Released Xxx xx, 2016
Copyright 1997-2016, Theo de Raadt.
ISBN 978-0-9881561-8-0
6.0 Songs: "XXX",
"XXX", "XXX",
"XXX", "XXX",
"XXX".
- Order a CDROM from our ordering system.
- See the information on the FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/6.0/ directory on
one of the mirror sites.
- Have a look at the 6.0 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
5.9 and 6.0 releases.
- signify(1)
pubkeys for this release:
base: RWSho3oKSqgLQy+NpIhFXZJDtkE65tzlmtC24mStf8DoJd2OPMgna4u8
fw: RWRWf7GJKFvJTWEMIaw9wld0DujiqL1mlrC6HisE6i78C+2SRArV1Iyo
pkg: RWQHIajRlT2mX7tmRgb6oN6mfJu3AgQ/TU38acrWABO8lz90dR3rNmey
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
What's New
This is a partial list of new features and systems included in OpenBSD 6.0.
For a comprehensive list, see the changelog leading
to 6.0.
- Processor support, including:
- Improved hardware support, including:
- The vax port has been removed.
- The iwm driver supports more models, notably the 3165 and 8260.
- ...
- SMP network stack improvements:
- Initial IEEE 802.11n wireless support:
- Generic network stack improvements:
- Installer improvements:
- Routing daemons and other userland network improvements:
- Add routing table support to
rc.d(8) and
rcctl(8).
- Let nc(1)
support service names in addition to port numbers.
- Add -M and -m TTL flags to
nc(1).
- Add AF_UNIX support to
tcpbench(1).
- ...
- Security improvements:
- W^X is now strictly enforced by default;
a program can only violate it if the executable is marked with
PT_OPENBSD_WXNEEDED and its is located on a filesystem
mounted with the wxallowed
mount(8) option.
- The setjmp(3)
family of functions now apply XOR cookies to stack and return-address
values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
- sigreturn(2)
can now only be used by the kernel-provided signal trampoline,
with a cookie to detect attempts to reuse it.
- To deter code reuse exploits, in rc(8),
re-link libc.so on startup, placing the objects in a random order.
- In the getpwnam(3)
family of functions, stop opening the shadow database by default.
- Allow tcpdump(8)
-r to be started without root privileges.
- Remove
systrace.
- Remove Linux emulation support.
- Remove support for the usermount option.
- The TCP SYN cache reseeds its random hash function from
time to time.
This prevents an attacker from calculating the distribution
of the hash function with a timing attack.
- To work against SYN flooding attacks the administrator can
change the size of the hash array now.
netstat(1)
-s -p tcp shows the relevant information to tune
the SYN cache with
sysctl(8)
net.inet.tcp.
- ...
- Assorted improvements:
- The thread library can now be loaded into a single-threaded process.
- Improved symbol handling and standards compliance in libc.
For example, defining an open() function will no longer
interfere with the operation of
fopen(3).
- PT_TLS sections are now supported in initially loaded object.
- Improved handling of "no paths" and "empty path" in
fts(3).
- In pcap(3),
provide the functions pcap_free_datalinks()
and pcap_offline_filter().
- Many bugfixes and structural cleanup in the
editline(3) library.
- Remove ancient
dbm(3)
functions;
ndbm(3) remains.
- Add setenv keyword for more powerful environment handling in
doas.conf(5).
- Add -g and -p options to
aucat.1
for time positioning.
- Rewrite audioctl(1)
with a simpler user interface.
- Add -F option to
install(1)
to fsync(2)
the file before closing it.
- kdump(1)
now dumps pollfd structures.
- Improve various details of
ksh(1) POSIX compliance.
- mknod(8) rewritten in a
pledge(2)-friendly
style and to support creating multiple devices at once.
- Implement rcctl(8)
get all and getdef all.
- Implement the rcs(1)
-I (interactive) flag.
- In rcs(1),
implement Mdocdate keyword substitution.
- In top(1),
allow to filter process arguments if they are being displayed.
- Added UTF-8 support to
fold(1) and
rev(1).
- Enable UTF-8 by default in
xterm(1) and
pod2man(1).
- Filter out non-ASCII characters in
wall(1).
- Handle the COLUMNS
environment variable consistently across many programs.
- The options -c and -k allow to provide
TLS client certificates for
syslogd(8)
on the sending side.
With that the receiving side can verify log messages
are authentic.
Note that syslogd does not have this check feature yet.
- When the klog buffer overflows, syslogd will write a log
message to show that some entries is missing.
- ...
- OpenSMTPD X.X
- OpenSSH X.X
- Security:
- Potentially-incompatible changes:
- New/changed features:
- The following significant bugs have been fixed in this release:
- In scp(1)
and sftp(1),
prevent screwing up terminal settings by escaping bytes
not forming ASCII or UTF-8 characters.
- ...
- OpenNTPD 6.0
- When a single "constraint" is specified, try all returned addresses
until one succeeds, rather than the first returned address.
- Relaxed the constraint error margin to be proportional to the number
of NTP peers, avoid constant reconnections when there is a bad NTP
peer.
- Removed disabled
hotplug(4)
sensor support.
- Added support for detecting crashes in constraint subprocesses.
- Moved the execution of constraints from the ntp process to the
parent process, allowing for better privilege separation since the
ntp process can be further restricted.
- Added
pledge(2)
support.
- Fixed high CPU usage when the network is down.
- Fixed various memory leaks.
- Switched to RMS for jitter calculations.
- Unified logging functions with other OpenBSD base programs.
- Set MOD_MAXERROR to avoid unsynced time status when using
ntp_adjtime.
- Fixed HTTP Timestamp header parsing to use
strptime(3)
in a more portable fashion.
- Hardened TLS for
ntpd(8)
constraints, enabling server name verification.
- LibreSSL 2.4.2
- User-visible features:
- Fixed some broken manpage links in the install target.
- cert.pem has been reorganized and synced with Mozilla's
certificate store.
- Reliability fix, correcting an error when parsing certain ASN.1
elements over 16k in size.
- Implemented the IETF ChaCha20-Poly1305 cipher suites.
- Fixed password prompts from
openssl(1)
to properly handle ^C.
- Code improvements:
- Fixed an nginx compatibility issue by adding an
'install_sw' build target.
- Changed default
EVP_aead_chacha20_poly1305(3)
implementation to the IETF version, which is now the default.
- Reworked error handling in libtls so that configuration
errors are more visible.
- Added missing error handling around
bn_wexpand(3)
calls.
- Added
explicit_bzero(3)
calls for freed ASN.1 objects.
- Fixed X509_*set_object functions to return 0 on allocation
failure.
- Deprecated internal use of
EVP_[Cipher|Encrypt|Decrypt]_Final.
- Fixed a problem that prevents the DSA signing algorithm from running
in constant time even if the flag BN_FLG_CONSTTIME is set.
- Fixed several issues in the OCSP code that could result in the
incorrect generation and parsing of OCSP requests. This remediates
a lack of error checking on time parsing in these functions, and
ensures that only GENERALIZEDTIME formats are accepted for
OCSP, as per RFC 6960.
- The following CVEs had been fixed:
- CVE-2016-2105—EVP_EncodeUpdate overflow.
- CVE-2016-2106—EVP_EncryptUpdate overflow.
- CVE-2016-2107—padding oracle in AES-NI CBC MAC check.
- CVE-2016-2108—memory corruption in the ASN.1 encoder.
- CVE-2016-2109—ASN.1 BIO excessive memory allocation.
- Ports and packages:
- Many pre-built packages for each architecture:
- alpha: xxxx
- amd64: xxxx
- hppa: xxxx
|
- i386: xxxx
- mips64: xxxx
- mips64el: xxxx
|
- powerpc: xxxx
- sparc64: xxxx
|
- Some highlights:
- Afl 2.19b
- Chromium 51.0.2704.106
- Emacs 21.4 and 24.5
- GCC 4.9.3
- GHC 7.10.3
- Gimp 2.8.16
- GNOME 3.20.2
- Go 1.6.3
- Groff 1.22.3
- JDK 7u80 and 8u72
- KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
- LLVM/Clang 3.8.0
- LibreOffice 5.1.4.2
- Lua 5.1.5, 5.2.4, and 5.3.3
- MariaDB 10.0.25
- Mono 4.4.0.182
- Mozilla Firefox 45.2.0esr and 47.0.1
|
- Mozilla Thunderbird 45.2.0
- Mutt 1.6.2
- Node.js 4.4.5
- OpenLDAP 2.3.43 and 2.4.44
- PHP 5.5.37, 5.6.23, and 7.0.8
- Postfix 3.1.1 and 3.2-20160515
- PostgreSQL 9.5.3
- Python 2.7.12, 3.4.5, and 3.5.2
- R 3.3.1
- Ruby 1.8.7.374, 2.0.0.648, 2.1.9, 2.2.5, and 2.3.1
- Rust 1.9.0-20160608
- Sendmail 8.15.2
- Sudo 1.8.17.1
- Tcl/Tk 8.5.18 and 8.6.4
- TeX Live 2015
- Vim 7.4.1467
- Xfce 4.12
|
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322,
xkeyboard-config 2.18 and more)
- GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) XXX
- Perl 5.20.3 (+ patches)
- SQLite 3.9.2 (+ patches)
- NSD 4.1.10
- Unbound 1.5.9
- Ncurses 5.7
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Awk Aug 10, 2011 version
- Expat 2.1.1
How to install
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an HTTP (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
Please refer to the following files on the three CDROMs or mirror site for
extensive details on how to install OpenBSD 6.0 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of
the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
OpenBSD/i386:
-
The OpenBSD/i386 release is on CD1.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
-
If your machine can boot from USB, you can write install60.fs or
miniroot60.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
-
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
OpenBSD/amd64:
-
The OpenBSD/amd64 release is on CD2.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
-
If your machine can boot from USB, you can write install60.fs or
miniroot60.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
-
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/macppc:
-
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
-
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/6.0/macppc/bsd.rd
OpenBSD/sparc64:
-
Put CD3 in your CDROM drive and type boot cdrom.
-
If this doesn't work, or if you don't have a CDROM drive, you can write
CD3:6.0/sparc64/floppy60.fs or CD3:6.0/sparc64/floppyB60.fs
(depending on your machine) to a floppy and boot it with boot
floppy. Refer to INSTALL.sparc64 for details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
-
You can also write CD3:6.0/sparc64/miniroot60.fs to the swap partition on
the disk and boot with boot disk:b.
-
If nothing works, you can boot over the network as described in INSTALL.sparc64.
OpenBSD/alpha:
-
Write FTP:6.0/alpha/floppy60.fs or
FTP:6.0/alpha/floppyB60.fs (depending on your machine) to a diskette and
enter boot dva0. Refer to INSTALL.alpha for more details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/armv7:
-
Refer to INSTALL.armv7 for more details. XXX
OpenBSD/hppa:
-
Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.
OpenBSD/landisk:
-
Write miniroot60.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
-
Write miniroot60.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
-
Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/octeon:
-
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
-
To install, burn cd60.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
-
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/socppc:
-
After connecting a serial port, boot over the network via DHCP/tftp.
Refer to the instructions in INSTALL.socppc for more details.
OpenBSD/zaurus:
-
Using the Linux built-in graphical ipkg installer, install the
openbsd60_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
for a few important details.
How to upgrade
If you already have an OpenBSD 5.9 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_0
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.0 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.