Released October 15, 2017
Copyright 1997-2017, Theo de Raadt.
6.2 Song:
XXX.
- See the information on the FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/6.2/ directory on
one of the mirror sites.
- Have a look at the 6.2 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
6.1 and 6.2 releases.
- signify(1) pubkeys for this release:
base: RWRVWzAMgtyg7g27STK1h1xA6RIwtjex6Vr5Y9q5SC5q5+b0GN4lLhfu
fw: RWSbA8C2TPUQLi48EqHtg7Rx7KGDt6E/2d8OeJinGZPbpoqGRxA0N2oW
pkg: RWRvEq+UPCq0VGI9ar7VMy+HYKDrOb4WS5JLhdUBiX3qvJgPQjyZSTxI
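The key strings above are the second line of a signify(1) public key file. As an added example (not part of the original release notes), this script rebuilds such a file from a printed string and checks downloads against the signed SHA256.sig. The function names and output file name are illustrative, and the downloads and SHA256.sig are assumed to sit in the current directory.

```sh
#!/bin/sh
# Added example (not from the release notes): turn a key string printed above
# into a signify(1) public key file and verify downloads against SHA256.sig.

# Key strings exactly as printed on this page.
BASE_KEY='RWRVWzAMgtyg7g27STK1h1xA6RIwtjex6Vr5Y9q5SC5q5+b0GN4lLhfu'
FW_KEY='RWSbA8C2TPUQLi48EqHtg7Rx7KGDt6E/2d8OeJinGZPbpoqGRxA0N2oW'
PKG_KEY='RWRvEq+UPCq0VGI9ar7VMy+HYKDrOb4WS5JLhdUBiX3qvJgPQjyZSTxI'

# A signify public key is 42 bytes: "Ed", an 8-byte key number and the 32-byte
# Ed25519 key. Base64 of that is exactly 56 characters starting with "RW".
# This catches truncated or mangled copy/paste; it does not prove authenticity.
valid_pubkey() {
	[ "${#1}" -eq 56 ] || return 1
	case "$1" in
	*[!A-Za-z0-9+/]*) return 1 ;;
	RW*) return 0 ;;
	*) return 1 ;;
	esac
}

# Write the two-line file signify expects: a comment line that must start
# with "untrusted comment: ", then the base64 key.
# usage: write_pubkey KEY OUTFILE LABEL
write_pubkey() {
	valid_pubkey "$1" || { echo "malformed key: $1" >&2; return 1; }
	printf 'untrusted comment: %s\n%s\n' "$3" "$1" > "$2"
}

# Verify the signature on SHA256.sig with the given key, then the checksum of
# each named file listed in it. signify exits non-zero on any mismatch.
# usage: verify_release PUBKEYFILE FILE...
verify_release() {
	vr_pub=$1
	shift
	signify -C -p "$vr_pub" -x SHA256.sig "$@"
}

# Typical use (file name openbsd-62-base.pub is an assumption of this example):
#   write_pubkey "$BASE_KEY" ./openbsd-62-base.pub "openbsd 6.2 base public key"
#   verify_release ./openbsd-62-base.pub install62.fs
```

The key string should come from a source you already trust, such as a previously verified installation, rather than from the same mirror that served the files being checked.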
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
What's New
This is a partial list of new features and systems included in OpenBSD 6.2.
For a comprehensive list, see the changelog leading
to 6.2.
- New/extended platforms:
- The i386 and amd64 platforms have switched to using clang(1) as the base system compiler.
- ...
- Improved hardware support, including:
- arm: New rkgrf(4) driver for the Rockchip RK3399/RK3288 register file.
- arm: New rkclock(4) driver for Rockchip RK3399/RK3288 clocks.
- arm: New rkpinctrl(4) driver for controlling Rockchip RK3399/RK3288 pins.
- arm: New rkpgpio(4) driver for Rockchip RK3399 GPIO.
- arm: New rkptemp(4) driver for Rockchip RK3399 temperature sensors.
- arm: New rkiic(4) driver for Rockchip RK3399 I2C controllers.
- arm: New rkpmic(4) driver for the RK808 Power Management IC.
- arm: New dwmmc(4) driver for Synopsys Designware SD/MMC controllers.
- arm: New dwdog(4) driver for the Synopsys Designware watchdog timer.
- arm: New dwxe(4) driver for the Synopsys Designware Ethernet controller.
- arm: New sxitwi(4) driver for the two-wire bus on Allwinner SoCs.
- arm: New axppmic(4) driver for the AXP209 I2C PMIC.
- arm: New bcmaux(4) driver for clocks and interrupts on the auxiliary UART on BCM2835 devices.
- arm: New mvpinctrl(4) driver to configure pins on Marvell SoCs (Armada 388).
- arm: New mvneta(4) driver for the Ethernet controller on the Armada 38x series.
- arm: New amdisplay(4) & nxphdmi(4) drivers for the Texas Instruments AM335x LCD controller.
- octeon: New octsctl(4) driver for the OCTEON SATA controller bridge.
- octeon: New octxctl(4) driver for the OCTEON USB3 controller bridge.
- New hvs(4) driver for Hyper-V storage.
- New pcxrtc(4) driver for the NXP PCF8563 Real Time Clock.
- New urng(4) driver for USB random number generator devices.
- Intel 8265 and 3168 support was added to the iwm(4) driver.
- RTL8192CE support was added to the rtwn(4) driver.
- RT5360 support was added to the ral(4) driver.
- RTS525A support was added to the rtsx(4) driver.
- The acpibat(4) driver now supports _BIX entries from ACPI 4.0.
- ACPI hibernate support was added to the nvme(4) driver.
- Substantially improved ACPI hibernate performance in the ahci(4) driver.
- The inteldrm(4) driver was updated to code based on Linux 4.4.70. It now supports Skylake, Kaby Lake, and Cherryview devices and has better support for Broadwell and Valleyview devices.
- The puc(4) driver now supports ASIX AX99100 devices.
- Xen platform support and the xbf(4) driver in particular have been substantially improved.
- ...
- vmm(4)/vmd(8) improvements:
- vmctl(8) supports paused VM migration using send and receive commands.
- ...
- IEEE 802.11 wireless stack improvements:
- MiRA 802.11n TX rate scaling now supports devices with unequal numbers of Tx and Rx streams. Fixes 11n mode for some athn(4) devices.
- The iwn(4) and iwm(4) drivers will now start scanning for a new access point if they no longer receive beacons from their current AP.
- Prefer the 5GHz band over the 2GHz band during access point selection.
- Improved debug output in dmesg(8) when a wireless interface is put into debug mode with ifconfig(8).
- Generic network stack improvements:
- Incoming and forwarded IP packets are now processed without KERNEL_LOCK, resulting in better performance and reduced latency.
- The kernel no longer handles IPv6 Stateless Address Autoconfiguration (RFC 4862), allowing cleanup and simplification of the IPv6 network stack.
- The kernel sends IPv6 router solicitations for link local addresses with a link local source address.
- FQ-CoDel algorithm has been implemented for use with pf(4) queueing.
- Improve IPv6 checks for IPsec policies and make them consistent with IPv4.
- Refactor local IP delivery to process IPsec packets in a flow, so that they are not enqueued a second time.
- pf(4) looks into AH packets and matches on the inner protocol. This makes IPv4 authentication headers work like IPv6.
- The length of extension header chains in pf(4) is limited. This prevents spending excessive CPU time on crafted packets.
- Block IPv6 packets in pf(4) that have a hop-by-hop options header or destination options header. Such packets can be passed by adding "allow-opts" to the rule, so IPv6 options are now handled like their counterparts in IPv4.
- If the IPv4 ID gets reused too fast, pf(4) fragment reassembly uses a smarter strategy to drop packets.
- ...
- Installer improvements:
- The installer now uses the Allotment Routing Table (ART).
- A unique kernel is now created by the installer to boot from after install/upgrade.
- On release installs of architectures supported by syspatch, "syspatch -c" is added to rc.firsttime.
- Backwards compatibility code to support the 'rtsol' keyword in hostname.if(5) has been removed.
- The install.site and upgrade.site scripts are now executed at the end of the install/upgrade process.
- More detailed information is shown to identify disks.
- The IPv6 default router selection has been fixed.
- ...
- Routing daemons and other userland network improvements:
- A new daemon, slaacd(8), handles IPv6 Stateless Address Autoconfiguration (RFC 4862).
- rtadvd(8) now supports "Reducing Energy Consumption of Router Advertisements" (RFC 7772).
- rtadvd(8) has been fixed to quickly handle IPv6 prefix changes on the system.
- ipsecctl(8) can show SA bundles now. The keyword "bundle" allows creating them explicitly. This avoids confusion as they were used implicitly before.
- nc(1) has gained the option -W "recvlimit" to terminate netcat after receiving a number of packets. This makes it possible to send a UDP request, receive a reply and check the result on the command line.
- Fix a bunch of races in relayd(8), especially in HTTP chunked mode.
- ndp(8) shows the relevant NDP information when run in a non-default routing domain.
- ifstated(8) now copes with interface departures/arrivals.
- ...
- Security improvements:
- A new function freezero(3) to easily clear and free memory holding sensitive data has been added.
- Double free detection has been improved when the F malloc(3) option is used. The existing S option now includes F.
- The TIOCSTI tty ioctl has been removed. The I/O-loops in the last two consumers csh(1) and mail(1) were rewritten to cope with the removal.
- Trapsleds, a new mitigation that significantly reduces the amount of nops in the instruction stream, converting them to traps, making it harder to target potential gadgets.
- Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o files of the kernel to be relinked in a random order, creating a unique kernel for each boot.
- Like with libc previously, rc(8) re-links libcrypto on startup, placing the objects in a random order.
- In addition to libcrypto, to deter code reuse exploits, rc(8) re-links ld.so on startup, placing the objects in a random order.
- If process accounting is activated with accton(8), the daily mail shows pledge violations and program crashes. lastcomm(8) uses the flags P and T for such processes.
- pflogd(8) uses the fork+exec model.
- tcpdump(8) uses the fork+exec model.
- ifstated(8) uses pledge(2).
- snmpd(8) and snmpctl(8) now use pledge(2).
- dhcpd(8)/dhcrelay(8) improvements:
- Add support for echo-client-id statement to dhclient.conf(5).
- Take greater care to process all data read, and only data read, from the bpf(4) socket.
- Use /dev/bpf instead of /dev/bpf0.
- Handle DHCPINFORM messages from clients behind a DHCP relay.
- Fix handling of carp(4) interfaces in dhcrelay(8).
- Don't stop dhcrelay(8) logging to stderr when it is started with the -d option.
- dhclient(8) improvements:
- Log messages reworked and clarified, in particular by prefixing
the name of the relevant network interface.
- Treat SSID as 0 to 32 bytes of binary data, not a string.
- Use RTM_PROPOSAL to take control of an interface rather than flipping interface down and up in the hope that other dhclient(8) instances notice.
- Reduce file operations needed by -L option by opening file at startup and using it throughout process lifetime.
- Improve resolv.conf(5) handling by reducing writes and more reliably determining which interface has the current default route.
- Take greater care to process all data read, and only data read, from the bpf(4) socket.
- Improve the determination of the link state of an interface.
- Decline inappropriate lease offers as soon as they are deemed
inappropriate.
- Drop support for the timestamp formats used in lease files created
more than four years ago.
- Accept an offer from the server that sent the first copy of
the offer, not the server that sent the last copy.
- Don't delete addresses and routes when exiting.
- Ensure IPv6 packets are not read from sockets.
- Don't silently ignore obsolete keywords in dhclient.conf(5).
- Reduce memory footprint by shrinking oversized static buffers.
- Eliminate repeated socket opens by opening the required sockets during startup.
- Fix construction of unicast UDP packets, broken in 5.6.
- Improve determination of when a renewed lease requires interface configuration changes.
- Don't exit when addresses are manually added or deleted from an interface.
- Don't support option 33, classful IP addresses.
- Fix configuration of default routes supplied by classless route options.
- Consider dhclient.conf(5) contents when determining what MTU value to configure.
- Consider dhclient.conf(5) contents when creating the content of resolv.conf(5).
- Delete direct routes when routes are flushed.
- Don't label routes with "DHCLIENT nnnn".
- Don't delete addresses or routes that will be immediately added back.
- Delete addresses and routes only when a renewal request is NAK'ed.
- Don't wait forever for requested information on the default route.
- Don't exit when an attempt to send a packet fails.
- Don't log a packet send when the send fails.
- Remove the -u option, broken since 2013 without complaints.
- Use /dev/bpf instead of /dev/bpf0.
- Assorted improvements:
- Improved UTF-8 line editing support for ksh(1) Emacs and Vi input mode.
- The HISTFILE of ksh(1) now uses a plain text format. Support for the HISTCONTROL environment variable was added.
- The performance of the memory deallocator used by ksh(1) has been fixed.
- The emacs-usemeta ksh(1) flag is no longer needed and is now deprecated.
- New futex(2) syscall.
- New pthread mutex and condition variable implementations improving latency of threaded applications.
- New POSIX xlocale implementation written from scratch, complete in the sense that all POSIX *locale(3) and *_l(3) functions are included, but in OpenBSD, we of course only really care about LC_CTYPE and we only support ASCII and UTF-8.
- New ctfdump and ctfconv tools to manipulate CTF (Compact C Type Format).
- The error handling in syslogd(8) has been improved. Even if internal errors occur, the daemon tries to keep unaffected subsystems active, so as many messages as possible are logged. They can be filtered by severity and facility "syslog".
- syslogd(8) can now suppress "last message repeated" which is useful for remote logging.
- syslogd(8) can listen on multiple TLS sockets.
- syslogd(8) closes the *.514 UDP sockets when they are not needed.
- Truncate log messages at 8192 bytes everywhere.
- newsyslog(8) now skips and logs invalid config lines.
- Nested mount points are umounted in correct order.
- Fix creation of softraid(4) CONCAT volumes.
- Include softraid(4) volume and backing disk information in i/o error messages.
- Make vioscsi(4) a normal scsi(4) device by eliminating its use of the obsolete XS_NO_CCB mechanism.
- Remove last vestiges of now unused XS_NO_CCB mechanism.
- OpenSMTPD X.X.X
- OpenSSH 7.X
- Security:
- New/changed features:
- Add RemoteCommand option to specify a command in the ssh(1) config file instead of giving it on the client's command line. The feature allows automating tasks using ssh config.
- ...
- The following significant bugs have been fixed in this release:
- LibreSSL X.X.X
- mandoc 1.14.3
- Full mandoc.db(5) databases are now enabled by default, allowing semantic searching with apropos(1) without any local configuration changes.
- Full integration of the former mdoclint(1) utility into mandoc(1) -Wall, new -Wstyle and -Wopenbsd message levels, and many new messages, for example about typos in .Sh lines, unknown .Xr targets, and links to self.
- Additional steps unifying the mdoc(7), man(7), and roff(7) parsers: use one common data type and ohash_init(3) for all requests and macros and support creation of syntax tree nodes in the roff(7) parser, allowing support for many new low-level roff(7) features. Only about 25 ports still need USE_GROFF now.
- Many improvements to tbl(7) parsing and formatting, including automatic line wrapping inside table columns.
- Many improvements to eqn(7) parsing and formatting, including better font selection, recognition of well-known mathematical function names, and writing of <mn> and <mo> HTML tags.
- Intelligible rendering of mathematical symbols in -Tascii output.
- Several parsing and rendering improvements for the mdoc(7) .Lk macro.
- Some CSS improvements in HTML output, in particular for the mdoc(7) .Bl macro.
- Ports and packages:
- A massive amount of clang-related fixes happened between 6.1 and 6.2.
- Many pre-built packages for each architecture:
- alpha: XXXX
- amd64: XXXX
- arm: XXXX
- hppa: XXXX
- i386: XXXX
- mips64: XXXX
- mips64el: XXXX
- powerpc: XXXX
- sparc64: XXXX
- Some highlights:
- AFL 2.51b
- Chromium 61.0.3163.100
- Emacs 21.4 and 25.3
- GCC 4.9.4
- GHC 7.10.3
- Gimp 2.8.22
- GNOME 3.24.2
- Go 1.9
- Groff 1.22.3
- JDK 8u144
- KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
- LLVM/Clang 5.0.0
- LibreOffice 5.2.7.2
- Lua 5.1.5, 5.2.4, and 5.3.4
- MariaDB 10.0.32
- Mozilla Firefox 52.4.0esr and 56.0.0
- Mozilla Thunderbird 52.2.1
- Mutt 1.9.1 and NeoMutt 20170912
- Node.js 6.11.2
- Ocaml 4.03.0
- OpenLDAP 2.3.43 and 2.4.45
- PHP 5.6.31 and 7.0.23
- Postfix 3.2.2 and 3.3-20170910
- PostgreSQL 9.6.5
- Python 2.7.14 and 3.6.2
- R 3.4.1
- Ruby 1.8.7.374, 2.1.9, 2.2.8, 2.3.5 and 2.4.2
- Rust 1.20.0
- Sendmail 8.16.0.21
- SQLite3 3.20.1
- Sudo 1.8.21.2
- Tcl/Tk 8.5.19 and 8.6.6
- TeX Live 2016
- Vim 8.0.0987
- Xfce 4.12
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.18.4 + patches,
freetype 2.8.0, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
xkeyboard-config 2.20 and more)
- LLVM/Clang 4.0.0 (+ patches)
- GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.24.2 (+ patches)
- NSD 4.1.17
- Unbound 1.6.6
- Ncurses 5.7
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Awk Aug 10, 2011 version
- Expat 2.2.4
How to install
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.2 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of
the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
OpenBSD/alpha:
- Write floppy62.fs or floppyB62.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.
- Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
OpenBSD/amd64:
- If your machine can boot from CD, you can write install62.iso or cd62.iso to a CD and boot from it. You may need to adjust your BIOS options first.
- If your machine can boot from USB, you can write install62.fs or miniroot62.fs to a USB stick and boot from it.
- If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.
- If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.
OpenBSD/arm64:
- Write miniroot62.fs to a disk and boot from it after connecting to the serial console. Refer to INSTALL.arm64 for more details.
OpenBSD/armv7:
- Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details.
OpenBSD/hppa:
- Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.
OpenBSD/i386:
- If your machine can boot from CD, you can write install62.iso or cd62.iso to a CD and boot from it. You may need to adjust your BIOS options first.
- If your machine can boot from USB, you can write install62.fs or miniroot62.fs to a USB stick and boot from it.
- If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.
- If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.
OpenBSD/landisk:
- Write miniroot62.fs to the start of the CF or disk, and boot normally.
OpenBSD/loongson:
- Write miniroot62.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
- Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/macppc:
- Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.
- Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /6.2/macppc/bsd.rd
OpenBSD/octeon:
- After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
- To install, burn cd62.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from CD-ROM, and need a proper invocation from the PROM prompt. Refer to the instructions in INSTALL.sgi for more details.
- If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/sparc64:
- Burn the image from a mirror site to a CDROM, boot from it, and type boot cdrom.
- If this doesn't work, or if you don't have a CDROM drive, you can write floppy62.fs or floppyB62.fs (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.
- Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
- You can also write miniroot62.fs to the swap partition on the disk and boot with boot disk:b.
- If nothing works, you can boot over the network as described in INSTALL.sparc64.
How to upgrade
If you already have an OpenBSD 6.1 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here. Using these files results in a much faster initial CVS
update than you could expect from a fresh checkout of the full OpenBSD
source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point.
This text is not a manual of how to use ports. Rather, it is a set of
notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_2
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.2 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know about.