Annotation of www/75.html, Revision 1.39
1.1 benno 1: <!doctype html>
2: <html lang=en id=release>
3: <head>
4: <meta charset=utf-8>
5:
6: <title>OpenBSD 7.5</title>
7: <meta name="description" content="OpenBSD 7.5">
8: <meta name="viewport" content="width=device-width, initial-scale=1">
9: <link rel="stylesheet" type="text/css" href="openbsd.css">
10: <link rel="canonical" href="https://www.openbsd.org/75.html">
11: </head><body>
12: <h2 id=OpenBSD>
13: <a href="index.html">
14: <i>Open</i><b>BSD</b></a>
15: 7.5
16: </h2>
17:
18: <table>
19: <tr>
20: <td>
21: <a href="images/XXX.jpg">
22: <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a>
23: <td>
24: Released XXXMONTH DAY, 2024. (56th OpenBSD release)<br>
25: Copyright 1997-2024, Theo de Raadt.<br>
26: <br>
27: Artwork by XXX.
28: <br>
29: <ul>
30: <li>See the information on <a href="ftp.html">the FTP page</a> for
31: a list of mirror machines.
32: <li>Go to the <code class=reldir>pub/OpenBSD/7.5/</code> directory on
33: one of the mirror sites.
34: <li>Have a look at <a href="errata75.html">the 7.5 errata page</a> for a list
35: of bugs and workarounds.
36: <li>See a <a href="plus75.html">detailed log of changes</a> between the
37: 7.4 and 7.5 releases.
38: <p>
39: <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
40: pubkeys for this release:<p>
41:
42: <table class=signify>
43: <tr><td>
44: openbsd-75-base.pub:
45: <td>
46: <a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/openbsd-75-base.pub">
47: RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q
48: </a><tr><td>
49: openbsd-75-fw.pub:
50: <td>
51: RWQ6EsXr4NMYvyLICug3dLHfmbpXlVasF1jbt3GVNQsosgB5+PgaufBu
52: <tr><td>
53: openbsd-75-pkg.pub:
54: <td>
55: RWS/sEFDvf+rjUmS1WROzxH05pB1kB7JRRq76DUGUhCE0Ks8AdpjP5pD
56: <tr><td>
57: openbsd-75-syspatch.pub:
58: <td>
59: RWRAAZC5WcFgn+8b5msDR+yDVCx4ziLaSQI2sy7e4GFY42nFW9p7mP2t
60: </table>
61: </ul>
62: <p>
63: All applicable copyrights and credits are in the src.tar.gz,
64: sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
65: files fetched via <code>ports.tar.gz</code>.
66: </table>
67:
68: <hr>
69:
70: <section id=new>
71: <h3>What's New</h3>
72: <p>
73: This is a partial list of new features and systems included in OpenBSD 7.5.
74: For a comprehensive list, see the <a href="plus75.html">changelog</a> leading <!-- plus? XXX -->
75: to 7.5.
76:
77: <ul>
78:
79: <!--
80: <li>New/extended platforms:
81: <ul>
82: <li>...
83: </ul>
84: -->
85:
86: <li>Various kernel improvements:
87: <ul>
1.26 benno 88: <li>Added <a href="https://man.openbsd.org/bt.5">bt(5)</a> and <a
89: href="https://man.openbsd.org/btrace.8">btrace(8)</a> support for
90: binary modulo operator ('%').
91: <li>Added a TIMEOUT_MPSAFE flag to <a
92: href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
93: <li>Added IBM encoded version of the "Spleen 8x16" font, usable as console font.
94: <li>Cleanup and machine-independent refactoring of three context
95: switch paths outside of mi_switch(): when a process forks and the new
96: proc needs to be scheduled by proc_trampoline, cpu_hatch: when booting
97: APs, and sched_exit: when a proc exits.
98: <li>Made <a href="https://man.openbsd.org/vscsi.4">vscsi(4)</a>
99: 'vscsi_filtops' mpsafe and extended the 'sc_state_mtx' <a
100: href="https://man.openbsd.org/mutex.9">mutex(9)</a> to protect
101: 'sc_klist' knotes list.
102: <li>Made out-of-swap checking more robust, preventing potential deadlocks.
103: <li>Eliminated the ioctl whitelist that <a
104: href="https://man.openbsd.org/bio.4">bio(4)</a> will tunnel for other
105: devices, allowing bio to be used with other (non-raid) related
106: devices.
1.30 benno 107: <li>On msdos filesystems, ensure that a complete struct fsinfo is read
108: even if the filesystem sectors are smaller.
109: <li>Implemented per-CPU caching for the page table page (vp) pool and
110: the PTE descriptor (pted) pool in the arm64 pmap implementation. This
111: significantly reduces the side-effects of lock contention on the
112: kernel map lock and leads to significant speedups on machines with
1.33 otto 113: many CPU cores.
1.34 benno 114: <li>Implemented <a href="https://man.openbsd.org/acpi.4">acpi(4)</a>
115: RootPathString support in the LoadTable() AML function, fixing OpenBSD
116: boot on an older version of Hyper-V.
117: <li>Fixed Linux NFS clients freezing after five minutes of inactivity.
118: <li>Fixed core file writing when a file map into memory has later been
119: truncated to be smaller than the mapping.
1.38 tj 120: <li>Disallow <a
1.34 benno 121: href="https://man.openbsd.org/madvise.2">madvise(2)</a> and <a
122: href="https://man.openbsd.org/msync.2">msync(2)</a> memory/mapping
1.39 ! jsg 123: destructive operations on immutable memory regions. Instead return EPERM.
1.34 benno 124: <li>Added new amd64-only sysctl machdep.retpoline which says whether
125: the cpu requires the retpoline branch target injection mitigation.
126: <li>Added new accounting flag ABTCFI to <a
127: href="https://man.openbsd.org/acct.5">acct(5)</a> to indicate SIGILL +
128: code ILL_BTCFI has occurred in the process.
1.1 benno 129: </ul>
130:
131: <li>SMP Improvements
132: <ul>
1.30 benno 133: <li>Some network timers run without kernel lock.
134: <li>TCP syn cache timer runs with shared net lock.
135: <li><a href="https://man.openbsd.org/bind.2">bind(2)</a>
136: and <a href="https://man.openbsd.org/connect.2">connect(2)</a>
137: system calls can run in parallel.
138: <li>Packet counter for <a
139: href="https://man.openbsd.org/lo.4">lo(4)</a> loopback
140: interface are MP safe.
141: <li>Split protocol control block table for UDP into IPv4
142: and IPv6 tables to allow concurrent access.
143: <li>UDP packets can be sent in parallel by multiple threads.
1.1 benno 144: </ul>
145:
146: <li>Direct Rendering Manager and graphics drivers
147: <ul>
1.11 jsg 148: <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
149: to Linux 6.6.19.
150: <li>New <a href="https://man.openbsd.org/arm64/apldcp.4">apldcp(4)</a> and
151: <a href="https://man.openbsd.org/arm64/apldrm.4">apldrm(4)</a> drivers
152: for Apple display coprocessor.
1.1 benno 153: </ul>
154:
155: <li>VMM/VMD improvements
156: <ul>
1.31 jsg 157: <li>Fixed IRQ storm caused by edge-triggered devices such as the UART.
1.15 dv 158: <li>Fixed block size calculation for vioscsi devices.
159: <li>Added io instruction length to vm exit information, allowing
160: <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to perform validation
161: in userspace.
162: <li>Adopted new <a href="https://man.openbsd.org/imsg_init.3">imsg_get_*(3)</a>
163: api.
164: <li>Rewrote vionet devices to allow zero-copy data transfers between host and
165: guest.
166: <li>Improved error messages related to <a href="https://man.openbsd.org/getgrnam.3">
167: getgrnam(3)</a> usage and out of <a href="https://man.openbsd.org/tap.4">tap(4)
168: </a> device conditions.
169: <li>Fixed various things found by smatch static analyzer.
170: <li>Fixed various file descriptor lifecycle issues and leaks across
171: <a href="https://man.openbsd.org/fork.2">fork(2)</a>/
172: <a href="https://man.openbsd.org/execve.2">execve(2)</a> usage.
173: <li>Added multi-threading support to vionet device emulation, improving latency.
174: <li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> instability on Intel
175: VMX hosts by updating GDTR & TR if vcpu moves host cpus.
176: <li>Added EPT flushing upon <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
177: enabling VMX mode.
178: <li>Added branch predictor flushing if IBPB is supported.
179: <li>Corrected restoring GDTR and IDTR limits upon VMX guest exit.
180: <li>Corrected handling of CPUID 0xd subleaves
181: <li>Added additional use of VERW and register clobbering to mitigate RFDS
182: vulnerabilities on Intel Atom cores.
1.1 benno 183: </ul>
184:
185: <li>Various new userland features:
186: <ul>
1.32 otto 187: <li>Made <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> save
188: backtraces to show in leak dump with depth of backtrace set via malloc
189: option D (aka 1), 2, 3 or 4.
1.26 benno 190: <li>Added support for <a
191: href="https://man.openbsd.org/cksum.1">cksum(1)</a> -c checking base64
192: digests in reverse mode.
193: <li>Added <a href="https://man.openbsd.org/kdump.1">kdump(1)</a> [-p
194: program] to filter dumps by basename.
195: <li>Made <a href="https://man.openbsd.org/ps.1">ps(1)</a> accept numerical user IDs.
1.30 benno 196: <li>Built and provide the tzdata.zi and leap-seconds.list files from
197: zoneinfo. Some third-party software now expects these files to be
1.34 benno 198: installed. Provide the zonenow.tab file, a table where each row
199: stands for a timezone where civil timestamps are predicted to agree
200: from now on.
1.30 benno 201: <li>Added basic write support for <a
202: href="https://man.openbsd.org/pax.1">pax(1)</a> format archives.
203: <li>Added 'pax' format support for files over 8GB to <a
204: href="https://man.openbsd.org/tar.1">tar(1)</a>.
205: <li>Added 'pax' format support for mtime and atime to <a
206: href="https://man.openbsd.org/tar.1">tar(1)</a>.
207: <li>Extended <a href="https://man.openbsd.org/imsg_init.3">imsg</a>
208: and the <a href="https://man.openbsd.org/ibuf_add.3">ibuf</a> buffer
1.39 ! jsg 209: manipulation API with useful getter methods. Unified file descriptor
1.34 benno 210: passing in all imsg using programs with the use of the imsg_get_fd()
211: function.
212: <li>Added <a
213: href="https://man.openbsd.org/mkdtemps.3">mkdtemps(3)</a>, identical
214: to <a href="https://man.openbsd.org/mkdtemp.3">mkdtemp(3)</a> except
215: that it permits a suffix to exist in the template.
216: <li>Added <a href="https://man.openbsd.org/mktemp.1">mktemp(1)</a>
217: suffix support for compatibility with the GNU version. It is now
218: possible to use templates where the Xs are not at the end.
1.1 benno 219: </ul>
220:
221: <li>Various bugfixes and tweaks in userland:
222: <ul>
1.26 benno 223: <li>Silenced list of specific firmware not needing update in <a
224: href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
225: <li>Improved <a href="https://man.openbsd.org/ls.1">ls(1)</a> horizontal alignment in long format.
226: <li>Added <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> retry on empty passphrase.
227: <li>Fixed <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in
228: <a href="https://man.openbsd.org/patch.1">patch(1)</a> with explicit
229: patchfile.
230: <li>Made gnu99 the default for gcc 3.3.6 and 4.2.1 rather than defaulting to gnu89.
231: <!-- fdisk -->
232: <li>Enhanced <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> 'flag' to accept hex values.
233: <li>Prevented <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
234: 'flag' from altering other GPT partition attributes when flagging a
235: partition as the only bootable partition.
1.34 benno 236: <li>Allow <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to
237: add GPT partitions of protected types, making it possible to provision
238: virtual machine images that need a "BIOS Boot" partition.
239:
1.26 benno 240: <li>Added group handling matching <a
241: href="https://man.openbsd.org/fbtab.5">fbtab(5)</a> to xenodm.
1.30 benno 242: <li>Made <a href="https://man.openbsd.org/grep.1">grep(1)</a> -m behavior match GNU grep.
243: <li>Tweaked the default memory limits in /etc/login.conf on several
1.31 jsg 244: architectures to account for increased memory requirements, for
1.30 benno 245: example when compiling or linking under user pbuild.
246: <li>Initialize all terminals with "tset -I", thereby avoiding extra
247: newlines to be printed.
248: <li>Added <a href="https://man.openbsd.org/mkhybrid.8">mkhybrid(8)</a>
249: '-e' (-eltorito-boot-efi) option for writing an EFI eltorito boot
250: image, in addition to or instead of the x86 boot image, to the output
251: file.
252: <li>Added <a
253: href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
254: --omit-dir-times (-O) to omit directories from --times, as well as
255: --no-O and --no-omit-dir-times options for compatibility.
256: <li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
257: --omit-link-times (-J) option to omit symlinks from --times.
258: <li>Added accounting flag and <a
259: href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> report for
260: <a href="https://man.openbsd.org/pinsyscalls.2">syscall pinning</a> violations.
261: <li>Added <a href="https://man.openbsd.org/ktrace.1">ktrace(1)</a> and
262: <a href="https://man.openbsd.org/kdump.1">kdump(1)</a> support to
263: observe <a
264: href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>
265: violations.
266: <li>Changed <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> to
267: avoid use of the interactive shell if -o is given.
268: <li>Moved non-daemon services to run in a different <a
269: href="https://man.openbsd.org/rc.8">rc(8)</a> process group to avoid
270: SIGHUP at boot.
1.34 benno 271: <li>Changed <a
272: href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> to only load the first libc version encountered
273: requested and substituting it for all further loads, ensuring that the
274: libc version requested by an executable itself is the one loaded.
275: <li>Significantly (for small programs) reduce the size of statically
276: linked binaries by splitting several libc internal functions into
1.39 ! jsg 277: separate compilation and thus linkage units. Specifically <a
1.34 benno 278: href="https://man.openbsd.org/getpwnam.3">getpwnam(3)</a> does not
279: need the full YP socket setup and does not use all possible <a
1.39 ! jsg 280: href="https://man.openbsd.org/dbopen.3">dbopen(3)</a> database
1.34 benno 281: backends.
282: <li>Added <a href="https://man.openbsd.org/vi.1">vi(1)</a>
283: showfilename set option to display the file name in the lower left
284: corner.
285: <li>Added backup of disklabel for <a
286: href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks to <a
287: href="https://man.openbsd.org/security.8">security(8)</a>.
1.1 benno 288: </ul>
289:
290: <li>Improved hardware support and driver bugfixes, including:
291: <ul>
1.23 jsg 292: <li>New <a href="https://man.openbsd.org/arm64/ampchwm.4">ampchwm(4)</a>
293: driver for Ampere Altra power telemetry.
294: <li>New <a href="https://man.openbsd.org/rkspi.4">rkspi(4)</a>
295: driver for Rockchip SPI controller.
296: <li>Support for RK806 PMIC in
297: <a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>.
298: <li>Support for Allwinner H616 in
299: <a href="https://man.openbsd.org/sxisyscon.4">sxisyscon(4)</a>,
300: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
301: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
302: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
303: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
304: <li>Support for Allwinner D1 in
305: <a href="https://man.openbsd.org/sxidog.4">sxidog(4)</a>,
306: <a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
307: <a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
308: <a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
309: <a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
310: <li>Support for Aero and Sea SAS HBAs in
311: <a href="https://man.openbsd.org/mpii.4">mpii(4)</a>.
312: <li>Support for SAS3816 and SAS3916 in
313: <a href="https://man.openbsd.org/mfii.4">mfii(4)</a>.
1.26 benno 314: <li>In <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>, allowed Xen
315: to use backing store devices with 4K-byte sectors.
316: <li>Added <a href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>
317: support for the Rockchip RK8602 and RK8603 voltage regulators.
1.30 benno 318: <li>Support keyboard backlights on Apple Powerbooks.
319: <li>Added operating performance point info about each arm64 cpu and
320: expose the states of thermal zones as <a
321: href="https://man.openbsd.org/kstat.1">kstats(1)</a>.
322: <li>Overhauled <a
323: href="https://man.openbsd.org/ugold.4">ugold(4)</a> temperature sensor
324: identification logic and added support for additional devices.
325: <li>Made <a href="https://man.openbsd.org/uthum.4">uthum(4)</a>
326: TEMPer{1,2} devices display negative degC.
327: <li>Improve support for audio devices that via attach multiple <a
328: href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> drivers.
1.1 benno 329: </ul>
330:
331: <li>New or improved network hardware support:
332: <ul>
1.20 jan 333: <li>Utilize full checksum offload capabilities of
334: <a href="https://man.openbsd.org/vio.4">vio(4)</a> and
1.29 jan 335: <a href="https://man.openbsd.org/vmx.4">vmx(4)</a>.
336: <li>TCP Segmentation Offload (TSO) is also used in
1.20 jan 337: <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> and
1.29 jan 338: <a href="https://man.openbsd.org/em.4">em(4)</a>.
1.30 benno 339: <li>Enabled TCP Segmentation Offload (TSO) in <a
340: href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
1.20 jan 341: <li>The Synopsys Ethernet Quality-of-Service Controller
342: (<a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>) is enabled for
1.29 jan 343: amd64.
1.31 jsg 344: <li>Added initial support for Elkhart Lake Ethernet to <a
1.26 benno 345: href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>.
1.23 jsg 346: <li>Support for AX88179A in
347: <a href="https://man.openbsd.org/axen.4">axen(4)</a>.
1.29 jan 348: <li>Intel I225 and I226 Ethernet Controller
349: <a href="https://man.openbsd.org/igc.4">igc(4)</a> enabled for
350: sparc64.
351: <li>Allwinner EMAC Ethernet Controller
352: <a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> enabled for
353: riscv64.
1.26 benno 354: <li>Corrected wrong register offset macros for <a
355: href="https://man.openbsd.org/dwqe.4">dwqe(4)</a> DMA burst length.
1.30 benno 356: <li>Fixed Tx watchdog trigger and freeze in <a
357: href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>.
358: <li>Updated <a href="https://man.openbsd.org/rge.4">rge(4)</a>
359: microcode, initialization and reset behavior.
1.34 benno 360: <li>Prevented a potential <a
361: href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> crash after failure
362: to bring up a queue.
1.1 benno 363: </ul>
364:
365: <li>Added or improved wireless network drivers:
366: <ul>
1.14 stsp 367: <li>Introduce <a href="https://man.openbsd.org/qwx.4">qwx(4)</a>,
368: a port of the Linux ath11k driver for QCNFA765 devices.
369: Available on the amd64 and arm64 platforms.
370: <li>Fix Tx rate selection for management frames in
371: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
372: <li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> loading the wrong
373: firmware image on some devices.
374: <li>Make <a href="https://man.openbsd.org/bfwm.4">bwfm(4)</a> work with MAC
375: addresses set via ifconfig lladdr.
376: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> uses the
377: 80MHz primary channel index announced in beacons.
378: <li>Avoid using MCS-9 in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
379: Tx rate selection if 40 MHz is disabled to prevent firmware errors.
380: <li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
381: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices announce VHT
382: capabilities in probe requests.
383: <li>Fix bug in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
384: <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, and
385: <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> which could result
386: in some channels missing from scan results.
387: <li>Enable <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> on the
388: arm64 platform.
1.1 benno 389: </ul>
390:
391: <li>IEEE 802.11 wireless stack improvements and bugfixes:
392: <ul>
1.14 stsp 393: <li> Ignore 40/80 MHz wide channel configurations which do not appear
394: in the 802.11ac spec. This prevents device firmware errors which
395: occurred when an access point announced an invalid channel configuration.
1.1 benno 396: </ul>
397:
398: <li>Installer, upgrade and bootloader improvements:
399: <ul>
1.34 benno 400: <li>Add support for disk encryption in unattended installations with
401: <a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>,
402: both with a plaintext passphrase or a keydisk.
1.26 benno 403: <li>Removed default sets answer in <a
404: href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>
405: response file such that it now populates only with non-defaults.
406: <li>Made <a
407: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> verify but
408: not overwrite SHA256.sig.
1.30 benno 409: <li>Improved <a
1.38 tj 410: href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> output on
1.30 benno 411: errors and improved ftp error handling.
1.26 benno 412: <li>Added support in the installer to encrypt the root disk with a key disk.
413: <li>Prevent re-starting the automatic upgrade on octeon and
414: powerpc64, as is already done on other platforms.
1.34 benno 415: <li>Added CD install images to arm64.
1.30 benno 416: <li>Make the amd64 cdXX.iso and installXX.iso CD images bootable in
417: EFI mode (by creating an EFI system partition containing the EFI boot
418: loaders to be installed as an El Torito boot image).
1.1 benno 419: </ul>
420:
421: <li>Security improvements:
422: <ul>
1.35 benno 423: <li>Introduce pinsyscalls(2): The kernel and <a
424: href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> register the
425: precise entry location of every system call used by a program, as
426: described in the new ELF section .openbsd.syscalls inside ld.so and
427: libc.so. ld.so uses the new syscall <a
428: href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> to
429: tell the kernel the precise entry location of system calls in
430: libc.so.<br>
431: Attempting to use a different system call entry instruction to
432: perform a non-corresponding system call operation will fail and the
433: process will be terminated with signal SIGABRT.
434: <li>Removed support for <a
435: href="https://man.openbsd.org/syscall.2">syscall(2)</a>, the
436: "indirection system call," a dangerous alternative entry point for all
437: system calls.<br>
438: Together with <a
439: href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> this
1.39 ! jsg 440: change makes it impossible to perform system call through any other
! 441: way than the libc system call wrapper functions.<br>
1.35 benno 442: Users of syscall(2), such as Perl and the Go programming
1.39 ! jsg 443: language were converted to use the libc functions.
1.26 benno 444: <li>Added <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
445: stdio before parsing pfkey messages to <a
446: href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> -m and -s.
1.35 benno 447: <li>Tightened the <a
448: href="https://man.openbsd.org/pledge.2">pledge(2)</a> in <a
449: href="https://man.openbsd.org/pax.1">pax(1)</a> in List and Append
450: modes.
451: <li>Created __OpenBSD versions of llvm cxa guard implementation
452: using <a href="https://man.openbsd.org/futex.2">futex(2)</a> with the
453: correct number of arguments and without using <a
1.26 benno 454: href="https://man.openbsd.org/syscall.2">syscall(2)</a>.
1.35 benno 455: <li>Improvements in Pointer Authentication (PAC) and Branch Target
456: Identification (BTI) on arm64.
1.1 benno 457: </ul>
458:
459: <li>Changes in the network stack:
460: <ul>
1.26 benno 461: <li>Enable IPv6 support in <a
1.19 bluhm 462: href="https://man.openbsd.org/ppp.4">ppp(4)</a>
1.26 benno 463: <li>Socket with sequenced packet type and control messages
1.19 bluhm 464: handle end of record correctly.
1.26 benno 465: <li>The routing table has a generation number. That means
1.19 bluhm 466: cached routes at sockets will be invalidated when the routing
467: table changes. Especially with dynamic routing daemons
468: local connections use the up to date route.
1.26 benno 469: <li>Route cache hits an misses are printed in
1.19 bluhm 470: <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
1.26 benno 471: statistics.
472: <li>Prevented <a href="https://man.openbsd.org/wg.4">wg(4)</a>
473: getting stuck on peer destruction.
474: <li>Made <a href="https://man.openbsd.org/umb.4">umb(4)</a> delete any
475: existing v4 address before setting a new one, allowing keeping of a
476: working default route when the address changes.
477: <li>Forwarded TCP LRO disabling to parent devices and disabled TCP LR0
478: on bridged <a href="https://man.openbsd.org/vlan.4">vlan(4)</a> and
479: default for <a href="https://man.openbsd.org/bpe.4">bpe(4)</a>, <a
480: href="https://man.openbsd.org/nvgre.4">nvgre(4)</a> and <a
481: href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
1.30 benno 482: <li>Fixed race between <a
483: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> destroy of
484: an interface and the ARP timer.
1.34 benno 485: <li>Added statistics counters for the route cache, reporting cache
486: hits and misses. This is shown in <a
487: href="https://man.openbsd.org/netstat.1">netstat(1)</a> with
488: <code>netstat -s</code>.
1.1 benno 489: </ul>
490:
491: <li>The following changes were made to the <a
492: href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
493: <ul>
1.25 benno 494: <li>tcpdump on <a
495: href="https://man.openbsd.org/pflog.4">pflog(4)</a> interface shows
496: packets dropped by the default rule with the "block" action. Although
497: the default rules is a "pass" rule, it blocks malformed packets. Now
498: this is correctly logged.
499: <li>Adjustments to keep up firewall aware of MP related changes in
500: the network stack.
1.24 sashan 501: <li>Fix handling of multiple <code>-K</code>(<code>-k</code>) options in
1.25 benno 502: <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>, so behavior
503: matches what's described in manual.
504: <li>Make <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> show
505: all tables in all anchors with <code>pfctl -a "*" -sT</code>.
1.26 benno 506: <li>Added check to ensure <a
507: href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> -f won't accept a
508: directory and install an empty ruleset.
1.34 benno 509: <li>Added validation for IPv4 packet options in <a
510: href="https://man.openbsd.org/divert.4">divert(4)</a>.
1.1 benno 511: </ul>
512:
513: <li>Routing daemons and other userland network improvements:
1.30 benno 514: <ul>
1.1 benno 515: <li>IPsec support was improved:
516: <ul>
1.26 benno 517: <li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a> always
518: prefer group from the initial KE payload as responder if supported.
1.30 benno 519: <li>Corrected renewal of expired certificates in <a
520: href="https://man.openbsd.org/iked.8">iked(8)</a>.
1.34 benno 521: <li>Added an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
522: debug message when no policy is found.
523: <li>Implemented a per connection peerid for <a
524: href="https://man.openbsd.org/iked.8">iked(8)</a> control replies.
525: <li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a>
526: trigger retransmission only for fragment 1/x to prevent each received
527: fragment triggering retransmission of the full fragment queue.
1.39 ! jsg 528: <li>Prevent routing loops by dropping already encrypted packets that are going through <a
1.34 benno 529: href="https://man.openbsd.org/sec.4">sec(4)</a> again.
1.1 benno 530: </ul>
531:
532: <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
533: <ul>
1.35 benno 534: <li>Rewrite the internal message passing mechanism to use a new
535: memory-safe API.
536: <li>Rewrite most protocol parsers to use the new memory-safe API.
537: Convert the UPDATE parser, all of RTR, as well as both the MRT dump
538: code in bgpd and the parser in bgpctl.
539: <li>Improve RTR logging, error handling and version negotiation.
1.1 benno 540: </ul>
541:
1.2 benno 542: <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw these and more changes:
1.1 benno 543: <ul>
1.2 benno 544: <li>Add ability to constrain an RPKI Trust Anchor's effective signing
545: authority to a limited set of Internet numbers. This allows Relying
546: Parties to enjoy the potential benefits of assuming trust, but within
547: a bounded scope.
548: <li>Following a 'failed fetch' (described in RFC 9286), emit a warning and
549: continue with a previously cached Manifest file.
550: <li>Emit a warning when the remote repository presents a Manifest with an
551: unexpected manifestNumber.
552: <li>Improved CRL extension checking.
553: <li>Experimental support for the P-256 signature algorithm.
554: <!-- 8.8. -->
555: <li>A failed manifest fetch could result in a NULL pointer dereference or
556: a use after free.
557: <li>Reject non-conforming RRDP delta elements that contain neither publish
558: nor a withdraw element and fall back to the RRDP snapshot.
559: <li>Refactoring and minor bug fixes in the warning display functions.
560: <!-- 8.9 -->
561: <li>The handling of manifests fetched via rsync or RRDP was reworked to
562: fully conform to RFC 9286.
563: <li>Fix a race condition between closing an idle connection and scheduling a
564: new request on it.
565: <li>The evaluation time specified with -P now also applies to trust anchor
566: certificates.
567: <li>Check that the entire CMS eContent was consumed. Previously, trailing
568: data would be silently discarded on deserialization of products.
569: <li>In file mode do not consider overclaiming intermediate CA certificates
570: as invalid. OAA warning is still issued.
571: <li>Print the revocation time of certificates in file mode.
572: <li>Be more careful when converting OpenSSL numeric identifiers (NIDs)
573: to strings.
574: <!-- 9.0 -->
575: <li>Added support for RPKI Signed Prefix Lists.
576: <li>Added an -x flag to opt into parsing and evaluation of file types that are
577: still considered experimental.
578: <li>Added a metric to track the number of new files that were moved to the
579: validated cache.
580: <li>Ensure that the FileAndHashes list in a Manifest contains no duplicate
581: file names and no duplicate hashes.
1.1 benno 582: </ul>
583:
584: <li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
585: <ul>
1.5 op 586: <li>Add <code>Message-Id</code> as needed for messages received on
587: the submission port.
588: <li>Added support for RFC 7505 "Null MX" handling and treat
589: an MX of "localhost" as it were a "Null MX".
590: <li>Allow inline tables and filter listings in
591: <a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
592: to span over multiple lines.
593: <li>Enabled <abbr title="Delivery Status Notification">DSN</abbr>
594: for the implicit socket too.
595: <li>Added the
596: <a href="https://man.openbsd.org/smtpd.conf.5#no-dsn~2">no-dsn</a>
597: option for <code>listen on socket</code> too.
598: <li>Reject headers that start with a space or a tab.
599: <li>Fixed parsing of the <code>ORCPT</code> parameter.
600: <li>Fixed table lookups of IPv6 addresses.
601: <li>Fixed handling of escape characters in To, From and Cc headers.
602: <li>Run <abbr title="Local Mail Transfer Protocol">LMTP</abbr>
603: deliveries as the recipient user again.
604: <li>Disallow custom commands and file reading in root's
605: <code>.forward</code> file.
606: <li>Do not process other users <code>.forward</code> files when
607: an alternate delivery user is provided in a dispatcher.
608: <li>Unify the <a href="https://man.openbsd.org/table.5">table(5)</a>
609: parser used in
610: <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> and
611: <a href="https://man.openbsd.org/makemap.8">makemap(8)</a>.
612: <li>Allow to use <a href="https://man.openbsd.org/table.5">table(5)</a>
613: mappings on various match constraints.
1.1 benno 614: </ul>
1.30 benno 615: <!-- OTHER -->
1.1 benno 616: <li>Many other changes in various network programs and libraries:
617: <ul>
1.30 benno 618: <!-- syslogd -->
1.19 bluhm 619: <li>If a DNS name is configured as remote syslog server,
1.26 benno 620: <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
621: retries to resolve the loghost name periodically until it succeeds.
622: UDP packets that get lost during that period are counted and
623: logged later.
624: <li>Added counting of dropped UDP packets to <a
625: href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>.
1.30 benno 626: <li>Prevented use after free of TLS context at <a
627: href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> shutdown.
628: <!-- dhcp -->
1.26 benno 629: <li>Introduced <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>
630: log output to stderr and '-v' option to make this output more verbose.
1.30 benno 631: <li>In <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, made <a
632: href="https://man.openbsd.org/dhcp-options.5">dhcp-options(5)</a>
633: recognize option ipv6-only-preferred (RFC8925).
634: <li>Allowed <a
635: href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> to
636: request "IPv6-only preferred" and deconfigure IPv4 on the interface if
637: the server replies with this option.
638: <!-- more -->
1.26 benno 639: <li>Fixed <a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>
640: to properly fixup MPPE-{Send,Recv}-Key and Tunnel-Password attributes of the
641: response.
1.34 benno 642: <li>Added nochroot parameter to <a
643: href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>
644: module_drop_privilege() so that modules can use <a
645: href="https://man.openbsd.org/unveil.2">unveil(2)</a> instead of <a
646: href="https://man.openbsd.org/chroot.2">chroot(2)</a> if needed.
1.30 benno 647: <li>Ensured correct denominators when converting NTP fixed point
648: values to double and vice-versa in <a
649: href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>.
1.34 benno 650: <li>In the resolver, do not short-circuit resolution of localhost
651: when AI_NUMERICHOST is set. Ensure that a proper string is returned by <a
652: href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> when
653: AI_CANONNAME or AI_FQDN is set.
1.30 benno 654: <li>Added <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
655: support for specifying ports on the src address in tunnel endpoints of
656: <a href="https://man.openbsd.org/gif.4">gif(4)</a>, <a
657: href="https://man.openbsd.org/gre.4">gre(4)</a> and related
658: tunnel interfaces.
659: <li>Added an <a
660: href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> endpoint
661: command for "bridges" that use addresses as endpoints, usable to add
662: static entries on interfaces like <a
663: href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
664: <li>Tightened up <a
1.31 jsg 665: href="https://man.openbsd.org/relayd.8">relayd(8)</a> HTTP header parsing.
1.30 benno 666: <li>Deferred <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
667: relay_read_http header parsing until after line continuation,
668: preventing potential request smuggling attacks.
669: <li>Improved <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
670: auto-index, adding human-readable file sizes and allowing per-column
671: sorting.
1.34 benno 672: <li>Switched to using whois.internic.net for <a
673: href="https://man.openbsd.org/whois.1">whois(1)</a> -i.
1.1 benno 674: </ul>
1.30 benno 675: </ul><!-- Routing daemons and other userland network improvements -->
1.1 benno 676:
677: <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
678: <ul>
1.26 benno 679: <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> unzoom
680: a window at the start of destroy so it doesn't happen later after the
681: layout has been freed.
682: <li>Prevented <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> use
683: of combined UTF-8 characters that are too long.
1.30 benno 684: <li>Corrected <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
685: handling of window ops with no pane.
686: <li>Removed flags from the prefix before comparing with the received
687: key so that <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
688: modifier keys with flags work correctly.
1.34 benno 689: <li>Increased buffer size to avoid truncating styles in <a
690: href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
691: <li>Added two new values for the <a
692: href="https://man.openbsd.org/tmux.1">tmux(1)</a> destroy-unattached
693: option to destroy sessions only if they are not members of sessions
694: groups.
1.1 benno 695: </ul>
696:
1.3 tb 697: <li>LibreSSL version 3.9.0
1.1 benno 698: <ul>
1.3 tb 699: <li>Portable changes
1.1 benno 700: <ul>
1.3 tb 701: <li>libcrypto no longer exports compat symbols in cmake builds.
702: <li>Most compatibility symbols are prefixed with <code>libressl_</code>
703: to avoid symbol clashes in static links.
704: <li>Fixed various warnings on Windows.
705: <li>Removed assert pop-ups with Windows debug builds.
706: <li>Fixed crashes and hangs in Windows ARM64 builds.
707: <li>Improved control-flow enforcement (CET) support.
1.1 benno 708: </ul>
1.3 tb 709: <li>Internal improvements
1.1 benno 710: <ul>
1.3 tb 711: <li>Converted uses of <code>OBJ_bsearch_()</code> to standard
712: <a href="https://man.openbsd.org/bsearch">bsearch(3)</a>.
713: <li>Greatly simplified <code>by_file_ctrl()</code>.
714: <li>Simplified and cleaned up the OBJ_ API.
715: <li>Cleaned up the <a href="https://man.openbsd.org/EVP_CipherInit">EVP_Cipher{Init,Update,Final}(3)</a> implementations.
716: <li>Removed unused function pointers from X.509 stores and contexts.
717: <li>A lot of cleanup and reorganization in EVP.
718: <li>Removed all remaining <code>ENGINE</code> tentacles.
719: <li>Simplified internals of <code>X509_TRUST</code> handling.
720: <li>Made deletion from a <a href="https://man.openbsd.org/lh_delete">lhash</a>
721: doall callback safe.
722: <li>Rewrote <a href="https://man.openbsd.org/BIO_dump">BIO_dump*(3)</a> internals
723: to be less bad.
1.1 benno 724: </ul>
1.3 tb 725: <li>Documentation improvements
1.1 benno 726: <ul>
1.3 tb 727: <li><code>ENGINE</code> documentation was updated to reflect reality.
728: <li>Made EVP API documentation more accurate and less incoherent.
729: <li>Call out some shortcomings of the <code>EC_KEY_set_*</code> API explicitly.
1.1 benno 730: </ul>
1.3 tb 731: <li>Testing and proactive security
1.1 benno 732: <ul>
1.3 tb 733: <li>Bug fixes and simplifications in the Wycheproof tests.
1.1 benno 734: </ul>
1.3 tb 735: <li>Compatibility changes
1.1 benno 736: <ul>
1.3 tb 737: <li>Added ChaCha20 and chacha20 aliases for ChaCha.
738: <li><a href="https://man.openbsd.org/SSL_library_init">SSL_library_init(3)</a>
739: now has the same effect as OPENSSL_init_ssl().
740: <li><code>EVP_add_{cipher,digest}()</code> were removed. From the <code>OBJ_NAME</code> API,
741: only <a href="https://man.openbsd.org/OBJ_NAME_do_all">OBJ_NAME_do_all*()</a> remain.
742: In particular, it is no longer possible to add aliases for ciphers and digests.
743: <li>The thread unsafe global tables are no longer supported. It is no
744: longer possible to add aliases for ciphers and digests, custom ASN.1
745: strings table entries, ASN.1 methods, PKEY methods, digest methods,
746: CRL methods, purpose and trust identifiers, or X.509 extensions.
747: <li>Removed the _cb() and _fp() versions of
748: <a href="https://man.openbsd.org/BIO_dump">BIO_dump{,_indent}()</a>.
749: <li><code>BIO_set()</code> was removed.
750: <li><code>BIO_{sn,v,vsn}printf()</code> were removed.
751: <li>Turn the long dysfunctional
752: <a href="https://man.openbsd.org/openssl(1)">openssl(1)</a>
753: <code>s_client -pause</code> into a noop.
754: <li><a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> <code>x509</code>
755: now supports <code>-new</code>, <code>-force_pubkey</code>, <code>-multivalue-rdn</code>,
756: <code>-set_issuer</code> <code>-set_subject</code>, and <code>-utf8</code>.
757: <li>Support ECDSA with SHA-3 signature algorithms.
758: <li>Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
759: <li>GOST and STREEBOG support was removed.
760: <li><code>CRYPTO_THREADID</code>, <code>_LHASH</code>, <code>_STACK</code> and
761: <code>X509_PURPOSE</code> are now opaque, <code>X509_CERT_AUX</code> and
762: <code>X509_TRUST</code> were removed from the public API.
763: <li><a href="https://man.openbsd.org/ASN1_STRING_TABLE_get()">ASN1_STRING_TABLE_get(3)</a>
764: and <a href="https://man.openbsd.org/X509_PURPOSE_get0">X509_PURPOSE_get0*(3)</a> now
765: return const pointers.
766: <li><code>EVP_{CIPHER,MD}_CTX_init()</code>'s signatures and semantics now match
767: OpenSSL's behavior.
768: <li><code>sk_find_ex()</code> and <code>OBJ_bsearch_()</code> were removed.
769: <li><a href="https://man.openbsd.org/CRYPTO_malloc">CRYPTO_malloc(3)</a> was fixed to use
770: <code>size_t</code> argument. <code>CRYPTO_malloc()</code>
771: and <code>CRYPTO_free()</code> now accept file and line arguments.
772: <li>A lot of decrepit CRYPTO memory API was removed.
1.1 benno 773: </ul>
774: <li>Bug fixes
775: <ul>
1.3 tb 776: <li>Fixed aliasing issues in <code>BN_mod_exp_simple()</code> and <code>BN_mod_exp_recp()</code>.
777: <li>Fixed numerous misuses of
778: <a href="https://man.openbsd.org/X509_ALGOR_set0">X509_ALGOR_set0(3)</a>
779: resulting in leaks and potentially incorrect encodings.
780: <li>Fixed potential double free in
781: <a href="https://man.openbsd.org/X509v3_asid_add_id_or_range">X509v3_asid_add_id_or_range(3)</a>.
782: <li>Stopped using <code>ASN1_time_parse()</code> outside of libcrypto.
783: <li>Prepared <a href="https://man.openbsd.org/OPENSSL_gmtime">OPENSSL_gmtime(3)</a> and
784: <a href="https://man.openbsd.org/OPENSSL_timegm">OPENSSL_timegm(3)</a> as public API
785: wrappers of internal functions compatible with BoringSSL API.
786: <li>Removed <code>print_bin()</code> to avoid overwriting the stack with 5 bytes
787: of <code>" "</code> when ECPK parameters are printed with large
788: indentation.
789: <li>Avoid a <code>NULL</code> dereference after memory allocation failure during TLS
790: version downgrade.
791: <li>Fixed various bugs in CMAC internals.
792: <li>Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
793: <li>Fixed various NULL dereferences in PKCS #12 code due to mishandling
794: of OPTIONAL content in PKCS #7 ContentInfo.
795: <li>Aligned <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a>
796: behavior in TLSv1.3 with the legacy stack.
797: <li>Fixed the new X.509 verifier to find trust anchors in the trusted
798: stack.
1.1 benno 799: </ul>
800: </ul>
801:
1.16 djm 802: <li>OpenSSH 9.6 and OpenSSH 9.7
1.1 benno 803: <ul>
1.16 djm 804: <li>Security fixes
1.1 benno 805: <ul>
1.16 djm 806: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: implement protocol extensions to thwart the
807: so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
808: Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
809: limited break of the integrity of the early encrypted SSH transport
810: protocol by sending extra messages prior to the commencement of
811: encryption, and deleting an equal number of consecutive messages
812: immediately after encryption starts. A peer SSH client/server
813: would not be able to detect that messages were deleted.
814:
815: <br>While cryptographically novel, the security impact of this attack
816: is fortunately very limited as it only allows deletion of
817: consecutive messages, and deleting most messages at this stage of
1.17 gnezdo 818: the protocol prevents user authentication from proceeding and
1.16 djm 819: results in a stuck connection.
820:
821: <br>The most serious identified impact is that it lets a MITM to
822: delete the SSH2_MSG_EXT_INFO message sent before authentication
823: starts, allowing the attacker to disable a subset of the keystroke
824: timing obfuscation features introduced in OpenSSH 9.5. There is no
825: other discernable impact to session secrecy or session integrity.
826:
827: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: when adding PKCS#11-hosted private keys while
828: specifying destination constraints, if the PKCS#11 token returned
829: multiple keys then only the first key had the constraints applied.
830: Use of regular private keys, FIDO tokens and unconstrained keys
831: are unaffected.
832:
833: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if an invalid user or hostname that contained shell
834: metacharacters was passed to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, and a ProxyCommand,
835: LocalCommand directive or "match exec" predicate referenced the
836: user or hostname via %u, %h or similar expansion token, then
837: an attacker who could supply arbitrary user/hostnames to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
838: could potentially perform command injection depending on what
839: quoting was present in the user-supplied <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> directive.
840:
841: <br>OpenSSH 9.6 now
842: bans most shell metacharacters from user and hostnames supplied
843: via the command-line. This countermeasure is not guaranteed to be
844: effective in all situations, as it is infeasible for <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> to
845: universally filter shell metacharacters potentially relevant to
846: user-supplied commands.
847:
848: <br>User/hostnames provided via <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> are not subject to these
849: restrictions, allowing configurations that use strange names to
850: continue to be used, under the assumption that the user knows what
851: they are doing in their own configuration files.
1.1 benno 852: </ul>
853: <li>New features
854: <ul>
1.16 djm 855: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add a "global" ChannelTimeout type that watches
856: all open channels and will close all open channels if there is no
857: traffic on any of them for the specified interval. This is in
858: addition to the existing per-channel timeouts added recently.
859: <br>This supports situations like having both session and x11
860: forwarding channels open where one may be idle for an extended
861: period but the other is actively used. The global timeout could
862: close both channels when both have been idle for too long.
863:
864: <li>All: make DSA key support compile-time optional, defaulting to on.
1.1 benno 865: </ul>
866: <li>Bugfixes
867: <ul>
1.16 djm 868: <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't append an unnecessary space to the end of subsystem
869: arguments (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3667'>bz3667</a>)
870:
871: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix the multiplexing "channel proxy" mode, broken when
872: keystroke timing obfuscation was added. (<a href='https://github.com/openssh/openssh-portable/pull/463'>GHPR#463</a>)
873:
874: <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix spurious configuration parsing errors when
875: options that accept array arguments are overridden (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3657'>bz3657</a>).
876:
877: <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: fix potential spin in signal handler (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3670'>bz3670</a>)
878:
879: <li>Many fixes to manual pages and other documentation, including
880: <a href='https://github.com/openssh/openssh-portable/pull/462'>GHPR#462</a>, <a href='https://github.com/openssh/openssh-portable/pull/454'>GHPR#454</a>, <a href='https://github.com/openssh/openssh-portable/pull/442'>GHPR#442</a> and <a href='https://github.com/openssh/openssh-portable/pull/441'>GHPR#441</a>.
881:
882: <li>Greatly improve interop testing against PuTTY.
1.1 benno 883: </ul>
884: </ul>
885:
886: <li>Ports and packages:
887: <p>Many pre-built packages for each architecture:
888: <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
889: <ul style="column-count: 3">
1.7 sthen 890: <li>aarch64: 12145
1.6 naddy 891: <li>amd64: 12309
1.1 benno 892: <li>arm: XXX
1.7 sthen 893: <li>i386: 10830
1.27 visa 894: <li>mips64: 8674
1.1 benno 895: <li>powerpc: XXX
1.10 sthen 896: <li>powerpc64: 8469
1.28 naddy 897: <li>riscv64: 10508
1.8 sthen 898: <li>sparc64: 9432
1.1 benno 899: </ul>
900:
901: <p>Some highlights:
902: <ul style="column-count: 3"><!-- XXX all need to be checked/updated 2024-03-02 -->
1.9 lteo 903: <li>Asterisk 16.30.1, 18.21.0 and 20.6.0
904: <li>Audacity 3.4.2
905: <li>CMake 3.28.3
906: <li>Chromium 122.0.6261.111
907: <li>Emacs 29.2
1.1 benno 908: <li>FFmpeg 4.4.4
909: <li>GCC 8.4.0 and 11.2.0
1.9 lteo 910: <li>GHC 9.6.4
911: <li>GNOME 45
912: <li>Go 1.22.1
913: <li>JDK 8u402, 11.0.22, 17.0.10 and 21.0.2
914: <li>KDE Applications 23.08.4
915: <li>KDE Frameworks 5.115.0
1.13 rsadowsk 916: <li>KDE Plasma 5.27.10
1.9 lteo 917: <li>Krita 5.2.2
918: <li>LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
919: <li>LibreOffice 24.2.1.2
1.1 benno 920: <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
1.9 lteo 921: <li>MariaDB 10.9.8
1.1 benno 922: <li>Mono 6.12.0.199
1.9 lteo 923: <li>Mozilla Firefox 123.0.1 and ESR 115.8.0
924: <li>Mozilla Thunderbird 115.8.1
925: <li>Mutt 2.2.13 and NeoMutt 20240201
926: <li>Node.js 18.19.1
927: <li>OCaml 4.14.1
928: <li>OpenLDAP 2.6.7
929: <li>PHP 7.4.33, 8.0.30, 8.1.27, 8.2.16 and 8.3.3
930: <li>Postfix 3.8.6
931: <li>PostgreSQL 16.2
932: <li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.8
1.13 rsadowsk 933: <li>Qt 5.15.12 (+ kde patches) and 6.6.1
1.1 benno 934: <li>R 4.2.3
1.9 lteo 935: <li>Ruby 3.1.4, 3.2.3 and 3.3.0
936: <li>Rust 1.76.0
937: <li>SQLite 3.44.2
1.1 benno 938: <li>Shotcut 23.07.29
1.9 lteo 939: <li>Sudo 1.9.15.5
940: <li>Suricata 7.0.3
1.1 benno 941: <li>Tcl/Tk 8.5.19 and 8.6.13
1.9 lteo 942: <li>TeX Live 2023
943: <li>Vim 9.1.139 and Neovim 0.9.5
944: <li>Xfce 4.18.1
1.1 benno 945: </ul>
946: <p>
947:
948: <li>As usual, steady improvements in manual pages and other documentation.
949:
950: <li>The system includes the following major components from outside suppliers:
951: <ul><!-- XXX all need to be checked/updated 2024-03-02 -->
1.4 matthieu 952: <li>Xenocara (based on X.Org 7.7 with xserver 21.1.11 + patches,
953: freetype 2.13.0, fontconfig 2.14.2, Mesa 23.1.9, xterm 378,
954: xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
955: <li>LLVM/Clang 16.0.6 (+ patches)
1.1 benno 956: <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.4 matthieu 957: <li>Perl 5.36.3 (+ patches)
958: <li>NSD 4.8.0
1.1 benno 959: <li>Unbound 1.18.0
960: <li>Ncurses 5.7
961: <li>Binutils 2.17 (+ patches)
962: <li>Gdb 6.3 (+ patches)
1.4 matthieu 963: <li>Awk January 22, 2024
964: <li>Expat 2.6.0
965: <li>zlib 1.3.1 (+ patches)
1.1 benno 966: </ul>
967:
968: </ul>
969: </section>
970:
971: <hr>
972:
973: <section id=install>
974: <h3>How to install</h3>
975: <p>
976: Please refer to the following files on the mirror site for
977: extensive details on how to install OpenBSD 7.5 on your machine:
978:
979: <ul>
980: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/alpha/INSTALL.alpha">
981: .../OpenBSD/7.5/alpha/INSTALL.alpha</a>
982: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/amd64/INSTALL.amd64">
983: .../OpenBSD/7.5/amd64/INSTALL.amd64</a>
984: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64">
985: .../OpenBSD/7.5/arm64/INSTALL.arm64</a>
986: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/armv7/INSTALL.armv7">
987: .../OpenBSD/7.5/armv7/INSTALL.armv7</a>
988: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/hppa/INSTALL.hppa">
989: .../OpenBSD/7.5/hppa/INSTALL.hppa</a>
990: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/i386/INSTALL.i386">
991: .../OpenBSD/7.5/i386/INSTALL.i386</a>
992: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/landisk/INSTALL.landisk">
993: .../OpenBSD/7.5/landisk/INSTALL.landisk</a>
994: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/loongson/INSTALL.loongson">
995: .../OpenBSD/7.5/loongson/INSTALL.loongson</a>
996: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/luna88k/INSTALL.luna88k">
997: .../OpenBSD/7.5/luna88k/INSTALL.luna88k</a>
998: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/macppc/INSTALL.macppc">
999: .../OpenBSD/7.5/macppc/INSTALL.macppc</a>
1000: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/octeon/INSTALL.octeon">
1001: .../OpenBSD/7.5/octeon/INSTALL.octeon</a>
1002: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/powerpc64/INSTALL.powerpc64">
1003: .../OpenBSD/7.5/powerpc64/INSTALL.powerpc64</a>
1004: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/riscv64/INSTALL.riscv64">
1005: .../OpenBSD/7.5/riscv64/INSTALL.riscv64</a>
1006: <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/sparc64/INSTALL.sparc64">
1007: .../OpenBSD/7.5/sparc64/INSTALL.sparc64</a>
1008: </ul>
1009: </section>
1010:
1011: <hr>
1012:
1013: <section id=quickinstall>
1014: <p>
1015: Quick installer information for people familiar with OpenBSD, and the use of
1016: the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1017: If you are at all confused when installing OpenBSD, read the relevant
1018: INSTALL.* file as listed above!
1019:
1020: <h3>OpenBSD/alpha:</h3>
1021:
1022: <p>
1023: If your machine can boot from CD, you can write <i>install75.iso</i> or
1024: <i>cd75.iso</i> to a CD and boot from it.
1025: Refer to INSTALL.alpha for more details.
1026:
1027: <h3>OpenBSD/amd64:</h3>
1028:
1029: <p>
1030: If your machine can boot from CD, you can write <i>install75.iso</i> or
1031: <i>cd75.iso</i> to a CD and boot from it.
1032: You may need to adjust your BIOS options first.
1033:
1034: <p>
1035: If your machine can boot from USB, you can write <i>install75.img</i> or
1036: <i>miniroot75.img</i> to a USB stick and boot from it.
1037:
1038: <p>
1039: If you can't boot from a CD, floppy disk, or USB,
1040: you can install across the network using PXE as described in the included
1041: INSTALL.amd64 document.
1042:
1043: <p>
1044: If you are planning to dual boot OpenBSD with another OS, you will need to
1045: read INSTALL.amd64.
1046:
1047: <h3>OpenBSD/arm64:</h3>
1048:
1049: <p>
1.12 jsg 1050: If your machine can boot from CD, you can write <i>install75.iso</i> or
1051: <i>cd75.iso</i> to a CD and boot from it.
1052:
1053: <p>
1054: To boot from disk, write <i>install75.img</i> or <i>miniroot75.img</i> to a
1055: disk and boot from it after connecting to the serial console. Refer to
1056: INSTALL.arm64 for more details.
1.1 benno 1057:
1058: <h3>OpenBSD/armv7:</h3>
1059:
1060: <p>
1061: Write a system specific miniroot to an SD card and boot from it after connecting
1062: to the serial console. Refer to INSTALL.armv7 for more details.
1063:
1064: <h3>OpenBSD/hppa:</h3>
1065:
1066: <p>
1067: Boot over the network by following the instructions in INSTALL.hppa or the
1068: <a href="hppa.html#install">hppa platform page</a>.
1069:
1070: <h3>OpenBSD/i386:</h3>
1071:
1072: <p>
1073: If your machine can boot from CD, you can write <i>install75.iso</i> or
1074: <i>cd75.iso</i> to a CD and boot from it.
1075: You may need to adjust your BIOS options first.
1076:
1077: <p>
1078: If your machine can boot from USB, you can write <i>install75.img</i> or
1079: <i>miniroot75.img</i> to a USB stick and boot from it.
1080:
1081: <p>
1082: If you can't boot from a CD, floppy disk, or USB,
1083: you can install across the network using PXE as described in
1084: the included INSTALL.i386 document.
1085:
1086: <p>
1087: If you are planning on dual booting OpenBSD with another OS, you will need to
1088: read INSTALL.i386.
1089:
1090: <h3>OpenBSD/landisk:</h3>
1091:
1092: <p>
1093: Write <i>miniroot75.img</i> to the start of the CF
1094: or disk, and boot normally.
1095:
1096: <h3>OpenBSD/loongson:</h3>
1097:
1098: <p>
1099: Write <i>miniroot75.img</i> to a USB stick and boot bsd.rd from it
1100: or boot bsd.rd via tftp.
1101: Refer to the instructions in INSTALL.loongson for more details.
1102:
1103: <h3>OpenBSD/luna88k:</h3>
1104:
1105: <p>
1106: Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1107: from the PROM, and then bsd.rd from the bootloader.
1108: Refer to the instructions in INSTALL.luna88k for more details.
1109:
1110: <h3>OpenBSD/macppc:</h3>
1111:
1112: <p>
1113: Burn the image from a mirror site to a CDROM, and power on your machine
1114: while holding down the <i>C</i> key until the display turns on and
1115: shows <i>OpenBSD/macppc boot</i>.
1116:
1117: <p>
1118: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1119: /7.5/macppc/bsd.rd</i>
1120:
1121: <h3>OpenBSD/octeon:</h3>
1122:
1123: <p>
1124: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1125: Refer to the instructions in INSTALL.octeon for more details.
1126:
1127: <h3>OpenBSD/powerpc64:</h3>
1128:
1129: <p>
1130: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
1131: USB stick, plug it into the machine and choose the <i>OpenBSD
1132: install</i> menu item in Petitboot.
1133: Refer to the instructions in INSTALL.powerpc64 for more details.
1134:
1135: <h3>OpenBSD/riscv64:</h3>
1136:
1137: <p>
1138: To install, write <i>install75.img</i> or <i>miniroot75.img</i> to a
1139: USB stick, and boot with that drive plugged in.
1140: Make sure you also have the microSD card plugged in that shipped with the
1141: HiFive Unmatched board.
1142: Refer to the instructions in INSTALL.riscv64 for more details.
1143:
1144: <h3>OpenBSD/sparc64:</h3>
1145:
1146: <p>
1147: Burn the image from a mirror site to a CDROM, boot from it, and type
1148: <i>boot cdrom</i>.
1149:
1150: <p>
1151: If this doesn't work, or if you don't have a CDROM drive, you can write
1152: <i>floppy75.img</i> or <i>floppyB75.img</i>
1153: (depending on your machine) to a floppy and boot it with <i>boot
1154: floppy</i>. Refer to INSTALL.sparc64 for details.
1155:
1156: <p>
1157: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1158: will most likely fail.
1159:
1160: <p>
1161: You can also write <i>miniroot75.img</i> to the swap partition on
1162: the disk and boot with <i>boot disk:b</i>.
1163:
1164: <p>
1165: If nothing works, you can boot over the network as described in INSTALL.sparc64.
1166: </section>
1167:
1168: <hr>
1169:
1170: <section id=upgrade>
1171: <h3>How to upgrade</h3>
1172: <p>
1173: If you already have an OpenBSD 7.4 system, and do not want to reinstall,
1174: upgrade instructions and advice can be found in the
1175: <a href="faq/upgrade75.html">Upgrade Guide</a>.
1176: </section>
1177:
1178: <hr>
1179:
1180: <section id=sourcecode>
1181: <h3>Notes about the source code</h3>
1182: <p>
1183: <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1184: This file contains everything you need except for the kernel sources,
1185: which are in a separate archive.
1186: To extract:
1187: <blockquote><pre>
1188: # <kbd>mkdir -p /usr/src</kbd>
1189: # <kbd>cd /usr/src</kbd>
1190: # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1191: </pre></blockquote>
1192: <p>
1193: <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1194: This file contains all the kernel sources you need to rebuild kernels.
1195: To extract:
1196: <blockquote><pre>
1197: # <kbd>mkdir -p /usr/src/sys</kbd>
1198: # <kbd>cd /usr/src</kbd>
1199: # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1200: </pre></blockquote>
1201: <p>
1202: Both of these trees are a regular CVS checkout. Using these trees it
1203: is possible to get a head-start on using the anoncvs servers as
1204: described <a href="anoncvs.html">here</a>.
1205: Using these files
1206: results in a much faster initial CVS update than you could expect from
1207: a fresh checkout of the full OpenBSD source tree.
1208: </section>
1209:
1210: <hr>
1211:
1212: <section id=ports>
1213: <h3>Ports Tree</h3>
1214: <p>
1215: A ports tree archive is also provided. To extract:
1216: <blockquote><pre>
1217: # <kbd>cd /usr</kbd>
1218: # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1219: </pre></blockquote>
1220: <p>
1221: Go read the <a href="faq/ports/index.html">ports</a> page
1222: if you know nothing about ports
1223: at this point. This text is not a manual of how to use ports.
1224: Rather, it is a set of notes meant to kickstart the user on the
1225: OpenBSD ports system.
1226: <p>
1227: The <i>ports/</i> directory represents a CVS checkout of our ports.
1228: As with our complete source tree, our ports tree is available via
1229: <a href="anoncvs.html">AnonCVS</a>.
1230: So, in order to keep up to date with the -stable branch, you must make
1231: the <i>ports/</i> tree available on a read-write medium and update the tree
1232: with a command like:
1233: <blockquote><pre>
1234: # <kbd>cd /usr/ports</kbd>
1235: # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_5</kbd>
1236: </pre></blockquote>
1237: <p>
1238: [Of course, you must replace the server name here with a nearby anoncvs
1239: server.]
1240: <p>
1241: Note that most ports are available as packages on our mirrors. Updated
1242: ports for the 7.5 release will be made available if problems arise.
1243: <p>
1244: If you're interested in seeing a port added, would like to help out, or just
1245: would like to know more, the mailing list
1246: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1247: </section>
1248: </body>
1249: </html>
![[BACK]](/icons/back.gif){kind=icon}
Return to 75.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www