OpenBSD -current Changelog
This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
For changes in other releases, see: 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8.
Changes made between OpenBSD 6.8 and -current
- Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
- Corrected an issue where openssl(1) verify might not error on expired certificates.
- Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
- Changed crypto(3) to call its get_issuer() callback to try and find a suitable certificate in cases where it has failed to find a parent certificate from the supplied roots and intermediates.
- Added the 'any' keyword to iked.conf(5) for requests to allow "request address any".
- Enabled brightness keys on powerbooks where the keyboard attaches as ukbd(4).
- Set initial default display brightness on macppc via of_setbrightness() to ensure wscons(4) and ofw are in sync.
- Added 'dynamic' keyword to iked.conf(5) to allow configuration of flows to dynamically assigned addresses.
- Implemented RFC 8914 Extended DNS Errors for dig(1).
- Added tracking of address proposal creation times to be able to establish total lifetime. This information is used to renew pltime/vltime of privacy addresses per RFC 4941.
- Changed slaacd(8) Duplicate Address Detection (DAD) to only generate a new address if we are using Semantically Opaque Interface Identifiers.
- Added a directive to httpd(8) to check if a path is accessible.
- Fixed detection of duplicate locations in httpd(8).
- Added support for passing a bootmac command line argument to RAMDISK on powerpc64.
- Made iked(8) accept ANY dynamic address with 'request addr 0.0.0.0'.
- Fixed the "entry point at 0x10010000" hang reported on amd64 machines by using a 64MB block to load the kernel.
- Changed astfb(4) to allow it to become the console on powerpc64.
- Added support to request IP addresses as IKEv2 initiator to iked(8). If 'request addr 0.0.0.0' is configured, any address will be accepted.
- Added the ability to force the selection of source IP address via route(8).
- Created a new "location (found|notfound)" option for httpd.conf(5) to allow testing for resource path existence.
- Prevented kernel reuse of mbuf memory when generating the ICMP6 response to an IPv6 packet.
- Updated unbound(8) to 1.12.0.
- Added notices to syslog whenever the "%n" format string component of printf(3) is used.
- Stopped allowing configuration of the same neighbor multiple times in bgpd(8).
- Edited syspatch(8) to ensure SHA256.sig has at least three lines.
- Added limited emulation of unaligned access in the powerpc64 kernel.
- Added AMD-Vi and Intel VT-d IOMMU support. This creates separate domains for each PCI device and can provide protection against invalid memory access.
- Fixed wsconsctl(8) display commands when using drm(4) drivers on macppc.
- Fixed a deadlock between uvn_io() and uvn_flush().
- Added a top-level 'reboot' command to ddb(4).
- Added a -legacy_verify flag to openssl(1) to force use of the old validator.
- Fixed a memory leak when parsing bgpd(8) roa-set lists.
- Added a workaround to powerpc64 for PCI devices that cannot address the full 64-bit PCI address space. Needed for radeondrm(4) and amdgpu(4) since Radeon GPUs only implement 36, 40, or 44 bits of address space.
- Introduced a system-wide mutex that serializes msgbuf operations.
- Fixed brightness setting on MacBooks.
- Updated to fonttosfnt(1) 1.2.0.
- Added retguard macros to powerpc64 locore functions.
- Changed ping(8) to drain the raw socket of packets received before we were fully set up to avoid reporting ICMP responses intended for other instances of ping(8) running in parallel.
- Made sysupgrade(8) specify a version when it uses fw_update(1) to avoid the situation where upgrading a pre-6.8 snapshot to 6.8 release with "-r" would install firmware packages from snapshots.
- Ensured copyout(9), copyinstr(9) and copyoutstr(9) bail out properly if called with a length of 0 on arm64, hppa and mips64.
- Modified daily(8) to stop reporting disk status and networking statistics.
- Released OpenBGPD portable 6.8p0.
- Released rpki-client(8) 6.8p0.
- Added powerpc64 retguard macros for setjmp/longjmp.
- Released LibreSSL 3.2.2.
- Implemented Linux interval tree functions for drm(4).
- Added basic support for kclock timeouts to timeout(9).
- Updated nsd(8) to 4.3.3.
- Added RETGUARD implementation for powerpc and powerpc64.
- Stopped exempting file systems from security(8) on the basis of nodev and nosuid options, which may not be used for file systems mounted beneath.
- Supported use of more than one URI in the TAL file for rpki-client(8), sorting with a preference for https.
- Prevented a crash due to httpd(8) listening on port 443 with missing TLS certificates.
- Optimized arm64 copyin(9), copyout(9) and kcopy(9) by doing 16-byte copies if possible.
- Added doas.conf(5) "nolog" option to avoid syslog(3).
- Added Intel 495 Series LP PCH and Ice Lake graphics pci(4) ids.
- Fixed a pledge violation in csh(1) where redirecting input from a file containing ^T would cause csh(1) to perform a tty ioctl operation against a non-tty.
- Fixed a write hang-up on file system in vnd(4).
- Enabled ssh_config(5) UpdateHostkeys by default when the configuration has not overridden UserKnownHostsFile.
- Added bsd.mp to powerpc64's installXX.{img,iso}.
- Preferred ed25519 signature algorithm variants over ECDSA in ssh_config(5) and sshd_config(5).
- Introduced "if_cloners_lock" rwlock and used it to serialize if_clone_{create,destroy}(), avoiding multiple race conditions.
- Added astfb(4), a driver for the framebuffer of the Aspeed BMC found on many POWER8 and POWER9 systems.
- Added Intel 400-series chipsets to dwiic(4).
- Relaxed checks in pfctl(8) and pf(4) to accept any valid routing domain, even if it does not yet exist.
- Moved mfokclock(4) from loongson to make it available for other platforms and renamed it to mfokrtc(4).
- Removed osrelease from system.fvwmrc, as the version string matches the kernel of the fvwm(1) build machine, not the user's kernel.
- Moved to 6.8-current.