 benno 485: <li>Added statistics counters for the route cache, reporting cache
486: hits and misses. This is shown in <a
487: href="https://man.openbsd.org/netstat.1">netstat(1)</a> with
488: <code>netstat -s</code>.
1.1 benno 489: </ul>
490:
491: <li>The following changes were made to the <a
492: href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
493: <ul>
1.25 benno 494: <li>tcpdump on <a
495: href="https://man.openbsd.org/pflog.4">pflog(4)</a> interface shows
496: packets dropped by the default rule with the "block" action. Although
497: the default rule is a "pass" rule, it blocks malformed packets. Now
498: this is correctly logged.
499: <li>Adjustments to keep the firewall aware of MP related changes in
500: the network stack.
1.24 sashan 501: <li>Fix handling of multiple <code>-K</code>(<code>-k</code>) options in
1.25 benno 502: <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>, so behavior
503: matches what's described in the manual.
504: <li>Make <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> show
505: all tables in all anchors with <code>pfctl -a "*" -sT</code>.
1.26 benno 506: <li>Added check to ensure <a
507: href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> -f won't accept a
508: directory and install an empty ruleset.
1.34 benno 509: <li>Added validation for IPv4 packet options in <a
510: href="https://man.openbsd.org/divert.4">divert(4)</a>.
1.1 benno 511: </ul>
512:
513: <li>Routing daemons and other userland network improvements:
1.30 benno 514: <ul>
1.1 benno 515: <li>IPsec support was improved:
516: <ul>
1.26 benno 517:
518: <li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a> always
519: prefer group from the initial KE payload as responder if supported.
1.30 benno 520: <li>Corrected renewal of expired certificates in <a
521: href="https://man.openbsd.org/iked.8">iked(8)</a>.
1.34 benno 522: <li>Added an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
523: debug message when no policy is found.
524: <li>Implemented a per connection peerid for <a
525: href="https://man.openbsd.org/iked.8">iked(8)</a> control replies.
526: <li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a>
527: trigger retransmission only for fragment 1/x to prevent each received
528: fragment triggering retransmission of the full fragment queue.
529: <li>Prevent routing loops by dropping already encrypted packets that are going through <a
530: href="https://man.openbsd.org/sec.4">sec(4)</a> again.
1.1 benno 531: </ul>
532:
533: <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
534: <ul>
1.35 ! benno 535: <li>Rewrite the internal message passing mechanism to use a new
! 536: memory-safe API.
! 537: <li>Rewrite most protocol parsers to use the new memory-safe API.
! 538: Convert the UPDATE parser, all of RTR, as well as both the MRT dump
! 539: code in bgpd and the parser in bgpctl.
! 540: <li>Improve RTR logging, error handling and version negotiation.
1.1 benno 541: </ul>
542:
1.2 benno 543: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw these and more changes:
1.1 benno 544: <ul>
1.2 benno 545: <li>Add ability to constrain an RPKI Trust Anchor's effective signing
546: authority to a limited set of Internet numbers. This allows Relying
547: Parties to enjoy the potential benefits of assuming trust, but within
548: a bounded scope.
549: <li>Following a 'failed fetch' (described in RFC 9286), emit a warning and
550: continue with a previously cached Manifest file.
551: <li>Emit a warning when the remote repository presents a Manifest with an
552: unexpected manifestNumber.
553: <li>Improved CRL extension checking.
554: <li>Experimental support for the P-256 signature algorithm.
555: <!-- 8.8. -->
556: <li>A failed manifest fetch could result in a NULL pointer dereference or
557: a use after free.
558: <li>Reject non-conforming RRDP delta elements that contain neither publish
559: nor a withdraw element and fall back to the RRDP snapshot.
560: <li>Refactoring and minor bug fixes in the warning display functions.
561: <!-- 8.9 -->
562: <li>The handling of manifests fetched via rsync or RRDP was reworked to
563: fully conform to RFC 9286.
564: <li>Fix a race condition between closing an idle connection and scheduling a
565: new request on it.
566: <li>The evaluation time specified with -P now also applies to trust anchor
567: certificates.
568: <li>Check that the entire CMS eContent was consumed. Previously, trailing
569: data would be silently discarded on deserialization of products.
570: <li>In file mode do not consider overclaiming intermediate CA certificates
571: as invalid. OAA warning is still issued.
572: <li>Print the revocation time of certificates in file mode.
573: <li>Be more careful when converting OpenSSL numeric identifiers (NIDs)
574: to strings.
575: <!-- 9.0 -->
576: <li>Added support for RPKI Signed Prefix Lists.
577: <li>Added an -x flag to opt into parsing and evaluation of file types that are
578: still considered experimental.
579: <li>Added a metric to track the number of new files that were moved to the
580: validated cache.
581: <li>Ensure that the FileAndHashes list in a Manifest contains no duplicate
582: file names and no duplicate hashes.
1.1 benno 583: </ul>
584:
585: <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
586: <ul>
1.5 op 587: <li>Add <code>Message-Id</code> as needed for messages received on
588: the submission port.
589: <li>Added support for RFC 7505 "Null MX" handling and treat
590: an MX of "localhost" as if it were a "Null MX".
591: <li>Allow inline tables and filter listings in
592: <a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
593: to span over multiple lines.
594: <li>Enabled <abbr title="Delivery Status Notification">DSN</abbr>
595: for the implicit socket too.
596: <li>Added the
597: <a href="https://man.openbsd.org/smtpd.conf.5#no-dsn~2">no-dsn</a>
598: option for <code>listen on socket</code> too.
599: <li>Reject headers that start with a space or a tab.
600: <li>Fixed parsing of the <code>ORCPT</code> parameter.
601: <li>Fixed table lookups of IPv6 addresses.
602: <li>Fixed handling of escape characters in To, From and Cc headers.
603: <li>Run <abbr title="Local Mail Transfer Protocol">LMTP</abbr>
604: deliveries as the recipient user again.
605: <li>Disallow custom commands and file reading in root's
606: <code>.forward</code> file.
607: <li>Do not process other users' <code>.forward</code> files when
608: an alternate delivery user is provided in a dispatcher.
609: <li>Unify the <a href="https://man.openbsd.org/table.5">table(5)</a>
610: parser used in
611: <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> and
612: <a href="https://man.openbsd.org/makemap.8">makemap(8)</a>.
613: <li>Allow the use of <a href="https://man.openbsd.org/table.5">table(5)</a>
614: mappings on various match constraints.
1.1 benno 615: </ul>
1.30 benno 616: <!-- OTHER -->
1.1 benno 617: <li>Many other changes in various network programs and libraries:
618: <ul>
1.30 benno 619: <!-- syslogd -->
1.19 bluhm 620: <li>If a DNS name is configured as remote syslog server,
1.26 benno 621: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
622: retries to resolve the loghost name periodically until it succeeds.
623: UDP packets that get lost during that period are counted and
624: logged later.
625: <li>Added counting of dropped UDP packets to <a
626: href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>.
1.30 benno 627: <li>Prevented use after free of TLS context at <a
628: href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> shutdown.
629: <!-- dhcp -->
1.26 benno 630: <li>Introduced <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>
631: log output to stderr and '-v' option to make this output more verbose.
1.30 benno 632: <li>In <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, made <a
633: href="https://man.openbsd.org/dhcp-options.5">dhcp-options(5)</a>
634: recognize option ipv6-only-preferred (RFC8925).
635: <li>Allowed <a
636: href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> to
637: request "IPv6-only preferred" and deconfigure IPv4 on the interface if
638: the server replies with this option.
639: <!-- more -->
1.26 benno 640: <li>Fixed <a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>
641: to properly fixup MPPE-{Send,Recv}-Key and Tunnel-Password attributes of the
642: response.
1.34 benno 643: <li>Added nochroot parameter to <a
644: href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>
645: module_drop_privilege() so that modules can use <a
646: href="https://man.openbsd.org/unveil.2">unveil(2)</a> instead of <a
647: href="https://man.openbsd.org/chroot.2">chroot(2)</a> if needed.
1.30 benno 648: <li>Ensured correct denominators when converting NTP fixed point
649: values to double and vice-versa in <a
650: href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>.
1.34 benno 651: <li>In the resolver, do not short-circuit resolution of localhost
652: when AI_NUMERICHOST is set. Ensure that a proper string is returned by <a
653: href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> when
654: AI_CANONNAME or AI_FQDN is set.
1.30 benno 655: <li>Added <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
656: support for specifying ports on the src address in tunnel endpoints of
657: <a href="https://man.openbsd.org/gif.4">gif(4)</a>, <a
658: href="https://man.openbsd.org/gre.4">gre(4)</a> and related
659: tunnel interfaces.
660: <li>Added an <a
661: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> endpoint
662: command for "bridges" that use addresses as endpoints, usable to add
663: static entries on interfaces like <a
664: href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
665: <li>Tightened up <a
1.31 jsg 666: href="https://man.openbsd.org/relayd.8">relayd(8)</a> HTTP header parsing.
1.30 benno 667: <li>Deferred <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
668: relay_read_http header parsing until after line continuation,
669: preventing potential request smuggling attacks.
670: <li>Improved <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
671: auto-index, adding human-readable file sizes and allowing per-column
672: sorting.
1.34 benno 673: <li>Switched to using whois.internic.net for <a
674: href="https://man.openbsd.org/whois.1">whois(1)</a> -i.
1.1 benno 675: </ul>
1.30 benno 676: </ul><!-- Routing daemons and other userland network improvements -->
1.1 benno 677:
678: <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
679: <ul>
1.26 benno 680: <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> unzoom
681: a window at the start of destroy so it doesn't happen later after the
682: layout has been freed.
683: <li>Prevented <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> use
684: of combined UTF-8 characters that are too long.
1.30 benno 685: <li>Corrected <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
686: handling of window ops with no pane.
687: <li>Removed flags from the prefix before comparing with the received
688: key so that <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
689: modifier keys with flags work correctly.
1.34 benno 690: <li>Increased buffer size to avoid truncating styles in <a
691: href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
692: <li>Added two new values for the <a
693: href="https://man.openbsd.org/tmux.1">tmux(1)</a> destroy-unattached
694: option to destroy sessions only if they are not members of session
695: groups.
1.1 benno 696: </ul>
697:
1.3 tb 698: <li>LibreSSL version 3.9.0
1.1 benno 699: <ul>
1.3 tb 700: <li>Portable changes
1.1 benno 701: <ul>
1.3 tb 702: <li>libcrypto no longer exports compat symbols in cmake builds.
703: <li>Most compatibility symbols are prefixed with <code>libressl_</code>
704: to avoid symbol clashes in static links.
705: <li>Fixed various warnings on Windows.
706: <li>Removed assert pop-ups with Windows debug builds.
707: <li>Fixed crashes and hangs in Windows ARM64 builds.
708: <li>Improved control-flow enforcement (CET) support.
1.1 benno 709: </ul>
1.3 tb 710: <li>Internal improvements
1.1 benno 711: <ul>
1.3 tb 712: <li>Converted uses of <code>OBJ_bsearch_()</code> to standard
713: <a href="https://man.openbsd.org/bsearch">bsearch(3)</a>.
714: <li>Greatly simplified <code>by_file_ctrl()</code>.
715: <li>Simplified and cleaned up the OBJ_ API.
716: <li>Cleaned up the <a href="https://man.openbsd.org/EVP_CipherInit">EVP_Cipher{Init,Update,Final}(3)</a> implementations.
717: <li>Removed unused function pointers from X.509 stores and contexts.
718: <li>A lot of cleanup and reorganization in EVP.
719: <li>Removed all remaining <code>ENGINE</code> tentacles.
720: <li>Simplified internals of <code>X509_TRUST</code> handling.
721: <li>Made deletion from a <a href="https://man.openbsd.org/lh_delete">lhash</a>
722: doall callback safe.
723: <li>Rewrote <a href="https://man.openbsd.org/BIO_dump">BIO_dump*(3)</a> internals
724: to be less bad.
1.1 benno 725: </ul>
1.3 tb 726: <li>Documentation improvements
1.1 benno 727: <ul>
1.3 tb 728: <li><code>ENGINE</code> documentation was updated to reflect reality.
729: <li>Made EVP API documentation more accurate and less incoherent.
730: <li>Call out some shortcomings of the <code>EC_KEY_set_*</code> API explicitly.
1.1 benno 731: </ul>
1.3 tb 732: <li>Testing and proactive security
1.1 benno 733: <ul>
1.3 tb 734: <li>Bug fixes and simplifications in the Wycheproof tests.
1.1 benno 735: </ul>
1.3 tb 736: <li>Compatibility changes
1.1 benno 737: <ul>
1.3 tb 738: <li>Added ChaCha20 and chacha20 aliases for ChaCha.
739: <li><a href="https://man.openbsd.org/SSL_library_init">SSL_library_init(3)</a>
740: now has the same effect as OPENSSL_init_ssl().
741: <li><code>EVP_add_{cipher,digest}()</code> were removed. From the <code>OBJ_NAME</code> API,
742: only <a href="https://man.openbsd.org/OBJ_NAME_do_all">OBJ_NAME_do_all*()</a> remain.
743: In particular, it is no longer possible to add aliases for ciphers and digests.
744: <li>The thread unsafe global tables are no longer supported. It is no
745: longer possible to add aliases for ciphers and digests, custom ASN.1
746: strings table entries, ASN.1 methods, PKEY methods, digest methods,
747: CRL methods, purpose and trust identifiers, or X.509 extensions.
748: <li>Removed the _cb() and _fp() versions of
749: <a href="https://man.openbsd.org/BIO_dump">BIO_dump{,_indent}()</a>.
750: <li><code>BIO_set()</code> was removed.
751: <li><code>BIO_{sn,v,vsn}printf()</code> were removed.
752: <li>Turn the long dysfunctional
753: <a href="https://man.openbsd.org/openssl(1)">openssl(1)</a>
754: <code>s_client -pause</code> into a noop.
755: <li><a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> <code>x509</code>
756: now supports <code>-new</code>, <code>-force_pubkey</code>, <code>-multivalue-rdn</code>,
757: <code>-set_issuer</code>, <code>-set_subject</code>, and <code>-utf8</code>.
758: <li>Support ECDSA with SHA-3 signature algorithms.
759: <li>Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
760: <li>GOST and STREEBOG support was removed.
761: <li><code>CRYPTO_THREADID</code>, <code>_LHASH</code>, <code>_STACK</code> and
762: <code>X509_PURPOSE</code> are now opaque, <code>X509_CERT_AUX</code> and
763: <code>X509_TRUST</code> were removed from the public API.
764: <li><a href="https://man.openbsd.org/ASN1_STRING_TABLE_get()">ASN1_STRING_TABLE_get(3)</a>
765: and <a href="https://man.openbsd.org/X509_PURPOSE_get0">X509_PURPOSE_get0*(3)</a> now
766: return const pointers.
767: <li><code>EVP_{CIPHER,MD}_CTX_init()</code>'s signatures and semantics now match
768: OpenSSL's behavior.
769: <li><code>sk_find_ex()</code> and <code>OBJ_bsearch_()</code> were removed.
770: <li><a href="https://man.openbsd.org/CRYPTO_malloc">CRYPTO_malloc(3)</a> was fixed to use a
771: <code>size_t</code> argument. <code>CRYPTO_malloc()</code>
772: and <code>CRYPTO_free()</code> now accept file and line arguments.
773: <li>A lot of decrepit CRYPTO memory API was removed.
1.1 benno 774: </ul>
775: <li>Bug fixes
776: <ul>
1.3 tb 777: <li>Fixed aliasing issues in <code>BN_mod_exp_simple()</code> and <code>BN_mod_exp_recp()</code>.
778: <li>Fixed numerous misuses of
779: <a href="https://man.openbsd.org/X509_ALGOR_set0">X509_ALGOR_set0(3)</a>
780: resulting in leaks and potentially incorrect encodings.
781: <li>Fixed potential double free in
782: <a href="https://man.openbsd.org/X509v3_asid_add_id_or_range">X509v3_asid_add_id_or_range(3)</a>.
783: <li>Stopped using <code>ASN1_time_parse()</code> outside of libcrypto.
784: <li>Prepared <a href="https://man.openbsd.org/OPENSSL_gmtime">OPENSSL_gmtime(3)</a> and
785: <a href="https://man.openbsd.org/OPENSSL_timegm">OPENSSL_timegm(3)</a> as public API
786: wrappers of internal functions compatible with BoringSSL API.
787: <li>Removed <code>print_bin()</code> to avoid overwriting the stack with 5 bytes
788: of <code>" "</code> when ECPK parameters are printed with large
789: indentation.
790: <li>Avoid a <code>NULL</code> dereference after memory allocation failure during TLS
791: version downgrade.
792: <li>Fixed various bugs in CMAC internals.
793: <li>Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
794: <li>Fixed various NULL dereferences in PKCS #12 code due to mishandling
795: of OPTIONAL content in PKCS #7 ContentInfo.
796: <li>Aligned <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a>
797: behavior in TLSv1.3 with the legacy stack.
798: <li>Fixed the new X.509 verifier to find trust anchors in the trusted
799: stack.
1.1 benno 800: </ul>
801: </ul>
802:
1.16 djm 803: <li>OpenSSH 9.6 and OpenSSH 9.7
1.1 benno 804: <ul>
1.16 djm 805: <li>Security fixes
1.1 benno 806: <ul>
1.16 djm 807: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: implement protocol extensions to thwart the
808: so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
809: Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
810: limited break of the integrity of the early encrypted SSH transport
811: protocol by sending extra messages prior to the commencement of
812: encryption, and deleting an equal number of consecutive messages
813: immediately after encryption starts. A peer SSH client/server
814: would not be able to detect that messages were deleted.
815:
816: <br>While cryptographically novel, the security impact of this attack
817: is fortunately very limited as it only allows deletion of
818: consecutive messages, and deleting most messages at this stage of
1.17 gnezdo 819: the protocol prevents user authentication from proceeding and
1.16 djm 820: results in a stuck connection.
821:
822: <br>The most serious identified impact is that it lets a MITM
823: delete the SSH2_MSG_EXT_INFO message sent before authentication
824: starts, allowing the attacker to disable a subset of the keystroke
825: timing obfuscation features introduced in OpenSSH 9.5. There is no
826: other discernable impact to session secrecy or session integrity.
827:
828: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: when adding PKCS#11-hosted private keys while
829: specifying destination constraints, if the PKCS#11 token returned
830: multiple keys then only the first key had the constraints applied.
831: Use of regular private keys, FIDO tokens and unconstrained keys
832: are unaffected.
833:
834: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if an invalid user or hostname that contained shell
835: metacharacters was passed to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, and a ProxyCommand,
836: LocalCommand directive or "match exec" predicate referenced the
837: user or hostname via %u, %h or similar expansion token, then
838: an attacker who could supply arbitrary user/hostnames to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
839: could potentially perform command injection depending on what
840: quoting was present in the user-supplied <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> directive.
841:
842: <br>OpenSSH 9.6 now
843: bans most shell metacharacters from user and hostnames supplied
844: via the command-line. This countermeasure is not guaranteed to be
845: effective in all situations, as it is infeasible for <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> to
846: universally filter shell metacharacters potentially relevant to
847: user-supplied commands.
848:
849: <br>User/hostnames provided via <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> are not subject to these
850: restrictions, allowing configurations that use strange names to
851: continue to be used, under the assumption that the user knows what
852: they are doing in their own configuration files.
1.1 benno 853: </ul>
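<p>The following is an added example, not code from OpenSSH or from these release notes: it lists the ProxyCommand, LocalCommand and "match exec" directives in an ssh_config(5) text that expand a user or host name token, and validates names before a script passes them to ssh(1). The metacharacter set, the sample configuration and all function names are assumptions made for illustration.

```python
import re

# Assumed, illustrative metacharacter set; not OpenSSH's exact list.
SHELL_META = set("'`\"$\\;&<>|(){} ")
# Expansion tokens that carry a user or host name (ssh_config(5), TOKENS).
NAME_TOKENS = {"%h", "%n", "%r", "%u"}


def is_safe_cli_name(name):
    """True if a user or host name may be handed to ssh(1) by a script."""
    if not name or name.startswith("-"):
        return False  # empty, or would be parsed as an option
    return not any(c in SHELL_META or ord(c) < 0x20 or ord(c) == 0x7F
                   for c in name)


def token_contexts(command):
    """Return (token, quoting) pairs; quoting is 'none', 'single' or 'double'.

    Quoting narrows the exposure but does not remove it: a name that
    contains the same quote character ends the quoted region.
    """
    state, i, out = "none", 0, []
    while i < len(command):
        c = command[i]
        if c == "\\" and state != "single":
            i += 2  # skip the backslash-escaped character
            continue
        if c == "'" and state != "double":
            state = "none" if state == "single" else "single"
        elif c == '"' and state != "single":
            state = "none" if state == "double" else "double"
        elif c == "%" and i + 1 < len(command):
            tok = command[i:i + 2]
            if tok in NAME_TOKENS:
                out.append((tok, state))
            i += 2  # also steps over the literal "%%"
            continue
        i += 1
    return out


def audit_ssh_config(text):
    """Return (line, keyword, token, quoting) for each name token that a
    ProxyCommand, LocalCommand or 'Match exec' directive passes to a shell."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword in ("proxycommand", "localcommand"):
            command = rest
        elif keyword == "match":
            em = re.search(r'\bexec\s+(?:"([^"]*)"|(\S+))', rest, re.I)
            if not em:
                continue
            command = em.group(1) if em.group(1) is not None else em.group(2)
        else:
            continue
        for tok, quoting in token_contexts(command):
            findings.append((lineno, keyword, tok, quoting))
    return findings


# Constructed sample configuration (hypothetical hosts and helper paths).
SAMPLE_CONFIG = """\
# constructed sample, not from the release notes
Host *.internal.example
    ProxyCommand /usr/local/bin/jump-helper %h %p
Host legacy
    LocalCommand logger -t ssh 'connected to %n as %r'
Match exec "test -f /etc/ssh/allow/%h"
    ForwardAgent no
Host plain
    ProxyCommand nc -X connect -x proxy.example:3128 bastion.example 22
"""

if __name__ == "__main__":
    for lineno, keyword, tok, quoting in audit_ssh_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {keyword} expands {tok} (quoting: {quoting})")
    for name in ("build01.example.org", "-oLogLevel=debug", "name;x"):
        print(f"{name!r}: {'accept' if is_safe_cli_name(name) else 'reject'}")
```

Directives reported with quoting "none" are the ones to review first, and scripts that take names from untrusted input should reject unsafe ones before ssh(1) is invoked.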
854: <li>New features
855: <ul>
1.16 djm 856: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add a "global" ChannelTimeout type that watches
857: all open channels and will close all open channels if there is no
858: traffic on any of them for the specified interval. This is in
859: addition to the existing per-channel timeouts added recently.
860: <br>This supports situations like having both session and x11
861: forwarding channels open where one may be idle for an extended
862: period but the other is actively used. The global timeout could
863: close both channels when both have been idle for too long.
864:
865: <li>All: make DSA key support compile-time optional, defaulting to on.
1.1 benno 866: </ul>
867: <li>Bugfixes
868: <ul>
1.16 djm 869: <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't append an unnecessary space to the end of subsystem
870: arguments (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3667'>bz3667</a>)
871:
872: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix the multiplexing "channel proxy" mode, broken when
873: keystroke timing obfuscation was added. (<a href='https://github.com/openssh/openssh-portable/pull/463'>GHPR#463</a>)
874:
875: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix spurious configuration parsing errors when
876: options that accept array arguments are overridden (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3657'>bz3657</a>).
877:
878: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: fix potential spin in signal handler (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3670'>bz3670</a>)
879:
880: <li>Many fixes to manual pages and other documentation, including
881: <a href='https://github.com/openssh/openssh-portable/pull/462'>GHPR#462</a>, <a href='https://github.com/openssh/openssh-portable/pull/454'>GHPR#454</a>, <a href='https://github.com/openssh/openssh-portable/pull/442'>GHPR#442</a> and <a href='https://github.com/openssh/openssh-portable/pull/441'>GHPR#441</a>.
882:
883: <li>Greatly improve interop testing against PuTTY.
1.1 benno 884: </ul>
885: </ul>
886:
887: <li>Ports and packages:
888: <p>Many pre-built packages for each architecture:
889: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
890: <ul style="column-count: 3">
1.7 sthen 891: <li>aarch64: 12145
1.6 naddy 892: <li>amd64: 12309
1.1 benno 893: <li>arm: XXX
1.7 sthen 894: <li>i386: 10830
1.27 visa 895: <li>mips64: 8674
1.1 benno 896: <li>powerpc: XXX
1.10 sthen 897: <li>powerpc64: 8469
1.28 naddy 898: <li>riscv64: 10508
1.8 sthen 899: <li>sparc64: 9432
1.1 benno 900: </ul>
901:
902: <p>Some highlights:
903: <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2024-03-02 -->
1.9 lteo 904: <li>Asterisk 16.30.1, 18.21.0 and 20.6.0
905: <li>Audacity 3.4.2
906: <li>CMake 3.28.3
907: <li>Chromium 122.0.6261.111
908: <li>Emacs 29.2
1.1 benno 909: <li>FFmpeg 4.4.4
910: <li>GCC 8.4.0 and 11.2.0
1.9 lteo 911: <li>GHC 9.6.4
912: <li>GNOME 45
913: <li>Go 1.22.1
914: <li>JDK 8u402, 11.0.22, 17.0.10 and 21.0.2
915: <li>KDE Applications 23.08.4
916: <li>KDE Frameworks 5.115.0
1.13 rsadowsk 917: <li>KDE Plasma 5.27.10
1.9 lteo 918: <li>Krita 5.2.2
919: <li>LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
920: <li>LibreOffice 24.2.1.2
1.1 benno 921: <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
1.9 lteo 922: <li>MariaDB 10.9.8
1.1 benno 923: <li>Mono 6.12.0.199
1.9 lteo 924: <li>Mozilla Firefox 123.0.1 and ESR 115.8.0
925: <li>Mozilla Thunderbird 115.8.1
926: <li>Mutt 2.2.13 and NeoMutt 20240201
927: <li>Node.js 18.19.1
928: <li>OCaml 4.14.1
929: <li>OpenLDAP 2.6.7
930: <li>PHP 7.4.33, 8.0.30, 8.1.27, 8.2.16 and 8.3.3
931: <li>Postfix 3.8.6
932: <li>PostgreSQL 16.2
933: <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.8
1.13 rsadowsk 934: <li>Qt 5.15.12 (+ kde patches) and 6.6.1
1.1 benno 935: <li>R 4.2.3
1.9 lteo 936: <li>Ruby 3.1.4, 3.2.3 and 3.3.0
937: <li>Rust 1.76.0
938: <li>SQLite 3.44.2
1.1 benno 939: <li>Shotcut 23.07.29
1.9 lteo 940: <li>Sudo 1.9.15.5
941: <li>Suricata 7.0.3
1.1 benno 942: <li>Tcl/Tk 8.5.19 and 8.6.13
1.9 lteo 943: <li>TeX Live 2023
944: <li>Vim 9.1.139 and Neovim 0.9.5
945: <li>Xfce 4.18.1
1.1 benno 946: </ul>
947: <p>
948:
949: <li>As usual, steady improvements in manual pages and other documentation.
950:
951: <li>The system includes the following major components from outside suppliers:
952: <ul><!-- XXX all need to be checked/updated 2024-03-02 -->
1.4 matthieu 953: <li>Xenocara (based on X.Org 7.7 with xserver 21.1.11 + patches,
954: freetype 2.13.0, fontconfig 2.14.2, Mesa 23.1.9, xterm 378,
955: xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
956: <li>LLVM/Clang 16.0.6 (+ patches)
1.1 benno 957: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.4 matthieu 958: <li>Perl 5.36.3 (+ patches)
959: <li>NSD 4.8.0
1.1 benno 960: <li>Unbound 1.18.0
961: <li>Ncurses 5.7
962: <li>Binutils 2.17 (+ patches)
963: <li>Gdb 6.3 (+ patches)
1.4 matthieu 964: <li>Awk January 22, 2024
965: <li>Expat 2.6.0
966: <li>zlib 1.3.1 (+ patches)
1.1 benno 967: </ul>
968:
969: </ul>
970: </section>
971:
972: <hr>
973:
974: <section id=install>
975: <h3>How to install</h3>
976: <p>
977: Please refer to the following files on the mirror site for
978: extensive details on how to install OpenBSD 7.5 on your machine:
979:
980: <ul>
981: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/alpha/INSTALL.alpha">
982: .../OpenBSD/7.5/alpha/INSTALL.alpha</a>
983: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/amd64/INSTALL.amd64">
984: .../OpenBSD/7.5/amd64/INSTALL.amd64</a>
985: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64">
986: .../OpenBSD/7.5/arm64/INSTALL.arm64</a>
987: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/armv7/INSTALL.armv7">
988: .../OpenBSD/7.5/armv7/INSTALL.armv7</a>
989: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/hppa/INSTALL.hppa">
990: .../OpenBSD/7.5/hppa/INSTALL.hppa</a>
991: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/i386/INSTALL.i386">
992: .../OpenBSD/7.5/i386/INSTALL.i386</a>
993: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/landisk/INSTALL.landisk">
994: .../OpenBSD/7.5/landisk/INSTALL.landisk</a>
995: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/loongson/INSTALL.loongson">
996: .../OpenBSD/7.5/loongson/INSTALL.loongson</a>
997: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/luna88k/INSTALL.luna88k">
998: .../OpenBSD/7.5/luna88k/INSTALL.luna88k</a>
999: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/macppc/INSTALL.macppc">
1000: .../OpenBSD/7.5/macppc/INSTALL.macppc</a>
1001: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/octeon/INSTALL.octeon">
1002: .../OpenBSD/7.5/octeon/INSTALL.octeon</a>
1003: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/powerpc64/INSTALL.powerpc64">
1004: .../OpenBSD/7.5/powerpc64/INSTALL.powerpc64</a>
1005: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/riscv64/INSTALL.riscv64">
1006: .../OpenBSD/7.5/riscv64/INSTALL.riscv64</a>
1007: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/sparc64/INSTALL.sparc64">
1008: .../OpenBSD/7.5/sparc64/INSTALL.sparc64</a>
1009: </ul>
1010: </section>
1011:
1012: <hr>
1013:
1014: <section id=quickinstall>
1015: <p>
1016: Quick installer information for people familiar with OpenBSD, and the use of
1017: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1018: If you are at all confused when installing OpenBSD, read the relevant
1019: INSTALL.* file as listed above!
1020:
1021: <h3>OpenBSD/alpha:</h3>
1022:
1023: <p>
1024: If your machine can boot from CD, you can write <i>install75.iso</i> or
1025: <i>cd75.iso</i> to a CD and boot from it.
1026: Refer to INSTALL.alpha for more details.
1027:
1028: <h3>OpenBSD/amd64:</h3>
1029:
1030: <p>
1031: If your machine can boot from CD, you can write <i>install75.iso</i> or
1032: <i>cd75.iso</i> to a CD and boot from it.
1033: You may need to adjust your BIOS options first.
1034:
1035: <p>
1036: If your machine can boot from USB, you can write <i>install75.img</i> or
1037: <i>miniroot75.img</i> to a USB stick and boot from it.
1038:
1039: <p>
1040: If you can't boot from a CD, floppy disk, or USB,
1041: you can install across the network using PXE as described in the included
1042: INSTALL.amd64 document.
1043:
1044: <p>
1045: If you are planning to dual boot OpenBSD with another OS, you will need to
1046: read INSTALL.amd64.
1047:
1048: <h3>OpenBSD/arm64:</h3>
1049:
1050: <p>
1.12 jsg 1051: If your machine can boot from CD, you can write <i>install75.iso</i> or
1052: <i>cd75.iso</i> to a CD and boot from it.
1053:
1054: <p>
1055: To boot from disk, write <i>install75.img</i> or <i>miniroot75.img</i> to a
1056: disk and boot from it after connecting to the serial console. Refer to
1057: INSTALL.arm64 for more details.
1.1 benno 1058:
1059: <h3>OpenBSD/armv7:</h3>
1060:
1061: <p>
1062: Write a system specific miniroot to an SD card and boot from it after connecting
1063: to the serial console. Refer to INSTALL.armv7 for more details.
1064:
1065: <h3>OpenBSD/hppa:</h3>
1066:
1067: <p>
1068: Boot over the network by following the instructions in INSTALL.hppa or the
1069: <a href="hppa.html#install">hppa platform page</a>.
1070:
1071: <h3>OpenBSD/i386:</h3>
1072:
1073: <p>
1074: If your machine can boot from CD, you can write <i>install75.iso</i> or
1075: <i>cd75.iso</i> to a CD and boot from it.
1076: You may need to adjust your BIOS options first.
1077:
1078: <p>
1079: If your machine can boot from USB, you can write <i>install75.img</i> or
1080: <i>miniroot75.img</i> to a USB stick and boot from it.
1081:
1082: <p>
1083: If you can't boot from a CD, floppy disk, or USB,
1084: you can install across the network using PXE as described in
1085: the included INSTALL.i386 document.
1086:
1087: <p>
1088: If you are planning on dual booting OpenBSD with another OS, you will need to
1089: read INSTALL.i386.
1090:
1091: <h3>OpenBSD/landisk:</h3>
1092:
1093: <p>
1094: Write <i>miniroot75.img</i> to the start of the CF
1095: or disk, and boot normally.
1096:
1097: <h3>OpenBSD/loongson:</h3>
1098:
1099: <p>
1100: Write <i>miniroot75.img</i> to a USB stick and boot bsd.rd from it
1101: or boot bsd.rd via tftp.
1102: Refer to the instructions in INSTALL.loongson for more details.
1103:
1104: <h3>OpenBSD/luna88k:</h3>
1105:
1106: <p>
1107: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1108: from the PROM, and then bsd.rd from the bootloader.
1109: Refer to the instructions in INSTALL.luna88k for more details.
1110:
1111: <h3>OpenBSD/macppc:</h3>
1112:
1113: <p>
1114: Burn the image from a mirror site to a CDROM, and power on your machine
1115: while holding down the <i>C</i> key until the display turns on and
1116: shows <i>OpenBSD/macppc boot</i>.
1117:
1118: <p>
1119: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1120: /7.5/macppc/bsd.rd</i>
1121:
1122: <h3>OpenBSD/octeon:</h3>
1123:
1124: <p>
1125: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1126: Refer to the instructions in INSTALL.octeon for more details.
1127:
1128: <h3>OpenBSD/powerpc64:</h3>
1129:
1130: <p>
1131: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
1132: USB stick, plug it into the machine and choose the <i>OpenBSD
1133: install</i> menu item in Petitboot.
1134: Refer to the instructions in INSTALL.powerpc64 for more details.
1135:
1136: <h3>OpenBSD/riscv64:</h3>
1137:
1138: <p>
1139: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
1140: USB stick, and boot with that drive plugged in.
1141: Make sure you also have the microSD card plugged in that shipped with the
1142: HiFive Unmatched board.
1143: Refer to the instructions in INSTALL.riscv64 for more details.
1144:
1145: <h3>OpenBSD/sparc64:</h3>
1146:
1147: <p>
1148: Burn the image from a mirror site to a CDROM, boot from it, and type
1149: <i>boot cdrom</i>.
1150:
1151: <p>
1152: If this doesn't work, or if you don't have a CDROM drive, you can write
1153: <i>floppy75.img</i> or <i>floppyB75.img</i>
1154: (depending on your machine) to a floppy and boot it with <i>boot
1155: floppy</i>. Refer to INSTALL.sparc64 for details.
1156:
1157: <p>
1158: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1159: will most likely fail.
1160:
1161: <p>
1162: You can also write <i>miniroot75.img</i> to the swap partition on
1163: the disk and boot with <i>boot disk:b</i>.
1164:
1165: <p>
1166: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1167: </section>
1168:
1169: <hr>
1170:
1171: <section id=upgrade>
1172: <h3>How to upgrade</h3>
1173: <p>
1174: If you already have an OpenBSD 7.4 system, and do not want to reinstall,
1175: upgrade instructions and advice can be found in the
1176: <a href="faq/upgrade75.html">Upgrade Guide</a>.
1177: </section>
1178:
1179: <hr>
1180:
1181: <section id=sourcecode>
1182: <h3>Notes about the source code</h3>
1183: <p>
1184: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1185: This file contains everything you need except for the kernel sources,
1186: which are in a separate archive.
1187: To extract:
1188: <blockquote><pre>
1189: # <kbd>mkdir -p /usr/src</kbd>
1190: # <kbd>cd /usr/src</kbd>
1191: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1192: </pre></blockquote>
1193: <p>
1194: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1195: This file contains all the kernel sources you need to rebuild kernels.
1196: To extract:
1197: <blockquote><pre>
1198: # <kbd>mkdir -p /usr/src/sys</kbd>
1199: # <kbd>cd /usr/src</kbd>
1200: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1201: </pre></blockquote>
1202: <p>
1203: Both of these trees are a regular CVS checkout. Using these trees it
1204: is possible to get a head-start on using the anoncvs servers as
1205: described <a href="anoncvs.html">here</a>.
1206: Using these files
1207: results in a much faster initial CVS update than you could expect from
1208: a fresh checkout of the full OpenBSD source tree.
1209: </section>
1210:
1211: <hr>
1212:
1213: <section id=ports>
1214: <h3>Ports Tree</h3>
1215: <p>
1216: A ports tree archive is also provided. To extract:
1217: <blockquote><pre>
1218: # <kbd>cd /usr</kbd>
1219: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1220: </pre></blockquote>
1221: <p>
1222: Go read the <a href="faq/ports/index.html">ports</a> page
1223: if you know nothing about ports
1224: at this point. This text is not a manual of how to use ports.
1225: Rather, it is a set of notes meant to kickstart the user on the
1226: OpenBSD ports system.
1227: <p>
1228: The <i>ports/</i> directory represents a CVS checkout of our ports.
1229: As with our complete source tree, our ports tree is available via
1230: <a href="anoncvs.html">AnonCVS</a>.
1231: So, in order to keep up to date with the -stable branch, you must make
1232: the <i>ports/</i> tree available on a read-write medium and update the tree
1233: with a command like:
1234: <blockquote><pre>
1235: # <kbd>cd /usr/ports</kbd>
1236: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_5</kbd>
1237: </pre></blockquote>
1238: <p>
1239: [Of course, you must replace the server name here with a nearby anoncvs
1240: server.]
1241: <p>
1242: Note that most ports are available as packages on our mirrors. Updated
1243: ports for the 7.5 release will be made available if problems arise.
1244: <p>
1245: If you're interested in seeing a port added, would like to help out, or just
1246: would like to know more, the mailing list
1247: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1248: </section>
1249: </body>
1250: </html>