OpenBSD -current Changelog
This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
For changes in other releases, click below: 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8.
Changes made between OpenBSD 6.8 and -current
- Added PerSourceMaxStartups and PerSourceNetBlockSize options to sshd.
- Updated to libc++ and libc++abi 10.0.1.
- Made acme-client(1) request a new certificate without requiring -F when it detects an added or removed SAN in the config file that is not reflected in the existing certificate on disk.
- Updated to compiler-rt 11.0.0.
- Used native display resolution 1368x768 for Lynloong all-in-one computers.
- Made loongson kernels recognize Lynloong LM9002/9003 and LM9013.
- Changed the pool(9) timeouts to use the system uptime instead of ticks.
- Handled permanent redirects (RFC 7538) in ftp(1) fetch.
- Added kstat(1) to ogx(4).
- Updated to xkbcomp(1) 1.4.4.
- Updated to xinit(1) 1.4.1.
- Updated to xprop(1) 1.2.5.
- Updated to xev(1) 1.2.4.
- Updated to fonttosfnt(1) 1.2.1.
- Added a -C flag to tmux(1) run-shell to use a tmux command rather than a shell command.
- Corrected amltemp(4) attachment to allow thermal management despite temperature sensor reading failure on Amlogic SoCs.
- Added trace points for malloc(9) and free(9), making them traceable via dt(4) and btrace(8).
- Enabled IPv4 and TCP/UDP checksum offload on transmission in ogx(4).
- Renamed smtpd(8) pony process to dispatcher and klondike to crypto.
- Set klist lock for pipes.
- Added singly-linked tail queue macros from FreeBSD.
- Added bgpctl(8) "show sets" to display information about the roa-set, as-sets and prefix-sets loaded into bgpd(8).
- Introduced power-saving mode on POWER9 (ISA v3).
- Updated to libexpat 2.2.10.
- Added support for kern.video.record to sysctl(8).
- Introduced kern.video.record for video(4) devices, an analog to the kern.audio.record sysctl(8) parameter for audio(4) devices. By default, kern.video.record will be set to zero and blank all data delivered by drivers attaching to video(4).
- Used per-CPU counter for fault and stats counters reached in uvm_fault().
- Added support to dwpcie(4) for the PCIe controller found on Amlogic G12A/G12B/SM1 SoCs.
- Fixed "any" and "dynamic" keywords for flows in iked(8) and added proper IPv6 support.
- Added PCIe support to amlpciephy(4).
- Fixed a memory leak in ld.so's malloc.
- Added Gemini Lake I2C id to dwiic(4), making the touchpad work on the Teclast F7 Plus laptop.
- Corrected accounting of zero length TDs in xhci(4), preventing free TRBs from running out.
- Fixed hangs on amd64 bsd.rd due to misreported core clock frequency on newer Intel Comet Lake models.
- Added a global "nowake" channel for threads avoiding wakeup(9) to tsleep(9).
- Added Wake on LAN support to rge(4).
- Added a specific headline to netstat(1) for TCP state and IP protocol.
- Prevented a crash due to premature release of resources by the smtpd(8) filter state machine.
- Allowed the provision of dhclient(8) options on "dhcp" lines in hostname.if(5) files.
- Fixed a memory leak in smtpd(8) resolver.
- Introduced a send hold timer in bgpd(8) to detect stalls on the sending side of a TCP connection, acting as a last resort to detect faulty peers.
- Fixed ofw regulators that use "active-low" polarity.
- Added PCIe clocks to amlclock(4).
- Implemented select(2) and pselect(2) on top of kqueue(2).
- Made clang the default compiler on loongson.
- Added an ssh_config(5) KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files.
- Prevented initiation of new additional SAs for each policy upon every ikectl(8) config reload.
- Introduced smtp(1) -a to perform authentication before sending a message.
- Fixed DRI3 support on amdgpu(4) and ati(4).
- Accepted reject and blackhole routes for IPsec PMTU discovery.
- Prevented leaking of ipsec_hosts in iked(8) when building hosts_list.
- Fixed booting on powerpc64 machines with memory banks higher in physical address space, needing a larger TCE table.
- Introduced klistops, a way to associate lock operations with a klist.
- Fixed dig(1) EDNS Client Subnet option (+subnet=).
- Fixed IPv6 link-local address handling for nameservers to talk to and address to bind to in dig(1).
- Added support for the i.MX8MP PCIe clocks, USB clocks and second ethernet.
- Made large read and write transactions work in amliic(4).
- Updated to the December 18, 2020 version of awk(1).
- Added fd close notification for kqueue-based poll(2) and select(2).
- Corrected the first packet of an ipsec(4) SA to have sequence number 1.
- Added "amlogic,meson-g12a-dwmac" to dwge(4).
- Added amlpinctrl(4) support for the "Always On" GPIOs.
- Introduced a delay to work around an issue in bwfm(4) on the BCM43602 that was triggering "unexpected pairwise key update" errors.
- Made pfctl(8) detect and reject bogus ranges before loading the ruleset to prevent a panic.
- Made tmux(1) synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
- Updated to xcb-proto 1.14.1.
- Updated to Xserver(1) 1.20.10.
- Prevented a race in dhclient(8) privsep which could cause autoinstall to fail by calling ftp(1) without a local address.
- Correctly enumerated files with more than INT_MAX lines with the cat(1) -n flag.
- Updated to unbound(8) 1.13.0.
- Updated to nsd(8) 4.3.4.
- Fixed TCP going over an interface with fq codel enabled.
- Avoided spurious "input packet decapsulations failed" errors in netstat(1) -W with A-MSDU enabled.
- Allowed booting of amd64/i386 from 4TB GPT formatted disks.
- Flushed the reorder buffer after gap timeout to prevent frames from remaining in the buffer until the next frame is received.
- Validated ghostbuster records (RFC 6493) in rpki-client(8).
- Fixed 802.11 RSN capabilities announced to peers.
- Fixed a potential NULL pointer dereference due to malformed ASN.1 in a certificate revocation list or a timestamp response token.
- Fixed the calculation of "maxlen" in iwm(4) and iwx(4) when there are multiple MPDUs in one packet.
- Limited the URL embedded in .cer files in rpki-client(8) to alphanumeric characters and punctuation.
- Added dwgpio(4), a driver for the Synopsys DesignWare GPIO controller.
- Added iked(8) support for RSASSA-PSS signature verification (RFC 7427).
- Fixed a race condition in wsmux(4).
- Allowed exporting prefixes from multiple sessions in bgpd(8) into the same pf(4) table, preventing a prefix from being removed from the table on the first withdrawal even if an alternative exists.
- Prevented a TOCTOU race in single_thread_set() by extending the scope of the lock.
- Enabled auto-negotiation on the SerDes links, allowing in-band-status to work between mvpp(4) and mvsw(4) on the ClearFog GT 8K.
- Allowed rad(8) to handle all rdomains in a single daemon.
- Made uvm_pagealloc() mp-safe.
- Ensured rekeying of every child SA in iked(8).
- Fixed ldapd(8) cert and key path inference for absolute paths.
- Taught lld to link the macppc kernel.
- Added support for 1000base-x and 2500base-x connections to mvneta(4).
- Added mvsw(4), a driver for Marvell "SOHO" switches.
- Added the iked(8) "set stickyaddress" option, which attempts to assign the same "config address" when an IKESA is negotiated with the DSTID of an existing IKESA.
- Added support for the use of !command to mygate(5), so that netstart has a late opportunity to perform network configuration.
- Updated to libX11 1.7.0.
- Handled an autoconf interface changing its rdomain in slaacd(8).
- Added iked(8) support for multiple address pools.
- Set the specified TOS/DSCP for interactive use prior to TCP connect in ssh(1).
- Cleaned up passing of struct passwd from monitor to preauth privsep process in ssh(1).
- Used a counter instead of random IV for AES-GCM in iked(8), eliminating the risk of random collisions.
- Changed kqueue_scan() to keep track of collected events in the given context.
- Killed rpki-client(8) connection upon openrsync(1) server stall.
- Added a simple --timeout implementation to openrsync(1).
- Fixed very old umass(4) devices where the INQUIRY command succeeds but with a residue equal to the requested bytes.
- Fixed a panic seen with mbuf chains on arm64.
- Fixed incorrect behavior when using dhclient.conf(5) to change the lease renew/rebind/expiry timing.
- Added iked(8) -s socket option to specify a control socket.
- When doing an sftp(1) recursive upload or download of a read-only directory, ensured that the directory was created with write and execute permissions in the interim to allow the transfer.
- Fixed urtwn(4) repeated DEAUTH and loss/restoration of link.
- Allowed specific sndio(7) devices to be used for play-only and rec-only modes.
- Fixed panics on the HoneyComb LX2K with amdgpu(4).
- Prevented accidental truncation of large memory segments on loongson.
- Added ACPI support to imxiic(4).
- Implemented the key material exporter for TLSv1.3.
- Prevented process exit in multithreaded programs from reporting the wrong error code.
- Added multicast support to bwfm(4) to allow IPv6.
- Added acpige(4), a driver for ACPI generic event devices, used on the HoneyComb LX2K to implement power button handling.
- Added pchgpio(4), a driver for the GPIO controllers found on modern Intel PCHs.
- Revised the initialization of the drm(4) Linux emulation layer to call it only when the first drm instance attaches.
- Extended pcamux(4) with ACPI support.
- Added support for the VF610 I2C controller to imxiic(4).
- Made sure not to replace 0.0.0.0 with a dynamic address in iked(8) if it is a network address.
- Added 10G media support to mvpp(4).
- Added SFP+ support to ofw, including support for direct attach cables.
- Added support for the PL2303HXN series chips to uplcom(4).
- Added support for the PCA9547 I2C mux to pcamux(4).
- Added witness(4) check for uninitialized (or zeroed) lock usage.
- Prefixed ssh(1) keyboard interactive prompts with "user@host" for easier identification of connections.
- Displayed any other hostnames/addresses associated with a new hostkey when ssh(1) prompts the user to accept it.
- Implemented auto chain for the TLSv1.3 server.
- Updated to freetype 2.10.4.
- Fixed athn(4) in client mode against APs that use WPA1/TKIP as the group cipher.
- Fixed urtwn(4) against access points using WPA1/TKIP as the group cipher.
- Fixed a panic associated with locks and drm(4) on macppc with Powerbook5,6 and RV350.
- Fixed issues with network stopping after the first down/up cycle in mvpp(4).
- Fixed link state change behavior in 82598 ix(4) chips.
- Increased speed of the dependency check pass for pkg_add(1).
- Allowed use of ## and # in tmux(1) styles and added a "w" format modifier for width.
- Added clock support for i.MX8MP.
- Implemented iked(8) "from dynamic," installing flows where "dynamic" is replaced by the received dynamic IP address.
- Fixed ilogb(3) implementation, preventing a potential infinite loop.
- Changed from rwlock(9) to mutex(9) for linux rwlocks.
- Removed the -L option from dhclient(8).
- Fixed wg(4) on macppc by keeping track of allowed ips pointer correctly.
- Added the ClearFog GT 8K to mvclock(4).
- Enabled iked(8) support for ASN1_DN ipsec identifiers.
- Fixed rare crashes of unwind(8) when DNS answers are larger than the maximum imsg size.
- Fixed rpki-client(8) checks for manifest validity interval.
- Released OpenBGPD-6.8p1.
- Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
- Corrected an issue where openssl(1) verify might not error on expired certificates.
- Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
- Changed crypto(3) to call its get_issuer() callback to try and find a suitable certificate in cases where it has failed to find a parent certificate from the supplied roots and intermediates.
- Added the 'any' keyword to iked.conf(5) for requests to allow "request address any".
- Enabled brightness keys on powerbooks where the keyboard attaches as ukbd(4).
- Set initial default display brightness on macppc via of_setbrightness() to ensure wscons(4) and ofw are in sync.
- Added 'dynamic' keyword to iked.conf(5) to allow configuration of flows to dynamically assigned addresses.
- Implemented RFC 8914 Extended DNS Errors for dig(1).
- Added tracking of address proposal creation times to be able to establish total lifetime. This information is used to renew pltime/vltime of privacy addresses per RFC 4941.
- Changed slaacd(8) Duplicate Address Detection (DAD) to only generate a new address if we are using Semantically Opaque Interface Identifiers.
- Added a directive to httpd(8) to check if a path is accessible.
- Fixed detection of duplicate locations in httpd(8).
- Added support for passing a bootmac command line argument to RAMDISK on powerpc64.
- Made iked(8) accept ANY dynamic address with 'request addr 0.0.0.0'.
- Fixed the "entry point at 0x10010000" hang reported on amd64 machines by using a 64MB block to load the kernel.
- Changed astfb(4) to allow it to become the console on powerpc64.
- Added support to request IP addresses as IKEv2 initiator to iked(8). If 'request addr 0.0.0.0' is configured, any address will be accepted.
- Added the ability to force the selection of source IP address via route(8).
- Created a new "location (found|notfound)" option for httpd.conf(5) to allow testing for resource path existence.
- Prevented kernel reuse of mbuf memory when generating the ICMP6 response to an IPv6 packet.
- Updated to unbound(8) 1.12.0.
- Added notices to syslog whenever the "%n" format string component of printf(3) is used.
- Stopped allowing configuration of the same neighbor multiple times in bgpd(8).
- Edited syspatch(8) to ensure SHA256.sig has at least three lines.
- Added limited emulation of unaligned access in the powerpc64 kernel.
- Added AMD Vi and Intel VTD IOMMU support. This creates separate domains for each PCI device and can provide protection against invalid memory access.
- Fixed wsconsctl(8) display commands when using drm(4) drivers on macppc.
- Fixed a deadlock between uvn_io() and uvn_flush().
- Added a top-level 'reboot' command to ddb(4).
- Added a -legacy_verify flag to openssl(1) to force use of the old validator.
- Fixed a memory leak when parsing bgpd(8) roa-set lists.
- Added a workaround for PCIO devices that cannot address the full 64-bit PCI address space to powerpc64. Needed for radeondrm(4) and amdgpu(4) since Radeon GPUs only implement 36, 40, or 44 bits of address space.
- Introduced a system-wide mutex that serializes msgbuf operations.
- Fixed brightness setting on MacBooks.
- Updated to fonttosfnt(1) 1.2.0.
- Added retguard macros to powerpc64 locore functions.
- Changed ping(8) to drain the raw socket of packets received before we were fully setup to avoid reporting ICMP responses intended for other instances of ping(8) running in parallel.
- Made sysupgrade(8) specify a version when it uses fw_update(1) to avoid the situation where upgrading a pre-6.8 snapshot to 6.8 release with "-r" would install firmware packages from snapshots.
- Ensured copyout(9), copyinstr(9) and copyoutstr(9) bail out properly if called with a length of 0 on arm64, hppa and mips64.
- Modified daily(8) to stop reporting disk status and networking statistics.
- Released OpenBGPD portable 6.8p0.
- Released rpki-client(8) 6.8p0.
- Added powerpc64 retguard macros for setjmp/longjmp.
- Released LibreSSL 3.2.2.
- Implemented linux interval tree functions for drm(4).
- Added basic support for kclock timeouts to timeout(9).
- Updated to nsd(8) 4.3.3.
- Added RETGUARD implementation for powerpc and powerpc64.
- Stopped exempting file systems from security(8) on the basis of nodev and nosuid options, which may not be used for file systems mounted beneath.
- Supported use of more than one URI in the TAL file for rpki-client(8), sorting with a preference for https.
- Prevented a crash due to httpd(8) listening on port 443 with missing TLS certificates.
- Optimized arm64 copyin(9), copyout(9) and kcopy(9) by doing 16-byte copies if possible.
- Added doas.conf(5) "nolog" option to avoid syslog(3).
- Added Intel 495 Series LP PCH and Ice Lake graphics pci(4) ids.
- Fixed a pledge violation in csh(1) where redirecting input from a file containing ^T would cause csh(1) to perform a tty ioctl operation against a non-tty.
- Fixed a write hang-up on file system in vnd(4).
- Enabled ssh_config(5) UpdateHostkeys by default when the configuration has not overridden UserKnownHostsFile.
- Added bsd.mp to powerpc64's installXX.{img,iso}.
- Preferred ed25519 signature algorithm variants over ECDSA in ssh_config(5) and sshd_config(5).
- Introduced "if_cloners_lock" rwlock and used it to serialize if_clone_{create,destroy}(), avoiding multiple race conditions.
- Added astfb(4), a driver for the framebuffer of the Aspeed BMC found on many POWER8 and POWER9 systems.
- Added Intel 400-series chipsets to dwiic(4).
- Relaxed checks in pfctl(8) and pf(4) to accept any valid routing domain, even if it does not yet exist.
- Moved mfokclock(4) from loongson to make it available for other platforms and renamed it to mfokrtc(4).
- Removed osrelease from system.fvwmrc, as the version string matches the kernel of the fvwm(1) build machine, not the user's kernel.
- Moved to 6.8-current.