OpenBSD -current changelog
This selection is intended to include all important
and all user-visible changes.
For a complete record of all changes, please see the "source-changes"
mailing list, called "OpenBSD CVS"
in the archives,
or use CVS.
Note: Problems for which patches exist are marked in red.
For changes in other releases, click below:
2.0,
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.5,
3.6,
3.7,
3.8,
3.9,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5.
Changes made between OpenBSD 5.5 and -current
- On sparc, enabled ssl(8) assembler code for DES.
- On vax, enabled the ssl(8) assembler code for BN.
- In relayd(8) and smtpd(8), fixed SSL/TLS and a possible fatalx() on machines without a default RSA engine.
- Added sysctl(8) kern.nosuidcoredump=3, to dump core(5) into the /var/crash/progname/ directory.
- Enabled ssl(8) assembler code for AES, DES, GCM, SHA1, SHA256 and SHA512 on sparc64.
- Enabled ssl(8) assembler code for AES, BN, GCM128, SHA1, SHA256 and SHA512 on arm.
- Updated to: xauth(1) version 1.0.9; xbacklight(1) version 1.2.1; xrandr(1) version 1.4.2 and xinput(1) version 1.6.1.
- Updated to libFS 1.0.6.
- Unbroke ssh(1) compression.
- Switched to generating bcrypt(3) 2b hashes by default.
- Added checks for invalid base64 encoded data in ssl(8) padding. Fixes a crash (RT#2608).
- Provide extended-precision math constants (required by POSIX).
- Stopped citrus UTF-8 parser rejecting 0xFFFE and 0xFFFF (they do not render strings invalid).
- drm(4) i915 fixes: workaround inverted brightness for Acer Aspire 5336; fixed gen4 composite s-video tv-out.
- Updated Xserver(1) to version 1.15.1.
- On hppa, fixed ssl(8) assembler version of SHA512 to output correct results.
- Make acpiprt(4) correctly handle interrupts with non-standard polarity.
- In acpi(4), made acpi_mutex_acquire/release actually grab the global lock when called.
- Fixed occasional disklabel(8) crashes when altering mount points.
- Reverted __bounded code in ssh(1).
- Oh hppa, use assembly code for AES, BN (Montgomery), SHA1, SHA256 and SHA512 in ssl(8).
- Stopped ssl(8) perl(1) scripts outputting SOM-specific directives.
- Removed unreferenced OPENSSL_instrument_bus and OPENSSL_instrument_bus2 routines from ssl(8).
- Extended fread(3) and fwrite(3) to check for integer overflows.
- Moved smtpd(8) RSA key handling from "lka" to a new dedicated "ca" process.
- 5.4 and 5.5 RELIABILITY FIX: Stop attacker's ability to trigger an ssl(8) alert, which could cause a null pointer dereference.
A source code patch is available for 5.4 and 5.5.
- Fixed gcc(1) on i386, to detect overflows and properly align arrays > 16 bytes.
- Added ChaCha cypher to ssl(8), and provided it with an EVP implementation.
- Added Brainpool and ANSSI FRP256v1 elliptic curves to ssl(8) (RT#2239).
- Corrected isakmpd(8) test when passing data to a keynote.
- Improved malloc(3)'s ability to pick a free chunk at random.
- uvm(9) now correctly flush discarded pages even if the number of hash buckets doesn't change.
- When openssl(1) isn't available, ssh(1) now uses local fallback implementation of AES for UMAC.
- Preserve the intended chronological order of leases in dhclient.leases(5) files.
- Fixed growfs(8) on 4K-sector disks.
- First pass at removing win64 support from the assembly-generating perl(1) scripts in ssl(8).
- Stopped smtpd(8) trying to create folders that already exist when using maildir.
- Improved imsg handling with many concurrent connections in smtpd(8).
- New buffer API, to eventually make ssh(1) usable as a standalone library.
- Improved enforcing of proper alignment of stack variables on sparc.
- smtpd(8) RSA private key privsep will now only load keys after forking the separated process.
- Stopped sftp(1) attempting to append a nul quote character to filenames (bz#2238).
- Implemented RSA privilege separation for smtpd(8). Prevents possible private key leakage.
- Made compiling ssh(8) and sshd(8) against ssl(8) optional.
- When smtpd(8) fails to relay via TLS (and smtpd.conf(5) doesn't require security), try plain; also downgrade if a TLS error happens during the session.
- Constrain bytes read/written to positive values in ssl(8) s3_pkt.c code.
- Re-added local aesctr implementation to ssh(1).
- Moved traceroute6(8) to the attic, fully merged into traceroute(8).
- Removed large memory leak from usb(4).
- Deleted SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS from nginx(8) to keep attack mitigations enabled.
- Stopped ssh(1) sending success/failure replies when channels have sent a close already (bz#1818).
- Removed less(1) support for the obsolete (non-POSIX) "more -d" prompt.
- Made sure the iked(8) state machine only advances if the AUTH payload has been verified.
- Use explicit_bzero(3) instead of memset(3) to clear out sensitive smtpd(8) data.
- Implemented AI_ADDRCONFIG in getaddrinfo(3), as per RFC 3493.
- Removed more WIN32, WIN64 and MINGW32 tentacles from ssl(8).
- Use the correct algorithm mask in ssl(8) t1_enc.c.
- In ssl(8), stopped SSL_OP_ALL disabling attack mitigations against CBC modes.
- Let nm(1) -w correctly return 0 for valid archives.
- Stopped ping(8) and ping6(8) sleeping after poll(2) returns an error.
- Added fuse(4) support for 255 character file names.
- m4(1) now checks for integer overflows in custom allocs.
- Added support to snmpd(8) for exporting ARP table via "ipNetToMediaTable" OID.
- Fixed a loop so that waiting for wds(4/i386) hardware actually happens.
- Improved error handling when using dbopen(3) in mandoc(1).
- Fixed library search order in libtool(1).
- Updated to xproto 7.0.26.
- On i386, installboot(8) no longer overwrites disklabel and nearby blocks on 4k-sector disk drives.
- Stopped bluetooth(4) HID device grabbing the console.
- Re-added "_ppp" user and "_ppp" group, to be solely used by npppd(8) going forward.
- Stopped ssl(8) using random stack memory as addresses of strings.
- Removed support for building openssl(1) on 16-bit Windows.
- Filter excess data from autoinstall output, to avoid filling the ramdisk.
- Made more(1) POSIX compliant with respect to the -e option.
- Merged less(1) version 458, including local changes.
- Reduced the verbosity of makewhatis(8) -t.
- Do not re-probe pms(4) unnecessarily. Fixes 12 seconds Xorg(1) delay on some laptops.
- Stopped iked(8) and mpii(4) accessing pointers prior to a null check.
- Allow snmpd.conf(5) to set user-defined actions on receipt of snmp traps.
- Removed kinit(1).
- Fixed sudo(8) when checking command line environment variables against the blacklist (CVE 2014-0106).
- Fixed copied text in the snmpd(8) error string.
- Stopped ssl(8) do_ssl3_write() being called recursively; don't release buffer meant for use.
- Audited malloc(3)/calloc(3)/realloc(3) usage in mandoc(1) to be safe from overflows.
- Fixes in ssl(8) kssl.c to prevent double frees and removed a use-after-free.
- Fixed leak in ssl(8) BIO_accept which could have caused the caller to crash.
- Audited strlcpy(3)/strlcat(3) usage in mandoc(1).
- Removed "Z" option from malloc.conf(5); by default always junk small chunks now.
- In unbound(8), use arc4random(9) as PRNG backend, instead of the libcrypto RAND.
- disklabel(8) now fills all required fields after clearing. Avoids consistency check failures.
- Improved malloc(3) hash functions that compute the same on big-endian and little-endian archs.
- Removed OPENSSL_indirect_call() from ssl(8) for reduced attack surface.
- Fixed a missing splbio(9) in sys/ufs/ffs/ffs_softdep.c which caused crashes.
- Remove useless RX checksum offloading support from gem(4) and hme(4).
- Removed Apache from base (replaced by nginx(8)).
- On bge(4) when VLAN_HWTAGGING is disabled, stopped tagging the packet twice.
- Prepend ether_vlan_header rather than regular ethernet header for more efficient vlan tagging.
- Kerberos disabled and removed from base, possibly to be moved to ports(7) later.
- Support the CA key for ssl(8) inspection in the relayd(8) CA process.
- Avoid a loop during autoinstall when the path in the responsefile does not exist.
- Made iscsictl(8) print bytes read and written in human-readable form.
- Allow the installer to configure dhcp for an interface without an active network connection.
- Bind iscsid(8) to localAddr if it is specified.
- Print the target and initiator name in iscsictl(8) show command.
- Verify permissions are correct on the ssh(1) id_ed25519 file.
- Fixed msdosfs to cope with 64-bit time_t. Set unrepresentable dates to 1/1/1980.
- Made dhclient(8) delete discarded offered leases from the correct TAILQ. Avoids infinite loop.
- Implemented sftp(1) upload resume support.
- Reverted r1.101 of traceroute(8), which broke source port selection.
- Added mallocarray(3) function (like calloc(3) but without the cleared-memory guarantee).
- Backed out parts of sys/nfs/nfs_serv.c r1.47, which computed wrong block sizes.
- Added pkg_add(1) support for reading/writing long paths and linkpaths as extended headers.
- Allow iscsid(8) to send data immediately for write commands, for 20% performance boost.
- Stopped disklabel(8) leaking mountpoint info. Fixes mysterious crashes.
- 5.5 RELIABILITY FIX: Disable the ssh(1) curve25519-sha256@libssh.org KEX method when the other party's connection will fail.
- Prevent lpd(8) from looking into hosts.equiv(5). Access control is now done only using hosts.lpd.
- Introduced basic stats for the iscsid(8) vscsi(4) layer; added iscsictl(8) controls.
- In mandoc(1) debug messages, truncate strings of excessive lengths.
- dhclient(8) -L now preserves the fd being monitored after new leases, lease renewals and cable unplugs.
- Fixed unchecked snprintf(3) in mandoc(1) page header printing.
- In mandoc(1), made sure static buffers for snprintf(3) are large enough.
- Removed more unused ssl(8) tools and docs.
- Moved iscsid(8) session params initialisation to session start, so config parameters stick.
- iscsid(8) now does proper LoginOperational negotiation.
- Added relayd(8) check for strlcpy(3) overflow when expanding HTTP input value.
- snmpd(8) and relayd(8) will now fail if strlcpy(3) overflows the socket path.
- When installing OpenBSD, ensure that the hostname information is in the dhclient(8) lease db.
- Reimplemented arrays in relayd(8) used to set up process-to-process imsg communication.
- Use calloc(3) instead of malloc(3) + memset(3) across ssl(8), to avoid integer overflows.
- Rearranged qle(4) update processing loop to attach and detach targets last; handle fabric port login errors better.
- Fixed leak in the snmpd(8) and relayd(8) agentx error paths.
- Added support for SSHFP DNS records for ED25519 key types to ssh(1).
- In ssl(8) ts_rsp_verify.c, reset imprint to NULL to avoid double free.
- Added a canonical 6.6+ curve25519 fake version to ssh(1), to be recommended with openssh-6.7.
- Use get/put_u32 to load values and unbreak ssh(1) on strict-alignment architectures.
- Removed checksum offloading from sk(4), faulty on this hardware.
- Added strlcpy(3) check. Stops smtpd(8) fatal at startup if truncation occurred with filters enabled.
- Added missing strlcpy(3) check when parsing the "backup hostname" section in smtpd.conf(5).
- Removed "disable pmtud" and "increased window size" options from sysctl.conf(5) to discourage their use.
- Removed rsh(1). Deprecated in favor of ssh(1).
- Fixed display of destination IP when host is an IP address in traceroute(8).
- Added checks to strlcpy(3) when smtpd(8) is copying envelope "destination" buffer to the mda delivery buffer.
- If user+tag@ exceeds SMTPD_MAXPATHLEN smtpd(8) now fails instead of creating a ".truncated" tag dir.
- Removed obsolete altq bandwidth shaping from pf(4).
- Allow mandoc(1) to properly handle symlinks .
- Disable the ssh(1) curve25519-sha256@libssh.org KEX method when the other party's connection will fail.
- In mandoc(1) update mode, when opening the database fails, just rebuild it from scratch.
- Removed RAND_seed(3) calls in iked(8), ikectl(8), relayd(8) and snmpd(8).
- For wscons(4) WSDISPLAY_COMPAT_USL protocol, send the synchronizing signals to the process, not just the thread.
- Updated unifdef(1) to version 2.10.
- Raised nginx(8) file limits, but lower number of connections (leaving files to spare for other programs).
- Removed bdes(1), so as to not encourage its use.
- Removed dead KAME code that dealt with IPv4-mapped IPv6 addresses; added check for IPv4-mapped IPv6 destination addresses for non-connected sockets.
- Use arc4random_buf(3) instead of harmful RAND_xxx in kerberos(8).
- Sync traceroute6(8) to tracroute(8): don't print source IP if "-s" is not given.
- In relayd(8), fixed ssl(8) client-only mode when no RSA private key is needed.
- Neuter the -legacy_renegotiation option to the openssl(1) "openssl s_{client,server}"; added support for "-starttls lmtp" to openssl s_client.
- When parsing a new cert into memory occupied by a previously verified cert, ssl(8) will no longer bypass verification checks.
- Introduced privsep for relayd(8) private keys.
- Use asprintf(3) for generating path. Eliminates many unsafe uses of strlcpy(3) and strlcat(3) in ssl(8).
- If nfs rpc requests on a stream socket are already being processed, don't panic, just return.
- Cleanup of relayd(8) code tracking of socketpair between different privsep processes.
- Have each thread keeps its own reference to the process's ucreds. Avoids possible use-after-free.
- Allow printf(1) to handle passing zero as a fieldwidth or precision variable.
- Switched to the new makewhatis(8)/apropos(1)/whatis(1) (described in apropos(1)).
- Added support for smtpd(8) mailaddr lookup in the table_db.
- Reworked qle(4) command polling loop to handle multiple responses in one interrupt, like qla(4).
- Fully kill ssl(8) FIPS API.
- Added some UTF-8 utility functions to tmux(1), to stop splitting UTF-8 characters improperly.
- Ensure parent thread is blocked until any others are detached before letting it exit. Avoids panic.
- Only scroll by one line at a time in tmux(1) choose mode (as lists are generally short).
- Fixed dhclient(8) DHCPDISCOVERY and DHCPDECLINE (as INADDR_ANY != INADDR_BROADCAST).
- Changed ssl(8) library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers.
- Set tmux(1) PATH explicitly, either from the client or session environment.
- Don't limit the tmux(1) DCS buffer to 256 bytes, expand it as needed.
- No longer allow ssl(8) to feed RSA private key information to the random subsystem as entropy.
- openssl(1) PR#3309: when looking for an extension, properly search all extensions.
- Removed the monitor-content option from tmux(1).
- Fixed ssl(8) to call the correct decrypt function in aes_cbc_cipher().
- Execute the active path checks when mpath(4) asks for it (rather than on attach).
- Skip leading zero bytes in ssh(1) buffer_put_bignum2_from_string() function.
- Add ufs2 support in libsa/ufs2.c. One step closer being able to boot from ffs2 filesystems.
- Cleaned up dangerous strncpy(3) use in ssl(8).
- Added missing parens so that rshd(8) errorhost gets properly initialised.
- Gave mlinks and keys tables a sqlite3(1) pageid index. Speeds basic apropos(1) searches by 30%.
- Make dhclient(8) -q even quieter.
- Removed programs from ssl(8) code which don't work with current openssl(1) releases.
- Fixed ssl(8) bugs listed at http://www.viva64.com/en/b/0250/.
- ssl(8) now ignores setting which allowed the connection to negotiate insecurely.
- Zero-pad ssl(8) "usec" format to handle values less than 100,000 correctly.
- Killed bogus "send an SSLv3/TLS hello in SSLv2 format" code from the ssl(8) client.
- Stubbed some functions in ssl(8) mem_dbg.c, to avoid all possibility of using them.
- Always return 1 in the ssl(8) arc4random(9) backend. Unbreaks lynx(1) and git.
- Added generic driver for "NEC PC-9801 extension board slot" on luna88k.
- Made directory ordering in our libtool stable.
- Closed memory leaks in snmpctl(8) client code.
- Removed md2, seed and jpake cyphers from ssl(8).
- Removed approx 30 unused makefiles and more vestiges of ssl2 support from ssl(8).
- In ssh(8) EC_POINT_invert(), check the correct function pointer before attempting to invoke it (openssl(1) RT #2569).
- RotIBM stream cipher (ebcdic), FIPS mode support and GOST engine removed from ssl(8).
- Replaced ssl(8) PRNG with arc4random_buf(), keeping existing RAND interfaces unchanged.
- Added -s (two-byte signed decimal display) to od(1), as mandated by POSIX.
- ssl(8) fixes: corrected cases where code occurred directly after goto/break/return; removed pentium specific benchmark code; removed more vms and windows specific code.
- Unbroke xcb-util-cursor.
- Made smtpd(8) reply with correct imsg when using non-system authentication.
- Stopped mandoc(1) crashing when processing macros in .Sh header lines, or having .Sm off or .Bk -words open.
- Stopped leaking socketpair file descriptors if tmux(1) fork(2) fails.
- Fixed potential race in UFS where an allocated inode could fail to get added.
- Removed o_dir.c from openssl(1) now that OPENSSL_DIR_XXX has been removed from the build.
- Removed nonstandard and unsafe DES support from ed(1).
- Switched pkg_mklocatedb(1) to using common SetList code, renaming -x into -X.
- Updated xcb-utils to 0.3.9.
- Allow slowcgi(8) QUERY_STRING to be longer than 127 bytes.
- Update libxcb to version 1.10.
- Made OPENSSL_NO_HEARTBLEED the default and only option in ssl(8) code.
- Adapted snmpctl(8), relayd(8) and snmpd(8) to use AgentX protocol to send traps.
- Confirm passwords when signify(1) is generating keys.
- Fixed SQL_STEP failures for man(7) pages lacking descriptions.
- Better mandoc(1) error reporting in case of SQL errors: mention dir and file.
- Major ssl(8) cleanup to remove: MacOS, Netware, OS/2, VMS and Windows build machinery and shared libraries; openssl(1) engines and code that were not properly licensed; vms support; various horrible socket syscall wrappers; insecure use of time as a random seed in the TLS engine.
- In qla(4) debug output, print loop ids as decimals and port ids as 24bit hex.
- Update to xtrans 1.3.4.
- Updated to xextproto 7.3.0.
- Added presentproto 1.0.
- Bring back r1.16 of protector.c in gcc(1) version 2.95. Fixes code generation of usr.sbin/dhcpd/memory.c!new_address_range() on vax.
- 5.3, 5.4, 5.5 and -current SECURITY FIX: Fixed openssl(1) read buffer to stop an attacker injecting data from one connection into another.
A source code patch is available for 5.3, 5.4 and 5.5.
- Made sure cu(1) -l overrides HOST.
- Avoid sshd(8) crash at exit, by checking that pmonitor!=NULL before dereferencing (bz#2225).
- Fixed more(1) to use basic regular expressions (unlike less(1)).
- Clamp offsets to the available memory space. Fixes tmux(1) crash.
- Further apropos(1) speed optimisation, with mmap(3) MAP_ANON SQLITE_CONFIG_PAGECACHE.
- Updated to libdrm 2.4.53
- Disabled Segglemann's RFC520 heartbeat from ssl(8).
- Don't release the ssl(8) read buffer if we're not done reading from it; disabled buf freelists.
- Added validation routines to iked(8): overall header structure is checked for sanity before copying the header; avoid overflow by passing down the number of remaining bytes.
- Notify userland when an arp(4) entry is removed.
- Fixed fd leaks in mg(1) error paths.
- Retired rtinit() and switched to using rt_ifa_add(9) and rt_ifa_del(9) to manage connected routes to prefixes/hosts.
- Revived fix for perl(1) RT bug 116441 (null dereference affecting mod_perl).
- Split manual names out of the common "keys" table into their own "names" table. Reduces standard apropos(1) search times 70% for the full /usr/share/man database.
- Moved descriptions from mandoc(1) keys table to mpages table: reduces typical apropos(1) search times by about 40%; reduces database size.
- In less(1) "more" mode, made command specified by -p option apply to every edited file, as per POSIX.
- Reverted r1.93 of mg(1) file.c, which broke permission checks.
- 5.5 SECURITY FIX: Make ftp(1) client check the server hostname, to avoid false validation when connecting to an https website.
A source code patch is available for 5.5.
- Updated to xf86-video-ati 7.3.0.
- Made smtpd(8) display correct imsg when profiling is on and if the type was changed.
- Zapped the smtpd(8) mfa process. Content filtering will be done at session level.
- Removed CA certificates from ssl(8) which are not listed in Mozilla's certdata.txt.
- Use root CAs in ssl(8) used by TeleSec (Deutsche Telekom AG): Baltimore CyberTrust Root, Deutsche Telekom Root CA, T-TeleSec GlobalRoot Class 2 and T-TeleSec GlobalRoot Class 3.
- If TLS validation is on, make ftp(1) fetch TLS certificate and check the server hostname against the subjectAltName and/or CommonName.
- Build libgcc without SSP. Unbreaks landisk bootblocks.
- Updated to xorg-macros 1.19.0.
- Ensure that we free buffers written out by the page daemon rather than caching them.
- Fixed error in bcrypt_pbkdf(3) stride calculations.
- Added error detection mechanism to detect when sudo(8) configuration is incorrect for building ports.
- Zero-fill smtpd(8) mta static buffer before use in DSN code.
- Added term_flushln() flag to control indentation of continuation lines in TERMP_NOBREAK mode. Reduces groff-mandoc differences in base by more than 15%.
- Added rgephy(4) for axe(4) and axen(4) on hppa and zaurus.
- Fully implemented roff(7) \B (validate numerical expression) and partially implemented \w (measure text width) escape sequence.
- 5.3, 5.4, 5.5 and -current SECURITY FIX: Fixed openssl(1) CVE-2014-0160 "heartbleed" vulnerability.
A source code patch is available for 5.3, 5.4 and 5.5.
- Added MSI support for xhci(4).
- Enable upd(4) on archs where uhidev(4) is present.
- Do not attach when no upd(4) sensors can be allocated; made device querying smarter.
- Added roff(7) support for indirect references to user-defined strings.
- Made iscsid(8) listen to the control socket, so the connect() call from iscsictl(8) will not fail.
- In udp_output(), use the correct source address in case of an unbound socket.
- Accept arbitrary argument delimiters for various roff(7) escape sequences.
- Increased MSGBUFSIZE on macppc.
- Exit on error or HUP when poll()ing the keyboard. Otherwise, top(1) may spin when its tty goes away.
- Added implementation of roff(7) numerical expressions.
- Retired kernel support for SO_DONTROUTE, this time without breaking localhost connections.
- Updated termtypes.master to upstream terminfo-20140329.src.
- When qla(4) is iterating through fabric ports, start at our own port ID, to simplify tracking.
- Added axen(4) wherever axe(4) is found.
- qla(4) ISP2322 chips need a different firmware image to other 2300s, don't load firmware for them.
- Removed (expensive) temporary connect in udp_output(). Also fixes possible memory leak.
- Added missing addressing modes for the fucomip instruction on i386. Unbreaks webkit port.
- Fixed smtpd(8) when writing multi-line "To" and "Cc" headers.
- Implemented the roff(7) .rr (remove register) request.
- Fixed uvm(9) logic error (and prevented theoretical infinite loop) in uvm_pmr_rootupdate().
- mandoc(1) bugfix: make sure all variables are properly initialised when rendering .ll (line length) requests.
- Added the -t ktrace(1) option to ltrace(1). Allows triggering library function call trace and other kernel events trace simultaneously.
- Fixed smtpd(8) header parsing issue in enqueuer, which was stripping the "From:" header in some cases.
- Made mandoc(1) warn about missing mlinks when the -p (picky) option is given, and not overridden by: -Q, -d, -u, or -t.
- Merged the mda, mta and smtp smtpd(8) processes into a single unprivileged process.
- Start the smtpd(8) purge task after events are set, so we don't miss a SIGCHLD.
- Reworked qla(4) command polling loop so it can handle multiple responses in a single interrupt. Allows talking to Hitachi disk arrays.
- Fixed pppx kernel panic when using npppd(8) with multiple pppx devices.
- When the -n or -t flag is given to makewhatis(8), write names and descriptions to stdout (format similar to apropos(1)).
- Instead of silently doing nothing, made mandoc(1) warn and return non-zero when the manpath is empty.
- Added a uvm_yield function to uvm(9) and use it to prevent the reaper from hogging the cpu.
- Reworked wait/kernel lock heuristics to give interrupts on other CPUs to a chance to run, for reduced latency.
- When mg(1) discovers a directory is non-existent, offer a "y" option to make the directory.
- Renamed the makewhatis(8) -W option to -p. Matches flag introduced in OpenBSD 2.7.
- Proper validation and computation of bsize now occurs in the disklabel(8) expert mode.
- Renamed -v option of mandocdb(8) to -D, to avoid a clash with the -v option of makewhatis(8).
- Reduced the tmux(4) mouse wheel scroll size to 3; allow shift to reduce it to 1; allow meta and ctrl to multiply by 3; support wheel in "choose" mode.
- Fixed npppctl(8) calculation of response message size.
- Added the "#" character as a comment character in the mg(1) startup file.
- Support UTF-8 with tmux(4) choose-buffer; made buffer_sample bigger to let it trim at window right edge.
- Enabled hds(4) on hppa.
- Enabled mpath(4) on macppc.
- When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents server from forcing a new-hostkey dialog.
- Include fingerprint of key not found by ssh-keysign(8); use arc4random_buf() instead of loop+arc4random().
- In four byte UTF-8 sequences, make sure tmux(1) only uses three bits of the first byte.
- Stopped tmux(1) crashing when a zero-length argument is passed to setb.
- Made tmux(1) message-limit a server option.
- Stopped tmux(1) segfaulting when the parent of the layout cell is NULL.
- Added setb -a to tmux(1) append; added a copy mode append command.
- Made session_attached a count; added session_many_attached flag to tmux(1).
- Added start-of-list, end-of-list, top-line and bottom-line in tmux(1) choice mode.
- Stopped tmux(1) writing into the buffer if there are no arguments.
- Changed secondary device attributes response to "\033[>84;0;0c" which is unique for tmux(1).
- Made bus_dmamap_load(9) and bus_dmamap_unload(9) mpsafe on alpha.
- Restored behaviour of ls(1) -f implying -a (lost in commit made in 1989). Conforms to IEEE 1003.1-2008 ("POSIX.1").
- On loongson, mips and octeon, stopped whole L1 cache being flushed unnecessarily.
- Again allow more than one level of directories to be created via mg(1) make-directory.
- Force detach of all usb(4) devices by disconnecting root hubs before suspending machine. Avoids races.
- libtool(1) now properly add -rpath to the linker when linking libraries. Matches GNU libtool.
- Increased Xtranssock.c send buffer for UNIX sockets. Makes Firefox usable again when viewing large images.
- If HOST or the host argument starts with a "/", cu(1) will now treat it as a device name.
- Fixed REMOTE on cu(1) to work like tip(1); added support for HOST.
- Added SNI support to ftp(1).
- Allow roff(7) to support relative arguments to .ll (increase or decrease line length).
- Repaired boot.net operation on (at least) sparc SS5 PROM v2.21
- Implement the roff(7) .ll (line length) request.
- 5.5 RELIABILITY FIX: Memory corruption occurring during icmp(4) reflection handling (ICMP reflection is disabled by default).
A source code patch is available for 5.5.
- Recognise so-called "EFI-like" interface provided by newer PMON firmware on Loongson 2Gq and Loongson 3A.
- Bugfix and security update to nginx(8) version 1.4.7 (note: CVE-2014-0133 does not affect OpenBSD).
- Speed-up overlapping copy operations in gio(4/sgi) by attempting to perform them in larger chunks whenever possible.
- Removed pflowproto 9 (unfixable post-2038). Better option is pflowproto 10.
- Allow leading and trailing vertical lines in mandoc(1), format them in the same way as groff; do not require whitespace before vertical lines in layout specifications.
- Properly initialise malloc(3)ed memory in mandoc(1), to fix crashes when using apropos(1).
- Made sure the command TRB is reset if a command is submitted when the usb(4) hardware is already gone.
- Reverted "retire kernel support for SO_DONTROUTE" diff, which caused problems in localhost connections.
- On loongson, made sure the HIBERNATE pages get reserved regardless of the memory layout.
- Program the colormap correctly on grtwo(4/sgi); added a simple screen burner accessop.
- When enforcing TOS (Traffic Class), made pf(4) preserve the ECN bits (as with IPv4 packets).
- Adjusted (commented-out) nginx.conf(5) sample blocks for PHP and SSL configurations.
- Made mg(1) C-t (transpose two chars) behave like emacs.
- Ended experimental machine-independent login.conf(5) template support.
- Made cu(1) handle REMOTE in the environment as either a separate remote(5) file or a host.
- Added cu(1) support for retrieving the line and speed from the /etc/remote "dv" and "br" capabilities like tip(1).
- Fixed handling of the kill(1) "-1" option from a thread other than the original thread.
- Permit generating of NAMI and CSW records inside ktrace(2).
- Ignore the -b option if cksum(1) is called as-is (e.g. "cksum -b /bsd"), to match man page.
- Removed file2c(1). hexdump(1) works as well for most use cases.
- usb(4) root hubs can now happily be detached and reattached.
- When smtpd(8) is locally enqueuing messages without specifying a domain, update headers to show the local domain.
- Strengthened ssh(1): removed weaker pre-SHA2 hashes, broken cipher (arcfour), and the broken mode (CBC) from the default configuration.
- skey(1) bugfixes: default algorithm switched back to md5; do not let skey_set_algorithm() cause a segfault if an unsupported algorithm is specified.
- Added acpithinkpad(4) support for aux button strip on newer thinkpads missing regular F1-F12 keys.
- dd(1) now supports g for gigabytes.
- Reworked the way sysmerge(8) fetches and verifies sets, to simplify the process.
- Merged perl(1) version 5.18.2 (including local patches).
- Stopped calling smtpd(8) purge_task every 10 secs (only needed once at startup).
- Removed "-r" option from ping(8), traceroute6(8) and traceroute(8).
- Enabled SQLITE_ENABLE_FTS3_PARENTHESIS in sqlite3(1).
- Removed the MD4 functions (highly susceptible to collision attacks).
- Skip leading escape sequences in mandoc(1) man_deroff(), for better indexing.
- Gave powerpc PIE.
- Initialise additional BATs (IBAT4-IBAT7 and DBAT4-IBAT7) on socppc. Stops memory corruption on devices with rb600.
- Fix uhidev_detach() when detaching a device which did not claim all reported IDs.
- Reverted audio key handling.
- Make sure sysmerge(8) adds missing users/groups before running the target; otherwise mtree(8) can fail.
- Let mg(1) users input a tag to find, even if no default tag is defined.
- Disabled smtpd(8) imsg buffers profiling code, to stop processes waking up each second.
- npppd(8) tunnels can now have multiple listen addresses.
- Reimplemented control part of npppd(8) with imsg; added "monitor" command for npppctl(8) to monitor PPP session start/stop events.
- Fixed npppd(8) bug which caused segfaults when npppd.conf(5) had "username-suffix" and "strip-atmark-realm" as yes.
- Made npppd(8) keep listening on 1723/tcp when accept() is failed.
- Removed tape as a method for fetching install sets.
- Attempt to workaround the R4000 end-of-page errata on sgi and mips64, triggered by TLB misses when the code flow crosses a page boundary.
- Disabled MS-CHAPv1 (RFC 2433) support in pppd(8).
- Fixed sysmerge(8) regression when not using a full path to sets; make it use ftp(1) -D.
- Installed /var/unbound/db directory for DNSSEC root key; added (commented-out) options for DNSSEC to unbound.conf(5).
- Removed insecure MD4 checksum algorithm from cksum(1).
- Removed ftp method for obtaining installation sets when running the installer.
- Enabled upd(4) on amd64, sparc64 and macppc archs for testing.
- Sync timestamp changes for inodes of special files to disk as late as possible to avoid useless disk i/o.
- Include support in pstat(8) -v to display the IN_LAZYMOD flag.
- On sgi machines, fixed clipping bounds in "fill" and "blt" graphics operations; added colormap support.
- Removed timeout logic from the polling loop in qlw(4). Stops devices timing out before attaching.
- Retired the rarely used hp300, mvme68k and mvme88k ports.
- Allow checking mandoc(1) databases are up to date even when you don't have write permissions.
- Notify userland (via the routing socket) when ARP resolution completes.
- Put the AF_ROUTE socket that arp(8) operates on into the appropriate rdomain. Stops "arp -V 1 -d 10.0.0.1" hanging forever.
- Made bgpctl(8) correctly parse attribute length form imsg.
- Exit from traceroute6(8) if there is at least one unreachable and sum of unreachables and timeouts are >= number of probes.
- Unbroke sndiod(1) monitoring mode, which was shifted in time by 1 block.
- Userland ppp(9) removed.
- In apropos(1) output, sort names and avoid multiple section numbers.
- In slowcgi(8), use SCRIPT_FILENAME (can be an absolute filesystem path). Fallback to SCRIPT_NAME if this is not present.
- Reimplemented htpasswd(1) from scratch.
- Don't use volume keys when in raw-mode. Stops simultaneous volume changes by X(7) and ukbd(4).
- Enable qlw(4) at sbus(4) on sparc64.
- Enabled unbound(8) in base.
- Updated to xcb-proto version 1.10.
- Updated to libdrm 2.4.52.
- Removed the unused userland agp(4) interface.
- Reverted to the freetype2.pc we had before to bring back local changes.
- More informative smtpd(8) log message on unknown SNI.
- Provide an MI api for byteswapping loads and stores, especially beneficial for sparc64 and powerpc.
- Updated to freetype-2.5.3. Fixes vulnerability in the CFF driver (CVE-2014-2240).
- Enabled qla(4) and qle(4) in ramdisks (except on sgi).
- smtpd(8) now prints the correct user name if SMTPD_QUEUE_USER is missing.
- Use ticket locks (not spinlocks) on i386/amd64/sparc64. Provides fairer access to the kernel lock.
- Added a few more instruction patterns to binutils that are needed by gcc(1) version 4.8.
- In mandoc(1) -Tutf8 mode, count hyphens against the output line length even when they are breakable.
- Stopped the smtpd(8) enqueue utility adding a User-Agent header to emails.
- Block userland from entering drm(4) code during suspend/resume. Fixes inteldrm(4) bugs.
- Unhooked httpd(8) from build: use of nginx(8) is encouraged now.
- No more spray(8) in base.
- Fixed buffer overflows in icmp(4) redirect handling (introduced in rev 1.106).
- Switched over from sendmail(8) to smtpd(8) by default.
- Fixed iked(8) config-address w/o pool.
- Unbroke nc(1) "-6 -l" and apply correct fix for previous commit.
- Removed rmail(8).
- Made ssh(1) scan for ed25519 keys by default.
- For isakmpd(8) CA generation, set the correct certificate extensions so more SSL implementations will trust this as a CA cert. Matches ssl(8).
- Bugfix update to nginx(8) version 1.4.6.
- When pf(4) is translating packets from one address family to another, pass the TOS/Traffic Class field of the original packet.
- When pf(4) is setting packet description, also retrieve the Traffic Class field of IPv6 packets.
- Fixed the cnmac(4/octeon) mediastatus when the interface is not configured.
- Optimisation of opendir(3), rewinddir(3) and related functions. 2000x speedup of seekdir(3) in some tests.
- Fixed acpi(4) on amd64, to avoid reboot and stack corruption problems when resuming.
- Reworked per-cpu cache information, to avoid using hardcoding data based on processor type on mips, octeon, and sgi.
- In re(4), fixed operation and made reception of packets work on the 8168G controllers.
- Made mandoc(1) user-defined macros wrapping ".TP" work correctly; preserve line breaks contained in user-defined macros called in ".nf" mode.
- Enable DMA bursting and tagged queueing in qlw(4); enable qlw(4) on alpha/amd64/i386/macppc/sgi/sparc64; only attempt to load firmware if we actually have some.
- Initial xhci(4) implementation: USB 3.0 umass(4) devices get reasonable read/write speed.
- Improved roff(7)'s .if/.ie condition handling.
- Fixed env(1) diagnostic messages to stderr, so failure of env(1) and failure of the specified utility can be distinguished.
- Allow signify(1) to read input messages on a pipe.
- Added usbd_get_hub_descriptor(), to clean up uhub(4) and deal with hub device descriptors in high speed devices.
- With md5(1) -C, exit with exit status of 1 if any of the files specified do not exist.
- mandoc(1) bugfixes related to the closing of conditional blocks: handle more than one `\}' on macro lines; do not treat `\}' as a macro invocation after a dot at the beginning of a line; do not complain about characters following `\}'.
- Makes the "cleartoggle" function in HC drivers optional (upcoming xhci(4) driver doesn't use it).
- Allow signify(1) to accept a password on stdin, as long as it is not a tty(4).
- On qlw(4), set the correct clock rate for ISP1020/1020A.
- When running sysmerge(8), always print the key signify(1) is using.
- Fix the return values of getpwnam_r(3), getpwuid_r(3), getgrnam_r(3), and getgrgid_r(3) to agree with POSIX.
- Altered qlw(4) so it can compile on sparc64 too.
- In -Tutf8 mode, make mandoc_char(7) named accent character escape sequences render as non-combining accents (lets mandoc behave like groff); made \' and \` equivalent to \(aa and \(ga, respectively.
- Introduced qlw(4), a new driver for QLogic ISP SCSI HBAs (currently only supports the pci(4) variants).
- Raised the delay before initialising sdmmc(4). Lets the reader on X220 work reliably.
- Fixed: sndiod(1) read/write position tracking; incorrect delta propagated after xruns in play-only and rec-only modes; crashes seen after a few days of continuous playback.
- Fixed incorrect position reporting with sndiod(1) when using tiny block sizes on busy machines.
- Made sndiod(1) check that the socket is writable before attempting to write data packets.
- On armv7, removed TIMEZONE and DST options from GENERIC-* kernels; added option USBVERBOSE to all kernels.