OpenBSD -current Changelog
This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
For changes in other releases, click below: 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8.
Changes made between OpenBSD 6.8 and -current
- Fixed "any" and "dynamic" keywords for flows in iked(8) and added proper IPv6 support.
- Added PCIe support to amlpciephy(4).
- Fixed a memory leak in ld.so's malloc.
- Added Gemini Lake I2C id to dwiic(4), making the touchpad work on the Teclast F7 Plus laptop.
- Corrected accounting of zero length TDs in xhci(4), preventing free TRBs from running out.
- Fixed hangs on amd64 bsd.rd due to misreported core clock frequency on newer Intel Comet Lake models.
- Added a global "nowake" channel for threads avoiding wakeup(9) to tsleep(9).
- Added Wake on LAN support to rge(4).
- Added a specific headline to netstat(1) for TCP state and IP protocol.
- Prevented a crash due to premature release of resources by the smtpd(8) filter state machine.
- Allowed the provision of dhclient(8) options on "dhcp" lines in hostname.if(5) files.
- Fixed a memory leak in smtpd(8) resolver.
- Introduced a send hold timer in bgpd(8) to detect stalls on the sending side of a TCP connection, acting as a last resort to detect faulty peers.
- Fixed ofw regulators that use "active-low" polarity.
- Added PCIe clocks to amlclock(4).
- Implemented select(2) and pselect(2) on top of kqueue(2).
- Made clang the default compiler on loongson.
- Added an ssh_config(5) KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files.
- Prevented initiation of new additional SAs for each policy upon every ikectl(8) config reload.
- Introduced smtp(1) -a to perform authentication before sending a message.
- Fixed DRI3 support on amdgpu(4) and ati(4).
- Accepted reject and blackhole routes for IPsec PMTU discovery.
- Prevented leaking of ipsec_hosts in iked(8) when building hosts_list.
- Fixed booting on powerpc64 machines with memory banks higher in physical address space, needing a larger TCE table.
- Introduced klistops, a way to associate lock operations with a klist.
- Fixed dig(1) EDNS Client Subnet option (+subnet=).
- Fixed IPv6 link-local address handling for nameservers to talk to and address to bind to in dig(1).
- Added support for the i.MX8MP PCIe clocks, USB clocks and second ethernet.
- Made large read and write transactions work in amliic(4).
- Updated to the December 18, 2020 version of awk(1).
- Added fd close notification for kqueue-based poll(2) and select(2).
- Corrected the first packet of an ipsec(4) SA to have sequence number 1.
- Added "amlogic,meson-g12a-dwmac" to dwge(4).
- Added amlpinctrl(4) support for the "Always On" GPIOs.
- Introduced a delay to work around an issue in bwfm(4) on the BCM43602 that was triggering "unexpected pairwise key update" errors.
- Made pfctl(8) detect and reject bogus ranges before loading the ruleset to prevent a panic.
- Made tmux(1) synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
- Updated to xcb-proto 1.14.1.
- Updated to Xserver(1) 1.20.10.
- Prevented a race in dhclient(8) privsep which could cause autoinstall to fail by calling ftp(1) without a local address.
- Correctly enumerated files with more than INT_MAX lines with the cat(1) -n flag.
- Updated to unbound(8) 1.13.0.
- Updated to nsd(8) 4.3.4.
- Fixed TCP going over an interface with fq codel enabled.
- Avoided spurious "input packet decapsulations failed" errors in netstat(1) -W with A-MSDU enabled.
- Allowed booting of amd64/i386 from 4TB GPT formatted disks.
- Flushed the reorder buffer after gap timeout to prevent frames from remaining in the buffer until the next frame is received.
- Validated ghostbuster records (RFC 6493) in rpki-client(8).
- Fixed 802.11 RSN capabilities announced to peers.
- Fixed a potential NULL pointer dereference due to malformed ASN.1 in a certificate revocation list or a timestamp response token.
- Fixed the calculation of "maxlen" in iwm(4) and iwx(4) when there are multiple MPDUs in one packet.
- Limited the URL embedded in .cer files in rpki-client(8) to alphanumeric characters and punctuation.
- Added dwgpio(4), a driver for the Synopsys DesignWare GPIO controller.
- Added iked(8) support for RSASSA-PSS signature verification (RFC 7427).
- Fixed a race condition in wsmux(4).
- Allowed exporting prefixes from multiple sessions in bgpd(8) into the same pf(4) table, preventing a prefix from being removed from the table on the first withdrawal even if an alternative exists.
- Prevented a TOCTOU race in single_thread_set() by extending the scope of the lock.
- Enabled auto-negotiation on the SerDes links, allowing in-band-status to work between mvpp(4) and mvsw(4) on the ClearFog GT 8K.
- Allowed rad(8) to handle all rdomains in a single daemon.
- Made uvm_pagealloc() mp-safe.
- Ensured rekeying of every child SA in iked(8).
- Fixed ldapd(8) cert and key path inference for absolute paths.
- Taught lld to link the macppc kernel.
- Added support for 1000base-x and 2500base-x connections to mvneta(4).
- Added mvsw(4), a driver for Marvell "SOHO" switches.
- Added the iked(8) "set stickyaddress" option, which attempts to assign the same "config address" when an IKESA is negotiated with the DSTID of an existing IKESA.
- Added support for the use of !command to mygate(5), so that netstart has a late opportunity to perform network configuration.
- Updated to libX11 1.7.0.
- Handled an autoconf interface changing its rdomain in slaacd(8).
- Added iked(8) support for multiple address pools.
- Set the specified TOS/DSCP for interactive use prior to TCP connect in ssh(1).
- Cleaned up passing of struct passwd from monitor to preauth privsep process in ssh(1).
- Used a counter instead of random IV for AES-GCM in iked(8), eliminating the risk of random collisions.
- Changed kqueue_scan() to keep track of collected events in the given context.
- Killed rpki-client(8) connection upon openrsync(1) server stall.
- Added a simple --timeout implementation to openrsync(1).
- Fixed very old umass(4) devices where the INQUIRY command succeeds but with a residue equal to the requested bytes.
- Fixed a panic seen with mbuf chains on arm64.
- Fixed incorrect behavior when using dhclient.conf(5) to change the lease renew/rebind/expiry timing.
- Added iked(8) -s socket option to specify a control socket.
- When doing an sftp(1) recursive upload or download of a read-only directory, ensured that the directory was created with write and execute permissions in the interim to allow the transfer.
- Fixed urtwn(4) repeated DEAUTH and loss/restoration of link.
- Allowed specific sndio(7) devices to be used for play-only and rec-only modes.
- Fixed panics on the HoneyComb LX2K with amdgpu(4).
- Prevented accidental truncation of large memory segments on loongson.
- Added ACPI support to imxiic(4).
- Implemented the key material exporter for TLSv1.3.
- Prevented process exit in multithreaded programs from reporting the wrong error code.
- Added multicast support to bwfm(4) to allow IPv6.
- Added acpige(4), a driver for ACPI generic event devices, used on the HoneyComb LX2K to implement power button handling.
- Added pchgpio(4), a driver for the GPIO controllers found on modern Intel PCHs.
- Revised the initialization of the drm(4) Linux emulation layer to call it only when the first drm instance attaches.
- Extended pcamux(4) with ACPI support.
- Added support for the VF610 I2C controller to imxiic(4).
- Made sure not to replace 0.0.0.0 with a dynamic address in iked(8) if it is a network address.
- Added 10G media support to mvpp(4).
- Added SFP+ support to ofw, including support for direct attach cables.
- Added support for the PL2303HXN series chips to uplcom(4).
- Added support for the PCA9547 I2C mux to pcamux(4).
- Added witness(4) check for uninitialized (or zeroed) lock usage.
- Prefixed ssh(1) keyboard interactive prompts with "user@host" for easier identification of connections.
- Displayed any other hostnames/addresses associated with a new hostkey when ssh(1) prompts the user to accept it.
- Implemented auto chain for the TLSv1.3 server.
- Updated to freetype 2.10.4.
- Fixed athn(4) in client mode against APs that use WPA1/TKIP as the group cipher.
- Fixed urtwn(4) against access points using WPA1/TKIP as the group cipher.
- Fixed a panic associated with locks and drm(4) on macppc with Powerbook5,6 and RV350.
- Fixed issues with network stopping after the first down/up cycle in mvpp(4).
- Fixed link state change behavior in 82598 ix(4) chips.
- Increased speed of the dependency check pass for pkg_add(1).
- Allowed use of ## and # in tmux(1) styles and added a "w" format modifier for width.
- Added clock support for i.MX8MP.
- Implemented iked(8) "from dynamic", installing flows where "dynamic" is replaced by the received dynamic IP address.
- Fixed ilogb(3) implementation, preventing a potential infinite loop.
- Changed from rwlock(9) to mutex(9) for linux rwlocks.
- Removed the -L option from dhclient(8).
- Fixed wg(4) on macppc by keeping track of allowed ips pointer correctly.
- Added the ClearFog GT 8K to mvclock(4).
- Enabled iked(8) support for ASN1_DN ipsec identifiers.
- Fixed rare crashes of unwind(8) when DNS answers are larger than the maximum imsg size.
- Fixed rpki-client(8) checks for manifest validity interval.
- Released OpenBGPD-6.8p1.
- Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
- Corrected an issue where openssl(1) verify might not error on expired certificates.
- Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
- Changed crypto(3) to call its get_issuer() callback to try and find a suitable certificate in cases where it has failed to find a parent certificate from the supplied roots and intermediates.
- Added the 'any' keyword to iked.conf(5) for requests to allow "request address any".
- Enabled brightness keys on powerbooks where the keyboard attaches as ukbd(4).
- Set initial default display brightness on macppc via of_setbrightness() to ensure wscons(4) and ofw are in sync.
- Added 'dynamic' keyword to iked.conf(5) to allow configuration of flows to dynamically assigned addresses.
- Implemented RFC 8914 Extended DNS Errors for dig(1).
- Added tracking of address proposal creation times to be able to establish total lifetime. This information is used to renew pltime/vltime of privacy addresses per RFC 4941.
- Changed slaacd(8) Duplicate Address Detection (DAD) to only generate a new address if we are using Semantically Opaque Interface Identifiers.
- Added a directive to httpd(8) to check if a path is accessible.
- Fixed detection of duplicate locations in httpd(8).
- Added support for passing a bootmac command line argument to RAMDISK on powerpc64.
- Made iked(8) accept ANY dynamic address with 'request addr 0.0.0.0'.
- Fixed the "entry point at 0x10010000" hang reported on amd64 machines by using a 64MB block to load the kernel.
- Changed astfb(4) to allow it to become the console on powerpc64.
- Added support to request IP addresses as IKEv2 initiator to iked(8). If 'request addr 0.0.0.0' is configured, any address will be accepted.
- Added the ability to force the selection of source IP address via route(8).
- Created a new "location (found|notfound)" option for httpd.conf(5) to allow testing for resource path existence.
- Prevented kernel reuse of mbuf memory when generating the ICMP6 response to an IPv6 packet.
- Updated to unbound(8) 1.12.0.
- Added notices to syslog whenever the "%n" format string component of printf(3) is used.
- Stopped allowing configuration of the same neighbor multiple times in bgpd(8).
- Edited syspatch(8) to ensure SHA256.sig has at least three lines.
- Added limited emulation of unaligned access in the powerpc64 kernel.
- Added AMD-Vi and Intel VT-d IOMMU support. This creates separate domains for each PCI device and can provide protection against invalid memory access.
- Fixed wsconsctl(8) display commands when using drm(4) drivers on macppc.
- Fixed a deadlock between uvn_io() and uvn_flush().
- Added a top-level 'reboot' command to ddb(4).
- Added a -legacy_verify flag to openssl(1) to force use of the old validator.
- Fixed a memory leak when parsing bgpd(8) roa-set lists.
- Added a workaround for PCIO devices that cannot address the full 64-bit PCI address space to powerpc64. Needed for radeondrm(4) and amdgpu(4) since Radeon GPUs only implement 36, 40, or 44 bits of address space.
- Introduced a system-wide mutex that serializes msgbuf operations.
- Fixed brightness setting on MacBooks.
- Updated to fonttosfnt(1) 1.2.0.
- Added retguard macros to powerpc64 locore functions.
- Changed ping(8) to drain the raw socket of packets received before we were fully set up to avoid reporting ICMP responses intended for other instances of ping(8) running in parallel.
- Made sysupgrade(8) specify a version when it uses fw_update(1) to avoid the situation where upgrading a pre-6.8 snapshot to 6.8 release with "-r" would install firmware packages from snapshots.
- Ensured copyout(9), copyinstr(9) and copyoutstr(9) bail out properly if called with a length of 0 on arm64, hppa and mips64.
- Modified daily(8) to stop reporting disk status and networking statistics.
- Released OpenBGPD portable 6.8p0.
- Released rpki-client(8) 6.8p0.
- Added powerpc64 retguard macros for setjmp/longjmp.
- Released LibreSSL 3.2.2.
- Implemented linux interval tree functions for drm(4).
- Added basic support for kclock timeouts to timeout(9).
- Updated to nsd(8) 4.3.3.
- Added RETGUARD implementation for powerpc and powerpc64.
- Stopped exempting file systems from security(8) on the basis of nodev and nosuid options, which may not be used for file systems mounted beneath.
- Supported use of more than one URI in the TAL file for rpki-client(8), sorting with a preference for https.
- Prevented a crash due to httpd(8) listening on port 443 with missing TLS certificates.
- Optimized arm64 copyin(9), copyout(9) and kcopy(9) by doing 16-byte copies if possible.
- Added doas.conf(5) "nolog" option to avoid syslog(3).
- Added Intel 495 Series LP PCH and Ice Lake graphics pci(4) ids.
- Fixed a pledge violation in csh(1) where redirecting input from a file containing ^T would cause csh(1) to perform a tty ioctl operation against a non-tty.
- Fixed a write hang-up on file system in vnd(4).
- Enabled ssh_config(5) UpdateHostkeys by default when the configuration has not overridden UserKnownHostsFile.
- Added bsd.mp to powerpc64's installXX.{img,iso}.
- Preferred ed25519 signature algorithm variants over ECDSA in ssh_config(5) and sshd_config(5).
- Introduced "if_cloners_lock" rwlock and used it to serialize if_clone_{create,destroy}(), avoiding multiple race conditions.
- Added astfb(4), a driver for the framebuffer of the Aspeed BMC found on many POWER8 and POWER9 systems.
- Added Intel 400-series chipsets to dwiic(4).
- Relaxed checks in pfctl(8) and pf(4) to accept any valid routing domain, even if it does not yet exist.
- Moved mfokclock(4) from loongson to make it available for other platforms and renamed it to mfokrtc(4).
- Removed osrelease from system.fvwmrc, as the version string matches the kernel of the fvwm(1) build machine, not the user's kernel.
- Moved to 6.8-current.