Released Nov 1, 2018
Copyright 1997-2018, Theo de Raadt.
6.4 Song: Maybe...
- See the information on the FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/6.4/ directory on
one of the mirror sites.
- Have a look at the 6.4 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
6.3 and 6.4 releases.
- signify(1)
pubkeys for this release:
base: RWQq6XmS4eDAcQW4KsT5Ka0KwTQp2JMOP9V/DR4HTVOL5Bc0D7LeuPwA
fw: RWRoBbjnosJ/39llpve1XaNIrrQND4knG+jSBeIUYU8x4WNkxz6a2K97
pkg: RWRF5TTY+LoN/51QD5kM2hKDtMTzycQBBPmPYhyQEb1+4pff/H6fh/kA
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
What's New
This is a partial list of new features and systems included in OpenBSD 6.4.
For a comprehensive list, see the changelog leading
to 6.4.
- Improved hardware support, including:
- ACPI support on OpenBSD/arm64 platforms.
- The radeondrm(4)
driver was updated to code based on Linux 4.4.155 adding modesetting
support for KAVERI/KABINI/MULLINS APUs and
OLAND/BONAIRE/HAINAN/HAWAII GPUs.
- Support for
radeondrm(4)
on OpenBSD/arm64 platforms.
- New umt(4) driver
for USB Windows Precision Touchpad devices.
- New bnxt(4)
driver for Broadcom NetXtreme-C/E PCI Express Ethernet
adapters based on the Broadcom BCM573xx and BCM574xx chipsets. Enabled
on amd64 and arm64 platforms.
- New mue(4)
driver for Microchip LAN7500/LAN7505/LAN7515/LAN7850 USB 2.0
and LAN7800/LAN7801 USB 3.0 Gigabit Ethernet devices.
- New acpisurface(4)
driver providing ACPI support for Microsoft Surface Book laptops.
- New
agintcmsi(4/arm64)
driver for the ITS component of the ARM GIC.
- New dwpcie(4)
driver for the Synopsys Designware PCIe controller,
which is built into various SoCs.
- New acpipci(4/arm64)
driver providing support for PCI host bridges
based on information provided by ACPI.
- New mvclock(4), mvgpio(4), mvicu(4), mvrng(4), mvrtc(4), and mvtemp(4)
drivers for various components of the Marvell Armada SoCs.
- New hiclock(4), hidwusb(4), hireset(4), and hitemp(4)
drivers for various components of the HiSilicon SoCs.
- New ccp(4) and
octcrypto(4/octeon)
drivers for hardware-accelerated cryptography.
- New ccpmic(4) and
tipmic(4)
drivers for Intel Crystal Cove and Dollar Cove
TI Power Management ICs.
- New imxrtc(4)
driver for the RTC integrated in Freescale i.MX7 and i.MX8 processors.
- New fanpwr(4)
driver for the Fairchild FAN53555 and Silergy SYR827/828
voltage regulators.
- New pinctrl(4)
driver for generic pin multiplexing.
- New plgpio(4)
driver for the ARM PrimeCell PL061 GPIO controller.
- PIE support for the m88k platform.
- Support for some HID-over-I2C touchscreen devices in
imt(4).
- Support for RTL8188EE and RTL8723AE in
rtwn(4).
- Support for RT3290 in
ral(4).
- Support for SAS 3.5 controllers (SAS34xx and SAS35xx) in
mpii(4).
- Support for drive and battery status sensors and bio in
mfii(4).
- On i386 Intel CPU microcode is loaded on boot.
- On sparc64 ldomctl(8)
now supports more modern firmwares found on SPARC T2+ and T3 machines in
particular such as T1000, T5120 and T5240.
NVRAM variables can now be set per logical domain.
- com(4)
better supports Synopsys Designware UARTs.
- New islrtc
driver for Intersil ISL1208 Real Time Clock.
- Support for the Huawei k3772 in
umsm.
- Support for the VIA VX900 chipset in
viapm(4).
- Support for GNSS networks other than GPS in
nmea(4).
- vmm(4) and
vmd(8) improvements:
- Support for qcow2 disk and snapshot images.
- Support for VM templates and derived instances in
vm.conf(5) and
vmctl(8).
- Added initial unveil(2)
support to vmctl(8)
along with general cleanups.
- Various bug fixes and improvements.
- IEEE 802.11 wireless stack improvements:
- With the new 'join' feature (managed with
ifconfig(8)), the kernel manages automatic switching between
different wifi networks.
- Generic network stack improvements:
- Installer improvements:
- Security improvements:
- New unveil(2)
system call to restrict file system access of the calling
process to the specified files and directories. It is most
powerful when properly combined with privilege separation
and pledge(2).
- Implemented MAP_STACK option for
mmap(2).
At pagefaults and syscalls the kernel will check that the
stack pointer points to MAP_STACK memory, which mitigates
against attacks using stack pivots.
- New RETGUARD security mechanism on amd64 and arm64:
use per-function random cookies to protect access to function
return instructions, making them harder to use in ROP gadgets.
- clang(1)
includes a pass which identifies common instructions which
may be useful in ROP gadgets and replaces them with safe
alternatives on amd64 and i386.
- The Retpoline mitigation against Spectre Variant 2 has been
enabled in clang(1)
and in assembly files on amd64.
- Meltdown mitigation was added to i386.
- Because Simultaneous multithreading (SMT) uses core resources in
a shared and unsafe manner, it is now disabled by default
and can be enabled with the new
hw.smt
sysctl(2) variable.
- Audio recording is now disabled by default and can be enabled
with the new
kern.audio.record
sysctl(2) variable.
- getpwnam(3) and
getpwuid(3) no
longer return a pointer to static storage but a managed allocation
which gets unmapped. This allows detection of access to stale entries.
- sshd includes
improved defence against user enumeration attacks.
- Routing daemons and other userland network improvements:
- ospf6d(8) can now set
the metric for a route depending on the status of an interface.
- ospf6d(8) can now be
bound into an alternate routing domain.
- ospf6d(8) is
now pledged.
- Prevent ospfd(8) and ospf6d(8) from being started more than once
(in the same routing domain).
- slaacd(8) is now fully
pledged.
- slaacd(8) is informed by
the kernel when Duplicate Address Detection (DAD) fails and generates
different addresses when possible.
- When slaacd(8) detects
roaming between networks it deprecates all configured IPs. IPs from
newly advertised prefixes will be preferred.
- A new daemon, rad(8) sends
IPv6 Router Advertisement messages and replaces the old rtadvd(8)
daemon from KAME.
- The anachronistic
networks(5)
configuration file is no longer supported.
- More robust pfctl(8)
parsing routines and corner case fixes around table and anchor
handling.
- route(8) now errors out
on bad -netmask/-prefixlen usage instead of configuring
ambiguous routes.
- dhclient(8)
now adds a direct route to the default route gateway when the
gateway is not reachable via the address/netmask provided by the
lease.
- dhclient(8)
now updates
dhclient.leases(5),
resolv.conf(5),
and any '-L'
file before going daemon and returning control
to invoking scripts.
- dhclient(8)
'-i' option now discards any previously defined values for the options
to be ignored.
- Any change to any interface now causes
dhclient(8)
to appropriately update
resolv.conf(5).
- dhclient(8)
now always records the client identifier used to obtain a lease,
enabling better conformance to RFC 6842.
- dhclient(8)
now has the option '-r' to release the current lease and exit.
- dhclient(8)
now avoids inappropriate changes to
resolv.conf(5)
by ignoring
dhclient.leases(5)
for interfaces that cannot report their link status.
- bgpd(8) improvements:
- The default filter action was changed from allow to deny.
- The config option 'announce (all|self|none|default-route)'
has been deprecated and superseded by filter configuration.
- Improved prefix-sets both in speed and user experience.
- Introduced as-sets to match ASPATH against large lists of AS numbers.
- Support for BGP Origin Validation (RFC 6811) through the
roa-set directive.
- Added origin-sets for matching prefix / origin AS pairs efficiently.
- Some syntax cleanups; newlines are optional inside expansion
lists (previously newlines needed to be escaped), but in neighbor,
group and rdomain blocks multiple statements have to be on new lines.
- Reduce the amount of work done during a configuration reload.
- Make config reload not block other event handling in the
route decision engine.
- Better support and bugfixes for multiple bgpd processes
running in different rdomains.
- Assorted improvements:
- rasops(9)-backed
framebuffer consoles such as
inteldrm(4),
radeondrm(4) and
efifb(4) now support
scrollback.
- rebound(8)
gained support for permanent A records, similar to
local-data
supported by
unbound(8).
- New
kcov(4)
driver used for collection of code coverage inside the kernel.
It's used in an ongoing effort to fuzz the kernel.
- uid_from_user(3)
and
gid_from_group(3)
were added to the C library and are now used in several programs,
to speed up repeated lookups.
- New semaphore implementation making
sem_post(3)
async-safe.
- pcap_set_immediate_mode(3) was imported from mainline libpcap,
allowing programs to process packets as soon as they arrive.
- ksh(1) now supports
64 bit integers on all architectures.
- A bug in
ksh(1)
related to variable expansion of read-only variables has been fixed.
- lam(1)
now provides UTF-8 support.
- Enable trunk(4) and
vlan(4) on arm64 RAMDISK.
- pf(4) IP fragment
reassembly uses a better algorithm to make it robust against
denial of service attacks.
- New ldap(1)
tool implementing a simple ldap search client.
- A bug in init(8)
that caused hangs on i386 under VMware has been fixed.
- TFTP boot support was added for U-Boot based arm64 and armv7 platforms
via EFI Simple Network protocol.
- Support was added for the EFI Random Number Generator Protocol
to insert additional entropy into the kernel at boot.
- Support for RFC 3430 (TCP connections) was added to
snmpd.
- Enable bwfm(4) on
loongson for USB devices.
- New "Spleen 5x8" font added to wsfont, targeted at small OLED displays.
- usbdevs(8) now reports
USB port statuses.
- top(1) and
systat(1) now report
the time spent by each CPU waiting on spinning locks.
- Improved read speed on MSDOSFS via clustering.
- Access to NFS nodes is now serialized.
- systat(1)
has a new uvm view that displays statistics relevant to the UVM subsystem.
- mg(1)
now handles carriage returns during incremental search by setting the
mark and exiting the search, as modern emacsen do.
- disklabel(8)
improved the rounding of partition offsets and
sizes to cylinder boundaries.
- disklabel(8)
now range checks all user input.
- disklabel(8)
no longer allows FS_RAID partitions to be given a mount point.
- disklabel(8)
now changes partition information only when all user
input is valid.
- relayd(8) has
improved log directives in its configuration file for finer
grained control of what gets logged.
- OpenSMTPD
- Incompatible change to the
smtpd.conf(5)
grammar: separate envelope matching, which happens during the
SMTP dialogue while receiving a message and merely results
in assigning an action name, from delivery actions, which do
not take effect until the queue runner makes a delivery attempt.
This gets rid of several different roadblocks in OpenSMTPD
development.
- Improve SMTP server engine with a new RFC 5322 message parser.
- Remove limitations preventing
smtpd(8)
from dealing with clients submitting long lines.
- Improve security by moving expansion of .forward file variables
into the users' MDA process.
- Introduce MDA wrappers allowing recipient MDA commands to be
transparently wrapped inside global commands.
- Assorted documentation improvements, cleanups and minor bug fixes.
- OpenSSH 7.8
- New features:
- In most places
in ssh(1)
and sshd(8) where
port numbers are used, service names (from /etc/services) can
now be used.
- The ssh(1)
IdentityAgent configuration directive now accepts environment
variable names. This supports the use of multiple agent
sockets without needing to use fixed paths.
- Support signalling sessions via the SSH protocol in
sshd(8).
- "ssh -Q sig" can be used to list supported signature
options. Also "ssh -Q help" will show the full set of
supported queries.
- The new CASignatureAlgorithms option
in ssh(1)
and sshd(8)
controls the allowed signature formats for CAs to sign
certificates with. For example, this allows banning CAs that
sign certificates using the RSA-SHA1 signature algorithm.
- Key revocation lists (KRLs) can now contain keys specified
by SHA256 hash. These lists are managed
by ssh-keygen(1). In
addition, KRLs can now be created from base64-encoded SHA256
fingerprints, i.e. from only the information contained
in sshd(8)
authentication log messages.
- Non-exhaustive list of Bugfixes:
- ssh(1),
ssh-keygen(1):
avoid spurious "invalid format" errors when attempting to load
PEM private keys while using an incorrect passphrase.
- sshd(8): when a
channel closed message is received from a client, close the
stderr file descriptor at the same time stdout is closed. This
avoids stuck processes if they were waiting for stderr to
close and were insensitive to stdin/out closing.
- ssh(1): allow
ForwardX11Timeout=0 to disable the untrusted X11 forwarding
timeout and support X11 forwarding indefinitely. Previously
the behaviour of ForwardX11Timeout=0 was undefined.
- sshd(8): do not
fail closed when configured with a text key revocation list
that contains a too-short key.
- ssh(1): treat
connections with ProxyJump specified the same as ones with a
ProxyCommand set with regards to hostname canonicalisation
(i.e. don't try to canonicalise the hostname unless
CanonicalizeHostname is set to 'always').
- ssh(1): fix
regression in OpenSSH 7.8 that could prevent public-key
authentication using certificates hosted in
a ssh-agent(1) or
against sshd(8)
from OpenSSH <7.8.
- LibreSSL 2.8.2
- Mandoc 1.14.4
- In HTML output, many
mdoc(7) macros
now use more fitting HTML elements.
- In HTML output, almost all "style" attributes and a number of
redundant "class" attributes were removed.
- Baby steps towards responsive design: use a @media query in
mandoc.css, use the HTML meta viewport element, and remove all
hard-coded widths and heights from the generated HTML code.
- Many style improvements in
mandoc.css.
- More than 15 new low level
roff(7)
and GNU man-ext features.
Mandoc can now format the manuals of the groff port.
- Ports and packages:
- update-plist(1)
has been entirely rewritten and now figures out MULTI_PACKAGES and
variable substitution almost 100%.
- New packages now run maintenance database tools like
update-desktop-database just once instead of after
every package addition/removal.
- Many pre-built packages for each architecture:
- aarch64: 8319
- amd64: 10304
- arm:
- i386: 10230
- mips64:
- mips64el:
- Some highlights:
- AFL 2.52b
- CMake 3.10.2
- Chromium 69.0.3497.100
- Emacs 21.4 and 26.1
- GCC 4.9.4
- GHC 8.2.2
- Gimp 2.8.22
- GNOME 3.28.2
- Go 1.11
- Groff 1.22.3
- JDK 8u172
- LLVM/Clang 6.0.1
- LibreOffice 6.1.1.2
- Lua 5.1.5, 5.2.4 and 5.3.5
- MariaDB 10.0.36
- Mono 5.14.0.177
- Mozilla Firefox 60.2.2esr and 62.0.3
- Mozilla Thunderbird 60.2.1
- Mutt 1.10.1 and NeoMutt 20180716
- Node.js 8.12.0
- Ocaml 4.03.0
- OpenLDAP 2.3.43 and 2.4.46
- PHP 5.6.38, 7.0.32, 7.1.22 and 7.2.10
- Postfix 3.3.1 and 3.4-20180904
- PostgreSQL 10.5
- Python 2.7.15 and 3.6.6
- R 3.5.1
- Ruby 2.3.7, 2.4.4 and 2.5.1
- Rust 1.29.2
- Sendmail 8.16.0.29
- SQLite3 3.24.0
- Sudo 1.8.25
- Tcl/Tk 8.5.19 and 8.6.8
- TeX Live 2017
- Vim 8.1.438
- Xfce 4.12
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches,
freetype 2.9.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 331,
xkeyboard-config 2.20 and more)
- LLVM/Clang 6.0.0 (+ patches)
- GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.24.3 (+ patches)
- NSD 4.1.25
- Unbound 1.8.1
- Ncurses 5.7
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Awk Aug 10, 2011 version
- Expat 2.2.6
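The OpenSSH item above on key revocation lists built from SHA256 fingerprints, as an added example (not code from the OpenBSD or OpenSSH projects): it collects the fingerprint of every key that logged in as one user from sshd(8) authentication log lines and emits "hash:" lines for an ssh-keygen(1) KRL specification. The log lines, host, users, addresses and fingerprints are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: derive a KRL specification from sshd(8) log lines.
# Hosts, users, addresses and fingerprints in sample_log are constructed.

sample_log() {
    cat <<'EOF'
Oct 30 09:12:01 gw sshd[4211]: Accepted publickey for alice from 192.0.2.10 port 50522 ssh2: ED25519 SHA256:EXAMPLEonlyEXAMPLEonlyEXAMPLEonlyEXAMPLEon0
Oct 30 09:40:17 gw sshd[4302]: Accepted publickey for bob from 198.51.100.7 port 41822 ssh2: RSA SHA256:EXAMPLEonlyEXAMPLEonlyEXAMPLEonlyEXAMPLEon4
Oct 30 11:03:55 gw sshd[4519]: Accepted publickey for alice from 192.0.2.10 port 50731 ssh2: ED25519 SHA256:EXAMPLEonlyEXAMPLEonlyEXAMPLEonlyEXAMPLEon0
Oct 31 08:01:09 gw sshd[5120]: Accepted publickey for alice from 203.0.113.44 port 60211 ssh2: ECDSA SHA256:EXAMPLEonlyEXAMPLEonlyEXAMPLEonlyEXAMPLEon8
Oct 31 08:02:30 gw sshd[5131]: Failed password for alice from 203.0.113.44 port 60230 ssh2
Oct 31 08:05:00 gw sshd[5140]: Accepted publickey for alice from 203.0.113.44 port 60299 ssh2: RSA SHA256:tooshort
EOF
}

# krl_spec_for_user LOGFILE USER
# Print one "hash: SHA256:..." line per distinct key that logged in as USER.
krl_spec_for_user() {
    awk -v user="$2" '
    {
        for (i = 2; i + 3 <= NF; i++) {
            # Accept the message only directly after the sshd[pid]: tag.
            if ($(i - 1) ~ /^sshd\[[0-9]+\]:$/ && $i == "Accepted" &&
                $(i + 1) == "publickey" && $(i + 2) == "for" &&
                $(i + 3) == user) {
                fp = $NF
                # "SHA256:" plus 43 unpadded base64 characters; a truncated
                # log line must not end up in the revocation list.
                if (length(fp) == 50 && fp ~ "^SHA256:[A-Za-z0-9+/]+$")
                    print "hash: " fp
                break
            }
        }
    }' "$1" | sort -u
}

# build_krl SPECFILE KRLFILE
# Compile the specification into a binary KRL with ssh-keygen(1).
# sshd_config(5) RevokedKeys then names KRLFILE on the server.
build_krl() {
    ssh-keygen -k -f "$2" "$1"
}

# Demo on the constructed log: list the keys to revoke for user alice.
log=$(mktemp)
sample_log > "$log"
krl_spec_for_user "$log" alice
rm -f "$log"
```

Redirect the output of krl_spec_for_user to a file and pass that file to build_krl; ssh-keygen -Q -f KRLFILE can then test individual public key files against the result.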
How to install
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.4 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of
the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
OpenBSD/alpha:
-
Write floppy64.fs or floppyB64.fs (depending on your machine)
to a diskette and enter boot dva0.
Refer to INSTALL.alpha for more details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/amd64:
-
If your machine can boot from CD, you can write install64.iso or
cd64.iso to a CD and boot from it.
You may need to adjust your BIOS options first.
-
If your machine can boot from USB, you can write install64.fs or
miniroot64.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
-
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/arm64:
-
Write miniroot64.fs to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.
OpenBSD/armv7:
-
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
OpenBSD/hppa:
-
Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.
OpenBSD/i386:
-
If your machine can boot from CD, you can write install64.iso or
cd64.iso to a CD and boot from it.
You may need to adjust your BIOS options first.
-
If your machine can boot from USB, you can write install64.fs or
miniroot64.fs to a USB stick and boot from it.
-
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
-
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
OpenBSD/landisk:
-
Write miniroot64.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
-
Write miniroot64.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
-
Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/macppc:
-
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
-
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/6.4/macppc/bsd.rd
OpenBSD/octeon:
-
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
-
To install, burn cd64.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
-
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/sparc64:
-
Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.
-
If this doesn't work, or if you don't have a CDROM drive, you can write
floppy64.fs or floppyB64.fs
(depending on your machine) to a floppy and boot it with boot
floppy. Refer to INSTALL.sparc64 for details.
-
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
-
You can also write miniroot64.fs to the swap partition on
the disk and boot with boot disk:b.
-
If nothing works, you can boot over the network as described in INSTALL.sparc64.
How to upgrade
If you already have an OpenBSD 6.3 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_4
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.4 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.