Released XXX XX, 2019
Copyright 1997-2019, Theo de Raadt.
- See the information on the FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/6.5/ directory on
one of the mirror sites.
- Have a look at the 6.5 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
6.4 and 6.5 releases.
- signify(1)
pubkeys for this release:
base: RWSZaRmt1LEQT9CtPygf9CvONu8kYPTlVEJdysNoUR62/NkeWgdkc3zY
fw: RWQYdGVtTv5IvpH2c+TLQAC4iV7RjoGZ/v75q8MCuC9Mca7nFVCXRefy
pkg: RWS5D4+188RI6jULDOFzga0Cm1zrXYUAHT6xu0mLrZidbn6xrMB5aZeR
syspatch: RWT8U2yd3Aq5DnetILjmSoCQxmyt3VqfGS7GBh19oh4Xre4ywc31PEpw
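Each key above is a base64 signify(1) blob: a 2-byte algorithm tag, an 8-byte key number and a 32-byte Ed25519 public key. The following is an added example, not part of the OpenBSD release notes or the signify source. It checks that a copied key is well-formed and finds which release key a signature names; the sample signature is constructed and carries no valid signature bytes.

```python
import base64
from typing import NamedTuple, Optional

# Public keys copied from the list above.
RELEASE_KEYS = {
    "base": "RWSZaRmt1LEQT9CtPygf9CvONu8kYPTlVEJdysNoUR62/NkeWgdkc3zY",
    "fw": "RWQYdGVtTv5IvpH2c+TLQAC4iV7RjoGZ/v75q8MCuC9Mca7nFVCXRefy",
    "pkg": "RWS5D4+188RI6jULDOFzga0Cm1zrXYUAHT6xu0mLrZidbn6xrMB5aZeR",
    "syspatch": "RWT8U2yd3Aq5DnetILjmSoCQxmyt3VqfGS7GBh19oh4Xre4ywc31PEpw",
}

class Blob(NamedTuple):
    alg: bytes     # 2-byte algorithm tag, b"Ed" (Ed25519)
    keynum: bytes  # 8-byte key number, shared by a key and its signatures
    body: bytes    # 32-byte public key or 64-byte signature

def parse_blob(b64: str, body_len: int) -> Blob:
    """Decode the base64 line of a signify public key (32) or signature (64)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 10 + body_len:
        raise ValueError(f"expected {10 + body_len} bytes, got {len(raw)}")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return Blob(raw[:2], raw[2:10], raw[10:])

def signing_key_name(sig_b64: str) -> Optional[str]:
    """Name the release key whose key number the signature carries, if any.
    Compares key numbers only; it does not verify the Ed25519 signature."""
    keynum = parse_blob(sig_b64, 64).keynum
    for name, pub in RELEASE_KEYS.items():
        if parse_blob(pub, 32).keynum == keynum:
            return name
    return None

def constructed_signature(pub_b64: str) -> str:
    """Constructed sample: the key's number followed by 64 zero bytes."""
    pub = parse_blob(pub_b64, 32)
    return base64.b64encode(pub.alg + pub.keynum + bytes(64)).decode()

if __name__ == "__main__":
    for name, b64 in RELEASE_KEYS.items():
        print(f"{name:9s} keynum={parse_blob(b64, 32).keynum.hex()}")
    print(signing_key_name(constructed_signature(RELEASE_KEYS["pkg"])))
```

A matching key number only tells you which public key to use; the signature itself still has to be checked with signify(1).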
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
What's New
This is a partial list of new features and systems included in OpenBSD 6.5.
For a comprehensive list, see the changelog leading
to 6.5.
- Improved hardware support, including:
- clang(1)
is now provided on mips64.
- The default linker has been switched from the binutils bfd-based linker
to lld on amd64 and i386.
- The radeonsi Mesa driver is now included for hardware acceleration
on Southern Islands and Sea Islands
radeondrm(4) devices.
- octeon: Now the system automatically detects the number of available
cores. However, manual setting of the numcores, or coremask,
boot parameter is still needed to enable secondary cores.
- octeon: It is now possible to use the root disk's DUID as the value
of the rootdev boot parameter.
- New octgpio(4)
driver for the OCTEON GPIO controller.
- New pvclock(4)
driver for KVM paravirtual clock.
- New ixl(4)
driver for Intel Ethernet 700 series controller devices.
- New abcrtc(4)
driver for Abracon AB1805 real-time clock.
- New imxsrc(4)
driver for i.MX system reset controller.
- New uxrcom(4)
driver for Exar XR21V1410 USB serial adapters.
- New mvgicp(4)
driver for Marvell ARMADA 7K/8K GICP controller.
- Support for QCA AR816x/AR817x in
alc(4).
- Support for isochronous transfers in
xhci(4).
- uaudio(4) has
been replaced by a new driver which supports USB audio class v2.0.
- IEEE 802.11 wireless stack improvements:
- Reduced usage of RTS frames improves overall throughput and latency.
- Improved transmit rate selection in the
iwm(4) driver.
- Improved radio hardware calibration in the
athn(4) driver.
- The bwfm(4) driver now
provides more accurate device configuration information to userland.
- Added new routing socket message RTM_80211INFO to provide details
of 802.11 interface state changes to
dhclient(8) and
route(8).
- The autojoin feature will no longer connect to unknown open networks
by default. This behaviour must now be explicitly enabled with
ifconfig(8).
- The iwn(4) and
iwm(4) drivers will now
automatically try to connect to a network if the radio kill switch is
toggled to allow radio transmissions while the interface is marked UP.
- Generic network stack improvements:
- New bpe(4)
Backbone Provider Edge pseudo-device.
- New mpip(4)
MPLS IP layer 2 pseudowire.
- New per SAD counters visible via
ipsecctl(8).
- Installer improvements:
- Security improvements:
- unveil(2) has been improved to understand and find covering unveil
matches above the working directory of the running process for relative
path accesses. As a result many programs now can use unveil in broad
ways such as unveil("/", "r");
- unveil(2) no longer silently allows stat(2) and access(2) to work on
any unveiled path component.
- Routing daemons and other userland network improvements:
- bgplg(8) and
bgplgsh(8) can
now filter on Origin Validation State and Extended Communities.
- bgplgsh(8) can
now [clear|destroy|down|refresh|up] and show groups of neighbors.
- Prevent bgpd(8)
from being started more than once with the same config.
- pcap-filter(3) can
now filter on MPLS packets.
- The routing priority for
ospfd(8),
ospf6d(8) and
ripd(8)
is now configurable.
- ripd(8) is now pledged.
- ospfd(8),
ospf6d(8) and
ripd(8) now use unveil(2)
to limit file system access of the parent process to read only.
- First release of
unwind(8), a validating,
recursive nameserver for 127.0.0.1. It is particularly suitable for
laptops moving between networks.
- Assorted improvements:
- kcov(4) gained support for KCOV_MODE_TRACE_CMP.
- A 'video' promise was added to pledge(2).
- The kern.witnesswatch sysctl(8) has been renamed to kern.witness.watch.
- New pthread rwlock implementation improving latency of threaded
applications.
- kubsan(4) capable of detecting undefined behavior in the kernel.
- signify -n option to zero date header in -z mode.
- Remove OXTABS from default pty flags.
- install(1) now
always copies files safely (as with -S), avoiding race conditions.
- syslog.conf(5)
now supports program names containing dots and underscores.
- OpenSMTPD
- LibreSSL 2.9.X
- API and Documentation Enhancements
- CRYPTO_LOCK is now automatically initialized, with the legacy
callbacks stubbed for compatibility.
- Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
- Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
- Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
- Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
- Implemented further missing OpenSSL 1.1 API.
- Added support for XChaCha20 and XChaCha20-Poly1305.
- Added support for AES key wrap constructions via the EVP interface.
- Compatibility Changes
- Added pbkdf2 key derivation support to openssl(1) enc.
- Changed the default digest type of openssl(1) enc to sha256.
- Changed the default digest type of openssl(1) dgst to sha256.
- Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
- Changed the default digest type of openssl(1) crl -fingerprint to sha256.
- Testing and Proactive Security
- Added extensive interoperability tests between LibreSSL and OpenSSL 1.0
and 1.1.
- Added additional Wycheproof tests and related bug fixes.
- Internal Improvements
- Simplified sigalgs option processing and handshake signing algorithm
selection.
- Added the ability to use the RSA PSS algorithm for handshake signatures.
- Added bn_rand_interval() and use it in code needing ranges of random bn
values.
- Added functionality to derive early, handshake, and application secrets
as per RFC8446.
- Added handshake state machine from RFC8446.
- Removed some ASN.1 related code from libcrypto that had not been used
since around 2000.
- Unexported internal symbols and internalized more record layer structs.
- Removed SHA224 based handshake signatures from consideration for use in
a TLS 1.2 handshake.
- Portable Improvements
- Added support for assembly optimizations on 32-bit ARM ELF targets.
- Bug Fixes
- Improved protection against timing side channels in ECDSA signature
generation.
- Coordinate blinding was added to some elliptic curves.
This is the last bit of the work by Brumley et al. to protect against
the Portsmash vulnerability.
- Ensure transcript handshake is always freed with TLS 1.2.
- Mandoc 1.14.5
- Improved POSIX compliance in apropos(1) by
accepting case-insensitive extended regular expressions by default.
- New -O tag output option to open a page at the definition of a term.
- Many tbl(7) improvements: line drawing, spanning, horizontal and vertical
alignment in HTML output, improved column width calculations in
terminal output, use of box drawing characters in UTF-8 output.
- Much better HTML output, in particular with respect to
paragraphs, line breaks, and vertical spacing in tagged lists.
Tooltips are now implemented in pure CSS, the title attribute is no
longer abused.
- Xenocara
- Xorg(1), the X window server, is no longer installed setuid.
xenodm(1) should be used to start X.
- Ports and packages:
- Many pre-built packages for each architecture:
- aarch64: XXXX
- amd64: XXXXX
- arm: XXXX
- i386: XXXXX
- mips64: XXXX
- mips64el: XXXX
- powerpc: XXXX
- sparc64: XXXX
- Some highlights:
- AFL 2.52b
- Asterisk 16.2.1
- Audacity 2.3.1
- CMake 3.10.2
- Chromium 73.0.3683.86
- Emacs 26.1
- FFmpeg 4.1.3
- GCC 4.9.4 and 8.3.0
- GHC 8.2.2
- GNOME 3.30.2.1
- Go 1.12.1
- Groff 1.22.4
- JDK 8u202 and 11.0.2+9-3
- LLVM/Clang 7.0.1
- LibreOffice 6.2.2.2
- Lua 5.1.5, 5.2.4 and 5.3.5
- MariaDB 10.0.38
- Mono 5.18.1.0
- Mozilla Firefox 66.0.2 and ESR 60.6.1
- Mozilla Thunderbird 60.6.1
- Mutt 1.11.4 and NeoMutt 20180716
- Node.js 10.15.0
- OCaml 4.07.1
- OpenLDAP 2.3.43 and 2.4.47
- PHP 7.1.28, 7.1.28 and 7.3.4
- Postfix 3.3.3 and 3.4.20190106
- PostgreSQL 11.2
- Python 2.7.16 and 3.6.8
- R 3.5.3
- Ruby 2.4.6, 2.5.5 and 2.6.2
- Rust 1.33.0
- Sendmail 8.16.0.41
- SQLite3 3.27.2
- Sudo 1.8.27
- Suricata 4.1.3
- Tcl/Tk 8.5.19 and 8.6.8
- TeX Live 2018
- Vim 8.1.1048 and Neovim 0.3.4
- Xfce 4.12
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.19.7 + patches,
freetype 2.9.1, fontconfig 2.12.4, Mesa 18.3.5, xterm 344,
xkeyboard-config 2.20 and more)
- LLVM/Clang 7.0.1 (+ patches)
- GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.28.1 (+ patches)
- NSD 4.1.27
- Unbound 1.9.1
- Ncurses 5.7
- Binutils 2.17 (+ patches)
- Gdb 6.3 (+ patches)
- Awk Aug 10, 2011 version
- Expat 2.2.6
How to install
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.5 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of
the "disklabel -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
OpenBSD/alpha:
- Write floppy65.fs or floppyB65.fs (depending on your machine)
to a diskette and enter boot dva0.
Refer to INSTALL.alpha for more details.
- Make sure you use a properly formatted floppy with NO BAD BLOCKS or your
install will most likely fail.
OpenBSD/amd64:
- If your machine can boot from CD, you can write install65.iso or
cd65.iso to a CD and boot from it.
You may need to adjust your BIOS options first.
- If your machine can boot from USB, you can write install65.fs or
miniroot65.fs to a USB stick and boot from it.
- If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
- If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/arm64:
- Write miniroot65.fs to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.
OpenBSD/armv7:
- Write a system specific miniroot to an SD card and boot from it after
connecting to the serial console. Refer to INSTALL.armv7 for more details.
OpenBSD/hppa:
- Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.
OpenBSD/i386:
- If your machine can boot from CD, you can write install65.iso or
cd65.iso to a CD and boot from it.
You may need to adjust your BIOS options first.
- If your machine can boot from USB, you can write install65.fs or
miniroot65.fs to a USB stick and boot from it.
- If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
- If you are planning on dual booting OpenBSD with another OS, you will need
to read INSTALL.i386.
OpenBSD/landisk:
- Write miniroot65.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
- Write miniroot65.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
- Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the
bootloader from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/macppc:
- Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
- Alternatively, at the Open Firmware prompt, enter
boot cd:,ofwboot /6.5/macppc/bsd.rd
OpenBSD/octeon:
- After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
- To install, burn cd65.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
- If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/sparc64:
- Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.
- If this doesn't work, or if you don't have a CDROM drive, you can write
floppy65.fs or floppyB65.fs
(depending on your machine) to a floppy and boot it with boot floppy.
Refer to INSTALL.sparc64 for details.
- Make sure you use a properly formatted floppy with NO BAD BLOCKS or your
install will most likely fail.
- You can also write miniroot65.fs to the swap partition on
the disk and boot with boot disk:b.
- If nothing works, you can boot over the network as described in
INSTALL.sparc64.
How to upgrade
If you already have an OpenBSD 6.4 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_5
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.5 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.