openbsd_73.html - webdump_tests - Testfiles for webdump
(HTM) git clone git://git.codemadness.org/webdump_tests
(DIR) Log
(DIR) Files
(DIR) Refs
(DIR) README
---
openbsd_73.html (79983B)
---
1 <!doctype html>
2 <html lang=en id=release>
3 <head>
4 <meta charset=utf-8>
5
6 <title>OpenBSD 7.3</title>
7 <meta name="description" content="OpenBSD 7.3">
8 <meta name="viewport" content="width=device-width, initial-scale=1">
9 <link rel="stylesheet" type="text/css" href="openbsd.css">
10 <link rel="canonical" href="https://www.openbsd.org/73.html">
11 </head><body>
12 <h2 id=OpenBSD>
13 <a href="index.html">
14 <i>Open</i><b>BSD</b></a>
15 7.3
16 </h2>
17
18 <table>
19 <tr>
20 <td>
21 <a href="images/DryGarden.png">
22 <img width="227" height="303" src="images/DryGarden-s.gif" alt="Dry Garden"></a>
23 <td>
24 Released Apr 10, 2023. (54th OpenBSD release)<br>
25 Copyright 1997-2023, Theo de Raadt.<br>
26 <br>
27 7.3 Song: "<a href="lyrics.html#73">The Wizard and the Fish</a>"<br>
28 Artwork by George Mager.
29 <br>
30 <ul>
31 <li>See the information on <a href="ftp.html">the FTP page</a> for
32 a list of mirror machines.
33 <li>Go to the <code class=reldir>pub/OpenBSD/7.3/</code> directory on
34 one of the mirror sites.
35 <li>Have a look at <a href="errata73.html">the 7.3 errata page</a> for a list
36 of bugs and workarounds.
37 <li>See a <a href="plus73.html">detailed log of changes</a> between the
38 7.2 and 7.3 releases.
39 <p>
40 <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
41 pubkeys for this release:<p>
42
43 <table class=signify>
44 <tr><td>
45 openbsd-73-base.pub:
46 <td>
47 <a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/openbsd-73-base.pub">
48 RWQS90bYzZ4XFms5z9OodrFABHMQnW6htU+4Tmp88NuQiTEezMm2cQ3K</a>
49 <tr><td>
50 openbsd-73-fw.pub:
51 <td>
52 RWRSJW95RokBEZUxBFvPCEdtQPg2WMExzMIcjnXzVpIwUpyZZmfXun5a
53 <tr><td>
54 openbsd-73-pkg.pub:
55 <td>
56 RWTJxSCZzSPKGp8unIp/yxG2lvCXJg5lFVvbOBQUvKEnGHFAO8RPg3mr
57 <tr><td>
58 openbsd-73-syspatch.pub:
59 <td>
60 RWShXqVD7hfbBpWb1B5EGr1DUX8kkjkTueCsa243lLNocuuVU+2eWMn5
61 </table>
62 </ul>
63 <p>
64 All applicable copyrights and credits are in the src.tar.gz,
65 sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
66 files fetched via <code>ports.tar.gz</code>.
67 </table>
68
69 <hr>
70
71 <section id=new>
72 <h3>What's New</h3>
73 <p>
74 This is a partial list of new features and systems included in OpenBSD 7.3.
75 For a comprehensive list, see the <a href="plus73.html">changelog</a> leading
76 to 7.3.
77
78 <ul>
79
80 <li>Various kernel improvements:
81 <ul>
82
83
84 <li>Added <a href="https://man.openbsd.org/waitid.2">waitid(2)</a>,
85 wait for process state change.
86 <li>Added <a href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>,
87 specify the call stub for a specific system call.
88 <li>Added <a href="https://man.openbsd.org/getthrname.2">getthrname(2)</a> and
89 <a href="https://man.openbsd.org/setthrname.2">setthrname(2)</a>,
90 get or set thread name.
91 <li>Added WTRAPPED option for <a
92 href="https://man.openbsd.org/waitid.2">waitid(2)</a> to control
93 whether CLD_TRAPPED state changes, i.e., ptrace(2) on a process, are reported.
94
95 <!-- kernel internals -->
96 <li>Introduced <a
97 href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>, a
98 machine-independent clock interrupt scheduler. Switched all
99 architectures to use the new subsystem.
100 <li>Introduced a new kern.autoconf_serial <a
101 href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> that can be used
102 by userland to monitor state changes of the kernel device tree.
103 <li>Fixed <a href="https://man.openbsd.org/pmap.9">pmap(9)</a> bugs
104 involving entering an executable mapping for a page before
105 synchronizing the data and instruction cache on arm64 and riscv64.
106 <li>Removed copystr(9) from the public API.
107 <li>Added <a
108 href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>.
109 Offers fast access to the system runtime clock at the cost of precision.
110
111 <li>Prevent detaching ("bioctl -d detach") of a boot volume on a RAID managed by <a
112 href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
113
114 <li>On arm64, avoid using 1GB mappings for the identity map in the
115 early kernel bootstrap phase and when booting the secondary CPUs. This
116 avoids accidentally mapping memory regions that should not be mapped
117 (i.e. secure memory) as all mapped memory can be accessed
118 speculatively.
119 <li>On arm64, add a machdep.lidaction <a
120 href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> for <a
121 href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> Apple Silicon
122 laptops.<br>
123 The arm64 default for the machdep.lidaction is 1, making the
124 system suspend when the lid is closed. <a
125 href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> provides support
126 for the lid position sensor.
127 <li>Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious
128 wakeups while other CPUs are still active.
129 <li>Added new <a href="https://man.openbsd.org/dt.4">dt(4)</a> tracing ioctl
130 DTIOCARGS to get the type of probe arguments.
131 </ul>
132
133 <li>SMP Improvements
134 <ul>
135 <li>Unlocked <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
136 href="https://man.openbsd.org/munmap.2">munmap(2)</a>, and <a
137 href="https://man.openbsd.org/mprotect.2">mprotect(2)</a>.
138 <li>Unlocked <a href="https://man.openbsd.org/sched_yield.2">sched_yield(2)</a>.
139 <li>Added support for per-CPU counters to
140 <a href="https://man.openbsd.org/evcount.9">evcount(9)</a>.
141 Useful for counting events that are prone to occur simultaneously
142 across multiple CPUs, like clock interrupts and IPIs.
143 <li>Moved <a href="https://man.openbsd.org/pf.4">pf(4)</a> purge
144 tasks out from under the kernel lock.
145 <li>Unlocked <a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>
146 SIOCGIFCONF, SIOCGIFGMEMB, SIOCGIFGATTR, and SIOCGIFGLIST.
147 <li>Protected interface tables in <a
148 href="https://man.openbsd.org/pf.4">pf(4)</a> with PF_LOCK(), allowing
149 removal of NET_LOCK() protection from the <a
150 href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> code path in pf.
151 <li>Unlocked <a
152 href="https://man.openbsd.org/getsockopt.2">getsockopt(2)</a> and <a
153 href="https://man.openbsd.org/setsockopt.2">setsockopt(2)</a>.
154 <li>Completed removing kernel lock from IPv6 read ioctls.
155 <li>Unlocked <a href="https://man.openbsd.org/minherit.2">minherit(2)</a>.
156 <li>Made <a href="https://man.openbsd.org/tun.4">tun(4)</a> and <a
157 href="https://man.openbsd.org/tap.4">tap(4)</a> event filters MP-safe.
158 <li>Unlocked <a href="https://man.openbsd.org/utrace.2">utrace(2)</a>.
159 <li>Stopped holding the vm_map lock while flushing pages in <a
160 href="https://man.openbsd.org/msync.2">msync(2)</a> and <a
161 href="https://man.openbsd.org/madvise.2">madvise(2)</a>. Prevents a
162 3-thread deadlock between <a
163 href="https://man.openbsd.org/msync.2">msync(2)</a>, page-fault and <a
164 href="https://man.openbsd.org/mmap.2">mmap(2)</a>.
165 <li>Unlocked <a
166 href="https://man.openbsd.org/select.2">select(2)</a>, <a
167 href="https://man.openbsd.org/pselect.2">pselect(2)</a>, <a
168 href="https://man.openbsd.org/poll.2">poll(2)</a>, and <a
169 href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>.
170 </ul>
171
172 <li>Direct Rendering Manager and graphics drivers
173 <ul>
174 <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
175 to Linux 6.1.15
176 <li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>: Added
177 support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino",
178 Ryzen 7045 series "Dragon Range",
179 Radeon RX 7900 XT/XTX "Navi 31",
180 Radeon RX 7600M (XT), 7700S, and 7600S "Navi 33."
181 <li>Fixed frame buffer corruption and additional bugs after wakeup
182 on Apple Silicon laptops and the Lenovo x13s.
183 <li>Added support for the backlight connector property to <a
184 href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> as in <a
185 href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>, making <a
186 href="https://man.openbsd.org/xbacklight.1">xbacklight(1)</a> work
187 when using the Xorg modesetting driver.
188 </ul>
189
190 <li>VMM/VMD improvements
191 <ul>
192 <li>Updated <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> to
193 permit SVM guests read access to MSR_HWCR and MSR_PSTATEDEF.
194 Guests can use these registers on AMD 17h and 19h hosts to
195 determine the TSC frequency without calibrating against a
196 second clock.
197 <li>Allocated reference for vm and vcpu SLISTs in <a
198 href="https://man.openbsd.org/vmm.4">vmm(4)</a>, keeping vmm from
199 triggering excessive wakeup calls while iterating through the list of
200 vms while servicing an <a
201 href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>.
202 <li>Set <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> RAX guest
203 register state based on VMCB.
204 <li>Removed locking in <a
205 href="https://man.openbsd.org/vmm.4">vmm(4)</a> vmm_intr_pending,
206 reducing slowdowns due to requests for a lock held while the VM is
207 running.
208 <li>Increased speed of delivery of interrupts to a running vcpu in <a
209 href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
210 <li>Made <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> treat vcpu
211 lists as immutable, removing the need to reference count individual
212 vcpu objects and use a rwlock.
213 <li>Implemented zero-copy operations on virtqueues in <a
214 href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
215 <li>Provided a detailed e820 memory map when booting <a
216 href="https://man.openbsd.org/vmd.8">vmd(8)</a> guests with SeaBIOS.
217 When a vm initializes memory ranges, we now track what each range
218 represents. This information can be used to supply the e820 memory map
219 to SeaBIOS via the fw_cfg interface allowing it to properly
220 communicate memory ranges to a guest operating system. With this
221 special cases in ports can be removed.
222 <li>Added thread names to vm processes in <a
223 href="https://man.openbsd.org/vmd.8">vmd(8)</a>, visible in <a
224 href="https://man.openbsd.org/ps.1">ps(1)</a>.
225 <li>Hid the WAITPKG cpu feature from <a
226 href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests, preventing
227 invalid instruction exceptions. Also added WAITPKG feature
228 identification to i386 and amd64.
229 <li>Changed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to
230 only open /dev/vmm once, having the parent process send the fd to the
231 vmm child process.
232 <li>Restricted <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
233 exposed cpuid extended feature flags.
234 <li>Adjusted <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> error
235 paths to avoid removal of configuration-defined (known) VMs on error.
236 <li>Stopped being paranoid about hypervisor correct PKU handling.<br>
237 Added saving and restoring guest PKRU to <a
238 href="https://man.openbsd.org/vmm.4">vmm(4)</a>. Expose the PKU cpuid
239 bit to the guest if in use on the host.
240 <li>Made <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> scan the
241 PCI bus to determine bootorder strings.
242 </ul>
243
244 <li>Various new userland features:
245 <ul>
246 <li>Added <a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
247 argument support for msyscall, pledge, unveil, __realpath, ypconnect
248 and __tmpfd.
249 <li>Added <a
250 href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a> and <a
251 href="https://man.openbsd.org/munmap.2">munmap(2)</a> reporting to <a
252 href="https://man.openbsd.org/kdump.1">kdump(1)</a>.
253 <li>Added <a
254 href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting
255 for process kills due to <a
256 href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned
257 syscall address.
258 </ul>
259
260 <li>Various bugfixes and tweaks in userland:
261 <ul>
262 <li>Allow TZ to contain absolute paths starting with /usr/share/zoneinfo.
263 All absolute paths were ignored in 7.2 to avoid
264 <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> violations.
265 <li>Made <a href="https://man.openbsd.org/ldomctl.8">ldomctl(8)</a>
266 accept more descriptive name-based paths in addition to number-based
267 paths in <a
268 href="https://man.openbsd.org/ldom.conf.5">ldom.conf(5)</a>.
269 <li>Dropped support for $rc_exec in <a
270 href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>. The rc_exec
271 function should be used instead.
272 <li>Excluded /tmp/*.shm files from /tmp cleaning in <a
273 href="https://man.openbsd.org/daily.8">daily(8)</a>. Removing them
274 interferes with programs that use shared memory via <a
275 href="https://man.openbsd.org/shm_open.3">shm_open(3)</a>.
276 <li>Added zap-to-char and zap-up-to-char to <a
277 href="https://man.openbsd.org/mg.1">mg(1)</a>. Bound zap-to-char to
278 M-z.
279 <li>Fixed handling of escaped backslashes in <a
280 href="https://man.openbsd.org/vi.1">vi(1)</a> ex_range.
281 <li>Added support to <a
282 href="https://man.openbsd.org/gunzip.1">gunzip(1)</a> for zip files
283 that contain a single member.
284 <li>Fixed <a href="https://man.openbsd.org/ed.1">ed(1)</a> to print
285 bytes read/written and the ? prompt to stdout, not stderr.
286 <li>Changed the vmstat view in <a
287 href="https://man.openbsd.org/systat.1">systat(1)</a> to measure
288 elapsed time with <a
289 href="https://man.openbsd.org/clock_gettime.2">clock_gettime(2)</a>
290 instead of statclock ticks.
291 <li>Improved the periodic display in <a
292 href="https://man.openbsd.org/iostat.8">iostat(8)</a>.
293 <li>Fixed an edge case in <a href="https://man.openbsd.org/top.1">top(1)</a>
294 where summary statistics for offline CPUs were displayed.
295 <li>Added support for a personal <a
296 href="https://man.openbsd.org/units.1">units(1)</a> library by passing
297 -f multiple times.
298 <li>Changed <a href="https://man.openbsd.org/df.1">df(1)</a> to
299 round up fractional percentages.
300 <li>Fixed unbounded variable expansion in <a
301 href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>.
302 <li>Switched to use <a
303 href="https://man.openbsd.org/llvm-strip.1">llvm-strip(1)</a> on
304 architectures that use <a
305 href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a>.
306 <!-- rc scripts -->
307 <li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> reorder
308 libraries in parallel to <a
309 href="https://man.openbsd.org/netstart.8">netstart(8)</a>, as this
310 does not depend on network access.
311 <li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> print the
312 name of each library before relinking as a signal to the operator that
313 boot has not stalled.
314 <!-- audio -->
315 <li>Added a -w flag to <a
316 href="https://man.openbsd.org/audioctl.8">audioctl(8)</a> for
317 displaying variables periodically.
318 <li>Added short options for <a
319 href="https://man.openbsd.org/timeout.1">timeout(1)</a> --foreground
320 and --preserve-status.
321 <li>Added signal as a full argument name for <a
322 href="https://man.openbsd.org/timeout.1">timeout(1)</a> -s.
323 <li>Fixed .wav files generated by <a
324 href="https://man.openbsd.org/aucat.1">aucat(1)</a> by using extended
325 header format.
326 <!-- disks ... -->
327 <li>In <a
328 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>, use the
329 size of the largest chunk of free space, not the total of all such
330 chunks, when checking for sufficient space to add a partition.
331 <li>Extended <a
332 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template
333 parsing to allow "[mount point] *" as the specification for putting
334 the maximum available free space into a partition. Extended
335 command line parsing to allow "T-" as the specification to read the
336 template from stdin.
337 <li>Repaired <a
338 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
339 to check for D_VENDOR flag in d_flags, not d_secpercyl.
340 <li>Removed remnants of DEC standard 144 bad sector code from
341 <a
342 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
343 and
344 <a
345 href="https://man.openbsd.org/disktab.5">disktab(5)</a>.
346 <li>Removed last references to d_drivedata field from <a
347 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
348 <li>Enhanced <a
349 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
350 auto allocation to use all possible free space.
351 <li>Enhanced <a
352 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
353 to ensure valid partition offsets and sizes after rounding.
354 <li>Enhanced <a
355 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
356 simple editor to allow '*' when the action is 'delete'.
357 <li>Removed <a
358 href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
359 code related to defunct disk types 'hd' and 'svnd'.
360 <li>Repaired <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
361 to set the correct 'bootable' bit in GPT partitions.
362 <li>Repaired <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
363 to use GPT_UUID_NBSD_UFS for NetBSD GPT partition entries.
364 <li>Added UEFI defined GPT partition type GPT_UUID_LEGACY_MBR to
365 the partition types
366 <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
367 recognizes.
368 <li>Enhanced <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
369 to avoid spurious warnings when editing unused GPT partition.
370 <li>Fixed <a href="https://man.openbsd.org/cdio.1">cdio(1)</a>
371 error displays and plugged a leak in the error path.
372 <li>Removed pointless :ob#0:pb#0:[tb=swap:] and
373 :pb#N:ob#0: lines from various <a
374 href="https://man.openbsd.org/disktab.5">disktab(5)</a>
375 entries.
376 </ul>
377
378 <li>Improved hardware support and driver bugfixes, including:
379 <ul>
380 <li>Suspend/Resume improvements
381 <ul>
382 <li>Extended arm64 suspend/resume to include support for parking
383 CPUs in a WFE/WFI loop.
384 <li>Put CPUs in the lowest P-state before the final suspend step,
385 needed for systems where we park CPUs in a low-power idle state
386 ourselves.
387 </ul>
388
389 <li>system-on-chip devices
390 <ul>
391 <!-- SoC -->
392 <li>Added support for the Rockchip RK3566/RK3568 SoCs.
393 <li>Added support for the Rockchip RK3568 processor.
394
395 <li>Added support for the RK3568 PCIe controller to <a
396 href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
397 <li>Added <a
398 href="https://man.openbsd.org/qcdwusb.4">qcdwusb(4)</a>, a driver
399 controlling the interface logic for the Synopsys DesignWare USB 3.0
400 controller found on various Qualcomm Snapdragon SoCs.
401 <li>Added support for the PCIe controller on the Qualcomm SC8280XP
402 to <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
403 <li>Added <a
404 href="https://man.openbsd.org/qcpmicgpio.4">qcpmicgpio(4)</a>, a
405 driver for the GPIO block inside the Qualcomm PMICs.
406 <li>Added <a href="https://man.openbsd.org/qcpmic.4">qcpmic(4)</a>,
407 a driver for the SPMI-connected PMICs found on Qualcomm SoCs.
408 <li>Added <a href="https://man.openbsd.org/qcspmi.4">qcspmi(4)</a>,
409 a driver for the SPMI PMIC Arbiter found on Qualcomm SoCs.
410 <li>Added <a href="https://man.openbsd.org/qcpdc.4">qcpdc(4)</a>, a
411 driver for the Qualcomm Power Domain controller found on Qualcomm
412 SoCs.
413 <li>Added <a href="https://man.openbsd.org/qcpwm.4">qcpwm(4)</a>, a
414 driver for the PWM found on Qualcomm SoCs.
415 <li>Added <a href="https://man.openbsd.org/qcpon.4">qcpon(4)</a>, a
416 driver for the Qualcomm PMIC block that hosts the powerkey and reset
417 input.
418 <li>In <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a>,
419 handled different register layouts in modern Rockchip SoCs as seen in
420 the RK356x and RK3588.
421 <li>Added support for RK356x TSADC clocks to <a
422 href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
423 <li>Added GMAC-related RK356x clocks to <a
424 href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
425 <li>Added RK3588 support to <a
426 href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and <a
427 href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>.
428 <li>Added <a href="https://man.openbsd.org/mvortc.4">mvortc(4)</a>,
429 a driver for the RTC on the ARMADA 38x series.
430 <li>Added <a href="https://man.openbsd.org/mvodog.4">mvodog(4)</a>,
431 a driver for the watchdog on the ARMADA 38x series.
432 <li>Implemented <a
433 href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a> support
434 for explicit routing to use alternative pin muxings.
435 <li>Added <a href="https://man.openbsd.org/ytphy.4">ytphy(4)</a>, a
436 driver for the MotorComm YT8511 PHY.
437 <li>Made <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a>
438 work on RK356x with U-Boot.
439 <li>Added initialization code for RK356x in <a
440 href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> to prevent
441 kernel hangs.
442 <li>Implemented setting the parent clock for RK356x in <a
443 href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
444 <li>Added <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>
445 code to bring up the PCIe controller on the RK356x.
446 <li>Added <a
447 href="https://man.openbsd.org/rkpciephy.4">rkpciephy(4)</a>, a driver
448 for the PCIe 3.0 PHY found on the RK356x.
449 <li>Added <a
450 href="https://man.openbsd.org/rkcomphy.4">rkcomphy(4)</a>, a driver
451 for the "naneng" combo PHY found on the RK356x (and RK3588). Only
452 PCIe, SATA and USB3 support are implemented.
453 </ul>
454
455 <li>Improved support for Apple arm64 hardware
456 <ul>
457 <!-- Apple -->
458 <li>Made <a
459 href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> recognize M1
460 laptops with touchbars and translated Fn+(1-10,-,=) keys to F1-F12 on
461 these systems.
462 <li>Added suspend/resume support to <a
463 href="https://man.openbsd.org/aplns.4">aplns(4)</a>.
464 <li>Implemented wakeup interrupt support in <a
465 href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>.
466 <li>Added suspend/resume support to control the power domain to <a
467 href="https://man.openbsd.org/aplsart.4">aplsart(4)</a>.
468 <li>Made the power button function as a wakeup button during suspend
469 in <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
470 <li>Added <a href="https://man.openbsd.org/aplpwm.4">aplpwm(4)</a>,
471 a driver for the PWM controller found on Apple Silicon.
472 <li>Improve Apple support by increasing the <a
473 href="https://man.openbsd.org/apliic.4">apliic(4)</a> transfer
474 completion timeout to 100ms to accommodate USB Type-C PD chips.
475 <li>Added <a href="https://man.openbsd.org/tipd.4">tipd(4)</a>, a
476 driver fixing USB hotplug of type-C connectors on Apple Silicon
477 hardware.
478 <li>Improved <a
479 href="https://man.openbsd.org/aplpmu.4">aplpmu(4)</a> range check to
480 protect against overflow.
481 <li>Added <a
482 href="https://man.openbsd.org/aplefuse.4">aplefuse(4)</a>, a driver
483 for the eFuses on Apple Silicon SoCs.
484 <li>Enabled <a
485 href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a> power
486 management for PCI devices.
487 <li>Disable the screen backlight with <a
488 href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> on Apple Silicon
489 laptops when the lid is closed.
490 </ul>
491
492 <li>X13s support
493 <ul>
494 <!-- x13s -->
495 <li>Worked around incomplete ACPI tables on the Lenovo x13s by
496 loading the alternate device tree binaries from disk.
497 <li>Set console output to the framebuffer on Lenovo x13s machines.
498 <li>Made the USB ports work after a suspend/resume cycle on the x13s.
499 </ul>
500
501 <li>Improved audio devices
502 <ul>
503 <!-- audio -->
504 <li>Made <a
505 href="https://man.openbsd.org/aplaudio.4">aplaudio(4)</a> calculate
506 the bit clock based on numbers of channels, bytes/sample and sample
507 rate.
508 <li>Set <a href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>
509 and <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a>
510 default volume to -30dB instead of the hardware default of 0dB
511 (maximum).
512 <li>Added <a
513 href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>, a driver for
514 the TI SNO12776/TAS2764 digital amplifier.
515 </ul>
516
517 <li>Other changes
518 <ul>
519 <!-- various USB -->
520 <li>Added support for the Wacom One M CTL-672 tablet to <a
521 href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>.
522 <li>Hooked up the same USB device drivers on riscv64 as done in the
523 arm64 architecture kernel.<br>Enabled access to <a
524 href="https://man.openbsd.org/usb.4">usb(4)</a>, <a
525 href="https://man.openbsd.org/ugen.4">ugen(4)</a>, <a
526 href="https://man.openbsd.org/ulpt.4">ulpt(4)</a>, <a
527 href="https://man.openbsd.org/ucom.4">ucom(4)</a> and <a
528 href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>.
529 <li>Added <a href="https://man.openbsd.org/uftdi.4">uftdi(4)</a>
530 support for FTDI FT232R.
531 <li>Added <a href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>
532 support for Bolt receivers and the Unified Battery feature often found
533 on newer Logitech HID++ hardware.
534
535 <!-- RTC -->
536 <li>Converted more RTC drivers to use todr_attach(). Quality of the
537 RTC is set such that "discrete" RTC chips are preferred over RTCs
538 integrated on a SoC.
539 <li>Added support for the DS1339 RTC as found on the PiJuice.
540 <li>Added <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a>, a
541 driver for the RTC found on Qualcomm PMICs.
542 <li>Improved <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a>
543 RTC reliability.
544
545 <!-- wscons -->
546 <li>Added cursor back tab support to <a
547 href="https://man.openbsd.org/wscons.4">wscons(4)</a> VT100
548 emulation.<br>Added aixterm bright color sequences (SGR 90-97 and
549 100-107).
550 <li>Added missing <a
551 href="https://man.openbsd.org/wscons.4">wscons(4)</a> bounds checks
552 when processing terminal escape sequences.
553 <li>Replaced broken UTF-8 logic in <a
554 href="https://man.openbsd.org/wscons.4">wscons(4)</a> with a better
555 one borrowed from Citrus.
556
557 <!-- other -->
558 <li>Introduced <a
559 href="https://man.openbsd.org/pijuice.4">pijuice(4)</a>, an apm/sensor
560 driver for the PiJuice HAT UPS.
561 <li>Added <a
562 href="https://man.openbsd.org/pwmleds.4">pwmleds(4)</a>, a driver for
563 PWM controlled LEDs.
564 <li>Implemented <a
565 href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> support for the
566 (optional) MSI controller of the Synopsys DesignWare PCIe host bridge.
567 <li>Added <a
568 href="https://man.openbsd.org/icc.4">icc(4)</a> driver for
569 I2C Consumer Control devices.
570 <li>Prevented a possible crash when a <a
571 href="https://man.openbsd.org/ugen.4">ugen(4)</a> device is detached.
572 <li>Implemented wakeup interrupt handling in <a
573 href="https://man.openbsd.org/agintc.4">agintc(4)</a>.
574 <li>Enabled <a
575 href="https://man.openbsd.org/pcagpio.4">pcagpio(4)</a> and <a
576 href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>, making the SFP
577 port on the ClearFog Base (CN9130) work.
578 <li>Adopted a workaround for a bug in the ARM generic timer on the
579 A64, disabling userland timecounter support on affected hardware
580 pending a similar libc workaround.
581 <li>Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS).
582 <li>Implemented access to EFI variables ESRT through an <a
583 href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> interface
584 compatible with what FreeBSD and NetBSD have.<br>
585 Created /dev/efi on amd64 and arm64.
586 <li>Added <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> support
587 for "enhanced descriptor" mode found on some variants of the Synopsys
588 DesignWare GMAC.
589 <li>Removed the <a
590 href="https://man.openbsd.org/OpenBSD-7.2/elansc.4">elansc(4)</a>
591 driver for AMD Elan SC520 System Controller.
592 <li>Made <a href="https://man.openbsd.org/ppb.4">ppb(4)</a> bus
593 range available after detaching, fixing unplugging and replugging
594 thunderbolt devices that were plugged in when the machine was booted.
595 <li>Reworked the arm64 architecture cpu_init_secondary() function to
596 allow use for both initial powerup and wakeup from deeper sleep
597 states.
598 <li>Added <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>,
599 a driver for Universal Flash Storage (UFS) Host Controllers.
600 <li>Added <a href="https://man.openbsd.org/scmi.4">scmi(4)</a>, a
601 driver for the ARM System Control and Management Interface.
602 <li>Added support for the Shenzhen Tangcheng Technology TCS4525
603 voltage regulator to <a
604 href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>.
605 <li>Added <a href="https://man.openbsd.org/psci.4">psci(4)</a> (ARM
606 Power State Coordination Interface) support for available deep idle
607 states as advertised in device trees.
608 <li>Added <a href="https://man.openbsd.org/eephy.4">eephy(4)</a>,
609 found on the Turris Omnia WAN port, to armv7.
610 <li>Added polling to <a
611 href="https://man.openbsd.org/tipmic.4">tipmic(4)</a> driver when
612 starting from a cold boot, fixing a hang on boot.
613 <li>Added a workaround for Intel Braswell/Cherry Trail mwait hang.
614 <li>Added the Armada 380 temperature sensor to <a
615 href="https://man.openbsd.org/mvtemp.4">mvtemp(4)</a> and enabled the
616 driver on armv7.
617 </ul>
618 </ul>
619
620 <li>New or improved network hardware support:
621 <ul>
622 <li>Enabled <a href="https://man.openbsd.org/em.4">em(4)</a> IPv4,
623 TCP and UDP checksum offloading and hardware VLAN tagging on devices
624 with 82575, 82576, i350 and i210 chipsets.
625 <li>Improved <a href="https://man.openbsd.org/mcx.4">mcx(4)</a>
626 performance by using interrupt-based command completion.
627 <li>Fixed a panic seen with <a
628 href="https://man.openbsd.org/rge.4">rge(4)</a> RTL8125 with MCLGETL.
629 <li>Add <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>, a
630 driver for the Synopsys DesignWare Ethernet QoS controller used on the
631 NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake.
632 <li>Worked around an issue on the StarFive JH7100 SoC to make <a
633 href="https://man.openbsd.org/dwge.4">dwge(4)</a> Ethernet work
634 reliably on the StarFive VisionFive 1 board.
635 <li>In <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>,
636 passed MII flags depending on the phy mode specified in the device
637 tree, making the WAN port work on the Turris Omnia.
638 </ul>
639
640 <li>Added or improved wireless network drivers:
641 <ul>
642 <li>Increased the timeout for <a
643 href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> PCI devices to
644 avoid spurious firmware load failures, particularly on Apple M2 laptops.
645 <li>Implemented alternative mailbox handling mechanism required by
646 newer <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> firmware.
647 <li>Fixed <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>
648 issues with suspend/resume and possible firmware crashes on the M2
649 MacBook Air.
650 <li>Prevented an <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
651 firmware error when authentication to the AP times out.
652 <li>Fixed a crash in <a
653 href="https://man.openbsd.org/iwx.4">iwx(4)</a> when connecting to WEP
654 networks via <a
655 href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> join.
656 <li>Fixed an alignment issue in <a
657 href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx descriptors.
658 <li>Avoided trying to remove keys while doing crypto in hardware if
659 the station is not active in <a
660 href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware, fixing a
661 firmware panic.
662 <li>Prevented potential panics by disallowing the <a
663 href="https://man.openbsd.org/iwx.4">iwx(4)</a> init task from running
664 in parallel to wakeup code during resume.
665 <li>Switched all <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
666 devices to -77 firmware images.
667 <li>Upgraded firmware images for <a
668 href="https://man.openbsd.org/iwm.4">iwm(4)</a> 9260 and 9560 devices.
669 <li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> get the
670 primary channel number from AP beacon info, preventing problems on
671 40/80Mhz channels if there is a mismatch.
672 <li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> session
673 protection event duration.
674 </ul>
675
676 <li>IEEE 802.11 wireless stack improvements and bugfixes:
677 <ul>
678 <li>Made net80211 drop beacons received on secondary HT/VHT
679 channels, preventing <a
680 href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware panics and
681 making association work with 11ac APs which transmit beacons on
682 channels other than their primary.
683 <li>Made WEP encryption work on <a
684 href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
685 </ul>
686
687 <li>Installer, upgrade and bootloader improvements:
688 <ul>
689 <li>Made installer answers <code>!</code> and <code>(S)hell</code> drop into a <a
690 href="https://man.openbsd.org/ksh.1">ksh(1)</a> environment rather
691 than the more limited <a href="https://man.openbsd.org/sh.1">sh(1)</a>.
692 <li>Added support for configuring interfaces by lladdr (MAC).
693 <li>Made the installer skip interface configuration questions when no interfaces are available.
694 <li>Fixed resizing partitions on an auto-allocated disk that had a boot partition.
695 <li>Stopped the installer from asking to initialize disks that have
696 <a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks.
697 <li>Made efiboot fdt support device trees with NOPs in them (like the kernel version).
698 <li>Improved the default choice for the installer's install media
699 disk question to show the first disk that (a) is not the root disk and (b)
700 is not a disk with softraid chunks (hosting the root disk, for example).
701 <li>Stopped offering WEP in the installer if not supported.
702 <li>Fixed lock file error on installer exit/abort.
703 <li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>
704 support <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
705 <li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> silently skip
706 <a href="https://man.openbsd.org/softraid.4">softraid(4)</a> keydisks.
707 <li>Fixed passing explicit stages files to
708 <a href="https://man.openbsd.org/installboot.8">installboot(8)</a>.
709 <!-- architecture specific -->
710 <li>Added <a
711 href="https://man.openbsd.org/mount_nfs.8">mount_nfs(8)</a> to the
712 sparc64 installer, to fetch sets over NFS.
713 <li>Copy the apple-boot firmware to EFI system partition, enabling
714 automatic bootloader updates on Apple Silicon computers.
715 <li>Made the installer stop printing MD post installation instructions on upgrades.
716 <li>Made it possible to set keyboard layout(s) in arm64's installer.
717 <li>Added initial support in the installer for guided disk
718 encryption for amd64, i386, riscv64 and sparc64.
719 <li>Added passing of boot device information from the bootloader to
720 the kernel on luna88k.
721 <li>Switched luna88k boot loader to MI boot code.
722 <li>Made the luna88k bootloader display a puffy boot logo.
723 <li>Made <a href="https://man.openbsd.org/ls.1">ls(1)</a> work
724 correctly in the luna88k bootloader.
725 <li>Made <a href="https://man.openbsd.org/time.1">time(1)</a> work
726 correctly in the luna88k bootloader.
727 <li>Removed dangerous user-settable "addr" variable from MI
728 bootloader, only compiling tty-related code on platforms where it
729 makes sense for the bootloader to control it.
730 <li>Added "machine poweroff" command on luna88k bootloader.
731 <li>Switched alpha to machine-independent boot blocks.
732 <li>Switched all architectures' ramdisks (except alpha's and luna88k's) to use
733 <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>.
734 <li>Fixed ofwboot OpenFirmware <code>map</code> call to unbreak boot on some machines.
735 <li>Reduced ofwboot.net size after libz update to unbreak netboot on some machines.
736 <li>Made riscv64 bootloader support boot from RAID 1C softraid volumes.
737 <li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> support
738 <a href="https://man.openbsd.org/softraid.4">softraid(4)</a> on riscv64.
739 <li>Stopped creating defunct vax (ra, rx), hp300 (hd) and sparc (xy, xd)
740 devices in /dev.
741 </ul>
742
743 <li>Security improvements:
744 <ul>
745 <li>Permissions (RWX, MAP_STACK, etc.) on address space regions can
746 be made <a href="https://man.openbsd.org/mimmutable.2">immutable</a>,
747 so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
748 href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or <a
749 href="https://man.openbsd.org/munmap.2">munmap(2)</a> fail with EPERM.
750 Most of the program static address space is now automatically
751 immutable (main program, ld.so, main stack, load-time shared
752 libraries, and dlopen()'d libraries mapped without RTLD_NODELETE).
753 Programmers can request non-immutable static data using the
754 "openbsd.mutable" section, or manually bring immutability to (page
755 aligned heap objects) using <a
756 href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a>.
757 The main internal data of <a
758 href="https://man.openbsd.org/malloc.3">malloc(3)</a>
759 is marked immutable.
760 <li>Some architectures now have non-readable code ("xonly"), both from
761 the perspective of userland reading its own memory, or the kernel
762 trying to read memory in a system call. Many sloppy practices in
763 userland code had to be repaired to allow this. The linker
764 (<a href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a> or
765 <a href="https://man.openbsd.org/ld.bfd.1">ld.bfd(1)</a>) option
766 --execute-only is enabled by default. In order of development: arm64,
767 riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64
768 (sun4u only; unfinished).
769 <li>These can still benefit from switching to --execute-only binaries if the
770 cpu generates different traps for instruction-fetch versus data-fetch.
771 The VM system will not allow memory to be read before it was executed
772 which is valuable together with library relinking. Architectures
773 switched over include loongson.
774 <li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> and crt0
775 register the location of the <a
776 href="https://man.openbsd.org/execve.2">execve(2)</a> stub with the
777 kernel using pinsyscall(2), after which the kernel only accepts an
778 execve call from that specific location.
779 <li>Added <a href="https://man.openbsd.org/execve.2">execve(2)</a>
780 violations of <a
781 href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a> policy
782 to the daily mail, available by setting rc.conf.local(5)
783 accounting=YES.
784 <li>Added retguard (consistency-check the return address on the
785 stack) to amd64 syscalls.
786 <li>sshd random relinking at boot: Randomly relink and install <a
787 href="https://man.openbsd.org/sshd.8">sshd(8)</a>, resulting
788 in a sshd binary with unknown address layout after every reboot.
789 <li>Add another mitigation against classic BROP on systems without
790 execute-only mmu hardware-enforcement. A range-checking wrapper in
791 front of <a href="https://man.openbsd.org/copyin.9">copyin(9)</a> and
792 <a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a> ensures
793 the userland source address doesn't overlap the main program text and
794 other text segments, thereby making these address ranges unreadable to
795 the kernel. No programs have been discovered which require reading
796 their own text segments with a system call.
797 <li>On arm64, introduce mitigation of the Spectre-BHB (Branch
798 History Injection) CPU vulnerability by using core-specific trampoline
799 vectors.
800 <li>Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and
801 userland on CPUs that support it to mitigate timing side-channel
802 attacks.
803 </ul>
804
805 <li>Changes in the network stack:
806 <ul>
807 <li>Made /dev/pf a clonable device to better track kernel resources
808 used by processes.
809 <li>Modified TCP receive buffer size auto-scaling to use the smoothed
810 RTT (SRTT) instead of the timestamp option, which improves performance
811 on high latency networks if the timestamp option isn't available.
812 <li>Relaxed the requirement for multicast support of interfaces for
813 configuring IPv6. This allows non-multicast interfaces such as
814 point-to-point interfaces and the NBMA / point-to-multipoint
815 interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6.
816 <li>Measure the TCP_KEEPALIVE timeout with <a
817 href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>
818 instead of the system uptime.
819 Prevents TCP connections from needlessly failing en masse after
820 waking a system from suspend.
821 <li>Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
822 hash/flowid for <a href="https://man.openbsd.org/pf.4">pf(4)</a> state
823 keys. With this change, pf will hash traffic the same way that
824 hardware using a stoeplitz key will hash incoming traffic on rings.
825 stoeplitz is also used by the TCP stack to generate a flow id, which
826 is used to pick which transmit ring is used on nics with multiple
827 queues, too. Using the same algorithm throughout the stack encourages
828 affinity of packets to rings and softnet threads the whole way
829 through.
830 <li>Prevented possible kernel crashes by dropping TCP packets with
831 destination port 0 in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
832 and the stack.
833 <li>Fixed an endian swap bug causing problems with <a
834 href="https://man.openbsd.org/vlan.4">vlan(4)</a> on <a
835 href="https://man.openbsd.org/em.4">em(4)</a> sparc64 systems.
836 <li>Denied "pipex no" tunnel setting for <a
837 href="https://man.openbsd.org/pppx.4">pppx(4)</a> interfaces.
838 <li>Fixed <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a>
839 crashing on pf_state_key removal.
840 <li>Fixed a panic in <a
841 href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there is
842 no data ready for bulk transfer.
843 <li>Turned off TCP Segmentation Offload (TSO) if interface is added
844 to layer 2 devices.
845 <li>Improved <a href="https://man.openbsd.org/vnet.4">vnet(4)</a>
846 to work better in busy conditions.
847 <li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout
848 (BIOCSWTIMEOUT) between capturing a packet and making the buffer
849 readable, preventing, for example, <a
850 href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every
851 half second even if there is nothing to read. By default this buffer
852 is infinite and must be filled to become readable.
853 <li>Avoided enabling TSO on interfaces which are already attached to a bridge.
854 </ul>
855
856 <li>Routing daemons and other userland network improvements:
857 <ul>
858 <li>IPsec support was improved:
859 <ul>
860 <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
861 support for configuring multiple name servers.
862 <li>Synced proc.c from <a
863 href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a
864 href="https://man.openbsd.org/iked.8">iked(8)</a> to enable fork +
865 exec for all processes. This gives each process a fresh and unique
866 address space to further improve randomization of ASLR and stack
867 protector.
868 </ul>
869 <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, <a
870 href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a
871 href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>:
872 <ul>
873 <li>Improved performance by optimising the output filters.
874 <li>Add Autonomous System Provider Authorization (ASPA) validation
875 based on draft-ietf-sidrops-aspa-verification-12
876 <li>Introduce avs (ASPA validation state) filter and bgpctl
877 filter argument.
878 <li>Add ASPA support for the RTR protocol based on
879 draft-ietf-sidrops-8210bis-10.
880 <li>Improve open policy (RFC 9234) support and enable the capability
881 automatically if a role is specified for the peer.
882 <li>Introduce a per-neighbor 'role' configuration option to specify
883 the session role used by ASPA verification and the open policy
884 capability. The 'announce policy' statement was simplified at
885 the same time.
886 <li>Improve startup behaviour by introducing a small delay before
887 opening the connection to a new peer.
888 <li>Support for aspa-set table config which can be provided by
889 <a
890 href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
891 <li>Make it possible to filter the RIB by invalid and leaked prefixes
892 in bgpctl and bgplgd.
893 <li>Add OpenMetrics output to bgpctl for various BGP statistics and
894 add /metrics endpoint to bgplgd.
895 <li>Fix of incorrect length checks that allowed an out-of-bounds
896 read in bgpd.
897 </ul>
898 <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
899 <ul>
900 <li>Add a new '-H' command line option to create a shortlist of
901 repositories to synchronize to. For example, when invoking
902 "rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility
903 will not connect to any other hosts other than the two specified
904 through the -H option.
905 <li>Add support for validating Geofeed (RFC 9092) authenticators. To
906 see an example download https://sobornost.net/geofeed.csv and run
907 "rpki-client -f geofeed.csv"
908 <li>Add support for validating Trust Anchor Key (TAK) objects. TAK
909 objects can be used to produce new Trust Anchor Locators (TALs) signed
910 by and verified against the previous Trust Anchor. See
911 draft-ietf-sidrops-signed-tal for the full specification.
912 <li>Log lines related to RRDP/HTTPS connection problems now include the
913 IP address of the problematic endpoint (in brackets).
914 <li>Improve the error message when an invalid filename is encountered
915 in the rpkiManifest field in the Subject Access Information (SIA)
916 extension.
917 <li>Emit a warning when unexpected X.509 extensions are encountered.
918 <li>Restrict the ROA ipAddrBlocks field to only allow two
919 ROAIPAddressFamily structures (one per address family). See
920 draft-ietf-sidrops-rfc6482bis.
921 <li>Check the absence of the Path Length constraint in the Basic
922 Constraints extension.
923 <li>Restrict the SIA extension to only allow the signedObject and
924 rpkiNotify accessMethods.
925 <li>Check that the Signed Object access method is present in ROA, MFT,
926 ASPA, TAK, and GBR End-Entity certificates.
927 <li>In addition to the 'rsync://' scheme, also permit other schemes
928 (such as 'https://') in the SIA signedObject access method.
929 <li>Check that the KeyUsage extension is set to nothing but
930 digitalSignature on End-Entity certificates.
931 <li>Check that the KeyUsage extension is set to nothing but keyCertSign
932 and CRLSign on CA certificates.
933 <li>Check that the ExtendedKeyUsage extension is absent on CA
934 certificates.
935 <li>Fix a bug in the handling of the port of http_proxy.
936 <li>The '-r' command line option has been deprecated.
937 <li>Filemode (-f) output is now presented as a text based table.
938 <li>The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
939 calculated with more accuracy. The calculation takes into account the
940 nextUpdate value of all intermediate CRLs in the signature path
941 towards the trust anchor, in addition to the expiry moment of the
942 leaf-CRL and CAs.
943 <li>Handling of CRLs and Manifests in the face of inconsistent RRDP delta
944 publications has been improved. A copy of an alternative version of
945 the applicable CRL is kept in the staging area of the cache directory,
946 in order to increase the potential for establishing a complete
947 publication point, in cases where a single publication point update
948 was smeared across multiple RRDP delta files.
949 <li>The OpenBGPD configuration output now includes validated Autonomous
950 System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
951 configuration block.
952 <li>When rpki-client is invoked with increased verbosity ('-v'), the
953 current RRDP Serial and Session ID are shown to aid debugging.
954 <li>Self-signed X.509 certificates (such as Trust Anchor certificates)
955 now are considered invalid if they contain an X.509
956 AuthorityInfoAccess extension.
957 <li>Signed Objects where the CMS signing-time attribute contains a
958 timestamp later then the X.509 certificate's notAfter timestamp are
959 considered invalid.
960 <li>Manifests where the CMS signing-time attribute contains a timestamp
961 later then the Manifest eContent nextUpdate timestamp are considered
962 invalid.
963 <li>Any objects whose CRL Distribution Points extension contains a
964 CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
965 considered invalid in accordance with RFC 6487 section 4.8.6.
966 <li>For every X.509 certificate the SHA-1 of the Subject Public Key is
967 calculated and compared to the Subject Key Identifier (SKI). If a
968 mismatch is found the certificate is not trusted.
969 <li>Require the outside-TBS signature OID for every X.509 intermediate
970 CA certificate and CRL to be sha256WithRSAEncryption.
971 <li>Require the RSA key pair modulus and public exponent parameters to
972 strictly conform to the RFC 7935 profile.
973 <li>Ensure there is no trailing garbage present in Signed Objects beyond
974 the self-embedded length field.
975 <li>Require RRDP Session IDs to strictly be version 4 UUIDs.
976 <li>When decoding and validating an individual RPKI file using filemode
977 (rpki-client -f file), display the signature path towards the trust
978 anchor and the timestamp when the signature path will expire.
979 <li>When decoding and validating an individual RPKI file using filemode
980 (rpki-client -f file), display the optional CMS signing-time,
981 non-optional X.509 notBefore timestamp and non-optional X.509
982 notAfter timestamp.
983 </ul>
984
985 <li>Updated zlib to 1.2.13.
986
987 <li>Fixed a long-standing bug in a libreadline header that broke the
988 interactive Python command line interface.
989
990 <li>Switched <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> to
991 default to read-only unless -w is specified for write access (the
992 previous default).
993 <li>Stopped printing the prompt for non-interactive usage of <a
994 href="https://man.openbsd.org/tftp.1">tftp(1)</a>.
995 <li>Changed <a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a> to
996 only unveil /tftpboot if -t is specified.
997 <li>Added client certificate authentication and an optional SASL
998 EXTERNAL bind to <a
999 href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>.
1000 <li>Adjusted ipv6 address width to align the display columns better
1001 in the output of <a href="https://man.openbsd.org/ndp.8">ndp(8)</a>,
1002 <a href="https://man.openbsd.org/route.8">route(8)</a> and <a
1003 href="https://man.openbsd.org/netstat.1">netstat(1)</a> as already
1004 available in <a
1005 href="https://man.openbsd.org/systat.1">systat(1)</a>'s netstat.
1006 <li>Used <a href="https://man.openbsd.org/stravis.3">stravis(3)</a> to
1007 sanitize redirect URIs from <a
1008 href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch before printing.
1009
1010 <li>Prevent an <a
1011 href="https://man.openbsd.org/unwind.8">unwind(8)</a> crash when a TCP
1012 query is larger than the length field indicated.
1013 <li>Preserve the original order of nameservers as configured via <a
1014 href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> in <a
1015 href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>.
1016 <li>Restrict the characters allowed in the hostname argument of <a
1017 href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> to the
1018 set [A-z0-9-_.]. Additionally, two consecutive dots ('.') are not
1019 allowed nor can the string start with - or '.'. This removes
1020 characters like '$', '`', '\n' or '*' that can traverse the DNS
1021 without problems but have special meaning as in a shell.
1022 <li>Fixed a number of out of bounds reads in DNS response parsing of
1023 the async DNS resolver in libc.
1024 <li>Added <a
1025 href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> -M (mac) to
1026 find the mac address on an interface and print it.
1027 <li>Added support for configuring interfaces by lladdr to support
1028 interface configurations bound to a specific hardware device. The "if"
1029 part of the <a
1030 href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a>
1031 configuration file can now be a MAC address.
1032 <li>Limited display of wireguard peers by <a
1033 href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to when
1034 either a wireguard interface is specified or the flag "-A" is used.
1035 <li>Implemented the RFC 8781 PREF64 router advertisement option in
1036 <a href="https://man.openbsd.org/rad.8">rad(8)</a> which is used to
1037 communicate NAT64 prefixes to hosts.
1038 <li>Moved the documentation of flag mappings displayed by "route show" from the <a
1039 href="https://man.openbsd.org/netstat.1">netstat(1)</a> manpage to <a
1040 href="https://man.openbsd.org/route.8">route(8)</a>.
1041 <li>Improvements in <a href="https://man.openbsd.org/nc.1">nc(1)</a>:
1042 <ul>
1043 <li>Stop claiming connection success in UDP mode unless true.
1044 <li>Do not test the connection in non-interactive mode. The test
1045 writes characters to the socket which can corrupt data that is
1046 possibly piped into nc.
1047 <li>Some refactoring and code cleanup.
1048 </ul>
1049
1050 <li>Improvements in
1051 <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>:
1052 <ul>
1053 <li>Added support for newlines inside the alternative names block in
1054 <a href="https://man.openbsd.org/acme-client.conf.5">acme-client.conf(5)</a>.
1055 <li>Use proper data structures for retrieving subject alternative names in
1056 certificates rather than printing them to a buffer and tokenizing and
1057 parsing the undocumented string.
1058 <li>Simplified, corrected and modernized the use of libcrypto interfaces.
1059 <li>Plugged various memory leaks.
1060 <li>Use <a href="https://man.openbsd.org/ASN1_TIME_to_tm.3">ASN1_TIME_to_tm(3)</a>
1061 instead of a poor man's hand-rolled version of it.
1062 <li>Use <a href="https://man.openbsd.org/acme-client.1">timegm(3)</a>
1063 instead of <a href="https://man.openbsd.org/acme-client.1">mktime(3)</a>
1064 to eliminate time-zone variation.
1065 <li>Encode Subject Alternative Name (SAN) entries before printing.
1066 <li>Prevent <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
1067 from leaking an http get request when receiving a redirect without a
1068 location header.
1069 </ul>
1070
1071 <!-- smtpd -->
1072 <li>Prevented <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>
1073 abort due to a connection from a local, scoped ipv6 address.
1074 <li>Fixed a potential NULL dereference in the unpriv child expanding
1075 %{mda} in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
1076 <li>Corrected the order of arguments for calls to <a
1077 href="https://man.openbsd.org/shutdown.2">shutdown(2)</a> on the route
1078 socket of <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, <a
1079 href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a
1080 href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
1081 <li>Made <a href="https://man.openbsd.org/route.8">route(8)</a>
1082 sourceaddr print the used addresses for inet and inet6, or "default"
1083 if no sourceaddr is set and the default algorithm is used.
1084 <li>Added -mpls option to the route(8) monitor command. It can be
1085 used to restrict displayed route messages to the mpls address family.
1086 <li>Fixed <a href="https://man.openbsd.org/openrsync.1">rsync(1)</a>
1087 handling of port numbers in rsync://host[:port]/module URLs.
1088 <li>Made <a href="https://man.openbsd.org/tcpdrop.8">tcpdrop(8)</a>
1089 accept netstat-style address.port syntax.
1090 <li>Ensured <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
1091 correctly adds addresses to the undefined/inactive table.
1092 <li>Switched <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> to default
1093 to read-only unless <code>-w</code> is specified for write access
1094 (the previous default).
1095 <li>Changed <a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a> to only unveil /tftpboot if -t is specified.
1096 <li>Fixed the DIOCIGETIFACES ioctl so all network interfaces and
1097 interface groups are reported in <a
1098 href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>.
1099 </ul>
1100
1101 <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
1102 <ul>
1103 <li>Added scroll-top and scroll-bottom <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> commands to scroll so cursor is at the top or bottom respectively.
1104 <li>Added a -T flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> capture-pane to capture up to the last used cell and not the full width of the pane.
1105 <li>Preserved the marked pane when renumbering windows in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1106 <li>Added modified tab key sequences to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1107 <li>Changed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> to only set the extended flag when searching, which allows send-keys to work.
1108 <li>Added a -l flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-message to disable format expansion.
1109 <li>Fixed a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> crash when there are no window buffers.
1110 <li>Fixed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> C-S-Tab without extended keys.
1111 <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> send-keys -K to handle keys directly as if typed.
1112 <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> tty-keys accept \007 as terminator to OSC 10 or 11.
1113 <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside.
1114 <li>Supported -1 without -N for list-keys in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1115 <li>Added a flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-menu to select the menu item chosen first.
1116 <li>Added Backtab key support to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
1117 <li>Disallowed multiple consecutive line separators in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> menu.
1118 <li>Extended display-message to work for control clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1119 <li>Added -f to list-clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1120 <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> L modifier like P, W, S to loop over clients.
1121 </ul>
1122
1123 <li>LibreSSL version 3.7.2
1124 <ul>
1125 <li>New features
1126 <ul>
1127 <li>Added Ed25519 support both as a primitive and via OpenSSL's EVP interfaces.
1128 <li>X25519 is now also supported via EVP.
1129 <li>The OpenSSL 1.1 raw public and private key API is available with support for
1130 EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519. Poly1305 is not
1131 currently supported via this interface.
1132 <li>Added EVP_CIPHER_meth_*() setter API.
1133 <li>Added various X.509 accessor functions.
1134 </ul>
1135
1136 <li>Compatibility changes
1137 <ul>
1138 <li>BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
1139 various corner cases.
1140 </ul>
1141
1142 <li>Bug fixes
1143 <ul>
1144 <li>Added EVP_chacha20_poly1305() to the list of all ciphers.
1145 <li>Fixed potential leaks of EVP_PKEY in various printing functions
1146 <li>Fixed potential leak in OBJ_NAME_add().
1147 <li>Avoid signed overflow in i2c_ASN1_BIT_STRING().
1148 <li>Cleaned up EVP_PKEY_ASN1_METHOD related tables and code.
1149 <li>Fixed long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
1150 <li>Fixed segfaults in BN_{dec,hex}2bn().
1151 <li>Fixed NULL dereference in x509_constraints_uri_host() reachable only
1152 in the process of generating certificates.
1153 <li>Fixed a variety of memory corruption issues in BIO chains coming
1154 from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
1155 <li>Avoid potential divide by zero in BIO_dump_indent_cb()
1156 <li>Fixed a memory leak, a double free and various other issues in
1157 BIO_new_NDEF().
1158 <li>Fixed various crashes in the openssl(1) testing utility.
1159 <li>Do not check policies by default in the new X.509 verifier.
1160 <li>Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse.
1161 <li>Added missing error checking in PKCS7.
1162 <li>Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
1163 </ul>
1164
1165 <li>Documentation improvements
1166 <ul>
1167 <li>Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
1168 <li>The BN documentation is now considered to be complete.
1169 <li>Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
1170 BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
1171 <li>Documented various BIO_* interfaces.
1172 <li>Documented ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
1173 <li>Documented EVP_PKEY raw private/public key interfaces.
1174 <li>Documented ASN1_buf_print(3).
1175 <li>Documented DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_* and RSA_get0_*.
1176 <li>Merged documentation of UI_null() from OpenSSL 1.1
1177 <li>Various spelling and other documentation improvements.
1178 </ul>
1179
1180 <li>Internal improvements
1181 <ul>
1182 <li>Remove dependency on system timegm() and gmtime() by replacing
1183 traditional Julian date conversion with POSIX epoch-seconds date
1184 conversion from BoringSSL.
1185 <li>Removed old and unused BN code dealing with primes.
1186 <li>Started rewriting name constraints code using CBS.
1187 <li>Removed support for the HMAC PRIVATE KEY.
1188 <li>Reworked DSA signing and verifying internals.
1189 <li>Rewrote the TLSv1.2 key exporter.
1190 <li>Cleaned up and refactored various aspects of the legacy TLS stack.
1191 <li>Initial overhaul of the BIGNUM code:
1192 <ul>
1193 <li>Added a new framework that allows architecture-dependent
1194 replacement implementations for bignum primitives.
1195 <li>Imported various s2n-bignum's constant time assembly primitives
1196 and switched amd64 to them.
1197 <li>Lots of cleanup, simplification and bug fixes.
1198 </ul>
1199 <li>Changed Perl assembly generators to move constants into .rodata,
1200 allowing code to run with execute-only permissions.
1201 <li>Capped the number of iterations in DSA and ECDSA signing (avoiding
1202 infinite loops), added additional sanity checks to DSA.
1203 <li>ASN.1 parsing improvements.
1204 <li>Cleanup and improvements in EC code, including always clearing EC
1205 groups and points on free.
1206 <li>Various openssl(1) improvements.
1207 <li>Various nc(1) improvements.
1208 </ul>
1209
1210 <li>Security fixes
1211 <ul>
1212 <li>A malicious certificate revocation list or timestamp response token
1213 would allow an attacker to read arbitrary memory.
1214 </ul>
1215 </ul>
1216
1217 <li>OpenSSH 9.3 and OpenSSH 9.2<br>
1218 This release of OpenBSD includes the changes made to OpenSSH since release 9.1:
1219 <ul>
1220 <li>Security
1221 <ul>
1222 <li>ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
1223 per-hop destination constraints (ssh-add -h ...) added in OpenSSH
1224 8.9, a logic error prevented the constraints from being
1225 communicated to the agent. This resulted in the keys being added
1226 without constraints. The common cases of non-smartcard keys and
1227 keys without destination constraints are unaffected. This problem
1228 was reported by Luci Stanescu.
1229 <li>ssh(1): Portable OpenSSH provides an implementation of the
1230 getrrsetbyname(3) function if the standard library does not
1231 provide it, for use by the VerifyHostKeyDNS feature. A
1232 specifically crafted DNS response could cause this function to
1233 perform an out-of-bounds read of adjacent stack data, but this
1234 condition does not appear to be exploitable beyond denial-of-service
1235 to the ssh(1) client.<br>
1236 The getrrsetbyname(3) replacement is only included if the system's
1237 standard library lacks this function and portable OpenSSH was not
1238 compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
1239 only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
1240 problem was found by the Coverity static analyzer.
1241 <li>sshd(8): fix a pre-authentication double-free memory fault
1242 introduced in OpenSSH 9.1. This is not believed to be exploitable,
1243 and it occurs in the unprivileged pre-auth process that is
1244 subject to chroot(2) and is further sandboxed on most major
1245 platforms.
1246 <li>ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
1247 would ignore its first argument unless it was one of the special
1248 keywords "any" or "none", causing the permission list to fail open
1249 if only one permission was specified. bz3515
1250 <li>ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
1251 options were enabled, and the system/libc resolver did not check
1252 that names in DNS responses were valid, then use of these options
1253 could allow an attacker with control of DNS to include invalid
1254 characters (possibly including wildcards) in names added to
1255 known_hosts files when they were updated. These names would still
1256 have to match the CanonicalizePermittedCNAMEs allow-list, so
1257 practical exploitation appears unlikely.
1258 </ul>
1259 <li>Potentially-incompatible changes
1260 <ul>
1261 <li>ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
1262 controls whether the client-side ~C escape sequence that provides a
1263 command-line is available. Among other things, the ~C command-line
1264 could be used to add additional port-forwards at runtime.<br>
1265 This option defaults to "no", disabling the ~C command-line that
1266 was previously enabled by default. Turning off the command-line
1267 allows platforms that support sandboxing of the ssh(1) client
1268 (currently only OpenBSD) to use a stricter default sandbox policy.
1269 </ul>
1270 <li>New features
1271 <ul>
1272 <li>ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
1273 outputting SSHFP fingerprints to allow algorithm selection. bz3493
1274 <li>sshd(8): add a `sshd -G` option that parses and prints the
1275 effective configuration without attempting to load private keys
1276 and perform other checks. This allows usage of the option before
1277 keys have been generated and for configuration evaluation and
1278 verification by unprivileged users.
1279 <li>sshd(8): add support for channel inactivity timeouts via a new
1280 sshd_config(5) ChannelTimeout directive. This allows channels that
1281 have not seen traffic in a configurable interval to be
1282 automatically closed. Different timeouts may be applied to session,
1283 X11, agent and TCP forwarding channels.
1284 <li>sshd(8): add a sshd_config UnusedConnectionTimeout option to
1285 terminate client connections that have no open channels for a
1286 length of time. This complements the ChannelTimeout option above.
1287 <li>sshd(8): add a -V (version) option to sshd like the ssh client has.
1288 <li>ssh(1): add a "Host" line to the output of ssh -G showing the
1289 original hostname argument. bz3343
1290 <li>scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
1291 allow control over some SFTP protocol parameters: the copy buffer
1292 length and the number of in-flight requests, both of which are used
1293 during upload/download. Previously these could be controlled in
1294 sftp(1) only. This makes them available in both SFTP protocol
1295 clients using the same option character sequence.
1296 <li>ssh-keyscan(1): allow scanning of complete CIDR address ranges,
1297 e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
1298 it will be expanded to all possible addresses in the range
1299 including the all-0s and all-1s addresses. bz#976
1300 <li>ssh(1): support dynamic remote port forwarding in escape
1301 command-line's -R processing. bz#3499
1302 </ul>
1303 <li>Bugfixes
1304 <ul>
1305 <li>scp(1), sftp(1): fix progressmeter corruption on wide displays;
1306 bz3534
1307 <li>ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
1308 of private keys as some systems are starting to disable RSA/SHA1
1309 in libcrypto.
1310 <li>sftp-server(8): fix a memory leak. GHPR363
1311 <li>ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
1312 compatibility code and simplify what's left.
1313 <li>Fix a number of low-impact Coverity static analysis findings.
1314 These include several reported via bz2687
1315 <li>ssh_config(5), sshd_config(5): mention that some options are not
1316 first-match-wins.
1317 <li>Rework logging for the regression tests. Regression tests will now
1318 capture separate logs for each ssh and sshd invocation in a test.
1319 <li>ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
1320 says it should; bz3532.
1321 <li>ssh(1): ensure that there is a terminating newline when adding a
1322 new entry to known_hosts; bz3529
1323 <li>ssh(1): when restoring non-blocking mode to stdio fds, restore
1324 exactly the flags that ssh started with and don't just clobber them
1325 with zero, as this could also remove the append flag from the set.
1326 bz3523
1327 <li>ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none
1328 and a hostkey in one of the system known hosts file changes.
1329 <li>scp(1): switch scp from using pipes to a socket-pair for
1330 communication with its ssh sub-processes, matching how sftp(1)
1331 operates.
1332 <li>sshd(8): clear signal mask early in main(); sshd may have been
1333 started with one or more signals masked (sigprocmask(2) is not
1334 cleared on fork/exec) and this could interfere with various things,
1335 e.g. the login grace timer. Execution environments that fail to
1336 clear the signal mask before running sshd are clearly broken, but
1337 apparently they do exist.
1338 <li>ssh(1): warn if no host keys for hostbased auth can be loaded.
1339 <li>sshd(8): Add server debugging for hostbased auth that is queued and
1340 sent to the client after successful authentication, but also logged
1341 to assist in diagnosis of HostbasedAuthentication problems. bz3507
1342 <li>ssh(1): document use of the IdentityFile option as being usable to
1343 list public keys as well as private keys. GHPR352
1344 <li>sshd(8): check for and disallow MaxStartups values less than or
1345 equal to zero during config parsing, rather than failing later at
1346 runtime. bz3489
1347 <li>ssh-keygen(1): fix parsing of hex cert expiry times specified on
1348 the command-line when acting as a CA.
1349 <li>scp(1): when scp(1) is using the SFTP protocol for transport (the
1350 default), better match scp/rcp's handling of globs that don't match
1351 the globbed characters but do match literally (e.g. trying to
1352 transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode
1353 would not match these pathnames but legacy scp/rcp mode would.
1354 bz3488
1355 <li>ssh-agent(1): document the "-O no-restrict-websafe" command-line
1356 option.
1357 <li>ssh(1): honour user's umask(2) if it is more restrictive then the
1358 ssh default (022).
1359 </ul>
1360 </ul>
1361
1362 <li>Ports and packages:
1363 <p>Many pre-built packages for each architecture:
1364 <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
1365 <ul style="column-count: 3">
1366 <li>aarch64: 11561
1367 <li>amd64: 11764
1368 <li>arm: 8653
1369 <li>i386: 10572
1370 <li>mips64: 8936
1371 <li>powerpc: 9893
1372 <li>powerpc64: 8474
1373 <li>riscv64: 10191
1374 <li>sparc64: 9325
1375 </ul>
1376
1377 <p>Some highlights:
1378 <ul style="column-count: 3">
1379 <li>Asterisk 16.30.0, 18.17.0 and 20.2.0
1380 <li>Audacity 3.2.5
1381 <li>CMake 3.25.2
1382 <li>Chromium 111.0.5563.110
1383 <li>Emacs 28.2
1384 <li>FFmpeg 4.4.3
1385 <li>GCC 8.4.0 and 11.2.0
1386 <li>GHC 9.2.7
1387 <li>GNOME 43.3
1388 <li>Go 1.20.1
1389 <li>JDK 8u362, 11.0.18 and 17.0.6
1390 <li>KDE Applications 22.12.3
1391 <li>KDE Frameworks 5.103.0
1392 <li>Krita 5.1.5
1393 <li>LLVM/Clang 13.0.0
1394 <li>LibreOffice 7.5.1.2
1395 <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.4
1396 <li>MariaDB 10.9.4
1397 <li>Mono 6.12.0.182
1398 <li>Mozilla Firefox 111.0 and ESR 102.9.0
1399 <li>Mozilla Thunderbird 102.9.0
1400 <li>Mutt 2.2.9 and NeoMutt 20220429
1401 <li>Node.js 18.15.0
1402 <li>OCaml 4.12.1
1403 <li>OpenLDAP 2.6.4
1404 <li>PHP 7.4.33, 8.0.28, 8.1.16 and 8.2.3
1405 <li>Postfix 3.5.17 and 3.7.3
1406 <li>PostgreSQL 15.2
1407 <li>Python 2.7.18, 3.9.16, 3.10.10 and 3.11.2
1408 <li>Qt 5.15.8 and 6.4.2
1409 <li>R 4.2.1
1410 <li>Ruby 3.0.5, 3.1.3 and 3.2.1
1411 <li>Rust 1.68.0
1412 <li>SQLite 2.8.17 and 3.41.0
1413 <li>Shotcut 22.12.21
1414 <li>Sudo 1.9.13.3
1415 <li>Suricata 6.0.10
1416 <li>Tcl/Tk 8.5.19 and 8.6.13
1417 <li>TeX Live 2022
1418 <li>Vim 9.0.1388 and Neovim 0.8.3
1419 <li>Xfce 4.18
1420 </ul>
1421 <p>
1422
1423 <li>As usual, steady improvements in manual pages and other documentation.
1424
1425 <li>The system includes the following major components from outside suppliers:
1426 <ul>
1427 <li>Xenocara (based on X.Org 7.7 with xserver 21.1.6 + patches,
1428 freetype 2.12.1, fontconfig 2.14, Mesa 22.3.4, xterm 378,
1429 xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
1430 <li>LLVM/Clang 13.0.0 (+ patches)
1431 <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1432 <li>Perl 5.36.0 (+ patches)
1433 <li>NSD 4.6.1
1434 <li>Unbound 1.17.0
1435 <li>Ncurses 5.7
1436 <li>Binutils 2.17 (+ patches)
1437 <li>Gdb 6.3 (+ patches)
1438 <li>Awk September 12, 2022
1439 <li>Expat 2.5.0
1440 </ul>
1441
1442 </ul>
1443 </section>
1444
1445 <hr>
1446
1447 <section id=install>
1448 <h3>How to install</h3>
1449 <p>
1450 Please refer to the following files on the mirror site for
1451 extensive details on how to install OpenBSD 7.3 on your machine:
1452
1453 <ul>
1454 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/alpha/INSTALL.alpha">
1455 .../OpenBSD/7.3/alpha/INSTALL.alpha</a>
1456 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/amd64/INSTALL.amd64">
1457 .../OpenBSD/7.3/amd64/INSTALL.amd64</a>
1458 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/arm64/INSTALL.arm64">
1459 .../OpenBSD/7.3/arm64/INSTALL.arm64</a>
1460 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/armv7/INSTALL.armv7">
1461 .../OpenBSD/7.3/armv7/INSTALL.armv7</a>
1462 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/hppa/INSTALL.hppa">
1463 .../OpenBSD/7.3/hppa/INSTALL.hppa</a>
1464 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/i386/INSTALL.i386">
1465 .../OpenBSD/7.3/i386/INSTALL.i386</a>
1466 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/landisk/INSTALL.landisk">
1467 .../OpenBSD/7.3/landisk/INSTALL.landisk</a>
1468 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/loongson/INSTALL.loongson">
1469 .../OpenBSD/7.3/loongson/INSTALL.loongson</a>
1470 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/luna88k/INSTALL.luna88k">
1471 .../OpenBSD/7.3/luna88k/INSTALL.luna88k</a>
1472 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/macppc/INSTALL.macppc">
1473 .../OpenBSD/7.3/macppc/INSTALL.macppc</a>
1474 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/octeon/INSTALL.octeon">
1475 .../OpenBSD/7.3/octeon/INSTALL.octeon</a>
1476 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/powerpc64/INSTALL.powerpc64">
1477 .../OpenBSD/7.3/powerpc64/INSTALL.powerpc64</a>
1478 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/riscv64/INSTALL.riscv64">
1479 .../OpenBSD/7.3/riscv64/INSTALL.riscv64</a>
1480 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/sparc64/INSTALL.sparc64">
1481 .../OpenBSD/7.3/sparc64/INSTALL.sparc64</a>
1482 </ul>
1483 </section>
1484
1485 <hr>
1486
1487 <section id=quickinstall>
1488 <p>
1489 Quick installer information for people familiar with OpenBSD, and the use of
1490 the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1491 If you are at all confused when installing OpenBSD, read the relevant
1492 INSTALL.* file as listed above!
1493
1494 <h3>OpenBSD/alpha:</h3>
1495
1496 <p>
1497 If your machine can boot from CD, you can write <i>install73.iso</i> or
1498 <i>cd73.iso</i> to a CD and boot from it.
1499 Refer to INSTALL.alpha for more details.
1500
1501 <h3>OpenBSD/amd64:</h3>
1502
1503 <p>
1504 If your machine can boot from CD, you can write <i>install73.iso</i> or
1505 <i>cd73.iso</i> to a CD and boot from it.
1506 You may need to adjust your BIOS options first.
1507
1508 <p>
1509 If your machine can boot from USB, you can write <i>install73.img</i> or
1510 <i>miniroot73.img</i> to a USB stick and boot from it.
1511
1512 <p>
1513 If you can't boot from a CD, floppy disk, or USB,
1514 you can install across the network using PXE as described in the included
1515 INSTALL.amd64 document.
1516
1517 <p>
1518 If you are planning to dual boot OpenBSD with another OS, you will need to
1519 read INSTALL.amd64.
1520
1521 <h3>OpenBSD/arm64:</h3>
1522
1523 <p>
1524 Write <i>install73.img</i> or <i>miniroot73.img</i> to a disk and boot from it
1525 after connecting to the serial console. Refer to INSTALL.arm64 for more
1526 details.
1527
1528 <h3>OpenBSD/armv7:</h3>
1529
1530 <p>
1531 Write a system specific miniroot to an SD card and boot from it after connecting
1532 to the serial console. Refer to INSTALL.armv7 for more details.
1533
1534 <h3>OpenBSD/hppa:</h3>
1535
1536 <p>
1537 Boot over the network by following the instructions in INSTALL.hppa or the
1538 <a href="hppa.html#install">hppa platform page</a>.
1539
1540 <h3>OpenBSD/i386:</h3>
1541
1542 <p>
1543 If your machine can boot from CD, you can write <i>install73.iso</i> or
1544 <i>cd73.iso</i> to a CD and boot from it.
1545 You may need to adjust your BIOS options first.
1546
1547 <p>
1548 If your machine can boot from USB, you can write <i>install73.img</i> or
1549 <i>miniroot73.img</i> to a USB stick and boot from it.
1550
1551 <p>
1552 If you can't boot from a CD, floppy disk, or USB,
1553 you can install across the network using PXE as described in
1554 the included INSTALL.i386 document.
1555
1556 <p>
1557 If you are planning on dual booting OpenBSD with another OS, you will need to
1558 read INSTALL.i386.
1559
1560 <h3>OpenBSD/landisk:</h3>
1561
1562 <p>
1563 Write <i>miniroot73.img</i> to the start of the CF
1564 or disk, and boot normally.
1565
1566 <h3>OpenBSD/loongson:</h3>
1567
1568 <p>
1569 Write <i>miniroot73.img</i> to a USB stick and boot bsd.rd from it
1570 or boot bsd.rd via tftp.
1571 Refer to the instructions in INSTALL.loongson for more details.
1572
1573 <h3>OpenBSD/luna88k:</h3>
1574
1575 <p>
1576 Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1577 from the PROM, and then bsd.rd from the bootloader.
1578 Refer to the instructions in INSTALL.luna88k for more details.
1579
1580 <h3>OpenBSD/macppc:</h3>
1581
1582 <p>
1583 Burn the image from a mirror site to a CDROM, and power on your machine
1584 while holding down the <i>C</i> key until the display turns on and
1585 shows <i>OpenBSD/macppc boot</i>.
1586
1587 <p>
1588 Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
1589 /7.3/macppc/bsd.rd</i>
1590
1591 <h3>OpenBSD/octeon:</h3>
1592
1593 <p>
1594 After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
1595 Refer to the instructions in INSTALL.octeon for more details.
1596
1597 <h3>OpenBSD/powerpc64:</h3>
1598
1599 <p>
1600 To install, write <i>install73.img</i> or <i>miniroot73.img</i> to a
1601 USB stick, plug it into the machine and choose the <i>OpenBSD
1602 install</i> menu item in Petitboot.
1603 Refer to the instructions in INSTALL.powerpc64 for more details.
1604
1605 <h3>OpenBSD/riscv64:</h3>
1606
1607 <p>
1608 To install, write <i>install73.img</i> or <i>miniroot73.img</i> to a
1609 USB stick, and boot with that drive plugged in.
1610 Make sure you also have the microSD card plugged in that shipped with the
1611 HiFive Unmatched board.
1612 Refer to the instructions in INSTALL.riscv64 for more details.
1613
1614 <h3>OpenBSD/sparc64:</h3>
1615
1616 <p>
1617 Burn the image from a mirror site to a CDROM, boot from it, and type
1618 <i>boot cdrom</i>.
1619
1620 <p>
1621 If this doesn't work, or if you don't have a CDROM drive, you can write
1622 <i>floppy73.img</i> or <i>floppyB73.img</i>
1623 (depending on your machine) to a floppy and boot it with <i>boot
1624 floppy</i>. Refer to INSTALL.sparc64 for details.
1625
1626 <p>
1627 Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
1628 will most likely fail.
1629
1630 <p>
1631 You can also write <i>miniroot73.img</i> to the swap partition on
1632 the disk and boot with <i>boot disk:b</i>.
1633
1634 <p>
1635 If nothing works, you can boot over the network as described in INSTALL.sparc64.
1636 </section>
1637
1638 <hr>
1639
1640 <section id=upgrade>
1641 <h3>How to upgrade</h3>
1642 <p>
1643 If you already have an OpenBSD 7.2 system, and do not want to reinstall,
1644 upgrade instructions and advice can be found in the
1645 <a href="faq/upgrade73.html">Upgrade Guide</a>.
1646 </section>
1647
1648 <hr>
1649
1650 <section id=sourcecode>
1651 <h3>Notes about the source code</h3>
1652 <p>
1653 <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
1654 This file contains everything you need except for the kernel sources,
1655 which are in a separate archive.
1656 To extract:
1657 <blockquote><pre>
1658 # <kbd>mkdir -p /usr/src</kbd>
1659 # <kbd>cd /usr/src</kbd>
1660 # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
1661 </pre></blockquote>
1662 <p>
1663 <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
1664 This file contains all the kernel sources you need to rebuild kernels.
1665 To extract:
1666 <blockquote><pre>
1667 # <kbd>mkdir -p /usr/src/sys</kbd>
1668 # <kbd>cd /usr/src</kbd>
1669 # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
1670 </pre></blockquote>
1671 <p>
1672 Both of these trees are a regular CVS checkout. Using these trees it
1673 is possible to get a head-start on using the anoncvs servers as
1674 described <a href="anoncvs.html">here</a>.
1675 Using these files
1676 results in a much faster initial CVS update than you could expect from
1677 a fresh checkout of the full OpenBSD source tree.
1678 </section>
1679
1680 <hr>
1681
1682 <section id=ports>
1683 <h3>Ports Tree</h3>
1684 <p>
1685 A ports tree archive is also provided. To extract:
1686 <blockquote><pre>
1687 # <kbd>cd /usr</kbd>
1688 # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
1689 </pre></blockquote>
1690 <p>
1691 Go read the <a href="faq/ports/index.html">ports</a> page
1692 if you know nothing about ports
1693 at this point. This text is not a manual of how to use ports.
1694 Rather, it is a set of notes meant to kickstart the user on the
1695 OpenBSD ports system.
1696 <p>
1697 The <i>ports/</i> directory represents a CVS checkout of our ports.
1698 As with our complete source tree, our ports tree is available via
1699 <a href="anoncvs.html">AnonCVS</a>.
1700 So, in order to keep up to date with the -stable branch, you must make
1701 the <i>ports/</i> tree available on a read-write medium and update the tree
1702 with a command like:
1703 <blockquote><pre>
1704 # <kbd>cd /usr/ports</kbd>
1705 # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_3</kbd>
1706 </pre></blockquote>
1707 <p>
1708 [Of course, you must replace the server name here with a nearby anoncvs
1709 server.]
1710 <p>
1711 Note that most ports are available as packages on our mirrors. Updated
1712 ports for the 7.3 release will be made available if problems arise.
1713 <p>
1714 If you're interested in seeing a port added, would like to help out, or just
1715 would like to know more, the mailing list
1716 <a href="mail.html">ports@openbsd.org</a> is a good place to know.
1717 </section>
1718 </body>
1719 </html>