OpenBSD 5.8
To be released Oct 18, 2015
Copyright 1997-2015, Theo de Raadt.
ISBN 978-0-9881561-6-6
5.8 Songs: "XXX", "XXX", "XXX", "XXX", "XXX"
All applicable copyrights and credits can be found in the applicable
file sources found in the files src.tar.gz, sys.tar.gz,
xenocara.tar.gz, or in the files fetched via ports.tar.gz. The
distribution files used to build packages from the ports.tar.gz file
are not included on the CDROM because of lack of space.
What's New
This is a partial list of new features and systems included in OpenBSD 5.8. For a comprehensive list, see the changelog leading to 5.8.
- Improved hardware support, including:
- The ugold(4) driver now supports TEMPerHUMV1.x temperature and humidity sensors.
- Improved sensor support for the upd(4) driver for USB Power Devices (UPS).
- Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.
- re(4) now works with newer devices e.g. RTL8111GU.
- Partial support has been added for full-speed isochronous devices in ehci(4), allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.
- New hpb(4) driver for HyperTransport bridges as found in the IBM CPC945.
- Improved macppc stability and G5 performance with MP kernels.
- acpicpu(4) uses ACPI C-state information to reduce power consumption of idle CPUs.
- Kernel supports x86 AVX instructions on CPUs that have them.
- ...
- Removed hardware support:
- Generic network stack improvements:
- MTU of vlan(4) devices can now be set independently from the parent interface's MTU.
- The same network range can now be assigned to multiple interfaces, using interface priorities to choose between them.
- New MPLS pseudowire driver mpw(4).
- ...
- Installer improvements:
- In autoinstalls, a template can be passed to disklabel(8) to automatically partition the disk.
- DUID support has improved enough that new installs now use them unconditionally.
- Routing daemons and other userland network improvements:
- Many improvements and simplifications in ldpd(8), including configuration reload and support for mpw(4) pseudowire interfaces.
- bgpd(8) now allows rules to match on the peer AS number.
- For terminated BGP sessions, bgpctl(8) now displays the number of prefixes received on the last session.
- ospfd(8) now correctly handles carp(4) interfaces in "backup" mode at startup.
- Log messages in bgpd(8) and ospfd(8) have been made more specific.
- The default Diffie-Hellman group for VPNs configured by ipsec.conf(5) has been changed to modp3072.
- ...
- Security improvements:
- sudo has been replaced with doas(1).
- file(1) has been replaced with a new modern implementation, including sandbox and privilege separation.
- pax(1) (and tar(1) and cpio(1)) now prevent archive extraction from escaping the current directory via symlinks; tar(1) without the -P option now strips up through any ".." path components.
- Improved kernel checks of ELF headers.
- ...
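The two extraction safeguards listed above (member names stripped up through any ".." component, and refusal to follow a symlink out of the extraction directory) can be illustrated with the following Python, an added example that is not OpenBSD's pax(1) code; the stripping rule is written here as an interpretation of the note, and the demo scenario is constructed.

```python
import os
import tempfile


def sanitize_member_path(name):
    """Return the relative path an extractor should use for archive member
    `name`, or None if nothing usable remains.  Mirrors the rule described
    for tar(1) without -P: empty and "." components (so also a leading "/")
    are dropped and everything up through the last ".." is discarded, so a
    member name alone can never point outside the extraction directory."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    last_dotdot = -1
    for i, p in enumerate(parts):
        if p == "..":
            last_dotdot = i
    parts = parts[last_dotdot + 1:]
    return "/".join(parts) if parts else None


def safe_extraction_target(dest, member):
    """Resolve where `member` would be written under `dest`, refusing it if
    an already-present path component (e.g. a symlink created by an earlier
    archive entry) resolves outside `dest`.  Illustration of the symlink
    check, not the project's implementation."""
    rel = sanitize_member_path(member)
    if rel is None:
        raise ValueError("member %r has no usable path" % member)
    dest_real = os.path.realpath(dest)
    target = os.path.join(dest_real, rel)
    # realpath() follows any symlink in the parent chain; compare the result
    # against dest so a link pointing out of the tree is caught before writing
    parent_real = os.path.realpath(os.path.dirname(target))
    if parent_real != dest_real and not parent_real.startswith(dest_real + os.sep):
        raise ValueError("member %r escapes %s via a symlink" % (member, dest))
    return os.path.join(parent_real, os.path.basename(target))


def demo():
    """Constructed scenario: an archive whose first entry is the symlink
    'link' -> '/' and whose later entry is 'link/etc/passwd'.  Returns the
    accepted relative path for a benign member and whether the escaping
    member was rejected."""
    with tempfile.TemporaryDirectory() as dest:
        os.mkdir(os.path.join(dest, "data"))
        os.symlink("/", os.path.join(dest, "link"))  # hostile earlier entry
        ok = safe_extraction_target(dest, "data/notes.txt")
        try:
            safe_extraction_target(dest, "link/etc/passwd")
            rejected = False
        except ValueError:
            rejected = True
        return os.path.relpath(ok, os.path.realpath(dest)), rejected
```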
- Assorted improvements:
- The worm(6) now grows at a rate proportional to terminal size.
- dlclose(3) now unregisters handlers registered by a pthread_atfork(3) call from the unloaded libraries.
- cp(1), mv(1), and pax(1) with the -rw option now preserve timestamps with full nanosecond precision.
- pax(1) now detects failure to decompress an archive when reading it and errors out immediately.
- nm(1) now supports the -D option for displaying the dynamic symbol table.
- dump(8) now uses DUIDs in /etc/dumpdates when present and the -U option has thus been removed.
- Corrected kdump(1) reporting of lseek(2) return value on ILP32 archs and getsockopt/setsockopt(2) level and optname arguments. iovec, msghdr, and cmsghdr structures are now dumped.
- sed(1) -i option added.
- Improvements in checking of numeric option values in many utilities.
- Upgraded to binutils version 2.17 with additional fixes.
- Static PIE support for sparc.
- Alpha switched to secure PLT.
- Improved correctness of poll(2) on O_RDONLY FIFO fds.
- Restored reporting of closed sockets by netstat(1) and systat(1).
- ...
- OpenBSD httpd(8):
- OpenSMTPD X.X.X
- OpenSSH 7.0
- Security:
- sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences.
- sshd(8): fix circumvention of MaxAuthTries using keyboard-interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied.
- Potentially-incompatible changes:
- Support for the legacy SSH version 1 protocol is disabled by default at compile time.
- Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html.
- Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html.
- Support for the legacy v00 cert format has been removed.
- The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "without-password".
- New/changed features:
- ssh_config(5): add PubkeyAcceptedKeyTypes option to control which public key types are available for user authentication.
- sshd_config(5): add HostKeyAlgorithms option to control which public key types are offered for host authentications.
- ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes options to allow appending to the default set of algorithms instead of replacing it. Options may now be prefixed with a + to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
- The following significant bugs have been fixed in this release:
- ssh(1), sshd(8): add compatibility workarounds for Cisco and more PuTTY versions. (bz#2424)
- Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux documentation relating to Unix domain socket forwarding. (bz#2421, bz#2422)
- ssh(1): Improve the ssh(1) manual page to include a better description of Unix domain socket forwarding. (bz#2423)
- ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing failures to load keys when they are present. (bz#2427)
- ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys with empty CKA_ID. (bz#2429)
- sshd(8): clarify documentation for UseDNS option. (bz#2045)
- LibreSSL
- User-visible features:
- Switched openssl dhparam default from 512 to 2048 bits.
- More CRYPTO ByteString (CBS) packet parsing conversions.
- Fixed openssl pkeyutl -verify to exit with a 0 on success.
- Fixed dozens of Coverity issues including dead code, memory leaks,
logic errors and more.
- Ensure that openssl(1) restores terminal echo state after reading a password.
- Incorporated fix for OpenSSL Issue #3683.
- Removed SSLv3 support from openssl(1).
- Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation.
- Removed RSAX engine.
- Tested SSLv3 removal with the OpenBSD ports tree and found several applications that were not ready to build without SSLv3 yet. For now, building a program that intentionally uses SSLv3 will result in a linker warning.
- Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls.
- Default cert.pem, openssl.cnf, and x509v3.cnf files are now installed under $sysconfdir/ssl or the directory specified by --with-openssldir. Previous versions of LibreSSL left these empty.
- Code improvements:
- Reworked openssl(1) option handling.
- LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped for each portable release.
- Removed workarounds for TLS client padding bugs.
- Removed IE 6 SSLv3 workarounds.
- --with-enginesdir is removed as a configuration parameter.
- mandoc X.X.X
- man(1) functionality is now built-in.
- ...
- Syslogd:
- OpenBSD syslogd(8) can bind to explicitly given UDP or TCP sockets to receive messages. TCP streams are accepted with either the octet-counting or the non-transparent framing method.
- Blocks in syslog.conf(5) starting with +host process messages from specific hosts.
- Handle situations when the file descriptor limit is exhausted gracefully.
- Since libtls now handles short writes more intelligently, syslogd can use the complete output buffer to save messages, coping with longer TLS server downtimes without losing messages.
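A receiver that accepts both TCP framing methods named above has to decide per message which one it is looking at, hold back incomplete frames for the next read, and refuse absurd length prefixes. The following Python splitter is an added example, not syslogd(8)'s own code; the MAX_FRAME cap is an assumed value and the sample stream is constructed.

```python
MAX_FRAME = 8192  # assumed cap: reject absurd length prefixes instead of buffering them


def octet_frame(msg):
    """Encode one message with octet-counting framing: "<len> <msg>"."""
    return b"%d %s" % (len(msg), msg)


def split_frames(buf):
    """Split a TCP syslog byte stream into complete messages.

    Returns (messages, remainder); `remainder` is an incomplete frame that
    the caller keeps and prepends to the next read.  Framing is decided per
    message: a leading decimal length followed by a space selects octet
    counting, otherwise the message runs up to the next LF (non-transparent
    framing).  Well-formed syslog messages start with "<", so a digit never
    legitimately begins a non-transparent one.
    """
    msgs = []
    pos, n = 0, len(buf)
    while pos < n:
        i = pos
        while i < n and 48 <= buf[i] <= 57:  # ASCII digits
            i += 1
        if i > pos and i == n:
            break  # digits run to the end: a length prefix may still be arriving
        if i > pos and buf[i] == 32:  # digits then space: octet counting
            length = int(buf[pos:i])
            if length == 0 or length > MAX_FRAME:
                raise ValueError("malformed or oversized frame length %d" % length)
            start = i + 1
            if start + length > n:
                break  # wait for the rest of the counted message
            msgs.append(buf[start:start + length])
            pos = start + length
        else:  # non-transparent framing: up to LF, tolerating CRLF
            nl = buf.find(b"\n", pos)
            if nl < 0:
                break
            msgs.append(buf[pos:nl].rstrip(b"\r"))
            pos = nl + 1
    return msgs, buf[pos:]


def demo():
    """Constructed stream: one LF-terminated message, one octet-counted
    message containing an embedded newline, then a partial frame."""
    m1 = b"<13>Oct 18 12:00:00 host app: non-transparent line"
    m2 = b"<13>Oct 18 12:00:01 host app: octet counted\nkeeps its newline"
    partial = b"<13>Oct 18 12:00:02 host app: not yet terminated"
    return split_frames(m1 + b"\r\n" + octet_frame(m2) + partial)
```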
- Ports and packages:
- Many pre-built packages for each architecture:
- alpha: XXXX
- amd64: XXXX
- arm: XXXX
- hppa: XXXX
- i386: 8839
- mips64: XXXX
- mips64el: XXXX
- powerpc: XXXX
- sh: XXXX
- sparc64: XXXX
- sparc: XXXX
- vax: XXXX
- Some highlights:
- Chromium 44.0.2403.125
- Emacs 21.4 and 24.5
- GCC 4.8.4 and 4.9.3
- GHC 7.8.4
- GNOME 3.16.2
- Go 1.4.2
- Groff 1.22.3
- JDK 1.7.0.80 and 1.8.0.45
- KDE 3.5.10 and 4.14.3
- LLVM/Clang 3.5 (20140228)
- LibreOffice 4.4.4.3
- MariaDB 10.0.20
- Mono 3.12.1
- Mozilla Firefox 38.1.1esr and 39.0.3
- Mozilla Thunderbird 38.1.0
- Node.js 0.10.35
- OpenLDAP 2.3.43 and 2.4.41
- PHP 5.4.43, 5.5.27 and 5.6.11
- Postfix 3.0.2
- PostgreSQL 9.4.4
- Python 2.7.10 and 3.4.3
- R 3.2.1
- Ruby 1.8.7.374, 1.9.3.551, 2.0.0.645, 2.1.6, and 2.2.2
- Sendmail 8.15.2
- Sudo 1.8.14.3
- Tcl/Tk 8.5.18 and 8.6.4
- TeX Live 2014
- Vim 7.4.769
- Xfce 4.12
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.16.4 + patches,
freetype 2.6, fontconfig 2.11.1, Mesa 10.2.9, xterm 314,
xkeyboard-config 2.14 and more)
- Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.20.2 (+ patches)
- SQLite 3.8.9 (+ patches)
- NSD 4.1.3
- Unbound 1.5.4
- Ncurses 5.7
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Less 458 (+ patches)
- Awk Aug 10, 2011 version
How to install
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an HTTP (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
Please refer to the following files on the three CDROMs or mirror site for
extensive details on how to install OpenBSD 5.8 on your machine:
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
OpenBSD/i386:
The OpenBSD/i386 release is on CD1.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
If your machine can boot from USB, you can write install58.fs or
miniroot58.fs to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
OpenBSD/amd64:
The OpenBSD/amd64 release is on CD2.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
If your machine can boot from USB, you can write install58.fs or
miniroot58.fs to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/macppc:
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /5.8/macppc/bsd.rd
OpenBSD/sparc64:
Put CD3 in your CDROM drive and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write
CD3:5.8/sparc64/floppy58.fs or CD3:5.8/sparc64/floppyB58.fs
(depending on your machine) to a floppy and boot it with boot floppy.
Refer to INSTALL.sparc64 for details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
You can also write CD3:5.8/sparc64/miniroot58.fs to the swap partition on
the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64.
OpenBSD/alpha:
Write FTP:5.8/alpha/floppy58.fs or
FTP:5.8/alpha/floppyB58.fs (depending on your machine) to a diskette and
enter boot dva0. Refer to INSTALL.alpha for more details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/armish:
After connecting a serial port, Thecus can boot directly from the network
via either tftp or http. Configure the network using fconfig, reset,
then load bsd.rd; see INSTALL.armish for specific details.
IOData HDL-G can only boot from an EXT-2 partition. Boot into Linux
and copy 'boot' and bsd.rd into the first partition on wd0 (hda1),
then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition.
More details are available in INSTALL.armish.
OpenBSD/hppa:
OpenBSD/landisk:
Write miniroot58.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
Write miniroot58.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/octeon:
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
To install, burn cd58.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/socppc:
After connecting a serial port, boot over the network via DHCP/tftp.
Refer to the instructions in INSTALL.socppc for more details.
OpenBSD/sparc:
Boot from one of the provided install ISO images, using one of the two
commands listed below, depending on the version of your ROM.
ok boot cdrom 5.8/sparc/bsd.rd
or
> b sd(0,6,0)5.8/sparc/bsd.rd
If your SPARC system does not have a CD drive, you can alternatively boot from floppy.
To do so you need to write floppy58.fs to a floppy.
For more information see FAQ 4.3.2.
To boot from the floppy use one of the two commands listed below,
depending on the version of your ROM.
ok boot floppy
or
> b fd()
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
If your SPARC system has neither a floppy drive nor a CD drive, you can either
set up a bootable tape, or install via network, as described in the
INSTALL.sparc file.
OpenBSD/vax:
Boot over the network via mopbooting as described in INSTALL.vax.
OpenBSD/zaurus:
Using the Linux built-in graphical ipkg installer, install the
openbsd58_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
for a few important details.
How to upgrade
If you already have an OpenBSD 5.7 system, and do not want to reinstall,
upgrade instructions and advice can be found in the Upgrade Guide.
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src. This file
contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here. Using these files results in a much faster initial
CVS update than you could expect from a fresh checkout of the full
OpenBSD source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point.
This text is not a manual of how to use ports. Rather, it is a set of
notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_8
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages on our mirrors. Updated
ports for the 5.8 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.