Released Apr 15, 2018
Copyright 1997-2018, Theo de Raadt.
6.3 Song: XXX.
- See the information on the FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/6.3/ directory on
one of the mirror sites.
- Have a look at the 6.3 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
6.2 and 6.3 releases.
- signify(1)
pubkeys for this release:
base: RWRxzbLwAd76ZZxHU7wuIFUOVGwl6SjNNzanKWTql8w+hui7WLE/72mW
fw: RWT3tdmiAc+DH/CJOxPFT10kUM90/UcLTgSEUEKzhKm9QEhy+UD4CWPy
pkg: RWT58k1AWz/zZO9DHcPHXiHhDNP6hdwGjxNkyMoc/sh4O5NI8Zz1R1lD
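One way to check that a local signify(1) key file holds the key published above, and to see which release key a signature names (an added example, not part of the OpenBSD release notes). The function names and sample inputs are constructed. The layout assumed is signify's 2-byte "Ed" tag and 8-byte key number, followed by a 32-byte Ed25519 key in key files or a 64-byte signature in signature files.

```python
import base64
import binascii

# Release public keys exactly as published on this page.
RELEASE_KEYS = {
    "base": "RWRxzbLwAd76ZZxHU7wuIFUOVGwl6SjNNzanKWTql8w+hui7WLE/72mW",
    "fw": "RWT3tdmiAc+DH/CJOxPFT10kUM90/UcLTgSEUEKzhKm9QEhy+UD4CWPy",
    "pkg": "RWT58k1AWz/zZO9DHcPHXiHhDNP6hdwGjxNkyMoc/sh4O5NI8Zz1R1lD",
}

def _payload(text):
    """Decode the base64 line of a signify key or signature file."""
    lines = [line.strip() for line in text.strip().splitlines()]
    # Files start with an "untrusted comment:" line; a bare key string has none.
    if lines and lines[0].startswith("untrusted comment:"):
        lines = lines[1:]
    if not lines:
        raise ValueError("no base64 payload found")
    try:
        return base64.b64decode(lines[0], validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not valid base64") from exc

def parse_pubkey(text):
    """Return (key_number, ed25519_public_key) from a signify public key."""
    blob = _payload(text)
    if len(blob) != 42 or blob[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 public key")
    return blob[2:10], blob[10:]

def sig_keynum(text):
    """Return the key number recorded in a signify signature."""
    blob = _payload(text)
    if len(blob) != 74 or blob[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 signature")
    return blob[2:10]

def matches_release_key(local_pub_text, role):
    """True only if the local key file holds the key published for `role`."""
    return parse_pubkey(local_pub_text) == parse_pubkey(RELEASE_KEYS[role])

def signer_role(sig_text):
    """Name the release key a signature claims to be made with, or None."""
    keynum = sig_keynum(sig_text)
    for role, key in RELEASE_KEYS.items():
        if parse_pubkey(key)[0] == keynum:
            return role
    return None

# Constructed samples, not real release files: a key file wrapping the base
# key, and a signature carrying the pkg key number with a zeroed body.
SAMPLE_PUB = "untrusted comment: constructed sample key file\n" + RELEASE_KEYS["base"] + "\n"
_pkg_num = parse_pubkey(RELEASE_KEYS["pkg"])[0]
SAMPLE_SIG = ("untrusted comment: constructed sample signature\n"
              + base64.b64encode(b"Ed" + _pkg_num + bytes(64)).decode() + "\n")

if __name__ == "__main__":
    print("base key matches:", matches_release_key(SAMPLE_PUB, "base"))
    print("signature names:", signer_role(SAMPLE_SIG))
```

This compares key material and key numbers only; the signature itself is still verified by signify(1).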
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
What's New
This is a partial list of new features and systems included in OpenBSD 6.3.
For a comprehensive list, see the changelog leading
to 6.3.
- Improved hardware support, including:
- SMP support on OpenBSD/arm64 platforms.
- VFP and NEON support on OpenBSD/armv7 platforms.
- New acrtc(4) driver
for X-Powers AC100 audio codec and Real Time Clock.
- New axppmic(4) driver
for X-Powers AXP Power Management ICs.
- New bcmrng(4) driver
for Broadcom BCM2835/BCM2836/BCM2837 random number generator.
- New bcmtemp(4) driver
for Broadcom BCM2835/BCM2836/BCM2837 temperature monitor.
- New bgw(4) driver
for Bosch motion sensor.
- New bwfm(4) driver
for Broadcom and Cypress FullMAC 802.11 devices.
- New efi(4) driver
for EFI runtime services.
- New imxanatop(4) driver
for i.MX6 integrated regulator.
- New rkpcie(4) driver
for Rockchip RK3399 Host/PCIe bridge.
- New sxirsb(4) driver
for Allwinner Reduced Serial Bus controller.
- New sxitemp(4) driver
for Allwinner temperature monitor.
- New sxits(4) driver
for temperature sensor on Allwinner A10/A20 touchpad controller.
- New sxitwi(4) driver
for two-wire bus found on several Allwinner SoCs.
- New sypwr(4) driver
for the Silergy SY8106A regulator.
- Support for Rockchip RK3328 SoCs has been added to the
dwge(4),
rkgrf(4),
rkclock(4) and
rkpinctrl(4)
drivers.
- Support for Rockchip RK3228/3328 SoCs has been added to the
rktemp(4)
driver.
- Support for Allwinner A10/A20, A23/A33, A80 and R40/V40
SoCs has been added to the
sxiccmu(4) driver.
- Support for Allwinner A33, GR8 and R40/V40 SoCs has been
added to the
sxipio(4) driver.
- Support for SAS3.5 MegaRAIDs was added to the
mfii(4) driver.
- Support for Intel Cannon Lake and Ice Lake integrated Ethernet
was added to the
em(4) driver.
- cnmac(4) ports are now
assigned to different CPU cores for distributed interrupt processing.
- The pms(4) driver now
detects and handles reset announcements.
- On amd64 Intel CPU microcode is loaded on boot and installed/updated by
fw_update(1).
- Support the sun4v hypervisor interrupt cookie API, adding support
for SPARC T7-1/2/4 machines.
- vmm(4)/
vmd(8) improvements:
- Add CD-ROM/DVD ISO support to vmd(8) via vioscsi(4).
- vmd(8) no longer
creates an underlying bridge interface for virtual switches defined in
vm.conf(5)
- vmd(8) receives
switch information (rdomain, etc) from underlying switch interface in
conjunction with settings in vm.conf(5)
- TSC (time stamp counter) support in guest VMs
- Support ukvm/Solo5 unikernels in
vmm(4)
- Handle valid (but uncommon) instruction encodings better
- Better PAE paging support for 32-bit Linux guest VMs
- vmd(8) now allows up
to 4 network interfaces in each VM
- Add paused migration and snapshotting support to vmm(4) for AMD SVM/RVI
hosts.
- BREAK commands sent over a
pty(4) are now understood by
vmd(8).
- Many fixes to vmctl(8)
and vmd(8) error handling
- IEEE 802.11 wireless stack improvements:
- The iwm(4) and
iwn(4) drivers will automatically roam between
access points which share an ESSID. Forcing a particular AP's MAC address with ifconfig's
bssid command disables roaming.
- Automatically clear configured WEP/WPA keys when a new network ESSID is configured.
- Removed the ability for userland to read configured WEP/WPA keys back from the kernel.
- The iwm(4) driver can now connect to networks
with a hidden SSID.
- USB devices supported by the athn(4) driver
now use an open source firmware, and hostap mode now works with these devices.
- Generic network stack improvements:
- The network stack no longer runs with the KERNEL_LOCK() when IPsec is
enabled.
- Processing of incoming TCP/UDP packets is now done without
KERNEL_LOCK().
- Cleanup and removal of code in sys/netinet6 since autoconfiguration
runs in userland now.
- bridge(4) members can
now be prevented from talking to each other with the new protected
option.
- ...
- Installer improvements:
- Routing daemons and other userland network improvements:
- bgpctl(8) has a new
ssv option which outputs rib entries as a single semicolon-separated
line for selection before output.
- slaacd(8) generates
random but stable IPv6 stateless autoconfiguration addresses according
to RFC 7217.
These are enabled by default in accordance with RFC 8064.
- slaacd(8) can generate
RFC 7217 (random but stable) and RFC 4941 (privacy) style stateless
autoconfiguration addresses on non-/64 prefixes.
- ospfd(8) can now set the
metric for a route depending on the status of an interface.
- ifconfig(8) has a new
staticarp option to make interfaces reply to ARP requests only.
- ipsecctl(8) can now
collapse flow outputs having the same source or destination
- The -n option in
netstart(8) no longer
messes with the default route.
It is now documented as well.
- ...
- Security improvements:
- Use even more trap-sleds on various architectures.
- More use of .rodata for constant variables in assembly source.
- Stop using x86 "repz ret" in dusty corners of the tree.
- Introduce "execpromises" in
pledge(2).
- Prepare for the introduction of MAP_STACK to
mmap(2) after 6.3.
- Push a small piece of KARL-linked kernel text into the random
number generator as entropy at startup.
- Put a small random gap at the top of thread stacks, so that attackers
have yet another calculation to perform for their ROP work.
- Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs
- OpenBSD/arm64 now uses kernel page table isolation to mitigate
Spectre variant 3 (Meltdown) attacks.
- OpenBSD/armv7 and OpenBSD/arm64 now flush the branch target
cache (BTB) on processors that do speculative execution to
mitigate Spectre variant 2 attacks.
- ...
- dhcpd(8)/
dhcrelay(8) improvements:
- dhclient(8) improvements:
- parsing
dhclient.conf(5) no longer leaks SSID strings, strings that are
too long for the parsing buffer or repeated string options and commands.
- storing leases in
dhclient.conf(5) is no longer supported.
- 'DENY' is no longer valid in
dhclient.conf(5).
-
dhclient.conf(5) and
dhclient.leases(5)
parsing error messages have been simplified and clarified, with
improved behaviour in the presence of unexpected semicolons.
- more care is taken to only use configuration information that was
successfully parsed.
- the '-n' command line option has been added to
dhclient(8), which causes
dhclient(8) to parse
dhclient.conf(5) and immediately exit without taking
charge of the interface.
- ...
- Assorted improvements:
- Code reorganization and other improvements to
malloc(3)
and friends to make them more efficient.
- When performing suspend or hibernate operations, ensure all filesystems
are properly synchronized and marked clean, or if they cannot be
put into a perfectly clean state on disk (due to open+unlinked files)
then mark them dirty, so that a failed resume/unhibernate is guaranteed
to perform fsck.
- acme-client(1)
autodetects the agreement url and follows 30x http redirects.
- Added __cxa_thread_atexit() to support modern C++ tool chains
- Added EVFILT_DEVICE support to
kqueue(2) for
monitoring changes to drm devices.
- ldexp(3) now handles
the sign of denormal numbers correctly on mips64.
- fdisk(8) now ensures the
validity of MBR partition offsets entered while editing.
- fdisk(8) now ensures that
default values lie within the valid range.
- less(1) now splits only
the environment variable LESS on '$'.
- less(1) no longer creates
a spurious file when encountering '$' in the initial command.
- softraid(4) now validates
the number of chunks when assembling a volume, ensuring the on-disk
and in-memory metadata are in sync.
- disklabel(8) now
always offers to edit an FFS partition's fragment size before offering to
edit the blocksize.
- disklabel(8) now
allows editing the cylinders/group (cpg) attribute whenever the partition
blocksize can be edited.
- disklabel(8) now
detects ^D and invalid input during (R)esize commands.
- disklabel(8) now
detects underflows and overflows when -/+ operators are used.
- disklabel(8) now
avoids an off-by-one when calculating the number of cylinders in a free
chunk.
- disklabel(8) now
validates the requested partition size against the size of the largest free
chunk instead of the total free space.
- Support for dumping USB transfers via
bpf(4)
- tcpdump(8) can now
understand dumps of USB transfers in the
USBPcap
format.
- The default prompts of csh(1),
ksh(1) and
sh(1) now include the hostname.
- Memory allocation in ksh was switched from
calloc(3) back to
malloc(3),
making it easier to recognize uninitialized memory.
As a result, a history-related bug in emacs editing mode was discovered
and fixed.
- The printf(3) format
string is no longer validated when looking for % formats.
Based on a commit by Android and following most other operating systems.
- Improved error checking in
vfwprintf(3).
- Many base programs have been audited and fixed for stale file descriptors,
including
cron(8),
ftp(1),
mandoc(1),
openssl(1),
ssh(1) and
sshd(8).
- Various bug fixes and improvements in
jot(1):
- Arbitrary length limits for the arguments for the
-b, -s, -w options were removed.
- The %F format specifier is now supported and a bug
in the %D format was fixed.
- Better code coverage in regression tests.
- Several buffer overruns were fixed.
- The patch(1) utility now
copes better with git diffs that create or delete files.
- The elfrdsetroot utility used to build ramdisks is now pledged.
- ...
- OpenSMTPD 6.0.4
- OpenSSH 7.7
- Security:
- New/changed features:
- The following significant bugs have been fixed in this release:
- LibreSSL 2.7.2
- Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
length provided is 0 to match the OpenSSL behaviour. Issue noticed
by Christian Heimes <christian@python.org>
- Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
observations of real-world usage in applications. These are
implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
changes have not been made to existing structs, allowing code written
for older OpenSSL APIs to continue working.
- Extensive corrections, improvements, and additions to the
API documentation, including new public APIs from OpenSSL that had
no pre-existing documentation.
- Added support for automatic library initialization in libcrypto,
libssl, and libtls. Support for pthread_once or a compatible
equivalent is now required of the target operating system. As a
side-effect, minimum Windows support is Vista or higher.
- Converted more packet handling methods to CBB, which improves
resiliency when generating TLS messages.
- Completed TLS extension handling rewrite, improving consistency of
checks for malformed and duplicate extensions.
- Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
This removes the last remaining use of the old M_ASN1_* macros
(asn1_mac.h) from API that needs to continue to exist.
- Added support for client-side session resumption in libtls.
A libtls client can specify a session file descriptor (a regular
file with appropriate ownership and permissions) and libtls will
manage reading and writing of session data across TLS handshakes.
- Improved support for strict alignment on ARMv7 architectures,
conditionally enabling assembly in those cases.
- Fixed a memory leak in libtls when reusing a tls_config.
- Merged more DTLS support into the regular TLS code path, removing
duplicated code.
- mandoc 1.14.3
- Ports and packages:
- Many pre-built packages for each architecture:
- aarch64: XXXX
- amd64: XXXX
- arm: XXXX
- hppa: XXXX
- i386: XXXX
- mips64: XXXX
- mips64el: XXXX
- powerpc: XXXX
- sparc64: XXXX
- Some highlights:
- AFL 2.52b
- CMake 3.10.2
- Chromium 65.0.3325.181
- Emacs 21.4 and 25.3
- GCC 4.9.4
- GHC 8.2.2
- Gimp 2.8.22
- GNOME 3.26.2
- Go 1.10
- Groff 1.22.3
- JDK 8u144
- KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
- LLVM/Clang 5.0.1
- LibreOffice 6.0.2.1
- Lua 5.1.5, 5.2.4 and 5.3.4
- MariaDB 10.0.34
- Mozilla Firefox 52.7.2esr and 59.0.1
- Mozilla Thunderbird 52.6.0
- Mutt 1.9.4 and NeoMutt 20180223
- Node.js 8.9.4
- Ocaml 4.03.0
- OpenLDAP 2.3.43 and 2.4.45
- PHP 5.6.34 and 7.0.28
- Postfix 3.3.0 and 3.4-20180203
- PostgreSQL 10.3
- Python 2.7.14 and 3.6.4
- R 3.4.4
- Ruby 2.3.6, 2.4.3 and 2.5.0
- Rust 1.24.0
- Sendmail 8.16.0.21
- SQLite3 3.22.0
- Sudo 1.8.22
- Tcl/Tk 8.5.19 and 8.6.8
- TeX Live 2017
- Vim 8.0.1589
- Xfce 4.12
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches,
freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
xkeyboard-config 2.20 and more)
- LLVM/Clang 5.0.1 (+ patches)
- GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.24.3 (+ patches)
- NSD 4.1.20
- Unbound 1.6.8
- Ncurses 5.7
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Awk Aug 10, 2011 version
- Expat 2.2.5
How to install
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.3 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of
the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
OpenBSD/alpha:
-
Write floppy63.fs or floppyB63.fs (depending on your machine)
to a diskette and enter boot dva0.
Refer to INSTALL.alpha for more details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/amd64:
-
If your machine can boot from CD, you can write install63.iso or
cd63.iso to a CD and boot from it.
You may need to adjust your BIOS options first.
-
If your machine can boot from USB, you can write install63.fs or
miniroot63.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
-
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/arm64:
-
Write miniroot63.fs to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.
OpenBSD/armv7:
-
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
OpenBSD/hppa:
-
Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.
OpenBSD/i386:
-
If your machine can boot from CD, you can write install63.iso or
cd63.iso to a CD and boot from it.
You may need to adjust your BIOS options first.
-
If your machine can boot from USB, you can write install63.fs or
miniroot63.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
-
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
OpenBSD/landisk:
-
Write miniroot63.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
-
Write miniroot63.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
-
Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/macppc:
-
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
-
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/6.3/macppc/bsd.rd
OpenBSD/octeon:
-
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
-
To install, burn cd63.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
-
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/sparc64:
-
Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.
-
If this doesn't work, or if you don't have a CDROM drive, you can write
floppy63.fs or floppyB63.fs
(depending on your machine) to a floppy and boot it with boot
floppy. Refer to INSTALL.sparc64 for details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
-
You can also write miniroot63.fs to the swap partition on
the disk and boot with boot disk:b.
-
If nothing works, you can boot over the network as described in INSTALL.sparc64.
How to upgrade
If you already have an OpenBSD 6.2 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_3
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.3 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or
would just like to know more, the mailing list
ports@openbsd.org is a good place to start.