https://www.openbsd.org/75.html
OpenBSD 7.5
Released Apr 5, 2024. (56th OpenBSD release)
Copyright 1997-2024, Theo de Raadt.
Artwork by Stipan Morian.
* See the information on the FTP page for a list of mirror
machines.
* Go to the pub/OpenBSD/7.5/ directory on one of the mirror sites.
* Have a look at the 7.5 errata page for a list of bugs and
workarounds.
* See a detailed log of changes between the 7.4 and 7.5 releases.
* signify(1) pubkeys for this release:
openbsd-75-base.pub: RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q
openbsd-75-fw.pub: RWQ6EsXr4NMYvyLICug3dLHfmbpXlVasF1jbt3GVNQsosgB5+PgaufBu
openbsd-75-pkg.pub: RWS/sEFDvf+rjUmS1WROzxH05pB1kB7JRRq76DUGUhCE0Ks8AdpjP5pD
openbsd-75-syspatch.pub: RWRAAZC5WcFgn+8b5msDR+yDVCx4ziLaSQI2sy7e4GFY42nFW9p7mP2t
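Before trusting a downloaded set, the public key above has to be turned into a signify(1) key file and used to check SHA256.sig. The following shell snippet is an added example and not part of the OpenBSD release page: it rebuilds openbsd-75-base.pub from the base64 string published above, sanity-checks the file's structure (a signify public key is 42 bytes: the two-byte algorithm tag "Ed", an 8-byte key number and a 32-byte Ed25519 key), and wraps the verification command. The output path and the "untrusted comment" text are the example's own choices; on a real OpenBSD install the key already lives in /etc/signify/.

```shell
# Added example, not OpenBSD's own code. Reconstruct a signify(1) public
# key file from the base64 string on the release page and check it.

# Base64 body copied from the release page (openbsd-75-base.pub).
OPENBSD_75_BASE_PUB="RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q"

# write_pubkey FILE BASE64
# Write a signify-format public key file: an "untrusted comment:" line
# followed by the single base64 line. The comment text is arbitrary.
write_pubkey() {
    printf 'untrusted comment: openbsd 7.5 base public key\n%s\n' "$2" > "$1"
}

# check_pubkey FILE
# Return 0 if FILE has the structure of a signify Ed25519 public key:
# 56 base64 characters on line 2 that decode to 42 bytes beginning with
# the algorithm tag "Ed" (0x45 0x64). This is a structural check only;
# it says nothing about whether the key is the genuine OpenBSD key, which
# must be established out of band (an existing install, a CD, the website).
check_pubkey() {
    b64=$(sed -n '2p' "$1")
    [ "${#b64}" -eq 56 ] || return 1
    raw=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    # 42 bytes encode as 84 hex characters.
    [ "${#raw}" -eq 84 ] || return 1
    case "$raw" in
        4564*) return 0 ;;
        *)     return 1 ;;
    esac
}

# verify_sets DIR PUBKEY
# In a directory holding SHA256.sig and the downloaded sets, verify the
# signature on SHA256.sig with PUBKEY and then the checksums of every
# file it lists. Requires signify(1); returns 2 when it is not installed.
verify_sets() {
    dir=$1
    pub=$2
    command -v signify >/dev/null 2>&1 || {
        echo "signify(1) not available on this host" >&2
        return 2
    }
    ( cd "$dir" && signify -C -p "$pub" -x SHA256.sig )
}
```

Typical use is `write_pubkey ./openbsd-75-base.pub "$OPENBSD_75_BASE_PUB"`, then `check_pubkey ./openbsd-75-base.pub`, then `verify_sets ./pub/OpenBSD/7.5/amd64 ./openbsd-75-base.pub`; a mismatched or missing file makes signify report it and exit non-zero, so the function's return value can gate the rest of a provisioning script.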
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files
fetched via ports.tar.gz.
---------------------------------------------------------------------
What's New
This is a partial list of new features and systems included in
OpenBSD 7.5. For a comprehensive list, see the changelog leading to
7.5.
* Various kernel improvements:
+ Added bt(5) and btrace(8) support for binary modulo operator
('%').
+ Added a TIMEOUT_MPSAFE flag to timeout(9).
+ Added IBM encoded version of the "Spleen 8x16" font, usable
as console font.
+ Cleanup and machine-independent refactoring of three context
switch paths outside of mi_switch(): proc_trampoline, when a
process forks and the new proc needs to be scheduled; cpu_hatch,
when booting APs; and sched_exit, when a proc exits.
+ Made vscsi(4) 'vscsi_filtops' mpsafe and extended the
'sc_state_mtx' mutex(9) to protect 'sc_klist' knotes list.
+ Made out-of-swap checking more robust, preventing potential
deadlocks.
+ Eliminated the ioctl whitelist that bio(4) will tunnel for
other devices, allowing bio to be used with other (non-raid)
related devices.
+ On msdos filesystems, ensure that a complete struct fsinfo is
read even if the filesystem sectors are smaller.
+ Implemented per-CPU caching for the page table page (vp) pool
and the PTE descriptor (pted) pool in the arm64 pmap
implementation. This significantly reduces the side-effects
of lock contention on the kernel map lock and leads to
significant speedups on machines with many CPU cores.
+ Implemented acpi(4) RootPathString support in the LoadTable()
AML function, fixing OpenBSD boot on an older version of
Hyper-V.
+ Fixed Linux NFS clients freezing after five minutes of
inactivity.
+ Fixed core file writing when a file mapped into memory has
later been truncated to be smaller than the mapping.
+ Disallow madvise(2) and msync(2) memory/mapping destructive
operations on immutable memory regions. Instead return EPERM.
+ Added new amd64-only sysctl machdep.retpoline which says
whether the cpu requires the retpoline branch target
injection mitigation.
+ Added new accounting flag ABTCFI to acct(5) to indicate
SIGILL + code ILL_BTCFI has occurred in the process.
* SMP Improvements
+ Some network timers run without kernel lock.
+ TCP syn cache timer runs with shared net lock.
+ bind(2) and connect(2) system calls can run in parallel.
+ Packet counters for the lo(4) loopback interface are MP safe.
+ Split protocol control block table for UDP into IPv4 and IPv6
tables to allow concurrent access.
+ UDP packets can be sent in parallel by multiple threads.
* Direct Rendering Manager and graphics drivers
+ Updated drm(4) to Linux 6.6.19.
+ New apldcp(4) and apldrm(4) drivers for Apple display
coprocessor.
* VMM/VMD improvements
+ Fixed IRQ storm caused by edge-triggered devices such as the
UART.
+ Fixed block size calculation for vioscsi devices.
+ Added io instruction length to vm exit information, allowing
vmd(8) to perform validation in userspace.
+ Adopted new imsg_get_*(3) api.
+ Rewrote vionet devices to allow zero-copy data transfers
between host and guest.
+ Improved error messages related to getgrnam(3) usage and out
of tap(4) device conditions.
+ Fixed various things found by smatch static analyzer.
+ Fixed various file descriptor lifecycle issues and leaks
across fork(2)/ execve(2) usage.
+ Added multi-threading support to vionet device emulation,
improving latency.
+ Fixed vmm(4) instability on Intel VMX hosts by updating GDTR
& TR if vcpu moves host cpus.
+ Added EPT flushing upon vmm(4) enabling VMX mode.
+ Added branch predictor flushing if IBPB is supported.
+ Corrected restoring GDTR and IDTR limits upon VMX guest exit.
+ Corrected handling of CPUID 0xd subleaves.
+ Added additional use of VERW and register clobbering to
mitigate RFDS vulnerabilities on Intel Atom cores.
* Various new userland features:
+ Made malloc(3) save backtraces to show in leak dump with
depth of backtrace set via malloc option D (aka 1), 2, 3 or
4.
+ Added support for cksum(1) -c checking base64 digests in
reverse mode.
+ Added kdump(1) [-p program] to filter dumps by basename.
+ Made ps(1) accept numerical user IDs.
+ Built and provide the tzdata.zi and leap-seconds.list files
from zoneinfo. Some third-party software now expects these
files to be installed. Provide the zonenow.tab file, a table
where each row stands for a timezone where civil timestamps
are predicted to agree from now on.
+ Added basic write support for pax(1) format archives.
+ Added 'pax' format support for files over 8GB to tar(1).
+ Added 'pax' format support for mtime and atime to tar(1).
+ Extended imsg and the ibuf buffer manipulation API with
useful getter methods. Unified file descriptor passing in all
imsg using programs with the use of the imsg_get_fd()
function.
+ Added mkdtemps(3), identical to mkdtemp(3) except that it
permits a suffix to exist in the template.
+ Added mktemp(1) suffix support for compatibility with the GNU
version. It is now possible to use templates where the Xs are
not at the end.
* Various bugfixes and tweaks in userland:
+ Silenced list of specific firmware not needing update in
pkg_add(1).
+ Improved ls(1) horizontal alignment in long format.
+ Added bioctl(8) retry on empty passphrase.
+ Fixed unveil(2) in patch(1) with explicit patchfile.
+ Made gnu99 the default for gcc 3.3.6 and 4.2.1 rather than
defaulting to gnu89.
+ Enhanced fdisk(8) 'flag' to accept hex values.
+ Prevented fdisk(8) 'flag' from altering other GPT partition
attributes when flagging a partition as the only bootable
partition.
+ Allow fdisk(8) to add GPT partitions of protected types,
making it possible to provision virtual machine images that
need a "BIOS Boot" partition.
+ Added group handling matching fbtab(5) to xenodm.
+ Made grep(1) -m behavior match GNU grep.
+ Tweaked the default memory limits in /etc/login.conf on
several architectures to account for increased memory
requirements, for example when compiling or linking under
user pbuild.
+ Initialize all terminals with "tset -I", thereby avoiding
printing extra newlines.
+ Added mkhybrid(8) '-e' (-eltorito-boot-efi) option for
writing an EFI eltorito boot image, in addition to or instead
of the x86 boot image, to the output file.
+ Added openrsync(1) --omit-dir-times (-O) to omit directories
from --times, as well as --no-O and --no-omit-dir-times
options for compatibility.
+ Implemented openrsync(1) --omit-link-times (-J) option to
omit symlinks from --times.
+ Added accounting flag and lastcomm(1) report for syscall
pinning violations.
+ Added ktrace(1) and kdump(1) support to observe pinsyscall(2)
violations.
+ Changed ftp(1) to avoid use of the interactive shell if -o is
given.
+ Moved non-daemon services to run in a different rc(8) process
group to avoid SIGHUP at boot.
+ Changed ld.so(1) to load only the first libc version
requested and substitute it for all further loads, ensuring
that the libc version requested by the executable itself is
the one loaded.
+ Significantly (for small programs) reduce the size of
statically linked binaries by splitting several libc internal
functions into separate compilation and thus linkage units.
Specifically getpwnam(3) does not need the full YP socket
setup and does not use all possible dbopen(3) database
backends.
+ Added vi(1) showfilename set option to display the file name
in the lower left corner.
+ Added backup of disklabel for softraid(4) chunks to
security(8).
* Improved hardware support and driver bugfixes, including:
+ New ampchwm(4) driver for Ampere Altra power telemetry.
+ New rkspi(4) driver for Rockchip SPI controller.
+ Support for RK806 PMIC in rkpmic(4).
+ Support for Allwinner H616 in sxisyscon(4), sxiccmu(4),
sxipio(4), sximmc(4) and ehci(4).
+ Support for Allwinner D1 in sxidog(4), sxiccmu(4), sxipio(4),
sximmc(4) and ehci(4).
+ Support for Aero and Sea SAS HBAs in mpii(4).
+ Support for SAS3816 and SAS3916 in mfii(4).
+ In xbf(4), allowed Xen to use backing store devices with
4K-byte sectors.
+ Added fanpwr(4) support for the Rockchip RK8602 and RK8603
voltage regulators.
+ Support keyboard backlights on Apple Powerbooks.
+ Added operating performance point info about each arm64 cpu
and expose the states of thermal zones as kstats(1).
+ Overhauled ugold(4) temperature sensor identification logic
and added support for additional devices.
+ Made uthum(4) TEMPer{1,2} devices display negative degC.
+ Improved support for audio devices that attach via multiple
uaudio(4) drivers.
+ In nvme(4) don't create sd(4) devices larger than the
namespace.
+ Fix nvme(4) decoding of status fields.
* New or improved network hardware support:
+ Utilize full checksum offload capabilities of vio(4) and
vmx(4).
+ TCP Segmentation Offload (TSO) is also used in bnxt(4) and
em(4).
+ Enabled TCP Segmentation Offload (TSO) in ixl(4).
+ The Synopsys Ethernet Quality-of-Service Controller (dwqe(4))
is enabled for amd64.
+ Added initial support for Elkhart Lake Ethernet to dwqe(4).
+ Support for AX88179A in axen(4).
+ Intel I225 and I226 Ethernet Controller igc(4) enabled for
sparc64.
+ Allwinner EMAC Ethernet Controller dwxe(4) enabled for
riscv64.
+ Corrected wrong register offset macros for dwqe(4) DMA burst
length.
+ Fixed Tx watchdog trigger and freeze in dwqe(4).
+ Updated rge(4) microcode, initialization and reset behavior.
+ Prevented a potential bnxt(4) crash after failure to bring up
a queue.
* Added or improved wireless network drivers:
+ Introduce qwx(4), a port of the Linux ath11k driver for
QCNFA765 devices. Available on the amd64 and arm64 platforms.
+ Fix Tx rate selection for management frames in iwx(4).
+ Fix iwx(4) loading the wrong firmware image on some devices.
+ Make bwfm(4) work with MAC addresses set via ifconfig lladdr.
+ Ensure that iwm(4) uses the 80MHz primary channel index
announced in beacons.
+ Avoid using MCS-9 in iwm(4) Tx rate selection if 40 MHz is
disabled to prevent firmware errors.
+ Ensure that iwm(4) and iwx(4) devices announce VHT
capabilities in probe requests.
+ Fix bug in iwm(4), iwx(4), and iwn(4) which could result in
some channels missing from scan results.
+ Enable iwm(4) on the arm64 platform.
* IEEE 802.11 wireless stack improvements and bugfixes:
+ Ignore 40/80 MHz wide channel configurations which do not
appear in the 802.11ac spec. This prevents device firmware
errors which occurred when an access point announced an
invalid channel configuration.
* Installer, upgrade and bootloader improvements:
+ Add support for disk encryption in unattended installations
with autoinstall(8), both with a plaintext passphrase or a
keydisk.
+ Removed default sets answer in autoinstall(8) response file
such that it now populates only with non-defaults.
+ Made fw_update(8) verify but not overwrite SHA256.sig.
+ Improved fw_update(8) output on errors and improved ftp error
handling.
+ Added support in the installer to encrypt the root disk with
a key disk.
+ Prevent re-starting the automatic upgrade on octeon and
powerpc64, as is already done on other platforms.
+ Added CD install images to arm64.
+ Make the amd64 cdXX.iso and installXX.iso CD images bootable
in EFI mode (by creating an EFI system partition containing
the EFI boot loaders to be installed as an El Torito boot
image).
* Security improvements:
+ Introduce pinsyscalls(2): The kernel and ld.so(1) register
the precise entry location of every system call used by a
program, as described in the new ELF section
.openbsd.syscalls inside ld.so and libc.so. ld.so uses the
new syscall pinsyscalls(2) to tell the kernel the precise
entry location of system calls in libc.so.
Attempting to use a different system call entry instruction
to perform a non-corresponding system call operation will
fail and the process will be terminated with signal SIGABRT.
+ Removed support for syscall(2), the "indirection system
call," a dangerous alternative entry point for all system
calls.
Together with pinsyscalls(2) this change makes it impossible
to perform a system call in any way other than through the
libc system call wrapper functions.
Users of syscall(2), such as Perl and the Go programming
language, were converted to use the libc functions.
+ Added pledge(2) stdio before parsing pfkey messages to
ipsecctl(8) -m and -s.
+ Tightened the pledge(2) in pax(1) in List and Append modes.
+ Created __OpenBSD versions of llvm cxa guard implementation
using futex(2) with the correct number of arguments and
without using syscall(2).
+ Improvements in Pointer Authentication (PAC) and Branch
Target Identification (BTI) on arm64.
* Changes in the network stack:
+ Enable IPv6 support in ppp(4)
+ Sockets with sequenced packet type and control messages now
handle end of record correctly.
+ The routing table has a generation number, so routes cached
at sockets are invalidated when the routing table changes.
Local connections therefore use the up-to-date route, which
matters especially with dynamic routing daemons.
+ Route cache hits and misses are printed in netstat(1)
statistics.
+ Prevented wg(4) getting stuck on peer destruction.
+ Made umb(4) delete any existing v4 address before setting a
new one, allowing keeping of a working default route when the
address changes.
+ Forwarded TCP LRO disabling to parent devices and disabled
TCP LRO on bridged vlan(4) and by default for bpe(4), nvgre(4)
and vxlan(4).
+ Fixed race between ifconfig(8) destroy of an interface and
the ARP timer.
+ Added statistics counters for the route cache, reporting
cache hits and misses. This is shown in netstat(1) with
netstat -s.
* The following changes were made to the pf(4) firewall:
+ tcpdump on the pflog(4) interface shows packets dropped by
the default rule with the "block" action. Although the default
rule is a "pass" rule, it blocks malformed packets. This is now
correctly logged.
+ Adjustments to keep the firewall aware of MP related changes
in the network stack.
+ Fix handling of multiple -K(-k) options in pfctl(8), so
behavior matches what's described in manual.
+ Make pfctl(8) show all tables in all anchors with pfctl -a
"*" -sT.
+ Added check to ensure pfctl(8) -f won't accept a directory
and install an empty ruleset.
+ Added validation for IPv4 packet options in divert(4).
* Routing daemons and other userland network improvements:
+ IPsec support was improved:
o Made iked(8) always prefer the group from the initial KE
payload as responder if supported.
o Corrected renewal of expired certificates in iked(8).
o Added an iked(8) debug message when no policy is found.
o Implemented a per connection peerid for iked(8) control
replies.
o Made iked(8) trigger retransmission only for fragment 1/x
to prevent each received fragment triggering
retransmission of the full fragment queue.
o Prevent routing loops by dropping already encrypted
packets that are going through sec(4) again.
+ In bgpd(8),
o Rewrite the internal message passing mechanism to use a
new memory-safe API.
o Rewrite most protocol parsers to use the new memory-safe
API. Convert the UPDATE parser, all of RTR, as well as
both the MRT dump code in bgpd and the parser in bgpctl.
o Improve RTR logging, error handling and version
negotiation.
+ rpki-client(8) saw these and more changes:
o Add ability to constrain an RPKI Trust Anchor's effective
signing authority to a limited set of Internet numbers.
This allows Relying Parties to enjoy the potential
benefits of assuming trust, but within a bounded scope.
o Following a 'failed fetch' (described in RFC 9286), emit
a warning and continue with a previously cached Manifest
file.
o Emit a warning when the remote repository presents a
Manifest with an unexpected manifestNumber.
o Improved CRL extension checking.
o Experimental support for the P-256 signature algorithm.
o A failed manifest fetch could result in a NULL pointer
dereference or a use after free.
o Reject non-conforming RRDP delta elements that contain
neither publish nor a withdraw element and fall back to
the RRDP snapshot.
o Refactoring and minor bug fixes in the warning display
functions.
o The handling of manifests fetched via rsync or RRDP was
reworked to fully conform to RFC 9286.
o Fix a race condition between closing an idle connection
and scheduling a new request on it.
o The evaluation time specified with -P now also applies to
trust anchor certificates.
o Check that the entire CMS eContent was consumed.
Previously, trailing data would be silently discarded on
deserialization of products.
o In file mode, do not consider overclaiming intermediate CA
certificates as invalid. A warning is still issued.
o Print the revocation time of certificates in file mode.
o Be more careful when converting OpenSSL numeric
identifiers (NIDs) to strings.
o Added support for RPKI Signed Prefix Lists.
o Added an -x flag to opt into parsing and evaluation of
file types that are still considered experimental.
o Added a metric to track the number of new files that were
moved to the validated cache.
o Ensure that the FileAndHashes list in a Manifest contains
no duplicate file names and no duplicate hashes.
+ In smtpd(8),
o Add Message-Id as needed for messages received on the
submission port.
o Added support for RFC 7505 "Null MX" handling and treat
an MX of "localhost" as if it were a "Null MX".
o Allow inline tables and filter listings in smtpd.conf(5)
to span over multiple lines.
o Enabled DSN for the implicit socket too.
o Added the no-dsn option for listen on socket too.
o Reject headers that start with a space or a tab.
o Fixed parsing of the ORCPT parameter.
o Fixed table lookups of IPv6 addresses.
o Fixed handling of escape characters in To, From and Cc
headers.
o Run LMTP deliveries as the recipient user again.
o Disallow custom commands and file reading in root's
.forward file.
o Do not process other users' .forward files when an
alternate delivery user is provided in a dispatcher.
o Unify the table(5) parser used in smtpd(8) and makemap(8).
o Allow to use table(5) mappings on various match
constraints.
+ Many other changes in various network programs and libraries:
o If a DNS name is configured as remote syslog server,
syslogd(8) retries to resolve the loghost name
periodically until it succeeds. UDP packets that get lost
during that period are counted and logged later.
o Added counting of dropped UDP packets to syslogd(8).
o Prevented use after free of TLS context at syslogd(8)
shutdown.
o Introduced dhcpd(8) log output to stderr and '-v' option
to make this output more verbose.
o In dhcpd(8), made dhcp-options(5) recognize option
ipv6-only-preferred (RFC8925).
o Allowed dhcpleased(8) to request "IPv6-only preferred"
and deconfigure IPv4 on the interface if the server
replies with this option.
o Fixed radiusd(8) to properly fixup MPPE-{Send,Recv}-Key
and Tunnel-Password attributes of the response.
o Added nochroot parameter to radiusd(8)
module_drop_privilege() so that modules can use unveil(2)
instead of chroot(2) if needed.
o Ensured correct denominators when converting NTP fixed
point values to double and vice-versa in ntpd(8).
o In the resolver, do not short-circuit resolution of
localhost when AI_NUMERICHOST is set. Ensure that a
proper string is returned by getaddrinfo(3) when
AI_CANONNAME or AI_FQDN is set.
o Added ifconfig(8) support for specifying ports on the src
address in tunnel endpoints of gif(4), gre(4) and related
tunnel interfaces.
o Added an ifconfig(8) endpoint command for "bridges" that
use addresses as endpoints, usable to add static entries
on interfaces like vxlan(4).
o Tightened up relayd(8) HTTP header parsing.
o Deferred relayd(8) relay_read_http header parsing until
after line continuation, preventing potential request
smuggling attacks.
o Improved httpd(8) auto-index, adding human-readable file
sizes and allowing per-column sorting.
o Switched to using whois.internic.net for whois(1) -i.
* tmux(1) improvements and bug fixes:
+ Made tmux(1) unzoom a window at the start of destroy so it
doesn't happen later after the layout has been freed.
+ Prevented tmux(1) use of combined UTF-8 characters that are
too long.
+ Corrected tmux(1) handling of window ops with no pane.
+ Removed flags from the prefix before comparing with the
received key so that tmux(1) modifier keys with flags work
correctly.
+ Increased buffer size to avoid truncating styles in tmux(1).
+ Added two new values for the tmux(1) destroy-unattached
option to destroy sessions only if they are not members of
session groups.
* LibreSSL version 3.9.0
+ Portable changes
o libcrypto no longer exports compat symbols in cmake
builds.
o Most compatibility symbols are prefixed with libressl_ to
avoid symbol clashes in static links.
o Fixed various warnings on Windows.
o Removed assert pop-ups with Windows debug builds.
o Fixed crashes and hangs in Windows ARM64 builds.
o Improved control-flow enforcement (CET) support.
+ Internal improvements
o Converted uses of OBJ_bsearch_() to standard bsearch(3).
o Greatly simplified by_file_ctrl().
o Simplified and cleaned up the OBJ_ API.
o Cleaned up the EVP_Cipher{Init,Update,Final}(3)
implementations.
o Removed unused function pointers from X.509 stores and
contexts.
o A lot of cleanup and reorganization in EVP.
o Removed all remaining ENGINE tentacles.
o Simplified internals of X509_TRUST handling.
o Made deletion from a lhash doall callback safe.
o Rewrote BIO_dump*(3) internals to be less bad.
+ Documentation improvements
o ENGINE documentation was updated to reflect reality.
o Made EVP API documentation more accurate and less
incoherent.
o Call out some shortcomings of the EC_KEY_set_* API
explicitly.
+ Testing and proactive security
o Bug fixes and simplifications in the Wycheproof tests.
+ Compatibility changes
o Added ChaCha20 and chacha20 aliases for ChaCha.
o SSL_library_init(3) now has the same effect as
OPENSSL_init_ssl().
o EVP_add_{cipher,digest}() were removed. From the OBJ_NAME
API, only OBJ_NAME_do_all*() remain. In particular, it is
no longer possible to add aliases for ciphers and
digests.
o The thread unsafe global tables are no longer supported.
It is no longer possible to add aliases for ciphers and
digests, custom ASN.1 strings table entries, ASN.1
methods, PKEY methods, digest methods, CRL methods,
purpose and trust identifiers, or X.509 extensions.
o Removed the _cb() and _fp() versions of
BIO_dump{,_indent}().
o BIO_set() was removed.
o BIO_{sn,v,vsn}printf() were removed.
o Turn the long dysfunctional openssl(1) s_client -pause
into a noop.
o openssl(1) x509 now supports -new, -force_pubkey,
-multivalue-rdn, -set_issuer -set_subject, and -utf8.
o Support ECDSA with SHA-3 signature algorithms.
o Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
o GOST and STREEBOG support was removed.
o CRYPTO_THREADID, _LHASH, _STACK and X509_PURPOSE are now
opaque, X509_CERT_AUX and X509_TRUST were removed from
the public API.
o ASN1_STRING_TABLE_get(3) and X509_PURPOSE_get0*(3) now
return const pointers.
o EVP_{CIPHER,MD}_CTX_init()'s signatures and semantics now
match OpenSSL's behavior.
o sk_find_ex() and OBJ_bsearch_() were removed.
o CRYPTO_malloc(3) was fixed to use size_t argument.
CRYPTO_malloc() and CRYPTO_free() now accept file and
line arguments.
o A lot of decrepit CRYPTO memory API was removed.
+ Bug fixes
o Fixed aliasing issues in BN_mod_exp_simple() and
BN_mod_exp_recp().
o Fixed numerous misuses of X509_ALGOR_set0(3) resulting in
leaks and potentially incorrect encodings.
o Fixed potential double free in
X509v3_asid_add_id_or_range(3).
o Stopped using ASN1_time_parse() outside of libcrypto.
o Prepared OPENSSL_gmtime(3) and OPENSSL_timegm(3) as
public API wrappers of internal functions compatible with
BoringSSL API.
o Removed print_bin() to avoid overwriting the stack with 5
bytes of " " when ECPK parameters are printed with large
indentation.
o Avoid a NULL dereference after memory allocation failure
during TLS version downgrade.
o Fixed various bugs in CMAC internals.
o Fixed 4-byte overreads in GHASH assembly on amd64 and
i386.
o Fixed various NULL dereferences in PKCS #12 code due to
mishandling of OPTIONAL content in PKCS #7 ContentInfo.
o Aligned SSL_shutdown(3) behavior in TLSv1.3 with the
legacy stack.
o Fixed the new X.509 verifier to find trust anchors in the
trusted stack.
* OpenSSH 9.6 and OpenSSH 9.7
+ Security fixes
o ssh(1), sshd(8): implement protocol extensions to thwart
the so-called "Terrapin attack" discovered by Fabian
Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack
allows a MITM to effect a limited break of the integrity
of the early encrypted SSH transport protocol by sending
extra messages prior to the commencement of encryption,
and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/
server would not be able to detect that messages were
deleted.
While cryptographically novel, the security impact of
this attack is fortunately very limited as it only allows
deletion of consecutive messages, and deleting most
messages at this stage of the protocol prevents user
authentication from proceeding and results in a stuck
connection.
The most serious identified impact is that it lets a MITM
to delete the SSH2_MSG_EXT_INFO message sent before
authentication starts, allowing the attacker to disable a
subset of the keystroke timing obfuscation features
introduced in OpenSSH 9.5. There is no other discernible
impact to session secrecy or session integrity.
o ssh-agent(1): when adding PKCS#11-hosted private keys
while specifying destination constraints, if the PKCS#11
token returned multiple keys then only the first key had
the constraints applied. Use of regular private keys,
FIDO tokens and unconstrained keys are unaffected.
o ssh(1): if an invalid user or hostname that contained
shell metacharacters was passed to ssh(1), and a
ProxyCommand, LocalCommand directive or "match exec"
predicate referenced the user or hostname via %u, %h or
similar expansion token, then an attacker who could
supply arbitrary user/hostnames to ssh(1) could
potentially perform command injection depending on what
quoting was present in the user-supplied ssh_config(5)
directive.
OpenSSH 9.6 now bans most shell metacharacters from user
and hostnames supplied via the command-line. This
countermeasure is not guaranteed to be effective in all
situations, as it is infeasible for ssh(1) to universally
filter shell metacharacters potentially relevant to
user-supplied commands.
User/hostnames provided via ssh_config(5) are not subject
to these restrictions, allowing configurations that use
strange names to continue to be used, under the
assumption that the user knows what they are doing in
their own configuration files.
+ New features
o ssh(1), sshd(8): add a "global" ChannelTimeout type that
watches all open channels and will close all open
channels if there is no traffic on any of them for the
specified interval. This is in addition to the existing
per-channel timeouts added recently.
This supports situations like having both session and x11
forwarding channels open where one may be idle for an
extended period but the other is actively used. The
global timeout could close both channels when both have
been idle for too long.
o All: make DSA key support compile-time optional,
defaulting to on.
+ Bugfixes
o sshd(8): don't append an unnecessary space to the end of
subsystem arguments (bz3667)
o ssh(1): fix the multiplexing "channel proxy" mode, broken
when keystroke timing obfuscation was added. (GHPR#463)
o ssh(1), sshd(8): fix spurious configuration parsing
errors when options that accept array arguments are
overridden (bz3657).
o ssh-agent(1): fix potential spin in signal handler (bz3670)
o Many fixes to manual pages and other documentation,
including GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
o Greatly improve interop testing against PuTTY.
* Ports and packages:
Many pre-built packages for each architecture:
+ aarch64: 12145
+ amd64: 12309
+ arm: XXX
+ i386: 10830
+ mips64: 8674
+ powerpc: XXX
+ powerpc64: 8469
+ riscv64: 10508
+ sparc64: 9432
Some highlights:
+ Asterisk 16.30.1, 18.21.0 and 20.6.0
+ Audacity 3.4.2
+ CMake 3.28.3
+ Chromium 122.0.6261.111
+ Emacs 29.2
+ FFmpeg 4.4.4
+ GCC 8.4.0 and 11.2.0
+ GHC 9.6.4
+ GNOME 45
+ Go 1.22.1
+ JDK 8u402, 11.0.22, 17.0.10 and 21.0.2
+ KDE Applications 23.08.4
+ KDE Frameworks 5.115.0
+ KDE Plasma 5.27.10
+ Krita 5.2.2
+ LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
+ LibreOffice 24.2.1.2
+ Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
+ MariaDB 10.9.8
+ Mono 6.12.0.199
+ Mozilla Firefox 123.0.1 and ESR 115.8.0
+ Mozilla Thunderbird 115.8.1
+ Mutt 2.2.13 and NeoMutt 20240201
+ Node.js 18.19.1
+ OCaml 4.14.1
+ OpenLDAP 2.6.7
+ PHP 7.4.33, 8.0.30, 8.1.27, 8.2.16 and 8.3.3
+ Postfix 3.8.6
+ PostgreSQL 16.2
+ Python 2.7.18, 3.9.18, 3.10.13 and 3.11.8
+ Qt 5.15.12 (+ kde patches) and 6.6.1
+ R 4.2.3
+ Ruby 3.1.4, 3.2.3 and 3.3.0
+ Rust 1.76.0
+ SQLite 3.44.2
+ Shotcut 23.07.29
+ Sudo 1.9.15.5
+ Suricata 7.0.3
+ Tcl/Tk 8.5.19 and 8.6.13
+ TeX Live 2023
+ Vim 9.1.139 and Neovim 0.9.5
+ Xfce 4.18.1
* As usual, steady improvements in manual pages and other
documentation.
* The system includes the following major components from outside
suppliers:
+ Xenocara (based on X.Org 7.7 with xserver 21.1.11 + patches,
freetype 2.13.0, fontconfig 2.14.2, Mesa 23.1.9, xterm 378,
xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
+ LLVM/Clang 16.0.6 (+ patches)
+ GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
+ Perl 5.36.3 (+ patches)
+ NSD 4.8.0
+ Unbound 1.18.0
+ Ncurses 5.7
+ Binutils 2.17 (+ patches)
+ Gdb 6.3 (+ patches)
+ Awk January 22, 2024
+ Expat 2.6.0
+ zlib 1.3.1 (+ patches)
---------------------------------------------------------------------
How to install
Please refer to the following files on the mirror site for extensive
details on how to install OpenBSD 7.5 on your machine:
* .../OpenBSD/7.5/alpha/INSTALL.alpha
* .../OpenBSD/7.5/amd64/INSTALL.amd64
* .../OpenBSD/7.5/arm64/INSTALL.arm64
* .../OpenBSD/7.5/armv7/INSTALL.armv7
* .../OpenBSD/7.5/hppa/INSTALL.hppa
* .../OpenBSD/7.5/i386/INSTALL.i386
* .../OpenBSD/7.5/landisk/INSTALL.landisk
* .../OpenBSD/7.5/loongson/INSTALL.loongson
* .../OpenBSD/7.5/luna88k/INSTALL.luna88k
* .../OpenBSD/7.5/macppc/INSTALL.macppc
* .../OpenBSD/7.5/octeon/INSTALL.octeon
* .../OpenBSD/7.5/powerpc64/INSTALL.powerpc64
* .../OpenBSD/7.5/riscv64/INSTALL.riscv64
* .../OpenBSD/7.5/sparc64/INSTALL.sparc64
---------------------------------------------------------------------
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
OpenBSD/alpha:
If your machine can boot from CD, you can write install75.iso or
cd75.iso to a CD and boot from it. Refer to INSTALL.alpha for more
details.
OpenBSD/amd64:
If your machine can boot from CD, you can write install75.iso or
cd75.iso to a CD and boot from it. You may need to adjust your BIOS
options first.
If your machine can boot from USB, you can write install75.img or
miniroot75.img to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install
across the network using PXE as described in the included
INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will
need to read INSTALL.amd64.
OpenBSD/arm64:
If your machine can boot from CD, you can write install75.iso or
cd75.iso to a CD and boot from it.
To boot from disk, write install75.img or miniroot75.img to a disk
and boot from it after connecting to the serial console. Refer to
INSTALL.arm64 for more details.
OpenBSD/armv7:
Write a system specific miniroot to an SD card and boot from it after
connecting to the serial console. Refer to INSTALL.armv7 for more
details.
OpenBSD/hppa:
Boot over the network by following the instructions in INSTALL.hppa
or the hppa platform page.
OpenBSD/i386:
If your machine can boot from CD, you can write install75.iso or
cd75.iso to a CD and boot from it. You may need to adjust your BIOS
options first.
If your machine can boot from USB, you can write install75.img or
miniroot75.img to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install
across the network using PXE as described in the included
INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will
need to read INSTALL.i386.
OpenBSD/landisk:
Write miniroot75.img to the start of the CF or disk, and boot
normally.
OpenBSD/loongson:
Write miniroot75.img to a USB stick and boot bsd.rd from it or boot
bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for
more details.
OpenBSD/luna88k:
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the
bootloader from the PROM, and then bsd.rd from the bootloader. Refer
to the instructions in INSTALL.luna88k for more details.
OpenBSD/macppc:
Burn the image from a mirror site to a CDROM, and power on your
machine while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /7.5/macppc/bsd.rd
OpenBSD/octeon:
After connecting a serial port, boot bsd.rd over the network via
DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/powerpc64:
To install, write install75.img or miniroot75.img to a USB stick,
plug it into the machine and choose the OpenBSD install menu item in
Petitboot. Refer to the instructions in INSTALL.powerpc64 for more
details.
OpenBSD/riscv64:
To install, write install75.img or miniroot75.img to a USB stick, and
boot with that drive plugged in. Make sure you also have the microSD
card plugged in that shipped with the HiFive Unmatched board. Refer
to the instructions in INSTALL.riscv64 for more details.
OpenBSD/sparc64:
Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can
write floppy75.img or floppyB75.img (depending on your machine) to a
floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for
details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or
your install will most likely fail.
You can also write miniroot75.img to the swap partition on the disk
and boot with boot disk:b.
If nothing works, you can boot over the network as described in
INSTALL.sparc64.
---------------------------------------------------------------------
How to upgrade
If you already have an OpenBSD 7.4 system, and do not want to
reinstall, upgrade instructions and advice can be found in the
Upgrade Guide.
---------------------------------------------------------------------
Notes about the source code
src.tar.gz contains a source archive starting at /usr/src. This file
contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys. This
file contains all the kernel sources you need to rebuild kernels. To
extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are regular CVS checkouts. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here. Using these files results in a much faster initial
CVS update than you could expect from a fresh checkout of the full
OpenBSD source tree.
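The same check applies to the install images above and to the src, sys and ports archives here: confirm that an archive matches the signed checksum list before unpacking it. This is an added script, not part of the release page, and it assumes SHA256.sig was fetched from the same mirror directory as the archive and that the 7.5 base release key is installed as /etc/signify/openbsd-75-base.pub (the stock path on an OpenBSD 7.5 system; elsewhere, point PUBKEY at a copy of it).

```shell
#!/bin/sh
# Added example (not from the OpenBSD release page): verify a release
# archive against the signed SHA256 list before extracting it.
# Assumptions: SHA256.sig is in the current directory, and PUBKEY names
# the 7.5 base release key (stock path on an OpenBSD 7.5 system).
set -eu

PUBKEY=${PUBKEY:-/etc/signify/openbsd-75-base.pub}

# Print the hash recorded for file $2 in checksum list $1, which uses
# the "SHA256 (file) = hex" layout of OpenBSD release lists; fail if absent.
expected_sha256() {
    awk -v f="$2" '$1 == "SHA256" && $2 == "(" f ")" { print $4; found = 1 }
                   END { exit !found }' "$1"
}

# Compute the SHA256 of $1 with whichever tool this host provides.
actual_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                         # OpenBSD
    else
        sha256sum "$1" | awk '{ print $1 }'    # GNU coreutils
    fi
}

# verify_archive LIST ARCHIVE: 0 when the archive's hash matches the list.
verify_archive() {
    [ "$(expected_sha256 "$1" "$(basename "$2")")" = "$(actual_sha256 "$2")" ]
}

# extract_verified ARCHIVE: signify(1) checks the signature on the list
# and writes the verified list to SHA256; only a matching archive is
# unpacked under /usr/src. On OpenBSD, "signify -C -p KEY -x SHA256.sig
# ARCHIVE" performs both checks in one step.
extract_verified() {
    signify -Veq -p "$PUBKEY" -x SHA256.sig -m SHA256 || return 1
    verify_archive SHA256 "$1" || { echo "hash mismatch: $1" >&2; return 1; }
    mkdir -p /usr/src && (cd /usr/src && tar xvfz "$1")
}
```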
---------------------------------------------------------------------
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point.
This text is not a manual of how to use ports. Rather, it is a set of
notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports. As with
our complete source tree, our ports tree is available via AnonCVS.
So, in order to keep up to date with the -stable branch, you must
make the ports/ tree available on a read-write medium and update the
tree with a command like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_5
[Of course, you must replace the server name here with a nearby
anoncvs server.]
Note that most ports are available as packages on our mirrors.
Updated ports for the 7.5 release will be made available if problems
arise.
If you're interested in seeing a port added, would like to help out,
or just would like to know more, the mailing list ports@openbsd.org
is a good place to start.